Broadband Services


Providing Teleworker Services
Accessing the WAN – Chapter 6
Version 4.0
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Objectives

• Describe the enterprise requirements for providing teleworker services
• Explain how broadband services extend enterprise networks, including DSL, cable, and wireless
• Describe how VPN technology provides secure teleworker services in an enterprise setting
The Enterprise Requirements for Providing Teleworker Services
• With advances in broadband and wireless technologies, working away from the office no longer presents the challenges it did in the past.
• Workers can work remotely almost as if they were in the next cubicle or office.
• Organizations can cost-effectively distribute data, voice, video, and real-time applications over one common network connection, across their entire workforce no matter how remote and scattered they might be.
The Enterprise Requirements for Providing Teleworker Services
• The benefits of teleworkers for business, society and the environment.
The Enterprise Requirements for Providing Teleworker Services
• Three remote connection technologies are available to organizations for supporting teleworker services:
  – Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions. The security of these connections depends on the service provider.
  – IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity.
  – Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. Combined with remote access over broadband, this is the most common option for teleworkers, establishing a secure VPN over the public Internet.
Teleworker Solution
• Home Office Components
  – A laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer.
  – Additional components might include a wireless access point. When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, network, or broadband connection.
• Corporate Components
  – VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.
Connecting Teleworkers to the WAN
• Dialup access - An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option, and is typically used by mobile workers in areas where higher speed connection options are not available.
• DSL - Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet. DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
• Cable modem - Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television. A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.
• Satellite - Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.
Broadband Services - Cable
• The cable system uses a coaxial cable that carries radio frequency (RF) signals across the network. Coaxial cable is the primary medium used to build cable TV systems.
Broadband Services - Cable
• A cable network is capable of transmitting signals on the cable in either direction at the same time:
  – Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). Transmission from source to destination is called the forward path. Downstream frequencies are in the range of 50 to 860 megahertz (MHz).
  – Upstream - The direction of the RF signal transmission from subscribers to the headend, or the return or reverse path. Upstream frequencies are in the range of 5 to 42 MHz.
Broadband Services - DSL
• DSL is a means of providing high-speed connections over installed copper wires.
• The two basic types of DSL technologies are asymmetric (ADSL) and symmetric (SDSL).
  – ADSL provides higher downstream bandwidth to the user than upload bandwidth.
  – SDSL provides the same capacity in both directions.
  – http://www.speedtest.com.hk/
Broadband Services - DSL
• The two key components:
  – Transceiver - Connects the computer of the teleworker to the DSL line. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.
  – DSLAM - Located at the CO (central office) of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby, to the Internet.
Broadband Services - Broadband Wireless
• A significant limitation of wireless access has been the need to be within the local transmission range (typically less than 100 feet) of a wireless router or wireless access point that has a wired connection to the Internet.
• Once a worker left the office or home, wireless access was not readily available.
• New developments in broadband wireless technology are increasing wireless availability. These include:
  – Municipal Wi-Fi
  – WiMAX
  – Satellite Internet
Broadband Services - Municipal Wi-Fi
• Most municipal wireless networks use a mesh topology rather than a hub-and-spoke model.
Broadband Services - WiMAX
• WiMAX (Worldwide Interoperability for Microwave Access) is a telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access.
• WiMAX operates at higher speeds, over greater distances, and for a greater number of users than Wi-Fi.
Broadband Services - Standards
• The most common standards are included in the IEEE 802.11 wireless local area network (WLAN) standard, which addresses the 5 GHz and 2.4 GHz public (unlicensed) spectrum bands.
• The terms 802.11 and Wi-Fi appear interchangeably, but this is incorrect. Wi-Fi is an industry-driven interoperability certification based on a subset of 802.11. The Wi-Fi specification came about because market demand led the Wi-Fi Alliance to begin certifying products before amendments to the 802.11 standard were complete. The 802.11 standard has since caught up with and passed Wi-Fi.
• From the point of view of teleworkers, the most popular access approaches to connectivity are those defined by the IEEE 802.11b and IEEE 802.11g protocols.
• The latest standard, 802.11n, is a proposed amendment that builds on the previous 802.11 standards by adding multiple-input multiple-output (MIMO).
• The 802.16 (or WiMAX) standard allows transmissions up to 70 Mb/s, and has a range of up to 30 miles (50 km). It can operate in licensed or unlicensed bands of the spectrum from 2 to 6 GHz.
VPN Technology
• VPN technology enables organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security.
VPN Technology
• Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.
• Security - Advanced encryption and authentication protocols protect data from unauthorized access.
• Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
VPN Technology - Site-to-Site
• In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA).
• The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.
• On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
VPN Technology – Remote-access
• In a remote-access VPN, each host typically has VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.
VPN Technology – Components
• Components required to establish this VPN include:
  – An existing network with servers and workstations
  – A connection to the Internet
  – VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
  – Appropriate software to create and manage VPN tunnels
Characteristics of Secure VPNs
• Data confidentiality - Protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.
• Data integrity - Guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal that guarantees that no one has tampered with the content, but it is more robust.
• Authentication - Ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.
VPN Tunneling
• Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network.
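As an added illustration (not part of the Cisco deck), the following Python shows the encapsulation step that the site-to-site slide and this tunneling slide describe: an inner IPv4 packet between two private hosts is wrapped whole inside an outer IPv4 packet between the two gateways, and the peer gateway strips the outer header again. The addresses are constructed, plain IP-in-IP (protocol 4) stands in for IPsec, and no encryption is applied; all three are assumptions made for the demonstration.

```python
import socket
import struct

# Constructed sample addresses (not from the slides): hosts on the two private
# LANs, and the public interfaces of the two VPN gateways.
HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"
GW_A, GW_B = "198.51.100.1", "203.0.113.1"
IPPROTO_IPIP = 4  # IANA protocol number for plain IP-in-IP encapsulation


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Prepend a minimal 20-byte IPv4 header (no options) to payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    hdr = packet[:20]
    if len(hdr) < 20 or checksum(hdr) != 0:
        raise ValueError("bad IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", hdr)
    return socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), f[6], packet[20:f[2]]


def encapsulate(inner: bytes) -> bytes:
    """Gateway A: wrap the entire inner packet inside an outer packet to B."""
    return build_ipv4(GW_A, GW_B, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> bytes:
    """Gateway B: strip the outer header and return the original inner packet."""
    _, dst, proto, inner = parse_ipv4(outer)
    if dst != GW_B or proto != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet addressed to this gateway")
    return inner
```

On the public Internet only the outer header (gateway to gateway) is visible to routers; the inner addresses travel as payload, which is what lets the two private LANs keep their own addressing.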
VPN Data Integrity
• For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form.
• VPN encryption rules include an algorithm and a key. An algorithm is a mathematical function that combines a message, text, digits, or all three with a key.
• The output is an unreadable cipher string. Decryption is extremely difficult or impossible without the correct key.
VPN Data Integrity
Common encryption algorithms:
• Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
• Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
• Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
• Rivest, Shamir, and Adleman (RSA) - An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.
VPN Data Integrity
• Hashes contribute to data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages.
• A hash, also called a message digest, is a number generated from a string of text. The hash is smaller than the text itself.
• It is generated using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
IPsec Security Protocols
• Authentication Header (AH)
  – AH provides data authentication and integrity for IP packets passed between two systems.
  – AH does not provide data confidentiality (encryption) of packets.
• Encapsulating Security Payload (ESP)
  – Provides confidentiality and authentication by encrypting the IP packet.
  – IP packet encryption conceals the data and the identities of the source and destination.
  – ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity.
  – Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
IPsec Security Protocols
DES - Encrypts and decrypts packet data.
3DES - Provides significant encryption strength over 56-bit DES.
AES - Provides stronger encryption, depending on the key length used, and faster throughput.
MD5 - Authenticates packet data, using a 128-bit shared secret key.
SHA-1 - Authenticates packet data, using a 160-bit shared secret key.
DH - Allows two parties to establish a shared secret key used by encryption and hash algorithms, for example, DES and MD5, over an insecure communications channel.
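Added example (not from the Cisco deck) tying together the hash slides above and the DH and SHA-1 rows of this table: two peers run a Diffie-Hellman exchange over a channel an eavesdropper can read, derive a 160-bit key from the agreed secret, and use a keyed SHA-1 hash (HMAC) to authenticate packet data so that any alteration is detected. The DH group is a toy 61-bit prime chosen so the numbers stay readable, and the one-step key derivation is an assumption standing in for IKE's real key schedule.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (constructed): the Mersenne prime 2^61-1.
# Real IPsec peers use much larger groups; the arithmetic is identical.
P = 2**61 - 1
G = 2
TAG_LEN = 20  # HMAC-SHA-1 yields a 160-bit (20-byte) tag


def dh_private() -> int:
    """Random private exponent in [1, P-2]; never leaves the host."""
    return secrets.randbelow(P - 2) + 1


def dh_public(private: int) -> int:
    """Value sent in the clear: G^private mod P."""
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Both sides compute the same value: peer_public^private mod P."""
    return pow(peer_public, private, P)


def derive_key(shared: int) -> bytes:
    """Reduce the DH result to a 160-bit key for HMAC-SHA-1 (assumed KDF)."""
    return hashlib.sha1(shared.to_bytes(8, "big")).digest()


def protect(key: bytes, packet: bytes) -> bytes:
    """Append the keyed hash of the packet, as AH/ESP authentication does."""
    return packet + hmac.new(key, packet, hashlib.sha1).digest()


def verify(key: bytes, protected: bytes):
    """Return the packet if its tag checks out, or None if it was altered."""
    packet, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, packet, hashlib.sha1).digest()
    return packet if hmac.compare_digest(tag, expected) else None


def demo() -> bool:
    """Full exchange: agree a key, protect a packet, detect one flipped bit."""
    a, b = dh_private(), dh_private()
    key_a = derive_key(dh_shared(a, dh_public(b)))  # A uses B's public value
    key_b = derive_key(dh_shared(b, dh_public(a)))  # B uses A's public value
    protected = protect(key_a, b"sample packet data (constructed)")
    tampered = bytes([protected[0] ^ 0x01]) + protected[1:]
    return (key_a == key_b and verify(key_b, protected) is not None
            and verify(key_b, tampered) is None)
```

The tag is fixed at 20 bytes regardless of packet size, which is the "smaller than the text itself" property the hash slide describes; an observer who saw only the two public values still cannot compute the key, so cannot forge a valid tag.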
Summary
• Requirements for providing teleworker services are:
  – Maintains continuity of operations
  – Provides for increased services
  – Secure & reliable access to information
  – Cost effective
  – Scalable
• Components needed for a teleworker to connect to an organization’s network are:
  – Home components
  – Corporate components
Summary
• Broadband services used
  – Cable
    • Transmits signal in either direction simultaneously
  – DSL
    • Requires minimal changes to existing telephone infrastructure
    • Delivers high bandwidth data rates to customers
  – Wireless
    • Increases mobility
    • Wireless availability via:
      » Municipal Wi-Fi
      » WiMAX
      » Satellite Internet
Summary
• Securing teleworker services
  – VPN security achieved through using
    • Advanced encryption techniques
    • Tunneling
  – Characteristics of a secure VPN
    • Data confidentiality
    • Data integrity
    • Authentication