webpointmorpheus Network Info
LAN - WAN - Remote
©2005 - material compiled by Bob Carnaghi, www.webpointmorpheus.com
- Overview
- This document begins the journey of attempting to understand the complex issues of communication between computers that are on different networks. The network connection may be between two separate Local Area Networks (LANs), a Wide Area Network (WAN), or across the Internet. The situations become more complex when considering greater distances, security, access methods, encryption, etc. Listed below are some currently popular protocols and some of the means of securing the transmissions. This information is outlined by topic, and does not follow a logical order or progression.
- If you have a difficult time with the acronym-drenched terms used in this document, check out the Network Definitions Page.
- RAS - Remote Access Services
- RAS was originally a service installed on Microsoft's Windows NT to allow remote clients to dial in and connect to a Local Area Network. Clients could log on to a remote domain as if they were locally connected to the network. The term has since broadened to cover many types of remote dial-in solution. The client's IP address is normally assigned at connection time (on Windows, from a static address pool or from DHCP via the RAS server), and varying levels of security can be implemented as outlined below.
- Necessities for Remote Access
-
- Communication Link: can be through DUN (Dial-Up Networking across the public telephone network) or across the Internet, in which case the traffic should be carried inside an encrypted tunnel (a VPN, see below) rather than exposed on the public network.
- Hardware: The proper server(s), NICs, modems, etc. must be installed on both ends of the communication link. They must be capable of communicating clearly.
- Data Link Protocol: The most popular today is PPP. An older protocol still in existence is SLIP - (Serial Line Internet Protocol.)
- Encryption: there are several options available, and the configuration is software dependent.
- Remote Access Security
- Remote access security for an organization can be complex, especially when considering that it is in addition to the pre-existing security requirements of the local network. Security takes on several facets when data is transmitted across a public route. Some of the considerations are a secure connection, user and server authentication, data encryption while the data is in transit, etc. The following points are to be considered from the viewpoint of the network administrator of the LAN.
-
- Review and list all the users of the Remote Access Services - those who will be making the remote connections.
- Maintain a centralized access point into the network.
- Limit the number of separate authentication processes. Consolidate on one (or a very few) strong, centrally managed authentication mechanism rather than a scattering of independent passwords.
- Encrypt and scan incoming packets of data. Use IPSec for security.
- Implement personal and/or distributed firewalls to deter hackers.
- Implement and enforce only the level of security necessary to maintain data safely - no more, no less.
- Consider and actualize a Security Incident Response Team as well as Incident Handling Procedures. Document all proceedings.
- Protocols
- There are several protocols available for working over telephone lines with voice/data/video transfer. The protocol or combination of protocols used will depend upon the outline of the needs of the communication, as well as the connection type that's available. Security will also play a part in the process. See the individual protocols below for an outline of their potential uses and limitations.
-
- SLIP - Serial Line Internet Protocol
- PPP - Point to Point Protocol
- PPTP - Point to Point Tunneling Protocol
- PPP - Point to Point Protocol
- PPP is today's most commonly used RAS protocol and is supported by virtually every operating system. PPP works at the Data Link Layer (Layer 2) of the OSI Model and carries Network-layer protocols such as IP on top of it. PPP runs over PSTN and ISDN dial-up links and over router-to-router connections in WANs. PPP has three components (RFC 1661):
- Encapsulation (framing)
- An HDLC-like (High-Level Data Link Control) framing. Its purpose is to delimit the data and detect transmission errors, using a header and a frame check sequence in each frame.
- LCP - The Link Control Protocol
- LCP establishes, configures, maintains, and terminates the point-to-point connection. LCP establishes an MTU and MRU (Maximum Transmission & Receive Units) which limits the size of the data packets. Various protocols are capable of being transmitted, as long as each end of the transmission agrees on the protocols.
- NCP - Network Control Protocols
- An NCP exists for each network-layer protocol that PPP can carry (IP, IPX, AppleTalk, etc.). The NCP for IP, IPCP, is what negotiates the IP address assigned to the remote client. The data is then transferred over the link established by LCP.
- PPP supports several authentication protocols, including PAP and CHAP. PAP sends the user name and password in clear text. CHAP uses a challenge-response handshake: the server sends a random challenge, the client returns an MD5 hash of the challenge combined with the shared secret, and the secret itself never crosses the link. CHAP is not encryption, and two caveats apply: the server must store the secret in recoverable form, and an eavesdropper who captures the challenge and response can test password guesses offline. After the remote user is authenticated, the PPP connection is still not considered secure, since the data itself is not encrypted. There are other options for encrypting the transmitted data, see below.
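The PAP and CHAP exchanges described above, as an added worked example (not code from this page or from any PPP implementation): it builds a PAP Authenticate-Request to show the cleartext fields, runs the RFC 1994 MD5-CHAP challenge/response on both sides, and then shows the offline-guessing caveat. The ChapServer class, the user 'alice', the secrets and the word list are constructed for illustration.

```python
import hashlib
import hmac
import os


# PAP (RFC 1334): the Authenticate-Request carries the peer-id and the password
# as length-prefixed cleartext fields, so anyone on the link can read them.
def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    pid, pw = peer_id.encode(), password.encode()
    return bytes([len(pid)]) + pid + bytes([len(pw)]) + pw


# CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
# The secret never crosses the link; only a one-time hash derived from it does.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side (hypothetical helper): issues random challenges, checks responses."""

    def __init__(self, secrets: dict):
        # CHAP needs the shared secret in recoverable form on the server, which is a
        # real operational downside compared with storing salted password hashes.
        self._secrets = secrets
        self._pending = {}          # identifier -> outstanding challenge

    def issue_challenge(self, identifier: int) -> bytes:
        challenge = os.urandom(16)
        self._pending[identifier] = challenge
        return challenge

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self._pending.pop(identifier, None)   # single use: a replayed response fails
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


# Caveat: whoever captures (identifier, challenge, response) can test password
# guesses offline at MD5 speed, so weak secrets are still exposed by CHAP.
def chap_offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist):
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


if __name__ == "__main__":
    server = ChapServer({"alice": b"correct horse"})       # constructed credentials
    ident = 1
    challenge = server.issue_challenge(ident)
    resp = chap_response(ident, b"correct horse", challenge)  # client side
    print("CHAP success:", server.verify(ident, "alice", resp))
    print("PAP request bytes:", pap_authenticate_request("alice", "correct horse"))
    print("offline guess:", chap_offline_guess(ident, challenge, resp,
                                               [b"password", b"correct horse"]))
```

The replay check (popping the challenge on first use) is what keeps a captured response from being reused; the offline guess is what the challenge/response design does not prevent, which is why CHAP secrets must be long and random.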
- Digital connections are capable of Multilink PPP which allows multiple physical connections to be combined into one logical connection. This approach can be used to combine the 2 B-channels in ISDN BRI.
- SLIP - Serial Line Internet Protocol
- SLIP was the original remote connection protocol. It is an older dial-up protocol and is still supported by some ISPs. SLIP has several drawbacks, which include:
-
- SLIP cannot work with DHCP - must have a static IP address.
- No authentication, compression, or multi-link capabilities.
- Capable of transporting TCP/IP only. Not capable of IPX/SPX, AppleTalk, etc.
- VPN - Virtual Private Networks
- A VPN is a private connection carried over a public network such as the Internet. The connection can be between two separate LANs, from a remote user to an office, from a mobile user to his home, etc. Four tunneling and security protocols make VPNs possible with RAS-type accounts: PPTP, L2TP, L2F and IPsec. The Internet is the main transport mechanism, and makes possible connections across states or nations.
- When the VPN connection is established, a virtual tunnel is created. Whether that tunnel is actually encrypted depends on the protocol: PPTP and IPsec provide encryption, while L2TP and L2F on their own only tunnel and must be combined with IPsec for confidentiality. VPNs can prove to be efficient for a company by using existing Internet connections. These public connections bypass expensive point-to-point connections such as ISDN and T1. Read below for more on VPN protocols.
- PPTP - Point to Point Tunneling Protocol
- PPTP encapsulates PPP frames to carry them through a 'tunnel' over an IP network. Because the payload is PPP, the protocol being tunneled through the public IP network can be IP, IPX, AppleTalk, NetBEUI (yes, even the non-routable NetBEUI), etc. PPTP itself provides no encryption; on Windows the tunnel is protected with MPPE, whose keys are derived from the MS-CHAP authentication exchange. MS-CHAP v1 and v2 have well-documented cryptographic weaknesses, so PPTP should not be relied on for confidentiality today. PPTP uses a TCP control connection on port 1723 and carries the tunneled data in GRE (IP protocol 47); firewalls and NAT devices that do not pass GRE will break it.
- L2TP - Layer 2 Tunneling Protocol
- L2TP is a newer tunneling protocol that has largely replaced PPTP because it supports transports other than IP and combines cleanly with IPsec. L2TP is the result of combining Cisco's Layer 2 Forwarding (L2F) tunneling protocol with PPTP. L2TP itself provides no encryption: it tunnels PPP frames over IP, Frame Relay, X.25 or ATM, and because the payload is PPP, the protocol being tunneled can be IP, IPX, AppleTalk and so on. For confidentiality it is combined with IPsec (L2TP/IPsec), with IPsec ESP protecting the L2TP packets. L2TP clients connect to UDP port 1701.
- L2F - Layer 2 Forwarding
- L2F is a Layer 2 tunneling protocol developed by Cisco. It tunnels PPP frames and relies on PPP's own authentication (PAP or CHAP) at the far end to authenticate the end-to-end connection. In the typical deployment a client dials an ISP, and the ISP's access server uses L2F to forward the PPP session through a tunnel to the corporate server. Like L2TP, L2F provides no encryption of its own.
- IPsec
- IPsec is a suite of protocols that secures IP traffic end-to-end at the Network layer. The two peers first authenticate each other and negotiate keys with IKE (Internet Key Exchange, UDP port 500), then protect traffic with ESP (Encapsulating Security Payload, IP protocol 50, which encrypts and authenticates the payload) or AH (Authentication Header, IP protocol 51, integrity only). The keys are renewed periodically for the life of the security association. IPsec is often used in addition to tunneling protocols to offer a higher level of security in VPNs. Besides VPNs, IPsec is used in LAN environments for client/server connections, in WANs for router-to-router connections, and for secure RAS connections. A big advantage of IPsec is that it is transparent to the user and to applications. Most modern operating systems support IPsec natively, including Windows 2000.
- IPsec operates in one of two modes:
-
- Transport Mode keeps the original IP header and protects only the IP payload (the data you transfer), so the real source and destination addresses remain visible on the wire.
- Tunnel Mode protects the entire original packet, header included, and wraps it in a new IP header addressed between the two gateways, so an observer sees only the gateway addresses.
- IPsec was designed as part of IPv6 and was then back-ported to IPv4, which is where it is mostly used today. IPsec protects only IP packets, and does not carry IPX, NetBEUI, etc. It supports a range of algorithms and key-management options: symmetric ciphers such as DES, Triple DES and AES for confidentiality; HMAC-MD5 and HMAC-SHA-1 for integrity; and pre-shared keys, RSA signatures or digital certificates for peer authentication. Single DES should be considered obsolete.
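The two modes above, as an added example (not code from this page or from any IPsec stack): it builds ESP packets in transport and tunnel mode from a constructed inner packet and shows what a passive observer can read from each, then unwraps and integrity-checks them. The ESP header, trailer and HMAC-SHA1-96 integrity check follow the real ESP layout; the cipher is a stand-in keystream built from HMAC-SHA256, assumed here in place of AES or 3DES, and the addresses, SPI and keys are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50      # IP protocol number carried in the outer header for ESP
IPIP_PROTO = 4      # ESP "next header" value meaning "a whole IP packet follows"
ICV_LEN = 12        # HMAC-SHA1-96: ESP keeps the first 96 bits of the HMAC


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Header checksum left at zero: this models packet layout, not a live stack.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4(pkt: bytes) -> dict:
    _, _, total, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"src": str(ipaddress.IPv4Address(s)), "dst": str(ipaddress.IPv4Address(d)),
            "proto": proto, "payload": pkt[20:total]}


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    # Stand-in for the real ESP cipher (AES/3DES-CBC): a counter-mode keystream from
    # HMAC-SHA256, unique per SPI and sequence number. Assumption for illustration only.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, struct.pack("!III", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]


def esp_encapsulate(sa: dict, seq: int, plaintext: bytes, next_header: int) -> bytes:
    body = plaintext + bytes([0, next_header])          # ESP trailer: pad length, next header
    ks = _keystream(sa["enc_key"], sa["spi"], seq, len(body))
    ct = bytes(a ^ b for a, b in zip(body, ks))
    hdr = struct.pack("!II", sa["spi"], seq)             # SPI and sequence number stay in clear
    icv = hmac.new(sa["auth_key"], hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    return hdr + ct + icv


def esp_decapsulate(sa: dict, esp: bytes):
    hdr, ct, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], hdr + ct, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed: packet modified or wrong SA")
    spi, seq = struct.unpack("!II", hdr)
    ks = _keystream(sa["enc_key"], spi, seq, len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    return body[:-2], body[-1]                          # (plaintext, next header)


def transport_mode(sa: dict, seq: int, pkt: bytes) -> bytes:
    """Original IP header kept; only the transport payload is protected."""
    inner = parse_ipv4(pkt)
    esp = esp_encapsulate(sa, seq, inner["payload"], inner["proto"])
    return ipv4_header(inner["src"], inner["dst"], ESP_PROTO, len(esp)) + esp


def tunnel_mode(sa: dict, seq: int, pkt: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Whole original packet, header included, protected inside a new outer header."""
    esp = esp_encapsulate(sa, seq, pkt, IPIP_PROTO)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp)) + esp


def on_the_wire(pkt: bytes) -> tuple:
    """What a passive observer can read from the outer header."""
    outer = parse_ipv4(pkt)
    return outer["src"], outer["dst"], outer["proto"]


def unprotect(sa: dict, pkt: bytes) -> bytes:
    outer = parse_ipv4(pkt)
    plaintext, nh = esp_decapsulate(sa, outer["payload"])
    if nh == IPIP_PROTO:                                 # tunnel mode: inner packet is intact
        return plaintext
    return ipv4_header(outer["src"], outer["dst"], nh, len(plaintext)) + plaintext


if __name__ == "__main__":
    sa = {"spi": 0x1000, "enc_key": b"E" * 16, "auth_key": b"A" * 20}   # constructed SA
    data = b"GET / HTTP/1.0\r\n\r\n"
    original = ipv4_header("10.0.0.5", "10.1.0.9", 6, len(data)) + data
    print("transport:", on_the_wire(transport_mode(sa, 1, original)))
    print("tunnel:   ", on_the_wire(tunnel_mode(sa, 2, original, "203.0.113.1", "198.51.100.1")))
```

In transport mode the observer learns that 10.0.0.5 talks to 10.1.0.9 (but not what they say); in tunnel mode only the two gateway addresses are visible, which is why site-to-site VPNs use tunnel mode. The ICV check is what makes ESP an integrity service as well as an encryption one: any modified byte is rejected before decryption is attempted.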
- SSL - Secure Socket Layer
- SSL is a protocol that secures the session between a client and a server. The server's public key (from its certificate) is used to authenticate the server and to establish a shared session key; the session data itself is then encrypted with a symmetric cipher. SSL identifies the server to the client and is capable of identifying the client to the server as well, using a client certificate. The server is often a web server used for e-commerce or other online point-of-sale transactions. SSL sits between the Transport and Application layers of the OSI model, and its most common use is HTTPS. HTTPS is HTTP carried over SSL so that the data between client and server is encrypted. One difference between SSL and IPsec is that IPsec can protect any IP connection, whereas SSL can only be used if the application (such as a web browser) supports it. SSL is not limited to e-commerce and can secure any connection for which it is enabled.
- SSL uses a digital certificate that the web site must possess before authentication is possible. The certificate is issued by a Certificate Authority, which vouches for the identity of the holder, and the CA's digital signature on the certificate lets the client verify that it has not been altered. The client must also check that the name in the certificate matches the server it intended to reach and that the certificate has not expired; skipping those checks leaves the connection open to a man-in-the-middle. HTTPS uses TCP port 443.
- Kerberos
- Kerberos is a secure authentication protocol that uses a centralized authentication server called the Key Distribution Center (KDC). At logon the KDC issues the client a ticket-granting ticket (TGT); the client presents the TGT to the KDC to obtain a service ticket for each resource it wants to use, such as a share, printer, intranet application, database, etc., and that service ticket is what the resource checks. The advantage of Kerberos is that it provides single sign-on for users in large heterogeneous network environments: once a user has logged on, he or she is authenticated automatically to every resource or application accessed, without entering a username and password again and again. Tickets carry timestamps and lifetimes, so the clocks of clients, servers and the KDC must be kept synchronized (Windows tolerates a skew of 5 minutes by default). Kerberos uses TCP and UDP port 88.
- ICA - Independent Computing Architecture
- The Citrix Independent Computing Architecture (ICA) protocol is a server technology used for remote connections to advanced terminal servers such as Citrix MetaFrame. An ICA connection differs from a typical PPP connection in that files and application code are not downloaded from server to client. The client runs applications on the terminal server: ICA transfers mouse and keyboard input to the server, and only the screen output is returned to the client. This allows a computer with a minimal configuration to run applications that would not normally run on it. The concept is known as thin client computing. The bandwidth needed for an ICA connection is minimal, on the order of 5-10 kbps.
- Circuit switched vs. Packet switched
- The most common circuit switched network is the telephone system. There is a dedicated physical path for the entire duration of the connection. All data travels along the direct route of the connection, and the stream of data is continuous. PSTN (the Public Switched Telephone Network) and ISDN both use circuit switching technology.
- In a packet switched network, there is no dedicated connection between the sender and the receiver. Data is segmented into packets, which are the disassembled 'blocks' of the communication. Each packet may take a different route to reach the destination, and the packets are reassembled into the complete communication based on information in their headers. Because each packet is routed independently on its own addressing information, the route can in theory differ for every packet, or it can be one and the same path for each. The packet travels by 'hops', with each router determining the next best 'hop' in the route. The Internet is a packet switched network.
- ISDN
- ISDN (Integrated Services Digital Network) is a circuit-switched network used for voice/data/video transfer over existing copper telephone lines. The ISDN package of services is a complete end-to-end digital solution with its own set of hardware. ISDN is similar to normal telephone service, but is faster and requires less time to set up a call. It competes with T-1 and cable modems in terms of availability, speed and cost, and availability itself can drive the cost: a BRI loop is limited to roughly 18,000 feet (about 3.5 miles) of copper from the central office, beyond which a repeater is necessary, which drives the cost of the line up.
- ISDN carries user data in B (Bearer) channels, each with a nominal 64 kbps bandwidth. A D channel carries signaling and supervisory (control-type) information. The two basic types of ISDN connections, BRI and PRI, are outlined below.
- ISDN BRI
- ISDN BRI (Basic-Rate Interface)is composed of two(2) 64 kbps B-channels and one(1) 16 kbps D-channel. Some Remote Access Servers support a feature called multilink, which allows both B-channels to be combined into a single virtual link of 128 Kbps. BRI channel bandwidth can drop if carried over an older telephone line. Often one B-channel is used for data (an internet connection) and one B-channel is used for voice (a digital telephone.)
- ISDN PRI
- ISDN PRI (Primary-Rate Interface) is made up of 23 B-channels and one 64 kbps D-channel, carried on a T1 (1.544 Mbps); this type of connection is often called PRI 23B+D. The European version, carried on an E1, supports 30 B-channels plus a D-channel (30B+D). A common implementation of the two types of ISDN is a PRI at the corporate network supporting 23 dial-in connections, with remote employees using BRI at home.
- ATM
- ATM (Asynchronous Transfer Mode) is a cell-switched, connection-oriented network protocol commonly used for high-speed backbones in large network environments. ATM is suitable for transfers that mix voice, data and video. ATM transfers data in small, fixed-length 53-byte cells (48 bytes of payload and a 5-byte header). The fixed cell size lets ATM switches do the switching in integrated hardware circuits that move cells between incoming and outgoing ports, which significantly increases throughput compared with software-based switching and supports data rates of 155 Mbps (OC-3) and 622 Mbps (OC-12) on common interfaces. Because ATM is connection-oriented, a virtual circuit is set up before data flows, so every cell with the same source and destination travels the same route. ATM supports features such as Bandwidth on Demand and QoS (Quality of Service), which allows traffic to be prioritized according to its type.
- ATM has established its own reference model, which corresponds roughly to both the Data Link and the Physical Layer of the OSI Model. ATM supports different types of high speed media such as:
-
- Sonet OC-3 & OC-12
- T3/E3
- 155 Mbps UTP
- 100 Mbps FDDI
- Frame Relay
- Frame Relay is a common example of a packet-switched network. It is a high-performance WAN protocol that operates at the physical and data link layers of the OSI model. Frame Relay is structured such that the physical network medium and the available bandwidth are dynamically shared between end nodes over virtual circuits. It is commonly used to interconnect LANs in a WAN and to provide centralized Internet connectivity to remote offices. Another advantage is cost: generally the user pays for a committed information rate rather than for a dedicated point-to-point circuit. Frame Relay access circuits are typically delivered over T1/E1 or fractional T1 lines, with ISDN sometimes used as a dial backup.
- SONET/OCx
- SONET (Synchronous Optical NETwork) is a hierarchy of standardized digital data rates for optical transmission. The standard was proposed by Bellcore. SONET data rates are divided into OC levels; note that every rate is a multiple of OC-1 (51.84 Mbps):
-
- OC-1: 51.84 Mbps
- OC-3: 155.52 Mbps
- OC-9: 466.56 Mbps
- OC-12: 622.08 Mbps
- OC-18: 933.12 Mbps
- OC-24: 1244.16 Mbps (1.244 Gbps)
- OC-36: 1866.24 Mbps (1.866 Gbps)
- OC-48: 2488.32 Mbps (2.488 Gbps)
- OC-192: 9953.28 Mbps (9.953 Gbps)
- T1/E1 & T3/E3
- The T-Carrier system consists of digital lines whose bandwidth is allotted by channel. The basic unit is the DS0, a 64 kbps channel. T1 consists of 24 DS0 channels and provides rates up to 1.544 Mbps. T1 uses the DS1 signalling standard, and "DS1" is often used as the name of the line as well. T1 is often beyond the reach of consumers financially, so it is typically used to connect corporate networks and ISPs to the Internet. Fractional T1 is available in some situations, where only a subset of the channels is leased. The European version, E1, has 32 timeslots of which 30 carry user data, providing rates up to 2.048 Mbps.
- T3 is a faster version of the same standard of digital leased line. T3 provides rates up to 44.736 Mbps (672 DS0s, the equivalent of 28 T1s) and is typically used for high-speed Internet backbones. The European version (E3) provides rates up to 34.368 Mbps (16 E1s, 480 DS0 channels). T3 uses the DS3 signalling standard.
- Internet Connection Sharing
- Internet Connection Sharing is designed to allow multiple clients to use the same Internet connection. A small office with a small number of employees who need regular access to the Internet can use ICS to share a single cable or DSL connection. The connection is established through one computer and shared among all the others. A dial-up, cable or DSL connection can be shared using ICS.
- As stated, ICS uses a single computer to establish the Internet connection. That computer then performs address translation (NAT, see below) and acts as a DHCP server and DNS proxy as well. In larger networks that already have a DHCP server, this can create address conflicts in the LAN, so ICS is best suited to SOHO networks. The equivalent on Linux is IP masquerading, configured with ipchains on 2.2 kernels and iptables on 2.4 and later. On Novell NetWare 4.11 and 5.x the same function is provided by BorderManager.
- Network Address Translation (NAT)
- NAT, or Network Address Translation, is a networking practice defined in RFC 1631 (later RFC 3022). NAT is typically implemented on routers to translate between public IP addresses (and TCP/UDP port numbers) and the corresponding internal addresses. NAT works in both directions: traffic bound for the external network from the inside is rewritten on the way out, and incoming traffic is rewritten so that it can be routed to the appropriate internal host. NAT operates at Layer 3 of the OSI model, the Network Layer, although port translation also rewrites Layer 4 headers. A NAT router typically also performs DHCP server and DNS proxy services. NAT offers a certain amount of security, since only one, or a limited number of, public IP addresses are visible to external hosts, and inbound packets without a matching translation entry have nowhere to go. It is not a substitute for a firewall, however: it does nothing to control outbound traffic, and any port that is forwarded to an internal host is exposed exactly as if that host were public.
- How NAT works
-
Corporate LANs and WANs use private address ranges, and the Internet uses public address ranges. The private addresses are reserved ranges of numbers (RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) that are constantly re-used on different private networks. This allows every public IP address on the Internet to be unique. The private class A network 10.0.0.0 can be used by both company A and company B, while both their internal networks are connected to the Internet.
- There are two main types of connections: routed and translated. In a directly routed network that does not use a private addressing scheme, every single IP address must be unique. If both company A and B had a routed connection to the Internet, their internal addresses would be public to the web. To avoid this situation, companies register only a limited number of public addresses and use NAT to translate between them and their internal hosts. The public (in theory) never sees or learns the internal address of any host. This is a security feature, and it also conserves the limited supply of public IP addresses.
- As well as translating IP addresses, NAT can also translate TCP and UDP port numbers, which complete the socket specification. (A socket being the combination of an IP address and a port number.) Port translation is what lets many internal hosts share one public address, and a static port translation can also expose an internal service on a non-standard external port, which masks it somewhat but does not protect it.
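The translation described in this section, as an added example (not the page's own code or that of any router): a small port-address-translation table that rewrites outbound flows, maps replies back to the originating host, drops unsolicited inbound packets, and honours a static port forward on a non-standard port. The Packet and NatRouter names, the addresses and the port pool are assumptions for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Port address translation (PAT): many private hosts share one public address.

    The table is keyed on the public port only (a "full cone" style NAT); stricter
    NATs also match the remote address and port before accepting an inbound packet.
    """

    def __init__(self, public_ip: str, first_port: int = 40000, port_forwards=None):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out = {}      # (proto, private src, sport) -> public port
        self._in = {}       # (proto, public port) -> (private src, sport)
        # Static forwards expose an inside server, e.g. {("tcp", 2222): ("10.0.0.10", 22)}.
        # Such a port is reachable by anyone on the Internet: NAT gives it no protection.
        self._forwards = dict(port_forwards or {})

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite source address/port of a packet leaving the LAN; create a mapping if new."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self._out[key])

    def inbound(self, pkt: Packet):
        """Rewrite destination of a packet from the Internet; None means it is dropped."""
        if pkt.dst != self.public_ip:
            return None
        target = self._forwards.get((pkt.proto, pkt.dport)) or self._in.get((pkt.proto, pkt.dport))
        if target is None:
            return None                     # no mapping: unsolicited, nowhere to deliver it
        return replace(pkt, dst=target[0], dport=target[1])


if __name__ == "__main__":
    nat = NatRouter("203.0.113.7", port_forwards={("tcp", 2222): ("10.0.0.10", 22)})
    out = nat.outbound(Packet("tcp", "10.0.0.5", 51000, "93.184.216.34", 80))
    print("outbound rewritten to", out.src, out.sport)
    print("reply lands on", nat.inbound(Packet("tcp", "93.184.216.34", 80, "203.0.113.7", out.sport)))
    print("unsolicited SSH probe:", nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.7", 22)))
    print("forwarded port 2222:", nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.7", 2222)))
```

Two hosts using the same source port get distinct public ports, which is the whole point of translating ports as well as addresses; the probe to port 22 is dropped only because nothing maps it, while the forwarded port 2222 reaches the internal host regardless of who sends the packet.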
- Firewall
- A firewall is a hardware device or software application that isolates and protects private networks from unauthorized external intruders. A firewall filters both inbound and outbound traffic and verifies that it meets specific criteria, filtering on different layers of the OSI model. A firewall that operates at layers 3 and 4 is known as a packet filter. The basic criteria for letting packets pass or not are typically the source and destination addresses and/or port numbers, and each address or port is set at the firewall to be allowed or denied. A plain packet filter examines each packet in isolation, so it cannot tell a legitimate reply from an unsolicited packet that merely looks like one.
-
- Firewall systems can be applied at different layers of the OSI Model. The higher in the OSI Model the firewall operates, the more advanced the criteria that can be applied to traffic. The most advanced criteria can be applied at the Application layer. Firewalls that operate at the Application layer (application proxies or application-layer gateways) understand the application protocol itself and can filter on its content, for example HTTP methods and URLs or FTP commands, rather than on port numbers alone.
-
- A circuit-level firewall operates at the Transport layer of the OSI model. This firewall checks that the TCP or UDP messages used to establish a connection meet certain criteria, and records the connection in a state table. Once a connection is established, traffic belonging to it can pass the firewall without further verification, while packets that belong to no known connection are dropped.
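The packet filter and the circuit-level (stateful) firewall described above, as an added example (not code from this page or from any firewall product): a first-match rule list, the inbound "source port 80" rule a stateless filter needs to let web replies back in, and a state table that distinguishes genuine replies from an unsolicited packet that merely sets source port 80. The Rule syntax, the LAN range and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags: enough to tell a connection attempt from a reply
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    sport: Optional[int] = None     # None matches any port
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


LAN = "10.0.0.0/24"     # constructed internal range


def packet_filter(rules, pkt: Packet) -> str:
    """Stateless layer-3/4 filter: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "deny"


# To let web replies back in, a stateless filter needs "allow tcp from any:80 to LAN".
# That rule cannot tell a genuine reply from an attacker who simply sets source port 80.
STATELESS_RULES = [
    Rule("allow", "tcp", src=LAN, dport=80),
    Rule("allow", "tcp", sport=80, dst=LAN),
]


class StatefulFilter:
    """Circuit-level filter: checks the handshake direction, then tracks the connection."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()          # established 5-tuples, stored from the initiator's side

    def check(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "allow"                          # belongs to a tracked connection
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny"                           # not a fresh connection attempt
        if packet_filter(self.rules, pkt) == "allow":
            self.table.add(key)                     # remember the initiator's 5-tuple
            return "allow"
        return "deny"


STATEFUL_RULES = [Rule("allow", "tcp", src=LAN, dport=80)]   # only outbound initiations


if __name__ == "__main__":
    spoof = Packet("tcp", "198.51.100.9", 80, "10.0.0.5", 22, syn=True)
    print("stateless filter on spoofed src port 80:", packet_filter(STATELESS_RULES, spoof))
    fw = StatefulFilter(STATEFUL_RULES)
    print("stateful filter on the same packet:    ", fw.check(spoof))
```

The stateful filter needs only the outbound rule: replies are admitted because the state table already knows the connection, not because a port number looked right. Real firewalls also expire table entries and track UDP by timeout, which this sketch leaves out.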
- Proxy
- A network Proxy serves two purposes:
-
- To isolate LAN users from users outside the network.
- To cache frequently visited web pages.
- Proxy servers are situated such that all requests for traffic outside the network must go through them. The proxy server acts on behalf of the host which makes a request. The proxy server pretends to be that client, and retrieves and caches the data, then passes it on to the client.
This offers a certain degree of protection, since only the IP address of the proxy server is visible beyond the LAN.
- Proxies work differently than NAT. A proxy is requested to act on behalf of a client. The proxy is making the actual request of the web server. NAT simply changes the addressing info of packets. NAT is a transparent process, therefore the client doesn't know anything about the translating. In order to use a proxy server, all the applications involved, such as a web browsers, must support it.
- There are many different types of proxy servers. Proxies can offer caching of network traffic. A caching proxy first checks if the data that an internal client requests has been requested by another client previously. If this case, the proxy server then retrieves the data locally, instead of using the external connection. Obviously this can conserve bandwidth in networks of high traffic, as well as relatively slow internet connections. Listed below are the most common type of proxies:
-
- SOCKS Proxy: - SOCKS is a generic proxy for TCP (and, in SOCKS5, UDP) connections, so it can relay HTTP, FTP, POP3, SMTP, NNTP, etc. without understanding them. It sits transparently between client and server and, in SOCKS5, can authenticate the client, but it does not encrypt the traffic.
- HTTP Proxy: - besides providing an anonymous appearance on the web, and acting as an intermediary for clients, the HTTP proxy caches web content that is requested by clients.
- DNS Proxy: - caches DNS lookups. A WINS Proxy works similar to a DNS Proxy except, that it forwards NETBIOS name lookups to a WINS server. A WINS proxy is only used in Microsoft networks.
-
The functions of an HTTP Proxy and a SOCKS proxy are often combined. The HTTP Proxy handles requests for web pages, and the SOCKS proxy handles all other TCP/IP traffic. (SMTP, POP3, and Telnet, etc.) Proxy servers are in wide use, and virtually every ISP provides one to its subscribers. Public proxy servers are available which are intended for anonymous surfing.
This page was last modified: Wednesday July 20, 2005 7:35 AM