The Analysis of Firewall and VPN in Enterprise Network Performances

Transcription

1 Research Paper The Analysis of Firewall and VPN in Enterprise Network Performances K.M. Sumesh Kumar MSc-MBIS Student School of Engineering & Computing Sciences University of East London - FTMS College Technology Park Malaysia Bukit Jalil, Kuala Lumpur, Malaysia k.sumeshkumar88@gmail.com Kinn Abass Bakon Lecturer School of Engineering and Computing Sciences FTMS College Technology Park Malaysia Bukit Jalil, Kuala Lumpur, Malaysia kinn@ftms.edu.my Abstract The rapid increase in communication technology has influenced global changes in the network security characteristics. A sequences of internet attacks and fraudulent acts on enterprises network have shown us that computer network environments are not immune against intrusions. Due to the emergence of the internet, rapid increase in the development and usages of application software and the inventiveness of hackers, network security has become a complicated problem and it demands a well-planned solutions to deal with ever increasing security threats. Security solutions must be efficient and effective in dealing with the threats and vulnerabilities of the networking domain. Enterprises can ensure better security by implementing systematic approach such as analysis, design, implementation and maintenance. This paper focus on the analysis phase and detailed study of network parameters. The analysis phase demands clear investigation of the complete network. We designed and implemented enterprise network scenarios in a lab through simulation with different level of security layers and mind approaches and we also studied its impact on security deployment in enterprise networks scenarios. The results show that enterprises network vulnerabilities could be fixed. Key Terms: Firewall, VPN, DMZ, OSI layers, Protocols, Bandwidth 1. Introduction Ensuring network security is effective a complicated task. Organizations have their own computer security procedures and levels to implement. So, the need for systematic approach i.e. analysis, design, implementation and maintenance is necessary to ensure networks are properly secured. The major challenges in the enterprises network architecture is how to implement suitable procedure and dominance for attaining security. Attackers still exist in the market and their numbers seems to be increasing every day. As better development techniques in the field of security technology emerges would, so too are better hacking tools methods, as a result Page 1

2 network solutions have to be complicated to address security issues. If some individuals tries too up-to-date with the new threats and security technology soon there will be under stress. One of the main problem in the enterprises network security is its complexity. Presently in the field of technology more complicated and quality application software is designed and implemented and it result in the increase of vulnerabilities. Furthermore, there are computer experts such as hackers, who are interested in finding the vulnerabilities in the applications and exploit the same. The main induction of this hacker s action is to gain fame and money and some due to the curiosity in the field of technology. But the attacker s action are always impact in loss to the organizations. Sometime security measures implemented by the administrator to secure the networks form the malicious attacks will impact against the system usability i.e. authorized users in the networks will unable to complete some of the functionality. In many occasion network security of the organization is attained successfully, but it will contradicted with user friendliness of the systems. So naturally the additional burden to authorized user to complete their task will increase. This problem can be addressed by analyzing network often. Analysis helps to check the vulnerabilities in the network security. For example before implementing security measures in the networks, it is mandatory to analyze these measures and ensure that they are integrated with present network design, would it meet demands of future, upgrade possibility, would it maintainable and compatible to new products. Through this paper, we are pointing the importance of human analysis practice in the Enterprise network performances. 2. Literature Review 2.1 Network The networks exist when the collection of systems interconnected to each other via any communication channel. The existing communication channel may consist of wired or wireless medium to forward and receive the traffics between any nodes. Network protocols are the element of rules to implement the communication between the nodes in the networks (Dostalek & Kabelova, 2006). 2.2 OSI Open System Interconnection Model Reference Model OSI reference model is the standard communication framework for the purpose to establish the communication between the heterogeneous systems in the networking domain. Due to functionality of the communication system in the open world, this familiarly known as Open system interconnection model (OSI). The OSI references model introduced a framework to dilute the complexity in the inter-networks in to minor components so that can be understood, analyzed and utilized easily (Dostalek & Kabelova, 2006). The OSI model s purpose is to allow the communication between the computers under any platform with each other until both follows the OSI standards. (Day & Zimmermann, 1983) In the OSI references model there are seven layers, each layers has its own working principle and functionality. These layers are solitary but arranged in the sequences to each other to have a proper flow of communication functionality among them. These layers are collectively known as OSI layers. Page 2

3 Fig 2.1: Architecture of OSI reference model (Day & Zimmermann, 1983:p.1338) If we analyze the OSI system architecture, they will be three concept levels which are clearly stated; The OSI reference model, OSI service specifications and OSI protocol specifications (Day & Zimmermann, 1983). The OSI service specification is accountable for particular services between the system and user in a particular layer. The OSI protocol specification is accountable for particular type of protocol existing against particular communication services (See fig 2.2). So it is clearly identified the combination of these two specification become OSI architecture. Fig 2.2: System Architecture of OSI (Day & Zimmermann, 1983:p.1335) It is registered trademark that the OSI references model composed of seven layers and each one of the layer have different functionality, services and protocol to achieve their task. In the OSI system architecture anomaly lowest layer s functions are effectively separated from functions of higher layers (Held, 2000). Identically the information hiding design principle; the lower layers are agitated with significant levels of details, upper layer are individualistic about these details. Within layers, services are presented to the succeeding higher layer and protocol are presented to the peer layer in the other system (Stallings, 2005). Consequently we may say that the any alteration exist in any layer-n, then it may influence only on its lowest layers N-1. These alteration does not affect the higher layer N+1 due to isolation from lower layers. (See fig 2.3) Page 3

4 Fig 2.3: Architecture of OSI Framework (Ahamad & Habib, 2010:p.5) Technology Used Networking concepts and technologies are complicated to explain, even with proper example and detailed description. The method to make an audience to clearly understand the networking concept is to create a network environment, where an audience can experience how the concept works by utilizing a software tools which will simulates the functions in the networking domain. This approach of using simulation to demonstrate the concepts of networking domains are highly recommended. It enable the virtual environment of certain features such as network modeling based on particular criteria and analyzing its impact on different case scenarios. OPNET modeler 14.5 education version enable a virtual network environment to analyzing, modelling and forecast the behavior of IT infrastructures, which includes the server, application and networking technologies. By implementing the network environment in simulator IT administrator can easily diagnose the complicated problems, evaluate the changes before implementation (Portnoi & Martin, 2007). OPNET enables several modules which includes the response of protocols in networks, features of network hardware elements. The configuration and outcome of result for network elements are closer to real time network environment. The graphical configuration and the graphical representation of the result outcomes are the added features acquired by OPNET simulator (Salah & Alkhoraidly, 2006). 3. Research Design and Methodology The following methodology was applied to analyze the security domain of the enterprises networks. It is also essential to understand the important topics below and how they relate to each other. The network parameters investigated are as follows: i. Virtual Private Network (VPN) ii. Firewall iii Extracting the simulation result on different scenarios VPN Virtual Private Network The term VPN is described as network communication which utilize the combination of other technologies to establish the secured connection via untrusted network. The data transmission is done as if it were forwarding via private network. Page 4

5 The data transmission is executed by means of tunneling process. Before the transmission of the packets, it is wrapped i.e. encapsulated into a new packet and add new header information. The routing information is provided by this added header, so the packet is traverse a shared communication network before get into tunnel end point. This logical pathway of the encapsulated packet is known as tunnelthe data confidentiality is achieved in VPN by the encryption process. The most commonly used tunneling protocol in the VPN is IPSEC (Internet Protocol Security).The IPsec use two security protocols; Authentication header (AH), Encapsulated Security Payload (ESP) in order to provide the authentication, encryption and integrity of data (Frankel et al., 2005). Authentication header: This protocol ensures the packets integrity, authentication of source. The information which is added to the packets includes the data hash, sequence number etc., information of source verification details to ensure the data integrity (Hooper, 2012). Fig: 3.1-Authentication header (The Government of the HKSAR, 2008:p.9) Encapsulated security payload (ESP): In addition of authentication of source and data integrity, it also ensure the confidentiality of data. Data privacy is achieved by the usage of symmetric encryption algorithm, specifically 3DES. These algorithm should be identical in the both end (Hooper, 2012). Fig: 3.2- Encapsulated security payload (The Government of the HKSAR, 2008:p.9) There are two modes operation which is supported by each security protocols. There are tunnel mode and transport mode (Frankel et al., 2005). Tunnel mode: It is end to end connection in which the packet entirely is protected. The original packet is wrapped into the new packet and AH, ESP are added to this new packet. This new packet is forwarded to tunnel end point. In the tunnel end point new IP headers are decrypted and the original packet is forwarded to the targeted destination in the network. Fig: 3.3- Tunnel mode (The Government of the HKSAR, 2008:p.10) Page 5

6 Transport mode: In this mode the encryption and authentication is done to the data but not on the IP header information. The AH and ESP headers are implemented on the data of the original packet. So, added overhead is less as compare to tunnel mode. But the attackers can easily execute the traffic analysis because the header information is not encrypted. So that this mode mostly used in the host to host connection establishment Firewall Fig: 3.4- Transport mode (The Government of the HKSAR, 2008:p.10) A firewall is the barrier to perform the network isolation and decides the direction and permission of the traffic to pass through. The firewall result in the tighter and complex Firewall types: The administrator need to decide which firewall types is suitable for the existing network architecture (INL, 2006). The firewall categories are as Packet filter firewall, Application level gateway, Circuit level gate way and Stateful inspection firewall. (Stalling, 2013) 3.3 Scenarios In the simulation there are three scenario designed as follows: a) General network design scenario: where the default mode of network parameters setting and configurations are used. b) Firewall network design scenario: Where well approached security deployment with existences security modules are used. But this approach of security deployment will impact in losing connection establishing ability between the client and server architecture for the particular applications in the networks. c) VPN-Firewall network design scenario: Where the intelligent approaches of security deployment by security professionals to establish the customized solution of networks to provide the connection and resources availability to the particular and authorized users in the proper manner i.e. secure and fulfill the need of network architecture requirements are applied. 3.4 Object Modules The object models that are configured in the network scenario s topology are given below in table 1. S.No OBJECT NAME OBJECT MODULES QUANTITY DESCRIPTION OF MODULES 1. PROFILE PROFILE_CONFIGURATION Used to describe the user groups in terms of the existences of application 2. APPLICATION APPLICATION_CONFIGURATION Customize the application parameters such as repeatability, process duration, start time 3. VPN-CONFIG IP_VPN_CONFIGRATION 1 Used to establish the VPN tunneling between the specified nodes. 4. ROUTER (A, B, C, D, Represents the IP based gateway devices ETHERNET4_SLIP8_GATEWAY 5 E) which support the routing protocols and VPN. 5. FIREWALL ETHERNET2_SLIP8_GATEWAY 1 Represents the IP based devices with firewall and server support features. Page 6

7 6. 7. CLIENT (1,2,3,4,) and NETWORK ADMIN (1,2) APPLICATION_ SERVER ETHERNET_WORKSTATION 6 PPP_SERVER 1 Represents the workstation which support the client and server application over TCP/IP and UDP/IP. Represents the server nodes applications working over TCP/IP and UDP/IP. 8. INTERNET_CLOUD IP32_CLOUD 1 Represents the Internet cloud environment 9. LINK PPP_DSI 7 PPP LINK (44Mbps) 10. LINK 100BaseT 6 ETHERNET LNK (100Mbps) TABLE 1: Object Modules 3.5 Object Modelling The parameters are configured as per the requirement of the given task. In the application configuration, object attributes are configured to support default application services (Database access, , FTP, HTTP, VOIP, and Video Conferencing). In the profile configuration is set it attributes to support the configured three applications in the server i.e. Database, HTTP and . Finally the attributes of client, server, router and firewall is configured as supportive to our requirements. 3.6 Task Fig 3.5 Network scenario s topology 1. The NETWORK ADMIN 1 and NETWORK ADMIN 2 should have the permission to access the Database services, HTTP services and services. 2. The rest of the user s such as CLIENT 1, CLIENT 2, CLIENT 3 and CLIENT 4 are denied access to the Database and HTTP services but permitted to access the services. The main objective of this paper is to show the dominant role of the analysis practice to ensure the security of the enterprises network. So to achieve the effective analysis the data collection techniques should be in detailed manner. 4. Result and Analysis The result of each scenario is analyzed below. 4.1 General Network Design Scenario It uses the default mode of network parameters setting and configurations. In this scenario all the work station can access the HTTP and services from the application Page 7

8 server as shown in figures. At the same time all the users have the unrestricted access to the Database services as shown in fig 4.3 and fig 4.4. It will impact in the vulnerable attacks in the form of any client users. We can analysis this impact by the simulation result of this scenario as given in the following figures. Fig: 4.1: HTTP client traffic sent (bytes/sec) in General Network Design scenario. Fig 4.2: HTTP Client Traffic Received (Bytes/Sec) in General Network Design Scenario. Page 8

9 Fig: 4.3: DATABASE client traffic sent (bytes/sec) in General Network Design scenario. Fig: 4.4: DATABASE client traffic received (bytes/sec) in General Network Design scenario. Page 9

10 Fig 4.5: client traffic sent (bytes/sec) in General Network Design scenario. Fig 4.6: Client Traffic Received (Bytes/Sec) in General Network Design Scenario. 4.2 Firewall network design scenario It uses the well approached security deployment with existences security modules. But this approaches of security deployment will impact in losing connection establishing ability between the client and server architecture for the particular applications in the networks. Page 10

11 In this scenario Database and HTTP services are denied in firewall across the networks. As an impact of this security configuration NETWORK ADMIN 1 and NETWORK ADMIN 2 can access the services at the same time there loss the access to Database and HTTP services. This security implementation measures fulfill only one of our requirement i.e. access to services, but the other requirement such as access to Database and HTTP services are denied. Presently none of the users in the network can access Database and HTTP services after the implementation of this security policy in the Enterprises network. It is analyzed by the simulation results in given fig 4.7 and fig 4.8. Fig4.7:HTTP client traffic sent and received (bytes/sec) in Firewall Network Design Fig 4.8: DATABASE client traffic sent and received (bytes/sec) in Firewall Network Design scenario. Page 11

12 Fig 4.9: Client Traffic Sent And Received (Bytes/Sec) in Firewall Network Design Scenario VPN-Firewall network design scenario It uses the intelligent approaches of security deployment by security professionals to establish the customized solution of networks to provide the connection and resources availability to the particular and authorized users in the proper manner i.e. secure and fulfill the need of network architecture requirements. In this scenario NETWORK ADMN 1 and NETWORK ADMIN 2 can access the Database, HTTP and services. At the same time CLIENT 1, CLIENT 2, CLIENT 3 and CLIENT 4 are denied to access the Database, HTTP services and permitted to access services. In this security policy all requirement mentioned in the task assignment are fulfilled. It is analyzed by the simulation results in the following fig 4.10, fig 4.11 and fig Fig 4.10: HTTP traffic sent and received (bytes/sec) in VPN FIREWALL NETWORK DESIGN scenario. Page 12

13 Fig 4.11: DATABASE Client Traffic Sent And Received (Bytes/Sec) in VPN Firewall Network Design Scenario. Fig 4.12: client traffics send and received (bytes/sec) in VPN Firewall Network Design scenario. 4.4 COMPARISON OF RESULTS In this section of paper we can analyze the impact of the security deployment in the enterprises network architecture. After the successful implementation of the security solutions to the existing enterprises network, it ensures the secure network environment but it will affect the performances of the network i.e. changes in the delay factors in the network traffics. It is analyzed in the simulation result given it the below figures. The VPN is the effective solution to establish the secure communication but it will impact enterprise networks to experience slower response time in the network services such as TCP, http, , and database inquires. This is analyzed by the simulation result in the given figures. This decrease in the network performance is due to the process of encryption and adding the authentication header for the packets in the network. Page 13

14 Fig: 4.13: HTTP response time (seconds) In fig 4.13 we compared the HTTP page response time of general network scenario and VPN firewall scenario. From the fig 4.14 it is clear the HTTP response time is high with VPN firewall scenario as compared to general network scenario. The HTTP response time value is found to be for general network scenario while VPN firewall network scenario is sec. Fig 4.14: DATABASE entry response time (seconds) In fig 4.14 we compared the DATABASE entry response time of general network scenario and VPN firewall scenario. From the fig 5.14 it is clear the DATABASE entry response time is high with VPN firewall scenario as compared to general network scenario. The DATABASE entry response time value is found to be for general network scenario while VPN firewall network scenario is sec. Fig 4.15: DATABASE query response time (seconds) Page 14

15 In fig 4.15 we compared the DATABASE query response time of general network scenario and VPN firewall scenario. From the fig 4.15 it is clear the DATABASE query response time is high with VPN firewall scenario as compared to general network scenario. The DATABASE query response time value is sec for general network scenario while VPN firewall network scenario is sec. Fig 4.16: download response time (seconds) In fig 4.16 we compared the download response time of general network scenario, firewall network scenario and VPN firewall scenario. From the fig 4.16 it is clear the E- MAIL download response time is high with VPN firewall scenario as compared to general network scenario and firewall network scenario. The download response time value is found to be in case of general network scenario is sec, in case of firewall network scenario is sec and in case of VPN firewall network scenario is sec. Fig 4.17: upload response time (seconds) In fig 4.17 we compared the upload response time of general network scenario, firewall network scenario and VPN firewall scenario. From the fig 4.17 it is clear the upload response time is high with VPN firewall scenario as compared to general network scenario and firewall network scenario. The upload response time value is found for general network scenario is sec, firewall network scenario is sec while VPN firewall network scenario is sec. Page 15

16 Fig 4.18: TCP delay (seconds) In fig 4.18 we compared the TCP delay of general network scenario, firewall network scenario and VPN firewall scenario. From the fig 4.18 it is clear the TCP delay is high with VPN firewall scenario compared to general network scenario and firewall network scenario. TCP delay value for general network scenario is sec, sec for firewall network scenario while VPN firewall network scenario is sec. Fig 4.19: TCP segment delay (seconds) In fig 4.19 we compared the TCP segment delay of general network scenario, firewall network scenario and VPN firewall scenario. From the fig 4.19 it is clear the TCP segment delay is high with VPN firewall scenario as compared to general network scenario and firewall network scenario. TCP segment delay value is found to be sec for general network scenario is, but firewall network scenario is sec and VPN firewall network scenario is sec. In this section we implemented three scenarios namely general network design scenario (without firewall), firewall network design scenario and firewall_vpn network design scenario. It is analyzed that after implementing the firewall even the authorized user are denied an access to the deserved application services. On other hand when using the VPN and firewall the security of the network reaches high level and we experiences reasonable decrease in the network performance, which was due to the process of encryption and addition of authentication headers in the packets. Page 16

17 5. Conclusion The main objectives of this paper was to explore the vulnerabilities in the network and perform in-depth analysis of various attacks against security and solutions of security. Security of the enterprise network is not dependant on the particular product or brand such as firewall, operating system or other security applications. The precise configuration of firewall, changing the password at regular interval of time, updating the security application software such as antivirus on regular basis etc. all these are the elements to implement the fabulous security practices. Deficiencies in the design of the security product can be solved by the good practices. It is better to use the network services with no security devices instead of security devices with incorrect configurations. There is familiar quote related to security domain i.e. The system which is said to be secure is one that is switched off, cast in a concrete block and sealed inside the lead lined room with armed guards and even then I have my doubts ( Dewdney, 1989). As the result of the analysis has shown in the first scenario, in which no existence of any security implementation and configuration of parameters of network in default mode would permit the unauthorized user access to the resources in the networks. In the second scenario configuring the firewall to deny the particular services denies the authorized user access such as NETWORK ADMIN 1 and 2. In third scenario it is clear the security deployment would sometimes affect the network performance and introduce the delay factors in the network environment. The final line is that a network cannot be implement in the 100% secured mode. The practice of analysis would help to sort the presences of vulnerabilities in enterprise networks. The practice of analysis would also be a strong baseline to design a better security implementation plan. Reference [1] AHAMAD, N. & HABIB, M. K., (2010) Analysis of Network Security Threats and Vulnerabilities by Development & Implementation of a Security Network Monitoring Solution. [Online] Available from: nd_vulnerabilities_by_development Implementation_of_a_Security_Network_Monitoring_Solutio n [Accessed: 15th Nov 2014] [2] CS-IIT (Department of Computer Science, Illinois Institute of Technology) Lectures notes. (2014) Cryptography and Network Security [Online] Available from: [Accessed: 2th Nov 2014] [3] DAY, J. D., & ZIMMERMANN, H. (1983) The OSI Reference Model. In proceedings of IEEE, Volume- 71, No.12, p [4] DOSTALEK, L. & KABELOVA, A. (2006) Understanding TCP/IP. Ed.1st. Birmingham: Packt Publishing. [5] EDWARDS, W. et al. (2005) CCSP: Complete Study Guide ( , , , ). 1st Ed. Alameda: Sybex Publications. [6] FRANKEL, S. et al. (2005) Guide to IPSEC VPNs: Recommendations of the National Institute of Standards and Technology. Ed.1st. Gaithersburg: NIST Special Publications (U.S. Department of Commerce). [7] HOOPER, H. (2012) CCNP Security VPN , Official Cert. Guide. Ed. 1st. Indianapolis: Cisco press. [8] HELD, G. (2000) TCP/IP Professional reference guide. Ed.1st. Boca Raton: Auer Bach Publications. [9] HUCABY, D., GARNEAU, D. & SEQUEIRA, A. (2012) CCNP Security FIREWALL Official Cert Guide. 1st Ed. Indianapolis: Cisco Press. Page 17

18 [10] INL (Idaho National Laboratory) Report, U.S. Department of Homeland security. (2006) Control System Cyber Security: Defense in Depth Strategies. [Online] Available from: [Accessed: 30th Sep 2014] [11] PORTNOI, M. & MARTINS, J. S., (2007) TARVOS an Event-Based Simulator for Performance Analysis, Supporting MPLS, RSVP-TE, and Fast Recovery. Published in XIII Brazilian Symposium on Multimedia and the Web Webmedia. Volume 1, p [12] STALLINGS, W. (2005) Wireless Communication. Ed.1st. New Jersey: Prentice Hall. [13] STALLING, W. (2013) Network Security Essential: Application and Standards. Ed. 5th. New Jersey: Prentice hall. [14] SALAH, K., & ALKHORAIDLY, A., (2006) An OPNET-based simulation approach for deploying VoIP International Journal of Network Management. Volume 1. Issue-3. p [15] THE GOVERNMENT OF THE HKSAR (Hong Kong Special Administrative Region). (2008) VPN Security [Online] Available from: [Accessed: 12th Nov 2014] [16] WIKIVERSITY. (2014) Introduction to Computer/System Software. Available from: [Accessed: 1th Oct 2014] [17] Dewdney.KA(1989)"Computer Recreations: Of Worms, Viruses and Core War" in Scientific American, pp 110. Page 18