Wide area networks (WANs) are considerably different from LANs. Organizations usually own their own LANs, but WAN services are typically leased; it's not feasible to have your network engineer run a cable from New York to Dallas. WANs are concerned with the long-haul transmission of data and connect remote devices; the Internet is a good example of a WAN. WAN data transmissions typically cost more per megabyte than LAN transmissions. WAN technologies can be divided into two broad categories: packet switching and circuit switching.
Packet Switching
Packet-switched networks share bandwidth with other devices. Packet-switched networks divide data into packets and frames. These packets are individually routed among various network nodes at the provider's discretion. They are considered more resilient than circuit-switched networks and work well for on-demand connections with bursty traffic. Each packet takes the most expedient route, which means they might not all arrive in order or at the same time. Packet switching is a form of connectionless networking.
X.25
X.25 is one of the original packet-switching technologies. Although it is not fast, with speeds up to 56Kbps, it is reliable and works over analog phone lines.
Frame Relay
Frame Relay is a virtual circuit-switched network. It is a kind of streamlined version of X.25. Frame Relay controls bandwidth use with a committed information rate (CIR). The CIR specifies the maximum guaranteed bandwidth that the customer is promised. The customer can send more data than is specified in the CIR if additional bandwidth is available. If there is additional bandwidth, the data will pass; otherwise, the data is marked discard eligible (DE) and is discarded. Frame Relay can use permanent virtual circuits (PVCs) or switched virtual circuits (SVCs). A PVC is used to provide a dedicated connection between two locations. An SVC works much like a phone call, in that the connection is set up on a per-call basis and is disconnected when the call is completed. Switched virtual circuits are good for teleconferencing, for phone calls, and when data transmission is sporadic.
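The CIR and DE behaviour just described can be made concrete with the standard Frame Relay measurement parameters: Bc (committed burst), Be (excess burst) and Tc (measurement interval), where CIR = Bc / Tc. The following is an added example, not code from the original text; the 64Kbps CIR, the burst sizes and the eight-frame traffic sample are constructed values chosen to show all three outcomes (committed, DE-marked, discarded).

```python
"""Frame Relay CIR enforcement and DE marking, modelled as the
standard Bc/Be/Tc measurement.

Added illustration of the CIR and discard-eligible (DE) behaviour
described above, not code from the original text. Bc (committed burst),
Be (excess burst) and Tc (measurement interval) are the usual Frame
Relay parameters; the numeric values and the frame sizes below are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CirPolicy:
    cir_bps: int        # committed information rate, bits per second
    tc_seconds: float   # measurement interval Tc
    be_bits: int        # excess burst tolerated above Bc within one Tc

    @property
    def bc_bits(self) -> int:
        # Bc = CIR x Tc: the number of bits guaranteed in each interval
        return int(self.cir_bps * self.tc_seconds)


def police_frames(frame_sizes_bytes, policy: CirPolicy):
    """Classify the frames arriving in one Tc interval.

    Returns a list of (size_bytes, verdict) where verdict is
    'committed' (inside Bc), 'DE' (inside Bc + Be, marked discard
    eligible) or 'discarded' (beyond Bc + Be, dropped at ingress).
    """
    used_bits = 0
    verdicts = []
    for size in frame_sizes_bytes:
        bits = size * 8
        if used_bits + bits <= policy.bc_bits:
            verdict = "committed"
        elif used_bits + bits <= policy.bc_bits + policy.be_bits:
            verdict = "DE"
        else:
            verdict = "discarded"
        if verdict != "discarded":
            used_bits += bits      # only forwarded frames consume the budget
        verdicts.append((size, verdict))
    return verdicts


def deliver(verdicts, spare_bits: int):
    """Downstream congestion handling: committed frames always pass, DE frames
    pass only while the network has spare capacity, the rest are dropped."""
    delivered = []
    for size, verdict in verdicts:
        if verdict == "committed":
            delivered.append(size)
        elif verdict == "DE" and size * 8 <= spare_bits:
            spare_bits -= size * 8
            delivered.append(size)
    return delivered


def summarize(verdicts):
    """Count frames per verdict."""
    counts = {"committed": 0, "DE": 0, "discarded": 0}
    for _, verdict in verdicts:
        counts[verdict] += 1
    return counts


# Constructed scenario: a 64Kbps CIR measured over Tc = 1 s (Bc = 64,000 bits)
# with Be = 16,000 bits, and a burst of eight 1,500-byte frames (96,000 bits).
POLICY = CirPolicy(cir_bps=64_000, tc_seconds=1.0, be_bits=16_000)
BURST = [1500] * 8

if __name__ == "__main__":
    v = police_frames(BURST, POLICY)
    print(summarize(v))                        # {'committed': 5, 'DE': 1, 'discarded': 2}
    print(len(deliver(v, spare_bits=0)))       # 5: congested, the DE frame is dropped
    print(len(deliver(v, spare_bits=12_000)))  # 6: spare capacity, the DE frame passes
```

The two-stage split mirrors the text: the ingress switch decides committed versus DE versus discarded against Bc and Be, and whether a DE frame actually arrives depends on capacity further along the path, which is why a customer who routinely exceeds the CIR sees intermittent loss rather than a hard cap.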
Asynchronous Transfer Mode (ATM)
ATM is a cell-switching-based physical-layer protocol. It supports high-bandwidth data needs and works well for time-sensitive applications. Because the switching process occurs in hardware, delays are minimized. ATM uses a fixed 53-byte cell size. ATM can be implemented on LANs or WANs.
ATM is being surpassed by newer technologies, such as Multiprotocol Label Switching Architecture (MPLS). MPLS designers recognized that data didn't need to be converted into 53-byte cells, so MPLS packets can be much larger than ATM cells. MPLS can provide traffic engineering and allows VPNs to be created without involving end-user applications.
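The cost of the fixed 53-byte cell (the "cell tax") is easy to quantify: every cell carries a 5-byte header, and an IP packet has to be padded and given an 8-byte AAL5 trailer before it is cut into 48-byte payloads, whereas MPLS adds a single 4-byte label to a packet of any size. The example below is added here and is not code from the original text; the cell and trailer sizes are the standard ones, while the zeroed VPI/VCI header and the sample packet sizes are constructed.

```python
"""Cell tax: carrying an IP packet over ATM cells versus over MPLS.

Added example illustrating why MPLS designers dropped the 53-byte cell;
it is not code from the original text. The ATM cell layout (5-byte
header, 48-byte payload) and the 8-byte AAL5 trailer are standard; the
zeroed VPI/VCI header and the sample packets are constructed.
"""
import math
import struct
import zlib

ATM_CELL = 53
ATM_PAYLOAD = 48
ATM_HEADER = ATM_CELL - ATM_PAYLOAD   # 5
AAL5_TRAILER = 8                      # UU(1) + CPI(1) + Length(2) + CRC-32(4)
MPLS_SHIM = 4                         # one label stack entry: label/EXP/S/TTL


def atm_cells_for(packet_len: int) -> int:
    """Cells needed to carry packet_len bytes as one AAL5 PDU."""
    return math.ceil((packet_len + AAL5_TRAILER) / ATM_PAYLOAD)


def segment_aal5(sdu: bytes) -> list:
    """Pad the packet, append the AAL5 trailer and cut the PDU into cells."""
    pad_len = (-(len(sdu) + AAL5_TRAILER)) % ATM_PAYLOAD
    body = sdu + b"\x00" * pad_len
    trailer = struct.pack("!BBH", 0, 0, len(sdu))      # UU, CPI, Length
    crc = zlib.crc32(body + trailer) & 0xFFFFFFFF     # CRC-32 (zlib variant, illustrative)
    pdu = body + trailer + struct.pack("!I", crc)
    cells = []
    for off in range(0, len(pdu), ATM_PAYLOAD):
        header = bytearray(ATM_HEADER)                 # VPI/VCI = 0: constructed
        if off + ATM_PAYLOAD >= len(pdu):
            header[3] |= 0x02   # PTI user-indication bit marks the last cell of the PDU
        cells.append(bytes(header) + pdu[off:off + ATM_PAYLOAD])
    return cells


def wire_efficiency(packet_len: int, mpls_labels: int = 1) -> dict:
    """Payload bytes divided by bytes on the wire for each encapsulation."""
    atm_bytes = atm_cells_for(packet_len) * ATM_CELL
    mpls_bytes = packet_len + mpls_labels * MPLS_SHIM
    return {"atm": packet_len / atm_bytes, "mpls": packet_len / mpls_bytes}


if __name__ == "__main__":
    for size in (40, 64, 576, 1500):        # constructed packet sizes
        e = wire_efficiency(size)
        print(f"{size:5d} bytes: {atm_cells_for(size):3d} cells, "
              f"ATM {e['atm']:.1%} vs MPLS {e['mpls']:.1%}")
```

For a 1,500-byte packet ATM needs 32 cells (1,696 bytes on the wire, about 88% efficient), while MPLS sends 1,504 bytes (over 99%); for a 40-byte packet a full cell is consumed and efficiency drops to 75%. The segmentation routine also shows the other half of the story: the receiver must reassemble the cells and check the trailer before it can hand the packet up, work that MPLS routers never have to do.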
Voice over IP (VoIP)
VoIP is carried on packet-switched networks in IP packets. Networks that have been configured to carry VoIP treat voice communications as just another form of data. Companies are moving to VoIP because of major cost savings. However, using VoIP is not without risks; as a network service, it is vulnerable in some of the same ways as other data traffic. Attackers can intercept the traffic, hack the VoIP server, or launch a DoS attack against the VoIP server and cause network outages. Another consideration is that the vulnerabilities of the operating system that the VoIP application is running on are inherited.
Circuit Switching
Circuit switching comes in either analog or digital configurations. Today the most common form of circuit switching is the Plain Old Telephone Service (POTS), but Integrated Services Digital Network (ISDN), T-carriers, and digital subscriber line (DSL) are also options.
Plain Old Telephone Service (POTS)
POTS is a voice-grade analog telephone service used for voice calls and for connecting to the Internet and other locations via modem. Modem speeds can vary from 9600bps to 56Kbps. Although the POTS service is relatively inexpensive and widely available, it offers only low data speeds.
Integrated Services Digital Network (ISDN)
ISDN is a communication protocol that operates similarly to POTS, except that all-digital signaling is used. Although it was originally planned as a replacement for POTS, it was not hugely successful. ISDN uses separate frequencies called channels on a special digital connection. It consists of B channels used for voice, data, video, and fax services, and a D channel used for signaling by the service provider and user equipment. Keeping the D-channel signaling data separate makes it harder for attackers to manipulate the service. The D channel operates at a low 16Kbps; the B channels operate at a speed up to 64Kbps. By bonding the B channels together, ISDN can achieve higher speeds. ISDN is available in two levels: Basic Rate Interface (BRI) 128Kbps and Primary Rate Interface (PRI) 1.544Mbps.
T-Carriers
T-carrier service is used for leased lines. A leased line is locked in between two locations. It is very secure, but users pay a fixed monthly fee for this service, regardless of use. The most common T-carrier is a T1. A T1 uses time-division multiplexing and consists of 24 digital signal 0 (DS0) channels. Each DS0 channel is capable of transmitting 64Kbps of data; therefore, a T1 can provide a composite rate of 1.544Mbps. T3s are the next available choice. A T3 is made up of 672 DS0s and has a composite data rate of 45Mbps. For those who don't need a full T1 or a full T3, fractional service is available. A fractional T-line is just a portion of the entire carrier. Table 6.2 details common T-carrier specifications and contrasts them with POTS, ISDN, and DSL.
Service | Characteristics | Maximum Speed
---|---|---
POTS dial-up service | Switched line; widely used | 56Kbps
ISDN BRI digital | Requires a terminal adaptor; can be costly | 128Kbps
ISDN PRI digital | Requires a terminal adaptor; can be costly | 1.54Mbps
DSL | Typically asymmetric; downloads faster than uploads | Up to 52Mbps
T1 | Dedicated leased line; 24 bundled phone lines | 1.54Mbps
T3 | Dedicated leased line; 28 bundled T1s | 44.736Mbps
Digital Subscriber Line (DSL)
DSL is another circuit-switching connectivity option. Most DSLs are asymmetric, which means that the download speed is much faster than the upload speed. The theory is that you usually download more than you upload.
DSL modems are always connected to the Internet; therefore, you do not have to dial in to make a connection. As long as your computer is powered on, it is connected to the Internet and is ready to transmit and receive data. This is the primary security concern of DSL. Unlike the usual lengthy connection time used for dial-up service, no waiting time is involved. An advantage of the DSL is that it maintains more of a fixed speed than cable modems typically do. Table 6.3 details the different DSL types.
Name | Data Rate | Mode | Distance
---|---|---|---
IDSL (Internet digital subscriber line) | 160Kbps | Duplex | 18,000 ft., 24 AWG
HDSL (High-data-rate digital subscriber line) | 1.544Mbps or 2.048Mbps | Duplex | 12,000 ft., 24 AWG
SDSL (Symmetric digital subscriber line) | 1.544Mbps or 2.048Mbps | Duplex | 10,000 ft., 24 AWG
ADSL (Asymmetrical digital subscriber line) | 1.5-9Mbps (down); 16-640Kbps (up) | Down/Up | 9,000-18,000 ft., 24 AWG
VDSL (Very-high-data-rate digital subscriber line) | 13-52Mbps (down); 1.5-2.3Mbps (up) | Down/Up | 1,000-4,500 ft., 24 AWG
Cable Modems
Cable Internet access refers to the delivery of Internet access over the cable television infrastructure. The Internet connection is made through the same coaxial cable that delivers the television signal to your home. The coaxial cable connects to a special cable modem that demultiplexes the TCP/IP traffic. This always-on Internet connection is a big security issue if no firewall is used. One of the weaknesses of cable Internet access is that there is a shared amount of bandwidth among many users. Cable companies control the maximum data rate of the subscriber by capping the maximum data rate. Some unscrupulous individuals attempt to uncap their line to obtain higher speeds. Uncappers are almost always caught and can be prosecuted because cable Internet providers check for this daily.
Another lingering concern is that of the loss of confidentiality. Individuals have worried about the possibility of sniffing attacks. Most cable companies have addressed this issue by implementing the Data Over Cable Service Interface Specification (DOCSIS) standard. The DOCSIS standard specifies encryption and other security mechanisms that prevent sniffing and protect privacy.