Network Services—VPN and VoIP

Chapter 11

Knowledge Concepts

Understanding VPN technology Getting a grip on encryption The business application of VoIP and VPNs How VoIP works

Important Terms

VPN RADIUS Authentication Provisioned Encryption PPTP, L2TP,IPSec Firewall Proxy server PKI DES Symmetric and asymmetric encryption VoIP H.323, SIP, LDAP

Tunneling with a VPN

Why VPNs?

Improves ability to communicate outside of a company

Enables secure access Provides rapid provisioning of capacity as

needed

How Remote Access Via a VPN Works

VPN Characteristics

Logical network Isolates customer traffic on shared provider facilities Looks like a private network Runs on either packet switched data network or circuit-

switched public network Can be deployed over a wide range of network

technologies Uses shared carrier infrastructure

Deployment Models

Customer-based– Carriers install gateways, routers and hardware on

customer premises– Customer manages security

Network-based– Carrier houses all equipment at POP near customer

location

VPN Frameworks

Internet based– Small ISPs provide local access services in a region– Business users get end-to-end services from a variety of

suppliers– Encryption used to isolate traffic and provide security– Customer provides servers wit applications/content– A RADIUS server is used to authenticate traffic for access to

application/Content servers– RADIUS server is connected to a firewall

Provisioned VPNs

Packet-switched VPN that runs across ISP backbone using Frame Relay or ATM

Supports multiple protocols Provisioned services improve performance by

enabling guarantees of service (QoS)

VPN Applications

VPN is an architecture tied together and calibrated

Goals are to manage security and deliver applications with minimal latency

Save money by– Substituting leased lines for Internet connectivity– Reducing dial up costs

3 Major VPN Applications

Intranets– Sit-to-site connections

Remote Access– Remote workers and outside customers– Eliminates modems & remote access routers

Extranets– Suppliers have specific access

VPN Gateway Functions

Maintenance of a secure logical connection as a tunnel

Tunneling is encapsulation of a data packet within an IP packet

Remote ends of tunnel can be at edges of ISP or corporate boundary router

Traffic is routed as encyrpted

Key Tunneling Protocols

PPTP—Layer 2 in MS products L2TP –used by ISPs on backbone IPSec –covers encryption at 168 bit and

authenticated both ends of tunnel connection – Works only in IP environment

VPN Security

Firewalls are used to control policies for data exchange between 2 networks

Routers can act as a firewall by managing packet traffic (filter) Proxy servers used to separate internal network from public

services Authentication provided by RADIUS servers

– Uses CHAP (Challenge Handshake Authentication Protocol) to authenticate

– Tokens issued with user password to server to verify user access

– New tokens generated each time a user connects

Basic Encryption TerminologyPlaintext (aka cleartext): original,

readable dataCiphertext: scrambled form of plaintextEncryption: reversible conversion of

plaintext into ciphertextDecryption: conversion of ciphertext

back into plaintextCrack (aka break) code: decrypt

ciphertext without knowing key

Basic Encryption Terminology (cont’d)

Key: secret allowing encryption and decryption to be restricted to possessors of key

Symmetric encryption: encryption requiring a shared key for both encryption and decryption

Asymmetric encryption: algorithm using a different key for decryption than for encryption

Encryption

Encoding plain text data to hide contents with cipher text Symmetric

– Sender and receiver use same key– Popular algorithms: DES, Triple DES, Blowfish

Asymmetric (PKI)– Different keys with one key held publicly– Verifies message through hashing (MD5)– Types of public keys are RSA, Diffie-Hellman, PGP– PKI uses digital certificates to authenticate users and encrypt

data– Verisign and Entrust

US Digital Signature Law

USA: 15 USC §7006 Title 15: Commerce and Trade

– Chapter 96: Electronic Signatures in Global and National Commerce

Based on S.761 (Sponsor Sens Abraham & Spencer)– Introduced 1999-003-25– Came into force 2000-06-30– See Legal Information Institute entry at

http://www4.law.cornell.edu/uscode/15/ch96.html#PC96

Electronic Payments

Credit card transactions Digital cash Micropayments

Credit Card Transactions

No documented case of interception of credit-card data while in transit through the Internet

– Most sites use Secure Sockets Layer (SSL)– Credit-card information theft has occurred from servers– All sensitive data on Web servers should be encrypted

Safety of allowing a merchant to use credit-card information depends on the merchant

– No worse to give info to reputable firm via Web than to clerk who takes card away from view

Credit Cards & Escrow

Allow buyer to register credit-card data with reputable firm– Merchant receives payment from escrow service– Escrow service bills client credit card– Insulates buyer from seller

Examples:– VeriSign Cybercash http://www.cybercash.com– Escrow.com http://www.escrow.com (for domain name sales)– Beseen BuyIt Button http://buyit.beseen.com– Tradenable http://www.tradenable.com– PayPal www.paypal.com

Digital Cash

All credit-card transactions result in electronic audit trail

Digital cash (aka e-cash) removes trail– Load a device with credits– Use device for transactions to transfer credits

Requires device that can prevent– Counterfeiting (loading credits fraudulently)– Theft (removing credits fraudulently)

Digital Cash (cont’d)Mechanisms depend on smart cards

– Devices size of credit card– Include microprocessor, RAM, power– Programmed with cryptographic tools to prevent

unauthorized modification of contents– Interface allows merchant to deduct or refund

creditsExamples include

– eCash http://www.digiscash.com– E-Cash Services http://www.ecashservices.com

Expensive Leased Lines

VPN Access as an Intranet

VPNs and Business

Before a VPN—Point-to-Point

After a VPN—Tunneled

Encryption and VPNs

Evaluating a VPN Solution

VoIP

Not yet a big player with less than 5% of market

Cost savings, enhanced voice services and new applications major advantages

VoIP gateways bridge circuit-switched PSTN and packet-switched Internet– Gateways packetize, and compress voice, route

packets, authenticate users, and manage network of gateways

VoIP Hardware

Enterprise gateway– Deployed between PBX and WAN device (router) for call set-

up,routing, and conversion VoIP routers

– Voice cards perform packetization and compression functions in a router

IP PBX– Distributed telephony servers that operat ein packt-switched

mode ISP VoIP gateways

– Aggregate incoming traffic and routing

VoIP Infrastructure

VoIP Architecture

Implementing VoIP

VoIP Standards

H.323– Based on ISDN and limited to point-to-point applications

SIP– Application layer (signaling) protocol– Establishes temp sessions for multimedia conferences,

telephony, mobile phone-to-instant messaging LDAP

– Standard directory server technology for Internet– Enables retrieval of information from multi-vendor directories– Used for free phone and Internet phone number hosting

Important Figures

Figure 11.1 & 11.2 p.332-333 Figure 11.3 & 11.4 p. 334-335 Figure 11.5 p. 336 Figure 11.8 p. 339 Figure 11.10 p. 346 Figure 11.12 p. 358