[Body text]

Shandong University of Science and Technology Graduation Project (Thesis)

Published by the IEEE Computer Society, December 2022

rs, and others access networks from their own PCs, laptops, publicly available computers like those at airport kiosks, and even mobile devices, many not controlled by the organization. VPNs based on Internet Protocol security (IPsec) technology were not designed for and are not well suited for such uses. "Instead of restricting remote users who should not have access to many parts of a company's network," explained Graham Titterington, principal analyst with market-research firm Ovum, "IPsec [generally] connects users into a network and gives the same sort of access they would have if they were physically on the LAN."

Organizations are thus increasingly adopting VPNs based on Secure Sockets Layer technology from vendors such as Aventail, Cisco Systems, F5 Networks, Juniper Networks, and Nortel Networks.

SSL VPNs enable relatively easy deployment, added Chris Silva, an analyst at Forrester Research, a market-research firm. A company can install the VPN at its headquarters and push any necessary software to users, who then access the network via their browsers, he explained. Organizations thus do not have to manage, update, or buy licenses for multiple clients, yielding lower costs, less maintenance and support, and greater simplicity than IPsec VPNs, Silva said.

"From a remote-access perspective, IPsec is turning into a legacy technology," said Rich Campagna, Juniper's SSL VPN product manager.

Nonetheless, IPsec VPNs are still preferable for some uses, such as linking a remote, company-controlled node, perhaps in a branch office, with the corporate network. Both VPN flavors are likely to continue to flourish, with the choice

An early attempt to create a VPN over the Internet used multiprotocol label switching, which adds labels to packets to designate their network path. In essence, all packets in a data set travel through designated tunnels to their destinations. However, MPLS VPNs don't encrypt data.

IPsec and SSL VPNs, on the other hand, use encrypted packets with cryptographic keys exchanged between sender and receiver over the public Internet. Once encrypted, the data can take any route over the Internet to reach its final destination. There is no dedicated pathway. US Defense Department contractors began using this technique as far back as the late 1980s, according to Paul Hoffman, director of the VPN Consortium.

Introducing IPsec

Vendors initially used proprietary and other forms of encryption with their VPNs. However, to establish a standard way to create interoperable VPNs, many vendors moved to IPsec, which the Internet Engineering Task Force (IETF) adopted in 1998.

With IPsec, a computer sends a request for data from a server through a gateway, acting essentially as a router, at the edge of its network. The gateway encrypts the data and sends it over the Internet. The receiving gateway queries the incoming packets, authenticates the sender's identity and designated network-access level, and if everything checks out, admits and decrypts the information. Both the transmitter and receiver must support IPsec and share a public encryption key for authentication.

Figure 1 (diagram; labels recovered from the page): remote users (business partner, kiosk user, temporary staff, traveling staff, telecommuter) send SSL-encrypted traffic across the Internet and through a firewall to the SSL VPN (authentication, authorization, decryption, integrity check), which passes decrypted traffic on to terminal services, a file and media server, a Web proxy, a Web server, an email server, and a desktop.

Figure 1. In an SSL VPN, a remote user logs in to a dedicated Web site to access a company's network. The user's browser initiates the session with a corporate server or desktop computer, which downloads the necessary software to the client. The software uses SSL for encrypting the transmitted data. At the corporate site, the VPN system authenticates users, determines what level of network access they should have, and if everything checks out, decrypts the data and sends it to the desired

SSL, IPsec is implemented as a full application installed on the client. And it doesn't take advantage of existing browser code.

IPsec limitations

According to Forrester's Silva, corporate IT departments increasingly need to let remote users connect to enterprise networks, which is challenging with IPsec.

The normal practice of configuring IPsec VPNs to allow full access to a network can create vulnerabilities. To avoid this, administrators would have to configure them to permit access only to parts of a network, according to Peter Silva, technical marketing manager for F5 Networks' SSL VPNs.

IPsec VPNs also have trouble letting certain traffic traverse firewalls, he explained. This isn't usually a problem, as most companies have the same basic ports open both inbound and outbound. However, it is possible that one company would let traffic out over a port that another doesn't leave open for inbound data. By contrast, the vast majority of companies have port 80 (dedicated) open inbound and outbound, so crossing firewalls is rarely a problem for SSL VPNs, which are Web-based.

IPsec VPNs are full programs and thus are large, generally 6 to 8 megabytes. This means they download more slowly and don't always work well on smaller devices.

ENTER THE SSL VPN

The first SSL VPN vendor was Neoteris, purchased in 2022 by NetScreen, which Juniper bought the next year, according to Juniper's Campagna.

SSL

Netscape Communications developed SSL and released the first public version in 1994. The IETF adopted the technology as a standard in 1999, naming it Transport Layer Security. However, most users still call it SSL. The technology, which offers the same encryption strengths as IPsec, has been used largely to secure financial transactions on the Web.
In an SSL VPN, a user logs into a dedicated Web site. The browser in
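The gateway sequence in Figure 1 (authentication, authorization, integrity check, then forwarding of decrypted traffic to internal servers) and the point made under "IPsec limitations" (full-network access versus access to only parts of a network) are easier to see in code. The following Python is an added example, not code from the article or from any vendor it names. It models the policy step of an SSL VPN gateway: an HMAC-signed session token issued after login, a deny-by-default map from user group to the internal host and path prefix that group may reach, and a per-request verdict. The key, hostnames, groups and paths are constructed for illustration. It goes one step beyond the article by normalizing the request path so that a ".." segment cannot escape a permitted prefix.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import time

# Constructed demo key; a real gateway draws a per-deployment secret from
# its key store rather than a literal in source.
SESSION_KEY = b"constructed-demo-session-key"

# Constructed authorization policy: each group maps to the internal
# (host, path-prefix) pairs it may reach. Anything not listed is denied.
# This is the "access only to parts of a network" model; an IPsec VPN set
# up for full network access would instead let every client reach every host.
POLICY = {
    "employees": [("intranet.example.corp", "/"), ("mail.example.corp", "/")],
    "partners":  [("portal.example.corp", "/partners/")],
    "kiosk":     [("mail.example.corp", "/webmail/")],
}


def issue_session(user, groups, ttl=3600, now=None):
    """Mint a session token after login: base64(payload) + '.' + HMAC tag."""
    now = time.time() if now is None else now
    payload = {"user": user, "groups": list(groups), "exp": int(now + ttl)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def authenticate(token, now=None):
    """Integrity check plus expiry: return the session payload, or None."""
    now = time.time() if now is None else now
    if "." not in token:
        return None
    body, tag = token.split(".", 1)
    expected = hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    if payload["exp"] < now:
        return None
    return payload


def authorize(session, host, path):
    """Deny by default: allow only if some group grants this host and prefix."""
    # Collapse '.' and '..' so "/partners/../admin" is judged as "/admin".
    path = posixpath.normpath("/" + path.lstrip("/"))
    for group in session.get("groups", []):
        for allowed_host, prefix in POLICY.get(group, []):
            if host == allowed_host and (path + "/").startswith(prefix):
                return True
    return False


def gateway_decision(token, host, path, now=None):
    """The gateway's per-request verdict, in the order Figure 1 lists."""
    session = authenticate(token, now)
    if session is None:
        return "deny: unauthenticated"
    if not authorize(session, host, path):
        return "deny: %s not permitted on %s%s" % (session["user"], host, path)
    return "forward: %s -> %s%s" % (session["user"], host, path)


if __name__ == "__main__":
    employee = issue_session("alice", ["employees"])
    print(gateway_decision(employee, "intranet.example.corp", "/wiki"))
    kiosk = issue_session("kiosk-user", ["kiosk"])
    print(gateway_decision(kiosk, "intranet.example.corp", "/wiki"))
```

The token HMAC stands in for the gateway's application-layer session binding; the per-record integrity protection of the SSL (TLS) channel itself is provided by the transport and is not modelled here. The kiosk group shows the least-privilege case the article argues for: a user on an untrusted public machine is proxied only to webmail, never given a network-level foothold.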