Sunday, 17 July 2011

Teleworker Services, DSL, VPN



The figure shows an encrypted VPN tunnel connecting the teleworker to the corporate network. This is the heart of secure and reliable teleworker connections. A VPN is a private data network that uses the public telecommunication infrastructure. VPN security maintains privacy using a tunneling protocol and security procedures. 



Teleworkers require a connection to an ISP to access the Internet. ISPs offer various connection options. The main connection methods used by home and small business users are:

  • Dialup access - An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option.
  • DSL - Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet.
  • Cable modem - Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television.
  • Satellite - Offered by satellite service providers.



Cable

Accessing the Internet through a cable network is a popular option used by teleworkers to access their enterprise network. The cable system uses a coaxial cable that carries radio frequency (RF) signals across the network. Coaxial cable is the primary medium used to build cable TV systems. Most cable operators use satellite dishes to gather TV signals. Early systems were one-way, with cascading amplifiers placed in series along the network to compensate for signal loss. These systems used taps to couple video signals from the main trunks to subscriber homes via drop cables. 

Modern cable systems provide two-way communication between subscribers and the cable operator. Cable operators now offer customers advanced telecommunications services, including high-speed Internet access, digital cable television, and residential telephone service.


The electromagnetic spectrum encompasses a broad range of frequencies. 

Frequency is the rate at which current (or voltage) cycles occur, computed as the number of "waves" per second. Wavelength is the speed of propagation of the electromagnetic signal divided by its frequency in cycles per second. 

Radio waves, generally called RF, constitute a portion of the electromagnetic spectrum between approximately 1 kilohertz (kHz) through 1 terahertz. When users tune a radio or TV set to find different radio stations or TV channels, they are tuning to different electromagnetic frequencies across that RF spectrum. The same principle applies to the cable system. The cable TV industry uses a portion of the RF electromagnetic spectrum. Within the cable, different frequencies carry TV channels and data. At the subscriber end, equipment such as TVs, VCRs, and high-definition TV set-top boxes tune to certain frequencies that allow the user to view the channel or, using a cable modem, to receive high-speed Internet access.

A cable network is capable of transmitting signals on the cable in both directions at the same time. The two directions are named as follows:

  • Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers).
  • Upstream - The direction of the RF signal transmission from subscribers to the headend, also called the return or reverse path.



The Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs. DOCSIS defines the communications and operation support interface requirements for a data-over-cable system, and permits the addition of high-speed data transfer to an existing CATV system. Cable operators employ DOCSIS to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure. 
DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:

  • Physical layer - For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques.
  • MAC layer - Defines a deterministic access method, either time-division multiple access (TDMA) or synchronous code division multiple access (S-CDMA).

Plans for frequency allocation bands differ between North American and European cable systems. Euro-DOCSIS is adapted for use in Europe. The main differences between DOCSIS and Euro-DOCSIS relate to channel bandwidths.

Delivering services over a cable network requires different radio frequencies. Downstream frequencies are in the 50 to 860 MHz range, and the upstream frequencies are in the 5 to 42 MHz range. 

Two types of equipment are required to send digital modem signals upstream and downstream on a cable system:

  • Cable modem termination system (CMTS) at the headend of the cable operator
  • Cable modem (CM) on the subscriber end

A headend CMTS communicates with CMs located in subscriber homes. The headend is actually a router with databases for providing Internet services to cable subscribers. The architecture is relatively simple, using a mixed optical-coaxial network in which optical fiber replaces the lower bandwidth coaxial. 

A web of fiber trunk cables connects the headend to the nodes where optical-to-RF signal conversion takes place. The fiber carries the same broadband content for Internet connections, telephone service, and streaming video as the coaxial cable carries. Coaxial feeder cables originate from the node that carries RF signals to the subscribers. 




DSL

DSL is a means of providing high-speed connections over installed copper wires. The figure shows a representation of bandwidth space allocation on a copper wire for ADSL. The blue area identifies the frequency range used by the voice-grade telephone service, which is often referred to as the plain old telephone service (POTS). The other colored spaces represent the frequency space used by the upstream and downstream DSL signals.



The two basic types of DSL technologies are asymmetric (ADSL) and symmetric (SDSL). All forms of DSL service are categorized as ADSL or SDSL, and there are several varieties of each type. ADSL provides higher downstream bandwidth to the user than upload bandwidth. SDSL provides the same capacity in both directions. 

The transfer rates are dependent on the actual length of the local loop, and the type and condition of its cabling. For satisfactory service, the loop must be less than 5.5 kilometers (3.5 miles).

Service providers deploy DSL connections in the last step of a local telephone network, called the local loop or last mile. The connection is set up between a pair of modems on either end of a copper wire that extends between the customer premises equipment (CPE) and the DSL access multiplexer (DSLAM). A DSLAM is the device located at the central office (CO) of the provider and concentrates connections from multiple DSL subscribers. 





The figure shows the key equipment needed to provide a DSL connection to a SOHO. The two key components are the DSL transceiver and the DSLAM:


  • Transceiver - Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer.
  • DSLAM - Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby to the Internet.

The advantage that DSL has over cable technology is that DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does not impede performance, unless the DSLAM Internet connection to the ISP, or the Internet, becomes saturated. 

The major benefit of ADSL is the ability to provide data services along with POTS voice services. 

When the service provider puts analog voice and ADSL on the same wire, the provider splits the POTS channel from the ADSL modem using filters or splitters. This setup guarantees uninterrupted regular phone service even if ADSL fails. When filters or splitters are in place, the user can use the phone line and the ADSL connection simultaneously without adverse effects on either service.



There are two ways to separate ADSL from voice at the customer premises: using a microfilter or using a splitter.



A microfilter is a passive low-pass filter with two ends. One end connects to the telephone, and the other end connects to the telephone wall jack. This solution eliminates the need for a technician to visit the premises and allows the user to use any jack in the house for voice or ADSL service. In this solution, the user can install inline microfilters on each telephone, or install wall-mounted microfilters in place of regular telephone jacks.



POTS splitters separate the DSL traffic from the POTS traffic. The POTS splitter is a passive device. In the event of a power failure, the voice traffic still travels to the voice switch in the CO of the carrier. Splitters are located at the CO and, in some deployments, at the customer premises. At the CO, the POTS splitter separates the voice traffic, destined for POTS connections, and the data traffic destined for the DSLAM.





Broadband Wireless

Using 802.11 networking standards, data travels from place to place on radio waves. What makes 802.11 networking relatively easy to deploy is that it uses the unlicensed radio spectrum to send and receive data. The benefits of Wi-Fi extend beyond not having to use or install wired network connections. Wireless networking provides mobility. Wireless connections provide increased flexibility and productivity to the teleworker.

A hotspot is the area covered by one or more interconnected access points. Public gathering places, like coffee shops, parks, and libraries, have created Wi-Fi hotspots, hoping to increase business. By overlapping access points, hotspots can cover many square miles.

New developments in broadband wireless technology are increasing wireless availability. These include:

  • Municipal Wi-Fi
  • WiMAX
  • Satellite Internet

Most municipal wireless networks use a mesh topology rather than a hub-and-spoke model. A mesh is a series of access points (radio transmitters) as shown in the figure. Each access point is in range and can communicate with at least two other access points. The mesh blankets its area with radio signals. Signals travel from access point to access point through this cloud.

A meshed network has several advantages over single router hotspots. Installation is easier and can be less expensive because there are fewer wires. Deployment over a large urban area is faster. From an operational point of view, it is more reliable. If a node fails, others in the mesh compensate for it. 



WiMAX (Worldwide Interoperability for Microwave Access) is a telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular-type access. WiMAX operates at higher speeds, over greater distances, and for a greater number of users than Wi-Fi. Because of its higher speed (bandwidth) and falling component prices, it is predicted that WiMAX will soon supplant municipal mesh networks for wireless deployments.

A WiMAX network consists of two main components:

  • A tower that is similar in concept to a cellular telephone tower. A single WiMAX tower can provide coverage to an area as large as 3,000 square miles, or almost 7,500 square kilometers.
  • A WiMAX receiver that is similar in size and shape to a PCMCIA card, or built into a laptop or other wireless device.


A WiMAX tower station connects directly to the Internet using a high-bandwidth connection (for example, a T3 line).




Satellite Internet services are used in locations where land-based Internet access is not available, or for temporary installations that are continually on the move. Internet access using satellites is available worldwide, including for vessels at sea, airplanes in flight, and vehicles moving on land.

There are three ways to connect to the Internet using satellites: one-way multicast, one-way terrestrial return, and two-way.

  • One-way multicast satellite Internet systems are used for IP multicast-based data, audio, and video distribution.
  • One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite.
  • Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet. The satellite dish at each location needs precise positioning to avoid interference with other satellites.

Upload speeds are about one-tenth of the download speed, which is in the range of 500 kb/s. Two-way satellite Internet uses IP multicasting technology, which allows one satellite to serve up to 5,000 communication channels simultaneously.

The 802.16 (or WiMAX) standard allows transmissions up to 70 Mb/s, and has a range of up to 30 miles (50 km). It can operate in licensed or unlicensed bands of the spectrum from 2 to 6 GHz.

VPNs and Their Benefits

VPN technology enables organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security. Organizations use VPNs to provide a virtual WAN infrastructure that connects branch offices, home offices, business partner sites, and remote telecommuters to all or portions of their corporate network. To remain private, the traffic is encrypted. Instead of using a dedicated Layer 2 connection, such as a leased line, a VPN uses virtual connections that are routed through the Internet.



Data on a VPN is encrypted and undecipherable to anyone not entitled to have it. VPNs bring remote hosts inside the firewall, giving them close to the same levels of access to network devices as if they were in a corporate office. 

Consider these benefits when using VPNs:

  • Cost savings
  • Security - Advanced encryption and authentication protocols protect data from unauthorized access. 
  • Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. 


Types of VPNs

In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA). The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.



In a remote-access VPN, each host typically has VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.




Characteristics of a Secure VPN

The foundation of a secure VPN is data confidentiality, data integrity, and authentication:

  • Data confidentiality - A common security concern is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption. 
  • Data integrity - Receivers have no control over the path the data has traveled and therefore do not know if the data has been seen or handled while it journeyed across the Internet. There is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal that guarantees that no one has read the content, but it is more robust.
  • Authentication - Authentication ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.


VPN Tunneling

Tunneling allows the use of public networks like the Internet to carry data for users as though the users had access to a private network. Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network. This figure lists the three classes of protocols that tunneling uses.



This figure illustrates an e-mail message traveling through the Internet over a VPN connection. PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet. GRE is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. In the figure, the outer packet source and destination addressing is assigned to "tunnel interfaces" and is made routable across the network. Once a composite packet reaches the destination tunnel interface, the inside packet is extracted.
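To make the "packet within a packet" idea concrete, here is an added example (not code from the original page) that builds an inner IPv4 packet between two private hosts, wraps it in an outer IPv4 header plus a GRE header addressed to the tunnel interfaces, and then strips both again at the far end. The GRE header layout follows RFC 2784/2890; all addresses and the payload are constructed sample values.

```python
import struct

GRE_PROTO_IPV4 = 0x0800   # protocol type carried in the GRE header for IPv4
IP_PROTO_GRE = 47         # IP protocol number of GRE in the outer IP header


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; verifies to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by `payload`."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """[outer IP][GRE][inner IP packet]: the outer addresses are the tunnel
    interface addresses, which is all the public network routes on."""
    gre_hdr = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # no C/K/S flags, version 0
    return build_ipv4(tunnel_src, tunnel_dst, IP_PROTO_GRE, gre_hdr + inner_packet)


def gre_decapsulate(outer_packet: bytes) -> bytes:
    """Destination tunnel interface: strip outer IP and GRE, return the inner packet."""
    ihl = (outer_packet[0] & 0x0F) * 4
    if outer_packet[9] != IP_PROTO_GRE:
        raise ValueError("outer packet is not GRE")
    flags, proto = struct.unpack("!HH", outer_packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved field present
        gre_len += 4
    if flags & 0x2000:   # K bit: key present
        gre_len += 4
    if flags & 0x1000:   # S bit: sequence number present
        gre_len += 4
    if proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % proto)
    return outer_packet[ihl + gre_len:]


def outer_addresses(packet: bytes) -> tuple:
    """Source and destination of whichever IPv4 header starts the buffer."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return (".".join(map(str, src)), ".".join(map(str, dst)))


def sample_tunnel() -> tuple:
    """Constructed sample: private hosts 10.1.1.5 -> 10.2.2.7 carried over a
    tunnel between documentation addresses 203.0.113.1 and 198.51.100.2."""
    inner = build_ipv4("10.1.1.5", "10.2.2.7", 6, b"constructed e-mail payload")
    outer = gre_encapsulate(inner, "203.0.113.1", "198.51.100.2")
    return inner, outer


if __name__ == "__main__":
    inner, outer = sample_tunnel()
    print("outer", outer_addresses(outer), "inner", outer_addresses(inner))
    print("decapsulated matches inner:", gre_decapsulate(outer) == inner)
```

Note that nothing in this GRE example is encrypted or authenticated; that is exactly why the page pairs tunneling with the confidentiality and integrity mechanisms described in the following sections.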



VPN Data Integrity

If plain text data is transported over the public Internet, it can be intercepted and read. To keep the data private, it needs to be encrypted. VPN encryption encrypts the data and renders it unreadable to unauthorized receivers.

For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form. VPN encryption rules include an algorithm and a key.



The degree of security provided by any encryption algorithm depends on the length of the key. For any given key length, the time that it takes to try all of the possibilities to decrypt cipher text is a function of the computing power of the computer. Therefore, the shorter the key, the easier it is to break, but at the same time, the less work it takes to process the message.

Some of the more common encryption algorithms and the length of keys they use are as follows:

  • Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem.
  • Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
  • Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
  • Rivest, Shamir, and Adleman (RSA) - An asymmetric key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.

Symmetric Encryption

Encryption algorithms such as DES and 3DES require a shared secret key to perform encryption and decryption. Each of the two computers must know the key to decode the information. With symmetric key encryption, also called secret key encryption, each computer encrypts the information before sending it over the network to the other computer. Symmetric key encryption requires knowledge of which computers will be talking to each other so that the same key can be configured on each computer. 

For example, a sender creates a coded message where each letter is substituted with the letter that is two letters down in the alphabet; "A" becomes "C," and "B" becomes "D", and so on. In this case, the word SECRET becomes UGETGV. The sender has already told the recipient that the secret key is "shift by 2." When the recipient receives the message UGETGV, the recipient computer decodes the message by shifting back two letters and calculating SECRET.
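The "shift by 2" cipher above, as an added example (not part of the original page) that also shows why such a tiny key space is the weak case the key-length paragraph warns about: every one of the 25 possible keys can be tried in an instant.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter with the letter `key` places down the alphabet.
    Characters that are not letters pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same substitution with the shift reversed."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Try every possible key. With only 25 usable shifts the whole key
    space is exhausted at once; contrast 2**56 keys for DES or 2**128 for AES."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}


if __name__ == "__main__":
    coded = shift_encrypt("SECRET", 2)          # UGETGV, as in the text
    print(coded, "->", shift_decrypt(coded, 2))
    for key, candidate in brute_force(coded).items():
        print("key", key, candidate)
```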

The question is, how do the encrypting and decrypting devices both have the shared secret key? You could use e-mail, courier, or overnight express to send the shared secret keys to the administrators of the devices. Another easier and more secure method is asymmetric encryption.

Asymmetric Encryption

Asymmetric encryption uses different keys for encryption and decryption. Knowing one of the keys does not allow a hacker to deduce the second key and decode the information. One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key. 

Public key encryption is a variant of asymmetric encryption that uses a combination of a private key and a public key. The recipient gives a public key to any sender with whom the recipient wants to communicate. The sender uses a private key combined with the recipient's public key to encrypt the message. Also, the sender must share their public key with the recipient. To decrypt a message, the recipient will use the public key of the sender with their own private key.



Hashes contribute to data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages. A hash, also called a message digest, is a number generated from a string of text. The hash is smaller than the text itself. It is generated using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. 

The original sender generates a hash of the message and sends it with the message itself. The recipient decrypts the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, the recipient can be reasonably sure the integrity of the message has not been affected.



VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms. A keyed-hash message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message.

An HMAC has two parameters: a message input and a secret key known only to the message originator and intended receivers. The message sender uses an HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input. The message authentication code is sent along with the message. The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used, and compares the result with the received message authentication code. If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key. The cryptographic strength of the HMAC depends on the cryptographic strength of the underlying hash function, on the size and quality of the key, and on the size of the hash output in bits.

There are two common HMAC algorithms:

  • Message Digest 5 (MD5) - Uses a 128-bit shared secret key. The variable length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
  • Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key. The variable length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
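The hash-then-compare procedure and the HMAC computation described above, as an added example (not code from the original page). It uses Python's standard hashlib and hmac modules; the message and the shared key are constructed placeholder values. The point it adds is the difference between the two: a plain digest only catches accidental corruption, because whoever changes the message on the public path can recompute it, whereas an HMAC tag cannot be recomputed without the shared key.

```python
import hashlib
import hmac

# Constructed sample message, as one VPN peer might send it to the other.
MESSAGE = b"transfer 100 to account 42"
# Constructed shared secret known only to the two peers (placeholder value).
SHARED_KEY = b"example-psk-placeholder"


def plain_digest(message: bytes) -> str:
    """Unkeyed message digest: detects accidental corruption only."""
    return hashlib.sha1(message).hexdigest()


def verify_plain_digest(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def compute_mac(message: bytes, key: bytes, algo: str = "sha1") -> str:
    """HMAC: key and message are condensed together by the hash function.
    'md5' gives a 128-bit tag, 'sha1' a 160-bit tag, as the text states."""
    return hmac.new(key, message, getattr(hashlib, algo)).hexdigest()


def verify_mac(message: bytes, tag: str, key: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute with the same key and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    return hmac.compare_digest(compute_mac(message, key, algo), tag)


def integrity_checks() -> dict:
    """Walk through the cases a receiver cares about."""
    tag = compute_mac(MESSAGE, SHARED_KEY)
    altered = MESSAGE.replace(b"42", b"99")
    # A modifier on the path can recompute a plain digest over the altered text...
    forged_digest = plain_digest(altered)
    return {
        "plain_digest_accepts_altered": verify_plain_digest(altered, forged_digest),
        # ...but the HMAC tag was computed over the original message with the key.
        "hmac_accepts_original": verify_mac(MESSAGE, tag, SHARED_KEY),
        "hmac_rejects_altered": not verify_mac(altered, tag, SHARED_KEY),
        # A tag produced with a guessed key is rejected as well.
        "hmac_rejects_wrong_key": not verify_mac(MESSAGE, compute_mac(MESSAGE, b"guess"), SHARED_KEY),
    }


if __name__ == "__main__":
    for name, result in integrity_checks().items():
        print(name, result)
    print("HMAC-MD5 tag bits:", len(compute_mac(MESSAGE, SHARED_KEY, "md5")) * 4)
    print("HMAC-SHA1 tag bits:", len(compute_mac(MESSAGE, SHARED_KEY, "sha1")) * 4)
```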

When conducting business long distance, it is necessary to know who is at the other end of the phone, e-mail, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. There are two peer authentication methods:

  • Pre-shared key (PSK) - A secret key that is shared between the two parties using a secure channel before it needs to be used. PSKs use symmetric key cryptographic algorithms. A PSK is entered into each peer manually and is used to authenticate the peer. At each end, the PSK is combined with other information to form the authentication key.
  • RSA signature - Uses the exchange of digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine.



IPsec Security Protocols

IPsec is a protocol suite for securing IP communications that provides encryption, integrity, and authentication. There are two main IPsec framework protocols.

  • Authentication Header (AH) - Used when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies that any message passed from R1 to R2 has not been modified during transit. It also verifies that the origin of the data was either R1 or R2. AH does not provide data confidentiality (encryption) of packets. Used alone, the AH protocol provides weak protection.
  • Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet. IP packet encryption conceals the data and the identities of the source and destination. ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.


1 comment:

  1. Thanks for sharing such great information. I really appreciate your work. I shared this link with my Facebook friends as well as on Digg and Twitter; this info helps everyone.

    PPTP VPN
