N10-007 Compare and contrast the use of networking services and applications

VPN

VPN encapsulates encrypted data inside another datagram that contains routing information. The connection between two computers establishes a switched connection dedicated to the two computers. The encrypted data is encapsulated inside Point-to-Point Protocol (PPP), and that connection is used to deliver the data.

A VPN enables users with an Internet connection to use the infrastructure of the public network to dial in to the main network and access resources as if they were logged on to the network locally. It also enables two networks to be connected to each other securely.

Site to site 

The scope of a tunnel can vary, with the two most common variations being site-to-site and client-to-site. In a site-to-site implementation, as the name implies, whole networks are connected together. An example of this would be divisions of a large company. Because the networks are supporting the VPN, each gateway does the work and the individual clients do not need to have any VPN.

In a client-to-site scenario, individual clients (such as telecommuters or travelers) connect to the network remotely. Because the individual client makes a direct connection to the network, each client doing so must have VPN client software installed.

Protocols

VPN uses protocols to conduct its operation. Here we discuss a few protocols:

IPsec:: IPsec provides security at the network layer. With the help of IPsec IP traffic can be protected between the two devices. To use IPsec on the client side we need to install additional software to provide layer 3 security. IPsec’s is defined in RFC 2401.
The various services provided by the IPsec are:

1) Data confidentiality

2) Data integration and authentication

3) Anti-replay detection

4) Peer authentication

Data confidentiality: It is done with the help of encryption to prevent data theft by various attacks such as eavesdropping. IPsec supports various encryption algorithms such as DES, 3DES and AES.

Data integration and authentication: It is done by using HMAC functions. HMAC verifies that the data packets have not been tampered and are received from an authentic host. MD5 and SHA-1 are supported HMAC functions.

Anti-replay detection: All data packets in IPsec are provided with encrypted sequence numbers to ensure that the replay attack does not take place.

Peer Authentication: It is done to ensure the integrity and authenticity of the peers before they send data.

The two main grouping standards IPsec uses are:

1) ISAKMP/IKE/Oakley/SKEME: These standards are used for setting up a secure management connection.

2) AH and ESP: These standards provide various services like data integrity, data origin authentication and anti-replay etc.

SSL VPN: It provides remote access solutions. They are used mainly to provide secure access to the web based applications. As the SSL uses web browser so there is no need to install any additional software for the working of SSL. It operates at the session layer of the OSI model. Applications such as Telnet, FTP, SMTP, IP telephony etc. do not work with SSL because these applications do not use web browsers as their front end interfaces.

There are three general types of SSL client implementations:

1) Clientless

2) Thin Client

3) Network Client

Clientless: When only the web browser is used for SSL VPN they are called as clientless VPNs

Thin client: When Java or Active X software is loaded into the web browser. This added software provides capability to use some non web based applications to be transported across the SSL VPN.

Network Client: In this case the SSL client is required to be installed on the user’s desktop. When the user makes a SSL VPN connection to the central site the SSL client is installed on the user’s system. User must have required permissions to install SSL client on the system.

SSL VPNs do not provide Layer 3 security to data but in case of clientless VPNs layer 5 protection is provided. SSL VPNs do not provide security to the user data;

instead they provide security to the users access to various services and applications on the network. SSL VPNs also provide authentication and access control features. SSL VPNs supports two types of authentication

1)  Digital certificates

2)  Username and Passwords

PTP/PPTP: PPTP was invented by Microsoft to provide secure remote access solution. Suppose the traffic flows from the client across the unsecure network to the VPN gateway we need to use PPTP. PPTP is an extension of PPP as PPTP uses PPP it also has PPP features. PPTP can authenticate various network devices with the help of protocols such as PAP, CHAP etc.

PPTP contains several features such as:

1)  Compression

2)  Encryption

3)  User Authentication

4)  Data Delivery

5)  Client Addressing

• Compression: Compression of data is handled by Microsoft’s Point-to-Point Compression (MPPC) protocol within the PPP payload. This is supported by both PPTP and L2TPand normally enabled for dialup clients
• Encryption: Encryption of data is handled by Microsoft’s Point-to-Point Encryption (MPPE) protocol within the PPP payload. The encryption uses RSA’s RC4 encryption algorithm. PPTP uses this method, whereas L2TP uses IPsec, which is more secure. With MPPE, the initial key created during user authentication is used for the encryption algorithm and is regenerated periodically.
• User authentication: It is achieved using PPP’s authentication methods, such as PAP or CHAP, and others, such as EAP. MPPE support requires the use of MS-CHAPv1 or v2. If you use EAP, you can choose from a wide range of authentication methods, including static passwords and one-time passwords (through the use of token cards).
• Data delivery: Data is packetized using PPP, which is then encapsulated in a PPTP/ L2TP packet. By using PPP, PPTP can support multiple transport protocols, such as IP, IPX, NetBEUI, and others.
• Client addressing PPTP and L2TP support dynamic addressing of the client using PPP’s Network Control Protocol (NCP).

TACACS/RADIUS

RADIUS was developed by the Internet Engineering Task Force (IETF). It safeguards the network from unauthorized access. It is an open standard solution to implement security as RADIUS being an open standard it is used by most security servers. RADIUS uses client server architecture where the client is the router and the web server is the operating system running RADIUS software.

There are four types of RADIUS message:

1) Access-Request

2) Access-Challenge

3) Access-Accept

4) Access-Reject

Working of RADIUS

Figure 10: Radius Working 

In this figure the Workstation is authenticated into the network with the use of RADIUS. The working of RADIUS is defined in below process:

1) The Network Access System prompts the client for the username

2) The client provides a username to the network access system

3) NAS prompts for a password

4) The client provides the password to the server

5) The username and password is sent to the RADIUS server.

6) If the supplied information is correct the RADIUS server responds with an Access-Accept datagram. If the information provided by the user is incorrect an Access-Reject message is returned and NAS then terminates the connection

Router(config)# aaa new-model

Router(config)# radius-server host 10.0.0.1 single connection

Router(config)# radius-server key shared2

Terminal Access Controller Access Control System (TACACS+)

It is used to provide security to the network devices access. It is more flexible than RADIUS. In some ways TACACS+ is similar to RADIUS. It is not an open standard protocol it is developed by Cisco Systems to interact with Cisco AAA servers. In case of implementing TACACS+ we can implement all AAA features.

RAS

In case of Microsoft the PPTP endpoints need to be on the client and RAS software on the server.

Figure 11: RAS Software

The RAS software runs on the server side and on the client side we need to just create a new connection. When the client connects to the remote server PPTP creates a secure tunnel to the private LAN.

Web services

The term Web services describes a standardized way of integrating Web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone. XML is used to tag the data, SOAP is used to transfer the data, WSDL is used for describing the services available and UDDI is used for listing what services are available. Used primarily as a means for businesses to communicate with each other and with clients, Web services allow organizations to communicate data without intimate knowledge of each other’s IT systems behind the firewall.

Unlike traditional client/server models, such as a Web server/Web page system, Web services do not provide the user with a GUI. Web services instead share business logic, data and processes through a programmatic interface across a network. The applications interface, not the users. Developers can then add the Web service to a GUI (such as a Web page or an executable program) to offer specific functionality to users.

Web services allow different applications from different sources to communicate with each other without time-consuming custom coding, and because all communication is in XML, Web services are not tied to any one operating system or programming language. For example, Java can talk with Perl, Windows applications can talk with UNIX applications.

Web services do not require the use of browsers or HTML.

Web services are sometimes called application services.

Unified voice services

Unified Communications (UC) is all about improving collaboration and boosting business productivity. The successful adoption of UC services, such as VoIP, Video Conferencing, Telepresence and Desktop Video, assumes that service quality will be sufficient for users to interact effectively and consistently.

Assuring the quality of UC services is not an easy task. UC services are complex and require unforgiving performance levels with always-on availability to meet the high expectations of users and the organization. The reality is that many UC deployments fail to achieve the internal traction desired due to poor user experiences. Underperforming Unified Communications (UC) deployments lead to erosion in savings and productivity due to increased management costs and dissatisfied users.

Unified voice services simplifies UC performance management by providing real-time visibility into end-to-end service performance for voice and video sessions that enables powerful analysis and troubleshooting for both proactive and reactive service management tasks.

Unified voice services enables the implementation of a unified strategy for managing and optimizing the delivery of UC services to assure service quality and deliver a consistent user experience. The holistic approach enables IT organizations to manage business data and UC services side-by-side to assure reliable and high quality performance levels for a broad range of real-time UC services including:

• Voice over IP (VoIP)
• Desktop Video
• Video Conferencing
• Telepresence

Network controllers

Network controller is just another name for a network card or network adapter. These cards have their own processors to handle the network interface rather than relying on the motherboard chipset or CPU to do it.