ITE I Chapter 6
Cisco Public
Objectives
In this chapter, you will learn to:
Describe the enterprise requirements for providing teleworker services, including the differences between private and public network infrastructures. Describe the teleworker requirements and recommended architecture for providing teleworking services. Explain how broadband services extend enterprise networks using DSL, cable, and wireless technology. Describe the importance of VPN technology, including its role and benefits for enterprises and teleworkers. Describe how VPN technology can be used to provide secure teleworker services to an enterprise network.
BSCI Module 3
Cisco Public
On a broader scale, the ability of businesses to provide service across time zones and international boundaries is greatly enhanced using teleworkers.
Contracting and outsourcing solutions are easier to implement and manage.
From a social perspective, teleworking options increase the employment opportunities for various groups, including parents with small children, the handicapped, and people living in remote areas.
Teleworkers enjoy more quality family time, less travelrelated stress, and in general provide their employers with increased productivity, satisfaction, and retention.
2006 Cisco Systems, Inc. All rights reserved. Cisco Public
BSCI Module 3
Teleworker Solution
With the growing number of teleworkers, enterprises have an increasing need for secure, reliable, and cost-effective ways to connect to people working in small offices and home offices (SOHOs), and other remote locations, with resources on corporate sites. The figure displays 3 remote connection technologies available to organizations for supporting teleworker:
1. Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions. 2. IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity.
Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet. (A less reliable means of connectivity using the Internet is a dialup connection.)
BSCI Module 3
Cisco Public
The broadband service data transmission speeds typically exceed 200 kilobits per second (kb/s), or 200,000 bits per second, in at least one direction:
downstream (from the Internet to the user's computer) upstream (from the user's computer to the Internet).
BSCI Module 3
Cisco Public
The most common problem with broadband access is lack of coverage area.
BSCI Module 3
Cisco Public
Teleworker Solution
To connect effectively to their organization's networks, teleworkers need two key sets of components:
Home Office Components - The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer.
When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, or broadband connection.
Corporate Components - Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.
BSCI Module 3
Cisco Public
Teleworker Solution
Typically, providing support for VoIP requires upgrades to these components.
Routers need Quality of Service (QoS) functionality. QoS refers to the capability of a network to provide better service to selected network traffic, as required by voice and video applications.
The figure shows an encrypted VPN tunnel connect the teleworker to the corporate network.
This is the heart of secure and reliable teleworker connections. A VPN is a private data network that uses the public telecommunication infrastructure. VPN security maintains privacy using a tunneling protocol and security procedures. This course presents the IPsec (IP Security) protocol as the favored approach to building secure VPN tunnels.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
Advantages
An advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth as Internet traffic does not have to pass through the VPN server.
Disadvantages
A disadvantage of this method is that it essentially renders the VPN vulnerable to attack as it is accessible through the public, non-secure network.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
10
He was the first to use coaxial cable to improve picture quality, and the distribute pay television programming.
Cable television first began in Pennsylvania in 1948. John Walson, the owner of an appliance store in a small mountain town, needed to solve poor over-the-air reception problems experienced by customers trying to receive TV signals from Philadelphia through the mountains.
Walson erected an antenna on a utility pole on a local mountaintop that enabled him to demonstrate the televisions in his store with strong broadcasts coming from the three Philadelphia stations. He connected the antenna to his appliance store via a cable and modified signal boosters. http://www.pcta.com/news/walson. He then connected several of his customers who were php?PHPSESSID=bad26d0ac5fd located along the cable path. 8e02fb67d0d5045a6fab This was the first community antenna television (CATV) system in the United States.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
11
Modern cable systems provide two-way communication between subscribers and the cable operator.
Cable operators now offer customers advanced telecommunications services including high-speed Internet access, digital cable television, and residential telephone service. (e.g. impulse-pay-per-view, home shopping, Internet access),
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
12
Cable modem service is always-on and so the problems with busy signals, connect time, and disconnects are eliminated.
These systems generally permanently assign a dedicated internet address (IP number) to each user which allows the use of services where your friends need to know your Internet address such as ICQ or netphone.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
http://www.azinet.com/articles/c ablemodem.htm
13
Tap
Amplifier
14
The cable system architecture provides a cost-effective solution for densely populated areas by cascading a broadcast architecture to the users. The development of cable systems made new services possible.
Cable systems support telephony and data services and analog and digital video services.
Businesses that employ teleworkers can gain the following benefits from this widely available high-speed cable Internet access method:
VPN connectivity to corporate intranets
SOHO capabilities for work-at-home employees Interactive television Public switched telephone network (PSTN)quality voice and fax calls over the managed IP networks
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
www.conniq.com/InternetAccess_cable.htm
15
What is DSL
Several years ago, Bell Labs identified that a typical voice conversation over a local loop only required the use of bandwidth of 300 Hz to 3 kHz.
For many years, the telephone networks did not use the bandwidth beyond 3 kHz.
Advances in technology allowed DSL to use the additional bandwidth above 3 kHz up to 1 MHz to deliver high-speed data services over ordinary copper lines.
As an example, asymmetric DSL (ADSL) uses a frequency range from approximately 20 kHz to 1 MHz. Fortunately, only relatively small changes to existing telephone company infrastructure are required to deliver high-bandwidth data rates to subscribers.
Figure shows a representation of bandwidth space allocation on a copper wire for ADSL.
The green area represents the space used by POTS,
The other colored spaces represent the space used by the upstream and downstream DSL signals.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
http://en.wikibooks.org/wiki/Computer_Networks /DSL
16
What is DSL
Service providers deploy DSL connections in the last step of a local telephone network, called the local loop or last mile.
The connection is set up between a pair of modems on either end of a copper wire that extends between the customer premises equipment (CPE) and the DSL access multiplexer (DSLAM).
The DSL transceiver: it connects the teleworkers computer to the DSL line.
Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports for home office use.
The advantage that DSL has over cable technology is that DSL is not a shared medium.
Each user has a separate direct connection to the DSLAM. Adding users does not impede performance unless the DSLAM Internet connection on the other side becomes saturated.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
17
The term xDSL covers a number of DSL variations, such as Asymmetric DSL (ADSL), high-data-rate DSL (HDSL), Rate Adaptive DSL (RADSL), symmetric DSL (SDSL), ISDN DSL (IDSL), and very-high-data-rate DSL (VDSL).
DSL types that do not use the voice frequency band allow DSL lines to carry both data and voice signals simultaneously (for example, ADSL and VDSL types), while other DSL types occupying the complete frequency range can carry data only (for example, SDSL and IDSL types).
The data rate that DSL service can provide depends on the distance between the subscriber and the CO.
The shorter the distance: the higher the bandwidth available.
http://www.linktionary.com/d/dsl.html
18
BSCI Module 3
Cisco Public
ADSL signals distort voice transmission and are split or filtered at the customer premises.
A microfilter filters the ADSL signal from the voice signal. This solution eliminates the need for a technician to visit the premises and allows the user to use any jack in the house for voice or ADSL service. POTS splitters separate the DSL traffic from the POTS traffic. The POTS splitter is a passive device. Splitters are located at the CO and, in some deployments, at the customer premises.
Figure uses a splitter at the customer premises.
The actual device is the network interface device (NID). The splitter acts as a low-pass filter, allowing only the 0 to 4 kHz frequencies to pass to or from the telephone.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
19
BSCI Module 3
Cisco Public
20
Broadband Wireless
Wireless networking, or Wi-Fi, has improved the connectivity situation, not only in the SOHO, but on enterprise campuses as well.
Using 802.11 networking standards, data travels from place to place on radio waves.
What makes 802.11 networking easy to deploy is that it uses the unlicensed radio spectrum. Most radio and TV transmissions are government regulated and require a license to use.
BSCI Module 3
Cisco Public
21
Broadband Wireless
Until recently, a significant limitation of wireless access has been the need to be within the local transmission range (typically less than 100 feet) of a wireless router or wireless access. New developments in broadband wireless technology are increasing wireless availability. These include:
Municipal Wi-Fi WiMAX Satellite Internet
BSCI Module 3
Cisco Public
22
Most municipal wireless networks use a mesh topology rather than a hub-and-spoke model.
A mesh is a series of access points (radio transmitters). Each access point is in range and can communicate with at least two other access points. From an operational point of view, it is more reliable. If a node fails, others in the mesh compensate for it.
BSCI Module 3
Cisco Public
23
BSCI Module 3
Cisco Public
24
One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite. Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet. The satellite dish at each location needs precise positioning to avoid interference with other satellites.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
25
Two-way satellite Internet uses IP multicasting technology, which allows one satellite to serve up to 5,000 communication channels simultaneously.
IP multicast sends data from one point to many points at the same time by sending data in a compressed format. Compression reduces the size of the data and the bandwidth.
BSCI Module 3
Cisco Public
26
Broadband Wireless
The IEEE 802.11 wireless local area network (WLAN) standard, which addresses the 5 GHz and 2.4 GHz public (unlicensed) spectrum bands.
The most popular access approaches to connectivity are those defined by the IEEE 802.11b and IEEE 802.11g protocols. The latest standard, 802.11n, is a proposed amendment that builds on the previous 802.11 standards by adding multiple-input multipleoutput (MIMO). [Tony]: 802.11a 5.4 GHz and 54 Mb/s
The 802.16 (or WiMAX) standard allows transmissions up to 70 Mb/s, and has a range of up to 30 miles (50 km). It can operate in licensed or unlicensed bands of the spectrum from 2 to 6 GHz.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
27
VPN
A VPN creates a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, sender authentication, and message integrity.
BSCI Module 3
Cisco Public
28
29
Security - Advanced encryption and authentication protocols protect data from unauthorized access. Scalability - Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
30
In a site-to-site VPN, hosts send and receive IP traffic through a VPN gateway, which could be a router, PIX firewall, or an ASA.
The VPN gateway is responsible for encapsulating and encrypting outbound traffic and sending it through a VPN tunnel over the Internet to the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
2006 Cisco Systems, Inc. All rights reserved. Cisco Public
BSCI Module 3
31
32
VPN Components
Components required to establish VPN include:
An existing network with servers and workstations A connection to the Internet
VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
Appropriate software to create and manage VPN tunnels
The key to VPN effectiveness is security. VPNs secure data by encapsulating or encrypting the data. Most VPNs can do both.
Encapsulation referres to as tunneling, because encapsulation transmits data transparently from network to network through a shared infrastructure. Encryption codes data into a different format using a secret key. Decryption decodes encrypted data into the original unencrypted format.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
33
Data integrity - Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination.
VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal that guarantees that no one has read the content, but it is more robust.
Authentication - Authentication ensures that a message comes from an authentic source and goes to an authentic destination.
User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.
BSCI Module 3
Cisco Public
34
VPN Tunneling
Tunneling allows the use of public networks like the Internet to carry data for users as though the users had access to a private network.
Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network.
This figure illustrates an e-mail message traveling through the Internet over a VPN.
PPP carries the message to the VPN device, where the message is encapsulated within a Generic Route Encapsulation (GRE) packet.
GRE is a tunneling protocol developed by Cisco.
The outer packet source and destination addressing is assigned to "tunnel interfaces" and is made routable across the network. Once a composite packet reaches the destination tunnel interface, the inside packet is extracted.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
35
For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form.
VPN encryption rules include an algorithm and a key.
An algorithm is a mathematical function that combines a message, text, digits, or all three with a key.
BSCI Module 3
Cisco Public
36
Some of the more common encryption algorithms and the length of keys they use are as follows:
Data Encryption Standard (DES) algorithm Developed by IBM, DES uses a 56-bit key.
DES is a symmetric key cryptosystem.
Triple DES (3DES) algorithm - A variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. Advanced Encryption Standard (AES) - AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys. Rivest, Shamir, and Adleman (RSA) - An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
192 bits
37
For example, a sender creates a coded message where each letter is substituted with the letter that is two letters down in the alphabet;
"A" becomes "C," and "B" becomes "D", and so on. In this case, the word SECRET becomes UGETGV. The sender has already told the recipient that the secret key is "shift by 2." When the recipient receives the message UGETGV, the recipient computer decodes the message by shifting back two letters and calculating SECRET.
The question is, how do the encrypting and decrypting devices both have the shared secret key?
You could use e-mail, courier, or overnight express to send the shared secret keys to the administrators of the devices.
BSCI Module 3
Cisco Public
38
39
40
41
RSA signature
Uses the exchange of digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine.
42
Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting packet.
ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
BSCI Module 3 2006 Cisco Systems, Inc. All rights reserved. Cisco Public
43
44
Chapter Summary
In this chapter, you have learned to:
Describe the enterprise requirements for providing teleworker services, including the differences between private and public Tony Chen COD network infrastructures. Describe the teleworker requirements and recommended architecture for providing teleworking services. Explain how broadband services extend enterprise networks using DSL, cable, and wireless technology. Describe the importance of VPN technology, including its role and benefits for enterprises and teleworkers. Describe how VPN technology can be used to provide secure teleworker services to an enterprise network.
Cisco Networking Academy
BSCI Module 3
Cisco Public
45