Providing Teleworker Services: Accessing the WAN – Chapter 6
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Public.

Presentation transcript:


Objectives
- Describe the enterprise requirements for providing teleworker services
- Explain how broadband services extend Enterprise Networks including DSL, cable, and wireless
- Describe how VPN technology provides secure teleworker services in an Enterprise setting

Teleworking
- Teleworking is a broad term referring to conducting work by connecting to a workplace from a remote location, with the assistance of telecommunications.
- Efficient teleworking is possible because of:
  - Broadband Internet connections
  - Virtual private networks (VPN)
  - Voice over IP (VoIP)
  - Videoconferencing
- Teleworking can save money otherwise spent on travel, infrastructure, and facilities support.

Benefits of Teleworking
- Benefits of teleworkers for business, society and the environment.

Teleworker Solutions
- Organizations need secure, reliable, and cost-effective networks to connect:
  - corporate headquarters,
  - branch offices, and
  - suppliers.
- With the growing number of teleworkers, enterprises have an increasing need for secure, reliable, and cost-effective ways to connect people working in small offices and home offices (SOHOs), and other remote locations, with resources on corporate sites.


Teleworker Solutions (continued)
- To connect effectively to their organization's networks, teleworkers need two key sets of components:
  - Home office components: a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer. Additional components might include a wireless access point.
  - Corporate components: VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.
- Note: The IPsec (IP Security) protocol is the favored approach to building secure VPN tunnels. IPsec works at the network or packet processing layer.


Broadband Services
- Teleworkers typically use diverse applications that require a high-bandwidth connection.
- The choice of access network technology and the need to ensure suitable bandwidth are the first considerations to address when connecting teleworkers.
- The main connection methods used by home and small business users are:
  - Dialup access
  - DSL: DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
  - Cable modem: The Internet signal is carried on the same coaxial cable that delivers cable television.
  - Satellite: Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.


Broadband Services (continued)
- Cable connectivity to extend their reach
- DOCSIS = the Data-over-Cable Service Interface Specification, developed by CableLabs, a non-profit research and development consortium for cable-related technologies.
- Downstream frequencies are in the 50 to 860 MHz range, and the upstream frequencies are in the 5 to 42 MHz range.

Broadband Services (continued)
- DSL connectivity to extend their reach
- POTS = plain old telephone service
- DSL can be ADSL or SDSL.
- ADSL provides higher downstream bandwidth to the user than upload bandwidth. SDSL provides the same capacity in both directions.
- Transceiver
- DSLAM

Broadband Services (continued)
- Broadband wireless connectivity to extend their reach


VPN Technology
- VPN technology enables organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security.
- Advantages of VPN:
  - Cost savings
  - Security
  - Scalability

VPN Technology (continued): Types of VPN
- Site-to-Site VPN
  - Organizations use site-to-site VPNs to connect dispersed locations in the same way as a leased line or Frame Relay connection is used.
  - Site-to-site VPNs connect entire networks to each other.
  - In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA).
  - The VPN gateway is responsible for encapsulating and encrypting outbound traffic

VPN Technology (continued): Types of VPN
- Remote Site VPN
  - In a remote-access VPN, each host typically has VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.
  - On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.

VPN Technology (continued)
- Site-to-site VPNs & remote-access VPNs

VPN Components
- Components of VPN:
  - An existing network with servers and workstations
  - A connection to the Internet
  - VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
  - Appropriate software to create and manage VPN tunnels

VPN Tunneling
- Concept of VPN tunneling

Encryption Algorithm
- Symmetric vs Asymmetric Algorithms
  - Encryption and decryption with the same key is called symmetric, while asymmetric encryption uses different keys, called the public and private keys.
- Some of the more common encryption algorithms and the length of keys they use are as follows:
  - Data Encryption Standard (DES) algorithm – DES uses a 56-bit key.
  - Triple DES (3DES) algorithm – Asymmetric
  - Advanced Encryption Standard (AES) – AES offers three different key lengths: 128, 192, and 256-bit keys.
  - Rivest, Shamir, and Adleman (RSA) – An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.
- Note: These are for confidentiality.

Data Integrity
- Hashes contribute to data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages.
- There are two common HMAC (hashed message authentication code) algorithms:
  - Message Digest 5 (MD5) - Uses a 128-bit shared secret key.
  - Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key.

IPsec Security Protocol
- IPsec is a protocol suite for securing IP communications which provides encryption, integrity, and authentication.
- There are two main IPsec framework protocols:
  - Authentication Header (AH) - Use when confidentiality is not required or permitted, but data integrity is desired.
  - Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet.
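The Data Integrity and AH slides above, combined in one added example that is not part of the original slides: a simplified AH-style packet whose integrity check value (ICV) is HMAC-SHA1 truncated to 96 bits. The key, SPI, payload and function names are constructed for illustration, and the ICV here covers only the AH header and payload, not the outer IP header.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12   # HMAC-SHA1-96: the 160-bit digest truncated to 96 bits
HDR_LEN = 12   # next header, payload length, reserved, SPI, sequence number


def _icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    # Simplification (assumption): a real AH ICV also covers the immutable
    # fields of the outer IP header. The ICV field is zeroed while hashing.
    mac = hmac.new(key, header + bytes(ICV_LEN) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def ah_protect(key: bytes, spi: int, seq: int, next_hdr: int, payload: bytes) -> bytes:
    """Return AH header + ICV + cleartext payload."""
    # The payload length field is the AH length in 32-bit words, minus 2.
    plen = (HDR_LEN + ICV_LEN) // 4 - 2
    header = struct.pack("!BBHII", next_hdr, plen, 0, spi, seq)
    return header + _icv(key, header, payload) + payload


def ah_verify(key: bytes, packet: bytes) -> dict:
    """Parse an AH packet and check its ICV in constant time."""
    if len(packet) < HDR_LEN + ICV_LEN:
        raise ValueError("truncated AH packet")
    header = packet[:HDR_LEN]
    icv = packet[HDR_LEN:HDR_LEN + ICV_LEN]
    payload = packet[HDR_LEN + ICV_LEN:]
    next_hdr, _plen, _rsvd, spi, seq = struct.unpack("!BBHII", header)
    valid = hmac.compare_digest(icv, _icv(key, header, payload))
    return {"spi": spi, "seq": seq, "next_hdr": next_hdr, "valid": valid}


def demo() -> dict:
    key = b"constructed-shared-secret"          # constructed sample key
    inner = b"GET /payroll HTTP/1.1\r\n\r\n"    # constructed inner data
    pkt = ah_protect(key, spi=0x1001, seq=1, next_hdr=6, payload=inner)
    tampered = pkt[:-10] + b"X" + pkt[-9:]       # one payload byte altered in transit
    return {
        "good": ah_verify(key, pkt)["valid"],
        "tampered": ah_verify(key, tampered)["valid"],
        "wrong_key": ah_verify(b"other-key", pkt)["valid"],
        "readable": inner in pkt,                # AH alone does not hide the payload
    }


if __name__ == "__main__":
    print(demo())
```

The `readable` result is the practical difference from ESP: an AH-only tunnel detects modification but leaves the inner data visible on the wire.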

IPsec Security Protocol (continued)
- Concept of IPsec Protocols

Summary
- Requirements for providing teleworker services are:
  - Maintains continuity of operations
  - Provides for increased services
  - Secure & reliable access to information
  - Cost effective
  - Scalable
- Components needed for a teleworker to connect to an organization’s network are:
  - Home components
  - Corporate components

Summary
- Broadband services used:
  - Cable
    - transmits signal in either direction simultaneously
  - DSL
    - requires minimal changes to existing telephone infrastructure
    - delivers high bandwidth data rates to customers
  - Wireless
    - increases mobility
    - wireless availability via municipal WiFi, WiMax, and satellite internet

Summary
- Securing teleworker services:
  - VPN security achieved through using:
    - Advanced encryption techniques
    - Tunneling
  - Characteristics of a secure VPN:
    - Data confidentiality
    - Data integrity
    - Authentication
