
Development Of An Improved Application Specific Tunnelling Protocol Selection Scheme For Site To Site Virtual Private Networks


ABSTRACT

 

This dissertation presents the development of an improved application specific tunnelling protocol selection scheme (iASTPSS) for site-to-site virtual private networks (VPN). The aim is to develop an improved tunnelling protocol selection scheme for site-to-site VPN that is application specific, providing security, bandwidth, and time sensitivity as services for applications. ASTPSS was developed for security, bandwidth, and time sensitive applications, but in the Internet protocol security (IPsec) tunnel, which is responsible for providing security as a service to applications, the security algorithms used, such as triple data encryption standard (3DES) and message digest 5 (MD5), are vulnerable to a couple of attacks, which exposes the network to them. Therefore, iASTPSS was developed to address these attacks through configurations on the tunnel and security algorithms with longer block size and key length, namely advanced encryption standard 256 (AES256) and secure hash algorithm 256 (SHA256), that were optimised against these attacks. All software necessary for the emulation, namely Graphical Network Simulator-3 (GNS3), the Windows 7 operating system (OS), virtual personal computers (VPCs) and Cisco Internetwork Operating System (IOS), was set up in a virtual network environment running on Ubuntu 14.04 long term support (LTS) as host. Considering security, bandwidth, and time sensitivity as application requirements in a site-to-site VPN testbed, two layer-3 tunnelling protocols that met these requirements, IPsec and generic routing encapsulation (GRE), were deployed on the network developed in GNS3. Network performance was measured using throughput, latency, and round-trip time (RTT) as metrics. In the first stage of development in the IPsec tunnel, using these metrics, a trade-off of network performance for security occurred in iASTPSS in comparison to ASTPSS due to the computational overhead involved in the encryption process of iASTPSS.
A second instance of iASTPSS was then developed for the IPsec tunnel, using the open shortest path first (OSPF) routing protocol to improve route convergence time and scale up the network. The effect of using OSPF was seen in the improvement of network performance: throughput improved by 1.62%, with corresponding reductions in latency and RTT of 12.58% and 9.25% respectively, compared to the first instance of iASTPSS, which was configured with RIPv2. Consequently, this made the second instance of iASTPSS also suitable for both bandwidth and time sensitive applications besides security. In the GRE tunnel, iASTPSS outperformed ASTPSS with an improvement in throughput of 10.90% and reductions in latency and RTT of 17.08% and 66.29% respectively.

 

TABLE OF CONTENTS

TITLE PAGE
DECLARATION
CERTIFICATION
DEDICATION
ACKNOWLEDGEMENT
ABSTRACT
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF APPENDICES
LIST OF ABBREVIATIONS
CHAPTER ONE: INTRODUCTION
1.1 Background of Research
1.2 Significance of Research
1.3 Statement of Problem
1.4 Aim and Objectives
1.5 Scope of Research
CHAPTER TWO: LITERATURE REVIEW
2.1 Introduction
2.2 Review of Fundamental Concepts
2.2.1 Internet protocol addressing
2.2.1.1 Classes of IP address
2.2.1.2 Private IP addresses
2.2.2 Network and networking
2.2.2.1 VPN vulnerabilities
2.2.2.2 Types of VPN
2.2.1.3 VPN tunnelling protocols classification
2.2.3 Overview of layer 3 tunnelling protocols
2.2.4 Access control lists
2.2.4.1 Types of access lists
2.2.5 Routers and routing protocols
2.2.5.1 Routing protocols
2.2.6 Network security
2.2.6.1 Data encryption standard
2.2.6.2 3DES
2.2.6.3 Advanced encryption standard
2.2.6.4 Hashing algorithms
2.2.7 Network performance metrics
2.2.8 Graphical network simulator
2.3 Review of Similar Works
CHAPTER THREE: MATERIALS AND METHODS
3.1 Introduction
3.2 Materials
3.2.1 Hardware platform
3.2.2 VM workstation pro v12.0.1.3
3.2.3 GNS3 software
3.2.4 GNS3 VM
3.2.5 Windows7 OS
3.3 Methods
3.3.1 Network topology design and development
3.3.2 ASTPS implementation
3.3.3 iASTPSS implementation
3.3.4 Experimental procedure for ASTPS and iASTPSS
3.3.5 Performance validation
3.3.5.1 Throughput parameters and conversion
CHAPTER FOUR: RESULTS AND DISCUSSIONS
4.1 Introduction
4.2 Experimental Outcome
4.3 Result Analysis
4.4 Performance Comparison and Analysis
4.4.1 Result comparison and analysis from the IPsec tunnel
4.4.1.1 iASTPSS_case1 and ASTPS comparison in terms of throughput from the IPsec tunnel
4.3.1.2 iASTPSS_case1 and ASTPS comparison in terms of latency from the IPsec tunnel
4.4.1.3 iASTPSS_case1 and ASTPS comparison in terms of RTT from the IPsec tunnel
4.4.2 iASTPSS_case1 and iASTPSS_case2 results comparison and analysis
4.4.2.1 iASTPSS_case2 and iASTPSS_case1 comparison using throughput
4.4.2.2 iASTPSS_case2 and iASTPSS_case1 comparison using latency
4.4.2.3 Comparison of iASTPSS_case2 and iASTPSS_case1 using RTT
4.4.3 Results comparison and analysis from the GRE tunnel
4.4.3.2 iASTPSS and ASTPS comparison and analysis in terms of latency
4.4.3.3 iASTPSS and ASTPS comparison and analysis in terms of RTT
4.5 Performance Percentage Improvement of iASTPSS over ASTPS
CHAPTER FIVE: CONCLUSION AND RECOMMENDATION
5.1 Summary
5.2 Conclusion
5.3 Significant Contributions
5.4 Recommendations for Further Work
REFERENCES

 


 

CHAPTER ONE

INTRODUCTION
1.1 Background of Research
A virtual private network (VPN) is a private but virtual network created in a public network. It allows the creation of private networks in a public network such as the Internet, enabling privacy and tunnelling of Internet protocol (IP) and non-IP networks (Shrivastava & Rizvi, 2014). The Internet is not secured to guarantee the safety of data transmitted across it from source to destination for participating networks. This is because no layer provides security by default for transmitted packets, except with the intervention of an Internet service provider (ISP) through the provision of dedicated or leased lines. Obtaining security through the use of these lines comes at a cut-throat price to organizations. VPN offers this security at a minimal cost through the use of VPN tunnelling protocols. Tunnelling, as seen in Fig. 1.1, is the process of wrapping a data payload with the header information of a protocol and passing it through a tunnel across the network from source to destination. It involves data encapsulation, data transfer, and data de-encapsulation. VPNs are used daily to give remote users and branch offices secured connectivity over the Internet to the corporate headquarters instead of using leased or permanent lines. The security services offered by VPN are confidentiality, authenticity, and data integrity, which protect transmitted data against interception by unauthorised persons (Ismoyo & Wardhani, 2016).
Fig. 1.1: Tunnelling Process (Degefa, 2015)
The process seen in Fig. 1.1 shows a data payload that is encapsulated at the source end and passed through the tunnel to the destination end, where it is de-encapsulated to retrieve the payload. The payload at the source end is wrapped with an extra header, which is the protocol information of the tunnelling protocol used (Degefa, 2015).
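The encapsulation and de-encapsulation steps described above, shown for a GRE tunnel as an added example (not code from the dissertation): the inner packet is wrapped in a basic GRE header and an outer IPv4 header at the source end, then validated and stripped at the destination end. The addresses, payload and function names are constructed for illustration.

```python
import struct

GRE_PROTO = 47            # IPv4 protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header without options, followed by the payload."""
    s, d = (bytes(map(int, a.split("."))) for a in (src, dst))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Source end: prepend a basic GRE header, then the outer IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no flags, version 0
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)

def gre_decapsulate(outer: bytes) -> bytes:
    """Destination end: validate and strip the outer IP and GRE headers."""
    ihl = (outer[0] & 0x0F) * 4
    if checksum(outer[:ihl]) != 0:
        raise ValueError("outer IP header checksum mismatch")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer packet does not carry GRE")
    flags_version, proto = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags_version != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("GRE options or payload type not handled here")
    total_len = struct.unpack("!H", outer[2:4])[0]
    return outer[ihl + 4:total_len]

# Constructed sample: a LAN-to-LAN packet (payload bytes stand in for a UDP
# datagram) and documentation-range addresses as the tunnel endpoints.
INNER = ipv4_packet("192.168.1.10", "192.168.2.20", 17, b"constructed payload")
OUTER = gre_encapsulate(INNER, "203.0.113.1", "198.51.100.1")

if __name__ == "__main__":
    print(len(INNER), len(OUTER))           # GRE over IPv4 adds 24 bytes
    print(gre_decapsulate(OUTER) == INNER)  # payload recovered unchanged
    # GRE adds no encryption: the inner packet is readable inside the outer one.
    print(INNER in OUTER)
```

GRE on its own only encapsulates, so the inner packet travels in clear text inside the outer one; confidentiality and integrity have to come from a protocol such as IPsec.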
The virtual concept in VPN is due to the fact that the physical infrastructure of the network is transparent to the VPN user, though not owned by the VPN user. It is also private due to the privacy (advanced encryption and authentication) of the traffic that flows through the VPN. Finally, it is a network that has no physical network infrastructure of its own; it exists as part of an existing network (Elezi & Raufi, 2015).
Over time, VPN tunnelling protocols have been deployed based on the technology involved and the area of deployment. Some tunnelling protocols are an alternative to others, such as transport layer security (TLS) and secure sockets layer (SSL), while some are used in conjunction with one another. Examples of protocols used in conjunction with one another are layer two tunnelling protocol over Internet protocol security (L2TP/IPsec) or point to point tunnelling protocol over Internet protocol security (PPTP/IPsec). Based on this, tunnelling protocols such as IPsec, generic routing encapsulation (GRE) and multiprotocol label switching (MPLS) are mostly used for site-to-site VPN. PPTP, L2TP/IPsec and SSL, on the other hand, are used for remote access VPN (Lammle, 2013).
Most recently, there has been a paradigm shift away from deploying tunnelling protocols according to the technology involved or the area of deployment, as research has begun advocating for the deployment of VPN technologies based on organizational needs or application requirements (Jahan et al., 2017). This advocacy is timely, as deploying VPN technology based on application requirements or organizational needs would not only reduce network overhead in terms of management cost but would also improve network performance in terms of latency and throughput (Jahan et al., 2017).
1.2 Significance of Research
VPN provides a cost-effective, secure and scalable platform for connecting branch offices to the head office, or a remote user to the enterprise network, through the Internet, compared to leased or dedicated lines issued by ISPs. This is because VPN leverages the existing physical network infrastructure to achieve security and scalability at a minimal cost. The major reason for deploying VPN on a network, aside from cost saving, is security.
However, the deployment of VPN on a network is achieved through tunnelling technologies, which should be chosen in compliance with organizational needs or application requirements (Jahan et al., 2017). Beyond this, it is also necessary to ensure that a trade-off is maintained between performance, security and the chosen protocol. This could be achieved by using protocols that complement each other's operation, since a weakness in one protocol could be a strength in another. Previous research on VPN tunnelling protocols was based on the following (Jahan et al., 2017):
a) areas of deployment (either site to site or remote access) and
b) VPN classification (secured or trusted, Layer 2 and Layer 3)
Meanwhile, not much attention has been paid to the deployment of these technologies based on specific application requirements or organizational needs. Taking cognisance of the fact that security is the main thrust of VPN, this research took a step further on the application specific tunnelling protocol selection scheme (ASTPSS) by Jahan et al. (2017) by strengthening the security algorithm, with the aim of further strengthening the tunnel against possible forms of unauthorised access on the network. This is to meet the security-as-a-service need of applications. In the final analysis, an improved ASTPSS (iASTPSS) for site-to-site VPN was developed that provides security, bandwidth, and time sensitivity as requirements for applications, with appreciable throughput, latency and RTT values on the IPsec and GRE tunnels.
1.3 Statement of Problem
VPN is deployed in networks basically for the benefits it renders, such as security, scalability and cost saving. In fact, security is the major goal of VPN deployment in networks. Security vulnerabilities are the major problems associated with VPN. These vulnerabilities arise mostly from the encryption and hashing algorithms used in the VPN. Encryption and hashing algorithms with shorter key lengths and block sizes are known to be vulnerable to certain forms of attacks. In addition, they reduce attack complexity. Using security algorithms with longer key lengths and block sizes mitigates these vulnerabilities with an increase in attack complexity. Also, the earlier practice of VPN deployment based on the technology involved or the area of deployment, instead of deployment according to application needs, introduces vulnerabilities in the network, especially where the deployed tunnelling protocols are not compatible in operation. As a result, research is now advocating VPN deployment based on application requirements (Jahan et al., 2017). Deploying a VPN technology without reference to organizational needs or application requirements would, besides creating extra vulnerability in the network, also increase network overhead in terms of management cost. As a result, it is expedient to deploy VPN technologies based on application requirements and to draw a line between application requirements and the technology to be deployed, while placing a high premium on security.
1.4 Aim and Objectives
The aim of this research is to develop an improved application specific tunnelling protocol selection scheme for site-to-site VPN.
The objectives are:
a) To emulate, on a virtual machine, the network environment necessary for the implementation of the application specific tunnelling protocol selection scheme (ASTPSS) by Jahan et al. (2017).
b) To develop an improved ASTPSS based on a), called iASTPSS.
c) To perform a comparison of iASTPSS and ASTPSS using throughput, latency and round-trip time (RTT) as metrics.
1.5 Scope of Research
The scope of the research is as follows:
a) It is limited to ASTPSS for site to site VPN that requires security, bandwidth and time sensitivity as application requirements using IPsec and GRE with the network topology set up in a virtual environment in GNS3.
b) Network performance is measured using throughput, latency, and RTT as metrics.