Project: Design Virtual Private Network Within Campus Environment
Added on - 20 Sep 2019
CHAPTER 3

3.0 RESEARCH METHODOLOGY

The purpose of this project is to design a virtual private network within the campus environment by connecting the various departments together using a highly secure network system. This led me to collect multiple research sources on how to design a secure remote network that connects all the departments together using Dynamic Multipoint Virtual Private Network (DMVPN).

In order to implement DMVPN, the methodologies were collected from the study of remote virtual private networks using a leased private line or the existing wireless network, from Cisco Certified Network Associate by Todd Lammle, and from Cisco Certified Network Professional by Chris Brown (CCIE).

Dynamic Multipoint VPN (DMVPN) is a Cisco VPN solution for building a virtual private network with branch sites at different locations using a scalable architecture. The DMVPN architecture provides an easy approach to implementation and management for deployments that require access controls for diverse user communities, including mobile employees, departments and different remote sites.

Cisco DMVPN provides an environment in which different branch locations can communicate directly with each other over the WAN, for example when using communication protocols such as voice over IP between two branch offices, without requiring a permanent VPN connection between the sites. It also provides zero-touch deployment of IPsec VPNs, which improves network performance, minimises deployment time and reduces the cost of integrating voice and video with IPsec VPN security. It enables direct communication between branches for a variety of business applications. It has all the benefits of routing combined with standard IPsec security technology.

VPN using Internet Leased Line for Wired and Wireless Private Networks:

A VPN is a secure connection between sites that can be established using an Internet leased line or any existing wireless or wired connection. The VPN deployment only needs IP connectivity between the sites. There are different methods for remote VPNs between sites, such as DMVPN and SSL VPN. As explained above, DMVPN connects sites using a hub-and-spoke topology. SSL VPN is used mainly for remote users and has no hardware requirement: it only requires the user to install VPN client software, which connects to the VPN hub, which in turn connects the PC to the private network of the company or organisation.

3.1 SOFTWARE REQUIREMENT FOR THE VPN DESIGN

This design reflects a real-life scenario and would require Cisco configurable 2900 series routers, but these are too expensive; because of that, I will use Packet Tracer simulation for the lab design and for testing the network security.

For setting up the VPN we need Cisco IOS routers of the 1900 or 2900 series with IOS version 15.x or above. As we have limited physical devices, we have chosen Cisco Packet Tracer to simulate the VPN setup for this implementation.

Cisco Packet Tracer enables us to simulate network devices, which we can use to create network topologies that help us implement and practise network scenarios before implementation. Packet Tracer provides different types of Cisco devices (routers, switches, firewalls, etc.) and many different connection options, which help the user to create a vast number of design options. In our case we will be implementing a VPN over different media types, including wireless and wired topologies, connecting the private networks through the VPN and securing it with IPsec.

3.2 HARDWARE REQUIREMENT FOR THE VPN DESIGN

The following network devices are required:

➢ 5 Cisco 1841 or 2900 series routers
➢ Internet service provider private modem with leased line
➢ 4 Cisco wireless routers
➢ 5 server systems
➢ Cat 6 network cable
➢ Serial cable
➢ Wireless computers

For the DMVPN the hardware requirement may vary from scenario to scenario, as it depends on various factors such as the routing protocols, the number of sites, the number of users and the amount of traffic.

For a basic DMVPN setup, we need a Cisco IOS router (2911 or 1841) as an edge router for each site or department. These routers are suitable for small offices and branches with a medium traffic load and for a limited number of VPN connections. These routers connect us to the ISP, which provides the Internet leased line connectivity that we will call the WAN or public network. These departments or sites may have wired or wireless connectivity to their respective local area devices, which are allocated private IP addresses.

For the Internet leased line we will be using a serial connection provided by our ISP, and for our LAN we are using Cisco wireless routers to provide wireless connectivity to our wireless PCs and devices using WiFi. The wired connectivity will be provided by CAT6 Ethernet cables. These cables are capable of providing 100 Mbps speeds on the LAN.

Also, we are using different servers for various purposes in our different departments, which will give users on the network access to services.

3.5 NEW SYSTEM DESIGN

The prescribed solution is to design a virtual private network in a campus environment using the university wireless network of Sheffield Hallam University, via the school's existing wireless network, by connecting the following departments together:
● Administration department
● Computer science
● Business school
● Engineering and Medical department

Connecting the above departments together remotely using a virtual private network design will involve the following procedures:

➢ Default routing protocol:

This will be used in order to connect to the ISP network, which can also be called the Internet. As we are not running any routing protocol with the ISP, we need the traffic to be routed towards the ISP, so we will direct it using the default route. All traffic going towards the public network will be forwarded to the ISP's router, and the ISP will then forward it to the destination. The default route is generally used when we do not want to give a specific route to the destination, or when we do not have any protocols running for many routes/destinations. It allows us to forward all our non-specific traffic towards a named destination. The syntax of the default route is:

ip route 0.0.0.0 0.0.0.0 <forwarding router's address>

This forwards all network traffic towards a specific router destination (Admin department).

➢ Dynamic routing protocol:

Dynamic routing is a way of obtaining the routes in a network of many routers and devices by running a dynamic routing protocol. Dynamic routing lets us obtain routes easily without manual entry into the routing table, and populates the routing table with the best route chosen from the different routes available to the router. There are many dynamic routing protocols available: Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF). Each routing protocol works in a different way; they use different algorithms for best-path selection. Some choose the best route by using hop count as the metric, while others calculate a cost from the type of link to select the best possible route to the destination. The packets exchanged by dynamic routing protocols are called routing updates. These updates carry the routes or networks that are connected to the routers, which are then passed on to the other routers running the same protocol. In this way all the routers learn their routes from each other and populate their routing tables. The benefit is that it can easily be configured on a large network to exchange routes, but the downside is that it consumes more bandwidth than static routing. This involves advertising the network addresses in each routing table to the neighbouring routers that are connected together, to enable information sharing via the network. In this design, Enhanced Interior Gateway Routing Protocol (EIGRP) will be configured.

➢ Generic Routing Encapsulation (GRE):

GRE is a routing-based VPN which helps users/sites to connect their private networks via the public network by using simple encapsulation; routers use GRE to encapsulate their private IP packets. GRE is an IPv4 tunnelling protocol that provides a simple and generic encapsulation approach to transport packets of one protocol over another protocol. GRE takes the original packet, called the payload, and packs it as the inner packet inside an outer IPv4 packet addressed to the public IP of the destination tunnel endpoint. With GRE, tunnel endpoints can send their payloads through the tunnel by routing the encapsulated packets across the intervening IP networks. Other IP routers along the way, such as the ISP routers, do not act on the payload (the encapsulated data packet); they only process the outer IPv4 packet while forwarding it towards the destination, which is the GRE tunnel endpoint. On reaching the tunnel destination, the GRE encapsulation is removed by the receiving router and the payload (the original IPv4 data packet) is forwarded to its final destination, which is the private network of the remote location connected over the public network. This encapsulates the data shared between the source and destination networks so that intermediate routers forward it without acting on it; on its own GRE does not encrypt the payload, so the IPsec encryption described under the next procedure is what protects it from unauthorised access.

➢ Virtual Private Network (VPN):

VPN stands for Virtual Private Network. A VPN is built on top of an existing network. It works by taking the traffic generated by a private network and sending it to the other private network over the public domain, which significantly reduces the cost of connectivity over long distances. As the data transferred over the public domain is in plain text and can be seen and read by other devices, the confidentiality of the data must be protected. For this we use various encryption techniques. There are two main types of encryption in general use, symmetric and asymmetric. With symmetric cryptography, the key used for encryption is also used for decryption of the messages. With asymmetric cryptography, two different keys are used for encryption and decryption. The most commonly used arrangement is that asymmetric encryption is used to authenticate the sites to each other, while symmetric encryption is applied to ensure the confidentiality of the IP data. Popular symmetric encryption algorithms are 3DES, DES and AES-256; widely used asymmetric algorithms are RSA and DSA.

IPsec is a suite of Internet protocols that ensures data is transferred securely at the network layer using standard cryptographic techniques. The Internet Protocol (IP) had no security mechanism when it was originally designed. With the increasing demands of data security and Internet security, new protocols were developed to ensure the confidentiality of data at the network layer, such as ESP (Encapsulating Security Payload) and AH (Authentication Header). IPsec is the suite that comprises these protocols in order to provide completely secure transmission of data. It secures data within the network by using a time-limited authentication key, which allows only users with the access key to read the data, while those without the key are denied all access to it. It also gives users different access levels within the network.

CHAPTER 4

4.0 ANALYSIS AND RESULTS
4.1 DISCUSSION

The VPN secure network procedure will be implemented in the lab design below using Packet Tracer and 1841 series routers. Due to the limitations of the application's routers with multiple tunnels, we will only demonstrate a single generic routing encapsulation from the Computer Science department to the Business School department, which will apply the VPN to both of them. Multiple GRE tunnels and multiple VPNs on a router will also work in the various departments.

We will implement GRE to connect the private networks of the different departments, namely the Administration, Business School, Medical, Computer Science and Engineering departments.

For this setup we have taken Cisco 1841 routers at each site; they are connected by the WAN IPs listed in the table below, and the diagram illustrates the connectivity and location of the different departments. The need is to connect these departments by configuring a GRE VPN and to test the connectivity by having them communicate with each other.

The LAN present on each site comprises different PCs, servers and laptops, with wired as well as wireless networks; we will consider all of them as the private network of each site.

There is a complete configuration explained below which demonstrates the configuration and process of the above-mentioned implementation.
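As an added worked example (not the dissertation's own configuration), the following Cisco IOS configuration for the Computer Science edge router puts the four procedures of section 3.5 together for the Computer Science to Business School tunnel discussed above: default route to the ISP, EIGRP over the tunnel, a GRE tunnel, and IPsec protecting the GRE traffic. The LAN address 192.168.1.33/27 comes from Table 1; the WAN addresses 203.0.113.2/30 (Computer Science) and 203.0.113.6/30 (Business School), the ISP next hop 203.0.113.1, the tunnel subnet 10.0.0.0/30, the EIGRP AS number 100 and all names are assumptions.

```cisco
! Computer Science edge router (Cisco 1841). Constructed example: the WAN
! addresses 203.0.113.2/30 (CS) and 203.0.113.6/30 (Business School), the
! ISP next hop 203.0.113.1 and the tunnel subnet 10.0.0.0/30 are assumed.
hostname CS-Router
!
! --- Procedure 1: default route sends all non-local traffic to the ISP ---
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! --- IPsec phase 1 (ISAKMP) and phase 2 (transform set) ---
! AES-256/SHA rather than the DES or 3DES mentioned in the text, which are deprecated
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
! CHANGE-ME is a placeholder; use a long random pre-shared key per peer
crypto isakmp key CHANGE-ME address 203.0.113.6
!
crypto ipsec transform-set CAMPUS-TS esp-aes 256 esp-sha-hmac
!
! Only the GRE traffic between the two tunnel endpoints is encrypted
ip access-list extended GRE-TO-BUSINESS
 permit gre host 203.0.113.2 host 203.0.113.6
!
crypto map CAMPUS-MAP 10 ipsec-isakmp
 set peer 203.0.113.6
 set transform-set CAMPUS-TS
 match address GRE-TO-BUSINESS
!
! --- Procedure 3: GRE tunnel carrying the private (LAN) traffic ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 203.0.113.6
!
! --- WAN link to the ISP leased line; crypto map applied here ---
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map CAMPUS-MAP
 no shutdown
!
! --- LAN (Computer Science, 192.168.1.33/27 from Table 1) ---
interface FastEthernet0/0
 ip address 192.168.1.33 255.255.255.224
 no shutdown
!
! --- Procedure 2: EIGRP exchanges LAN routes across the tunnel only ---
router eigrp 100
 network 192.168.1.32 0.0.0.31
 network 10.0.0.0 0.0.0.3
 no auto-summary
```

The Business School router is configured as a mirror image (its own WAN and LAN addresses, 10.0.0.2 on Tunnel0 and 203.0.113.2 as the peer and ACL destination). Once both sides are up, show crypto ipsec sa should show the encapsulated and decapsulated packet counters increasing while the two LANs ping each other, confirming that the GRE traffic is leaving the WAN interface inside ESP rather than in plain text.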
Fig A. Setting up a VPN between the University Departments of Sheffield Hallam University in a Campus Environment.

4.2 IP ADDRESS USED IN THIS CONFIGURATION

TABLE 1

DESCRIPTION | Computer science IP address | Admin IP address | Business school IP address | Engr dept IP address | Med dept IP address
LAN IP      | 192.168.1.33/27             | 192.168.1.65     | 192.168.1.97               | 192.168.1.129        |
WAN IP      | 126.96.36.199/30, 188.8.131.52/30, 184.108.40.206/30, 220.127.116.11/30, 18.104.22.168/32, 22.214.171.124/30, 126.96.36.199/30, 188.8.131.52