Design and Implementation of the Liaoyang Public Security Bureau Integrated Services Data Network System
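Abstract
This project studies building a new Liaoyang Public Security Bureau integrated services data network based on ATM and MPLS VPN technology, proposes a concrete solution, and achieves the goal of building the new network. In practical use it has transformed the bureau's original integrated services data network, improved the network's security and scope of use, and increased the bureau's business-processing capacity.
     The main work was as follows:
     (1) Took part in designing the overall system scheme and in selecting the system hardware.
     (2) Wrote part of the source code for identity authentication on the Liaoyang Public Security Bureau integrated services data network.
     (3) Configured the VPN service in a Windows 2000 environment.
     (4) Configured the VPN routers.
     Although the networking work of this project is complete, some aspects have shortcomings and room for improvement and need further refinement in future research, mainly the following:
     (1) Current MPLS networks do not yet support point-to-multipoint multicast communication, so services of this kind cannot be carried out well on the new Liaoyang Public Security Bureau integrated services data network.
     (2) Network configuration and traffic management for MPLS VPN are relatively easy to implement, but interconnecting multiple networks of different operators still poses problems; how to guarantee end-to-end service quality for users and how to locate faults quickly remain to be solved.
     (3) Combining MPLS VPN with traditional optical networks is a key direction for future research.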
Recent years have seen a worldwide upsurge of interest in the information superhighway. Building the information highway is a huge social systems project carried out under the guidance of the state government. Its technology integrates communications, computing, multimedia and a number of other technologies. As the basis of the information superhighway, a high-speed broadband communication network must be established first. The Broadband Integrated Services Digital Network (B-ISDN), which uses optical fiber as its communication medium, is the main direction of development for communication networks in the future. Asynchronous transfer mode (ATM) and the synchronous digital hierarchy (SDH) are the focus of broadband communications research. ITU-T takes ATM as the ultimate transmission method for B-ISDN, and the ATM broadband internet exchange network built on SDH fiber is the underlying infrastructure for information in the future. It can therefore be considered that SDH + ATM + AN (User Access Network) + MMDB (Multimedia Database) + MMT (multimedia terminal) = ISHW (information superhighway). With its high speed and flexibility, ATM is taken as the base technology of the information superhighway, and the ATM broadband network provides an excellent platform for carrying services.
     Based on investigation and study of the system, this topic addresses the problem that the traditional Internet service cannot satisfy users' demands. (The traditional Internet provides only simple services such as browsing and email, without service guarantees, access-control or security mechanisms. Another problem is that the interface is complex and not easy to master.) This thesis proposes the design goals, principles and solution for a network based on VPN technology. The solution realizes the function of a virtual private network using the public network.
     The Liaoyang Public Security Bureau's existing integrated services data network system is quite complex. The connections between the bureau and the sub-bureaus, the traffic police detachment, the fire brigade, the local police stations, the city teams and the rural teams are all made by dial-up. Because of the limited link speed, internal file processing is especially slow, and day-to-day work suffers as a result. Internal data cannot be shared. Moreover, the network has little security, and network security cannot be effectively guaranteed. A user who needs a new service has to fill in many forms and wait a considerable time before it is available. More importantly, the terminal equipment at both ends is expensive and requires specialized technical personnel, which undoubtedly increases the cost. Nor can the existing integrated services data network connect immediately to any networked unit in the world, as the Internet can.
     To solve the above problems, the Liaoyang Telecommunication Network Company computer application development center and the Liaoning Information Vocational Technology Institute Huawei laboratory proposed a tentative plan for the development and research work, based on the existing equipment and technical staff. The plan is to build a VPN network with direct optical fiber connections, linking the sub-bureaus to the city bureau's original Nortel Passport 6480 routers at 10/100 M. The sub-bureaus belong to the third-tier network of the Ministry of Public Security's Golden Shield Project, and the police stations belong to the construction of its fourth-tier network.
     The construction covers 11 third-tier nodes (sub-units) and 69 fourth-tier nodes (police stations). At present the traffic police detachment, the fire brigade, Liaoyang county and Dengta city have built their own WANs and LANs (the core equipment is Huawei and PASSPORT 3680 - 6440). The Public Security Bureau and the fire brigade connect to the traffic police detachment over a DDN leased line and over cable provided by the radio and television network; after the works, all nodes are to achieve interoperability. The entire network must meet high requirements for security and stability.
     For the third-tier network, the construction model uses direct fiber connections at 10/100 M to connect the branches to the PUC's original Nortel Passport 6480 routers. The branch nodes use Huawei AR18-20 routers as their egress equipment. A Huawei VG10-40 voice gateway gives access to four ordinary telephone lines to provide VoIP. An S3526E aggregates the 10/100 M ports of the sub-bureaus and connects to the PUC Passport 6480 router.
     The police stations use Huawei AR18-30 routers and VG10-40 voice gateways. They connect by ADSL dial-up through the Liaoyang ADSL network and are mapped to the MPLS VPN; the Liaoyang communications company's S8016 is linked at 100 M to the Passport 6480, so that the fourth-tier public security Golden Shield Project VPN network converges with the third-tier network.
     To isolate the public security network from other users' networks, we set up a VPN network and proposed using MPLS VPN technology to deliver the public security services and the security isolation. Because ADSL is built in the manner of Internet access, ATM PVC technology is used on the ADSL uplink to strictly segregate each user. Once traffic reaches the BAS layer, the BAS maps the ADSL connection into the communications company's existing MPLS VPN, where it is placed in an independent VPN; this provides the security isolation that closes the public security network off from other network users. Within the communications company's MPLS VPN domain, the S8016 routing switches and the BAS equipment serve as the MPLS P and PE devices respectively, aggregating the VPN from the central equipment of the scattered nodes to the police stations, and the S8016 finally converges and forwards the access-layer network traffic.
     For the public security integrated services data network, high reliability and security are basic requirements. One of the main technologies that guarantees VPN security is identity authentication. In ensuring that the Liaoyang Public Security Bureau integrated services data network is used securely, implementing authentication became a major issue: making sure that the user's identity is conclusively established and, when necessary, verifying the machine identifier. Both belong to the application security module.
     This thesis describes in detail the idea and the implementation process of using VPN technology to realize a public security private network, together with the system analysis topology diagram and the selection of suitable hardware equipment. The technology has achieved security, effectiveness and reliability in the use of the public security private network.