
1 Exploration 4 Chapter 6

2 Teleworker
More and more companies are finding it beneficial to have teleworkers. With advances in broadband and wireless technologies, working away from the office no longer presents the challenges it did in the past. Workers can work remotely almost as if they were in the next cubicle or office. Organizations can cost-effectively distribute data, voice, video, and real-time applications extended over one common network connection, across their entire workforce no matter how remote and scattered they might be.

3 The teleworker solution
Organizations need secure, reliable, and cost-effective networks to connect corporate headquarters, branch offices, and suppliers. With the growing number of teleworkers, enterprises have an increasing need for secure, reliable, and cost-effective ways to connect people working in small offices and home offices (SOHOs), and other remote locations, with resources on corporate sites.
The term broadband refers to advanced communications systems capable of providing high-speed transmission of services, such as data, voice, and video, over the Internet and other networks. Transmission is provided by a wide range of technologies, including digital subscriber line (DSL) and fiber-optic cable, coaxial cable, wireless technology, and satellite. The broadband service data transmission speeds typically exceed 200 kilobits per second (kb/s), or 200,000 bits per second, in at least one direction: downstream (from the Internet to the user's computer) or upstream (from the user's computer to the Internet).

4 ISPs offer various connection options:
Dialup access - An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option, and is typically used by mobile workers in areas where higher speed connection options are not available.
DSL - Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet. DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
Cable modem - Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television. A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.
Satellite - Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.

5 Cable
Accessing the Internet through a cable network is a popular option used by teleworkers to access their enterprise network. The cable system uses a coaxial cable that carries radio frequency (RF) signals across the network. Coaxial cable is the primary medium used to build cable TV systems. Most cable operators use satellite dishes to gather TV signals. Modern cable systems provide two-way communication between subscribers and the cable operator. Cable operators now offer customers advanced telecommunications services, including high-speed Internet access, digital cable television, and residential telephone service. Cable operators typically deploy hybrid fiber-coaxial (HFC) networks to enable high-speed transmission of data to cable modems located in a SOHO.

6 A cable network is capable of transmitting signals on the cable in either direction at the same time. The following frequency ranges are used:
Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). Transmission from source to destination is called the forward path. Downstream frequencies are in the range of 50 to 860 megahertz (MHz).
Upstream - The direction of the RF signal transmission from subscribers to the headend, also called the return or reverse path. Upstream frequencies are in the range of 5 to 42 MHz.

7 The Data-over-Cable Service Interface Specification (DOCSIS)
DOCSIS is an international standard developed by CableLabs, a non-profit research and development consortium for cable-related technologies. CableLabs tests and certifies cable equipment vendor devices, such as cable modems and cable modem termination systems, and grants DOCSIS-certified or qualified status. DOCSIS defines the communications and operation support interface requirements for a data-over-cable system, and permits the addition of high-speed data transfer to an existing CATV system. Cable operators employ DOCSIS to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure.
DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:
Physical layer - For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques (the way to use the RF signal to convey digital data).
MAC layer - Defines a deterministic access method, time-division multiple access (TDMA) or synchronous code division multiple access (S-CDMA).

8 Congestion
When high usage causes congestion, the cable operator can add additional bandwidth for data services by allocating an additional TV channel for high-speed data. This addition may effectively double the downstream bandwidth that is available to subscribers. Another option is to reduce the number of subscribers served by each network segment. To reduce the number of subscribers, the cable operator further subdivides the network by laying the fiber-optic connections closer and deeper into the neighborhoods.

9 DSL
Service providers deploy DSL connections in the last step of a local telephone network, called the local loop or last mile. The connection is set up between a pair of modems on either end of a copper wire that extends between the customer premises equipment (CPE) and the DSL access multiplexer (DSLAM). A DSLAM is the device located at the central office (CO) of the provider and concentrates connections from multiple DSL subscribers.
The two key components are the DSL transceiver and the DSLAM:
Transceiver - Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.
DSLAM - Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby, to the Internet.
The advantage that DSL has over cable technology is that DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does not impede performance, unless the DSLAM Internet connection to the ISP, or the Internet, becomes saturated.

10 Broadband Wireless
The benefits of Wi-Fi extend beyond not having to use or install wired network connections. Wireless networking provides mobility. Wireless connections provide increased flexibility and productivity to the teleworker. Wireless networking complies with a range of standards that routers and receivers use to communicate with each other. The most common standards are included in the IEEE 802.11 wireless local area network (WLAN) standard, which addresses the 5 GHz and 2.4 GHz public (unlicensed) spectrum bands.

11 VPN
VPN technology enables organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security. Organizations use VPNs to provide a virtual WAN infrastructure that connects branch offices, home offices, business partner sites, and remote telecommuters to all or portions of their corporate network. To remain private, the traffic is encrypted. Instead of using a dedicated Layer 2 connection, such as a leased line, a VPN uses virtual connections that are routed through the Internet.

12 VPN Benefits
Organizations using VPNs benefit from increased flexibility and productivity. Remote sites and teleworkers can connect securely to the corporate network from almost any place. Data on a VPN is encrypted and undecipherable to anyone not entitled to have it. VPNs bring remote hosts inside the firewall, giving them close to the same levels of access to network devices as if they were in a corporate office.
Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.
Security - Advanced encryption and authentication protocols protect data from unauthorized access.
Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.

13 Site-to-site VPN
A site-to-site VPN is an extension of classic WAN networking. Site-to-site VPNs connect entire networks to each other. For example, they can connect a branch office network to a company headquarters network. In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA). The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.

14 VPN Components
A VPN creates a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, sender authentication, and message integrity.
Components required to establish this VPN include:
An existing network with servers and workstations
A connection to the Internet
VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
Appropriate software to create and manage VPN tunnels
The key to VPN effectiveness is security. VPNs secure data by encapsulating or encrypting the data. Most VPNs can do both. Encapsulation is also referred to as tunneling, because encapsulation transmits data transparently from network to network through a shared network infrastructure. Encryption codes data into a different format using a secret key. Decryption decodes encrypted data into the original unencrypted format.

15 Secure VPN
Data confidentiality - A common security concern is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.
Data integrity - Receivers have no control over the path the data has traveled and therefore do not know if the data has been seen or handled while it journeyed across the Internet. There is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal that guarantees that no one has read the content, but it is more robust. Hashes are explained in the next topic.
Authentication - Authentication ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.

16 VPN Tunneling
Incorporating appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents. Tunneling allows the use of public networks like the Internet to carry data for users as though the users had access to a private network. Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network.
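The encapsulation step that slides 13 and 16 describe (a gateway wraps the whole inner packet in a new outer packet, and the peer gateway strips that header again), shown as an added example that is not part of the course material. It uses plain IP-in-IP framing (outer protocol number 4) without the encryption layer a real VPN adds; the gateway and host addresses are constructed sample values.

```python
"""Added example: IP-in-IP style encapsulation between two VPN gateways.

Not from the course slides. Addresses are constructed sample values
(10.x.x.x private hosts, RFC 5737 documentation ranges for the gateways).
"""
import socket
import struct

IPPROTO_IPIP = 4   # outer header "protocol" value meaning "payload is an IPv4 packet"
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header, as the IP checksum requires."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)                # computed with checksum field = 0
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a damaged header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:     # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, proto, packet[ihl:total_len]


def encapsulate(inner_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Outbound gateway: the entire inner packet becomes the outer payload."""
    return build_ipv4(gw_src, gw_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes, expected_peer: str) -> bytes:
    """Peer gateway: check the outer header, strip it, hand back the inner packet."""
    src, _dst, proto, payload = parse_ipv4(outer_packet)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not a tunnel packet")
    if src != expected_peer:
        raise ValueError("tunnel packet from unexpected gateway %s" % src)
    parse_ipv4(payload)                      # inner packet must itself be well-formed
    return payload


def demo():
    """Branch host -> branch gateway -> Internet -> HQ gateway -> HQ host."""
    inner = build_ipv4("10.1.1.25", "10.2.2.40", IPPROTO_UDP, b"hello headquarters")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    recovered = decapsulate(outer, "198.51.100.1")
    return inner, outer, recovered


if __name__ == "__main__":
    inner, outer, recovered = demo()
    print("inner %d bytes, outer %d bytes, recovered == inner: %s"
          % (len(inner), len(outer), recovered == inner))
```

Only the outer addresses (the two gateways) are visible on the Internet path; the private 10.x addresses travel inside the outer payload.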

17 VPN Data Integrity
If plain text data is transported over the public Internet, it can be intercepted and read. To keep the data private, it needs to be encrypted. VPN encryption encrypts the data and renders it unreadable to unauthorized receivers. For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form. VPN encryption rules include an algorithm and a key. An algorithm is a mathematical function that combines a message, text, digits, or all three with a key. The output is an unreadable cipher string. Decryption is extremely difficult or impossible without the correct key.

18 Encryption algorithms
Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
Rivest, Shamir, and Adleman (RSA) - An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.

19 Symmetric Encryption
Encryption algorithms such as DES and 3DES require a shared secret key to perform encryption and decryption. Each of the two computers must know the key to decode the information. With symmetric key encryption, also called secret key encryption, each computer encrypts the information before sending it over the network to the other computer. Symmetric key encryption requires knowledge of which computers will be talking to each other so that the same key can be configured on each computer.

20 Asymmetric encryption
Asymmetric encryption uses different keys for encryption and decryption. Knowing one of the keys does not allow a hacker to deduce the second key and decode the information. One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key. Public key encryption is a variant of asymmetric encryption that uses a combination of a private key and a public key. The recipient gives a public key to any sender with whom the recipient wants to communicate. The sender uses a private key combined with the recipient's public key to encrypt the message. Also, the sender must share their public key with the recipient. To decrypt a message, the recipient will use the public key of the sender with their own private key.

21 Hashes contribute to data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages. A hash, also called a message digest, is a number generated from a string of text. The hash is smaller than the text itself. It is generated using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. The original sender generates a hash of the message and sends it with the message itself. The recipient decrypts the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, the recipient can be reasonably sure the integrity of the message has not been affected.

22 HMAC VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms. A keyed-hash message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message. An HMAC has two parameters: a message input and a secret key known only to the message originator and intended receivers. The message sender uses an HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input. The message authentication code is sent along with the message. The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used, and compares the computed result with the received message authentication code. If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key, and on the length of the hash output in bits.

23 There are two common HMAC algorithms:
Message Digest 5 (MD5) - Uses a 128-bit shared secret key. The variable length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key. The variable length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
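Slides 21 to 23 describe the plain message digest and the keyed HMAC as two different integrity mechanisms. The following Python script is an added example, not code from the presentation or from Cisco: it builds the sender and receiver side of both schemes with the standard library, shows the 128-bit and 160-bit tag lengths of HMAC-MD5 and HMAC-SHA-1, and demonstrates why an unkeyed hash alone does not give authenticity. The message and the shared key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample traffic and shared secret; neither comes from the presentation.
MESSAGE = b"transfer 100 to account 4471"
SHARED_KEY = b"example-shared-secret"      # known only to sender and receiver


def plain_hash(message: bytes) -> bytes:
    """Slide 21: an unkeyed message digest. Anyone can compute it."""
    return hashlib.sha1(message).digest()


def hmac_tag(key: bytes, message: bytes, algo: str) -> bytes:
    """Slide 22: HMAC condenses the secret key and the message into a tag.
    algo is "md5" (128-bit output) or "sha1" (160-bit output), as on slide 23."""
    return hmac.new(key, message, algo).digest()


def receiver_checks_hash(message: bytes, received_hash: bytes) -> bool:
    """Receiver side of the plain-hash scheme: recompute and compare."""
    return plain_hash(message) == received_hash


def receiver_checks_hmac(key: bytes, message: bytes, received_tag: bytes, algo: str) -> bool:
    """Receiver side of the HMAC scheme: same key, same function, then compare.
    compare_digest runs in constant time, so the comparison itself leaks nothing."""
    return hmac.compare_digest(hmac_tag(key, message, algo), received_tag)


def tampered(message: bytes) -> bytes:
    """A message altered in transit (constructed: the amount is changed)."""
    return message.replace(b"100", b"900")


def plain_hash_survives_tampering(message: bytes) -> bool:
    """Why a bare hash gives integrity but not authenticity: whoever alters the
    message can recompute a matching hash, so the receiver accepts the change.
    Returns True when the altered message is accepted."""
    altered = tampered(message)
    recomputed_hash = plain_hash(altered)          # no secret needed
    return receiver_checks_hash(altered, recomputed_hash)


def hmac_survives_tampering(key: bytes, message: bytes, algo: str) -> bool:
    """Same alteration against HMAC: without the key, an intermediary can only
    forward the tag that belonged to the original message, and the receiver's
    recomputation no longer matches. Returns True when accepted (it should not be)."""
    original_tag = hmac_tag(key, message, algo)
    return receiver_checks_hmac(key, tampered(message), original_tag, algo)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, len(hmac_tag(SHARED_KEY, MESSAGE, algo)) * 8, "bit tag")
    print("plain hash accepts altered message:", plain_hash_survives_tampering(MESSAGE))
    print("HMAC accepts altered message:", hmac_survives_tampering(SHARED_KEY, MESSAGE, "sha1"))
```

The two tampering functions make the slide's distinction concrete: the hash-only scheme reports integrity only against accidental corruption, while the HMAC scheme binds the tag to the shared key, which is what lets the receiver conclude that the sender belongs to the group holding that key. HMAC-MD5 and HMAC-SHA-1 are the algorithms the slide names; current IPsec deployments normally negotiate HMAC-SHA-256 instead, and the script runs unchanged with `"sha256"` as the algorithm argument.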

24 peer authentication methods When conducting business long distance, it is necessary to know who is at the other end of the phone, e-mail, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. There are two peer authentication methods:
Pre-shared key (PSK) - A secret key that is shared between the two parties using a secure channel before it needs to be used. PSKs use symmetric key cryptographic algorithms. A PSK is entered into each peer manually and is used to authenticate the peer. At each end, the PSK is combined with other information to form the authentication key.
RSA signature - Uses the exchange of digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine.
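The two peer authentication methods of slide 24, and the public/private key pair of slide 20, are shown side by side in the following Python script. It is an added example, not code from the presentation or from Cisco. The PSK part combines the key with constructed nonces using HMAC-SHA-256, which is this example's assumption (IKE uses a negotiated PRF for the same purpose). The RSA part uses textbook RSA with the tiny primes 61 and 53 so the sign and verify arithmetic is visible; real peers use 2048-bit or larger keys, a padding scheme, and certificates that bind the public key to an identity.

```python
import hashlib
import hmac

# ---------------------------------------------------------------------------
# Method 1: pre-shared key. Both peers hold the same PSK, entered by hand.
# The PSK is combined with other exchanged information (here two constructed
# nonces) to form the authentication key; each side then proves it holds that
# key. Using HMAC-SHA-256 as the combining function is an assumption made here.
# ---------------------------------------------------------------------------

def psk_auth_key(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """PSK plus exchanged nonces -> per-session authentication key."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def psk_proof(psk: bytes, nonce_i: bytes, nonce_r: bytes, role: bytes) -> bytes:
    """Value a peer sends to prove it derived the same authentication key."""
    return hmac.new(psk_auth_key(psk, nonce_i, nonce_r), role, hashlib.sha256).digest()


def psk_authenticate(psk_on_responder: bytes, proof_from_initiator: bytes,
                     nonce_i: bytes, nonce_r: bytes) -> bool:
    """Responder recomputes the initiator's proof with its own copy of the PSK."""
    expected = psk_proof(psk_on_responder, nonce_i, nonce_r, b"initiator")
    return hmac.compare_digest(expected, proof_from_initiator)


# ---------------------------------------------------------------------------
# Method 2: RSA signature. Toy textbook RSA with tiny primes so every step is
# visible. Not suitable for anything but illustration.
# ---------------------------------------------------------------------------

P, Q = 61, 53
N = P * Q                              # public modulus, 3233
E = 17                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, 2753 (Python 3.8+)


def message_hash(message: bytes) -> int:
    """Hash of the message, reduced mod N only because the toy modulus is tiny."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % N


def rsa_sign(message: bytes, private_exponent: int = D) -> int:
    """Local end: derive the hash and 'encrypt' it with the private key."""
    return pow(message_hash(message), private_exponent, N)


def rsa_verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Remote end: 'decrypt' the signature with the sender's public key and
    compare the result with a freshly recomputed hash of the message."""
    return pow(signature, public_exponent, N) == message_hash(message)


def rsa_encrypt(m: int) -> int:
    """Slide 20 with the same key pair: the public key encrypts ..."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    """... and only the private key decrypts (m must be smaller than N)."""
    return pow(c, D, N)


if __name__ == "__main__":
    psk = b"constructed-psk"
    n_i, n_r = b"\x01" * 8, b"\x02" * 8                 # constructed nonces
    proof = psk_proof(psk, n_i, n_r, b"initiator")
    print("PSK peer accepted:", psk_authenticate(psk, proof, n_i, n_r))
    print("PSK peer with a different key accepted:", psk_authenticate(b"other", proof, n_i, n_r))
    msg = b"IKE proposal from R1"
    sig = rsa_sign(msg)
    print("signature valid:", rsa_verify(msg, sig))
    print("altered signature valid:", rsa_verify(msg, (sig + 1) % N))
    print("public-key encrypt / private-key decrypt round trip:", rsa_decrypt(rsa_encrypt(65)) == 65)
```

The PSK check succeeds only when both peers hold the same secret, which is why the slide calls it symmetric. The RSA check needs no shared secret: the remote end only needs the local end's public key, and the certificate exchange the slide mentions is what tells the remote end which public key belongs to which peer. Because textbook RSA is a permutation on the values below N, any change to the signature value produces a different recovered hash, which is what the altered-signature line in the demonstration shows.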

25 IPsec IPsec is a protocol suite for securing IP communications that provides encryption, integrity, and authentication. IPsec spells out the messaging necessary to secure VPN communications, but relies on existing algorithms. There are two main IPsec framework protocols.
Authentication Header (AH) - Use when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies that any message passed from R1 to R2 has not been modified during transit. It also verifies that the origin of the data was either R1 or R2. AH does not provide data confidentiality (encryption) of packets. Used alone, the AH protocol provides weak protection. Consequently, it is used with the ESP protocol to provide data encryption and tamper-aware security features.
Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet. IP packet encryption conceals the data and the identities of the source and destination. ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
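To make the AH and ESP difference of slide 25 tangible, the following Python script is an added example, not code from the presentation or from Cisco. It models a minimal packet for each protocol: AH leaves the payload in clear and computes an integrity check value over the immutable IP header fields plus the payload, while ESP encrypts the payload and computes the ICV over the ESP header and the ciphertext only. The keys, the outer header fields and the payload are constructed values. The cipher is a toy keystream derived from HMAC-SHA-256 (an assumption of this example, standing in for the AES transform a real ESP security association would negotiate); the ICV is HMAC-SHA-1 truncated to 96 bits as RFC 2404 specifies. The example goes one step beyond the slide by showing what happens when a NAT device on the path rewrites the outer source address.

```python
import hashlib
import hmac

# Constructed per-direction keys for the R1 -> R2 security association.
AUTH_KEY = b"constructed-integrity-key"
ENC_KEY = b"constructed-confidentiality-key"

# Constructed outer IP header with only the fields the demonstration needs.
R1_TO_R2 = {"src": bytes([10, 0, 0, 1]), "dst": bytes([10, 0, 0, 2]), "ttl": 64}


def icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value: HMAC-SHA-1 truncated to 96 bits (RFC 2404)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (an assumption of this example): keystream blocks are
    HMAC-SHA-256(key, nonce || counter). XOR makes encryption its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def ah_protect(ip_header: dict, payload: bytes) -> dict:
    """AH: payload stays in clear; the ICV covers the immutable IP header fields
    (the addresses here; TTL changes per hop and is excluded) plus the payload."""
    covered = ip_header["src"] + ip_header["dst"] + payload
    return {"hdr": dict(ip_header), "payload": payload, "icv": icv(AUTH_KEY, covered)}


def ah_verify(pkt: dict) -> bool:
    """Receiver recomputes the ICV over the header it actually received."""
    covered = pkt["hdr"]["src"] + pkt["hdr"]["dst"] + pkt["payload"]
    return hmac.compare_digest(icv(AUTH_KEY, covered), pkt["icv"])


def esp_protect(ip_header: dict, payload: bytes, spi: int, seq: int) -> dict:
    """ESP with both services selected: encrypt the payload, then compute the ICV
    over the ESP header (SPI, sequence number) and the ciphertext. The outer IP
    header is not covered."""
    esp_hdr = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    ciphertext = keystream_xor(ENC_KEY, esp_hdr, payload)   # seq keeps the nonce unique
    return {"hdr": dict(ip_header), "esp_hdr": esp_hdr, "ct": ciphertext,
            "icv": icv(AUTH_KEY, esp_hdr + ciphertext)}


def esp_open(pkt: dict):
    """Receiver: check the ICV before decrypting (encrypt-then-MAC), so a tampered
    packet is dropped without touching the cipher. Returns the payload, or None
    when authentication fails."""
    if not hmac.compare_digest(icv(AUTH_KEY, pkt["esp_hdr"] + pkt["ct"]), pkt["icv"]):
        return None
    return keystream_xor(ENC_KEY, pkt["esp_hdr"], pkt["ct"])


def nat_rewrites_source(pkt: dict, new_src: bytes) -> dict:
    """A NAT device on the path rewrites the outer source address (constructed)."""
    pkt["hdr"]["src"] = new_src
    return pkt


if __name__ == "__main__":
    data = b"payroll record 42"
    nat_addr = bytes([203, 0, 113, 7])        # documentation range, constructed
    ah = ah_protect(R1_TO_R2, data)
    print("AH payload readable on the wire:", ah["payload"] == data)
    print("AH still verifies after NAT:", ah_verify(nat_rewrites_source(ah, nat_addr)))
    esp = esp_protect(R1_TO_R2, data, spi=0x1000, seq=1)
    print("ESP payload readable on the wire:", esp["ct"] == data)
    print("ESP still verifies after NAT:", esp_open(nat_rewrites_source(esp, nat_addr)) == data)
```

Run stand-alone, the script shows the slide's two properties directly: with AH the payload is readable by anyone on the path, and with ESP it is not. The NAT case adds the practical caveat that the slide does not state: because AH's ICV covers the outer addresses, a NAT rewriting them makes every AH packet fail verification at R2, while ESP's ICV does not include the outer header and the packet still opens. This is why NAT traversal for IPsec is built around ESP (UDP-encapsulated, RFC 3948) rather than AH.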

