
Dedicated Access User's Guide

Our Dedicated Access User's Guide is where you will find answers to most questions you may have about Pacific Bell Internet business solutions. For more information, see our Required Hardware and Software for dedicated access, the Dedicated Services FAQ, and the Classless Inter-Domain Routing (CIDR) overview.

Version 1.03

TABLE OF CONTENTS

INTRODUCTION

  • Welcome!
  • Who Is Pacific Bell Internet?
  • What is the Internet?
  • Contact update for your firm.

SECTION 1 - DEDICATED ACCESS SERVICE

  • What Does Pacific Bell Internet Offer?
  • What Do I Need To Connect?
  • Domain Name Service
  • Electronic Mail System
  • Network News Server
  • Web Browser
  • Web Server

SECTION 2 - DEDICATED ACCESS OPTIONS

  • Transport Options Supported
  • Recommended Customer Network Equipment
  • Recommended Routing Protocols

SECTION 3 - ADDRESS AND DOMAIN NAME REGISTRATION

  • Why Must I Register My Address and Domain Name?
  • How Do I Register My Address?
  • How Long Will Internet Address Registration Take?
  • How Do I Register My Domain Name?
  • What If I Already Have A Registered Domain Name?

SECTION 4 - DEDICATED ACCESS ORDERING AND TIMELINES

SECTION 5 - NETWORK SECURITY

  • Packet Filtering
  • Application Level Firewall
  • Authentication
  • One-Time Passwords
  • Dynamic Passwords
  • Encryption
  • Application Encryption

SECTION 6 - KEY CONTACT LIST

APPENDIX A - ADDRESS AND DOMAIN NAME REGISTRATION SURVEY

  • General Site Information
  • Network Specific Information
  • Domain Name Information

APPENDIX B - IMPLEMENTATION CHECKLIST

  • Hardware
  • Software Applications
  • Address and Domain Name Registration
  • Data Transport Service

APPENDIX C - HELPFUL RESOURCES

  • Establishing a Network News Feed
  • CIDR Overview
  • Pacific Bell Reference Documents
  • Internet Engineering Task Force Requests For Comments

GLOSSARY OF ACRONYMS


    INTRODUCTION

    Welcome

    Who is Pacific Bell Internet?

    Pacific Bell Internet, a wholly owned subsidiary of SBC Communications, Inc., was created in 1995 to provide California customers with reliable, comprehensive, easy-to-use Internet solutions. Leveraging over 20 years of data transport service experience, Pacific Bell Internet has the unique advantage of being able to provide its customers with a total communications portfolio. Pacific Bell Internet has established strategic partnerships with Sun Microsystems Computer Company, Cisco Systems Inc., and Netscape Communications Corporation, three companies whose products complement Pacific Bell Internet. We expect that these alliances will result in better products for our customers now and in the future.

    What is the Internet?

    The Internet is a vast worldwide network comprised of thousands of smaller interconnected networks; this worldwide network evolved from a project funded by the U.S. Defense Advanced Research Projects Agency (DARPA). The Internet was originally created to help researchers and scientists exchange information quickly and actually prohibited use of the network for commercial purposes.

    Today, the Internet has grown dramatically and its users have expanded from research institutions and scientific laboratories to commercial businesses and consumers. The Internet now includes many for-profit Internet Service Providers such as Pacific Bell Internet. Along with the increase in the number of users on the Internet, the quantity of tools that can be used on the Internet has also grown. Now, those users on the Internet can not only transfer files in electronic format, they can send messages via electronic mail (e-mail), conduct research using the vast resources of the Internet, hold real-time "talk" sessions with others connected to the Internet, and much more.

    Pacific Bell Internet is a large regional network within the Internet. Pacific Bell Internet receives its customers' network traffic and delivers it either to the destination address or, as needed, to a Global Service Provider who forwards it onto the ultimate destination. In turn, Pacific Bell Internet receives network traffic that is destined for its customers from Global Service Providers and then delivers it to the appropriate location.

    The Pacific Bell Internet network is composed of multiple network hubs connected by a high speed 45 Mbps backbone network. Each major network hub runs on an FDDI LAN connecting routers and hosts that accept and route Internet Protocol (IP) traffic, and provide auxiliary services that make accessing the Internet easier. Today, customers access the Pacific Bell Internet network by connecting to the closest major hub via DS1 (T-1), DS3 (45 Mbps), SMDS, or Frame Relay. Each of these major hubs is connected directly to the Internet through an Internet Global Service Provider.


    SECTION 1 - DEDICATED ACCESS SERVICE


    What Does Pacific Bell Internet Offer?

    Currently, Pacific Bell Internet provides customers with dedicated connections to the Internet through its Dedicated Access service. We also offer analog dial-up access up to 56 Kbps and ISDN dial-up access up to 128 Kbps.

    Pacific Bell Internet provides dedicated access customers with three components: Transport Service, Internet Connectivity, and Customer Services.

    Transport Services refers to the Pacific Bell data network service that connects the customer location to the Pacific Bell Internet hub. Options include Pacific Bell FasTrak DS1 (T-1), Frame Relay, DS3 and ATM Cell Relay access.

    Internet Connectivity is what enables Pacific Bell Internet customers to communicate with others on the Internet. Internet Connectivity refers not only to the backbone network facilities that connect our network hubs to the global Internet, but also to the fact that the appropriate agreements are in place to allow Pacific Bell Internet to route its customers' traffic onto the Internet. What does this mean for you as a Pacific Bell Internet customer? Simply, this means that you can communicate with anyone else on the Internet who is willing to communicate with you.

    Customer Services includes secondary Domain Name Service (DNS), secondary e-mail spooling, network news feed, optional Primary DNS service, and customer support for trouble resolution via the Pacific Bell Internet 24-hour NetCenter. The NetCenter's highly skilled staff is also responsible for monitoring all customer network connections to our network hubs, the Pacific Bell Internet network hubs and backbone network. Our future plans include online customer profile traffic reports.

    We also offer businesses new to the Internet an excellent starter package using our most popular Internet access solution: our Frame Relay Internet Access Pack. Please contact us at sales@pacbell.net for more information.

    Pacific Bell Internet also offers consulting services through its sister subsidiary, Pacific Bell Network Integration (PBNI). Consulting services include, but are not limited to: integrating Pacific Bell Internet with existing customer environments, providing the hardware and software required to connect to the Internet, configuring customer hardware (such as PCs, workstations, DSU/CSUs), designing and implementing security measures such as firewalls.

    What Do I Need to Connect?

    Typically, dedicated access customers are connecting a LAN-based configuration to the Internet. Customers need to provide the appropriate standard WAN equipment such as routers and CSU/DSUs. And because the Internet is a TCP/IP based network, customers need to have the TCP/IP protocol stack installed on each host or to translate any proprietary network traffic into TCP/IP through the use of a gateway.

    Customers are also responsible for providing, configuring, and supporting any software tools required for accessing the Internet. Below we have provided a short explanation of the most commonly used Internet tools.

    Domain Name Service (DNS)

    Domain Name Service (DNS), though typically invisible to the user, is the most fundamental tool associated with use of the Internet. The Internet uses the IP protocol and all IP traffic must have a source host address and a destination host address in the form of 206.13.28.11. Unfortunately, these addresses are extremely cumbersome and nearly impossible to remember.

    The function of DNS is to map the required IP addresses into more user-friendly, easy-to-remember host names. For example, the IP address of the Pacific Bell Internet mail server is 206.13.1.17, but its associated host name is popper.pacbell.net. DNS allows users to document the correlation between their IP addresses and host names. Each site is responsible for documenting the correlation between their own IP addresses and host names. This information is then propagated to other DNS servers all over the world. Everyone on the Internet relies on this mapping to easily access hosts and resources.

    Also, since hosts at a specific site are associated with a specific IP network address, all hosts at that site can be grouped together into a single domain. In this way, a host name such as "popper" can be reused by many Internet sites, as long as they each belong to different domains. To clarify, popper.pacbell.net does not correspond to the same IP address as popper.pacbell.com, since the domain "pacbell.net" is associated with the 206.13.1.0 network and the domain "pacbell.com" is associated with the 129.245.2.0 network. Of course, two computers cannot have the same host name if they are part of the same domain.

    The DNS for a particular site is provided by one or more hosts running specialized software; these hosts are commonly referred to as name servers or domain name servers. Customers are responsible for providing one primary name server at their location or they can choose to use Pacific Bell Internet's optional Primary DNS service. Customers are also responsible for providing one or more secondary name servers located off-site. The function of the secondary name server is to provide DNS for the site in case the primary fails.

    As part of our basic service, Pacific Bell Internet offers Dedicated Access customers the option of using one of our name servers as a secondary name server, for up to a maximum of three fully qualified domains per customer at no additional charge. The advantage of such a configuration is that if the primary name server fails, the Pacific Bell Internet name server can provide the required mapping between host names and IP addresses.

    Without a secondary name server, the site would be virtually isolated from the rest of the Internet. Remote users would find hosts at that site to be unresponsive to their host names. Likewise, local users trying to reach any host would be forced to manually enter the destination IP address in place of its host name. Please note that not providing DNS is NOT a security feature; it will not prevent your site from receiving data since the IP addresses for your site can easily be found or guessed.

    Electronic Mail System

    Electronic mail (e-mail) is the electronic equivalent of a letter delivered by the US Postal Service (USPS). However, in its electronic format, mail can be delivered almost instantaneously around the world! The Internet is similar to the USPS delivery system in that there must be a mechanism for getting mail into and out of the delivery system. With traditional mail, the sender must take the letter to the nearest post office or mailbox. Once a letter is delivered by the USPS, the recipient must physically go to his mailbox to retrieve the delivered mail.

    The sender of e-mail must also have a way of both delivering and receiving mail from the delivery system. This is accomplished through the use of individual host e-mail software, mail servers, and mail gateways.

    Pacific Bell Internet dedicated access customers must provide their own e-mail host software, server and gateway(s). We strongly recommend that the customer's e-mail system be Simple Mail Transfer Protocol (SMTP) RFC-1123 compliant since this is the predominant e-mail protocol used on the Internet.

    Each host must have an e-mail software package installed to generate the actual e-mail messages. The host e-mail software must be configured to forward messages to the local SMTP mail server for delivery.

    The local SMTP mail server then determines where to send outgoing messages by looking up the Mail Exchange (MX) record for the latter portion of the destination e-mail address. For example, if the destination address of an electronic mail message is help@PBI.net, the latter portion of the address is PBI.net. The SMTP mail server (which may also be referred to as the "mail server", "mail host", "mail spooler", or "mail relay") will check its DNS to obtain the MX record for PBI.net. The mail server would then forward the e-mail message to the IP address indicated in the MX record for PBI.net.

    The mail server also accepts incoming mail addressed to its site and delivers the mail to the individual hosts. The mail server may be configured to "spool" incoming mail if an individual host is temporarily unable to receive mail. The mail server stores the messages until the host is again able to accept mail. A spooling facility requires that disk space be reserved on the mail server for this purpose; the more mail a site gets, the more disk space is required. A reasonable configuration is disk space to spool mail for the entire site for three days.

    In some environments, a mail gateway is also necessary. A mail gateway's function is to translate e-mail messages from a proprietary format to a standard, SMTP-compliant format. For example, a mail gateway might translate between Macintosh Quickmail and SMTP Internet mail. If you are unsure which mail package your site is using, contact your local system administrator. If you need assistance setting up your e-mail system, we can refer you to Pacific Bell Network Integration.

    Pacific Bell Internet offers its dedicated access customers limited secondary mail spooling service. If your primary SMTP mail server becomes temporarily unavailable, our mail server will accept mail messages destined for your hosts. Customer mail will be spooled on our mail server for up to one week, unless otherwise negotiated. While it is possible to set up a secondary SMTP mail spooler at your own site, it is recommended to have this service provided off-site in the event that the failure is due to a problem on your local network.

    Network News Server

    An electronic news feed provides access to the exchange of information between Usenet news servers around the world. Usenet servers exchange information frequently so that updates and postings to Usenet news groups can be propagated throughout the Internet.

    The function of Usenet news is to allow Internet users to exchange ideas about particular subjects ranging from highly technical to political to recreational. Many users find that Usenet news is a valuable resource since specific questions or ideas can be posted to a news group and a response is usually posted fairly rapidly. Internet users tend to monitor news groups that are of specific interest to them; therefore, the likelihood of getting valuable, free information is quite high. Since Usenet is not administered by any one entity, news groups may or may not be moderated. This means that some newsgroups may be considered distasteful, offensive, or inappropriate to certain users.

    Pacific Bell Internet currently provides its customers either an unrestricted Usenet news feed which consists of ALL of the news groups it receives, or a choice of several subsets consisting of the most popular news groups.

    Customers who want to receive Usenet news must provide a high performance host which can devote a large percentage of resources to processing news. Pacific Bell Internet recommends that dedicated access customers set up their news server on a host with the following minimal characteristics:

    Usenet news software must be installed and configured on the news server. For more detailed information about the news server software and setup required to work with our service, check Appendix C - Establishing a Network News Feed. Each host also needs to have a news reader installed. Most Web browsers provide a news reader (see "Web Browser" below).

    Please note that the configuration and administration of a news server is a complicated issue requiring a high level of systems administration expertise. Pacific Bell Internet can refer you to Pacific Bell Network Integration if you need assistance in setting up your news server.

    Web Browser

    A Web browser, such as Netscape Navigator, is a software application that enables individual users to access the Internet with a Graphical User Interface (GUI). These applications make it easy for Internet users to do research, locate specific sites or services, conduct financial transactions, and keep up on the news available on the WWW. Most Web browsers also provide facilities for posting and reading Usenet news.

    Under an agreement with Netscape Communications Corporation, Pacific Bell Internet is authorized to sell Netscape Navigator LAN Edition. Each host requires its own copy and our prices start at $25 per copy with volume discounts available.

    Web Server

    More and more organizations are finding it valuable to have a presence on the World Wide Web (WWW). Web servers function as "virtual storefronts" to provide customer service, marketing, advertisements, and public relations information to Internet users. Web servers may also be used to provide resources or proprietary information to employees or key partners. A Web server can be easily configured to record the number of hits or connections to each of its Web pages; this information can be used to measure the interest level of the content of the Web pages themselves.

    If you want to have a Web server on the WWW, Pacific Bell Internet recommends that your server have at least the following characteristics:

    If the load on the Web server is too great, additional servers may be set up to handle additional requests. Optionally, there are many companies that offer Web Hosting services where your Web site resides on a third party maintained server.


    SECTION 2 - DEDICATED ACCESS OPTIONS

    Transport Options Supported

    Pacific Bell Internet supports both point-to-point private line services and fast packet services. Private line services supported include Pacific Bell FasTrak DS1 (1.544 Mbps) and DS3 (45 Mbps) services.

    However, many customers find that fast packet services, such as Frame Relay, can reduce their network and equipment cost as well as provide added flexibility. For example, if a site with a 128 Kbps Frame Relay connection to the Internet suddenly has more users to support, the service can be increased to 384 Kbps or even 1.536 Mbps with minimal effort.

    Below is a complete list of the Pacific Bell FasTrak data transport services supported by Pacific Bell Internet:

    Service          Speed
    Frame Relay      56 Kbps
    Frame Relay      128 Kbps
    Frame Relay      384 Kbps
    Frame Relay      1.536 Mbps
    DS1              1.544 Mbps
    DS3              3 - 45 Mbps
    Burstable DS3    3 - 45 Mbps
    ATM              3 Mbps
    ATM              5 Mbps
    ATM              10 Mbps
    ATM              15 Mbps
    ATM              20 Mbps
    ATM              30 Mbps
    ATM              40 Mbps

    Recommended Customer Network Equipment

    Regardless of the data transport service ordered, customers must ensure that the network equipment they are using conforms to industry standards. Pacific Bell Internet has tested and approved the following standards compliant CSU/DSUs and routers:

    CSU/DSUs         Routers
    ADC Kentrox      Cisco Systems
    Adtran           Ascend Communications

    Recommended Routing Protocol

    We recommend that dedicated access customers set up a static default route in their router that points to the appropriate Pacific Bell Internet hub router. A static route helps avoid the problems associated with dynamic routing protocol interactions. If static routes are not appropriate for your situation (i.e., you have multiple, diverse links to the Internet), Pacific Bell Internet will be happy to discuss a more suitable choice with your local network administrator.


    SECTION 3 - ADDRESS AND DOMAIN NAME REGISTRATION

    Why Must I Register My Address and Domain Name?

    All Internet IP addresses and Domain Names must be registered to ensure that there are no duplications. If duplications were to occur, there would be a great deal of confusion and inaccessibility due to incorrect host name/IP address mapping and routing errors. Such problems could be extreme and affect many Internet users.

    To avoid this, the Internet Addressing and Numbering Authority (IANA) was established. The IANA has chosen the InterNIC as its service provider, who in turn has contracted with Network Solutions Inc. (NSI) to perform the tasks associated with address and name registration. While this may seem somewhat confusing, the processes are fairly straightforward.

    How Do I Register My Address?

    To receive an InterNIC allocated or registered IP address, the policies of the InterNIC must be followed. Pacific Bell Internet will be happy to assist dedicated access customers with this process. Appendix A includes a survey to be completed by your network administrator so the appropriate information can be passed to the InterNIC in the appropriate format.

    How Long Will Internet Address Registration Take?

    The length of time required to obtain an InterNIC allocated address depends on your specific circumstances. Below are the most common scenarios and their corresponding timelines. It should be noted that the re-addressing of the local network cannot begin until the Internet Address assignment process is completed by the InterNIC.

    No Previously Assigned Internet IP Address
    Pacific Bell Internet should be able to allocate an IP address out of its existing address block within two weeks. If your addressing requirements are very large or unique, addresses may have to be obtained directly from the InterNIC. This process could take eight weeks depending on how busy the InterNIC is at the time.

    Previously Assigned Internet Address to be "transferred" to Pacific Bell Internet
    If a dedicated access customer has been allocated an Internet IP address block by another Internet Service Provider (ISP), agreement with the ISP must be reached as to whether the addresses can be transferred. The advantage of transferring IP addresses is that the customer will not have to re-number all hosts on their local network.

    In the best interest of the customer, Pacific Bell Internet will only accept address transfers with a legitimate 18-bit network address prefix (subnet masks of 255.255.192.0) or less. Pacific Bell Internet may, on an individual case basis, agree to transfer address assignments with up to a 24-bit network address prefix (subnet masks of 255.255.255.0). However, customers requesting such transfers must understand the risk involved with such transfers.

    Specifically, other ISPs may drop these small network entries from their routing tables as their routing tables reach capacity. Neither Pacific Bell Internet nor the InterNIC can mandate that these routes be re-entered in other ISP routing tables. For this reason, transfers should be thoroughly and carefully evaluated by the customer. In order to begin the transfer process, written permission must be obtained by the customer from their previous ISP. These transfers may take up to 8 weeks.

    Previously Assigned Address to be replaced by a Pacific Bell Internet Allocated Address
    Dedicated access customers who have IP addresses from another ISP will be allocated a Pacific Bell Internet IP address block upon request. Pacific Bell Internet should be able to allocate an IP address out of its existing address block within two weeks. If your addressing requirements are very large or unique, they may have to be obtained directly from the InterNIC. This process could take eight weeks depending on how busy the InterNIC is at the time.

    It is recommended that customers who will be re-numbering their hosts to a Pacific Bell Internet allocated address work with their Pacific Bell Internet Dedicated Service Engineer to ensure that this transition is as smooth as possible.

    How Do I Register My Domain Name?

    Pacific Bell Internet will register domain names with the InterNIC on behalf of our dedicated access customers. Appendix A includes a survey to be completed by your network administrator so the appropriate information can be passed to the InterNIC in the appropriate format.

    There are a few important factors customers must know before they choose to register a domain. First, since domain names are typically provided on a first-come, first-served basis we cannot guarantee your desired domain name will be available. Second, those customers that choose to register a domain name zone must provide the following:

    Domain name zones must be registered in the appropriate suffix category. Table 1 provides a list of domain suffixes. The most common domain suffix, .COM, may take up to three weeks to register. .COM registrations also have an associated fee of $75 for initial two-year registration and $35 per year thereafter which will be billed to the customer.

    What If I Already Have A Registered Domain Name?

    If you already have a registered domain name, the InterNIC must still be notified that you have changed Internet Service Providers. Pacific Bell Internet recommends that you complete the customer survey in Appendix A so we can assist you in updating the InterNIC's records. If you have further questions or concerns on this issue contact your Dedicated Service Coordinator.

    Table 1 - Domain Name Suffix Options

    Suffix                     Recommended Use
    .COM                       For-profit commercial entities
    .EDU                       Universities (4-year degree granting)
    .GOV                       Federal government
    .MIL                       US military (DoD)
    .ORG                       Non-profit entities
    .NET                       Internet service provider
    .INT                       International charter
    .US                        Individual registrations
    .<local>.<state>.US        City or county
    .CI.<local>.<state>.US     City governments
    .CO.<local>.<state>.US     County governments
    .STATE.<state>.US          State governments
    .K12.<state>.US            Public K-12 schools
    .PVT.K12.<state>.US        Private K-12 schools
    .CC.<state>.US             Community colleges
    .TEC.<state>.US            Vocational/technical
    .LIB.<state>.US            Libraries
    .GEN.<state>.US            General/miscellaneous


    SECTION 4 - DEDICATED ACCESS ORDERING AND TIMELINES

    Pacific Bell Internet provides the very best service through its Dedicated Service Team approach. The Dedicated Service Team is available to dedicated access customers throughout the service installation process. Each installation is assigned a Dedicated Service Coordinator who is responsible for ensuring that the customer's service is installed as requested and on time. The Service Coordinator is also available to answer any service-related questions during the implementation process. Each installation is also assigned a Dedicated Service Engineer who is responsible for configuration of the Pacific Bell Internet hardware and software that will enable the customer to become part of Pacific Bell Internet. The Service Engineer is available to answer any technical questions the customer may have regarding their upcoming service.

    For each installation, a Customer Service Activation appointment will be scheduled by the Dedicated Service Coordinator. The purpose of this appointment is to verify installation and to ensure that the customer is able to properly exchange routing information with Pacific Bell Internet. Please note that Pacific Bell Internet considers your site successfully connected to the Internet when we can exchange routing information with your site and your site can reach remote sites on the Internet by IP address (not host name).

    If your site's Domain Name Service is not functioning at the time of the Service Activation appointment, but your site passes the Internet service installation verification tests, billing for the service will commence. If you are changing Internet Service Providers, we recommend that you do not discontinue your current service until your site has passed the Internet service installation verification tests. Please notify the Dedicated Service Engineer during your Service Activation appointment that you have an existing Internet connection.

    Appendix B is a checklist which will help ensure a smooth installation. The following table lists some typical configurations and their corresponding installation time frames.

    Configuration                                    Installation time frame
    Transport Service Only                           21 business days
    Transport Service and Domain Name Registration   Up to 8 weeks

    Pacific Bell Internet configurations requiring only a new transport service are typically installed in 21 business days, the standard installation interval for most Pacific Bell data transport services.


    SECTION 5 - INTERNET NETWORK SECURITY

    Since the Internet is not owned or administered by any one entity, it is impossible to ensure the credibility or integrity of its millions of users. For this reason, Pacific Bell Internet strongly urges its customers to understand that they are individually responsible for implementing the level of security that is appropriate for their specific situation. Pacific Bell Internet can refer customers requiring help in implementing network security to its sister subsidiary, Pacific Bell Network Integration, or to one of its Internet Partners.

    Security implementations are as unique as personalities; no one solution fits every situation. Some organizations are comfortable with security implemented at the Internet gateway, while others feel that security must be implemented everywhere: at the Internet gateway, on each host, etc. It is important to understand that security is inversely proportional to convenience; this means that the more levels of security a site implements, the less convenient it is for users.

    Just as there are many levels of security that can be implemented, there are many ways in which to implement these levels of security. Below is a description of a few of the most common Internet security implementation methods.

    Packet Filtering

    Packet filters are typically implemented on the routers connecting a site to the Internet. A filter is a set of criteria against which each IP packet sent or received on a particular interface is judged. If the packet meets the criteria, it is processed by the router. If the packet does not meet the criteria, it is discarded by the router.

    Since each IP packet has a source and destination address, it is possible to narrow down the set of other Internet sites that can connect to your network; however, since most Internet applications require two-way transmission, such filtering will also decrease the number of sites that your users can access.

    Along with a source and destination address, IP packets carrying the TCP and UDP protocols also contain a destination port number. The port number determines which Internet service the packet is accessing. For example, an IP packet with TCP port number 25 is destined for the Sendmail port, the standard SMTP mail port on a UNIX machine. Many sites choose to develop filter criteria based on the TCP port number and the structure of the packet itself. Such filtering is certainly more thorough than a simple source/destination address packet filter; however, it requires an in-depth understanding of TCP/IP.

    Finally, filters can be created based on the location of particular bits within each packet. Such filtering is quite valuable to those who have mastered the intricacies of TCP/IP.
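As an added illustration that is not part of this guide, the following Python models the kind of stateless filter described above on a router's Internet-facing interface, judging constructed packets by source address, destination address, protocol and destination port. The addresses, rule set and sample packets are all constructed; the "reply_from_blocked_site" sample shows the two-way caveat, since cutting off a remote site also drops that site's replies to your own users.

```python
"""Stateless packet filter of the kind the guide describes: each packet is
judged against a list of criteria on source address, destination address,
protocol and destination port. Rules are checked in order; the first
matching rule decides, and a packet matching no rule is discarded.
Addresses below are constructed from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str                     # source IP address
    dst: str                     # destination IP address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port (TCP/UDP only)


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "discard"
    src: IPv4Network                          # matching source addresses
    dst: IPv4Network                          # matching destination addresses
    proto: Optional[str] = None               # None matches any protocol
    dport: Optional[Tuple[int, int]] = None   # inclusive port range, None = any

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in self.src:
            return False
        if ip_address(p.dst) not in self.dst:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None:
            # A port criterion can only match TCP or UDP packets.
            if p.dport is None:
                return False
            lo, hi = self.dport
            if not lo <= p.dport <= hi:
                return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Return "permit" or "discard" for one packet (first match wins)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "discard"   # the packet met none of the criteria


# Constructed site: local LAN 192.0.2.0/24 with the SMTP mail host at
# 192.0.2.25; 203.0.113.0/24 is a remote site the administrator has chosen
# to cut off entirely; 198.51.100.0/24 stands for any other remote site.
ANY = ip_network("0.0.0.0/0")
LOCAL_NET = ip_network("192.0.2.0/24")
BLOCKED_SITE = ip_network("203.0.113.0/24")

# Criteria applied to packets arriving on the Internet-facing interface.
INBOUND_RULES = [
    # 1. Nothing from the blocked site, whatever it is addressed to.
    Rule("discard", BLOCKED_SITE, ANY),
    # 2. Anyone may deliver mail to the mail host on the SMTP port (TCP 25).
    Rule("permit", ANY, ip_network("192.0.2.25/32"), "tcp", (25, 25)),
    # 3. Replies to connections opened by local users arrive on high ports.
    #    A stateless filter cannot tell a reply from a fresh connection, so
    #    this rule also admits new connections aimed at those ports.
    Rule("permit", ANY, LOCAL_NET, "tcp", (1024, 65535)),
    # Anything else (telnet to a workstation, UDP, ICMP, ...) is discarded.
]


def inbound_decisions() -> List[Tuple[str, str]]:
    """Judge a few constructed inbound packets; returns (label, decision)."""
    samples = [
        ("smtp_to_mailhost", Packet("198.51.100.7", "192.0.2.25", "tcp", 25)),
        ("smtp_to_workstation", Packet("198.51.100.7", "192.0.2.10", "tcp", 25)),
        ("telnet_to_workstation", Packet("198.51.100.7", "192.0.2.10", "tcp", 23)),
        # A local user opened a connection to the blocked site from port 40000;
        # the reply is dropped by rule 1, so the user cannot reach that site.
        ("reply_from_blocked_site", Packet("203.0.113.5", "192.0.2.10", "tcp", 40000)),
        ("reply_from_other_site", Packet("198.51.100.7", "192.0.2.10", "tcp", 40000)),
        ("icmp_echo", Packet("198.51.100.7", "192.0.2.10", "icmp")),
    ]
    return [(label, filter_packet(INBOUND_RULES, pkt)) for label, pkt in samples]


if __name__ == "__main__":
    for label, decision in inbound_decisions():
        print(f"{label:26s} {decision}")
```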

    Application Level Firewall

    An application level firewall is considered by many to be a more complete security mechanism than packet filtering because it is more configurable. Application level firewalls utilize a host that runs application proxy software, such as a telnet proxy.

    These proxies support more detailed filtering criteria like destination, user, time of day, etc. Application proxies also allow for hiding the true internal IP address of the user's workstation. This may be important for those sites that are extremely concerned about security.

    One concern with application level firewalls is their performance, since the associated proxying tasks require additional computing time. Another concern with application level firewalls is that each client and server involved in proxying must be configured to do so–a time-consuming effort.

    Authentication

    For many organizations with Internet connectivity, authentication is one of the most important aspects of security. Employees frequently use the Internet for remote access to the corporate local network while at home or away on travel. For example, if an employee who has dial-up access to the Internet needs to access information on an office workstation, it is imperative that the identity of the user attempting to gain access is verified.

    The problem with the scenario described above is that most sites authenticate users through the use of a login ID and a re-usable password that is sent in clear text. There exists a possibility that when the employee attempts to access the office network through the Internet from home, a malicious person could tap the employee's home telephone line and record the entire remote login session. With this information, the malicious person could impersonate a legitimate user and gain access to the company resources, probably without being detected. For this reason, better authentication methods have been developed; a few are described below.

    One-Time Passwords

    The philosophy of one-time passwords is that it does not matter if both the login ID and password were "sniffed" since the password is valid only for one remote login session. One-time password authentication schemes require the user to use a login ID and a one-time password, and corporate systems to verify them. The one-time password is usually composed of a secret and a calculated portion. Both the user and the system must know which password is expected each time a remote login occurs.

    Since it is unrealistic for a user to memorize each of the successive calculated portions of the passwords, systems have been developed that precalculate the calculated portions of the passwords that can then be printed on a small sheet of paper that can be tucked into the user's wallet or purse. If this paper is stolen, it is not enough information by itself for an unauthorized user to gain access to the corporate system. The user's name, login ID and secret portion of the one-time password should NOT be written on this or any other paper.

    Software versions of one-time password schemes can be installed on portable computers so that the paper is not necessary. This assumes the user will only use that portable computer to gain remote access to the company. There are also electronic pocket calculator-like password generators that eliminate the need for the paper listing of one-time passwords. With these calculators, the user enters a secret password that is then used to calculate the one-time password. Again, the secret password, user name and login ID should not be written on the calculator. S/Key is one of the most commonly used one-time password schemes and is available free on the World Wide Web.
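    The following is an added example, not part of this guide, of the one-time password principle as a hash chain in the style of S/Key. It is simplified: SHA-256 stands in for S/Key's own hash and hex strings for its six-word encoding, and the secret and seed are constructed values. The server keeps only the top of the chain, which is why a password recorded from one session cannot be replayed.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_chain(secret: str, seed: str, n: int) -> list:
    """Return [h^1(s), h^2(s), ..., h^n(s)] as hex strings, where s = secret + seed.
    Entry n is stored on the server; entries n-1 down to 1 are the successive
    one-time passwords (the 'calculated portions' a user would print and carry)."""
    value = (secret + seed).encode()
    chain = []
    for _ in range(n):
        value = _h(value)
        chain.append(value.hex())
    return chain

class OtpServer:
    """Stores, per login ID, only the hash of the next expected password.
    Because h cannot be run backwards, a sniffed password h^k(s) gives an
    eavesdropper neither the secret nor the next password h^(k-1)(s)."""
    def __init__(self):
        self.users = {}   # login_id -> (remaining count, last accepted hash)

    def enroll(self, login_id: str, secret: str, seed: str, n: int) -> None:
        self.users[login_id] = (n, make_chain(secret, seed, n)[-1])

    def login(self, login_id: str, password_hex: str) -> bool:
        if login_id not in self.users:
            return False
        remaining, expected = self.users[login_id]
        if remaining <= 1:
            return False   # chain exhausted: the user must re-enrol with a new seed
        try:
            candidate = bytes.fromhex(password_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(_h(candidate).hex(), expected):
            return False
        # Advance the chain: the password just used becomes the stored value,
        # so presenting it again (a replay of the sniffed session) is refused.
        self.users[login_id] = (remaining - 1, password_hex)
        return True
```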

    Dynamic Passwords

    Dynamic password authentication schemes are similar to one-time password schemes in that if the login ID and dynamic password are sniffed, there would not be enough information to obtain unauthorized reentry. Dynamic passwords rely on the use of a token card. The token card continuously generates dynamic passwords that are displayed on an LCD screen. The dynamic password alone is not enough information for an unauthorized user to gain access to the local resources. The process requires the user to first enter a login ID, followed by a secret password, followed by the dynamic password displayed on the token card at that instant in time. Once again, the user's name, login ID, and secret password should NOT be written on the token card.

    The most popular dynamic password implementation to date is Security Dynamics' SecurID token card system. This system is not free of charge, but it does provide more convenient and greatly improved authentication compared with the traditional login ID and reusable, clear-text password method.
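    The following is an added sketch, not part of this guide and not any vendor's algorithm, of how a time-synchronised token card and its server can agree on the dynamic password: the card shows an HMAC of the current time step, and the server checks login ID, secret password and card code together. The card secret, the one-minute step and the one-step clock tolerance are assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumption: the card shows a new code each minute

def token_code(card_secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """What the card displays at time 'now' (seconds): an HMAC over the current
    time step, reduced to six decimal digits. Constructed scheme for illustration."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(card_secret, counter, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

class TokenServer:
    def __init__(self, skew_steps: int = 1):
        self.users = {}    # login_id -> (secret password, card secret)
        self.used = {}     # login_id -> last accepted time step (blocks replay)
        self.skew = skew_steps

    def enroll(self, login_id: str, password: str, card_secret: bytes) -> None:
        self.users[login_id] = (password, card_secret)
        self.used[login_id] = -1

    def login(self, login_id: str, password: str, code: str, now: int) -> bool:
        if login_id not in self.users:
            return False
        expected_password, card_secret = self.users[login_id]
        if not hmac.compare_digest(password, expected_password):
            return False   # the card code alone is never enough
        current = now // STEP_SECONDS
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.used[login_id]:
                continue   # a code from this step (or earlier) was already accepted
            if hmac.compare_digest(token_code(card_secret, step * STEP_SECONDS), code):
                self.used[login_id] = step
                return True
        return False
```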

    Encryption

    Encryption is a more intensive security mechanism than those described above. Encryption simply refers to the manipulation of a message resulting in a new message that is meaningless to anyone who does not know how to re-manipulate it to its original form. The practice of manipulating messages in this way is called cryptography.

    There are two types of cryptography: symmetric and asymmetric. The most popular implementation of symmetric cryptography is the Data Encryption Standard (DES). In DES the manipulation of the message is done with a single secret (private) key that is known only to those parties that need to manipulate the message.

    One of the major drawbacks of symmetric cryptography is that the private keys must be communicated prior to the data exchange and are vulnerable to being accessed by unauthorized users at that point. This may sound trivial, but in today's world of electronic information exchange, ensuring that a key is not compromised in transmission is very difficult. Even non-electronic channels, such as the US Postal Service, cannot guarantee that unauthorized eyes have not seen the key in transit.

    One of the advantages of symmetric cryptography is that the technology is available in hardware implementations. This makes the entire process of encrypting and decrypting messages much faster than those cryptography systems that are implemented in software.

    Asymmetric or "public key" cryptography systems operate with both a private and a public key. Messages are encrypted with the sender's private key, and decrypted with the sender's public key. Since a public key reverses only what its matching private key encrypted, the receiver can be certain that the message was generated by the person holding the private key that corresponds to the public key used to decrypt it.

    Public key cryptography can also be utilized to ensure that only the intended recipient can decrypt the message by first encrypting the message with the recipient's public key. Since only the recipient holds the corresponding private key, only the recipient will be able to decrypt and read the message.

    Public key cryptography was made feasible by the mathematical algorithm invented by three people: Rivest, Shamir, and Adleman. Their initials make up the most commonly used public key cryptographic implementation, RSA. Since public key cryptography is fairly new to the commercial market, it is not yet available in production quality hardware implementations. However, such implementations will likely become available in the near future.

    Public key systems do not require the sharing of a private key with others. A person's public key can be published or sent directly to those with whom that person wishes to share secure data. For this reason, as well as the fact that public key cryptography is considered by many to be more robust (when done properly) than symmetric cryptography, public key systems are becoming more and more popular.
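    The following is an added worked example, not part of this guide, of the two uses of a key pair described above, in textbook RSA with tiny constructed primes and no padding: sealing a message with the recipient's public key for confidentiality, and "encrypting" with the sender's private key for proof of origin, which is the principle behind a digital signature. The primes and the message value are constructed for illustration only.

```python
from math import gcd

def rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes. Returns (public, private),
    each as an (exponent, modulus) pair. The p and q used here are tiny
    constructed values; real moduli are hundreds of digits long."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse: e*d = 1 (mod phi)
    return (e, n), (d, n)

def rsa_apply(m: int, key) -> int:
    """One modular exponentiation; the same operation serves both directions."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be a non-negative integer below the modulus")
    return pow(m, exp, n)

# Use 1 (confidentiality): encrypt with the recipient's public key; only the
# holder of the matching private key can recover the message.
def seal_for(recipient_public, m: int) -> int:
    return rsa_apply(m, recipient_public)

def open_sealed(my_private, c: int) -> int:
    return rsa_apply(c, my_private)

# Use 2 (origin): "encrypt" with the sender's private key. Anyone holding the
# sender's public key can reverse it, and only that key reverses it, which is
# the principle behind a digital signature. (Production systems sign a hash of
# the message using padding such as PSS, and encrypt using padding such as OAEP;
# raw exponentiation as shown here is for illustrating the mathematics.)
def sign(sender_private, m: int) -> int:
    return rsa_apply(m, sender_private)

def verify(sender_public, sig: int) -> int:
    return rsa_apply(sig, sender_public)

def send(sender_private, recipient_public, m: int) -> int:
    """Sign first, then seal, so the recipient gets both secrecy and origin.
    Requires the sender's modulus to be smaller than the recipient's."""
    return seal_for(recipient_public, sign(sender_private, m))

def receive(my_private, sender_public, c: int) -> int:
    return verify(sender_public, open_sealed(my_private, c))
```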

    Application Encryption

    Finally, it should be noted that recently there have been promising developments in the area of application level encryption. The two primary examples are Netscape's Secure Sockets Layer (SSL) and Enterprise Integration Technologies and Terisa Systems' Secure HTTP (SHTTP).

    Both protocols utilize public key encryption to secure application sessions. SHTTP provides for encryption of only HTTP (World Wide Web) transactions, while SSL provides for encryption of HTTP, Telnet, FTP, and Usenet news. Currently, Netscape offers a secure Web server product, Commerce Server, that utilizes the SSL protocol. As commerce on the Internet becomes more popular, use of such tools will become essential.

    In Conclusion

    Many organizations find it appropriate to implement security at many levels: the network level, the host level, and the application level. It is important to fully understand the consequences of implementing and not implementing security in your network. If you feel that you need more assistance in this area, Pacific Bell Internet can refer you to selected integration partners who specialize in security and firewall construction.

    Product names mentioned herein may be service marks, trademarks, or registered trademarks of their respective companies.


    SECTION 6 - KEY CONTACT LIST

    To order new service 1-888-PBI-SALES
    To check the status of an existing order 1-800-833-2120
    To report trouble 1-800-463-8724


    APPENDIX A - ADDRESS AND DOMAIN REGISTRATION SURVEY

    We have provided the following survey to be completed by your network administrator. This is to ensure the appropriate information is passed to the InterNIC in the appropriate format.

    General Site Information:

    Network Specific Information:

    Domain Name Information:


    APPENDIX B - IMPLEMENTATION CHECKLIST

    The following list of tips is provided to help make your Dedicated Access Internet implementation as smooth as possible. If you have further questions, please contact us at 1-800-708-INET.

    Pacific Bell Internet strongly recommends that dedicated access customers verify that customer-provided network equipment, such as CSU/DSUs and routers, are preconfigured and have been tested (with local loop-back tests if possible) prior to the data transport circuit installation date. In addition, customers should have all other hardware and software related to their Internet service installed prior to the Service Activation date.

    Hardware

    Have you ordered your equipment? Router orders can take up to eight weeks for delivery.

    Software Applications

    Servers

    Hosts

    Address and Domain Name Registration

    Data Transport Service

    Have you verified that the designated point of contact is available on the day of circuit installation? (Installations are often delayed because the installation technician can't access the building or wiring closet.)


    APPENDIX C - HELPFUL RESOURCES

    CIDR Overview

    Establishing a Network News Feed

    Before we can establish a Network News/Usenet feed to your site, we need the following information:

    Before we can establish the feed, your machine needs to be up and running an appropriate daemon on port 119. Both DNS lookups of your fully qualified domain name and reverse lookups of your machine's IP address need to be working.

    Be warned that a full feed runs 3-4 gigabytes a day, 80% of which is in alt.binaries. You can look at our daily stats at:

    ftp://ftp.pbi.net/private/netnews/counts.Xxx
    (where Xxx = Sun, Mon, etc.)

    If you want a PULL feed, your server will be dnews.pbi.net and you will feed all new news articles to dnews.pbi.net.

    If you want a PUSH feed, you should allow all of the following to act as peer servers:

    And you will feed all new news articles to news.pbi.net.

    A copy of our active and newsgroups files is available at:

    If you have any additional questions about setting up your Pacific Bell Internet news feed, please contact news-admin@pbi.net.

    Pacific Bell Reference Documents

    The following Pacific Bell documents are available via a faxback system accessed at 1-800-704-4636 in Directory #4.

    DOCUMENT # TITLE
    148 FasTrak ATM/Cell Relay Overview
    151 FasTrak Frame Relay Overview
    175 FasTrak SMDS Overview

    Internet Engineering Task Force Requests For Comments

    The following documents are RFCs, the documents that define de facto standards for the Internet. They are available from various sources, including the Internet at: ftp://rs.internic.net

    RFC # TITLE
    791 Internet Protocol
    793 Transmission Control Protocol
    904 Exterior Gateway Protocol Formal Specification
    920 Domain Requirements
    974 Mail Routing and the Domain System
    1009 Requirements for Internet Gateways
    1055 Transmission of IP over Serial Lines
    1157 A Simple Network Management Protocol (SNMP)
    1209 The Transmission of IP Datagrams over the SMDS Service
    1213 Management Information Base for Network Management of TCP/IP Based Internets: MIB II
    1281 Guidelines for the Secure Operation of the Internet
    1332 Point-to-Point Protocol Control Protocol
    1334 Point-to-Point Protocol Authentication
    1403 BGP-OSPF Interaction
    1459 Internet Relay Chat Protocol
    1466 Guidelines for Management of IP Address Space
    1467 Status of CIDR Deployment in the Internet
    1477 IDPR as a Proposed Standard
    1478 An Architecture for Inter-Domain Policy Routing
    1492 An Access Control Protocol, Sometimes Called TACACS
    1518 An Architecture for IP Address Allocation with CIDR
    1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy
    1520 Exchanging Routing Information Across Provider Boundaries in the CIDR Environment
    1531 Dynamic Host Configuration Protocol


    GLOSSARY OF ACRONYMS

    bps: bits per second
    B8ZS: Binary 8 Zero Substitution
    CIDR: Classless Inter-Domain Routing
    CSU: Channel Service Unit
    DES: Data Encryption Standard
    DNS: Domain Name Service
    DSU: Data Service Unit
    FTP: File Transfer Protocol
    GUI: Graphical User Interface
    HTML: HyperText Markup Language
    HTTP: HyperText Transfer Protocol
    IANA: Internet Addressing and Numbering Authority
    INN: InterNetNews
    IP: Internet Protocol
    LCD: Liquid Crystal Display
    MX: Mail eXchange
    NAP: Network Access Point
    NIC: Network Interface Card
    NSI: Network Solutions Inc.
    PBNI: Pacific Bell Network Integration
    RAM: Random Access Memory
    RFC: Request for Comment
    RIP: Routing Information Protocol
    RSA: Rivest, Shamir, Adleman
    SHTTP: Secure HyperText Transfer Protocol
    SMDS: Switched Multimegabit Data Service
    SMTP: Simple Mail Transfer Protocol
    SSL: Secure Sockets Layer
    TCP: Transmission Control Protocol
    UDP: User Datagram Protocol
    WWW: World Wide Web


    Copyright © 1999 Pacific Bell Internet Services. All rights reserved.