
VIRTUAL PRIVATE NETWORK

PROJECT REPORT
2011-2012

Submitted in partial fulfilment of the requirements for the award of B.Tech. Degree in ELECTRONICS & COMMUNICATION ENGINEERING of the Cochin University of Science and Technology.

Done by:
SOUMYA S (13093261)
SARATH S.A (13093267)
SUJITH K.S (13093268)
VIPIN RAJ (13093269)

DEPARTMENT OF ELECTRONICS & COMMUNICATION ENGINEERING

M G COLLEGE OF ENGINEERING
THIRUVANANTHAPURAM 2011


ACKNOWLEDGEMENT

As a group of amateurs in the field of practical electronics we had to use a great deal of help from a lot of people around us in the completion of this project. We take this opportunity of submitting our project report to thank all who helped us in the completion of this work. Words are inadequate in offering our thanks to the project guide Mr. MAHESHWARAN NAIR at RTTC TVM for his encouragement and cooperation in carrying out the project work. We deem it a privilege to express our sincere gratitude to Prof. KURIEN KOSHY, HOD (Electronics Department), for the valuable supervision and guidance without which the project would not have been a success. We gratefully record our obligation to Smt. GEETHA MARIYAPPAN, lecturer, M.G. College of Engineering, who has contributed to this project with suggestions and information. Also we would like to express our gratitude and thanks to our parents, friends and all those who gave a helping hand for the completion of our project. Last but not least we would like to thank God Almighty for all his blessings bestowed on us, without whose unseen guidance we could never have embarked upon and completed the work.

INTRODUCTION

The world has changed a lot in the last couple of decades. Instead of simply dealing with local or regional concerns, many businesses now have to think about global markets and logistics. Many companies have facilities spread out across the country or around the world, and there is one thing that all of them need: a way to maintain fast, secure and reliable communications wherever their offices are. Until fairly recently, this has meant the use of leased lines to maintain a wide area network (WAN). Leased lines, ranging from ISDN (integrated services digital network, 128 Kbps) to OC3 (Optical Carrier-3, 155 Mbps) fiber, provided a company with a way to expand its private network beyond its immediate geographic area. A WAN had obvious advantages over a public network like the Internet when it came to reliability, performance and security. But maintaining a WAN, particularly when using leased lines, can become quite expensive, and the cost often rises as the distance between the offices increases. As the popularity of the Internet grew, businesses turned to it as a means of extending their own networks. First came intranets, which are password-protected sites designed for use only by company employees. A simple VPN model is shown below.

A company has its main office, remote office and home office at various sites, and these can interact with each other via the virtual network.

VPN TYPES

A WAN is simply a collection of local area networks, each in a geographically separate location, connected to each other to form a single network. The leased lines that were initially used for this do form a private network, but they are expensive. A VPN instead uses the power of the public medium to create a private connection, called a tunnel, to carry data from one geographical location to the other. A VPN provides network-to-network or remote-user-to-network connectivity via the encrypted tunnel. Data must be encapsulated in an IP packet before it can be sent across a VPN. Network users use various encryption and authentication schemes to provide security. Some VPNs require specialized hardware, some require specialized software, and some require both, to add VPN capabilities to a firewall, server or router. Since a VPN depends critically on the Internet, ISPs become the drivers of VPN technology, and an organization using a VPN therefore becomes dependent on its ISP: if the ISP faces bandwidth limitations or technical difficulties, the VPN faces the same.

A VPN can be of the following types:
1. Remote access
2. Site-to-site

REMOTE ACCESS

Also called a virtual private dial-up network (VPDN), this is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Typically, a corporation that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a toll-free number to reach the NAS and use their VPN client software to access the corporate network. A good example of a company that needs a remote-access VPN would be a large firm with hundreds of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

SITE-TO-SITE

Through the use of dedicated equipment and large-scale encryption, a company can connect multiple fixed sites over a public network such as the Internet. Site-to-site VPNs can be either:

Intranet-based - If a company has one or more remote locations that it wishes to join in a single private network, it can create an intranet VPN to connect LAN to LAN.

Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), it can build an extranet VPN that connects LAN to LAN and allows all of the various companies to work in a shared environment.

The figure below shows examples of the three types of VPN.

Figure: VPN types

TUNNELLING

A virtual private network protects tunneled data through a combination of encryption, mutual host authentication and protocol tunneling. One of the most basic methods of protecting transmitted data is encryption. This involves scrambling the transmitted data using a mathematical formula, so that even if the transmission is intercepted, the data cannot be recovered without the correct key. Encryption can be enabled either in hardware, through network devices like routers, or in software. In the software case, encryption takes place when you connect through a tunneling protocol like PPTP; in the router case it is performed on the fly.


One of the biggest difficulties encountered over the Internet is identifying the person or computer at the other end of the wire. This is addressed by authentication, a process in which the two hosts verify each other. This can be done through X.509 standard digital certificates, which exchange electronic signatures between the two parties. The electronic signature is then verified by a trusted third party, usually a public certifying authority or the company's own certificate server. Alternatively, the hosts can verify each other using protocols like Secure Shell (SSH). In this case the hosts exchange two keys, a host key and a server key. The receiving computer compares the host key with the keys in its database. If the key checks out, the computer at the other end is validated as genuine. The PC then generates a session key using the host and server keys, which is used to encrypt data transmission between the two computers. To ensure a high level of protection, the server key is changed on an hourly basis.

Finally there is protocol tunneling. When data is transmitted on a network in the form of packets, the header, which gives information on the packet source, destination and number of packets transmitted, is in plain text. This information can be used by hackers to gain access to either the system or the data being transmitted. Protocol tunneling takes data packets, encrypts them and then encapsulates them again in another clear-text packet. This ensures that even if the data transmission is intercepted, the original header information is not available. Once these packets reach their destination, a router equipped with encryption and decryption capabilities decrypts them, restoring the original data packets.

VPN Technologies: Definitions and Requirements

The VPN market has changed significantly in the past ten years as the Internet has grown and as vastly more companies have come to rely on the Internet for communications. The landscape of VPN products and services offered by a wide variety of vendors continues to evolve. This has caused companies whose networks need protection to become confused about what is and is not a VPN, and about the features of the different VPN systems that are being offered to them.

VPN Terminology

A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data. Companies today are looking at using a private virtual network for both extranets and wide-area intranets.

There are three important VPN technologies: trusted VPNs, secure VPNs, and hybrid VPNs. It is important to note that secure VPNs and trusted VPNs are not technically related, and can co-exist in a single service package.

Before the Internet became nearly universal, a virtual private network consisted of one or more circuits leased from a communications provider. Each leased circuit acted like a single wire in a network that was controlled by the customer. The communications vendor would sometimes also help manage the customer's network, but the basic idea was that a customer could use these leased circuits in the same way that they used physical cables in their local network. The privacy afforded by these legacy VPNs was only that the communications provider assured the customer that no one else would use the same circuit. This allowed customers to have their own IP addressing and their own security policies. A leased circuit ran through one or more communications switches, any of which could be compromised by someone wanting to observe the network traffic. The VPN customer trusted the VPN provider to maintain the integrity of the circuits and to use the best available business practices to avoid snooping of the network traffic. Thus, these are called trusted VPNs.

Seeing that trusted VPNs offered no real security, vendors started to create protocols that would allow traffic to be encrypted at the edge of one network or at the originating computer, moved over the Internet like any other data, and then decrypted when it reached the corporate network or a receiving computer. This encrypted traffic acts like it is in a tunnel between the two networks: even if an attacker can see the traffic, they cannot read it, and they cannot change the traffic without the changes being seen by the receiving party and therefore rejected. Networks that are constructed using encryption are called secure VPNs.

A secure VPN can be run as part of a trusted VPN, creating a third type of VPN that is very new on the market: hybrid VPNs. The secure parts of a hybrid VPN might be controlled by the customer (such as by using secure VPN equipment on their sites) or by the same provider that provides the trusted part of the hybrid VPN. Sometimes an entire hybrid VPN is secured with the secure VPN, but more commonly, only a part of a hybrid VPN is secure.

Requirements for VPNs

There is one very important requirement that is common to secure VPNs, trusted VPNs, and hybrid VPNs: the VPN administrator must know the extent of the VPN. Regardless of the type of VPN in use, a VPN is meant to have capabilities that the "regular" network does not. Thus, the VPN administrator must be able to know at all times what data will and will not be in the VPN. Each of the four types of VPN has its own additional requirements.

Secure VPN requirements

All traffic on the secure VPN must be encrypted and authenticated. Many of the protocols that are used to create secure VPNs allow the creation of VPNs that have authentication but no encryption. Although such a network is more secure than a network with no authentication, it is not a VPN because there is no privacy.

The security properties of the VPN must be agreed to by all parties in the VPN. Secure VPNs have one or more tunnels, and each tunnel has two endpoints. The administrators of the two endpoints of each tunnel must be able to agree on the security properties of the tunnel.

No one outside the VPN can affect the security properties of the VPN. It must be impossible for an attacker to change the security properties of any part of a VPN, such as to weaken the encryption or to affect which encryption keys are used.

Trusted VPN requirements

No one other than the trusted VPN provider can affect the creation or modification of a path in the VPN. The entire value of the trusted VPN is that the customer can trust the provider to provision and control the VPN. Therefore, no one outside the realm of trust can change any part of the VPN. Note that some VPNs span more than one provider; in this case, the customer is trusting the group of providers as if they were a single provider.

No one other than the trusted VPN provider can change data, inject data, or delete data on a path in the VPN. A trusted VPN is more than just a set of paths: it is also the data that flows along those paths. Although the paths are typically shared among many customers of a provider, the path itself must be specific to the VPN and no one other than the trusted provider can affect the data on that path. Such a change by an outside party would affect the characteristics of the path itself, such as the amount of traffic measured on the path.


The routing and addressing used in a trusted VPN must be established before the VPN is created. The customer must know what is expected of the customer, and what is expected of the service provider, so that they can plan for maintaining the network that they are purchasing.

Hybrid VPN requirements

The address boundaries of the secure VPN within the trusted VPN must be extremely clear. In a hybrid VPN, the secure VPN may be a subset of the trusted VPN, such as if one department in a corporation runs its own secure VPN over the corporate trusted VPN. For any given pair of addresses in a hybrid VPN, the VPN administrator must be able to definitively say whether or not traffic between those two addresses is part of the secure VPN.

About VPNC

The VPN Consortium (VPNC) is the international trade association for manufacturers in the VPN market. The primary purposes of the VPNC are:
1. Promote the products of its members to the press and to potential customers
2. Increase interoperability between members by showing where the products interoperate
3. Serve as the forum for the VPN manufacturers throughout the world
4. Help the press and potential customers understand VPN technologies and standards
5. Provide publicity and support for interoperability testing events

It should be noted that VPNC does not create standards; instead, it strongly supports current and future IETF standards.

OBJECTIVE

To design and implement an intranet-based VPN to access a remote LAN through secure connectivity from anywhere, using Internet technologies and tunneling protocols.


PRINCIPLE

PPTP

Normal communication over the Internet uses the HTTP protocol. In our project we use an encrypted tunneling protocol instead, in order to avoid security loopholes. We use the Microsoft Point-to-Point Tunneling Protocol (PPTP), a commonly used tunneling protocol over the Internet. In future it may be replaced by more advanced protocols from Microsoft, or free software may come to dominate over time. So under this section, Principle, we describe the most important technical specification of this project, i.e. the protocol.

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets. The PPTP specification does not describe encryption or authentication features and relies on the tunneled PPP protocol to implement security functionality. However, the most common PPTP implementation, shipping with the Microsoft Windows product families, implements various levels of authentication and encryption natively as standard features of the Windows PPTP stack. The intended use of this protocol is to provide similar levels of security and remote access as typical VPN products.

PPTP HEADER

Length: Total length in octets of this PPTP message, including the entire PPTP header.

PPTP message type:
1. Control message
2. Management message

Control Message Type:
1. Start-Control-Connection-Request
2. Start-Control-Connection-Reply
3. Stop-Control-Connection-Request
4. Stop-Control-Connection-Reply
5. Echo-Request (keep-alive)
6. Echo-Reply

Call Management
7. Outgoing-Call-Request
8. Outgoing-Call-Reply
9. Incoming-Call-Request
10. Incoming-Call-Reply
11. Incoming-Call-Connected
12. Call-Clear-Request
13. Call-Disconnect-Notify

Error Reporting
14. WAN-Error-Notify

PPP Session Control
15. Set-Link-Info

Magic cookie: The magic cookie is always sent as the constant 0x1A2B3C4D. Its basic purpose is to allow the receiver to ensure that it is properly synchronized with the TCP data stream.
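The header fields listed above can be checked mechanically. The following is an added example, not code from the project, that parses the 12-byte PPTP control message header (Length, PPTP Message Type, Magic Cookie, Control Message Type, plus the Reserved0 field defined in RFC 2637), validates the magic cookie to detect a desynchronised TCP stream, maps the control message type to the names in the list above, and walks a captured stream message by message. The sample messages are constructed with a short stand-in payload.

```python
# Added example (not from the report): parse and validate PPTP control
# message headers using the field layout of RFC 2637.
import struct

MAGIC_COOKIE = 0x1A2B3C4D
HEADER_LEN = 12   # Length(2) + PPTP Message Type(2) + Magic Cookie(4)
                  # + Control Message Type(2) + Reserved0(2)

MESSAGE_TYPES = {1: "Control message", 2: "Management message"}

CONTROL_MESSAGE_TYPES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request",
    4: "Stop-Control-Connection-Reply",
    5: "Echo-Request",
    6: "Echo-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request",
    10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected",
    12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify",
    15: "Set-Link-Info",
}


class PptpHeaderError(ValueError):
    """Raised when a header fails validation (bad cookie, bad length, ...)."""


def parse_pptp_header(data: bytes) -> dict:
    """Decode one PPTP control message header from the start of `data`."""
    if len(data) < HEADER_LEN:
        raise PptpHeaderError(f"short header: {len(data)} bytes, need {HEADER_LEN}")
    length, msg_type, cookie, ctrl_type, reserved = struct.unpack(
        "!HHIHH", data[:HEADER_LEN])
    # The cookie is the receiver's check that it is still aligned with the
    # TCP byte stream; any other value means we are parsing at a wrong offset.
    if cookie != MAGIC_COOKIE:
        raise PptpHeaderError(f"bad magic cookie 0x{cookie:08X}: stream out of sync")
    if msg_type not in MESSAGE_TYPES:
        raise PptpHeaderError(f"unknown PPTP message type {msg_type}")
    if length < HEADER_LEN:
        raise PptpHeaderError(f"declared length {length} is shorter than the header")
    if length > len(data):
        raise PptpHeaderError(f"declared length {length} exceeds {len(data)} bytes on hand")
    name = CONTROL_MESSAGE_TYPES.get(ctrl_type)
    if name is None:
        raise PptpHeaderError(f"unknown control message type {ctrl_type}")
    return {
        "length": length,
        "message_type": MESSAGE_TYPES[msg_type],
        "control_type": ctrl_type,
        "control_type_name": name,
        "reserved": reserved,
        "payload": data[HEADER_LEN:length],
    }


def is_valid_header(data: bytes) -> bool:
    try:
        parse_pptp_header(data)
        return True
    except PptpHeaderError:
        return False


def build_control_message(ctrl_type: int, payload: bytes = b"") -> bytes:
    """Assemble a control message (PPTP message type 1). The payload is a
    constructed stand-in; real messages carry fixed-format bodies."""
    return struct.pack("!HHIHH", HEADER_LEN + len(payload), 1,
                       MAGIC_COOKIE, ctrl_type, 0) + payload


def split_stream(stream: bytes) -> tuple:
    """Walk a captured TCP byte stream message by message using the Length
    field. Returns (parsed headers, error); error is None for a clean stream,
    otherwise the first validation failure, i.e. where synchronisation broke."""
    messages, offset = [], 0
    while offset + HEADER_LEN <= len(stream):
        try:
            hdr = parse_pptp_header(stream[offset:])
        except PptpHeaderError as exc:
            return messages, f"offset {offset}: {exc}"
        messages.append(hdr)
        offset += hdr["length"]
    if offset != len(stream):
        return messages, f"offset {offset}: {len(stream) - offset} trailing bytes"
    return messages, None


if __name__ == "__main__":
    # Constructed sample: a Start-Control-Connection-Request followed by an
    # Echo-Request keep-alive, as they would appear on TCP port 1723.
    capture = (build_control_message(1, b"\x01\x00\x00\x00")
               + build_control_message(5, b"\x00\x00\x00\x2a"))
    for hdr in split_stream(capture)[0]:
        print(hdr["control_type_name"], hdr["length"])
```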

PPTP specification

A specification for PPTP was published as RFC 2637 and was developed by a vendor consortium formed by Microsoft, Ascend Communications (today part of Alcatel-Lucent), 3Com, and others. PPTP has not been proposed nor ratified as a standard by the IETF. A PPTP tunnel is instantiated by communication to the peer on TCP port 1723. This TCP connection is then used to initiate and manage a second GRE tunnel to the same peer. The PPTP GRE packet format is non-standard, including an additional acknowledgement field replacing the typical routing field in the GRE header. The GRE tunnel is used to carry encapsulated PPP packets, allowing the tunneling of any protocols that can be carried within PPP, including IP, NetBEUI and IPX. In the Microsoft implementation, the tunneled PPP traffic can be authenticated with PAP, CHAP, Microsoft CHAP v1/v2 or EAP-TLS. The PPP payload is encrypted using Microsoft Point-to-Point Encryption (MPPE) when using MS-CHAPv1/v2 or EAP-TLS. MPPE is described by RFC 3078.

PPTP implementations

PPTP was the first VPN protocol that was supported by Microsoft Dial-up Networking. All releases of Microsoft Windows since Windows 95 OSR2 are bundled with a PPTP client, although they are limited to only 2 concurrent outbound connections. The Routing and Remote Access Service for Microsoft Windows contains a PPTP server. Microsoft Windows Mobile 2003 and higher also support the PPTP protocol. Windows and later support the use of PEAP with PPTP. The authentication mechanisms supported are PEAPv0/EAP-MSCHAPv2 (passwords) and PEAP-TLS (smartcards and certificates). Windows Vista removed support for using the MSCHAP-v1 protocol to authenticate remote access connections. Until recently, Linux distributions lacked full PPTP support because MPPE was believed to be patent encumbered. Full MPPE support was added to the Linux kernel in the 2.6.14 release on October 28, 2005. SuSE Linux 10 was the first Linux distribution to provide a complete working PPTP client.

Security of the PPTP protocol

PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol, and the integration between MPPE and PPP authentication for session key establishment. A summary of these vulnerabilities is below:

- MSCHAP-v1 is fundamentally insecure. Tools exist to trivially extract the NT password hashes from a captured MSCHAP-v1 exchange.

- MSCHAP-v2 is vulnerable to dictionary attack on the captured challenge-response packets. Tools exist to perform this process rapidly.


- When using MSCHAP-v1, MPPE uses the same RC4 session key for encryption in both directions of the communication flow. This can be cryptanalysed with standard methods by XORing the streams from each direction together.

- MPPE uses the RC4 stream cipher for encryption. There is no method for authentication of the ciphertext stream and therefore the ciphertext is vulnerable to a bit-flipping attack. An attacker could modify the stream in transit and adjust single bits to change the output stream without possibility of detection. These bit flips may be detected by the protocols themselves through checksums or other means.

- EAP-TLS is seen as the superior authentication choice for PPTP; however, it requires implementation of a Public Key Infrastructure for both client and server certificates. As such it is not a viable authentication option for many remote access installations.

ROUTING

Routing is the process of selecting paths in a network along which to send network traffic. Routing is performed for many kinds of networks, including the telephone network (circuit switching), electronic data networks (such as the Internet), and transportation networks. This section is concerned primarily with routing in electronic data networks using packet switching technology.

In packet switching networks, routing directs packet forwarding, the transit of logically addressed packets from their source toward their ultimate destination through intermediate nodes, typically hardware devices called routers, bridges, gateways, firewalls, or switches. General-purpose computers can also forward packets and perform routing, though they are not specialized hardware and may suffer from limited performance. The routing process usually directs forwarding on the basis of routing tables, which maintain a record of the routes to various network destinations. Thus, constructing routing tables, which are held in the router's memory, is very important for efficient routing. Most routing algorithms use only one network path at a time, but multipath routing techniques enable the use of multiple alternative paths.

Routing, in a more narrow sense of the term, is often contrasted with bridging in its assumption that network addresses are structured and that similar addresses imply proximity within the network. Because structured addresses allow a single routing table entry to represent the route to a group of devices, structured addressing (routing, in the narrow sense) outperforms unstructured addressing (bridging) in large networks, and has become the dominant form of addressing on the Internet, though bridging is still widely used within localized environments.

Routing table

In computer networking a routing table, or Routing Information Base (RIB), is a data structure in the form of a table-like object stored in a router or a networked computer that lists the routes to particular network destinations and, in some cases, metrics associated with those routes. The routing table contains information about the topology of the network immediately around it. The construction of routing tables is the primary goal of routing protocols. Static routes are entries made in a routing table by non-automatic means, which are fixed rather than being the result of some network topology 'discovery' procedure.

Routing tables are generally not used directly for packet forwarding in modern router architectures; instead, they are used to generate the information for a smaller table which contains only the routes chosen by the algorithm as preferred routes for packet forwarding, often in a compressed or pre-compiled format that is optimized for hardware storage and lookup. The remainder of this section will ignore this implementation detail, and refer to the entire routing/forwarding information subsystem as the "routing table".

Basics

A routing table uses the same idea that one does when using a map in package delivery. Whenever a node needs to send data to another node on a network, it must first know where to send it. If the node cannot directly connect to the destination node, it has to send it via other nodes along a proper route to the destination node. Most nodes do not try to figure out which route(s) might work; instead, a node will send an IP packet to a gateway in the LAN, which then decides how to route the "package" of data to the correct destination. Each gateway will need to keep track of which way to deliver various packages of data, and for this it uses a routing table.
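The gateway behaviour described in this Basics section can be shown in a few lines. The following is an added example, not code from the project: each router holds a small static routing table, a lookup picks the most specific (longest-prefix) matching entry, and packets are relayed hop by hop to the next hop until a router that is directly connected to the destination network delivers them. The topology, router names and addresses are constructed for the demo, and a hop limit stands in for the IP TTL so that inconsistent tables (a routing loop) are detected rather than looping forever.

```python
# Added example (not from the report): longest-prefix lookup and hop-by-hop
# forwarding over constructed static routing tables.
import ipaddress

# Each table is a list of (destination network, next hop). A next hop of None
# means the network is directly connected, so the packet is delivered here.
# Constructed topology: two site LANs behind R1 and R2, R3 as the gateway to
# the ISP, which has only a default route.
ROUTERS = {
    "R1":  [("10.1.0.0/16", None), ("10.2.0.0/16", "R2"), ("0.0.0.0/0", "R3")],
    "R2":  [("10.2.0.0/16", None), ("10.1.0.0/16", "R1"), ("0.0.0.0/0", "R3")],
    "R3":  [("10.1.0.0/16", "R1"), ("10.2.0.0/16", "R2"), ("0.0.0.0/0", "ISP")],
    "ISP": [("0.0.0.0/0", None)],
}

# Constructed inconsistent tables: A and B each believe the other is the way out.
LOOPED_ROUTERS = {
    "A": [("0.0.0.0/0", "B")],
    "B": [("0.0.0.0/0", "A")],
}


def lookup(table, dst: str):
    """Return (network, next_hop) of the longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net_str, next_hop in table:
        net = ipaddress.ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(routers: dict, start: str, dst: str, hop_limit: int = 16) -> dict:
    """Relay a packet from router `start` towards `dst`, one next hop at a time.
    Returns the path taken and whether delivery succeeded."""
    path, node = [start], start
    for _ in range(hop_limit):
        entry = lookup(routers[node], dst)
        if entry is None:
            return {"delivered": False, "path": path, "reason": "no route"}
        net, next_hop = entry
        if next_hop is None:
            return {"delivered": True, "path": path,
                    "reason": f"directly connected network {net}"}
        if next_hop not in routers:
            return {"delivered": False, "path": path,
                    "reason": f"next hop {next_hop} unknown"}
        path.append(next_hop)
        node = next_hop
    return {"delivered": False, "path": path,
            "reason": "hop limit exceeded (routing loop?)"}


if __name__ == "__main__":
    for dst in ("10.2.5.5", "8.8.8.8"):
        print(dst, forward(ROUTERS, "R1", dst))
    print("loop:", forward(LOOPED_ROUTERS, "A", "192.0.2.1", hop_limit=4))
```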
A routing table is a database which keeps track of paths, like a map, and allows the gateway to provide this information to the node requesting it. With hop-by-hop routing, each routing table lists, for all reachable destinations, the address of the next device along the path to that destination: the next hop. Assuming that the routing tables are consistent, the simple algorithm of relaying packets to their destination's next hop thus suffices to deliver data anywhere in a network. Hop-by-hop is the fundamental characteristic of the IP Internetwork Layer and the OSI Network Layer, in contrast to the functions of the IP End-to-End and OSI Transport Layers. Current router architecture separates the Control Plane function of the routing table from the Forwarding Plane function of the forwarding table.

IP ADDRESSING

At the application level, an internet can be considered as a single network connecting hosts. For a host to communicate with any other host, we need a universal identification system. In other words, we need to name each host uniquely. This system is used only in the Application Layer; it cannot be used in the network layer because there are other entities, such as routers, that also must be reached. An internet is made up of a combination of physical networks (LANs or WANs) connected by routers. When a host communicates with another host, the packets may travel from one physical network to another using these routers. This suggests that communication at the network layer also needs a global identification system. A host must be able to communicate with any other host without worrying about which physical network must be passed through. This means that the host must be identified uniquely and globally at this layer also. In addition, for efficient and optimum routing, each router must also be identified uniquely and globally at this layer. The identifier that is used in the IP layer of the TCP/IP protocol suite is called the Internet address or IP address. It is a 32-bit binary address, implemented in software, that uniquely and universally defines a host or a router on the Internet. IP addresses are unique in the sense that each address defines one, and only one, device (host or router) on the Internet. Two devices on the Internet can never have the same address. However, a device can have more than one IP address if it is connected to more than one physical network. IP addresses are universal in the sense that the addressing system must be accepted by any host that wants to be connected to the Internet.
In addition to the physical address (contained on NICs) that identifies individual devices, the Internet requires an additional addressing convention: an address that identifies the connection of a host to its network. Each Internet address consists of 4 bytes (32 bits), defining two parts: net id and host id. These parts are of varying lengths depending upon the class of the address. The first few bits of the net id determine the class of the address.


Decimal Notation

To make the 32-bit address form more compact and easier to read, Internet addresses are usually written in decimal form with decimal points separating the bytes.

Classes

There are five different IP address classes: A, B, C, D and E. These are designed to cover the needs of different types of organizations. (Ref: Figure 4.3)

Figure: Class Type. An Internet address is made of four bytes (32 bits) that define a host's connection to a network address.

Class A

In a class A address, the first octet (eight bits) defines the net id. However, the leftmost bit must be zero to define the class as A. The remaining seven bits define different networks. This means that the number of networks that have class A IP addresses is very limited. We can theoretically have 2^7 = 128 networks. However, there are actually 126 networks in class A because two of the addresses are reserved for special purposes. In a class A network, 24 bits are used to define the host id. This means that each network can theoretically have up to 2^24 = 16,777,216 hosts. However, two special addresses (host id all 0s and host id all 1s) are used for special purposes. This means that up to 16,777,214 hosts (or routers) can be connected to a class A network. Class A addresses are designed for organizations that may have a huge number of computers attached to their networks. However, it is highly improbable that an organization has so many computers, and a lot of addresses are wasted in this class.

Class B

In a class B address, two octets define the net id and two octets define the host id. The two leftmost bits are 10 to define the class as B. The next 14 bits define different networks. This means that there are more class B networks than class A networks. We can have 2^14 = 16,384 class B networks. In a class B network, 16 bits are used to define the host id. This means that each network can theoretically have up to 2^16 = 65,536 hosts (or routers). However, two of these addresses (host id all 0s and host id all 1s) are used for special addresses. This means that a class B network can have up to 65,534 hosts (or routers). Class B addresses are designed for midsize organizations that may have a large number of computers attached to their networks. However, it is highly improbable that a midsize organization has 65,534 computers, and a lot of addresses are wasted in this class also.

Class C

In a class C address, three octets define the net id and one octet defines the host id. The three leftmost bits are 110 to define the class as C. The next 21 bits define different networks. This means that the number of class C networks is more than class A or B. We can have 2^21 = 2,097,152 class C networks. In a class C network, 8 bits are used to define the host id. This means that each network can theoretically have up to 2^8 = 256 hosts (or routers). However, two of these addresses (host id all 0s and host id all 1s) are used for special addresses. This means that a class C network can have up to 254 hosts (or routers). Class C addresses are designed for small organizations that have a small number of computers attached to their networks.

Class D

The class D address is defined for multicasting. In this class there is no net id or host id. The whole address is used for multicasting. The first four bits (1110) define the class as D. The remaining 28 bits define different multicast addresses.

Class E

Class E is reserved by the Internet for special use. There is no net id or host id in this class. The first four bits (1111) define the class.

Special Addresses

Some parts of the address space in classes A, B and C are used for special addresses.

Network Address

In classes A, B and C, an address with a host id of all 0s is not assigned to any host; it is reserved to define the network address itself. That is, the network itself is considered an entity with an IP address in which the host id part is set to zero. Note that the net id is different from the network address. The net id is only part of the IP address; the network address is a full address with the host id set to all 0s. This address cannot be used as a source or destination address in an IP packet.

Direct Broadcast Address

In classes A, B and C, if the host id is all 1s, the address is called a direct broadcast address. It is used by a router to send a packet to all hosts in a specific network. All hosts will accept a packet having this type of destination address. Note that this address can be used only as a destination address in an IP packet.

Limited Broadcast Address

In classes A, B and C, an address with all 1s for the net id and host id (all 32 bits) is used to define a broadcast address in the current network. A host which wants to send a message to every other host can use this address as a destination address in an IP packet. However, a router will not forward a packet having this type of address, which confines the broadcast to the local network. Numerically this address (255.255.255.255) falls in class E.

This Host on this Network

If an IP address is composed of all 0s, it means "this host on this network". This is used by a host at bootstrap time when it does not know its IP address. The host sends an IP packet to a bootstrap server using this address as the source address and the limited broadcast address as the destination address to find its own address. This address can be used only as a source address. Note also that this address is always a class A address regardless of the network.

Specific Host on this Network


An IP address with a net id of all 0s means "a specific host on this network". It is used by a host to send a message to another host on the same network. Because the packet is not forwarded by the router, it is a way of confining the packet to the local network. It can be used only as a destination address. It is actually a class A address regardless of the network.

Loopback Address

An IP address with the first byte equal to 127 is used as a loopback address, which is an address used to test the software on a machine. When this address is used, a packet never leaves the machine; it simply returns to the protocol software. It can be used to test the IP software. For example, an application such as ping can send a packet with a loopback address as the destination address to see if the IP software is capable of receiving and processing a packet. This can be used only as a destination address in an IP packet. This is actually a class A address.

Unicast, Multicast & Broadcast Addresses

Communication on the Internet can be achieved using unicast, multicast or broadcast addresses.

Unicast Addresses

Unicast communication is one-to-one. When a packet is sent from an individual source to an individual destination, a unicast communication takes place. All systems on the Internet should have at least one unique unicast address. Unicast addresses belong to class A, B or C.

Multicast Addresses

Multicast communication is one-to-many. When a packet is sent from an individual source to a group of destinations, a multicast communication takes place. A multicast address is a class D address. The whole address defines a group id. A system on the Internet can have one or more class D multicast addresses (in addition to its unicast address(es)). If a system (usually a host) has seven multicast addresses, it means it belongs to seven different groups. A class D address can be used only as a destination address, not as a source address.
Multicasting on the Internet can be at the local level or the global level. At the local level, hosts on a LAN can form a group and be assigned a multicast address. At the global level, hosts on different networks can form a group and be assigned a multicast address.


Broadcast Addresses

Broadcast communication is one-to-all. The Internet allows broadcasting only at the local level. The two broadcast addresses used are the limited broadcast address (all 1s) and the direct broadcast address (net id: specific, host id: all 1s). No broadcasting is allowed at the global level. This means that a system (host or router) cannot send a message to be received by all hosts and routers in the Internet. One of the reasons for this restriction is to prevent a huge traffic jam.

SUBNETTING

IP networks can be divided into smaller networks or subnets. Subnets are under local administration. In 1985, RFC 950 defined a standard procedure to support the subnetting, or division, of a single class A, B or C network number into smaller pieces. Subnetting is used:

- to overcome the limitations of the classful two-level addressing hierarchy
- to create smaller broadcast domains
- for better utilization of the bits in the host id
- to reduce the total number of network numbers that are assigned
- to reduce the size of the routing table, so that routing is more efficient; hence subnetting reduces the routing requirements of the Internet

Subnetting - How?

Subnetting is done by adding another level of hierarchy to the IP addressing structure. Subnetting supports a three-level hierarchy, by dividing the standard classful host id field into two parts: a subnet id, and a host id on that subnet.
  Classful address:    NETWORK ID | HOST ID
  Subnetted address:   NETWORK ID | SUBNET ID | HOST ID

Subnet Mask

A subnet mask is a 32-bit value which is used to distinguish the network id (and subnet id) from the host id in an arbitrary IP address. The bits of the subnet mask are defined as follows: all bits that correspond to the network id and subnet id are set to 1; all bits that correspond to the host id are set to 0.

Sample subnet mask for a class B address (8-bit subnetting):

  Field      Binary representation                    Dotted decimal
  Network    11111111 11111111
  Subnet                       11111111
  Host                                  00000000
  Mask       11111111 11111111 11111111 00000000    255.255.255.0
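The class rules, the special addresses and the subnet mask arithmetic of this section, worked through in code. This is an added example written for this report, not code from the original project: `ip_class`, `mask_from_prefix` and `describe` are names chosen here, and the addresses in the demo at the bottom are constructed for illustration. It also accepts a custom mask given as a /prefix length, so the same function shows the classful split and the network id / subnet id / host id split of a subnetted address.

```python
"""Classful IPv4 addressing and subnet-mask arithmetic.

Added example for this report; not code from the original project. It applies
the rules given in the text: class from the leading bits, the net id / host id
split and its default mask, the reserved host ids (all 0s, all 1s), the
loopback, all-0s and all-1s addresses, and the net id / subnet id / host id
split that a custom mask written as /prefix produces.
"""
import ipaddress
from typing import Optional

DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}   # classful net id lengths


def ip_class(addr: str) -> str:
    """Class letter from the leading bits: 0=A, 10=B, 110=C, 1110=D, 1111=E."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first & 0x80 == 0x00:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def mask_from_prefix(prefix: int) -> str:
    """/prefix notation to dotted decimal, e.g. 24 -> 255.255.255.0."""
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def describe(addr: str, prefix: Optional[int] = None) -> dict:
    """Split addr with the given (or default classful) prefix and flag special addresses."""
    ip = int(ipaddress.IPv4Address(addr))
    cls = ip_class(addr)
    if ip == 0xFFFFFFFF:          # all 1s: limited broadcast, numerically in class E
        return {"class": cls, "kind": "limited broadcast (destination only)"}
    if cls == "D":
        return {"class": cls, "kind": "multicast"}   # whole address is a group id
    if cls == "E":
        return {"class": cls, "kind": "reserved"}
    class_prefix = DEFAULT_PREFIX[cls]
    prefix = class_prefix if prefix is None else prefix
    if not class_prefix <= prefix <= 30:
        raise ValueError("prefix must lie between the classful length and /30")
    host_bits = 32 - prefix
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    net_id = ip >> (32 - class_prefix)                          # classful network number
    subnet_id = (ip >> host_bits) & ((1 << (prefix - class_prefix)) - 1)
    host_id = ip & ~mask & 0xFFFFFFFF
    network = ip & mask
    direct_bcast = network | (~mask & 0xFFFFFFFF)

    kind = "unicast"
    if ip == 0:
        kind = "this host on this network (source only)"
    elif (ip >> 24) == 127:
        kind = "loopback"
    elif net_id == 0:
        kind = "specific host on this network (destination only)"
    elif host_id == 0:
        kind = "network address (not usable as source or destination)"
    elif ip == direct_bcast:
        kind = "direct broadcast (destination only)"
    return {
        "class": cls, "prefix": prefix, "mask": str(ipaddress.IPv4Address(mask)),
        "net_id": net_id, "subnet_id": subnet_id, "host_id": host_id,
        "network": str(ipaddress.IPv4Address(network)),
        "direct_broadcast": str(ipaddress.IPv4Address(direct_bcast)),
        "usable_hosts": (1 << host_bits) - 2,   # minus the all-0s and all-1s host ids
        "kind": kind,
    }


if __name__ == "__main__":
    # Constructed sample addresses: classful, subnetted, and the special cases.
    for sample in [("10.1.2.3", None), ("172.16.5.9", 24), ("192.168.1.255", None),
                   ("127.0.0.1", None), ("0.0.0.0", None), ("224.0.0.9", None),
                   ("255.255.255.255", None)]:
        print(sample[0], describe(*sample))
```

Calling describe("172.16.5.9", 24) gives the class B address an 8-bit subnet id of 5 and a host id of 9, which is exactly the 8-bit subnetting of the sample mask above; with no prefix argument the function falls back to the classful split, so describe("10.1.2.3") reports 16,777,214 usable hosts and 10.255.255.255 as the direct broadcast address.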

A subnet mask is required to extract the network id and subnet id from an address on a subnetted network.

1. Default subnet masks are used with class-based network ids (that is, when a network is not divided into subnets).
2. Custom subnet masks are used when a network is actually divided into subnets.

Network Prefix Length Representation of a Subnet Mask

A shorthand way of expressing a subnet mask is to denote the number of bits that define the network id and subnet id as a network prefix, using the notation /<# of bits>. The default subnet masks in binary, dotted decimal and network prefix notation are:

  Class A    11111111 00000000 00000000 00000000    255.0.0.0        /8
  Class B    11111111 11111111 00000000 00000000    255.255.0.0      /16
  Class C    11111111 11111111 11111111 00000000    255.255.255.0    /24

COMPONENTS & CONCEPTS USED

Various network elements and concepts used for the implementation of this project are described below.

SERVERS & CLIENTS

Only two kinds of computers are on a network: servers and clients. The network computer that contains the hard drive, printers and other resources that are shared with other network computers is called a server. Any computer that's not a server is called a client.

Dedicated Servers & Peers

In some networks, a server computer is a server computer and nothing else. This server computer is dedicated solely to the task of providing shared resources, such as hard drives and printers, to be accessed by the network client computers. Such a server is referred to as a dedicated server because it performs no other tasks besides network services. A network that relies on dedicated servers is sometimes called a client/server network. Other networks take an alternative approach, enabling any computer on the network to function as both a client and a server. Thus, any computer can share its printers and hard drives with other computers on the network. While a computer is working as a server, you can still use that same computer for other functions such as word processing. This type of network is called a peer-to-peer network because all the computers are thought of as peers, or equals. Peer-to-peer networking features are built into all versions of Windows since Windows 95. Hence you don't have to buy any additional software to turn your computer into a server. All you have to do is to enable the Windows server features. The network server features that are built into desktop versions of Windows (such as Windows XP) aren't very efficient because these versions of Windows were not designed primarily to be network servers. Hence you should use a full-fledged network operating system, such as Windows 2000 Server.

NETWORK CATEGORIZATION

Based on its geographical size, its ownership, the distance it covers and its physical architecture, a network can be categorized as:
- LAN: Local Area Network
- MAN: Metropolitan Area Network
- WAN: Wide Area Network

LAN: Computers are relatively close together, such as within the same office or building. A LAN can extend to several buildings on a campus provided the buildings are close to each other.

WAN: A network that spans a large geographical territory, such as an entire city, region, or even an entire country. WANs are typically used to connect two or more LANs that are relatively far apart.

MAN: A network that is smaller than a typical WAN but larger than a LAN. Typically, a MAN connects two or more LANs within the same city that are far enough apart that the networks can't be connected using a simple cable or wireless connection.

NETWORK TOPOLOGY

The term network topology refers to the shape of how the computers and other network components are connected to each other. There are several different types of network topology:
- Bus topology
- Star topology
- Ring topology
- Mesh topology
UNDERSTANDING PROTOCOLS & STANDARDS

Understanding Protocols

Protocols and standards are what make networks work together. Protocols make it possible for the various components of a network to communicate with each other. Standards also make it possible for network components manufactured by different companies to work together. A protocol is a set of rules that enable effective communication to occur. Computer networks depend upon many different types of protocols, which are very rigidly defined, in order to work. Various protocols tend to be used together in matched sets called protocol suites. The two most popular protocol suites for networking are TCP/IP (Transmission Control Protocol/Internet Protocol) and IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange). TCP/IP was originally developed for UNIX networks and is the protocol suite of the Internet. IPX/SPX was originally developed for NetWare networks and is still widely used for Windows networks. A third important protocol is Ethernet, a low-level protocol that is used with both TCP/IP and IPX/SPX.

Understanding Standards

A standard is an agreed-upon definition of a protocol. Standards are industry-wide protocol definitions that are not tied to a particular manufacturer. Many organizations are involved in setting standards for networking:
- ANSI: American National Standards Institute
- IEEE: Institute of Electrical & Electronics Engineers
- ISO: International Organization for Standardization
- IETF: Internet Engineering Task Force
- W3C: World Wide Web Consortium

OSI Reference Model

The Open Systems Interconnection (OSI) Reference Model is a framework into which the various networking standards can fit; it is a "standard of standards". The OSI Model breaks the various aspects of a computer network into seven distinct layers.

  Layer           Functions
  APPLICATION     File transfer, e-mail, remote login etc.
  PRESENTATION    ASCII text, sound
  SESSION         Establish/manage connection
  TRANSPORT       End-to-end communication: TCP
  NETWORK         Routing, addressing: IP
  DATA LINK       Two-party communication: Ethernet
  PHYSICAL        How to transmit the signal: coding

Ethernet Protocol

The most popular set of protocols for the Physical and Data Link layers is Ethernet. Ethernet is defined by the IEEE standard known as 802.3. The transmission speed of Ethernet is measured in Mbps. Ethernet comes in three different speed versions:
- Standard Ethernet: 10 Mbps
- Fast Ethernet: 100 Mbps
- Gigabit Ethernet: 1 Gbps (or 1000 Mbps)
TCP/IP Protocol Suite

TCP/IP, the protocol suite on which the Internet is built, is actually not a single protocol but rather an entire suite of related protocols. The TCP/IP suite is based on a four-layer model of networking that is similar to the seven-layer OSI Model:
- Application layer
- Transport layer
- Internetwork layer
- Network access layer

IPX/SPX Protocol Suite

Novell originally developed the IPX/SPX suite in the 1980s for use with their NetWare servers. IPX/SPX also works with all Microsoft operating systems, with OS/2, and even with Unix and Linux. IPX stands for Internetwork Packet Exchange. It is a Network layer protocol that is analogous to IP. SPX stands for Sequenced Packet Exchange. It is a Transport layer protocol that is analogous to TCP. Unlike TCP/IP, IPX/SPX is not a standard protocol established by a standards group such as the IETF. Instead, IPX/SPX is a proprietary standard developed and owned by Novell. Both IPX and IPX/SPX are registered trademarks of Novell.

Other Protocols Worth Knowing About

- NetBIOS: Network Basic Input Output System
- NetBEUI: NetBIOS Extended User Interface
- AppleTalk: Apple computers have their own suite of network protocols known as AppleTalk
- SNA: Systems Network Architecture is an IBM networking architecture used with mainframe computers


UNDERSTANDING NETWORK HARDWARE

The building blocks of networks are network hardware devices such as servers, adapter cards, cables, hubs, switches, routers, and so on.

Servers

Server computers are the lifeblood of any network. Servers provide the shared resources that network users crave, such as file storage, databases, e-mail, Web services, and so on. For a home network or a small office network with only a few computers, you can get away with true peer-to-peer networking. That is where each client computer shares its resources such as file storage or printers, and a dedicated server computer is not needed. Some general things to keep in mind when picking a server computer for your network:
- Scalability
- Reliability
- Availability
- Service and support

Server Form Factors

The term form factor refers to the size, shape, and packaging of a hardware device. Server computers typically come in one of three form factors:
- Tower case
- Rack mount
- Blade servers

Network Interface Cards (NIC)

Every computer on a network, both clients and servers, requires a network interface card (NIC) in order to access the network. A NIC is usually a separate adapter card that slides into one of the motherboard expansion slots. However, some motherboards have a built-in network interface, so a separate card isn't required. Most NICs made today work with both 10 Mbps and 100 Mbps UTP networks (that is, 10BaseT and 100BaseT) and are called 10/100 cards.

Network Cable

We can construct an Ethernet network by using one of two different types of cable:
- Coaxial cable
- Twisted-pair cable (UTP, 10BaseT)

Hubs & Switches

The biggest difference between using coaxial cable and twisted-pair cable is that when you use twisted-pair cable, you must also use a separate device called a hub. A switch is a more sophisticated type of hub: where a hub repeats every frame to every port (so any station can see all traffic), a switch forwards each frame only to the port where the destination MAC address was learned.

Repeaters

A repeater is a device that gives your network signals a boost so that the signals can travel farther. You need a repeater when the total length of a single span of network cable is larger than the maximum allowed for the cable type:

  Cable                         Maximum length
  10Base2 (coaxial)             185 metres
  10/100BaseT (twisted pair)    100 metres

Bridges

A bridge is a device that connects two networks so that they act as if they are one network. Bridges are used to partition one large network into two smaller networks for performance reasons.

Routers

A router is like a bridge, but with a key difference. Bridges are Data Link layer devices. A router is a Network layer device. A router is itself a node on the network, with its own MAC and IP addresses.

Gateways

Similar to routers, gateways are used to connect different networks. The difference is that a gateway can connect networks that use different protocols, translating between them and hiding the details of the underlying protocols.


UNDERSTANDING NETWORK OPERATING SYSTEMS

All network operating systems, from the simplest (such as Windows XP Home Edition) to the most complex (such as Windows Server 2003), must provide certain core functions. Some of the core NOS features are:
- Network support
- File sharing services
- Multitasking
- Directory services
- Security services

Microsoft Server Operating Systems

Microsoft currently supports three versions of its flagship server operating system:
- Windows NT Server
- Windows 2000 Server
- Windows Server 2003

Windows NT Server

Windows NT was a 32-bit operating system, a huge step up from the 16-bit processing of earlier versions of Windows. Windows NT was the first Microsoft operating system that was reliable enough to work as a network server on large networks. Version 4.0 shipped in July 1996.

Windows 2000 Server

Windows 2000 Server is currently the most popular server operating system from Microsoft. Windows 2000 Server, built on the strengths of Windows NT Server, is faster, easier to manage, more reliable, and easier to use for large and small networks alike. Windows 2000 Server comes in three versions:
- Windows 2000 Server
- Windows 2000 Advanced Server
- Windows 2000 Datacenter Server

Windows Server 2003

Microsoft has just released a new version of Windows Server called Windows Server 2003. For several years prior to its release, this new version was called Windows .NET Server. Windows Server 2003 is built on Windows 2000 Server with added features. Windows Server 2003 comes in four versions:
- Windows Server 2003, Standard Edition
- Windows Server 2003, Web Edition
- Windows Server 2003, Enterprise Edition
- Windows Server 2003, Datacenter Edition

Other Server Operating Systems

Two other server choices are:
- Linux
- Apple Mac OS X Server

Linux is a free operating system that is based on UNIX, a powerful network operating system often used on large networks. Today, Linux is a full-featured UNIX-like operating system and can be an excellent choice as a server operating system. For Macintosh networks, Apple offers a special network server operating system known as Mac OS X Server. Mac OS X Server has all the features of a server operating system: file and printer sharing, Internet features, e-mail, and so on.


CISCO ROUTERS

A Cisco router runs an operating system called IOS, which can be configured to support a variety of protocols and interfaces. There are many versions of IOS in use today. There are different types of routers, varying in size (number of interfaces), types of interfaces, etc., but the configuration procedure is the same, and the commands are the same. The IOS is (usually) stored in flash memory. Apart from the IOS, the router needs a "configuration" which describes the network (interfaces, addresses etc.). This config file is what we create; it is stored in NVRAM, and can be modified using commands. Instead of NVRAM, we can also store the config file on a "server" somewhere on the network, and the router can download its configuration at boot time (or when we manually tell it to reload its configuration) from the server using TFTP. The server can be another Cisco router, or a regular computer, which holds configurations for many routers. Note that TFTP provides no authentication or encryption, so a configuration stored this way, including any passwords it contains, is readable by anyone who can reach the server. The figure below shows a Cisco 1800 router.


Getting Started with Cisco

Initially we will configure the router from a terminal. If the router is already configured and at least one port is configured with an IP address, and it has a physical connection to the network, we might be able to telnet to the router and configure it across the network (telnet carries the login in clear text; on IOS images that support it, SSH should be used instead). If it is not already configured, then we will have to directly connect to it with a terminal and a serial cable. From Windows we can use HyperTerminal to easily connect to the router. Plug a serial cable into a serial (COM) port on the PC and the other end into the console port on the Cisco router. Start HyperTerminal, tell it which COM port to use and click OK. Set the speed of the connection to 9600 bits per second and click OK. (Refer to the figure below.)

Often we will need to hit the Enter key to see the prompt from the router. If it is not configured it will look like this:

  Router>

If it has been previously configured with a hostname, it will look like this:

  <hostname of router>>

Modes

The Cisco IOS command-line interface is organized around the idea of modes. We move in and out of several different modes while configuring a router, and which mode we are in determines what commands we can use. Each mode has a set of commands available in that mode, and some of these commands are only available in that mode. In any mode, typing a question mark will display a list of the commands available in that mode.

  Router>?

Unprivileged and Privileged Modes

When we first connect to the router and provide the password (if necessary), we enter user EXEC mode, the first mode in which we can issue commands from the command line. From here we can use such unprivileged commands as ping, telnet etc. We can also use some of the show commands to obtain information about the system. In unprivileged mode we use commands like show version to display the version of the IOS the router is running. Typing show ? will display all the show commands available in the mode we are presently in.

  Router>show ?

We must enter privileged mode to configure the router. We do this by using the command enable. Privileged mode will usually be password protected unless the router is not configured. When we issue the command enable and provide the password, we will enter privileged mode. To help the user keep track of what mode they are in, the command-line prompt changes each time we enter a different mode. When we switch from unprivileged mode to privileged mode, the prompt changes from > to #:

  Router>enable
  Router#

The modes of operation are shown in the figure below.

[Figure: Two levels of access. To enter commands and configure a Cisco router, a user must log in to the router to access the user interface. For security purposes, a Cisco router has two levels of access.]

Configuring a Cisco Router

If we have just turned on the router, it is not configured. If it is already configured, we may want to view its current configuration. Even if it has not been previously configured, we should familiarize ourselves with the show commands before beginning to configure the router. Enter privileged mode by issuing the command enable, then issue several show commands to see what they display. show ? will display all the show commands available in the current mode.

  Router#show interfaces
  Router#show ip protocols
  Router#show ip route
  Router#show ip arp

When we enter privileged mode by using the command enable, we are in the top-level mode of privileged mode, also known in this document as "parent mode". It is in this top-level or parent mode that we can display most of the information about the router. As we now know, we do this with the show commands. Here we can learn the configuration of interfaces and whether they are up or down. We can display what IP protocols are in use, such as dynamic routing protocols. We can view the route and ARP tables, and these are just a few of the more important options. As we configure the router, we will enter various sub-modes to set options, then return to the parent mode to display the results of commands. We also return to the parent mode to enter other sub-modes. To return to the parent mode, we hit Ctrl-Z, which leaves configuration mode and returns us to the parent prompt.

Global Configuration (config)

To configure any feature of the router, we must enter configuration mode. This is the first sub-mode of the parent mode. In the parent mode, we issue the command configure terminal (which may be abbreviated to config t).

  Router#configure terminal
  Router(config)#

As demonstrated above, the prompt changes to indicate the mode that we are now in. In configuration mode we can set options that apply system-wide, also referred to as "global configurations". For instance, it is a good idea to name our router so that we can easily identify it. We do this in configuration mode with the hostname command.

  Router(config)#hostname RTTC
  RTTC(config)#

As demonstrated above, when we set the name of the host with the hostname command, the prompt immediately changes by replacing Router with RTTC. This is also where we set the password for privileged mode. Use enable secret, which stores a hash of the password in the configuration; the older enable password command stores it in a trivially reversible form and should not be used.

  RTTC(config)#enable secret <password>
  RTTC(config)#Ctrl-Z
  RTTC#

Each command takes effect in the running configuration as soon as it is entered (the prompt change after hostname shows this). Ctrl-Z (or typing exit until we reach parent mode) does not activate anything; it only leaves configuration mode. We can enter config mode, issue several different commands, then hit Ctrl-Z to return to parent mode and the prompt:

  RTTC#

Here we use show commands to verify the results of the commands we issued in config mode.

Configuring Cisco Router Interfaces

Cisco interface naming is straightforward. Individual interfaces are referred to by this convention:

  <media type> <slot#>/<port#>

"Media type" refers to the type of media that the port is an interface for, such as Ethernet, Token Ring, FDDI, serial, etc. Slot numbers are only applicable for routers that provide slots into which we can install modules. These modules contain several ports for a given media. The 7200 series is an example. These modules are even hot-swappable. We can remove a module from a slot and replace it with a different module, without interrupting service provided by the other modules installed in the router. The slots are numbered on the router. Port number refers to the port in relation to the other ports in that module. Numbering is left-to-right, and all numbering starts at 0, not at 1. Now the interfaces are to be configured with IP addresses. Here is an example of configuring a serial port with an IP address and bringing it up:

  RTTC#configure terminal
  RTTC(config)#interface serial 0/2/0:0
  RTTC(config-if)#ip address 192.168.155.2 255.255.255.0
  RTTC(config-if)#no shutdown
  RTTC(config-if)#Ctrl-Z
  RTTC#

The interface configuration commands are summarized in the figure below.

[Figure: Configuring an interface]

In the Cisco IOS, the way to reverse or delete the result of any command is to simply put no in front of it. For instance, if we wanted to remove the IP address assigned to interface serial 0/2/0:0:

  RTTC(config)#interface serial 0/2/0:0
  RTTC(config-if)#no ip address
  RTTC(config-if)#Ctrl-Z
  RTTC#show interface serial 0/2/0:0

Configuring most interfaces for LAN connections might consist only of assigning a network layer address and making sure the interface is not administratively shut down. It is usually not necessary to stipulate data-link layer encapsulation. Note that it is often necessary to stipulate the appropriate data-link layer encapsulation for WAN connections, such as Frame Relay and ATM. Serial interfaces default to using HDLC.

Configuring Cisco Routing

IP routing is automatically enabled on Cisco routers. If it has been previously disabled on our router, we turn it back on in config mode with the command ip routing.

  RTTC(config)#ip routing
  RTTC(config)#Ctrl-Z

There are two main ways a router knows where to send packets. The administrator can assign static routes, or the router can learn routes by employing a dynamic routing protocol. These days static routes are generally used in very simple networks or in particular cases that necessitate their use. To create a static route, the administrator tells the router operating system that any network traffic destined for a specified network layer address should be forwarded to a similarly specified network layer address. In the Cisco IOS this is done with the ip route command.

  RTTC#configure terminal
  RTTC(config)#ip route 172.16.1.0 255.255.255.0 192.168.150.1
  RTTC(config)#Ctrl-Z
  RTTC#show ip route


The usage of the ip route command by specifying the interface for a typical network is given in the figure below. Two things should be said about this example. First, the destination must be given as a network address together with the subnet mask for that destination network. Second, the address it is to be forwarded to is the address of the next router along the path to the destination. This is the most common way of setting up a static route.

Dynamic Routing

The following describes how to configure the Routing Information Protocol (RIP) on Cisco routers. From the command line, we must explicitly tell the router which protocol to use, and what networks the protocol will route for.

  RTTC#configure terminal
  RTTC(config)#router rip
  RTTC(config-router)#network aa.bb.cc.dd
  RTTC(config-router)#network ee.ff.gg.hh
  RTTC(config-router)#Ctrl-Z
  RTTC#show ip protocols

where aa.bb.cc.dd and ee.ff.gg.hh are the networks to be advertised. Now when we issue the show ip protocols command, we should see an entry describing the RIP configuration.

Saving the Cisco Router Configuration

Once we have configured routing on the router, and we have configured individual interfaces, our router should be capable of routing traffic. Give it a few moments to talk to its neighbors, then issue the commands show ip route and show ip arp. There should now be entries in these tables learned from the routing protocol. If we turned the router off right now, and turned it on again, we would have to start configuration over again. Our running configuration is not saved to any permanent storage media. We can see this configuration with the command show running-config.

  RTTC#show running-config


We do want to save our successful running configuration. Issue the command copy running-config startup-config.

RTTC#copy running-config startup-config
or
RTTC#write memory

Our configuration is now saved to non-volatile RAM (NVRAM). Issue the command show startup-config.

RTTC#show startup-config

Any time we need to return our router to that configuration, issue the command copy startup-config running-config.

RTTC#copy startup-config running-config

NAT Configuration in Cisco Routers

Network Address Translation (NAT) replaces IP addresses within a packet with different IP addresses. It is useful for conserving IP addresses and for connecting a private network that uses unregistered addresses to a public network like the Internet. The two main types of NAT configuration are static and dynamic.

A static NAT configuration creates a one-to-one mapping and translates a specific address to another address. This type of configuration creates a permanent entry in the NAT table as long as the configuration is present, and enables both inside and outside hosts to initiate a connection. This is mostly useful for hosts that provide application services such as mail, web, FTP and others.

Dynamic NAT is useful when fewer addresses are available than the actual number of hosts to be translated. It creates an entry in the NAT table when the host initiates a connection and establishes a one-to-one mapping between the addresses. However, the mapping could vary depending on the registered address available in the pool at the time of the communication. Dynamic NAT allows sessions to be initiated only from the inside or outside network for which it is configured. Dynamic NAT entries are removed from the translation table if the host does not communicate for a configurable period of time. The address is then returned to the pool for use by another host.

Another form of dynamic translation is overloading, or Port Address Translation (PAT), which allows many hosts to be mapped to a single address at the same time. When PAT is configured, the router uses the source port numbers to distinguish the sessions of different hosts. PAT creates an extended translation entry in the NAT table by including the protocol as well as the port information. PAT is configured by adding the overload option to the dynamic NAT configuration command that binds the hosts and the pool.

Static and dynamic NAT can also be configured simultaneously on the same device. This is necessary when some hosts provide application services and other hosts that need to connect to the Internet share fewer valid IP addresses.
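To make the three NAT behaviours just described concrete, here is an added Python model of a NAT translation table (example code for this report's topic, not IOS code and not part of the original report). It shows a static one-to-one entry that outside hosts can reach at any time, a dynamic pool that hands out one address per inside host until the pool is exhausted, and PAT, where every host shares one address and the table entry is extended with protocol and port so that replies can be sent back to the right host. The public addresses 203.0.113.x and 198.51.100.x are documentation ranges used as constructed sample values; the port allocator is a simplification and not IOS's real algorithm.

```python
import itertools
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp" in this model
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Toy model of a Cisco-style NAT table: static one-to-one, dynamic pool, and PAT (overload).

    Only the behaviours described in the text are modelled; idle timers, GRE/ICMP handling
    and IOS's real port-selection algorithm are left out.
    """

    def __init__(self, pool, static=None, overload=False):
        self.free = list(pool)                         # pool addresses not yet handed out (dynamic NAT)
        self.static = dict(static or {})               # inside-local -> inside-global, permanent entries
        self.overload = overload
        self.pat_addr = pool[0] if overload else None  # with overload every host shares this one address
        self.dynamic = {}                              # inside-local -> inside-global for active sessions
        self.pat = {}                                  # (proto, inside-local, local-port) -> global-port
        self.ports = itertools.count(1024)             # constructed port allocator for the toy model

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source. Returns None if the packet is dropped."""
        if pkt.src in self.static:                     # static entries win when both configurations match
            return replace(pkt, src=self.static[pkt.src])
        if self.overload:                              # PAT: extended entry keyed by protocol and port
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.pat:
                self.pat[key] = next(self.ports)
            return replace(pkt, src=self.pat_addr, sport=self.pat[key])
        if pkt.src not in self.dynamic:                # dynamic NAT: one pool address per host
            if not self.free:
                return None                            # pool exhausted, the session cannot start
            self.dynamic[pkt.src] = self.free.pop(0)
        return replace(pkt, src=self.dynamic[pkt.src])

    def inbound(self, pkt):
        """Outside -> inside: rewrite the destination using existing entries only."""
        for local, glob in self.static.items():        # static: outside hosts may initiate
            if glob == pkt.dst:
                return replace(pkt, dst=local)
        if self.overload:
            for (proto, local, lport), gport in self.pat.items():
                if proto == pkt.proto and pkt.dst == self.pat_addr and pkt.dport == gport:
                    return replace(pkt, dst=local, dport=lport)
            return None                                # no session: unsolicited traffic is dropped
        for local, glob in self.dynamic.items():
            if glob == pkt.dst:
                return replace(pkt, dst=local)
        return None

    def expire(self, local):
        """Idle timeout: drop the host's dynamic entries and return its address to the pool."""
        if local in self.dynamic:
            self.free.append(self.dynamic.pop(local))
        for key in [k for k in self.pat if k[1] == local]:
            del self.pat[key]

    def translations(self):
        """Rough equivalent of 'show ip nat translations': (inside global, inside local) rows."""
        rows = [(g, l) for l, g in self.static.items()]
        rows += [(g, l) for l, g in self.dynamic.items()]
        rows += [(f"{self.pat_addr}:{gp}", f"{l}:{lp}") for (_, l, lp), gp in self.pat.items()]
        return rows


if __name__ == "__main__":
    pat = NatRouter(pool=["203.0.113.10"], overload=True)
    pat.outbound(Packet("tcp", "10.10.10.2", 5000, "198.51.100.1", 80))
    pat.outbound(Packet("tcp", "10.10.10.3", 5000, "198.51.100.1", 80))
    for row in pat.translations():
        print(row)
```

The static case models the same idea as the ip nat inside source static tcp 10.10.10.2 1723 line in the PAC configuration later in the report: the mapping exists before any session, so a remote PPTP client can open the connection from outside, while dynamic and PAT entries only appear after an inside host has started talking.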

Configuration of NAT

A router configured for NAT maintains a translation table that holds the mapping between the addresses used in the translation. Configuring NAT involves identifying the NAT inside and NAT outside interfaces. Do the following steps.

1. To configure the inside and outside interfaces, issue the commands ip nat inside and ip nat outside under the respective interfaces.

2. To configure static NAT, issue the ip nat inside source static or ip nat outside source static command in global configuration mode, depending on where the host is located.

Note: To use static NAT for hosts providing specific services, include the protocol and port number. Issue the ip nat inside source static {tcp | udp} local-ip local-port global-ip global-port [extendable] command or the ip nat outside source static {tcp | udp} global-ip global-port local-ip local-port [extendable] command in global configuration mode, depending on whether the inside or outside network is available.

3. To configure dynamic NAT, identify the addresses used for translation by issuing the ip nat pool command in global configuration mode.

4. To specify the hosts to be translated, issue the access-list command.

5. To associate the pool and the list of hosts to be translated, issue the ip nat inside source list <list-name> pool <pool-name> command. The command can be used for an outside network by replacing the keyword inside with outside.

6. To configure Port Address Translation (PAT), add the overload option to this command. This allows many hosts to share the same address simultaneously by enabling the NAT router to keep each session unique using the source port number.

Note: When static and dynamic NAT are configured together, static NAT takes precedence if a traffic flow matches both configurations.

Access Control Lists - Overview

Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter those protocols' packets as the packets pass through a router. You can configure access lists at your router to control access to a network: access lists can prevent certain traffic from entering or exiting a network.

What Access Lists Do?
Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. The router examines each packet to determine whether to forward or drop it, based on the criteria you specified within the access lists. Access list criteria can be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.

Why You Should Configure Access Lists

There are many reasons to configure access lists. For example, you can use access lists to restrict the contents of routing updates, or to provide traffic flow control. But one of the most important reasons to configure access lists is to provide security for your network. You should use access lists to provide a basic level of security for accessing your network. If you do not configure access lists on your router, all packets passing through the router could be allowed onto all parts of your network.

For example, access lists can allow one host to access a part of your network, and prevent another host from accessing the same area. In the following example, Host A is allowed to access the Human Resources network and Host B is prevented from accessing the Human Resources network. You can also use access lists to decide which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.

When to Configure Access Lists

Access lists should be used in "firewall" routers, which are often positioned between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network. To provide the security benefits of access lists, you should at a minimum configure access lists on border routers, that is, routers situated at the edges of your networks. This provides a basic buffer from the outside network, or from a less controlled area of your own network into a more sensitive area of your network. On these routers, you should configure access lists for each network protocol configured on the router interfaces. You can configure access lists so that inbound traffic, outbound traffic or both are filtered on an interface.

Access lists must be defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled on an interface if you want to control traffic flow for that protocol. (Note that some protocols refer to access lists as filters.)

Basic vs. Advanced Access Lists

There are two different types of access lists:
a. Standard access lists
b. Extended access lists

These are the basic types of access lists. Besides the basic types described above, there are also more advanced access lists available, which provide additional security features and give you greater control over packet transmission.

Overview of Access List Configuration

Although each protocol has its own set of specific tasks and rules required for you to provide traffic filtering, in general most protocols require at least two basic steps to be accomplished. The first step is to create an access list definition, and the second step is to apply the access list to an interface. The two steps are described next in these sections:
a. Creating Access Lists
b. Applying Access Lists to Interfaces

Note that some protocols refer to access lists as filters and refer to the act of applying the access lists to interfaces as filtering.

Creating Access Lists

Create access lists for each protocol you wish to filter, per router interface. For some protocols, you create one access list to filter inbound traffic, and one access list to filter outbound traffic. The protocols for which you can configure access lists are identified in and (following). To create an access list, you specify the protocol to filter, you assign a unique name or number to the access list, and you define packet filtering criteria. A single access list can have multiple filtering criteria statements.

Assigning a Unique Name or Number to Each Access List

When configuring access lists on a router, you must identify each access list uniquely within a protocol, by assigning either a name or a number to the protocol's access list.

E.g.:
1. access-list 10 permit 192.168.1.0 0.0.0.255 //To permit all traffic from the LAN 192.168.1.0 to the destination.
2. access-list 10 permit 192.168.1.0 0.0.0.63 //To permit only the first 62 hosts to the destination; all other hosts will be denied access.

The Implied "Deny All Traffic" Criteria Statement

At the end of every access list is an implied "deny all traffic" criteria statement. Therefore, if a packet does not match any of your criteria statements, the packet will be blocked.

The Order In Which You Enter Criteria Statements

Note that each additional criteria statement that you enter is appended to the end of the access list statements. Also note that you cannot delete individual statements after they have been created. You can only delete an entire access list. The order of access list statements is important! When the router is deciding whether to forward or block a packet, the Cisco IOS software tests the packet against each criteria statement in the order the statements were created. After a match is found, no more criteria statements are checked. If you create a criteria statement that explicitly permits all traffic, no statements added later will ever be checked. If you need additional statements, you must delete the access list and retype it with the new entries.

Applying Access Lists to Interfaces

You can define ACLs without applying them, but the ACLs have no effect until they are applied to an interface of the router. It is good practice to apply the ACL on the interface closest to the source of the traffic. As shown in this example, when you try to block traffic from source to destination, you can apply an inbound ACL to E0 on router A instead of an outbound list to E1 on router C.

Define In, Out, Source, and Destination

The router uses the terms in, out, source, and destination as references. When you refer to a router, these terms have these meanings.

Out: Traffic that has already been through the router and leaves the interface. The source is where it has been, on the other side of the router, and the destination is where it goes.

In: Traffic that arrives on the interface and then goes through the router. The source is where it has been and the destination is where it goes, on the other side of the router.

Router(config)# interface <interface name>
Router(config-if)# ip access-group <ACL No> in|out

For some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list, which checks both inbound and outbound packets.

If the access list is inbound, when the router receives a packet, the Cisco IOS software checks the access list's criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet. If the access list is outbound, after receiving and routing a packet to the outbound interface, the software checks the access list's criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
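The rules laid out in this section (wildcard masks, statements tested in the order they were entered, first match wins, and the implied deny at the end) can be checked with the following added Python evaluator. It is example code written for this report's topic, not Cisco IOS code and not part of the original report. It parses standard and extended access-list statements in the same syntax the report uses, including the two examples from this section and the ACL 101 used later for ICMP, and evaluates sample packets against them; the packets and the 203.0.113.x address are constructed test values.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # the keyword "any": every bit is a don't-care bit


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: a 0 bit in the mask must match, a 1 bit is ignored."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A', 'A WILDCARD' or a bare host A."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return (tokens[i], tokens[i + 1]), i + 2
    return (tokens[i], "0.0.0.0"), i + 1


def parse_ace(line):
    """Parse a standard (1-99) or extended (100-199) IOS 'access-list' statement."""
    t = line.split("//")[0].split()            # drop the // comments used in the report
    number, action = int(t[1]), t[2].lower()
    if number <= 99:                            # standard list: source address only
        src, _ = _parse_addr(t, 3)
        return {"action": action, "proto": "ip", "src": src, "dst": ANY, "qual": None}
    proto = t[3].lower()
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    qual = None
    if i < len(t):                              # "eq <port>" for tcp/udp, or an ICMP type such as echo
        qual = ("eq", int(t[i + 1])) if t[i] == "eq" else t[i].lower()
    return {"action": action, "proto": proto, "src": src, "dst": dst, "qual": qual}


def ace_matches(ace, pkt):
    """pkt is a dict with proto, src, dst and optionally dport or icmp_type."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
        return False
    qual = ace["qual"]
    if qual is None:
        return True
    if isinstance(qual, tuple):                 # ("eq", port)
        return pkt.get("dport") == qual[1]
    return pkt.get("icmp_type") == qual         # ICMP message name, e.g. echo or echo-reply


def evaluate(acl_lines, pkt):
    """First-match evaluation in statement order; the implied deny at the end has index None."""
    for index, line in enumerate(acl_lines):
        if ace_matches(parse_ace(line), pkt):
            return parse_ace(line)["action"], index
    return "deny", None


if __name__ == "__main__":
    acl_101 = ["access-list 101 deny icmp any 10.0.0.0 0.255.255.255 echo",
               "access-list 101 permit ip any 10.0.0.0 0.255.255.255"]
    probe = {"proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.5", "icmp_type": "echo"}
    print(evaluate(acl_101, probe))             # an unsolicited echo from outside is denied by line 0
```

Two things the evaluator makes visible: the wildcard 0.0.0.31 in the report's NAT access list admits exactly the 32 addresses 192.168.100.0 to 192.168.100.31 and nothing above, and a statement that permits everything placed first shadows every statement entered after it, which is why the text says the list must be deleted and retyped rather than extended.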

HARDWARE & SOFTWARE SPECIFICATION

Personal Computer: 3 numbers, with all the specifications needed to work efficiently and fast. A sufficient number of NICs should be provided with the PCs.
CISCO Router: 1800 series, 2 numbers.
Layer 2 unmanaged switch: 1 number (varies according to the number of PCs connected).
Broadband Modem: ADSL modem, 2 numbers.
Cable: UTP cable as required.
Operating System: Windows 2003 Server (PPTP is built into this OS).
Router OS: CISCO IOS

ROUTER CONFIGURATION

Preliminary Configurations

i) Different modes and display commands

Router>              User mode
Router#              Privileged mode
Router(config)#      Global config mode
Router(config-if)#   Interface subcommand mode

Viewing Router Information

show version         IOS version information
show memory          Memory statistics
show protocols       Active network routing protocols
show running-config  Current config in RAM (write terminal)
show startup-config  Saved config in NVRAM (show config)

ii) Setting passwords and router name

Set Passwords (Global Config Mode)

line con 0            Selects console
line aux 0            Selects auxiliary
line vty 0 4          Selects Telnet
login                 Allows logins and
password rttc         sets the password to rttc
enable password rttc  Sets the password for privileged mode to rttc
enable secret cttc    Sets the encrypted password to cttc

Router Identification (Global Config Mode)

hostname <router_name>   Sets the hostname to router_name

Basic Router Configuration

1. To set the host name
RTTC# configure terminal
RTTC(config)# hostname <Name>
RTTC(config)# Ctrl+Z
RTTC# write memory

2. To set the enable password
RTTC# configure terminal
RTTC(config)# enable password rttc
RTTC(config)# Ctrl+Z
RTTC# write memory

3. Configuring the interface IP
RTTC# configure terminal
RTTC(config)# interface <type><Number>
RTTC(config-if)# ip address <addr> <mask>
RTTC(config-if)# no shutdown //To bring the interface administratively up.
RTTC(config-if)# Ctrl+Z

i) Configuring logical addresses at the local interfaces
Syntax:
RTTC# configure terminal
RTTC(config)# interface <type><Number>
RTTC(config-if)# ip address <addr> <mask>
RTTC(config-if)# no shutdown //To bring the interface administratively up.
RTTC(config-if)# Ctrl+Z
Similarly give IP addresses to all the connected interfaces.
RTTC# show interface <int name>

ii) Configuring static routes
Syntax (ip route is a global configuration command, so it is entered from the config prompt rather than under an interface):
RTTC# configure terminal
RTTC(config)# ip route [dest] [mask] [next_hop IP address]

Verification commands
RTTC# show running-config
RTTC# show ip route

Configuring Interface IP
WAN interface configuration with a public IP address:
RTTC# configure terminal
RTTC(config)# interface <type><Number>
RTTC(config-if)# ip address <addr> <mask>
RTTC(config-if)# no shutdown //To bring the interface administratively up.
RTTC(config-if)# Ctrl+Z
Similarly configure the LAN interface IP also.
RTTC# show ip interface brief //To verify.

Configuring ACL
1. To allow traffic only for the first 32 clients and block all others.
RTTC# configure terminal
RTTC(config)# interface fe0/0
RTTC(config-if)# ip address 192.168.100.1 255.255.255.0
RTTC(config-if)# exit
RTTC(config)# access-list 10 permit 192.168.100.0 0.0.0.31 //To permit only the first 32 clients of the LAN for internet connectivity.
RTTC(config)# interface fe0/0
RTTC(config-if)# ip access-group 10 in
RTTC(config-if)# Ctrl+Z
RTTC#

2. ACL to receive ping responses from outside while preventing unsolicited pings from people outside.
RTTC(config)# access-list 101 deny icmp any 10.0.0.0 0.255.255.255 echo
RTTC(config)# access-list 101 permit ip any 10.0.0.0 0.255.255.255
RTTC(config)# interface fe0/0
RTTC(config-if)# ip access-group 101 in
RTTC(config-if)# Ctrl+Z

Configuring NAT

Dynamic NAT with overload (if only one WAN IP is available for different LAN IPs):
RTTC(config)# interface <int no> //On the LAN side
RTTC(config-if)# ip nat inside
RTTC(config-if)# interface <int no> //On the WAN side
RTTC(config-if)# ip nat outside
RTTC(config-if)# exit
RTTC(config)# ip nat pool <Name> <First IP> <Last IP> netmask <Sub Mask>
RTTC(config)# ip nat inside source list 5 pool <Name> overload

Configuring the access list:
RTTC(config)# access-list 5 permit <IP address> <Mask>
E.g.:
RTTC(config)# access-list 5 permit 192.168.100.0 0.0.0.31 //To permit only the first 32 clients of the LAN for internet connectivity.

Dynamic NAT without overload (for internet connectivity only):
RTTC(config)# interface <int no> //On the LAN side
RTTC(config-if)# ip nat inside
RTTC(config-if)# interface <int no> //On the WAN side
RTTC(config-if)# ip nat outside
RTTC(config-if)# exit
RTTC(config)# ip nat pool <Name> <First IP> <Last IP> netmask <Sub Mask>
RTTC(config)# ip nat inside source list 5 pool <Name>

Configuring the access list:
RTTC(config)# access-list 5 permit <IP address> <Mask>
E.g.:
RTTC(config)# access-list 5 permit 192.168.100.0 0.0.0.31 //To permit only the first 32 clients of the LAN for internet connectivity.

Verify using the show ip nat translations command.

a. Static NAT (used in case the network has a Web server, FTP server etc.)
RTTC(config-if)# ip nat inside //On the LAN side interface
RTTC(config-if)# ip nat outside //On the WAN side interface
RTTC(config)# ip nat inside source static <LAN IP address> <WAN public IP>

Verify using the show ip nat translations command.

IMPLEMENTATION

Hardware implementation of our project was done at the network laboratory of RTTC TVM under the assistance of Mr. MAHESHWARAN NAIR. We set up our required project with optimum utilization of the elements placed in appropriate places, and it was verified by the corresponding faculty. The various steps involved in the implementation of the setup are shown below.

MODULES USED

SERVER SIDE

PPTP Network Server
PPTP Access Concentrator
Corporate LAN Network
File Servers

CLIENT SIDE

Branch office
Remote client

VPN DIAGRAM

PPTP Access Concentrator (PAC)

A device attached to one or more PSTN or ISDN lines, capable of PPP operation and of handling the PPTP protocol. It only needs to implement TCP/IP to pass traffic to one or more PNSs. In our project we use a CISCO router as the PAC.

A node that acts as one side of a PPTP tunnel endpoint and is a peer to the PPTP Network Server (PNS). Here PAC refers to the server that terminates the PPTP tunnel and provides VPN connectivity to a remote client.

Steps to configure PAC

1. Assigning IP addresses to the ports (Fast Ethernet ports).
2. Create the virtual interface Dialer1 (which is used to interface the internet side).
3. Enabling the authentication protocol (CHAP).
4. Mapping the virtual interface Dialer1 to the outgoing interface of the PAC.
5. Create the NAT configuration.
6. Create the access list.
7. Finally create the IP default routing configuration.

Running configuration of the configured PAC

CORPORATE#sh ip int br
Interface              IP-Address   OK? Method Status                Protocol
GigabitEthernet0/0     10.10.10.1   YES NVRAM  up                    up
GigabitEthernet0/1     unassigned   YES NVRAM  administratively down down
NVI0                   unassigned   NO  unset  up                    up
Virtual-Access1        unassigned   YES unset  up                    up
Dialer1                unassigned   YES NVRAM  up                    up

CORPORATE#sh run
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
interface GigabitEthernet0/1
 no ip address
 shutdown
 pppoe enable group global
 pppoe-client dial-pool-number 1
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname rttc1
 ppp chap password 0 rttc369
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.2 1723 interface Dialer1 1723
access-list 1 permit 10.10.10.0 0.0.0.255
CORPORATE#

PPTP Network Server (PNS):

A node that acts as one side of a PPTP tunnel endpoint and is a peer to the PPTP Access Concentrator (PAC). Here PNS refers to the remote client that requests to establish VPN connectivity using a PPTP tunnel.

Handles the server side of the PPTP protocol. Uses any combination of IP interface hardware, including LAN and WAN devices.

Steps to configure PNS

1. Assigning the computer name.
2. Assigning IP addresses to the LAN and WAN sides of the PNS.
3. Configuring Routing and Remote Access Server.

SCREENSHOTS
Assigning IP address to LAN and WAN interfaces.

Note: Here the gateway of the LAN side PCs (clients of the corporate network) should be the same as the IP of the PNS LAN interface. Also select another IP range (the same IP range as the PAC) for the WAN side. That is, the WAN sides of the PAC and PNS have the same range of addresses.

ROUTING AND REMOTE ACCESS SETUP AT PPTP SERVER

CONFIGURING ROUTING AND REMOTE ACCESS SERVER STEPS

ENABLING THE PPTP SERVER STEP 2

PROVIDING THE ACCESS RANGE STEP 3

GIVING THE ACCESS RANGE STEP 4

FINISHING THE SET UP STEP 5

CREATION OF USER IN PPTP SERVER STEP 1

CREATION OF USER IN PPTP SERVER STEP 2

CREATION OF USER IN PPTP SERVER STEP 3

Finally, one or more users are created in the PNS server. These user accounts are used to log in to the private network.

Configuring a Remote Access PPTP VPN Dial-in Connection

A remote worker establishes a PPTP VPN connection with the head office using Microsoft's VPN Adapter (included with Windows XP/2000/ME, etc.). The router is installed in the head office, connected to a couple of PCs and Servers.

FINAL LAN STATUS OF BRANCH OFFICE NETWORK

PORT BECAME ACTIVE IN THE PPTP SERVER AFTER USER GET CONNECTED

After establishing the VPN service, the server automatically assigns an IP address to the remote client via the DHCP service. Thus the IP ranges of the corporate network side and the branch office (remote client) side become the same.

PINGING PROCEDURES
PINGING TO WAN SIDE OF SERVER ROUTER FROM REMOTE CLIENT

TO FTP SEVER FROM REMOTE CLIENT

After connecting the VPN we can easily ping or share data with the corporate network privately.

APPLICATION OF VPN
ACCESSING THE DESKTOP OF FTP SERVER FROM THE REMOTE CLIENT

ENTERING THE IP ADDRESS OF THE FTP SERVER IN THE REMOTE CLIENT

ACCESSING THE FTP SERVER FROM THE REMOTE CLIENT

Here we can fully access the system resources of the corporate side from the branch office via the REMOTE DESKTOP service.

HOW SECURITY IS ACHIEVED Trace route client to wan side without tunnel

Here the intermediate router hops are shown, which means that the entire packet is open, or processed, at every node. So there is no secure path. Therefore hackers can easily enter our network without our permission.
TRACE ROUTE TO FTP SERVER AFTER VPN IS DIALED

Here 192.168.10.2 is the IP address of the corporate network side PC, and 192.16.10.20 is the IP of the branch office client PC (assigned by the server). Only the source and destination tracing information is shown here; no intermediate routing information is found. That means the intermediate nodes do not open the layer 3 header, and the packets travel in a secure path called a VIRTUAL TUNNEL.
