Posted: 07-Apr-2017
A SECURE HIGH AVAILABILITY CONNECTION BETWEEN MULTI-SITES FOR A VOIP COMMUNICATION SYSTEM WITH EAVESDROPPING PREVENTION SECURITY STRATEGIES
BY EMMANUEL EMEGHA
MSc Telecommunications Engineering
Client: Stephen Swales (University of Sunderland)
Project Supervisor: Dr Chris Bowerman
Second Marker: Dr Leslie Kingham
EXECUTIVE SUMMARY
In telecommunications engineering, the concept of high availability refers to techniques used to mitigate network downtime, while VPNs (Virtual Private Networks) are WAN connection technologies that provide data security (authentication, confidentiality and integrity) using encryption services. VoIP systems are adopted because of their flexibility, simplicity and low cost compared with traditional hard-wired telephone communication. However, their security vulnerabilities undermine the confidentiality of the voice packets being transmitted.
This project implements a highly available WAN network for a VoIP solution that allows active (on-going) calls to continue should a link connecting two sites fail, using suitable protocols to restore links. This highly available network and VoIP solution are equipped with eavesdropping prevention technologies (IPSec VPN and SRTP) that render any intercepted data/voice packets unreadable/unlistenable.
CLIENT & PROBLEM
• Client
• Problem: Network downtimes, WAN security, voice communication & security
Client Requirements
• A highly available WAN network
• Site-to-site security (eavesdropping)
• VoIP communication and security (eavesdropping)
• Active call continuity during WAN connection outages
PROJECT OBJECTIVES
1. To research and evaluate the concept of high availability in communication networks.
2. To critically evaluate the various protocols used in high availability, including those for failover and redundancy.
3. To research and evaluate VPN technologies for the encryption of data packets between sites.
4. To research and evaluate VoIP security protocols used to prevent/mitigate eavesdropping.
5. To implement a fully functional prototype of the VoIP system for internal communication.
6. To evaluate and assess the final prototype to see if it fully satisfies the client’s requirements and identify possible areas for future work/research.
7. To produce a dissertation that is a reflection of the entire project.
RESEARCH
1. Research Areas & Relevance to Project
• High availability (failover, redundancy) and its protocols in communication networks (LACP, STP/RSTP, HSRP, VRRP, GLBP, IS-IS, OSPF, EIGRP, RIP and Cisco IP SLA)
• WAN eavesdropping prevention technologies (VPN): SSL, PPTP, IPSec, MPLS
• VoIP security protocols: TLS, SRTP, ZRTP
RESEARCH (CONT’D)
2. Research Findings
• High availability concepts: hardware & software
• OSPF & EIGRP: similarities & differences
Eavesdropping Prevention
• Virtual Private Networks (VPNs): SSL, MPLS, PPTP, IPSec VPN
• Voice communication: SRTP vs ZRTP (compatibility)
Impacts of security mechanisms?
YES: High computational and communicational overhead (Khodabakhshi et al., 2013)
NO: Encryption technologies encrypt traffic at wire speed without interfering with QoS, call quality and performance (Dakur & Dakur, 2014)
Project author: in support of Khodabakhshi et al. (2013)
PROJECT METHODOLOGY
• Network Design: Hierarchical Design Model - Core, Distribution & Access layers (Cisco Systems, 2014)
[Figure: Hierarchical Design Model]
• VoIP Telephony Design: Top-down approach (Cisco Systems, 2012), aimed at tailoring specific applications to user requirements
PROTOTYPE DESIGN
• High Availability Design: Redundancies, ISPs, failover protocols
• WAN Security Design: IPSec VPN & GRE
• VoIP Telephony Design: 3CX PBX server, User Agents (UAs), Security

OSI-7 Layer Model
Layer  Name          Protocol/Technology
7      Application   3CX PBX Server, Softphones
6      Presentation  Codecs
5      Session       SIP
4      Transport     UDP, RTP, SRTP
3      Network       IP
2      Data Link     WAN technology used for connecting hosts in different sites: MPLS, leased line (represented using LAN cabling such as Serial and Gigabit Ethernet)
1      Physical      Link

Top-down Design Approach (protocols based on the OSI-7 Layer model)
PROTOTYPE IMPLEMENTATION
• Network: Redundancies, EIGRP, Cisco IP SLA
• WAN Security: IPSec VPN (4 tunnels)
Authentication – Pre-share
1) crypto isakmp key nandos address 172.16.1.2
2) crypto isakmp key chicken address 172.16.1.6
3) crypto isakmp key spicyribs address 172.16.2.2
4) crypto isakmp key pulledpork address 172.16.2.6
Integrity: MD5; Encryption: 3DES
Key Exchange: Diffie-Hellman group 2
• VoIP: SIP, RTP, UDP; Security: SRTP
[Figure: Prototype IPSec VPN Map - R1_SITE 1 (IPSec VPN 1 and 2), R2_MAIN (IPSec VPN 1, 2, 3 and 4), R3_SITE 2 (IPSec VPN 3 and 4); all WAN traffic encrypted]
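The ISAKMP settings listed on this slide (pre-shared keys, MD5 integrity, 3DES encryption, Diffie-Hellman group 2) are the kind of thing a reviewer would check against current IKE algorithm guidance before signing off a site-to-site design. The script below is an added example, not code from the project: it parses Cisco IOS `crypto isakmp` lines and reports settings that are now deprecated or weak. The four `crypto isakmp key` lines are taken from the slide; the `crypto isakmp policy 10` stanza is an assumed reconstruction of how the slide's stated algorithm choices would be configured in IOS, and the thresholds (`WEAK_*`, `MIN_PSK_LENGTH`) are the auditor's own policy, not IOS defaults.

```python
"""Added example: audit Cisco IOS IKEv1 (ISAKMP) settings for weak algorithms
and short pre-shared keys. Hypothetical helper, not part of the project."""
from __future__ import annotations

# Constructed sample: the four pre-shared-key lines from the slide, preceded by
# an ISAKMP policy stanza that is ASSUMED to be how the slide's stated settings
# (3DES encryption, MD5 integrity, Diffie-Hellman group 2) appear in IOS.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key nandos address 172.16.1.2
crypto isakmp key chicken address 172.16.1.6
crypto isakmp key spicyribs address 172.16.2.2
crypto isakmp key pulledpork address 172.16.2.6
"""

# Audit thresholds (defender's policy choices, not IOS defaults).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}   # 768-, 1024- and 1536-bit MODP groups
MIN_PSK_LENGTH = 20                 # characters; expect a random string, not a word


def audit_isakmp(config: str) -> list[str]:
    """Return one finding string per weak setting, in configuration order."""
    findings: list[str] = []
    policy = None  # id of the 'crypto isakmp policy' stanza currently open
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["crypto", "isakmp", "policy"] and len(parts) == 4:
            policy = parts[3]
            continue
        if raw.startswith(" ") and policy is not None and len(parts) > 1:
            # Indented lines belong to the open policy stanza.
            keyword, value = parts[0], parts[1]
            if keyword == "encryption" and value in WEAK_ENCRYPTION:
                findings.append(f"policy {policy}: encryption {value} is deprecated; use aes")
            elif keyword == "hash" and value in WEAK_HASH:
                findings.append(f"policy {policy}: hash {value} is deprecated; use sha256")
            elif keyword == "group" and value in WEAK_DH_GROUPS:
                findings.append(f"policy {policy}: DH group {value} is too small; use group 14 or higher")
            continue
        policy = None  # any non-indented line closes the stanza
        if parts[:3] == ["crypto", "isakmp", "key"] and "address" in parts[:-1]:
            # IOS syntax: crypto isakmp key [0|6] <keystring> address <peer>
            key_index = 4 if parts[3] in ("0", "6") else 3
            key = parts[key_index]
            peer = parts[parts.index("address") + 1]
            if len(key) < MIN_PSK_LENGTH:
                findings.append(
                    f"peer {peer}: pre-shared key is {len(key)} chars; "
                    f"use at least {MIN_PSK_LENGTH} random chars"
                )
    return findings


if __name__ == "__main__":
    # Running the script prints seven findings for the constructed sample:
    # three for policy 10 (3des, md5, group 2) and one per short pre-shared key.
    for finding in audit_isakmp(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config | section crypto isakmp` to get the findings list; an empty list means every policy stanza uses AES, a SHA-2 hash and DH group 14 or higher, and every pre-shared key meets the length threshold. The script only understands the IKEv1 `crypto isakmp` syntax shown on the slide; IKEv2 proposals use a different command tree and would need a separate parser.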
IMPLEMENTED PROTOTYPE SYSTEM
[Figure: Implemented prototype system - 3CX PBX Server, three IP Phones, and routers interconnected via interfaces G0/0, G0/1, G0/2, S0/0, S0/1, Fa0/1, Fa0/1/0 and Fa0/1/1]
RESULTS & PROTOTYPE EVALUATION
• Highly available WAN solution: (‘tracert’ command, ISP, fast convergence)
• Secured all WAN traffic against eavesdropping: Wireshark - network metric ‘ESP’ protocol
• Secure voice communication: network metric ‘SRTP’
[Figure: capture comparison - No VoIP security (listenable) vs Encrypted (unlistenable)]
• Active voice call continuity during connection downtime
Met all client requirements (evidence)
CLIENT FEEDBACK
Client’s Evaluation & Feedback
• Critical Evaluation of Client’s Feedback & Solutions
1. GLBP (or HSRP, VRRP, which are evaluated in chapter 2)
2. Extra redundancies (WAN links, ISPs)
EXPERIMENTAL FINDINGS
• Impacts of Security Techniques
Performance: Graph of RTD/RTT for unsecured & secured VPN
[Figure: Unsecured and IPSec Secured RTD/RTT Graph - y-axis RTD (ms); series: Unsecured, With IPSec VPN]
Supports Khodabakhshi et al. (2013)
• Performance Improvement: Protocol Tuning
1. EIGRP
2. Cisco IP SLA
EVALUATION AGAINST PROJECT OBJECTIVES
1. To research and evaluate the concept of high availability in communication networks. (Chapter 2)
2. To critically evaluate the various protocols used in high availability, including those for failover and redundancy. (Chapter 2)
3. To research and evaluate VPN technologies for the encryption of data packets between sites. (Chapter 3)
4. To research and evaluate VoIP security protocols used to prevent/mitigate eavesdropping. (Chapter 3)
5. To implement a fully functional prototype of the VoIP system for internal communication. (Chapter 5)
6. To evaluate and assess the final prototype to see if it fully satisfies the client’s requirements and identify possible areas for future work/research. (Chapters 6, 7 & 8)
7. To produce a dissertation that is a reflection of the entire project. (Submitted - Turnitin)
CONCLUSION
• A functional highly available site-to-site connection was designed and built based on research findings.
• IPSec VPN and SRTP technologies were implemented on the prototype system to secure all WAN traffic and voice packets, respectively, against eavesdropping attacks.
• The prototype supported active voice continuity during WAN failure.
• Protocol tuning aided network performance.
• The prototype system met all client requirements.
• The dissertation presented/met all project objectives.
• Extra experimentation verified the theoretical findings (security impacts, performance).
PROJECT MANAGEMENT
• Project Schedule and Gantt Chart
• Multitasking
THANK YOU
Question Time