Monday, September 27, 2010

The new driving forces behind VPN



VPN did not appear overnight; from IPSec to SSL, it has gone through a great deal of technical evolution. However, the value of any security technology lies in how it is applied. The integration of VPN with enterprise business has pushed enterprise perimeter security forward, and as business development moves out to the edge and integrates with external supply chains, it will drive a new round of VPN technology evolution.

Driving force 1: Trusted VPN

VPN's original purpose was to provide a secure channel so that remote users could reach the private network. But in today's computing environment, the devices trying to reach the corporate network may be managed or unmanaged, and network administrators have no prior knowledge of where they come from. In particular, with the growth in mobile VPN users, teleworkers and road warriors reaching the internal network through IPSec VPN client software have drawn attention to potential security problems inside the network.

If a user can reach a host inside the network through the VPN, but that host itself is insecure (already infected, or simultaneously connected to an insecure network through a split tunnel, etc.), it brings a serious threat to the internal network. Moreover, an attacker can use the VPN's encryption to pass through the firewall, so that the firewall cannot detect or control their behaviour.

In addition, most existing intranet behaviour-control and internal network security products consider only the security of the local LAN, that is, monitoring and controlling the access behaviour of hosts on the LAN; they do not address the security of the whole network when business crosses the perimeter at scale.

In fact, Juniper's security experts have said that because a VPN can be established from a public computer, the corporate network may face additional risks, and this is particularly noticeable with SSL VPN. In addition, public computers may not support two or more authentication methods, because they lack a smart card reader or have their USB ports disabled.

Against this background, TPN (Trusted Private Network), a private network built on trust, began to appear. Kanghao Jiang, a security expert at Anda Tong, said in an interview that current TPN technology integrates security gateway technology with endpoint security technology, and leverages globally deployed unified management, in order to achieve comprehensive, multi-level security.

It is reported that in a TPN system, any host accessing the network must pass mandatory user authentication and host authentication. Only after a host has been classified as a trusted host can it access system resources. Basically, a trusted host is one whose risk is managed. The state of such a managed host is the responsibility of the IT administrators and users who configure it. If a trusted host is mismanaged, it is likely to become the weak point of the whole solution.

When a host is considered trusted, other trusted hosts can reasonably assume that it will not initiate malicious actions. For example, a trusted host should not expect other trusted hosts to attack it with viruses, because all trusted hosts are required to use some mechanism to mitigate the virus threat (such as anti-virus software).

Kanghao Jiang stressed that such a trusted state is not static; it is only a transitional state that changes as corporate security standards change, and the host must continue to meet those standards. As new threats and new defences keep emerging, the organization's management system must constantly check trusted hosts to keep them in line with the standards. In addition, when needed, these systems must be able to push updates or configuration changes to help maintain the trusted state. Only a host that continues to comply with all security requirements may be considered a trusted host.

According to reports, the trusted private network applies mandatory authentication to TPN hosts and users, and uses a "user - role - resource" authorization mechanism to address "internal network threats", "perimeter threats", "host threats" and "access threats" systematically. The role is the hub of communication between users and services: using roles avoids binding users directly to services, reduces the amount of configuration work, and improves the maintainability of policies. A user can be assigned to multiple roles, and each role can contain more than one user. For each service, the roles allowed to access it can be set.

When an enterprise user accesses a network protected by a TPN system, the first step is "mandatory identity authentication" (the client can also log in to the TPN system through Web-based authentication). After authentication passes, the TPN security gateway dynamically forms a "tuple + time" dynamic access control policy, based on the user's resource access rights and the characteristics of the PC the user logged in from (IP / port). The dynamic access control policy is short-lived: when the user has been inactive for a period of time, the policy becomes invalid and the user must re-authenticate, after which the TPN security gateway again creates a dynamic access control policy for the user.

It is not difficult to see why a TPN system can be more secure than a plain VPN: it applies the same access control to mobile users and remote LANs coming in over the VPN as it does to local users. For example, when a VPN user establishes an encrypted tunnel to the headquarters' TPN security gateway, the gateway performs a security assessment of the remote host. If it finds a threat, or the host does not meet the security level headquarters requires for access (for instance, it is unpatched), the host is not allowed to access headquarters. This is the so-called "VPN access control" technology.
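To make the TPN flow described in the preceding paragraphs concrete, here is an added example (not code from the article or from any TPN vendor) modelling mandatory user plus host authentication, a host posture check, the "user - role - resource" authorization mapping, and the short-lived "(client IP, client port) + time" policy that expires after idle time and must be re-created by re-authenticating. All names, the posture rules, the credential store and the idle timeout are assumptions chosen for this illustration.

```python
"""Model of a TPN-style gateway: mandatory identity + host check, role-based
authorization, and a dynamic access policy keyed by (src IP, src port) that
expires after inactivity.  Added illustration; not a vendor's implementation."""
from dataclasses import dataclass

IDLE_TIMEOUT = 600  # seconds of inactivity before a dynamic policy expires (assumed value)

# "user - role - resource": users map to roles, roles map to services.
USER_ROLES = {"alice": {"finance", "staff"}, "bob": {"staff"}}
ROLE_SERVICES = {"finance": {"erp", "file-server"}, "staff": {"mail", "intranet"}}
SERVICE_ADDR = {"erp": ("10.0.1.10", 8000), "file-server": ("10.0.1.20", 445),
                "mail": ("10.0.2.10", 993), "intranet": ("10.0.2.20", 443)}

REQUIRED_PATCH_LEVEL = 3  # minimum patch level headquarters demands (assumed)


@dataclass
class HostPosture:
    host_id: str
    host_cert_valid: bool   # host authentication (e.g. a machine certificate)
    patch_level: int
    antivirus_running: bool
    split_tunnel: bool      # simultaneously attached to an untrusted network


def host_is_trusted(p: HostPosture) -> bool:
    """Host authentication plus the posture checks the gateway applies on every login.
    Trust is re-evaluated each time, never granted permanently."""
    return (p.host_cert_valid and p.patch_level >= REQUIRED_PATCH_LEVEL
            and p.antivirus_running and not p.split_tunnel)


@dataclass
class DynamicPolicy:
    user: str
    src_ip: str
    src_port: int
    allowed: set           # (dst_ip, dst_port) pairs derived from the user's roles
    last_activity: float   # the "time" part of "tuple + time"


class TpnGateway:
    def __init__(self):
        self.policies = {}  # keyed by (src_ip, src_port)

    def authenticate(self, user, password, creds, posture, src_ip, src_port, now):
        """Mandatory identity check and host check; on success a dynamic policy is formed."""
        if creds.get(user) != password or not host_is_trusted(posture):
            return False
        allowed = set()
        for role in USER_ROLES.get(user, set()):
            for svc in ROLE_SERVICES.get(role, set()):
                allowed.add(SERVICE_ADDR[svc])
        self.policies[(src_ip, src_port)] = DynamicPolicy(user, src_ip, src_port, allowed, now)
        return True

    def permit(self, src_ip, src_port, dst_ip, dst_port, now):
        """Decide one flow. An idle policy is discarded, forcing re-authentication."""
        pol = self.policies.get((src_ip, src_port))
        if pol is None:
            return False
        if now - pol.last_activity > IDLE_TIMEOUT:
            del self.policies[(src_ip, src_port)]
            return False
        pol.last_activity = now
        return (dst_ip, dst_port) in pol.allowed


def demo():
    """Constructed scenario: an unpatched host is refused; a trusted host gets
    role-scoped access that lapses after the idle timeout."""
    creds = {"alice": "pw-alice", "bob": "pw-bob"}  # constructed credential store
    gw = TpnGateway()
    good = HostPosture("laptop-1", True, 4, True, False)
    bad = HostPosture("kiosk-7", True, 1, False, False)  # unpatched, no anti-virus
    r = {}
    r["bob_unpatched"] = gw.authenticate("bob", "pw-bob", creds, bad, "203.0.113.5", 50000, now=0)
    r["alice_auth"] = gw.authenticate("alice", "pw-alice", creds, good, "203.0.113.9", 50001, now=0)
    r["alice_erp"] = gw.permit("203.0.113.9", 50001, "10.0.1.10", 8000, now=10)
    r["alice_mail"] = gw.permit("203.0.113.9", 50001, "10.0.2.10", 993, now=20)
    r["alice_other"] = gw.permit("203.0.113.9", 50001, "10.0.9.9", 22, now=30)
    r["alice_after_idle"] = gw.permit("203.0.113.9", 50001, "10.0.1.10", 8000, now=30 + IDLE_TIMEOUT + 1)
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The point worth noticing is that the policy is keyed by the client's tuple and a timestamp rather than by the user alone: a stale policy cannot be reused by whoever later holds the same address, and every re-authentication repeats the host posture check, which is what keeps the "trusted" state transitional rather than permanent.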

At present, by applying this technology, an enterprise can ensure that external threats (such as Trojans, viruses, attacks, etc.) are not brought into the internal network by VPN users, preventing hackers from using those users as a "springboard" for attacks. Network administrators can also manage the security policy of the whole VPN network as one unified whole, just as they manage the local LAN, and manage behaviour network-wide rather than only on the local LAN.

In addition, for protection against threats to the enterprise network, TPN inherits traditional intranet behaviour management, gateway anti-virus and anti-spam technologies, and applies them to the whole enterprise network rather than just the LAN. Therefore, whether a user accesses from the local LAN or over the VPN, the TPN system applies the "mandatory identity" authentication mechanism, and an unauthenticated user cannot access any internal or external network resources.

Regarding this emerging technology, the IT manager of Xinhua Life Insurance Group said that for a large enterprise, the VPN TPN system can be used to control access so that only legitimate, trusted endpoint devices, such as the PCs, servers and agents' PDAs on the business network, are allowed onto the network, while other devices are denied. The new system's "TPN gateway" and "TPN client" form a linked defence system, avoiding the bottlenecks of relying on a single gateway defence or a single client-side defence, and reducing the pressure on enterprise IT departments.

In fact, Jinghui Wang, senior product manager at Digital China Networks, explained that the line between perimeter security and distributed security is blurred: for an insurance company, the information security of its agents is as important as the company's own, and that is the appeal of a controllable VPN.

Driving force 2: two major breakthroughs in SSL VPN

There were two major breakthroughs in SSL VPN this year. First, after Microsoft last year announced the acquisition of Whale, a US specialist vendor with leading-edge VPN and remote access security products, it launched a new VPN protocol in Windows Vista this year: SSTP (Secure Socket Tunneling Protocol).

It is reported that the new SSTP protocol is SSL-based and will appear in the upcoming Windows Longhorn Server Beta3 and in Windows Vista SP1. Microsoft's security experts say SSTP will be used to replace the PPTP and L2TP protocols and increase the flexibility of VPN access.

In fact, many business users who use the PPTP or L2TP protocols for VPN connections often find that the connection does not work, because a firewall or NAT router does not pass PPTP's GRE or L2TP's ESP traffic. For users, that VPN experience is certainly not a good one. What business users want is a VPN connection as easy to use as opening IE, and SSTP was created to solve this problem.

According to a Microsoft engineer, to avoid the impact of firewalls or NAT on VPN connections, SSTP establishes the VPN tunnel over HTTPS (SSL), and most firewalls allow outbound SSL access to pass. However, SSTP does not support site-to-site VPN; it is only suitable for remote-access clients connecting to a site.

In addition, as a supporter of the SSTP protocol, Jinghui described for the reporter the seven steps of a standard SSTP VPN connection:

First, the client and server establish a TCP connection across the Internet, on TCP port 443. Assume the client's IP address is 100.100.100.1 and the server's IP address is 200.200.200.1.

Second, once the TCP session is up, SSL negotiation takes place. During the SSL negotiation the client obtains and verifies the server's certificate (if validation fails, the connection is terminated). In this step the server does not verify the identity of the client.

Third, the client sends an HTTPS request to the server inside the encrypted SSL session.

Fourth, within the HTTPS session, the SSTP protocol starts operating: the client sends SSTP control packets, the client and server open their SSTP state machines, and a link is then established and communication begins at the PPP layer.

Fifth, the PPP session (established on top of SSTP over HTTPS) performs the initial PPP authentication. The method depends on the configured authentication algorithm; in general the server verifies the identity of the client, while the client's verification of the server is optional.

Sixth, once PPP authentication is complete, SSTP lets the client and server communicate through the VPN connection interface. This interface uses "internal IP" addresses, for example 192.168.1.2 for the client and 192.168.1.1 for the server. These addresses are configured on the RRAS server and are used to access the company's internal network.

Seventh, the client and server exchange packets through the SSTP VPN. Suppose the client (192.168.1.2) sends a packet to the server (192.168.1.1): SSTP hands the packet to the SSL layer for encryption, the SSL layer adds a new outer header (source address 100.100.100.1, destination address 200.200.200.1), and the packet is sent to the server through the Internet connection interface.
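The seven steps above can be followed with a small model. The following is an added example, not Microsoft's code or the article's: it walks the sequence with each side's action recorded, enforces the two checks the steps call out (the client verifies the server certificate at step 2 and the server verifies the client at step 5), and then shows step 7's layering, with the inner 192.168.1.x packet carried inside a protected record inside the outer 100.100.100.1 to 200.200.200.1 flow on port 443. The "SSL" layer here is a stand-in built from an HMAC-SHA256 keystream and tag so that the script runs offline; it is not TLS. The certificate fingerprint, handshake secret and PPP credentials are constructed values.

```python
"""Model of the seven-step SSTP connection sequence and of the packet
encapsulation in step 7.  Added illustration; the record protection is a
stand-in for SSL, not a real TLS implementation."""
import hashlib
import hmac

SSTP_PORT = 443
CLIENT_PUBLIC_IP, SERVER_PUBLIC_IP = "100.100.100.1", "200.200.200.1"
CLIENT_INNER_IP, SERVER_INNER_IP = "192.168.1.2", "192.168.1.1"   # from the RRAS address pool

TRUSTED_CA_FINGERPRINTS = {"sha256:constructed-ca-fp"}   # client trust store (constructed)
PPP_USERS = {"roadwarrior": "correct horse"}               # server user database (constructed)


def ssl_seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for SSL record protection: XOR with an HMAC-derived keystream, then a MAC tag."""
    stream, counter = b"", 0
    while len(stream) < len(plaintext):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def ssl_open(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag, then undo the keystream (XOR is symmetric)."""
    body, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("SSL record tampered")
    return ssl_seal(key, body)[:-32]


def sstp_connect(server_cert_fp: str, username: str, password: str):
    """Steps 1-6. Returns (event log, session) with session None on failure."""
    log = []
    # 1. TCP connection to port 443 across the Internet
    log.append(f"client: TCP {CLIENT_PUBLIC_IP} -> {SERVER_PUBLIC_IP}:{SSTP_PORT}")
    # 2. SSL negotiation: the client verifies the server certificate; the server
    #    does not verify the client at this layer
    if server_cert_fp not in TRUSTED_CA_FINGERPRINTS:
        log.append("client: server certificate rejected, connection terminated")
        return log, None
    session_key = hashlib.sha256(b"constructed-handshake-secret").digest()
    log.append("client: server certificate verified; SSL session established")
    # 3. HTTPS request inside the SSL session
    log.append("client: HTTPS request over SSL")
    # 4. SSTP control packets; both state machines open, PPP layer starts
    log.append("client: SSTP control packet (connect request)")
    log.append("server: SSTP control packet (connect ack); SSTP state machine open")
    # 5. PPP authentication: the server verifies the client
    if PPP_USERS.get(username) != password:
        log.append("server: PPP authentication failed, tunnel torn down")
        return log, None
    log.append("server: PPP authentication succeeded")
    # 6. Internal addresses assigned from the RRAS server's pool
    log.append(f"server: assigned internal IP {CLIENT_INNER_IP}; server is {SERVER_INNER_IP}")
    return log, {"key": session_key, "inner_ip": CLIENT_INNER_IP}


def send_inner_packet(session: dict, payload: bytes) -> dict:
    """Step 7, client side: the inner packet is sealed and the outer header
    carries only the public addresses and port 443."""
    inner = f"{session['inner_ip']}>{SERVER_INNER_IP}|".encode() + payload
    return {"outer_src": CLIENT_PUBLIC_IP, "outer_dst": SERVER_PUBLIC_IP,
            "outer_port": SSTP_PORT, "sealed": ssl_seal(session["key"], inner)}


def receive_outer_packet(session: dict, pkt: dict) -> tuple:
    """Step 7, server side: open the record and hand the inner packet to PPP."""
    inner = ssl_open(session["key"], pkt["sealed"])
    header, payload = inner.split(b"|", 1)
    src, dst = header.decode().split(">")
    return src, dst, payload


if __name__ == "__main__":
    events, sess = sstp_connect("sha256:constructed-ca-fp", "roadwarrior", "correct horse")
    print("\n".join(events))
    pkt = send_inner_packet(sess, b"GET /erp")
    print("outer:", pkt["outer_src"], "->", pkt["outer_dst"], "port", pkt["outer_port"])
    print("inner:", receive_outer_packet(sess, pkt))
```

From a monitoring standpoint the useful observation is in step 7: a middlebox between the public addresses sees only a TCP/443 flow with opaque payload, exactly why SSTP passes firewalls that block GRE or ESP, and also why the host-side checks of the previous section matter when the tunnel terminates inside the network.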

In fact, in many ways SSTP is configured through the server's RRAS (Routing and Remote Access Service) just like other VPN protocols. Currently SSTP communicates on TCP port 443 by default. SSTP will also be supported over IPv6.

According to Microsoft, IPv6 is installed and enabled by default in Vista and Longhorn. Multi-factor authentication, such as smart cards or SecurID tokens, is also supported as part of RRAS remote access policy. The Connection Manager Administration Kit (CMAK) can create different profiles for SSTP VPN connections.

In Jinghui's view, SSTP integrates support for NAP and also supports IPv6. In addition, SSTP uses a single-channel HTTPS connection; compared with traditional multi-channel implementations it offers better network utilization and better load-balancing performance. But he also believes that SSTP is currently not a standard, and its future remains to be seen.

The other major breakthrough in SSL VPN is the arrival of the "site-to-site" (Site2Site) era. Site-to-site SSL VPN technology first appeared at this year's RSA Conference. It should be said that this new technology breaks the long-standing situation in which secure access between two sites could only be achieved with IPSec; it gives enterprise users a more flexible and secure site-to-site access mode and secures the possibility of "extending applications to the network".

Dr. Naiding Xu, CTO of Array Networks, said in an interview that for traditional site-to-site VPN, IPSec VPN has been the only choice, but it cannot meet the needs of today's business environment: how to open a tunnel between two points in two different networks according to enterprise rules and IP addressing, and how to implement role-based, application-specific access control, have always been shortcomings that IPSec VPN could not address.

In contrast, the new site-to-site SSL VPN technology can establish an independent two-way encrypted channel between any two or more users, hosts or network sites, and enterprise network managers need not worry about security issues inside the network. At the same time, network administrators can set and control global user security from one location, eliminating the need to define several access control policies for the same user, and no longer need to set and maintain access control lists (ACLs) on core switches, SSL VPN devices and floor access switches. No doubt this technology greatly improves management efficiency and saves management cost.

Driving force 3: integration with ERP

Whether on the internal network or remote, VPN technology exists to serve business applications, and that is what has led to the integration of VPN with ERP systems.

According to the reporter's investigation, the VPN integration trend began as early as three years ago, but the technology and deployment conditions were not mature then. Judging by current trends, VPN-ERP integration has been achieved in many large enterprises and government agencies, and on this basis there are even signs of VPN being integrated with routers.

Wu Di, a security product manager at Sangfor, suggests that corporate IT staff should pay attention to the integration of VPN with ERP. Historically, ERP has been the enterprise's tool for handling business expansion and a growing number of branches; channels, partners and remote or mobile office requirements all belong to the ERP management paradigm (or are part of the business system). The core of ERP is integration with enterprise business, and an advanced VPN system is likewise integrated with business, which inevitably leads to a new technological revolution of "integration".

From a technical analysis, integrating the ERP remote management module with VPN makes business-based remote access possible. According to Jinghui Wang, whether the system uses a B/S (browser/server) model or a C/S (client/server) model, it can be integrated with either SSL VPN or IPSec VPN. Note, however, that in C/S mode the client and server do not use the TCP/IP protocol, the link bandwidth is usually in the 100K-500Kbps range, and since C/S architectures are often developed from a LAN starting point, without optimization for the WAN the bandwidth required may be as large as 3-5Mbps. Therefore, in this case, the throughput requirements on the VPN are high.

In addition, on support for enterprise applications, Jinghui said that IPSec and SSL differ in their ERP support, sometimes considerably. First, when a user tries to establish a VPN connection to the ERP system from a restaurant or similar location, a problem often encountered is that some network or firewall administrators have shut down the ports used by the VPN protocol. However, most networks allow secure HTTPS communication, so in this case SSL VPN still works properly, while other VPN protocols can do nothing. On the other hand, he also emphasized that using SSL VPN naturally cannot obtain the same level of access that other traditional VPN technologies provide.

In addition, based on experience, IPSec encrypts data at the IP layer, so it can protect all data transmitted end-to-end between sites, regardless of the type of business application. In other words, corporate headquarters, branch offices and the upstream and downstream supply chain can all use IPSec to establish secure channels between different LANs, and between remote clients and the central node, so its support for traditional ERP is broader.

It should be emphasized that in an ERP environment, user data is still transmitted over the public Internet, so encryption is very important and directly affects the security of user data. IPSec is the better technology in this respect.

In contrast, SSL is an application-layer protocol, and its main advantage lies in VPN client deployment and management: basically no client needs to be installed. The benefit is that if the company runs a B/S-based ERP application, the user can establish the SSL VPN simply through a browser.

However, this model also has limitations. For non-Web business access, SSL VPN often has to rely on application conversion. In particular, some SSL VPN products support very few application converters and agents, and some do not even support conversion for basic file server, FTP and Microsoft applications. This characteristic means that SSL VPN-based ERP applications cannot match the range of applications available on a LAN, so there are challenges when integrating the upstream and downstream supply chain.

Among ERP-with-VPN deployments, the application at the Jiangsu Provincial Grain Bureau is the most representative. The bureau's leadership said in an interview that when the Grain Bureau set up its ERP system, it found that because the grain depots under its jurisdiction were scattered throughout the province, collecting information was relatively cumbersome. For information security, the initial idea was to combine ERP data collection with VPN. It is reported that, according to the bureau's IT executives, the Jiangsu Provincial Grain Bureau has jurisdiction over dozens of local grain depots and sub-city bureaus, and using a unified IPSec VPN network it has successfully connected them securely to the central ERP office for data acquisition.

In this regard, Jinghui said that many companies want to leverage security services to enhance efficiency and competitiveness. Companies like the grain bureau, whose business is "fragmented and high-security", should use VPN technology to build a protection - detection - response system that can cover internal business systems and, later, intranet security as well.
