A New Method Of VPN Based On LSP Technology

Similar documents
Intelligent Computer Room Management Platform Based on RF Card

Firewalls, Tunnels, and Network Intrusion Detection

Research on Software Scheduling Technology Based on Multi-Buffered Parallel Encryption

The Design and Implementation of Disaster Recovery in Dual-active Cloud Center

The Mobile Terminal Security Access System Based on IPSec VPN Di Zhao1,a, Xin He2,b and Yunjun Li1,c*

Research and Design of Crypto Card Virtualization Framework Lei SUN, Ze-wu WANG and Rui-chen SUN

The Design of Electronic Color Screen Based on Proteus Visual Designer Ting-Yu HOU 1,a, Hao LIU 2,b,*

Design of Temperature and Humidity Data Acquisition System. Based on ARM

CLIENT SERVER SYNERGY USING VPN

Research on Two - Way Interactive Communication and Information System Design Analysis Dong Xu1, a

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Virtual Dispersive Networking Spread Spectrum IP

The Application Analysis and Network Design of wireless VPN for power grid. Wang Yirong,Tong Dali,Deng Wei

Intelligent Terminal System Based on Trusted Platform Module

Research on the Application of Digital Images Based on the Computer Graphics. Jing Li 1, Bin Hu 2

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

A Design of Remote Monitoring System based on 3G and Internet Technology

A liquid level control system based on LabVIEW and MATLAB hybrid programming

A Compatible Public Service Platform for Multi-Electronic Certification Authority

Performance Comparison and Analysis of Power Quality Web Services Based on REST and SOAP

Secure Networking with NAT Traversal for Enhanced Mobility

Networking interview questions

A Hybrid Architecture for Video Transmission

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

Load Balancing Technology White Paper

HP Instant Support Enterprise Edition (ISEE) Security overview

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Remote Monitoring System of Ship Running State under Wireless Network

Available online at ScienceDirect. IERI Procedia 4 (2013 ) 2 7

The application of OLAP and Data mining technology in the analysis of. book lending

Keywords: Motion Capture System, Virtual Interaction, Wireless Sensor Network, Motion Builder

Research on WSN Secure Communication Method Based on Digital Watermark for the Monitoring of Electric Transmission Lines

School of Computer Sciences Universiti Sains Malaysia Pulau Pinang

CIT 480: Securing Computer Systems

HUAWEI USG6000 Series Next-Generation Firewall Technical White Paper VPN HUAWEI TECHNOLOGIES CO., LTD. Issue 1.1. Date

Chapter 6: Security of higher layers. (network security)

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

Research on System Login Security Encryption Method Based on MD5

Construction of Computer Encrypted Secure Communication Environment Based on Private Virtual Network Technology

The Analysis and Research of IPTV Set-top Box System. Fangyan Bai 1, Qi Sun 2

CompTIA Network+ Study Guide Table of Contents

A Tentative Study on Ward Monitoring System based on Zigbee Technology Jifeng Liang

An Embedded Dynamic Security Networking Technology Based on Quick Jump and Trust

Research on Multi-service Unified Bearing Electric Power Communication Access Network Bao Feng1,a, Yang Li1, Yang Hu1, Yan Long2, Yongzhong Xie3

Design Universal Security Scheme for Broadband Router

Virtual private networks

The Research and Application of Firewall based on Netfilter

Overview. SSL Cryptography Overview CHAPTER 1

Research on Heterogeneous Communication Network for Power Distribution Automation

Hands-On TCP/IP Networking

INTERNET PROTOCOL SECURITY (IPSEC) GUIDE.

Configuring Web Cache Services By Using WCCP

Comprehensive analysis and evaluation of big data for main transformer equipment based on PCA and Apriority

Chongqing, China. *Corresponding author. Keywords: Wireless body area network, Privacy protection, Data aggregation.

Research on software development platform based on SSH framework structure

Development of a Rapid Design System for Aerial Work Truck Subframe with UG Secondary Development Framework

Integration of information security and network data mining technology in the era of big data

A Method of Identifying the P2P File Sharing

The Research and Application of the Fingerprint Key based USB-Key Pin Number Protection System Yu Lu 1, a, Zhong Liang 2, b, Chen Yue 3, c

Study on Jabber Be Applied to Video Diagnosis for Plant Diseases and Insect Pests

Design and Implementation of Dual-Mode Wireless Video Monitoring System

Design in the Authentication and Billing System Based on Radius and 802.1x Protocol

Design and Implementation of Inspection System for Lift Based on Android Platform Yan Zhang1, a, Yanping Hu2,b

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

31270 Networking Essentials Focus, Pre-Quiz, and Sample Exam Answers

Man-hour Estimation Model based on Standard Operation Unit for Flexible Manufacturing System

Virtual Private Networks

Design and Implementation of Real-Time Data Exchange Software of Maneuverable Command Automation System

Development and Application of Database System for Rubber Material

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

IP Mobility vs. Session Mobility

ISG-600 Cloud Gateway

The design and implementation of data exchange based on XML

Construction and Application of Cloud Data Center in University

TCP/IP stack is the family of protocols that rule the current internet. While other protocols are also used in computer networks, TCP/IP is by far

Configure Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) Service Settings on a Switch

result, it is very important to design a simulation system for dynamic laser scanning

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Deployment Scheme of Video Conferencing MCU Based on OpenStack Haifeng Han a, Jianxin Song b

A Design of Trusted Computing Supporting Software based on Security Function

Research on Control Routing Technology in Communication Network

Research and Implementation of Server Load Balancing Strategy in Service System

Exercises with solutions, Set 3

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

Network Security Protocols NET 412D

IPSec. Overview. Overview. Levente Buttyán

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

The Modification and Implementation of Campus Network Client. Lingfang Huanga

IP Security. Have a range of application specific security mechanisms

2017 2nd International Conference on Communications, Information Management and Network Security (CIMNS 2017) ISBN:

Networking and Health Information Exchange Unit 1a ISO Open Systems Interconnection (OSI) Slide 1. Slide 2. Slide 3

Open Access Universal Real-time Monitoring System Based on Ethernet in Test and Measurement Domain

CSE543 Computer and Network Security Module: Network Security

Autonomous System Network Topology Discovery Algorithm Based On OSPF Protocol

Secure Transmission for Interactive Three-Dimensional Visualization System

Study on data encryption technology in network information security. Jianliang Meng, Tao Wu a

A Static-Dynamic Conjunct Windows Process Integrity Detection Model

An Overview of Optical Label Switching Technology

IPv6 migration challenges and Security

A Flow Label Based QoS Scheme for End-to-End Mobile Services

Transcription:

2nd Joint International Information Technology, Mechanical and Electronic Engineering Conference (JIMEC 2017) A New Method Of VPN Based On LSP Technology HaiJun Qing 1, 2 1, 2, ChaoXiang Liang, LiPing Chen3 1 School of Information and Electronic Engineering,WuZhou University 2 Guangxi Colleges and Universities Key Laboratory of Professional Software Technology 3 First Middle School of WuZhou WuZhou, 543000, China qingnavy@qq.com, 420844683@qq.com, 393946674@qq.com Keywords: Layered Service Provider, Virtual Private performance for a virtual line to external. So as long as the Network, data packet aforementioned security features can be achieved, the VPN Abstract technology can be more flexible. With the rapid development of mobile Internet and intelligent tunnel protocol with the two or three layers in the terminal, the demand of the remote access network is more transmission control protocol/internet protocol (TCP/IP) intense than before. The virtual private network is a common architecture, with original data packets encapsulated by solution to this problem, with its traditional technology tunnel protocol, which has generic routing encapsulation realized by a security protocol and tunnel mechanism. But (GRE), internet protocol security extensions (IPSEC), etc. this is complicated and not flexible enough by the constraints [2-7]. There is also a remote access VPN based on secure of protocol. So it is a challenge for enterprises to adopt a sockets layer (SSL) protocol, which does not apply the tunnel more flexible and customized way to enable the employees to technology to remote access and work in between the third The traditional VPN technology mainly employs the make remote access to the intranet. A new virtual private and fourth layers in the architecture. Almost all of VPN network based on layered service provider technology is technology design is based on the existing security protocols proposed in this paper, by using layered service provider with different implementation technology, without enough technology to intercept the network data packets, so the data flexibility. And it cannot meet personalized needs while its packets can further receive their encrypted conversion and implementation mechanism is complex and huge. So how to integrity check. The virtual private network system based on achieve remote access to the intranet in a lightweight way is a layered service provider technology doesn t need any security valuable exploration. The VPN technology based on the protocol, with its flexible security which caters to the needs of layered service provider (LSP) do not depend on SSL, IPSEC personalized and customized remote access. protocol etc., so it can be customized according to the needs 1 Introduction of enterprise development, and the client and server can be simplified as much as possible. It can also provide service for With the rapid development of mobile Internet and intelligent terminals, the virtual private network (VPN) technology is the most economical and secures solution for remote access network. VPN technology is a virtual private the hypertext transfer protocol (HTTP) and other applications, with its security freely controlled; the enterprise can choose encryption algorithm and key length according to their own security needs. channel for users to access enterprise network. Its security 2. New method of VPN implementation based on and authentication and preventing malicious attacks and so on LSP technology features include encryption protection, integrity protection, [1]. The traditional VPN technology is based on a specific 2.1 LSP Technology security protocol, in fact, the essence of VPN is encrypted the LSP is a layered service provider which is the private data by the public network, so that the connecting implementation of Winsock 2 mechanism of Microsoft. The Copyright 2017, the Authors. Published by Atlantis Press. This is an open access article under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/). 216

Winsock 2 service provider interface (SPI) is implemented by in this paper and its essence is to capture data packet and network transport service providers and namespace resolution encrypt. Also we can use other methods to achieve VPN, such service providers [8]. Winsock 2 SPI can be used to extend an as NDIS, TDI and API etc. however, the LSP method can be existing transport service provider by implementing a layered used to achieve a good balance between difficulty and service provider. For example, Quality of Service (QOS) on transparency. Windows 98 and Windows 2000 is implemented as an LSP over the TCP/IP protocol stack [9]. The Winsock2 architecture diagram is shown in Figure 1 and LSP between 2.2 The new method of VPN implementation based on LSP technology 2.2.1 The function structure design of VPN client and server Application The VPN client functional structure design scheme is shown in Figure 2. The VPN client includes three modules Winsock2 API such as data interception, parameter negotiation and identity authentication. Data interception module is responsible for WS2_32.DLL intercepting encrypting decrypting verifying the data packet according to the parameters. The parameter negotiation SPI module is responsible for the negotiation key, encryption and decryption algorithm and the integrity verification algorithm. Transport Namespace The encryption and decryption algorithm suitable use Service Service symmetric encryption and it can reduce the complexity and provider provider improve the performance of the system. But the distribution and negotiation of the key suitable use asymmetric encryption. Base Protocol The identity authentication module is responsible for verifying the authenticity of the identity of the client, and it Fig 1 Winsock2 architecture diagram can use the password authentication method to authenticity. The parameter library mainly includes key, encryption and WS2_32.DLL and base protocol, which plays a connecting role. decryption algorithm and integrity verification algorithm parameters. The length of the key depends on the encryption There are many applications which grab and process network data, such as firewall, security manager, bandwidth manager and data stream filtering. Various kinds of applications work on the network data flow at different levels, but they intercept and process the data at the places where the data must pass. The network data channel flows through different levels, such as network driver interface specification (NDIS), LSP, transport driver interface (TDI) and application programming interface (API) layer. The network data can be controlled, filtered and processed when it flows through in any layers. The lower level of the network is, the more transparent the user program is, and the more powerful the function is, and the more difficult it is to design and implement [10]. The LSP technology is to intercept and process data in the next layer of the API system. We implement VPN by LSP and decryption algorithm and the actual needs. The encryption and decryption algorithm and the integrity verification can be selected from the backup algorithm. These parameters can be selected according to the settings of the front end and security level; generally speaking, a higher security will lead to a reduction in performance. the server of VPN can adopt a similar architecture with the client of VPN, but the identity authentication module in the server is must to be changed into the verification module and the parameters library of the server must storage more parameter than the parameters library of client storage. The parameters library of client just save the parameters related to the client, and the parameters library of server must save all the parameters of all clients. The server can obtain different parameters to encryption decryption and integrity check according to different client. In addition, the server needs to 217

add a data packet forwarding agent module, so forwarding the installation of the LSP is to configure the LSP information into the system database of Winsock 2, where the LSP will be The client of VPN packaged into dynamic link library (DLL). The specific process is as follows: The The module The module of module of of intercept authenticate negotiate data Start identity parameter Authenticate identity Failure Negotiate parameter Negotiate Encryption and decryption Integrity verification encryption and Negotiate Negotiate integrity key verification decryption Failure Install LSP algorithm algorithm Intercept process data Fig 2 the VPN client functional structure diagram data received from the remote access, at the same time, the No Is over data packet sent by internal network host transmitted to remote host. In order to the remote host achieve the final access to the internal network. Uninstall LSP 2.2.2 The process design of client and server The client process design diagram is shown in Figure 3, Log out where the two core steps are parameters negotiation and data interception. Parameter negotiation process includes negotiation of encryption and decryption algorithm, key and Exit algorithm of integrity verification. The encryption and decryption algorithm can be selected according to the performance of the client machine and the Fig 3 the client process design diagram safety requirements of the enterprise from the encryption and decryption algorithm list, and it is suitable to use the symmetric cryptography.the key can be generated by the server according to the request of the encryption and decryption algorithm, and then the client's public key can be used to encrypt the key and send the key to the client, so the client will receive the encrypted key and use the private key to decrypt it. Then the server and the client can use the key to carry out communication. In the system, a special database is used to store all the information of LSP. When the application needs to create a Socket for communication, the system will search the database for matching LSP and load it so that the system can pass the communication requirements to the next. So the (1) Enumerate all the LSP directories, and find the first TCP, user datagram protocol (UDP) protocol chain directory, and save it. (2) Call the WSCInstallProvider function to install the LSP of the client, once again enumerate all the LSP directories, and obtain the LSP directory's identification (ID). (3) In the TCP and UDP protocol chain directory which is saved in the first step insert the ID of the second steps obtained (4) Call the WSCInstallProvider function write the protocol chain directory which is rewritten at the third step to the Winsock 2 configure library. (5) Call the WSCWriteProviderOrder function to resort the Winsock directory, and put our protocol chain directory in 218

front. The process design for the client is mentioned above, and the server needs to load authentication module to verify (6) Call the WSPStartup function of the lower level with the parameter of the upper function table, the lower level function table, and so on. the identity of the client followed by parameter negotiation Secondly, modify the function table. between the client and the server. After negotiated When the WSP Startup function of the lower level LSP successfully with the first client, then LSP for encrypted is called, the bottom function table will be replaced with a communication will be loaded, so the subsequent clients will custom function, and the following functions need to be only need to negotiate parameters with the server, and replaced, such as RecvFrom, Send, Recv, and SendTo etc. repeated loading LSP will no longer be needed, and the server After the function mentioned above being replaced, the parameter library will save all parameters which are unique to custom function can be implemented. The Send function is each customer, which will enable them to carry out used as an example to describe the process of the custom encryption communication and integrity check. In addition, function WSPSend, and the same is true of other custom the server needs to increase the agent and forwarding process functions in terms of processing. of remote host data packets, at the same time; it needs The processing of WSPSend functions is as follows: implement the process of package disassembly and re (1) Check whether the destination address of the packet package. 2.2.3 The implementation of client and server LSP of intercept network packet The LSP must be packed to DLL file, and the main work done in the DLL file includes two aspects. The first aspect is is specified for the enterprise intranet address. (2) If the packet destination address is the intranet address of the enterprise, read the client key, encryption algorithm, integrity checking algorithm and other parameters from the parameter library. to load the next layer of LSP, and then the LSP is stacked to a (3) Replace the destination internet protocol (IP) address hierarchy structure, with each layer filtering and processing with the VPN server IP address, and the destination IP the network data packet based on their needs. The second address is saved in a data packet some location. aspect of the work is to modify the function table, with the (4) Encrypt the network data packet by using the bottom of the function being replaced with their own specified encryption algorithm. HASH the encrypted data functions, so as to filter and process the past network packet packet by the specified integrity check algorithm. Then write in their own functions. After filtering and processing the the verification code which obtained by integrity algorithm network data packet, the bottom of the function will be called into the data packet. to complete some basic receiving and sending work. These two aspects mentioned above will be discussed as follows. Firstly, the process of loading the next layer of LSP is as follows: (1) The ID of the lower level protocol will be found (5) Call the Send function of the below layer with the parameter of the modified data packet. For Recv, RecvFrom, SendTo and other functions, they can be carried out similar processing with send function. For the receiver function, the function is decryption and based on the parameter lpprotocolinfo of the WSP Startup verification the integrity of the data packet, the operation is function. the opposite. (2) To Enumerate all LSP based on the previous step of the ID to find the directory of the lower layer protocol. (3) Find the next layer of LSP file directory by the directory at the second step. (4) Call the Load Library function to load the DLL LSP, and get the address of the WSPStartup functions of next layer. (5) Replace the corresponding function in the underlying function table with a custom function. The implementation of the client LSP is discussed above, and the same is true of the server to load the next layer of LSP, with its similar custom functions, but what should be paid attention to is the definition parameter should cater to different clients. 3. Implementation of VPN system We used the Visual C++ to achieve the VPN system of the client and server on the windows platform. Due to the 219

development of a complete set of VPN system workload is method between application layer and transport layer. very large, so we just use LSP to catch the data packet and Although the VPN implementation method we proposed encrypt it and provide the proxy service. VPN system s client have some advantages. But compared with the traditional and server needs less code to implement with only more than method, there are three main problems. 1. The method 4000 and 5000 lines. We used the DES encryption algorithm proposed in this paper is more applicable to the case of to encrypt and decrypt the network data packets in the data remote access to internal network, for the case of intranet interception module. Then we deploy VPN server program in VPN and extranet VPN may have not good performance. 2. the company s server and the client program is installed on The method proposed in this paper need to be further verified. the computer at home. The connectivity of the system and the While the traditional VPN method is a more mature method. speed of the network are tested. The connectivity of the 3. The traditional implementation method has formed a system is verified. Due to the factors impact of the network certain standard with it has been widely accepted. The speed is more, under the limit of the communication operator method proposed in this paper need to be further studied. 4Mbps speed, we test its speed up to 3.2Mbps. Of course, the 5. Summary universality of the experiment and the completeness of the function need to be further improved. 4. Discussion This paper presents a new VPN system implementation method compared with the traditional VPN implementation method without using existing security protocols to achieve This method we presented in this paper has three main VPN. Since the essence of the VPN communication is to advantages over the traditional VPN implementation based on provide identity authentication, confidentiality and integrity, security protocol as follows: 1. Light weight. The traditional LSP technology is artfully used to complete the function of VPN implementation based on a security protocol is complex the VPN, which can satisfy customized needs of some and large and requires hardware support in some cases. For enterprises with its flexibility and personalized methods. Of example, The VPN system based on IPsec protocol designed course there is a deeper step to verify this method; next we by Wang is implementation by hardware, its cost is very high will improve the function of the experimental system as well and it is a very complex technology [3]. The method used in as the experiment in more scenes. this paper is not restricted to the security protocol, but it can Acknowledgements realize the security characteristics of VPN system by simpler methods, which therefore simplifies the design of VPN This article is supported by Young and middle-aged system. 2. Freely controlled security. Mr. Liu pointed out the backbone teacher training program Of Wuzhou University. VPN system based on SSL protocol mainly use DES and RC4 References etc. symmetric encryption algorithm to encrypt the network data packet which limit its flexibility [4]. The VPN implementation methods we presents in this paper doesn t restrict the algorithm of encryption and decryption as well as key length, so these parameters can be flexibly negotiated based on the need of actual security levels by enterprises. 3. Flexibility and convenience. While the traditional VPN implementation method bound to a certain protocol with its restrictions and standards. Mr. Yang pointed out installation and configuration the VPN system based on IPsec protocol is very complicated and not easy to flexible deploy in complex network environment [7]. The VPN implementation based on LSP technology is not limited to a particular application or application protocol, which provides a flexible processing [1] Yao Yonglei and Ma li, Network security of computer (the second edition), Beijing, Tsinghua University press, (2011) [2] Zhang Kaixia, Research on the Design and Realization of VPN-Based Campus Mobile OA, Dissertation, Nanjing University of Posts and Telecommunications, (2013) [3] Wang Yan, Design and Implementation of VPN System Based on IPSEC, Dissertation, University of Electronic Science and technology, (2013) [4] Liu Hongqiang, Research and Implementation of SSL-based VPN, Dissertation, Shandong University, (2008) [5] He Yahui, Xiao Lu, Chen Fengying, Principle and 220

Application of IPSec-based VPN Technology, Journal of Chongqing Institute of Technology, vol:20, pp,114-117, (2006). [6] Xu Kunliang, Wu Man, Research on VPN application based on IPsec protocol, Computer knowledge and technology, vol:11, pp:52-53,(2015). [7] Yang Wenkai, Research on security key technology of SSL VPN, Dissertation, Southwest Jiao Tong University, (2010). [8] Hu Junhua, Wei Fang, Online game acceleration based on LSP proxy Computer applications and software, vol:29, pp:149-153,(2012). [9] Wei Hua, Jim Ohlund, Barry Butterklee MSDN Home. http://www.microsoft.com/msj/0599/layeredservice/la yeredservice.aspx. (1999). [10] Leng Wei, Lu Yu, Using LSP Technology to Build Simple Firewall, Journal of Institute of Command and Technology, vol:12, pp:169-172,( 2001). 221

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback