Today, virtual private networks (VPNs) are widely used on the Internet. A VPN lets an enterprise network extend almost without limit to every corner of the Earth, and this secure, low-cost interconnection model provides a stage for the development of all kinds of application services.
A virtual private network (VPN) is a service that uses public network resources to form a private network for its customers. The VPN discussed here has two meanings:
1. It is a virtual network: there is no fixed physical connection, and the network is established only when users need it;
2. It is a private network composed of public network facilities.
VPN is really a service: users feel as if they are connected directly to their own private network, when in fact they are connected through a service provider. VPN brings the following benefits to enterprises and service providers:
A company that builds its own remote access pays up front for purchasing and supporting the entire enterprise remote-access infrastructure;
A company can use the ubiquitous Internet to give staff and business partners secure connections through a single network structure;
For an enterprise, a dial-up VPN strengthens contact with users, business partners and suppliers;
Telephone companies can use dial-up VPN service to reduce congestion at their terminals;
An ISP can increase revenue by providing secure remote access services to companies, and through tiered, differentiated services it can offer different classes of dial-up VPN.
VPN combines many features of public and private networks: the reliable performance and rich functions of the public network with the flexibility and efficiency of the private network. It sits between a public network and a private network.
VPN makes full use of existing network resources and provides economical, flexible connections, saving customers the investment in equipment, personnel and management and reducing their telecom fees, so it has been adopted quickly in recent years. Some experts believe VPN will be one of the fastest-growing businesses by the end of this century.
1.1 What is VPN
By encapsulating and encrypting network data, private data is carried over the public network at the security level of a private network, so the public network can be used to build a virtual private network (VPN). When the access method is dial-up, it is called a VPDN (virtual private dial-up network).
A VPN establishes a private data transmission channel over the public IP network to connect remote branch offices, business partners and mobile staff. This lowers the cost of remote access, cuts telephone fees, and provides secure end-to-end data communication.
A VPN can be built in three ways: built by the enterprise itself and transparent to the ISP; built by the ISP and transparent to the enterprise; or built jointly by the ISP and the enterprise.
1.2 Working Principle of VPN
VPN connection mode:
A conventional direct dial-up connection and a virtual private network connection differ as follows. In the former, PPP (Point-to-Point Protocol) packets are carried over a dedicated line. In a VPN, the PPP packet stream is sent from a router on one LAN, carried through a tunnel across the shared IP network, and arrives at the router on the other LAN.
The key difference is that the tunnel replaces the real dedicated line: a tunnel acts like a serial cable pulled through the WAN cloud. So how is a VPN tunnel formed?
There are two main ways to establish a tunnel: client-initiated and client-transparent. A client-initiated tunnel requires tunnel software on both the client and the tunnel server (or gateway); the latter is usually installed at the company's central site. The client software initiates the tunnel and the tunnel server terminates it. The ISP does not have to support tunneling. The client and the tunnel server simply establish a tunnel and authenticate with a user ID and password or a digital certificate. Once the tunnel is up, communication proceeds as if the ISP were not involved in the connection at all.
For a tunnel transparent to the client, on the other hand, the ISP's POPs must have an access server that supports tunneling and any routers that may be needed. The client first dials in to the access server. The server must be able to recognize that this connection needs a tunnel to a specific remote site, and it then establishes a tunnel to the tunnel server, usually authenticating with a user ID and password. In this way the client talks directly with the tunnel server through the tunnel. This approach requires no special software on the client, but the client can only dial in to a correctly configured access server.
1.3 Key technologies involved in VPN
VPN is a virtual network; its significance lies in "virtual" and "private". To carry private data over the public network, the security of that data must be ensured. VPN technology is reflected mainly in two technical points: tunneling, with the related tunneling protocols (PPTP, L2F, L2TP), and the data security protocol (IPSec). These are described below. Encryption and user authorization provide the security guarantee for private communication on the company's Internet.
1.3.1 Tunneling
1.3.1.1 Introduction to tunneling
On the surface, VPN is a networking method with many advantages over a leased-line network. In a VPN, the so-called "tunnel" technique carries data packets through public routed networks such as the Internet or other commercial networks.
Here the private "tunnel" is similar to a point-to-point connection. It allows network traffic from many sources to pass through the same infrastructure in separate tunnels. Tunneling uses a point-to-point protocol in place of switched connections and reaches the destination address through the routed network. It lets authorized mobile users, or authorized users generally, reach the enterprise network any time, anywhere.
By establishing a tunnel, the following functions can be implemented:
Force data traffic to a specific destination
Hide private network addresses
Carry non-IP protocol packets over the IP network
Provide data security support
Assist AAA-based user management.
In terms of security, packet authentication, data encryption and key management can all be provided.
A dial-up VPN uses tunneling technology: the remote access server packages user data into IP packets, which are carried over the telecommunications service provider's network. On the Internet they may cross several different networks before reaching the tunnel endpoint, where they are unpacked and forwarded in their original form. A VPN permits the conversion of network protocols and distinguishes traffic from many sources, so it can deliver traffic to a specified destination and receive service at a specified level. Remote access communication for a company network, from circuit-switched and long-distance local telecom providers to ISPs and the Internet, all needs tunneling technology. Tunneling uses a point-to-point protocol in place of switched connections and reaches the destination address through the routed network; this replaces the telephone-number connection of the telephone switching network. Tunneling lets authorized mobile users, or authorized users generally, reach the enterprise network any time, anywhere, while unauthorized access is prohibited by the authorization mechanism.
The following is a typical tunnel packet layout:
To form a tunnel, several basic elements are needed:
A tunnel initiator (TI)
A public network with routing capability
One or more tunnel terminators (TT)
A tunnel switch, added if necessary to increase flexibility
The task of the tunnel initiator is to open a tunnel in the public network. Many network devices and software can do this, for example: (1) a user laptop with an analog modem PC card and VPN dial-up software, used end to end; (2) a dedicated VPN-capable router in the LAN of a branch or home office; (3) a VPN-capable access concentrator at the network service provider's site.
The task of the tunnel terminator is to terminate the tunnel so that it extends no further. Again many devices and software can do this, such as: (1) a dedicated tunnel terminator; (2) a tunnel switch in the enterprise network; (3) the VPN gateway on a dedicated router in the NSP network.
A VPN usually has one or more security servers. Besides firewall and address-translation functions, a security server provides encryption, authentication and authorization by communicating with the tunnel devices. It also supplies information such as bandwidth, tunnel endpoints, network policy and service levels.
Through a software or module upgrade, an existing network device can gain VPN capability, and a VPN-capable device can serve multiple VPN applications.
There are already many IETF proposals on how to apply tunneling technology, including the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), the Layer 2 Tunneling Protocol (L2TP), the Virtual Tunneling Protocol (VTP) and Mobile IP. With support from different network vendors, these proposed standards define how remote devices can access the company network and the Internet simply and securely.
Tunneling technology is very useful:
First, an IP tunnel can carry any form of payload. Users of desktop or portable computers can dial in to the Internet and transparently reach their company's IP, IPX or AppleTalk network.
Second, a tunnel can carry multiple users or different types of payload at the same time. This is achieved by encapsulation; for example, IETF RFC 1701 defines Generic Routing Encapsulation (GRE).
Third, when tunneling is used to reach the company network, the company network does not expose its IP addresses to the Internet.
Fourth, tunneling lets the receiver filter out or report individual tunnel connections.
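The encapsulation the list above relies on, as an added example that is not code from the original article: a payload of any protocol (here a constructed fake IPX datagram) is wrapped in a minimal GRE header in the RFC 1701 layout and an outer IPv4 header, so that only the two tunnel endpoints' addresses are visible on the public network, and the receiving end strips the headers again, rejecting malformed or corrupted outer headers. The endpoint addresses and sample bytes are constructed; the code uses only the Python standard library.

```python
"""GRE-style tunnel encapsulation (RFC 1701 layout) with struct and socket only.
Added example; not code from the original article."""
import socket
import struct

IP_PROTO_GRE = 47            # IPv4 protocol number for GRE
GRE_PROTO_IPX = 0x8137       # Ethertype carried in the GRE protocol-type field for IPX
GRE_PROTO_IPV4 = 0x0800      # same field value for an encapsulated IPv4 packet


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int, src_ip: str, dst_ip: str,
                    ident: int = 0, ttl: int = 64) -> bytes:
    """Wrap any payload in a minimal GRE header (no optional fields) and an
    outer IPv4 header. Only the tunnel endpoints' addresses are visible on the
    public network; the inner packet, IP or not, is opaque payload."""
    gre = struct.pack("!HH", 0, proto)          # flags/version = 0, protocol type
    total_len = 20 + len(gre) + len(payload)
    fields = [0x45, 0, total_len, ident, 0, ttl, IP_PROTO_GRE, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ip_checksum(hdr)                # fill in the header checksum
    return struct.pack("!BBHHHBBH4s4s", *fields) + gre + payload


def gre_decapsulate(packet: bytes):
    """Strip the outer IPv4 and GRE headers from a tunnel packet.
    Returns (outer_src, outer_dst, gre_proto, payload); raises ValueError for
    anything that is not a well-formed GRE-in-IPv4 packet."""
    if len(packet) < 24:
        raise ValueError("packet too short for IPv4 + GRE")
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ip_checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad IPv4 header or checksum")
    total_len, = struct.unpack("!H", packet[2:4])
    if total_len > len(packet) or packet[9] != IP_PROTO_GRE:
        raise ValueError("truncated packet or not GRE")
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x4000:                          # routing (R bit) is not handled here
        raise ValueError("GRE routing present")
    # C (0x8000), K (0x2000) and S (0x1000) each add a 4-byte optional field
    opt_len = 4 * (bool(flags & 0x8000) + bool(flags & 0x2000) + bool(flags & 0x1000))
    start = ihl + 4 + opt_len
    if start > total_len:
        raise ValueError("GRE header truncated")
    return src, dst, proto, packet[start:total_len]


# Constructed sample: a fake IPX datagram between two private nodes.
SAMPLE_IPX = bytes.fromhex("ffff0020000000000001") + b"branch-to-hq payload"

if __name__ == "__main__":
    tunnel_pkt = gre_encapsulate(SAMPLE_IPX, GRE_PROTO_IPX, "203.0.113.10", "198.51.100.20")
    print(gre_decapsulate(tunnel_pkt))
```

The decapsulation side is where the defensive checks live: the IPv4 header checksum must verify, the protocol number must be GRE, the declared total length must fit the bytes received, and any optional GRE fields are skipped by their flag bits rather than assumed absent.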
1.3.1.2 Layer-2 and layer-3 tunnels
As shown in the figure, tunnels are classified as layer 2 or layer 3 according to where the tunnel starts and ends, and the tunnel terminates in a different place in each case. With a layer-3 tunnel, the tunnel is created and terminated on the service provider's network: the remote user's Point-to-Point Protocol (PPP) session is terminated at the remote access server (RAS), the layer-2 connection ends there, and only the layer-3 payload is carried through the tunnel to the tunnel endpoint, a router residing in the enterprise intranet or in the service provider's network. With a layer-2 tunnel, the tunnel can be created at the RAS or on the service provider's network and carries the PPP frames across the provider's backbone to a predefined destination at the remote client; the tunnel terminates at the client's router or at a common server.
The following compares layer-2 and layer-3 tunnels:

                 Layer 2 tunnel                        Layer 3 tunnel
Advantages       Simple                                Scalability
                 End-to-end compression/encryption     Security
                 Bidirectional tunnel configuration    Reliability
Disadvantages    Standards still developing            Limited vendor participation
                 Scalability problems                  Complex development
                 Reliability problems
                 Limited PPP payload type
                 Security problems
For the IP tunneling protocols, a tunnel established with PPTP or IPSec starts at the client and ends at the enterprise's VPN access device, as shown in the figure:
A tunnel established with L2F or L2TP starts at the ISP's access device and ends at the enterprise's VPN access device, as shown in the figure:
Layer-3 tunneling has some further advantages for the company network. When network managers use layer-3 tunneling they need not install special software on remote nodes or on the customer premises equipment (CPE), because PPP and the tunnel endpoints are handled by the service provider's equipment; the CPE need not provide these functions and serves only as a router. Layer-3 tunneling can therefore be implemented with any vendor's CPE.
A company network using layer-3 tunneling does not need Internet addresses. This use of tunneling is also secure: the service provider's network can hide the company's network and remote node addresses.
With layer-3 tunneling, the service provider need not take part in the company's network routing. The service provider controls the forwarding of all packets on its own network. Compared with a layer-2 tunnel, the service provider can more easily assess the service.
1.3.2 Tunneling protocols
The current standard tunneling protocols are:
Client-based, transparent to the ISP:
PPTP
IPSec
Provided by the ISP, requiring no client knowledge:
L2F
L2TP (client support was added later)
The following is a brief introduction to the above protocols.
1.3.2.1 PPTP (Point-to-Point Tunneling Protocol)
This is the most popular Internet tunneling protocol. It provides encrypted communication between a PPTP client and a PPTP server, and lets a company extend its network through the public Internet in a private "tunnel". Data communication over the Internet requires that the data stream be encapsulated and encrypted; PPTP performs both functions and so enables multi-protocol communication over the Internet. This means that, through PPTP encapsulation or "tunnel" servers, non-IP networks can also enjoy the advantages of Internet communication. However, PPTP sessions cannot pass through a proxy. PPTP is a standard backed by Microsoft and other vendors. It is an extension of the PPP protocol and can build a multi-protocol VPN over the Internet. PPTP uses the RC4 encryption algorithm with 40- or 128-bit keys.
One of PPTP's main advantages is Microsoft's support: it is well integrated into Windows 95, 98 and NT (L2TP has been integrated into Windows 98), and it integrates well with NT domains. No special support is required from the ISP. Another advantage is flow control, which keeps the client and server from being overwhelmed by traffic, reduces the number of dropped packets and retransmissions, and so improves performance.
How PPTP works
Network protocols work by exchanging blocks of data called packets. A packet consists of control information specific to the protocol and the real data to be sent, usually called the payload. As network users we only care about the payload; as long as data is exchanged quickly and without errors, we do not mind what control information is added. But if two computers are to communicate, whatever medium they use, the control information is essential and must be kept intact.
PPTP works by encapsulating native packets, such as IPX packets, inside TCP/IP packets. The entire IPX packet, including its control information, becomes the payload of the TCP/IP packet and is then carried over the Internet. The software at the other end opens the packet and hands it to the original protocol for normal processing. This process is called tunneling.
Besides saving the cost of long-distance dial-in, the tunnel also improves data security. Because the tunnel connects compatible protocols to the Windows NT network, the operating system can perform the full range of security checks it performs on the LAN itself. The connection can thus use Windows NT authentication through PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol). In addition, PPTP can carry data encrypted with RSA RC4 or DES. If inbound security matters most for the VPN, the server administrator can specify that the server accept only PPTP packets from remote connections, but this prevents the server from also serving as a public Web or FTP server. Where several servers are available and the highest security is required, this is an acceptable solution. Even with all these security measures, the only special software the client needs is the PPTP protocol itself and a dial-up program that can connect to the VPN. Does the Internet service provider have to support PPTP? Not necessarily; in that case everything can run securely over a standard Point-to-Point Protocol (PPP) line. For providers that do not support PPTP, Windows NT provides security through the double-dial arrangement.
PPTP connection process
Since the whole idea of remote access is to let a client dial in to a server, a PPTP connection starts at the client, which uses the Windows NT Remote Access Service (RAS) to establish a PPP connection to the ISP. When the PPP connection is active, and the server is connected to the Internet and acting as the RAS server, the client uses RAS to make a second dial-up. This time it specifies the server's IP address (name or number) in the phone-number field and connects through the VPN port instead of a COM port (the VPN port is added to both client and server when PPTP is installed).
When the client dials the IP address, a request to start a session is sent to the server. The client waits for the server to verify the user name and password and return the connection-complete message. At this point the PPTP tunnel is up and the client can start sending packets to the server. Because they may be IPX or NetBEUI packets, the server can apply its normal security operations to them.
The core of PPTP data exchange is the PPTP control connection, a series of control messages for establishing and maintaining the tunnel. The whole PPTP connection contains only one TCP/IP connection, which must answer a command set to keep the tunnel open while transactions take place.
PPTP management
For VPN user management, VPN follows the ETS user database, and user groups can be designated to accept VPN access. VPN security is very important for user information. The keys used for encryption are never transmitted on the wire, so an outsider cannot compute the RC4 encryption key. If the longer key length can be used, information transmitted through the VPN is fully guaranteed. PPTP routers can drop from the link anyone not on the PPTP user-name list, so that "hackers" cannot attack.
1.3.2.2 IPSec (IP Security)
As a tunneling protocol, IPSec belongs to the IPv6 protocol family. Because it is mainly used for data encryption between two points on an IP network, it is applied as a VPN tunneling protocol. An IPv6 packet carries an Authentication Header (AH) and the Encapsulating Security Payload (ESP) encryption format. The receiver authenticates and decrypts packets according to AH and ESP. There are two operating modes, tunnel mode and transport mode; data security is described in the following sections.
IPSec is used to establish a VPN tunnel between clients and places no special requirements on the ISP.
1.3.2.3 L2F (Layer 2 Forwarding)
L2F is a layer-2 forwarding protocol for VPDN developed by Cisco; it builds the tunnel at layer 2. It is currently supported in the router products of several network vendors. L2F must be supported by the ISP, and the devices at both ends of the transmission must support it; the client has no special requirements.
Currently, L2F does not encrypt data.
Taking a Cisco router as an example, the L2F operating mechanism is briefly introduced below. A Cisco router needs the following to support L2F:
Cisco IOS version: 2 or later, desktop or enterprise edition
Flash capacity: 8 M
DRAM capacity: 6 M
The L2F_TUNNEL negotiation between the NAS and the gateway uses CHAP to negotiate, authenticate and establish the link. Both parties share a common password. First, the NAS sends an L2F_CONF packet to the gateway carrying the NAS name and a random challenge value A. When the gateway receives the L2F_CONF packet from the NAS, it sends its own L2F_CONF packet back carrying its name, a random challenge value B, and a new key A', formed by hashing challenge A and the gateway password with MD5. When the NAS receives this L2F_CONF packet, it uses MD5 to compute its own A'' and compares it with the received A'. If they match, the NAS sends an L2F_OPEN packet to the gateway carrying the key B' (obtained by hashing the NAS password and B with MD5). On receiving the L2F_OPEN packet, the gateway compares its own computed B'' with the received B'; if they match, it sends an L2F_OPEN packet to the NAS carrying the key value A'.
From then on, all packets sent from the NAS to the gateway carry key B', and all packets sent from the gateway to the NAS carry key A'.
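The NAS/gateway exchange just described, as an added example that is not Cisco's code and not the L2F wire format: both sides are driven in one process, messages are plain Python dicts, a single shared secret is assumed for deriving both A' and B', and the peer names are constructed. The point shown is the mutual proof of the shared secret (each side answers the other's challenge with MD5 over the secret and that challenge), the keys that stamp every later packet, and what happens when the secrets differ or a packet carries the wrong key.

```python
"""Challenge/response tunnel authentication modelled on the L2F_CONF / L2F_OPEN
exchange described in the text. Added example; the message dicts and the single
shared secret are assumptions, not the real L2F packet format."""
import hashlib
import hmac
import os


def derive_key(secret: bytes, challenge: bytes) -> bytes:
    """MD5 over the shared secret and the peer's challenge, as the text describes."""
    return hashlib.md5(secret + challenge).digest()


class Peer:
    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.challenge = os.urandom(16)      # random challenge this side issues
        self.send_key = None                 # key stamped on packets we send
        self.recv_key = None                 # key we expect on packets we receive
        self.open = False


class Nas(Peer):
    def start(self) -> dict:
        """Step 1: the NAS opens with its name and challenge A."""
        return {"type": "L2F_CONF", "name": self.name, "challenge": self.challenge}

    def on_conf(self, msg: dict) -> dict:
        """Step 3: check the gateway's A' = MD5(secret, A), then answer with B'."""
        expected = derive_key(self.secret, self.challenge)
        if msg["type"] != "L2F_CONF" or not hmac.compare_digest(msg["key"], expected):
            raise PermissionError("gateway failed to prove the shared secret")
        self.recv_key = expected                                   # gateway->NAS packets carry A'
        self.send_key = derive_key(self.secret, msg["challenge"])  # NAS->gateway packets carry B'
        return {"type": "L2F_OPEN", "name": self.name, "key": self.send_key}

    def on_open(self, msg: dict) -> None:
        """Step 5: the gateway's L2F_OPEN must carry A'."""
        if msg["type"] != "L2F_OPEN" or not hmac.compare_digest(msg["key"], self.recv_key):
            raise PermissionError("bad key in L2F_OPEN")
        self.open = True


class Gateway(Peer):
    def on_conf(self, msg: dict) -> dict:
        """Step 2: reply with name, challenge B and A' = MD5(secret, A)."""
        self.send_key = derive_key(self.secret, msg["challenge"])   # A'
        self.recv_key = derive_key(self.secret, self.challenge)     # B', expected from the NAS
        return {"type": "L2F_CONF", "name": self.name,
                "challenge": self.challenge, "key": self.send_key}

    def on_open(self, msg: dict) -> dict:
        """Step 4: check B', then confirm with an L2F_OPEN carrying A'."""
        if msg["type"] != "L2F_OPEN" or not hmac.compare_digest(msg["key"], self.recv_key):
            raise PermissionError("NAS failed to prove the shared secret")
        self.open = True
        return {"type": "L2F_OPEN", "name": self.name, "key": self.send_key}


def send_data(peer: Peer, payload: bytes) -> dict:
    """Every data packet after the handshake carries the sender's key."""
    return {"type": "L2F_DATA", "key": peer.send_key, "payload": payload}


def receive_data(peer: Peer, msg: dict) -> bytes:
    """Drop anything that arrives before the tunnel is open or with the wrong key."""
    if not peer.open or not hmac.compare_digest(msg["key"], peer.recv_key):
        raise PermissionError("packet dropped: tunnel not open or key mismatch")
    return msg["payload"]


def run_handshake(nas_secret: bytes, gw_secret: bytes):
    """Drive the four-message exchange; raises PermissionError if the secrets differ."""
    nas, gw = Nas("nas-1", nas_secret), Gateway("gw-1", gw_secret)
    m1 = nas.start()
    m2 = gw.on_conf(m1)
    m3 = nas.on_conf(m2)
    m4 = gw.on_open(m3)
    nas.on_open(m4)
    return nas, gw


if __name__ == "__main__":
    nas, gw = run_handshake(b"shared-secret", b"shared-secret")
    print(receive_data(gw, send_data(nas, b"ppp frame")))
```

The comparisons use hmac.compare_digest so that a mismatch takes the same time regardless of where the first differing byte is. MD5 over a static shared secret is what the page describes for L2F; the same structure works unchanged with an HMAC in place of derive_key, which is what a current design would use.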
1.3.2.4 L2TP (Layer 2 Tunneling Protocol)
Besides Microsoft, other vendors have done much development work, so that PPTP can support Macintosh and UNIX. Cisco's L2F (Layer 2 Forwarding) is another tunneling protocol. L2TP combines the PPTP and L2F tunneling protocols. PPTP and L2TP are very similar, because part of L2TP uses the PPTP protocol. Both protocols let the client establish a tunnel across the network, with an extension on the client side through client software. L2TP also supports tunnel authentication, but it does not specify a tunnel protection method; L2TP has an IPSec option. Standardization was officially completed in September.
L2TP follows the handshake message mode of PPTP and the working mode of L2F. An L2TP tunnel is initiated by the access server and ends at the gateway of the enterprise network.
L2TP lets a remote user dial in to a nearby ISP and connect to the private network over the Internet. It is one of the first extensions of the PPP connection between a dial-up user and a private network. L2TP is a combination of Cisco's L2F and Microsoft's PPTP; PPTP is an extension of the PPP protocol. L2TP is designed to build the tunnel at OSI layer 2, replacing PPTP (a layer-3 tunnel).
1.3.2.5 SOCKS
SOCKS is a proxy protocol for network connections. It lets hosts on one side of the SOCKS server reach the other side fully, while hosts on the other side need no direct IP access to them. SOCKS can identify and authorize connection requests, establish the proxied connection, and relay data.
SOCKS is usually used as a network firewall: it gives hosts behind it full access to the Internet while preventing unauthorized access to internal hosts from the Internet. There are currently two versions, SOCKS v4 and SOCKS v5; SOCKS v5 can handle UDP, while SOCKS v4 cannot.
1.3.3 Security
The most important aspect of VPN technology is data security. The data security techniques in international use today are data authentication, data encryption and digital signatures. Dedicated security protocols have been developed for secure data transmission in tunnels; they use encryption and digital signature technology to ensure the confidentiality and integrity of data and to identify the sender and receiver.
In most cases the encryption method is bundled with the tunneling technology. For example, PPTP includes RC4 encryption (40 or 128 bits), and IPSec supports several encryption methods such as DES and Triple DES. Before being admitted to the enterprise network, the user must first pass access control filtering. The main items filtered are protocol ID, direction, source and destination IP address, source and destination port, and TCP connection establishment.
1.3.3.1 Data encryption algorithms
Current data encryption algorithms include:
- International Data Encryption Algorithm (IDEA): a 128-bit key encrypts 64-bit plaintext blocks into 64-bit ciphertext blocks.
- Microsoft Point-to-Point Encryption (MPPE): a relatively weak 40-bit key or a stronger 128-bit key can be chosen. Microsoft's dial-up networking software has added MPPE encryption; the 40-bit version is bundled with Windows 95 and the 128-bit version with Windows NT. MPPE encrypts PPP packets on the client workstation before they are sent into the PPTP tunnel, so tunnel switches along the path cannot decrypt them, which improves data confidentiality. MPPE also uses the enhanced password handshake protocol MS-CHAP to strengthen user authentication.
- DES and 3DES (Data Encryption Standard).
1.3.3.2 Data security standard IPSec
IPSec is a standard developed by the IETF. It comprises a complete set of IP protocols for the encryption and digital signature methods agreed between two IP sites. IPSec provides IP packet-level security authentication, data integrity and confidentiality through encryption, independent of applications. IPSec offers two operating modes:
Tunnel mode, which encrypts and encapsulates packets carried over insecure links or between private Internet addresses (this mode suits NAT environments).
Transport mode, which encrypts the IP payload (the TCP or UDP data) directly (suits non-NAT environments).
Any encryption algorithm can be used in either mode. IPSec currently exists in two versions, for IPv4 and IPv6.
IPSec covers data authentication, integrity and confidentiality. Data authentication ensures that the data received is the same as the data sent and that the sender is genuine. Data integrity ensures that the data is not altered in transit. Confidentiality establishes mutual trust between the two parties and keeps impersonators out; in general, encryption is used to establish that trust. These IPSec functions can be used separately or in combination, depending on the specific solution.
IPSec is more reliable than MPPE: it includes authentication, encryption and data integrity, and it can extend beyond the tunnel terminator to the destination host. Another advantage of IPSec is that its authentication and security functions are loosely coupled to its key management system, so if the key management system changes, the IPSec security mechanism itself need not be modified.
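The two operating modes and the authentication/integrity functions above, as an added example that is not any product's IPSec implementation: packets are a simplified dataclass rather than real IP headers, the integrity check value (ICV) is HMAC-SHA256 truncated to 128 bits over the fields shown rather than the exact AH coverage of RFC 4302, and the key, SPI and addresses are constructed. What it shows is the difference in what the public network sees (original host addresses in transport mode, only gateway addresses in tunnel mode), the per-SA sequence number that rejects replays, and detection of a modified packet.

```python
"""Tunnel mode versus transport mode with an AH-style integrity check.
Added example; simplified packet model and ICV coverage, not RFC 4302 itself."""
from dataclasses import dataclass
import hashlib
import hmac
import struct

AH_PROTO = 51           # IP protocol number for the Authentication Header
IPIP_PROTO = 4          # "next header" meaning a whole IP packet follows (tunnel mode)
ICV_LEN = 16            # HMAC-SHA256 truncated to 128 bits


@dataclass(frozen=True)
class IpPacket:
    src: str
    dst: str
    proto: int
    payload: bytes

    def to_bytes(self) -> bytes:
        return f"{self.src}|{self.dst}|{self.proto}|".encode() + self.payload

    @classmethod
    def from_bytes(cls, raw: bytes) -> "IpPacket":
        src, dst, proto, payload = raw.split(b"|", 3)
        return cls(src.decode(), dst.decode(), int(proto.decode()), payload)


def _icv(key: bytes, ip_src: str, ip_dst: str, next_proto: int,
         spi: int, seq: int, data: bytes) -> bytes:
    """ICV over the immutable address fields, the AH fields and the protected data."""
    covered = f"{ip_src}|{ip_dst}|".encode() + struct.pack("!BII", next_proto, spi, seq) + data
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(pkt: IpPacket, key: bytes, spi: int, seq: int, mode: str,
               gw_src: str = None, gw_dst: str = None) -> IpPacket:
    """Transport mode keeps the original addresses and protects only the payload;
    tunnel mode wraps the whole original packet and shows only gateway addresses."""
    if mode == "transport":
        ip_src, ip_dst, next_proto, data = pkt.src, pkt.dst, pkt.proto, pkt.payload
    elif mode == "tunnel":
        if not (gw_src and gw_dst):
            raise ValueError("tunnel mode needs the two gateway addresses")
        ip_src, ip_dst, next_proto, data = gw_src, gw_dst, IPIP_PROTO, pkt.to_bytes()
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    ah = struct.pack("!BII", next_proto, spi, seq) + _icv(key, ip_src, ip_dst, next_proto, spi, seq, data)
    return IpPacket(ip_src, ip_dst, AH_PROTO, ah + data)


class AhReceiver:
    """One inbound security association: key, SPI and anti-replay state."""
    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.last_seq = key, spi, 0

    def verify(self, pkt: IpPacket) -> IpPacket:
        if pkt.proto != AH_PROTO or len(pkt.payload) < 9 + ICV_LEN:
            raise ValueError("not an AH packet")
        next_proto, spi, seq = struct.unpack("!BII", pkt.payload[:9])
        icv, data = pkt.payload[9:9 + ICV_LEN], pkt.payload[9 + ICV_LEN:]
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if seq <= self.last_seq:                      # minimal anti-replay: strictly increasing
            raise ValueError("replayed or reordered sequence number")
        if not hmac.compare_digest(icv, _icv(self.key, pkt.src, pkt.dst, next_proto, spi, seq, data)):
            raise ValueError("integrity check failed")
        self.last_seq = seq
        if next_proto == IPIP_PROTO:                  # tunnel mode: recover the inner packet
            return IpPacket.from_bytes(data)
        return IpPacket(pkt.src, pkt.dst, next_proto, data)


# Constructed sample: a TCP segment between two private hosts behind two gateways.
KEY = b"\x11" * 32
INNER = IpPacket("10.1.0.5", "10.2.0.9", 6, b"GET / HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    wire = ah_protect(INNER, KEY, 0x100, 1, "tunnel", "203.0.113.1", "198.51.100.1")
    print(wire.src, wire.dst, AhReceiver(KEY, 0x100).verify(wire) == INNER)
```

AH authenticates but does not encrypt, so in tunnel mode the inner addresses are still readable inside the payload; confidentiality is ESP's job, which this block does not model. The anti-replay check is the simplest possible (strictly increasing sequence numbers); real implementations keep a sliding window so that modest reordering is tolerated.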
The second important issue in installing and operating a dial-up VPN is network security: for example, allowing remote dial-up connections while preventing unauthorized access and eavesdropping.
In some network designs the tunnel terminates behind the user's firewall. Some types of IP tunneling require the customer to connect directly to the Internet, which is dangerous for the customer. To protect the network from unauthorized users, many companies put a firewall on their Internet router that limits Internet access to resources such as the company's Web server. If the tunnel device is behind the firewall, the firewall must be opened to let tunnel packets through to that device. There are many ways to do this, but they complicate the firewall configuration; moreover, some firewalls cannot effectively control traffic that does not terminate at the firewall.
A dial-up VPN service based on layer-3 tunneling is more secure than one based on layer-2 tunneling, because the tunnel need not reach the customer's network; instead it terminates at the gateway on the service provider's side.
1.4 Network management and operation
The goal of VPN management is to let the VPN be treated like a private network. The first step toward this goal is a VPN management tool for managing the VPN, such as monitoring network capacity utilization, service quality and security violation rates. The second step is a unified management tool that can manage both conventional networks and VPNs. Finally, network management and maintenance are indispensable.
Two key points in managing a dial-up VPN are network layer address management (NLAM) and tunnel management. Tunnel management refers to external software applications that establish tunnels, maintain user information and perform customer-level account management. Traditional management functions such as performance monitoring are also needed to manage the dial-up VPN service, just as on other networks.
1.4.1 User IP address management
Managing user IP addresses mainly concerns how IP addresses are allocated between the user network and the public network. Different allocation policies are used for different tunneling protocols.
An enterprise can use valid or reserved IP addresses for its internal network; the internal addresses are transparent to the public network, because the VPN re-encapsulates internal data before sending it over the Internet. For remote users, the address assignment policy depends on the tunneling protocol used by the VPN connection.
With the L2F or L2TP tunneling protocol, the user dials only once and is assigned only an intranet IP address. With the PPTP or IPSec tunneling protocol, the user dials twice: on top of an existing public IP address, the user dials the CEN VPN gateway and is then assigned a CEN internal IP address.
1.4.2 Network layer address management
Network layer address management (NLAM) is the ability of the dial-up VPN to set up network-layer protocol configuration (filters, routing protocols, subnet masks, etc.) and domain name registration for remote nodes. A properly sized VPN structure can support the following services: Remote Authentication Dial-In User Service (RADIUS, which must be correctly configured by the vendor), Dynamic Host Configuration Protocol (DHCP or an equivalent protocol) and the Domain Name Service (DNS). RADIUS is used not only for user authorization but also to deliver part or all of the network-layer configuration. DHCP can be linked to RADIUS to select an address from the address pool and assign it to a remote user; this is clearly more scalable than building addresses manually in the RADIUS database. It is very important that the layer-3 address system be managed correctly: once a session ends, the address must return to the address pool associated with the user's domain name.
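The pool behaviour the paragraph above requires, as an added example that is not a RADIUS or DHCP server implementation: each user domain owns its own address pool, a session leases one address, a repeated request for the same session returns the same address, an exhausted pool rejects the call, and releasing the session returns the address to the pool of the domain it came from. The domain names and address ranges are constructed.

```python
"""Per-domain address pool for dial-up VPN users. Added example; not the
address allocation code of any RADIUS or DHCP product."""
import ipaddress
from typing import Dict, Optional


class DomainAddressPool:
    """Each user domain owns its own pool; an address is leased when a session
    starts and must return to the same domain's pool when the session ends."""
    def __init__(self, domains: Dict[str, str]):
        # domain name -> list of free host addresses carved from its CIDR block
        self.free = {dom: [str(h) for h in ipaddress.ip_network(cidr).hosts()]
                     for dom, cidr in domains.items()}
        self.leases = {}          # session id -> (domain, address)

    def allocate(self, session: str, domain: str) -> Optional[str]:
        """Lease an address for a session, or None if the domain's pool is empty."""
        if domain not in self.free:
            raise KeyError("unknown user domain %r" % domain)
        if session in self.leases:
            return self.leases[session][1]     # idempotent for a repeated request
        if not self.free[domain]:
            return None                        # pool exhausted: reject the call
        addr = self.free[domain].pop(0)
        self.leases[session] = (domain, addr)
        return addr

    def release(self, session: str) -> bool:
        """Return the address to the owning domain's pool; False if no such lease."""
        lease = self.leases.pop(session, None)
        if lease is None:
            return False
        domain, addr = lease
        self.free[domain].append(addr)
        return True

    def available(self, domain: str) -> int:
        return len(self.free[domain])


if __name__ == "__main__":
    pool = DomainAddressPool({"sales.example": "10.10.1.0/30"})
    print(pool.allocate("sess-1", "sales.example"), pool.available("sales.example"))
```

Keying the free lists by domain, rather than keeping one shared list, is what prevents an address leaking from one customer's range into another's when sessions end in an unexpected order.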
Network-layer address management is not the same as IP address management. Many companies still use IPX and AppleTalk, so address management services must support these protocols as well as IP. Unfortunately there is no standard for non-IP address pools, so few products support IPX or AppleTalk address management for remote nodes.
1.4.3 VPN member management
VPN member management covers several important functions: authentication of user connections, authorization, billing management, internal IP address allocation, establishment of the VPN "tunnel", data encryption, and management of user access permissions.
1. Authentication
Before a remote member can connect to the enterprise, the user must be authenticated. User data (such as user names and passwords) is stored in an external database, which is reached through an intermediary protocol such as LDAP or an authentication protocol such as RADIUS. This user database is transparent to users. The VPN access server defines the corresponding member groups (data encryption format, filter definitions, service attribute definitions, etc.).
LDAP (Lightweight Directory Access Protocol) is a realization of the X.500 directory management service. LDAP is quickly being accepted as the Internet directory model; Microsoft, Netscape and Novell all support it in their directory service strategies. LDAP is entry-based management that provides standard and extended attribute definitions for individuals on the Internet. The directory server is the user information center.
RADIUS (Remote Authentication Dial-In User Service) is a distributed security system that uses an authentication server to verify the attributes of dial-up connections and to authenticate connection permissions. RADIUS is widely used in remote access authentication.
2. Access control filtering and user priority definition
After a user is admitted, the user's access must be filtered. The main items filtered are the user's source and destination IP addresses, destination port number and TCP connection setup. After access control, the authentication database defines the user's call priority, mainly to handle network congestion caused by a large number of users: once the network is congested beyond a certain level, only higher-priority connections are allowed to be established, but a connection that is already established will not be interrupted.
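The access control filtering named here and in section 1.3.3 (protocol, direction, source and destination address, port, TCP connection establishment), together with the call-priority rule, as an added example that is not any vendor's access-server code: a first-match rule list with a default of deny, where "TCP connection establishment" is recognised as a SYN without ACK so that inbound connection attempts can be refused while replies to outbound sessions pass, and an admission object that refuses new low-priority calls above a congestion threshold but never drops a session already established. The policy, addresses and threshold values are constructed.

```python
"""Access control filtering and priority-based admission for a VPN access server.
Added example; the rule fields, sample policy and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (toward the enterprise) or "out"
    proto: str              # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = (0, 65535)
    new_tcp: Optional[bool] = None      # True: only connection-opening SYNs; False: only non-opening

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.new_tcp is not None:
            opening = p.proto == "tcp" and p.syn and not p.ack   # TCP connection establishment
            if opening != self.new_tcp:
                return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default (deny)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Constructed policy for an enterprise network 10.1.0.0/16 reached through the VPN.
POLICY = [
    Rule("allow", direction="out"),                                          # outbound may go
    Rule("allow", "in", "tcp", "192.0.2.0/24", "10.1.0.0/16", (443, 443)),   # partner -> HTTPS only
    Rule("deny", "in", "tcp", new_tcp=True),                                 # no other inbound setup
    Rule("allow", "in", "tcp", new_tcp=False),                               # replies to our sessions
    Rule("allow", "in", "udp", "0.0.0.0/0", "10.1.0.53/32", (53, 53)),       # DNS to the resolver
]


class Admission:
    """Call-priority control: under congestion only higher-priority users may
    open new connections, but established connections are never torn down."""
    def __init__(self, congestion_threshold: float, min_priority_when_congested: int):
        self.threshold = congestion_threshold
        self.min_priority = min_priority_when_congested
        self.established = {}               # user -> priority

    def request(self, user: str, priority: int, load: float) -> bool:
        """Decide a new call given the current load (0.0 idle .. 1.0 saturated)."""
        if load >= self.threshold and priority < self.min_priority:
            return False
        self.established[user] = priority
        return True

    def active(self) -> list:
        """Sessions in place; a load change never removes any of them."""
        return sorted(self.established)


if __name__ == "__main__":
    probe = Packet("in", "tcp", "198.51.100.9", "10.1.3.4", 22, syn=True)
    print(filter_packet(POLICY, probe))
```

Rule order matters: the partner HTTPS rule must precede the blanket deny on inbound SYNs, and the "replies only" allow must follow it, otherwise the deny would never be reached or the replies would be dropped.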
3. Billing and settlement
The VPN access server records each user's access to the CEN and bills and settles the user's access based on these log records. The records include access duration and data volume, security denial records, and system configuration modification records.
Currently, member management varies among the VPN devices of different vendors.