ICT Standards and Guidelines
Segment 103
Telecommunications
Main Document
(Version 2.0)
Disclaimer
The Office of the Minister of State for Administrative Reform (OMSAR) provides the
contents of the ICT Standards and Guidelines documents, including any component or
part thereof, submission, segment, form or specification, on an 'as-is' basis without
additional representation or warranty, either expressed or implied. OMSAR does not
accept responsibility and will not be liable for any use or misuse, decision, modification,
conduct, procurement or any other activity of any nature whatsoever undertaken by any
individual, party or entity in relation to or in reliance upon the ICT Standards and
Guidelines or any part thereof. Use of or reliance upon the ICT Standards and Guidelines
is, will be and will remain the responsibility of the using or relying individual, party or
entity.
The ICT Standards and Guidelines are works in progress and are constantly being
updated. The documentation should be revisited regularly to have access to the most
recent versions.
The last date of update for this document was June 2003.
Table of Contents - Telecommunications
1.0 Executive Summary for Telecommunications
2.0 The Background of Telecommunications
    2.1 The Scope of Telecommunications
    2.2 The Benefits of Standardization
    2.3 Policies to Follow for Telecommunications
    2.4 Risks Resulting from the Standardization Activities
    2.5 Related Documents
    2.6 How to Use This Document?
    2.7 Related Terms and Acronyms
    2.8 Related Segments and Cross References
    2.9 Related International Standards
    2.10 All Segments in the ICT Standards and Guidelines
3.0 WAN Technologies
    3.1 Dial up Analog Connections
        3.1.1 Requirements
        3.1.2 When to Use Dial up Analog Connections
    3.2 ISDN
        3.2.1 Basic Rate Interface (BRI)
        3.2.2 Primary Rate Interface (PRI)
        3.2.3 ISDN Requirements
        3.2.4 When to Use ISDN
    3.3 Frame Relay
        3.3.1 Frame Relay Requirements
        3.3.2 When to Use Frame Relay
    3.4 Digital Carrier System - T1
        3.4.1 T1 Requirements
        3.4.2 When to Use T1
    3.5 E1
        3.5.1 E1 Requirements
        3.5.2 When to Use E1
4.0 WAN Devices and Equipment
    4.1 Modems
    4.2 ISDN Terminal Adapter
    4.3 ISDN Router
    4.4 Frame Relay Capable Router
    4.5 DSU and CSU Devices
    4.6 Firewalls
5.0 Virtual Private Networks
    5.1 Roadmap for Implementing a VPN Solution
    5.2 Step 1: Determine Networking Connectivity + Access Requirements
    5.3 Step 2: Choose Product(s) or a Service Provider
    5.4 Step 3: Test It Out
    5.5 Step 4: Design and Implement the Network Design
    5.6 Step 5: Monitor and Manage the VPN
    5.7 Step 6: Upgrade and Migrate
6.0 Appendix A – OGERO Rates
Figures - Telecommunications
Figure 1: A typical WAN connection
Figure 2: Summary of WAN Technologies
Figure 3: Roadmap to Determine a WAN Technology
Figure 4: Modem Characteristics
Figure 5: ISDN Terminal Adapter Technical Specifications
Figure 6: ISDN Router Technical Specifications
Figure 7: Routers
Figure 8: DSU/CSU Technical Specifications
Figure 9: Firewalls
Figure 10: Roadmap to Implementing a VPN Solution
1.0 Executive Summary for Telecommunications
The objective of this segment is to present guidelines that can be used during the
acquisition, installation and maintenance of Wide Area Networks and
Telecommunications equipment.
With many solutions to choose from, it has proved difficult to select the most suitable
approach. There are many protocols, technologies, standards and vendors involved. This
segment provides guidelines to help an ICT manager through the decision process,
particularly in preparing an RFP (Request for Proposal).
Telecommunications services are usually provided by the Government and regulated so
that only a few providers offer them. Therefore, the choice of vendor is restricted.
This segment covers the following areas:
• WAN Technologies: Examines different available WAN technologies and
  discusses the requirements for each technology and when to use it.
• WAN Devices and Equipment: Describes the Telecommunications materiel
  needed to implement WAN solutions.
• Virtual Private Networks: Examines VPN as a means of providing security to
  the WAN and draws a roadmap of implementation.
A separate and comprehensive segment covers Local Area Networks (LAN). It can be
downloaded from OMSAR’s website on ICT Standards and Guidelines at
www.omsar.gov.lb/ICTSG/NW.
Telecommunications
Page 1
2.0 The Background of Telecommunications
This segment is concerned with Telecommunications and related technologies.
Telecommunication is the science and practice of information transmission. A wide
variety of information can be transferred through a telecommunications system,
including voice and music, still-frame and full-motion pictures, computer files and
applications and telegraphic data.
The objective of this segment is to present and discuss guidelines that can be used
during the acquisition, installation and maintenance of Telecommunications systems.
It helps provide cost effective networking and telecommunications services to connect
Ministries and Agencies that need to transmit data, voice and video to conduct the
business of the government.
2.1 The Scope of Telecommunications
This document is applicable to Ministries and Agencies which already use or have the
need to use wide area networking and telecommunications. These Ministries and
Agencies are encouraged to consider and use this document in the following situations:
• Tendering and acquiring Wide Area Networks and related Telecommunications
  materiel.
• Maintaining and running networks.
• Upgrading networks to stay current with newer technologies or based on new
  Telecommunications requirements.
The scope of Telecommunications covered in this segment is limited to:
• Wide Area Network (WAN) Technologies
  - Analog Dial up
  - ISDN
  - Frame Relay
  - T1
  - E1
• Networking Devices & Equipment
  - Modems
  - Bridges, Routers & Gateways
  - DSU/CSU
This segment will not discuss the following as these are either not available in Lebanon
or are outside the scope of Telecommunications for Information Processing:
• Wide Area Network (WAN) Technologies
  - Cable Modems
  - Microwaves and Satellites
  - Wireless
  - ATM
  - DSL
• Voice Communications & Telephony (PSTN, PABX, CTI, Call Centers, IVR, ACD, IP
  Telephony & VoIP and Wireless Communications & Cellular)
• Video Conferencing
• Other Networking Devices & Equipment
  - File & Print Servers
  - Network Interface Adapters
  - Hubs & Repeaters
  - Switches
• Network Software & Utilities
2.2 The Benefits of Standardization
The benefits of standardization are:
• To ensure clear statement of high level, government wide directives concerning
  networking and telecommunications.
• To ensure coordination of networking and telecommunications related standards
  across branches of government.
• To assist Ministries and Agencies in the development, maintenance and
  administration of networking and telecommunications services.
• To ease the tasks of support personnel.
• To use the appropriate telecommunication solution. Adopting the wrong solution
  may have very costly consequences because the telecommunications costs are
  high.
• Cost savings by buying in bulk for the Ministry or Agency and its branches or by
  applying the same solution to one or more Ministry or Agency.
• To identify the equipment needed and the issues at hand before engaging in
  deploying a telecommunications solution.
• To reduce product cycle time.
• To develop network plans that are reusable and sustainable.
2.3 Policies to Follow for Telecommunications
The following policies are to be followed:
• Telecommunications acquisitions should follow the guidelines stated in this
  document so that the minimum requirements for tendered equipment are observed.
• It is important to ensure that acquisitions are in line with strategic goals and
  objectives of the Ministry or Agency.
• Public and private network infrastructure requirements must be an integral part of
  building design, leasing, construction and renovation and should be appropriately
  scheduled to ensure service availability. This practice will help Ministries and
  Agencies to avoid time delays and future inflated expenses in obtaining needed
  telecommunications and networking infrastructure.
2.4 Risks Resulting from the Standardization Activities
• Telecommunications costs are high. One of the key risks in implementing
  telecommunications is adopting the wrong solution.
• Depending on the Standards and Guidelines without exploring the limits of the
  solution under examination.
• Relinquishing the development of documentation specific to the Ministry or Agency
  relating to the telecommunication solution applied in that Ministry or Agency.
• Telecommunications transfers are subject to security holes. It is important to
  adopt the necessary security policies to cover this risk if the information
  being sent/received is sensitive. (Refer to the Data Integrity and Security
  segment which can be downloaded from OMSAR’s website on ICT Standards and
  Guidelines at www.omsar.gov.lb/ICTSG/SC).
2.5 Related Documents
There are no related documents to this segment.
2.6 How to Use This Document?
The reader should step through the following main sections of the document:
• WAN Technologies: Section 3.0
• WAN Devices and Equipment: Section 4.0
• Virtual Private Networks: Section 5.0
Refer to the segment on Networks for further discussion of local area networks and
related equipment. This segment can be downloaded from OMSAR’s website on ICT
Standards and Guidelines at www.omsar.gov.lb/ICTSG/NW.
2.7 Related Terms and Acronyms
ATM: (Asynchronous Transfer Mode) A networking technology that contains a flexible
multiplexing and switching technique which provides variable bandwidth for local-area
and wide-area networks. Unlike ordinary synchronous configurations, ATM permits
flexible allocation of available bandwidth for data, voice, images and video. ATM uses a
scalable architecture, making it easily upgradeable; it allows a virtually unlimited number
of users to have dedicated, high speed connections with high-performance network
servers.
CSU/DSU: Short for Channel Service Unit and Data Service Unit. The CSU is a device
that connects a terminal to a digital line. Typically, the two devices are packaged as a
single unit. The DSU is a device that performs protective and diagnostic functions for a
telecommunications line. It can be thought of as a very high-powered and expensive
modem. Such a device is required for both ends of a T1 connection and the units at both
ends must be set to the same communications standard.
E1: The European format for digital transmission. It carries signals at 2 Mbps (32
channels at 64Kbps, with 2 channels reserved for signaling and controlling), versus the
T1, which carries signals at 1.544 Mbps (24 channels at 64Kbps). E1 and T1 lines may
be interconnected for international use.
Extranet: Refers to an intranet that is partially accessible to authorized outsiders.
Whereas an intranet resides behind a firewall and is accessible only to people who are
members of the same company or organization, an extranet provides various levels of
accessibility to outsiders. You can access an extranet only if you have a valid username
and password and your identity determines which parts of the extranet you can view.
Extranets are becoming a very popular means for business partners to exchange
information.
Internet Protocol (IP): A communications protocol which plays a significant role in the
routing of packets of data from one node on the internet to another. IPv4 routes each
packet based on a 32 bit destination address called an IP address (e.g.,
123.122.211.111).
Intranet: A network based on TCP/IP protocols (an internet) belonging to an
organization, usually a corporation, accessible only by the organization's members,
employees or others with authorization. An intranet's Websites look and act just like any
other Websites, but the firewall surrounding an intranet fends off unauthorized access.
Like the Internet itself, intranets are used to share information. Secure intranets are now
the fastest-growing segment of the Internet because they are much less expensive to
build and manage than private networks based on proprietary protocols.
ISP: (Internet Service Provider). This is a company that provides access to the Internet.
For a monthly fee, the service provider offers a software package, username, password
and access phone number. Equipped with a modem, the customer can then log on to the
Internet and browse the World Wide Web and USENET and send and receive e-mail. In
addition to serving individuals, ISPs also serve large companies, providing a direct
connection from the company's networks to the Internet. ISPs themselves are connected
to one another through Network Access Points (NAPs).
IPv4: IPv4 is a four byte, 32 bit IP address in the form 255.255.255.255.
IPv6: IPv6 is a sixteen byte, 128 bit IP address that may be viewed as hexadecimal
numbers separated by semicolons.
ISDN: (Integrated Services Digital Network). This is an international communications
standard for sending voice, video and data over digital telephone lines or normal
telephone wires. ISDN supports data transfer rates of 64 Kbps (64,000 bits per second).
There are two types of ISDN:
• ISDN - Basic Rate Interface (BRI): consists of two 64-Kbps B-channels and
  one D-channel for transmitting control information.
• ISDN - Primary Rate Interface (PRI): consists of 23 B-channels and one
  D-channel (U.S.) or 30 B-channels and one D-channel (Europe).
The original version of ISDN employs baseband transmission. Another version, called
B-ISDN, uses broadband transmission and is able to support transmission rates of
1.5 Mbps. B-ISDN requires fiber optic cables and is not widely available.
ITU: International Telecommunications Union
Network: A configuration of devices and software connected for information, voice or
image transmission or for other purposes that may be addressed by electrical, radio or
optical signaling. Any local, wide-area, metropolitan-area or campus network established
for use by Ministries or Agencies.
NAP: Network Access Points
PABX: (Private Branch Automatic exchange). PABX is a private phone system usually in
an office environment, which connects a number of extensions to the telephone network.
PSTN: (Public Switched Telephone Network). The main telephone system owned or
operated by a telecommunications company, e.g. OGERO.
TCP/IP: (Transmission Control Protocol / Internet Protocol). TCP/IP is a set of
communications protocols. The TCP/IP networking scheme implements a peer-to-peer
client-server architecture. Any computing system in the network can run TCP/IP server
software and can provide services to any other computing system that runs
complementary TCP/IP client software.
Telecommunications: Any transmission, emission or reception of signs, signals,
writings, images and sounds or information of any nature by wire, radio, visual, optical
or other electromagnetic systems.
T1: A dedicated digital phone connection supporting data rates of 1.544Mbits per
second. A T1 line actually consists of 24 individual channels, each of which supports
64Kbits per second. Each 64Kbit/second channel can be configured to carry voice or data
traffic. Most telephone companies allow you to buy just some of these individual
channels, known as fractional T1 access.
T1 lines are a popular leased line option for businesses connecting to the Internet and
for Internet Service Providers (ISPs) connecting to the Internet backbone. The Internet
backbone itself consists of faster T-3 connections.
T1 lines are sometimes referred to as DS1 lines.
Virtual Private Network (VPN): A network that is constructed by using public wires to
connect nodes. For example, there are a number of systems that enable you to create
networks using the Internet as the medium for transporting data. These systems use
encryption and other security mechanisms to ensure that only authorized users can
access the network and that the data cannot be intercepted.
Wide Area Network (WAN):
• A network that provides communication services to a geographic area larger than
  that served by a local area network or a metropolitan area network and that may
  use or provide public communication facilities.
• A data communications network designed to serve an area of hundreds or
  thousands of miles; for example, public and private packet-switching networks
  and national telephone networks.
• A computer network that links multiple workstations and other devices across a
  large geographical area. A WAN typically consists of multiple LANs that are linked
  together.
X.25: A popular standard for packet-switching networks. The X.25 standard was
approved by the CCITT (now the ITU) in 1976. It defines layers 1, 2 and 3 in the OSI
Reference Model.
2.8 Related Segments and Cross References
This segment is related to the following:
102    www.omsar.gov.lb/ICTSG/NW    Networks
105    www.omsar.gov.lb/ICTSG/OS    Operating Systems
204    www.omsar.gov.lb/ICTSG/SC    Information Integrity and Security
205    www.omsar.gov.lb/ICTSG/DE    Data Definition and Exchange
These can be downloaded from OMSAR’s website on ICT Standards and Guidelines at
www.omsar.gov.lb/ICTSG.
2.9 Related International Standards
There are no related standards for the usage of Telecommunications. However,
telecommunications science relies heavily on engineering standards which are not within
the scope of this segment.
2.10 All Segments in the ICT Standards and Guidelines
OMSAR's website for ICT Standards and Guidelines is found at www.omsar.gov.lb/ICTSG
and it points to one page for each segment. The following pages will take you to the
home page for the three main project documents and the 13 segments:
       www.omsar.gov.lb/ICTSG/Global    Global Policy Document
       www.omsar.gov.lb/ICTSG/Cover     Cover Document for 13 segments
       www.omsar.gov.lb/ICTSG/Legal     Legal Recommendations Framework
101    www.omsar.gov.lb/ICTSG/HW        Hardware
101    www.omsar.gov.lb/ICTSG/HW        Hardware Systems
102    www.omsar.gov.lb/ICTSG/NW        Networks
103    www.omsar.gov.lb/ICTSG/TC        Telecommunications
104    www.omsar.gov.lb/ICTSG/DB        Database Systems
105    www.omsar.gov.lb/ICTSG/OS        Operating Systems
106    www.omsar.gov.lb/ICTSG/EN        Buildings, Rooms and Environment
201    www.omsar.gov.lb/ICTSG/QM        Quality Management
202    www.omsar.gov.lb/ICTSG/SW        Software Applications
203    www.omsar.gov.lb/ICTSG/EV        Evaluation + Selection Framework
204    www.omsar.gov.lb/ICTSG/SC        Information Integrity and Security
205    www.omsar.gov.lb/ICTSG/DE        Data Definition and Exchange
206    www.omsar.gov.lb/ICTSG/RM        Risk Management
207    www.omsar.gov.lb/ICTSG/CM        Configuration Management
Each page contains the main document and supplementary forms, templates and articles
for the specific subject.
3.0 WAN Technologies
This section addresses different kinds of Wide Area Network technologies and describes a
procedure for selecting network-to-network connectivity.
There are many different technologies available for connecting isolated networks. The
best solution depends on the frequency of data transfers and the bandwidth
requirements. The most common WAN connections are:
• Analog Dial up
• ISDN
• Frame Relay
• T1
• E1
Figure 1: A typical WAN connection
3.1 Dial up Analog Connections
Dial up analog connections operate over standard voice grade telephone lines. Analog
modems can achieve data transfer rates up to 56Kbps depending on the clarity of the
telephone line. There are also new products on the market called dual analog modems
that can double this transfer rate by sending data over two analog phone lines. The
advantage of analog connections is that they are inexpensive.
3.1.1 Requirements
Each site will require a modem of similar speed and a standard dedicated phone line.
3.1.2 When to Use Dial up Analog Connections
Dial up analog connections are best for small file transfers and low bandwidth
applications such as e-mail. Analog connections should be used where download times
are not critical and low cost is required.
3.2 ISDN
Integrated Services Digital Network (ISDN) transmits voice and data simultaneously over
a single digital channel. It operates over a single twisted pair copper telephone line using
the existing wiring. Because ISDN uses digital lines, noise and interference are
eliminated and calls are set up almost instantaneously. ISDN allows simultaneous
transmission of data while carrying on a voice conversation or sending a fax.
This is a benefit for small offices that would typically need multiple telephone lines
installed. ISDN comes in two types of access services: Basic Rate Interface (BRI) and
Primary Rate Interface (PRI).
3.2.1 Basic Rate Interface (BRI)
BRI consists of two 64Kbps circuit-switched data/voice channels (B Channels) and one
16Kbps signaling channel (D Channel). BRI is referred to as 2B+D. BRI can achieve data
transfer rates of 64Kbps using a single B channel or 128Kbps combining the 2 B
channels.
3.2.2 Primary Rate Interface (PRI)
This is for users with greater bandwidth requirements. PRI consists of 23 data channels
and one signaling channel (23B+D). ISDN can transmit data at up to 1.544Mbps, equivalent
to a single T1 channel. PRI is used for intensive bandwidth-on-demand
applications such as LAN-to-LAN interconnection and video conferencing. Each B channel
may be used for virtually any combination of voice, video or packet switching.
3.2.3 ISDN Requirements
ISDN requires that the Telephone Company (OGERO) install services to the offices that
are to be connected. An ISDN terminal adapter or an ISDN router will be required at
each location. ISDN charges from OGERO include a one time installation fee + a flat
monthly fee + usage charges (charges apply to each B channel). Refer to the Appendix
in Section 6.0 for OGERO rates.
3.2.4 When to Use ISDN
ISDN is a good choice for high speed dial up connections between LANs. It is used for
simultaneous use of voice, data, images and video. ISDN should be used for intermittent
rather than constant data transmission between sites.
The advantage of ISDN is that calls can be instantly made and instantly dropped. This
means that the link needs to be active only when data is actually being transmitted.
Routers can automatically make the call, transmit data and drop the call with no
interaction from the user. ISDN can also be used for redundancy to back up critical
Frame Relay or T1 WAN connections.
3.3 Frame Relay
For frequent data transfers or higher bandwidth requirements, a Frame Relay connection
is the best choice. Frame Relay fills the gap between expensive leased T1 lines and lower
priced ISDN service. The advantage of Frame Relay is the flat monthly fee for the
service. There are no usage charges; therefore monthly service costs are more
predictable.
Frame Relay is available in access rates from 56Kbps to 1.544Mbps. Frame Relay is a
"scalable service" meaning that the Phone Company can increase access rates without
changing wiring or equipment.
3.3.1 Frame Relay Requirements
A DSU/CSU (Data Service Unit / Channel Service Unit) and a Frame Relay capable router
should be installed on each side of the network. There are products on the market that
combine both a router and DSU/CSU. Frame Relay costs include a one time installation
fee + a flat monthly fee. These fees are applied on a per site basis.
3.3.2 When to Use Frame Relay
Frame Relay is a good choice for frequent or constant data transmission between sites.
It is used for critical high bandwidth applications. Because Frame Relay provides multiple
logical links to one or more destinations over a single physical link, it is a good choice if
you need multiple sites connected.
3.4 Digital Carrier System - T1
Also known as the Digital Carrier System (DS1), T1 connections provide 1.544Mbps of
bandwidth. A T1 line is leased from the Telephone Company (OGERO) and directly links
two sites. OGERO can also provide Fractional T1 service (DS0) in multiples of 64Kbps for
users needing less than the full T1 bandwidth. T1 provides the highest performance for
network-to-network connections because it does not rely on the Telephone Company's
switched network. However, T1 is the most expensive type of service.
3.4.1 T1 Requirements
The requirements for T1 are similar to Frame Relay. The Telephone Company must
install service to both sites and a DSU/CSU and a T1 capable router must be installed. T1
costs include a one time installation fee + a flat monthly fee.
3.4.2 When to Use T1
T1 lines should be used for critical, high bandwidth applications. T1 lines are best when
the sites being connected are close together (otherwise the cost is prohibitive).
3.5 E1
While T1 is an American standard, E1 is the European format for digital transmission. It
carries signals at 2 Mbps (32 channels at 64Kbps, with 2 channels reserved for signaling
and controlling). Similarly to T1, an E1 line is leased from the Telephone Company.
The Telephone Company can also provide Fractional E1 service in multiples of 64Kbps for
users needing less than the full E1 bandwidth.
3.5.1 E1 Requirements
The requirements for E1 are similar to T1. The Telephone Company must install service
to both sites and a DSU/CSU and an E1 capable router must be installed. E1 costs
include a one time installation fee + a flat monthly fee.
3.5.2 When to Use E1
E1 lines should be used for critical, high bandwidth applications. E1 lines are best when
the sites being connected are close together (otherwise the cost is prohibitive).
The figure below summarizes the different WAN technologies as described above.
WAN Technology: Analog Dial up
  Requirements: Standard telephone line, modem
  Typical Bandwidth Range: Up to 56 Kbps.
  When to Use: Small file transfers. Low bandwidth applications (e-mail). Low cost
  is required.
WAN Technology: ISDN
  Requirements: ISDN service, ISDN terminal adapter or ISDN router
  Typical Bandwidth Range: 64Kbps~1.544Mbps.
  When to Use: High speed dial up connections between LANs. Simultaneous use of
  voice, data, images and video is required. Constant data transmission is not
  required. To back up critical Frame Relay or T1 WAN connections.
WAN Technology: Frame Relay
  Requirements: DSU/CSU device and Frame Relay capable router
  Typical Bandwidth Range: 56Kbps~1.544Mbps.
  When to Use: Frequent or constant data transmission requirements. Multiple site
  connectivity.
WAN Technology: T1
  Requirements: DSU/CSU device and T1 capable router
  Typical Bandwidth Range: 1.544Mbps.
  When to Use: Critical, high bandwidth applications.
WAN Technology: E1
  Requirements: DSU/CSU device and T1 capable router
  Typical Bandwidth Range: 2Mbps.
  When to Use: Critical, high bandwidth applications.
Figure 2: Summary of WAN Technologies
[Figure 3: decision diagram. Inputs: Bandwidth Requirements (High / Low) and Frequency
of Network Access (High / Low). Outcomes: T1 / E1 Link; ISDN or Frame Relay; ISDN or
Dialup Analog.]
Figure 3: Roadmap to Determine a WAN Technology
4.0 WAN Devices and Equipment
This section describes Telecommunications devices necessary to establish WAN
connections between two or more sites, based on the requirements presented for each
WAN technology.
4.1 Modems
Figure 4: Modem Characteristics
4.2 ISDN Terminal Adapter
An ISDN terminal adapter is analogous to a modem for an analog phone line connection.
Terminal adapters are normally the optimal choice for situations in which there will be
one computer using the ISDN line. Terminal adapters connect to the computer as either
an internal card or via the computer's serial port. Recommended technical features and
characteristics are shown in table 2.
ISDN Terminal Adapter
Technical Features: Technical Specifications and Mandatory Requirements

Data Rates: Asynchronous 300bps to 115Kbps; Synchronous 64Kbps
ISDN-Interfaces: S0 (BRI): 4-wire, RJ-45.
Configuration: Remote configurable via ISDN.
Caller ID: Checking of calling line identification (CLI) for access protection.
DBA - Dynamic Bandwidth Allocation: Allows a voice call to be placed or received while multilink PPP is running.
International Access: Inband communication to provide international access bypassing addressing problems often encountered with international gateways
Network Interface:
  Basic Rate Access (2B+D)
  S/T interface: conforms to ITU-T I.430
  1420 compatible
  Protocol: ITU Q.921, Q.931 and ETSI NET3
  Bearer Services: 3.1 kHz audio, speech, 64k data
  Line Rate: 64 Kbps on 1 B-channel (ISDN data mode); 128 Kbps on 2 B-channel (Multi-Link PPP); 16 Kbps on D-channel for signaling
D Channel Signaling Protocols: ETSI/DSS1 (European Standard)
B Channel Protocols, Compatibility:
  X.21 for videoconferencing support
  X.30, X.75, V.24 (RS-232), V.35, T.70, V.110, V.120, ISO 8208, ECMA 102.
  PPP and Multi-Link Protocol
  G3 fax over B-channel
  Voice over B-channel
  Asynchronous-to-Synchronous PPP conversion

Figure 5: ISDN Terminal Adapter Technical Specifications
4.3 ISDN Router
A router is normally the optimal choice for situations in which there are multiple
computers that will be using the ISDN line for network connectivity. Routers connect to
the computer using an Ethernet connection (LAN environment).
ISDN Router
Technical Features: Technical Specifications & Minimum Requirements

Protocol Support:
  IP, IPX routing and spoofing, Transparent Bridging, PPP, MultiLink PPP
  IP Multicast Forwarding, DHCP IP Address Assignment, Single IP Addressing, and Reverse Port Mapping (NAT)
Bandwidth Management:
  Multilink PPP (MP)
  Hi/fn STAC and VJ header compression
  Dial up/take-down on demand
ISDN Features: AutoSwitch type detection, AutoSPID detection, and worldwide ISDN switch-type support
Authentication/Security: PAP, CHAP, callback, and Caller ID authentication
VPN Support:
  L2TP (Layer 2 Tunneling Protocol)
  PPP/ECP/DES/IPSec
Network Management:
  Command line interface (CLI) through console or telnet
  Web browser-based user interface
  SNMP agent
Ports available:
  LAN interface: minimum 2-port 10BASE-T hub and one uplink
  WAN Interface: ISDN BRI (Basic Rate Interface)
  Analog: 2 POTS (Plain Old Telephone Services) ports
  Management: RS-232 console port

Figure 6: ISDN Router Technical Specifications
4.4 Frame Relay Capable Router
Routers
Technical Features: Technical Specifications & Minimum Requirements

Routing Protocols: IP, IPX, RIP, RIP2, ARP, Proxy ARP, ICMP, Novell, IPX, Novell RIP, Novell SAP, Novell SAP spoofing
Bridging Protocols: 802.3/Ethernet Transparent MAC layer bridging, 802.1D Spanning Tree Protocol, Closed-loop bridging (Delta/Triangulation)
WAN Protocols: PPP, ML-PPP, BACP, Frame Relay RFC1490, ISDN, PPPoE, IP/IPX Filtering
Other Protocols: UDP, TCP, TFTP
Security: NAT, NAPT, Reverse NAPT, NetSAFE Firewall, PAP, CHAP, VPN: IPSec, DES/3DES
Wide Area Bandwidth Management: Transparent link activation/deactivation on: Time of day, IP and/or IPX destination address, LAN traffic, Automatic activation of 2nd link on main link threshold.
Quality of Service (QoS): Priority Queuing
Protocol Spoofing: TCP Session Keepalives, IP RIP Broadcasts, IPX Watchdogs, IPX SAP Advertisements, IPX RIP Broadcasts, IPX Serializations
Network Management: SNMP, MIB II, Bridge MIB, Enterprise MIB, Telnet, Local RS-232 console port
Compression: Stac/Stac LZS (6:1)
Link Speeds: 4Mbps aggregate
Filter Rate: 14,000 pps
LAN Interface Options: 10BaseT (RJ45), 10Base2 (BNC), AUI
WAN Interface Options: V.35; V.21; V.24/RS422/RS530; ISDN BRI U, S/T; 56/64K CSU/DSU; T1/E1 CSU/DSU; G.703

Figure 7: Routers
4.5 DSU and CSU Devices
A Data Service Unit/Channel Service Unit (DSU/CSU) is the ideal solution for high speed
access to LAN/WAN applications. It connects to T1/E1 or fractional T1/E1 network
services with data rates from Nx56/64 Kbps up to 2.0 Mbps. It delivers access to the
high-bandwidth requirements of LAN internetworking, video conferencing, CAD/CAM,
data and image applications. Providing high speed access, a DSU/CSU can be configured
for point-to-point applications or point-to-multiple-endpoint applications using Fractional
T1/E1 topologies. It is capable of accessing public network services such as frame relay,
T1/E1 and fractional T1/E1, value-added networks and private backbone networks.
DSU/CSU
Technical Features: Technical Specifications & Minimum Requirements (T1 and E1)

Access Speed, Network Interface:
  T1:
    1 T1 ANSI 403 port
    Line Rate: T1 (1.544 Mbps)
    Connector Type: 100 ohm RJ-48C socket
    Line Code: AMI or B8ZS
    Framing: D4 or ESF
    Output Level: 0 db, -7.5 db, or -15 db LBO
    Input Level: 0 to -26dB
  E1:
    1 E1 G703/G704 port
    Line Rate: E1 (2.048 Mbps)
    Connector Type: 120 ohm RJ-48C socket or 75 ohm BNC
    Line Code: HDB3
    Framing: ITU-T G.704/CTR 12
    Output Level: ITU-T G.703/CTR 12
    Input Level: 0 to 20dB
Data Interface:
  T1: RS-449/EIA-530 or V.35. Data Rates: Nx56/64 kbps (N=1 through 24)
  E1: RS-449/EIA-530, V.35, or X.21. Data Rates: Nx64 kbps (N=1 through 31) (structured), 32x64 kbps (unstructured)
WAN Protocols:
  T1: Frame Relay and Protocol transparent support
  E1: Frame Relay and Protocol transparent support
Diagnostics:
  T1:
    Loopback Tests: T1 network, T1 payload, fractional T1 payload, loop-up/loop-down commands, DTE (full or fractional) NET/DTE
    Loopback Control: T1 set/reset codes, ESF FDL per AT&T 54016 and ANSI T1.403 Annex B
  E1:
    Loopback Tests: E1 network, E1 payload, fractional E1 payload, loop-up/loop-down commands, DTE (full or fractional)
    Loopback Control: E1 set/reset codes

Figure 8: DSU/CSU Technical Specifications
4.6 Firewalls
Firewalls
Technical Features: Technical Specifications & Minimum Requirements

Administration: SSHv1/v2 compliant secure remote access.
Secure Data Transfer:
  OpenPGP-compatible (RFC2440) system
  Routine secure transfer of logs and system status information
Misuse Detection:
  Routine monitoring of all system event logs
  Incident detection, logging, and follow-up with administrators of attacking networks.
IP Spoofing Protection:
  All network interfaces should automatically enforce
  Spoof attempts should be logged and processed as intrusion attempts.
Application Proxies: HTTP - FTP - SMTP - POP/IMAP - TCP Plug
Packet Filtering: All predictable-port TCP/IP services.
Network Address Translation: Bi-directional NAT through application proxies. Unidirectional NAT through packet filters.
Branch Office VPN:
  Full IP tunnels with 128 bit encryption.
  Shared private key for each tunnel to eliminate attacks on key infrastructure.
  Packet filters and proxies should be available to control VPN traffic.
Remote User VPN: IPSec or PPTP.
DMZ Support:
  Support of a minimum of 3 ethernet segments, allowing 3 networks, VPN connections, special purpose extranets, or protected inside network segments.
  All proxy and packet filter functionality should be available on all DMZ networks.
Packet Filtering: Full TCP, UDP, and IP packet filtering.
User Authentication: HTTPS-based username/password
Memory: Minimum 64M system memory - Flash-RAM storage.

Figure 9: Firewalls
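The IP Spoofing Protection requirement in Figure 9, as an added example that is not part of the OMSAR document: a per-interface source-address check for a firewall with outside, inside and DMZ segments that records every spoof attempt as an incident. The interface names, address ranges and sample packets are constructed assumptions.

```python
import ipaddress
import logging

log = logging.getLogger("fw.antispoof")

# Assumed topology: the three Ethernet segments of the DMZ Support row.
INTERNAL = {
    "inside": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),  # documentation range as a stand-in
}
# Private and link-local ranges that must never arrive from the Internet side.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def check_source(interface, src):
    """Return (accept, reason) for an IPv4 source address seen on an interface."""
    try:
        addr = ipaddress.IPv4Address(src)
    except ValueError:
        return False, "malformed source address"
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified or addr == BROADCAST:
        return False, "source is never valid on the wire"
    if interface in INTERNAL:
        # A protected segment may only originate traffic from its own range.
        if addr in INTERNAL[interface]:
            return True, "ok"
        return False, f"source outside the {interface} network"
    if interface == "outside":
        for name, net in INTERNAL.items():
            if addr in net:
                return False, f"outside packet claims an address from {name}"
        if any(addr in net for net in UNROUTABLE):
            return False, "outside packet claims a private address"
        return True, "ok"
    return False, "unknown interface"


def filter_packets(packets):
    """Check (interface, src, dst) tuples; log each spoof and return the incidents."""
    incidents = []
    for interface, src, dst in packets:
        accept, reason = check_source(interface, src)
        if not accept:
            log.warning("spoof attempt iface=%s src=%s dst=%s reason=%s",
                        interface, src, dst, reason)
            incidents.append((interface, src, reason))
    return incidents


# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    ("outside", "203.0.113.9", "192.0.2.25"),   # Internet host to a DMZ server
    ("outside", "10.10.4.20", "10.10.1.5"),     # inside address arriving from outside
    ("outside", "192.168.1.1", "192.0.2.25"),   # private source from the Internet
    ("inside", "10.10.4.20", "203.0.113.9"),    # legitimate inside host
    ("inside", "203.0.113.9", "10.10.1.5"),     # foreign source on the inside segment
    ("dmz", "127.0.0.1", "10.10.1.5"),          # loopback source
]
```

Calling filter_packets(SAMPLE) returns the four rejected packets, each with the interface it arrived on and the reason it was treated as spoofed.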
5.0 Virtual Private Networks
With the advent of the Internet, the opportunity has arisen to provide temporary links
across the public network between companies and sites. Instead of creating a true
private network with all its attendant costs and management issues, one can make use
of the Internet to provide a Virtual Private Network (VPN).
Rather than maintaining an expensive point-to-point leased line (a T1 or an E1 link), the
Ministry or Agency can connect each office or Local Area Network to a local Internet
Service Provider (ISP) and route data through the Internet, thereby using shared,
low-cost public bandwidth as the communications backbone.
VPNs are not limited in the number of LANs or nodes that can be included in the virtual
WAN. For a Ministry or an Agency that has numerous sites to link, this can result in
significant savings when compared to maintaining a network of leased lines.
VPN is a technology that can be employed by Ministries or Agencies with traffic
requirements of any size. These requirements may impose bandwidths much less than 64 Kbps for
the Wide Area Network, and VPNs can be set up to work at speeds slower than is
possible with leased lines.
A VPN does not need to be a permanent link. Dial-on-demand virtual networks can be
created using analog modems or ISDN for those sites that don’t require a full-time
connection. When a user on the LAN needs to access the WAN, a modem or router
automatically connects to a nearby ISP and starts sending data across the Internet.
VPN links can be set up with little effort and removed just as easily. In addition,
client-to-server VPNs can be created on demand between remote user PCs and a firewall or
VPN termination device at head office. This provides the means for roaming users to
have access to corporate networks no matter where they may be located.
A VPN reduces the number of modems and telephone lines required centrally to support
dial-in networking and dramatically decreases long distance charges since remote PC
users would connect to their local ISP instead of dialing direct to head office.
With all this sensitive corporate data going around the public network, security becomes
a primary concern. Unprotected data sent across the public Internet is susceptible to
being viewed, copied or modified by unintended individuals or organizations. Data can be
tampered with en route and valuable systems can be sabotaged.
Both ends of the tunnel must ensure beyond any measure of doubt that they are
communicating with a valid host or client at the remote end of the link. Once the link has
been established, data traveling within the tunnel must be encrypted to ensure that no
one who may be eavesdropping on the conversation can gain access to the raw data.
The most important considerations for Internet security are:
• Authentication: Verifying that the parties on each end of the link are who they
claim to be
• Privacy: Ensuring that transmitted content is not read or intercepted by
unauthorized recipients
• Integrity: Verifying that the transmitted data is received in an unchanged state
Doing business over the Internet, including transferring funds, obtaining and verifying
credit information, selling and even delivering products, requires a reliable and effective
security solution.
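The authentication and integrity requirements above, as an added example that is not part of the OMSAR document: two tunnel endpoints prove knowledge of a per-tunnel shared key by challenge-response, then tag each frame so that altered or replayed data is rejected. The Endpoint class, endpoint names and frame layout are hypothetical; privacy (encryption) is not shown, and a production VPN gets all three properties from a protocol such as IPSec.

```python
import hashlib
import hmac
import secrets
import struct


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries cannot shift."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(struct.pack(">I", len(part)) + part)
    return h.digest()


class Endpoint:
    """One end of a tunnel holding the key shared with its peer (hypothetical class)."""

    def __init__(self, name, key):
        self.name, self.key = name.encode(), key
        self.nonce = None
        self.sent = self.received = 0

    def challenge(self):
        """Authentication, step 1: send the peer a fresh random nonce."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, nonce):
        """Step 2: prove knowledge of the key; our own name blocks reflection."""
        return _mac(self.key, b"auth", self.name, nonce)

    def verify(self, peer, response):
        """Step 3: accept the peer only if the response matches, in constant time."""
        if self.nonce is None:
            return False
        expected = _mac(self.key, b"auth", peer.encode(), self.nonce)
        self.nonce = None  # a nonce is good for one attempt only
        return hmac.compare_digest(expected, response)

    def protect(self, payload):
        """Integrity: frame = 8-byte sequence number + payload + 32-byte tag."""
        self.sent += 1
        seq = struct.pack(">Q", self.sent)
        return seq + payload + _mac(self.key, b"data", self.name, seq, payload)

    def accept(self, peer, frame):
        """Return the payload, or None if the frame is altered, forged or replayed."""
        if len(frame) < 40:
            return None
        seq, payload, tag = frame[:8], frame[8:-32], frame[-32:]
        expected = _mac(self.key, b"data", peer.encode(), seq, payload)
        if not hmac.compare_digest(expected, tag):
            return None
        number = struct.unpack(">Q", seq)[0]
        if number <= self.received:
            return None
        self.received = number
        return payload
```

Each side runs challenge, respond and verify against the other before any data flows, so a host without the tunnel key is rejected at step 3.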
5.1 Roadmap for Implementing a VPN Solution
The following sections describe the roadmap for implementing a VPN solution:
Step 1: Determine Networking Connectivity & Access Requirements
Step 2: Choose Product or Service Provider
Step 3: Test it Out
Step 4: Design and Implement the Network
Step 5: Monitor and Manage the VPN
Step 6: Upgrade and Migrate
Figure 10: Roadmap to Implementing a VPN Solution
5.2 Step 1: Determine Networking Connectivity + Access Requirements
First and foremost, the Ministry or Agency needs to determine what kinds of WAN
connections and network access for remote users are required. WAN
connections fall into two general categories: intranet connections and extranet
connections. Intranet connections link different locations within the same Ministry or
Agency. Extranet usually refers to the network connections between “business
partners” of the Ministry or Agency.
Remote access users can also be classified into two categories:
• Road Warriors: Road warriors typically move from location to location
frequently.
• Telecommuters: generally stay at one location for an extended period of time.
After determining the connectivity and access requirements, a network security policy
should be created (if it is not already in place) to facilitate network design. Sometimes,
the policy could be simple, such as granting the same uniform access to every location
and every remote access user. Often, the policies are more complex, involving different
functions of different agency levels and the different needs of “business partners”.
5.3 Step 2: Choose Product(s) or a Service Provider
As VPN involves many different technologies and there are even more VPN
products from various equipment vendors, choosing the right technology from the right
vendor is often not easy. VPN products in general fall into four distinct categories:
• VPN gateway. Devices with special software and hardware to provide VPN
capability. Various functions are optimized onto various software/hardware
components.
• Software only. Software is overlaid on PC or workstation platforms; the
software performs all the VPN functions.
• Firewall based. Additional functions are added to the firewall to enable VPN
capability.
• Router based. Additional functions are added to the router to enable VPN
capability.
Hardware based encryption provides faster encryption speed. When the link speed
reaches above T1 (1.5Mbps), hardware encryption is almost a necessity.
The various standards and protocols supported by the product are very important. In
general, most VPN products should support IPSec, L2TP and PPTP. IPSec is the standard
created by the Internet standards body, the Internet Engineering Task Force (IETF), to
provide security services in the IP based Internet. It has been widely adopted in the
networking industry. ICSA (International Computer Security Association) provides IPSec
compliance certification for equipment vendors.
The types of authentication method supported by the products are also very
important. RADIUS (Remote Authentication Dial In User Service) and PKI (Public Key
Infrastructure) are two popular authentication standards. Directory server (e.g. LDAP)
based authentication has also been implemented by various vendors.
For many Ministries or Agencies, it makes sense to outsource the VPN implementation to
a service provider. A VPN service provider already has the right expertise in designing
and implementing the VPN. By working closely with a service provider, the organization
can be assured that its networking needs are adequately addressed. At the same time, it
can focus on its core business and expertise, which often do not lie in the networking
and security field.
5.4 Step 3: Test It Out
After choosing the product or service provider, the next step is to try it out. Two or three
sites and a small group of remote access users can be chosen to conduct a pilot service.
The goal of the pilot is to ensure the VPN can be correctly configured to meet a subset of
the network connectivity and remote access requirements determined in step 1.
It should also show that the performance of the network is adequate and the right
authentication method can be managed. For example, in the case of using PKI for
authentication, digital certificates can be appropriately issued and revoked.
5.5 Step 4: Design and Implement the Network Design
After a successful pilot project, a production implementation can follow. A complete VPN
design that meets all the network connectivity and remote access requirements
determined in step 1 should be completed, either by the Ministry or Agency itself or
working with the service provider. The implementation plan itself may be phased in.
In designing the VPN, an important aspect is the relative location of the VPN device with
respect to the firewall already located at the corporate network perimeter. For example,
the VPN device can be positioned in parallel to the firewall. In some cases, the VPN
device can also perform the firewall function (and vice versa), thus combining the two
devices into a single entity.
Implementing a VPN may mean reconfiguring other devices on the corporate network,
such as the routers in the corporate network and the NAT (network address translation)
server. In some cases, the VPN device can also perform NAT functions.
Deployment of VPN software onto remote access computers should be managed
carefully. Unlike the VPN gateways situated on the corporate network, which are often
installed by experienced network engineers, the VPN client software for remote access
often needs to be installed by the end users themselves. Therefore, a convenient software
delivery method (e.g. web download) and an easy to follow installation guide should be
provided.
5.6 Step 5: Monitor and Manage the VPN
Corporate networks require continued monitoring and management. The same holds true
for VPNs. The VPN needs to be monitored and managed to ensure the continued correct
operation of the network. It is also desirable to gather usage and performance statistics,
so that appropriate network changes can be planned.
In today’s fast changing industry, the networking needs of a Ministry or Agency will also
change. Because IP based VPN does not have dedicated circuits based physical
infrastructure, making changes in the VPN simply amounts to changing the configuration of
the VPN devices. This offers companies flexibility to change at a moment’s notice, a
distinctive advantage compared to the slow telecommunications circuit provision process,
which can usually take 30 days.
Similar to the implementation of the VPN, the Ministry or Agency can choose to perform
the monitoring and management of the VPN themselves or outsource the tasks to a
trusted service provider, making use of the infrastructure and expertise of the provider.
5.7 Step 6: Upgrade and Migrate
Virtual Private Network technologies continue to evolve, just as the networking industry does.
VPN products continue to achieve higher performance, stronger security and easier
management. In addition, different security models, such as providing security in the
ISP’s POP (Point of Presence) are emerging. The Ministry or Agency should continue to
upgrade its network infrastructure to adapt to the ever changing business needs and
technologies.
6.0 Appendix A – OGERO Rates
The current rates for OGERO’s Telecommunications Services are posted on OGERO’s
website: www.ogero.gov.lb and should be reviewed regularly in case of updates.