Secure and Configurable Private Network


  • 8/6/2019 Secure and Configurable Private Network

    1/54

    www.adilansari.com Page 1

    Project Report On

    Implementation Of Secure And Configurable Private

    Network

    Submitted by

    ADIL ANSARI

    In partial fulfillment for the award of the degree

    Of

    BACHELOR OF TECHNOLOGY

    In

    COMPUTER SCIENCE AND ENGINEERING

    BBDIT, GHAZIABAD

    2010-2011


    BONAFIDE CERTIFICATE

    Certified that this project report Implementation Of A Secure And Configurable Private Network is the bonafide work of Neeraj Patel, Aakash Sricvastava, Adil Ansari, Mahesh Singh Bisht who carried out the project work under my supervision.

    Project Guide:

    Mr. AMIT SINGHAL

    HEAD OF THE DEPARTMENT

    Computer Science & Engineering

    BBDIT, GHAZIABAD


    ACKNOWLEDGEMENT

    This project is an outcome of the tremendous help and support of all our friends, colleagues and other concerned people.

    First of all, we all thank God, the almighty, for his everlasting mercy on us. Support of our family is a key role playing attribute in this assignment.

    Besides our faculty Mr. Amit Singhal, Mr. Shwetav Sharad also played a major role. Mr. Vineet Garg also gave good guidance and helped a lot in overcoming the project. It all went smoothly because of their help and coordination. We render their esteemed help and support wherever and whenever required.

    We are thankful for their concern and guidance.

    Thanking You

    Adil Ansari (0703510056)


    ABSTRACT: Implementation Of A Secure And Configurable Private Network

    We are developing a scenario-based computer project in which we make communication possible by connecting multiple sites virtually, irrespective of their geographic location, under standard security parameters. We provide communication at basically two levels: first inter-branch communication and second intra-branch communication. Our approach provides the user a secure way for his communication, whether it is within his office or between his offices. CPT allows users to quickly simulate with the user and eliminate keystrokes to reduce data entry costs, while still maintaining the high level of accuracy required in forms processing applications.

    We are using the simulator provided by CISCO to shape our project. PACKET TRACER is Cisco's Graphical User Interface (GUI) design environment that creates stand-alone applications.

    Our effort in designing this project gives it some remarkable features such as speed and simplicity; we try to provide the user a congestion-free private network such that his communication in his network is secure.


    Table of Contents

    i. Acknowledgement

    ii. Abstract

    1. Introduction

    1.1.Networking

    1.2.Requirement

    2. Types of Network

    2.1.Local Area Network

    2.2.Wide Area Network

    3. Network Models

    3.1.OSI Model

    4. Types of Cables

    4.1.Twisted Cable

    4.2.Coaxial Cable

    4.3.Fibre Optic

    5. Networking Devices

    5.1.Network Interface Card

    5.2.Hub

    5.3.Switch

    5.4.Router

    6. IP Addressing

    6.1.Introduction

    6.2.Private IP

    6.3.Masking

    6.4.Subnetting

    6.5.Example

    7. LAN Solution

    7.1.Requirement

    7.2.Solution

    7.3.Specification Sheet


    8. Router

    8.1.Internal Components

    8.2.Network Interfaces

    8.3.Configuring

    8.4.Configuring Using Console

    8.5.Routing Protocols

    8.5.1. RIP

    8.5.2. IGRP

    8.6.Access List

    9. Firewall

    9.1.Introduction

    9.2.Technologies

    9.3.Configuring

    10.WLAN

    10.1. Standards

    10.2. Topologies

    10.2.1. Infrastructure Network

    10.2.2. Adhoc Network

    11.Intrusion Detection System

    11.1. HIDS

    11.2. NIDS

    11.3. Techniques

    12.Integrated Services Digital Network (ISDN)

    12.1. Channels

    12.2. Interfaces

    12.3. Functional Group

    12.4. Reference Points

    iii. Snapshots

    iv. Future Scope Of Project

    v. References

    vi. Conclusion


    1. INTRODUCTION

    1.1 INTRODUCTION TO NETWORKING

    Definition:-

    A network is a system that transmits any combination of voice, video and/or data between users. A network can be defined by its geographical dimensions and by the way the users' PCs access it.

    A network consists of:

    1) The network operating system (Windows NT/2000/XP) on the user's PC (client) and server.

    2) The cables connecting all network devices (user's PC, server, peripherals, etc.).

    3) All supporting network components (hubs, routers and switches, etc.).

    Computer Network means an interconnected collection of autonomous computers.

    1.2 REQUIREMENT OF NETWORKING

    Resource sharing- To make all programs, equipment, and especially data available to anyone on the network without regard to the physical location of the resource and the user.

    High reliability- As all files could be replicated on two or three machines, if one of them is unavailable (due to hardware failure), the other copies could be used.

    Scalability- It is the ability to increase system performance gradually as the workload grows just by adding more processors.

    A computer network can provide a powerful communication medium among widely separated employees. The use of networks to enhance human-to-human communication will probably prove more important than technical goals such as improved reliability.

    These are the requirements with respect to companies, but computer networking is required even in normal day-to-day life, as we have to access the internet to get information about what is happening in the world and to communicate with people staying far away using the e-mail service.

    These are the reasons that drove the inventors to invent networking devices, models, protocols etc.

    The birth of Networking took place in 1844, when Samuel Morse sent the first telegraph message.


    2. TYPES OF NETWORKS

    2.1 LAN (LOCAL AREA NETWORK)

    These are privately owned networks within a single building or campus of up to a few kilometers in size. LANs are distinguished from other networks by three characteristics:

    1) Their size.

    2) Their transmission technology.

    3) Their topology.

    LANs are restricted in size, which means that the worst-case transmission time is bounded and known in advance. LANs often use a transmission technology consisting of a single cable to which all the machines are attached.

    LANs run at speeds of 10 to 100 Mbps, have low delays, and make very few errors.

    LAN SETUP

    IEEE has produced several standards for LANs. These standards are collectively known as IEEE 802:

    IEEE 802.3 (Ethernet), IEEE 802.4 (Token Bus), IEEE 802.5 (Token Ring)


    2.2 WAN (WIDE AREA NETWORK)

    It is a computer network that spans a relatively large geographical area, often a country or continent. Typically a WAN consists of two or more Local Area Networks.

    Computers connected to a WAN are often connected through public networks such as telephone systems. They can also be connected through leased lines or satellites. The largest WAN in existence is the Internet.

    WANs run at a maximum speed of 2 to 10 Mbps.

    WAN SETUP

    For most WANs, the long distance bandwidth is relatively slow: on the order of kilobits per second (kbps) as opposed to megabits per second (Mbps) for local-area networks (LANs). For example, an Ethernet LAN has a 10 Mbps bandwidth; a WAN using part or all of a T1 carrier has a bandwidth of 1.544 Mbps.

    Three types of approaches are used to connect WANs:

    1) Circuit switching, which provides a fixed connection (at least for the duration of a call or session), so that each packet takes the same path. Examples of this approach include ISDN, Switched 56, and Switched T1.

    2) Packet switching, which establishes connections during the transmission process so that different packets from the same transmission may take different routes and may arrive out of sequence at the destination. Examples of this approach are X.25, frame relay, and ATM.

    3) Leased lines, which can provide a dedicated connection for private use.


    PRESENTATION LAYER

    Translates from application to network format and vice-versa.

    All different formats from all sources are made into a common uniform format that the rest of the OSI model can understand.

    Responsible for protocol conversion, character conversion, data encryption/decryption, expanding graphics commands, data compression.

    Sets standards for different systems to provide seamless communication from multiple protocol stacks.

    Not always implemented in a network protocol.

    SESSION LAYER

    Establishes, maintains and ends sessions across the network.

    Responsible for name recognition (identification) so only the designated parties can participate in the session.

    Provides synchronization services by planning checkpoints in the data stream => if the session fails, only data after the most recent checkpoint need be transmitted.

    Manages who can transmit data at a certain time and for how long.

    Examples are interactive login and file transfer connections; the session would connect and re-connect if there was an interruption, recognize names in sessions and register names in history.

    TRANSPORT LAYER


    Additional connection below the session layer.

    Manages the flow control of data between parties across the network.

    Divides streams of data into chunks or packets; the transport layer of the receiving computer reassembles the message from packets.

    "Train" is a good analogy => the data is divided into identical units.

    Provides error-checking to guarantee error-free data delivery, with no losses or duplications.

    Provides acknowledgment of successful transmissions; requests retransmission if some packets don't arrive error-free.

    Provides flow control and error-handling.

    Examples: TCP, ARP, RARP.

    NETWORK LAYER

    Translates logical network addresses and names to their physical address (e.g. computer name ==> MAC address).

    Responsible for addressing and determining routes for sending.

    Manages network problems such as packet switching, data congestion and routing.

    If a router can't send a data frame as large as the source computer sends, the network layer compensates by breaking the data into smaller units. At the receiving end, the network layer reassembles the data.

    Think of this layer as stamping the addresses on each train car.

    Examples: IP, ARP, RARP, ICMP, RIP, OSPF.

    DATA LINK LAYER

    Turns packets into raw bits 100101 and at the receiving end turns bits into packets.

    Handles data frames between the Network and Physical layers.

    The receiving end packages raw data from the Physical layer into data frames for delivery to the Network layer.

    Responsible for error-free transfer of frames to the other computer via the Physical Layer.

    This layer defines the methods used to transmit and receive data on the network. It consists of the wiring, the devices used to connect the NIC to the wiring, the signaling involved to transmit/receive data and the ability to detect signaling errors on the network media.

    Logical Link Control

    Error correction and flow control.

    Manages link control and defines SAPs.

    PHYSICAL LAYER

    Transmits raw bit stream over physical cable.

    Defines cables, cards, and physical aspects.

    Defines NIC attachments to hardware, how cable is attached to NIC.


    4. CABLES

    There are different cabling options depending on the access method:

    4.1 Twisted pair

    The wires are twisted around each other to minimize interference from other twisted pairs in the cable. Twisted pair cables are available unshielded (UTP) or shielded (STP). UTP is the most common type and uses an RJ-45 connector. Typical lengths are up to 100 m. A twisted pair network uses a star topology.

    4.2 Coaxial cables

    Coaxial cable uses BNC connectors. The maximum cable lengths are around 500 m. Coaxial networks use a single bus topology.

    4.3 Fiber Optic

    UTP and coaxial cables are not capable of carrying data signals over long distances, i.e. UTP is capable of transmitting up to a distance of 100 meters only. By using fiber cables it is possible to send the data about 10 kilometers. Fiber optic cable uses SC, ST and LC connectors (the most common in use is the SC connector).

    In fiber cables the data is converted to light signals and the signal is made to propagate through the fiber cable. There are two types of fibre optic cable available:

    1. Single mode: In this mode the typical length is up to 12 km and the data rate is 1000 Mbps. The core diameter is about 9.25 nm; the cable is known as 1000Base-LX cable.

    2. Multi mode: This mode is further categorised in two:

    1) SX: Typical length is up to 500 m and data rate is 1000 Mbps.

    2) FX: Typical length is up to 220 m and data rate is 100 Mbps.


    PATCH PANEL

    A patch panel provides a convenient place to terminate (connect) all of the cable coming from different locations into the wiring closet. We connect the cables coming from the various locations that need to connect to the switch through the patch panel.

    NEED OF PATCH PANEL

    We can label the patch panel so we know which wire belongs to which location. Without a patch panel, it is chaotic. If we want to disconnect a station from the switch, it's a lot easier if there's a label.

    Most cabling is wired "straight-through" from end to end. But sometimes we need to cross-wire some of the pairs between switch and station, like with a cable modem, or cross-wire to connect two switches. With a patch panel, all of this cross-wiring is done in the patch cable. If you have to make any changes, like moving a station or switch, you just move the patch cable with it, instead of having to reterminate the cable run.

    PATCH CORD


    RACK

    We have to mount the patch panel somehow. The best way is to buy a rack. Basically, a rack is a pair of vertical rails with holes drilled in them so that we can mount patch panels, hubs, and other network equipment. This makes it easy to access the back of the patch panel and other networking components.

    Cabling Guidelines

    The RJ-45 ports on the switch support automatic MDI/MDI-X operation, so we can use standard straight-through twisted-pair cables to connect to any other network device (PCs, servers, switches, routers, or hubs).

    We use only twisted-pair cables with RJ-45 connectors that conform to FCC standards.

    Connecting to PCs, Servers, Hubs and Switches

    Making Twisted-Pair Connections

    1. Attach one end of a twisted-pair cable segment to the device's RJ-45 connector.

    2. If the port where we are connecting the RJ-45 is a network card, attach the other end of the cable segment to a modular wall outlet that is connected to the wiring closet. Otherwise, attach the other end to an available port on the switch.

    Make sure each twisted pair cable does not exceed 100 meters (328 ft) in length.

    Wiring Closet Connections

    Today, the punch-down block is an integral part of many of the newer equipment racks. It is actually part of the patch panel. Instructions for making connections in the wiring closet with this type of equipment follow.

    1. Attach one end of a patch cable to an available port on the switch, and the other end to the patch panel.

    2. If not already in place, attach one end of a cable segment to the back of the patch panel where the punch-down block is located, and the other end to a modular wall outlet.

    3. Label the cables to simplify future troubleshooting.


    5. NETWORKING DEVICES

    Networking devices do various kinds of jobs like converting data to signals, providing connectivity to different network devices, and transferring data in the form of packets or frames from one device to another. These are the central connections for all the network equipment and handle a data type known as a frame or packet. Frames/packets contain data and the destination address of where they are going. When a frame is received, it is amplified and then transmitted on to the port of the destination PC. But different networking components do this job in different forms at different layers.

    5.1 NETWORK INTERFACE CARD

    A Network Interface Card (NIC) is a circuit board that plugs into both clients and servers and controls the exchange of data between them (a specific software driver must be installed depending on the make of the NIC). A physical transmission medium, such as twisted pair or coaxial cable, interconnects all network interface cards to network hubs or switches. Ethernet and Token Ring are common network interface cards. Today's cards support 10BaseT and 100BaseT with automatic recognition.

    5.2 HUB

    When there is a need for interconnecting more than 2 devices together, a device known as a hub comes into the picture. Basically a hub is a layer one device, i.e. it operates on the physical layer of the OSI model. It is designed to do broadcasting, i.e. when it gets any frame it broadcasts it to every port irrespective of whether it is destined for that port or not. A hub has no way of distinguishing which port a frame should be sent to. Broadcasting results in a lot of traffic on the network, which leads to poor network response. If two PCs simultaneously transmit their data packets and both are connected to a HUB, then a collision will occur, so we can say it creates a single collision domain. On the other hand all PCs connected to a hub will get the same message, so a single broadcast domain will be created.

    A 100/1000 Mbps hub must share its bandwidth with each and every one of its ports. So when only one PC is broadcasting, it will have access to the maximum available bandwidth. If, however, multiple PCs are broadcasting, then that bandwidth will need to be divided between all of these systems, which will degrade the performance. They are usually Half-Duplex in nature.

    5.3 SWITCH

    Hubs are capable of joining more than two PCs but have some demerits: if two PCs want to communicate at the same time there will be a collision and both PCs will have to send the data once again. This shortcoming of the Hub is overcome by Switches. Switches are intelligent devices which work on Layer 2 of the OSI model. Basically a


    switch keeps a record of the MAC addresses of all the devices connected to it. Using this information, it builds a MAC address table. So when a frame is received, it knows exactly which port to send it to, which improves the network response time.

    Basic Working Principle of Switch.

    1. At the time of initializing the switch, the MAC address table is yet to be built up. When a frame is sent by one of the PCs, the switch recognises the source MAC address and updates the MAC address table.

    2. If the destination is available in the MAC table, then it forwards the frame to the corresponding PC.

    3. If the destination MAC address is not present in the table, then it forwards the frame on all the available ports except the incoming one. The designated PC will respond to the data and will send the acknowledgement for the data received. This acknowledgement will be examined by the switch and the MAC address table will be updated accordingly.

    If two PCs simultaneously transmit their data packets and both are connected to a SWITCH, then a collision will not occur, so we can say it creates multiple collision domains.

    The switch supports broadcast. Hence we can say switches create a single broadcast domain and multiple collision domains.

    A 100/1000 Mbps switch will allocate a full 100/1000 Mbps to each of its ports. So regardless of the number of PCs transmitting, the user will always have access to the maximum amount of bandwidth. They are usually Full-Duplex in nature.
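The three learning/forwarding steps above, traced frame by frame in a small software model of the switch. This is an added example, not code from the report; the port count and the MAC addresses are constructed.

```python
"""Model of the switch MAC-learning and forwarding rules (steps 1-3 above).

Added example, not part of the report: the MAC address table is a plain
dictionary, and receive() returns the ports a frame would leave on so the
flood / forward decision can be checked for each frame.
"""
from dataclasses import dataclass, field
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str      # source MAC address
    dst: str      # destination MAC address


@dataclass
class Switch:
    ports: int                                               # ports numbered 1..ports
    mac_table: Dict[str, int] = field(default_factory=dict)  # MAC -> port

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Process one frame arriving on in_port; return the egress port list."""
        if not 1 <= in_port <= self.ports:
            raise ValueError(f"no such port: {in_port}")
        # Step 1: learn (or refresh) the source MAC on the incoming port.
        self.mac_table[frame.src] = in_port
        # Step 2: known unicast destination -> forward on that port only.
        if frame.dst != BROADCAST and frame.dst in self.mac_table:
            out = self.mac_table[frame.dst]
            # Destination sits on the port the frame came in on: nothing to
            # forward, the stations on that segment already saw the frame.
            return [] if out == in_port else [out]
        # Step 3: unknown destination or broadcast -> flood every port except
        # the incoming one (the whole switch is one broadcast domain).
        return [p for p in range(1, self.ports + 1) if p != in_port]


def trace_exchange() -> List[List[int]]:
    """Walk the three steps from the text on a 4-port switch (constructed MACs)."""
    sw = Switch(ports=4)
    pc_a, pc_b = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
    trace = []
    # A (port 1) sends to B: the table is empty, so the frame is flooded to 2, 3, 4.
    trace.append(sw.receive(1, Frame(pc_a, pc_b)))
    # B (port 2) answers: A is already in the table, so only port 1 receives it.
    trace.append(sw.receive(2, Frame(pc_b, pc_a)))
    # A sends again: B is now known, so only port 2 receives it.
    trace.append(sw.receive(1, Frame(pc_a, pc_b)))
    return trace


if __name__ == "__main__":
    for step, ports in enumerate(trace_exchange(), 1):
        print(f"frame {step}: sent out of ports {ports}")
```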

    Different switching Principles:-

    1. Store-and-forward:- The switch fully receives all bits in the frame (store) before forwarding the frame (forward). This allows the switch to check the FCS before forwarding the frame. (The FCS is in the Ethernet trailer.)

    2. Cut-through:- The switch performs the address table lookup as soon as the destination address field in the header is received. The first bits in the frame can be sent out the outbound port before the final bits in the incoming frame are received. This does not allow the switch to discard frames that fail the FCS check. (The FCS is in the Ethernet trailer.)

    3. Fragment Free:- This performs like cut-through switching, but the switch waits for 64 bytes to be received before forwarding the first bytes of the outgoing frame. According to Ethernet specifications, collisions should be detected during the first 64 bytes of the frame, so frames in error because of a collision will not be forwarded. The FCS still cannot be checked.

    A bridge is another device like a switch which also operates based on the MAC address. But the basic difference between the bridge and the switch is that a bridge works in software, whereas a switch works in hardware. The switch works on ASICs (Application Specific Integrated Circuits).


    5.4 ROUTER

    A switch and a hub can only interconnect devices in a single LAN. For interconnecting two LANs or two or more different networks, another device known as a router is used. Its main job is to route (send) packets to other networks, and to do the routing (establishing paths between networks) it uses the IP address. A router is typically connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect. To determine the best path for forwarding a packet, routers use forwarding tables.

    It is a layer 3 device, i.e. it operates at the network layer of the OSI model. The working principle of the router is totally different from a switch. A router makes a table known as the routing table, which contains all the IP addresses in the network; the router obtains the information for an IP address directly (all IP addresses configured on it) or indirectly (from neighbour routers). When a packet is received it compares the destination IP address of the packet with the available IP addresses in its routing table. If the IP address is not available in the routing table then it simply discards the packet instead of flooding on all the ports like a switch. (Detailed information about the router in chap )

    Comparison between Hub, Bridge, Switch & Router

    Feature | Hub | Bridge | Switch | Router
    Number of broadcast domains | Segment | 1 | 1 | 1 per router interface
    Number of collision domains | 1 | 1 per bridge port | 1 per switch port | 1 per router interface
    Forwards LAN broadcasts? | 1 | Yes | Yes | No
    Forwards LAN multicasts? | N/A | Yes | Yes; can be optimized for less forwarding | No
    OSI layer used when making forwarding decision | N/A | Layer 2 | Layer 2 | Layer 3
    Internal processing variants | N/A | Store-and-forward | Store-and-forward, cut-through, FragmentFree | Store-and-forward
    Frame/packet fragmentation allowed? | N/A | No | No | Yes
    Multiple concurrent equal-cost paths to same destination allowed? | N/A | No | No | Yes


    6. IP ADDRESSING

    Every machine on the internet has a unique identifying number, called an IP Address. A typical IP address looks like this:

    216.27.61.45

    An IP ADDRESS is a 32-bit number, usually written in dotted decimal form, that uniquely identifies an interface of some computer. This 32-bit number is divided into 4 octets, each separated by a dot. Out of so many values, certain values are restricted from use as a typical IP address. For example, the IP address 0.0.0.0 is reserved for the default network and the address 255.255.255.255 is used for broadcast.

    Each IP address is split into 2 sections:

    1) Network address

    2) Host address

    Individual IP addresses in the same network all have a different value in the host part of the address, but they have an identical value in the network part, just as in a town there are different street addresses but the same ZIP code.

    There are five IP classes:

    Class A- This class is for very large networks, such as a major international company. IP addresses with a first octet from 1 to 126 are part of this class. The other three octets are each used to identify each host.

    Net | Host or Node
    54 | 24.54.43

    Loopback- The IP address 127.0.0.1 is used as the loopback address. This means that it is used by the host computer to send a message back to itself. It is commonly used for troubleshooting and network testing.

    Class B- Class B is used for medium-sized networks. A good example is a large college campus. IP addresses with a first octet from 128 to 191 are part of this class. Class B addresses also include the second octet as part of the Net identifier. The other two octets are used to identify each host.

    Net | Host or Node
    145.24 | 53.198


    Class C- Class C addresses are commonly used for small to mid-size businesses. IP addresses with a first octet from 192 to 223 are part of this class. Class C addresses also include the second and third octets as part of the Net identifier. The last octet is used to identify each host.

    Net | Host or Node
    196.54.34 | 86

    Class D- It is used for multicast. It has a first bit value of 1, second bit value of 1, third bit value of 1 and fourth bit value of 0. The other 28 bits are used to identify the group of computers the multicast message is intended for.

    Net | Host or Node
    224 | 24.54.145

    Class E- It is used for experimental purposes only.

    Net | Host or Node
    240 | 23.45.105

    Private IP

    It is not necessary that every time we make a network we are connected to some ISP (Internet Service Provider). So in that case we require some private IPs also, which can be used in in-house networks. In each class a range of IP addresses has been defined for this purpose:

    CLASS A 10.0.0.1 to 10.255.255.244

    CLASS B 172.16.0.1 to 172.34.255.254

    CLASS C 192.168.0.0/16

    MASKING

    Computers use a mask to define the size of the network and host parts of an address. A mask is a 32-bit number written in dotted decimal form. It provides us the network address when we perform a Boolean AND of the mask with the IP address. It also defines the number of host bits in an address.

    Class of address | Size of network part of address, in bits | Size of host part of address, in bits | Default mask for each class of network
    A | 8 | 24 | 255.0.0.0
    B | 16 | 16 | 255.255.0.0
    C | 24 | 8 | 255.255.255.0


    SUBNETTING

    Basically it is a process of subdividing networks into smaller subnets. In case we have 2-3 small networks but we can't buy IP addresses for each and every network, we use the basic concept of SUBNETTING, i.e. using one public IP address we give them IP addresses and make them independent networks. For this we take some bits of the host address and use them for the network address, so we get different independent networks.

    Address Format when Subnetting Is Used (class A, B, C respectively):

    Class A: Network (8 bits) | Subnet (24-x bits) | Host (x bits)
    Class B: Network (16 bits) | Subnet (16-x bits) | Host (x bits)
    Class C: Network (24 bits) | Subnet (8-x bits) | Host (x bits)

    Due to this, the mask changes to a subnet mask, and now the network address also includes the subnet address.

    Example

    If the subnet mask is 255.255.240.0 and the IP address of a computer is given as 142.16.52.4, then:

    142.16.0.0 is the network address

    0.0.48.0 is the subnet address

    0.0.4.4 is the host address of the computer

    10001110.00010000.00110100.00000100 is ANDed with 11111111.11111111.11110000.00000000

    and the output is 10001110.00010000.00110000.00000000

    Here the first two octets represent the network address and the third octet represents the subnet address. It can be compared with a postal address, as there is only one ZIP code (network address), different streets (subnet address), and different house numbers (host address).
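The classful network / subnet / host split worked above, carried out in code for any address and mask. This is an added example, not from the report; it assumes the class ranges from section 6 and the default masks from the masking table, and it also rejects masks that are not contiguous or that are shorter than the class default, two cases the text does not cover.

```python
"""Classful network / subnet / host decomposition, as in the subnetting example.

Added example, not from the report. Assumes the class A/B/C default masks from
the masking table and the first-octet class ranges from section 6.
"""
import ipaddress
from typing import Dict

DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}
ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def to_binary(dotted: str) -> str:
    """Dotted-decimal to the dotted-binary form used in the text."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))


def address_class(dotted: str) -> str:
    """Classify by first octet, using the ranges given in section 6."""
    first = int(dotted.split(".")[0])
    if first == 0:
        return "reserved"
    if 1 <= first <= 126:
        return "A"
    if first == 127:
        return "loopback"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    if 224 <= first <= 239:
        return "D"
    return "E"


def decompose(ip: str, subnet_mask: str) -> Dict[str, object]:
    """Split ip into its network, subnet and host parts under subnet_mask."""
    cls = address_class(ip)
    if cls not in DEFAULT_MASK:
        raise ValueError(f"class {cls} addresses are not subnetted this way")
    ip_i, mask = to_int(ip), to_int(subnet_mask)
    default = to_int(DEFAULT_MASK[cls])
    host_part = ~mask & ALL_ONES
    # A valid mask is a run of 1s followed by 0s, so ~mask + 1 is a power of two.
    if host_part & (host_part + 1):
        raise ValueError(f"{subnet_mask} is not a contiguous mask")
    # Host bits are borrowed for subnets, so the mask must keep the classful bits.
    if mask & default != default:
        raise ValueError(f"{subnet_mask} is shorter than the class {cls} default")
    return {
        "class": cls,
        "network": to_dotted(ip_i & default),         # classful network bits
        "subnet": to_dotted(ip_i & mask & ~default),  # borrowed host bits
        "host": to_dotted(ip_i & host_part),          # remaining host bits
        "anded": to_dotted(ip_i & mask),              # ip AND subnet mask
        "subnet_bits": bin(mask & ~default & ALL_ONES).count("1"),
        "host_bits": bin(host_part).count("1"),
    }


if __name__ == "__main__":
    result = decompose("142.16.52.4", "255.255.240.0")
    print(to_binary("142.16.52.4"), "AND", to_binary("255.255.240.0"))
    print("=", to_binary(str(result["anded"])))
    for key, value in result.items():
        print(f"{key:>12}: {value}")
```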

    Some terminologies that are used with networking models:

    Collision Domain- It is the group of PCs in which a collision will occur when two PCs transmit data simultaneously.

    Broadcast Domain- It is the group of PCs that will receive the same broadcast message.

    CSMA/CD (Carrier Sense Multiple Access/Collision Detection)- In this protocol, when a PC wants to transmit any packet it senses the carrier, i.e. the path; only if no other PC is using the carrier does it send. If two PCs start sending


    data simultaneously, a collision will occur. Both PCs will wait for some random time and then initiate the same process.

    MAC (Media Access Control)- The IEEE 802.3 (Ethernet) and 802.5 (Token Ring) are the MAC sublayers of these two LAN data-link protocols.

    Burned-in address: The 6-byte address assigned by the vendor making the card. It is usually burned into a ROM or EEPROM on the LAN card and begins with a 3-byte organizationally unique identifier (OUI) assigned by the IEEE.

    Locally administered address: Through configuration, an address that is used instead of the burned-in address.

    Unicast address: Fancy term for a MAC that represents a single LAN interface.

    PASSIVE COMPONENTS: Passive components are those devices which are used to provide connectivity between different networking devices.

    It includes:

    Cables

    Patch Panel

    Patch Cord

    I/O box

    Racks

    RJ-45 Connectors


7. LAN SOLUTION

7.1 CUSTOMER REQUIREMENT

There is a company which has 3 offices, and the offices are in different cities. Connectivity between these three offices is the main requirement to be fulfilled.

In each office there are four different departments, each department on a different floor.

In building I, at each floor there are 20 users and also at the 3rd floor t.

In building II, at floors 1 and 2 there are 20 users each, and at the 3rd floor there are 40 users.

The bandwidth requirement of each user is 100 Mbps, while the bandwidth requirement for the server is 1 Gbps.

All floors must be connected to a central switch to be placed at the 2nd floor in the office, and the connectivity should be via optical fiber.

Everywhere there should be structured cabling.

Every switch should be provided with one GBIC slot for future connectivity of a server.

Everywhere smart and managed switches should be used.

7.2 SOLUTION

Looking at the requirement, it is clear that we require a switch that has 20 ports and also 2 GBIC slots (one for optical fiber connectivity and one free slot, as demanded for future use).

Keeping this in consideration, we can use the HCL 24 Port Managed Stackable Switch, as this switch has 24 ports and 2 GBIC slots and is a managed switch as well.

With this 24 port switch we will use a 24 port HCL-made patch panel, and for connectivity of the patch panel with the switch we require 3 ft patch cords. As structured cabling is a must, we require UTP cable and I/O boxes, and to connect PCs with the I/O boxes we require 7 ft patch cords. Here we will use Cat5e UTP cable because the bandwidth requirement is 100 Mbps.

This pattern of connecting the users to the switch will be followed at each and every floor, but at the 3rd floor of building II there are 40 users, so here instead of 1 switch we require 2 switches.

At the 3rd floor of building I, 2 servers are also present whose bandwidth requirement is 1 Gbps. So now we have two options: either to connect them with UTP cable or with fiber optic cable. Here we will use fiber optic, as we are already using it, so there is no need to spend money on UTP Cat 6 cable. So here we will simply use a fiber optic patch cord to connect the servers to the switch.

Now only one thing is left, i.e. the connection of the switches to a central switch placed at the 2nd floor of building II.

As the connection requirement is via optical fiber, at the central location we require a switch having all its ports as GBIC slots, and the number of ports should not be more than 8 as there are only 7 24-port switches in use (one optical cable line from each switch).

As the distance between the two offices is only 200 meters, here we will use multimode optical fiber, and that too of FX type, and as the cable is to be laid in the open, outdoor armoured cable will be used.

The connectivity diagram, the bill of material and the specification sheet for the solution are given in the following pages.

7.3 SPECIFICATION SHEET

HCL-24TMS-2S-W
HCL 24 Port Managed Stackable Switch
STANDARDS - IEEE802.3 (Ethernet), IEEE802.3a (Fast Ethernet), IEEE802.2ab (Gigabit Ethernet), IEEE802.3z (1000BaseSX/LX)
PORTS - 24 port auto-negotiation 10Base-T/100Base-TX; 2 optional modular expansion ports (1000Base-T, 1000Base-LX/SX/FX)
MAC ADDRESSES - 4K
BANDWIDTH - 12 Gbps
SWITCHING RATE - 6.6 Mbps
SNMP (Simple Network Management Protocol) - Yes, and supports RFC1157
WEB MANAGEABLE - Yes

PC-C305-E
CAT 5e CABLE
Enhanced CAT 5 350 MHz UTP bulk cable
4 pairs, solid, grey
Length: 305 meters

PC-JP24-E
PATCH PANEL
Unshielded 24 port RJ-45 jack for performance @ rated 100 Mbps
Fully compliant with CAT 5e T568A/B standards
1.6 mm metallic patch panel, 19'' rack mount frame, 1U, fully powder coated black

PC-MC3-GE
3 ft. patch cord
3 ft. enhanced CAT 5 350 MHz grey patch cord, UTP twisted pair with black snagless flange boot

PC-MC7-GE
7 ft. patch cord
7 ft. enhanced CAT 5 350 MHz grey patch cord, UTP twisted pair with black snagless flange boot

PF-CM6-A-OM2
Outdoor armoured fiber optic cable - multimode
Construction: corrugated steel tape armoured cable construction
Multimode 62.5/125 µm cable
No. of cores: 6 fibre core cable
Length: 1 meter

PF-PMSC-SC-3D-50
SC-SC duplex patch cord, multimode
Patch cord cable: 50/125 µm multimode
Patch cord connectors: SC/ST connectors, MM patch cords
OFC patch cord is duplex type of 3 m length

PF-COSC-M
SC connector, multimode
Easy connection & disconnection
Pull-push type

PF-CPSC-M
SC coupler, MM (included in the fiber patch panel)
Low insertion loss
Type: SC - SC

PF-LIU-12U
12 core LIU (Line Insertion Unit)
Wall mount 12 way fibre jack panel
Base unit + 12 MM SC couplers with panel

PF-LIU-6U
6 core LIU (Line Insertion Unit)
Wall mount 6 way fibre jack panel
Base unit + 6 MM SC couplers with panel

8. ROUTER

8.1 ROUTER INTERNAL COMPONENTS

Like a computer, a router has a CPU that varies in performance and capabilities depending upon the router platform. It typically has 4 types of memory in it:

ROM - It is used to store the router's bootstrap startup program, operating system software, and power-on diagnostic test programs. We can also upgrade our ROM.

FLASH MEMORY - It holds the operating system image(s). Flash memory is erasable, reprogrammable ROM. Our IOS software is present in this memory and we can upgrade it also. Flash content is retained even when we switch off or restart the router.

RAM - It is used to store operational information such as routing tables and the router's running configuration file. RAM also provides caching and packet buffering capabilities. Its content is lost when we switch off or restart the router. When we configure the router, we are actually writing into RAM.

NVRAM - It is used to store the router's startup configuration file. It does not lose data when power is switched off, so the contents of the startup configuration file are maintained even when we switch off or restart the router.

8.2 ROUTER'S NETWORK INTERFACES

Ethernet or Token Ring interfaces are configured to allow connection to a LAN.

Synchronous serial interfaces are configured to allow connections to WANs.

ISDN BRI interfaces are configured to allow connection to an ISDN WAN.

All Cisco routers have a console port that provides an EIA/TIA-232 asynchronous serial connection. The console port can be connected to a computer's serial connection to gain terminal access to the router.

Most routers also have an auxiliary port that is very similar to the console port but is typically used for a modem connection for remote router management.

8.3 CONFIGURING THE ROUTER

There are three methods for configuring the router:

1) Through the console port: The console port is used for configuring a router locally with the help of a PC or a laptop. The console port of the router is connected to the serial, i.e. COM, port of the PC. The detailed configuration is given in the following section.

2) Through the AUX port: The aux (auxiliary) port is accessed from a modem located far away from the router through the PSTN (Public Switched Telephone Network), and the configuration is done.

3) Through Telnet: Lines vty (virtual terminal) 0 to 4 are used for configuring the router by telnet.

8.4 Configuring the Router through the Console port

We use the HyperTerminal program to open a console session and log into the router locally.

This console connection allows us to connect to and communicate with the router without having to connect to the network to which it belongs. The PC becomes the console that allows us to enter commands and communicate directly with the router. To set up a console session, we use the workstation's Windows HyperTerminal (terminal emulation) program. First of all we configure the COM port settings, then log into the router to interact with the IOS command line interface (CLI). These are the COM port settings:

9600 (bits per second)
8 (data bits)
N (parity: none)
1 (stop bit)
On/off (flow control)

After pressing Enter or OK to accept these settings, we come across a blank window. This is a session window.

The following steps are adopted to access a router through the console port with a Windows based PC.

Access HyperTerminal: Start Menu > Programs > Accessories > Communication > HyperTerminal

Connect to the device of the PC

COM 1 Settings

Hyper terminal Screen

After connecting, the router will boot, and after booting the following procedure is adopted.

Router> enable

A prompt asking for the password will now appear on the screen, like this:

Password:

Write the password here. This is done to secure access to the router. After this,

Router#

will appear on the screen; this shows that we are in privileged mode, and now we enter configuration mode.

Router# configure terminal

This is done to enter configuration mode. Now the configuration of the router starts.

Now we will assign an IP address to each and every interface connected to the router. The subnet mask should be given with proper care. The following steps are to be followed.

For configuring an Ethernet interface:

Router# config terminal
Router (config)# interface ethernet 0
Router (config-if)# ip address 223.8.151.1 255.255.255.0
Router (config-if)# no shutdown
Router (config-if)# exit

For configuring a serial interface:

Router (config)# interface serial 0
Router (config-if)# ip address 204.204.7.1 255.255.255.0
Router (config-if)# no shutdown
Router (config-if)# exit
Router (config)# interface serial 1
Router (config-if)# ip address 199.6.13.2 255.255.255.0
Router (config-if)# no shutdown
Router (config-if)# exit

8.5 ROUTING PROTOCOLS

8.5.1 ROUTING INFORMATION PROTOCOL (RIP)

RIP is a dynamic, distance vector routing protocol. RIP uses UDP port 520 for route updates.

RIP calculates the best route based on hop count. This makes RIP very fast to converge. RIP sends full table updates at regular intervals specified by the route-update timer (30 seconds is the default). This means that a RIP router summarizes all routes it knows along classful boundaries and sends the summary information to all other RIP routing devices. RIP updates can contain up to 25 messages.

RIP TIMERS

TIMER     DEFAULT    CONTROLS
update    30 sec.    Interval between route update advertisements.
timeout   180 sec.   Interval a route should stay 'live' in the routing table. This counter is reset every time the router hears an update for this route.
flush     240 sec.   How long to wait from the time the route was received to delete a route (60 seconds after timeout).

The routing-update timer controls the time between routing updates. The default is usually 30 seconds, plus a small random delay to prevent all RIP routers from sending updates simultaneously.

The route-timeout timer controls when a route is no longer available. The default is usually 180 seconds. If a router has not seen the route in an update during this interval, it is dropped from the router's announcements. The route is maintained long enough for the router to advertise the route as down (hop count of 16).

The route-flush timer controls how long before a route is completely flushed from the routing table. The default setting is usually 120 seconds.

BASIC RIP CONFIGURATION

According to the recollection of InetDaemon, configuring a Cisco router for a basic RIP configuration would look something like this:

router> enable
Password:
router# conf t
router(config)# interface ethernet 0
router(config-if)# ip address 192.168.42.1 255.255.255.0
router(config-if)# interface ethernet 1
router(config-if)# ip address 192.168.43.1 255.255.255.0
router(config-if)# exit
router(config)# router rip
router(config-router)# network 192.168.42.0
router(config-router)# network 192.168.43.0
router(config-router)# exit
router(config)# ^Z
router#

The example above assumes that the interfaces that will be running RIP have IP addresses on them that fall within the 192.168.42.0 and 192.168.43.0 class C ranges.

8.5.2 IGRP

IGRP is a distance-vector routing protocol that uses a composite metric which, by default, takes bandwidth and delay as parameters instead of hop count. IGRP is not limited to the 15-hop limit of RIP: it has a maximum hop limit of 100 by default and can be configured to support a network diameter of 255.

With IGRP, routers usually select paths with a larger minimum-link bandwidth over paths with a smaller hop count. Links do not have a hop count; they are exactly one hop. IGRP is available only on Cisco routers. IGRP will load-balance traffic if there are several paths with equal cost to the destination.

IGRP sends its routing table to its neighbors every 90 seconds. IGRP's default update period of 90 seconds is a benefit compared to RIP, which can consume excessive bandwidth when sending updates every 30 seconds. IGRP uses an invalid timer to mark a route as invalid after 270 seconds (three times the update timer). As with RIP, IGRP uses a flush timer to remove a route from the routing table; the default flush timer is set to 630 seconds (seven times the update period and more than 10 minutes).

If a network goes down or the metric for the network increases, the route is placed in holddown. The router accepts no new changes for the route until the holddown timer expires. This prevents routing loops in the network. The default holddown timer is 280 seconds (three times the update timer plus 10 seconds).

IGRP Timer    Default Time
Update        90 seconds
Invalid       270 seconds
Holddown      280 seconds
Flush         630 seconds
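To make the RIP timers of section 8.5.1 and the IGRP timers above concrete, here is an added example (not code from the report or from Cisco) of a small distance-vector route table that applies the update, timeout/invalid, holddown and flush timers to one learned route. The timer values are the defaults from the two tables (for RIP the flush value 240 from the RIP timer table is used), the neighbours "A" and "B" and the prefix are constructed, and the holddown handling is a simplified model of the behaviour the text describes: while a route is in holddown no change to it is accepted.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not from the report): a distance-vector route table that
# applies the update / invalid (RIP: timeout) / holddown / flush timers
# described for RIP and IGRP. Timer values are the defaults from the report's tables.

UNREACHABLE = 16   # RIP's "infinity" hop count; used here as the down marker for both profiles

@dataclass(frozen=True)
class Timers:
    update: int
    invalid: int                       # RIP calls this the timeout timer
    flush: int
    holddown: Optional[int] = None     # the report's RIP table lists no holddown

RIP = Timers(update=30, invalid=180, flush=240)
IGRP = Timers(update=90, invalid=270, flush=630, holddown=280)

@dataclass
class Route:
    prefix: str
    metric: int
    next_hop: str
    last_heard: float
    holddown_until: Optional[float] = None

class DistanceVectorTable:
    def __init__(self, timers):
        self.timers = timers
        self.routes = {}               # prefix -> Route

    def receive_update(self, now, prefix, metric, next_hop):
        """Apply one advertised route; returns a word describing what happened."""
        r = self.routes.get(prefix)
        if r is None:
            self.routes[prefix] = Route(prefix, metric, next_hop, now)
            return "added"
        if r.holddown_until is not None and now < r.holddown_until:
            return "ignored (holddown)"      # no changes accepted until holddown expires
        r.holddown_until = None
        if next_hop == r.next_hop:
            # The neighbour we already use: trust it even if the metric got worse,
            # but a worse metric starts holddown (IGRP) so a stale path is not reinstalled.
            if metric > r.metric and self.timers.holddown is not None:
                r.holddown_until = now + self.timers.holddown
            r.metric, r.last_heard = metric, now
            return "refreshed"
        if metric < r.metric:
            r.metric, r.next_hop, r.last_heard = metric, next_hop, now
            return "replaced"
        return "ignored (no better)"

    def age(self, now):
        """Run the timers; returns the list of timer events that fired."""
        events = []
        for prefix in list(self.routes):
            r = self.routes[prefix]
            silent = now - r.last_heard
            if silent >= self.timers.flush:
                del self.routes[prefix]
                events.append(f"{prefix}: flushed after {silent:.0f}s of silence")
            elif silent >= self.timers.invalid and r.metric != UNREACHABLE:
                r.metric = UNREACHABLE        # kept in the table, but advertised as down
                if self.timers.holddown is not None:
                    r.holddown_until = now + self.timers.holddown
                events.append(f"{prefix}: timed out, advertised with metric {UNREACHABLE}")
        return events

    def advertisement(self):
        """What this router would put in its next periodic update."""
        return {p: r.metric for p, r in self.routes.items()}

if __name__ == "__main__":
    t = DistanceVectorTable(RIP)
    t.receive_update(0, "10.0.0.0", 1, "A")
    t.receive_update(30, "10.0.0.0", 1, "A")
    for now in (209, 210, 269, 270):      # neighbour A then falls silent
        print(now, t.age(now), t.advertisement())
```

Run stand-alone, the script shows the RIP sequence: the route stays live until 180 seconds after the last update, is advertised with metric 16 from then on, and disappears at 240 seconds. With the IGRP profile, a route that has timed out enters holddown, and an alternative path offered during those 280 seconds is ignored until the holddown expires.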


8.6 IP ACCESS LIST

IP access lists cause a router to discard some packets based on criteria defined by the network engineer. The goal of these filters is to prevent unwanted traffic in the network, whether to prevent hackers from penetrating the network or just to prevent employees from using systems that they should not be using.

Key features of access lists:

Packets can be filtered as they enter an interface, before the routing decision.

Packets can be filtered before they exit an interface, after the routing decision.

Deny is the term used in Cisco IOS software to imply that the packet will be filtered. Permit is the term used in Cisco IOS software to imply that the packet will not be filtered. The filtering logic is configured in the access list.

At the end of every access list is an implied "deny all traffic" statement. Therefore, if a packet does not match any of your access list statements, it is blocked.

Access lists have two major steps in their logic: matching and action. Matching logic examines each packet and determines whether it matches the access-list statement. As soon as an access-list statement is matched, there are two actions to choose from: deny and permit. Deny means to discard the packet, and permit implies that the packet should continue on its way.
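The matching-then-action logic described above, including first-match ordering and the implied deny at the end of the list, as an added example that is not code from the report or from Cisco IOS. It evaluates a small subset of Cisco-style extended access-list syntax (protocol, source and destination with wildcard masks, an optional destination port); the three statements and the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not from the report): a minimal evaluator for extended
# access-list statements that shows the two steps the text describes,
# matching (top to bottom, first match wins) and action (permit/deny), plus
# the implicit "deny any" at the end of every list. Wildcard masks are the
# inverse masks IOS uses: a 1 bit means "don't care".

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dst_port: Optional[int]
    text: str              # the original statement, kept for reporting

def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))

def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (addr, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def parse_acl(lines):
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError(f"unsupported statement: {line!r}")
        src, src_wild, rest = _parse_addr(tok[4:])
        dst, dst_wild, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append(Rule(tok[2], tok[3], src, src_wild, dst, dst_wild, port, line))
    return rules

def _matches(addr, rule_addr, wildcard):
    care = ~wildcard & 0xFFFFFFFF      # compare only the bits the wildcard marks as significant
    return (addr & care) == (rule_addr & care)

def evaluate(rules, proto, src, dst, dst_port=None):
    """Return (action, statement) for the first matching rule, or the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (_matches(s, r.src, r.src_wild) and _matches(d, r.dst, r.dst_wild)):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action, r.text
    return "deny", "implicit deny at end of list"

# Constructed sample list: block telnet from one subnet to a server, allow its
# web traffic, then allow everything else from the wider 10.1.0.0 range.
SAMPLE_ACL = parse_acl([
    "access-list 101 deny tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 23",
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.10 eq 80",
    "access-list 101 permit ip 10.1.0.0 0.0.255.255 any",
])

if __name__ == "__main__":
    for pkt in [("tcp", "10.1.1.5", "10.2.2.10", 23), ("tcp", "10.1.1.5", "10.2.2.10", 80),
                ("tcp", "10.1.5.9", "10.2.2.10", 23), ("tcp", "192.168.1.1", "10.2.2.10", 80)]:
        print(pkt, "->", evaluate(SAMPLE_ACL, *pkt))
```

The third test packet is the instructive one: telnet from 10.1.5.9 is permitted, because the deny statement's wildcard 0.0.0.255 only covers 10.1.1.x and the packet falls through to the broad permit. Order and wildcard width decide the outcome, which is why a list should be read top to bottom when reviewing it.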


9. FIREWALL

9.1 Introduction

As the reach of networking keeps increasing, the danger of information leaking in and leaking out increases. So a mechanism is required to keep good bits in and bad bits out, and for this we use a FIREWALL.

A firewall is a device of some kind that separates and protects our network, in most cases from the Internet. It restricts traffic to only what is acceptable, and monitors what is happening. Every firewall has at least two network interfaces, one for the network it is intended to protect, and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet.

It may be a hardware device or a software program running on a secure host computer. Hardware device means a physical device connected at the gateway which checks every incoming or outgoing packet. Software program means that software loaded on a computer determines what to allow and what to reject.

A firewall examines all traffic routed between the two networks to see if it meets certain criteria. A firewall filters both inbound and outbound traffic.

9.2 Technologies

There are three different types of firewall technologies:

1) Packet Filtering
2) Proxy
3) Stateful Inspection

Packet Filtering

A packet filtering firewall simply inspects incoming traffic at the transport layer of the OSI model. The packet filtering firewall analyzes TCP or UDP packets and compares them to a set of established rules called an Access Control List (ACL). Packet filtering inspects a packet only for the following elements:

Source IP address
Source Port
Destination IP address
Destination Port
Protocol

Proxy

When a proxy firewall is installed, no PC makes a direct connection to the outside world. In that case they use the proxy, i.e. each PC first sends its request to the proxy, which then forwards the request to the internet or outside world for connection or data transfer.

Stateful Inspection

It is a combination of packet filtering and proxy services. This is the most secure technology and provides the most functionality, because connections are not only checked against the ACL but are also logged into a state table. After a connection is established, all session data is compared to the state table. If the session data does not match the state table information for that connection, the connection is dropped.
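The difference between the first and third technologies above, shown as an added example that is not code from the report: the same three packets are judged by a stateless packet filter, which sees only the five header fields listed, and by a stateful inspector, which records each permitted outbound connection in a state table and admits inbound packets only when they belong to one. All addresses and ports are constructed.

```python
from dataclasses import dataclass

# Added example (not from the report): a stateless packet filter next to a
# stateful inspector, to show what the state table buys. Addresses are constructed.

@dataclass(frozen=True)
class Packet:
    direction: str     # "out": inside -> outside, "in": outside -> inside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class PacketFilter:
    """Stateless: every packet is judged on its own header fields only.
    To let replies to web requests back in, it has to accept any inbound
    packet whose source port is 80/443, whoever sent it."""
    def __init__(self, outbound_ports, inbound_source_ports):
        self.outbound_ports = set(outbound_ports)
        self.inbound_source_ports = set(inbound_source_ports)

    def check(self, pkt):
        if pkt.direction == "out":
            return pkt.dport in self.outbound_ports
        return pkt.sport in self.inbound_source_ports

class StatefulInspector:
    """Stateful: an allowed outbound connection is recorded in the state table;
    an inbound packet is accepted only if it belongs to a recorded connection."""
    def __init__(self, outbound_ports):
        self.outbound_ports = set(outbound_ports)
        self.state_table = set()   # (proto, inside ip, inside port, outside ip, outside port)

    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.dport not in self.outbound_ports:
                return False
            self.state_table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reverse 5-tuple must already be in the table.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state_table

    def close(self, pkt):
        """Remove the entry when the session ends (FIN/RST seen, or an idle timeout)."""
        self.state_table.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

# Constructed traffic: one legitimate web session and one unsolicited inbound
# packet that merely happens to carry source port 80.
REQUEST = Packet("out", "tcp", "10.10.10.5", 51000, "203.0.113.7", 80)
REPLY = Packet("in", "tcp", "203.0.113.7", 80, "10.10.10.5", 51000)
UNSOLICITED = Packet("in", "tcp", "198.51.100.9", 80, "10.10.10.5", 22)

def compare():
    """Return {packet name: (packet-filter verdict, stateful verdict)}, True meaning permit."""
    pf = PacketFilter(outbound_ports={80, 443}, inbound_source_ports={80, 443})
    si = StatefulInspector(outbound_ports={80, 443})
    return {name: (pf.check(p), si.check(p))
            for name, p in (("request", REQUEST), ("reply", REPLY), ("unsolicited", UNSOLICITED))}

if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:12} packet filter: {'permit' if stateless else 'deny'}   "
              f"stateful: {'permit' if stateful else 'deny'}")
```

The packet filter must permit the unsolicited packet, because on its five fields alone it is indistinguishable from a reply; the stateful inspector denies it because no inside host opened a connection to 198.51.100.9. Real stateful firewalls also expire table entries, which is why the inspector includes a close() method.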

9.3 Configuring the Firewall

Five basic commands are used to do a basic configuration of the firewall:

interface
nameif
ip address
nat
global

interface Command

The interface command identifies the interface hardware card, sets the speed of the interface and enables the interface, all in one command.

SYNTAX: interface hardware_id hardware_speed [shutdown]

hardware_id indicates the interface's physical location on the firewall.
hardware_speed indicates the connection speed. There are various options provided to us by the firewall regarding speed:
1000sxfull - Sets full-duplex Gigabit Ethernet.
1000basesx - Sets half-duplex Gigabit Ethernet.
1000auto - Automatically detects and negotiates full/half duplex.
10full - Sets 10 Mbps full-duplex Ethernet.
100full - Sets 100 Mbps full-duplex Ethernet.
shutdown - This parameter administratively shuts down the interface.

nameif command

It is used to name an interface and assign a security level from 1 to 99. The outside and inside interfaces are named by default and have default security values of 0 and 100, respectively. By default, the interfaces have their hardware ID. Ethernet 0 is the outside interface, and Ethernet 1 is the inside interface.

SYNTAX: nameif hardware_id if_name security_level

hardware_id - Indicates the interface's physical location on the firewall.
if_name - The name by which we refer to this interface.
security_level - A numerical value from 1 to 99 indicating the security level.

Examples:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security20

We can see the configuration by using the show nameif command.

ip address Command

All the interfaces must be configured with an IP address. The ip address command is used to configure IP addresses on the interfaces. The ip address command binds a logical address (IP address) to the hardware ID.

SYNTAX: ip address if_name ip_address [netmask]

if_name - The interface name that was configured using the nameif command.
ip_address - The interface's IP address.
netmask - The appropriate network mask. If the mask value is not entered, the firewall assigns a classful network mask.

Example: ip address inside 10.10.10.14 255.255.255.0

We can see the configuration by using the show ip command.

nat Command

The nat (Network Address Translation) command translates a set of IP addresses to another set of IP addresses.

SYNTAX: nat (if_name) nat_id local_ip [netmask]

(if_name) - The internal network interface name.
nat_id - The ID number to match with the global address pool.
local_ip - The IP address that is translated. This is usually the inside network IP address.
netmask - Network mask for the local IP address.

There are two types of NATing:

1) Static: For example, there is a Google server and we don't want to make its IP address public, so we change its IP address using the nat command in the firewall, and now users will log on to this new IP. This results in more security, as every time the traffic has to pass through the firewall.

2) Dynamic: If there are lots of PCs in a network and all want to access the internet, it is not practical for every PC to be provided with an independent public IP, so at the firewall level we change every PC's private IP to a public IP.

Examples:
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 172.16.1.0 255.255.255.0

global Command

The global command is used to define the address or range of addresses that the addresses defined by the nat command are translated into. It is important that the nat_id be identical to the nat_id used in the nat command. The nat_id pairs the IP addresses defined by the global and nat commands so that network translation can take place.

SYNTAX: global (if_name) nat_id global_ip | global_ip-global_ip [netmask]

(if_name) - The external network where you use these global addresses.
nat_id - Identifies the global address and matches it with the nat command it is pairing with.
global_ip - A single IP address. When a single IP address is specified, the firewall automatically performs Port Address Translation (PAT).
global_ip-global_ip - Defines a range of global IP addresses to be used by the firewall to NAT.
netmask - The network mask for the global IP address(es).
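How the nat and global commands pair up through nat_id, and the difference between a global address range (dynamic NAT, one outside address per active inside host) and a single global address (PAT, many hosts behind one address told apart by port), as an added example that is not code from the report or from the firewall vendor. The inside networks are the report's own nat examples (split across two nat_ids here), the outside addresses are constructed, and the pool and port bookkeeping is a simplified model rather than the firewall's real algorithm.

```python
import ipaddress
from itertools import count

# Added example (not from the report): a model of nat/global pairing,
# dynamic NAT from an address pool, and PAT behind a single address.
# Addresses are constructed; the bookkeeping is a simplification.

class Translator:
    def __init__(self):
        self.nat = {}          # nat_id -> [IPv4Network of local addresses]
        self.globals = {}      # nat_id -> ("pool", [ip, ...]) or ("pat", ip)
        self.xlate = {}        # (local ip, local port) -> (global ip, global port)
        self._pat_ports = count(1024)

    def nat_cmd(self, if_name, nat_id, local_ip, netmask):
        """nat (if_name) nat_id local_ip netmask"""
        net = ipaddress.IPv4Network((local_ip, netmask), strict=False)
        self.nat.setdefault(nat_id, []).append(net)

    def global_cmd(self, if_name, nat_id, global_spec):
        """global (if_name) nat_id global_ip | global_ip-global_ip"""
        if "-" in global_spec:                     # a range: pool for dynamic NAT
            lo, hi = (int(ipaddress.IPv4Address(x)) for x in global_spec.split("-"))
            pool = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
            self.globals[nat_id] = ("pool", pool)
        else:                                      # a single address: PAT
            self.globals[nat_id] = ("pat", global_spec)

    def _nat_id_for(self, local_ip):
        addr = ipaddress.IPv4Address(local_ip)
        for nat_id, nets in self.nat.items():
            if any(addr in n for n in nets):
                return nat_id
        return None

    def translate(self, local_ip, local_port):
        """Return (global ip, global port) for an inside flow, or None if it is not translated."""
        key = (local_ip, local_port)
        if key in self.xlate:
            return self.xlate[key]
        nat_id = self._nat_id_for(local_ip)
        if nat_id is None or nat_id not in self.globals:
            return None                            # no nat/global pair covers this host
        kind, spec = self.globals[nat_id]
        if kind == "pat":
            mapping = (spec, next(self._pat_ports))    # shared address, unique port
        else:
            in_use = {l_ip: g_ip for (l_ip, _), (g_ip, _) in self.xlate.items()}
            if local_ip in in_use:
                g_ip = in_use[local_ip]            # host already holds a pool address
            else:
                free = [ip for ip in spec if ip not in in_use.values()]
                if not free:
                    return None                    # pool exhausted
                g_ip = free[0]
            mapping = (g_ip, local_port)           # plain NAT keeps the port
        self.xlate[key] = mapping
        return mapping

def build_sample():
    """The report's nat examples paired with a 3-address pool (id 1) and a PAT address (id 2)."""
    fw = Translator()
    fw.nat_cmd("inside", 1, "10.10.10.0", "255.255.255.0")
    fw.global_cmd("outside", 1, "192.0.2.10-192.0.2.12")
    fw.nat_cmd("inside", 2, "172.16.1.0", "255.255.255.0")
    fw.global_cmd("outside", 2, "198.51.100.1")
    return fw

if __name__ == "__main__":
    fw = build_sample()
    for host, port in (("10.10.10.5", 40000), ("10.10.10.6", 40000), ("10.10.10.7", 1),
                       ("10.10.10.8", 1), ("172.16.1.7", 5000), ("172.16.1.8", 5000)):
        print(f"{host}:{port} ->", fw.translate(host, port))
```

The fourth inside host under nat_id 1 gets None: a three-address pool can serve only three concurrent hosts, which is the capacity question to ask when sizing a global range, whereas the PAT pair keeps handing out new ports on its single address.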


10. WLAN (WIRELESS LAN)

In a traditional LAN each computer physically connects to the network via wires and a network port. A Wireless Local Area Network (WLAN) is a network that provides the same services but without the need for physical connections between the computers and the network. Wireless LANs offer many advantages over traditional wired networks, such as mobility, flexibility, scalability and speed, simplicity and reduced cost of installation. A WLAN typically uses radio waves, which allow network PC cards plugged into a PC/laptop to connect to a traditional Ethernet LAN. IEEE developed the 802.11 standards to provide wireless networking technology like wired Ethernet.

10.1 STANDARDS

IEEE developed the 802.11 standards to provide wireless networking technology. With time-to-time development in the field, three standards have been finalized: 802.11(a), 802.11(b), 802.11(g).

                        802.11(b)    802.11(a)     802.11(g)
Max. bit rate (raw)     11 Mb/s      54 Mb/s       54 Mb/s
Max. bit rate (net)     5.5 Mb/s     22-26 Mb/s    17-22 Mb/s
Frequency band          2.4 GHz      5 GHz         2.4 GHz
Range @ max. rate       57 m         12 m          19 m
Unit cost               100%         120%          110%
Coverage cost           100%         2000%         500%
No. of channels         3            8             4

The IEEE 802.11a standard is the most widely adopted one because it operates in the licensed 5 GHz band while the others are unlicensed, and also it provides the maximum number of channels and the maximum bit rate of the three standards.

10.2 TOPOLOGIES

There are two topologies on which a WLAN works:

1) Infrastructure Network
2) Ad hoc Network

10.2.1 INFRASTRUCTURE NETWORK

It is useful for providing wireless coverage of building or campus areas. This is the topology used when there are many access points in a single location. By deploying multiple Access Points (APs) with overlapping coverage areas, organizations can achieve broad network coverage. A laptop or other mobile device may move from AP to AP while maintaining access to the resources of the LAN. Each client is equipped with a wireless network interface card (NIC) that consists of the radio transceiver and the logic to interact with the client machine and software, while the AP is essentially a radio transceiver on one side and the wired backbone on the other.

10.2.2 AD HOC NETWORK

This topology is used when we have to interconnect mobile devices that are in the same area (e.g., in the same room). In this architecture, client stations are grouped into a single geographic area and can be internetworked without access to the wired LAN (infrastructure network). The ad hoc configuration is similar to a peer-to-peer office network in which no node is required to function as a server. In ad hoc mode there is no need for any AP, as all devices are wirelessly connected to each other.


11. INTRUSION DETECTION SYSTEM (IDS)

An IDS is a security countermeasure. It monitors network traffic, watches for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network.

A firewall simply blocks openings into your network/system, but cannot distinguish between good and bad activity. Therefore, if you need to allow an opening to a system (like a web server), then a firewall cannot protect against intrusion attempts against this opening. In contrast, intrusion detection systems can monitor for hostile activity on these openings.

11.1 HIDS

Host Intrusion Detection Systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator of suspicious activity if detected.

11.2 NIDS

Network Intrusion Detection Systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally you would scan all inbound and outbound traffic; however, doing so might create a bottleneck that would impair the overall speed of the network.

When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log-on attempt is best accomplished with network-based IDS.

There are four basic techniques used to detect intruders:

1) Anomaly detection
2) Misuse detection (signature detection)
3) Target monitoring

Anomaly Detection

Designed to uncover abnormal patterns of behavior, the IDS establishes a baseline of normal usage patterns, and anything that widely deviates from it gets flagged as a possible intrusion. An example of this would be if a user logs on and off of a machine 20 times a day instead of the normal 1 or 2. Also, if a computer is used at 2:00 AM when normally no one outside of business hours should have access, this should raise some suspicion. At another level, anomaly detection can investigate user patterns, such as profiling the programs executed daily. If a user in the graphics department suddenly starts accessing accounting programs or compiling code, the system can properly alert its administrators.

Misuse Detection or Signature Detection

This method uses specifically known patterns of unauthorized behavior to predict and detect subsequent similar attempts. These specific patterns are called signatures. For host-based intrusion detection, one example of a signature is "three failed logins."
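The "three failed logins" signature above, implemented over authentication log lines as an added example that is not code from the report or from any IDS product. The sshd-style log lines are constructed, the year is assumed (syslog timestamps carry none), and the signature is evaluated per source address inside a sliding time window, so three failures spread over half an hour, like the second source in the sample, do not count as one burst at the default window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example (not from the report): host-based signature detection for
# "N failed logins from one source within a time window", run over constructed
# sshd-style syslog lines. The year is assumed because syslog omits it.

SAMPLE_LOG = """\
Mar 10 09:00:01 gw sshd[1201]: Failed password for admin from 192.0.2.50 port 40001 ssh2
Mar 10 09:00:05 gw sshd[1202]: Failed password for admin from 192.0.2.50 port 40002 ssh2
Mar 10 09:00:30 gw sshd[1203]: Accepted password for alice from 10.10.10.21 port 50123 ssh2
Mar 10 09:00:41 gw sshd[1204]: Failed password for root from 192.0.2.50 port 40003 ssh2
Mar 10 09:07:00 gw sshd[1205]: Failed password for bob from 10.10.10.22 port 50200 ssh2
Mar 10 09:20:00 gw sshd[1206]: Failed password for bob from 10.10.10.22 port 50201 ssh2
Mar 10 09:40:00 gw sshd[1207]: Failed password for bob from 10.10.10.22 port 50202 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_line(line, year=2011):
    """Return (timestamp, result, user, source) or None for lines the signature ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_failed_logins(log_text, threshold=3, window_seconds=300):
    """Signature: `threshold` failed logins from one source inside `window_seconds`."""
    recent = defaultdict(deque)      # source -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()              # slide the window forward
        if len(q) >= threshold:
            alerts.append({"src": src, "count": len(q), "last_user": user, "at": ts.isoformat()})
            q.clear()                # one alert per burst, then start counting again
    return alerts

if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOG):
        print("ALERT", alert)
```

Widening the window to an hour makes the slow sequence from 10.10.10.22 match as well; the threshold and window are the tuning knobs that trade missed slow attempts against false alerts from users mistyping a password.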


Target Monitoring

These systems do not actively search for anomalies or misuse, but instead look for the modification of specified files. This is more of a corrective control, designed to uncover an unauthorized action after it occurs in order to reverse it. One way to check for the covert editing of files is by computing a cryptographic hash beforehand and comparing this to new hashes of the file at regular intervals. This type of system is the easiest to implement, because it does not require constant monitoring by the administrator. Integrity checksum hashes can be computed at whatever intervals you wish, and on either all files or just the mission/system critical files.
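Target monitoring as described above, as an added example that is not code from the report: baseline a directory tree with SHA-256 hashes, take a later snapshot, and report which files were modified, added or removed. The file tree it builds is a throw-away sample constructed in a temporary directory; in real use the baseline has to be stored where someone who can alter the monitored files cannot also alter the baseline.

```python
import hashlib
import os
import tempfile

# Added example (not from the report): file-integrity checking by comparing
# a stored baseline of cryptographic hashes against a fresh snapshot.

def file_hash(path, algorithm="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root):
    """Map every file under root (relative path) to its hash."""
    snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snapshot[os.path.relpath(full, root)] = file_hash(full)
    return snapshot

def compare(old, new):
    """Report the differences between two snapshots, sorted for stable output."""
    return {
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }

def demo():
    """Build a throw-away tree, baseline it, change it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(data)

        # Constructed sample files standing in for system-critical ones.
        write("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        write("bin/ls", "original binary contents\n")
        before = baseline(root)

        write("bin/ls", "replaced contents\n")          # covert edit of a binary
        write("etc/rc.local", "new startup script\n")   # unexpected new file
        os.remove(os.path.join(root, "etc/hosts"))      # deleted file
        return compare(before, baseline(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}", paths)
```

The interval between snapshots bounds how long a change can go unnoticed, and the hash must be a collision-resistant one (SHA-256 here); a CRC or MD5 checksum does not give the "covert editing" guarantee the text relies on.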

Passive IDS

A passive IDS simply detects and alerts. When suspicious or malicious traffic is detected, an alert is generated and sent to the administrator or user, and it is up to them to take action to block the activity or respond in some way.

Reactive IDS

A reactive IDS will not only detect suspicious or malicious traffic and alert the administrator, but will take pre-defined proactive actions to respond to the threat. Typically this means blocking any further network traffic from the source IP address or user.

An IDS is required to be properly configured to recognize what is normal traffic on your network vs. what might be malicious traffic, and you, or the administrators responsible for responding to IDS alerts, need to understand what the alerts mean and how to respond effectively.

WAN SOLUTION

REQUIREMENT

There is one CBC (Central Billing Center) which is required to be connected with 28 BGCs (Bill Generation Centers). As further locations are connected to each BGC location, it is required to use a router at each location.

The CBC router must have these specifications:

4 numbers of 10/100 Fast Ethernet interfaces.
20 numbers of V.35 interfaces to receive the data coming from the BGCs via optical fiber / leased line.
2 numbers of ISDN BRI ports.
Four numbers of synchronous serial interfaces for 64 kbps leased line connectivity.

The BGC router must have these specifications:

2 port 10/100 Mbps Ethernet interface.
Sufficient serial WAN interface ports.

All the BGC locations are to be connected to the central location with point-to-point connectivity. The BGC locations have leased line connectivity of 128 Kbps, which can be upgraded to 2 Mbps. The leased line connectivity is to be provided by an ISP.

SOLUTION

As per the requirement, the proposed solution is to have point-to-point connectivity between the central location and the 28 BGC locations. There is a Cisco 1841 router at each of the BGC locations. They are connected to a 2 Mbps leased line modem pair, HCL-Gateway 2M-2W, through the serial port. The modem at the customer end is connected to a modem at the ISP side. In the same way, the central location, having a Cisco 3845 router, is connected to 28 nos. of 2 Mbps leased line modem pairs.

The connectivity diagram and the bill of material required for the solution are given in the following pages.


    12. INTEGRATED SERVICES DIGITAL NETWORK (ISDN)

    ISDN's primary goal is the integration of voice and non-voice services. ISDN is actually a set of communication protocols proposed by telephone companies that allows them to carry a group of digital services that simultaneously convey data, text, voice, music, graphics, and video to end users, and it was designed to achieve this over the telephone systems already in place.

    12.1 CHANNELS

    There are two types of channels:

    1) B channel
    2) D channel

    B channel

    Bearer channels (B channels) are used to transport data. B channels are called bearer channels because they bear the burden of transporting the data. B channels operate at speeds of up to 64 kbps.

    D channel

    D channels are used for signaling. They are used to establish the session before the data is actually transferred.

    12.2 ISDN INTERFACES

    Types of ISDN interfaces:

    1) Basic Rate Interface (BRI)
    2) Primary Rate Interface (PRI)

    Both BRI and PRI provide multiple digital bearer channels over which temporary connections can be made and data can be sent.

    BRI: ISDN Basic Rate Interface (BRI, also known as 2B+1D) service provides two B channels and one D channel. The BRI B-channel service operates at 64 Kbps and carries data, while the BRI D-channel service operates at 16 Kbps and usually carries control and signaling information.

    PRI: According to American standards, the ISDN Primary Rate Interface (PRI, also known as 23B+D) service delivers 23 64 Kbps B channels and one 64 Kbps D channel for a total bit rate of up to 1.544 Mbps. According to European standards, ISDN provides 30 64 Kbps B channels and one 64 Kbps D channel for a total bit rate of up to 2.048 Mbps.

    12.3 ISDN Function Groups and Reference Points

    Function group: A set of functions implemented by a device and software.

    Reference point: The interface between two function groups, including cabling details.


    Router A is ordered with an ISDN BRI U reference point, referring to the I.430 reference point defining the interface between the customer premises and the ISP.

    Router B is bought with an ISDN BRI S/T interface, implying that it must be cabled to a function group NT1 device. An NT1 function group device must be connected to the ISP line through a U reference point; the S/T interface defines the connection to Router B. Router B is called a TE1 (Terminal Equipment 1) function group device.

    Non-ISDN equipment is called a TE2 (Terminal Equipment 2) device and is attached using the R reference point to a terminal adapter (TA) function group device. Alternatively, a TE1 can connect using an S reference point to an NT2 function group.

    Function Groups:

    1) TE1 (Terminal Equipment 1): ISDN-capable equipment using a four-wire cable. Understands signaling and 2B+D. Uses an S reference point.

    2) TE2 (Terminal Equipment 2): Equipment that does not understand ISDN protocols and specifications (no ISDN awareness). Uses an R reference point, typically an RS-232 or V.35 cable, to connect to a TA.

    3) TA (Terminal Adapter): Equipment that uses R and S reference points. Can be thought of as the TE1 function group on behalf of a TE2.

    4) NT1 (Network Termination): Connects with a U reference point (two-wire) to the ISP. Connects with T or S reference points to other customer premises equipment.

    12.4 Reference Points

    R: between TE2 and TA.

    S: between TE1 or TA and NT2.

    T: between NT2 and NT1.

    U: between NT1 and ISP.


    SNAPSHOTS


    FUTURE SCOPE OF THE PROJECT

    Communication, security, speed and congestion requirements are constantly changing in the modern world, so new and different routing techniques should be introduced. Communicating in your own secure private network and managing it in your own way is therefore the future scope of the project.

    This model can be extended with any application to provide a basic authorization service.

    LIMITATIONS

    Wireless networking signals are subject to interference from a wide variety of other signals.

    Slows down the speed considerably.

    Needs an explicit preprocessing of the router configuration to satisfy the constraints.

    IP access list construction is not very efficient.

    _____________________________________________________


    CONCLUSION

    EVERY GREAT ACHIEVEMENT IS DONE SLOWLY.

    The project Implementation Of A Secure And Configurable Private Network plays an important role in our career. This project has been quite interesting for us. The specialty of this project is that it provides a very simple interface to carry out the idea of establishing a secure private network of computers.

    We have worked to our best level to make this project a USER FRIENDLY ONE, so that users are able to use this project freely and with no difficulty.

    This project has undergone many changes at many steps and still has a lot to investigate in this field, but this work encouraged us.

    Success and failure are never final. It is the courage that counts.

    At the end, we would again like to thank each and every person who directly or indirectly contributed to this project to help make it a success.

    It is well said:

    PROGRESS IS THE ACTIVITY OF TODAY AND THE ASSURANCE OF TOMORROW.

    _____________________________________________________