Wireless Lan with UTM Appliance Deployment Project - Subhankar Sanyal.

  • 7/30/2019 Wireless Lan with UTM Appliance Deployment Project - Subhankar Sanyal.

    ACKNOWLEDGEMENT

    It is my great pleasure to have project training in Information System and IT Operations at

    Barsana Hotel and Resort, Siliguri.

    During my training period, I had an opportunity to visit almost every department, and I am

    grateful to the executives who extended maximum effort and co-operation in explaining

    the operation of the unit, technical details, etc.

    I especially want to thank:

    Mr. Prasun Kumar Nath (General Manager, Barsana Hotel & Resorts)

    Mr. Dipendra Raikut, Head (IT & Infrastructure, Barsana Hotel & Resorts)

    Mr. Promod Thapa, Executive (Front Desk, Barsana Hotel & Resorts)

    I would also like to express my heartiest thanks to our faculty members at Sikkim Manipal

    University, Star Institute of Management, Patel Road, Pradhan Nagar, Siliguri - 734003, who have

    been a source of inspiration throughout; without their help and valuable feedback this project

    would not have been possible.

    Finally, I would like to thank my family members, especially my mother, and friends (Sayantan

    Bhattacharjee, Susmit Dutta) who have always been my continuous source of inspiration and

    they have constantly supported and motivated me to complete my project.

    BONAFIDE CERTIFICATE

    Certified that this project report titled A PROJECT REPORT ON

    is the

    bonafide work of SUBHANKAR SANYAL who carried out the project work

    under my supervision.

    SIGNATURE
    HEAD OF THE DEPARTMENT
    SIKKIM MANIPAL UNIVERSITY, Centre Code: 01005
    Star Institute of Management, Patel Road, Pradhan Nagar, Siliguri - 734003.

    SIGNATURE
    FACULTY IN CHARGE
    SIKKIM MANIPAL UNIVERSITY, Centre Code: 01005
    Star Institute of Management, Patel Road, Pradhan Nagar, Siliguri - 734003.

    Executive Summary

    It is my great pleasure to have had a project development and implementation
    opportunity at Barsana Hotel and Resorts, one of the best Five Star Hotels and
    Resorts located in North East India. This report is a summary of 6 months of
    learning, implementing and solving difficult technical skills. The OBJECTIVE of
    the Project is to have a clear vision regarding:

    * Product Details.
    * Working of a Robust Wireless Network with integrated Security features for all users.
    * The detailed working of WLAN with integrated UTM Appliance.

    My specialization is in Information Systems. However, before developing a live
    system, my knowledge was limited to software simulation technologies and books.
    During my project, I was able to enhance my knowledge through good practical
    exposure. My Project development report is based on the following aspects:

    * INTRODUCTION WITH HOSPITALITY INDUSTRY.
    * PROFILE OF THE ORGANIZATION.
    * ISSUES AND CHALLENGES FACED BY THE ORGANIZATION.
    * PREVIOUS NETWORK ARCHITECTURE.
    * BRIEF DETAILS OF VARIOUS HARDWARE / SOFTWARE USED IN THE NEW PROJECT.
    * ARCHITECTURAL DETAILS OF THE SETUP.
    * VARIOUS PRACTICES ADOPTED IN EACH SECTION TO OPTIMIZE AND ENHANCE NETWORK PERFORMANCE.

    TABLE OF CONTENTS

    1. Introduction With Hospitality Industry
    2. Organization History
    3. Issues and Challenges faced in Networking
    4. Previous Network Architecture
    5. Details of New Hardware / Software added to implement new Wireless Network Architecture
    6. Firewall Features
    7. Introduction of WLAN Security with IPCOP Appliance
    8. New Network Architecture
    9. Methodology
    10. Conclusion
    11. Bibliography
    12. References

    The hospitality industry is a broad category of fields within the service

    industry that includes lodging, restaurants, event planning, theme parks,

    transportation, cruise line, and additional fields within the tourism industry.

    The hospitality industry is a several billion dollar industry that mostly

    depends on the availability of leisure time and disposable income. A

    hospitality unit such as a restaurant, hotel, or even an amusement park

    consists of multiple groups such as facility maintenance, direct operations

    (servers, housekeepers, porters, kitchen workers, bartenders, etc.),

    management, marketing, and human resources.

    To secure for the hotel industry its due place in India's economy; project its

    role as a contributor to employment generation and sustainable economic and

    social development; highlight its crucial role in the service to tourism industry

    as the largest net foreign exchange earner; help raise the standards of hoteliering and to build an image for this industry both within and outside the

    country.

    Competition and usage rate

    Usage rate or its inverse "vacancy rate" is an important variable for the hospitality

    industry. Just as a factory owner would wish a productive asset to be in use as

    much as possible (as opposed to having to pay fixed costs while the factory isn't

    producing), so do restaurants, hotels, and theme parks seek to maximize the

    number of customers they "process" in all sectors. This led to formation of services

    with the aim to increase usage rate provided by hotel consolidators. Information

    about required or offered products are brokered on business networks used by

    vendors as well as purchasers.

    In viewing various industries, "barriers to entry" by newcomers and competitive

    advantages between current players are very important. Among other things,

    hospitality industry players find advantage in old classics (location), initial and

    ongoing investment support (reflected in the material upkeep of facilities and the

    luxuries located therein), and particular themes adopted by the marketing arm of the organization in question (for example at theme restaurants). Very important is

    also the characteristics of the personnel working in direct contact with the

    customers. The authenticity, professionalism, and actual concern for the happiness

    and well-being of the customers that is communicated by successful organizations

    is a clear competitive advantage.

    ABOUT BARSANA HOTEL AND RESORTS

    HISTORY OF THE ORGANIZATION

    Barsana Hotel and Resorts is a venture of North Bengal's premier industrial
    house, the Beekay Group. The Beekay Group has set up a luxurious Five Star
    Category Hotel at Matigara, Siliguri in Darjeeling District. Located in
    Matigara, at the outskirts of Siliguri, the site has been selected away from the
    chaos of the bustling town of Siliguri, amidst calm and quiet settings with a
    view of the picturesque Himalayan Mountains and greenery. The Project is on
    60 cottahs of land and started operation by July 2010. Conforming to the
    standard norms prescribed by the Department of Tourism, Government of India,
    it has Five Star Category approval. The proposed hotel has been carefully
    designed with luxurious interiors and exterior beauty, with the most modern
    architectural structure and beautiful landscape.

    The hotel possesses 52 Double Bedded rooms and 7 Suites, with 2 banquet halls, 2
    restaurants, bar & coffee shop. It is centrally air conditioned, with all modern
    facilities such as 24 Hour Hot/Cold Water, Room Service with Telephone and
    Internet Facility, CCTV, Lift, In-house Generator, Safe Deposit Vault,
    Laundry, Car Rental with Free Car Parking, Doctor-on-Call, Banquet Room,
    Conference Room, 24 Hour Coffee Shop, Bar-cum-Restaurant, Travel
    Desk Service, and arrangement of Conducted Tours to Darjeeling and
    other neighboring places of interest.

    Issues and Challenges faced in Networking

    Barsana Hotel and Resorts became operational in October 2010. The Organization
    commissioned state-of-the-art IT equipment for its IT needs. All the computer
    terminals and point of sale equipment for the Hotel Management and Staff were
    connected using Twisted Pair Ethernet, and a dedicated Windows Server 2008 was
    used to process and serve all internal users of the Hotel.

    Since the Hotel also possesses 60+ Rooms, Restaurant, Bar, Gym and Conference
    Hall, the Hotel Management decided to deploy a full Wireless Network for
    visiting Guests.

    The main Internet Backbone was a BSNL Dataone 1 Mbps broadband connection,
    which was shared by the Hotel's Internal Users and the Guest Wi-Fi
    Infrastructure.

    But after commissioning, the Wi-Fi network failed to serve its purpose, and most
    Guests and Users complained of a Slow, Unreliable Network with Faint Wi-Fi
    Signal.

    Below are the issues faced by the Organization:

    * Insufficient wireless network coverage in all Four Floors, Restaurant,
      Conference Hut, Gym and Lobby. Breakage of Signal Continuity.
    * Slow and Unresponsive Internet Experience.
    * No security: all PCs connected to the Wi-Fi infrastructure could see and view
      other PCs connected to the network if Print and File Sharing was enabled by
      default, which also exposed the Hotel's Internal network to Guest Users.
    * No Content Filtering or Metering Technologies to monitor the Internet Activity
      of Guests, which is a compliance issue as per Indian Laws.
    * Network congestion: as more users logged on to the Wi-Fi, the entire Network
      became very slow and finally failed to serve its purpose, due to lack of QoS
      (Quality of Service) implementation.

    PREVIOUS NETWORK ARCHITECTURE

    The Previous Network was composed primarily of several hardware components:

    1) BSNL ADSL Router cum Modem (Make TP Link) with Four RJ45 LAN Ports to share the Internet Connection.
    2) SMC Networks Barricade Routers (SMCWBR14-3GN), 13 Nos.
    3) TPLink (TL-WA730RE) Repeating Stations, 3 Nos.
    4) D-Link 24 Port 100/1000 Mbps Managed Switch (Rack), 2 Nos.
    5) Ethernet Cables

    Basic Working Principle of the Previous Network:

    A copper cable terminated at the BSNL ADSL Modem cum Router. The ADSL Router
    automatically connected to the BSNL DataOne Broadband network using PPPoE
    (Point-to-Point Protocol over Ethernet), and a DHCP (Dynamic Host Configuration
    Protocol) server embedded in the ADSL router provided dynamically leased IP
    addresses to all other network equipment and routers.

    A single RJ45 cable connected the LAN port of the ADSL Modem to one of the
    24 Port 100/1000 Mbps D-Link Managed Switches. All devices, such as Servers
    (Internal Network), Workstations (Internal Network) and Routers (Guest Wi-Fi
    Network), got their IP addresses directly from the ADSL modem's DHCP server.

    There were four primary SMC Barricade routers, one mounted on each floor and
    directly connected to the D-Link Managed Switch. These four routers acted as
    core routers for the entire Wireless Network for Guests and visitors of the
    Hotel. All other routers connected to one of these four routers in Repeater
    Mode, so there were 12 different repeating stations which relayed the signals
    of these four core routers.

    The Previous Network Diagram

    Drawbacks of the Previous Network Design:

    1) The points listed under Issues and Challenges faced in Networking (page 10) describe the issues faced by the Organization.
    2) As all routers other than the 4 core routers were connected using Extender mode, the Wi-Fi Channel was saturated and bandwidth was limited when the number of users grew.
    3) There were no inherent security features built into the network, and there was no way to monitor network access.
    4) Troubleshooting and maintenance were difficult.

    Details of New Hardware / Software added to implement new Wireless Network Architecture

    List of Hardware purchased by Barsana Hotel and Resorts to complete the new Network Topology:

    1) IBM Compatible PC (as Main UTM Server / Proxy): Intel Pentium Dual Core 3.0 GHz, 2 GB DDR SDRAM, ECS P4VM-M7 Motherboard, 500 GB Western Digital Caviar Blue Hard Disk Drive, Corsair Server Chassis with Silver Power Supply (600 watts), Two Ethernet Adapters 10/100/1000 Mbps (D-Link).
    2) IBM PC Compatible PS2 101/103 Keyboard.
    3) 8 Port D-Link 10/100 Mbps Switch (DES 1008V).
    4) Cat 6 cable (D-Link), approximately 400 meters.
    5) RJ 45 connectors (D-Link), approximately 40 in Nos.

    Details of Software used:

    Custom built Firewall with UTM features using GNU Linux Kernel

    2.6.394(IPCOP), added Squid Proxy Module, and Radius Authentication Module.

    Firewall / UTM Features of Wireless LAN

    * A secure, stable and highly configurable Linux based firewall
    * Easy administration through the built in web server
    * A DHCP client that allows IPCop to, optionally, obtain its IP address from your ISP
    * A DHCP server that can help configure machines on your internal network
    * A caching DNS proxy, to help speed up Domain Name queries
    * A web caching proxy, to speed up web access
    * An intrusion detection system to detect external attacks on your network
    * The ability to partition your network into a GREEN, safe, network protected
      from the Internet, a BLUE network for your wireless LAN and a DMZ or
      ORANGE network containing publicly accessible servers, partially
      protected from the Internet
    * A VPN capability that allows you to connect your internal network to
      another network across the Internet, forming a single logical network or to
      securely connect PCs on your BLUE, wireless, network to the wired
      GREEN network
    * Traffic shaping capabilities to give highest priority to interactive services
      such as ssh and telnet, high priority to web browsing, and lower priority to
      bulk services such as FTP.
    * Improved VPN support with x509 certificates.
    * Built from the ground up with ProPolice to prevent stack smashing attacks in
      all applications.
    * Captive Portal for user access using any Web Browser in Client Devices.

    Introduction of WLAN Security with IPCOP Appliance.

    Below, you will find a copy of our Mission Statement. All members of the
    IPCop Firewall Team strive to meet these goals. By achieving these goals, the
    IPCop Firewall will be one of the major Linux Firewall distributions in the
    world.

    * Provide a stable Linux Firewall Distribution.
    * Provide a secure Linux Firewall Distribution.
    * Provide an opensourced Linux Firewall Distribution.
    * Provide a highly configurable Linux Firewall Distribution.
    * Provide an easily maintained Linux Firewall Distribution.
    * Provide an easily configured Linux Firewall Distribution.
    * Provide reliable Support to the IPCop Linux user base.
    * Provide an enjoyable environment for the Public to discuss and request assistance.
    * Provide stable, secure, and easy to implement upgrades/patches for IPCop Linux.
    * Develop an appreciation for both the Linux and Opensource movements in our user base.
    * Develop a long lasting relationship with our userbase.
    * Strive to adapt IPCop to meet the needs of the Internet of Tomorrow.
    * Further develop the Linux Knowledge base of all Project Members and Users.

    After seeing the direction certain Linux Distributions were heading in, a group of dissatisfied
    users/developers decided that there was little reason for the idea of a GPL Linux Firewall
    Distribution of such potential to be, simply, extinguished.

    IPCop Linux is a complete Linux Distribution whose sole purpose is to protect the
    networks it is installed on. By implementing existing technology, outstanding new
    technology and secure programming practices IPCop is the Linux Distribution for
    those wanting to keep their computers/networks safe.

    NEW NETWORK ARCHITECTURE

    Below is the information flow diagram of the Newly Designed

    Optimized Network with Firewall and User Authentication Features.

    METHODOLOGY

    As per the network diagram, the entire structure of the Guest Wi-Fi
    network has changed dramatically.

    Earlier, the BSNL Broadband connected to the Internet over a 1 Mbps link.
    Since a 1 Mbps link is insufficient to support both the Internal and Guest
    Wi-Fi Networks, at my request Barsana Hotel & Resorts upgraded the Data
    Circuit to a 4 Mbps synchronous link.

    In the upgraded network built as part of this project, the same BSNL-provided
    ADSL Router connects to the BSNL Data One network using PPPoE. The router has
    inbuilt features such as Guaranteed QoS (Quality of Service) for the four LAN
    ports. LAN Port One connects directly to the 24 port Managed Switch, and the
    ADSL router is programmed to provide a dedicated 1 Mbps link to the Hotel's
    Internal Network using the MAC (Media Access Control) feature of the Managed
    Switch. The remaining 3 Mbps is shared to the second LAN Port, which connects
    directly to LAN port 1 (eth0) of the IP-COP Server.

    The ADSL modem provides only one dynamically leased IP address, to LAN Port
    (eth0) of IP-COP. The routers that are part of the Guest Wi-Fi network
    automatically get their IP addresses from the IP-COP firewall.

    The entire Router Connectivity Architecture was also modified, along with
    Physical Router Placement, for better Wireless Signal Delivery.

    The 8 Port D-Link Switch connects to the IP-COP box on Ethernet port (eth1).
    From the D-Link switch, four Ethernet cables provide dedicated connectivity to
    four routers, one on each floor (First Floor, Second Floor, Third Floor,
    Fourth Floor).

    In the new network we are not using the Repeating Station features of either
    the SMC Barricade or the TP Link Routers.

    The Ethernet link from the D-Link switch connects to the WAN port of each SMC
    Barricade Router, and all four SMC routers are programmed to work in Router
    Mode. On each floor there are 3 more routers to serve rooms, lobby and bars.
    These secondary routers now connect over Ethernet to the LAN ports of the SMC
    router, get their IP addresses from it, and act only as Access Points.

    Note: Every SMC router has a hardware button which toggles between Router and
    Access Point Mode.

    IP Addresses used in the WLAN setup:

    1) 192.168.1.X provided by the BSNL ADSL Modem to IP-Cop Ethernet port (0).
    2) IP-Cop uses NAT (Network Address Translation) and changes the IP address to 172.16.0.1 for Ethernet port (1).
    3) All routers connecting to the IP-COP Firewall UTM device obtain their IP addresses automatically using the DHCP feature of IP-COP, and use addresses 172.16.0.X to 172.16.1.X.
    4) Presently the Network Firewall (UTM) designed by me can support up to 254 different / unique devices.
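
    The following is an added example, not part of the original report: it audits the addressing plan listed above by checking whether the stated DHCP range fits a /24 mask (the mask a 254-address limit corresponds to) and by modelling whether a guest address can reach the modem-side 192.168.1.X LAN. The reading of the pool as 172.16.0.2 to 172.16.1.254, the two rule lists and the sample host addresses are assumptions made for illustration.

```python
"""Addressing-plan and isolation audit for the guest WLAN (added example)."""
import ipaddress as ip

# Values stated in the report.
UPSTREAM_LAN = ip.ip_network("192.168.1.0/24")  # ADSL modem LAN, IPCop eth0 side
GUEST_GATEWAY = ip.ip_address("172.16.0.1")     # IPCop eth1
STATED_DEVICES = 254                            # "up to 254 unique devices"

# Assumption: "172.16.0.X to 172.16.1.X" is read as this inclusive DHCP range.
POOL_START = ip.ip_address("172.16.0.2")
POOL_END = ip.ip_address("172.16.1.254")

ANY = ip.ip_network("0.0.0.0/0")


def smallest_covering_network(first, last):
    """Smallest single CIDR block that contains both addresses."""
    net = ip.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def audit_eth1(prefixlen):
    """Check the guest pool against one candidate netmask on eth1."""
    net = ip.ip_interface(f"{GUEST_GATEWAY}/{prefixlen}").network
    clients = net.num_addresses - 3  # minus network, broadcast and gateway
    findings = []
    if POOL_START not in net or POOL_END not in net:
        findings.append("pool-outside-subnet")   # leases off the gateway's subnet
    if net.overlaps(UPSTREAM_LAN):
        findings.append("overlaps-upstream")     # NAT between equal ranges is ambiguous
    if clients < STATED_DEVICES:
        findings.append("capacity-below-stated")
    return {"network": net, "clients": clients, "findings": findings}


def forward_verdict(rules, src, dst, default="DROP"):
    """First-match evaluation of an ordered (action, src_net, dst_net) list."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return default


GUEST_NET = smallest_covering_network(POOL_START, POOL_END)

# Constructed policies, not taken from the report or from IPCop itself.
# Assumption: guest traffic leaving through eth0 is allowed to any destination.
RULES_ALLOW_ALL = [("ACCEPT", GUEST_NET, ANY)]
# Hardened: refuse guest traffic to the modem-side LAN before the general allow.
# Internet traffic is unaffected because the match is on the destination address,
# not on the next hop.
RULES_ISOLATED = [("DROP", GUEST_NET, UPSTREAM_LAN), ("ACCEPT", GUEST_NET, ANY)]

if __name__ == "__main__":
    print("pool needs:", GUEST_NET)
    for plen in (24, 23):
        print(f"/{plen}:", audit_eth1(plen))
    # Constructed sample hosts: a guest, a host on the modem LAN, an Internet host.
    guest, lan_host, internet = "172.16.0.50", "192.168.1.10", "203.0.113.7"
    for name, rules in (("allow-all", RULES_ALLOW_ALL), ("isolated", RULES_ISOLATED)):
        print(name, forward_verdict(rules, guest, lan_host),
              forward_verdict(rules, guest, internet))
```

    With a /24 on eth1 the pool spills outside the gateway's subnet; a /23 covers the whole range. Any device that still takes its address from the ADSL modem sits in 192.168.1.X, so the guest-to-LAN verdict is the one to confirm on the live firewall.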

    Firewall Configuration / System Setup

    Set the BIOS parameters so that the target machine will operate, as much as possible,
    as a stand-alone server. For example:

    * Turn off the CPU power saver feature; the target computer must wake on all
      network activity on all NICs and/or modems. It's usually easier and safer to just
      turn off the power saver features. You can leave the video power saver turned
      on.
    * Set the BIOS to boot on power up.
    * Turn off the BIOS keyboard test, if possible.
    * Set the power state to Always restore power after power failure. This will
      guarantee your IPCop PC will power up and reboot after power is restored.
    * IPCop can back up your configuration to a floppy disk drive or a USB key, or to
      a file loaded through the web interface. It is not uncommon for the floppy to be
      accidentally left in the floppy drive. In case of power failure, this may stop the
      IPCop machine from booting.
    * If you are installing from CD drive, make sure your system will only boot from
      the CD drive and hard drive. Turn off all types of boot, except your hard drive,
      after installation completes.
    * If you are installing from USB key, you may need to set some BIOS options. Turn
      off all types of boot, except your hard drive, after installation completes.

    If the IPCop PC has a CD drive and its BIOS can boot from CD, you can use the

    Bootable CD media for the install. The CD drive can be removed after the install.

    If the IPCop PC cannot boot from CD, but has both a floppy drive and a CD drive, the

    Bootable Floppy With CD can be used. Both the floppy drive and CD drive can be

    removed after the install. However, if you plan on using IPCop's backup and restore facilities, you may want to keep the floppy disk in the IPCop PC.

    Finally, if the IPCop PC has only a floppy drive or you do not own a CD burner, the

    Bootable Floppy with FTP/Web Server must be used. Again, the floppy drive can

    be removed after the install. Again, if you plan on using IPCop's backup and restore

    facilities, you may want to keep the floppy drive in the IPCop PC.

    Installing From Bootable CD or Bootable Floppy and CD

    This screen contains a warning that all your existing data will be destroyed.

    At this point you may just press the Enter key, or enter one of the three installation

    options nopcmcia, nousb or nousborpcmcia. The installation options will

    restrict the devices that the IPCop installation process detects. Use these options only

    if the standard installation runs into trouble identifying PCMCIA or USB devices

    attached to the target machine. You may also eject the IPCop media and reboot to

    abort the installation.

    After a few seconds, the language selection screen will appear.

    The next screen simply informs you of how to abort the installation. Select

    the Cancel and press the Enter key.

    The next dialog box lets you choose the installation media. Since you are installing

    from CD-ROM, select it, tab to the Ok button and press the Enter key.

    Your final warning appears next.

    After you select Ok and press Enter on this screen all of the data on your hard drive

    will be erased. To abort the installation, select Cancel and press the Enter key.

    Next IPCop will format and partition your hard drive. Then it will install all its files.

    At this point, you have the option of restoring files from an IPCop backup floppy.

    To do the restore, place the backup floppy in the floppy disk drive and select Restore and press the Enter key. Otherwise, select Skip and press

    the Enter key.

    If you specify Select, above, the following screen will appear:

    Select your GREEN Ethernet NIC from the list.

    If you select MANUAL the following screen will appear. Enter the object module for

    the driver you require. Each driver may require extra installation parameters.

    Unfortunately, these are driver dependent. The sample, below, is for a NE 2000

    driver. Like most ISA drivers, it needs both its IO address, io=, and IRQ, irq=,

    specified.

    If you specify Probe, above, the following screen will appear:

    Your NIC card's manufacturer may not appear. IPCop identifies NICs based on the

    chip manufacturer, not the card manufacturer. This can be ignored.

    IPCop will now configure its internal network address, the GREEN interface.

    This is an address on the network discussed in Decide On Your Local Network Address, above.
    Usually, this will be either GREEN address 1, i.e. 192.168.1.1; or GREEN address 254, i.e.
    192.168.1.254, although any address on your GREEN network will do. IPCop will
    automatically set your Network mask based on your IP address, but you can modify it if you
    need to.

    All of IPCop has now been installed on your hard drive. The following screen will
    appear. Remove the IPCop CD from your CD drive and, if present, the bootable floppy from the
    floppy drive. Select Ok to continue.

    IPCop will continue with the setup command automatically.

    From this point on the Installation process is identical no matter which media was used for the

    initial boot. Please continue with the Initial Configuration Section, below.

    The first screen allows you to configure your keyboard.

    The next screen, above, asks for your time zone.

    Some people leave the time zone as London or UTC. This allows you to leave your PC's hardware clock set to the local time. There are a couple of disadvantages to this

    setting:

    You will not be able to use a network time server to accurately set your PC's

    time, via the Time Administrative Web Page.

    If your local time zone changes from Winter to Summer or Daylight Savings to

    Standard time, you will have to remember to manually change the IPCop PC's

    clock. If you set the time zone to your correct time zone, IPCop will

    automatically change the time for you.

    You must then configure your IPCop machine's hostname.

    The default of ipcop is fine. You may want to change this if you are planning on setting up a VPN and allowing

    administration across your VPN. In this case you may want to give each IPCop machine a unique hostname, such as

    ipcop1, ipcop2, millie, steve, bob, etc.

    You must then configure your IPCop machine's domain name.

    If you have a domain name then enter it here. If you do not have one or do not wish to use it then just accept the

    default localdomain. If you plan on using a VPN, you may wish to add additional qualifiers in front of

    localdomain such as x.localdomain and y.localdomain. It may also be a bad idea to use your real domain name

    for this purpose, unless you will use your official name server instead of IPCop's domain name server.

    This domain name will be automatically set as IPCop's DHCP server's domain name suffix. Please see the DHCP

    server discussion.

    Setup will continue with the ISDN configuration menu.

    The next screen starts a series of dialogs that will help you set up your ISDN card. If you do not have an ISDN card,

    select Disable ISDN, and setup will continue with network setup.

    If you do have an ISDN modem, select the protocol and country.

    After setting protocol and country, you may need to set driver parameters for your card, especially if it's an ISA

    card. If so, select Set additional module parameters.

    Next you must select the type of ISDN card you have.

    IPCop will probe for the card type, if you select AUTODETECT. If necessary, you can manually select the card you

    have.

    The final step in setting up your ISDN card is setting its local phone number.

    Next you will configure your network interfaces. The Network Configuration Menu will take you through the steps

    necessary to configure them.

    If you are planning to run a DHCP server on IPCop you can configure it at this time. Otherwise, do not enable the

    server, and continue with setting passwords, below.

    Dynamic Host Configuration Protocol allows computers to configure their network interfaces when they are booted.

    You can delay setting up IPCop's DHCP server until after the installation completes. See the Administration

    Manual for a description of the web based method of enabling and configuring the DHCP server.

    You must select Enabled to enable the DHCP server.

    When you are done with the DHCP server configuration select the Ok button.

    The next steps will set up IPCop's root, web administrator and backup passwords.

    If you are familiar with Linux you may wish to log in to the IPCop machine to carry out maintenance tasks. The only

    user id configured is the root user. Enter the root password twice. Be careful, the root userid has the keys to the

    kingdom of your firewall. If someone gets its password they can cause all sorts of mischief. By default root is only

    allowed to log in via the local console, though.

    Congratulations!

    You've completed your IPCop installation. Press Ok to reboot. After the reboot is

    completed, you will undoubtedly need to perform some administrative tasks to

    complete your setup.

    Select:

    IPCop SMP (ACPI HT enabled)

    This kernel configuration supports processor chips with hyperthreading, HT,

    SMP and ACPI. Some Intel processors support hyperthreading, which is treated

    as an SMP, multiprocessing, configuration.

    Once you have chosen an appropriate kernel configuration, press the Enter key to

    boot IPCop.

    IPCop loads the default Linux kernel with all selected modules to implement NAT/Firewall and RADIUS features.

    Administration and Configuration

    Accessing the IPCop GUI is as simple as starting your browser and entering the IP address (of the green IPCop interface) or hostname of your IPCop server along with a port number of either 445 (https/secure) or 81 (redirected to 445): https://ipcop:445 or https://192.168.10.1:445 or http://ipcop:81 or http://192.168.10.1:81.

    Modem Connection Buttons

    Connect - This will force a connection attempt to the Internet.

    Disconnect - This will sever the connection to the Internet.

    Refresh - This will refresh the information on the main screen.

    System Web Pages

    This group of web pages is designed to help you administer and control the IPCop

    server itself. To get to these web pages, select System from the tab bar at the top of the screen. The following choices will appear in a dropdown:

    Home - Returns to the home page.

    Updates - Allows you to query and apply fixes to IPCop.

    Passwords - Allows you to set the admin and optionally, the dial password.

    SSH Access - Allows you to enable and configure Secure Shell, SSH, access to IPCop.

    GUI Settings - Enables or disables the use of JavaScript and allows you to set the language of the web display.

    Backup - Backs up your IPCop settings either to files or to a floppy disk. You can also restore your settings from this web page.

    Shutdown - Shutdown or restart your IPCop from this web page.

    Credits - This web page lists the many volunteers and other projects that make IPCop so great.

    Status Menu

    This group of web pages provides you with information and statistics from the IPCop

    server. To get to these web pages, select Status from the tab bar at the top of the screen. The following choices will appear in a dropdown:

    System Status

    Network Status

    System Graphs

    Traffic Graphs

    Proxy Graphs

    Connections

    Services Menu

    As well as performing its core function of Internet firewall, IPCop can provide a

    number of other services that are useful in a small network.

    These are:

    Proxy (Web Proxy Server)

    DHCP Server

    Dynamic DNS Management

    Edit Hosts (Local DNS Server)

    Time Server

    Traffic Shaping

    Intrusion Detection System

    In a larger network it is likely that these services will be provided by dedicated servers

    and should be disabled here.

    DHCP Administrative Web Page

    DHCP (Dynamic Host Configuration Protocol) allows you to control the network

    configuration of all your computers or devices from your IPCop machine. When a

    computer (or a device like a printer, PDA, etc.) joins your network it will be given a

    valid IP address and its DNS and WINS configuration will be set from the IPCop

    machine. To use this feature new machines must be set to obtain their network

    configuration automatically.

    Traffic Shaping Administrative Web Page

    Traffic Shaping allows you to prioritize IP traffic moving through your firewall. IPCop uses WonderShaper to accomplish this. WonderShaper was designed to minimize ping latency and ensure that interactive traffic like SSH stays responsive, all while downloading or uploading bulk traffic.

    To use Traffic Shaping in IPCop:

    1. Use well known fast sites to estimate your maximum upload and download speeds. Fill in the speeds in the corresponding boxes of the Settings portion of the web page.

    2. Enable traffic shaping by checking the Enable box.

    3. Identify what services are used behind your firewall.

    4. Then sort these into your 3 priority levels. For example:

    a. Interactive traffic such as SSH (port 22) and VOIP (voice over IP) go into the high priority group.

    b. Your normal surfing and communicating traffic like the web (port 80) and streaming video/audio go into the medium priority group.

    c. Put your bulk traffic such as P2P file sharing into the low traffic group.

    5. Create a list of services and priorities using the Add service portion of the web page.

    The services, above, are only examples of the potential Traffic Shaping configuration.

    Depending on your usage, you will undoubtedly want to rearrange your choices of

    high, medium and low priority traffic.

    Intrusion Detection System Administrative Web Page

    IPCop contains a powerful intrusion detection system, Snort, which analyses the contents of packets received by the

    firewall and searches for known signatures of malicious activity.

    Snort is a passive system which requires management by the User. You need to monitor the logs, and interpret the

    information. Snort only logs suspicious activity, so if you need an active system, consider snort_inline or the guardian addon.

    You should also note that Snort is memory hungry, with newer versions using about 80Mb per interface. This

    depends in part on the ruleset used, and can be reduced by selection of the rules used.
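
    Because Snort here only logs, someone has to read and interpret the alerts. The following is an added example (not part of the original report or of IPCop) that summarises alerts per rule, most severe first; it assumes Snort's one-line "fast" alert format and IPv4 addresses, and every sample line, SID and address in it is constructed.

```python
import re
from collections import Counter, defaultdict

# One Snort "fast" alert per line: timestamp, [gid:sid:rev], message,
# optional classification, priority, protocol, source -> destination.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample (local-range SIDs, documentation addresses); the last
# line is deliberately truncated, as happens when a log is read mid-write.
SAMPLE_LOG = """\
07/30-02:14:07.120331  [**] [1:1000001:1] EXAMPLE SSH connection burst [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40112 -> 192.168.10.1:22
07/30-02:14:09.004512  [**] [1:1000001:1] EXAMPLE SSH connection burst [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40113 -> 192.168.10.1:22
07/30-02:20:41.771003  [**] [1:1000001:1] EXAMPLE SSH connection burst [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:51000 -> 192.168.10.1:22
07/30-02:31:15.300118  [**] [1:1000002:3] EXAMPLE admin GUI login attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.9:40200 -> 192.168.10.1:445
07/30-02:45:02.918274  [**] [1:1000003:1] EXAMPLE ICMP echo sweep [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.168.10.1
07/30-03:00:00.000000  [**] [1:1000001:1] EXAMPLE SSH conn
"""


def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); ICMP alerts carry no port."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alerts(text):
    """Return (alerts, unparsed). Unparsed lines are kept for review, not dropped."""
    alerts, unparsed = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        match = ALERT_RE.match(line)
        if match is None:
            unparsed.append(line)
            continue
        alert = match.groupdict()
        alert["prio"] = int(alert["prio"])
        alert["rule"] = f'{alert["gid"]}:{alert["sid"]}'
        alert["src_ip"], alert["src_port"] = split_endpoint(alert["src"])
        alert["dst_ip"], alert["dst_port"] = split_endpoint(alert["dst"])
        alerts.append(alert)
    return alerts, unparsed


def triage(alerts):
    """One row per rule, most severe first (priority 1 is Snort's highest)."""
    groups = defaultdict(lambda: {"count": 0, "sources": Counter()})
    for alert in alerts:
        group = groups[(alert["prio"], alert["rule"], alert["msg"])]
        group["count"] += 1
        group["sources"][alert["src_ip"]] += 1
    ordered = sorted(groups.items(), key=lambda kv: (kv[0][0], -kv[1]["count"]))
    return [
        {"priority": prio, "rule": rule, "msg": msg, "count": g["count"],
         "top_source": g["sources"].most_common(1)[0][0]}
        for (prio, rule, msg), g in ordered
    ]


if __name__ == "__main__":
    parsed, rejected = parse_alerts(SAMPLE_LOG)
    for row in triage(parsed):
        print(row)
    print(f"{len(rejected)} line(s) did not parse and need manual review")
```

    Lines that do not match are returned separately rather than discarded, so a format change or a truncated log shows up as a count to investigate instead of a silent gap in the summary.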

    Snort rules update

    A standard installation of IPCop comes with a set of Snort's default rules. As more attacks are discovered, the rules

    Snort uses to recognize them will be updated. To utilize Sourcefire VRT Certified rules you need to register on

    Snort's website www.snort.org and obtain an Oink Code.

    Select the correct radio button, add your Oink Code and click the Save button before your first attempt to download a ruleset. Then, click the Refresh update list button, followed by the Download new ruleset button, and finally click Apply now.

    After a successful operation the date and time will be displayed beside each button.

    The final button - Read last ruleset installation log - will display the last installation log.

    Firewall Menu

    Grouped together in the Firewall Menu are some of the core functions of IPCop which

    control how traffic flows through the firewall.

    These are:

    Port Forwarding

    External Access (Controls remote administration of IPCop from the Internet)

    DMZ Pinholes

    Blue Access (Connecting a Wireless Access Point to IPCop)

    Firewall Options

    Log Summary Page

    Displays the summary generated by logwatch for the previous day.

    No (or only partial) logs exist for the day queried

    Each logwatch summary is generated at midnight, and covers the preceding day's

    events. If you do not run your IPCop server overnight, you may not be able to view

    any summaries.

    Proxy Logs Page

    This page provides you with the facility to see the files that have been cached by the

    web proxy server within IPCop. The web proxy is inactive after first installation of

    IPCop, and may be activated (and deactivated) through a specific administration page (Services > Proxy).

    Adding Users to UTM for Secure Internet Access

    A web proxy server is a program that makes requests for web pages on behalf of all

    the other machines on your intranet. The proxy server will cache the pages it retrieves from the web so that if 3 machines request the same page only one transfer from the

    Internet is required. If your organization has a number of commonly used web sites

    this can save on Internet accesses.

    Normally you must configure the web browsers used on your network to use the

    proxy server for Internet access. You should set the name/address of the proxy to that

    of the IPCop machine and the port to the one you have entered into the Proxy Port box, default 800. This configuration allows browsers to bypass the proxy if they wish. It is also possible to run the proxy in transparent mode. In this case the browsers need no special configuration and the firewall automatically redirects all traffic on port 80, the standard HTTP port, to the proxy server.

    Local Proxy Authentication

    Local user authentication is the preferred solution for SOHO environments. Users need to authenticate when accessing web sites by entering a valid username and password. The user management resides on the IPCop Proxy Server. Users are categorized into three groups: Extended, Standard and Disabled.

    This authentication method lets you manage user accounts locally without the need for external authentication servers.

    Global authentication settings

    Number of authentication processes. The number of background processes listening for requests. The default

    value is 5 and should be increased if authentication takes too long or Windows integrated authentication falls back to

    explicit authentication.

    Authentication cache TTL. How long, in minutes, credentials are cached for each single session. If this time expires, the user has to re-enter the credentials for this session. The default is set to 60 minutes; the minimum is 1 minute. The TTL is always reset when the user sends a new request to the Proxy Server within a session.

    Local user manager

    The user manager is the interface for creating, editing and deleting user accounts.

    Within the user manager page, all available accounts are listed in alphabetical order.

    Group definitions. You can select between three different groups:

    Standard

    The default for all users. All given restrictions apply to this group.

    Extended

    Use this group for unrestricted users. Members of this group will bypass any time and filter restrictions.

    Disabled

    Members of this group are blocked. This can be useful if you want to disable an account temporarily

    without losing the password.

    Proxy service restart requirements. The following changes to user accounts will require a restart of the proxy

    service:

    A new user account was added and the user is not a member of the Standard group.

    The group membership for a certain user has been changed.

    The following changes to user accounts will not require a restart of the proxy service:

    A new user account was added and the user is a member of the Standard group.

    The password for a certain user has been changed.

    An existing user account has been deleted.

    Create user accounts

    Username. Enter the username for the user. If possible, the name should contain only alphanumeric characters.

    Group. Select the group membership for this user.

    Password. Enter the password for the new account.

    Password (confirm). Confirm the previously entered password.

    Create user. This button creates a new user account. If this username already exists, the account for this username

    will be updated with the new group membership and password.

    Back to main page. This button closes the user manager and returns to the main page.

    Edit user accounts

    A user account can be edited by clicking on the Yellow pencil icon. When editing a user account, only the group membership or password can be changed.

    While editing an account, the referring entry will be marked with a yellow bar.

    To save the changed settings, use the button Update user.

    Note

    The username cannot be modified. This field is read-only. If you need to rename a user, delete the user and

    create a new account.

    Client side password management

    Users may change their passwords if needed. The interface can be invoked by entering this URL:

    http://192.168.1.1:81/cgi-bin/chpasswd.cgi

    Replace 192.168.1.1 with the GREEN IP address of your IPCop.

    The web page dialog requires the username, the current password and the new password (twice for confirmation).

    CONCLUSION

    I started the project at Barsana Hotel & Resorts as my internship for Sikkim Manipal University. Once I knew the issues faced by the organization, I decided to implement the project myself with the kind guidance of Mr. Subhankar Dhar (Faculty, SMU). Since the project involved installation and purchase of complex hardware and software, I started the project first by analyzing the situation and formulating the correct hardware/software strategy.

    Since it was a mid industrial scale deployment of Wi-Fi infrastructure, the cost of commercial solutions was quite high, especially the cost of UTM/firewall hardware. Besides this, major hardware firewall vendors available in the market license their products on the number of concurrent users and also on a yearly renewal contract.

    After discussions with Mr. Prasun Kumar Nath (General Manager) of Barsana Hotel & Resorts, I took the challenge to develop the firewall appliance myself using GNU Linux, and after thorough testing I selected IPCop for its support, robustness and tested deployments across various industries.

    Once the new secured wireless network was ready, I personally supervised the network for a few days and trained the in-house staff on how to guide guests to connect their unique devices to the Barsana Wi-Fi network.

    Below is a brief description of the Wi-Fi setup.

    Wireless SSID : Barsana

    Security : WPA2/ PSK

    Pass Phrase : barsana@30 (the pass phrase is common among all the Wireless Routers)

    Login Page : http://www.google.com or any URL

    Once a Guest or user checks into the Hotel or Restaurant, the Guest and user can ask for the Wireless Key along with the Internet Access User Name and Password.

    Below is a detailed example of a situation:

    Suppose a Guest checks in. He stays on the fourth floor. Once he/she decides to connect their notebook or tablet, he/she can contact the reception helpdesk. At first the user needs the WPA2/PSK key, which the receptionist provides immediately.

    Once the Guest provides the Wireless Security Key, the user gets access to the Wireless Network. Immediately when the user tries visiting any webpage, the URL of the requested page gets replaced with the IPCop login page. Suppose the guest stays in 4th floor room no. 402; then the User Name is user and the default password is barsana@402. All these details are provided by the Hotel Reception or the helpdesk sitting in the Restaurant/Bar/Conference Hall/Lobby.

    Once the user gets authenticated they can immediately start surfing the Internet. Presently there is no cap on usage limit and Barsana Hotel & Resort provides Internet access absolutely free of cost as a complimentary service to all its Guests and Visitors.

    Impact of New Wireless Setup with Inbuilt Security Features:

    Robust and Fast Internet.

    Near Zero Downtimes except Broadband/Leased Line Failure.

    100% Maintenance Free Network.

    Inherent inbuilt Security Features like Print and File Sharing Disabled.

    100% Guaranteed QOS (Quality of Service) for Mission Critical Applications.

    One of the fastest Internet Gateways offered by any Hotel/Resort in North East India.

    In-house staff relieved from Internet slowing down; they only receive compliments for great Internet Experience.

    As I mentioned earlier, my project is based on the specialization in Information System, and the project work has been carried out in the hospitality industry, i.e. Barsana Hotel & Resorts. Its infrastructure became a losing concern as its guests and visitors were unhappy with the Internet experience, so it was necessary to have a clear picture of the network architecture, Internet functionality and the IT infrastructure of the organization, where customer satisfaction was very much desirable. Information was thus collected from the Operations Desk, Sales Department, Production Department and Marketing Department of the works. I am appending the details of the project work as mentioned below:

    1. Introduction with UTM Devices: All the related matter has been taken from the Internet (http://searchsecuritychannel.techtarget.com/guide/Introduction-to-UTM)

    2. IPCop Deployment: All the related matter has been taken from the IPCop technical documentation team (http://www.ipcop.org/2.0.0/en/install/html/index.html)

    3. Special Feature: During training and classes and discussion made by Free Software Foundation, Oracle Corporation, XFree86 Org.

    4. Hardware Partners: Cyber Informatics, Siliguri, for providing me all necessary hardware to complete the project.

    5. Department Related to Specialization Subject: All related figures have been collected from the Accounts Deptt., where Mr. Dipendra Dev Raikut helped me a lot. However, with the help of this data and ratio analysis, which has been carried out by myself, I have tried my best to clarify and justify the actual position of the works and what is required in future for the revival of the network and the cause of its ailing.

    6. Aims and Objective: Made by myself as per the departmental study.

    7. Methodology: The related information has been collected from concerned persons and related websites.

    8. Analysis: All related data, month wise, can be collected from Mr. Dipendra Dev Raikut regarding Network Performance, Internet Speed, Customer Satisfaction, Network Downtimes.
