Teleworker Services

W.lilakiatsakun
Introduction (1)
• Teleworking is working away from a traditional
workplace, usually from a home office.
• The reasons for choosing teleworking are
varied and include everything from personal
convenience to allowing injured or shut-in
employees opportunities to continue working
during periods of convalescence.
Introduction (2)
• Teleworking is a broad term referring to
conducting work by connecting to a workplace
from a remote location, with the assistance of
telecommunications.
• Efficient teleworking is possible because of
broadband Internet connections, virtual
private networks (VPN), and more advanced
technologies, including Voice over IP (VoIP)
and videoconferencing.
Benefit
Teleworker Solution (1)
• Traditional private WAN Layer 2 technologies,
including Frame Relay, ATM, and leased lines,
provide many remote connection solutions.
– The security of these connections depends on the
service provider.
• IPsec Virtual Private Networks (VPNs) offer
flexible and scalable connectivity.
Teleworker Solution (2)
• Site-to-site connections can provide a secure,
fast, and reliable remote connection to
teleworkers.
– This is the most common option for teleworkers,
combined with remote access over broadband, to
establish a secure VPN over the public Internet.
– (A less reliable means of connectivity using the
Internet is a dialup connection.)
Teleworker Solution (3)
Teleworking Component (1)
• Home Office Components - The required home
office components are a laptop or desktop
computer, broadband access (cable or DSL), and a
VPN router or VPN client software installed on
the computer.
– Additional components might include a wireless
access point.
– When traveling, teleworkers need an Internet
connection and a VPN client to connect to the
corporate network over any available dialup, network,
or broadband connection.
Teleworking Component (2)
• Corporate Components - Corporate
components are VPN-capable routers, VPN
concentrators, multifunction security
appliances, authentication, and central
management devices for resilient aggregation
and termination of the VPN connections.
Teleworking Component (3)
• Routers need Quality of Service (QoS)
functionality. QoS refers to the capability of a
network to provide better service to selected
network traffic, as required by voice and video
applications.
Teleworking Component (4)
Connecting teleworkers to WAN (1)
• Dialup access - An inexpensive option that uses
any phone line and a modem.
– Dialup is the slowest connection option
• DSL - Typically more expensive than dialup, but
provides a faster connection.
– DSL also uses telephone lines, but unlike dialup
access, DSL provides a continuous connection to the
Internet.
– DSL uses a special high-speed modem that separates
the DSL signal from the telephone signal and provides
an Ethernet connection to a host computer or LAN.
Connecting teleworkers to WAN (2)
• Cable modem - Offered by cable television
service providers.
– The Internet signal is carried on the same coaxial
cable that delivers cable television.
– A special cable modem separates the Internet signal
from the other signals carried on the cable and
provides an Ethernet connection to a host computer
or LAN.
• Satellite - Offered by satellite service providers.
– The computer connects through Ethernet to a satellite
modem that transmits radio signals to the nearest
point of presence (POP) within the satellite network.
Connecting teleworkers to WAN (3)
Broadband Services (1)
Broadband Services (2)
• A cable network is capable of transmitting signals on
the cable in either direction at the same time:
• Downstream - The direction of an RF signal
transmission (TV channels and data) from the source
(headend) to the destination (subscribers). (Forward
Path)
– Downstream frequencies are in the range of 50 to 860
megahertz (MHz).
• Upstream - The direction of the RF signal transmission
from subscribers to the headend (Reverse Path)
– Upstream frequencies are in the range of 5 to 42 MHz.
Broadband Services (3)
Broadband Services (4)
• The Data-over-Cable Service Interface
Specification (DOCSIS) is an international
standard developed by CableLabs, a non-profit
research and development consortium for
cable-related technologies.
Broadband Services (5)
• DOCSIS specifies the OSI Layer 1 and Layer 2
requirements:
– Physical layer - For data signals that the cable
operator can use, DOCSIS specifies the channel
widths (bandwidths of each channel) as 200 kHz,
400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz.
• DOCSIS also specifies modulation techniques (the way
to use the RF signal to convey digital data).
Broadband Services (6)
– MAC layer - Defines a deterministic access
method, time-division multiple access (TDMA) or
synchronous code division multiple access method
(S-CDMA).
Cable Modem (1)
• Two types of equipment are required to send
digital modem signals upstream and
downstream on a cable system:
• Cable modem termination system (CMTS) at
the headend of the cable operator
• Cable modem (CM) on the subscriber end
Cable Modem (2)
Cable Modem (3)
• A headend CMTS communicates with CMs
located in subscriber homes.
• The headend is actually a router with
databases for providing Internet services to
cable subscribers.
• The architecture is relatively simple, using a
mixed optical-coaxial network in which optical
fiber replaces the lower-bandwidth coaxial.
Cable Modem (4)
• In a modern HFC network, typically 500 to
2,000 active data subscribers are connected to
a cable network segment, all sharing the
upstream and downstream bandwidth.
• The actual bandwidth for Internet service over
a CATV line can be up to 27 Mb/s on the
download path to the subscriber and about
2.5 Mb/s of bandwidth on the upload path.
DSL (1)
• The two basic types of DSL technologies are
asymmetric (ADSL) and symmetric (SDSL).
– ADSL provides higher downstream bandwidth to the
user than upload bandwidth.
– SDSL provides the same capacity in both directions.
• The different varieties of DSL provide different
bandwidths, some with capabilities exceeding
those of a T1 or E1 leased line.
– For satisfactory service, the loop must be less than 5.5
kilometers (3.5 miles).
DSL (2)
DSL (3)
• The two key components are the DSL transceiver and
the DSLAM:
• Transceiver - Connects the computer of the teleworker
to the DSL.
– Usually the transceiver is a DSL modem connected to the
computer using a USB or Ethernet cable.
– Newer DSL transceivers can be built into small routers with
multiple 10/100 switch ports suitable for home office use.
• DSLAM - Located at the CO of the carrier, the DSLAM
combines individual DSL connections from users into
one high-capacity link to an ISP, and thereby, to the
Internet.
DSL (4)
DSL (5)
• The advantage that DSL has over cable
technology is that DSL is not a shared
medium.
– Each user has a separate direct connection to the
DSLAM.
– Adding users does not impede performance,
unless the DSLAM Internet connection to the ISP,
or the Internet, becomes saturated.
DSL (6)
DSL (7)
Microfilter
DSL (8)
SPLITTER
Broadband Wireless (1)
• New developments in broadband wireless
technology are increasing wireless availability.
These include:
– Municipal Wi-Fi
– WiMAX
– Satellite Internet
Broadband Wireless (2)
Broadband Wireless (3)
• Most municipal wireless networks use a mesh
topology rather than a hub-and-spoke model.
• A mesh is a series of access points (radio
transmitters).
• Each access point is in range and can
communicate with at least two other access
points.
• The mesh blankets its area with radio signals.
Signals travel from access point to access point
through this cloud.
Broadband Wireless (4)
• WiMAX (Worldwide Interoperability for
Microwave Access) is telecommunications
technology aimed at providing wireless data
over long distances in a variety of ways, from
point-to-point links to full mobile cellular type
access.
• WiMAX operates at higher speeds, over
greater distances, and for a greater number of
users than Wi-Fi.
Broadband Wireless (5)
• A WiMAX network consists of two main
components:
– A tower that is similar in concept to a cellular
telephone tower.
– A single WiMAX tower can provide coverage to an
area as large as 3,000 square miles, or almost
7,500 square kilometers.
• A WiMAX receiver that is similar in size and
shape to a PCMCIA card, or built into a laptop
or other wireless device.
Broadband Wireless (6)
• Satellite Internet services are used in locations
where land-based Internet access is not
available, or for temporary installations that
are continually on the move.
• Internet access using satellites is available
worldwide, including for vessels at sea,
airplanes in flight, and vehicles moving on
land.
Broadband Wireless (7)
Broadband Wireless (8)
• One-way multicast satellite Internet systems
are used for IP multicast-based data, audio,
and video distribution.
• One-way terrestrial return satellite Internet
systems use traditional dialup access to send
outbound data through a modem and receive
downloads from the satellite.
Broadband Wireless (9)
• Two-way satellite Internet sends data from
remote sites via satellite to a hub, which then
sends the data to the Internet.
– The satellite dish at each location needs precise
positioning to avoid interference with other
satellites.
VPN Technology (1)
• VPNs provide a virtual WAN infrastructure that
connects branch offices, home offices, business
partner sites, and remote telecommuters to all or
portions of their corporate network.
• To remain private, the traffic is encrypted.
Instead of using a dedicated Layer 2 connection,
such as a leased line, a VPN uses virtual
connections that are routed through the Internet.
VPN Technology (2)
VPN Technology (3)
• Benefits:
• Cost savings - Organizations can use cost-effective,
third-party Internet transport to
connect remote offices and users to the main
corporate site. This eliminates expensive
dedicated WAN links and modem banks. By
using broadband, VPNs reduce connectivity
costs while increasing remote connection
bandwidth.
VPN Technology (4)
• Security - Advanced encryption and
authentication protocols protect data from
unauthorized access.
• Scalability - VPNs use the Internet
infrastructure within ISPs and carriers, making
it easy for organizations to add new users.
– Organizations, big and small, are able to add large
amounts of capacity without adding significant
infrastructure.
VPN Technology (5)
VPN Technology (6)
• In a site-to-site VPN, hosts send and receive TCP/IP
traffic through a VPN gateway, which could be a
router, PIX firewall appliance, or an Adaptive
Security Appliance (ASA).
– The VPN gateway is responsible for encapsulating and
encrypting outbound traffic for all of the traffic from a
particular site and sending it through a VPN tunnel over
the Internet to a peer VPN gateway at the target site.
– On receipt, the peer VPN gateway strips the headers,
decrypts the content, and relays the packet toward the
target host inside its private network.
VPN Technology (7)
VPN Technology (7)
• In a remote-access VPN, each host typically has
VPN client software.
• Whenever the host tries to send any traffic, the
VPN client software encapsulates and encrypts
that traffic before sending it over the Internet to
the VPN gateway at the edge of the target
network.
• On receipt, the VPN gateway handles the data in
the same way as it would handle data from a site-to-site VPN.
VPN Technology (8)
VPN Technology (9)
• Components required to establish this VPN
include:
– An existing network with servers and workstations
– A connection to the Internet
– VPN gateways, such as routers, firewalls, VPN
concentrators, and ASAs, that act as endpoints to
establish, manage, and control VPN connections
– Appropriate software to create and manage VPN
tunnels
VPN Technology (10)
VPN Technology (11)
• VPNs secure data by encapsulating or
encrypting the data.
– Encapsulation is also referred to as tunneling,
because encapsulation transmits data
transparently from network to network through a
shared network infrastructure.
– Encryption codes data into a different format
using a secret key.
• Decryption decodes encrypted data into the original
unencrypted format.
VPN Technology (12)
Characteristics of Secure VPN
VPN Tunneling (1)
VPN Tunneling (2)
VPN Tunneling (3)
• PPP carries the message to the VPN device,
where the message is encapsulated within a
Generic Route Encapsulation (GRE) packet.
– GRE is a tunneling protocol developed by Cisco
Systems that can encapsulate a wide variety of
protocol packet types inside IP tunnels, creating a
virtual point-to-point link to Cisco routers at remote
points over an IP internetwork.
• Once a composite packet reaches the destination
tunnel interface, the inside packet is extracted.
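The extraction step in the last bullet, shown as an added Go example that is not part of the deck: a minimal GRE (RFC 2784) encapsulator and the matching decapsulator a tunnel endpoint would run. The inner IPv4/UDP packet bytes are constructed sample data, and a real tunnel would carry an outer IP header (protocol 47) in front of the GRE packet, which is omitted here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// GRE base header (RFC 2784), 4 bytes:
//   bit 0       C  - checksum present
//   bits 1-12   reserved0 (must be zero)
//   bits 13-15  version (0 for GRE)
//   bits 16-31  protocol type (EtherType of the inner packet)
// When C is set, a 16-bit checksum and a 16-bit reserved1 field follow.
const (
	greFlagChecksum = 0x8000
	greVersionMask  = 0x0007
	EtherTypeIPv4   = 0x0800
)

// internetChecksum is the one's-complement sum of RFC 1071, which the GRE checksum field uses.
func internetChecksum(data []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(data); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(data[i:]))
	}
	if len(data)%2 == 1 {
		sum += uint32(data[len(data)-1]) << 8 // odd trailing byte is zero-padded
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// GREEncapsulate prepends a GRE header (checksum present) to an inner packet.
// This is the "composite packet" the tunnel source sends.
func GREEncapsulate(protocol uint16, inner []byte) []byte {
	pkt := make([]byte, 8+len(inner))
	binary.BigEndian.PutUint16(pkt[0:], greFlagChecksum)
	binary.BigEndian.PutUint16(pkt[2:], protocol)
	// bytes 4-7 (checksum, reserved1) stay zero while the checksum is computed
	copy(pkt[8:], inner)
	binary.BigEndian.PutUint16(pkt[4:], internetChecksum(pkt))
	return pkt
}

// GREDecapsulate is what the destination tunnel interface does: validate the
// header and checksum, then extract the inner packet and its protocol type.
func GREDecapsulate(pkt []byte) (protocol uint16, inner []byte, err error) {
	if len(pkt) < 4 {
		return 0, nil, errors.New("gre: shorter than base header")
	}
	flags := binary.BigEndian.Uint16(pkt[0:])
	if flags&greVersionMask != 0 {
		return 0, nil, errors.New("gre: unsupported version")
	}
	protocol = binary.BigEndian.Uint16(pkt[2:])
	hdrLen := 4
	if flags&greFlagChecksum != 0 {
		if len(pkt) < 8 {
			return 0, nil, errors.New("gre: checksum flag set but header truncated")
		}
		// A correct packet sums to zero once the stored checksum is included.
		if internetChecksum(pkt) != 0 {
			return 0, nil, errors.New("gre: checksum mismatch")
		}
		hdrLen = 8
	}
	return protocol, pkt[hdrLen:], nil
}

// SampleInnerPacket is a constructed IPv4/UDP datagram from 10.0.0.1 to 10.0.0.2
// (its IP header checksum is left zero; it is sample data, not captured traffic).
func SampleInnerPacket() []byte {
	return []byte{
		0x45, 0x00, 0x00, 0x1c, // version 4, IHL 5, DSCP 0, total length 28
		0x00, 0x01, 0x00, 0x00, // identification 1, no flags, offset 0
		0x40, 0x11, 0x00, 0x00, // TTL 64, protocol 17 (UDP), header checksum 0
		10, 0, 0, 1, // source 10.0.0.1
		10, 0, 0, 2, // destination 10.0.0.2
		0x04, 0xd2, 0x16, 0x2e, 0x00, 0x08, 0x00, 0x00, // UDP 1234 -> 5678, length 8
	}
}

// SameBytes reports whether two packets are byte-for-byte identical.
func SameBytes(a, b []byte) bool { return string(a) == string(b) }

func main() {
	inner := SampleInnerPacket()
	tunnel := GREEncapsulate(EtherTypeIPv4, inner)
	fmt.Printf("GRE packet: %d bytes (8-byte header + %d-byte inner packet)\n", len(tunnel), len(inner))

	proto, got, err := GREDecapsulate(tunnel)
	fmt.Printf("decapsulated: protocol=0x%04x inner intact=%v err=%v\n", proto, SameBytes(got, inner), err)

	// A bit flipped in transit (here in the inner destination address) is caught by the checksum.
	corrupted := append([]byte(nil), tunnel...)
	corrupted[8+19] ^= 0x01
	_, _, err = GREDecapsulate(corrupted)
	fmt.Println("corrupted packet:", err)
}
```

The checksum only catches accidental corruption: anyone who can rewrite the packet can recompute it, so plain GRE gives the transparent transport the slide describes but none of the confidentiality or integrity that the encryption and HMAC slides later in the deck add on top.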
VPN Data Integrity (1)
VPN Data Integrity (2)
• Gail and Jeremy have previously agreed on a secret
shared key.
• At Gail's end, the VPN client software combines the
document with the secret shared key and passes it
through an encryption algorithm.
– The output is undecipherable cipher text.
– The cipher text is then sent through a VPN tunnel over the
Internet.
• At the other end, the message is recombined with the
same shared secret key and processed by the same
encryption algorithm.
– The output is the original financial document, which is now
readable to Jeremy.
VPN Data Integrity (3)
• Data Encryption Standard (DES) algorithm - Developed
by IBM, DES uses a 56-bit key,
ensuring high-performance encryption.
– DES is a symmetric key cryptosystem. Symmetric
and asymmetric keys are explained below.
• Triple DES (3DES) algorithm - A newer variant of
DES that encrypts with one key, decrypts with
another different key, and then encrypts one
final time with another key.
– 3DES provides significantly more strength to the
encryption process.
VPN Data Integrity (4)
• Advanced Encryption Standard (AES) - The
National Institute of Standards and Technology
(NIST) adopted AES to replace the existing DES
encryption in cryptographic devices.
– AES provides stronger security than DES and is
computationally more efficient than 3DES.
– AES offers three different key lengths: 128, 192, and
256-bit keys.
• Rivest, Shamir, and Adleman (RSA) - An
asymmetrical key cryptosystem.
– The keys use a bit length of 512, 768, 1024, or larger.
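The Gail-and-Jeremy exchange above, as an added Go example (not part of the deck) using AES, the symmetric algorithm the slides recommend over DES and 3DES: the same shared secret encrypts at one end and decrypts at the other. The passphrase, the document text and the peer names are constructed; deriving the key by hashing a passphrase is a demo shortcut standing in for a negotiated key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SharedKey turns the secret the two peers agreed on beforehand into a
// 256-bit AES key. Hashing a passphrase is a demo shortcut; a deployment
// would use a key negotiated with Diffie-Hellman or a proper KDF.
func SharedKey(secret string) []byte {
	k := sha256.Sum256([]byte(secret))
	return k[:] // 32 bytes; aes.NewCipher also accepts 16 (AES-128) and 24 (AES-192)
}

// Encrypt passes plaintext through AES in CTR mode under key and returns iv || ciphertext.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil { // fresh IV per message: CTR must never reuse one under a key
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// Decrypt recovers the plaintext with the same key; the cipher is symmetric,
// so the keystream that encrypted the data also decrypts it.
func Decrypt(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than the IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(out, data[aes.BlockSize:])
	return out, nil
}

// Roundtrip encrypts with the sender's copy of the shared secret and decrypts
// with the receiver's copy, returning what the receiver reads.
func Roundtrip(senderSecret, receiverSecret, message string) (string, error) {
	ct, err := Encrypt(SharedKey(senderSecret), []byte(message))
	if err != nil {
		return "", err
	}
	pt, err := Decrypt(SharedKey(receiverSecret), ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// TamperedRoundtrip flips one bit of the first ciphertext byte in transit.
// Decryption still "succeeds": encryption alone gives confidentiality, so the
// change shows up as a silently altered first character, not as an error.
// Detecting it needs a message authentication code, which the deck's HMAC slides add.
func TamperedRoundtrip(secret, message string) (string, error) {
	if message == "" {
		return "", errors.New("need a non-empty message to tamper with")
	}
	key := SharedKey(secret)
	ct, err := Encrypt(key, []byte(message))
	if err != nil {
		return "", err
	}
	ct[aes.BlockSize] ^= 0x01
	pt, err := Decrypt(key, ct)
	return string(pt), err
}

func main() {
	const doc = "Q3 financial report: revenue 1,200,000" // constructed sample document
	const secret = "gail-jeremy-shared-secret"            // constructed shared secret

	got, _ := Roundtrip(secret, secret, doc)
	fmt.Printf("same key:    %q\n", got)
	wrong, _ := Roundtrip(secret, "guessed-secret", doc)
	fmt.Printf("wrong key:   %q\n", wrong)
	tampered, _ := TamperedRoundtrip(secret, doc)
	fmt.Printf("bit flipped: %q\n", tampered)
}
```

The third output line is the point to take from the example: with the wrong key the output is unreadable, but a modified ciphertext decrypts without complaint, which is why the slides treat data integrity (hashes and HMAC) as a separate service from encryption.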
VPN Data Integrity (5)
VPN Data Integrity (6)
• Hashes contribute to data integrity and
authentication by ensuring that unauthorized
persons do not tamper with transmitted
messages.
• A hash, also called a message digest, is a number
generated from a string of text.
• The hash is smaller than the text itself.
• It is generated using a formula in such a way that
it is extremely unlikely that some other text will
produce the same hash value.
VPN Data Integrity (7)
VPN Data Integrity (8)
• VPNs use a message authentication code to
verify the integrity and the authenticity of a
message, without using any additional
mechanisms.
• A keyed-hash message authentication code
(HMAC) is a data integrity algorithm that
guarantees the integrity of the message.
VPN Data Integrity (9)
• An HMAC has two parameters: a message input
and a secret key known only to the message
originator and intended receivers.
– The message sender uses an HMAC function to
produce a value (the message authentication
code), formed by condensing the secret key and
the message input.
– The message authentication code is sent along
with the message.
VPN Data Integrity (10)
– The receiver computes the message
authentication code on the received message
using the same key and HMAC function as the
sender used, and compares the result computed
with the received message authentication code.
• If the two values match, the message has been
correctly received and the receiver is assured that the
sender is a member of the community of users that
share the key.
VPN Data Integrity (10)
• There are two common HMAC algorithms:
• Message Digest 5 (MD5) - Uses a 128-bit shared
secret key. The variable length message and 128-bit
shared secret key are combined and run
through the HMAC-MD5 hash algorithm.
– The output is a 128-bit hash.
• Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit
secret key. The variable length message and the
160-bit shared secret key are combined and run
through the HMAC-SHA-1 hash algorithm.
– The output is a 160-bit hash.
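The sender/receiver procedure from the HMAC slides and the two algorithms just listed, as an added Go example that is not from the deck. The key and messages are constructed; the known-answer vectors mentioned in the comments come from RFC 2202, and the HMAC-SHA-256 variant is included as the current replacement for the two the deck names.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// Tag is the sender's side: condense the secret key and the message through
// HMAC built on the given hash. Output size equals the hash size, so the
// code is much smaller than the message it protects.
func Tag(newHash func() hash.Hash, key, message []byte) []byte {
	m := hmac.New(newHash, key)
	m.Write(message)
	return m.Sum(nil)
}

// Verify is the receiver's side: recompute with the same key and function,
// then compare. hmac.Equal runs in constant time, so the comparison does not
// leak how many leading bytes of a candidate tag were right.
func Verify(newHash func() hash.Hash, key, message, tag []byte) bool {
	return hmac.Equal(Tag(newHash, key, message), tag)
}

// The deck names HMAC-MD5 (128-bit output) and HMAC-SHA-1 (160-bit output).
// Both are legacy choices; HMAC-SHA-256 (256-bit output) is the usual replacement.
func TagMD5(key, msg []byte) []byte    { return Tag(md5.New, key, msg) }
func TagSHA1(key, msg []byte) []byte   { return Tag(sha1.New, key, msg) }
func TagSHA256(key, msg []byte) []byte { return Tag(sha256.New, key, msg) }

// VerifySHA1 checks a tag produced by TagSHA1.
func VerifySHA1(key, msg, tag []byte) bool { return Verify(sha1.New, key, msg, tag) }

// Hex renders a tag for display (RFC 2202 prints its known answers this way).
func Hex(b []byte) string { return hex.EncodeToString(b) }

func main() {
	key := []byte("constructed-shared-key")      // known only to sender and receiver
	msg := []byte("transfer 1000 to account 42") // constructed sample message

	tag := TagSHA1(key, msg)
	fmt.Printf("message %d bytes, HMAC-SHA-1 tag %d bytes: %s\n", len(msg), len(tag), Hex(tag))
	fmt.Println("genuine message verifies:     ", VerifySHA1(key, msg, tag))

	// A message altered in transit no longer matches the tag, and without the
	// key nobody on the path can produce a matching replacement.
	altered := []byte("transfer 9000 to account 42")
	fmt.Println("altered message verifies:     ", VerifySHA1(key, altered, tag))

	// A sender outside the community that shares the key produces a different tag.
	fmt.Println("tag from another key verifies:", VerifySHA1(key, msg, TagSHA1([]byte("other-key"), msg)))
	fmt.Printf("HMAC-MD5 %d bytes, HMAC-SHA-256 %d bytes\n", len(TagMD5(key, msg)), len(TagSHA256(key, msg)))
}
```

Two details worth noticing when reading the output: the tag length is fixed by the hash (16, 20 or 32 bytes) regardless of message size, and a receiver should always compare with hmac.Equal rather than a plain byte loop.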
VPN Authentication (1)
VPN Authentication (2)
• There are two peer authentication methods:
• Pre-shared key (PSK) - A secret key that is
shared between the two parties using a
secure channel before it needs to be used.
– PSKs use symmetric key cryptographic algorithms.
– A PSK is entered into each peer manually and is
used to authenticate the peer.
– At each end, the PSK is combined with other
information to form the authentication key.
VPN Authentication (3)
• RSA signature - Uses the exchange of digital
certificates to authenticate the peers.
– The local device derives a hash and encrypts it
with its private key.
– The encrypted hash (digital signature) is attached
to the message and forwarded to the remote end.
– At the remote end, the encrypted hash is
decrypted using the public key of the local end.
– If the decrypted hash matches the recomputed
hash, the signature is genuine.
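The four steps of the RSA signature method above, carried out in an added Go example that is not part of the deck. The peer names R1 and R2 and the signed message are constructed; the example uses 2048-bit keys and SHA-256 rather than the 512- to 1024-bit sizes the slides mention, since those are no longer considered adequate, and it leaves out the certificate that would carry the public key in a real IPsec deployment.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Peer holds one endpoint's RSA key pair. Only the public half is handed to
// the other side (in IPsec it travels inside a digital certificate).
type Peer struct {
	Name string
	priv *rsa.PrivateKey
}

// NewPeer generates a key pair of the given modulus size.
func NewPeer(name string, bits int) (*Peer, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Peer{Name: name, priv: k}, nil
}

// PublicKey is the half the peer publishes.
func (p *Peer) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Sign derives a hash of the message and "encrypts" it with the private key
// (the RSA signature operation with PKCS#1 v1.5 padding). The result is
// attached to the message as the digital signature.
func (p *Peer) Sign(message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, p.priv, crypto.SHA256, digest[:])
}

// VerifySignature is the remote end: recompute the hash, then check that the
// signature "decrypts" under the sender's public key to the same value.
func VerifySignature(pub *rsa.PublicKey, message, signature []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	local, err := NewPeer("R1", 2048)
	if err != nil {
		panic(err)
	}
	remote, err := NewPeer("R2", 2048) // second peer, used to show a mismatched key
	if err != nil {
		panic(err)
	}
	msg := []byte("peer authentication payload (constructed sample)")

	sig, err := local.Sign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signature: %d bytes over a %d-byte message\n", len(sig), len(msg))
	fmt.Println("R2 checks R1's signature with R1's public key:", VerifySignature(local.PublicKey(), msg, sig))
	fmt.Println("same signature over an altered message:      ", VerifySignature(local.PublicKey(), append(msg, '!'), sig))
	fmt.Println("same signature checked with R2's public key: ", VerifySignature(remote.PublicKey(), msg, sig))
}
```

The second and third checks are the ones a gateway relies on: a signature binds one specific message to one specific private key, so neither an altered message nor a different peer's key verifies.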
IPSEC Security Protocol (1)
IPSEC Security Protocol (2)
• There are two main IPsec framework protocols.
– Authentication Header (AH) - Use when
confidentiality is not required or permitted.
• AH provides data authentication and integrity for IP
packets passed between two systems.
• It verifies that any message passed from R1 to R2 has not
been modified during transit.
• It also verifies that the origin of the data was either R1 or
R2.
• AH does not provide data confidentiality (encryption) of
packets.
IPSEC Security Protocol (3)
– Encapsulating Security Payload (ESP) - Provides
confidentiality and authentication by encrypting the
IP packet.
• IP packet encryption conceals the data and the identities
of the source and destination.
• ESP authenticates the inner IP packet and ESP header.
• Authentication provides data origin authentication and
data integrity.
• Although both encryption and authentication are optional
in ESP, at a minimum, one of them must be selected.
IPSEC Security Protocol (4)
IPSEC Security Protocol (5)
• Algorithms used in IPSEC Framework
• DES - Encrypts and decrypts packet data.
• 3DES - Provides significant encryption strength over 56-bit
DES.
• AES - Provides stronger encryption, depending on the key
length used, and faster throughput.
• MD5 - Authenticates packet data, using a 128-bit shared
secret key.
• SHA-1 - Authenticates packet data, using a 160-bit shared
secret key.
• DH - Allows two parties to establish a shared secret key
used by encryption and hash algorithms, for example, DES
and MD5, over an insecure communications channel.
IPSEC Security Protocol (6)
• When configuring an IPsec gateway to provide security
services, first choose an IPsec protocol.
– The choices are ESP or ESP with AH.
• The second square is an encryption algorithm if IPsec is
implemented with ESP.
– Choose the encryption algorithm that is appropriate for the
desired level of security: DES, 3DES, or AES.
• The third square is authentication.
– Choose an authentication algorithm to provide data integrity:
MD5 or SHA.
• The last square is the Diffie-Hellman (DH) algorithm group,
which establishes the sharing of key information between
peers.
– Choose which group to use, DH1 or DH2.
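The DH step that both the algorithm list and the last configuration square refer to, as an added Go example that is not from the deck: two peers exchange public values over an untrusted channel and derive the same key, while an observer who saw both public values does not. The deck's DH1 and DH2 are fixed, published 768- and 1024-bit MODP groups; to stay self-contained this example draws a random prime of its own and uses g = 2, which demonstrates the arithmetic but is not a production group. The peer names and bit size are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Group is the public parameter set both peers agree on in advance.
type Group struct {
	P *big.Int // prime modulus
	G *big.Int // generator
}

// Party is one peer: a private exponent that never leaves the host, and the
// public value that is sent over the insecure channel.
type Party struct {
	priv   *big.Int
	Public *big.Int
}

// NewGroup builds a demo group with a random prime of the given bit length and g = 2.
// (A production group uses a safe prime chosen so that g generates a large subgroup;
// IPsec peers pick one of the published groups instead of generating their own.)
func NewGroup(bits int) (*Group, error) {
	p, err := rand.Prime(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Group{P: p, G: big.NewInt(2)}, nil
}

// NewParty picks a private exponent x in [2, p-2] and publishes g^x mod p.
func NewParty(grp *Group) (*Party, error) {
	upper := new(big.Int).Sub(grp.P, big.NewInt(3)) // rand.Int returns a value in [0, upper)
	x, err := rand.Int(rand.Reader, upper)
	if err != nil {
		return nil, err
	}
	x.Add(x, big.NewInt(2))
	return &Party{priv: x, Public: new(big.Int).Exp(grp.G, x, grp.P)}, nil
}

// SharedSecret raises the peer's public value to our private exponent:
// (g^b)^a mod p on one side equals (g^a)^b mod p on the other.
func (pt *Party) SharedSecret(grp *Group, peerPublic *big.Int) *big.Int {
	return new(big.Int).Exp(peerPublic, pt.priv, grp.P)
}

// SessionKey condenses the shared secret into a fixed-size key for the
// encryption and HMAC algorithms negotiated alongside the DH group.
func SessionKey(secret *big.Int) []byte {
	k := sha256.Sum256(secret.Bytes())
	return k[:]
}

// Exchange runs the protocol between R1 and R2 and returns the key each side
// derived, plus what an observer who only saw the public values and picked an
// exponent of their own would compute.
func Exchange(bits int) (keyR1, keyR2, keyObserver []byte, err error) {
	grp, err := NewGroup(bits)
	if err != nil {
		return nil, nil, nil, err
	}
	r1, err := NewParty(grp)
	if err != nil {
		return nil, nil, nil, err
	}
	r2, err := NewParty(grp)
	if err != nil {
		return nil, nil, nil, err
	}
	observer, err := NewParty(grp)
	if err != nil {
		return nil, nil, nil, err
	}
	// On the wire: r1.Public -> R2 and r2.Public -> R1. The private exponents stay home.
	keyR1 = SessionKey(r1.SharedSecret(grp, r2.Public))
	keyR2 = SessionKey(r2.SharedSecret(grp, r1.Public))
	keyObserver = SessionKey(observer.SharedSecret(grp, r1.Public))
	return keyR1, keyR2, keyObserver, nil
}

func main() {
	k1, k2, k3, err := Exchange(512)
	if err != nil {
		panic(err)
	}
	fmt.Printf("R1 key:       %x\nR2 key:       %x\nobserver key: %x\n", k1, k2, k3)
	fmt.Println("peers agree:", string(k1) == string(k2), "| observer matches:", string(k3) == string(k1))
}
```

Note what crosses the channel: only P, G and the two public values. Authentication of those values is a separate step, which is why the slides pair DH with a pre-shared key or RSA signature rather than relying on the exchange alone.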