A VPN configuration method to allow hierarchical security domains

一种允许分层安全域的VPN配置方法

• 批准号: 13680421
• 负责人: ISHIBASHI Hayato
• 金额: $ 0.58万
• 依托单位: Osaka City University
• 依托单位国家: 日本
• 项目类别: Grant-in-Aid for Scientific Research (C)
• 财政年份: 2001
• 资助国家: 日本
• 起止时间: 2001 至 2002
• 项目状态: 已结题
• 来源: https://kaken.nii.ac.jp/grant/KAKENHI-PROJECT-13680421/
• 关键词: VPN; Hierarchical Security Domain; LDAP; Internet; Security

Establishing VPN connections using existing VPN technology requires IP-level reachability to the destination security gateway. This means, if security domain (a network domain which shares the same security policy and separated by security gateways with other domains) is hierarchically organized, VPN connection cannot be established because external computers cannot reach inner security gateways directly.To solve this issue, we have proposed a method to allow establishing VPN connections in such an environment, traversing security gateways. Furthermore, to demonstrate and evaluate the proposed method, we have implemented the method using SOCKS5.We also have proposed and implemented a method to separately and effectively manage each security domain's access policy. In our method, access policy, which consists of per user availability and authentication requirements, is managed with tree structure, based on the security domain hierarchy. As access policy is automatically propagated from inner domain to outer domain, inner domain's administrator can freely change their access policy without bothering outer domain's administrator. To evaluate this method, we have implemented a policy server that lookups access policy and distribute to security gateways. Access policy is stored in distributed, hierarchical databases using LDAP (Lightweight Directory Access Protocol) servers.

使用现有VPN技术建立VPN连接需要对目标安全网关的IP级可达性。这意味着，如果安全域（共享相同的安全策略，并通过安全网关与其他域隔离的网络域）是分层组织的，VPN连接无法建立，因为外部计算机无法直接到达内部的安全网关。为了解决这个问题，我们提出了一种方法，允许在这样的环境中建立VPN连接，穿越安全网关。此外，为了验证和评估该方法，我们使用SOCKS5实现了该方法。我们还提出并实现了一种方法来单独有效地管理每个安全域的访问策略。在我们的方法中，访问策略，其中包括每个用户的可用性和认证要求，管理与树结构，基于安全域层次结构。由于访问策略是自动从内部域传播到外部域的，内部域的管理员可以自由地改变他们的访问策略，而无需打扰外部域的管理员。为了评估这种方法，我们实现了一个策略服务器，它查找访问策略并分发到安全网关。访问策略使用LDAP（轻型目录访问协议）服务器存储在分布式分层数据库中。

项目成果

Hayato Ishibashi: "New Approach for Configuring Hierarchical Virtual private Networks using Proxy Gateways"Lecture Notes in Computer Science, LNCS 2662. (to be published). (2003)

Hayato Ishibashi：“使用代理网关配置分层虚拟专用网络的新方法”计算机科学讲义，LNCS 2662。（待出版）。

Hayato Ishibashi: "New Approach for Configuring Hierarchical Virtual Private Networks using Proxy Geteways"Lecture Notes in Computer Science. 2662(to appear). (2003)

Hayato Ishibashi：“使用代理 Geteways 配置分层虚拟专用网络的新方法”计算机科学讲义。

Hayato Ishibashi: "New Approach for Configuring Hierarchical Virtual Private Networks using Proxy Gateways"Lecture Notes in Computer Science. 2662(to appear). (2003)

Hayato Ishibashi：“使用代理网关配置分层虚拟专用网络的新方法”计算机科学讲座笔记。