A Virtual Private Network (VPN) provides secure remote access over the internet instead of a dial-up connection: the client reaches the private network through a VPN gateway, and the VPN builds a tunnel for its clients over the ordinary internet link supplied by the ISP (Internet Service Provider). A VPN costs less than telephone lines and leased lines because it needs no dedicated circuit. Data sent through the tunnel is encrypted, so it can cross a public network point to point without being read or modified by the networks in between.
The VPN connection operates as follows:
1- A VPN client makes a VPN connection to a remote VPN server; the VPN server acts as the gateway for the users who belong to a particular company.
2- The VPN server answers the virtual call.
3- The VPN server authenticates the caller by contacting the domain controller and verifying the caller's credentials.
4- The VPN server transfers data between the VPN client and the corporate network.
2.1.2 Types of VPN connection:
1- Site-to-site VPNs: This type connects the branches of a company to each other through a tunnel over the public network. Each branch needs a device that acts as a VPN gateway, such as a router or a firewall.
2- Remote access VPNs: This type lets individual users (mobile users, remote users, external users and telecommuters) reach the organization's network securely over the internet. Each user must run VPN client software or use a web-based client.
There are many advantages to implementing a VPN in your network:
Solve problems quickly: technical experts can connect to your system to fix a problem without waiting to receive logs, traces and dumps.
Cost saving: implementing a VPN saves the organization money in the following ways:
Eliminating the need for leased lines, which are very expensive.
Reducing telephone charges for long-distance calls.
Shedding support costs.
Scalability: it is easy to add new users, because the VPN uses the internet infrastructure of the Internet Service Provider (ISP) and its devices.
Compatibility: a VPN works with the broadband technologies supported by the ISP, such as DSL.
Security: the VPN authenticates users so that only authorized users can reach your network, and it encrypts the data it transmits. Encryption alone does not guarantee integrity or stop replayed packets, so the chosen protocol must provide those as well (see the requirements below).
Needs less hardware.
Reduces the number of telephone lines.
2.1.3 Components of VPN connection:
A VPN connection includes the following:
1- VPN server: the computer that accepts connections from VPN clients.
2- VPN client: the computer that initiates the VPN connection to the VPN server.
3- Transit network: the public or shared network that the encapsulated data flows through. The usual transit network for a VPN is the internet.
4- VPN tunnel: the part of the VPN connection in which the data is encrypted and encapsulated.
5- Tunneling protocols: the protocols used to manage the tunnel and encapsulate the data.
6- Tunneled data: the data sent through the VPN tunnel.
7- Authentication: identifies the server and the client to each other, and also checks that data has not been altered in transit.
8- Address and name server allocation: the VPN server assigns the client an IP address on the private network and tells it the addresses of the name servers it should use.
2.1.4 Protocols used in VPN:
Many protocols are used for VPNs. SSL/TLS (Secure Sockets Layer / Transport Layer Security), the protocol used by secure web sites, is the basis of SSL VPNs, and the protocols used to secure tunnels over the internet include IPsec (Internet Protocol Security), L2TP (Layer 2 Tunneling Protocol), IKE (Internet Key Exchange, which authenticates the peers and negotiates the IPsec keys) and PPTP (Point-to-Point Tunneling Protocol).
With L2TP (Layer 2 Tunneling Protocol) the internetwork can be ATM, X.25, Frame Relay or IP based. L2TP supports tunnel authentication and header compression, but on its own it does not encrypt anything; it is combined with IPsec (L2TP/IPsec) to encrypt the data.
With PPTP (Point-to-Point Tunneling Protocol) the internetwork must be IP based. There is no tunnel authentication or header compression, and encryption is provided inside PPP by MPPE (Microsoft Point-to-Point Encryption), whose keys are derived from MS-CHAP authentication. PPTP is obsolete: the MS-CHAPv2 handshake can be broken offline, so it should not be chosen for new deployments.
When implementing a VPN, the design must meet these requirements:
Data origin authentication: verifying that every datagram was originated by the claimed sender.
Data integrity: verifying that the contents of each received datagram were not altered in transit.
Data confidentiality: hiding the clear text of a message by encrypting it.
Replay protection: ensuring that an attacker who captures a datagram cannot re-send it later and have it accepted. Each datagram carries a sequence number, and the receiver rejects duplicates and numbers that have fallen behind its acceptance window.
Key management: generating, distributing and periodically refreshing the keys that the security policy requires, so that the policy applied in your VPN can be extended to new sites or users with little configuration (IKE performs this role for IPsec).
Interoperability: using a VPN based on standard technologies so that it interoperates with other vendors' VPN products.
2.1.5 Type chosen for the technique:
The type chosen for this project is site-to-site, which links the branches to each other. A remote access VPN, by contrast, serves individual remote users (including the subscription or free "VPN proxy" services that run their own servers for this purpose). Because the scope of the project is linking sites, a site-to-site VPN connection is the suitable choice, for the reasons described above.
2.2.0 L2TP tunneling definition:
A VPN can use several tunneling and encryption protocols; L2TP (Layer 2 Tunneling Protocol) is one of the tunneling protocols. The advantage of L2TP over pure IPsec and TLS VPNs is that L2TP does not depend on the network protocol: IPsec and TLS require IP as the network layer, whereas L2TP carries PPP and can therefore transport other network-layer protocols such as IPX, and it runs over several data link protocols. L2TP does not itself encrypt; in practice it is paired with IPsec (L2TP/IPsec) for confidentiality. L2TP can reduce the cost of remote dial-up networking for users who would otherwise dial into a headquarters or corporate network over a long-distance connection. It is sometimes called a virtual dial-up protocol because it extends a dial-up PPP session across the internet. With L2TP the remote user connects to the internet through a local ISP, or through one of the national ISPs that have local dial-up numbers, using a dial-up link between the user and the ISP. An L2TP Access Concentrator (LAC) at the ISP then virtually extends the PPP session across the internet to an L2TP Network Server (LNS) located at the corporate network, where the PPP session terminates.
[Figure: L2TP tunnel from the LAC at the ISP to the LNS at the corporate network]
As shown in the figure, the client requests network access through the L2TP VPN: it dials in as usual and authenticates with a username and password.
The request arrives at the ISP's LAC, which checks the call by contacting a RADIUS server for AAA (authentication, authorization and accounting). The RADIUS server answers with an Access-Accept or Access-Reject message; on acceptance the reply also indicates that an L2TP tunnel is required and which LNS to use.
The LAC then creates a tunnel to the LNS. L2TP control and data messages travel over UDP port 1701; once the tunnel exists, the LAC and LNS authenticate each other (tunnel authentication, using a shared tunnel secret) inside the L2TP exchange, as shown in the next step.
The tunnel is now set up and the client begins communicating with the corporate network's LNS using PPP. The client's PPP authentication information (username and password) is sent to the LNS, which uses it to authenticate the user.
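The AAA step above is a RADIUS exchange (RFC 2865). The following is an added example, not code from the page or from any vendor: it builds an Access-Request the way a LAC or NAS does, answers it the way a RADIUS server does, and shows the check that protects the answer. The shared secret, the user database and the function names are constructed for the example. Two details matter for security: the User-Password is hidden with MD5(secret + Request Authenticator), so the random 16-byte Request Authenticator must never repeat, and the Response Authenticator lets the LAC detect a reply that was forged or altered (an attacker flipping Reject to Accept) by anyone who does not know the secret.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), both sides.

Added example; the shared secret, user database and packet contents are
constructed test data and the function names are hypothetical.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _encode_attrs(attrs):
    """Attributes are TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def _decode_attrs(data):
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; the chaining value is the previous *hidden* block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _response_authenticator(code, ident, length, req_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + attrs + secret).digest()


def build_access_request(ident, username, password, secret):
    """LAC/NAS side: a fresh random Request Authenticator ties the reply to this request."""
    req_auth = os.urandom(16)
    attrs = _encode_attrs([(ATTR_USER_NAME, username),
                           (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet, secret, user_db):
    """RADIUS server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(_decode_attrs(packet[20:length]))
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = user_db.get(attrs.get(ATTR_USER_NAME, b""), b"\x00")
    code = ACCESS_ACCEPT if hmac.compare_digest(expected, password) else ACCESS_REJECT
    resp_attrs = b""  # a real Accept would carry Framed-IP-Address, tunnel attributes, etc.
    resp_auth = _response_authenticator(code, ident, 20 + len(resp_attrs), req_auth, resp_attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(resp_attrs)) + resp_auth + resp_attrs


def client_check_response(request, response, secret):
    """LAC/NAS side: True/False for an authentic Accept/Reject, None if the reply is not authentic."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = _response_authenticator(code, ident, length, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None  # forged or tampered reply: treat as if no answer arrived
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"alice": b"correct horse battery"}
    req = build_access_request(7, b"alice", b"correct horse battery", secret)
    print("accepted:", client_check_response(req, server_handle(req, secret, users), secret))
```

The MD5-based hiding protects the password only as well as the shared secret, and the secret is shared by every NAS in the domain; where the LAC-to-RADIUS path crosses an untrusted network, RADIUS should itself be carried inside IPsec or over TLS (RadSec).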
LAC stands for L2TP Access Concentrator: it is the node at the ISP end of the L2TP tunnel. LNS stands for L2TP Network Server. The LAC sits between the LNS and the remote system and forwards packets to and from each of them; every packet sent from the LAC to the LNS is tunneled with the L2TP protocol.
A RAS (Remote Access Service) server is built into Windows Server and is enabled by adding the role. A RAS server is usually connected to the PSTN or to an ISDN network through the ISP's devices, which lets remote users reach the server over those networks. RAS also lets users reach the VPN network over the internet using the Point-to-Point Protocol.
PPTP (RFC 2637, 1999) allows site-to-site or remote users to reach the VPN network over the ISP's internet network by logging in with a username and password issued by the corporate network. The advantages claimed for PPTP are:
Lower transmission costs: PPTP uses the internet as the connection instead of a long-distance telephone number or 800 service, which can greatly reduce transmission costs.
Lower hardware costs: PPTP allows modems and ISDN cards to be separated from the RAS server. They can instead be located at a modem pool or a communications server, so there is less hardware for an administrator to buy and manage.
Lower administrative overhead: with PPTP, network administrators manage and secure their remote access networks centrally at the RAS server. They need to manage only user accounts instead of supporting complex hardware configurations.
Enhanced security: the PPTP connection over the internet is encrypted with MPPE and carries any protocol (IP, IPX and NetBEUI). Caveat: the MPPE keys are derived from MS-CHAP, and an MS-CHAPv2 handshake captured on the internet can be cracked, so this protection is no longer considered adequate; L2TP/IPsec or IPsec with IKEv2 should be preferred.
PPTP in Outsourced Dial-Up Networks
The communications hardware needed to support dial-up access can be complicated and poorly integrated. For a large enterprise, building a Windows NT RAS server requires modems, serial controllers and many cables, and many solutions offer no single integrated way to support both V.34 and ISDN dial-up lines efficiently.
Many corporations would like to outsource dial-up access to their corporate backbone networks in a way that is cost effective, hassle free, protocol independent and secure, and that requires no changes to the existing network addressing. Virtual WAN support using PPTP is one way a service provider can meet that need.
By separating the modem pools from the RAS server, PPTP lets you outsource dial-up services or place the RAS server at a different location from the dial-up hardware. For example, a telephone company can manage the modems and telephone lines while user account management stays centralized at the RAS server. The end user makes a local call to the telephone company, which connects to the Windows NT RAS server over a WAN link, and the client then has access to the corporate network. This solution reuses the existing, proven PPP authentication, encryption and compression technologies.
[Figure: PPTP in an outsourced dial-up network, with the modem pool at the provider and the RAS server at the corporation]
As the figure shows, the RAS client does not need to support PPTP; it simply makes a PPP connection to the modem pool or communications server. The communications server or modem pool, however, must implement PPTP in order to talk to the RAS server.
IPsec (Internet Protocol Security) is a protocol suite that secures communication over IP networks with cryptography. It provides data origin authentication, integrity, confidentiality and anti-replay protection for IP packets at the network layer, so every application above it is protected without change, which prevents sniffing and hijacking of the tunneled traffic. IPsec consists of several protocols: AH (Authentication Header) for authentication and integrity only, ESP (Encapsulating Security Payload) for encryption plus integrity, and IKE (Internet Key Exchange) for authenticating the peers and negotiating the keys. IPsec is a complex protocol suite, and its key management (IKE) is one of the most complex elements. Note that IPsec protects packets, not usernames and passwords as such; the peers are authenticated inside IKE with certificates, pre-shared keys or EAP.
A site-to-site VPN is the connection type used for communication between branches; it can link the headquarters to the branches. The hosts need no client software, because the configuration is done on the firewall or another device suitable for this technique.
The most common secure tunneling protocol in site-to-site VPNs is the IPsec Encapsulating Security Payload (ESP), an extension to the standard IP protocol used by the internet and most corporate networks today. Most routers and firewalls now support IPsec and can therefore act as the VPN gateway for the private network behind them. Another site-to-site technology is Multi-Protocol Label Switching (MPLS), but an MPLS VPN only separates traffic; it does not encrypt it, so confidentiality across an MPLS carrier still needs IPsec on top.
[Figure: site-to-site VPN between two gateways over the internet]
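ESP is where the VPN requirements listed earlier (data origin authentication, integrity, confidentiality and replay protection) are actually enforced on every packet. The block below is an added example, not code from the page or from any IPsec implementation. It keeps the ESP layout (SPI, 32-bit sequence number, encrypted payload, truncated ICV) and implements the sliding anti-replay window of RFC 4303, with the order of checks a real receiver uses: window pre-check, then ICV verification, and only then the window update. Because it runs on the Python standard library only, the cipher is an HMAC-SHA256 counter-mode keystream standing in for AES-GCM; the SPI, keys and payloads are constructed test values.

```python
"""ESP-style encapsulation with an RFC 4303 sliding anti-replay window.

Added example, not the page's code. The packet layout follows ESP (SPI, sequence
number, encrypted payload, ICV); the cipher is an HMAC-SHA256 counter-mode
keystream standing in for AES-GCM, because this runs on the standard library only.
Keys, SPI and payloads are constructed test values.
"""
import hashlib
import hmac
import struct

WINDOW = 64     # window size; RFC 4303 requires at least 32
ICV_LEN = 12    # 96-bit truncated HMAC, as in HMAC-SHA-256-96


def _keystream(key, spi, seq, n):
    """PRF in counter mode; (spi, seq) is the per-packet nonce so no keystream is reused."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EspSender:
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key, self.seq = spi, enc_key, auth_key, 0

    def seal(self, plaintext):
        if self.seq >= 0xFFFFFFFF:
            raise RuntimeError("sequence space exhausted: rekey the SA")
        self.seq += 1                                  # a sequence number is never reused under one key
        hdr = struct.pack("!II", self.spi, self.seq)
        ct = _xor(plaintext, _keystream(self.enc_key, self.spi, self.seq, len(plaintext)))
        icv = hmac.new(self.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
        return hdr + ct + icv


class EspReceiver:
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.last_seq = 0        # highest sequence number accepted so far (right edge of window)
        self.bitmap = 0          # bit i set => sequence number last_seq - i already received

    def open(self, packet):
        """Return (plaintext, None) on success or (None, reason) on rejection."""
        if len(packet) < 8 + ICV_LEN:
            return None, "short"
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return None, "unknown SPI"
        # 1. Anti-replay pre-check, before any cryptography is spent on the packet.
        if seq <= self.last_seq:
            diff = self.last_seq - seq
            if diff >= WINDOW:
                return None, "too old"
            if (self.bitmap >> diff) & 1:
                return None, "replay"
        # 2. Data origin / integrity: verify the ICV before touching the window, otherwise a
        #    forged packet with a high sequence number could slide the window and drop real traffic.
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return None, "bad ICV"
        # 3. Window update: advance the right edge, or mark a late packet as seen.
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)
        ct = body[8:]
        return _xor(ct, _keystream(self.enc_key, spi, seq, len(ct))), None


if __name__ == "__main__":
    sa = (0x1001, b"enc-key-" * 4, b"auth-key" * 4)   # constructed SPI and keys
    tx, rx = EspSender(*sa), EspReceiver(*sa)
    pkt = tx.seal(b"hello")
    print(rx.open(pkt), rx.open(pkt))                   # second call is rejected as a replay
```

A packet that arrives late but within the window is still accepted, so mild reordering on the internet does not break the tunnel, while a duplicate of anything already seen, or anything more than WINDOW packets behind, is dropped before decryption.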
2.3.0 VLAN Definition:
A VLAN is a logical network that forms its own IP subnet. VLAN management lets several subnets share the same switch ports and uplinks. A VLAN is a logical broadcast domain that can span multiple LAN segments. Grouping subnets into VLANs gives the administrator a clearer view of the network and makes it easier to locate problems.
A broadcast domain causes trouble as it grows: when a PC connected to one switch sends a frame to a PC on another switch, the switch looks up the destination in its MAC address table, and if the address has not been learned it floods the frame out of every port, so every device in the domain receives it; with many hosts this flooding wastes bandwidth and switch capacity. A VLAN limits this by splitting the network into groups, so hosts in different VLANs cannot communicate with each other unless a Layer 3 device (a router) is added; inter-VLAN routing is then configured on the router with an encapsulation (802.1Q) subinterface for each VLAN.
VLANs have three major functions:
1- Limit the size of broadcast domains.
2- Improve network performance.
3- Provide a level of security.
Further points:
A VLAN is an independent LAN.
VLANs allow the student and faculty computers to be separated although they share the same infrastructure.
For easy identification, VLANs can be named.
2.3.1 When do I need a VLAN?
You should consider using VLANs in any of the following situations:
You have more than 200 devices on your LAN.
You have a lot of broadcast traffic on your LAN.
Groups of users need more security, or are being slowed down by too many broadcasts.
Groups of users need to be in the same broadcast domain because they run the same applications. An example is a company with VoIP phones: the phones can be placed in their own VLAN, separate from the regular users.
Or simply to split a single switch into multiple virtual switches.
What is a trunk port?
When a link between two switches, or between a router and a switch, carries the traffic of more than one VLAN, that port is a trunk port.
A trunk port runs a trunking (tagging) protocol: either Cisco's proprietary Inter-Switch Link (ISL), now obsolete, or the IEEE 802.1Q standard, which inserts a 4-byte tag carrying the VLAN ID into each frame. Frames belonging to the trunk's native VLAN are sent untagged.
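The following added example (not from the page or from any switch vendor) shows what an 802.1Q trunk actually does to a frame: it parses the tag (TPID, priority, DEI, VLAN ID), inserts and strips tags, classifies a frame arriving on a trunk, and sends native-VLAN frames untagged on egress. The frame bytes and the allowed-VLAN list are constructed. The last function also makes the native-VLAN hazard visible: because native traffic is untagged, a frame that hides a second tag under an outer native tag comes out of the far end of the trunk carrying the inner VLAN ID, which is the double-tagging VLAN-hopping trick.

```python
"""802.1Q tag handling on a trunk: parse, tag, strip, classify.

Added example; the frame contents are constructed and the function names are
hypothetical. The rules mirror IEEE 802.1Q bridge behaviour.
"""
import struct

TPID_8021Q = 0x8100    # customer VLAN tag
TPID_8021AD = 0x88A8   # service-provider (QinQ) outer tag
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806


def parse_frame(frame):
    """Return (dst, src, tags, ethertype, payload). tags is a list of
    (tpid, pcp, dei, vid) in outer-to-inner order, empty for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        etype, = struct.unpack("!H", frame[off:off + 2])
        if etype not in (TPID_8021Q, TPID_8021AD):
            return dst, src, tags, etype, frame[off + 2:]
        if len(frame) < off + 4:
            raise ValueError("truncated 802.1Q tag")
        tci, = struct.unpack("!H", frame[off + 2:off + 4])   # 3-bit PCP, 1-bit DEI, 12-bit VID
        tags.append((etype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4


def add_tag(frame, vid, pcp=0, dei=0, tpid=TPID_8021Q):
    """Insert a tag right after the source MAC (the outermost position). VID 0 and 4095 are reserved."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    tci = (pcp & 7) << 13 | (dei & 1) << 12 | vid
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def strip_tag(frame):
    """Remove the outermost tag; an untagged frame is returned unchanged."""
    tags = parse_frame(frame)[2]
    return frame[:12] + frame[16:] if tags else frame


def trunk_ingress_vlan(frame, native_vid, allowed):
    """VLAN a frame arriving on a trunk is assigned to, or None if it must be dropped.
    Untagged frames belong to the native VLAN; tagged frames to their outer VID."""
    tags = parse_frame(frame)[2]
    vid = native_vid if not tags else tags[0][3]
    return vid if vid in allowed else None


def trunk_egress(untagged_frame, vid, native_vid):
    """Frames leave a trunk tagged with their VLAN, except native-VLAN frames, which go untagged.
    That is the hazard: the far switch cannot tell a native frame from a frame that was never
    tagged, so an inner tag hidden under a native outer tag is honoured on the next hop."""
    return untagged_frame if vid == native_vid else add_tag(untagged_frame, vid)


if __name__ == "__main__":
    base = bytes.fromhex("ffffffffffff0211223344aa0806") + b"\x00" * 28   # constructed ARP frame
    print(parse_frame(add_tag(base, 10, pcp=5))[2])                       # [(33024, 5, 0, 10)]
```

Practitioner check: the double-tag case only works when the attacker's access port is in the trunk's native VLAN and the trunk sends native traffic untagged, so setting the native VLAN of every trunk to an unused VLAN (or tagging the native VLAN) and disabling trunk auto-negotiation on access ports removes it.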
2.3.2 What do VLAN's offer?
VLANs offer higher performance for medium and large LANs because they limit broadcasts. As the amount of traffic and the number of devices grow, so does the number of broadcast packets; VLANs contain them.
VLANs also provide a level of security, because one group of devices in one VLAN is effectively on its own network. That separation holds only if the switches are configured with care: disable automatic trunk negotiation (DTP) on access ports and use an otherwise unused VLAN as the native VLAN of trunks, otherwise a host can tag its own frames and hop into another VLAN.
2.3.3 VTP protocol:
Definition: VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis.
VTP (VLAN Trunking Protocol) lets VLANs be created once and distributed over trunk links: add a VLAN on the switch configured as the VTP server, and once the links are trunking the VLAN database on the client switches is updated automatically. This saves the administrator time and effort: configure the core-layer switches and let them propagate the configuration. The purpose of VTP is to manage a group of Cisco switches as a single unit for VLAN configuration. For example, if VTP is enabled on Cisco switches, creating a new VLAN on one switch makes that VLAN available on all switches within the same VTP management domain. A switch can be part of only one VTP management domain at a time, and is in no VTP management domain by default.
Without VTP, creating a new VLAN would require defining it individually on every switch that needs it, a process that is error-prone and time-consuming. With VTP you define the VLAN once and let VTP spread the information to all other switches in the same domain dynamically. The primary benefit of VTP is that in large environments it makes adding, deleting and changing VLANs easy: add a VLAN on one switch and the switches propagate the change throughout the VTP management domain.
VTP has four modes. When you configure a switch to be part of a VTP management domain you must choose the mode that governs how it interacts with the other switches: server, client, transparent or off. They are explained below:
Server mode: by default every switch holds its own manually configured VLAN database. One switch is configured as a VTP server (vtp mode server) with a VTP domain name, and the same domain name is set on the client switches. The server switch sends VLAN updates to the other switches in the LAN, so new VLANs must be added on the server switch. Caveat: any switch in the domain, server or client, that advertises a higher configuration revision number overwrites the VLAN database of the others. A switch that was previously used elsewhere should therefore have its revision number reset (change its domain name, or put it in transparent mode) before it is connected, and a VTP password should be set on the domain.
Client mode: a switch configured in client mode receives any changes within the VTP management domain, such as the addition, deletion or modification of VLANs by a server-mode switch. A switch in VTP client mode cannot make any changes to VLAN information.
Transparent mode: a switch configured in transparent mode passes VTP updates received from server-mode switches on to other switches in the VTP management domain, but does not process the contents of these messages. When VLANs are added, deleted or changed on a switch running in transparent mode, the changes are local to that switch only and are not passed to other switches in the VTP management domain.
Off mode: from CatOS version 7.1.1 onwards, VTP can be disabled completely on a switch.
Definition: STP (Spanning Tree Protocol) is used to prevent Layer 2 loops, and the broadcast storms they cause, when switches are connected redundantly. It runs automatically without configuration, as in the following topology:
In the topology some links are shown in orange and others in green. An orange link is one that STP has blocked automatically to avoid a loop. Which port is blocked depends on the bridge priority and, for equal priorities, the switch MAC address: the switch with the lowest bridge ID (priority first, then MAC address) becomes the root bridge, and the other ports are chosen relative to it; this is discussed in detail below.
STP assigns each port one of the following roles:
The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge, and the source MAC addresses of frames received on the root port are learned into the MAC address table.
The designated port exists on root and non-root bridges. On the root bridge all switch ports are designated ports. On a non-root bridge, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment; if multiple switches share a segment, as shown above, an election determines the designated switch, and that switch's port begins forwarding frames for the segment. Designated ports also populate the MAC address table.
A blocked (non-designated) port neither forwards frames nor learns MAC addresses; it remains as a backup path that STP brings into use if a link or port fails. A disabled port, shown in red, has been shut down by the administrator and takes no part in spanning tree.
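The election described above, as an added example (not the page's code, and not a vendor implementation): given bridge priorities, MAC addresses and per-link port costs, it picks the root bridge by lowest bridge ID, computes each bridge's root path cost, chooses one root port per non-root bridge and one designated port per segment, and marks the remaining port on each segment as blocked. The three-switch triangle used to exercise it is constructed, with a cost of 4 per link (the 802.1D value for 1 Gbit/s); the switch with the highest MAC address is deliberately given the lowest priority to show that priority wins.

```python
"""Spanning-tree root election and port roles (IEEE 802.1D), added example.

Not the page's code. bridges maps a name to (priority, mac); links list
(bridge_a, port_a, bridge_b, port_b, cost). Topology values are constructed.
"""
import heapq


def compute_stp(bridges, links):
    """Return (root_name, root_path_cost_by_bridge, roles) where
    roles[(bridge, port)] is "root", "designated" or "blocked"."""
    # 1. Root election: lowest bridge ID, i.e. lowest priority, then lowest MAC address.
    root = min(bridges, key=lambda n: bridges[n])

    adj = {n: [] for n in bridges}        # name -> [(neighbour, my_port, their_port, cost)]
    for a, pa, b, pb, c in links:
        adj[a].append((b, pa, pb, c))
        adj[b].append((a, pb, pa, c))

    # 2. Root path cost: cheapest total link cost from each bridge to the root (Dijkstra).
    cost = {n: float("inf") for n in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue
        for nb, _, _, lc in adj[n]:
            if c + lc < cost[nb]:
                cost[nb] = c + lc
                heapq.heappush(heap, (c + lc, nb))

    roles = {}
    # 3. Root port: on each non-root bridge, the port with the best path to the root.
    #    Ties are broken by the neighbour's bridge ID, then by the neighbour's port.
    for n in bridges:
        if n == root or not adj[n]:
            continue
        _, _, _, my_port = min((cost[nb] + lc, bridges[nb], tp, mp) for nb, mp, tp, lc in adj[n])
        roles[(n, my_port)] = "root"
    # 4. Designated port: exactly one per segment, on the end with the lower root path cost
    #    (then lower bridge ID, then lower port). The other end of the segment, unless it is
    #    that bridge's root port, is blocked; that is the link drawn in orange.
    for a, pa, b, pb, _ in links:
        if (cost[a], bridges[a], pa) <= (cost[b], bridges[b], pb):
            d, dp, o, op = a, pa, b, pb
        else:
            d, dp, o, op = b, pb, a, pa
        roles[(d, dp)] = "designated"
        roles.setdefault((o, op), "blocked")
    return root, cost, roles


if __name__ == "__main__":
    bridges = {"SW1": (4096, "00:00:00:00:00:cc"),     # lowest priority wins despite highest MAC
               "SW2": (32768, "00:00:00:00:00:aa"),
               "SW3": (32768, "00:00:00:00:00:bb")}
    links = [("SW1", "Gi0/1", "SW2", "Gi0/1", 4),
             ("SW1", "Gi0/2", "SW3", "Gi0/1", 4),
             ("SW2", "Gi0/2", "SW3", "Gi0/2", 4)]
    root, cost, roles = compute_stp(bridges, links)
    print("root:", root)
    for key in sorted(roles):
        print(key, roles[key])
```

The result is the classic triangle: both non-root switches use their link to SW1 as the root port, and on the SW2-SW3 segment the two ends tie on cost, so the lower bridge ID (SW2's MAC aa) wins the designated port and SW3's Gi0/2 is blocked. The same tie-break is why an attacker who injects BPDUs with priority 0 can make himself root and pull traffic through his own port, which is what BPDU Guard and Root Guard on access ports exist to stop.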
2.4.0 ASA Firewall 5510:
The ASA firewall is a hardware appliance for large, medium and small organizations. It improves on the older PIX firewall in both cost and speed and is simpler to use: where the Juniper and PIX firewalls are driven from the command line, the ASA also offers a graphical user interface. The ASA 5500 series comes in four editions: Firewall, IPS, Anti-X and VPN. It performs better than the PIX, and its inspection can be updated to stop the latest threats. An ASA can replace three kinds of hardware device (a Juniper firewall, a Cisco PIX firewall and a Cisco IPS 4200 series sensor) and, on the software side, a Microsoft Forefront TMG server.
The ASA needs no client software: its protection is built into the appliance and covers every machine on the local network behind it. The ASA 5510 has five ports, of which a typical deployment uses at least three: inside (the internal network), outside (the external network) and the DMZ.
For more information:
The ASA 5510 is intended as a single-device solution to an office's internet security requirements; with 300 Mbps throughput and 9,000 firewall connections per second it is suitable for most office deployments. Its key features, covered in more detail later, are firewall/NAT, SSL/IPsec VPN, content security and intrusion prevention. It has five 10/100 Mbps ports; by default these provide one outside (internet) interface, one management interface and three internal network interfaces, but they are fully reconfigurable and also support VLANs for further subdivision of the network if required. Functionality can be extended through a Security Services Module slot that adds Content Security and Intrusion Prevention features.
2.4.1 CISCO IPS 4210:
Cisco IPS stands for Intrusion Prevention System. Unlike an IDS (Intrusion Detection System), which only detects and reports an attack, an IPS sits inline and can both detect and block it. Because of this difference an IPS is preferred over an IDS for protecting systems from attack attempts (the trade-off is that an inline device can also block legitimate traffic on a false positive, so its signatures need tuning). IPS features that enhance the network include:
Policy-based management.
All-in-one IPS management software.
Up-to-date security intelligence.
More about the Cisco IPS 4210 series:
Detects threats to intellectual property and customer data, with modular inspection throughout the network stack.
Stops sophisticated attackers by detecting behavioural anomalies, evasion, and attacks against vulnerabilities.
Prevents threats with confidence using the industry's most comprehensive set of threat prevention actions.
Focuses the response with dynamic threat ratings and detailed logging.
Provides protection from the latest threats and vulnerabilities.
[Figure: Cisco IPS 4210 sensor]
2.5.0 Lync server 2010:
Lync Server 2010 is a server product used for instant messaging between the users of the organization (the OU) and with external users. It comes in two editions, Standard and Enterprise: Standard covers the basic features such as chat, while Enterprise adds features such as unified messaging. In itself Lync is similar to consumer messengers such as Windows Live or Yahoo, but it is built for organizations: users communicate directly and send files live rather than as mail attachments, and voice and webcam support allow voice or video calls in good quality. This can be used to solve problems even from outside the organization: enter the email address of a user in your OU, sign in, and you are connected to that person. Lync clients are also available for smartphones such as the Galaxy, so users can connect from anywhere. The purpose of deploying Lync Server is therefore faster, more flexible and more available communication.
Some of its many features:
New user interface.
The "Me" area.
Office and Windows 7 integration.
Program sharing and desktop sharing.
2.5.1 Cisco Wireless LAN Controller:
Before this device existed, network administrators had to configure every AP in the organization by hand, and misconfigurations caused conflicts in channels, security settings or IP addresses. A WLC (Wireless LAN Controller) manages the wireless APs centrally and takes over the configuration of 100 APs or more (depending on the WLC model), which saves time, enforces one security configuration and picks better channels. It is a good solution that Cisco provides to improve both security and management. The WLC has many features; two are used most. For security, the WLC supports WPA2 authentication and can use a RADIUS server, which we connect directly to the domain controller so that users authenticate with their domain credentials before getting network access. For management, the WLC provides the VLAN and IP addressing scheme and keeps all APs on the same configuration. Its capacity and other features are listed below:
Connects up to 50 access points and 500 clients.
Supports 802.11n wireless at up to 500 Mbps.
Provides centralized security policies to detect rogue (fake) access points and protect against denial-of-service attacks.
Manages Layer 2 and Layer 3 mobility, quality of service for voice and video, and secure wireless guest access.
Integrates Cisco CleanAir technology for a self-healing, self-optimizing network that avoids RF interference, so there are no conflicting AP channels or SSIDs.