Tuesday, December 23, 2008

Firewalls and Token IDs

Firewalls - Virus Protection
A firewall is a device or set of devices at carriers, enterprises, and homes that screens incoming and internal traffic to prevent hackers' access to files. Firewalls are designed to keep out hackers by allowing only designated users to access networks. In organizations' networks, firewall software is installed on routers and on remote access switches called VPN gateways. Organizations that use carriers' firewall protection have onsite firewall protection as well.
Firewalls use various techniques, including address filtering, which looks at a user's IP address and accepts or rejects messages based on that address. Important applications might contain their own firewalls for extra protection. Firewalls can also restrict communications to certain addresses. Newer firewalls can also filter by port. In addition, they can be programmed to recognize applications and content. Acting as an agent for applications and screening their traffic is referred to as intermediation or proxy-type functions.
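As an added illustration (not from the original post) of the address and port filtering just described, here is a small first-match, default-deny rule evaluator in Python, with a constructed policy and a review check for rules that an earlier rule already covers. All addresses, ports and rules are assumptions made up for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network     # address filtering on the sender
    dst: ipaddress.IPv4Network     # address filtering on the destination
    proto: Optional[str] = None    # "tcp", "udp", or None for any protocol
    dport: Optional[int] = None    # port filtering; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. No match means the packet is dropped:
    a default-deny stance, so only designated traffic gets through."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    matches everything they would match (a common policy-review check)."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                hidden.append(j)
                break
    return hidden


# Constructed example policy for an enterprise edge (all addresses are
# assumptions for the demo, not from the original text).
N = ipaddress.ip_network
ANY = N("0.0.0.0/0")
RULES = [
    # Designated remote users (the VPN gateway's address pool) may reach the mail server.
    Rule("allow", N("10.200.0.0/16"), N("10.1.1.10/32"), "tcp", 443),
    # Anyone on the Internet may reach the public web server, but only on port 443.
    Rule("allow", ANY, N("203.0.113.10/32"), "tcp", 443),
    # Laptops on the office LAN (internal traffic) may not talk to the database subnet.
    Rule("deny", N("10.50.0.0/16"), N("10.1.2.0/24")),
    # Application servers may reach the database subnet on the database port only.
    Rule("allow", N("10.1.1.0/24"), N("10.1.2.0/24"), "tcp", 5432),
]

if __name__ == "__main__":
    for pkt in [Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
                Packet("10.50.3.4", "10.1.2.5", "tcp", 5432)]:
        print(pkt, "->", decide(RULES, pkt))
    print("shadowed rules:", shadowed(RULES))
```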

Because employees use their laptops at home to surf the Web and then bring them into work, corporations monitor internal transmissions as well as communications from the Internet. The goal is to avoid contamination from these laptops.

Firewalls do not protect against viruses and other threats. Corporations often subscribe to security services that keep them posted about new software attacks, monitor their networks for unusual amounts or types of traffic, and download protection against new types of attacks.

Token ID Security - Identity Verification
Token identification, which adds a layer of user authentication on top of passwords, is used in most remote access services. Tokens are small devices that generate new six- to eight-digit numbers every 60 seconds. When prompted, users type in the token-generated number. These numbers are generated from a combination of factory-set matching numbers in the user's device and a central server, combined with the time. To be authenticated, the number the user types in must match the one generated by the central computer. RSA is the leading supplier of token IDs. If a person's password is stolen, the hacker will not be able to access the network unless he or she has the token as well as the password.
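The time-based code generation and server-side matching described above, as an added Python example that is not part of the original post and is not RSA's proprietary algorithm: it uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238) with the post's 60-second step and six digits. The seed is a constructed demo value, and the one-step clock-skew window and replay check are design choices assumed for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed. In a real deployment this is the factory-set value
# shared only by the token and the authentication server (assumption).
DEMO_SECRET = b"constructed-demo-seed-not-a-real-token-secret"
STEP_SECONDS = 60   # the post's 60-second rotation
DIGITS = 6          # the post's six- to eight-digit code


def code_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the time counter, dynamically truncated to `digits`
    decimal digits (the HOTP/TOTP construction of RFC 4226 / RFC 6238)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def token_code(secret: bytes, at_time: float, step: int = STEP_SECONDS,
               digits: int = DIGITS) -> str:
    """What the device shows: the code for the current 60-second step."""
    return code_for_counter(secret, int(at_time) // step, digits)


def verify(secret: bytes, submitted: str, at_time: float,
           last_counter: Optional[int] = None, step: int = STEP_SECONDS,
           digits: int = DIGITS, skew_steps: int = 1) -> Optional[int]:
    """Server-side check. Accepts the code for the current step or one step
    either side (clock drift between device and server), rejects any step at
    or before `last_counter` so a captured code cannot be replayed, and
    compares in constant time. Returns the accepted counter (store it as the
    new last_counter) or None."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(at_time) // step
    for delta in range(-skew_steps, skew_steps + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(code_for_counter(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = time.time()
    shown = token_code(DEMO_SECRET, now)
    print("device shows", shown, "-> accepted counter", verify(DEMO_SECRET, shown, now))
```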

Monday, December 22, 2008

SSL VPNs

The attraction of SSL VPN service is that the service works from within standard browsers on laptops, desktop computers, and personal digital assistants. This makes VPNs easier to use, with less administrative support required from IT staff. The business or commercial enterprise is not required to supply special software to each laptop computer used for remote access. The simplified login results in fewer user login errors.

SSL is a newer technology for VPNs; however, simplified access and improvements in SSL are expected to spur growth. Employees using SSL-type security can only access applications, such as email, that are supported by the SSL gear. Software in the SSL appliances is adapted to enable access to particular applications. An appliance is a specialized computer dedicated to a particular task. These appliances prompt users for their names, passwords, and (if used) token number. They apply encryption and a secure tunnel and allow or deny access to enterprise applications. They have other features such as scanning users' PCs and automatically downloading software patches to computers that do not have the latest security corrections loaded.

Because SSL is a higher-level security protocol, it has the benefit of allowing or denying access to particular applications based on privileges granted to classes of employees. As it is possible for remote computers to pass viruses to corporate networks, some SSL appliances have the capability to scan remote computers for antivirus software and operating systems with the latest security patches. Other appliances have the capability to wipe out passwords and corporate data from computers used for remote access. This eliminates the possibility of computers in public areas, such as kiosks, storing and passing on private information and passwords.

Friday, December 19, 2008

IPSec VPNs

Public Internet-Based VPNs for Intersite Connections
Some organizations save money by using the public Internet for VPN service rather than MPLS (Multi-Protocol Label Switching) VPN or frame relay service. Companies using the public Internet mix intracompany and public Internet traffic on the same access lines. They provide their own security, usually IPSec as described below, as well as firewalls and antivirus software. Alternatively, they contract with their carrier to manage their security devices, which are onsite or at the carriers' POPs.

While the public Internet does not guarantee speeds, companies are finding that providing a high-speed access line gives them adequate site-to-site service at a lower price than frame relay and MPLS VPNs. This is because many Internet backbone providers overbuilt their networks, expecting a larger increase in traffic than occurred. Moreover, the costs for T-1 and T-3 have been decreasing, making them affordable for many more organizations.

Network-Based IPSec VPNs - Over Carriers' Private IP Networks
These IPSec VPN-based services operate over carriers' private IP networks instead of the public Internet. The carrier provides security in its network. It encapsulates (creates tunnels around) packets routed between its points of presence (POPs).

** Both of these IPSec VPN-type offerings don't offer the classes of service for voice and video. In addition, they do not provide service level agreements with statistics on traffic levels and network reliability. Customers are responsible for monitoring traffic flows through their own routers.

IPSec VPNs for Remote Access
To support VPN remote access, IT staff distribute client software to each person's computer or laptop. Users click on the client software, a special program that contains IPSec security, to launch remote access. It can be used with dial-up or broadband access. A shortcoming is that employees can only access their e-mail when they have with them the computer on which the client software is installed. This service does not work at public computers such as those at airports or Internet cafes.

IPSec establishes a secure connection between the corporate local area network and the remote user by scrambling and tunneling the bits and hiding the IP header in each packet. This ensures privacy. Tunneling prevents hackers from learning corporate LAN IP addresses. To stop remote users from passing viruses from the Internet to corporate networks, the client software will often not function if there is an open connection to the Internet while the user is logged in remotely.

Thursday, December 18, 2008

Multiprotocol Label Switching (MPLS) VPNs - Everyone-to-Everyone Links

When customers sign up for MPLS VPN service they give their provider a list of the Internet protocol (IP) addresses associated with each site they want included in the VPN. The carrier uses this list to define a closed group of users allowed to communicate with each other using the VPN service.

Classes of Service - To Prioritize Particular Traffic
The customer chooses from a list of four or five classes of service. These classes of service are used to define the priority given to traffic for each class. For example, there may be two or three classes for data, one for voice, and another (the most expensive) for video. Voice and video have higher priorities than data. Some organizations use the lowest priced class of service for most data and higher-priced classes of service for database lookups. Often customers choose MPLS for its capability to treat voice differently than data. They initially use the network exclusively for data but plan to add voice traffic at a later time. Examples of voice traffic include:
• Worldwide voice mail functionality such as broadcasting lists made up of staff at diverse sites
• Audio conferences
• Sending call center traffic to remote sites based on time of day or staffing levels
• Transmitting voice calls between international and domestic sites
Electronic Tags on MPLS Packets

MPLS attaches electronic tags to packets. Routers read the tags and assign levels of priority. The tags also enable routers to forward packets more quickly because they don't have to look up addresses in tables for each packet.
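The "electronic tags" above are the MPLS shim headers (RFC 3032: a 20-bit label, 3 traffic-class/EXP bits, a bottom-of-stack bit and a TTL). As an added example that is not part of the original post, the Python below parses a label stack, maps the traffic-class bits to a class of service, and performs one label-swap hop from a forwarding table without any IP address lookup. The class-of-service mapping and the forwarding table are constructed assumptions for the demo; carriers define their own.

```python
import struct
from typing import Dict, List, Tuple


def parse_label_stack(data: bytes) -> Tuple[List[dict], bytes]:
    """Parse MPLS shim headers (RFC 3032 layout: 20-bit label, 3-bit
    traffic-class/EXP field, 1-bit bottom-of-stack flag, 8-bit TTL) until the
    bottom-of-stack bit is set. Returns the entries, top first, and the bytes
    that follow the stack (the encapsulated packet)."""
    entries = []
    offset = 0
    while True:
        if offset + 4 > len(data):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack("!I", data[offset:offset + 4])
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "bos": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["bos"]:
            return entries, data[offset:]


def build_entry(label: int, tc: int, bos: int, ttl: int) -> bytes:
    """Encode one shim header; range checks keep fields from bleeding into each other."""
    if not (0 <= label < (1 << 20) and 0 <= tc < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


# Constructed mapping from TC/EXP value to the post's classes of service
# (assumption: each carrier defines its own).
COS_BY_TC: Dict[int, str] = {0: "best-effort data", 1: "business data",
                             3: "database lookups", 5: "voice", 6: "video"}

# Constructed label forwarding table for one core router:
# incoming label -> (outgoing label, next hop). Assumption for the demo.
LFIB: Dict[int, Tuple[int, str]] = {100: (200, "pop-newyork"),
                                    101: (201, "pop-philadelphia")}


def forward(data: bytes, lfib=LFIB) -> Tuple[str, str, bytes]:
    """One label-switching hop: read the top tag, pick the queue from its TC
    bits, swap the label from the forwarding table and decrement the TTL. No
    IP address lookup is needed; the label alone selects the path.
    Returns (next_hop, class_of_service, rewritten_packet)."""
    entries, payload = parse_label_stack(data)
    top = entries[0]
    if top["ttl"] <= 1:
        raise ValueError("TTL expired; drop")
    if top["label"] not in lfib:
        raise ValueError("no forwarding entry; drop")
    out_label, next_hop = lfib[top["label"]]
    new_top = build_entry(out_label, top["tc"], top["bos"], top["ttl"] - 1)
    rest = b"".join(build_entry(e["label"], e["tc"], e["bos"], e["ttl"])
                    for e in entries[1:])
    return next_hop, COS_BY_TC.get(top["tc"], "unassigned"), new_top + rest + payload


if __name__ == "__main__":
    # Constructed two-label packet: transport label 100 over VPN label 7, voice class.
    pkt = build_entry(100, 5, 0, 64) + build_entry(7, 5, 1, 64) + b"<encapsulated IP packet>"
    hop, cos, out = forward(pkt)
    print(hop, cos, parse_label_stack(out)[0])
```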

Most carriers offer service level agreements (SLAs) for an additional fee in conjunction with MPLS VPNs. These agreements offer guarantees on issues like the following:

• Uptime, the percentage of time that the service operates
• Latency, the amount of delay in milliseconds between when packets are sent and when they are received; this is important for voice and video
• Restoral time per failure
• Packet loss
• Access line (the line from the customer to the carrier) uptime

Carriers that do not meet these SLAs generally give agreed-upon credits to customers.
Service Components

Customers that order MPLS use access lines between their network and the carrier. These lines are typically T-1, 1.54 Mbps or less. Most customers have a separate access line for MPLS traffic and a different line for their Internet traffic. They feel their MPLS traffic is from trusted sources at branches. The public Internet traffic requires higher levels of security.

They also specify the following:

• A port speed at the provider's point of presence, often lower than their access line speed, perhaps 1 Mbps
• A committed access rate (CAR), also referred to as committed data rate (CDR) or committed information rate (CIR). The bandwidth charge is the fee many carriers charge for guaranteeing a particular speed between the carrier's edge and the carrier's high-speed core network. Some carriers charge a higher rate for international traffic. These speeds vary from 64 kilobits to 44 megabits (T-3)
• Access charge for the circuit connecting the customer to the provider's network
• Bursting: they can send data at up to the speed of the port and access line they lease
• Service level agreements
• Classes of service; classes with a lower priority cost less than those with a higher priority (see above)

Managed Service - Provider Monitors Onsite Routers
Customers have the option of managing their own router or paying their provider to manage it. Carrier management of the router is referred to as managed service. With managed service, carriers monitor the router 24 hours per day, 7 days a week for service disruptions, denial of service attacks indicated by unusual traffic levels, and viruses. For medium-size companies, it may cost less to depend on a pool of specially trained provider technicians than to train and hire their own technical staff for these functions. As part of the service, carriers provide activity reports that track the level of traffic so that customers can ensure there is adequate capacity.

MPLS Advantages for Carriers - Revenue Sources and Administrative Efficiency
Carriers are eager to migrate customers to MPLS to save money on administration and as a platform for new services. Administratively, carriers have the capability to add classes of service for higher-priced voice and videoconferencing. These changes can be made in real time by programming the requested modifications. Making changes to frame relay service is more complex because each path between sites must be programmed separately. Other potential sources of revenue for carriers are hosting and access to hosted data storage (backup storage of customer files on the network).

However, carriers still have investments in asynchronous transfer mode (ATM) network infrastructure that is not fully depreciated. The transition to MPLS as the single network will take place gradually.

Tuesday, December 16, 2008

VPN Technology

Improvements in routing and security protocols and increased capacity in the Internet gave IP networks the capability to differentiate among types of corporate traffic and led to improvements in secure remote access. The following are newer VPN services carried on IP networks:

VPNs for Site-to-Site Communications Within Organizations:
• Multiprotocol label switching (MPLS) VPNs provide any site-to-any site connectivity. This is referred to as meshed service. MPLS service is more flexible to configure than frame relay and is more suitable for intersite voice traffic. MPLS VPN traffic is carried separately from public Internet traffic to guarantee levels of service.

• IP-VPNs carry site-to-site data communications over the public Internet, mixing Internet traffic with site-to-site email and other applications and protecting them with Internet protocol security (IPSec). IPSec creates a tunnel for each packet. The tunnel hides the destination IP address by surrounding it with a different address. IPSec also scrambles data by encrypting it.

Secure access on VPNs for Remote Access:
• Internet protocol security (IPSec) requires client software on computers. The IPSec protocol establishes a secure, encrypted link to a security device at the carrier or enterprise. This is referred to as tunneling.

• Secure socket layer (SSL) security is a newer VPN access method. Access is embedded in browsers, so organizations are not required to install special client software on each user's computer.

IP VPN and MPLS offerings enable carriers to migrate traffic to their existing IP networks rather than older networks designed to carry frame relay traffic.

Monday, December 15, 2008

VPNs for Remote Access

In many organizations, employees assume that they will have the tools to be as productive (or more productive) away from the office as in the office. Organizations frequently supply salespeople and other remote workers with laptop computers that enable them to work offsite. Employees remotely access e-mail messages, place orders, check order status, and check inventory levels from the road and from home computers (I know this is probably shocking news to you all!). With the growth of Voice over IP, some employees also receive phone calls directed to their office extensions on their laptops or PDAs.

Without a VPN, employees dial into remote access equipment consisting of modem banks at corporate headquarters to access e-mail or other applications, using toll-free numbers billed to the corporation. Organizations rack up thousands of dollars in toll-free charges. In addition, calls are frequently dropped and speeds are slow. Moreover, these dial-in remote access arrangements do not support cable or DSL modems.

VPNs enable staff at remote offices or home offices to gain access to the corporate intranet in the same manner they would if they were locally connected to its files. Extending VPNs to homes, telecommuters, and small offices may put access to sensitive information in facilities not as well protected as more traditional facilities. VPNs need to be designed and operated under well-thought-out security policies. Organizations using them must have clear security rules supported by top management. When access goes beyond traditional office facilities, where there may be no professional administrators, security must be maintained as transparently as possible to end users.

Some organizations with especially sensitive data, such as health care companies, even arrange for an employee's home to have two separate WAN connections: one for working on that employer's sensitive data and one for all other uses. More common is that bringing up the secure VPN cuts off Internet connectivity for any use except secure communications into the enterprise; Internet access is still possible but will go through enterprise access rather than that of the local user.

Friday, December 12, 2008

Rationale for VPNs

Organizations use VPNs to save money on renting and managing private lines between sites. Dedicated private lines are circuits used only by the organization that leases them monthly (more on dedicated private lines in the future). In contrast, virtual private networks use shared circuits (electronic paths between points) within carriers' networks. Carriers benefit by not having to dedicate as much infrastructure to single customers.

In addition, VPN installation intervals, the time between ordering service and implementations, are shorter than for new private lines, which take weeks to engineer. Thus, customers with existing virtual private networks can quickly add locations. The biggest delays revolve around new access lines, if they are not already in place between the customer and the VPN provider. If links to the carrier are in place, sites can be added in a matter of days using spare capacity on these links.

VPNs enable businesses to avoid administering growth and day-to-day maintenance of private networks. Adding capacity to a virtual private network is simpler than adding higher-speed, dedicated lines and new hardware to each site of a private network. The customer only needs higher-speed access lines from its building to the carrier's network. The carrier is responsible for making sure there is capacity in the network for the customer's applications.

Large organizations often have a mix of private lines for routes with the highest amount of voice and data traffic and VPN services for routes with less voice and data traffic.

In summary, VPN benefits include:
• Shared facilities may be cheaper - especially in CAPEX (Capital Expenditure) - than traditional routed networks over dedicated facilities
• VPNs can rapidly link enterprise offices, as well as small-and-home-office and mobile workers (more later this week)
• Can scale to meet sudden demands, especially when provider-provisioned on shared infrastructure
• Can reduce opex (Operational Expenditure) by outsourcing support and facilities

Thursday, December 11, 2008

A virtual private network (VPN)

Any arrangement that provides connections between offices, remote workers, and the Internet without requiring dedicated lines (also referred to as private networks between sites). The term "virtual" refers to the fact that these VPNs provide the features of private lines; they are virtually private.

An alternate definition: A VPN is a communications network tunneled through another network, and dedicated for a specific network. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

Wednesday, December 10, 2008

Digital Network Services Overview

As stated last week, we will now be shifting our attention towards networks and network services. As an introduction, the table below provides an overview of digital network services for your reference:

Tuesday, December 9, 2008

Storage Area Networks

As more business processes are computerized, enterprises are storing exact copies of all of their data at remote data centers and storage area networks (SANs). A SAN is a network designed for backup and disk mirroring of large databases. These networks include those used for vital functions such as inventory, accounts receivable, order entry and accounts payable. Disk mirroring is the process of simultaneously writing data to backup and primary servers. SANs provide data restoral in the event of disasters or computer failures. They are located at the same site as the primary servers or at other locations in the metro area or across the country.

A data center is a centralized location for corporate data with special environmental controls such as air conditioning, fire alarms, and duplicate power sources. It also has special security provisions regarding who is allowed to enter the center. Data centers can support multiple enterprise sites. Some organizations hire outside organizations to manage their data center either at their site or at a remote site.

Enormous speed is required to transport the massive amounts of data between corporate sites and SANs and/or data centers. In some cases, data centers act as backups to each other. Fibre channel is a standard for high-speed connections at between 133 megabits per second and 4 gigabits per second between servers and storage devices. Fibre channel is used as a local physical channel within the data center. Because there are many devices in a SAN, SANs use either hubs or switches to distribute data to devices. Hubs provide a common path between devices, and switches establish dedicated paths. Fibre channel data is transmitted directly to devices' input/output interfaces. Fibre channel operates over most network protocols.

Because of the speed and reliability requirements, organizations typically use Ethernet VPNs, SONET, or leased fiber with an individual wavelength. Individual wavelengths have distance limitations of hundreds of kilometers but are less costly than SONET. Wavelengths are sent to data centers, customers, or SANs at speeds of 1.5 gigabits, 2.5 gigabits or 10 gigabits per second over one pair of fiber.

Monday, December 8, 2008

SONET Offerings for Enterprises

Local telephone companies sell SONET (Synchronous Optical Networking) transport for connections between local customers and interexchange carriers. The speeds offered are at OC-3 (155 megabit), OC-12 (622 megabit), and OC-48 (2.5 gigabit) rates. The local telephone companies guarantee 50 millisecond network restoration in the case of a network failure or degradation. They run the SONET service to multiple local central offices. In the case of a failure at one CO (Central Office), service is immediately available from the backup CO. Matching SONET multiplexers are required at the customer premises and at the telephone company office. Another variation of SONET service protects customers from fiber cuts. This diverse routing scheme offers fiber from separate building entrances to the same CO.

Customers often opt for point-to-point SONET rather than bidirectional rings to save money. The major impediment on sales of these services is the cost to dig trenches for additional fiber runs from the customer to the incumbent carrier's fiber ring. Because it is lower in price, newer Ethernet services at gigabit or lower speeds ranging from 10 megabits to 500 megabits are gaining in popularity for data communications. However, customers with existing SONET service have the option to add Ethernet data that runs at 10, 50 or 100 megabits per second. This uses spare capacity on the SONET multiplexer for perhaps LAN-to-LAN connections in metro areas.

Friday, December 5, 2008

Third generation SONET

Connectivity to Ethernet: Transporting IP voice and Ethernet traffic on SONET-equipped links wastes capacity on carriers' networks. This is because SONET carries traffic in "chunks" at 64 kilobits per second in fixed-size frames called cells. However, IP and Ethernet traffic bits are in variable-size packets. In addition, SONET cells have high overhead (nonuser data such as monitoring and addressing), which adds to the inefficiency because less customer traffic is carried in each cell. This mismatch in frame sizes results in carriers stuffing zeros into many SONET frames.

Some manufacturers have developed SONET equipment that handles packet traffic more efficiently. For example, newer multiplexers have Gigabit Ethernet ports and ports that can interface directly with telecommunications services used in storage area networks. These SONET multiplexers have the capability to pick up and drop off Ethernet and IP traffic more efficiently at Ethernet speeds. However, they transport traffic to older SONET devices in SONET frames, which wastes capacity.

Thursday, December 4, 2008

Second generation SONET

Second generation SONET, also referred to as multiservice platforms, achieved higher speeds (up to OC-192 [Optical Carrier-192], 10 gigabits), took up less space by supporting more ports on each card, and gave carriers the capability to increase and decrease speeds remotely without taking the ring out of service. They also enabled carriers to drop off lower optical carrier streams to customers for enterprise SONET (Synchronous Optical Networking) services such as Ethernet and storage area network services. However, next-generation multiplexers do not interface directly to MPLS (Multiprotocol Label Switching) networks. In addition, although they carry Ethernet and storage area network services, they do so inefficiently, in SONET frames. Next-generation SONET devices can have internal add and drop multiplexers and digital cross-connect systems.

Add and Drop Multiplexers (ADM)
Add and drop multiplexers add and drop channels from fiber rings at the edge of the network. They drop off and pick up channels to a particular central office or to a small metropolitan area from rings that connect the core to the access network. Add and drop multiplexers are less complex and handle fewer streams of traffic than digital cross connects.

Digital Cross Connects
Digital cross connects rearrange channels of traffic between multiple routes. A digital cross connect system has the same functionality as a switch. For example, multiple rings may connect at a carrier's point of presence (POP) in the core network in the northeast. The digital cross connect sends some of the traffic to, for example, New York, some to Pennsylvania, and the rest to New Jersey. It also accepts traffic from these states and connects it to other routes. The newest digital cross connects are all-optical. They switch colors (channels) of traffic without converting light signals carried on fiber to electrical signals and electrical signals back to light. This eliminates the need for conversion equipment in these devices, which leads to lower prices and higher-speed switching.

Wednesday, December 3, 2008

SONET Rings

SONET can run as a straight point-to-point line between sites, or in a ring topology. When fiber in a point-to-point arrangement is cut, service is lost. However, the higher speeds attainable on fiber make reliability critical. When a medium such as copper carries a conversation from one telephone subscriber, a copper cut only impacts one customer. Fiber cuts in networks can put hundreds of locations out of service. For this reason, the majority of telephone companies deploy bidirectional ring topology.

In the bidirectional SONET/SDH ring, one set of fiber strands is used for sending and receiving; the other is the protect ring (spare ring). If one set of fiber strands is broken, the spare (protect) ring reroutes traffic in the other direction. In addition, if one multiplexer on one set of fibers fails, the backup multiplexer on the fiber running in the other direction automatically takes over.

Tuesday, December 2, 2008

SONET continued

SONET was developed to aggregate (multiplex) and carry circuit switched traffic such as T-1, E-1, T-3 and E-3 as well as slower rates from multiple sources on fiber-optic networks. SONET transports traffic at high speeds called OC (optical carrier). The international version of SONET is synchronous digital hierarchy (SDH). SDH carries traffic at synchronous transport mode (STM) rates. See the table below for optical carrier and synchronous transport mode speeds. Interfaces in the equipment make SONET and SDH speeds compatible with each other. The same SONET equipment can be used for both OC and SDH speeds.

Europe's time division hierarchy is based on E1 (2-megabit) and E3 (34-megabit) signals. E1 circuits carry 30 channels at 64 kilobits per channel. E3 circuits carry 512 channels at 64 kilobits per channel. Traffic that is carried between cities in Europe or in undersea cables is often referred to as being carried at STM-1 or STM-16 rates.

Monday, December 1, 2008

SONET (Synchronous Optical Network):

First introduced in 1994, SONET is a North American standard for multiplexing slower streams of traffic onto fiber-optic cabling and transporting it at optical carrier (OC) speeds. The international standard for the same functions is synchronous digital hierarchy (SDH). SONET/SDH was a major innovation in enabling carriers to carry enormous amounts of voice and data traffic reliably on fiber networks. As SONET equipment prices dropped, large enterprises adopted it as well.

SONET equipment transports high-speed traffic on fiber-optic network between the following:
- Central offices in metropolitan areas (the metropolitan core)
- Remote terminals (digital loop carriers) in metropolitan networks (metropolitan access networks) and central offices
- Long-haul backbone networks and metropolitan areas
- Points of presence (POPs) in long-haul, core networks
- Enterprises and data centers where backup data is stored
- Enterprises and points of presence (POPs) that carry their long distance traffic
- Enterprises to separate central offices for redundancy in case of a central office failure or a fiber cut

SONET also can carry ATM and IP traffic and television signals. However, as an increasing share of traffic is data rather than voice, and a growing percentage of that data is IP based, lower-priced gear is becoming available to transport IP traffic more efficiently and at lower cost on redundant fiber rings. These rings, found in MPLS (Multiprotocol Label Switching) networks and some metro-area networks, are based on dense wavelength division multiplexing.