Analysis of Company Network Models

Published Date: 28 Feb 2018

CHAPTER 1 ABSTRACT

The purpose of this exercise is to provide a detailed design document as per the requirements given in various formats by the Client NoBo Inc. The scope of this document includes at first explaining the requirements provided by the client, explaining the solution both from a top level view and detailed, also explained are the configuration steps, technologies used and scope of the future work and recommendations. We have used modular design approach for designing the network .The final outcome is a detailed document which will extensively assist in deploying and configuration stages of network for NoBo Designs.

CHAPTER 2 INTRODUCTION

2.1 AIM:

This project aims to analyse the various network models and design a network according to the client's requirements.

2.2 OBJECTIVES:

1. All the Cisco network models: Campus network, Hierarchical network, Enterprise edge model have been reviewed.
2. According to the client requirements the suitable network model has been identified and designed.
3. Proper selection of the devices (Routers, Switches, Computers, cables) has been made to meet the service requirements.
4. The cost for all the devices and equipments that are required has been estimated.
5. Centralised internet connection has been provided for the branch sites from their respective headquarters. This provides high control on the data between the sites.
6. IPsec is cond for data security while using the backup line when the main link goes down. Cisco IOS Firewall is also cond on the perimeter devices.
7. The designed network has been cond on the simulator and all its functioning has been tested.

2.3 DISSERTATION STRUCTURE:

1. CHAPTER 1: This chapter briefly discusses about the abstract of our project.
2. CHAPTER 2: This chapter briefly explains the introduction of our project topic, reviewing all the objectives and ends with the conclusions of each and individual chapter in our dissertation.
3. CHAPTER 3: This chapter explains the background of various network topologies, reviewing of all the concepts like routing, switching, IP addressing and ends with the discussion of the QOS, security issues.
4. CHAPTER 4: This chapter introduces the requirements of network design, implementation, testing and ends with the explanation of all configurations.
5. CHAPTER 5: This chapter briefly discusses about all the experimental results and ends with the analysis of the obtained results.
6. CHAPTER 6: This chapter discusses the entire evaluation of our project and ends with the introduction of conclusions.
7. CHAPTER 7: This chapter briefly discusses about the overall conclusions.
8. CHAPTER 8: This chapter provides the recommendations and future work in our present topic.

CHAPTER 3

LITERATURE REVIEW

3.1 Cisco Network Models:

Network models may change due to the implementation of different technologies which are applicable to us. But the goal of each model is finally same which is convergence and achieving service integration. There are 6 different geographies available in an end-end network architecture which is briefly discussed below: ( Inc., C. S. (Mar2009, Roberts, E. (8/28/95).

3.2 Cisco Hierarchical model:

It is an older model which is good for network scalability. The entire network is divided into 3 layers which are given below:

Access layer: These devices are generally developed entirely in a network for the purpose of providing clients access to the network. In general it has been done by the switch port access.

Distribution layer: In general, these devices are developed as aggregation points for access layer devices. These devices can be used for the dividing of workgroups or some other departments in the network environment. They can also provide WAN aggregation connectivity at various Cisco Network Models.

Core layer: These devices are designed for the purpose of fast switching of packets and they should provide the redundant otherwise it results in loss of degradation of service at the time of network congestion or link failures. Finally these devices help in carrying the entire network traffic from one end to the other end.

Finally this model provides good scalability and it supports the combination of SONA, other interactive services and these are applicable to any topology (LAN, WAN, MAN, VPN..) or other connectivity options which are applicable to us. The following diagram (3.1) shows us the Cisco Hierarchical model.

3.3 Campus Network Architecture:

In last 10 years it has been developed rapidly and the no of services supported in this model are more. The basic structure of this model is just an extension of the previous model. It supports the implementation of various technologies in this model like QOS, MPLS VPN, IPSEC VPN, and HSRP and so on. It provides the network access to campus wide resources and provides layer 2 switching; layer 3 switching at the Access and Distribution respectively.

Services in this model are switched from stateless to stateful and provide redundant devices to monitor all the events, connections in a network. Meeting of these requirements requires some changes in its basic model. The following (3.2) shows us the campus network architecture model.( Gilmer, B. (Nov2004)

It provides the combination, multi- service environment which gives the sharing and connectivity of all the users who are working at the remote, branch sites. It requires the combination of both hardware and software devices for providing the services and applications to all the clients in a network architecture. SONA architecture helps an enterprise model to extend its services to the remote site under the consideration of good service levels. Cisco Unified Communications, security and so on can be offered at all the branch sites to overcome the problems of inadequate connectivity. The following diagram (3.3) shows the branch network architecture.

It plays a major role in the deployment of any network. Now days, it is growing rapidly to implement more SONA functions. These additions of new functions like virtual servers, instant applications, dynamic change of network configurations and so on. Some resources will be added online to get the support of upcoming needs. This network architecture provides the info about on- demand services which provides dynamic network environment to all the users, consolidation of services while growing of various business applications provided by an adaptive network. Finally this network model reports more usage of our capital without any changes in its infrastructure.

In general it has been developed for the purpose of higher level security features in network architecture. It has been done by the support of several server farms having different functionality from DMZ (demilitarized zone) functions like DNS, FTP, HTTP, Telnet and so on for all the users (internal/ external) to share various applications and services among partners and to get the access of internet applications.

This network architecture is entirely different and it can make a new or it can break the all discussed Cisco versions. Based on the discussion of all the services like SONA, QOS, and transport services and so on which would mandatory in an end- end system? Based on the bandwidth requirements, their functions and providing QOS the WAN/ MAN has been designed. The functioning and geography plays a major role in deciding the method and speed connectivity's among various sites. The cost of total deployment of a network may vary and it is different from each other. If the connection exists between the sites is a traditional frame relay or if it is provided by a service provider. For example, by using MPLS this provides layer three connectivity between two ends. And it also varies by considering the distance between two sites. The convergence of various types of application over an IP network requires good connectivity, high security levels and providing of good services over the large WAN. The following fig (3.6) shows the WAN/ MAN architecture. (Israelsohn, J. (7/22/2004.)

In this approach the overall network design and implementation is discussed with the adequate background. Modular Design Approach:

The recipe for an efficient and robust network is to design the network taking into Consideration the various functionalities/requirement required by the network and placing that functionality into a module. Various modules might end up acting in independent physical devices or one physical device may contain all the modules, the idea is to visualize the various functionalities acting as independent unit. The part of the network which consists of hardware and configurations for the wide area networks is termed as the WAN module of the network. It should contain of the all routers, interfaces, cabling and configurations that belong to the Wide Area Networks. The module should be designed separate from the other modules. Similarly all the devices, interfaces and configurations that are involved in the virtual private network would be designed as one module.

Some aspects of the design for which there are no pointers in the design documents are also discussed in the detail design section with details of the relevant choices.

1) Performance: A network to its end user is as good as how his/her applications perform. Following are few metrics to for measuring network performance.

Responsiveness: The design should be such that it is par with the acceptable responsive time of all the business applications.

Throughput: The rate of traffic passing through a given point in the network, it can be calculated in multiples of bits per second or packets per second.

Utilization: utilization of resources is the most effective metric to calculate the congestion points in the network, aiding the network design to a great extent.

2) Availability: Network Availability is the key factor to a proper network design. Planning for continuous uptime is important for the business to carry out their activities without any interruptions. Following are a few points for availability:

Device Fault tolerance: All the devices installed in the network should be of quality and reliable. Where ever possible redundant ports, modules and devices should be installed.

Capacity Planning: A network design should consider adequate capacity planning, for example how many connections can a link handle in worst case scenarios.

Link Redundancy: As per the business requirement at least all the important links and internet connectivity should be redundant.

3) Scalability: All the network modules should be designed as such that they should cater for future requirements as well as today's needs.

Topology: The topology should be designed as such that it would require minimal configuration whenever any major or minor changes are required.

Addressing: The network addressing should allow routing with minimum resources. For example by using route summarization and proper ip addressing scheme which would have minimal impact or no impact on the existing networks or subnets and routing mechanisms. Local Area Network Module:

The local area network design primarily consists of dividing the various departmental requirements into logical network separations.

1. At all the sites will create individual virtual area networks for all the departments.
2. All the virtual area networks will use a class c /24 subnet mask, reason behind that is the IP addressing used for the internal networks is all private and hence no sub netting is required.
3. All the Vlans at all the sites are local Vlans which means that they do not extend across the wan pipes.
4. The departments at different sites might have similar names and functionality but its always recommended that the Vlans are kept to be local.
5. The Virtual are network will divide the whole LAN into virtual boundaries allowing for broadcast control and provide for access-control using access-lists.

A VLAN has been provisioned for the Server Network and wireless network at each site as well. The VLANS are local to the respective sites only and are class C /24 networks.DOT1q trunks have been placed between the layer 2 switches and the routers at each site. DHCP:

The DHCP is Dynamic Host Configuration Protocol provides automatic IP addresses

To the hosts on the TCP/Ip network [RFC 1531].It uses BOOTP known as bootstrap protocol. The DHCP server can be on the same or on a different network away from the host pcs. This is possible with the dhcp relay agent. When a client Pc boots, it searches for the server by sending broadcast packets on the network. When server gets theses broadcast packet it responds and sends a packet with an IP address to the client from the DHCP pool. The client can use the IP or can request for another IP instead. The client can hold this IP as according to the configuration in the DHCP server. The minimum duration for the client to hold the IP address is 8 days. After this period the clients has to make a new request for an IP address. This how , the DHCP usage in the network will reduce the intervention of the administrator from giving the IP addresses manually.

NAT:

For a Pc to connect to the internet and communicate with the other Pcs on the internet, it needs a public Ip address. One has to pay to have a public IP. It will be very expensive to have all Public IP addresses in a network. So, NAT provides a facility to convert the private IP address to the Public Ip which is on the interface of the device (router) that is directly connected to the internet via ISP. This saves money. Moreover it provides the additional security to the internal network

By using the one public address.

Following are the benefits that NAT provides:

1. Preservation of IP address
2. IP address and application privacy
3. Easy management Routing Module:

The routing module consists of the routing architecture at each site; it is the responsibility of the routers to forward packets to the correct destination. Routers by querying the routing table make the forwarding decision.

1) Static routes: At each site static routes have been placed at each head quarter sites. Static routes are the manual routes that are placed by the network administrator manually in the router and have to be taken out manually as well.

At the headquarter site the static routes point to far end headquarter site or to the vpn subnet.

2) Default routes have been placed at all sites, Default routes are treated by the routers as a catch all. If there are no specific routes towards a given destination, the default route will be picked up and the packet would be forwarded out of that interface to which the default route belongs.

Since the Internet has more than 100,000 routes , it would be infeasible to place all those routes into our routing table , so instead a default route has been placed at each headquarter to forward all the internet traffic towards the interface belonging to the ISP end. Since we are using the far end headquarter as back up to our internet connections at each site.

A special type of default route has been added in each headquarter, if the internet link goes down, the floating route will come into the routing table and the original route will disappear. The floating route is nothing but a default route with a higher administrative distance. This is a feature of Cisco IOS, it originally takes the route with the lower AD and places that into the routing table, if that route is lost it would place the second default route with the higher administrative distance.

3) Routing Information Protocol: Routing information protocol version 2 has been used to propagate the Subnet routing between the sites. RIP is a distance vector routing protocol which advertises its routing tables to its neighbours and has a hop count of 15 , since our network has only five sites at the moment, RIP has been used for routing between the networks , the RIP version2 is the recent version of the rip ipv4 and it can carry variable length subnet masks . The RIP is adequate for our requirement.

(http://www.ciscosystems.org/en/US/docs/internetworking/technology/handbook/Routing-Basics.html accessed on Dec 12 ,2009) RIP:

As said earlier Routing Information Protocol is the only widely used distance vector protocol. It propagates the full routing table out to all participating interface in every 30 seconds. RIP works very well in smaller networks, but it is not scalable for large networks having slow WAN links or on networks with more than 15 routers installed. RIP version only supports class full routing, which essentially means that all devices in the network must have the same subnet mask. The reason: RIP version 1 does not propagate with subnet mask information. RIP version 2 supports classless routing, which is also called prefix routing and does send subnet mask in the route updates. (Chin-Fu Kuo; Ai-Chun Pang; Sheng-Kun Chan (Jan2009,)

RIP Timers

RIP has 3 different timers which regulate the performance:

Route update timer: This timer sets the delay between the propagation of the full

Routing table to all the neighbours: this would be normally 30 seconds.

Route invalid timer If the router doesn't hear any updates for a particular router for 90 seconds it will declare that route invalid and will update all the neighbours to that the route has become invalid.

Route flush timer : After the route has become invalid , another timer starts which is normally 240 seconds ,if the router doesn't hear anything about the said route , it will flush the route out of its routing table and will update the neighbour that I am going to remove this route from my routing .

RIP Updates

RIP being a distance-vector algorithm propagates full routing tables to neighbouring routers. The neighbouring routers then add the received routing updates with their respective local routing table's entries to accomplish the topology map. This is called routing by rumor, In routing by rumour the peer believes the routing table of its neighbour blindly without doing any calculations itself.

Rip uses hop count as its metric and if it finds that multiple path share the same cost to a particular destination it will start load-balancing between those links, however there is no unequal cost path load balancing as there is possible in case of EIGRP. Rip can be troublesome in many ways:

Rip actually only sees the hop count as a true metric, it doesn't take care into consideration any other factors So if a network has two paths, the first only 1 hop away with 64 Kbps of bandwidth but a second path exists with 2 hops but each link having a bandwidth of 2 mbps , RIP will always prefer path no 1 because the hop count is less. Rip has a very crude metric and hence not a protocol of choice in many networks.

Since RIP by default is classless and is a true distance vector protocol, it also carries with itself same issues as presented by the distance vector routing protocols, fixes have been added to RIP to counterattack such problems.

Snort is an open source network based intrusion detection system, it can do traffic logging and intrusion detection analysis on the live traffic, snort is installed on a host and the interesting traffic is copied to it via the port mirroring or port spanning techniques, Snort can be also used inline on an Ethernet tap, it can work in conjunction with Ip tables to drop unwanted traffic.

Inter-site Routing: The routing protocol RIP version 2 will propagate routes among all the sites, each Vlan will be advertised as a network in the routing protocol. Switching:

The switches at each site carry all the virtual local area networks.

1) A DOT1q trunk has been placed between the switches and the routers at each site. The dot1q trunks carries all the Vlans from the switches to the routers, the routers act as the layer 3 gateway for all the Vlans present in the site, the layer 2 switches alone cannot act as the layer 3 gateways and hence they require some kind of layer 3 device.

2) All the other ports in the switches are either access ports or are trunks to other switches in the same sites. The access ports are the user ports, each access ports would belong to one or the other Vlans. The no of access ports in the building would decide the number and the model of the switches to be placed inside the access layer.

Vlan: By Default all the ports on a layer 2 switch belong to the same broadcast domain. The broadcast domains are segregated at the router level, however there are requirements to segregate the broadcast domains in campus switching environments, hence the virtual local area networks are used. The numbers of Vlans in a switch are equal to the number of broadcast domains, the ports on the switch which belongs to a particular Vlan belongs to a certain broadcast domain of that Vlan.

Devices in one Vlan cannot connect to other Vlans if there is no layer 3 connectivity provided.

Trunking:

Speaking of IEEE 802.1Q....

"There are two different trunking protocols in use on today's Cisco switches, ISL and IEEE 802.1Q, generally referred to as "dot1q". There are three main differences between the two. First, ISL is a Cisco-proprietary trunking protocol, where dot1q is the industry standard. (Those of you new to Cisco testing should get used to the phrases "Cisco-proprietary" and "industry standard".)

If you're working in a multivendor environment, ISL may not be a good choice. And even though ISL is Cisco's own trunking protocol, some Cisco switches run only dot1q.ISL also encapsulates the entire frame, increasing the network overhead. A Dot1q only place a header on the frame, and in some circumstances, doesn't even do that. There is much less overhead with dot1q as compared to ISL. That leads to the third major difference, the way the protocols work with the native Vlan.

The native Vlan is simply the default Vlan that switch ports are placed into if they are not expressly placed into another Vlan. On Cisco switches, the native Vlan is Vlan 1. (This can be changed.) If dot1q is running, frames that are going to be sent across the trunk line don't even have a header placed on them; the remote switch will assume that any frame that has no header is destined for the native Vlan.

The problem with ISL is that doesn't understand what a native Vlan is. Every single frame will be encapsulated, regardless of the Vlan it's destined for. Access ports:

An access port is a port which does not carry any Vlan information, the port which is cond as a an access port, on that port the switch takes off the Vlan information and passes the frame on to the end device, end device be it a pc or a printer or something else has no information passed about the Vlan.

A).routing:

The routing table in a router is populated mainly in 3 ways.

a) Connected routes: router places the networks belonging to all types of its live interfaces in the routing table such routes carry an administrative distance of 0 as they are most trusted routers, these routes are taken out of the routing table if the interface goes down.

b) Static routes are routes place manually by the router administrator and carry an administrative distance of 1, these routes are the second most trusted by the router after the connected routes, since these are being added by the administrator themselves

c) Third type of routes are installed by the routing protocols and carry administrative distances according to the type of the routing protocol. Wireless local area network Module:

A Vlan has been provided at each site which acts as a wireless network, the wireless Vlan connects to wireless access points which provides wireless connectivity to the users. Wireless access points are placed at each floor at all the sites, all the wireless access points will be of Cisco Linksys brands. The wireless access points at each site will be WIFI carrying all a, b or g standard. (O. Elkeelany , M. M. M., J. Qaddour & (5 Aug 2004)

The wireless networks will use WPA2 key security mechanisms to protect the network from unauthorised access and attacks. Proper placements of the wireless access points can be done after a physical inspection of the sites. If a barrier wall or something else obstructs the coverage of the wifi access points at a floor another wifi access point will be required at the same floor. IP Addressing Module:

WAN Ip addressing, all wan connections are point to point and use a /30 subnet mask

A /30 subnet only allows for two actual hosts which fits for the wan connections.

VLAN Ip addressing, all the Vlans including the wireless and the server Vlans are /24 networks

All the future Vlans should be /24 as well, this would help to limit the layer3 broadcasts to only 254 hosts, /24 is being used because our Vlans are all based on class c private addressing and there are adequate addresses in the same class for our future needs as well so there is no actual requirement to subnet any further, sub netting further would actually make the design complex without any real benefits.

The routers also have a trunk which comes from their respective site switches. The 1st valid address of the each Vlan belongs to the router acting as a gateway to the Vlans. These .1 addresses are required to be hardcoded inside the routers themselves.

The host addressing is taken care by the dhcp protocol, each router as its site will act as a dhcp server for all the Vlans present in the same site. The router acting as a dhcp server would provide gateway information to the hosts in each Vlan as well as the dns servers to be used and the domain information as well.

A separate list has been maintained for the hosts outside the dhcp scope, should there be a requirement that a host be provided a static Ip address, and the same Ip address should be added to the list of non dhcp addresses for each Vlan at each site. Server Farm Module:

A special virtual area network is in place at every site for a special purpose, this vlan only has servers placed in it, this Vlan acts as a DMZ at all sites. The servers at various sites are placed in separate Vlans to protect them from the broadcasts created by the users in the site as well as blocking unauthorised access. If the requirement arises that a server should also be placed in another Vlan at same time, either 2 network cards should be attached to the same server and each placed in the respective Vlan, if the server is required to be attached to more than 2 Vlans, then the server should carry a special network card which could build trunks with the 2960 switches. The speed and duplex modes on all the server ports should be manually cond by the network engineers as there are chances of duplex mismatch in the auto mode. Unauthorised access can be blocked into the server farm via using IP access-lists feature of the Cisco IOS.( Zhuo L , W. C., Lau FCM . (OCT 2003 ) Security Module:

This is the most important module of the network design, as its name suggests it would cater for the network security, following are the security measures in place for the network designs. An integrated Cisco IOS firewall protects the perimeter interface (internet connection) from attacks from the outside world at both the headquarter sites; IOS firewall uses stateful inspection for the protocols listed in the firewall itself. As advised earlier the access to the server Vlan at each site is also controlled by the use of IP access-lists, only authorized IPs/networks and that too only on specific ports are allowed to traverse the DMZ(DEMILITARIZED ZONE).

There are perimeter access-lists in place at the headquarter sites blocking most common and known attacks from the internet. The internet modules have been centrally designed to keep a tighter control and strict security. An additional measure of security can be placed at each site by adding an intrusion prevention system to each headquarter. A very effective intrusion detection engine is SNORT, being open source it can be installed in a very short period of time and is free. Further management Vlan can be secured by using port security and sticky Mac mechanisms.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.html

The Cisco IOS firewall is an EAL4 certified solution and is a stateful firewall, it is integrated into Cisco router IOS, IOS is the best available routing, security and VoIP software around, and integrating a stateful firewall produces an economical yet flexible solution. It is the ideal solution for small offices, branch offices and wherever the need arises for an embedded firewall solution. The Cisco IOS firewall can be turned on and off in the desired manner on the desired interface in the Cisco router

Cisco IOS firewall can be cond in basically two modes, Classic firewall also known as CBAC - control based access control or the new configuration technique which is called Zone based policy firewall. The later one is used wherever the network is required to be divided into various zones for example a DMZ zone. The later configuration methodology will be carried on in the future as it caters for the changing needs of networks.

WAN MODULE:

The Wan connectivity for the NoBo designs has been designed taking in consideration of the following characteristics

WAN connectivity:

Head -quarters: All the head Quarters have been has been connected via an International leased line from service provider. All the branch-offices are connected to their headquarters via leased lines as well via service provider.

Wide Area Network Back up

The internet connectivity at both the remote and client sites can be used as a backup in case the primary WAN link is down; a separate site-to-site vpn link will be required to be cond between the two sites. The site to site vpn will use the IPSEC framework which would be only used if the floating routes that are present in the Cisco routers start pointing towards the vpn links in case of the wan link outage.

This IPSec vpn back up link should be strictly used as a back up as the internet bandwidth is limited and the latency is high. Network Management mechanisms would notify everyone, if the primary wan link is down. If the requirement for the backup link for a branch site comes up, same methodology can be used, the branch can acquire its own internet connection and use it as a backup link to its respective head office. In that case changes in routing will also occur. IPSec:

IPSec is a protocol contains set of features that protect the data which traverses from one location point to another. The location itself defines the type of VPN. The location could be anything such as pc on the internet, a small regional office, a home office or any corp. headquarters.

A user on the go would always connect to a user to site vpn and all the others would be called a site to site vpn.

The IPSec protocol works on layer 3 and above, like tcp/udp header and data and does not protect any layer 2 frames, a different kind of protection mechanism has to be deployed for the same and also is possible only in the controlled network.

The encryption and IPSec are many times thought to be one and the same thing but they are different, IPSec is basically a suite of protocols and one of them does encryption.

Following are the features of the IPSEC protocol suite.

• Data confidentiality
• Data integrity
• Data origin authentication
• Anti-replay

Data Confidentiality: This means that the data is kept confidential between the IPSec end points. Since IPSec vpn are mostly used over the internet. Hence the data can be captured and used by hackers. Even the data between private networks is subject to being hacked, so internet is not the only unsecured place. Various encryption techniques and algorithms are used to scramble data which travels between two vpn sites. The encryption algorithms used in IPSec are not very easy if not impossible to break. IPSec process also involves the selection of the encryption algorithm and how to distribute the encryption keys to the respective parties. As stated above encryption is not a necessary feature of the IPSec protocol but it is on mostly at all times in all IPSec vpn connections.-

Data integrity guarantees that the payload was not tampered/ altered in the transit between the IPSec VPN endpoints .This feature itself does not do any kind of data confidentiality but it uses a hashing algorithm to ascertain if the data in the IP packet was changed between endpoints. Payloads that get tampered or changed are always dropped by the IPSec.

Data origin authentication deals with the source of the IPSec VPN packets. The feature is used by all the VPN endpoints to determine that weather the other end is genuine or not. Anti-replay is an optional IPSec feature which determines that that no data packets are duplicated within the vpn connection IPSec uses sequence numbers in the packets and a windowing mechanism on the receiver side. A comparison is done between the sequence number and the sliding windows to detect late packets and further these late packets are treated as duplicate packets and are dropped

As it has been discussed earlier that IPSec is a suite of protocols and these protocols are open standard, the reason behind it is because interoperability between various vendors is a necessarily. The IPSec protocols themselves never specify any particular type of authentication, encryption algorithms, key generation techniques, or security association (SA) mechanisms.

IPSec uses 3 main protocols which are as follows

• Internet Key Exchange
• Encapsulating Security Payload
• Authentication Header

IKE: Internet Key Exchange provides a framework for the negotiation / exchange of security Parameters and the authentication keys. An important point to consider is known there are many possible options which can be used between IPSec VPN endpoints.

What IKE essentially does is that its supports the exchange of this parameter or so called options. It secures the exchange.IKE also does the exchanging of keys which are used by the encryption algorithms of IPSec. The symmetrical algorithms are the most popular ones with in all the encryption algorithms used in the IPSec vpn. IKE phase provides the encryption and secure transfer of keys for the symmetrical algorithms.

ESP

Encapsulating Security Payload is the actual framework for providing the payload confidentiality, integrity, origin authentication, anti-replay features of the IPSec suite of protocols. ESP is the sole protocol of IPSec which caters for data encryption, although it can also do all of the IPSec features

As ESP is used in today's IPSec vpn commonly following are the encryption algorithms which are used.

• Data Encryption Standard: This standard although outdated. But is commonly used and is hack able.
• Triple Data Encryption Standard: This is block cipher using DES three times. This still holds good
• Advanced Encryption Standard: This is also one of the most widely used encryption algorithms today

AH

Authentication header is not commonly used these days as ESP is most widely used, the reason. Ah does not provide any data confidentiality which ESP provides but AH just provides a framework for doing data integrity, origin authentication and anti-replay functionality. AH uses a Hash-based Message Authentication Code (HMAC) as the authentication and integrity check mechanisms. IPSec Modes:

The cover of protection offered by IPSec to the Ip packet is defined in 2 different modes. In the IPSec packet, an IPSec header follows the Ip header and it also has an Ip protocol number, so what it essentially means that all the IPSec features work after the Ip protocol layer header. Following are two IPSec modes: tunnel mode and transport mode

When the original Ip header is kept and an IPSec header is added after it, it is called the transport mode, since IPSec only plays the role at the transport layer, the original Ip header is unprotected from the attacker. The data and the upper layers are protected by the IPSec protocol; in this case the payload is safe but the Ip headers can be seen by anyone in the untrusted network.

The second mode is known as the tunnel mode, the original Ip header details are also protected, the same thing is done for the payload as well, A new ip header is created in this mode, the Ip addresses displayed in this mode are of the tunnel endpoints and not the device Ip addresses that are behind the tunnel endpoints. The second mode is more safer as it hides the end to end communication happening , giving less chance to a packet hacker to ascertain the right packet, if they need to know the end to end packet information , they will need to hack the packet header first and then the payload. Virtual private networks Module:

The virtual private area networks allow the remote users to login to the network in a secure fashion. The Cisco internet routers will function as VPN routers as well; the static public address provided by the ISPs at each headquarters will be used at vpn gateway addresses. The remote users can login into any of the 2 headquarters and can reach the desired servers. ( Bolla*, R. B., Roberto, Davoli, Franco . (06 Jun 2006)

1. The pcs at remote locations will be treated as an extension to the network.
2. The users will use the Cisco vpn client on their windows Mac or Linux pcs to connect to the vpn gateway.
3. IPSec is the suite/framework of the open standard protocols which provide data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer.
4. Internet Key Exchange is used to handle negotiation of protocols and algorithms as per policy and it generates the encryption and authentication keys to be used by IPSec.
5. IPSec happens in the second phase and is used to protect data flows between 2 remote hosts across the internet.

What is encryption?

"Encryption is the transformation of plain text into a form that makes the original text incomprehensible to an unauthorized recipient that does not hold a matching key to decode or decrypt the encrypted message."

Decryption is the reverse of encryption; it is the transformation of encrypted data back into plain text. Encryption techniques are as old as history in fact, Julius Cesar apparently did not trust his messengers and therefore encrypted his military messages to his generals with a simple encryption scheme; he replaced every A by D, every B by E, and so on. Only someone who knew the key (to shift each alphabetical letter by three, in this case) would be able to decrypt the message.

Following are the encryption and hashing algorithms used by the IPSec.

AES stands for Advanced Encryption Standard. A cryptographic algorithm which protects information. . AES is more secure than DES: AES has a larger key size than DES; it ensures that the only known approach for message decryption is to try all possible keys. AES has variable length keys 128, 192 or 256-bit key.

DES: Data Encryption Standard is another encryption algorithm, an old one. A newer version of the same protocol is Triple DES encryption; Triple DES has stronger encryption than its counterpart DES and is used by data to traverse the un trusted networks utilizing network layer encryption schemes.

MD5 is message digest algorithm and is a hash algorithm. HMAC is a keyed hash variant used for data authentication.

AH: Authentication Header is a security protocol used for data authentication and also anti replay services. AH embedded itself in the data to be protected for example an IP datagram to be protected

ESP: Encapsulating Security Payload. Provides data privacy, data authentication, and anti replay services. ESP encapsulates the data which needs to be protected.

The vpn connections at the NoBo designs will use pres hared keys, these key will be generated by using complex key generation software's so they are nearly impossible to guess. Quality of service module:

For a converged network this module should be designed carefully.

The entire network traffic has been divided into four classes.

1. Real time traffic (Voice and Video Traffic)
2. Application traffic (all the app servers)
3. VPN traffic
4. Internet traffic

Currently Auto Qos is being used for simplicity to provide priority to the voice and video traffic.

In the auto Qos mechanism the Cisco router uses NBAR mechanism to inspect traffic.

In case of the manual Qos policy, the traffic should be marked accordingly at the edges, i.e., at the entry point of the traffic. The manual Qos policy should be applied in the phase 2 of the network design. Once the network is operational, the various traffic flows can be measured and the appropriate queuing techniques can be applied.( A, M. (NOV 2005 )

(http://www1.cisco.com/en/US/docs/internetworking/technology/handbook/QoS.html#wp1024961 accessed on Nov 29 ,2009)

The QOS policy will be enforced with priority queuing technique over the wan pipes. The classification of the traffic is as follows.

VOIP and VIDEO traffic - highest priority

Application Traffic/Mission critical - Second high

Internet (backup) - International leased line - No priority at all. Internet Module:

Every site in an enterprise network model requires internet connectivity. The design of the internet connectivity in an enterprise model is redundant and centralized.

The remote and the client head quarters carry 2 high speed fibre connections to internet service providers at their respective locations, all the other sites present in the respective countries connect to their respective head offices for connection to internet via the wide area network pipes.

Following are the benefits for keeping the internet connectivity centralized

1) Internal Access control : As the company grows more and more branch offices would be added to the company, keeping a check and access control would become more and more difficult , if the users connect to the internet via centralized points, it's easier to implement control.

2) Centralization: More Protection from threats and attacks from the internet, keeping net connectivity centralized would make the security easier and centralized.

3) Low Cost: Hardware and Administration costs for the internet will also be lowered with this centralized design.

Internet redundancy: The 2 head quarters are playing as backups for each other internet connections, for example if the internet link goes down at the client end , Routing mechanisms have been placed that the internet users from the client and its branch will be automatically switched to the remote site internet connection.

In case the internet link on each site is up and there is a routing issue/packet loss with one of the internet service providers, a provision can be made using Cisco's IP SLA service to track the connection and switch the users to the other head quarters in case of any problems. Internet Bandwidth considerations:

The Bandwidth at both the headquarters can be decided with the following inputs.

1) Estimation of the usage by all the employees varies from company to company, depending on the type of activity.

2) Consideration of the fact that each link will be used as a backup for the other headquarter in case of an outage at the other end

3) The fact that each internet connection is also providing the remote user virtual private network connectivity as well, on the same token, if the Internet connectivity is broken on the far end headquarter the site will have to become the internet entry point for the users of the other continent.( Santitoro, R. (Apr2007,). Internet connectivity:

The headquarters are connected to the internet via internet service provider. A separate leased line has been provisioned for the same.

All the branch sites with their respective WAN pipes are connected to the internet via their headquarters.

Internet Backup: The two headquarters will use each other as backups for their internet connections via the International leased line using STATIC FLOATING DEFAULT ROUTES. The first static default route will be placed to the ISP and second default route will be placed towards the International leased line from both sides with higher administrative distance. Remote and home users:

The remote and home users can connect securely to the internal networks via using the USER IPSEC VPN through the respective headquarters. The user IPSec vpn will be deployed such that if the server Internet service is down the remote and home users can still connect to the branch vpn connection and get to their respective servers. VOIP:

A separate voice Vlan can be cond for the VOIP and video traffic at each site. Telephony services will be cond to facilitate VoIP calling. Dial-peers are used to route the voice calls to the destination. These dial-peers are similar to the static routes. These routes identify the destination peer by using session target. VIDEO CONFERENCE:

All the video traffic should be marked and classified at the source, that is on the access port of the switch from where it originates. After the video traffic has been marked , on the wan connection between the NY and London , it should be properly qos, the policies applied to the voice traffic which is also a type of real time traffic can be applied to video as well. The Qos for the video traffic should be a part of the qos policy formed for the NoBo designs.

The video conferencing devices will be connected to the respective switch at each site. The details about the opposite video conferencing devicemust be entered in both the devices. The video traffic will be identified on the switch and will be marked accordingly once the video traffic goes to the wan router it will be queued according to the qos policy. Project Equipment Cost:

1. Personal Computers: HP Pavilion Slim line s5211 each £369.32

2. Cisco 2960 switch 10/100 T 48-port £ 833/- each

3. Cisco 3560E -10/100/1000-48 ports-£7783 each

4. Cisco 2811 Router: £1,824.24/- each

5. Linksys Cisco WRT54G wireless router £59.99

6. Cat5e (305M) enhanced cable-£25 Video Conferencing:

Polycom QDX 6000 Video conferencing kit from is suggested for video conferencing. It is the most widely used device for corporate video conferencing. It is as reliable as Cisco versions and available for cheaper price: £2,703/-. Sony PCS will be used and it costs: £1,910/-

The site- site leased line prices for different service providers are given in general in the above table from the web sources.

Limitation: It was not possible to get the exact cost for the leased lines and backup lines, as the information is not open for everyone.

INTERNET SERVICE PROVIDER (ISP):

The ISP BTnet is chosen for the leased line among the sites located in up and Eclipse internet is chosen for the backup line. AT&T is chosen for the leased line for the sites in America and Level-3 is chosen for the backup. BTnet can provide various Bandwidths (2, 4, 10 Mbps..,) of leased lines. For the proposed network about 10 Mbps approximately bandwidth is suggestible.

Chapter 4: PRACTICAL WORK

4.1- INTRODUCTION:

This document presents a detailed plans, designs as well as configurations for our Client NoBo Designs. Recently they have acquired five locations which are spread over Europe and the Americas, All the networks are acting independently of each other. The Primary goal of this exercise is to plan design and con all five sites as such that they act as an integrated network with users from one site being able to connect the services on the other sites. Further the network design should also provide for Local area networks and virtual private networks for the remote users as well Ip addressing design etc. The solution should also consider the VOIP and security requirements.

QUESTIONNAIRE:

1. What is the main purpose of the network?

2. What kind of servers (file servers, web servers, application servers, etc..) will be used to provide service to the users. Servers that are to be used are centralised or distributed.

3. Where the users located are, are they any physically separated sites?

4. How many numbers of users at each site?

5. What is the type of connectivity between each site?

6. Does the network require any internet? If yes is that a leased line, broadband, or a dial-up connection?

7. What is the networking communication protocol?(Ethernet , token ring )

8. Which protocol is used to provide security for a network?

9. Select an ISP provider by considering service, uptime/down time, and band width.

10. Do you need any back up internet connection?

11. Does the network require any firewalls?

12. What are the public and private IP addresses to be used (public addresses will be given by ISP).

13. Does the network requires NAT (network address translation) service and/or DHCP (dynamic host configuration protocol) .

14. What type of routers, switches, and firewalls are used .

15. Does the above mentioned devices need any security (privileged mode, global privileged mode) to avoid unauthorised user access .

16. Does the network need QOS (quality of service) implementation?

17. Does the network require any monitoring tools?

18. What is the budget for the network that is to be designed?

4.2-Design requirements

NoBo Designs have the following specific challenges.

• NoBo Designs is required to provide dedicated connections between all the five sites spread Across USA and Britain.
• All the sites should have continuous internet connectivity.
• The ip addressing scheme for all the sites as well as wide area network connections also needs to be designed.
• NoBo designs has different departments at each site, the ip addressing should flawlessly assimilate to provide adequate addressing as well as there should be logical separation at the same time.
• A separate subnet/network should be provided at each site for the servers , this subnet would act as an internal dmz.
• Provision required for remote connectivity at all five sites.
• Provision required for VoIP and video traffic between the two head offices.
• A wireless (wifi) network should be present at each site for wireless users.

4.4-Network design -Detailed work:

The network design has been divided into modules as earlier stated; this concept is same as designing an enterprise network where overall network is divided into different modules as per functionality basis. Later the configuration of the devices is also explained in detail.

4.5-HARDWARE:

The Routers and switches used in the NoBo Design are from Cisco systems. The Wireless routers used at all the sites are from Linksys Cisco. The model of the routers is Cisco 2811 along with the following hardware and the software features.

Hardware at London

At the London head office the Cisco 2811 series router should have 1 serial (e1) interface to connect to the service provider for international link to the NY head office. For the link between the London and New York please be aware that the link types used at both sides are different in Americas its T1 standard and in Europe its E1 standard. when ordering the channels

• One Serial (e1) interface connected to the Edinburgh site.
• One serial (e1) interface connected to the Manchester site.
• One Fast Ethernet or Gigabit link connected to the London Switch. This link would carry the trunk.
• One Fast Ethernet connected to the fibre link terminator from the ISP providing the internet connection.
• It would be a good idea to keep 1 extra port of each type for the purpose of redundancy and scalability.

The reason for choosing the 2800 series router: NoBo is a small business, the Cisco 2800 series router are the perfect fit to merge the vpn, internet and wan modules into one device to keep the costs lower and to keep the design simple.

The IOS version chosen should be such that it supports IPSec VPNS and IOS firewall and DOT1q trunking as well.

Switches: The model of the switches to be used at the London site is Cisco 2960 with 48 ports. At least 4 switches of series 2960 should be purchased and installed.

Reason for choosing 2960 switches: All the features of an access layer switch are present.

Further Cisco contracts for replacements and warranties should be bought.

Hardware at New York site:

The hardware at the New York site is very similar to the London site.

Router 1: 2811 Cisco series with

1 serial port for the London site

1 serial port for the Sacramento site

1 Fast Ethernet or Gigabit link connected to the NY Switch. This link would carry the trunk.

1 Fast Ethernet to connect to the fibre link terminator from the ISP providing the internet connection

Switches: 2 Cisco 2960 switches.

All the other hardware considerations are the same as explained in the London site.

Hardware at the Edinburgh site:

Router 1: 2811 Cisco series with

1 serial port for the London site

1 Fast Ethernet or Gigabit link connected to the Edinburgh Switch. This link would carry the trunk.

Switches: 2 Cisco 2960 switches.

Hardware at the Manchester site:

Router 1: 2811 Cisco series with

1 serial port for the London site

1 Fast Ethernet or Gigabit link connected to the Manchester Switch. This link would carry the trunk.

Switches:2 Cisco 2960 switches.

Hardware at the Sacramento site:

Router 1: 2811 Cisco series with

1 serial port for the NY site

1 Fast Ethernet or Gigabit link connected to the Sacramento Switch. This link would carry the trunk.

Switches: 2 Cisco 2960 switches.

For wireless, at each of the site depending on the number of the floors, Linksys cisco wrt54g routers should be placed.

BANDWIDTH:

The first and foremost metric is the bandwidth, how much bandwidth is required to support all users and applications, let's take it link by link.

The overseas link between the London site and the New York site requirement are as follows:

London has 4 servers with proprietary software:

LONADMIN -London Administration Server

LONTECH - London Technical Server;LONFIN - London Finance Server

FLOOR

Offices

Number of Users

Access / Server

1

Administration

18

Internet, LONADMIN

2

Personnel

18

Internet, LONADMIN

3

Technical Design

40

Internet,Wireless,LONTECH

4

Finance and Sales

15

LONFIN

5

International Sales and Help

10

LONFIN, NYFIN

6

Management

8

Wireless, Internet, LONADMIN, LONFIN and NYFIN

The London site has 109 users, the users use the internet and some of them use the wan connection as well. There are 18 users at the London site who connect to the NY financial server, now once the actual protocol used by NY fin server can be known, the number of users can be multiplied with the bandwidth used by one user instance of the finance application . This will provide us the first leg of the bandwidth required for the connection between the London and New York site.

(a) Bandwidth of one instance of NY finance server application *18

Similarly when the two Britain branch offices i.e. Manchester and Edinburgh users want to connect to the NY finance, there number should be multiplied with the one instance of the application.

At Manchester there are 2 users which connect to the New York head office admin servers.

One instance of bandwidth used by the NY admin application should be multiplied with the number of users; this would provide us the second part of the bandwidth requirement (b).

(b) Bandwidth of one instance of NY admin server application *2

New York Site

New York has 4 servers with proprietary software: NYADMIN -London Administration Server

NYNFIN -New York Finance Server

FLOOR

Offices

Number of Users

Access / Server

1

Administration

18

Internet, LONADMIN, NYADMIN, SACADMIN

2

Personnel

4

Internet, LONADMIN, SACADMIN

3

Finance and Sales

40

Internet, Wireless, LONFIN, NYFIN

4

International Sales and Help

8

LONFIN, NYFIN, NYADMIN, LONADMIN,

5

Management

LONFIN, NYFIN, NYADMIN, LONADMIN

At the New York site, there are 78 users and all of them connect to the London Head office servers. Following are the calculation of the bandwidth used by all of these users.

(c)Administration: 18 users multiplied by the 1 instance of the London administration application.

(d)Personnel: 4 users multiplied by the 1 instance of the London administration application.

(e)Finance and sales: 40 users multiplied by the 1 instance of the London finance application.

(f)International sales and help: 8 users * one instance of London finance app, 8 users * one instance of London administration app.

(g)Management: 8 users * one instance of London finance app, 8 users * one instance of London administration app.

The Sacramento site also piggy backs the NY-London link to reach London and Manchester servers from NY.

(h)Management: 50 users * one instance of London Technical app, 50 users * one instance of Manchester technical app.

The NY-London link is also acting as up a back up to the internet connection at the head offices

(i)The amount of bandwidth which can be dedicated to the backup internet link should be taken into consideration over here.

(j) The NY-London link would be also used as a back up to the remote user virtual private networks the number of back up vpn should be established and relevant bandwidth should be provided, if the company policy is to use the internet bandwidth as a superset of the vpn bandwidth, then at least the vpn bandwidth should be Qos, i.e. the internet will be given the last priority.

(k) The bandwidth consideration for the VoIP and video connections should also be added to the bandwidth required for VoIP and video calls can be calculated by using the following method. Calculate the maximum number of VoIP and video calls which can happen at a given time using erlangs. There are several web calculators for VoIP and video.

The total bandwidth required for the NY-London Link can be calculated by adding all the elements from (a) to (k). The remote office will use the link to their respective geographic head offices for the internet connections as well as the application connectivity and the remote users will also traverse the same link to reach the respective servers at these branch offices. Following is the calculation of the bandwidth required at each branch site.

Provision for the bandwidth used by vpn users at each site can be calculated by estimating the number of simultaneous vpn connections allowed at each site. As of now each vpn connection bandwidth can be taken from the internet bandwidth available by using quality of service mechanisms.

Manchester: one instance = bandwidth for one app instance in each direction.

Manchester has 3 servers with proprietary software: MANADMIN -Manchester Administration Server

MANTECH -Manchester Technical Server: MANFIN -Manchester Finance Server

FLOOR

Number of Users

Access / Server

1

Administration

Personnel

Management

6

2

2

Internet access, MANADMIN, LONADMIN,NYADMIN,NYFIN

Managers require Wireless / INTERNET, MANADMIN, LONADMIN, LONFIN

2

Technical Design

16

Wireless, Internet, MANTECH and LONTECH

3

Technical Design

14

Wireless, Internet, MANTECH and LONTECH

Personnel: 2 users * one instance of London administration app.

Management: 2 users * one instance of NY administration app

2 users * one instance of NY finance app

2 users * one instance of London administration app.

2 users * one instance of London finance app.

Tech design: 30 users *one instance of London technical application.

Edinburgh users: 24* one instance of Manchester Financial application.

Edinburgh users: 12* one instance of Manchester Administration application.

Provision for internet site company policy.

Edinburgh: one instance = bandwidth for one application instance in each direction.

Edinburgh has 2 servers with proprietary software: EDADMIN -Edinburgh Administration Server

EDFIN -Edinburgh Finance Server

FLOOR

Offices

Number of Users

Access / Server

1

Administration

Personnel

Management

6

3

3

Internet access, EDADMIN, LONADMIN

Managers require Wireless / INTERNET, MANADMIN, LONADMIN, LONFIN, MANFIN

2

Sales

12

Wireless / Internet, EDFIN, MANFIN, LONFIN

12 users * one instance of London finance app.

12 users * one instance of London administration app.

24* one instance of Manchester Financial application.

12* one instance of Manchester Administration application

Provision for the internet and vpn traffic - site/company policy.

Sacramento: one instance = bandwidth for one application instance in each direction.

Sacramento has 2 servers with proprietary software: SACADMIN -Sacramento Administration Server

SACTECH -Sacramento Technical Server

FLOOR

Offices

Number of Users

Access / Server

1

Administration

Personnel

Technical Design

10

2

50

SACADMIN

Internet / NYADMIN

Wireless, Internet, SACTECH, MANTECH, LONTECH

2 users * one instance of Sacramento administration app.

50* one instance of Manchester technical application.

50* one instance of London Technical application

Provision for internet and vpn traffic - site/company policy. GNS3:

The designed network was implemented on GNS3 network simulator. This software allows to use only routing devices that has to be cond. It still gives the same results when implemented on the real network. The configuration of switches was also included with the explanation in the next following section. 4.6-Explanation of the configuration:

Each router in the NoBo has some common configurations, there for each instance of the configuration is just explained once.

Service timestamps debug date time msec

This command enables to print time stamp in the debug printed by the users, it prints date time and msec.

Service timestamps log date time msec

This command enables to add time stamp in all the logs, it prints date time and milliseconds.

Whenever troubleshooting the devices , we would need the exact date time and milliseconds of an event to analyze the occurrence of the events , its more