Accessing the WAN Chapter 6
Objectives
- Describe the enterprise requirements for providing teleworker services.
- Describe the teleworker requirements and recommended architecture for providing teleworking services.
- Explain how broadband services extend enterprise networks, including DSL, cable, and wireless.
- Describe the importance of VPN technology, including its role and benefits for enterprises and teleworkers.
- Describe how VPN technology provides secure teleworker services in an enterprise setting.
Business Requirements for Teleworker Services
More and more companies are finding it beneficial to have teleworkers. The benefits of telecommuting extend well beyond the ability for businesses to make profits. Telecommuting affects the social structure of societies and can have positive effects on the environment.
Teleworker benefits:
- Organizational benefits: continuity of operations; increased responsiveness; secure, reliable, and manageable access to information; cost-effective integration of data, voice, video, and applications; increased employee productivity, satisfaction, and retention.
- Social benefits: increased employment opportunities for marginalized groups; less travel and commuter-related stress.
- Environmental benefits: reduced carbon footprints, both for individual workers and organizations.
Teleworker Solution
Organizations need secure, reliable, and cost-effective networks to connect corporate headquarters, branch offices, and suppliers. With the growing number of teleworkers, enterprises have an increasing need for secure, reliable, and cost-effective ways to connect to people working in SOHOs. In some cases, the remote locations only connect to the headquarters location, while in other cases, remote locations connect to multiple sites.
Teleworker Solution
A VPN is a private data network that uses the public telecommunication infrastructure. VPN security maintains privacy using a tunneling protocol and security procedures.
Connecting Teleworkers to the WAN
Teleworkers typically use diverse applications (e-mail, web-based apps, mission-critical apps, real-time collaboration, voice, video, and videoconferencing) that require a high-bandwidth connection. The choice of access network technology and the need to ensure suitable bandwidth are the first considerations when connecting teleworkers. The main connection methods used by home and small business users (cable, DSL, and broadband wireless) are covered in the following slides.
Cable
Cable is a popular option used by teleworkers to access their enterprise network. Coaxial cable is the primary medium used to build cable TV systems. Cable television first began in Pennsylvania in 1948, when John Walson needed to solve poor over-the-air reception problems. Most cable operators use satellite dishes to gather TV signals. Early systems were one-way, with cascading amplifiers placed in series along the network to compensate for signal loss. Modern cable systems provide two-way communication between subscribers and the cable operator. Cable operators now offer customers advanced telecommunications services, including high-speed Internet access, digital cable television, and residential telephone service. Cable operators typically deploy hybrid fiber-coaxial (HFC) networks to enable high-speed transmission of data to cable modems located in a SOHO.
Cable (figure)
Cable
The electromagnetic spectrum encompasses a broad range of frequencies. Radio waves (RF) constitute the portion of the electromagnetic spectrum between approximately 1 kilohertz (kHz) and 1 terahertz. The cable TV industry uses a portion of the RF electromagnetic spectrum. Within the cable, different frequencies carry TV channels and data. A cable network is capable of transmitting signals on the cable in both directions at the same time. The following frequency ranges are used:
- Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). Transmission from source to destination is called the forward path. Downstream frequencies: 50 to 860 megahertz (MHz).
- Upstream - The direction of the RF signal transmission from subscribers to the headend, also called the return or reverse path. Upstream frequencies: 5 to 42 MHz.
Cable (figure)
Cable
The Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs. DOCSIS defines the communications and operation support interface requirements for a data-over-cable system and permits the addition of high-speed data transfer to an existing CATV system. Cable operators employ DOCSIS to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure. DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:
- Physical layer - DOCSIS specifies the channel widths (bandwidth of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques.
- MAC layer - Defines a deterministic access method: time-division multiple access (TDMA) or synchronous code division multiple access (S-CDMA).
Cable
To understand the MAC layer requirements for DOCSIS, an explanation of how various communication technologies divide channel access is helpful. TDMA divides access by time. Frequency-division multiple access (FDMA) divides access by frequency. Code division multiple access (CDMA) employs spread-spectrum technology and a special coding scheme in which each transmitter is assigned a specific code. S-CDMA is a proprietary version of CDMA developed by Terayon Corporation for data transmission across coaxial cable networks. S-CDMA scatters digital data up and down a wide frequency band and allows multiple subscribers connected to the network to transmit and receive concurrently. S-CDMA is secure and extremely resistant to noise.
Cable
Two types of equipment are required to send digital modem signals upstream and downstream on a cable system:
- Cable modem termination system (CMTS) at the headend of the cable operator
- Cable modem (CM) on the subscriber end
DSL
DSL is a means of providing high-speed connections over installed copper wires. A typical voice conversation requires a bandwidth of only 300 Hz to 3 kHz. For many years, the telephone networks did not use the bandwidth above 3 kHz. Advances in technology allowed DSL to use the additional bandwidth from 3 kHz up to 1 MHz to deliver high-speed data services over ordinary copper lines.
DSL
Asymmetric DSL (ADSL) frequency range: 20 kHz to 1 MHz. The two basic types of DSL technology are asymmetric (ADSL) and symmetric (SDSL), and there are several varieties of each type. ADSL provides higher downstream bandwidth than upstream bandwidth; SDSL provides the same capacity in both directions. The transfer rates depend on the actual length of the local loop and on the type and condition of its cabling. The different varieties of DSL provide different bandwidths, some with capabilities exceeding those of a T1 or E1 leased line. For satisfactory service, the loop must be less than 5.5 kilometers.
DSL Facilities
Service providers deploy DSL connections in the last step of a local telephone network, called the local loop or last mile. The connection is set up between the CPE and the DSL access multiplexer (DSLAM) located at the central office (CO) of the provider. The DSLAM concentrates connections from multiple DSL subscribers.
DSL Facilities
The two key components are the DSL transceiver and the DSLAM:
- Transceiver - Connects the computer of the teleworker to the DSL. Usually it is a DSL modem connected to the computer. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.
- DSLAM - Located at the CO of the carrier. Combines individual DSL connections from users into one high-capacity link to an ISP, and thereby to the Internet.
The advantage that DSL has over cable technology is that DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does not impede performance, unless the DSLAM's Internet connection to the ISP, or the Internet itself, becomes saturated.
Benefits of ADSL
The major benefit of ADSL is the ability to provide data services along with POTS voice services. The provider splits the POTS channel from the ADSL modem using filters or splitters. This guarantees uninterrupted phone service even if ADSL fails. When filters or splitters are in place, the phone line and the ADSL work simultaneously without adverse effects on either service. There are two ways to separate ADSL from voice at the customer premises:
- Microfilter - Passive low-pass filter with two ends. One end connects to the telephone, and the other end connects to the telephone wall jack.
- Splitter - Passive device that separates the DSL traffic from the POTS traffic. Splitters are located at the CO or at the CPE, where they separate the voice traffic from the data traffic destined for the DSLAM. In the event of a power failure, the voice traffic still travels to the voice switch in the CO of the carrier.
Benefits of ADSL (figure)
Benefits of ADSL (figure)
Broadband Wireless
Using 802.11 networking standards, data travels on radio waves. 802.11 networking is relatively easy to deploy because it uses the unlicensed radio spectrum to send and receive data. Computer manufacturers build wireless network adapters into most laptop computers. As the price of chipsets for Wi-Fi continues to drop, it is becoming a very economical networking option for desktop computers as well. The benefits of Wi-Fi extend beyond not having to install wired network connections. Wireless networking provides mobility. Wireless connections provide increased flexibility and productivity to the teleworker.
Broadband Wireless
New developments in broadband wireless technology are increasing wireless availability. These include:
- Municipal Wi-Fi
- WiMAX
- Satellite Internet
Municipal governments have joined the Wi-Fi revolution. Often working with service providers, cities are deploying municipal wireless networks. Some of these networks provide high-speed Internet access at no cost or for substantially less than the price of other broadband services. Other cities reserve their Wi-Fi networks for official use.
WiMAX
WiMAX (Worldwide Interoperability for Microwave Access) is aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular-type access. It operates at higher speeds, over greater distances, and for a greater number of users than Wi-Fi. A WiMAX network consists of two main components:
- A tower that is similar in concept to a cellular telephone tower. A single WiMAX tower can provide coverage to an area as large as 7,500 square kilometers.
- A WiMAX receiver that is similar in size and shape to a PCMCIA card, or built into a laptop or other wireless device.
WiMAX
A WiMAX tower station connects directly to the Internet using a high-bandwidth connection (for example, a T3 line). A tower can also connect to other WiMAX towers using line-of-sight microwave links. WiMAX is thus able to provide coverage to rural areas out of reach of "last mile" cable and DSL technologies.
Satellite Internet Services
Satellite Internet is used in locations where land-based Internet access is not available, or for temporary or mobile installations. It is available worldwide, including for vessels at sea, airplanes in flight, and vehicles moving on land. There are three ways to connect to the Internet using satellites:
- One-way multicast satellite Internet systems are used for IP multicast-based data, audio, and video distribution. IP protocols require two-way communication, so full interactivity is not possible.
- One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite.
- Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet. The satellite dish at each location needs precise positioning to avoid interference with other satellites.
Satellite Internet Services
The key installation requirement is for the antenna to have a clear view toward the equator, where most orbiting satellites are stationed. Trees and heavy rains can affect reception of the signals. Two-way satellite Internet uses IP multicasting technology, which allows one satellite to serve up to 5,000 communication channels simultaneously. IP multicast sends data from one point to many points at the same time by sending data in a compressed format.
Wireless Standards
The most common standards are included in the IEEE 802.11 WLAN standard (5 GHz and 2.4 GHz public unlicensed spectrum bands). The terms 802.11 and Wi-Fi are used interchangeably, but this is incorrect. Wi-Fi is an industry-driven interoperability certification based on a subset of 802.11. The Wi-Fi specification came about because of market demand. The most popular access approaches to connectivity are those defined by the IEEE 802.11b and IEEE 802.11g protocols. The latest standard, 802.11n, adds multiple-input multiple-output (MIMO). The 802.16 (or WiMAX) standard allows transmissions up to 70 Mb/s and has a range of up to 30 miles (50 km). It can operate in licensed or unlicensed bands of the spectrum from 2 to 6 GHz.
VPN Benefits
The Internet is a worldwide, publicly accessible IP network. As a public infrastructure, it poses security risks to enterprises and their internal networks. VPNs enable organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security. For VPN traffic to remain private, it is encrypted. A VPN uses virtual connections that are routed through the Internet. An understanding of VPN technology is essential to be able to implement secure teleworker services on enterprise networks.
VPN Benefits
VPNs increase flexibility and productivity. Remote sites and teleworkers can connect securely to the corporate network. Data on a VPN is encrypted and undecipherable to anyone not entitled to have it. VPNs bring remote hosts inside the firewall, giving them close to the same levels of access to network devices as if they were in a corporate office. Consider these benefits when using VPNs:
- Cost savings
- Security
- Scalability: organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
Site-to-site VPNs
Organizations use site-to-site VPNs to connect dispersed locations in the same way as a leased line or Frame Relay connection is used. Because most organizations now have Internet access, it makes sense to take advantage of the benefits of site-to-site VPNs. Site-to-site VPNs also support company intranets and business partner extranets. In effect, a site-to-site VPN is an extension of classic WAN networking. Site-to-site VPNs connect entire networks to each other. In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, a PIX firewall appliance, or an Adaptive Security Appliance (ASA).
Site-to-site VPNs
The VPN gateway is responsible for encapsulating and encrypting all outbound traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
Remote-access VPN
Mobile users and telecommuters use remote-access VPNs extensively. In the past, corporations supported remote users using dialup networks. Most teleworkers now have access to the Internet from their homes and can establish remote-access VPNs using broadband connections. Remote-access VPNs can support the needs of telecommuters and mobile users, as well as consumer-to-business extranets. In a remote-access VPN, each host typically has VPN client software.
VPN Components
A VPN creates a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, and to provide sender authentication and message integrity. Components required to establish this VPN include:
1. An existing network with servers and workstations
2. A connection to the Internet
3. VPN gateways that act as endpoints to establish, manage, and control VPN connections
4. Appropriate software to create and manage VPN tunnels
The key to VPN effectiveness is security. VPNs secure data by encapsulating or encrypting the data; most VPNs can do both. Encapsulation, or tunneling, transmits data transparently from network to network through a shared network infrastructure. Encryption codes data into a different format using a secret key. Decryption decodes encrypted data.
Secure VPN Characteristics
- Data confidentiality - A common security concern is protecting data from eavesdroppers: protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.
- Data integrity - Receivers have no control over the path the data has traveled and therefore do not know if the data has been seen or handled. There is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data. VPNs typically use hashes to ensure data integrity.
- Authentication - Authentication ensures that a message comes from an authentic source and goes to an authentic destination. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.
VPN Tunneling
Incorporating appropriate data confidentiality capabilities into a VPN ensures that only the sources and destinations can interpret the original message contents. Tunneling allows the use of public networks like the Internet to carry data for users as though the users had access to a private network. Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network.
Tunneling protocols:
- Carrier protocol: the protocol over which the information is traveling (Frame Relay, ATM, MPLS).
- Encapsulating protocol: the protocol that is wrapped around the original data (GRE, IPsec, L2F, PPTP, L2TP).
- Passenger protocol: the protocol over which the original data was being carried (IPX, AppleTalk, IPv4, IPv6).
VPN Tunneling
Consider an e-mail message traveling through the Internet over a VPN. PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet. GRE is a Cisco tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. The outer packet's source and destination addressing is assigned to "tunnel interfaces" and is made routable across the network. Once a composite packet reaches the destination tunnel interface, the inside packet is extracted.
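The encapsulate-then-extract step described above, shown byte for byte as an added example (this is not Cisco course material or code from any router): an inner IPv4 packet is wrapped in a basic GRE header and an outer IPv4 header addressed to the tunnel endpoints, and the far end validates the outer and GRE headers before handing the inner packet back. The tunnel endpoint addresses, the inner packet and the function names are this example's own constructed values.

```python
"""GRE-over-IPv4 encapsulation and decapsulation at the byte level.

Added example; not Cisco course material or router code. All addresses,
packets and function names are constructed for illustration.
"""
import ipaddress
import struct

GRE_PROTOCOL = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800      # GRE "protocol type" field uses EtherType values
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 means 'verifies')."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    checksum = struct.pack("!H", ipv4_checksum(header))
    return header[:10] + checksum + header[12:] + payload


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Passenger (inner IPv4) -> GRE header -> carrier (outer IPv4).

    The outer addresses belong to the tunnel interfaces, which is what makes
    the composite packet routable across the public network.
    """
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S fields, version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTOCOL, gre_header + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Check the outer and GRE headers, then return the inner packet unchanged."""
    if len(outer_packet) < 24 or outer_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer_packet[0] & 0x0F) * 4
    outer_header = outer_packet[:ihl]
    if ipv4_checksum(outer_header) != 0:
        raise ValueError("outer IPv4 header checksum failed")
    if outer_header[9] != GRE_PROTOCOL:
        raise ValueError("outer packet does not carry GRE")
    total_length = struct.unpack("!H", outer_header[2:4])[0]
    flags, proto_type = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    if flags & 0x0007:                                  # GRE version must be 0
        raise ValueError("unsupported GRE version")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("passenger protocol is not IPv4")
    # Optional checksum, key and sequence fields each add 4 bytes (RFC 2784/2890).
    gre_len = 4 + 4 * (bool(flags & GRE_FLAG_C) + bool(flags & GRE_FLAG_K)
                       + bool(flags & GRE_FLAG_S))
    return outer_packet[ihl + gre_len:total_length]


def try_decapsulate(outer_packet: bytes):
    """Decapsulate, returning None instead of raising (handy for filters)."""
    try:
        return gre_decapsulate(outer_packet)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample: a UDP packet between two private LANs, carried between
    # two public tunnel endpoints (documentation-range addresses).
    inner = build_ipv4("10.1.1.10", "10.2.2.20", 17, b"hello from site A")
    composite = gre_encapsulate(inner, "203.0.113.1", "198.51.100.2")
    print("outer length", len(composite), "inner length", len(inner))
    print("inner recovered intact:", gre_decapsulate(composite) == inner)
```

Note that the GRE header carries no integrity or confidentiality protection of its own; a checksum mismatch or a bad protocol field is rejected here, but anything stronger (the "secure" in a secure VPN) has to come from IPsec around the tunnel, which the following slides cover.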
VPN Data Integrity
To keep the data private, it needs to be encrypted. VPN encryption encrypts the data and renders it unreadable to unauthorized receivers. For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form. VPN encryption rules include an algorithm and a key. An algorithm is a mathematical function that combines a message, text, digits, or all three with a key. The output is an unreadable cipher string. Decryption is extremely difficult or impossible without the correct key.
VPN Data Integrity
The degree of security provided by any encryption algorithm depends on the length of the key. For any given key length, the time that it takes to process all of the possibilities to decrypt cipher text is a function of the computing power of the computer. Therefore, the shorter the key, the easier it is to break, but at the same time, the easier it is to pass the message. More common encryption algorithms and the length of keys they use:
- Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem.
- Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
VPN Data Integrity
More common encryption algorithms and the length of keys they use:
- Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128-, 192-, and 256-bit keys.
- Rivest, Shamir, and Adleman (RSA) - An asymmetric key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.
Symmetric Encryption
Encryption algorithms such as DES and 3DES require a shared secret key to perform encryption and decryption. Each of the two computers must know the key to decode the information. With symmetric key encryption (secret key encryption), each computer encrypts the information before sending it over the network. Symmetric key encryption requires knowledge of which computers will be talking to each other so that the same key can be configured on each computer. The question is, how do the encrypting and decrypting devices both obtain the shared secret key?
Asymmetric Encryption
Asymmetric encryption uses different keys for encryption and decryption: one key encrypts the message, and a second key decrypts the message. It is not possible to encrypt and decrypt with the same key. Public key encryption is a variant of asymmetric encryption that uses a combination of a private key and a public key. The recipient gives a public key to any sender. The sender uses a private key combined with the recipient's public key to encrypt the message. Also, the sender must share their public key with the recipient. To decrypt a message, the recipient uses the public key of the sender with their own private key.
Hash: Data Integrity and Authentication
Hashes contribute to data integrity and authentication. A hash, also called a message digest, is a number generated from a string of text. The hash is smaller than the text itself. The original sender generates a hash of the message and sends it with the message itself. The recipient decrypts the message and the hash, produces another hash from the received message, and compares the two hashes. If they match, the recipient can be sure of the integrity of the message. VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms. A keyed-hash message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message. An HMAC has two parameters: a message input and a secret key known only to the sender and intended receivers.
Hash: Data Integrity and Authentication
The message sender uses an HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input. The message authentication code is sent along with the message. There are two common HMAC algorithms:
- Message Digest 5 (MD5) - Uses a 128-bit shared secret key. The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
- Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
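The append-and-verify procedure on this slide, as an added example rather than course material: the sender computes HMAC-MD5 or HMAC-SHA-1 over the message with the shared secret and appends the tag; the receiver recomputes it and accepts the message only if the tags match. The shared secret and the message are constructed sample values, and the names protect() and verify() are this example's own.

```python
"""Appending and verifying an HMAC tag, as a VPN does for data integrity.

Added example; not course material. The shared secret and message are
constructed sample values.
"""
import hashlib
import hmac

# The two HMAC algorithms named on the slide and their tag sizes in bytes.
ALGORITHMS = {
    "HMAC-MD5": (hashlib.md5, 16),     # 128-bit tag
    "HMAC-SHA-1": (hashlib.sha1, 20),  # 160-bit tag
}


def protect(message: bytes, shared_secret: bytes, algorithm: str = "HMAC-SHA-1") -> bytes:
    """Sender side: compute the MAC over the message and append it."""
    hash_fn, _ = ALGORITHMS[algorithm]
    tag = hmac.new(shared_secret, message, hash_fn).digest()
    return message + tag


def verify(protected: bytes, shared_secret: bytes, algorithm: str = "HMAC-SHA-1"):
    """Receiver side: recompute the MAC and compare; return the message or None.

    Any change to the message bits or the tag, or a different secret on the
    verifying side, makes the recomputed tag differ, so tampering is detected
    and a party without the secret cannot produce a tag that verifies.
    """
    hash_fn, tag_len = ALGORITHMS[algorithm]
    if len(protected) < tag_len:
        return None
    message, tag = protected[:-tag_len], protected[-tag_len:]
    expected = hmac.new(shared_secret, message, hash_fn).digest()
    # Constant-time compare so the verifier does not leak how many tag bytes matched.
    return message if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"     # constructed sample key
    payload = b"approve transfer 1000"        # constructed sample message
    on_the_wire = protect(payload, secret, "HMAC-MD5")
    print("accepted:", verify(on_the_wire, secret, "HMAC-MD5") == payload)
    altered = on_the_wire.replace(b"1000", b"9000")
    print("altered message accepted:", verify(altered, secret, "HMAC-MD5") is not None)
```

The receiver never compares a plain hash it computed against one it received in the clear; it compares a keyed tag, which is why the secret must be known only to the two peers.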
Hash: Data Integrity and Authentication (figure)
VPN Authentication
The device on the other end of the VPN tunnel must be authenticated. There are two peer authentication methods:
- Pre-shared key (PSK) - A secret key that is shared between the two parties using a secure channel before it needs to be used. PSKs use symmetric key cryptographic algorithms. A PSK is entered into each peer manually. At each end, the PSK is combined with other information to form the authentication key.
- RSA signature - Uses the exchange of digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted and recomputed hashes match, the signature is genuine.
VPN Authentication
The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure.
IPsec Security Protocols
IPsec is a protocol suite for securing IP communications that provides encryption, integrity, and authentication. IPsec spells out the messaging necessary to secure VPN communications, but relies on existing algorithms. There are two main IPsec framework protocols:
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
IPsec Security Protocols
Authentication Header (AH) is used when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies that any message passed has not been modified during transit. It also verifies the origin of the data. AH does not provide data confidentiality (encryption) of packets. Used alone, the AH protocol provides weak protection. Consequently, it is used with the ESP protocol to provide data encryption and tamper-aware security features.
IPsec Security Protocols
Encapsulating Security Payload (ESP) provides confidentiality and authentication by encrypting the IP packet. IP packet encryption conceals the data and the identities of the source and destination. ESP authenticates the inner IP packet and the ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum one of them must be selected.
IPsec Framework
IPsec relies on existing algorithms to implement encryption, authentication, and key exchange. Some of the standard algorithms that IPsec uses are as follows:
- DES - Encrypts and decrypts packet data.
- 3DES - Provides significant encryption strength over 56-bit DES.
- AES - Provides stronger encryption and faster throughput.
- MD5 - Authenticates packet data, using a 128-bit shared secret key.
- SHA-1 - Authenticates packet data, using a 160-bit shared secret key.
- DH - Allows two parties to establish a shared secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure communications channel.
IPsec Framework
When configuring an IPsec gateway to provide security services:
- Choose an IPsec protocol. The choices are ESP or ESP with AH.
- Choose an encryption algorithm if IPsec is implemented with ESP, appropriate for the desired level of security: DES, 3DES, or AES.
- Choose an authentication algorithm to provide data integrity: MD5 or SHA.
- Choose the Diffie-Hellman (DH) algorithm group, which establishes the sharing of key information between peers. Choose which group to use: DH1 or DH2.
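The two key-related pieces of the framework, the RSA-signature peer authentication from the VPN Authentication slide and the DH exchange that gives both peers a shared secret over an insecure channel, as one added example (not course material or code from any Cisco device). It runs with deliberately small parameters: a freshly generated 256-bit safe prime instead of the 768-bit DH1 or 1024-bit DH2 MODP groups, and 512-bit textbook RSA without the PKCS#1 padding a real implementation applies. Every function name below is this example's own; both simplifications are marked in the code.

```python
"""RSA-signature peer authentication and Diffie-Hellman key agreement.

Added example; not course material or router code. Toy parameter sizes and
unpadded RSA are used so the script finishes in seconds.
"""
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Trial division by small primes, then Miller-Rabin with random witnesses."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2           # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                            # definitely composite
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so it really has `bits` bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def safe_prime(bits: int) -> int:
    """p = 2q + 1 with q prime: generator 2 then lies in a large subgroup.
    (Toy replacement for the fixed DH1/DH2 MODP group primes.)"""
    while True:
        q = random_prime(bits - 1)
        if is_probable_prime(2 * q + 1):
            return 2 * q + 1


# RSA signature: "derive a hash and encrypt it with the private key".
def rsa_keypair(bits: int = 512):
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)   # (public, private)


def rsa_sign(message: bytes, private_key) -> int:
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)                 # textbook RSA, no padding (toy)


def rsa_verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key and compare to a fresh hash."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


# Diffie-Hellman: a shared secret from values exchanged over an open channel.
def dh_public(p: int, g: int, private: int) -> int:
    return pow(g, private, p)


def dh_shared_key(p: int, peer_public: int, private: int) -> bytes:
    # Reject degenerate peer values (0, 1, p-1) that would force a trivial secret.
    if not 2 <= peer_public <= p - 2:
        raise ValueError("invalid DH public value from peer")
    shared = pow(peer_public, private, p)
    return hashlib.sha1(shared.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def authenticated_exchange(modulus_bits: int = 256) -> dict:
    """Each peer signs its own DH public value; the other verifies before keying."""
    p, g = safe_prime(modulus_bits), 2
    q, size = (p - 1) // 2, (p.bit_length() + 7) // 8
    a_priv, b_priv = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    a_pub, b_pub = dh_public(p, g, a_priv), dh_public(p, g, b_priv)
    a_rsa_pub, a_rsa_priv = rsa_keypair()   # stands in for A's certificate + key
    b_rsa_pub, b_rsa_priv = rsa_keypair()
    a_sig = rsa_sign(a_pub.to_bytes(size, "big"), a_rsa_priv)
    b_sig = rsa_sign(b_pub.to_bytes(size, "big"), b_rsa_priv)
    return {
        "b_trusts_a": rsa_verify(a_pub.to_bytes(size, "big"), a_sig, a_rsa_pub),
        "a_trusts_b": rsa_verify(b_pub.to_bytes(size, "big"), b_sig, b_rsa_pub),
        "a_key": dh_shared_key(p, b_pub, a_priv),
        "b_key": dh_shared_key(p, a_pub, b_priv),
    }


if __name__ == "__main__":
    result = authenticated_exchange()
    print("peers authenticated:", result["b_trusts_a"] and result["a_trusts_b"])
    print("same session key on both ends:", result["a_key"] == result["b_key"])
```

Signing the DH public value is what ties the key agreement to the authenticated identity: an observer on the path sees both public values and both signatures but cannot derive the shared key, and a peer that cannot produce a valid signature is rejected before any session key is used.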
Summary
Requirements for providing teleworker services are:
- Maintains continuity of operations
- Provides for increased services
- Secure and reliable access to information
- Cost effective
- Scalable
Components needed for a teleworker to connect to an organization's network are:
- Home components
- Corporate components
Summary
Broadband services used:
- Cable transmits signals in either direction simultaneously.
- DSL requires minimal changes to existing telephone infrastructure and delivers high-bandwidth data rates to customers.
- Wireless increases mobility; wireless availability is extended via municipal Wi-Fi, WiMAX, and satellite Internet.
Summary
Securing teleworker services:
- VPN security is achieved through advanced encryption techniques and tunneling.
- Characteristics of a secure VPN: data confidentiality, data integrity, and authentication.