Quản trị mạng - Chapter 6: Teleworker Services

Components required to establish this VPN include: 1. An existing network with servers and workstations 2. A connection to the Internet 3. VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections 4. Appropriate software to create and manage VPN tunnels

pdf54 trang | Chia sẻ: nguyenlam99 | Lượt xem: 831 | Lượt tải: 0download
Bạn đang xem trước 20 trang tài liệu Quản trị mạng - Chapter 6: Teleworker Services, để xem tài liệu hoàn chỉnh bạn click vào nút DOWNLOAD ở trên
1Chapter 6 - Teleworker Services CCNA Exploration 4.0 Học viện mạng Bach Khoa - Website: www.bkacad.com 2 Introduction Học viện mạng Bach Khoa - Website: www.bkacad.com 3 Business Requirements for Teleworker Services Học viện mạng Bach Khoa - Website: www.bkacad.com 4 The Business Requirements for Teleworker Services • When designing network architectures that support a teleworking solution, designers must balance organizational requirements for security, infrastructure management, scalability, and affordability against the practical needs of teleworkers for ease of use, connection speeds, and reliability of service. Học viện mạng Bach Khoa - Website: www.bkacad.com 5 The Teleworker Solution • The term broadband refers to advanced communications systems capable of providing high-speed transmission of services, such as data, voice, and video, over the Internet and other networks. • Transmission is provided by a wide range of technologies, including digital subscriber line (DSL) and fiber-optic cable, coaxial cable, wireless technology, and satellite. Học viện mạng Bach Khoa - Website: www.bkacad.com 6 • Soon, voice over IP (VoIP) and videoconferencing components will become expected parts of the teleworkers toolkit. • Home Office Components - The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer. Additional components might include a wireless access point. When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, network, or broadband connection. • Corporate Components - Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections. The Teleworker Solution Học viện mạng Bach Khoa - Website: www.bkacad.com 7 Broadband Services Học viện mạng Bach Khoa - Website: www.bkacad.com 8 Connecting Teleworkers to the WAN • The choice of access network technology and the need to ensure suitable bandwidth are the first considerations to address when connecting teleworkers. Học viện mạng Bach Khoa - Website: www.bkacad.com 9 Connecting Teleworkers to the WAN Học viện mạng Bach Khoa - Website: www.bkacad.com 10 Cable Học viện mạng Bach Khoa - Website: www.bkacad.com 11 Cable Học viện mạng Bach Khoa - Website: www.bkacad.com 12 Cable Học viện mạng Bach Khoa - Website: www.bkacad.com 13 Cable • The Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs, a non-profit research and development consortium for cable-related technologies. • DOCSIS specifies the OSI Layer 1 and Layer 2 requirements: – Physical layer - For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques (the way to use the RF signal to convey digital data). – MAC layer - Defines a deterministic access method, time-division multiple access (TDMA) or synchronous code division multiple access method (S-CDMA). Học viện mạng Bach Khoa - Website: www.bkacad.com 14 Cable Học viện mạng Bach Khoa - Website: www.bkacad.com 15 Học viện mạng Bach Khoa - Website: www.bkacad.com 16 DSL • DSL is a means of providing high-speed connections over installed copper wires. • Several years ago, Bell Labs identified that a typical voice conversation over a local loop only required bandwidth of 300 Hz to 3 kHz. • Advances in technology allowed DSL to use the additional bandwidth from 3 kHz up to 1 MHz to deliver high-speed data services over ordinary copper lines. • The two basic types of DSL technologies are asymmetric (ADSL) and symmetric (SDSL). • The transfer rates are dependent on the actual length of the local loop, and the type and condition of its cabling. For satisfactory service, the loop must be less than 5.5 kilometers (3.5 miles). Học viện mạng Bach Khoa - Website: www.bkacad.com 17 DSL • The two key components are the DSL transceiver and the DSLAM: – Transceiver - Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use. – DSLAM - Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby, to the Internet. Học viện mạng Bach Khoa - Website: www.bkacad.com 18 DSL • The major benefit of ADSL is the ability to provide data services along with POTS voice services. • ADSL signals distort voice transmission and are split or filtered at the customer premises. There are two ways to separate ADSL from voice at the customer premises: using a microfilter or using a splitter. Học viện mạng Bach Khoa - Website: www.bkacad.com 19 DSL • A microfilter is a passive low-pass filter with two ends. One end connects to the telephone, and the other end connects to the telephone wall jack. This solution eliminates the need for a technician to visit the premises and allows the user to use any jack in the house for voice or ADSL service. Học viện mạng Bach Khoa - Website: www.bkacad.com 20 DSL • POTS splitters separate the DSL traffic from the POTS traffic. The POTS splitter is a passive device. In the event of a power failure, the voice traffic still travels to the voice switch in the CO of the carrier. • Splitters are located at the CO and, in some deployments, at the customer premises. At the CO, the POTS splitter separates the voice traffic, destined for POTS connections, and the data traffic destined for the DSLAM. Học viện mạng Bach Khoa - Website: www.bkacad.com 21 Broadband Wireless • Broadband access by ADSL or cable provides teleworkers with faster connections than dialup, but until recently, SOHO PCs had to connect to a modem or a router over a Cat 5 (Ethernet) cable. • Wireless networking, or Wi-Fi (wireless fidelity), has improved that situation, not only in the SOHO, but on enterprise campuses as well. • The benefits of Wi-Fi extend beyond not having to use or install wired network connections. Wireless networking provides mobility. Wireless connections provide increased flexibility and productivity to the teleworker. Học viện mạng Bach Khoa - Website: www.bkacad.com 22 Broadband Wireless • The significant limitation of wireless access has been the need to be within the local transmission range (typically less than 100 feet) of a wireless router or wireless access point that has a wired connection to the Internet. • The concept of hotspots has increased access to wireless connections across the world. A hotspot is the area covered by one or more interconnected access points. Học viện mạng Bach Khoa - Website: www.bkacad.com 23 Broadband Wireless • The figure shows a typical home deployment using a single wireless router. • This deployment uses the hub-and-spoke model. Học viện mạng Bach Khoa - Website: www.bkacad.com 24 Broadband Wireless • A mesh is a series of access points (radio transmitters) as shown in the figure. Each access point is in range and can communicate with at least two other access points. • A meshed network has several advantages over single router hotspots. – Installation is easier and can be less expensive because there are fewer wires. – Deployment over a large urban area is faster. From an operational point of view, it is more reliable. – If a node fails, others in the mesh compensate for it. Học viện mạng Bach Khoa - Website: www.bkacad.com 25 Broadband Wireless • WiMAX (Worldwide Interoperability for Microwave Access) is telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access. • A WiMAX network consists of two main components: – A tower that is similar in concept to a cellular telephone tower. A single WiMAX tower can provide coverage to an area as large as 3,000 square miles, or almost 7,500 square kilometers. – A WiMAX receiver that is similar in size and shape to a PCMCIA card, or built into a laptop or other wireless device. Học viện mạng Bach Khoa - Website: www.bkacad.com 26 Broadband Wireless • There are three ways to connect to the Internet using satellites: one-way multicast, one- way terrestrial return, and two-way. 1. One-way multicast satellite Internet systems are used for IP multicast-based data, audio, and video distribution. Even though most IP protocols require two-way communication, for Internet content, including web pages, one-way satellite-based Internet services can be "pushed" pages to local storage at end-user sites by satellite Internet. Full interactivity is not possible. 2. One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite. 3. Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet. The satellite dish at each location needs precise positioning to avoid interference with other satellites. • Satellite Internet services are used in locations where land-based Internet access is not available, or for temporary installations that are continually on the move. Học viện mạng Bach Khoa - Website: www.bkacad.com 27 Broadband Wireless • The most common standards are included in the IEEE 802.11 wireless local area network (WLAN) standard, which addresses the 5 GHz and 2.4 GHz public (unlicensed) spectrum bands. • The 802.11n standard is a proposed amendment that builds on the previous 802.11 standards by adding multiple-input multiple-output (MIMO). • The 802.16 (or WiMAX) standard allows transmissions up to 70 Mb/s, and has a range of up to 30 miles (50 km). It can operate in licensed or unlicensed bands of the spectrum from 2 to 6 GHz. Học viện mạng Bach Khoa - Website: www.bkacad.com 28 VPN Technology Học viện mạng Bach Khoa - Website: www.bkacad.com 29 • VPN technology enables organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security. VPNs and Their Benefits Học viện mạng Bach Khoa - Website: www.bkacad.com 30 VPNs and Their Benefits • Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure. • Consider these benefits when using VPNs: • Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. • Security - Advanced encryption and authentication protocols protect data from unauthorized access. Học viện mạng Bach Khoa - Website: www.bkacad.com 31 Types of VPNs • Organizations use site-to-site VPNs to connect dispersed locations in the same way as a leased line or Frame Relay connection is used. • Because most organizations now have Internet access, it makes sense to take advantage of the benefits of site-to-site VPNs. Học viện mạng Bach Khoa - Website: www.bkacad.com 32 Types of VPNs • Mobile users and telecommuters use remote access VPNs extensively. In the past, corporations supported remote users using dialup networks. This usually involved a toll call and incurring long distance charges to access the corporation. • In a remote-access VPN, each host typically has VPN client software. Học viện mạng Bach Khoa - Website: www.bkacad.com 33 VPN Components • Components required to establish this VPN include: 1. An existing network with servers and workstations 2. A connection to the Internet 3. VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections 4. Appropriate software to create and manage VPN tunnels Học viện mạng Bach Khoa - Website: www.bkacad.com 34 Characteristics of Secure VPNs • VPNs use advanced encryption techniques and tunneling to permit organizations to establish secure, end-to-end, private network connections over the Internet. Học viện mạng Bach Khoa - Website: www.bkacad.com 35 VPN Tunneling • Tunneling allows the use of public networks like the Internet to carry data for users as though the users had access to a private network. • Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network. Học viện mạng Bach Khoa - Website: www.bkacad.com 36 VPN Data Integrity • For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form. • VPN encryption rules include an algorithm and a key. An algorithm is a mathematical function that combines a message, text, digits, or all three with a key. The output is an unreadable cipher string. Học viện mạng Bach Khoa - Website: www.bkacad.com 37 VPN Data Integrity • Some of the more common encryption algorithms and the length of keys they use are as follows: – Data Encryption Standard (DES) algorithm – Triple DES (3DES) algorithm – Advanced Encryption Standard (AES) – Rivest, Shamir, and Adleman (RSA) Học viện mạng Bach Khoa - Website: www.bkacad.com 38 VPN Data Integrity • Hashes contribute to data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages. • A hash, also called a message digest, is a number generated from a string of text. • The hash is smaller than the text itself. It is generated using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. • There are two common HMAC algorithms: – Message Digest 5 (MD5) – Secure Hash Algorithm 1 (SHA-1) • There are two peer authentication methods: – Pre-shared key (PSK) – RSA signature Học viện mạng Bach Khoa - Website: www.bkacad.com 39 IPsec Security Protocols • IPsec is protocol suite for securing IP communications which provides encryption, integrity, and authentication. • There are two main IPsec framework protocols. – Authentication Header (AH) – Encapsulating Security Payload (ESP) Học viện mạng Bach Khoa - Website: www.bkacad.com 40 IPsec Security Protocols • Activity 6.3.7 Học viện mạng Bach Khoa - Website: www.bkacad.com 41 IPsec Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 42 IPsec Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 43 IPsec Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 44 IPsec Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 45 IPsec Security Protocols Học viện mạng Bach Khoa - Website: www.bkacad.com 46 Labs Học viện mạng Bach Khoa - Website: www.bkacad.com 47 Summary IKE1 • HNI(config)# crypto isakmp policy 10 hash md5 authentication pre-share encryption des group 1 • HNI(config)# crypto isakmp key cisco123 address 200.0.0.2 Học viện mạng Bach Khoa - Website: www.bkacad.com 48 IKE1 • HCM(config)# crypto isakmp policy 10 hash md5 authentication pre-share encryption des group 1 • HCM(config)# crypto isakmp key cisco123 address 100.0.0.1 Học viện mạng Bach Khoa - Website: www.bkacad.com 49 IPSec • HNI(config)#crypto ipsec transform-set HNI esp-3des esp-sha-hmac • HCM(config)#crypto ipsec transform-set HCM esp-3des esp-sha-hmac Học viện mạng Bach Khoa - Website: www.bkacad.com 50 CRYPTO MAP • HNI(config)# crypto map MYMAP 1 ipsec- isakmp set peer 200.0.0.2 set transform-set HNI match address 101 • HNI(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 • HNI(config)#interface f0/1 Crypto map MYMAP Học viện mạng Bach Khoa - Website: www.bkacad.com 51 CRYPTO MAP • HCM(config)# crypto map MYMAP 1 ipsec- isakmp set peer 100.0.0.1 set transform-set HCM match address 101 • HCM(config)# access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255 • HCM(config)#interface f0/1 Crypto map MYMAP Học viện mạng Bach Khoa - Website: www.bkacad.com 52 • R1(config)# crypto isakmp policy 1 hash md5 authentication pre-share encryption des group 1 • R1(config)# crypto isakmp key cisco123 address 200.0.2.1 • R1(config)#crypto ipsec transform-set R1 esp-3des esp-sha-hmac • R1(config)# crypto map MYMAP 1 ipsec-isakmp set peer 200.0.2.1 set transform-set R1 match address 101 • R1(config)# access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255 • R1(config)#interface f0/1 Crypto map MYMAP Học viện mạng Bach Khoa - Website: www.bkacad.com 53 • Show crypto isakmp sa • Show crypto ipsec sa Học viện mạng Bach Khoa - Website: www.bkacad.com 54

Các file đính kèm theo tài liệu này:

  • pdfccna_exp4_chapter06_teleworker_services_6129_2183.pdf
Tài liệu liên quan