VPN-Specific Boxes

Posted by admin in Viop article
12 11th, 2007

VPN-specific boxes are the recommended solution for high-volume, large networks. Several vendors offer these solutions in both hardware and software incarnations. The general rule is that hardware boxes will outperform software boxes and are theoretically more secure because they are based on proprietary technology that is harder to hack than publicly available operating systems. (A hardened Unix-based system is also extremely difficult to hack.) Traffic volume, feature support for remote terminals, and industry compatibility will guide your decision here. These boxes set up secure tunneling by using IPSec encryption and certificates as described previously. They are typically installed in parallel with your firewall. The firewall handles web (HTTP) requests, while the VPN box handles access to your internal database. Because we now have two “holes” into our network, it is imperative that we have the permissions and access rights set up correctly. The firewall should not let in users who are required to authenticate via the VPN box. The integrated solution that some vendors are offering is a custom box that does routing, firewall, and VPN all under one roof. This is an attractive option where traffic volume and performance are not going to be an issue.



Firewall-Based VPN

Posted by admin in Viop article
12 11th, 2007

The very same issues exist here as with routers. One needs to have compatible (preferably the same vendor’s) firewalls at each location. Mobile users or telecommuters must have compatible VPN software. Firewalls are always potential bottlenecks, so asking them to perform VPN encryption can adversely affect all other access to your network. Here again, there is no substitute for traffic analysis. We only recommend this solution for small networks where the traffic through the firewall can easily be handled by the firewall hardware.



Creating the VPN

Posted by admin in Viop article
12 10th, 2007

There are five ways to create a VPN:

  • Between desktops
  • Between routers
  • Between firewalls
  • Between VPN-specific boxes
  • With integrated boxes

Although not normally considered a VPN, one can certainly use desktop PCs to encrypt data and send it across the Internet securely. Additionally, software is available that runs on a desktop capable of creating a VPN to a firewall or stand-alone VPN device. Most VPN equipment vendors offer corresponding software that runs on a laptop or desktop in order to provide a secure path to the home office over the Internet. Most of the discussion then involves creating a VPN between business locations, branch offices, and road warriors.

Encryption
The first basic rule is that the more secure it is, the less convenient it is to use and the greater the negative impact it will have on overall system performance. The strength of an encryption mechanism is dependent upon the complexity of the calculation and the length of the key. The most popular mechanism for which hardware is readily available is Data Encryption Standard (DES), developed by IBM and now standardized. The basic key is 54 bits long. Triple DES involves simply running the algorithm with a 112-bit key. The question here is, as always, how secure do you need to be? The more secure, the larger the key used (or the more times the algorithm is run with different keys). This all takes time to encode and to decode. Much has been made lately of the fact that by using thousands of computers, a DES-encoded message could be broken in 39 days. Keep in mind that this is for one key. If we change keys, it would take the crackers and hackers another 39 days. Are they (hackers and competitors) motivated to do this? The method mentioned previously used the brute force attack of guessing keys. Changing keys often means that the attackers must start all over again. The other encryption standard (not widely supported) is International Data Encryption Algorithm (IDEA), which uses 128-bit keys.
The second basic rule is that encryption performed in hardware is much faster than in software.

Key Handling
A very important part (some say the most important) of an encryption system is the mechanism used to disseminate keys. Here again, security is the inverse of convenience. True, keys can be sent in a multi-encrypted file. They can also be sent by snail mail or given over the telephone (not very secure). The problem with this private key system is that both communicating parties must have the same key. If all locations are talking to the home office, they all must have the same key, or the central office must keep separate key pairs for each location. This key management nightmare can be handled in two ways. We could use the X.509 digital certificate system for key management. The other alternative is to use a public key system to encrypt the private key so that it can easily be exchanged.
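As an added example (not code from the original text), the public-key alternative above modelled with Diffie-Hellman key agreement, a public-key method that derives the shared key instead of encrypting and shipping it: the home office and each branch publish a public value, and the home office ends up with a separate session key per branch without any secret key going through the mail or over the telephone. The group parameters are the 2048-bit MODP group from RFC 3526 (group 14); the party names and the HMAC-based key derivation are assumptions made for this demo.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14): prime P and generator G.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
SECRET_BYTES = (P.bit_length() + 7) // 8


def valid_public_value(value):
    """Reject 0, 1 and P-1: a peer sending these forces a trivial shared secret."""
    return 1 < value < P - 1


class Party:
    """One VPN endpoint (home office or branch) holding a Diffie-Hellman key pair."""

    def __init__(self, name):
        self.name = name                               # demo label, e.g. "hq" or "dallas"
        self._priv = secrets.randbelow(P - 3) + 2      # private exponent, never leaves the box
        self.pub = pow(G, self._priv, P)               # public value, safe to send in the clear

    def session_key(self, peer_name, peer_pub):
        """Derive the symmetric key shared with one peer; every peer yields a different key."""
        if not valid_public_value(peer_pub):
            raise ValueError("rejected peer public value")
        shared = pow(peer_pub, self._priv, P).to_bytes(SECRET_BYTES, "big")
        # HMAC-based derivation bound to both endpoint names (sorted so both sides agree).
        label = "|".join(sorted([self.name, peer_name])).encode()
        return hmac.new(shared, label, hashlib.sha256).digest()


def establish_hub_keys(hub, branches):
    """Home office: one distinct key per branch, computed from that branch's public value."""
    return {branch.name: hub.session_key(branch.name, branch.pub) for branch in branches}


if __name__ == "__main__":
    hq = Party("hq")
    for name, key in establish_hub_keys(hq, [Party("dallas"), Party("taipei")]).items():
        print(name, key.hex())
```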



Goals

Posted by admin in Viop article
12 7th, 2007

The goal of any network is to support users in a flexible, reliable, secure, and inexpensive manner:

  • Network managers want the network to be flexible.
  • Users want the network to be reliable and secure.
  • Management wants the network to be inexpensive.

A balance of these often-competing goals can be achieved, provided a good dialog is maintained among the participants. It is an exercise left to the reader to select from the list those applications and users who are to be served. The network list indicates that these users and applications could be interconnected by any of these network technologies. As indicated previously, dedicated networks are expensive and rarely fit the need perfectly. Frame Relay and Asynchronous Transfer Mode (ATM) are shared network technologies that can be very cost effective, depending on the geography and traffic volume. Dial-up telephony can be a networking technology for highly mobile, low-volume users. Normally, we would like to have a backbone network with direct access for various users and dial-up remote access for infrequent users. We will discuss these alternatives in the following sections.

Shared Networks

The advantage of shared networks is that organizations do not have to incur the entire cost of the infrastructure. For that reason, Frame Relay has been extremely popular. Because it (like X.25 before it) is virtual circuit based, there is little concern about misdirected or intercepted traffic. Still, Frame Relay service is not universally available and access charges to a point-of-presence (POP) can be expensive. However, compared to the cost of dedicated networks, shared networks offer equivalent performance and a much lower cost.

Internet

The next logical step is to use the Internet as the private network. It is almost universally accessible, minimizing access charges. From our discussion of the Internet in Chapter 29, “Synchronous Optical Network (SONET),” two things are clear:

  • No one is watching the traffic or performance of the Net as a whole.
  • The path our data takes across the network is quite unpredictable.

This leads to the conclusion that performance will be unpredictable and that our precious corporate data may pass through a router on the campus of “Den-of-Hackers University.” (It is not the intent here to malign university students, but only to offer the observation that they are bright, curious, love a challenge, and may have time on their hands and access opportunity to do a little extracurricular research on the vulnerability of data on the Internet.) There are then two problems: performance and security.

Performance

The performance issue poses the problem of sizing the bandwidth on each link, which becomes a major task as the network grows. Unfortunately, few network managers have a good handle on the amount of traffic flowing between any given pair of locations. Typically, they are too busy handling moves and additions to the network, which frequently leads to performance problems. Because the network grew without the benefit of a design plan, invariably, it means that portions of the network, including servers, become overloaded.

A dedicated line network is expensive, requires maintenance, and necessitates a backup plan should a line or two fail. Using a shared network does not alleviate the problem of traffic analysis. On the contrary, we now have to worry about the capability of the Internet to provide the bandwidth we need when we need it. Selecting our ISP to provide the performance we need becomes an important issue.

Outsourcing

One solution is to outsource the network to a network provider (the analogy to a voice VPN here is strong). The most popular previous solution was to lease Frame Relay service. The benefit was that the network provider took care of the management of the network and even provided levels of redundancy (for which you paid) within its network. Unfortunately, to make most efficient use of this service, one still needed to have a handle on traffic volumes. For example, a committed information rate (CIR) that was too low resulted in lost data and retransmission, while a CIR set too high was a waste of money.
A national or international carrier with its own Internet backbone then becomes a good choice as a VPN provider. One negotiates service level agreements (SLAs), which include quality of service (QoS) guarantees. Some ISPs even provide Virtual IP Routing (VIPR) in which they permit you to use internal, unregistered IP addresses. If one builds a completely independent, internal (intranet) network, one could use any set of IP addresses one might choose. This alternative is attractive to large corporations that are constrained to using class C addresses. If these private addresses were to get out onto the Internet, chaos would quickly ensue. VIPR permits the flexibility to continue to use this unregistered set of addresses transparently across the Internet. This is strongly analogous to having one’s own dialing plan on a voice VPN. There are many possibilities and choices here. We can outsource the whole network, including the VPN equipment on each site, or outsource pieces.
Standard Outsourcing Issues

A few points are worth making about outsourcing. One must take a realistic look at the task at hand:

  • If the internal staff possesses the capability to implement the VPN, do they have the time?
  • If you outsource the whole network, how permanent will the relationship be?
  • To what extent will the internal staff become involved in the design and maintenance of the VPN?

Choose your vendor carefully. Evaluate responsiveness in the areas of presale support, project management, and post-sale support. As in any procurement process, writing a system specification and Request for Proposal (RFP) is essential. Also, make up the evaluation criteria ahead of time. You may (or may not) choose to publish the evaluation criteria in the RFP. Select the vendor who is most responsive to your requirements. Here is a good opportunity for the vendor to do the traffic analysis so that a traffic baseline for design can be established. Always include growth in the RFP. Ongoing support will be critical. If the network spans multiple time zones, specify the minimum support requirements. For example, 9 A.M. to 5 P.M. CST is of little use to offices located in Taiwan. What training is offered as part of the package? The more knowledgeable the internal staff can be, the better they will be able to support the VPN — even when they are outsourcing support. It is important to have a coordinated security plan so that we have an integrated and consistent view across our firewalls, proxy servers, and VPN equipment.

Security

The basic concept of a VPN is to provide a secure, point-to-point connection across the network between communicating entities. A couple of questions about security are important to keep our paranoia in check. The first question is: how much security is enough? To answer that question, we must consider the impact on our business if the data we are sending is:

  • Simply lost. Is there a backup mechanism for sending or recovering the data?
  • Found by another business (not a competitor).
  • Found by a competitor.

In the last case, we must ask how much effort the competitor is willing to invest to get our data. The answers to these questions will help us decide how much security is enough. Note that in the foregoing example, one can equally substitute the word hacker for competitor.

What About Security Issues?

Turning to security, remote access to a system must have integral security to protect the network and users from unauthorized access and penetration. We have all heard about the teenaged hackers who have been creating havoc in the data processing and Internet business. These young hackers break into systems for the sheer pleasure of challenging the system and showing their prowess with the modem. And it works, because they do it every day. We, therefore, have to consider these issues before opening a door. We must start with techniques such as VPNs, encryption, authenticating servers, and secure firewalls. The key technologies that compose the security component of a VPN are:

  • Access control to guarantee the security of network connections
  • Encryption to protect the privacy of data
  • Authentication to verify the user’s identity as well as the integrity of the data
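The authentication-and-integrity item in the list above, shown as an added example (not code from the original text): the sender appends a keyed integrity tag to each packet, and the receiver drops any packet whose tag does not verify or whose sequence number has already been accepted, in the style of IPsec's anti-replay window. The key, the 64-packet window and the sample packets are constructed for this demo.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16      # integrity check value: HMAC-SHA256 truncated to 128 bits (demo choice)
WINDOW = 64       # how far behind the newest packet a late packet may still arrive


def protect(key, seq, payload):
    """Sender side: 32-bit sequence number + payload + keyed integrity tag."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag first, then applies an anti-replay window."""

    def __init__(self, key):
        self.key = key
        self.highest = 0      # highest sequence number accepted so far (0 = none yet)
        self.seen = 0         # bitmap: bit k set means sequence (highest - k) was accepted

    def accept(self, packet):
        """Return (payload, "ok"), or (None, reason) for anything that must be dropped."""
        if len(packet) < 4 + TAG_LEN:
            return None, "too short"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"          # forged, or modified in transit
        seq = struct.unpack("!I", body[:4])[0]
        if seq == 0:
            return None, "invalid sequence number"
        if seq > self.highest:              # newer than anything seen: slide the window
            shift = seq - self.highest
            self.seen = 1 if shift >= WINDOW else ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:                               # older: must be inside the window and not yet seen
            offset = self.highest - seq
            if offset >= WINDOW:
                return None, "too old"
            if (self.seen >> offset) & 1:
                return None, "replay"
            self.seen |= 1 << offset
        return body[4:], "ok"
```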

What Can We Do to Secure the Site?

Remote access users sitting in a distant site need to know how to use the system, so training is important. A company with salespersons who travel frequently would provide 800-number access. Hardware considerations vary, depending on what networking you’re using, the number of users, and whether the users need desktops or laptops at the remote location. Standardization is essential — you don’t want three or four different platforms, and you don’t want to have to support 47 varieties of software. We want to leave the variety of flavors to the ice cream manufacturers! Additionally, a firewall service will offer a bastion router capability to filter on the packet, the protocol, or the user ID and address. These systems will help to keep out unwanted guests. Firewalls can be in different places, as we will see. They can also be integrated or CPE solutions. Security must also be ensured while the data is in transit. Therefore, we need to use a form of encryption so that an eavesdropper cannot listen in on our data and intercept it. By using Internet Protocol Security (IPSec) techniques, we introduce up to five different forms of encryption and digital signatures. These will be sufficient to delay any access to the data, and by the time the code could be broken, the data will have little value.

Authentication is also a very effective tool that challenges the caller and requests a key-coded response. In a Security Dynamics environment, a challenge and response can be issued by default every 30 seconds, or at a user-variable interval, to effectively manage the logged-on users.

What Are the Risks?

The risks posed to data integrity and security take many forms. We usually think of data protection in terms of the corruption or total loss of data. However, other areas of concern may be the undetected interception of the data by hackers or crackers. Moreover, the inaccessibility of our data due to denial-of-service attacks has become more prevalent among the security issues facing the IT manager. Lastly, there are also issues of invasions on our LANs or WANs when a promiscuous device is attached to the network and picks off all data packets regardless of the addressee. These sniffers, as they are called, can capture all data packets from the network, usually undetected.

  • Hackers
  • Crackers
  • Salami attackers
  • Denial-of-service attacks
  • Sniffer
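The 30-second time-synchronous challenge/response described in the authentication paragraph above, as an added example (not the vendor's algorithm): a token and the authentication server share a seed provisioned out of band, the code changes every 30 seconds, and the server tolerates one step of clock drift but never accepts a code from a step at or before the last one it accepted, so a response captured by a sniffer is worthless. The seed, user name and timestamps are constructed for this demo; the code derivation follows the RFC 6238 time-based scheme.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30     # a new code every 30 seconds, the default interval mentioned in the text
DIGITS = 6


def token_code(seed, counter):
    """Code for one time step: HMAC over the step counter, dynamically truncated to DIGITS digits."""
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


def current_code(seed, now=None):
    """What the user's token displays now (or at the given Unix time, for testing)."""
    now = time.time() if now is None else now
    return token_code(seed, int(now // STEP_SECONDS))


class TokenServer:
    """Authentication server: holds each user's seed, allows one step of clock drift,
    and refuses any code from a step at or before the last one it accepted."""

    def __init__(self, seeds, drift_steps=1):
        self.seeds = seeds              # user -> seed, provisioned out of band
        self.drift = drift_steps
        self.last_step = {}             # user -> last step counter accepted

    def verify(self, user, code, now=None):
        now = time.time() if now is None else now
        seed = self.seeds.get(user)
        if seed is None:
            return False                # unknown user: same answer as a wrong code
        step = int(now // STEP_SECONDS)
        for counter in range(step - self.drift, step + self.drift + 1):
            if hmac.compare_digest(token_code(seed, counter).encode(), str(code).encode()):
                if counter <= self.last_step.get(user, -1):
                    return False        # already used: a captured response does not replay
                self.last_step[user] = counter
                return True
        return False
```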