LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

黄勇,陈小平,潘雪增,陈红洲,蒋晓宁

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.09.057

2008-01-01

Abstract:Under the WAN environment,large-scale VPN networks is effectively and safely managed by long-distance centralized mana-gement system based on SNMP.To solve the flaw of topology discovery,a method in which agent initiates registry to the server is pro-posed.After analysis of the SNMPv3 security features,the public key authentication mechanism is introduced and the procedure of key negotiation is discussed in detail.For poor reliability and real-time data transmission of UDP-based SNMP,a strategy of configuration based on XML is given,which is proved to be feasible and efficient by the result of experiment at last.

LIN Chen,LI Zhi-tang

DOI: https://doi.org/10.3969/j.issn.1007-130x.2007.06.007

2007-01-01

Abstract:The VPN technology is an efficient way to solve the end-to-end security problem in networks. The most pivotal aspect is to build the fit network security policies, which consist of one or more rules that describe the specific actions. This paper studies the security policy module, proposes a security policy model,and analyses the roles and the state translation of rules in security policy management tools. The results of experiment show that our VPN system can work normally and steadily.

Haichun Gao

2004-01-01

Abstract:The constant development of VPN service brings a lot of challenge toVPN management,this paper presents one kind of computer techniques-multi-agent technique to manage VPN. The technique possesses features of intelligence,cooperation,flexibility and expansion etc. It can solve problems of different network architectures and different network service providers. Both client and service provider will win together. This multi-agent based computer technique is very important for solving these problems.

YANG Xing-liang,HUA Bei,HU Xiang-hui,GUO Yan

DOI: https://doi.org/10.3969/j.issn.1006-9348.2006.08.036

2006-01-01

Abstract:With the rapid development of network technology and the ever-increasing communication requirement,Virtual Private Network(VPN) has become the most important technique for private network construction.Secure Socket Layer VPN(SSL VPN),due to its prominent advantages such as easy deployment and fine granularity configuration etc.compared with other VPNs,is widely employed in Remote Access VPN.However,SSL VPN is also faced with the security and efficiency challenges which seriously limit the development of the SSL VPN.This paper presents a new SSL VPN security authentication and acceleration scheme based on the discussion and analysis of the challenges,and also deduces a method for accelerator performance evaluation.

XIA Tao,ZHOU Jing-Li,YU Sheng-Sheng,OUYANG Kai

2006-01-01

Computer Science

Abstract:The use of VPN to securely access the remote servers through Internet is one important technology in the current network security research. However, the tunneling technology of VPN makes it possible to bypass the control of firewall and compromise interior servers based on VPN server. Thus, this paper puts forth the Application-layer based Centralized Information Access Control Model, a new access control model for VPN. It integrates the features of the current mainstream access control models and the working mechanism of anti-virus and intrusion detection. On the basis of VPN communication stream, it also tightly couples access control with VPN tunnel and transmission mechanism to enhance network security. This paper also provides a prototype for the model.

XIAO Zhensha,LIN Chuang,YANG Ran,PANG Ling

2009-01-01

Abstract:With the popularity of the P2P technology,the security problem on P2P network has attracted more and more attention.To address the issue,a model called P2P-VPN virtual network framework is proposed,which sets up a virtual network group according to the specific application.The framework is not only to achieve the secure P2P transmission,but also to apply P2P technology to the local area network applications.The completeness of security mechanism of P2P-VPN is proved by Petri Nets and some other formal methods.The simulation results from the prototype system show that although the framework introduces a series of security processing procedure,it will not cause significant decline in data transfer rate.

Jun Li,Wei-jian Chi

DOI: https://doi.org/10.12783/dteees/seeie2016/4497

2016-01-01

Abstract:Mobile wireless Internet has created great requirement for seamless and secure communication over heterogeneous devices. There are many security issues on this kind of network. This paper shows a survey of various security solutions and presents a VPN mechanism to integrate the security protocols, which can greatly enhance the network security. The analyses prove the correctness of the design.

X Guo,K Yang,A Galis,Xc Cheng,B Yang,Dy Liu

DOI: https://doi.org/10.1109/ICCT.2003.1209840

2003-01-01

Abstract:Even though IP VPN has practically proven itself to be a cost-effective solution, the lack of centralized network management capabilities of current IP VPN deployment makes the management of growing VPN networks an extremely tedious procedure. This paper proposes to use policy-based network management method to address this challenge. Firstly, a policy-based IP VPN management architecture is presented, mainly explaining the operational components concerning the IPsec. Then a detailed discussion with respect to policy definition language and IP VPN policy information model is given. Finally, a case study for interdomain IP VPN configuration exemplifies the design and implementation of this management system based on the test-bed developed in the Networks & Services Group of University College London (UCL).

Kai OUYANG,Jing-li ZHOU,Tao XIA,Sheng-sheng YU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.02.009

2006-01-01

Abstract:Based on the analyses of the standard SSL VPN (Secure Socket Layer Virtual Private Network), this paper presents the framework of SSL VPN which comprises two key techniques: virtual service and VPN stream based access control model. By the virtual services created dynamically at the client server, SSL VPN can help traditional applications securely and transparently access VPN internal servers; in view of VPN stream, it also tightly couples access control with VPN tunnel and transmission mechanism to implement the fine-grained access control and the intrusion detection of the application layer. We finally provided an implemented prototype and its related performance testing.

OU Yang-Kai,Zhou Jing-li,XIA Tao,YU Sheng-Sheng

DOI: https://doi.org/10.3969/j.issn.1002-137x.2005.05.015

2005-01-01

Computer Science

Abstract:Aiming at the defects of the ordinary SSL VPN that the frequent setting-ups of tunnels will consume a large number of system resources,this paper presented a mechanism called STDM(Secure Tunnel Division Multiplexing).The kernel of this mechanism was Tunnel Caching,which implemented the shared use of secure tunnels by the independence of tunnel of a remote service.This mechanism would improve the efficiency of the system.

Haixin Duan,Jianping Wu

DOI: https://doi.org/10.1109/APCC.1999.820481

1999-01-01

Abstract:Security management is one of the five management functions defined by ISO/OSI, which covers two aspects: security of management and management of security. As to management of network security, we give security management requirements for large computer networks, combined with our management experience of managing CERNET. From our experience, the widely used firewalls in the Internet are lacking in the capability to be remotely managed on a large scale, especially multi-vendor network environment. Addressing these problems, the concept of high level security policy management is proposed for large networks. To support high level policy management and collaborative management of multi-vendor firewalls, a definition for a common firewall MIB (CFWMIB) and a common format for the TRAP events record are proposed. For the aspect of security of network management, we present a security architecture which is implemented in our web-based network management system. Flexible authentication and role-based access control mechanisms of the architecture are described. Our ongoing and future research is also outlined.

Xiaoli Zhang,Cong Wang,Qi Li,Jianping Wu

DOI: https://doi.org/10.1109/MNET.001.1800330

IF: 10.294

2020-01-01

IEEE Network

Abstract:Guaranteeing that large scale networks are always operated as policy goals dictate is critical for network availability, security, and performance. The problem is challenging, as it should not only assure the correctness of policy configurations across various network devices, but also guarantee the faithfulness of policy enforcement on actual packet forwarding behaviors. In this article, we provide a systematic overview of the direction of network verification, which covers both verification of network configurations and assurance of device actual behaviors. In particular, we summarize state-of-the-art designs with focuses from early stateless data planes with switches/routers to more recent stateful ones containing middleboxes. After analyzing and comparing these works, we also specify future directions in the verification of stateful networks.

梁健,李建华,石荣

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.09.097

2002-01-01

Abstract:At present, remote access VPN is mainly on the base of L2TP protocol and IPsec protocol. But both of them have some shortcomings. This article gives a particular analysis on them and puts forward two stronger solutions, L2TP/IPsec solution and an IKE solution based on PKI and hybrid authentication.

Jingli Zhou,Hongtao Xia,Xiaofeng Wang,Jifeng Yu

DOI: https://doi.org/10.1109/fcst.2006.4

2006-01-01

Abstract:Conventional SSL tunnel of SSL-based virtual private network is symmetric, in which the data must be encrypted at one end and decrypted at the other end, or contrariwise for the reverse direction. Because all data flows of VPN are relayed by VPN server via SSL tunnels, those symmetric SSL tunnels cause a lot of computational load concentrated in VPN server, and make it the bottleneck of VPN. This paper proposes a cheap solution to eliminate that bottleneck for larger scale SSL VPNs: The VPN based on asymmetric SSL tunnels (AST). It is coupled with two algorithms: IP packet engrafting and UDP diffusing. In this solution, portion of computational load is distributed to disengaged internal application servers. Experiment shows that the overall throughput of VPN can be greatly improved by adopting AST solution

LI Zhi-tang,HE Ji-mei,LEI Jie

2006-01-01

Abstract:SSL VPN Applications present an exciting new development trend in remote-access technology. As they require no client-side software other than a Web browser, SSL VPN offers great convenience, and promises to provide a much lower Total Cost of Ownership than the traditional IPSEC VPN. Yet, at the same time, this novel technology presents new challenges in the realm of security. This paper explores the security issues in the SSL VPN client/server model, explains the threats inherent both on the client side and on the server side, such as “sensitive data remaining on insecure access devices”, “insecure logout”, “application-level vulnerabilities”, “authentication”, and so on. Finally, we discuss the technologies to address them.

Yin Shu-ling

Abstract:Secure socket layer protocol is developed for the security of the data transmission,SSL VPN is a kind of VPN technology based on SSL protocol.It provides remote access and has been applied in the enterprises increasingly in recent years.It analyzed the components of SSL VPN and researched the key technologies.In view of the problem that the outside users can not access the resources of enterprise network,a solution of SSL VPN is designed.SSL VPN provides remote-access connectivity from almost any Internet-enabled location using a web browser that natively supports SSL encryption,the connection of SSL VPN,the connection of SSL VPN can help enterprise to improve efficient production and information protection in security access,and decrease the management and maintenance cost.

Engineering,Computer Science

Yahui Li,Han Zhang,Jilong Wang,Xingang Shi,Xia Yin,Zhiliang Wang,Jiankun Hu,Congcong Miao,Jianping Wu

DOI: https://doi.org/10.1109/tifs.2024.3409935

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network managers configure networks to enforce various high-level policies, and to respond to the wide range of network events (e.g., attacks, intrusions, malicious route announcements from neighbors) that may occur. It is incredibly difficult to specify these high-level policies in terms of distributed low-level configuration. These high-level policies hold only if the distributed configurations are well equipped to react to unsafe and unreliable environments (e.g., malicious route announcements, unsafe components and devices). Therefore, it is important to proactively verify whether network policies hold across continually changing environments in terms of current network configurations. State-of-the-art policy verification techniques are limited because they can check only the Boolean policies (e.g., forwarding reachability, waypoint or blackhole-freeness). However, many policy violations express themselves in quantitative ways (e.g., a link becomes overloaded). In this paper, we propose quantitative network verification (QNV) analyzing the quantitative policies of networks across unsafe and unreliable environments. QNV translates network configurations into a symbolic simulation model that captures the stable states to which the network forwarding will converge as a result of interactions between routing protocols. It then generates a logical formula matrix that describes network forwarding in the event of failures and verifies quantitative policies based on the formula matrix. We implement QNV and evaluate it on realistic and synthetic configurations. Our evaluation shows that QNV can precisely verify quantitative policies in only a few minutes, even in large networks.

Yunfei Meng,Zhiqiu Huang,Guohua Shen,Changbo Ke

DOI: https://doi.org/10.1016/j.cose.2020.102089

2021-01-01

Abstract:<p>Software-defined networking (SDN) has been increasingly utilized to enforce the security of complex networks. However SDN-based security enforcement mechanisms rely heavily on some specific security policies containing underlying network information. Facing the increasingly complex and huge SDN networks, we urgently need a novel security policy management mechanism which can be completely transparent to any underlying network information. That is it can permit network managers to define the high-level security policy model without containing any underlying information, and by means of model transformation, high-level security policy model can be automatically transformed into its corresponding lower-level security policy model containing underlying information. Moreover, we must ensure the system model of data plane updated by the low-level security policy model can hold all of security properties defined in high-level security policy model. Based on these insights, we propose a security policy model transformation and verification approach for SDN in this paper. We first specify the security policies used in SDN networks as a formal security policy model (SPM). Then we establish the system model of SDN's data plane and the mapping rules between the policy objects of SPM and the system objects of system model of data plane. Based on these mapping rules, we propose a security policy model transformation mechanism which transforms SPM into the low-level security policy model, RSPM. In order to verify the system model of data plane updated by RSPM can hold all of security properties defined in SPM, we propose a security policy verification mechanism based on model checking techniques and a group of validation conditions. Finally, we utilize a comprehensive case to illustrate the feasibility of this approach.</p>

computer science, information systems