April 21, 2005

The Security of SSL VPN

I. A secure protocol

1. An SSL VPN uses the SSL (Secure Socket Layer) protocol, a security protocol that sits between the HTTP layer and the TCP layer.

2. Through an SSL VPN, users connect to specific internal enterprise applications, not to the enterprise's whole network. With an IPSec VPN, a client that connects through the VPN joins the entire enterprise network, and uncontrolled access to the whole enterprise network is extremely dangerous.

3. Because traffic is carried by the SSL security protocol, the firewall on the gateway only needs to open a limited number of secure ports; the ports of every application do not have to be exposed to public-network users, which greatly reduces the chance of the whole network being attacked from the public network.

4. The security of data encryption is guaranteed by the encryption algorithms. These may differ from vendor to vendor: some use standard algorithms such as DES, 3DES and RSA, while others use their own proprietary algorithms. A hacker who wants to eavesdrop on data in the network would first have to break the encryption on those packets.

5. Session protection: practically all SSL VPNs today provide this function, which automatically terminates a session after it has been idle for a period of time; to continue, the user must log in again. Protecting the session in this way guards against impersonated access after data has been eavesdropped;

II. Security functions the product provides

1. First, because the SSL VPN generally sits on the gateway or behind the firewall, and the internal applications that authorized external users need are registered on the SSL VPN, the gateway only needs to open a port such as 443 to the SSL VPN rather than the ports of every internal application. If a hacker launches an attack, it can reach only the SSL VPN, not the actual internal applications.

2. The anti-virus policy is not changed: looked at from another angle, if you use an IPSec VPN product, once a client computer connects to the network through the VPN, the network's anti-virus policy is completely broken, because a computer that joins the internal network is not protected by the company's original anti-virus policy. An SSL VPN does not have this problem, because the data an SSL VPN user may access is permitted in advance;

3. The firewall policy is not changed: the basic principle is the same as for anti-virus. Again from the IPSec perspective, once a client computer connects to the network through the VPN, if that computer has been compromised by a hacker and a Trojan installed, it becomes a springboard for attacking the internal network; an SSL VPN does not have this problem.

Security can be examined from several angles. The above gave an overall introduction; now we look at security from the perspective of the SSL VPN access process.

I. Before access

1. Accounts are created, authorized users are granted access and unauthorized users are blocked;

2. Fine-grained permission control, down to each specific URL and service. Even with an account, a user must also hold sufficient permissions before reaching the actual applications on the internal network;

3. Authentication methods: there are many today, and a typical SSL VPN can integrate a variety of other authentication systems, for example MS AD, LDAP, token authentication, SMS authentication, local database authentication and so on. Most SSL VPNs currently offer the authentication functions above;

4. Authentication of the server, for example by certificate;

II. During access

1. When the secure tunnel is established through the SSL VPN, the SSL (Secure Socket Layer) protocol guarantees the security of the channel;

2. The encryption algorithm is an important means of guaranteeing security. The algorithms used by SSL VPN vendors today include 3DES, DES and RSA, and in China also encryption cards. So far there has been no report of any SSL VPN vendor passing certification by the national cryptography commission; this is a problem that all SSL VPN vendors, domestic and foreign, currently face;

3. Because of the way an SSL VPN works and its position in the network, it is impossible for viruses and hackers to attack the internal network applications through the SSL VPN gateway; for the detailed analysis see part one of the security discussion;

4. History-clearing function: some SSL VPN vendors have added a function that immediately clears cookies and other access information when the browser is closed. This ensures that security-sensitive internal information from the session is not left behind on the access computer and gives later users of that computer no information that could be used for an attack.

5. Session protection: practically all SSL VPNs today provide this function, which automatically terminates a session after it has been idle for a period of time; to continue, the user must log in again. Protecting the session in this way guards against impersonated access after data has been eavesdropped;
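The two checks described above, per-URL authorization (item 2 of "Before access") and idle-session protection (item 5 here and in the protocol section), are modelled together in the following Python example. It is an added illustration, not code from the article or from any SSL VPN product; the users, paths and the 600-second idle timeout are constructed values, and FakeClock stands in for the wall clock so the timeout can be exercised deterministically.

```python
import posixpath

# Constructed policy: which users may reach which internal application
# paths (hypothetical users and paths, not from any real deployment).
ACL = {
    "alice": {"/crm", "/mail"},
    "bob": {"/mail"},
}

IDLE_TIMEOUT_SECONDS = 600   # constructed value; real products make this configurable


class FakeClock:
    """Clock the example and its tests can move forward by hand."""
    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now


class Gateway:
    """Minimal model of the per-request checks an SSL VPN gateway makes:
    is there a live session, has it gone idle, and may this user reach this URL?"""

    def __init__(self, acl, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=None):
        self.acl = acl
        self.idle_timeout = idle_timeout
        self.clock = clock or FakeClock()
        self.sessions = {}       # session id -> (user, last_seen)
        self._counter = 0

    def login(self, user):
        # A real gateway would authenticate against AD/LDAP/tokens here and
        # issue an unguessable random session id; the counter is for illustration.
        self._counter += 1
        sid = f"sess-{self._counter}"
        self.sessions[sid] = (user, self.clock())
        return sid

    @staticmethod
    def normalize(url):
        # Drop the query string and collapse "." / ".." so that
        # "/mail/../crm" is judged as /crm, not as something under /mail.
        path = url.split("?", 1)[0]
        return posixpath.normpath("/" + path.lstrip("/"))

    def authorize(self, sid, url):
        """Return (allowed, reason) for one request made on a session."""
        entry = self.sessions.get(sid)
        if entry is None:
            return False, "no session: login required"
        user, last_seen = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            # Idle too long: drop the session so a captured id cannot be replayed.
            del self.sessions[sid]
            return False, "session expired: login required"
        self.sessions[sid] = (user, now)
        path = self.normalize(url)
        for prefix in self.acl.get(user, ()):
            # Exact match or a true sub-path; "/mailbox" must not match "/mail".
            if path == prefix or path.startswith(prefix + "/"):
                return True, "ok"
        return False, f"{user} not authorized for {path}"


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    gw = Gateway(ACL, clock=clock)
    sid = gw.login("bob")
    print(gw.authorize(sid, "/mail/inbox"))
    print(gw.authorize(sid, "/mail/../crm/accounts"))
    clock.now += IDLE_TIMEOUT_SECONDS + 1
    print(gw.authorize(sid, "/mail/inbox"))
```

The path normalization and the exact-or-sub-path comparison are the parts worth copying: a plain string-prefix check would let "/mail/../crm" or "/mailbox" through for a user who is only entitled to "/mail".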

III. After access

1. Powerful logging: since the SSL VPN serves as the tool for establishing secure access connections, all access information passes through this gateway, so powerful logging is very important to the network administrator; should the worst happen, it supports both after-the-fact remediation and forward-looking analysis;

2. Log analysis capability: security products today must not only faithfully record access information but also provide comprehensive and powerful log analysis, so that they can help administrators effectively find possible vulnerabilities and attacks that have already occurred.
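As an added example of the log analysis the two points above call for (not code from the article or any vendor), the following Python snippet parses a constructed excerpt of gateway access logs and raises two findings: a burst of failed logins from one source address, and a burst of authorization denials for one user. The log format, addresses, user names, URLs and thresholds are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed gateway log excerpt (hypothetical format and values).
SAMPLE_LOG = """\
2005-04-21T09:00:01 src=203.0.113.5 user=alice event=login result=ok
2005-04-21T09:00:07 src=203.0.113.5 user=alice event=access url=/crm/accounts result=allow
2005-04-21T09:01:00 src=198.51.100.7 user=bob event=login result=fail
2005-04-21T09:01:03 src=198.51.100.7 user=bob event=login result=fail
2005-04-21T09:01:05 src=198.51.100.7 user=bob event=login result=fail
2005-04-21T09:01:09 src=198.51.100.7 user=carol event=login result=fail
2005-04-21T09:01:12 src=198.51.100.7 user=dave event=login result=fail
2005-04-21T09:02:30 src=203.0.113.5 user=alice event=access url=/finance/reports result=deny
2005-04-21T09:02:31 src=203.0.113.5 user=alice event=access url=/finance/payroll result=deny
2005-04-21T09:02:32 src=203.0.113.5 user=alice event=access url=/hr/records result=deny
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a float 'ts'."""
    stamp, _, rest = line.partition(" ")
    rec = dict(FIELD_RE.findall(rest))
    rec["ts"] = datetime.fromisoformat(stamp).timestamp()
    return rec


def max_events_in_window(timestamps, window):
    """Largest number of events that fall inside any span of `window` seconds."""
    times = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window=60, fail_threshold=4, deny_threshold=3):
    """Return findings as (kind, key, count) tuples.

    Failed logins are grouped by source address rather than by user, so a
    run of attempts spread across many accounts is still seen as one burst.
    Denied accesses are grouped by user, since they come from a session that
    already passed authentication."""
    fails_by_src, denies_by_user = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "login" and rec.get("result") == "fail":
            fails_by_src.setdefault(rec["src"], []).append(rec["ts"])
        elif rec.get("event") == "access" and rec.get("result") == "deny":
            denies_by_user.setdefault(rec["user"], []).append(rec["ts"])
    findings = []
    for src, ts in fails_by_src.items():
        n = max_events_in_window(ts, window)
        if n >= fail_threshold:
            findings.append(("login-failure-burst", src, n))
    for user, ts in denies_by_user.items():
        n = max_events_in_window(ts, window)
        if n >= deny_threshold:
            findings.append(("acl-deny-burst", user, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Grouping failures by source rather than by account is the point of the example: the five failed logins in the sample touch three different accounts and would stay under a per-user threshold, while a per-source view shows them as one event worth a look.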

When thinking about setting up home or branch offices for your organization, don’t overlook the potent combination of features and functions that Internet access and security appliances can bring to the table. Many of these units combine a network switch, DHCP and NAT services, firewalls, port screening and more within a single, small and often very affordable enclosure. It’s not unreasonable to think of these devices as network control centers and Internet access gateways combined.

Though only a subset of the offerings available in this product niche include VPN capabilities, enough of them offer VPN services that those whose home or branch office networking needs include VPN requirements should give such products a closer look. And even those appliances that don’t include built-in VPN support will typically offer pass-through or special handling for common VPN protocols such as IPSec, L2TP, PPTP and so forth, to make them easy to deploy and use in concert with other VPN solutions.

That said, there are some particularly noteworthy appliances that do include VPN capabilities along with other equally compelling features and functions. Since the appliance market is booming, if enough buyers start asking for VPN features from such devices, you’ll probably also see that demand answered by an additional bevy of product offerings. Today, the following such devices stand out among a crowd of hundreds of devices that offer some combination of network hub or switch capabilities, basic network services, plus Internet access and security features:

  • MultiTech’s SOHO Routefinder VPN (to which the vendor also attaches the label SOHO Internet Security Appliance) includes a single DSL or cable modem WAN Ethernet port, support for IPSec and PPTP VPN tunnels for both LAN-to-LAN and Client-to-LAN access across the Internet, along with support for 3DES and AES encryption schemes and VPN tunneling using fully qualified domain names (FQDNs). The unit also includes a four-port 10/100 Ethernet switch, firewall, NAT and DHCP services, as well as IP address mapping/port forwarding services. It will even accommodate a backup dial-up connection so that a conventional POTS or ISDN modem will take over should the primary broadband link fail for any reason. The device supports up to 100 simultaneous IPSec VPN connections. This unit is available for a whopping $146.56.

  • Linksys offers the BEFVP41 EtherFast Cable/DSL VPN Router, based around the company’s standard 4 Port Router model BEFSR41. To a feature set that’s nearly identical to the non-VPN capabilities of the MultiTech RouteFinder, Linksys adds support for DES and 3DES encryption, MD5 and SHA authentication, as well as secure Internet Key Exchange (IKE). Numerous reviews of the product make mention of how easy it is to set up VPNs by installing one at headquarters and additional units at home or branch offices. If this device is used, clients need no additional IPSec VPN client software to make secure VPN connections to other networks. The device supports up to 70 simultaneous IPSec VPN connections. This unit is available at Buy.com for a mere $65.34.

  • ZyXEL offers the ZyWall 70, which it also labels an Internet Security Appliance. It’s a bit more advanced than the other devices mentioned so far and includes a more powerful firewall that includes stateful inspection, DoS and DDoS protection, and content filtering capabilities, along with dual WAN links with load balancing or auto fail-over policy-based routing capability. In addition to 3DES encryption, the unit can handle AES for VPN connections as well, and also supports manual key exchange and X.509 PKI, as well as IKE. It’s also the only device in this list that’s been certified for both IPSec and firewall capabilities at ICSA Labs. It supports up to 100 simultaneous IPSec connections. Its price is also considerably more hefty: $1,349.

Though there are numerous other appliances in the SOHO space, these provide a pretty good cross-section of pricing and capabilities. For larger operations, useful offerings are likely to fall under more typical Internet gateway or firewall product offerings, but even here appliances are beginning to find some traction—such as the Sun/Check Point iForce VPN Firewall, designed for considerably higher throughput and many more simultaneous IPSec connections than the lower-scale devices already mentioned.

But whatever your particular needs might be when setting up VPN links—particularly for home office, small office or branch office situations—appliances are definitely a worthwhile addition to your product research checklist.

In the last article I discussed MPLS certifications offered by the major vendors and also gave an overview of the foundational skills required to pass the certifications. This article represents the first in a series of articles all tailored towards certification skills required for the MPLS portion of the Cisco CCIP certification. These skills are tested in the CCIP exam 642-611 – Implementing Cisco MPLS Exam.

Be sure to understand the history of MPLS. Why was it desired?
MPLS is the combination of ATM capabilities over an IP backbone. IP has run over ATM circuits for quite some time; however, scalability has always been an issue for service providers, because they had to provide redundant circuits between the routers that served customers for Internet traffic and also a mesh of circuits for the ATM backbone. ATM provided traffic engineering capabilities and Quality of Service. This was termed the overlay model, as IP traffic was overlaid on a mesh of ATM circuits. Make sure you understand what is meant by an overlay model and why the meshing issue causes scalability problems. The more routers there are, the more ATM circuits are required to provide the mesh: for every router added, circuits have to be built to all the other routers. This can be demonstrated by the formula n(n-1)/2, where n is the number of routers. The formula gives the number of circuits required to provide a full mesh. If you have 4 routers you would need 6 circuits to provide a full mesh. 100 routers would require 4500 circuits.

Be sure to understand the label stack.
The MPLS label is the foundation for label switching. The MPLS label has four octets, or 32 bits, that make up four fields: the label field, the EXP field, the S field and the TTL field. The label field comprises 20 bits, which allows for the creation of over 1 million labels.

The EXP field maps directly to the IP Precedence TOS bits to provide Class of Service (CoS) markings for an MPLS label. This field is 3 bits in length. The S field is used for stacking labels. This is important and is used to indicate the last label in the label stack. The S field is 1 bit in length. The TTL field is used to decrement the time-to-live counter. It is 8 bits in length.

Each of these fields plays an important role in the delivery of MPLS technologies such as the creation and forwarding of traffic along a label switched path, QoS guarantees and transport of one carrier’s MPLS over another’s backbone. Be familiar with the field names, purpose and length.

The MPLS label stack is inserted into ordinary packets between the IP header and the layer 2 header (Frame Relay, Ethernet or ATM). This allows routers to switch the packet based on the MPLS label rather than the layer 3 or layer 2 information. This is why the MPLS label stack is sometimes referred to as the shim header, as it is shimmed in between the layer 2 and layer 3 headers. Know the location of the MPLS label stack within different encapsulation types (frame and cell).

The MPLS label stack is just like an IP packet in that the router will make forwarding decisions based on the MPLS label that is found in the packets. The routers will use MPLS labels exclusively to forward traffic over an MPLS backbone, therefore an understanding of the contents of the label is mandatory to understanding MPLS.
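To make the field layout concrete, here is an added Python example (not code from the article or from any vendor) that packs and unpacks the 32-bit label stack entry described above, walks a label stack until the S bit marks the bottom, and locates the shim header in an Ethernet frame. The EtherType 0x8847 for MPLS unicast is a real value; the MAC addresses, label values and payload in SAMPLE_FRAME are constructed for the example, as is the exp_from_tos helper that copies the three IP Precedence bits into EXP.

```python
import struct

MPLS_UNICAST_ETHERTYPE = 0x8847   # real EtherType for MPLS unicast frames
MAX_LABEL = 1 << 20               # 20-bit label field: 1,048,576 values


def encode_entry(label, exp, s, ttl):
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < MAX_LABEL and 0 <= exp < 8 and s in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (s << 8) | ttl)


def decode_entry(data):
    """Unpack one entry into its four fields (big-endian, as on the wire)."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "s": (word >> 8) & 0x1, "ttl": word & 0xFF}


def exp_from_tos(tos):
    """IP Precedence is the top three bits of the TOS byte; copy them into EXP."""
    return (tos >> 5) & 0x7


def encode_stack(entries):
    """entries: list of (label, exp, ttl), top of stack first.
    The S bit is set on the last (bottom) entry only."""
    out = b""
    for i, (label, exp, ttl) in enumerate(entries):
        out += encode_entry(label, exp, 1 if i == len(entries) - 1 else 0, ttl)
    return out


def decode_stack(data, offset=0):
    """Read entries from `offset` until one with S=1; return (entries, end_offset)."""
    entries = []
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack: bottom-of-stack bit never seen")
        entry = decode_entry(data[offset:offset + 4])
        entries.append(entry)
        offset += 4
        if entry["s"] == 1:
            return entries, offset


def parse_ethernet_mpls(frame):
    """Locate the shim header in an Ethernet frame: after the 14-byte Ethernet
    header and before the layer 3 payload. Returns (stack, payload)."""
    if len(frame) < 14:
        raise ValueError("short frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != MPLS_UNICAST_ETHERTYPE:
        raise ValueError(f"not an MPLS unicast frame: ethertype 0x{ethertype:04x}")
    stack, end = decode_stack(frame, 14)
    return stack, frame[end:]


# Constructed sample frame: two labels (a transport label on top, a second
# label at the bottom with S=1) ahead of a placeholder IPv4 payload.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + struct.pack("!H", MPLS_UNICAST_ETHERTYPE)
                + encode_stack([(16, 0, 64), (1000, exp_from_tos(0xA0), 64)])
                + b"\x45\x00" + b"IP-PAYLOAD")

if __name__ == "__main__":
    stack, payload = parse_ethernet_mpls(SAMPLE_FRAME)
    for entry in stack:
        print(entry)
    print(payload)
```

The decoder deliberately refuses a stack that runs off the end of the frame without ever seeing S=1; a parser that simply stops at end-of-buffer would misreport where the layer 3 header begins.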

The next article will focus on how the router makes decisions on forwarding of packets containing MPLS labels. We will revisit the binding of labels to an IP route and discuss the control and forwarding plane of an MPLS router. This will provide the concepts necessary to understand how routers build the virtual circuits or label switched paths that the labels are forwarded across.

In the next series of articles I am going to talk about the foundational skills required to achieve MPLS certification. In reality there is no MPLS certification. MPLS skills are generally considered a subset of the skills required for multiple vendor certifications including Cisco’s Certified Internetworking Professional (CCIP), Juniper Networks Technical Certification Program (JNTCP) and Foundry’s Network Certification Program (FNCP). While these vendor certifications represent the major certifications surrounding MPLS, in reality, Cisco and Juniper dominate the deployed base for carrier solutions and as such I would recommend that those interested in certification pursue either Cisco or Juniper certifications.

Regardless of which vendor’s certifications you eventually pursue, there are going to be key concepts related to MPLS technology that will be common across all of the certifications. These concepts are what I consider the foundation skills for having a complete understanding of MPLS technology in order to be considered an expert in the field. The key areas of focus are as follows:

Virtual Private Network Models – Peer versus Overlay
MPLS Labels & Label Distribution
Frame Mode MPLS
Cell Mode MPLS
MPLS Virtual Private Networks
MPLS Traffic Engineering
Customer Edge to Provider Edge Routing
Multi-protocol Border Gateway Protocol – MBGP
Virtual Routing & Forwarding – VRF
Route Targets – Import & Export
Route Distinguisher
VPN-IP Addressing – VPNv4

These areas represent the key aspects of MPLS technology and specifically MPLS VPN technology. If you can gain a good understanding of all of these topics, not only will you be well versed in MPLS technology, but you will be prepared for any of the certification exams that the vendors have that require MPLS expertise.

Cisco Certified Internetworking Professional (CCIP) certification requires an understanding of these topics as well as an understanding of how to implement these technologies. The subsequent articles I write will provide a brief overview (or refresh if I have already written a past article on the topic) of the technology and specific configurations for enabling the technology on Cisco platforms. The intent is to provide the foundational skills required to pass the CCIP exam 642-611 – Implementing Cisco MPLS Exam. This exam is one of 3 to 4 exams required to achieve CCIP certification. The reason I say 3-4 exams is that Cisco provides a dual track to CCIP certification. Check Cisco.com for an outline of the CCIP certification requirements.

I will not be writing any articles outlining the technology or skills required for the other certification tests, only for the MPLS portion of the exam. It is my intent to provide a solid foundation of MPLS skills that can be used to pass the MPLS exam.
