Implementation of Network Security and VOIP technology
CAPSTONE PROJECT-II
Submitted in partial fulfillment of the
Requirement for the award of the
Degree of
BACHELOR OF TECHNOLOGY
IN
(Electronics and Communication Engineering)
Manik Garg, Registration Number: 10900871
Roop Kanwal, Registration Number: 10900033
Divya Pahwa, Registration Number: 10901208
Ramandeep Kaur, Registration Number: 10901210
Mayank Shah, Registration Number: 10900154
Under the Guidance of
Mr. Sonit Singh
(Lovely School of Electronics and Communication Engineering)
Lovely Professional University
Punjab
APRIL, 2013
P a g e | 2
CERTIFICATE
This is to certify that the dissertation titled "Implementation of Network Security and VOIP technology" made by this group of students is correct to the best of my knowledge and belief. The Capstone Project Proposal based on the technology / tool learnt is fit for submission and partial fulfillment of the conditions for the award of B.Tech in Electronics and Communication from Lovely Professional University, Phagwara.
Name: Sonit Singh
Designation: Assistant professor
Signature of Faculty Mentor
Objective of the Capstone project is satisfactory / unsatisfactory
Examiner I    Examiner II
ACKNOWLEDGEMENT
To make a project there is a need of guidance and motivation at every step. This gives us encouragement to do our best and helps in reaching the goal. We feel immense pleasure to express our sincere thanks and deep sense of gratitude, as it has been our privilege to work under the best guidance of "Mr. Sonit Singh". His interest, perception and constant encouragement gave us confidence to carry out this study.
Roop Kanwal (10900033)
Divya Pahwa (10901208)
Manik Garg (10900871)
Ramandeep Kaur (10901210)
Mayank Shah (10900154)
DECLARATION
We hereby declare that the project work entitled "Implementation of Network Security and VOIP Technology" is an authentic record of our own work carried out as requirements of Capstone Project (Part-I) for the award of the degree of B.Tech. in Electronics and Communication from Lovely Professional University, Phagwara, under the guidance of Mr. Sonit Singh, during August to December, 2012.
Project Group Number: LPU/0903
Name of Group Member | Signature of the member
Roop Kanwal (10900033)
Divya Pahwa (10901208)
Manik Garg (10900871)
Ramandeep Kaur (10901210)
Mayank Shah (10900154)
ABSTRACT
The project creates a complex network similar to the everyday networks implemented in offices, colleges, enterprises and organizations. This report presents an overview of the campus network architecture and includes descriptions of various design considerations, topologies, technologies, configuration design guidelines, and other considerations relevant to the design of a highly available, full-service campus switching fabric. It is also intended to serve as a guide that directs readers to more specific campus design best practices and configuration examples for each of the specific design options, and it can be used by network administrators and designers as a manual for designing more complex networks. The aim of the project is to design a complex network that can be implemented in practical daily-life situations, to use VoIP technology, and to understand the security attacks that hackers use against a network together with the measures that protect the network from unauthorized access and damage.
TABLE OF CONTENTS
Implementation of Network Security and VOIP technology ... 1
Certificate ... 2
Acknowledgment ... 3
Declaration ... 4
Abstract ... 5
Table of Contents ... 6
Table of Figures ... 8
Chapter 1 ... 9
1.1 Introduction ... 9
Chapter 2 ... 10
2.1 Key terms and scope of study ... 12
2.2 Wireless network attacks ... 13
2.2.1 Identity theft (MAC spoofing) ... 13
2.2.2 Man in the middle attack ... 14
2.2.3 Unauthorized access ... 19
2.3 VoIP technology ... 21
2.3.1 Benefits of IP communications ... 21
2.3.2 How VoIP works ... 23
Chapter 3 ... 25
3.1 Software used ... 25
3.2 Features overview ... 25
3.3 GNS3 supported platforms ... 25
3.4 Version and other software used ... 26
3.5 Network devices used specification ... 27
Chapter 4 ... 29
4.1 Configuration and implementations ... 29
4.1.1 Configuring port security ... 29
4.1.1.1 Tweaking port security ... 32
4.1.2 Implementing HTTPS on a webserver ... 32
4.1.3 Access list configuration ... 33
4.1.3.1 Types of access control list ... 34
4.1.4 VoIP configuration ... 35
Chapter 5 (Bibliography) ... 35
5.1 Conclusion ... i
5.2 References ... i
Chapter 6 (Bio-data of the candidates) ... ii
TABLE OF FIGURES AND SNAPSHOTS
Figure 1: Components of wireless network ... 12
Figure 2: MAC spoofing ... 13
Figure 3: Man in the middle attack ... 15
Figure 4: SSL working ... 18
Figure 5: Unauthorized access ... 19
Figure 6: VoIP working ... 24
Figure 7: Logo of GNS3 ... 24
Figure 8: Series of devices and protocols supported by GNS3 ... 26
Snapshot 1: Basic configuration of port security ... 30
Snapshot 2: Learning of MAC address ... 30
Snapshot 3: Port status is changed to down ... 31
Snapshot 4: Status of port security applied on a device ... 31
Snapshot 5: Port in restrict violation mode ... 32
Snapshot 6: Network configuration ... 33
Snapshot 7: Configuration of webserver ... 33
Snapshot 8: Access list configuration ... 34
Snapshot 9: VoIP configuration ... 35
Snapshot 10: IP phone with Cisco IP Communicator ... 36
Chapter 1
INTRODUCTION
_____________________________________________________________________________________
Wireless networking presents many advantages. Productivity improves because of increased accessibility to information resources, and network configuration and reconfiguration is easier, faster, and less expensive. However, wireless technology also creates new threats and alters the existing information security risk profile. For example, because communication takes place "through the air" using radio frequencies, the risk of interception is greater than with wired networks. If a message is not encrypted, or is encrypted with a weak algorithm, an attacker can read it, thereby compromising confidentiality. Although wireless networking alters the risks associated with various threats to security, the overall security objectives remain the same as with wired networks: preserving confidentiality, ensuring integrity, and maintaining availability of the information and information systems. The objective of this report is to assist managers in making such decisions by providing them with a basic understanding of the nature of the various threats associated with wireless networking and the available countermeasures. The popularity of wireless networks is a testament primarily to their convenience, cost efficiency, and ease of integration with other networks and network components. The majority of computers sold to consumers today come pre-equipped with all necessary wireless networking technology. The benefits of wireless networks include convenience, mobility, productivity, deployment, expandability and cost.
Wireless network technology, while replete with the conveniences and advantages described above, has its share of drawbacks. For a given networking situation, wireless networks may not be desirable for a number of reasons, most of which have to do with the inherent limitations of the technology. The disadvantages of using a wireless network are:
Security
Range
Reliability
Speed
Wireless Networks present a host of issues for network managers. Unauthorized access points,
broadcasted SSIDs, unknown stations, and spoofed MAC addresses are just a few of the
problems addressed in WLAN troubleshooting. Most network analysis vendors, such as
Network Instruments, Network General, and Fluke, offer WLAN troubleshooting tools or
functionalities as part of their product line.
Chapter 2
Key terms and scope of study
_____________________________________________________________________________
2.1 Wireless Vulnerabilities, Threats and Countermeasures
Wireless networks consist of four basic components: the transmission of data using radio frequencies; access points that provide a connection to the organizational network; client devices (laptops, PDAs, etc.); and users. Each of these components provides an avenue for attack that can result in the compromise of one or more of the three fundamental security objectives of confidentiality, integrity, and availability.
Fig. 1.0 (Wireless networking components)
2.2 Wireless Network Attacks
2.2.1 Identity theft (MAC spoofing)
Identity theft (or MAC spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering, so that only authorized computers with specific MAC addresses can gain access to and use the network. However, a number of programs exist that have network "sniffing" capabilities. Combined with other software that allows a computer to pretend it has any MAC address the cracker desires, these programs let the cracker easily get around that hurdle.
Fig. 1 (MAC spoofing)
The attack:
MAC filtering's resource consumption is almost unmeasurable, and even though it does not keep out any reasonably knowledgeable security cracker willing to spend a few moments gaining access, it does keep out a lot of automated opportunistic attacks that aim solely for the absolute lowest-hanging fruit on the security tree. Since that lowest-hanging fruit consists of the majority of wireless access points, MAC filtering can be of value as a way of turning away the majority of opportunistic attackers.
Method to attack:
"Listen" in on network traffic and pick out the MAC address. This can be done with a plethora of freely available security tools, including Nmap.
Change your MAC address. You can spoof a MAC address when using Nmap with nothing more than the --spoof-mac command line option, which Nmap itself uses to hide the true source of its probes. If you give it a MAC address argument of 0, it will even generate a random MAC address for you. For more general MAC address spoofing, your MAC address is trivially reset with tools available in default installs of most operating systems. Here are some examples:
Linux: ifconfig eth0 hw ether 03:a0:04:d3:00:11
FreeBSD: ifconfig bge0 link 03:a0:04:d3:00:11
MS Windows: On Microsoft Windows systems, the MAC address is stored in a registry key. The location of that key varies from one MS Windows version to the next, but once you find it you can edit it yourself. There are, of course, numerous free utilities you can download to make this change for you as well (such as Macshift for MS Windows XP).
PREVENTION METHOD:
Port security: Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability to specify the MAC address of the system connected to a particular port, and also the ability to specify an action to take if a port security violation occurs. It is a layer 2 traffic control feature on Cisco Catalyst switches that enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter users from adding "dumb" switches to illegally extend the reach of the network (e.g. so that two or three users can share a single access port).
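To make the port-security behaviour concrete, here is a small Python model written for this report's reader (an added illustration, not the project's own configuration and not Cisco code); it replays the scenario that Chapter 4 later walks through with snapshots: a port allowing one MAC, a second host appearing behind a hub, and the three violation modes. The class `SecurePort`, the function `run_scenario` and the MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """A switch access port with port security enabled (a model, not a real switch)."""
    name: str
    maximum: int = 1                 # default: one allowed source MAC per port
    violation: str = "shutdown"      # "protect", "restrict" or "shutdown" (the default)
    allowed: set = field(default_factory=set)   # learned or statically configured MACs
    violations: int = 0              # counter a real switch shows in 'show port-security'
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Handle an ingress frame from src_mac.

        Returns 'learn', 'forward', 'drop' or 'err-disable' to describe what the
        port did with the frame."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                  # port stays down until an admin recovers it
        if src_mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)      # first frame(s) from a new host: learn the MAC
            return "learn"
        # A MAC beyond the configured maximum: this is a port-security violation.
        if self.violation == "protect":
            return "drop"                  # silently dropped, nothing counted or logged
        self.violations += 1               # restrict and shutdown both count the event
        if self.violation == "restrict":
            return "drop"                  # dropped and counted; the port stays up
        self.err_disabled = True           # shutdown mode: the whole port is err-disabled
        return "err-disable"

    def recover(self) -> None:
        """Model of 'shutdown' followed by 'no shutdown' on the interface."""
        self.err_disabled = False


def run_scenario(mode: str) -> dict:
    """Replay the walkthrough: one authorised host, then a hub with a second host.

    Returns the per-frame outcomes plus the port's final state."""
    port = SecurePort("Fa0/1", maximum=1, violation=mode)
    authorised = "00:11:22:33:44:55"   # constructed sample MACs
    intruder = "66:77:88:99:aa:bb"
    outcomes = [
        port.receive(authorised),      # first frame: MAC is learned
        port.receive(authorised),      # normal traffic
        port.receive(intruder),        # second host appears on the same port
        port.receive(authorised),      # is the legitimate host still served?
    ]
    return {"log": outcomes, "violations": port.violations,
            "err_disabled": port.err_disabled}


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, run_scenario(mode))
```

With the default shutdown mode the legitimate host loses service too (the last outcome is 'drop'), which is exactly the err-disabled state the Chapter 4 snapshots show and why recovery needs an administrator.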
2.2.2 Man-in-the-middle attack
A man-in-the-middle attacker entices computers to log into a computer which is set up as a soft AP
(Access Point). Once this is done, the hacker connects to a real access point through another wireless card
offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker
can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and
handshake protocols to execute a ―de-authentication attack‖. This attack forces AP-connected computers
to drop their connections and reconnect with the cracker’s soft AP.Man-in-the-middle attacks are
enhanced by software such as LANjack and AirJack, which automate multiple steps of the process. What
once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any
attack since there is little to no security on these networks.
Fig. 2.0 (Man in the middle attack)
The Attack:
A MitM attack takes advantage of weaknesses in network communication protocols in order to convince a host that traffic should be routed through the attacker instead of through the normal router. In essence, the attacker advertises that they are the router and that the client should update its routing records accordingly. This attack is called ARP spoofing.
The (greatly simplified) purpose of ARP (Address Resolution Protocol) is to enable IP address to
MAC address translations for hosts.
By design, ARP contains no authentication. Therefore, any host can reply to an ARP request or send an unsolicited ARP response to a specific host. The attacker uses these ARP response messages to instruct the victim's machine that the appropriate MAC address for a given IP address is now the MAC address of the attacker's machine. More specifically, the attacker instructs the victim to overwrite the IP->MAC entry for the router in its ARP cache, so that the router's IP address now corresponds to the MAC address of the attacker's machine.
What does this mean? All of the victim's traffic will now be routed through the attacker. Of course, the attack does not stop here. In order to allow the traffic to reach the Internet, the attacker must configure his system (or attack tool) to also forward this traffic to the original router. In addition, the attacker performs a similar ARP spoofing attack against the router, so that the router sends traffic that was destined for the victim machine to the attacker instead. The attacker then forwards the traffic on to the victim. This completes the "chain" and places the attacker "in the middle" of the communication.
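Since ARP replies carry no authentication, the defensive counterpart of the attack just described is to watch for bindings that change. The Python below is an added illustration (not from the report and not a Cisco feature): it scans a constructed stream of ARP replies and flags the two symptoms of the bidirectional poisoning, a gateway IP that suddenly answers from a new MAC and one MAC that claims several IPs. The names (`detect_arp_spoofing`, `SAMPLE_REPLIES`) and all addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed ARP replies as (sender IP, sender MAC), in arrival order. The last two
# are the attacker re-binding the gateway's IP and the victim's IP to its own MAC.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "00:0c:29:aa:bb:01"),   # real gateway answers a request
    ("192.168.1.10", "00:0c:29:aa:bb:10"),   # victim host
    ("192.168.1.20", "00:0c:29:aa:bb:20"),   # another host
    ("192.168.1.1",  "00:0c:29:aa:bb:01"),   # gateway again, binding unchanged
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # poisons the victim's entry for the router
    ("192.168.1.10", "de:ad:be:ef:00:99"),   # poisons the router's entry for the victim
]
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:0c:29:aa:bb:01"


def detect_arp_spoofing(replies: Iterable[Tuple[str, str]], gateway_ip: str,
                        trusted: Optional[Dict[str, str]] = None) -> List[tuple]:
    """Scan ARP replies and return alerts as tuples.

    The first binding seen for an IP is treated as trusted unless `trusted` pins it
    (a static entry for the gateway is the obvious candidate). Alert kinds:
      ("gateway-rebind", ip, trusted_mac, new_mac)  gateway IP answered from a new MAC
      ("rebind", ip, trusted_mac, new_mac)          any other IP re-bound
      ("multi-ip-mac", mac, (ip1, ip2, ...))        one MAC now claiming several IPs
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ips_by_mac: Dict[str, set] = defaultdict(set)
    for ip, mac in bindings.items():
        ips_by_mac[mac].add(ip)
    alerts: List[tuple] = []
    for ip, mac in replies:
        mac = mac.lower()
        known = bindings.setdefault(ip, mac)   # first sighting becomes the baseline
        if known != mac:
            kind = "gateway-rebind" if ip == gateway_ip else "rebind"
            alerts.append((kind, ip, known, mac))
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max(before, 1):   # alert once per newly claimed IP
            alerts.append(("multi-ip-mac", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, GATEWAY_IP):
        print(alert)
```

A first-seen baseline is fooled if the attacker is already active when monitoring starts, which is why the `trusted` pin (a static ARP entry for the gateway on real hosts) matters.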
Impacts on HTTP
At this point, the attacker has the ability to view and modify any TCP traffic sent to or from the
victim machine. HTTP traffic is unencrypted and contains no authentication. Therefore, all
HTTP traffic can be trivially monitored/modified by the attacker.
What about HTTPS?
Everything we have talked about thus far is related to getting in the middle of the network communications. This enables the attacker to view most exchanged data, but it does not enable the attacker to intercept data exchanged over protocols that implement their own authentication and encryption (e.g. SSH, SSL/TLS). But this is where the fun starts. The purpose of HTTPS is to create secure communication on top of HTTP by the use of SSL or TLS.
PREVENTION METHOD:
HTTPS ENCRYPTION: Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (HTTP). HTTPS allows secure e-commerce transactions, such as online banking. With HTTPS, the website encrypts the session using a digital certificate.
Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.
How SSL works:
Fig. 3.0 (SSL working)
A browser requests a secure page (usually https://).
The web server sends its public key with its certificate.
The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted HTTP data.
The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.
The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.
2.2.3 UNAUTHORIZED ACCESS:
While it may seem simple to protect your directory from unauthorized access, the problem can be more complicated. There are several opportunities along the path of directory information delivery for an unauthorized client to gain access to data. Unauthorized access includes:
Unauthorized access to data via data-fetching operations
Unauthorized access to reusable client authentication information by monitoring the access of others
Unauthorized access to data by monitoring the access of others
Fig. 4.0 (Showing comical images of unauthorized access)
PREVENTION METHOD:
Access control lists (ACLs):
ACLs perform packet filtering to control which packets move through a network and to where. Packet filtering provides security by helping to limit network traffic, restrict the access of users and devices to a network, and prevent traffic from leaving a network. IP access lists reduce the chance of spoofing and denial-of-service attacks and allow dynamic, temporary user access through a firewall. By restricting the access of users and devices to a network, packet filtering provides a measure of security, and access lists can also save network resources by reducing traffic. The benefits of using access lists are as follows:
Authenticate incoming rsh and rcp requests: access lists can simplify the identification of local users, remote hosts, and remote users in an authentication database that is configured to control access to a device.
Block unwanted traffic or users: access lists can filter incoming or outgoing packets on an interface, thereby controlling access to a network based on source addresses, destination addresses, or user authentication. You can also use access lists to determine the types of traffic that are forwarded or blocked at device interfaces.
Provide NAT control: access lists can control which addresses are translated by Network Address Translation (NAT).
Reduce the chance of DoS attacks: access lists reduce the chance of denial-of-service attacks.
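The following Python evaluator, added here as an illustration (not the project's configuration and not Cisco's implementation), shows the filtering semantics that the access-list configuration in Chapter 4 relies on: top-down matching of protocol, source, destination and port with wildcard masks, first match wins, and an implicit deny at the end. It also flags entries that can never match because an earlier entry already covers them, a common ACL mistake. The ACL text, addresses and names (`parse_acl`, `evaluate`, `shadowed`) are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, str]   # (network, wildcard mask) as dotted quads


@dataclass
class Ace:
    """One access control entry of an extended numbered ACL."""
    line: str
    action: str            # "permit" or "deny"
    proto: str             # "ip" (matches everything), "tcp", "udp", "icmp", ...
    src: Addr
    dst: Addr
    dport: Optional[int]   # only 'eq <port>' on the destination is modelled


def ip_to_int(addr: str) -> int:
    a, b, c, d = (int(p) for p in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = 0xFFFFFFFF ^ ip_to_int(wild)
    return ip_to_int(addr) & care == ip_to_int(net) & care


def _take_addr(tokens: List[str]):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]' lines."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens[:1] != ["access-list"] or tokens[2] == "remark":
            continue                       # skip blank, foreign and remark lines
        action, proto = tokens[2], tokens[3]
        src, rest = _take_addr(tokens[4:])
        dst, rest = _take_addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(Ace(raw.strip(), action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching line). First match wins; otherwise implicit deny."""
    for ace in entries:
        if ace.proto not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace.src) or not wildcard_match(dst, *ace.dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, ace.line
    return "deny", "implicit deny"


def _covers(outer: Addr, inner: Addr) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    o_net, o_wild = ip_to_int(outer[0]), ip_to_int(outer[1])
    i_net, i_wild = ip_to_int(inner[0]), ip_to_int(inner[1])
    care = 0xFFFFFFFF ^ o_wild             # bits the outer entry insists on
    return (i_wild & care) == 0 and (o_net & care) == (i_net & care)


def shadowed(entries: List[Ace]) -> List[str]:
    """Lines that can never match because an earlier line already covers them."""
    dead = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if (earlier.proto in ("ip", later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and earlier.dport in (None, later.dport)):
                dead.append(later.line)
                break
    return dead


# Constructed ACL: web and DNS reachability for one LAN, pings blocked.
SAMPLE_ACL = """
access-list 101 remark constructed example, not the project's configuration
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.5 eq 443
access-list 101 deny icmp any any
access-list 101 permit udp any host 10.0.0.53 eq 53
"""
```

Because the implicit deny catches everything unmatched, an ACL that permits only ports 80 and 443 also silently blocks SSH to the same server; the `shadowed` check catches the opposite error, a broad early permit that makes later deny lines dead.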
2.3 VOIP Technology
The term Voice over Internet Protocol, or VoIP, has been used as a catch-all phrase in the industry to refer collectively to a large group of technologies designed to provide Internet-based communications services. More accurately, VoIP refers only to the underlying transport protocol that encapsulates voice traffic or voice media streams and allows them to be carried over data networks using IP network technologies or Internet protocols. VoIP, however, is not IP Telephony, nor is it the more widely used industry term IP Communications, which refers to an even broader set of communications networking applications and technologies. VoIP can be understood as simply a transport protocol for carrying voice over any packet network, usually between sites. The term convergence, also sometimes referred to as a multi-service network, refers to the integration of data, voice, and video solutions onto a converged network infrastructure.
2.3.1 Benefits of IP Communications over a Converged Intelligent Network
The benefits of IP Communications applications over a converged intelligent network are
derived from a series of fundamental capabilities within IP networks that provide for the
advantages of flexibility, resilience, and economy.
Economy:
As opposed to connecting elements and applications of a communications system using
expensive legacy voice technologies such as DS1 and DS0 line cards, trunk cards and digital
signaling technologies, IP Communications networks allow customers to build network
communication services based on IP networking technologies using Ethernet economics,
often called silicon economics. One Ethernet port can replace 50 or more legacy voice
circuits, line cards, and chassis equipment needed to provide equivalent service. The key
point here is that the costs are significantly less to provide connections to other sites and to
other applications.
Flexibility:
As opposed to connecting elements and applications of a communications system using legacy technologies that are proprietary, monolithic, and restrictive in nature, IP networking allows connections to be made with virtual reach: resources can be distributed anywhere as needed; economies can be gained by centralization of gateway, circuit, and server resources; and many types of media and applications can be brought together to facilitate communications within an organization. IP Communications systems are also more capable of supporting mobility requirements, telecommuting, moves/adds/changes, centralized management, outsourcing of operations, extension mobility, desktop integration, front-office and back-office integration and applications, enterprise directories, and taking advantage of emerging web innovations and services such as instant messaging, presence, and mobility.
Resilience:
With business continuity and disaster recovery high on the agendas of many organizations, the resiliency of the connectivity and capabilities that IP Communications provides to keep the organization connected makes it an ideal candidate for survivable services. Redundancy is built into intelligent layer 2 and layer 3 networking technologies and applications. Internet protocols offer superior failover, redundancy and self-healing capabilities that are easy to deploy, are based on open standards, and can support not only voice but all of an organization's communications services. The fact that the most resilient military and enterprise communications systems can now use IP Communications and Internet protocols to achieve five nines of reliability and availability provides a superior alternative to rigid voice technologies. These legacy technologies are far more expensive, and are unable to provide the overall system resiliency needed for as broad a range of services and applications as IP Communications can.
2.3.2 How VOIP works
With VoIP, analog voice calls are converted into packets of data. The packets travel like any
other type of data, such as e-mail, over the public Internet and/or any private Internet
Protocol (IP) network.
Using a VoIP service, you can call landline or cell phones. You can also call computer-to-
computer, with both parties speaking into a computer microphone and listening through
computer speakers or headsets.
When evaluating, it's worth noting that you can make or receive calls using landline
telephones. All you need is an analog telephone adapter connected to your network. Also, to
ensure the best voice quality and security, consider using your VoIP or other communications
system on a private IP network.
Fig. 5.0 (VoIP working)
CHAPTER 3
Software used
__________________________________________________________________
Fig. 6.0 (Logo of simulator)
The GNS3 network simulator is free, open source software that can be downloaded and used by anyone. GNS3 works by using real Cisco IOS images, which are emulated using a program called Dynamips. GNS3 is really the GUI part of the overall product. With this GUI, users get an easy-to-use interface that allows them to build complex labs consisting of a variety of supported Cisco routers. GNS3 is an excellent complementary tool to real labs for network engineers, administrators and people wanting to study for certifications such as Cisco CCNA, CCNP, CCIP and CCIE as well as Juniper JNCIA, JNCIS and JNCIE. It can also be used to experiment with features of Cisco IOS or Juniper JunOS, or to check configurations that need to be deployed later on real routers. Thanks to VirtualBox integration, even system engineers and administrators can now take advantage of GNS3 to make labs and study for Red Hat (RHCE, RHCT), Microsoft (MCSE, MCSA), Novell (CLP) and many other vendor certifications. This project is an open source, free program that may be used on multiple operating systems, including Windows, Linux, and Mac OS X.
3.1 Features overview
Design of high quality and complex network topologies.
Emulation of many Cisco IOS router platforms, IPS, PIX and ASA firewalls, JunOS.
Simulation of simple Ethernet, ATM and Frame Relay switches.
Connection of the simulated network to the real world!
Packet capture using Wireshark.
3.2 GNS3 Supported Platforms
These are the current platforms supported by GNS3. As you can see from the table, you’ve got
quite a list of devices that can be used with GNS3 to build your labs. This is definitely another
great feature of this simulator. As you all know, with each different model of Cisco devices, you
have more or less features supported by that model. These mostly range from the types of
commands supported on the particular IOS you’re running for that platform.
Fig. 7.0 (Series of devices and protocols supported by GNS3)
3.3 Version and other software used
We have used the latest version of GNS3, v0.8.3.1 all-in-one (an installer which includes Dynamips, Qemu/Pemu, PuTTY, VPCS, WinPcap and Wireshark), on the Windows operating system, together with the virtualization software VirtualBox in conjunction with Cisco IP Communicator.
3.4 Network devices used specification:
Sr.no | Device | Type | Specification | Vendor
1 | Router | Wireless, wired | WRT300N, 2620XM, 2621XM | Linksys, Cisco
2 | Switch | Multilayer, single layer | Catalyst 3560, Catalyst 2960 | Cisco
3 | End points | Laptops, personal computers | Inbuilt in software as nodes | -
4 | Servers | Mail server and DNS server | Inbuilt in software as devices | -
(a.) Linksys WRT300N details:
Device type: Wireless router, 4-port switch (integrated)
Data link protocol: Ethernet, Fast Ethernet, IEEE 802.11b/g/n
Encryption algorithm: WPA, WPA2, 128-bit WEP, 64-bit WEP
Features: MIMO technology, full duplex capability, firewall protection, MAC address filtering, firmware upgradable, Stateful Packet Inspection (SPI), DHCP support, NAT support
Interfaces: WAN: 1 x Ethernet 10Base-T/100Base-TX - RJ-45; LAN: 4 x Ethernet 10Base-T/100Base-TX - RJ-45
(b.) Cisco 2620/21 Ethernet, Fast Ethernet router:
Device type: Wired router
Data link protocol: Ethernet, Fast Ethernet, IEEE 802.3, 802.3u
Features: Auto-sensing per device, modular design, manageable, NAT support
Interfaces: Management: 1 x Auxiliary - RJ-45 - 1.0, 2 x Console - RJ-45 - 1.0; 1 x Ethernet 10Base-T/100Base-TX - RJ-45 - 2.0
(c.)Catalyst 3560-24PS :
Device type: Switch-24 ports-Layer
Compliant Protocols:IEEE 802.3af,802.3x,802.1Q,802.1w, 802.1p,802.3z,802.3,
802.1x,802.1D,802.3ab
Features:Layer 2 switching,Layer 3 switching,DHCP server,Full duplex capability,
VLAN support,Trivial File Transfer Protocol (TFTP) support,Dynamic Trunking
Protocol (DTP) support,DHCP snooping,DHCP support,Trunking,Access Control List
(ACL) support,IP-routing,
Interfaces:24 x Ethernet 10Base-T/100Base-TX - RJ-45 - PoE,1 x Console - RJ-45 –
Management.
(d.) Catalyst 2960-24-TT:
Device type:Switch - 24 ports
Compliant Protocols::IEEE 802.3af,802.3x,802.1Q,802.1w, 802.1p,802.3z,802.3,
802.1x,802.1D,802.3ab
Features:Layer 2 switching,IPv6 support,VLAN support,Multiple Spanning Tree Protocol
(MSTP) support,Port Security,MAC Address Notification,Dynamic Trunking Protocol
(DTP) support,ARP support,BOOTP support,DHCP snooping,Dynamic IP address
assignment,Broadcast Storm Control,Access Control List (ACL) support,
Interfaces:24 x Ethernet 10Base-T/100Base-TX - RJ-45,2 x Ethernet10BaseT/100Base-
TX/1000Base-T – RJ-45
CHAPTER 4
Configuration and implementation
_______________________________________________________________
After implementing the basic network from the earlier phase of this project, we added
security features and VoIP technology to it. In other words, we kept the same base
configuration, added the security measures and VoIP, and show the configuration of each
security measure mentioned above separately, each with a small example topology.
4.1 Configuring port security
Configuring the port security feature is relatively easy. In its simplest form, port security
requires going to an already enabled switch port and entering the switchport port-security
interface-mode command.
Port security can be enabled with default parameters by issuing this single command on an
interface.
We can view the resulting default port security configuration with show port-security:
Snapshot 1.0 (Basic configuration of port security)
As you can see, there are a number of attributes which can be adjusted. We'll cover these in a
moment. When a host connects to the switch port, the port learns the host's MAC address as the
first frame is received:
Snapshot 2 (Learning of MAC address)
Now, we disconnect the host from the port, connect a small switch or hub, and reconnect the
original host plus a second, unauthorized host so that they both attempt to share the access port.
Observe what happens as soon as the second host attempts to send
traffic:
Snapshot 3 (Port status is changed to down)
Inspecting the status of port security on the port again, we can see that the new MAC address
triggered a violation. By default, a port security violation forces the interface into the
error-disabled state. An administrator must re-enable the port manually by issuing the shutdown
interface command followed by no shutdown. This must be done after the offending host
has been removed, or the violation will be triggered again as soon as the second host sends
another frame.
Snapshot 4 (Status of port security implied on device)
4.1.1 Tweaking Port Security
Violation Mode
Port security can be configured to take one of three actions upon detecting a violation:
shutdown (default): The interface is placed into the error-disabled state, blocking all traffic.
protect: Frames from MAC addresses other than the allowed addresses are dropped; traffic
from allowed addresses is permitted to pass normally.
restrict: Like protect mode, but generates a syslog message and increments the violation
counter.
By changing the violation mode to restrict, we are still alerted when a violation occurs, but
legitimate traffic remains unaffected:
Snapshot 5 (Port in restrict violation mode)
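The following simulator is an added example (not code from the report or from Cisco IOS) that models the behaviour described in 4.1 and 4.1.1 for a single port with the default maximum of one secure MAC address: the first source MAC is learned, a second one triggers the configured violation action, and after an operator recovers an err-disabled port the still-connected second host re-triggers the violation. The MAC addresses used in the test and the log strings are constructed.

```python
"""Port-security simulator for one switch port: dynamic MAC learning and
the shutdown / protect / restrict violation modes described in 4.1 and 4.1.1.
Added example, not from the original report; the log strings are modelled on
IOS messages rather than copied from a device."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                  # secure MAC addresses allowed (IOS default is 1)
    violation: str = "shutdown"       # "shutdown" (default) | "protect" | "restrict"
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        if self.err_disabled:
            return False                          # port is down: nothing passes
        if src_mac in self.secure_macs:
            return True                           # already a secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)      # learned from the first frame seen
            return True
        # Any further source MAC is a violation; the action depends on the mode.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.syslog.append(f"psecure-violation from {src_mac}, port err-disabled")
        elif self.violation == "restrict":
            self.violation_count += 1
            self.syslog.append(f"PSECURE_VIOLATION caused by {src_mac}, frame dropped")
        # "protect": dropped silently, no log entry, counter unchanged
        return False

    def recover(self) -> None:
        """Operator 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False
        # secure_macs is kept: a still-connected offending host re-triggers the violation
```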
4.2 Implementing HTTPS on a webserver
A basic topology with a router, a switch, some hosts as users and a web server is set up to
show this security measure. The web server is configured to serve both HTTP and HTTPS, so
it can handle either type of traffic requesting the website or service, while HTTPS protects the
network from eavesdropping by encrypting the data and carrying it over a secure channel in
which it cannot be read or tampered with in transit.
Snapshot 6(Network Configuration)
Snapshot 7(Configuration on Webserver)
4.3 Access List configuration
An access control list (ACL) in networks is used to assign different permissions, e.g. deny or
permit, to an object.
ACL Rules:
The list is applied from the top statement to the bottom, so order is important: if the first
statement matches, the remaining statements are ignored.
There is an invisible (implicit) deny at the bottom of every access list. This means that if you
have different hosts in the network, say 192.16.1.1, 192.16.1.2, 192.16.1.100 etc., and you
create an access list that only denies 192.16.1.100 access to the internet, all the other hosts are
also blocked because of this rule; you have to write another statement permitting any other
host to correct this.
An ACL is applied to an interface in either the inbound or the outbound direction.
4.3.1 Types of Access Control List
There are two main types of ACL:
1. Standard ACL
2. Extended ACL
Standard ACL:
ACL number range is from 1-99
Always apply near to the destination
Lower process utilization
Snapshot 8(Access list configuration)
Configuration of Standard ACL Syntax
Router(config)#access-list <1-99> deny/permit host/network
The first set of commands denies host 172.16.2.10 outbound on f1/0 while permitting every
other source:
R3(config)#access-list 1 deny host 172.16.2.10
R3(config)#access-list 1 permit any
R3(config)#int f1/0
R3(config-if)#ip access-group 1 out
The second set restricts remote login (VTY) access on R1 with access-class, so that the same
host is refused a login while any other host is allowed:
R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#^Z
R1#conf t
R1(config)#access-list 2 deny 172.16.2.10
R1(config)#access-list 2 permit any
R1(config)#line vty 0 4
R1(config-line)#access-class 2 in
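As an added example (not code from the report), the evaluator below models how a standard ACL is processed: entries are tried top-down, the first match decides, and anything unmatched falls to the implicit deny. It understands the host, any, bare-address and wildcard-mask forms, and the test replays the section 4.3 scenario where a lone deny for 192.16.1.100 blocks every host until permit any is added. Addresses are the ones used in the text above.

```python
"""Standard-ACL evaluator: top-down first match with the implicit deny.
Added example, not from the original report; it models Cisco IOS standard
ACL (1-99) evaluation on the source address only."""
import ipaddress


def _matches(entry_addr: str, wildcard: str, src: str) -> bool:
    """Wildcard-mask match: a 0 bit in the wildcard means that bit must match."""
    a = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    s = int(ipaddress.IPv4Address(src))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (s & care)


def parse_ace(line: str):
    """Parse 'access-list N permit|deny <host A | any | A [wildcard]>' into
    (action, address, wildcard)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line!r}")
    action = t[2]
    if t[3] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if t[3] == "host":
        return action, t[4], "0.0.0.0"
    wildcard = t[4] if len(t) > 4 else "0.0.0.0"   # bare address means a single host
    return action, t[3], wildcard


def evaluate(acl_lines, src_ip: str) -> str:
    """Return 'permit' or 'deny' for src_ip against the ACL entries in order."""
    for line in acl_lines:
        action, addr, wildcard = parse_ace(line)
        if _matches(addr, wildcard, src_ip):
            return action          # first match wins; later entries are never consulted
    return "deny"                  # the implicit deny at the bottom of every ACL
```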
4.4 VoIP configuration
Here the VoIP setup is made using 2 IP phones, 2 routers and a switch, with 1 computer as a node.
Snapshot 9(VoIP configuration)
Snapshot 10 (IP-phone with cisco ip communicator)
First, place all the devices and configure the router to work as a DHCP server that leases IP addresses to the IP phones.
ip dhcp pool test-vlan
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
option 150 ip 192.168.10.1
Option 150 is required for Cisco IP phones (it supplies the address of the TFTP server from which the phones fetch their configuration). The pool range is the whole 192.168.10.0/24 network.
Here is the configuration of router.
telephony-service
max-ephones 3
max-dn 3
ip source-address 192.168.10.1 port 2005
auto assign 1 to 5
!
ephone-dn 1
number 1001
!
ephone-dn 2
number 1005
!
ephone-dn 3
number 1010
We used IP phones with a power supply, so a power adapter must be plugged in to bring each IP phone online.
If you do not want power adapters and need PoE, a multilayer switch has to be used. Configure the switch as follows,
enabling the trust boundary for Cisco phones with "mls qos trust device cisco-phone":
interface FastEthernet0/1
switchport access vlan 10
switchport mode trunk
switchport voice vlan 1
mls qos trust device cisco-phone
!
interface FastEthernet0/4
switchport mode access
switchport voice vlan 1
!
interface FastEthernet0/5
switchport mode access
switchport voice vlan 1
After the phone comes online, check in the switch whether it is a trusted Cisco phone by executing "show mls qos interface fa0/1"; "trust device: cisco-phone" appears in the output.
Switch#sh mls qos interface fa0/1
FastEthernet0/1
trust state: not trusted
trusted mode: not trusted
COS override: dis
default COS: 0
pass-through: none
trust device: cisco-phone
As soon as the IP phones come online, the following messages appear on the Cisco router, confirming that the phones have registered with their IP addresses.
Router#%IPPHONE-6-REGISTER: ephone-1 IP:192.168.10.2 Socket:2 DeviceType:Phone has registered.
Router#%IPPHONE-6-REGISTER: ephone-2 IP:192.168.10.3 Socket:2 DeviceType:Phone has registered.
Check the leased IP addresses in the router using the following command.
Router#sh ip dhcp binding
IP address       Client-ID/Hardware address   Lease expiration   Type
192.168.10.3     0006.2A21.B937               --                 Automatic
192.168.10.4     000B.BE52.8501               --                 Automatic
192.168.10.2     0001.9628.4786               --                 Automatic
192.168.10.6     0010.11E9.75C9               --                 Automatic
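As an added example (not code from the report), the script below reconciles the two outputs shown above: it parses the %IPPHONE-6-REGISTER messages and the show ip dhcp binding table and reports which registered ephone maps to which client MAC, plus any phone that registered from an address the DHCP pool never leased. The sample text is constructed from the section 4.4 output; the third phone (ephone-3 at 192.168.10.99) is an invented extra to exercise that check.

```python
"""Cross-check registered ephones against the router's DHCP bindings.
Added example, not from the original report; the sample text below is
constructed from the section 4.4 output (ephone-3 is an invented extra)."""
import re

REGISTER_RE = re.compile(r"%IPPHONE-6-REGISTER: (?P<ephone>ephone-\d+) IP:(?P<ip>[\d.]+) "
                         r"Socket:\d+ DeviceType:Phone has registered")
BINDING_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
                        r"(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+")


def parse_registrations(log_text: str) -> dict:
    """Map ephone name -> IP address from router syslog text."""
    return {m["ephone"]: m["ip"] for m in REGISTER_RE.finditer(log_text)}


def parse_bindings(show_output: str) -> dict:
    """Map leased IP -> client MAC from 'show ip dhcp binding' output (header lines skipped)."""
    leases = {}
    for line in show_output.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            leases[m["ip"]] = m["mac"].upper()
    return leases


def audit_phones(log_text: str, show_output: str):
    """Return (ephone -> MAC for phones with a lease, names of phones registered without one)."""
    regs = parse_registrations(log_text)
    leases = parse_bindings(show_output)
    matched = {name: leases[ip] for name, ip in regs.items() if ip in leases}
    unleased = sorted(name for name, ip in regs.items() if ip not in leases)
    return matched, unleased


# Constructed sample input based on the output shown in section 4.4.
SAMPLE_LOG = """\
Router#%IPPHONE-6-REGISTER: ephone-1 IP:192.168.10.2 Socket:2 DeviceType:Phone has registered.
Router#%IPPHONE-6-REGISTER: ephone-2 IP:192.168.10.3 Socket:2 DeviceType:Phone has registered.
Router#%IPPHONE-6-REGISTER: ephone-3 IP:192.168.10.99 Socket:2 DeviceType:Phone has registered.
"""
SAMPLE_BINDINGS = """\
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.10.3     0006.2A21.B937          --                      Automatic
192.168.10.4     000B.BE52.8501          --                      Automatic
192.168.10.2     0001.9628.4786          --                      Automatic
192.168.10.6     0010.11E9.75C9          --                      Automatic
"""
```

A phone in the unleased list registered with an address the router did not hand out, which is worth checking against the static addressing you expect.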
Chapter 5
Conclusion _______________________________________________________________________
Wireless networking provides numerous opportunities to increase productivity and cut
costs. It also alters an organization’s overall computer security risk profile. Although it is
impossible to totally eliminate all risks associated with wireless networking, it is possible
to achieve a reasonable level of overall security by adopting a systematic approach to
assessing and managing risk. This report mentioned the threats and vulnerabilities
associated with each of the three basic technology components of wireless networks
(clients, access points, and the transmission medium) and described various commonly
available countermeasures that could be used to mitigate those risks. It also stressed the
importance of training and educating users in safe wireless networking procedures. We
also demonstrated VoIP technology and its advantages over the conventional
communication system through a practical implementation in a real-world scenario.
Chapter 6
(Bio-data of the candidates) _______________________________________________________________________
Roop Kanwal: Pursuing B.Tech in Electronics and Communication with 9.17
current CGPA from LPU, Phagwara.
Divya Pahwa: Pursuing B.Tech in Electronics and Communication with current
CGPA 9.19 from LPU, Phagwara.
Manik Garg: Pursuing B.Tech in Electronics and Communication with current
CGPA 6.92 from LPU, Phagwara.
Ramandeep: Pursuing B.Tech in Electronics and Communication with current
CGPA 7.93 from LPU, Phagwara.
Mayank Shah: Pursuing B.Tech in Electronics and Communication with current
CGPA 2.9 from LPU, Phagwara.