LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

黄勇,陈小平,潘雪增,陈红洲,蒋晓宁

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.09.057

2008-01-01

Abstract:Under the WAN environment,large-scale VPN networks is effectively and safely managed by long-distance centralized mana-gement system based on SNMP.To solve the flaw of topology discovery,a method in which agent initiates registry to the server is pro-posed.After analysis of the SNMPv3 security features,the public key authentication mechanism is introduced and the procedure of key negotiation is discussed in detail.For poor reliability and real-time data transmission of UDP-based SNMP,a strategy of configuration based on XML is given,which is proved to be feasible and efficient by the result of experiment at last.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

Ouyang Kai,Zhou Jing-li,Xia Tao,Yu Sheng-sheng

DOI: https://doi.org/10.1631/jzus.2006.a0240

2006-01-01

Journal of Zhejiang University SCIENCE A

Abstract:With the rapid development of Virtual Private Network (VPN), many companies and organizations use VPN to implement their private communication. Traditionally, VPN uses security protocols to protect the confidentiality of data, the message integrity and the endpoint authentication. One core technique of VPN is tunneling, by which clients can access the internal servers traversing VPN. However, the tunneling technique also introduces a concealed security hole. It is possible that if one vicious user can establish tunneling by the VPN server, he can compromise the internal servers behind the VPN server. So this paper presents a novel Application-layer based Centralized Information Access Control (ACIAC) for VPN to solve this problem. To implement an efficient, flexible and multi-decision access control model, we present two key techniques to ACIAC—the centralized management mechanism and the stream-based access control. Firstly, we implement the information center and the constraints/events center for ACIAC. By the two centers, we can provide an abstract access control mechanism, and the material access control can be decided dynamically by the ACIAC’s constraint/event mechanism. Then we logically classify the VPN communication traffic into the access stream and the data stream so that we can tightly couple the features of VPN communication with the access control model. We also provide the design of our ACIAC prototype in this paper.

XIA Tao,ZHOU Jing-Li,YU Sheng-Sheng,OUYANG Kai

2006-01-01

Computer Science

Abstract:The use of VPN to securely access the remote servers through Internet is one important technology in the current network security research. However, the tunneling technology of VPN makes it possible to bypass the control of firewall and compromise interior servers based on VPN server. Thus, this paper puts forth the Application-layer based Centralized Information Access Control Model, a new access control model for VPN. It integrates the features of the current mainstream access control models and the working mechanism of anti-virus and intrusion detection. On the basis of VPN communication stream, it also tightly couples access control with VPN tunnel and transmission mechanism to enhance network security. This paper also provides a prototype for the model.

Shengsheng Yu,Changchun Ouyang,Jingli Zhou,Kai Ouyang

DOI: https://doi.org/10.3321/j.issn:1671-4512.2006.07.016

2006-01-01

Abstract:On the basis of NAP′s and NAC′s kernel philosophy, a security detecting system on the client sides of SSL VPN was designed to guarantee user′s security. The detection system protects the client from the hostile infringement of virus, malevolent code and being attacked by hacker through the detection to firewall, anti-virus software, OS patch in VPN client. An access control system was designed in SSL VPN server to control the access requests of different VPN clients. It is based on the result of client security state. The access control to requests of SSL VPN clients further enhances SSL VPN system security performance.

Kai OUYANG,Jing-li ZHOU,Tao XIA,Sheng-sheng YU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.02.009

2006-01-01

Abstract:Based on the analyses of the standard SSL VPN (Secure Socket Layer Virtual Private Network), this paper presents the framework of SSL VPN which comprises two key techniques: virtual service and VPN stream based access control model. By the virtual services created dynamically at the client server, SSL VPN can help traditional applications securely and transparently access VPN internal servers; in view of VPN stream, it also tightly couples access control with VPN tunnel and transmission mechanism to implement the fine-grained access control and the intrusion detection of the application layer. We finally provided an implemented prototype and its related performance testing.

朱昌盛,余冬梅,王庆梅,谢鹏寿,包仲贤

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.11.041

2002-01-01

Abstract:The advent of VPN makes it possible for enterprises to transform private confidential massage securely and economically through the Internet. Security tunneling technology is the core technology of VPN, while L2TP IPSec are two tunneling technologies most widely used at present. As the two main accesses to IP network, the combination of L2TP IPSec can share the advantage of L2TP's low cost, initiative, mutual-communication and IPSec's high security, reliability，learn from others' strong points to offset one's weakness, to a great extent, to construct a secure, reliable and low-cost VPN.

OU Yang-Kai,Zhou Jing-li,XIA Tao,YU Sheng-Sheng

DOI: https://doi.org/10.3969/j.issn.1002-137x.2005.05.015

2005-01-01

Computer Science

Abstract:Aiming at the defects of the ordinary SSL VPN that the frequent setting-ups of tunnels will consume a large number of system resources,this paper presented a mechanism called STDM(Secure Tunnel Division Multiplexing).The kernel of this mechanism was Tunnel Caching,which implemented the shared use of secure tunnels by the independence of tunnel of a remote service.This mechanism would improve the efficiency of the system.

SUN Ruo-zi,YUAN Jian,SHAN Xiu-ming,REN Yong

2011-01-01

Computer Science

Abstract:At present,most studies utilize connectivity to evaluate fault-tolerance of wireless networks.As a metric of fault-tolerance,connectivity fails to consider spatial relativity of failed nodes and assumes that any node group can fail simultaneously.In fact,the faults generally have strong spatial correlativity in wireless networks.It is particularly true in military application that the nodes located in the same limited area will fail simultaneously such as due to the damage of an enemy bomb.Therefore,connectivity hardly satisfies the fault tolerant design requirements for wireless networks.To capture the feature of the spatial correlations of faults,the notion of convex region fault-tolerance was introduced and based on it,a fault-tolerant topology control algorithm named as convex region fault-tolerant algorithm(C-RFT) was proposed.It is proved theoretically that C-RFT can preserve the convex region fault-tolerance of the original graph and simulation results demonstrate that the topology generated by C-RFT has lower logical degree and transmission radius compared with original graph.

YANG Hao-miao,CHENG Hong-rong,ZHANG Wen-ke

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.06.026

2012-01-01

Abstract:A virtual private network(VPN) is a technology in build up the private network on the public communication infrastructures such as the Internet,which could be built up on PPTP,L2TP over IPSec,or SSTP tunnels.Traditional VPN Experiment is based on SSTP Protocol.Two more general Experiments,respectively based on L2TP/IPSec Protocol and SSTP Protocol,are designed.However,these experiments based on virtual machine platform are more convenient and economical.In addition,various security apparatuses on Windows system platform are also involved in the comprehensive experiment,such as active directory,DNS server,DHCP server,firewall,certification authority(CA),and so on.

YANG Xing-liang,HUA Bei,HU Xiang-hui,GUO Yan

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.08.036

2006-01-01

Abstract:With the rapid development of network technology and the ever-increasing communication requirement,Virtual Private Network(VPN) has become the most important technique for private network construction.Secure Socket Layer VPN(SSL VPN),due to its prominent advantages such as easy deployment and fine granularity configuration etc.compared with other VPNs,is widely employed in Remote Access VPN.However,SSL VPN is also faced with the security and efficiency challenges which seriously limit the development of the SSL VPN.This paper presents a new SSL VPN security authentication and acceleration scheme based on the discussion and analysis of the challenges,and also deduces a method for accelerator performance evaluation.

Ravishankar Ravindran,Changcheng Huang,Krishnaiyan Thulasiraman,Tachun Lin

DOI: https://doi.org/10.4236/ajor.2018.83011

2016-08-16

Abstract:VPN service providers (VSP) and IP-VPN customers have traditionally maintained service demarcation boundaries between their routing and signaling entities. This has resulted in the VPNs viewing the VSP network as an opaque entity and therefore limiting any meaningful interaction between the VSP and the VPNs. A key challenge is to expose each VPN to information about available network resources through an abstraction (TA) [1] which is both accurate and fair. In [2] we proposed three decentralized schemes assuming that all the border nodes performing the abstraction have access to the entire core network topology. This assumption likely leads to over- or under-subscription. In this paper we develop centralized schemes to partition the core network capacities, and assign each partition to a specific VPN for applying the decentralized abstraction schemes presented in [2]. First, we present two schemes based on the maximum concurrent flow and the maximum multicommodity flow (MMCF) formulations. We then propose approaches to address the fairness concerns that arise when MMCF formulation is used. We present results based on extensive simulations on several topologies, and provide a comparative evaluation of the different schemes in terms of abstraction efficiency, fairness to VPNs and call performance characteristics achieved.

Networking and Internet Architecture

LI Yufeng,LAN Julong,XUE Xiangyang

DOI: https://doi.org/10.3969/j.issn.1009-6868.2011.04.007

2011-01-01

Abstract:This paper proposes a Common Security and Control Framework(CSCF) for application security,network security,information security,and behavioral security in tri-network convergence.CSCF has an independent architecture and can be operated transparently across the whole network.It treats the network link as the control object and can perform functions such as link traffic identification and link traffic analysis.It can also check and control a security problem at one point and initiate a whole-system response.CSCF is based on a distributed security and control platform with high scalability.This paper discusses the development of techniques used to establish a security system that proactively defends against threats,flexibly reacts to and blocks threats as they occur,and traces threats.

Rongsheng Shan,Shenghong Li,Mingzheng Wang,Jianhua Li

DOI: https://doi.org/10.1109/ICCT.2003.1209071

2003-01-01

Abstract:In the current VPN, manual security policy configuration is usually inefficient and error-prone. The paper studies the problem of conflicts among policies in different domains of a large-scale VPN. In this paper, a new trusted domain and a novel security transmission model as the fundament of the security theory of VPN are defined, and based on them, the exact definition of security transmission requirements and the corresponding effective security policies for a large-scale VPN are proposed. In addition, this paper gives the principles of policy verification for the purpose of checking the consistence of security policies in the whole network environment.

Hui He,Mingzeng Hu,Weizhe Zhang,Hongli Zhang,Zhi Yang

DOI: https://doi.org/10.1007/11596981_83

2005-01-01

Abstract:The large-scale network security events are becoming a major threat to internet. How to quickly detect and effectively control the network security events’ spreading has become the research focus among network security experts. By combining active topology measurement with distributed anomaly detection, a large-scale network security events’ discovery and cooperative system is proposed, which focuses on macroscopical alert analysis, control point selection, creating control suggestion etc. After the process of visualization, it exhibits preferable application effect. The experimental result proved that it offers administrators the direct decisive advice to prevent network security event from overspreading.

Ying Wan,Jinde Cao

DOI: https://doi.org/10.3390/s23084013

2023-04-15

Abstract:Complex cyber-physical networks combine the prominent features of complex networks and cyber-physical systems (CPSs), and the interconnections between the cyber layer and physical layer usually pose significant impacts on its normal operation. Many vital infrastructures, such as electrical power grids, can be effectively modeled as complex cyber-physical networks. Given the growing importance of complex cyber-physical networks, the issue of their cybersecurity has become a significant concern in both industry and academic fields. This survey is focused on some recent developments and methodologies for secure control of complex cyber-physical networks. Besides the single type of cyberattack, hybrid cyberattacks are also surveyed. The examination encompasses both cyber-only hybrid attacks and coordinated cyber-physical attacks that leverage the strengths of both physical and cyber attacks. Then, special focus will be paid to proactive secure control. Reviewing existing defense strategies from topology and control perspectives aims to proactively enhance security. The topological design allows the defender to resist potential attacks in advance, while the reconstruction process can aid in reasonable and practical recovery from unavoidable attacks. In addition, the defense can adopt active switching-based control and moving target defense strategies to reduce stealthiness, increase the cost of attacks, and limit the attack impacts. Finally, conclusions are drawn and some potential research topics are suggested.

PAN Pei-sheng,ZHENG Bao-yu

DOI: https://doi.org/10.3969/j.issn.1005-7641.2006.07.010

2006-01-01

Abstract:VPN has been a popular network technology in recent years.By VPN the enterprise can establish conveniently its own private network through public networks.As a platform,MPLS can support different link layer technologies and different layer 3 protocols,fuse the existing mainstream network technique, avoid the repetition of network,insure the security of IP operation.In this paper,the difference between MPLS L2 VPN and other traditional VPN technology is described,and then the realizing principle of MPLS L2 VPN is introduced in detail.Finally,the developing trend of MPLS L2 VPN is foreseen.

Meng Li,Yong Chen

DOI: https://doi.org/10.1177/0142331218799818

IF: 2.146

2018-01-01

Transactions of the Institute of Measurement and Control

Abstract:Nowadays, networked control systems (NCSs) have been a popular research topic in both academia and industry areas. However, the NCSs also present great challenging problems due to imperfect communication, node moving, external interference and hacker attack. In this paper, we review some of the recent challenging researches for NCSs. Several concerned research subjects in NCSs are surveyed, including network-induced delays, packet dropouts, packet disordering, external disturbance, parameter uncertainty, data quantization, event-triggers mechanism, sensor or actuator failures, scheduling protocols, network attack and network topology. Correspondingly, various control laws to deal with these issues are discussed. Finally, some conclusions are given, and possible future directions are explored.

Zhao Ling

Abstract:This paper is the research of security gateway that can set up a Virtual Private Network(VPN),the gateway adopts IPSec protocol as the security protocol of the network layer.Firstly,introduces the concept of VPN and its critical techniques;Secondly,describes the key technique to implement VPN security gateway—IPSec and its architecture,working mode and implement structure; Finally,analyzes the important role of security gateway in VPN system in detail.

Engineering,Computer Science