diplomna_rabota_FN21110

download diplomna_rabota_FN21110

of 72

  • date post

    26-Aug-2014
  • Category

    Documents

  • view

    128
  • download

    2

Embed Size (px)

Transcript of diplomna_rabota_FN21110

- .

: VPN SUnet

: , . 21110, : : . ,,

. 15.07.2006 .

1

1. VPN. 1.1. (VPN) 1.2. VPN 1.3. VPN 1.4. , VPN 1.5. , VPN 1.6. VPN 1.7. VPN 2. IPSec. 2.1. , IPSec. 2.2. Encapsulating Security Payload (ESP) 2.3. Authentication Header (AH) 2.4. Internet Key Exchange (IKE) 3. Openswan VPN . 3.1. ipsec.conf. Openswan 3.2. K ipsec.secrets. 4. SUNet ADSL . . 4.1. Openswan 4.2. Openswan vpn.uni-sofia.bg 4.3. L2TP PPP vpn.uni-sofia.bg 4.4. Openswan 4.5. Windows XP Openswan l2tp/ipsec

2

,

. (Virtual Private Network VPN) . VPN , , , , .., , , . , VPN , , , . , . , VPN - , . IPSec . Openswan, VPN . VPN SUNet, penswan , .

3

1. VPN: SSL IPSec. 1.1. (VPN). VPN (Virtual Private Network - ) ( , . ) , . VPN , (Point-to Point). , , . virtual private networking. , () (header ), , (). , . , , . , , . , , . 1.1 .

1.1.

VPN , , ( ). VPN 4

. , . VPN ( ), . VPN (wide area network - WAN) . , , . , . : , , , , . , . - , , . VPN . 1.2. VPN. . VPN , .

5

1.2.

, VPN . . dial-up . . VPN . , Frame Relay, WAN , . VPN

: VPN . , VPN VPN . VPN (Demand-Dial VPN Networking). dial-up VPN - , , .6

.

, LAN . , , LAN . 1.3. VPN. VPN , , (data integrity) . . LAN , . , VPN : . VPN VPN . VPN. . VPN , , dns , . . , , VPN . . . , VPN , , ,

7

, . 1.4. , VPN. , . : 1. . , . ( ) , . (plain) (cipher). , cipher plain . : 3DES (Triple DES) DES (Data Encryption Standard). Triple DES DES 56- . BlowFish, TwoFish, Goldfish. BlowFish 64- , , 32 448 . . Goldfish Twofish Blowfish. AES (Advanced Encryption Standard) - AES - , Rijndael, 2000 . 128 , 192 1024 . 2. .

, . - , . - , , - . - :8

RSA (Rivest Shamir Adleman) - , , . DSA (Digital Signature Algorithm) . Diffie-Hellman .

, . RSA , DSA VPN , Diffie-Hellman . - DSA Diffie-Hellman .

. : : 112- . : 1024- 2048- . 1.5. , VPN. 1.5.1. . (, ) , (message digests). , . . 9

, - , . : MD5 (Message Digest) MD2 MD4, 128- . SHA1 (Secure Hash Algorithm) , 512 160- . MAC (Message Authentication Codes) , , . HMAC (Hash Message Authentication Codes) , . , - MD5 SHA. 1.5.2. , VPN . (Pre shared secret). . . , . , (certification authority -CA), . , , , , CA. CA , . , ,

10

. . 1.6. VPN. . , , , . . , , , , PFS (Perfect Forward Secrecy). PFS , . Denial of service ( ). DoS , , . : . - . , . . PPTP Denial-of-Service (DoS) Windows NT, OpenBSD , AH/ESP ( IPSec), DoS, Windows 2000 IKE IPSec. . VPN , Windows, VPN . VPN .

11

Man in the middle . spoof- ( , ). Diffie-Hellman . ( HMAC ). Replay . , . 1.7. VPN. VPN 2 3 Open System Interconnection (OSI) 1.3. , 2, L2TP PPTP. VPN, 3, IP . 3 IPSec, L2TP 3.

7 6 5 4 3 2 1

OSI 1.3.

TCP/IP

TCP,UDP IP , ICMP

1.7.1. PPTP VPN . Point-to-Point Tunneling Protocol (PPTP) , Cisco Windows, . Point-to-Point Protocol (PPP), o . PPP 12

Generic Routing Encapsulation (GRE) , RFC 1701 1702. IP , . PPP IP, IPX NetBEUI .

IP Header

GRE Header

PPP Header 1.4.

PPP Payload

PPTP : MSCHAP-v2 EAP-TLS, . Microsoft MSCHAP-v2 PPP e MSCHAP-v1 Challenge Handshake Authentication Protocol (CHAP). MSCHAP . PPTP Microsoft Point-to-Point Encryption (MPPE). MPPE PPP RSA RC4 , 40, 56 128-. PPTP. PPTP , Microsoft Windows Windows 95. , MacOS PDA . VPN EAP-TLS, . NAT (Network Address Translation). VPN , , , , , , replay .

13

1.7.2. L2TP VPN . Layer 2 Tunneling Protocol (L2TP) (datalink) OSI ( ). - PPP L2TP , PPTP. . L2TP IP UDP L2TP- . L2TP UDP, L2TP- PPP . / , Microsoft L2TP .

IP Header

UDP Header

L2TP Header

PPP Header 1.4.

PPP Payload

L2TP - IPSec, , . L2TP/IPSec RFC3193. L2TP PPTP, : L2TP ; , ; , IP, ATM Frame Relay . L2TP/IPSec , . Windows Server 2003, Windows XP, Windows 2000 L2TP , Microsoft L2TP/IPsec VPN Client. 1.7.3. IPSec VPN. IPSec (Internet Protocol security) IP, , Internet Protocol .

14

IPSec , IP, : ; ; . , IPSec: (Authentication Header) - IP . ESP (Encapsulating Security Payload) IP . IKE (Internet Key Exchange) - , . IPSec e , ( ), ( ), . IPSec , , VPN 2. 1.7.4. VPN , - . , 3 OSI . , SSL, SSH TLS, 4-7 OSI. OpenVPN, . OpenVPN VPN, Secure Socket Layer/Transport Socket Layer (SSL/ TSL) , . : , (site-to-site), , , (failover) 15

. , (firewall), VPN-. Universal/ Tap Device Driver. Tun , , Tap Ethernet . OpenVPN. SSL . . OpenVPN RSA/DHE. OpenVPN OSI 2 3 , . , , VPN. OpenVPN : 1. - (pre-shared key), . . 2. , -, X.509 . 3. OpenVPN (Pluggable Authentification Module, PAM). , . OpenVPN : (SSL/ TLS), RSA X509 PKI; ; ; IP NAT; ;16

- Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP; ; - GNU License . IPSec, IKE, PPTP L2TP. 2. IPSec. 2.1. , IPSec. IPSec IPv4 IPv6 . , (integrity) , , (replays), ( ) . IP. , IPSec (firewall). - , IPSec . IPSec (security gateway - SG) IPSec . . , a IPSec, , (Security Policy Database - SPD) / . IP (PROTECT) IPSec , (DISCARD) IPSec (BYPASS). IPsec (Security Association - SA). , IPSec VPN - AH ( , , IP ) ESP ( IP ), SA. Internet Key Exchange (IKE).17

, , , , . SA , , , AH ESP (: DES , 3DES, AES MD5 SHA-1 ). , , AH ESP, , SA. oo IPSec , SA ( ). IKE SA. IPSec VPN SA: ISAKMP (Internet Security Association Key Management Protocol), IKE. IKE SA , - . IPSec SAs. IPSec SA . IPSec SAs . IPSec SA : 1. Security parameter index (SPI) 32- , SA. 2. IP . 3. , SA AH ESP. SA Security Association Database (SAD). . IPSec RFC 4301. . , IPSec , . IPSec . Authentication Header (RFC 4302) IP , Encapsulating Security Payload (RFC 4303) - , IP , .. - . 18

. / . , AH ESP, . - . IPSec IP . IP , IPsec . . VPN . , . . IPSec , . IP , . TCP/IP , . , IPSec IP . IPSec . : . , , . , . , VPN. . VPN VPN , , .

19

, . VPN . , VPN , . SA SA . . - VPN IPSec . ,

. VPN . , , . , , , . , IP . , IP . : . IP , , . IP , , VPN. IPSec . . V