2010 International Conference on Computational and Information Sciences
The research of VPN on WLAN
Weili Huang, Fanzheng Kong
College of Information and Electrical Engineering, Hebei University of Engineering, Handan, China
Chenmo811@163.com, Huangweili58@163.com
Abstract: VPN technology is an effective method that is easy to deploy on a WLAN. Several VPN technologies are already widely used, and each has its own advantages and disadvantages. This paper introduces the working principles of SSL VPN and IPSec VPN, analyzes the advantages and disadvantages of the two schemes, and finally compares them in several respects, such as field of application, security strategy and installation.
Keywords: SSL VPN, IPSec VPN, WLAN
I. INTRODUCTION
Virtual Private Network (VPN) is a relatively new network technology. VPN security technology has not only been widely applied to local-area networks (LAN) and remote access, but can also be used on a wireless local-area network (WLAN), where it can replace Wired Equivalent Privacy (WEP) solutions. It adopts Data Encryption Standard (DES) and 3DES technology to secure the data in transit. In a typical VPN deployment, the user first logs on to a VPN server; the encrypted data frames sent by the user are then encapsulated in new data frames for transmission.
IPSec VPN and SSL VPN are both VPN solutions that have been widely applied to WLANs. With their growing popularity, many products now follow the trend of merging the two, so that IPSec VPN and SSL VPN products are converging in function. Technically, SSL VPN products and IPSec VPN products each have their own functional advantages, and users must choose according to their needs.

II. THE TECHNOLOGY OF IPSEC VPN
A. Summary of IPSec VPN
The IP Security architecture, referred to as IPSec, is a group of cryptography-based security protocols for open networks, drafted by the IETF IPSec working group in 1998. AH (Authentication Header), ESP (Encapsulating Security Payload) and IKE govern encryption, authentication and key management (ESP also provides support for authentication). AH and ESP operate on a Security Association (SA); IKE is responsible for establishing and maintaining SAs. The IPSec architecture is shown in Figure 1.

Figure 1. IPSec system structure

IPSec is designed to provide high-quality, interoperable, cryptography-based security for IPv4 and IPv6 data. IPSec achieves these objectives through two communication security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), together with the Internet Key Exchange (IKE). AH and ESP each have two operating modes: transport mode and tunnel mode. IKE negotiates the cryptographic algorithms used by AH and ESP and puts the keys those algorithms need in place. All of these services operate at the IP layer and protect the protocols above it.

B. Security services provided by IPSec
• Confidentiality service. IPSec provides data confidentiality to ensure that data is not illegally eavesdropped on in transit. This service is provided by ESP; its algorithm uses Cipher Block Chaining (CBC) mode, which ensures that unauthorized users cannot learn the true content of the information even if they eavesdrop on the transmission.
• Data-origin authentication and integrity service. The authentication data of AH and ESP is derived from an HMAC computed by a one-way hash over the constant fields of the packet, such as the source IP address, during the transfer process.
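The data-origin authentication service described above can be seen at work in the following added example (not code from the paper), which computes an AH-style HMAC with Python's standard library: the constant header fields, above all the source address, are covered by the MAC while the fields routers rewrite in transit are masked, so a forwarded packet still verifies but a packet whose source address or payload changed in transit does not. The key, the addresses and the use of untruncated HMAC-SHA256 are constructed assumptions for the demo.

```python
import hashlib
import hmac
import socket
import struct

def build_ipv4_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header without options (checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable_fields(header: bytes) -> bytes:
    """AH hashes the IP header with the fields routers legitimately rewrite in
    transit (DSCP/ECN, flags and fragment offset, TTL, header checksum) set to
    zero, so the ICV survives forwarding while the constant fields, above all
    the source and destination addresses, remain covered."""
    h = bytearray(header)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Integrity Check Value: HMAC-SHA256 over the masked header and payload.
    Real AH transforms truncate the MAC (e.g. to 96 bits); omitted here."""
    return hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha256).digest()

def verify_icv(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    # Constant-time comparison, as any MAC check on the receive path should use.
    return hmac.compare_digest(ah_icv(key, header, payload), icv)

def demo() -> tuple:
    """Returns (after_router_hop_ok, source_address_changed_ok, payload_changed_ok)."""
    key = b"constructed-demo-key"           # in IPSec this comes from the IKE-negotiated SA
    payload = b"hello from the WLAN client"
    hdr = build_ipv4_header("192.0.2.10", "198.51.100.1", 64, 6, len(payload))
    icv = ah_icv(key, hdr, payload)
    hopped = bytearray(hdr)
    hopped[8] -= 1                          # a router decremented the TTL: still valid
    altered_src = build_ipv4_header("192.0.2.99", "198.51.100.1", 64, 6, len(payload))
    return (verify_icv(key, bytes(hopped), payload, icv),
            verify_icv(key, altered_src, payload, icv),
            verify_icv(key, hdr, payload[:-1] + b"!", icv))
```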
C. The application of IPSec VPN
The IPSec protocol can be used to protect one or more paths between hosts, between a security gateway and a host, or between gateways (a security gateway can be a router or a firewall). IPSec allows users (or system administrators) to control which security services are applied. For example, users can set up an encrypted tunnel between security gateways to protect all communication between them, or set up an encrypted tunnel for every TCP connection between hosts.
In a WLAN environment, IPSec is installed on every PC connected to the wired network, and users must establish an IPSec tunnel before their traffic is forwarded to the wired network. Filters are used to prevent wireless traffic from reaching anything beyond the VPN gateway and the DHCP/DNS server.

D. IPSec advantages and disadvantages
1) Advantages:
a) IPSec implements data encryption end to end. It can be implemented in different parts of the network to form a virtual private network in which different networks are integrated; the endpoints can be two hosts or two different LANs.
b) IPSec is implemented in the network layer, so the upper layers need not be changed at all.
c) Interoperability. In both transport mode and tunnel mode an IPSec header is inserted into the packet. The IPSec header contains the fields needed for interoperability; therefore, as long as the IPSec entities are in the same security domain, or can be deduced to be in the same security domain by the transmission rules, the conditions for interoperability are met.
d) Flexible implementation. First, IPSec can be implemented in hosts, gateways and routers, and also in hardware. Second, one can choose only to authenticate packets (especially suitable where encryption cannot be applied) or to both encrypt and authenticate them. Third, a security association can be coarse-grained, such as all hosts behind a gateway sharing one security association, or fine-grained, such as one security association per packet. Packets that do not require security services can bypass IPSec processing.
e) IPSec provides a protocol framework that is independent of the cryptographic algorithms; this design allows users to select algorithms without changing the protocol itself.
2) Disadvantages: operating an IPSec VPN requires specialized training, because client software and hardware must be configured, so it is not easy to extend. IPSec VPN products have not fully resolved the complex remote-access problems, including network address translation, firewall traversal and broadband access.

III. THE TECHNOLOGY OF SSL VPN
A. Summary of SSL VPN
SSL (Secure Socket Layer) is a general-purpose protocol that guarantees the security of transmitted information. It sits between the network layer and the application layer. SSL follows the PKI (Public Key Infrastructure) model and uses the asymmetric RSA algorithm. The SSL protocols comprise the handshake protocol, the record protocol and the alert protocol. The handshake protocol is responsible for negotiating the session's encryption parameters between client and server. The record protocol is responsible for exchanging the application data. The alert protocol is responsible for terminating the session between the hosts when an error occurs. The structure of SSL is shown in Figure 2.

Figure 2. The structure of SSL (handshake protocol, change cipher spec protocol, alert protocol and HTTP on top of the SSL record protocol, which runs over TCP and IP)

The main purpose of the SSL protocol is to provide privacy and reliability between two communicating applications. An SSL connection is established between two application processes that want to communicate, and it proceeds in two stages: the handshake stage and the data transmission stage. In the handshake stage the server is authenticated and the encryption key used to protect the data is generated. The handshake must be completed before any application data is transmitted; once the handshake is complete, the data is divided into a series of protected records for transmission.

B. Security services provided by SSL VPN
• Client authentication. One kind of server is responsible for the special authentication of clients; the server can verify that each communication is a legitimate one, and access control strategies can be installed on the SSL VPN server so that different clients are given different strategies.
• Confidentiality. Data transmission needs to be encrypted; however, because the communication process must encrypt and decrypt, a large amount of resources is consumed and transmission performance is reduced. Therefore both the complexity of the encryption algorithm and the management and transmission of keys need to be considered.
• Tunnel support. The SSL protocol supports tunneling only weakly, so it cannot simultaneously support multiple applications and protocols. An SSL VPN, however, packs IP packets or Ethernet frames into TCP or UDP packets through the Tun/Tap driver of a virtual network card to construct a tunnel.
• Information integrity. Information integrity ensures that the transmitted data is not tampered with. This can be addressed by setting access control policies so that different users have different permissions and only the permitted user has access to the appropriate resources.
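The two-stage behaviour described in Section III.A (handshake first, then application data carried as a series of records over TCP) can be checked at the record layer. The following Python is an added example, not the paper's code: it splits a TCP byte stream into records following the layering of Figure 2 and rejects application data that arrives before the handshake has finished. The sample records and the single-direction simplification are constructed assumptions.

```python
import struct
# Record-layer content types (RFC 5246, section 6.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
NAMES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD = 2 ** 14 + 2048   # largest TLSCiphertext fragment allowed

class RecordLayer:
    """Splits a TCP byte stream into records and enforces the paper's ordering:
    no application data until the handshake stage has completed. Assumption
    (simplification): one direction is tracked, and the handshake counts as done
    once a change_cipher_spec record is followed by one more handshake record."""
    def __init__(self):
        self.buf, self.saw_ccs, self.handshake_done = b"", False, False

    def feed(self, data: bytes) -> list:
        """Accept any chunk (partial TCP reads are fine); return completed records."""
        self.buf += data
        out = []
        while len(self.buf) >= 5:
            ctype, _version, length = struct.unpack("!BHH", self.buf[:5])
            if ctype not in NAMES or length > MAX_RECORD:
                raise ValueError(f"malformed record: type={ctype} len={length}")
            if len(self.buf) < 5 + length:
                break                                  # wait for the rest
            payload, self.buf = self.buf[5:5 + length], self.buf[5 + length:]
            if ctype == APPLICATION_DATA and not self.handshake_done:
                raise ValueError("application data before handshake completed")
            self.saw_ccs = self.saw_ccs or ctype == CHANGE_CIPHER_SPEC
            self.handshake_done = self.handshake_done or (ctype == HANDSHAKE and self.saw_ccs)
            out.append((NAMES[ctype], payload))
        return out

def record(ctype: int, payload: bytes) -> bytes:
    # Constructed TLS 1.2 record (version 0x0303) for the demo streams.
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def demo_stream() -> list:
    """Well-ordered client flow: ClientHello, CCS, Finished, then application data."""
    stream = (record(HANDSHAKE, b"<ClientHello>") + record(CHANGE_CIPHER_SPEC, b"\x01")
              + record(HANDSHAKE, b"<encrypted Finished>")
              + record(APPLICATION_DATA, b"<encrypted HTTP request>"))
    layer, seen = RecordLayer(), []
    for i in range(0, len(stream), 7):                 # deliberately ragged reads
        seen += layer.feed(stream[i:i + 7])
    return [name for name, _ in seen]

def demo_early_data() -> str:
    # Application data sent before any handshake is rejected.
    try:
        RecordLayer().feed(record(APPLICATION_DATA, b"too early"))
    except ValueError as err:
        return str(err)
    return "accepted"
```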
C. The application of SSL VPN
An SSL VPN can provide a secure tunnel between hosts and can also protect the data transmission and identification of computer communication, so that WLAN information cannot be intercepted or altered before being sent to the target host. The security architecture on the WLAN is shown in Figure 3.

Figure 3. The security architecture on WLAN

SSL VPN implementations are divided into two kinds: proxy-typed and tunnel-typed.
The proxy-typed SSL VPN is realized with HTTPS and proxy technology. The user needs only a web browser to access internal resources, without any client. A typical proxy-typed deployment consists of a client with a browser, the SSL VPN server and the network application servers.
The tunnel-typed SSL VPN is realized with virtual network cards and the SSL protocol. The communicating parties need to install VPN software that creates a virtual network card. The tunnel-typed process runs in user space and sends the application's traffic to the network layer through the virtual network card interface. A tunnel-typed SSL VPN can realize host-to-host, host-to-network and network-to-network connections.

D. Advantages and disadvantages
1) Advantages:
a) There is no need to install client software or a client device; the network resources of the corporate headquarters can be accessed through a web browser alone, eliminating client costs and greatly reducing maintenance and management costs.
b) SSL VPN management uses a centralized management and centralized maintenance mode, which can greatly reduce administrative and maintenance costs. Web access based on SSL is not a real network node, yet it can still gain access to internal resources. In an SSL-based remote access scheme, corporate resources can be reached through firewalls and proxy servers.
2) Disadvantages: SSL VPN only supports proxied access to web-based or client-specific applications. An enterprise usually runs many applications that are not web-based; enterprises that use only a single web application are rare. An SSL VPN can only protect application-layer protocols, so its limitations are apparent.

IV. COMPARISON OF SSL VPN WITH IPSEC VPN
SSL VPN and IPSec VPN each have their own performance advantages; Table I compares the technical performance of the two.

TABLE I. TWO KINDS OF TECHNICAL PERFORMANCE COMPARISON
Option | SSL VPN | IPSec VPN
Identity authentication | One-way/two-way identity verification; digital certificates | Two-way identity verification; digital certificates
Encryption algorithm | Strong encryption algorithm, based on the web browser | Strong encryption algorithm, based on program execution
Whole-journey security | End-to-end security; the tunnel is encrypted from the client to the network resources | Network edge to client security; the channel is encrypted only between the client and the VPN gateway
Accessibility | Can be used at any time, from any place | Applies only to well-defined, controlled secure access
Expenses | Low; no additional client software | High; the client software must be managed
Installation | Plug and play; no additional client software or hardware to install | Usually requires a long configuration time; software and hardware need to be reinstalled
Usability | Uses the web browser; user friendly; no user training | Difficult for users without the corresponding technical background; needs user training
Supported applications | Web-based applications, email and file sharing | All IP-based services
Users | Customers, partners, remote users, suppliers | More suitable for enterprise internal use
Scalability | Easy to configure and extend | Easy on the server side; difficult on the client side
Authentication and management | Uses a digital certificate or a series of secret keys | Uses only digital certificates
Attack on the application system | Internal network transparent; vulnerable to hackers | Open application system, directly exposed; easy to be attacked
Overall | In a remote connection, if the client computer is infected by a virus, the virus has an opportunity to attack the internal network | Only the client is attacked
V. CONCLUSIONS
SSL VPN applications have become very popular on WLANs, especially for applications requiring data confidentiality. In order to meet the needs of different applications, according to their respective performance, many enterprises combine the advantages of both to make their networks safer and more effective.