DESIGN AND SIMULATION OF SECURE VIRTUAL PRIVATE NETWORK (VPN) OVER AN OPEN NETWORK (INTERNET) INFRATRUCTURE (CASE STUDY OF NATIONAL BOARD FOR TECHNICAL EDUCATION NBTE)
ABSTRACT The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need, a way to maintain cost effective, fast, secure and reliable communications wherever their offices are. How do we ensure the safe passage of data across a shared infrastructure? The answer is to deploy a secured Virtual Private Network (VPN). TABLE OF CONTENT Title page Approval Dedication Acknowledgement Table of content Abstract CHAPTER ONE 1.0 Introduction 1.1 Background of the Study 1.2 Objectives of the Study 1.3 Significance of the Study 1.4 Scope of the Study 1.5 Limitations of the Study 1.6 Definition of Terms CHAPTER TWO 2.0 Review of Related Literature 2.1 Introduction 2.2 Remote-Access VPN 2.3 Site-to-Site VPN 2.4 VPN Analogy: Each LAN is an Island 2.5 Firewall-based 2.6 VPN Security ¬2.7 Security Review of IPSEC and SSL VPNs 2.8 IPSEC and IPSEC VPNs 2.9 SSL and SSL VPNs 2.10 Maturity and Acceptance 2.11 Cryptography 2.12 Client Desktop Integration CHAPTER THREE 3.0 Network Analysis and Design 3.1 Introduction 3.2 Data Communication Problem Faced by NBTE 3.3 Project Scope 3.4 Objective of the VPN Design 3.5 The Proposed VPN 3.6 Conceptual Model of the Proposed Design 3.7 Physical Model of Proposed Design 3.8 Logical Model of the Proposed Design CHAPTER FOUR 4.0 Network Design Implementation 4.1 Introduction 4.2 ISP & Connectivity Provision 4.3 Routers Interface IP Address Configurations CHAPTER FIVE 5.0 Summary, Conclusion, and Recommendations 5.1 Summary 5.2 Conclusion 5.3 Recommendations References Appendix CHAPTER ONE 1.0 Introduction This is the information age. We no longer have to commute physically from one place to another to complete a set of tasks or to gather pieces of information. Everything can be done virtually with a mouse click on an online host. In a way, everything we do in our daily lives is related in one way or another to information access. This has made information sharing almost mandatory and indispensable. These days, a customer can retrieve and compare products or services information promptly online, anytime, anywhere. For competitive reasons, organizations that provide this information have to make the information readily available online. In other words, the concept of a shared infrastructure is undisputedly important. A shared infrastructure is none other than a public network. At present, the biggest public network is the Internet, which has over 100,000 routes and is still growing rapidly. As more and more companies link up their corporate network to the Internet, we are faced with an inevitable issue—information security. Sharing information on a public network also implies giving access and visibility to everyone who wants to retrieve these data. What if the person who has the accessibility and visibility to the information decides to create havoc? Some of the general threat types that are posed by malicious hackers include eavesdropping, denial of service, unauthorized access, data manipulation, masquerade, session replay, and session hijacking. VPNs are networks deployed on a public network infrastructure that utilize the same security, management, and quality of service policies that are applied in a private network. VPNs provide an alternative to building a private network for site-to-site communication over a public network or the Internet. Because they operate across a shared infrastructure (Internet) rather than a private network, companies can cost effectively extend the corporate WAN to telecommuters, mobile users, and remote offices as well as to new constituencies, such as customers, suppliers, and business partners. 1.1 Background of the Study The National Board for Technical Education (NBTE) is a Commission that was established by Federal Government of Nigeria to oversee the affairs of technical Schools in Nigeria. Their offices are located in various states of the Federation. Their functions include accreditation of courses, monitoring of the affairs of technical institutions in Nigeria. They do not have any secure and reliable communications infrastructure that connects their offices across the country. WANs connect customer sites via dedicated point-to-point links. This means that multiple independent circuits have to terminate at the corporate network egress, making the deployment non-scalable and difficult to maintain. VPNs extend the classic WAN by replacing the physical point-to-point links with logical point-to-point links sharing a common infrastructure, allowing all the traffic to be aggregated into a single physical connection. This scenario results in potential bandwidth and cost savings at the network egress. Because customers no longer need to maintain a private network, and because a VPN itself is cheaper to own and offers significant cost savings over private WANs, operation costs are reduced. VPNs provide an alternative WAN infrastructure that can replace or augment commercial private networks that use leased-line or frame relay/ATM networks. There are two ways business customers can implement and manage their VPNs. They can either roll out their own VPNs and manage them internally, or outsource the VPN management to their service providers for a total VPN package that is tailored to their particular business needs. Last but not least, from the service providers’ perspective, VPNs are a fundamental building block in delivering new value-added services that benefit their business customers as well as themselves. In this instance, the service providers deploy the VPNs for their customers, and the customers need only subscribe to the service providers for the VPN services. 1.2 Objectives of the study: Secure VPN is the cost effective means to achieve the following. • Access Control into a Private Network in a shared network • Secure information and Identity Management • Secure Intranet and information sharing • Reliability • Near 99% Network up Time. • Secure Desktop Sharing 1.3 Significance of the study: This project enlightens readers and would serve as bedrock for computer network and information control in a computer Network environment. As for a well-designed VPN, the project has the following significance: • Extends geographic Network connectivity • Improve security in Private Network • Reduce operational costs versus traditional WAN • Improve productivity • Simplify network topology • Provide broadband networking compatibility • Provide faster ROI (return on investment) than traditional WAN • The study would also be helpful to the students who are carrying out research on this topic or any related topic And the following features are incorporate: • Security • Reliability 1.4 Scope of the Study: This study will cover the following features, design and demonstration of: 1. Intranet-based Site to Site VPN that connects the NBTE offices. 2. Three Site WAN location which implies a HQ and two Branch Offices 3. Access Control List Implementation, IPSec and Encryption to provide secure Access to network resources 4. Network Reliability 1.5 Limitations of the study: The design of Secure VPN is an enterprise network Project that leverages the use of enterprise facilities and network infrastructures available to the organization. In this project most of these facilities are not present rather simulator is used to achieve relevant features. This research ought to cover a wide area but unable to do so due to the following limitations Finance: The cost of acquiring network equipments is high, and as a student, I was unable to afford all the financial requirements of the research study. Time: The period of time allowed for this project was small. A project of this nature need more time for complete investigation and research to be conducted. More so, studies and examinations are being combined which does not allow complete dedication to the project. Therefore the following may not be achieved in this academic project. • Scalability • Network management • Policy management • Remote Access VPN 1.6 Definition of terms: LEASED LINES These are usually referred to as a point –to –point or dedicated connection. A leased line is a pre-established WAN communications path that goes from the CPE through the DCE switch, then over to the CPE of the remote site. The CPE enables DTE communicate at any time with no cumbersome setup procedures to muddle through before transmitting data. It uses synchronous serial lines up to 45Mbps. HDLC and PPP encapsulations are frequently used on leased lines ROUTER A Network layer mechanism, either software or hardware, using one or more metrics to decide on the best path to use for transmission of network traffic. Sending packets between Networks by routers are based on the information provided on Network layers. Historically, this device has sometimes been called a gateway. ACCESS RATE Defines the bandwidth rate of the circuit. For example, the access rate of a T1 circuit is 1.544Mbps. In Frame Relay and other technologies, there may be a fractional T1 connection-256Kbps, for example- however, the access rate and clock rate are still 1.544Mbps. ATM Asynchronous Transfer Mode: The international standard, identified by fixed-length 53-byte cells, for transmitting cells in multiple service systems, such as voice, video, or data. Transit delays are reduced because the fixed-length cells permit processing to occur in the hardware. ATM is designed to maximize the benefits of high-speed transmission media, such as SONET, E3, and T3 BANDWIDTH. The gap between the highest and lowest frequencies employed by network signals, more commonly, it refers to the rated throughput capacity of a network protocol or medium bursting. Some technologies, including ATM and Frame Relay, are considered burst able. This means that user data can exceed the bandwidth normally reserved for the connection; however, this cannot exceed the port speed. An example of this would be a 128Kbps Frame Relay CIR on a T1- depending on the vendor, it may be possible to send more than 128Kbps for a short time Class A Network Part of the Internet Protocol hierarchical addressing scheme. Class A networks have only 8 bits for defining networks and 24 bits for defining hosts and subnets on each network. Class B Network Part of the Internet Protocol hierarchical addressing scheme. Class B networks have 16 bits for defining networks and 16 bits for defining hosts and subnets on each network. Class C Network Part of the Internet Protocol hierarchical addressing scheme. Class C networks have 24 bits for defining networks and only 8 bits for defining hosts and subnets on each network. COLLISION DOMAIN The network area in Ethernet over which frames that have collided will be detected. Collisions are propagated by hubs and repeaters, but not by LAN switches, routers, or bridges. DCE data communications equipment (as defined by the EIA) or data circuit-terminating equipment (as defined by the ITU-T): The mechanisms and links of a communications network that make up the network portion of the user-to-network interface, such as modems. The DCE supplies the physical connection to the network, forwards traffic, and provides a clocking signal to synchronize data transmission between DTE and DCE devices. DHCP Dynamic Host Configuration Protocol: DHCP is a superset of the BootP protocol. This means that it uses the same protocol structure as BootP, but it has enhancements added. Both of these protocols use servers that dynamically configure clients when requested. The two major enhancements are address pools and lease times DTE data terminal equipment: Any device located at the user end of a user-network interface serving as a destination, a source, or both. DTE includes devices such as multiplexers, routers, protocol translators, and computers. The connection to a data network is made through data communication equipment (DCE) such as a modem, using the clocking signals generated by that device. Ethernet A baseband LAN specification created by the Xerox Corporation and then improved through joint efforts of Xerox, Digital Equipment Corporation, and Intel. Ethernet is similar to the IEEE 802.3 series standard and, using CSMA/CD, operates over various types of cables at 10Mbps. Also called: DIX (Digital/Intel/Xerox) Ethernet Fast Ethernet Any Ethernet specification with a speed of 100Mbps. Fast Ethernet is ten times faster than 10BaseT, while retaining qualities such as MAC mechanisms, MTU, and frame format. These similarities make it possible for existing 10BaseT applications and management tools to be used on Fast Ethernet networks. Fast Ethernet is based on an extension of IEEE 802.3 specifications (IEEE 802.3u) Frame Relay A more efficient replacement of the X.25 protocol (an unrelated packet relay technology that guarantees data delivery). Frame Relay is an industry-standard, shared-access, best-effort, switched Data Link layer encapsulation that services multiple virtual circuits and protocols between connected mechanisms HDLC High-Level Data Link Control: Using frame characters, including checksums, HDLC designates a method for data encapsulation on synchronous serial links and is the default encapsulation for Cisco routers. HDLC is a bit-oriented synchronous Data Link layer protocol created by ISO and derived from SDLC. However, most HDLC vendor implementations (including Cisco’s) are proprietary IP Internet Protocol: Defined in RFC 791, it is a Network layer protocol that is part of the TCP/IP stack and offers connectionless service. IP furnishes an array of features for addressing, type-of-service specification, fragmentation and reassembly, and security IP address Often called an Internet address; this is an address uniquely identifying any device (host) on the Internet (or any TCP/IP network). Each address consists of four octets (32 bits), represented as decimal numbers separated by periods (a format known as “dotted-decimal”). Every address is made up of a network number, an optional sub network number, and a host number. The network and sub network numbers together are used for routing, while the host number addresses an individual host within the network or sub network. The network and sub network information is extracted from the IP address using the subnet mask. There are five classes of IP addresses (A–E), in which classes A-C allocate different numbers of bits to the network, sub network, and host portions of the address. LAN local area network: Broadly, any network linking two or more computers and related devices within a limited geographical area (up to a few kilometers). LANs are typically high-speed, low-error networks within a company. Cabling and signaling at the Physical and Data Link layers of the OSI are dictated by LAN standards. Ethernet, FDDI, and Token Ring are among the most popular LAN technologies NIC Network Interface Card: An electronic circuit board placed in a computer. The NIC provides network communication to a LAN. OSI Open Systems Interconnection: International standardization program designed by ISO and ITU-T for the development of data networking standards that make multivendor equipment interoperability a reality Packet In data communications, the basic logical unit of information transferred. A packet consists of a certain number of data bytes, wrapped or encapsulated in headers and/or trailers that contain information about where the packet came from, where it’s going, and so on. The various protocols involved in sending a transmission add their own layers of header information, which the corresponding protocols in receiving devices then interpret Ping Packet Internet Groper: A Unix-based Internet diagnostic tool, consisting of a message sent to test the accessibility of a particular device on the IP network. The term’s acronym reflects the underlying metaphor of submarine sonar. Just as the sonar operator sends out a signal and waits to hear it echo (“ping”) back from a submerged object, the network user can ping another node on the network and wait to see if it responds Provider network (P-Network): the service provider infrastructure that is used to provide VPN services. Customer network (C-Network): the part of the network that is still under customer control. Customer site: a contiguous part of the C-Network that can comprise many physical locations. Provider (P) device: the device in the P-Network with no customer connectivity and without any “knowledge” of the VPN. This device is usually a router and is commonly referred as the P router. Provider edge (PE) device: the device in the P-Network to which the CE devices are connected. This device is usually a router and is often referred as the PE router. Customer edge (CE) device: the device in the C-network that links into the P-network; also known as customer premises equipment (CPE). This device is usually a router and is normally referred as the CE router. Virtual circuit (VC): logical point-to-point link that is established across a shared layer-2 infrastructure. PPP Point-to-Point Protocol: The protocol most commonly used for dial-up Internet access, superseding the earlier SLIP. Its features include address notification, authentication via CHAP or PAP, support for multiple protocols, and link monitoring. PPP has two layers: the Link Control Protocol (LCP) establishes, configures, and tests a link; and then any of various Network Control Protocols (NCPs) transport traffic for a specific protocol suite, such as IPX PSTN public switched telephone network: Colloquially referred to as “plain old telephone service” (POTS). A term that describes the assortment of telephone networks and services available globally PVC permanent virtual circuit: In a Frame Relay or ATM network, a logical connection, defined in software that is maintained permanently. RIP Routing Information Protocol: The most commonly used interior gateway protocol in the Internet. RIP employs hop count as a routing metric. Routed Protocol Routed protocols (such as IP and IPX) are used to transmit user data through an internetwork. By contrast, routing protocols (such as RIP, IGRP, and OSPF) are used to update routing tables between routers. Routing The process of forwarding logically addressed packets from their local sub network toward their ultimate destination. In large networks, the numerous intermediary destinations a packet might travel before reaching its destination can make routing very complex SDLC Synchronous Data Link Control: A protocol used in SNA Data Link layer communications. SDLC is a bit-oriented, full-duplex serial protocol that is the basis for several similar protocols, including HDLC and LAPB. Subnet Address The portion of an IP address that is specifically identified by the subnet mask as the sub network. See also: IP address, sub network, and subnet mask Subnet Mask Also simply known as mask, a 32-bit address mask used in IP to identify the bits of an IP address that are used for the subnet address. Using a mask, the router does not need to examine all 32 bits, only those indicated by the mask X.25 An ITU-T packet-relay standard that defines communication between DTE and DCE network devices, X.25 uses a reliable Data Link layer protocol called LAPB. X.25 also uses PLP at the Network layer. X.25 has mostly been replaced by Frame Relay. OSI reference model Open Systems Interconnection reference model: A conceptual model defined by the International Organization for Standardization (ISO), describing how any combination of devices can be connected for the purpose of communication. The OSI model divides the task into seven functional layers, forming a hierarchy with the applications at the top and the physical medium at the bottom, and it defines the functions each layer must provide Packet Switching: A networking technology based on the transmission of data in packets. Dividing a continuous stream of data into small units called packets, enables data from multiple devices on a network to share the same communication channel simultaneously but also requires the use of precise routing information. It is a WAN switching method that allows you to share bandwidth with other companies to save money. Packet switching can be thought of as a network that’s designed to look like a leased line yet charges more like circuit switching. Though it has a downside when it comes to transferring data constantly. Packet switching is good for data transfers that are bursty – not continuous. Frame Relay and X.25 are packet- switching technologies with speeds that range from 56Kbps up to 45 mbps. Circuit Switching: the term circuit switching mean to setup connection first before transmitting data and disconnection at the end of transmission – just like making phone call. It’s used with dial-up networks such as PPP and ISDN. WAN: Wide Area Network Is a designation used to connect LANs together across a DCE (data communication equipment) network. Typically, a WAN is a leased line or Dial-up connection across a PSTN network. Examples of WAN protocols includes Frame Relay, PPP, ISDN, and HDLC ISDN : Integrated Services Digital Network, Offered as a service by telephone companies, a communication protocol that allows telephone networks to carry data, voice and other digital traffic. Intranet: computer network within organization: a network of computers, especially one using World Wide Web conventions, accessible only to authorized users such as those within a company. Internet: The Global “network of Networks’” a network that links computer networks all over the world by satellite and telephone, connecting users with service networks such as e-mail and the World Wide Web Encryption: The conversion of information into scrambled form that effectively disguises it to prevent unauthorized access. Every encryption scheme uses some well-defined algorithm, which is reversed at the receiving end by an opposite algorithm in a process known as decryption. Firewall: A barrier purposefully erected between any connected public networks and private network, made up of a router or access server or several routers or access servers that uses access lists and other methods to ensure the security of the private network. VPN virtual private network: A method of encrypting point-to-point logical connections across a public network, such as the Internet. This allows secure communications across a public network.
NOTE: To have an access to Download this material please contact Us On
+234-903-685-7618, Any Time
Or Or Locate us at pam industrial estate Block 4 Makurdi, Benue State
Click here to make a payment Online or get Payment details