ICT Standards and Guidelines

Segment 103


Telecommunications
Main Document

(Version 2.0)

Disclaimer
The Office of the Minister of State for Administrative Reform (OMSAR) provides the contents of the ICT Standards and Guidelines documents, including any component or part thereof, submission, segment, form or specification, on an 'as-is' basis without additional representation or warranty, either expressed or implied. OMSAR does not accept responsibility and will not be liable for any use or misuse, decision, modification, conduct, procurement or any other activity of any nature whatsoever undertaken by any individual, party or entity in relation to or in reliance upon the ICT Standards and Guidelines or any part thereof. Use of or reliance upon the ICT Standards and Guidelines is, will be and will remain the responsibility of the using or relying individual, party or entity.
The ICT Standards and Guidelines are works in progress and are constantly being updated. The documentation should be revisited regularly to have access to the most recent versions.
The last date of update for this document was June 2003.

Table of Contents - Telecommunications




1.0 Executive Summary for Telecommunications

2.0 The Background of Telecommunications

2.1 The Scope of Telecommunications

2.2 The Benefits of Standardization

2.3 Policies to Follow for Telecommunications

2.4 Risks Resulting from the Standardization Activities

2.5 Related Documents

2.6 How to Use This Document?

2.7 Related Terms and Acronyms

2.8 Related Segments and Cross References

2.9 Related International Standards

2.10 All Segments in the ICT Standards and Guidelines

3.0 WAN Technologies

3.1 Dial up Analog Connections

3.1.1 Requirements

3.1.2 When to Use Dial up Analog Connections

3.2 ISDN

3.2.1 Basic Rate Interface (BRI)

3.2.2 Primary Rate Interface (PRI)

3.2.3 ISDN Requirements

3.2.4 When to Use ISDN

3.3 Frame Relay

3.3.1 Frame Relay Requirements

3.3.2 When to Use Frame Relay

3.4 Digital Carrier System - T1

3.4.1 T1 Requirements

3.4.2 When to Use T1

3.5 E1

3.5.1 E1 Requirements

3.5.2 When to Use E1

4.0 WAN Devices and Equipment

4.1 Modems

4.2 ISDN Terminal Adapter

4.3 ISDN Router

4.4 Frame Relay Capable Router

4.5 DSU and CSU Devices

4.6 Firewalls

5.0 Virtual Private Networks

5.1 Roadmap for Implementing a VPN Solution

5.2 Step 1: Determine Networking Connectivity + Access Requirements

5.3 Step 2: Choose Product(s) or a Service Provider

5.4 Step 3: Test It Out

5.5 Step 4: Design and Implement the Network Design

5.6 Step 5: Monitor and Manage the VPN

5.7 Step 6: Upgrade and Migrate

6.0 Appendix A – OGERO Rates

Figures - Telecommunications


Figure 1: A typical WAN connection

Figure 2: Summary of WAN Technologies

Figure 3: Roadmap to Determine a WAN Technology

Figure 4: Modem Characteristics

Figure 5: ISDN Terminal Adapter Technical Specifications

Figure 6: ISDN Router Technical Specifications

Figure 7: Routers

Figure 8: DSU/CSU Technical Specifications

Figure 9: Firewalls

Figure 10: Roadmap to Implementing a VPN Solution


1.0 Executive Summary for Telecommunications

The objective of this segment is to present guidelines that can be used during the acquisition, installation and maintenance of Wide Area Networks and Telecommunications equipment.


With many solutions to choose from, selecting the most suitable approach has proved difficult: many protocols, technologies, standards and vendors are involved. This segment provides guidelines to help an ICT manager through the decision process, in particular when preparing a Request for Proposal (RFP).
Telecommunications services are usually provided by the Government and regulated so that only a few providers may offer them. The choice of vendor is therefore restricted.
This segment covers the following areas:


  • WAN Technologies: Examines different available WAN technologies and discusses the requirements for each technology and when to use it.




  • WAN Devices and Equipment: Describes the Telecommunications materiel needed to implement WAN solutions.




  • Virtual Private Networks: Examines VPN as a means of providing security to the WAN and draws a roadmap of implementation.

A separate and comprehensive segment covers Local Area Networks (LAN). It can be downloaded from OMSAR’s website on ICT Standards and Guidelines at www.omsar.gov.lb/ICTSG/NW.



2.0 The Background of Telecommunications

This segment is concerned with Telecommunications and related technologies. Telecommunication is the science and practice of information transmission. A wide variety of information can be transferred through a telecommunications system, including voice and music, still-frame and full-motion pictures, computer files and applications and telegraphic data.


The objective of this segment is to present and discuss guidelines that can be used during the acquisition, installation and maintenance of Telecommunications systems.
It helps provide cost effective networking and telecommunications services to connect Ministries and Agencies that need to transmit data, voice and video to conduct the business of the government.


2.1 The Scope of Telecommunications

This document is applicable to Ministries and Agencies which already use or have the need to use wide area networking and telecommunications. These Ministries and Agencies are encouraged to consider and use this document in the following situations:




  • Tendering and acquiring Wide Area Networks and related Telecommunications materiel.

  • Maintaining and running networks.

  • Upgrading networks to stay current with newer technologies or based on new Telecommunications requirements.

The scope of Telecommunications covered in this segment is limited to:




  • Wide Area Network (WAN) Technologies

  • Analog Dial up

  • ISDN

  • Frame Relay

  • T1

  • E1

  • Networking Devices & Equipment

  • Modems

  • Bridges, Routers & Gateways

  • DSU/CSU

This segment will not discuss the following, as these are either not available in Lebanon or outside the scope of Telecommunications for Information Processing:




  • Wide Area Network (WAN) Technologies

  • Cable Modems

  • Microwaves and Satellites

  • Wireless

  • ATM

  • DSL




  • Voice Communications & Telephony (PSTN, PABX, CTI, Call Centers, IVR, ACD, IP Telephony & VoIP and Wireless Communications & Cellular)




  • Video Conferencing




  • Other Networking Devices & Equipment

  • File & Print Servers

  • Network Interface Adapters

  • Hubs & Repeaters

  • Switches




  • Network Software & Utilities


2.2 The Benefits of Standardization

The benefits of standardization are:




  • To ensure clear statement of high level, government wide directives concerning networking and telecommunications.

  • To ensure coordination of networking and telecommunications related standards across branches of government.

  • To assist Ministries and Agencies in the development, maintenance and administration of networking and telecommunications services.

  • To ease the tasks of support personnel.

  • To use the appropriate telecommunication solution. Adopting the wrong solution may have very costly consequences because telecommunications costs are high.

  • To save costs by buying in bulk for the Ministry or Agency and its branches, or by applying the same solution to one or more Ministries or Agencies.

  • To identify the equipment needed and the issues at hand before engaging in deploying a telecommunications solution.

  • To reduce product cycle time.

  • To develop network plans that are reusable and sustainable.


2.3 Policies to Follow for Telecommunications

The following policies are to be followed:




  • Telecommunications acquisitions should follow the guidelines stated in this document so that the minimum requirements for tendered equipment are observed.

  • It is important to ensure that acquisitions are in line with strategic goals and objectives of the Ministry or Agency.

  • Public and private network infrastructure requirements must be an integral part of building design, leasing, construction and renovation and should be appropriately scheduled to ensure service availability. This practice will help Ministries and Agencies to avoid time delays and future inflated expenses in obtaining needed telecommunications and networking infrastructure.


2.4 Risks Resulting from the Standardization Activities





  • Telecommunications costs are high, so one of the key risks in implementing telecommunications is adopting the wrong solution.

  • Relying on the Standards and Guidelines alone and not exploring the limits of the solution under examination.

  • Neglecting to develop documentation specific to the Ministry or Agency for the telecommunication solution applied there.

  • Telecommunications links are exposed to interception and tampering. Where the information sent or received is sensitive, the necessary security policies (authentication, encryption and integrity protection of the data in transit) must be adopted to cover this risk. (Refer to the Information Integrity and Security segment, which can be downloaded from OMSAR’s website on ICT Standards and Guidelines at www.omsar.gov.lb/ICTSG/SC).


2.5 Related Documents

There are no related documents to this segment.




2.6 How to Use This Document?

The reader should step through the following main sections of the document:




  • WAN Technologies: Section 3

  • WAN Devices and Equipment: Section 4

  • Virtual Private Networks: Section 5

Refer to the segment on Networks for further discussion of local area networks and related equipment. That segment can be downloaded from OMSAR’s website on ICT Standards and Guidelines at www.omsar.gov.lb/ICTSG/NW.




2.7 Related Terms and Acronyms



ATM: (Asynchronous Transfer Mode) A networking technology that contains a flexible multiplexing and switching technique which provides variable bandwidth for local-area and wide-area networks. Unlike ordinary synchronous configurations, ATM permits flexible allocation of available bandwidth for data, voice, images and video. ATM uses a scalable architecture, making it easily upgradeable; it allows a virtually unlimited number of users to have dedicated, high speed connections with high-performance network servers.
CSU/DSU: Short for Channel Service Unit / Data Service Unit. The CSU terminates the carrier's digital line and performs protective and diagnostic functions for it (line protection and loopback testing). The DSU converts between the line's signal format and the serial data interface of the router or terminal. The two are typically packaged as a single unit, which can be thought of as the digital-line equivalent of a modem. One is required at each end of a T1 or E1 connection, and the units at both ends must be configured to the same line settings (framing, line coding and clocking).
E1: The European format for digital transmission. It carries signals at 2.048 Mbps (32 channels at 64 Kbps, with 2 channels reserved for framing and signaling), versus the T1, which carries signals at 1.544 Mbps (24 channels at 64 Kbps). E1 and T1 lines may be interconnected for international use.
Extranet: Refers to an intranet that is partially accessible to authorized outsiders. Whereas an intranet resides behind a firewall and is accessible only to people who are members of the same company or organization, an extranet provides various levels of accessibility to outsiders. You can access an extranet only if you have a valid username and password and your identity determines which parts of the extranet you can view. Extranets are becoming a very popular means for business partners to exchange information.
Internet Protocol (IP): A communications protocol which plays a significant role in the routing of packets of data from one node on the internet to another. IPv4 routes each packet based on a 32 bit destination address called an IP address (e.g., 123.122.211.111).


Intranet: A network based on TCP/IP protocols (an internet) belonging to an organization, usually a corporation, accessible only by the organization's members, employees or others with authorization. An intranet's Websites look and act just like any other Websites, but the firewall surrounding an intranet fends off unauthorized access. Like the Internet itself, intranets are used to share information. Secure intranets are now the fastest-growing segment of the Internet because they are much less expensive to build and manage than private networks based on proprietary protocols.
ISP: (Internet Service Provider). This is a company that provides access to the Internet. For a monthly fee, the service provider offers a software package, username, password and access phone number. Equipped with a modem, the customer can then log on to the Internet and browse the World Wide Web and USENET and send and receive e-mail. In addition to serving individuals, ISPs also serve large companies, providing a direct connection from the company's networks to the Internet. ISPs themselves are connected to one another through Network Access Points (NAPs).
IPv4: An IPv4 address is four bytes (32 bits), written as four decimal numbers from 0 to 255 separated by dots, e.g. 192.0.2.1.


IPv6: An IPv6 address is sixteen bytes (128 bits), written as eight groups of hexadecimal digits separated by colons, e.g. 2001:db8::1 (a run of all-zero groups may be abbreviated as ::).
ISDN: (Integrated Services Digital Network). This is an international communications standard for sending voice, video and data over digital telephone lines or normal telephone wires. Each ISDN B channel supports a data transfer rate of 64 Kbps (64,000 bits per second).

There are two types of ISDN:




  • ISDN - Basic Rate Interface (BRI): consists of two 64-Kbps B-channels and one D-channel for transmitting control information.




  • ISDN - Primary Rate Interface (PRI): consists of 23 B-channels and one D-channel (U.S.) or 30 B-channels and one D-channel (Europe). The original version of ISDN (narrowband ISDN) uses the 64 Kbps channel structure described above. Broadband ISDN (B-ISDN) was defined for rates above the primary rate (155 Mbps and higher, carried over ATM); it requires fibre optic cabling and is not widely available.


ITU: International Telecommunication Union. Its telecommunication standardization sector (ITU-T) was formerly known as the CCITT.
Network: A configuration of devices and software connected for information, voice or image transmission or for other purposes that may be addressed by electrical, radio or optical signaling. Any local, wide-area, metropolitan-area or campus network established for use by Ministries or Agencies.
NAP: Network Access Points
PABX: (Private Automatic Branch Exchange). A private telephone exchange, usually in an office environment, which connects a number of internal extensions to each other and to the public telephone network.
PSTN: (Public Switched Telephone Network). The main telephone system owned or operated by a telecommunications company, e.g. OGERO.
TCP/IP: (Transmission Control Protocol / Internet Protocol). TCP/IP is a suite of communications protocols. Services on a TCP/IP network follow a client-server model, but the roles are not tied to particular machines: any host can run TCP/IP server software and provide services to any other host that runs the complementary client software.
Telecommunications: Any transmission, emission or reception of signs, signals, writings, images and sounds or information of any nature by wire, radio, visual, optical or other electromagnetic systems.
T1: A dedicated digital phone connection supporting data rates of 1.544Mbits per second. A T1 line actually consists of 24 individual channels, each of which supports 64Kbits per second. Each 64Kbit/second channel can be configured to carry voice or data traffic. Most telephone companies allow you to buy just some of these individual channels, known as fractional T1 access.
T1 lines are a popular leased line option for businesses connecting to the Internet and for Internet Service Providers (ISPs) connecting to the Internet backbone. The Internet backbone itself consists of faster T-3 connections.

T1 lines are sometimes referred to as DS1 lines.



Virtual Private Network (VPN): A network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that data intercepted in transit cannot be read or altered without detection.
Wide Area Network (WAN):


  • A network that provides communication services to a geographic area larger than that served by a local area network or a metropolitan area network and that may use or provide public communication facilities.

  • A data communications network designed to serve an area of hundreds or thousands of miles; for example, public and private packet-switching networks and national telephone networks.

  • A computer network that links multiple workstations and other devices across a large geographical area. A WAN typically consists of multiple LANs that are linked together.


X.25: A popular standard for packet-switching networks. The X.25 standard was approved by the CCITT (now the ITU) in 1976. It defines layers 1, 2 and 3 in the OSI Reference Model.


2.8 Related Segments and Cross References

This segment is related to the following:


102 www.omsar.gov.lb/ICTSG/NW Networks

105 www.omsar.gov.lb/ICTSG/OS Operating Systems

204 www.omsar.gov.lb/ICTSG/SC Information Integrity and Security

205 www.omsar.gov.lb/ICTSG/DE Data Definition and Exchange


These can be downloaded from OMSAR’s website on ICT Standards and Guidelines at www.omsar.gov.lb/ICTSG.


2.9 Related International Standards

There are no related standards for the usage of Telecommunications. However, telecommunications science relies heavily on engineering standards which are not within the scope of this segment.




2.10 All Segments in the ICT Standards and Guidelines

OMSAR's website for ICT Standards and Guidelines is found at www.omsar.gov.lb/ICTSG and it points to one page for each segment. The following pages will take you to the home pages for the three main project documents and the 13 segments:


www.omsar.gov.lb/ICTSG/Global Global Policy Document

www.omsar.gov.lb/ICTSG/Cover Cover Document for the 13 segments

www.omsar.gov.lb/ICTSG/Legal Legal Recommendations Framework

101 www.omsar.gov.lb/ICTSG/HW Hardware


102 www.omsar.gov.lb/ICTSG/NW Networks

103 www.omsar.gov.lb/ICTSG/TC Telecommunications

104 www.omsar.gov.lb/ICTSG/DB Database Systems

105 www.omsar.gov.lb/ICTSG/OS Operating Systems

106 www.omsar.gov.lb/ICTSG/EN Buildings, Rooms and Environment

201 www.omsar.gov.lb/ICTSG/QM Quality Management

202 www.omsar.gov.lb/ICTSG/SW Software Applications

203 www.omsar.gov.lb/ICTSG/EV Evaluation + Selection Framework

204 www.omsar.gov.lb/ICTSG/SC Information Integrity and Security

205 www.omsar.gov.lb/ICTSG/DE Data Definition and Exchange

206 www.omsar.gov.lb/ICTSG/RM Risk Management

207 www.omsar.gov.lb/ICTSG/CM Configuration Management
Each page contains the main document and supplementary forms, templates and articles for the specific subject.

3.0 WAN Technologies

This section describes the different kinds of Wide Area Network technologies and a procedure for selecting a network-to-network connection.


There are many different technologies available for connecting isolated networks. The best solution depends on the frequency of data transfers and the bandwidth requirements. The most common WAN connections are:


  • Analog Dial up

  • ISDN

  • Frame Relay

  • T1

  • E1

Figure 1: A typical WAN connection



3.1 Dial up Analog Connections

Dial up analog connections operate over standard voice grade telephone lines. Analog modems can achieve data transfer rates of up to 56 Kbps, depending on line quality. There are also products on the market, called dual analog modems, that double this rate by sending data over two analog phone lines at once. The advantage of analog connections is that they are inexpensive.




3.1.1 Requirements

Each site will require a modem of similar speed and a standard dedicated phone line.




3.1.2 When to Use Dial up Analog Connections

Dial up analog connections are best for small file transfers and low bandwidth applications such as e-mail. Analog connections should be used where download times are not critical and low cost is required.



3.2 ISDN

Integrated Services Digital Network (ISDN) transmits voice and data simultaneously over a single digital line. It operates over a single twisted pair copper telephone line using the existing wiring. Because ISDN is digital end to end, the line noise that limits analog modems does not affect it, and calls are set up almost instantaneously. ISDN allows data to be transmitted on one channel while a voice conversation or fax is carried on the other.


This is a benefit for small offices that would typically need multiple telephone lines installed. ISDN comes in two types of access services: Basic Rate Interface (BRI) and Primary Rate Interface (PRI).


3.2.1 Basic Rate Interface (BRI)

BRI consists of two 64Kbps circuit-switched data/voice channels (B Channels) and one 16Kbps signaling channel (D Channel). BRI is referred to as 2B+D. BRI can achieve data transfer rates of 64Kbps using a single B channel or 128Kbps combining the 2 B channels.




3.2.2 Primary Rate Interface (PRI)

This is for users with greater bandwidth requirements. In North America PRI consists of 23 data channels and one signaling channel (23B+D), giving up to 1.544 Mbps, the equivalent of a single T1; the European variant is 30B+D at 2.048 Mbps, the equivalent of an E1. PRI is used for intensive bandwidth-on-demand applications such as LAN-to-LAN interconnection and video conferencing. Each B channel may be used for virtually any combination of voice, video or packet switching.




3.2.3 ISDN Requirements

ISDN requires that the Telephone Company (OGERO) install services to the offices that are to be connected. An ISDN terminal adapter or an ISDN router will be required at each location. ISDN charges from OGERO include a one time installation fee + a flat monthly fee + usage charges (charges apply to each B channel). Refer to the Appendix in Section 6 for OGERO rates.




3.2.4 When to Use ISDN

ISDN is a good choice for high speed dial up connections between LANs and for the simultaneous use of voice, data, images and video. ISDN should be used for intermittent rather than constant data transmission between sites.


The advantage of ISDN is that calls can be made and dropped instantly, so the link needs to be active only while data is actually being transmitted. Routers can automatically make the call, transmit the data and drop the call with no interaction from the user. ISDN can also be used for redundancy, to back up critical Frame Relay or T1 WAN connections.


3.3 Frame Relay

For frequent data transfers or higher bandwidth requirements, a Frame Relay connection is the best choice. Frame Relay fills the gap between expensive leased T1 lines and lower priced ISDN service. The advantage of Frame Relay is the flat monthly fee for the service. There are no usage charges; therefore monthly service costs are more predictable.


Frame Relay is available in access rates from 56Kbps to 1.544Mbps. Frame Relay is a "scalable service" meaning that the Phone Company can increase access rates without changing wiring or equipment.


3.3.1 Frame Relay Requirements

A DSU/CSU (Data Service Unit / Channel Service Unit) and a Frame Relay capable router must be installed at each site. Products exist that combine the router and the DSU/CSU in one unit. Frame Relay costs include a one time installation fee plus a flat monthly fee, applied on a per site basis.




3.3.2 When to Use Frame Relay

Frame Relay is a good choice for frequent or constant data transmission between sites. It is used for critical high bandwidth applications. Because Frame Relay provides multiple logical links to one or more destinations over a single physical link, it is a good choice if you need multiple sites connected.



3.4 Digital Carrier System - T1

A T1 connection carries the DS1 (Digital Signal level 1) format and provides 1.544 Mbps of bandwidth. A T1 line is leased from the Telephone Company (OGERO) and directly links two sites. OGERO can also provide Fractional T1 service in multiples of 64 Kbps (one DS0 channel) for users needing less than the full T1 bandwidth. T1 provides the highest performance for network-to-network connections because it does not rely on the Telephone Company's switched network. However, T1 is the most expensive type of service.




3.4.1 T1 Requirements

The requirements for T1 are similar to Frame Relay. The Telephone Company must install service to both sites and a DSU/CSU and a T1 capable router must be installed. T1 costs include a one time installation fee + a flat monthly fee.




3.4.2 When to Use T1

T1 lines should be used for critical, high bandwidth applications. T1 lines are best when the sites being connected are close together (otherwise the cost is prohibitive).




3.5 E1

While T1 is the North American standard, E1 is the European format for digital transmission. It carries signals at 2.048 Mbps (32 channels at 64 Kbps, with 2 channels reserved for framing and signaling). Like a T1, an E1 line is leased from the Telephone Company, which can also provide Fractional E1 service in multiples of 64 Kbps for users needing less than the full E1 bandwidth.




3.5.1 E1 Requirements

The requirements for E1 are similar to T1. The Telephone Company must install service to both sites and a DSU/CSU and an E1 capable router must be installed. E1 costs include a one time installation fee + a flat monthly fee.




3.5.2 When to Use E1

E1 lines should be used for critical, high bandwidth applications. E1 lines are best when the sites being connected are close together (otherwise the cost is prohibitive).


The figures below summarize the WAN technologies described above.


Figure 2: Summary of WAN Technologies


Figure 3: Roadmap to Determine a WAN Technology


4.0 WAN Devices and Equipment

This section describes Telecommunications devices necessary to establish WAN connections between two or more sites, based on the requirements presented for each WAN technology.



4.1 Modems




Figure 4: Modem Characteristics

4.2 ISDN Terminal Adapter

An ISDN terminal adapter is analogous to a modem for an analog phone line connection. Terminal adapters are normally the optimal choice when a single computer will use the ISDN line. They connect to the computer either as an internal card or via the computer's serial port. Recommended technical features and characteristics are shown in Figure 5.



Figure 5: ISDN Terminal Adapter Technical Specifications

4.3 ISDN Router

A router is normally the optimal choice when multiple computers will share the ISDN line for network connectivity. The router connects to the computers over an Ethernet LAN.



Figure 6: ISDN Router Technical Specifications

4.4 Frame Relay Capable Router




Figure 7: Routers

4.5 DSU and CSU Devices

A Data Service Unit/Channel Service Unit (DSU/CSU) provides high speed access to LAN/WAN applications. It connects to T1/E1 or fractional T1/E1 network services at data rates from Nx56/64 Kbps up to 2.048 Mbps and supports the bandwidth requirements of LAN internetworking, video conferencing, CAD/CAM, data and image applications. A DSU/CSU can be configured for point-to-point or point-to-multipoint applications using Fractional T1/E1 topologies, and it can access public network services such as Frame Relay, T1/E1 and fractional T1/E1, value-added networks and private backbone networks.



Figure 8: DSU/CSU Technical Specifications

4.6 Firewalls




Figure 9: Firewalls


5.0 Virtual Private Networks

With the advent of the Internet, the opportunity has arisen to provide temporary links across the public network between companies and sites. Instead of creating a true private network with all its attendant costs and management issues, one can make use of the Internet to provide a Virtual Private Network (VPN).


Rather than maintaining an expensive point-to-point leased line (a T1 or an E1 link), the Ministry or Agency can connect each office or Local Area Network to a local Internet Service Provider (ISP) and route data through the Internet, thereby using shared, low-cost public bandwidth as the communications backbone.
VPNs are not limited in the number of LANs or nodes that can be included in the virtual WAN. For a Ministry or an Agency that has numerous sites to link, this can result in significant savings compared with maintaining a network of leased lines.
VPN is a technology that can be employed by Ministries or Agencies with traffic requirements of any size. Those requirements may call for Wide Area Network bandwidths well below 64 Kbps, and VPNs can be set up to work at speeds lower than leased lines allow.
A VPN does not need to be a permanent link. Dial-on-demand virtual networks can be created using analog modems or ISDN for sites that do not require a full-time connection. When a user on the LAN needs to access the WAN, a modem or router automatically connects to a nearby ISP and starts sending data across the Internet.
VPN links can be set up with little effort and removed just as easily. In addition, client-to-server VPNs can be created on demand between remote user PCs and a firewall or VPN termination device at head office. This gives roaming users access to the Ministry's or Agency's networks wherever they may be located.
A VPN reduces the number of modems and telephone lines needed centrally to support dial-in networking and dramatically decreases long distance charges, since remote PC users connect to their local ISP instead of dialing head office directly.
With sensitive data travelling over the public network, security becomes a primary concern. Unprotected data sent across the public Internet can be viewed, copied or modified by unintended individuals or organizations. Data can be tampered with en route and valuable systems can be sabotaged.
Both ends of the tunnel must verify that they are communicating with a valid host or client at the remote end of the link before any data is exchanged. Once the link has been established, data traveling within the tunnel must be encrypted, so that anyone eavesdropping on the conversation cannot recover the raw data, and integrity-protected, so that any modification in transit is detected.

The most important security considerations for a VPN over the Internet are:




  • Authentication: Verifying that the parties on each end of the link are who they claim to be




  • Privacy: Ensuring that transmitted content is not read or intercepted by unauthorized recipients




  • Integrity: Verifying that the transmitted data is received in an unchanged state

Doing business over the Internet, including transferring funds, obtaining and verifying credit information, selling and even delivering products, requires a reliable and effective security solution.
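The three properties above can be seen concretely in a small simulated tunnel. The following Go program is an added example written for this edition; it is not code from the original document or from any VPN product. It assumes a hypothetical 32-byte pre-shared key known to head office and a branch (the value of preSharedKey, the role names "head" and "branch", the sample payload and all function names are this example's own inventions), derives separate authentication and encryption sub-keys from it, performs a mutual challenge-response handshake (authentication), and then protects a constructed sample packet with AES-256-GCM so that the payload is hidden (privacy) and a packet with a single flipped byte is rejected on receipt (integrity). Real VPN protocols such as IPSec negotiate fresh session keys with IKE rather than deriving them from a static pre-shared key as done here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Hypothetical 32-byte pre-shared key for this example only; a real VPN negotiates fresh session keys (IPsec IKE).
var preSharedKey = []byte("example-psk-for-vpn-demo-32bytes")

// deriveKey gives each purpose its own sub-key so the authentication and encryption keys are never the same bytes.
func deriveKey(psk []byte, label string) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// newChallenge returns a fresh random nonce; a new one per handshake defeats replay of old responses.
func newChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err) // without usable randomness there is no secure handshake
	}
	return c
}

// respond proves knowledge of the key without sending it: an HMAC over the responder's role and the peer's
// challenge. verifyResponse compares in constant time so a wrong guess leaks nothing about how close it was.
func respond(authKey, challenge []byte, role string) []byte {
	m := hmac.New(sha256.New, authKey)
	m.Write([]byte(role))
	m.Write(challenge)
	return m.Sum(nil)
}
func verifyResponse(authKey, challenge, response []byte, role string) bool {
	return hmac.Equal(respond(authKey, challenge, role), response)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPacket protects one packet with AES-256-GCM: the ciphertext hides the payload (privacy) and the tag
// detects any change (integrity). The 12-byte nonce carries the sequence number, travels in the clear ahead
// of the ciphertext and is bound into the tag as additional data; it must never repeat under one key.
func sealPacket(gcm cipher.AEAD, plaintext []byte, seq uint64) []byte {
	nonce := make([]byte, gcm.NonceSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], seq)
	return gcm.Seal(nonce, nonce, plaintext, nonce)
}

// openPacket reverses sealPacket and fails closed on any tampering.
func openPacket(gcm cipher.AEAD, packet []byte) ([]byte, error) {
	if len(packet) < gcm.NonceSize() {
		return nil, fmt.Errorf("packet too short: %d bytes", len(packet))
	}
	nonce, ct := packet[:gcm.NonceSize()], packet[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nonce)
}

type TunnelResult struct{ AuthOK, ImpostorRejected, RoundTrip, TamperDetected bool }
// DemoTunnel runs both ends in one process: mutual authentication, an impostor with the wrong key,
// one protected packet, and that same packet with one ciphertext byte flipped en route.
func DemoTunnel() (TunnelResult, error) {
	var r TunnelResult
	authKey := deriveKey(preSharedKey, "auth")
	gcm, err := newGCM(deriveKey(preSharedKey, "enc"))
	if err != nil {
		return r, err
	}
	cHead, cBranch := newChallenge(), newChallenge()
	r.AuthOK = verifyResponse(authKey, cHead, respond(authKey, cHead, "branch"), "branch") &&
		verifyResponse(authKey, cBranch, respond(authKey, cBranch, "head"), "head")
	wrongKey := deriveKey([]byte("attacker-guess"), "auth")
	r.ImpostorRejected = !verifyResponse(authKey, cHead, respond(wrongKey, cHead, "branch"), "branch")
	payload := []byte("GET /payroll HTTP/1.1") // constructed sample packet
	packet := sealPacket(gcm, payload, 1)
	got, err := openPacket(gcm, packet)
	r.RoundTrip = err == nil && string(got) == string(payload)
	tampered := append([]byte(nil), packet...)
	tampered[gcm.NonceSize()] ^= 0x01 // first ciphertext byte after the nonce
	_, err = openPacket(gcm, tampered)
	r.TamperDetected = err != nil
	return r, nil
}

func main() {
	r, err := DemoTunnel()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The point worth taking from the example is that privacy and integrity come from one authenticated-encryption primitive; a tunnel that only encrypts, without a tag, would still let an on-path attacker flip bits in the payload undetected. The challenge-response step is what prevents an attacker who can reach the Internet-facing gateway from simply claiming to be the branch.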


5.1 Roadmap for Implementing a VPN Solution

The following sections describe the roadmap for implementing a VPN solution:



Figure 10: Roadmap to Implementing a VPN Solution


5.2 Step 1: Determine Networking Connectivity + Access Requirements

First and foremost, the Ministry or Agency needs to determine what kinds of WAN connections are needed and what network access remote users require. WAN connections fall into two general categories: intranet connections and extranet connections. An intranet connects different locations of the same Ministry or Agency; an extranet usually refers to network connections with the “business partners” of the Ministry or Agency.


Remote access users can also be classified into two categories:


  • Road Warriors: Road warriors typically move from location to location frequently.

  • Telecommuters: Telecommuters generally stay at one location for an extended period of time.

After determining the connectivity and access requirements, a network security policy should be created (if it is not already in place) to facilitate network design. Sometimes the policy can be simple, such as granting the same uniform access to every location and every remote access user. Often the policies are more complex, involving different functions at different agency levels and the different needs of “business partners”.



5.3 Step 2: Choose Product(s) or a Service Provider

Because a VPN involves many different technologies, and even more VPN products exist from various equipment vendors, choosing the right technology from the right vendor is often not easy. VPN products in general fall into four distinct categories:

  • VPN gateway. Devices with special software and hardware to provide VPN capability. Various functions are optimized onto various software/hardware components.

  • Software only. Software is overlaid on PC or workstation platforms and performs all the VPN functions.

  • Firewall based. Additional functions are added to the firewall to enable VPN capability.

  • Router based. Additional functions are added to the router to enable VPN capability.

Hardware-based encryption provides faster encryption. When the link speed exceeds T1 (1.5 Mbps), hardware encryption is almost a necessity.


The various standards and protocols supported by the product are very important. In general, most VPN products should support IPSec, L2TP and PPTP. IPSec is the standard created by the Internet standards body, the Internet Engineering Task Force (IETF), to provide security services in the IP-based Internet. It has been widely adopted in the networking industry. ICSA (International Computer Security Association) provides IPSec compliance certification for equipment vendors.
The types of authentication method supported by the products are also very important. RADIUS (Remote Authentication Dial In User Service) and PKI (Public Key Infrastructure) are two popular authentication standards. Directory server (e.g. LDAP) based authentication has also been implemented by various vendors.
For many Ministries or Agencies, it makes sense to outsource the VPN implementation to a service provider. A VPN service provider already has the right expertise in designing and implementing the VPN. By working closely with a service provider, the organization can be assured that its networking needs are adequately addressed. At the same time, it can focus on its core business and expertise, which often do not lie in the networking and security field.

5.4 Step 3: Test It Out

After choosing the product or service provider, the next step is to try it out. Two or three sites and a small group of remote access users can be chosen to conduct a pilot service. The goal of the pilot is to ensure the VPN can be correctly configured to meet a subset of the network connectivity and remote access requirements determined in step 1.


It should also show that the performance of the network is adequate and that the chosen authentication method can be managed. For example, in the case of using PKI for authentication, digital certificates can be appropriately issued and revoked.

5.5 Step 4: Design and Implement the Network Design

After a successful pilot project, a production implementation can follow. A complete VPN design that meets all the network connectivity and remote access requirements determined in step 1 should be completed, either by the Ministry or Agency itself or working with the service provider. The implementation plan itself may be phased in.


In designing the VPN, an important aspect is the relative location of the VPN device with respect to the firewall already located at the corporate network perimeter. For example, the VPN device can be positioned in parallel to the firewall. In some cases, the VPN device can also perform the firewall function (and vice versa), thus combining the two devices into a single entity.
Implementing a VPN may mean reconfiguring other devices on the corporate network, such as the routers in the corporate network and the NAT (network address translation) server. In some cases, the VPN device can also perform NAT functions.
Deployment of VPN software onto remote access computers should be managed carefully. Unlike the VPN gateways situated on the corporate network, which are often installed by experienced network engineers, the VPN client software for remote access often needs to be installed by the end users themselves. Therefore, a convenient software delivery method (e.g. web download) and an easy-to-follow installation guide should be provided.

5.6 Step 5: Monitor and Manage the VPN

Corporate networks require continued monitoring and management. The same holds true for VPNs. The VPN needs to be monitored and managed to ensure the continued correct operation of the network. It is also desirable to gather usage and performance statistics, so that appropriate network changes can be planned.


In today’s fast-changing industry, the networking needs of a Ministry or Agency will also change. Because an IP-based VPN does not rely on a physical infrastructure of dedicated circuits, making changes to the VPN simply amounts to changing the configuration of the VPN devices. This offers organizations the flexibility to change at a moment’s notice, a distinct advantage compared with the slow telecommunications circuit provisioning process, which can usually take 30 days.
Similar to the implementation of the VPN, the Ministry or Agency can choose to perform the monitoring and management of the VPN themselves or outsource the tasks to a trusted service provider, making use of the infrastructure and expertise of the provider.

5.7 Step 6: Upgrade and Migrate

Virtual Private Network technologies continue to evolve, just as the networking industry does. VPN products continue to achieve higher performance, stronger security and easier management. In addition, different security models, such as providing security in the ISP’s POP (Point of Presence), are emerging. The Ministry or Agency should continue to upgrade its network infrastructure to adapt to ever-changing business needs and technologies.



6.0 Appendix A – OGERO Rates



The current rates for OGERO’s Telecommunications Services are posted on OGERO’s website: www.ogero.gov.lb and should be reviewed regularly in case of updates.