Network Services—VPN and VoIP
Chapter 11
Knowledge Concepts
• Understanding VPN technology
• Getting a grip on encryption
• The business application of VoIP and VPNs
• How VoIP works
Important Terms
• VPN
• RADIUS
• Authentication
• Provisioned
• Encryption
• PPTP, L2TP, IPSec
• Firewall
• Proxy server
• PKI
• DES
• Symmetric and asymmetric encryption
• VoIP
• H.323, SIP, LDAP
Why VPNs?
• Improves ability to communicate outside of a company
• Enables secure access
• Provides rapid provisioning of capacity as needed
VPN Characteristics
• Logical network
• Isolates customer traffic on shared provider facilities
• Looks like a private network
• Runs on either a packet-switched data network or a circuit-switched public network
• Can be deployed over a wide range of network technologies
• Uses shared carrier infrastructure
Deployment Models
• Customer-based
  • Carriers install gateways, routers and hardware on customer premises
  • Customer manages security
• Network-based
  • Carrier houses all equipment at a POP near the customer location
VPN Frameworks
• Internet based
  • Small ISPs provide local access services in a region
  • Business users get end-to-end services from a variety of suppliers
  • Encryption is used to isolate traffic and provide security
  • Customer provides servers with applications/content
  • A RADIUS server is used to authenticate traffic for access to the application/content servers
  • The RADIUS server is connected to a firewall
Provisioned VPNs
• Packet-switched VPN that runs across an ISP backbone using Frame Relay or ATM
• Supports multiple protocols
• Provisioned services improve performance by enabling guarantees of service (QoS)
VPN Applications
• A VPN is an architecture whose components are tied together and calibrated as a whole
• Goals are to manage security and deliver applications with minimal latency
• Saves money by
  • Replacing leased lines with Internet connectivity
  • Reducing dial-up costs
3 Major VPN Applications
• Intranets
  • Site-to-site connections
• Remote Access
  • Remote workers and outside customers
  • Eliminates modems and remote access routers
• Extranets
  • Suppliers have specific access
VPN Gateway Functions
• Maintenance of a secure logical connection as a tunnel
• Tunneling is the encapsulation of a data packet within an IP packet
• Remote ends of the tunnel can be at the edges of the ISP or at the corporate boundary router
• Traffic is routed in encrypted form
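As an added illustration of the encapsulation step (not part of the chapter's material), the Python below builds an inner IPv4 packet, wraps it in an outer IPv4 header addressed between two tunnel gateways (protocol 4, IP-in-IP as in RFC 2003), and unwraps it again at the far end after validating the outer header; the encryption that IPsec would apply to the encapsulated packet is left out. All addresses and the UDP stub are constructed sample values.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    def addr(a: str) -> bytes:
        return bytes(int(octet) for octet in a.split("."))
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                         ttl, proto, 0, addr(src), addr(dst))
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]

def encapsulate(inner_packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel entry: the whole inner IP packet becomes the payload of an outer IP
    packet addressed between the two gateways, with protocol 4 (IP-in-IP)."""
    return ipv4_header(gw_src, gw_dst, 4, len(inner_packet)) + inner_packet

def decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel exit: validate the outer header, then hand back the original packet."""
    if len(outer_packet) < 20 or outer_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (outer_packet[0] & 0x0F) * 4
    if ipv4_checksum(outer_packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("bad outer header checksum")
    if outer_packet[9] != 4:
        raise ValueError("outer protocol %d is not IP-in-IP" % outer_packet[9])
    total_len = struct.unpack("!H", outer_packet[2:4])[0]
    return outer_packet[ihl:total_len]

# Constructed sample: a UDP datagram between two private hosts on different sites.
INNER = ipv4_header("10.1.0.5", "10.2.0.7", 17, 8) + bytes.fromhex("0035003500080000")
# Constructed gateway addresses (documentation ranges) for the outer header.
OUTER = encapsulate(INNER, "203.0.113.1", "198.51.100.1")
```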
Key Tunneling Protocols
• PPTP: Layer 2, used in MS products
• L2TP: used by ISPs on the backbone
• IPSec: provides encryption at 168 bits and authentication of both ends of the tunnel connection
  • Works only in an IP environment
VPN Security
• Firewalls are used to control policies for data exchange between 2 networks
• Routers can act as a firewall by managing (filtering) packet traffic
• Proxy servers are used to separate the internal network from public services
• Authentication provided by RADIUS servers
  • Uses CHAP (Challenge Handshake Authentication Protocol) to authenticate
  • Tokens issued with the user password to the server to verify user access
  • New tokens generated each time a user connects
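To make the challenge-response idea concrete, here is an added Python model of CHAP as specified in RFC 1994 (MD5 variant); it is not code from the chapter or from any RADIUS product. The shared secret is a constructed sample, and the server shows why issuing a fresh random challenge per connection means a previously captured response cannot be reused.

```python
import hashlib
import secrets

# Constructed sample: the user's password as provisioned on the authentication server.
USER_SECRET = b"correct horse battery staple"

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).
    The password itself never crosses the wire; only this one-time digest does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapServer:
    """Minimal authenticator: issues a fresh random challenge for every connection
    attempt and verifies the peer's response against the provisioned secret."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0
        self._pending = {}  # identifier -> outstanding challenge

    def issue_challenge(self) -> tuple:
        self._identifier = (self._identifier + 1) % 256
        challenge = secrets.token_bytes(16)  # new random value each time
        self._pending[self._identifier] = challenge
        return self._identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)  # each challenge is usable once
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return secrets.compare_digest(expected, response)  # constant-time comparison

def authenticate(server: ChapServer, client_secret: bytes) -> bool:
    """One full exchange: Challenge -> Response -> Success/Failure."""
    ident, challenge = server.issue_challenge()
    return server.verify(ident, chap_response(ident, client_secret, challenge))

def replay_is_rejected(server: ChapServer) -> bool:
    """A valid response recorded from one session is useless against the next one,
    because the server's next challenge (and therefore the expected digest) differs."""
    ident, challenge = server.issue_challenge()
    captured = chap_response(ident, USER_SECRET, challenge)
    first_ok = server.verify(ident, captured)          # legitimate use succeeds
    ident2, _ = server.issue_challenge()               # next connection, fresh challenge
    return first_ok and not server.verify(ident2, captured)
```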
Basic Encryption Terminology
• Plaintext (aka cleartext): original, readable data
• Ciphertext: scrambled form of plaintext
• Encryption: reversible conversion of plaintext into ciphertext
• Decryption: conversion of ciphertext back into plaintext
• Crack (aka break) a code: decrypt ciphertext without knowing the key
Basic Encryption Terminology (cont'd)
• Key: secret allowing encryption and decryption to be restricted to possessors of the key
• Symmetric encryption: encryption requiring a shared key for both encryption and decryption
• Asymmetric encryption: algorithm using a different key for decryption than for encryption
Encryption
• Encoding plaintext data to hide its contents as ciphertext
• Symmetric
  • Sender and receiver use the same key
  • Popular algorithms: DES, Triple DES, Blowfish
• Asymmetric (PKI)
  • Different keys, with one key held publicly
  • Verifies a message through hashing (MD5)
  • Public-key systems include RSA, Diffie-Hellman, PGP
  • PKI uses digital certificates to authenticate users and encrypt data
  • Verisign and Entrust
US Digital Signature Law
USA: 15 USC §7006
• Title 15: Commerce and Trade
• Chapter 96: Electronic Signatures in Global and National Commerce
• Based on S.761 (Sponsor Sens Abraham & Spencer)
• Introduced 1999-03-25
• Came into force 2000-06-30
• See Legal Information Institute entry at http://www4.law.cornell.edu/uscode/15/ch96.html#PC96
Electronic Payments
• Credit card transactions
• Digital cash
• Micropayments
Credit Card Transactions
• No documented case of interception of credit-card data while in transit through the Internet
• Most sites use Secure Sockets Layer (SSL)
• Credit-card information theft has occurred from servers
• All sensitive data on Web servers should be encrypted
• Safety of allowing a merchant to use credit-card information depends on the merchant
• No worse to give info to a reputable firm via the Web than to a clerk who takes the card away from view
Credit Cards & Escrow
• Allow buyer to register credit-card data with a reputable firm
• Merchant receives payment from the escrow service
• Escrow service bills the client's credit card
• Insulates buyer from seller
• Examples:
  • VeriSign Cybercash http://www.cybercash.com
  • Escrow.com http://www.escrow.com (for domain name sales)
  • Beseen BuyIt Button http://buyit.beseen.com
  • Tradenable http://www.tradenable.com
  • PayPal www.paypal.com
Digital Cash
• All credit-card transactions result in an electronic audit trail
• Digital cash (aka e-cash) removes the trail
• Load a device with credits
• Use the device for transactions to transfer credits
• Requires a device that can prevent
  • Counterfeiting (loading credits fraudulently)
  • Theft (removing credits fraudulently)
Digital Cash (cont'd)
• Mechanisms depend on smart cards
  • Devices the size of a credit card
  • Include microprocessor, RAM, power
  • Programmed with cryptographic tools to prevent unauthorized modification of contents
  • Interface allows merchant to deduct or refund credits
• Examples include
  • eCash http://www.digiscash.com
  • E-Cash Services http://www.ecashservices.com
VPNs and Business
• Before a VPN: point-to-point connections
• After a VPN: tunneled connections
VoIP
• Not yet a big player, with less than 5% of the market
• Cost savings, enhanced voice services and new applications are the major advantages
• VoIP gateways bridge the circuit-switched PSTN and the packet-switched Internet
• Gateways packetize and compress voice, route packets, authenticate users, and manage the network of gateways
VoIP Hardware
• Enterprise gateway
  • Deployed between the PBX and the WAN device (router) for call set-up, routing, and conversion
• VoIP routers
  • Voice cards perform packetization and compression functions in a router
• IP PBX
  • Distributed telephony servers that operate in packet-switched mode
• ISP VoIP gateways
  • Aggregate and route incoming traffic
VoIP Standards
• H.323
  • Based on ISDN and limited to point-to-point applications
• SIP
  • Application layer (signaling) protocol
  • Establishes temporary sessions for multimedia conferences, telephony, and mobile phone-to-instant messaging
• LDAP
  • Standard directory server technology for the Internet
  • Enables retrieval of information from multi-vendor directories
  • Used for free phone and Internet phone number hosting
Important Figures
• Figures 11.1 & 11.2, pp. 332–333
• Figures 11.3 & 11.4, pp. 334–335
• Figure 11.5, p. 336
• Figure 11.8, p. 339
• Figure 11.10, p. 346
• Figure 11.12, p. 358