
CN115174258A - VPN data security access method - Google Patents

VPN data security access method

Info

Publication number
CN115174258A
Authority
CN
China
Prior art keywords
vpn
user
gateway
tunnel
file
Prior art date
Legal status
Pending
Application number
CN202210906434.2A
Other languages
Chinese (zh)
Inventor
黄维维
刘春�
伍韵文
陈飞
李骁睿
张杰豪
吴华兵
龙晨吟
张雪
Current Assignee
Leshan Power Supply Co of State Grid Sichuan Electric Power Co Ltd
Original Assignee
Leshan Power Supply Co of State Grid Sichuan Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by Leshan Power Supply Co of State Grid Sichuan Electric Power Co Ltd
Priority to CN202210906434.2A
Publication of CN115174258A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/0272 Virtual private networks
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/062 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a VPN data security access method comprising the following steps: S1, establish a VPN gateway and generate a gateway key pair, a global public key file and a mobile user file; S2, inject the gateway key pair, the global public key file and the mobile user file into the VPN gateway; S3, establish a user authentication domain on the VPN gateway and generate users according to the user authentication domain; S4, the user sends a connection request to the VPN gateway and an access tunnel of the user's VPN network is established. Generating the gateway key pair and encrypting the global public key file and the mobile user file ensures the security of data transmitted over the network; establishing a user authentication domain on the VPN gateway and generating users according to it reduces security risk and improves the quality of secure data access; and establishing an access tunnel of the user's VPN network and transmitting through the tunnel ensures the security and integrity of user data.

Description

VPN data security access method

Technical field

The invention relates to the technical field of network security, and in particular to a VPN data security access method.

Background

The International Organization for Standardization defines computer system security as the technical and administrative protections established and adopted for a data processing system to protect computer hardware, software and data from damage, alteration and disclosure caused by accidental or malicious events. Computer network security can accordingly be understood as the use of various technical and administrative measures to keep the network system operating normally, thereby ensuring the availability, integrity and confidentiality of network data. The purpose of network security protection measures is therefore to ensure that data transmitted and exchanged over the network is not added to, modified, lost or disclosed.

With the development of the power system, the large-scale connection of mobile terminals and IoT terminals at the grid edge, the rapid increase in the number of information-collection terminals and the substantial growth of business data, the bandwidth available for information transmission faces great challenges and unpredictable network security risks are introduced. In the digital transformation of the power communication network, secure data transmission and shared access receive more and more attention. A Virtual Private Network (VPN), as a dedicated encrypted network, can provide shared data access at a high security level. In existing VPN data access control systems, the accessing party (such as a user terminal) establishes a dedicated VPN data channel with the remote data service party through a client for secure data sharing. During data sharing, remote sharing easily leads to insecure and incomplete data, and access stability cannot be guaranteed, so that the entire data sharing link is compromised.

Summary of the invention

The technical problem to be solved by the present invention is that, when an existing VPN data access control system performs remote data sharing, the data is insecure and incomplete and access stability cannot be guaranteed, so that the entire data sharing link is compromised. The purpose is to provide a VPN data security access method that ensures the security of data transmitted over the network by generating a gateway key pair and a global public key file and encrypting the mobile user file, reduces security risk and improves the quality of data access through VPN users' access to an authentication domain, and uses tunnel transmission to ensure the security and integrity of user data.

The present invention is achieved through the following technical solution:

A VPN data security access method, comprising the following steps:

S1. Establish a VPN gateway and generate a gateway key pair, a global public key file and a mobile user file;

S2. Inject the gateway key pair, the global public key file and the mobile user file into the VPN gateway;

S3. Establish a user authentication domain on the VPN gateway and generate users according to the user authentication domain;

S4. The user sends a connection request to the VPN gateway, and an access tunnel of the user's VPN network is established.

By establishing a VPN gateway, generating a gateway key pair, a global public key file and a mobile user file, and injecting them into the VPN gateway, the invention ensures the security of data transmitted over the network. By establishing a user authentication domain on the VPN gateway and generating users according to it, VPN users' access to the authentication domain reduces security risk and improves the quality of secure data access. By having the user send a connection request to the VPN gateway and establishing an access tunnel of the user's VPN network, tunnel transmission ensures the security and integrity of user data.

Further, step S1 specifically includes: uploading a license to the VPN gateway to obtain the NetEyeVPN firewall; generating a root key through the NetEyeVPN firewall; obtaining the IP address and key exchange port information of the VPN gateway; and generating the gateway key, the global public key file and the mobile user file according to the IP address and key exchange port information of the VPN gateway. The global public key file is used to establish a secure channel between the current VPN gateway and other VPN gateways, and the mobile user file is used to establish a secure channel between the current VPN gateway and a desired VPN gateway.

Further, generating users according to the user authentication domain specifically includes: creating a user in the authentication domain, adding the user name and user password information, generating the user, creating a role name according to the nature of the user, and assigning the IP address the user will use according to the role name.

Further, assigning the IP address used by each user according to the role includes: configuring a VPN gateway tunnel IP address pool according to the access tunnel of the user's VPN network, and assigning IP addresses from the pool to the roles corresponding to the authentication domain.

Further, after the user sends a connection request to the VPN gateway, the VPN gateway identifies and authenticates the user, and after successful authentication the access tunnel of the remote user's VPN network is established.

Further, the specific steps of establishing the access tunnel of the remote user's VPN network include controlling and filtering the user's access, where the filtered fields are the source and destination IP addresses, the destination port number and the connection protocol of the user's access information.

Further, the filtered user accesses the authorized authentication domain according to the role to which the user belongs and the assigned IP address range, and is automatically added to that authentication domain.

Further, the access tunnel is a many-to-many transmission tunnel established through the VPN gateway between source addresses and destination addresses.

Further, when data in the transmission tunnel is transmitted, the transmitted data is encapsulated; the encapsulation includes VPN encapsulation of the transmitted data, followed by IP encapsulation of the VPN-encapsulated data.

Compared with the prior art, the present invention has the following advantages and beneficial effects:

1. Encryption with the generated gateway key pair, global public key file and mobile user file ensures the security of data transmitted over the network; VPN users' access to the authentication domain reduces security risk and improves the quality of secure data access; and tunnel transmission ensures the security and integrity of user data;

2. The present invention generates the gateway key and the global public key file from the IP address and key exchange port information of the VPN gateway; the global public key file is signed with the private key of the management center, which prevents it from being replaced or tampered with in transit.

Description of drawings

In order to illustrate the technical solutions of the exemplary embodiments of the present invention more clearly, the drawings required for the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope; a person of ordinary skill in the art can obtain other related drawings from these drawings without creative effort. In the drawings:

FIG. 1 is a flowchart of an embodiment of the present invention.

Detailed description

To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below with reference to the embodiments and the drawings. The exemplary embodiments of the present invention and their description serve only to explain the invention and do not limit it.

Embodiment 1

As shown in FIG. 1, this embodiment provides a VPN data security access method comprising the following steps:

S1. Establish a VPN gateway and generate a gateway key pair, a global public key file and a mobile user file;

S2. Inject the gateway key pair, the global public key file and the mobile user file into the VPN gateway;

S3. Establish a user authentication domain on the VPN gateway and generate users according to the user authentication domain;

S4. The user sends a connection request to the VPN gateway, and an access tunnel of the user's VPN network is established.

By establishing a VPN gateway, generating a gateway key pair, a global public key file and a mobile user file, and injecting them into the VPN gateway, the invention ensures the security of data transmitted over the network. By establishing a user authentication domain on the VPN gateway and generating users according to it, VPN users' access to the authentication domain reduces security risk and improves the quality of secure data access. By having the user send a connection request to the VPN gateway and establishing an access tunnel of the user's VPN network, tunnel transmission ensures the security and integrity of user data.

In some possible embodiments, step S1 specifically includes: uploading a license to the VPN gateway to obtain the NetEyeVPN firewall; generating a root key through the NetEyeVPN firewall; obtaining the IP address and key exchange port information of the VPN gateway; and generating the gateway key, the global public key file and the mobile user file according to the IP address and key exchange port information of the VPN gateway. The global public key file is used to establish a secure channel between the current VPN gateway and other VPN gateways, and the mobile user file is used to establish a secure channel between the current VPN gateway and the desired VPN gateway.

In some possible embodiments, generating users according to the user authentication domain specifically includes: creating a user in the authentication domain, adding the user name and user password information, generating the user, creating a role name according to the nature of the user, and assigning the IP address the user will use according to the role name. Assigning the IP address used by each user according to the role includes configuring a VPN gateway tunnel IP address pool according to the access tunnel of the user's VPN network, and assigning IP addresses from the pool to the roles according to the authentication domain.

In some possible embodiments, after the user sends a connection request to the VPN gateway, the VPN gateway identifies and authenticates the user, and after successful authentication the access tunnel of the remote user's VPN network is established. The specific steps of establishing the access tunnel of the remote user's VPN network include controlling and filtering the user's access, where the filtered fields are the source and destination IP addresses, the destination port number and the connection protocol of the user's access information. The filtered user accesses the authorized authentication domain according to the role the user belongs to and the assigned IP address range, and is automatically added to that authentication domain.

In some possible embodiments, the access tunnel is a many-to-many transmission tunnel established through the VPN gateway between source addresses and destination addresses. When data in the transmission tunnel is transmitted, the transmitted data is encapsulated; the encapsulation includes VPN encapsulation of the transmitted data, followed by IP encapsulation of the VPN-encapsulated data.

Embodiment 2

A1. Establishing the VPN gateway

A VPN gateway is established, and a data transmission tunnel is established through it. All data transmitted in the tunnel must be encapsulated by the VPN gateway, where the source and destination addresses of the transmitted data are both VPN gateway addresses. After the VPN gateway applies VPN encapsulation to the transmitted data, IP encapsulation is applied on top of the VPN encapsulation, with server a as the source address and server b as the destination address. Data transmitted between server a and server b thus passes through VPN encapsulation and then IP encapsulation; the final IP packet includes the source IP, the destination IP, the IP protocol and the VPN information.

A2. Communication management

The key to securing VPN-transmitted data is securing key management for the whole system. The present invention adopts a PKI-based key management framework to achieve secure and reliable key distribution and management, and sets up a key management center at the network center that configures RSA key pairs for the entire VPN system.

After logging in to the key management center, a root key is generated inside the key encryption card; the root key is an RSA public/private key pair. The RSA key pair of a VPN gateway is used in IKE negotiation, and its private key is the mark of the gateway's identity. Each VPN gateway has a gateway key pair, generated by the key management center and injected into the respective VPN gateway; a dedicated key encryption card serves as the key transfer medium and an encryption key is applied, which secures the key issuance process.

Through the key management center, the IP address and key exchange port information of the VPN gateway are obtained, and the gateway key pair, the global public key file and the mobile user file are generated from them. The global public key file is signed with the management center's private key, which prevents it from being replaced or tampered with during data transmission. Because it is difficult to derive one of the public and private keys from the other, ciphertext produced with the public key or the private key can only be decrypted with the corresponding private key or public key respectively, which ensures the confidentiality of information in transit.

A3. Gateway configuration

Key configuration of the VPN gateway and generation of user E-Keys: after a suitable License is uploaded to the VPN, the VPN function of the NetEyeVPN firewall is obtained and the VPN gateway is formed. The gateway key pair, global public key file and mobile user file generated by the key management center are injected into the VPN gateway; the global public key file is used to establish secure channels between the current VPN gateway and other VPN gateways, and the mobile user file is used to establish a secure channel between the current VPN gateway and the desired VPN gateway. A user authentication domain is established on the VPN gateway, with local authentication or Radius authentication selectable at creation time; users are created in the authentication domain (adding the user name and user password information) and a user E-Key is generated. The user E-Key mainly stores the user's authentication certificate file and user name information, strengthening the security of user authentication.

A4. Data transmission processing

When a VPN user sends a connection request to the VPN gateway through the NetEyeVPN client and the VPN client E-Key, the VPN gateway identifies and authenticates the VPN user. The session key for the connection is negotiated automatically according to the IKE protocol, and the negotiated key is used to encrypt the transmitted data. After the VPN gateway has successfully identified and authenticated the VPN user, the remote user's access tunnel is established by creating SAs and combinations of SAs. NetEyeVPN follows the IPSec security protocol and uses tunnel mode to provide encryption and integrity verification for user data, and protects information transmission through its integrated authentication service. NetEyeVPN uses IP encapsulation: the original IP packet is encrypted, authentication information is added, and the result is wrapped entirely in a new IP packet whose header carries as source and destination the external addresses of the client and of the VPN gateway respectively. Packets encapsulated in this way hide the internal network topology when transmitted over the public network, which strengthens network security; in addition, use of the standard AH and ESP protocols guarantees the confidentiality and integrity of the IP packet.
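The two-stage wrapping described in A1 (VPN encapsulation, then IP encapsulation) and in A4 (the original IP packet protected and carried whole inside a new IP packet whose outer addresses are the client's and gateway's external addresses), as an added example that is not the patent's or NetEyeVPN's code and is not wire-compatible with ESP. Integrity uses HMAC-SHA256; the payload cipher is an HMAC-based counter-mode keystream standing in for AES, which the standard library lacks. All addresses, keys and payload bytes are constructed sample data.

```python
"""Tunnel-mode encapsulation: inner IPv4 packet -> protected blob -> outer IPv4 packet."""
import hashlib
import hmac
import ipaddress
import os
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50  # IANA protocol number for ESP


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over the header; a valid header sums to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl != 0x45 or ipv4_checksum(packet[:20]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": packet[20:total_len]}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC(key, nonce || counter) blocks, stand-in for a block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def vpn_encapsulate(inner: bytes, enc_key: bytes, auth_key: bytes, spi: int, seq: int) -> bytes:
    """ESP-like layout: SPI | sequence | nonce | ciphertext(inner packet) | HMAC tag."""
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(enc_key, nonce, len(inner))))
    body = struct.pack("!II", spi, seq) + nonce + ct
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()


def vpn_decapsulate(blob: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then decrypt."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    nonce, ct = body[8:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tunnel_send(inner_packet, client_ext, gateway_ext, enc_key, auth_key, spi, seq) -> bytes:
    """Protect the original packet, then IP-encapsulate it with the outer (public) addresses."""
    blob = vpn_encapsulate(inner_packet, enc_key, auth_key, spi, seq)
    return build_ipv4(client_ext, gateway_ext, IPPROTO_ESP, blob)


def tunnel_receive(outer_packet, enc_key, auth_key) -> dict:
    """Strip the outer header, check and decrypt the blob, recover the inner packet."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_ESP:
        raise ValueError("not a tunnel packet")
    return parse_ipv4(vpn_decapsulate(outer["payload"], enc_key, auth_key))


def demo():
    """Constructed sample: internal hosts behind a client and a gateway on public addresses."""
    enc_key, auth_key = os.urandom(32), os.urandom(32)
    inner = build_ipv4("192.168.10.7", "192.168.20.9", IPPROTO_TCP, b"constructed sample payload")
    outer = tunnel_send(inner, "203.0.113.10", "198.51.100.1", enc_key, auth_key, spi=0x1001, seq=1)
    return parse_ipv4(outer), tunnel_receive(outer, enc_key, auth_key)


if __name__ == "__main__":
    seen_on_public_net, recovered_by_gateway = demo()
    print(seen_on_public_net["src"], "->", seen_on_public_net["dst"], "proto", seen_on_public_net["proto"])
    print(recovered_by_gateway["src"], "->", recovered_by_gateway["dst"])
```

An observer on the public network sees only the outer header (client and gateway external addresses, protocol 50); the internal addresses travel inside the encrypted blob, and any modification of the outer payload is rejected at the gateway by the integrity check before decryption is attempted.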

A5. Zone division

When users are created in the authentication domain of the VPN gateway, multiple role names are created for users of different natures, corresponding respectively to application zones such as OA, production, distribution network and marketing. An IP address pool is set for the VPN gateway's tunnel virtual device, and addresses from the pool are assigned to the roles, one per application domain. After a user logs in and is authenticated, the user is assigned an IP address according to the role the user belongs to and is automatically added to the user's own application domain. The authentication method may be based on the E-Key or on a password.

VPN users filtered by the firewall security control policy access the authorized application domain according to the role they belong to and the assigned IP address range; that is, an IP address range is specified for each role in the authentication domain, and the specified range must lie within the configured IP address pool. The application domain is one of, or a combination of several of, the OA, production management, distribution network management and marketing application domains.

Encryption alone is not enough; comprehensive protection also requires authentication and identification, which ensure that the users taking part in an encrypted conversation are who they claim to be. This can rely on many mechanisms, from security cards to identity verification: the protection of a security card ensures that only authorized users can interactively access the network from a trusted terminal, while identity verification provides a method of generating some form of password or digital signature by which the accessed party authenticates the visitor's request.

A6. Formulating security policy

After a VPN network channel has been established over the public network between a VPN user and the VPN gateway, firewall security policies and rules must still be formulated to further divide the network into different security access zones and to restrict users' access to those zones, so that network security is further improved. The firewall is generally located at an edge control point of the enterprise network, such as the connection to the Internet, and can also be deployed at security zone control points inside the enterprise network.

The weakness of security zone defence is that it cannot resist attacks from "legitimate" users inside the zone, such as malicious or careless internal users, remote mobile workers or SOHO users without a firewall or with weak protection whose identities have been stolen, and back doors into the security zone (wireless networks, remote access). Firewall technology restricts and filters user access through security policies; the main filtering fields are the source and destination IP addresses, the destination port number and the connection protocol of the user's access information. VPN users filtered by the firewall security control policy access the authorized application domain according to the role they belong to and the assigned IP address range, for example only one of, or a combination of several of, the OA, production management, distribution network management and marketing application domains. When configuring the firewall, the security levels of the VPN devices at both ends of the data transmission channel must be consistent, to ensure efficient data transmission between them.
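The role-based address assignment of A5 (each role gets a range inside the gateway's tunnel pool) combined with the policy filtering of A6 (source and destination IP, destination port, protocol, then authorization by application domain), as an added example that is not the patent's or NetEyeVPN's code. The pool, role ranges, user names, destination subnets and rules are constructed sample data; the domain names follow the text. Policy evaluation is default-deny and is written so that a source address outside every role range is rejected before any rule is consulted.

```python
"""Role -> tunnel address range -> application domain authorization, with a default-deny filter."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Role:
    name: str
    domains: set                          # application domains this role may reach
    address_range: ipaddress.IPv4Network  # must lie inside the gateway's tunnel pool


@dataclass
class Gateway:
    pool: ipaddress.IPv4Network
    roles: dict = field(default_factory=dict)
    assigned: dict = field(default_factory=dict)  # user -> tunnel address

    def add_role(self, role: Role) -> None:
        # A5: a role's range must be a subset of the configured pool.
        if not role.address_range.subnet_of(self.pool):
            raise ValueError(f"{role.name}: {role.address_range} is outside pool {self.pool}")
        self.roles[role.name] = role

    def assign_address(self, user: str, role_name: str) -> ipaddress.IPv4Address:
        """On successful login, hand out the next free host address of the user's role."""
        role = self.roles[role_name]
        in_use = set(self.assigned.values())
        for host in role.address_range.hosts():
            if host not in in_use:
                self.assigned[user] = host
                return host
        raise RuntimeError(f"{role_name}: address range exhausted")

    def role_of_address(self, address) -> Optional[Role]:
        addr = ipaddress.ip_address(address)
        return next((r for r in self.roles.values() if addr in r.address_range), None)


@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]          # None matches any port
    protocol: Optional[str]          # None matches any protocol
    domain: str                      # application domain behind dst


def evaluate(gateway: Gateway, rules, src_ip, dst_ip, dst_port, protocol):
    """A6: filter on the named fields, then confirm the source's role is authorized
    for the application domain the matching rule belongs to."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    role = gateway.role_of_address(src)
    if role is None:
        return "deny", "source address is not in any role range"
    for rule in rules:
        if (src in rule.src and dst in rule.dst
                and rule.dst_port in (None, dst_port)
                and rule.protocol in (None, protocol)):
            if rule.action == "permit" and rule.domain not in role.domains:
                return "deny", f"role {role.name} is not authorized for domain {rule.domain}"
            return rule.action, f"matched {rule.domain} rule"
    return "deny", "no matching rule"


def build_sample_gateway():
    """Constructed configuration: one pool, two roles, two permit rules."""
    gw = Gateway(pool=ipaddress.ip_network("10.8.0.0/16"))
    gw.add_role(Role("oa", {"OA"}, ipaddress.ip_network("10.8.1.0/24")))
    gw.add_role(Role("production", {"production", "distribution"}, ipaddress.ip_network("10.8.2.0/24")))
    rules = [
        Rule("permit", ipaddress.ip_network("10.8.0.0/16"), ipaddress.ip_network("192.168.10.0/24"), 443, "tcp", "OA"),
        Rule("permit", ipaddress.ip_network("10.8.0.0/16"), ipaddress.ip_network("192.168.20.0/24"), None, None, "production"),
    ]
    return gw, rules


if __name__ == "__main__":
    gw, rules = build_sample_gateway()
    alice = gw.assign_address("alice", "oa")
    bob = gw.assign_address("bob", "production")
    print("alice", alice, evaluate(gw, rules, alice, "192.168.10.5", 443, "tcp"))
    print("alice", alice, evaluate(gw, rules, alice, "192.168.20.5", 22, "tcp"))
    print("bob", bob, evaluate(gw, rules, bob, "192.168.20.5", 22, "tcp"))
```

Two properties worth checking in a real configuration follow from this structure: a role range that is not inside the pool is a configuration error, not a silent extra allocation, and a packet whose source address matches no role is dropped even if a broad permit rule would otherwise cover it.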

The specific embodiments described above explain the objectives, technical solutions and beneficial effects of the present invention in further detail. It should be understood that the above are only specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (10)

1. A VPN data security access method, characterized in that it comprises the following steps: S1, establishing a VPN gateway and generating a gateway key pair, a global public key file and a mobile user file; S2, injecting the gateway key pair, the global public key file and the mobile user file into the VPN gateway; S3, establishing a user authentication domain on the VPN gateway and generating users according to the user authentication domain; S4, the user sending a connection request to the VPN gateway to establish an access tunnel of the user's VPN network.

2. The VPN data security access method according to claim 1, characterized in that step S1 specifically comprises: uploading a license to the VPN gateway, obtaining the NetEyeVPN firewall, generating a root key through the NetEyeVPN firewall, obtaining the IP address and key exchange port information of the VPN gateway, and generating the gateway key, the global public key file and the mobile user file according to the IP address and key exchange port information of the VPN gateway.

3. The VPN data security access method according to claim 2, characterized in that the global public key file is used to establish a secure channel between the current VPN gateway and other VPN gateways, and the mobile user file is used to establish a secure channel between the current VPN gateway and a desired VPN gateway.

4. The VPN data security access method according to claim 1, characterized in that generating users according to the user authentication domain specifically comprises: creating a user in the authentication domain, adding a user name and user password information, generating the user, creating a role name according to the nature of the user, and assigning the IP address used by the user according to the role name.

5. The VPN data security access method according to claim 4, characterized in that assigning the IP address used by each user according to the role comprises: configuring a VPN gateway tunnel IP address pool according to the access tunnel of the user's VPN network, and assigning the IP addresses in the IP address pool to the roles corresponding to the authentication domain.

6. The VPN data security access method according to claim 1, characterized in that after the user sends the connection request to the VPN gateway, the VPN gateway identifies and authenticates the user, and the access tunnel of the remote user's VPN network is established after successful authentication.

7. The VPN data security access method according to claim 6, characterized in that the specific steps of establishing the access tunnel of the remote user's VPN network comprise: controlling and filtering the user's access, the filtered content being the source and destination IP addresses, destination port number and connection protocol of the user's access information.

8. The VPN data security access method according to claim 7, characterized in that the filtered user accesses the authorized authentication domain according to its role and assigned IP address range, and is automatically added to that authentication domain.

9. The VPN data security access method according to claim 6, characterized in that the access tunnel is a many-to-many transmission tunnel established between source addresses and destination addresses through the VPN gateway.

10. The VPN data security access method according to claim 9, characterized in that when data in the transmission tunnel is transmitted, the transmission data of the tunnel is encapsulated, the encapsulation comprising VPN encapsulation of the transmission data followed by IP encapsulation of the VPN-encapsulated transmission data.
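The role-based filtering that the description and claims 5, 7 and 8 lay out (a tunnel IP address pool split into per-role ranges, each role authorized for certain application domains, and every tunnel packet filtered on source IP, destination IP, destination port and protocol) can be modelled in a few dozen lines. The Python below is an added illustrative example; it is not code from this patent or from the NetEye product it names, and the gateway class, role and domain names, address ranges and sample packets are all constructed for the example.

```python
"""Role-based access control for VPN users behind a gateway firewall.

Added illustrative example, not code from patent CN115174258A or from the
NetEye product it names. It models the scheme of the description and claims
5, 7 and 8: the gateway tunnel IP address pool is carved into per-role
ranges, each role is authorized for a set of application domains, and every
packet leaving the tunnel is filtered on source IP, destination IP,
destination port and protocol with default deny. All addresses, roles,
domains and packets below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, Iterator, Optional, Tuple


@dataclass(frozen=True)
class AppDomain:
    """An application domain (OA, production, marketing ...) and the services it exposes."""
    name: str
    network: IPv4Network
    services: FrozenSet[Tuple[str, int]]   # allowed (protocol, destination port) pairs


@dataclass(frozen=True)
class Role:
    """A user role: its slice of the tunnel pool and the domains it may reach."""
    name: str
    pool: IPv4Network
    domains: FrozenSet[str]


class Gateway:
    """Tunnel address assignment plus the firewall policy applied to tunnel traffic."""

    def __init__(self, tunnel_pool: str) -> None:
        self.tunnel_pool = ip_network(tunnel_pool)
        self.domains: Dict[str, AppDomain] = {}
        self.roles: Dict[str, Role] = {}
        self._free_hosts: Dict[str, Iterator[IPv4Address]] = {}

    def add_domain(self, domain: AppDomain) -> None:
        self.domains[domain.name] = domain

    def add_role(self, role: Role) -> None:
        # Each role owns a disjoint slice of the pool, so a packet's source
        # address identifies its role unambiguously (claim 5).
        if not role.pool.subnet_of(self.tunnel_pool):
            raise ValueError(f"{role.pool} is outside tunnel pool {self.tunnel_pool}")
        for other in self.roles.values():
            if role.pool.overlaps(other.pool):
                raise ValueError(f"{role.pool} overlaps role {other.name}")
        unknown = role.domains - set(self.domains)
        if unknown:
            raise ValueError(f"role {role.name} references unknown domains {sorted(unknown)}")
        self.roles[role.name] = role
        self._free_hosts[role.name] = role.pool.hosts()

    def assign_address(self, role_name: str) -> IPv4Address:
        """Hand an authenticated user the next free tunnel address of its role."""
        return next(self._free_hosts[role_name])

    def role_for(self, src: IPv4Address) -> Optional[Role]:
        for role in self.roles.values():
            if src in role.pool:
                return role
        return None

    def permit(self, src: str, dst: str, proto: str, dport: int) -> Tuple[bool, str]:
        """Filter one packet on source/destination IP, protocol and destination port (claim 7)."""
        role = self.role_for(ip_address(src))
        if role is None:
            return False, f"deny: source {src} is not in any role pool"
        dst_ip = ip_address(dst)
        for name in role.domains:
            domain = self.domains[name]
            if dst_ip in domain.network:
                if (proto.lower(), dport) in domain.services:
                    return True, f"permit: role {role.name} -> domain {name} {proto}/{dport}"
                return False, f"deny: domain {name} does not expose {proto}/{dport}"
        return False, f"deny: role {role.name} is not authorized for {dst}"   # default deny (claim 8)


def build_demo_gateway() -> Gateway:
    """Constructed sample configuration (not taken from the patent)."""
    gw = Gateway("10.200.0.0/16")
    gw.add_domain(AppDomain("oa", ip_network("172.16.10.0/24"), frozenset({("tcp", 443)})))
    gw.add_domain(AppDomain("production", ip_network("172.16.20.0/24"),
                            frozenset({("tcp", 443), ("tcp", 8443)})))
    gw.add_domain(AppDomain("marketing", ip_network("172.16.30.0/24"), frozenset({("tcp", 443)})))
    gw.add_role(Role("marketing_staff", ip_network("10.200.1.0/24"), frozenset({"marketing"})))
    gw.add_role(Role("ops", ip_network("10.200.2.0/24"), frozenset({"oa", "production"})))
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    user_ip = str(gw.assign_address("marketing_staff"))      # first address of the role's range
    for pkt in [(user_ip, "172.16.30.10", "tcp", 443),       # own domain, exposed service
                (user_ip, "172.16.10.5", "tcp", 443),        # OA: not authorized for this role
                ("10.200.2.1", "172.16.20.7", "tcp", 22),    # authorized domain, unexposed service
                ("10.200.9.9", "172.16.30.10", "tcp", 443)]: # source outside every role pool
        print(pkt, gw.permit(*pkt))
```

Because the role is derived from the tunnel address the gateway itself handed out, a user cannot widen its authorization by choosing a different destination; the only way to reach another application domain is to be assigned to a role whose pool range is authorized for it, which is exactly the coupling between IP range, role and authorized domain that claim 8 describes.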
CN202210906434.2A 2022-07-29 2022-07-29 VPN data security access method Pending CN115174258A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210906434.2A CN115174258A (en) 2022-07-29 2022-07-29 VPN data security access method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210906434.2A CN115174258A (en) 2022-07-29 2022-07-29 VPN data security access method

Publications (1)

Publication Number Publication Date
CN115174258A true CN115174258A (en) 2022-10-11

Family

ID=83476546

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210906434.2A Pending CN115174258A (en) 2022-07-29 2022-07-29 VPN data security access method

Country Status (1)

Country Link
CN (1) CN115174258A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101179470A (en) * 2007-12-12 2008-05-14 胡祥义 Dual-protocol based VPN implementing method
CN113645115A (en) * 2020-04-27 2021-11-12 中国电信股份有限公司 Virtual private network access method and system
CN114070672A (en) * 2021-08-24 2022-02-18 阿里云计算有限公司 Method, device and system for realizing communication between VPN gateway and client

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
陶国庆 (Tao Guoqing): "Application of VPN Technology in Mobile Office Work in Power Systems" (VPN技术在电力系统移动办公中的应用), 电力信息化 (Electric Power Information Technology), no. 01, pages 54-57 *

Similar Documents

Publication Publication Date Title
CN112235235B (en) SDP authentication protocol implementation method based on cryptographic algorithm
CN114553568A (en) Resource access control method based on zero-trust single packet authentication and authorization
US9781114B2 (en) Computer security system
JP2023514736A (en) Method and system for secure communication
Frankel et al. Guide to IPsec VPNs:.
Oppliger Internet security: firewalls and beyond
US8201233B2 (en) Secure extended authentication bypass
US7188365B2 (en) Method and system for securely scanning network traffic
JP4558389B2 (en) Reduce network configuration complexity using transparent virtual private networks
US8607301B2 (en) Deploying group VPNS and security groups over an end-to-end enterprise network
CN101841525A (en) Secure access method, system and client
CN111935213B (en) Distributed trusted authentication-based virtual networking system and method
US20240195795A1 (en) Computer-implemented methods and systems for establishing and/or controlling network connectivity
CN112016073B (en) Construction method of server zero trust connection architecture
CN117834218A (en) A unified identity authentication method and platform based on zero trust architecture
CN105591748B (en) A kind of authentication method and device
CN118427856A (en) Method for cross-network secure access to database
JP2011054182A (en) System and method for using digital batons, and firewall, device, and computer readable medium to authenticate message
CN115174258A (en) VPN data security access method
Markovic Data protection techniques, cryptographic protocols and pki systems in modern computer networks
CN107342999A (en) A kind of system and method based on agent protection certificate is strengthened
Tian et al. Network security and privacy architecture
Huang et al. The Research of VPN on WLAN
US20250240175A1 (en) Methods and systems for implementing secure communication channels between systems over a network
Ganguly Network and application security: fundamentals and practices

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20221011