Помощничек
Главная | Обратная связь


Археология
Архитектура
Астрономия
Аудит
Биология
Ботаника
Бухгалтерский учёт
Войное дело
Генетика
География
Геология
Дизайн
Искусство
История
Кино
Кулинария
Культура
Литература
Математика
Медицина
Металлургия
Мифология
Музыка
Психология
Религия
Спорт
Строительство
Техника
Транспорт
Туризм
Усадьба
Физика
Фотография
Химия
Экология
Электричество
Электроника
Энергетика

Virtual private network



A virtual private network (VPN) is a private communications network often used by companies or organizations to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider. A VPN can send data (e.g., voice, data or video, or a combination of these media) across secured and encrypted private channels between two points.

[edit] Authentication mechanism

VPN can be a cost effective and secure way for corporations to provide users access to the corporate network and for remote networks to communicate with each other across the Internet. VPN connections are more cost-effective than dedicated private lines. Usually a VPN involves 2 parts: the protected or "inside" network, which provides physical and administrative security to protect the transmission; and a less trustworthy, "outside" network or segment (usually through the Internet). Generally, a firewall sits between a remote user's workstation or client and the host network or server. As the user's client establishes the communication with the firewall, the client may pass authentication data to an authentication service inside the perimeter. A known trusted person, sometimes only when using trusted devices, can be provided with appropriate security privileges to access resources not available to general users.

[edit] Types

Secure VPNs use cryptographic tunneling protocols to provide the intended confidentiality (blocking snooping and thus Packet sniffing), sender authentication (blocking identity spoofing), and message integrity (blocking message alteration) to achieve privacy. When properly chosen, implemented, and used, such techniques can provide secure communications over unsecured networks. This has been the usually intended purpose for VPN for some years.

Because such choice, implementation, and use are not trivial, there are many insecure VPN schemes available on the market.

Secure VPN technologies may also be used to enhance security as a "security overlay" within dedicated networking infrastructures.

Secure VPN protocols include the following:

§ IPsec (IP security) - commonly used over IPv4, and an obligatory part of IPv6.

§ SSL/TLS used either for tunneling the entire network stack, as in the OpenVPN project, or for securing what is, essentially, a web proxy. A major practical advantage of an SSL-based VPN is that it can be accessed from any public wireless access point that allows access to SSL-based e-commerce websites, whereas other VPN protocols may not work from such public access points. OpenVPN, an open standard VPN. Clients and servers are available for all major operating systems.

§ PPTP (Point-to-Point Tunneling Protocol), developed jointly by a number of companies, including Microsoft.

§ L2TP (Layer 2 Tunneling Protocol), which includes work by both Microsoft and Cisco.

§ L2TPv3 (Layer 2 Tunneling Protocol version 3), a new release.

§ VPN Quarantine The client machine at the end of a VPN could be a threat and a source of attack; this has no connection with VPN design and is usually left to system administration efforts. There are solutions that provide VPN Quarantine services which run end point checks on the remote client while the client is kept in a quarantine zone until healthy. Microsoft ISA Server 2004/2006 together with VPN-Q 2006 from Winfrasoft or an application called QSS (Quarantine Security Suite) provide this functionality.

§ MPVPN (Multi Path Virtual Private Network). MPVPN is a registered trademark owned by Ragula Systems Development Company. See Trademark Applications and Registrations Retrieval (TARR)

Some large ISPs now offer "managed" VPN service for business customers who want the security and convenience of a VPN but prefer not to undertake administering a VPN server themselves.

Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic. In a sense, these are an elaboration of traditional network and system administration work.

§ Multi-Protocol Label Switching (MPLS) is often used to build trusted VPN.

§ L2F (Layer 2 Forwarding), developed by Cisco, can also be used.

Mobile VPNs are VPNs designed for mobile and wireless users. They integrate standards-based authentication and encryption technologies to secure data transmissions to and from devices and to protect networks from unauthorized users. Designed for wireless environments, Mobile VPNs are designed as an access solution for users that are on the move and require secure access to information and applications over a variety of wired and wireless networks. Mobile VPNs allow users to roam seamlessly across IP-based networks and in and out of wireless coverage areas without losing application sessions or dropping the secure VPN session.

However, since VPNs extend the "mother network" by such an extent (almost every employee) and with such ease (no dedicated lines to rent/hire), there are certain security implications that must receive special attention:

§ Security on the client side must be tightened and enforced, lest security be lost at any of a multitude of machines and devices. This has been termed Central Client Administration, and Security Policy Enforcement. It is common for a company to require that each employee wishing to use their VPN outside company offices (eg, from home) first install an approved firewall (often hardware).

§ The scale of access to the target network may have to be limited.

§ Logging policies must be evaluated and in most cases revised.

A single breach or failure can result in the privacy and security of the network being compromised. In situations in which a company or individual has legal obligations to keep information confidential, there may be legal problems, even criminal ones, as a result. Two examples are the HIPAA (the Health Insurance Portability and Accountability Act) regulations in the U.S. with regard to health data, and the more general European Union data privacy regulations which apply to even marketing and billing information and extend to those who share that data elsewhere.

One way to reduce the consequences from a lost or stolen laptop is to use one of the thin client laptops now sold by several companies. These can allow mobile workers to access security-sensitive databases with less risk of lost or compromised data should the laptop be lost or stolen since it has no local storage.

[edit] Tunneling

Tunneling is the transmission of data through a public network in such a way that routing nodes in the public network are unaware that the transmission is part of a private network. Tunneling is generally done by encapsulating the private network data and protocol information within the public network protocol data so that the tunneled data is not available to anyone examining the transmitted data frames. Port forwarding is one aspect of tunneling in particular circumstances.

[edit] Security dialogues

The most important part of a VPN solution is security. The very nature of VPNs — putting private data on public networks — raises concerns about potential threats to that data and the impact of data loss. A Virtual Private Network must address all types of security threats by providing security services in the areas of:

Authentication (access control) - Authentication is the process of ensuring that a user or system is who the user claims to be. There are many types of authentication mechanisms, but they all use one or more of the following approaches:

§ something you know: a login name, a password, a PIN

§ something you have: a computer readable token (i.e., a Smart card), a card key

§ something in you: fingerprint, retinal pattern, iris pattern, hand configuration, etc

Generally, systems use only of one of these components, usually a login name/password sequence. Strong authentication is usually taken to combine at least two authentication components from different areas (i.e., two-factor authentication).

Privacy policy

§About Wikipedia

§Disclaimers

 




Поиск по сайту:

©2015-2020 studopedya.ru Все права принадлежат авторам размещенных материалов.