# Explain WAN Provider Links
PG. 386
## Wide Area Network Technologies and the OSI Model
- Enterprise WAN - used and controlled by a single organization
- WAN physical layer
- media type & interface specifications
- Modulation (out data) and demodulation (in data) -> performed by a modem
- Modulation -> transforming an electromagnetic wave to represent information
- Analog modems -> only support low bandwidths (up to 56 kbps)
- Digital modems -> perform a different type of modulation than analog modems
- WAN data link layer
- typically use simpler protocols than Ethernet LANs, as links are usually point-to-point and do not need to be complex
- Serial data protocols
- WAN network layer
- customer and provider site are addressed using IP
- A CE router connects to a PE via the underlying link layer interface
- Provider allocates **public** IPv4/IPv6 address/ranges to the customer
- Customer Edge (CE) router link to Provider Edge (PE) router
## WAN Provider Links
- Establishing a WAN provider link means: terminating the access provider's cabling at some point on prem (demarc) and then attaching modem and routing equipment
- Minimum point of entry (MPOE) AKA Demarcation Point (DEMARC)
- Customer premises equipment (CPE)
- Entrance facilities
## T-Carrier and Leased Link Provider Links
- Time Division Multiplexing (TDM) circuits
- 64 kbps channels
- 24 channels multiplexed as a T1 leased line
- Legacy
- Smart jack / Network Interface Unit (NIU)
- Serial digital signal over 2-pair UTP
- RJ-48C or RJ-48X to connect to the CSU/DSU (WAN CARD)
- Channel Service Unit/Data Service Unit (CSU/DSU)
- DSU digital modem encodes signal from PBX/router
- Encodes the signal from DTE (data terminal equipment)
- CSU performs diagnostics
- Typically implemented as a WAN interface card
- Data link layer
- High-level data link control (HDLC) or Point-to-point Protocol (PPP)
## Digital Subscriber Link Provider Links
- Shares the same physical telephone line but uses higher frequency range
- DSL modem installed as CPE typically as a multifunction *wireless router*
- RJ-11 WAN port connects to the provider's phone jack over a short length of ribbon cable
- Supplied as separate appliances or plug-in cards for routers
- Standalone DSL modem is connected to the phone line via an RJ-11 port and to the local network's router
- Filters must be installed on telephone points or at the demarc point to prevent noise from voice calls or the DSL link
- The main drawback of DSL is that, as it is a copper-wire technology, it suffers from attenuation
- DSL modem max range -> 3 miles
- DSL types:
  - Symmetrical DSL (SDSL)
    - same downlink and uplink bandwidth
    - Typically provided as a business package
  - Asymmetrical DSL (ADSL)
    - consumer version of DSL, provides a fast downlink but a slow uplink
    - ISP may impose usage restrictions to limit the amount of data downloaded per month
## Fiber to the Curb
- Fiber to the X (FTTx)
- Fiber optic cabling in the last mile
- To the Home (FTTH), To the premises (FTTP)
- To the Node (FTTN), To the Curb (FTTC)
- Very High Bitrate DSL (VDSL)
  - Supports FTTC with VDSL over the last part of the link (up to 300 m)
  - Up to 52 Mbps downstream and 6 Mbps upstream
  - VDSL2 up to 100 Mbps over 100 m (300 ft)
## Cable Provider Links
- Shares the same physical cable as a cable access TV (CATV)
- Coax link to customer premises
- Fiber optic core network
- Cable modem installed as CPE
- Connects to a service provider network using coax F-connector
- Data Over Cable Service Interface Specification (DOCSIS)
- Downlink speeds of up to 38 Mbps (NA) or 50 Mbps (EU) and uplinks of up to 27 Mbps
- DOCSIS version 3 allows use of multiplexed channels to achieve higher bandwidth
## Metro-Optical Provider Links
- Ethernet over fiber
- Carrier Ethernet
- Physical service types
- Service categories
- Passive Optical Network
- Residential/SME fiber to the home (FTTH) or premises (FTTP) service
- Speeds of 100 Mbps+
- CPE router connects to the optical network terminal (ONT) at the demarc via a fiber optic patch cable
- E-Line -> point-to-point
- E-LAN -> mesh topology (multiple sites)
## Microwave Satellite
- aligned with orbiting satellites
- Geostationary orbit above the equator
- Subject to higher latency
- ISP installs a very small aperture terminal (VSAT) satellite dish at the customer's site
- Connected via coax to a digital video broadcast satellite (DVB-S) modem
- Latency causes big problems for anything real-time, such as videoconferencing, VoIP, and multiplayer gaming
# Compare and Contrast Remote Access Methods
## Remote Network Access Authentication and Authorization
- Authenticate and authorize users
- Document service, risks, and countermeasures
- Define policy restrictions
- Users/groups, time of day, privileges, auditing...
- Manage remote devices
## Tunneling and Encapsulation Protocols
- Establish a host on the same logical network over a connection through a different network
- secure tunnel for private communications through the Internet (VPN)
- very efficient in terms of cost
- provides security for transmissions and prevents unauthorized users from making use of the VPN connection
- Point-to-Point Protocol (PPP)
- Encapsulation for higher layer packets at layer 2
- Works over serial point-to-point links
- VPN depends on tunneling protocols. Tunneling is used when the source and destination hosts are on the same logical network but connected via different physical networks
- PPP encapsulation protocol works at layer 2
- encapsulates IP packets for transmission over serial digital lines
- Has no security mechanisms, so it must be used with other protocols to provision a secure tunnel
- Generic Routing Encapsulation (GRE)
- Encapsulates packets at layer 3 (IP protocol #47)
- Supports point-to-point and point-to-multipoint (mGRE)
- Independent of PHY/data link network implementation
- IP Security (IPSec) -> typically at layer 3
- Transport Layer Security (TLS) and Datagram TLS (DTLS)
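To make the GRE bullets concrete, here is an added Python example (not from the original notes) that wraps a constructed inner IPv4 packet in a GRE header and an outer IPv4 header with protocol 47, then validates and strips them again. The tunnel addresses and the demo() helper are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

GRE_PROTO = 47            # IP protocol number carried in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; a correct header sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 (protocol 47) + 4-byte GRE header (no C/K/S options) + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)    # flags/version = 0, then protocol type
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, 4 + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes):
    """Validate the outer headers and return (tunnel_src, tunnel_dst, inner); ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated outer IPv4/GRE header")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    if ipv4_checksum(packet[:ihl]) != 0:        # a correct header checksums to zero
        raise ValueError("bad outer IPv4 header checksum")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags:                                   # C/K/S bits or non-zero version: not handled here
        raise ValueError("unsupported GRE flags/version 0x%04x" % flags)
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return str(IPv4Address(packet[12:16])), str(IPv4Address(packet[16:20])), packet[ihl + 4:]

def demo():
    """Constructed inner packet 10.1.1.5 -> 10.2.2.7 (UDP) carried between two tunnel endpoints."""
    inner = ipv4_header("10.1.1.5", "10.2.2.7", 17, 8) + b"\x00\x35\x00\x35\x00\x08\x00\x00"
    pkt = gre_encapsulate(inner, "203.0.113.1", "198.51.100.2")
    return pkt, inner
```

Note that GRE itself adds no confidentiality or integrity: the inner packet travels in the clear, which is why the notes pair GRE with IPSec.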
## Client-To-Site VPNs
- Remote access or telecommuter model
- Protocols
- TLS, SSTP, Layer 2 tunneling protocol (L2TP), IPSec
- EAP/RADIUS authentication -> also used for logins to switches and routers, as is TACACS
- Split tunnel -> the client accesses the Internet directly using its “native” IP configuration and DNS servers.
- Full tunnel -> Internet access is mediated by the corporate network, which will alter the client’s IP address and DNS servers and may use a proxy.
## Remote Host Access and Remote Desktop Gateways
A remote access VPN refers to extending local network access over an intermediate
public network, so that a remote computer is effectively joined to the local network.
Remote access can also refer to remote host access, where a user operates a
computer or configures a network appliance without having to use a local terminal.
This type of remote host access can be implemented within a local network or over
a public network. It can be used for a variety of purposes:
- <u>Remote configuration of network appliances.</u> Most of these appliances are headless (they do not have a video monitor or input devices) and remote connections are the only practical configuration option. This type of connection is typically implemented using Secure Shell (SSH).
- <u>Remote desktop connections either allow an administrator to configure a server
or a user to operate a computer remotely</u>. Where remote desktop protocols provide GUI access, other protocols can be used for terminal-only access.
- <u>Remote desktop gateways allow user access to networked apps</u>. A gateway can also be used to connect a user to a virtual desktop, where a client OS and applications software is provisioned as a virtual appliance. Alternatively, a remote desktop gateway is a means of implementing a clientless VPN.
## Site-to-Site VPNs
- Cheap to set up
- use existing internet
- operates automatically
- The gateways exchange security information using whichever protocol the VPN is based on
- this establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data
- Hosts at each site do not need configuring with any information about the VPN
- the infrastructure at the site determines whether to deliver traffic locally or send it over the VPN tunnel
## Hub and Spoke VPNs and VPN Headends
- Hub and spoke topology
- VPN headend
- Dynamic Multipoint VPN (DMVPN)
  - IPSec for security
  - Next Hop Resolution Protocol (NHRP)
  - GRE tunneling
- Headend is used at central office locations and needs to be able to handle large volumes of traffic
## Internet Protocol Security
- layer 3 encryption protocol suite
- Authentication Header (AH)
- Provides authentication/integrity only
- Encapsulation Security Payload (ESP)
- Confidentiality and authentication/integrity
- IPv4 and IPv6 implementations
## IKE and IPSec Modes
- Internet key exchange (IKE)
- Setup Security Associations (SA)
- IPSec modes
  - Transport mode
    - IP header is left unencrypted; only the payload data is encrypted
    - Used for end-to-end communication over the same network
  - Tunnel mode
    - Encapsulates the encrypted packet within a new unencrypted header
    - used when traffic must pass over an intermediate network (VPN)
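Added example, not part of the original notes, tying together the Authentication Header bullet (authentication/integrity only, no confidentiality) and transport mode (original IP header kept in front): a transport-mode AH built and verified in Python with HMAC-SHA256-128 as the integrity algorithm. The key, addresses and the demo() helper are constructed; the header checksum recomputation a real sender performs is left out.

```python
import hashlib
import hmac
import struct
AH_PROTO = 51           # IP protocol number of the Authentication Header
ICV_LEN = 16            # HMAC-SHA256-128: HMAC-SHA256 truncated to 128 bits
AH_LEN = 12 + ICV_LEN   # fixed AH fields + ICV

def _zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the IPv4 fields that change in transit (ToS, flags/frag offset, TTL, checksum)
    before hashing; addresses stay covered, which is why a NAT rewriting them breaks AH."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def _icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    """ICV over immutable IP header + AH header (ICV field zeroed) + payload; nothing is encrypted."""
    data = _zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(ip_hdr: bytes, payload: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport-mode AH: original IP header (protocol -> 51, length grown) + AH + payload."""
    hdr = bytearray(ip_hdr)
    next_hdr = hdr[9]
    hdr[9] = AH_PROTO
    struct.pack_into("!H", hdr, 2, len(ip_hdr) + AH_LEN + len(payload))
    hdr[10:12] = b"\0\0"   # header checksum is mutable; a real sender recomputes it (omitted)
    hdr = bytes(hdr)
    # next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, sequence
    ah = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return hdr + ah + _icv(hdr, ah, payload, key) + payload

def ah_verify(packet: bytes, key: bytes):
    """Return (next_header, payload) if the ICV matches, else None (20-byte IPv4 header assumed)."""
    ip_hdr, ah, icv, payload = packet[:20], packet[20:32], packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    if ip_hdr[9] != AH_PROTO or not hmac.compare_digest(icv, _icv(ip_hdr, ah, payload, key)):
        return None
    return ah[0], payload

def demo():
    """Constructed packet 10.1.1.5 -> 10.2.2.7 (UDP). Returns (ok, ttl_changed_ok, nat_rewrite_ok)."""
    key = b"constructed-demo-key"
    udp = b"\x00\x35\x00\x35\x00\x0c\x00\x00ping"             # UDP header + 4-byte payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0,
                     bytes([10, 1, 1, 5]), bytes([10, 2, 2, 7]))
    pkt = ah_protect(ip, udp, spi=0x1000, seq=1, key=key)
    aged = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]           # router decremented TTL: still verifies
    natted = pkt[:12] + bytes([203, 0, 113, 9]) + pkt[16:]    # NAT rewrote source address: rejected
    return (ah_verify(pkt, key) == (17, udp), ah_verify(aged, key) == (17, udp),
            ah_verify(natted, key) is None)
```

The payload is still readable on the wire in both cases; for confidentiality the notes' ESP is needed instead.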
## Out-of-band Management Methods
- managed vs unmanaged appliances
- Management interface
  - Console port/CLI
  - Aux port dial-up link
  - Management port (connect over IP network)
    - web interface using HTTP/HTTPS
    - Virtual CLI over Telnet/SSH
- In-band vs out-of-band management networks
- OOB -> port for management access to physically separate network infrastructure
- In-band -> connecting within the network