
Title: Firewall Implementation and Configuration using OPNET

Muhammad Junaid Ashfaq (09-TE-25), junaid.uet09@gmail.com Saad Shahid Khokhar (09-TE-01), saad.khokhar@hotmail.com University of Engineering and Technology, Taxila.
Format: Our project domain is based mainly on simulations generated using one of the best available network simulation and research tools, OPNET IT Guru. We tried our best to keep the network optimizations close to real-world scenarios. The network we worked with is that of the University of Engineering and Technology, Taxila. We applied firewall and Virtual Private Network (VPN) practices to see the difference in link utilization and DB query response before and after implementation.
Abstract: Network security has become a major priority for both network design and implementation. Due to this fact, interest in making network communications secure has increased at the same rate as access to Internet services. A firewall is one of the important tools for achieving network security and guaranteeing proper use of link bandwidth. Our project concentrates on implementing firewall policies and understanding their effect on application performance and link utilization. It is often impossible to measure their effectiveness in real life because of network administrators' fears or prejudice, but simulation opens the path to solving problems that are hard to fix in real life. We have implemented a CISCO PIX firewall in OPNET and configured it to obtain the desired results.

After creating the exact physical structure of the UET network and joining it with the same specified link cables, we ran simulations using various individual and global scenarios.

A firewall is a specially programmed router that sits between a site and the rest of the network. It is a router in the sense that it is connected to two or more physical networks and it forwards packets from one network to another, but it also filters the packets that flow through it. A firewall allows the system administrator to implement a security policy in one centralized place. Filter-based firewalls are the simplest and most widely deployed type of firewall. They are configured with a table of addresses that characterize the packets they will and will not forward.

The firewall is a network device that is mainly used to block certain protocols over the network. By doing this you can limit the traffic on the network. By blocking the traffic of some protocols you not only save link bandwidth but also ensure network security. Over a network there are some useful, or high-priority, applications running which need some minimum bandwidth to ensure proper security and quality of service (QoS). There are also some applications that are not only less useful for the setup but also consume a large amount of bandwidth. Blocking those services guarantees low response time for priority services. In the UET network, for instance, HTTP is a more important and useful service than FTP: many research processes run with the help of it, and students use it for information in their regular activities. FTP is not as important but can consume very useful bandwidth, so we applied the firewall to FTP, blocking its traffic over the network.

I. INTRODUCTION

In any network the link bandwidth is limited, so we have to apply certain procedures to make sure that the available link is utilized correctly and assigned on a priority basis. As an example we took the network structure of UET, Taxila. We examined the topologies and generated the exact topologies in OPNET. We tried to stick with the same device specifications that are present in the physical network. To generate that network in OPNET we carefully examined the OPNET documentation [1]. We also examined the behaviour of LANs in OPNET.

A VPN is an example of providing controlled connectivity over a public network such as the Internet. VPNs utilize a concept called an IP tunnel, a virtual point-to-point link between a pair of nodes that are actually separated by an arbitrary number of networks. The virtual link is created within the router at the entrance to the tunnel by providing it with the IP address of the router at the far end of the tunnel. Whenever the router at the entrance of the tunnel wants to send a packet over this virtual link, it encapsulates the packet inside an IP datagram. The destination address in the IP header is the address of the router at the far end of the tunnel, while the source address is that of the encapsulating router. We use three scenarios in our project to elaborate the results:
1. Network without firewall.
2. Network with firewall implemented.
3. Firewall network with VPN.

Screenshot of no firewall scenario

Here for example we take the SE lab in the Telecom Dept. subnet. After running the network for 0.5 hour the results show that every service is available in the SE lab. In this scenario no firewall is implemented, so every application is running over the network. For the SE lab individual statistics we mark the following criteria:
i. DB query - traffic received (bytes/sec)
ii. FTP - traffic received (bytes/sec)
iii. HTTP - traffic received (bytes/sec)
iv. Email - traffic received (bytes/sec)

We discuss these scenarios later. Applying the firewall and VPN network guarantees the following results:
Low overall (global) response time
Secure database access
Proper link utilization

The UET network consists of five subnets, a 100BaseT LAN in the Admin block and a 100BaseT LAN at NARC. The five subnets further have LANs of 100 Mbps links and an eth6_tr6_switch FDDI access switch. All these subnets and LANs are connected to an eth16_tr16_switch core switch, also FDDI, through gigabit Ethernet with a speed of 10 Gbps. The traffic of this core switch is then connected to a proxy router, Ethernet4_slip8_gateway, which is connected with the server room via PPP DS1 at the serial ports. The server room has three servers: a database server, a services server providing FTP and SMTP, and a web server hosting the university website. The proxy router is then connected to an edge router which transfers the traffic to the Pakistan Internet Exchange.

II. RESEARCH WORK

We first look at scenario 1, having no firewall.

Screenshot of SE lab simulation results

Now look at scenario 2. Here we converted the eth4_slip8 gateway to an eth4_slip8 firewall, also known as the CISCO PIX firewall. After implementation we configured this firewall's proxy server info to block traffic of database access and FTP over the whole network.

Screenshot of Firewall scenario

By updating the proxy server info in the firewall we ran the simulation again for 0.5 hour for the Admin block, and the results show that traffic of DB access and FTP has been blocked over the entire network, while the traffic of HTTP and email remained open.

Screenshot of simulation results for DB & FTP traffic in Admin block (Firewall Scenario)

Screenshot of simulation results for HTTP & Email traffic in Admin block (Firewall Scenario)

Here we encountered a problem: the Admin block, NARC and the network administrator are authenticated for DB access of the university and also for FTP services. This is entertained in scenario 3, where we applied a Virtual Private Network (VPN) in addition to the firewall. For the global statistics we select the following criteria:
i. DB query - response time (seconds)
ii. HTTP - response time (seconds)
iii. FTP - response time (seconds)
iv. Email - response time (seconds)

Screenshot of Firewall + VPN scenario

Screenshot of the Admin block implementing VPN

In this scenario we used two eth4_slip8 gateway routers. One is applied as the tunnel source router and the other as the tunnel destination router. The source router is connected with the Admin block, NARC and Network Admin. The destination tunnel router is connected between the edge router and the Pakistan Internet Exchange via a DS3 PPP link. In the VPN configuration we mentioned Admin, NARC and Network Admin in the remote client list. This will tunnel the DB and FTP traffic to these networks, but DB and FTP traffic is still inaccessible for the rest of the network.
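The three scenarios described above (no firewall; PIX firewall blocking DB and FTP network-wide; the same firewall with DB/FTP tunnelled to the VPN remote client list), modelled as an added Python example that is not the authors' OPNET model. The subnet names and the traffic records are constructed sample input; "NetAdmin" is an assumed short name for the paper's "Network Admin".

```python
from collections import defaultdict

# Applications the CISCO PIX firewall (scenario 2) is configured to block network-wide.
BLOCKED_APPS = {"DB", "FTP"}
# Subnets on the VPN remote client list (scenario 3); "NetAdmin" is an assumed
# short name for the paper's "Network Admin".
VPN_REMOTE_CLIENTS = {"Admin", "NARC", "NetAdmin"}

def allowed(scenario, app, subnet):
    """True if traffic for `app` reaches `subnet` under the given scenario.

    1: no firewall, everything forwarded
    2: firewall blocks DB and FTP for the whole network
    3: same firewall, but DB/FTP for remote-client subnets travels inside the
       IP tunnel, so the filter does not see it as DB/FTP and it gets through
    """
    if scenario == 1 or app not in BLOCKED_APPS:
        return True
    return scenario == 3 and subnet in VPN_REMOTE_CLIENTS

def traffic_received(scenario, flows):
    """Per-(subnet, app) bytes/sec, like OPNET's 'traffic received' statistic."""
    stats = defaultdict(int)
    for subnet, app, bps in flows:
        if allowed(scenario, app, subnet):
            stats[(subnet, app)] += bps
    return dict(stats)

def bandwidth_saved(scenario, flows):
    """Bytes/sec the firewall keeps off the links compared with scenario 1."""
    return sum(b for _, _, b in flows) - sum(traffic_received(scenario, flows).values())

# Constructed sample flows: (destination subnet, application, bytes/sec).
SAMPLE_FLOWS = [
    ("SE_Lab", "HTTP", 4000), ("SE_Lab", "FTP", 2500),
    ("SE_Lab", "DB", 800), ("SE_Lab", "Email", 300),
    ("Admin", "HTTP", 1500), ("Admin", "FTP", 900), ("Admin", "DB", 1200),
    ("NARC", "DB", 600), ("NARC", "Email", 200),
]

if __name__ == "__main__":
    for s in (1, 2, 3):
        print(f"scenario {s}: saved {bandwidth_saved(s, SAMPLE_FLOWS)} B/s,",
              traffic_received(s, SAMPLE_FLOWS))
```

Adding a subnet to VPN_REMOTE_CLIENTS mirrors adding it to the remote client list in the OPNET VPN configuration: its DB and FTP flows reappear in scenario 3 while the rest of the network stays blocked.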

Screenshot of SE lab after implementing VPN

So our setup network produces the desired result. Now if you want to add another network or node to the VPN, just add its name to the remote client list of the VPN configuration.

III. CONCLUSION

After implementing the VPN firewall network, we achieved security and an important goal, low response times for priority services over the network. Security in the sense that now only authorized entities, in the Admin block, NARC and Network Admin, can access the university database hub. Also only these networks can use FTP services in the UET network. The simulation results of all three scenarios are compared, and the obtained results are the desired ones. The red line shows the result of the firewall and VPN network while the blue line shows the result of the network without firewall. It is clear that after implementing the firewall the response times of database access and FTP have decreased a great deal.

Simulation results of firewall-less and firewall & VPN network for DB query

Simulation results of firewall-less and firewall & VPN network for FTP

IV. FUTURE WORK

This setup can be tested with different topologies and links to cut down costs. Also, the firewall can be implemented with more custom settings.

V. BIBLIOGRAPHIC STUDY/RELATED WORK

OPNET conducts several training programs on network simulation technologies and implementation in collaboration with many universities. You can visit it over the Internet:

http://www.opnet.com/university_program/research_with_opnet/

Cisco is also a leading organization in educating and certifying students on network problems. They are conducting several research domains in this regard. Visit https://learningnetwork.cisco.com/index.jspa

VI. REFERENCES

[1] OPNET documentation, http://www.opnet.com
[2] OSSTMM documentation, http://www.isecom.org
[3] ITU - Committed to connecting the world, http://www.itu.int/

VII. AUTHORS' BIOGRAPHY

MR. MUHAMMAD JUNAID ASHFAQ has completed his FSc from Pakistan International School, Riyadh in 2009 with A GRADE. Now he is a student of Telecommunication Engineering at University of Engineering and Technology, Taxila. He has previously written a research paper with the title: Job Saturation in Global Telecom Industry.

MR. SAAD SHAHID KHOKHAR has completed his FSc from F.G Degree College for Men, Wah Cantt in 2009 with A GRADE. He was awarded a MERIT SCHOLARSHIP CERTIFICATE in 2008 for obtaining A+ grade in FSc part-I. Now he is in a 4 year BSc program in the field of Telecommunication Engineering at University of Engineering and Technology, Taxila. He has previously written a research paper with the title: Job Saturation in Global Telecom Industry.
