Design, Implementation, And Evaluation Of VPN Business Sites: A Case Study

Questions:

SMSD is major School districts. It will be decided to launch the digital learning initiative. The digital learning initiative will be helpful for students and teachers. It allows the students and teachers to transform the information. The sixth grade students get the information through the iPad and the twelfth grade students get the information through the MacBook Air computers. The teachers get the information through both iPad and MacBook Air computers. The security problem will be appeared in the digital learning. It is very complex .To avoid the security problem, SMSD  decided to provide firewall authentication in the digital learning. The process of firewall authentication will be done by the ELA (Enterprise License Agreement) with cisco.it will be provide solution for collaboration also. Three tools will be used to avoid the collaboration. The tools are Cisco collaboration meeting tool, Cisco WebEx and cisco spark. It reduced the security managing problem and complexity. VPN allows the end users to connect securely to the remote network via servers run by VPN providers. Since the data is fully encrypted the data cannot be hacked and misused by man in the middle. The privasy of the users can be hidden while using VPN. Censorships can be evaded. Many services may not be available to few countries. VPN allows them to access those services too. When using public Wifi hotspot , the devices can be protected from hackers. P2P downloads can be done very safely.

Security Objectives

• Highly secured and highly available network
• High quality of video and data transfer between teachers and students
• Optimized network security that provided well secured voice and data applications
• For better information security traffic isolation should be there
• Secured tunneling like GRE with MPLS
• Scalable network to take care of future expansion

Business Objectives

• A secured network infrastructure that supports voice , video and data traffic
• Good isolation between teachers and students
• Good network connectivity between teachers and students
• Capability to expand the IT infrastructure

The network for Shawnee Mission School District (SMSD) is planned in such a manner that full security is provided to the network. It is a big network that remains as home to 27,500 students. It has 5 high schools, one alternative high school, five middle schools and 33 elementary schools. The district is planning to launch well maintained digital learning platforms. The district has planned to launch 30,000 new devices and that devices has to be linked in a secure network. Secure network in the sense it should be away from the hackers [1]. That is the network has to be designed in a manner that provides security to the network that help the students to execute the studying tasks painlessly. The district also planned to use CISCO’s licensed Identity Service Engine. The school Network’s sample diagram has been designed using Cisco packet tracer. The sample diagram has 3 routers, two switches and 2 PC clients. The number of routers, switches and clients can be extended. As this is a macro level project, it is able to provide only the minimum number of devices. The security is specified as a important feature in the network planning and hence more security layers are attached.

It controls the communication between authenticated user and unauthorized user. It provides the security for the user’s network. It is one type of network security. It provides the permission for accessing the network in the secured network [2]. The firewall is implemented as a hardware and software.one could built the firewall as both hardware and software.

Answers:

Basic types of firewall

1. Proxys firewall
2. packet filters
3. Stateful inspection firewall.

The gate way is used to connect two different protocols for connecting two networks. It is one of the network nodes. The router is gateway to connect the home network to the internet [3].

1. Cloud storage gateway
2. API,SOA gateway
3. Email security gateway
4. VoIP trunk gateway
5. Amazon API gateway
6. media gateway

Switch is a high speed device.it is used to send and receive the data. It is Ethernet based one. It is more all as similar to router and hub.

Types of switch

1. LAN switch
2. Routers
3. Managed switch
4. Unmanaged network switches.

LAN stands for Local Area network. It is one type of computer network.it covers only small region [4]. It works based on the Ethernet. One could build LAN for small region, like home, schools etc.

1. It is used for share the information among the workers and collaborators.
2. It is used to share software licences.so it saves the cost.
3. It is used to share high cost hardware.

Webserver is used for delivering the web pages. By installing the server software and connecting the system to the internet, one could made any computer as a webserver. By retransmit the HTML files in the HTTP connection, one could create the website with the help of webserver [5]. Web server will be having one or multiple IP Addresses. It will be hosting many domains.

Types of webserver

1. Nginx Web server
2. Light speed web server
3. Apache web server
4. IIS web server

Some features of webserver

1. Server side  scripting
2. virtual hosting
3. Bandwidth throttling
4. Support for large files.

Benefits of webserver

1. Easy to manage the applications
2. uptime guarantee
3. Hassle-free deployment and installation.
4. Round the clock support.

Router is one type of networking device. Router connects many different networks. The pockets reach the router. The router reads the source and destination IP addresses of the pocket and guides it to the next router. The traffic directing functions is performed at the internet by router. It transfers the data packets between the computer networks [6].

1. Virtual router
2. Edge router
3. wired router
4. Wireless router
5. Broadband router
6. Inter provider border router
7. subscribe edge router

First layer-Firewall – This firewall is mainly used to provide the security [7].  To safeguard the network Firewall is set to protect it.

Second layer-VPN – To enable the license of security technology package in order to complete the activity.

Third layer-IPS- it can able to encapsulate the traffic in a single device.

Fourth layer-SSH- this is can also provide the security shell for the network.

CCP is nothing but the Cisco Configuration Protocol. CCP is a tool created to operate under the windows operating system. It is a tool designed for device management. Router can be efficiently configured using CCP [8].

Requirements

1. 3 routers
2. 2 switches
3. PC-1: Windows XP, Vista, or Windows 7
4. Serial and Ethernet cables
5. Rollover cables

Basic Network Device configurations

Objectives:

• To Cable the network
• To Configure IP addresses for routers and PCs.
• To configure routers.
• To Verify connection between hosts and routers

Steps followed

• The devices are attached as per the topology  for establishing proper connection among devices
• The hostnames, Interface IP addresses are configured as follows
• DCE cable is used to configure a clock rate for routers [9].
• DNS lookup is disabled to stop the router translate incorrect commands including the hostnames
• configuration of static routes are done
  1. R0 to R1
  2. R2 to R1
  3. R1 to R0 LAN
  4. R1 to R2 LAN
• Configuration of EIGRP routing protocols are done.
  1. For R0
  2. For R1
  3. For R2
• A static IP address, subnet mask and default gateway for PC-0 and PC-1 are done
  1. PC-0
  2. PC-1
• Verification of connectivity

Pinging test

Pinging of PC-1 on the R2 LAN from PC-0 on the R0 LAN is done. The ping result is successful.

Pinging of PC-1 on the R2 LAN from PC-0 on the R0 LAN is done. The ping result is successful.

Configuration of CCP Access for routers

Objectives

• HTTP/HTTPS can be configured
• User accounts with higher permissions can be created
• SSH and Telnet will be created

Procedure

• Router is connected using Telnet or SSH console.
• Router HTTP or HTTPS server is enabled
• A user with privilege level 15 is created.
• SSH and Telnet login are configured

CCP configuration

Objectives

• To install CCP.
• To manage communities.
• To discover router devices.

Procedure

1. CCP is installed using the link provided.
2. Start–> Cisco Configuration Professional–> Select / Manage Community window–> Ok
3. Dashboard–> Discover–> connect to R2
4. IP for select community number is provided.

VPN stands Virtual Private Network. To provide the security and privacy for Public and private network, VPN is used. It acts like an internet and Wi-Fi hotspot. The data transformation between the computer network and remote user is securely done by the VPN. To saves the secure data, VPN is used in the corporate world [10].

Benefits of VPN

1. Data could be encrypted.
2. Provide security and protection for Wi-Fi connection.
3. One could replace original IP.
4. With the help of VPN, censorship is avoided.

VPN Tunneling protocols

1. PPTP – Point to point tunneling protocol
2. L2TP-Layer two Tunneling
3. Open VPN-Internet protocol security

Tunneling is a protocol. It provides the security for transfer the data from the one system to another system. Port forwarding is another name for tunneling. The private network communications is provided to the public network by using the tunneling process [11].

Objectives

It is the process of translating the data from one protocol to another protocol. That is transfer the data from source to the destination.

Objective

• To configure a site to site virtual private network.
• Configuration procedure for VPN
• A password of minimum length is configured after checking the connectivity between the devices.
• Basic consoles are configured by following the specified router commands
• Pass word encryption is used to encrypt the clear text passwords [12].
• Basic running configurations are configured.
• The configurations are saved for future reference
• Connection of the devices is tested and then IKE policies are enabled.
• ISAKMP policy parameters are configured.
• Pre shared keys are configured.
• Transform the IPsec set
• A crypto map is created and applied.
• ISAKMP security is associated.

SSH stands for secure Shell. It is used for protecting the system from attacks. The attacks are DNS spoofing, IP source routing and IP spoofing. It is used for transferring the files from one machine to another. By using associated SSH file transfer, one could transfer the files. The secured copy protocols also used for transfer files. The secure authentications are provided at insecure channels by SSH. It is a network protocol. To remotely access and manage a device, SSH is used [13]. It is used for supporting some operations like forward the TCP ports, tunneling and X11 connections. It is used for data encryption.

The SSH protect system from following risks

1. Data manipulation
2. Sniffing of data transmission.
3. IP address spoofing
4. spoofing of DNS
5. Routing of a source of an IP source.

Benefits of SSH

1. It is used to avoid the attack.
2. It provides the Authentication for system.
3. It is used for hosting the control.

Trunk is one type of communication link. It is used to provide network access between two points with multiple signals. It connects the switching centers. The bandwidth of single cable is increased by Trunk. Because the trunk has multiple cables and wires. It is also used for sharing the frequency to the more number of users.TO connect the switching nodes, trunk is used [14]. The switching nodes may be PBX (private branch exchange) and central offices. Two types of trunk are there. Trunk Port, Port Trunking

1. Trunk port-takes the data from the virtual local area network in the single interconnect. This inter connect is present between the switches and router.
2. Port Trunking –   It gives permission for multiple physical links to make the higher capacity, single and more reliable logical link.

IPS is nothing but the intrusion prevention system. IPS is used to detect security problems. IPS provides the layer of security next to the firewall [15].

Objective

• To verify Access to the R0 LAN from R1
• To prepare the Router and TFTP Server
• To Configure the IPS Crypto Key
• Configure IPS
• Load the IOS IPS Signature Package to the Router
• Test the IPS Rule and Modify a Signature
• Test IPS with Super Scan

Procedure

• Ping from R1 to R0.
• Ping from R1 to PC-0 on the R0 LAN.
• Display the R0 running configuration prior to configuring IPS.
• Verify the availability of Cisco IOS IPS files.
• Verify or create the IPS directory in router flash on R0
• Locate and open the crypto key file
• Copy the contents of the text file
• Apply the contents of the text file to the router
• Create an IPS rule
• Configure the IPS Signature storage location in router flash memory.
• Enable IPS SDEE event notification
• Enable IPS syslog support
• (Optional) Download and start the syslog server
• Configure IOS IPS to use one of the pre-defined signature categories
• Apply the IPS rule to an interface
• Save the running configuration
• Download the TFTP server
• Start the TFTP server on PC-0 and verify the IPS file directory.
• Copy the signature package from the TFTP server to the router.
• Verify that the signature package is properly compiled.
• Ping from R1 to the R0 serial 0/0/0 interface.
• Ping from R1 to PC-0
• Modify the signature.
• Ping from R1 to R0 serial 0/0/0 interface
• Ping from R1 to PC-0
• Download the SuperScan program
• Run SuperScan and set scanning options
• Observe the syslog messages on R0.

IPsec VPN is used. The clients are connected with VPN server using gateway. Security firewalls can be used for further security. The VPN system will be having connection with routers too. The client to server connection will be fully secured. Admin computers can have multiple special access levels into the VPN network. VPN will be having two IP Addresses. External and Internal.

CPT (cisco packet tracer) is a most widely used software for network simulation, which is mainly used for simulation of LAN setup. Cisco Packet Tracer is considered as a great network simulation program, with the help of this software the following design for a network of school is made. Generally, to set up a network, user need a router, Client PC, Server and switch. Here, the network configuration need 3 routers. It should contain the network interfaces [16].

Conclusion

SMSD is decided to launch the digital learning initiative. The security problem would be appeared in the digital learning. It is very complex. To avoid the security problem, SMSD would decide to provide firewall authentication in the digital learning. The process of firewall authentication would be done by the ELA (Enterprise License Agreement) with cisco. It would be providing solution for collaboration also. The security and business objectives are explained. The existing security solution may not meet all the requirements. VPN solution will give better security and will satisfy all the business and technical requirements. Unmanaged systems are totally insecure. Data theft and password thefts used to happen very easily in unsecured network. Browser cache will be having lot of sensitive data and that can be stolen without the end users permission. Browser histories, Browser cookies, saved form data’s, saved passwords also can act as a easy loops holes for data theft and identification theft. Man in the middle attacks is pssoble. When the user names and passwords travels in simple WAN, anyone can hack these details. Web application attacks like SQL injection, buffer overflow attacks, and directory traversal attacks and cross site scripting are very much possible in unsecured network. Viruses, Worms and Trojans are possible in unsecured network. VPN prevents all these problems. Strong user authentication policy, complex password policy, usage of strong encryption algorithms can save the end users from ID theft and data theft. Web application firewalls, IPS and gateway level anti-virus systems and network admission controls can act as the best prevention mechanisms.

Reference

[1]H. Mankell and E. Segerberg, Firewall. London: Vintage, 2012.

[2]D. Mills, Firewall. .

[3]V. Bollapragada, M. Khalid and S. Wainner, IPSec VPN design. Indianapolis: Cisco Press, 2005.

[4]”What Is A VPN? – WhatIsMyIP.com®”, Whatismyip.com, 2017. [Online]. Available: https://www.whatismyip.com/what-is-a-vpn/. [Accessed: 28- Sep- 2017].

[5]”What Is VPN Tunneling?”, Lifewire, 2017. [Online]. Available: https://www.lifewire.com/vpn-tunneling-explained-818174. [Accessed: 28- Sep- 2017].

[6]”What is Secure Shell (SSH)? Webopedia Definition”, Webopedia.com, 2017. [Online]. Available: https://www.webopedia.com/TERM/S/SSH.html. [Accessed: 28- Sep- 2017].

[7]”What is gateway? – Definition from WhatIs.com”, IoT Agenda, 2017. [Online]. Available: https://internetofthingsagenda.techtarget.com/definition/gateway. [Accessed: 28- Sep- 2017].

[8]W. Nelson, A. Srinivasan and M. Chintalapati, Sun web server. Upper Saddle River, N.J.: Prentice Hall, 2010.

[9]M. Feilner and N. Graf, Beginning OpenVPN 2.0.9. Birmingham, U.K.: Packt Pub., 2009.

[10]X. Yang and R. Shang, Luo yang qie lan ji. Beijing: Zhong hua shu ju, 2012.

[11]J. Eliot, Ssh. [Place of publication not identified]: Mosaique Press, 2014.

[12]D. Barrett, R. Silverman and R. Byrnes, SSH, the secure shell. Sebastopol, CA: O’Reilly Media, Inc., 2011.

[13]S. Carey, The trunk. Melbourne, Vic.: Puffin Books, 2013.

[14]H. Belloc, On. Freeport, N.Y.: Books for Libraries Press, 1967.

[15]O. Santos and J. Stuppi, CCNA security 210-260 official cert guide. .

[16]J. Guichard, I. Pepelnjak and J. Apcar, MPLS and VPN architectures. Indianapolis: Cisco Press, 2014.