Viop phone - Voice Over IP

The layman’s version (don’t try this at home because it won’t work as described here) is that each of us thinks up a couple of prime numbers (the bigger the better). One number we keep for ourselves and the other number we publish on our web site along with the product of the two prime numbers as our public key. Anyone wanting to send us something will use the public key to encrypt it with the public key, and only we can decrypt the message with our private key. We can authenticate the source if the sender used his private key to encrypt his signature because only his public key will decrypt his signature.

This system is secure because of the tremendous amount of processing power it takes to factor large prime numbers. (For example, if we could factor the product, we could determine the private key.) Unfortunately, performing the encryption and decryption are also processor intensive (slow). But it sure solves the key distribution problem. Therefore, we could use public key cryptography to
encrypt and distribute the keys to all our VPN boxes.
Authentication
Authentication is the process of verifying that this is the party to whom I am speaking, and that they have authorized access. There are several ways of doing this; however, the most common way is to provide an authentication server that passes out authenticated certificates based on something the user has or knows. User Level Authentication The user has or knows his/her account code (name) and password. User names are public, and passwords can be compromised. A more secure system is to use a type of secure ID card. These credit card sized devices are based on an internal clock that generates a different pseudo random code every minute. The authentication server is time synchronized with the card and therefore generates the same number at the same time. When the user calls in, he/she must enter his/her account code and the code from the card as the password. The IP has embedded in it a set of layer 2 protocols called the Point−to−Point Protocol (PPP). In PPP, the basic security methods used are Password Authentication Procedure (PAP) and the
Challenge Handshake Authentication Protocol (CHAP). PAP and CHAP do little for security. In fact, PAP and CHAP are part of the basic PPP protocol suite and fall short in providing a true security procedure. These schemes do not address issues of ironclad authentication and integrity, oreavesdropping. The PAP and CHAP are rudimentary procedures used to log on to a network, but
hackers and crackers easily defeat both.

Tunnel Protocol (L2TP) is another variation of an IP encapsulation protocol as shown in Figure 4−6. An L2TP tunnel is created by encapsulating an L2TP frame inside a UDP packet, which in turn is encapsulated inside an IP packet, whose source and destination addresses define the tunnel’s ends. Because the outer encapsulating protocol is IP, clearly IPSec protocols can be applied to this composite IP packet, thus protecting the data that flows within the L2TP tunnel. Authentication Header (AH), Encapsulated Security Payload (ESP), and Internet Security Association and Key Management Protocol (ISAKMP) can all be applied in a straightforward way.

L2TPs are an excellent way of providing cost−effective remote access, multiprotocol transport, and remote LAN access. It does not provide cryptographic robust security. L2TP should, therefore, be used in conjunction with IPSec for providing secure remote access. L2TP supports both host−created and ISP−created tunnels. A remote host that implements L2TP should use IPSec to protect any protocol that can be carried within a PPP packet. Integrated at the VPN point of access, user authentication establishes the identity of the person using the VPN node, and this is because an encrypted session is established between the two locations. The user authentication mechanism enables the authorized user of the VPN system access to the system, while preventing the attacker from accessing the system. Some of the common user authentication schemes are

• Operating system username/password
• S/Key (one time) password
• Remote Authentication Dial−In User Service (RADIUS)
• Strong two−factor token−based scheme

The strongest user authentication schemes available on the market are two−factor authentication schemes. These require two elements to verify a user’s identity: a physical element in their possession (a hardware electronic token), and a code that is memorized (a PIN). Some cutting−edge solutions are beginning to use biometrics mechanisms such as fingerprints, voiceprints, and retinal scans. However, these are still relatively unproven. When evaluating VPN solutions, it is important to consider a solution that has both data authentication and user authentication mechanisms. Currently, there are VPN viop solutions that provide only one form of authentication.
Because of this, VPN solution providers that only support one of the two authentication mechanisms will typically refer to authentication generically, without qualification of whether they support data authentication, user authentication, or both. A complete VPN solution will support both data authentication (also known as the digital signature process or data integrity) as well as user authentication (the process of verifying VPN user identity).

Packet Level Authentication The IPSec standard provides for packet level authentication to prevent man−in−the−middle attacks. (This is where someone intercepts your packets and substitutes his/her own.) IPSec is a layer 3 protocol that enhances the use of the layer 2 underlying checksum is calculated and encrypted with the data. If the checksum calculated by the recipient doesn’t match the one sent by the originator, someone has tampered with the data. The IPSec standard specifies two different algorithms for doing this MD−5 and SHA−1. If your vendor’s equipment supports both algorithms, it improves the chances for intervendor compatibility. The other alternative is to simply not use packet level authentication. In order to guarantee authenticity of the packets, a digital signature is required to authenticate the devices to one another. IPSec has included the X.509 digital certificate standard. Essentially, the X.509 certificate server keeps a list of certificates for each user. When you want to receive data from another device, you first ask for the certificate from the certificate server. The sender stamps all data with that certificate. Because this process is secure, you may be sure that these packets are
authentic. Your vendor then ideally supports both authentication algorithms and X.509. In any case, it is essential that someone in your organization understands in detail how each vendor supports the various levels of security that you intend to use. These authentication and encryption systems all have to work together flawlessly. If the vendors you choose stick to the standards, it improves the chances of, but does not guarantee, an integrated working environment.

IPSec offers a variety of advantages. Chief among those are

• IPSec is widely supported by the industry including Cisco, Microsoft, Nortel Networks, and so on.
• This universal presence ensures interoperability and availability of secure solutions for all types of end users. In addition, all IPSec−compliant products from different vendors are required to be compatible.
• IPSec provides for transparent security, irrespective of the applica−tions used.
• IPSec is not limited to operating system−specific solutions. It will be ubiquitous with IP. It will also be a mandatory part of the forthcoming Internet Protocol Version 6 (IPv6) standard.
• IPSec offers a variety of strong encryption standards. The key design decision to support an open architecture allows for easy adaptability of newer, stronger cryptographic algorithms.
• IPSec includes a secure key−management solution with digital certificate support. IPSec guarantees the ease of management and use. This reduces deployment costs in large−scale corporate networks

IPSec used in conjunction with L2TP provides secure remote−access client−to−server communication. L2TP alone cannot provide for a totally secure communication channel due to its failure to provide per packet integrity, inability to encrypt the user datagram, and the limited security coverage only at the ends of the established tunnel. The major drawback to packet−filtering techniques is that they require access to clear text, both in packet headers and in the packet payloads.
There are two major drafts in IPSec: AH and ESP. They are defined as follows:

• AH is used to provide connectionless integrity and data origin authentication for an entire IP datagram (hereafter referred to as authentication).
• ESP provides authentication and encryption for IP datagrams with the encryption algorithm determined by the user. In ESP authentication, the actual message digest is now inserted at the end of the packet (whereas in AH the digest is inside the authentication).

AH provides data integrity only and ESP, formerly encryption only, now provides both encryption and data integrity. The difference between AH data integrity and ESP data integrity is the scope of the data being authenticated. AH authenticates the entire packet, while ESP doesn’t authenticate the outer IP header. In ESP authentication, the actual message digest is now inserted at the end of the packet, whereas in AH the digest is inside the authentication header. The IPSec standard dictates that prior to any data transfer occurring, a Security Association (SA) must be negotiated between the two VPN nodes (gateways or clients). The SA contains all the information required for execution of various network security services such as the IP layer services (header authentication and payload encapsulation), transport or application layer services, and self−protection of negotiation traffic. These formats provide a consistent framework for transferring key and authentication data that is independent of the key generation technique, encryption algorithm, and authentication mechanism. One of the major benefits of the IPSec efforts is that the standardized packet structure and security association within the IPSec standard will facilitate third−party VPN solutions that interoperate at the data transmission level. However, it does not provide an automatic mechanism to exchange the encryption and data authentication keys needed to establish the encrypted session, which introduces the second major benefit of the IPSec standard: key management infrastructure or Public Key Infrastructure (PKI).
The IPSec working group is in the development and adoption stages of a standardized key management mechanism that enables safe and secure negotiation, distribution, and storage of encryption and authentication keys. A standardized packet structure and key management mechanism will facilitate fully interoperable third−party VPN solutions. Other VPN technologies that are being proposed or implemented as alternatives to the IPSec standard are not true IP security standards at all. Instead, they are encapsulation protocols that tunnel higher level protocols into a link layer protocols. When encryption is applied, some or all of the information needed by the packet filters may no longer be available.

read comments (0)

The goal of any network is to support users in a flexible, reliable, secure, and inexpensive manner:

• Network managers want the network to be flexible.
• Users want the network to be reliable and secure.
• Management wants the network to be inexpensive.

A balance of these often−competing goals can be achieved, provided a good dialog is maintained among the participants. It is an exercise left to the reader to select from the list those applications and users who are to be served. The network list indicates that these users and applications could be interconnected by any of these network technologies. As indicated previously, dedicated networks are expensive and rarely fit the need perfectly. Frame Relay and Asynchronous Transfer Mode (ATM) are shared network technologies that can be very cost effective, depending on the geography and traffic volume. Dial−up telephony can be a networking technology for highly mobile, low−volume users. Normally, we would like to have a backbone network with direct access for various users and dial−up remote access for infrequent users. We will discuss these alternatives in the following sections.

Shared Networks

The advantage of shared networks is that organizations do not have to incur the entire cost of the infrastructure. For that reason, Frame Relay has been extremely popular. Because it (like X.25 before it) is virtual circuit based, there is little concern about misdirected or intercepted traffic. Still, Frame Relay service is not universally available and access charges to a point−of−presence (POP) can be expensive. However, compared to the cost of dedicated networks, shared networks offer equivalent performance and a much lower cost.

Internet

The next logical step is to use the Internet as the private network. It is almost universally accessible, minimizing access charges. From our discussion of the Internet in Chapter 29, “Synchronous Optical Network (SONET),” two things are clear

• No one is watching the traffic or performance of the Net as a whole.
• The path our data takes across the network is quite unpredictable.

This leads to the conclusion that performance will be unpredictable and that our precious corporate data may pass through a router on the campus of “Den−of−Hackers University.” (It is not the intent here to malign university students, but only to offer the observation that they are bright, curious, love a challenge, and may have time on their hands and access opportunity to do a little extra curricular research on the vulnerability of data on the Internet.) There are then two problems: performance and security.

Performance

The performance issue poses the problem of sizing the bandwidth on each link, which becomes a major task as the network grows. Unfortunately, few network managers have a good handle on the amount of traffic flowing between any given pair of locations. Typically, they are too busy handling moves and additions to the network, which frequently leads to performance problems. Because the network grew without the benefit of a design plan, invariably, it means that portions of the network, including servers, become overloaded.

A dedicated line network is expensive, requires maintenance, and necessitates a backup plan should a line or two fail. Using a shared network does not alleviate the problem of traffic analysis. On the contrary, we now have to worry about the capability of the Internet to provide the bandwidth we need when we need it. Selecting our ISP to provide the performance we need becomes an important issue.

Outsourcing

One solution is to outsource the network to a network provider (the analogy to a voice VPN here is strong). The most popular previous solution was to lease Frame Relay service. The benefit was that the network provider took care of the management of the network and even provided levels of redundancy (for which you paid) within its network. Unfortunately, to make most efficient use of this service, one still needed to have a handle on traffic volumes. For example, a committed information rate (CIR) that was too low resulted in lost data and retransmission, while a CIR set too high was a waste of money.
A national or international carrier with its own Internet backbone then becomes a good choice as a VPN provider. One negotiates service level agreements (SLA), which include quality of service (QoS) guarantees. Some ISPs even provide Virtual IP Routing (VIPR) in which they permit you to use internal, unregistered IP addresses. If one builds a completely independent, internal (intranet) network, one could use any set of IP addresses one might choose. This alternative is attractive to large corporations that are constrained to using class C addresses. If these private addresses were to get out onto the Internet, chaos would quickly ensue. VIPR permits the flexibility to continue to use this unregistered set of addresses transparently across the Internet. This is strongly analogous to having one’s own dialing
plan on a voice VPN. There are many possibilities and choices here. We can outsource the whole network, including the VPN equipment on each site, or outsource pieces.
Standard Outsourcing Issues A few points are worth making about outsourcing. One must take a realistic look at the task at hand:

• If the internal staff possesses the capability to implement the VPN, do they have the time?
• If you outsource the whole network, how permanent will the relationship be?
• To what extent will the internal staff become involved in the design and maintenance of the VPN?

Choose your vendor carefully. Evaluate responsiveness in the areas of presale support, project management, and post−sale support. As in any procurement process, writing a system specification and Request for Proposal (RFP) is essential. Also, make up the evaluation criteria ahead of time. You may (or may not) choose to publish the evaluation criteria in the RFP. Select the vendor who is most responsive to your requirements. Here is a good opportunity for the vendor to do the traffic analysis so that a traffic baseline for design can be established. Always include growth in the RFP. Ongoing support will be critical. If the network spans multiple time zones, specify the minimum support requirements. For example, 9 A.M. to 5 P.M. CST is of little use to offices located in Taiwan. What training is offered as part of the package? The more knowledgeable the internal staff can be, the better they will be able to support the VPN — even when they are outsourcing support. It is important to have a coordinated security plan so that we have an integrated and consistent view across our firewalls, proxy servers, and VPN equipment

Security

The basic concept of a VPN is to provide a secure, point−to−point connection across the network between communicating entities. A couple of questions about security are important to keep our paranoia in check. The first question is how much security is enough? To answer that question, wemust consider the impact on our business if the data we are sending is

• Simply lost. Is there a backup mechanism for sending or recovering the data?
• Found by another business (not a competitor).
• Found by a competito

In the last case, we must ask how much effort is the competitor willing to invest to get our data? The answer to these questions will help us decided how much security is enough. Note that in the foregoing example, one can equally substitute the word hacker for competitor. What About Security Issues? Turning to security, remote access to a system must have integral security to protect the network and users from unauthorized access and penetration. We have all heard about the teenaged hackers who have been creating havoc in the data processing and Internet business. These young hackers break into systems for the sheer pleasure of challenging the system and showing their prowess with the modem. And it works, because they do it every day. We, therefore, have to consider these issues before opening a door. We must start with different techniques such as VPNs, encryption, authenticating servers, and secure firewalls. The key technologies that compose the security component of a VPN are

• Access control to guarantee the security of network connections
• Encryption to protect the privacy of data
• Authentication to verify the user’s identity as well as the integrity of the data

What Can We Do to Secure the Site? Remote access users sitting in a distant site need to know how to use the system, so training is important. A company with salespersons who travel frequently would provide 800 number access. Hardware considerations vary, depending on what networking you’re using, the number of users, and whether the users need desktops or laptops at the remote location. Standardization is essential — you don’t want three or four different platforms, and you don’t want to have to support 47 varieties of software. We want to leave the variety of flavors to the ice cream manufacturers! Additionally, a firewall service will offer a bastion router capability to filter the packet, the protocol, or the user id and address. These systems will help to keep out unwanted guests. Firewalls can be in different places, as we will see. They can also be integrated or CPE solutions. Security must also be ensured while the data is in transit. Therefore, we need to use a form of encryption so that an eavesdropper cannot listen in on our data and intercept it. By using Internet Protocol Security (IPSec) techniques, we introduce up to five different forms of encryption and digital signatures. These will be sufficient to delay any access to the data and by the time the code could be broken, the data will have little value.
Authentication is also a very effective tool that challenges the caller and requests a key−coded response. In a security dynamics environment, a challenge and response can be issued by default every 30 seconds or user variable to effectively manage the logged−on users. What Are the Risks? The risks posed on data integrity and security take many forms. We usually think of data protection in terms of the corruption or total loss of data. However, other areas of concern may be from the undetected interception of the data by hackers or crackers. Moreover, the inaccessibility of our data from the denial of service attacks has become more prevalent in the security issues facing the IT manager. Lastly, there are also issues of invasions on our LANs or WANs when a promiscious device is attached to the network and picks off all data packets regardless of the addressee. These sniffers, as they are called, can capture all data packets from
the network, usually undetected.

• Hackers
• Crackers
• Salami attackers
• Denial−of−service attacks
• Sniffer

read comments (0)

In the local loop, the topological layout of the wires has traditionally been a single−wire pair or multiple pairs of wires strung to the customer’s location. Just how many pairs of wires are needed for the connection of a single line set to a telecommunications system and network? The answer (one pair) is obvious. However, other types of services, such as digital circuits and connections, require two pairs. The use of a single or dual pair of wires has been the norm. More recently, the local providers have been installing a four−pair (eight wires) connection to the customer location. The end user is now using separate voice lines, separate fax lines, and separate data communications hookups. Each of these requires a two−wire interface from the LEC. However, if a CATV provider has the technology installed, they can get a single coax (or fiber) to satisfy the voice, fax, data, and high−speed Internet access on a single interface, proving the convergence is rapidly occurring at the local loop. It is far less expensive to install a coax running all services (TV, voice, and data) than multiple pairs of wire, so the topology is a dedicated local connection of one or more pairs from the telephone provider to the customer location or a shared coax from the CATV supplier. This is called a star and/or shared star−bus configuration. The telephone company connection to the customer originates from a centralized point called a central office (CO). The provider at this point might be using a different topology. Either a star configuration to a hierarchy of other locations in the network layout or a ring can be used. The ring is becoming a far more prevalent method of connection for the local Telcos. Although we might also show the ring as a triangle, it is still a functional and logical ring. These star/ring or star/bus combinations constitute the bulk of the networking topologies today. Remember one fundamental fact: the telephone network was designed to carry analog electrical signals across a pair of wires to recreate a voice conversation at both ends. This network has been built to carry voice and does a reasonable job of doing so. Only recently have we been transmitting other forms of communication, such as fax, data, and video. The telephone switch (such as DMS−100 or #a5ESS) makes routing decisions based on some parameter, such as the digits dialed by the customer. These decisions are made very quickly and a cross−connection is made in logic. This means that the switch sets up a logical connection to another set of wires. Throughout this network, more or fewer connections are installed, depending on the anticipated calling patterns of the user population. Sometimes there are many connections among many offices  At other times, it can be simple with single connections. The telephone companies have begun to see a shift in their traffic over the past few years. More data traffic is being generated across the networks than ever before. As a matter of fact, 1996 marked the first year that as much data was carried on the network as voice. Since that time, data has continued its escalated growth pattern upwards of 30 percent, whereas voice has been stable at around a 4−percent growth.

read comments (0)