LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

L Cai,Xh Yang

DOI: https://doi.org/10.1109/ICSMC.2005.1571196

2005-01-01

Abstract:More and more network attacks are focusing on application level vulnerabilities. Recently, several examples of this trend have been highly publicized such as the SQL Slammer and SQL Snake attacks. Traditional firewalls, used for protecting the database, only prevent attacks searching for vulnerabilities. Database firewalls take defense deep into the organization by providing full syntax control and audit of the SQL AN stream before it reaches the database, and enforcing content-driven access to database. This paper proposes a layered reference model for database firewalls by enhancing the capability of COAST Laboratory's model. It separates a database firewall into three layers (network layer, schematic layer and semantic layer) according to the knowledge, computation target, and the control granularity of each layer. Based on this model, a database firewall product had been prototyped It can greatly improve the database security by introducing self-controlled authentication principal mapping, object mapping, and mandatory access control modules.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

Haichun Gao

2004-01-01

Abstract:The constant development of VPN service brings a lot of challenge toVPN management,this paper presents one kind of computer techniques-multi-agent technique to manage VPN. The technique possesses features of intelligence,cooperation,flexibility and expansion etc. It can solve problems of different network architectures and different network service providers. Both client and service provider will win together. This multi-agent based computer technique is very important for solving these problems.

Yin Shu-ling

Abstract:Secure socket layer protocol is developed for the security of the data transmission,SSL VPN is a kind of VPN technology based on SSL protocol.It provides remote access and has been applied in the enterprises increasingly in recent years.It analyzed the components of SSL VPN and researched the key technologies.In view of the problem that the outside users can not access the resources of enterprise network,a solution of SSL VPN is designed.SSL VPN provides remote-access connectivity from almost any Internet-enabled location using a web browser that natively supports SSL encryption,the connection of SSL VPN,the connection of SSL VPN can help enterprise to improve efficient production and information protection in security access,and decrease the management and maintenance cost.

Engineering,Computer Science

Mir Ali Rezazadeh Baee,Leonie Simpson,Xavier Boyen,Ernest Foo,Josef Pieprzyk

DOI: https://doi.org/10.1186/s13638-021-01968-6

2021-05-21

EURASIP Journal on Wireless Communications and Networking

Abstract:Abstract In intelligent vehicular networks, vehicles have enhanced sensing capabilities and carry computing and communication platforms to enable new versatile systems known as Vehicular Communication (VC) systems. Vehicles communicate with other vehicles and with nearby fixed equipment to support different applications, including those which increase driver awareness of the surroundings. This should result in improved safety and may optimize traffic. However, VC systems are vulnerable to cyber attacks involving message manipulation. Research aimed at tackling this problem has resulted in the proposal of multiple authentication protocols. Several existing survey papers have attempted to classify some of these protocols based on a limited set of characteristics. However, to date there is no generic framework to support the comparison of these protocols and provide guidance for design and evaluation. Most existing classifications either use computation complexity of cryptographic techniques as a criterion, or they fail to make connections between different important aspects of authentication. This paper provides such a framework, proposing a new taxonomy to enable a consistent means of classifying authentication schemes based upon seven main criteria. The main contribution of this study is a framework to enable protocol designers and investigators to adequately compare and select authentication schemes when deciding on particular protocols to implement in an application. Our framework can be applied in design, making choices appropriate for the intended context in both intra-vehicle and inter-vehicle communications. We demonstrate the application of our framework using two different types of case study: individual analysis and hypothetical design. Additionally, this work makes several related contributions. We present the network model, outline the applications, list the communication patterns and the underlying standards, and discuss the necessity of using cryptography and key management in VC systems. We also review the threats, authentication, and privacy requirements in vehicular networks.

telecommunications,engineering, electrical & electronic

Xun Chen,Jiqiang Liu,Yanfeng Shi,Zhen Han

DOI: https://doi.org/10.1007/978-3-662-48683-2_6

2015-01-01

Abstract:Simple username and password are used as the only credential for virtual private network (VPN) access in most authentication schemes. The absence of strong security measures in user's platform invites attacks on integrity and confidentiality of data in private networks and consequently posts threats to other users who use the same VPN service. An authentication scheme based on verifying platform attributes is presented in this paper, which contains a notion of multi-level classification to satisfy different VPN systems. The implementation of the attribute expression and the authentication framework under an example of access policy is provided. Two cryptographic methods are introduced to achieve privacy protection in the network communication, including hash value conversion and attribute based encryption. Trusted computing is also included to guarantee the authenticity of platform attributes. This authentication scheme is distinctive that combines platform attributes with traditional credentials for VPN access attestation.

XIAO Zhensha,LIN Chuang,YANG Ran,PANG Ling

2009-01-01

Abstract:With the popularity of the P2P technology,the security problem on P2P network has attracted more and more attention.To address the issue,a model called P2P-VPN virtual network framework is proposed,which sets up a virtual network group according to the specific application.The framework is not only to achieve the secure P2P transmission,but also to apply P2P technology to the local area network applications.The completeness of security mechanism of P2P-VPN is proved by Petri Nets and some other formal methods.The simulation results from the prototype system show that although the framework introduces a series of security processing procedure,it will not cause significant decline in data transfer rate.

朱昌盛,余冬梅,王庆梅,谢鹏寿,包仲贤

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.11.041

2002-01-01

Abstract:The advent of VPN makes it possible for enterprises to transform private confidential massage securely and economically through the Internet. Security tunneling technology is the core technology of VPN, while L2TP IPSec are two tunneling technologies most widely used at present. As the two main accesses to IP network, the combination of L2TP IPSec can share the advantage of L2TP's low cost, initiative, mutual-communication and IPSec's high security, reliability，learn from others' strong points to offset one's weakness, to a great extent, to construct a secure, reliable and low-cost VPN.

Chen Yan-dong

Abstract:With the expanding scale of the enterprise network,VLAN and VPN technology is applied to the construction of the enterprise network.VLAN is a logical network established in accordance with the management functions on the basis of the physical network through technical means.VPN technology is to rely on the ISP to establish a dedicated data communication network technology in public online.Article a brief description of the VLAN and VPN technology,combined with a coal company VLAN and VPN technology in the enterprise network.

Computer Science,Engineering

Yan Jiang,Jing Huang,Yunsong Fan,Xiaobin Zhu

DOI: https://doi.org/10.13052/jcsm2245-1439.1345

2024-06-14

Journal of Cyber Security and Mobility

Abstract:With the development of Internet of Things technology, the security threats faced by the industrial control field are increasing, and strengthening the security protection capabilities of intelligent systems on IoT highways is becoming increasingly important. IPSec VPN tunneling technology can achieve identity authentication and encrypted data transmission, and is an important means to achieve secure data transmission in intelligent systems on Expressway intelligent tunnel system. The commonly used IPSec VPN gateway uses a traditional Linux protocol stack-based approach for data capture, which requires multiple data copies and context switching, resulting in low efficiency of IPSec services. In addition, the commonly used IPSec VPN security gateway is implemented on the basis of the open-source IPSec framework, using internationally recognized algorithms for encryption and decryption, which poses security risks. This article is based on the IPSec protocol, and studies the high-speed network packet capture framework PFRING technology, the fusion technology of national secret algorithm and IPSec protocol. It designs and implements an IPSec VPN IoT security gateway based on national secret algorithm. After experimental verification, the IPSec VPN gateway system constructed in this article has complete functions and better performance than the common open-source IPSec frameworks OpenSwan and strongSwan, and can meet the application requirements of IoT data encryption transmission.

Ling-xiang HUANG,Ming GU

DOI: https://doi.org/10.3969/j.issn.1000-3428.2011.04.099

2011-01-01

Abstract:Portability and usability for access control systems are presented.This paper presents an access control model based on I/O model on Windows platform,which uses virtual device with encrypted file as container.It mainly relies on authorization,transparent encryption/decryption and redirection of disk access.Various access control systems can be extended from this model.It describes the design of the model according to the requirements,and illustrates the development which is composed of API Hook,virtual device driver and filter driver development.Experiments are conducted to verify the characteristics of this model including performance.Two extensions in practice are discussed as a confirmation to the extensibility.

Fujun Feng,Chuang Lin,Junshan Li

DOI: https://doi.org/10.1109/NSWCTC.2009.405

2009-01-01

Abstract:Trustworthy network is the inevitable trend in the development of high trusted computing and Internet. It is beyond the traditional information security including confidentiality, integrity and availability, but on the survivability and controllability. Trustworthiness of users on identity and behaviors is very important for trustworthy network, which can be realized by access control technology. Firstly, we discuss the security requirements of access control in trustworthy network. Then we propose a Trust and Context based Access Control (TCAC) model, and describe the core, hierarchical and constrained TCAC in detail. Finally, a trust evaluation mechanism is presented.

Li Wei,Cai Zhongmin,Xiaohong Guan

DOI: https://doi.org/10.3321/j.issn:0253-987x.2006.10.001

2006-01-01

Abstract:An analysis method of Internet architecture security is presented by introducing the concept of access relations and access streams to show that the access control is a procedure to reduce access relations according to certain security policies in the traditional network access control. On the basis of the concept, a new scheme of data classification is proposed based on real and anonymous addresses and network addresses of the control and application data. A set of the corresponding global access control rules is established under the conditions of the openness and manageability of the uniform network, security and user privacy. The analysis of the scheme shows that the proposed method reduces access relations significantly, and the level of the Internet architecture security is increased wholly.

Thanh Bui,Siddharth Prakash Rao,Markku Antikainen,Tuomas Aura

DOI: https://doi.org/10.48550/arXiv.1912.04669

2019-12-10

Abstract:Internet users increasingly rely on commercial virtual private network (VPN) services to protect their security and privacy. The VPN services route the client's traffic over an encrypted tunnel to a VPN gateway in the cloud. Thus, they hide the client's real IP address from online services, and they also shield the user's connections from perceived threats in the access networks. In this paper, we study the security of such commercial VPN services. The focus is on how the client applications set up VPN tunnels, and how the service providers instruct users to configure generic client software. We analyze common VPN protocols and implementations on Windows, macOS and Ubuntu. We find that the VPN clients have various configuration flaws, which an attacker can exploit to strip off traffic encryption or to bypass authentication of the VPN gateway. In some cases, the attacker can also steal the VPN user's username and password. We suggest ways to mitigate each of the discovered vulnerabilities.

Cryptography and Security

Yada Hu,Hao Yin,Chuang Lin,Xin Jiang,Ying Ouyang,Chao Li

DOI: https://doi.org/10.1109/ispacs.2007.4446008

2007-01-01

Abstract:A novel secure solution for remote access is proposed. Compared with the previous methods such as dial-up and vpn, our solution CSGW-RAS is quite new at using SSL for data transfer and GNU/Linux pseudo network device for data forward. It offers two important types of properties. One is security, which includes confidentiality, IP assigning and authentication, etc. We compare CSGW-RAS with IPSec VPN which is widely-used for its high security, by using a security risk index. The results shows that our solution is as secure as IPSec VPN. The other is simplicity. CSGW-RAS completely throws away the complexity both in deployment and in operation but is different with the so-called SSL VPN which is just a Web proxy. The security and performance analysis show that our solution is quite secure and easy-to-use with a little lost in efficiency which results from the handshake process but would not affect its whole performance.

XIANG Zhong-hua,LI Qi,QING Si-han,MU Hai-bing

DOI: https://doi.org/10.3969/j.issn.1673-0291.2007.02.017

2007-01-01

Abstract:A user space VPN scheme based on TLS protocol is presented and its security is analyzed. The scheme overcomes the complexity of IPSEC and increases the usability of VPN. Under the local area network and public network, user space VPN scheme is tested. The result indicates that the user space VPN scheme can meet the requirements of low bandwidth of dial-up network and the use of encryption scheme dose not obviously increase the cost of communication.

Liu Guangyi,Mao Yanbin,Xiaokang, Lin

DOI: https://doi.org/10.1109/ICCCAS.2002.1180726

2002-01-01

Abstract:Multicast is an old concept that was proposed in 1988. However, the deployment of multicast is a rather slow process, although it is always an attractive network technology. Some high quality multimedia services can be applied by multicast, which can save abundant bandwidth and precious resources in routers. Therefore, multicast is a very important technology in a QoS controllable network. We point out some intrinsic deficiencies in the current multicast service model that have resulted in its slow deployment. We propose a novel multicast access control model to solve these problems. The novel model adds admission control and forward control and a centralized control entity to the traditional network. The entire network is also divided into different multicast policy areas for better management. With the evaluation of the model, we show that it is not only more suitable for commercial use, but also friendly to MPLS, which is the leading transfer technology in the next generation IP backbone network.

Rui Li,Jiawei Ye,Dongjie He,Hua Cai

DOI: https://doi.org/10.3969/j.issn.1000-386x.2014.05.078

2014-01-01

Abstract:Virtualisation technology allows multiple virtual machines to run simultaneously on a single physical machine,which improves the resource utilisation,and becomes the basis of cloud computing technology to develop.However,the virtualisation technology has also brought a number of new security issues,and due to the characteristics of virtualisation its own,traditional security means are not sufficient to solve these issues.In this paper,we focus on the analysis of virtual network security features,and explore the use of Open vSwitch to imple-ment virtual network access control.

Zhen Chen,Fa-Chao Deng,An-An Luo,Xin Jiang,Guo-Dong Li,Run-hua Zhang,Chuang Lin

DOI: https://doi.org/10.1109/wcins.2010.5541863

2010-01-01

Abstract:Traditional NAC system in enterprise network is in coarse granularity (e.g. IP or MAC address) and lack of flexibility. Recently the demand in tight control of the enterprise network to defense the misuse and security issues become more and more urgent. Based on the TCG TNC standard, an application level network access control mechanism is proposed and implemented. With TNC client/server model in hand, a client is designed to enhance TNC client with the function of host flow controller (HFC), and intercepts each application network access request(ANAR) and transfer it to PDP server to authorize the access request. When a sensor (i.e. intrusion detection system) detects any malicious traffic, host flow controller and network flow controller can identify the application that origins this traffic by querying Metadata Access Point (MAP) server and block this application's network access. A prototype system is implemented to demonstrate the design and can be used to defense the anomaly network behaviors. The prototype system demonstrates that the hosts, switches, firewalls and IDS can work together to detect, diagnose and protect enterprise network from the malicious applications attack initiated inside or outside of an enterprise network, quarantine unhealthy hosts and make the enterprise network more reliable and trustworthy.