Cascade Perimeter Defence Model in Multiple VPN Environment

A Study on a Distributed Perimeter Defence Model in a Multiple-VPN Environment

  • 임형진 (Department of Information and Communication Engineering, Graduate School, Sungkyunkwan University) ;
  • 김태경 (Department of Information and Communication Engineering, Graduate School, Sungkyunkwan University) ;
  • 정태명 (School of Information and Communication Engineering, Sungkyunkwan University)
  • Published: 2004.02.01

Abstract

This paper analyzes appropriate methods for solving the security problems that arise when the boundary of a trust zone shifts with security policy in a large-scale network containing multiple VPNs. We survey the vulnerabilities of VPN technologies and analyze various models suitable for establishing a trust zone. Based on simulations of these models, we propose a cascade perimeter defence policy model whose merits are an efficient transit cost and strict isolation of the trust zone. The model protects the trust zone from the public network by dividing it according to each VPN group, and it shows better transit performance by cascading the positions at which the perimeter defence policy is applied.

This paper presents an adaptation scheme for resolving the security problems that can arise from the uncertain boundary of a trust zone, set according to security policy, when Internet access is supported in a large-scale network that accommodates multiple VPNs. As related work, we analyze existing deployment models and the security threats in a multiple-VPN network, and we perform simulations that consider separating the trust zone and applying policy in a distributed manner to protect it from external networks. The simulations show that the uncertain trust-zone boundary created by accommodating multiple VPNs and Internet access can be narrowed to trust zones between individual VPNs by applying a distributed, hierarchical perimeter defence policy starting from the untrusted boundary, and that because the policy is applied fewer times than when it is applied from each lower-level site, the impact on transmission delay is reduced.
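As an added illustration of the comparison the abstract makes (not code from the paper, whose simulation setup is not on this page), the toy model below counts how many times policy is applied along each flow when every site enforces its own perimeter versus when enforcement is cascaded from the untrusted boundary through per-VPN-group gateways. The topology, flows and rule counts are constructed assumptions.

```python
# Constructed topology: each site belongs to one VPN group, and each VPN
# group is treated as its own trust zone (assumption, not the paper's data).
SITES = {"a1": "A", "a2": "A", "b1": "B", "b2": "B"}
INTERNET = "internet"

def flat_model(src, dst):
    """Perimeter policy enforced independently at every site.
    Returns (policy applications on the path, flow permitted?)."""
    checks = 1 if src == INTERNET else 2        # dst ingress, plus src egress
    permitted = src == INTERNET or SITES[src] == SITES[dst]
    return checks, permitted

def cascade_model(src, dst):
    """Perimeter policy once at the untrusted Internet boundary; VPN-group
    gateways only separate zones; traffic inside one zone is not re-checked."""
    if src == INTERNET:
        return 1, True                           # checked at the boundary
    if SITES[src] == SITES[dst]:
        return 0, True                           # same trust zone
    return 1, False                              # cross-zone, dropped at gateway

def run(model, flows):
    """Total policy applications and the permitted flows for a flow list."""
    total, permitted = 0, []
    for src, dst in flows:
        checks, ok = model(src, dst)
        total += checks
        if ok:
            permitted.append((src, dst))
    return total, permitted

def deployed_rules(model_name, perimeter_rules, isolation_rules_per_group):
    """Rules that must be installed network-wide. In the flat model every site
    replicates the perimeter rules plus isolation rules for every group; in the
    cascade model the boundary holds the perimeter rules once and each group
    gateway holds only its own isolation rules."""
    groups = len(set(SITES.values()))
    per_zone_set = perimeter_rules + isolation_rules_per_group * groups
    if model_name == "flat":
        return len(SITES) * per_zone_set
    return per_zone_set

# Constructed flows: two Internet ingress flows, two intra-zone, one cross-zone.
FLOWS = [(INTERNET, "a1"), (INTERNET, "b2"), ("a1", "a2"), ("b1", "b2"), ("a2", "b1")]

if __name__ == "__main__":
    for name, model in (("flat", flat_model), ("cascade", cascade_model)):
        total, permitted = run(model, FLOWS)
        print(f"{name:8s} checks={total} permitted={len(permitted)} "
              f"rules={deployed_rules(name, 10, 3)}")
```

Both placements permit the same flows; the cascade model reaches that result with fewer policy applications per flow and a smaller installed rule set.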
