VPN Security Technology

Source: Internet
Author: User

As we all know, because VPN (Virtual Private Network) transmits private information, VPN users are concerned about data security. Currently, VPN uses four technologies to ensure security. These four technologies are tunneling, encryption and decryption, and key management) user and device authentication technology (authentication ).

1. Tunneling Technology:

The tunneling technology is a basic VPN technology similar to the point-to-point connection technology. It establishes a data channel (Tunnel) in the public network to transmit data packets through this tunnel. Tunnel is formed by the tunnel protocol, which is divided into the second and third layer tunnel protocols. The second layer tunnel protocol encapsulates various network protocols into PPP, and then loads the entire data packet into the tunnel protocol. Data Packets formed by this double-layer encapsulation method are transmitted by the second-layer protocol. L2 tunnel protocols include l2f, PPTP, and L2TP. The L2TP protocol is currently the IETF standard, formed by IETF's integration of PPTP and l2f.

The layer-3 tunnel protocol directly loads various network protocols into the tunnel protocol, and the data packets formed are transmitted through the layer-3 protocol. Layer-3 tunneling protocols include VTP and IPSec. IPSec (IP Security) is composed of a group of RFC documents, defining a system to provide security protocol selection and securityAlgorithmTo ensure that the service uses keys and other services to provide security at the IP layer.

2. encryption and decryption technology:

Encryption and decryption technology is a mature technology in Data Communication. VPN can directly use the existing technology.

3. Key Management Technology:

The main task of key management technology is to securely transmit keys on the public data network without being stolen. The current key management technology is divided into skip and ISAKMP/Oakley. Skip uses the Diffie-Hellman algorithm to transmit keys over the network. In ISAKMP, both parties have two keys for public and private use.

4. User and device identity authentication technology:

User and device identity authentication is the most common method of user name and password or card authentication.

Block Security Vulnerabilities

Security is the core issue of VPN. At present, VPN security assurance is mainly implemented through firewall technology, router configuration using tunneling technology, encryption protocol and security key, which can ensure that enterprise employees can access the company's network safely.

However, if an enterprise's VPN needs to be extended to remote access, it should be noted that these direct or always online connections to the company's network will be the main target of hacker attacks. Remote employees can access the company's budget, strategic plans, Engineering Projects and other core contents through personal computers outside the firewall, which constitutes a weakness in the company's security defense system. Although employees can increase work efficiency and reduce the time spent on transportation, but it also provides countless opportunities for hackers, competitors, and commercial espionage to enter the company's core network.

However, enterprises do not pay enough attention to the security of long-distance work. Most companies believe that the company's network is safe after a network firewall, employees can dial into the system, and the firewall will reject all illegal requests; some network administrators believe that, it is safe to establish a firewall for the network and provide VPN for employees so that they can dial into the company network through an encrypted tunnel. These opinions are all incorrect.
Working at home is good, but from the security point of view, it is a great threat, because most of the security software used by the company does not provide protection for home computers. Some employees only access a home computer and follow it to access the company's network system through an authorized connection. Although the company's firewall can isolate intruders and ensure information security between the main office and home office VPN. But the problem is that the attacker can access the network through a trusted user. Therefore, the encrypted tunnel is secure and the connection is correct, but this does not mean that the home computer is secure.

Hackers need to detect IP addresses to intrude into employees' home computers. Statistics show that IP addresses using dial-up connections are scanned by hackers almost every day. Therefore, if the Home Office staff has an uninterrupted connection link such as DSL (usually this connection has a fixed IP address), it will make hacker intrusion easier. Because the dial-up connection is assigned different IP addresses each time it is accessed, although it can also be intruded, it is relatively difficult. Once a hacker intrude into a home computer, he can remotely run the employee's VPN Client software. Therefore, there must be corresponding solutions to block remote access to VPN security vulnerabilities, so that the connection between employees and the network can fully reflect the advantages of VPN, and will not become a security threat. Installing a personal firewall on a personal computer is an extremely effective solution that prevents illegal intruders from accessing the company's network.

Of course, there are some practical solutions for remote staff:

* All remote staff must be authorized to use VPN;

* All remote staff must have a personal firewall, which not only prevents computer intrusion, but also records the number of times the connection has been scanned;

* All remote staff should have an intrusion detection system and provide records of hacker attack information;

* Monitors the software installed in the remote system and limits it to work only;

* It personnel need to perform the same booking check on these systems as office systems;

* Outgoing staff should encrypt sensitive files;

* Access Control requiring password input during installationProgramIf the password is incorrect, an alarm is sent to the system administrator through modem;

* When selecting a DSL supplier, you should select a vendor that can provide security protection.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.