Pro Viva Emmanuel

Date post: 07-Apr-2017
Upload: emmanuel-emegha

A SECURE HIGH AVAILABILITY CONNECTION BETWEEN MULTI-SITES FOR A VOIP COMMUNICATION SYSTEM WITH EAVESDROPPING PREVENTION SECURITY STRATEGIES

BY EMMANUEL EMEGHA

MSc Telecommunications Engineering

Client: Stephen Swales (University of Sunderland)

Project Supervisor: Dr Chris Bowerman

Second Marker: Dr Leslie Kingham

EXECUTIVE SUMMARY

In telecommunications engineering, high availability refers to techniques used to mitigate network downtime, while VPNs (Virtual Private Networks) are WAN connection technologies that provide data security (such as authentication, confidentiality and integrity) using encryption services. VoIP systems are implemented because of their flexibility, simplicity and low cost compared with traditional hard-wired telephone communication. However, their security vulnerabilities undermine the confidentiality of the voice packets being transmitted.

This project implements a highly available WAN network for a VoIP solution that allows active/on-going calls to continue should a link connecting two sites fail, with suitable protocols in place to restore links. The highly available network and VoIP solution are equipped with eavesdropping prevention technologies (IPSec VPN and SRTP) to render any tampered data/voice packets unreadable/unlistenable.

CLIENT & PROBLEM

• Client
• Problem: Network downtimes, WAN Security, Voice communication & Security

Client Requirements

• A highly available WAN network
• Site-to-Site Security (Eavesdropping)
• VoIP communication and Security (Eavesdropping)
• Active call continuity during WAN connection outages

PROJECT OBJECTIVES

1. To research and evaluate the concept of high availability in communication networks.
2. To critically evaluate the various protocols used in high availability including those for failover and redundancy.
3. To research and evaluate VPN technologies for the encryption of data packets between sites.
4. To research and evaluate VoIP security protocols used to prevent/mitigate eavesdropping.
5. To implement a fully functional prototype of the VoIP system for internal communication.
6. To evaluate and assess the final prototype to see if it fully satisfies the client’s requirements and identify possible areas for future work/research.
7. To produce a dissertation that is a reflection of the entire project.

RESEARCH

1. Research Areas & Relevance to project

• High availability (failover, redundancy) and its protocols in communication networks (LACP, STP/RSTP, HSRP, VRRP, GLBP, IS-IS, OSPF, EIGRP, RIP and Cisco IP SLA)
• WAN Eavesdropping Prevention Technologies (VPN) (SSL, PPTP, IPSec, MPLS)
• VoIP security protocols (TLS, SRTP, ZRTP)

RESEARCH (CONT’D)

2. Research Findings

• High availability concepts: Hardware & Software
• OSPF & EIGRP: Similarities & differences

Eavesdropping Prevention

• Virtual Private Networks (VPNs): SSL, MPLS, PPTP, IPSec VPN
• Voice Communication: SRTP vs ZRTP (compatibility)

Impacts of Security Mechanism?

YES: High computational and communicational overhead (Khodabakhshi et al., 2013)
NO: Encryption technologies encrypt traffic at wire-speed without interfering with QoS, call quality and performance (Dakur & Dakur, 2014)
Project Author: In support of Khodabakhshi et al. (2013)

PROJECT METHODOLOGY

• Network Design: Hierarchical Design Model - Core, Distribution & Access layers (Cisco Systems, 2014)

Figure: Hierarchical Design Model

• VoIP Telephony Design: Top-down approach (Cisco Systems, 2012), aimed at tailoring specific applications to user requirements

PROTOTYPE DESIGN

• High Availability Design: Redundancies, ISPs, failover protocols
• WAN Security Design: IPSec VPN & GRE
• VoIP Telephony Design: 3CX PBX server, User Agents (UAs), Security

OSI-7 Layer Model

Layer  Name           Protocol/Technology
7      Application    3CX PBX Server, Softphones
6      Presentation   Codecs
5      Session        SIP
4      Transport      UDP, RTP, SRTP
3      Network        IP
2      Data Link      WAN technology used for connecting hosts in different sites: MPLS, leased line (represented using LAN cabling such as Serial and Gigabit Ethernet)
1      Physical Link

Top-down Design Approach (Protocols based on OSI-7 Layer)

PROTOTYPE IMPLEMENTATION

• Network: Redundancies, EIGRP, Cisco IP SLA
• WAN Security: IPSec VPN (4 Tunnels)

Authentication – Pre-share

1) crypto isakmp key nandos address 172.16.1.2
2) crypto isakmp key chicken address 172.16.1.6
3) crypto isakmp key spicyribs address 172.16.2.2
4) crypto isakmp key pulledpork address 172.16.2.6

Integrity: MD5
Encryption: 3DES
Key Exchange: Diffie-Hellman group 2

• VoIP: SIP, RTP, UDP, Security: SRTP

Figure: Prototype IPSec VPN Map. Encrypted WAN traffic between R1_SITE 1, R2_MAIN and R3_SITE 2; tunnel labels: IPSec VPN 1 and 2; IPSec VPN 1, 2, 3 and 4; IPSec VPN 3 and 4.
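
A check a reviewer could run against this Phase 1 configuration, as an added example that is not part of the original presentation: it parses IOS-style ISAKMP lines and flags MD5, DES/3DES, Diffie-Hellman groups 1, 2 and 5, and short or letters-only pre-shared keys. The policy block layout, the hardened variant, the thresholds and the function name `audit_isakmp` are assumptions made for the example.

```python
import re

# Constructed sample: the slide's four key lines plus an ISAKMP policy block
# written from the slide's stated parameters (block layout is assumed).
SLIDE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key nandos address 172.16.1.2
crypto isakmp key chicken address 172.16.1.6
crypto isakmp key spicyribs address 172.16.2.2
crypto isakmp key pulledpork address 172.16.2.6
"""
# Constructed counterpart with stronger phase 1 parameters and a placeholder key.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Ex4mple-Placeholder-Key-0001 address 172.16.1.2
"""
# Thresholds are assumptions for this example, not values from the slides.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
MIN_PSK_LEN = 20
POLICY_RE = re.compile(r"^\s+(encr|hash|group)\w*\s+(.+?)\s*$", re.I)
KEY_RE = re.compile(r"^crypto isakmp key (?:([06]) )?(\S+) address (\S+)", re.I)

def audit_isakmp(config):
    """Return (line_number, issue) tuples for weak IKE phase 1 settings."""
    findings, in_policy = [], False
    for n, line in enumerate(config.splitlines(), 1):
        if not line.startswith(" "):  # top-level command opens or closes a block
            in_policy = line.lower().startswith("crypto isakmp policy")
        m = POLICY_RE.match(line) if in_policy else None
        if m and m.group(2).lower() in WEAK[m.group(1).lower()]:
            findings.append((n, f"{m.group(1).lower()} {m.group(2).lower()}"))
        m = KEY_RE.match(line)
        if m and m.group(1) != "6":  # type 6 keys are stored encrypted; skip them
            key, peer = m.group(2), m.group(3)
            if len(key) < MIN_PSK_LEN or key.isalpha():
                findings.append((n, f"weak pre-shared key for peer {peer}"))
    return findings

if __name__ == "__main__":
    for cfg in (SLIDE_CONFIG, HARDENED_CONFIG):
        print(audit_isakmp(cfg))
```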

IMPLEMENTED PROTOTYPE SYSTEM

Figure: Network diagram of the implemented prototype system, showing the 3CX PBX Server, IP Phones and device interface labels (Gigabit Ethernet, Fast Ethernet and Serial).

RESULTS & PROTOTYPE EVALUATION

• Highly available WAN solution: (‘tracert’ command, ISP, fast convergence)
• Secured all WAN traffic against eavesdropping: Wireshark - Network metric ‘ESP’ protocol.
• Secure voice communication: Network metric ‘SRTP’

Figure: No VoIP security (listenable) and Encrypted (unlistenable)

• Active voice call continuity during connection downtime

Met all client requirements (Evidence)

CLIENT FEEDBACK

Client’s Evaluation & Feedback

• Critical Evaluation of Client’s Feedback & Solutions
1. GLBP (or HSRP, VRRP which are evaluated in chapter 2)
2. Extra Redundancies (WAN links, ISPs)

EXPERIMENTAL FINDINGS

• Impacts of Security Techniques

Performance: Graph of RTD/RTT for Unsecured & Secured VPN

Figure: Unsecured and IPSec Secured RTD/RTT Graph (RTD in ms; series: Unsecured, With IPSec VPN)

Supports Khodabakhshi et al. (2013)

• Performance Improvement: Protocol Tuning
1. EIGRP
2. Cisco IP SLA

EVALUATION AGAINST PROJECT OBJECTIVES

1. To research and evaluate the concept of high availability in communication networks. (Chapter 2)
2. To critically evaluate the various protocols used in high availability including those for failover and redundancy. (Chapter 2)
3. To research and evaluate VPN technologies for the encryption of data packets between sites. (Chapter 3)
4. To research and evaluate VoIP security protocols used to prevent/mitigate eavesdropping. (Chapter 3)
5. To implement a fully functional prototype of the VoIP system for internal communication. (Chapter 5)
6. To evaluate and assess the final prototype to see if it fully satisfies the client’s requirements and identify possible areas for future work/research. (Chapter 6, 7 & 8)
7. To produce a dissertation that is a reflection of the entire project. (Submitted - Turnitin)

CONCLUSION

• A functional highly available site-to-site connection was designed and built based on research findings.
• IPSec VPN and SRTP technologies were implemented on the prototype system to secure all WAN traffic and voice packets against eavesdropping attacks respectively.
• Prototype supported active voice continuity during WAN failure.
• Protocol tuning aided network performance.
• Prototype system met all client requirements
• Dissertation presented/met all project objectives
• Extra experimentations to verify theoretical findings (security impacts, performance)

PROJECT MANAGEMENT

• Project Schedule and Gantt Chart
• Multitasking

THANK YOU

Question Time

