Secure VPN Solution in a Converged Network for Phoniro Systems, AB., an Emerging SME
Adnan Ahmed Khan
Hassan Zahur
Computer Network Engineering, 15 ECTS
Thesis Report IDE1267
Halmstad University, Sweden, 12 September 2012

Abstract

With the advent of emerging communications technologies in today's era of global computing, exploiting converged networks has become all the more prudent for the corporate sector. This thesis is a feasibility report for the implementation of a secure video-conference and VPN solution for an SME, Phoniro Systems AB. Phoniro Systems provides health and welfare solutions. With offices in various locations throughout Sweden, active remote workers, ever-increasing needs and new ventures, a secure, robust and reliable VPN and video-conference solution over a resilient converged network was needed. The proposed solution should integrate networks at different geographical locations. It should not only connect the offices but also cater to the needs of remote clients, providing secure and seamless connectivity.

Accomplishing the task required investigating various VPN and video-conference technologies while considering Phoniro's network infrastructure and the requirements stated by the company. A balance between security, performance, ease of use and cost was one of the key considerations. Different technologies relevant to the solution were evaluated after testing them; in the end, a solution meeting Phoniro's requirements was devised.

Acknowledgment

This thesis gave us an insight into learning and implementing a secure VPN and video-conference solution for an SME (Small and Medium-sized Enterprise) over a converged network by putting our theoretical knowledge into practice. For this thesis we would like to thank all the people who helped and inspired us.

First and foremost, our thesis supervisor, Sławomir Nowaczyk (Halmstad University), for his guidance, patience and hours of discussions on formulating possible solutions. Olle Bliding (CTO, Phoniro Systems AB), for providing us this unique opportunity to suggest a secure VPN and video-conference solution for his prestigious organization and for providing us with the information needed to complete this thesis. Nicolina Månsson (Halmstad University), our thesis coordinator, for her help and guidance. We would also like to thank our friends and family; without their support and encouragement this work would not have been possible.

Contents

Abstract
Acknowledgement
Contents
List of Figures
List of Acronyms
1 Introduction
1.1 Motivation
1.2 Goal
1.3 The project: VPN, video-conferencing and security
1.3.1 VPN
1.3.2 Video-conference
1.3.3 Security
1.4 Testing methodology, evaluation and solution
2 VPN
2.1 VPN Introduction
2.2 VPN benefits
2.3 VPN drawbacks and issues
2.3.1 Quality of Service
2.3.2 Bandwidth reservation
2.3.3 Multimedia
2.4 Types of VPN
2.4.1 Site to site VPN
2.4.2 Remote-access VPN
2.5 VPN Tunneling Protocols
3 IPsec
3.1 Introduction
3.1.1 Encryption Terminology
3.2 IPsec features
3.2.1 Cryptographic Algorithm
3.2.2 Confidentiality
3.2.3 Integrity
3.2.4 Authentication
3.2.5 Secure key exchange
3.2.6 IPsec security Protocols
3.3 L2TP with IPsec (L2TP/IPsec)
4 Video-conference
4.1 Introduction
4.2 Working
4.2.1 PC based Video-conference setup
4.2.2 Dedicated Setups
4.3 Video-conference data
4.4 Improving video-conference experience
5 Methodology for Testing and Considerations
5.1 Methodology for testing and Considerations
5.1.1 Considerations
5.2 Implementation and results of testing scenarios
5.2.1 Network based VPN testing
5.2.1.1 Testing
5.2.1.2 Results
5.2.1.3 QoS
5.2.1.4 Implementation of QoS on Network
5.3 Operating System based VPN testing
5.3.1 Testing with Jperf
5.3.2 Result observations
5.4 Operating system based and Network based testing inferences
6 Evaluation and Recommendations
6.1 Cisco based Site to Site and Quick VPN (Remote workers)
6.2 Cisco based site to site and Windows Server L2TP/IPsec
6.3 Available VPN products for solution
6.3.1 Cisco RV042
6.3.1.1 Cisco RV042 feature set
6.3.1.2 Cisco Quick VPN for remote workers
6.3.2 Future Expansion and possible issue
6.4 Video Conference Evaluation and recommendation
6.4.1 Available video-conference solutions
6.4.1.1 Nefsis
6.4.1.2 Skype
6.4.1.3 SightSpeed
6.4.1.4 Cisco ūmi
6.4.2 Video-conference recommendation
6.4.2.1 Skype recommendation
6.4.2.2 Video-conference hardware
6.4.2.2.1 Possible issues with Logitech c910
6.5 Data Backup
6.6 Final Solution
7 Conclusion
Appendix
a) Cisco IPsec Router Configurations
b) Operating System based L2TP/IPsec Config
c) RV042 Router Setup steps
d) Video-conference resolution table
e) Bandwidth requirement table for Skype
f) Cisco RV042 VPN features
References

List of Figures

Fig 1 Site to site IPsec with remote VPN connectivity
Fig 2 Confidentiality
Fig 3 ESP payload
Fig 4 L2TP/IPsec structure
Fig 5 PPP datagram
Fig 6 QoS Packet size
Fig 7 Static IPsec testing
Fig 8 Skype server
Fig 9 Skype traffic
Fig 10 Two point video-conference scenario
Fig 11 Three point video-conference
Fig 12 Jperf client
Fig 13 Jperf server
Fig 14 Cisco RV042
Fig 15 Skype settings
Fig 16 Cisco Ūmi video-conference camera
Fig 17 Logitech 910
Fig 18 Final suggested scenario

List of Acronyms

AES - Advanced Encryption Standard
AH - Authentication Header
CLI - Command Line Interface
CRM - Customer Relationship Management
DES - Data Encryption Standard
DH, D-H - Diffie-Hellman
DiffServ - Differentiated Services
DSCP - DiffServ Code Point
EF - Expedited Forwarding
ESP - Encapsulating Security Payload
FHD - Full High Definition, i.e. 1080p
GRE - Generic Routing Encapsulation
HD - High Definition video, i.e. 720p
HMAC - Hashed Message Authentication Code
IKE - Internet Key Exchange
iLBC - Internet Low Bitrate Codec
iSAC - Internet Speech Audio Codec
ISAKMP - Internet Security Association and Key Management Protocol
ISP - Internet Service Provider
L2TP - Layer 2 Tunneling Protocol
MD - Message Digest
NAT - Network Address Translation
OSPF - Open Shortest Path First (routing protocol)
PDA - Personal Digital Assistant
PPP - Point-to-Point Protocol
PPTP - Point-to-Point Tunneling Protocol
PS - Packet Size in Bytes
PSKs - Pre-shared Keys
QoS - Quality of Service
RSA - Rivest, Shamir and Adleman algorithm for public key cryptography
SEAL - Software-Optimized Encryption Algorithm
SHA - Secure Hash Algorithm
SSL - Secure Socket Layer
SSTP - Secure Socket Tunneling Protocol
UDP - User Datagram Protocol
VGA - Video Graphics Array, i.e. a resolution of 640x480
VoIP - Voice over Internet Protocol
VPN - Virtual Private Network

1 Introduction

Ever