📄 vpn.php

📁 An open-source tool for setting up a VPN (virtual private network)
💻 PHP
<?php
include('head.php');
?>
		<div class="item">
			<h2 class="title">.: VPN :.</h2>
			<p class="first"><b><a href="#1._Introduction_to_VPN">1. Introduction to VPN</a><br />
			<a href="#2._What_Does_a_VPN_Do">2. What Does a VPN Do?</a><br />
			<a href="#3._VPN_Pros_and_Cons">3. VPN Pros and Cons</a><br />
			<a href="#3.1._Advantages">3.1. Advantages</a><br />
			<a href="#3.2_Disadvantages">3.2. Disadvantages</a><br />
			<a href="#4._VPN_Technology">4. VPN Technology</a><br />
			<a href="#5._How_does_a_OpenVPN_work">5. How does OpenVPN work?</a></b></p>
			<p class="first"><b><a name="1._Introduction_to_VPN">1. Introduction to VPN</a></b><br />
			A VPN, or Virtual Private Network, refers to simulating a private network 
			over the public Internet between the two private end-points.<br />
			</p>
			<p class="first"><b><a name="2._What_Does_a_VPN_Do">2. What Does a VPN Do?</a></b><br />
			VPN technology is based on the idea of site-to-site tunnel. Network 
			tunneling involves establishing and maintaining a logical network connection 
			(that may contain intermediate hops). On this connection, packets constructed 
			in a specific VPN protocol format are encapsulated within some other 
			base or carrier protocol, then transmitted between VPN client and server, 
			and finally de-encapsulated on the receiving side.<br />
			VPNs also support authentication and encryption to keep the tunnels secure.<br />
			</p>
			<p class="first"><b><a name="3._VPN_Pros_and_Cons">3. VPN Pros and Cons</a></b><br />
			<b><a name="3.1._Advantages">3.1. Advantages</a></b><br />
			VPNs promise two main advantages over competing approaches:<br />
			<b>1) The Low Cost of a VPN</b><br />
			One way a VPN lowers costs is by eliminating the need for expensive 
			long-distance leased lines.<br />
			With VPNs, an organization needs only a relatively short dedicated connection 
			to the service provider. This connection could be a local leased line 
			(much less expensive than a long-distance one), or it could be a local 
			broadband connection such as DSL service.<br />
			Another way VPNs reduce costs is by lessening the need for long-distance 
			telephone charges for remote access. Recall that to provide remote access 
			service, VPN clients need only call into the nearest service provider&#39;s 
			access point. In some cases this may require a long distance call, but 
			in many cases a local call will suffice.<br />
			A third, more subtle way that VPNs may lower costs is through offloading 
			of the support burden. With VPNs, the service provider rather than the 
			organization must support dial-up access, for example. Service providers 
			can in theory charge much less for their support than it costs a company 
			internally because the public provider&#39;s cost is shared amongst 
			potentially thousands of customers.<br />
			<b>2) Scalability and VPNs</b><br />
			The cost to an organization of traditional leased lines may be reasonable 
			at first but can increase rapidly as the organization grows. A 
			company with two branch offices, for example, can deploy just one dedicated 
			line to connect the two locations. If a third branch office needs to 
			come online, just two additional lines will be required to directly 
			connect that location to the other two.<br />
			However, as an organization grows and more companies must be added to 
			the network, the number of leased lines required increases dramatically. 
			Four branch offices require six lines for full connectivity, five offices 
			require ten lines, and so on. Mathematicians call this phenomenon a &quot;combinatorial 
			explosion,&quot; and in a traditional WAN this explosion limits the flexibility 
			for growth. VPNs that utilize the Internet avoid this problem by simply 
			tapping into the geographically-distributed access already available.<br />
			Compared to leased lines, Internet-based VPNs offer greater global reach, 
			given that Internet access points are accessible in many places where 
			dedicated lines are not available.<br />
			<b><a name="3.2_Disadvantages">3.2 Disadvantages</a></b><br />
			With the hype that has surrounded VPNs historically, the potential pitfalls 
			or &quot;weak spots&quot; in the VPN model can be easy to forget. These four concerns 
			with VPN solutions are often raised.<br />
			<b>1)</b> VPNs require an in-depth understanding of public network security 
			issues and taking proper precautions in VPN deployment.<br />
			<b>2)</b> The availability and performance of an organization&#39;s 
			wide-area VPN (over the Internet in particular) depends on factors largely 
			outside of their control.<br />
			<b>3)</b> VPN technologies from different vendors may not work well 
			together due to immature standards.<br />
			<b>4)</b> VPNs need to accommodate protocols other than IP and existing 
			(&quot;legacy&quot;) internal network technology.<br />
			Generally speaking, these four factors comprise the hidden costs of 
			a VPN solution. Whereas VPN advocates tout cost savings as the primary 
			advantage of this technology, detractors cite hidden costs as the primary 
			disadvantage of VPNs.<br />
			</p>
			<p class="first"><b><a name="4._VPN_Technology">4. VPN Technology</a></b><br />
			In the past, the method for creating such a site-to-site tunnel was 
			to use the Internet Protocol Security (IPSec) standard. IPSec was not 
			chosen due to its great strength as a protocol. It was chosen because 
			it was the only game in town. IPSec has received much criticism for 
			its unnecessary complexity and tight coupling with the OS kernel [SF99], 
			but due to its monopoly on function, it has enjoyed widespread implementation.<br />
			IPSec VPNs also are either too expensive or too difficult to use securely. 
			IPSec is dense and contains too many options to be configured and administered 
			securely by non-expert personnel. It also operates in kernel space providing 
			the opportunity for catastrophic failure.<br />
			True SSL VPNs are beginning to appear in the market. One of the best, 
			and definitely the least expensive, is the open source SSL VPN, OpenVPN 
			(<a target="_blank" href="http://openvpn.sourceforge.net">openvpn.sourceforge.net</a>), 
			by James Yonan.<br />
			OpenVPN is a user-space SSL-based VPN that illustrates the ease of use 
			and simplicity of SSL VPNs while providing protection and function equivalent, 
			and in some cases superior, to IPSec.<br />
			OpenVPN rejects the complexity of IPSec by using the battle-tested SSL/TLS 
			protocol and cryptographic libraries to provide equal or better function 
			in a simpler package. OpenVPN also operates in user space, increasing 
			security and stability.<br />
			OpenVPN does away with the complexities of IPSec from an installation, 
			configuration, and management perspective. Security&#39;s worst enemy is 
			complexity, and OpenVPN defeats this enemy.<br />
			SSL VPNs are not in the same category as SSL-enabled web servers and 
			proxy servers: in this case SSL is not used to encrypt traffic for a single 
			application, or for several applications one at a time via proxying, application 
			translation, or port forwarding.<br />
			</p>
			<p class="first"><b><a name="5._How_does_a_OpenVPN_work">5. How does OpenVPN work?</a></b><br />
			User-space SSL VPNs use the highly mature and widespread SSL/TLS protocol 
			(from the OpenSSL library) to handle the tunnel creation and cryptographic 
			elements necessary to create a VPN. We are going to focus mostly on 
			an open source SSL VPN, OpenVPN.<br />
			OpenVPN is a user-space VPN that uses the well-tested and mature SSL/TLS 
			infrastructure to create the same site-to-site connection functionality 
			found in IPSec VPNs. OpenVPN is referred to as a user-space VPN because 
			it does not require sophisticated intertwining with the OS&#39;s kernel 
			to function. It operates in Ring 3 of our secure OS Ring Architecture, 
			which is right where we want it.<br />
			Usually, in order to do link encryption, an application must be intertwined 
			with the kernel to provide low-level access to the interface where the 
			link is found. User-space VPNs use a &quot;virtual interface&quot; they control 
			and access without this kernel dependence. This gives user-space VPNs 
			a more secure starting point than standard IPSec devices, as well as 
			providing more flexibility in porting to other operating systems and 
			ease of installation and maintenance.<br />
			The tunnel, established from an IP subnetwork or a virtual Ethernet adapter, 
			runs over a single UDP or TCP port, which could work better with a firewall.<br />
			The new version of OpenVPN (v. 2.0, still unstable) provides:<br />
			1) A highly scalable server for handling multiple TCP/UDP clients over 
			point-to-point tun interfaces, all using a single port number.<br />
			2) A server configuration file that is only slightly more complex than a 
			configuration file for a single tunnel instance.<br />
			3) A server that is able to handle an arbitrary number of clients using 
			a single TCP or UDP port, a single /dev/tunX interface, and a single 
			config file.<br />
			This last point has given me the idea for a VPN community.<br />
			</p>
		</div>
<?php
include('foot.php');
?>
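
The three OpenVPN 2.0 server properties listed in section 5 (one port, one tun interface, one config file for all clients) map onto a handful of configuration directives. The file below is an added example, not part of vpn.php or of the OpenVPN project's own samples; the port, subnet and file names are placeholder assumptions.

```conf
# Added example: minimal OpenVPN 2.x multi-client server configuration.
# Port, subnet and file names are placeholders, not values from the page.

# One listening socket serves every client.
port 1194
proto udp

# One routed point-to-point tun interface is shared by all clients.
dev tun

# "server" enables multi-client mode and allocates client addresses from
# this pool; the server itself takes the first address (10.8.0.1).
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# SSL/TLS authentication: every peer must present a certificate signed
# by this CA. The private key must be readable by root only.
ca   ca.crt
cert server.crt
key  server.key
dh   dh.pem

# HMAC signature on TLS control packets: packets without a valid signature
# are dropped before any TLS handshake processing takes place.
tls-auth ta.key 0

# Ping peers every 10 s and treat them as down after 120 s of silence.
keepalive 10 120

# Drop root privileges after initialisation; the persist options keep the
# key material and tun device available across restarts without root.
user nobody
group nogroup
persist-key
persist-tun

verb 3
```

With this configuration the only inbound firewall rule the server needs is one for UDP port 1194.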
