Remote access technology for the enterprise information system via a virtual private network (VPN) and the regulation of certification

Table of contents: The Kazakh-American Free University Academic Journal №4 - 2012

Authors:
Zhantassova Zheniskul, East Kazakhstan State University in honor of S. Amanzholov, Kazakhstan
Sizdikpayeva Aigul, East Kazakhstan State University in honor of S. Amanzholov, Kazakhstan
Bulatova Zhamilya, East Kazakhstan State University in honor of S. Amanzholov, Kazakhstan

The information system of a modern enterprise has developed into a client-server architecture that supplies the necessary information to different categories of users. Such a system not only collects, updates and delivers the information needed for its work, but also involves the user in various technologies for working with information and establishes standards of behaviour on the network, making the user an active participant in the system. In return for complying with the mandatory requirements of a secure network connection, the user is guaranteed the confidentiality and integrity of the information dedicated to them.

Previously, secure data transmission required a dedicated line linking two points, and the cost of organising such lines is quite high. A VPN gives users a secure way to access the corporate network through the Internet or other public or private networks without the need for a dedicated line. Usually a VPN (Virtual Private Network) is deployed at layers no higher than the network layer, since applying cryptography at these layers allows the transport protocols to be used unchanged. With a suitable implementation and the use of special VPN software, the network can provide a high level of encryption of the information. When all of its components are properly configured, VPN technology provides anonymity on the web. In recent years VPN technology has been used not only to build one's own private network but also by some providers to deliver Internet access.

A VPN consists of two parts: the "internal" (controlled) network, of which there may be several, and the "external" network over which the encapsulated connections pass (usually the Internet). A single computer can also be connected to a virtual network. A remote user connects to the VPN through an access server that is attached to both the internal and the external (public) network. When a remote user (or another secure network) connects, the access server requires it to pass identification and then authentication. After both succeed, the remote user (or remote system) is authorised to work on the network; this is the authorisation process.

A VPN can serve the following applications:

• Virtual private network between organizations;

• The mobile user;

• SOHO users.


Picture 1 - VPN users and deployment methods

For SMB / SOHO users (Small Business / Small Office / Home Office):

• Cost-effectiveness

• A complete solution for commercial use

For remote users:

• Integrated security solution

• No need for additional software

• Easy configuration

For corporate users:

• Cost-effective solution for remote users and branch offices

• Compatible with the solutions of most virtual private network vendors.

At present virtual private networks are recommended for managing the quality of communication services and improving service to their users. To reach the general population and public organisations, the public PKI AIC together with JSC "National Information Technologies" created the National Certification Authority (NCA). The connection of Registration Authority (RA) users to the NCA is secured through a VPN.

At the end of 2009 "Kazakhtelecom", together with Cisco and AMT Group, announced the launch into operation of an IP NGN optical network built on Cisco solutions. This solution makes it possible to offer new services to businesses and demanding home users: high-speed Internet access with integrated voice, video and data services, virtual private networks (VPN) for corporate users, and virtual video conferencing using Cisco TelePresence technology. In accordance with the Strategic Plan of the Ministry of Communications and Information for 2011-2015, one of the direct performance indicators of the budget programme is the number of facilities to be provided with a VPN network (2010: 941; 2014: 1500).

The importance of the certification procedure should be noted: the certificate is the proof that a remote user may access the virtual network. A certificate issued by a certificate authority meets the quality standards for establishing identity, encrypting messages and performing other security-related actions on the network. The regulation of remote access through the certification process covers the issuance of the certificate by the company's CA, the access procedure, and the re-issue and revocation of certificates. Software support for remote access is provided by the special program VPNClient-v.5.0.07.0290; the supporting environment is OS NT 4.0 SP4 or higher, Internet Explorer and archiving tools. Cryptographic support is provided by RSA and AES, with SHA-1 hashing.

Let us consider this access regulation in more detail. The process of issuing certificates by the issuing CA consists of the following steps:

1. A certificate for connecting to the corporate network is issued on the basis of an office memo. The memo states the reason for granting access and the network resources or services that will be used.

2. To issue a certificate to an employee, the memo must pass agreement and approval:

- Signature of the employee requesting the certificate for access

- Signature of the immediate supervisor of the employee who requested the certificate

- Signature on behalf of the company

3. To issue a certificate to an employee of a third party, a formal security clearance from the company is required. Only on the basis of this document may a memo for granting remote access be drawn up. The memo must then pass the agreement and approval described in paragraph 2.

4. After the office memo has been agreed and approved, a company employee forms a request to the issuing CA for a certificate to connect to the network. Depending on the task, certificates may be issued for a period of:

- 1 year

- 1 month

- 1 week

The validity period of the certificate is specified when the office memo is agreed.

5. On the basis of the approved office memo, the employee responsible for the issuing CA approves the certificate request. If the employee who requested the certificate has an account in the domain, the person responsible for the domain adds that account to the «VPNUsers» group for additional authentication when connecting to the network. If the employee has no account, one is created and likewise added to the group.

6. The employee archives the certificates, protecting the archive with an access password:

- The user's connection certificate (password-protected)

- The root (public) certificate of the issuing CA

- The user manual

7. On the basis of the agreed and approved office memo, the company employee handing over the archive gives the responsible person, the one who requested the certificate for access, an explanation, and then hands over the certificate archive and its password. Based on the issued certificate, we now describe the process by which the remote user enters the enterprise network. The remote user must have:

- Connecting to the Internet;

- Installed software such as «VPN Client»;

- The root certificate with a public key;

- Personal certificate with a private key;

- Username and password for authentication.

The remote user then:

1. Establishes a stable connection to the Internet.

2. Using the pre-configured software, connects to the authentication hardware.

3. The authentication hardware checks:

3.1. That the certificate is signed by the issuing CA;

3.2. Whether the user certificate is current;

3.3. Whether the user certificate has been revoked.

Picture 2 - Regulation of remote access to the corporate network

The authentication hardware then requests a login and password from the remote user, who enters the username and password known to him.

4. The authentication hardware checks:

4.1. Whether the login and password are valid

4.2. Whether the user account is active

4.3. Whether the account is in the «VPNUsers» group

5. A stable connection is then established between the remote user and the corporate enterprise network via the Internet, and for the duration of the session the remote user is assigned an IP address.
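The certificate phase of this procedure (checks 3.1 to 3.3), as an added example that is not code from the paper or from the VPN product it describes: the access server verifies that the client certificate chains to the issuing CA, is within its validity period at the time of the connection, and is not on the revoked serials the CA administrator maintains in the CRL. The issuing CA, the one-month client certificate and the revoked serial are all constructed here for the example; the login, account and group checks of step 4 are plain directory lookups that follow only after this phase passes and are not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCertificate is the access server's certificate phase (steps 3.1-3.3). Only after it
// passes is the login prompt of step 4 shown to the remote user.
func CheckCertificate(roots *x509.CertPool, revoked map[string]bool, cert *x509.Certificate, now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { // 3.1 signed by the issuing CA, 3.2 valid at this time
		return fmt.Errorf("certificate rejected: %w", err)
	}
	if revoked[cert.SerialNumber.String()] { // 3.3 serial listed on the CA's revocation list
		return fmt.Errorf("certificate %s has been revoked", cert.SerialNumber)
	}
	return nil
}

// IssuePKI builds a throwaway issuing CA and a client certificate valid for the given period; the CA
// outlives the client certificate by an hour on each side. Constructed input for this example only.
func IssuePKI(notBefore, notAfter time.Time) (*x509.CertPool, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader) // the user's private key stays on the user's side
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Issuing CA"},
		NotBefore: notBefore.Add(-time.Hour), NotAfter: notAfter.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := mustCert(caTmpl, caTmpl, caPub, caKey) // self-signed root of the issuing CA
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "remote user"},
		NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, mustCert(userTmpl, ca, userPub, caKey)
}

// mustCert signs tmpl with the signer's key and parses the result; the fixture panics on failure.
func mustCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced by CreateCertificate always parses
	return cert
}
```

The same function rejects a certificate issued by a different CA, one presented outside its validity period, and one whose serial the administrator has added to the revoked set.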

To re-issue a remote user's certificate when the issued certificate for connecting to the enterprise network expires, the user submits a memo as in the "Process of obtaining certificates from the issuing CA".

The certificate may be revoked in the following cases:

1. Dismissal or transfer of the employee who requested the certificate

2. A compromise of the certificate recorded by an authorised officer of the company. If there is an active session, it is disconnected. A memo stating the facts of the compromise is then prepared for the head of the company.

3. A request from the head of the employee who requested the certificate.

4. Arrival of the termination date specified in the memo on the issue of the certificate by the issuing CA.

When a certificate is revoked, the authorised employee responsible for the issuing CA must manually update the certificate revocation lists and report to the authorised person responsible for the connection equipment; if necessary, the remote user's account is blocked. The authorised person responsible for the connection device must then check the CRLs to prevent unauthorised access.

Known protocols for building a VPN tunnel:

• PPTP;

• L2TP;

• IPSec;

• SSL.

Within this group of protocols, the IPSec (IP Security) family is of particular interest: a set of protocols that address the protection of data transported in IP packets. An IPSec VPN is best suited to connecting the networks of different offices over the Internet, and a VPN connection can be established with the IPSec protocol. IPSec also includes protocols for secure key exchange over the Internet. IPSec protocols operate at the network layer (layer 3 of the OSI model). The Internet Protocol (IP) itself has no means of protecting data; it cannot even guarantee that the sender is who it claims to be. IPSec is an attempt to correct this situation. With IPSec, all traffic can be protected before transmission over the network, and the recipient can trace the source of a packet and verify the integrity of its data.

Thus, the combination of tunnelling and encryption makes possible such an important protection mechanism today as the virtual private network. Such networks, usually overlaid on the Internet, are much cheaper and safer than a company's own corporate network built on dedicated channels. Modern protocols that support classes of service will help a virtual private network guarantee defined bandwidth and latency, thereby eliminating the advantage of dedicated networks.



