RU2182355C1 - Method and system for protecting corporate virtual private computer network against unauthorized data exchange with public transport network - Google Patents

Abstract

FIELD: computer engineering. SUBSTANCE: proposed method and system are used for construction of protected corporate virtual private networks using communications infrastructure of public access network including the Internet. Method involves determination of infrastructure of message source and recipient. Burst data are encoding and output burst is formed. Output burst is converted into TCP/IP format and conveyed to the Internet wherein the Internet addresses and identifiers contained therein are checked for coincidence with addresses and identifiers pre- entered in memory unit. When they coincide, decoded data of burst are transmitted to message recipient. In this way data exchange between local computer network and corporate virtual private public-access network is made impossible and public-access network users acquire this information. EFFECT: enhanced reliability of private network protection. 2 cl, 2 dwg, 3 tbl

Description

 The invention relates to the field of computer technology and can be used to build secure corporate virtual private networks using public access networks, in particular, the Internet, as a communication infrastructure.

 A known method of protection against unauthorized exchanges between the first computer network and the second computer network is that they receive a communication message in the first network protocol format on the first network motherboard from the first computer network, prevent routing service communication messages from the first computer network, and convert the communication message in the second format of the network protocol, as a result of which information about the source and destination addresses is deleted from a communication message, transmitting the communication message to the second network motherboard, performing the reverse conversion in the second network motherboard of the communication message to the first network protocol format, transmitting the communication message after the reverse conversion to the second computer network, as a result of which users connected to the first one are prevented or second computer networks, routing overhead and address information that interfere t unauthorized exchanges between computers connected to the first and second computer networks (see RU 2152691, G 06 F 12/14, 10.07.2000).

 A security system is known for preventing unauthorized exchanges between a first computer network and a second computer network, comprising a first network motherboard and a second network motherboard, each of said first and second network motherboards having a network interface adapter for exchanging with said first and second computer networks, respectively, each of these network motherboards additionally has a transmission adapter for exchanging with the transmission adapter of another network motherboard, indicated These transfer adapters are paired and identical, each of the network motherboards has network software to prevent the transfer of information about routing services between the network interface adapters and the transfer adapter of each of the network motherboards, each network motherboard additionally contains protocol conversion software that prevents passage top-level protocol information and information about the source address and destination address between the specified network nterfeysnym adapter and said transfer adapter of each network motherboard, wherein at least one of said network motherboards have intermediate software application program interface for providing application level services task sharing computers connected to said at least one network motherboard.

 The disadvantages of this method, as well as the system that implements it, include the impossibility of preventing information privacy violations when using a virtual private network, namely, listening to and reconstructing the traffic of a virtual private network at some point on the public network, as well as penetration into the corporate network at the point of connection to public network and / or violation of its normal functioning. In addition, when implementing this method, it is impossible to organize a dynamic exchange of routing messages between remote local area networks of a virtual private network protected by this method.

 The technical result consists in providing protection that excludes the penetration of the corporate virtual private network from the public access network into the local computer network, as well as the removal of information by users of the public access network. In addition, the technical result provides the ability to dynamically exchange routing messages between local area networks of a corporate virtual private network, which leads to improved scalability and manageability of all local area networks of the virtual private network as a whole.

 The technical result is achieved by the fact that when organizing the connection of a local computer network, which is part of a virtual private network, to a public network, isolation is made at the second level of the OSI model of routing and message transfer functions both inside and between local computer networks of a corporate virtual private network, from routing and message transfer functions between devices connected to the public network at the third level of the OSI model.

 The technical result is also achieved by the fact that the encryption of the graph of the local area network, which is part of the virtual private network, is carried out on a device isolated at the third level of the OSI model from the public network, which limits (subject to a secure encryption key delivery system) the ability to reconstruct the transmitted data during interception VPN traffic in the public network.

 The basic principle of implementing the technical result of the described method is based on the idea of switching labels.

 A label is a fixed-length header that identifies many packets that are transmitted in a certain way (for example, on the same path or in accordance with some class of service). The label has a local value for the router. Although, often, the label identifies the route prefix or address of the OSI model's third level protocol (for example, the IP address prefix), it does not encode this information in any way. A plurality of packets sent according to certain predetermined criteria is called a route equivalence class.

 Routers using the specified switching principle establish the label binding to the route equivalence class, then using the special standard protocol (LDP RFC-3036) distribute label binding information to all routers for which they will use this label when sending packets. These routers (called "downstream" for this class) use this label as an index for the hash table of the incoming traffic switching table. Further, they determine the sending interface for this packet, select the label that becomes outgoing for this class, and distribute (via the LDP protocol) information about this binding among their "downstream" routers. In the future, traffic switching is carried out automatically according to the values of the incoming and outgoing labels. In this case, the incoming label is replaced by the outgoing one. More than one tag may be associated with a package. In doing so, the router processes as many tags as the stack. In other words, the router decides to switch the packet based on the information contained in the label at the top of the stack. Thus, a tagged packet is associated with a label stack of depth N. An unlabeled packet can be considered as a packet with an associated label stack of depth 0.

 As already noted, the technical result is achieved by separating the functions of routing the traffic of the corporate virtual private network and routing the traffic of the public network.

 Let Ma1, ..., Man be devices that route the schedule of local area networks 1..n of a corporate virtual private network. Let Mb1, ..., Mbn be devices that perform routing functions through a public transport network. At the same time, Ma1 interacts limitedly with Mb1, ..., Man interacts limitedly with Mbn at the second level of the OSI model.

Router Mak, 1 <= k <= n performs the following functions:
- Announces address prefixes of remote local area networks of the corporate virtual private network or the default route to the local area network of the virtual private network;
- assigns labels for the route prefixes of the local area network, distributes them between the routers Ma1, ..., Mak-1, Mak + 1, ..., Man of the remote local area networks of the virtual private network along with information about the statically configured Mbk public network address (as the destination of the public network for a given set of labels) and supports the corresponding table of local labels;
- receives information from the routers Ma1, ..., Mak-1, Mak + 1, ..., Man about the bindings of labels to the address prefixes of remote local area networks, as well as the addresses of the public network Mb1, ..., Mbk -1, Mbk +1, ..., Mbn and supports the corresponding table, performs other operations with labels (deallocation, reassignment) in accordance with the specification of the LDP protocol, supports information about the availability of remote local area networks of a virtual private network;
- performs the process of dynamic or static routing of virtual private network addresses;
- encrypts the IP packet received from the local area network that is part of the virtual private network, addressed to the remote local area network, also included in the same virtual private network and associates with it an outgoing first level label identifying the route equivalence class for the remote local area network and the address of the public network identifying the Mbi router, 1 <= i <= n is the destination of the public network, which is the gateway to the remote local area network;
Transmits encrypted traffic with associated labels to the Mbk router using a simple second-level protocol of the OSI model (description is given below);
receives a protocol packet of the second level of the OSI model from the Mbk router, with an associated label identifying the route equivalence class of the local area network that is part of the virtual private network, determines the destination inside the local area network from the local label table, decrypts the packet and sends it to the destination inside the local computer network;
The Mbk router, 1 <= k <= n, performs the following functions:
supports routing (static or dynamic) of a public network; announces its own Mbk address to a public network (Internet);
receives from Mak encrypted traffic packets of the local area network that is part of the virtual private network addressed to the remote local area networks of this virtual private network, generates an IP header with its own source address, address WE, 1 <= i <= n, the destination, and sends packet to the next gateway on the routing table of the public network;
Receives Mb1, ..., Mbk-1, Mbk + 1, ..., Mbn routers from the routers IP packets containing encapsulated, encrypted information for the local area network, deletes the addresses of the public network and passes it to the router Mak using a simple protocol of the second level.

 Information about label binding to route equivalence classes is distributed between the routers MA, MA1, ..., MAN using the label distribution protocol (LDP), the transport for which is the TCP / IP protocol operating “inside” the virtual private network (i.e. not routable on the public network). For LDP operation, fixed label values are allocated from the service range (0-15).

 The communication protocol between the MA and MB routers defines a point-to-point connection at the second level of the interaction model of open ISO systems and is used to transfer frames containing useful information.

 To implement the physical level of the open systems interaction model of this solution, the requirement is to provide a full duplex bit-oriented synchronous channel between the source and receiver. There are no restrictions on channel bandwidth.

The format of the frame (data structure), see table. 1 where
Flag: this field takes one octet and identifies the beginning and end of the frame. This field always contains the binary value 01111110 (Ox7e).

 Protocol: this field takes two octets and contains the identifier of the protocol encapsulated in the Information field. Protocol identifiers are determined by the most current version of the RFC "Assigned numbers". Some values are given below. The value of the protocol identifier is transmitted in the order "most significant bit - first."

 In the table. Table 2 shows some protocol identifier values (in hexadecimal format).

 Information: this field can contain an arbitrary number of octets. The maximum value is 1,500 octets, however, any maximum value can be set for implementation needs.

 FCS: this field takes two octets and contains the frame checksum, which is calculated from the Protocol and Information fields, not including the Flag field and the FCS field itself.

 To determine the status of the connection, a simple mechanism for keepalive messages is proposed. For such messages, the protocol type (value of the Protocol field) 0x8035 (REVERSE ARP) is used, since on point-to-point connections there is no need to use the mechanisms for reversely determining the addresses of the third level of the interaction model of open IOS systems. Both systems representing the ends of the connection send each other keepalive messages at an equal, configurable interval. The recommended interval is 10 seconds. Both systems must use the same interval value.

Keepalive message has the following format (see table. 3), where
Type: this field defines the type of message and takes two octets. By default, the value of this field is set to 0.

 My seguence: this field takes four octets and contains the value of the synchronization sequence sent to another system. Each system sets this value for each keepalive message, regardless of the other system. The starting value of the sequence is set to 0.

 Your seguence: this field takes four octets and contains the last value of the synchronization sequence received from the neighboring system. Each system must remember the last value of the synchronization sequence received from the neighboring system. Before sending a message to a neighboring system, it compares the value of the synchronization sequence that should be sent in this message with the last value received from the neighboring system. If the absolute value of the difference between these values is more than three, then the connection is considered to be broken and the transmission of information of the highest levels of the interaction model of open systems should be stopped until the correspondence of the indicated values is established. The present architecture does not define the procedure for handling this situation. Nevertheless, it is recommended that developers take some steps to test the physical level of interaction, and then set the initial values of synchronization sequences to resume communication.

 Reserved: this field takes two octets and is reserved for the development of architecture. The value of this field is always set to OxFFFF (hexadecimal).

 In FIG. 1 shows a system for protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network that implements the proposed method. In FIG. 2 shows a packet reception / transmission diagram.

 A corporate virtual private computer network consists of several (N) local area networks. For simplicity, FIG. 1 illustrates a corporate virtual private computer network protection system including two local area networks.

 The system for protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network contains a first processor 1 connected to a local computer network 2 of a protected corporate computer network, a router 3, which is connected via an interface 4 to a router 5 connected to the Internet 6, a router 3 is connected to the memory unit 7 and encoding and decoding means 8, and the router 5 is connected to the memory unit 9, the first processor 1 is connected respectively to the march a router 3, a memory unit 7 and encoding and decoding means 8, a second processor 10 connected to the Internet network 6 is connected to a router 5 and a memory unit 9, a third processor 11 connected to a local area network 12 of the protected corporate computer network, router 13, which through the interface 14 is connected to the router 15 connected to the Internet 6, the router 13 is connected to the memory unit 16 and encoding and decoding means 17, and the router 15 is connected to the memory unit 18, the third processor 11 is connected to respectively with the router 13, the memory unit 16 and means 17, coding and decoding, the fourth processor 19, connected to the network 6 is connected to Internet router 15 and memory unit 18.

 Router 3 as well as router 13 interacts with all or part of the devices (user terminals) of the local area network included in the virtual private computer network, at the third level of the interaction model of open ISO systems using the TCP / IP protocol. It is for a local area network a means of interaction with remote local area networks of a virtual private computer network, and it does not interact with a public network. Blocks 7 and 16 of the memory store information about the local area network of the virtual private computer network, in particular the identifiers (labels) of the message source and message recipient and the address of the message source and message recipient (clients of each local area network), including a table of correspondence of identifiers to these addresses. An identifier (label) is a fixed-length header that identifies many packets sent by a router in a certain way (for example, along the same path or in accordance with a certain class of service). The identifier has a local value for the router. The identifier identifies the route prefix or IP address, but it does not encode this information in any way and is not in functional correspondence with it. Blocks 9 and 18 of the memory store information about the table of correspondence of identifiers to addresses on the Internet. It also stores information on which routers communicating with the public network deliver packets to the router communicating with the local computer network of the corporate virtual private computer network. In the general case, each local area network of a virtual private computer network can be served by one or several routers that interact with the local area network of the corporate computer network, and routers that interact with the Internet.

 The system for protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network that implements the proposed method works as follows.

 The packet generated, for example, in one of the user terminals of the local area network 2, which is the message source in this case, enters the first processor 1, where the addresses of the message source and the message recipient are extracted from this packet and compared with those previously stored in the memory unit 7 . According to the results of the comparison, the first processor 1, using tabular data, selects the identifiers of the message source and the recipient of messages, previously recorded in block 7, while at the command of the first processor 1, the packet data is transmitted via router 3 to the means 8, which encode them, after which the first processor 1 generates an output packet (frame) by adding a message source identifier and a message recipient identifier to the encoded packet data. The generated output packet, at the command of the first processor 1, is transmitted via router 3 through interface 4 to router 5, which interacts with the public data network at the third level of the interaction model of open ISO systems and other similar routers representing other local area networks of the corporation’s virtual private network using TCP / IP protocol, but does not interact with either the local area network of the corporate virtual private network or remote local computer networks.

 Upon receipt of the output packet in the router 5, the second processor 10 selects the identifiers of the message source and the recipient of the messages and compares them with those previously recorded in the memory unit 9. According to the comparison results, the second processor 10, using the tabular data, selects the source addresses of the messages and the recipient of messages in the public network that are previously recorded in the memory unit 9 and adds them to the received output packet, and then converts the output packet to the one required for transmission on the Internet format, i.e. encapsulate encoded packet data with associated identifiers in an Internet packet. The converted output packet at the command of the processor 10 through the router 5 enters the Internet 6. Received from the Internet 6 Internet packet arrives in the fourth processor 19, which selects the output packet (frame) containing encoded data of the source packet, the address of the message source and the recipient of messages on the Internet 6 and the identifiers of the message source and recipient of messages, the selected addresses and identifiers are compared with previously recorded in the memory unit 18. With the coincidence of the compared information, i.e. in the absence of address spoofing on the route through the public network b the Internet, at the command of the fourth processor 19, the selected output packet is transmitted via the interface 15 to the router 13 through the interface 14. When this packet arrives at the router 13, the third processor 11 extracts the encoded packet data from it, which through the router 13 transmits to the means 17, where they are decoded. After decoding the data of the source packet, the third processor 11 extracts the address of the message source and the address of the message recipient and compares them with those previously recorded in the memory unit 16. Based on the comparison results, the third processor 11, using the tabular data, determines their correspondence to the identifiers of the message source and the message recipient, previously recorded in block 16, and if they coincide (i.e., upon successful identification) by the processor 11 command through the router 13, the decoded data of the original the packet is transmitted to the local area network 12, which in this case is the recipient of messages.

 Using the above method and means of protection eliminates penetration into the corporate computer network and, especially, unauthorized removal of information by users of a public network. The most vulnerable point, as in other systems, are routers that directly interact with the public network. The greatest damage that can be caused is the failure of the router. However, the failure of the router is easily compensated by the presence of bypass routes, i.e. reservation.

Claims (2)

 1. A method of protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network, which consists in generating a packet by a local area network, which is a source of messages in a corporate virtual private computer network, and transmitting the packet to the Internet, characterized in that at the source address messages and the recipient address of the message contained in the packet, and the address correspondence identifiers previously recorded in the first memory block the message source and the message recipient determine the message source identifier and the message recipient identifier, the packet data is encoded, and then the output packet is formed by adding the specified message source identifier and message recipient identifier to the packet encoded data using the specified message source and recipient identifiers contained in the generated output packet messages and the table of correspondence of these identifiers to addresses in the Int network previously recorded in the second memory block it converts the output packet to TCP / IP format and transmits it to the Internet; upon receipt of this packet, the correspondence of the Internet addresses of the message source and the message recipient and message source identifiers and the message recipient to the addresses of the Internet source network recorded in the third memory block is determined messages and the recipient of the messages and the identifiers of the message source and the recipient of the messages, if they coincide, the encoded data of the packet and the exposure are extracted from the output packet they are decoded, after which, according to the source address of the message and the recipient of the message contained in the decoded data packet, and the address correspondence table previously recorded in the fourth memory block, the identifiers of the message source and the message recipient check their correspondence and, if they match, transmit the decoded packet data to the local area network , which is the recipient of the message in the corporate virtual private computer network.  2. A system for protecting a corporate virtual private computer network from unauthorized exchange of information with a public transport network, characterized in that the corporate virtual private computer network further comprises two processors interconnected via an interface, two routers, one of which is connected respectively to the local computer network of the corporate virtual private computer network, encoding and decoding means and a first memory unit for recording and storing the correspondence table of the addresses of the message source and the recipient of the messages with the identifiers of the local area network, and the second router is connected to the Internet and connected to the second memory block, designed to store the correspondence table of identifiers of the message source and the recipient of messages to the addresses of the source and recipient on the Internet, while the first a router, encoding and decoding means, and a first memory unit are connected to a first corporate virtual private computer processor network, which is configured to determine the identifiers of the message source and message recipient from a pre-recorded table of correspondence of addresses to identifiers, as well as the ability to control the encoding and decoding of packet data and the formation of the output packet, and the second router and the second memory unit are connected to the second corporate processor virtual private computer network, which is configured to convert the output packet to the TCP / IP format according to previously recorded m in the memory of the data corresponding to the ID addresses on the Internet and the data contained in the output packet.

Images