Dial-up and Virtual Private Network Setup: Virtual Private Networks | Part 3

Secure VPN — The protocols

A secure VPN tunnel uses cryptographic protocols to authenticate the sender and protect the integrity of the message, in order to protect privacy. Once selected, deployed and used correctly, these techniques can provide secure communications over insecure networks. Secure VPN technologies should be used as a “security overlay” on top of dedicated network infrastructure. The most popular protocols that implement a secure VPN are:

  • IPsec (IP security), commonly used over IPv4 (a mandatory part of IPv6).
  • PPTP (Point-to-Point Tunneling Protocol), developed by Microsoft.
  • SSL/TLS, used either to tunnel the entire network, as in the OpenVPN project, or essentially to secure a web proxy. SSL is a framework, very often associated with electronic commerce, that has proved highly flexible and is therefore used as the security implementation for various (more or less standard) virtual private networks.
  • VPN Quarantine: the VPN client machine at the far end of the tunnel can be a source of attack, independently of the VPN's design. Some solutions provide VPN Quarantine services that check the remote computer; the client is kept in quarantine until the infection has been removed.
  • MPVPN (Multi Path Virtual Private Network), a registered trademark owned by Ragula System Development Company.
  • ISPs now offer VPN services for companies that want the security and convenience of a VPN. In addition to providing remote workers with secure access to the internal network, other security and management services are sometimes included.

These mechanisms by themselves do not implement a virtual network, but only a secure conversation between two endpoints. In these cases the virtual network mechanism must be implemented through a separate protocol, which is then encapsulated. There is now a fair number of alternative approaches (naturally, mutually incompatible) to this scheme, among which we can mention the following.

  • SOCKS protocol: this approach is the “standard” one, since SOCKS is an IETF standard for generic firewall traversal defined in RFC 1928.
  • OpenVPN provides an executable that creates an encrypted tunnel with another instance of the same program on a remote computer, and can carry the entire TCP/IP stack.
  • Another widely used approach uses the SSH protocol, which, like OpenVPN, can create a tunnel between two connected machines. This feature was created to carry X Window traffic, but it was implemented in a general way and can be used to carry any protocol.
  • The approach now taken by all firewall vendors is rather to use TLS to secure communication with a proxy that is accessed through the browser. The secure channel is in reality usually implemented through a Java applet or an ActiveX object, which can be installed in a way that is almost transparent to the end user. The resulting ease of management makes this approach particularly popular in complex organizations.

Some VPNs do not rely on secure encryption algorithms but instead assume that a single trusted entity manages the entire network; the channels are then considered secure because nobody else has access to the network's global traffic, since the network operator delivers to each party only the traffic of its own VPN.

The protocols that follow this philosophy include:

  • L2F (Layer 2 Forwarding), developed by Cisco.
  • L2TP (Layer 2 Tunnelling Protocol), developed in collaboration between Microsoft and Cisco.
  • L2TPv3 (Layer 2 Tunneling Protocol version 3). Trusted VPNs do not use “tunneling” in this sense and instead rely on the cryptographic security of a single network provider to protect traffic. In a sense, this is an elaboration of a wired network.
  • Multi Protocol Label Switching (MPLS) is often used to build a trusted VPN.

Well-structured VPN — Benefits for companies

A well-structured VPN can offer great benefits to a company:

  • Extends geographic connectivity
  • Improves security where data lines have not been encrypted
  • Reduces transaction costs
  • Reduces transit time and transportation costs for remote clients
  • Simplifies the network topology, at least in certain scenarios
  • Provides the possibility of global networks
  • Provides network support
  • Provides compatibility with broadband networks
  • Provides faster ROI (payback time) compared to traditional WAN transport lines
  • Shows good economies of scale

However, since the VPN thus extends the “mother network” with a wealth of machines and devices, some aspects of the security implementation deserve special attention: client-side security must be tight and strengthened. This is achieved through central client administration and security policy enforcement.

A company that needs each employee to be able to work outside the office over the VPN must first of all install a firewall certificate. Some organizations with sensitive data require employees to use two different WAN connections: one for working on sensitive data and one for all other uses:

  • Access to the target network should be limited
  • Logging policies should be considered and, in most cases, logs should be kept

In situations where companies or individuals have legal requirements to keep information confidential, there may be legal or criminal consequences. Two examples are the HIPAA regulations in the U.S. on keeping data safe, and in the European Union the general regulations that apply to all commercial and accounting information and extend to those who share these data.

One way to reduce the consequences of a stolen laptop is to use one of the mobile thin clients available on the market. These allow employees to remotely access secure and confidential databases with less risk of losing data or compromising its confidentiality.

Tunneling

Tunneling is the transmission of data over a public network in such a way that the routing nodes of the public network cannot detect that the transmission is part of a private network.

Tunneling thus allows the public network to carry data on behalf of clients authorized to access the private network, so that the end-to-end communication between users remains, at the logical level, confined within the same private network.

Typically, the tunnel is created by encapsulating the data and its protocol inside the protocol of the public network, so that the data passing through the tunnel is not understandable to others who may be observing the transmission.
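As an added example (not part of the original post, the eukhost article or the Wikipedia text it quotes), the Python below sketches two ideas from this page together: the encapsulation just described, where routers on the public network see only the outer header, and the keyed authentication and integrity check that the secure VPN section attributes to cryptographic tunnel protocols. The protocol number, addresses and shared key are constructed, and encryption is deliberately left out, so this illustrates the mechanism rather than a usable VPN.

```python
import hashlib
import hmac
import socket
import struct

TUNNEL_PROTO = 253  # constructed: IANA number reserved for experimentation
TAG_LEN = 32        # HMAC-SHA256 tag length

def ipv4_checksum(hdr):
    """One's-complement sum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src, dst, proto, payload):
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    """Return the fields a router on the public network actually sees."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total_len]}

def encapsulate(inner_pkt, key, outer_src, outer_dst):
    """Wrap a private packet in a public one; the appended HMAC over the inner
    packet lets the receiver authenticate the sender and detect tampering."""
    tag = hmac.new(key, inner_pkt, hashlib.sha256).digest()
    return ipv4_packet(outer_src, outer_dst, TUNNEL_PROTO, inner_pkt + tag)

def decapsulate(outer_pkt, key):
    """Verify the tag and return the parsed inner packet; reject on any mismatch."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != TUNNEL_PROTO or len(outer["payload"]) <= TAG_LEN:
        raise ValueError("not a tunnel packet")
    inner, tag = outer["payload"][:-TAG_LEN], outer["payload"][-TAG_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("authentication/integrity check failed")
    return parse_ipv4(inner)

# Constructed sample: a private 10.0.0.0/8 packet carried between two public
# tunnel endpoints (TEST-NET addresses), protected with a constructed shared key.
KEY = b"constructed-shared-secret"
INNER = ipv4_packet("10.0.1.5", "10.0.2.9", 17, b"private payload")
OUTER = encapsulate(INNER, KEY, "203.0.113.10", "198.51.100.20")
```

Inspecting `parse_ipv4(OUTER)` shows only the public endpoint addresses, while `decapsulate(OUTER, KEY)` recovers the private 10.x addresses; a flipped bit in the inner packet or a wrong key makes `decapsulate` raise.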

Solution for the security of a VPN

The most important part of the VPN solution.

The very nature of VPNs – to pass private data over public networks – requires attention to potential threats to the data and to the impact of its loss. A VPN addresses all types of security threats by offering security services in the following areas. Authentication (access control):

Authentication is the process of ensuring that a client or a system is indeed who it claims to be. There are many types of authentication mechanisms, but the most common are:

  • Something you know (an ID, password, PIN)
  • Something you have (e.g. a machine-readable token such as a smart card)
  • Something you are (retina, fingerprints)

Login and password authentication is generally considered weak. Strong authentication can be obtained by combining two different types of authentication. The actual level of security of course depends on the context, because a smart card can be stolen, and login credentials may not be difficult to discover. Stolen or lost security data may enable further attacks and require additional authentication schemes. No technique offers complete authentication security; even biometrics (fingerprints, voice prints, retinal mapping) are not completely safe in that respect.

Source: From Wikipedia, the free encyclopedia. The text is available under the Creative Commons license.

Translated from: https://www.eukhost.com/blog/webhosting/virtual-private-network-part-3/

