虚拟专用网毕业论文外文翻译.doc
附录:英文技术资料翻译英文原文:Solutions, such as the various encryption methods and PKI, enable businesses to securely extend their networks through the Internet. One way in which businesses accomplish this extension is through Virtual Private Networks (VPNs).A VPN is a private network that is created via tunneling over a public network, usually the Internet. Instead of using a dedicated physical connection, a VPN uses virtual connections routed through the Internet from the organization to the remote site. The first VPNs were strictly IP tunnels that did not include authentication or encryption of the data. For example, Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of Network Layer protocol packet types inside IP tunnels. This creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Other examples of VPNs that do not automatically include security measures are Frame Relay, ATM PVCs, and MultIProtocol Label Switching (MPLS) networks. A VPN is a communications environment in which access is strictly controlled to permit peer connections within a defined community of interest. Confidentiality is achieved by encrypting the traffic within the VPN. Today, a secure implementation of VPN with encryption is what is generally equated with the concept of virtual private networking.VPNs have many benefits:l Cost savings - VPNs enable organizations to use cost-effective, third-party Internet transport to connect remote offices and remote users to the main corporate site. VPNs eliminate expensive dedicated WAN links and modem banks. Additionally, with the advent of cost-effective, high-bandwidth technologies, such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.l Security - VPNs provide the highest level of security by using advanced encryption and authentication protocols that protect data from unauthorized access.l Scalability - VPNs enable corporations to use the Internet infrastructure that is within Internet service providers (ISPs) and devices. This makes it easy to add new users, so that corporations can add significant capacity without adding significant infrastructure.l Compatibility with broadband technology - VPNs allow mobile workers, telecommuters, and people who want to extend their workday to take advantage of high-speed, broadband connectivity to gain access to their corporate networks, providing workers significant flexibility and efficiency. High-speed broadband connections provide a cost-effective solution for connecting remote offices.In the simplest sense, a VPN connects two endpoints over a public network to form a logical connection. The logical connections can be made at either Layer 2 or Layer 3 of the OSI model. VPN technologies can be classified broadly on these logical connection models as Layer 2 VPNs or Layer 3 VPNs. Establishing connectivity between sites over a Layer 2 or Layer 3 VPN is the same. A delivery header is added in front of the payload to get it to the destination site. This chapter focuses on Layer 3 VPN technology.Common examples of Layer 3 VPNs are GRE, MPLS, and IPSec. Layer 3 VPNs can be point-to-point site connections such as GRE and IPSec, or they can establish any-to-any connectivity to many sites using MPLS.Generic routing encapsulation (GRE) was originally developed by Cisco and later standardized as RFC 1701. An IP delivery header for GRE is defined in RFC 1702. A GRE tunnel between two sites that have IP reachability can be described as a VPN, because the private data between the sites is encapsulated in a GRE delivery header.Pioneered by Cisco, MPLS was originally known as tag switching and later standardized via the IETF as MPLS. Service providers are increasingly deploying MPLS to offer MPLS VPN services to customers. MPLS VPNs use labels to encapsulate the original data, or payload, to form a VPN.How does a network administrator prevent eavesdropping of data in a VPN? Encrypting the data is one way to protect it. Data encryption is achieved by deploying encryption devices at each site. IPSec is a suite of protocols developed with the backing of the IETF to achieve secure services over IP packet-switched networks. The Internet is the most ubiquitous packet-switched public network; therefore, an IPSec VPN deployed over the public Internet can provide significant cost savings to a corporation as compared to a leased-line VPN.IPSec services allow for authentication, integrity, access control, and confidentiality. With IPSec, the information exchanged between remote sites can be encrypted and verified. Both remote-access and site-to-site VPNs can be deployed using IPSec. There are two basic types of VPN networks:Site-to-siteRemote-accessA site-to-site VPN is created when connection devices on both sides of the VPN connection are aware of the VPN configuration in advance. The VPN remains static, and internal hosts have no knowledge that a VPN exists. Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled. Consider a telecommuter who needs VPN access to corporate data over the Internet. The telecommuter does not necessarily have the VPN connection set up at all times. The telecommuter's PC is responsible for establishing the VPN. The information required to establish the VPN connection, such as the IP address of the telecommuter, changes dynamically depending on the location of the telecommuter.A site-to-site VPN is an extension of a classic WAN network. Site-to-site VPNs connect entire networks to each other, for example, they can connect a branch office network to a company headquarters network. In the past, a leased line or Frame Relay connection was required to connect sites, but because most corporations now have Internet access, these connections can be replaced with site-to-site VPNs.Site-to-site VPNIn a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco ASA 5500 Series Adaptive Security Appliance. The VPN gateway is responsible for encapsulating and encrypting outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receIPt, the peer VPN gateway strIPs the headers, decrypts the content, and relays the packet toward the target host inside its private network.Remote-Access VPNRemote-access VPNs are an evolution of circuit-switching networks, such as plain old telephone service (POTS) or ISDN. Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic. Remote-access VPNs support a client / server architecture where a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge.In the past, corporations supported remote users by using dial-in networks and ISDN. With the advent of VPNs, a mobile user simply needs access to the Internet to communicate with the central office. In the case of telecommuters, their Internet connectivity is typically a broadband connection.In a remote-access VPN, each host typically has Cisco VPN client software. Whenever the host tries to send traffic intended for the VPN, the Cisco VPN Client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receIPt, the VPN gateway behaves as it does for site-to-site VPNs.An emerging remote-access technology is Cisco IOS SSL VPN. This technology provides remote-access connectivity from almost any Internet-enabled host using a web browser and its native Secure Sockets Layer (SSL) encryption. SSL VPNs allow users to access web pages and services, including the ability to access files, send and receive email, and run TCP-based applications without IPSec VPN Client software. They provide the flexibility to support secure access for all users, regardless of the host from which they establish a connection. This flexibility enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled host.SSL VPN currently delivers two modes of access: clientless and thin client. With clientless SSL VPN, a remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN. In a thin client SSL VPN environment, a remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported in a thin client environment.SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops. SSL VPNs are not a complete replacement for IPSec VPNs. IPSec VPNs allow secure access to all of an organization's client/server applications. Additionally, SSL VPNs do not support the same level of cryptographic security that IPSec VPNs support. While SSL VPNs cannot replace IPSec VPNs, in many cases, they are complementary because they solve different problems. This complementary approach allows a single device to address all remote-access user requirements.The primary benefit of SSL VPNs is that they are compatible with Dynamic MultIPoint VPNs (DMVPNs), Cisco IOS Firewalls, IPSec, intrusion prevention systems (IPSs), Cisco Easy VPN, and Network Address Translation (NAT).中文译文:解决方案,如各种加密方法和PKI,使企业能够安全地通过互联网扩展其网络,实现这一企业网络扩展的方式之一就是通过虚拟专用网。VPN通常是通过公共网络建立隧道的专用网络,VPN不是使用专用的物理连接,而是使用一个虚拟链路通过互联网实现远程站点到本地网络的连接,起初VPN的IP隧道中并不包含对身份验证和加密数据的服务,例如,思科公司开发的通用路由封装隧道协议,可以封装一个网络层协议在IP隧道内的各种数据包类型。远程站点可以通过创建一个虚拟的点对点链路进入到内部网络。另外一些例子,比如一些不会自动采取安全措施的协议,帧中继,ATM虚拟链路和多协议标签交换网络。VPN是一种严格访问控制权限的通信环境,加密数据在虚拟专用网内进行传输。今天,执行安全VPN加密通常就是等同于与虚拟专用网的概念。虚拟专用网有许多好处:l 节约成本:虚拟专用网使企业能够降通过第三方互联网传输进行远程办公用户和企业总部之间连接的成本,虚拟专用网消除了昂贵的专用广域网连接和调制解调器器件,此外,随着成本的出现效益,高带宽的技术,如DSL,企业可以使用VPN连接,以减少成本,同时提高远程连接带宽,l 安全性 - VPN提供采用先进的加密和认证协议,以最高级别的安全机制保护数据免受未授权的访问。l 可扩展性 - 虚拟专用网络使企业能够利用互联网基础设施,与Internet服务提供商的设备建立通信,这十分方便的添加新用户,使公司与其他公司建立通信在不增加基础设施的前提下。l 兼容宽带技术 VPN允许移动员工,移动办公,员工可以在工作日以外时间通过VPN以高速的宽带连接来访问企业网络,这为工作人员提供了极好的灵活性和提高了工作效率,高速宽带连接提供了具有成本效益的远程办公室连接的解决方案简单的来讲,VPN通过公共网络实现两个端点的逻辑连接。逻辑连接可以建立在OSI模型的第2层和第3层。VPN技术大致可以分为第2层VPN或第3层逻辑VPN两种连接模型, 第2层或第3层VPN建立的是相同站点之间的连接,在数据包的头部增加了一个标识字段来使数据到达目的站点,本章的重点是第三层VPN技术。常见的VPN例子有GRE,MPLS,和IPSec。第3层VPN可以实现站点到站点直接的连接,如GRE和IPSec,或者通过MPLS建立多对多的站点连接。通用路由封装(GRE)最初是由思科创建的,后来作为RFC 1701规范。在RFC 1702中定义了GRE的一种IP头,两个站点之间的GRE隧道是提供IP可达作为VPN的描述,因为站点之间的私人数据被封装在一个GRE交付头。思科首创的MPLS最初被称为标签交换,后来通过了IETF标准化才被叫做MPLS。服务供应商正越来越多地部署MPLS技术的MPLS VPN服务提供给客户,MPLS VPN的使用标签来封装原始数据,或有效载荷,形成一个VPN。网络管理员如何防止一个VPN数据窃听?数据加密是保护它的方法之一。数据加密是通过在每个站点部署加密设备。IPSec是一个在IETF的支持下开发的来实现对IP数据包安全交换的网络服务协议。互联网是最普遍的分组交换公用网络,因此,一个IPSec VPN通过公共互联网部署可以节约公司大量的成本与采用租用线的VPN网络相比。待添加的隐藏文字内容2IPSec允许服务认证,完整性,访问控制和保密性。通过IPSec远程站点之间交换的信息可以得到加密和验证。远程访问和站点到站点VPN都可以使用IPSec来部署。有两个基本类型的VPN网络:站点到站点远程访问一个站点到站点的VPN的被创建时,两端连接VPN的设备是提前知道VPN设置的。VPN是静态的,而内部主机是不知道VPN的存在的。帧中继,ATM,GRE和MPLS VPN 都是站点到站点的 VPN 的例子。远程接入VPN时创建的VPN信息不是静态设置,而是用于动态变化的信息,可以启用和禁用允许。考虑到远程办公的人需要通过VPN拨入访问企业数据在internet上。但没必要在任何时候都要有VPN连接.远程办公的PC负责建立VPN连接。在建立VPN连接的时候需要一些信息,比如,远程工作者的IP地址,根据远程工作的地址该成动态的。站点到站点的VPN一个站点到站点的VPN是一个典型的广域网络的扩展。站点到站点的VPN相互连接整个网络,例如,可以把一个分支办公室的网络连接到公司总部网络上。在过去,通过租用线路或帧中继连接需要连接的站点,但因为现在大多数企业有internet接入,这些连接可以被替换为站点到站点VPN在一个站点到站点VPN中,主机发送和接收正常的TCP/IP数据通过一个VPN网关,这个VPN网关可以是一个路由器,防火墙,思科的VPN连接器或者是一个思科的5500系列的安全模块。VPN网关负责封装和加密从一个特定的站点发送的出站通信数据,通过互联网上的VPN隧道到达目标站点的相同VPN网关上。收到数据后,目标站点的VPN网管检查数据头,解密内容,转发数据包到私有网络内的目标主机上。远程VPN拨入远程拨入VPN是一种扩展的电路交换网络,比如普通老式电话服务或者综合业务数字网。远程拨入VPN可以为有需要的远程办公者,移动用户和外部客户对企业数据的访问提供支持。当一个VPN客户端(远程主机)要求通过边缘网络上的一个VPN服务器设备安全地访问企业网络时,远程拨入VPN可以提供支持。在过去,公司为远程用户提供支持通过拨号网络和ISDN.随着VPN的到来,移动用户与中央办公室进行交流只需要访问互联网.在远程情况下,他们的互联网连接通常是一个宽带连接。在远程接入VPN时,每个主机通常有思科的VPN客户端软件。当主机尝试发送VPN数据时,思科的VPN客户端软件用于数据封装和加密,然后递交给因特网上的目标网络边缘上的VPN网关。目标VPN网关收到数据后,把它作为一个站点到站点的VPN来处理。一个新兴的远程接入技术是思科IOS的SSL VPN。这项技术几乎为所有的互联网远程访问连接功能的主机提供了使用Web浏览器及其本地安全套接字层(SSL)加密。SSL VPN产品允许用户访问网页和服务,包括访问文件的能力,发送和接收电子邮件,并运行基于TCP无IPSec VPN客户端软件的应用。它们提供了灵活性,以支持所有用户的安全访问,无论从他们任意一台主机建立连接。这种灵活的方式使公司通过提供远程访问,让其安全的企业网络的授权用户可以从任何可上网的主机上连接到公司访问企业资源。目前提供的SSL VPN两种接入方式:客户端和瘦客户端,在客户端SSL VPN模式下,远程客户端只需要启用SSL的Web浏览器访问的HTTP或HTTPS,就可以访问到企业局域网的网络服务器,在瘦客户端模式下,远程客户端必须下载一个Java的TCP应用小程序,使用静态的端口号进行安全的连接,UDP协议不被支持在瘦客户端模式下。SSL VPN产品适合需要对每个应用程序或每个服务器的都进行访问控制的用户群,或从非接入企业的台式机。SSL VPN并不是一个完整的IPSec VPN的替代品,IPSec VPN允许安全地连接进入一个组织的所有客户端/服务器应用程序, 此外,SSL VPN产品并不像IPSec VPN一样支持同样级别的安全加密,SSL VPN并不能替代IPSec VPN,在许多情况下,它们是互补的,因为他们解决不同的问题,这种互补的方法实现在单个设备情况下解决所有远程访问用户的需求。SSL VPN的主要特点是兼容动态多点虚拟专用网,思科IOS防火墙,IPSec,入侵防御系统(IPS产品),思科的虚拟私人网络,和网络地址转换(NAT)。