
The Research And Design Of The SSL VPN Server

Posted on: 2005-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Zhang
GTID: 2168360152969168
Subject: Computer system architecture

Abstract/Summary:
As applications have moved to the Web, the challenge all enterprises face is how to deliver the flexibility of "anywhere" access without being intrusive to the end user. By combining the security of the SSL protocol with fine-grained access control, SSL VPN (Secure Socket Layer Virtual Private Network) addresses this problem well.

As the key part of the SSL VPN, the server involves many key technologies, such as: designing a flexible API that implements the SSL protocol to ensure data privacy and message integrity; providing a comprehensive authentication policy to verify the validity of clients; presenting a fine-grained access control policy to secure intranet resources; optimizing the design of the server to enhance the performance of the SSL VPN; and constructing an abstract management system to enhance the extensibility of the server.

Based on a study of the OpenSSL API, which strictly follows the definition of the SSL protocol, we have enhanced the security of OpenSSL in its support for client authentication and session resumption, and then used this API to provide communication confidentiality and message integrity.

After comparing several client authentication solutions, this paper presents a flexible solution based on a PKI (Public Key Infrastructure) system and details the username/password form and two-factor authentication. Having analyzed the problems of authentication deficiency and lack of delay control in traditional SSL VPNs, this paper proposes a private protocol, SSL_ECP (SSL Enhanced Control Protocol), to solve them. Based on an analysis of currently popular access control policies, this paper implements role-based access control and content-dependent access control, making the system's resource control more effective and fine-grained.

As the only access point, the server needs to be carefully designed to enhance the performance of the SSL VPN. Considering the load placed on the server by public key algorithms in the handshake phase and by encryption and decryption operations in the data transmission phase, this paper gives solutions such as session resumption and a hardware accelerator to enhance the performance of the server.

An SSL VPN server has many resources that need to be carefully managed. This paper gives a Web-based management control system to ease the work of the administrator, which enhances the extensibility of the server.
Keywords/Search Tags: SSL VPN Server, CA, Client Authentication, Access Control