请问什么是VPN问题
- 主题发起人 gbh198216
- 开始时间
badboy88
知名会员
- 注册
- 2004-07-05
- 消息
- 2,284
- 荣誉分数
- 134
- 声望点数
- 173
fyi
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data. Companies today are looking at using a private virtual network for both extranets and wide-area intranets.
This document describes three important VPN technologies: trusted VPNs, secure VPNs, and hybrid VPNs. It is important to note that secure VPNs and trusted VPNs are not technically related, and can co-exist in a single service package.
Before the Internet became nearly-universal, a virtual private network consisted of one or more circuits leased from a communications provider. Each leased circuit acted like a single wire in a network that was controlled by customer. The communications vendor would sometimes also help manage the customer's network, but the basic idea was that a customer could use these leased circuits in the same way that they used physical cables in their local network.
The privacy afforded by these legacy VPNs was only that the communications provider assured the customer that no one else would use the same circuit. This allowed customers to have their own IP addressing and their own security policies. A leased circuit ran through one or more communications switches, any of which could be compromised by someone wanting to observe the network traffic. The VPN customer trusted the VPN provider to maintain the integrity of the circuits and to use the best available business practices to avoid snooping of the network traffic. Thus, these are called trusted VPNs.
As the Internet became more popular as a corporate communications medium, security became much more of a pressing issue for both customers and providers. Seeing that trusted VPNs offered no real security, vendors started to create protocols that would allow traffic to be encrypted at the edge of one network or at the originating computer, moved over the Internet like any other data, and then decrypted when it reached the corporate network or a receiving computer. This encrypted traffic acts like it is in a tunnel between the two networks: even if an attacker can see the traffic, they cannot read it, and they cannot change the traffic without the changes being seen by the receiving party and therefore rejected. Networks that are constructed using encryption are called secure VPNs.
More recently, service providers have begun to offer a new type of trusted VPNs, this time using the Internet instead of the raw telephone system as the substrate for communications. These new trusted VPNs still do not offer security, but they give customers a way to easily create network segments for wide area networks (WANs). In addition, trusted VPN segments can be controlled from a single place, and often come with guaranteed quality-of-service (QoS) from the provider.
A secure VPN can be run as part of a trusted VPN, creating a third type of VPN that is very new on the market: hybrid VPNs. The secure parts of a hybrid VPN might be controlled by the customer (such as by using secure VPN equipment on their sites) or by the same provider that provides the trusted part of the hybrid VPN. Sometimes an entire hybrid VPN is secured with the secure VPN, but more commonly, only a part of a hybrid VPN is secure.
3. Usage scenarios for secure VPNs and trusted VPNs
The main reason that companies use secure VPNs is so that they can transmit sensitive information over the Internet without needing to worry about who might see it. Everything that goes over a secure VPN is encrypted to such a level that even if someone captured a copy of the traffic, they could not read the traffic even if they used hundreds of millions of dollars worth of computers. Further, using a secure VPN allows the company to know that an attacker cannot alter the contents of their transmissions, such as by changing the value of financial transactions.
Companies who use trusted VPNs do so because they want to know that their data is moving over a set of paths that has specified properties and is controlled by one ISP or a trusted confederation of ISPs. This allows the customer to use their own private IP addressing schemes, and possibly to handle their own routing. The customer trusts that the paths will be maintained according to an agreement, and that people whom the customer does not trust (such as an attacker) cannot either change the paths of any part of the VPN or insert traffic on the VPN. Note that it is usually impossible for a customer to know the paths used by trusted VPNs, or even to validate that a trusted VPN is in place; they must trust their provider completely.
It is clear that secure VPNs and trusted VPNs have very different properties. Secure VPNs provide security but no assurance of paths. Trusted VPNs provide assurance of properties of paths such as QoS, but no security from snooping or alternation. Because of these strengths and weaknesses, hybrid VPNs have started to appear, although the list of scenarios where they are desired is still evolving. A typical situation for hybrid VPN deployment is when a company already has a trusted VPN in place and some parts of the company also need security over part of the VPN. Fortunately, none of the common trusted VPN technologies prevent the creation of hybrid VPNs, and some manufacturers are creating systems that explicitly support the creation of hybrid VPN services.
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data. Companies today are looking at using a private virtual network for both extranets and wide-area intranets.
This document describes three important VPN technologies: trusted VPNs, secure VPNs, and hybrid VPNs. It is important to note that secure VPNs and trusted VPNs are not technically related, and can co-exist in a single service package.
Before the Internet became nearly-universal, a virtual private network consisted of one or more circuits leased from a communications provider. Each leased circuit acted like a single wire in a network that was controlled by customer. The communications vendor would sometimes also help manage the customer's network, but the basic idea was that a customer could use these leased circuits in the same way that they used physical cables in their local network.
The privacy afforded by these legacy VPNs was only that the communications provider assured the customer that no one else would use the same circuit. This allowed customers to have their own IP addressing and their own security policies. A leased circuit ran through one or more communications switches, any of which could be compromised by someone wanting to observe the network traffic. The VPN customer trusted the VPN provider to maintain the integrity of the circuits and to use the best available business practices to avoid snooping of the network traffic. Thus, these are called trusted VPNs.
As the Internet became more popular as a corporate communications medium, security became much more of a pressing issue for both customers and providers. Seeing that trusted VPNs offered no real security, vendors started to create protocols that would allow traffic to be encrypted at the edge of one network or at the originating computer, moved over the Internet like any other data, and then decrypted when it reached the corporate network or a receiving computer. This encrypted traffic acts like it is in a tunnel between the two networks: even if an attacker can see the traffic, they cannot read it, and they cannot change the traffic without the changes being seen by the receiving party and therefore rejected. Networks that are constructed using encryption are called secure VPNs.
More recently, service providers have begun to offer a new type of trusted VPNs, this time using the Internet instead of the raw telephone system as the substrate for communications. These new trusted VPNs still do not offer security, but they give customers a way to easily create network segments for wide area networks (WANs). In addition, trusted VPN segments can be controlled from a single place, and often come with guaranteed quality-of-service (QoS) from the provider.
A secure VPN can be run as part of a trusted VPN, creating a third type of VPN that is very new on the market: hybrid VPNs. The secure parts of a hybrid VPN might be controlled by the customer (such as by using secure VPN equipment on their sites) or by the same provider that provides the trusted part of the hybrid VPN. Sometimes an entire hybrid VPN is secured with the secure VPN, but more commonly, only a part of a hybrid VPN is secure.
3. Usage scenarios for secure VPNs and trusted VPNs
The main reason that companies use secure VPNs is so that they can transmit sensitive information over the Internet without needing to worry about who might see it. Everything that goes over a secure VPN is encrypted to such a level that even if someone captured a copy of the traffic, they could not read the traffic even if they used hundreds of millions of dollars worth of computers. Further, using a secure VPN allows the company to know that an attacker cannot alter the contents of their transmissions, such as by changing the value of financial transactions.
Companies who use trusted VPNs do so because they want to know that their data is moving over a set of paths that has specified properties and is controlled by one ISP or a trusted confederation of ISPs. This allows the customer to use their own private IP addressing schemes, and possibly to handle their own routing. The customer trusts that the paths will be maintained according to an agreement, and that people whom the customer does not trust (such as an attacker) cannot either change the paths of any part of the VPN or insert traffic on the VPN. Note that it is usually impossible for a customer to know the paths used by trusted VPNs, or even to validate that a trusted VPN is in place; they must trust their provider completely.
It is clear that secure VPNs and trusted VPNs have very different properties. Secure VPNs provide security but no assurance of paths. Trusted VPNs provide assurance of properties of paths such as QoS, but no security from snooping or alternation. Because of these strengths and weaknesses, hybrid VPNs have started to appear, although the list of scenarios where they are desired is still evolving. A typical situation for hybrid VPN deployment is when a company already has a trusted VPN in place and some parts of the company also need security over part of the VPN. Fortunately, none of the common trusted VPN technologies prevent the creation of hybrid VPNs, and some manufacturers are creating systems that explicitly support the creation of hybrid VPN services.
