
Department of Computing, Communications Technology and Mathematics

Final Year Project Report
Submitted in partial fulfilment of the requirements of the degree of Bachelor of Science with Honours of the London Metropolitan University

VIRTUAL PRIVATE NETWORKING IMPLEMENTATION FOR SUN INFOSYS LTD.

By Rashid Khan
May 2005
ID: 03020935
Supervisor: Professor Algirdas Pakstas
Author: Rashid Khan


ABSTRACT

This project will provide an introduction, research, theory, analysis, solutions and a real-time implementation and study of Virtual Private Networking for Sun Infosys Ltd. It will also set out the structure of this document. It consists of the various concepts, theories and main terminology needed to understand and implement a Virtual Private Network.

Chapter 1 (Introduction) introduces the project proposal and the project implementation, and the presentation to be given in front of students and teachers after the submission of this documentation. The presentation will clarify and demonstrate my understanding of this project, the actual implementation of this project by myself, and how the implementation was seen through.

Chapter 2 (Project Proposal) is the project proposal report completed in the previous module; it details in theory how best to implement this project.

Chapter 3 (Literature Search) uses the relevant literature research to justify some of the aims and objectives.

Chapter 4 (Project Plan) discusses the project plan, which examines how and what I would like to implement.

Chapter 5 (Investigation and Result) describes the details of the experiments and investigations carried out.

Chapter 6 (A critical appraisal of the work done) examines the project in its entirety with a critique of what is achieved, a discussion of problems encountered, an examination of the validity of the method chosen to solve the problem, etc.


Chapter 7 (Conclusion) states the purpose of the work and gives a concise summary of the project.

Chapter 8 (Suggestions for further work) discusses how I could have improved things.

Chapter 9 contains the References.

Chapter 10 contains the Appendix.


CONTENTS

Chapter 1 - INTRODUCTION ... 6
1.1 What the Project is about ... 6
1.2 Organisational Structure ... 7
Chapter 2 - THE PROJECT PROPOSAL ... 9
2.1 Background Information on the company ... 10
2.2 The UNIX based solution ... 12
2.3 The Windows Based solution ... 13
Chapter 3 - THE LITERATURE SEARCH ... 15
3.1 What is VPN? ... 16
3.2 What Makes a VPN? ... 17
3.3 Types of VPN ... 18
3.4 Remote-Access VPN ... 18
3.5 Site-to-Site VPN ... 20
3.6 Extranet VPN ... 22
3.7 VPN Security ... 23
3.8 Firewalls ... 24
3.9 Encryption ... 25
3.10 IPSec ... 26
3.11 AAA Servers ... 28
3.12 VPN Technologies ... 29
3.13 VPN Concentrator ... 29
3.14 VPN-Optimized Router ... 30
3.15 Cisco Secure PIX Firewall ... 30
3.16 Tunnelling ... 30
3.17 Carrier protocol ... 31
3.18 Encapsulating protocol ... 31
3.19 Passenger protocol ... 31
3.20 Tunneling: Site-to-Site ... 32
3.21 Tunnelling: Remote-Access ... 32
3.22 L2F (Layer 2 Forwarding) ... 32
3.23 PPTP (Point-to-Point Tunneling Protocol) ... 33
3.24 L2TP (Layer 2 Tunneling Protocol) ... 33
3.25 MPLS ... 34


Chapter 4 - PROJECT PLAN ... 38
4.1 Step 1 ... 38
4.1 Step 2 ... 39
4.1 Step 3 ... 39
Chapter 5 - INVESTIGATION AND RESULT ... 41
5.1 VPN using hardware based tools and technologies ... 42
5.2 VPN using software based tools and technologies ... 42
5.3 Protocol Selection ... 42
5.4 Performance needs ... 43
5.5 IP Address Planning ... 43
5.6 ISP Evaluation ... 44
5.7 Installing & configuring ISA Server 2000 ... 44
Chapter 6 - CRITICAL APPRAISAL OF THE WORK DONE ... 45
Chapter 7 - CONCLUSION ... 46
Chapter 8 - SUGGESTIONS FOR FURTHER WORK ... 49
REFERENCES ... 51
APPENDICES ... 55
APPENDIX A Implementation: Installing Windows Server 2003 ... 56
APPENDIX B Implementation: Installing ISA Server 2000 ... 63
APPENDIX C Implementation: Installing ISA Server Service Pack 1 ... 74
APPENDIX D Implementation: Installing Hotfix isahf255.exe ... 77
APPENDIX E Implementation: Installing Feature Pack 1 ... 80
APPENDIX F Implementation: Configuring the ISA Server 2000/VPN Server ... 82
APPENDIX G Implementation: Connecting to the VPN ... 100


ACKNOWLEDGEMENTS

I would like to thank the following people, without whose help the completion of this project would not have been possible.

Special thanks to Peter Chalk, for all his help, guidance and encouragement.

Mr. Sri Adam, for letting me implement this project in his organization.

All my friends and family, for their help, support and suggestions.

All the final year BSc. Computer Networking students for their feedback about this report.

Anyone who helped me, whether knowingly or unknowingly, willingly or unwillingly, directly or indirectly.


    Virtual Private Networking Introduction

    Chapter 1 - Introduction

1.1 What the Project is about

This project is about Virtual Private Network technology and its implementation in a real work environment. It is my final year project implementation; I am a final year undergraduate student in BSc Hons. Computer Networking. The chosen topic for this project is Virtual Private Network implementation for Sun InfoSys Ltd. (http://www.suninfosys.co.uk/).

Sun InfoSys Ltd. is in the business of CCTV systems. It was established by I.T. and security experts to provide total security solutions to the retail business market. They provide security systems by integrating Information Technology with their digital and analogue CCTV systems. Sun InfoSys is the supplier and installer of various hardware (i.e. computers, printers, Point of Sale systems, digital Internet-enabled CCTV systems) and software (all types of software needed by EPOS, CCTV and client business) for retail businesses in the UK.

The company's aim is to add value in all areas of its involvement with customers, whether simply offering technical support, single hardware components or efficient security monitoring systems in the form of digital CCTV systems. They also provide a 24-hour digital CCTV remote monitoring facility.


1.2 ORGANIZATIONAL STRUCTURE

Name of Organisation: Sun InfoSys Ltd.
Address: No 8, Exmouth Rd. London, E17 7QQ.
Telephone & Fax numbers: Tel: 0870 609 2363
Name of Managing Director: Mr. Sri Adam

Organisation chart: Managing Director at the top, with the departments Sales, Accounts, Warehouse, Technical Support and Customer Services below.

My motivation for this project is not only to enhance my knowledge of the complex but very rewarding and currently hot technology of Virtual Private Networking for an existing company, Sun InfoSys Ltd., but to actually implement this project in that company. This can bear fruit for me in the form of possible future job prospects in this company. I had to be able to liaise with the staff and establish a good rapport with them.

Furthermore, in this project I will also be developing an online website covering this report, which will be available with this documentation; the web address will be published in the conclusion of this report.

Previously I worked for several years as a Network Engineer in Pakistan for several companies, and have designed, deployed, managed and troubleshot complex networks.


I have also worked as a web developer and developed several websites for clients in Pakistan. Clearly I have a great interest in the field of Networking, and this is the sole reason for me taking up this degree to further my knowledge and career within this field.


    Virtual Private Networking Project Proposal

    Chapter 2 - The Project Proposal

2.1 Background Information on the company

Sun Infosys Ltd. (http://www.suninfosys.co.uk/) is in the business not only of computer hardware but of software and CCTV systems as well. Because of the varied systems there was a need for convergence and also availability, so that the resources can be tapped and checked from virtually everywhere, as the sales team and the director are mostly mobile. This need, coupled with the popularity of VPN systems, gave me a chance to offer myself for this project and to offer a solution to their problems. Sun Infosys Ltd. gladly accepted my offer.

The aims and objectives of this project are to make proposals and then implement a suitable proposal, which will allow me to investigate the best method and solution for implementing a Virtual Private Network for Sun InfoSys Ltd. between its Head Office and Branch Office, and to provide connectivity to its Managing Director, Sales team and various Installers and Site Engineers requiring access to various resources.

Sun InfoSys Ltd. was established by I.T. and security experts to provide total solutions to the retail business market. Sun InfoSys Ltd. is probably the only one which provides total security systems by integrating them with I.T. Sun Infosys is the supplier and installer of various hardware (i.e. computers, printers, Point of Sale systems, digital Internet-enabled CCTV systems) and software (all types of software needed by EPOS, CCTV and client business) for retail businesses in the UK.

The company's aim is to add value in all areas of its involvement with customers, whether simply offering technical support, single hardware components or efficient planning of a large systems integration and installation programme.


By building a Virtual Private Network system, I plan to cater to the company's current need of providing connectivity to its essential resources, as the Managing Director Mr. S. Peter Andy is always on the move and needs to connect to the company resources from various national and international venues such as the UK and Taiwan when holding meetings and presentations with his suppliers in Taiwan. He needs to be able to have up-to-the-minute data about stocks, current requirements, current problems and sales figures.

The company has a head office in the following location:

Head Office: No 8, Exmouth Rd. London, E17 7QQ.

And also has a branch office in the following location:

Branch Office: No 772-776, Romford Rd., London E12.

The sales team need to commute to various organizations to give presentations and to convince potential clients; they frequently require on-the-move connections to resources such as sales figures, Sage, presentations, technical data, live demos and IP-based demonstrations of their digital CCTV systems.

The Support team and various installers and engineers require on-the-move access to technical resources, software, patches, and contact information from the company and Sage when visiting client locations, currently anywhere in London.

In light of the above data and information given to me, I propose a Virtual Private Network solution. This solution can be delivered on a UNIX system or on a Microsoft Windows based system.


2.2 The UNIX based solution

The UNIX based solution entails the following to be done: installation and configuration of a LINUX box (server), and installation of LINUX FreeS/WAN. LINUX FreeS/WAN is an implementation of IPSEC and IKE for Linux.

The abbreviation IPSEC stands for Internet Protocol SECurity. It uses strong cryptography to offer both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transfer. Encryption prevents unauthorised reading of packet contents. Together they provide even better security.

These services make it possible to build secure tunnels through untrustworthy and unreliable networks. Everything that passes through the untrusted network is encrypted by the IPSEC gateway machine and decrypted by the gateway at the other end. The result is a Virtual Private Network or VPN, a network which is effectively private even though it includes machines at several different sites connected by the insecure and public Internet.

The IPSEC protocols were developed by the IETF (Internet Engineering Task Force) and will be required as part of the next generation IP, IP Version 6. They are also being widely implemented for IP V4. In particular, nearly all vendors of any type of firewall or security software have IPSEC support either shipping or in development. There are also several open source IPSEC projects. Several companies are co-operating in the Secure Wide Area Network (S/WAN) project to ensure that products will interoperate. There is also a VPN Consortium fostering cooperation among companies in this area.

The LINUX / FreeS/WAN solution requires basic knowledge of LINUX and a moderate knowledge of networking protocols.


There are three popular authentication methods supported by LINUX based FreeS/WAN:

RAW RSA keys - for FreeS/WAN to FreeS/WAN connections only. A raw RSA key is literally a long string of alphanumeric characters, which is the encoding of either a public or a private key. The public and private keys go together, so that with the private key the owner can validate the public key.

X.509 certificates (which are essentially RSA keys in a glorified format). X.509 certificates use the same encryption scheme as raw RSA keys, but wrap them in certificates. This allows a trust-inheritance scheme, and the certificates themselves also contain useful supporting information. The actual representation of a certificate is a file, which can be encoded in many different ways (plain-text, binary or combinations of the two), for example PEM, base64, PKCS#12, etc.

PSKs (Pre-shared secret keys). PSKs are not very secure at all. They are simply non-encrypted passphrases stored in plain-text, e.g. my_secret_password. They help get a connection set up if easy authentication is to be used (they are the easiest of the three to set up), but are insecure and should not be used in the long run.
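The weak choice and the stronger choice above, side by side, as an added example that is not part of the report: in a FreeS/WAN ipsec.conf the authby setting selects between a pre-shared secret and raw RSA signatures. The gateway addresses, subnets and key strings below are placeholders I have assumed for a head office to branch office tunnel.

```conf
# /etc/ipsec.conf (added example; addresses and keys are assumed placeholders)
config setup
    interfaces=%defaultroute

# Weak setting: PSK authentication. The passphrase is stored in clear text in
# /etc/ipsec.secrets, e.g.
#     203.0.113.10 198.51.100.20 : PSK "my_secret_password"
# and anyone who can read that file can impersonate either gateway.
conn headoffice-branch-psk
    # head office gateway (placeholder)
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    # branch office gateway (placeholder)
    right=198.51.100.20
    rightsubnet=192.168.2.0/24
    authby=secret
    auto=start

# Stronger setting: raw RSA signatures. Each gateway keeps its own private key
# in its /etc/ipsec.secrets; only the public halves appear here, so reading this
# file does not let anyone impersonate a gateway. Each public key is the
# "leftrsasigkey=" / "rightrsasigkey=" line printed by
# "ipsec showhostkey --left" or "ipsec showhostkey --right" on that gateway.
conn headoffice-branch-rsa
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    leftrsasigkey=0sAQ...PLACEHOLDER-HEAD-OFFICE-PUBLIC-KEY
    right=198.51.100.20
    rightsubnet=192.168.2.0/24
    rightrsasigkey=0sAQ...PLACEHOLDER-BRANCH-PUBLIC-KEY
    authby=rsasig
    auto=start
```

Only one of the two conn sections would be enabled in practice; both are shown here so the single line that differs in security, authby, is visible.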

Hardware Requirements for LINUX FreeS/WAN solution:

The hardware requirements are pretty basic: a 32-bit machine capable of running Linux, with two NICs (network interface cards; one connected towards the Internet, the other connected to the clients).


2.3 The Windows Based solution

The Windows based solution consists of the following:

Requirements: A Windows based server operating system, ideally Windows Server 2003, and Microsoft ISA Server 2000.

Hardware requirements for Windows Server 2003 / ISA Server 2000 solution:

Computer and processor: PC with a 133-MHz processor required; 550-MHz or faster processor recommended
Memory: 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum
Hard disk: 1.25 to 2 GB of available hard-disk space
Drive: CD-ROM or DVD-ROM drive
Display: VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended


    Virtual Private Networking Literature Search

    Chapter 3 - Literature Search

Hence I have accumulated the following key topics for research for Virtual Private Networking:

3.1 What is VPN?
3.2 What Makes a VPN?
3.3 Types of VPN
3.4 Remote-Access VPN
3.5 Site-to-Site VPN
3.6 Extranet VPN
3.7 VPN Security
3.8 Firewalls
3.9 Encryption
3.10 IPSec
3.11 AAA Servers
3.12 VPN Technologies
3.13 VPN Concentrator
3.14 VPN-Optimized Router
3.15 Cisco Secure PIX Firewall
3.16 Tunnelling
3.17 Carrier protocol
3.18 Encapsulating protocol
3.19 Passenger protocol
3.20 Tunneling: Site-to-Site
3.21 Tunnelling: Remote-Access
3.22 L2F (Layer 2 Forwarding)
3.23 PPTP (Point-to-Point Tunneling Protocol)
3.24 L2TP (Layer 2 Tunneling Protocol)
3.25 MPLS


3.1 What is VPN?

A VPN is a generic term that describes any combination of technologies that can be used to secure a connection through an otherwise unsecured or untrusted network.

Cisco Definition: http://www.cisco.com/warp/public/779/largeent/design/vpn.html

[VPN is one of the most used words in networking today and has many different meanings. The broadest definition of a VPN is 'any network built upon a public network and partitioned for use by individual customers'. This results in public frame relay, X.25, and ATM networks being considered as VPNs. These types of VPNs are generically referred to as Layer 2 VPNs. The emerging forms of VPNs are networks constructed across shared IP backbones, referred to as 'IP VPNs'.]

Definition by VPN Consortium: http://www.vpnc.org/vpn-technologies.html

[A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data.


Companies today are looking at using a private virtual network for both extranets and wide-area intranets.]

My Definition:

Basically a VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together. Instead of using a dedicated, real-world connection such as a leased line, a VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.

3.2 What Makes a VPN?

A well-designed VPN can greatly benefit a company. For example, it can:

Extend geographic connectivity
Improve security
Reduce operational costs versus a traditional WAN
Reduce transit time and transportation costs for remote users
Improve productivity
Simplify network topology
Provide global networking opportunities
Provide telecommuter support
Provide broadband networking compatibility
Provide faster ROI (return on investment) than a traditional WAN

A well-designed VPN should have the following features. It should incorporate:

Security
Reliability
Scalability
Network management
Policy management


3.3 Types of VPN

1) Remote-Access VPN
2) Site-to-Site VPN
3) Extranet VPNs

3.4 Remote-Access VPN

Cisco Definition: http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html

[Remote Access VPNs provide remote access to a corporate Intranet or extranet over a shared infrastructure with the same policies as a private network. Access VPNs enable users to access corporate resources whenever, wherever, and however they require. Access VPNs encompass analog, dial, ISDN, digital subscriber line (DSL), mobile IP, and cable technologies to securely connect mobile users, telecommuters, or branch offices.]

Remote-Access VPN

My Definition:

Remote-access, also called a virtual private dial-up network (VPDN), is a user-to-LAN connection used by a company that has employees who need to connect to the private network from various remote locations. Normally, a company that wishes to set up a large remote-access VPN will outsource to an enterprise service provider (ESP). The ESP sets up a network access server (NAS) and provides the remote users with desktop client software for their computers. The telecommuters can then dial a Low Call or Free number (0800, 0500 etc.) to reach the NAS and use their VPN client software to access the corporate network.


[Figure: Remote-Access VPN. Image source: Understanding Virtual Private Networking, from ADTRAN, http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf ** Source: the above picture is copyrighted and taken from the Cisco website: http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html]


A good example of a company that needs a remote-access VPN would be a company with a lot of sales people in the field. Remote-access VPNs permit secure, encrypted connections between a company's private network and remote users through a third-party service provider.

3.5 Site-to-Site VPN

Cisco Definition: http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html

[Site-to-Site VPNs are an alternative WAN infrastructure used to connect branch offices, home offices, or business partners' sites to all or portions of a company's network. VPNs do not inherently change private WAN requirements, such as support for multiple protocols, high reliability, and extensive scalability, but instead meet these requirements more cost-effectively and with greater flexibility.]

A company can connect multiple fixed sites over a public network such as the Internet through the use of dedicated equipment and large-scale encryption. Site-to-site VPNs can be one of two types:

Intranet-based - If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect LAN to LAN.

Extranet-based - When a company has a close relationship with another company (for example, a partner, supplier or customer), they can build an extranet VPN that connects LAN to LAN, and that allows all of the various companies to work in a shared environment.


[Figure: Site-to-Site VPN. Image source: Understanding Virtual Private Networking, from ADTRAN, http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf ** Source: the above picture is copyrighted and taken from the Cisco website: http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html]


3.6 Extranet VPN

Cisco Definition: http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html

[Extranet VPNs link customers, suppliers, partners, or communities of interest to a corporate Intranet over a shared infrastructure using dedicated connections. Businesses enjoy the same policies as a private network, including security, QoS, manageability, and reliability.]

* See reference section for resource detail.

[Figure: Extranet VPN. ** Source: the above picture is copyrighted and taken from the Cisco website: http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html]


[Figure. Image source: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf]

3.7 VPN Security

A well-designed VPN uses several methods for keeping your connection and data secure:

1) Firewalls
2) Encryption
3) IPSec
4) AAA Server


3.8 Firewalls

Definition: Resource: Webopedia, http://www.webopedia.com/TERM/f/firewall.html

[(n.) A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.]

There are several types of firewall techniques:

Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose performance degradation.

Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

In practice, many firewalls use two or more of these techniques in concert.
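As an added example that is not part of the report, the packet-filter technique above in working Python: a first-match rule set of the kind a VPN gateway needs (only IKE and ESP from the Internet, web browsing out from the LAN, everything else denied), together with the ingress check that closes the IP spoofing gap the text points out. The interface names, addresses and rules are assumed values.

```python
"""Stateless packet filter with an ingress anti-spoofing check (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology (assumed, not from the report): the firewall has an
# external interface "ext" facing the Internet and an internal interface "int".
INTERNAL_NET = ip_network("192.168.1.0/24")   # head office LAN behind the firewall
GATEWAY = ip_network("203.0.113.10/32")       # the firewall's own public address


@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    iface: Optional[str] = None        # interface the packet arrives on
    src: Optional[IPv4Network] = None  # source network
    dst: Optional[IPv4Network] = None  # destination network
    proto: Optional[str] = None        # "tcp", "udp", "esp", ...
    dport: Optional[int] = None        # destination port, if the protocol has one
    note: str = ""                     # why the rule exists; returned as the reason

    def matches(self, iface, src, dst, proto, dport) -> bool:
        # A field left as None is a wildcard; every field that is set must match.
        return ((self.iface is None or self.iface == iface)
                and (self.src is None or src in self.src)
                and (self.dst is None or dst in self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


# First match wins; anything that matches no rule falls through to default deny.
RULES: List[Rule] = [
    Rule("accept", iface="ext", dst=GATEWAY, proto="udp", dport=500, note="IKE to VPN gateway"),
    Rule("accept", iface="ext", dst=GATEWAY, proto="esp", note="IPSec ESP to VPN gateway"),
    Rule("accept", iface="int", src=INTERNAL_NET, proto="tcp", dport=80, note="LAN web browsing"),
    Rule("accept", iface="int", src=INTERNAL_NET, proto="tcp", dport=443, note="LAN web browsing"),
]


def decide(iface: str, src: str, dst: str, proto: str, dport: Optional[int] = None,
           rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, reason) for one packet described by its header fields."""
    s, d = ip_address(src), ip_address(dst)
    # The report notes that packet filters are susceptible to IP spoofing: a rule
    # that trusts INTERNAL_NET as a source is only safe if an internal address can
    # never be presented from the outside, so that check runs before any rule.
    if iface == "ext" and s in INTERNAL_NET:
        return "drop", "anti-spoof: internal source address arrived on external interface"
    for r in rules:
        if r.matches(iface, s, d, proto, dport):
            return r.action, r.note
    return "drop", "default deny"


if __name__ == "__main__":
    # Constructed sample packets: (iface, src, dst, proto, dport)
    samples = [
        ("ext", "198.51.100.7", "203.0.113.10", "udp", 500),   # remote peer starting IKE
        ("ext", "192.168.1.5", "203.0.113.10", "udp", 500),    # spoofed internal source
        ("int", "192.168.1.5", "198.51.100.7", "tcp", 80),     # LAN host browsing out
        ("ext", "198.51.100.7", "203.0.113.10", "tcp", 23),    # telnet from the Internet
    ]
    for pkt in samples:
        print(pkt, "->", decide(*pkt))
```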


A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.

3.9 Encryption

Definition: Resource: Webopedia, http://www.webopedia.com/TERM/e/encryption.html

[The translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.]

My Definition:

Encryption is the process of taking all the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode. Most computer encryption systems belong to one of two categories:

Symmetric-key encryption
Public-key encryption

In symmetric-key encryption, each computer has a secret key (code) that it can use to encrypt a packet of information before it is sent over the network to another computer. One has to know which computers will be talking to each other so that the key can be installed on each computer. Symmetric-key encryption is essentially the same as a secret code that each of the two computers must know in order to decode the information. The code provides the key to decoding the message.


This can be further understood by a simple example: you create a coded message to send to a friend in which each letter is substituted with the letter that is two down from it in the alphabet. So "A" becomes "C," and "B" becomes "D". You have already told a trusted friend that the code is "Shift by 2". Your friend gets the message and decodes it. Anyone else who sees the message will see only nonsense.
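The "Shift by 2" code above, worked as an added example in Python (not code from the report): the encoder, the trusted friend's decoder, and what "anyone else" can actually do with the nonsense. Because a shift code has only 25 possible keys, every key can be tried; the COMMON_WORDS list is a small constructed heuristic for spotting the readable candidate, and it is the reason real symmetric keys are long and random rather than a short rule.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed list of common English words used to recognise readable text.
COMMON_WORDS = {"THE", "AND", "AT", "ME", "TO", "OF", "IS", "IN", "MEET"}


def shift_encode(message, shift):
    """Replace each letter with the one `shift` places down the alphabet ("A" -> "C" for 2)."""
    out = []
    for ch in message.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation are left as they are
    return "".join(out)


def shift_decode(ciphertext, shift):
    """The trusted friend who was told "Shift by 2" simply shifts back."""
    return shift_encode(ciphertext, -shift)


def recover_without_key(ciphertext):
    """What anyone else can do: with only 25 possible keys, try each one and
    keep the candidate that contains the most common words. Returns (shift, text)."""
    best_shift, best_text, best_hits = None, None, -1
    for k in range(1, 26):
        candidate = shift_decode(ciphertext, k)
        hits = sum(1 for word in candidate.split() if word in COMMON_WORDS)
        if hits > best_hits:
            best_shift, best_text, best_hits = k, candidate, hits
    return best_shift, best_text
```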

Public-key encryption uses a combination of a private key and a public key. The private key is known only to our computer, while the public key is given by our computer to any computer that wants to communicate securely with it. To decode an encrypted message, a computer must use the public key, provided by the originating computer, and its own private key. A very popular public-key encryption utility is called Pretty Good Privacy (PGP), which allows encrypting almost anything.

3.10 IPSec

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/I/IPsec.html

[Short for IP Security, a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPSec has been deployed widely to implement Virtual Private Networks (VPNs).]

My Definition:

Internet Protocol Security Protocol (IPSec) provides enhanced security features such as better encryption algorithms and more comprehensive authentication.


Image Source: http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf

IPSec has two encryption modes: tunnel and transport. Tunnel encrypts the header and the payload of each packet while transport only encrypts the payload. Only systems that are IPSec compliant can take advantage of this protocol. Also, all devices must use a common key and the firewalls of each network must have very similar security policies set up. IPSec can encrypt data between various devices, such as:

Router to router
Firewall to router
PC to router
PC to server


3.11 AAA Servers

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/A/AAA.html

[Short for authentication, authorization and accounting, a system in IP-based networking to control what computer resources users have access to and to keep track of the activity of users over a network.]

My Definition:

AAA (authentication, authorization and accounting) servers are used for more secure access in a remote-access VPN environment. When a request to establish a session comes in from a dial-up client, the request is proxied to the AAA server. AAA then checks the following:

Who you are (authentication)
What you are allowed to do (authorization)
What you actually do (accounting)

The accounting information is especially useful for tracking client use for security auditing, billing or reporting purposes.


3.12 VPN Technologies

Depending on the type of VPN (remote-access or site-to-site), certain components will need to be put in place to build the VPN. These might include:

Desktop software client for each remote user
Dedicated hardware such as a VPN concentrator or secure PIX firewall
Dedicated VPN server for dial-up services
NAS (network access server) used by service provider for remote-user VPN access
VPN network and policy-management center

Because there is no widely accepted standard for implementing a VPN, many companies have developed turn-key solutions on their own. I will discuss some of the solutions offered by Cisco, one of the most prevalent networking technology companies:

3.13 VPN Concentrator

Incorporating the most advanced encryption and authentication techniques available, Cisco VPN concentrators are built specifically for creating a remote-access VPN. They provide high availability, high performance and scalability and include components, called scalable encryption processing (SEP) modules, which enable users to easily increase capacity and throughput. The concentrators are offered in models suitable for everything from small businesses with up to 100 remote-access users to large organizations with up to 10,000 simultaneous remote users.


3.14 VPN-Optimized Router

Cisco's VPN-optimized routers provide scalability, routing, security and QoS (quality of service). Based on the Cisco IOS (Internet Operating System) software, there is a router suitable for every situation, from small-office/home-office (SOHO) access through central-site VPN aggregation, to large-scale enterprise needs.

3.15 Cisco Secure PIX Firewall

The Cisco PIX (private Internet exchange) firewall combines dynamic network address translation, proxy server, packet filtration, firewall and VPN capabilities in a single piece of hardware. Instead of using Cisco IOS, this device has a highly streamlined OS that trades the ability to handle a variety of protocols for extreme robustness and performance by focusing on IP.

3.16 Tunnelling

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/t/tunneling.html

[(tun'l-ing) (n.) A technology that enables one network to send its data via another network's connections. Tunneling works by encapsulating a network protocol within packets carried by the second network. For example, Microsoft's PPTP technology enables organizations to use the Internet to transmit data across a VPN. It does this by embedding its own network protocol within the TCP/IP packets carried by the Internet.]


My Definition:

Most VPNs rely on tunneling to create a private network that reaches across the Internet. Essentially, tunneling is the process of placing an entire packet within another packet and sending it over a network. The protocol of the outer packet is understood by the network and by both points, called tunnel interfaces, where the packet enters and exits the network.

To explain and simplify the process of tunneling I will give an example: it's like having a mobile phone delivered by Royal Mail. The mobile phone company packs the mobile phone (passenger protocol) into a box (encapsulating protocol), which is then put on a Royal Mail delivery truck (carrier protocol) at the mobile phone company's warehouse (entry tunnel interface). The truck (carrier protocol) travels over the motorways (Internet) to the customer's home (exit tunnel interface) and delivers the mobile phone. The customer opens the box (encapsulating protocol) and removes the mobile phone (passenger protocol). That's called tunneling. Simple!

Tunneling requires three different protocols:

3.17 Carrier protocol - The protocol used by the network that the information is traveling over

3.18 Encapsulating protocol - The protocol (GRE, IPSec, L2F, PPTP, L2TP) that is wrapped around the original data

3.19 Passenger protocol - The original data (IPX, NetBEUI, IP) being carried

Tunneling has several nice uses for VPNs. For example, a packet that uses a protocol not supported on the Internet (such as NetBEUI) can be placed inside an IP packet and sent safely over the Internet. Or a packet that uses a private (non-routable) IP address can be put inside a packet that uses a globally unique IP address to extend a private network over the Internet.


3.20 Tunnelling: Site-to-Site

In a site-to-site VPN, GRE (generic routing encapsulation) is normally the encapsulating protocol that provides the framework for how to package the passenger protocol for transport over the carrier protocol, which is typically IP-based. This includes information on what type of packet is being encapsulated and information about the connection between the client and server. Instead of GRE, IPSec in tunnel mode is sometimes used as the encapsulating protocol. IPSec works well on both remote-access and site-to-site VPNs. IPSec must be supported at both tunnel interfaces to be used.
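The three tunneling roles of sections 3.16-3.19 and the two IPSec modes of section 3.10, worked as an added example in Python (not code from the report or from any product): a passenger IP packet with private addresses is carried first inside plain GRE and then inside a toy ESP-style transport mode and tunnel mode, and on_path_view returns what an observer on the carrier network (the Internet) can read in each case. The addresses, key and payload are constructed sample values, and the HMAC-based keystream stands in for the real cipher an IPSec product would use.

```python
import hashlib
import hmac
import ipaddress
import struct

# IANA protocol numbers. Addresses, key and payload further down are constructed
# sample values (RFC 5737 documentation ranges), not Sun Infosys data.
IPPROTO_TCP, IPPROTO_GRE, IPPROTO_ESP = 6, 47, 50
ETHERTYPE_IPV4 = 0x0800
TAG_LEN = 12

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header without options (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:total_len])

# --- Encapsulating protocol GRE (RFC 2784 base header): framing only, no secrecy ---
def gre_encapsulate(passenger, carrier_src, carrier_dst):
    """Passenger packet -> GRE header -> carrier IP header (entry tunnel interface)."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + passenger  # flags/version, protocol type
    return ipv4_header(carrier_src, carrier_dst, IPPROTO_GRE, len(gre)) + gre

def gre_decapsulate(carrier):
    """Exit tunnel interface: strip carrier and GRE headers, return the passenger packet."""
    _, _, proto, payload = parse_ipv4(carrier)
    if proto != IPPROTO_GRE:
        raise ValueError("not a GRE carrier packet")
    flags, ptype = struct.unpack("!HH", payload[:4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected passenger protocol %#06x" % ptype)
    return payload[8:] if flags & 0x8000 else payload[4:]  # C bit adds a 4-byte checksum field

# --- Toy ESP: SPI | seq | ciphertext | HMAC tag. Stand-in for IPSec ESP with a real cipher ---
def _keystream(key, nonce, n):
    """HMAC-SHA256 counter-mode keystream; illustration only, never a production cipher."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def esp_protect(plain, key, spi, seq):
    hdr = struct.pack("!II", spi, seq)  # SPI and sequence number travel in clear, as in real ESP
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, hdr, len(plain))))
    return hdr + ct + hmac.new(key, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]

def esp_unprotect(esp, key):
    """Verify the tag before decrypting: a modified packet is rejected, not decoded."""
    hdr, ct, tag = esp[:8], esp[8:-TAG_LEN], esp[-TAG_LEN:]
    expected = hmac.new(key, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ESP integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, hdr, len(ct))))

def ipsec_transport(inner, key, spi=0x100, seq=1):
    """Transport mode: the original IP header stays in clear; only the payload is protected."""
    src, dst, proto, payload = parse_ipv4(inner)
    esp = esp_protect(bytes([proto]) + payload, key, spi, seq)  # next-header byte kept inside
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp

def ipsec_tunnel(inner, key, gw_src, gw_dst, spi=0x200, seq=1):
    """Tunnel mode: the whole inner packet, header included, hides behind a new outer header."""
    esp = esp_protect(inner, key, spi, seq)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(esp)) + esp

def ipsec_open(pkt, key):
    """Receiving tunnel interface: strip the outer header, verify and decrypt the ESP payload."""
    _, _, proto, esp = parse_ipv4(pkt)
    if proto != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    return esp_unprotect(esp, key)

def on_path_view(pkt):
    """What an observer on the carrier network (the Internet) can read from the packet."""
    src, dst, proto, _ = parse_ipv4(pkt)
    view = {"outer_src": src, "outer_dst": dst, "proto": proto,
            "inner_src": None, "inner_dst": None, "inner_payload": None}
    if proto == IPPROTO_GRE:  # plain GRE: inner addresses and data are fully readable
        isrc, idst, _, ipayload = parse_ipv4(gre_decapsulate(pkt))
        view.update(inner_src=isrc, inner_dst=idst, inner_payload=ipayload)
    return view

# Constructed sample: a private-address packet from the office LAN crossing the Internet
PAYLOAD = b"SAGE ledger update"
PASSENGER = ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_TCP, len(PAYLOAD)) + PAYLOAD
KEY = b"constructed-32-byte-demo-key!!!!"
GW_A, GW_B = "203.0.113.10", "198.51.100.20"  # public tunnel interface addresses
```

Calling on_path_view on gre_encapsulate(PASSENGER, GW_A, GW_B), ipsec_transport(PASSENGER, KEY) and ipsec_tunnel(PASSENGER, KEY, GW_A, GW_B) shows the progression: GRE exposes the private addresses and the data, transport mode hides the data but still names the two hosts, and tunnel mode shows only the two gateways.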

3.21 Tunnelling: Remote-Access

In a remote-access VPN, tunneling normally takes place using PPP. Part of the TCP/IP stack, PPP is the carrier for other IP protocols when communicating over the network between the host computer and a remote system. Remote-access VPN tunneling relies on PPP.

Each of the protocols listed below was built using the basic structure of PPP and is used by remote-access VPNs.

3.22 L2F (Layer 2 Forwarding)

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/L/Layer_Two_Forwarding.html

[Often abbreviated as L2F, a tunneling protocol developed by Cisco Systems. L2F is similar to the PPTP protocol developed by Microsoft, enabling organizations to set up virtual private networks (VPNs) that use the Internet backbone to move packets.]

Developed by Cisco, L2F will use any authentication scheme supported by PPP.


3.23 PPTP (Point-to-Point Tunnelling Protocol)

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/P/PPTP.html

[Short for Point-to-Point Tunneling Protocol, a new technology for creating Virtual Private Networks (VPNs), developed jointly by Microsoft Corporation, U.S. Robotics, and several remote access vendor companies, known collectively as the PPTP Forum. A VPN is a private network of computers that uses the public Internet to connect some nodes. Because the Internet is essentially an open network, the Point-to-Point Tunneling Protocol (PPTP) is used to ensure that messages transmitted from one VPN node to another are secure. With PPTP, users can dial in to their corporate network via the Internet.]

PPTP was created by the PPTP Forum, a consortium which includes US Robotics, Microsoft, 3COM, Ascend and ECI Telematics. PPTP supports 40-bit and 128-bit encryption and will use any authentication scheme supported by PPP.

3.24 L2TP (Layer 2 Tunneling Protocol)

Definition:
Resource: Webopedia
http://www.webopedia.com/TERM/L/L2TP.html

[Short for Layer Two (2) Tunneling Protocol, an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs).


L2TP merges the best features of two other tunneling protocols: PPTP from Microsoft and L2F from Cisco Systems. Like PPTP, L2TP requires that the ISP's routers support the protocol.]

L2TP is the product of a partnership between the members of the PPTP Forum, Cisco and the IETF (Internet Engineering Task Force). Combining features of both PPTP and L2F, L2TP also fully supports IPSec.

L2TP can be used as a tunneling protocol for site-to-site VPNs as well as remote-access VPNs. In fact, L2TP can create a tunnel between:

Client and router
NAS and router
Router and router

3.25 MPLS:

** Note: MPLS information and description is taken from the article
Resource: The MPLS FAQ - MPLS-RC - The MPLS Resource Center
http://www.mplsrc.com/mplsfaq.shtml
Copyright 2000-2004, MPLSRC.COM **

MPLS History

a. What is MPLS?

MPLS stands for "Multiprotocol Label Switching". In an MPLS network, incoming packets are assigned a "label" by a "label edge router (LER)". Packets are forwarded along a "label switch path (LSP)" where each "label switch router (LSR)" makes forwarding decisions based solely on the contents of the label. At each hop, the LSR strips off the existing label and applies a new label which tells the next hop how to forward the packet.


Label Switch Paths (LSPs) are established by network operators for a variety of purposes, such as to guarantee a certain level of performance, to route around network congestion, or to create IP tunnels for network-based virtual private networks. In many ways, LSPs are no different than circuit-switched paths in ATM or Frame Relay networks, except that they are not dependent on a particular Layer 2 technology.

An LSP can be established that crosses multiple Layer 2 transports such as ATM, Frame Relay or Ethernet. Thus, one of the true promises of MPLS is the ability to create end-to-end circuits, with specific performance characteristics, across any type of transport medium, eliminating the need for overlay networks or Layer 2 only control mechanisms.

To truly understand "What is MPLS", RFC 3031 - Multiprotocol Label Switching Architecture is required reading.

b. How did MPLS evolve?

MPLS evolved from numerous prior technologies including Cisco's "Tag Switching", IBM's "ARIS", and Toshiba's "Cell-Switched Router". More information on each of these technologies can be found at http://www.watersprings.org/links/mlr/. The IETF's MPLS Working Group was formed in 1997.

c. What problems does MPLS solve?

The initial goal of label based switching was to bring the speed of Layer 2 switching to Layer 3. Label based switching methods allow routers to make forwarding decisions based on the contents of a simple label, rather than by performing a complex route lookup based on destination IP address. This initial justification for technologies such as MPLS is no longer perceived as the main benefit, since Layer 3 switches (ASIC-based routers) are able to perform route lookups at sufficient speeds to support most interface types.


However, MPLS brings many other benefits to IP-based networks; they include:

Traffic Engineering - the ability to set the path traffic will take through the network, and the ability to set performance characteristics for a class of traffic

VPNs - using MPLS, service providers can create IP tunnels throughout their network, without the need for encryption or end-user applications

Layer 2 Transport - New standards being defined by the IETF's PWE3 and PPVPN working groups allow service providers to carry Layer 2 services including Ethernet, Frame Relay and ATM over an IP/MPLS core

Elimination of Multiple Layers - Typically most carrier networks employ an overlay model where SONET/SDH is deployed at Layer 1, ATM is used at Layer 2 and IP is used at Layer 3. Using MPLS, carriers can migrate many of the functions of the SONET/SDH and ATM control plane to Layer 3, thereby simplifying network management and network complexity. Eventually, carrier networks may be able to migrate away from SONET/SDH and ATM altogether, which means elimination of ATM's inherent "cell-tax" in carrying IP traffic.

d. What is the status of the MPLS standard?

Most MPLS standards are currently in the "Internet Draft" phase, though several have now moved into the RFC-STD phase. See "MPLS Standards" for a complete listing of current IDs and RFCs. For more information on the current status of various Internet Drafts, see the IETF's MPLS Working Group home page at http://www.ietf.org/html.charters/mpls-charter.html


There's no such thing as a single MPLS "standard". One day there will be a set of RFCs that together will allow you to build an MPLS system. For example, today a typical IP router spec sheet will list about 20 RFCs to which this router will comply. If you go to the IETF web site (http://www.ietf.org), then click on "I-D Keyword Search", enter "MPLS" as your search term, and crank up the number of items to be returned (or visit http://www.mplsrc.com/standards.shtml), you'll find over 100 drafts currently stored. These drafts have a lifetime of 6 months. Some of these drafts have been adopted by the IETF WG for MPLS.

Further reading:

Additional information on MPLS: for articles, papers, and additional resources, see the MPLS Resource Center at http://www.mplsrc.com

**


    Virtual Private Networking Project Plan

Chapter 4 - Project Plan

My project plan consisted of three major steps:

4.1 Step 1)

My first step would be to collect information and data about the company's existing hardware and software, and to visit and inspect the premises; furthermore, I would need to make an inventory to determine what the suitable next step for their organization would be.

When I visited the premises I did a small survey and noted that they were using ten computers in a Local Area Network domain-based environment connected together through a router. These computers comprise Shuttle workstations (see [Shuttle]) running the Microsoft Windows 2000 Professional operating system, and a Fujitsu Siemens server (see [Fujitsu]) running the Microsoft Windows Server 2003 operating system. The hardware configurations are as follows:

Figure 1. Shuttle workstation

Shuttle small form factor CPUs
AMD Athlon XP processor
Kingston 512 MB DDR RAM
Seagate 160 GB Hard Disk Drives
NVidia 64 MB Graphics Card
Lite-On CD-Writer
Sony Floppy Drive
1 Gigabit Ethernet Adaptor


Logitech Keyboard
Logitech Mouse

The server is a Fujitsu Siemens server and has the following hardware specifications:

Figure 2. Fujitsu Siemens Server

Intel Pentium 4 3.0 GHz processor
Kingston 3 GB DDR RAM
320 GB SATA Hard disk drives
NVidia 128 MB Graphics Card
Lite-On DVD Rewriter
1 Gigabit Ethernet Adaptors (two in quantity)
Sony Floppy Drive
Logitech Keyboard
Logitech Mouse

4.2 Step 2)

After taking the inventory the next step would be to prepare Windows Server 2003 for configuration changes. Following that, the next step was to install ISA Server 2000 and to configure it for VPN.

These steps are demonstrated and documented in great detail in Appendices A, B, C, D, E and F.

4.3 Step 3)

To educate the staff about connecting to the VPN. Please see [Appendix G].


RESOURCES AND ASSIGNMENTS                  START DATE    FINISH DATE
Abstract                                   17/02/2005    22/02/2005
Introduction                               24/02/2005    24/02/2005
The project proposal                       25/02/2005    03/03/2005
Investigation and result                   04/03/2005    28/04/2005
Conclusion & Completion of Final Report    29/04/2005    18/05/2005
Web Site                                   19/05/2005    20/05/2005
Article                                    20/05/2005    20/05/2005


    Virtual Private Networking Investigation and result

Chapter 5 - Investigation and result

When I analyzed the problem I saw two problems instead of one! The first being convergence of various services and platforms and the second being remote availability. Although these are two separate problems, they can actually be addressed by just one solution: Virtual Private Networking!

Virtual Private Networking offers scalability, remote availability and eventually offers convergence as well. How does VPN offer convergence, you might ask? Well, let's take Sun Infosys Ltd's scenario. They have CCTV systems, which are currently offline systems, PC hardware assembling and sales. By leveraging VPN the offline CCTV systems can be linked to the internet and intranet, eventually and effectively making the CCTV systems an ONLINE system. The PC assembling department has to go through various procedures such as hardware procurement, supplier chain management, stock, sales, dispatch, returns, technical support and marketing. All these aspects can be brought together via a single system, either online or networked; in both cases VPN again is the answer, bridging the gap.

In my view the possible methods to achieve the objective would be:

5.1 Virtual Private Networking using hardware based tools and technologies.
5.2 Virtual Private Networking using software based tools and technologies.
5.3 Protocol Selection
5.4 Performance needs
5.5 IP Address Planning
5.6 ISP Evaluation
5.7 Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN


5.1 Hardware Based Solutions:

For hardware based solutions, various tools and devices are available from a number of vendors; these include Cisco as the foremost mentioned, Sonicwall, Shiva etc. The list is endless. These are VPN enabled / pass-through routers, VPN Concentrators, VPN Optimized Routers and VPN Firewalls etc.

5.2 Software Based Solutions:

For software based solutions there are numerous products in the market, each catering to all the needs of any kind of scenario. The good side of software based solutions is that they are very much customizable, upgradeable and scalable. The bad point is that they are prone to fallouts, attacks, viruses and performance issues.

Software based solutions are best offered by the software giant Microsoft, then Symantec, Check Point Software, Cisco and many others.

5.3 Protocol Selection

When talking about protocol selection for a VPN implementation I have to take into account Sun InfoSys Ltd's existing infrastructure, the scale of the company, the costs and the budget.

Keeping the above factors in view, Sun InfoSys is a small to medium sized organization and in my view the best protocol to go for would be IPSec, with an IPSec to IPSec implementation, given its various qualities which are discussed and researched further in the proposal.

When talking about software based solutions a point to note is that they are all platform dependent. Hence they can incur overhead costs and expensive expertise to pay for installation and/or management. I chose ISA Server 2000 for this implementation. I decided to show the work done, with the help of figures, to better understand each step that I took. The next steps were:

Performance needs of the remote applications
IP Address Planning


ISP Evaluation
Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN

5.4 Performance needs:

The applications that are being used in Sun InfoSys Ltd. are SAGE, MS Office, Internet Explorer, Microsoft Outlook, Microsoft Remote Desktop, and the IP cameras' and DVRs' proprietary software. The most resource hungry applications are SAGE and the IP camera and DVR remote viewing software.

My analysis after actual testing is that these applications are not incredibly resource hungry, yet are not on the basic level either; in other words they are neither enterprise-class applications nor basic or home applications. They are medium-level, moderate applications which require fairly consistent performance, if not super fast performance.

Because of the nature of the camera and DVR software, they need to have the highest frames per second and need no frames to be dropped, the reason being that if any frame is dropped while a burglary is occurring in that given time and frame then the evidence could be lost. Therefore I decided that I should choose a solution that provides consistency and few errors while also delivering adequate speed and performance.

5.5 IP Address Planning:

Sun InfoSys Ltd. does not need a huge number of IP addresses to be purchased from an ISP because the whole network only needs to be available to certain individuals, and they can log on over the internet.


In my investigation I found out that they need 5 static IP addresses, which should be purchased from their ISP: one for the remote connection capability, one for backup purposes, another for network allotment and the remaining two for future requirements like Windows Media Server, as they are planning to do web casting for some of their customers.

5.6 ISP Evaluation:

Sun InfoSys Ltd. is already on a business plan with an Internet Service Provider called Eclipse Internet. The service provider is excellent and already providing all the necessary broadband needs and bandwidth; the requested 5 static IP addresses were readily provided by them. I did not find any need to move to another ISP, and this ISP is excellent.

5.7 Installing and configuring ISA Server 2000 on Windows Server 2003 for Remote VPN:

I installed and configured (partitioning the hard drive, formatting the hard drive etc.) a Windows Server 2003 for the purpose of VPN. See Appendix A for the detailed procedures.

After this step I followed the excellent articles and help available in abundance from Microsoft and on the internet on how to install and configure VPN on Microsoft Windows Server 2003.

I installed ISA Server 2000 because it was cheap, offered everything that this project required and was fairly easy to deploy. See Appendices B, C, D, E and F.

The articles can be found at:

[http://www.microsoft.com/]
[http://www.microsoft.com/isaserver/default.mspx]


    Virtual Private Networking Critical Appraisal

Chapter 6 - Critical appraisal of the work done

The work done in this project was an analysis of the current situation for Sun InfoSys Ltd. and coming up with solutions; the solution I followed for implementation was a real time implementation of Virtual Private Networking. I decided to follow the software based route rather than the hardware based route because of the company's budget and size considerations. I eventually did manage to implement the solution and generally had a most pleasant time in doing so.

I encountered problems in actually communicating with the company to make them aware of the demands of this project. I found it quite a difficult task to communicate with non-technical management for such a technical task. I think I should improve my project management skills, which would have enabled me to communicate effectively and on their level. Point noted!

Looking back at the work that I carried out, I could have tried to implement this solution on a Unix platform, but I still think that the time frame that would have been required to complete it would have exceeded the time frame given by the company and hence would invalidate this research; however, the really low cost involved in deploying Unix based solutions is quite enticing for companies. In the end I am satisfied I chose the right solution and the company is satisfied as well.

Website: http://www.rashidkhan.co.uk


    Virtual Private Networking - Conclusion

    Chapter 7 - Conclusion

    I developed a Website for this project and it can be found at:

    http://www.rashidkhan.co.uk/

    When Microsoft released Windows 2000 in the year 2000 it caused a stir in the

    industry by announcing that Windows 2000 would offer Virtual Private Networking.

    There were several concerns and complaints in the industry such as that Microsoft's

    implementation adds data overhead and slows down transaction processing. And

    Will established VPN products from other vendors work with Microsoft's

    technology?

    "If you're using IP, we don't see the reason to use L2TP," comments Iris Tal [see

    CNN], RadGuard's technical support manager. "It only causes overhead for network

    traffic because it's 'double-tunneling.' But because of Microsoft's L2TP client

    software, I'm sure we'll do the support for it in our product."

Many VPN vendors have opposed Microsoft's VPN implementation, complaining that it adds data overhead and slows down transaction processing. On the other hand, some companies, such as Check Point Software and Newbridge Networks, acknowledge that they can't afford to ignore that hundreds of thousands of desktops will probably end up running Microsoft's new software. This fact is by far the most significant and has to be taken into account, as most companies already have a Microsoft environment in place, and this is the scenario at Sun InfoSys Ltd as well.

Another point I noted is that, since releasing Windows 2000, Microsoft has progressed, updated and made advanced changes in its Windows Server 2003 operating system.


I held several meetings with Mr. Andy, the managing director, the sales team, the support team and the technicians, and visited both the head office and the branch office. I took an inventory of the existing hardware [see Project Plan], computer systems, budget and the time frame required. Their budget was simply low and literally spelt out that I must use the existing systems.

I had proposed two options in my Project Proposal, but the UNIX-based proposal was declined due to their low budget and inability to adopt an abrupt system-wide change of operating systems, especially since everything was already functioning and in place. A key point to note here is that they already had Windows Server 2003 as part of their server, which meant they did not need to purchase it. Consequently, these facts made the Windows-based solution the winning choice.

I found out that installing Microsoft's ISA Server 2000 and using it to its full potential is quite a complicated and difficult task to perform, even though it might look simple. The minute intricacies and planning procedures involve a great deal of time and effort, and if miscalculated or carried out improperly they can result in complete failure and double the time frame required for implementation.

The related personnel were briefed and shown how to use the new system to its full potential. It took a bit of time and effort on my behalf; I gave them instructions on how to connect to their VPN [see Appendix G] and do their related tasks of managing warehouse, despatch, sales and technical support, all remotely. It was not an easy task, as this was quite new and complex for them to grasp, but it was not a major issue and eventually it was overcome by trying and trying again.

This placement has had many positive effects on me. I have learnt a lot, for example how to communicate, how to analyze problems, how to analyze company expectations, and how to come up with various solutions that might be possible and feasible. I found out that planning things, taking personal notes, and being highly observant and determined at all times really does help.


After this work placement I am able to identify with the real-life professional work environment. I am able to organize myself, face challenges and complete personal and professional milestones.

I have come to conclude that this company did benefit enormously from a Virtual Private Network, because they have made gains in managing their resources, which shows in their sales figures and in better customer feedback, made possible by better-informed technical support because they are in touch all the time. This project was also successful partly because they already had most of the infrastructure in place, most importantly the Windows Server 2003 operating system software. That was definitely a deciding factor for the management to take up my Windows-based solution, as they did not have to incur extra cost in procuring any other operating system software or the expertise to maintain it.

I am very pleased with the outcome of this project, and so is the company. The project was well managed and finished on time with a small budget. A nice possible outcome for me could be that they might even offer me a permanent position in their company.


    Chapter 8 - Suggestions for further work

The project could be implemented using the Unix operating system on a much cheaper scale and in a surprisingly more secure manner, but the downside is that the time frame required to install, configure and deploy such an option is often too long for an organization.

Another fact is that organizations generally do not have Unix administrators and find them costly to obtain. If Sun InfoSys Ltd.'s company size and operations increase twofold, then I would suggest implementing a Unix solution and hiring a Unix administrator to maintain the network.

The benefits and advantages of a UNIX-based solution are that it is a cheaper option to procure and implement than the more proprietary Windows-based solutions from Microsoft, it is more effective on a larger scale, and it offers more stability and security.

The biggest advantage of the UNIX platform is its security, since the Microsoft platform is plagued by security loopholes, viruses, hackings, bugs, patches etc., hence not offering the stability a larger organization would require to keep its operations up and running all the time.

Another advantage of the UNIX environment is that it does not require expensive new or updated hardware to run and can run on an old, cheaper computer. It offers more speed.

The UNIX operating system was originally adopted by big financial institutions such as banks, which required ultimate security and stability as they have huge amounts of money and consumer confidentiality at stake. UNIX was written with these requirements in mind, so it utilizes less memory and hardware; furthermore, it is a centralized operating system with one source being accessed by thousands of users simultaneously.


With all the above in mind, my suggestion for further work would be to research a solution offering Virtual Private Networking under a UNIX platform rather than the Microsoft platform. Just like Microsoft's, UNIX is an operating system, but it is more stable and secure; in order to implement Virtual Private Networking there are applications that can be installed and configured, namely the Apache Tomcat server, which is very similar to the Microsoft Internet Information Server (IIS). The Apache server can then be configured to offer Virtual Private Networking via third-party software.

One key point is to consider the organization's size and its budget when implementing a solution. At the given time this organization had a very low budget but also a small organization size. In my opinion a UNIX-based solution would not have been feasible because of underlying factors, namely the expensive staff needed to manage and monitor UNIX. Because UNIX is generally used in big financial organizations, which have a complex structure and are quite difficult to manage, they require expert UNIX staff to maintain their facilities. These staff work in highly paid positions and would not consider working in a smaller organization such as Sun InfoSys Ltd. with lower wages.

Therefore I would only recommend such a UNIX-based solution when this company expands and increases in size exponentially, as only then will it have adequate resources to justify the expensive labour.


    Chapter 9 - References

Sun InfoSys Ltd.
http://www.suninfosys.co.uk/
email: [email protected]
The company has a head office in the following location:
Head Office: No 8, Exmouth Rd., London, E17 7QQ.
And also has a branch office in the following location:
Branch Office: No 772-776, Romford Rd., London, E12.
Telephone: 0044 0870 609 2363

[Microsoft1] Deploying Virtual Private Networks with Microsoft Windows Server 2003, by Joseph Davies and Elliot Lewis. Microsoft Press 2004 (496 pages). ISBN: 0735615764

[Microsoft2] Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security. Resource: http://www.microsoft.com/windows2000/techinfo/howitworks/communications/remoteaccess/nwpriv.asp

[CNN] Windows 2000 VPN technology causes stir. Resource: http://archives.cnn.com/2000/TECH/computing/01/12/vpn.stir.idg/index.html

[Shuttle] Shuttle XPC Workstations. Resource: Shuttle, http://eu.shuttle.com/en/desktopdefault.aspx/tabid-72/169_read-2791/

[Fujitsu-Siemens] Fujitsu-Siemens Server. Resource: Fujitsu-Siemens, http://www.fujitsu-siemens.co.uk/sme/promos/intel_servers/primergy_tx200s2.html


[Cisco1] Virtual Private Network Design. Resource: Cisco, http://www.cisco.com/warp/public/779/largeent/design/vpn.html

[Cisco2] Remote Access VPNs. Resource: Cisco, http://www.cisco.com/warp/public/779/largeent/design/remote_vpn.html

[Cisco3] Site-to-Site VPNs. Resource: Cisco, http://www.cisco.com/warp/public/779/largeent/design/intranet_vpn.html

[Cisco4] Extranet VPNs. Resource: Cisco, http://www.cisco.com/warp/public/779/largeent/design/extranet_vpn.html

[Cisco5] Cisco IPSec White Paper. Resource: Cisco, http://www.cisco.com/warp/public/cc/so/neso/sqso/eqso/ipsec_wp.pdf

[Webopedia1] Firewalls. Resource: Webopedia, http://www.webopedia.com/TERM/f/firewall.html

[Webopedia2] Encryption. Resource: Webopedia, http://www.webopedia.com/TERM/e/encryption.html

[Webopedia3] IPSec. Resource: Webopedia, http://www.webopedia.com/TERM/I/IPsec.html

[Webopedia4] AAA Servers. Resource: Webopedia, http://www.webopedia.com/TERM/A/AAA.html


[Webopedia5] Tunnelling. Resource: Webopedia, http://www.webopedia.com/TERM/t/tunneling.html

[Webopedia6] L2F (Layer 2 Forwarding). Resource: Webopedia, http://www.webopedia.com/TERM/L/Layer_Two_Forwarding.html

[Webopedia7] PPTP (Point-to-Point Tunneling Protocol). Resource: Webopedia, http://www.webopedia.com/TERM/P/PPTP.html

[Webopedia8] L2TP (Layer 2 Tunneling Protocol). Resource: Webopedia, http://www.webopedia.com/TERM/L/L2TP.html

[MPLS1] The MPLS FAQ. Resource: MPLS-RC, The MPLS Resource Center, Copyright 2000-2004, MPLSRC.COM, http://www.mplsrc.com/mplsfaq.shtml

[MPLS2] The MPLS Resource Center. Resource: http://www.mplsrc.com/

[VPNC] Virtual Private Network Consortium. Resource: http://www.vpnc.org

[VPN Whitepapers] Virtual Private Network White papers. Resource: http://www.vpnc.org/white-papers.html

[Adtran] Understanding Virtual Private Networking, from ADTRAN. Resource: http://www.adtran.com/adtranpx/Doc/0/EU0GPR0PEFB139RF038BE81ID8/EU0GPR0PEFB139RF038BE81ID8.pdf


[FreeS/WAN] Resource: http://www.freeswan.org/

[Linux] Resource: http://www.samag.com/documents/s=4072/sam0203c/sam0203c.htm


    APPENDICES

    APPENDIX A

    APPENDIX B

    APPENDIX C

    APPENDIX D

    APPENDIX E

    APPENDIX F


    APPENDIX A

Implementation - Installing Windows Server 2003


WEBSITE: http://www.rashidkhan.co.uk/ AND ALSO AVAILABLE ON CD

    INSTALLING WINDOWS SERVER 2003

To install Windows Server 2003 the following actions were taken:

Booted directly from the Windows Server 2003 CD.

Setup loaded all the needed files and drivers.

The setup process began by loading a blue text screen. I was asked to accept the EULA and choose a partition on which to install Windows Server 2003, then I was asked to format it using either FAT, FAT32 or NTFS. I chose NTFS.

Selected to set up Windows Server 2003 by pressing ENTER.

Read the licensing agreement and accepted it by pressing F8.

The hard disk was unpartitioned; I created and sized the partition on which to install Windows Server 2003.

Selected the NTFS file system for the installation partition.

Setup then began copying the necessary files from the installation CD.


The computer then restarted in graphical mode, and the installation continued in a GUI-mode phase. It then began to load device drivers based upon what hardware was found on the computer.

I didn't need to make any changes to the system locale etc. and just pressed Next. Setup then copied the necessary files from the installation CD.

I was then prompted to enter a name, organization name, the product key, the appropriate license type and the number of purchased licenses.

I was prompted to type the computer name and a password for the local Administrator account. I selected the date, time and time zone settings. Setup then installed the networking components. I then highlighted the TCP/IP selection and pressed Properties. In the General tab I entered the required information: I had to specify the IP address of the computer and the subnet mask. The next step was to finish copying files and complete the setup. After the copying and configuring phase finished, setup completed and booted Windows Server 2003.


After careful study I found that the following procedures must be performed to install ISA Server 2000 on a Windows Server 2003 computer, and they must be carried out in the following order:

Install Windows Server 2003

Install ISA Server 2000

Install ISA Server Service Pack 1

Install isahf255.exe

Install Feature Pack 1

ISA Server 2000 can be installed in one of three modes:

Cache Mode: A caching-mode ISA Server is designed to have one or two network interfaces. Each interface must be located on the internal network because packet filtering is not enforceable on a caching-only ISA Server machine.

Firewall Mode: Firewall mode provides a high level of firewall protection from external intruders and also protects your network by enabling granular outbound access control. Firewall mode does not include the Web caching features that are part of the Cache mode server.

Integrated Mode: Integrated mode provides all the firewall and caching features available with ISA Server 2000.

The Windows Server 2003 machine that I was using for VPN deployment had to have the following characteristics:

At least two network interfaces, one internal and one external

The DNS setting on the internal interface uses an internal DNS server that can resolve Internet host names

All non-essential services on the ISA Server 2000 machine are disabled

An Integrated mode ISA Server firewall requires at least one internal and one external interface.

The internal interface is never configured with a default gateway address. The IP address on the internal interface is always on the LAT.

The external interface is configured with a default gateway that routes packets to the Internet. The external interface is never on the LAT.


Windows Server 2003, like Windows 2000, allows a single default gateway. The result is that ISA Server 2000 on Windows Server 2003 supports a single external interface, or single Internet interface. I can have multiple public-address DMZ interfaces, but only a single interface can connect the internal network to the Internet.

The DNS settings on the ISA Server interfaces must be configured correctly. Misconfiguration of the DNS settings is the most common configuration error made on ISA Server firewalls in production. The preferred setup is to:

Configure the internal interface of the ISA Server with the address of a DNS server on the internal network that is capable of resolving Internet host names

Place the internal interface at the top of the interface list. Windows Server 2003 uses the interface order to determine which name server addresses to query first.

Do not enter a DNS server address on the external interface

I had to perform the following steps to configure the interface order on the ISA Server computer:

1. Clicked Start, pointed to Control Panel and right-clicked on Network Connections. Clicked the Open command (figure 1).

Figure 1

2. In the Network Connections window, clicked the Advanced menu and then clicked the Advanced Settings command (figure 2).


    Figure 2

3. In the Advanced Settings dialog box, selected the interface representing the internal interface and clicked the up arrow to move the internal interface to the top of the interface list. Clicked OK in the Advanced Settings dialog box after making the changes to the interface order.


    Figure 3

I disabled all non-essential services on the ISA Server firewall computer. While individual implementations of ISA Server firewalls require a customized set of services, it is safe to conclude that the IIS W3SVC (the World Wide Web service) should not run on the ISA Server firewall.
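The interface, LAT, DNS, interface-order and service rules listed in this appendix can be checked before the firewall goes into production. The following audit script is an added example and is not part of the report or of ISA Server; the `Interface`/`HostConfig` records, the LAT prefix and the two sample hosts are constructed to illustrate the checks.

```python
# Added example (not from the report): audit a planned ISA Server 2000 firewall host
# against the Appendix A checklist. Interface records below are constructed sample data.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Interface:
    name: str
    role: str                      # "internal", "external" or "dmz"
    address: str
    gateway: Optional[str] = None  # default gateway, if any
    dns_servers: List[str] = field(default_factory=list)

@dataclass
class HostConfig:
    interfaces: List[Interface]    # in Windows interface (binding) order
    lat: List[str]                 # Local Address Table as CIDR prefixes
    running_services: List[str]

def in_lat(address: str, lat: List[str]) -> bool:
    """True when the address falls inside any LAT prefix."""
    ip = ip_address(address)
    return any(ip in ip_network(prefix, strict=False) for prefix in lat)

def audit(cfg: HostConfig) -> List[str]:
    """Return findings against the checklist; an empty list means the host passes."""
    findings: List[str] = []
    internal = [i for i in cfg.interfaces if i.role == "internal"]
    external = [i for i in cfg.interfaces if i.role == "external"]
    if not internal or not external:
        findings.append("need at least one internal and one external interface")
    for nic in internal:  # internal side: no gateway, on the LAT, internal DNS set
        if nic.gateway is not None:
            findings.append(f"{nic.name}: internal interface must not have a default gateway")
        if not in_lat(nic.address, cfg.lat):
            findings.append(f"{nic.name}: internal address {nic.address} is not on the LAT")
        if not nic.dns_servers:
            findings.append(f"{nic.name}: internal interface needs an internal DNS server")
    for nic in external:  # external side: gateway to the Internet, never on the LAT, no DNS
        if nic.gateway is None:
            findings.append(f"{nic.name}: external interface needs a default gateway")
        if in_lat(nic.address, cfg.lat):
            findings.append(f"{nic.name}: external address {nic.address} must not be on the LAT")
        if nic.dns_servers:
            findings.append(f"{nic.name}: external interface must not list a DNS server")
    # Windows Server 2003 allows a single default gateway, so a single Internet interface.
    with_gw = [i.name for i in cfg.interfaces if i.gateway is not None]
    if len(with_gw) > 1:
        findings.append("more than one interface has a default gateway: " + ", ".join(with_gw))
    # Interface order decides which name servers are queried first.
    if cfg.interfaces and cfg.interfaces[0].role != "internal":
        findings.append("internal interface must be first in the interface order")
    # Non-essential services; the report singles out IIS W3SVC.
    if "W3SVC" in cfg.running_services:
        findings.append("W3SVC (World Wide Web service) must not run on the firewall")
    return findings

# Constructed sample: external NIC listed first, DNS on the external side, IIS running.
BAD = HostConfig(
    interfaces=[
        Interface("External", "external", "203.0.113.10", gateway="203.0.113.1",
                  dns_servers=["203.0.113.53"]),
        Interface("Internal", "internal", "192.168.1.1", dns_servers=["192.168.1.10"]),
    ],
    lat=["192.168.1.0/24"], running_services=["W3SVC"],
)
# The same host after applying the checklist.
GOOD = HostConfig(
    interfaces=[
        Interface("Internal", "internal", "192.168.1.1", dns_servers=["192.168.1.10"]),
        Interface("External", "external", "203.0.113.10", gateway="203.0.113.1"),
    ],
    lat=["192.168.1.0/24"], running_services=[],
)

if __name__ == "__main__":
    for label, cfg in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, audit(cfg) or ["pass"])
```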


    APPENDIX B

Implementation - Installing ISA Server 2000


    Installing ISA Server 2000

I located the ISA Server 2000 CD-ROM disk and put it into the CD-ROM drive. Performed the following steps to install ISA Server on a Windows Server 2003 machine:

1. Double click on the ISAAutorun.exe file on the ISA Server CD (figure 4), local hard disk, or network share point.

Figure 4

2. Click on the Install ISA Server link on the Internet Security & Acceleration Server 2000 splash page (Figure 5).

Figure 5


3. I saw an ISA 2000 dialog box informing me that I needed to install ISA 2000 Service Pack 1 (figure 6). Error messages occurred during the installation. I was not concerned about these errors, as I would perform the required procedures to prevent them from becoming a problem. Clicked Continue.

Figure 6

4. Clicked Continue on the Welcome to the Microsoft ISA Server installation program page (figure 7).


    Figure 7

5. Entered the CD Key in the CD Key dialog box (figure 8). Clicked OK.

    Figure 8

6. Wrote down the Product ID as listed in the Product ID dialog box. Clicked OK in the Product ID dialog box after writing this number down.


7. Clicked I Agree in the Microsoft ISA Server Setup dialog box (figure 9).

    Figure 9

8. Clicked the Full Installation butt