基于VPN 的远程数据存储管理系统 开发与应用

开发一种基于VPN 的远程数据存储管理系统,并将其应用到网络信息系统。用户通过VPN 可登录到数据存 储系统的虚拟存储服务器,对存储设备及虚拟存储空间进行配置与管理。服务端采集和监测存储设备组运行状态、在线情况 等信息,并把这些信息反馈给系统管理人员,实现对数据存储设备及其构成的虚拟存储空间进行远程实时监控与管理。     

Auto-Discovery Capabilities for Service Management: An ISP Case Study

Auto-discovery is one of the key technologies that enables management systems to be quickly customized to the environments that they are intended to manage. As Internet services have grown in complexity in recent years, it is no longer sufficient to monitor and manage these services in isolation. Instead, it is critical that management systems discover dependencies that exist among Internet services, and use this knowledge for correlation of measurement resutls, so as to determine the root-causes of problems. While most existing management systems have focused on discovery of host, servers, and network elements in isolation, in this paper we describe auto-discovery techniques that discover relationships among services. Since new Internet services and service elements are being deployed at a rapid pace, it is essential that the discovery methodologies be implemented in an extensible manner, so that new discovery capabilities can be incrementally added to the management system. In this paper, we present an extensible architecture for auto-discovery and describe a prototype implementation of this architecture and associated auto-discovery techniques. We also highlight experiences from applying these techniques to discover real-world ISP systems. Although described in the context of ISP systems, the concepts described in this paper are applicable for the discovery of services and inter-service relationships in enterprise systems as well.     

EDNM：基于EI技术支持嵌入式设备网络管理模型的研究与实现

随着EI技术的不断发展，人们目前可以对非Internet设备进行访问、管理和控制，但是如何才能有效系统管理大量的嵌入式设备一直都是困扰人们的难题。作者针对面向设备级动态驱动的异种网络互连的研究，提出了一种基于EI技术的支持嵌入式设备的网络管理的研究，通过该模型可以透明地加入和删除节点以实现系统的可伸缩性；通过检测节点或设备故障和正确地重置系统达到高可重用性。该模型可以实现设备的动态管理，可以对接入到互联网大量的嵌入式设备进行访问和控制，从而真正实现设备的网络化和智能化管理。本文详细讨论了嵌入式设备网络管理模型的体系结构、设计方法和实现技术，并给出了相应的性能测试结果。     

一种虚拟企业间网络的互连模型

企业间电子化业务的展开需要一个局部互连的网络平台,在该平台上不同企业间可以基于某个业务应用在认证后进行交互协作。在分析了现有虚拟企业系统和Internet技术的基础上,提出了基于应用共享的虚拟Inter-Enterprise网络(VirtualInter-EnterpriseNetwork,简称VIEN),分析了其网络体系架构和交互协议。通过在原型系统的初步应用,证实VIEN能支持不同网络平台的企业间的应用互连需求。     

基于MPLS VPN大型网络安全防护体系研究

当前,运营商、铁路和电力企业均采用MPLS VPN技术进行骨干网组网,网络覆盖范围扩大,承载业务越来越重要,以及新技术的快速迭代,对企业网络安全提出更高的要求。因此,研究MPLS VPN大型网络安全防护体系具有非常重要的价值。本文开展了大型企业网络安全防护体系研究,深入分析了基于MPLS VPN大型企业网络技术特点,在明确防护原则并进行风险分析的基础上,提出了针对企业网络的全局安全防护体系。从边界、网络、终端、物理和运维安全等多个维度进行安全防控体系设计,对大型企业网络安全防控具有重要意义。     

网络安全管理平台研究

越来越多的企业网都直接或间接与互联网相连,给企业网带来不安全因素,其信息系统的安全性都需要得到充分的保护.要保证网络安全以及网络资源能够充分被利用,需要为其提供一个高效合理的网络管理平台来管理这些网络安全设备.     

基于CORBA／JAVA的VPN管理系统的研究和实现

VPN网络在中小企业中得到广泛应用，然而对VPN网络管理的研究还比较少。为了解决VNP网络环境下的分布式的网络设备管理的问题，针对VPN网络的特点，提出了一种基于CORBA／JAVA的网络管理系统的实现原型，详细介绍了其中的CORBA对象的开发方法。根据以上原型，设计与实现了一种CORBA和JAvA技术相结合的网络管理系统。该网络管理系统实现了对VPN网络的管理。     

基于IPSec隧道区分服务的研究与实现

随着Internet及网络经济的快速发展，企业在网络的安全性等方面提出了更高的要求，虚拟专用网(VPN)以其安全性好、成本低等优势赢得了越来越多企业的青睐。IP层安全协议(IPSec)能很好地实现VPN。但是基于IPsec的VPN的网络服务质量不能满足用户的需求。针对此问题,文章提出了用区分服务(DiffServ)来实现IPSec隧道的服务质量保障的方案，这样IPSec隧道就可以根据不同的需求提供不同的网络性能。文章深入研究了区分服务和IPSec隧道技术，通过实验进一步证明了该方案的可行性和优势。     

Transparent VPN failure recovery with virtualization

Cloud computing is widely used to provide today’s Internet services. Since its service scope is being extended to a wide range of business applications, the security of network communications between clients and clouds are becoming important. Several cloud vendors support virtual private networks (VPNs) for connecting their clouds. Unfortunately, cloud services become unavailable when a VPN failure occurred in a VPN gateway or networks. We propose a transparent VPN failure recovery scheme that can hide VPN failures from users and operating systems (OSs). This scheme transparently recovers from VPN failures by establishing VPN connections in a virtualization layer. When a VPN failure occurs, a client virtual machine monitor (VMM) automatically reconnects to an available VPN gateway which is geographically distributed and connected via leased lines in clouds. IP address changes are hidden from client OSs and servers via a packet relay system implemented by a relay client in the client VMM and a relay server. We implemented a prototype system based on BitVisor, a small client VMM supporting IPsec VPN, and evaluated the prototype system in a wide-area distributed Internet environment in Japan. Experimental results show that our scheme can maintain TCP connections on VPN failures, and performance overhead with the virtualization layer is around 0.6 ms to latency and 8%-30% to throughput.     

基于物联网的航天产品装配物流管理系统研究

针对某航天企业装配生产物料品种多、数量大和物流管理复杂等问题,将物联网技术应于装配物流管理中,构建具有感知层、网络层和应用层的装配物流管理系统架构。在感知层,综合应用条形码和RFID对装配物料进行多手段标识和多方式感知。在网络层,基于企业现有的网络资源,利用IPv6、2G/3G、Wi-Fi等现代先进通信技术搭建网络支撑体系。在应用层,给出包括物料库存管理、物料配送管理、现场物流监控管理、装配生产资源管理模块的功能模型。最后,参照Java EE技术架构,采用Java和JSP语言开发实现B/S架构的航天产品装配物流管理原型系统。     

基于SSL VPN的单点登录在智慧校园平台中的应用

在过去几年的时间中,宁波广播电视大学开发和购买了各类信息系统和运维系统,例如工资查询系统、科研管理系统、智慧校园门户和思福迪堡垒机等。基于网络安全和信息保密的考虑,这些系统需要部署在校园网环境中对授权用户开放访问,在互联网上授权用户只能通过登录vpn后才能访问这些系统。该文采用了深信服的sslvpn,认证方式包括本地密码认证和cas票据认证,对于已经接入智慧校园统一身份认证的系统,采用cas票据认证先登录vpn,再访问这些系统,对于思福迪堡垒机等运维系统,只需新建若干个本地账户分配给有需要的老师即可。此外,该文还实现了vpn无感知拉起业务系统的功能,被授权的用户在互联网上直接输入业务系统的网址,就能调用vpn并访问该业务系统,达到方便又安全的效果。     

SSL＋VPN网络安全技术研究及实现

SSL VPN是近年来发展起来的一种新型安全VPN,通过SSL VPN的安全接入,用户可以随时在接入Internet的任何地方安全地访问企业内部资源,这就大大提高了企业生产力以及信息的安全性,降低了企业管理和维护成本,为企业持续稳定发展提供了可靠保证。本文对SSL＋VPN网络安全技术进行了探讨。     

基于物联网的能源管理系统设计

给出一种基于物联网的钢铁企业能源管理系统的应用设计。综合运用网络、自动化、软件、数据库等领域的相关技术,对全厂能源数据进行采集、分析、处理,实现了实时监测、平衡预测分析、综合管理等功能。对比分析几种能源管理方法,总结基于物联网的能源管理系统的优势。实现基于物联网的能源管理系统,不仅提高了钢铁企业能源管理水平,而且在优化能源平衡、节能减排等方面起到了十分重要的作用。     

VPN的IPSec和SSL实施对比研究

VPN是指在公开网络上建立的网络,并且拥有与专用网络相同的安全、管理及功能特点。目前主流VPN有IPSec和SSL两种实现方法,两种实现有各自的优缺点。在开源平台有Openswan和OpenVPN两种实施方法。该文分析了这两种VPN的原理和实现。     

Assessment of SDN technology for an easy-to-use VPN service

This paper describes how state-of-the-art SDN technology can be used to create and validate a user configurable, on-demand VPN service. In the Community Connection (CoCo) project an architecture for the VPN service was designed and a prototype was developed based on the OpenFlow protocol and the OpenDaylight controller. The CoCo prototype enables automatic setup and tear down of CoCo instances (VPNs) by end-users via an easy to use web portal, without needing the help of network administrators to do manual configuration of the network switches. Users from the research community, amongst others, expressed their interest in using such an easy-to-use VPN service for on-demand interconnection of their eScience resources (servers, VMs, laptops, storage, scientific instruments, etc.) that may only be reachable for their closed group. The developed CoCo prototype was validated in an SDN testbed and via Mininet simulation. Using the calibrated Mininet simulation the impact was analysed for larger scale deployments of the CoCo prototype.     

Edge Provisioning and Fairness in VPN-DiffServ Networks

Customers of Virtual Private Networks (VPNs) over Differentiated Services (DiffServ) infrastructure are most likely to demand not only security but also guaranteed Quality-of-Service (QoS) in pursuance of their desire to have leased-line-like services. However, expectedly they will be unable or unwilling to predict the load between VPN endpoints. This paper proposes that customers specify their requirements as a range of quantitative services in the Service Level Agreements (SLAs). To support such services Internet Service Providers (ISPs) would need an automated provisioning system that can logically partition the capacity at the edges to various classes (or groups) of VPN connections and manage them efficiently to allow resource sharing among the groups in a dynamic and fair manner. While with edge provisioning a certain amount of resources based on SLAs (traffic contract at edge) are allocated to VPN connections, we also need to provision the interior nodes of a transit network to meet the assurances offered at the boundaries of the network. We, therefore, propose a two-layered model to provision such VPN-DiffServ networks where the top layer is responsible for edge provisioning, and drives the lower layer in charge of interior resource provisioning with the help of a Bandwidth Broker (BB). Various algorithms with examples and analyses are presented to provision and allocate resources dynamically at the edges for VPN connections. We have developed a prototype BB performing the required provisioning and connection admission.     

Java- and CORBA-based network management

Systems to manage distributed heterogeneous networks and services must often use off-the-shelf components and leverage legacy applications. Much of the telecommunications industry uses a network architecture based on CMIP (Common Management Information Protocol) to manage networks and services, while much of the Internet uses the SNMP (Simple Network Management Protocol). To provide distributed network management, the telecommunications industry must accommodate both, Nokia developed the Distributed Computing Platform prototype to support the creation, management, and invocation of distributed telecommunications services. Using CORBA as a base, DCP handles network management by adding managed-object models and protocols. It provides mechanisms that allow communication between CMIP-based objects and a gateway for SNMP-based systems. The prototype also allows users to access network information via Web browsers, CGI gateways, and Java or HTTP daemons. The Nokia engineers also discuss the lessons they learned about Java and CORBA integration     

基于智能代理的系统集成平台

为解决企业当前存在的信息孤岛问题,设计了一个基于智能代理的系统集成平台,该平台使用B／AS／DS （Browser/Agent Server/Database Server)三层体系结构,实现了现场实时监控网、MIS网和因特网的互连,不仅实现了资源共享,而且保证了监控网的安全性,并且支持用户二次开发。     

Ensuring security in depth based on heterogeneous network security technologies

With the explosive growth of Internet connectivity that includes not only end-hosts but also pervasive devices, security becomes a requirement for enterprises. Although a significant effort has been made by the research community to develop defense techniques against security attacks, less focus has been given to manage security configuration efficiently. Network security devices, such as firewalls, intrusion detection and prevention systems, honeypot as well as vulnerability scanner, operate as a stand-alone system for solving a particular security problem. Yet these devices are not necessarily independent. The focus of this work is encompassing a security infrastructure where multiple security devices form a global security layer. Each component is defined with respect to the others and interacts dynamically and automatically with the different security devices in order to choose the best solution to be launched to prevent the final malicious objective. Our solution aims at solving, at the same time, the need for active defence, speed, reliability, accuracy and usability of the network.     

天地一体化网络地面核心网基于5G网络切片的设计与实现

针对天地一体化网络地面核心网组网灵活性不足和资源利用率低的问题,提出了采用5G网络切片技术的架构设计方案,并基于Docker平台实现了原型系统.在原型系统上加载了IM S多媒体通信、物联网信息采集和上网下载3种切片业务进行测试,结果表明,不同网络切片可以根据服务的性能要求灵活地分配网络资源并独立提供服务,相关设计方案能...