Appendix: Translation of English Technical Material
English original:
Solutions, such as the various encryption methods and PKI, enable businesses to securely extend their networks through the Internet. One way in which businesses accomplish this extension is through Virtual Private Networks (VPNs).
A VPN is a private network that is created via tunneling over a public network, usually the Internet. Instead of using a dedicated physical connection, a VPN uses virtual connections routed through the Internet from the organization to the remote site. The first VPNs were strictly IP tunnels that did not include authentication or encryption of the data. For example, Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that can encapsulate a wide variety of Network Layer protocol packet types inside IP tunnels. This creates a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. Other examples of VPNs that do not automatically include security measures are Frame Relay, ATM PVCs, and Multiprotocol Label Switching (MPLS) networks.
A VPN is a communications environment in which access is strictly controlled to permit peer connections within a defined community of interest. Confidentiality is achieved by encrypting the traffic within the VPN. Today, a secure implementation of VPN with encryption is what is generally equated with the concept of virtual private networking.
VPNs have many benefits:
Cost savings - VPNs enable organizations to use cost-effective, third-party Internet transport to connect remote offices and remote users to the main corporate site. VPNs eliminate expensive dedicated WAN links and modem banks. Additionally, with the advent of cost-effective, high-bandwidth technologies, such as DSL, organizations can use VPNs to reduce their connectivity costs while simultaneously increasing remote connection bandwidth.
Security - VPNs provide the highest level of security by using advanced encryption and authentication protocols that protect data from unauthorized access.
Scalability - VPNs enable corporations to use the Internet infrastructure that is within Internet service providers (ISPs) and devices. This makes it easy to add new users, so that corporations can add significant capacity without adding significant infrastructure.
Compatibility with broadband technology - VPNs allow mobile workers, telecommuters, and people who want to extend their workday to take advantage of high-speed, broadband connectivity to gain access to their corporate networks, providing workers significant flexibility and efficiency. High-speed broadband connections provide a cost-effective solution for connecting remote offices.
In the simplest sense, a VPN connects two endpoints over a public network to form a logical connection. The logical connections can be made at either Layer 2 or Layer 3 of the OSI model. VPN technologies can be classified broadly on these logical connection models as Layer 2 VPNs or Layer 3 VPNs. Establishing connectivity between sites over a Layer 2 or Layer 3 VPN is the same. A delivery header is added in front of the payload to get it to the destination site. This chapter focuses on Layer 3 VPN technology.
Common examples of Layer 3 VPNs are GRE, MPLS, and IPSec. Layer 3 VPNs can be point-to-point site connections such as GRE and IPSec, or they can establish any-to-any connectivity to many sites using MPLS.
Generic routing encapsulation (GRE) was originally developed by Cisco and later standardized as RFC 1701. An IP delivery header for GRE is defined in RFC 1702. A GRE tunnel between two sites that have IP reachability can be described as a VPN, because the private data between the sites is encapsulated in a GRE delivery header.
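As an added illustration that is not part of the original text, the following Python builds and parses the GRE-over-IP framing of RFC 1701/1702 described above; the tunnel endpoints, inner addresses and payload are constructed samples. Because the GRE delivery header adds no encryption, the decapsulated inner payload is exactly the bytes that were sent, which is why the text goes on to pair such tunnels with IPSec.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number carried in the RFC 1702 delivery header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options; checksum left zero (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Prepend the GRE delivery header: outer IPv4 (proto 47) plus the 4-byte GRE base header."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # no C/K/S flags, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner_packet))
    return outer + gre + inner_packet

def gre_decapsulate(packet):
    """Strip the delivery header; return (tunnel_src, tunnel_dst, protocol_type, inner_packet).
    Skips the optional checksum, key and sequence fields of RFC 1701; source routing (R) is rejected."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer header is not GRE (protocol 47)")
    tunnel_src, tunnel_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x4000:
        raise ValueError("GRE routing field present; not handled here")
    offset = ihl + 4
    offset += 4 if flags & 0x8000 else 0   # C: checksum + offset fields
    offset += 4 if flags & 0x2000 else 0   # K: key
    offset += 4 if flags & 0x1000 else 0   # S: sequence number
    return tunnel_src, tunnel_dst, ptype, packet[offset:]

def inner_payload_as_seen_in_transit(packet):
    """Return the inner packet's payload bytes as anyone on the transit path receives them."""
    _, _, ptype, inner = gre_decapsulate(packet)
    if ptype != ETHERTYPE_IPV4:
        return None
    return inner[(inner[0] & 0x0F) * 4:]

# Constructed sample: private-address packet (protocol 253, reserved for experiments) tunneled
# between two public endpoints taken from documentation address ranges.
SAMPLE_PLAINTEXT = b"branch ledger export (constructed sample)"
SAMPLE_INNER = ipv4_header("10.1.1.10", "10.2.2.20", 253, len(SAMPLE_PLAINTEXT)) + SAMPLE_PLAINTEXT
SAMPLE_TUNNELED = gre_encapsulate(SAMPLE_INNER, "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    src, dst, ptype, inner = gre_decapsulate(SAMPLE_TUNNELED)
    print(f"tunnel {src} -> {dst}, protocol type 0x{ptype:04x}, inner bytes {len(inner)}")
    print("payload readable without any key:", inner_payload_as_seen_in_transit(SAMPLE_TUNNELED))
```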
Pioneered by Cisco, MPLS was originally known as tag switching and later standardized via the IETF as MPLS. Service providers are increasingly deploying MPLS to offer MPLS VPN services to customers. MPLS VPNs use labels to encapsulate the original data, or payload, to form a VPN.
How does a network administrator prevent eavesdropping of data in a VPN? Encrypting the data is one way to protect it. Data encryption is achieved by deploying encryption devices at each site. IPSec is a suite of protocols developed with the backing of the IETF to achieve secure services over IP packet-switched networks. The Internet is the most ubiquitous packet-switched public network; therefore, an IPSec VPN deployed over the public Internet can provide significant cost savings to a corporation as compared to a leased-line VPN.
IPSec services allow for authentication, integrity, access control, and confidentiality. With IPSec, the information exchanged between remote sites can be encrypted and verified. Both remote-access and site-to-site VPNs can be deployed using IPSec.
There are two basic types of VPN networks:
Site-to-site
Remote-access
A site-to-site VPN is created when connection devices on both sides of the VPN connection are aware of the VPN configuration in advance. The VPN remains static, and internal hosts have no knowledge that a VPN exists. Frame Relay, ATM, GRE, and MPLS VPNs are examples of site-to-site VPNs.
A remote-access VPN is created when VPN information is not statically set up, but instead allows for dynamically changing information and can be enabled and disabled. Consider a telecommuter who needs VPN access to corporate data over the Internet. The telecommuter does not necessarily have the VPN connection set up at all times. The telecommuter's PC is responsible for establishing the VPN. The information required to establish the VPN connection, such as the IP address of the telecommuter, changes dynamically depending on the location of the telecommuter.
A site-to-site VPN is an extension of a classic WAN network. Site-to-site VPNs connect entire networks to each other, for example, they can connect a branch office network to a company headquarters network. In the past, a leased line or Frame Relay connection was required to connect sites, but because most corporations now have Internet access, these connections can be replaced with site-to-site VPNs.
Site-to-site VPN
In a site-to-site VPN, hosts send and receive normal TCP/IP traffic through a VPN gateway, which can be a router, firewall, Cisco VPN Concentrator, or Cisco ASA 5500 Series Adaptive Security Appliance. The VPN gateway is responsible for encapsulating and encrypting outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. Upon receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
Remote-Access VPN
Remote-access VPNs are an evolution of circuit-switching networks, such as plain old telephone service (POTS) or ISDN. Remote-access VPNs can support the needs of telecommuters, mobile users, and extranet consumer-to-business traffic. Remote-access VPNs support a client/server architecture where a VPN client (remote host) requires secure access to the enterprise network via a VPN server device at the network edge.
In the past, corporations supported remote users by using dial-in networks and ISDN. With the advent of VPNs, a mobile user simply needs access to the Internet to communicate with the central office. In the case of telecommuters, their Internet connectivity is typically a broadband connection.
In a remote-access VPN, each host typically has Cisco VPN client software. Whenever the host tries to send traffic intended for the VPN, the Cisco VPN Client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. Upon receipt, the VPN gateway behaves as it does for site-to-site VPNs.
An emerging remote-access technology is Cisco IOS SSL VPN. This technology provides remote-access connectivity from almost any Internet-enabled host using a web browser and its native Secure Sockets Layer (SSL) encryption. SSL VPNs allow users to access web pages and services, including the ability to access files, send and receive email, and run TCP-based applications without IPSec VPN Client software. They provide the flexibility to support secure access for all users, regardless of the host from which they establish a connection. This flexibility enables companies to extend their secure enterprise networks to any authorized user by providing remote-access connectivity to corporate resources from any Internet-enabled host.
SSL VPN currently delivers two modes of access: clientless and thin client. With clientless SSL VPN, a remote client needs only an SSL-enabled web browser to access HTTP- or HTTPS-enabled web servers on the corporate LAN. In a thin client SSL VPN environment, a remote client must download a small, Java-based applet for secure access of TCP applications that use static port numbers. UDP is not supported in a thin client environment.
SSL VPNs are appropriate for user populations that require per-application or per-server access control, or access from non-enterprise-owned desktops. SSL VPNs are not a complete replacement for IPSec VPNs. IPSec VPNs allow secure access to all of an organization's client/server applications. Additionally, SSL VPNs do not support the same level of cryptographic security that IPSec VPNs support. While SSL VPNs cannot replace IPSec VPNs, in many cases they are complementary because they solve different problems. This complementary approach allows a single device to address all remote-access user requirements.
The primary benefit of SSL VPNs is that they are compatible with Dynamic Multipoint VPNs (DMVPNs), Cisco IOS Firewalls, IPSec, intrusion prevention systems (IPSs), Cisco Easy VPN, and Network Address Translation (NAT).
Chinese translation:
Solutions, such as the various encryption methods and PKI, enable businesses to securely extend their networks through the Internet; one of the ways businesses accomplish this extension is through virtual private networks.
A VPN is usually a private network established by tunneling over a public network. Instead of using a dedicated physical connection, a VPN uses a virtual link through the Internet to connect a remote site to the local network. The earliest VPN IP tunnels did not include authentication or data encryption services. For example, the Generic Routing Encapsulation tunneling protocol developed by Cisco can encapsulate a wide variety of Network Layer protocol packet types inside an IP tunnel. A remote site can enter the internal network by creating a virtual point-to-point link. Other examples, namely protocols that do not automatically take security measures, are Frame Relay, ATM virtual links, and Multiprotocol Label Switching networks.
A VPN is a communications environment in which access rights are strictly controlled, and encrypted data is transmitted within the VPN. Today, implementing VPN encryption securely is generally equated with the concept of virtual private networking.
VPNs have many benefits:
Cost savings - VPNs enable businesses to reduce the cost of connecting remote workers to corporate headquarters by transmitting over a third-party Internet; VPNs eliminate expensive dedicated WAN links and modem equipment. In addition, with the advent of cost-effective, high-bandwidth technologies such as DSL, businesses can use VPN connections to reduce cost while increasing remote connection bandwidth.
Security - VPNs use advanced encryption and authentication protocols to protect data from unauthorized access with the highest level of security.
Scalability - VPNs enable businesses to make use of the Internet infrastructure and establish communication with the equipment of Internet service providers. This makes it very easy to add new users, so that companies can establish communication with other companies without adding infrastructure.
Compatibility with broadband technology - VPNs allow mobile workers, telecommuters, and staff who work outside working hours to access the corporate network through the VPN over high-speed broadband connections, which gives staff excellent flexibility and improved efficiency. High-speed broadband connections provide a cost-effective solution for connecting remote offices.
Put simply, a VPN forms a logical connection between two endpoints over a public network. The logical connection can be made at Layer 2 or Layer 3 of the OSI model. VPN technologies can be broadly divided into two logical connection models, Layer 2 VPNs and Layer 3 VPNs. A Layer 2 or Layer 3 VPN establishes the same connection between sites: an identifying field is added at the head of the packet so that the data reaches the destination site. This chapter focuses on Layer 3 VPN technology.
Common examples of VPNs are GRE, MPLS, and IPSec. Layer 3 VPNs can implement direct site-to-site connections, such as GRE and IPSec, or establish many-to-many site connections through MPLS.
Generic Routing Encapsulation (GRE) was originally created by Cisco and later became the RFC 1701 specification. RFC 1702 defines an IP header for GRE. A GRE tunnel between two sites that provides IP reachability can be described as a VPN, because the private data between the sites is encapsulated in a GRE delivery header.
MPLS, pioneered by Cisco, was originally called tag switching and was only called MPLS after it was standardized through the IETF. Service providers are increasingly deploying MPLS technology to provide MPLS VPN services to customers. MPLS VPNs use labels to encapsulate the original data, or payload, to form a VPN.
How does a network administrator prevent eavesdropping on VPN data? Data encryption is one way to protect it. Data encryption is done by deploying encryption devices at each site. IPSec is a suite of network service protocols developed with the backing of the IETF to achieve secure exchange of IP packets. The Internet is the most ubiquitous packet-switched public network; therefore, an IPSec VPN deployed over the public Internet can save a company a great deal of cost compared with a leased-line VPN network.
IPSec permits service authentication, integrity, access control, and confidentiality. Information exchanged between remote sites through IPSec can be encrypted and verified.
Both remote-access and site-to-site VPNs can be deployed using IPSec.
There are two basic types of VPN network:
Site-to-site
Remote access
A site-to-site VPN is created when the devices connecting the VPN at both ends know the VPN settings in advance. The VPN is static, and internal hosts are unaware of the VPN's existence. Frame Relay, ATM, GRE, and MPLS VPNs are all examples of site-to-site VPNs.
A remote-access VPN is created when the VPN information is not statically set up but is instead used for dynamically changing information, and it can be enabled and disabled as permitted.
Consider a telecommuter who needs to dial in over the VPN to access corporate data on the Internet, but who does not need to have a VPN connection at all times.
The telecommuter's PC is responsible for establishing the VPN connection. Establishing the VPN connection requires some information, such as the remote worker's IP address, which changes dynamically depending on the remote worker's location.
Site-to-site VPN
A site-to-site VPN is an extension of a classic wide area network. Site-to-site VPNs connect entire networks to each other; for example, a branch office network can be connected to the company headquarters network. In the past, connecting sites required leased lines or Frame Relay connections, but because most businesses now have Internet access, these connections can be replaced with site-to-site VPNs.
In a site-to-site VPN, hosts send and receive normal TCP/IP data through a VPN gateway, which can be a router, a firewall, a Cisco VPN Concentrator, or a Cisco 5500 Series security appliance. The VPN gateway is responsible for encapsulating and encrypting the outbound traffic sent from a particular site and sending it through a VPN tunnel over the Internet to the same VPN gateway at the target site. After receiving the data, the target site's VPN gateway examines the headers, decrypts the content, and forwards the packet to the target host inside the private network.
Remote-access VPN
A remote-access VPN is an extension of circuit-switched networks, such as plain old telephone service or Integrated Services Digital