Netaxess - Technical document for Sify

Posted on 18-Jan-2015

Page 1: Netaxess - Technical document for sify

Technical document for ISP

First of all, we would like to thank you for giving us the opportunity to test our product further. This document briefly describes what else the product offers and how it can be used for various applications. For Indian telecom operators we have developed special features such as VRRP, IPsec, GRE, VLAN and content filtering (domain filtering and URL filtering), and we have developed a failover mechanism based on keep-alive.

A brief note on TelExcell, what we do and how long we have been doing it. In one sentence: we work mainly with ISPs and always prefer to route the case through the ISP as well. We already have experience of working with various ISPs, so we know the support and services an ISP expects.

“We align technology to business goals. That's the solution, not the technology itself.” Mahendra Lalwani | MD

TelExcell Information Systems Ltd. is one of the leading value-added distributors, with a track record of launching the industry's most innovative wireless, access control, security and networking products. We are one of the pioneers in introducing networking and communication products in the country. TelExcell's main focus is wireless and security, which is implied in all of our innovative and often unique solutions that meet the common and specialist requirements of customers. Where possible, TelExcell has a direct relationship with manufacturers, avoiding many of the issues that can occur when a distribution company is used. The direct relationship ensures the highest quality logistics, technical knowledge and technical support across the entire sales cycle. TelExcell reviews the security environment as a whole and advises organizations on the best practices and applications to meet legal and company obligations. It constantly reviews new technologies to satisfy emerging customer requirements.
We have the best choice of voice and data solutions available to help your business excel. TelExcell is renowned for introducing unique and emerging technologies into India. We are one of the pioneers in introducing networking and communication products in the country, having started operations back in 1993.

Page 2: Netaxess - Technical document for sify

Our business is focused on three solution areas:

Communications: TelExcell installs and maintains communications solutions, such as the latest in unified communications, contact center, network security, wireless, IP and traditional telephony, and more. We offer a complete services portfolio, including system maintenance plans and remote monitoring services.

Infrastructure: TelExcell provides planning, installation and maintenance services for all types of data infrastructure, from structured cabling to wireless networks to CATV, and the latest in integrated networking solutions such as routers, switches and security applications.

Products: TelExcell's portfolio includes all the key technologies required to build today's high-performance networks, including Switching, Routing, Wireless, Access, RF Connectivity, IP Telephony, Unified Communications, Mobility, Network Security and Access Storage.

Page 3: Netaxess - Technical document for sify

Coming to the product overview: the following sections list the applications the product can be used for, with a brief overview of what we support and how it can be used to design the solution.

1. IPsec site-to-site application

Page 4: Netaxess - Technical document for sify

[Diagram: site-to-site IPsec tunnel. LAN - WAN router - Internet - WAN router - LAN, one router at each site.]

Brief about IPsec: the VPN settings create virtual private tunnels to remote VPN gateways. The tunnel provides data confidentiality, data origin authentication and data integrity for network traffic by combining an encapsulation protocol, encryption algorithms and hashing algorithms.
• VPN enable: a VPN protects traffic from eavesdropping on untrusted networks, but it noticeably reduces throughput. Enable it only when you actually need a secure tunnel; it is disabled by default.
• Max. number of tunnels: because VPN processing reduces throughput, the number of tunnels that can exist at the same time is limited. Set this value with care; it ranges from 1 to 80.
• Tunnel name: identifies the tunnel currently being edited.
• Method: IPsec VPN supports two keying methods, manual key and automatic key exchange (IKE). With manual keying, the administrators of both gateways enter the authentication and encryption keys by hand; those keys are static and never rotate, and manually keyed SAs have no anti-replay protection, so manual keying is suitable only for testing. With IKE, the keys are negotiated automatically; the administrators of both gateways only need to configure the same pre-shared key.

Function of buttons

More...: opens the detailed configuration for the manual key or IKE approach.

IPsec tunnel establishment consists of two phases.

1. IKE Phase 1: the parameters configured here (encryption algorithm, hash algorithm, authentication method, Diffie-Hellman group, lifetime) set up an authenticated, encrypted control channel (the IKE/ISAKMP SA) between the two sites. The session keys are derived with Diffie-Hellman, so a third party observing the exchange cannot recover them; the pre-shared key or certificate only authenticates the two peers to each other.

Page 5: Netaxess - Technical document for sify

2. IKE Phase 2: the parameters configured here (the ESP transform, i.e. the encryption and integrity algorithms, the lifetime and the optional PFS group) negotiate the IPsec SAs that actually encrypt the data. To create an IPsec tunnel between two locations, both sides must agree on at least one Phase 1 policy and one Phase 2 proposal; in practice this means configuring the same Phase 1 and Phase 2 parameters on both sides, with the interesting-traffic selectors mirrored.

Configuration parameters: a., b., c. (screenshots, not reproduced in this transcript)

Page 6: Netaxess - Technical document for sify

2. As IPsec server (access server)

Page 7: Netaxess - Technical document for sify

[Diagram: IPsec access server. Delhi: NA-3G-VWR acting as IPsec server. Remote sites Bangalore, Hyderabad, Chennai and Jaipur connect over the Internet, either with their own NA-3G-VWR or with IPsec client software.]

For the retail segment, a Netaxess router can be configured as the IPsec server (a dynamic access server). At the remote sites we can either use the same Netaxess boxes or ask the customer to use IPsec client software, which reduces CAPEX and OPEX.

Page 8: Netaxess - Technical document for sify

Configuration detail for the access server (screenshot, not reproduced in this transcript)

Page 9: Netaxess - Technical document for sify

3. Customers with a firewall at the central site, where a private IP address behind the firewall is mapped to the IPsec server for security purposes.

Customers such as banks normally place their IPsec device behind a firewall, and the firewall maps a public IP address to the IPsec server's private address for security reasons. Such customers typically have 20 to 30 users at a remote site, so a Netaxess router can be used at the remote site to reduce cost. Because the IPsec server sits behind a NAT, the firewall must let the tunnel traffic through to the mapped address: with a static one-to-one mapping it must forward UDP 500, UDP 4500 and ESP (IP protocol 50); if it applies port translation instead, only NAT traversal (NAT-T over UDP 4500) works, because ESP has no port numbers, and both peers must support NAT-T.

[Diagram: Delhi central site: Cisco router (LAN 192.168.8.1 with hosts 192.168.8.2, .3, .4; WAN-side address 192.168.1.177) behind a firewall (inside address 192.168.1.1) and a switch; the firewall maps public 203.110.84.69 to 192.168.1.177, so the Cisco router is the IPsec server. Public address 203.110.80.67 is also shown on the Delhi side. Bangalore remote site: NA-3G-VWR, WAN 115.80.x.x, LAN 192.168.123.254.]

Configuration detail on the Netaxess router (screenshot, not reproduced in this transcript)

Page 10: Netaxess - Technical document for sify
Page 11: Netaxess - Technical document for sify

On the Cisco router (running configuration as captured; this is a lab configuration):

Current configuration : 4084 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.124-13b.bin
boot-end-marker
!
logging buffered 51200 warnings
enable password cisco
!
no aaa new-model
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.8.1 192.168.8.9
ip dhcp excluded-address 192.168.8.101 192.168.8.254
!
ip dhcp pool ccp-pool1
   network 192.168.8.0 255.255.255.0
   domain-name cisco.com
   default-router 192.168.8.1
!
ip domain name yourdomain.com
ip name-server 4.2.2.2
ip name-server 8.8.8.8
!
username cisco123 privilege 15 secret 5 $1$6DW6$G6JVPN9Uqyoo6/vddSGzL.
!
! IKE Phase 1 policy: 3DES, MD5, pre-shared key, DH group 2
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Wildcard pre-shared key: the same key is accepted from any peer address
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
! IKE Phase 2 transform set
crypto ipsec transform-set ankit esp-3des esp-md5-hmac
!
! Dynamic crypto map: remote sites with unknown or changing addresses
crypto dynamic-map dynamic 11
 set security-association lifetime seconds 28800
 set transform-set ankit
 set pfs group2
 match address 103
!
crypto map remotesite 11 ipsec-isakmp dynamic dynamic
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.1.177 255.255.255.0
 ! "ip nat outside" was missing from the captured configuration; without it the
 ! "ip nat inside source ... overload" statement below never translates anything
 ip nat outside
 duplex auto
 speed auto
 crypto map remotesite
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! ACL 101 (NAT): traffic bound for the VPN (192.168.0.0/16) is exempted from translation
access-list 101 deny   ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
! ACL 103 (crypto map): interesting traffic for the tunnels
access-list 103 permit ip 192.168.8.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 103 deny   ip 192.168.8.0 0.0.0.255 any
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you
exit this session.

It is strongly suggested that you create a new username with a privilege
level of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want
to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

yourname#

Before this configuration is used outside the lab, note the following. The ISAKMP policy (3DES, MD5, DH group 2) and the transform set (ESP-3DES with MD5-HMAC) are legacy choices; use AES, SHA-2 and DH group 14 or higher wherever both peers support them. The pre-shared key cisco123 is bound to address 0.0.0.0 0.0.0.0, so every remote site shares one key and any host that obtains it can bring up a tunnel to the hub; with a dynamic crypto map that key is the only thing authenticating the remote sites, so it must at least be long and random, and certificates are the better option. The enable password, the vty line password and the Cisco CP user cisco123 are all lab defaults, passwords are stored in clear text (no service password-encryption), and management is over Telnet and plain HTTP; change the credentials, enable service password-encryption, and move management to SSH and HTTPS. Access-list 23, referenced by ip http access-class and by the vty access-class, is not present in the capture, and an access-class that refers to an undefined ACL restricts nothing. Finally, ACL 101 (NAT exemption) and ACL 103 (interesting traffic) describe the same 192.168.0.0/16 destination range and must be kept consistent with each other and with the selectors configured on the remote Netaxess routers.
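The Phase 1 / Phase 2 matching requirement stated on page 5 and the review of the configuration above can both be done mechanically. The following is an added example written for this page, not part of the Netaxess product or of Cisco's tooling: it parses the crypto-relevant lines of an IOS-style configuration, flags the legacy settings (DES/3DES, MD5, small DH groups, a wildcard pre-shared key), and compares two peers to find a shared Phase 1 policy and a shared Phase 2 transform set plus PFS group. HUB_CFG is trimmed from the captured router configuration; SPOKE_CFG is a constructed remote-site configuration assumed for the example (its key, transform-set names and the peer address 203.110.84.69 from the diagram are illustrative). The spoke deliberately keeps a legacy policy alongside a hardened one and uses a different PFS group, which is the kind of mismatch that leaves Phase 1 up and Phase 2 failing.

```python
"""Audit IKE/IPsec settings in IOS-style configs and check two peers for a
common proposal. Added example for this page; not Netaxess or Cisco code.
HUB_CFG is trimmed from the router config captured on the page; SPOKE_CFG is
a constructed remote-site config (key, names and peer address are assumed)
that is hardened to AES/SHA-256 but still offers the legacy policy."""
import re

HUB_CFG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ankit esp-3des esp-md5-hmac
crypto dynamic-map dynamic 11
 set transform-set ankit
 set pfs group2
"""

SPOKE_CFG = """\
crypto isakmp policy 5
 encr aes
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key per-site-secret address 203.110.84.69
crypto ipsec transform-set strong esp-aes esp-sha256-hmac
crypto ipsec transform-set legacy esp-3des esp-md5-hmac
crypto map remotesite 11 ipsec-isakmp
 set transform-set strong legacy
 set pfs group14
"""

WEAK_ENCR = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5", "group1", "group2", "group5"}


def _blocks(cfg):
    """Yield (command, [sub-commands]); indented lines belong to the last command."""
    cmd, subs = None, []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            subs.append(raw.strip())
        else:
            if cmd is not None:
                yield cmd, subs
            cmd, subs = raw.strip(), []
    if cmd is not None:
        yield cmd, subs


def parse_ios(cfg):
    p = {"policies": [], "transforms": {}, "psk": [], "offered": [], "pfs": None}
    for cmd, subs in _blocks(cfg):
        w = cmd.split()
        if cmd.startswith("crypto isakmp policy "):
            # IOS defaults for omitted lines: DES, SHA-1, RSA signatures, group 1.
            pol = {"priority": int(w[3]), "encr": "des", "hash": "sha",
                   "authentication": "rsa-sig", "group": "1"}
            for s in subs:
                k, _, v = s.partition(" ")
                if k in pol:
                    pol[k] = v
            p["policies"].append(pol)
        elif cmd.startswith("crypto isakmp key "):
            m = re.match(r"crypto isakmp key (\S+) address (\S+)(?: (\S+))?$", cmd)
            p["psk"].append((m[1], m[2], m[3] or "255.255.255.255"))
        elif cmd.startswith("crypto ipsec transform-set "):
            p["transforms"][w[3]] = (w[4], w[5] if len(w) > 5 else None)
        elif cmd.startswith(("crypto dynamic-map ", "crypto map ")):
            for s in subs:
                if s.startswith("set transform-set "):
                    p["offered"] += s.split()[2:]
                elif s.startswith("set pfs "):
                    p["pfs"] = s.split()[2]
    return p


def audit(p):
    """Findings a reviewer would raise before this configuration leaves the lab."""
    f = []
    for pol in p["policies"]:
        for k, weak in (("encr", WEAK_ENCR), ("hash", WEAK_HASH), ("group", WEAK_DH)):
            if pol[k] in weak:
                f.append(f"isakmp policy {pol['priority']}: legacy {k} {pol[k]}")
    if any(addr == mask == "0.0.0.0" for _, addr, mask in p["psk"]):
        f.append("wildcard pre-shared key: one key authenticates every peer")
    for name, (enc, auth) in p["transforms"].items():
        if enc in WEAK_ENCR or auth in WEAK_HASH:
            f.append(f"transform-set {name}: legacy {enc}/{auth}")
    if p["pfs"] in WEAK_DH:
        f.append(f"pfs {p['pfs']}: small DH group")
    return f


def phase1_common(a, b):
    """(priority_a, priority_b) pairs whose cipher, hash, auth and DH group agree."""
    keys = ("encr", "hash", "authentication", "group")
    return [(x["priority"], y["priority"]) for x in a["policies"]
            for y in b["policies"] if all(x[k] == y[k] for k in keys)]


def phase2_common(a, b):
    """First transform both sides offer, and whether the PFS groups agree
    (checked strictly, as the page requires identical Phase 2 parameters)."""
    off_a = [a["transforms"][n] for n in a["offered"] if n in a["transforms"]]
    off_b = [b["transforms"][n] for n in b["offered"] if n in b["transforms"]]
    return {"transform": next((t for t in off_a if t in off_b), None),
            "pfs_ok": a["pfs"] == b["pfs"]}
```

Running audit(parse_ios(HUB_CFG)) lists the six findings discussed in the notes above; phase1_common reports that only the spoke's legacy policy 10 matches the hub's policy 1, and phase2_common finds a shared 3DES/MD5 transform but a PFS mismatch (group2 against group14), so the tunnel would negotiate Phase 1 and then fail in Phase 2 until one side is changed.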

Page 15: Netaxess - Technical document for sify

4. GRE-based solution for site-to-site and hub-and-spoke topologies

Page 16: Netaxess - Technical document for sify
Page 17: Netaxess - Technical document for sify

5. Solution based on L2TP and PPTP. We use these protocols for customers who do not want to spend much and do not want separate client software; they connect with the VPN client built into Windows XP. Note that PPTP's MS-CHAPv2 authentication is known to be breakable offline from a captured handshake, and the MPPE session keys are derived from it, so PPTP should not be relied on for confidentiality; where the built-in Windows client is a requirement, L2TP over IPsec (also built into Windows XP and later) is the safer choice.

Page 18: Netaxess - Technical document for sify

[Diagram: L2TP/PPTP. Delhi: NA-3G-VWR (WAN 203.110.80.67, LAN 192.168.8.1 with hosts 192.168.8.2, .3, .4) acting as the LNS server. Bangalore: NA-3G-VWR (WAN 115.80.x.x, LAN 192.168.123.254) as an L2TP client over an L2TP/PPTP tunnel across the Internet. Hyderabad and Jaipur: L2TP clients using the built-in Windows XP / Vista / 7 client software, each over its own L2TP tunnel.]

6. Backup solution where a Cisco or any other router is already present. Suppose the customer has a Cisco (or any other) router with the bandwidth terminated on Ethernet or E1. If that link has a problem, all of the customer's services are affected. Often the customer cannot afford ISDN as a backup: the NT1 boxes and the call charges cost too much, and in many locations the ISP has no feasibility to provide ISDN at all. In such cases 3G can be used as the backup: the hardware costs less than ISDN, the usage charges are lower than ISDN, and the customer also gets hardware-level redundancy.

Page 19: Netaxess - Technical document for sify
Page 20: Netaxess - Technical document for sify

In the above case, if the E1 or Ethernet link goes down, all traffic is automatically routed through the 3G router. Our router supports VRRP, so the existing router and the NA-3G-VWR can share one virtual gateway address on the LAN: hosts keep their default gateway, and the 3G router takes over as VRRP master when the primary router fails. Note that plain VRRP only reacts to the master router itself failing (its advertisements stop); if the primary router stays up but its WAN link fails, VRRP does not switch unless the primary router tracks its WAN interface or upstream route and lowers its VRRP priority when that goes down, so such tracking must be configured on the existing router.

Page 21: Netaxess - Technical document for sify

7. Suppose the customer wants to terminate a VSAT or Ethernet link on the same router and use 3G as the backup. For this failover we have developed a special feature based on keep-alive. In the normal case the Ethernet port does not go down when the problem is further upstream (a fault in the ISP network, a fibre cut, and so on), so link state alone cannot trigger the failover. To cover these cases the router can be configured with an IP address that it pings at a regular interval; if the ping responses stop coming back over the Ethernet path, the router dials the 3G backup, and once that connection is up all traffic moves over 3G.
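The keep-alive failover logic in item 7 can be written down precisely. The following is an added example written for this page, not the Netaxess firmware or its configuration. It models the router's decision as a state machine over probe rounds: targets beyond the ISP's first hop are pinged out of the primary interface, the link is declared dead only after several consecutive rounds in which no target answers, and traffic is moved back only after a longer run of good rounds, so a flapping link does not bounce traffic back and forth. The two probe targets are the DNS servers from the captured Cisco configuration (4.2.2.2 and 8.8.8.8), used here only as plausible targets, and the probe results are constructed. Two points the model makes explicit: the probe must keep going out of the primary interface while 3G is active (otherwise it would succeed over 3G and the router would never fail back), and more than one target should be configured so that a single host's outage does not trigger a failover.

```python
"""Keep-alive based WAN failover as a state machine over probe rounds.
Added example for this page; not the Netaxess firmware. The probe targets are
the two DNS servers from the captured router config, assumed here to be
reachable only via the primary path; the probe results are constructed."""
from dataclasses import dataclass, field


@dataclass
class KeepaliveFailover:
    targets: tuple               # probe targets beyond the ISP's first hop
    fail_after: int = 3          # consecutive all-fail rounds before dialling 3G
    restore_after: int = 5       # consecutive good rounds before failing back
    active: str = "primary"
    bad_rounds: int = 0
    good_roun: int = 0
    transitions: list = field(default_factory=list)

    def __post_init__(self):
        self.good_rounds = self.good_roun   # counter of consecutive good rounds

    def probe_round(self, replies):
        """One round. `replies` maps target -> True if it answered a probe that
        was sent out of the primary interface (it must be forced out of that
        interface even while 3G is active, or the path is never re-tested).
        Returns the path now carrying traffic."""
        missing = [t for t in self.targets if t not in replies]
        if missing:
            raise ValueError(f"no probe result for {missing}")
        if any(replies[t] for t in self.targets):   # one reply is enough: link usable
            self.good_rounds, self.bad_rounds = self.good_rounds + 1, 0
        else:
            self.bad_rounds, self.good_rounds = self.bad_rounds + 1, 0
        if self.active == "primary" and self.bad_rounds >= self.fail_after:
            self._switch("3g", f"{self.bad_rounds} rounds without a reply")
        elif self.active == "3g" and self.good_rounds >= self.restore_after:
            self._switch("primary", f"{self.good_rounds} consecutive good rounds")
        return self.active

    def _switch(self, to, why):
        self.transitions.append((self.active, to, why))
        self.active, self.bad_rounds, self.good_rounds = to, 0, 0


def demo():
    """Constructed scenario: fibre cut, partial recovery, one flap, then
    sustained recovery. Returns the path used in each round and the transitions."""
    fo = KeepaliveFailover(targets=("4.2.2.2", "8.8.8.8"))
    up = {"4.2.2.2": True, "8.8.8.8": True}
    half = {"4.2.2.2": False, "8.8.8.8": True}     # one target down: not a link failure
    down = {"4.2.2.2": False, "8.8.8.8": False}    # nothing answers via primary
    rounds = [up, half, down, down, down, half, up, down] + [up] * 5
    path = [fo.probe_round(r) for r in rounds]
    return path, fo.transitions
```

In demo() the third consecutive all-fail round moves traffic to 3G; the half-recovered rounds and the single flap afterwards do not move it back, and only the fifth consecutive good round restores the primary path. The thresholds are the tuning knobs: a short fail_after reacts faster to a real cut but flaps more on a lossy link, and restore_after should be the longer of the two.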

Page 22: Netaxess - Technical document for sify
Page 23: Netaxess - Technical document for sify
Page 24: Netaxess - Technical document for sify

[Diagram: NA-3G-VWR (WAN 203.110.80.67; LAN 192.168.8.1 with hosts 192.168.8.2, .3, .4) with Ethernet as the primary link to the Internet and 3G wireless / CDMA as the backup.]

Page 25: Netaxess - Technical document for sify

[Diagram: the same NA-3G-VWR site with a VSAT dish added: Ethernet / VSAT as the terrestrial link and 3G wireless / CDMA as the backup, as described in item 7.]

Page 26: Netaxess - Technical document for sify

For ATM connectivity

The following security is built into the proposed solution for an ISP using CDMA technology. Since the ISP already has an LNS and AAA in its network, that infrastructure can be used to design the solution.

The LNS also acts as a firewall, and basic firewall policies can be defined on the LNS.

The remote terminal communicates directly with the host in an IP call through the customer's firewall and router. The access control list (ACL) set up on the bank's router adds to the security.

The AN-AAA user ID and AN-AAA password are authenticated at the AN-AAA in order to assign a UATI to the AT. UATI is the Unicast Access Terminal Identifier, which uniquely identifies the AT during a data call.

Page 27: Netaxess - Technical document for sify

The PPP user ID and PPP password are authenticated at the PDSN before an IP address is assigned to the AT; subnet locking is also implemented to prevent misuse of the EVDO HSD+ network.

Since the communication uses IP addresses, there is no need for TPDU handling.

The different types of authentication in the 3G (CDMA) technology that the customer can use are:

1) IS-856 air interface authentication. 2) IS-856 RAN authentication (performed by the RAN). 3) ISP authentication (between the user and the PDSN). 4) Home Agent authentication (between the user and the home agent).

IS-856 Air Interface Authentication. Air interface authentication removes the need to authenticate against the AAA servers (access authentication) every time the AT opens a connection. It works as follows. Ephemeral session key establishment: the Diffie-Hellman algorithm is used to exchange a session key. Authentication of access attempts: the AT signs its access channel packets to prove it is the true owner of the session; SHA-1 is applied to the access channel packet, the authentication key and a timestamp to generate the signature.

IS-856 RAN Authentication

Page 28: Netaxess - Technical document for sify

IS-856 RAN authentication is also called AN-AAA authentication. The AN-AAA credentials (AN-AAA username and AN-AAA password) have to be configured both in the AT and in the AN-AAA. Whenever the AT wants to establish a session, the AN-AAA requests the username and password, authenticates them using CHAP, and returns the IMSI that is configured against that username and password. ISP Authentication: ISP authentication is also called PPP authentication; the PDSN authenticates the AT before assigning it an IP address. Home Agent Authentication: the HA authenticates the registration request using the shared key between the mobile number and the home agent. (The figure showing all the Broadband+ authentications together is not reproduced in this transcript.) Hardware ID Authentication: hardware ID authentication is based on the ESN/MEID of the device. The hardware ID is unique to the user device, so this type of authentication is useful in preventing cloning.
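The CHAP step above (the AN-AAA checking the AT's username and password and returning the IMSI) is shown below as both sides of the exchange. This is an added example written for this page, not the operator's AAA software; the username, secret and IMSI are constructed values, and the AN-AAA here is a minimal in-memory authenticator. It follows RFC 1994: the authenticator sends an 8-bit identifier and a random challenge, the terminal returns MD5(identifier || secret || challenge), and the authenticator recomputes and compares. The example also shows what the protocol does and does not protect: a captured response cannot be replayed because each challenge is consumed on first use, but the secret is only as strong as it is unguessable, since anyone who captured one exchange can test candidate secrets offline at one MD5 per guess.

```python
"""CHAP exchange between an access terminal (AT) and the AN-AAA, as RFC 1994
defines it. Added example for this page; not the operator's AAA code. The
username, secret and IMSI are constructed values."""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ANAAA:
    """Authenticator: stores username -> (secret, IMSI), issues one-time challenges."""

    def __init__(self, users):
        self.users, self.pending, self.next_id = users, {}, 1

    def challenge(self, username):
        ident, chal = self.next_id, os.urandom(16)
        self.next_id = self.next_id % 255 + 1           # 8-bit identifier, 1..255
        self.pending[ident] = (username, chal)
        return ident, chal

    def verify(self, ident, response):
        """Returns the IMSI on success, None otherwise. The challenge is consumed
        on first use, so a captured response cannot be replayed."""
        username, chal = self.pending.pop(ident, (None, None))
        if username is None or username not in self.users:
            return None
        secret, imsi = self.users[username]
        expected = chap_response(ident, secret, chal)
        return imsi if hmac.compare_digest(expected, response) else None


class AccessTerminal:
    def __init__(self, username, secret):
        self.username, self.secret = username, secret

    def respond(self, ident, challenge):
        return chap_response(ident, self.secret, challenge)


def dictionary_attack(ident, challenge, response, candidates):
    """What an eavesdropper can do with one captured exchange: CHAP never sends
    the secret, but a guessable secret is recovered offline, one MD5 per guess."""
    for guess in candidates:
        if chap_response(ident, guess, challenge) == response:
            return guess
    return None


def demo():
    aaa = ANAAA({"at-001": (b"weak-pass", "404010123456789")})   # constructed user
    at = AccessTerminal("at-001", b"weak-pass")
    ident, chal = aaa.challenge(at.username)
    resp = at.respond(ident, chal)            # on the wire: ident, chal, resp
    imsi = aaa.verify(ident, resp)            # success: IMSI mapped to the user
    replay = aaa.verify(ident, resp)          # same response again: rejected
    ident2, chal2 = aaa.challenge(at.username)
    wrong = aaa.verify(ident2, AccessTerminal("at-001", b"guess").respond(ident2, chal2))
    cracked = dictionary_attack(ident, chal, resp, [b"password", b"weak-pass", b"hunter2"])
    return {"imsi": imsi, "replay": replay, "wrong_secret": wrong, "cracked": cracked}
```

demo() returns the IMSI for the genuine terminal, None for the replayed and the wrong-secret attempts, and the recovered secret from the offline guess; the last result is why the AN-AAA secret provisioned into the AT must be long and random rather than a password a user chose.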

End-to-End Security. True data protection should be implemented from data owner to data owner (for example from a remote employee's computer to the employer's server). A Broadband+ 1xRTT network protects data over the air, but once the traffic leaves the carrier's network, public networks (the Internet) carry it unprotected. Broadband+ 1xRTT security should therefore be complemented with a VPN protocol for end-to-end data protection. Qualcomm's MSM software provides direct support for SSL, and VPN client software is available for both laptops and PDAs.

Page 29: Netaxess - Technical document for sify

Now suppose the bank has already taken a VSAT link for ATM connectivity. For backup we can propose 3G, so that the link meets a 99.9% uptime target.

Page 30: Netaxess - Technical document for sify

8. For customers who want to block specific web sites, or block content based on keywords, the Netaxess router can be used.

a. Domain Filter prevents users behind this device from accessing specific domains. b. URL Blocking prevents LAN computers from connecting to predefined web addresses or URL keywords. c. Packet filtering is also available, so that communication between computer A and computer B can be prevented.
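The three filters in item 8 are simple, but a few details decide whether they work the way the customer expects. A domain filter must match whole labels from the right, so that blocking example.com also blocks www.example.com but does not block notexample.com. A URL keyword filter can only inspect plaintext HTTP: for HTTPS the path and query are inside TLS and only the host name is visible (through DNS or the TLS SNI), so a URL rule silently stops applying and only the domain filter still works. A router's packet filter only sees traffic that transits the router, so computers A and B on the same LAN segment, which talk through the switch, must be placed in different subnets or VLANs before a rule between them has any effect. The following is an added example written for this page, not the Netaxess firmware, implementing the three filters with those details handled; the block lists, host names and the 192.168.8.x and 192.168.123.x addresses (from the page's diagrams) are constructed test data.

```python
"""Domain, URL and packet filtering as a router would apply them. Added example
for this page; not the Netaxess firmware. Block lists, host names and the
192.168.8.x / 192.168.123.x addresses (from the page's diagrams) are
constructed test data."""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


class DomainFilter:
    """Blocks a domain and all of its subdomains by whole-label suffix match."""

    def __init__(self, blocked):
        self.blocked = {d.lower().strip(".") for d in blocked}

    def is_blocked(self, host):
        labels = host.lower().rstrip(".").split(".")
        # whole labels only: "notexample.com" must not match "example.com"
        return any(".".join(labels[i:]) in self.blocked for i in range(len(labels)))


class URLFilter:
    """Blocks requests whose path or query contains a configured keyword."""

    def __init__(self, keywords):
        self.keywords = [k.lower() for k in keywords]

    def is_blocked(self, path_and_query):
        s = path_and_query.lower()
        return any(k in s for k in self.keywords)


def check_request(url, domains, urls):
    """Decision for one request, limited to what the router can actually see."""
    u = urlsplit(url)
    if domains.is_blocked(u.hostname or ""):
        return "block:domain"            # host is visible for HTTP and HTTPS (DNS, SNI)
    if u.scheme == "https":
        return "allow:url-not-visible"   # path/query are inside TLS; keyword rule cannot apply
    if urls.is_blocked(u.path + ("?" + u.query if u.query else "")):
        return "block:url"
    return "allow"


class PacketFilter:
    """First-match rule list. Only traffic that transits the router is seen: two
    hosts on the same LAN segment talk through the switch and bypass it."""

    def __init__(self, rules, default="permit"):
        self.rules = [(a, ip_network(s), ip_network(d), p) for a, s, d, p in rules]
        self.default = default

    def decide(self, src, dst, proto):
        s, d = ip_address(src), ip_address(dst)
        for action, src_net, dst_net, p in self.rules:
            if s in src_net and d in dst_net and p in ("any", proto):
                return action
        return self.default


def demo():
    domains = DomainFilter(["example.com", "social.example"])
    urls = URLFilter(["/games/", "torrent"])
    # Host A (192.168.8.2) must not talk to the Bangalore LAN, in either direction.
    pf = PacketFilter([("deny", "192.168.8.2/32", "192.168.123.0/24", "any"),
                       ("deny", "192.168.123.0/24", "192.168.8.2/32", "any")])
    return {
        "subdomain": check_request("http://www.example.com/index.html", domains, urls),
        "lookalike": check_request("http://notexample.com/", domains, urls),
        "keyword": check_request("http://news.test/games/today", domains, urls),
        "https": check_request("https://news.test/games/today", domains, urls),
        "a_to_blr": pf.decide("192.168.8.2", "192.168.123.10", "tcp"),
        "b_to_blr": pf.decide("192.168.8.3", "192.168.123.10", "tcp"),
    }
```

In demo() the subdomain is blocked by the domain rule, the look-alike domain is allowed, the keyword rule blocks the HTTP request but cannot see the same path over HTTPS, and the packet filter denies host A's traffic towards the Bangalore LAN while host B's traffic passes. The "allow:url-not-visible" result is the one to watch in practice: if the customer expects keyword blocking on HTTPS sites, only a domain rule (or a TLS-intercepting proxy, which this router does not provide) can deliver it.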