Exploration_Accessing_WAN_Chapter6


Providing Teleworker Services
Accessing the WAN – Chapter 6
ITE I Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Objectives

Describe the enterprise requirements for providing
teleworker services

Explain how broadband services extend Enterprise
Networks including DSL, cable, and wireless

Describe how VPN technology provides secure
teleworker services in an Enterprise setting
Teleworking
• Teleworking is a broad term referring to conducting work by connecting to a workplace from a remote location, with the assistance of telecommunications.
• Efficient teleworking is possible because of:
  – Broadband Internet connections
  – Virtual private networks (VPN)
  – Voice over IP (VoIP), and
  – Videoconferencing.
• Teleworking can save money otherwise spent on travel, infrastructure, and facilities support.
Benefits of Teleworking
• Benefits of teleworkers for business, society and the environment.
Teleworker Solutions
• Organizations need secure, reliable, and cost-effective networks to connect:
  – corporate headquarters,
  – branch offices, and
  – suppliers.
• With the growing number of teleworkers, enterprises have an increasing need for:
  – secure,
  – reliable, and
  – cost-effective ways to connect people working in small offices and home offices (SOHOs), and other remote locations, with resources on corporate sites.
Conti…
Conti…
• To connect effectively to their organization's networks, teleworkers need two key sets of components:
  – Home office components
    The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer. Additional components might include a wireless access point.
  – Corporate components
    Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.
• Note: IPsec (IP Security) is the favored approach to building secure VPN tunnels. IPsec works at the network (packet-processing) layer.
Conti…
Broadband Services
• Teleworkers typically use diverse applications that require a high-bandwidth connection.
• The choice of access network technology and the need to ensure suitable bandwidth are the first considerations to address when connecting teleworkers.
• The main connection methods used by home and small business users are:
  – Dialup access –
  – DSL – DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
  – Cable modem – The Internet signal is carried on the same coaxial cable that delivers cable television.
  – Satellite – Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.
Conti…
Conti…
• Cable connectivity to extend their reach
  – DOCSIS = Data-over-Cable Service Interface Specification, developed by CableLabs, a non-profit research and development consortium for cable-related technologies.
  – Downstream frequencies are in the 50 to 860 MHz range, and the upstream frequencies are in the 5 to 42 MHz range.
Conti…
• DSL connectivity to extend their reach
  – POTS = plain old telephone service
  – DSL can be ADSL or SDSL.
  – ADSL provides higher downstream bandwidth to the user than upload bandwidth. SDSL provides the same capacity in both directions.
  – Transceiver
  – DSLAM
Conti…
• Broadband wireless connectivity to extend their reach
Conti…
VPN Technology
• VPN technology enables organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security.
• Advantages of VPN
  – Cost savings
  – Security
  – Scalability –
Conti…
• Types of VPN
  – Site-to-Site VPN
• Organizations use site-to-site VPNs to connect dispersed locations in the same way as a leased line or Frame Relay connection is used.
• Site-to-site VPNs connect entire networks to each other.
• In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA).
• The VPN gateway is responsible for encapsulating and encrypting outbound traffic.
Conti…
• Remote Site VPN
• In a remote-access VPN, each host typically has VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.
• On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.
Conti…
• Site-to-site VPNs & remote-access VPNs
VPN Components
• Components of VPN:
  – An existing network with servers and workstations
  – A connection to the Internet
  – VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
  – Appropriate software to create and manage VPN tunnels
VPN Tunneling
• Concept of VPN tunneling
Encryption Algorithm
• Symmetric vs. Asymmetric Algorithms
• An algorithm that encrypts and decrypts with the same key is called symmetric; an asymmetric algorithm uses two different keys, called the public and private keys.
• Some of the more common encryption algorithms and the length of keys they use are as follows:
  – Data Encryption Standard (DES) algorithm – DES uses a 56-bit key.
  – Triple DES (3DES) algorithm – Asymmetric
  – Advanced Encryption Standard (AES) – AES offers three different key lengths: 128, 192, and 256-bit keys.
  – Rivest, Shamir, and Adleman (RSA) – An asymmetric key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.
• Note: These are for confidentiality.
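The symmetric/asymmetric distinction on this slide is easiest to see in code. The Go program below is an added example written for this transcript, not material from the Cisco deck; it uses only the Go standard library, constructed sample keys and messages, and function names (SymmetricAESGCM, TripleDESBlock, AsymmetricRSA) chosen here. It shows AES accepting exactly the 128/192/256-bit key lengths listed, 3DES encrypting and decrypting with one 24-byte key in both directions (so, as a caveat to the slide's 3DES line, 3DES is a symmetric cipher, not an asymmetric one), and RSA encrypting with the public key while only the private key can decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SymmetricAESGCM encrypts msg and then decrypts the result with the SAME key,
// returning the recovered plaintext. aes.NewCipher accepts only 16-, 24- or
// 32-byte keys, i.e. the 128/192/256-bit lengths the slide lists.
func SymmetricAESGCM(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err // any other key length is rejected here
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := aead.Seal(nil, nonce, msg, nil) // sender side
	return aead.Open(nil, nonce, ciphertext, nil)  // receiver side, same key
}

// TripleDESBlock runs one 8-byte block through 3DES encryption and then
// decryption with the same 24-byte key (three 56-bit DES keys plus parity bits).
// Both directions use the one key: 3DES is a symmetric cipher.
func TripleDESBlock(key, block8 []byte) ([]byte, error) {
	if len(block8) != des.BlockSize {
		return nil, errors.New("3DES operates on 8-byte blocks")
	}
	c, err := des.NewTripleDESCipher(key) // rejects any key that is not 24 bytes
	if err != nil {
		return nil, err
	}
	ct := make([]byte, des.BlockSize)
	c.Encrypt(ct, block8)
	pt := make([]byte, des.BlockSize)
	c.Decrypt(pt, ct)
	return pt, nil
}

// AsymmetricRSA generates an RSA key pair of the requested size, encrypts msg
// with the PUBLIC key (the part that may be shared) and decrypts it with the
// PRIVATE key. It returns the recovered plaintext and the modulus length in bits.
func AsymmetricRSA(bits int, msg []byte) ([]byte, int, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, 0, err
	}
	pub := &priv.PublicKey
	ciphertext, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
	if err != nil {
		return nil, 0, err
	}
	plaintext, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
	if err != nil {
		return nil, 0, err
	}
	return plaintext, pub.N.BitLen(), nil
}

func main() {
	msg := []byte("constructed teleworker payload") // constructed sample message
	key := make([]byte, 32)                          // constructed 256-bit key
	for i := range key {
		key[i] = byte(i)
	}
	if out, err := SymmetricAESGCM(key, msg); err == nil {
		fmt.Printf("AES-256-GCM round trip: %q\n", out)
	}
	if _, err := SymmetricAESGCM(key[:7], msg); err != nil {
		fmt.Println("56-bit key rejected by AES:", err)
	}
	if pt, bits, err := AsymmetricRSA(2048, msg); err == nil {
		fmt.Printf("RSA-%d round trip: %q\n", bits, pt)
	}
}
```

AES-GCM is used for the symmetric case because it authenticates as well as encrypts; DES and 3DES appear only to illustrate key lengths, since both are retired for new designs. A 2048-bit RSA key is generated in the demonstration because current Go releases refuse to generate keys shorter than 1024 bits, the smallest size the slide still lists.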
Data Integrity
• Hashes contribute to data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages.
• There are two common HMAC (hashed message authentication code) algorithms:
  – Message Digest 5 (MD5) – Uses a 128-bit shared secret key.
  – Secure Hash Algorithm 1 (SHA-1) – Uses a 160-bit secret key.
IPsec Security Protocol
• IPsec is a protocol suite for securing IP communications; it provides encryption, integrity, and authentication.
• There are two main IPsec framework protocols:
  – Authentication Header (AH) – Used when confidentiality is not required or not permitted, but data integrity is desired.
  – Encapsulating Security Payload (ESP) – Provides confidentiality and authentication by encrypting the IP packet.
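The HMAC key sizes from the Data Integrity slide and the AH versus ESP split on this slide can be demonstrated together. The Go program below is an added example, not part of the Cisco deck: it models AH as an HMAC-SHA-1 integrity check value (ICV) over a clear-text payload, and ESP as AES-GCM encryption that also authenticates the payload. The AHPacket and ESPPacket types, the keys and the message are constructed for illustration and omit the real IPsec header fields (SPI, sequence number, ICV truncation), so this is a conceptual model of the two protections rather than the wire format. The point a defender should take away is visible in the results: with AH a passive observer on the path can read the payload but any modification is detected; with ESP the payload is hidden and modification is still detected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"hash"
	"io"
)

// HMACTag is what the sender computes and attaches to a message.
func HMACTag(h func() hash.Hash, key, msg []byte) []byte {
	m := hmac.New(h, key)
	m.Write(msg)
	return m.Sum(nil)
}

// HMACVerify is the receiver-side check; hmac.Equal compares in constant time.
func HMACVerify(h func() hash.Hash, key, msg, tag []byte) bool {
	return hmac.Equal(HMACTag(h, key, msg), tag)
}

// The two HMAC algorithms the slide names: a 128-bit key and tag for MD5,
// a 160-bit key and tag for SHA-1 (both legacy choices today).
func HMACMD5(key, msg []byte) []byte  { return HMACTag(md5.New, key, msg) }
func HMACSHA1(key, msg []byte) []byte { return HMACTag(sha1.New, key, msg) }

// AHPacket is a simplified model of Authentication Header: the payload is
// carried in clear and an HMAC-SHA-1 ICV over it provides integrity only.
type AHPacket struct {
	Payload []byte // readable by anyone on the path
	ICV     []byte
}

func AHProtect(key, payload []byte) AHPacket {
	return AHPacket{Payload: payload, ICV: HMACSHA1(key, payload)}
}

// AHCheck returns the payload (always readable) and whether the ICV matched.
func AHCheck(key []byte, p AHPacket) ([]byte, bool) {
	return p.Payload, HMACVerify(sha1.New, key, p.Payload, p.ICV)
}

// ESPPacket is a simplified model of Encapsulating Security Payload: the
// payload is encrypted and authenticated together (AES-GCM does both).
type ESPPacket struct {
	Nonce  []byte
	Sealed []byte // ciphertext followed by the 16-byte authentication tag
}

func ESPProtect(key, payload []byte) (ESPPacket, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return ESPPacket{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return ESPPacket{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // never reuse a nonce under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return ESPPacket{}, err
	}
	return ESPPacket{Nonce: nonce, Sealed: aead.Seal(nil, nonce, payload, nil)}, nil
}

// ESPOpen returns the decrypted payload and whether authentication passed;
// a modified packet yields (nil, false) instead of corrupted plaintext.
func ESPOpen(key []byte, p ESPPacket) ([]byte, bool) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, false
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, false
	}
	pt, err := aead.Open(nil, p.Nonce, p.Sealed, nil)
	return pt, err == nil
}

func main() {
	msg := []byte("constructed inner IP packet")      // constructed sample
	keySHA1 := bytes.Repeat([]byte{0x0c}, 20)         // constructed 160-bit key
	keyAES := bytes.Repeat([]byte{0x0a}, 16)          // constructed 128-bit key

	ah := AHProtect(keySHA1, msg)
	tampered := AHPacket{Payload: append([]byte(nil), msg...), ICV: ah.ICV}
	tampered.Payload[0] ^= 0x01 // one flipped bit on the path
	_, ok := AHCheck(keySHA1, tampered)
	fmt.Println("AH: payload readable in transit, tampered packet accepted:", ok)

	esp, _ := ESPProtect(keyAES, msg)
	fmt.Println("ESP: plaintext visible in packet:", bytes.Contains(esp.Sealed, msg))
}
```

The asymmetry between the two models is deliberate: AHCheck hands back the payload whether or not the ICV verified, because AH never hid it, whereas ESPOpen returns nothing on a failed check, which is the behaviour a receiving gateway should have.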
Conti…
• Concept of IPsec Protocols
Summary
• Requirements for providing teleworker services are:
  – Maintains continuity of operations
  – Provides for increased services
  – Secure & reliable access to information
  – Cost effective
  – Scalable
• Components needed for a teleworker to connect to an organization's network are:
  – Home components
  – Corporate components
Summary
• Broadband services used
  – Cable
    • transmits signal in either direction simultaneously
  – DSL
    • requires minimal changes to existing telephone infrastructure
    • delivers high bandwidth data rates to customers
  – Wireless
    • increases mobility
    • wireless availability via:
      » municipal WiFi
      » WiMax
      » satellite internet
Summary
• Securing teleworker services
  – VPN security achieved through using
    • Advanced encryption techniques
    • Tunneling
  – Characteristics of a secure VPN
    • Data confidentiality
    • Data integrity
    • Authentication