VPN Tunnel Research Articles

Design and Implementation of IPsec VPN IoT Gateway System in National Secret Algorithm

With the development of Internet of Things technology, the security threats faced by the industrial control field are increasing, and strengthening the security protection capabilities of intelligent systems on IoT highways is becoming increasingly important. IPSec VPN tunneling technology can achieve identity authentication and encrypted data transmission, and is an important means to achieve secure data transmission in intelligent systems on Expressway intelligent tunnel system. The commonly used IPSec VPN gateway uses a traditional Linux protocol stack-based approach for data capture, which requires multiple data copies and context switching, resulting in low efficiency of IPSec services. In addition, the commonly used IPSec VPN security gateway is implemented on the basis of the open-source IPSec framework, using internationally recognized algorithms for encryption and decryption, which poses security risks. This article is based on the IPSec protocol, and studies the high-speed network packet capture framework PFRING technology, the fusion technology of national secret algorithm and IPSec protocol. It designs and implements an IPSec VPN IoT security gateway based on national secret algorithm. After experimental verification, the IPSec VPN gateway system constructed in this article has complete functions and better performance than the common open-source IPSec frameworks OpenSwan and strongSwan, and can meet the application requirements of IoT data encryption transmission.

Enhancing the VPN Tunnels from IKEv1 to IKEv2 with improved Security Settings

Enhancing the VPN Tunnels from IKEv1 to IKEv2 with improved Security Settings

Design and Implementation of an IPsec VPN Tunnel to Connect the Head Office and Branch Office of Hijra Bank

Design and Implementation of an IPsec VPN Tunnel to Connect the Head Office and Branch Office of Hijra Bank

NetOr: A Microservice Oriented Inter-Domain Vertical Service Orchestrator for 5G Networks

Most modern 5G Vertical Service Orchestrators present various limitations. Among these, one may high-light (i) the employment of monolithic architectures, (ii) the lack of standardized APIs and methodologies, (iii) the minimum support for inter-domain scenarios, and (iv) the impossibility of performing run-time operations over Vertical Services. To achieve a fully-fledged Vertical Service Orchestrator, these problems must be solved. This is the focus of the work presented in this article. Our work presents a new 5G Vertical Service orchestration system named NetOr, which tackles all the listed limitations and can support complex and intricate use cases. NetOr was implemented according to a microservice architecture. Thus, it has increased flexibility, scalability, and maintainability. Moreover, NetOr inherited most advantages of the modern Vertical Service Orchestrators and, therefore, can be considered an improvement of said orchestrators. Furthermore, this work also presents a Proof-of-Concept solution to achieve inter-domain communication through the orchestration of an End-To-End Network Slice that establishes several VPN tunnels between the domains encompassed by the Network Slice.

Improving the technology for processing the aggregated data flow of a secure corporate multiservice communication network

This paper considers the process of dynamic reservation of the channel resource of a secure corporate multi-service communication network. It has been established that the processes of building and functioning of the schemes of a secure corporate multi-service communication network and improving the quality of the implementation of its main work processes involve the evaluation and dynamic reservation of channel resources for incoming aggregated data flows of the network. The model of dynamic reservation of the channel resource of the aggregated data stream of the secure corporate multi-service communication network was built and proposed. The proposed model makes it possible to set the quantitative values of the reserved channel resource for different service methods depending on the number of component flows in the total aggregated data flow of the VPN tunnel. It was established that an increase in the density of the aggregated data stream requires an increase in the reserved channel resource. At the same time, its value is influenced by the way of servicing the aggregated data flow in the VPN tunnel of the secure corporate multi-service communication network. Application of the isolated service method gives a gain in the allocated resource for the channel reserve from 10 to 20 percent compared to the group service method for IR and video telephony. This is due to the more flexible management process of the border router's incoming data storage buffer under the isolated service mode. The model of dynamic reservation of the channel resource of the secure corporate multi-service communication network reported in this paper could be used in the improvement of existing and development of new structures of the secure corporate multi-service communication network. The consequence of such an improvement is a reduction in the delay time for the processing of incoming data packets in the specified network

MENGAMANKAN SERANGAN PACKET SNIFFING PADA JARINGAN KOMPUTER MENGGUNAKAN VPN TUNNEL

Technological developments greatly affect and control our daily activities. Technological developments were followed by the era of the Industrial Revolution 4.0. In the use of this technology there are not a few threats, so we need an adequate and secure computer network that is a priority, such as packet sniffing attacks. In sending data in a network it is very important to ensure the confidentiality of the data to be sent so that it does not fall into the hands of third parties. So this research has the goal of securing packet sniffing attacks on computer networks using a VPN tunnel. The results of VPN tunnel research can be used to secure packet sniffing from attacks and threats on the right computer networks

Development of an intelligent decision-making system to support scientific and industrial formations VPN connections

The development of information systems to ensure the safe coordination of information flows in scientific and industrial clusters makes it possible to automate a number of tasks aimed at increasing the cooperative interaction productivity. The use of existing traffic encapsulation solutions or the new client-server algorithms development for network interaction affects the decision-making component for managing the TCP/IP structure, authorization of subjects, and support for correct load distribution. At the moment, most VPN servers do not have the specified functionality, which does not allow integrating solutions into existing scientific and industrial clusters. As the main solution, a flexible decision support system is proposed that takes into account all aspects of the virtual tunnel software component. The proposed solution is based on the use of complex methods for assessing the software modules state to make decisions on changing the operation of functional modules. The development result of the proposed system and the conducted functional testing made it possible to automate the operation of VPN tunnels when working with a complex network interaction structure.

Determination of Packet Data Transmission Parameters when Working in the Meter Range

The article considers the possibility of organizing packet TCP/IP exchange in the channel of the frequency range from 30 to 300 MHz, as a basis for implementing a secure VPN connection between two subscribers within one of the communication network modes. The VPN connection, when considered, is a TCP/IP packet transmission, the only difference is that a new special header is attached to the original packet, as well as to the cryptographic encryption of the original packet. Hence, VPN tunnel can be represented as a TCP/IP connection. TCP/IP protocol stacks are oriented to support high-speed interfaces operating at high frequencies (for example, Ethernet/Wi-Fi, speeds from 100 Gb/s, 2.4 GHz frequency). The main problem of such a packet implementation at relatively low frequencies (30-300 MHz) is the sufficient instability of mobile MV radio communication (communication in the meter wave range) at a given frequency range and low transmission rate (up to 32 Kb/s), as a result of which there may be a high probability of data bit errors, loss of information packets and huge time delays in the exchange. The Reno model is used as a model for evaluating packet transmission [rec. ITU-T Y.1541, RFC2001] and such regulated indicators [rec. ITU-T 1.1540, ITU-T Y.1541], as: channel bandwidth, signal-to-noise ratio (SNR), transmission delay (IPTD), transmission delay variation (IPDV), transmission error rate (IPER), packet loss rate (IPLR, SER), maximum packet transport unit (MTU). The simulation of a low-speed communication line with the characteristics: length up to 5 km, transmission speed from 300 bits/s to 32,000 bits/s (V.21 - V.34bis modem protocols), the sizes of transmitted packets is 72, 576 and 1500 bytes (threshold values of the maximum unit of packet transportation), transmitter power 2 W, the signal-code construction is a 4-FSK signal with Reed-Muller encoding RM(30, 14). Based on the analysis of the data obtained, three categories of channels were identified: 'bad' - low signal-to-noise ratio (2-5 dB), high packet loss (above 10%) and long transmission delay (above 400 ms); 'medium' - SNR from 5 to 10 dB, packet loss less than 1%, the delay varies from 400 to 800 ms; 'good' is a channel passing through all regulated TCP/IP parameters, the OSH is more than 10 dB, the error probability is less than 0.1%, the delay fits into the regulated 400 ms.

Algorithm for dynamic channel reservation of aggregated data flow

In modern telecommunications systems, dynamic reservation of channel resources for an aggregated data stream is one of the most important tasks, as it allows for efficient use of available resources and provides high-quality service to subscribers. Developing an algorithm for dynamic reservation is a challenging task, as it requires ensuring optimal resource allocation among subscribers during variable network load. This article discusses an approach to developing an algorithm for dynamic reservation of channel resources for an aggregated data stream that provides efficient resource allocation and ensures high-quality service to subscribers. Specifically, approaches to dynamic resource allocation based on network load and approximation and optimization methods that reduce algorithm complexity and ensure its effective operation will be considered. The results of this work can be useful for telecommunications system developers and for research in the field of telecommunications. The article proposes an algorithm for dynamic reservation of channel resources for an aggregated data stream. The implementation of this algorithm is performed on a VPN gateway designed to manage data streams, filter them, and organize priority access to data streams in the VPN tunnel. In the event of a network load, the developed algorithm should first evaluate the network status and, based on the results obtained, perform data stream access control functions, taking into account their priorities. Based on the developed algorithm for dynamic reservation of channel resources for an aggregated real-time data stream, this section establishes a system of criteria for efficient utilization of channel resources for protected corporate multiservice communication networks under conditions of network resource availability for servicing the proposed workload from the access network and network congestion. The approach to prioritizing data streams takes into account user categories and service classes, which, unlike existing tools, allows for the task of prioritized servicing under load conditions and determines the best use of the available channel resources at the transport layer of protected corporate multiservice communication networks.

SECURING DATA NETWORK FOR GROWING BUSINESS VPN ARCHITECTURES CELLULAR NETWORK CONNECTIVITY

Private networks allow organizations to leverage, customize and dedicate LTE network capabilities to their own service needs. These networks are controlled and managed locally and can be optimized for specific network services and applications. Often they are used because there may be gaps in coverage where there is no cellular connectivity. Enterprises and businesses running on light application systems, using small bandwidth and requiring fast deployment such as ATMs, vending machines, digital signage kiosks and small store branches We propose a method and concept and implementation, in the form of a Data Network Security Configuration For Business Growth VPN architecture Mobile Network Connectivity for various businesses. By implementing products and services by developing the configuration and model of VPN Tunneling Protocol rules, using the EOIP Protocol and SSTP Protocol methods and virtualization schemes using the VLAN Bridging method on Wide Area Network (WAN) network connectivity. This method takes advantage of the LTE features found on the RB751U-2hnd and then integrates Huawei Mobile Broadband LTE. We also present a general Service Level Agreement (SLA) and an open source tools-based SLA network system Zabbix. Then configure the VPN Tunneling Protocol and its features on the RB751U-2hnd using Paramiko Network Automation. The focus of the results of this research is that by utilizing the available tools we will build a VPN with system monitoring facilities with the results achieved are network performance and availability and show that the design we build can be used for private connections for growing businesses. the results obtained from testing for 1 month for the 3 providers used, for the average throughput value with VPN tunneling applied TSEL 14.2 Mbps, ISAT 13.9 Mbps and XL 13.5 Mbps. The SLA value obtained is based on acceptable criteria, TSEL 91.5%, ISAT 91.8% and XL 90.6%.

Automated VPN configuration using DevOps

Enterprise networks are becoming increasingly sophisticated and large in scale due to the critical need for interconnectivity. For the interconnection of sites, VPN technology is essential. Indeed, this technology allows a partially or completely meshed connection between the various sites in a secure way. IPsec is one of the most widely deployed VPN technologies due to its many advantages, including data confidentiality, integrity and authentication. However, implementing this technology requires considerable technical expertise given the diversity of gateway manufacturers that a company may have, advanced engineering given the set of technical parameters that a VPN tunnel may have for its proper functioning, and caution when setting up a large-scale network given that a simple error may prevent the creation of tunnels. Taking these limitations into account, the automation of IT infrastructures has become indispensable, known as DevOps, which promotes continuous communication, collaboration, integration, visibility and transparency between the teams responsible for application development (Dev) and those responsible for IT operations (Ops). With infrastructure automation, networks are becoming easier to manage, diagnose and configure. This paper proposes a new architecture that automates the deployment of VPN tunnels via a web-based graphical interface. This architecture is adapted with a variety of equipment manufacturers and delivers configurations generated via an SSH channel in an automatic way.

Securing Data Network For Growing Business VPN architectures Cellular Network Connectivity

Private networks allow organizations to leverage, customize and dedicate LTE network capabilities to their own service needs. These networks are controlled and managed locally and can be optimized for specific network services and applications. Often they are used because there may be gaps in coverage where there is no cellular connectivity. Enterprises and businesses running on light application systems, using small bandwidth and requiring fast deployment such as ATMs, vending machines, digital signage kiosks and small store branches We propose a method and concept and implementation, in the form of a Data Network Security Configuration For Business Growth VPN architecture Mobile Network Connectivity for various businesses. By implementing products and services by developing the configuration and model of VPN Tunneling Protocol rules, using the EOIP Protocol and SSTP Protocol methods and virtualization schemes using the VLAN Bridging method on Wide Area Network (WAN) network connectivity. This method takes advantage of the LTE features found on the RB751U-2hnd and then integrates Huawei Mobile Broadband LTE. We also present a general Service Level Agreement (SLA) and an open source tools-based SLA network system Zabbix. Then configure the VPN Tunneling Protocol and its features on the RB751U-2hnd using Paramiko Network Automation. The focus of the results of this research is that by utilizing the available tools we will build a VPN with system monitoring facilities with the results achieved are network performance and availability and show that the design we build can be used for private connections for growing businesses. the results obtained from testing for 1 month for the 3 providers used, for the average throughput value with VPN tunneling applied TSEL 14.2 Mbps, ISAT 13.9 Mbps and XL 13.5 Mbps. The SLA value obtained is based on acceptable criteria, TSEL 91.5%, ISAT 91.8% and XL 90.6%.

A Great Approach for Medium Size Hospital Network Infrastructure Architecture

Abstract: To get first-hand experience for setting up a network infrastructure in a medium size hospital to manage the patient’s services, check-ups, follow-up plans from different parts of the hospital primes and store the data into the secured and safe manner in the database and use the data whenever required from the management team for their references. The network architecture based on the concept of the Three- layer network architecture combination of Mesh topology & Bus topology taking into the consideration of the primary data security, remote access to the network, size of the hospital organization, cost-effective, user-friendly and most importantly scalability required in the network architecture for future changes based on the size of the database, utilization of applications remotely, and for security of the data, changing technology etc. The goal of any network architecture is to protect the DATA from any attacks both internally and externally. For internal DATA security it is protected through various user permissions in different layers in the network for the end users. For Outside threat VPN tunnel, Policies, traffic filtering configured at the firewall level. Keywords: HIS-Hospital Information System, VPN- virtual private network tunnel, VLAN- Virtual LAN, HL7- Health Level Seven International, L3- Layer 3, ISP- Internet service provider

Implementation of Site to Site IPsec VPN Tunnel between Routers

Today, security is very important in the communication system over through the Internet. The Transmission control protocol and Internet protocol (TCP/IP) protocol suite is used in the Internet communication that it includes five layers in which it is construct IPSec VPN Tunnel between two routers at the network layer. IPsec have two protocols that it is authentication header and encapsulation security payload (ESP) in which two protocols is shown simulation and then it is give encryption, authentication and confidentiality in which for packets at the IPSec layer within network layer and adds new IP header at the network layer. IPSec is designed to provide security at the network layer that it protects the entire IP packets. It takes an IP packet and then it includes the header, applies IPSec security methods to the entire packet and adds a new IP header. The system purpose is known use router devices at the network layer and then this layer is built IPSec VPN tunnel between routers that when it is known how does command line. IPsec VPN tunnel is built based on ACL (access list), crypto isakmp (internet security association and key management protocol) policy, transform set and crypto map and then the system is aimed to know it facts configuration and then to know used routers at the network layer and is built IPSec VPN tunnel between two routers. This system is simulated using packets tracer software 7.1.

Multilayer Framework for Botnet Detection Using Machine Learning Algorithms

A botnet is a malware program that a hacker remotely controls called a botmaster. Botnet can perform massive cyber-attacks such as DDOS, SPAM, click-fraud, information, and identity stealing. The botnet also can avoid being detected by a security system. The traditional method of detecting botnets commonly used signature-based analysis unable to detect unseen botnets. The behavior-based analysis seems like a promising solution to the current trends of botnets that keep evolving. This paper proposes a multilayer framework for botnet detection using machine learning algorithms that consist of a filtering module and classification module to detect the botnet’s command and control server. We highlighted several criteria for our framework, such as it must be structure-independent, protocol-independent, and able to detect botnet in encapsulated technique. We used behavior-based analysis through flow-based features that analyzed the packet header by aggregating it to a 1-s time. This type of analysis enables detection if the packet is encapsulated, such as using a VPN tunnel. We also extend the experiment using different time intervals, but a 1-s time interval shows the most impressive results. The result shows that our botnet detection method can detect up to 92% of the f-score, and the lowest false-negative rate was 1.5%.

Providing the Ability of Working Remotely on Local Company Server via VPN

Abstract Increasingly popular remote work requires the use of modern network technologies to provide employees in a remote location with access to the company’s IT resources. The answer to the needs of remote access to files and server services can be the use of clouds and VPS. However, this involves high costs and requires entrusting the enterprise’s data to the providers of these services. Both for reasons of data security and too high costs, enterprises sometimes cannot use these technologies. The solution to the problem may be the use of encrypted VPN tunneling, which allows the device to be connected at a remote location to the company’s local network and use its resources as if it was connected to the local network with physical transmission medium.

МОДЕЛЮВАННЯ ХАРАКТЕРИСТИК ОБЛАДНАННЯ КОМП’ЮТЕРНИХ МЕРЕЖ У РАКУРСІ ІНФОРМАЦІЙНОЇ БЕЗПЕКИ

The study focuses on the development of models for analyzing and assessing information security risks in computer networks that are used in the development of enterprise information security systems and in auditing the level of protection of already existing information systems, the development of a family of security models of computer network communications equipment. The developed algorithms and models have been implemented in the system of analysis and correction of information security violations, the use of which has allowed to reduce the time of correction of the consequences of such violations. The basic elements of violations, which are described by the information structure and determine the influence on the activity of information systems, are revealed. It is determined that most information security events are related to the communication equipment of the computer networks on which the information systems operate. Further research has been aimed at finding and developing security models for communication levels of operation of computer networks and a system for correcting information security violations. To implement the algorithm, a number of models, that describe the characteristics of network equipment in the security perspective, have been developed. The model of switch security describes the switch characteristics that affect the security and reliability of the network infrastructure. The tunneling security model reflects the security of the gateway portion of the deployed VPN tunnel. The intrusion detection security model involves the use of a compatible model with the shielding model, namely extending the state-based filtering parameter. The routing security model considers the types and protocols of routing. The use of models in the correcting system of the consequences of information security violations has made it possible to fully or partially automate the response to security events occurring in information systems. The developed models allow to take into account the peculiarities of the information system, the nature of the threat scenarios and the features of the network equipment.

Smart hybrid SDN approach for MPLS VPN management on digital environment

MPLS VPN is growing in front of the other network layer tunneling technologies of the OSI model. The trend related to this technology is justified mainly by the security, the quality of service that it can offer, and especially the routing speed. The main limitation of MPLS VPN is in the deployment complexity; this technology relies on several protocols to establish a tunnel, such as OSPF, BGP, MP-BGP, RSVP, and LDP. Software Defined Network avoids these complexities through the controller entity that supports the establishment of an MPLS VPN tunnel automatically, provided that the equipment to orchestrate is new generation supporting the SDN protocols. However, for budgetary and functional constraints, companies can not completely and immediately change their transport networks by equipment supporting SDN. Hybrid SDN networks address these constraints, providing the ability to orchestrate even equipment that does not support SDN, called a legacy. We propose in this paper a new hybrid intelligent SDN approach for MPLS VPN management in the digital environment. This approach is tested on a network consisting of routers of different manufacturers (Cisco, HP, and Juniper). The proposed approach is accompanied by a WEB graphic tool offering the administrator the possibility to choose the MPLS VPN architecture to deploy (Central Service, Hub-Spoke, and Intranet/Extranet) or customize its own architecture according to the customer’s request. In order to evaluate our model, we subjected it to a scalability test and an evaluation of the quality of experience to measure the satisfaction of the users who tried it.

Comparative Analysis of Data Transmission Quality of Seismic Station Based on Different Communication Modes

In this paper, we selected the VPN tunnels based on wireless 4G network card or fiber broadband, MSTP digital optical fiber and other communication methods, using the seismic station in Hunan Province to set up seismic observation instrument, at the same time, the same location compared to the above communication mode To the observation data, analysis of data transmission test results, selected the best mode of communication for the new seismic stations or replace the existing seismic stations to provide a reference for communication.

Novel Software-Defined Network Approach of Flexible Network Adaptive for VPN MPLS Traffic Engineering

Multi-Protocol Label Switching VPN (MPLS-VPN) is a technology for connecting multiple remote sites across the operator’s private infrastructure. MPLS VPN offers advantages that traditional solutions cannot guarantee, in terms of security and quality of service. However, this technology is becoming more prevalent among businesses, banks or even public institutions. With this strong trend, the management of the paths on which these tunnels can be deployed has become a necessity is a priority need for Internet access providers (ISPs). Through the principle of controller orchestration, ISPs can overcome this difficulty. Software-defined network is a paradigm allowing through the principle of orchestration to manage the entire network infrastructure. In this paper, we propose a new approach called FNA-TE "Flexible Network Adaptive - Traffic Engineering", this approach allows to manage MPLS VPN tunnels to meet the QoS requirements of those with the highest priority.