VPN is one of the most important technologies in the access network. As access network technology continues to develop, VPN is also evolving to meet more user needs, bringing people a convenient and fast network environment. VPN did not emerge overnight: from IPSec to SSL, it has undergone a great deal of technological evolution. However, the essence of any security technology is its application. Combining VPN with enterprise services promotes the border security of enterprises; at the same time, extending the business to the edge and integrating the external supply chain will drive a new round of VPN technology evolution.
The original intention of VPN is to provide a secure channel so that remote users can access the private network through access network technology. However, in the current computing environment, network administrators cannot know the sources of the managed or unmanaged devices that attempt to access the enterprise network.
If a host can reach the intranet through a VPN but the host itself is not secure, for example because it is infected with a virus or uses insecure network connections, it poses a great threat to the intranet. In addition, most existing intranet security or intranet behavior control only takes into account the behavior security of the internal LAN, that is, host access behavior within the LAN is monitored and controlled; it does not address the security of large, cross-regional enterprises that span the network.
In fact, a Juniper security expert said: because a VPN can be established from a public computer, it may bring new risks to the company's network, which is especially apparent with SSL VPN. In addition, public computers may not support more than two authentication methods, because they have no smart card readers or their USB ports are disabled outright. Against this background, the VPN-based trusted private network (TPN, Trusted Private Network) began to appear. Kang Hao, a security expert at Andaotong, said in an interview that current TPN technology integrates gateway security and communication endpoint security technologies and deploys them under global unified management, in order to achieve comprehensive, multi-level security.
It is reported that in the TPN system, all hosts connecting to the network must pass a mandatory authentication mechanism consisting of user verification and host verification. A host can access system resources only when it is classified as a trusted host. Trust means that the host's risks are managed; this managed status is the responsibility of the IT administrator and of the user responsible for host configuration. Improper management of trusted hosts may become a weakness of the entire solution.
When a host is considered trusted, other trusted hosts can reasonably assume that it will not initiate malicious operations. For example, trusted hosts should be able to expect that other trusted hosts will not attack them with viruses, because all trusted hosts are required to have some mechanism, such as anti-virus software, to mitigate virus threats.
Kang Hao stressed that such a trusted state is not static. It is only a transitional state that changes as enterprise security standards change, and the host must continuously comply with those standards. As new threats and new defensive measures continue to emerge, the organization's management system must constantly check trusted hosts to maintain compliance with the standards. Additionally, these systems must be able to publish updates or configuration changes as needed to help maintain the trusted state.
According to reports, the trusted private network (TPN) system applies a "user-role-resource" authorization mechanism to mandatorily verified hosts and users, and implements unified management of "intranet threats", "boundary threats", "host threats", and "access network technical threats".
When enterprise users use access network technology to reach a network protected by the TPN system, they must first undergo "forced identity authentication", logging on to the TPN system in web or client mode. After the identity authentication passes, the TPN security network forms a dynamic "tuple + time" access control policy based on the user's resource access permissions and on the characteristic IP address/port the user used during logon authentication. This dynamic access control policy has a short validity period: after the user has been inactive for a period of time, the policy becomes invalid, and forced identity authentication is required again to create a new dynamic access control policy for the user in the TPN security network.
It is not hard to see that the TPN system can achieve a safer VPN because it applies access control to mobile users and remote LAN users connecting via VPN access technology in the same way as to local users. For example, when a VPN user establishes an encrypted tunnel with the headquarters' TPN security gateway, that gateway can evaluate the security of the host using remote access network technology: if the host is found to be a threat or does not meet the security level required for access to the headquarters (for example, it is not patched), the host is not allowed to access the headquarters. This is the so-called VPN access control technology. Currently, enterprises can use this technology to prevent external network threats, such as Trojans, viruses, and attacks, from being carried into the intranet by VPN users, and thus prevent hackers from launching a stepping-stone attack. In addition, the network administrator can perform unified security policy management for the entire VPN network, just like managing the local LAN, achieving behavior management for the whole network rather than only the local LAN.
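The admission flow described in the two paragraphs above (forced identity authentication, evaluation of the host's security state before the tunnel is accepted, and a "tuple + time" policy that lapses after inactivity) as an added simulation; this is not the vendor's TPN code, and the credential table, roles, resources and the 600-second idle timeout are constructed assumptions:

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 600  # seconds without activity before a dynamic policy lapses (assumed value)
# Constructed tables for the "user-role-resource" model; a real TPN would pull these from a directory.
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}
USER_ROLES = {"alice": "finance", "bob": "sales"}
ROLE_RESOURCES = {"finance": {"erp:443", "files:445"}, "sales": {"crm:443"}}

@dataclass
class HostPosture:
    patched: bool            # required patches are present
    antivirus_running: bool  # the mitigation the trusted-host model expects

@dataclass
class DynamicPolicy:
    """The 'tuple + time' policy: who, from which IP/port, to what, and when last active."""
    user: str
    role: str
    src_ip: str
    src_port: int
    resources: frozenset
    last_seen: float

class TPNGateway:
    def __init__(self):
        self.policies = {}  # (src_ip, src_port) -> DynamicPolicy

    def admit(self, user, password, posture, src_ip, src_port, now):
        """Forced identity authentication plus host evaluation; True if the tunnel is accepted."""
        if CREDENTIALS.get(user) != password:
            return False  # identity check failed
        if not (posture.patched and posture.antivirus_running):
            return False  # host does not meet the required security level: refused
        role = USER_ROLES[user]
        self.policies[(src_ip, src_port)] = DynamicPolicy(
            user, role, src_ip, src_port, frozenset(ROLE_RESOURCES[role]), now)
        return True

    def allow(self, src_ip, src_port, resource, now):
        """Check one access against the dynamic policy, expiring it after the idle timeout."""
        pol = self.policies.get((src_ip, src_port))
        if pol is None:
            return False  # no policy: user must authenticate first
        if now - pol.last_seen > IDLE_TIMEOUT:
            del self.policies[(src_ip, src_port)]  # lapsed: forced re-authentication needed
            return False
        if resource not in pol.resources:
            return False  # outside the role's resources
        pol.last_seen = now  # permitted activity refreshes the policy's clock
        return True
```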
In addition, for enterprise intranet threat protection, TPN inherits the traditional intranet behavior management, gateway anti-virus, and anti-spam technologies, and at the same time applies them to the entire enterprise network rather than confining them to the LAN. Therefore, both VPN access users and local LAN users are subject to the "forced identity" authentication mechanism, and users who fail authentication cannot access any intranet or Internet resources.
In response to this emerging technology, the IT manager of Xinhua Life Group said that for large enterprises, VPN control can be implemented through the TPN system, admitting only valid and trustworthy endpoint devices, such as the PCs and servers of business outlets and the PDAs of agents, while other devices are not allowed to access the network. In the new system, the "TPN gateway" and "TPN client" form a linked defense system, avoiding the functional bottlenecks of a single gateway defense system or a single client defense system, which reduces the pressure on the enterprise IT department. Wang Jinghui, senior product manager of shenzhou.com, once explained that the boundary between centralized security and distributed security is blurred. Just as for an insurance company, the information security of the company is as important as the information security of its agents; this is the charm of controllable VPN.