以防火牆為基礎之虛擬私有網路的身份驗證系統設計與實作

Abstract

隨著網際網路 (Internet) 的快速成長和普及，相當多的組織企業也 紛紛將原本封閉的私有網路和Internet 相連，讓分散各地的組織可以透 過Internet更快速而有效率的分享資源形成一個邏輯上虛擬的私有網路( Virtual Private Network，簡稱VPN)。由於Internet上的安全問題隨著 其商業應用的增加及網路犯罪的日益頻繁而日漸受到重視，所以本研究以 企業利用Internet建立VPN後所面臨的安全問題做為主軸。身分確認是網 路安全防護上的第一道關卡，如果身分確認沒有嚴格把關，一個冒充合法 身份的非法使用者一旦成功的侵入管制進出的系統之中，即使資料保護的 再嚴密也是枉然，因此我們將探討如何在以防火牆為基礎的VPN上安全的 進行使用者身份驗證。 首先，我們會探討VPN的安全需求和現有的安 全解決方案，歸納出現有方法的優缺點。然後針對幾個著名的身份驗證協 定包括ISO Three-way Protocol、X.509 Three-way Protocol、STS Protocol in Practice做一深入的比較和安全性評估，然後從中選出STS 驗證協定將之加強後用於以防火牆為基礎之VPN身分驗證系統中。最後我 們會在資策會開發之防火牆架構下，設計與實作VPN身份驗證系統。此系 統透過安全的身份驗證協定，讓非法的使用者無法藉由各種攻擊偽裝進入 其所保護的內部網路系統。 Since the Internet grows rapidly and becomes very popular, an increasingnumber of enterprises connect their private LAN with the Internet; thereforeits subsidiary separated geographically can share their resources in an efficient way, and form a logical private LAN called Virtual Private Networks( VPNs). Because commercial applications and Internet crimes increases day-by-day, Internet security issues become more important. This thesis focuses on the security problem that enterprises would encounter when connecting with Internet, and find out how a firewall-based virtual private networkauthenticates its users. The user authentication is the first checkpoint ofnetwork security, if an illegal user impersonates a legal user intrudes thesystem, any data protection will be useless. Thus we will explore how to authenticate user's legality in a firewall-based virtual private network. First, we will analyze the security requirement of VPNs and the solutionsnowadays. Furthermore, we will compare three famous literature of authentication protocols: ISO Three- way Protocol, X.509 Three-way Protocoland STS Protocol in Practice. We choose the STS Protocol and modify it forthe purpose of firewall's authentication system. After studying the userauthentication protocol, we will write an authentication client-server program for firewall proxy server base on the modified STS protocol. Thisproxy server can safely authenticate the identity of a remote user by thisprogram.