DESIGN AND SIMULATION OF SECURE VIRTUAL PRIVATE NETWORK (VPN) OVER AN OPEN NETWORK (INTERNET) INFRASTRUCTURE
(CASE STUDY OF NATIONAL BOARD FOR TECHNICAL EDUCATION NBTE)
ABSTRACT
The world has changed a lot in the last
couple of decades. Instead of simply dealing with local or regional
concerns, many businesses now have to think about global markets and
logistics. Many companies have facilities spread out across the country
or around the world, and there is one thing that all of them need: a way
to maintain cost-effective, fast, secure and reliable communications
wherever their offices are. How do we ensure the safe passage of data
across a shared infrastructure? The answer is to deploy a secure
Virtual Private Network (VPN).
CHAPTER ONE
1.0 Introduction
This is the information age. We no
longer have to commute physically from one place to another to complete a
set of tasks or to gather pieces of information. Everything can be done
virtually with a mouse click on an online host. In a way, everything we
do in our daily lives is related in one way or another to information
access. This has made information sharing almost mandatory and
indispensable. These days, a customer can retrieve and compare product
or service information promptly online, anytime, anywhere. For
competitive reasons, organizations that provide this information have to
make it readily available online.
In other words, the concept of a shared
infrastructure is undisputedly important. A shared infrastructure is
none other than a public network. At present, the biggest public
network is the Internet, which has over 100,000 routes and is still
growing rapidly. As more and more companies link their corporate
networks to the Internet, we are faced with an inevitable
issue: information security. Sharing information on a public network
also implies giving access and visibility to everyone who wants to
retrieve that data. What if a person who has access and
visibility to the information decides to create havoc? Some of the
general threat types posed by malicious hackers include
eavesdropping, denial of service, unauthorized access, data
manipulation, masquerade, session replay, and session hijacking.
VPNs are networks deployed on a public
network infrastructure that utilize the same security, management, and
quality of service policies that are applied in a private network. VPNs
provide an alternative to building a private network for site-to-site
communication over a public network or the Internet. Because they
operate across a shared infrastructure (the Internet) rather than a private
network, companies can cost-effectively extend the corporate WAN to
telecommuters, mobile users, and remote offices as well as to new
constituencies, such as customers, suppliers, and business partners.
1.1 Background of the Study
The National Board for Technical
Education (NBTE) is a commission established by the Federal
Government of Nigeria to oversee the affairs of technical schools in
Nigeria. Its offices are located in various states of the Federation.
Its functions include the accreditation of courses and the monitoring of the
affairs of technical institutions in Nigeria. It does not have any
secure and reliable communications infrastructure connecting its
offices across the country. Traditional WANs connect customer sites via dedicated
point-to-point links. This means that multiple independent circuits have
to terminate at the corporate network egress, making the deployment
non-scalable and difficult to maintain.
VPNs extend the classic WAN by replacing
the physical point-to-point links with logical point-to-point links
sharing a common infrastructure, allowing all the traffic to be
aggregated into a single physical connection. This scenario results in
potential bandwidth and cost savings at the network egress. Because
customers no longer need to maintain a private network, and because a
VPN itself is cheaper to own and offers significant cost savings over
private WANs, operation costs are reduced.
VPNs provide an alternative WAN
infrastructure that can replace or augment commercial private networks
that use leased-line or frame relay/ATM networks. There are two ways
business customers can implement and manage their VPNs. They can either
roll out their own VPNs and manage them internally, or outsource the VPN
management to their service providers for a total VPN package that is
tailored to their particular business needs. Last but not least, from
the service providers’ perspective, VPNs are a fundamental building
block in delivering new value-added services that benefit their business
customers as well as themselves. In this instance, the service
providers deploy the VPNs for their customers, and the customers need
only subscribe to the service providers for the VPN services.
1.2 Objectives of the study:
A secure VPN is a cost-effective means of achieving the following:
- Access control into a private network over a shared network
- Secure information and identity management
- Secure intranet and information sharing
- Reliability
- Near 99% network uptime
- Secure desktop sharing
1.3 Significance of the study:
This project informs readers and
would serve as a foundation for computer networking and information control in a
networked environment. A well-designed VPN gives the project
the following significance:
- Extends geographic network connectivity
- Improves security of the private network
- Reduces operational costs versus a traditional WAN
- Improves productivity
- Simplifies network topology
- Provides broadband networking compatibility
- Provides faster ROI (return on investment) than a traditional WAN
- The study would also be helpful to students carrying out research on this topic or any related topic
The following features are incorporated:
- Security
- Reliability
1.4 Scope of the Study:
This study covers the design and demonstration of the following:
- An intranet-based site-to-site VPN that connects the NBTE offices
- A three-site WAN, consisting of a headquarters (HQ) and two branch offices
- Access control list (ACL) implementation, IPsec and encryption to provide secure access to network resources
- Network reliability
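The scope above combines three ideas that a site-to-site IPsec design has to get right together: which subnets belong to which site, which traffic is "interesting" (selected by the crypto ACL) and which peer it is protected to. The following Python model, added here as an illustration and not part of the thesis or of NBTE's network, builds RFC 4301-style Security Policy Database (SPD) selectors for a hub-and-spoke topology with HQ as hub and two branches as spokes, then classifies a packet leaving a site as PROTECT, BYPASS or DISCARD. All addresses and peer IPs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addressing for the three-site design (HQ + two
# branches). These LANs and tunnel peer addresses are assumptions only.
SITES = {
    "HQ":      {"lan": "10.0.0.0/24", "peer": "198.51.100.1"},
    "Branch1": {"lan": "10.0.1.0/24", "peer": "203.0.113.1"},
    "Branch2": {"lan": "10.0.2.0/24", "peer": "192.0.2.1"},
}

@dataclass(frozen=True)
class SPDEntry:
    src: ipaddress.IPv4Network   # source selector (the crypto ACL "permit")
    dst: ipaddress.IPv4Network   # destination selector
    peer: str                    # tunnel endpoint matching traffic is encrypted to

def spd_for(site, hub="HQ"):
    """SPD entries installed on one site's VPN gateway (hub-and-spoke):
    a spoke sends every remote LAN via the hub; the hub keeps a selector
    per spoke LAN so it can re-encrypt relayed spoke-to-spoke traffic."""
    me = ipaddress.ip_network(SITES[site]["lan"])
    others = {n: ipaddress.ip_network(s["lan"]) for n, s in SITES.items() if n != site}
    entries = []
    if site == hub:
        for spoke, spoke_lan in others.items():
            sources = [me] + [lan for n, lan in others.items() if n != spoke]
            for src in sources:
                entries.append(SPDEntry(src, spoke_lan, SITES[spoke]["peer"]))
    else:
        for remote_lan in others.values():
            entries.append(SPDEntry(me, remote_lan, SITES[hub]["peer"]))
    return entries

def classify(site, src_ip, dst_ip, hub="HQ"):
    """Decision for a packet arriving on `site`'s inside interface:
    BYPASS  - stays within the local LAN, no IPsec needed
    PROTECT - matches a selector, encrypt to the returned peer
    DISCARD - matches nothing (no split tunnelling in this policy)"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    me = ipaddress.ip_network(SITES[site]["lan"])
    if src in me and dst in me:
        return ("BYPASS", None)
    for entry in spd_for(site, hub):
        if src in entry.src and dst in entry.dst:
            return ("PROTECT", entry.peer)
    return ("DISCARD", None)
```

Branch-to-branch traffic is classified twice: once at the originating branch (protected to HQ) and again at HQ after decryption (protected to the other branch), which is the relay cost of hub-and-spoke versus a full mesh.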
1.5 Limitations of the study:
The design of a secure VPN is an
enterprise network project that leverages the enterprise
facilities and network infrastructure available to the organization. In
this project most of these facilities are not available, so a simulator
is used to achieve the relevant features. This research ought to cover a
wide area but was unable to do so owing to the following limitations:
Finance: The
cost of acquiring network equipment is high, and as a student, I was
unable to afford all the financial requirements of the research study.
Time: The
period of time allowed for this project was small. A project of this
nature needs more time for complete investigation and research to be
conducted. Moreover, studies and examinations are being combined, which
does not allow complete dedication to the project. Therefore the
following may not be achieved in this academic project:
- Scalability
- Network management
- Policy management
- Remote Access VPN
1.6 Definition of terms:
LEASED LINES: These
are usually referred to as a point-to-point or dedicated connection. A
leased line is a pre-established WAN communications path that goes from
the CPE through the DCE switch, then over to the CPE of the remote
site. The CPE enables the DTE to communicate at any time with no cumbersome
setup procedures to work through before transmitting data. It uses
synchronous serial lines up to 45Mbps. HDLC and PPP encapsulations are
frequently used on leased lines.
ROUTER: A Network layer
mechanism, either software or hardware, that uses one or more metrics to
decide on the best path for transmitting network traffic.
Routers forward packets between networks based on the information
provided at the Network layer. Historically, this device has sometimes
been called a gateway.
ACCESS RATE: Defines
the bandwidth rate of the circuit. For example, the access rate of a T1
circuit is 1.544Mbps. In Frame Relay and other technologies there may
be a fractional T1 connection (256Kbps, for example); however, the access
rate and clock rate are still 1.544Mbps.
ATM (Asynchronous
Transfer Mode): The international standard, identified by fixed-length
53-byte cells, for transmitting cells in multiple-service systems, such
as voice, video, or data. Transit delays are reduced because the
fixed-length cells permit processing to occur in hardware.
ATM is designed to maximize the benefits of high-speed transmission media such as SONET, E3, and T3.
BANDWIDTH: The gap
between the highest and lowest frequencies employed by network signals;
more commonly, it refers to the rated throughput capacity of a network
protocol or medium.
BURSTING: Some technologies, including ATM and Frame
Relay, are considered burstable. This means that user data can exceed
the bandwidth normally reserved for the connection; however, it cannot
exceed the port speed. An example of this would be a 128Kbps Frame
Relay CIR on a T1: depending on the vendor, it may be possible to send
more than 128Kbps for a short time.
Class A Network: Part of
the Internet Protocol hierarchical addressing scheme. Class A networks
have only 8 bits for defining networks and 24 bits for defining hosts
and subnets on each network.
Class B Network: Part of
the Internet Protocol hierarchical addressing scheme. Class B networks
have 16 bits for defining networks and 16 bits for defining hosts and
subnets on each network.
Class C Network: Part of
the Internet Protocol hierarchical addressing scheme. Class C networks
have 24 bits for defining networks and only 8 bits for defining hosts
and subnets on each network.
COLLISION DOMAIN: The
network area in Ethernet over which frames that have collided will be
detected. Collisions are propagated by hubs and repeaters, but not by
LAN switches, routers, or bridges.
DCE: Data communications
equipment (as defined by the EIA) or data circuit-terminating equipment
(as defined by the ITU-T): the mechanisms and links of a communications
network that make up the network portion of the user-to-network
interface, such as modems. The DCE supplies the physical connection to
the network, forwards traffic, and provides a clocking signal to
synchronize data transmission between DTE and DCE devices.
DHCP (Dynamic Host
Configuration Protocol): DHCP is a superset of the BootP protocol. This
means that it uses the same protocol structure as BootP, but with
enhancements added. Both of these protocols use servers that dynamically
configure clients when requested. The two major enhancements are
address pools and lease times.
CIRCUIT SWITCHING: The
term circuit switching means setting up a connection before
transmitting data and disconnecting at the end of transmission, just
like making a phone call. It is used with dial-up networks such as PPP and
ISDN.
WAN (Wide Area Network): A designation for networks
used to connect LANs together across a DCE (data communication
equipment) network. Typically, a WAN is a leased line or dial-up
connection across a PSTN network. Examples of WAN protocols include
Frame Relay, PPP, ISDN, and HDLC.
ISDN (Integrated Services Digital Network): Offered
as a service by telephone companies, a communication protocol that
allows telephone networks to carry data, voice and other digital
traffic.
INTRANET: A computer network within an organization: a
network of computers, especially one using World Wide Web conventions,
accessible only to authorized users such as those within a company.
INTERNET: The global
"network of networks"; a network that links computer networks all over
the world by satellite and telephone, connecting users with services
such as e-mail and the World Wide Web.
ENCRYPTION: The
conversion of information into a scrambled form that effectively disguises
it to prevent unauthorized access. Every encryption scheme uses some
well-defined algorithm, which is reversed at the receiving end by an
inverse algorithm in a process known as decryption.
FIREWALL: A barrier
purposefully erected between a connected public network and a private
network, made up of a router or access server, or several routers or
access servers, that uses access lists and other methods to ensure the
security of the private network.
VPN (Virtual Private Network): A method of encrypting
point-to-point logical connections across a public network, such as the
Internet. This allows secure communications across a public network.