Uploaded by gurjeet-singh on 26-Nov-2015 (Documents)

Page 1: Cap Report

Implementation of Network Security and

VOIP technology

CAPSTONE PROJECT-II

Submitted in partial fulfillment of the

Requirement for the award of the

Degree of

BACHELOR OF TECHNOLOGY

IN

(Electronics and Communication Engineering)

Manik Garg Registration Number: 10900871

Roop Kanwal Registration Number: 10900033

Divya Pahwa Registration Number: 10901208

Ramandeep Kaur Registration Number: 10901210

Mayank Shah Registration Number: 10900154

Under the Guidance of

Mr. Sonit Singh

(Lovely School of Electronics and Communication Engineering)

Lovely Professional University

Punjab

APRIL, 2013


CERTIFICATE

This is to certify that the Dissertation titled "Implementation of Network Security and VOIP technology" made by this group of students is correct to the best of my knowledge and belief. The Capstone Project Proposal based on the technology / tool learnt is fit for the submission and partial fulfillment of the conditions for the award of B.Tech in Electronics and Communication from Lovely Professional University, Phagwara.

Name: Sonit Singh

Designation: Assistant professor

Signature of Faculty Mentor

Objective of the Capstone project is satisfactory / unsatisfactory

Examiner I                                        Examiner II


ACKNOWLEDGEMENT

To make a project there is a need of guidance and motivation at every step. This gives us encouragement to do our best and helps in reaching the goal. We feel immense pleasure in expressing our sincere thanks and deep sense of gratitude, as it has been our privilege to work under the best guidance of "Mr. Sonit Singh". His interest, perception and constant encouragement gave us the confidence to carry out this study.

Roop Kanwal (10900033)

Divya Pahwa (10901208)

Manik Garg (10900871)

Ramandeep Kaur (10901210)

Mayank Shah (10900154)


DECLARATION

We hereby declare that the project work entitled "Implementation on Network Security and VOIP Technology" is an authentic record of our own work carried out as requirements of Capstone Project (Part-I) for the award of the degree of B.Tech. in Electronics and Communication from Lovely Professional University, Phagwara, under the guidance of Mr. Sonit Singh, during August to December, 2012.

Project Group Number: LPU/0903

Name of Group Member Signature of the member

Roop Kanwal (10900033)

Divya Pahwa (10901208)

Manik Garg (10900871)

Ramandeep Kaur (10901210)

Mayank Shah (10900154)


ABSTRACT

This project creates a complex network similar to the networks deployed in offices, colleges, enterprises and other organizations. This report presents an overview of the campus network architecture and includes descriptions of the design considerations, topologies, technologies, configuration design guidelines, and other considerations relevant to the design of a highly available, full-service campus switching fabric. It is also intended to serve as a guide directing readers to more specific campus design best practices and configuration examples for each of the design options, and can be used by network administrators and designers as a manual for designing more complex networks. The aim of the project is to design a complex network that can be implemented in practical, daily-life situations, using VoIP technology, and to understand the attacks that hackers use against a network and the measures that protect it from unauthorized access and damage.


TABLE OF CONTENTS

Implementation of Network Security and VOIP technology .......... 1
Certificate .......... 2
Acknowledgment .......... 3
Declaration .......... 4
Abstract .......... 5
Table of Contents .......... 6
Table of Figures .......... 8
Chapter 1 .......... 9
  1.1 Introduction .......... 9
Chapter 2 .......... 10
  2.1 Key terms and scope of study .......... 12
  2.2 Wireless network attacks .......... 13
    2.2.1 Identity theft (MAC spoofing) .......... 13
    2.2.2 Man-in-the-middle attack .......... 14
    2.2.3 Unauthorized access .......... 19
  2.3 VoIP technology .......... 21
    2.3.1 Benefits of IP communications .......... 21
    2.3.2 How VoIP works .......... 23
Chapter 3 .......... 25
  3.1 Software used .......... 25
  3.2 Features overview .......... 25
  3.3 GNS3 supported platforms .......... 25
  3.4 Version and other software used .......... 26
  3.5 Network devices used: specification .......... 27
Chapter 4 .......... 29
  4.1 Configuration and implementation .......... 29
    4.1.1 Configuring port security .......... 29
      4.1.1.1 Tweaking port security .......... 32
    4.1.2 Implementing HTTPS on a web server .......... 32
    4.1.3 Access list configuration .......... 33
      4.1.3.1 Types of access control list .......... 34
    4.1.4 VoIP configuration .......... 35
Chapter 5 (Bibliography) .......... 35
  5.1 Conclusion .......... i
  5.2 References .......... i
Chapter 6 (Bio-data of the candidates) .......... ii


TABLE OF FIGURES AND SNAPSHOTS

Figure 1: Components of wireless network .......... 12
Figure 2: MAC spoofing .......... 13
Figure 3: Man in the middle attack .......... 15
Figure 4: SSL working .......... 18
Figure 5: Unauthorized access .......... 19
Figure 6: VoIP working .......... 24
Figure 7: Logo of GNS3 .......... 24
Figure 8: Series of devices and protocols supported by GNS3 .......... 26
Snapshot 1: Basic configuration of port security .......... 30
Snapshot 2: Learning of MAC addresses .......... 30
Snapshot 3: Port status is changed to down .......... 31
Snapshot 4: Status of port security applied on a device .......... 31
Snapshot 5: Restrict violation mode on a port .......... 32
Snapshot 6: Network configuration .......... 33
Snapshot 7: Configuration of web server .......... 33
Snapshot 8: Access list configuration .......... 34
Snapshot 9: VoIP configuration .......... 35
Snapshot 10: IP phone with Cisco IP Communicator .......... 36


Chapter1

INTRODUCTION

_____________________________________________________________________________________

Wireless networking presents many advantages. Productivity improves because of increased accessibility to information resources, and network configuration and reconfiguration is easier, faster and less expensive. However, wireless technology also creates new threats and alters the existing information security risk profile. For example, because communication takes place "through the air" using radio frequencies, the risk of interception is greater than with wired networks: if a message is not encrypted, or is encrypted with a weak algorithm, an attacker who captures it can read it, compromising confidentiality. Although wireless networking alters the risks associated with the various threats, the overall security objectives remain the same as for wired networks: preserving confidentiality, ensuring integrity, and maintaining availability of the information and information systems. The objective of this report is to assist managers in deciding whether and how to deploy wireless networking by giving them a basic understanding of the threats associated with it and of the available countermeasures.

The popularity of wireless networks is a testament primarily to their convenience, cost efficiency, and ease of integration with other networks and network components. The majority of computers sold to consumers today come pre-equipped with all the necessary wireless networking technology. The benefits of wireless networks include convenience, mobility, productivity, ease of deployment, expandability and cost.

Wireless network technology, while replete with the conveniences and advantages described above, has its share of drawbacks. For a given networking situation, a wireless network may not be desirable for a number of reasons, most of which have to do with the inherent limitations of the technology. The disadvantages of using a wireless network are:

Security

Range

Reliability

Speed


Wireless Networks present a host of issues for network managers. Unauthorized access points,

broadcasted SSIDs, unknown stations, and spoofed MAC addresses are just a few of the

problems addressed in WLAN troubleshooting. Most network analysis vendors, such as

Network Instruments, Network General, and Fluke, offer WLAN troubleshooting tools or

functionalities as part of their product line.

Chapter 2

2.1 Key terms and scope of study

_____________________________________________________________________________

Wireless Vulnerabilities, Threats and Countermeasures

A wireless network consists of four basic components: the transmission of data using radio frequencies; access points that provide a connection to the organizational network; client devices (laptops, PDAs, etc.); and users. Each of these components provides an avenue for attack that can result in the compromise of one or more of the three fundamental security objectives: confidentiality, integrity and availability.

Fig. 1.0 (Wireless networking components)

2.2 Wireless Network Attacks

2.2.1 Identity theft (MAC spoofing)

Identity theft (or MAC spoofing) occurs when an attacker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC addresses can join and use the network. However, a number of programs with network "sniffing" capabilities exist. Combined with software that lets a computer present any MAC address the attacker chooses, they let the attacker get around that hurdle with little effort. Note that on a wireless network the MAC addresses of associated clients travel in the clear in every 802.11 frame header even when the payload is encrypted, so the "listening" step needs no key at all.


Fig. 1 (MAC spoofing)

The control being bypassed (MAC filtering):

MAC filtering costs almost nothing in resources, and even though it does not keep out any reasonably knowledgeable attacker willing to spend a few moments gaining access, it does keep out many automated, opportunistic attacks that aim solely for the lowest-hanging fruit. Since that lowest-hanging fruit consists of the majority of wireless access points, MAC filtering has some value as a way of turning away the majority of opportunistic attackers. It is not an authentication mechanism and must not be relied on as one.

Method of attack:

1. "Listen" in on network traffic and pick out the MAC address of an authorized client. This can be done with a plethora of freely available tools: a sniffer such as Wireshark shows client MACs in the 802.11 headers, and on a LAN you already have access to, an Nmap ARP ping sweep (nmap -sn) lists the MAC address of every live host.

2. Change your MAC address to match.

When using Nmap itself, you can spoof the source MAC of its probes with nothing more than the --spoof-mac command-line option, which hides the true source of the Nmap probes; given the argument 0, it generates a random MAC address for you. For more general MAC address spoofing, the MAC address is trivially reset with tools available in the default installs of most operating systems. Here are some examples:

Linux: ifconfig eth0 hw ether 02:a0:04:d3:00:11 (or, with iproute2: ip link set dev eth0 address 02:a0:04:d3:00:11; some drivers require the interface to be brought down first)

FreeBSD: ifconfig bge0 link 02:a0:04:d3:00:11

MS Windows: the MAC address is stored in a registry key whose location varies from one Windows version to the next; find it and you can edit it yourself. There are also numerous free utilities you can download to make the change for you (such as Macshift for Windows XP).

Note that the first octet of the address must have its least-significant bit clear (an even first octet). An odd first octet such as 03 marks a multicast (group) address, which is not a valid source address and which the Linux kernel rejects with "Cannot assign requested address". Setting the next bit instead (02, 06, 0a, 0e ...) marks the address as locally administered, which is what spoofed addresses conventionally use.
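The address rule above is easy to get wrong, so here is a small Python script, added as an illustration and not part of the original report, that parses a MAC address, tests the two bits that decide whether an interface will accept it as its own address, and generates a random locally administered unicast address of the kind a --spoof-mac 0 style option hands out. The function names and the sample addresses are the example's own.

```python
# Added example (not from the report): which MAC addresses can a NIC actually use?
import os
import re

# six hex pairs separated consistently by ':' or '-'
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([:-])([0-9A-Fa-f]{2})(?:\2[0-9A-Fa-f]{2}){4}$")


def parse_mac(text: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into 6 raw bytes."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_usable_source_mac(text: str) -> bool:
    """A NIC's own address must be unicast (I/G bit of the first octet clear)
    and neither all-zero nor broadcast; the kernel refuses anything else."""
    raw = parse_mac(text)
    if raw[0] & 0x01:            # bit 0 set -> group (multicast) address
        return False
    if raw == b"\x00" * 6 or raw == b"\xff" * 6:
        return False
    return True


def is_locally_administered(text: str) -> bool:
    """U/L bit (bit 1 of the first octet) set means the address was chosen
    locally rather than burned in from a vendor OUI; spoofed MACs usually look like this."""
    return bool(parse_mac(text)[0] & 0x02)


def random_spoof_mac() -> str:
    """Random 48-bit address with I/G cleared (unicast) and U/L set (local)."""
    raw = bytearray(os.urandom(6))
    raw[0] = (raw[0] & 0xFC) | 0x02
    return format_mac(raw)


if __name__ == "__main__":
    for candidate in ("03:a0:04:d3:00:11", "02:a0:04:d3:00:11", random_spoof_mac()):
        print(candidate, "usable" if is_usable_source_mac(candidate) else "rejected",
              "local" if is_locally_administered(candidate) else "vendor-assigned")
```

The first candidate is the address printed in the report's own ifconfig example; the script reports it as rejected for exactly the reason the note above gives.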

PREVENTION METHOD:

Port security: Use the port security feature to mitigate MAC spoofing attacks on the wired side. Port security is a layer-two traffic control feature on Cisco Catalyst switches. It lets an administrator configure individual switch ports to allow only a specified number of source MAC addresses (and, optionally, specific addresses) ingressing the port, and to specify the action taken when a violation occurs (protect, restrict or shutdown). Its primary use is to deter users from adding "dumb" switches to illegitimately extend the reach of the network (e.g. so that two or three users can share a single access port). Two caveats apply: port security counts and matches addresses but cannot tell a cloned address from the real one, so an attacker who unplugs the legitimate host and presents the same MAC on the same port is not stopped; and it is a wired-switch control, so it does nothing for the wireless association described above, where authenticating the client itself with 802.1X (WPA2-Enterprise) rather than its MAC address is the proper fix.
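As an added illustration (the report's own switch configuration appears in Chapter 4; this is not that, nor Cisco code), the Python model below reproduces what a single access port configured with a maximum of one MAC address does under each violation mode when a second device appears behind it. The port name, the MAC addresses and the traffic sequence are constructed for the example.

```python
# Added example (not from the report): a model of Cisco-style port security on one
# access port, showing the three violation modes and the cloned-MAC blind spot.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # switchport port-security maximum N
    violation: str = "shutdown"         # protect | restrict | shutdown
    allowed: set = field(default_factory=set)   # static + learned ("sticky") MACs
    err_disabled: bool = False
    violations: int = 0                 # counted for restrict/shutdown (syslog/SNMP)
    log: list = field(default_factory=list)

    def _violate(self, mac: str) -> str:
        if self.violation == "protect":
            return "dropped"            # silently discarded, nothing counted or logged
        self.violations += 1
        self.log.append(f"%PORT_SECURITY: unauthorized {mac} on {self.name}")
        if self.violation == "restrict":
            return "dropped"            # dropped, counted and logged; port stays up
        self.err_disabled = True        # shutdown: whole port goes err-disabled
        return "err-disabled"

    def receive(self, src_mac: str) -> str:
        """Return what the switch does with a frame arriving from src_mac."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"
        if src_mac in self.allowed:     # a cloned copy of this MAC passes too
            return "forwarded"
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)   # sticky learning of a new address
            return "forwarded"
        return self._violate(src_mac)


def replay(violation: str, frames) -> list:
    """Run a sequence of source MACs through a freshly configured port."""
    port = SecurePort("Fa0/1", maximum=1, violation=violation)
    return [port.receive(m) for m in frames]


# Constructed traffic: the legitimate PC, the same PC again, a second device
# plugged in behind a "dumb" switch, then the legitimate PC once more.
TRAFFIC = ["00:11:22:33:44:55", "00:11:22:33:44:55",
           "02:a0:04:d3:00:11", "00:11:22:33:44:55"]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:9s} {replay(mode, TRAFFIC)}")
```

Only the shutdown mode takes the legitimate host offline as well, which is why it is the noisiest and also the easiest to abuse as a denial of service against a neighbour's port.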

2.2.2 Man-in-the-middle attack

A man-in-the-middle attacker entices computers to connect to a computer that is set up as a soft AP (access point). Once this is done, the attacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent attacking computer to the real network, and can then sniff the traffic. One type of man-in-the-middle attack starts with a "de-authentication attack": in 802.11, deauthentication frames are unauthenticated management frames (unless 802.11w Protected Management Frames is in use), so anyone can forge them in the AP's name. This forces AP-connected computers to drop their connections and reconnect, possibly to the attacker's soft AP. Man-in-the-middle attacks are made easier by software such as LANjack and AirJack, which automate multiple steps of the process; what once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any such attack since there is little to no security on these networks.


Fig. 2.0 (Man in the middle attack)

The Attack:

A MitM attack takes advantage of weaknesses in network communication protocols to convince a host that its traffic should pass through the attacker instead of through the normal router. In essence, the attacker advertises that it is the router, and the victim updates its address mappings accordingly. On a LAN this is done with ARP spoofing (also called ARP cache poisoning).

The (greatly simplified) purpose of ARP (Address Resolution Protocol) is to let hosts translate IP addresses into MAC addresses.

By design, ARP has no authentication. Any host can reply to an ARP request, or send an unsolicited ARP reply to a specific host, and most systems accept it. The attacker uses such replies to tell the victim that the MAC address for the router's IP address is now the MAC address of the attacker's machine; more specifically, the victim is made to overwrite the IP->MAC entry for the router in its ARP cache. From then on, the IP address of the router corresponds to the attacker's MAC address, and all of the victim's traffic for the router goes to the attacker.

That is not where it stops. To let the traffic reach the Internet, the attacker must configure his system (or attack tool) to forward it on to the original router, and he performs the same ARP spoofing against the router, so that the router sends traffic destined for the victim machine to the attacker instead; the attacker then forwards it on to the victim. This completes the "chain" and places the attacker "in the middle" of the communication, with the connection still working for the victim.

On the switch side, Dynamic ARP Inspection (available on Catalyst switches, including the 3560 and 2960 models listed in Chapter 3, and built on the DHCP snooping binding table) drops ARP replies whose IP/MAC pairing does not match the binding table, which stops this attack on a wired LAN. On the host side, a static ARP entry for the gateway achieves the same for one host.
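The following Python example is added here and is not part of the report. It replays a constructed sequence of ARP replies against a cache that behaves as described above (the last reply wins), against a cache with a static entry for the gateway, and through a small detector that flags the binding change a monitoring tool such as arpwatch would report. All addresses and the "capture" itself are constructed, not recorded.

```python
# Added example (not from the report): ARP cache poisoning and its detection.
from collections import defaultdict

# (operation, sender_ip, sender_mac, target_ip): the ARP fields that matter here.
# Constructed capture: real router 00:aa:bb:cc:dd:01, victim .50, attacker 02:a0:04:d3:00:11.
CAPTURE = [
    ("reply", "192.168.1.1",  "00:aa:bb:cc:dd:01", "192.168.1.50"),  # router's genuine answer
    ("reply", "192.168.1.1",  "02:a0:04:d3:00:11", "192.168.1.50"),  # attacker claims the router's IP
    ("reply", "192.168.1.50", "02:a0:04:d3:00:11", "192.168.1.1"),   # attacker claims the victim's IP to the router
    ("reply", "192.168.1.1",  "02:a0:04:d3:00:11", "192.168.1.50"),  # re-poison every few seconds
]


class NaiveArpCache:
    """No authentication in ARP: the most recent reply for an IP wins."""
    def __init__(self):
        self.table = {}

    def process(self, op, sender_ip, sender_mac, target_ip):
        if op == "reply":
            self.table[sender_ip] = sender_mac


class PinnedArpCache(NaiveArpCache):
    """Static entries (arp -s on a host) are never overwritten by replies."""
    def __init__(self, static):
        super().__init__()
        self.static = dict(static)
        self.table.update(static)

    def process(self, op, sender_ip, sender_mac, target_ip):
        if sender_ip in self.static:
            return
        super().process(op, sender_ip, sender_mac, target_ip)


def detect_spoofing(messages, watched_ips):
    """Alerts for every reply that changes a known binding of a watched IP,
    plus a summary for each watched IP claimed by more than one MAC."""
    seen = defaultdict(set)
    binding = {}
    alerts = []
    for op, sip, smac, tip in messages:
        if op != "reply" or sip not in watched_ips:
            continue
        seen[sip].add(smac)
        if sip in binding and binding[sip] != smac:
            alerts.append(f"{sip} moved from {binding[sip]} to {smac}")
        binding[sip] = smac
    for ip, macs in seen.items():
        if len(macs) > 1:
            alerts.append(f"{ip} claimed by {len(macs)} MACs: {sorted(macs)}")
    return alerts


def victim_view(messages, pinned=False):
    """Which MAC the victim ends up using for the router after the capture."""
    cache = PinnedArpCache({"192.168.1.1": "00:aa:bb:cc:dd:01"}) if pinned else NaiveArpCache()
    for m in messages:
        cache.process(*m)
    return cache.table["192.168.1.1"]


if __name__ == "__main__":
    print("naive cache routes via :", victim_view(CAPTURE))
    print("pinned cache routes via:", victim_view(CAPTURE, pinned=True))
    for a in detect_spoofing(CAPTURE, {"192.168.1.1", "192.168.1.50"}):
        print("ALERT:", a)
```

The detector sees only two of the four messages as suspicious: the first poisoning changes the known binding, while the repeated re-poisoning looks consistent, which is why the per-IP summary at the end is also needed.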

Impacts on HTTP

At this point the attacker can view and modify any traffic sent to or from the victim machine. HTTP traffic is unencrypted and carries no integrity protection, so all HTTP traffic can be trivially monitored and modified by the attacker.

What about HTTPS?

Everything discussed so far is about getting into the middle of the network communication. This lets the attacker view most of the exchanged data, but not read or alter data carried by protocols that provide their own authentication and encryption (e.g. SSH, SSL/TLS). Against those the attacker must either present a forged certificate and hope the victim clicks through the browser warning, or strip the TLS layer by rewriting https:// links to http:// before they reach the victim (SSL stripping); this is why HTTPS combined with HSTS, rather than HTTPS on its own, is the defence. The purpose of HTTPS is to create a secure channel for HTTP by the use of SSL or TLS.

PREVENTION METHOD:

HTTPS ENCRYPTION: Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of the Hyper Text Transfer Protocol (HTTP). It is what allows secure e-commerce transactions such as online banking. With HTTPS, the website presents a digital certificate that lets the browser verify its identity, and the session itself is then encrypted with keys negotiated during the handshake.

Secure Sockets Layer (SSL) is a protocol, originally developed by Netscape, for transmitting private documents via the Internet; its standardised successor is Transport Layer Security (TLS). SSL/TLS uses public-key cryptography, with a public key known to everyone and a private key known only to the server, to authenticate the server and establish a shared symmetric key, and then uses that symmetric key to encrypt the data.


How SSL/TLS works:

Fig 3.0 (SSL working)

1. A browser requests a secure page (usually https://).

2. The web server sends its certificate, which contains its public key.

3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid (not expired or revoked) and that the name in the certificate matches the site contacted.

4. The browser generates a random symmetric encryption key, encrypts it with the server's public key and sends it to the server; the requested URL and other HTTP data follow, encrypted with the symmetric key.

5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.

6. The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.

7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.

This is the RSA key-transport handshake of SSL and of TLS up to version 1.2. TLS 1.3 removed it: the session key is derived from an ephemeral Diffie-Hellman exchange and the server proves possession of its private key by signing the handshake, so a recorded session cannot be decrypted later even if the server's private key leaks. Step 3 is the step that defeats the man-in-the-middle: an attacker who terminates the connection cannot present a certificate for the site's name signed by a trusted CA, so the browser refuses the connection unless the user overrides the warning.

2.2.3 UNAUTHORIZED ACCESS

While it may seem simple to protect a resource such as a directory service from unauthorized access, the problem can be more complicated. There are several opportunities along the path of information delivery for an unauthorized client to gain access to data. Unauthorized access includes:

Unauthorized access to data via data-fetching operations.

Unauthorized access to reusable client authentication information by monitoring the access of others.

Unauthorized access to data by monitoring the access of others.

Fig 4.0 (Unauthorized access)

PREVENTION METHOD:

Access control lists (ACLs):

ACLs perform packet filtering to control which packets move through a network and to where. Packet filtering provides security by helping to limit network traffic, restrict the access of users and devices to a network, and prevent traffic from leaving a network. IP access lists reduce the chance of spoofing and denial-of-service attacks and allow dynamic, temporary user access through a firewall (lock-and-key access lists). Access lists can also save network resources by reducing traffic. The benefits of using access lists are as follows:

Authenticate incoming rsh and rcp requests: Access lists can simplify the identification of local users, remote hosts, and remote users in an authentication database that is configured to control access to a device.

Block unwanted traffic or users: Access lists can filter incoming or outgoing packets on an interface, thereby controlling access to a network based on source addresses, destination addresses, or user authentication. You can also use access lists to determine the types of traffic that are forwarded or blocked at device interfaces.

Provide NAT control: Access lists can control which addresses are translated by Network Address Translation (NAT).

Reduce the chance of DoS attacks: Access lists can, for example, block packets arriving from outside with spoofed internal source addresses (anti-spoofing filters at the edge) and limit which hosts may reach a device's management plane.

Three properties of Cisco IOS access lists matter when writing them: entries are evaluated top to bottom and the first match wins, so the order of the lines decides the result; every list ends with an implicit deny any, so a list containing only deny statements blocks everything; and the lists are stateless, so return traffic for a permitted connection must itself be permitted (or handled with the established keyword or a reflexive access list).
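To make the first-match and implicit-deny rules concrete, here is an added Python evaluator (not the report's configuration and not IOS itself) for Cisco-style extended access-list entries, including wildcard masks. The entries of ACL_110, the mis-ordered copy and the test packets are constructed for the example.

```python
# Added example (not from the report): evaluating packets against a Cisco-style
# extended ACL to show first-match semantics, wildcard masks and the implicit deny.
import ipaddress
from typing import NamedTuple, Optional


class Ace(NamedTuple):            # one access-list entry
    action: str                   # "permit" | "deny"
    proto: str                    # "ip" | "tcp" | "udp" | "icmp"
    src: str                      # "A.B.C.D W.X.Y.Z" (wildcard), "host A.B.C.D" or "any"
    dst: str = "any"
    dport: Optional[int] = None   # "eq N" on the destination port, if present


class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _matches_addr(spec: str, addr: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care' (the inverse of a netmask)."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec[5:]) == ipaddress.ip_address(addr)
    net, wild = spec.split()
    n, w, a = (int(ipaddress.ip_address(x)) for x in (net, wild, addr))
    return (n & ~w) == (a & ~w)


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (action, index) of the first matching entry; index -1 is the implicit deny."""
    for i, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_matches_addr(ace.src, pkt.src) and _matches_addr(ace.dst, pkt.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, i
    return "deny", -1


# Intent: the 10.1.1.0/24 LAN may reach the web server on 443 and nothing else
# on it; everyone may ping. Everything else falls to the implicit deny.
ACL_110 = [
    Ace("permit", "tcp", "10.1.1.0 0.0.0.255", "host 10.1.2.10", 443),
    Ace("deny",   "ip",  "10.1.1.0 0.0.0.255", "host 10.1.2.10"),
    Ace("permit", "icmp", "any", "any"),
]

# The same lines with the first two swapped: the broad deny now shadows the permit.
ACL_110_MISORDERED = [ACL_110[1], ACL_110[0], ACL_110[2]]

if __name__ == "__main__":
    https = Packet("tcp", "10.1.1.25", "10.1.2.10", 443)
    ssh = Packet("tcp", "10.1.1.25", "10.1.2.10", 22)
    dns = Packet("udp", "10.1.1.25", "8.8.8.8", 53)
    for p in (https, ssh, dns):
        print(p, "correct:", evaluate(ACL_110, p), "misordered:", evaluate(ACL_110_MISORDERED, p))
```

The DNS packet is denied by neither written line; it hits the implicit deny at the end, which is the usual reason a "working" ACL silently breaks something unrelated.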

2.3 VOIP Technology

The term Voice over Internet Protocol, or VoIP, has been used as a catch-all phrase in the

industry to refer collectively to a large group of technologies designed to provide Internet-based

communications services. More accurately, VoIP refers only to the underlying transport protocol

that encapsulates voice traffic or voice media streams and allows them to be carried over data

networks, using IP network technologies or internet protocols. VoIP, however, is not IP

Telephony, nor is it the more widely used industry terminology called IP Communications that

refers to an even broader definition of communications networking

applications and technologies. VoIP can be understood as simply a transport protocol for

carrying voice over any packet network, usually between sites. The term convergence, also

sometimes referred as a multi-service network, refers to the integration of data, voice, and

video solutions onto a converged network infrastructure.

2.3.1 Benefits of IP Communications over a Converged Intelligent Network

The benefits of IP Communications applications over a converged intelligent network are

derived from a series of fundamental capabilities within IP networks that provide for the

advantages of flexibility, resilience, and economy.


Economy:

As opposed to connecting elements and applications of a communications system using

expensive legacy voice technologies such as DS1 and DS0 line cards, trunk cards and digital

signaling technologies, IP Communications networks allow customers to build network

communication services based on IP networking technologies using Ethernet economics,

often called silicon economics. One Ethernet port can replace 50 or more legacy voice

circuits, line cards, and chassis equipment needed to provide equivalent service. The key

point here is that the costs are significantly less to provide connections to other sites and to

other applications.

Flexibility:

As opposed to connecting elements and applications of a communications system using legacy

technologies that are proprietary, monolithic, and restrictive in nature, IP networking allows

connections to be made with virtual reach: resources to be distributed anywhere as needed;

economies to be gained by centralization of gateway resources, circuit, and server resources; and

the use of many types of media and applications to be brought together to facilitate

communications within an organization. IP Communications systems are also more capable in

supporting mobility requirements, telecommuting, moves/adds/changes, centralized

management, outsourcing operations, extension mobility, desktop integration, front office, back

office integration and applications, enterprise directories, and taking advantage of emerging web

innovations and services such as instant messaging, presence, and mobility.

Resilience:

With business continuity and disaster recovery high on the agendas of many organizations, the

resiliency of connectivity and abilities provided by IP Communications to keep the organization

connected make it an ideal candidate for survivable services. Redundancy is built into intelligent

layer 2 and layer 3 networking technologies and applications. Internet protocols offer superior

failover, redundant and self-healing capabilities that are easy to deploy, open-standards based,

and can support not only voice, but all of an organization's communications services. The fact

that the most resilient military and enterprise communications systems can now use IP

Communications and Internet protocols to achieve five nines of reliability and availability

provides a superior alternative to rigid voice technologies. These legacy technologies are far

more expensive, and are unable to provide the overall system resiliency needed for as broad a

range of services and applications as can IP Communications.

2.3.2 How VOIP works

With VoIP, analog voice calls are converted into packets of data. The packets travel like any

other type of data, such as e-mail, over the public Internet and/or any private Internet

Protocol (IP) network.

Using a VoIP service, you can call landline or cell phones. You can also call computer-to-

computer, with both parties speaking into a computer microphone and listening through

computer speakers or headsets.

When evaluating, it's worth noting that you can make or receive calls using landline

telephones. All you need is an analog telephone adapter connected to your network. Also, to

ensure the best voice quality and security, consider using your VoIP or other communications

system on a private IP network.

Fig 5.0 (VoIP working)


CHAPTER 3

Software used

__________________________________________________________________

Fig6.0 (Logo of simulator)

The GNS3 network simulator is free, open source software that can be downloaded and used by anyone. GNS3 works by running real Cisco IOS images, which are emulated using a program called Dynamips; GNS3 itself is essentially the GUI part of the overall product. With this GUI, users get an easy-to-use interface that lets them build complex labs consisting of a variety of supported Cisco routers. GNS3 does not ship any IOS images; you must supply your own, legally obtained from Cisco. GNS3 is an excellent complementary tool to real labs for network engineers, administrators and people studying for certifications such as Cisco CCNA, CCNP, CCIP and CCIE as well as Juniper JNCIA, JNCIS and JNCIE. It can also be used to experiment with features of Cisco IOS or Juniper JunOS, or to check configurations that need to be deployed later on real routers. Thanks to VirtualBox integration, system engineers and administrators can also use GNS3 to build labs and study for Red Hat (RHCE, RHCT), Microsoft (MCSE, MCSA), Novell (CLP) and many other vendor certifications. GNS3 is an open source, free program that may be used on multiple operating systems, including Windows, Linux and Mac OS X.

3.1 Features overview

Design of high quality and complex network topologies.

Emulation of many Cisco IOS router platforms, IPS, PIX and ASA firewalls, JunOS.

Simulation of simple Ethernet, ATM and Frame Relay switches.

Connection of the simulated network to the real world!

Packet capture using Wireshark.


3.2 GNS3 Supported Platforms

These are the current platforms supported by GNS3. As you can see from the table, you’ve got

quite a list of devices that can be used with GNS3 to build your labs. This is definitely another

great feature of this simulator. As you all know, with each different model of Cisco devices, you

have more or less features supported by that model. These mostly range from the types of

commands supported on the particular IOS you’re running for that platform.

Fig 7.0 (Series of devices and protocols supported by GNS3)

3.3 Version and other software used

We have used the latest version available at the time, GNS3 v0.8.3.1 all-in-one (an installer which includes Dynamips, Qemu/Pemu, PuTTY, VPCS, WinPcap and Wireshark), on the Windows operating system, together with the virtualization software VirtualBox and Cisco IP Communicator.


3.4 Network devices used: specification

Sr. no | Device     | Type                        | Specification                   | Vendor
-------|------------|-----------------------------|---------------------------------|---------------
1      | Router     | Wireless, wired             | WRT300N, 2620XM, 2621XM         | Linksys, Cisco
2      | Switch     | Multilayer, single layer    | Catalyst 3560, Catalyst 2960    | Cisco
3      | End points | Laptops, personal computers | Inbuilt in software as nodes    | -
4      | Servers    | Mail server and DNS server  | Inbuilt in software as devices  | -

(a.) Linksys WRT300N details:

Device type: Wireless router with integrated 4-port switch

Data link protocol: Ethernet, Fast Ethernet, IEEE 802.11b/g/n

Encryption: WPA, WPA2, 128-bit WEP, 64-bit WEP (of these only WPA2 should be enabled: WEP is broken, and WPA with TKIP is deprecated)

Features: MIMO technology, full duplex capability, firewall protection, MAC address filtering, firmware upgradable, Stateful Packet Inspection (SPI), DHCP support, NAT support

Interfaces: WAN: 1 x Ethernet 10Base-T/100Base-TX (RJ-45); LAN: 4 x Ethernet 10Base-T/100Base-TX (RJ-45)

(b.) Cisco 2620XM/2621XM Ethernet, Fast Ethernet router:

Device type: Wired router

Data link protocol: Ethernet, Fast Ethernet, IEEE 802.3, 802.3u

Features: auto-sensing per device, modular design, manageable, NAT support

Interfaces: Management: 1 x Auxiliary (RJ-45), 1 x Console (RJ-45); 1 x (2620XM) or 2 x (2621XM) Ethernet 10Base-T/100Base-TX (RJ-45)


(c.) Catalyst 3560-24PS:

Device type: Switch - 24 ports - Layer
Compliant protocols: IEEE 802.3af, 802.3x, 802.1Q, 802.1w, 802.1p, 802.3z, 802.3, 802.1x, 802.1D, 802.3ab
Features: Layer 2 switching, Layer 3 switching, DHCP server, full duplex capability, VLAN support, Trivial File Transfer Protocol (TFTP) support, Dynamic Trunking Protocol (DTP) support, DHCP snooping, DHCP support, trunking, Access Control List (ACL) support, IP routing
Interfaces: 24 x Ethernet 10Base-T/100Base-TX - RJ-45 - PoE; 1 x Console - RJ-45 - Management

(d.) Catalyst 2960-24-TT:

Device type: Switch - 24 ports
Compliant protocols: IEEE 802.3af, 802.3x, 802.1Q, 802.1w, 802.1p, 802.3z, 802.3, 802.1x, 802.1D, 802.3ab
Features: Layer 2 switching, IPv6 support, VLAN support, Multiple Spanning Tree Protocol (MSTP) support, port security, MAC address notification, Dynamic Trunking Protocol (DTP) support, ARP support, BOOTP support, DHCP snooping, dynamic IP address assignment, broadcast storm control, Access Control List (ACL) support
Interfaces: 24 x Ethernet 10Base-T/100Base-TX - RJ-45; 2 x Ethernet 10Base-T/100Base-TX/1000Base-T - RJ-45


CHAPTER 4

Configuration and implementation

_______________________________________________________________

After implementing the basic network from the earlier phase of this project, we have added security features and VoIP technology to it. In other words, we have kept the same configuration, added the security measures and VoIP, and shown the configuration of each security measure mentioned above separately, each with a small example topology.

4.1 Configuring port security

Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the port-security command in interface configuration mode.

Port security can be enabled with default parameters by issuing a single command on an interface. We can then view the default port security configuration with show port-security:

Snapshot 1.0 (Basic configuration of port security)


As you can see, there are a number of attributes which can be adjusted. We'll cover these in a moment. When a host connects to the switch port, the port learns the host's MAC address as the first frame is received:

Snapshot 2 (Learning of MAC address)

Now, we disconnect the host from the port, connect a small switch or hub, and reconnect the original host plus a second, unauthorized host so that they both attempt to share the access port. Observe what happens as soon as the second host attempts to send traffic:

Snapshot 3 (Port status is changed to down)

Inspecting the status of port security on the port again, we can see that the new MAC address triggered a violation. By default, a port security violation forces the interface into the error-disabled state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. This must be done after the offending host has been removed, or the violation will be triggered again as soon as the second host sends another frame.


Snapshot 4 (Status of port security applied on the device)

4.1.1 Tweaking Port Security

Violation Mode

Port security can be configured to take one of three actions upon detecting a violation:

- shutdown (default): the interface is placed into the error-disabled state, blocking all traffic.
- protect: frames from MAC addresses other than the allowed addresses are dropped; traffic from allowed addresses is permitted to pass normally.
- restrict: like protect mode, but generates a syslog message and increments the violation counter.

By changing the violation mode to restrict, we are still alerted when a violation occurs, but legitimate traffic remains unaffected:

Snapshot 5 (Restricted port in violation mode)
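The behaviour described in sections 4.1 and 4.1.1 can be checked against a small model. The following Python simulation is an added example written for this report, not switch code or output from the project; the port name and the MAC addresses are constructed. It reproduces the hub scenario (legitimate host learned on the first frame, second host trips the port) under each of the three violation modes, including the manual shutdown / no shutdown recovery and the re-trigger that occurs when the offending host is still attached.

```python
from dataclasses import dataclass, field
from typing import List

# Hypothetical model of an IOS access port with port security enabled, written
# for this report to illustrate the violation modes. It is not switch code.


@dataclass
class SecuredPort:
    name: str
    maximum: int = 1                  # IOS default: one secure MAC address
    violation_mode: str = "shutdown"  # IOS default; or "protect" / "restrict"
    secure_macs: List[str] = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)

    def receive_frame(self, src_mac: str) -> str:
        """Decide what happens to a frame from src_mac: 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                      # err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return "forward"                   # already a secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # dynamically learned on first frame
            return "forward"
        return self._violation(src_mac)        # a further new MAC is a violation

    def _violation(self, src_mac: str) -> str:
        if self.violation_mode == "shutdown":
            self.err_disabled = True
            self.violation_count += 1
            self.syslog.append(f"{self.name}: violation by {src_mac}, port err-disabled")
        elif self.violation_mode == "restrict":
            self.violation_count += 1
            self.syslog.append(f"{self.name}: violation by {src_mac}, frame dropped")
        elif self.violation_mode == "protect":
            pass                               # dropped silently: no log, no counter
        else:
            raise ValueError(f"unknown violation mode {self.violation_mode!r}")
        return "drop"

    def shutdown(self) -> None:
        """'shutdown' on the interface: link goes down, dynamic secure MACs are lost."""
        self.secure_macs.clear()

    def no_shutdown(self) -> None:
        """'no shutdown': clears the err-disabled state so the port can learn again."""
        self.err_disabled = False

    def show_port_security(self) -> dict:
        """Summary in the spirit of 'show port-security interface'."""
        return {
            "port": self.name,
            "status": "err-disabled" if self.err_disabled else "secure-up",
            "violation_mode": self.violation_mode,
            "maximum": self.maximum,
            "secure_macs": list(self.secure_macs),
            "violation_count": self.violation_count,
        }


def hub_scenario(mode: str = "shutdown") -> dict:
    """The report's scenario: the original host and a second, unauthorized host
    share one access port through a hub. MAC addresses are constructed."""
    port = SecuredPort("FastEthernet0/1", violation_mode=mode)
    port.receive_frame("0001.9628.4786")   # legitimate host is learned
    port.receive_frame("000b.be52.8501")   # second host triggers a violation
    return port.show_port_security()


if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        print(hub_scenario(mode))
```

Running the script prints the port status under each mode: only shutdown leaves the port err-disabled, protect records nothing, and restrict keeps the port up while still counting and logging the violation.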


4.2 Implementing HTTPS on a web server

A basic topology with a router, a switch, some hosts as users and a web server is set up to show this security measure. We have configured the web server to work over both HTTP and HTTPS, so it can answer any type of traffic requiring access to the particular website or service, while HTTPS protects the network from eavesdropping by encrypting the data and passing it through a secure tunnel in which eavesdropping and intrusion are not possible.

Snapshot 6 (Network configuration)

Snapshot 7 (Configuration on web server)


4.3 Access List configuration

An access control list (ACL) in a network is used to assign different permissions, e.g. deny or permit, to an object.

ACL Rules:

- The list is applied from the top statement to the bottom, so order is important: once a statement is matched, the remaining statements are ignored.
- There is a default, invisible deny at the bottom of every access list. This means that if you have several hosts in the network, say 192.16.1.1, 192.16.1.2, 192.16.1.100 etc., and you create an access list in which you only deny 192.16.1.100 from accessing the internet, all the other hosts are blocked as well by this rule; you have to write another statement permitting any other host to correct this.
- An ACL is applied to an interface in either the inbound or the outbound direction.

4.3.1 Types of Access Control List

There are two main types of ACL:

1. Standard ACL
2. Extended ACL

Standard ACL:

- ACL number range is from 1-99
- Always applied close to the destination
- Lower processor utilization

Snapshot 8 (Access list configuration)


Configuration of Standard ACL Syntax

Router(config)#access-list <1-99> deny/permit host/network

Deny the host 172.16.2.10, permit everything else, and apply the list outbound on interface f1/0 of R3:

R3(config)#access-list 1 deny host 172.16.2.10
R3(config)#access-list 1 permit any
R3(config)#int f1/0
R3(config-if)#ip access-group 1 out

Set a password on the VTY lines of R1, then restrict VTY access with a second list so that 172.16.2.10 cannot log in while any other host can (access-class applies the list to the VTY lines instead of to an interface):

R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#^Z
R1#conf t
R1(config)#access-list 2 deny 172.16.2.10
R1(config)#access-list 2 permit any
R1(config)#line vty 0 4
R1(config-line)#access-class 2 in
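To make the two ACL rules concrete (top-down first match, and the invisible deny at the bottom), here is an added Python evaluator for standard ACLs. It is an example written for this report, not router code; the list numbers and addresses are those used in the text, plus a constructed subnet entry to show that the same matching logic handles wildcard masks, which the text's host and any examples do not need.

```python
import ipaddress
from typing import List, Tuple

# Hypothetical evaluator for IOS standard access lists, written for this report
# to show first-match processing and the implicit deny. It is not router code.

ACE = Tuple[int, str, int, int]   # (list number, action, address, wildcard mask)


def parse_ace(line: str) -> ACE:
    """Parse 'access-list N permit|deny <host A.B.C.D | any | A.B.C.D [W.W.W.W]>'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard ACE: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if not (1 <= number <= 99 or 1300 <= number <= 1999):   # standard and expanded ranges
        raise ValueError(f"{number} is outside the standard ACL number ranges")
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    if tokens[3] == "any":
        addr, wild = "0.0.0.0", "255.255.255.255"      # every bit is 'don't care'
    elif tokens[3] == "host":
        addr, wild = tokens[4], "0.0.0.0"              # every bit must match
    else:
        addr = tokens[3]
        wild = tokens[4] if len(tokens) > 4 else "0.0.0.0"   # bare address = single host
    return number, action, int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild))


def ace_matches(ip: int, addr: int, wild: int) -> bool:
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    care = ~wild & 0xFFFFFFFF
    return (ip & care) == (addr & care)


class StandardACL:
    def __init__(self, lines: List[str]):
        self.entries = [parse_ace(line) for line in lines]
        numbers = {entry[0] for entry in self.entries}
        if len(numbers) > 1:
            raise ValueError(f"entries belong to different lists: {sorted(numbers)}")

    def evaluate(self, src_ip: str) -> str:
        """Return 'permit' or 'deny' for a packet with this source address."""
        ip = int(ipaddress.IPv4Address(src_ip))
        for _, action, addr, wild in self.entries:   # top to bottom ...
            if ace_matches(ip, addr, wild):
                return action                         # ... first match wins
        return "deny"                                 # invisible deny at the bottom


# Constructed from the scenarios in the text
REPORT_ACL_1 = [
    "access-list 1 deny host 172.16.2.10",
    "access-list 1 permit any",
]
DENY_ONLY_ACL = ["access-list 10 deny 192.16.1.100"]     # the mistake the text warns about
FIXED_ACL = DENY_ONLY_ACL + ["access-list 10 permit any"]


if __name__ == "__main__":
    for name, acl in (("ACL 1", REPORT_ACL_1), ("deny only", DENY_ONLY_ACL), ("fixed", FIXED_ACL)):
        lst = StandardACL(acl)
        for host in ("172.16.2.10", "172.16.2.11", "192.16.1.1", "192.16.1.100"):
            print(f"{name:10} {host:14} -> {lst.evaluate(host)}")
```

Running it shows that the deny-only list blocks 192.16.1.1 as well as 192.16.1.100, and that swapping the order of the two statements in ACL 1 would permit 172.16.2.10 because permit any would match first.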

4.4 VoIP configuration

Here the VoIP setup is made using 2 IP phones, 2 routers and a switch, with 1 computer as a node.

Snapshot 9 (VoIP configuration)


Snapshot 10 (IP-phone with cisco ip communicator)

First, drag all devices and configure the router to work as a DHCP server that leases IP addresses to the IP phones.

ip dhcp pool test-vlan
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 option 150 ip 192.168.10.1

Option 150 is required for Cisco phones: it carries the address of the TFTP server from which the phone fetches its configuration, here the router itself. The pool range is the whole 192.168.10.0/24 network.

Here is the configuration of the router.

telephony-service
 max-ephones 3
 max-dn 3
 ip source-address 192.168.10.1 port 2005
 auto assign 1 to 5
!
ephone-dn 1
 number 1001
!
ephone-dn 2
 number 1005
!
ephone-dn 3
 number 1010

I have used IP phones with a power supply, so the power adapter needs to be plugged in to get the IP phone online. If you don't want or need PoE, you have to use a multilayer switch. Configure the switch as follows; enable the trust boundary for the Cisco phone using "mls qos trust device cisco-phone".

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode trunk
 switchport voice vlan 1
 mls qos trust device cisco-phone
!
interface FastEthernet0/4
 switchport mode access
 switchport voice vlan 1
!
interface FastEthernet0/5
 switchport mode access
 switchport voice vlan 1

After the phone is online, check on the switch whether it is a trusted Cisco phone or not by executing the command "show mls qos interface fa0/1"; "trust device: cisco-phone" appears in the output.

Switch#sh mls qos interface fa0/1
FastEthernet0/1
trust state: not trusted
trusted mode: not trusted
COS override: dis
default COS: 0
pass-through: none
trust device: cisco-phone

As soon as the IP phones are online, the following messages appear on the Cisco router, confirming that the phones are registered with their IP addresses.

Router#%IPPHONE-6-REGISTER: ephone-1 IP:192.168.10.2 Socket:2 DeviceType:Phone has registered.
Router#%IPPHONE-6-REGISTER: ephone-2 IP:192.168.10.3 Socket:2 DeviceType:Phone has registered.

Check the leased IP addresses on the router using the following command.

Router#sh ip dhcp binding
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.10.3     0006.2A21.B937          --                      Automatic
192.168.10.4     000B.BE52.8501          --                      Automatic
192.168.10.2     0001.9628.4786          --                      Automatic
192.168.10.6     0010.11E9.75C9          --                      Automatic
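As an added verification step for the VoIP setup, the following Python helper (an example written for this report, not IOS code or part of the project) reconciles the %IPPHONE-6-REGISTER messages with the show ip dhcp binding output shown above. It tells an administrator which leases belong to registered phones and which leases in the voice pool are held by devices that never registered with the router, which is the kind of lease worth looking at when a phone fails to come up. The sample log lines and binding table are the ones from this section, reconstructed inline.

```python
import re
from typing import Dict, List

# Hypothetical helper, written for this report, that joins ephone registration
# messages with DHCP bindings. It parses text only and does not talk to a router.

REGISTER_RE = re.compile(
    r"%IPPHONE-6-REGISTER:\s+(?P<ephone>ephone-\d+)\s+IP:(?P<ip>[\d.]+)\s+"
    r"Socket:\d+\s+DeviceType:(?P<type>\w+)\s+has registered"
)
# One binding row: IP, client-id/MAC, lease expiry (may contain spaces), type.
BINDING_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3})\s+(?P<mac>\S+)\s+(?P<lease>.+?)\s+(?P<type>Automatic|Manual)\s*$"
)

# Constructed from the router output quoted in this section
ROUTER_LOG = [
    "Router#%IPPHONE-6-REGISTER: ephone-1 IP:192.168.10.2 Socket:2 DeviceType:Phone has registered.",
    "Router#%IPPHONE-6-REGISTER: ephone-2 IP:192.168.10.3 Socket:2 DeviceType:Phone has registered.",
]
DHCP_BINDING = """\
IP address       Client-ID/              Lease expiration        Type
                 Hardware address
192.168.10.3     0006.2A21.B937          --                      Automatic
192.168.10.4     000B.BE52.8501          --                      Automatic
192.168.10.2     0001.9628.4786          --                      Automatic
192.168.10.6     0010.11E9.75C9          --                      Automatic
"""


def parse_registrations(log_lines: List[str]) -> Dict[str, str]:
    """Map phone IP address -> ephone name from %IPPHONE-6-REGISTER messages."""
    phones: Dict[str, str] = {}
    for line in log_lines:
        m = REGISTER_RE.search(line)
        if m:
            phones[m.group("ip")] = m.group("ephone")
    return phones


def parse_dhcp_bindings(output: str) -> Dict[str, dict]:
    """Map leased IP -> {mac, lease, type} from 'show ip dhcp binding' output."""
    bindings: Dict[str, dict] = {}
    for line in output.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:                                  # header lines do not match
            bindings[m.group("ip")] = {
                "mac": m.group("mac").upper(),
                "lease": m.group("lease").strip(),
                "type": m.group("type"),
            }
    return bindings


def reconcile(log_lines: List[str], dhcp_output: str) -> dict:
    """Join registrations with leases and flag leases without a registered phone."""
    phones = parse_registrations(log_lines)
    bindings = parse_dhcp_bindings(dhcp_output)
    return {
        "registered": {
            ip: {**bindings[ip], "ephone": name}
            for ip, name in phones.items() if ip in bindings
        },
        "unregistered_leases": {
            ip: entry for ip, entry in bindings.items() if ip not in phones
        },
        "phones_without_lease": {
            ip: name for ip, name in phones.items() if ip not in bindings
        },
    }


if __name__ == "__main__":
    result = reconcile(ROUTER_LOG, DHCP_BINDING)
    for ip, entry in result["registered"].items():
        print(f"{entry['ephone']:9} {ip:14} {entry['mac']}")
    for ip, entry in result["unregistered_leases"].items():
        print(f"lease with no phone registration: {ip} {entry['mac']}")
```

On the sample data the two registered phones resolve to their MAC addresses, while 192.168.10.4 and 192.168.10.6 are reported as leases with no registration, which in this topology is expected for the PC node but would be worth checking for a phone that stays offline.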


Chapter 5

Conclusion _______________________________________________________________________

Wireless networking provides numerous opportunities to increase productivity and cut costs. It also alters an organization's overall computer security risk profile. Although it is impossible to totally eliminate all risks associated with wireless networking, it is possible to achieve a reasonable level of overall security by adopting a systematic approach to assessing and managing risk. This report mentioned the threats and vulnerabilities associated with each of the three basic technology components of wireless networks (clients, access points, and the transmission medium) and described various commonly available countermeasures that could be used to mitigate those risks. It also stressed the importance of training and educating users in safe wireless networking procedures. We also demonstrated VoIP technology and its advantages over the conventional communication system as a practical implementation in a real-world scenario.



Chapter 6

(Bio-data of the candidates) _______________________________________________________________________

Roop Kanwal: Pursuing B.Tech in Electronics and Communication with 9.17 current CGPA from LPU, Phagwara.

Divya Pahwa: Pursuing B.Tech in Electronics and Communication with current CGPA 9.19 from LPU, Phagwara.

Manik Garg: Pursuing B.Tech in Electronics and Communication with current CGPA 6.92 from LPU, Phagwara.

Ramandeep: Pursuing B.Tech in Electronics and Communication with current CGPA 7.93 from LPU, Phagwara.

Mayank Shah: Pursuing B.Tech in Electronics and Communication with current CGPA 2.9 from LPU, Phagwara.