Teleworker Benefits:
Organizational benefits:
Continuity of operations
Increased responsiveness
Secure, reliable, and manageable access to information
Cost-effective integration of data, voice, video, and applications
Increased employee productivity, satisfaction, and retention
Social benefits:
Increased employment opportunities for marginalized groups
Less travel and commuter related stress
Environmental benefits:
Reduced carbon footprints, both for individual workers and organizations
• Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions. The security of these connections depends on the service provider.
• IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet. (A less reliable means of connectivity using the Internet is a dialup connection.)
• The term broadband refers to advanced communications systems capable of providing high-speed transmission of services, such as data, voice, and video, over the Internet and other networks. Transmission is provided by a wide range of technologies, including digital subscriber line (DSL) and fiber-optic cable, coaxial cable, wireless technology, and satellite. The broadband service data transmission speeds typically exceed 200 kilobits per second (kb/s), or 200,000 bits per second, in at least one direction: downstream (from the Internet to the user’s computer) or upstream (from the user’s computer to the Internet).
To connect effectively to their organization’s networks, teleworkers need two key sets of components: home office components and corporate components. The option of adding IP telephony components is becoming more common as providers extend broadband service to more areas.
• Home Office Components – The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer. Additional components might include a wireless access point. When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, network, or broadband connection.
• Corporate Components – Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.
• Dialup access – An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option, and is typically used by mobile workers in areas where higher speed connection options are not available.
• DSL – Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet. DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
• Cable modem – Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television. A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.
• Satellite – Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.
Accessing the Internet through a cable network is a popular option used by teleworkers to access their enterprise network.
A cable network is capable of transmitting signals on the cable in either direction at the same time. The following frequency scope is used:
• Downstream – The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). Transmission from source to destination is called the forward path. Downstream frequencies are in the range of 50 to 860 megahertz (MHz).
• Upstream – The direction of the RF signal transmission from subscribers to the headend, or the return or reverse path. Upstream frequencies are in the range of 5 to 42 MHz.
The Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs, a non-profit research and development consortium for cable-related technologies.
DOCSIS defines the communications and operation support interface requirements for a data-over-cable system, and permits the addition of high-speed data transfer to an existing CATV system.
DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:
• Physical layer – For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques (the way to use the RF signal to convey digital data).
• MAC layer – Defines a deterministic access method, time-division multiple access (TDMA) or synchronous code division multiple access method (S-CDMA).
Frequency-division multiple access (FDMA) divides access by frequency.
Code division multiple access (CDMA) employs spread-spectrum technology and a special coding scheme in which each transmitter is assigned a specific code.
Two types of equipment are required to send digital modem signals upstream and downstream on a cable system:
• Cable modem termination system (CMTS) at the headend of the cable operator
• Cable modem (CM) on the subscriber end
DSL is a means of providing high-speed connections over installed copper wires.
• Uses high transmission frequencies (up to 1 MHz)
• Technology for delivering high bandwidth over regular copper lines
• Connection between subscriber and CO
ADSL provides higher downstream bandwidth to the user than upload bandwidth. SDSL provides the same capacity in both directions.
The connection is set up between a pair of modems on either end of a copper wire that extends between the customer premises equipment (CPE) and the DSL access multiplexer (DSLAM). A DSLAM is the device located at the central office (CO) of the provider and concentrates connections from multiple DSL subscribers.
• Transceiver – Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.
• DSLAM – Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby, to the Internet.
• A key feature of ADSL is coexistence with POTS.
• Transmission of voice and data signals is performed on the same wire pair.
• Data circuits are offloaded from the voice switch.
There are two ways to separate ADSL from voice at the customer premises: using a microfilter or using a splitter.
A microfilter is a passive low-pass filter with two ends. One end connects to the telephone, and the other end connects to the telephone wall jack.
POTS splitters separate the DSL traffic from the POTS traffic. The POTS splitter is a passive device. In the event of a power failure, the voice traffic still travels to the voice switch in the CO of the carrier. Splitters are located at the CO and, in some deployments, at the customer premises.
A hotspot is the area covered by one or more interconnected access points. Public gathering places, like coffee shops, parks, and libraries, have created Wi-Fi hotspots, hoping to increase business. By overlapping access points, hotspots can cover many square miles.
WiMAX (Worldwide Interoperability for Microwave Access) is telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access. WiMAX operates at higher speeds, over greater distances, and for a greater number of users than Wi-Fi. Because of its higher speed (bandwidth) and falling component prices, it is predicted that WiMAX will soon supplant municipal mesh networks for wireless deployments.
A WiMAX network consists of two main components:
• A tower that is similar in concept to a cellular telephone tower. A single WiMAX tower can provide coverage to an area as large as 3,000 square miles, or almost 7,500 square kilometers.
• A WiMAX receiver that is similar in size and shape to a PCMCIA card, or built into a laptop or other wireless device.
There are three ways to connect to the Internet using satellites: one-way multicast, one-way terrestrial return, and two-way.
• One-way multicast satellite Internet systems are used for IP multicast-based data, audio, and video distribution. Even though most IP protocols require two-way communication, for Internet content, including web pages, one-way satellite-based Internet services can be “pushed” pages to local storage at end-user sites by satellite Internet. Full interactivity is not possible.
• One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite.
• Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet. The satellite dish at each location needs precise positioning to avoid interference with other satellites.
Organizations use VPNs to provide a virtual WAN infrastructure that connects branch offices, home offices, business partner sites, and remote telecommuters to all or portions of their corporate network.
Virtual: information within a private network is transported over a public network.
Private: The traffic is encrypted to keep the data confidential.
Organizations using VPNs benefit from increased flexibility and productivity. Remote sites and teleworkers can connect securely to the corporate network from almost any place. Data on a VPN is encrypted and undecipherable to anyone not entitled to have it.
Consider these benefits when using VPNs:
• Cost savings – Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.
• Security – Advanced encryption and authentication protocols protect data from unauthorized access.
• Scalability – VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.
The key to VPN effectiveness is security. VPNs secure data by encapsulating or encrypting the data. Most VPNs can do both.
• Encapsulation is also referred to as tunneling, because encapsulation transmits data transparently from network to network through a shared network infrastructure.
• Encryption codes data into a different format using a secret key. Decryption decodes encrypted data into the original unencrypted format.
VPNs use advanced encryption techniques and tunneling to permit organizations to establish secure, end-to-end, private network connections over the Internet.
• Data confidentiality – A common security concern is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.
• Data integrity – Receivers have no control over the path the data has traveled and therefore do not know if the data has been seen or handled while it journeyed across the Internet. There is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal that guarantees that no one has read the content, but it is more robust. Hashes are explained in the next topic.
• Authentication – Authentication ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.
Some of the more common encryption algorithms and the length of keys they use are as follows:
• Data Encryption Standard (DES) algorithm – Developed by IBM, DES uses a 56-bit key, ensuring high-performance encryption. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below.
• Triple DES (3DES) algorithm – A newer variant of DES that encrypts with one key, decrypts with another different key, and then encrypts one final time with another key. 3DES provides significantly more strength to the encryption process.
• Advanced Encryption Standard (AES) – The National Institute of Standards and Technology (NIST) adopted AES to replace the existing DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
• Rivest, Shamir, and Adleman (RSA) – An asymmetrical key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger.
Symmetric Encryption
Encryption algorithms such as DES and 3DES require a shared secret key to perform encryption and decryption. Each of the two computers must know the key to decode the information. With symmetric key encryption, also called secret key encryption, each computer encrypts the information before sending it over the network to the other computer.
Asymmetric Encryption
Asymmetric encryption uses different keys for encryption and decryption. Knowing one of the keys does not allow a hacker to deduce the second key and decode the information. One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.
IPsec is protocol suite for securing IP communications which provides encryption, integrity, and authentication. IPsec spells out the messaging necessary to secure VPN communications, but relies on existing algorithms.
There are two main IPsec framework protocols.
• Authentication Header (AH) – Use when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies that any message passed from R1 to R2 has not been modified during transit. It also verifies that the origin of the data was either R1 or R2. AH does not provide data confidentiality (encryption) of packets. Used alone, the AH protocol provides weak protection. Consequently, it is used with the ESP protocol to provide data encryption and tamper-aware security features.
• Encapsulating Security Payload (ESP) – Provides confidentiality and authentication by encrypting the IP packet. IP packet encryption conceals the data and the identities of the source and destination. ESP authenticates the inner IP packet and ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected.
