Where to Find Real Online Jobs

Get all the support and guidance you need to find just the right business! This book is one of the most valuable resources in the world when it comes to how to sniff out the right home business. Keep reading to get the help you need. Success is achieved by being willing to resist the odds, take the 'road less traveled', and realize that the greatest power you have is already within you. Home business is that discovery for many.

Legitimate Online Jobs Over 2,000 Legit Online Jobs

Legitimate Online Jobs provides you with the most complete database of trusted work-at-home job opportunities on the internet. You can start browsing over 2,000 online jobs here. By becoming a member, you gain instant access to over 2,000 pre-screened, legitimate, high-quality online jobs; instant access to part-time, freelance, contract, flex-time, and no-experience online jobs; instant access to the International Online Jobs listings; and access to over 150 new jobs added each week. This website is the real deal for any person looking to telecommute from their home office.

Telecommuter WLAN Design Overview

The primary objective when considering deployment of a WLAN in a telecommuter environment is to increase productivity and flexibility. In addition to the types of benefits discussed in WLAN Solution Benefits, the following benefits can be derived from telecommuter-oriented WLANs: they make it easier for the telecommuter to work where and when it is convenient, and potentially extend work time online, resulting in increased per-employee productivity; they extend hours and enable flexible telecommuter work conditions, potentially leading to better responsiveness beyond normal work hours; they simplify telecommuter home network setups, reducing hardware and cabling costs; and they enhance the work-from-home experience, promoting several key potential benefits for the employee and employer. The design recommendations provided aim to facilitate the creation of secure, scalable, and supportable wireless telecommuter designs for a telecommuter connected to the enterprise through a public broadband Internet...

Traditional Teleworker versus Business Ready Teleworker

So how does the business-ready teleworker differ from the teleworker or, in the traditional sense, the telecommuter? The simplest answer is evolution. The telecommuter was simply connected however and whenever necessary. There was no thought of one experience regardless of device or locale. There was no concept of an SLA for the teleworker. The ability for a full-time employee to perform all job functions from home was a novelty rather than a compelling business case for cost reduction with increased productivity. Every service offered to the telecommuter of yesterday was best-effort, if it could even be thought of at that level. The construction of a corporate solution, a security policy, and all-out elevation to an actual executive-accepted business solution was beyond the extent of most lines of thought. The advent of higher-speed broadband solutions available to residential areas is likely one of the most significant drivers of the solution as well as one of the most relevant...

WLAN Telecommuter Design

This chapter defines the functional components required to build a WLAN telecommuter solution. Topics include identifying the individual hardware requirements and their interconnections, software features, management needs, and dependencies necessary to deploy manageable and maintainable WLAN telecommuter solutions. The general design characteristics of a WLAN telecommuting design are illustrated in Figure 4-1.

Figure 4-1 WLAN Telecommuter Environment

The chapter covers Telecommuter Deployment Models, WLAN Telecommuter Design Guidelines, and WLAN Telecommuter Configuration.

Topologies for Teleworker Connectivity

A revolution is in the works with regard to the workplace for well over half of the United States workforce. According to a September 2005 Gartner research publication, by 2008, 41 million full-time corporate employees will fall into the telecommuter classification, also known by the more correct term, teleworkers. The term commuter gives the impression of changing locations or moving from one place to another for a particular purpose. Teleworkers have the luxury of taking that early morning conference call in their pajamas. Cisco Service-Oriented Network Architecture (SONA) addresses the teleworker with its own full architecture solution, rather than a cursory glance and a wave in passing. In fact, the teleworker has spawned a number of leading-edge technologies and augmentations to existing technologies. Among these are virtual private network (VPN) solutions, customer premises equipment (CPE) choices for the home, and a Cisco Solutions Reference Network Design (SRND) detailing...

Software Based Teleworker Design

The software-based teleworker design makes no assumptions about the security of the location from which the teleworker will be accessing the network. The network can be public or private, and the underlying security mechanisms stay the same. For most organizations, this is the teleworker design. The hardware option, discussed next, simply isn't viable from a security standpoint for most networks. Even if it were, most systems must sometimes connect from a location without their hardware VPN device anyway. This means you must deploy solutions for a software teleworker design for these users as well, which complicates systems management and user education.

Hardware Based Teleworker Design

The hardware-based teleworker design assumes an IPsec VPN (or other network crypto) and moves the crypto process to a dedicated hardware device. This device might also support a firewall, limited IDS, NAT, and so on, much like the capabilities of the small network edge in Chapter 13. This device is connected to the same LAN as the teleworker PC, which routes traffic through the device on its way to the central location. Often these devices have built-in hubs or switches that allow the PC to connect directly without any additional network hardware. The PC connects to the LAN side, and the WAN Ethernet interface connects to the ISP customer premises equipment (CPE) device. The hardware teleworker design is most appropriate when the teleworker system will remain in one place or when there are multiple systems at a single location that must connect. In this case, the hardware teleworker design resembles the small network edge design. The key benefits of this design are that no special...

Challenges of Connecting Teleworkers

In maintaining position on the path to IIN, it should be noted that some sections of the map are more mature and well-traveled than others, meaning that there is greater detail available. The industry experience with providing multiple enhanced functions to teleworker devices is at a relatively early stage. The enterprise teleworker solution provides an always-on (potentially), secure, and centrally managed connection to business resources and services. In keeping with established goals, this should provide services and applications identical to those available to users based in campus and/or branch sites. In doing so, a number of requirements spring forth. Consider the fact that the corporate network is being extended to co-exist with the user's home network. The corporation has no control whatsoever over the traffic flow habits in the home network. A careless teleworker can easily compromise the security of a corporate network infrastructure. In that, there are associated risks and...

Providing SOHO/Teleworker Connectivity

The traditional teleworker solution consists of a virtual private network (VPN) client on the user's computer connecting over the Internet to a VPN concentrator, firewall, or Cisco Adaptive Security Appliance (ASA) at the corporate site. This requires only a dialup or broadband Internet connection and a dialup or broadband modem. However, this approach has several shortcomings: there is no centralized control of the teleworker equipment, so security, virus protection, and so forth are left to the teleworker to implement. The Cisco Business-Ready Teleworker Solution addresses these issues with the traditional teleworker approach. It seeks to secure corporate data by using IPsec VPNs, allow corporate control of the connection components, and provide a scalable architecture as part of disaster planning. It consists of an always-on broadband connection, a corporate-owned and -managed router configured for VPN and QoS, an IP phone, and (optionally) video equipment.

Defining the Teleworker Environment

A teleworker computer is any computer that spends at least some of its time outside the confines of your organization's physical security. This definition errs on the side of inclusion because even a system that never connects to your organization's network while away is still susceptible to a variety of attacks, which can present problems when the system is reintroduced to the campus network. In general, there are two main kinds of teleworker computers: portable computers and fixed-location remote systems. Portable computers have unique security requirements because they can connect to many different networks, each of which has a different threat profile. Fixed-location systems are systems such as desktop PCs installed at users' homes for what can be termed full-time teleworkers. These systems typically have lowered security risks but still must deal with the organization's inability to control the physical and network access in that location.

IIN and the Teleworker

Teleworker connectivity is, by definition, a wide-area network (WAN) connectivity scenario. It contains many of the same needs and requirements as a branch office or other remote site. The connection must be secure, reliable, and capable of protecting critical traffic types such as voice and video.

Enterprise Teleworker Branch of One Design

Organizations are constantly striving to reduce costs, improve employee productivity, and retain valued employees. These goals can be furthered by allowing employees to work from home with quality, function, performance, convenience, and security similar to that available in the office. With a work environment in the residence, employees can optimally manage their work schedules, allowing for higher productivity (less affected by office distractions) and greater job satisfaction (flexibility in schedule). This transparent extension of the enterprise to employee homes is the objective of the Cisco Enterprise Teleworker (or Branch of One) architecture. Occasional remote users have much lighter application requirements than part-time and full-time teleworkers. They can connect through a wireless hotspot or a guest network at a hotel and have little control over network resiliency and availability. In contrast, Enterprise teleworkers can be differentiated from other forms of work-at-home...

Teleworker Components

Teleworker solutions present a number of challenges in terms of deployment and support. The deployment must be almost entirely automated, thereby limiting user involvement. It also must be supportable and manageable from a corporate IT policy standpoint. The solution comprises three distinct components. Not every solution will include components for IP telephony and video from day one. However, in the evolution of the network as well as in keeping on the path to the IIN, these services will need to be included at some point. Figure 2-2 illustrates the basic connectivity of the teleworker solution. The requirement for home office components includes the access methodology, a remote VPN router with QoS capabilities, and the desktop or laptop computer to be used by the teleworker. Optionally, the components may include a Cisco IP Phone, a Cisco Unified Video Advantage (CUVA) camera for video, a wireless LAN access point (separate or integrated into the 800 series router), and possibly a laptop...

Teleworker Architecture

Due to space, real estate, employee accommodation, workforce diversification, and other factors, the home-based workforce is growing at an exceedingly high rate. Call center remote agents with access to features and functionality identical to their in-office counterparts are taking customer calls from home offices. Salespeople are making deals and booking them via VPN connections back to the corporate site. Most of these workers are using IP telephony to place their office desk phone on their home desk. Figure 1-7 illustrates the teleworker architecture.

Figure 1-7 Teleworker Architecture

These and many other examples are out there in the world. Cisco is a very big proponent of the enterprise teleworker model and of using an ISR platform to provide all the comforts, and access, of physically being in the office.

Table 15-1 Teleworker Threats

In the list, direct access is the most common attack because a teleworker PC often is not protected by any form of network infrastructure. This allows an attacker to communicate with the PC on any port or protocol with only the local application security to protect the device. As with the previous two chapters, viruses, worms, and Trojan horses are always present, making host protections, such as antivirus, essential. Also, if you've ever run a firewall on a home connection, you know that your IP addresses ... Identity spoofing is a common form of attack on teleworker PCs that have some resource shared with the network. Windows shares, a Secure Shell (SSH) daemon, and other accessible services frequently are attacked by using default or weak passwords in an attempt to gain access to the system. A deliberate attacker targeting a specific resource is likely to be much more diligent. Finally, war driving is an increasingly common attack now that many broadband-connected homes have 802.11 WLAN...

Enterprise Teleworker Module

The Enterprise Teleworker module provides people in geographically dispersed locations, such as home offices or hotels, with highly secure access to central-site applications and network services. The Enterprise Teleworker module supports a small office with one to several employees or the home office of a telecommuter. Telecommuters might also be mobile users: people who need access while traveling or who do not work at a fixed company site. Depending on the amount of use and the WAN services available, telecommuters working from home tend to use broadband or dialup services. Mobile users tend to access the company network using a broadband Internet service and the VPN client software on their laptops, or via an asynchronous dialup connection through the telephone company. Telecommuters working from home might also use a VPN tunnel gateway router for encrypted data and voice traffic to and from the company intranet. These solutions provide simple and safe access for teleworkers to the...

Connecting to an IP WAN

The previous chapters have focused on Voice over IP (VoIP) within the IP network at a single site. The gateway in such a setup would interconnect public switched telephone network (PSTN), PBX, and other plain old telephone service (POTS) endpoints with voice-enabled IP endpoints, such as IP phones. VoIP over the WAN has several applications, such as connecting multiple sites, allowing service providers to terminate long-distance and local voice calls, providing voice services to telecommuters, and so on.

Deploying Basic Security Services

Proper deployment of IOS security increases the utility and improves the stability of the network. Remote access security, for example, enables your network to reach mobile users and telecommuters securely, and services that guard against hacking attacks preserve the integrity of networking devices and increase the reliability of the network service. In the end, enhancing security increases the trust users have in the network and enables your organization to deploy applications over the network with greater confidence.

Cisco products enable a secure VPN

VPNs are typically deployed to provide improved access to corporate resources while providing tighter control over security at a reduced cost for WAN infrastructure services. Telecommuters, mobile users, remote offices, business partners, clients, and customers all benefit because corporations see VPNs as a secure and affordable method of opening access to corporate information. Surveys have shown that most corporations implementing VPNs do so to provide access for telecommuters to access the corporate network from home. They cite security and reduced cost as the primary reasons for choosing VPN technology and single out monthly service charges as the cost justification for the decision.

Integrating Insecure Elements into the Home Network

A hardware VPN client telecommuter presents a risk to the enterprise network because anyone who gains access to the local telecommuter network has full and unchecked access to the enterprise network. People who are not employees of the enterprise: A common situation in many telecommuter environments is that the Internet connection is shared with other members of the household. If these people or wireless components access or are connected to the same network as the telecommuter, they have complete access to the enterprise network and resources. In addition, all their traffic is routed via the enterprise. This traffic path is shown in Figure 4-4 as traffic from the Home Telecommuter Network. If the ISP providing Internet connectivity in Figure 4-4 uses Point-to-Point Protocol over Ethernet (PPPoE) to connect the telecommuter network to the Internet, the PPPoE tunnel must be terminated before, or on, the small switch/hub that is used to share the Internet connection. Normally, the PPPoE...

Client VPN Connectivity Model

The VPN software client design is a remote-access solution. In terms of client stack and corporate concentrator requirements, the telecommuter solution is indistinguishable from a WLAN hot-spot, remote-access solution. Implications of this connectivity model are as follows:

Quality of Service (QoS) / Voice over IP (VoIP) for VPN Software Client

The lack of effective QoS is not a major issue in a telecommuter environment for the following reasons: A telecommuter environment is unlikely to experience contention for the available 802.11 bandwidth due to the low number of concurrent wireless users (usually one, or a maximum of two). The telecommuter has control over the traffic on the WLAN. Critical traffic can be protected simply by not initiating other, less critical traffic at the same time. For example, a WLAN telecommuter might

Deploying Authentication Authorization and Accounting

Providing service to road warriors, telecommuters, and other remote users greatly extends the effective reach of the network. With the option to make the network available anytime from anywhere, organizations see opportunities for convenience, productivity, and cost savings. Some popular methods to reach a private network from the outside world include dialup modems over basic telephone service, telecommuter ISDN routers, cable modems or xDSL devices over the public Internet, wireless modems, and so on. These types of access methods can liberate new applications and new ways of doing business, but can also bring new challenges in securing a private service that is publicly accessible.

Why Should I Care About VPNs

A virtual private network (VPN) is a set of solutions and technologies designed to make secure (encrypted) site-to-site and remote-access connections over public networks. These connections provide low-cost alternatives to dedicated private WANs and allow telecommuters to connect to the corporate network via cable, DSL, or dialup. Compatibility with broadband technology: VPNs allow mobile workers, telecommuters, and day extenders to take advantage of high-speed broadband connectivity such as DSL and cable for corporate connectivity.

Determining How Many IP Addresses Are Required

To determine how many IP addresses are required in your network, you should consider the many different locations in your network that need addresses, including headquarters, branch and regional offices, telecommuters, and so forth. The number of devices in each location must be counted, including network devices such as routers, switches, and firewalls; workstations; IP phones; network management stations; servers; and so forth. For each of these devices, determine how many interfaces need to be addressed and whether private or public addresses will be used.

Utilizing Remote Connection Design

Remote connections link single users (mobile users and/or telecommuters) and branch offices to a local campus or the Internet. Typically, a remote site is a small site that has few users and therefore needs a smaller WAN connection. The remote requirements of an internetwork, however, usually involve a large number of remote single users or sites, which causes the aggregate WAN charge to be exaggerated.

Centralized Call Processing Model

The primary advantage of this model is the ability to centralize call processing. This reduces the equipment required at the remote branch, while eliminating the administration of multiple PBXs or key systems, which would have traditionally been used. Figure 7-1 shows that the IP WAN is backed up by an Integrated Services Digital Network (ISDN) connection, which can provide a redundant IP WAN path for call processing. This scheme is particularly attractive for small branch offices of less than 20 people and for telecommuters. Life-line services can be provided by dedicated POTS lines or cellular phones.

Demystifying 802.1x

802.1x is a public standard that defines port-based user authentication. 802.1x is also a mechanism for user identity and authentication over both wired and wireless network infrastructures. 802.1x is considered by many to be fairly complex, with several Extensible Authentication Protocol (EAP) types that define how authentication is implemented on the network. This chapter attempts to demystify 802.1x, provide an overview of Cisco Identity-Based Networking Services (IBNS) and machine authentication, and discuss how 802.1x can complement Network Admission Control (NAC). In this chapter, you also learn the basics of some of the most popular EAP types and how 802.1x can participate in an EzVPN network for telecommuting and remote branch offices.

Benefits of Cable Modem Services

Manufacturers can provide a wide range of services, available at the headend, which are based on modularity and service compatibility. The Cisco uBR7200 Series routers support cable telephony, streaming video, data services, VPN, telecommuting, and multiple dwelling units (high-speed integrated data, voice, and video services within apartment buildings and business complexes). Supported standards include all major standards such as Data-over-Cable Service Interface Specifications (DOCSIS) 1.0, EuroDOCSIS, and the upcoming DOCSIS 1.1 standard. Cable operators can choose the appropriate services and devices to optimize their capital investment with a single platform. A variety of radio frequency modem cards provide multiple downstream and upstream port densities over hybrid fiber-coaxial networks, and the fixed wireless card uses next-generation wireless technology to deliver the highest available data rates over obstructed links.

Using Cable to Connect to a Central Site

Chapter 2, Topologies for Teleworker Connectivity, discussed some of the options available for teleworker connectivity. Among these options is cable modem access. Heavy competition has been building in recent years among cable providers and telephone companies in the broadband services market. The companies offering these services are benefiting greatly from both the Internet generation's demand for high-speed access and the corporate move toward teleworker deployments. This chapter discusses, in more detail, the terminology, capabilities, and technologies surrounding cable access as a teleworker access methodology.

Using DSL to Connect to a Central Site

Chapter 2, Topologies for Teleworker Connectivity, discussed some of the options available for teleworker connectivity. Among these was digital subscriber line (DSL) access. Heavy competition has been building in recent years among telephone companies in the broadband services market. The companies offering these services are benefiting greatly from both the Internet generation's demand for high-speed access and the corporate move toward teleworker deployments. This chapter discusses, in more detail, the terminology, capabilities, and technologies surrounding DSL access as a teleworker access methodology.

Facilitating Remote Connections

In Chapter 1, the discussion centered, very briefly, on teleworker architectures. Now that you are familiar with some of the available options, it is an appropriate opportunity to explore the concept further. Throughout the discussions to follow, SONA will continue to guide the overall path of the subject matter. For in-depth details regarding the various available technologies and methodologies regarding teleworkers, Cisco has published the Business-Ready Teleworker SRND document, available at http://www.cisco.com/go/srnd. To the outside observer, it might be quite easy to settle on the idea that the role of the teleworker, as compared to an all-out campus architecture, is a detail scribbled in the margin down near the legend on a map of the way to some grandiose treasure. Interestingly enough, the plight of the teleworker has brought about a revolution in the way businesses operate and, obviously, in where they do that business.

Infrastructure Services

Once the access solution for the teleworker's basic connectivity has been addressed and a solution decided upon, you need to consider the choice of infrastructure services to be provided. This is not to be confused with the applications and services necessary for job performance. This discussion revolves around the architecture necessary to provide secure, reliable access to those applications and services. Typically, a router, such as a Cisco 800 series router, will be placed at the teleworker home. This router provides the necessary technologies for the connection back to the central site. The 800 series routers vary in technological capability. Therefore, some research into the proper model will be necessary. The Business-Ready Teleworker SRND contains much of this information. Security: Safeguards for the corporate network to prevent backdoor access to the central site network via a teleworker home network. This involves firewall, intrusion protection services (IPS), and web...

Choose Sensible Logging Levels

One of my favorite pet peeves in this area is teleworker firewall logging. I've often had discussions with customers who have felt that the management of firewall logs from teleworker systems is a huge impediment to their deployment. Of course, after discussing the issue further, I find out that they aren't properly managing the data for their primary firewalls either. There are enough things to worry about as a security professional without trying to devise solutions for the potentially hundreds of thousands of events a large teleworker deployment can generate each day. Better to spend those resources on an area of greater importance. Let your policies and risk analysis guide you here. Most teleworker firewalls, for example, are configured to allow anything out and nothing in. Logging the countless denies that will be generated by this configuration is pointless. However, if your CEO has a teleworker firewall and needs inbound connections for some business need, you probably want to...

Foundation Summary

Configuration of PPPoE is similar to most other LAN/WAN configurations in that it requires multiple, dependent pieces to be assembled. Only the most basic configuration parameters are discussed in this chapter. Options such as PPP authentication, VPN options, quality of service (QoS), network management, and security are all still on the to-do list with regard to teleworker solution deployments and can be found in detail in the Business-Ready Teleworker SRND found at http://www.cisco.com/go/srnd. A route to a gateway of last resort: In teleworker deployments, no routing protocol is necessary because there is typically only a single subnet. The static default route takes any traffic destined to nonlocal destinations and directs it to the aggregation router.

Configuring DSL Access with PPPoE

DSL access has become an overwhelmingly popular access methodology for homes and home offices. Along with this surge in popularity comes a host of additional possible application and service offerings. These applications and services may be provided by a service provider or offered by a corporation deploying a teleworker architecture.

Configure Static Default Route on a DSL Router

Because the teleworker home network is typically a stub network, there is no need to enable routing protocols to maintain connectivity. Doing so simply adds unneeded overhead to the router and WAN link. A static default route will suffice to send all nonlocal traffic to the next logical hop router and out to the Internet or enterprise network, as the case may be. Example 5-6 shows the configuration of the static default route.

Network Security Device Best Practices

Now that you've learned some of the trade-offs with different platform types, this section outlines best practices for use of the most common network security technology, including both deployment options and usage best practices. To keep things simple, the topology options are based on the assumption that you are trying to protect an Internet edge design. Location-specific designs are presented in Chapter 13, Edge Security Design; Chapter 14, Campus Security Design; and Chapter 15, Teleworker Security Design. This section talks about security technologies as isolated elements. Integrating the technologies into a security system is the subject of Part III, Secure Network Designs. The following network security technologies are covered:

MPLS VPN Technologies

Chapter 2 provided some brief discussion of Virtual Private Network (VPN) architecture with respect to connectivity options for teleworkers. Remote-access VPNs and IPsec VPNs were both discussed along with some key differences between the two. Among the items discussed was the fact that a remote-access VPN is an on-demand connection, whereas an IPsec VPN is an always-on connection. Each has its particular place in the bigger picture of the Intelligent Information Network (IIN). The Service-Oriented Network Architecture (SONA) framework encourages the offering of applications and services to all network users so that they may have the same network experience regardless of how they access the network. The Multiprotocol Label Switching (MPLS) VPN is another piece of the SONA framework that allows those applications and services to be offered to remote branch offices and small office/home office (SOHO) sites. With MPLS VPNs, two key pieces of the framework fall into place: the teleworker...

Cable Access Technologies

Cable access is among the fastest growing technologies for home access to multiple services via a common connection. One connection to the cable company carries the television signal and Internet traffic. Most cable carriers are now getting into the voice market as well by providing voice services with unlimited long distance and other traditional services over the cable connection. The addition of teleworker functionality is a natural extension of this already multiservice connection technology.

Remote Connection Options

The enterprise architecture framework, and therefore the Cisco SRND for teleworkers, emphasizes a few ideas for the overall solution. These ideas are the primary goals of the solution: defining safe boundaries within which the solution may be deployed (facilitated by proper expectation setting). That is, the solution must maintain the security standards of the corporation to avoid or mitigate exposure. The teleworker must agree to be bound by corporate security policies in the residential office. These goals are meant to allow the extension of integrated services to teleworker homes in a safe, secure manner while maintaining a comparable service level to that provided to campus-based employees. The overall goal is similar to that of the other architectures put forth by SONA, including protection, cost reduction, and scalable growth potential. Traditional Layer 2 connections such as Frame Relay and ATM are, most importantly, not (typically) available to residential premises. Also, the...

Cisco VPN Client Software

Simple to deploy and operate, the Cisco VPN Client allows organizations to establish end-to-end, encrypted VPN tunnels for secure connectivity for mobile employees or teleworkers. This thin-design IPsec implementation is compatible with all Cisco VPN products. The Cisco VPN Client supports Microsoft Windows 98, Me, NT 4.0, 2000, and XP; Linux (Intel); Solaris (UltraSPARC 32- and 64-bit); and Mac OS X 10.2, 10.3, and 10.4. The Cisco VPN Client is compatible with these Cisco products:

Foundation Topics

The Cisco Easy VPN solution simplifies the deployment of remote offices and teleworkers. Teleworkers, on the whole, represent one of the fastest growth areas of network users. The availability of high bandwidth at low cost is spurring a great deal of industry evolution. Along with this growth in remote connection requests comes a similar, if not greater, growth in security needs of the network.

Networked Infrastructure Layer

The SONA model reaches out across network geographies to pull all resources into a single, logical entity. The architecture includes specifications on the construction of all of these geographies, including the campus, branch, data center, WAN/MAN, and teleworkers. Each is addressed individually in the SONA model, as each is crucial to the creation of an IIN capable of providing a common user experience anytime, anywhere, and from any device.

Cable System Benefits

The more advanced capabilities offered by high-speed network access brought about a practice of placing equipment, including telephone switches and cable modem termination systems (CMTS), in a common facility so that services could be leveraged in a variety of manners. The resulting broadband Internet access offering presents corporations with cost-effective connectivity for teleworkers who connect back to a central site either through an IPsec VPN or a remote-access VPN. Additionally, interactive television content and Public Switched Telephone Network (PSTN) voice access for voice and fax calls allow cable providers to offer VoIP services.

Displaying the End Station Hostname in the Device Groups

The hostname of the end station must be associated with a device group. A hostname is automatically associated with a device group as indicated in the Cisco Security Agent kit. A hostname can also be added to additional device groups. The ability to associate a hostname, such as a Windows workstation name, with a device group enables common security policies to be deployed to different end stations, including Solaris Web Server, SAP Servers, teleworkers, and so on. For example, a Linux web server in New York City for business-to-business (B2B) can be part of the Linux device group, Web Server device group, New York City data center device group, and the B2B server device group.

Cisco PIX Firewall 501 Security Appliance

Designed for small offices and teleworkers, the PIX 501 Security Appliance measures only 1.0 x 6.25 x 5.5 inches and weighs only 0.75 pounds, yet it delivers enterprise-class security for small offices and teleworkers. Ideal for securing high-speed, always-on broadband environments, the PIX 501 Security Appliance delivers a multilayered defense for small office network environments through rich, integrated security services, including stateful inspection firewall services, advanced application and protocol inspection, site-to-site and remote-access VPNs, intrusion prevention, and robust multimedia and voice security, all in a single, integrated solution.

Mesh Versus Hierarchical Mesh Topologies

For small and medium-sized companies, the hierarchical model is often implemented as a hub-and-spoke topology with little or no meshing. Corporate headquarters or a data center form the hub. Links to remote offices and telecommuters' homes form the spokes as shown in Figure 5-5.

Configuring Basic Security

The enterprise also has a VPN concentrator that allows remote workers or small remote branch offices to connect through a firewall. Tunneling authenticated virtual private network (VPN) streams from teleworkers through a firewall requires a simple firewall configuration and is highly secure.

ISR Overview and Providing Secure Administrative Access

The Cisco 800 series of ISRs is designed for teleworkers and small-office environments. These routers can connect to the Internet via a cable modem or DSL modem connection and offer secure connections over the Internet. Table 3-3 contrasts some of the features available in the Cisco 850 and 870 series of ISRs.

Secure Networking Over the Internet

Virtual private networks (VPN) allow corporations to replace their dedicated private networks (such as Frame Relay, ATM, and leased line) with virtually private networks. This means that their data traverses public IP networks but is secure because of authentication and encryption. Because of the Internet and service provider IP networks, networks of equivalent bandwidth end up being cheaper than dedicated services. With the availability of Internet connectivity, VPNs allow users to access their corporate networks securely from homes, hotels, businesses, and other public locations. VPNs also provide the ability to work from home, creating telecommuters. For example, call-center employees can answer phones from home, using IP phones and contact center applications such as Cisco IP Contact Center.

Remote access: Individual users gain access to the corporate network either over a dialup or a broadband network. Also called teleworker.

Enterprise Branch Module

Connectivity to corporate intranets, telecommuting capabilities for work-at-home employees, videoconferencing, and economical PSTN-quality voice and fax calls over managed IP networks. The Enterprise Branch module typically uses a simplified version of the Campus Infrastructure module design.

Do I Know This Already? Quiz

Challenges of Connecting Teleworkers

1. The guidelines for deploying a teleworker solution are part of the SONA vision and defined in detail by which of the following?

2. The teleworker architecture is defined in which layer of the SONA framework?

3. Which of the following are goals for the teleworker architecture?

4. Which remote connectivity option is the most viable for teleworker connections?

7. Among the components typically deployed for a campus to support teleworkers is which of the following?

8. Among the components typically deployed for a teleworker solution are which of the following?

Protecting Against Eavesdropping Attacks

A good way to protect your voice traffic in untrusted environments is by the use of the voice- and video-enabled VPN (V3PN) solution. V3PN provides secure site-to-site connectivity to transport voice, video, and data. With V3PN, you can enable remote branch offices and teleworkers to use IP telephony services while reducing business operations costs.

Packet Telephony Call Centers

Circuit-Switching Call Centers (CSCCs) enable users to work from home and still take calls, but this equipment is expensive. With PTCCs, users can log in to a phone no matter where they are and have access to the exact same features as if they were at their desk, and the costs are much lower. In a packet telephony infrastructure, you can have a group of distributed virtual agents that you can locate anywhere, and you can still offer them the same tools that a traditional call center offers. Figure 6-1 shows ways you can use a common IP infrastructure to unite various methods, and it showcases one possibility of telecommuters as virtual agents.

Regional call-center talent: Having skilled workers come into a brick-and-mortar facility can lower the number of possible workers in the pool of talent. Telecommuting, so that regional workers can work within any geography in a specific time zone, increases the number of workers in the available pool. Although Figure 6-2 shows how a CSCC is...

Clusters for Multisite WAN with Centralized Call Processing

As stated earlier, Cisco CallManagers within a cluster must be interconnected over a local area network. Cisco CallManager also provides locations-based call admission control that enables provisioning of small branch and telecommuter solutions where remote call processing is acceptable. Figure 3-9 illustrates this model.

Describing Network Requirements

Cisco Hierarchical Network Model
Campus Network Architecture
Branch Network Architecture
Data Center Architecture
Enterprise Edge Architecture
Teleworker Architecture
WAN/MAN Architecture
Remote Connection Requirements in a Converged Network
Central Site
Branch Office
SOHO Site

Enhanced Firewall System Design

It is used to provide encrypted connections for the remote office connection (from the remote office firewall to the concentrator), as well as to terminate remote-access user connections from telecommuters and SOHO users. Notice that an IDS sensor behind the VPN concentrator is examining the unencrypted traffic. This is placed here just in case one of the remote-access users or the remote office becomes compromised: the IDS can view the unencrypted traffic to detect network threats, which the IDS device connected between the perimeter router and the Internet firewall cannot, because the traffic is still encrypted at that point.

Example Enterprise Network

Remote sites typically connect to the central site and also sometimes connect to some other remote sites. Telecommuters may also require access to remote sites.

Redundancy: In internetworking, duplicate devices, services, or connections can perform the work of the original devices, services, or connections in the event of a failure. Branch offices typically require more redundancy than SOHO offices or mobile teleworkers.

Evolution of the North American Digital Hierarchy

About a year later, with your company growing rapidly, you decided that it was time to get a combination of T1 and Fractional T1 (FT1) circuits to accommodate the increased demand. Your applications now include Internet Web and FTP services, video conferencing, and telecommuting for your employees. You are adding more and more T1 circuits to keep up with your explosive growth. The costs are adding up quickly, and you need to find a way to eliminate this growing problem. You decide to investigate the costs of a T3 circuit from your service provider.

Hybrid Fiber Coaxial Networks

The movement of the cable system infrastructure to the HFC network architecture is essentially the catalyst that allowed for more advanced services to be offered. Initially, this was limited to data over cable but has evolved significantly and will continue to do so. DOCSIS 3.0 and Cisco's Wideband channel bonding technology will push the services and applications offerings forward at an unimaginable pace. This, coupled with the integrated services and applications afforded to the teleworker by Service-Oriented Network Architecture (SONA), will reinvent the way in which we work, live, play, and learn. In the same manner that SONA provides the framework for enterprise evolution to an Intelligent Information Network (IIN), the service provider market has an IP-Next Generation Network (IP-NGN) architecture providing a path to a similar destination. Once both the enterprise and the service providers begin to reach the true IIN state, the goal of one experience regardless of locale or...

Changes in Enterprise Networks

Enterprise networks at many corporations have been undergoing major changes. The value of making vast amounts of data available to employees, customers, and business partners has been recognized. Corporate employees, field employees, contract employees, and telecommuters need access to sales, marketing, engineering, and financial data, regardless of whether the data is stored on centralized or distributed servers or mainframes. Suppliers, vendors, and customers also need access to many types of data. In the last few years, networks have become more interconnected and complex, which can make meeting goals for network resiliency more difficult. Many enterprise networks are linked to telecommuter home networks, branch-office networks, extranets that offer access to business partners and customers, and the Internet. The diversity and quantity of portals into the enterprise network pose many security and stability risks. On the other hand, geographical diversity of mission-critical...

Access Point Hardening

Like most devices on the network, access points (APs) must be hardened. Out of the box, they typically ship with no security features enabled. An unauthorized deployment of an AP in an organization can eliminate the validity of any security control that assumes an attacker must have physical access to the network. This is particularly troubling for teleworker home deployments, because a teleworker who purchases an AP from a consumer electronics store will never enable its security features. If such an AP is present at that teleworker location, outsiders will be able to access the central site over the VPN. In addition to the general hardening considerations identified in Chapter 5, the following considerations are AP specific:

Cisco 700 Series Access Routers

The Cisco 700 series is the next generation of low-cost and easy-to-manage multiprotocol ISDN access routers. These devices provide small professional offices, home offices, and telecommuters with high-speed remote access to enterprise networks and the Internet. Table E-4 lists the products in the 700 series.

IOS-700, a suite of software features targeted at small office, home office (SOHO), and telecommuting users

Internet or main office LAN access for telecommuters or home offices

The Need for Network Security

There are many reasons for the increasing threat to networks. One reason is the ubiquity of the Internet. As more and more companies and households go online, the number of vulnerable systems available to an attacker grows at an incredible pace. Furthermore, this same ubiquity of the Internet facilitates the exchange of knowledge and experience on a global scale. In the past, networks were designed to provide connectivity only to known parties, such as business partners and authorized clients, and the closed network was not necessarily connected to the public Internet. This is no longer the case. Today's open networks require connectivity to the Internet for e-commerce and telecommuting needs.

SAFE Modules Overview

The SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks (SAFE SMR) blueprint was written approximately one year after the successful release of SAFE: A Security Blueprint for Enterprise Networks (SAFE Enterprise). The SAFE SMR blueprint provides best-practice information about designing and securing networks that are of a smaller scale than that described in the original SAFE Enterprise white paper. SAFE SMR uses the same principles as the original SAFE Enterprise white paper and scales them appropriately for smaller networks. These smaller networks can be branches of larger, enterprise networks or standalone small to medium-sized deployments. SAFE SMR also covers other deployment designs, such as telecommuters and mobile workers.

SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks

The white paper SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks extends the principles discussed in the SAFE Enterprise white paper and sizes them appropriately for smaller networks. These smaller networks include branches of larger enterprise networks as well as standalone and small to medium-sized network deployments. The design also covers the telecommuter and the mobile worker.

Corporate Internet Module in Small Networks

The Corporate Internet module provides internal users connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity.

Corporate Internet Module in Medium Sized Networks

The Corporate Internet module provides internal users with connectivity to Internet services and provides Internet users access to information on the corporate public servers. This module also provides remote access for remote locations and telecommuters through the use of VPN connectivity as well as traffic from traditional dial-in users.

Configuring PPP and Controlling Network Access

The growing need of corporations to include dial-up access to network resources for remote users has created a high demand for point-to-point technologies. Telecommuting personnel require access to network devices and information that looks and feels as it would at the office (albeit at slower access rates). PPP and its options enable this type of access to become a reality. The capabilities of PPP give it the versatility to remain flexible, yet viable, in many situations.

Configuring a Cisco 700 Series Router

The 700 series router was purchased by Cisco from Combinet in 1997. The purchase gave Cisco an ISDN product uniquely suited to the telecommuter and SOHO market. The 700 series provides single Basic Rate Interface (BRI) connectivity and an Ethernet interface for a LAN connection. The 700 series router is compatible with the full Cisco router product line; however, it does not use the same command-line structure for configuration. For those who are familiar with the IOS command set, the 700 series command language can be less than intuitive. It is important, however, for the successful CCNP candidate to become familiar with the basic concepts of the 700 configuration and the target market. The target market for this product is the telecommuter, the small office, and the home office environment.

Circuit Switching Links ISDN

Integrated Services Digital Network (ISDN) is used by telephone companies to carry digitized voice and data over the existing telephone system. ISDN has emerged as one of the leading technologies for telecommuting and remote office connection into the corporate headquarters.

Small Office and Home Wireless LANs

With a wireless LAN, employees can bring laptops home from work and continue working just as they do from their offices. For many professions, this makes it possible for people to work from home more effectively, whether it is to spend a few more hours researching information on the Internet or to enable telecommuting on a daily basis.

Foundation Topics WAN Design Considerations

With today's globalization of businesses, the WAN is proving to be an essential component of the network design. These changes in businesses include the growth of remote offices, increased numbers of telecommuters, and a growing business reliance on the Internet. These areas can be categorized into remote access networks and WAN access in the enterprise network. Unlike remote access, WAN technology is the more broad term that encompasses technology used to provide remote access to the telecommuter and WAN access for an entire company. Enterprise WAN connections can vary in speed from 56 Kbps to 2.488 Gbps. Enterprise WAN technology has a broad spectrum of technologies, equipment, and services that can be implemented, such as Frame Relay, ATM, SONET, modems, routers, switches, and Quality of Service (QoS), all of which are covered in this chapter.

Cisco High Performance LAN Solutions

Traditional hub-centric LANs can no longer support the bandwidth needed for companies to conduct business. Small- and medium-sized businesses often connect remote or branch offices, mobile users, and telecommuters. Internet usage to support marketing and commerce applications also places demand on LANs once isolated from the rest of the world.

Cisco Business Solutions

Telecommuting can reduce office costs, increase employee productivity, and improve morale and job satisfaction while enhancing a company's capability to recruit top talent in a competitive job market. By employing innovative remote user solutions, growing businesses can provide their field employees with remote access to e-mail, network resources, and up-to-date pricing, product, and inventory information. The result is dramatically improved customer service.

Cisco AS5x00 Universal Access Server Series

The AS5x00 series products are high-performance, medium- to high-density universal access servers that deliver hybrid asynchronous serial and ISDN line service to accommodate both mobile users and high-bandwidth dedicated telecommuters. By terminating both analog modem and ISDN calls on the same chassis from the same trunk line, the AS5x00 enables ISPs and enterprise network managers to meet traditional analog dial access needs while supporting the growing demand for high-speed ISDN access. The AS5x00 contains the functionality of CSUs, channel banks, communication servers, switches, routers, ISDN capabilities, and up to 120 56K digital modems tightly integrated in one standalone chassis, making it ideal for mixed-media environments. The AS5x00 does the following

Cisco Access Router and Access Server Summarization

Telecommuter, Small Office, and Home Office Dialup Access Routers

Universal access server for mobile, telecommuter, and branch office access

High-density universal access server for mobile, telecommuter, and branch office access

Explain the Relationship Between Communication and Troubleshooting

Good communication skills enhance a technician's troubleshooting skills. Both of these skill sets take time and experience to develop. As your hardware, software, and operating system knowledge increases, your ability to quickly determine a problem and find a solution will improve. The same principle applies to developing communication skills. The more you practice good communication skills, the more effective you will become when working with customers. A knowledgeable technician who uses good communication skills will always be in demand in the job market.

The Future of Cable IP Networks

At the time of this writing the rollout of added services such as VoIP, telecommuting services, and tiered data rates is increasing. Most large MSOs are anticipating the wide-scale deployment of VoIP in the near term. Trials are ongoing in numerous cities. Telecommuter services are offered in many locations, too. However, challenges remain for the MSOs to streamline service offerings, develop effective management and provisioning systems, scale their networks, implement appropriate QoS, and build supporting business models. It appears that added services on the cable IP network will be a common part of broadband access in the future.

Remote Access Network Design

When you're designing remote-access networks for teleworkers and traveling employees, the type of connection drives the technology selection, such as whether to choose a data link or a network layer connection. By analyzing the application requirements and service provider offerings, you can choose the most suitable of a wide range of remote-access technologies. Typical remote-access requirements include the following:

Remote access to the Enterprise Edge network is typically provided over permanent connections for remote teleworkers through a dedicated circuit or a provisioned service, or on-demand connections for traveling workers.

Virtual Private Networking

Virtual private networks (VPNs) use advanced encryption and tunneling to permit organizations to establish secure, end-to-end, private network connections over a third-party network. The third-party network can be a private service provider network or the public Internet. An organization can connect to the third-party network using a variety of WAN and remote-access technologies, including leased lines, Frame Relay, cable modems, digital subscriber line (DSL), analog modems, ISDN, and so on. Organizations can also use VPNs to connect outside users, such as business partners, customers, resellers, and suppliers. VPNs also support mobile users and telecommuters.

Selecting Remote Access Devices for an Enterprise Network Design

The previous sections discussed remote-access technologies. This section covers selecting devices to implement those technologies. Selecting remote-access devices for an enterprise network design involves choosing devices for remote users and for a central site. Remote users include telecommuters, users in remote offices, and mobile users. The central site could be the corporate headquarters of a company, the core network of a university that has branch campuses, a medical facility that connects doctors' offices, and so on.

Selecting Devices for Remote Users

Telecommuters and mobile users who access the central-site network for fewer than 2 hours per day can use an analog modem. Most laptop and desktop computers ship with a built-in analog modem. When selecting computers for remote users who will use modems, research the performance and functionality of the built-in modem. Some modems are notoriously unreliable, especially when connecting to modems of a different brand or connecting to certain types of services. Read articles in trade magazines and on the web to ensure that you select reliable modems with few interoperability problems, high throughput, low latency, and support for advanced features, such as compression and error correction.

Guidelines for Creating an Enterprise Network

When creating an Enterprise network, divide the network into appropriate areas, where the Enterprise Campus includes all devices and connections within the main Campus location; the Enterprise Edge covers all communications with remote locations and the Internet from the perspective of the Enterprise Campus; and the remote modules include the remote branches, teleworkers, and the remote data center. Define clear boundaries between each of the areas.

Remote Access Technologies

As organizations have become more mobile and geographically dispersed, remote-access technologies have become an important ingredient of many enterprise network designs. Enterprises use remote-access technologies to provide network access to telecommuters, employees in remote offices, and mobile workers who travel. An analysis of the location of user communities and their applications should form the basis of your remote-access design. It is important to recognize the location and number of full- and part-time telecommuters, the extent that mobile users access the network, and the location and scope of remote offices. Remote offices include branch offices, sales offices, manufacturing sites, warehouses, retail stores, regional banks in the financial industry, and regional doctors' offices in the health-care industry. Remote offices are also sometimes located at a business partner's site (for example, a vendor or supplier). Part-time telecommuters and mobile users who access the network...

Integrated Services Digital Network

ISDN offers a cost-effective, remote-access solution for telecommuters and remote offices that require higher transmission speeds and quicker connection establishment than analog dialup links can offer. ISDN is also a good choice as a backup link for another type of link (for example, a Frame Relay link). Telecommuters and remote offices typically use a device that supports BRI (for example, an ISDN BRI router). A central site, such as headquarters for a company, can use a PRI device to connect multiple telecommuters and remote offices. PRI offers an elegant solution for connecting many small sites because it requires only one physical connection to support 23 (or 30) channels.

Identity Considerations

Identity considerations for teleworker systems have to do with two primary elements. The first is establishing the identity of the operator of the teleworker system. The second is establishing the identity of the teleworker system to the organization's main network. The former is a user identity function traditionally composed of a username and password on the local PC. The latter is most often also user based, but as you will see in the designs presented, it is sometimes device based. User-based identity for VPN access should almost always be based on a one-time password (OTP) checked before VPN establishment. In both cases (Figure 15-2), the security of the communications is affected by the surrounding network, but this is particularly true for device-based identity when using a dedicated hardware VPN device (much like a small, site-to-site VPN branch).

Figure 15-2. Software Versus Hardware Teleworker VPN Options

As you can...

WAN Connection Modules

The Enterprise Edge can have multiple WAN interconnections. Common connectivity modules include, but are not limited to, the Internet, the demilitarized zone (DMZ), and the WAN. Internet service providers (ISPs) offer many connectivity options for the Internet and DMZ modules of the Enterprise Edge. Internal WAN connectivity between an organization's headquarters and remote sites generally is across a service provider or carrier network. PSTN connectivity still exists for teleworkers and, more recently, because of the increasing use of VoIP off-net services.

Applied Knowledge Questions

The following questions are designed to test your knowledge of teleworker secure network design and sometimes build on knowledge found elsewhere in the book. You might find that a question has more than one possible answer. The answers provided in Appendix B are intended to reinforce concepts that you can apply in your own networking environment.

5. Based on your understanding of this chapter, which teleworker design is most appropriate for your organization?

7. Look back over the teleworker-tuned threats in Table 15-1. Find at least one place where you disagree with my selections. Would it change anything about the teleworker design you might use?

Tunnel Group Switching

To enable Tunnel Group Switching, you must enable Strip Group processing using the strip-group command from tunnel-group general-attributes mode. When enabled, the security appliance selects the tunnel group for user connections by obtaining the group name from the username presented by the VPN client. The security appliance then sends only the user part of the username for authorization and authentication. Otherwise (if disabled), the security appliance sends the entire username, including the realm. In the following example, Strip Group processing is enabled for the tunnel-group telecommuters:

asa1(config)# tunnel-group telecommuters general-attributes

Provisioning of Enterprise Remote Access Services

A key function of IT planning and design includes provisioning of remote-access services for employees. Remote work is defined as work conducted away from corporate facilities. The provisioning activities described in this section support remote workers in a home office (telecommuting), as opposed to another type of virtual office (for example, a satellite or hotel office), instead of commuting to a corporate facility. Cisco's internal remote-access offering has changed over the last couple of years; however, the following information describes the processes that Cisco used to provision services for Frame Relay, ISDN, DSL, and VPN. Frame Relay circuits were usually provisioned for full-time telecommuters, who have no office space and work entirely from home. The full-time usage could usually justify the high monthly service charge, and was more cost effective than a usage-based solution. In some cases, the employee's unique business requirements limited the remote-access solution to a...

MMP Sample Implementation

In the sample implementation shown in Example 10-25, you need a solution for a company with thousands of telecommuters across the U.S. who want to connect to the corporate network through an ISDN BRI from each of their homes. You are going to use two 7200 routers (7200-isdn-a and 7200-isdn-b) to terminate the ISDN calls with no offload server.

Troubleshooting ISDN Connections

ISDN applications include high-speed image applications (such as Group IV facsimile), additional telephone lines in homes to serve the telecommuting industry, high-speed file transfer, and video conferencing. Voice, of course, will also be a popular application for ISDN.

Group Mapping by External User Database

You can map an external database to an ACS group. Unknown users who authenticate by using the specified database automatically belong to, and inherit the authorizations of, that group. For example, you could configure ACS so that all unknown users who authenticate against a certain token server database belong to a group called Telecommuters. You could then assign a group setup that is appropriate for users who are working away from home, such as Max Sessions = 1. Or you could configure restricted hours for other groups but give unrestricted access to Telecommuters group members.

Benefits of Analog Dialup Services

Today, the dialup solution is the most common solution for remote users, road warriors traveling on business, and home teleworkers. Dialup technology does not require any changes to the CPE side, even if the remote user is using a 56-kbps modem. Plenty of tools exist, including web tools, which are offered by manufacturers to measure the maximum connection speed in any particular location.

Cisco Easy VPN Server

In addition, a Cisco Easy VPN Server-enabled device can terminate IPsec tunnels initiated by mobile remote workers running VPN client software on PCs. This flexibility makes it possible for mobile and remote workers, such as salespeople on the road or telecommuters, to access their headquarters intranet, where critical data and applications exist.

Connection-Oriented VPNs

Access VPNs are circuit-switched, connection-oriented VPNs that provide a temporary secure connection for remote access between individuals (mobile users or telecommuters) and a corporate intranet or extranet over a shared service provider network, with the same policies as a private network. Access VPNs use dial access into an ISP point of presence (PoP), with transport over the public Internet and ultimate access into a corporate intranet.

SSL VPN Tunnel Client

Traditional clientless web access and port-forwarding access do not satisfy the needs of power users and telecommuters who run VPNs on corporate-owned machines and like to have full access to the corporate resources. The IPsec VPN is a better fit to provide full network-layer access to the VPN users. Organizations that already have a remote access IPsec VPN can use the existing VPN solution to provide network-layer access and clientless SSL VPN for application-level VPN access. Today, most SSL VPN solutions also provide a tunnel client option for companies that have a greenfield remote access VPN deployment.

Securing Dial-In Access

This chapter examines how to secure the dial-in connections coming into the corporate network. Often, corporate networks encompass both privately connected dial-in infrastructures (direct dial-in) and public data infrastructures (virtual dial-in) from Internet service providers (ISPs) to deliver remote access to corporate users. Dial-in access for a corporate network usually includes access between corporate branches located in different geographic regions, telecommuters, and mobile users. The direct dial-in access can be by way of public switched telephone networks (PSTN): for example, modem lines, frame relay, ATM, T1/T3 circuits, or ISDN. A sample dial-in environment is shown in Figure 10-1; notice that there are branch offices connected with T1 lines, mobile users dialing in with modems, and telecommuters dialing in using ISDN BRI.

Additional Considerations

Disgruntled employee problems are the hardest for corporate management to handle in this litigious age, because so many lawyers will take the flimsiest employee termination case on contingency in hopes of obtaining a tidy out-of-court settlement from the company. Companies know that it costs more to fight the suit in court than to pay the malcontent $25K to go away, so the majority of companies will pay some sum of money to get rid of a problem employee who makes a legal threat. Sadly, the disgruntled employee is then loose on the job market again, without the public record of a court case for future employers to find in any background check.