This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
VPN stands for Virtual Private Network; it is an extension of a private network that contains links across shared pr public networks like the Internet. VPN allows data can be sent between computers across a shared or public internetwork in a manner that emulates the properties of a point-to-point private link.
To emulate point to point link, the data is encapsulated with a header which will provide the routing information and permit it across the shared or public transit internetwork to reach the end points. To emulate a private link, the data will be sent with the encrypted confidentially. Packets which are intercepted on the shared or public network are hard to decipher without the encryption keys.
The portion of the connection where the private data is wrapped or encapsulated is known as the tunnel. Besides that, the portion in which the data is encrypted is known as the virtual network connection.
VPN technologies have long been used and nowadays, it is being more become popular in most of the solution in almost company in the world because of the connectivity.
The illustration for the Virtual private network connection
The advantages of VPN
The connection among schools can be created easy and quickly via internet
Some of specific application can configure its security.
The communication and synchronous data among school will be done easy and quickly.
The price for share facility will be decreased if we use VPN which replace for traditional routed network over the dedicated facility.
VPN can help system to increase using of IP private address.
Remote Access over the Internet
VPNs provide the remote access to collect all resource over the public internet while it also maintains the privacy of information. The figure will show a VPN connection used to remote access to corporate intranet.
The illustration for VPN connection to connect 2 remote site.
Connecting networks via the Internet
Two methods will be used to connect local area networks at the remote side:
Using the dedicated lines to connect a branches office to LAN corporate.
Using a dial up lines to connect a branches office to LAN corporate.
Connecting Computer via a Intranet
In some commercial internetworks, the departmental data is so sensitive that the department's LAN is physically disconnected from the rest of the corporate internetwork. Although this protects the department's confidential information, it creates information accessibility problems for those users not physically connected to the separate LAN.
Tunneling is a method which is used an internetwork infrastructure to transfer data for one network over one network. The data is transferred may be a frame or packets of another protocol. Instead of sending a frame or packets by using the original node, in the tunneling method, the frames or packets will be wrapped or encapsulated by the additional header. These additional headers will provide the routing information so that the encapsulated payload can traverse the intermediate internetwork.
Then, all encapsulated frames will be routed over the tunnel endpoints over the internetwork. The encapsulated packets will travel throughout the internetwork by the logical path it is called a tunnel. Once the frames reach their destination, they will be decapsulated and after that, they will be forwarded to its final destination.
This figure will be an illustration for tunneling protocol.
Tunneling technologies have been existed for some time. These mature technologies will be showed in the following list.
SNA tunneling over IP internetworks.
IPX tunneling for Novel Netware over IP internetwork.
Point to Point tunneling protocol (PPTP).
Layer two tunneling protocol (L2TP)
IPSec tunnel mode.
In this assignment, we will discuss for Point to Point tunneling protocol (PPTP), Layer two tunneling protocol and IPSec tunnel mode.
Point to Point tunneling protocol
Point to Point tunneling protocol is a layer 2 of protocol which encapsulated frames of Point to Point protocol (PPP) in IP datagram and it used for transmission purpose over an IP internetwork such as internet.
In generally, Point to Point tunneling protocol uses a TCP connection for maintained tunnel to encapsulated PPP frames for tunneled data.
The figure will be an illustration for structure of PPTP packet containing user data.
Layer two tunneling protocol (L2TP)
Layer two tunneling protocol is association between Point to Point tunneling protocol and Layer 2 forwarding. This is a technology which was introduced by Cisco System.
L2TP uses UDP and a series of L2TP messages for tunneling maintenance. Besides that, layer 2 tunneling protocol also uses UDP to send L2TP encapsulated frames as the tunneled data. The payloads of encapsulated PPP frames can be encrypted and/or compressed.
This figure will explain the structure of L2TP packet containing user data.
This figure will be an encryption of an L2TP packet.
Internet protocol security tunnel model (IPSec)
Internet protocol security tunnel model is a layer 3 of standard protocol that supports the secured transfer of information across the IP internetwork. IPSec recommend two security headers
The encapsulated security payload.
ïƒ According to the theory of transferred information between school district and head quarter, the cable can be used to connect them but geography condition and budget is not allow to deploy. The school district has connected its 264 schools with a basic frame relay network so VPN is a good solution to solve this problem with reasonable cost and secure transfer information.
Security VPN in Cisco
VPN uses encryption tunnel to send the authentication and trust message to achieve the privacy so it can reduce damage from packet sniffing and block identity spoofing. When VPN is deployed, it will increase the level of security of our network.
Cisco 3825 and VPN
Group Encrypted Transport VPN
Offers IPSec encryption via Internet without the use of tunnels, this security model use for common security and only use for "trusted" group. This feature is suite for full mesh network.
Dynamic Multipoint VPN (DMVPN)
DMVPN provides a good way to deploy virtual full meshed IPSec tunnels from site to site. No need to configured when adding new segment
Easy VPN (support for remote site)
Support to create a new policy for new remote site. Support administrate and mange point to point VPNs
MPLS (Multiprotocol Label Switching) VPN support
This feature is used for branch office, it allow to extend customers' MPLS VPN networks out to the customer edge with Multi-Virtual Route Forwarding (VRF)
Multi-VRF and MPLS secure contexts
Supports multiple independent contexts (interfaces, routing, and addressing). Use for branch office to separate the department. All departments can use a single link, while still make sure the security of each department
Voice and Video Enabled VPN
V3PN allow transfer voice, video and data over VPN
Virtual Tunnel Interface (VTI)
VTI make the configuration of VPN more easier
Provide data integrity over Internet
Beside configuration of VPN, Cisco 3800 series also have other benefits:
Cisco IOS Intrusion Prevention (IPS)
Inline intrusion prevention system (IPS)
This feature use to reduce the damage if the unauthorized intrusions access the network. This system can drop the traffic and sent an alarm or reset the connection, immediately to respond the potential threat for protected network.
Flexible Packet matching (FPM)
The system can realize the potential harmful for network before the antivirus can update and detect this kind of virus
Cisco Network Foundation Protection (NFP)
Control Plane Policing
This feature use to prevent DoS attack by control the incoming rate of traffic, it make the network still available even under attack
Automatic configured the secure component "Just one click"
CPU or memory threshold
Increate the capability processing of router even under attack
Is the set of application that show the network traffic to end user so they can easily to monitor. Depend on the information received; user can analyze the status of network.
Role-based command-line interface (CLI) access
The feature allows user to connect to CLI commands, and provide high secure. Furthermore, it separate logically router with others such as end users, security operation groups and network operations groups
Secure Shell (SSH) Protocol Version 2
This feature provide more powerful, authentication and encryption with addition tunneling options via encrypted connection (include file copy and email protocol.
Simple Network Management Protocol Version 3 (SNMPv3)
The protocol is used to access to the device through the network. The accessing to device is secured by authentication and packet encryption
Cisco Network Admission Control (NAC): This feature will provide the list of devices that network consider it is "trust devices". Only devices belonging to this list can access to network so it prevent the spread of virus and worm inside system.
Cisco IOS Firewall: the firewall project JKL Toy Company's network infrastructure from viruses, Trojans, and hacker. It is certified by ICSA and is deployed broadly. The main purpose of the firewall is to control traffic flow from outside to inside and vice of versa. There are list of benefits when the Cisco Firewall is used.
Protect the network system.
Cost expenditure is low.
Easy to deployment in LAN, WLAN and WAN.
Addition security feature
AAA (Authentication, authorization, accounting): allow dynamic configuration of authentication and authorization follow requirement of network.
Standard 802.1x support on integrated switching: This feature only allow the valid access (authentication) to access information resource and prevent unsecure wireless access (make wireless access more difficult to access the resource).
Cisco IOS contend filtering: The router will rate the level of threat protect again malicious code, malware, fishing website, spyware. It also blocks URL and keyword to ensure that the employees are using Internet productivity.
Back-up and restore:
Our SDB cannot afford data loss so the reliable access to data is one of important key to take the advantage in business competitive. Loss data mean you loss the information, your business went wrong. Back up is the solution for this problem, as the administrator we need to ensure that all the business information is always available whenever it is needed.
The backup process has revolved around manual application that copies the important file to copy to the other storage. This process is redoing again and again in the particular time. In JKL Toy Company, backing up data happened weekly and at the weekend when the traffic of network is low, and almost no data update. At that time, the backup processes are quickest and minimize the percentage of loss data.
The backup file will be store in backup server DellTM Power EdgeTM R200 in head quarter and DellTM Power EdgeTM T100 in the branches, whenever something happen with network, backup file can be retrieved. To avoid the unauthorized access to use the backup file, this file must be set the policy that allow suitable person can access or use.
A firewall is a part of computer system or network which is discovered to protect the data on the internet environment and block the unauthorized access. Firewall is a device or set of devices which is configured to permit or deny the computer applications and based on the rules and the other criterion. Firewall can be installed by the either software or hardware or combine both of them.
Functions of firewall
Nowadays, most of firewalls are often used to prevent the unauthorized users from the private networks connected to the internet. Especially, all the message want to enter or leaving the intranet must pass through the firewall.
Most of Firewall must include one or many the following elements:
Packet- filtering router.
Application - level gateway or proxy server.
Circuit level gateway.
The following figure will be an illustration for construction of firewall with above the elements.
The figure for firewall classification
The main function of the packet filters is an inspection of each packet. By this way, these packets will be passed or blocked based upon the user defined rules. Most of the filtering packets use ports to communicate among hosts, source IP address and destination IP address. Although the configuration of packet filters is very difficult, its effects is very fairly and transparent. In the system of the school district we can set up filtering rules for Microsoft ISA Server and two types of routers: Firewall ASA 5510-K8 and Router Cisco 3825.
Proxy server is an application which is used to pass the request to the services. Proxy server can be considerate as the immediate service for the communication between clients and application servers. According the theory, proxy server will work on the application layer or transport layer. Therefore, it often includes the application gateways and circuit gateways.
Application gateway also has the proxy server's functions. So it will analyze the traffic flow in the detail and consider as the most secure type firewall. Besides that, it can track all activities of the network. Furthermore, application gateway can hide the private message while the internal host passes through it to connect the external resource. Internal hosts' IP address can be replaced by proxy server's IP address.
The main function of the circuit gateway is validation the TCP and UDP before the allowance of connection throughout firewall. It is very effective for connection establishment and prevents the transmission the packets until access control rules has been met.
Firewall architecture is the best way to approach where firewall components have been arranged to against the accession of the unauthorized users. It will be set up after the network security policy is defined. There are three common firewall architectures.
Dual Home Host
In this architecture, the function of dual homed host must be disable to prevent form external IP to inside.
To communicate with each other, inside and outside system must have to go thorough Dual Homed Host. They cannot contact or connect directly with others.
Proxy server will provide the service to Dual Home host or login directly to Dual Homed host.
This firewall is applying for school district system because of its security.
There are perimeter network called DMZ (Demilitarized Zone) is added to isolate the internal network and internet environment. When hacker attacked and withhold the bastion host, they still one barrier which is called interior router to overcome. Besides that, network traffic flow is safe even thought the bastion host is being occupied.
Bastion host is a connection from the internet to internal network with services like SMTP, FTP and DNS. The clients can connect to servers and it will be controlled by the following steps:
We can install the packet filtering on both the internal and external router to permit clients can connect external server from the directly internet.
We also can set up the proxy server on the bastion host to permit clients can connect to internal server indirectly.
In this architecture security functions are provided by the package filtering function in screening router.
Packet filtering on the screening router setup for bastion host to be unique in internal network that other host from the internet can access.
Packet Filtering often do the follow function:
Allows internal host open connection to host from the internet with some services is allowed.
Prohibit all connection form internal hosts.
When hacker attacks to bastion host, there is no barrier existing for the all of internal hosts.