Chap 6 – Providing Teleworker Services Learning Objectives • Describe the enterprise requirements for providing teleworker services • Explain how broadband services extend Enterprise Networks including DSL, cable, and wireless • Describe how VPN technology provides secure teleworker services in an Enterprise setting
Teleworking Benefits • Organisational benefits: • Continuity of operations • Increased responsiveness • Secure, reliable, and manageable access to information • Cost-effective integration of data, voice, video, and applications • Increased employee productivity, satisfaction, and retention • Social benefits: • Increased employment opportunities for marginalized groups • Less travel and commuter related stress • Environmental benefits: • Reduced carbon footprints, both for individual workers and organisations
Remote Connection Options (figure): teleworkers and suppliers reach the Main Office either over broadband ISPs using IPsec VPNs, or over Layer 2 VPNs such as Frame Relay and ATM.
Virtual Private Network (VPN) • A VPN is a private data network that uses the public telecommunication infrastructure. VPN security maintains privacy using a tunneling protocol and security procedures.
Connecting Teleworkers • Dialup access - An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option, and is typically used by mobile workers in areas where higher speed connection options are not available. • DSL - Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet, using a special high-speed modem. • Cable modem - Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television. • Satellite - Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.
Cable Modem • Coaxial cable is widely used in urban areas to distribute television signals. • Network access is available from some cable television networks - allows for greater bandwidth than the conventional telephone local loop.
Cable Frequency Plan • Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). • Upstream - The direction of the RF signal transmission from subscribers to the headend, or the return or reverse path.
Cable Modem • Cable modems provide an always-on connection and a simple installation. • A cable modem is capable of delivering up to 30 to 40 Mbps of data on one 6 MHz cable channel. • With a cable modem, a subscriber can continue to receive cable television service while simultaneously receiving data to a personal computer.
Data-over-Cable Service Interface Specification (DOCSIS) • DOCSIS defines the communications and operation support interface requirements for a data-over-cable system, and permits the addition of high-speed data transfer to an existing CATV system. • Cable operators employ DOCSIS to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure. • DOCSIS specifies the OSI Layer 1 and Layer 2 requirements: • Physical layer - For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques. • MAC layer - Defines a deterministic access method, time-division multiple access (TDMA) or synchronous code division multiple access method (S-CDMA).
Two types of equipment are required to send digital modem signals upstream and downstream on a cable system: • Cable modem termination system (CMTS) at the headend of the cable operator. • Cable modem (CM) on the subscriber end. (Figure: the headend's e-mail and web servers and the CMTS connect over fibre optic to a fibre node, from which coaxial cable runs out to the subscribers' cable modems.)
Digital Subscriber Line (DSL) • DSL is a broadband technology that uses existing twisted-pair telephone lines to transport high-bandwidth data to service subscribers. DSL technology allows the local loop line to be used for a normal telephone voice connection and an always-on connection for instant network connectivity. • The two basic types of DSL technologies are asymmetric (ADSL) and symmetric (SDSL). All forms of DSL service are categorised as ADSL or SDSL, and there are several varieties of each type. • Asymmetric service provides higher download (downstream) bandwidth to the user than upload bandwidth. Symmetric service provides the same capacity in both directions.
What is DSL? • DSL uses the high frequency range of the local loop, up to about 1 MHz. • For example, asymmetric digital subscriber line (ADSL) uses the frequency range of about 42 kHz to 1 MHz. • ADSL does not overlap the Plain Old Telephone Service (POTS) voice channel (0 – 4 kHz, with the speech band at roughly 300 – 3400 Hz). • POTS and ADSL service can therefore coexist over the same wire.
Digital Subscriber Line (DSL) – ADSL channel plan (figure: 256 channels of about 4 kHz each, spanning 0 Hz to 1.1 MHz) • Channel 0 – analogue voice (the traditional modem channel) • Channels 6-30 – upstream data and control (1.44 Mbps max) • Channels 31-255 – downstream data and control (13.44 Mbps max)
Digital Subscriber Line (DSL) (figure: at the subscriber, a filter separates analogue voice (300-3400 Hz) for the telephone from modulated data (30 kHz-1.1 MHz) for the DSL modem, which hands digital data to the PC; both share the local loop; at the carrier, a filter passes voice to the PSTN and modulated data to the DSLAM, which forwards digital data to the ISP.) • Transceiver - Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use. • DSLAM - Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and onwards to the Internet.
ADSL Filters & Splitters • When the service provider puts analog voice and ADSL on the same wire, the provider splits the POTS channel from the ADSL modem using filters or splitters. • This setup guarantees uninterrupted regular phone service even if ADSL fails. When filters or splitters are in place, the user can use the phone line and the ADSL connection simultaneously without adverse effects on either service.
DSL Access Multiplexer (DSLAM) • Multiple DSL subscriber lines are multiplexed into a single, high-capacity link by the use of a DSL Access Multiplexer (DSLAM) at the provider location. • DSLAMs incorporate TDM technology to aggregate many subscriber lines into a less cumbersome single medium, generally at 8.192 Mbps.
Why Wireless? • Mobility • Scalability • Flexibility • Short & long term cost savings • Installation advantages • Reliability in harsh environments • Reduced installation time
Worldwide Interoperability for Microwave Access (WiMax) • A telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access. • Based on the IEEE 802.16 standard, which is also called WirelessMAN. • WiMAX allows a user to browse the Internet on a laptop computer without physically connecting the laptop to a wall socket.
Broadband Wireless Access (figure: subscribers connect over 802.16 to a WiMAX base station with a coverage area of up to 5.5 km; the base station reaches the ISP and the Internet over a wired or wireless backhaul, for example DSL.)
WiMax Applications • In addition to providing a wireless alternative to cable and DSL for last mile (last km) broadband access, 802.16 can be applied to the following situations: • Connecting Wi-Fi hotspots with each other and to other parts of the Internet. • Providing high-speed data and telecommunications services. • Providing a diverse source of Internet connectivity as part of a business continuity plan. That is, if a business has a fixed and a wireless Internet connection, especially from unrelated providers, they are unlikely to be affected by the same service outage. • Providing nomadic connectivity.
Wireless Considerations • Subscribers can have a variety of receiving equipment: • External antenna • Indoor WiMAX router • WiMAX PCMCIA card • Integral WiMAX antenna • Receivers located indoors, or with integral antennas, need more power from the base station to achieve a satisfactory signal-to-noise ratio (SNR).
Benefits of VPNs • Each LAN can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. • A VPN can grow to accommodate more users and different locations much easier than a leased line. • Scalability is a major advantage that VPNs have over typical leased lines, as the cost does not increase in proportion to the distances involved
Benefits of VPNs • Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth. • Security - Advanced encryption and authentication protocols protect data from unauthorised access. • Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organisations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
Site-to-Site VPNs (figure: VPN gateways shown as an ASA, a router and a firewall) • A site-to-site VPN is an extension of classic WAN networking, connecting entire networks to each other. • In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, a PIX firewall appliance, or an Adaptive Security Appliance (ASA). The hosts themselves need no VPN software.
Remote Access VPNs (figure: VPN gateways shown as a concentrator, a router, a firewall and an ASA) • In a remote-access VPN, each host typically has VPN client software. • Whenever the host tries to send traffic to the protected network, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.
VPN Security • The key to VPN effectiveness is security. VPNs carry data by encapsulating it and protect it by encrypting and authenticating it. Most VPN implementations do both; encapsulation on its own (a plain GRE tunnel, for example) gives no confidentiality at all. • Encapsulation is also referred to as tunnelling, because encapsulation transmits data transparently from network to network through a shared network infrastructure. • Encryption transforms data into an unreadable form using a secret key. Decryption turns the encrypted data back into its original, unencrypted form.
VPN Security The foundation of a secure VPN is data confidentiality, data integrity, and authentication: • Data confidentiality - Protects the contents of messages from interception. VPNs achieve confidentiality by encrypting the encapsulated traffic; encapsulation alone hides nothing. • Data integrity - Guarantees that no tampering or alteration occurs to data while it travels between source and destination. VPNs use keyed hashes (HMACs) to ensure data integrity, because an unkeyed hash can simply be recomputed by whoever altered the message. • Authentication - Ensures that a message comes from an authentic source and goes to an authentic destination. VPNs can use pre-shared keys, passwords, digital certificates, smart cards, and biometrics to establish the identity of the parties at each end of the tunnel.
Tunnelling Protocols • Create secure tunnels through un-secure networks (the Internet). • The most common protocols are: • Generic Routing Encapsulation (GRE) • Point-to-Point Tunnelling Protocol (PPTP) • Layer 2 Forwarding (L2F) • Layer 2 Tunnelling Protocol (L2TP), usually protected by Internet Protocol Security (IPsec) as L2TP/IPsec • Secure Shell (SSH)
Tunnelling Protocols • Carrier protocol - The protocol over which the information is traveling (Frame Relay, ATM, MPLS). • Encapsulating protocol - The protocol that is wrapped around the original data (GRE, IPSec, L2F, PPTP, L2TP). • Passenger protocol - The protocol over which the original data was being carried (IPX, AppleTalk, IPv4, IPv6).
Packet Encapsulation (figure: between VPN devices R1 and R2, the original IP packet is wrapped in a GRE header and a new IP header, then protected by IPsec, and finally placed in a frame for each hop along the VPN tunnel.) • GRE was developed by Cisco and was designed to be stateless; the tunnel end-points do not monitor the state or availability of other tunnel end-points. GRE on its own provides neither encryption nor authentication, which is why it is commonly run inside IPsec. • IPsec (IP security) is used for securing IP communications by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment (IKE).
Encryption Algorithms • Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key and is fast in hardware. DES is a symmetric key cryptosystem. Its 56-bit key has been brute-forced in practice, so DES is no longer considered adequate protection. • Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with a second key, and then encrypts one final time with a third key. 3DES provides significantly more strength than DES, at three times the computational cost. • Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace DES in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys. • Rivest, Shamir, and Adleman (RSA) - An asymmetric key cryptosystem. Keys have historically used a bit length of 512, 768, 1024, or larger; 2048 bits is the current minimum for new deployments, as the shorter sizes are considered breakable.
Encryption Algorithms • Symmetric encryption - DES, 3DES and AES require a shared secret key to perform encryption and decryption. Each of the two computers must know the same key to decode the information. • Asymmetric encryption - RSA uses different keys for encryption and decryption. One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.
Data Integrity - Hashing • Hashes contribute to data integrity and authentication by ensuring that unauthorised persons do not tamper with transmitted messages. • A hash, also called a message digest, is a number generated from a string of text. The hash is smaller than the text itself. • It is generated using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
MD5 Hash Tool 1. Run hash tool on a text document – hash generated using algorithm and document contents 2. Change text within document 3. Run hash tool on changed document – hash is different, as the document contents are different
Hashed Message Authentication Code • VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms. A keyed hashed message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message. • A HMAC has two parameters: a message input and a secret key known only to the message originator and intended receivers. The message sender uses a HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input. • The message authentication code is sent along with the message. The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used, and compares the result computed with the received message authentication code. If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key.
Hashed Message Authentication Code There are two common HMAC algorithms: • Message Digest 5 (MD5) - Uses a 128-bit shared secret key. The variable-length message and the 128-bit shared secret key are combined and run through the HMAC-MD5 algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end. • Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end. • In IPsec (AH and ESP) both outputs are truncated to the first 96 bits (HMAC-MD5-96 and HMAC-SHA1-96). Although HMAC is not broken by the collision weaknesses of MD5 and SHA-1, current deployments prefer HMAC-SHA-256 or stronger (RFC 4868).
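The following is an added example, not part of the original slides, that carries out the MD5 hash-tool steps above and then contrasts them with a keyed HMAC. The document text and the key are constructed for the demonstration; the sender and receiver functions are hypothetical and model the behaviour the slides describe, not any product. It truncates the tag to 96 bits as IPsec does and checks the standard library against the first HMAC test vectors of RFC 2202.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample document and shared secret (not from the slides).
DOCUMENT = b"Pay 100 EUR to account 12345"
KEY = b"9f2a7c1e4b8d6a0c3e5f7a9b1d3c5e7f"   # shared secret; in practice random and per peer


def hash_tool(doc: bytes, algo: str = "md5") -> str:
    """Step 1/3 of the slide: a digest computed from the document contents."""
    return hashlib.new(algo, doc).hexdigest()


def hmac_tag(key: bytes, doc: bytes, algo: str = "sha1", trunc: Optional[int] = None) -> bytes:
    """Keyed HMAC over the document; IPsec keeps only the first 96 bits (12 bytes)."""
    tag = hmac.new(key, doc, algo).digest()
    return tag[:trunc] if trunc else tag


def verify_hmac(key: bytes, doc: bytes, tag: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute with the same key and compare in constant time."""
    return hmac.compare_digest(hmac_tag(key, doc, algo, len(tag)), tag)


def tamper(doc: bytes) -> bytes:
    """Step 2 of the slide: change the text within the document."""
    return doc.replace(b"100", b"900")


def hash_only_check(doc: bytes, digest: str) -> bool:
    """An unkeyed digest detects accidental corruption only."""
    return hash_tool(doc) == digest


def attacker_rewrites_hash_protected(doc: bytes, digest: str) -> Tuple[bytes, str]:
    """An on-path attacker who can alter the message can recompute the unkeyed hash too."""
    new_doc = tamper(doc)
    return new_doc, hash_tool(new_doc)


def attacker_rewrites_hmac_protected(doc: bytes, tag: bytes) -> Tuple[bytes, bytes]:
    """Without the key the attacker can alter the message but not produce a matching tag."""
    return tamper(doc), tag


def rfc2202_self_test() -> bool:
    """Test case 1 of RFC 2202 for HMAC-SHA1 and HMAC-MD5 (key = 0x0b repeated, data 'Hi There')."""
    ok_sha1 = hmac_tag(b"\x0b" * 20, b"Hi There", "sha1").hex() == "b617318655057264e28bc0b6fb378c8ef146be00"
    ok_md5 = hmac_tag(b"\x0b" * 16, b"Hi There", "md5").hex() == "9294727a3638bb1c13f48ef8158bfc9d"
    return ok_sha1 and ok_md5


if __name__ == "__main__":
    original_digest = hash_tool(DOCUMENT)
    print("digest changes when the document changes:", original_digest != hash_tool(tamper(DOCUMENT)))
    forged_doc, forged_digest = attacker_rewrites_hash_protected(DOCUMENT, original_digest)
    print("hash-only receiver accepts the forgery:", hash_only_check(forged_doc, forged_digest))
    tag = hmac_tag(KEY, DOCUMENT, "sha1", trunc=12)
    forged_doc, old_tag = attacker_rewrites_hmac_protected(DOCUMENT, tag)
    print("HMAC receiver accepts the forgery:", verify_hmac(KEY, forged_doc, old_tag))
    print("RFC 2202 vectors pass:", rfc2202_self_test())
```

The plain-hash path shows why the slide's hash tool proves nothing about authenticity: the digest travels with the message, so whoever changes one can change the other. The HMAC path fails for the attacker because the tag depends on a key the attacker does not hold; `hmac.compare_digest` avoids leaking the comparison through timing.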
VPN Authentication • When conducting business long distance, it is necessary to know who is at the other end of the phone, e-mail, or fax. The same is true of VPN networks. • The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. There are two peer authentication methods: • Pre-shared key (PSK) - a secret configured on both peers. It must be long, random and unique per peer; a short or group-wide PSK is the usual weakness, and IKEv1 aggressive mode with PSK exposes a hash of it to offline guessing. • RSA signature - each peer proves possession of a private key whose public key is carried in a digital certificate.
Internet Protocol Security (IPsec) • IPsec works at layer 3. • IPsec can provide: data privacy, integrity, authenticity, and anti-replay protection. • IPsec can work in two modes: transport mode and tunnel mode. • There are two core protocols in IPsec: AH (Authentication Header) and ESP (Encapsulating Security Payload).
Internet Protocol Security (IPsec) There are two main IPsec framework protocols. • Authentication Header (AH) - Use when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems, including most of the IP header itself. • Encapsulating Security Payload (ESP) - Provides confidentiality and, optionally, authentication by encrypting the IP payload. In tunnel mode the original IP header is encrypted as well, so the identities of the inner source and destination are concealed and only the VPN gateway addresses are visible.
IPsec – Transport Mode • Leaves the original IP header in place and inserts the AH or ESP header after it; only the payload is protected. • Can use either AH or ESP. • Does not work across NAT: AH's integrity check covers the IP addresses, and with ESP the transport-layer checksum inside the encrypted payload still covers the original addresses that NAT rewrites. • Suited for host-to-host security within a LAN. Layout: IP Header | AH / ESP Header | Payload
IPsec – Tunnel Mode • Encapsulates the whole secured IP packet inside a new IP packet addressed between the VPN gateways. • Can use either AH or ESP. • ESP tunnel mode can work across NAT (with NAT traversal, UDP port 4500 encapsulation, where ports are translated); AH still cannot, because it authenticates the outer header. • Suited for gateway-to-gateway and remote-access VPN security. Layout: New IP Header | AH / ESP Header | IP Header | Payload
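An added example (not from the slides) that builds the two packet layouts above and shows why AH fails across NAT while ESP tunnel mode survives it. It uses ESP with the NULL cipher (RFC 2410) and HMAC-SHA1-96 for both protocols so that the integrity coverage, not the encryption, is what is being demonstrated; a real tunnel would encrypt the ESP payload with AES. The key, SPIs and addresses are constructed (the addresses are borrowed from the chapter's lab topology), and `nat_rewrite_source` is a hypothetical stand-in for what a NAT device does to the outer header.

```python
import hashlib
import hmac
import socket
import struct

# Constructed values for the demonstration (not from the slides).
KEY = b"\x0b" * 20                      # 160-bit HMAC-SHA1 integrity key
AH, ESP, IPIP, UDP = 51, 50, 4, 17      # IP protocol numbers
ICV_LEN = 12                            # HMAC-SHA1-96 keeps the first 96 bits of the tag


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """AH authenticates the IP header with its mutable fields (TOS, flags/fragment offset,
    TTL, checksum) zeroed. Addresses are not mutable, so any NAT rewrite breaks the ICV."""
    return (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00" + ip_hdr[9:10]
            + b"\x00\x00" + ip_hdr[12:])


def build_ah_transport(src: str, dst: str, inner_proto: int, payload: bytes,
                       spi: int = 0x100, seq: int = 1) -> bytes:
    """Transport mode: original header | AH | payload. The ICV covers header and payload."""
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, AH, ah_len + len(payload))
    ah_fixed = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    tag = icv(ah_immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return ip_hdr + ah_fixed + tag + payload


def verify_ah(pkt: bytes) -> bool:
    ip_hdr, ah_fixed, tag, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    expected = icv(ah_immutable_view(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(tag, expected)


def build_esp_tunnel(outer_src: str, outer_dst: str, inner_pkt: bytes,
                     spi: int = 0x200, seq: int = 1) -> bytes:
    """Tunnel mode: new header | ESP | original packet | trailer | ICV. The ICV covers the
    ESP header and payload only, so the outer header may be rewritten by NAT."""
    pad_len = (-(len(inner_pkt) + 2)) % 4                          # align trailer to 32 bits
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP])  # next header = IP-in-IP
    esp = struct.pack("!II", spi, seq) + inner_pkt + trailer         # NULL cipher: no encryption
    esp += icv(esp)
    return ipv4_header(outer_src, outer_dst, ESP, len(esp)) + esp


def verify_esp(pkt: bytes) -> bool:
    return hmac.compare_digest(pkt[-ICV_LEN:], icv(pkt[20:-ICV_LEN]))


def nat_rewrite_source(pkt: bytes, new_src: str) -> bytes:
    """Hypothetical NAT device: new outer source address and a recomputed header checksum."""
    hdr = pkt[:10] + b"\x00\x00" + socket.inet_aton(new_src) + pkt[16:20]
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + pkt[20:]


if __name__ == "__main__":
    ah_pkt = build_ah_transport("192.168.10.10", "192.168.20.254", UDP, b"teleworker data")
    print("AH verifies:", verify_ah(ah_pkt))
    print("AH after NAT verifies:", verify_ah(nat_rewrite_source(ah_pkt, "209.165.201.1")))
    inner = ipv4_header("192.168.10.10", "192.168.20.254", UDP, 8) + b"\x00" * 8
    esp_pkt = build_esp_tunnel("209.165.201.1", "209.165.202.129", inner)
    print("ESP tunnel verifies:", verify_esp(esp_pkt))
    print("ESP tunnel after NAT verifies:", verify_esp(nat_rewrite_source(esp_pkt, "209.165.200.226")))
```

The ESP check still passes after the outer source address changes because nothing in the outer header is under the ICV; the AH check fails for exactly the opposite reason. Port translation would additionally require NAT-T, since ESP carries no port numbers for the NAT to rewrite.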
IPsec Configuration IPsec provides the security framework, and the administrator chooses the algorithms used to implement the security services within that framework. There are four IPsec security considerations: • Choose an IPsec protocol. The choices are AH, ESP, or ESP with AH; ESP is the usual choice, since it can provide both confidentiality and integrity. • Choose an encryption algorithm if IPsec is implemented with ESP. Choose the algorithm that is appropriate for the desired level of security: DES, 3DES, or AES. DES is no longer considered secure; AES is the current default. • Choose an authentication algorithm to provide data integrity: MD5 or SHA. Prefer SHA, and SHA-2 where the platform supports it. • Choose a key-sharing mechanism from the Diffie-Hellman (DH) algorithm groups, historically DH1 (768-bit) or DH2 (1024-bit). Both are now considered too weak; group 14 (2048-bit) or an elliptic-curve group (19 or 20) should be used where available.
Any Questions?
Lab Topology Chapter 5.2.8 – Standard ACLs (figure: routers R1, R2, R3 and ISP; R1 connects LANs 192.168.10.0/24 (S1, PC1 192.168.10.10) on Fa0/0 and 192.168.11.0/24 (S2, PC2 192.168.11.10) on Fa0/1; R3 connects LAN 192.168.30.0/24 (S3, PC3 192.168.30.10, PC4 192.168.30.128) on Fa0/0; R2 connects LAN 192.168.20.0/24 (WWW/TFTP server 192.168.20.254) on Fa0/0 and 209.165.201.0/27 (WWW server 209.165.201.30) on Fa0/1; serial links 10.1.1.0/30 (R1–R2) and 10.2.2.0/30 (R2–R3); the R2–ISP link is 209.165.200.224/27 (R2 .226, ISP .225); the ISP LAN 209.165.202.128/27 holds the external host 209.165.202.158.) Requirements: • Allow only PC1 to Telnet to R3. • The 192.168.10.0/24 network is allowed access to all locations, except the 192.168.11.0/24 network. • The 192.168.11.0/24 network is allowed access to all destinations, except to any networks connected to the ISP. • The 192.168.30.0/24 network is allowed access to all destinations. • Host 192.168.30.128 is not allowed access outside of the LAN.
Lab Topology Chapter 5.3.4 – Extended ACLs (same topology as the standard ACL lab above.) Requirements on traffic arriving from the ISP at R2: • Outside hosts are allowed to establish a web session with the internal web server on port 80 only. • Only established TCP sessions are allowed in. • Only ping replies are allowed through R2. Requirements for the 192.168.30.0/24 network: • All IP addresses of the 192.168.30.0/24 network are blocked from accessing all IP addresses of the 192.168.20.0/24 network. • The first half of 192.168.30.0/24 is allowed access to all other destinations. • The second half of 192.168.30.0/24 is allowed access to the 192.168.10.0/24 and 192.168.11.0/24 networks. • The second half of 192.168.30.0/24 is allowed web and ICMP access to all remaining destinations. • All other access is implicitly denied. Requirements for R1's LANs: • For the 192.168.10.0/24 network, block Telnet access to all locations and TFTP access to the corporate Web/TFTP server at 192.168.20.254. All other access is allowed. • For the 192.168.11.0/24 network, allow TFTP access and web access to the corporate Web/TFTP server at 192.168.20.254. Block all other traffic from the 192.168.11.0/24 network to the 192.168.20.0/24 network. All other access is allowed.
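An added example, not part of the lab material, that models the Cisco ACL semantics both labs rely on (wildcard masks, first match wins, the implicit deny at the end, and the `established` keyword) in Python, and encodes two of the requirements above. The `Packet` and `Ace` types, the ACL names, and the choice of which router interface each list sits on are assumptions made for the example; the code imitates how IOS evaluates a list, it is not IOS.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"                      # "ip", "tcp", "udp", "icmp"
    dport: int = 0
    tcp_flags: Set[str] = field(default_factory=set)
    icmp_type: str = ""                    # e.g. "echo", "echo-reply"


@dataclass
class Ace:
    """One access control entry, written the way an IOS line reads."""
    action: str                            # "permit" or "deny"
    src: str = "any"                       # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W"
    dst: str = "any"
    proto: str = "ip"
    dport: Optional[int] = None            # "eq <port>"
    established: bool = False              # matches TCP segments with ACK or RST set
    icmp_type: Optional[str] = None


def matches(spec: str, addr: str) -> bool:
    """Wildcard-mask match: a 1 bit in the mask means 'don't care'; 'host X' is X 0.0.0.0."""
    if spec == "any":
        return True
    base, wild = (spec[5:], "0.0.0.0") if spec.startswith("host ") else spec.split()
    b, w, a = (int(ipaddress.IPv4Address(x)) for x in (base, wild, addr))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; a packet matching no entry hits the implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (matches(ace.src, pkt.src) and matches(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if ace.established and not ({"ACK", "RST"} & pkt.tcp_flags):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, index
    return "deny", None


# Lab 5.2.8: PC4 (192.168.30.128) stays inside its LAN, the rest of 192.168.30.0/24 may go
# anywhere. Assumed to be applied inbound on R3's LAN interface.
R3_LAN_IN = [
    Ace("deny", "host 192.168.30.128"),
    Ace("permit", "192.168.30.0 0.0.0.255"),
]
# The same two lines in the wrong order: the host deny is never reached.
R3_LAN_IN_WRONG_ORDER = list(reversed(R3_LAN_IN))

# Lab 5.3.4: traffic from the ISP into R2. Web to the public server on port 80 only,
# return traffic of established TCP sessions, and ping replies; everything else is dropped.
R2_FROM_ISP = [
    Ace("permit", "any", "host 209.165.201.30", "tcp", dport=80),
    Ace("permit", "any", "any", "tcp", established=True),
    Ace("permit", "any", "any", "icmp", icmp_type="echo-reply"),
]


if __name__ == "__main__":
    ext, web, pc1 = "209.165.202.158", "209.165.201.30", "192.168.10.10"
    print("PC4 leaving the LAN:", evaluate(R3_LAN_IN, Packet("192.168.30.128", "192.168.20.254")))
    print("PC4, lines swapped:", evaluate(R3_LAN_IN_WRONG_ORDER, Packet("192.168.30.128", "192.168.20.254")))
    print("web SYN to server:", evaluate(R2_FROM_ISP, Packet(ext, web, "tcp", 80, {"SYN"})))
    print("telnet SYN to server:", evaluate(R2_FROM_ISP, Packet(ext, web, "tcp", 23, {"SYN"})))
    print("crafted ACK to PC1:", evaluate(R2_FROM_ISP, Packet(ext, pc1, "tcp", 445, {"ACK"})))
    print("echo request to PC1:", evaluate(R2_FROM_ISP, Packet(ext, pc1, "icmp", icmp_type="echo")))
```

Two things worth noticing from the output. Swapping the two standard ACL lines silently lets PC4 out, because the broader permit matches first; ordering bugs of this kind leave no trace in the configuration. And `established` is a stateless check on the ACK/RST bits, so an outside host that simply sets ACK on a crafted segment passes the second entry; it stops new connections from a well-behaved stack, not a scanner, which is why a stateful firewall is the stronger control.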