6 Teleworker Services

6.0 Chapter Introduction

6.0.1 Chapter Introduction

Page 1:
Teleworking is working away from a traditional workplace, usually from a home office. The reasons for choosing teleworking are varied and include everything from personal convenience to allowing injured or shut-in employees opportunities to continue working during periods of convalescence.

Teleworking is a broad term referring to conducting work by connecting to a workplace from a remote location, with the assistance of telecommunications. Efficient teleworking is possible because of broadband Internet connections, virtual private networks (VPN), and more advanced technologies, including Voice over IP (VoIP) and videoconferencing. Teleworking can save money otherwise spent on travel, infrastructure, and facilities support.

Modern enterprises employ people who cannot commute to work every day or for whom working out of a home office is more practical. These people, called teleworkers, must connect to the company network so that they can work from their home offices.

This chapter explains how organizations can provide secure, fast, and reliable remote network connections for teleworkers.


6.0.1 - Chapter Introduction
The diagram depicts the chapter objectives:
- Describe the enterprise requirements for providing teleworker services, including the differences between private and public network infrastructures.
- Describe the teleworker requirements and recommended architecture for providing teleworking services.
- Explain how broadband services extend enterprise networks using DSL, cable, and wireless technology.
- Describe the importance of VPN technology, including its role and benefits for enterprises and teleworkers.
- Describe how VPN technology can be used to provide secure teleworker services to an enterprise network.


6.1 Business Requirements for Teleworker Services

6.1.1 The Business Requirements for Teleworker Services

Page 1:
More and more companies are finding it beneficial to have teleworkers. With advances in broadband and wireless technologies, working away from the office no longer presents the challenges it did in the past. Workers can work remotely almost as if they were in the next cubicle or office. Organizations can cost-effectively distribute data, voice, video, and real-time applications over one common network connection to their entire workforce, no matter how remote and scattered it might be.

The benefits of telecommuting extend well beyond the ability for businesses to make profits. Telecommuting affects the social structure of societies, and can have positive effects on the environment.

For day-to-day business operations, it is beneficial to be able to maintain continuity in case weather, traffic congestion, natural disasters, or other unpredictable events prevent workers from getting to the workplace. On a broader scale, the ability of businesses to provide increased service across time zones and international boundaries is greatly enhanced using teleworkers. Contracting and outsourcing solutions are easier to implement and manage.

From a social perspective, teleworking options increase the employment opportunities for various groups, including parents with small children, the handicapped, and people living in remote areas. Teleworkers enjoy more quality family time, less travel-related stress, and in general provide their employers with increased productivity, satisfaction, and retention. In the age of climate change, teleworking is another way people can reduce their carbon footprint.

When designing network architectures that support a teleworking solution, designers must balance organizational requirements for security, infrastructure management, scalability, and affordability against the practical needs of teleworkers for ease of use, connection speeds, and reliability of service.

To allow businesses and teleworkers to function effectively, we must balance the selection of technologies and carefully design the telecommuting services.


6.1.1 - The Business Requirements for Teleworker Services
The diagram depicts a listing of teleworker benefits.
Organizational benefits:
- Continuity of operations.
- Increased responsiveness.
- Secure, reliable, and manageable access to information.
- Cost-effective integration of data, voice, video, and applications.
- Increased employee productivity, satisfaction, and retention.

Social benefits:
- Increased employment opportunities for marginalized groups.
- Less travel and commuter-related stress.

Environmental benefits:
- Reduced carbon footprints, both for individual workers and organizations.


6.1.2 The Teleworker Solution

Page 1:
Organizations need secure, reliable, and cost-effective networks to connect corporate headquarters, branch offices, and suppliers. With the growing number of teleworkers, enterprises have an increasing need for secure, reliable, and cost-effective ways to connect to people working in small offices and home offices (SOHOs), and other remote locations, with resources on corporate sites.

The figure illustrates the remote connection topologies that modern networks use to connect remote locations. In some cases, the remote locations only connect to the headquarters location, while in other cases, remote locations connect to multiple sites. The branch office in the figure connects to the headquarters and partner sites while the teleworker has a single connection to the headquarters.

Click the Options button in the figure.

The figure displays three remote connection technologies available to organizations for supporting teleworker services:

  • Traditional private WAN Layer 2 technologies, including Frame Relay, ATM, and leased lines, provide many remote connection solutions. The security of these connections depends on the service provider.
  • IPsec Virtual Private Networks (VPNs) offer flexible and scalable connectivity. Site-to-site connections can provide a secure, fast, and reliable remote connection to teleworkers. This is the most common option for teleworkers, combined with remote access over broadband, to establish a secure VPN over the public Internet. (A less reliable means of connectivity using the Internet is a dialup connection.)
  • The term broadband refers to advanced communications systems capable of providing high-speed transmission of services, such as data, voice, and video, over the Internet and other networks. Transmission is provided by a wide range of technologies, including digital subscriber line (DSL) and fiber-optic cable, coaxial cable, wireless technology, and satellite. The broadband service data transmission speeds typically exceed 200 kilobits per second (kb/s), or 200,000 bits per second, in at least one direction: downstream (from the Internet to the user's computer) or upstream (from the user's computer to the Internet).

This chapter describes how each of these technologies operates, and introduces some of the steps needed to ensure that teleworker connections are secure.


6.1.2 - The Teleworker Solution
The diagram depicts remote connection topologies and options.

Topologies:
There are four areas defined in the diagram that are interconnected via a WAN cloud. The four areas are:
- Headquarters (includes a server farm, enterprise campus, and enterprise edge).
- Branch offices.
- Teleworkers (includes a mobile worker, individual, and a SOHO).
- Partners and suppliers.

Options:
Various telecommunications technologies are shown as smaller clouds within the larger WAN cloud. These include IPsec VPN, Layer 2 VPNs over WAN technologies such as Frame Relay and ATM, as well as broadband networks and ISPs.


Page 2:
To connect effectively to their organization's networks, teleworkers need two key sets of components: home office components and corporate components. The option of adding IP telephony components is becoming more common as providers extend broadband service to more areas. Soon, voice over IP (VoIP) and videoconferencing components will become expected parts of the teleworker's toolkit.

As shown in the figure, telecommuting needs the following components:

  • Home Office Components - The required home office components are a laptop or desktop computer, broadband access (cable or DSL), and a VPN router or VPN client software installed on the computer. Additional components might include a wireless access point. When traveling, teleworkers need an Internet connection and a VPN client to connect to the corporate network over any available dialup, network, or broadband connection.
  • Corporate Components - Corporate components are VPN-capable routers, VPN concentrators, multifunction security appliances, authentication, and central management devices for resilient aggregation and termination of the VPN connections.

Typically, providing support for VoIP and videoconferencing requires upgrades to these components. Routers need Quality of Service (QoS) functionality. QoS refers to the capability of a network to provide better service to selected network traffic, as required by voice and video applications. An in-depth discussion of QoS is beyond the scope of this course.

The figure shows an encrypted VPN tunnel connecting the teleworker to the corporate network. This is the heart of secure and reliable teleworker connections. A VPN is a private data network that uses the public telecommunication infrastructure. VPN security maintains privacy using a tunneling protocol and security procedures.

This course presents the IPsec (IP Security) protocol as the favored approach to building secure VPN tunnels. Unlike earlier security approaches that apply security at the Application layer of the Open Systems Interconnection (OSI) model, IPsec works at the network or packet processing layer.


6.1.2 - The Teleworker Solution
The diagram depicts teleworker connectivity requirements and components.

Two areas are defined in the diagram, teleworker and headquarters, which are interconnected via the Internet cloud using an encrypted VPN tunnel.

Teleworker Solution Components:
- Home office components
- Corporate components
- Optional corporate IP telephony components

Teleworker area:
- End-user devices - Laptop or desktop computer, IP phones, video conference equipment
- Broadband modem (cable or DSL)
- Remote VPN router (or VPN client software installed on the computer)

Headquarters area:
- Headend VPN router


6.2 Broadband Services

6.2.1 Connecting Teleworkers to the WAN

Page 1:
Teleworkers typically use diverse applications (for example, e-mail, web-based applications, mission-critical applications, real-time collaboration, voice, video, and videoconferencing) that require a high-bandwidth connection. The choice of access network technology and the need to ensure suitable bandwidth are the first considerations to address when connecting teleworkers.

Residential cable, DSL, and broadband wireless are three options that provide high bandwidth to teleworkers. The low bandwidth provided by a dialup modem connection is usually not sufficient, although it is useful for mobile access while traveling. A modem dialup connection should only be considered when other options are unavailable.

Teleworkers require a connection to an ISP to access the Internet. ISPs offer various connection options. The main connection methods used by home and small business users are:

  • Dialup access - An inexpensive option that uses any phone line and a modem. To connect to the ISP, a user calls the ISP access phone number. Dialup is the slowest connection option, and is typically used by mobile workers in areas where higher speed connection options are not available.
  • DSL - Typically more expensive than dialup, but provides a faster connection. DSL also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet. DSL uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
  • Cable modem - Offered by cable television service providers. The Internet signal is carried on the same coaxial cable that delivers cable television. A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.
  • Satellite - Offered by satellite service providers. The computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest point of presence (POP) within the satellite network.

In this section, you will learn how broadband services, such as DSL, cable, and broadband wireless, extend enterprise networks to enable teleworker access.


6.2.1 - Connecting Teleworkers to the WAN
The diagram depicts various last-mile access technologies that allow teleworkers to connect to the WAN. These include the following:

Dialup access - The customer is connected using a dialup modem and a phone line to connect to a POP at ISP A, which is a telephone company.

With access speeds around 56 Kbps, dialup access is the slowest connection option. For example, downloading a 5 MB file using a 56 Kbps dialup connection takes approximately twelve minutes.

DSL access - The customer is connected using a DSL modem and a phone line to connect to a POP at ISP A.

DSL provides high-speed broadband access at speeds of 200 Kbps and higher. Upload and download speeds vary with distance from the central office.
There are many types of DSL. Home users usually use asymmetric DSL (ADSL), which has download speeds higher than upload speeds. Symmetric DSL (SDSL) has the same speeds up and down. SDSL is more suitable for small-to-medium business applications.

Cable modem access - The customer is connected using a cable modem and a coaxial cable to connect to a POP at ISP B, which is a cable service provider.

Cable is similar to DSL in that it provides broadband access at speeds of 200 Kbps and higher. Unlike DSL, speeds are not affected by the distance to the ISP. However, cable is a shared service, so speeds are affected to a degree by the number of subscribers sharing a particular leg of the distribution network.

Satellite access - The customer is connected using a satellite modem and a wireless link through a satellite to connect to a POP at ISP C, which is a satellite service provider.

Satellite Internet access speeds range from 128 Kbps to 512 Kbps, depending on the subscriber plan.


6.2.2 Cable

Page 1:
Accessing the Internet through a cable network is a popular option used by teleworkers to access their enterprise network. The cable system uses a coaxial cable that carries radio frequency (RF) signals across the network. Coaxial cable is the primary medium used to build cable TV systems.

Cable television first began in Pennsylvania in 1948. John Walson, the owner of an appliance store in a small mountain town, needed to solve poor over-the-air reception problems experienced by customers trying to receive TV signals from Philadelphia through the mountains. Walson erected an antenna on a utility pole on a local mountaintop that enabled him to demonstrate the televisions in his store with strong broadcasts coming from the three Philadelphia stations. He connected the antenna to his appliance store via a cable and modified signal boosters. He then connected several of his customers who were located along the cable path. This was the first community antenna television (CATV) system in the United States.

Walson's company grew over the years, and he is recognized as the founder of the cable television industry. He was also the first cable operator to use microwave to import distant television stations, the first to use coaxial cable to improve picture quality, and the first to distribute pay television programming.

Most cable operators use satellite dishes to gather TV signals. Early systems were one-way, with cascading amplifiers placed in series along the network to compensate for signal loss. These systems used taps to couple video signals from the main trunks to subscriber homes via drop cables.

Modern cable systems provide two-way communication between subscribers and the cable operator. Cable operators now offer customers advanced telecommunications services, including high-speed Internet access, digital cable television, and residential telephone service. Cable operators typically deploy hybrid fiber-coaxial (HFC) networks to enable high-speed transmission of data to cable modems located in a SOHO.

The figure illustrates the components of a typical modern cable system.

Roll over each component in the figure for a description of what it does.


6.2.2 - Cable
The diagram depicts the structure of a cable system. Rollover text provides additional information on each component.

- CATV originally meant community antenna television. This form of transmission shared TV signals.
- Cable systems were originally built to extend the reach of TV signals and improve over-the-air TV reception.
- Modern cable systems use fiber and coaxial for signal transmission.

Network Topology:
A building location labeled Headend is the main component in the cable transportation system. An antenna site receives TV signals and passes them to the headend for distribution. A trunk cable carries the signal from the headend to the first amplifier. Other amplifiers boost the signal as it travels to various houses along the way. A distribution cable feeds a home, and a subscriber drop cable carries the signal into the home.

Rollover text provides additional information on cable system components.

Antenna Site:
The location of an antenna site is chosen for optimum reception of over-the-air, satellite, and sometimes point-to-point signals. The main receiving antennas and satellite dishes are located at the antenna site.

Headend:
This is where signals are first received, processed, formatted, and then distributed downstream to the cable network. The headend facility is usually not staffed, under security fencing, and is similar to a telephone company central office.

Distribution Network:
In a classic cable system called a tree-and-branch cable system, the distribution network consists of trunk and feeder cables. The trunk is the backbone that distributes signals throughout the community service area to the feeder and typically uses 0.750 inch (19 millimeter) diameter coaxial cable. The feeder branches flow from a trunk and reach all the subscribers in the service area via coaxial cables. The feeder cable is usually a 0.50 inch (13 millimeter) diameter coaxial cable.

Subscriber Drop:
A subscriber drop connects the subscriber to the cable services. The subscriber drop is a connection between the feeder part of a distribution network and the subscriber terminal device (for example, TV set, videocassette recorder [VCR], high-definition TV set-top box, or cable modem). A subscriber drop consists of radio grade (RG) coaxial cabling (usually 59-series or 6-series coaxial cable), grounding and attachment hardware, passive devices, and a set-top box.


Page 2:
The electromagnetic spectrum encompasses a broad range of frequencies.

Frequency is the rate at which current (or voltage) cycles occur, computed as the number of "waves" per second. Wavelength is the speed of propagation of the electromagnetic signal divided by its frequency in cycles per second.

Radio waves, generally called RF, constitute a portion of the electromagnetic spectrum from approximately 1 kilohertz (kHz) to 1 terahertz (THz). When users tune a radio or TV set to find different radio stations or TV channels, they are tuning to different electromagnetic frequencies across that RF spectrum. The same principle applies to the cable system.

The cable TV industry uses a portion of the RF electromagnetic spectrum. Within the cable, different frequencies carry TV channels and data. At the subscriber end, equipment such as TVs, VCRs, and high-definition TV set-top boxes tune to certain frequencies that allow the user to view the channel or, using a cable modem, to receive high-speed Internet access.

A cable network is capable of transmitting signals on the cable in both directions at the same time. The following frequency ranges are used:

  • Downstream - The direction of an RF signal transmission (TV channels and data) from the source (headend) to the destination (subscribers). Transmission from source to destination is called the forward path. Downstream frequencies are in the range of 50 to 860 megahertz (MHz).
  • Upstream - The direction of the RF signal transmission from subscribers to the headend, or the return or reverse path. Upstream frequencies are in the range of 5 to 42 MHz.


6.2.2 - Cable
The diagram depicts sending digital signal over radio waves. The portion of the electromagnetic spectrum used by cable modems for upstream and downstream transmission is illustrated.
- Cable uses a part of the RF electromagnetic frequencies.
- Cable can transmit signal simultaneously in either direction.
- The RF portion used is subdivided for the two paths:
- Downstream: Headend to subscriber has 810 megahertz of RF bandwidth.
- Upstream: Subscriber to headend has 37 megahertz of RF bandwidth.

Downstream - Source (headend) to the destination (subscribers). Downstream frequencies are in the range of 50 to 860 megahertz.

Upstream - Subscriber to the cable operator headend. Upstream frequencies are in the frequency range of 5 to 42 megahertz.


Page 3:
The Data-over-Cable Service Interface Specification (DOCSIS) is an international standard developed by CableLabs, a non-profit research and development consortium for cable-related technologies. CableLabs tests and certifies cable equipment vendor devices, such as cable modems and cable modem termination systems, and grants DOCSIS-certified or qualified status.

DOCSIS defines the communications and operation support interface requirements for a data-over-cable system, and permits the addition of high-speed data transfer to an existing CATV system. Cable operators employ DOCSIS to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure.
DOCSIS specifies the OSI Layer 1 and Layer 2 requirements:

  • Physical layer - For data signals that the cable operator can use, DOCSIS specifies the channel widths (bandwidths of each channel) as 200 kHz, 400 kHz, 800 kHz, 1.6 MHz, 3.2 MHz, and 6.4 MHz. DOCSIS also specifies modulation techniques (the way to use the RF signal to convey digital data).
  • MAC layer - Defines a deterministic access method, time-division multiple access (TDMA) or synchronous code division multiple access method (S-CDMA).
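The band plan and channel widths above can be checked mechanically. The following is an added example (not course material) that encodes the downstream (50 to 860 MHz) and upstream (5 to 42 MHz) ranges and the six DOCSIS channel widths, and validates a proposed carrier placement: a channel must use a standard width and sit wholly inside one path, so anything straddling a band edge or falling into the 42 to 50 MHz gap is rejected. The velocity-factor parameter of the wavelength helper is an assumption added for cables, not a value from the text.

```python
"""Cable RF band plan checker: an added example, not course material.
Encodes the paths and DOCSIS channel widths stated in the text and
validates whether a proposed channel placement fits the plan."""

SPEED_OF_LIGHT_M_S = 299_792_458.0  # free-space value; coax is slower

# Band plan from the text, in hertz.
DOWNSTREAM_HZ = (50e6, 860e6)   # headend -> subscriber (forward path)
UPSTREAM_HZ = (5e6, 42e6)       # subscriber -> headend (return path)

# DOCSIS physical-layer channel widths from the text, in hertz.
DOCSIS_CHANNEL_WIDTHS_HZ = (200e3, 400e3, 800e3, 1.6e6, 3.2e6, 6.4e6)


def band_width_hz(band):
    """RF bandwidth of a path (upper edge minus lower edge)."""
    low, high = band
    return high - low


def path_for(freq_hz):
    """Name the path a carrier frequency belongs to, or None if it falls
    outside both (for example in the 42-50 MHz gap between the paths)."""
    if UPSTREAM_HZ[0] <= freq_hz <= UPSTREAM_HZ[1]:
        return "upstream"
    if DOWNSTREAM_HZ[0] <= freq_hz <= DOWNSTREAM_HZ[1]:
        return "downstream"
    return None


def wavelength_m(freq_hz, velocity_factor=1.0):
    """Wavelength = propagation speed / frequency. velocity_factor (an
    assumption, not from the text) scales the free-space speed for a cable."""
    return SPEED_OF_LIGHT_M_S * velocity_factor / freq_hz


def channel_fits(center_hz, width_hz):
    """True when a channel uses a DOCSIS-defined width and lies entirely
    inside one path; a channel straddling a band edge is rejected."""
    if width_hz not in DOCSIS_CHANNEL_WIDTHS_HZ:
        return False
    low_edge = center_hz - width_hz / 2
    high_edge = center_hz + width_hz / 2
    for band in (UPSTREAM_HZ, DOWNSTREAM_HZ):
        if band[0] <= low_edge and high_edge <= band[1]:
            return True
    return False


def max_channels(band, width_hz):
    """How many non-overlapping channels of one width fit in a path."""
    return int(band_width_hz(band) // width_hz)


def pack_channels(band, width_hz):
    """Center frequencies of channels packed upward from the lower edge."""
    count = max_channels(band, width_hz)
    return [band[0] + width_hz / 2 + i * width_hz for i in range(count)]


if __name__ == "__main__":
    print("downstream bandwidth: %.0f MHz" % (band_width_hz(DOWNSTREAM_HZ) / 1e6))
    print("upstream bandwidth:   %.0f MHz" % (band_width_hz(UPSTREAM_HZ) / 1e6))
    for width in DOCSIS_CHANNEL_WIDTHS_HZ:
        print("%5.1f MHz channels that fit upstream: %d"
              % (width / 1e6, max_channels(UPSTREAM_HZ, width)))
```

Running the script shows why the narrow upstream path is the scarce resource: only five 6.4 MHz channels fit in its 37 MHz, against over a hundred in the 810 MHz downstream path.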

To understand the MAC layer requirements for DOCSIS, an explanation of how various communication technologies divide channel access is helpful. TDMA divides access by time. Frequency-division multiple access (FDMA) divides access by frequency. Code division multiple access (CDMA) employs spread-spectrum technology and a special coding scheme in which each transmitter is assigned a specific code.

An analogy that illustrates these concepts starts with a room representing a channel. The room is full of people needing to speak to one another; in other words, they need channel access. One solution is for the people to take turns speaking (time division). Another is for each person to speak at a different pitch (frequency division). In CDMA, they would speak different languages. People speaking the same language can understand each other, but not other people. In the radio CDMA used by many North American cell phone networks, each group of users has a shared code. Many codes occupy the same channel, but only users associated with a particular code can understand each other. S-CDMA is a proprietary version of CDMA developed by Terayon Corporation for data transmission across coaxial cable networks. S-CDMA scatters digital data up and down a wide frequency band and allows multiple subscribers connected to the network to transmit and receive concurrently. S-CDMA is secure and extremely resistant to noise.
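The room analogy can be acted out in code. The following is an added example (not course material) that simulates the two access methods DOCSIS names: TDMA senders take turns in fixed time slots, while CDMA senders all transmit at once, each spreading its bits with its own orthogonal Walsh code, so a receiver correlating with one code recovers only that sender and hears exactly nothing from the others. The user names and bit patterns are constructed test data; the length-4 Walsh codes are a standard orthogonal set, not something specified in the text.

```python
"""Channel-sharing demo: an added example, not course material. It acts
out the analogy in the text: TDMA users take turns (time slots); CDMA
users all talk at once, each with an orthogonal code, so a receiver that
correlates with one code hears only that sender."""

# Length-4 Walsh codes (rows of a Hadamard matrix). Any two distinct rows
# are orthogonal: their element-wise product sums to zero.
WALSH_4 = (
    (+1, +1, +1, +1),
    (+1, -1, +1, -1),
    (+1, +1, -1, -1),
    (+1, -1, -1, +1),
)


def spread(bits, code):
    """Spread each data bit (0 -> -1, 1 -> +1) over the chips of a code."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * chip for chip in code)
    return chips


def despread(channel, code):
    """Correlate the shared channel with one code, one code length at a
    time; the sign of each correlation is that sender's bit. Contributions
    from the other orthogonal codes cancel to exactly zero."""
    n = len(code)
    bits = []
    for start in range(0, len(channel), n):
        correlation = sum(s * c for s, c in zip(channel[start:start + n], code))
        bits.append(1 if correlation > 0 else 0)
    return bits


def cdma_transmit(users):
    """users: {name: bit list}, all the same length, at most len(WALSH_4)
    senders. Every sender transmits simultaneously; the channel carries
    the sum of their chip streams. Returns (channel, {name: code})."""
    if len(users) > len(WALSH_4):
        raise ValueError("not enough orthogonal codes for that many senders")
    codes = {name: WALSH_4[i] for i, name in enumerate(users)}
    streams = [spread(bits, codes[name]) for name, bits in users.items()]
    channel = [sum(chips) for chips in zip(*streams)]
    return channel, codes


def cdma_receive(channel, code):
    """A receiver 'understands' only the sender whose code it holds."""
    return despread(channel, code)


def tdma_transmit(users):
    """Users take turns: each frame carries one bit from each user, in a
    fixed slot order. Returns (channel, {name: slot index})."""
    names = list(users)
    nbits = len(next(iter(users.values())))
    channel = [users[name][i] for i in range(nbits) for name in names]
    slots = {name: idx for idx, name in enumerate(names)}
    return channel, slots


def tdma_receive(channel, slot, frame_len):
    """Read every frame_len-th bit starting at the receiver's own slot."""
    return channel[slot::frame_len]


if __name__ == "__main__":
    # Constructed sample traffic, three senders sharing one channel.
    users = {"alice": [1, 0, 1, 1], "bob": [0, 0, 1, 0], "carol": [1, 1, 0, 0]}
    channel, codes = cdma_transmit(users)
    print("CDMA channel chips:", channel)
    for name, code in codes.items():
        print(name, "->", cdma_receive(channel, code))
    print("unassigned code hears:", cdma_receive(channel, WALSH_4[3]))
    frames, slots = tdma_transmit(users)
    print("TDMA frames:", frames, "bob's slot ->",
          tdma_receive(frames, slots["bob"], len(slots)))
```

The CDMA channel values are sums of +1/-1 chips, so the combined signal looks like noise to anyone holding a code that was never assigned: the correlation comes out zero for every bit, which is the "different languages" effect the text describes. Real S-CDMA adds synchronization and much longer codes, but the orthogonality argument is the same.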

Plans for frequency allocation bands differ between North American and European cable systems. Euro-DOCSIS is adapted for use in Europe. The main differences between DOCSIS and Euro-DOCSIS relate to channel bandwidths. TV technical standards vary across the world, which affects the way DOCSIS variants develop. International TV standards include NTSC in North America and parts of Japan; PAL in most of Europe, Asia, Africa, Australia, Brazil, and Argentina; and SECAM in France and some Eastern European countries.

More information is available at these websites:



6.2.2 - Cable
The diagram depicts a listing of information on Data-over-Cable Service Interface Specification (DOCSIS).
- DOCSIS is a standard for certification of cable equipment vendor devices (cable modem and cable modem termination system).
- DOCSIS specifies the physical and MAC layers.
- DOCSIS defines RF interface requirements for a data-over-cable system.
- Cable equipment vendors must pass certification conducted by CableLabs.
- Euro-DOCSIS is a variation adapted for use in Europe.


Page 4:
Delivering services over a cable network requires different radio frequencies. Downstream frequencies are in the 50 to 860 MHz range, and the upstream frequencies are in the 5 to 42 MHz range.

Two types of equipment are required to send digital modem signals upstream and downstream on a cable system:

  • Cable modem termination system (CMTS) at the headend of the cable operator
  • Cable modem (CM) on the subscriber end

Roll over the components in the figure and observe the role each plays.

A headend CMTS communicates with CMs located in subscriber homes. The headend is actually a router with databases for providing Internet services to cable subscribers. The architecture is relatively simple, using a mixed optical-coaxial network in which optical fiber replaces the lower bandwidth coaxial.

A web of fiber trunk cables connects the headend to the nodes where optical-to-RF signal conversion takes place. The fiber carries the same broadband content for Internet connections, telephone service, and streaming video as the coaxial cable carries. Coaxial feeder cables originate at the node and carry the RF signals to the subscribers.

In a modern HFC network, typically 500 to 2,000 active data subscribers are connected to a cable network segment, all sharing the upstream and downstream bandwidth. The actual bandwidth for Internet service over a CATV line can be up to 27 Mb/s on the download path to the subscriber and about 2.5 Mb/s of bandwidth on the upload path. Based on the cable network architecture, cable operator provisioning practices, and traffic load, an individual subscriber can typically get an access speed of between 256 kb/s and 6 Mb/s.

When high usage causes congestion, the cable operator can add additional bandwidth for data services by allocating an additional TV channel for high-speed data. This addition may effectively double the downstream bandwidth that is available to subscribers. Another option is to reduce the number of subscribers served by each network segment. To reduce the number of subscribers, the cable operator further subdivides the network by laying the fiber-optic connections closer and deeper into the neighborhoods.
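The sharing arithmetic and the two congestion remedies above can be put into a small planning model. The following is an added example (not course material) that takes the figures from the text (27 Mb/s downstream and 2.5 Mb/s upstream per segment, 500 to 2,000 subscribers) and works out the per-subscriber share before and after allocating another TV channel to data or splitting the segment. The 10 percent busy-hour active ratio, the preference for adding a channel before splitting, and the two-channel ceiling are assumptions for the demonstration, not values from the text.

```python
"""HFC segment capacity planner: an added example, not course material.
Models one cable segment whose active subscribers share the downstream
and upstream bandwidth figures from the text, plus the two congestion
remedies the text names: allocate another TV channel to data, or split
the segment by pushing fiber deeper into the neighborhood."""
from dataclasses import dataclass, replace

DOWN_PER_CHANNEL_MBPS = 27.0          # downstream data capacity of one channel
UP_MBPS = 2.5                         # upstream capacity of the segment
MIN_SEGMENT, MAX_SEGMENT = 500, 2000  # subscriber range from the text


@dataclass(frozen=True)
class Segment:
    subscribers: int
    active_ratio: float = 0.10   # assumption: fraction online at the busy hour
    data_channels: int = 1       # TV channels allocated to high-speed data

    def __post_init__(self):
        if not 1 <= self.subscribers <= MAX_SEGMENT:
            raise ValueError("segment size outside the modelled range")

    @property
    def active(self):
        return max(1, round(self.subscribers * self.active_ratio))

    @property
    def down_capacity_mbps(self):
        return DOWN_PER_CHANNEL_MBPS * self.data_channels

    def per_user_kbps(self):
        """Fair share (down_kbps, up_kbps) per active subscriber."""
        return (self.down_capacity_mbps * 1000 / self.active,
                UP_MBPS * 1000 / self.active)


def add_channel(seg):
    """Remedy 1: allocate another TV channel to data (1 -> 2 doubles downstream)."""
    return replace(seg, data_channels=seg.data_channels + 1)


def split_node(seg):
    """Remedy 2: split the segment, halving the subscribers sharing it."""
    return replace(seg, subscribers=seg.subscribers // 2)


def plan(seg, target_down_kbps, max_data_channels=2):
    """Apply remedies until every active subscriber gets at least
    target_down_kbps downstream. Assumed order: add channels first (no
    civil works), then split the segment, never below MIN_SEGMENT.
    Returns (final segment, list of remedies applied)."""
    steps = []
    while seg.per_user_kbps()[0] < target_down_kbps:
        if seg.data_channels < max_data_channels:
            seg = add_channel(seg)
            steps.append("add_channel")
        elif seg.subscribers // 2 >= MIN_SEGMENT:
            seg = split_node(seg)
            steps.append("split_node")
        else:
            raise ValueError("target not reachable with the modelled remedies")
    return seg, steps


if __name__ == "__main__":
    seg = Segment(subscribers=2000)
    print("2,000 subscribers, one channel: %.0f kb/s down, %.1f kb/s up each"
          % seg.per_user_kbps())
    final, steps = plan(seg, target_down_kbps=256)
    print("to reach 256 kb/s:", steps, "->", final.per_user_kbps())
    final, steps = plan(seg, target_down_kbps=500)
    print("to reach 500 kb/s:", steps, "->", final.per_user_kbps())
```

Note the upstream figure: with 200 active subscribers on a fully loaded segment each gets only 12.5 kb/s of the 2.5 Mb/s return path, and adding a downstream channel does nothing for it; only splitting the segment helps the upstream direction in this model.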


6.2.2 - Cable
The diagram depicts sending data over cable. The equipment typically used is identified:
- Data service runs between cable modem and Cable Modem Termination System (CMTS).
- Users on a segment share upstream and downstream bandwidth.

Network Topology:
A building location labeled Headend contains servers (provisioning, cache, Web e-mail) and a CMTS. The CMTS connects to a fiber trunk that connects to a node for distribution to subscribers. The node connects to an amplifier and finally to a drop cable that carries signals to the cable modem in a home.

Rollover text provides additional information on data-over-cable components:

CMTS: A cable modem termination system exchanges digital signals with cable modems on a cable network. A headend CMTS communicates with cable modems that are located in subscriber homes.

Fiber: The trunk portion of the cable network is usually fiber optic cable.

Node: Nodes convert optical signals to RF signals.

Cable Modem: A cable modem enables you to receive data at high speeds. Typically, the cable modem attaches to a standard 10BASE-T Ethernet card in the computer.

Distribution Area: A distribution network segment (feeder segment) serves from 500 to as many as 2,000 subscribers.


6.2.3 DSL

Page 1:
DSL is a means of providing high-speed connections over installed copper wires. In this section, we look at DSL as one of the key teleworker solutions available.

Several years ago, Bell Labs identified that a typical voice conversation over a local loop only required bandwidth of 300 Hz to 3 kHz. For many years, the telephone networks did not use the bandwidth above 3 kHz. Advances in technology allowed DSL to use the additional bandwidth from 3 kHz up to 1 MHz to deliver high-speed data services over ordinary copper lines.

As an example, asymmetric DSL (ADSL) uses a frequency range from approximately 20 kHz to 1 MHz. Fortunately, only relatively small changes to existing telephone company infrastructure are required to deliver high-bandwidth data rates to subscribers. The figure shows a representation of bandwidth space allocation on a copper wire for ADSL. The blue area identifies the frequency range used by the voice-grade telephone service, which is often referred to as the plain old telephone service (POTS). The other colored spaces represent the frequency space used by the upstream and downstream DSL signals.

The two basic types of DSL technologies are asymmetric (ADSL) and symmetric (SDSL). All forms of DSL service are categorized as ADSL or SDSL, and there are several varieties of each type. ADSL provides higher downstream bandwidth to the user than upload bandwidth. SDSL provides the same capacity in both directions.

The different varieties of DSL provide different bandwidths, some with capabilities exceeding those of a T1 or E1 leased line. The transfer rates are dependent on the actual length of the local loop, and the type and condition of its cabling. For satisfactory service, the loop must be less than 5.5 kilometers (3.5 miles).


6.2.3 - DSL
The diagram depicts information describing asymmetric DSL (ADSL), which allows telephone service and DSL service to share the same line.

A chart is shown identifying the frequency range used by the voice-grade telephone service, which is often referred to as the plain old telephone service (POTS). This range is from approximately 300 Hz to 3 kHz. The other area identified represents the frequencies used by the upstream and downstream DSL signals. DSL uses a frequency range from approximately 20 kHz to 1 MHz.
- Uses high transmission frequencies (up to 1 megahertz)
- Technology for delivering high bandwidth over regular copper lines
- Connection between subscriber and CO


Page 2:
Service providers deploy DSL connections in the last step of a local telephone network, called the local loop or last mile. The connection is set up between a pair of modems on either end of a copper wire that extends between the customer premises equipment (CPE) and the DSL access multiplexer (DSLAM). A DSLAM is the device located at the central office (CO) of the provider and concentrates connections from multiple DSL subscribers.

Click the DSL Connections button in the figure.

The figure shows the key equipment needed to provide a DSL connection to a SOHO. The two key components are the DSL transceiver and the DSLAM:

  • Transceiver - Connects the computer of the teleworker to the DSL. Usually the transceiver is a DSL modem connected to the computer using a USB or Ethernet cable. Newer DSL transceivers can be built into small routers with multiple 10/100 switch ports suitable for home office use.
  • DSLAM - Located at the CO of the carrier, the DSLAM combines individual DSL connections from users into one high-capacity link to an ISP, and thereby, to the Internet.

Click the DSL Router and DSLAM button in the figure.

The advantage that DSL has over cable technology is that DSL is not a shared medium. Each user has a separate direct connection to the DSLAM. Adding users does not impede performance, unless the DSLAM Internet connection to the ISP, or the Internet, becomes saturated.


6.2.3 - DSL
The diagram depicts information describing DSL connections and photographs of DSL routers and DSL access multiplexer (DSLAM) chassis.

DSL Connections:
A home location labeled SOHO contains a DSL modem, a PC, telephones, and microfilters. The PC connects to the DSL modem and then to the phone line. Each telephone connects to a microfilter, which is between the phone and the phone line. The phone line carries both the DSL data and the telephone voice frequencies back to the telephone company CO. For DSL, the maximum distance between the subscriber and the CO is 5,460 meters or 18,000 feet. At the CO, the voice is split off and sent to the PSTN Class 5 switch. The data is sent to a DSLAM and then to the ISP and Internet.

DSL Router and DSLAM:
Photographs of Cisco 830 and 870 Series broadband routers are shown. Photographs of Cisco 7600 Series Router chassis are also shown.


Page 3:
The major benefit of ADSL is the ability to provide data services along with POTS voice services.

When the service provider puts analog voice and ADSL on the same wire, the provider splits the POTS channel from the ADSL modem using filters or splitters. This setup guarantees uninterrupted regular phone service even if ADSL fails. When filters or splitters are in place, the user can use the phone line and the ADSL connection simultaneously without adverse effects on either service.

ADSL signals distort voice transmission and are split or filtered at the customer premises. There are two ways to separate ADSL from voice at the customer premises: using a microfilter or using a splitter.

A microfilter is a passive low-pass filter with two ends. One end connects to the telephone, and the other end connects to the telephone wall jack. This solution eliminates the need for a technician to visit the premises and allows the user to use any jack in the house for voice or ADSL service.

POTS splitters separate the DSL traffic from the POTS traffic. The POTS splitter is a passive device. In the event of a power failure, the voice traffic still travels to the voice switch in the CO of the carrier. Splitters are located at the CO and, in some deployments, at the customer premises. At the CO, the POTS splitter separates the voice traffic, destined for POTS connections, and the data traffic destined for the DSLAM.

The figure shows the local loop terminating on the customer premises at the demarcation point. The actual device is the network interface device (NID). This point is usually where the phone line enters the customer premises. At this point, a splitter can be attached to the phone line. The splitter forks the phone line; one branch provides the original house telephone wiring for telephones, and the other branch connects to the ADSL modem. The splitter acts as a low-pass filter, allowing only the 0 to 4 kHz frequencies to pass to or from the telephone. Installing the POTS splitter at the NID usually means that a technician must go to the customer site.

Because of this additional labor and technical support, most home installations today use microfilters, as shown in the figure. Using microfilters also has the advantage of providing wider connectivity through the residence. Since the POTS splitter separates the ADSL and voice signals at the NID, there is usually only one ADSL outlet available in the house.

Click the Microfilter button in the figure.

The figure shows a typical SOHO DSL layout using microfilters. In this solution, the user can install inline microfilters on each telephone, or install wall-mounted microfilters in place of regular telephone jacks. If you roll over the microfilters on the graphic, photos of Cisco products are shown.

Click the Splitter button in the figure.

If the service provider were to have installed a splitter, it would be placed between the NID and the inside telephone distribution system. One wire would go directly to the DSL modem, and the other would carry the voice signal to the telephones. If you roll over the splitter box on the graphic, a typical wiring scheme will be revealed.


6.2.3 - DSL
The diagram depicts additional information on separating data from voice in ADSL connections. An ADSL topology is presented along with diagrams showing how microfilters and splitters are used to separate voice and data.

ADSL:
- A key feature of ADSL is coexistence with POTS.
- Transmission of voice and data signals is performed on the same wire pair.
- Data circuits are offloaded from the voice switch.

A home location labeled Customer Premises contains an ADSL modem (CPE), a PC, an analog phone, and a microfilter. The PC connects to the ADSL modem and then to the phone line. The phone line connects to the network interface device (NID) on the outside of the home.

The telephone connects to a microfilter that is between the phone and the phone line within the home. The phone line carries both POTS and ADSL to the telephone company CO. At the CO, a POTS splitter separates analog voice and directs it to a Class 5 PSTN switch. The splitter directs ADSL data to the DSLAM.

Microfilters:
The diagram shows a typical SOHO DSL layout using microfilters. An inline microfilter can be installed for each telephone or a wall-mounted microfilter can be used in place of regular telephone jacks. Rolling over the microfilters on the diagram shows photos of Cisco EZ-DSL inline and wall-mounted products.

Splitters:
A splitter is placed between the NID and the inside telephone distribution system. One pair of wires goes directly to the DSL modem, and the other carries the voice signal to the telephones. Rolling over the splitter box on the diagram shows a typical wiring scheme, where a single pair of wires comes into the NID from the telephone company and is split into two pairs. One pair goes to the DSL data jack, and one pair goes to the phone jacks.


6.2.4 Broadband Wireless

Page 1:
Broadband access by ADSL or cable provides teleworkers with faster connections than dialup, but until recently, SOHO PCs had to connect to a modem or a router over a Cat 5 (Ethernet) cable. Wireless networking, or Wi-Fi (wireless fidelity), has improved that situation, not only in the SOHO, but on enterprise campuses as well.

Using 802.11 networking standards, data travels from place to place on radio waves. What makes 802.11 networking relatively easy to deploy is that it uses the unlicensed radio spectrum to send and receive data. Most radio and TV transmissions are government regulated and require a license to use.

Beginning in 2007, computer manufacturers started building wireless network adapters into most laptop computers. As the price of chipsets for Wi-Fi continues to drop, it is becoming a very economical networking option for desktop computers as well.

The benefits of Wi-Fi extend beyond not having to use or install wired network connections. Wireless networking provides mobility. Wireless connections provide increased flexibility and productivity to the teleworker.


6.2.4 - Broadband Wireless
The diagram uses a cutaway view to depict the use of broadband wireless inside a home with three floors. Computers with wireless capability are shown in the bedrooms, a home office, the living room, and on the patio.


Page 2:
Until recently, a significant limitation of wireless access has been the need to be within the local transmission range (typically less than 100 feet) of a wireless router or wireless access point that has a wired connection to the Internet. Once a worker left the office or home, wireless access was not readily available.

However, with advances in technology, the reach of wireless connections has been extended. The concept of hotspots has increased access to wireless connections across the world. A hotspot is the area covered by one or more interconnected access points. Public gathering places, like coffee shops, parks, and libraries, have created Wi-Fi hotspots, hoping to increase business. By overlapping access points, hotspots can cover many square miles.

New developments in broadband wireless technology are increasing wireless availability. These include:

  • Municipal Wi-Fi
  • WiMAX
  • Satellite Internet

Municipal governments have also joined the Wi-Fi revolution. Often working with service providers, cities are deploying municipal wireless networks. Some of these networks provide high-speed Internet access at no cost or for substantially less than the price of other broadband services. Other cities reserve their Wi-Fi networks for official use, providing police, fire fighters, and city workers remote access to the Internet and municipal networks.

Click the Single Router button in the figure.

The figure shows a typical home deployment using a single wireless router. This deployment uses the hub-and-spoke model. If the single wireless router fails, all connectivity is lost. Use your mouse to roll over the text box.

Click the Mesh button in the figure.

Most municipal wireless networks use a mesh topology rather than a hub-and-spoke model. A mesh is a series of access points (radio transmitters) as shown in the figure. Each access point is in range and can communicate with at least two other access points. The mesh blankets its area with radio signals. Signals travel from access point to access point through this cloud.

A meshed network has several advantages over single router hotspots. Installation is easier and can be less expensive because there are fewer wires. Deployment over a large urban area is faster. From an operational point of view, it is more reliable. If a node fails, others in the mesh compensate for it.

Click the WiMAX button in the figure.

WiMAX (Worldwide Interoperability for Microwave Access) is a telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular type access. WiMAX operates at higher speeds, over greater distances, and for a greater number of users than Wi-Fi. Because of its higher speed (bandwidth) and falling component prices, it is predicted that WiMAX will soon supplant municipal mesh networks for wireless deployments.

A WiMAX network consists of two main components:

  • A tower that is similar in concept to a cellular telephone tower. A single WiMAX tower can provide coverage to an area as large as 3,000 square miles, or almost 7,500 square kilometers.
  • A WiMAX receiver that is similar in size and shape to a PCMCIA card, or built into a laptop or other wireless device.

A WiMAX tower station connects directly to the Internet using a high-bandwidth connection (for example, a T3 line). A tower can also connect to other WiMAX towers using line-of-sight microwave links. WiMAX is thus able to provide coverage to rural areas out of reach of "last mile" cable and DSL technologies.

Click the Satellite button in the figure.

Satellite Internet services are used in locations where land-based Internet access is not available, or for temporary installations that are continually on the move. Internet access using satellites is available worldwide, including for vessels at sea, airplanes in flight, and vehicles moving on land.

There are three ways to connect to the Internet using satellites: one-way multicast, one-way terrestrial return, and two-way.

  • One-way multicast satellite Internet systems are used for IP multicast-based data, audio, and video distribution. Even though most IP protocols require two-way communication, Internet content such as web pages can be "pushed" by a one-way satellite service to local storage at end-user sites. Full interactivity is not possible.
  • One-way terrestrial return satellite Internet systems use traditional dialup access to send outbound data through a modem and receive downloads from the satellite.
  • Two-way satellite Internet sends data from remote sites via satellite to a hub, which then sends the data to the Internet. The satellite dish at each location needs precise positioning to avoid interference with other satellites.

The figure illustrates a two-way satellite Internet system. Upload speeds are about one-tenth of the download speed, which is in the range of 500 kb/s.

The key installation requirement is for the antenna to have a clear view toward the equator, where most orbiting satellites are stationed. Trees and heavy rains can affect reception of the signals.

Two-way satellite Internet uses IP multicasting technology, which allows one satellite to serve up to 5,000 communication channels simultaneously. IP multicast sends data from one point to many points at the same time by sending data in a compressed format. Compression reduces the size of the data and the bandwidth.


6.2.4 - Broadband Wireless
The diagram depicts the types of broadband wireless access. These include single router, meshed municipal WiFi, WiMAX, and satellite.

Single Router: The diagram shows a typical home deployment using a single wireless router. This deployment uses the hub-and-spoke model. A wireless router is shown with three laptops around it, two of which are in range and are connected. In a normal situation, any PC within range is connected. But if the router fails, there is no connectivity for any device.

Meshed Municipal WiFi: Most municipal wireless networks use a mesh topology. A mesh, or series of access points (radio transmitters), is shown in the diagram. Each access point (AP) can communicate with at least two other access points. The mesh blankets the area with radio signals. Signals travel from access point to access point through this cloud. Three of the APs connect to a backhaul node that connects to the ISP and the Internet.

WiMAX:
WiMAX (Worldwide Interoperability for Microwave Access) is based on the IEEE 802.16 family of standards. A WiMAX network consists of two main components:

Tower - Similar in concept to a cellular telephone tower.

Receiver - Similar in size and shape to a PCMCIA card, or can be built into a laptop or other wireless device.

The diagram shows a home LAN with a WiMAX receiver connected over a non-line-of-sight wireless link to a WiMAX tower. That tower connects to another WiMAX tower using a line-of-sight microwave link. The second tower connects to a WiMAX tower station that connects directly to the Internet.

Satellite:
The diagram shows two-way satellite, which sends data from remote sites via satellite to a hub that then sends the data to the Internet. A satellite service subscriber with a dish is linked to a satellite that is linked to a dish at the satellite service provider's ISP.


Page 3:
Wireless networking complies with a range of standards that routers and receivers use to communicate with each other. The most common standards are included in the IEEE 802.11 wireless local area network (WLAN) standard, which addresses the 5 GHz and 2.4 GHz public (unlicensed) spectrum bands.

The terms 802.11 and Wi-Fi appear interchangeably, but this is incorrect. Wi-Fi is an industry-driven interoperability certification based on a subset of 802.11. The Wi-Fi specification came about because market demand led the Wi-Fi Alliance to begin certifying products before amendments to the 802.11 standard were complete. The 802.11 standard has since caught up with and passed Wi-Fi.

From the point of view of teleworkers, the most popular access approaches to connectivity are those defined by the IEEE 802.11b and IEEE 802.11g protocols. Security was originally intentionally weak in these protocols because of the restrictive export requirements of multiple governments. The latest standard, 802.11n, is a proposed amendment that builds on the previous 802.11 standards by adding multiple-input multiple-output (MIMO).

The 802.16 (or WiMAX) standard allows transmissions up to 70 Mb/s, and has a range of up to 30 miles (50 km). It can operate in licensed or unlicensed bands of the spectrum from 2 to 6 GHz.


6.2.4 - Broadband Wireless
The diagram depicts a photograph of a Linksys wireless broadband router commonly used by SOHOs and teleworkers. Teleworker equipment generally uses the 2.4 GHz range complying with these standards:
- 802.11b - 11 Mb/s, 2.4 GHz
- 802.11g - 54 Mb/s, 2.4 GHz
- 802.11n - >54 Mb/s, MIMO, 2.4 GHz


Page 4:
In this activity, you will demonstrate your ability to add broadband devices and connections to Packet Tracer. Although you cannot configure DSL and cable modems, you can simulate end-to-end connectivity to teleworker devices.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


6.2.4 - Broadband Wireless
Link to Packet Tracer Exploration: Broadband Services


6.3 VPN Technology

6.3.1 VPNs and Their Benefits

Page 1:
The Internet is a worldwide, publicly accessible IP network. Because of its vast global proliferation, it has become an attractive way to interconnect remote sites. However, the fact that it is a public infrastructure poses security risks to enterprises and their internal networks. Fortunately, VPN technology enables organizations to create private networks over the public Internet infrastructure that maintain confidentiality and security.

Organizations use VPNs to provide a virtual WAN infrastructure that connects branch offices, home offices, business partner sites, and remote telecommuters to all or portions of their corporate network. To remain private, the traffic is encrypted. Instead of using a dedicated Layer 2 connection, such as a leased line, a VPN uses virtual connections that are routed through the Internet.

Earlier in this course, an analogy involving getting priority tickets for a stadium show was introduced. An extension to that analogy will help explain how a VPN works. Picture the stadium as a public place in the same way as the Internet is a public place. When the show is over, the public leaves through public aisles and doorways, jostling and bumping into each other along the way. Petty thefts are threats to be endured.

Consider how the performers leave. Their entourage all link arms and form cordons through the mobs and protect the celebrities from all the jostling and pushing. In effect, these cordons form tunnels. The celebrities are whisked through tunnels into limousines that carry them cocooned to their destinations. This section describes how VPNs work in much the same way, bundling data and safely moving it across the Internet through protective tunnels. An understanding of VPN technology is essential to be able to implement secure teleworker services on enterprise networks.

Analogy: Each LAN Is an IsLANd

We will use another analogy to illustrate the VPN concept from a different point of view. Imagine that you live on an island in a huge ocean. There are thousands of other islands all around you, some very close and others farther away. The normal way to travel is to take a ferry from your island to whichever island you wish to visit. Traveling on a ferry means that you have almost no privacy. Anything you do can be seen by someone else.

Assume that each island represents a private LAN, and the ocean is the Internet. When you travel by ferry, it is similar to when you connect to a web server or to another device through the Internet. You have no control over the wires and routers that make up the Internet, just like you have no control over the other people on the ferry. This leaves you susceptible to security issues if you try to connect between two private networks using a public resource.

Your island decides to build a bridge to another island so that there is an easier, more secure and direct way for people to travel between the two. It is expensive to build and maintain the bridge, even though the island you are connecting with is very close. But the need for a reliable, secure path is so great that you do it anyway. Your island would like to connect to a second island that is much farther away, but you decide that it is too expensive.

This situation is very much like having a leased line. The bridges (leased lines) are separate from the ocean (Internet), yet they are able to connect the islands (LANs). Many companies have chosen this route because of the need for security and reliability in connecting their remote offices. However, if the offices are very far apart, the cost can be prohibitively high, just like trying to build a bridge that spans a great distance.

So how does VPN fit into this analogy? We could give each inhabitant of the islands their own small submarine with these properties:

  • Fast
  • Easy to take with you wherever you go
  • Able to hide you completely from any other boats or submarines
  • Dependable
  • Costs little to add additional submarines to your fleet once the first is purchased

Although they are traveling in the ocean along with other traffic, the inhabitants of our two islands could travel back and forth whenever they wanted to with privacy and security. That is essentially how a VPN works. Each remote member of your network can communicate in a secure and reliable manner using the Internet as the medium to connect to the private LAN. A VPN can grow to accommodate more users and different locations much easier than a leased line. In fact, scalability is a major advantage that VPNs have over typical leased lines. Unlike leased lines, where the cost increases in proportion to the distances involved, the geographic locations of each office matter little in the creation of a VPN.


6.3.1 - VPNs and Their Benefits
The diagram depicts a description of VPNs and various VPN connections.

A VPN is:
- Virtual: Information within a private network is transported over a public network.
- Private: The traffic is encrypted to keep the data confidential.

Network Topology:
A main site building is shown with a perimeter router, firewall, legacy concentrator, and a corporate network attached. Various external locations connect to the main site using VPN technology:

- Business partner with a router connects to the perimeter router.
- Regional office with a firewall connects to the perimeter router. The connection between the firewall and the perimeter router is labeled IPSec.
- SOHO with an ISDN/DSL router connects to a POP with an access server.
- Mobile worker with a VPN client on a laptop computer connects to a POP with an access server.
- Access server connects to the perimeter router.


Page 2:
Organizations using VPNs benefit from increased flexibility and productivity. Remote sites and teleworkers can connect securely to the corporate network from almost any place. Data on a VPN is encrypted and undecipherable to anyone not entitled to have it. VPNs bring remote hosts inside the firewall, giving them close to the same levels of access to network devices as if they were in a corporate office.

The figure shows leased lines in red. The blue lines represent VPN-based connections. Consider these benefits when using VPNs:

  • Cost savings - Organizations can use cost-effective, third-party Internet transport to connect remote offices and users to the main corporate site. This eliminates expensive dedicated WAN links and modem banks. By using broadband, VPNs reduce connectivity costs while increasing remote connection bandwidth.
  • Security - Advanced encryption and authentication protocols protect data from unauthorized access.
  • Scalability - VPNs use the Internet infrastructure within ISPs and carriers, making it easy for organizations to add new users. Organizations, big and small, are able to add large amounts of capacity without adding significant infrastructure.


6.3.1 - VPNs and Their Benefits
The diagram depicts the benefits of VPNs. A branch office, a mobile user, and a SOHO are each shown connecting to the central site using traditional Layer 2 WAN technologies and VPNs through the public Internet.

Compared to leased-line options, VPN benefits include cost savings, added security, and increased scalability.


6.3.2 Types of VPNs

Page 1:
Organizations use site-to-site VPNs to connect dispersed locations in the same way as a leased line or Frame Relay connection is used. Because most organizations now have Internet access, it makes sense to take advantage of the benefits of site-to-site VPNs. As illustrated in the figure, site-to-site VPNs also support company intranets and business partner extranets.

In effect, a site-to-site VPN is an extension of classic WAN networking. Site-to-site VPNs connect entire networks to each other. For example, they can connect a branch office network to a company headquarters network.

In a site-to-site VPN, hosts send and receive TCP/IP traffic through a VPN gateway, which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA). The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site. On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.


6.3.2 - Types of VPNs
The diagram depicts a topology that connects external sites to the central site using site-to-site VPNs. Site-to-site VPNs are extensions of the classic WAN.

Network Topology:
A main site building cloud is shown with a perimeter router at the edge. Inside the central site cloud is an adaptive security appliance (ASA), router, and firewall, each of which can be used to terminate the external VPN connections. Various external locations connect to the main site using site-to-site VPN technology.

Remote Site - Connects to a POP using DSL or cable. The POP connects to the Internet.

Intranet - Site with two routers. One connects to a POP, and the other connects directly to the Internet.

Extranet - Router connects directly to the Internet.


Page 2:
Mobile users and telecommuters use remote access VPNs extensively. In the past, corporations supported remote users using dialup networks. This usually involved a toll call and incurring long distance charges to access the corporation.

Most teleworkers now have access to the Internet from their homes and can establish remote VPNs using broadband connections. Similarly, a mobile worker can make a local call to a local ISP to access the corporation through the Internet. In effect, this marks an evolutionary advance in dialup networks. Remote access VPNs can support the needs of telecommuters and mobile users, as well as extranet consumer-to-business connections.

In a remote-access VPN, each host typically has VPN client software. Whenever the host tries to send any traffic, the VPN client software encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network. On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.


6.3.2 - Types of VPNs
The diagram depicts a topology that connects external sites to the central site using remote access VPNs. Remote access VPNs mark an evolutionary step in dialup and ISDN networks.

Network Topology:
A main site building cloud is shown with a perimeter router at the edge. Inside the central site cloud is a VPN concentrator, an ASA, a router, and a firewall, each of which can be used to terminate the external VPN connections. Various external locations connect to the main site using remote access VPN technology.

Remote Access Clients:
Telecommuter - Connects to a POP using DSL or cable. The POP connects to the Internet.

Mobile User - Connects to a POP using wireless. The POP connects to the Internet.

Extranet Consumer-to-Business - Connects to a POP using wireless. The POP connects to the Internet.


6.3.3 VPN Components

Page 1:
A VPN creates a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide protection against packet sniffing, along with sender authentication and message integrity.

The figure illustrates a typical VPN topology. Components required to establish this VPN include:

  • An existing network with servers and workstations
  • A connection to the Internet
  • VPN gateways, such as routers, firewalls, VPN concentrators, and ASAs, that act as endpoints to establish, manage, and control VPN connections
  • Appropriate software to create and manage VPN tunnels

The key to VPN effectiveness is security. VPNs secure data by encapsulating or encrypting the data. Most VPNs can do both.

  • Encapsulation is also referred to as tunneling, because encapsulation transmits data transparently from network to network through a shared network infrastructure.
  • Encryption codes data into a different format using a secret key. Decryption decodes encrypted data into the original unencrypted format.

Encapsulation and encryption are discussed in more detail later in this course.


6.3.3 - VPN Components
The diagram depicts a topology and the VPN components that connect external sites to the corporate network.

Network Topology:
A corporate network building is shown with a perimeter router at the edge. Inside the central site cloud, the router is connected to a firewall and a VPN concentrator. These provide access to the corporate servers and other resources. Various external locations connect to the corporate network using site-to-site VPN technology and components.

Business Partner with Router - Connects to the Internet cloud, which connects to the corporate perimeter router.

Remote Office with Router - Connects to the Internet cloud, which connects to the corporate perimeter router.

Regional Office with Firewall - Connects to the Internet cloud, which connects to the corporate perimeter router.

SOHO with broadband connection - Router connects to a POP, which contains an access server. The POP connects to the Internet cloud, which connects to the corporate perimeter router.

Teleworker with a VPN Client on a Laptop Computer - Client connects to a POP, which contains an access server. The POP connects to the Internet cloud, which connects to the corporate perimeter router.


6.3.4 Characteristics of Secure VPNs

Page 1:
VPNs use advanced encryption techniques and tunneling to permit organizations to establish secure, end-to-end, private network connections over the Internet.

The foundation of a secure VPN is data confidentiality, data integrity, and authentication:

  • Data confidentiality - A common security concern is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the contents of messages from interception by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.
  • Data integrity - Receivers have no control over the path the data has traveled and therefore do not know if the data has been seen or handled while it journeyed across the Internet. There is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use hashes to ensure data integrity. A hash is like a checksum or a seal that guarantees that no one has altered the content, but it is more robust. Hashes are explained in the next topic.
  • Authentication - Authentication ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party with whom the user establishes communications is who the user thinks the party is. VPNs can use passwords, digital certificates, smart cards, and biometrics to establish the identity of parties at the other end of a network.


6.3.4 - Characteristics of Secure VPNs
The diagram depicts secure VPN characteristics and their purpose. With VPNs, data confidentiality depends on encryption and encapsulation, and data integrity depends on hashing.

Characteristic: Data Confidentiality
Purpose: Protects data from eavesdroppers (sniffing).

Characteristic: Data Integrity
Purpose: Guarantees that no tampering or alterations occur.

Characteristic: Authentication
Purpose: Ensures that only authorized senders and devices enter the network.


6.3.5 VPN Tunneling

Page 1:
Incorporating appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents.

Tunneling allows the use of public networks like the Internet to carry data for users as though the users had access to a private network. Tunneling encapsulates an entire packet within another packet and sends the new, composite packet over a network. This figure lists the three classes of protocols that tunneling uses.

To illustrate the concept of tunneling and the classes of tunneling protocols, consider an example of sending a holiday card through traditional mail. The holiday card has a message inside. The card is the passenger protocol. The sender puts the card inside an envelope (encapsulating protocol) with proper addressing applied. The sender then drops the envelope into a mailbox for delivery. The postal system (carrier protocol) picks up and delivers the envelope to the mailbox of the recipient. The two endpoints in the carrier system are the "tunnel interfaces." The recipient removes the holiday card (extracts the passenger protocol) and reads the message.

Click the Encapsulation button in the figure to view an illustration of the encapsulation process.

This figure illustrates an e-mail message traveling through the Internet over a VPN connection. PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet. GRE is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP internetwork. In the figure, the outer packet source and destination addressing is assigned to "tunnel interfaces" and is made routable across the network. Once a composite packet reaches the destination tunnel interface, the inside packet is extracted. Note that GRE by itself provides encapsulation only, not encryption; the passenger packet is still readable on the path unless IPsec is applied to the GRE packet, which is why the figure shows IPsec around the GRE layer.


6.3.5 - VPN Tunneling
The diagram depicts tunneling protocols and the VPN packet encapsulation process.

Tunneling Protocols:
Carrier protocol:
- The protocol over which the information is traveling (Frame Relay, ATM, MPLS).
Encapsulating protocol:
- The protocol that is wrapped around the original data (GRE, IPSec, L2F, PPTP, L2TP).
Passenger protocol:
- The protocol over which the original data was being carried (IPX, AppleTalk, IPv4, IPv6).

Encapsulation:
In the diagram, a sender computer sends a packet to a VPN device. From there, it enters the VPN tunnel in the Internet. It exits the tunnel at a VPN device on the other end. The packet then goes to an access server and then to the receiver.

The diagram illustrates an SMTP e-mail message traveling through the Internet over a VPN connection. PPP carries the message to the VPN device, where the message is encapsulated within a Generic Routing Encapsulation (GRE) packet. The outer packet source and destination addressing is assigned to tunnel interfaces and is made routable across the network. When the composite packet reaches the destination tunnel interface, the inside packet is extracted.

Packet Encapsulation Protocols (inside to outside):

Packet from the client computer:
SMTP to TCP to IP to PPP

Packet in transmission through the Internet VPN tunnel:
SMTP to TCP to IP to PPP to GRE to IPSec to IP (the IPSec header sits between the GRE packet and the outer IP header; the outer IP header carries the tunnel interface addresses, and it is the only addressing visible on the Internet)

Packet from the VPN to the receiving computer:
SMTP to TCP to IP to PPP
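The layering the figure describes, carried out in code. This is an added example and not part of the course material: it builds a constructed inner IPv4 packet (the passenger), wraps it in a 4-byte GRE header (the encapsulating protocol) and an outer IPv4 header addressed between the two tunnel interfaces (the carrier), then decapsulates it at the far end. The addresses reuse the chapter's 209.165.x.x and 192.168.x.x ranges; the TCP segment bytes are invented for the demonstration, and nothing is sent on the wire. Note what the example makes visible: GRE alone leaves the passenger packet readable on the Internet path, which is why the figure stacks IPsec on top of it.

```python
"""GRE tunneling: passenger, encapsulating and carrier layers (added example).

An IPv4 packet (passenger) is wrapped in a GRE header (encapsulating
protocol) and an outer IPv4 header (carrier) whose addresses are the two
tunnel interfaces.  All data is constructed in-process; nothing is sent.
"""
import struct

GRE_PROTOCOL = 47           # IP protocol number that identifies GRE in the outer header
ETHERTYPE_IPV4 = 0x0800     # GRE "protocol type" value for an IPv4 passenger packet


def ip_checksum(header: bytes) -> int:
    """Ones'-complement sum used by the IPv4 header checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    def addr(dotted: str) -> bytes:
        return bytes(int(octet) for octet in dotted.split("."))
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len,   # version/IHL, TOS, total length
                         0, 0x4000, 64, protocol, 0,  # id, DF flag, TTL, protocol, checksum=0
                         addr(src), addr(dst))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap the passenger packet: outer IPv4 (carrier) + 4-byte GRE header + passenger."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, GRE version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre) + len(passenger))
    return outer + gre + passenger


def outer_addresses(packet: bytes) -> tuple:
    """What a sniffer on the Internet path sees: only the tunnel endpoint addresses."""
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst


def gre_decapsulate(packet: bytes) -> bytes:
    """Receiving tunnel interface: validate outer header and GRE header, return passenger."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ip_checksum(outer) != 0:            # a valid header sums to zero with its checksum
        raise ValueError("bad outer IPv4 checksum")
    if outer[9] != GRE_PROTOCOL:
        raise ValueError("outer packet does not carry GRE")
    total_len = struct.unpack("!H", outer[2:4])[0]
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or flags & 0x0007:   # C/K/S optional fields or non-zero version
        raise ValueError("GRE optional fields are not handled by this example")
    if proto_type != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol 0x%04x" % proto_type)
    return packet[ihl + 4:total_len]


if __name__ == "__main__":
    # Constructed passenger: a TCP segment from the branch LAN to the central-site mail server
    segment = b"\x04\xd2\x00\x19" + b"MAIL FROM:<gail@example.com>"
    inner = ipv4_header("192.168.101.10", "192.168.1.20", 6, len(segment)) + segment
    tunneled = gre_encapsulate(inner, "209.165.202.129", "209.165.200.225")
    print("on the wire:", outer_addresses(tunneled))
    print("passenger still readable (GRE alone does not encrypt):", inner in tunneled)
    print("decapsulated matches:", gre_decapsulate(tunneled) == inner)
```

The decapsulation side rejects a corrupted outer header and any GRE header with optional fields it does not understand, rather than silently passing the payload on; a real tunnel interface makes the same checks before handing the passenger packet to the routing table.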


6.3.6 VPN Data Integrity

Page 1:
If plaintext data is transported over the public Internet, it can be intercepted and read. To keep the data private, it needs to be encrypted. VPN encryption encrypts the data and renders it unreadable to unauthorized receivers.

For encryption to work, both the sender and the receiver must know the rules used to transform the original message into its coded form. VPN encryption rules include an algorithm and a key. An algorithm is a mathematical function that combines a message, text, digits, or all three with a key. The output is an unreadable cipher string. Decryption is extremely difficult or impossible without the correct key.

In the example, Gail wants to send a financial document to Jeremy across the Internet. Gail and Jeremy have previously agreed on a secret shared key. At Gail's end, the VPN client software combines the document with the secret shared key and passes it through an encryption algorithm. The output is undecipherable cipher text. The cipher text is then sent through a VPN tunnel over the Internet. At the other end, the cipher text is recombined with the same shared secret key and processed by the matching decryption algorithm. The output is the original financial document, which is now readable to Jeremy.


6.3.6 - VPN Data Integrity
The diagram depicts VPN encryption of a financial transaction with a hacker attempting to intercept and decipher the message.

The message "Pay Jeremy $100" is sent from Gail and goes through an encryption algorithm as it enters the VPN. The encrypted message is shown, and the hacker cannot decipher it. At the receiving end, Jeremy's VPN device applies a decryption algorithm, allowing him to read the message.


Page 2:
The degree of security provided by any encryption algorithm depends on the algorithm itself and on the length of the key. For a given key length, the time it takes to try every possible key against the cipher text (a brute-force attack) is a function of the attacker's computing power, and every additional key bit doubles the number of keys to try. Therefore, the shorter the key, the easier it is to break, but at the same time, the less processing it takes to encrypt and decrypt the message.

Some of the more common encryption algorithms and the length of keys they use are as follows:

  • Data Encryption Standard (DES) algorithm - Developed by IBM, DES uses a 56-bit key and was designed for high-performance encryption. DES is a symmetric key cryptosystem. Symmetric and asymmetric keys are explained below. A 56-bit key can be recovered by brute force with modest hardware, so DES is no longer considered secure and should not be chosen for new deployments.
  • Triple DES (3DES) algorithm - A newer variant of DES that encrypts with one key, decrypts with a second key, and then encrypts one final time with a third key. 3DES provides significantly more strength than DES, at roughly three times the processing cost; it has since been deprecated by NIST in favor of AES.
  • Advanced Encryption Standard (AES) - The National Institute of Standards and Technology (NIST) adopted AES to replace DES in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key lengths: 128, 192, and 256-bit keys.
  • Rivest, Shamir, and Adleman (RSA) - An asymmetric key cryptosystem. The keys use a bit length of 512, 768, 1024, or larger. 512- and 768-bit RSA moduli have been publicly factored, and 2048 bits is the generally accepted minimum today.

Symmetric Encryption

Encryption algorithms such as DES and 3DES require a shared secret key to perform encryption and decryption. Each of the two computers must know the key to decode the information. With symmetric key encryption, also called secret key encryption, each computer encrypts the information before sending it over the network to the other computer. Symmetric key encryption requires knowledge of which computers will be talking to each other so that the same key can be configured on each computer.

For example, a sender creates a coded message where each letter is substituted with the letter that is two letters down in the alphabet; "A" becomes "C," and "B" becomes "D", and so on. In this case, the word SECRET becomes UGETGV. The sender has already told the recipient that the secret key is "shift by 2." When the recipient receives the message UGETGV, the recipient computer decodes the message by shifting back two letters and calculating SECRET. Anyone else who sees the message sees only the encrypted message, which looks like nonsense unless the person knows the secret key.

The question is, how do the encrypting and decrypting devices both have the shared secret key? You could use e-mail, courier, or overnight express to send the shared secret keys to the administrators of the devices. Another easier and more secure method is asymmetric encryption.

Asymmetric Encryption

Asymmetric encryption uses different keys for encryption and decryption. Knowing one of the keys does not allow a hacker to deduce the second key and decode the information. One key encrypts the message, while a second key decrypts the message. It is not possible to encrypt and decrypt with the same key.

Public key encryption is the usual form of asymmetric encryption and uses a key pair: a private key, which the owner never shares, and a public key, which the owner gives to anyone who wants to communicate with it. To send a confidential message, the sender encrypts it with the recipient's public key, and only the recipient, holding the matching private key, can decrypt it. The sender's own key pair is used in the other direction: the sender signs a message with its private key, and the recipient verifies the signature with the sender's public key. The sender therefore needs only the recipient's public key to keep a message confidential, and the recipient needs only the sender's public key to check who sent it.


6.3.6 - VPN Data Integrity
The diagram depicts two types of VPN encryption algorithms, symmetric and asymmetric, used to convert plain text to cipher text.

Symmetric algorithm:
- Secret key cryptography.
- Encryption and decryption use the same key.
- Typically used to encrypt the content of a message.
- Examples: DES, 3DES, AES.

Asymmetric algorithm:
- Public key cryptography.
- Encryption and decryption use different keys.
- Typically used in digital certification and key management.
- Example: RSA.


Page 3:
Hashes contribute to data integrity and authentication by ensuring that unauthorized persons cannot tamper with transmitted messages undetected. A hash, also called a message digest, is a fixed-length number computed from a message of any length, so it is normally much smaller than the message itself. It is generated using a formula in such a way that it is computationally infeasible to find some other message that produces the same hash value.

The original sender generates a hash of the message and sends it with the message itself. The recipient decrypts the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, the recipient can be reasonably sure the integrity of the message has not been affected.

In the figure, someone is trying to send Jeremy a check for US$100. At the remote end, Alex Jones (likely a criminal) is trying to cash the check for $1,000. As the check progressed through the Internet, it was altered. Both the recipient and dollar amounts were changed. In this case, if a data integrity algorithm was used, the hashes would not match, and the transaction would no longer be valid.

VPN data is transported over the public Internet. As shown, there is potential for this data to be intercepted and modified. To guard against this threat, hosts can add a hash to the message. If the transmitted hash matches the received hash, the integrity of the message has been preserved. However, if there is no match, the message was altered.

VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms. A keyed hashed message authentication code (HMAC) is a data integrity algorithm that guarantees the integrity of the message.

A HMAC has two parameters: a message input and a secret key known only to the message originator and intended receivers. The message sender uses a HMAC function to produce a value (the message authentication code), formed by condensing the secret key and the message input. The message authentication code is sent along with the message. The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used, and compares the result computed with the received message authentication code. If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key, and the size of the hash output length in bits.

There are two common HMAC algorithms:

  • Message Digest 5 (MD5) - Uses a 128-bit shared secret key. The variable length message and 128-bit shared secret key are combined and run through the HMAC-MD5 algorithm. The output is a 128-bit hash, which IPsec truncates to its leading 96 bits (HMAC-MD5-96) before appending it to the original message and forwarding it to the remote end. MD5 is considered broken as a hash function, and HMAC-MD5 should be avoided in new configurations.
  • Secure Hash Algorithm 1 (SHA-1) - Uses a 160-bit secret key. The variable length message and the 160-bit shared secret key are combined and run through the HMAC-SHA-1 algorithm. The output is a 160-bit hash, again truncated to 96 bits (HMAC-SHA-1-96) in IPsec, appended to the original message and forwarded to the remote end. SHA-1 is also deprecated; current guidance is to use the SHA-2 family (for example HMAC-SHA-256) wherever the peers support it.
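The difference between a bare hash and a keyed HMAC, run against the chapter's altered-check scenario. This is an added example written for this page, not course code, and uses only the Python standard library; the keys and messages are constructed. The 96-bit truncation mirrors what IPsec AH and ESP carry for HMAC-MD5 and HMAC-SHA-1, and the last line of the demo shows the HMAC-SHA-256 that current guidance prefers.

```python
"""Unkeyed hash versus keyed HMAC for VPN data integrity (added example).

Only the Python standard library is used.  The keys and messages below are
constructed for the demonstration; they are not real credentials.
"""
import hashlib
import hmac

SHA1_KEY = bytes.fromhex("0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d")   # 160-bit, for HMAC-SHA-1
MD5_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")            # 128-bit, for HMAC-MD5
ICV_LEN = 12   # IPsec AH/ESP carry the leading 96 bits of the HMAC (RFC 2403 / RFC 2404)


def plain_digest(message: bytes) -> bytes:
    """Bare hash: catches accidental corruption only, because anyone can recompute it."""
    return hashlib.sha1(message).digest()


def receiver_accepts_plain(message: bytes, digest: bytes) -> bool:
    """Receiver-side check when the sender appended a plain hash."""
    return plain_digest(message) == digest


def ipsec_hmac(key: bytes, message: bytes, algorithm: str = "sha1") -> bytes:
    """HMAC (RFC 2104) over the message, truncated to the 96-bit ICV IPsec uses."""
    return hmac.new(key, message, algorithm).digest()[:ICV_LEN]


def receiver_accepts_hmac(key: bytes, message: bytes, icv: bytes, algorithm: str = "sha1") -> bool:
    """Receiver recomputes with the shared key; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(ipsec_hmac(key, message, algorithm), icv)


def man_in_the_middle_plain(replacement: bytes) -> tuple:
    """Attacker on the Internet path rewrites a message protected by a plain hash.

    The digest is simply recomputed over the new text; no secret is needed, so
    the receiver cannot tell the forged pair from a genuine one.
    """
    return replacement, plain_digest(replacement)


def man_in_the_middle_hmac(original_icv: bytes, replacement: bytes) -> list:
    """Same attacker against HMAC: without the key, the best options are to reuse the
    old ICV unchanged or compute one under a guessed key.  Returns (message, icv) pairs."""
    return [(replacement, original_icv),
            (replacement, ipsec_hmac(b"guessed-key", replacement))]


if __name__ == "__main__":
    msg, altered = b"Pay Jeremy $100", b"Pay Alex Jones $1000"
    forged_msg, forged_digest = man_in_the_middle_plain(altered)
    print("plain hash: forgery accepted =", receiver_accepts_plain(forged_msg, forged_digest))
    icv = ipsec_hmac(SHA1_KEY, msg)
    for m, i in man_in_the_middle_hmac(icv, altered):
        print("HMAC-SHA-1-96: forgery accepted =", receiver_accepts_hmac(SHA1_KEY, m, i))
    print("HMAC-MD5-96 ICV:", ipsec_hmac(MD5_KEY, msg, "md5").hex())
    print("HMAC-SHA-256 (current guidance):", hmac.new(SHA1_KEY, msg, "sha256").hexdigest())
```

The plain-hash check passes on the forged transaction, which is the reason the text insists on a keyed MAC: the secret key is what ties the tag to "a member of the community of users that share the key" rather than to anyone who can run SHA-1.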
Click the VPN Authentication button in the figure.

When conducting business long distance, it is necessary to know who is at the other end of the phone, e-mail, or fax. The same is true of VPN networks. The device on the other end of the VPN tunnel must be authenticated before the communication path is considered secure. There are two peer authentication methods:

  • Pre-shared key (PSK) - A secret key that is shared between the two parties using a secure channel before it needs to be used. PSKs use symmetric key cryptographic algorithms. A PSK is entered into each peer manually and is used to authenticate the peer. At each end, the PSK is combined with other information to form the authentication key.
  • RSA signature - Uses the exchange of digital certificates to authenticate the peers. The local device derives a hash and encrypts it with its private key. The encrypted hash (digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the public key of the local end. If the decrypted hash matches the recomputed hash, the signature is genuine.

Take a look at an RSA demonstration for an example of RSA encryption.


6.3.6 - VPN Data Integrity
The diagram depicts the use of hashes for data integrity and VPN peer authentication.

Hash operation:
- A match means no changes.
- No match means something was altered.

Hashing:
The transaction from Gail payable to Jeremy for $100 has been altered to pay Alex Jones $1000. The starting hash and ending hash are now different.

VPN Authentication:
In the diagram, a remote office computer connects to a router that connects to the Internet cloud. On the other side of the cloud, the HR server at the Corporate Office connects to a router that connects to the Internet. Peer authentication occurs between the two routers.

Peer authentication methods:
- RSA signatures
- PSKs


6.3.7 IPsec Security Protocols

Page 1:
IPsec is a protocol suite for securing IP communications that provides encryption, integrity, and authentication. IPsec spells out the messaging necessary to secure VPN communications but relies on existing algorithms.

There are two main IPsec framework protocols.

  • Authentication Header (AH) - Use when confidentiality is not required or permitted. AH provides data authentication and integrity for IP packets passed between two systems. It verifies that any message passed from R1 to R2 has not been modified during transit. It also verifies that the origin of the data was either R1 or R2. AH does not provide data confidentiality (encryption) of packets; it only authenticates them. Because the AH integrity check also covers the immutable fields of the outer IP header, AH cannot pass through a NAT device that rewrites addresses. Where confidentiality is required, AH is combined with the ESP protocol, which provides data encryption and tamper-aware security features.
  • Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet. In tunnel mode, IP packet encryption conceals the data and the identities of the original source and destination, because the whole original packet, including its IP header, becomes the encrypted payload of a new packet addressed between the gateways. ESP authenticates the inner IP packet and the ESP header, but not the outer IP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum, one of them must be selected; in practice encryption without authentication should never be chosen, because an unauthenticated encrypted packet can be modified in transit without detection.

Click the IPsec Framework button in the figure.

IPsec relies on existing algorithms to implement encryption, authentication, and key exchange. Some of the standard algorithms that IPsec uses are as follows:

  • DES - Encrypts and decrypts packet data.
  • 3DES - Provides significant encryption strength over 56-bit DES.
  • AES - Provides stronger encryption, depending on the key length used, and faster throughput.
  • MD5 - Authenticates packet data, using a 128-bit shared secret key.
  • SHA-1 - Authenticates packet data, using a 160-bit shared secret key.
  • DH - Allows two parties to establish a shared secret key used by encryption and hash algorithms, for example, DES and MD5, over an insecure communications channel.

The figure shows how IPsec is configured. IPsec provides the framework, and the administrator chooses the algorithms used to implement the security services within that framework. There are four IPsec framework squares to be filled.

  • When configuring an IPsec gateway to provide security services, first choose an IPsec protocol. The choices are ESP, ESP with AH, or AH.
  • The second square is an encryption algorithm if IPsec is implemented with ESP. Choose the encryption algorithm that is appropriate for the desired level of security: DES, 3DES, or AES.
  • The third square is authentication. Choose an authentication algorithm to provide data integrity: MD5 or SHA.
  • The last square is the Diffie-Hellman (DH) algorithm group, which establishes the sharing of key information between peers. Choose which group to use, DH1 or DH2. DH group 1 uses a 768-bit modulus and group 2 a 1024-bit modulus; both are now considered too weak, and group 14 (2048-bit) is the usual minimum on current equipment.
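An ESP packet built and checked in code, as an added example that is not part of the course: NULL encryption, so the payload stays readable, with HMAC-SHA-1-96 authentication and the receiver's anti-replay window. NULL encryption is used so the whole thing runs with the Python standard library; it corresponds to the authentication-only end of the ESP options described above, and a real confidentiality deployment would put AES in the encryption square. The field layout follows RFC 4303; the SPI, key, and inner packet bytes are constructed for the demonstration.

```python
"""ESP packet with NULL encryption and HMAC-SHA-1-96 authentication (added example).

Shows the ESP header (SPI, sequence number), the trailer (padding, pad length,
next header), the ICV, and the receiver-side order of checks: anti-replay
window first (cheap), ICV verification second, window update only after the
ICV passes.  NULL encryption (RFC 2410) is a legitimate authentication-only ESP
choice; a confidentiality deployment replaces the identity transform with AES.
"""
import hashlib
import hmac
import struct

NEXT_HEADER_IPIP = 4   # tunnel mode: the ESP payload is a complete IPv4 packet
ICV_LEN = 12           # HMAC-SHA-1-96 (RFC 2404)


def esp_encapsulate(spi: int, seq: int, inner_packet: bytes, auth_key: bytes) -> bytes:
    """Sender: SPI | seq | payload | padding | pad_len | next_header | ICV."""
    if seq == 0:
        raise ValueError("ESP sequence numbers start at 1 and must never wrap")
    header = struct.pack("!II", spi, seq)
    pad_len = (-(len(inner_packet) + 2)) % 4     # payload + trailer must be 4-byte aligned
    padding = bytes(range(1, pad_len + 1))       # RFC 4303 default pad bytes: 1, 2, 3, ...
    trailer = struct.pack("!BB", pad_len, NEXT_HEADER_IPIP)
    authenticated = header + inner_packet + padding + trailer
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


class EspReceiver:
    """Inbound security association: one SPI, one key, one anti-replay window."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, auth_key, window
        self.highest_seen = 0
        self.seen = set()

    def _replay_check(self, seq: int) -> None:
        if seq <= self.highest_seen - self.window:
            raise ValueError("sequence number %d is behind the anti-replay window" % seq)
        if seq in self.seen:
            raise ValueError("sequence number %d already received (replay)" % seq)

    def decapsulate(self, packet: bytes) -> tuple:
        """Return (next_header, inner_packet) or raise ValueError."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("packet too short to be ESP")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI 0x%08x" % spi)
        self._replay_check(seq)                       # cheap check before the ICV computation
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            raise ValueError("ICV mismatch: packet altered in transit or wrong key")
        # Only an authenticated packet may advance the window
        self.seen.add(seq)
        self.highest_seen = max(self.highest_seen, seq)
        self.seen = {s for s in self.seen if s > self.highest_seen - self.window}
        pad_len, next_header = body[-2], body[-1]
        payload_end = len(body) - 2 - pad_len
        if body[payload_end:len(body) - 2] != bytes(range(1, pad_len + 1)):
            raise ValueError("padding bytes do not match the expected pattern")
        return next_header, body[8:payload_end]


if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f10111213")   # constructed 160-bit key
    inner = b"\x45\x00\x00\x2b" + b"constructed inner IPv4 packet bytes"
    rx = EspReceiver(0x1000, key)
    packet = esp_encapsulate(0x1000, 1, inner, key)
    print("accepted:", rx.decapsulate(packet) == (NEXT_HEADER_IPIP, inner))
    print("payload readable with NULL encryption:", inner in packet)
    try:
        rx.decapsulate(packet)
    except ValueError as err:
        print("replay:", err)
```

Because the sequence number is covered by the ICV, an attacker cannot rewrite it to slip a captured packet past the window, and because the window only advances after a successful ICV check, a flood of forged packets cannot push genuine ones out of it.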


6.3.7 - IPSec Security Protocols
The diagram depicts IPSec security protocols and the IPSec framework.

IPSec Protocols:
Authentication Header (AH) - Provides data authentication and integrity for IP packets passed between two systems.

Encapsulating Security Payload (ESP) - Provides confidentiality and authentication by encrypting the IP packet.

IPSec Framework:
The diagram depicts the IPSec framework of an IPSec gateway providing security service. Four categories can be selected from to fill in the framework:

One. IPSec protocol: The choices are ESP, ESP + AH, or AH.
Two. Encryption algorithm (if IPSec is implemented with ESP). Choices are DES, 3DES, or AES.
Three. Authentication. Choices are MD5 or SHA.
Four. Diffie-Hellman (DH) algorithm group. Choices are DH1 or DH2.


Page 2:


6.3.7 - IPSec Security Protocols
The diagram depicts a simulation activity in which you configure the central and branch routers to provide a site-to-site IPSec VPN. Read the scenario and match the proper values to the entries in the Linksys Web interface screen for each VPN device.

Note: You may wish to contact your instructor for assistance in performing this activity.

Scenario:
A small company has set up Internet connectivity using two Linksys WRVS4400N business class routers. One is located at the central site and the other at the branch site. The company would like to access resources between sites, but they are concerned that the Internet traffic would not be secure. To address this concern, it has been suggested that the company implement a site-to-site VPN between the two sites. A VPN would enable the branch site office to connect to the central site office securely by creating a VPN tunnel that encrypts and decrypts data.

Network Topology:
Central Site:
- PC1 is connected to the central site router on the 192.168.1.0/24 network.
- The central site router LAN interface IP address is 192.168.1.1.
- The central site router Internet VPN interface IP address is 209.165.200.225.

Branch Site:
- PC2 is connected to the branch site router on the 192.168.101.0/24 network.
- The branch site router LAN interface IP address is 192.168.101.1.
- The branch site router Internet VPN interface IP address is 209.165.202.129.

Referencing the topology description above, fill in the blanks to configure the settings and enable a VPN called Site-to-Site using MD5 authentication, 3DES encryption, and a pre-shared key of cisco123. Select from the choices listed below for both the central site and branch site routers.

Required Configuration Entries:

Central Site Linksys router:
IPSec VPN Tunnel Name: BLANK
Local Security Group IP Address: BLANK
Remote Security Group IP Address: BLANK
Remote Security Gateway IP Address: BLANK
Key Management Encryption: BLANK
Key Management Authentication: BLANK
Key Management Pre-Shared Key: BLANK

Branch Site Linksys router:
IPSec VPN Tunnel Name: BLANK
Local Security Group IP Address: BLANK
Remote Security Group IP Address: BLANK
Remote Security Gateway IP Address: BLANK
Key Management Encryption: BLANK
Key Management Authentication: BLANK
Key Management Pre-Shared Key: BLANK

Entry choices for both routers:
MD5
Site-to-Site
192.168.101.0
209.165.202.129
192.168.1.0
3DES
cisco123
cisco123
192.168.1.1
192.168.101.0
209.165.200.0
209.165.200.255
209.165.202.0
DES
AES
SHA
Remote Access


Page 3:


6.3.7 - IPSec Security Protocols
The diagram depicts a simulation activity in which you configure a central site router and a VPN client to provide VPN access for a remote user. Read the scenario and match the proper values to the entries in the Linksys Web interface screen for each VPN device.

Note: You may wish to contact your instructor for assistance in performing this activity.

Scenario:
A small company has set up Internet connectivity using a Linksys WRVS4400N business class router at their central site. The company would like to provide remote access to select users from remote locations, but they are concerned that the Internet traffic would not be secure. To address this concern, it has been suggested that they implement a remote access VPN that would allow telecommuters to securely access the central site network. Using the Linksys QuickVPN client software, remote users would be able to connect and establish a remote access VPN connection that encrypts and decrypts data.

Referencing the topology description above, fill in the blanks in the Linksys router's Web configuration utility to configure the remote VPN settings and configure a user account. The user's name is BobV, and his password is cisco123.

Next Bob will initiate a remote VPN connection to the central site router using the Linksys Quick VPN client software. Fill in the blanks in the VPN client configuration utility to configure the client side of the VPN. The profile name is Central Site. Reference the correct username, password, and IP address.

Network Topology:
Central Site:
- A server is connected to the central site router on the 192.168.1.0/24 network.
- The central site router LAN interface IP address is 192.168.1.1.
- The central site router Internet VPN interface IP address is 209.165.200.225.

Remote User:
Remote user PC2 is connected to the Internet cloud VPN tunnel.

Required Configuration Entries for the Central Site Linksys router:
User Name: BLANK
Password: BLANK
Re-enter to Confirm: BLANK
Entry Choices for Linksys Central Site router:
192.168.1.0
Robert
209.165.200.255
cisco123
cisco123
cisco123
BobV

Required Configuration Entries for the Remote VPN Client:
Profile Name: BLANK
User Name: BLANK
Password: BLANK
Server Address: BLANK

Entry Choices for the Remote VPN Client:
User
Central Site
192.168.1.0
209.165.200.255
BobV
cisco123
cisco123
192.168.1.1
cisco123
Branch Site
Robert
cisco123
cisco123


6.4 Chapter Summary

6.4.1 Chapter Summary

Page 1:
In this chapter, you learned of the growing importance of teleworkers. You can describe an organization's requirements for providing teleworker services in terms of what the teleworker needs and what the organization needs to provide: reliable, cost-effective connectivity. Among the favored ways to connect teleworkers, you can describe how to use broadband services including DSL, cable, and wireless. Further, you know how VPN technology can be used to provide secure teleworker services in organizations, including the importance, benefits, role, and impact of VPN technology, and the types of access, components, tunneling, and encryption.


6.4.1 - Summary and Review
In this chapter, you have learned to:
- Describe the enterprise requirements for providing teleworker services, including the differences between private and public network infrastructures.
- Describe the teleworker requirements and recommended architecture for providing teleworking services.
- Explain how broadband services extend enterprise networks using DSL, cable, and wireless technology.
- Describe the importance of VPN technology, including its role and benefits for enterprises and teleworkers.
- Describe how VPN technology can be used to provide secure teleworker services to an enterprise network.


Page 2:


6.4.1 - Summary and Review
This is a review and is not a quiz. Questions and answers are provided.
Question One. Describe the organizational, social, and environmental benefits of teleworking.

Answer:
Organizational Benefits:
- Continuity of operations.
- Increased responsiveness.
- Secure, reliable, and manageable access to information.
- Cost-effective integration of data, voice, video, and applications.
- Increased employee productivity, satisfaction, and retention.

Social Benefits:
- Increased employment opportunities for marginalized groups.
- Less traveling and commuter-related stress.

Environmental Benefits:
- Reduced carbon footprints, both for individual workers and organizations.

Question Two. Describe the four main connection methods used by homes and SOHO businesses.
Answer:
Dialup access:
- Dialup access is an inexpensive option that uses any phone line and a modem.
- It is the slowest connection option, and is typically used in areas where higher speed connections are not available.
DSL:
- DSL is more expensive than dialup, but provides a faster connection.
- It also uses telephone lines, but unlike dialup access, DSL provides a continuous connection to the Internet.
- This connection option uses a special high-speed modem that separates the DSL signal from the telephone signal and provides an Ethernet connection to a host computer or LAN.
Cable modem:
- A cable modem is a connection option offered by cable television service providers.
- The Internet signal is carried on the same coaxial cable that delivers cable television to homes and businesses.
- A special cable modem separates the Internet signal from the other signals carried on the cable and provides an Ethernet connection to a host computer or LAN.
Satellite:
- Satellite connection is an option offered by satellite service providers.
- The user's computer connects through Ethernet to a satellite modem that transmits radio signals to the nearest POP within the satellite network.

Question Three. Describe the two types of VPNs.

Answer:
Site-to-Site VPNs:
- A site-to-site VPN is an extension of classic WAN networking and can connect a branch office network to a company headquarters network.
- Hosts send and receive TCP/IP traffic through a VPN "gateway" which could be a router, PIX firewall appliance, or an Adaptive Security Appliance (ASA).
- The VPN gateway is responsible for encapsulating and encrypting outbound traffic for all of the traffic from a particular site and sending it through a VPN tunnel over the Internet to a peer VPN gateway at the target site.
- On receipt, the peer VPN gateway strips the headers, decrypts the content, and relays the packet toward the target host inside its private network.
Remote Access VPNs:
- Mobile users and telecommuters use remote access VPNs extensively.
- Remote VPN connections typically take advantage of broadband connections.
- Each host typically has VPN client software that encapsulates and encrypts that traffic before sending it over the Internet to the VPN gateway at the edge of the target network.
- On receipt, the VPN gateway handles the data in the same way as it would handle data from a site-to-site VPN.


Page 3:
This activity requires you to configure a default route as well as dynamic routing using RIP version 2. You will also add broadband devices to the network. Finally, you will set up ACLs on two routers to control network traffic.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


6.4.1 - Summary and Review
Link to Packet Tracer Exploration: Packet Tracer Skills Integration Challenge


6.5 Chapter Quiz

6.5.1 Chapter Quiz

Page 1:


6.5.1 - Chapter Quiz
1.A technician is attempting to explain broadband technology to a customer. Which two descriptions or examples should be used to educate the customer? (Choose two.)
A.Includes dialup connections using POTS.
B.Incompatible with multiplexing.
C.Uses a wide band of frequencies.
D.Offer sustained speeds of 128k or more.
E.Requires line-of-sight connection with the service provider.

2.When accommodating a teleworker, which type of connection should be used when mobile access during traveling is required and broadband options are unavailable?
A.Residential cable
B.DSL
C.Dialup
D.Satellite

3.When comparing DOCSIS and Euro-DOCSIS, what is the primary difference between the two specifications?
A.Flow control mechanisms
B.Maximum data rates
C.Access methods
D.Channel bandwidths

4.If asked to describe DSL technology, which three statements would help the user develop a better understanding of the technology? (Choose three.)
A.DSL is available in any location that has a telephone.
B.A DSL typically has a higher download bandwidth than available upload bandwidth.
C.In home installation, a splitter separates the A DSL and voice signals at the N ID, allowing multiple A DSL outlets in the house.
D.DSL speeds can exceed the speeds available with a typical T1 line.
E.Transfer rates vary by the length of the local loop.
F.All varieties of DSL provide the same bandwidth, although they use different technologies to achieve upload and download.

5.In a DSL installation, which two devices are installed at the customer site? (Choose two.)
A.CM
B.DOCSIS
C.D SLAM
D.Microfilter
E.DSL transceiver

6.Refer to the topology description below to answer the question.

Network Topology:
Three locations connect to the corporate network through the Internet cloud.
Corporate Network - A VPN concentrator and PIX appliance connect to Router R10, which connects to the Internet cloud.
Business Partner - Switch SW1 connects to router R1, which connects to the Internet cloud.
Remote Office - Switch SW2 connects to router R2, which connects to the Internet cloud.
Regional Office - Switch SW3 connects to a PIX appliance, which connects to the Internet cloud.

On the basis of the network topology above, which devices or software applications provide encapsulation and encryption for the VPN traffic?
A.VPN client software installed on the machines of the users at the regional office only.
B.PIX appliances at the corporate network and regional office only.
C.Router and PIX appliance at the corporate network, and the routers and PIX appliance at all remote locations.
D.LAN switches and routers at the remote locations only.

7. Which two techniques can be used to secure the traffic sent over a VPN connection? (Choose two.)
A. Data labeling to mark and separate the VPN traffic for different customers.
B. Data encapsulation to transmit data transparently from network to network through a shared network infrastructure.
C. Data encryption to code data into a different format using a secret key.
D. Second routing protocol to transport the traffic over the VPN tunnel.
E. Dedicated connection over the company's private leased line.

8. Match the description on the left with the corresponding VPN characteristic on the right.
Descriptions:
A. Uses passwords, digital certificates, smart cards, and biometrics.
B. Prevents tampering and alterations to data while data travels between the source and destination.
C. Protects the contents of messages from interception by unauthenticated or unauthorized sources.
D. Uses hashes.
E. Ensures that the communicating peers are who they say they are.
F. Uses encapsulation and encryption.

Characteristics:
1. Data Confidentiality
2. Data Integrity
3. Authentication

9. Which is an example of a tunneling protocol developed by Cisco?
A. AES
B. DES
C. RSA
D. ESP
E. GRE

10. Match the description to the corresponding type of tunneling protocol.
Descriptions:
A. Frame Relay, ATM, MPLS.
B. The protocol that is wrapped around the original data.
C. The protocol over which the original data was being carried.
D. IPX, AppleTalk, IPv4, IPv6.
E. GRE, IPSec, L2F, PPTP, L2TP.
F. The protocol over which the information is traveling.

Type of Tunneling Protocol:
1. Carrier Protocol
2. Encapsulating Protocol
3. Passenger Protocol

11. Match the description to the correct algorithm.
Descriptions:
A. Encryption and decryption use the same key.
B. Public key cryptography.
C. Encryption and decryption use different keys.
D. DES, 3DES, AES
E. RSA
F. Shared secret key cryptology

Algorithm categories:
1. Symmetric algorithm
2. Asymmetric algorithm

12. What type of connection is the most cost-effective to adequately support a SOHO teleworker to access the Internet?
A. Direct T1 link to the Internet
B. 56k dialup
C. One-way multicast satellite Internet system
D. DSL to an ISP

13. Which wireless standard operates in both licensed and unlicensed bands of the spectrum from 2 to 8 GHz and allows for transmission rates of 70 Mbps at a range of up to 50 kilometers?
A. 802.11g
B. 802.11n
C. 802.11b
D. 802.16
E. 802.11e

14. What is typically deployed to support high-speed transmissions of data to SOHO cable modems?
A. Hybrid fiber-coaxial (HFC)
B. High-speed dialup cable modems
C. Broadband copper coaxial
D. 1000BASE-TX
