
Implementation of Network Security and VOIP technology

CAPSTONE PROJECT-II
Submitted in partial fulfillment of the Requirement for the award of the Degree of

BACHELOR OF TECHNOLOGY IN (Electronics and Communication Engineering)

Manik Garg (Registration Number: 10900871)
Roop Kanwal (Registration Number: 10900033)
Divya Pahwa (Registration Number: 10901208)
Ramandeep Kaur (Registration Number: 10901210)
Mayank Shah (Registration Number: 10900154)
Under the Guidance of Mr. Sonit Singh

(Lovely School of Electronics and Communication Engineering) Lovely Professional University Punjab APRIL, 2013


CERTIFICATE
This is to certify that the Dissertation titled "Implementation of Network Security and VOIP technology" made by this group of students is correct to the best of my knowledge and belief. The Capstone Project Proposal based on the technology / tool learnt is fit for the submission and partial fulfillment of the conditions for the award of B.Tech in Electronics and Communication from Lovely Professional University, Phagwara.

Name: Sonit Singh Designation: Assistant professor Signature of Faculty Mentor

Objective of the Capstone project is satisfactory / unsatisfactory

Examiner I

Examiner II


ACKNOWLEDGEMENT
To make a project there is a need of guidance and motivation at every step. This gives us encouragement to do our best and helps in reaching the goal. We feel immense pleasure to express our sincere thanks and deep sense of gratitude, as it has been our privilege to work under the best guidance of Mr. Sonit Singh. His interest, perception and constant encouragement gave us confidence to carry out this study.

Roop Kanwal (10900033), Divya Pahwa (10901208), Manik Garg (10900871), Ramandeep Kaur (10901210), Mayank Shah (10900154)


DECLARATION
We hereby declare that the project work entitled Implementation on Network Security and VOIP Technology is an authentic record of our own work carried out as requirements of Capstone Project (Part-I) for the award of degree of B.Tech. in Electronics and Communication from Lovely Professional University, Phagwara, under the guidance of Mr. Sonit Singh , during August to December, 2012.

Project Group Number: LPU/0903

Name of Group Member


Roop Kanwal (10900033), Divya Pahwa (10901208), Manik Garg (10900871), Ramandeep Kaur (10901210), Mayank Shah (10900154)

Signature of the member


ABSTRACT
This project creates a complex network similar to the networks deployed in everyday offices, colleges, enterprises and organizations. This report presents an overview of the campus network architecture and includes descriptions of the various design considerations, topologies, technologies, configuration design guidelines, and other considerations relevant to the design of a highly available, full-service campus switching fabric. It is also intended to serve as a guide that directs readers to more specific campus design best practices and configuration examples for each of the specific design options, and it can be used as a manual by network administrators and designers when designing more complex networks. The aim of the project is to design a complex network that can be implemented in practical daily-life situations, to use VoIP technology in it, and to understand the security attacks that hackers use against a network together with the measures that protect the network from unauthorized access and damage.


TABLE OF CONTENTS

Implementation of Network Security and VOIP technology ........ 1
Certificate ........ 2
Acknowledgment ........ 3
Declaration ........ 4
Abstract ........ 5
Table of Contents ........ 6
Table of Figures ........ 8
Chapter 1 ........ 9
    1.1 Introduction ........ 9
Chapter 2 ........ 10
    2.1 Key terms and scope of study ........ 12
    2.2 Wireless network attacks ........ 13
    2.2.1 Identity theft (MAC spoofing) ........ 13
    2.2.2 Man in the middle attack ........ 14
    2.2.3 Unauthorized access ........ 19
    2.3 VoIP technology ........ 21
    2.3.1 Benefits of IP communications ........ 21
    2.3.2 How VoIP works ........ 23
Chapter 3 ........ 25
    3.1 Software used ........ 25
    3.2 Features overview ........ 25
    3.3 GNS3 supported platforms ........ 25
    3.4 Version and other software used ........ 26
    3.5 Network devices used specification ........ 27
Chapter 4 ........ 29
    4.1 Configuration and implementations ........ 29
    4.1.1 Configuring port security ........ 29
    4.1.1.1 Tweaking port security ........ 32
    4.1.2 Implementing HTTPS on a webserver ........ 32
    4.1.3 Access list configuration ........ 33
    4.1.3.1 Types of access control list ........ 34
    4.1.4 VoIP configuration ........ 35
Chapter 5 (Bibliography) ........ 35
    5.1 Conclusion ........ i
    5.2 References ........ i
Chapter 6 (Bio-data of the candidates) ........ ii


TABLE OF FIGURES AND SNAPSHOTS

Figure 1: Components of wireless network ........ 12
Figure 2: MAC spoofing ........ 13
Figure 3: Man in the middle attack ........ 15
Figure 4: SSL working ........ 18
Figure 5: Unauthorized access ........ 19
Figure 6: VoIP working ........ 24
Figure 7: Logo of GNS3 ........ 24
Figure 8: Series of devices and protocols supported by GNS3 ........ 26
Snapshot 1: Basic configuration of port security ........ 30
Snapshot 2: Learning of MAC address ........ 30
Snapshot 3: Port status is changed to down ........ 31
Snapshot 4: Status of port security applied on a device ........ 31
Snapshot 5: Restrict violation mode on a port ........ 32
Snapshot 6: Network configuration ........ 33
Snapshot 7: Configuration of webserver ........ 33
Snapshot 8: Access list configuration ........ 34
Snapshot 9: VoIP configuration ........ 35
Snapshot 10: IP phone with Cisco IP Communicator ........ 36


Chapter 1 Introduction
_____________________________________________________________________________________

Wireless networking presents many advantages. Productivity improves because of increased accessibility to information resources. Network configuration and reconfiguration is easier, faster, and less expensive. However, wireless technology also creates new threats and alters the existing information security risk profile. For example, because communication takes place "through the air" using radio frequencies, the risk of interception is greater than with wired networks. If a message is not encrypted, or is encrypted with a weak algorithm, an attacker can read it, thereby compromising confidentiality.

Although wireless networking alters the risks associated with various threats to security, the overall security objectives remain the same as with wired networks: preserving confidentiality, ensuring integrity, and maintaining availability of the information and information systems. The objective of this paper is to assist managers in making such decisions by providing them with a basic understanding of the nature of the various threats associated with wireless networking and the available countermeasures.

The popularity of wireless networks is a testament primarily to their convenience, cost efficiency, and ease of integration with other networks and network components. The majority of computers sold to consumers today come pre-equipped with all necessary wireless networking technology. The benefits of wireless networks include convenience, mobility, productivity, deployment, expandability and cost.

Wireless network technology, while replete with the conveniences and advantages described above, has its share of downfalls. For a given networking situation, wireless networks may not be desirable for a number of reasons, most of which have to do with the inherent limitations of the technology. The disadvantages of using a wireless network are: security, range, reliability and speed.


Wireless Networks present a host of issues for network managers. Unauthorized access points, broadcasted SSIDs, unknown stations, and spoofed MAC addresses are just a few of the problems addressed in WLAN troubleshooting. Most network analysis vendors, such as Network Instruments, Network General, and Fluke, offer WLAN troubleshooting tools or functionalities as part of their product line.

Chapter 2 Key terms and scope of study
_____________________________________________________________________________

Wireless Vulnerabilities, Threats and Countermeasures

Wireless networks consist of four basic components:
- the transmission of data using radio frequencies;
- access points that provide a connection to the organizational network;
- client devices (laptops, PDAs, etc.); and
- users.

Each of these components provides an avenue for attack that can result in the compromise of one or more of the three fundamental security objectives of confidentiality, integrity, and availability.

Fig. 1.0 (Wireless networking components)

2.2 Wireless Network Attacks

2.2.1 Identity theft (MAC spoofing)


Identity theft (or MAC spoofing) occurs when a cracker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC IDs can gain access to and use the network. However, a number of programs exist that have network sniffing capabilities. Combined with other software that lets a computer pretend it has any MAC address the cracker desires, these programs let the cracker easily get around that hurdle.


Fig. 1 (MAC spoofing)

The attack: MAC filtering's resource consumption is almost unmeasurable, and even if it doesn't keep out any reasonably knowledgeable security cracker willing to spend a few moments gaining access, it does keep out a lot of automated opportunistic attacks that aim solely for the absolute lowest-hanging fruit on the security tree. Since that lowest-hanging fruit consists of the majority of wireless access points, MAC filtering can be of value as a way of turning away the majority of opportunistic attackers.

Method to attack:
1. Listen in on network traffic.
2. Pick out the MAC address. This can be done with a plethora of freely available security tools, including Nmap.
3. Change your MAC address.

You can spoof a MAC address when using Nmap with nothing more than the --spoof-mac command line option, which hides the true source of Nmap probes. If you give it a MAC address argument of 0, it will even generate a random MAC address for you. For more general MAC address spoofing, your MAC address is trivially reset with tools available in default installs of most operating systems. Here are some examples:

Linux: ifconfig eth0 hw ether 03:a0:04:d3:00:11
FreeBSD: ifconfig bge0 link 03:a0:04:d3:00:11
MS Windows: On Microsoft Windows systems, the MAC address is stored in a registry key. The location of that key varies from one MS Windows version to the next, but find it and you can just edit it yourself. There are, of course, numerous free utilities you can download to make this change for you as well (such as Macshift for MS Windows XP).

PREVENTION METHOD: Port security

Use the port security feature to mitigate MAC spoofing attacks. Port security provides the capability to specify the MAC address of the system connected to a particular port. It also provides the ability to specify an action to take if a port security violation occurs. It is a layer two traffic control feature on Cisco Catalyst switches. It enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses ingressing the port. Its primary use is to deter the addition by users of "dumb" switches to illegally extend the reach of the network (e.g. so that two or three users can share a single access port).

2.2.2 Man-in-the-middle attack


A man-in-the-middle attacker entices computers to log into a computer which is set up as a soft AP (Access Point). Once this is done, the hacker connects to a real access point through another wireless card, offering a steady flow of traffic through the transparent hacking computer to the real network. The hacker can then sniff the traffic. One type of man-in-the-middle attack relies on security faults in challenge and handshake protocols to execute a de-authentication attack. This attack forces AP-connected computers to drop their connections and reconnect with the cracker's soft AP. Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack, which automate multiple steps of the process. What once required some skill can now be done by script kiddies. Hotspots are particularly vulnerable to any attack since there is little to no security on these networks.


Fig. 2.0 (Man in the middle attack)

The Attack: A MitM attack takes advantage of weaknesses in network communication protocols in order to convince a host that traffic should be routed through the attacker instead of through the normal router. In essence, the attacker is advertising that they are the router and that the client should update its routing records accordingly. This attack is called ARP spoofing. The (greatly simplified) purpose of ARP (Address Resolution Protocol) is to enable IP address to MAC address translation for hosts. By design, ARP contains no authentication. Therefore, any host can reply to an ARP request or send an unsolicited ARP response to a specific host. These ARP response messages are used by the attacker to instruct the victim's machine that the appropriate MAC address for a given IP address is now the MAC address of the attacker's machine. More specifically, the attacker is instructing the victim to overwrite the IP->MAC entry for the router in its ARP cache. Now the IP address of the router corresponds to the MAC address of the attacker's machine. What does this mean? All of the victim's traffic will now be routed through the attacker.

Of course, the attack does not stop here. In order to allow the traffic to reach the Internet, the attacker must configure his system (or attack tool) to also forward this traffic to the original router. In addition, the attacker performs a similar ARP spoofing attack against the router. This way the router sends traffic that was destined for the victim machine to the attacker instead. The attacker then forwards the traffic on to the victim. This completes the chain and places the attacker in the middle of the communication.

Impacts on HTTP

At this point, the attacker has the ability to view and modify any TCP traffic sent to or from the victim machine. HTTP traffic is unencrypted and contains no authentication. Therefore, all HTTP traffic can be trivially monitored or modified by the attacker.

What about HTTPS?

Everything we have talked about thus far relates to getting into the middle of the network communication. This enables the attacker to view most exchanged data, but does not enable the attacker to intercept data exchanged over protocols that implement their own authentication and encryption (e.g. SSH, SSL/TLS). But this is where the fun starts. The purpose of HTTPS is to create a secure communication channel on top of HTTP by the use of SSL or TLS.
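Because ARP carries no authentication, the defender's counterpart to the attack described above is to watch the ARP replies on the segment and raise an alarm when a binding behaves the way a poisoning attack makes it behave. The following detector is an added example written for this report, not code from the original project: it keeps a table of trusted static bindings (at least the router's) and the bindings it has learned, and flags a reply that contradicts a static binding, a learned binding that silently changes, and one MAC address answering for several IPs (the attacker impersonating both router and victim). The ARP replies are constructed sample data; in practice a sniffer would feed each captured reply into check_reply().

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example, not code from the original report. The replies below are
constructed sample data standing in for frames captured on the LAN; in a
real deployment a sniffer would feed each ARP reply into check_reply().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# An alert is (kind, ip, mac); the kind labels are this detector's own.
Alert = Tuple[str, str, str]


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    # Static IP->MAC bindings the administrator trusts (the router at least),
    # the same information a static ARP entry on the victim would carry.
    trusted: Dict[str, str]
    seen: Dict[str, str] = field(default_factory=dict)
    alerts: List[Alert] = field(default_factory=list)

    def check_reply(self, reply: ArpReply) -> List[Alert]:
        """Inspect one ARP reply and return the alerts it raised (possibly none)."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        new: List[Alert] = []
        expected = self.trusted.get(ip)
        if expected is not None and expected.lower() != mac:
            # Someone other than the real router is claiming the router's IP.
            new.append(("static-binding-violation", ip, mac))
        elif ip in self.seen and self.seen[ip] != mac:
            # A previously learned binding silently changed.
            new.append(("binding-changed", ip, mac))
        # One MAC answering for several IPs is the signature of a host that
        # impersonates both the router and the victim at once.
        if any(m == mac and i != ip for i, m in self.seen.items()):
            new.append(("mac-claims-multiple-ips", ip, mac))
        self.seen[ip] = mac
        self.alerts.extend(new)
        return new


# Constructed sample: router, victim, then an attacker poisoning both sides.
ROUTER_MAC = "aa:aa:aa:aa:aa:01"
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", ROUTER_MAC),            # genuine router reply
    ArpReply("10.0.0.20", "bb:bb:bb:bb:bb:20"),  # genuine victim reply
    ArpReply("10.0.0.1", ROUTER_MAC),            # repeat of a known binding: no alert
    ArpReply("10.0.0.1", "cc:cc:cc:cc:cc:99"),   # attacker claims to be the router
    ArpReply("10.0.0.20", "cc:cc:cc:cc:cc:99"),  # attacker claims to be the victim
]


def run_sample() -> List[Alert]:
    """Feed the constructed replies through the monitor and return all alerts."""
    monitor = ArpMonitor(trusted={"10.0.0.1": ROUTER_MAC})
    for reply in SAMPLE_REPLIES:
        monitor.check_reply(reply)
    return monitor.alerts


if __name__ == "__main__":
    for kind, ip, mac in run_sample():
        print(f"{kind}: {ip} -> {mac}")
```

The static-binding check is the same protection a static ARP entry for the router gives a host; the other two checks need no prior configuration and are what a passive ARP monitor on the segment would report.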

PREVENTION METHOD: HTTPS ENCRYPTION: Hyper Text Transfer Protocol Secure (HTTPS) is a secure version of the Hyper Text Transfer Protocol (HTTP). HTTPS allows secure e-commerce transactions, such as online banking. With HTTPS, the website encrypts the session using a digital certificate. Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses a cryptographic system with two keys to encrypt data: a public key known to everyone and a private or secret key known only to the recipient of the message.


How SSL works:

Fig 3.0 (SSL working)

1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid and that the certificate is related to the site contacted.
4. The browser then uses the public key to encrypt a random symmetric encryption key and sends it to the server with the encrypted URL required as well as other encrypted HTTP data.
5. The web server decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
6. The web server sends back the requested HTML document and HTTP data encrypted with the symmetric key.
7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.
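The steps above are easy to read past, so here they are carried out in code. This is an added example written for this report, not code from the original project or from any SSL library: the certificate is a plain dictionary constructed here, the trust store is a constructed set, and the RSA that wraps the session key is textbook RSA with two small constructed primes, which is enough to show the data flow (validate, wrap a fresh key with the public key, unwrap with the private key) but is in no way production cryptography. The three browser checks from step 3 are the part worth studying: each is a distinct reason a certificate is rejected, and the handshake stops before any secret is sent when any of them fails.

```python
"""Browser-side model of the SSL handshake steps listed above.

Added example, not code from the original report. Certificates are plain
dicts constructed here, the trust store is a constructed set, and the RSA
used to wrap the session key is textbook RSA with small constructed primes,
so the block shows the data flow and the checks, not production crypto.
"""
import hashlib
import secrets
from datetime import datetime, timezone
from typing import List, Optional, Tuple

TRUSTED_ROOTS = {"Example Root CA"}  # constructed trust store


def hostname_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against the host contacted; '*.' covers one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def check_certificate(cert: dict, host: str, now: datetime) -> List[str]:
    """The three browser checks from the text; an empty list means accepted."""
    problems = []
    if cert["issuer"] not in TRUSTED_ROOTS:
        problems.append("untrusted issuer")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("outside validity period")
    if not any(hostname_matches(name, host) for name in cert["names"]):
        problems.append("name mismatch")
    return problems


# Textbook RSA with constructed toy primes (insecure; demonstration only).
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def wrap_session_key(key: int) -> int:
    """Browser encrypts the random symmetric key with the server's public key."""
    return pow(key, E, N)


def unwrap_session_key(wrapped: int) -> int:
    """Server recovers the symmetric key with its private key."""
    return pow(wrapped, D, N)


def symmetric_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream derived from the key."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def handshake(cert: dict, host: str, now: datetime, request: bytes) -> Tuple[List[str], Optional[bytes]]:
    """Validate, wrap a fresh key, encrypt the request, let the server decrypt it."""
    problems = check_certificate(cert, host, now)
    if problems:
        return problems, None           # browser aborts before sending anything secret
    session_key = secrets.randbits(32)  # random symmetric key, always below N
    wrapped = wrap_session_key(session_key)
    ciphertext = symmetric_xor(session_key, request)
    # Server side: only the private key holder can unwrap and read the request.
    recovered = symmetric_xor(unwrap_session_key(wrapped), ciphertext)
    return [], recovered


# Constructed certificate for the site being contacted.
GOOD_CERT = {
    "issuer": "Example Root CA",
    "names": ["example.com", "*.example.com"],
    "not_before": datetime(2012, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2014, 12, 31, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    now = datetime(2013, 4, 1, tzinfo=timezone.utc)
    print(handshake(GOOD_CERT, "www.example.com", now, b"GET /account HTTP/1.1"))
    print(handshake(GOOD_CERT, "www.example.net", now, b"GET /account HTTP/1.1"))
```

The hostname check is the one that defeats the soft-AP attacker from the previous section: a certificate he can obtain for his own name will not match the site the browser asked for, so the browser stops at step 3 and the session key is never sent.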

2.2.3 UNAUTHORIZED ACCESS:

While it may seem simple to protect your directory from unauthorized access, the problem can be more complicated. There are several opportunities along the path of directory information delivery for an unauthorized client to gain access to data. Unauthorized access includes:
- unauthorized access to data via data-fetching operations;
- unauthorized access to reusable client authentication information by monitoring the access of others;
- unauthorized access to data by monitoring the access of others.

Fig. 4.0 (Showing comical images of unauthorized access)

PREVENTION METHOD: Access control lists (ACLs)

Access control lists perform packet filtering to control which packets move through a network and to where. The packet filtering provides security by helping to limit the network traffic, restrict the access of users and devices to a network, and prevent traffic from leaving a network. IP access lists reduce the chance of spoofing and denial-of-service attacks and allow dynamic, temporary user access through a firewall. Packet filtering can restrict the access of users and devices to a network, providing a measure of security, and access lists can save network resources by reducing traffic. The benefits of using access lists are as follows:

Authenticate incoming rsh and rcp requests: access lists can simplify the identification of local users, remote hosts, and remote users in an authentication database that is configured to control access to a device.

Block unwanted traffic or users: access lists can filter incoming or outgoing packets on an interface, thereby controlling access to a network based on source addresses, destination addresses, or user authentication. You can also use access lists to determine the types of traffic that are forwarded or blocked at device interfaces.

Provide NAT control: access lists can control which addresses are translated by Network Address Translation (NAT).

Reduce the chance of DoS attacks: access lists reduce the chance of denial-of-service attacks.
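What the prose above does not show is how an access list actually decides: entries are tested top to bottom, the first match wins, and a packet that matches nothing falls through to the implicit deny at the end, with source and destination compared through Cisco wildcard masks (a 1 bit means "don't care"). The simulator below is an added example written for this report, not Cisco's code and not the configuration from the project's snapshots; it parses a small subset of the extended-ACL syntax (permit/deny, protocol, any / host / address-plus-wildcard, optional eq port) and evaluates constructed packets against a constructed list. The hit counters mirror the match counts an administrator reads off the switch to confirm an entry is actually being used.

```python
"""Simulator for Cisco-style extended IP access lists.

Added example, not code from the original report. It implements first-match
evaluation with the implicit deny at the end, using wildcard masks the way
IOS does; the ACL and packets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def in_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Ace:
    """One access control entry."""
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches everything; otherwise "tcp", "udp", "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None
    hits: int = 0          # match counter, like the one the switch reports per entry


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _address(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse the subset 'permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    src, src_wc, i = _address(t, 2)
    dst, dst_wc, i = _address(t, i)
    port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, src_wc, dst, dst_wc, port)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not in_wildcard(pkt.src, ace.src, ace.src_wc):
        return False
    if not in_wildcard(pkt.dst, ace.dst, ace.dst_wc):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.dst_port


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match falls to the implicit deny (index None)."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            ace.hits += 1
            return ace.action, index
    return "deny", None


# Constructed ACL: the 10.0.0.0/24 user LAN may reach the web server only on
# 443 and 80, nobody else may reach the server, and the LAN may go anywhere else.
SAMPLE_ACL_LINES = [
    "permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.10 eq 443",
    "permit tcp 10.0.0.0 0.0.0.255 host 192.168.1.10 eq 80",
    "deny ip any host 192.168.1.10",
    "permit ip 10.0.0.0 0.0.0.255 any",
]


def build_sample_acl() -> List[Ace]:
    return [parse_ace(line) for line in SAMPLE_ACL_LINES]


if __name__ == "__main__":
    acl = build_sample_acl()
    for pkt in [Packet("tcp", "10.0.0.5", "192.168.1.10", 443),
                Packet("tcp", "10.0.0.5", "192.168.1.10", 22),
                Packet("udp", "10.0.0.5", "8.8.8.8", 53),
                Packet("tcp", "172.16.0.9", "8.8.8.8", 80)]:
        print(pkt, "->", evaluate(acl, pkt))
```

Order matters: swapping the third and fourth entries would let the LAN reach the server on every port, because the broader permit would match first. Running suspected traffic through a model like this before applying a list is a cheap way to catch that class of mistake.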

2.3 VOIP Technology


The term Voice over Internet Protocol, or VoIP, has been used as a catch-all phrase in the industry to refer collectively to a large group of technologies designed to provide Internet-based communications services. More accurately, VoIP refers only to the underlying transport protocol that encapsulates voice traffic or voice media streams and allows them to be carried over data networks using IP network technologies or Internet protocols. VoIP, however, is not IP Telephony, nor is it the more widely used industry term IP Communications, which refers to an even broader definition of communications networking applications and technologies. VoIP can be understood simply as a transport protocol for carrying voice over any packet network, usually between sites. The term convergence, also sometimes referred to as a multi-service network, refers to the integration of data, voice, and video solutions onto a converged network infrastructure.

2.3.1 Benefits of IP Communications over a Converged Intelligent Network


The benefits of IP Communications applications over a converged intelligent network are derived from a series of fundamental capabilities within IP networks that provide for the advantages of flexibility, resilience, and economy.


Economy: As opposed to connecting elements and applications of a communications system using expensive legacy voice technologies such as DS1 and DS0 line cards, trunk cards and digital signaling technologies, IP Communications networks allow customers to build network communication services based on IP networking technologies using Ethernet economics, often called silicon economics. One Ethernet port can replace 50 or more legacy voice circuits, line cards, and chassis equipment needed to provide equivalent service. The key point here is that the costs are significantly less to provide connections to other sites and to other applications.

Flexibility:

As opposed to connecting elements and applications of a communications system using legacy technologies that are proprietary, monolithic, and restrictive in nature, IP networking allows connections to be made with virtual reach: resources can be distributed anywhere as needed; economies can be gained by centralization of gateway, circuit, and server resources; and many types of media and applications can be brought together to facilitate communications within an organization. IP Communications systems are also more capable in supporting mobility requirements, telecommuting, moves/adds/changes, centralized management, outsourcing operations, extension mobility, desktop integration, front office and back office integration and applications, enterprise directories, and taking advantage of emerging web innovations and services such as instant messaging, presence, and mobility.

Resilience:

With business continuity and disaster recovery high on the agendas of many organizations, the resiliency of connectivity and the abilities provided by IP Communications to keep the organization connected make it an ideal candidate for survivable services. Redundancy is built into intelligent layer 2 and layer 3 networking technologies and applications. Internet protocols offer superior failover, redundant and self-healing capabilities that are easy to deploy, open-standards based, and can support not only voice but all of an organization's communications services. The fact that the most resilient military and enterprise communications systems can now use IP Communications and Internet protocols to achieve five nines of reliability and availability provides a superior alternative to rigid voice technologies. These legacy technologies are far more expensive, and are unable to provide the overall system resiliency needed for as broad a range of services and applications as IP Communications can.

2.3.2 How VoIP works


With VoIP, analog voice calls are converted into packets of data. The packets travel like any other type of data, such as e-mail, over the public Internet and/or any private Internet Protocol (IP) network. Using a VoIP service, you can call landline or cell phones. You can also call computer-to-computer, with both parties speaking into a computer microphone and listening through computer speakers or headsets. When evaluating, it is worth noting that you can make or receive calls using landline telephones; all you need is an analog telephone adapter connected to your network. Also, to ensure the best voice quality and security, consider running your VoIP or other communications system on a private IP network.

Fig. 5.0 (VoIP working)


CHAPTER 3 Software used
__________________________________________________________________

Fig. 6.0 (Logo of simulator)

The GNS3 network simulator is free, open source software that can be downloaded and used by anyone. GNS3 works by using real Cisco IOS images which are emulated using a program called Dynamips. GNS3 is really the GUI part of the overall product. With this GUI, users get an easy-to-use interface that allows them to build complex labs consisting of a variety of supported Cisco routers. GNS3 is an excellent complementary tool to real labs for network engineers, administrators and people wanting to study for certifications such as Cisco CCNA, CCNP, CCIP and CCIE as well as Juniper JNCIA, JNCIS and JNCIE. It can also be used to experiment with features of Cisco IOS or Juniper JunOS, or to check configurations that need to be deployed later on real routers. Thanks to VirtualBox integration, now even system engineers and administrators can take advantage of GNS3 to make labs and study for Redhat (RHCE, RHCT), Microsoft (MCSE, MCSA), Novell (CLP) and many other vendor certifications. This project is an open source, free program that may be used on multiple operating systems, including Windows, Linux, and Mac OS X.

3.1 Features overview

- Design of high quality and complex network topologies.
- Emulation of many Cisco IOS router platforms, IPS, PIX and ASA firewalls, JunOS.
- Simulation of simple Ethernet, ATM and Frame Relay switches.
- Connection of the simulated network to the real world!
- Packet capture using Wireshark.


3.2 GNS3 Supported Platforms

These are the current platforms supported by GNS3. As you can see from the table, you've got quite a list of devices that can be used with GNS3 to build your labs. This is definitely another great feature of this simulator. As you all know, each model of Cisco device supports more or fewer features; these mostly come down to the types of commands supported by the particular IOS you're running on that platform.

Fig. 7.0 (Series of devices and protocols supported by GNS3)

3.3 Version and other software used

We have used the latest version of GNS3, v0.8.3.1 all-in-one (an installer which includes Dynamips, Qemu/Pemu, PuTTY, VPCS, WinPcap and Wireshark), on the Windows operating system, together with the virtualization software VirtualBox in conjunction with Cisco IP Communicator.


3.3 Network devices used specification:

Sr.no  Device      Type                         Specification                     Vendor
1      Router      Wireless, wired              WRT300N, 2620XM, 2621XM           Linksys, Cisco
2      Switch      Multilayer, single layer     Catalyst 3560, Catalyst 2960      Cisco
3      End points  Laptops, personal computers  Inbuilt in software as nodes
       Servers     Mail server and DNS server   Inbuilt in software as devices

(a.) Linksys WRT300N
Device type: Wireless router, 4-port switch (integrated)
Data link protocol: Ethernet, Fast Ethernet, IEEE 802.11b, g, n
Encryption algorithm: WPA, WPA2, 128-bit WEP, 64-bit WEP
Features: MIMO technology, full duplex capability, firewall protection, MAC address filtering, firmware upgradable, Stateful Packet Inspection (SPI), DHCP support, NAT support
Interfaces: WAN: 1 x Ethernet 10Base-T/100Base-TX - RJ-45; LAN: 4 x Ethernet 10Base-T/100Base-TX - RJ-45

(b.) Cisco 2620/21 Ethernet, Fast Ethernet Router
Device type: Wired router
Data link protocol: Ethernet, Fast Ethernet, IEEE 802.3, 802.3u
Features: Auto-sensing per device, modular design, manageable, NAT support
Interfaces: Management: 1.0 x Auxiliary - RJ-45 - 1.0, 2.0 x Console - RJ-45 - 1.0, 1.0 x Ethernet 10Base-T/100Base-TX - RJ-45 - 2.0


(c.) Catalyst 3560-24PS
Device type: Switch, 24 ports, Layer 3
Compliant protocols: IEEE 802.3af, 802.3x, 802.1Q, 802.1w, 802.1p, 802.3z, 802.3, 802.1x, 802.1D, 802.3ab
Features: Layer 2 switching, Layer 3 switching, DHCP server, full duplex capability, VLAN support, Trivial File Transfer Protocol (TFTP) support, Dynamic Trunking Protocol (DTP) support, DHCP snooping, DHCP support, trunking, Access Control List (ACL) support, IP routing
Interfaces: 24 x Ethernet 10Base-T/100Base-TX - RJ-45 - PoE, 1 x Console - RJ-45 (management)

(d.) Catalyst 2960-24-TT
Device type: Switch, 24 ports
Compliant protocols: IEEE 802.3af, 802.3x, 802.1Q, 802.1w, 802.1p, 802.3z, 802.3, 802.1x, 802.1D, 802.3ab
Features: Layer 2 switching, IPv6 support, VLAN support, Multiple Spanning Tree Protocol (MSTP) support, port security, MAC address notification, Dynamic Trunking Protocol (DTP) support, ARP support, BOOTP support, DHCP snooping, dynamic IP address assignment, broadcast storm control, Access Control List (ACL) support
Interfaces: 24 x Ethernet 10Base-T/100Base-TX - RJ-45, 2 x Ethernet 10Base-T/100Base-TX/1000Base-T - RJ-45


CHAPTER 4 Configuration and implementation
_______________________________________________________________


After implementing the basic network from the earlier phase of this project, we have added security features and VoIP technology to it. So basically we have kept the same configuration, added the security measures and VoIP technology, and shown the configuration of each security measure mentioned above separately, with a small example topology for each.

4.1 Configuring port security

Configuring the port security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the port-security interface mode command. Port security can be enabled with default parameters by issuing a single command on an interface:

We can view the default port security configuration with show port-security.

Snapshot 1.0 (Basic configuration of port security)


As you can see, there are a number of attributes which can be adjusted. We'll cover these in a moment. When a host connects to the switch port, the port learns the host's MAC address as the first frame is received:

Snapshot 2 (Learning of MAC address)

Now we disconnect the host from the port, connect a small switch or hub, and reconnect the original host plus a second, unauthorized host so that they both attempt to share the access port. Observe what happens as soon as the second host attempts to send traffic:

Snapshot 3 (Port status is changed to down)

Inspecting the status of port security on the port again, we can see that the new MAC address triggered a violation. By default, a port security violation forces the interface into the error-disabled state. An administrator must re-enable the port manually by issuing the shutdown interface command followed by no shutdown. This must be done after the offending host has been removed, or the violation will be triggered again as soon as the second host sends another frame.


Snapshot 4 (Status of port security implied on device)

4.1.1 Tweaking Port Security Violation Mode

Port security can be configured to take one of three actions upon detecting a violation:
1. shutdown (default): The interface is placed into the error-disabled state, blocking all traffic.
2. protect: Frames from MAC addresses other than the allowed addresses are dropped; traffic from allowed addresses is permitted to pass normally.
3. restrict: Like protect mode, but generates a syslog message and increases the violation counter.
By changing the violation mode to restrict, we are still alerted when a violation occurs, but legitimate traffic remains unaffected:

Snapshot 5 (Restricted port in violation mode)
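The three violation modes as an added model written for this section (not code from the report or from Cisco IOS): it replays the scenario above, an authorized host followed by an unauthorized host on a hub, and returns what each mode does to the rogue frame and to the legitimate host's later traffic. The MAC addresses and the abbreviated syslog text are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' enabled (a model, not IOS)."""
    max_macs: int = 1                 # default maximum of one secure MAC address
    violation: str = "shutdown"       # "shutdown" (default), "protect" or "restrict"
    learned: list = field(default_factory=list)   # dynamically learned secure MACs
    err_disabled: bool = False
    violations: int = 0               # counter, incremented in restrict mode as above
    syslog: list = field(default_factory=list)    # messages abbreviated from IOS

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                      # port is down: nothing passes
        if src_mac in self.learned:
            return True                       # already a secure MAC on this port
        if len(self.learned) < self.max_macs:
            self.learned.append(src_mac)      # the first frame teaches the port its MAC
            return True
        # A further MAC is a violation; what happens next depends on the mode.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"%PM-4-ERR_DISABLE psecure-violation {src_mac}")
            return False
        if self.violation == "restrict":
            self.violations += 1
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION {src_mac}")
        return False                          # protect and restrict both drop the frame

    def recover(self) -> None:
        """Administrator issues 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False


def demo(mode: str) -> dict:
    """Authorized host, then an unauthorized host on a hub, then the authorized host."""
    port = SecurePort(violation=mode)
    first = port.receive("0001.9628.4786")   # authorized host (constructed MAC)
    rogue = port.receive("000b.be52.8501")   # second, unauthorized host (constructed)
    again = port.receive("0001.9628.4786")   # legitimate traffic after the violation
    return {"first": first, "rogue": rogue, "again": again,
            "err_disabled": port.err_disabled, "violations": port.violations,
            "messages": len(port.syslog)}
```

Note that recover() alone does not clear the learned MAC, so if the rogue host is still attached the next frame from it err-disables the port again, exactly as described above.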


4.2 Implementing HTTPS on a webserver

A basic topology of a network with a router, a switch, some hosts as users and a web server is set up to show this security measure. We have configured the web server to work over both HTTP and HTTPS, making it usable for any type of traffic requiring access to the particular website or service, and protecting the network from eavesdropping by encrypting the data and passing it through a secure tunnel where eavesdropping and intrusion are not possible.

Snapshot 6(Network Configuration)

Snapshot 7(Configuration on Webserver)


4.3 Access List configuration

An access control list (ACL) in networks is used to assign different permissions, e.g. deny/permit, to an object.

ACL Rules:
1. The list is applied from the top statement to the bottom, so order is important: if the first statement is matched, the others are ignored.
2. There is a default invisible deny at the bottom of every access list. This means that if you have different hosts in the network, let's say 192.16.1.1, 192.16.1.2, 192.16.1.100 etc., and you create an access list in which you only deny 192.16.1.100 from accessing the internet, all the other hosts are also blocked because of this rule; you have to write another statement to permit any other host to correct this.
3. An ACL is applied to an interface in the inbound or outbound direction.

4.3.1 Types of Access Control List

There are two main types of ACL:
1. Standard ACL
2. Extended ACL

Standard ACL:
ACL number range is from 1-99
Always apply near to the destination
Lower process utilization

Snapshot 8(Access list configuration)


Configuration of Standard ACL

Syntax:
Router(config)#access-list <1-99> deny/permit host/network

R3(config)#access-list 1 deny host 172.16.2.10
R3(config)#access-list 1 permit any
R3(config)#int f1/0
R3(config-if)#ip access-group 1 out

R1(config)#line vty 0 4
R1(config-line)#password cisco
R1(config-line)#^Z
R1#conf t
R1(config)#access-list 2 deny 172.16.2.10
R1(config)#access-list 2 permit any
R1(config)#line vty 0 4
R1(config-line)#access-class 2 in

4.4 VoIP configuration

Here the VoIP setup is made using 2 IP phones, 2 routers and a switch, with 1 computer as a node.

Snapshot 9(VoIP configuration)


Snapshot 10 (IP-phone with cisco ip communicator)

First, drag all devices and configure the router to work as a DHCP server to lease IP addresses to the IP phones.

ip dhcp pool test-vlan
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 option 150 ip 192.168.10.1

Option 150 is required: it gives the Cisco phone the IP address of the TFTP server (here the router). The pool range is the whole network of 192.168.10.0/24. Here is the configuration of the router.

telephony-service
 max-ephones 3
 max-dn 3
 ip source-address 192.168.10.1 port 2005
 auto assign 1 to 5
!
ephone-dn 1
 number 1001
!
ephone-dn 2
 number 1005
!
ephone-dn 3
 number 1010

I have used IP phones with a power supply, so the power adapter needs to be plugged in to get the IP phone online. If you don't want or need PoE, you have to use a multilayer switch. Configure the switch as follows; enable the trust boundary to the Cisco phone using "mls qos trust device cisco-phone".

interface FastEthernet0/1
 switchport access vlan 10
 switchport mode trunk
 switchport voice vlan 1
 mls qos trust device cisco-phone
!
interface FastEthernet0/4
 switchport mode access
 switchport voice vlan 1
!
interface FastEthernet0/5
 switchport mode access
 switchport voice vlan 1

After the phone is online, check on the switch whether it is a trusted Cisco phone or not by executing the command "sh mls qos interface fa0/1"; "trust device: cisco-phone" appears in the output.

Switch#sh mls qos interface fa0/1
FastEthernet0/1
trust state: not trusted
trusted mode: not trusted
COS override: dis
default COS: 0
pass-through: none
trust device: cisco-phone

As soon as the IP phones are online, the following messages appear on the Cisco router, confirming that the phones are registered with their IP addresses.

P a g e | 32

Router#%IPPHONE-6-REGISTER: ephone-1 IP:192.168.10.2 Socket:2 DeviceType:Phone has registered.
Router#%IPPHONE-6-REGISTER: ephone-2 IP:192.168.10.3 Socket:2 DeviceType:Phone has registered.

Check the leased IP addresses on the router using the following command.

Router#sh ip dhcp binding
IP address      Client-ID/              Lease expiration   Type
                Hardware address
192.168.10.3    0006.2A21.B937          --                 Automatic
192.168.10.4    000B.BE52.8501          --                 Automatic
192.168.10.2    0001.9628.4786          --                 Automatic
192.168.10.6    0010.11E9.75C9          --                 Automatic
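An added check written for this section (not code from the report or from Cisco): it parses the router's registration messages and the DHCP binding table shown above and lists the leases on the phone subnet that never registered as a phone, which is the short list an administrator should account for. The two command outputs are embedded as constructed strings copied from the report's output.

```python
import re

# Constructed from the two router outputs shown above.
REGISTER_LOG = """\
Router#%IPPHONE-6-REGISTER: ephone-1 IP:192.168.10.2 Socket:2 DeviceType:Phone has registered.
Router#%IPPHONE-6-REGISTER: ephone-2 IP:192.168.10.3 Socket:2 DeviceType:Phone has registered.
"""

BINDING_OUTPUT = """\
Router#sh ip dhcp binding
IP address      Client-ID/              Lease expiration   Type
                Hardware address
192.168.10.3    0006.2A21.B937          --                 Automatic
192.168.10.4    000B.BE52.8501          --                 Automatic
192.168.10.2    0001.9628.4786          --                 Automatic
192.168.10.6    0010.11E9.75C9          --                 Automatic
"""

# One successful registration per line: phone name and the address it used.
REGISTER_RE = re.compile(r"%IPPHONE-6-REGISTER: (ephone-\d+) IP:(\d+\.\d+\.\d+\.\d+)")
# One binding row per line: address followed by the dotted-hex client hardware address.
BINDING_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})", re.M)


def registered_phones(log: str) -> dict:
    """Map IP address -> ephone name for every registration message in the log."""
    return {ip: phone for phone, ip in REGISTER_RE.findall(log)}


def dhcp_bindings(output: str) -> dict:
    """Map IP address -> client hardware address from 'show ip dhcp binding'."""
    return {ip: mac for ip, mac in BINDING_RE.findall(output)}


def unregistered_leases(log: str, output: str) -> list:
    """Leases whose address never appeared in a phone registration message."""
    phones = registered_phones(log)
    return sorted((ip, mac) for ip, mac in dhcp_bindings(output).items()
                  if ip not in phones)
```

On the report's own output this flags 192.168.10.4 and 192.168.10.6, the bindings that belong to something other than the two registered phones.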


Chapter 5 Conclusion
_______________________________________________________________________
Wireless networking provides numerous opportunities to increase productivity and cut costs. It also alters an organization's overall computer security risk profile. Although it is impossible to totally eliminate all risks associated with wireless networking, it is possible to achieve a reasonable level of overall security by adopting a systematic approach to assessing and managing risk. This report mentioned the threats and vulnerabilities associated with each of the three basic technology components of wireless networks (clients, access points, and the transmission medium) and described various commonly available countermeasures that could be used to mitigate those risks. It also stressed the importance of training and educating users in safe wireless networking procedures. We also demonstrated VoIP technology and its upper hand over the conventional communication system as a practical implementation in a real-world scenario.



Chapter 6 (Bio-data of the candidates)


_______________________________________________________________________
Roop Kanwal: Pursuing B.Tech in Electronics and Communication with 9.17 current CGPA from LPU, Phagwara.
Divya Pahwa: Pursuing B.Tech in Electronics and Communication with current CGPA 9.19 from LPU, Phagwara.
Manik Garg: Pursuing B.Tech in Electronics and Communication with current CGPA 6.92 from LPU, Phagwara.
Ramandeep: Pursuing B.Tech in Electronics and Communication with current CGPA 7.93 from LPU, Phagwara.
Mayank Shah: Pursuing B.Tech in Electronics and Communication with current CGPA 2.9 from LPU, Phagwara.

