tax net training
8/10/2019 Tax Net Training
1/25
PROJECT REPORT
SUMMER TRAINING
AT
IBM
BY:
SRM UNIVERSITY
B.Tech (EEE)
June, 2014
PREFACE
The Income Tax Department (DIT) has offices in more than 510 cities and towns across India covering 751 buildings. DIT intends to implement the All India Income Tax Network (TAXNET) under phase III of computerization to augment its existing network and to cover the additional cities and buildings in the country. DIT's consultant IBM handles all its computerised operations.
I am extremely grateful to get the opportunity to undergo my summer training here. I
got to work with the extremely efficient persons of IBM and gained immense
exposure and knowledge from this training.
In this particular project I have tried to cover the LAN, WAN, MPLS, IPSec, layers, security leading practices, and IP for routers and switches, based on the requirements and knowledge I captured through discussion with DIT's consultant IBM.
I thank for giving me the opportunity to undergo the summer training at this
highly esteemed company. This project would not have been a success without the
able guidance of Sir. I am thankful to each and every person at IBM for their
cooperation and guidance which led to the completion of this project.
CONTENTS
Sl. No. Topic
1. Overview TAXNET network
2. LAN sites
3. WAN topology
4. LAN topology
5. LAN security
6. Leased Line
7. MPLS
8. DATA Security
9. TAXNET IPSec design
10. OSI Model
11. IP : TCP/UDP
12. Hardware Overview
OVERVIEW : TAXNET NETWORK
The Income Tax Department (ITD) has offices in more than 510 cities and towns across India covering 751 buildings. ITD intends to implement the All India Income Tax Network (TAXNET) under phase III of computerization to augment its existing network and to cover the additional cities and buildings in the country. ITD has set up a Wide Area Network and Local Area Networks (LAN) in the majority of the buildings across 60 cities covered in previous phases of the computerization program of ITD.
In the present phase of the project, it is proposed to augment the existing network infrastructure and also to set up new infrastructure wherever required, to support communication requirements in terms of data and video.
The ITD network solution is based on Cisco routers and LAN switches at every location, which connect to the central site (PDC), the backup site (BCP) and a DR site. The connectivity between the edge and the central site will be provided through Bharti's MPLS IP VPN cloud. Each ITD location will connect to the nearest MPLS IP VPN PoP (point of presence). From the various MPLS IP VPN PoPs, the required bandwidth would be provided by the IP VPN service provider up to the central ITD site. However, to achieve higher security on the IP VPN connection, IPSec tunnels will be established.
In this particular project I have tried to cover the LAN, WAN, MPLS, IPSec, layers, security leading practices, and IP for routers and switches, based on the requirements and knowledge I captured through discussion with DIT's consultant IBM.
TAXNET LAN DESIGN
TAXNET LAN sites overview
The proposed TAXNET network consists of 751 locations spread across different states in India. The LANs at different locations have multiple device configurations depending on the size of the location and its criticality. Broadly, all LANs at the different locations can be classified into 11 types:
1. Primary data centre (PDC)
2. Backup data centre (BDC)
3. Disaster recovery centre (DR)
4. Network Operations Center (NOC)
5. VSAT hub location
6. C2 sites: 2 to 6 users
7. A2/B2 sites: 2 to 20 users
8. A1/B1 sites: 20 to 36 users
9. A1/B1 sites: 36 to 75 users
10. A1/B1 sites: up to 240 users
11. A1/B1 sites: more than 240 users
Each of these LAN sites has a different LAN device configuration depending on the capacity requirements and also the redundancy and failover requirements.
WAN(Wide Area Network)
A wide area network (WAN) is a network that covers a broad area using leased telecommunication lines. In essence, this mode of telecommunication allows a business to effectively carry out its daily functions regardless of location. The Internet can be considered a WAN as well, and is used by businesses, governments, organizations, and individuals for almost any purpose imaginable.
WAN TOPOLOGY:
The phrase WAN topology refers to the arrangement or relative positioning of links and nodes.
Point-to-Point
Point-to-point networks see WAN sites connected by high-capacity network cabling known as the backbone. The sites are connected as if in a line, with each site (other than the ones at the ends of the line) linked only to the sites directly before and after it. This is a simple topology to implement, and provides cost benefits in that it requires minimal cabling. However, it leaves networks vulnerable to failure, as a single fault on the backbone can bring whole sections of the network down.
MPLS
MPLS is a mechanism in high-performance telecommunication networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than end points. MPLS can encapsulate packets of various network protocols.
LAN(Local Area Network)
A local area network (LAN) is a computer network that interconnects computers within a limited area such as a home, school, computer laboratory, or office building, using network media. The defining characteristics of LANs, in contrast to wide area networks (WANs), include their smaller geographic area and non-inclusion of leased telecommunication lines.
LAN TOPOLOGY
Ring
The ring topology is the same as the point-to-point topology, except the sites at the ends of the backbone are connected to each other as well. This makes ring topology WANs less vulnerable to failure, as traffic can be routed the opposite way around the ring if a fault is detected on the network. However, adding new sites to ring topology WANs requires additional work and cost when compared to point-to-point setups, as each new site requires two connections instead of one.
Star
The star topology sees all sites connected to a central hub, a little like the spokes of a wheel. WAN hubs use a technology known as a concentrator router to ensure data is sent to the right destination. This topology allows for sites to be added to the network easily (an important consideration for business WANs) and is not vulnerable to a single cable failure bringing down the whole network. However, it is entirely dependent on the concentrator router to be able to run.
Bus
In bus topologies, all computers are connected to a single cable or "trunk or backbone" by a transceiver, either directly or by using a short drop cable. All ends of the cable must be terminated, that is, plugged into a device such as a computer or a terminator. Most bus topologies use coax cables. The number of computers on a bus network will affect network performance: since only one computer at a time can send data, the more computers you have on the network, the more computers there will be waiting to send data. A line break at any point along the trunk cable will result in total network failure. Computers on a bus only listen for data being sent; they do not move data from one computer to the next. This is called a passive topology.
Mesh
A mesh topology provides each device with a point-to-point connection to every other device in the network. These are most commonly used in WANs, which connect networks over telecommunication links. Mesh topologies use routers to determine the best path. Mesh networks provide redundancy: in the event of a link failure, meshed networks enable data to be routed through any other site connected to the network. Because each device has a point-to-point connection to every other device, mesh topologies are the most expensive and difficult to maintain.
Mesh networks differ from other networks in that the component parts can all connect to each other via multiple hops, and they generally are not mobile. Mobile ad-hoc networking (MANET), featured in many consumer devices, is a subsection of mesh networking. Mesh networks are self-healing: the network can still operate even when a node breaks down or a connection goes bad. As a result, a very reliable network is formed.
LAN SECURITY
This section covers the different security mechanisms available in LAN environments to protect the LAN switch network from unauthorised access and to protect resources.
DHCP SNOOPING
DHCP (Dynamic Host Configuration Protocol) snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding table. An untrusted message is a message that is received from outside the network or firewall that can cause traffic attacks within your network.
DIT is planning to use manual IP addressing for all the sites due to their requirement to ensure a static IP address is available for all the hosts. This is to ensure that network or application access control can be achieved based on the IP address and hence an individual user.
DYNAMIC ARP INSPECTION
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs and discards ARP packets with invalid IP-to-MAC address bindings. This protects the network from certain man-in-the-middle attacks. For the TAXNET network, dynamic ARP inspection is not a scalable option because of the non-DHCP environment.
PORT SECURITY
Port security helps to ensure that only valid sources are allowed to transmit traffic into the LAN network. The port security feature uses dynamically learned and static MAC addresses to restrict ingress traffic to an interface by limiting the MAC addresses that are allowed to send traffic into a port. Upon assigning secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
As security of the LAN is a critical requirement for DIT, port security can be used to protect the network from unauthorized workstations gaining access. This ensures that only one allowed MAC address (i.e. workstation) can send traffic into the switch.
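The three mechanisms above, applied to one access port, as an added Cisco IOS configuration example that is not part of the original report. The interface names, VLAN 20, the host IP addresses and the MAC addresses are constructed placeholders; the switch is assumed to be a Catalyst access switch such as the 3750 listed in the hardware overview.

```cisco
! Access port for a single DIT workstation: exactly one MAC address allowed.
! Constructed example; interface, VLAN and addresses are placeholders.
interface GigabitEthernet1/0/5
 description DIT workstation - static IP host
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 ! "sticky" learns the first MAC seen and writes it into the running
 ! config, so the allowed workstation need not be typed in per port.
 switchport port-security mac-address sticky
 ! "restrict" drops frames from any other MAC, logs and counts the
 ! violation but keeps the port up; "shutdown" (the default) would put
 ! the port into err-disabled state instead.
 switchport port-security violation restrict
 spanning-tree portfast
!
! Uplink towards the site core: no port security, and the only port on
! which DHCP server messages are trusted, so DHCP snooping drops offers
! from a rogue DHCP server plugged into any access port.
interface GigabitEthernet1/0/49
 description Uplink to site core
 switchport mode trunk
 ip dhcp snooping trust
!
ip dhcp snooping
ip dhcp snooping vlan 20
!
! Hosts use static IP addresses (no DHCP), so the DHCP snooping binding
! table stays empty and Dynamic ARP Inspection has nothing to validate
! against. DAI can still run from an ARP access-list, but every host
! needs its own IP-to-MAC entry, which is why the report considers it
! unscalable across 751 locations.
arp access-list STATIC-HOSTS-VLAN20
 permit ip host 10.20.0.11 mac host 0011.2233.4455
 permit ip host 10.20.0.12 mac host 0011.2233.4456
ip arp inspection vlan 20
ip arp inspection filter STATIC-HOSTS-VLAN20 vlan 20 static
!
! Verification after applying the above:
!   show port-security interface GigabitEthernet1/0/5
!   show port-security address
!   show ip dhcp snooping
!   show ip arp inspection vlan 20
```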
LEASED LINE:
A leased line is a service contract between a provider and a customer, whereby the provider agrees to deliver a symmetric telecommunication line connecting two or more locations in exchange for a monthly rent (hence the term lease). It is sometimes known as a "private circuit" or "data line". Leased lines can be used for telephone, data or internet services.
Typically, leased lines are used by businesses to connect geographically distant
offices. Unlike dial-up connections, a leased line is always active. The fee for the
connection is a fixed monthly rate. The primary factors affecting the monthly fee are
distance between end points and the speed of the circuit. Because the connection
does not carry anybody else's communications, the carrier can assure a given level
of quality.
An Internet leased line is a premium internet connectivity product, delivered over
fibre normally, which is dedicated and provides uncontended, symmetrical speeds,
full-duplex. It is also known as an Ethernet leased line, DIA line, data circuit or
private circuit.
Leased lines, as opposed to DSL, are being used by companies and individuals
for Internet access because they afford faster data transfer rates and are cost-
effective for heavy users of the Internet.
Applications:
Site to site data connectivity
Site to site PBX connectivity
Site to site network connectivity
MPLS (multiprotocol label switching)
MPLS is a mechanism in high-performance telecommunication networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table. The labels identify virtual links (paths) between distant nodes rather than end points. MPLS can encapsulate packets of various network protocols.
MPLS is a data-carrying mechanism. Data packets are assigned labels in an MPLS network. Instead of examining the packet itself, packet forwarding decisions are made purely on the contents of this label. At every hop a new label is attached to the packet to tell the next router what has to be done with the packet, until it reaches its destination. It allows the creation of end-to-end circuits across all types of transport medium, carrying any protocol.
It is a complex framework of functions. Dependence on a particular data link layer
technology such as Synchronous Optical Networking, Frame Relay, and
Asynchronous Transfer Mode is eliminated by using this mechanism and also the
need for multiple layer-2 networks to satisfy the different types of traffic is eliminated.
MPLS is often referred to as a layer 2.5 protocol because of where it operates in the OSI model. It is designed to give a unified data-carrying service for both packet-switching clients and circuit-based clients. It is used for many kinds of traffic such as Ethernet frames, SONET, native ATM and IP packets.
MPLS is now replacing the older technologies at rapid pace.
MPLS supports a wide range of access technologies, including T1/E1, ATM, Frame
Relay and DSL.
MPLS works by prefixing packets with an MPLS header containing one or more labels. This is called a label stack. These MPLS-labelled packets are switched after a label lookup/switch instead of a lookup in the IP routing table.
ADVANTAGES:
Improve uptime: by sending data over an alternative path in less than 50 milliseconds (if one exists). MPLS also reduces the amount of manual intervention your network provider has to do to create a WAN, reducing the likelihood of human error bringing down your circuit.
Create scalable IP VPNs: with MPLS it is easy to add an additional site to the VPN. There is no need to configure a complex mesh of tunnels, as is common with some traditional approaches.
Improve user experience: by prioritising time-sensitive traffic such as VoIP. Multi-Protocol Label Switching offers multiple Classes of Service, enabling you to apply separate settings to different types of traffic.
Improve bandwidth utilisation: by putting multiple types of traffic on the same link, you can let high priority traffic borrow capacity from lower priority traffic streams whenever required. Conversely, when the lower priority traffic needs to burst beyond its usual amount of bandwidth, it can use any capacity that's not being used by higher priority services.
Hide network complexity: an MPLS connection between two sites can be configured to act like a long Ethernet cable, with the hops involved hidden from view. This is sometimes known as VPLS (Virtual Private LAN Service).
Reduce network congestion: sometimes the shortest path between two locations isn't the best one to take, as congestion has made it less attractive (at least for the time being). MPLS offers sophisticated traffic engineering options that enable traffic to be sent over non-standard paths. This can reduce latency (the delay in sending/receiving data). It also reduces congestion on the paths that have just been avoided as a result of traffic engineering.
Customer networks are connected via Customer Edge (CE) routers to the provider MPLS network. In MPLS-VPN terminology, an edge LSR that provides VPN services over MPLS is referred to as a PE. The Customer Edge router runs ordinary IP forwarding (static or dynamic) and will not run MPLS. If the CE does run MPLS, it will usually use it independently of the provider.
MPLS network structure:
DATA SECURITY OVER THE MPLS:
ENCRYPTION:
Encryption is the process of encoding messages or information in such a way that
only authorised parties can read it. In an encryption scheme, the message or
information is encrypted using an encryption algorithm, generating cipher text that
can only be read if decrypted. A pseudo-random encryption key is generated by an
algorithm.
In a world growing increasingly dependent on technology and the desire for privacy
in the virtual realm, data encryption techniques have become widely used to ensure
the protection of important information.
Data security includes the following four basic functions: confidentiality, which guarantees data is not leaked to third parties; integrity, which prevents alteration of prepared data; authenticity, which guarantees the ostensible preparer of the data is the real preparer; and accountability, which is used for checking all past processes when errors occur and for clear assignment of responsibility.
In TAXNET, 3DES is used as the encryption method for securing data.
IPsec: (Internet Protocol Security)
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec uses cryptographic security services to protect communications over IP networks. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
TAXNET IPSec DESIGN
Security is a critical concern for any enterprise these days, especially in environments like government where the information transported is very sensitive. Hence, for obvious reasons, one of the requirements of the TAXNET network is to have a secure network due to the sensitiveness of the data that is transported over it. DIT requires high confidentiality of data during transport over the Bharti MPLS VPN transport. The requirement is to encrypt all user data between CE and CE. IPSec with 3DES encryption provides an excellent level of encryption and hence confidentiality.
While IPSec provides complete confidentiality of data that is transported across the IPSec tunnels, IPSec alone cannot provide transport of multicast traffic, which is a requirement for multicast applications and the exchange of routing protocol updates. This requires the use of GRE point-to-point tunnels which are encrypted using IPSec. GRE over the available infrastructure provides an overlay hub-and-spoke connectivity. In the case of DIT, the central PDC location in Delhi will eventually host all the data application services when this project is completed. All the remote locations of DIT access the core applications available at the PDC. DIT has also planned for a backup location in Mumbai which is called BCP. This location is an exact replica of the PDC in terms of the network equipment that is planned at this site. The goal is to provide disaster recovery in case the PDC site is completely unavailable in extreme cases of disaster.
In addition to PDC and BCP, DIT also has plans to implement another disaster recovery centre in Chennai. The idea of this DR location is to provide basic services in extreme emergencies. The complete details of the network equipment are not known at this time and the design for DR is out of the scope of this document.
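The GRE-over-IPSec hub-and-spoke design described above, as an added Cisco IOS configuration example that is not part of the original report. The WAN addresses (203.0.113.1 for the hub, 198.51.100.20 for the spoke), the tunnel addressing, the LAN ranges, the pre-shared key placeholder and the choice of OSPF as the routing protocol carried inside the tunnel are all assumptions; the report does not state which routing protocol TAXNET runs.

```cisco
! ---- PDC hub CE router (Delhi): one tunnel per spoke, one spoke shown ----
! Constructed example: all addresses and the key are placeholders.
crypto isakmp policy 10
 ! 3DES as specified in the TAXNET design; AES is the choice on current platforms
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-SITE-PSK address 198.51.100.20
!
crypto ipsec transform-set TAXNET-3DES esp-3des esp-sha-hmac
 ! Transport mode is enough: the GRE header already carries the tunnel
 ! endpoints, so ESP only has to protect the GRE payload.
 mode transport
!
crypto ipsec profile TAXNET-IPSEC
 set transform-set TAXNET-3DES
!
interface Tunnel100
 description GRE over IPSec to spoke site via Bharti MPLS IP VPN
 ip address 10.255.100.1 255.255.255.252
 ! GRE plus ESP overhead: lower MTU/MSS so hosts do not depend on fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! CE interface facing the MPLS PoP, and the spoke CE's WAN address
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
 tunnel mode gre ip
 tunnel protection ipsec profile TAXNET-IPSEC
!
! Routing updates and multicast travel inside the GRE tunnel, which plain
! IPSec could not carry. OSPF is assumed here; 10.1.0.0/16 is a placeholder
! for the PDC LANs.
router ospf 1
 network 10.255.100.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
! ---- Spoke CE router (remote ITD site): mirror image of the hub ----
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-SITE-PSK address 203.0.113.1
crypto ipsec transform-set TAXNET-3DES esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile TAXNET-IPSEC
 set transform-set TAXNET-3DES
interface Tunnel100
 ip address 10.255.100.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 ! hub CE's WAN address
 tunnel destination 203.0.113.1
 tunnel mode gre ip
 tunnel protection ipsec profile TAXNET-IPSEC
! 10.51.0.0/16 is a placeholder for the spoke site LAN
router ospf 1
 network 10.255.100.0 0.0.0.3 area 0
 network 10.51.0.0 0.0.255.255 area 0
!
! Verification on either side:
!   show crypto isakmp sa      (peer in state QM_IDLE)
!   show crypto ipsec sa       (encaps/decaps counters rising)
!   show ip ospf neighbor      (neighbour FULL over Tunnel100)
```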
Layer 1: physical layer
The physical layer has the following major functions:
It defines the electrical and physical specifications of the data connection. It defines the relationship between a device and a physical transmission medium (e.g., a copper or fibre optic cable). This includes the layout of pins, voltages, signal timing, network adapters and more.
It defines the protocol to establish and terminate a connection between two directly connected nodes over a communication medium.
It may define the protocol for flow control.
It defines a protocol for the provision of a (not necessarily reliable) connection between two directly connected nodes, and the modulation or conversion between the representation of digital data.
Layer 2: data link layer
The data link layer provides a reliable link between two directly connected nodes, by
detecting and possibly correcting errors that may occur in the physical layer. The
data link layer is divided into two sub-layers:
Media Access Control (MAC) layer - responsible for controlling how computers in
the network gain access to data and permission to transmit it.
Logical Link Control (LLC) layer - controls error checking and packet synchronization.
The Point-to-Point Protocol (PPP) is an example of a data link layer protocol in the TCP/IP protocol stack.
Layer 3: network layer
The network layer provides the functional and procedural means of transferring variable-length data sequences (called datagrams) from one node to another connected to the same network. A network is a medium to which many nodes can be connected, on which every node has an address, and which permits nodes connected to it to transfer messages to other nodes connected to it by merely providing the content of a message and the address of the destination node and
letting the network find the way to deliver ("route") the message to the destination
node. In addition to message routing, the network may (or may not) implement
message delivery by splitting the message into several fragments, delivering each
fragment by a separate route and reassembling the fragments, report delivery errors,
etc.
Layer 4: transport layer
The transport layer provides the functional and procedural means of transferring
variable-length data sequences from a source to a destination host via one or more
networks, while maintaining the quality of service functions.
The transport layer controls the reliability of a given link through flow
control, segmentation/desegmentation and error control. Some protocols are state-
and connection oriented. This means that the transport layer can keep track of the
segments and retransmit those that fail. The transport layer also provides the
acknowledgement of the successful data transmission and sends the next data if no
errors occurred. The transport layer creates packets out of the message received
from the application layer. Packetizing is a process of dividing the long message into
smaller messages.
Layer 5: session layer
The session layer controls the dialogues (connections) between computers. It
establishes, manages and terminates the connections between the local and remote
application. It provides for full-duplex, half-duplex or simplex operation, and
establishes checkpointing, adjournment, termination, and restart procedures. The
OSI model made this layer responsible for graceful close of sessions, which is a
property of the Transmission Control Protocol, and also for session check pointing
and recovery, which is not usually used in the Internet Protocol Suite.
The session layer is commonly implemented explicitly in application environments
that use remote procedure calls.
Transmission Control Protocol (TCP)
The Transmission Control Protocol (TCP) is one of the core protocols of the Internet Protocol Suite and is so common that the entire suite is called TCP/IP. TCP provides reliable, ordered and error-checked delivery of a stream of octets between programs running on computers connected to a local area network, intranet or the public Internet. It resides at the transport layer.
Web browsers use TCP when they connect to servers on the World Wide Web, and
it is used to deliver email and transfer files from one location to another. HTTP,
HTTPS, SMTP, Telnet and a variety of other protocols are typically encapsulated in
TCP.
Function:
The protocol corresponds to the transport layer of TCP/IP suite. TCP provides a
communication service at an intermediate level between an application program and
the Internet Protocol (IP).
IP works by exchanging pieces of information called packets. A packet is a sequence of octets (bytes) and consists of a header followed by a body. The header describes the packet's source, destination and control information.
Due to network congestion, traffic load balancing, or other unpredictable network
behavior, IP packets can be lost, duplicated, or delivered out of order. TCP detects
these problems, requests retransmission of lost data, rearranges out-of-order data,
and even helps minimize network congestion to reduce the occurrence of the other
problems. Once the TCP receiver has reassembled the sequence of octets originally
transmitted, it passes them to the receiving application. While IP handles actual
delivery of the data, TCP keeps track of the individual units of data transmission,
called segments that a message is divided into for efficient routing through the
network. Thus, TCP abstracts the application's communication from the underlying
networking details.
User Datagram Protocol (UDP)
UDP is one of the core members of the Internet protocol suite. With UDP, computer applications can send messages (datagrams) to other hosts on an Internet Protocol network without prior communications to set up data paths.
UDP is a minimal message-oriented Transport Layer protocol. UDP provides no
guarantees to the upper layer protocol for message delivery and the UDP protocol
layer retains no state of UDP messages once sent.
UDP is suitable for purposes where error checking and correction is either not
necessary or is performed in the application, avoiding the overhead of such
processing at the network interface level. Time-sensitive applications often use UDP
because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system. Lacking reliability, UDP applications must
generally be willing to accept some loss, errors or duplication. If error correction
facilities are needed at the network interface level, an application may use
the Transmission Control Protocol (TCP).
HARDWARE OVERVIEW:
Cisco 2511 router
Cisco 3845 router
Cisco 4510 switch
Cisco 3750 switch
Cisco 2950 switch
Cisco 2560 switch