
Wide area network (WAN) topologies are network configurations that are designed to carry data over a great distance. Unlike LANs, which are designed to deliver data between many systems, WAN topologies are usually point to point. Point to point means that the technology was developed to support only two nodes sending and receiving data. If multiple nodes need access to the WAN, a LAN will be placed behind it to accommodate this functionality.

Private Circuit Topologies

Leased lines are dedicated analog or digital circuits that are paid for on a flat-rate basis. This means that whether you use the circuit or not, you are paying a fixed monthly fee. Leased lines are point-to-point connections—they are used to connect one geographical location to another. The maximum throughput on a leased line is 56Kbps.

A T1 is a full-duplex signal (each end of the connection can transmit and receive simultaneously) over two-pair wire cabling. This wire pair terminates in a receptacle that resembles the square phone jacks used in older homes. T1s are used for dedicated point-to-point connections in the same way that leased lines are. Bandwidth on a T1 is available in increments from 64Kb up to 1.544Mb. T1s use time division to break the two wire pairs into 24 separate channels. Time division is the allotment of available bandwidth based on time increments. This is extremely useful, as a T1 is capable of carrying both voice and data at the same time.

There are two common ways to deploy leased lines or T1s:

• The circuit constitutes the entire length of the connection between the two organizational facilities (such as a branch office and a main office).

• The leased line is used for the connection from each location to its local exchange carrier. Connectivity between the two exchange carriers is then provided by some other technology, like frame relay (discussed in the next section).

The first of these two options creates the more secure connection, but at a much higher cost. Using a private circuit for end-to-end connectivity between two geographically separated sites is the best way to ensure that your data is not monitored. While it is still possible to sniff one of these circuits, an attacker would need to gain physical access to some point along its path. The attacker would also need to be able to identify the specific circuit to monitor. Telephone carriers are not known for using attacker-friendly labels like “Bank XYZ’s financial data: monitor here.”

The second option is simply used to get your signal to the local exchange carrier. From there, your data would travel over a public network, such as frame relay or X.25.

Frame Relay and X.25

Frame relay and X.25 are packet-switched technologies. Because data on a packet-switched network is capable of following any available circuit path, such networks are represented by clouds in graphical presentations such as Figure 4.7.

FIGURE 4.7 A WAN frame relay cloud connecting three remote networks to a corporate office

Both X.25 and frame relay must be configured as permanent virtual circuits (PVCs), meaning that all data entering the cloud at point A is automatically forwarded to point B. These end points are defined at the time the service is leased. For large WAN environments, frame relay can be far more cost effective than dedicated circuits. This is because you can run multiple PVCs through a single WAN connection.

For example, let’s say you have four remote sites that require a 56Kb connection to the home office. If you were to construct this network out of dedicated circuits, you would require a 56Kb leased line connection at each of the remote sites, as well as four 56Kb leased line connections running into the main office.

With frame relay, however, you could replace the four dedicated connections at the main office with one fractional T1 connection and simply activate four channels of the T1 circuit to accept the data. By requiring only a single circuit at the main site, you can reduce your WAN costs.

In fact, there is nothing that says the committed information rate (CIR) at the main office must equal the combined CIR value of all your remote sites. For example, let’s assume that the connections to your remote sites are used strictly for transferring e-mail. If bandwidth requirements are low, you may be able to drop the CIR at the main office from 256Kb to 128Kb. As long as the combined traffic to your four remote sites never exceeds 128Kb, you would not even notice a drop in performance. This would reduce your WAN costs even further.

The packet-switched network is a shared medium. Your exchange carrier uses the same network for all PVCs it leases out. In effect, you are sharing available bandwidth with every other client.

Your connection point into the cloud is defined through the use of a Data Link Connection Identifier (DLCI). A unique DLCI is assigned to each router that connects to the cloud. The DLCI lets the local exchange carrier know which PVC it should map to your connection.

As long as everyone uses their assigned DLCI, life is happy. The problem is when someone incorrectly, or with malicious intent, assigns his or her router the same DLCI as your circuit. This can cause traffic to be diverted to their network. In order for this to occur, the following conditions must be met:

1. The attacker must be connected to the same local exchange carrier.

2. The attacker must be connected to the same physical switch.

3. The attacker must know your DLCI.

Clearly, this is not the most difficult attack to stage. While it would be expensive (unless the attacker can gain access to another organization’s network and “borrow” that connection), this attack may be well worth the effort if the attacker knows that sensitive information will be passing across the link. Also, a would-be attacker can actually redirect a PVC to another geographical location. While doing so would eliminate the need to be connected through the same local carrier and the same switch in order to capture data, it also means that the attacker would have to infiltrate the exchange carrier’s management system. Although this is not an easy task, it has been done in the past.
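Because the DLCI is the only thing tying a frame to a PVC, it is worth checking that your access link carries only the DLCIs you actually leased. The following is an added example, not code from the original text: it goes beyond the page by decoding the standard two-octet Q.922 address field in which the DLCI travels, then flags frames on unprovisioned DLCIs. The DLCI values, sample frames and function names are constructed for illustration.

```python
from collections import Counter

# DLCIs reserved for link management (LMI) signalling rather than user PVCs.
MANAGEMENT_DLCIS = {0, 1023}

def parse_fr_address(frame: bytes) -> dict:
    """Decode the default two-octet Q.922 address field at the start of a frame."""
    if len(frame) < 2:
        raise ValueError("frame shorter than the address field")
    b0, b1 = frame[0], frame[1]
    # EA (extended address) bit is 0 in the first octet and 1 in the last one.
    if (b0 & 0x01) or not (b1 & 0x01):
        raise ValueError("not a two-octet address field")
    return {
        "dlci": ((b0 >> 2) << 4) | (b1 >> 4),  # 6 high bits + 4 low bits
        "fecn": (b1 >> 3) & 1,  # congestion seen in the forward direction
        "becn": (b1 >> 2) & 1,  # congestion seen in the reverse direction
        "de": (b1 >> 1) & 1,    # discard eligible: dropped first under congestion
    }

def build_fr_address(dlci: int, de: int = 0) -> bytes:
    """Encode an address field; used here only to construct sample frames."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI is a 10-bit value")
    return bytes([(dlci >> 4) << 2, ((dlci & 0x0F) << 4) | (de << 1) | 0x01])

def audit_link(frames, provisioned):
    """Count frames per DLCI and list DLCIs that are not provisioned PVCs."""
    counts, malformed = Counter(), 0
    for frame in frames:
        try:
            counts[parse_fr_address(frame)["dlci"]] += 1
        except ValueError:
            malformed += 1
    allowed = set(provisioned) | MANAGEMENT_DLCIS
    unexpected = sorted(d for d in counts if d not in allowed)
    return {"counts": dict(counts), "unexpected": unexpected, "malformed": malformed}

# Constructed sample: four PVCs to the remote sites, as in the scenario above.
PROVISIONED = {100, 101, 102, 103}  # assumed DLCI values
SAMPLE_FRAMES = [build_fr_address(d) + b"payload" for d in (100, 101, 100, 1023, 200)]
SAMPLE_FRAMES.append(b"\x18")       # truncated frame, counted as malformed

if __name__ == "__main__":
    print(audit_link(SAMPLE_FRAMES, PROVISIONED))
```

A non-empty `unexpected` list means the link is carrying a PVC that is not in your provisioning records, which is a question to raise with the exchange carrier.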
