Pro Viva Emmanuel

  1. A SECURE HIGH AVAILABILITY CONNECTION BETWEEN MULTI-SITES FOR A VOIP COMMUNICATION SYSTEM WITH EAVESDROPPING PREVENTION SECURITY STRATEGIES
     By Emmanuel Emegha, MSc Telecommunications Engineering
     Client: Stephen Swales (University of Sunderland)
     Project Supervisor: Dr Chris Bowerman
     Second Marker: Dr Leslie Kingham
  2. EXECUTIVE SUMMARY
     In telecommunications engineering, high availability refers to the techniques used to minimise network downtime, while VPNs (Virtual Private Networks) are WAN connection technologies that provide data security (authentication, confidentiality and integrity) using encryption services. VoIP systems are adopted for their flexibility, simplicity and low cost compared with traditional hard-wired telephony. However, their security vulnerabilities undermine the confidentiality of the voice packets being transmitted. This project implements a highly available WAN for a VoIP solution that allows active calls to continue should a link between two sites fail, using suitable protocols to restore connectivity. The highly available network and VoIP solution are equipped with eavesdropping prevention technologies (IPSec VPN and SRTP) so that any intercepted data or voice packets are unreadable or unlistenable.
  3. CLIENT & PROBLEM
     • Client: Stephen Swales (University of Sunderland)
     • Problem: network downtime, WAN security, voice communication and its security
     Client requirements:
     • A highly available WAN network
     • Site-to-site security (against eavesdropping)
     • VoIP communication and its security (against eavesdropping)
     • Active call continuity during WAN connection outages
  4. PROJECT OBJECTIVES
     1. To research and evaluate the concept of high availability in communication networks.
     2. To critically evaluate the various protocols used in high availability, including those for failover and redundancy.
     3. To research and evaluate VPN technologies for the encryption of data packets between sites.
     4. To research and evaluate VoIP security protocols used to prevent or mitigate eavesdropping.
     5. To implement a fully functional prototype of the VoIP system for internal communication.
     6. To evaluate and assess the final prototype to see whether it fully satisfies the client's requirements, and to identify possible areas for future work/research.
  5. RESEARCH
     1. Research areas and relevance to the project
     • High availability (failover, redundancy) and its protocols in communication networks (LACP, STP/RSTP, HSRP, VRRP, GLBP, IS-IS, OSPF, EIGRP, RIP and Cisco IP SLA)
     • WAN eavesdropping prevention technologies (VPN): SSL, PPTP, IPSec, MPLS
     • VoIP security protocols: TLS, SRTP, ZRTP
  6. RESEARCH (CONT'D)
     2. Research findings
     • High availability concepts: hardware and software
     • OSPF and EIGRP: similarities and differences
     Eavesdropping prevention
     • Virtual Private Networks (VPNs): SSL, MPLS, PPTP, IPSec VPN. Note that an MPLS VPN separates customer traffic but does not encrypt it, and PPTP's MS-CHAPv2 authentication is cryptographically broken; of the four, only IPSec and SSL/TLS VPNs give confidentiality against an eavesdropper on the WAN.
     • Voice communication: SRTP vs ZRTP (compatibility)
     Does the security mechanism impact performance?
     • YES: high computational and communication overhead (Khodabakhshi et al., 2013)
     • NO: encryption technologies encrypt traffic at wire speed without interfering with QoS, call quality or performance (Dakur & Dakur, 2014)
     • Project author: in support of Khodabakhshi et al. (2013)
  7. PROJECT METHODOLOGY
     • Network design: Hierarchical Design Model with core, distribution and access layers (Cisco Systems, 2014)
     • VoIP telephony design: top-down approach (Cisco Systems, 2012), aimed at tailoring specific applications to user requirements
  8. PROTOTYPE DESIGN
     • High availability design: redundancies, ISPs, failover protocols
     • WAN security design: IPSec VPN and GRE
     • VoIP telephony design: 3CX PBX server, User Agents (UAs), security
     Top-down design approach (protocols mapped to the OSI 7-layer model):
       Layer  Name          Protocol/Technology
       7      Application   3CX PBX Server, softphones
       6      Presentation  Codecs
       5      Session       SIP
       4      Transport     UDP, RTP, SRTP
       3      Network       IP
       2      Data Link     WAN technology used to connect hosts in different sites: MPLS, leased line (represented using LAN cabling such as Serial and Gigabit Ethernet)
       1      Physical      Link
     Note that SIP signalling appears here over plain UDP: between sites it is protected only by the IPSec tunnel, and within a site it travels in the clear unless SIP over TLS is enabled on the PBX and phones.
  9. PROTOTYPE IMPLEMENTATION
     • Network: redundancies, EIGRP, Cisco IP SLA
     • WAN security: IPSec VPN (4 tunnels)
       Prototype IPSec VPN map: R2_MAIN terminates all four tunnels (IPSec VPN 1, 2, 3 and 4); R1_SITE 1 terminates tunnels 1 and 2 and R3_SITE 2 terminates tunnels 3 and 4, so all WAN traffic between sites is encrypted.
       Authentication: pre-shared keys
         crypto isakmp key nandos address 172.16.1.2
         crypto isakmp key chicken address 172.16.1.6
         crypto isakmp key spicyribs address 172.16.2.2
         crypto isakmp key pulledpork address 172.16.2.6
       Integrity: MD5
       Encryption: 3DES
       Key exchange: Diffie-Hellman group 2
       Caveat: these parameters were adequate for a lab prototype but are weak by current standards. 3DES is a 64-bit block cipher (Sweet32), MD5 is collision-broken and DH group 2 is 1024-bit MODP; all three are deprecated for IKE/IPSec, and the pre-shared keys shown are dictionary words. A production deployment would use AES-256, SHA-256 and DH group 14 or larger (or ECDH groups 19/20) with long random pre-shared keys or certificate authentication.
     • VoIP: SIP, RTP, UDP; security: SRTP
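As an added example (not the dissertation's own configuration), the IKEv1/IPSec policy described on this slide is shown beside a hardened equivalent in Cisco IOS syntax, written for R2_MAIN towards the first peer on the slide (172.16.1.2). The policy number, the names WEAK, STRONG and PROF, the tunnel addressing, the Serial0/0 source interface and the placeholder pre-shared key are assumptions; the prototype's real values beyond the four key lines are not on the page.

```cisco
! --- Phase 1 / phase 2 as used in the prototype (weak by current standards) ---
! 3DES: 64-bit block cipher (Sweet32); MD5: collision-broken; group 2: 1024-bit MODP
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Dictionary-word PSK from the slide
crypto isakmp key nandos address 172.16.1.2
crypto ipsec transform-set WEAK esp-3des esp-md5-hmac
 mode tunnel

! --- Hardened equivalent (assumed names, same topology) ---
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! Replace the placeholder with at least 32 random characters (e.g. from /dev/urandom)
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 172.16.1.2
! Dead peer detection so a failed tunnel is torn down instead of black-holing traffic
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
 mode tunnel
! Fresh Diffie-Hellman exchange for every IPsec SA (perfect forward secrecy)
crypto ipsec profile PROF
 set transform-set STRONG
 set pfs group14
! GRE tunnel to site 1 protected by the profile (slide 8 names IPSec VPN + GRE)
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 172.16.1.2
 tunnel protection ipsec profile PROF
```

The same policy applies to the other three peers with their own keys; on platforms that support it, IKEv2 (crypto ikev2 proposal/policy/profile) with the same AES-256/SHA-256/group 14 parameters is preferable to IKEv1. Verify the negotiated parameters with `show crypto isakmp sa detail` and `show crypto ipsec sa`, and confirm on a Wireshark capture of the WAN link that only ESP (and IKE on UDP/500 or 4500) is visible.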
  10. IMPLEMENTED PROTOTYPE SYSTEM
      [Topology diagram: 3CX PBX server and IP phones behind the site routers, interconnected over Gigabit Ethernet, Fast Ethernet and Serial interfaces]
  11. RESULTS & PROTOTYPE EVALUATION
      • Highly available WAN solution: verified with the 'tracert' command, ISP failover and fast convergence
      • All WAN traffic secured against eavesdropping: Wireshark captures on the WAN links show only the ESP protocol
      • Secure voice communication: Wireshark captures show SRTP. Without VoIP security the captured RTP stream is listenable; encrypted, it is unlistenable. [Figure: Wireshark captures, unsecured vs encrypted] Check: Wireshark labels a stream SRTP from the RTP/SAVP profile in the captured SDP, not from the packets themselves, so the capture should also show the crypto attribute or key exchange that set up the keys, and the RTP header (SSRC, sequence number, timestamp, payload type) remains readable even when the payload is encrypted.
      • Active voice call continuity during connection downtime
      Met all client requirements (evidence)
  12. CLIENT FEEDBACK
      • Client's evaluation and feedback
      • Critical evaluation of the client's feedback and solutions:
        1. GLBP (or HSRP, VRRP, which are evaluated in chapter 2)
        2. Extra redundancies (WAN links, ISPs)
  13. EXPERIMENTAL FINDINGS
      [Graph: RTD/RTT (ms) of unsecured vs IPSec-secured WAN traffic]
      • Impacts of security techniques on performance: the RTD/RTT graph for unsecured and IPSec-secured traffic shows higher delay on the secured links, supporting Khodabakhshi et al. (2013)
      • Performance improvement through protocol tuning:
        1. EIGRP
        2. Cisco IP SLA
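As an added example (not taken from the dissertation), this is the kind of Cisco IP SLA and EIGRP tuning the slide refers to, written in Cisco IOS syntax for R2_MAIN. The ISP next hops (203.0.113.1 primary, 198.51.100.1 backup), the Serial0/0 and Serial0/1 interface roles, the EIGRP autonomous system 100 and the timer values are assumptions; the prototype's actual values are not on the page.

```cisco
! Probe the primary ISP next hop every 5 s; a single missed reply marks it unreachable
ip sla 1
 icmp-echo 203.0.113.1 source-interface Serial0/0
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
! Dampen flapping: withdraw quickly, restore only after 10 s of stable replies
track 1 ip sla 1 reachability
 delay down 2 up 10

! Primary default route is removed when track 1 goes down; the floating static
! (administrative distance 200) via the backup ISP then takes over
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 200

! EIGRP between sites: faster neighbour-loss detection on the WAN links
! (defaults are 5 s hello / 15 s hold; aggressive timers can flap on lossy links)
router eigrp 100
 network 172.16.0.0 0.0.255.255
 network 10.0.0.0 0.255.255.255
 passive-interface GigabitEthernet0/0
interface Serial0/0
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
interface Serial0/1
 ip hello-interval eigrp 100 1
 ip hold-time eigrp 100 3
```

The IP SLA track catches the failure EIGRP alone cannot see: an ISP path that is dead while the local interface stays up. Both IPSec tunnels to a site must already be established before the failure, since a tunnel that has to negotiate IKE after the route flips adds seconds of delay during which an active SRTP call drops. Check the behaviour with `show track`, `show ip sla statistics` and `show ip eigrp neighbors` while the primary link is pulled.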
  14. EVALUATION AGAINST PROJECT OBJECTIVES
      1. To research and evaluate the concept of high availability in communication networks. (Chapter 2)
      2. To critically evaluate the various protocols used in high availability, including those for failover and redundancy. (Chapter 2)
      3. To research and evaluate VPN technologies for the encryption of data packets between sites. (Chapter 3)
      4. To research and evaluate VoIP security protocols used to prevent or mitigate eavesdropping. (Chapter 3)
      5. To implement a fully functional prototype of the VoIP system for internal communication. (Chapter 5)
      6. To evaluate and assess the final prototype to see whether it fully satisfies the client's requirements, and to identify possible areas for future work/research. (Chapters 6, 7 & 8)
      7. To produce a dissertation that is a reflection of the entire project. (Submitted -
  15. CONCLUSION
      • A functional, highly available site-to-site connection was designed and built based on the research findings.
      • IPSec VPN and SRTP were implemented on the prototype system to secure all WAN traffic and voice packets, respectively, against eavesdropping attacks.
      • The prototype supported active voice continuity during WAN failure.
      • Protocol tuning aided network performance.
      • The prototype system met all client requirements.
      • The dissertation presented and met all project objectives.
      • Extra experiments verified the theoretical findings (security impacts, performance).
  16. PROJECT MANAGEMENT
      • Project schedule and Gantt chart
      • Multitasking
  17. THANK YOU
      Question time