
Sohag University, Faculty of Computing and Artificial Intelligence

Building and Securing Enterprise Network and Infrastructure with some Features

GRADUATION PROJECT

Supervised by:
Dr. Hamdy Hassan El-Sayed
PhD in Computer Science, Sohag University, 2015.
His research interests are in the areas of ad hoc routing protocols and sensor
networks, cloud computing, and mobile robotics.

PREPARED BY

1. Ahmed Ragab El-sayed ID (4003)
2. Ahmed Shawky Abdelaal ID (4004)
3. Reham Essam Mahmoud ID (4210)
4. Zahraa Saied Al-Tayeb ID (4212)
5. Mahmoud Al-Sayed Abo Taleb ID (4221)

Sohag 2022 – 2023


ACKNOWLEDGEMENTS

First of all, we would like to express our gratitude to Allah before everyone who
supported our ideas.
This team would never have come this far without everyone. A special thanks to
our supervisor Dr. Hamdy Hassan El-Sayed; we couldn't have started or
finished this project without her support.
We would like to thank and appreciate those who cheered for us, knowing that our
goals are somewhat far-fetched.
We would also like to thank our rivals for the moral support and rivalry; we
appreciate a challenge anytime.
Table of Contents
Title  Page
CHAPTER 1: SUMMARY 1
1.1 Problem Definition 1
1.2 Motivation 1
1.3 Method 1
1.4 Restrictions 1
1.5 Structure of report 2
CHAPTER 2: NETWORK INFRASTRUCTURE 3
2. Theory 3
2.1 Company computer network with branches 3
2.1.1 Network Infrastructure and Architecture 3
2.1.2 Services 19
2.1.3 Communication and integration 19
2.2 Methodological 44
2.2.1 Modular design 44
2.2.2 Prepare, Plan, Design, Implement, Operate, Optimize (PPDIOO) Network Lifecycle Approach 47
2.3 Conclusion, Aims and Purposes 49
CHAPTER 3: NETWORK DESIGN 50
Company network with remote branch offices architecture, services and communication 59
Architecture 72
Services 76
Branch office connectivity, communication, and integration 78
CHAPTER 4: NETWORK SECURITY 80
Configuring Secure Administrative Access 83
Configuration on ACS 89
L2 Security 101
CHAPTER 5: VOICE OVER NETWORK 113
How does VoIP work 116
Pros and cons of Voice over IP 125
CHAPTER 6: DATA CENTER 132
CHAPTER 7: FEATURES 158
Face Mask Detection 158
Howdy (login by face) 164
SebatNet Lite (Fast cigarette smoking detection) 165
ChatGPT 166
Change Ubuntu Boot and Login Screen Logo 169
Results 174
References 175
Table of figures
Figure 2.1 Access/Distribution/Core model ..... 5
Figure 2.2 Sample network based on Access/Distribution/Core model ..... 5
Figure 2.3 Different size branch offices ..... 6
Figure 2.4 Typical Enterprise topology ..... 6
Figure 2.5 Detailed Typical Enterprise Architecture ..... 7
Figure 2.6 WAN Connectivity Options ..... 9
Figure 2.7 WAN aggregation topology ..... 9
Figure 2.8 Performance metrics associated with the ISR series routers ..... 13
Figure 2.9 VPN device placed parallel to a firewall ..... 13
Figure 2.10 VPN device placed in the DMZ zone ..... 14
Figure 2.11 Integrated VPN and firewall device ..... 14
Figure 2.12 IPsec Phases in Cisco Devices ..... 15
Figure 2.13 SSL VPN Connection ..... 16
Figure 2.14 L2TP over IPsec Negotiations ..... 17
Figure 2.15 PPTP Connection Negotiations ..... 18
Figure 2.16 Access management in an enterprise using RADIUS ..... 19
Figure 2.17 Configuration Mechanisms for Network Management ..... 20
Figure 2.18 Traffic Flows for In-Band Management ..... 20
Figure 2.19 Traffic Flows for Out-of-Band Management ..... 21
Figure 2.23 Dual firewall DMZ Architecture ..... 24
Figure 2.24 ISR Small Branch Office Deployment ..... 25
Figure 2.25 Corporate branch offices ..... 26
Figure 2.26 New York branch office ..... 27
Figure 2.27 PPDIOO Network Lifecycle Approach ..... 30
Figure 2.28 Identifying Customer Requirements ..... 31
Figure 3.1 Remote Access Infrastructure ..... 34
Figure 3.2 Placing the Remote Access Firewalls ..... 34
Figure 3.3 Border routers' Internet connectivity ..... 35
Figure 3.4 Cisco ASR 1000 Services ..... 36
Figure 3.5 Cisco ASR routing positioning ..... 36
Figure 3.6 Campus network ..... 43
Figure 3.7 Campus network - DMZ and Internet edge ..... 44
Figure 3.8 Campus network - Remote access VPN cluster ..... 45
Figure 3.9 Branch Office Architecture ..... 46
Figure 5.1 VoIP system components ..... 116
Figure 5.2 How VoIP works ..... 117
Figure 5.3 Two phase approach ..... 122
Figure 6.1 in data center ..... 143
Figure 6.2 in data center ..... 143
Figure 6.3 in data center ..... 146
Figure 6.4 in data center ..... 146
Figure 6.5 in data center ..... 147
Figure 6.6 in data center ..... 147
Figure 6.7 in data center ..... 148
Figure 6.8 in data center ..... 149
Figure 6.9 in data center ..... 139
Figure 6.10 in data center ..... 141
Figure 6.11 in data center ..... 152
Figure 6.12 in data center ..... 152
Figure 6.13 in data center ..... 145
Figure Face Mask Detection 7.1.2 ..... 157
Figure Face Mask Detection 7.1.2 1 ..... 158
Figure 7.1.9.1 (Results) 1 ..... 160
Figure 7.1.9.1 (Results) 2 ..... 161
Figure 7.1.11 Images 1 ..... 162
Figure 7.1.11 Images 2 ..... 162
Figure Change Ubuntu Boot and Login Screen 1 ..... 165
Figure Change Ubuntu Boot and Login Screen 2 ..... 165
Figure Change Ubuntu Boot and Login Screen 3 ..... 168
Figure Change Ubuntu Boot and Login Screen 4 ..... 168
Figure Change Ubuntu Boot and Login Screen 5 ..... 168
Figure Change Ubuntu Boot and Login Screen 6 ..... 168
Figure ChatGPT 1 ..... 171
Figure ChatGPT 2 ..... 172
Figure ChatGPT 3 ..... 172
List of abbreviations
• LAN – Local Area Network
• MAN – Metropolitan Area Network
• WAN – Wide Area Network
• PSTN – Public Switched Telephone Network
• DHCP – Dynamic Host Configuration Protocol
• DNS – Domain Name System
• AMANDA – Advanced Maryland Automatic Network Disk Archiver
• VPN – Virtual Private Network
• IPsec – Internet Protocol Security
• SSL – Secure Sockets Layer
• L2TP – Layer 2 Tunneling Protocol
• PPTP – Point-to-Point Tunneling Protocol
• OSI – Open Systems Interconnection
• TCP – Transmission Control Protocol
• UDP – User Datagram Protocol
• POP – Post Office Protocol
• SSH – Secure Shell
• PAP – Password Authentication Protocol
• CHAP – Challenge-Handshake Authentication Protocol
• MS-CHAP – Microsoft CHAP
• MPPE – Microsoft Point-to-Point Encryption
• NAT – Network Address Translation
• GRE – Generic Routing Encapsulation
• RADIUS – Remote Authentication Dial In User Service
• AAA – Authentication, Authorization and Accounting
• SNMP – Simple Network Management Protocol
• DoS – Denial of Service
• DMZ – Demilitarized Zone
• VoIP – Voice over IP
• ISP – Internet Service Provider
• PPPoE – Point-to-Point Protocol over Ethernet
• QoS – Quality of Service
• PPDIOO – Prepare, Plan, Design, Implement, Operate, and Optimize
I. Executive Summary
In this project we design and implement a secure network for an enterprise with
worldwide branches, maintaining the security, quality, and safety of its systems.
The project has been provided with different utilities to introduce a network with
a high security level for the airport. These utilities are software firewalls, an IP
access control list, MAC address port security, a domain server and a proxy
server. All of these utilities have been configured to provide a secure
environment for the entire network and to prevent hackers from entering sensitive
departments like the service providers' departments.

In this project, we also used artificial intelligence techniques and modified an
operating system to make it an operating system for our college.

We also made a website with WordPress templates, and we used the latest
artificial intelligence technology, ChatGPT.

II. Introduction

Enterprise networks for worldwide branches are sensitive places around the
world. Technology plays many different roles in protecting these places and
delivering a high quality of service to them. Computer networking is the most
crucial part of modern airports because this new technology takes on the most
important responsibilities, rather than people doing the tasks as in previous
decades. We installed and configured the network devices such as switches,
routers, computers, IP phones, and APs. We built the topology and created an IP
addressing plan with minimum wastage of IP addresses. This project also uses
hardware-based firewalls, an IP access control list, MAC address control, a
domain server and a proxy server as the tools applied to prevent hackers from
accessing the data center department, which is the most important department for
any campus.
The network is designed to be scalable based upon requirements, because
scalability has been the most important consideration during the planning phase.
Further security appliances such as IPS, IDS, NGFW etc. can be added to improve
security and make the network bulletproof.

We also used GitHub libraries such as facial recognition technology and
detection of intruders who divert access to the system. We also used a cigarette
smoke detector, and we used the latest artificial intelligence technology,
ChatGPT.
III. Project Scope
The project calls for the design and implementation of a secure network for an
enterprise with worldwide branches, in which we maintain the security, quality,
and safety of systems.

IV. Project Statement


The project goals and objectives include:
1. Building a highly resilient network used in a large campus and used by
millions of users per year.
2. Building a high-throughput network.
3. Providing a high security level for the campus network.
4. Providing a high quality of service for the campus network.
5. Maintaining the users' safety.
6. Maintaining users' information.
In this project we will implement the security for the servers and the internal
network as well. The project is designed to secure the network from the following
threats:
1. Unauthorized access devices.
2. Unencrypted or plaintext information.
3. DHCP snooping.
4. Internal access.
5. Using artificial intelligence techniques and integrating them with the network.
V. Project Requirement
Requirements for the network are:
• All 100 employees must be interconnected, whether over LAN or WLAN.
• We have to accommodate about 200 IP addresses, since everyone has a
smartphone and requires Internet connectivity.
• Employees need Internet access.
• Cisco networking devices will be used.
• The network must be secure, redundant and fast.
• We used Linux operating systems to run the experiments on.
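The Introduction states that the IP addressing plan was built with minimum wastage, and the requirements above fix the two sizes that matter: 100 wired employees and about 200 addresses for Wi-Fi devices. The Go program below is an added example written for this page, not part of the project's own work, showing how such a plan is derived: it computes the smallest prefix whose usable host count covers each segment and carves the segments out of one aggregate block, largest first, so that every block stays aligned and the only waste is the rounding inside each block. The base prefix 10.0.0.0/22 and the server, management and uplink segments are assumptions chosen to give the allocator mixed sizes to place.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
	"net/netip"
	"sort"
)

// Segment is one addressing requirement: a network name and the hosts it must serve.
type Segment struct {
	Name  string
	Hosts int
}

// Allocation is the prefix carved out for a segment and the addresses left over.
type Allocation struct {
	Segment Segment
	Prefix  netip.Prefix
	Usable  int // block size minus the network and broadcast addresses
	Wasted  int // Usable minus the hosts actually required
}

// BranchSegments is a constructed requirement set modelled on the report's
// figures (100 wired employees, about 200 Wi-Fi clients) plus assumed server,
// management and uplink segments so the allocator has mixed sizes to place.
var BranchSegments = []Segment{
	{"Employee LAN", 100},
	{"Employee Wi-Fi", 200},
	{"Servers", 20},
	{"Management", 10},
	{"Uplink point-to-point", 2},
}

// prefixFor returns the longest IPv4 prefix length whose usable host count
// (2^(32-len) minus network and broadcast) still covers hosts.
func prefixFor(hosts int) (int, error) {
	if hosts < 1 {
		return 0, errors.New("a segment must need at least one host")
	}
	need := hosts + 2                    // room for the network and broadcast addresses
	hostBits := bits.Len(uint(need - 1)) // smallest b with 2^b >= need
	if hostBits > 30 {
		return 0, errors.New("more hosts than any IPv4 prefix can hold")
	}
	return 32 - hostBits, nil
}

func addrToU32(a netip.Addr) uint32 { b := a.As4(); return binary.BigEndian.Uint32(b[:]) }

func u32ToAddr(v uint32) netip.Addr {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], v)
	return netip.AddrFrom4(b)
}

// Allocate carves segs out of base, largest first. Placing the biggest blocks
// first keeps every later, smaller block aligned to its own size, so no padding
// is needed between blocks and nothing is wasted beyond the per-block rounding.
func Allocate(base netip.Prefix, segs []Segment) ([]Allocation, error) {
	if !base.Addr().Is4() {
		return nil, errors.New("an IPv4 base prefix is required")
	}
	base = base.Masked()
	order := append([]Segment(nil), segs...)
	sort.SliceStable(order, func(i, j int) bool { return order[i].Hosts > order[j].Hosts })

	cursor := uint64(addrToU32(base.Addr()))
	limit := cursor + uint64(1)<<(32-base.Bits())
	var out []Allocation
	for _, s := range order {
		plen, err := prefixFor(s.Hosts)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", s.Name, err)
		}
		size := uint64(1) << (32 - plen)
		if cursor+size > limit {
			return nil, fmt.Errorf("%s: %s is exhausted, needs another /%d", s.Name, base, plen)
		}
		usable := int(size) - 2
		out = append(out, Allocation{
			Segment: s,
			Prefix:  netip.PrefixFrom(u32ToAddr(uint32(cursor)), plen),
			Usable:  usable,
			Wasted:  usable - s.Hosts,
		})
		cursor += size
	}
	return out, nil
}

// TotalWasted sums the unused addresses across an allocation plan.
func TotalWasted(allocs []Allocation) int {
	total := 0
	for _, a := range allocs {
		total += a.Wasted
	}
	return total
}

func main() {
	// Assumed RFC 1918 aggregate for the branch; 1024 addresses.
	allocs, err := Allocate(netip.MustParsePrefix("10.0.0.0/22"), BranchSegments)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range allocs {
		fmt.Printf("%-22s %-16v hosts=%3d usable=%3d wasted=%3d\n", a.Segment.Name, a.Prefix, a.Segment.Hosts, a.Usable, a.Wasted)
	}
	fmt.Println("total wasted:", TotalWasted(allocs))
}
```

Run as written, the 200-address Wi-Fi segment lands in a /24 (254 usable) and the 100-employee LAN in a /25 (126 usable); the whole plan occupies 436 of the 1024 addresses in the /22 and wastes 94 across all segments. Running it against a /24 base fails on the second segment, which is the check a designer wants before committing to an aggregate.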


CHAPTER 1: SUMMARY
1.1 Problem Definition
The final goal of this project is to show a design of a corporate computer
communication network with a branched network of affiliates. The requirements
we have on our solution are that the branched network of affiliates could be
regionally extended, internationally extended or worldwide extended, with focus
on the remote branch network implementation.

1.2 Motivation
The motivation behind this project is based on some previous knowledge and
experience in networking, network protocols, and configuration of Cisco network
devices. What we hope to achieve at the end of the project is to improve our
network design skills by doing research in that area and using the gathered
knowledge to design a network that will solve the problem.

1.3 Method
We used a comparative method in this project. In Chapter 2 we collect
information about network architectures for enterprises with remote branches and
present different approaches. In Chapter 3 we analyze the collected solutions,
compare them and decide which one to use for the goal of this project.

1.4 Restrictions
Because of the background knowledge and experience we have with Cisco,
and because Cisco is one of the biggest solution providers in networking (Juniper,
for example, is another big network solution provider) and offers a wide range
of network solutions (from small/home office to complex corporate solutions), the
project is based on Cisco strategies, advice, and equipment. Network design in
general is a very wide area, and designing a corporate network with branches is a
complex task to accomplish. For this project it would be practically infeasible
to analyze every single aspect of the network design for a large-scale company in
detail. The project focuses on the remote networks as branch offices, with details
of the functions, services, communication, integration, structure etc., against the
background of a corporate network. On the corporate network side, only the
network elements needed for the remote access networks to operate will be
discussed.

1.5 Structure of report


This report is organized into six chapters. In Chapter 1 the main goals of the
project are pointed out. In Chapter 2 the main theoretical aspects of the work are
discussed. It covers enterprise network architecture, remote branch network
solutions, security, communication, and in the last section shows some sample
network topologies. Chapter 3 is focused on designing a network solution for
the goal of this project. An enterprise campus network topology is suggested as
well as a solution topology for the branch offices. Chapter 4 covers network
security and its implementation. Chapter 5 explains the VoIP system and its
implementation. Chapter 6 covers the data center. At the end, the results of the
work are presented, recommendations and conclusions are made, and possible
future work on the problem is suggested.
CHAPTER 2: NETWORK INFRASTRUCTURE
2. Theory
This chapter covers the basic theoretical knowledge that will be needed in
the design process. The chapter is divided into four main sections. Section
2.1 contains information about company computer networks with branches:
architecture, services, communication and integration; section 2.2 discusses the
methodological aspects of design, the advice and steps we should follow when
designing a network; and section 2.3 gives conclusions, aims and purposes.

2.1 Company computer network with branches


2.1.1 Network Infrastructure and Architecture
Network architecture is the process of developing a high-level, end-to-end
structure for the network. This includes the relationships within and between
major architectural components of the network, such as addressing and routing,
network management, performance, and security. Network architecture is the
next part of the process of developing our network, and as we will see, it is key
in integrating requirements and flows into the structure of a network.

In this chapter we will talk about network architecture: what is contained
within the architecture of a network and how to develop this architecture. We will
discuss the concept of relationships within and between components of the
architecture, the factors that make up these relationships and how they apply to
each architectural component.
In the development of our network there are several architectural models we can
use as a starting point, either as a foundation of the network or to build upon an
existing network. We will discuss three types of architectural models:

• Topological models, which are often used as a starting point in the
development of a network. These models are based on the geographical or
topological arrangement of network devices.

• Flow-based models, which are focused on and take advantage of
particular traffic flows.

• Functional models, which are based on one or more functions or
features planned for in the network. Usually the network is built using more
than one of the architectural models.

Topological models
The Access/Distribution/Core and LAN/MAN/WAN models are the most
commonly used. We can also use them because they are simple and intuitive,
and they are based on geographical and/or topological separation of networks.
They also indicate the degree of hierarchy planned for the network (shown in
Figure 2.1). We need not use all of the levels of the models, and if we need more
we can expand them to show as many as we need. For example, we can use only
the LAN/WAN levels of the model and assign campuses, buildings, or even floors
to the LAN. However, the Access/Distribution/Core model focuses on function
instead of location. Both the LAN/MAN/WAN and Access/Distribution/Core
models are used as starting points in the network architecture, as both are
intuitive and easy to apply.

Figure 2.1 Access/Distribution/Core model [9]

Figure 2.2 shows a sample corporate network based on this topological model.
In the figure the different layers can be clearly seen.

Figure 2.2 Sample corporate network based on Access/Distribution/Core model [9]


Flow-based models
The flow-based models we will discuss are peer-to-peer, client–server,
hierarchical client–server, and distributed computing.
✔ Peer-to-peer: the users and applications in this model are consistent
throughout the network, so there are no obvious locations for architectural
features. This pushes the functions, features, and services toward the edge of
the network, close to users and their devices.

Figure 2.3 peer-to-peer architectural model [9]

✔ Client–server: functions, features, and services are focused at server locations,
the interfaces to client LANs, and client–server flows. The characteristics of
the client–server model also apply to the hierarchical client–server
architectural model. In addition to the functions, features, and services being
focused at server locations and client–server flows, they are also focused at
the server–server flows.

Figure 2.4 Client-server architectural model [9]
✔ Distributed computing: in this model the data sources and sinks are obvious
locations for architectural features.
Flow-based models, like the topological models, are intuitive and can be easy
to apply. Since they are associated with flows, they should map well to any flow
maps we created as part of the requirements analysis process. These models are
fairly general, and they have to be modified to fit the specific requirements of a
network.

Figure 2.5 Distributed-computing architectural model [9]

Functional models
These models focus on supporting a particular function in the network, like
the service-provider, intranet/extranet, single-/multi-tiered performance, and
end-to-end models.
• The service-provider architectural model is based on service-provider
functions, focusing on privacy and security, service delivery to customers
(users), and billing. Many enterprise networks are evolving to this model,
applying it across organizations, departments, and buildings.

Figure 2.7 Service-provider architectural model [9]
• The intranet/extranet architectural model focuses on security and privacy,
including the separation of users, devices, and applications based on secure
access.

Figure 2.8 intranet architectural model [9]

• The single-/multi-tiered performance architectural model focuses on
identifying networks or parts of a network as having a single tier of
performance, multiple tiers of performance, or having components of both.
• The end-to-end architectural model focuses on all components in the end-to-end
path of a traffic flow.

Figure 2.9 end-to-end architectural model [9]

Functional models are the most difficult to apply to a network, because we must
understand where each function will be located. For example, to apply the
end-to-end model we first have to define where end-to-end is for each set of users,
applications, or devices that will be a part of end-to-end.

Basic concepts of remote access networks


Remote access is the ability to connect and gain access to internal network
resources that are physically dispersed. Typically, this means that a workstation
equipped with remote access software will give authorized users at the remote
site access to dial in over a phone or ISDN line to read e-mail, troubleshoot
problems, run applications, and transfer files to and from the corporate
computers. There are many things that the security professional should be aware
of relative to remote access solutions. The following sections examine them.

Why an organization needs remote access

Remote access computing helps businesses comply with the Clean Air Act
by reducing travel to work. It also helps businesses comply with other legislation
like the Family Leave Act, which allows employees to spend time away from the
office to be with a newborn child or for family medical emergencies. Service
technicians who are on the road need office connectivity to get assignments, order
parts, and send billing information. Small branch offices need access to the
information from the corporate systems and may not need their own processor.
For many organizations, remote access is a cost-effective replacement for
additional hardware. Busy executives need connectivity to work from home or on
the road. Successful telecommuting programs require reliable connectivity to the
corporate network. Coupled with reliable access is the ability to remotely
troubleshoot and fix applications and system problems. An effective
telecommuting program incorporates all elements found in the workplace and
moves them out to the remote access user.

What are the Types of Remote Access?


In the past, remote access was possible by hard wiring to a telephone network.
Analog modems and dial-up technology allowed two different devices to interact
with one another by calling assigned phone numbers. This has changed
significantly with broadband technology. Today, remote access is possible via:
• Cable broadband - shares the bandwidth with many users.
• DSL (digital subscriber line) - uses a telephone network and is not always
available if the infrastructure is poor.
• Cellular internet service - uses mobile devices via a wireless connection; only
possible if a cellular network is available.
• Satellite - uses satellites to provide internet access.
• Fiber optics broadband - one of the best ways to transfer massive amounts of
data and do so quickly.
• VPN/LAN/WAN - uses a secure and encrypted network that creates a data
tunnel between devices or servers.
• Desktop sharing - software tools or apps make it possible to share files; great
for webinars, conferences, presentations, and more.
• PAM (Privileged Access Management) - tools monitor access to privileged
accounts in an organization; necessary for secure file transfers and sensitive
data access.
• VPAM (Vendor Privileged Access Management) - secure network sharing
with vendors or contractors; can grant access to only parts of a server.

Remote Access Protocols for a Safe Connection

No matter which remote access software you are using, it should have
authentication to ensure that the right people are accessing the right information.
It also helps keep your server secure and protected against hacks and leaks. There
are several protocols for doing this:
• Single sign-on - grants access to apps without VPN configuration or firewall
modifications.
• IPsec (Internet Protocol Security) - enables authentication and encryption for
IP packet transfers using several security protocols.
• L2TP (Layer Two Tunneling Protocol) - VPN protocol without authentication
or encryption; usually paired with another protocol.
• PPTP (Point-to-Point Tunneling Protocol) - implements a VPN, though it's less
secure than others.
• SLIP (Serial Line Internet Protocol) - transmits IP packets over serial
connections; connects a workstation to the internet or to another IP host on the
network.
• PPP (Point-to-Point Protocol) - connects two endpoints with a direct
connection.
• RAS (Remote Access Services) - establishes a connection with a dial-up server
and host network; remote servers authorize access by communicating with the
central server.
• RDP (Remote Desktop Protocol) - for Windows users only; grants access with
Windows Terminal Services.
• TACACS (Terminal Access Controller Access-Control System) - forwards the
password to an authentication server to grant remote access.

The remote access network also has some basic components. From a topological
level, a remote access network consists of three network segments:
• The user's network is the point of origin of access requests. It can be a branch
office network, or a home office consisting of a personal computer (PC)
equipped with a modem.
• The corporate network is the destination of the user's traffic.
• The wide area network (WAN) enables the user to access the corporate network.
The WAN covers a large geographical area and can be a public switched
telephone network (PSTN), the Internet, or a private data network. It provides the
switching and/or routing function required to get a remote connection from the
user's network to the corporate network.

Figure 2.10 Different size branch offices

We have labeled them as small, medium and large, but this is a bit
subjective. As the size of a branch increases, the number of routers (connections)
increases, and the number of issues we have to consider increases as well.
Nevertheless, the figure gives us a clue about the two main implementation
challenges we face in the branch design. First, we must provide the features
needed for interaction with hosts on the public Internet, and second, we must
provide secure communication with the enterprise hosts. For the first category we
should consider the details of Internet access; for example, we should make DSL,
cable, or any other type of connection work. In the second category we must
focus on options that allow an enterprise to prevent packets being read by
attackers when they traverse the Internet. One such option is a VPN, as it allows
the enterprise to trust packets coming from a legitimate branch office.

From the side of the enterprise the architecture may look like the one shown in
Figure 2.11. However, we could evolve this topology by dividing it into modules:
data centers, campus, and WAN (MAN) as part of the enterprise edge. Below
we discuss in more detail the modules that are of interest for this project.

Figure 2.11 Typical enterprise Topology [21]

Internet-Based Remote Access

Currently, most corporate remote access is done by dialing directly into a
corporate remote access server (see Figure 2.12). This creates a huge long-distance
expense, particularly for a high number of users. Some organizations, however,
are taking advantage of their existing connection to the Internet and allowing
remote users and branch offices to remotely access the corporate network over
the Internet. The remote users simply dial into their local Internet Service
Provider (ISP) and initiate a connection to their corporate network.

Figure 2.12 remote access over internet [21]

Internet-Based Remote Access Issues/Solutions


Organizations planning to allow their users to access the network over the Internet
must be prepared to deal with several challenges before allowing this type of
access (see Figure 2.13). The two major challenges are:

Figure 2.13 remote access over internet issues [21]

• Protecting the network against unauthorized or unwanted access. Firewalls
are commonly used to authenticate legitimate Internet users. A strong
authentication mechanism should be used in this case. Traditional passwords
can be easily sniffed off the Internet and used to penetrate the corporate
network. Address filtering is not effective, because most ISPs assign dynamic
addresses to their subscribers. Even with static IP addresses, IP spoofing is a
scheme that is commonly used by hackers to attack and penetrate networks
protected by packet-filtering routers or firewalls.
• Guaranteeing the integrity and confidentiality of the information being sent
over the Internet. Encryption is the only means available today that enables
information to be securely transmitted from one computer to another over a
public network. Encryption of data over public networks is implemented
through a mechanism called tunneling. Tunneling works as follows: packets
are encrypted, wrapped with another IP header, and then sent over the Internet.
The receiving end unwraps and decrypts the packets to yield the original IP
packet and sends it to its final destination. Many firewall vendors are offering
firewall-to-firewall or client-to-firewall encryption (or tunneling) solutions.
Most firewall vendors are using encryption methods that are Internet Protocol
Security (IPsec) compliant, which enables their firewall to communicate with
any other firewall that is IPsec compliant. There are other tunneling solutions
that use tunnel end-point servers (sometimes referred to as crypto servers),
which create virtual private tunnels between the remote location and the
enterprise network, protecting data transmitted across the public Internet (see
Figure 2.14). These solutions also offer clients that can be installed on home
workstations or laptops and allow users to securely access the corporate
network from remote locations.
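The tunneling steps just described (encrypt the packet, wrap it in a new IP header, unwrap and decrypt at the far end) can be made concrete in code. The Go program below is an added example written for this page, not code from the report or from any vendor's product: it models one direction of an IPsec-like tunnel-mode association using AES-GCM, binding an ESP-style header (SPI and sequence number) to the ciphertext so that the receiving gateway also rejects forged, modified or replayed packets, which covers the authentication half of the challenge above. The inner and outer addresses, the SPI value 0x1001 and the fixed demo key are constructed for the example; a real gateway takes its keys from IKE, and IPsec uses a replay window rather than the strict ordering shown here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

const espProto = 50 // IP protocol number for ESP, carried in the outer header

// ipv4Header builds a minimal 20-byte IPv4 header (checksum left zero: this
// shows the encapsulation layout, not a packet ready for the wire).
func ipv4Header(src, dst netip.Addr, proto byte, payloadLen int) []byte {
	hdr := make([]byte, 20)
	hdr[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(hdr[2:], uint16(20+payloadLen))
	hdr[8], hdr[9] = 64, proto // TTL, protocol carried in this header
	s, d := src.As4(), dst.As4()
	copy(hdr[12:], s[:])
	copy(hdr[16:], d[:])
	return hdr
}

// Tunnel is one direction of a tunnel-mode security association: the shared
// key, the Security Parameter Index naming the association, and sequence
// state for replay detection (strict "must increase" here; IPsec uses a window).
type Tunnel struct {
	aead    cipher.AEAD
	spi     uint32
	seq     uint32 // last sequence number sent; the first packet carries 1
	lastSeq uint32 // highest sequence number accepted so far
}

// NewTunnel derives the AEAD from a 16-, 24- or 32-byte key; both gateways
// build their end from the same key and SPI.
func NewTunnel(key []byte, spi uint32) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{aead: aead, spi: spi}, nil
}

// Encapsulate is the sending gateway's step: the whole inner packet, headers
// included, becomes ciphertext; the ESP-style header (SPI, sequence) is bound to
// it as associated data; and a fresh outer IPv4 header addressed gateway to
// gateway is prepended, so routers on the Internet see only the tunnel endpoints.
func (t *Tunnel) Encapsulate(inner []byte, outerSrc, outerDst netip.Addr) ([]byte, error) {
	t.seq++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], t.spi)
	binary.BigEndian.PutUint32(hdr[4:], t.seq)
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	esp := append(append(hdr, nonce...), t.aead.Seal(nil, nonce, inner, hdr)...)
	return append(ipv4Header(outerSrc, outerDst, espProto, len(esp)), esp...), nil
}

// Decapsulate is the receiving gateway's step: strip the outer header, check the
// SPI and sequence number, verify the authentication tag, then decrypt. Forged,
// modified or replayed packets are dropped before any content is used, and the
// replay state advances only after the tag has verified.
func (t *Tunnel) Decapsulate(wire []byte) ([]byte, error) {
	ns := t.aead.NonceSize()
	if len(wire) < 20+8+ns+t.aead.Overhead() || wire[9] != espProto {
		return nil, errors.New("not a complete ESP-in-IPv4 packet")
	}
	esp := wire[20:]
	hdr, nonce, body := esp[:8], esp[8:8+ns], esp[8+ns:]
	if binary.BigEndian.Uint32(hdr[0:]) != t.spi {
		return nil, errors.New("unknown SPI")
	}
	seq := binary.BigEndian.Uint32(hdr[4:])
	if seq <= t.lastSeq {
		return nil, errors.New("replayed sequence number")
	}
	inner, err := t.aead.Open(nil, nonce, body, hdr)
	if err != nil {
		return nil, errors.New("authentication failed, packet dropped")
	}
	t.lastSeq = seq
	return inner, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; real gateways take keys from IKE
	sender, _ := NewTunnel(key, 0x1001)
	receiver, _ := NewTunnel(key, 0x1001)
	// Constructed inner packet: branch host 10.20.0.7 to corporate server 10.0.1.25.
	inner := append(ipv4Header(netip.MustParseAddr("10.20.0.7"), netip.MustParseAddr("10.0.1.25"), 17, 5), []byte("hello")...)
	// Assumed public gateway addresses, taken from the documentation ranges.
	wire, _ := sender.Encapsulate(inner, netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("198.51.100.1"))
	got, err := receiver.Decapsulate(wire)
	fmt.Printf("outer dst %d.%d.%d.%d, inner recovered: %v, err: %v\n", wire[16], wire[17], wire[18], wire[19], bytes.Equal(got, inner), err)
	_, err = receiver.Decapsulate(wire) // the same packet delivered twice
	fmt.Println("replay:", err)
}
```

On the wire only the two gateway addresses and protocol 50 are visible; the inner source, destination and payload are inside the ciphertext. Delivering the same packet twice is rejected by the sequence check, and flipping any ciphertext or header byte fails the GCM tag, so the receiving gateway never forwards a packet it cannot attribute to the peer holding the key.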

Figure 2.14 Private Tunnels or Sleeves [21]

REMOTE ACCESS SECURITY: GOALS


When developing a security strategy for the enterprise remote access, it is
important to remember that remote access security must be stronger than the
general network security. Remote access provides a gateway to hackers and
uninvited guests to probe and attack the network and poses special risks to an
organization. Although security needs are different for every organization, remote
access security should at least meet the following objectives:
• Allow access to legitimate users only
• Be easy to administer and flexible to meet the needs of all users
• Be largely transparent to the user. Users go to great lengths to circumvent security
methods that are difficult to use.

Protecting Transmitted Data


There has been a dramatic increase of new products designed to provide secure
communications over public and private networks. These products let security
administrators control access of remote users to the corporate network and allow
users to secure the transfer of vital information over public networks. These
products are based on end-to-end encryption between two firewalls, two crypto
servers, a remote user and firewall, or a remote user and crypto server. Because
firewall vendors have their own standard for firewall-to-firewall tunnels,
implementations from different vendors were usually not interoperable. Today,
however, firewall vendors are supporting IPSec, a common standard that allows
interoperation of firewall-to-firewall tunnels from different vendors. By
definition, tunnels are established between trusted end systems, and packets are
authenticated (initiated from a trusted system). Tunnel end-point servers or crypto
servers allow organizations to create secure, virtual private networks that link
their headquarters with regional and branch offices. They can also be used to link
their customers and vendors, thus permitting sensitive data to flow between
trusted parties in total confidentiality. Crypto servers can be used in conjunction
with any firewall. They usually come with packet filtering and are able to perform
both user-based and address-based authentication. Firewall and crypto server
vendors offer clients that run on remote laptops or workstations and allow users
to create secure tunnels between the desktop and the corporate network over open
networks like the Internet. Microsoft has developed Point-to-Point-Tunneling
Protocol (PPTP), a new technology that supports Virtual Private Network (VPN)
and enables remote users to access the corporate network securely across the
Internet. Another product, Layer Two Forwarding (L2F), created by Cisco
Systems, is designed to tunnel protocols like PPP and SLIP over the Internet.

Protecting Network Resources


Every node on a network has an address (IP address). These addresses can be
used to implement security measures to prevent unauthorized users from gaining
access to the network and control access of authorized users to the various
network resources. It works by programming into the central site access
equipment or an attached router a list of remote node addresses that can connect
to the network. For each node, access restrictions such as services that can be
used and the destination addresses that can be accessed from the node can be
included. Application-level firewalls provide enhanced packet filtering and better
access control mechanisms to servers and applications.

2.1.2 Services
Services are typically installed on one or more network servers to provide shared
resources to end users. The section below points out the network services that
are applied in almost every network implementation.
Standard system services
On a corporate network we usually use the following services:
✔ DHCP (Dynamic Host Configuration Protocol)
✔ DNS (Domain Name System)
✔ File sharing
✔ Authentication
✔ E-mail
✔ Printing
E-mail, printing and file sharing services require users to have permissions to
access them, so security and access rights need to be configured. This is usually
done easily by using a directory service, which is itself a network service. Voice
and video are also very important business services nowadays, so we have to
make sure to build a network that supports both with minimized jitter and delay.

2.1.3 Communication and integration


An enterprise core network connects to the remote branch networks via
WAN. We can choose from many existing options today for building the private
WAN of an enterprise. These options include leased lines, Frame Relay, MPLS
VPNs, and Metro Ethernet. Although each differs from the others in some way,
they all share a common characteristic: they provide an inherently private path
over which two of our enterprise routers can communicate with each other.

VPN Site-To-Site
A site-to-site virtual private network (VPN) is a connection between two
or more networks, such as a corporate network and a branch office network.
Many organizations use site-to-site VPNs to leverage an internet connection for
private traffic as an alternative to using private MPLS circuits.
Site-to-site VPNs are frequently used by companies with multiple offices in
different geographic locations that need to access and use the corporate network
on an ongoing basis. With a site-to-site VPN, a company can securely connect its
corporate network with its remote offices to communicate and share resources
with them as a single network.

Figure 2.15 VPN site-to-site

Several years ago, the most common way to connect computers between multiple
offices was by using a leased line. Leased lines, such as ISDN (integrated services
digital network, 128 Kbps), are private network connections that a
telecommunications company can lease to its customers. Leased lines provide a
company with a way to expand its private network beyond its immediate
geographic area. These connections form a single wide-area network (WAN) for
the business. Though leased lines are reliable and secure, the leases are expensive,
with costs rising as the distance between offices increases.

Today, the internet is more accessible than ever before, and internet service
providers (ISPs) continue to develop faster and more reliable services at lower
costs than leased lines. To take advantage of this, most businesses have replaced
leased lines with new technologies that use internet connections without
sacrificing performance and security. Businesses started by establishing intranets,
private internal networks designed for use only by company employees. Intranets
enabled distant colleagues to work together through technologies such as desktop
sharing. By adding a VPN, a business can extend all its intranet's resources to
employees working from remote offices or their homes.

However, these days, VPNs can do much more and they're not just for businesses
anymore. Individuals interested in securing their communications over unsecured
public WiFi networks and remaining anonymous during their online transactions
have begun subscribing to paid VPN services. These services function very much
like business VPNs but go through a VPN provider to reach the internet, rather
than via a private business.

In other words, a VPN can keep your computer, smartphone, and any other device
you connect to the internet safe from hackers and malware, while keeping all your
personal data and communications safe from prying eyes. With cybercrime on
the rise, it's easy to see why so many people have started using them.

Any organization might not require all these benefits from its business VPN, but
it should demand the following essential VPN features:

✔ Security The VPN should protect data while it's traveling on the public
network. If intruders attempt to capture the data, they should be unable to
read or use it.

✔ Reliability Employees and remote offices should be able to connect to the
VPN with no trouble at any time (unless hours are restricted), and the VPN
should provide the same quality of connection for each user even when it is
handling its maximum number of simultaneous connections.
✔ Scalability As a business grows, it should be able to extend its VPN services
to handle that growth without replacing the VPN technology altogether.

There are two types of site-to-site VPNs:

✔ Intranet-based If a company has one or more remote locations that they wish
to join in a single private network, they can create an intranet VPN to
connect each separate LAN to a single WAN.
✔ Extranet-based When a company has a close relationship with another
company (such as a partner, supplier or customer), it can build an extranet
VPN that connects those companies' LANs. This extranet VPN allows the
companies to work together in a secure, shared network environment while
preventing access to their separate intranets. Even though the purpose of a
site-to-site VPN is different from that of a remote-access VPN, it could use
some of the same software and equipment. Ideally, though, a site-to-site
VPN should eliminate the need for each computer to run VPN client
software as if it were on a remote-access VPN. Dedicated VPN client
equipment, described later in this article, can accomplish this goal in a site-
to-site VPN.

• There are several strategies for placing the VPN devices among which we can
choose. We will go through them in detail, with the advantages and
disadvantages of each:

• We can place the VPN device parallel to a firewall

Figure 2.16 VPN parallel to a firewall [9]

• The advantages in placing the VPN device parallel to the firewall are:
  o Deployment is simplified because we do not need to change
  firewall addressing
  o High scalability because we can deploy multiple VPN devices
  parallel to the firewall
• The drawbacks in placing the VPN device parallel to the firewall are:
  o IPsec decrypted traffic is not inspected by the firewall. This is
  a major concern if the passing traffic is not subject to a
  stateful inspection.
• We can place a VPN device in the demilitarized zone (DMZ)

Figure 2.17 VPN in DMZ [9]

The advantages of this design scenario are:
• The firewall can perform stateful inspection of the decrypted VPN traffic.
• This design offers moderate-to-high scalability by adding additional VPN
devices. We can migrate to this design relatively easily by adding a LAN
interface to the firewall.
The disadvantages here are:
• The configuration has increased complexity because we will need
additional configuration on the firewall to support the additional
interfaces. The firewall must support policy routing to differentiate VPN
versus non-VPN traffic.
Figure 2.11 shows the scenario if we use an integrated VPN and firewall device.

Figure 2.18 Integrated [9]


Introduction to IPsec
The IPsec standard provides a method to manage authentication and data
protection between multiple crypto peers engaging in secure data transfer. IPsec
includes the Internet Security Association and Key Management Protocol
(ISAKMP)/Oakley and two IPsec IP protocols: Encapsulating Security Protocol
(ESP) and Authentication Header (AH). IPsec uses symmetrical encryption
algorithms for data protection. Symmetrical encryption algorithms are more
efficient and easier to implement in hardware. These algorithms need a secure
method of key exchange to ensure data protection. Internet Key Exchange (IKE)
ISAKMP/Oakley protocols provide this capability. This solution requires a
standards-based way to secure data from eavesdropping and modification. IPsec
provides such a method. IPsec provides a choice of transform sets so that a user
can choose the strength of their data protection. IPsec also has several Hashed
Message Authentication Codes (HMAC) from which to choose, each giving
different levels of protection for attacks such as man-in-the-middle, packet replay
(anti-replay), and data integrity attacks.
Tunneling Protocols
Tunneling protocols vary in the features they support, the problems they are
designed to solve, and the amount of security they provide to the data being
transported. The designs presented in this architecture focus on the use of IPsec
as a tunneling protocol alone, and IPsec used in conjunction with Generic Route
Encapsulation (GRE) and Virtual Tunnel Interfaces (VTI). When used alone,
IPsec provides a private, resilient network for IP unicast only, where support is
not required for IP multicast, dynamic IGP routing protocols, or non IP protocols.
When support for one or more of these features is required, IPsec should be used
in conjunction with either GRE or VTI. The p2p GRE over IPsec design allows
for all three features described in the preceding paragraph, while a DMVPN
design or a VTI design fulfills only the IP multicast and dynamic IGP routing
protocol requirements. Other possible tunneling protocols include the following:
• Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPN (WebVPN)
• Point-to-Point Tunneling Protocol (PPTP)
• Layer Two Tunneling Protocol (L2TP)
These protocols are based on user- or client-to-gateway VPN connections,
commonly called remote access solutions, and are not implemented in this
solution.

SSL VPN
SSL VPN is a VPN technology that acts at the Application layer of the OSI model
and provides secure connectivity to the corporate office resources through a web
browser or a dedicated client. The great advantage of SSL VPN comes from the
fact that SSL is implemented and available in all web browsers. We can use SSL
VPN from a kiosk or from public networks like cafes, airports and many others.
SSL VPN can also be customized to meet our company's requirements. It is a
cost-effective and flexible method that still provides strong data
confidentiality.

Figure 2.19 SSL VPN Connection [2]


Cisco has improved SSL VPN so it can provide many ways of usage including
the following:
• Clientless mode: we can connect to the corporate resources, specifically to
web and e-mail servers, without the need for any client software or applets.
• Thin client mode: we have access to most of the TCP-based protocols (SMTP,
POP, SSH and Telnet) by loading a Java applet on the client workstation.
• Full mode: we have full access to the corporate resources as if we were
directly connected to the network. To use this mode we must install the
dynamically downloadable SSL VPN client.

IPsec Security Services
• Confidentiality: Prevents third parties from reading the data. IPsec
ensures confidentiality by using encryption. Encryption is a process of
converting plaintext data into ciphertext data using an algorithm. The
receiver can decrypt the ciphertext only when it has the correct key. The
encryption mechanism ensures data confidentiality and prevents data from
being eavesdropped on during transmission. IPsec involves data encryption
and protocol message encryption.

Figure 2.20 Data encryption and decryption


The symmetric key can be manually configured or generated through IKE auto-
negotiation.
Common symmetric encryption algorithms include:
• Data Encryption Standard (DES)
DES was developed by the National Institute of Standards and Technology
(NIST). It uses a 56-bit key to encrypt a 64-bit plaintext block.
• Triple Data Encryption Standard (3DES)
3DES is an enhancement to DES and uses three different 56-bit keys (168 bits
in total) to encrypt a plaintext block. Compared with DES, 3DES is slower but
more secure.
• Advanced Encryption Standard (AES)
AES is designed to replace 3DES and is faster and more secure than 3DES. AES
supports three types of keys: AES-128, AES-192, and AES-256, which have key
lengths of 128 bits, 192 bits, and 256 bits, respectively.
The encryption algorithm with a longer key is more secure but slower. In general,
AES-128 can meet security requirements.
Protocol message encryption
Protocol message encryption occurs in IKE negotiation. Symmetric encryption
algorithms, such as DES, 3DES, and AES, are used to encrypt protocol messages.
The symmetric key used for protocol message encryption is generated
through IKE auto-negotiation.
• Data integrity: Ensures that data arrives unchanged at the destination.
IPsec ensures data integrity by using hash-based message
authentication.
VPN data is transported over some form of insecure network, such as the Internet.
Potentially, this data could be intercepted and modified. To guard against this,
each message has a hash attached to it. This is called a Hash-based Message
Authentication Code (HMAC).

Figure 2.21 HMAC


A hash guarantees the integrity of the original message. If the transmitted hash
matches the received hash, the message has not been tampered with. However, if
there is no match, the message was altered. In the figure below, someone is trying to send
Terry Smith a check for $100. At the remote end, Alex Jones is trying to cash the
check for $1000. As the check progressed through the Internet, it was altered.
Both the recipient and the dollar amount were changed. In this case, the hashes
do not match, so the transaction is no longer valid.

Figure 2.22 Data integrity


✔ Origin authentication: Ensures that the connection is made with the
desired communication partner. IPsec uses IKE to authenticate users
and devices that can carry out communication independently.
✔ Anti-replay protection: Verifies that each packet is unique and is not
duplicated.
In the middle ages, a seal guaranteed the authenticity of an edict. In modern times,
a signed document is notarized with a seal and a signature. In the electronic era,
a document is signed using the sender's private encryption key—a digital
signature. A signature is authenticated by decrypting the signature with the
sender's public key.
The local device derives a hash and encrypts it with its private key. The encrypted
hash (digital signature) is attached to the message and is forwarded to the remote
end. At the remote end, the encrypted hash is decrypted using the local end's
public key. If the decrypted hash matches the recomputed hash, the signature is
genuine. A digital signature ties a message to a sender. The sender is
authenticated. It is used during the initial establishment of a VPN tunnel to
authenticate both ends to the tunnel.

Figure 2.23 Digital signature


• RSA signatures: Uses the exchange of digital certificates to
authenticate the peers.
• RSA encrypted nonces: Nonces (random numbers generated by each peer)
are encrypted and then exchanged between peers. The two nonces are used
during the peer authentication process.
Anti-Replay Protection: IPsec uses anti-replay mechanisms to ensure that IP
packets cannot be intercepted by a third party or man in the middle and then be
changed and reinserted into the data stream. This is implemented in IPsec by the
Authentication Header (AH) protocol and the Encapsulating Security Payload
(ESP) protocol. The anti-replay mechanism works by keeping track of the
sequence number allocated to each packet as it arrives at the VPN endpoint. When
a security association is established between two VPN endpoints, the sequence
counter is set to 0. The packets that are encrypted and transmitted over the VPN
are sequenced starting from 1. Each time a packet is sent, the receiver of the
packet verifies that the sequence number is not that of a previously sent packet.
If the receiver receives a packet with a duplicate sequence number, the packet is
discarded, and an error message is sent back to the transmitting VPN endpoint to
log this event.
Key management: Allows for an initial exchange of dynamically
generated keys across a non-trusted network and a periodic re-keying
process
DES, 3DES, AES, and also the two authentication algorithms, MD5 and SHA-1,
all require a symmetric shared secret key to perform encryption and decryption.
The question is, how do the encrypting and decrypting devices get the shared
secret key?
The keys can be sent by e-mail, courier, overnight express, or public key
exchange. The easiest method is DH public key exchange. The DH key agreement
is a public key exchange method that provides a way for two peers to establish a
shared secret key that only they know, although they are communicating over an
insecure channel.
Public key cryptosystems rely on a two-key system: a public key, which is
exchanged between end users, and a private key, which is kept secret by the
original owners. The DH public key algorithm states that if user A and user B
exchange public keys, and a calculation is performed on their individual private
key and one another's public key, the end result of the process is an identical
shared key. The shared key is used to derive encryption and authentication keys.

Figure 2.24 Key Exchange
With DH, each peer generates a public/private key pair. The private key generated
by each peer is kept secret and never shared. The public key is calculated from
the private key by each peer and is exchanged over the insecure channel. Each
peer combines the other's public key with its own private key and computes the
same shared secret number. The shared secret number is then converted into a
shared secret key. The shared secret key is never exchanged over the insecure
channel.
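The DH agreement just described, followed by the HMAC integrity check from the data integrity section, carried through as an added Python example (this is not code from the project). The toy 1019-element group, the key-derivation labels and the cheque message are assumptions made for the demo; a real IKE exchange negotiates an RFC-defined group such as DH group 14, but the algebra is identical.

```python
import hashlib
import hmac
import secrets

# Toy DH group (assumption for this demo): p = 1019 is a safe prime
# (1019 = 2 * 509 + 1) and g = 2. Real IKE peers negotiate an RFC-defined
# group such as DH group 14 (a 2048-bit prime); the algebra is the same.
P = 1019
G = 2


def dh_keypair(p=P, g=G):
    """Return (private, public). The private value is never sent; public = g^private mod p."""
    q = (p - 1) // 2
    private = secrets.randbelow(q - 2) + 2  # 2 <= private <= q-1, so public is never 1 or p-1
    return private, pow(g, private, p)


def dh_shared_secret(my_private, peer_public, p=P):
    """Combine own private key with the peer's public key: (g^b)^a == (g^a)^b (mod p)."""
    if not 1 < peer_public < p - 1:
        # 0, 1 and p-1 would force a predictable shared secret; reject them.
        raise ValueError("peer public value out of range")
    return pow(peer_public, my_private, p)


def derive_keys(shared_secret, nonce_i, nonce_r):
    """Convert the shared secret number into separate encryption and authentication keys.

    Modelled on IKE's SKEYID step (an HMAC keyed with both nonces over g^xy); the
    labels "encryption"/"authentication" are assumptions for this demo, not IKE's constants.
    """
    secret_bytes = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8, "big")
    skeyid = hmac.new(nonce_i + nonce_r, secret_bytes, hashlib.sha256).digest()
    enc_key = hmac.new(skeyid, b"encryption", hashlib.sha256).digest()
    auth_key = hmac.new(skeyid, b"authentication", hashlib.sha256).digest()
    return enc_key, auth_key


def sign_message(auth_key, message):
    """HMAC over the message; the tag travels with the message."""
    return hmac.new(auth_key, message, hashlib.sha256).digest()


def verify_message(auth_key, message, tag):
    """Recompute the HMAC and compare in constant time (no timing leak on partial matches)."""
    return hmac.compare_digest(sign_message(auth_key, message), tag)


def demo():
    """Run the whole exchange between peers A and B; returns the outcomes."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    # Each side combines its own private value with the other's public value.
    secret_a = dh_shared_secret(a_priv, b_pub)
    secret_b = dh_shared_secret(b_priv, a_pub)
    _, auth_a = derive_keys(secret_a, nonce_a, nonce_b)
    _, auth_b = derive_keys(secret_b, nonce_a, nonce_b)
    # Constructed message modelled on the cheque example in the text.
    original = b"PAY Terry Smith $100"
    tag = sign_message(auth_a, original)       # A signs and sends message + tag
    tampered = b"PAY Alex Jones $1000"          # what an attacker changed it to in transit
    return {
        "secrets_match": secret_a == secret_b,
        "original_accepted": verify_message(auth_b, original, tag),
        "tampered_accepted": verify_message(auth_b, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
```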
IP-sec Protocols
The following sections describe the two IP protocols used in the IPsec standard:
ESP and AH.
Encapsulating Security Protocol
The ESP header (IP protocol 50) forms the core of the IPsec protocol. This
protocol, in conjunction with an agreed-upon set of security parameters or
transform set, protects data by rendering it indecipherable. This protocol encrypts
the data portion of the packet only and uses other mechanisms (HMAC) for the
other protections (data integrity, anti-replay, man-in-the-middle). Optionally, it can
also provide for authentication of the protected data. Figure 2.25 illustrates how
ESP encapsulates an IP packet.

Figure 2.26 Authentication Header (AH)
IPsec Protocol Framework
The preceding section discussed encryption, authentication, and integrity. This
section explains how encryption, integrity, and authentication are applied to the
IPsec protocol suite. As mentioned, IPSec is a framework of open standards.
IPSec spells out the messaging to secure the communications but relies on
existing algorithms, such as DES and 3DES, to implement the encryption and
authentication. The two main IPSec framework protocols are as follows:

Figure 2.25 ip-sec framework
✔ AH: AH, shown in the figure, is the appropriate protocol when confidentiality is
not required or permitted. It provides data authentication and integrity for IP
packets passed between two systems. It is a means of verifying that any
message passed from Router A to Router B was not modified during transit.
It verifies that the data's origin was either Router A or Router B. AH does not
provide data confidentiality (encryption) of packets. It does the following:
• Ensures data integrity
• Provides origin authentication (ensures that packets definitely
came from the peer router)
• Uses a keyed-hash mechanism
• Does not provide confidentiality (no encryption)
• Provides anti-replay protection

Figure 2.26 AH figure
✔ ESP: A security protocol that may be used to provide confidentiality (encryption)
and authentication. ESP provides confidentiality by performing encryption at
the IP packet layer. IP packet encryption conceals the data payload and the
identities of the ultimate source and destination. ESP provides authentication
for the inner IP packet and ESP header. Authentication provides data origin
authentication and data integrity. Although both encryption and authentication
are optional in ESP, at a minimum one of them must be selected. ESP
provides:
• Data confidentiality (encryption)
• Data integrity
• Data origin authentication
• Anti-replay protection
ESP, shown in Figure, provides confidentiality by encrypting the payload. It
supports a variety of symmetric encryption algorithms. The default algorithm for
IPSec is 56-bit DES. Cisco products also support the use of 3DES and AES for
stronger encryption.

Figure 2.27 Esp. protocol
ESP can be used alone or in combination with AH. ESP with AH also provides
integrity and authentication of datagrams. First, the payload is encrypted. Next,
the encrypted payload is sent through a hash algorithm—HMAC-MD5 or
HMAC-SHA-1. The hash provides origin authentication and data integrity for the
data payload.
Alternatively, ESP may also enforce anti-replay protection by requiring that a
receiving host set the replay bit in the header to indicate that the packet has been
seen.
Between two security gateways, the original payload is well protected, because
the entire original IP datagram is encrypted. An ESP header and trailer are added
to the encrypted payload. With ESP authentication, the encrypted IP datagram
and the ESP header or trailer are included in the hashing process. Last, a new IP
header is appended to the front of the authenticated payload. The new IP address
is used to route the packet through the Internet.
When both ESP authentication and encryption are selected, encryption is
performed before authentication. One reason for this order of processing is that it
facilitates rapid detection and rejection of replayed or bogus packets by the
receiving node. Before decrypting the packet, the receiver can authenticate
inbound packets. By doing this, it can detect the problems and potentially reduce
the impact of DoS attacks.
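The receive path just described (authenticate the ESP packet first, then apply the anti-replay check from the earlier section, and only then decrypt), as an added Python example that is not code from the project or from any vendor. The header layout follows ESP (SPI, sequence number, ciphertext, ICV); the cipher is an assumed toy HMAC-SHA256 keystream standing in for AES, and the 64-packet bitmap generalises the page's single-counter description to the sliding window IPsec implementations actually use.

```python
import hashlib
import hmac
import struct

WINDOW_SIZE = 64   # anti-replay window, in sequence numbers
ICV_LEN = 16       # truncated HMAC output, in the spirit of HMAC-SHA1-96


def keystream(enc_key, seq, length):
    """Toy keystream (assumption): HMAC(key, seq || block-counter). Stand-in for AES."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EspSender:
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0  # counter starts at 0; the first packet sent carries 1

    def protect(self, payload):
        self.seq += 1
        header = struct.pack(">II", self.spi, self.seq)
        ciphertext = xor(payload, keystream(self.enc_key, self.seq, len(payload)))
        # Encrypt-then-authenticate: the ICV covers header + ciphertext.
        icv = hmac.new(self.auth_key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
        return header + ciphertext + icv


class EspReceiver:
    def __init__(self, spi, enc_key, auth_key):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) already seen

    def _replay_check(self, seq):
        """Return True (and record seq) if it is new and inside the window."""
        if seq == 0:
            return False
        if seq > self.highest:                      # advances the window
            shift = seq - self.highest
            if shift >= WINDOW_SIZE:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW_SIZE:
            return False                            # too old: outside the window
        if (self.bitmap >> offset) & 1:
            return False                            # duplicate: already seen
        self.bitmap |= 1 << offset                  # late but new: accept and mark
        return True

    def process(self, packet):
        """Return the plaintext, or a string naming why the packet was dropped."""
        if len(packet) < 8 + ICV_LEN:
            return "drop: truncated"
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        spi, seq = struct.unpack(">II", header)
        if spi != self.spi:
            return "drop: unknown SPI"
        # 1. Verify the ICV before any decryption: forged or corrupted packets
        #    are rejected cheaply, which is the DoS point made in the text.
        expected = hmac.new(self.auth_key, header + body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return "drop: bad ICV"
        # 2. Anti-replay: only authenticated sequence numbers may update the window.
        if not self._replay_check(seq):
            return "drop: replay"
        # 3. Only now decrypt.
        return xor(body, keystream(self.enc_key, seq, len(body)))


def demo():
    """Constructed sample exchange: two good packets, one replay, one forgery."""
    keys = (0x1001, b"k" * 32, b"a" * 32)        # constructed SPI and keys
    tx, rx = EspSender(*keys), EspReceiver(*keys)
    p1 = tx.protect(b"GET /payroll")
    p2 = tx.protect(b"balance=100")
    idx = len(p2) - ICV_LEN - 1                    # last ciphertext byte
    forged = p2[:idx] + bytes([p2[idx] ^ 0x01]) + p2[idx + 1:]
    return {
        "first": rx.process(p1),
        "second": rx.process(p2),
        "replayed": rx.process(p1),                # sequence number 1 seen again
        "forged": rx.process(forged),              # ICV fails before any decryption
        "highest": rx.highest,
    }


if __name__ == "__main__":
    print(demo())
```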
To establish an IPsec tunnel, we use a protocol called IKE
(Internet Key Exchange).
There are two phases to build an IPsec tunnel:
• IKE phase 1
• IKE phase 2
In IKE phase 1, two peers will negotiate about the encryption, authentication,
hashing and other protocols that they want to use and some other parameters that
are required. In this phase, an ISAKMP (Internet Security Association and Key
Management Protocol) session is established. This is also called the ISAKMP
tunnel or IKE phase 1 tunnel. The collection of parameters that the two devices
will use is called a SA (Security Association). Here’s an example of two routers
that have established the IKE phase 1 tunnel:

The VPN gateways agree on Phase 1 Transform settings. The settings in the Phase
1 transform on each IPsec device must exactly match, or IKE negotiations fail.
The items you can set in the Phase 1 transform are:

✔ Authentication The type of authentication (SHA-2, SHA-1, or MD5)

✔ Encryption The type of encryption algorithm (DES, 3DES, or AES) and key
length

✔ SA Life The amount of time until the Phase 1 Security Association expires

✔ Key Group the Diffie-Hellman key group

The main purpose of IKE phase 1 is to establish a secure tunnel that we can use
for IKE phase 2.
We can break down phase 1 in three simple steps:

Step 1: Negotiation:

The peer that has traffic that should be protected will initiate the IKE phase 1
negotiation. The two peers will negotiate about the following items:

Figure 2.27 Negotiation step


• Hashing: we use a hashing algorithm to verify the integrity; we use MD5 or
SHA for this.

• Authentication: each peer has to prove who it is. Two commonly used
options are a pre-shared key or digital certificates.

• DH (Diffie Hellman) group: the DH group determines the strength of the key
that is used in the key exchange process. The higher group numbers are more
secure but take longer to compute.

• Lifetime: how long does the IKE phase 1 tunnel stand up? The shorter the
lifetime, the more secure it is, because rebuilding it means we will also use
new keying material. Each vendor uses a different lifetime; a common default
value is 86400 seconds (1 day).

• Encryption: what algorithm do we use for encryption? For example, DES,
3DES or AES.

Step 2: DH Key Exchange

Once the negotiation has succeeded, the two peers will know what policy to use.
They will now use the DH group that they negotiated to exchange keying
material. The end result will be that both peers will have a shared key.

Step 3: Authentication
The last step is that the two peers will authenticate each other using the
authentication method that they agreed upon in the negotiation. When the
authentication is successful, we have completed IKE phase 1. The end result is an
IKE phase 1 tunnel (aka ISAKMP tunnel) which is bidirectional. This means that
both peers can send and receive on this tunnel.

Figure 2.28 Authentication step

IKE phase 2
The purpose of phase 2 negotiations is for the two peers to agree on a set of
parameters that define what traffic can go through the VPN, and how to encrypt
and authenticate the traffic. This agreement is called a Security Association.
Phase 2 Negotiations
After the two IPSec VPN gateways successfully complete Phase 1 negotiations,
Phase 2 negotiations begin. The purpose of Phase 2 negotiations is to establish
the Phase 2 SA (sometimes called the IPSec SA). The IPSec SA is a set of traffic
specifications that tell the device what traffic to send over the VPN, and how to
encrypt and authenticate that traffic.
Phase 2 negotiations include these steps:
The VPN gateways use the Phase 1 SA to secure Phase 2 negotiations. The VPN
gateways agree on whether to use Perfect Forward Secrecy (PFS).
VPN encryption keys are changed at the interval specified by the Force Key
Expiration setting. The interval is eight hours by default. To prevent SAs from
using Phase 1 keys for Phase 2, PFS forces the DH calculation to happen a second
time. This means that Phase 1 and Phase 2 always have different keys, which is
harder to break unless you select a DH group lower than 14.
We recommend that you use PFS to keep your data secure. If you want to use
PFS, it must be enabled on both VPN gateways, and both gateways must use the
same Diffie-Hellman key groups.
The VPN gateways agree on a Phase 2 proposal.
The Phase 2 proposal includes the algorithm to use to authenticate data, the
algorithm to use to encrypt data, and how often to make new Phase 2 encryption
keys.
The items you can set in a Phase 2 proposal include:
• Type — For a manual BOVPN, you can select the type of protocol to use:
Authentication Header (AH) or Encapsulating Security Payload (ESP). Both AH
and ESP encrypt the data and protect against spoofing and packet manipulation
(replay detection). We recommend that you use ESP, because you can protect
against spoofing in other ways. Managed BOVPNs, Mobile VPN with IKEv2,
Mobile VPN with IPSec, and Mobile VPN with L2TP always use ESP.
• Authentication — Authentication makes sure that the information received is
exactly the same as the information sent. You can use SHA-1, SHA-2, or MD5
as the algorithm the VPN gateways use to authenticate IKE messages from
each other. SHA-2 is the only secure option.
• Encryption — Encryption keeps the data confidential. You can select DES,
3DES, AES, or AES-GCM. AES and AES-GCM variants are the only
secure options.
• Force Key Expiration — To make sure Phase 2 encryption keys change
periodically, specify a key expiration interval. The default setting is 8 hours.
The longer a Phase 2 encryption key is in use, the more data an attacker can
collect to use to mount an attack on the key. We recommend that you do not
select the Traffic option because it causes high Firebox load, throughput
issues, packet loss, and frequent, random outages.
Let's show how IKE phase 2 works
Apply Transform Set at Router A:
A transform set is a combination of individual IPSec transforms designed to enact
a specific security policy for traffic. During the ISAKMP IPSec security
association negotiation that occurs in IKE phase 2 quick mode, the peers agree to
use a particular transform set for protecting a particular data flow. Transform sets
combine the following IPSec factors:
• Mechanism for payload authentication—AH transform
• Mechanism for payload encryption—ESP transform
• IPSec mode (transport versus tunnel)
Transform sets equal a combination of an AH transform, plus an ESP transform,
plus the IPSec mode (either tunnel or transport mode).
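The matching rule for Phase 1 transforms and Phase 2 proposals (every parameter must match exactly or the negotiation fails), together with the minimum-strength guidance given above (SHA-2, AES or AES-GCM, DH group 14 or higher), as an added Python example; this is not vendor code. The proposal lists for the branch and headquarters routers are constructed for the demo, and the initiator-preference ordering is an assumption about how such lists are walked.

```python
from typing import List, NamedTuple, Optional


class Proposal(NamedTuple):
    """One transform set / proposal as negotiated in Phase 1 or Phase 2."""
    encryption: str   # e.g. "aes-256", "aes-128", "3des", "des"
    integrity: str    # e.g. "sha256", "sha1", "md5"
    dh_group: int     # Diffie-Hellman group (for Phase 2: the PFS group)
    lifetime: int     # seconds until the SA expires


# Minimum-strength policy taken from the text: SHA-2, AES/AES-GCM, DH group >= 14.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
MIN_DH_GROUP = 14


def weaknesses(p: Proposal) -> List[str]:
    """Return the policy violations of one proposal (empty list means acceptable)."""
    issues = []
    if p.encryption in WEAK_ENCRYPTION:
        issues.append(f"weak encryption {p.encryption}")
    if p.integrity in WEAK_INTEGRITY:
        issues.append(f"weak integrity {p.integrity}")
    if p.dh_group < MIN_DH_GROUP:
        issues.append(f"DH group {p.dh_group} below {MIN_DH_GROUP}")
    return issues


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Pick the first proposal, in the initiator's preference order, that the responder also offers.

    Every field has to match exactly (the rule the text gives for Phase 1 transforms);
    no common proposal means the negotiation fails, returned here as None.
    """
    offered = set(responder)
    for p in initiator:
        if p in offered:
            return p
    return None


def audit(initiator: List[Proposal], responder: List[Proposal]) -> dict:
    """Report what would be negotiated and whether a stronger common proposal was skipped."""
    chosen = negotiate(initiator, responder)
    if chosen is None:
        return {"chosen": None, "issues": ["no common proposal: negotiation fails"],
                "stronger_available": None}
    common = [p for p in initiator if p in set(responder)]
    stronger = next((p for p in common if p != chosen and not weaknesses(p)), None)
    return {"chosen": chosen, "issues": weaknesses(chosen), "stronger_available": stronger}


# Constructed sample proposal lists (assumption): the branch router still lists a
# legacy 3DES/SHA-1/group 2 transform ahead of a modern one.
BRANCH = [
    Proposal("3des", "sha1", 2, 86400),
    Proposal("aes-256", "sha256", 14, 86400),
]
HEADQUARTERS = [
    Proposal("aes-256", "sha256", 14, 86400),
    Proposal("3des", "sha1", 2, 86400),
    Proposal("aes-128", "sha256", 14, 28800),
]

if __name__ == "__main__":
    # Branch initiating: the weak legacy transform wins because it is listed first.
    print(audit(BRANCH, HEADQUARTERS))
    # Headquarters initiating: the strong transform wins.
    print(audit(HEADQUARTERS, BRANCH))
```

The audit shows that which side initiates, and the order of each side's list, decides whether a weak legacy transform is still negotiated even though both peers support a strong one.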

Figure 2.29 Transform set
Apply Crypto Access List at Router A:
Crypto access lists are used to identify which IP traffic is to be protected by
encryption and which traffic is not. After the access list is defined, the crypto
maps reference it to identify the type of traffic that IPSec protects. The permit
keyword in the access list causes IPSec to protect all IP traffic that matches the
access list criteria. If the deny keyword is used in the access list, the traffic is not
encrypted. The crypto access lists specified at the remote peer should be mirror
images of the access lists specified at the local peer. This ensures that traffic that
has IPSec protection applied locally can be processed correctly at the remote peer.
The crypto map entries should also support common transforms and should refer
to the other system as a peer. It is not recommended that you use the permit ip
any any command, because it causes all outbound traffic to be encrypted (and all
encrypted traffic to be sent to the peer specified in the corresponding crypto map
entry), and it requires encryption of all inbound traffic.
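As an added example (not the report's configuration and not a Cisco tool), the following Python script checks a pair of constructed Router A / Router B Phase 2 settings against the rules given above for transform sets and crypto access lists: a transform set in common, mirror-image ACLs, and no permit ip any any. The ACL grammar it parses and the sample networks 10.1.1.0/24, 10.2.2.0/24 and 10.3.3.0/24 are assumptions.

```python
"""Phase 2 consistency checks for a site-to-site IPsec configuration.

Added example, not the report's own configuration or a vendor tool. It
applies three rules the text gives for IKE Phase 2: the peers must share a
transform set, the remote peer's crypto ACL must mirror the local one, and
"permit ip any any" should not be used as a crypto ACL. It parses the
simple "permit|deny ip <src> <dst>" form of a Cisco IOS extended ACL; the
transform sets and ACLs below are constructed samples for Routers A and B.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Transforms the text rules out as insecure for Phase 2 (DES, 3DES, MD5).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


@dataclass(frozen=True)
class CryptoAce:
    """One crypto ACL entry: traffic from src to dst is protected (permit) or not (deny)."""
    action: str
    src: IPv4Network
    dst: IPv4Network

    def mirrored(self) -> CryptoAce:
        """The entry the remote peer must carry for the same flow: src and dst swapped."""
        return CryptoAce(self.action, self.dst, self.src)


def _parse_addr(tokens: list[str], i: int) -> tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    wildcard = int(IPv4Address(tokens[i + 1]))
    netmask = IPv4Address(~wildcard & 0xFFFFFFFF)
    return IPv4Network(f"{tok}/{netmask}", strict=False), i + 2


def parse_crypto_acl(text: str) -> list[CryptoAce]:
    """Collect the permit/deny entries of an IOS-style extended ACL; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(CryptoAce(tokens[0], src, dst))
    return entries


def common_transform(local: list[tuple], remote: list[tuple]):
    """First transform set offered by both peers, in the order the local peer lists them,
    or None when quick mode would fail for lack of a match."""
    remote_sets = set(remote)
    return next((ts for ts in local if ts in remote_sets), None)


def check_phase2(local_ts, remote_ts, local_acl, remote_acl) -> list[str]:
    """Return findings as strings; an empty list means both sides agree and nothing looks weak."""
    findings = []
    ts = common_transform(local_ts, remote_ts)
    if ts is None:
        findings.append("no transform set in common: Phase 2 negotiation will fail")
    elif WEAK_TRANSFORMS & set(ts):
        findings.append(f"negotiated transform set uses a weak algorithm: {ts}")
    any_any = CryptoAce("permit", IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0"))
    for side, acl in (("local", local_acl), ("remote", remote_acl)):
        if any_any in acl:
            findings.append(f"{side}: 'permit ip any any' would encrypt all traffic to the peer")
    expected = {e.mirrored() for e in local_acl}
    for e in sorted(expected - set(remote_acl), key=str):
        findings.append(f"remote lacks the mirror entry: {e.action} ip {e.src} {e.dst}")
    for e in sorted(set(remote_acl) - expected, key=str):
        findings.append(f"local lacks the mirror entry: {e.action} ip {e.dst} {e.src}")
    return findings


# Constructed samples. Router A offers AES first but still lists a 3DES/MD5 fallback.
ROUTER_A_TS = [("esp-aes", "esp-sha-hmac", "tunnel"), ("esp-3des", "esp-md5-hmac", "tunnel")]
ROUTER_B_TS = [("esp-aes", "esp-sha-hmac", "tunnel")]
ROUTER_B_WEAK_TS = [("esp-3des", "esp-md5-hmac", "tunnel")]
ROUTER_A_ACL = """ip access-list extended VPN-TRAFFIC
 remark head office LAN to branch LAN, and one server to a second branch
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip host 10.1.1.10 10.3.3.0 0.0.0.255"""
ROUTER_B_ACL = """ip access-list extended VPN-TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.3.3.0 0.0.0.255 host 10.1.1.10"""
ROUTER_B_BAD_ACL = """ip access-list extended VPN-TRAFFIC
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip any any"""

if __name__ == "__main__":
    acl_a, acl_b = parse_crypto_acl(ROUTER_A_ACL), parse_crypto_acl(ROUTER_B_ACL)
    print(check_phase2(ROUTER_A_TS, ROUTER_B_TS, acl_a, acl_b) or "Phase 2 configuration is consistent")
    for finding in check_phase2(ROUTER_A_TS, ROUTER_B_WEAK_TS, acl_a, parse_crypto_acl(ROUTER_B_BAD_ACL)):
        print("finding:", finding)
```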
Figure 2.30 Summary of config
2.2 Methodological aspects of the design
Designing a corporate network, or even a single fragment of it (like the edge
network), is a complex task. Because of that we need to follow a proven approach
in the design process, which will facilitate our work as much as possible. Now we
will review possible design guides in order to select the one we will use in the
design of our network.
2.2.1 Modular design
When designing a network architecture, it is helpful and useful to divide the
network into smaller pieces called blocks or modules. This is a key starting
point because it is much easier to design small pieces of the network than to
design the entire network. This modular design has many benefits, including the
following:
 A smaller piece of the network is easier to understand and design
 Smaller elements of the network ease troubleshooting
 It provides flexibility because it is easier to change single modules of the
network than to change the whole network
When planning a network there are also some basic network components that need
to be considered. They are addressing/routing, network management, performance
and security:
Addressing/routing component
This component is about the addressing/routing techniques we should use in our
network. These techniques include subnetting, variable-length subnetting,
supernetting, public addressing, dynamic addressing, private addressing, virtual
LANs (VLANs), IPv6, and network address translation (NAT). Public network
addresses are used to uniquely identify computers on the Internet. We can obtain
public addressing space from our ISP or directly from the Internet Assigned
Numbers Authority (IANA). The private addressing space contains particular IP
addresses that are not allowed to exit a private network, such as our corporate
LAN. The well-known private addresses that are available for internal network
use are:
 Class A – From 10.0.0.0 to 10.255.255.255
 Class B – From 172.16.0.0 to 172.31.255.255
 Class C – From 192.168.0.0 to 192.168.255.255
These address ranges are the classful addresses. For more efficient use of an
address range we can deploy variable-length subnetting, or variable length subnet
mask (VLSM). This technique allows us to allocate IP addresses to subnets
according to their individual needs. For example, for a connection between two
routers we practically need just two addresses, one for each router. We should
not waste a whole subnet of class C addresses on it (the 192.168.1.0 255.255.255.0
subnet, where 253 hosts can reside); doing so would waste a lot of address space.
To avoid this we can deploy VLSM: instead of reserving the whole 192.168.1.0
subnet just for the connection between the two routers, we can allocate them
addresses from the range 192.168.1.0/30, where only two hosts can reside, and
thus preserve addressing space. So far we have been discussing IPv4 addresses.
We should also consider the possibility of deploying IPv6 addresses. IPv6 is the
newer version of the IP protocol, first intended to resolve the address space
limitations of IPv4. IPv6 also has the following benefits over IPv4: “larger
address space for global reachability and scalability; simplified header for
routing efficiency and performance; deeper hierarchy and policies for network
architecture flexibility; efficient support for routing and route aggregation;
serverless autoconfiguration, easier renumbering, multihoming, and improved plug
and play support; security with mandatory IP Security (IPSec) support for all
IPv6 devices; improved support for Mobile IP and mobile computing devices
(direct-path); enhanced multicast support with increased addresses and efficient
mechanisms”
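An added example, not from the report, of the VLSM allocation described above, written in Python against the 192.168.1.0/24 block; the segment names and their host counts are constructed.

```python
"""VLSM allocation: carve one address block into subnets sized to actual need.

Added example, not from the report: it takes the per-segment host counts
below (constructed: three user LANs and one router-to-router link), picks
the smallest prefix that fits each, and allocates them largest-first from
the 192.168.1.0/24 block the text discusses, so the router link gets a /30
instead of a whole /24.
"""
from __future__ import annotations
from ipaddress import IPv4Network


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose subnet offers at least `hosts` usable addresses
    (the network and broadcast addresses are not usable by hosts)."""
    prefix, size = 30, 4
    while size - 2 < hosts:
        size *= 2
        prefix -= 1
    return prefix


def allocate_vlsm(block: str, demands: dict[str, int]) -> dict[str, IPv4Network]:
    """Assign every named segment a subnet of `block` just large enough for it.
    Demands are served largest first; each one takes the tightest-fitting free
    piece and splits it down to size, returning the unused halves to the pool."""
    free = [IPv4Network(block)]
    plan: dict[str, IPv4Network] = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: (-kv[1], kv[0])):
        want = prefix_for_hosts(hosts)
        fitting = [n for n in free if n.prefixlen <= want]
        if not fitting:
            raise ValueError(f"no free space for {name} ({hosts} hosts)")
        # Tightest fit first, lowest address on a tie, so the block stays compact.
        piece = max(fitting, key=lambda n: (n.prefixlen, -int(n.network_address)))
        free.remove(piece)
        while piece.prefixlen < want:
            piece, spare = piece.subnets(prefixlen_diff=1)
            free.append(spare)
        plan[name] = piece
    return plan


def addresses_consumed(plan: dict[str, IPv4Network]) -> int:
    """Total addresses taken from the block by the plan."""
    return sum(n.num_addresses for n in plan.values())


# Constructed requirements for a small office served from one class C block.
DEMANDS = {"sales": 100, "engineering": 50, "management": 10, "router-link": 2}

if __name__ == "__main__":
    plan = allocate_vlsm("192.168.1.0/24", DEMANDS)
    for name, net in plan.items():
        print(f"{name:12} {net}  ({net.num_addresses - 2} usable hosts)")
    # Four classful /24s would have consumed 1024 addresses for the same segments.
    print("addresses consumed with VLSM:", addresses_consumed(plan))
```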
Performance component
For this component we must set mechanisms to configure, manage and deliver
resources to the end users, devices and applications, and to assure the
projected performance characteristics. These mechanisms include the following:
1. Quality of Service (QoS)
2. Resource control - prioritization, traffic management, scheduling, and
queuing
3. Service-Level Agreements (SLA)
4. Policies
The performance characteristics to plan for are:
 Capacity (bandwidth) – The data-carrying capability of a circuit or network,
usually measured in bits per second (bps)
 Utilization – The percent of total available capacity in use
 Optimum utilization – Maximum average utilization before the network is
considered saturated
 Throughput – Quantity of error-free data successfully transferred between
nodes per unit of time, usually seconds
 Efficiency – A measurement of how much effort is required to produce a
certain amount of data throughput
 Delay (latency) – Time between a frame being ready for transmission from a
node and delivery of the frame elsewhere in the network
 Delay variation – The amount of time average delay varies
 Response time – The amount of time between a request for some network
service and a response to the request
Security component
For the security component we must set security mechanisms to guarantee the
confidentiality, integrity, and availability of user, application, device, and
network information and physical resources. These security mechanisms include
security threat analysis, security policies and procedures, physical security and
awareness, protocol and application security, encryption, network perimeter
security, and remote access security. There are also interactions between these
components that must not be ignored. For example, increasing our security will
also slow performance, because security requires more time for processing
access queries to network resources. Besides the interaction between performance
and security just mentioned, there are interactions between management and
security, management and performance, and addressing/routing and performance.
2.2.2 Prepare, Plan, Design, Implement, Operate, Optimize (PPDIOO)
Network Lifecycle Approach
Cisco, as a leading company in worldwide networking, has developed a design plan
to follow when designing a network for a company. It is called PPDIOO, which
represents the lifecycle of a network. PPDIOO has six phases: prepare, plan,
design, implement, operate, and optimize, hence its name.
Figure 2.32 PPDIOO Network Lifecycle Approach
The PPDIOO phases are as follows:
1. Prepare: Involves establishing the organizational requirements, developing
a network strategy, and proposing a high-level conceptual architecture
identifying technologies that can best support the architecture. The prepare
phase can establish a financial justification for network strategy by assessing
the business case for the proposed architecture.
2. Plan: Involves identifying initial network requirements based on goals,
facilities, user needs, and so on. The plan phase involves characterizing sites
and assessing any existing networks and performing a gap analysis to
determine whether the existing system infrastructure, sites, and the
operational environment can support the proposed system. A project plan is
useful for helping manage the tasks, responsibilities, critical milestones, and
resources required to implement changes to the network. The project plan
should align with the scope, cost, and resource parameters established in the
original business requirements.
3. Design: The initial requirements that were derived in the planning phase
drive the activities of the network design specialists. The network design
specification is a comprehensive detailed design that meets current business
and technical requirements, and incorporates specifications to support
availability, reliability, security, scalability, and performance. The design
specification is the basis for the implementation activities.
4. Implement: The network is built or additional components are incorporated
according to the design specifications, with the goal of integrating devices
without disrupting the existing network or creating points of vulnerability.
5. Operate: Operation is the final test of the appropriateness of the design. The
operational phase involves maintaining network health through day-to-day
operations, including maintaining high availability and reducing expenses.
The fault detection, correction, and performance monitoring that occur in
daily operations provide the initial data for the optimization phase.
6. Optimize: Involves proactive management of the network. The goal of
proactive management is to identify and resolve issues before they affect the
organization. Reactive fault detection and correction (troubleshooting) is
needed when proactive management cannot predict and mitigate failures. In
the PPDIOO process, the optimization phase can prompt a network redesign
if too many network problems and errors arise, if performance does not meet
expectations, or if new applications are identified to support organizational
and technical requirements.
The benefits of the PPDIOO approach are:
 The total cost of network ownership is lowered
 Network availability is increased
 Business agility is improved
 Speed to access applications and services is increased
2.3 Conclusion, Aims and Purposes
It would be useful if we consider implementing redundancy for the remote access
connections. We should implement main and backup AAA servers, main and
backup border routers and two VPN gateways so the remote users are able to
connect even in the event of failure of the main devices. Actually, redundancy is
useful for every aspect of the network, but it is not good to add too much
redundancy because it increases complexity and costs by adding additional
elements to the network. We have reviewed some approaches for designing a
network and we can select either one of them to follow in the design process.
However, using a top-down approach is recommended over a bottom-up
approach. The top-down approach helps us to evaluate all the needed
requirements for services and applications and based on them to select particular
network equipment. This is an economically effective solution because we will
choose equipment to suit our needs; we will not go shopping blind. Since we are
developing a solution for an enterprise network, it would be better to select
the PPDIOO network design approach, because it is a top-down and comprehensive
corporate design approach.
CHAPTER 3: NETWORK DESIGN
Network Design Overview:
Computers and information networks are critical to the success of businesses,
both large and small. They connect people, support applications and services, and
provide access to the resources that keep the businesses running. To meet the
daily requirements of businesses, networks themselves are becoming quite
complex.
Network design is a category of systems design that deals with data transport
mechanisms. As with other systems' design disciplines, network design follows
an analysis stage, where requirements are generated, and precedes
implementation, where the system (or relevant system component) is constructed.
The objective of network design is to satisfy data communication requirements
while minimizing expense. Requirement scope can vary widely from one network
design project to another based on geographic particularities and the nature of the
data requiring transport.
Network Requirements
Today, the Internet-based economy often demands around-the-clock customer
service. This means that business networks must be available nearly 100 percent
of the time. They must be smart enough to automatically protect against
unexpected security incidents. These business networks must also be able to
adjust to changing traffic loads to maintain consistent application response times.
It is no longer practical to construct networks by connecting many standalone
components without careful planning and design.
Building a Good Network
Good networks do not happen by accident. They are the result of hard work by
network designers and technicians, who identify network requirements and select
the best solutions to meet the needs of a business.
The steps required to design a good network are as follows:
 Step 1. Verify the business goals and technical requirements.
 Step 2. Determine the features and functions required to meet the needs
identified in Step 1.
 Step 3. Perform a network-readiness assessment.
 Step 4. Create a solution and site acceptance test plan.
 Step 5. Create a project plan.
After the network requirements have been identified, the steps to designing a
good network are followed as the project implementation moves forward.
Network users generally do not think in terms of the complexity of the underlying
network. They think of the network as a way to access the applications they need,
when they need them.
Network Requirements:
Most businesses actually have only a few requirements for their network:
I. The network should stay up all the time, even in the event of failed links,
equipment failure, and overloaded conditions.
II. The network should reliably deliver applications and provide reasonable
response times from any host to any host.
III. The network should be secure. It should protect the data that is transmitted
over it and data stored on the devices that connect to it.
IV. The network should be easy to modify to adapt to network growth and
general business changes.
V. Because failures occasionally occur, troubleshooting should be easy. Finding
and fixing a problem should not be too time-consuming.
Fundamental Design Goals:
When examined carefully, these requirements translate into four fundamental
network design goals:
■ Scalability: Scalable network designs can grow to include new user groups and
remote sites and can support new applications without impacting the level of
service delivered to existing users.
■ Availability: A network designed for availability is one that delivers
consistent, reliable performance, 24 hours a day, 7 days a week. In addition, the
failure of a single link or piece of equipment should not significantly impact
network performance.
■ Security: Security is a feature that must be designed into the network, not
added on after the network is complete. Planning the location of security devices,
filters, and firewall features is critical to safeguarding network resources.
■ Manageability: No matter how good the initial network design is, the available
network staff must be able to manage and support the network. A network that is
too complex or difficult to maintain cannot function effectively and efficiently.
Hierarchical Network Design:
To meet the four fundamental design goals, a network must be built on an
architecture that allows for both flexibility and growth.
In networking, a hierarchical design is used to group devices into multiple
networks. The networks are organized in a layered approach. The hierarchical
design model has three basic layers:
 Core layer: Connects distribution layer devices.
 Distribution layer: Interconnects the smaller local networks.
 Access layer: Provides connectivity for network hosts and end devices.
Hierarchical networks have advantages over flat network designs. The benefit of
dividing a flat network into smaller, more manageable hierarchical blocks is that
local traffic remains local. Only traffic destined for other networks is moved to a
higher layer.
Layer 2 devices in a flat network provide little opportunity to control broadcasts
or to filter undesirable traffic. As more devices and applications are added to a
flat network, response times degrade until the network becomes unusable.
Figures 1-1 and 1-2 show the advantages of a hierarchical network design versus
a flat network design.
Early networks were deployed in a flat topology as shown in Figure 1-1.
Hubs and switches were added as more devices needed to be connected. A flat
network design provided little opportunity to control broadcasts or to filter
undesirable traffic. As more devices and applications were added to a flat
network, response times degraded, making the network unusable.
Flat Network
A better network design approach was needed. For this reason, organizations now
use a hierarchical network design as shown in Figure 1-2.
A hierarchical network design involves dividing the network into discrete layers.
Each layer, or tier, in the hierarchy provides specific functions that define its role
within the overall network. This helps the network designer and architect to
optimize and select the right network hardware, software, and features to perform
specific roles for that network layer. Hierarchical models apply to both LAN and
WAN design.
Network Design Methodologies:
Large network design projects are normally divided into three distinct steps:
Step 1. Identify the network requirements.
Step 2. Characterize the existing network.
Step 3. Design the network topology and solutions.
Step 1: Identifying Network Requirements
The network designer works closely with the customer to document the goals of
the project. Figure 1-5 depicts a meeting between the designer and the business
owner. Goals are usually separated into two categories:
 Business goals: Focus on how the network can make the business more
successful.
 Technical requirements: Focus on how the technology is implemented
within the network.
Step 2: Characterizing the Existing Network
Information about the current network and services is gathered and analyzed. It
is necessary to compare the functionality of the existing network with the defined
goals of the new project. The designer determines whether any existing
equipment, infrastructure, and protocols can be reused, and what new equipment
and protocols are needed to complete the design.
Step 3: Designing the Network Topology
A common strategy for network design is to take a top-down approach. In this
approach, the network applications and service requirements are identified, and
then the network is designed to support them. When the design is complete, a
prototype or proof-of-concept test is performed. This approach ensures that the
new design functions as expected before it is implemented.
Client Interaction
Impacting the Entire Network:
Network requirements that impact the entire network include the following:
a) Adding new network applications and making major changes to existing
applications, such as database or Domain Name System (DNS) structure
changes.
b) Improving the efficiency of network addressing or routing protocol changes.
c) Integrating new security measures.
d) Adding new network services, such as voice traffic, content networking, and
storage networking.
e) Relocating servers to a data center server farm.
Impacting a Portion of the Network:
Requirements that may only affect a portion of the network include the following:
1. Improving Internet connectivity and adding bandwidth.
2. Updating access layer LAN cabling.
3. Providing redundancy for key services.
4. Supporting wireless access in defined areas.
5. Upgrading WAN bandwidth.
Investigating Access Layer Design Considerations:
The access layer is used to control user access to the internetwork resources. The
network designer has to facilitate the traffic generated from the access layer as it
is bound for other segments or other layers within the network. Without an
appropriate design, the access layer could quickly become inundated with traffic,
resulting in less-than-acceptable performance for the end users.
What Happens at the Access Layer?
The access layer, as illustrated in Figure, represents the edge of the network
where end devices connect. Access layer services and devices reside inside each
building of a campus, each remote site and server farm, and at the enterprise edge.
Access Layer Physical Considerations
The access layer of the campus infrastructure uses Layer 2 switching technology
to provide access into the network. The access can be either through a permanent
wired infrastructure or through wireless access points. Ethernet over copper
wiring poses distance limitations. Therefore, one of the primary concerns when
designing the access layer of a campus infrastructure is the physical location of
the equipment.
Wiring Closets
Wiring closets can be actual closets or small telecommunication rooms
that act as the termination point for infrastructure cabling within
buildings or within floors of a building. The placement and physical
size of the wiring closets depends on network size and expansion plans.
The wiring closet equipment provides power to end devices such as IP
phones and wireless access points. Many access layer switches have
Power-over-Ethernet (PoE) functionality.
Unlike a typical wiring closet, inside a server farm or data center the
access layer devices are typically redundant multilayer switches that
combine the functionality of both routing and switching. Multilayer
switches can provide firewall and intrusion protection features and
Layer 3 functions.
The Impact of Converged Networking at the Access Layer
The modern computer network consists of more than just personal computers and
printers connecting to the access layer. Many different devices, as shown in
Figure, can connect to an IP network, including the following:
 IP telephones
 Video cameras
 Videoconferencing systems
All of these services can be converged onto a single physical access layer
infrastructure. However, the logical network design to support them becomes
more complex because of considerations such as quality of service (QoS), traffic
segregation, and filtering. These new types of end devices, and the associated
applications and services, change the requirements for scalability, availability,
security, and manageability at the access layer.
The Need for Availability at the Access Layer
In early networks, high availability was usually present only at the network core,
enterprise edge, and data center networks. With IP telephony, there is now an
expectation that every individual telephone should be available 100 percent of the
time.
Redundant components and failover strategies can be implemented at the access
layer to improve reliability and increase availability for the end devices.
Access Layer Management
Improving the manageability of the access layer is a major concern for the
network designer. Access layer management is crucial because of the following:
 The increase in the number and types of devices connecting at the access
layer.
 The introduction of wireless access points into the LAN.
Designing for Manageability
In addition to providing basic connectivity at the access layer, the
designer needs to consider the following:
 Naming structures
 VLAN architecture
 Traffic patterns
 Prioritization strategies
Configuring and using network management systems for a large converged
network are very important. Figure shows an example of network management
software. It is also important to standardize configurations and equipment when
possible.
Network Management Software: Cisco Assistant
Following good design principles improves the manageability and ongoing support
of the network by
 Ensuring that the network does not become too complex.
 Allowing easy troubleshooting when a problem occurs.
 Making it easier to add new features and services in the future.
Network Topologies at the Access Layer
Most recent Ethernet networks use a star topology, which is sometimes called a
hub-and-spoke topology. In a star topology, each end device has a direct
connection to a single networking device. This single networking device is
usually a Layer 2 or multilayer switch. A wired star topology in the access layer
typically has no redundancy from individual end devices to the switch. For many
businesses, the cost of additional wiring to create redundancy is usually too high.
However, if costs are not a factor, the network can be configured as a full-mesh
topology (see Figure) to ensure redundancy.
How VLANs Segregate and Control Network Traffic
Using VLANs and IP subnets is the most common method for segregating user
groups and traffic within the access layer network.
VLANs in the Past:
With the introduction of Layer 2 switching, VLANs were used to create end-to-
end workgroup networks. The networks connected across buildings or even
across the entire infrastructure. End-to-end VLANs are no longer used in this
way. The increased number of users and the volume of network traffic that these
users generate are too high to be supported.
VLANs Now:
Today, VLANs are used to separate and classify traffic streams and to control
broadcast traffic within a single wiring closet or building. Figure 1-20 shows
VLANs segregating traffic within a network. Although large VLANs that span
entire networks are no longer recommended, they may be required to support
special applications, such as wireless roaming and wireless IP phones.
Segregating VLAN Traffic
The recommended approach is to contain VLANs within a single wiring closet.
This approach increases the number of VLANs in a network, which also increases
the number of individual IP subnets. It is recommended practice to associate a
single IP subnet with a single VLAN. IP addressing at the access layer becomes
a critical design issue that affects the scalability of the entire network.
Investigating Distribution Layer Design Considerations
The next layer of the Cisco hierarchical model is the distribution layer. This layer
is associated with routing, filtering, and is the communication point between the
core layer and the access layer. A network designer must create a distribution
layer design that complements the needs of the other two layers.
The distribution layer represents a routing boundary between the access layer and
the core layer. It also serves as a connection point between remote sites and the
core layer.
Distribution Layer Routing
The access layer is commonly built using Layer 2 switching technology. The
distribution layer (see Figure 1-10) is built using Layer 3 devices. Routers or
multilayer switches, located at the distribution layer, provide many functions
critical for meeting the goals of the network design, including the following:
 Filtering and managing traffic flows
 Enforcing access control policies
 Summarizing routes before advertising the routes to the Core
 Isolating the core from access layer failures or disruptions
 Routing between access layer VLANs
Distribution layer devices are also used to manage queues and prioritize traffic
before transmission through the campus core.
Distribution Layer
Trunks
Trunk links are often configured between access and distribution layer
networking devices. Trunks are used to carry traffic that belongs to multiple
VLANs between devices over the same link. The network designer considers the
overall VLAN strategy and network traffic patterns when designing the trunk
links.
Redundant Links
When redundant links exist between devices in the distribution layer, the devices
can be configured to load balance the traffic across the links. Figure shows the
redundant links at the distribution layer. Load balancing is another option that
increases the bandwidth available for applications.
Redundancy at the Distribution Layer
Distribution Layer Topology
Distribution layer networks are usually wired in a partial-mesh topology. This
topology provides enough redundant paths to ensure that the network can survive
a link or device failure. When the distribution layer devices are located in the
same wiring closet or data center, they are interconnected using gigabit links.
When the devices are separated by longer distances, fiber cable is used. Switches
that support multiple high-speed fiber connections can be expensive, so careful
planning is necessary to ensure that enough fiber ports are available to provide
the desired bandwidth and redundancy.
Building a Redundant Network at the Distribution Layer
To reduce downtime, the network designer deploys redundancy in the network.
Devices at the distribution layer have redundant connections to switches at the
access layer and to devices at the core layer. If a link or device fails, these
connections provide alternate paths. Using an appropriate routing protocol at the
distribution layer, the Layer 3 devices react quickly to link failures so that they
do not impact network operations.
Providing multiple connections to Layer 2 switches can cause unstable behavior
in a network unless STP is enabled. Without STP (see Figure 1-13), redundant
links in a Layer 2 network can cause broadcast storms. Switches are unable to
correctly learn the ports, so traffic ends up being flooded throughout the switch.
By disabling one of the links, STP guarantees that only one path is active between
two devices (see Figure 1-14).
If one of the links fails, the switch recalculates the spanning tree topology and
automatically begins using the alternate link.
Rapid Spanning Tree Protocol (RSTP), as defined in IEEE 802.1w, builds upon
the IEEE 802.1d technology and provides rapid convergence of the spanning tree.
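An added example, not from the report, showing the spanning tree computation described above in Python on a constructed four-switch topology: which redundant link ends up blocked, and how the tree is recalculated after a link failure. The switch names, bridge IDs and link costs are assumptions.

```python
"""Spanning tree computation over a small redundant Layer 2 topology.

Added example, not from the report: it performs the IEEE 802.1D steps the
text relies on (root bridge election by lowest bridge ID, root path cost per
switch, one root port per non-root switch) and reports which redundant link
ends up blocked, then recomputes after a link failure, which is the
recalculation the text describes. Switch names, bridge IDs (priority, MAC)
and link costs are constructed.
"""
from __future__ import annotations
import heapq


def spanning_tree(bridges: dict, links: list):
    """bridges: name -> (priority, MAC); links: (switch A, switch B, path cost).
    Returns (root, root path cost per switch, forwarding links, blocked links)."""
    root = min(bridges, key=lambda sw: bridges[sw])     # lowest bridge ID wins
    adjacency = {sw: [] for sw in bridges}
    for a, b, cost in links:
        adjacency[a].append((b, cost))
        adjacency[b].append((a, cost))

    # Root path cost: cheapest total link cost from each switch to the root (Dijkstra).
    cost = {sw: float("inf") for sw in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        d, sw = heapq.heappop(heap)
        if d > cost[sw]:
            continue
        for nbr, c in adjacency[sw]:
            if d + c < cost[nbr]:
                cost[nbr] = d + c
                heapq.heappush(heap, (d + c, nbr))

    # Each non-root switch keeps exactly one root port: the link toward the root with
    # the lowest cost, ties broken by the neighbour's bridge ID. Those links form the
    # tree; every other link is blocked on one side, so no loop remains.
    forwarding = set()
    for sw in bridges:
        if sw == root or cost[sw] == float("inf"):
            continue
        nbr, _ = min(adjacency[sw], key=lambda nc: (cost[nc[0]] + nc[1], bridges[nc[0]]))
        forwarding.add(frozenset((sw, nbr)))
    blocked = {frozenset((a, b)) for a, b, _ in links} - forwarding
    return root, cost, forwarding, blocked


def after_link_failure(bridges: dict, links: list, failed: tuple):
    """Recompute the tree with one link removed, as STP does when a link goes down."""
    remaining = [l for l in links if frozenset(l[:2]) != frozenset(failed)]
    return spanning_tree(bridges, remaining)


# Constructed topology: SW1 has the lowest priority and becomes root; SW2 and SW3 are
# redundant distribution switches; SW4 is an access switch dual-homed to both.
BRIDGES = {
    "SW1": (4096, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
    "SW4": (32768, "00:00:00:00:00:04"),
}
LINKS = [("SW1", "SW2", 4), ("SW1", "SW3", 4), ("SW2", "SW3", 4),   # gigabit links, cost 4
         ("SW2", "SW4", 19), ("SW3", "SW4", 19)]                     # 100 Mb/s links, cost 19

if __name__ == "__main__":
    root, cost, fwd, blocked = spanning_tree(BRIDGES, LINKS)
    print("root:", root, "blocked links:", sorted(tuple(sorted(l)) for l in blocked))
    _, _, _, blocked2 = after_link_failure(BRIDGES, LINKS, ("SW1", "SW2"))
    print("after SW1-SW2 fails, blocked:", sorted(tuple(sorted(l)) for l in blocked2))
```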
Figure 1-14 Traffic Patterns with STP
Consider the case in which a high-volume, enterprise server is connected to a
switch port. If that port recalculates because of STP, the server is down for 50
seconds. It would be difficult to imagine the number of transactions lost during
that timeframe.
In a stable network, STP recalculations are infrequent. In an unstable network, it
is important to check the switches for stability and configuration changes. One of
the most common causes of frequent STP recalculations is a faulty power supply
or power feed to a switch. A faulty power supply causes the device to reboot
unexpectedly.
Investigating Core Layer Design Considerations
The Cisco three-layer hierarchical model is composed of the core layer, distribution
layer, and access layer. Of the three layers, the core layer is responsible for
transporting large amounts of data quickly and reliably. The designer must ensure
that the core layer is designed with fault tolerance, especially because all users in
the network can be affected by a failure. The ability to avoid unnecessary delays
in network traffic quickly becomes a top priority for the network designer.
The core layer is sometimes called the network backbone. Routers and switches
at the core layer provide high-speed connectivity. In an enterprise LAN, the core
layer, shown in Figure 1-7, may connect multiple buildings or multiple sites, and
may provide connectivity to the server farm. The core layer includes one or more
links to the devices at the enterprise edge to support Internet, virtual private
networks (VPN), extranet, and WAN access.

Core Layer

Implementing a core layer reduces the complexity of the network, making it
easier to manage and troubleshoot.
Goals of the Core Layer:
The core layer design enables the efficient, high-speed transfer of data between
one section of the network and another. The primary design goals at the core layer
are as follows:
 Provide 100% uptime.
 Maximize throughput.
 Facilitate network growth.

Core Layer Technologies:
Technologies used at the core layer include the following:
 Routers or multilayer switches that combine routing and switching in the
same device.
 Redundancy and load balancing.
 High-speed and aggregate links.
 Routing protocols that scale well and converge quickly, such as Enhanced
Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First
(OSPF) Protocol.
Routing Protocols on Routers
Another important function that occurs at the distribution layer is route
summarization, also called route aggregation or super netting.
Route Summarization:
Route summarization has several advantages for the network, such as the
following:
 One route in the routing table that represents many other routes, creating
smaller routing tables
 Less routing update traffic on the network
 Lower overhead on the router
Summarization can be performed manually or automatically, depending on which
routing protocols are used in the network.
Classless routing protocols such as RIPv2, EIGRP, OSPF, and Intermediate
System-to-Intermediate System (IS-IS) Protocol support route summarization
based on subnet addresses on any boundary.
Classful routing protocols such as RIPv1 automatically summarize routes on the
classful network boundary, but do not support summarization on any other
boundaries.
Individual and Summarized Routes
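As an added illustration (this is not code from the report), the following Python computes the manual summary a classless protocol such as EIGRP or OSPF could advertise for a set of subnets, reports how much address space the summary claims beyond the real subnets, and shows the classful /8, /16 or /24 that a RIPv1-style protocol would advertise instead. The subnet list is a constructed sample.

```python
import ipaddress

# Constructed sample (not from the report): four contiguous branch subnets that
# a distribution-layer router could advertise upstream as one summary route.
BRANCH_SUBNETS = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]


def summarize(prefixes):
    """Smallest single supernet covering every prefix, i.e. manual summarization
    on a classless protocol, which may summarize on any bit boundary. The mask is
    shortened from the most specific length until one block spans the lowest
    and the highest address in the set."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    if not nets:
        raise ValueError("nothing to summarize")
    if len({n.version for n in nets}) != 1:
        raise ValueError("IPv4 and IPv6 prefixes cannot share one summary")
    lowest = min(int(n.network_address) for n in nets)
    highest = max(int(n.broadcast_address) for n in nets)
    for plen in range(nets[0].max_prefixlen, -1, -1):
        candidate = ipaddress.ip_network((lowest, plen), strict=False)
        if int(candidate.broadcast_address) >= highest:
            return candidate


def overreach(prefixes, summary=None):
    """Number of addresses the summary advertises that none of the real subnets
    contain. Non-zero means the summary attracts traffic for space this router
    cannot deliver, which is why a summary is paired with a discard route
    (EIGRP installs a Null0 route for its summaries automatically)."""
    if summary is None:
        summary = summarize(prefixes)
    real = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    covered = sum(n.num_addresses for n in real)
    return summary.num_addresses - covered


def classful_summary(prefix):
    """What a classful protocol such as RIPv1 advertises across a major network
    boundary: the Class A /8, Class B /16 or Class C /24 containing the prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("classful boundaries only exist for IPv4")
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        raise ValueError("class D/E addresses have no classful network")
    return ipaddress.ip_network((int(net.network_address), plen), strict=False)


if __name__ == "__main__":
    s = summarize(BRANCH_SUBNETS)
    print(f"{len(BRANCH_SUBNETS)} routes -> 1 summary {s}, "
          f"overreach {overreach(BRANCH_SUBNETS, s)} addresses")
    gappy = ["10.1.0.0/24", "10.1.5.0/24"]
    print(f"{gappy} -> {summarize(gappy)}, overreach {overreach(gappy)} addresses")
    print("RIPv1 would advertise", classful_summary("10.1.3.0/24"), "instead")
```

The overreach check is the one worth running before configuring a manual summary: contiguous blocks summarize with no waste, while a gap in the address plan (the second call above) makes the summary claim far more space than the router can actually reach.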
Security Measures
The vulnerabilities previously identified show that, for the most part, a network
is an extremely unsecure environment. Network designers must place security as
a top priority in their designs. Antivirus software is one way to prevent an attack,
but software cannot prevent physical breaches of the network or its applications.
Consideration must be taken when designing any network to secure the facilities
and hardware from unauthorized access.
Providing Physical Security
Physical security of a network is important. Most network intruders gain physical
entry at the access layer. On some network devices, such as routers and switches,
physical access can provide the opportunity to change passwords and obtain full
access to devices.
Obvious measures, such as locking wiring closets and restricting access to
networking devices, are often the most effective ways to prevent security
breaches. In high-risk or easily accessible areas, it might be necessary to equip
wiring closets with additional security, such as cameras or motion detection
devices and alarms. Figure shows an area visibly marked to forbid unauthorized
personnel from entering the area. Some devices, such as keypad locks, can record
which codes are used to enter the secured areas.

Unauthorized Entry

Securing Access Layer Networking Devices
The measures listed here can provide additional security to networking devices
at the access layer:
 Setting strong passwords
 Using Secure Shell (SSH) to administer devices
 Disabling unused ports
Switch port security and network access control can ensure that only known and
trusted devices have access to the network.
Design Considerations at the Enterprise Edge
The enterprise edge is the area of the network where the enterprise network
connects to external networks. Routers at the enterprise edge provide connectivity
between the internal campus infrastructure and the Internet. They also provide
connectivity to remote WAN users and services. The design requirements at the
enterprise edge differ from those within the campus network. Figure shows the
Cisco Enterprise Architecture with an emphasis on the enterprise edge.
Cisco Enterprise Architecture
Cost of Bandwidth
Most campus networks are built on Ethernet technology. However, WAN
connectivity at the enterprise edge is usually leased from a third-party
telecommunications service provider. Because these leased services can be
expensive, the bandwidth available to WAN connections is often significantly
less than the bandwidth available in the LAN.
QoS
The difference in bandwidth between the LAN and the WAN can create
bottlenecks. These bottlenecks cause data to be queued by the edge
routers. Anticipating and managing the queuing of data requires a QoS
strategy. As a result, the design and implementation of WAN links can
be complicated.

Security
Because the users and services accessed through the edge routers are not always
known, security requirements at the enterprise edge are critical. Intrusion
detection and stateful firewall inspection must be implemented to protect the
internal campus network from potential threats.
Remote Access
In many cases, the campus LAN services must extend through the enterprise edge
to remote offices and workers. This type of access has different requirements than
the level of public access provided to users coming into the LAN from the
Internet.
Integrating Remote Sites into the Network Design
Designing a network to support branch locations and remote workers requires
the network designer to be familiar with the capabilities of the various WAN
technologies. Traditional WAN technologies include the following:
 Leased lines
 Circuit-switched networks
 Packet-switched networks, such as Frame Relay networks
 Cell-switched networks such as Asynchronous Transfer Mode (ATM)
networks
In many locations, newer WAN technologies are available, such as the
following:
 Digital subscriber line (DSL)
 Metro Ethernet
 Cable modem
 Long-range wireless
 VPN site to site

Most WAN technologies are leased on a monthly basis from a
telecommunications service provider. Depending on the distances, this type of
connectivity can be quite expensive. WAN contracts often include service level
agreements (SLA). These agreements guarantee the service level offered by the
service provider.
SLAs support critical business applications, such as IP telephony and high-speed
transaction processing to remote locations. Figure 1-31 shows several WAN
technologies.

WAN Technologies
VPNs
One common connectivity option, especially for remote workers, is a VPN
through the Internet. A VPN is a private network that uses a public network to
connect remote sites or users together. Instead of using a dedicated, real-world
connection, such as leased lines, a VPN uses virtual connections routed through
the Internet from the company private network to the remote router or PC.

3.1.1 Services
The usual services an enterprise offers to its branch offices are access to data
centers, backup services, security services, and streaming voice and video.
Services performance over the WAN is affected by bandwidth and delay. We can
combine both into a single quantity, called the Bandwidth Delay Product
(BDP), by which we can measure the maximum amount of data that can be
transferred over the WAN at a particular time.
BDP is calculated using the formula:
BDP [Kbytes] = (Bandwidth Link [Kbytes/sec] * Round-trip Latency [sec])
BDP can be used to verify whether a TCP application is using the WAN link
optimally. In TCP communication, the maximum segment size (MSS) is sent between
both end points of the link. MSS determines the maximum amount of data that
can be sent and unacknowledged at a point of time.
 If MSS > BDP, the TCP application can use the available bandwidth
 If BDP > MSS, the TCP application cannot completely utilize bandwidth.
These measures apply to the bandwidth utilization of a single TCP application.
A branch office typically has multiple simultaneous TCP applications, so the
available bandwidth will be utilized efficiently.
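The following Python is an added worked example (not part of the report) of the BDP formula above and of the comparison the text makes between the per-flow in-flight limit (the value the text calls MSS) and the BDP. It also derives the throughput ceiling a single flow gets when its limit is below the BDP, and how many parallel flows are needed to fill the link, which is the multi-application case the last paragraph mentions. The link speed, latency and limit are constructed sample values.

```python
import math


def bdp_kbytes(bandwidth_kbytes_per_sec, rtt_sec):
    """BDP [Kbytes] = Bandwidth Link [Kbytes/sec] * Round-trip Latency [sec]."""
    if bandwidth_kbytes_per_sec <= 0 or rtt_sec <= 0:
        raise ValueError("bandwidth and round-trip latency must be positive")
    return bandwidth_kbytes_per_sec * rtt_sec


def kbytes_per_sec(link_kbps):
    """Link rates are quoted in kbit/s; the formula wants Kbytes/s."""
    return link_kbps / 8


def assess_flow(unacked_limit_kbytes, link_kbps, rtt_sec):
    """Compare one TCP flow's in-flight limit against the BDP.
    Returns (fills_link, max_throughput_kbytes_per_sec).
    A flow can have at most 'limit' bytes outstanding per round trip, so its
    ceiling is limit / RTT; the link rate caps it once the limit exceeds BDP."""
    rate = kbytes_per_sec(link_kbps)
    bdp = bdp_kbytes(rate, rtt_sec)
    ceiling = unacked_limit_kbytes / rtt_sec
    return unacked_limit_kbytes >= bdp, min(ceiling, rate)


def flows_to_fill(unacked_limit_kbytes, link_kbps, rtt_sec):
    """How many simultaneous flows with this limit are needed before the WAN
    link is fully utilized."""
    bdp = bdp_kbytes(kbytes_per_sec(link_kbps), rtt_sec)
    return max(1, math.ceil(bdp / unacked_limit_kbytes))


if __name__ == "__main__":
    # Constructed scenario: an 8 Mbit/s branch link, 250 ms round-trip latency,
    # flows limited to 64 Kbytes in flight.
    link, rtt, limit = 8000, 0.25, 64
    print(f"BDP = {bdp_kbytes(kbytes_per_sec(link), rtt):.1f} Kbytes")
    fills, rate = assess_flow(limit, link, rtt)
    print(f"single flow fills the link: {fills}, at most {rate:.0f} Kbytes/s")
    print(f"flows needed to fill the link: {flows_to_fill(limit, link, rtt)}")
```

With the sample numbers the BDP is 250 Kbytes, so a 64 Kbyte flow is capped at 256 Kbytes/s on a 1000 Kbytes/s link and four such flows are needed to use it fully, which is the point the text makes about multiple simultaneous applications.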
Backup services
There are many strategies for backing up remote office/branch office (ROBO).
One is using centralized backup and recovery; another is using cloud backup
services. The centralized solution means that we place the backup and recovery
processes within the data center. There are two ways we can do that. We can
centralize all the storage to the main data center and thus eliminate the need for
remote backup and recovery because all the data is located in the data center and
utilizes data center backup. But this can reduce productivity because of
TCP latency and WAN packet loss. To remove these side effects we can use
WAN optimization controllers/appliances or virtual equivalents, but this adds cost.
Backing up a large number of ROBOs can be very expensive. The other option we
can use to centralize the storage is to utilize backup software that is capable of
centralizing and controlling all the backup procedures from the main data center.
Some software products that offer such services are Asigra Inc. Cloud,
CommVault Simpana, products from FalconStor Software, and Symantec Corp.
NetBackup[29].
The cloud backup uses an off-site server to which data is copied. This off-site
server is usually hosted by a third-party service provider who charges based on
capacity, bandwidth, or number of users. This backup strategy is gaining
popularity in SOHO since no cost for additional hardware is required and backups
can be run automatically without manual intervention.
Security services
The goal of security is to ensure that every aspect of the network is protected
by devices (and associated policies) connected to the network that secure and
protect against data theft. The key services we must apply are
 Infrastructure protection;
 Secure connectivity;
 Threat defense detection and mitigation.
To protect the infrastructure, we must provide measures to protect our
infrastructure devices (Cisco IOS routers, switches, appliances) from direct
attacks. We can achieve that by using the following:
 Disabling unnecessary services – we should disable all known, potentially
risky and unused services in our network. These services are (but not limited
to) “directed broadcasts, IP redirects, IP proxy-ARP, finger, CDP, small
services, and the built-in global HTTP daemon in Cisco IOS Software”;
 Enabling device logs;
 Using SSH instead of Telnet for remote administration;
 Enabling the HTTPS server built into Cisco IOS devices;
 Restricting accepted connections on VTY and console lines;
 Managing passwords with AAA on all devices.
Device configuration commands for all of the above security hardening are
shown in Appendix A.2.
Secure connectivity will help us protect the network against data theft and altered
end-user data sent over untrusted connections. We can do that by applying data
encryption for data privacy. Mechanisms for data isolation will also help us
provide a secure connection between the campus and the branch. We can use a
tunneling protocol like GRE for data isolation and an encryption protocol like
IPsec for data encryption.
To detect and mitigate threats we must use mechanisms to detect,
mitigate, and protect network devices from violations and unauthorized events.
We can apply these mechanisms to routers, switches, and security appliances, as
stated in “Routers and security appliances use inline firewalls and intrusion
protection systems (IPS). Catalyst switches use Port Security, DHCP Snooping,
Dynamic ARP Inspection (DAI), and IP Source Guard.”
3.1.3 Branch office connectivity, communication, and integration
We describe the solution of three critical issues about the communication between
the branch offices and the headquarters:
o Private WAN or site-to-site VPN selection, and as we will motivate the choice
of the second option,
o Which type of possible site-to-site VPN implementation to choose,
o Which Cisco ISR router for which type of a branch to choose (comparison &
recommendations).
In Section 2.1.3 of chapter 1 we discussed possible enterprise WAN solutions – private
WAN and site-to-site VPNs. Table 3.3 shows a summary of the features of both
technologies based on the information in Section 2.1.3. In the table “xx” means
that flexibility of site-to-site VPN is greater than flexibility of private WAN.
“$$$” means that cost of private WAN is much greater than cost of site-to-site
VPN. For securing the WAN we must implement mechanisms such as IPsec and/or
GRE, while site-to-site VPN is usually based on IPsec and has strong security.
Both technologies support multiple protocols, scalability and high reliability and
by these criteria they do not differ from one another. They do differ in the QoS
support – the private WAN is under the management of the enterprise IT staff,
while the site-to-site VPN depends on the ISP’s QoS and the effective SLA.

Chapter 4: NETWORK SECURITY

Network Security Fundamentals
This section covers the need for network security and the security objectives
found within most organizations. This section also examines the different types
of attacks that modern networks can experience.
Why Do We Need Network Security?
Network threats include internal and external threats. Internal threats are the most
serious. These threats often occur because best practices are not followed. For
example, blank or default passwords are used, or in-house developers use
insecure programming practices. External threats typically rely on technical
methods to attack the network. The CCNA in Security focuses on combating
these attacks using technical means. Firewalls, routers with access control lists
(ACL), intrusion prevention systems (IPS), and other methods are the focus.
Network Security Objectives
Network security should provide the following:
 Data confidentiality
 Data integrity
 Data and system availability
Confidentiality ensures that only authorized individuals can view sensitive data.
Powerful methods to ensure confidentiality are encryption and access controls.
Integrity ensures that data has not been changed by an unauthorized individual.
Availability ensures that access to the data is uninterrupted. Denial-of-service
(DoS) attacks attempt to compromise data availability.
These attacks typically try to crash a system using an unexpected condition or
input, or to overwhelm an entire network with a large volume of traffic.

Confidentiality Attacks
Attackers can use many methods to compromise confidentiality. Following are
some of the common methods:
 Packet sniffing: Eavesdropping and logging traffic that passes over a digital
network or part of a network.
 Port scanning: Searching a network host for open ports.
 Dumpster diving: Searching through company dumpsters, looking for
information that can provide a valuable source of information for hackers.
 Emanations capturing: Capturing electrical transmissions from the
equipment of an organization to obtain information about the organization.
 Wiretapping: Monitoring the telephone or Internet conversations of a third
party.
 Social engineering: Using social skills to manipulate people inside the
network to provide the information needed to access the network.
 Overt channels: The ability to hide information within a transmission
channel based on tunneling one protocol inside another. Steganography is an
example of an overt channel: hiding messages in digital pictures and
digitized audio.
 Covert channels: The ability to hide information within a transmission
channel based on encoding data using another set of events.
 Phishing, pharming, and identity theft: Phishing is an attempt to criminally
acquire sensitive information, such as usernames, passwords, and credit card
details, by masquerading as a trustworthy entity. Pharming is an attack
aimed at redirecting the traffic of one website to another website.
Integrity Attacks
Hackers can use many types of attacks to compromise integrity:
 Salami attacks: A series of minor data security attacks that together result in a
larger attack.
 Data diddling: Changing data before or as it is input into a computer.
 Trust exploits: An individual taking advantage of a trust relationship within a
network. Perhaps the trust relationship is between a system in the DMZ and a
system in the inside network.
 Password attacks: Any attack that attempts to identify a user account,
password, or both.
 Session hijacking: The exploitation of a valid computer session to gain
unauthorized access to information or services in a computer system.
Availability Attacks
Hackers can use many types of attacks to compromise availability:
 Botnets: A collection of software robots that run autonomously and
automatically.
 DoS (denial-of-service): An attack that seeks to make a system or service
unavailable by sending the system large amounts of traffic.
 DDoS (Distributed DoS): Hackers use a terminal to scan for systems to hack.
The hacker then installs zombie software on them.
 SYN floods: The system is sent many different false SYN requests for TCP
communication channels. This is a form of DoS.
 ICMP floods: The system is sent many false ICMP packets.
 Electrical power: Attacks involve power loss, reduction, or spikes.
 Computer environment: Temperature, air flow, humidity, water, and gas.
Developing a Network Security Policy
This section details the creation of a network security policy, an important
document that details the security objectives and procedures for the organization.
Why Do You Need One?
Aside from protecting organization assets, a security policy serves other
purposes, such as the following:

 Making employees aware of their security-practice obligations
 Identifying specific security solutions required to meet the goals of the
security policy
 Acting as a baseline for ongoing security monitoring
Components of the Security Policy
Governing Policy
At a high level, a governing policy addresses security concepts deemed important
to an organization. Following are typical elements of this section:
 Identification of the issue addressed by the policy
 Discussion of the organization’s view of the issue
 Examination of the relevance of the policy to the work environment
 Explanation of how employees must comply with the policy
 Enumeration of appropriate activities, actions, and processes
 Explanation of the consequences of noncompliance
Technical Policies
Technical policies provide a more detailed treatment of an organization’s security
policy than the governing policy. Elements of this section include the following:
 E-mail
 Wireless networks
 Remote access
End-User Policies
End-user policies address security issues and procedures relevant to end users.
Configuring Secure Administrative Access
You need to secure administrative access for local access (console port) and
remote access, such as HTTP or Telnet/SSH. You must password-protect your
router. These commands can be used:
 Console password:
line console 0
login
password cisco
 Virtual terminal password:
line vty 0 4
login
password cisco
 Enable password:
enable password cisco
 Secret password:
enable secret cisco
All these passwords are in clear text in the configuration files with the exception
of the enable secret command. To encrypt the passwords that are clear text, use the
command service password-encryption. To configure idle timeouts for router lines,
use the command exec-timeout minutes [seconds]. You can also configure minimum
password lengths with the security passwords min-length length command. To
create username and password entries in the local accounts database, use the
syntax username name secret {[0] password | 5 encrypted-secret}. To disable the
ability to access ROMMON, and so disable password recovery on your router, use
no service password-recovery.
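The hardening commands listed here and in the infrastructure-protection list of Section 3.1.1 (disable unnecessary services, enable logging, SSH instead of Telnet, HTTPS instead of HTTP, restrict VTY connections, encrypt and hash passwords) are easy to check mechanically. The Python below is an added example, not part of the report or of Cisco IOS, that parses a running-config and reports which of those steps are missing. Both configs are constructed samples: WEAK_CONFIG leaves the risky defaults in place, HARDENED_CONFIG applies the commands from the text, and the enable secret hash is a placeholder.

```python
# Constructed running-config excerpts (not the project's own). The enable secret
# hash in HARDENED_CONFIG is a placeholder, not a real IOS hash.
WEAK_CONFIG = """\
service tcp-small-servers
no service password-encryption
enable password cisco
ip finger
ip http server
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
line vty 0 4
 password cisco
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
service password-encryption
security passwords min-length 10
no ip finger
no cdp run
no ip http server
ip http secure-server
logging buffered 16384
enable secret 5 $1$PLACEHOLDER$notarealhash
username ADMIN privilege 15 secret Team
access-list 10 permit 10.10.10.0 0.0.0.255
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
 transport input ssh
"""

# (finding, must the command be present?, command prefix to look for)
GLOBAL_CHECKS = [
    ("no 'enable secret' (hashed privileged password)", True, "enable secret"),
    ("clear-text 'enable password' present", False, "enable password"),
    ("'service password-encryption' not enabled", True, "service password-encryption"),
    ("no minimum password length", True, "security passwords min-length"),
    ("device logging not configured", True, "logging "),
    ("clear-text HTTP daemon enabled", False, "ip http server"),
    ("HTTPS server not enabled", True, "ip http secure-server"),
    ("TCP small servers enabled", False, "service tcp-small-servers"),
    ("finger service enabled", False, "ip finger"),
    ("CDP still running (on by default, shown only when disabled)", True, "no cdp run"),
]


def parse_sections(config_text):
    """Split an IOS config into global commands plus the indented bodies of
    'line ...' and 'interface ...' blocks, keyed by their header line."""
    global_cmds, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(line)
            continue
        current = line if line.startswith(("line ", "interface ")) else None
        if current is not None:
            blocks[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, blocks


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    cmds, blocks = parse_sections(config_text)
    found = ["global: " + text for text, required, prefix in GLOBAL_CHECKS
             if any(c.startswith(prefix) for c in cmds) != required]
    for header, body in blocks.items():
        if header.startswith("line "):
            if not any(c.startswith("exec-timeout") for c in body):
                found.append(f"{header}: no exec-timeout")
        if header.startswith("line vty"):
            if [c for c in body if c.startswith("transport input")] != ["transport input ssh"]:
                found.append(f"{header}: transport input not restricted to SSH")
            if not any(c.startswith("access-class") for c in body):
                found.append(f"{header}: no access-class limiting management sources")
        if header.startswith("interface "):
            if "ip directed-broadcast" in body:
                found.append(f"{header}: directed broadcasts enabled")
            for want in ("no ip redirects", "no ip proxy-arp"):   # on by default, shown only when off
                if want not in body:
                    found.append(f"{header}: missing '{want}'")
    return found


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Two IOS conventions matter for such a check and are encoded in the table: features that are on by default (CDP, ICMP redirects, proxy ARP) only appear in the configuration as their "no" form when disabled, so the audit looks for the "no" line rather than for the feature, and "no ip http server" must not be mistaken for "ip http server", which is why prefix matching is used on each command line.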

Authentication, Authorization, and Accounting
Authentication requires users and administrators to prove that they actually are
who they say they are. Authorization dictates what these users can do after they
are authenticated. Accounting tracks what users do. You can use AAA
(pronounced “triple A”) to control administrative access to the device and access
to the network through the device. Cisco provides four methods to implement
AAA:
 Self-contained AAA using the local database
 Cisco Secure Access Control Server (ACS) for Microsoft Windows
Server
 AAA server may consult other systems such as Active directory
 Most network devices rely on TACACS+ or RADIUS to
communicate with AAA servers.
AAA Protocols
                     TACACS+                        RADIUS
Functionality        Separates authentication       Combines authentication
                     and authorization.             and authorization.
Standard             Mostly Cisco supported         Open standard
Transport Protocol   TCP                            UDP
Confidentiality      Entire packet encrypted        Password encrypted

TACACS+ RADIUS

TACACS+ Authentication Process

RADIUS Authentication Process
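The confidentiality row of the table is worth seeing concretely. As an added example (not part of the report), the Python below implements the User-Password hiding of RFC 2865 section 5.2 that RADIUS applies to the password attribute, and builds a minimal Access-Request around it, so that the packet bytes show what is and is not protected: the User-Name and the rest of the packet are sent in the clear, only the password is obscured, and the hiding is a keyed MD5 stream rather than encryption of the whole packet as in TACACS+. The shared secret, authenticator and credentials are constructed values.

```python
import hashlib
import struct

# Constructed values (not from the report): a shared secret and a fixed
# 16-octet Request Authenticator so the output is reproducible. A real client
# draws a fresh random authenticator for every request.
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def _blocks(data, size=16):
    return [data[i:i + size] for i in range(0, len(data), size)]


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad the password with NULs
    to a multiple of 16 octets, then XOR each block with MD5(secret + previous
    ciphertext block), the first block using the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for block in _blocks(padded):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for block in _blocks(hidden):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def access_request(identifier, username, password, secret, authenticator):
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and
    User-Password (type 2). Only the password attribute is protected; the
    code, identifier, authenticator and User-Name travel in the clear."""
    attrs = b""
    for attr_type, value in ((1, username),
                             (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    pkt = access_request(7, b"ADMIN", b"Team", SHARED_SECRET, REQUEST_AUTH)
    print("Access-Request:", pkt.hex())
    print("username visible on the wire:", b"ADMIN" in pkt)
    print("password visible on the wire:", b"Team" in pkt)
```

Because the hiding key depends only on the shared secret and the authenticator, the strength of this protection is the strength of the shared secret; everything else in the RADIUS packet is readable, which is the practical meaning of "Password encrypted" versus TACACS+ encrypting the whole packet body.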

Local Authentication
The following are the general steps to configure a router to support local AAA
authentication:
✔ Add usernames and passwords to the local router database.
✔ Enable AAA globally on the router using the aaa new-model command.
✔ Configure authentication policies using the aaa authentication command and
specified method lists.
✔ (Optional) Configure authorization policies using the aaa authorization
command and specified method lists.
✔ (Optional) Configure accounting policies using the aaa accounting command
and specified method lists.
✔ Confirm and troubleshoot the AAA configuration.
Hence we apply AAA locally, so router “R1” becomes the AAA server that stores
inside its database the username and password of the client “pc”. When the client
logs in at the router, the router asks for a username and password, so the user must
know their own username and password; after this the AAA server checks whether
they match the information in its database, and if so authentication succeeds.

R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# username ADMIN privilege 15 secret Team

Authorization Role-Based CLI Access
A new approach to having various levels of access for different administrators is
called role-based CLI access. Using this approach, different administrators have
different “views” of the CLI. These views contain the specific commands
available for different administrators. To configure role-based CLI, complete the
following steps:
✔ Enable AAA.
✔ Use the enable view command to enable the feature.
✔ Use the configure terminal command to enter global configuration mode.
✔ Use the parser view view-name command to create a new view.
✔ Use the secret command to assign a password to the view.
✔ Use the commands parser-mode {include | include-exclusive | exclude} [all]
[interface name | command] command to assign commands to the selected view.
✔ Verify using the enable view command.

Using AAA with Cisco Secure ACS
ACS is a more scalable solution than trying to create and maintain user accounts
on separate Cisco devices. To communicate with the external Cisco Secure ACS,
the Cisco device uses TACACS+ or RADIUS. Of the two, TACACS+ is more
secure, but RADIUS is an open standard. Also, many of the most modern security
features require the use of the open-standard RADIUS protocol.

Hence we apply AAA on the ACS server, so router “R1” becomes an AAA client. When
“pc” logs in at the router, the router asks for a username and password, so the user
must know their own username and password; after this the AAA client takes that
information and forwards it to the AAA server, which checks whether it matches the
information in its database, and if so authentication succeeds.
Configuration on ACS
✔ Browse to ACS through its IP address
✔ Choose “Network Resources”
✔ Point to “Network Devices and AAA Clients” for ACS
✔ Click Create
 Enter the name of the client and its IP address, specify the protocol through
which both communicate, and enter the password
 Add the users who will be authenticated on the TACACS+ server and submit
Configuration on AAA Client
✔ Verification

Securing the Management Plane
 Areas of Router Security
Physical Security
 Place the router in a secured, locked room
 Install an uninterruptible power supply
Operating System Security
 Use the latest stable version that meets network requirements
 Keep a copy of the O/S and configuration file as a backup
Router Hardening
 Secure administrative control
 Disable unused ports and interfaces
 Disable unnecessary services
SSH
 Configuring the Router
 SSH Commands
 Connecting to the Router
Configuring the Router for SSH
Optional SSH Commands
Connecting to the Router
There are two different ways to connect to an SSH-enabled router:
 Connect using an SSH-enabled Cisco router
 Connect using an SSH client running on a host
Configuring for privilege levels
By default:
 User EXEC mode (privilege level 1)
 Privileged EXEC mode (privilege level 15)
 Sixteen privilege levels available
 Methods of providing privileged-level access to the infrastructure:
 Privilege Levels
 Role-Based CLI Access
Privilege levels for users
A SUPPORT account with Level 5 and ping command access.
A JR-ADMIN account with Level 10 plus access to the reload command.
An ADMIN account which has all of the regular privileged EXEC commands.
IOS Resilient Configuration
 The configuration file in the primary boot set is a copy of the running
configuration that was in the router when the feature was first enabled.
 The feature secures the smallest working set of files to preserve persistent
storage space. No extra space is required to secure the primary IOS image file.
 The feature automatically detects image or configuration version mismatch.
 Only local storage is used for securing files.
 The feature can be disabled only through a console session.
CLI Commands
Preventing Password Recovery

Authenticating Routing Protocols
 Prevents the router from accepting fraudulent route updates.
 A shared key is configured on peer routers.
 The update source creates a MAC using the shared key and the update data.
 The update receiver verifies the MAC using the shared key and the received data.
 Protection relies on shared key secrecy.
 Provides integrity but not secrecy.
For EIGRP Authentication
✔ Create a key chain
✔ Enable authentication on interfaces
✔ Assign the key chain to the interface
L2 Security
 MAC Address Spoofing Attack
 MAC Address Table Overflow Attack
 STP Manipulation Attack
 BPDU Guard
 Root Guard
 VLAN Attack
 VLAN Hopping Attack
 Mitigating VLAN Attacks
 Port Security Overview
 DHCP Attack - DHCP Server Spoofing
 DHCP Attack - DHCP Starvation
 DHCP Snooping
 ARP Overview
ARP Cache Poisoning Attack
 ARP Spoofing: Man-in-the-Middle Attacks
 Dynamic ARP Inspection
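The last two items, DHCP Snooping and Dynamic ARP Inspection, are the switch features the report names in Section 3.1.1 for defending against ARP cache poisoning. As an added illustration (not code from the report or from Cisco), the Python below models the decision a DAI-enabled switch makes: ARP packets arriving on trusted ports pass, while on untrusted ports the sender MAC/IP pair must match the binding that DHCP snooping learned for that VLAN, optionally also requiring the Ethernet source MAC to equal the ARP sender MAC (the "validate src-mac" option). The binding table and the ARP packets are constructed samples; the fourth packet shows the operational caveat that a host with a static address has no DHCP binding and needs a static ARP ACL to pass inspection.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table (not the project's): (vlan, mac) ->
# IP address learned from DHCP on an untrusted port. The uplink towards the
# router and DHCP server is trusted and therefore exempt from inspection.
BINDINGS = {
    (10, "00:11:22:33:44:55"): "10.0.10.11",
    (10, "00:11:22:33:44:66"): "10.0.10.12",
}
TRUSTED_PORTS = {"Gi1/0/24"}


@dataclass
class ArpPacket:
    vlan: int
    ingress_port: str
    eth_src_mac: str   # Ethernet source address
    sender_mac: str    # ARP sender hardware address
    sender_ip: str     # ARP sender protocol address


def dai_decision(pkt, bindings, trusted_ports, validate_src_mac=True):
    """Mirror Dynamic ARP Inspection: ARP on trusted ports is forwarded; on
    untrusted ports the sender MAC/IP pair must match the DHCP snooping
    binding for that VLAN. validate_src_mac mirrors the optional
    'ip arp inspection validate src-mac' check, which additionally requires
    the Ethernet source MAC to equal the ARP sender MAC.
    Returns ('forward' | 'drop', reason)."""
    if pkt.ingress_port in trusted_ports:
        return "forward", "trusted port, not inspected"
    if validate_src_mac and pkt.eth_src_mac.lower() != pkt.sender_mac.lower():
        return "drop", "Ethernet source MAC differs from ARP sender MAC"
    bound_ip = bindings.get((pkt.vlan, pkt.sender_mac.lower()))
    if bound_ip is None:
        return "drop", "no DHCP snooping binding for sender MAC on this VLAN"
    if bound_ip != pkt.sender_ip:
        return "drop", f"sender IP {pkt.sender_ip} does not match binding {bound_ip}"
    return "forward", "matches DHCP snooping binding"


def inspect_all(packets, bindings=BINDINGS, trusted_ports=TRUSTED_PORTS):
    """Run DAI over a batch and return drop counts per ingress port: the
    figure a switch compares with its rate limit (15 packets/s on untrusted
    ports by default), above which it err-disables the port."""
    drops = {}
    for pkt in packets:
        if dai_decision(pkt, bindings, trusted_ports)[0] == "drop":
            drops[pkt.ingress_port] = drops.get(pkt.ingress_port, 0) + 1
    return drops


# Constructed ARP traffic: a legitimate host, two inconsistent replies, a host
# that never used DHCP (needs a static ARP ACL to pass DAI), and the gateway.
SAMPLE_ARPS = [
    ArpPacket(10, "Gi1/0/1", "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.10.11"),
    ArpPacket(10, "Gi1/0/1", "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.10.1"),
    ArpPacket(10, "Gi1/0/2", "00:11:22:33:44:66", "00:11:22:33:44:55", "10.0.10.11"),
    ArpPacket(10, "Gi1/0/3", "00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:ee", "10.0.10.50"),
    ArpPacket(10, "Gi1/0/24", "00:00:5e:00:01:01", "00:00:5e:00:01:01", "10.0.10.1"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_ARPS:
        verdict, why = dai_decision(pkt, BINDINGS, TRUSTED_PORTS)
        print(f"{pkt.ingress_port}: {verdict:7} {why}")
    print("drops per port:", inspect_all(SAMPLE_ARPS))
```

The third packet is the reason the src-mac validation exists: with it disabled the packet matches a valid binding and is forwarded even though its Ethernet and ARP sender addresses disagree. DAI therefore only works where DHCP snooping has already built the bindings, and trusted ports must be limited to the uplinks, since a trusted access port bypasses the check entirely.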
CHAPTER 5: VOICE OVER NETWORK

Voice over Internet Protocol (VoIP) is a proven technology that lets anyone place
phone calls over an internet connection. With the rise of broadband, VoIP has
become the definitive choice for phone service for consumers and businesses
alike.

People enjoy using VoIP phone service over traditional phone lines because it
offers many more capabilities than analog phones, and it can do it all for less
than half the cost.

What is VOIP?

VoIP is an acronym for Voice over Internet Protocol that describes the method to
place and receive phone calls over the internet. Most people consider VoIP the
alternative to the local telephone company.

If you’ve heard of an IP address, that’s your Internet Protocol address. An IP
address is how computers and devices communicate with each other on the
internet.

VoIP isn’t actually all that new. Telephony has relied on digital lines to carry
phone calls since the late 90s. VoIP converts your phone calls into data and is
sent over the internet. You can use the Ethernet cables or skip them if you have
a strong Wi-Fi signal.

It does so at a much lower cost than older telephone systems. Voice over IP has
many advantages over traditional phone service.
If you have an internet connection, you can call anyone without the need for local
phone service. VoIP solutions work on any computer because they are built upon
many years of open standards.

VoIP service providers do more than establishing calls. They perform routing of
outgoing and incoming calls through existing telephone networks. Landlines and
cell phones depend on the Public Switched Telephone Network (PSTN).

Traditional telephones use analog lines to carry voice signals. If you want to make
calls, you have to have extra wiring installed.

Many businesses rely on specialized hardware for phone service. This equipment
is known as a Private Branch Exchange (PBX). It connects internal phone
extensions to the public telephone network. PBXs are generally quite costly to set
up and maintain.

How does VoIP work?

Voice over IP uses Internet Protocol, an essential building block of the internet.
IP telephony is a massive innovation from the century-old telecommunications
system.

For phone calls, the conversation is exchanged using small data packets. The
internet can send these data packets around the world in less than a second. For
internet telephony, these packets travel between your phone and a VoIP
provider.

A VoIP phone system facilitates calls between other phones or over to another
telephone company. It also provides other useful functions like voicemail, call
forwarding, call recording, and more.

Fig 5.1 VoIP system components.

Fig 5.2 How VoIP works.

Based on this architecture, VoIP calls are delivered in three key phases:

1) CODEC (Coder/Decoder): The analog voice signals are converted into digital
signals at the sender’s side; after that these digital signals are compressed and then
encoded into a predetermined format using a voice codec.
2) Packetization: this process is performed by distributing the fragmented encoded
voice into equal-size packets. Furthermore, in each packet, some protocol headers
from different layers are attached to the encoded voice. The protocol headers added
to voice packets are those of the Real-time Transport Protocol (RTP), User Datagram
Protocol (UDP), and Internet Protocol (IP), as well as the data network header. In
addition, RTP and the Real-Time Control Protocol (RTCP) were designed to support
real-time applications at the application layer.
3) Playout buffer: provides a better balance between end-to-end delay and packet loss.
Experimental results show that the proposed playout buffer algorithm can achieve the
optimum perceived speech quality under various network conditions.
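As an added example of the packetization phase (this is not code from the report), the Python below cuts an encoded G.711 stream into 20 ms packets, prepends a real RTP fixed header (version, marker, payload type, sequence number, timestamp, SSRC), parses it back as a receiver's playout buffer would, and adds up the RTP/UDP/IP header bytes attached to every packet to show what one direction of a call costs on the wire. The codec parameters and the voice bytes are constructed; the header sizes are the protocols' fixed values.

```python
import struct

# Constructed parameters (not from the report): G.711 PCMU, 20 ms packetization.
SAMPLE_RATE = 8000                                   # samples per second
PTIME_MS = 20                                        # voice per packet, ms
SAMPLES_PER_PACKET = SAMPLE_RATE * PTIME_MS // 1000  # 160 samples = 160 bytes
PAYLOAD_TYPE_PCMU = 0
RTP_HEADER, UDP_HEADER, IPV4_HEADER = 12, 8, 20


def packetize(encoded_voice, ssrc, first_seq=0, first_ts=0):
    """Cut the encoded stream into equal-size packets and prepend the RTP header
    (version 2, marker set on the first packet of the talkspurt, payload type 0).
    Sequence numbers advance by one and the timestamp by 160 samples per
    packet; both wrap at their field width."""
    packets = []
    for i, off in enumerate(range(0, len(encoded_voice), SAMPLES_PER_PACKET)):
        payload = encoded_voice[off:off + SAMPLES_PER_PACKET]
        b0 = 2 << 6                                          # V=2, P=0, X=0, CC=0
        b1 = ((1 if i == 0 else 0) << 7) | PAYLOAD_TYPE_PCMU  # M bit + PT
        header = struct.pack("!BBHII", b0, b1,
                             (first_seq + i) & 0xFFFF,
                             (first_ts + i * SAMPLES_PER_PACKET) & 0xFFFFFFFF,
                             ssrc)
        packets.append(header + payload)
    return packets


def parse_rtp(packet):
    """Decode the fixed RTP header; the receiver's playout buffer uses seq to
    spot loss and reordering and ts to schedule when each packet is played."""
    if len(packet) < RTP_HEADER:
        raise ValueError("truncated RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER])
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return {"marker": b1 >> 7, "pt": b1 & 0x7F, "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload": packet[RTP_HEADER:]}


def call_bandwidth_bps(payload_bytes=SAMPLES_PER_PACKET, ptime_ms=PTIME_MS, l2_overhead=0):
    """Bits per second one direction of the call needs once RTP/UDP/IP headers
    (and optionally a layer-2 header) are attached to every packet. Headers are
    why a 64 kbit/s codec costs 80 kbit/s at layer 3 with 20 ms packets."""
    packet_bytes = payload_bytes + RTP_HEADER + UDP_HEADER + IPV4_HEADER + l2_overhead
    return packet_bytes * 8 * 1000 / ptime_ms


if __name__ == "__main__":
    voice = bytes(SAMPLES_PER_PACKET * 5)          # 100 ms of constructed silence
    pkts = packetize(voice, ssrc=0x12345678)
    first = parse_rtp(pkts[0])
    print(f"{len(pkts)} packets of {len(pkts[0])} bytes; first seq {first['seq']}, "
          f"ts {first['ts']}, marker {first['marker']}")
    print(f"G.711/20 ms needs {call_bandwidth_bps():.0f} bit/s at layer 3, "
          f"{call_bandwidth_bps(l2_overhead=18):.0f} bit/s on Ethernet")
```

The bandwidth figure is the one a WAN designer needs when sizing the QoS priority queue for the voice class: a 64 kbit/s codec becomes 80 kbit/s per direction once the 40 bytes of RTP/UDP/IP headers are added to each 160-byte packet, and 87.2 kbit/s on Ethernet. Longer packetization intervals lower the header overhead at the cost of added delay, which is the trade-off the playout buffer phase then has to manage.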

In four steps, here’s how VoIP works.

1) Your phone connects to your switch or router in your Local Area Network (LAN).
2) When you dial a telephone number, your IP phone tells your VoIP service
provider to call the other party.
3) Your VoIP service establishes the call and exchanges data packets from your IP
phone.
4) Your VoIP phone converts these digital signals back into the sound you can hear.
Common Types of VoIP Devices:

Cloud-based PBXs are responsible for features like voicemail, conferencing, and
call routing. When you think about it, they act as their own full-service phone
companies that you control.
The PSTN is what most of us know as the phone network. It was originally a
fixed-line analog network, but now the core of the PSTN is mostly digital. It
consists of a mix of copper telephone lines, fiber optic cables, cellular networks
and undersea cables.

As a circuit-switched network, the PSTN establishes a dedicated line between
callers. This is a resource-intensive approach compared to VoIP, which sends call
data over the internet to the recipient in labelled packets via the most efficient
route. These packets are then re-assembled and converted back into audio so the
recipient can hear what’s been said.

Voice over Internet Protocol bypasses the telephone company entirely. Wherever
you have a broadband internet connection, you can use VoIP. It’s a significant
upgrade from an analog phone system.
Devices of Client
Device manufacturers, service providers, and enterprises develop and deploy many types
of Internet Protocol (IP) phones and other Voice over IP (VoIP)–enabled devices. As with
other computing devices, such as desktop phones, personal digital assistants (PDAs),
cellular phones, set-top-boxes, and gateways, users can choose from a broad variety of
form factors, feature sets, and user interfaces.

How a Company would move their network to VoIP

There are many different strategies to go about this. Some companies, if they
are new, simply say: we are a brand new company and we don't want to waste money
on a PBX system (figure below), so why don't we just get a VoIP system (figure
below)?

But most companies will have been running a PBX system for years, and for
them moving their entire system to VoIP is a shock. Having invested hundreds of
thousands of dollars in PBX systems (depending on the size of the business), why
would they throw that all away to get free long distance? When they put the
costs on a spreadsheet, they find that the savings would not be realized for
decades. So these companies might use a "two-phased approach".
Phase 1 of moving to a VoIP system is to keep your whole PBX system: you keep
your PBX and your phones, and just re-equip your routers, or buy new routers,
so that the PBX system can connect through the WAN and the PSTN.

It is very low cost to get some new routers or new modules like a VWIC (Voice
and WAN Interface Card) that allows the router to connect to the PBX system
through a T1 line and also connect to the PSTN via a T1 line. Now the router
is connected not only to the IP WAN but also to the voice world (PBX, PSTN).

This gives us the capability to choose one of two paths any time we call the
other offices. If the WAN link is up and has bandwidth, calls between the
offices go through the WAN; if the WAN is down, the PSTN is used as a backup.

It gives us many of the benefits of VoIP: free long distance between the
offices, compression of the voice across the WAN, and getting rid of the tie
lines between the offices, which carry a high recurring monthly cost. So we get
a lot of cost saving just by buying some new routers or modules to connect our
PBX through the WAN rather than only the PSTN. This is the phase 1
migration/upgrade. There are companies that have this phase 1 set-up and want
to upgrade to phase 2, which is harder to maintain than phase 1 because phase 1
keeps the PSTN as a backup.

In phase 2 we get rid of the PBX system. The new voice system has Call Manager
Express, now known as Cisco Unified Communications Manager Express, either as a
standalone device or running on a router (this is what we are going to deal
with in CCNA Voice). We use new phones here that connect to the switches, and
everything is end-to-end VoIP.
It is also possible to have a hybrid: half of the network like phase 1 and
half like phase 2. For example, Intel is a big company with a lot of offices;
all of their new fabrication plants will have phase 2 style end-to-end VoIP,
while all of their existing fabrication plants still have PBX systems, which
they want to keep until the maintenance on the PBX systems expires, and then
move them out. So it is entirely possible to connect phase 2 through routers to
phase 1 and convert calls back and forth between the two.

Fig 5.3 two phase approach

When we move to VoIP we should make sure to take away the fear: don't worry
about it, as PBX systems will be around for years. A striking statistic is that
2 million people in America still use rotary phones; people still use them
because they just work fine. So VoIP is not going to take the world by storm
with everybody running it; it is going to take over from the back end. Rotary
phones still exist, their users send their audio to the service provider (SP),
and the SP side can be converted to VoIP.
Protocols of VoIP
Voice over IP has been implemented in various ways using both proprietary protocols
and protocols based on open standards. Examples of the VoIP protocols are:
• H.323
• Media Gateway Control Protocol (MGCP)
• Session Initiation Protocol (SIP)
• H.248 (also known as Media Gateway Control (Megaco))
• Real-time Transport Protocol (RTP)
• Real-time Transport Control Protocol (RTCP)
• Secure Real-time Transport Protocol (SRTP)
• Session Description Protocol (SDP)
• Inter-Asterisk eXchange (IAX)
• Jingle XMPP VoIP extensions
• Skype protocol
• Teamspeak

The H.323 protocol was one of the first VoIP protocols that found widespread
implementation for long-distance traffic, as well as local area network services.
However, since the development of newer, less complex protocols such as MGCP and
SIP, H.323 deployments are increasingly limited to carrying existing long-haul
network traffic. In particular, the Session Initiation Protocol (SIP) has gained
widespread VoIP market penetration.
These protocols can be used by special-purpose software, such as Jitsi, or
integrated into a web page (web-based VoIP), like Google Talk.

Pros and cons of Voice over IP.

There are pros and cons to consider when looking into VoIP for handling your
telephone calls. Here are the benefits and drawbacks of Voice over IP.
Benefits of VoIP

• Lower cost – Many consumers and businesses alike have realized substantial cost
savings and lowered their phone bills by over 60%.
• High-quality sound – There’s a noticeable difference in the call quality, so the
audio isn’t muffled or fuzzy.
• Advanced features – Leverage premium features to run your company such as
auto attendants, call recording, and call queues. They’re often included with
business phone service plans.
• Remote-ready – Use your phone service wherever you work. No technical setup
is necessary if you work from home.
• Call anyone worldwide – International long distance rates are as low as $0.04
per minute to call Mexico or $0.01 to reach the United Kingdom.


Downsides of VoIP

• Needs a high-speed internet connection – VoIP doesn’t work well on dial-up or
satellite-based internet connections. You’ll need at least 100 kbps (0.1
Mbps) per phone line.
• Emergency services limitations – In the unlikely event you need to call 911
from your VoIP phone, you need to tell the operator your actual location.
Voice over IP systems default to sending your company’s mailing address to
public safety operators.
• Makes analog phones obsolete – Voice over IP uses new technology that
doesn’t rely on analog signals. You’ll likely want to upgrade outdated phone
handsets. Read our advice later to find out how you can get a free VoIP
phone.
How is VoIP different from a landline phone?

There are several differences between the two systems – from technological
contrasts to pricing and scalability.

Here is a list of major differences that will help you better understand VoIP vs.
landlines.
How much does VoIP cost?

VoIP is surprisingly inexpensive when you consider all its capabilities. The
short answer is that you can expect to pay approximately $35 per user per
month for VoIP. The cost savings are quite dramatic compared to a traditional
phone system or on-premises PBX.

To give you an idea, here’s how much VoIP typically costs:

• Initial costs: $0-$50 per line
• Monthly costs: $19-$45 per line
• Device costs: $80-$600 per IP phone
• International calls: $0.01+ per minute
• Taxes and fees: Varies based on your city, county, and state.

Traditional phone systems have hidden costs you might not expect:

• Installation fees: $50-100 per drop
• Deposit: $100-$500
• Maintenance contract: $1000+ annually
• International calls: $1.00+ per minute
• Hard pull credit check
CHAPTER 6: DATA CENTER
What is a Data Center ?

A Data Center usually refers to a physical space that centrally processes,
stores, transmits, exchanges and manages information. Computers, servers,
network and storage equipment are generally considered the key Data Center
equipment.

Components of a Data Center:

Routers, switches, firewalls, storage systems, servers, applications,
delivery controllers, computers and peripherals.

Features of a Data Center:

1- The location of the Data Center is the most important basis.
2- Providing safety and security.
3- Providing cooling systems to protect the devices.
4- High-quality servers, since they operate all the time, and fast internet.
5- The human element must be professionals and technicians able to solve
problems.
Types of Data Center

Figure 6.1
Figure 6.2
Figure 6.3

Standard Data Center Architecture

Figure 6.4
Figure 6.5
Figure 6.6


What is a SERVER?
It is a computer with high resources and quality, used to provide services.

The types of servers

1. Proxy Server

A proxy server sits between a client program (typically a Web browser) and an
external server (typically another server on the Web) to filter requests, improve
performance, and share connections.

2. Mail Server

Almost as ubiquitous and crucial as Web servers, mail servers move and store
mail over corporate networks (via LANs and WANs) and across the Internet.

3. Web server

A web server serves static content to a web browser by loading a file from
disk and serving it across the network to the user's web browser; this entire
exchange is mediated by the browser and server talking to each other using
HTTP.
There are two types of Web server:
1- Apache server
It is an open source and free web server.
Apache serves about 46% of websites around the world.
The full name of Apache is "Apache HTTP Server"; it is maintained by the
Apache Software Foundation.
2- ISIS Server
Stands for Integrated Science Instrument Server.
ISIS is a message passing server that uses connectionless UDP network
sockets and RS232.
4. IRC server

Also referred to as instant messaging (IM) servers, these enable large numbers
of users to exchange information; also known as chat servers.

5. DNS server

This server is used to translate domain names into IPs; used with the web
server.

6. DHCP server

This server is used to provide the configuration of a device (IP, subnet,
gateway, DNS, ...) automatically instead of manual configuration.

7. Virtual Server

In 2009, the number of virtual servers deployed exceeded the number of
physical servers. Today, server virtualization has become near ubiquitous in
the data center.

Virtualization

1.1.1 What's Virtualization?

Virtualization is a technology that simulates hardware functionalities and
creates multiple VMs on a physical server.

1.1.2 A Brief History of Compute Virtualization

Figure 6.7
Figure 6.8
Figure 6.9

1.1.3 Types of Compute Virtualization

Figure 6.10
Figure 6.11
Figure 6.12

1.1.4 Characteristics of virtualization

A. Partitioned
B. Isolated
C. Encapsulated
D. Independent

1.2.5 Virtualization benefits

• Optimizes utilization of IT infrastructure
• Reduces cost and management complexity
• Reduces deployment time
• Increases flexibility

Before and After virtualization:

Figure 6.13

1.2.6 CPU Virtualization

Figure 6.14

1.2.7 Memory Virtualization

Figure 6.15

1.2.6 I/O Virtualization

With compute virtualization, a large number of VMs can be created on a single
host, and these VMs all need to access the I/O devices of this host. However,
I/O devices are limited. Sharing I/O devices among multiple VMs requires a
virtual machine monitor (VMM). The VMM intercepts access requests from VMs to
I/O devices, simulates I/O devices in software, and responds to the I/O
requests. This way, multiple VMs can access I/O resources concurrently. I/O
virtualization can be implemented by the following methods: full
virtualization, paravirtualization, and hardware-assisted virtualization.
Hardware-assisted virtualization is the mainstream technology for I/O
virtualization.

• Full virtualization
• Paravirtualization
• Hardware-assisted virtualization

1.2.7 Mainstream Compute Virtualization

Figure 6.16
Figure 6.17

What is a Hypervisor?

It is a software program that manages multiple operating systems, or multiple
instances of the same operating system, on a single computer system.

The hypervisor manages the system's processor, memory and other resources to
allocate what each OS requires.

Hypervisors are designed for a particular processor architecture and may also
be called virtualization managers.

Examples of hypervisors:

• VMware ESXi
• Microsoft Hyper-V
• VirtualBox
• VMware Workstation

Hypervisor Types

* Type 1, native (bare-metal) hypervisor:

The hypervisor runs directly on the host's hardware to control the hardware
and to manage guest operating systems.
Examples: Xen, VMware ESXi, Microsoft Hyper-V.

* Type 2, hosted hypervisor:

These hypervisors run on a conventional operating system just like other
computer programs.
Examples: VMware Workstation, VirtualBox.

Popular hypervisors:

1- Xen

It is an open source paravirtualization technology that provides a platform
for running multiple operating systems in parallel on one set of physical
hardware resources; developed in 2003.

2- KVM (Kernel-based Virtual Machine)

It is an open source virtualization technology built into Linux. Specifically,
KVM lets you turn Linux into a hypervisor that allows a host machine to run
multiple isolated virtual environments called guests or virtual machines (VMs).
Storage
Latest Storage Technologies and Trends

Definition of Storage

What is Storage?

Figure 6.18
Figure 6.19

Development History of Storage

Figure 6.20


1. Direct Attached Storage (DAS)

Used in all devices.
Directly connected to any PC.
Such as hard disks and external hard drives, which are connected with IDE,
SCSI or iSCSI.

There are 3 cases in DAS:

1) Standalone (independent)
2) JBOD (spanned)
3) RAID

These three types also exist in NAS and SAN.
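As an added illustration of the three DAS cases and of the RAID fault tolerance that NAS and SAN build on (example code written for this page, not the project's own), the Python below computes usable capacity and tolerated disk failures for standalone, JBOD, RAID 0, RAID 1 and RAID 5 sets, and shows RAID 5 parity rebuilding a lost block. Disk sizes and data blocks are constructed sample values.

```python
"""Standalone vs JBOD vs RAID: capacity, tolerated failures, and how RAID 5
parity rebuilds a failed member.

Added worked example for the DAS/NAS/SAN storage modes above; not code from the
project. The disk sizes and data blocks are constructed sample values.
"""
from functools import reduce


def xor_blocks(*blocks):
    """Byte-wise XOR of equal-length blocks; this is the RAID 5 parity operation."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("stripe members must be the same size")
    return bytes(reduce(lambda x, y: x ^ y, col) for col in zip(*blocks))


def raid5_parity(data_blocks):
    """Parity for one stripe: P = D0 xor D1 xor ... xor Dn-1."""
    return xor_blocks(*data_blocks)


def raid5_rebuild(surviving_blocks, parity):
    """Recover the single missing block: XOR of every surviving block and the parity.

    Because XOR is its own inverse, P xor (all remaining data) == the lost block.
    Two simultaneous failures cannot be rebuilt this way, which is why RAID 5
    tolerates exactly one failed disk.
    """
    return xor_blocks(*surviving_blocks, parity)


def capacity_gb(mode, disks_gb):
    """Usable capacity for the three DAS cases (and the RAID levels NAS/SAN use)."""
    n, smallest = len(disks_gb), min(disks_gb)
    if mode == "standalone":       # independent disks, each its own volume
        return sum(disks_gb)
    if mode == "jbod":             # spanned into one volume, no redundancy
        return sum(disks_gb)
    if mode == "raid0":            # striped; every member limited to the smallest disk
        return n * smallest
    if mode == "raid1":            # all members hold copies of the same data
        return smallest
    if mode == "raid5":            # one disk's worth of parity, needs >= 3 disks
        if n < 3:
            raise ValueError("RAID 5 needs at least three disks")
        return (n - 1) * smallest
    raise ValueError(f"unknown mode {mode!r}")


def disks_tolerated(mode):
    """How many disks may fail before data is lost."""
    return {"standalone": 0, "jbod": 0, "raid0": 0, "raid1": 1, "raid5": 1}[mode]


if __name__ == "__main__":
    # Constructed stripe: three 8-byte data blocks on a 4-disk RAID 5 set.
    d0, d1, d2 = b"SohagUni", b"DataCent", b"er-2023!"
    p = raid5_parity([d0, d1, d2])
    print("parity:", p.hex())
    # The disk holding d1 fails; rebuild it from d0, d2 and the parity.
    print("rebuilt d1:", raid5_rebuild([d0, d2], p))
    for mode in ("standalone", "jbod", "raid0", "raid1", "raid5"):
        print(f"{mode:10s} 4 x 2000 GB -> {capacity_gb(mode, [2000] * 4)} GB usable,"
              f" tolerates {disks_tolerated(mode)} failure(s)")
```

Standalone and JBOD give the full 8000 GB but lose data on any single failure; RAID 5 gives 6000 GB and survives one failed disk, which is the property the SAN section below calls fault tolerance.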

2. Network Attached Storage (NAS)

A centralized storage device for storing data on a network.
Will have multiple hard drives in a RAID configuration.
Directly attached to a switch or a router on a network to allow other devices
access to the SAN.
Used in homes and small to medium size businesses.

3. Storage Area Network (SAN)

It is the most popular type of storage.
It is a collection of hard drives.
A special, high-speed network that stores and provides access to large amounts
of data.

Features of SAN

SANs are fault tolerant.
Data is shared among several disk arrays.
Servers access this data as if it were a local hard drive.
Highly scalable.
SAN is a high-speed network:
- its speed is between 2 Gb/s and 128 Gb/s;
- used by large companies.
4. Cloud Storage:
It is a type of storage on the internet; companies like Google, Apple and
Microsoft provide storage space on their servers (Gmail, OneDrive, iCloud, ...).
This type of storage is ubiquitous, hence the name cloud storage.
5. Distributed Storage:
It is a storage system that adopts a scalable structure, using multiple storage
servers to share the storage load and location servers to locate and store
information.
Cloud Computing
A set of servers connected to the internet which store and distribute data
away from your personal device.

Types of cloud computing

• Private Cloud: systems and users only have access to other devices inside the
same private cloud or system.
• Public Cloud: systems and users interact with devices on public networks, such
as the Internet and other clouds.
• Hybrid Cloud: a combination of private and public.

Characteristics of cloud computing

• Elastic (scaled up and scaled down)
• On-demand self-service
• Billed based on the metered usage (pay-per-use)

3 Models of Cloud Computing
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
IaaS
○ Provides the capability for the consumer to hire infrastructure components
such as servers, storage, and network; the customer does not manage or control
the underlying cloud infrastructure.
○ Enables consumers to deploy and run software, including OS and applications,
along with some networking components (for example, host firewalls).
○ The customer pays for infrastructure component usage, for example storage
capacity, CPU usage, etc.
○ The company is responsible for the security of applications and data.
○ It is based on virtualization of machines and network.
○ IaaS example: Amazon Elastic Compute Cloud (EC2).

PaaS
○ Customers can deploy supported applications onto the provider's cloud
infrastructure; the customer does not manage or control the underlying cloud
infrastructure.
○ The customer is responsible for the security of those applications and data.
○ Developers build the software without worrying about operating systems,
software updates, storage, or infrastructure.
○ PaaS examples: Google App Engine, Microsoft Azure Platform.
SaaS
○ Customers are provided access to an application running on a cloud
infrastructure; the customer does not manage or control the underlying cloud
infrastructure.
○ The application is accessible from various client devices, for example via a
thin client interface such as a web browser.
○ SaaS eliminates the need to have IT staff download and install applications
on each individual computer; billing is based on application usage.
○ SaaS examples: EMC Mozy (a Software-as-a-Service solution for online backup),
Office 365.

figure in data center 6. 21


Chapter 7 (Features)
7.1.1 Face Mask Detection
A Face Mask Detection System built with OpenCV and Keras/TensorFlow, using
Deep Learning and Computer Vision concepts to detect face masks in static
images as well as in real-time video streams.

7.1.2 Motivation
Amid the ongoing COVID-19 pandemic, there are no efficient face mask detection
applications, which are now in high demand for transportation means, densely
populated areas, residential districts, large-scale manufacturers and other
enterprises to ensure safety. The absence of large datasets of 'with_mask'
images has made this task cumbersome and challenging.

Figure 7.1.2 Face Mask Detection 1

7.1.3 TechStack/framework used

• OpenCV
• Caffe-based face detector
• Keras
• TensorFlow
• MobileNetV2
7.1.4 Features

Our face mask detector doesn't use any morphed masked images dataset and the model is
accurate. Owing to the use of MobileNetV2 architecture, it is computationally efficient, thus
making it easier to deploy the model to embedded systems (Raspberry Pi, Google Coral, etc.).
This system can therefore be used in real-time applications which require face-mask detection
for safety purposes due to the outbreak of Covid-19. This project can be integrated with
embedded systems for application in airports, railway stations, offices, schools, and public
places to ensure that public safety guidelines are followed.

7.1.5 Dataset
The dataset used can be downloaded here - Click to Download
This dataset consists of 4095 images belonging to two classes:

• with_mask: 2165 images
• without_mask: 1930 images

The images used were real images of faces wearing masks. The images were collected from the
following sources:

• Bing Search API (See Python script)
• Kaggle datasets
• RMFD dataset (See here)

7.1.6 Prerequisites
All the dependencies and required libraries are included in the file
requirements.txt (see here).
7.1.8 Installation

1. Clone the repo


$ git clone https://github.com/chandrikadeb7/Face-Mask-Detection.git
2. Change your directory to the cloned repo
$ cd Face-Mask-Detection
3. Create a Python virtual environment named 'test' and activate it
$ virtualenv test
$ source test/bin/activate
4. Now, run the following command in your Terminal/Command Prompt to install the
libraries required
$ pip3 install -r requirements.txt

7.1.9 Results
Our model gave 98% accuracy for Face Mask Detection after training via tensorflow-
gpu==2.5.0

Figure 7.1.9.1 ( Results) 1


We got the following accuracy/loss training curve plot

Figure 7.1.9.1 ( Results) 2

7.1.10 Streamlit app

Face Mask Detector webapp using TensorFlow & Streamlit

Command:
$ streamlit run app.py
7.1.11 Images

Figure 7.1.11 Images 1

Figure 7.1.11 Images 2

Results
And it's done!
7.2 Howdy (login by face)
Howdy provides Windows Hello™ style authentication for Linux. Use your built-in
IR emitters and camera in combination with facial recognition to prove who you
are.
Using the central authentication system (PAM), this works everywhere you would
otherwise need your password: login, lock screen, sudo, su, etc.
7.2.1 Installation

Howdy is currently available and packaged for Debian/Ubuntu, Arch Linux, Fedora
and openSUSE. If you're interested in packaging Howdy for your distro, don't
hesitate to open an issue.
Note: The build of dlib can hang at 100% for over a minute; give it time.
7.2.2 Ubuntu or Linux Mint
Run the installer by pasting (ctrl+shift+V) the following commands into the
terminal one at a time:
sudo add-apt-repository ppa:boltgolt/howdy
sudo apt update
sudo apt install howdy

This will guide you through the installation.


7.2.3 Setup

After installation, Howdy needs to learn what you look like so it can recognise you later. Run
sudo howdy add to add a face model.
If nothing went wrong we should be able to run sudo by just showing your face. Open a new
terminal and run sudo -i to see it in action. Please check this wiki page if you're experiencing
problems or search for similar issues.
If you're curious you can run sudo howdy config to open the central config file and see
the options Howdy has to offer. On most systems this will open the nano editor, where you
have to press ctrl+x to save your changes.
7.2.4 CLI

The installer adds a howdy command to manage face models for the current user. Use howdy
--help or man howdy to list the available options.
Usage:
howdy [-U user] [-y] command [argument]

Command    Description
add        Add a new face model for a user
clear      Remove all face models for a user
config     Open the config file in your default editor
disable    Disable or enable howdy
list       List all saved face models for a user
remove     Remove a specific model for a user
snapshot   Take a snapshot of your camera input
test       Test the camera and recognition methods
version    Print the current version number

7.2.6 Troubleshooting

Any Python errors get logged directly into the console and should indicate what went wrong. If authentication still fails but
no errors are printed, you could take a look at the last lines in /var/log/auth.log to see if anything has been
reported there.

If you encounter an error that hasn't been reported yet, don't be afraid to open a new issue.

7.3 SebatNet Lite (Fast cigarette smoking detection)

Fast cigarette smoking detection with ONNX, using Linzaer's face detection model.

7.3.1 How to use

1. pip3 install -r requirements.txt to install required modules.
2. You can import sebatnet into your script or run python3 video_example.py
<video.mp4>. With a webcam you need to run python3 video_example.py 0
7.3.2 Limitation

This script uses a small model that prioritizes inference speed over accuracy.

7.4 Change Ubuntu 22.04 Boot and Login Screen Logo

Follow through this tutorial to learn how to change the Ubuntu 22.04 boot and
login screen logo. One of the customizations you can do to your Ubuntu 22.04
instance is to change the desktop background, the login screen background and,
of course, the default boot logo.
For Ubuntu 22.04, the default boot logo is as shown in the screen below:

Change Ubuntu Boot and Login Screen 1

So, how can you change Ubuntu 22.04 login screen logo?
Well, first of all you need to know where the default Ubuntu 22.04 logo images are stored.
The logo at the bottom of the login screen;
Is stored under /usr/share/plymouth as ubuntu-logo.png.
The same logo is also used on the boot screen, but stored in a different location. We will look
into that later.
So, if you want to change this login screen logo, then you have to copy your
image to that directory and name it ubuntu-logo.png.
For example, I want to use our Kifarunix image as the Ubuntu 22.04 bottom login
screen logo, so first of all back up the default image:

sudo cp /usr/share/plymouth/ubuntu-logo.png /usr/share/plymouth/ubuntu-logo.png.bak
Next, copy your image to the /usr/share/plymouth directory, naming it ubuntu-logo.png.
sudo cp ~/Pictures/kifarunix.png /usr/share/plymouth/ubuntu-logo.png

When you log out, you should see that the default login screen logo has changed!
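The two copy steps above, as an added Python example (not code from the tutorial): it checks the PNG file signature before replacing anything under /usr/share/plymouth, keeps exactly one backup of the distro logo, and can restore it. The backup name ubuntu-logo.png.bak, the demo's stand-in image bytes and the temporary directory it works in are this example's own choices; the real directory needs root.

```python
"""Replace the Plymouth login-screen logo with a backup and a PNG signature check.

Added example for the procedure above; not code from the tutorial. The PNG
signature is the real one; the backup name ubuntu-logo.png.bak is this
example's own choice. Run against the real /usr/share/plymouth only as root.
"""
import os
import shutil
import tempfile

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"      # first eight bytes of every PNG file
DEFAULT_DIR = "/usr/share/plymouth"
LOGO_NAME = "ubuntu-logo.png"


def _read(path):
    with open(path, "rb") as fh:
        return fh.read()


def is_png(path):
    """Check the file signature rather than trusting the .png extension."""
    with open(path, "rb") as fh:
        return fh.read(len(PNG_SIGNATURE)) == PNG_SIGNATURE


def install_logo(new_logo, plymouth_dir=DEFAULT_DIR, logo_name=LOGO_NAME):
    """Back up the distro logo once, then copy the new image over it.

    Returns (target_path, backup_path). Refuses non-PNG input so a mislabelled
    file cannot break the greeter, and never overwrites an existing backup so
    the original stays recoverable after repeated runs.
    """
    if not is_png(new_logo):
        raise ValueError(f"{new_logo} is not a PNG file")
    target = os.path.join(plymouth_dir, logo_name)
    backup = target + ".bak"
    if os.path.exists(target) and not os.path.exists(backup):
        shutil.copy2(target, backup)     # sudo cp ubuntu-logo.png ubuntu-logo.png.bak
    shutil.copy2(new_logo, target)       # sudo cp ~/Pictures/kifarunix.png ubuntu-logo.png
    return target, backup


def restore_logo(plymouth_dir=DEFAULT_DIR, logo_name=LOGO_NAME):
    """Put the distro logo back from the backup made by install_logo."""
    target = os.path.join(plymouth_dir, logo_name)
    shutil.copy2(target + ".bak", target)
    return target


def demo():
    """Dry run in a temporary directory with constructed image files."""
    with tempfile.TemporaryDirectory() as tmp:
        original = PNG_SIGNATURE + b"distro-logo"          # stand-in for ubuntu-logo.png
        replacement = PNG_SIGNATURE + b"kifarunix-logo"    # stand-in for kifarunix.png
        with open(os.path.join(tmp, LOGO_NAME), "wb") as fh:
            fh.write(original)
        with open(os.path.join(tmp, "kifarunix.png"), "wb") as fh:
            fh.write(replacement)
        with open(os.path.join(tmp, "notes.png"), "wb") as fh:
            fh.write(b"not really an image")              # wrong content, right extension

        target, backup = install_logo(os.path.join(tmp, "kifarunix.png"), tmp)
        install_logo(os.path.join(tmp, "kifarunix.png"), tmp)   # second run keeps first backup
        try:
            install_logo(os.path.join(tmp, "notes.png"), tmp)
            rejected = False
        except ValueError:
            rejected = True
        result = {
            "installed": _read(target) == replacement,
            "backup_is_original": _read(backup) == original,
            "fake_png_rejected": rejected,
        }
        restore_logo(tmp)
        result["restored"] = _read(target) == original
        return result


if __name__ == "__main__":
    print(demo())
```

The signature check matters because Plymouth and the greeter load whatever sits at that path at boot; validating the replacement and keeping a restorable backup keeps a cosmetic change from turning into an unbootable login screen.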

Figure 7.4 1

Change Ubuntu Boot and Login Screen 2

Now, let’s see how you can change Ubuntu 22.04 boot logo.
Ubuntu 22.04 uses BGRT as the default splash screen Plymouth theme;
update-alternatives --list default.plymouth

Sample output;
/usr/share/plymouth/themes/bgrt/bgrt.plymouth

So where does this theme store its default images?


grep -i imagedir /usr/share/plymouth/themes/bgrt/bgrt.plymouth
Sample output;
ImageDir=/usr/share/plymouth/themes/spinner
As you can see, the default images for this default splash screen theme are stored under
/usr/share/plymouth/themes/spinner directory.
Under this directory, we have some images used as boot screen logos as highlighted in this
screenshot below;
/usr/share/plymouth/themes/spinner/bgrt-fallback.png

/usr/share/plymouth/themes/spinner/watermark.png
Change Ubuntu Boot and Login Screen 3

Change Ubuntu Boot and Login Screen 4

our logo

Change Ubuntu Boot and Login Screen 5

Change Ubuntu Boot and Login Screen 6


7.5 ChatGPT

7.5.1 What is ChatGPT?

• ChatGPT is a large language model chatbot developed by OpenAI. It is capable
of generating human-like text responses to a given prompt, based on its
training on a large corpus of text data.
• GPT - Generative pre-trained transformer
Who Built ChatGPT?
• ChatGPT was created by the San Francisco-based artificial intelligence
company OpenAI. They opened the tool for public testing in November 2022.
ChatGPT Advantages
• Human-like responses: ChatGPT is trained on a large corpus of text from the
internet, allowing it to generate human-like responses to questions and prompts.
• Speed and efficiency: ChatGPT can generate responses quickly, allowing for
real-time conversation.
• Scalability: ChatGPT can handle multiple requests at once, making it suitable
for large-scale applications.
• Continuous improvement: OpenAI regularly updates and fine-tunes ChatGPT,
improving its performance over time.
• Cost-effectiveness: ChatGPT can provide a cost-effective solution compared to
hiring human operators for customer service or other conversational AI
applications.

7.5.2 ChatGPT Limitations

• Lack of Common Sense: ChatGPT lacks the common sense knowledge that a human
has, which can lead to incorrect or nonsensical answers.
• Contextual Understanding: ChatGPT may have difficulty understanding the
context of a question or conversation, leading to misunderstandings.
• Limited Domain Knowledge: ChatGPT is trained on a large dataset, but it still
has limitations, particularly in niche or specialized subjects.
• Lack of Creativity: ChatGPT can provide answers based on the information it
has been trained on, but it does not have the ability to come up with creative
or original ideas.
How to access ChatGPT?
• Just sign up at chat.openai.com
Figure 7.5.2 ChatGPT 1
Example:

Figure 7.5.2 ChatGPT 2
7.6 Website server used: Bitnami WordPress
Bitnami WordPress is a pre-packaged, ready-to-run version of the popular open source content
management system (CMS) WordPress. It includes all the software required to run WordPress,
including Apache, MySQL, and PHP. Bitnami WordPress is designed to be easy to install and use,
making it a great choice for users who want to get up and running quickly with a full-featured
WordPress installation.
Results
In the Theory chapter we reviewed two communication options between the
enterprise and the remote branch networks: private WAN and site-to-site VPN.
The possible types of private WAN were reviewed (Frame Relay, ATM, leased
lines and others), as were the possible types of VPN implementation. These
types include but are not limited to PPTP, IPsec, and SSL VPN. Security,
management, and services for the enterprise network with remote branch offices
were also discussed. In the Theory chapter we reviewed the possible types of
management: in-band and out-of-band management; centralized, distributed, and
hierarchical management. We also reviewed the possible ways of keeping
management data on a permanent (or semi-permanent) medium or system, and
explained the parts of the process for keeping data: primary storage,
secondary storage, and tertiary storage.
For the design we chose the site-to-site VPN model as the primary connection
between the enterprise and the branch offices. The solution we offer to the
problem is based on that model. We discussed site-to-site VPN in more detail
and chose IPsec as the implementation type. We also carefully reviewed the
types of equipment to be used in the network and, for each location, chose the
most appropriate equipment. The solution was analyzed, evaluated, and partly
tested. The results show that the enterprise network solution is appropriate
for medium to large enterprises. It offers high security, availability,
redundancy, and high-speed links. The branch office solution is appropriate
for small to medium branch office implementations. It offers high security,
low availability, no redundancy, and high-speed links.
Discussion on results
This chapter contains a discussion of the results of the design. Here we will
draw final conclusions, list recommendations and give advice for future work.
Each of these will be covered in a separate section as follows: conclusions in
Section 4.1, recommendations in Section 4.2, and future work in Section 4.3.
Conclusion
The project provides a solution to the problem. The designed enterprise computer
communication network with a branched network of affiliates (described in
Section 3.1.4) can support branch offices regionally-extended, international-
extended or worldwide-extended. The branch offices (explained in Section 3.2)
need Internet connection and equipment that supports site-to-site VPNs based on
IPsec.
Recommendations
The redundancy of the branch office network should be implemented. Without
redundancy if the ISR router is down, the entire branch office is lost. Another ISR
router could be deployed to provide redundant network. The designed branch
office network suits best the needs of a small to medium branch office. For other
sizes of branch offices other equipment should be used.
Future work
The used router models (7201) in the enterprise Internet edge have high
performance and wide range of supported features. However, if the enterprise
demands even higher performance in the future a migration to ASR 1000 series
should be considered. The enterprise communicates with the branch offices via
the site-to-site VPN connection based on IPsec. But if that connection is down,
the enterprise does not have any backup connectivity with the branch offices.
Secondary connection between both locations could be implemented in the future.
Implementing IPv6 should also be considered in the future. IPv6 has a lot of
benefits over IPv4: a simplified header for routing efficiency and performance;
deeper hierarchy and policies for network architecture flexibility; efficient
support for routing and route aggregation; security with mandatory IP Security
(IPsec) support for all IPv6 devices; and others. There are also migration
strategies that can be deployed to facilitate the migration process. The
project offers testing of the
HSRP functionality. In the future more features of the designed network could be
tested to support the theory statements with testing results. These features include,
but are not limited to servers’ accessibility from branch offices; the VPN cluster
operation; firewall packet filtering; and VPN link bandwidth utilization.