VPN is the abbreviation of Virtual Private Network; in Chinese it is translated as "virtual private network", also called "virtual dedicated network".
As the name suggests, a virtual private network can be understood as a virtual line created for an enterprise's internal use. Using a special encrypted communication protocol, it establishes a private communication channel between two or more corporate intranets located in different places and connected to the Internet. This channel behaves like a dedicated line, but no physical wiring such as optical cable has to be laid. It is like applying to the telecommunications bureau for a leased line without paying for the line to be laid or buying routers and other hardware. VPN is an important technology in routers; at present switches, firewalls, and software such as Windows 2000 also support VPN functions. In a word, the core of VPN is using the public network to build a virtual private network.
For different user requirements, VPN has three solutions: the remote access virtual network (Access VPN), the enterprise internal virtual network (Intranet VPN), and the enterprise extended virtual network (Extranet VPN). These three types correspond respectively to the traditional remote access network, the intranet within an enterprise, and the extranet between the enterprise network and its partners' networks.
A VPN gateway is a device that implements a LAN-to-LAN (local area network to local area network) connection. Literally, it performs two main functions: VPN and gateway. Broadly speaking, any device that supports VPN, such as a router or a firewall, can be counted as a VPN gateway. Common VPN gateway products today include the simple VPN gateway, the VPN router, the VPN firewall, the VPN server, and similar products.
A typical VPN gateway product should have the following features:
It should integrate the functions of a packet-filtering firewall and an application-proxy firewall.
Enterprise VPN products developed from firewall products, so firewall functionality has become a core part of their basic capabilities. If the VPN and the firewall are stand-alone products, making them work together raises many difficult problems: firewalls and VPNs from different manufacturers may not interoperate, firewall security policy may be impossible to formulate (because the VPN encrypts and encapsulates IP packets), or there may be performance losses, for example the firewall being unable to use NAT. If the two functions are integrated in one product, these problems do not exist or can be solved easily.
A VPN should have an open architecture.
Once a VPN is deployed in the enterprise, behind the Internet-connected router or acting as the router itself, it becomes the most important portal for protecting the security of the enterprise's internal assets. Many security features, such as intrusion detection, virus detection, identity authentication, and permission checking, must be completed by the VPN or by related products working together with the VPN. Therefore the VPN must be able to cooperate with third-party security products according to an open standard.
It should have sound authentication management.
A VPN system should support standard authentication methods such as RADIUS (Remote Authentication Dial In User Service), PKI-based (Public Key Infrastructure) certificate authentication, emerging biometric technologies, and so on. For a large-scale VPN system, a PKI/KMI key management center, an LDAP directory service covering the entities (personnel, equipment, applications), and the use of standard strong authentication technology (tokens, IC cards) are necessary conditions for the successful implementation and normal operation of the VPN system.
VPNs should provide interfaces for third-party products.
When a user deploys a client-to-LAN VPN scheme, the VPN product should provide a standard feature or an exposed API (application programming interface) so that user information can be imported directly from the corporate database. Otherwise, creating and managing users one by one is unthinkable for an enterprise with thousands or even tens of thousands of SOHO and mobile office workers.
VPN gateways should have an IP filtering language and should filter packets according to their attributes.
Packet attributes include the source and destination IP address, the protocol type, the source and destination UDP port, the TCP ACK bit, the inbound and outbound network interface, and so on.
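As an added illustration (not code from the original article) of filtering on the packet attributes just listed, here is a small first-match rule evaluator in Python; the rules, address ranges, ports and sample packets are constructed assumptions, and the ACK-bit rule shows how a gateway can admit only replies to sessions opened from inside.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int; ack: bool; iface: str

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # source network (CIDR)
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    proto: Optional[str] = None  # "tcp", "udp", "esp", ... ; None = any
    dport: Optional[int] = None  # destination port; None = any
    ack: Optional[bool] = None   # True = only TCP packets with ACK set (replies)
    iface: Optional[str] = None  # "inbound" or "outbound"; None = any

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.ack is None or self.ack == p.ack)
                and (self.iface is None or self.iface == p.iface))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed rule set for a headquarters gateway: HQ LAN 10.1.0.0/16, branch LAN 10.2.0.0/16.
RULES = [
    Rule("allow", proto="udp", dport=500, iface="inbound"),            # IKE negotiation
    Rule("allow", proto="esp", iface="inbound"),                       # encrypted tunnel traffic
    Rule("allow", src="10.1.0.0/16", dst="10.2.0.0/16", proto="tcp",
         dport=443, iface="outbound"),                                 # HQ may open HTTPS to branch
    Rule("allow", src="10.2.0.0/16", dst="10.1.0.0/16", proto="tcp",
         ack=True, iface="inbound"),                                   # branch may only answer
]

def decide(src, dst, proto, sport, dport, ack, iface) -> str:
    return filter_packet(RULES, Packet(src, dst, proto, sport, dport, ack, iface))

if __name__ == "__main__":
    print(decide("10.2.5.5", "10.1.2.2", "tcp", 443, 51000, True, "inbound"))   # allow (reply)
    print(decide("10.2.5.5", "10.1.2.2", "tcp", 51000, 22, False, "inbound"))   # deny (new SSH)
```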
A complete VPN system typically includes the following units:
VPN server: a computer or device that receives and authenticates VPN connection requests and encapsulates and decapsulates the data.
VPN client: a computer or device that initiates VPN connection requests and likewise encapsulates and decapsulates the data.
VPN data channel: a data connection built on top of a public network.
Note that once the VPN connection is established, the so-called server and client play the same role in communication; the only difference is which side initiated the connection.
What functions can a VPN implement?
First, although DDN technology can interconnect enterprise sites, its rental cost is high; ADSL broadband is cheap, but it only gives the enterprise access to the Internet and cannot interconnect enterprise sites by itself. A VPN makes economical and secure interconnection between enterprise sites possible: the enterprise can use the ubiquitous Internet to exchange data conveniently and efficiently.
Second, although the Internet makes it convenient for an enterprise to access its data, its high openness and loose management also expose the enterprise to serious network security problems. By applying encryption to the data transmitted through the VPN tunnel, the user ensures that the data can be understood only by the designated sender and receiver, which guarantees the privacy and security of the data.
VPN Usage Restrictions
First, if a VPN is built between the company's internal LAN and the external network, the network card that connects the server to the Internet must obtain a public network address; address translation (NAT) cannot be used on it.
Second, the end where the VPN server is installed must have a fixed IP address, and the client must know the server's IP address in advance in order to initiate the connection. Most broadband Internet users have an IP address that changes, so the dynamic IP address must be converted into a static one.
Dynamic IP users can combine a dynamic domain name resolution service with the VPN scheme to resolve the dynamic IP address as if it were static.
Three VPN Deployment Scenarios
1. Pure software: the headquarters installs the VPN headquarters software gateway, each branch installs the VPN branch gateway, and mobile users (including notebooks used outside the office and remote stand-alone machines) install the VPN client. This scheme applies to the Microsoft NT system and desktop systems, as well as to VPN server and client software developed by third parties.
2. The headquarters uses a firewall with VPN functions, the branches use broadband routers with VPN functions, and mobile users (including notebooks used outside the office and remote stand-alone machines) install the VPN client that comes with the firewall. Compared with VPN-enabled broadband routers, VPN firewalls are more professional devices; well-known products include NetScreen, Nokia, and others. These products can support more than 100 VPN connections, offer higher data throughput, and are suitable for the network core of enterprise organizations.
3. The headquarters uses a broadband router with VPN functions, the branches can also use broadband routers with VPN functions, and mobile users (including notebooks used outside the office and remote stand-alone machines) use the VPN client that comes with Windows.
Larger organizations can choose the second option, which offers higher network performance: because VPN encryption and decryption are used, the data transfer speed is reduced accordingly. For small enterprises the third scheme is generally sufficient, and the market offers a rich choice of such products.