Title: Design and Implementation of An Authentication System for Firewall-Based Virtual Private Networks (以防火牆為基礎之虛擬私有網路的身份驗證系統設計與實作)
Authors: Chen, Pai-Fei (陳柏飛); Chi-Chun Lo (羅濟群)
Department: Institute of Information Management
Keywords: Virtual Private Network (VPN); firewall; authentication; Internet security
Date of issue: 1997
Abstract (translated from the Chinese): With the rapid growth and spread of the Internet, a great many organizations and enterprises have connected their formerly closed private networks to the Internet, so that geographically dispersed parts of an organization can share resources more quickly and efficiently over the Internet, forming a logically private network known as a Virtual Private Network (VPN). Because security problems on the Internet receive increasing attention as its commercial use grows and network crime becomes more frequent, this study takes as its main theme the security problems an enterprise faces after building a VPN over the Internet. Identity verification is the first checkpoint of network security defence; if it is not strictly enforced, then once an illegitimate user impersonating a legitimate identity succeeds in breaking into an access-controlled system, even the tightest data protection is in vain. We therefore investigate how to perform user authentication securely on a firewall-based VPN. First, we examine the security requirements of VPNs and the existing security solutions, and summarize the strengths and weaknesses of current approaches. We then make an in-depth comparison and security evaluation of several well-known authentication protocols, including the ISO Three-way Protocol, the X.509 Three-way Protocol and the STS Protocol in Practice, select the STS authentication protocol, and strengthen it for use in an authentication system for firewall-based VPNs. Finally, we design and implement the VPN authentication system under the firewall architecture developed by the Institute for Information Industry (資策會). Through a secure authentication protocol, this system prevents illegitimate users from using various impersonation attacks to gain entry to the internal network it protects.
Abstract (English): Since the Internet grows rapidly and becomes very popular, an increasing number of enterprises connect their private LANs with the Internet; therefore their geographically separated subsidiaries can share resources in an efficient way and form a logical private LAN called a Virtual Private Network (VPN). Because commercial applications and Internet crimes increase day by day, Internet security issues become more important. This thesis focuses on the security problems that enterprises encounter when connecting to the Internet, and on how a firewall-based virtual private network authenticates its users. User authentication is the first checkpoint of network security; if an illegal user impersonating a legal user intrudes into the system, any data protection will be useless. Thus we explore how to authenticate a user's legitimacy in a firewall-based virtual private network. First, we analyze the security requirements of VPNs and the solutions available today. Furthermore, we compare three well-known authentication protocols from the literature: the ISO Three-way Protocol, the X.509 Three-way Protocol and the STS Protocol in Practice. We choose the STS Protocol and modify it for the purpose of the firewall's authentication system. After studying the user authentication protocol, we write an authentication client-server program for the firewall proxy server based on the modified STS protocol. This proxy server can safely authenticate the identity of a remote user with this program.
URI: http://140.113.39.130/cdrfb3/record/nctu/#NT860396004
http://hdl.handle.net/11536/62956
Appears in Collections: Thesis