
Design and Implementation of the Policy Server in an SPS-Based Interconnected IPSec VPN

【Author】 Wang Yong

【Supervisor】 Mao Yuming

【Author information】 University of Electronic Science and Technology of China, Communication and Information Systems, 2005, Master's degree

【Abstract (Chinese, translated)】 The Internet is used ever more widely in today's society, and users demand higher levels of network security. Enterprises, universities and government agencies, as major participants in and users of the Internet, have adopted VPNs on a large scale as the security solution for their communications. Since the IETF defined the IPSec framework as the network-layer security protocol, IPSec has also been brought into VPN construction, and IPSec VPN technology has become a key topic in security research. This thesis analyzes existing IPSec VPN technology and, by examining how it operates, identifies several problems: the compatibility of VPNs with heterogeneous networks, and the system's management of security policies. The former arises because IPv6 is developing rapidly and has entered practical use, so the transition of the network-layer protocol is under way and is expected to last a long time; the latter is raised from the standpoint of consistency and standardization in system management. The thesis discusses introducing NAT into the VPN to solve VPN interoperability between IPv4 and IPv6 networks, ensuring that the VPN keeps operating normally throughout the network transition. The main body of the thesis concentrates on how introducing a security policy system affects the way an IPSec VPN system works, and describes in detail the construction and workflow of the core of that system, the security policy server. A class-based (hierarchical) management scheme is proposed that integrates the management of users, policies and subnets into one organic whole and reduces management complexity. Within the policy management scheme, we analyze the confusion in policy management caused by correlations between policies. Building on existing techniques, a policy correlation algorithm is proposed, and its correctness and effectiveness are confirmed both theoretically and by testing. With the algorithm, the policy management system can handle large numbers of interacting security policies in complex networks, extending the system's range of application.

【Abstract】 With the development of the Internet, stricter network security solutions are required. As important participants in and users of the Internet, corporations, universities and governments choose VPNs as their security solution. Since the IETF designed the IPSec protocol, it has been used to construct VPN systems, and IPSec VPN has become a key problem in security research. Existing IPSec VPN technology is analyzed first, and some limitations are identified: the compatibility of different networks connected by a VPN, and the problem of security policy management. The former is raised by the rapid development of IPv6, which leads to a transition of the network protocol, while the latter is based on the consistency and standardization of system management. This paper discusses how to add NAT into a VPN system, by which we solve the problem that occurs when communication is between IPv4 and IPv6 networks. In the main body of this paper, we discuss the influence on the work mode of an IPSec VPN when the SPS is added, and introduce the technology of the security server, which is the kernel of the SPS. By a class-based scheme, we integrate the management of users, policies and subnetworks into a whole entity. After analyzing the chaos raised by the relativity of policies, we develop the policy relativity algorithm and prove it to be correct and effective by deduction and testing. As a result of adding the algorithm into the SPS, the system gains the capability of dealing with interrelated policies in more complicated networks.

  • 【Classification number】TP393.05
  • 【Downloads】50