VPN Network Design For SME

Criteria for VPN Network Design

After a detailed investigation of the infrastructure of the organization and identification of the needs of the network the report is prepared. The current needs of the organization is to establish a VPN connection between remote sites of the same organization and securely transmission of the data packets in the network. The success of the development of the network depends on the successful implementation of the VPN. The VPN services that should be identified that are needed by the organization and the scopes of the project should be defined for the implementation of the new technology.

For the development of the VPN network the current network framework should be identified and with the required number of hardware and software that are essential for the development of the network. The network device should be configured according to the needs of the organization and there should be used in future for the expansion of the current network. The network should be connected with a wireless router such that the users with mobile devices can connect with the wifi network for sending and receiving data packets in the network. A secure cloud solution can be used for the storage of the data and allowing the access to the limited number of users for the management of the information.

During the project development different barrier or constraint can rise that can affect the project development such as the addition of extra cost during the progress of the project. The unavailability of a hardware device and incompatibility of a device with the protocols and service required for the configuration of the vpn network should be identified before the selection of the network hardware. The skills and knowledge of the network engineer for configuration and troubleshooting the network can also become a problem for the development of the network.

For the analysis of the requirement the stakeholders must be involved and the service required by them should be identified. The list of requirement for the development of the network are listed below:

• Quality of standards should be followed for the selection of the hardware device and its installation in different parts of the network.
• The traffic in the network should be sub divided by creating different vlan for each of the department
• The access of the servers connected in the network should be restricted such that the employees cannot physically access the data.
• The server should be virtualized for the management of the load and fulfill the request of the user without any delay.
• Use of Ip addressing plan should be prepared according to the number of user for each of the department and configuration of the access network device according to the addressing plan.
• A RADIUS server should be installed for the management of the authentication and authorization of the user connected with then network.

a. Logical Design

 

b. Physical Design

 

c. Network Topologies

For the development of the network the selection of the topology is important for the deployment of the network device and configuration of the network. The branch is connected using the vpn hub and spoke topology such that all the communication between the remote branches is done using the central server. A site to site vpn connection is established between the remote branches connected with each other and traffic of the internal network is passed via the hub and then the out to the destination address.

Infrastructure Investigation and Project Scope

d. IP Addressing

Major Network: 172.139.28.0/22

Available IP addresses in major network: 1022

Number of IP addresses needed: 500

Available IP addresses in allocated subnets: 696

About 69% of available major network address space is used

About 72% of subnetted network address space is used

Subnet Name	Needed Size	Allocated Size	Address	Mask	Dec Mask	Assignable Range	Broadcast
Administrative network	50	62	172.139.30.128	/26	255.255.255.192	172.39.30.129 – 172.39.30.190	172.139.30.191
Finance Network	100	126	172.139.30.0	/25	255.255.255.128	172.39.30.1 – 172.39.30.126	172.139.30.127
Sales Network	200	254	172.139.28.0	/24	255.255.255.0	172.139.28.1 – 172.139.28.254	172.139.28.255
Dispatch Network	150	254	172.139.29.0	/24	255.255.255.0	172.139.29.1 – 172.139.29.254	172.39.29.255

e. Security features and policies

The application of the IPSec design between the routers can create an encrypted channel with the spoke router. The A multi-layer security model is selected for the management of the security of the network framework. The internal network is divided into different modules such that a specific module can be provided with limited access. The use CHAP authentication and RADIUS server help in maintaining the identity of the user.

f. Redundancy and failover plans

The fail over plan and the redundancy can be used for the creation of the back up link and help in increasing the network uptime. The source can reach the destination via multiple path and if one path is unavailable the other path is selected for successfully delivering the data packet.

g. VPN service implementation

For the implementation of the vpn service the router of the organization needs to be configured with the ipsec policy and an encryption key should be used for the authentication of the access of the remote user. For the implementation of the VPN service a research is done on maintaining the confidentiality of data, tunneling, authentication, integration of data. The IPSEC, PPP, MPPE protocols are used for the management of the authorization and encryption of the channels to secure the network.

For the development of the network the access of the security controls should be available to the network administrator such that it is ensured that the data is sent and received using secure communication tunnel. A proper authentication mechanism is followed for the authentication and authorization of the users  for creating a unique identification procedure. It is used for management of the corporate resources and ensuring secure transmission of data.

Network Diagram for configuring IPsec Client VPN

 

Configuration of Crypto isakmp

 

Installation of the Email and the file server in the DMZ zone improves the security and reliability of the network and it creates a perimeter of the network where the internal resources are secured from the external resources. The DMZ is configured such that an additional security layer is imposed in the network and allows the network administrator to easily identify the breaches in the network. The demilitarized zone is created for protecting the network from different types of vulnerability and protect the network from the internal and the outside users.

Conclusion

It can be concluded that the requirement of a SME organization should be analyze for the selection of the vpn service that would help the organization to meet their long term goals. It is important to create an security policy for maintaining the access of the user to the different parts of the network. For the establishment nt of the remote connection the VPN hub and spoke topology is selected where a failover plan is also created for the management of the complexity of the network. The network suitable for the small and medium sized organization should be identified for the management of the current network capacity and management of the growth of the organization.

1. Brewer, “Advanced persistent threats: minimising the damage”, Network Security, vol. 2014, no. 4, pp. 5-9, 2014.

“IEEE/ACM Transactions on Networking society information”, IEEE/ACM Transactions on Networking, vol. 24, no. 5, pp. C3-C3, 2016.

1. Langenhan, VMware View Security Essentials. Packt Publishing, 2013.

“Optical Switching and Networking”, Optical Switching and Networking, vol. 10, no. 4, pp. 463-464, 2013.

1. Subramaniam, M. Brandt-Pearce, P. Demeester and C. Vijaya Saradhi, Cross-Layer Design in Optical Networks. Boston, MA: Springer US, 2013.

“Introduction to Information Security”, Network Security, vol. 2013, no. 12, p. 4, 2013.

“The Practice of Network Security Monitoring”, Network Security, vol. 2014, no. 10, p. 4, 2014.

Wang, “The Design of Improved Elman Network Intrusion Detection Algorithm in Digital Campus Network“, Advanced Materials Research, vol. 1049-1050, pp. 2096-2099, 2014.

Kermanshahi, Y. Shafahi and M. Bagherian, “Application of a new rapid transit network design model to bus rapid transit network design: case study Isfahan metropolitan area”, Transport, vol. 30, no. 1, pp. 93-102, 2013.

Yadegari, M. Zandieh and H. Najmi, “A hybrid spanning tree-based genetic/simulated annealing algorithm for a closed-loop logistics network design problem”, International Journal of Applied Decision Sciences, vol. 8, no. 4, p. 400, 2015.

Liu and W. Qu, “Design of Campus Network Database Access Based on Encryption”, Applied Mechanics and Materials, vol. 608-609, pp. 331-335, 2014.

Hosapujari and A. Verma, “Development of a Hub and Spoke Model for Bus Transit Route Network Design”, Procedia – Social and Behavioral Sciences, vol. 104, pp. 835-844, 2013.

“The Comprehensive Evaluation Research of Campus Network Security Based on the Analytic Hierarchy Process (AHP)”, INTERNATIONAL JOURNAL ON Advances in Information Sciences and Service Sciences, vol. 5, no. 7, pp. 809-816, 2013.