Nortel Network Security Routing Technology solution (1)

Currently, the method of connecting Internet users through a modem or a dedicated line is gradually replaced by a virtual private network (VPN). VPN allows users to communicate securely over the Internet. The conti solution provided by beidian network not only enables customers to establish various VPN types, but also integrates these VPNs into a network that combines voice and data in the future. In the opinion of beidian network, tomorrow's VPN will develop into a high-speed and secure network, which will securely integrate all services, including data, voice and video on the public internet.
IPSec VPN is the best choice to ensure that important information will not be leaked when being uploaded or transmitted over the public internet. IPSec effectively ensures data privacy, integrity, authentication, and auditability. IPSec has two working modes: tunnel mode and transmission mode. Tunnel mode is used when many hosts establish secure tunnel communication through the IPSec VPN gateway. The Nortel Network has solved the problem of implementing secure routing in the IPSec tunnel and laid a solid foundation for the popularization of IPSec VPN.
Secure routing technology
The so-called secure routing technology is how to implement dynamic routing selection technology on the IPSec VPN tunnel.
1. Implementation of secure routing technology
To implement dynamic routing technology in an IPSec tunnel, you must find the SA (SecurityAssociation) of the two communication endpoints. If the SA does not exist, enable IKE (Internet KeyExchange) to create a SA for the communication endpoint. Once the SA is created, only the two communication endpoints are allowed to communicate with each other, and the rest of the data is forbidden (unless a new SA is created through IKE ).
Assume that the IPSec VPN tunnel has been established and IKE is used as the dynamic routing protocol (OSPF, RIP, Etc. a sa is created that allows the dynamic route protocol package to pass through. the routing information at both ends of the VPN learns from each other and a dynamic route table is created. When users at both ends communicate with each other based on the routing information, you also need to re-establish the SA for the respective communication endpoints through IKE. If the network status changes and the network segment disappears, you need to delete the relevant SA through IKE, which is very complicated, the cost is too large and unacceptable. This standard is not currently available in the IPSec specification. Some manufacturers have to encapsulate the data to the GRE (General RoutingEncapsulation tunnel) to solve this problem. Due to the large number of data encapsulation times, the data overhead is too large, so it is not accepted by the market.
It can be seen that the key to implementing secure routing is to establish a specific SA. The batchcompute contivity has enabled secure routing (SRT.
The batchcompute contivity operation component has the following advantages:
(1) Security Route Selection
SRT supports dynamic routing over the IPSec tunnel. Contivity complies with IPSec standards and can map virtual IP interfaces to IPSec tunnels. When an IP service is transmitted through a tunnel, the dynamic path of conticons avoids additional State Processing and packet overhead (each packet can be up to 24 B ).
(2) Secure Access
All connections to contivity or connections through contivity, whether tunneling or non-tunneling connections, can be secured. Users, user groups, and remote sites all have a unique filtering configuration file. The configuration file is stored in an LDAP database to implement public policy settings on a single device or multiple conticons devices. Contivity supports authentication using multiple technologies, including RADIUS, digital certificate, smart card, and Token card.
(3) Security Policy
SRT allows each user, user group, or branch office to use their respective Security Configuration File Settings. The configuration file stores personal information, whether at home or in the office, and whether running on tunnel or non-tunnel connections, authentication and access permissions are applied in the same way.
(4) Security Management
There is no "backdoor" in the contivity design ". Configuring the security encryption tunnel is the only mode supported by the conticons Internet (or public) interface. The interface has built-in Denial of Service (DoS) Protection. Contivity also records all security/authentication transactions and events that can be stored in a contivity local hard drive or in a media other than a device, depending on the enterprise's security practices.