Remote access technology to the enterprise information system via a virtual private network (VPN) and the regulation of certification
Table of contents: The Kazakh-American Free University Academic Journal №4 - 2012
Authors: Zhantassova Zheniskul, East Kazakhstan State University in honor of S. Amanzholov, Kazakhstan
Sizdikpayeva Aigul, East Kazakhstan State University in honor of S. Amanzholov, Kazakhstan
Bulatova Zhamilya, East Kazakhstan State University in honor of S. Amanzholov, Kazakhstan
The information system of a modern enterprise has developed into a client-server architecture that provides the necessary information to different categories of users. Such a system not only collects, updates and delivers the information users need for their work, but also involves the user in applying various technologies for working with information and develops standards of behaviour on the network, forming the user into an active subject of the system. In this case, instead of mandatory requirements for a secure network connection, the user is guaranteed the confidentiality and integrity of the information dedicated to him.
Previously, secure data transmission required a dedicated line linking two points, and the cost of organizing such lines is quite high. A VPN gives users a secure way to access the corporate network through the Internet or other public or private networks without the need for a dedicated line. Usually a VPN (Virtual Private Network) is deployed at layers no higher than the network layer, since cryptography applied at these layers leaves the transport protocols unchanged. With special VPN software implemented and used at the appropriate layer, the network can provide a high level of encryption of the information. When all the components of VPN technology are properly configured, it provides anonymity on the web. In recent years VPN technology has been used not only to create one's own private network but also by some providers for the provision of Internet access.
A VPN consists of two parts: the "internal" (controlled) network, of which there may be several, and the "external" network over which the encapsulated connections are formed (usually the Internet). A single computer can also be connected to the virtual network. A remote user connects to the VPN through an access server that is attached to both the internal and the external (public) network. When a remote user connects (or when another secure network connects), the access server requires the user to pass an identification process and then an authentication process. After successful completion of both processes, the remote user (remote system) is authorized to work on the network; this is the authorization process.
A VPN can be used for the following applications:
• a virtual private network between organizations;
• the mobile user;
• the SOHO user.
Picture 1 - VPN users and deployment methods
For SMB / SOHO users (Small Business / Small Office / Home Office):
• cost-effectiveness
• a complete solution for commercial use
For remote users:
• an integrated security solution
• no need for additional software
• easy configuration
For corporate users:
• a cost-effective solution for remote users and branch offices
• compatibility with the solutions of the majority of virtual private network vendors.
At present, virtual private networks are recommended for managing the quality of communication services and improving service to users of communications services. In order to reach the general population and public organizations, the public PKI AIC together with JSC "National Information Technologies" created the National Certification Authority (NCA). The connection between the Registration Authority (RA) serving users and the NCA is secured through a VPN.
At the end of 2009 "Kazakhtelecom", together with Cisco and AMT Group, announced the launch into operation of an IP-NGN-based optical networking solution from Cisco. This solution makes it possible to provide new services to businesses and demanding home users. These services range from high-speed Internet access with integrated voice, video and data services and virtual private networks (VPN) for corporate users to virtual video conferencing using Cisco TelePresence technology. In accordance with the Strategic Plan of the Ministry of Communications and Information for 2011-2015, the direct-result indicator of the budget program specifies the number of facilities to be provided with a VPN network (2010: 941; 2014: 1500).
The importance of the certification procedure should be noted, since it serves as proof of the remote user's right to access the virtual network. A certificate issued by a certification authority meets quality standards and is used to establish identity, encrypt messages and perform other security-related actions on the network. Regulation of remote access through the certification process covers the issuing of the certificate by the company's CA, the process of gaining access, and the re-issue and revocation of certificates. Computer support for remote access is provided through the special program VPNClient-v.5.0.07.0290; the supporting services are OS NT 4.0 SP4 or higher, Internet Explorer and archives. Cryptographic support is provided through RSA and AES with SHA-1 hashing.
Let us consider the regulation of this access in more detail. The process of issuing certificates by the issuing CA includes the following steps:
1. A certificate for connecting to the corporate network is issued on the basis of an office memo. The memo states the reason for providing access and the network resources or services that will be used.
2. To issue a certificate to an employee, the memo must pass agreement and approval:
- signature of the person requesting the certificate for access;
- signature of the immediate supervisor of the employee who requested the certificate for access;
- signature of the company.
3. To issue a certificate to an employee of a third party, a formal security clearance from the company is required. Only on the basis of this document may a memo be drawn up to provide remote access. After that, the memo must pass the agreement and approval referred to in paragraph 2.
4. After the office memo has been agreed and approved, an employee of the company forms a certificate request to connect to the network from the issuing CA. Depending on the task, certificates can be issued for a period of:
- 1 year
- 1 month
- 1 week
The validity period of the certificate is specified when the office memo is agreed.
5. On the basis of the approved office memo, the employee responsible for the issuing CA approves the certificate request. If the employee who requested the certificate has an account in the domain, the person responsible for the domain adds that domain account to the group «VPNUSers» for additional authentication when connecting to the network. If there is no account, one is created and likewise added to the group.
6. The employee packs the certificates into a password-protected archive containing:
- the user's certificate for connection (with a password)
- the root public certificate of the issuing CA
- the user manual
7. On the basis of the agreed and approved office memo, the employee of the enterprise responsible for handing over the archive briefs the person who requested the certificate for access on his responsibility, then passes on the certificate archive and the password for it.
On the basis of the issued certificate, we now describe the process by which the remote user enters the enterprise network. The remote user must have:
- a connection to the Internet;
- installed software such as «VPN Client»;
- the root certificate with the public key;
- a personal certificate with the private key;
- a username and password for authentication.
Then the remote user:
1. Establishes a stable connection to the Internet.
2. Using the pre-configured software, connects to the authentication hardware.
3. The authentication hardware checks:
3.1. that the certificate is signed by the issuing CA;
3.2. whether the user certificate is current;
3.3. whether the user certificate has been revoked.
Picture 2 - Regulation of remote access to the corporate network
The authentication hardware then requests the login and password from the remote user. The remote user enters the name and password known to him.
4. The authentication hardware checks:
4.1. whether the login and password are valid;
4.2. whether the user account is active;
4.3. whether the account is in the group «VPNUSers».
5. A stable connection is then established between the remote user and the corporate enterprise network via the Internet, and the remote user is assigned an IP address for the duration of the session.
Re-issue: when the certificate issued for connecting to the enterprise network expires, the remote user submits a memo in the same way as in the "Process of obtaining certificates from the issuing CA".
The certificate may be revoked in the following cases:
1. Dismissal or transfer of the employee who requested the certificate.
2. A confirmed compromise of the certificate, established by an authorized officer of the company. If there is an active session, the session is disconnected. A memo is then prepared for the head of the company stating the facts of the compromise.
3. A request from the supervisor of the employee who requested the certificate to disable the certificate.
4. The termination date specified in the memo on the issue of the certificate by the issuing CA is reached.
In case of revocation of an issued certificate, the authorized employee responsible for issuing CA certificates must manually update the certificate revocation list and report to the authorized person responsible for the connection equipment; if necessary, the remote user's account is blocked. After that, the authorized person responsible for the connection device must check the CRL to prevent unauthorized access.
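The issuance step (a certificate whose validity period comes from the approved memo and a domain account in the «VPNUSers» group), the access-server checks 3.1-3.3 and 4.1-4.3 leading to the session address of step 5, and the manual CRL update after a revocation can all be exercised together. The Go program below is an added example written for this page, not code from the article or from any product it names; the CA name "Example Issuing CA", the account records, the plaintext sample password (a real directory stores a hash), the address pool and the binding of the certificate's common name to the typed login are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Account is a constructed stand-in for a domain account record.
type Account struct {
	Password string // plaintext only in this sample; a real directory stores a hash
	Enabled  bool
	Groups   []string
}

// Issue is step 4: a certificate whose validity (1 year, 1 month or 1 week) comes from the approved
// memo; with ca == nil it creates the self-signed issuing CA itself (hypothetical "Example Issuing CA").
func Issue(subject string, serial int64, validity time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca == nil { // no issuer given: make this the self-signed issuing CA, able to sign certs and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PublishCRL is the manual CRL update the CA operator performs after a revocation.
func PublishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked { // RevokedCertificates is the pre-Go 1.21 field name and still works on newer versions
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// AdmitRemoteUser runs the access server's checks in the order the text gives (3.1-3.3, then
// 4.1-4.3) and only then takes a session address from pool (step 5). Binding the certificate's
// common name to the typed login is this example's own addition, not a step from the text.
func AdmitRemoteUser(ca *x509.Certificate, crl *x509.RevocationList, cert *x509.Certificate,
	now time.Time, login, password string, dir map[string]Account, pool *[]string) (string, error) {
	revoked, inGroup := false, false
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(cert.SerialNumber) == 0
	}
	acct, known := dir[login] // zero-value Account when the login is unknown
	for _, g := range acct.Groups {
		inGroup = inGroup || g == "VPNUSers"
	}
	checks := []struct{ failed bool; msg string }{
		{cert.CheckSignatureFrom(ca) != nil, "3.1 certificate not signed by the issuing CA"},
		{now.Before(cert.NotBefore) || now.After(cert.NotAfter), "3.2 certificate outside its validity period"},
		{crl.CheckSignatureFrom(ca) != nil || revoked, "3.3 CRL not trusted or certificate revoked"},
		{!known || cert.Subject.CommonName != login || acct.Password != password, "4.1 login or password invalid"},
		{!acct.Enabled, "4.2 account disabled"},
		{!inGroup, "4.3 account not in group VPNUSers"},
		{len(*pool) == 0, "5 no free session address"},
	}
	for _, c := range checks {
		if c.failed {
			return "", errors.New(c.msg)
		}
	}
	ip := (*pool)[0]
	*pool = (*pool)[1:]
	return ip, nil
}

func main() {
	ca, caKey, _ := Issue("Example Issuing CA", 1, 5*365*24*time.Hour, nil, nil)
	cert, _, _ := Issue("alice", 1001, 7*24*time.Hour, ca, caKey) // constructed user, one-week validity
	crl, _ := PublishCRL(ca, caKey)                                 // nothing revoked yet
	dir := map[string]Account{"alice": {Password: "correct horse", Enabled: true, Groups: []string{"VPNUSers"}}}
	pool := []string{"10.20.0.10", "10.20.0.11"} // constructed session address pool
	fmt.Println(AdmitRemoteUser(ca, crl, cert, time.Now(), "alice", "correct horse", dir, &pool))
}
```

Run as-is, the program admits the constructed user and prints the assigned address. Passing a `now` past the certificate's NotAfter, adding the certificate's serial to PublishCRL, or removing «VPNUSers» from the account each makes AdmitRemoteUser fail at the numbered step the text describes, and a denied attempt never consumes a session address.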
Known protocols for building a VPN tunnel:
• PPTP;
• L2TP;
• IPSec;
• SSL.
Of particular interest in this group is the IPSec (IP Security) family, a set of protocols addressing data protection when transporting IP packets. An IPSec VPN is best suited for connecting the networks of different offices over the Internet. A VPN connection can be established with the IPSec protocol. IPSec also includes protocols for secure key exchange over the Internet. The IPSec protocols operate at the network layer (layer 3 of the OSI model). The Internet Protocol (IP) itself has no means of data protection: it cannot even guarantee that the sender is who he claims to be. IPSec is an attempt to correct this situation. With IPSec, all traffic can be protected before transmission over the network, and the recipient can trace the source of the packet and verify the integrity of the data.
Thus, the combination of tunneling and encryption makes possible such an important protective measure today as virtual private networks. Such networks, usually overlaid on the Internet, are much cheaper and safer than a corporate network built on dedicated channels. Modern protocols that support classes of service will help ensure a virtual private network a defined bandwidth and latency, thus eliminating the advantage of a company's own networks.