System architecture design notes (89)-network security system

ISO's OSI/RM is a well-known network architecture model. However, OSI/RM was not designed with security in mind, so the model itself offers very little security. To improve the security of networks built on it, ISO proposed the OSI security architecture, a set of security extensions based on OSI/RM.

1 OSI security architecture

The OSI security architecture is an object-oriented, multi-level structure. It holds that secure network applications are realized by security services, and that security services are realized by security mechanisms.

1.1 OSI Security Service

In view of the technology and environment of network systems, the OSI security architecture proposes five types of security services for network security: object authentication, access control, data confidentiality, data integrity, and non-repudiation.

(1) Object authentication service

Object authentication services are divided into peer entity authentication and data origin authentication; they identify the peer entity or the source of data and verify that the claimed identity is authentic and valid. Peer entity authentication verifies that the identities claimed by the two parties of a communication are consistent with each other, confirming that neither peer is impersonated. Data origin authentication verifies whether received information really comes from the source it claims.

(2) Access control service

The access control service prevents unauthorized use of resources in the communication network. Access control can be divided into discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC). Because of the inherent weaknesses of DAC and MAC and the clear advantages of RBAC, RBAC became the most popular access control method in designs soon after it appeared. The details of access control were described earlier, so I won't repeat them here.

(3) Data confidentiality service

Data confidentiality services are defensive measures against information leakage, including confidentiality of whole messages, confidentiality of selected fields, and traffic flow confidentiality. The data confidentiality service is realized by encrypting the data transmitted in the network.

(4) Data integrity service

Data integrity services include preventing illegal tampering of information, such as modification, deletion, insertion, and copying.

(5) Non-repudiation service

The non-repudiation service prevents the sender of information from later denying an operation it has performed; that is, it prevents denial by making every operation that has occurred verifiable. Specifically, it covers several aspects, such as non-repudiation of origin, non-repudiation of delivery, and notarization.

1.2 OSI security mechanism

To implement the five OSI security services above, the OSI security architecture recommends the following eight security mechanisms: the encryption mechanism, the digital signature mechanism, the access control mechanism, the data integrity mechanism, the authentication exchange mechanism, the traffic padding mechanism, the routing control mechanism, and the notarization mechanism.

(1) Encryption mechanism

The encryption mechanism encrypts the information transmitted in the network using various encryption algorithms, and it is the most commonly used measure for protecting information. There are many encryption algorithms, which fall roughly into two categories: symmetric key encryption and public key encryption. Some of these algorithms (DES, for example) can already be implemented in hardware with high efficiency.

(2) Digital signature mechanism

The digital signature mechanism is a method in which a private key is used to produce a digital signature and a public key algorithm is used to verify it. It helps the receiver of information confirm whether the information was really sent by the claimed sender, allows checking whether the information has been tampered with, and supports services such as non-repudiation.

(3) Access control mechanism

The access control mechanism judges whether a subject's access to an object is legitimate according to a set of access rules designed into the system in advance; if it is legitimate, the access proceeds, otherwise it is denied. The access control mechanism is the most basic method of security protection and the front-line barrier of network security.

(4) Data integrity mechanism

The data integrity mechanism includes two aspects: the integrity of the data unit and the integrity of the data unit sequence. It guarantees that the data is always complete and correct during transmission and use. The data integrity mechanism is closely related to the data encryption mechanism.
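The data integrity service (4) above names modification, deletion, insertion and copying as the forms of tampering, and the mechanism here distinguishes integrity of a data unit from integrity of the unit sequence. The following added example (not code from the original notes) shows one way to get both with a keyed tag (HMAC) over a sequence number plus payload; the key, the message format and the receiver's reporting labels are my own assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo key; a real system would obtain it from key management.
KEY = secrets.token_bytes(32)
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build one data unit: 4-byte sequence number || payload || HMAC tag.
    The tag covers the sequence number, so it binds content and position."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class Receiver:
    """Verifies each incoming unit and reports which kind of tampering it saw."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0  # next sequence number we are willing to accept

    def accept(self, unit: bytes) -> str:
        if len(unit) < 4 + TAG_LEN:
            return "bad-tag"  # too short to carry a valid tag
        header, body, tag = unit[:4], unit[4:-TAG_LEN], unit[-TAG_LEN:]
        want = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):
            return "bad-tag"  # modification, or insertion of a forged unit
        seq = struct.unpack(">I", header)[0]
        if seq < self.expected:
            return "replay"  # copying: an old unit delivered again
        if seq > self.expected:
            return "gap"  # deletion: one or more units went missing
        self.expected = seq + 1
        return "ok"

def demo() -> list:
    """Feed a receiver the honest case and the four tampering cases the text names."""
    rx = Receiver(KEY)
    units = [protect(KEY, i, f"msg{i}".encode()) for i in range(3)]
    tampered = units[1][:4] + b"MSG1" + units[1][8:]          # payload modified
    forged = struct.pack(">I", 1) + b"evil" + bytes(TAG_LEN)  # inserted without the key
    return [
        rx.accept(units[0]),   # ok
        rx.accept(units[0]),   # replay
        rx.accept(tampered),   # bad-tag
        rx.accept(forged),     # bad-tag
        rx.accept(units[2]),   # gap (unit 1 missing)
        rx.accept(units[1]),   # ok
        rx.accept(units[2]),   # ok
    ]
```

The tag alone cannot tell modification from insertion; only the sequence number check separates replay (copying) from deletion.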

(5) Authentication exchange mechanism

The authentication exchange mechanism confirms the identity of an entity by exchanging information, and is generally used for authentication between communicating entities at the same level. The following techniques are often used to realize the exchange. ① Password: submitted by the sender and checked by the receiver. ② Encryption: the exchanged information is encrypted so that only legitimate users can interpret it. ③ Characteristics or possessions of the entity: for example, fingerprint recognition or identification card checks.
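As an added illustration of an authentication exchange between peer entities (not code from the original notes), the following three-message challenge-response uses technique ②: each side proves knowledge of a pre-shared key by computing a keyed transform over fresh random challenges, so a recorded answer cannot be reused. The message layout, the peer names and the pre-shared key are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed pre-shared key; assumed to be known only to the two peers.
SHARED_KEY = secrets.token_bytes(32)
WRONG_KEY = secrets.token_bytes(32)  # used for the impostor case below

def _proof(key: bytes, *parts: bytes) -> bytes:
    """Keyed transform over the exchanged values; only a key holder can make it."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Peer:
    def __init__(self, name: bytes, key: bytes):
        self.name, self.key = name, key
        self.my_nonce = b""
        self.peer_nonce = b""

    def challenge(self) -> bytes:
        """Message 1: the initiator sends a fresh random challenge."""
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce

    def respond(self, peer_nonce: bytes) -> Tuple[bytes, bytes]:
        """Message 2: the responder answers the challenge and issues its own."""
        self.peer_nonce = peer_nonce
        self.my_nonce = secrets.token_bytes(16)
        return self.my_nonce, _proof(self.key, self.name, peer_nonce, self.my_nonce)

    def verify_and_prove(self, peer_name: bytes, peer_nonce: bytes, proof: bytes) -> Optional[bytes]:
        """Message 3: the initiator checks the responder, then proves itself."""
        expected = _proof(self.key, peer_name, self.my_nonce, peer_nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        self.peer_nonce = peer_nonce
        return _proof(self.key, self.name, peer_nonce, self.my_nonce)

    def verify(self, peer_name: bytes, proof: bytes) -> bool:
        # The responder checks message 3; both identities are now confirmed.
        expected = _proof(self.key, peer_name, self.my_nonce, self.peer_nonce)
        return hmac.compare_digest(expected, proof)

def run_exchange(a_key: bytes, b_key: bytes) -> bool:
    """Full exchange between A and B; True only if both hold the same key."""
    a, b = Peer(b"A", a_key), Peer(b"B", b_key)
    nb, proof_b = b.respond(a.challenge())
    proof_a = a.verify_and_prove(b"B", nb, proof_b)
    return proof_a is not None and b.verify(b"A", proof_a)

def replay_is_rejected() -> bool:
    """A response recorded in an earlier run does not answer a fresh challenge."""
    a, b = Peer(b"A", SHARED_KEY), Peer(b"B", SHARED_KEY)
    nb, old_proof = b.respond(a.challenge())
    a.challenge()  # new run, new nonce
    return a.verify_and_prove(b"B", nb, old_proof) is None
```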

(6) Traffic padding mechanism

The traffic padding mechanism makes the encryption device keep sending pseudo-random sequences onto the communication line in a defined way whenever there is no real data to transmit; these pseudo-random sequences are themselves encrypted. An illegal interceptor therefore cannot tell which of the monitored information is real and which is filler, which prevents attackers from monitoring the data and analysing traffic volume and flow, and so protects the security of the communication.

(7) Routing control mechanism

In a large network there are often multiple routes from the source node to the destination node, some of which are secure while others may not be. When sensitive data is transmitted between the source node and the destination node, a specific secure route must be selected so that the data travels only along a secure path, thereby ensuring the security of the communication.

(8) Notarization mechanism

A complex information system necessarily contains many users, resources and other entities. For various reasons it is difficult to ensure that every user is honest and every resource is reliable, and information may also be delayed or lost because of system failures. All of these can lead to disputes over liability. A notary is an authoritative institution trusted by all parties in the communication system. Before communicating, the parties exchange information with this institution, relying on the trusted third party to make the communication credible; if a dispute does arise, it can be arbitrated through the notary.

1.3 The relationship between OSI security services and security mechanisms

There is no one-to-one correspondence between OSI security services and security mechanisms. Some services rely on several mechanisms to be implemented, and some mechanisms provide more than one service. The general relationship between the OSI security services and security mechanisms is shown in the table, and it can be used as a reference in design when choosing the mechanisms that provide a given security service.

Table: security mechanisms (rows) versus security services (columns); the marks showing which mechanism supports which service are not preserved here.
Columns (services): object authentication, access control, data confidentiality, data integrity, non-repudiation.
Rows (mechanisms): encryption, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control, notarization.

2 Application of VPN in network security

A Virtual Private Network (VPN) is a network technology that uses an insecure public network such as the Internet as the transmission medium and, through a series of security technologies, achieves security comparable to that of a private network, so that important information can be transmitted safely.

2.1 Advantages of VPN technology

VPN technology has very prominent advantages, including:

(1) Network communication security

VPN uses secure tunnels and related technologies to provide secure end-to-end connection services. When users at the two ends of the VPN communicate over the Internet, the information they transmit is encrypted with the RSA asymmetric encryption algorithm, and its key is computed using the Diffie-Hellman algorithm, which fully guarantees the security of the data communication.

(2) Convenient scalability

Using VPN technology to build an enterprise's internal private network and to give remote business staff access offers convenient and flexible scalability. First, restructuring is very convenient: the network can be restructured simply by adjusting the configuration. Second, expansion is convenient: only a few nodes need to be configured, and no engineering changes are needed to the network already built.

(3) Convenient management

With VPN networking, a large share of network management tasks can be placed on the Internet service provider's side and carried out centrally, reducing the burden of internal network management on the enterprise. At the same time, VPN provides intelligent features such as information transmission and routing that are independent of other network equipment, and gives users flexible means of network management.

(4) Significant cost savings

Using the existing, ubiquitous Internet to build a private enterprise network saves a great deal of initial investment and subsequent operation and maintenance cost. In the past, interconnecting two remote networks was mainly done with leased lines, which are very expensive. A VPN is a virtual private network with good security built on the Internet, so its cost is relatively low, and part of the operation and maintenance work can be placed on the service provider's side, saving part of the maintenance cost.

2.2 Principle of VPN

A series of key security technologies are needed to implement VPN, including:

(1) Secure tunnel technology

The information to be transmitted is encrypted and encapsulated by one protocol, then nested inside a data packet of another protocol and sent onto the network, where it travels like an ordinary packet. After this processing, only the users at the source and destination can extract and process the encrypted, encapsulated information; to any other user it is meaningless garbage.

(2) User authentication technology

The user's identity is confirmed before the connection starts, and the system then performs the corresponding authorization and resource access control according to that identity.

(3) Access control technology

The provider of the VPN service and the provider of the final network information resources jointly negotiate and determine the user's access rights to the resources, thereby realizing user-based access control and protecting the information resources.

In the above figure, the secure tunnel agent and the management center form the secure transmission plane (STP), which implements secure transmission over the Internet and the corresponding system management functions. The user authentication management center and the key distribution center form the common function plane (CFP), an auxiliary plane of the secure transmission plane that mainly provides user agents with relatively independent user identity authentication and management, and key distribution and management functions.

When establishing VPN communication, the VPN user agent requests the secure tunnel agent to establish a secure tunnel. After the secure tunnel agent accepts it, it establishes a secure tunnel on the Internet under the control and management of the management center, and then provides users with transparent network transmission. The VPN user agent includes three parts: a secure tunnel terminal function, a user authentication function, and an access control function, which together provide a complete VPN service to the upper application.

(1) Secure transmission plane

The secure transmission plane realizes secure transmission and corresponding system management functions on the Internet, which is jointly completed by the secure tunnel agent and the management center.

① Secure tunnel agent. The secure tunnel agent is the main body of the VPN; under the control of the management center it connects multiple point-to-point secure channels into an end-to-end secure tunnel. Its functions are as follows.

Establishment and release of secure tunnels. At the request of the user agent, a point-to-point secure channel is first established between the user agent and the secure tunnel agent, and interactions such as user authentication and service level negotiation are carried out inside this channel, so that important information such as user credentials is protected during initialization. Then, under the control of the management center, an end-to-end secure tunnel between the sending end and the receiving end is formed from a number of point-to-point secure channels connected in sequence. After the information transmission is over, the agent of either party can request release of the tunnel connection to terminate the secure tunnel.

Verification of user identity. During initialization of a secure tunnel, the secure tunnel agent requires the user agent to submit a certificate issued by the user authentication management center and confirms the identity of the user agent by verifying that certificate. If necessary, the user agent can also authenticate the secure tunnel agent in the reverse direction to further improve the security of the system.

Negotiation of service level. After the user's identity is verified, the secure tunnel agent negotiates the service level with the user agent, determines the level to be provided according to the user's requirements and the actual state of the VPN system at the time, and reports it to the management center.

Transparent transmission of information. After the secure tunnel is established, the secure tunnel agent is responsible for transmitting information between the communicating parties, applies the corresponding controls according to the agreed service parameters, and provides a transparent VPN transmission service to the applications.

Control and management of secure tunnels. While the secure tunnel connection is maintained, the secure tunnel agent also manages and adjusts the network performance and service level of the established tunnel in accordance with the management commands of the management center.

② VPN management center. The VPN management center is the core of the entire VPN. It communicates directly with the secure tunnel agents and is responsible for coordinating the work of the secure tunnel agents on the secure transmission plane. Its functions are as follows.

Management and control of secure tunnels. The management center determines the best route and issues a command to every secure tunnel agent on that route to establish the secure tunnel connection. After the tunnel is established, it continues to monitor the working state of each tunnel connection; for a faulty secure tunnel, it re-selects the route and replaces the connection with a new one. During communication it can also send management commands to the agents on the relevant secure tunnels as needed, to optimize network performance and adjust service levels.

Monitoring and management of network performance. The management center constantly monitors the working state of each secure tunnel agent, collects various VPN performance parameters, and uses the collected data to optimize VPN performance and troubleshoot faults. It is also responsible for common network management functions such as logging of VPN events, user billing, tracking and auditing, and fault reporting.

(2) Common function plane

The common function plane is an auxiliary plane of the secure transmission plane. It provides the VPN user agent with relatively independent user identity authentication and management, and key distribution and management functions, which are carried out by the user authentication management center and the VPN key distribution center respectively.

① Authentication management center. The authentication management center provides user identity authentication and user management. In user authentication it acts as an objective third party that authenticates one or both of the VPN user agent and the secure tunnel agent, so that they can confirm each other's identity. User management here refers only to the management directly tied to the identity authentication function, that is, logging the credibility and authentication status of each user (including user agents, secure tunnel agents, authentication management centers, and so on); these records can be consulted when the two parties establishing a secure tunnel negotiate the service level. Management here is service-oriented; user management functions related to user rights, access control and the like are not included.

② Key distribution center. The key distribution center provides key distribution, recovery and management functions for both parties who need to perform identity verification and information encryption. In the VPN system, user agents, secure tunnel agents, and authentication management centers are all users of the key distribution center.

The use of VPN technology can not only ensure the connectivity and data sharing of the entire enterprise network, but also ensure the security of important data such as finances. It is a good solution for the interconnection of local networks within the enterprise.



Origin blog.csdn.net/deniro_li/article/details/108900815