VPN Technology and Applications

Contents
- The concept of VPN and its applications
- Introduction to IPsec technology
- IPsec in the enterprise
- Introduction to SSL VPN technology

The Concept of VPN
A virtual private network (VPN) is an encrypted connection between private networks over a public network such as the Internet.
[Diagram: a central site with a server connected over the Internet to a mobile user and to remote sites, using analog, ISDN, cable or DSL access.]

Classification by Structure
- Remote Access VPN
- Site-to-Site VPN

Remote Access VPN
Remote access VPN is an extension/evolution of dial-up access.
[Diagram: SOHO workers, telecommuters, mobile users and consumer-to-business extranet users connect through a POP over DSL or cable, across the Internet, to a router at the center site. Remote access clients: Cisco VPN 3000 Gateway, VPN Client, or an HTML-based manager.]
SSL web-based VPN is one form of remote access VPN.

Site-to-Site VPN
Site-to-site VPN is an extension of the classic WAN.
[Diagram: intranet sites and extranet (business-to-business) sites connect through a router and POP over DSL or cable, across the Internet, to the central site.]

What Is IPSec?
IPSec is an IETF standard that enables encrypted communication between peers:
- Consists of open standards for securing private communications
- Network layer encryption ensuring data confidentiality, integrity, and authentication
- Scales from small to very large networks
- Available in Cisco IOS software version 11.3(T) and later
- Included in PIX Firewall version 5.0 and later

IPSec VPN Features
- Data confidentiality
- Data integrity
- Data origin authentication
- Anti-replay

IPSec Transforms
An IPSec transform specifies either an AH or an ESP protocol and its corresponding algorithms and mode.

Confidentiality (Encryption)
[Diagram: a quarterly report sent in cleartext across the Internet can be read by an eavesdropper: "This quarterly report does not look so good. Hmmm . . . ."]

Types of Encryption
[Diagram: the cheque "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" is encrypted to the ciphertext "4ehIDx67NMop9eR U78IOPotVBn45TR" before crossing the Internet; the eavesdropper "cannot read a thing". The receiver decrypts it back to the original cheque.]

Diffie-Hellman (DH) Key Exchange
Terry and Alex each combine their own private key with the other's public key: public key A + private key B gives shared secret key (BA), and public key B + private key A gives shared secret key (AB). The two results are equal, so both sides hold the same key without ever sending it across the Internet. That shared key is then used to encrypt and decrypt the cheque.

Encryption Algorithms
- DES
- 3DES
- RSA
[Diagram: an encryption key transforms the cheque into ciphertext and a decryption key transforms it back.]

Data Integrity
[Diagram: "Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars" is altered in transit to "Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars" ("Yes, I am Alex Jones"). The hash of the original (4ehIDx67NMop9) no longer matches the hash of the received message (12ehqPx67NMoX). Match = no changes; no match = alterations.]

Hash Algorithm
The sender transmits message + hash. The receiver runs the received message through the same hash function and compares the result with the received hash.

Hashed Message Authentication Codes (HMAC)
On the local side, a variable-length input message and a shared secret key are fed into the hash function, producing a fixed-length authenticator value; message + hash are transmitted. On the remote side, the same shared secret key and hash function are applied to the received message, and the result is compared with the received hash.

Digital Signatures
On the local side the message hash is signed with the private key. On the remote side the signature is verified with the public key and the recovered hash is compared with a freshly computed hash of the message; a match confirms integrity and origin.

Data Origin Authentication
Data origin authentication methods:
- Pre-shared keys
- RSA signatures
- RSA encrypted nonces
[Diagram: a remote office authenticates to the corporate office before reaching the HR servers.]

Pre-Shared Keys
The local peer hashes the authentication key + ID information to produce the authenticating hash (Hash_L) and sends it across the Internet. The remote router computes its own hash from its authentication key + ID information and compares it with the received Hash_L.

RSA Signatures
The local side signs Hash_L with its private key to produce a digital signature and sends it together with its digital certificate. The remote side verifies the signature with the public key from the certificate and compares the result with its own Hash_L.

RSA Encrypted Nonces
As with pre-shared keys, the local peer produces an authenticating hash (Hash_L) over the authentication key + ID information; the remote router computes the hash from its own authentication key + ID information and compares it with the received Hash_L.

ESP Protocol
- Provides confidentiality with encryption
- Provides integrity with authentication
[Packet layout between routers: New IP HDR | ESP HDR | IP HDR | Data | ESP Trailer | ESP Auth. The original IP header, data and ESP trailer are encrypted; the ESP header through the ESP trailer are authenticated.]

AH Authentication and Integrity
Router A hashes the IP header + data to produce the authentication data (00ABCDEF) and sends it across the Internet. Router B re-computes the hash over the received IP header + data (00ABCDEF) and compares it with the received hash.

IPSec Encrypted Tunnel
SAs are exchanged via an IPSec tunnel. Interesting traffic is encrypted and decrypted.

IPsec in the Enterprise

Challenges Facing the Securities Industry
- How to provide more complete services to customers
- How to reduce duplicated investment and cut construction and maintenance costs
- How to provide effective means of risk control
- How to quickly provide managers with decision-support information

The securities industry needs a centralized trading system: centralized business clearing, centralized business management, centralized business data and centralized use of funds, the core of which is centralized trading.

Network Requirements of Centralized Trading
- High reliability
- High performance
- Higher security
- Better manageability
- Low cost

Typical Network Architecture of a Traditional Securities Company
[Diagram: company headquarters connected to branches 1 to 5 over a trunk DDN with a primary router and a backup DDN with a backup router.]

VPN Solution
[Diagram: the headquarters intranet sits behind a VPN access router, a primary router and a dial backup router; branches reach it across the Internet through a VPN tunnel, with trunk DDN and ISDN backup.]

Mode 1: Logical Structure and Characteristics
- Apart from one fixed IP address at the center, all branches use dynamic IP addresses
- Can traverse NAT
- Bandwidth can be kept stable above 200K
- Can run any dynamic routing protocol
- Requires configuring multiple GRE tunnels on the core router
- Fast switching must be disabled
- High management cost
- Communication between two branches must pass through the center

Mode 2: Logical Structure and Characteristics
- Apart from one fixed IP address at the center, all branches use dynamic IP addresses
- Can traverse NAT
- Bandwidth can be kept stable above 300K
- Can run any dynamic routing protocol
- GRE tunnel configuration between the center and the branches is simplified as far as possible
- Good support for IP CEF fast switching
- High management cost
- Two spokes can establish dynamic, temporary direct links between themselves
- Route filtering control is more troublesome

Introduction to SSL VPN Technology

SSL Overview
SSL (Secure Sockets Layer) was developed by Netscape for web access. Version 1 was never released; the current versions are Version 2 and 3.

SSL Technology
- Confidentiality (privacy of data)
- Message integrity (completeness of data)
- Authentication (identity verification)
SSL achieves these elements of security through the use of cryptography, digital signatures, and certificates.

SSL Protocol Stack
The encryption for all messaging in SSL is handled in the Record Protocol.

SSL Handshake
[Two slides depicting the SSL handshake.]

SSL Records
The encryption for all messaging in SSL is handled in the Record Protocol. SSL records consist of the encapsulated data, digital signature, message type, version, and length. SSL records are 8 bytes long.

SSL Alerts
As mentioned earlier, the Alert Protocol handles any questionable packets. If either the server or client detects an error, it sends an alert containing the error. There are three types of alert messages: warning, critical, and fatal. Based on the alert message received, the session can be restricted (warning, critical) or terminated (fatal).

Traditional Deployed SSL

Cisco SSL Design Architecture

Thank you.
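An added example (not from the original slides) tying the DH key exchange, HMAC and data integrity slides earlier in this deck together in Python: Terry and Alex each combine their own private key with the other's public key to reach the same shared secret, hash it into an HMAC key, and the remote side recomputes the fixed-length authenticator to detect the altered cheque. The prime and generator are constructed for illustration and are not a standard IKE group.

```python
import hashlib
import hmac
import secrets

# Illustrative DH parameters, constructed for this example (a 255-bit prime
# and generator 2); real IPsec deployments use a standard IKE group.
P = 2**255 - 19
G = 2


def dh_keypair():
    """Return (private, public) where public = G^private mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(own_private, peer_public):
    """Combine own private key with the peer's public key. Both sides reach
    the same value, which is hashed into a fixed-length HMAC key."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def authenticate(key, message):
    """Local side: transmit message + fixed-length authenticator (HMAC-SHA256)."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key, received):
    """Remote side: recompute the hash over the received message with the
    shared secret key and compare it with the received hash.
    Match = no changes; no match = alterations."""
    message, tag = received[:-32], received[-32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag), message


def demo():
    # Terry (A) and Alex (B) exchange only their public keys over the Internet.
    priv_a, pub_a = dh_keypair()
    priv_b, pub_b = dh_keypair()
    key_ab = dh_shared_key(priv_a, pub_b)  # Terry: private key A + public key B
    key_ba = dh_shared_key(priv_b, pub_a)  # Alex: private key B + public key A
    same_key = key_ab == key_ba

    cheque = b"Pay to Terry Smith $100.00 One Hundred and xx/100 Dollars"
    packet = authenticate(key_ab, cheque)
    ok_intact, _ = verify(key_ba, packet)

    # The cheque is rewritten in transit, but the old authenticator no longer
    # matches because the attacker does not hold the shared secret key.
    forged = b"Pay to Alex Jones $1000.00 One Thousand and xx/100 Dollars" + packet[-32:]
    ok_forged, _ = verify(key_ba, forged)
    return same_key, ok_intact, ok_forged
```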