Designing a Bank Network

2013-11-13

INTRODUCTION

In the old days, business was done using papers and flat registers. Organizing these registers was difficult and storing huge amounts of data was a real problem. Preparing a report also took a lot of time. When computers were introduced into the business field, everything changed. Databases were used to store and organize huge amounts of data. Instead of spending many hours (or maybe days) preparing a report, a query consisting of a number of statements can perform the job in seconds.

Although databases were very useful, another problem appeared. Companies and corporations spread over wide distances. A single company can have branches in all the governorates of a country and maybe some branches outside that country. Data communication and sharing was a problem. This problem was solved using computer networks, which are the best way to communicate data. Nowadays, computer networks are essential for any business. They are used for file transfer, voice and video conferencing. For this reason, we have chosen our final project to discuss networks from different sides.

In our project, we have selected the network of the Shamil Bank of Yemen and Bahrain to study. Banks rely heavily on computer networks to transfer data between their branches. These networks should be designed to be as good as possible to achieve the best performance. Security should also be maintained to prevent any attack coming from outside or inside the bank's network.

Our project consists of two parts. Part one starts by explaining a number of topics that should be understood in order to redesign the network to achieve the recommendations. Part one is divided into three chapters. Chapter one studies the network devices that will be used in the project. Chapter two explains wireless networks in detail. Chapter three is about network security.
Part two focuses on the process of redesigning the network based on the bank's needs and our recommendations. It consists of four chapters, starting with chapter four, which analyzes the current network with its advantages and disadvantages. That chapter ends with the recommendations the bank is advised to follow when designing the new network. Chapter five deals with the topology of the network and the possible solutions for connecting the bank's remote branches to the central branch. Chapter six concerns the security aspects that the network must be designed to take care of. Chapter seven deals with the process of creating wireless networks in some branches. Appendix (A) shows the topology and configuration of the main routers used in the simulation.

Chapter One: Networks Fundamentals

1.1 Introduction

In the previous chapter, the current network of the bank was discussed. That chapter ended with four recommendations for improving the network. Before moving to the techniques that will be used to achieve them, we first cover some important networking topics. This chapter starts by studying network types. Then the different network devices are studied. After that, we discuss the transmission media used in networking. Finally, we study the basics of IP addressing and routing protocols.

1.2 Network Types

In this section we study the different types of computer networks that should be understood in order to design a network.

1.2.1 LAN

A LAN is a high-speed, fault-tolerant data network that covers a relatively small geographic area. It typically connects workstations, personal computers, printers, and other devices. LANs offer computer users many advantages, including shared access to devices and applications, file exchange between connected users, and communication between users via electronic mail and other applications.
Network infrastructures can vary greatly in terms of:
• The size of the area covered
• The number of users connected
• The number and types of services available

An individual network usually spans a single geographical area, providing services and applications to people within a common organizational structure, such as a single business, campus or region. This type of network is called a Local Area Network (LAN). A LAN is usually administered by a single organization. The administrative control that governs the security and access control policies is enforced at the network level.

1.2.2 WAN

When a company or organization has locations separated by large geographical distances, it may be necessary to use a telecommunications service provider (TSP) to interconnect the LANs at the different locations. TSPs operate large regional networks that can span long distances. Traditionally, TSPs transported voice and data communications on separate networks. Increasingly, these providers offer converged information network services to their subscribers. Individual organizations usually lease connections through a TSP network. These networks that connect LANs in geographically separated locations are referred to as Wide Area Networks (WANs). Although the organization maintains all of the policies and administration of the LANs at both ends of the connection, the policies within the communications service provider network are controlled by the TSP. WANs use specifically designed network devices to make the interconnections between LANs. Because of the importance of these devices to the network, configuring, installing and maintaining them are skills that are integral to the operation of an organization's network. LANs and WANs are very useful to individual organizations. They connect the users within the organization.
They allow many forms of communication, including e-mail exchange, corporate training, and other resource sharing.

1.2.3 MAN

A metropolitan-area network (MAN) is a network that spans a metropolitan area. Generally, a MAN spans a larger geographic area than a LAN but a smaller one than a WAN.

1.2.4 Internetwork

An internetwork is a group of interconnected networks. Some of these interconnected networks are owned by large public and private organizations, such as government agencies or industrial enterprises, and are reserved for their exclusive use. The most well-known and widely used publicly accessible internetwork is the Internet. The Internet is created by the interconnection of networks belonging to Internet Service Providers (ISPs). These ISP networks connect to each other to provide access for millions of users all over the world. Ensuring effective communication across this diverse infrastructure requires the application of consistent and commonly recognized technologies and protocols, as well as the cooperation of many network administration agencies.

1.3 Wired Network Devices

There are many devices used for networking. From these, we select the following devices to explain.

1.3.1 Network Hub

A network hub is a device for connecting multiple twisted-pair or fiber-optic Ethernet devices together, making them act as a single network segment. Hubs work at the physical layer (layer 1) of the OSI model. A network hub is a fairly unsophisticated broadcast device. Hubs do not manage any of the traffic that comes through them: any packet entering any port is repeated out on every other port (other than the port of entry). Since every packet is sent out through every other port, packet collisions result, which greatly impedes the smooth flow of traffic. Figure 1-1 shows a simple hub.

Figure 1-1, Network Hub

1.3.2 Network Switch

A network switch is a computer networking device that connects network segments.
The term commonly refers to a network bridge that processes and forwards data at the data link layer (layer 2) of the OSI model. A standard 10/100 Ethernet switch operates at the data link layer to create a separate collision domain per switch port. If you have four computers A, B, C and D on four switch ports, then A and B can transfer data between them at the same time as C and D, and they will never interfere with each other's conversations. With a hub, they would all have to share the bandwidth, run in half duplex, and there would be collisions and retransmissions. Using a switch in this way is called micro-segmentation. It gives every computer dedicated bandwidth on a point-to-point connection and therefore allows full-duplex operation with no collisions. Figure 1-2 shows a simple network switch.

Figure 1-2, Network Switch

1.3.3 Router

A router is a network layer device that uses one or more metrics to determine the optimal path along which network traffic should be forwarded. Routers forward packets from one network to another based on network layer information. Figure 1-3 shows the Cisco 7600 router series.

Figure 1-3, Cisco 7600 series

1.4 Wireless Network Devices

Wired and wireless networks use the same basic types of components to build the network.

1.4.1 Wireless Network Cards

Each computer that needs to be connected to the network requires a network card to be installed in it. In a desktop computer, the card is usually installed inside the computer, most commonly in one of the PCI expansion slots common in tower or desktop PC configurations. On a wireless card, a short aerial, about 10 cm (4 inches), protrudes outside the computer and can be swiveled about to receive the best signal. In a laptop computer, the card would most likely be installed in one of the PCMCIA slots in the side of the laptop.
On a wireless card, about 2 cm (3/4 inch) of the card protrudes beyond the slot to act as the aerial. On Apple Macintosh computers, the AirPort card is installed inside the computer and is not visible from the outside. Sample wireless network cards are shown in figure 1-4.

Figure 1-4, Wireless cards

A third possibility is to connect the card to the computer via a USB cable. In this case, the aerial will be on the card, which can be placed anywhere the USB cable allows, up to 5 meters (16 feet 4 inches) from the computer. The card is powered through the USB cable, so no additional power supply is required. Figure 1-5 shows a USB wireless card.

Figure 1-5, USB wireless card

The wireless card will come with installation software. As well as providing a means of controlling the card and establishing the network, the software usually provides some visual indication of signal strength, so that the aerial or card position can be adjusted to obtain the best signal.

1.4.2 Wireless Access Point

Most existing computer networks are based on network cables (wires) that plug into sockets on the wall. The wires behind these sockets are routed back to a central location where they are plugged into a hub, either directly or via a patch panel. (Patch panels provide greater flexibility when configuring or reconfiguring the physical connections in the network.) The hub is a box with (commonly) 4, 8, 16 or 32 sockets on it; to communicate on the network, each computer's network card has to be connected to one of the sockets on the hub. When all the sockets on the hub are used, no more computers can be attached. To overcome this limitation, most wired hubs can be 'cascaded' together, so when all the sockets on one hub have been used, a second hub can be connected to make more sockets available.
Of course, these extra sockets require cabling between them and the computers; installing this is a costly and often disruptive operation. The wireless alternative to the hub is a wireless access point (WAP). When the WAP is powered on, it becomes the point of communication for the wireless cards in each of the computers configured to connect to it. Any wireless-enabled computer that works with the same or a compatible wireless standard can then be configured to link up with this access point. If the access point is linked to an existing hub that offers shared services such as file, print and Internet connections, these can be made immediately available to the wireless computer. All that is required is software configuration; no manipulation or installation of wires. Figure 1-6 shows a wireless access point.

Figure 1-6, Wireless Access Point

It is not necessary to connect the wireless access point to a wired network for the wireless part of the network to function, although this may require manual configuration of IP addresses on each wireless card. When a wireless network uses a wireless access point, it is configured in infrastructure mode.

1.4.3 Wireless Broadband Routers

For many community access or learning situations, a requirement is that the network is connected to the Internet. A connection to the Internet can be established with a router, a firewall and an ADSL modem. A number of manufacturers provide these in a single unit, and also include a small wired hub with, for example, four ports, so that both wired and wireless devices can join a local network. In addition, such broadband routers can be set up to offer DHCP services to the local network and include a basic firewall, so a complete local network with a shared Internet connection can be established with this single unit.
When choosing a broadband wireless router, look carefully at the specification of the unit to determine what it contains, as different manufacturers offer different configurations. Many broadband routers do NOT include the ADSL modem, so if your ISP does not provide one, you will have to provide it as a separate device. If you are using an ISP that provides Internet via cable, ensure that any router with a built-in modem supports a cable connection. Figure 1-6 shows a wireless broadband router.

Figure 1-6, Wireless Broadband Router

1.4.4 Wireless Bridges

A wireless bridge is a way of joining two remote LANs together wirelessly. A typical application might be where you have two LANs in separate buildings and would like to join them without running a cable between the buildings. A wireless bridge is required on each LAN, and the two bridges need to be within wireless range of each other. The range of a wireless bridge is usually slightly greater than that of a wireless access point, typically 350 m for an 802.11g device, due to the design of the aerial. Wireless bridges are usually designed so that a large aerial, which can be mounted outdoors to maximize range, can replace the rod aerial normally fitted. It is also possible to replace the omni-directional rod aerial with a directional dish aerial, which can increase the bridging distance to several miles when the antennae are correctly installed and configured. Wireless bridges are not normally required in a small installation, but are mentioned here because they may be relevant to some installations. Figure 1-7 shows a wireless bridge.

Figure 1-7, Wireless Bridge

1.5 Transmission Media

There are three basic forms of network media on which data is represented:
• Copper cable
• Fiber
• Wireless

1.5.1 Copper cable

The most commonly used medium for data communications is cabling that uses copper wires to signal data and control bits between network devices.
Cabling used for data communications usually consists of a series of individual copper wires that form circuits dedicated to specific signaling purposes. Another type of copper cabling, known as coaxial cable, has a single conductor that runs through the center of the cable and is encased by, but insulated from, the outer shield. The copper media type chosen is specified by the Physical layer standard required to link the Data Link layers of two or more network devices.

Unshielded twisted-pair (UTP) cabling, as used in Ethernet LANs, consists of four pairs of color-coded wires that have been twisted together and then encased in a flexible plastic sheath. UTP cabling, terminated with RJ-45 connectors, is a common copper-based medium for interconnecting network devices, such as computers, with intermediate devices, such as routers and network switches. Different situations may require UTP cables to be wired according to different wiring conventions. This means that the individual wires in the cable have to be connected in different orders to different sets of pins in the RJ-45 connectors. The main cable types obtained by using specific wiring conventions are:
• Ethernet Straight-through
• Ethernet Crossover
• Rollover

Table 1-1 describes the different copper cable connections.

Console: Console connections can be made between PCs and routers or switches. Certain conditions must be met for the console session from the PC to work: the speed on both sides of the connection must be the same, the data bits must be 7 for both or 8 for both, the parity must be the same, the stop bits must be 1 or 2 (but they do not have to be the same), and the flow control can be anything for either side.

Copper Straight-through: This cable type is the standard Ethernet medium for connecting devices that operate at different OSI layers (such as hub to router, switch to PC, and router to hub). It can be connected to the following port types: 10 Mbps Copper (Ethernet), 100 Mbps Copper (Fast Ethernet), and 1000 Mbps Copper (Gigabit Ethernet).

Copper Cross-over: This cable type is the Ethernet medium for connecting devices that operate at the same OSI layer (such as hub to hub, PC to PC, PC to printer). It can be connected to the following port types: 10 Mbps Copper (Ethernet), 100 Mbps Copper (Fast Ethernet), and 1000 Mbps Copper (Gigabit Ethernet).

Fiber: Fiber media is used to make connections between fiber ports (100 Mbps or 1000 Mbps).

Phone: Phone line connections can only be made between devices with modem ports. The standard application for modem connections is an end device (such as a PC) dialing into a network cloud.

Coaxial: Coaxial media is used to make connections between coaxial ports, such as on a cable modem.

Serial DCE and DTE: Serial connections, often used for WAN links, must be made between serial ports. Note that you must enable clocking on the DCE side to bring up the line protocol; DTE clocking is optional. You can tell which end of the connection is the DCE side by the small "clock" icon next to the port. If you choose the Serial DCE connection type and then connect two devices, the first device will be the DCE side and the second will automatically be set as the DTE side. The reverse is true if you choose the Serial DTE connection type.

Table 1-1, the Different Copper Cable Connections

1.5.2 Fiber optic media

Fiber-optic cabling uses either glass or plastic fibers to guide light impulses from source to destination. The bits are encoded on the fiber as light impulses. Optical fiber cabling is capable of very large raw data bandwidth rates. Most current transmission standards have yet to approach the potential bandwidth of this medium. Optical fiber implementation issues include:
• More expensive (usually) than copper media over the same distance (but for a higher capacity).
• Different skills and equipment required to terminate and splice the cable infrastructure.
• More careful handling than copper media.

1.5.3 Wireless Links

You can establish wireless links between access points and end devices (PCs, servers, and printers). To establish a link, simply remove the existing module on an end device, insert a wireless module, and turn on the device. The device will automatically try to associate itself with an access point. Typically, this means it will associate (physically) with the nearest access point. However, if two or more access points are in the same closet, the distance from any access point to any end device is essentially the same. In this case, an end device will associate with the access point that was created first. Recall that the logical topology does not reflect physical distances, and everything that is created in the Logical Workspace is initially placed in the same wiring closet in the Physical Workspace.

1.6 IP Addressing

One of the most important topics in any discussion of TCP/IP is IP addressing. An IP address is a numeric identifier assigned to each machine on an IP network. It designates the specific location of a device on the network. An IP address is a software address, not a hardware address—the latter is hard-coded on a network interface card (NIC) and used for finding hosts on a local network. IP addressing was designed to allow hosts on one network to communicate with a host on a different network regardless of the type of LANs the hosts are participating in.

1.6.1 The Network Address

The network address (which can also be called the network number) uniquely identifies each network. Every machine on the same network shares that network address as part of its IP address. In the IP address 172.16.30.56, for example, 172.16 is the network address. The node address is assigned to, and uniquely identifies, each machine on a network.
This part of the address must be unique because it identifies a particular machine—an individual as opposed to a network, which is a group. This number can also be referred to as a host address. In the sample IP address 172.16.30.56, the 30.56 is the node address.

The designers of the Internet decided to create classes of networks based on network size. For the small number of networks possessing a very large number of nodes, they created the Class A network. At the other extreme is the Class C network, which is reserved for the numerous networks with a small number of nodes. The class for networks between very large and very small is predictably called the Class B network. To ensure efficient routing, the Internet designers defined a mandate for the leading bits of the address for each network class. For example, since a router knows that a Class A network address always starts with a 0, the router might be able to speed a packet on its way after reading only the first bit of its address. This is where the address scheme defines the difference between a Class A, a Class B, and a Class C address.

Network Address Range: Class A

The designers of the IP address scheme said that the first bit of the first byte in a Class A network address must always be off, or 0. This means a Class A address must be between 0 and 127 in the first byte, inclusive. Consider the following network address:

0xxxxxxx

If we turn the other 7 bits all off and then all on, we find the Class A range of network addresses:

0 = 00000000
127 = 01111111

So, a Class A network is defined by a first octet between 0 and 127; it can't be less or more. In a Class A network address, the first byte is assigned to the network address and the three remaining bytes are used for the node addresses.
The Class A format is as follows:

network.node.node.node

Class A network addresses are 1 byte long, with the first bit of that byte reserved and the remaining 7 bits available for addressing. As a result, the maximum number of Class A networks that can be created is 128. Why? Because each of the 7 bit positions can be either a 0 or a 1, thus 2^7, or 128. To complicate matters further, the network address of all 0s (0000 0000) is reserved to designate the default route. Additionally, the address 127, which is reserved for diagnostics, can't be used either, which means that you can really only use the numbers 1 to 126 to designate Class A network addresses. So the actual number of usable Class A network addresses is 128 minus 2, or 126.

Network Address Range: Class B

In a Class B network, the RFCs state that the first bit of the first byte must always be turned on but the second bit must always be turned off. If you turn the other 6 bits all off and then all on, you find the range for a Class B network:

128 = 10000000
191 = 10111111

As you can see, a Class B network is defined when the first byte is configured from 128 to 191. In a Class B network address, the first 2 bytes are assigned to the network address and the remaining 2 bytes are used for node addresses. The format is as follows:

network.network.node.node

For example, in the IP address 172.16.30.56, the network address is 172.16 and the node address is 30.56. With a network address of 2 bytes (8 bits each), there would be 2^16 unique combinations. But the Internet designers decided that all Class B network addresses should start with the binary digits 1, then 0. This leaves 14 bit positions to manipulate, therefore 16,384 (that is, 2^14) unique Class B network addresses. A Class B address uses 2 bytes for node addresses. This is 2^16 minus the two reserved patterns (all 0s and all 1s), for a total of 65,534 possible node addresses for each Class B network.
Network Address Range: Class C

For Class C networks, the RFCs define the first 2 bits of the first octet as always turned on, but the third bit can never be on. Following the same process as for the previous classes, convert from binary to decimal to find the range. Here's the range for a Class C network:

192 = 11000000
223 = 11011111

So, if you see an IP address whose first octet is between 192 and 223, you know it is a Class C IP address. The first 3 bytes of a Class C network address are dedicated to the network portion of the address, with only 1 byte remaining for the node address. Here's the format:

network.network.network.node

Using the example IP address 192.168.100.102, the network address is 192.168.100 and the node address is 102. In a Class C network address, the first three bit positions are always the binary 110. The calculation is as follows: 3 bytes, or 24 bits, minus 3 reserved positions leaves 21 positions. Hence, there are 2^21, or 2,097,152, possible Class C networks. Each Class C network has 1 byte to use for node addresses. This leads to 2^8, or 256, minus the two reserved patterns of all 0s and all 1s, for a total of 254 node addresses for each Class C network.

1.6.2 Private IP Address

The people who created the IP addressing scheme also created what we call private IP addresses. These addresses can be used on a private network, but they are not routable through the Internet. This is designed to create a measure of much-needed security, but it also conveniently saves valuable IP address space. If every host on every network had to have a real routable IP address, we would have run out of IP addresses to hand out years ago. By using private IP addresses, ISPs, corporations, and home users only need a relatively tiny group of bona fide IP addresses to connect their networks to the Internet. This is economical because they can use private IP addresses on their inside networks and get along just fine.
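The classful rules of section 1.6.1 can be checked mechanically. The Python below is an added example, not code from the report or the bank project: it derives each class's first-octet range by turning the free bits all off and all on, splits an address at the class's octet boundary, and reproduces the network and node counts quoted above (126, 16,384 and 2,097,152 networks; 65,534 and 254 nodes). The function names and the three sample addresses are my own choices.

```python
# Added example (not from the report): classful IPv4 rules from section 1.6.1.
# The leading bits of the first octet decide the class; the class decides how
# many octets belong to the network and how many to the node.

LEADING_BITS = {"A": (1, 0b0), "B": (2, 0b10), "C": (3, 0b110)}  # (bit count, fixed pattern)
NETWORK_OCTETS = {"A": 1, "B": 2, "C": 3}


def parse_ipv4(addr):
    """Return the four octets of a dotted-quad string, validating each is 0..255."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    octets = []
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"bad octet {p!r} in {addr!r}")
        octets.append(int(p))
    return octets


def address_class(addr):
    """Class A/B/C from the first octet's leading bits; None for 224-255 (class D/E)."""
    first = parse_ipv4(addr)[0]
    for cls, (nbits, pattern) in LEADING_BITS.items():
        if first >> (8 - nbits) == pattern:
            return cls
    return None


def class_range(cls):
    """First-octet range for a class: free bits all off gives the low end, all on the high end."""
    nbits, pattern = LEADING_BITS[cls]
    low = pattern << (8 - nbits)
    high = low | ((1 << (8 - nbits)) - 1)
    return low, high


def split_address(addr):
    """Split into (class, network part, node part) at the class's octet boundary."""
    cls = address_class(addr)
    if cls is None:
        raise ValueError(f"{addr} is not a class A, B or C address")
    parts = addr.split(".")
    n = NETWORK_OCTETS[cls]
    return cls, ".".join(parts[:n]), ".".join(parts[n:])


def class_capacity(cls):
    """(usable networks, usable nodes per network), following the report's arithmetic."""
    nbits, _ = LEADING_BITS[cls]
    network_bits = 8 * NETWORK_OCTETS[cls] - nbits   # bits left after the fixed prefix
    networks = 2 ** network_bits
    if cls == "A":
        networks -= 2   # network 0 (default route) and 127 (diagnostics) are reserved
    node_bits = 32 - 8 * NETWORK_OCTETS[cls]
    nodes = 2 ** node_bits - 2   # all-0s and all-1s node patterns are reserved
    return networks, nodes


if __name__ == "__main__":
    for cls in "ABC":
        print(cls, "first octet", class_range(cls), "networks/nodes", class_capacity(cls))
    for a in ("10.1.2.3", "172.16.30.56", "192.168.100.102"):   # constructed samples
        print(a, "->", split_address(a))
```

`split_address("172.16.30.56")` returns `("B", "172.16", "30.56")`, matching the report's own example, and `class_capacity("A")` returns 126 networks after the two reserved values are removed.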
To accomplish this, the ISP, the corporation or the end user, whoever they are, needs to use something called Network Address Translation (NAT), which basically takes a private IP address and converts it for use on the Internet. Although most IPv4 host addresses are public addresses designated for use in networks that are accessible on the Internet, there are blocks of addresses that are used in networks that require limited or no Internet access. These addresses are called private addresses. The private address blocks are:
• 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
• 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)
• 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

Private address blocks are set aside for use in private networks. These addresses need not be unique among outside networks. Hosts that do not require access to the Internet at large may make unrestricted use of private addresses. However, internal networks must still design address schemes that ensure the hosts in the private network use IP addresses that are unique within their networking environment. Many hosts in different networks may use the same private addresses. Packets using these addresses as the source or destination should not appear on the public Internet. The router or firewall device at the perimeter of these private networks must block or translate these addresses. Even if these packets were to make their way to the Internet, the routers would not have routes to forward them to the appropriate private network.

1.6.3 Network Address Translation (NAT)

With services to translate private addresses to public addresses, hosts on a privately addressed network can have access to resources across the Internet. These services, called Network Address Translation (NAT), can be implemented on a device at the edge of the private network. NAT allows the hosts in the network to "borrow" a public address for communicating with outside networks.
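Sections 1.6.2 and 1.6.3 together describe what the perimeter device must do: translate inside hosts onto the borrowed public address, and never let a private address cross the edge in either direction. The following Python is an added example, not the report's or the bank's configuration: a simplified NAT with port overloading (many inside hosts share one public address, distinguished by port) that also drops private sources arriving from outside and inbound packets that match no existing translation. All addresses are constructed; 203.0.113.0/24 and 198.51.100.0/24 are the RFC 5737 documentation ranges, and the class and function names are my own.

```python
# Added example (not from the report): NAT with port overloading plus the
# perimeter rule from section 1.6.2. Addresses here are constructed samples.
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 blocks listed in the report.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls inside one of the three private blocks."""
    a = ipaddress.ip_address(ip)
    return any(a in block for block in PRIVATE_BLOCKS)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Edge device: rewrites inside sources to its public address and only
    admits inbound packets that match a translation an inside host created."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound_map = {}    # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Inside -> outside. Returns the translated packet, or None if dropped."""
        if is_private(pkt.dst_ip):
            return None  # private destinations must never be forwarded to the Internet
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound_map.get(key)
        if port is None:            # first packet of this conversation: allocate a port
            port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = port
            self.inbound_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Outside -> inside. Returns the un-translated packet, or None if dropped."""
        if is_private(pkt.src_ip):
            return None  # a private source arriving from outside is bogus: block at the edge
        if pkt.dst_ip != self.public_ip:
            return None  # not addressed to this gateway
        inside = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited: no inside host opened this conversation
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    """Two inside hosts reach one web server; replies, junk and leaks are handled at the edge."""
    gw = NatGateway("203.0.113.10")
    out1 = gw.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 443))
    out2 = gw.outbound(Packet("192.168.1.21", 51000, "198.51.100.5", 443))  # same inside port
    reply = gw.inbound(Packet("198.51.100.5", 443, "203.0.113.10", out1.src_port))
    unsolicited = gw.inbound(Packet("198.51.100.5", 443, "203.0.113.10", 40000))
    bogon = gw.inbound(Packet("10.0.0.9", 443, "203.0.113.10", out1.src_port))
    leak = gw.outbound(Packet("192.168.1.20", 51001, "172.16.5.5", 80))
    return {"out1": out1, "out2": out2, "reply": reply,
            "unsolicited": unsolicited, "bogon": bogon, "leak": leak}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

The two inside hosts both use source port 51000, so the gateway distinguishes them by the public port it allocates (20000 and 20001); the reply to the first conversation is mapped back to 192.168.1.20, while the unsolicited packet, the packet with a private source, and the outbound packet to a private destination are all dropped, which is the perimeter behaviour the section asks for.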
While there are some limitations and performance issues with NAT, clients for most applications can access services over the Internet without noticeable problems.

1.6.4 Public Addresses

The vast majority of the addresses in the IPv4 unicast host range are public addresses. These addresses are designed to be used by hosts that are publicly accessible from the Internet. Even within these address blocks, there are many addresses that are designated for other special purposes.

Chapter Two: Wireless Networks

2.1 Introduction

As said in chapter one, wireless networks will be used in the bank in situations where the bank branch is located far from city centers, so that there are no neighboring buildings.

2.2 Wireless Networks

Business networks today are evolving to support people who are on the move. Employees and employers, students and faculty, government agents and those they serve, sports fans and shoppers: all are mobile and many of them are "connected." Perhaps you have a mobile phone that you route instant messages to when you are away from your computer. This is the vision of a mobility environment where people can take their connection to the network along with them on the road. There are many different infrastructures (wired LAN, service provider networks) that allow mobility like this to happen, but in a business environment the most important is the WLAN. Productivity is no longer restricted to a fixed work location or a defined time period. People now expect to be connected at any time and place, from the office to the airport or even the home. Traveling employees used to be restricted to pay phones for checking messages and returning a few phone calls between flights. Now employees can check e-mail, voice mail, and the status of products on personal digital assistants (PDAs) at many temporary locations. At home, many people have changed the way they live and learn.
The Internet has become a standard service in many homes, along with TV and phone service. Even the method of accessing the Internet has quickly moved from temporary modem dial-up service to dedicated DSL or cable service. Home users are seeking many of the same flexible wireless solutions as office workers. For the first time, in 2005, more Wi-Fi-enabled mobile laptops were purchased than fixed-location desktops.

In addition to the flexibility that WLANs offer, another important benefit is reduced cost. For example, with a wireless infrastructure already in place, savings are realized when moving a person within a building, reorganizing a lab, or moving to temporary locations or project sites. On average, the IT cost of moving an employee to a new location within a site is $375 (US dollars). Another example is when a company moves into a new building that does not have any wired infrastructure. In this case, the savings from using WLANs can be even more noticeable, because the cost of running cables through walls, ceilings, and floors is largely avoided.

2.3 Definition of Wireless Networks

A wireless network enables people to communicate and access applications and information without wires. This provides freedom of movement and the ability to extend applications to different parts of a building, city, or nearly anywhere in the world. For example, people at home researching on the Internet can do so in a quiet area away from noisy children or in front of the television with the entire family nearby. Wireless networks allow people to interact with e-mail or browse the Internet from a location that they prefer.

Wireless networks have been around for many years. In fact, early forms of wireless communications include Native Americans waving buffalo skins over a fire to send smoke signals to others over great distances.
Also, the use of pulsing lights carrying information through Morse code between ships has been and still is an important form of communications. Of course, cell phones are also a type of wireless communication and are popular today for people talking to each other worldwide.

Many types of wireless communication systems exist, but a distinguishing attribute of a wireless network is that communication takes place between computer devices. These devices include personal digital assistants (PDAs), laptops, personal computers (PCs), servers, and printers. Computer devices have processors, memory, and a means of interfacing with a particular type of network. Traditional cell phones don't fall within the definition of a computer device; however, newer phones and even audio headsets are beginning to incorporate computing power and network adapters. Eventually, most electronics will offer wireless network connections.

As with networks based on wire or optical fiber, wireless networks convey information between computer devices. The information can take the form of e-mail messages, web pages, database records, streaming video, or voice. In most cases, wireless networks transfer data, such as e-mail messages and files, but advancements in the performance of wireless networks are enabling support for video and voice communications as well.

Wireless networks use either radio waves or infrared light as a medium for communication between users, servers, and databases. This type of communication is invisible to the human eye. In addition, the actual medium (air) is transparent to the user. Most manufacturers are now integrating the wireless network interface card (NIC; also referred to as an adapter) and antenna into computing devices and out of view from the user. This makes wireless computing devices mobile and easy to use.
2.4 Types of Wireless Networks

Wireless networks fall into several categories, depending on the size of the physical area that they are capable of covering. The following types of wireless networks satisfy diverse user requirements:
• Wireless Personal-Area Network (PAN)
• Wireless Local-Area Network (LAN)
• Wireless Metropolitan-Area Network (MAN)
• Wireless Wide-Area Network (WAN)

2.4.1 Wireless PANs

As Figure 2-1 illustrates, wireless PANs have relatively short range (up to 50 feet) and are most effective for fulfilling requirements within a small room or personal area. The performance of wireless PANs is moderate, with data rates up to 2 Mbps. These attributes satisfy needs for replacing cables in many situations.

Figure 2-1. Wireless PAN Enables the Interconnection of Computer Devices within Close Reach of the User

A wireless PAN, for example, might involve someone wirelessly synchronizing his PDA to a laptop or desktop computer. Likewise, a wireless PAN can provide wireless connectivity to a printer. The benefit of eliminating the tangle of wires when using computer peripherals in this fashion is extremely useful, and the initial installation and movement of peripherals is easy.

The low power consumption and small footprint of most wireless PAN transceivers make it possible to effectively support small user devices equipped with computer processors. The lower power consumption allows the computer device to operate over long periods of time without draining its battery. This, of course, avoids the need for the user to charge batteries often. The low power consumption, for example, leads to successful implementation of wireless PANs in cell phones, PDAs, and audio headsets. The phone can continuously interface with the address book in the PDA so that all phone numbers in a person's contact manager are available when making phone calls. The user can also use a wireless headset when making phone calls, or listen to digital music playing on the PDA.
This avoids hooking wires on things while working or playing. In addition, some wireless PANs can interconnect laptops and desktop PCs for the purpose of sharing Internet connections and applications. This might be suitable for a network within the confines of a room. Wireless LANs, however, consist of attributes that better support building-wide wireless connectivity.

Most wireless PANs use radio waves for carrying information through air. For example, the Bluetooth specification defines the operation of a wireless PAN operating in the 2.4-GHz frequency band with a range of 50 feet and data rates up to 2 Mbps. Furthermore, the Institute of Electrical and Electronics Engineers (IEEE) 802.15 standard incorporates the Bluetooth specification for wireless PANs. These technologies offer a reliable, long-term solution for connecting computer devices within a small area.

Some wireless PANs employ infrared light to carry information from one point to another. The Infrared Data Association (IrDA) specification defines the use of direct infrared beams to provide ranges of up to three feet and data rates as high as 4 Mbps. The advantage of infrared light is freedom from radio frequency interference, but the line-of-sight requirement between computer devices limits the placement of wireless components. An office partition, for example, blocks the path of the infrared light signal, which reduces the usability of the wireless device to a small area.

2.4.2 Wireless LANs

Wireless LANs supply high performance within and around office buildings, factories, and homes. (See Figure 2-2.) Users in these areas typically have laptops, PCs, and PDAs with large screens and processors that support higher-end applications. Wireless LANs efficiently satisfy connectivity requirements for these types of computer devices.

Figure 2-2. A Wireless LAN Enables the Interconnection of Computer Devices within the Confines of a Building

A business, for example, can install a wireless LAN to offer mobile access to corporate applications from laptops. With this type of system, a user can utilize network services from conference rooms and other places while away from their office. This allows employees to be more efficient while working away from their desks and collaborating with others. Wireless LANs easily provide levels of performance that enable the higher-end applications to run smoothly. For example, wireless LAN users can easily view a large e-mail attachment or stream video from a server. With data rates of up to 54 Mbps, a wireless LAN can satisfy just about any office or home network application. Wireless LANs are similar to traditional wired Ethernet LANs in their performance, components, costs, and operation.

Because of the widespread implementation of wireless LAN adapters in laptops, most public wireless network providers deploy wireless LANs to provide mobile, broadband access to the Internet. Users within range of a public wireless LAN at a hotspot, such as an airport or hotel, can access e-mail and browse the Internet for a fee (if the facility doesn't offer it for free). The rapid growth rate of public wireless LANs is making the Internet available to people at areas where people tend to congregate.

IEEE 802.11 is the most prevalent standard for wireless LANs, with versions operating in the 2.4-GHz and 5-GHz frequency bands. A problem with 802.11 is that there is limited interoperability among various versions of the standard. For example, a wireless LAN computer device using 802.11a adapters will not connect with another computer device that implements 802.11b. In order to solve issues with the 802.11 standard, the Wi-Fi Alliance incorporates assorted functions of 802.11 into a standard they refer to as Wireless Fidelity (Wi-Fi).
If a wireless LAN product complies with Wi-Fi, there are assurances that the product is interoperable with other Wi-Fi products. The additional openness of Wi-Fi ensures that diverse users can operate on the same wireless LAN. This is extremely important with public wireless LANs.

2.4.3 Wireless MANs

Wireless MANs encompass areas the size of cities. In most cases, applications involve fixed connectivity, but some implementations enable mobility. For example, a hospital can deploy a wireless MAN to provide data communications between the main hospital facility and a remote clinic. Or, a power utility company can install a wireless MAN throughout a city to supply access to work orders from various sites. As a result, wireless MANs can connect existing network infrastructures together or allow mobile users to communicate with an existing network infrastructure.

Wireless Internet Service Providers (WISPs) provide wireless MANs in cities and rural areas, as Figure 2-3 illustrates, to provide fixed wireless connections for homes and companies. A wireless MAN offers significant advantages when traditional wired connections (such as Digital Subscriber Line [DSL] and cable modem) are not feasible to install. Wireless MANs are effective when right-of-way restrictions make wired systems impossible or too expensive.

Figure 2-3. Wireless MAN Is an Alternative for Homes and Companies Needing to Connect to an Internet Service

Wireless MAN performance varies. Connections between buildings using infrared light can reach 100 Gbps or more, whereas radio links over a 20-mile distance might provide only 100 kbps. The actual performance depends on the choice from a wide assortment of technologies and components. Many proprietary wireless MAN solutions are on the market, but the industry is beginning to settle on the use of standards. Some vendors utilize the IEEE 802.11 standard as the basis for wireless MANs.
While the use of 802.11 systems is optimum for satisfying requirements within buildings, 802.11 solutions can connect buildings over metropolitan distances using antennae that focus transmission and reception of the signals in one direction. A greater number of companies are now beginning to deploy IEEE 802.16 systems, a relatively new standard with products just becoming available. 802.16 offers a standardized solution for deploying effective wireless MANs with performance in the megabits-per-second range over appreciable ranges. As a result, 802.16 will likely become a common standard for wireless MANs.

2.4.4 Wireless WANs

Wireless WANs offer mobile applications covering a large area, such as a country or continent. Because of economies of scale, a telecommunications operator can feasibly deploy the relatively expensive wireless WAN infrastructure to provide long-range connectivity for a large customer base. Costs such as deployment can be spread across many users, resulting in low subscriber fees. Wireless WANs, as Figure 2-4 indicates, have nearly worldwide coverage through the cooperation of multiple telecommunications companies. Well-established roaming agreements among telecommunications operators enable continuous connections for instant mobile data communications. By paying one telecommunications service provider, a user can access limited Internet services over a wireless WAN from almost anywhere in the world.

Figure 2-4. A Wireless WAN Is Capable of Supporting Mobile Applications over a Wide Area

Performance of wireless WANs is relatively low, with data rates of up to 170 kbps and typical rates of 56 kbps. This level of performance is similar to dial-up telephone modems. Special web portals, however, made to streamline information content, work efficiently with smaller devices and lower-performance networks. This makes the most of the limited bandwidth of wireless WANs.
The per-user data rates of wireless WANs are relatively low, but that is generally acceptable because of the small devices (for example, cell phones and PDAs) that people carry with them in situations where they need wireless WAN connectivity. The smaller screen sizes and limited processing power of cell phones do not require high performance. The transmission of video to a small cell phone or PDA screen can be done with lower data rates.

Wireless WAN applications involve users accessing the Internet, sending and receiving e-mails, and accessing corporate applications while away from the home and office. Subscribers to wireless WAN services, for example, can stay connected while traveling in taxis or walking throughout a city. A wireless WAN can reach more places than other types of wireless networks, enabling users to carry on business and leisure activities from many different locations.

Wireless WANs include several competing standards that are slowly evolving. For example, Cellular Digital Packet Data (CDPD) is an older technology that enables the transmission of data over analog cell phone systems with data rates of 19.2 kbps. Some companies still offer CDPD in the U.S., but it is becoming obsolete as telecommunication operators move toward Third Generation (3G) telecommunications systems, with data rates possible in the megabit-per-second range.

An issue with the deployment of wireless WAN technology is that it does not lend itself to coverage inside facilities, such as homes, offices, airports, and convention centers. Because wireless WAN infrastructure is outdoors, the radio signals of wireless WANs lose most of their strength when penetrating a facility. As a result, wireless WAN users within buildings might have poor performance and possibly no connectivity at all. Some telecommunications companies install wireless WAN systems within buildings, but this is expensive and is not feasible in most situations.
Figure 2-5 provides a general description of the types of wireless networks:

Figure 2-5. General Description of the Types of Wireless Networks

2.5 Wireless LAN Standards

802.11 wireless LAN is an IEEE standard that defines how radio frequency (RF) in the unlicensed industrial, scientific, and medical (ISM) frequency bands is used for the physical layer and the MAC sub-layer of wireless links. When 802.11 was first released, it prescribed 1-2 Mb/s data rates in the 2.4 GHz band. At that time, wired LANs were operating at 10 Mb/s, so the new wireless technology was not enthusiastically adopted. Since then, wireless LAN standards have continuously improved with the release of IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, and draft 802.11n. Figure 2-6 describes the standards for the wireless LAN.

Figure 2-6. Wireless LAN Standards

Typically, the choice of which WLAN standard to use is based on data rates. For instance, 802.11a and g can support up to 54 Mb/s, while 802.11b supports up to a maximum of 11 Mb/s, making 802.11b the "slow" standard, and 802.11a and g the preferred ones. A fourth WLAN draft, 802.11n, exceeds the currently available data rates. Figure 2-7 compares the different standards.

Figure 2-7. Wireless LAN Standards

The data rates of different wireless LAN standards are affected by something called a modulation technique. The two modulation techniques that you will reference here are Direct Sequence Spread Spectrum (DSSS) and Orthogonal Frequency Division Multiplexing (OFDM). You should be aware that when a standard uses OFDM, it will have faster data rates. Also, DSSS is simpler than OFDM, so it is less expensive to implement.

2.5.1 The 802.11a Standard

The IEEE 802.11a standard adopted the OFDM modulation technique and uses the 5 GHz band. Devices operating in the 5 GHz band are less likely to experience interference than devices that operate in the 2.4 GHz band because there are fewer consumer devices that use the 5 GHz band.
Also, higher frequencies allow for the use of smaller antennas. There are some important disadvantages to using the 5 GHz band. The first is that higher frequency radio waves are more easily absorbed by obstacles such as walls, making 802.11a susceptible to poor performance due to obstructions. The second is that this higher frequency band has slightly poorer range than either 802.11b or g. Also, some countries, including Russia, do not permit the use of the 5 GHz band, which may continue to curtail its deployment.

2.5.2 The 802.11b and 802.11g Standards

802.11b specified data rates of 1, 2, 5.5, and 11 Mb/s in the 2.4 GHz ISM band using DSSS. 802.11g achieves higher data rates in that band by using the OFDM modulation technique. IEEE 802.11g also specifies the use of DSSS for backward compatibility with IEEE 802.11b systems. DSSS data rates of 1, 2, 5.5, and 11 Mb/s are supported, as are OFDM data rates of 6, 9, 12, 18, 24, 48, and 54 Mb/s.

There are advantages to using the 2.4 GHz band. Devices in the 2.4 GHz band will have better range than those in the 5 GHz band. Also, transmissions in this band are not as easily obstructed as those of 802.11a. There is one important disadvantage to using the 2.4 GHz band. Many consumer devices also use the 2.4 GHz band and cause 802.11b and g devices to be prone to interference.

2.5.3 The 802.11n Standard

The IEEE 802.11n draft standard is intended to improve WLAN data rates and range without requiring additional power or RF band allocation. 802.11n uses multiple radios and antennae at endpoints, each broadcasting on the same frequency to establish multiple streams. The multiple input/multiple output (MIMO) technology splits a high data-rate stream into multiple lower rate streams and broadcasts them simultaneously over the available radios and antennae. This allows for a theoretical maximum data rate of 248 Mb/s using two streams.
2.5.4 Wi-Fi Certification

Wi-Fi certification is provided by the Wi-Fi Alliance, a global, nonprofit, industry trade association devoted to promoting the growth and acceptance of WLANs. You will better appreciate the importance of Wi-Fi certification if you consider the role of the Wi-Fi Alliance in the context of WLAN standards. Standards ensure interoperability between devices made by different manufacturers. Internationally, the three key organizations influencing WLAN standards are:
*ITU-R
*IEEE
*Wi-Fi Alliance

The ITU-R regulates the allocation of the RF spectrum and satellite orbits. These are described as finite natural resources that are in demand from such consumers as fixed wireless networks, mobile wireless networks, and global positioning systems.

The IEEE developed and maintains the standards for local and metropolitan area networks with the IEEE 802 LAN/MAN family of standards. IEEE 802 is managed by the IEEE 802 LAN/MAN Standards Committee (LMSC), which oversees multiple working groups. The dominant standards in the IEEE 802 family are 802.3 Ethernet, 802.5 Token Ring, and 802.11 Wireless LAN. Although the IEEE has specified standards for RF modulation devices, it has not specified manufacturing standards, so interpretations of the 802.11 standards by different vendors can cause interoperability problems between their devices.

The Wi-Fi Alliance is an association of vendors whose objective is to improve the interoperability of products that are based on the 802.11 standard by certifying vendors for conformance to industry norms and adherence to standards. Certification includes all three IEEE 802.11 RF technologies, as well as early adoption of pending IEEE drafts, such as 802.11n, and the WPA and WPA2 security standards based on IEEE 802.11i.

The roles of these three organizations can be summarized as follows:
*ITU-R regulates allocation of RF bands.
*IEEE specifies how RF is modulated to carry information.
*Wi-Fi ensures that vendors make devices that are interoperable.

2.6 CSMA/CA

Access points oversee a distributed coordination function (DCF) called Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA). This simply means that devices on a WLAN must sense the medium for energy (RF stimulation above a certain threshold) and wait until the medium is free before sending. Because all devices are required to do this, the function of coordinating access to the medium is distributed. If an access point receives data from a client station, it sends an acknowledgement to the client that the data has been received. This acknowledgement keeps the client from assuming that a collision occurred and prevents a data retransmission by the client. Figure 2-8 shows the process.

Figure 2-8. CSMA/CA

RF signals attenuate. That means that they lose their energy as they move away from their point of origin. Think about driving out of range of a radio station. This signal attenuation can be a problem in a WLAN where stations contend for the medium. Imagine two client stations that both connect to the access point, but are at opposite sides of its reach. If they are at the maximum range to reach the access point, they will not be able to reach each other. So neither of those stations senses the other on the medium, and they may end up transmitting simultaneously. This is known as the hidden node (or station) problem.

2.7 The 802.11 Topologies

Wireless LANs can accommodate various network topologies. When describing these topologies, the fundamental building block of the IEEE 802.11 WLAN architecture is the basic service set (BSS). The standard defines a BSS as a group of stations that communicate with each other.

Ad hoc Networks

Wireless networks can operate without access points; this is called an ad hoc topology. Client stations that are configured to operate in ad hoc mode configure the wireless parameters between themselves.
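The CSMA/CA and hidden node behaviour of section 2.6 can be seen in a small slot-level simulation. The following is an added example written for this chapter, not code from the project: the access point sits at x = 0, stations sense only the transmitters within their radio range, a frame that overlaps another at the access point gets no acknowledgement and is retried after a random backoff. Positions, ranges, frame lengths and slot counts are constructed values.

```python
"""Slot-level toy model of 802.11 DCF (CSMA/CA) with one access point.
Added example with constructed positions, ranges and slot counts; it is not
code from the project. It shows the ACK-or-backoff rule and why two hidden
stations collide even though each one performed carrier sense."""
import random
from dataclasses import dataclass


@dataclass
class Station:
    name: str
    x: float              # position in metres along a line; the AP sits at x = 0
    frames: int           # frames still waiting to be delivered
    backoff: int = 0      # idle slots to wait before the next attempt
    tx_left: int = 0      # slots remaining for the frame currently on the air
    collided: bool = False
    delivered: int = 0
    collisions: int = 0


def hears(a: Station, b: Station, rng: float) -> bool:
    """Carrier sense only detects energy from stations inside radio range."""
    return abs(a.x - b.x) <= rng


def simulate(stations, rng=50.0, frame_slots=3, slots=300, cw=7, seed=1):
    """Run the DCF loop and return {name: (delivered, collisions)}.

    The AP is in range of every station, so any two frames overlapping in time
    collide at the AP: no ACK is sent and both senders back off and retry.
    Stations are polled in order inside a slot, so two stations that can hear
    each other never start in the same slot (a simplification of real DCF)."""
    rand = random.Random(seed)
    on_air = []
    for _ in range(slots):
        # Carrier sense + backoff countdown for every station with a pending frame.
        for s in stations:
            if s.tx_left or s.frames == 0:
                continue
            if any(hears(s, t, rng) for t in on_air):
                continue                      # medium busy: defer, keep the backoff
            if s.backoff:
                s.backoff -= 1
                continue
            s.tx_left, s.collided = frame_slots, False
            on_air.append(s)
        # The AP sees every transmitter; more than one on the air is a collision.
        if len(on_air) > 1:
            for t in on_air:
                t.collided = True
        for t in list(on_air):
            t.tx_left -= 1
            if t.tx_left == 0:
                on_air.remove(t)
                if t.collided:                # no ACK: count it and retry after a backoff
                    t.collisions += 1
                else:                         # ACK received: frame delivered
                    t.delivered += 1
                    t.frames -= 1
                t.backoff = rand.randint(0, cw)
    return {s.name: (s.delivered, s.collisions) for s in stations}


def visible_scenario():
    """A and B are 40 m apart, inside each other's 50 m range: carrier sense works."""
    return simulate([Station("A", -20.0, 5), Station("B", 20.0, 5)])


def hidden_node_scenario():
    """A and B are each 40 m from the AP but 80 m apart: both reach the AP,
    neither hears the other, so carrier sense cannot prevent overlap."""
    return simulate([Station("A", -40.0, 5), Station("B", 40.0, 5)])


if __name__ == "__main__":
    print("in range of each other:", visible_scenario())
    print("hidden nodes:          ", hidden_node_scenario())
```

In the visible scenario every frame is acknowledged and no collision occurs, because each station defers while it hears the other. In the hidden node scenario both stations sense an idle medium, transmit at once, and the access point acknowledges neither; the collision counters show the cost that the stations themselves cannot observe.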
The IEEE 802.11 standard refers to an ad hoc network as an independent BSS (IBSS). Figure 2-9 shows an example of an ad hoc network:

Figure 2-9. Ad hoc networks

Basic Service Sets

Access points provide an infrastructure that adds services and improves the range for clients. A single access point in infrastructure mode manages the wireless parameters, and the topology is simply a BSS. The coverage area for both an IBSS and a BSS is the basic service area (BSA). See Figure 2-10.

Figure 2-10. BSS

Extended Service Sets

When a single BSS provides insufficient RF coverage, one or more BSSs can be joined through a common distribution system into an extended service set (ESS). In an ESS, one BSS is differentiated from another by the BSS identifier (BSSID), which is the MAC address of the access point serving the BSS. The coverage area is the extended service area (ESA).

Figure 2-11. ESS

2.8 Common Distribution System

The common distribution system allows multiple access points in an ESS to appear to be a single BSS. An ESS generally includes a common SSID to allow a user to roam from access point to access point. Cells represent the coverage area provided by a single channel. An ESS should have 10 to 15 percent overlap between cells in an extended service area. With a 15 percent overlap between cells, an SSID, and non-overlapping channels (one cell on channel 1 and the other on channel 6), roaming capability can be created.

2.9 The 802.11 Join Process (Association)

Before an 802.11 client can send data over a WLAN network, it goes through the following three-stage process:

Stage 1 - 802.11 probing: Clients search for a specific network by sending a probe request out on multiple channels. The probe request specifies the network name (SSID) and bit rates. A typical WLAN client is configured with a desired SSID, so probe requests from the WLAN client contain the SSID of the desired WLAN network.
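The channel rule in section 2.8 (one cell on channel 1, the neighbouring cell on channel 6) follows from the 2.4 GHz channel layout: centres are 5 MHz apart but each 802.11b/g DSSS channel is about 22 MHz wide, so overlapping cells need channel numbers at least five apart, which is why 1, 6 and 11 are the usual set. The following added example, written for this chapter and not part of the project's own planning, turns that rule into a check and a greedy channel assignment for an ESS; the corridor layout of four access points is constructed.

```python
"""2.4 GHz channel planning for an ESS. Added example with a constructed cell
layout; not the project's own tooling. A DSSS channel is about 22 MHz wide while
channel centres are 5 MHz apart, which is why cells that overlap should sit on
channels at least five numbers apart (the usual 1/6/11 set)."""

CHANNEL_WIDTH_MHZ = 22     # 802.11b/g DSSS channel width
CHANNEL_SPACING_MHZ = 5    # spacing between channel centres


def center_freq_mhz(ch: int) -> int:
    """Centre frequency of 2.4 GHz channel 1..14 (channel 14, at 2484 MHz, is a special case)."""
    if ch == 14:
        return 2484
    if not 1 <= ch <= 13:
        raise ValueError("2.4 GHz channels are numbered 1..14")
    return 2407 + CHANNEL_SPACING_MHZ * ch


def channels_overlap(a: int, b: int) -> bool:
    """Two channels interfere when their centres are closer than one channel width."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < CHANNEL_WIDTH_MHZ


def neighbours_from_edges(edges):
    """Build a symmetric adjacency map from (ap, ap) pairs whose cells overlap."""
    nb = {}
    for a, b in edges:
        nb.setdefault(a, set()).add(b)
        nb.setdefault(b, set()).add(a)
    return nb


def assign_channels(neighbours, candidates=(1, 6, 11)):
    """Greedy colouring: give each AP the first candidate channel that does not
    overlap with any channel already given to a neighbouring cell, handling the
    most constrained APs first. Raises ValueError when the candidate set is too
    small for the layout (a signal to re-site an AP or lower transmit power)."""
    plan = {}
    for ap in sorted(neighbours, key=lambda a: -len(neighbours[a])):
        used = {plan[n] for n in neighbours[ap] if n in plan}
        free = [c for c in candidates if not any(channels_overlap(c, u) for u in used)]
        if not free:
            raise ValueError(f"no non-overlapping channel left for {ap}")
        plan[ap] = free[0]
    return plan


def plan_is_valid(plan, neighbours) -> bool:
    """True when no two overlapping cells sit on interfering channels."""
    return all(not channels_overlap(plan[a], plan[b])
               for a in neighbours for b in neighbours[a])


if __name__ == "__main__":
    # Constructed branch layout: four APs along a corridor, each overlapping its neighbours.
    corridor = neighbours_from_edges([("AP1", "AP2"), ("AP2", "AP3"), ("AP3", "AP4")])
    plan = assign_channels(corridor)
    print(plan, "valid:", plan_is_valid(plan, corridor))
```

The corridor needs only two of the three channels, a triangle of mutually overlapping cells needs all three, and four cells that all overlap each other cannot be planned with 1/6/11 at all, which the function reports by raising instead of silently placing two neighbours on interfering channels.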
If the WLAN client is simply trying to discover the available WLAN networks, it can send out a probe request with no SSID, and all access points that are configured to respond to this type of query respond. WLANs with the broadcast SSID feature disabled do not respond. The process is shown in Figure 2-13.

Figure 2-13. 802.11 Probe

Stage 2 - 802.11 authentication: 802.11 was originally developed with two authentication mechanisms. The first one, called open authentication, is fundamentally a NULL authentication where the client says "authenticate me," and the access point responds with "yes." This is the mechanism used in almost all 802.11 deployments. A second authentication mechanism is based on a key that is shared between the client station and the access point, called the Wired Equivalency Protection (WEP) key. The idea of the shared WEP key is that it gives a wireless link the equivalent privacy of a wired link, but the original implementation of this authentication method was flawed. Although shared key authentication needs to be included in client and access point implementations for overall standards compliance, it is not used or recommended. Figure 2-14 shows the process.

Figure 2-14. 802.11 Authentication

Stage 3 - 802.11 association: This stage finalizes the security and bit rate options, and establishes the data link between the WLAN client and the access point. As part of this stage, the client learns the BSSID, which is the access point MAC address, and the access point maps a logical port known as the association identifier (AID) to the WLAN client. The AID is equivalent to a port on a switch. The association process allows the infrastructure switch to keep track of frames destined for the WLAN client so that they can be forwarded. Once a WLAN client has associated with an access point, traffic is now able to travel back and forth between the two devices. See Figure 2-15.
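The three stages of section 2.9 can be followed as one message exchange. The following added example is a model written for this chapter, not a real 802.11 implementation and not code from the project: the access point answers a wildcard probe only when it broadcasts its SSID, treats open authentication as the null exchange described above, refuses the shared-key algorithm, and hands out an association identifier only to an authenticated client. The authentication algorithm numbers (0 open system, 1 shared key) and the status codes 0 (success) and 13 (unsupported authentication algorithm) are the real 802.11 values; the SSID, MAC addresses and rate sets are constructed.

```python
"""Model of the three-stage 802.11 join (probe, authentication, association).
Added example with constructed SSID, MAC addresses and rates; an AP class and a
client driver, not a real 802.11 stack and not code from the project."""
from dataclasses import dataclass, field
from typing import Optional

OPEN_SYSTEM, SHARED_KEY = 0, 1                       # 802.11 authentication algorithm numbers
STATUS_SUCCESS, STATUS_UNSUPPORTED_AUTH_ALG = 0, 13  # 802.11 status codes


@dataclass
class AccessPoint:
    ssid: str
    bssid: str                                       # MAC address of the AP radio (constructed)
    rates_mbps: tuple
    broadcast_ssid: bool = True
    authenticated: set = field(default_factory=set)
    associations: dict = field(default_factory=dict)  # client MAC -> AID
    _next_aid: int = 1

    def probe_request(self, ssid: Optional[str], rates):
        """Stage 1. A wildcard probe (ssid None) is answered only when the AP
        broadcasts its SSID; a directed probe needs a matching SSID and at least
        one rate in common. Returns the probe response or None (silence)."""
        if ssid is None and not self.broadcast_ssid:
            return None
        if ssid is not None and ssid != self.ssid:
            return None
        if not set(rates) & set(self.rates_mbps):
            return None
        return {"ssid": self.ssid, "bssid": self.bssid, "rates": self.rates_mbps}

    def authentication_request(self, client_mac: str, algorithm: int) -> int:
        """Stage 2. Open system authentication is a null exchange: the AP always
        answers success. This AP refuses the deprecated shared-key (WEP) algorithm."""
        if algorithm != OPEN_SYSTEM:
            return STATUS_UNSUPPORTED_AUTH_ALG
        self.authenticated.add(client_mac)
        return STATUS_SUCCESS

    def association_request(self, client_mac: str, rates):
        """Stage 3. Only an authenticated client receives an association
        identifier (AID); the data rate is the highest one both sides support."""
        if client_mac not in self.authenticated:
            return None
        common = set(rates) & set(self.rates_mbps)
        if not common:
            return None
        if client_mac not in self.associations:
            self.associations[client_mac] = self._next_aid
            self._next_aid += 1
        return {"aid": self.associations[client_mac], "bssid": self.bssid, "rate": max(common)}


def join(ap: AccessPoint, client_mac: str, wanted_ssid: str, rates, algorithm=OPEN_SYSTEM):
    """Client side of the exchange: probe, authenticate, associate. Returns the
    association result, or None at the first stage that fails."""
    if ap.probe_request(wanted_ssid, rates) is None:
        return None
    if ap.authentication_request(client_mac, algorithm) != STATUS_SUCCESS:
        return None
    return ap.association_request(client_mac, rates)


if __name__ == "__main__":
    ap = AccessPoint("BANK-BRANCH", "00:11:22:33:44:55",
                     (1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54), broadcast_ssid=False)
    print("wildcard probe answered:", ap.probe_request(None, (1, 2, 11)) is not None)
    print("join:", join(ap, "aa:bb:cc:dd:ee:01", "BANK-BRANCH", (11, 54)))
```

With SSID broadcast disabled the wildcard probe goes unanswered while a directed probe for the right SSID still gets a response, which is the behaviour the text describes for the probing stage; an association attempt that skips authentication is refused, and each newly associated client receives the next AID, the "switch port" the access point uses to track frames for it.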
Figure 2-15. 802.11 Association

2.10 Planning the Wireless LAN

Implementing a WLAN that takes the best advantage of resources and delivers the best service can require careful planning. WLANs can range from relatively simple installations to very complex and intricate designs. There needs to be a well-documented plan before a wireless network can be implemented. In this topic, we introduce what considerations go into the design and planning of a wireless LAN.

The number of users a WLAN can support is not a straightforward calculation. The number of users depends on the geographical layout of your facility (how many bodies and devices fit in a space), the data rates users expect (because RF is a shared medium and the more users there are, the greater the contention for RF), the use of non-overlapping channels by multiple access points in an ESS, and transmit power settings (which are limited by local regulation). You will have sufficient wireless support for your clients if you plan your network for proper RF coverage in an ESS.

When planning the location of access points, you may not be able to simply draw coverage area circles and drop them over a plan. The approximate circular coverage area is important, but there are some additional recommendations. If access points are to use existing wiring or if there are locations where access points cannot be placed, note these locations on the map.
*Position access points above obstructions.
*Position access points vertically near the ceiling in the center of each coverage area, if possible.
*Position access points in locations where users are expected to be. For example, conference rooms are typically a better location for access points than a hallway.

When these points have been addressed, estimate the expected coverage area of an access point.
This value varies depending on the WLAN standard or mix of standards that you are deploying, the nature of the facility, the transmit power that the access point is configured for, and so on. Always consult the specifications for the access point when planning for coverage areas.

2.11 Rogue Access Points

A rogue access point is an access point placed on a WLAN that is used to interfere with normal network operation. If a rogue access point is configured with the correct security settings, client data could be captured. A rogue access point also could be configured to provide unauthorized users with information such as the MAC addresses of clients (both wireless and wired), or to capture and disguise data packets or, at worst, to gain access to servers and files. A simple and common version of a rogue access point is one installed by employees without authorization. Employees install access points intended for home use on the enterprise network. These access points typically do not have the necessary security configuration, so the network ends up with a security hole.

2.12 Man-in-the-Middle Attacks

One of the more sophisticated attacks an unauthorized user can make is called a man-in-the-middle (MITM) attack. Attackers select a host as a target and position themselves logically between the target and the router or gateway of the target. In a wired LAN environment, the attacker needs to be able to physically access the LAN to insert a device logically into the topology. With a WLAN, the radio waves emitted by access points can provide the connection. Radio signals from stations and access points are "hearable" by anyone in a BSS with the proper equipment, such as a laptop with a NIC. Because access points act like Ethernet hubs, each NIC in a BSS hears all the traffic. Each device discards any traffic not addressed to it. Attackers can modify the NIC of their laptop with special software so that it accepts all traffic.
With this modification, the attacker can carry out wireless MITM attacks, with the laptop NIC acting as an access point. To carry out this attack, a hacker selects a station as a target and uses packet sniffing software, such as Wireshark, to observe the client station connecting to an access point. The hacker might be able to read and copy the target username, server name, client and server IP address, the ID used to compute the response, and the challenge and associated response, which is passed in clear text between station and access point. If an attacker is able to compromise an access point, the attacker can potentially compromise all users in the BSS. The attacker can monitor an entire wireless network segment and wreak havoc on any users connected to it.

Defeating an attack like a MITM attack depends on the sophistication of your WLAN infrastructure and your vigilance in monitoring activity on the network. The process begins with identifying legitimate devices on your WLAN. To do this, you must authenticate users on your WLAN. When all legitimate users are known, you then monitor the network for devices and traffic that is not supposed to be there. Enterprise WLANs that use state-of-the-art WLAN devices provide administrators with tools that work together as a wireless intrusion prevention system (IPS). These tools include scanners that identify rogue access points and ad hoc networks, and radio resource management (RRM), which monitors the RF band for activity and access point load. An access point that is busier than normal alerts the administrator of possible unauthorized traffic.

2.13 Denial of Service

802.11b and g WLANs use the unlicensed 2.4 GHz ISM band. This is the same band used by most wireless consumer products, including baby monitors, cordless phones, and microwave ovens. With these devices crowding the RF band, attackers can create noise on all the channels in the band with commonly available devices.
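The monitoring that sections 2.11 to 2.13 recommend (a known inventory of legitimate access points, scanners that spot rogue or impersonating access points, RRM load checks that flag an access point busier than normal, and watching for the disassociation bursts of the DoS attack described in 2.13) can be written as three small checks over what the sensors report. The following is an added example written for this chapter, not the project's own tooling and not a vendor's IPS: the BSSID inventory, the load baselines, the SSID, the MAC addresses and the frame timings are all constructed.

```python
"""Wireless IPS checks matching sections 2.11-2.13: rogue or impersonating access
points, an access point busier than its baseline, and disassociation/deauthentication
floods. Added example run over constructed observations (the inventory, MACs and
frame timings are made up); not the project's own tooling."""

CORPORATE_SSID = "BANK-BRANCH"                        # constructed SSID
AUTHORIZED_APS = {                                    # constructed inventory: BSSID -> (SSID, channel)
    "00:1a:2b:00:00:01": (CORPORATE_SSID, 1),
    "00:1a:2b:00:00:02": (CORPORATE_SSID, 6),
    "00:1a:2b:00:00:03": (CORPORATE_SSID, 11),
}
LOAD_BASELINE = {                                     # constructed normal client counts (RRM history)
    "00:1a:2b:00:00:01": 12,
    "00:1a:2b:00:00:02": 10,
    "00:1a:2b:00:00:03": 8,
}


def classify_beacons(beacons):
    """beacons: dicts {bssid, ssid, channel} seen by the scanners. Returns
    [(bssid, verdict)] for anything that is not an authorized AP behaving normally."""
    alerts, seen = [], set()
    for b in beacons:
        if b["bssid"] in seen:
            continue
        seen.add(b["bssid"])
        expected = AUTHORIZED_APS.get(b["bssid"])
        if expected is None:
            verdict = ("rogue AP advertising the corporate SSID" if b["ssid"] == CORPORATE_SSID
                       else "unauthorized AP")
            alerts.append((b["bssid"], verdict))
        elif expected != (b["ssid"], b["channel"]):
            alerts.append((b["bssid"], "authorized AP with unexpected SSID or channel"))
    return alerts


def overloaded_aps(client_counts, factor=2.0):
    """RRM-style load check: APs carrying more than `factor` times their baseline."""
    return sorted(b for b, n in client_counts.items()
                  if b in LOAD_BASELINE and n > factor * LOAD_BASELINE[b])


def disassoc_floods(frames, window_s=1.0, threshold=10):
    """frames: dicts {t, type, bssid} for management frames. Flags a BSSID when
    `threshold` or more disassociation/deauthentication frames fall inside any
    sliding window of `window_s` seconds."""
    times_by_bssid = {}
    for f in frames:
        if f["type"] in ("disassoc", "deauth"):
            times_by_bssid.setdefault(f["bssid"], []).append(f["t"])
    flagged = []
    for bssid, times in times_by_bssid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(bssid)
                break
    return sorted(flagged)


def sample_beacons():
    """Constructed scan: the three authorized APs plus two strangers."""
    return [
        {"bssid": "00:1a:2b:00:00:01", "ssid": CORPORATE_SSID, "channel": 1},
        {"bssid": "00:1a:2b:00:00:02", "ssid": CORPORATE_SSID, "channel": 6},
        {"bssid": "00:1a:2b:00:00:03", "ssid": CORPORATE_SSID, "channel": 11},
        {"bssid": "de:ad:be:ef:00:01", "ssid": CORPORATE_SSID, "channel": 6},   # impersonator
        {"bssid": "aa:bb:cc:dd:ee:ff", "ssid": "HomeNet", "channel": 3},        # employee's home AP
    ]


def sample_frames():
    """Constructed management-frame log: a burst of 15 deauth frames in half a
    second against AP 02, and three ordinary disassociations spread over ten seconds."""
    burst = [{"t": 100.0 + i * 0.03, "type": "deauth", "bssid": "00:1a:2b:00:00:02"} for i in range(15)]
    normal = [{"t": 90.0 + i * 4.0, "type": "disassoc", "bssid": "00:1a:2b:00:00:01"} for i in range(3)]
    return burst + normal


if __name__ == "__main__":
    print(classify_beacons(sample_beacons()))
    print(overloaded_aps({"00:1a:2b:00:00:01": 30, "00:1a:2b:00:00:02": 9}))
    print(disassoc_floods(sample_frames()))
```

The inventory comparison is the step the text calls identifying legitimate devices first; without it a scanner cannot tell an impersonating access point from a real one, because both advertise the same SSID. The burst detector deliberately ignores the slow trickle of ordinary disassociations and only fires on the repeated disassociate-reassociate cycle described in 2.13.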
Earlier we discussed how an attacker can turn a NIC into an access point. That trick can also be used to create a DoS attack. The attacker, using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations. The access points, in turn, flood the BSS with simultaneous traffic, causing a constant stream of collisions. Another DoS attack that can be launched in a BSS is when an attacker sends a series of disassociate commands that cause all stations in the BSS to disconnect. When the stations are disconnected, they immediately try to reassociate, which creates a burst of traffic. The attacker sends another disassociate command and the cycle repeats itself.

2.14 Benefits & Disadvantages of Wireless Networks

2.14.1 Benefits

The popularity of wireless LANs is a testament primarily to their convenience, cost efficiency, and ease of integration with other networks and network components. The majority of computers sold to consumers today come pre-equipped with all necessary wireless LAN technology. Benefits of wireless LANs include:

Convenience
The wireless nature of such networks allows users to access network resources from nearly any convenient location within their primary networking environment (home or office). With the increasing saturation of laptop-style computers, this is particularly relevant.

Mobility
With the emergence of public wireless networks, users can access the internet even outside their normal work environment. Most chain coffee shops, for example, offer their customers a wireless connection to the internet at little or no cost.

Productivity
Users connected to a wireless network can maintain a nearly constant affiliation with their desired network as they move from place to place. For a business, this implies that an employee can potentially be more productive as his or her work can be accomplished from any convenient location.
For example, a hospital or warehouse may implement Voice over WLAN applications that enable mobility and cost savings.

Deployment: Initial setup of an infrastructure-based wireless network requires little more than a single access point. Wired networks, on the other hand, have the additional cost and complexity of actual physical cables being run to numerous locations (which can even be impossible for hard-to-reach locations within a building).

Expandability: Wireless networks can serve a suddenly-increased number of clients with the existing equipment. In a wired network, additional clients would require additional wiring.

Cost: Wireless networking hardware is at worst a modest increase in cost over wired counterparts. This potentially increased cost is almost always more than outweighed by the savings in cost and labor associated with running physical cables.

2.14.2 Disadvantages

Wireless LAN technology, while replete with the conveniences and advantages described above, has its share of downfalls. For a given networking situation, wireless LANs may not be desirable for a number of reasons. Most of these have to do with the inherent limitations of the technology.

Security: Wireless LAN transceivers are designed to serve computers throughout a structure with uninterrupted service using radio frequencies. Because of space and cost, the antennas typically present on wireless networking cards in the end computers are generally relatively poor. In order to properly receive signals using such limited antennas throughout even a modest area, the wireless LAN transceiver utilizes a fairly considerable amount of power. What this means is that not only can the wireless packets be intercepted by a nearby adversary's poorly-equipped computer, but more importantly, a user willing to spend a small amount of money on a good quality antenna can pick up packets at a remarkable distance; perhaps hundreds of times the radius of the typical user.
In fact, there are even computer users dedicated to locating and sometimes even cracking into wireless networks, known as wardrivers. On a wired network, any adversary would first have to overcome the physical limitation of tapping into the actual wires, but this is not an issue with wireless packets. To combat this, wireless network users usually choose to utilize the various encryption technologies available, such as Wi-Fi Protected Access (WPA). Some of the older encryption methods, such as WEP, are known to have weaknesses that a dedicated adversary can compromise.

Range: The typical range of a common 802.11g network with standard equipment is on the order of tens of meters. While sufficient for a typical home, it will be insufficient in a larger structure. To obtain additional range, repeaters or additional access points will have to be purchased. Costs for these items can add up quickly. Other technologies are in the development phase, however, which feature increased range, hoping to render this disadvantage irrelevant.

Reliability: Like any radio frequency transmission, wireless networking signals are subject to a wide variety of interference, as well as complex propagation effects (such as multipath, or especially in this case Rician fading) that are beyond the control of the network administrator. One of the most insidious problems that can affect the stability and reliability of a wireless LAN is the microwave oven.[8] In the case of typical networks, modulation is achieved by complicated forms of phase-shift keying (PSK) or quadrature amplitude modulation (QAM), making interference and propagation effects all the more disturbing. As a result, important network resources such as servers are rarely connected wirelessly.

Speed: The speed on most wireless networks (typically 1-108 Mbit/s) is reasonably slow compared to the slowest common wired networks (100 Mbit/s up to several Gbit/s).
There are also performance issues caused by TCP and its built-in congestion avoidance. For most users, however, this observation is irrelevant since the speed bottleneck is not in the wireless routing but rather in the outside network connectivity itself. For example, the maximum ADSL throughput (usually 8 Mbit/s or less) offered by telecommunications companies to general-purpose customers is already far slower than the slowest wireless network to which it is typically connected. That is to say, in most environments, a wireless network running at its slowest speed is still faster than the internet connection serving it in the first place. However, in specialized environments, higher throughput through a wired network might be necessary. Newer standards such as 802.11n are addressing this limitation and will support peak throughput in the range of 100-200 Mbit/s.

Chapter Three
Network Security

3.1 Introduction

Network security is one of the most important aspects that should be kept in mind when designing a computer network, but when designing the computer network of a bank, network security requires far more care than usual. This chapter deals with network security concepts. It starts with a general overview. Then, it discusses the concepts of firewalls and digital signatures.

3.2 Network Security Overview

3.2.1 Defining Trust

What is trust in general terms? Before categorizing people and resources, trust must be defined. Trust is the likelihood that people will act the way you expect them to act. Trust is often based on past experiences. You could also say that trust can exist only between two individuals who know each other. You can never trust a total stranger, but you can start to trust one over a certain period of time. An exception to this rule exists in the context of networking. You might be willing to trust a stranger if you know that someone you trust trusts him.
Now that trust is defined, a list of resources can be developed that ranges from most trusted to least trusted, as shown in Figure 3-1.

Figure 3-1 Security Zones

Most Trusted: The most trusted network resources in an organization are internal servers, domain controllers, and storage devices attached to the network. Only a limited number of well-known people should have access to these devices.

Less Trusted: This category includes the internal users and the remote, authenticated users. On a certain level, an organization has to trust its users, internal or remote, because otherwise these users cannot perform their jobs. Despite the trust granted to them, some people in an organization use the passwords they have to do things they are not supposed to do. Although most employees can be trusted, it is because of the minority that abuses its privileges that this group is categorized as less trusted, not most trusted.

Least Trusted: The least trusted (sometimes referred to as untrusted) resources and users are Internet servers and remote, unauthenticated users. You can never trust an Internet server because you are not sure what is behind it. That is the reason for using digital certificates.

3.2.2 Weaknesses and Vulnerabilities

External and internal weaknesses and vulnerabilities must be considered. External weaknesses include malware, spyware, hackers, crackers, and script kiddies. Malware is a group of destructive programs such as viruses or worms. The following list defines some types of malware:

Virus: A virus is a piece of code that is capable of attaching to programs, disks, or computer memory to propagate itself. Viruses also carry a payload with an action they must carry out. The action can be anything from displaying a message to erasing a computer hard disk.

Worm: Like viruses, worms replicate. They are capable of making copies of themselves, and they use e-mail and network facilities to spread to other resources.
Trojan horse: Trojan horses do not have the capability to replicate. By pretending to be a useful utility or a clever game, Trojan horses convince the user that they should be installed on a PC or on a server.

Spyware: This is software that gathers user information and sends it to a central site. The popular music-sharing program Kazaa came with spyware attached to the original program. It is even mentioned in the user license agreement, so that when users accept the agreement, they are giving permission to install the spyware and send personal user information to a central site.

Hoax: This is a special kind of malware. Hoaxes do not contain any code, instead relying on the gullibility of the users to spread. They often use emotional subjects such as a child's last wish. Any e-mail message that asks you to forward copies to everyone you know is almost certainly a hoax.

Often driven by a passion for computing, a hacker is a person who is proficient in using and creating computer software to gain illegal access to information. Hackers do no malicious damage whatsoever.

NOTE: Many people confuse hackers and crackers. In popular terminology, the term hacker is used to describe an individual who attempts an unauthorized and malicious activity. The press and public have muddied the definitions so much that both now often mean people with malicious intent.

Crackers differ from hackers. A cracker uses various tools and techniques to gain illegal access to various computer platforms and networks with the intention of harming the system. Script kiddies are a subclass of crackers. They use scripts made by others to exploit a security flaw in a certain system.

A common security mistake is to assume that attacks always come from outside your organization. Many companies build a massive wall around their buildings, but they leave all inside doors unlocked.
The following list shows some of the potential threats from inside your organization:

Authenticated users: These users already have access to the network. They are authenticated and authorized to use certain resources on the network. Often they use the access they have to get to confidential data such as payrolls or personnel records.

Unauthorized programs: Users within your organization sometimes install additional programs and plug-ins that are not authorized by your organization. Often they open a hole in your network by doing this.

Unpatched software: It is also very important to keep up with the latest updates or patches. Once a software bug or flaw is identified, vendors provide an update to their affected customers. It is good practice to check for updates and patches frequently, especially for your browser and operating system.

3.2.3 Security Objectives

When performing security tasks, security professionals try to protect their environments as effectively as possible. These actions can also be described as protecting confidentiality, integrity, and availability (CIA), or maintaining CIA. CIA stands for:

Confidentiality: Ensure that no data is disclosed intentionally or unintentionally.

Integrity: Make sure that no data is modified by unauthorized personnel, that no unauthorized changes are made by authorized personnel, and that the data remains consistent, both internally and externally.

Availability: Provide reliable and timely access to data and resources.

NOTE: The opposite of CIA is disclosure, alteration, and denial (DAD).

A major security objective is measuring the costs and benefits of security. If you want to measure the cost of securing an entity, whether it is data on networks, data on computers, or other assets of an organization, you need to know something about risk assessment.
Generally, the assets of an organization have multiple risks associated with them, such as:

- Equipment failure
- Theft
- Misuse
- Viruses
- Bugs

After you have identified the assets at risk as well as the risks themselves, you need to determine the probability of a risk occurring. Although there are numerous threats that could affect an organization, not all of them are likely to occur in your environment. For example, an earthquake is highly possible if you live close to San Francisco but not if you live in New York City. For this reason, a realistic assessment of the risks must be performed. Research must be performed to determine the likelihood of risks occurring to certain resources at specific places. By determining the likelihood of a risk occurring within a year, you can determine what is known as the annualized rate of occurrence (ARO).

3.3 Firewalls

3.3.1 Introduction to Firewalls

The term firewall has many definitions in the industry. The definition depends on how and to what extent a firewall is used in a network. Generally, a firewall is a network device that, based on a defined network policy, implements access control for a network. Apart from doing this basic job, firewalls are often used as network address translating devices, because they often tend to sit on the edge of a network and serve as entry points into the network. Figure 2-1 shows the basic philosophy of a firewall setup.

Figure 3-2 Basic Firewall Philosophy

3.3.2 Firewall Characteristics

Some important characteristics that distinguish a serious, industrial-strength firewall from other devices that go only halfway toward providing a true security solution are:

- Logging and notification ability
- High-volume packet inspection
- Ease of configuration
- Device security and redundancy

Logging and Notification Ability

A firewall is not much good unless it has a good logging facility.
Good logging not only allows network administrators to detect if attacks are being orchestrated against their networks, but it also lets them detect if what is considered normal traffic originating from trusted users is being used for ungainly purposes. Good logging allows network administrators to filter out much information based on traffic tagging and get to the stuff that really matters very quickly. Obviously, good logging is different from logging everything that happens.

"Good logging" also refers to notification ability. Not only do you want the firewall to log the message, but you also want it to notify the administrator when alarm conditions are detected. Notification is often done by software that sorts through the log messages generated by the firewall device. Based on the criticality of the messages, the software generates notifications in the form of pages, e-mails, or other such means to notify a network administrator. The purpose of the notification is to let the administrator make a timely modification to either the configuration or the software image of the firewall itself to decrease the threat and impact of an attack or potential attack.

High-Volume Packet Inspection

One test of a firewall is its ability to inspect a large amount of network traffic against a configured set of rules without significantly degrading network performance. How much a firewall should be able to handle varies from network to network, but with today's demanding networks, a firewall should not become a bottleneck for the network it is sitting on. It is important to keep a firewall from becoming a bottleneck in a network because of its placement in the network. Firewalls are generally placed at the periphery of a network and are the only entry point into the network. Consequently, a slowdown at this critical place in the network can slow down the entire network. Various factors can affect the speed at which a firewall processes the data passing through it.
Most of the limitations are in hardware processor speed and in the optimization of the software code that keeps track of the connections being established through the firewall. Another limiting factor is the availability of the various types of interface cards on the firewall. A firewall that can support Gigabit Ethernet in a Gigabit Ethernet environment is obviously more useful than one that can only do Fast Ethernet in a faster network such as Gigabit Ethernet. One thing that often helps a firewall process traffic quickly is to offload some of the work to other software. This work includes notifications, URL filter-based access control, processing of firewall logs for filtering important information, and other such functions. These often resource-intensive functions can take up a lot of the firewall's capacity and can slow it down.

Ease of Configuration

Ease of configuration includes the ability to set up the firewall quickly and to easily see configuration errors. Ease of configuration is very important in a firewall. The reason is that many network breaches that occur in spite of a firewall's being in place are not due to a bug in the firewall software or the underlying OS on which the firewall sits. They are due to an error in the firewall's configuration! Some of the "credit" for this goes to the person who configures the firewall. However, an easy-to-configure firewall mitigates many errors that might be produced in setting it up. It is important for a firewall to have a configuration utility that allows easy translation of the site security policy into the configuration. It is very useful to have a graphical representation of the network architecture as part of the configuration utility to avoid common configuration errors. Similarly, the terminology used in the configuration utility needs to be in sync with normally accepted security site topological nomenclature, such as DMZ zones, high-security zones, and low-security zones.
Use of ambiguous terminology in the configuration utility can cause human error to creep in. Centralized administrative tools that allow for the simultaneous management of multiple security devices, including firewalls, are very useful for maintaining uniformly error-free configurations.

Device Security and Redundancy

The security of the firewall device itself is a critical component of the overall security that a firewall can provide to a network. A firewall that is itself insecure can easily allow intruders to break in and modify the configuration to allow further access into the network. There are two main areas where a firewall needs to have strength in order to avoid issues surrounding its own security:

- The security of the underlying operating system: If the firewall software runs on a separate operating system, the vulnerabilities of that operating system have the potential to become the vulnerabilities of the firewall itself. It is important to install the firewall software on an operating system known to be robust against network security threats and to keep patching the system regularly to fill any gaps that become known.

- Secure access to the firewall for administrative purposes: It is important for a firewall to have secure mechanisms available for allowing administrative access to it. Such methods can include encryption coupled with proper authentication mechanisms. Weakness in the implementation of such access mechanisms can allow the firewall to become an easy target for intrusions of various kinds.

An issue related to device security is the firewall's ability to have a redundant presence with another firewall in the network. Such redundancy allows the backup device to take up the operations of a faulty primary device. In the case of an attack on the primary device that leaves it nonoperational, redundancy also allows for continued operation of the network.
3.3.3 Firewall Types

In order to gain a thorough understanding of firewall technology, it is important to understand the various types of firewalls. These various types of firewalls provide more or less the same functions that were outlined earlier. However, their methods of doing so provide differentiation in terms of performance and level of security offered. The firewalls discussed in this section are divided into five categories based on the mechanism that each uses to provide firewall functionality:

- Circuit-level firewalls
- Proxy server firewalls
- Nonstateful packet filters
- Stateful packet filters
- Personal firewalls

These various types of firewalls gather different types of information from the data flowing through them to keep track of legitimate and illegitimate traffic and to protect against unauthorized access. The type of information they use often also determines the level of security they provide.

3.3.3.1 Circuit-Level Firewalls

These firewalls act as relays for TCP connections. They intercept TCP connections being made to a host behind them and complete the handshake on behalf of that host. Only after the connection is established is traffic allowed to flow to the client. Also, the firewall makes sure that as soon as the connection is established, only data packets belonging to the connection are allowed to go through. Circuit-level firewalls do not validate the payload or any other information in the packet, so they are fairly fast. These firewalls essentially are interested only in making sure that the TCP handshake is properly completed before a connection is allowed. Consequently, these firewalls do not allow access restrictions to be placed on protocols other than TCP and do not allow the use of payload information in the higher-layer protocols to restrict access.

3.3.3.2 Proxy Server Firewalls

Proxy server firewalls work by examining packets at the application layer.
Essentially, a proxy server intercepts the requests being made by the applications sitting behind it and performs the requested functions on behalf of the requesting application. It then forwards the results to the application. In this way it can provide a fairly high level of security to the applications, which do not have to interact directly with outside applications and servers. Proxy servers are advantageous in the sense that they are aware of application-level protocols and they can restrict or allow access based on these protocols. They also can look into the data portions of the packets and use that information to restrict access. However, this very capability of processing the packets at a higher layer of the stack can contribute to the slowness of proxy servers. Also, because the inbound traffic has to be processed by the proxy server as well as the end-user application, further degradation in speed can occur. Proxy servers often are not transparent to end users, who have to make modifications to their applications in order to use the proxy server. For each new application that must go through a proxy firewall, modifications need to be made to the firewall's protocol stack to handle that type of application.

3.3.3.3 Nonstateful Packet Filters

Nonstateful packet filters are fairly simple devices that sit on the periphery of a network and, based on a set of rules, allow some packets through while blocking others. The decisions are made based on the addressing information contained in network layer protocols such as IP and, in some cases, information contained in transport layer protocols such as TCP or UDP headers as well. Nonstateful packet filters are fairly simple devices, but to function properly they require a thorough understanding of the usage of services required by a network to be protected.
Although these filters can be fast because they do not proxy any traffic but only inspect it as it passes through, they do not have any knowledge of the application-level protocols or the data elements in the packet. Consequently, their usefulness is limited. These filters also do not retain any knowledge of the sessions established through them. Instead, they just keep tabs on what is immediately passing through. Simple and extended access lists (without the established keyword) on routers are examples of such firewalls.

3.3.3.4 Stateful Packet Filters

Stateful packet filters are more intelligent than simple packet filters in that they can block pretty much all incoming traffic and still allow return traffic for the traffic generated by machines sitting behind them. They do so by keeping a record of the transport layer connections that are established through them by the hosts behind them. Stateful packet filters are the mechanism for implementing firewalls in most modern networks. Stateful packet filters can keep track of a variety of information regarding the packets that are traversing them, including the following:

- Source and destination TCP and UDP port numbers
- TCP sequence numbering
- TCP flags
- TCP session state based on the RFCed TCP state machine
- UDP traffic tracking based on timers

Stateful firewalls often have built-in advanced IP layer handling features such as fragment reassembly and clearing or rejecting of IP options. Many modern stateful packet filters are aware of application layer protocols such as FTP and HTTP and can perform access-control functions based on these protocols' specific needs.

3.3.3.5 Personal Firewalls

Personal firewalls are firewalls installed on personal computers. They are designed to protect against network attacks. These firewalls are generally aware of the applications running on the machine and allow only connections established by these applications to operate on the machine.
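Before going further, the difference between the nonstateful filter of 3.3.3.3 and the stateful filter of 3.3.3.4 is worth seeing in code. The following Python is an added example, not the project's or any vendor's firewall code: it simulates both filters over constructed packets. The addresses, ports, the 30-second UDP idle timeout and the state names are assumptions for illustration. The nonstateful filter has to admit every inbound TCP packet with source port 80 so that web replies get through, and therefore also admits forged traffic that merely carries that port; the stateful filter admits inbound packets only when they match a connection opened from inside, follows the TCP handshake and close, and ages out UDP state on a timer. One scenario shows a reply whose request the firewall never saw being dropped, which is the asymmetric routing problem described in 3.3.4.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Added example (not the paper's code): a simulated nonstateful packet filter
# next to a simulated stateful one, judged on constructed packets, to show the
# difference drawn in 3.3.3.3 and 3.3.3.4. All addresses and values are assumed.

@dataclass(frozen=True)
class Packet:
    direction: str                       # "out" = private -> public, "in" = public -> private
    proto: str                           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags used here: SYN, ACK, FIN, RST
    ts: float = 0.0                      # seconds; drives the UDP idle timer

def stateless_allows(pkt: Packet) -> bool:
    """Nonstateful filter: each packet is judged on its own headers. To let inside
    hosts browse it must admit any inbound TCP packet with source port 80, and it
    cannot tell a genuine reply from forged traffic that carries that port."""
    if pkt.direction == "out":
        return True
    return pkt.proto == "tcp" and pkt.sport == 80

UDP_IDLE_TIMEOUT = 30.0  # seconds of silence before UDP state is dropped (assumed value)

class StatefulFilter:
    """Admits inbound traffic only if it matches a connection opened from inside."""

    def __init__(self) -> None:
        self.table: Dict[Tuple, dict] = {}   # (proto, in_ip, in_port, out_ip, out_port) -> state

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allows(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        entry = self.table.get(key)
        return self._tcp(pkt, key, entry) if pkt.proto == "tcp" else self._udp(pkt, key, entry)

    def _tcp(self, pkt: Packet, key: Tuple, entry) -> bool:
        f = pkt.flags
        if entry is None:
            # Only an outbound SYN may create state. An inbound packet with no
            # state is dropped even if it looks like a reply; that is also what
            # happens to a real reply under asymmetric routing (3.3.4).
            if pkt.direction == "out" and "SYN" in f and "ACK" not in f:
                self.table[key] = {"state": "SYN_SENT", "fins": set()}
                return True
            return False
        if "RST" in f:                       # either side aborts: state removed
            del self.table[key]
            return True
        if entry["state"] == "SYN_SENT":
            if pkt.direction == "in" and {"SYN", "ACK"} <= f:
                entry["state"] = "ESTABLISHED"
                return True
            return pkt.direction == "out"    # e.g. a retransmitted SYN
        if "FIN" in f:                       # orderly close needs a FIN from each side
            entry["fins"].add(pkt.direction)
            if entry["fins"] == {"in", "out"}:
                del self.table[key]
        return True

    def _udp(self, pkt: Packet, key: Tuple, entry) -> bool:
        if entry is not None and pkt.ts - entry["last"] > UDP_IDLE_TIMEOUT:
            del self.table[key]              # idle timer expired
            entry = None
        if entry is None:
            if pkt.direction != "out":
                return False
            self.table[key] = {"last": pkt.ts}
            return True
        entry["last"] = pkt.ts
        return True

# Constructed traffic: 10.0.0.0/8 is the private side, 198.51.100.7 a web server,
# 198.51.100.53 a DNS server and 203.0.113.9 an outside host forging a "reply".
IN_HOST, WEB, DNS, OUTSIDER = "10.0.0.5", "198.51.100.7", "198.51.100.53", "203.0.113.9"
SYN, SYNACK, ACK, FIN = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"}), frozenset({"FIN", "ACK"})
SCENARIOS: Dict[str, List[Packet]] = {
    "web_session": [                     # handshake, data, orderly close, then stray data
        Packet("out", "tcp", IN_HOST, 40000, WEB, 80, SYN),
        Packet("in", "tcp", WEB, 80, IN_HOST, 40000, SYNACK),
        Packet("out", "tcp", IN_HOST, 40000, WEB, 80, ACK),
        Packet("in", "tcp", WEB, 80, IN_HOST, 40000, ACK),
        Packet("out", "tcp", IN_HOST, 40000, WEB, 80, FIN),
        Packet("in", "tcp", WEB, 80, IN_HOST, 40000, FIN),
        Packet("in", "tcp", WEB, 80, IN_HOST, 40000, ACK),
    ],
    "forged_reply_to_ssh": [Packet("in", "tcp", OUTSIDER, 80, IN_HOST, 22, ACK)],
    "asymmetric_routing": [Packet("in", "tcp", WEB, 80, "10.0.0.6", 40001, SYNACK)],  # SYN left by another path
    "udp_dns": [
        Packet("out", "udp", IN_HOST, 5353, DNS, 53, ts=0.0),
        Packet("in", "udp", DNS, 53, IN_HOST, 5353, ts=1.0),
        Packet("in", "udp", DNS, 53, IN_HOST, 5353, ts=100.0),   # arrives after the idle timeout
    ],
}

def run(scenario: str) -> Dict[str, List[bool]]:
    """Per-packet decisions of both filters for one named scenario."""
    fw = StatefulFilter()
    pkts = SCENARIOS[scenario]
    return {"stateless": [stateless_allows(p) for p in pkts],
            "stateful": [fw.allows(p) for p in pkts]}
```

Running the scenarios shows the trade-off from both sides: the stateless rule admits the forged packet aimed at port 22 and the orphaned reply, while it cannot admit the legitimate DNS answer at all without a permanent inbound UDP/53 rule; the stateful table handles all four cases correctly and forgets a connection once it is closed, reset or idle.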
A personal firewall is a useful addition to any PC because it increases the level of security already offered by a network firewall. However, because many of the attacks on today's networks originate from inside the protected network, a PC firewall is an even more useful tool, because network firewalls cannot protect against these attacks. Personal firewalls come in a variety of flavors. Most are implemented to be aware of the applications running on the PC. However, they are designed to not require any changes to the user applications running on the PC, as is required in the case of proxy servers.

3.3.4 Positioning of Firewalls

Positioning a firewall is as important as using the right type of firewall and configuring it correctly. Positioning a firewall determines which traffic will be screened and whether there are any back doors into the protected network. Some of the basic guidelines for positioning a firewall are as follows:

- Topological location of the firewall: It is often a good idea to place a firewall on the periphery of a private network, as close to the final exit and initial entry point into the network as possible. The network includes any remote-access devices and VPN concentrators sitting on its periphery. This allows the greatest number of devices on the private network to be protected by the firewall and also helps keep the boundary of the private and public network very clear. A network in which there is ambiguity as to what is public and what is private is a network waiting to be attacked. Certain situations might also warrant placing a firewall within a private network in addition to placing a firewall at the entry point. An example of such a situation is when a critical segment of the network, such as the segment housing the financial or HR servers, needs to be protected from the rest of the users on the private network. Also, in most cases firewalls should not be placed in parallel with other network devices such as routers.
This can cause the firewall to be bypassed. You should also avoid any other additions to the network topology that can result in the firewall's getting bypassed.

- Accessibility and security zones: If there are servers that need to be accessed from the public network, such as Web servers, it is often a good idea to put them in a demilitarized zone (DMZ) built on the firewall rather than keep them inside the private network. The reason for this is that if these servers are on the internal network and the firewall has been asked to allow some level of access to these servers from the public network, this access opens a door for attackers. They can use this access to gain control of the servers or to stage attacks on the private network using the access holes created in the firewall. A DMZ allows publicly accessible servers to be placed in an area that is physically separate from the private network, forcing the attackers who have somehow gained control over these servers to go through the firewall again to gain access to the private network.

- Asymmetric routing: Most modern firewalls work on the concept of keeping state information for the connections made through them from the private network to the public network. This information is used to allow only the packets belonging to the legitimate connections back into the private network. Consequently, it is important that the exit and entry points of all traffic to and from the private network be through the same firewall. If this is not the case, a firewall may drop packets belonging to legitimate connections started from the internal network for which it has no state information. This scenario is known as asymmetric routing.

- Layering firewalls: In networks where a high degree of security is desired, often two or more firewalls can be deployed in series. If the first firewall fails, the second one can continue to function.
This technique is often used as a safeguard against network attacks that exploit bugs in a firewall's software. If one firewall's software is vulnerable to an attack, hopefully the software of the second firewall sitting behind it will not be. Firewalls from different vendors are often used in these setups to ensure that one incorrect or compromised implementation can be backed up by the other vendor's implementation.

Positioning a firewall can be a complicated issue in a large network with multiple subsegments and entry points. Often a network that has not used a firewall in the past needs to be restructured to allow a firewall to be placed properly to protect it. This is necessary to create a single point of entry and exit and to remove the issue of asymmetric routing.

3.4 Digital Signature

3.4.1 Definition

A digital signature or digital signature scheme is a type of asymmetric cryptography. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digitally signed messages may be anything representable as a bitstring: examples include electronic mail, contracts, or a message sent via some other cryptographic protocol.
3.4.2 Proof of Identity

There are two important things about digital certificates:

• They are issued to a user or entity by a certificate authority after a verification process is carried out.
• A key pair is included in the certificate. The private key is installed/associated with some application controlled by the owner. As with any public/private key pair, the private key is never distributed. In contrast, the public key is given out freely.

An electronic message written by the user is encrypted using the user’s private key. The recipient of the message can decrypt the encrypted message using the sender’s public key. If the sanctity of the private key is not compromised, then the message could have been sent only by the owner of that private key and no one else. Thus, encrypting a message with your private key provides proof of identity. This encrypted message can be taken as a digital signature. However, in the following section you will see that while the above is true, the implementation of digital signatures is performed differently. This is because, if you encrypt the entire message using your private key, then anybody can read the message; there will be no confidentiality.

3.4.3 Digital Essentials

In normal day-to-day practice, the entire message is not encrypted using the private key. Rather, the message is hashed to a unique value. The hash value of a message written electronically by the user is typically computed using MD5. This hash is then encrypted using the sender’s private key. The recipient of the message can decrypt the encrypted hash using the sender’s public key. In order to ensure confidentiality of the message (if required), the sender can do one of two things:

• Option A: Encrypt the message using the recipient’s public key.
• Option B: Encrypt the message using a shared secret key.

Option B is far more efficient.
The recipient recomputes the hash of the message using the same algorithm and compares it to the decrypted hash that was received from the sender. If the sanctity of the private key is not compromised, then there is assurance that the message was sent only by that person and no one else. Encrypting a message with your private key provides proof of identity. Encrypting the hash of the message not only provides proof of identity, but also assurance that the message itself was not tampered with in transit. Furthermore, encrypting the hash with the private key and using it as a signature ensures that this signature can never be attached to any other message. It is integral to that particular message only.

In essence, the reason that it is done in this manner is that it is computationally vastly more efficient to:
• Encrypt/decrypt the message with a symmetric key, and
• Encrypt/decrypt the hash using asymmetric encryption
than it is to:
• Encrypt/decrypt the entire message using asymmetric encryption only.
Thus, the message digest of a message encrypted with a private key becomes the digital signature of the owner of that private key (for that message).

3.4.4 The Work of Hashes

Notice that if you try to append to a message or try to deduct from a message—in short, if you try to make any kind of edit—the hashing algorithm will tell you that something has changed. It won’t tell you what changed, but it will let you know that something has changed. Hashing algorithms work by implementing iterated cryptographic hash functions upon a message (typically calculated on plaintext, although hashes of encrypted messages are also used in some instances). RSA’s and MD5 are currently the two most widely used algorithms.

3.4.5 Features of Digital Signatures

The digital signature is similar in function to the handwritten signature. The integrity of the handwritten signature relies on the fact that it is very hard to find two people with the same signature.
In addition, the digital signature must have the following properties:
• It must be able to verify the author and the date and time of the signature.
• It must be able to authenticate the contents at the time of the signature.
• It must be verifiable by third parties in order to resolve disputes.
Also:
• The signature binds the signer to whatever the document states.
• The document will not be changed after it is signed.
• The signature will not be transferred to another document.

3.4.6 Using Digital Signatures in E-commerce

E-commerce transactions involve obtaining secure answers to three basic questions:
• Who are the participants in a transaction? Secure e-commerce depends on reliable identification and authentication of business partners, suppliers, and customers online. This is a risk management issue.
• Is there an acceptable method of payment for your goods/services? E-commerce requires secure, automated, real-time transactions and interoperation with existing payment infrastructures.
• Will I have proof of the transaction after it has taken place? Finally, participants need records of electronic transactions sufficient for dispute resolution purposes, taking into account the absence of traditional paper records.

Digital signatures enable secure commerce. Therefore, the requirements for digital signatures are stringent. Digital signatures must:
• Be a bit pattern that depends on the message being signed.
• Use some information unique to the sender to prevent both forgery and denial.
• Be relatively easy to produce.
• Be relatively easy to recognize and verify.
• Be computationally infeasible to forge.
• Be practical to retain a copy of in storage.

3.4.7 Digital Signatures in Practice

Properly implemented, the steps behind the creation and interpretation of a digital signature should be invisible to the users.
The sender indicates that he or she wants the message digitally signed, and the recipient’s software determines the validity of the signature.

Figure: Digital Signature Process

Let’s step through the process of how digital signatures are created and sent. First, a brief introduction to the players:
• We have two co-workers who would like to establish communications with each other over public media. They are Alice and Bob. Alice wishes to make plans for a meeting with Bob and discuss the agenda.
• Eve works for Alice’s and Bob’s competitor. Given the opportunity, she would find out the topic of their meeting. Eve is the threat. She is the eavesdropper. (Note that anybody can eavesdrop on communications that take place over this public media.)

Under normal circumstances, if Alice wanted to communicate with Bob, she could simply send plaintext messages to him. Of course, Eve could eavesdrop on this communication as well. To ensure that communications between Alice and Bob take place in such a manner as to uphold the five pillars of security—authentication, privacy, authorization, integrity, and non-repudiation—Alice and Bob have to negotiate a secure session key exchange. Symmetric keys, one for Alice and one for Bob, are generated specifically for a session. They will be used for the actual encryption and decryption of messages in any one direction. Symmetric key encryption/decryption is a process that is much faster than asymmetric key encryption and decryption.

Before Alice and Bob can generate session-specific symmetric keys, they have to have their respective asymmetric public and private keys. These keys are required in order for them to be able to say who they are as well as recognize each other electronically, in the absence of the more traditional visual or aural recognition patterns that we are so used to. (They can each submit their public keys to a CA that they trust [trusted third party] and receive a digital certificate.
This way, the public key’s authenticity can be verified.) Apart from generating the session key, we can delineate ten steps for the encryption/decryption process. Five steps are from Alice’s side (the sender of the email) and five are from Bob’s side (the receiver of the email). Now, let’s examine what keys are used for the email exchange.

Alice has the following keys:
• Alice’s private key
• Alice’s public key
Alice obtains:
• Bob’s public key
Alice generates:
• Alice’s random session key
Bob has the following keys:
• Bob’s private key
• Bob’s public key

After Alice and Bob negotiate their one-time random session keys, the exchange begins:
1. Alice writes her message (plaintext). Alice also creates a message digest. This is a short 128- or 160-bit hash depending upon the algorithm used (integrity).
2. Alice now uses her private key to encrypt the message digest. This becomes her digital signature (authenticity and non-repudiation).
3. Alice encrypts her message using the symmetric session key. Large messages can quickly be encrypted this way (privacy).
4. Alice encrypts her session key with Bob’s public key. Only Bob, with his private key, can decrypt this (authorization).
5. Alice now sends the whole packet (message digest + message + session key, all encrypted) to Bob.

Component sent by Alice      Encrypted by
Message digest               Alice’s private key
Message (plain text)         Alice’s session key
Alice’s session key          Bob’s public key

6. Bob receives the packet consisting of the encrypted session key, encrypted message, and encrypted message digest (Alice’s digital signature).
7. First, Bob decrypts the session key using his private key (authorization).
8. Bob decrypts the message using the now decrypted session key (privacy).
9. Bob decrypts the message digest using Alice’s public key (authenticity and non-repudiation).
10. Bob recalculates a message digest from the decrypted message and compares it with the decrypted message digest to see if they match (integrity).
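The ten steps just listed (and the email-software walkthrough in section 3.4.8, which restates them), carried out end to end in pure Python as an added example; this is not code from the original report. Everything below the standard library is a stand-in and an assumption of this example: the RSA keys come from a small Miller-Rabin prime search with a 512-bit modulus chosen for speed; signing is "textbook" RSA applied to a SHA-256 digest, which is exactly the "encrypt the hash with the private key" model described above, where production code would use a padded scheme (RSA-PSS for signatures, RSA-OAEP for wrapping the session key); and the symmetric session cipher is a SHA-256 counter-mode keystream standing in for AES. The `corrupt_in_transit` switch plays Eve modifying one ciphertext bit so that step 10 fails, which also illustrates the later remark that Bob learns only that something is wrong, not what.

```python
"""
End-to-end run of the ten-step signed-and-encrypted exchange (added example,
not part of the original report). Stand-ins, all assumptions of this example:
  * RSA keys from a small Miller-Rabin search (512-bit modulus for speed;
    real deployments use 2048 bits or more).
  * "Textbook" RSA on a SHA-256 digest, i.e. "encrypt the hash with the private
    key"; production code uses RSA-PSS for signing and RSA-OAEP for wrapping.
  * A SHA-256 counter-mode keystream stands in for AES as the session cipher.
"""
import hashlib
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; composites slip through with negligible probability."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public, private), each an (n, exponent) pair."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_apply(value, key):
    """value ** exponent mod n. The one operation behind signing (private
    exponent), verifying (public), wrapping the session key with the
    recipient's public key and unwrapping it with the private one."""
    n, exponent = key
    return pow(value, exponent, n)


def message_digest(data):
    """Step 1: fixed-size digest whatever the message length."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def stream_xor(key, nonce, data):
    """Constructed symmetric cipher (stand-in for AES): XOR with a SHA-256
    counter-mode keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out.extend(x ^ k for x, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def alice_send(plaintext, alice_private, bob_public):
    """Steps 1-5: hash, sign, encrypt, wrap the session key, build the packet."""
    signature = rsa_apply(message_digest(plaintext), alice_private)          # 1-2
    session_key, nonce = secrets.token_bytes(16), secrets.token_bytes(8)
    ciphertext = stream_xor(session_key, nonce, plaintext)                   # 3
    wrapped_key = rsa_apply(int.from_bytes(session_key, "big"), bob_public)  # 4
    return {"signature": signature, "ciphertext": ciphertext,
            "nonce": nonce, "wrapped_key": wrapped_key}                      # 5


def bob_receive(packet, bob_private, alice_public):
    """Steps 6-10: unwrap the session key, decrypt, recompute and compare the
    digest. Returns (plaintext, signature_ok)."""
    session_key = rsa_apply(packet["wrapped_key"], bob_private).to_bytes(16, "big")  # 7
    plaintext = stream_xor(session_key, packet["nonce"], packet["ciphertext"])         # 8
    received_digest = rsa_apply(packet["signature"], alice_public)                     # 9
    return plaintext, received_digest == message_digest(plaintext)                     # 10


def exchange(plaintext=b"Meeting Tuesday 10:00; agenda attached", corrupt_in_transit=False):
    """Run one exchange. With corrupt_in_transit, one ciphertext bit is flipped
    on the way, so step 10 fails without saying what changed."""
    alice_public, alice_private = generate_keypair()
    bob_public, bob_private = generate_keypair()
    packet = alice_send(plaintext, alice_private, bob_public)
    if corrupt_in_transit:
        damaged = bytearray(packet["ciphertext"])
        damaged[0] ^= 0x01
        packet["ciphertext"] = bytes(damaged)
    return bob_receive(packet, bob_private, alice_public)


if __name__ == "__main__":
    print(exchange())                         # (plaintext, True)
    print(exchange(corrupt_in_transit=True))  # (damaged plaintext, False)
```

Two design points worth noticing: the session key, not the message, is what Bob's private key protects, so the RSA work is the same size regardless of how long the message is; and because the digest is recomputed over the decrypted message, a mismatch cannot tell Bob whether the signature, the session key or the ciphertext was altered, which is why the text says a failed match indicates only that something went wrong.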
Component received by Bob           Decrypted by
Encrypted Alice’s session key       Bob’s private key
Encrypted message (cipher text)     Alice’s session key
Encrypted message digest            Alice’s public key

Where is Eve during all this? What can she do to capture Alice and Bob’s meeting schedule and agenda? How can she even know that they are making meeting plans? Eve can eavesdrop on the public media being used by Alice and Bob. She can grab hold of the packets and try her hand at deciphering them. To read the message she needs the session key, which is, as we have seen, encrypted such that the only key that will decrypt it is Bob’s private key. In the absence of Bob’s private key, Eve has two choices: blind luck or brute force. As far as luck is concerned, Eve’s chances are better at winning the lottery. Eve could attempt brute force, but with today’s computing power, she would need to set aside a few centuries or a few million dollars.

3.4.8 Email Software

To illustrate precisely what’s happening within the email software, let’s say Alice wants to send a digitally signed message to Bob. Alice likely clicks the appropriate icon in her email software. This starts the following chain of events:
1. Alice’s message is passed through a hashing algorithm to produce a message digest. The size of the message digest depends on the specific hashing algorithm used, but will remain constant, regardless of the size of the original message. For any non-trivial hashing algorithm, there is almost no chance that two non-identical messages will coincidentally produce the same message digest. (Going by the law of averages, the 128-bit MD5 hash algorithm requires hashes from different messages to produce two hashes that are alike. Similarly, the 160-bit SHA-1 hash algorithm requires hashes from different messages to produce two hashes that are alike.)
2. The message digest is encrypted using Alice’s private key. This is the digital signature.
The digital signature is attached to the original message and sent to Bob. Note that the digital signature may be generated only once the message is complete; if Alice wants to change the message after signing it, she’ll have to discard the old signature and generate a new one after her changes have been made.

Once Bob receives the message, his software will perform the following steps:
1. Bob’s software separates the signature from the message and uses the same hashing algorithm Alice used to create a message digest.
2. Bob’s software decrypts Alice’s digital signature with her public key. It can now view the original message digest from Alice’s message.
3. Bob’s software compares the two message digests. If they are the same, Alice’s identity is confirmed and Bob is assured the message he received is the message she sent. If they are not the same, then either Alice is not who she claims to be or the contents of the message have been altered since it was signed.

In order for the digital signature to be of any use, Bob’s software must be able to determine both the hashing algorithm Alice used and her public key—the underlying PKI should be capable of providing this information. Also, a failed match will indicate only that something went wrong; it does not determine what, exactly, went wrong. If Bob’s software reports the signature is invalid, it cannot tell whether the contents of the message have been corrupted or there is a problem with Alice’s identity.

To summarize, the steps for a digital signature are:

Alice (sender):
1. Writes the message and creates a message digest (MD).
2. Encrypts the MD with her private key.
3. Encrypts the message with a random session key.
4. Encrypts the session key with Bob’s public key.
5. Sends the entire packet to Bob.

Bob (recipient):
1. Receives the packet with the session key, digital signature, and encrypted message.
2. Decrypts the session key with his private key.
3. Decrypts the message using the session key.
4. Decrypts the MD with Alice’s public key and then calculates his own MD from the message.
5. If the two MDs are the same, he knows the message came from Alice and has not been modified in transit.

Part Two
Designing the New Network

Introduction:

After completing the theoretical part in part one, the ideas understood there are going to be used to design the new network of the bank. This part will be divided into four chapters, starting with chapter four. Chapter four will analyze the problems found in the current network. The next chapter, chapter five, talks about the way of modifying the network infrastructure to avoid the problems associated with the current topology of the network. Chapter six explains the security systems and techniques that will be used in the new network in order to give the network a high degree of security. Chapter seven introduces the design of the branches' wireless networks. In addition to those chapters, appendix (A) is included to show the configuration of the routers used in the simulation.

Chapter Four
Analysis of the Bank Network Problems

4.1 Introduction:

The Shamil Bank of Yemen and Bahrain was established as a Yemeni closed shareholding company with a fully paid-up capital of two billion Yemeni rials. A decree was issued by the Central Bank of Yemen on 17 February 2002 allowing it to commence banking operations. The main goal of the bank is its pursuit of implementing services to activate various aspects of communal work on the basis of reciprocal and mutual benefit. The bank aims at achieving this by improving means of attracting finances and deposits and in the correct investment of these funds. The bank also engages in domestic and foreign commercial trade and participates in development projects in the fields of agriculture, industry, mining, construction, tourism, housing and other economic and social development projects. The bank has six branches in addition to the central office.
These branches are distributed as follows: three branches in Sana'a, and one branch in each of Aden, Mukalla and Alhudaida.

4.2 The Current Network of the Bank

The bank uses the hub-and-spoke topology for interconnecting its branches. The general topology is shown in figure 4-1.

Figure 4-1: General Topology of the Bank

The bank uses this topology because it is the most cost-effective topology that one can choose when using Frame Relay technology. This topology also makes sure that for a branch to access another branch, it must pass through the central office, which can permit or deny the connection. But there is a problem in using the topology shown in figure 4-1: if the central office fails, the entire WAN will fail.

The number of employees differs from branch to branch. The total number of employees using computers is 147, distributed as follows:
• Central Office: 59
• Sana'a Branch: 21
• Hadda Branch: 16
• Shomaila: 6
• Aden Branch: 20
• Mukalla Branch: 13
• Hodaida Branch: 12
Of those employees, the ones who make heavy use of the computer network are the employees of the banking hall. They are about 50% of the employees of each branch.

The bank has a database server in each of the branches of Aden, Hodaida and Mukalla. It has a database server located in the central office for both the Hadda and Shomaila branches. The servers of the central office are divided as follows:
• Two servers for the database.
• One server for DNS.
• One server for the ISA firewall + presence and absence system.
• One server for ATM (Automatic Teller Machine).
• One server for anti-virus.

The bank uses Frame Relay as the WAN technology chosen for connecting the central office to the branches. They do not use a backup technology that could be used if there is a problem with the Frame Relay WAN. It should be noted that the IT engineers of the central office can access and configure any server and any router at any branch.
But the IT engineers of the other branches can only access and configure their own servers and routers; they cannot access any remote server or router.

4.3 The Current Network Problems:

The bank is going to get a new computer-based banking system. There are many requirements for that system in order to operate efficiently. The servers should be upgraded and the network components should be upgraded too. The new network should avoid the problems and mistakes in the current network. Here are some of the problems that should be solved or avoided.

1- The problem of the topology: As shown in figure 4-1, if the central router fails, the entire network will fail. Also, if the Frame Relay link from the ISP to the central router fails, the entire network will fail. The problem of the old banking system is that if an operation is done in one branch and that operation belongs to an account created in another branch, the new data should be recorded in the central branch and in the branch of that account in order to be committed. In the new banking system, the two updates do not have to happen at the same time: the new system can synchronize the data automatically. This feature lets us send the data to one of the parties, and the parties will synchronize themselves.

2- WAN technology backup: The current network does not have a backup for its WAN. This is a serious problem that should be solved.

3- Security weaknesses: The current network does not have a physical firewall specialized in protecting the network from outside dangers. This firewall should be present in the new system because the bank will have many Internet-banking activities when the new system works. The current network does not have VLANs. The servers are attached to the same switch and handled as simple PCs. If a user has a dangerous program or a virus enters the network, there is not even a basic network-based way to protect the servers.
Also, if a user runs a packet sniffing program, he will be able to see the data passing through the switch in the clear, because there is no encryption mechanism.

4- The current network devices: Most of the current networking devices are old and cannot be upgraded to provide the needs of the new network.

Chapter Five
Topology Redesigning

As stated before, the problem of figure 4-1 is that when the main router fails, the entire network will fail. Also, if the connection between the ISP and the central branch fails, the entire network will also fail. In this chapter we will try to solve these problems. There are many ways of solving the topology problem. Two of them are chosen as the best solutions that can fit the bank's requirements. The first method is relatively expensive but will provide the best performance: DSL over optical fibers. The other method is using ISDN as a backup for the Frame Relay.

5.1 The Networking Devices:

The current routers of the bank are Cisco 2600 routers. These routers are considered old and their vendor support has started to be reduced. The new adjustments to the network require new cards to be added to the routers, and it is difficult to find cards that are appropriate for the current routers. The current switches are very simple and do not provide any management features or advanced features such as VLANs and basic port security. It is recommended that all routers and switches be replaced by new ones in order to support new technologies and for efficient and cost-effective future growth. The routers of the central branch and the Aden branch are recommended to be Cisco 3700 series or higher. All the other routers are recommended to be changed to Cisco 2811 or higher. All the switches are also required to be replaced by Cisco Catalyst switches that provide VLANs and basic port security.
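Before the two WAN options are described in detail, here is an added example (not part of the original report) that makes the single point of failure of figure 4-1 concrete and checks what a redesign buys. The WAN is modelled as a graph of devices and links; a branch counts as "up" while its LAN can still reach the central office LAN. The device and link names are assumed for illustration, the six branches are those of section 4.1, and the redesign modelled here is the chapter's own proposal as this example reads it: ISDN backup circuits for the Frame Relay PVCs plus a second router at the central office.

```python
"""
Single-point-of-failure check for the bank WAN (added example, not part of
the original report). Device and link names are assumed for illustration.
A link is (link_name, end_a, end_b). "FR" is the ISP's Frame Relay cloud,
"ISDN" the dial backup network and "CO-LAN" the central office LAN.
"""
from collections import deque

BRANCHES = ["Sanaa", "Hadda", "Shomaila", "Aden", "Mukalla", "Hodaida"]


def current_design():
    """Figure 4-1 as modelled here: one central router, Frame Relay only."""
    links = [("co-lan-r1", "CO-LAN", "CO-R1"), ("fr-co", "CO-R1", "FR")]
    for b in BRANCHES:
        links.append((f"fr-{b}", "FR", f"{b}-R"))        # branch PVC
        links.append((f"{b}-lan", f"{b}-R", f"{b}-LAN"))  # branch router to LAN
    return links


def redesign():
    """Assumed reading of the chapter 5 proposal: a second central router
    (CO-R2) also on Frame Relay, and an ISDN backup circuit per branch that
    either central router can terminate."""
    links = current_design() + [
        ("co-lan-r2", "CO-LAN", "CO-R2"),
        ("fr-co2", "CO-R2", "FR"),
        ("isdn-co1", "CO-R1", "ISDN"),
        ("isdn-co2", "CO-R2", "ISDN"),
    ]
    for b in BRANCHES:
        links.append((f"isdn-{b}", "ISDN", f"{b}-R"))
    return links


def reachable(links, start, failed=frozenset()):
    """Breadth-first search over the links that survive the failure set."""
    adjacency = {}
    for name, a, b in links:
        if name in failed or a in failed or b in failed:
            continue
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def branches_up(links, failed=frozenset()):
    """Branches whose LAN can still reach the central office LAN."""
    seen = reachable(links, "CO-LAN", failed)
    return [b for b in BRANCHES if f"{b}-LAN" in seen]


def single_points_of_failure(links):
    """Map every device or link whose loss isolates at least one branch to
    the branches it would cut off."""
    components = {name for name, _, _ in links}
    components |= {end for _, a, b in links for end in (a, b)}
    components.discard("CO-LAN")  # the point reachability is measured to
    result = {}
    for comp in sorted(components):
        lost = [b for b in BRANCHES if b not in branches_up(links, {comp})]
        if lost:
            result[comp] = lost
    return result


def wide_impact_failures(links):
    """Components whose loss takes down more than one branch: the topology
    weaknesses, as opposed to a branch's own router or LAN link."""
    spof = single_points_of_failure(links)
    return sorted(comp for comp, lost in spof.items() if len(lost) > 1)


if __name__ == "__main__":
    for label, topology in (("current", current_design()), ("redesign", redesign())):
        print(label, "wide-impact single points of failure:", wide_impact_failures(topology))
        print(label, "branches up with CO-R1 down:", branches_up(topology, {"CO-R1"}))
```

On the current design the check reports the central router, its LAN link, its Frame Relay link and the Frame Relay cloud itself as wide-impact failures, each taking all six branches down; on the redesign the wide-impact list is empty, and the only remaining single points of failure are each branch's own router and LAN link, which no WAN design can remove. Exercising the check with sets of several failures (for example both CO-R1 and the Frame Relay cloud) is the quickest way to reason about which combinations the ISDN backup does and does not cover.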
In addition to the replacement of the routers and switches, an additional router should be added to the central branch to solve the problem of the failure of the primary router. This router will be used as a backup router for the primary router, so that when the primary router fails, no effect will be noticed on the network performance. Now, after discussing the device requirements for the new network, we are going to discuss the possible solutions that could fit the requirements of the bank.

5.2 DSL over Optical Fibers:

If this method is used, the routers should be installed with optical fiber cards. This method is very expensive because it requires the bank to pay for the path preparation from the branches to the ISP. Also, the monthly payment for the optical fiber is high. Despite the above drawbacks, the concepts of DSL and VPN can be applied to copper wires too.

5.3 DSL:

DSL, or xDSL, is a family of technologies that provides digital data transmission over the wires of a local telephone network. DSL originally stood for digital subscriber loop, although in recent years the term digital subscriber line has been widely adopted as a more marketing-friendly term for ADSL, which is the most popular version of consumer-ready DSL. DSL can be used at the same time and on the same telephone line as a regular telephone, as it uses high frequencies, while the regular telephone uses low frequencies. Typically, the download speed of consumer DSL services ranges from 256 kilobits per second (kbit/s) to 24,000 kbit/s, depending on DSL technology, line conditions and service level implemented. Typically, upload speed is lower than download speed for Asymmetric Digital Subscriber Line (ADSL) and equal to download speed for the rarer Symmetric Digital Subscriber Line (SDSL).

5.3.1 Voice and Data:

Voice DSL (VDSL) typically works by dividing the frequencies used in a single phone line into two primary "bands".
The ISP data is carried over the high-frequency band (25 kHz and above) whereas the voice is carried over the lower-frequency band (4 kHz and below). The user typically installs a DSL filter on each phone. This filters out the high frequencies from the phone line, so that the phone only sends or receives the lower frequencies (the human voice). The DSL modem and the normal telephone equipment can be used simultaneously on the line without interference from each other.

5.3.2 History and Science:

Digital subscriber line technology was originally implemented as part of the ISDN specification, which was later reused as IDSL. Higher speed DSL connections like HDSL and SDSL have been developed to extend the range of DS1 services on copper lines. Consumer oriented ADSL is designed to operate also on a BRI ISDN line, which itself is another (not IP) form of digital signal transmission, as well as on an analog phone line.

DSL, like many other forms of communication, stems directly from Claude Shannon's seminal 1948 scientific paper: A Mathematical Theory of Communication. Employees at Bellcore (now Telcordia Technologies) developed ADSL in 1988 by placing wideband digital signals above the existing baseband analog voice signal carried between telephone company central offices and customers on conventional twisted pair cabling.

U.S. telephone companies promote DSL to compete with cable internet. DSL service was first provided over a dedicated "dry loop", but when the FCC required the incumbent local exchange carriers (ILECs) to lease their lines to competing providers such as Earthlink, shared-line DSL became common. Also known as DSL over Unbundled Network Element, this allows a single pair to carry data (via a digital subscriber line access multiplexer [DSLAM]) and analog voice (via a circuit switched telephone switch) at the same time. Inline low-pass filter/splitters keep the high frequency DSL signals out of the user's telephones.
Although DSL avoids the voice frequency band, the nonlinear elements in the phone would otherwise generate audible intermodulation products and impair the operation of the data modem.

Older ADSL standards can deliver 8 Mbit/s to the customer over about 2 km (1.25 miles) of unshielded twisted-pair copper wire. The latest standard, ADSL2+, can deliver up to 24 Mbit/s, depending on the distance from the DSLAM. Distances greater than 2 km (1.25 miles) significantly reduce the bandwidth usable on the wires, thus reducing the data rate. By using an ADSL loop extender, these distances can be increased substantially. In 2007, Dr. John Papandriopoulos, a researcher at the Melbourne School of Engineering, University of Melbourne, patented algorithms that can potentially boost DSL line speeds to a maximum of 250 Mbit/s.

5.3.3 DSL Operation

5.3.3.1 Regular DSL:

The local loop of the public switched telephone network (PSTN) was initially designed to carry POTS voice communication and signaling, since the concept of data communications as we know it today did not exist. For reasons of economy, the phone system nominally passes audio between 300 and 3,400 Hz, which is regarded as the range required for human speech to be clearly intelligible. This is known as voiceband or commercial bandwidth. At the local telephone exchange (United Kingdom) or central office (United States) the speech is generally digitized into a 64 kbit/s data stream in the form of an 8-bit signal using a sampling rate of 8,000 Hz; therefore, according to the Nyquist theorem, any signal above 4,000 Hz is not passed by the phone network (and has to be blocked by a filter to prevent aliasing effects).

The laws of physics, specifically the Shannon limit, cap the speed of data transmission. For a long time, it was believed that a conventional phone line couldn't be pushed beyond low speed limits (typically under 9600 bit/s).
In the 1950s, 4 MHz television signals were often carried between studios on ordinary twisted pair telephone cable, suggesting that the Shannon limit would allow transmitting many megabits per second. However, these cables had other impairments besides Gaussian noise, preventing such rates from becoming practical in the field. In the 1980s techniques were developed for broadband communications that allowed the limit to be greatly extended.

The local loop connecting the telephone exchange to most subscribers is capable of carrying frequencies well beyond the 3.4 kHz upper limit of POTS. Depending on the length and quality of the loop, the upper limit can be tens of megahertz. DSL takes advantage of this unused bandwidth of the local loop by creating 4312.5 Hz wide channels starting between 10 and 100 kHz, depending on how the system is configured. Allocation of channels continues at higher and higher frequencies (up to 1.1 MHz for ADSL) until new channels are deemed unusable. Each channel is evaluated for usability in much the same way an analog modem would on a POTS connection. More usable channels equates to more available bandwidth, which is why distance and line quality are a factor (the higher frequencies used by DSL travel only short distances).

The pool of usable channels is then split into two different frequency bands for upstream and downstream traffic, based on a preconfigured ratio. This segregation reduces interference. Once the channel groups have been established, the individual channels are bonded into a pair of virtual circuits, one in each direction. Like analog modems, DSL transceivers constantly monitor the quality of each channel and will add or remove them from service depending on whether they are usable. One of Lechleider's contributions to DSL was his insight that an asymmetric arrangement offered more than double the bandwidth capacity of symmetric DSL.
This allowed Internet Service Providers to offer efficient service to consumers, who benefited greatly from the ability to download large amounts of data but rarely needed to upload comparable amounts. ADSL supports two modes of transport: fast channel and interleaved channel. Fast channel is preferred for streaming multimedia, where an occasional dropped bit is acceptable, but lags are less so. Interleaved channel works better for file transfers, where the delivered data must be error free but latency incurred by the retransmission of errored packets is acceptable.

Because DSL operates above the 3.4 kHz voice limit, it cannot be passed through a load coil. Load coils are, in essence, filters that block out any non-voice frequency. They are commonly set at regular intervals in lines placed only for POTS service. A DSL signal cannot pass through a properly installed and working load coil, while voice service cannot be maintained past a certain distance without such coils. Therefore, some areas that are within range for DSL service are disqualified from eligibility because of load coil placement. Because of this, phone companies are endeavoring to remove load coils on copper loops that can operate without them, and conditioning lines to avoid them through the use of fiber to the neighborhood or node (FTTN).

The commercial success of DSL and similar technologies largely reflects the advances made in electronics, which, over the past few decades, have been getting faster and cheaper even while digging trenches in the ground for new cables (copper or fiber optic) remains expensive. Several factors contributed to the popularization of DSL technology:
• Until the late 1990s, the cost of digital signal processors for DSL was prohibitive. All types of DSL employ highly complex digital signal processing algorithms to overcome the inherent limitations of the existing twisted pair wires. Due to the advancements of VLSI technology, the cost of the equipment associated with a DSL deployment (a DSLAM at one end and a DSL modem at the other end) lowered significantly.
• A DSL line can be deployed over existing cable. Such deployment, even including equipment, is much cheaper than installing a new, high-bandwidth fiber-optic cable over the same route and distance. This is true both for ADSL and SDSL variations.
• In the case of ADSL, competition in Internet access caused subscription fees to drop significantly over the years, thus making ADSL more economical than dial-up access. Telephone companies were pressured into moving to ADSL largely due to competition from cable companies, which use DOCSIS cable modem technology to achieve similar speeds. Demand for high bandwidth applications, such as video and file sharing, also contributed to popularize ADSL technology.

Most residential and small-office DSL implementations reserve low frequencies for POTS service, so that (with suitable filters and/or splitters) the existing voice service continues to operate independent of the DSL service. Thus POTS-based communications, including fax machines and analog modems, can share the wires with DSL. Only one DSL "modem" can use the subscriber line at a time. The standard way to let multiple computers share a DSL connection is to use a router that establishes a connection between the DSL modem and a local Ethernet, Powerline, or Wi-Fi network on the customer's premises. Once upstream and downstream channels are established, they are used to connect the subscriber to a service such as an Internet service provider.

5.3.3.2 Naked DSL:

Dry-loop DSL or "naked DSL," which does not require the subscriber to have traditional land-line telephone service, started making a comeback in the US in 2004 when Qwest started offering it, closely followed by Speakeasy.
As a result of AT&T's merger with SBC and Verizon's merger with MCI, those telephone companies are required to offer naked DSL to consumers. Even without the regulatory mandate, however, many ILECs offer naked DSL to consumers. The number of telephone landlines in the US has dropped from 188 million in 2000 to 172 million in 2005, while the number of cellular subscribers has grown to 195 million. This lack of demand for landline service has resulted in the expansion of naked DSL availability. 5.3.4 Typical Setup and Connection Procedure: The first step is the physical connection. On the customer side, the DSL Transceiver, or ATU-R, or more commonly known as a DSL modem, is hooked up to a phone line. (Modems actually modulate and demodulate a signal, whereas the DSL Transceiver is a radio-signal transmit and receive unit.) The telephone company (Telco) connects the other end of the line to a DSLAM, which concentrates a large number of individual DSL connections into a single box. The location of the DSLAM depends on the Telco, but it cannot be located too far from the user because of attenuation, the loss of data due to the large amount of electrical resistance encountered as the data moves between the DSLAM and the user's DSL modem. It is common for a few residential blocks to be connected to one DSLAM. When the DSL modem is powered up, it goes through a sync procedure. The actual process varies from modem to modem but can be generally described as: 1. The DSL Transceiver does a self-test. 2. The DSL Transceiver checks the connection between the DSL Transceiver and the computer. For residential variations of DSL, this is usually the Ethernet (RJ-45) port or a USB port; in rare models, a FireWire port is used. Older DSL modems sported a native ATM interface (usually, a 25 Mbit serial interface). Also, some variations of DSL (such as SDSL) use synchronous serial connections. 3. The DSL Transceiver then attempts to synchronize with the DSLAM. 
Data can only come into the computer when the DSLAM and the modem are synchronized. The synchronization process is relatively quick (in the range of seconds) but is very complex, involving extensive tests that allow both sides of the connection to optimize the performance according to the characteristics of the line in use. External, or stand-alone, modem units have an indicator labeled "CD", "DSL", or "LINK", which can be used to tell if the modem is synchronized. During synchronization the light flashes; when synchronized, the light stays lit, usually with a green color.

Modern DSL gateways have more functionality and usually go through an initialization procedure that is very similar to a PC starting up. The system image is loaded from the flash memory; the system boots, synchronizes the DSL connection, and establishes the IP connection between the local network and the service provider, using protocols such as DHCP or PPPoE. The system image can usually be updated to correct bugs or to add new functionality.

5.3.5 Equipment:

The customer end of the connection consists of a terminal adapter or, in layman's terms, a "DSL modem." This converts data from the digital signals used by computers into a voltage signal of a suitable frequency range, which is then applied to the phone line. In some DSL variations (for example, HDSL), the terminal adapter is directly connected to the computer via a serial interface, using protocols such as RS-232 or V.35. In other cases (particularly ADSL), it is common for the customer equipment to be integrated with higher-level functionality, such as routing, firewalling, or other application-specific hardware and software. In this case, the entire equipment is usually referred to as a DSL router or DSL gateway.

Some kinds of DSL technology require installation of appropriate filters to separate, or "split", the DSL signal from the low-frequency voice signal.
The separation can be done either at the demarcation point or with filters installed at the telephone outlets inside the customer premises. Either way has its practical and economical limitations. See ADSL for more information about this.

At the exchange, a digital subscriber line access multiplexer (DSLAM) terminates the DSL circuits and aggregates them, where they are handed off onto other networking transports. In the case of ADSL, the voice component is also separated at this step, either by a filter integrated in the DSLAM or by specialized filtering equipment installed before it. The DSLAM terminates all connections and recovers the original digital information.

5.3.6 Protocols and Configuration:

Many DSL technologies implement an ATM layer over the low-level bitstream layer to enable the adaptation of a number of different technologies over the same link. DSL implementations may create bridged or routed networks. In a bridged configuration, the group of subscriber computers effectively connects into a single subnet. The earliest implementations used DHCP to provide network details such as the IP address to the subscriber equipment, with authentication via MAC address or an assigned host name. Later implementations often use PPP over Ethernet or ATM (PPPoE or PPPoA), authenticating with a user ID and password and using PPP mechanisms to provide network details.

5.3.7 DSL Technologies:

The line length limitations from telephone exchange to subscriber are more restrictive for higher data transmission rates. Technologies such as VDSL provide very high speed, short-range links as a method of delivering "triple play" services (typically implemented in fiber-to-the-curb network architectures). Technologies like GDSL can further increase the data rate of DSL. Fiber optic technologies exist today that allow copper-based ISDN, ADSL and DSL to be carried over fiber optics.
Example DSL technologies (sometimes called xDSL) include:
• ISDN Digital Subscriber Line (IDSL), uses ISDN-based technology to provide data flow that is slightly higher than dual channel ISDN.
• High Data Rate Digital Subscriber Line (HDSL / HDSL2), was the first DSL technology that uses a higher frequency spectrum of copper, twisted-pair cables.
• Symmetric Digital Subscriber Line (SDSL / SHDSL), the volume of data flow is equal in both directions.
• Symmetric High-speed Digital Subscriber Line (G.SHDSL), a standardized replacement for early proprietary SDSL.
• Asymmetric Digital Subscriber Line (ADSL), the volume of data flow is greater in one direction than the other.
• Asymmetric Digital Subscriber Line 2 (ADSL2), an improved version of ADSL.
• Asymmetric Digital Subscriber Line 2 Plus (ADSL2+), a version of ADSL2 that doubles the data rates by using twice the spectrum.
• Asymmetric Digital Subscriber Line Plus Plus (ADSL++), technology developed by Centillium Communications for the Japanese market that extends downstream rates to 50 Mbit/s by using spectrum up to 3.75 MHz.
• Rate-Adaptive Digital Subscriber Line (RADSL).
• Very High Speed Digital Subscriber Line (VDSL).
• Very High Speed Digital Subscriber Line 2 (VDSL2), an improved version of VDSL.
• Etherloop Ethernet Local Loop.
• Uni Digital Subscriber Line (UDSL), technology developed by Texas Instruments, backwards compatible with all DMT standards.
• Gigabit Digital Subscriber Line (GDSL), based on binder MIMO technologies.
• Universal Digital Subscriber Line (UHDSL), using fiber optics. Developed in 2005 by RLH Industries, Inc. Converts HDSL-1, 2 or 4 copper service into fiber optic HDSL service.

5.4 VPN:

The Internet is a worldwide, publicly accessible IP network. Due to its vast global proliferation, it has become a viable method of interconnecting remote sites.
However, the fact that it is a public infrastructure has deterred most enterprises from adopting it as a viable remote access method for branch and SOHO sites. A virtual private network (VPN) is a concept that describes how to create a private network over a public network infrastructure while maintaining confidentiality and security. VPNs use cryptographic tunneling protocols to provide sender authentication, message integrity, and confidentiality by protecting against packet sniffing. VPNs can be implemented at Layers 2, 3, and 4 of the Open Systems Interconnection (OSI) model.

The key to VPN technology is security. VPNs secure data by encapsulating the data, encrypting the data, or both encapsulating the data and then encrypting it:
• Encapsulation is also referred to as tunneling because encapsulation transmits data transparently from network to network through a shared network infrastructure.
• Encryption codes data into a different format. Decryption decodes encrypted data into the data’s original unencrypted format.

5.4.1 Overlay and Peer-to-Peer VPN Architecture:

In terms of evolution, there are two major VPN models: overlay VPN and peer-to-peer VPN.

5.4.1.1 Overlay VPNs

Service providers (SPs) are the most common users of the overlay VPN model. The design and provisioning of virtual circuits (VC) across the backbone is complete prior to any traffic flow. In the case of an IP network, this means that even though the underlying technology is connectionless, it requires a connection-oriented approach to provision the service. The scaling issues of overlay VPNs present a challenge to SPs when they have to manage and provision a large number of circuits and tunnels between customer devices. From a customer's point of view, the Interior Gateway Protocol design is also complex and difficult to manage. The overlay model includes L2 and L3 VPNs.
L2 overlay VPN: L2 overlay VPNs are independent of the network protocol used by the customer, meaning that the VPN is not limited to carrying IP traffic. If the carrier offers the appropriate ATM service, the overlay VPN will carry any kind of information. Frame Relay VPNs are normally limited to data applications, although voice over Frame Relay customer premises equipment (CPE) devices may be usable on some services.

L3 overlay VPN: L3 overlay VPNs most often use an “IP in IP” tunneling scheme using Point to Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP security (IPsec). Figure 5-1 summarizes the basic properties of these technologies:

Figure 5-1 L3 overlay VPN Technologies

5.4.1.2 CPE-Based VPN (Peer-to-Peer)

CPE-based VPN is another name for an L3 overlay VPN. The VPN is implemented using CPE. In this way, a customer creates a VPN across an Internet connection without any specific knowledge or cooperation from the service provider. The customer gains the advantage of increased privacy using an inexpensive Internet connection. This approach is not advantageous to the SP because there is little opportunity for VPN service revenue. However, SPs do charge a higher rate for “business class” Internet services applicable to medium to large enterprises. Also, some SPs offer “managed VPN” services where CPE configuration and Network Address Translation (NAT) address management are performed by the SP rather than by the customer.

5.4.1.3 SP-Provisioned VPN

The introduction of Multiprotocol Label Switching (MPLS) combines the benefits of overlay VPNs (security and isolation among customers) with the benefits of the simplified routing of a peer-to-peer VPN. MPLS VPN provides simpler customer routing, simpler service provider provisioning and a number of possible topologies that are hard to implement in either the overlay or peer-to-peer VPN models.
MPLS also adds the benefits of a connection-oriented approach to the IP routing paradigm, through the establishment of label-switched paths that are created based on topology information rather than traffic flow. This model uses three types of routers:
• The Provider (P) and the Customer Edge (CE) routers are assumed to be unaware of any VPN protocols or procedures.
• Only the Provider Edge (PE) routers need to be provisioned to support the VPNs.

Note that MPLS VPNs cannot replace all VPN implementations because MPLS only supports IP as the Layer 3 protocol. Other protocols including IPX and AppleTalk must be tunneled through the IP backbone.

5.4.2 VPN Technologies:

There are three VPN topologies to consider:

• Remote Access VPN: Remote access VPNs provide remote users access to an intranet or extranet over a shared infrastructure. Mobile users, telecommuters, and branch offices can securely connect using dialup, Integrated Services Digital Network (ISDN), digital subscriber line (DSL), mobile IP, and cable technologies. Remote access VPNs use only a single VPN gateway. The party negotiating a secure connection with the VPN gateway uses VPN client software. The VPN client software allows telecommuters and traveling users to communicate on the central network and access servers from many different locations. Tunnels are created using either IPsec, Point to Point Tunneling Protocol (PPTP), Layer 2 Tunnel Protocol (L2TP), or Layer 2 Forwarding (L2F) Protocol. Figure 5-2 shows the concept of remote access VPN:

Figure 5-2, Remote Access VPN

Benefits: Remote access VPNs reduce long-distance charges that are associated with dialup access. Remote access VPNs also help increase productivity and confidence by ensuring secure network access regardless of an employee’s location.

• Site-to-Site Intranet VPN: Site-to-site intranet VPNs link headquarters, remote offices, and branch offices to an internal network over a shared infrastructure using dedicated connections.
Intranet VPNs differ from extranet VPNs in that intranet VPNs allow access only to trusted employees. With an intranet VPN, gateways at various physical locations within the same business negotiate secure tunnels across the Internet. An example of this type of VPN is a network that exists in several geographic locations, connecting to a data center or mainframe that has secure access through the Internet. Users from the networks on either side of the tunnel can communicate with one another as if the networks were a single network. These networks may need strong encryption and strict performance and bandwidth requirements. Tunnels are created using either IPsec or IPsec/GRE. Figure 5-3 shows a site-to-site VPN:

Figure 5-3, Site-to-Site VPN

Benefits: Site-to-site intranet VPNs offer cost savings over traditional leased-line or Frame Relay technologies.

• Site-to-Site Extranet VPN: An extranet site-to-site VPN links outside customers, suppliers, partners, or communities of interest to an enterprise customer's network over a shared infrastructure using dedicated connections. Extranet VPNs differ from intranet VPNs in that extranet VPNs allow access to users who are outside the enterprise. Extranet VPNs use firewalls in conjunction with VPN tunnels so that business partners are only able to gain secure access to specific data and resources while not gaining access to private corporate information.

Benefits: Businesses enjoy the same policies as a private network, including security, quality of service (QoS), manageability, and reliability.

5.4.3 Characteristics of Secure VPNs:

Security is the focus of any VPN design. VPNs can use advanced encryption techniques and tunneling to establish secure, end-to-end, private network connections over third-party networks, such as the Internet or extranets. The foundation of secure VPNs is based on authentication, encapsulation, and encryption.
By properly implementing security, successful VPN implementations meet three goals:

Authentication: Authentication ensures that a message comes from an authentic source and goes to an authentic destination. User identification gives a user confidence that the party the user establishes communications with is who the user thinks the party is. VPN technologies make use of several reputable methods for establishing the identity of the party at the other end of a network. These include passwords, digital certificates, smart cards, and biometrics.

Data confidentiality: One of the traditional security concerns is protecting data from eavesdroppers. As a design feature, data confidentiality aims at protecting the message contents from being intercepted by unauthenticated or unauthorized sources. VPNs achieve confidentiality using mechanisms of encapsulation and encryption.

Data integrity: Since you have no control over where the data has traveled and who has seen or handled the data you send or receive while the data journeys across the Internet, there is always the possibility that the data has been modified. Data integrity guarantees that no tampering or alterations occur to data while it travels between the source and destination. VPNs typically use one of three technologies to ensure data integrity: one-way hash functions, message authentication codes (MAC), or digital signatures.

5.4.4 VPN Security: Encapsulation

Incorporating the appropriate data confidentiality capabilities into a VPN ensures that only the intended sources and destinations are capable of interpreting the original message contents. Encapsulation is one of the major components of confidentiality. Encryption is the other. Tunneling is the transmission of data through a public network so that routing nodes in the public network are unaware that the transmission is part of a private network.
Tunneling allows the use of public networks (for example, the Internet) to carry data on behalf of users as though the users had access to a private network. This is where the name VPN comes from. VPNs build tunnels by encapsulating the private network data and protocol information within the public network protocol data so that the tunneled data is not available to anyone examining the transmitted data frames. Tunneling is the process of placing an entire packet within another packet and sending the new, composite packet over a network. Following are the three different protocols that tunneling uses:
• Carrier protocol: The protocol the information is traveling over.
• Encapsulating protocol: The protocol (GRE, IPsec, L2F, PPTP, L2TP) that is wrapped around the original data. Not all protocols offer the same level of security.
• Passenger protocol: The original data (IPX, AppleTalk, IPv4, IPv6).

To reinforce the concepts of tunneling, consider an example of sending a holiday card through traditional mail. The holiday card has a message inside and is the passenger protocol. The card is put inside an envelope (encapsulating protocol) with proper addressing applied. The envelope is put inside a mailbox for delivery. The postal system (carrier protocol) picks up and delivers the envelope to your mailbox. The two end points in the carrier system are the “tunnel interfaces.” You remove the holiday card (extract the passenger protocol) and read the message.

5.4.5 VPN Security: IPsec and GRE

Tunneling protocols vary in the features that they support, the problems that they aim to solve, and the amount of security that they provide to the data that they transport. This section focuses on using IPsec and IPsec with GRE. When used alone, IPsec provides a private, resilient network for IP unicast only. Use IPsec in conjunction with GRE when support for IP multicast, dynamic IGP routing protocols, or non-IP protocols is required.
Figure shows an example secure remote access VPN. IPsec has two encryption modes:
• Tunnel mode
• Transport mode

Tunnel mode encrypts the header and the payload of each packet while transport mode only encrypts the payload. Only systems that are IPsec-compliant can take advantage of transport mode. Additionally, all devices must use a common key and the firewalls of each network must be set up with very similar security policies. IPsec can encrypt data between various devices, including router to router, firewall to router, PC to router, and PC to server.

GRE encloses the IP header and payload of packets with a GRE-encapsulation header. Network designers use this method of encapsulation to hide the IP header of packets as part of the GRE-encapsulated payload. By hiding information, the designers separate, or “tunnel,” data from one network to another without making changes to the underlying common network infrastructure.

5.4.6 Tunneling in Site-to-Site VPNs

In a site-to-site VPN, GRE provides the framework for packaging the passenger protocol for transport over the carrier protocol (usually IP-based). This transport includes information on what type of packet is encapsulated and information about the connection between the client and server. Site-to-site VPNs can also use IPsec in tunnel mode as the encapsulating protocol. IPsec works well on both remote-access and site-to-site VPNs. To use IPsec, both tunnel interfaces must support IPsec.

5.4.7 Tunneling: Remote-Access

In a remote-access VPN, tunneling often uses PPP and associated protocols. When communication is established over the network between the host computer and a remote access system, PPP is the carrier protocol. Remote-access VPNs can also use the protocols listed below. Each protocol uses the basic structure of PPP:

Layer 2 Forwarding (L2F): Developed by Cisco Systems, L2F uses any authentication scheme that is supported by PPP. However, L2F does not support encryption.
Point-to-Point Tunneling Protocol (PPTP): The PPTP Forum, a consortium that includes US Robotics, Microsoft, 3COM, Ascend, and ECI Telematics, created PPTP. PPTP supports 40-bit and 128-bit encryption and uses any authentication scheme that is supported by PPP.

Layer 2 Tunneling Protocol (L2TP): L2TP is the product of a partnership between the members of the PPTP Forum, Cisco Systems, and the Internet Engineering Task Force (IETF). It is a combination of the PPTP and L2F protocols. Both site-to-site VPNs and remote-access VPNs can use L2TP as a tunneling protocol. However, due to the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec and is called L2TP/IPsec. A new version of the protocol was released in 2005 and is referred to as L2TPv3.

5.4.8 IPsec Security Features:

IPsec provides a mechanism for secure data transmission over IP networks, ensuring confidentiality, integrity, and authenticity of data communications over unprotected networks such as the Internet. IPsec encompasses a suite of protocols and is not bound to any specific encryption or authentication algorithms, key generation technique, or security association (SA). IPsec provides the rules while existing algorithms provide the encryption, authentication, key management, and so on.

IPsec acts at the network layer, protecting and authenticating IP packets between IPsec devices (peers), such as Cisco PIX Firewalls, Adaptive Security Appliances (ASA), Cisco routers, the Cisco Secure VPN Client, and other IPsec-compliant products. IPsec is an Internet Engineering Task Force (IETF) standard (RFC 2401-2412) that defines how a VPN can be created over IP networks. IPsec provides the following essential security functions:

• Data confidentiality: IPsec ensures confidentiality by using encryption. Data encryption prevents third parties from reading the data, especially data that is transmitted over public networks or wireless networks.
The IPsec sender can encrypt packets before transmitting the packets across a network and prevent anyone from hearing or viewing the communication (eavesdropping). If intercepted, the data cannot be decoded. Encryption is provided using encryption algorithms including DES, 3DES, and AES.

• Data integrity: IPsec ensures that data arrives unchanged at the destination; that is, that the data is not manipulated at any point along the communication path. IPsec ensures data integrity by using hashes. A hash is a simple redundancy check. The IPsec protocol adds up the basic components of a message (typically the number of bytes) and stores the total value. IPsec performs a checksum operation on received data and compares the result to the authentic checksum. If the sums match, the data is considered not manipulated. Data integrity is provided through the Hash-based Message Authentication Code (HMAC) function. Supported HMAC functions include Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA-1).

• Data origin authentication: The IPsec receiver can authenticate the source of the IPsec packets. Authentication ensures that the connection is actually made with the desired communication partner. IPsec authenticates users (people) and devices that can carry out communication independently. The quality of data origin authentication is dependent on the data integrity service that is provided.

• Anti-replay: Anti-replay protection verifies that each packet is unique, not duplicated. IPsec packets are protected by comparing the sequence number of the received packets against a sliding window on the destination host or security gateway. A packet whose sequence number is before the sliding window is considered late, or a duplicate. Late and duplicate packets are dropped.

5.4.9 IPsec Protocols:

The IPsec standard provides a method to manage authentication and data protection between multiple peers engaging in secure data transfer.
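The anti-replay check described under 5.4.8 above is easiest to see in code. The following is an added example (not code from the original text or from any IPsec implementation) of the receiver-side sliding window: the highest accepted sequence number plus a bitmap of the numbers just below it; the sequence numbers fed through it are constructed sample values.

```python
"""Added example (not code from the original text): the anti-replay sliding
window described under 5.4.8.  The receiver remembers the highest sequence
number accepted and a bitmap of the WINDOW_SIZE numbers just below it.
A packet is dropped as "late" if it falls below the window, as "duplicate"
if its bit is already set, and accepted otherwise; a number above the window
slides the window forward.  Sequence numbers used below are constructed samples.
"""

WINDOW_SIZE = 32  # RFC 4303 requires support for a 32-packet window; 64 is common


class AntiReplayWindow:
    def __init__(self, size: int = WINDOW_SIZE) -> None:
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set  <=>  (highest - i) already received

    def check_and_update(self, seq: int) -> str:
        """Return 'accept', 'late' or 'duplicate'; the window is updated on accept."""
        if seq <= 0:
            return "late"                     # ESP sequence numbers start at 1; 0 is never valid
        if seq > self.highest:                # new high-water mark: slide the window forward
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # everything seen so far falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "late"                     # older than the window tracks: dropped
        if (self.bitmap >> offset) & 1:
            return "duplicate"                # already received once: a replay, dropped
        self.bitmap |= 1 << offset            # out of order but new: accept and mark it
        return "accept"


def replay_verdicts(seqs, size: int = WINDOW_SIZE) -> list:
    """Run a series of received ESP sequence numbers through one window."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed sample: reordering (5 before 4), a replay of 4, a jump past the window,
# two stale packets (8, 7), another jump, one stale packet (68), a packet at the
# far edge of the window (69) and its replay.
SAMPLE_SEQS = [1, 2, 3, 5, 4, 4, 40, 8, 7, 100, 68, 69, 69]

if __name__ == "__main__":
    for seq, verdict in zip(SAMPLE_SEQS, replay_verdicts(SAMPLE_SEQS)):
        print(f"seq {seq:4d}: {verdict}")
```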
IPsec includes a protocol for exchanging keys called Internet Key Exchange (IKE) and two IPsec IP protocols, Encapsulating Security Payload (ESP) and Authentication Header (AH). In simple terms, IPsec provides secure tunnels between two peers, such as two routers. The sender defines what packets need protection and will be sent through these secure tunnels and then defines the parameters that are needed to protect these sensitive packets by specifying the characteristics of these tunnels. Then, when the IPsec peer sees such a sensitive packet, the IPsec peer sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

More accurately, these tunnels are sets of Security Associations (SAs) established between two remote IPsec peers. The Security Associations define which protocols and algorithms should be applied to sensitive packets and specify the keying material to be used by the two peers. Security Associations are unidirectional and are established by the security protocol that is being used (AH or ESP).

IPsec uses three main protocols to create a security framework:
• IKE: Provides a framework for the negotiation of security parameters and establishes authenticated keys. IPsec uses symmetrical encryption algorithms for data protection, which are more efficient and easier to implement in hardware than other types of algorithms. These algorithms need a secure method of key exchange to ensure data protection. The IKE protocols provide the capability for secure key exchange.
• AH: The IP Authentication Header (AH) provides connectionless integrity and data origin authentication for IP datagrams and optional protection against replays. AH is embedded in the data that needs to be protected. ESP has replaced the AH protocol, and AH is no longer used very often in IPsec.
• ESP: Encapsulating Security Payload (ESP) provides a framework for encrypting, authenticating, and securing data.
ESP provides data privacy services, optional data authentication, and anti-replay services. ESP encapsulates the data that needs protection. Most IPsec implementations use the ESP protocol.

Note: RFC 2401 defines the architecture for IPsec, including the framework and the services that are provided. RFC 2401 also defines how the services work together and how and where to use the services. Other RFCs define individual protocols.

Beyond these protocols, the framework consists of the implementation specifics, such as the exact encryption algorithm and the key length that is used for ESP.

5.4.10 IPsec Headers:

IPsec provides authentication, integrity, and encryption via the insertion of one or both of two specific headers, AH or ESP, into the IP datagram. The AH provides authentication and integrity checks on the IP datagram. Successful authentication means that the packet was, indeed, sent by the apparent sender. Integrity means the packet was not changed during transport. The ESP header provides information that indicates encryption of the datagram payload contents. The ESP header also provides authentication and integrity checks. AH and ESP are used between two hosts. These hosts may be end stations or gateways.

Note: AH and ESP provide services to transport layer protocols such as TCP and User Datagram Protocol (UDP). AH and ESP are Internet protocols and are assigned numbers 51 (AH) and 50 (ESP) by the Internet Assigned Numbers Authority (IANA).

AH and ESP solutions require a standards-based way to secure data from modification and from being read by a third party. IPsec has a choice of different encryptions (Data Encryption Standard [DES], Triple Data Encryption Standard [3DES], and Advanced Encryption Standard [AES]) so that users can choose the strength of their data protection.
IPsec also has several hash methods to choose from (Hash-based Message Authentication Code [HMAC], Message Digest 5 [MD5], and Secure Hash Algorithm 1 [SHA-1]), each giving different levels of protection.

5.4.11 Internet Key Exchange:

To implement a VPN solution with encryption, it is necessary to periodically change the encryption keys. Failure to change these keys makes the network susceptible to brute-force attacks. IPsec solves the problem of susceptibility with the Internet Key Exchange (IKE) protocol, which uses two other protocols to authenticate a peer and generate keys. The IKE protocol uses the DH key exchange to generate symmetrical keys to be used by two IPsec peers. IKE also manages the negotiation of other security parameters, such as data to be protected, strength of the keys, hash methods used, and whether packets are protected from replay. IKE uses UDP port 500.

IKE negotiates a security association (SA), which is an agreement between two peers engaging in an IPsec exchange, and consists of all the parameters that are required to establish successful communication. IPsec uses the IKE protocol to provide these functions:
• Negotiation of SA characteristics
• Automatic key generation
• Automatic key refresh
• Manageable manual configuration

A security association (SA) requires the following:
• Internet Security Association and Key Management Protocol (ISAKMP): ISAKMP is a protocol framework that defines the mechanics of implementing a key exchange protocol and negotiating a security policy. ISAKMP can be implemented over any transport protocol. The reference document for ISAKMP is RFC 2408.
• SKEME: A key exchange protocol that defines how to derive authenticated keying material with rapid key refreshment.
• OAKLEY: A key exchange protocol that defines how to acquire authenticated keying material. The basic mechanism for OAKLEY is the DH key exchange algorithm. The reference document is RFC 2412: The OAKLEY Key Determination Protocol.
IKE automatically negotiates IPsec SAs and enables IPsec secure communications without costly manual preconfiguration. IKE includes these features:
• Eliminates the need to manually specify all of the IPsec security parameters at both peers
• Allows specification of a lifetime for the IPsec SA
• Allows encryption keys to change during IPsec sessions
• Allows IPsec to provide anti-replay services
• Permits certification authority (CA) support for a manageable, scalable IPsec implementation
• Allows dynamic authentication of peers

IKE Phases and Modes:

IKE is executed in two phases to establish a secure communication channel between two peers:

IKE Phase 1: Phase 1 is the initial negotiation of SAs between two IPsec peers. Optionally, Phase 1 can also include an authentication in which each peer is able to verify the identity of the other. This conversation between two IPsec peers can be subject to eavesdropping with no significant vulnerability of the keys being discovered by the third party. Phase 1 SAs are bidirectional; data can be sent and received using the same key material that is generated. IKE Phase 1 occurs in two modes: main mode or aggressive mode. These modes are explained in the following paragraphs.

IKE Phase 1.5 (optional): To further authenticate VPN participants (clients), you can use a protocol called Extended Authentication (Xauth) that provides user authentication of IPsec tunnels within the IKE protocol. Additionally, you can exchange other parameters between the peers. Mode configuration is used to deliver parameters such as the IP address and Domain Name System (DNS) address to the client.

IKE Phase 2: Phase 2 SAs are negotiated by the IKE process (ISAKMP) on behalf of other services such as IPsec that need key material for operation. Because the SAs that are used by IPsec are unidirectional, separate key exchanges are needed for data that is flowing in the forward direction and the reverse direction.
The two peers have already agreed upon the transform sets, hash methods, and other parameters during the Phase 1 negotiation. Quick mode is the method used for the Phase 2 SA negotiations. Figure 5-4 summarizes the IKE phases:

Figure 5-4, IKE Phases

To establish a secure communication channel between two peers, the IKE protocol uses these three modes of operation:

• Main Mode: In the main mode, an IKE session begins with the initiator sending a proposal or proposals to the responder. These proposals define which encryption and authentication protocols are acceptable, how long keys should remain active, and whether perfect forward secrecy (PFS) should be enforced. Multiple proposals can be sent in one offering. The first exchange between nodes establishes the basic security policy. The responder chooses the appropriate proposal and sends the proposal to the initiator. The next exchange passes DH public keys and other data. All further negotiation is encrypted within the IKE SA. The third exchange authenticates the ISAKMP session. Once the IKE SA is established, IPsec negotiation (quick mode) begins.

• Aggressive Mode: The aggressive mode squeezes the IKE SA negotiation into three packets, with all data that is required for the SA being passed by the initiator. The responder sends the proposal, keying material, and identification and authenticates the session in the next packet. The initiator replies by authenticating the session. Negotiation is quicker than in main mode, and the initiator and responder ID pass in plaintext. Aggressive mode is appropriate and should be used whenever devices are capable of handling main mode with no difficulty.

• Quick Mode: The quick mode IPsec negotiation is similar to an aggressive mode IKE negotiation, except negotiation must be protected within an IKE SA. Quick mode negotiates the SA for the data encryption and manages the key exchange for that IPsec SA.
If the responder rejects an aggressive mode proposal, the initiator can repeat the request in main mode. Figure 5-5 illustrates how an IKE negotiation results in the IPsec SAs that secure communication between the two peers.
Figure 5-5, IKE Negotiation

5.4.12 ESP and AH protocols, Transport, and Tunnel Modes:
These two IP protocols are used in the IPsec standard:
• ESP: The ESP header (IP protocol 50) forms the core of the IPsec protocol. In conjunction with an agreed-upon encryption method (transform set), ESP protects data by rendering it undecipherable. ESP protects only the data portion of the packet; the outer IP header is not covered. ESP can optionally also provide authentication of the protected data.
• AH: The other part of IPsec is formed by the AH protocol (IP protocol 51). AH does not protect data in the usual sense by hiding it, but by adding a tamper-evident seal to it. AH also protects fields in the IP header carrying the data, including the address fields, which is why AH cannot pass through Network Address Translation (NAT): rewriting an address invalidates the seal. AH should not be used alone when data confidentiality is required.

IPsec has two methods of forwarding data across a network, tunnel mode and transport mode, which differ in their application and in the amount of overhead added to the passenger packet:
• Tunnel mode: Tunnel mode works by encapsulating and protecting an entire IP packet. Because tunnel mode encapsulates (hides) the IP header of the packet, a new IP header must be added for the packet to be forwarded. The encrypting devices themselves own the IP addresses used in this new header; these addresses can be specified in the configuration of Cisco IOS routers. Tunnel mode can be used with ESP, with AH, or with both. Tunnel mode results in an additional packet expansion of approximately 20 bytes (the new IPv4 header).
• Transport mode: Because packet expansion can be a concern when forwarding small packets, a second forwarding method is also possible.
IPsec transport mode works by inserting the ESP header between the IP header and the next protocol (Transport layer) header of the packet. Both IP addresses of the two network nodes whose traffic is protected by IPsec remain visible, so this mode can be susceptible to traffic analysis. However, because no additional IP header is added, there is less packet expansion. Transport mode can be deployed with ESP, with AH, or with both. It works well with Generic Routing Encapsulation (GRE), because GRE already hides the addresses of the end stations by adding an IP header.

5.4.13 ESP and AH Header
AH authentication is achieved by applying a keyed one-way hash function to the packet, creating a hash or message digest. The hash is sent along with the text. Changes to any covered part of the packet during transit are detected by the receiver, which performs the same keyed hash over the received packet and compares the result with the message digest the sender supplied. Because the hash is keyed with a symmetric key shared by the two systems (an HMAC), a matching digest also proves that the packet came from a holder of that key, so origin authenticity is provided along with integrity.

ESP provides confidentiality by encrypting the payload. The default algorithm in the original IPsec specification is 56-bit DES, and Cisco products also support 3DES. Both are obsolete today: 56-bit DES can be brute-forced and 3DES is slow and deprecated, so AES (as used in the configuration later in this chapter) should be selected. ESP encryption by itself does not provide authentication or guarantee data integrity. ESP encryption with an authentication and data integrity service can be achieved in two ways:
• Authenticated ESP format
• Nested ESP within AH
With authenticated ESP, IPsec encrypts the payload using one symmetric key, then calculates an authentication value over the encrypted data using a second symmetric key and the HMAC-SHA1 or HMAC-MD5 algorithm (MD5 is no longer recommended). The ESP authentication value is appended to the end of the packet.
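The sender-side steps just described and the receiver-side check that follows, as an added Python example that is not part of this report: authenticated ESP with two separate keys (verify the ICV, then decrypt) next to AH's keyed hash with the mutable TTL zeroed. HMAC-SHA1 truncated to 96 bits is the standard ESP/AH integrity transform; the stand-in keystream cipher, the keys and the packet contents are assumptions made for the example, since the Python standard library offers no DES or AES.

```python
# Added example, not part of the original report: authenticated ESP
# (encrypt, then authenticate with a second key; ICV checked before any
# decryption) and AH (keyed hash over the datagram with the mutable TTL
# zeroed). HMAC-SHA1-96 is the ESP/AH integrity transform of RFC 2404.
# The standard library has no DES/AES, so an HMAC-SHA256 counter keystream
# stands in for the ESP cipher. Keys and packets are constructed sample data.
import hashlib
import hmac
import os
import struct

ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit digest truncated to 96 bits


def keystream_xor(enc_key, spi, seq, data):
    """Stand-in cipher (an assumption, not ESP's real transform): XOR the data
    with an HMAC-SHA256 counter keystream bound to the SPI and sequence number."""
    out = b""
    block = 0
    while len(out) < len(data):
        out += hmac.new(enc_key, struct.pack(">IIQ", spi, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


def esp_protect(enc_key, auth_key, spi, seq, payload):
    """Sender: encrypt with key 1, then HMAC over SPI|seq|ciphertext with
    key 2; the truncated ICV is appended after the encrypted data."""
    header = struct.pack(">II", spi, seq)
    ciphertext = keystream_xor(enc_key, spi, seq, payload)
    icv = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_unprotect(enc_key, auth_key, packet):
    """Receiver: recompute the ICV and compare in constant time; decrypt only
    on a match. Returns the plaintext, or None when the packet was altered."""
    header, ciphertext, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return None
    spi, seq = struct.unpack(">II", header)
    return keystream_xor(enc_key, spi, seq, ciphertext)


def ah_icv(auth_key, src, dst, ttl, payload):
    """AH: HMAC-SHA1-96 over source, destination and payload. TTL is a mutable
    field, so it is replaced by zero before hashing (ttl is accepted, ignored)."""
    covered = src.encode() + dst.encode() + bytes([0]) + payload
    return hmac.new(auth_key, covered, hashlib.sha1).digest()[:ICV_LEN]


def ah_verify(auth_key, src, dst, ttl, payload, icv):
    return hmac.compare_digest(ah_icv(auth_key, src, dst, ttl, payload), icv)


def demo():
    """Exercise both mechanisms on constructed data and report each check."""
    enc_key, auth_key = os.urandom(20), os.urandom(20)
    payload = b"branch report 2013-11-13"          # constructed payload
    pkt = esp_protect(enc_key, auth_key, 0x1001, 7, payload)
    tampered = bytearray(pkt)
    tampered[10] ^= 0x01                          # flip one ciphertext bit
    wrong_auth_key = os.urandom(20)
    icv = ah_icv(auth_key, "10.1.1.5", "10.2.2.9", 64, payload)
    return {
        "esp_roundtrip": esp_unprotect(enc_key, auth_key, pkt) == payload,
        "esp_tamper_rejected": esp_unprotect(enc_key, auth_key, bytes(tampered)) is None,
        "esp_wrong_auth_key_rejected": esp_unprotect(enc_key, wrong_auth_key, pkt) is None,
        # TTL decremented by routers in transit: the AH seal still verifies
        "ah_ttl_change_ok": ah_verify(auth_key, "10.1.1.5", "10.2.2.9", 60, payload, icv),
        # Source address rewritten (as NAT would do): the seal fails
        "ah_addr_change_rejected": not ah_verify(auth_key, "192.0.2.1", "10.2.2.9", 64, payload, icv),
    }
```

Running demo() returns one flag per check: an unmodified packet round-trips, a flipped ciphertext bit or a wrong authentication key is rejected before any decryption happens, and the AH seal survives the TTL decrement but not an address rewrite, which is the NAT incompatibility mentioned above.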
The recipient computes its own authentication value over the encrypted data using the second symmetric key and the same algorithm, and compares the result with the transmitted authentication value. Only if the values match does the recipient decrypt the encrypted portion of the packet with the first symmetric key and extract the original data; a packet whose authentication value does not match is discarded without being decrypted.

An ESP packet can also be nested within an AH packet. First, the payload is encrypted. Next, the encrypted packet is run through a keyed hash algorithm, MD5 or SHA-1, and the hash provides origin authentication and data integrity for the data payload. The figure shows nested ESP in AH using transport mode.

5.4.14 AH Authentication and Integrity:
The AH function is applied to the entire datagram, except for any mutable IP header fields that change in transit, such as the Time to Live (TTL) field, which is decremented by the routers along the transmission path. AH works as follows:
Step 1 The IP header and data payload are hashed.
Step 2 The hash is used to build an AH header, which is appended to the original packet.
Step 3 The new packet is transmitted to the IPsec peer router.
Step 4 The peer router hashes the IP header and data payload.
Step 5 The peer router extracts the transmitted hash from the AH header.
Step 6 The peer router compares the two hashes. The hashes must match exactly. Even if one bit is changed in the transmitted packet, the hash output on the received packet will change and the AH header will not match.
AH supports the MD5 and SHA-1 algorithms.

5.4.15 Site-to-Site IPsec VPN Operation:
The goal of IPsec is to protect data between peers by using the necessary security and encryption algorithms. IPsec operation can be broken down into five steps:
Step 1 Interesting traffic initiates the IPsec process: Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs protection.
Step 2 IKE Phase 1: IKE authenticates the IPsec peers and negotiates IKE SAs during this phase, setting up a secure communications channel for negotiating IPsec SAs in Phase 2.
Step 3 IKE Phase 2: IKE negotiates IPsec SA parameters and sets up matching IPsec SAs in the peers. These security parameters are used to protect the data and messages exchanged between the endpoints.
Step 4 Data transfer: Data is transferred between the IPsec peers based on the IPsec parameters and keys stored in the SA database.
Step 5 IPsec tunnel termination: IPsec SAs terminate through deletion or by timing out.

For every inbound and outbound datagram there are two choices: apply IPsec, or bypass IPsec and send the datagram in clear text. For every datagram protected by IPsec, the system administrator must specify the security services applied to it. The security policy database specifies the IPsec protocols, modes, and algorithms applied to the traffic, and IPsec then applies these services to traffic destined to each particular IPsec peer. With the VPN Client, menu windows are used to select the connections that IPsec should secure. When interesting traffic transits the IPsec client, the client initiates the next step in the process, an IKE Phase 1 exchange.

Step Two: IKE Phase 1
The purpose of IKE Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between them. IKE Phase 1 occurs in two modes: main mode and aggressive mode. Main mode has three two-way exchanges between the initiator and the responder:
• First exchange: The two peers negotiate and agree on which algorithms and hashes to use to secure the IKE communications.
• Second exchange: A Diffie-Hellman exchange generates shared secret keys and passes nonces (a nonce is a value used only once by a computer security system).
A random number sent by one party to the other, signed, and returned to the first party proves the second party's identity. Once created, the shared secret key is used to generate all the other encryption and authentication keys.
• Third exchange: In this exchange, each peer verifies the identity of the other side by authenticating the remote peer.
The outcome of main mode is a secure communication path for subsequent exchanges between the peers. Without proper authentication, you might establish a secure communication channel with an attacker who can then steal your sensitive material.

In aggressive mode, fewer exchanges take place with fewer packets. Most of the actions occur during the first exchange: IKE policy set negotiation; Diffie-Hellman public value generation; a nonce, which the other party signs; and an identity packet, which can be used to verify the identity of the other party via a third party. The receiver sends back everything needed to complete the exchange. The only action left after the first exchange is for the initiator to confirm the exchange.

Matching IKE Policies
When a secure connection is being made between Host A and Host B through the Internet, IKE security proposals are exchanged between Router A and Router B. The proposals identify the IPsec protocol being negotiated (for example, Encapsulating Security Payload [ESP]). Under each proposal, the originator must delineate which algorithms are used (for example, Data Encryption Standard [DES] with Message Digest 5 [MD5], both of which are obsolete today). Rather than negotiate each algorithm individually, the algorithms are grouped into sets called IKE transform sets. A transform set describes which encryption algorithm, authentication algorithm, mode, and key length are proposed. These IKE proposals and transform sets are exchanged during the first exchange of IKE main mode. If a transform set match is found between the peers, main mode continues.
If no match is found, the tunnel is torn down. In a point-to-point application, each end may only need a single IKE policy defined. However, in a hub-and-spoke environment, the central site may require multiple IKE policies to satisfy all the remote peers.

DH Key Exchange
Diffie-Hellman key exchange is a public key exchange method that provides a way for two peers to establish a shared secret key over an insecure communications path. Several different Diffie-Hellman algorithms, called groups, are defined (Diffie-Hellman Groups 1 through 7). A group number defines an algorithm and its unique values. For example, Group 1 defines a modular exponentiation (MODP) algorithm with a 768-bit prime number, and Group 2 defines a MODP algorithm with a 1024-bit prime number. During IKE Phase 1, the group is negotiated between the peers. The source material lists Group 1 or Group 2 as the groups supported between Cisco VPN devices; both are considered too weak today, and current platforms support larger groups, so Group 14 (2048-bit MODP) or stronger should be chosen where the equipment allows.

After the group negotiation is completed, the Diffie-Hellman shared secret is calculated. From that secret, the exchanged nonces and the authentication material (for example the pre-shared key), the base key SKEYID is derived, and SKEYID in turn is used to derive three other keys: SKEYID_a, SKEYID_e, and SKEYID_d. Each key has a separate purpose. SKEYID_a is the keying material used during the authentication process, SKEYID_e is the keying material used in the encryption process, and SKEYID_d is the keying material used to derive keys for non-Internet Security Association and Key Management Protocol (non-ISAKMP) SAs. All four keys are calculated during IKE Phase 1.

Authenticate Peer Identity
When conducting business over the Internet, the device on the other end of a VPN tunnel must be authenticated before the communications path is considered secure. The last exchange of IKE Phase 1 authenticates the remote peer. There are three methods of peer authentication:
• Pre-shared keys: A secret key value is entered into each peer manually and used to authenticate the peers.
• RSA signatures: Digital certificates are exchanged to authenticate the peers.
• RSA encrypted nonces: Nonces are encrypted and then exchanged between peers. The two nonces are used during the peer authentication process.

Step Three: IKE Phase 2
The purpose of IKE Phase 2 is to negotiate the IPsec security parameters that will be used to secure the IPsec tunnel. IKE Phase 2 performs these functions:
• Negotiates IPsec security parameters and IPsec transform sets
• Establishes IPsec SAs
• Periodically renegotiates IPsec SAs to ensure security
• Optionally, performs an additional Diffie-Hellman exchange (perfect forward secrecy)
IKE Phase 2 has one mode, called quick mode. Quick mode occurs after IKE has established the secure tunnel in Phase 1. Quick mode negotiates a shared IPsec transform, derives the shared secret keying material used for the IPsec security algorithms, and establishes the IPsec SAs. Quick mode exchanges nonces that are used to generate new shared secret key material and to prevent the replay attacks that could otherwise create bogus SAs. Quick mode is also used to renegotiate a new IPsec SA when the IPsec SA lifetime expires; it refreshes the keying material from which the shared secret key is derived, based on the key material from the Diffie-Hellman exchange in Phase 1 (or from a fresh exchange when PFS is enabled).

IPsec Transform Sets
The ultimate goal of IKE Phase 2 is to establish a secure IPsec session between the endpoints. Before the session can be established, each pair of endpoints negotiates the level of security required (for example, the encryption and authentication algorithms for the session). Rather than negotiate each protocol individually, the protocols are grouped into an IPsec transform set. IPsec transform sets are exchanged between the peers during quick mode. If a match is found between the sets, IPsec session establishment continues; if no match is found, the session is torn down.

Security Associations
When two peers agree on which security services they will use, each VPN peer device enters the information in a Security Policy Database (SPD).
The information in the SPD includes the encryption and authentication algorithms, the destination IP address, the mode (tunnel or transport), the key lifetime, and any other security information. This information is referred to as the SA. An SA is a one-way logical connection that provides security to all traffic traversing the connection. Because most traffic is bidirectional, two SAs are required: one for inbound traffic and one for outbound traffic. The VPN device indexes each SA with a number called the Security Parameter Index (SPI). Rather than sending the individual parameters of the SA across the tunnel, the source gateway or host inserts the SPI into the ESP header. When the IPsec peer receives the packet, it looks up the destination IP address, IPsec protocol, and SPI in its security association database (SAD) and then processes the packet according to the algorithms listed under the SPD. The IPsec SA is thus a compilation of the SAD and the SPD: the SAD identifies the SA by destination IP address, IPsec protocol, and SPI number, and the SPD defines the security services applied to the SA, namely the encryption and authentication algorithms, the mode, and the key lifetime.

SA Lifetime
To maintain adequate security, the SA and its keys must be changed periodically. An SA lifetime has two parameters: its type and its value. The type determines the unit of measure, either kilobytes of data or seconds of time; the value sets the limit. For example, a lifetime could be based on 10,000 kilobytes of data transmitted or 28,800 seconds of time elapsed. The keys and SAs remain active until the configured lifetime expires or until some external event, such as the client dropping the tunnel, causes them to be deleted.
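The Phase 1 material above (DH group 2, the SKEYID family, pre-shared-key authentication) and the aggressive mode caveat from the earlier discussion of IKE modes, as an added Python example that is not part of this report. It follows RFC 2409: SKEYID from the pre-shared key and the nonces, SKEYID_d, SKEYID_a and SKEYID_e from the DH shared secret, and HASH_R as the responder's proof of identity. The cookies, nonces, identity and SA payloads and the wordlist are constructed; the pre-shared key "SeCrEt" is the one the configuration example later in this chapter uses, reused here to show how quickly a guessable key falls.

```python
# Added example, not part of the original report: the IKE Phase 1 key
# derivation of RFC 2409 with pre-shared-key authentication and DH group 2
# (the 1024-bit MODP prime of RFC 2409 section 6.2), HMAC-SHA1 as the prf,
# followed by the offline dictionary attack that aggressive mode allows.
# Cookies, nonces, identities, the SA payload and the candidate password
# list are constructed sample data.
import hashlib
import hmac
import secrets

P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GENERATOR = 2


def prf(key, data):
    """The negotiated prf: HMAC-SHA1 when the ISAKMP policy selects SHA."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p (a 256-bit x is ample
    for a 1024-bit group and keeps the example fast)."""
    x = secrets.randbits(256) | 1
    return x, pow(GENERATOR, x, P_GROUP2)


def i2b(n):
    return n.to_bytes(128, "big")      # group values are 1024 bits wide


def skeyid_from_psk(psk, ni, nr):
    """RFC 2409 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def derive_skeyid_dae(skeyid, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID_d, SKEYID_a and SKEYID_e in that order."""
    d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    a = prf(skeyid, d + gxy + cky_i + cky_r + b"\x01")
    e = prf(skeyid, a + gxy + cky_i + cky_r + b"\x02")
    return d, a, e


def hash_r(skeyid, gxr, gxi, cky_r, cky_i, sai_b, idir_b):
    """Responder's authentication hash. Note that g^xy is not an input:
    apart from SKEYID, every term is sent on the wire."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def aggressive_mode(psk):
    """Run the exchange between two peers. Returns what a passive observer
    sees plus the SKEYID_e each side derived (to check they agree)."""
    xi, gxi = dh_keypair()
    xr, gxr = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    sai_b = b"\x00\x00\x00\x01aes-sha1-psk-group2"             # constructed SA payload
    idir_b = b"\x01\x00\x00\x00" + bytes([203, 0, 113, 2])      # ID_IPV4_ADDR, assumed
    skeyid_i = skeyid_from_psk(psk, ni, nr)      # each side from the shared PSK
    skeyid_r = skeyid_from_psk(psk, ni, nr)
    gxy_i = i2b(pow(gxr, xi, P_GROUP2))
    gxy_r = i2b(pow(gxi, xr, P_GROUP2))
    _, _, e_i = derive_skeyid_dae(skeyid_i, gxy_i, cky_i, cky_r)
    _, _, e_r = derive_skeyid_dae(skeyid_r, gxy_r, cky_i, cky_r)
    observed = {   # message 2 of aggressive mode carries HASH_R unencrypted
        "gxi": i2b(gxi), "gxr": i2b(gxr), "ni": ni, "nr": nr,
        "cky_i": cky_i, "cky_r": cky_r, "sai_b": sai_b, "idir_b": idir_b,
        "hash_r": hash_r(skeyid_r, i2b(gxr), i2b(gxi), cky_r, cky_i, sai_b, idir_b),
    }
    return {"observed": observed, "skeyid_e_initiator": e_i, "skeyid_e_responder": e_r}


def crack_psk(observed, wordlist):
    """Offline dictionary attack on a captured aggressive mode exchange:
    recompute HASH_R for each candidate key and compare. No DH needed."""
    o = observed
    for cand in wordlist:
        guess = skeyid_from_psk(cand, o["ni"], o["nr"])
        h = hash_r(guess, o["gxr"], o["gxi"], o["cky_r"], o["cky_i"], o["sai_b"], o["idir_b"])
        if hmac.compare_digest(h, o["hash_r"]):
            return cand
    return None
```

crack_psk needs only the values visible on the wire in aggressive mode, which is why main mode (where HASH_I and HASH_R travel encrypted under SKEYID_e) is preferred whenever the peers can use it, and why a pre-shared key must be long and random if aggressive mode cannot be avoided.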
5.4.16 IPsec Tunnel Operation:
The last two steps in IPsec involve transferring the data and then closing the connection.
Data Transfer: After IKE Phase 2 is complete and quick mode has established the IPsec SAs, traffic is exchanged between Host A and Host B via a secure tunnel.
IPsec Tunnel Termination: IPsec SAs terminate through deletion or by timing out. An SA can time out when a specified number of seconds has elapsed or when a specified number of bytes have passed through the tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPsec SAs are needed for a flow, IKE performs a new Phase 2 and, if necessary, a new Phase 1 negotiation. A successful negotiation results in new SAs and new keys. New SAs are usually established before the existing SAs expire so that a given flow can continue uninterrupted.

5.4.17 Configuring a Site-to-Site IPsec VPN:
The following steps are required to configure a site-to-site IPsec VPN:
Step 1 Configure the ISAKMP policy required to establish an IKE tunnel.
Step 2 Define the IPsec transform set. The transform set defines the parameters for the IPsec tunnel, such as the encryption and integrity algorithms.
Step 3 Create a crypto access control list (ACL). The crypto ACL identifies the traffic to be forwarded through the IPsec tunnel.
Step 4 Create a crypto map. The crypto map combines the previously configured parameters and defines the IPsec peer device.
Step 5 Apply the crypto map to the outgoing interface of the VPN device.
Step 6 Configure an ACL and apply it to the interface. Typically, edge routers are configured with restrictive ACLs that could inadvertently block the IKE or IPsec protocols.

Step 1: Establish an IKE Policy
The first step in configuring a site-to-site IPsec VPN is establishing an ISAKMP policy.
Various IKE policy parameters can be configured, including the key distribution method, encryption algorithm, hash algorithm, authentication method, key exchange (DH group), and IKE security association lifetime. Figure 5-6 displays a sample configuration of the ISAKMP parameters. In the example, the key parameters configured are pre-shared authentication, SHA hashing, AES encryption, and DH group 2. Also, the ISAKMP key "SeCrEt" has been configured and associated with the IPsec peer. A pre-shared key of this kind is only as strong as its resistance to guessing; in production it should be long and random, or replaced by certificate-based authentication.
Figure 5-6, Configuring ISAKMP Parameters
Note: Only values other than the defaults must be configured. Default and configured values can be verified using the show crypto isakmp policy command.

Steps 2, 3, and 4: Define a Crypto Map
Figure 5-7 displays the next three steps: configuring an IPsec transform set, a crypto access list, and a crypto map. The configuration defines the crypto ACL, whose "permit" entries select the traffic that should be sent into the IPsec tunnel. Packets that do not match are not encrypted, but they are not dropped either.
Figure 5-7, Defining a Crypto Map
Note: Traffic that does not match the crypto ACL (that is, traffic that is not interesting and should not be sent through the IPsec tunnel) is not simply dropped; it is forwarded according to the normal routing policy. A "permit" in a crypto ACL therefore means "protect", not "allow".
The transform set AES-SHA configures the IPsec parameters. Crypto map entries created for IPsec combine the various parts used to set up IPsec SAs, including the following:
• Which traffic should be protected by IPsec (per a crypto ACL)
• The granularity of the flow to be protected by a set of SAs
• Where IPsec-protected traffic should be sent (who the remote IPsec peer is)
• The local address to use for the IPsec traffic (optional)
• What IPsec security should be applied to this traffic (selecting from a list of one or more transform sets)
After the parameters are defined, they are combined in the crypto map configuration.
The crypto map (for example, VPN_To_R2) maps the configured ACL 101 to the transform set (AES-SHA). Additionally, the map defines the IP address of the IPsec peer. Crypto map entries with the same crypto map name (but different map sequence numbers) are grouped into a crypto map set.

Step 5: Apply the Crypto Map to the Interface
Apply the crypto map to the outgoing interface of the VPN tunnel. All IP traffic passing through the interface where the crypto map is applied is evaluated against the applied crypto map set. If a crypto map entry identifies outbound IP traffic that should be protected and the crypto map specifies the use of IKE, an SA is negotiated with the remote peer according to the parameters listed in the crypto map entry. See Figure 5-8. The example also includes a static route configuration for packets that are to be sent into the tunnel.
Figure 5-8, Applying the Crypto Map to the Interface

Step 6: Apply an ACL to the Interface
As previously mentioned, edge routers are configured with restrictive ACLs that usually permit only VPN traffic into the internal network; all other traffic is denied. In this case only the IPsec protocols (IP protocol 50 for ESP and/or IP protocol 51 for Authentication Header [AH]) and IKE (User Datagram Protocol [UDP] port 500) need to be permitted. The example in Figure 5-8 displays part of ACL 102, which permits only the AH, ESP, and ISAKMP protocols. The protocol keyword esp equals the ESP protocol (number 50), the keyword ahp equals the AH protocol (number 51), and the isakmp port keyword equals UDP port 500. Figure 5-9 shows the configuration of the ACLs.
Figure 5-9, Access Lists Configuration
If any dynamic routing is done on the interface, ensure that the routing protocol traffic is also permitted. Likewise, if other types of traffic are allowed inbound on the interface, the ACL will require the appropriate statements.
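Steps 3 to 6 as one added Python model, not part of this report and not the router's own code: the crypto ACL decides what is protected, the crypto map says where and how, and the interface ACL decides what the edge accepts. The report's figures are not reproduced here, so the LAN prefixes 10.1.1.0/24 and 10.2.2.0/24 and the peer addresses 203.0.113.1 (local) and 203.0.113.2 (remote) are assumptions; the IOS commands in the comments are standard syntax written for those assumed values, not copied from the figures.

```python
# Added example, not part of the original report: a model of how the crypto
# ACL, crypto map and interface ACL of Steps 3 to 6 decide what happens to a
# packet. LAN prefixes and peer addresses are assumptions (the figures with
# the real values are not reproduced). IOS lines in comments are the
# standard syntax for those assumed values, given for orientation only.
import ipaddress
from dataclasses import dataclass

#   access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
CRYPTO_ACL_101 = [(ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.2.0/24"))]

#   crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
#   crypto map VPN_To_R2 10 ipsec-isakmp
#    set peer 203.0.113.2
#    set transform-set AES-SHA
#    match address 101
CRYPTO_MAP = {"name": "VPN_To_R2", "seq": 10, "peer": "203.0.113.2",
              "transform_set": "AES-SHA", "match_address": CRYPTO_ACL_101}

#   access-list 102 permit esp host 203.0.113.2 host 203.0.113.1
#   access-list 102 permit ahp host 203.0.113.2 host 203.0.113.1
#   access-list 102 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
#   access-list 102 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
# Entries are (proto, src, dst, dport); dport None means any. Implicit deny at the end.
EDGE_ACL_102 = [
    ("esp", "203.0.113.2", "203.0.113.1", None),
    ("ahp", "203.0.113.2", "203.0.113.1", None),
    ("udp", "203.0.113.2", "203.0.113.1", 500),    # IKE (isakmp)
    ("udp", "203.0.113.2", "203.0.113.1", 4500),   # NAT-T (non500-isakmp)
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"    # "ip", "tcp", "udp", "esp", "ahp", "ospf", ...
    dport: int = 0


def is_interesting(pkt, crypto_acl):
    """Crypto ACL match: a 'permit' means 'protect this flow', not 'allow it'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in crypto_acl)


def outbound_decision(pkt, crypto_map=CRYPTO_MAP):
    """Step 5 behaviour on the interface that carries the crypto map."""
    if is_interesting(pkt, crypto_map["match_address"]):
        return ("protect", crypto_map["peer"], crypto_map["transform_set"])
    return ("clear", None, None)    # no match: routed normally, NOT dropped


def inbound_permitted(pkt, acl=EDGE_ACL_102):
    """Step 6: the restrictive interface ACL. Anything not listed, routing
    protocol traffic included, is silently denied."""
    for proto, src, dst, dport in acl:
        if (pkt.proto == proto and pkt.src == src and pkt.dst == dst
                and (dport is None or dport == pkt.dport)):
            return True
    return False


def audit_edge_acl(acl=EDGE_ACL_102, peer="203.0.113.2", local="203.0.113.1"):
    """Pre-deployment check for the pitfall named in Step 6: returns the
    tunnel-related packets (IKE, NAT-T, ESP from the peer) the ACL would drop."""
    required = [Packet(peer, local, "udp", 500), Packet(peer, local, "udp", 4500),
                Packet(peer, local, "esp")]
    return [p for p in required if not inbound_permitted(p, acl)]
```

audit_edge_acl is the check to run before applying a restrictive ACL: an empty result means IKE (UDP 500), NAT-T (UDP 4500) and ESP from the peer all get through; anything it returns is a tunnel that will never come up. outbound_decision makes the other point of this section explicit: traffic outside the crypto ACL leaves the router in the clear rather than being dropped.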
The IPsec Network Address Translation Traversal (NAT-T) feature is required for passing IPsec traffic through devices that use NAT or Port Address Translation (PAT), since ESP carries no port numbers for the translator to rewrite. NAT-T works by wrapping (encapsulating) the IPsec packet in a UDP header; the encapsulated traffic uses UDP port 4500, so additional ACL entries are required when NAT-T is in use. Use the following steps to add them:
Step 1 Examine the current ACL configuration at the perimeter router to determine whether the ACL will block the IPsec traffic.
Step 2 Add ACL entries to permit the IPsec traffic (including UDP port 4500 for NAT-T). To do this, copy the existing ACL configuration into a text editor, complete the revisions, and put the ACL back into the configuration.

5.4.18 Using IPsec VPNs in the Bank Network:
If the bank chooses DSL as its WAN technology, two main requirements must be met. The first is the DSL modem, which must match the type of DSL service the bank will use. Typically the bank will use SHDSL, since its upload speed equals its download speed: the bank's network traffic is bidirectional and requires the same bandwidth in both directions, and the required speed is 1 Mb/s, for which SHDSL is well suited. The second requirement is public IP addresses. When DSL is used as the WAN technology, the traffic of the company or bank passes through the Internet, so public IP addresses are required, one per branch, rented from the ISP. Traffic that passes through the Internet is exposed: without strong authentication and encryption, a third party can intercept the data transmitted between the branches or attempt to intrude into the bank's network. To prevent this, a VPN should be used.
VPN, as the name indicates, is a technique that turns the insecure Internet into a network whose security is comparable to a private network. The bank network will use the features of IPsec to build the required VPN tunnels; IPsec provides strong encryption and authentication mechanisms. The full configuration of the central branch and Aden branch routers in appendix B shows how the VPN is implemented.

5.5 Using Frame Relay and ISDN:
Using Frame Relay as the primary WAN technology keeps the bank's traffic off the public Internet, which removes the exposure described above, and allows private IP addresses to be used between the remote branches, so no public IP addresses need to be bought from the ISP. This reduces costs significantly. Note, however, that Frame Relay itself provides no encryption: the carrier's network still carries the branch traffic in the clear, so IPsec over the Frame Relay PVCs remains advisable for sensitive banking data. ISDN will be used as a backup technology in case of Frame Relay failure.

5.6 Frame Relay:
Frame Relay is a high-performance WAN protocol that operates at the physical and data link layers of the OSI reference model. Frame Relay was originally designed for use across Integrated Services Digital Network (ISDN) interfaces; today it is used over a variety of other network interfaces as well. This section focuses on Frame Relay's specifications and applications in the context of WAN services.

Frame Relay is an example of a packet-switched technology. Packet-switched networks enable end stations to dynamically share the network medium and the available bandwidth. Two techniques are used in packet-switching technology:
• Variable-length packets
• Statistical multiplexing
Variable-length packets are used for more efficient and flexible data transfers. These packets are switched between the various segments in the network until the destination is reached. Statistical multiplexing techniques control network access in a packet-switched network; the advantage of this technique is that it accommodates more flexibility and more efficient use of bandwidth.
Most of today's popular LANs, such as Ethernet and Token Ring, are packet-switched networks. Frame Relay is often described as a streamlined version of X.25, offering fewer of the robust capabilities, such as windowing and retransmission of lost data, that X.25 provides. This is because Frame Relay typically operates over WAN facilities that are far more reliable than the facilities available during the late 1970s and early 1980s, which served as the common platforms for X.25 WANs. As mentioned earlier, Frame Relay is strictly a Layer 2 protocol suite, whereas X.25 provides services at Layer 3 (the network layer) as well. This enables Frame Relay to offer higher performance and greater transmission efficiency than X.25, and makes Frame Relay suitable for current WAN applications, such as LAN interconnection.

5.6.1 Frame Relay Standardization
Initial proposals for the standardization of Frame Relay were presented to the Consultative Committee on International Telephone and Telegraph (CCITT) in 1984. Because of a lack of interoperability and of complete standardization, however, Frame Relay did not see significant deployment during the late 1980s. A major development in Frame Relay's history occurred in 1990, when Cisco, Digital Equipment Corporation (DEC), Northern Telecom, and StrataCom formed a consortium to focus on Frame Relay technology development. This consortium developed a specification that conformed to the basic Frame Relay protocol being discussed in CCITT, but extended the protocol with features that provide additional capabilities for complex internetworking environments. These Frame Relay extensions are referred to collectively as the Local Management Interface (LMI). Since the consortium's specification was developed and published, many vendors have announced their support of this extended Frame Relay definition.
ANSI and CCITT have subsequently standardized their own variations of the original LMI specification, and these standardized specifications are now more commonly used than the original version. Internationally, Frame Relay was standardized by the International Telecommunication Union Telecommunication Standardization Sector (ITU-T). In the United States, Frame Relay is an American National Standards Institute (ANSI) standard.

5.6.2 Frame Relay Devices
Devices attached to a Frame Relay WAN fall into two general categories:
• Data terminal equipment (DTE)
• Data circuit-terminating equipment (DCE)
DTEs are generally considered to be terminating equipment for a specific network and are typically located on the premises of a customer; in fact, they may be owned by the customer. Examples of DTE devices are terminals, personal computers, routers, and bridges. DCEs are carrier-owned internetworking devices. The purpose of DCE equipment is to provide clocking and switching services in a network; these are the devices that actually transmit data through the WAN. In most cases, they are packet switches. Figure 5-10 shows the relationship between the two categories of devices.
Figure 5-10 DCEs Generally Reside Within Carrier-Operated WANs
The connection between a DTE device and a DCE device consists of both a physical layer component and a link layer component. The physical component defines the mechanical, electrical, functional, and procedural specifications for the connection between the devices. One of the most commonly used physical layer interface specifications is the recommended standard (RS)-232 specification. The link layer component defines the protocol that establishes the connection between the DTE device, such as a router, and the DCE device, such as a switch. The rest of this section examines the link layer protocol used here: the Frame Relay protocol.
5.6.3 Frame Relay Virtual Circuits
Frame Relay provides connection-oriented data link layer communication. This means that a defined communication exists between each pair of devices and that these connections are associated with a connection identifier. This service is implemented by using a Frame Relay virtual circuit, which is a logical connection created between two data terminal equipment (DTE) devices across a Frame Relay packet-switched network (PSN). Virtual circuits provide a bidirectional communication path from one DTE device to another and are uniquely identified by a data-link connection identifier (DLCI). A number of virtual circuits can be multiplexed into a single physical circuit for transmission across the network. This capability often reduces the equipment and network complexity required to connect multiple DTE devices. A virtual circuit can pass through any number of intermediate DCE devices (switches) located within the Frame Relay PSN. Frame Relay virtual circuits fall into two categories: switched virtual circuits (SVCs) and permanent virtual circuits (PVCs).

Switched Virtual Circuits
Switched virtual circuits (SVCs) are temporary connections used in situations requiring only sporadic data transfer between DTE devices across the Frame Relay network. A communication session across an SVC consists of four operational states:
• Call setup: The virtual circuit between two Frame Relay DTE devices is established.
• Data transfer: Data is transmitted between the DTE devices over the virtual circuit.
• Idle: The connection between the DTE devices is still active, but no data is transferred. If an SVC remains idle for a defined period of time, the call can be terminated.
• Call termination: The virtual circuit between the DTE devices is terminated.
After the virtual circuit is terminated, the DTE devices must establish a new SVC if there is additional data to be exchanged.
SVCs are established, maintained, and terminated using the same signaling protocols used in ISDN. Few manufacturers of early Frame Relay DCE equipment supported switched virtual circuit connections, so SVCs were rarely deployed in Frame Relay networks; support has since become more widespread, and companies have found that SVCs can save money because the circuit is not open all the time.

Permanent Virtual Circuits
Permanent virtual circuits (PVCs) are permanently established connections used for frequent and consistent data transfers between DTE devices across the Frame Relay network. Communication across a PVC does not require the call setup and termination states used with SVCs. PVCs always operate in one of two operational states:
• Data transfer: Data is transmitted between the DTE devices over the virtual circuit.
• Idle: The connection between the DTE devices is active, but no data is transferred.
Unlike SVCs, PVCs are not terminated when idle. DTE devices can begin transferring data whenever they are ready because the circuit is permanently established.

5.6.4 Data-Link Connection Identifier
Frame Relay virtual circuits are identified by data-link connection identifiers (DLCIs). DLCI values are typically assigned by the Frame Relay service provider (for example, the telephone company). Frame Relay DLCIs have local significance, which means that a value is unique only on the access link between a DTE and its DCE, not across the whole Frame Relay WAN: the two ends of one virtual circuit may use different DLCIs, and two different DTEs may use the same DLCI for unrelated circuits. Figure 5-11 illustrates how two different DTE devices can be assigned the same DLCI value within one Frame Relay WAN.
Figure 5-11 A Single Frame Relay Virtual Circuit Can Be Assigned Different DLCIs on Each End of a VC

5.6.5 Congestion-Control Mechanisms

Frame Relay reduces network overhead by implementing simple congestion-notification mechanisms rather than explicit, per-virtual-circuit flow control. Frame Relay typically is implemented on reliable network media, so data integrity is not sacrificed because flow control can be left to higher-layer protocols. Frame Relay implements two congestion-notification mechanisms:
• Forward-explicit congestion notification (FECN)
• Backward-explicit congestion notification (BECN)
FECN and BECN are each controlled by a single bit contained in the Frame Relay frame header. The Frame Relay frame header also contains a Discard Eligibility (DE) bit, which is used to identify less important traffic that can be dropped during periods of congestion.

The FECN bit is part of the Address field in the Frame Relay frame header. The FECN mechanism is initiated when a DTE device sends Frame Relay frames into the network. If the network is congested, DCE devices (switches) set the value of the frames' FECN bit to 1. When the frames reach the destination DTE device, the Address field (with the FECN bit set) indicates that the frame experienced congestion in the path from source to destination. The DTE device can relay this information to a higher-layer protocol for processing. Depending on the implementation, flow control may be initiated, or the indication may be ignored.

The BECN bit is part of the Address field in the Frame Relay frame header. DCE devices set the value of the BECN bit to 1 in frames traveling in the opposite direction of frames with their FECN bit set. This informs the receiving DTE device that a particular path through the network is congested. The DTE device then can relay this information to a higher-layer protocol for processing. Depending on the implementation, flow control may be initiated, or the indication may be ignored.
Frame Relay Discard Eligibility

The Discard Eligibility (DE) bit is used to indicate that a frame has lower importance than other frames. The DE bit is part of the Address field in the Frame Relay frame header. DTE devices can set the value of the DE bit of a frame to 1 to indicate that the frame has lower importance than other frames. When the network becomes congested, DCE devices will discard frames with the DE bit set before discarding those that do not. This reduces the likelihood of critical data being dropped by Frame Relay DCE devices during periods of congestion.

5.6.6 Frame Relay Error Checking

Frame Relay uses a common error-checking mechanism known as the cyclic redundancy check (CRC). The CRC compares two calculated values to determine whether errors occurred during the transmission from source to destination. Frame Relay reduces network overhead by implementing error checking rather than error correction. Frame Relay typically is implemented on reliable network media, so data integrity is not sacrificed because error correction can be left to higher-layer protocols running on top of Frame Relay.

5.6.7 Frame Relay Local Management Interface

The Local Management Interface (LMI) is a set of enhancements to the basic Frame Relay specification. The LMI was developed in 1990 by Cisco Systems, StrataCom, Northern Telecom, and Digital Equipment Corporation. It offers a number of features (called extensions) for managing complex internetworks. Key Frame Relay LMI extensions include global addressing, virtual circuit status messages, and multicasting. The LMI global addressing extension gives Frame Relay data-link connection identifier (DLCI) values global rather than local significance. DLCI values become DTE addresses that are unique in the Frame Relay WAN. The global addressing extension adds functionality and manageability to Frame Relay internetworks.
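The address-field bits described in 5.6.4 and 5.6.5 (DLCI, FECN, BECN, DE) and the FCS check of 5.6.6, worked through as an added Python example; this is not code from the project or its appendix. The frame bytes are constructed, the FCS is the 16-bit HDLC/Q.922 CRC, and dce_forward is a simplified model of the DCE behaviour the text describes.

```python
"""Decode the two-byte Frame Relay (Q.922) address field and verify the FCS.

Added example; not part of the original project text. Frame bytes below are
constructed for illustration. Two-byte address field layout (bit 7..0):
  byte 0: DLCI[9:4] (6 bits) | C/R | EA=0
  byte 1: DLCI[3:0] (4 bits) | FECN | BECN | DE | EA=1
"""
from __future__ import annotations
from dataclasses import dataclass


def fcs16(data: bytes) -> int:
    """HDLC/Q.922 16-bit FCS (CRC-16/X-25): init 0xFFFF, reflected poly 0x8408, final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


@dataclass
class FrameRelayHeader:
    dlci: int
    cr: bool
    fecn: bool
    becn: bool
    de: bool


def build_frame(dlci: int, payload: bytes, fecn=False, becn=False, de=False, cr=False) -> bytes:
    """Encode address field + payload and append the FCS (low byte first, as HDLC/PPP do).
    The 0x7E flags are left to the physical framing layer."""
    if not 0 <= dlci <= 1023:
        raise ValueError("a 2-byte address field carries a 10-bit DLCI")
    b0 = (((dlci >> 4) & 0x3F) << 2) | (int(cr) << 1)           # EA=0: address continues
    b1 = ((dlci & 0x0F) << 4) | (int(fecn) << 3) | (int(becn) << 2) | (int(de) << 1) | 1
    body = bytes([b0, b1]) + payload
    crc = fcs16(body)
    return body + bytes([crc & 0xFF, crc >> 8])


def parse_frame(frame: bytes) -> tuple[FrameRelayHeader, bytes]:
    """Verify the FCS, then decode the address field. Raises ValueError on a bad frame;
    Frame Relay only detects errors, it does not retransmit (5.6.6)."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, fcs_bytes = frame[:-2], frame[-2:]
    if fcs16(body) != (fcs_bytes[0] | (fcs_bytes[1] << 8)):
        raise ValueError("FCS mismatch: frame corrupted in transit, discard it")
    b0, b1 = body[0], body[1]
    if (b0 & 1) or not (b1 & 1):
        raise ValueError("unexpected EA bits: not a 2-byte address field")
    hdr = FrameRelayHeader(
        dlci=((b0 >> 2) << 4) | (b1 >> 4),
        cr=bool(b0 & 0x02),
        fecn=bool(b1 & 0x08),
        becn=bool(b1 & 0x04),
        de=bool(b1 & 0x02),
    )
    return hdr, body[2:]


def dce_forward(frames, congested: bool):
    """Simplified model of a congested DCE (5.6.5): frames with DE set are dropped first,
    surviving frames are re-emitted with FECN=1. Returns (forwarded_frames, dropped_dlcis)."""
    forwarded, dropped = [], []
    for frame in frames:
        hdr, payload = parse_frame(frame)
        if congested and hdr.de:
            dropped.append(hdr.dlci)
            continue
        if congested:
            frame = build_frame(hdr.dlci, payload, fecn=True, becn=hdr.becn, de=hdr.de, cr=hdr.cr)
        forwarded.append(frame)
    return forwarded, dropped
```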
Individual network interfaces and the end nodes attached to them, for example, can be identified by using standard address-resolution and discovery techniques. In addition, the entire Frame Relay network appears to be a typical LAN to routers on its periphery. LMI virtual circuit status messages provide communication and synchronization between Frame Relay DTE and DCE devices. These messages are used to periodically report on the status of PVCs, which prevents data from being sent into black holes (that is, over PVCs that no longer exist). The LMI multicasting extension allows multicast groups to be assigned. Multicasting saves bandwidth by allowing routing updates and address-resolution messages to be sent only to specific groups of routers. The extension also transmits reports on the status of multicast groups in update messages.

Figure 5-12 A Simple Frame Relay Network Connects Various Devices to Different Services over a WAN

5.6.8 Frame Relay Network Implementation

A common private Frame Relay network implementation is to equip a T1 multiplexer with both Frame Relay and non-Frame Relay interfaces. Frame Relay traffic is forwarded out the Frame Relay interface and onto the data network. Non-Frame Relay traffic is forwarded to the appropriate application or service, such as a private branch exchange (PBX) for telephone service or to a video-teleconferencing application. A typical Frame Relay network consists of a number of DTE devices, such as routers, connected to remote ports on multiplexer equipment via traditional point-to-point services such as T1, fractional T1, or 56-Kb circuits. An example of a simple Frame Relay network is shown in Figure 5-12. The majority of Frame Relay networks deployed today are provisioned by service providers that intend to offer transmission services to customers. This is often referred to as a public Frame Relay service. Frame Relay is implemented in both public carrier-provided networks and in private enterprise networks.
The following section examines the two methodologies for deploying Frame Relay.

5.6.9 Public Carrier-Provided Networks

In public carrier-provided Frame Relay networks, the Frame Relay switching equipment is located in the central offices of a telecommunications carrier. Subscribers are charged based on their network use but are relieved from administering and maintaining the Frame Relay network equipment and service. Generally, the DCE equipment also is owned by the telecommunications provider. DTE equipment either will be customer-owned or perhaps will be owned by the telecommunications provider as a service to the customer. The majority of today's Frame Relay networks are public carrier-provided networks.

5.6.10 Private Enterprise Networks

More frequently, organizations worldwide are deploying private Frame Relay networks. In private Frame Relay networks, the administration and maintenance of the network are the responsibilities of the enterprise (a private company). All the equipment, including the switching equipment, is owned by the customer.

5.7 ISDN

Normally the user is connected to the network by analog lines. The signals are then digitized, and inside the network all communication is digital. ISDN (Integrated Services Digital Network) brings the digital network to the individual user. Thus, the same twisted-pair copper telephone line that could traditionally carry only one voice, one computer or one fax "communication" can now carry as many as three separate "connections" at the same time, through the same line. ISDN is the "magic" that makes this happen. The basic ISDN-to-user connection, called a BRI, which stands for Basic Rate Interface, contains three separate channels. Two of these channels, called the B channels, carry user communication from a telephone, a computer, a fax or almost any other device.
The third channel, called the D channel, not only carries call setup information for the network but can also carry user data transmissions, even if it is not normally used for this purpose. That means that two separate "communications", say, a voice call and a computer transmission, can take place at the same time through the same ISDN line. The power of ISDN enables these two transmissions to happen at the same time, through the same copper twisted-pair telephone line that once could handle only one transmission. ISDN allows more information to be sent, more reliably and at higher speeds, and in most cases without changing the telephone wiring in your house or building. Another advantage is fast connection establishment. For example, with ISDN it takes only a few seconds to establish a connection with the Internet, compared to 40 seconds for an analog connection.

There is a second type of ISDN called a PRI, which stands for Primary Rate Interface, which is normally used by companies. PRI contains up to 32 separate channels. One of these channels is the D channel and the rest are B channels. ISDN is standardized by the ITU. There are different configurations of ISDN. The one used in Europe is called Euro-ISDN. There are different costs involved with ISDN. First you have a fixed fee for the ISDN subscription. Then you have an establishment cost each time you make a new connection through the ISDN network. Finally you have to pay for the time you are connected. ISDN is used for many different applications. One example is bandwidth on demand, which means that ISDN is used as extra backup when the leased connection is overloaded.

5.7.1 Basic elements of ISDN

First you need an ISDN subscription from a service provider. Then you need a line box called an NT, which stands for Network Terminal equipment. In Europe this is installed by the service provider, but in the USA it must be bought and installed by the user. You also need a terminal adapter.
This adapter is sometimes called an ISDN modem or an ISDN router. Finally you need terminal equipment such as a PC or an ISDN telephone.

5.7.2 Basic Rate Interface

The Basic Rate Interface, or BRI, is defined as two 64 kbps Bearer channels and one 16 kbps Data channel. The D channel normally carries call setup data but could also carry user data across the network. The BRI interface is also referred to as a 2B+D connection.

5.7.3 Primary Rate Interface

The Primary Rate Interface, or PRI, is defined as several 64 kbps B channels and one 64 kbps D channel. The Primary Rate Interface has different configurations in different countries. In the United States the PRI consists of a 23B+D configuration. This amounts to a total bandwidth of 1.5 Mbps, and is designed for transmission through a standard North American T1 trunk. In Europe and the Pacific, the transmission standard differs from the one used in the USA. The Primary Rate Interface is supplied through a standard 2.4 Mbps E1 channel, and consists of either the 30B+D configuration used in Europe or the 31B+D configuration used in the Pacific. Although the specifics of ISDN implementation are still slightly different from nation to nation, an interconnection between any two systems in the world is now not only possible, but increasingly practical.

5.7.4 ISDN Cable Bus

There are different kinds of cable buses used in ISDN. In the short bus configuration the maximum length between the NT and the terminal equipment is 140 meters. The terminal equipment can be connected anywhere on the bus. In the extended bus configuration the maximum length between the NT and the terminal equipment is 500 meters. There are, however, some restrictions on where terminal equipment is connected on the bus. In both the short bus configuration and the extended bus configuration you can connect up to 8 terminal devices, but the maximum length between two terminal devices is 50 meters.
In the Point-to-Point bus configuration, only one terminal device can be connected to the NT. The maximum length between the NT and the terminal equipment is 750 meters.

5.7.5 ISDN Example

One application is WAN backup, where you use ISDN together with a leased line. When the leased line is overloaded or broken, the ISDN connection becomes active. Another application is remote access. This could refer to Internet access or access to a LAN from a distant place. A third application is simultaneous voice, fax and data. This could be very convenient for people working from home. ISDN could also be used as a WAN service, connecting two LANs with each other. One popular application for ISDN is to connect LANs. The maximum bandwidth between LANs is 128 kbps if BRI is used. If PRI is used, the maximum bandwidth is 2 Mbps. The ISDN call is made automatically by the router only when data is to be sent to the network on the other side. The connection establishment time is very short and there are practically no delays when the traffic flows. A timer configured by the owner of the router can be set to disconnect the ISDN connection after some time.

5.7.6 Access to the Internet

One of the major uses of ISDN is high-speed access to the Internet. More and more applications on the Internet, like audio and video applications, demand higher bandwidth for satisfactory results. The normal 28.8 kbps is not enough any longer. One alternative, for individuals and small companies, is to use ISDN. The equipment is connected to ISDN through an ISDN router which has a BRI connection. In this case the maximum bandwidth for Internet communication that a single user can have is 128 kbps.

5.7.7 Home or small office solution

Two types of configurations can be used for SOHO applications. In the first type there is an ISDN card installed in the PC, which can communicate directly with the NT. This is the cheapest solution, but at most two users can have ISDN access.
In the second type an ISDN router is used. In this configuration many users can have ISDN access at the same time. A PC must have a network interface card to be able to communicate with an ISDN router. These cards are not special in any way; normal Ethernet cards, for instance, have this functionality. One common application for ISDN in these configurations is telecommuting. The idea is simple: to "transport" as much as possible of the functionality of the office to a remote site through a single ISDN BRI connection. This functionality includes:
1. Acceptably high-speed access to the user's LAN and file servers.
2. Full access to mailboxes.
3. Access to the Internet.

5.7.8 Large office solution

A large office can use a PRI ISDN connection. The advantage is that you can use the bandwidth that you need for the moment. A PRI connection can use from 8 up to 30 B channels. You cannot, however, use fewer than 8 B channels. A typical solution for PRI is to connect some of the B channels to the PBX. The telephones which are connected to the PBX can use the ISDN network to reach the public telephone service. The other B channels could be used for data communication.

5.7.9 Bandwidth on demand

Frame Relay and ISDN are a common internetworking team, with Frame Relay handling the main link and ISDN providing backup capabilities, replacing traditional asynchronous connections. Leased lines have two major limitations. The first is peak periods of traffic that overload the available bandwidth, causing congestion and delays. If the leased line is sized correctly, then a second leased line of any capacity is overkill. In fact, normal, non-peak traffic may be well below the data rate of the existing line. The second limitation is the lack of redundancy with a single leased line. For mission-critical applications, as is frequently the case when leased lines are used, this can be a serious limitation with devastating consequences.
Separate provisions that use dial-up lines can provide the necessary backup and overflow bandwidth inexpensively and transparently. Unfortunately, integrating dial-up backup with the existing leased lines can be a challenge. Most routers are not equipped to handle backup and overflow cost-effectively. A solution for this problem is an ISDN Basic Rate Interface service which provides dial-up backup and bandwidth on demand.

5.7.10 Using Frame Relay and ISDN in the Bank Network:

When using Frame Relay as the primary WAN technology for connecting the separate bank branches, we provide the maximum possible security for the network, since no data is transferred over the Internet, which is very insecure. Frame Relay provides a 24-hour always-up connection for a monthly fee. When using this solution, a Frame Relay adapter is required for every branch except the central branch, which requires two Frame Relay adapters: one for the connection to the different branches and one for connecting the ATMs (Automatic Teller Machines). Note that the branches will connect only to the central branch in this scenario.

In this scenario we will use ISDN as a backup because of its bandwidth-on-demand feature. We will pay a very low monthly fee for the ISDN service, and no further fees will be paid except when the ISDN link comes up because the primary Frame Relay link has gone down, which rarely happens. To use ISDN technology, an ISDN adapter (a so-called ISDN modem) is required for each branch except the central branch, which will require three ISDN adapters to connect three router ISDN BRI interfaces, providing a maximum of six connections at a time. The full configuration of the central branch and Aden branch routers in appendix (A) will clearly show how Frame Relay and ISDN are used and how ISDN is used as a backup WAN technology when the primary technology (Frame Relay) fails.
5.8 Wavelength-Division Multiplexing:

WDM (Wavelength-Division Multiplexing) is a new technology that can provide better bandwidth than all the other technologies. This technology can also be used by the bank to connect its branches. This technology is very expensive, but when implemented it can provide very high speeds. Here is a brief description of the technology.

In fiber-optic communications, wavelength-division multiplexing (WDM) is a technology which multiplexes multiple optical carrier signals on a single optical fiber by using different wavelengths (colors) of laser light to carry different signals. This allows for a multiplication in capacity, in addition to enabling bidirectional communications over one strand of fiber. This is a form of frequency division multiplexing (FDM) but is commonly called wavelength division multiplexing. The term wavelength-division multiplexing is commonly applied to an optical carrier (which is typically described by its wavelength), whereas frequency-division multiplexing typically applies to a radio carrier (which is more often described by frequency). However, since wavelength and frequency are inversely proportional, and since radio and light are both forms of electromagnetic radiation, the two terms are equivalent in this context.

5.8.1 WDM Systems

A WDM system uses a multiplexer at the transmitter to join the signals together, and a demultiplexer at the receiver to split them apart. With the right type of fiber it is possible to have a device that does both simultaneously, and can function as an optical add-drop multiplexer. The concept was first published in 1970, and by 1978 WDM systems were being realized in the laboratory. The first WDM systems only combined two signals. Modern systems can handle up to 160 signals and can thus expand a basic 10 Gbit/s fiber system to a theoretical total capacity of over 1.6 Tbit/s over a single fiber pair.
WDM systems are popular with telecommunications companies because they allow them to expand the capacity of the network without laying more fiber. By using WDM and optical amplifiers, they can accommodate several generations of technology development in their optical infrastructure without having to overhaul the backbone network. Capacity of a given link can be expanded by simply upgrading the multiplexers and demultiplexers at each end. This is often done by using optical-to-electrical-to-optical (O/E/O) translation at the very edge of the transport network, thus permitting interoperation with existing equipment with optical interfaces.

Most WDM systems operate on single mode fiber optical cables, which have a core diameter of 9 µm. Certain forms of WDM can also be used in multi-mode fiber cables (also known as premises cables) which have core diameters of 50 or 62.5 µm. Early WDM systems were expensive and complicated to run. However, recent standardization and better understanding of the dynamics of WDM systems have made WDM less expensive to deploy. Optical receivers, in contrast to laser sources, tend to be wideband devices. Therefore the demultiplexer must provide the wavelength selectivity of the receiver in the WDM system.

WDM systems are divided into different wavelength patterns: conventional or coarse, and dense WDM. Conventional WDM systems provide up to 16 channels in the 3rd transmission window (C-band) of silica fibers around 1550 nm. DWDM uses the same transmission window but with denser channel spacing. Channel plans vary, but a typical system would use 40 channels at 100 GHz spacing or 80 channels with 50 GHz spacing. Some technologies are capable of 25 GHz spacing (sometimes called ultra dense WDM). New amplification options (Raman amplification) enable the extension of the usable wavelengths to the L-band, more or less doubling these numbers.
WDM, DWDM and CWDM are based on the same concept of using multiple wavelengths of light on a single fiber, but differ in the spacing of the wavelengths, the number of channels, and the ability to amplify the multiplexed signals in the optical space.

5.8.2 Dense WDM:

Dense Wavelength Division Multiplexing, or DWDM for short, refers originally to optical signals multiplexed within the 1550-nm band so as to leverage the capabilities (and cost) of erbium doped fiber amplifiers (EDFAs), which are effective for wavelengths between approximately 1525-1565 nm (C band), or 1570-1610 nm (L band). EDFAs were originally developed to replace SONET/SDH optical-electrical-optical (OEO) regenerators, which they have made practically obsolete. EDFAs can amplify any optical signal in their operating range, regardless of the modulated bit rate. In terms of multi-wavelength signals, so long as the EDFA has enough pump energy available to it, it can amplify as many optical signals as can be multiplexed into its amplification band (though signal densities are limited by choice of modulation format). EDFAs therefore allow a single-channel optical link to be upgraded in bit rate by replacing only equipment at the ends of the link, while retaining the existing EDFA or series of EDFAs through a long haul route. Furthermore, single-wavelength links using EDFAs can similarly be upgraded to WDM links at reasonable cost. The EDFA's cost is thus leveraged across as many channels as can be multiplexed into the 1550-nm band.

5.8.2.1 DWDM Systems:

At this stage, a basic DWDM system contains several main components:
1. A DWDM terminal multiplexer. The terminal multiplexer actually contains one wavelength converting transponder for each wavelength signal it will carry. The wavelength converting transponders receive the input optical signal (i.e., from a client-layer SONET/SDH or other signal), convert that signal into the electrical domain, and retransmit the signal using a 1550-nm band laser.
(Early DWDM systems contained 4 or 8 wavelength converting transponders in the mid 1990s. By 2000 or so, commercial systems capable of carrying 128 signals were available.) The terminal mux also contains an optical multiplexer, which takes the various 1550-nm band signals and places them onto a single SMF-28 fiber. The terminal multiplexer may or may not also support a local EDFA for power amplification of the multi-wavelength optical signal.
2. An intermediate optical terminal, or optical add-drop multiplexer. This is a remote amplification site that amplifies the multi-wavelength signal that may have traversed up to 140 km or more before reaching the remote site. Optical diagnostics and telemetry are often extracted or inserted at such a site, to allow for localization of any fiber breaks or signal impairments. In more sophisticated systems (which are no longer point-to-point), several signals out of the multiwavelength signal may be removed and dropped locally.
3. A DWDM terminal demultiplexer. The terminal demultiplexer breaks the multi-wavelength signal back into individual signals and outputs them on separate fibers for client-layer systems (such as SONET/SDH) to detect. Originally, this demultiplexing was performed entirely passively, except for some telemetry, as most SONET systems can receive 1550-nm signals. However, in order to allow for transmission to remote client-layer systems (and to allow for digital domain signal integrity determination) such demultiplexed signals are usually sent to O/E/O output transponders prior to being relayed to their client-layer systems. Often, the functionality of the output transponder has been integrated into that of the input transponder, so that most commercial systems have transponders that support bi-directional interfaces on both their 1550-nm (i.e., internal) side and their external (i.e., client-facing) side.
Transponders in some systems supporting 40 GHz nominal operation may also perform forward error correction (FEC) via 'digital wrapper' technology, as described in the ITU-T G.709 standard.
4. Optical Supervisory Channel (OSC). This is an additional wavelength usually outside the EDFA amplification band (at 1510nm, 1620nm, 1310nm or another proprietary wavelength). The OSC carries information about the multi-wavelength optical signal as well as remote conditions at the optical terminal or EDFA site. It is also normally used for remote software upgrades and user (i.e., network operator) Network Management information. It is the multi-wavelength analogue to SONET's DCC (or supervisory channel). ITU standards suggest that the OSC should utilize an OC-3 signal structure, though some vendors have opted to use 100 megabit Ethernet or another signal format. Unlike the 1550-nm band client signal-carrying wavelengths, the OSC is always terminated at intermediate amplifier sites, where it receives local information before retransmission.

The introduction of the ITU-T G.694.1 frequency grid in 2002 has made it easier to integrate WDM with older but more standard SONET/SDH systems. WDM wavelengths are positioned in a grid having exactly 100 GHz (about 0.8nm) spacing in optical frequency, with a reference frequency fixed at 193.10 THz (1552.52nm). The main grid is placed inside the optical fiber amplifier bandwidth, but can be extended to wider bandwidths. Today's DWDM systems use 50 GHz or even 25 GHz channel spacing for up to 160 channel operation. DWDM systems have to maintain a more stable wavelength or frequency than is needed for CWDM because of the closer spacing of the wavelengths. Precision temperature control of the laser transmitter is required in DWDM systems to prevent "drift" off a very narrow frequency window of the order of a few GHz.
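The G.694.1 grid arithmetic above (193.10 THz anchor, 100/50/25 GHz spacing, wavelength = c/f) carried through as an added Python example, not part of the original text; the band limits are the approximate C/L-band figures quoted in 5.8.2, the 2.5 GHz drift tolerance is an assumed reading of "a few GHz", and the measured laser frequencies in the checks are constructed values.

```python
"""ITU-T G.694.1 DWDM grid: frequency <-> wavelength, band membership and laser-drift checks.

Added example; not part of the original project text. Reference frequency, spacings and
band limits are the figures quoted in the page; tolerance_ghz is an assumption.
"""
import math

C_M_PER_S = 299_792_458            # speed of light in vacuum
F_REF_HZ = 193_100_000_000_000     # 193.10 THz anchor of the G.694.1 grid

# Approximate EDFA amplification windows from section 5.8.2, in nm
BANDS = {"C": (1525.0, 1565.0), "L": (1570.0, 1610.0)}


def grid_frequency_hz(n: int, spacing_ghz: float = 100.0) -> float:
    """Frequency of grid channel n (n may be negative): 193.1 THz + n * spacing."""
    return F_REF_HZ + n * spacing_ghz * 1e9


def wavelength_nm(freq_hz: float) -> float:
    """lambda = c / f, expressed in nanometres."""
    return C_M_PER_S / freq_hz * 1e9


def band_of(freq_hz: float):
    """Name of the amplification band a channel falls in, or None if outside both."""
    lam = wavelength_nm(freq_hz)
    for name, (lo, hi) in BANDS.items():
        if lo <= lam <= hi:
            return name
    return None


def channels_in_band(band: str, spacing_ghz: float) -> int:
    """Number of grid channels at the given spacing that fit inside a band.
    Shorter wavelength means higher frequency, so the band edges swap roles."""
    lo_nm, hi_nm = BANDS[band]
    f_hi = C_M_PER_S / (lo_nm * 1e-9)
    f_lo = C_M_PER_S / (hi_nm * 1e-9)
    step = spacing_ghz * 1e9
    n_lo = math.ceil((f_lo - F_REF_HZ) / step)
    n_hi = math.floor((f_hi - F_REF_HZ) / step)
    return n_hi - n_lo + 1


def check_laser(measured_hz: float, spacing_ghz: float, tolerance_ghz: float = 2.5):
    """Snap a measured transmitter frequency to the nearest grid channel and report
    (channel index, drift in GHz, within_tolerance). The tolerance default is an
    assumed value for the 'few GHz' window the text mentions."""
    step = spacing_ghz * 1e9
    n = round((measured_hz - F_REF_HZ) / step)
    offset_ghz = (measured_hz - grid_frequency_hz(n, spacing_ghz)) / 1e9
    return n, offset_ghz, abs(offset_ghz) <= tolerance_ghz
```

Run over the page's own numbers, channel 0 comes out at 1552.52 nm and the 100 GHz step at about 0.80 nm; the C-band window holds about 50 channels at 100 GHz spacing and 100 at 50 GHz, slightly more than the 40/80 a typical system provisions.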
In addition, since DWDM provides greater maximum capacity it tends to be used at a higher level in the communications hierarchy than CWDM, for example on the Internet backbone, and is therefore associated with higher modulation rates, thus creating a smaller market for DWDM devices with very high performance levels. These factors of smaller volume and higher performance result in DWDM systems typically being more expensive than CWDM. Recent innovations in DWDM transport systems include pluggable and software-tunable transceiver modules capable of operating on 40 or 80 channels. This dramatically reduces the need for discrete spare pluggable modules, when a handful of pluggable devices can handle the full range of wavelengths.

Chapter Six Securing the Network of the Bank

6.1 Introduction:

As said before, the security features of the current network are somewhat weak. The current network does not have any physical firewall. Using a firewall in the new network is very important since this network will be connected to the Internet and will use a web server. Also, the current network does not have any kind of VLANs. VLANs are very useful to separate the network based on the job of each group of computers. VLANs can provide extra security because different computers are permitted to transfer different types of traffic based on their permissions. This chapter will focus on the security side of the network and how we can increase the security of the network by including a firewall and implementing VLANs.

6.2 Using a Firewall in the Network:

Every network that will be connected to the Internet should add a firewall at its edge to protect the entire network. In our network, Cisco PIX or ASA firewalls can be used for this purpose. Most of the concepts can be used in the configuration of both types of firewalls.
The network topology after adding the firewall will be as shown in figure 6-1:

Figure 6-1, The Bank Topology After Adding a Firewall

In the topology shown in figure 6-1, the physical firewall is used only in the central office because of its central role in the bank and because it has the heaviest traffic load, so the security processes should be separated from the routing processes. Each of these processes needs to be implemented on a separate device. On the other hand, the load on the other branches is much less than in the central branch, so a separate firewall device in each of them is not necessary. An IOS firewall can be installed on the routers of these branches.

The LAN of the central branch will be divided into two security zones, the demilitarized zone (DMZ) and the private zone. The DMZ will contain servers that will be accessed from the Internet by different users and guests. This area will have the minimum security features because it should allow access to its servers from the outside. The servers of the DMZ are the web server and the mail server. For maximum possible security, a switch will be used to put each server in a different VLAN, so that when one of the servers of the DMZ is attacked, the other server is on another VLAN and the attacker is forced to pass the firewall again in order to attack it. The private network is further divided by the router into two networks. One of these networks is the network of servers (server farm) and the other is for the users of the bank. The network of the servers will be divided using VLANs to put each server in a separate VLAN. The network of the bank users will also be divided into VLANs to assign different permissions to different groups of users.

6.3 Implementing VPNs on the Firewall:

The WAN technology that will be used by the bank is DSL.
The bank traffic will pass through the Internet, so there is a need for a strong security mechanism to protect this traffic from this very insecure Internet. IPsec VPNs are one of the most powerful methods used to establish tunnels in the Internet and make the traffic passing through them very secure. The site-to-site VPN type will be used, as shown in figure 6-2. IPsec provides strong encryption and authentication algorithms, as explained in detail in chapter five.

Figure 6-2, VPNs of the Bank

6.4 Using VLANs in the Bank Network:

A VLAN allows a network administrator to create groups of logically networked devices that act as if they are on their own independent network, even if they share a common infrastructure with other VLANs. When you configure a VLAN, you can name it to describe the primary role of the users for that VLAN.

Benefits of a VLAN:

User productivity and network adaptability are key drivers for business growth and success. Implementing VLAN technology enables a network to more flexibly support business goals. The primary benefits of using VLANs are as follows:
• Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches. Database servers, for example, are completely separated from web and mail servers.
• Cost reduction - Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
• Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.
• Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm. LAN segmentation prevents a broadcast storm from propagating to the whole network. The number of broadcast domains in each LAN depends on the number of VLANs in it.
• Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN. When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name.

As said before, the bank will use VLANs to separate each server from the others in the server farm and in the DMZ. The bank will also use VLANs to give different permissions to its employees. The configuration of the VLANs will be shown in the configuration of the routers in appendix (A).

6.5 Securing the Networking Devices:

It is very important to understand that if a networking device cannot protect itself, it cannot protect other devices or resources. Protecting these devices requires attention to several areas:

• The first is the protection of the networking equipment room itself. No one should be allowed to enter the server and equipment room except those who are responsible for it, mainly the computer staff.
• The second is the use of strong, hard-to-guess passwords to protect the devices. In a router or switch, a password must be required for access through the console port, the auxiliary port, Telnet sessions, and for changing from one mode to another.
• The third is to shut down any unused interfaces, so that no one can connect to them and use them for disallowed activities.
• The fourth is to protect the first access ports to the network, which are the switch ports. All unused ports should be shut down. Also, one method that can be used to protect the ports in use is to bind each port to the MAC address of a specific device. This greatly helps to prevent a stranger from unplugging the cable of one of the computers and plugging in a cable that connects his laptop to the network.
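The device checks above can be applied mechanically to the text of a show running-config. The Python script below is an added example (not part of the project's configuration): it splits the config into blocks and reports clear-text line passwords, SSH version 1, an enabled HTTP server, CDP left running, unused interfaces that are not shut down, lines without login, a disabled idle timeout, and vty lines not restricted to SSH; SAMPLE_CONFIG is constructed for the demonstration and deliberately contains such weaknesses.

```python
"""Audit an IOS running-config against the hardening steps of section 6.5.

Added example, not the project's own code. SAMPLE_CONFIG is constructed from
the kinds of lines used in appendix A and deliberately contains weaknesses.
"""

SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
ip ssh version 1
ip http server
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.240
interface FastEthernet0/1
 no ip address
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 exec-timeout 0 0
 login local
 transport input ssh
"""


def parse_blocks(text):
    """Split a running-config into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a sorted list of findings for one device configuration."""
    blocks = parse_blocks(text)
    top = {h for h, _ in blocks}
    findings = []
    if "service password-encryption" not in top:
        findings.append("global: line passwords stored in clear text")
    if "ip ssh version 1" in top:
        findings.append("global: SSH version 1 enabled")  # SSHv1 is obsolete
    if "ip http server" in top:
        findings.append("global: HTTP management server enabled")
    if "no cdp run" not in top:
        findings.append("global: CDP not disabled")
    ifaces = [(h.split(None, 1)[1], kids) for h, kids in blocks if h.startswith("interface ")]
    # A parent with no address is still in use when it carries subinterfaces.
    parents = {name.split(".")[0] for name, _ in ifaces if "." in name}
    for name, kids in ifaces:
        if "no ip address" in kids and "shutdown" not in kids and name not in parents:
            findings.append(f"interface {name}: unused but not shut down")
    for h, kids in blocks:
        if not h.startswith("line "):
            continue
        if not any(k.startswith("login") for k in kids):
            findings.append(f"{h}: no login required")
        if "exec-timeout 0 0" in kids:
            findings.append(f"{h}: idle timeout disabled")
        if h.startswith("line vty") and "transport input ssh" not in kids:
            findings.append(f"{h}: remote access not restricted to SSH")
    return sorted(findings)
```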
All the above security steps will be shown clearly when configuring the networking devices of the central branch and the Aden branch in appendix (A).

Chapter Seven
Designing the Wireless Network of the Bank

After studying wireless networks, we have found that it is possible to implement wireless LANs for branches that have fewer buildings in the neighborhood. That is because in such an environment it is difficult for a stranger to enter the network, since it will be noticed that he is doing something suspicious. So, for maximum security, these wireless LANs will be implemented only in calm environments. Those LANs will have the advantages of ease of installation and ease of configuration.

7.1 The Current Network of Aden Branch

From our analysis, the branch building consists of two floors. The first floor consists of several offices: the HUMAN RESOURCE office, with three computers that are all connected to a printer; the INFORMATION TECHNOLOGY office, with two computers; and the CUSTOMERS SERVICE office, with two computers. The second floor consists of the BRANCH MANAGER OFFICE, with one computer; the DEPUTY BRANCH MANAGER office, with one computer; and several computers in CASH DEVELOPMENT, EXCHANGE, BILLS DEPARTMENT, CLEARING, TRANSFER DEPARTMENT, COLLECTION CHEQUE and SECRETARIAL. The total number of computers is 6 on the first floor and 12 on the second floor. The computers on the first and second floors are connected together to a switch, this switch is connected to another switch, and the second switch is connected to a router. There is a problem with user growth: the bank has one switch, and the switch has a limited number of ports.
It is not possible to increase the number of computers, which means that this network does not allow user growth. This is a mistake; the network must be scalable for future growth. The topology is as follows:

Fig 7-1

7.2 The Wireless Network Installation

When installing the wireless network, wireless devices such as a wireless NIC (network interface card) and an access point must be provided; each type will now be explained. In our project the devices required are an access point and a wireless NIC for each PC.

7.2.1 Configuring the Wireless Access Point

The Basic Setup screen is the first screen you see when you access the web-based utility. Click the Wireless tab and then select the Basic Wireless Settings tab.

Basic Wireless Settings:

Fig 7-2

Network Mode: If you have Wireless-N, Wireless-G, and 802.11b devices in your network, keep Mixed, the default setting. If you have Wireless-G and 802.11b devices, select BG-Mixed. If you have only Wireless-N devices, select Wireless-N Only. If you have only Wireless-G devices, select Wireless-G Only. If you have only Wireless-B devices, select Wireless-B Only. If you want to disable wireless networking, select Disable. See figure 7-3.

Fig 7-3

Network Name (SSID): The SSID is the network name shared among all points in a wireless network. The SSID must be identical for all devices in the wireless network. It is case-sensitive and must not exceed 32 characters (use any of the characters on the keyboard). For added security, you should change the default SSID (Linksys) to a unique name, as in figure 7-4.

Fig 7-4

SSID Broadcast: When wireless clients survey the local area for wireless networks to associate with, they detect the SSID broadcast by the access point. To broadcast the SSID, keep Enabled, the default setting. If you do not want to broadcast the SSID, select Disabled. When you have finished making changes to this screen, click the Save Settings button, or click the Cancel Changes button to undo your changes.
Radio Band: For best performance in a network using Wireless-N, Wireless-G, and Wireless-B devices, keep the default, Auto. For Wireless-N devices only, select Wide - 40MHz Channel. For Wireless-G and Wireless-B networking only, select Standard - 20MHz Channel. See figure 7-5.

Fig 7-5

Wide Channel: If you selected Wide - 40MHz Channel for the Radio Band setting, this setting is available for your primary Wireless-N channel. Select any channel from the drop-down menu.

Fig 7-6

Standard Channel: Select the channel for Wireless-N, Wireless-G, and Wireless-B networking. If you selected Wide - 40MHz Channel for the Radio Band setting, the standard channel is a secondary channel for Wireless-N, as in figure 7-7.

Fig 7-7

7.2.2 Configuring a Wireless NIC:

Scan for SSIDs: When the access point has been configured, you need to configure the wireless NIC on a client device to allow it to connect to the wireless network. You also should verify that the wireless client has successfully connected to the correct wireless network, especially since there may be many WLANs available with which to connect. We will also introduce some basic troubleshooting steps and identify common problems associated with WLAN connectivity.

If your PC is equipped with a wireless NIC, you should be ready to scan for wireless networks. PCs running Microsoft Windows XP have a built-in wireless networks monitor and client utility. You may have a different utility installed and selected in preference to the native Microsoft Windows XP version. The steps below are for using the View Wireless Networks feature in Microsoft Windows XP.

Step 1. On the Microsoft Windows XP toolbar system tray, find the network connection icon that looks similar to the one shown in figure 7-8. Double-click the icon to open the Network Connections dialog box.

Fig 7-8

Step 2. Click the View Wireless Networks button in the dialog box.

Step 3. Observe the wireless networks that your wireless NIC has been able to detect.
If you have a WLAN that is not showing up on the list of networks, you may have disabled SSID broadcast on the access point. If this is the case, you must enter the SSID manually. See figure 7-9.

Fig 7-9

Select the Wireless Security Protocol: After having configured your access point to authenticate clients with a strong security type, you must match your client configuration to the access point parameters. The following steps describe how to configure your wireless network security parameters on the client:

Step 1. Double-click the network connections icon in the Microsoft Windows XP system tray, as in figure 7-10.

Fig 7-10

Step 2. Click the Properties button in the Wireless Network Connections Status dialog box.

Fig 7-11

Step 3. In the Properties dialog box, click the Wireless Networks tab, as in figure 7-12.

Fig 7-12

Step 4. In the Wireless Networks tab, click the Add button. You can also save multiple wireless profiles with different security parameters, allowing you to quickly connect to the WLANs you may use regularly. See figure 7-13.

Fig 7-13

Step 5. In the Wireless Network Properties dialog box, enter the SSID of the WLAN you wish to configure.

Fig 7-14

Step 6. In the Wireless network key box, select your preferred authentication method from the Network Authentication drop-down menu. WPA2 and PSK2 are preferred because of their strength.

Fig 7-15

Step 7. Select the Data encryption method from the drop-down menu. Recall that AES is a stronger cipher than TKIP, but you should match the configuration of your access point here on your PC. See figure 7-16.

Fig 7-16

After selecting the encryption method, enter and confirm the Network key. Again, this is the value that you entered into the access point.

Step 8. Click OK.

Appendix (A)

In this appendix, the configuration of the routers of Sana’a and Aden will be shown. The appendix is divided into two parts. The first part deals with the VPN and its configuration in the case that this technology is used.
The second part is about Frame Relay, the wireless technology, and securing the networking devices.

Appendix A-1:

The idea of this part is to show the configuration of the Sana’a and Aden routers in the case that a VPN is used. The simulator chosen is Dynamips. The topology of this scenario is as in figure A.1:

Figure A.1, the topology of appendix A-1

All the IP addresses are shown on the figure. The only difference between the figure and the actual simulation is that the simulator does not provide the capability of adding end devices, so instead of regular end devices, routers were used with interfaces having the same IP addresses as the end devices in the figure. Now the configuration of the two routers will be shown.

Sana’a Router Configuration:

Connected to Dynamips VM "R0" (ID 0, type c3600) - Console port

User Access Verification

Password:
Sana'a>enable
Password:
Sana'a#show running-config
Building configuration...

Current configuration : 1331 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Sana'a
!
enable secret 5 $1$iAwI$utTTbAAtYN6BsRFqJtsZ71
!
!
ip subnet-zero
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SeCrEt address 172.16.171.2 255.255.255.0
!
!
crypto ipsec transform-set AAA esp-3des esp-sha-hmac
!
crypto map vvv 10 ipsec-isakmp
 set peer 172.16.171.2
 set transform-set AAA
 match address MyACL
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
interface FastEthernet0/0
 ip address 172.16.171.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vvv
!
interface FastEthernet1/0
 ip address 192.168.20.1 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 192.168.10.0 255.255.255.0 172.16.171.2
ip http server
!
!
ip access-list extended MyACL
 permit ip host 172.16.171.1 host 172.16.171.2
 permit ip host 172.16.171.1 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 host 172.16.171.2
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

Sana'a#

Aden Router Configuration:

Connected to Dynamips VM "R1" (ID 1, type c3600) - Console port

User Access Verification

Password:
Aden>ena
Password:
Aden#show running-config
Building configuration...

Current configuration : 1329 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Aden
!
enable secret 5 $1$fPkg$ov0cIvPzbkoCo1yimBQf61
!
ip subnet-zero
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SeCrEt address 172.16.171.1 255.255.255.0
!
!
crypto ipsec transform-set AAA esp-3des esp-sha-hmac
!
crypto map vvv 10 ipsec-isakmp
 set peer 172.16.171.1
 set transform-set AAA
 match address MyACL
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
interface FastEthernet0/0
 ip address 172.16.171.2 255.255.255.0
 duplex auto
 speed auto
 crypto map vvv
!
interface FastEthernet1/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 192.168.20.0 255.255.255.0 172.16.171.1
ip http server
!
!
ip access-list extended MyACL
 permit ip host 172.16.171.2 host 172.16.171.1
 permit ip host 172.16.171.2 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 host 172.16.171.1
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
!
line con 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

Aden#

Appendix A-2:

This is the main simulation, in which the entire network of the bank is included. The use and configuration of many technologies such as Frame Relay, VLANs, routing, and securing the networking devices are included here. Packet Tracer is used here as the simulator.
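Before trusting the tunnel, a reviewer checks that the two configurations above are mirror images of each other: each side's set peer must be the address of the other side's crypto-map interface, and the two crypto ACLs must match with source and destination swapped, otherwise the security associations will not negotiate. The Python script below is an added example, not part of the project; SANAA and ADEN are the relevant lines reduced from the two configurations, and the check works for any pair of IOS site-to-site configs whose crypto ACLs use host or wildcard entries.

```python
"""Check that two IPsec site-to-site peers are mirror images (added example).

SANAA and ADEN are reduced from the appendix A-1 configurations.
"""
import ipaddress

SANAA = """\
crypto map vvv 10 ipsec-isakmp
 set peer 172.16.171.2
interface FastEthernet0/0
 ip address 172.16.171.1 255.255.255.0
 crypto map vvv
ip access-list extended MyACL
 permit ip host 172.16.171.1 host 172.16.171.2
 permit ip host 172.16.171.1 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 host 172.16.171.2
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

ADEN = """\
crypto map vvv 10 ipsec-isakmp
 set peer 172.16.171.1
interface FastEthernet0/0
 ip address 172.16.171.2 255.255.255.0
 crypto map vvv
ip access-list extended MyACL
 permit ip host 172.16.171.2 host 172.16.171.1
 permit ip host 172.16.171.2 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 host 172.16.171.1
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""


def _addr(tokens):
    """Consume one ACL address spec ("host X" or "net wildcard") as a /prefix."""
    t = tokens.pop(0)
    if t == "host":
        return str(ipaddress.ip_network(tokens.pop(0) + "/32"))
    # ipaddress accepts an IOS wildcard as a hostmask after the slash
    return str(ipaddress.ip_network(f"{t}/{tokens.pop(0)}"))


def parse_side(text):
    """Extract the peer address, local crypto-map address and crypto ACL."""
    side = {"peer": None, "local": None, "acl": []}
    header, last_ip = [], None
    for line in text.splitlines():
        tok = line.split()
        if not line.startswith(" "):
            header = tok
        elif header[:2] == ["crypto", "map"] and tok[:2] == ["set", "peer"]:
            side["peer"] = tok[2]
        elif header[0] == "interface" and tok[:2] == ["ip", "address"]:
            last_ip = tok[2]
        elif header[0] == "interface" and tok[:2] == ["crypto", "map"]:
            side["local"] = last_ip  # the interface that carries the crypto map
        elif header[:2] == ["ip", "access-list"] and tok[0] == "permit":
            rest = tok[2:]
            src = _addr(rest)  # source is consumed first, then destination
            dst = _addr(rest)
            side["acl"].append((tok[1], src, dst))
    return side


def check_peers(a, b):
    """Return the mismatches between the two sides; empty means consistent."""
    problems = []
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("set peer does not match the far side's crypto-map interface")
    # The far side's ACL must equal ours with source and destination swapped.
    mirrored = sorted((p, d, s) for p, s, d in b["acl"])
    if sorted(a["acl"]) != mirrored:
        problems.append("crypto ACLs are not mirror images")
    return problems
```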
The topology of the simulation is as in figure A.2. All the IP addresses are denoted on the figure. The configuration of the Sana’a and Aden routers is shown below.

Sana’a Router Configuration:

User Access Verification

Password:
Sana'a>enable
Password:
Sana'a#show running-config
Building configuration...

Current configuration : 3157 bytes
!
version 12.4
service password-encryption
!
hostname Sana'a
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
username whitefuture password 7 0822455D0A16
!
ip ssh version 1
ip domain-name sbyb.com
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.240
 ip access-group DBServer out
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.1.17 255.255.255.240
 ip access-group MailServer out
!
interface FastEthernet0/0.4
 encapsulation dot1Q 4
 ip address 192.168.1.33 255.255.255.240
 ip access-group DNSServer out
!
interface FastEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.1.49 255.255.255.240
 ip access-group PerServer out
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.6
 encapsulation dot1Q 6
 ip address 192.168.2.1 255.255.255.224
!
interface FastEthernet0/1.7
 encapsulation dot1Q 7
 ip address 192.168.2.33 255.255.255.224
!
interface FastEthernet0/1.8
 encapsulation dot1Q 8
 ip address 192.168.2.129 255.255.255.128
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay ietf
 frame-relay lmi-type ansi
!
interface Serial0/0/0.102 point-to-point
 ip address 192.168.10.9 255.255.255.252
 frame-relay interface-dlci 102
!
interface Serial0/0/0.103 point-to-point
 ip address 192.168.10.5 255.255.255.252
 frame-relay interface-dlci 103
!
interface Serial0/0/0.104 point-to-point
 ip address 192.168.10.13 255.255.255.252
 frame-relay interface-dlci 104
!
interface Serial0/0/0.105 point-to-point
 ip address 192.168.10.17 255.255.255.252
 frame-relay interface-dlci 105
!
interface Serial0/0/0.106 point-to-point
 ip address 192.168.10.21 255.255.255.252
 frame-relay interface-dlci 106
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.10.4 0.0.0.3 area 0
 network 192.168.10.8 0.0.0.3 area 0
 network 192.168.10.12 0.0.0.3 area 0
 network 192.168.10.16 0.0.0.3 area 0
 network 192.168.10.20 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.15 area 0
 network 192.168.1.16 0.0.0.15 area 0
 network 192.168.1.32 0.0.0.15 area 0
 network 192.168.1.48 0.0.0.15 area 0
 network 192.168.2.128 0.0.0.127 area 0
 network 192.168.2.0 0.0.0.31 area 0
 network 192.168.2.32 0.0.0.31 area 0
!
ip classless
!
!
ip access-list extended DBServer
 permit tcp any host 192.168.1.2 eq ftp
 permit tcp any host 192.168.1.2 eq www
 permit ip 192.168.2.0 0.0.0.31 host 192.168.1.2
ip access-list extended MailServer
 permit tcp any host 192.168.1.18 eq smtp
 permit tcp any host 192.168.1.18 eq pop3
 permit ip 192.168.2.0 0.0.0.31 host 192.168.1.18
ip access-list extended DNSServer
 permit udp any host 192.168.1.34 eq domain
 permit tcp any host 192.168.1.34 eq domain
 permit ip 192.168.2.0 0.0.0.31 host 192.168.1.34
ip access-list extended PerServer
 permit tcp any host 192.168.1.50 eq ftp
 permit ip 192.168.2.0 0.0.0.31 host 192.168.1.50
!
!
!
no cdp run
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 exec-timeout 0 0
 password 7 0822455D0A16
 login local
 transport input ssh
!
!
end

Sana'a#

Aden Router Configuration:

User Access Verification

Password:
Aden>enable
Password:
Aden#show running-config
Building configuration...

Current configuration : 1143 bytes
!
version 12.4
service password-encryption
!
hostname Aden
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
username whitefuture password 7 0822455D0A16
!
ip ssh version 1
ip domain-name sbyb.com
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.5.225 255.255.255.224
!
interface FastEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.5.129 255.255.255.192
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay ietf
 frame-relay lmi-type ansi
!
interface Serial0/0/0.401 point-to-point
 ip address 192.168.10.14 255.255.255.252
 frame-relay interface-dlci 401
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.10.12 0.0.0.3 area 0
 network 192.168.5.128 0.0.0.63 area 0
 network 192.168.5.224 0.0.0.31 area 0
!
ip classless
!
no cdp run
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 4
 login local
 transport input ssh
!
end

Aden#

Conclusion

From the above study, it is clear that designing a network for a large corporation should be done with care. In certain situations it is possible to use wireless technology, while in others it is not allowed. The network should be built with strong security techniques. The designer of the network should keep in mind that the network should be very secure and scalable. The configuration of the devices must be optimized so that the delay is as small as possible. This should be maintained also when configuring the firewall, because it is the edge of the network and the entire traffic passes through it. In general, scalability, adaptability, and security are the most important characteristics that should be studied carefully when designing and configuring a large network.