
Sunday, 24 February 2019

Brief description of WAN Technologies


WAN Technologies Internet Access and Security Protocols


·         WAN Technologies
·         Switching Methods
·         Packet Switching
·         Circuit Switching
·         Integrated Services Digital Network (ISDN)
·         BRI
·         PRI
·         Fiber Distributed Data Interface (FDDI)
·         T-carrier Lines
·         SONET/OC-x Levels
·         X.25
·         Internet Access Technologies
·         xDSL Internet Access
·         Cable Internet Access
·         Broadband Security Considerations
·         POTS/PSTN (Plain Old Telephone Service/Public Switched Telephone Network)
·         Satellite Internet Access
·         Wireless Internet Access
·         Remote Access Protocols and Services
·         Remote Access Service (RAS)
·         SLIP
·         PPP
·         PPTP
·         Virtual Private Networks
·         Remote Desktop Protocol
·         Security Protocols
·         IP Security (IPSec)
·         Layer 2 Tunneling Protocol (L2TP)
·         Secure Sockets Layer (SSL)
·         WEP
·         WPA
·         802.1x
·         Authentication Protocols
·         Remote Authentication Dial-In User Service (RADIUS)
·         Kerberos
Many technologies are used to create today's wide area networks (WANs). Each of these technologies has advantages and disadvantages, making some of them well suited for certain environments and completely impractical in others. Each of the technologies varies in terms of media, speed, availability, and cost. This tutorial examines various WAN technologies and the protocols used to secure and establish the connections.
WAN Technologies
Many of today's network environments are not restricted to a single location or LAN. Instead, many of these networks span great distances, becoming wide area networks (WANs). When they do, hardware and software are needed to connect these networks. This section reviews the characteristics of various WAN technologies. Before we go on to discuss the specific WAN technologies, we must first look at an important element of all of them: switching methods.

Switching Methods
In order for systems to communicate on a network, there has to be a communication path, or multiple paths, over which the data can travel. These paths move the information from one location to another and back so that one entity can communicate with another. This is the function of switching. Switching provides communication pathways between two endpoints and manages how data flows between those endpoints. Two of the more common switching methods used today include:
  • Packet switching
  • Circuit switching

Packet Switching

In packet switching, messages are broken down into smaller pieces called packets. Each packet is assigned source, destination, and intermediate node addresses. Packets are required to have this information because they do not always use the same path or route to get to their intended destination. Referred to as independent routing, this is one of the advantages of packet switching. Independent routing allows for a better use of available bandwidth by letting packets travel different routes to avoid high-traffic areas. Independent routing also allows packets to take an alternate route if a particular route is unavailable for some reason.
In a packet-switching system, when packets are sent onto the network, the sending device is responsible for choosing the best path for each packet. This path might change in transit, and it is possible for the receiving device to receive the packets in a random or nonsequential order. When this happens, the receiving device waits until all the data packets are received, and then it reconstructs them according to their built-in sequence numbers.
Two types of packet-switching methods are used on networks: virtual-circuit packet switching and datagram packet switching.
·         Virtual-Circuit Packet Switching: When virtual-circuit switching is used, a logical connection is established between the source and the destination device. This logical connection is established when the sending device initiates a conversation with the receiving device. The logical communication path between the two devices can remain active for as long as the two devices are available, or it can be used to send packets once. After the sending process has completed, the line can be closed.
·         Datagram Packet Switching: Unlike virtual-circuit packet switching, datagram packet switching does not establish a logical connection between the sending and receiving devices. The packets in datagram packet switching are sent independently, meaning that they can take different paths through the network to reach their intended destination. To make this possible, each packet must be individually addressed with its source and destination. This method lets packets take the easiest possible routes to their destination and avoid high-traffic areas.
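The receiver-side behaviour described above (datagrams arriving out of order, buffered until every sequence number is present) as an added illustration; this is example code written for this page, not code from the original text, and the Datagram fields and the shuffle that stands in for independent routing are constructed assumptions.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Datagram:
    """Constructed datagram: addressing plus the sequencing fields the
    receiver needs to put the message back together."""
    src: str
    dst: str
    seq: int        # position of this piece within the message
    total: int      # how many pieces make up the whole message
    payload: bytes


def fragment(message: bytes, src: str, dst: str, size: int) -> List[Datagram]:
    """Sender side: break a message into datagrams of at most `size` bytes."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)]
    return [Datagram(src, dst, seq, len(chunks), chunk)
            for seq, chunk in enumerate(chunks)]


def deliver_out_of_order(packets: List[Datagram], seed: int = 7) -> List[Datagram]:
    """Stand-in for independent routing: each datagram takes its own path,
    so the arrival order is a shuffle of the sending order (assumption)."""
    order = list(packets)
    random.Random(seed).shuffle(order)
    return order


class Reassembler:
    """Receiver side: buffer whatever arrives, keyed by sender, and release
    the message only once every sequence number is present."""

    def __init__(self) -> None:
        self.pending: Dict[str, Dict[int, Datagram]] = {}

    def receive(self, dg: Datagram) -> Optional[bytes]:
        """Return the full message when this datagram completes it, else None."""
        buf = self.pending.setdefault(dg.src, {})
        if dg.seq in buf:               # duplicate that took a second path
            return None
        buf[dg.seq] = dg
        if len(buf) < dg.total:         # still waiting for stragglers
            return None
        del self.pending[dg.src]
        return b"".join(buf[i].payload for i in range(dg.total))
```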

Circuit Switching

In contrast to the packet-switching method, circuit switching requires a dedicated physical connection between the sending and receiving devices. The most commonly used analogy to represent circuit switching is a telephone conversation in which the parties involved have a dedicated link between them for the duration of the conversation. When either party disconnects, the circuit is broken and the data path is lost. This is an accurate representation of how circuit switching works with network and data transmissions. The sending system establishes a physical connection, the data is transmitted between the two, and when the transmission is complete, the channel is closed.
Some clear advantages to the circuit-switching technology make it well suited for certain applications. The primary advantage is that after a connection is established, there is a consistent and reliable connection between the sending and receiving device. This allows for transmissions at a guaranteed rate of transfer.
Like all technologies, circuit switching has downsides. As you might imagine, a dedicated communication line can be very inefficient. After the physical connection is established, it is unavailable to any other sessions until the transmission is complete. Again, using the phone call analogy, this would be like a caller trying to reach another caller and getting a busy signal. Circuit switching can therefore be fraught with long connection delays.

Integrated Services Digital Network (ISDN)

ISDN has long been an alternative to the slower modem WAN connections but at a higher cost. ISDN allows the transmission of voice and data over the same physical connection.
ISDN connections are considerably faster than regular modem connections. To access ISDN, a special phone line is required, and this line is usually paid for through a monthly subscription. You can expect these monthly costs to be significantly higher than those for traditional dial-up modem connections.
To establish an ISDN connection, you dial the number associated with the receiving computer, much as you do with a conventional phone call or modem dial-up connection. A conversation between the sending and receiving devices is then established. The connection is dropped when one end disconnects or hangs up. The line pickup of ISDN is very fast, allowing a connection to be established, or brought up, much more quickly than a conventional phone line.
ISDN has two defined interface standards: Basic Rate Interface (BRI) and Primary Rate Interface (PRI).

BRI

BRI ISDN uses three separate channels: two bearer (B) channels of 64Kbps each and a delta (D) channel of 16Kbps. B channels can be divided into 4 D channels, which allows businesses to have 8 simultaneous Internet connections. The B channels carry the voice or data, and the D channels are used for signaling.
The two B channels can be used independently as 64Kbps carriers, or they can be combined to provide 128Kbps transfer speeds.

PRI

PRI is a form of ISDN that is generally carried over a T1 line and can provide transmission rates of up to 1.544Mbps. PRI is composed of 23 B channels, each providing 64Kbps for data/voice capacity, and one 64Kbps D channel, which is used for signaling. Table 1 compares BRI and PRI ISDN.
Table 1 BRI and PRI ISDN Comparison
Characteristic          PRI          BRI
Speed                   1.544Mbps    128Kbps
Channels                23B+D        2B+D
Transmission carrier    T1           ISDN

Fiber Distributed Data Interface (FDDI)

FDDI is an American National Standards Institute (ANSI) topology standard that uses fiber-optic cable and token-passing media access.
FDDI is implemented using both multimode and single-mode fiber cable and can reach transmission speeds of up to 100Mbps at distances of more than 2 kilometers. FDDI combines the strengths of Token Ring, the speed of Fast Ethernet, and the security of fiber-optic cable. Such advantages make FDDI a strong candidate for creating network backbones and connecting private LANs to create MANs and WANs.
Unlike the regular 802.5 network standard, FDDI uses a dual-ring configuration. The first, or primary, ring is used to transfer the data around the network, and the secondary ring is used for redundancy and fault tolerance; the secondary ring waits to take over if the primary ring fails. If the primary ring fails, the secondary ring kicks in automatically, with no disruption to network users.
FDDI has a few significant advantages, some of which stem directly from the fact that it uses fiber-optic cable as its transmission media. These include resistance to EMI, the security offered by fiber, and the longer distances available with fiber cable. In addition to the advantages provided by the fiber-optic cable, FDDI itself has a few strong points, including:
·         Fault-tolerant design: By using a dual-ring configuration, FDDI provides some fault tolerance. If one cable fails, the other can be used to transmit the data throughout the network.
·         Speed because of the use of multiple tokens: Unlike the IEEE 802.5 standard, FDDI uses multiple tokens, which increase the overall network speed.
·         Beaconing: FDDI uses beaconing as a built-in error-detection method, making faults such as cable breaks a lot easier to find.
Like every technology, there are always a few caveats:
·         High cost: The devices and cable needed to implement an FDDI solution are very expensive; too expensive for many small organizations.
·         Implementation difficulty: FDDI setup and management can be very complex, requiring trained professionals with significant experience to manage and maintain the cable and infrastructure.
T-carrier Lines
T-carrier lines are high-speed dedicated digital lines that can be leased from telephone companies. This creates an always open, always available line between you and whomever you choose to connect to when you establish the service. T-carrier lines can support both voice and data transmissions and are often used to create point-to-point private networks. Because they are a dedicated link, they can be a costly WAN option. Four types of T-carrier lines are available:
  • T1: T1 lines offer transmission speeds of 1.544Mbps, and they can create point-to-point dedicated digital communication paths. T1 lines have commonly been used for connecting LANs.
  • T2: T2 leased lines offer transmission speeds of 6.312Mbps. They accomplish this by using 96 64Kbps B channels.
  • T3: T3 lines offer transmission speeds of up to 44.736Mbps, using 672 64Kbps B channels.
  • T4: T4 lines offer impressive transmission speeds of up to 274.176Mbps by using 4,032 64Kbps B channels.
Of these T-carrier lines, the ones commonly associated with networks.
It is important to point out that T-carrier is the designation for the technology used in the United States and Canada. In Europe, the equivalents are referred to as E-carriers, and in Japan, J-carriers. Table 2 shows the T/E/J carriers.
Table 2 Comparing T/E/J Carriers
Name     Transmission Speed
T-1      1.544Mbps
T-1C     3.152Mbps
T-2      6.312Mbps
T-3      44.736Mbps
T-4      274.176Mbps
J-0      64Kbps
J-1      1.544Mbps
J-1C     3.152Mbps
J-2      6.312Mbps
J-3      32.064Mbps
J-3C     97.728Mbps
J-4      397.200Mbps
E-0      64Kbps
E-1      2.048Mbps
E-2      8.448Mbps
E-3      34.368Mbps
E-4      139.264Mbps
E-5      565.148Mbps

SONET/OC-x Levels

Bell Communications Research developed SONET, a fiber-optic WAN technology that delivers voice, data, and video at speeds in multiples of 51.84Mbps. Bell's main goals in creating SONET were to create a standardized access method for all carriers and to unify different standards around the world. SONET is capable of transmission speeds between 51.84Mbps and 2.488Gbps.
One of Bell's biggest accomplishments with SONET was to create a new system that defined data rates in terms of Optical Carrier (OC) levels, as shown in Table 3.
Table 3 OC Levels and Transmission Rates
OC Level Transmission Rate
OC-1 51.84Mbps
OC-3 155.52Mbps
OC-12 622.08Mbps
OC-24 1.244Gbps
OC-48 2.488Gbps
OC-192 9.953Gbps

X.25

One of the older WAN technologies is X.25, which is a packet-switching technology. Today, X.25 is not as widely implemented as it once was. X.25's veteran status is both its greatest advantage and its greatest disadvantage. On the upside, X.25 is a global standard that can be found in many places. On the downside, X.25 had an original maximum transfer speed of 56Kbps, which was fast compared to other technologies in the mid-1970s but is almost unusable for most applications on today's networks. In the 1980s a digital version of X.25 was released, increasing throughput to a maximum of 64Kbps. This too is slow by today's standards.
Because X.25 is a packet-switching technology, it uses different routes to get the best possible connection between the sending and receiving device at a given time. As conditions on the network change, such as increased network traffic, so do the routes that the packets take. Consequently, each packet is likely to take a different route to reach its destination during a single communication session. The devices that make it possible to use X.25 service are called packet assemblers/disassemblers (PADs). A PAD is required at each end of the X.25 connection. Table 4 compares the various WAN technologies reviewed in this chapter.
Table 4 Comparing WAN Technologies
ISDN
  Speed: BRI: 64Kbps to 128Kbps; PRI: 64Kbps to 1.5Mbps
  Supported media: Copper/fiber-optic
  Switching method used: Can be used for circuit-switching or packet-switching connections
  Key characteristics: ISDN can be used to transmit all types of traffic, including voice, video, and data. BRI uses 2B+D channels, PRI uses 23B+D channels. B channels are 64Kbps. ISDN uses the public network and requires dial-in access.
T-carrier (T1, T3)
  Speed: T1: 1.544Mbps; T3: 44.736Mbps
  Supported media: Copper/fiber-optic
  Switching method used: Circuit switching
  Key characteristics: T-carrier is used to create point-to-point network connections for private networks.
FDDI
  Speed: 100Mbps
  Supported media: Fiber-optic
  Switching method used: N/A
  Key characteristics: Uses a dual-ring configuration for fault tolerance. Uses a token-passing media-access method. Uses beaconing for error detection.
X.25
  Speed: 56Kbps/64Kbps
  Supported media: Copper/fiber-optic
  Switching method used: Packet switching
  Key characteristics: X.25 is limited to 56Kbps. X.25 provides a packet-switching network over standard phone lines.
SONET/OC-x
  Speed: 51.8Mbps to 2.4Gbps
  Supported media: Fiber-optic
  Switching method used: N/A
  Key characteristics: SONET defines synchronous data transfer over optical cable.

Internet Access Technologies
Internet access has become an integral part of modern business. There are several ways to obtain Internet access. The type chosen will often depend on the cost as well as on what technologies are available in the area where you are located. This section explores some of the more common methods of obtaining Internet access.

xDSL Internet Access
DSL is an Internet access method that uses a standard phone line to provide high-speed Internet access. DSL is most commonly associated with high-speed Internet access; because it is less expensive than technologies such as ISDN, it is often used in homes and small businesses. With DSL, different frequencies are used for the digital and analog signals, which means that you can talk on the phone while you're uploading data.
DSL arrived on the scene in the late 1990s, and it brought with it a staggering number of flavors. Together, all these variations are known as xDSL:
  • Asymmetric DSL (ADSL): Probably the most common of the DSL varieties is ADSL. ADSL uses different channels on the line: One channel is used for POTS and is responsible for analog traffic, the second channel is used to provide upload access, and the third channel is used for downloads. With ADSL, downloads are faster than uploads.
  • Symmetric DSL (SDSL): SDSL offers the same speeds for uploads and for downloads, making it most suitable for business applications such as Web hosting, intranets, and e-commerce. It is not widely implemented in the home/small business environment and cannot share a phone line.
  • ISDN DSL (IDSL): ISDN DSL is a symmetric type of DSL that is commonly used in environments where SDSL and ADSL are unavailable. IDSL does not support analog phones.
  • Rate Adaptive DSL (RADSL): RADSL is a variation on ADSL that can modify its transmission speeds based on the signal quality. RADSL supports line sharing.
  • Very High Bit Rate DSL (VHDSL): VHDSL is an asymmetric version of DSL and, as such, can share a telephone line.
  • High Bit Rate DSL (HDSL): HDSL is a symmetric technology that offers identical transmission rates in both directions. HDSL does not allow line sharing with analog phones.
Why are there so many DSL variations? The answer is quite simply that each flavor of DSL is aimed at a different user, business, or application.
Businesses with high bandwidth needs are more likely to choose a symmetric form of DSL, whereas budget-conscious environments such as home offices are likely to opt for an option that allows phone line sharing at the expense of bandwidth. In addition, some of the DSL variants are simply older technologies. While the name persists, they have been replaced with newer DSL implementations. When you're working in a home/small office environment, you should expect to work with an ADSL system.
Table 5 summarizes the maximum speeds of the various DSL options. Keep in mind that maximum speeds are rarely obtained.
Table 5 DSL Speeds
DSL Variation    Upload Speed    Download Speed
ADSL             1Mbps           8Mbps
SDSL             1.5Mbps         1.5Mbps
IDSL             144Kbps         144Kbps
RADSL            1Mbps           7Mbps
VHDSL            1.6Mbps         13Mbps
HDSL             768Kbps         768Kbps

Cable Internet Access

Cable Internet access is an always-on Internet access method that is available in areas that have digital cable television. Cable Internet access is attractive to many small businesses and home office users because it is both inexpensive and reliable. Most cable providers do not restrict how much use is made of the access. Connectivity is achieved by using a device called a cable modem; it has a coaxial connection for connecting to the provider's outlet and an Unshielded Twisted Pair (UTP) connection for connecting directly to a system or to a hub or switch.
Cable providers often supply a cable modem free of charge, although of course you are paying for the rental of the modem in a monthly service fee. Many cable providers offer free or low-cost installation of cable Internet service, which includes installing a network card in a PC. Some providers also do not charge for the network card. Cable Internet costs are comparable to DSL subscription.
Most cable modems supply a 10Mbps Ethernet connection for the home LAN, although you wouldn't expect the actual Internet connection to reach these speeds. The actual speed of the connection can vary somewhat depending on the utilization of the shared cable line in your area. In day-to-day application, data rates range from 1.5Mbps to 3Mbps.
One of the biggest disadvantages of cable access is cited (by DSL providers at least) as the fact that you share the available bandwidth with everyone else in your cable area. As a result, during peak times, performance of a cable link might be poorer than in low-use periods. In residential areas, busy times are evenings and weekends, and particularly right after school. In general, though, performance with cable systems is good, and in low-usage periods, it can be very fast.

Broadband Security Considerations

Whether you are using DSL or cable Internet access, there are a few things to keep in mind. Each of these technologies offers always-on service. This means that even when you are away from your computer, it is still on the Internet. As you can imagine, this creates a security risk: the longer you are online, the more chance someone has of remotely accessing your system.
The operating systems we use today all have some security holes that some people are waiting to exploit. These attacks often focus on technologies such as email or open TCP/UDP ports. Combining OS security holes with an always-on Internet technology is certainly a dangerous mix.
Today, DSL and cable Internet connections have to be protected by mechanisms such as firewalls. A firewall system offers features such as packet filtering and network address translation (NAT). The firewall can be a third-party software application installed on the system, or it can be a hardware device.
In addition to a firewall, it is equally important to ensure that the operating system you are using is completely up-to-date in terms of service packs and security updates. Today's client systems typically offer automatic update features that alert you when a new security update is available.
If a few safety rules are followed, both DSL and cable Internet can provide safe Internet access. We just have to be diligent about security.
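The packet filtering and NAT that the section says a firewall should provide on an always-on link, shown as an added example (hypothetical code written for this page, not any vendor's firewall): traffic the LAN opens is translated and remembered, replies are let back in, and an unsolicited connection attempt at an open port is dropped and logged. The addresses, ports and the Packet fields are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed packet header: only the fields a filter looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp" or "udp"
    new_conn: bool = False  # TCP SYN, i.e. an attempt to open a connection


class BroadbandFirewall:
    """Stateful packet filter with port-based NAT, modelled on the router
    that sits between a LAN and an always-on DSL/cable link (assumption)."""

    def __init__(self, wan_ip: str, lan_prefix: str) -> None:
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        self.next_port = 40000
        # NAT state: (wan_port, proto, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.state: Dict[Tuple[int, str, str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def process(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet to forward, or None if it is dropped."""
        if pkt.src.startswith(self.lan_prefix):
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> Packet:
        # Traffic from the LAN is allowed; remember the flow so the reply can
        # come back, and rewrite the source to the single public WAN address.
        for key, lan in self.state.items():
            if lan == (pkt.src, pkt.sport) and key[1:] == (pkt.proto, pkt.dst, pkt.dport):
                wan_port = key[0]
                break
        else:
            wan_port = self.next_port
            self.next_port += 1
            self.state[(wan_port, pkt.proto, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.wan_ip, wan_port, pkt.dst, pkt.dport, pkt.proto, pkt.new_conn)

    def _inbound(self, pkt: Packet) -> Optional[Packet]:
        # Only packets answering a flow the LAN opened are translated back and
        # forwarded. An unsolicited connection attempt at an open port is the
        # exposure an always-on link creates, so it is dropped and logged.
        lan = self.state.get((pkt.dport, pkt.proto, pkt.src, pkt.sport))
        if lan is None or pkt.new_conn:
            self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {self.wan_ip}:{pkt.dport}")
            return None
        return Packet(pkt.src, pkt.sport, lan[0], lan[1], pkt.proto, pkt.new_conn)
```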

POTS/PSTN (Plain Old Telephone Service/Public Switched Telephone Network)

The most popular means of connecting to the Internet or a remote network might still be the good old telephone line and modem.
Internet access through a phone system requires two things: a modem and a dial-up access account through an ISP. Modems are devices that convert the digital signals generated by a computer system into analog signals that can travel across a phone line. A computer can have either an internal or external modem. External modems tend to be less problematic to install and troubleshoot because they don't require reconfiguration of the host system. Internal modems use one of the serial port assignments (that is, a COM port) and must therefore be configured not to conflict with other devices.
The second piece of the puzzle, the dial-up ISP account, can easily be obtained by contacting one of the many local, regional, or national ISPs. Most ISPs offer a range of plans that are normally priced based on the amount of time the user is allowed to spend online. Almost without exception, ISPs offer 56Kbps access, the maximum possible under current standards. Most ISPs also provide email accounts, access to newsgroup servers, and often small amounts of Web space.
It is a good idea to research an ISP choice carefully. Free services exist, but they generally restrict users to a certain number of online hours per month or use extensive banner advertising to pay for the services. Normally, you pay a monthly service fee for an ISP; doing so provides a degree of reassurance because the ISP can be held accountable. Paid-for service also tends to provide a higher level of support.
Another big consideration for dial-up Internet access is how many lines the ISP has. ISPs never have the same number of lines as subscribers; instead, they work on a first-come, first-served basis for dial-up clients. This means that on occasion, users get busy signals when they try to connect. Before signing up for a dial-up Internet access account, you should ask the company what its ratio of lines to subscribers is and use that figure as part of your comparison criteria.

Satellite Internet Access

Many of us take DSL and cable Internet access for granted, but these technologies are not offered everywhere. For areas where cheaper broadband options are not available, there are a limited number of Internet options. One of the primary ones is Internet via satellite.
Satellite access provides a viable Internet access solution for those who cannot get other methods of broadband. Satellite Internet offers an always-on connection with theoretical speeds advertised anywhere from 512Kbps upload speeds to 2048Kbps download speeds, considerably faster than a 56k dial-up connection. One of the primary drawbacks to satellite Internet is the cost, and even with the high price tag, it is not as fast as DSL or cable modem.
Although satellite Internet is slower and more costly than DSL or cable, it offers some very attractive features, the first of which has to be its portability. Quite literally, wherever you go, you can have Internet access. For businesses with remote users and clients, the benefit of this is clear. But the technology has far-reaching impact; it is not uncommon to see RVs with a satellite dish on the roof. They have 24/7 unlimited access to the Internet as they travel.
There are many companies offering satellite Internet services, and a quick Internet search will reveal many. These Internet providers offer different Internet packages that vary greatly in terms of price, access speeds, and service. Some target business, whereas others are aiming for the private market.
Two different types of broadband Internet satellite services are deployed: one-way and two-way systems. A one-way satellite system requires a satellite card and a satellite dish installed at the end user's site; this system works by sending outgoing requests on one link using a phone line, with inbound traffic returning on the satellite link. A two-way satellite system, on the other hand, provides data paths for both upstream and downstream data. Like a one-way system, a two-way system also uses a satellite card and a satellite dish installed at the end user's site; bidirectional communication occurs directly between the end user's node and the satellite.
Home satellite systems are asymmetric; that is, download speeds are faster than upload speeds. In fact, a home satellite system is likely to use a modem for the upline traffic, with downloads coming over the satellite link. The exact speeds you can expect with satellite Internet depend on many factors. As with other wireless technologies, atmospheric conditions can significantly affect the performance of satellite Internet access. One additional consideration for satellite Internet is increased propagation time, the time it takes for the signal to travel back and forth from the satellite. In networking terms, this time is very high and an important consideration for business applications.

Wireless Internet Access

Not too long ago, it would have been inconceivable to walk into your local coffee shop with your laptop under your arm and surf the Web while drinking a latte. Putting aside the fact that beverages and laptops don't mix, wireless Internet access is everywhere and increasing.
Wireless Internet access is provided by a Wireless Internet Service Provider (WISP). The WISP provides public wireless Internet access known as hotspots. Hotspots provide Internet access for mobile network devices such as laptops, handheld computers, and cell phones in airports, coffee shops, conference rooms, and so on. A hotspot is created using one or many wireless access points near the hotspot location.
Some client systems might need to install special application software for billing and security purposes; others require no configuration other than obtaining the network name (SSID). Hotspots do not always require a fee for service, as companies use them as a marketing tool to lure Internet users to their businesses.
As of today, hotspots are not everywhere, but finding them is not difficult. Typically, airports, hotels, and coffee shops will advertise that they offer Internet access for customers or clients. In addition, WISP providers list their hotspot sites online so that they are easily found.
Establishing a connection to a wireless hotspot is a straightforward process. If not equipped with built-in wireless capability, laptops will require an external wireless adapter card. With the physical requirements of the wireless card taken care of, connect as follows:
1.   When you arrive at the hotspot site, power up your laptop. In some instances, you might need to reboot your system if it was on standby to clear out old configuration settings.
2.   The card might detect the network automatically. If this is the case, configuration settings, such as the SSID, will be automatically detected, and the wireless Internet will be available. If Internet access is free, there is little else to do; if it is a paid-for service, you will need to enter a method of payment. One thing to remember is to verify that you are using encryption for secure data transfer.
3.   If for some reason the wireless settings are not automatically detected, you will need to open up your wireless NIC's configuration utility and set the configuration manually. These settings can include setting the mode to infrastructure, inputting the correct SSID, and setting the level of encryption used.
In addition to using a WISP, some companies such as hotels and cafes will provide wireless Internet access by connecting a wireless router to a DSL or cable Internet connection. The router becomes the wireless access point to which the users connect, and it allows clients to connect to the Internet through the broadband connection. The technology is based on the 802.11 standards, typically 802.11b/g, and client systems require only an internal or external wireless adapter.

Remote Access Protocols and Services

Today, there are many ways to establish remote access into networks. Some of these include such things as virtual private networks (VPNs) or plain old modem dial-up access. Regardless of the technique used for remote access or the speed at which access is achieved, certain technologies need to be in place in order for the magic to happen. These technologies include the protocols to allow the access to the server and to secure the data transfer after the connection is established. Also necessary are methods of access control that make sure only authorized users are using the remote access features.
All the major operating systems include built-in support for remote access. They provide both the access methods and security protocols necessary to secure the connection and data transfers.

Remote Access Service (RAS)

RAS is a remote access solution included with Windows Server products. RAS is a feature-rich, easy-to-configure, and easy-to-use method of configuring remote access.
Any system that supports the appropriate dial-in protocols, such as PPP, can connect to a RAS server. Most commonly, the clients are Windows systems that use the dial-up networking feature; but any operating system that supports dial-up client software will work. Connection to a RAS server can be made over a standard phone line, using a modem, over a network, or via an ISDN connection.
RAS supports remote connectivity from all the major client operating systems available today, including all newer Windows OSs:
·         Windows 2000 Professional based clients
·         Windows XP Home based clients
·         Windows XP Professional based clients
·         UNIX-based/Linux clients
·         Macintosh-based clients
Although the system is called RAS, the underlying technologies that enable the RAS process are dial-up protocols such as Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP).

SLIP

SLIP was designed to allow data to be transmitted via Transmission Control Protocol/Internet Protocol (TCP/IP) over serial connections in a UNIX environment. SLIP did an excellent job, but time proved to be its enemy. SLIP was developed in an atmosphere in which security was not an overriding concern; consequently, SLIP does not support encryption or authentication. It transmits all the data used to establish a connection (username and password) in clear text, which is, of course, dangerous in today's insecure world.
In addition to its inadequate security, SLIP also does not provide error checking or packet addressing, so it can be used only in serial communications. It supports only TCP/IP, and log in is accomplished through a terminal window.
Many operating systems still provide at least minimal SLIP support for backward compatibility with older environments, but SLIP has been replaced by a newer and more secure alternative: PPP. SLIP is still used by some government agencies and large corporations in UNIX remote access applications, so you might come across it from time to time.

PPP

PPP is the standard remote access protocol in use today. PPP is actually a family of protocols that work together to provide connection services.
Because PPP is an industry standard, it offers interoperability between different software vendors in various remote access implementations. PPP provides a number of security enhancements compared to SLIP, the most important being its authentication protocols: with CHAP or MS-CHAP the password itself never crosses the link, only a challenge and a hashed response (PAP, however, still sends it in clear text). PPP allows remote clients and servers to negotiate data encryption methods and authentication methods and to support new technologies. PPP even gives administrators the ability to choose which local area network (LAN) protocol to use over a remote link: NetBIOS Extended User Interface (NetBEUI), NWLink (Internetwork Packet Exchange/Sequenced Packet Exchange, IPX/SPX), AppleTalk, or TCP/IP.
During the establishment of a PPP connection between the remote system and the server, the remote server needs to authenticate the remote user and does so by using the PPP authentication protocols. PPP accommodates a number of authentication protocols, and it's possible on many systems to configure more than one authentication protocol. The protocol used in the authentication process depends on the security configurations established between the remote user and the server. PPP authentication protocols include CHAP, MS-CHAP and MS-CHAPv2, EAP, SPAP, and PAP. Each of these authentication methods is discussed later in this chapter in the section on authentication protocols.
PPPoE (Point-to-Point Protocol over Ethernet) is a protocol used for connecting multiple network users on an Ethernet local area network to a remote site through a common device. For example, using PPPoE it is possible to have all users on a network share the same link such as a DSL, cable modem, or a wireless connection to the Internet. PPPoE is a combination of PPP and the Ethernet protocol, which supports multiple users in a local area network. Hence the name. The PPP protocol information is encapsulated within an Ethernet frame.
With PPPoE, a number of different users can share the same physical connection to the Internet, and in the process, PPPoE provides a way to keep track of individual user Internet access times. Because PPPoE allows for individual authenticated access to high-speed data networks, it is an efficient way to create a separate connection to a remote server for each user. This strategy allows Internet access and billing on a per-user basis rather than a per-site basis.
Users accessing PPPoE connections require the same information as required with standard dial-up phone accounts, including a username and password combination. As with a dial-up PPP service, an Internet service provider (ISP) will most likely automatically assign configuration information such as the IP address, subnet mask, default gateway, and DNS server.
There are two distinct stages in the PPPoE communication process: the discovery stage and the PPP session stage. The discovery stage has four steps to complete to establish the PPPoE connection: initiation (PADI), offer (PADO), request (PADR), and session confirmation (PADS). These steps represent back-and-forth communication between the client and the PPPoE access concentrator; the discovery stage itself carries no authentication, so the client simply takes an offer it receives. Once these steps have been negotiated and a session ID has been assigned, the PPP session can be established using the familiar PPP authentication protocols.
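The discovery exchange described above, as an added example that is not part of the original page: it builds and parses the RFC 2516 discovery frames (PADI, PADO, PADR, PADS) and walks both sides through the four steps, including the checks each side should make (Host-Uniq echoed back, AC-Cookie returned, non-zero session ID in PADS). The service name ISP-DSL, the access concentrator name ac-1, the cookie and the session ID are made-up values.

```python
"""PPPoE discovery stage (RFC 2516): build and parse PADI/PADO/PADR/PADS frames.
Added example; constants follow RFC 2516, names and values are constructed."""
import struct

PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_EOL, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0000, 0x0101, 0x0102, 0x0103, 0x0104
VER_TYPE = 0x11  # version 1 (upper nibble), type 1 (lower nibble), fixed by RFC 2516


def build_discovery(code, session_id, tags):
    """PPPoE header (ver/type, code, session id, payload length) followed by TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def parse_discovery(frame):
    """Return (code, session_id, [(tag_type, value), ...]); rejects truncated or malformed tags."""
    if len(frame) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    payload = frame[6:6 + length]
    if len(payload) != length:
        raise ValueError("payload length field exceeds frame")
    tags, off = [], 0
    while off + 4 <= len(payload):
        t, l = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + l > len(payload):
            raise ValueError("tag length exceeds payload")
        tags.append((t, payload[off:off + l]))
        off += l
        if t == TAG_EOL:
            break
    return code, session_id, tags


def simulate_discovery(service=b"ISP-DSL", host_uniq=b"\x00\x00\x00\x2a", assigned_session=0x0017):
    """Walk the four discovery steps with both sides' frames and the checks each side makes.
    Returns the session id the client will use for the PPP session stage."""
    # 1. Initiation: client broadcasts PADI (session id must be 0); Host-Uniq lets it match replies.
    padi = build_discovery(PADI, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    code, sid, tags = parse_discovery(padi)
    if code != PADI or sid != 0:
        raise ValueError("malformed PADI")

    # 2. Offer: the access concentrator answers with PADO, echoing Host-Uniq and adding an
    #    AC-Cookie so it need not allocate state until the client proves it can receive.
    cookie = b"\x13\x37\xca\xfe"  # constructed; a real AC derives it from the client MAC and a secret
    pado = build_discovery(PADO, 0, [(TAG_AC_NAME, b"ac-1"), (TAG_SERVICE_NAME, service),
                                     (TAG_AC_COOKIE, cookie), (TAG_HOST_UNIQ, host_uniq)])
    code, sid, tags = parse_discovery(pado)
    offer = dict(tags)
    if code != PADO or sid != 0 or offer.get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("PADO is not a reply to our PADI")

    # 3. Request: client picks one offer and sends PADR (unicast), returning the AC-Cookie.
    padr = build_discovery(PADR, 0, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq),
                                     (TAG_AC_COOKIE, offer[TAG_AC_COOKIE])])
    code, sid, tags = parse_discovery(padr)
    if dict(tags).get(TAG_AC_COOKIE) != cookie:
        raise ValueError("AC-Cookie missing or wrong; the AC would drop this PADR")

    # 4. Session confirmation: AC assigns a non-zero session id in PADS; from here PPP (LCP,
    #    then CHAP/PAP authentication) runs inside EtherType 0x8864 frames carrying that id.
    pads = build_discovery(PADS, assigned_session, [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)])
    code, sid, tags = parse_discovery(pads)
    if code != PADS or sid == 0 or dict(tags).get(TAG_HOST_UNIQ) != host_uniq:
        raise ValueError("malformed PADS")
    return sid
```

Nothing in these four frames is authenticated: any host on the same Ethernet segment can answer a PADI with its own PADO, and a client will happily start a PPP session with it. The user's credentials are protected only by whatever PPP authentication method follows (CHAP rather than PAP), and the traffic only by whatever runs above PPP, so the discovery stage is a reason to keep the access segment physically or logically isolated.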

PPTP

The function of the Point-to-Point Tunneling Protocol (PPTP) is to create a transmission tunnel between two points on a network. The tunneling functionality that PPTP provides forms the basis for creating multi-protocol virtual private networks (VPNs), which allow users to access remote networks through a tunneled connection. PPTP works in conjunction with PPP and, as such, uses PPP authentication methods including PAP, CHAP, and MS-CHAP.
To establish a PPTP session between a client and server, a TCP connection known as a PPTP control connection is required to create and maintain the communication tunnel. The PPTP control connection exists between the IP address of the PPTP client and the IP address of the PPTP server, using TCP port 1723 on the server and a dynamically assigned port on the client; the tunneled PPP frames themselves are carried in GRE (IP protocol 47), so any firewall in the path must permit both. It is the function of the PPTP control connection to pass the PPTP control and management messages used to maintain the PPTP communication tunnel between the remote system and the server. Once the PPTP connection is made, it provides a channel, or tunnel, using the original PPP connection between the devices. The confidentiality of that tunnel comes from Microsoft Point-to-Point Encryption (MPPE), whose keys are derived from the MS-CHAP exchange; because an MS-CHAPv2 handshake captured from the wire can be cracked offline, PPTP is now considered obsolete and should be replaced by L2TP/IPSec, native IPSec, or a TLS-based VPN wherever possible.

Virtual Private Networks

VPNs are one of the most popular methods of remote access. Essentially, a VPN extends a LAN by establishing a remote connection using a public network such as the Internet. A VPN provides a virtual point-to-point link between two points over a public IP network.
A VPN encapsulates encrypted data inside another datagram that carries the routing information needed to cross the public network. No dedicated circuit exists: the tunnel is a logical connection between the two endpoints that shares the public network with everyone else, which is exactly why its authentication and encryption matter. The encrypted data is encapsulated using protocols such as PPTP, L2TP, or IPSec, and that tunnel is used to deliver the data.
A VPN allows anyone with an Internet connection to use the infrastructure of the public network to dial in to the main network and access resources as if he or she were logged on to the network locally. It also allows two networks to be connected to each other securely. Once connected, data can be exchanged between networks. In this way, VPNs create a WAN.
Many elements are involved in establishing a VPN connection, including the following:
·         A VPN client: The VPN client is the computer that initiates the connection to the VPN server.
·         A VPN server: The VPN server authenticates connections from VPN clients.
·         An access method: As mentioned, a VPN is most often established over a public network such as the Internet; however, some VPN implementations use a private intranet. The network that is used must be IP based.
·         VPN protocols: Protocols are required to establish, manage, and secure the data over the VPN connection. PPTP and L2TP are commonly associated with VPN connections.
VPNs have become very popular because they allow the public Internet to be safely used as a wide area network (WAN) connectivity solution.

Remote Desktop Protocol

In a Windows environment, Terminal Services provides a way for a client system to connect to a server, such as Windows Server 2000/2003, and by using the Remote Desktop Protocol (RDP) run programs on the server as if they were local client applications. Such a configuration is known as thin client computing, whereby client systems use the resources of the server instead of their local processing power.
Originally, Terminal Services was available in remote administration mode or application server mode. Today, in Windows Server 2003, Terminal Services remote administration mode is no more as it has been replaced with the Remote Desktop feature.
Windows Server 2003 and XP Professional have built-in support for Remote Desktop Connections. The underlying protocol used to manage the connection is RDP. RDP is a low-bandwidth protocol used to send mouse movements, keystrokes, and bitmap images of the screen on the server to the client computer. In its basic form RDP does not transfer the application's data files over the connection, only screen updates and client input (clipboard, printer and drive redirection can be enabled separately). RDP listens on TCP port 3389; it should not be exposed directly to the Internet but reached through a VPN or a gateway, with strong authentication enforced.

Security Protocols

Any discussion of remote access is sure to include security, and for a good reason: Remote access opens your network to remote users. Although you'd like to think that only authorized users would try to connect from remote locations, the reality is that plenty of illegitimate users will also attempt to connect. Because many of the methods used to establish remote access run over public networks, securing the data you send and the points at which you connect is an important consideration. A significant element of this security is encryption.
Encryption is the process of encoding data so that it can be safely sent over remote connections. As well as the data itself, the usernames and passwords used to gain access to the remote network are also typically protected. In practical terms, encryption applies a mathematical algorithm to the data so that an unauthorized party who intercepts it cannot read it. The algorithm itself is public; what keeps the data secret is a separate value, the key, which is required to decrypt it. Symmetric techniques use one shared secret key at both ends; public key techniques use a key pair, where the public key can be shared freely and the private key must never be.

IP Security (IPSec)

IPSec was created by the Internet Engineering Task Force (IETF) and can be used on both IPv4 and IPv6 networks. It is designed to encrypt data and to authenticate the communicating hosts or gateways. IPSec encryption ensures that data on a network cannot be viewed, accessed, or modified by those who should not have access to it. IPSec provides security for both internal and external networks. It might seem that protection on an internal network is less necessary than on an external network; however, much of the data you send across networks has little or no protection, allowing unwanted eyes to access it.
IPSec provides several key security services:
·         Data verification and authentication: It verifies that the data received is from the intended source.
·         Protection from data tampering: It ensures that the data has not been tampered with or changed between the sending and receiving devices.
·         Private transactions: It ensures that the data sent between the sending and receiving devices is unreadable by any other device.
IPSec operates at the network layer of the Open Systems Interconnect (OSI) model and provides security for protocols that operate at higher layers of the OSI model. Thus, by using IPSec, you can secure practically all TCP/IP-related communications.

Layer 2 Tunneling Protocol (L2TP)

The Layer 2 Tunneling Protocol (L2TP) combines features of PPTP and Cisco's L2F technology. L2TP utilizes tunneling to deliver data but provides no encryption of its own; in practice it is run over IPSec (L2TP/IPSec). In that combination, authentication is a two-phase process: the IPSec layer first authenticates the computers (with certificates or a pre-shared key), and then PPP authenticates the user. Because the computers are authenticated and the IPSec traffic is integrity-protected, an attacker cannot intercept the data, change it, and return it to the user in what is known as a man-in-the-middle attack. L2TP/IPSec assures both parties that the data they are receiving is the data sent by the originator.
L2TP operates at the data-link layer, making it protocol independent. This means that an L2TP tunnel can carry protocols such as IPX and AppleTalk.
L2TP and PPTP are both tunneling protocols, so you might be wondering which you should use. Here is a quick list of some of the advantages of each, starting with PPTP:
·         PPTP has been around the longest; it offers more interoperability than L2TP.
·         PPTP is easier to configure than L2TP/IPSec, which typically relies on digital certificates.
·         PPTP has less overhead than L2TP.
The following are some of the advantages of L2TP:
·         L2TP/IPSec offers greater security than PPTP, because IPSec supplies standardized, strong encryption and integrity protection.
·         L2TP supports common public key infrastructure technology.
·         L2TP provides support for header compression.

Secure Sockets Layer (SSL)

SSL is a security protocol that is used on the Internet. Originally developed by Netscape for use with its Navigator browser, SSL uses public key cryptography to authenticate the server and establish a shared session key, and symmetric encryption under that key to protect the data. SSL provides three key services:
·         Server authentication: SSL allows a user to confirm a server's identity, through a certificate issued by an authority the client trusts. For example, you can use this ability when you are purchasing something online with a credit card but first want to verify the server's identity.
·         Client authentication: SSL allows a server to confirm a user's identity, through a client certificate. This functionality is often used when a server is sending sensitive information such as banking information or sensitive documents to a client system and wants to verify the client's identity.
·         Encrypted connections: It is possible to configure SSL to require all information sent between a client and a server to be encrypted by the sending software and decrypted by the receiving software. Doing this establishes private and secure communication between two devices. In addition, SSL has a mechanism to determine whether the data sent has been tampered with or altered in transit.
You can see SSL security on the Web when you access a secure uniform resource locator (URL). Secure websites begin with https:// instead of http://. Hypertext Transfer Protocol over SSL (HTTPS) connections require a browser with built-in security features to establish a secure connection. All versions of SSL itself are now deprecated; the protocol that performs these functions today is its successor, Transport Layer Security (TLS), and "SSL" in product names and configuration options usually means TLS.

WEP

WEP was the first attempt to keep wireless networks safe. WEP was designed to be easy to configure and implement. Originally, it was hoped that WEP would provide the same level of security to wireless networks as was available to wire. It was soon discovered that WEP had significant shortcomings.
WEP is part of the IEEE 802.11 standard, introduced in 1997, and was designed for securing 802.11 networks. With WEP enabled, each data frame transmitted over the wireless connection is encrypted. Originally, the shared secret key was 40 bits; the sender prepends a 24-bit initialization vector (IV), which is transmitted in the clear, to form a 64-bit seed for the RC4 stream cipher, and the frame plus a CRC-32 integrity check value is XORed with the resulting keystream before being sent across the airwaves. On the receiving end, the same seed regenerates the keystream and the frame is recovered. Later products offered "128-bit" WEP, which is a 104-bit key plus the same 24-bit IV. The longer key did not make WEP robust: the IV space is so small that keystreams are reused, the IV is visible to everyone, RC4 leaks information about the key through its first output bytes, and the CRC is linear, so frames can be altered without detection.
WEP was designed to provide security by encrypting data from the sending and receiving devices. In a short period of time, however, it was discovered that WEP encryption was not nearly as secure as hoped. Part of the problem was that when the 802.11 standards were being written, security was not the major concern it is today. As a result, WEP security was easy to crack with freely available hacking tools. From this point, wireless communication was regarded as a potentially insecure transmission media.
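To make the weakness concrete, here is an added example (not from the page) that implements WEP framing with a pure-Python RC4 and then shows one of the easy failures: when two frames share an IV they share a keystream, so an attacker who can guess the contents of one frame (an ARP or DHCP packet, say) reads the other without ever learning the key. The key, IVs and frame contents are constructed for the demonstration.

```python
"""WEP framing with RC4 and the keystream-reuse failure when the 24-bit IV repeats.
Added example, not from the page; key, IVs and frame contents are constructed."""
import struct
import zlib


def rc4_keystream(key, n):
    """RC4 key scheduling + PRGA; returns n keystream bytes for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data):
    # WEP's integrity check value is a plain CRC-32, not a keyed MAC.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key, iv, plaintext):
    """Frame body = IV (3 bytes, sent in clear) || RC4(IV || key) XOR (plaintext || CRC32).
    A 5-byte key is '64-bit' WEP, a 13-byte key is '128-bit' WEP."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("WEP needs a 3-byte IV and a 40- or 104-bit key")
    body = plaintext + _icv(plaintext)
    ks = rc4_keystream(iv + wep_key, len(body))
    return iv + bytes(a ^ b for a, b in zip(body, ks))


def wep_decrypt(wep_key, frame):
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + wep_key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, icv = data[:-4], data[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch")
    return plaintext


def recover_from_iv_reuse(frame_a, frame_b, known_plaintext_a):
    """Passive attacker: two frames share an IV, so they share a keystream.
    Knowing frame A's plaintext yields that keystream, which strips frame B
    without the attacker ever learning the WEP key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; keystreams are independent")
    keystream = bytes(c ^ p for c, p in zip(frame_a[3:], known_plaintext_a))
    return bytes(c ^ k for c, k in zip(frame_b[3:], keystream))


def demo():
    """Returns the plaintext of frame B recovered from frame A's known contents."""
    key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                # constructed; only 2**24 IVs exist, so reuse is guaranteed
    p_a = b"ARP who-has 192.0.2.1 tell 192.0.2.20 ........"  # predictable frame an attacker can guess
    p_b = b"GET /login?user=alice&pw=hunter2"                # the frame the attacker wants
    f_a = wep_encrypt(key, iv, p_a)
    f_b = wep_encrypt(key, iv, p_b)
    recovered = recover_from_iv_reuse(f_a, f_b, p_a)
    return recovered[:len(p_b)]
```

Note what the longer key does not change: the IV is still 24 bits, the CRC is still linear (an attacker can flip plaintext bits and patch the ICV without the key), and the keystream-recovery trick above works for any key length. Real attacks go further and recover the key itself from many captured IVs, which is why WEP must be treated as an unencrypted network.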

WPA

Security weaknesses associated with WEP provided administrators with a very valid reason to be concerned with wireless security. The need for increased wireless security was important for wireless networking to reach its potential and to bring a sense of confidence for those with sensitive data to use wireless communications. In response, the Wi-Fi Protected Access (WPA) was created. WPA was designed to improve on the security weaknesses of WEP and to be backward compatible with older devices using the WEP standard. WPA addressed two main security concerns:
·         Enhanced data encryption: WPA uses the Temporal Key Integrity Protocol (TKIP), which still relies on RC4 (so that existing WEP hardware could be upgraded by firmware) but mixes a fresh per-packet key from the temporal key, the transmitter address, and a 48-bit sequence counter, and replaces WEP's CRC with a keyed message integrity check (Michael) so that modified or replayed frames are detected.
·         Authentication: WPA uses the Extensible Authentication Protocol (EAP), carried by 802.1X, in its enterprise mode, and a pre-shared key (WPA-PSK) in its personal mode. WEP offered only a static shared key (the MAC address filtering sometimes combined with it is easily defeated, because addresses can be sniffed and spoofed). EAP lets the network use stronger methods, such as certificate-based or tunneled password authentication, to ensure that only authorized users can access the network. WPA was an interim fix: WPA2 (IEEE 802.11i) replaced TKIP with AES-CCMP, and TKIP is now deprecated.

802.1x

802.1X is an IEEE standard specifying port-based network access control. 802.1X was not specifically designed for wireless networks; rather, it provides authenticated access for both wired and wireless networks. Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port in cases in which the authentication process fails.
During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it allows user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.
The authenticator's port-based network access control defines two logical access points to the LAN through one physical LAN port. The first logical access point, the uncontrolled port, allows data exchange between the authenticator and other computers on the LAN, regardless of the computer's authorization state. The second logical access point, the controlled port, allows data exchange between an authenticated LAN user and the authenticator.

Authentication Protocols

Two primary technologies are required for securing data transmissions: encryption and authentication. Encryption was discussed earlier; in this section, authentication protocols are reviewed.
When designing a remote connection strategy, it is critical to consider how remote users will be authenticated. Authentication defines the way in which a remote client and server will negotiate on a user's credentials when the user is trying to gain access to the network. Depending on the operating system used and the type of remote access involved, several different protocols are used to authenticate a user. The following authentication protocols are used with various technologies, including PPP:
·         Challenge Handshake Authentication Protocol (CHAP): CHAP is an authentication system that uses the MD5 hash function (not encryption) to secure authentication responses. CHAP is a commonly used protocol, and as the name suggests, anyone trying to connect is challenged: the server sends a random challenge, the client returns MD5 over the packet identifier, its secret, and the challenge, and the server compares that with the value it computes from its own copy of the secret. The password never crosses the link, and a fresh challenge each time defeats replay. When the response matches, the systems "shake hands," and the connection is established. The trade-off is that the server must store the secret in a form from which it can recompute the hash.
·         Microsoft Challenge Handshake Authentication Protocol (MS-CHAP): MS-CHAP, based on CHAP, was developed to authenticate remote Windows-based workstations. There are two versions of MS-CHAP; the main difference between the two is that MS-CHAP version 2 offers mutual authentication. This means that both the client and the server must prove their identities in the authentication process. Doing so ensures that the client is connecting to the expected server. MS-CHAPv2 uses the NT password hash with DES, and a captured handshake can be cracked offline, so it should only be used inside a protected tunnel such as PEAP or L2TP/IPSec.
·         Password Authentication Protocol (PAP): PAP is the least secure of the authentication methods because it sends the username and password in clear text. PAP is often not the first choice of protocols used; rather, it is used when more sophisticated types of authentication fail between a server and a workstation, and it should be disabled on any link an attacker could observe.
·         Extensible Authentication Protocol (EAP): EAP is an extension made to standard PPP. EAP has additional support for a variety of authentication schemes including smart cards. It is often used with VPNs to add security against brute-force or dictionary attacks.
·         Shiva Password Authentication Protocol (SPAP): SPAP is an encrypting authentication protocol used by Shiva remote access servers. SPAP offers a higher level of security than PAP, but it is not as secure as CHAP.
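The PAP and CHAP exchanges above, as an added example that is not from the page: it builds the RFC 1334 PAP Authenticate-Request and the RFC 1994 CHAP Challenge/Response/Success/Failure packets, runs both sides of a CHAP exchange, and shows what a sniffer on the link would see in each case. The peer name alice, the secret hunter2 and the authenticator name ras-1 are made up.

```python
"""PAP and CHAP over PPP (RFC 1334 / RFC 1994), as seen on the wire by a passive sniffer.
Added example; the secret, names and challenge values are constructed."""
import hashlib
import hmac
import os
import struct

# PPP authentication packet codes
PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def pap_authenticate_request(ident, peer_id, password):
    """PAP Authenticate-Request: code, id, length, peer-id-len, peer-id, passwd-len, passwd.
    The password travels exactly as typed."""
    body = struct.pack("!B", len(peer_id)) + peer_id + struct.pack("!B", len(password)) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(body)) + body


def chap_hash(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994 section 4): MD5(ID || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_packet(code, ident, value, name=b""):
    """Challenge/Response: code, id, length, value-size, value, name.
    Success/Failure reuse the layout with an empty value and a message in the name field."""
    body = struct.pack("!B", len(value)) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def chap_parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 5:
        raise ValueError("bad CHAP length")
    vsize = pkt[4]
    return code, ident, pkt[5:5 + vsize], pkt[5 + vsize:length]


class ChapAuthenticator:
    """Server side: issues fresh random challenges and checks responses.
    The trade-off: it must hold each peer's secret in cleartext-equivalent form."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.ident = 0
        self.outstanding = {}

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.ident] = chal
        return chap_packet(CHAP_CHALLENGE, self.ident, chal, b"ras-1")

    def verify(self, response_pkt):
        code, ident, value, name = chap_parse(response_pkt)
        chal = self.outstanding.pop(ident, None)  # a challenge is good for exactly one response
        if code != CHAP_RESPONSE or chal is None or name not in self.secrets:
            return chap_packet(CHAP_FAILURE, ident, b"", b"bad response")
        expected = chap_hash(ident, self.secrets[name], chal)
        if hmac.compare_digest(expected, value):
            return chap_packet(CHAP_SUCCESS, ident, b"", b"welcome")
        return chap_packet(CHAP_FAILURE, ident, b"", b"bad response")


def chap_peer_respond(challenge_pkt, name, secret):
    """Client side: hash the challenge with the shared secret; the secret itself is never sent."""
    code, ident, chal, _ac_name = chap_parse(challenge_pkt)
    if code != CHAP_CHALLENGE:
        raise ValueError("not a challenge")
    return chap_packet(CHAP_RESPONSE, ident, chap_hash(ident, secret, chal), name)


def run_both(name=b"alice", secret=b"hunter2"):
    """Returns (pap_request_bytes, chap_response_bytes, chap_result_code, replay_result_code)."""
    pap = pap_authenticate_request(1, name, secret)
    auth = ChapAuthenticator({name: secret})
    resp = chap_peer_respond(auth.challenge(), name, secret)
    result = chap_parse(auth.verify(resp))[0]
    # Replaying the captured response fails: the old challenge was consumed, and a fresh one
    # would not hash to the same value.
    auth.challenge()
    replay = chap_parse(auth.verify(resp))[0]
    return pap, resp, result, replay
```

A sniffer sees hunter2 inside the PAP packet but only a 16-byte random challenge and a 16-byte MD5 digest in the CHAP packets. CHAP's remaining weakness is offline guessing: with the challenge and response in hand, an attacker can test candidate passwords as fast as MD5 allows, which is why long secrets, or a method such as EAP-TLS that does not hash a password at all, are preferred on links an attacker might observe.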

Remote Authentication Dial-In User Service (RADIUS)

Among the potential issues network administrators face when implementing remote access are utilization and the load on the remote access server. As a network's remote access implementation grows, reliance on a single remote access server might be impossible, and additional servers might be required. RADIUS can help in this scenario.
RADIUS is a protocol that enables a single server to become responsible for all remote access authentication, authorization, and accounting (AAA) services. The RADIUS protocol can be implemented as a vendor-specific product such as Microsoft's Internet Authentication Service (IAS), since replaced by Network Policy Server (NPS), or an open-source server such as FreeRADIUS.
RADIUS functions as a client/server system. The remote user dials in to the remote access server, which acts as a RADIUS client, or network access server (NAS), and forwards the credentials over UDP (port 1812 for authentication and 1813 for accounting; older deployments use 1645 and 1646) to a RADIUS server. The RADIUS server performs the authentication, authorization, and accounting functions and returns the result to the RADIUS client (the remote access server running RADIUS client software); the connection is either established or rejected based on the information received. Client and server share a secret that hides the user's password in the request and authenticates the server's reply; because that protection is weak by modern standards, RADIUS traffic should stay on a management network or be carried inside IPsec or TLS.
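The client/server exchange above, as an added example that is not from the page: it implements the RFC 2865 Access-Request/Access-Accept/Access-Reject packets, the shared-secret hiding of the User-Password attribute, and the Response Authenticator the NAS uses to check that a reply really came from the server that holds the secret. The shared secret, the user alice with password hunter2, and the NAS address are constructed.

```python
"""RADIUS Access-Request/Accept between a NAS (RADIUS client) and a RADIUS server (RFC 2865).
Added example; shared secret, user database and addresses are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(attrs):
    """Each attribute is Type(1) Length(1, includes the 2 header bytes) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, off = [], 20
    while off < length:
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, pkt[off + 2:off + l]))
        off += l
    return code, ident, pkt[4:20], attrs


def hide_password(secret, request_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret || c_{i-1}),
    with c_0 = Request Authenticator. This is obfuscation keyed by the shared secret,
    not strong encryption, which is why RADIUS belongs inside IPsec or TLS."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret, request_auth, hidden):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(secret, code, ident, request_auth, attrs):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret): the only proof that an
    Accept/Reject came from a server that knows the secret and answers *this* request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def nas_build_access_request(secret, ident, username, password, nas_ip=b"\xc0\x00\x02\x0a"):
    """NAS side: a fresh random Request Authenticator per request keys the password hiding."""
    request_auth = os.urandom(16)
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(secret, request_auth, password)),
             (ATTR_NAS_IP_ADDRESS, nas_ip)]
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(secret, users, pkt):
    """Server side: recover the password, check it, answer with a signed Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a.get(ATTR_USER_NAME)
    pw = reveal_password(secret, request_auth, a.get(ATTR_USER_PASSWORD, b""))
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], pw)
    rcode, rattrs = (ACCESS_ACCEPT, []) if ok else (ACCESS_REJECT, [])
    auth = response_authenticator(secret, rcode, ident, request_auth, rattrs)
    return build_packet(rcode, ident, auth, rattrs)


def nas_check_response(secret, ident, request_auth, pkt):
    """NAS side: trust the verdict only if the ID and Response Authenticator match our request."""
    code, rid, auth, attrs = parse_packet(pkt)
    if rid != ident:
        return False, code
    expected = response_authenticator(secret, code, rid, request_auth, attrs)
    return hmac.compare_digest(auth, expected), code


def exchange(nas_secret, server_secret, username, password, users):
    """Full round trip; returns (reply_authentic, reply_code)."""
    req, request_auth = nas_build_access_request(nas_secret, 7, username, password)
    resp = server_handle(server_secret, users, req)
    return nas_check_response(nas_secret, 7, request_auth, resp)
```

Note that nothing in the Access-Request itself is integrity-protected: the Response Authenticator covers the reply, and the shared secret only hides the password. Modern deployments add the Message-Authenticator attribute (an HMAC-MD5 over the whole packet, RFC 3579) to every request and reply and treat a missing or bad one as a reject; the example omits it to keep the RFC 2865 core visible.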

Kerberos

Seasoned administrators can tell you about the risks of sending clear-text, unencrypted passwords across any network. The Kerberos network authentication protocol is designed so that passwords never travel across the network at all. Its purpose is to provide authentication for client/server applications.
Kerberos authentication works by having a client first authenticate to a Key Distribution Center (KDC), which issues it a ticket-granting ticket; for each network service the client then requests a service ticket. A ticket contains the client's identity and a fresh session key and is encrypted with the long-term key of the service it is for, so the client cannot read or alter it; it never contains the user's password. The client proves its identity to the service by presenting the ticket together with an authenticator encrypted under that session key, which it could only have obtained by knowing the key derived from its password.
Kerberos was created at the Massachusetts Institute of Technology to provide a solution to network security issues. With Kerberos, the client must prove its identity to the server, and the server must also prove its identity to the client. Kerberos provides a method to verify the identity of a computer system over an insecure network connection.
Kerberos is distributed freely, as is its source code, allowing anyone interested to view the source code directly. Kerberos is also available from many different vendors that provide additional support for its use.
