Research on a TNC-Enabled IPsec VPN System
Published: 2019-01-09 15:56
[Abstract]: Traditional VPN technology authenticates only the legitimacy of the user at access time and does not check the security state of the user's terminal; a terminal carrying viruses or Trojan programs is a serious danger once it is admitted to the network. The TNC architecture of the TCG provides both user identity authentication and platform integrity checking, protecting the enterprise network from malicious code and system vulnerabilities on connecting endpoints, but TNC has mainly been applied in local area networks and rarely in VPNs. This thesis studies a "TNC-enabled IPsec VPN system": TNC is applied to the IPsec VPN remote-access technology so that a connecting user must present not only a legitimate identity but also a platform whose integrity meets policy. The thesis first introduces the TNC architecture and IPsec VPN technology, then the EAP extension of IKEv2 that allows the system to carry the EAP messages TNC requires. On this basis, a TNC-enabled IPsec VPN system is designed and built from strongSwan, TNC@FHH and FreeRADIUS. Then, according to the security requirements, modules that check the security state of the boot loader and of the firewall are designed and implemented. Finally the system is tested, and user identity authentication together with platform integrity measurement is achieved in an IPsec VPN environment.
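The decision the abstract describes, identity authentication first and then platform integrity measurement combined by the TNC server before the gateway admits the client, modelled as an added Python example. This is illustrative code written for this page; it is not the thesis's code and not the code of strongSwan, TNC@FHH or FreeRADIUS. The two IMV functions, the measurement attribute names, the reference hash and the sample endpoints are assumptions constructed for the example.

```python
"""Access decision of a TNC-enabled IPsec VPN gateway, modelled in Python.

Added illustrative code; not from the thesis and not the code of strongSwan,
TNC@FHH or FreeRADIUS. IMV names, measurement attribute names, the reference
hash and the sample inputs are constructed assumptions for this example.
"""
import hashlib
import hmac
from enum import IntEnum


class Recommendation(IntEnum):
    """IMV action recommendations (TNC IF-IMV), ordered so that the
    numerically largest value is the most restrictive."""
    ALLOW = 0
    ISOLATE = 1
    NO_ACCESS = 2


def imc_measure(bootloader_image: bytes, firewall_enabled: bool) -> dict:
    """Client side (IMC): collect the platform state the IMVs will judge.
    The attribute names are an assumption of this example."""
    return {
        "bootloader_sha256": hashlib.sha256(bootloader_image).hexdigest(),
        "firewall_enabled": firewall_enabled,
    }


def bootloader_imv(measurements: dict, reference_sha256: str) -> Recommendation:
    """Server side (IMV): a boot loader whose hash is missing or differs from
    the reference points at a compromised boot chain, so deny, not isolate."""
    reported = measurements.get("bootloader_sha256")
    if reported is None or not hmac.compare_digest(reported, reference_sha256):
        return Recommendation.NO_ACCESS
    return Recommendation.ALLOW


def firewall_imv(measurements: dict) -> Recommendation:
    """Server side (IMV): a disabled firewall is remediable, so isolate."""
    if measurements.get("firewall_enabled") is True:
        return Recommendation.ALLOW
    return Recommendation.ISOLATE


def tncs_combine(recommendations) -> Recommendation:
    """TNC server: the most restrictive IMV recommendation wins. An empty
    list (no IMV answered) is treated as no access."""
    return max(recommendations, default=Recommendation.NO_ACCESS)


def gateway_decision(identity_ok: bool, measurements: dict,
                     reference_sha256: str) -> str:
    """IKEv2 gateway (PEP): identity first, then platform integrity.
    'isolate' stands for a restricted CHILD_SA towards a remediation
    network; that mapping is an assumption of this model."""
    if not identity_ok:
        return "deny"  # EAP identity method failed; IKE_AUTH is rejected
    rec = tncs_combine([
        bootloader_imv(measurements, reference_sha256),
        firewall_imv(measurements),
    ])
    return {
        Recommendation.ALLOW: "allow",
        Recommendation.ISOLATE: "isolate",
        Recommendation.NO_ACCESS: "deny",
    }[rec]


# Constructed sample data: a "known-good" boot loader image and a tampered copy.
GOOD_IMAGE = b"GRUB 2.00 example image bytes (constructed)"
BAD_IMAGE = GOOD_IMAGE.replace(b"2.00", b"2.0x")
REFERENCE_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()


def run_scenarios() -> dict:
    """Four endpoints connecting to the gateway; returns name -> decision."""
    return {
        "valid_user_clean_host": gateway_decision(
            True, imc_measure(GOOD_IMAGE, True), REFERENCE_SHA256),
        "valid_user_firewall_off": gateway_decision(
            True, imc_measure(GOOD_IMAGE, False), REFERENCE_SHA256),
        "valid_user_tampered_bootloader": gateway_decision(
            True, imc_measure(BAD_IMAGE, False), REFERENCE_SHA256),
        "bad_credentials_clean_host": gateway_decision(
            False, imc_measure(GOOD_IMAGE, True), REFERENCE_SHA256),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The ordering matters: platform measurements are only evaluated for a client whose identity already verified, so an anonymous client learns nothing about the gateway's integrity policy. The most-restrictive-wins combination is what makes the tampered boot loader outrank the merely isolatable firewall finding.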
[Degree-granting institution]: Xidian University
[Degree level]: Master's
[Year awarded]: 2014
[Classification code]: TP393.08
[Article ID]: 2405835
[Link]: https://www.wllwen.com/guanlilunwen/ydhl/2405835.html