Tax Net Training

Upload: suman-mukherjee

Post on 02-Jun-2018


  • 8/10/2019 Tax Net Training

    1/25

    PROJECT REPORT

    SUMMER TRAINING

    AT

    IBM

    BY:

    SRM UNIVERSITY

    B.Tech (EEE)

    June, 2014


    PREFACE

    Income Tax department (DIT) has offices in more than 510 cities and towns across India covering 751 buildings. DIT intends to implement the All India Income Tax Network (TAXNET) under phase III of computerization to augment its existing network and to cover the additional cities and buildings in the country. DIT's consultant IBM handles all its computerised operations.

    I am extremely grateful to get the opportunity to undergo my summer training here. I got to work with the extremely efficient persons of IBM and gained immense exposure and knowledge from this training.

    In this particular project I have tried to cover the LAN, WAN, MPLS, IPSec, Layers, Security Leading practices, IP for routers and Switches, based on the requirements and knowledge I captured through discussion with DIT's consultant IBM.

    I thank for giving me the opportunity to undergo the summer training at this highly esteemed company. This project would not have been a success without the able guidance of Sir. I am thankful to each and every person at IBM for their cooperation and guidance which led to the completion of this project.


    CONTENTS

    Sl. No. Topic

    1. Overview TAXNET network

    2. LAN sites

    3. WAN topology

    4. LAN topology

    5. LAN security

    6. Leased Line

    7. MPLS

    8. DATA Security

    9. TAXNET IPSec design

    10. OSI Model

    11. IP : TCP/UDP

    12. Hardware Overview


    OVERVIEW : TAXNET NETWORK

    Income Tax department (ITD) has offices in more than 510 cities and towns across India covering 751 buildings. ITD intends to implement the All India Income Tax Network (TAXNET) under phase III of computerization to augment its existing network and to cover the additional cities and buildings in the country. ITD has set up a Wide Area Network and Local Area Networks (LAN) in the majority of the buildings across 60 cities covered in previous phases of the computerization program of ITD.

    In the present phase of the project, it is proposed to augment the existing network infrastructure and also to set up new infrastructure wherever required, to support communication requirements in terms of Data and Video.

    The ITD network solution is based on Cisco Routers and LAN switches at every location, which connect to the central site (PDC), the Backup site (BCP) and a DR Site. The connectivity between the edge and the central site will be provided through Bharti's MPLS IP VPN cloud. Each ITD location will connect to the nearest MPLS IP VPN PoP (point of presence). From the various MPLS IP VPN PoPs, the required bandwidth would be provided by the IP VPN service provider up to the central ITD site. However, to achieve higher security on the IP VPN connection, IPSec tunnels will be established.

    In this particular project I have tried to cover the LAN, WAN, MPLS, IPSec, Layers, Security Leading practices, IP for routers and Switches, based on the requirements and knowledge I captured through discussion with DIT's consultant IBM.


    TAXNET LAN DESIGN

    TAXNET LAN sites overview

    The proposed TAXNET network consists of 751 locations spread across different states in India. The LANs at different locations have multiple device configurations depending on the size of the location and its criticality. Broadly, all LANs at the different locations can be classified into 11 types:

    1. Primary data centre (PDC)

    2. Backup data centre (BDC)

    3. Disaster recovery centre (DR)

    4. Network Operations Center (NOC)

    5. VSAT Hub Location

    6. C2 sites: 2 to 6 users

    7. A2/B2 sites: 2 to 20 users

    8. A1/B1 sites: 20 to 36 users

    9. A1/B1 sites: 36 to 75 users

    10. A1/B1 sites: up to 240 users

    11. A1/B1 sites: more than 240 users

    Each of these LAN sites has a different LAN device configuration depending on the capacity requirements and also the redundancy and failover requirements.


    WAN(Wide Area Network)

    A wide area network (WAN) is a network that covers a broad area using leased telecommunication lines. In essence, this mode of telecommunication allows a business to effectively carry out its daily functions regardless of location. The Internet can be considered a WAN as well, and is used by businesses, governments, organizations, and individuals for almost any purpose imaginable.

    WAN TOPOLOGY:

    The phrase WAN Topology refers to the arrangement or relative positioning of links and nodes.

    Point-to-Point

    Point-to-point networks see WAN sites connected by high-capacity network cabling known as the backbone. The sites are connected as if in a line, with each site (other than the ones at the ends of the line) only linked to the sites directly before and after it. This is a simple topology to implement, and provides cost benefits in that it requires minimal cabling. However, it leaves networks vulnerable to failure, as a single fault on the backbone can bring whole sections of the network down.

    MPLS

    MPLS is a mechanism in high-performance telecommunication networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than end points. MPLS can encapsulate packets of various network protocols.


    LAN(Local Area Network)

    A local area network (LAN) is a computer network that interconnects computers within a limited area such as a home, school, computer laboratory, or office building, using network media. The defining characteristics of LANs, in contrast to Wide Area Networks (WANs), include their smaller geographic area and non-inclusion of leased telecommunication lines.

    LAN TOPOLOGY

    Ring

    The ring topology is the same as the point-to-point topology, except that the sites at the ends of the backbone are connected to each other as well. This makes ring topology WANs less vulnerable to failure, as traffic can be routed the opposite way around the ring if a fault is detected on the network. However, adding new sites to ring topology WANs requires additional work and cost when compared to point-to-point setups, as each new site requires two connections instead of one.

    Star

    The star topology sees all sites connected to a central hub, a little like the spokes of a wheel. WAN hubs use a technology known as a concentrator router to ensure data is sent to the right destination. This topology allows sites to be added to the network easily (an important consideration for business WANs) and is not vulnerable to a single cable failure bringing down the whole network. However, it is entirely dependent on the concentrator router to be able to run.

    Bus

    In bus topologies, all computers are connected to a single cable or "trunk or backbone", by a transceiver either directly or by using a short drop cable. All ends of the cable must be terminated, that is, plugged into a device such as a computer or terminator. Most bus topologies use coax cables. The number of computers on a bus network will affect network performance: since only one computer at a time can send data, the more computers you have on the network the more computers there will be waiting to send data. A line break at any point along the trunk cable will result in total network failure. Computers on a bus only listen for data being sent; they do not move data from one computer to the next. This is called a passive topology.


    Mesh

    A mesh topology provides each device with a point-to-point connection to every other device in the network. These are most commonly used in WANs, which connect networks over telecommunication links. Mesh topologies use routers to determine the best path. Mesh networks provide redundancy: in the event of a link failure, meshed networks enable data to be routed through any other site connected to the network. Because each device has a point-to-point connection to every other device, mesh topologies are the most expensive and difficult to maintain. Mesh networks differ from other networks in that the component parts can all connect to each other via multiple hops, and they generally are not mobile. Mobile ad-hoc networking (MANET), featured in many consumer devices, is a subsection of mesh networking. Mesh networks are self-healing: the network can still operate even when a node breaks down or a connection goes bad. As a result, a very reliable network is formed.


    LAN SECURITY

    This section covers the different security mechanisms available in LAN environments to protect the LAN switch network from unauthorised access and to protect resources.

    DHCP SNOOPING

    DHCP (dynamic host configuration protocol) snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall that can cause traffic attacks within your network. DIT is planning to use manual IP addressing for all the sites due to their requirement to ensure a static IP address is available for all the hosts. This is to ensure that network or application access control can be achieved based on the IP address and hence an individual user.

    DYNAMIC ARP INSPECTION

    Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs and discards ARP packets with invalid IP-to-MAC address bindings. This protects the network from certain man-in-the-middle attacks. For the TAXNET network, dynamic ARP inspection is not a scalable option because of the non-DHCP environment.

    PORT SECURITY

    Port Security helps to ensure that only valid sources are allowed to transmit traffic into the LAN network. The Port Security feature uses dynamically learned and static MAC addresses to restrict ingress traffic to an interface by limiting the MAC addresses that are allowed to send traffic into a port. Upon assigning secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. As security of the LAN is a critical requirement for DIT, port security can be used to protect the network from unauthorized workstations gaining access. This ensures that only one allowed MAC address (i.e. workstation) can send traffic into the switch.
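The following Python model is an added illustration, not part of the original report and not Cisco's implementation: it shows the decision port security makes for each ingress frame on a port, following the behaviour described above. A frame is forwarded if its source MAC is one of the port's static or dynamically learned secure addresses, the address is learned if the limit has not yet been reached, and anything else is a violation. The port names, MAC addresses and the three violation modes (shutdown, restrict, protect) used here are constructed for the example; address aging and sticky learning are not modelled.

```python
from dataclasses import dataclass, field
from typing import List, Set


# Constructed model of one switch port with port security enabled (hypothetical;
# it follows the behaviour described in the text, not any vendor's exact code).
@dataclass
class SecurePort:
    name: str
    max_secure: int = 1                     # maximum number of secure MAC addresses
    violation: str = "shutdown"             # "shutdown", "restrict" or "protect"
    static_macs: Set[str] = field(default_factory=set)   # configured secure addresses
    learned: Set[str] = field(default_factory=set)       # dynamically learned ones
    err_disabled: bool = False
    violations: int = 0
    log: List[str] = field(default_factory=list)

    def secure_macs(self) -> Set[str]:
        return self.static_macs | self.learned

    def ingress(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                   # a shut-down port forwards nothing
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.max_secure:
            self.learned.add(src_mac)       # room left: learn it as a secure address
            return "forward"
        # Limit reached and the source is not a secure address: violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True        # port stays err-disabled until an admin recovers it
            self.log.append(f"{self.name}: err-disabled, offending MAC {src_mac}")
        elif self.violation == "restrict":
            self.log.append(f"{self.name}: violation, dropped frame from {src_mac}")
        # "protect" drops silently without logging
        return "drop"


def run_frames(port: SecurePort, src_macs: List[str]) -> List[str]:
    """Feed a sequence of frame source MACs through the port and collect the decisions."""
    return [port.ingress(m) for m in src_macs]


if __name__ == "__main__":
    # Single-workstation access port as the report describes: one static MAC allowed.
    port = SecurePort("Gi1/0/1", max_secure=1, violation="shutdown",
                      static_macs={"00:11:22:33:44:55"})
    frames = ["00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"]
    print(run_frames(port, frames), port.err_disabled, port.log)
```

In shutdown mode the second frame from an unknown MAC takes the port err-disabled, so the legitimate workstation is also cut off until the port is recovered; restrict mode keeps the port up and only drops and logs the offending frames, which is the trade-off to weigh when choosing a mode for sites without on-site staff.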


    LEASED LINE:

    A leased line is a service contract between a provider and a customer, whereby the provider agrees to deliver a symmetric telecommunication line connecting two or more locations in exchange for a monthly rent (hence the term lease). It is sometimes known as a "private circuit" or "data line". Leased lines can be used for telephone, data or internet services.

    Typically, leased lines are used by businesses to connect geographically distant offices. Unlike dial-up connections, a leased line is always active. The fee for the connection is a fixed monthly rate. The primary factors affecting the monthly fee are the distance between end points and the speed of the circuit. Because the connection does not carry anybody else's communications, the carrier can assure a given level of quality.

    An Internet leased line is a premium internet connectivity product, normally delivered over fibre, which is dedicated and provides uncontended, symmetrical, full-duplex speeds. It is also known as an Ethernet leased line, DIA line, data circuit or private circuit.

    Leased lines, as opposed to DSL, are being used by companies and individuals for Internet access because they afford faster data transfer rates and are cost-effective for heavy users of the Internet.

    Applications:

    Site to site data connectivity

    Site to site PBX connectivity

    Site to site network connectivity


    MPLS (multiprotocol label switching)

    MPLS is a mechanism in high-performance telecommunication networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than end points. MPLS can encapsulate packets of various network protocols.

    MPLS is a data carrying mechanism. Data packets are assigned labels in an MPLS network. Instead of examining the packet itself, packet forwarding decisions are made purely on the contents of this label. At every point a new label is attached to the packet to tell the router what has to be done with the packet until it reaches its destination. It allows the creation of end-to-end circuits across all types of transport medium, using any protocol.

    It is a complex framework of functions. Dependence on a particular data link layer technology such as Synchronous Optical Networking, Frame Relay, and Asynchronous Transfer Mode is eliminated by using this mechanism, and the need for multiple layer-2 networks to satisfy the different types of traffic is eliminated as well.

    MPLS is often referred to as a layer 2.5 protocol because of where it operates in the OSI model. It is designed to give a unified data carrying service for both packet-switching clients and circuit-based clients. It is used for many kinds of traffic such as Ethernet frames, SONET, native ATM and IP packets.

    MPLS is now replacing the older technologies at a rapid pace.

    MPLS supports a wide range of access technologies, including T1/E1, ATM, Frame Relay and DSL.

    MPLS works by prefixing packets with an MPLS header containing one or more labels. This is called a label stack. These MPLS-labelled packets are switched after a label lookup/switch instead of a lookup into the IP table.
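As an added example (not from the report), the Python below encodes and decodes a label stack in the 32-bit entry format of RFC 3032 (20-bit label, 3-bit traffic class, bottom-of-stack bit, 8-bit TTL) and forwards a packet through a hypothetical transit router using only the top label, which is the point of the paragraph above: the IP header underneath is never inspected. The label forwarding table (LFIB) with labels 16 and 17, the next-hop addresses and the payload bytes are all constructed for the example.

```python
import struct
from typing import List, Optional, Tuple

# One MPLS label stack entry (RFC 3032) is 32 bits:
#   label (20 bits) | traffic class (3 bits) | bottom-of-stack S (1 bit) | TTL (8 bits)
Entry = Tuple[int, int, int]   # (label, tc, ttl)


def encode_label_stack(entries: List[Entry]) -> bytes:
    """Serialise a stack; the S bit is set on the last entry only."""
    out = bytearray()
    for i, (label, tc, ttl) in enumerate(entries):
        if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
            raise ValueError("field out of range")
        s = 1 if i == len(entries) - 1 else 0
        out += struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)
    return bytes(out)


def decode_label_stack(packet: bytes) -> Tuple[List[Entry], bytes]:
    """Read entries until the S bit is set; return (entries, remaining payload)."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(packet):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack_from("!I", packet, offset)
        offset += 4
        entries.append((word >> 12, (word >> 9) & 0x7, word & 0xFF))
        if (word >> 8) & 0x1:
            break
    return entries, packet[offset:]


# Label forwarding table of a hypothetical transit LSR (constructed for the example):
# incoming label -> (action, outgoing label, next hop). Labels 0-15 are reserved.
LFIB = {
    16: ("swap", 24, "10.0.0.2"),
    17: ("pop", None, "10.0.0.3"),
}


def forward(packet: bytes, lfib=LFIB) -> Tuple[Optional[bytes], str]:
    """Forward one labelled packet using only its top label, never the IP header."""
    entries, payload = decode_label_stack(packet)
    (label, tc, ttl), rest = entries[0], entries[1:]
    if ttl <= 1:
        return None, "ttl-expired"
    binding = lfib.get(label)
    if binding is None:
        return None, "no-binding"          # unknown label: drop, no fallback to IP routing
    action, out_label, next_hop = binding
    if action == "swap":
        new_entries = [(out_label, tc, ttl - 1)] + rest
    else:  # pop: the decremented TTL carries into the new top entry (uniform model)
        new_entries = [(rest[0][0], rest[0][1], ttl - 1)] + rest[1:] if rest else []
    if not new_entries:
        return payload, next_hop           # stack empty: payload leaves unlabelled
    return encode_label_stack(new_entries) + payload, next_hop


if __name__ == "__main__":
    pkt = encode_label_stack([(16, 0, 64), (100, 5, 64)]) + b"constructed IP payload"
    out, nh = forward(pkt)
    print(decode_label_stack(out)[0], nh)   # [(24, 0, 63), (100, 5, 64)] 10.0.0.2
```

Running the file swaps the outer label 16 for 24 and decrements its TTL while the inner VPN label 100 passes through untouched; an unknown label or an expired TTL results in a drop, which is why a label binding error inside the provider cloud looks like silent loss to the customer site rather than an ICMP unreachable.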

    ADVANTAGES:

    Improve Uptime: by sending data over an alternative path in less than 50 milliseconds (if one exists). MPLS also reduces the amount of manual intervention your network provider has to do to create a WAN, reducing the likelihood of human error bringing down your circuit.

    Create Scalable IP VPNs: with MPLS it's easy to add an additional site to the VPN. There is no need to configure a complex mesh of tunnels, as is common with some traditional approaches.


    Improve User Experience: by prioritising time-sensitive traffic such as VoIP. Multi-Protocol Label Switching offers multiple Classes of Service, enabling you to apply separate settings to different types of traffic.

    Improve Bandwidth Utilisation: by putting multiple types of traffic on the same link, you can let high priority traffic borrow capacity from lower priority traffic streams whenever required. Conversely, when the lower priority traffic needs to burst beyond its usual amount of bandwidth, it can use any capacity that's not being used by higher priority services.

    Hide Network Complexity: an MPLS connection between two sites can be configured to act like a long Ethernet cable, with the hops involved hidden from view. This is sometimes known as VPLS (Virtual Private LAN Service).

    Reduce Network Congestion: sometimes the shortest path between two locations isn't the best one to take, as congestion has made it less attractive (at least for the time being). MPLS offers sophisticated traffic engineering options that enable traffic to be sent over non-standard paths. This can reduce latency (the delay in sending/receiving data). It also reduces congestion on the paths that have just been avoided as a result of traffic engineering.


    Customer networks are connected via Customer Edge (CE) routers to the provider MPLS network. In MPLS-VPN terminology, an Edge LSR that provides VPN services over MPLS is referred to as a PE. The Customer Edge router runs ordinary IP forwarding (static or dynamic) and does not run MPLS. If the CE does run MPLS, it will usually use it independently of the provider.

    MPLS network structure:


    DATA SECURITY OVER THE MPLS:

    ENCRYPTION:

    Encryption is the process of encoding messages or information in such a way that only authorised parties can read it. In an encryption scheme, the message or information is encrypted using an encryption algorithm, generating cipher text that can only be read if decrypted. A pseudo-random encryption key is generated by an algorithm.

    In a world growing increasingly dependent on technology and the desire for privacy in the virtual realm, data encryption techniques have become widely used to ensure the protection of important information.

    Data security includes the following four basic functions: Confidentiality, which guarantees data is not leaked to third parties. Integrity, which prevents alteration of prepared data. Authenticity, which guarantees the ostensible preparer of the data is the real preparer. Accountability, which is used for checking all past processes when errors occur and for clear assignment of responsibility.

    In TAXNET, 3DES is used as the encryption method for securing data.

    IPsec: (Internet Protocol Security)

    Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec uses cryptographic security services to protect communications over IP networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.


    TAXNET IPSec DESIGN

    Security is a critical concern for any enterprise these days, especially in environments like government where the information transported is very sensitive. Hence, for obvious reasons, one of the requirements of the TAXNET network is to have a secure network, due to the sensitiveness of the data that is transported over it. DIT requires high confidentiality of data during transport over the Bharti MPLS VPN transport. The requirement is to encrypt all user data between CE and CE. IPSec with 3DES encryption provides an excellent level of encryption and hence confidentiality.

    While IPSec provides complete confidentiality of data that is transported across the IPSec tunnels, IPSec alone cannot provide transport of multicast traffic, which is a requirement for multicast applications and the exchange of routing protocol updates. This requires the use of GRE point-to-point tunnels which are encrypted using IPSec. GRE over the available infrastructure provides an overlay Hub and Spoke connectivity. In the case of DIT, the central PDC location in Delhi will host all the data application services eventually when this project is completed. All the remote locations of DIT access the core applications available at the PDC. DIT has also planned for a backup location in Mumbai which is called BCP. This location is an exact replica of the PDC in terms of the network equipment that is planned at this site. The goal is to provide disaster recovery in case the PDC site is completely unavailable during extreme cases of disaster.
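To make concrete why the design above needs GRE alongside IPSec, here is an added Python example (not from the report, and not DIT's or IBM's configuration) that encapsulates an IPv4 packet addressed to the OSPF multicast group 224.0.0.5 in a GRE header and an outer unicast IPv4 header between two tunnel endpoints. The multicast destination survives inside, while the outer packet is plain unicast that a point-to-point IPSec tunnel can carry. The tunnel endpoint addresses 192.0.2.1 and 198.51.100.1 and the inner host 10.1.1.1 are constructed values; the IPSec layer that would wrap the GRE packet is outside this example.

```python
import ipaddress
import struct
from typing import Dict, Tuple

GRE_PROTOCOL = 47         # IP protocol number of GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 passenger packet
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(packet: bytes) -> Dict:
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0xF) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in a basic GRE header (no checksum/key/sequence) plus an outer IPv4 header."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0, protocol type = IPv4
    payload = gre_hdr + inner
    return build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(payload)) + payload


def gre_decapsulate(packet: bytes) -> Tuple[Dict, bytes]:
    """Validate the outer header and GRE header; return (outer fields, passenger packet)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTOCOL:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:   # C, K or S flag set, or a non-IPv4 passenger
        raise ValueError("unsupported GRE header")
    return outer, outer["payload"][4:]


def tunnel_multicast_example() -> Tuple[str, str]:
    """Constructed: an OSPF packet to 224.0.0.5 (AllSPFRouters) travels as a unicast GRE packet."""
    inner = build_ipv4_header("10.1.1.1", "224.0.0.5", 89, 8) + b"\x00" * 8   # proto 89 = OSPF
    outer_pkt = gre_encapsulate(inner, "192.0.2.1", "198.51.100.1")
    outer, passenger = gre_decapsulate(outer_pkt)
    assert passenger == inner
    return outer["dst"], parse_ipv4(passenger)["dst"]


if __name__ == "__main__":
    print(tunnel_multicast_example())   # ('198.51.100.1', '224.0.0.5')
```

The outer header is what the IPSec peers see and protect: its destination is the remote tunnel endpoint, not the multicast group, so the same tunnel carries routing updates and application multicast without the IPSec policy needing to know about either.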

    In addition to PDC and BCP, DIT also has plans to implement another disaster recovery centre in Chennai. The idea of this DR location is to provide basic services in extreme emergencies. The complete details of the network equipment are not known at this time and the design for DR is out of the scope of this document.


    Layer 1: physical layer

    The physical layer has the following major functions:

    It defines the electrical and physical specifications of the data connection. It defines the relationship between a device and a physical transmission medium (e.g., a copper or fiber optical cable). This includes the layout of pins, voltages, signal timing, network adapters and more.

    It defines the protocol to establish and terminate a connection between two directly connected nodes over a communication medium.

    It may define the protocol for flow control.

    It defines a protocol for the provision of a (not necessarily reliable) connection between two directly connected nodes, and the modulation or conversion between the representation of digital data.

    Layer 2: data link layer

    The data link layer provides a reliable link between two directly connected nodes, by detecting and possibly correcting errors that may occur in the physical layer. The data link layer is divided into two sub-layers:

    Media Access Control (MAC) layer - responsible for controlling how computers in the network gain access to data and permission to transmit it.

    Logical Link Control (LLC) layer - controls error checking and packet synchronization.

    The Point-to-Point Protocol (PPP) is an example of a data link layer protocol in the TCP/IP protocol stack.

    Layer 3: network layer

    The network layer provides the functional and procedural means of transferring variable length data sequences (called datagrams) from one node to another connected to the same network. A network is a medium to which many nodes can be connected, on which every node has an address and which permits nodes connected to it to transfer messages to other nodes connected to it by merely providing the content of a message and the address of the destination node and letting the network find the way to deliver ("route") the message to the destination node. In addition to message routing, the network may (or may not) implement message delivery by splitting the message into several fragments, delivering each fragment by a separate route and reassembling the fragments, report delivery errors, etc.

    Layer 4: transport layer

    The transport layer provides the functional and procedural means of transferring variable-length data sequences from a source to a destination host via one or more networks, while maintaining the quality of service functions.

    The transport layer controls the reliability of a given link through flow control, segmentation/desegmentation and error control. Some protocols are state- and connection-oriented. This means that the transport layer can keep track of the segments and retransmit those that fail. The transport layer also provides the acknowledgement of successful data transmission and sends the next data if no errors occurred. The transport layer creates packets out of the message received from the application layer. Packetizing is the process of dividing a long message into smaller messages.

    Layer 5: session layer

    The session layer controls the dialogues (connections) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for full-duplex, half-duplex or simplex operation, and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for graceful close of sessions, which is a property of the Transmission Control Protocol, and also for session checkpointing and recovery, which is not usually used in the Internet Protocol Suite.

    The session layer is commonly implemented explicitly in application environments that use remote procedure calls.


    Transmission Control Protocol (TCP)

    The Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol Suite (IP) and is so common that the entire suite is called TCP/IP. TCP provides reliable, ordered and error-checked delivery of a stream of octets between programs running on computers connected to a local area network, intranet or the public Internet. It resides at the transport layer.

    Web browsers use TCP when they connect to servers on the World Wide Web, and it is used to deliver email and transfer files from one location to another. HTTP, HTTPS, SMTP, Telnet and a variety of other protocols are typically encapsulated in TCP.

    Function:

    The protocol corresponds to the transport layer of the TCP/IP suite. TCP provides a communication service at an intermediate level between an application program and the Internet Protocol (IP).

    IP works by exchanging pieces of information called packets. A packet is a sequence of octets (bytes) and consists of a header followed by a body. The header describes the packet's source, destination and control information.

    Due to network congestion, traffic load balancing, or other unpredictable network behavior, IP packets can be lost, duplicated, or delivered out of order. TCP detects these problems, requests retransmission of lost data, rearranges out-of-order data, and even helps minimize network congestion to reduce the occurrence of the other problems. Once the TCP receiver has reassembled the sequence of octets originally transmitted, it passes them to the receiving application. While IP handles actual delivery of the data, TCP keeps track of the individual units of data transmission, called segments, that a message is divided into for efficient routing through the network. Thus, TCP abstracts the application's communication from the underlying networking details.
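As an added example (not from the report), the following Python class models the receiver-side behaviour the paragraph describes: segments are accepted by sequence number, out-of-order ones are held until the gap before them is filled, duplicates are discarded, and the cumulative acknowledgement advances only over contiguous data. The sequence numbers and segment contents in run_scenario are constructed; this is a model of reassembly, not a TCP implementation.

```python
from typing import Dict, List, Tuple


class ReceiveBuffer:
    """Constructed model of a TCP receiver's reassembly buffer (not a full TCP stack)."""

    def __init__(self, initial_seq: int):
        self.next_seq = initial_seq          # next in-order byte expected; this is the ACK value
        self.pending: Dict[int, bytes] = {}  # out-of-order segments keyed by sequence number
        self.delivered = bytearray()         # bytes handed to the application, in order
        self.stats = {"in_order": 0, "out_of_order": 0, "duplicate": 0}

    def receive(self, seq: int, data: bytes) -> int:
        """Accept one segment; return the cumulative ACK to send back."""
        if seq + len(data) <= self.next_seq:
            self.stats["duplicate"] += 1     # entirely old data (retransmission or duplicate)
            return self.next_seq
        if seq < self.next_seq:              # partial overlap: trim the already delivered part
            data, seq = data[self.next_seq - seq:], self.next_seq
        if seq == self.next_seq:
            self.stats["in_order"] += 1
            self._deliver(data)
        else:
            self.stats["out_of_order"] += 1  # hold it until the gap before it is filled
            if len(self.pending.get(seq, b"")) < len(data):
                self.pending[seq] = data
        return self.next_seq

    def _deliver(self, data: bytes) -> None:
        self.delivered += data
        self.next_seq += len(data)
        progressed = True
        while progressed:                    # drain buffered segments that are now contiguous
            progressed = False
            for s in sorted(self.pending):
                if s <= self.next_seq:
                    chunk = self.pending.pop(s)[self.next_seq - s:]
                    self.delivered += chunk
                    self.next_seq += len(chunk)
                    progressed = True
                    break

    def missing_ranges(self) -> List[Tuple[int, int]]:
        """Byte ranges [start, end) not yet received, i.e. what the sender still has to resend."""
        gaps, cursor = [], self.next_seq
        for s in sorted(self.pending):
            if s > cursor:
                gaps.append((cursor, s))
            cursor = max(cursor, s + len(self.pending[s]))
        return gaps


def run_scenario() -> Dict:
    """Constructed arrival order: out-of-order delivery, a gap fill and a duplicate."""
    rb = ReceiveBuffer(1000)
    acks = []
    acks.append(rb.receive(1000, b"HELLO "))   # in order
    acks.append(rb.receive(1012, b" WORLD"))   # arrives early: buffered, ACK stays at 1006
    gap = rb.missing_ranges()                   # [(1006, 1012)]
    acks.append(rb.receive(1006, b"TAXNET"))   # fills the gap; the buffered segment drains too
    acks.append(rb.receive(1000, b"HELLO "))   # duplicate of the first segment
    acks.append(rb.receive(1018, b"!"))
    return {"data": bytes(rb.delivered), "acks": acks, "gap": gap, "stats": rb.stats}


if __name__ == "__main__":
    print(run_scenario())
```

The repeated ACK of 1006 while the gap is open is the signal a sender uses to retransmit the missing segment; the application only ever sees the in-order byte stream, which is the abstraction the paragraph describes.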


    User Datagram Protocol (UDP)

    UDP is one of the core members of the Internet protocol suite. With UDP, computer applications can send messages (datagrams) to other hosts on an Internet Protocol (IP) network without prior communications to set up data paths.

    UDP is a minimal message-oriented Transport Layer protocol. UDP provides no guarantees to the upper layer protocol for message delivery, and the UDP protocol layer retains no state of UDP messages once sent.

    UDP is suitable for purposes where error checking and correction are either not necessary or are performed in the application, avoiding the overhead of such processing at the network interface level. Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system. Lacking reliability, UDP applications must generally be willing to accept some loss, errors or duplication. If error correction facilities are needed at the network interface level, an application may use the Transmission Control Protocol (TCP).


    HARDWARE OVERVIEW:

    Cisco 2511 router

    Cisco 3845 router

    Cisco 4510 switch


    Cisco 3750 switch

    Cisco 2950 switch

    Cisco 2560 switch