Overview
This module deals with wide area technologies, which include various switching methods, Internet access methods and remote access protocols. A switching method is a component of a network topology which determines the connection created between nodes. The rapid growth of the Internet and the abundance of computer hardware and software available to people has placed an increasing demand on telecommunications providers to supply faster data rates for private use. To log into a remote access server, you must dial into the network as a remote node. This server often also provides remote node services across the Internet via tunneling protocols. A number of remote access servers are available, among which a dedicated server is used to provide remote node services since it is able to maintain better security and higher performance. This module also deals with the security protocols implemented on a network to protect the stored data and software from being accessed by unknown users.
Introduction
Switching is a component of a network topology which determines the connection created between nodes. The common switching methods are packet switching and circuit switching. The rapid growth of the Internet and the abundance of computer hardware and software available to people has placed an increasing demand on telecommunications providers to supply faster data rates for private use. One of the currently popular solutions is Digital Subscriber Line (DSL) technology. These standards, often called xDSL because of their many variations, permit rapid data communications over common telephone lines, often while simultaneously permitting voice conversations.
throughout the wide area network. This method divides messages into packets and sends each packet individually. The switching method influences how quickly routing takes place. Some of the common switching methods are:
Packet switching involves breaking messages up into smaller components called packets. Depending on the system involved, packet sizes often range from about 600 bytes to 4000 bytes. Each packet contains source and destination information, and is treated as an individual message.
Packet switching is ideal for digital data, because the information is grouped into frames or packets, which are simply collections of bytes of data. Packet switching networks treat each packet as an individual message to be routed. Messages are broken into packets and reassembled by Packet Assembler/Disassembler devices (PADs).
Packet switching is quite fast because messages are not stored in their entirety for later recovery. It makes it possible to avoid pathway failures due to excessive traffic loads or mechanical problems. Packet switching allows us to use pathways that may not normally get much traffic. Instead of concentrating on a few paths that are always busy, packet switching spreads the load of communication across several paths.
Understanding Network Basics
Circuit switching involves the formation of a physical path for data flow between a sender and receiver. This method creates a link between the callers using the phone system. The whole connection from sender to receiver is called a circuit. Circuit switching has the advantages associated with a physical pathway, such as reliability of transfer. The problem associated with circuit switching is the overhead required to create the physical pathway. The circuit offers the desired bandwidth to the sender and receiver.
Integrated Services Digital Network (ISDN) is a circuit switched telephone network system, intended to allow digital transmission of voice and data over ordinary telephone copper wires, resulting in better quality and higher speeds. It is a set of protocols for establishing and breaking circuit switched connections. ISDN consists of digital lines that are broken up into two types of channels, Data and Signaling. The data-bearing B channels, or bearer channels, support data transfer rates up to 64 Kbps per channel. B channels can be grouped together to support higher data rates. ISDN supports two major service types:
Basic Rate Interface (BRI)
Primary Rate Interface (PRI)
Basic Rate Interface (BRI) is made up of two B channels and one D channel (2B+D), the D channel being used for transmitting control information. It is also called the S or T interface. The BRI B-channel service operates at 64 Kbps and its main function is to carry user data. The BRI D-channel service operates at 16 Kbps and is intended to carry control and signaling information.
Primary Rate Interface (PRI) consists of 23 or 30 B-channels and one D-channel (23B+D or 30B+D, depending on the bandwidth). It can therefore handle 23 or 30 voice channels respectively. The 23B+D arrangement delivers a throughput of 1.544 Mbps while 30B+D delivers 2.040 Mbps. These arrangements feature separate 16 Kbps D channels for handling control information.
A computer with an ISDN line is able to connect to any other computer that also uses ISDN simply by dialing its ISDN number. The ISDN specification includes several types of equipment, as listed below:
Terminal adapter (TA): Also called an ISDN modem, this is either an internal or external adapter to connect equipment to an ISDN line.
Terminal equipment type 1 (TE1): Terminals with built-in ISDN adapters.
Terminal equipment type 2 (TE2): Terminals that require a terminal adapter to connect to an ISDN line.
Network termination type 1 (NT1): Connects the ISDN line between the customer's location and the telephone company's local loop.
Network termination type 2 (NT2): Used for digital private branch exchanges (PBXs), providing addressing and routing services.
Fiber Distributed Data Interface is a media access control protocol with a token-ring architecture and a communication bandwidth of 100 Mbps. It runs over a fiber network medium and is fast compared to standard Token Ring and Ethernet.
FDDI Specifications
FDDI specifies the physical and media access layers of the OSI reference model. There are four specifications in FDDI. They are:
Media Access Control (MAC)
Physical Layer Protocol (PHY)
Physical Medium Dependent (PMD)
Station Management (SMT)
The Media Access Control specification defines the method of accessing the medium, along with the frame format, token handling, addressing, the algorithm for calculating the cyclic redundancy check (CRC) value, and error recovery mechanisms. The Physical Layer Protocol specification defines the data encoding/decoding procedures, clocking requirements and framing, along with other functions.
The FDDI frame format is similar to that of the Token Ring frame. The following frame format shows the extent of the similarities between the FDDI and Token Ring frame formats.
Preamble: a unique sequence which prepares each station for the upcoming frame.
Start Delimiter: indicates the start of the frame and consists of signaling patterns which distinguish it from the rest of the frame.
Frame Control: indicates the size of the address fields and whether the frame contains asynchronous or synchronous data, among other control information.
Destination Address: 6 bytes long; contains a unicast, multicast or broadcast address.
Source Address: 6 bytes long; identifies the station which sent the frame.
Data: contains either information destined for an upper-layer protocol or control information.
Frame Check Sequence: used to check the traversing frame for bit errors. The source station fills this field with a 32-bit cyclic redundancy check value calculated over the frame contents; the destination station recalculates the value to determine whether the frame was damaged in transit, and if so the frame is discarded.
End Delimiter: contains unique symbols which indicate the end of the frame.
Frame Status: allows the source station to determine whether an error occurred and whether the frame was recognized and copied into the memory of the intended receiver.
The T-carrier system is a series of data transmission formats developed by Bell Telephone. The base unit of a T-carrier is DS0, which is 64 Kbps. The T-carrier system uses in-band signaling, a method that actually robs bits from being used for data and uses them instead for overhead. This reduces the transmission rates used for T-carrier signals.
T-1 carrier
T-1 is a digital line made up of 24 channels with an aggregate rate of 1.544 Mbps, used to connect corporate networks and Internet Service Providers. It is also called DS0 or DS1.
T-3 carrier
The T-3 carrier is also associated with the phone connection, supporting data rates of 43 Mbps. A T3 line usually consists of 672 individual channels. It is also called a DS3 line.
E1
E1 is the European format for digital transmission. E1 carries signals at 2 Mbps over 32 channels of 64 Kbps each, with 2 channels reserved for signaling and control, compared with T1, which carries signals at 1.544 Mbps over 24 channels of 64 Kbps. E1 and T1 lines can be interconnected for international purposes.
X.25
X.25 is a set of protocols incorporated in a packet switching network made up of switching services. It uses packet switching and virtual circuits, and provides a data rate of up to 64 Kbps. It provides robust error checking features, which makes it a good option for older networks. In addition, the data packets are subject to the delays of the shared network. Most packet switching technology does not use a dedicated physical or virtual circuit and is generally connectionless in nature; X.25, by contrast, establishes virtual circuits that make it connection oriented. The connection is established, the data is transferred, and then the connection is terminated.
One of the currently popular solutions is Digital Subscriber Line (DSL) technology. These standards, often called xDSL because of their many variations, permit rapid data communications over common telephone lines, often while simultaneously permitting voice conversations. The network company Aber (2001) defines xDSL as the dedicated, point-to-point, public network access technologies which allow multiple forms of data, voice, and video to be carried over twisted-pair copper wire on the local loop between a network service provider's central office and the customer site.
The x Digital Subscriber Line technology, or xDSL, is an advanced coding technique which allows digital signals of up to 50 Mbit/s to be transmitted over the length of a copper pair cable. xDSL is used to enhance the service delivery capability of copper pairs. xDSL includes two main branches:
Symmetric DSL: Symmetric DSL services provide identical data rates upstream and downstream.
Asymmetric DSL: Asymmetric DSL provides relatively lower rates upstream but higher rates downstream.
Broadband refers to a transmission technique which carries several data channels over a common wire. In home networking, broadband usually refers to high-speed Internet access using such a technique. DSL and cable modems are the common broadband Internet technologies.
Public Switched Telephone Network (POTS/PSTN)
The Public Switched Telephone Network refers to the international telephone system based on copper wires carrying analog voice data. The PSTN is now entirely digital and includes mobile as well as fixed telephones. By using digital signals instead of analog, the PSTN can carry more voice calls over the same cable, which has reduced the cost per call minute.
Satellite Internet is a form of high-speed Internet service. Satellite Internet services use telecommunications satellites to provide Internet access to consumers, and cover areas where DSL and cable access are unavailable. Satellite offers less network bandwidth than DSL or cable. In addition, the extended delays required to transmit data between the satellite and the ground stations create high network latency, which makes the connection feel slow.
Wireless
Wireless networking refers to the technology which enables two or more computers to communicate using the standard network protocols, but without network cabling. Wireless has grown from an expensive curiosity to a practical and affordable networking technology. Today's most common wireless standard is 802.11b Ethernet, also called Wi-Fi (Wireless Fidelity). It is fast and affordable for home networks.
remote access server. This is often the same server which provides remote node services across the Internet, via tunneling protocols. A variety of remote access servers is available. In general, organizations use a dedicated server to provide remote node services because it can maintain security better and offer higher performance.
Point-to-Point Protocol (PPP)
Point-to-Point Protocol was originally intended as an encapsulation protocol for transporting IP traffic between two peers. PPP provides a standard method for transporting multi-protocol datagrams over point-to-point links. It is a data link layer protocol in the TCP/IP protocol suite. PPP is an addition to TCP/IP that adds two sets of functionality:
It can transmit TCP/IP packets over a serial link.
It has login security.
Encapsulation
PPP encapsulation is a method for encapsulating multi-protocol datagrams. It provides multiplexing of different network layer protocols simultaneously over the same link, and has been carefully designed to retain compatibility with the most commonly used supporting hardware.
Link Control Protocol
The Link Control Protocol is flexible and portable to a wide variety of environments. Its configuration mechanism is also used by other control protocols such as the Network Control Protocols (NCPs). In order to establish communications over a point-to-point link, each end of the PPP link must send LCP packets to configure and test the data link. After the link is established and optional facilities have been negotiated as needed by the LCP, PPP sends NCP packets to choose and configure one or more network layer protocols.
Flag: indicates the beginning or end of a frame and consists of the binary sequence 01111110.
Address: contains the binary sequence 11111111, the standard broadcast address.
Control: contains the binary sequence 00000011, which calls for transmission of user data in an unsequenced frame.
Protocol: identifies the protocol encapsulated in the information field of the frame.
Information: zero or more octets containing the datagram for the protocol specified in the protocol field.
Frame Check Sequence (FCS): normally 16 bits, but PPP implementations can use a 32-bit FCS for improved error detection.
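The field list above maps directly onto bytes, and the FCS is what lets a receiver discard a frame that was damaged on the line. The following Python is an added example, not code from the page: it builds a frame with the fields in the order given and computes the 16-bit FCS as RFC 1662 specifies (the 32-bit variant mentioned above is not implemented, and the octet stuffing used on asynchronous links is omitted, so the sample payloads avoid the 0x7E and 0x7D bytes).

```python
# Build and check a PPP frame with the 16-bit FCS of RFC 1662.
# Added example, not code from the page. Octet stuffing (escaping of 0x7E and
# 0x7D on asynchronous links) is left out, so sample payloads avoid those bytes.
PPP_FLAG = 0x7E       # 01111110
PPP_ADDRESS = 0xFF    # 11111111, the all-stations address
PPP_CONTROL = 0x03    # 00000011, unnumbered information
PPP_INITFCS16 = 0xFFFF
PPP_GOODFCS16 = 0xF0B8  # FCS register value after a correct frame, FCS included, is run through


def _make_fcs_table():
    """Table for the reflected CRC-16 used by PPP (polynomial x^16+x^12+x^5+1, i.e. 0x8408)."""
    table = []
    for b in range(256):
        v = b
        for _ in range(8):
            v = (v >> 1) ^ 0x8408 if v & 1 else v >> 1
        table.append(v & 0xFFFF)
    return table


_FCSTAB = _make_fcs_table()


def fcs16(data, fcs=PPP_INITFCS16):
    """Run the FCS register over data, starting from fcs."""
    for byte in data:
        fcs = (fcs >> 8) ^ _FCSTAB[(fcs ^ byte) & 0xFF]
    return fcs & 0xFFFF


def build_frame(protocol, information):
    """Flag | Address | Control | Protocol (2 octets) | Information | FCS (2 octets) | Flag."""
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + protocol.to_bytes(2, "big") + information
    fcs = fcs16(body) ^ 0xFFFF                          # the one's complement is transmitted
    trailer = bytes([fcs & 0xFF, (fcs >> 8) & 0xFF])    # least significant octet first
    return bytes([PPP_FLAG]) + body + trailer + bytes([PPP_FLAG])


def fcs_ok(frame):
    """True when the frame is flag-delimited and its FCS matches its contents."""
    if len(frame) < 8 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        return False
    return fcs16(frame[1:-1]) == PPP_GOODFCS16


def parse_frame(frame):
    """Split a verified frame into its fields; a damaged frame is discarded (ValueError)."""
    if not fcs_ok(frame):
        raise ValueError("bad flag or FCS: frame discarded")
    body = frame[1:-1]
    return {
        "address": body[0],
        "control": body[1],
        "protocol": int.from_bytes(body[2:4], "big"),
        "information": bytes(body[4:-2]),
    }


if __name__ == "__main__":
    # Constructed sample: a stub IPv4 datagram (PPP protocol 0x0021) as the information field.
    frame = build_frame(0x0021, b"\x45\x00\x00\x14sample")
    print(frame.hex(), parse_frame(frame))
    damaged = bytearray(frame)
    damaged[6] ^= 0x01          # flip one bit in the protocol field
    print("damaged frame accepted?", fcs_ok(bytes(damaged)))
```

Note that the FCS only detects transmission errors; it is not a security check, since anyone who can alter a frame can recompute it. The PPP FCS-16 is the same CRC as CRC-16/X-25, so its published check value can be used to confirm the table.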
Serial Line Internet Protocol is simply a packet framing protocol. SLIP defines a sequence of characters which frame IP packets on a serial line. It does not provide addressing, packet type identification, error detection/correction or compression mechanisms. It is commonly used on serial links and sometimes for dial-up purposes, and is generally used with line speeds between 1200 bps and 19.2 Kbps. SLIP is useful for allowing mixes of hosts and routers to communicate with one another. The SLIP protocol defines two special characters:
END
ESC
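As an added example, not code from the page, the encoder and decoder below implement the framing these two characters define, using the byte values and the two escape codes RFC 1055 assigns to them (0xC0 for END, 0xDB for ESC, and the ESC_END/ESC_ESC pair that lets those values appear inside a packet). The decoder also makes visible what the text says SLIP lacks: a flipped byte decodes without any error, because there is no checksum to catch it.

```python
# SLIP framing per RFC 1055. Added example, not from the page.
SLIP_END = 0xC0      # delimits a packet
SLIP_ESC = 0xDB      # introduces an escaped byte
SLIP_ESC_END = 0xDC  # ESC, ESC_END on the wire stands for a data byte of 0xC0
SLIP_ESC_ESC = 0xDD  # ESC, ESC_ESC on the wire stands for a data byte of 0xDB


def slip_encode(packet):
    """Return the byte sequence sent on the serial line for one packet."""
    out = bytearray([SLIP_END])   # a leading END flushes line noise at the receiver
    for b in packet:
        if b == SLIP_END:
            out += bytes([SLIP_ESC, SLIP_ESC_END])
        elif b == SLIP_ESC:
            out += bytes([SLIP_ESC, SLIP_ESC_ESC])
        else:
            out.append(b)
    out.append(SLIP_END)
    return bytes(out)


def slip_decode(stream):
    """Split a received byte stream into packets.

    Returns (packets, leftover); leftover is an unterminated packet still in
    progress. There is no checksum, so corrupted bytes are passed up unnoticed.
    """
    packets, current, escaped = [], bytearray(), False
    for b in stream:
        if escaped:
            escaped = False
            if b == SLIP_ESC_END:
                current.append(SLIP_END)
            elif b == SLIP_ESC_ESC:
                current.append(SLIP_ESC)
            else:
                current.append(b)   # protocol violation; RFC 1055 leaves the byte in place
        elif b == SLIP_END:
            if current:             # back-to-back ENDs produce no empty packet
                packets.append(bytes(current))
                current = bytearray()
        elif b == SLIP_ESC:
            escaped = True
        else:
            current.append(b)
    return packets, bytes(current)


if __name__ == "__main__":
    # Constructed sample containing both special values inside the data.
    sample = b"\x45\xc0\xdb\x00data"
    wire = slip_encode(sample)
    print(wire.hex())
    print(slip_decode(wire))
```

Because SLIP carries no type field, the receiver has to assume every packet is IP; any error detection or integrity protection has to come from the layers above.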
Point-to-Point Protocol over Ethernet is designed for connecting multiple computer users on an Ethernet local area network. PPPoE is used to share a common Digital Subscriber Line (DSL), cable modem, or wireless connection among multiple users on the Internet. PPPoE combines the Point-to-Point Protocol, commonly used in dial-up connections, with the Ethernet protocol, which supports multiple users in a local area network. The PPP protocol information is encapsulated within an Ethernet frame.
Point-to-Point Tunneling Protocol is a networking technology which supports multiprotocol virtual private networks (VPNs). This protocol enables remote users running various operating systems and other Point-to-Point Protocol (PPP) enabled systems to dial into a local Internet service provider and connect securely to their corporate network through the Internet.
PPTP supports data encryption and compression of the data packets. PPTP also uses a form of General Routing Encapsulation (GRE) to get data to and from its final destination. The PPTP-based Internet remote access VPNs are the most common form of PPTP VPN. In this environment, VPN tunnels are created by means of the following two-step process:
1. The PPTP client connects to their ISP using PPP dial-up networking.
2. PPTP creates a TCP control connection between the VPN client and VPN server to establish a tunnel. PPTP uses TCP port 1723 for these connections.
PPTP also supports VPN connectivity via a LAN; in that case the tunnels can be created directly using the TCP control connection between the VPN server and client. When the VPN tunnel is established, PPTP supports two types of information flow:
Control messages for managing and eventually breaking down the VPN connection. These messages are passed directly between the VPN client and server.
Data packets passed to or from the VPN client through the tunnel.
Remote Desktop Protocol (RDP) is a multi-channel protocol which allows a user to connect to a system over separate virtual channels used for carrying presentation data, serial device communication, and highly encrypted information. This protocol is designed to provide remote display and input capabilities through network connections for Windows-based applications running on a server. RDP is mainly used for connectivity purposes because it offers a platform to extend capabilities. It is also designed to support many different types of network topologies such as ISDN, and LAN protocols such as IPX and NetBIOS.
Dial-up networking technology allows you to connect your computer and other network devices to a LAN or WAN through standard telephone lines. Dial-up networking is the simplest and most widely used type of computer connection to the Internet. Dial-up connections are the most common type of Internet connection available from ISPs; they are also the slowest and the least expensive.
Dial-up networking uses a modem as the interface between a single system and a network such as the Internet; the modems are typically capable of speeds up to 56 kbps. A dial-up connection with a modem is the cheapest and most widely available way to connect to the Internet, but because it offers comparatively slow connection speeds, graphics-intensive web sites take a long time to download. The maximum download speed using dial-up networking is limited by the telephone system's analog bandwidth, the line quality, and the Internet traffic load. Dial-up networking usually communicates with the ISP using the Point-to-Point Protocol standard.
A Virtual Private Network (VPN) is a network that allows a combination of computers and networks to communicate without a number of security risks. It uses the Internet or other network service as its Wide Area Network (WAN) backbone. A VPN enables you to send data between two computers across a shared or public internetwork in a way that emulates the properties of a point-to-point private link. When a point-to-point link is established, the data is encapsulated, or wrapped, with a header that provides routing information allowing it to traverse the shared or public transit internetwork to reach its endpoint. When a private link is established, the data being sent is encrypted for privacy. Packets that are intercepted on the shared or public network are impossible to read without the encryption keys.
encapsulated is known as the tunnel. The portion of the connection in which the private data is encrypted is known as the virtual private network (VPN) connection and is illustrated below:
Internet or other network service, facilitating secure extranet connections. There are three main types of VPN:
Intranet VPN: allows private networks to be extended across the Internet or other public network service in a secure way.
Remote access VPN: also referred to as a dial-up VPN. It allows individual dial-up users to connect to a central site across the Internet.
Extranet VPN: allows secure connections for the purpose of e-commerce. Extranet VPNs are an extension of intranet VPNs with the addition of firewalls to protect the internal network.
Introduction
In computer networking, security is part of every network administrator's job, in order to secure the data stored on every computer. There are various methods used to provide security on a network, to protect information and software from being accessed by unauthorized people.
network. They are commonly used over TCP/IP connections such as the Internet to communicate between the systems. Using some of the security protocols, the communication between the systems is ensured and the data is prevented from tampering. A set of security protocols are discussed as follows.
IP Security is a set of protocols developed by the Internet Engineering Task Force (IETF) to maintain secure exchange of packets at the IP layer. IPsec has been widely deployed to implement Virtual Private Networks (VPNs). IPsec supports two encryption modes:
Transport: Transport mode encrypts only the data segment (payload) of each packet, but leaves the header intact.
Tunnel: Tunnel mode is more secure and encrypts both the header and the payload. On the receiving side, an IPSec compliant device decrypts each packet.
Establishment of a secure VPN between separated networks using the Internet.
Remote access to private networks from a stand-alone system.
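To make the difference between the two modes concrete, here is an added example (not code from the page) that models an ESP packet in both modes. The IP header is a 9-byte stand-in (source, destination, protocol), the cipher is a toy HMAC-derived keystream rather than a real ESP cipher, and the addresses, key and SPI values are constructed. What it shows is which addresses an on-path observer can still read: in transport mode the two communicating hosts, in tunnel mode only the two gateways.

```python
# ESP in transport vs tunnel mode: what an observer on the path can still read.
# Added illustration, not from the page. The "IP header" is a 9-byte stand-in and
# the cipher is a toy keystream; only the placement of the encryption boundary and
# the SPI / sequence / next-header / ICV layout are meant to mirror real ESP (RFC 4303).
import hashlib
import hmac
import struct

ESP_PROTO = 50    # IP protocol number carried in the outer header for ESP
IPIP_NEXT = 4     # ESP next-header value meaning "a whole IPv4 packet is inside"
TCP_PROTO = 6
ICV_LEN = 12
HDR = struct.Struct("!4s4sB")   # stand-in IPv4 header: src, dst, protocol


def make_packet(src, dst, proto, payload):
    return HDR.pack(src, dst, proto) + payload


def _toy_cipher(key, seq, data):
    """XOR with an HMAC-SHA256 keystream keyed by the ESP sequence number.
    Constructed stand-in for a real cipher so the example runs with the stdlib only."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        block = seq.to_bytes(4, "big") + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_wrap(key, spi, seq, plaintext, next_header):
    """SPI | sequence | encrypted(plaintext | next header) | ICV."""
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    body += _toy_cipher(key, seq, plaintext + bytes([next_header]))
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def esp_unwrap(key, esp):
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP integrity check failed")
    seq = int.from_bytes(body[4:8], "big")
    plain = _toy_cipher(key, seq, body[8:])
    return plain[:-1], plain[-1]


def transport_mode(key, packet, spi, seq):
    """Keep the original header (protocol becomes ESP); encrypt only the payload."""
    src, dst, proto = HDR.unpack(packet[:HDR.size])
    return HDR.pack(src, dst, ESP_PROTO) + esp_wrap(key, spi, seq, packet[HDR.size:], proto)


def tunnel_mode(key, packet, gw_src, gw_dst, spi, seq):
    """Encrypt the whole original packet, header included, behind a new gateway header."""
    return HDR.pack(gw_src, gw_dst, ESP_PROTO) + esp_wrap(key, spi, seq, packet, IPIP_NEXT)


def observer_view(wire):
    """What someone on the path without the key can read: the outer addresses."""
    src, dst, _ = HDR.unpack(wire[:HDR.size])
    return src, dst


def decapsulate(key, wire):
    src, dst, proto = HDR.unpack(wire[:HDR.size])
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    inner, next_header = esp_unwrap(key, wire[HDR.size:])
    if next_header == IPIP_NEXT:
        return inner                                  # tunnel mode: inner is a full packet
    return HDR.pack(src, dst, next_header) + inner    # transport mode: restore the header


def accepts(key, wire):
    """True when the receiver would pass the packet on; False when it is dropped."""
    try:
        decapsulate(key, wire)
        return True
    except ValueError:
        return False


# Constructed addresses and key for the demonstration.
HOST_A, HOST_B = bytes([10, 0, 0, 5]), bytes([10, 1, 0, 7])
GW_A, GW_B = bytes([203, 0, 113, 1]), bytes([198, 51, 100, 1])
KEY = b"\x11" * 32

if __name__ == "__main__":
    packet = make_packet(HOST_A, HOST_B, TCP_PROTO, b"GET / HTTP/1.0")
    print("transport:", observer_view(transport_mode(KEY, packet, 0x1001, 1)))
    print("tunnel:   ", observer_view(tunnel_mode(KEY, packet, GW_A, GW_B, 0x2002, 1)))
```

In both modes the SPI and sequence number stay in the clear (the receiver needs them to pick the right key before decrypting), and a packet whose ICV does not verify is dropped before any of it is trusted; tunnel mode additionally hides which internal hosts are talking.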
The above diagram shows a VPN tunnel between two LAN sites. Most of the tasks are done automatically by the IPSec gateways. The gateways are connected to the Internet; as long as that connection exists, an IPSec tunnel is automatically established between the respective LANs.
A secure tunnel between a remote system and the office LAN is established automatically as long as the IPSec client is configured correctly. The remote system uses a modem or ISDN dial-up connection to connect to the Internet and from there connects directly to the office LAN.
The Layer 2 Tunneling Protocol is used for integrating multi-protocol dial-up services into an existing Internet Service Provider's Point of Presence. The Point-to-Point Protocol defines an encapsulation mechanism for transporting multiprotocol packets across layer 2 (L2) point-to-point links. L2TP extends the PPP model by allowing the L2 and PPP endpoints to be located on different devices interconnected by a packet switched network. With L2TP, a user has an L2 connection to an access concentrator such as a modem bank or ADSL DSLAM, and the concentrator then tunnels individual PPP frames to the NAS. This allows the actual processing of PPP packets to be separated from the termination of the L2 circuit. This protocol may also be used to solve the "multilink hunt-group splitting" problem: Multilink PPP, often used to aggregate ISDN B channels, requires that all channels composing a multilink bundle be grouped at a single Network Access Server (NAS).
Secure Socket Layer is a protocol designed to provide a new and flexible alternative for secure remote access across the Internet. Its main purposes are to ensure that data is transmitted privately, that the content of the data is not altered during transmission, and to authenticate the web server and the web browser.
Private Data Transmission
SSL uses encryption and decryption to ensure that the data is transmitted privately. Encryption transforms the data into a format that is not readable. Decryption transforms encrypted data back into a readable format. Because the web server encrypts the data before sending it to the web browser, only the intended web browser user can read the information sent by the web server. To achieve this, SSL uses two types of encryption:
Symmetric-key
Public-key
Symmetric-key
Symmetric-key encryption uses a single key. The web browser and the web server create the key during the SSL handshake. The same key is used to both encrypt and decrypt the data. This encryption ensures that no one else can read the data being transmitted in either direction.
Public-key
Public-key encryption uses a pair of keys, a public key and a private key, which work together to encrypt and decrypt information. Together the private key and the public key are referred to as a key pair. The public key is freely distributed and the sender uses it to encrypt messages to the recipient; the private key is kept by its owner, and the recipient uses it to decrypt the messages from the sender. Data encrypted with one key in the pair can only be decrypted using the other key in the pair.
A web server and web browser use a public key encryption when initially establishing communications. During the SSL handshake, the web browser authenticates the web server. When the handshake is complete, the web server and web browser switch to the more efficient symmetric key encryption for the remainder of the transaction.
Wired Equivalent Privacy is a security protocol for wireless local area networks, mainly designed to prevent the interception of radio frequency signals by unauthorized users. It is most suitable for small networks since there is no key management protocol and each key must be entered manually into the clients, which is a time-consuming administrative task. WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another. It works by having all clients and Access Points configured with the same key for encryption and decryption.
Wireless access points (WAPs) allow mobile users to connect to a wired network via radio frequency technologies. WAPs also allow wired networks to connect to each other via wireless technologies. They can connect multiple wireless devices to a hub or switch to form a network. The most popular use for wireless access points is to provide Internet access in public areas. WAPs are easy to set up; most often you just need to plug them into a wired network and power them up to get them working.
802.1x
The 802.1x standard is a port-based network access control; devices that support it allow a connection into the network at layer 2 only if user authentication is successful. This protocol works well for access points which need to keep users off the network until they have authenticated. 802.1x provides a means of authenticating and authorizing devices to attach to a LAN port.
Authentication is the process of determining and verifying the identity of a user or service. Developers can use the authentication services and programming interfaces to authenticate users and to store certificates that can be used for authentication.
Challenge Handshake Authentication Protocol is an Internet standard defined in RFC 1994. This protocol uses the industry standard Message Digest 5 (MD5) one-way hash to protect the response, providing a high level of protection against unauthorized access. CHAP uses a three-way handshake to verify identity. The three steps in the process are:
1. The authenticator sends a challenge message to the client.
2. The client responds with a value calculated via the Message Digest 5 (MD5) one-way hash function.
3. The authenticator calculates the hash value itself and compares the client's response with its own calculation. If the values match, the connection is established.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
Microsoft Challenge Handshake Authentication Protocol is Microsoft's version of the standard CHAP method. It uses the same three-way handshake process, but is designed to be used by computers running Windows operating systems and integrates the encryption and hashing algorithms used on Windows networks. Version 2 adds features such as mutual (two-way) authentication of the client and server, as well as stronger encryption keys. MS-CHAP v2 is more secure than CHAP for Windows systems.
Password Authentication Protocol is the most basic form of authentication, in which a user's name and password are transmitted through the network and compared to a table of name/password pairs. Usually the passwords stored in the table are encrypted. The Basic Authentication feature built into the HTTP protocol uses PAP. This protocol can be excluded as a feasible option for most businesses because it sends passwords across the phone line or Internet in plain text. The user's name and password are sent over the wire to a server, where they are compared with a database of user account names and passwords. PAP provides a simple method for the peer to establish its identity using a two-way handshake. PAP is not a strong authentication method because of its security issues: there is no protection against repeated trial-and-error attacks.
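The contrast between PAP's two-way exchange and CHAP's three-way handshake (described above) can be seen directly in what each places on the wire. The following Python is an added example, not code from the page: the CHAP response is computed as RFC 1994 specifies, MD5 over the one-octet identifier, the shared secret and the challenge, and the authenticator accepts each challenge only once; the PAP Authenticate-Request carries the name and password as-is. The user names and secrets are constructed.

```python
# PAP vs CHAP: what each protocol puts on the wire. Added example, not from the page.
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id, password):
    """PAP Authenticate-Request (code 1, RFC 1334): both fields travel in the clear."""
    return bytes([1, len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response_value(identifier, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || secret || Challenge).
    The secret itself never appears on the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the three-way handshake."""

    def __init__(self, secrets):
        self.secrets = secrets        # peer name -> shared secret (constructed table)
        self.identifier = 0
        self.outstanding = None       # (identifier, challenge) awaiting a response

    def challenge(self):
        """Step 1: send an Identifier and a fresh random Challenge."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = os.urandom(16)
        self.outstanding = (self.identifier, value)
        return self.identifier, value

    def verify(self, name, identifier, response):
        """Step 3: recompute the hash locally and compare. Each challenge is usable once,
        so a response copied from an earlier exchange does not verify later."""
        if self.outstanding is None or name not in self.secrets:
            return False
        expected_id, value = self.outstanding
        self.outstanding = None
        if identifier != expected_id:
            return False
        expected = chap_response_value(identifier, self.secrets[name], value)
        return hmac.compare_digest(expected, response)


def run_chap(authenticator, name, secret):
    """Drive one handshake for a peer; returns (success, bytes that crossed the link)."""
    identifier, challenge = authenticator.challenge()                 # step 1
    response = chap_response_value(identifier, secret, challenge)     # step 2, at the peer
    on_the_wire = bytes([identifier]) + challenge + response + name
    return authenticator.verify(name, identifier, response), on_the_wire   # step 3


if __name__ == "__main__":
    auth = ChapAuthenticator({b"alice": b"s3cret-shared"})
    ok, wire = run_chap(auth, b"alice", b"s3cret-shared")
    print("CHAP accepted:", ok, "secret visible on wire:", b"s3cret-shared" in wire)
    pap = pap_authenticate_request(b"alice", b"s3cret-shared")
    print("PAP password visible on wire:", b"s3cret-shared" in pap)
```

The comparison is done with hmac.compare_digest so that the check takes the same time whether the first or the last byte differs. Note that CHAP still requires the authenticator to hold the secret in a recoverable form, which is one reason the text recommends EAP with certificates or Kerberos for stronger deployments.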
Remote Authentication Dial-In User Service provides for a centralized authentication database and can handle authorization and accounting in addition to authentication. Authorization refers to granting specific services to users based on their authenticated identity. Accounting refers to tracking the use of the network by users and can be done for billing, management, or security purposes. RADIUS is supported by dial-in remote access servers, VPN servers, and wireless access points (WAPs).
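One detail of how a remote access server hands credentials to the RADIUS server is that the User-Password attribute of an Access-Request is not sent in the clear: it is padded to 16-octet blocks and XORed with MD5(shared secret || Request Authenticator), chained block by block (RFC 2865 section 5.2). The Python below is an added example, not code from the page, that builds an Access-Request carrying User-Name, User-Password and NAS-IP-Address and parses it back as the server would; the shared secret, user, password and NAS address are constructed values.

```python
# RADIUS Access-Request with User-Password hiding per RFC 2865 section 5.2.
# Added example, not from the page; all secrets and addresses are constructed.
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_user_password(secret, request_authenticator, password):
    """Pad to 16-octet blocks; block i is XORed with MD5(secret + previous hidden block),
    the first block with MD5(secret + Request Authenticator)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, previous = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        previous = block
    return bytes(hidden)


def reveal_user_password(secret, request_authenticator, hidden):
    """Inverse, as performed by the server holding the same shared secret.
    Trailing NUL padding is stripped, so a password cannot itself end in NULs."""
    plain, previous = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + previous).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        previous = block
    return bytes(plain).rstrip(b"\x00")


def _attr(attr_type, value):
    """Attribute TLV: type, length (including these two octets), value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, user_name, password, nas_ip):
    authenticator = os.urandom(16)   # Request Authenticator: random, unique per request
    attrs = (_attr(ATTR_USER_NAME, user_name)
             + _attr(ATTR_USER_PASSWORD, hide_user_password(secret, authenticator, password))
             + _attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    length = 20 + len(attrs)         # code, identifier, length, authenticator = 20 octets
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_access_request(secret, packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "code": code,
        "identifier": identifier,
        "user_name": attrs[ATTR_USER_NAME],
        "password": reveal_user_password(secret, authenticator, attrs[ATTR_USER_PASSWORD]),
        "nas_ip": attrs[ATTR_NAS_IP_ADDRESS],
    }


if __name__ == "__main__":
    pkt = build_access_request(b"radius-secret", 7, b"alice", b"correct horse battery",
                               bytes([192, 0, 2, 10]))
    print(pkt.hex())
    print(parse_access_request(b"radius-secret", pkt))
```

The hiding rests entirely on the shared secret and the per-request random authenticator, which is why the secret must be long and random and why the path between the NAS and the RADIUS server should be a trusted one; a server configured with a different secret simply recovers garbage rather than raising an error.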
EAP provides for use of more secure authentication methods such as smart cards, Kerberos, and digital certificates, which are much more secure than the user name/password authentication methods above. The remote access server acts as the EAP authenticator, or it can act as a pass through, encapsulating the EAP packets and sending them to a backend security server such as a Remote Authentication Dial In User Server (RADIUS) server.
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos was created by MIT (Massachusetts Institute of Technology) as a solution to network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy. Kerberos is a solution to your network security problems.
Summary
Authentication is the process of determining and verifying the identity of a user or service. Password Authentication Protocol is the most basic form of authentication, in which a user's name and password are transmitted through the network and compared to a table of name/password pairs. Kerberos is a network authentication protocol, designed to provide strong authentication for client/server applications by using secret-key cryptography.
Summary
Switching methods divide messages into packets and send each packet individually. Some of the common switching methods are:
Packet Switching
Circuit Switching
Packet switching involves breaking messages up into smaller components called packets. It is ideal for digital data, because the information is grouped into frames or packets, which are simply collections of bytes of data. Circuit switching involves the formation of a physical path for data flow between a sender and receiver. This method creates a link between the callers using the phone system. The whole connection from sender to receiver is called a circuit. Circuit switching has the advantages associated with a physical pathway, such as reliability of transfer.
Integrated Services Digital Network (ISDN) is a set of protocols for establishing and breaking circuit switched connections. ISDN consists of digital lines that are broken up into two types of channels, Data and Signaling. The x Digital Subscriber Line technology, or xDSL, is an advanced coding technique used to enhance the service delivery capability of copper pairs. Dial-up networking is the simplest and most widely used type of computer connection to the Internet; it allows you to connect your computer and other network devices to a LAN or WAN through standard telephone lines. A Virtual Private Network (VPN) is a network that allows a combination of computers and networks to communicate without a number of security risks. A VPN uses the Internet or other network service as its Wide Area Network (WAN) backbone.