
Research And Implementation Of Application-layer VPN Secure System

Posted on: 2008-06-18
Degree: Master
Type: Thesis
Country: China
Candidate: A B Wang
GTID: 2178360212974250
Subject: Computer software and theory
Abstract/Summary:
As an important branch of network security, VPN is increasingly used in modern enterprises. The secure remote access that VPN provides effectively solves the problem of secure communication between enterprise departments located in different places. Application-layer VPN has recently been proposed, and it has become one of the irreplaceable solutions adopted for modern enterprise network security because it is secure, fast and flexible.

This paper discusses the design and implementation of an application-layer VPN secure system and related issues. The discussion starts from the design of the prototype system and the two modes it supports: proxy mode and Site-to-Site mode. The discussion of proxy mode focuses on the design and implementation of the core modules of the VPN client and server, including user network request redirection, multi-line hot backup, dual-factor authentication, fine-grained access control, and server dynamic entry support. The discussion of Site-to-Site mode focuses on the design of the application-layer VPN gateway and related topics, including a virtual network adapter that forwards IP packets from the protocol stack to tunnels and vice versa, the idea of exempting the VPN network address space from redeployment, and multiple versions of the VPN gateway that solve the connection problems between headquarters, branches and mobile users.

Compared with traditional VPN, application-layer VPN can not only securely access remote application servers and other network resources but also provide fine-grained access control. Furthermore, proxy mode transmits less redundant data, which gives it an efficiency that traditional VPN cannot match. In addition, application-layer VPN can successfully traverse NAT and firewalls.
Keywords/Search Tags:application layer, VPN, proxy, multi-lines backup, dynamic server entry, Site-to-Site, virtual network adapter, address space exempt redeploy