
Research And Implementation Of SSL-based VPN

Posted on: 2009-01-16
Degree: Master
Type: Thesis
Country: China
Candidate: H Q Liu
GTID: 2178360245494216
Subject: Systems analysis and integration
Abstract/Summary:
With the development of Internet technology, a growing number of enterprises and departments have put their business on the Internet, which has led directly to growing demand for information security products. Market survey reports of recent years show that the VPN market is growing by leaps and bounds. As the shortcomings of IPsec VPN have gradually appeared in practice (for example, conflicts with NAT equipment, complexity of configuration and use, and the security risks brought to the operating system kernel), people have begun to seek VPN technology that is more secure and easier to use. SSL-based VPN, a new type of VPN, is the most prominent of these technologies. Owing to the lack of unified standards and norms, current VPN products based on the SSL protocol (commonly known as SSL VPN) differ greatly from one another in technology and function, which makes choosing a VPN product difficult. In addition, because of United States controls on the export of encryption products, the key in the standard SSL protocol implementation is shorter and its strength is therefore greatly weakened, so it cannot be used in fields with more stringent security requirements (such as government, military and finance). It is therefore necessary to study SSL-based VPN in depth and to improve it.

First, on the basis of a security analysis of the SSL protocol, the thesis analyses the support that the SSL protocol provides for VPN implementation. It summarizes the characteristics of SSL-based VPN and proposes dividing SSL-based VPNs into two categories: proxy-based SSL VPN and tunnel-based SSL VPN. It also summarizes the security issues that require attention when SSL-based VPNs are deployed.

Proxy-based SSL VPN is characterized by its reliance on proxy technology and by its "clientless" mode of operation, which needs only a web browser and no specialized client installation. The thesis studies the technical principles of proxy-based SSL VPN, summarizes the application types it supports and describes the proxy technology adopted for each application type, analyses the security flaws of proxy-based SSL VPN clients and puts forward solutions. It also summarizes the advantages, disadvantages and applicable scenarios of proxy-based SSL VPN.

Tunnel-based SSL VPN is built on virtual NIC technology. Both ends of the VPN require the VPN software to be installed, and data is transmitted through the secure tunnel established between the virtual NICs. The thesis studies the technical principles of tunnel-based SSL VPN, describes the virtual NIC technology, discusses the problem caused by TCP over TCP encapsulation and gives a solution. The advantages, disadvantages and applicable scenarios of tunnel-based SSL VPN are also summarized.

Finally, the thesis presents an implementation of a VPN based on the SSL protocol that supports domestic cryptographic devices and algorithms. The implementation is based on OpenVPN, a mature open-source tunnel-based SSL VPN, and calls the domestic cryptographic devices and algorithms through a custom OpenSSL Engine to compensate for the weak key strength of the standard SSL protocol. The implementation not only meets domestic needs for a VPN based on the SSL protocol, but also accelerates VPN development and reduces the cost of building the VPN.

To sum up, the thesis mainly:
(1) summarizes the characteristics of SSL-based VPN and proposes dividing SSL-based VPNs into two categories: proxy-based SSL VPN and tunnel-based SSL VPN;
(2) makes an in-depth study of the key technologies of proxy-based SSL VPN and tunnel-based SSL VPN, analyses their respective advantages and disadvantages, and sums up their applicable scenarios and the applications they support;
(3) presents an implementation of SSL-based VPN with support for domestic cryptographic devices and algorithms.

I took part in the SSL VPN preliminary research project while studying for my master's degree, which was a great help in completing the thesis.
Keywords/Search Tags: SSL protocol, Virtual Private Network (VPN), proxy, tunnel, OpenVPN