
Requirements Analysis And Design Of SSL VPN Management

Posted on: 2011-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: B Rong
Full Text: PDF
GTID: 2178360308462600
Subject: Software engineering

Abstract/Summary:
In recent years, science and technology in China have developed quickly. Competition among enterprises is increasing, and most enterprises have to speed up their informatization to hold their position in that competition. As enterprise informatization advances, application systems are deployed in large numbers, widely distributed, and heavily used. This inevitably makes information security a big challenge. Most enterprise business systems are highly confidential and depend more and more on the network.

IPSec, as an open network-layer security protocol, is safe, efficient, and transparent to applications. But it offers poor security control and does not meet all application requirements. VPNs based on the SSL protocol are the emerging VPN product attracting the most attention. However, because uniform standards and norms are lacking, current SSL VPN products vary in technology and differ considerably in function. Meanwhile, to improve the ease of use, safety, and efficiency of SSL VPN products, there is an urgent need to replace the traditional authentication method with a more efficient and secure authentication mechanism, which gave rise to the concept of single sign-on.

This paper analyzes the security requirements of SSL VPN products as well as a number of security technologies, designs a centralized security management system with rich and flexible access control methods, and improves identity management, authentication, access control, and other parts of SSL VPN security. Based on the overall framework and the specific needs of the system, the paper also designs a user management module based on LDAP.

The identity management module uses an LDAP database and supplies a variety of user registration methods, so it can integrate flexibly and seamlessly with existing enterprise information systems. Based on research into single sign-on and access control frameworks, the paper designs an authentication and authorization module to provide authentication, authorization, and other security services. This module is centralized: it provides authentication, authorization, and other security policy operations, and supports a unique policy decision point. This simplifies the communication of policy changes and the work of maintaining policy integrity, reduces the risk of inconsistencies in identity and policy management, and can effectively meet and improve the security requirements of the SSL VPN system. To meet higher security requirements, the design also adds support for digital certificate authentication based on X509 V3.

In this paper, the centralized user management, authentication, and authorization mechanism supports multiple authentication methods, allowing users to use different authentication methods to obtain different levels of trust and gain access to the system. Authentication methods can be used as a security policy mechanism, through which the security policy of the SSL VPN system can be configured.

This paper mainly covers the following aspects of work:

1) Surveyed the SSL VPN products on the market and summarized the requirements of existing customers for security products.
2) Researched the basic knowledge required for product design and the cryptography-related security content, studying and describing them in depth in the paper.
3) Following the principle of hierarchical design, abstracted a basic certificate authority framework from the feature requirements of the SSL VPN product, and designed specific features based on the security requirements.
Keywords/Search Tags:access control, single sign on, authentication, authorization, SSL, VPN