
Research On Asymmetric SSL Tunnel And Other Key Technologies Of SSL-based VPN

Posted on: 2008-08-03
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H T Xia
Full Text: PDF
GTID: 1118360272966893
Subject: Computer system architecture
Abstract/Summary:
Secure socket layer based virtual private network (SSL VPN) provides a safe and easy approach to remote access. The SSL protocol, the TLS (Transport Layer Security) protocol and the tunnel technology of SSL VPN authenticate the client and assure the confidentiality, authentication and integrity of data transmission. SSL VPN is currently in full blossom, but problems remain in its performance, scalability and security. First, the performance of SSL VPN is limited by the SSL/TLS protocol itself, so an SSL accelerator must be added to meet high-end applications. Second, an SSL VPN server handles a large number of network events, and the system call that acquires those events, the so-called I/O multiplexing interface, is invoked frequently, but the traditional I/O multiplexing interface has poor scalability and efficiency. Finally, SSL VPN cannot assure the security of the user end: a malicious program or user can access VPN resources and cause enormous loss.

The performance and scalability problems of SSL VPN can be addressed from two directions: the VPN architecture and the OS kernel. In the traditional VPN architecture the VPN server is the performance bottleneck: a large computational load concentrates on the VPN server, and its computational capability determines the communication quality of the whole VPN system. A new VPN architecture based on an asymmetrical SSL tunnel (AST) is proposed here. In the new architecture, part of the computational load is transferred to the internal application servers, whose I/O operations are busy but whose CPU utilization is low, so that idle CPU resources can be used to improve the overall performance of the whole VPN system. Key management in the new solution extends the SSL handshake protocol to synchronize the cipher spec among the VPN client, the VPN server and the internal application server. The AST-based VPN solution is coupled with two algorithms: IP packet engrafting and UDP diffusing.

According to Amdahl's law, the best way to improve the performance of a system is to make the common case fast. A new I/O multiplexing interface, named the kernel-user shared event queue (KSEQ), is proposed. In the KSEQ algorithm, the single-process event-driven structure of the SSL VPN server provides the solution to the problem of sharing data between the OS kernel and the VPN process. The KSEQ interface avoids a large amount of system call overhead and provides good scalability for applications. Analysis of the time sequence of KSEQ using a logical-clock based formalization model shows that the values of the kernel-user shared data structures always conform to their logical definition. Theoretical analysis and testing show that the KSEQ interface scales well and is more efficient than the interfaces proposed by other research.

Since SSL VPN cannot assure the security of the user end, the log system of the VPN server is very important for SSL VPN. A log system can be considered a one-way transport system that carries log messages from system programs to the forensic investigator. Based on that viewpoint, this dissertation proposes a forensic log evidence assurance (FLEA) system to provide judicial log evidence. FLEA is an intrusion-tolerant system supported by the operating system, and it assures the objectivity of the whole system. It can be proved by extended GNY logic that the FLEA system assures that its log is authentic, intact and confidential. A log protected by FLEA can be delivered to court as reliable evidence.
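The abstract describes a log system as a one-way transport from system programs to the forensic investigator, and states that FLEA assures the log is authentic and intact. The following is an added illustration of how those two properties can be checked on an append-only log; it is not FLEA's mechanism nor code from the dissertation. It assumes a hash-chained, HMAC-authenticated record format of its own design, a constructed demo key, and constructed sample log lines, and it shows the edge case a chain alone does not cover: silent truncation of the tail, which needs a checkpoint the investigator retains independently.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed demo key. In a real deployment the verification key would be
# held away from the logging host, so a compromised host cannot re-sign.
DEMO_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class LogRecord:
    seq: int        # position in the log, starting at 0
    msg: str        # the log line itself
    prev_mac: str   # hex MAC of the preceding record ("" for the first one)
    mac: str        # HMAC-SHA256 over (seq, prev_mac, msg)


def _mac(key: bytes, seq: int, prev_mac: str, msg: str) -> str:
    # Fields are separated by NUL so "1"+"2x" and "12"+"x" cannot collide.
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(str(seq).encode())
    h.update(b"\x00")
    h.update(prev_mac.encode())
    h.update(b"\x00")
    h.update(msg.encode())
    return h.hexdigest()


def append(log: List[LogRecord], msg: str, key: bytes = DEMO_KEY) -> List[LogRecord]:
    """Return a new log with msg chained onto the last record."""
    seq = len(log)
    prev = log[-1].mac if log else ""
    return log + [LogRecord(seq, msg, prev, _mac(key, seq, prev, msg))]


def verify(log: List[LogRecord], key: bytes = DEMO_KEY,
           checkpoint: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain and recompute every MAC.

    checkpoint is the MAC of the newest record the investigator has already
    received; if it is no longer present, the tail of the log was cut off,
    which the chain by itself cannot reveal.
    """
    prev = ""
    for i, rec in enumerate(log):
        if rec.seq != i:
            return False, f"sequence gap at record {i}"
        if rec.prev_mac != prev:
            return False, f"chain broken at record {i}"
        if not hmac.compare_digest(rec.mac, _mac(key, rec.seq, prev, rec.msg)):
            return False, f"bad MAC at record {i}"
        prev = rec.mac
    if checkpoint is not None and not any(r.mac == checkpoint for r in log):
        return False, "checkpoint missing: log tail was truncated"
    return True, "ok"


# Constructed sample log lines (not taken from any real system).
SAMPLE_LINES = [
    "sshd: accepted publickey for alice from 10.0.0.5",
    "vpn: tunnel established client=10.0.0.5",
    "sudo: alice : COMMAND=/usr/bin/systemctl restart sshd",
]


def build_sample() -> List[LogRecord]:
    log: List[LogRecord] = []
    for line in SAMPLE_LINES:
        log = append(log, line)
    return log


def tampered_sample() -> List[LogRecord]:
    """Record 2 rewritten in place, keeping the original MAC."""
    log = build_sample()
    r = log[2]
    return log[:2] + [LogRecord(r.seq, "sudo: alice : COMMAND=/usr/bin/true", r.prev_mac, r.mac)]


def deleted_sample() -> List[LogRecord]:
    """Middle record removed."""
    log = build_sample()
    return [log[0], log[2]]


def truncated_sample() -> List[LogRecord]:
    """Newest record dropped; chain remains internally consistent."""
    return build_sample()[:2]


if __name__ == "__main__":
    full = build_sample()
    print("intact:   ", verify(full))
    print("tampered: ", verify(tampered_sample()))
    print("deleted:  ", verify(deleted_sample()))
    print("truncated, no checkpoint:  ", verify(truncated_sample()))
    print("truncated, with checkpoint:", verify(truncated_sample(), checkpoint=full[-1].mac))
```

The chain catches in-place edits, deletions and reordering, but a log cut off after the last record the verifier knows about still verifies cleanly; that is why the investigator side must keep the latest MAC (or periodically receive one) as a checkpoint, which is the one-way transport viewpoint the abstract takes.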
Keywords/Search Tags:Asymmetrical SSL Tunnel, Single Process Event Driven Model, Kernel-user Shared Event Queue, Computer Forensic, Trust Logic