Chap 6 – Providing Teleworker Services Learning Objectives

Date post: 04-Jan-2016
Upload: muniya
Chap 6 – Providing Teleworker Services Learning Objectives. Describe the enterprise requirements for providing teleworker services Explain how broadband services extend Enterprise Networks including DSL, cable, and wireless - PowerPoint PPT Presentation
Transcript
Page 1: Chap 6 – Providing Teleworker Services   Learning Objectives

Chap 6 – Providing Teleworker Services

Learning Objectives

• Describe the enterprise requirements for providing teleworker services

• Explain how broadband services extend Enterprise Networks including DSL, cable, and wireless

• Describe how VPN technology provides secure teleworker services in an Enterprise setting

Page 2

Teleworking Benefits

Organisational benefits:

• Continuity of operations
• Increased responsiveness
• Secure, reliable, and manageable access to information
• Cost-effective integration of data, voice, video, and applications
• Increased employee productivity, satisfaction, and retention

Social benefits:

• Increased employment opportunities for marginalized groups
• Less travel and commuter related stress

Environmental benefits:

• Reduced carbon footprints, both for individual workers and organisations

Page 3

Remote Connection Options

[Diagram: Teleworker, Main Office and Supplier linked by IPsec VPN over broadband ISPs and by a Layer 2 VPN (Frame Relay, ATM).]

Page 4

Virtual Private Network (VPN)

•A VPN is a private data network that uses the public telecommunication infrastructure. VPN security maintains privacy using a tunneling protocol and security procedures.

Page 5

Connecting Teleworkers

• Dialup access - An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option, and is typically used by mobile workers in areas where higher speed connection options are not available.

• DSL - Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet, using a special high-speed modem.

• Cable modem - Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television.

• Satellite - Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.

Page 6

Cable Modem

• Coaxial cable is widely used in urban areas to distribute television signals.

• Network access is available from some cable television networks - allows for greater bandwidth than the conventional telephone local loop.

Page 7

Cable Frequency Plan

•Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers).

•Upstream - The direction of the RF signal transmission from subscribers to the headend, or the return or reverse path.

Page 8

Cable Modem

• Cable modems provide an always-on connection and a simple installation.

• A cable modem is capable of delivering up to 30 to 40 Mbps of data on one 6 MHz cable channel.

• With a cable modem, a subscriber can continue to receive cable television service while simultaneously receiving data to a personal computer.

Page 9

Data-over-Cable Service Interface Specification (DOCSIS)

• DOCSIS defines the communications and operation support interface requirements for a data-over-cable system, and permits the addition of high-speed data transfer to an existing CATV system.

• Cable operators employ DOCSIS to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure.

• DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:

• Physical layer - For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques.

• MAC layer - Defines a deterministic access method, time-division multiple access (TDMA) or synchronous code division multiple access method (S-CDMA).

Page 10

[Diagram: Email & Web servers behind the CMTS at the headend; fibre (FO) runs to the Fibre Node, coax from the node to several Cable Modems.]

Two types of equipment are required to send digital modem signals upstream and downstream on a cable system:

• Cable modem termination system (CMTS) at the headend of the cable operator.
• Cable modem (CM) on the subscriber end.

Page 11

Digital Subscriber Line (DSL)

• Digital Subscriber Line (DSL) technology is a broadband technology that uses existing twisted-pair telephone lines to transport high-bandwidth data to service subscribers.

• DSL technology allows the local loop line to be used for normal telephone voice connection and an always-on connection for instant network connectivity. The two basic types of DSL technologies are asymmetric (ADSL) and symmetric (SDSL).

• All forms of DSL service are categorized as ADSL or SDSL and there are several varieties of each type.

• Asymmetric service provides higher download or downstream bandwidth to the user than upload bandwidth.

• Symmetric service provides the same capacity in both directions.

Page 12

What is DSL?

• DSL uses the high frequency range of up to about 1 MHz.

• For example, asymmetric digital subscriber line (ADSL) uses the frequency range of about 42 kHz to 1 MHz.

• ADSL does not overlap the Plain Old Telephone Service (POTS) voice frequency range (300 – 4000 Hz).

• POTS and ADSL service can coexist over the same wire.

Page 13

Digital Subscriber Line (DSL)

[Diagram: frequency axis from 0 Hz to 1.1 MHz showing Voice (channel 0), Up stream (channels 6-30) and Down stream (channels 31-255).]

Channel (4 kHz each):

• Channel 0 – analogue voice (traditional modem channel)
• Chan 6-30 – upstream data and control (1.44 Mbps max)
• Chan 21-255 – downstream data and control (13.44 Mbps max)

Page 14

Digital Subscriber Line (DSL)

[Diagram: at the subscriber, a filter separates analogue voice (300-3400 Hz) from the DSL modem's modulated data (30 kHz-1.1 MHz) on the local loop; at the carrier end, a filter passes voice to the PSTN and the DSLAM passes digital data to the ISP.]

• Transceiver - Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.

• DSLAM - Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, onwards to the Internet.

Page 15

ADSL Filters & Splitters

• When the service provider puts analog voice and ADSL on the same wire, the provider splits the POTS channel from the ADSL modem using filters or splitters.

• This setup guarantees uninterrupted regular phone service even if ADSL fails. When filters or splitters are in place, the user can use the phone line and the ADSL connection simultaneously without adverse effects on either service.

Page 16

DSL Access Multiplexer (DSLAM)

• Multiple DSL subscriber lines are multiplexed into a single, high capacity link by the use of a DSL Access Multiplexer (DSLAM) at the provider location.

• DSLAMs incorporate TDM technology to aggregate many subscriber lines into a less cumbersome single medium, generally at 8.192 Mbps.

Page 17

Why Wireless?

• Mobility
• Scalability
• Flexibility
• Short & long term cost savings
• Installation advantages
• Reliability in harsh environments
• Reduced installation time

Page 18

Worldwide Interoperability for Microwave Access (WiMax)

• A telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access.

• Based on the IEEE 802.16 standard, which is also called WirelessMAN.

• WiMAX allows a user to browse the Internet on a laptop computer without physically connecting the laptop to a wall socket.

Page 19

Broadband Wireless Access

[Diagram: a WiMax Base Station with a wired or wireless backhaul to the ISP and the Internet serves several 802.16 subscriber links; a DSL coverage area (<=5.5 km) is marked for comparison.]

Page 20

WiMax Applications

In addition to providing a wireless alternative to cable and DSL for last mile (last km) broadband access, 802.16 can be applied to the following situations:

• Connecting Wi-Fi hotspots with each other and to other parts of the Internet.

• Providing high-speed data and telecommunications services.

• Providing a diverse source of Internet connectivity as part of a business continuity plan. That is, if a business has a fixed and a wireless Internet connection, especially from unrelated providers, they are unlikely to be affected by the same service outage.

• Providing nomadic connectivity.

Page 21

Wireless Considerations

Subscribers can have a variety of receiving equipment:

• External Antenna
• Indoor WiMax router
• WiMax PCM Card
• Integral WiMax Antenna

Receivers located indoors, or with integral antennas, will need more power from the base station to achieve a satisfactory SNR.

Page 22

Benefits of VPNs

• Each LAN can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN.

• A VPN can grow to accommodate more users and different locations much more easily than a leased line.

• Scalability is a major advantage that VPNs have over typical leased lines, as the cost does not increase in proportion to the distances involved.

Page 23

Benefits of VPNs

• Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.

• Security - Advanced encryption and authentication protocols protect data from unauthorised access.

• Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organisations, big and small, are able to add large amounts of capacity without adding significant infrastructure.

Page 24

Site-to-Site VPNs

[Diagram: two sites joined by VPN gateways - Firewall, Router, ASA.]

• A site-to-site VPN is an extension of classic WAN networking, connecting entire networks to each other.

• In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA).

Page 25

Remote Access VPNs

[Diagram: remote hosts connect to a VPN gateway - Firewall, Router, ASA or Concentrator.]

• In a remote-access VPN, each host typically has VPN client software.

• Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.

Page 26

VPN Security

• The key to VPN effectiveness is security. VPNs secure data by encapsulating or encrypting the data. Most VPNs can do both.

• Encapsulation is also referred to as tunneling, because encapsulation transmits data transparently from network to network through a shared network infrastructure.

• Encryption codes data into a different format using a secret key. Decryption decodes encrypted data into the original unencrypted format.

Page 27

VPN Security

The foundation of a secure VPN is data confidentiality, data integrity, and authentication:

• Data confidentiality - As a design feature, data confidentiality aims at protecting the contents of messages from interception. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.

• Data integrity - Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity.

• Authentication - Ensures that a message comes from an authentic source and goes to an authentic destination. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.

Page 28

Tunnelling Protocols

• Create secure tunnels through un-secure networks (the Internet).

• Most common protocols are:

• Generic Route Encapsulation (GRE)
• Point-to-Point Tunnelling Protocol (PPTP)
• Layer 2 Forwarding (L2F)
• Layer 2 Tunnelling Protocol (L2TP)
• Internet Protocol Security (IPSec) for L2TP
• Secure Shell (SSH)

Page 29

Tunnelling Protocols

• Carrier protocol - The protocol over which the information is traveling (Frame Relay, ATM, MPLS).

• Encapsulating protocol - The protocol that is wrapped around the original data (GRE, IPSec, L2F, PPTP, L2TP).

• Passenger protocol - The protocol over which the original data was being carried (IPX, AppleTalk, IPv4, IPv6).

Page 30

Packet Encapsulation

[Diagram: Computer - R1 (VPN Device) - VPN Tunnel - R2 (VPN Device) - Computer. The original IP Packet arrives in a Frame; the VPN device wraps it as IP Packet | GRE | IP | IPsec inside a new Frame for the tunnel, and the far VPN device strips these headers and delivers the original IP Packet in a Frame.]

• GRE was developed by Cisco and was designed to be stateless; the tunnel end-points do not monitor the state or availability of other tunnel end-points.

• IPsec (IP security) is used for securing IP communications by authenticating and/or encrypting each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment.

Page 31

Encryption Algorithms

• Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem.

• Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.

• Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.

• Rivest, Shamir, and Adleman (RSA) - An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.

Page 32

Encryption Algorithms

Symmetric Encryption

• DES and 3DES require a shared secret key to perform encryption and decryption.
• Each of the two computers must know the key to decode the information.

Asymmetric Encryption

• RSA uses different keys for encryption and decryption.
• One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.

Page 33

Data Integrity - Hashing

• Hashes contribute to data integrity and authentication by ensuring that unauthorised persons do not tamper with transmitted messages.

• A hash, also called a message digest, is a number generated from a string of text. The hash is smaller than the text itself.

• It is generated using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.

Page 34

MD5 Hash Tool

1. Run hash tool on a text document – hash generated using algorithm and document contents

2. Change text within document

3. Run hash tool on changed document – hash is different, as the document contents are different

Page 35

Hashed Message Authentication Code

• VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms. A keyed hashed message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message.

• A HMAC has two parameters: a message input and a secret key known only to the message originator and intended receivers. The message sender uses a HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input.

• The message authentication code is sent along with the message. The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used, and compares the result computed with the received message authentication code. If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key.

Page 36

Hashed Message Authentication Code

There are two common HMAC algorithms:

• Message Digest 5 (MD5) - Uses a 128-bit shared secret key. The variable length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.

• Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key. The variable length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
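The Python below is an added example, not part of the slide deck. It reproduces the hash-tool experiment of Page 34 (edit the document, the MD5 changes) next to the keyed check of Pages 35 and 36 (HMAC-MD5 and HMAC-SHA-1, verified with a constant-time comparison), showing why a plain hash alone cannot prove who sent a message. The document text and the shared key are constructed values.

```python
import hashlib
import hmac

# Constructed sample "document" and a constructed shared key (neither comes from the slides).
DOCUMENT = b"Purchase order 4711: ship 100 units to the Leeds warehouse.\n"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def md5_digest(data: bytes) -> str:
    """Page 34's hash tool: the digest depends only on the document contents."""
    return hashlib.md5(data).hexdigest()


def hmac_tag(key: bytes, message: bytes, algorithm: str = "sha1") -> bytes:
    """Sender side: condense the secret key and the message into the authentication code."""
    return hmac.new(key, message, algorithm).digest()


def verify_hmac(key: bytes, message: bytes, received_tag: bytes, algorithm: str = "sha1") -> bool:
    """Receiver side: recompute with the same key and compare without leaking timing."""
    expected = hmac_tag(key, message, algorithm)
    return hmac.compare_digest(expected, received_tag)


def tamper(message: bytes) -> bytes:
    """Simulate an in-transit change: 100 units become 900."""
    return message.replace(b"100 units", b"900 units")


def demo() -> dict:
    tampered = tamper(DOCUMENT)
    results = {
        # Plain hash: any edit gives a different digest ...
        "md5_changes_on_edit": md5_digest(DOCUMENT) != md5_digest(tampered),
        # ... but anyone can recompute it, so a (message, hash) pair proves nothing about origin.
        "md5_recomputable_without_key": md5_digest(tampered) == hashlib.md5(tampered).hexdigest(),
    }
    tag = hmac_tag(SHARED_KEY, DOCUMENT)
    results["hmac_sha1_tag_bits"] = len(tag) * 8                                   # 160-bit output
    results["hmac_md5_tag_bits"] = len(hmac_tag(SHARED_KEY, DOCUMENT, "md5")) * 8  # 128-bit output
    results["genuine_message_verifies"] = verify_hmac(SHARED_KEY, DOCUMENT, tag)
    results["tampered_message_rejected"] = not verify_hmac(SHARED_KEY, tampered, tag)
    # Without the shared key, no valid tag can be produced for the altered message.
    forged_tag = hmac_tag(b"wrong-key", tampered)
    results["forged_tag_rejected"] = not verify_hmac(SHARED_KEY, tampered, forged_tag)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```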

Page 37

VPN Authentication

• When conducting business long distance, it is necessary to know who is at the other end of the phone, e-mail, or fax. The same is true of VPN networks.

• The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. There are two peer authentication methods:

1. Pre-shared key (PSK)
2. RSA signature

Page 38

Internet Protocol Security (IPsec)

• IPsec works at layer 3

• IPsec can provide:

1. Data privacy
2. Integrity
3. Authenticity
4. Anti-replay

• IPsec can work in two modes: Transport and Tunnel mode

• There are two core protocols in IPsec:

1. AH (Authentication Headers)
2. ESP (Encapsulating Security Payload)

Page 39

Internet Protocol Security (IPsec)

There are two main IPsec framework protocols.

• Authentication Header (AH) - Use when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems.

• Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet. IP packet encryption conceals the data and the identities of the source and destination.

Page 40

IPsec – Transport Mode

• Leaves original IP headers alone
• Can use either AH or ESP
• Does not work across NAT networks
• Suited for LAN security

[Packet layout: IP Header | AH / ESP Header | Payload]

Page 41

IPsec – Tunnel Mode

• Encapsulates secured IP packet inside a new IP packet
• Can use either AH or ESP
• Can work across NAT networks
• Suited for VPN security

[Packet layout: New IP Header | AH / ESP Header | IP Header | Payload]
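The Python below is an added example, not part of the slide deck, and models why the NAT bullets on Pages 40 and 41 differ. It is a deliberately simplified ESP: the integrity check covers only the protected payload (never the outer IP header), the TCP checksum inside the payload covers a pseudo-header with the IP addresses, and the home NAT rewrites the outer source address. In transport mode the gateway validates that checksum against the rewritten outer addresses and it fails; in tunnel mode the inner IP header travels inside ESP unchanged, so it still validates. The key, the addresses and the toy segment format are constructed assumptions; real ESP encrypts the payload and negotiates keys with IKE.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed demo values (not from the slides); a real ESP key would come from IKE.
ESP_KEY = b"constructed-esp-integrity-key"
TELEWORKER = "192.168.1.20"   # private address behind the home NAT
NAT_PUBLIC = "203.0.113.7"    # address the NAT rewrites the outer source to
GATEWAY = "198.51.100.1"      # corporate VPN gateway


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement checksum as used by TCP/UDP (simplified)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """The TCP checksum covers a pseudo-header holding the IP addresses, plus the segment."""
    pseudo = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return ones_complement_sum(pseudo + segment)


@dataclass
class Packet:
    src: str          # outer IP header: rewritable by NAT
    dst: str
    payload: bytes    # protected by ESP: TCP segment (transport) or whole inner IP packet (tunnel)
    icv: bytes        # ESP integrity check value; covers the payload, never the outer IP header


def build_segment(src: str, dst: str, data: bytes) -> bytes:
    """A toy TCP segment: 2-byte checksum followed by the data."""
    return tcp_checksum(src, dst, data).to_bytes(2, "big") + data


def esp_protect(payload: bytes) -> Packet:
    icv = hmac.new(ESP_KEY, payload, hashlib.sha256).digest()
    return Packet(TELEWORKER, GATEWAY, payload, icv)


def transport_mode(data: bytes) -> Packet:
    """Original IP header kept; only the TCP segment goes inside ESP."""
    return esp_protect(build_segment(TELEWORKER, GATEWAY, data))


def tunnel_mode(data: bytes) -> Packet:
    """Whole inner IP packet (inner addresses + segment) goes inside ESP under a new outer header."""
    inner = ipaddress.ip_address(TELEWORKER).packed + ipaddress.ip_address(GATEWAY).packed
    return esp_protect(inner + build_segment(TELEWORKER, GATEWAY, data))


def home_nat(pkt: Packet) -> Packet:
    """The NAT rewrites the outer source address; the protected payload is opaque to it."""
    return Packet(NAT_PUBLIC, pkt.dst, pkt.payload, pkt.icv)


def gateway_receive(pkt: Packet, tunnel: bool) -> dict:
    """Verify the ESP ICV, then validate the TCP checksum the way the receiving stack would."""
    expected = hmac.new(ESP_KEY, pkt.payload, hashlib.sha256).digest()
    icv_ok = hmac.compare_digest(expected, pkt.icv)
    if tunnel:  # addresses come from the preserved inner header
        src = str(ipaddress.ip_address(pkt.payload[:4]))
        dst = str(ipaddress.ip_address(pkt.payload[4:8]))
        segment = pkt.payload[8:]
    else:       # addresses come from the outer header, which NAT has changed
        src, dst, segment = pkt.src, pkt.dst, pkt.payload
    stored = int.from_bytes(segment[:2], "big")
    return {"esp_icv_ok": icv_ok, "tcp_checksum_ok": stored == tcp_checksum(src, dst, segment[2:])}


def demo() -> dict:
    data = b"GET /intranet/ HTTP/1.1"
    return {
        "transport_mode_after_nat": gateway_receive(home_nat(transport_mode(data)), tunnel=False),
        "tunnel_mode_after_nat": gateway_receive(home_nat(tunnel_mode(data)), tunnel=True),
    }
```

With AH the outer header itself is covered by the integrity check, so a rewritten source address fails the ICV directly in either mode; the example keeps to ESP to show the checksum effect in isolation.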

Page 42

IPsec Configuration

IPsec provides the security framework, and the administrator chooses the algorithms used to implement the security services within that framework. There are four IPsec security considerations:

1. Choose an IPsec protocol. The choices are ESP or ESP with AH.

2. Choose an encryption algorithm if IPsec is implemented with ESP. Choose the encryption algorithm that is appropriate for the desired level of security: DES, 3DES, or AES.

3. Choose an authentication algorithm to provide data integrity: MD5 or SHA.

4. Choose a key-sharing mechanism from the Diffie-Hellman (DH) algorithm group - DH1 or DH2.

Page 43

Chap 6 – Providing Teleworker Services

Learning Objectives

• Describe the enterprise requirements for providing teleworker services

• Explain how broadband services extend Enterprise Networks including DSL, cable, and wireless

• Describe how VPN technology provides secure teleworker services in an Enterprise setting

Page 44

Any Questions?

Page 45

Lab Topology: Chapter 5.2.8 – Standard ACLs

[Topology diagram: R1 Fa0/0 serves 192.168.10.0/24 (PC1 192.168.10.10, switch S1) and Fa0/1 serves 192.168.11.0/24 (PC2 192.168.11.10, switch S2). R1 and R2 are linked by serial (DCE) over 10.1.1.0/30 (.1/.2); R2 and R3 over 10.2.2.0/30 (.1/.2). R3 Fa0/0 serves 192.168.30.0/24 (PC3 192.168.30.10, PC4 192.168.30.128, switch S3). R2 Fa0/0 192.168.20.1 serves the WWW/TFTP server 192.168.20.254/24. R2 S0/1/0 links to the ISP S0/0/1 (DCE) over 209.165.200.224/27 (.225/.226); behind the ISP are WWW 209.165.201.30/27 (Fa0/0 209.165.201.1/27) and Ext Host 209.165.202.158/27 (Fa0/1 209.165.202.129/27).]

• The 192.168.10.0/24 network is allowed access to all locations, except the 192.168.11.0/24 network.

• The 192.168.11.0/24 network is allowed access to all destinations, except to any networks connected to the ISP.

• The 192.168.30.0/10 network is allowed access to all destinations.

• Host 192.168.30.128 is not allowed access outside of the LAN.

• Allow only PC1 to Telnet to R3.

Page 46

Lab Topology: Chapter 5.3.4 – Extended ACLs

[Topology diagram: identical to Page 45.]

• All IP addresses of the 192.168.30.0/24 network are blocked from accessing all IP addresses of the 192.168.20.0/24 network.

• The first half of 192.168.30.0/24 is allowed access to all other destinations.

• The second half of the 192.168.30.0/24 network is allowed access to the 192.168.10.0/24 and 192.168.11.0/24 networks.

• The second half of 192.168.30.0/24 is allowed web and ICMP access to all remaining destinations.

• All other access is implicitly denied.

• For the 192.168.10.0/24 network, block Telnet access to all locations and TFTP access to the corporate Web/TFTP server at 192.168.20.254. All other access is allowed.

• For the 192.168.11.0/24 network, allow TFTP access and web access to the corporate Web/TFTP server at 192.168.20.254. Block all other traffic from the 192.168.11.0/24 network to the 192.168.20.0/24 network. All other access is allowed.

• Outside hosts are allowed to establish a web session with the internal web server on port 80 only.

• Only established TCP sessions are allowed in.

• Only ping replies are allowed through R2.
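The Python below is an added example, not part of the lab. It models how a router evaluates an extended ACL (top-down, first match wins, wildcard masks, implicit deny at the end) and encodes the 192.168.30.0/24 requirements from the Extended ACLs lab as ordered entries, so the policy can be checked against constructed traffic from PC3 and PC4 before it is typed into a router. The `Entry` type, the evaluator and the test packets are assumptions; the networks and hosts are the lab's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'ignore this bit', a 0 bit means 'must match'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(network))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (n & ~w)


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dport: Optional[int] = None   # destination port, only checked when given

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return wildcard_match(src, self.src, self.src_wc) and wildcard_match(dst, self.dst, self.dst_wc)


ANY = ("0.0.0.0", "255.255.255.255")

# The 192.168.30.0/24 policy from the lab requirements, in the order the router must check it.
ACL_30_NET = [
    # all of 192.168.30.0/24 is blocked from 192.168.20.0/24 (must come first)
    Entry("deny", "ip", "192.168.30.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    # first half (192.168.30.0-127) reaches every other destination
    Entry("permit", "ip", "192.168.30.0", "0.0.0.127", *ANY),
    # second half (192.168.30.128-255) reaches 192.168.10.0/24 and 192.168.11.0/24
    Entry("permit", "ip", "192.168.30.128", "0.0.0.127", "192.168.10.0", "0.0.0.255"),
    Entry("permit", "ip", "192.168.30.128", "0.0.0.127", "192.168.11.0", "0.0.0.255"),
    # second half gets web (tcp/80) and ICMP to all remaining destinations
    Entry("permit", "tcp", "192.168.30.128", "0.0.0.127", *ANY, dport=80),
    Entry("permit", "icmp", "192.168.30.128", "0.0.0.127", *ANY),
    # everything else falls through to the implicit deny
]


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching entry decides; an ACL that matches nothing denies the packet."""
    for entry in acl:
        if entry.matches(proto, src, dst, dport):
            return entry.action
    return "deny"


def demo() -> dict:
    """Constructed traffic from PC3 (first half) and PC4 (second half) of 192.168.30.0/24."""
    return {
        "pc3_tftp_to_server": evaluate(ACL_30_NET, "udp", "192.168.30.10", "192.168.20.254", 69),
        "pc3_web_external": evaluate(ACL_30_NET, "tcp", "192.168.30.10", "209.165.201.30", 80),
        "pc4_telnet_pc1": evaluate(ACL_30_NET, "tcp", "192.168.30.128", "192.168.10.10", 23),
        "pc4_web_external": evaluate(ACL_30_NET, "tcp", "192.168.30.128", "209.165.201.30", 80),
        "pc4_ping_external": evaluate(ACL_30_NET, "icmp", "192.168.30.128", "209.165.202.158"),
        "pc4_ssh_external": evaluate(ACL_30_NET, "tcp", "192.168.30.128", "209.165.201.30", 22),
        "pc4_web_to_server": evaluate(ACL_30_NET, "tcp", "192.168.30.128", "192.168.20.254", 80),
    }
```

Swapping the first two entries would let the first half of the subnet reach 192.168.20.0/24, which is the kind of ordering mistake this check catches before deployment.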

