
Design And Implementation Of IPSEC VPN Module In Firewall

Posted on: 2011-10-25
Degree: Master
Type: Thesis
Country: China
Candidate: W Zhang
GTID: 2178360308960936
Subject: Cryptography
Abstract/Summary:
A Virtual Private Network (VPN) is a security technology built on public networks, especially the Internet. It uses encapsulation, authentication, encryption, access control and related technologies to let enterprises, their branches and travelling employees communicate privately. IPSec, developed by the IETF, is an IP-layer security framework protocol and part of network-layer VPN technology. It implements a variety of encryption and authentication techniques at the IP layer, which greatly improves the security of the TCP/IP protocol suite. Using IPSec in communication between entities establishes a secure data transmission channel that protects both ends of a private communication, covering data integrity, authenticity and protection against replay attacks, and increases the security of sensitive information in transit.

The main work of the paper includes: introducing the technical background and development of VPN; studying the evolution of the firewall, leading to the distributed-architecture firewall HSU on which the module relies, and analysing its basic processes; analysing the IPSEC theoretical system; and designing and implementing the IPSEC VPN module on the network security equipment.

The core of this paper is the design and implementation of an IPSEC VPN module. The module is implemented on a distributed-architecture firewall platform and is a core part of the firewall's security capabilities. The module software is based on the distributed architecture. The module's main tasks are processed on the Service Processing Unit, while the Main Processing Unit handles control information management and the issuing of information. The Interface Processing Unit handles the distribution of data packets.

The Service Processing Unit has 32 hardware threads, divided into four types according to the allocation of software functions. Commands are configured on the Main Processing Unit, and the IPSEC commands are then transferred to the management threads through the configuring threads. Operation threads are responsible for packet forwarding. Configuring threads are responsible for configuration management. Aging threads are responsible for running timers and key updates.

In practical applications, performing IPSec encryption/decryption in software takes a lot of CPU resources and impacts overall performance. To solve this problem, the Service Processing Unit integrates a hardware encryption engine, SAE, to perform the data encryption/decryption operations, eliminating the performance cost of processing IPSec protocols in software and improving the efficiency of the firewall.

Finally, the closing remarks of this paper describe the performance advantages and the shortcomings worth improving, and give some further requirements for the future development of the module.
Keywords/Search Tags:Network Security, Firewall, VPN, IPSec