Teleworker Services


Transcript of Teleworker Services

Page 1: Teleworker Services

Teleworker Services

W.lilakiatsakun

Page 2: Teleworker Services

Introduction (1)

• Teleworking is working away from a traditional workplace, usually from a home office.

• The reasons for choosing teleworking are varied and include everything from personal convenience to allowing injured or shut-in employees opportunities to continue working during periods of convalescence.

Page 3: Teleworker Services

Introduction (2)

• Teleworking is a broad term referring to conducting work by connecting to a workplace from a remote location, with the assistance of telecommunications.

• Efficient teleworking is possible because of broadband Internet connections, virtual private networks (VPN), and more advanced technologies, including Voice over IP (VoIP) and videoconferencing.

Page 4: Teleworker Services

Benefit

Page 5: Teleworker Services

Teleworker Solution (1)

• Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions.
– The security of these connections depends on the service provider.

• IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity.

Page 6: Teleworker Services

Teleworker Solution (2)

• Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers.
– This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet.
– (A less reliable means of connectivity using the Internet is a dialup connection.)

Page 7: Teleworker Services

Teleworker Solution (3)

Page 8: Teleworker Services

Teleworking Component (1)

• Home Office Components - The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer.
– Additional components might include a wireless access point.
– When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, network, or broadband connection.

Page 9: Teleworker Services

Teleworking Component (2)

• Corporate Components - Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.

Page 10: Teleworker Services

Teleworking Component (3)

• Routers need Quality of Service (QoS) functionality. QoS refers to the capability of a network to provide better service to selected network traffic, as required by voice and video applications.

Page 11: Teleworker Services

Teleworking Component (4)

Page 12: Teleworker Services

Connecting teleworkers to WAN (1)

• Dialup access - An inexpensive option that uses any phone line and a modem.
– Dialup is the slowest connection option.

• DSL - Typically more expensive than dialup, but provides a faster connection.
– DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet.
– DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.

Page 13: Teleworker Services

Connecting teleworkers to WAN (2)

• Cable modem - Offered by cable television service providers.
– The Internet signal is carried on the same coaxial cable that delivers cable television.
– A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.

• Satellite - Offered by satellite service providers.
– The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.

Page 14: Teleworker Services

Connecting teleworkers to WAN (3)

Page 15: Teleworker Services

Broadband Services (1)

Page 16: Teleworker Services

Broadband Services (2)

• A cable network is capable of transmitting signals on the cable in both directions at the same time:

• Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). (Forward Path)
– Downstream frequencies are in the range of 50 to 860 megahertz (MHz).

• Upstream - The direction of the RF signal transmission from subscribers to the headend. (Reverse Path)
– Upstream frequencies are in the range of 5 to 42 MHz.

Page 17: Teleworker Services

Broadband Services (3)

Page 18: Teleworker Services

Broadband Services (4)

• The Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs, a non-profit research and development consortium for cable-related technologies.

Page 19: Teleworker Services

Broadband Services (5)

• DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:
– Physical layer - For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidth of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz.
• DOCSIS also specifies modulation techniques (the way to use the RF signal to convey digital data).

Page 20: Teleworker Services

Broadband Services (6)

– MAC layer - Defines a deterministic access method, either time-division multiple access (TDMA) or synchronous code division multiple access (S-CDMA).

Page 21: Teleworker Services

Cable Modem (1)

• Two types of equipment are required to send digital modem signals upstream and downstream on a cable system:

• Cable modem termination system (CMTS) at the headend of the cable operator

• Cable modem (CM) on the subscriber end

Page 22: Teleworker Services

Cable Modem (2)

Page 23: Teleworker Services

Cable Modem (3)

• A headend CMTS communicates with CMs located in subscriber homes.

• The headend is actually a router with databases for providing Internet services to cable subscribers.

• The architecture is relatively simple, using a mixed optical-coaxial network in which optical fiber replaces the lower bandwidth coaxial.

Page 24: Teleworker Services

Cable Modem (4)

• In a modern HFC network, typically 500 to 2,000 active data subscribers are connected to a cable network segment, all sharing the upstream and downstream bandwidth.

• The actual bandwidth for Internet service over a CATV line can be up to 27 Mb/s on the download path to the subscriber and about 2.5 Mb/s of bandwidth on the upload path.

Page 25: Teleworker Services

DSL (1)

• The two basic types of DSL technologies are asymmetric (ADSL) and symmetric (SDSL).
– ADSL provides higher downstream bandwidth to the user than upstream bandwidth.
– SDSL provides the same capacity in both directions.

• The different varieties of DSL provide different bandwidths, some with capabilities exceeding those of a T1 or E1 leased line.
– For satisfactory service, the loop must be less than 5.5 kilometers (3.5 miles).

Page 26: Teleworker Services

DSL (2)

Page 27: Teleworker Services

DSL (3)

• The two key components are the DSL transceiver and the DSLAM:
• Transceiver - Connects the computer of the teleworker to the DSL.
– Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable.
– Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.

• DSLAM - Located at the central office (CO) of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby, to the Internet.

Page 28: Teleworker Services

DSL (4)

Page 29: Teleworker Services

DSL (5)

• The advantage that DSL has over cable technology is that DSL is not a shared medium.
– Each user has a separate direct connection to the DSLAM.
– Adding users does not impede performance, unless the DSLAM Internet connection to the ISP, or the Internet, becomes saturated.

Page 30: Teleworker Services

DSL (6)

Page 31: Teleworker Services

DSL (7)

Microfilter

Page 32: Teleworker Services

DSL (8)

SPLITTER

Page 33: Teleworker Services

Broadband Wireless (1)

• New developments in broadband wireless technology are increasing wireless availability. These include:
– Municipal Wi-Fi
– WiMAX
– Satellite Internet

Page 34: Teleworker Services

Broadband Wireless (2)

Page 35: Teleworker Services

Broadband Wireless (3)

• Most municipal wireless networks use a mesh topology rather than a hub-and-spoke model.

• A mesh is a series of access points (radio transmitters).

• Each access point is in range and can communicate with at least two other access points.

• The mesh blankets its area with radio signals. Signals travel from access point to access point through this cloud.

Page 36: Teleworker Services

Broadband Wireless (4)

• WiMAX (Worldwide Interoperability for Microwave Access) is telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access.

• WiMAX operates at higher speeds, over greater distances, and for a greater number of users than Wi-Fi.

Page 37: Teleworker Services

Broadband Wireless (5)

• A WiMAX network consists of two main components:
– A tower that is similar in concept to a cellular telephone tower. A single WiMAX tower can provide coverage to an area as large as 3,000 square miles, or almost 7,500 square kilometers.
– A WiMAX receiver that is similar in size and shape to a PCMCIA card, or built into a laptop or other wireless device.

Page 38: Teleworker Services

Broadband Wireless (6)

• Satellite Internet services are used in locations where land-based Internet access is not available, or for temporary installations that are continually on the move.

• Internet access using satellites is available worldwide, including for vessels at sea, airplanes in flight, and vehicles moving on land.

Page 39: Teleworker Services

Broadband Wireless (7)

Page 40: Teleworker Services

Broadband Wireless (8)

• One-way multicast satellite Internet systems are used for IP multicast-based data, audio, and video distribution.

• One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite.

Page 41: Teleworker Services

Broadband Wireless (9)

• Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet.
– The satellite dish at each location needs precise positioning to avoid interference with other satellites.

Page 42: Teleworker Services

VPN Technology (1)

• VPNs provide a virtual WAN infrastructure that connects branch offices, home offices, business partner sites, and remote telecommuters to all or portions of their corporate network.

• To remain private, the traffic is encrypted. Instead of using a dedicated Layer 2 connection, such as a leased line, a VPN uses virtual connections that are routed through the Internet.

Page 43: Teleworker Services

VPN Technology (2)

Page 44: Teleworker Services

VPN Technology (3)

• Benefits:
• Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.

Page 45: Teleworker Services

VPN Technology (4)

• Security - Advanced encryption and authentication protocols protect data from unauthorized access.

• Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users.
– Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.

Page 46: Teleworker Services

VPN Technology (5)

Page 47: Teleworker Services

VPN Technology (6)

• In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA).
– The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.
– On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.

Page 48: Teleworker Services

VPN Technology (7)

Page 49: Teleworker Services

VPN Technology (7)

• In a remote-access VPN, each host typically has VPN client software.

• Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.

• On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.

Page 50: Teleworker Services

VPN Technology (8)

Page 51: Teleworker Services

VPN Technology (9)

• Components required to establish this VPN include:
– An existing network with servers and workstations
– A connection to the Internet
– VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
– Appropriate software to create and manage VPN tunnels

Page 52: Teleworker Services

VPN Technology (10)

Page 53: Teleworker Services

VPN Technology (11)

• VPNs secure data by encapsulating or encrypting the data.
– Encapsulation is also referred to as tunneling, because encapsulation transmits data transparently from network to network through a shared network infrastructure.
– Encapsulation alone does not hide anything: the inner packet is carried in the clear. Only encryption makes the tunnel private.
– Encryption codes data into a different format using a secret key.
• Decryption decodes encrypted data into the original unencrypted format.

Page 54: Teleworker Services

VPN Technology (12)

Characteristics of Secure VPN

Page 55: Teleworker Services

VPN Tunneling (1)

Page 56: Teleworker Services

VPN Tunneling (2)

Page 57: Teleworker Services

VPN Tunneling (3)

• PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet.
– GRE is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork.
– GRE by itself neither encrypts nor authenticates; anyone on the path can read the encapsulated packet, which is why GRE tunnels are normally protected with IPsec.
• Once a composite packet reaches the destination tunnel interface, the inner packet is extracted.
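The encapsulation and extraction steps above, as an added example that is not part of the original slides. It builds a GRE-over-IPv4 packet the way a tunnel interface would (the RFC 2784 header, protocol type 0x0800 for an IPv4 payload) and strips it again at the far end after checking the outer IPv4 checksum, the protocol number and the GRE flag bits, skipping the optional checksum, key and sequence fields if a peer sets them. The addresses come from documentation ranges and the inner UDP packet is constructed for the demo. It also makes the caveat above concrete: the inner packet, private addresses included, sits in the clear 24 bytes into the outer packet.

```python
import socket
import struct

# Values from the IANA protocol-number and Ethertype registries.
IPPROTO_GRE = 47         # GRE carried directly inside IPv4
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" field uses Ethertype values

# Flag bits in the first 16 bits of the GRE header (RFC 2784, RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000
GRE_VERSION_MASK = 0x0007


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outbound VPN device: wrap the whole inner IP packet in a 4-byte GRE
    header and a new outer IPv4 header addressed to the tunnel peer."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no flags, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE,
                        len(gre_header) + len(inner_packet))
    return outer + gre_header + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """Destination tunnel interface: validate outer IPv4 and GRE headers,
    skip optional GRE fields, and return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20:
        raise ValueError("outer header is not IPv4")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum failed")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("unsupported GRE version")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    offset = ihl + 4
    # Optional 4-byte fields are present only when their flag bit is set.
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4  # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        offset += 4
    return packet[offset:]


def build_example() -> tuple:
    """Constructed sample: a UDP packet between private hosts, tunneled between
    two public tunnel endpoints (documentation address ranges)."""
    inner = ipv4_header("10.1.1.10", "10.2.2.20", IPPROTO_UDP, 8) + b"payload!"
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    return inner, outer


if __name__ == "__main__":
    inner, outer = build_example()
    print("outer protocol:", outer[9], "inner src visible in clear:",
          socket.inet_ntoa(outer[24 + 12:24 + 16]))
    assert gre_decapsulate(outer) == inner
```

The decapsulation path rejects anything that is not an IPv4/GRE/IPv4 stack, but note that none of those checks is a security control: a GRE peer that does not also run IPsec will accept an inner packet from anyone who can reach its outer address.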

Page 58: Teleworker Services

VPN Data Integrity (1)

Page 59: Teleworker Services

VPN Data Integrity (2)

• Gail and Jeremy have previously agreed on a secret shared key.
• At Gail's end, the VPN client software combines the document with the secret shared key and passes it through an encryption algorithm.
– The output is undecipherable cipher text.
– The cipher text is then sent through a VPN tunnel over the Internet.
• At the other end, the message is recombined with the same shared secret key and processed by the same encryption algorithm, run in the decryption direction.
– The output is the original financial document, which is now readable to Jeremy.

Page 60: Teleworker Services

VPN Data Integrity (3)

• Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key and is fast to implement in hardware.
– DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
– A 56-bit key is far too short today: DES keys have been recovered by exhaustive search since the late 1990s, and DES should not be selected for new VPNs.

• Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with a second key, and then encrypts one final time with a third key (encrypt-decrypt-encrypt).
– 3DES provides significantly more strength to the encryption process than single DES, at three times the computational cost; NIST has since deprecated it in favor of AES.

Page 61: Teleworker Services

VPN Data Integrity (4)

• Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices.
– AES provides stronger security than DES and is computationally more efficient than 3DES.
– AES offers three different key lengths: 128, 192, and 256-bit keys.

• Rivest, Shamir, and Adleman (RSA) - An asymmetrical key cryptosystem.
– The keys use a bit length of 512, 768, 1024, or larger.
– 512- and 768-bit RSA moduli have been publicly factored, so 2048 bits is the accepted minimum today.

Page 62: Teleworker Services

VPN Data Integrity (5)

Page 63: Teleworker Services

VPN Data Integrity (6)

• Hashes contribute to data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages.
• A hash, also called a message digest, is a number generated from a string of text.
• The hash is smaller than the text itself.
• It is generated using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
– A hash on its own only detects accidental change: an attacker who alters the message can recompute the hash to match. VPNs therefore key the hash with a shared secret (HMAC).

Page 64: Teleworker Services

VPN Data Integrity (7)

Page 65: Teleworker Services

VPN Data Integrity (8)

• VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms.

• A keyed hashed message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message.

Page 66: Teleworker Services

VPN Data Integrity (9)

• A HMAC has two parameters: a message input and a secret key known only to the message originator and intended receivers.
– The message sender uses a HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input.
– The message authentication code is sent along with the message.

Page 67: Teleworker Services

VPN Data Integrity (10)

– The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used, and compares the result computed with the received message authentication code.
• If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key.

Page 68: Teleworker Services

VPN Data Integrity (11)

• There are two common HMAC algorithms:
• Message Digest 5 (MD5) - Typically used with a 128-bit shared secret key. The variable length message and the shared secret key are combined and run through the HMAC-MD5 algorithm.
– The output is a 128-bit hash.

• Secure Hash Algorithm 1 (SHA-1) - Typically used with a 160-bit shared secret key. The variable length message and the shared secret key are combined and run through the HMAC-SHA-1 algorithm.
– The output is a 160-bit hash.

• The 128-bit and 160-bit figures are the digest sizes; HMAC itself accepts a key of any length. MD5 and SHA-1 are no longer recommended as hash functions for new designs, and HMAC-SHA-256 (RFC 4868) is the usual choice for IPsec today.
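The hash and HMAC slides above (VPN Data Integrity (6) through (11)), as an added example that is not part of the original slides, using only Python's standard hmac and hashlib modules. A constructed payment message is rewritten by an on-path attacker: with a plain SHA-1 digest the receiver accepts the forgery because the attacker simply recomputes the digest, while with HMAC-SHA-1 the old tag no longer verifies and the attacker cannot make a new one without the key. The key string is an arbitrary demo value; as noted above, HMAC takes a key of any length.

```python
import hashlib
import hmac


def plain_digest(message: bytes) -> bytes:
    """Unkeyed SHA-1. Catches accidental corruption only: anyone who can
    change the message can recompute this value to match."""
    return hashlib.sha1(message).digest()


def make_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-1 (RFC 2104): 160-bit tag that depends on both the message
    and a key known only to the parties sharing it."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute with the same key and function, compare in
    constant time so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(make_mac(key, message), tag)


def receiver_accepts_plain_hash(message: bytes, digest: bytes) -> bool:
    """What a receiver relying on an unkeyed hash can check."""
    return hmac.compare_digest(plain_digest(message), digest)


def attacker_rewrites(new_message: bytes) -> tuple:
    """On-path attacker: substitute the document and recompute the unkeyed
    digest so the pair still looks consistent. Without the HMAC key the
    attacker cannot do the same for the keyed tag."""
    return new_message, plain_digest(new_message)


def scenario(shared_key: bytes) -> dict:
    # Constructed sample traffic for the demo.
    original = b"Transfer 100.00 from account 1234 to Jeremy"
    forged = b"Transfer 100000.00 from account 1234 to Mallory"

    # 1. Unkeyed hash: the forgery passes the receiver's check.
    sent_msg, sent_digest = attacker_rewrites(forged)
    hash_accepts_forgery = receiver_accepts_plain_hash(sent_msg, sent_digest)

    # 2. HMAC: the genuine tag verifies, the forged message does not, and the
    #    attacker has no way to compute a tag for it.
    tag = make_mac(shared_key, original)
    return {
        "hash_accepts_forgery": hash_accepts_forgery,
        "hmac_accepts_genuine": verify_mac(shared_key, original, tag),
        "hmac_accepts_forgery": verify_mac(shared_key, forged, tag),
    }


if __name__ == "__main__":
    for check, result in scenario(b"demo-key-shared-by-gail-and-jeremy").items():
        print(f"{check}: {result}")
```

The same pattern is what ESP and AH do per packet: the tag (ICV) travels with the packet, and a packet whose recomputed tag does not match is dropped before anything else looks at it.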

Page 69: Teleworker Services

VPN Authentication (1)

Page 70: Teleworker Services

VPN Authentication (2)

• There are two peer authentication methods:
• Pre-shared key (PSK) - A secret key that is shared between the two parties using a secure channel before it needs to be used.
– PSKs use symmetric key cryptographic algorithms.
– A PSK is entered into each peer manually and is used to authenticate the peer.
– At each end, the PSK is combined with other information to form the authentication key.

Page 71: Teleworker Services

VPN Authentication (3)

• RSA signature - Uses the exchange of digital certificates to authenticate the peers.
– The local device derives a hash and encrypts it with its private key.
– The encrypted hash (digital signature) is attached to the message and forwarded to the remote end.
– At the remote end, the encrypted hash is decrypted using the public key of the local end, taken from the certificate it presented.
– If the decrypted hash matches the recomputed hash, the signature is genuine.
– The certificate must itself be validated against a trusted certificate authority; otherwise any peer could present a key pair of its own and pass this check.
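The RSA signature steps above, as an added example that is not part of the original slides. It is textbook RSA: the hash is raised to the private exponent, the remote end raises the signature to the public exponent and compares with its own hash. No PKCS#1 padding and no certificate handling are shown, and the key pair is built from two publicly known Mersenne primes purely so the block is self-contained; those are assumptions for illustration. A real peer's public key comes from its certificate and its modulus is at least 2048 bits from randomly generated primes. The signed message text is constructed.

```python
import hashlib

# Demo key pair (ASSUMPTION, insecure by construction): two published Mersenne
# primes give a 216-bit modulus, enough to hold a 160-bit SHA-1 digest.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # private exponent (Python 3.8+)


def message_hash(message: bytes) -> int:
    """Step 1: derive a hash of the message and treat it as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, private_exponent: int, modulus: int) -> int:
    """Step 2 (local device): 'encrypt' the hash with the private key.
    Textbook RSA without padding; PKCS#1 v1.5 or PSS is used in practice."""
    return pow(message_hash(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int, modulus: int) -> bool:
    """Steps 3 and 4 (remote end): recover the hash with the peer's public key
    and compare it with a freshly computed hash of the received message."""
    if not 0 < signature < modulus:
        return False
    return pow(signature, public_exponent, modulus) == message_hash(message)


def demo() -> dict:
    # Constructed sample of the kind of data a peer signs during key exchange.
    message = b"IKE peer 203.0.113.1 nonce 7f3a... proposal AES-128/SHA-1"
    signature = sign(message, D, N)
    return {
        "genuine": verify(message, signature, E, N),
        "tampered_message": verify(message + b" (edited)", signature, E, N),
        "tampered_signature": verify(message, signature ^ 1, E, N),
    }


if __name__ == "__main__":
    print(demo())
```

Only the holder of D can produce a value that decrypts to the right hash under E, which is what lets the remote end conclude the message came from the certificate's subject.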

Page 72: Teleworker Services

IPSEC Security Protocol (1)

Page 73: Teleworker Services

IPSEC Security Protocol (2)

• There are two main IPsec framework protocols.
– Authentication Header (AH) - Use when confidentiality is not required or permitted.
• AH provides data authentication and integrity for IP packets passed between two systems.
• It verifies that any message passed from R1 to R2 has not been modified during transit.
• It also verifies that the origin of the data was either R1 or R2.
• AH does not provide data confidentiality (encryption) of packets.

Page 74: Teleworker Services

IPSEC Security Protocol (3)

– Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet.
• In tunnel mode, encrypting the whole inner IP packet conceals the data and the addresses of the original source and destination; only the tunnel endpoints remain visible.
• ESP authenticates the inner IP packet and ESP header.
• Authentication provides data origin authentication and data integrity.
• Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected. Encryption without authentication is discouraged, because ciphertext can then be modified in transit without detection.

Page 75: Teleworker Services

IPSEC Security Protocol (4)

Page 76: Teleworker Services

IPSEC Security Protocol (5)

• Algorithms used in the IPsec framework:
• DES - Encrypts and decrypts packet data.
• 3DES - Provides significant encryption strength over 56-bit DES.
• AES - Provides stronger encryption, depending on the key length used, and faster throughput.
• MD5 - Authenticates packet data, using a 128-bit shared secret key.
• SHA-1 - Authenticates packet data, using a 160-bit shared secret key.
• DH - Allows two parties to establish a shared secret key used by encryption and hash algorithms, for example, DES and MD5, over an insecure communications channel.

Page 77: Teleworker Services

IPSEC Security Protocol (6)

• When configuring an IPsec gateway to provide security services, first choose an IPsec protocol.
– The choices are ESP or ESP with AH.

• The second square is an encryption algorithm if IPsec is implemented with ESP.
– Choose the encryption algorithm that is appropriate for the desired level of security: DES, 3DES, or AES.

• The third square is authentication.
– Choose an authentication algorithm to provide data integrity: MD5 or SHA.

• The last square is the Diffie-Hellman (DH) algorithm group, which establishes the sharing of key information between peers.
– Choose which group to use, DH1 (768-bit modulus) or DH2 (1024-bit modulus).
– Both groups are considered too weak today; current guidance is at least group 14 (2048-bit modulus) or an elliptic-curve group.
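The DH group choice above, as an added example that is not part of the original slides. The two moduli are the Oakley groups 1 and 2 published in RFC 2409 (the DH1 and DH2 choices on the slide) with generator 2; both peers are simulated in one process, only the public values would cross the insecure channel, and a peer public value of 0, 1 or p-1 is rejected before use because an attacker who substitutes one forces a trivial shared secret. The secret obtained here would feed IKE's key derivation rather than being used directly as a key. Both groups are too small for current use: 768-bit discrete logarithms have been computed publicly and the 2015 Logjam work put 1024-bit groups within reach of a well-resourced attacker. The code is written so that moving to a larger group means adding its modulus to the table and nothing else.

```python
import secrets

# Oakley MODP groups from RFC 2409, generator g = 2.
DH1_PRIME = int(  # group 1, 768-bit modulus
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
DH2_PRIME = int(  # group 2, 1024-bit modulus
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2
GROUPS = {1: DH1_PRIME, 2: DH2_PRIME}


def group_bits(group: int) -> int:
    """Modulus size, the figure the slide's DH1/DH2 choice is really about."""
    return GROUPS[group].bit_length()


def keypair(group: int) -> tuple:
    """Each peer draws a random private exponent x and publishes g^x mod p."""
    p = GROUPS[group]
    private = secrets.randbelow(p - 3) + 2          # x in [2, p-2]
    return private, pow(GENERATOR, private, p)


def shared_secret(group: int, private: int, peer_public: int) -> int:
    """Combine our private exponent with the peer's public value.
    Reject 0, 1 and p-1: an attacker who injects these makes the result
    predictable regardless of our private exponent."""
    p = GROUPS[group]
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def ike_style_exchange(group: int) -> tuple:
    """Simulate both peers; only a_pub and b_pub would cross the network.
    Returns the secret as computed by each side so they can be compared."""
    a_priv, a_pub = keypair(group)
    b_priv, b_pub = keypair(group)
    k_a = shared_secret(group, a_priv, b_pub)   # (g^y)^x
    k_b = shared_secret(group, b_priv, a_pub)   # (g^x)^y
    return k_a, k_b


if __name__ == "__main__":
    for g in GROUPS:
        k_a, k_b = ike_style_exchange(g)
        print(f"DH{g}: {group_bits(g)}-bit modulus, peers agree: {k_a == k_b}")
```

An eavesdropper sees p, g, g^x and g^y; recovering x or y is the discrete logarithm problem whose difficulty depends on the modulus size, which is why the group selection in the last square matters more than it looks.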