MIZAN-TEPI UNIVERSITY, TEPI CAMPUS
COLLEGE OF ENGINEERING AND TECHNOLOGY
DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING
COMPUTER STREAM
INTERNSHIP REPORT
Hosting company: Jimma university ICT center
Student name ID NO
1. Abduselam Ali …………………………………………………ETR/0031/11
Advisor: Mr. Tamiru Demelash
Submission date: February, 2015
DECLARATION
We have undertaken our internship experience in the JU ICT center; we are 5th year Electrical
Engineering students at Mizan-Tepi University, for a period of four months from October to the end
of January, under the guidance of Mr. Tamiru Demelash (Academic advisor) and Mr. Dawit
Mekonnin (Company Advisor). We certify that our work is original and compiled according to
the internship report writing guideline given by the Industry Linkage office of the university.
This report has not been previously submitted to any other university, college or organization for
an academic qualification, certificate, diploma or degree. We hereby warrant that the work we
have presented does not breach any existing copyright. We also confirm that the report is only
prepared for our academic requirement.
Name of student Signature Date
1. Abduselam Ali ___________ ___________
This is to certify that the above declaration made by the candidate is correct to the best of his
knowledge.
Name of the center advisors Signature Date
1. Mr. Dawit Mekonnin _____________ ___________
Name of Academic advisors Signature Date
1. Mr. Tamiru Demelash _____________ ____________
May 15, 2015 ii
ACKNOWLEDGMENT
First of all, we would like to thank the Almighty God for giving us the strength and motivation to
complete the entire work. Our first expression of gratitude goes to Mr. Tamiru Demelash, our
internship advisor; he gave his full support and advice and guided us. We would also like to
thank Mr. Niguse Mehari (technical manager of the center) for his relevant information about
the working activities which are carried out in the company. And we owe our endless thanks to
Mr. Dawit Mekonnin for his best follow-up and for giving all necessary information from the start
to the end of our internship program. Secondly, we would like to thank all JU Cisco Networking
Academy managers and workers for allowing us to use the Cisco computer labs. We also thank all
network maintenance operators and helpers for their continued advice and assistance on how to
improve our practical skills, how to perform our work tasks and how to solve challenges.
EXECUTIVE SUMMARY
During our stay in the JU ICT center, in the first four weeks we started to look at the whole working
process of the center, as well as the network installation materials and devices that are used in the
center, and some devices used in network security like firewalls. Our final internship report contains
all the necessary information about the work experience that we gained in the JU ICT center.
The first part describes the background of the hosting company and includes its brief history.
The ICT center is one of the necessary and basic centers for the development of the country. We spent
four months of the internship program in this company performing various activities. Basically,
this report focuses on the network infrastructure, network installation, virtual machines and detailed
explanations of network security protection. We also tried to observe routing.
TABLE OF CONTENTS
DECLARATION.......................................................................................................................................ii
ACKNOWLEDGMENT..........................................................................................................................iii
EXECUTIVE SUMMARY.......................................................................................................................iv
LIST OF ABBREVIATIONS.................................................................................................................viii
LIST OF FIGURES....................................................................................................................................xi
CHAPTER ONE........................................................................................................................................1
1. BACKGROUND OF THE HOSTING COMPANY...........................................................................1
1.1. Introduction....................................................................................................................................1
1.2. Mission, vision, and goal of Jimma University ICT.....................................................................3
1.2.1. Mission......................................................................................................................................3
1.2.2. Vision........................................................................................................................................3
1.2.3. Goal...........................................................................................................................................3
1.3. Objectives........................................................................................................................................3
1.3.1. General objectives....................................................................................................................3
1.3.2. Specific objectives....................................................................................................................3
1.4. Services and productions under Jimma University ICT..............................................................3
1.4.1. Highly available and secure internet service..........................................................................3
1.4.2. E-mail Services.........................................................................................................................4
1.4.3. Surveillance Cameras..............................................................................................................4
1.4.4. IP Telephony Service...............................................................................................................4
1.4.5. Automated Registrar System..................................................................................................5
1.4.6. Hospital Automation System...................................................................................................5
1.4.7. Video Conferencing Service....................................................................................................5
1.4.8. Smart Classrooms....................................................................................................................5
1.4.9. E-Learning...............................................................................................................................5
1.4.10. Main Customers or End-users..............................................................................................5
CHAPTER TWO.......................................................................................................................................6
2. Overall Internship Experience.............................................................................................................6
2.1. Section of the company that we have been working in.................................................6
2.2. Network architecture of University of Jimma overview..............................................................6
2.3. The work flow of University of Jimma networking section.........................................................6
2.4. Transmission media........................................................................................................................6
2.4.1. UTP cable.................................................................................................................................6
2.4.2. Fiber optic cable (single-mode and multi-mode)...................................................................7
2.5. Tasks we have been executing........................................................................................................9
2.6. JU– ICT directorate network section comprises three layers...................................................10
2.6.1. Core layer...............................................................................................................................10
2.6.2. Distribution layer...................................................................................................................11
2.6.3. Access layer............................................................................................................................11
2.7. DMZ...............................................................................................................................................12
2.8. Cisco Web Security Appliance (Iron port c370 or proxy server)..............................................12
2.9. Email security appliance (Iron port c370 or proxy server).......................................................13
2.10. Firewall Installation....................................................................................................................13
2.10.1. Packet Filter.........................................................................................................................14
2.10.2. Application Gateway...........................................................................................................14
2.10.3. Circuit-Level Gateway.........................................................................................................14
2.10.4. Proxy Server.........................................................................................................................14
2.11. TCP and UDP.............................................................................................................................19
2.12. ICMP...........................................................................................................................................20
2.13. IPv6..............................................................................................................................................20
2.14. Firewall Policy.............................................................................................................................22
2.15. Virtual Machines Installation....................................................................................................22
2.16. Router..........................................................................................................................................27
2.17. Gateways.....................................................................................................................................31
2.18. Routing and Routing Protocols..................................................................................................33
2.18.1. Static Routes.........................................................................................................................34
2.18.2. Dynamic Routes...................................................................................................................34
2.19. WAN VSS....................................................................................................................................34
2.20. Virtual Switching System...........................................................................................................34
2.21. Virtual LAN Concepts................................................................................................................35
2.21.1. VLAN characteristics..........................................................................................................36
2.22. Network Address Translation....................................................................................................36
2.23. Methodology................................................................................................................................36
2.24. Results and Conclusion..............................................................................................................37
CHAPTER THREE.................................................................................................................................39
3. Over All Benefits We Gained From Internship.................................................................................39
3.1. Introduction..................................................................................................................................39
3.2. The theoretical knowledge gained...............................................................................................39
3.3. Practical knowledge gained..........................................................................................................39
3.4. Inter personal communication skill.............................................................................................40
3.5. Team playing skill.........................................................................................................................40
3.6. Leadership skill.............................................................................................................................41
3.7. Benefit we gained in terms of understanding work ethics.........................................................41
CHAPTER FOUR...................................................................................................................................42
4. Conclusion and Recommendation......................................................................................................42
4.1. Conclusion.....................................................................................................................................42
4.2. Recommendation..........................................................................................................................43
4.2.1. Recommendation for the company.......................................................................................43
REFERENCES..........................................................................................................................................44
LIST OF ABBREVIATIONS
JU Jimma university
ICT Information and Communication Technology
FM Frequency Modulation
CBE Computer Based Education
CCNA Cisco Certified Network Associate
MIS Management Information System
DDO Drawing and Disbursing Officer
CSM Cisco system Manager
LMS LAN Management System
QOS Quality of Service
QPM QOS Policy Management
ACS Access Control System
LAN Local Area Network
WCS Wireless Controller System
WLC Wireless LAN Controller
DCNM Data Center Network Manager
MSA Management Security Appliance
MARS Monitoring Analysis System Response
UCS Unified Computing System
APC Auto Power Control
UPS Uninterruptible Power Supply
KVA Kilo Volt Per-Ampere
ID Identification
LCD Liquid Crystal Display
JUCAVM JU College of Animal Science and Veterinary Medicine
UTP Unshielded Twisted Pair Cable
NIC Network Interface Card
RJ Registered Jack 45
SMF Single Mode Fiber
LED Light Emitting Diode
VLAN Virtual Local Area Network
STP Spanning Tree Protocol
IP Internet Protocol
HA High Availability
POE Power over Ethernet
WLAN Wireless Local Area Network
DMZ Demilitarized Management Zone
DNS Domain Name System
WSA Web Security Appliance
TCP Transmission Control Protocol
FTP File Transfer Protocol
IT Information Technology
ADSL Asymmetric Digital Subscribe Line
NAT Network Address Translation
VPN Virtual Private network
DHCP Dynamic Host Configuration Protocol
UDP User Datagram Protocol
SMTP Simple Mail Transfer Protocol
CMP Certified Management Protocol
RFC Request for Comments
ISASTAP Intra Site Automatic Tunneling Address Protocol
ISP Internet Service Protocol
OS Operating System
VM Virtual Machine
PC Personal Computer
BSD Berkeley Software Distribution
XP Experience
DOS Disk Operating System
CPU Central Processing System
RAM Random Access Memory
ROM Read Only Memory
ISDN Integrated Service Digital Network
DSL Digital Subscriber Line
MAC Media Access Control
PPP Point-to-Point Protocol
VSS Virtual Switching System
UTP User Transmission Protocol
HDLC High Level Data Link Control
L2 Layer2
L3 Layer3
LIST OF FIGURES
Figure 2.1. Single-mode fiber.........................................................................................................8
Figure 2.2. Multi-mode fiber..........................................................................................................9
Figure 2.3. Firewall with a DMZ...................................................................................................17
Figure 2.4. Simple Routed Network with Firewall Device...........................................................18
Figure 2.5.virtual machine.............................................................................................................24
Figure 2.6. Ubuntu Guest OS Installation in Progress...................................................................25
Figure 2.7. Ubuntu Installation Done............................................................................................26
Figure 2.8. Router interfaces logical representation......................................................................30
Figure 2.9.Router interfaces physical representation....................................................................31
Figure 2.10. Configuration of basic router parameters..................................................................32
Figure 2.11. Router interface configuration..................................................................................33
CHAPTER ONE
1. BACKGROUND OF THE HOSTING COMPANY
1.1. Introduction
Jimma University is a public research university located in Jimma, Oromia, Ethiopia. JU is
recognized as the leading national university; it was ranked first by the Federal Ministry of
Education for four successive years (2009 - 2012). The establishment of JU dates back to 1952,
when Jimma College of Agriculture was founded. JU got its current name in December 1999
following the amalgamation of Jimma College of Agriculture, founded in 1952, and Jimma
Institute of Health Sciences, founded in 1983. JU is located in the city of Jimma, situated
around 352 kilometers southwest of Addis Ababa. JU's grounds cover some 167 hectares. JU is
Ethiopia's first innovative community-oriented educational institution of higher learning, with
teaching centers for health care students in JU, Omo Nada, Shebe, Agaro, and Asendabo. JU is a
pioneer in public health training. JU has academic and scientific collaboration with numerous
national and international partners. JU also publishes the biannual Ethiopian Journal of Health
Sciences, and launched the JU Journal of Law in October 2007. JU is one of the largest and most
comprehensive public research universities in Africa. JU has more than 4,000 faculty and
staff members. JU also has twelve research facilities, a modern hospital, a community school, a
community radio station (FM 102.0), an ICT center, libraries and revenue generating enterprises.
JU is operating on four campuses and is in the phase of establishing its fifth campus at
Agaro. Currently, JU educates more than 43,000 students in 56 undergraduate and 103
postgraduate programs in regular, summer and distance education, with more enrollments expected
in the years to come. JU has many national and international linkages and collaborations in the
areas of research, education and community service. JU's innovative educational philosophy, staff
commitment and motivation, and the availability of better research facilities have helped JU in
attracting both national and international partners. JU is highly committed to pioneering
concepts, as reflected in its motto; JU was initially founded on the concept of
Community Based Education (CBE). Throughout its history, JU has been committed to this scheme,
and almost all of the academic curriculum is based on CBE programs. JU is the first university
in Africa to have established an exclusive office under the President's office to supervise all
innovative programs across JU. Currently the university consists of:
The College of Medicine and Health Sciences
The Faculties of Agriculture and Veterinary Medicine
Business and Economics, Social Sciences and Humanities
Natural and Computational Sciences, Schools of law, Technology and Education
Nowadays one of the backbones of a college is ICT, because we are in the era of technology, so
JU established an ICT center to ease all services of the college. When JU started to integrate ICT
into its system, the JU Information Communication Technology Development Director Office
established the Computer Center to handle issues related to ICT. Ever since its establishment, the
Computer Center has been working closely with different sections of the university to create
awareness of ICT, to introduce new technologies into the university and, most importantly, to help
students acquire the basic computer skills that are required in the market. These services have been
evolving with the growth of the university to incorporate additional tasks. For a long time, the
major task of the Computer Center had been creating a conducive environment for ICT related
courses by providing computer labs and relevant software and hardware support. However, in
recent years the involvement of the Computer Center in course offerings has been significantly
reduced, since most of the faculties have established their own computer laboratories. The other
area in which the Computer Center is involved is providing short-term trainings to the university
community [1]. The Cisco Networking Academy hosted by the university to provide the Cisco
Certified Network Associate (CCNA) course is also temporarily under the supervision of the
Computer Center. Recently, the main focus of the Computer Center has shifted to the newly built
campus-wide network of the university. From the conception to the implementation of the network
infrastructure, the Computer Center has been enthusiastically participating in every activity. In
fact, the network project was under the direct supervision of the Computer Center from the
beginning. However, after the implementation, the relationship between the network services and
the Computer Center has become vague. Apart from these activities, the Computer Center is highly
involved in developing specifications for purchase orders of computers and accessories,
troubleshooting and maintenance of equipment, and purchase of software required for
academic and administrative tasks. The strategic plan of the university states that the future
academic and administrative tasks of the university highly depend on the effective utilization of
ICT infrastructure and services. Management Information Systems (MIS) will be implemented
to take the administration of the university to a higher level. The requirements of the academic
wing are also expected to increase, to integrate e-learning with the classical teaching-learning
process in the near future. Generally, the background of JU and the way it has come to be ranked
today is a strong motivation for others.
1.2. Mission, vision, and goal of Jimma University ICT
1.2.1. Mission
Develop state-of-the-art ICT infrastructure and provide superior quality services whereby the
teaching, research, and administrative activities of the university are carried out by utilizing the
resources and services efficiently and effectively
1.2.2. Vision
Make JU a high-tech university, which integrates ICT in all aspects of its activities
1.2.3. Goal
Ensure that ICT is fully integrated into planning and implementation of the University mission
in order to speed up and improve quality of activities of JU
1.3. Objectives
1.3.1. General objectives
Develop world class ICT infrastructure which is capable of providing multitudes of services
that significantly improve the teaching, research and administrative activities
Build the capacity of potential users of ICT resources so that they will make the most out of
the resources
Retain competent, highly qualified and innovative ICT professionals that maintain the existing
resources and plan for future expansions
1.3.2. Specific objectives
Develop high quality computer software
Provide a system of reliable support for users of ICT resources
Provide a standard for procurement of ICT resources and/or services
Consult higher decision making bodies in ICT and related issues
Carry out researches in ICT
1.4. Services and productions under Jimma University ICT
1.4.1. Highly available and secure internet service
The connection is secured with redundant firewalls and redundant IronPort Web Security
Appliances, which are continuously monitored.
1.4.2. E-mail Services
The university has its own mail server with the domain name ju.edu.et. Currently, there are more
than 600 employees of the university who are using the e-mail service, and the number of users
is growing. The university web mail can be accessed through http://mail.ju.edu.et
Official website of JU: Among the several services that the ICT DDO runs and maintains, the JU
official website is one of the most important ones. Thus, at the moment a series of
improvements are being made to the official website based on important user comments. The
official website of JU can be accessed through http://www.ju.edu.et/ and it is easy to access.
1.4.3. Surveillance Cameras
The data center is controlled by the installed surveillance cameras. The access door of the
data center, which requires a card and a fingerprint to be opened, is also worth mentioning. All the
above services are meticulously looked after by our monitoring and management servers.
These include Cisco Security Manager (CSM), LAN Management System (LMS), QOS Policy
Manager (QPM), Monitoring Analysis System Response (MARS), Cisco Access Control System
(ACS) for the LAN and security devices, IronPort Management Security Appliance (MSA) for
managing the WSAs and ESAs, Cisco Wireless LAN Controller (WLC) and Wireless Control
System (WCS) for managing the wireless network, and Data Center Network Manager (DCNM), Cisco
Unified Computing System Manager (UCS), VMware vCenter Server, and NetApp's OnCommand
System Manager for managing our data center services. The main data center is
supplied with redundant 100 KVA APC UPSs and a dedicated 200 KVA generator, which ensures
24/7 service delivery. The data center is also monitored and managed for out-of-range
environmental conditions by different environmental sensors, such as smoke sensors, water sensors
and temperature sensors, that alert the administrator to take action.
1.4.4. IP Telephony Service
A VoIP phone or IP phone uses Voice over IP technologies for placing and transmitting telephone
calls over an IP network. VoIP phones can be simple software-based softphones or purpose-built
hardware devices that look much like an ordinary telephone or a cordless phone. The Alcatel
VoIP phone used in JU has many features that an analog phone doesn't support,
such as e-mail-like IDs for contacts that may be easier to remember than names or phone
numbers, or easy sharing of contact lists among multiple accounts. The Alcatel VoIP phone in
JU has two interfaces, the outgoing interface and the interface inside the LAN. Calls placed
on the outgoing interface are charged, because the outgoing interface is monitored by Tele,
not by the JU LAN system administrator. The system administrator can administer only the
service inside the LAN.
1.4.5. Automated Registrar System
This is a distributed software system that handles students' records. The server, maintained by
the office of the registrar, is connected to client machines that are scattered across the university
through the university network.
1.4.6. Hospital Automation System
This service automates the services that the hospital provides. Although it is at its infant stage, it
is expected to replace the manual system once fully implemented.
1.4.7. Video Conferencing Service
To supplement the six videoconferencing terminals that Ministry of Education provided, JU has
acquired a full set of videoconferencing equipment, including five terminals. The newly acquired
videoconferencing units were tested by broadcasting live the 2009 graduation ceremony of the
university to families of the graduates within the campus.
1.4.8. Smart Classrooms
The smart classrooms are equipped with multimedia teaching facilities such as LCD projectors
and computers at JUCAVM, so that lecturers can use their lecture notes saved on memory sticks. The
future of the classrooms includes connecting them to the computer network so that lecturers can
supplement their lectures with resources from the Internet and the university servers.
1.4.9. E-Learning
JU E-learning coordinating office is one of the offices established under the auspices of Vice
President for Academic affairs office to promote and support excellence in teaching and to
enhance the quality of education.
1.4.10. Main Customers or End-users
The customers of Jimma University fall into different groups of actors linked to the educational
process, the main ones being current students, potential students, employees,
employers, government and industry. These customers are classified as internal and
external.
CHAPTER TWO
2. Overall Internship Experience
2.1. Section of the company that we have been working in
We have been doing our internship program in the University of Jimma ICT development office,
specifically in the network infrastructure and security team at the main campus.
2.2. Network architecture of University of Jimma overview
The building block components of the JU network architecture are based on the recommended Cisco
hierarchical model, which is a layered approach to network design with an access layer, a distribution
layer and a core layer. The principal advantages of this model are its hierarchical structure and its
modularity.
2.3. The work flow of University of Jimma networking section
Jimma University strives to put in place a management system that is democratic, honest,
inspiring, transparent, and highly participatory. The University has two core processes and five
support processes. The major focus of the management in terms of governance and management
includes improving efficiency in major administration areas such as budget utilization,
business process (procurement, finance, registrar etc.) efficiency and the decision making system, in
a transparent manner. IT-supported decision making is one of the areas under governance and
management to which JU will give special attention. The ICT development office also has five
divisions, each of which performs different tasks.
2.4. Transmission media
There are two types of transmission medium:
Wired
Wireless
There are two common types of cable media that can be used to connect devices to a
network:
2.4.1. UTP cable
Unshielded twisted-pair (UTP) cable is the most common networking media. UTP consists of
four pairs of thin copper wires covered in color-coded plastic insulation that are twisted
together. The wire pairs are then covered with a plastic outer jacket.
UTP cables are of small diameter and do not need grounding. Since there is no shielding in
UTP cabling, it relies only on the cancellation effect of the twisted pairs to limit noise. The connector
used on a UTP cable is called an RJ-45 (Registered Jack 45) connector. One end of the UTP
cable, with RJ-45 plugs attached, is plugged into the computer's Ethernet NIC port, and the other end
is plugged into the wall mount plate with a female RJ-45 port (receptacle). From the wall mount RJ-45
female receptacle, UTP cable is wired to the Local Area Network (LAN)
switches. UTP cabling has different categories. Each category of UTP cabling was designed for a
specific type of communication or transfer rate. The most popular categories in use today are 5e
and 6, which can reach transfer rates of over 1000 Mbps (1 Gbps). UTP
cables support a maximum distance of 100 meters (from NIC port to switch port) without
signal distortion.
2.4.2. Fiber optic cable (single-mode and multi-mode)
2.4.2.1. Single-mode fiber
In fiber-optic communication, a single-mode optical fiber (SMF) is an optical fiber designed to
carry light only directly down the fiber, in a single transverse mode. Single-mode fiber is
generally yellow, with a blue connector, and has a longer transmission distance, as shown in
figure 2.1. Single-mode fiber cable works better for longer distances. In multi-mode fiber the
light travels different paths, so the longer the cable, the more distortion is caused by the
different paths arriving at the receiving end at slightly different times. Single-mode fibers are
therefore better at retaining the fidelity of each light pulse over longer distances than
multi-mode fibers. For these reasons, single-mode fibers can have a higher bandwidth than
multi-mode fibers. Equipment for single-mode fiber is more expensive than equipment for
multi-mode optical fiber.
Figure 2.1. Single-mode fiber
2.4.2.2. Multi-mode fiber
The term “multimode” refers to the fact that the light takes multiple paths (modes) through the
glass fiber core, as opposed to “single-mode”, where the light takes a single path. Because the
light travels different paths, the longer the cable, the more distortion is caused by the different
paths arriving at the receiving end at slightly different times. Multi-mode fiber is generally
orange or grey, with a cream or black connector, and has a shorter transmission distance
(figure 2.2). Multi-mode cables have a larger-diameter glass core than single-mode cables, are
typically used for shorter distances and/or lower speeds, and operate from less expensive light
sources. The light sent through multi-mode cables may be driven by an LED or a laser operating at
850 or 1300 nm wavelength.
Figure 2.2. Multi-mode fiber
2.5. Tasks we have been executing
After we had understood the organizational structure and environment of the company and
observed its network infrastructure, we discussed with our supervisor, Mr. Dawit Mekonnin, what
we expected to gain from our internship program at the Jimma University ICT center. We were
assigned to the networking and security section, because we were interested in working on
networking and security. Some of the daily tasks we executed in the networking and security
section are as follows:
· Visiting the whole network architecture
· Visiting the security camera control room
· Installation of virtual machines and operating systems (Ubuntu)
· Installation of software firewalls
· Configuration of hardware firewalls
· Viewing indoor and outdoor wireless access points
· Visiting the data center
· Configuring switches and creating VLANs
· Configuring routers
· Installing wireless networks
2.6. JU ICT directorate network section comprises three layers
These are:
1. Core layer
2. Distribution layer
3. Access layer
2.6.1. Core layer
In a typical hierarchical model, the individual building blocks are interconnected using a core
layer. The core serves as the backbone for the network. The core needs to be fast and extremely
resilient because every building block depends on it for connectivity. Current hardware
accelerated systems have the potential to deliver complex services at wire speed. However, in the
core of the network a “less is more” approach should be taken. A minimal configuration in the
core reduces configuration complexity limiting the possibility for operational error. Although it
is possible to achieve redundancy with a fully-meshed or highly-meshed topology, that type of
design does not provide consistent convergence if a link or node fails. Also, peering and
adjacency issues exist with a fully-meshed design, making routing complex to configure and
difficult to scale. In addition, the high port count adds unnecessary cost and increases complexity
as the network grows or changes. The following are some of the other key design issues to keep
in mind:
· Design the core layer as a high-speed, Layer 3 (L3) switching environment utilizing only
hardware-accelerated services. Layer 3 core designs are superior to Layer 2 and other alternatives
because they provide faster convergence around a link or node failure, increased scalability
(because neighbor relationships and meshing are reduced) and more efficient bandwidth utilization.
· Use redundant point-to-point L3 interconnections in the core (triangles, not squares) wherever
possible, because this design yields the fastest and most deterministic convergence results.
· Avoid L2 loops and the complexity of L2 redundancy, such as Spanning Tree Protocol (STP)
and indirect failure detection for L3 building block peers.
2.6.2. Distribution layer
The distribution layer aggregates nodes from the access layer, protecting the core from high-
density peering. Additionally, the distribution layer creates a fault boundary providing a logical
isolation point in the event of a failure originating in the access layer [2]. Typically deployed as
a pair of L3 switches, the distribution layer uses L3 switching for its connectivity to the core of
the network and L2 services for its connectivity to the access layer. Load balancing, Quality of
Service (QoS), and ease of provisioning are key considerations for the distribution layer. High
availability in the distribution layer is provided through dual equal-cost paths from the
distribution layer to the core and from the access layer to the distribution layer. This results in
fast, deterministic convergence in the event of a link or node failure. When redundant paths are
present, failover depends primarily on hardware link failure detection instead of timer-based
software failure detection. Convergence based on these functions, which are implemented in
hardware, is the most deterministic.
2.6.3. Access layer
The access layer is the first point of entry into the network for edge devices, end stations, and IP
phones. The switches in the access layer are connected to two separate distribution layer
switches for redundancy. If the connection between the distribution layer switches is an L3
connection, then there are no loops and all uplinks actively forward traffic. A robust access layer
provides the following key features:
· High availability (HA) supported by many hardware and software attributes
· Inline Power over Ethernet (PoE) for IP telephony and wireless access points, allowing
customers to converge voice onto their data network and providing roaming WLAN access for
users
· Foundation services
The hardware and software attributes of the access layer that support high availability include
the following:
· Operating system high-availability features, such as link aggregation, which provides higher
effective bandwidth while reducing complexity
· Prioritization of mission-critical network traffic using QoS
· Efficient network and bandwidth management using software features such as Internet Group
Management Protocol (IGMP) snooping. IGMP snooping helps control multicast packet flooding
for multicast applications
2.7. DMZ
In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that
contains and exposes an organization's external-facing services to a larger and untrusted network,
usually the Internet [3]. The purpose of a DMZ is to add an additional layer of security to an
organization's local area network (LAN): an external network node only has direct access to
equipment in the DMZ, rather than to any other part of the network. The e-mail, video conference,
web and Domain Name System (DNS) servers are in the DMZ, because they must be reachable from
(advertised to) the outside network, the Internet. Communication between hosts in the JU DMZ
and the external network is also restricted, to make the DMZ more secure than the Internet
and suitable for housing these special-purpose services. This allows hosts in the JU DMZ to
communicate with both the internal and the external network, while an intervening firewall
controls the traffic between the DMZ servers and the internal network clients, and another
firewall performs some level of control to protect the DMZ from the external network. A DMZ
configuration provides security from external attacks, but it typically has no bearing on internal
attacks such as sniffing communication via a packet analyzer or spoofing such as e-mail
spoofing. A highly monitored “militarized zone” comprises mostly web servers (and similar
servers that interface to the external world, i.e. the Internet) that are not in the DMZ but
contain sensitive information about accessing servers within the LAN. The JU LAN has an internal
security system with a proxy server (IronPort) that supports layer 7 (application layer) services.
The Cisco Web Security Appliance and Email Security Appliance are the JU proxy servers used for
web and email security.
2.8. Cisco Web Security Appliance (IronPort C370 or proxy server)
The Cisco Web Security Appliance (WSA) is the first secure web gateway to combine advanced
malware protection, application visibility and control, acceptable use policy controls, and secure
mobility on a single platform, helping organizations address the growing challenges of securing
and controlling web traffic. Flexible deployment options and integration with the existing
security infrastructure help customers meet demanding service needs. Cisco IronPort provides a
24x7 view into global traffic activity to analyze anomalies, uncover new threats, and monitor
traffic trends. IronPort defends against malware and advanced persistent threats using multiple
layers of anti-malware technologies.
2.9. Email Security Appliance (IronPort C370 or proxy server)
Cisco IronPort email products are high-performance, easy-to-use, and technically innovative
solutions designed to secure organizations of all sizes. Built for security and deployed at the
gateway to protect the JU networks, these products enable a powerful perimeter defense.
Email-borne threats consist of virus attacks, distributed denial-of-service attacks and data loss.
The Cisco IronPort C370 (Email Security Appliance) incorporates preventive and reactive
security measures that are easy to deploy and manage [4]. Cisco IronPort technology enables
organizations to improve their security and transparently protect users from the latest Internet
threats. The Cisco IronPort C370 contains a powerful multi-layered approach to email security,
providing advanced threat prevention, blocking viruses, and enabling corporate data loss
prevention. It gives the following advantages:
· Virus protection
· Data loss prevention
· Email encryption
· Reduced administrative burden
· Increased end-user productivity
· Improved network efficiency
· Reputation filters
2.10. Firewall Installation
A firewall is a system or group of systems that enforces an access control (allow or deny) policy.
The firewall filters all the packets of data that go in and out of the JU network and blocks them
or allows them to continue to their destination. For example, you can configure a firewall to
allow only email to enter the JU network, thus shielding JU from any attacks except those via
email. A firewall is typically a separate computer or device on the network that sits between the
private network in JU and the external Internet connection. This way, someone who successfully
breaks into the private network must still go through a separate level of security to get to its
files. A firewall often includes or works alongside a proxy server. A proxy server is a computer
that also sits between computers on the JU network and the Internet. It allows JU to ensure
security and administrative control (amongst other things), so that information on the JU network
can be hidden from the outside world. A firewall also acts as the concentrator for JU's Internet
access. Since all traffic goes through one place, you can produce detailed logs of who tried to
access your network, what traffic went where, and much more. Firewalls come in many different
types, but they will always have one or two of the following items:
2.10.1. Packet Filter
This technique looks at each packet entering or leaving a network, accepting or rejecting it based
on established rules. Packet filtering is fairly effective and transparent to users; however, it is
often difficult to configure. It is also vulnerable to denial-of-service attacks, which featured
prominently in the attacks on eBay, Yahoo, Microsoft and others (during which these
websites were forced to temporarily close due to deliberate malicious activity from an external
source via the Internet).
2.10.2. Application Gateway
This method is used for specific applications, such as FTP and telnet. This can allow for a secure
connection to these relatively insecure services but the performance typically suffers.
2.10.3. Circuit-Level Gateway
This is also used for specific applications, such as TCP. Once a connection has been established,
packets can flow between the hosts without further checking.
2.10.4. Proxy Server
This method intercepts all messages entering and leaving a network. The proxy server hides the
network's true address giving out a phoney one to anyone who might want to know. A firewall is
only your first line of defense. If the rest of your network is insecure, a firewall breach will be
disastrous. Network security is a tricky business, and you need to be diligent in keeping your
entire network secure. No network is safe if the entire system isn't safe. Your security policy
needs to take into consideration employees, physical systems (doors) and waste paper, amongst
many other things. A locked door means nothing if the window is wide open. The first thing you
need to think about is your overall security policy. This may sound suspiciously like planning,
but if you don't have a strong security policy, your firewall will be an interesting experiment, but
not much more. A security policy will take into account your entire system causing you to think
about how long your passwords are in place before they must be changed, who has the keys to
the server, and your own paranoia level. Pay special attention to the level of security and the
effect on usability. The more secure a system is, the more often the users are required to
remember multiple passwords or to change their passwords, making the system more
cumbersome to use. After you have worked that out, you want to think specifically about the
firewall. A firewall policy will answer the following questions:
· What type of traffic do you want to allow? (e.g. do you want to restrict access to certain
websites? Do you want to allow only email and web access, or do you need services such as FTP,
for example to upload web pages to your website or to download software?)
· Is your firewall just there for queuing traffic and monitoring, or do you want to restrict
everything but web traffic?
· What are the risks associated with these things?
· Is security more important than usability, or vice versa?
We now have an idea of what a firewall is, but what kind of firewall does our network need?
The firewall needs to have a mixture of the best characteristics of all the kinds of firewalls that
exist at the time. It would be better if the firewall were hardware designed specifically to be a
firewall (an appliance) with its own proprietary software. All these additional characteristics
will give our firewall better performance, and better still if our firewall also has IDS
characteristics. An IDS is an Intrusion Detection System. An IDS raises alarms on unexpected
behavior of network traffic relative to standard protocol behavior: a change in the behavior of a
given protocol activates an alarm, and an action is taken by the IDS.
Many hardware firewall devices have a feature called DMZs, an acronym related to the
demilitarized zones that are sometimes set up between warring countries. While no single
technical definition exists for firewall DMZs, they are usually interfaces on a routing firewall
that are similar to the interfaces found on the firewall’s protected side. The major difference is
that traffic moving between the DMZ and other interfaces on the protected side of the firewall
still goes through the firewall and can have firewall protection policies applied. DMZs are
sometimes useful for organizations that have hosts that need to have all traffic destined for the
host bypass some of the firewall’s policies (for example, because the DMZ hosts are sufficiently
hardened), but traffic coming from the hosts to other systems on the organization’s network need
to go through the firewall. It is common to put public-facing servers, such as web and email
servers, on the DMZ. An example of this is shown in Figure 2.3, a simple network layout of a
firewall with a DMZ. Traffic from the Internet goes into the firewall and is routed to systems on
the firewall’s protected side or to systems on the DMZ. Traffic between systems on the DMZ
and systems on the protected network goes through the firewall, and can have firewall policies
applied. Most network architectures are hierarchical, meaning that a single path from an outside
network splits into multiple paths on the inside network and it is generally most efficient to place
a firewall at the node where the paths split. This has the advantage of positioning the firewall
where there is no question as to what is “outside” and what is “inside.” However, there may be
reasons to have additional firewalls on the inside of the network, such as to protect one set of
computers from another. If a network’s architecture is not hierarchical, the same firewall policies
should be used on all ingresses to the network. In many organizations, there is only supposed to
be one ingress to the network, but other ingresses are set up on an ad-hoc basis, often in ways
that are not allowed by overall policy. In these situations, if a properly configured firewall is not
placed at each entry point, malicious traffic that would normally be blocked by the main ingress
can enter the network by other means. The diagram in Figure 2.4 shows a single firewall;
however, many implementations use multiple firewalls. Some vendors sell high availability (HA)
firewalls, which allow one firewall to take over for another if the first firewall fails or is taken
offline for maintenance. HA firewalls are deployed in pairs at the same spot in the network
topology so that they both have the same external and internal connections. While HA firewalls
can increase reliability, they can also introduce some problems, such as the need to combine logs
between the paired firewalls and possible confusion by administrators when configuring the
firewalls (for example, knowing which firewall is pushing its policy changes to the other
firewall) [5]. HA functionality may be provided through a variety of vendor-specific techniques.
Figure 2.3. Firewall with a DMZ
Figure 2.4. Simple Routed Network with Firewall Device
So generally for most voluntary sector organizations, the way to start is to look for a product to
buy. If someone has told you about how you can build a firewall to meet your needs with
existing routers, please think twice or thrice about embarking on this endeavour. In theory this
approach is good if you have a full-time IT staff member who really understands wide area
networking. In practice this approach often costs much more in staff time and energy than
comparable out-of-the-box firewalls. There are a few things to consider when deciding though:
1. Will the firewall implement your security system, or are you dependent on the firewall's
built-in security?
2. Is the firewall flexible, user-friendly, easy to program and able to filter on a wide variety of
attributes, including source and destination IP address?
3. Does it contain mechanisms for logging traffic and suspicious activity, as well as mechanisms
for log reduction to keep logs readable and understandable?
4. The firewall and any corresponding operating system should be updateable with patches and
other bug fixes in a timely manner.
Now you need to define your network (with appropriate help if needed). List out your network
protocols, main systems such as email, file server version and patch level, list out your Internet
connection, speed, IP addresses and services. Defining where a firewall will go and what its
purpose will be can help you determine what device will work best for your organization. For
small offices and homes with an ADSL connection to the Internet, ADSL Modems with built-in
firewalls are a good bet. If you are getting ADSL anyway you might as well get a decent modem
that has a firewall. Check with your Internet Service Provider as to which modem they are giving
you, or to make sure that the one you buy is compliant with their system. Often these devices
also include:
· VPN
· NAT
· DHCP
For stand-alone firewalls, products like the WatchGuard Firebox SOHO devices are relatively
easy to install and configure and are suitable.
2.11. TCP and UDP
Application protocols can use TCP, UDP, or both, depending on the design of the protocol. An
application server typically listens on one or more fixed TCP or UDP ports. Some applications
use a single port, but many applications use multiple ports. For example, although SMTP uses
TCP port 25 for sending mail, it uses TCP port 587 for mail submission. Similarly, FTP uses at
least two ports, one of which can be unpredictable, and while most web servers use only TCP
port 80, it is common to have web sites that also use additional ports such as TCP port 8080.
Some applications use both TCP and UDP; for example, DNS lookups can occur on UDP port 53
or TCP port 53. Application clients typically use any of a wide range of ports. As with other
aspects of firewall rule sets, deny by default policies should be used for incoming TCP and UDP
traffic. Less stringent policies are generally used for outgoing TCP and UDP traffic because most
organizations permit their users to access a wide range of external applications located on
millions of external hosts. In addition to allowing and blocking UDP and TCP traffic, many
firewalls are also able to report or block malformed UDP and TCP traffic directed towards the
firewall or to hosts protected by the firewall. This traffic is frequently used to scan for hosts, and
may also be used in certain types of attacks. The firewall can help block such activity or at least
report when such activity is happening.
2.12. ICMP
Attackers can use various ICMP types and codes to perform reconnaissance or manipulate the
flow of network traffic. However, ICMP is needed for many useful things, such as getting
reasonable performance across the Internet. Some firewall policies block all ICMP traffic, but
this often leads to problems with diagnostics and performance [6]. Other common policies allow
all outgoing ICMP traffic, but limit incoming ICMP to those types and codes needed for Path
Maximum Transmission Unit (PMTU) discovery (ICMP type 3) and destination reachability. To
prevent malicious activity, firewalls at the network perimeter should deny all incoming and
outgoing ICMP traffic except for those types and codes specifically permitted by the
organization. For ICMP in IPv4, ICMP type 3 messages should not be filtered because they are
used for important network diagnostics. The ping command (ICMP type 8) is an important
network diagnostic, but incoming pings are often blocked by firewall policies to prevent
attackers from learning more about the internal topology of the organization’s network. For
ICMP in IPv6, many types of messages must be allowed in specific circumstances to enable
various IPv6 features. See RFC 4890, Recommendations for Filtering ICMPv6 Messages in
Firewalls, for detailed information on selecting which ICMPv6 types to allow or disallow for a
particular firewall type. ICMP is often used by low-level networking protocols to increase the
speed and reliability of networking. Therefore, ICMP within an organization’s network generally
should not be blocked by firewalls that are not at the perimeter of the network, unless security
needs outweigh network operational needs. Similarly, if an organization has more than one
network, ICMP that comes from or goes to other networks within the organization should not be
blocked.
2.13. IPv6
IPv6 is a new version of IP that is increasingly being deployed. Although IPv6’s internal format
and address length differ from those of IPv4, many other features remain the same and some of
these are relevant to firewalls. For the features that are the same between IPv4 and IPv6,
firewalls should work the same. For example, blocking all inbound and outbound traffic that has
not been expressly permitted by the firewall policy should be done regardless of whether or not
the traffic has an IPv4 or IPv6 address. As of this writing, some firewalls cannot handle IPv6
traffic at all, others are able to handle it but have limited abilities to filter IPv6 traffic; and still
others can filter IPv6 traffic to approximately the same extent as IPv4 traffic. Every organization,
whether or not it allows IPv6 traffic to enter its internal network, needs a firewall that is capable
of filtering this traffic. These firewalls should have the following capabilities:
· The firewall should be able to use IPv6 addresses in all filtering rules that use IPv4 addresses.
The administrative interface should allow administrators to clone IPv4 rules to IPv6 addresses
to make administration easier.
· The firewall needs to be able to filter ICMPv6, as specified in RFC 4890, Recommendations
for Filtering ICMPv6 Messages in Firewalls.
· The firewall should be able to block IPv6-related protocols such as 6-to-4 and 4-to-6 tunneling,
and Intra-site Automatic Tunnel Addressing Protocol (ISATAP), if they are not required.
· Many sites tunnel IPv6 packets in IPv4 packets. This is particularly common for sites
experimenting with IPv6, because it is currently easier to obtain IPv6 transit from a tunnel
broker through a v6-to-v4 tunnel than to get native IPv6 transit from an Internet service
provider (ISP). A number of ways exist to do this, and standards for tunneling are still
evolving. If the firewall is able to inspect the contents of IPv4 packets, it needs to know how
to inspect traffic for any tunneling method used by the organization. A corollary to this is that
if an organization is using a firewall to prohibit IPv6 coming into or going out of its network,
that firewall needs to recognize and block all forms of v6-to-v4 tunneling.
The above list is short and not all the rules are security-specific. Because IPv6 deployment is still
in its early stages, there is not yet widespread agreement in the IPv6 operations community about
what an IPv6 firewall should do that is different from IPv4 firewalls. For firewalls that permit
IPv6 use, traffic with invalid source or destination IPv6 addresses should always be blocked; this
is similar to blocking traffic with invalid IPv4 addresses. Since much more effort has been spent
on making lists of invalid IPv4 addresses than on IPv6 addresses, finding lists of invalid IPv6
addresses can be difficult. Also, IPv6 allows network administrators to allocate addresses in their
assigned ranges in different ways. This means that in a particular address range assigned to an
organization, there can literally be trillions of invalid IPv6 addresses and only a few that are
valid. By necessity, listing which IPv6 addresses are invalid will have to be less fine-grained
than listing invalid IPv4 addresses, and the firewall rules that use these lists will be less effective
than their IPv4 counterparts. Organizations that do not yet use IPv6 should block all native and
tunneled IPv6 traffic at their firewalls. Note that such blocking limits testing and evaluation of
IPv6 and IPv6 tunneling technologies for future deployment. To permit such use, the firewall
administrator can selectively unblock IPv6 or the specific tunneling technologies of interest for
use by the authorized testers.
2.14. Firewall Policy
A firewall policy dictates how firewalls should handle network traffic for specific IP addresses
and address ranges, protocols, applications, and content types (e.g., active content) based on the
organization’s information security policies [7]. Before a firewall policy is created, some form of
risk analysis should be performed to develop a list of the types of traffic needed by the
organization and categorize how they must be secured including which types of traffic can
traverse a firewall under what circumstances. This risk analysis should be based on an evaluation
of threats, vulnerabilities, counter measures in place to mitigate vulnerabilities, and the impact if
systems or data are compromised. Firewall policy should be documented in the system security
plan and maintained and updated frequently as classes of new attacks or vulnerabilities arise, or
as the organization’s needs regarding network applications change. The policy should also
include specific guidance on how to address changes to the rule set. Generally, firewalls should
block all inbound and outbound traffic that has not been expressly permitted by the firewall
policy, that is, traffic that is not needed by the organization. This practice, known as deny by
default, decreases the risk of attack and can also reduce the volume of traffic carried on the
organization’s networks. Because of the dynamic nature of hosts, networks, protocols, and
applications, deny by default is a more secure approach than permitting all traffic that is not
explicitly forbidden.
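As an added illustration of sections 2.11 to 2.14 (this is not JU's configuration or any vendor's code), the following Python script models a deny-by-default perimeter filter: inbound TCP/UDP only to published DMZ services on the ports named above, outbound ICMP allowed but inbound ICMP limited to diagnostic types, IPv6-in-IPv4 tunnels blocked, and invalid or spoofed addresses dropped in both address families. All prefixes, hosts and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA IP protocol numbers. 41 is IPv6 encapsulated in IPv4 (used by 6to4 and ISATAP).
TCP, UDP, ICMP, ICMPV6, IPV6_IN_IPV4 = 6, 17, 1, 58, 41

# Constructed address plan for this example (not JU's real ranges).
ORG_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("2001:db8:1::/48")]
DMZ_HOSTS = {ipaddress.ip_address("203.0.113.10"),
             ipaddress.ip_address("2001:db8:1:d::10")}

# Services published from the DMZ (section 2.11): SMTP 25 and submission 587,
# web 80 and 8080, DNS on UDP and TCP 53. Everything else inbound is denied.
DMZ_SERVICES = {(TCP, 25), (TCP, 587), (TCP, 80), (TCP, 8080), (UDP, 53), (TCP, 53)}

# Inbound ICMP kept for diagnostics (section 2.12): IPv4 type 3 (destination
# unreachable, which carries the PMTU signal); ICMPv6 error types 1-4, which
# RFC 4890 says must not be dropped. Echo request (v4 type 8, v6 type 128) is absent.
INBOUND_ICMP_TYPES = {ICMP: {3}, ICMPV6: {1, 2, 3, 4}}

# Addresses never valid on the Internet side (section 2.13): a constructed short list
# of private, loopback, link-local, multicast and unspecified ranges for both families.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fe80::/10", "fc00::/7", "ff00::/8")]


@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" = from the Internet, "out" = towards it
    src: str
    dst: str
    ip_proto: int
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None


def _in_any(addr, nets):
    # Membership across families is False, so v4 addresses never match v6 prefixes.
    return any(addr in net for net in nets)


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet; the last rule is the default deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src.version != dst.version:
        return "DROP", "address family mismatch"
    # 1. Invalid addresses are dropped in both families, as section 2.13 requires.
    if _in_any(src, BOGONS) or _in_any(dst, BOGONS):
        return "DROP", "invalid source or destination address"
    # 2. Anti-spoofing: inbound must come from outside and be addressed to our prefixes.
    if pkt.direction == "in" and (_in_any(src, ORG_PREFIXES) or not _in_any(dst, ORG_PREFIXES)):
        return "DROP", "spoofed source or foreign destination on inbound"
    if pkt.direction == "out" and not _in_any(src, ORG_PREFIXES):
        return "DROP", "outbound packet with a non-organization source"
    # 3. IPv6-in-IPv4 tunnels (6to4, ISATAP) are blocked because they are not required.
    if pkt.ip_proto == IPV6_IN_IPV4:
        return "DROP", "IPv6-in-IPv4 tunneling not permitted"
    # 4. ICMP: all outgoing allowed; incoming limited to the diagnostic error types.
    if pkt.ip_proto in (ICMP, ICMPV6):
        if pkt.direction == "out":
            return "ACCEPT", "outbound ICMP allowed"
        if pkt.icmp_type in INBOUND_ICMP_TYPES[pkt.ip_proto]:
            return "ACCEPT", "inbound ICMP diagnostic type %d" % pkt.icmp_type
        return "DROP", "inbound ICMP type %s blocked" % pkt.icmp_type
    # 5. TCP/UDP: inbound only to published DMZ services; outbound is less stringent.
    if pkt.ip_proto in (TCP, UDP):
        if pkt.direction == "out":
            return "ACCEPT", "outbound TCP/UDP to an external application"
        if dst in DMZ_HOSTS and (pkt.ip_proto, pkt.dport) in DMZ_SERVICES:
            return "ACCEPT", "published DMZ service on port %d" % pkt.dport
        return "DROP", "no rule permits this inbound TCP/UDP traffic"
    # 6. Anything not matched above falls through to deny by default (section 2.14).
    return "DROP", "default deny"


# Constructed sample traffic; 198.51.100.7 and 2001:db8:2::9 stand in for Internet hosts.
SAMPLE_TRAFFIC = [
    Packet("in", "198.51.100.7", "203.0.113.10", TCP, dport=25),             # SMTP to DMZ mail
    Packet("in", "198.51.100.7", "203.0.113.10", UDP, dport=53),             # DNS query to DMZ
    Packet("in", "198.51.100.7", "203.0.113.10", TCP, dport=22),             # SSH: not published
    Packet("in", "198.51.100.7", "203.0.113.50", TCP, dport=80),             # web port, non-DMZ host
    Packet("in", "10.0.0.5", "203.0.113.10", TCP, dport=80),                 # private source outside
    Packet("in", "203.0.113.20", "203.0.113.10", TCP, dport=80),             # our prefix from outside
    Packet("in", "198.51.100.7", "203.0.113.10", ICMP, icmp_type=3),         # unreachable / PMTU
    Packet("in", "198.51.100.7", "203.0.113.10", ICMP, icmp_type=8),         # inbound ping
    Packet("out", "203.0.113.20", "198.51.100.7", ICMP, icmp_type=8),        # our ping going out
    Packet("out", "203.0.113.20", "198.51.100.7", TCP, dport=443),           # user browsing
    Packet("in", "198.51.100.7", "203.0.113.10", IPV6_IN_IPV4),              # 6to4/ISATAP tunnel
    Packet("in", "2001:db8:2::9", "2001:db8:1:d::10", TCP, dport=80),        # native v6 web, same rule
    Packet("in", "2001:db8:2::9", "2001:db8:1:d::10", ICMPV6, icmp_type=2),  # packet too big
    Packet("in", "2001:db8:2::9", "2001:db8:1:d::10", ICMPV6, icmp_type=128),  # v6 echo request
    Packet("in", "fe80::1", "2001:db8:1:d::10", TCP, dport=80),              # link-local source
]


def run_sample():
    """Verdicts for SAMPLE_TRAFFIC, in order."""
    return [evaluate(p)[0] for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for p in SAMPLE_TRAFFIC:
        print("%-6s %-3s %-15s -> %-16s %s" % (evaluate(p) + (p.direction, p.src, p.dst)))
```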
2.15. Virtual Machines Installation
VMware is a platform that makes it possible to run an unmodified operating system as a user-
level application. The OS running within VMware can be rebooted, crashed, modified, and
reinstalled without affecting the integrity of other applications running on the computer. A
virtual-machine monitor is an additional layer of software between the hardware and the
operating system that virtualizes all of the hardware resources of the machine. It essentially
creates a virtual hardware execution environment called a “virtual machine” (VM). Multiple
VMs can be used at the same time, and each VM provides isolation from the real hardware and
other activities of the underlying system (Figure 2.5). Because it provides the illusion of
standard PC (Personal Computer) hardware within a VM, VMware can be used to run multiple
unmodified PC operating systems simultaneously on the same machine by running each
operating system in its own VM. An OS running as a user-level application on top of VMware is
called a “guest OS.” The native OS originally running on the real hardware is called the “host
OS.” VMware is low-level enough to make a guest OS appear to be receiving hardware
interrupts (such as timer interrupts) and behave as if it were the only OS on the machine [8]. At
the same time, it provides isolation so that a failure or misbehavior of a guest OS does not
affect other guest OSs or the underlying system. For instance, a guest OS crashing will not crash
the underlying system. As opposed to a software simulator, much of the code running in a VM
executes directly on the hardware without interpretation. Operating systems currently supported
as guest operating systems under VMware include Windows 95/98/2000/NT, FreeBSD, Solaris,
Novell NetWare, DOS, and Linux, all of which run unmodified. Theoretically, any OS that can
run on an x86 architecture can run as a guest OS, since it will see a complete virtualized PC
environment. For host operating systems, VMware currently runs and is supported on Windows
Vista, XP, 2000/NT and Linux.
Figure 2.5.virtual machine
Figure 2.6. Ubuntu Guest OS Installation in Progress
Figure 2.7. Ubuntu Installation Done
JU typically provides an account for students, often with limited access and privileges, on its
servers dedicated to a particular systems course or programming course. But it is often
difficult to expect the university to create more than one account per student. If students have to
run multiple processes (e.g., a multi-user chat application), they would typically have to open
multiple terminals within the same account and run the processes on different port numbers. Even
in JU, with dedicated labs for the courses, students rarely get the chance to run their processes
simultaneously on multiple physical machines and observe the interaction between these processes.
For such scenarios, students could download pre-built Linux-based appliances (which carry no
licensing restriction and have a relatively lower resource overhead than Windows-based
appliances) with which they can run several virtual machines simultaneously and test their
applications. Virtual machines play a significant role in reducing the need for several physical
host machines to run multiple processes. In addition, if students are interested in trying out
certain special software for their course or research projects, they would have to go through the
instructors or the university to obtain permission, and the institution would have to install the
software. Virtual machines can reduce the administrative overhead for the Information
Technology (IT) divisions in an institution and at the same time enhance student creativity
and performance.

With virtual machines, students have several options to try out. They could download pre-built
virtual appliances (some may be completely free and others may be available in trial versions)
and install them. Students can further install any required programming language compiler or
software development kit on a virtual machine without affecting their personal machine (i.e. the
host). After downloading and installing the virtual machine, they can connect it to their home
router either using the VM player bridged adapter, which is probably the best option because the
virtual machine then has its own IP address just like the host machine, or using the NAT
(Network Address Translation) adapter, which connects to the router indirectly through the host
machine. In either case, a virtual machine breakdown affects neither the physical host machine
nor the network.

A virtual machine is the best candidate for courses related to network security. In order for
students to run vulnerability-related programs against machines, they first need a machine on
which they can create such security risks, and then write their own programs or run commercially
available programs to detect and/or study different types of attacks on that machine. Most
network security related projects are best suited to Linux-based virtual machines. Again, the JU
level account will not be the best option for such projects, because students will need more
privileges on their account for administration purposes, as well as to create different privilege
levels for the account as the experiments require. The advantage of running such exercises on a
virtual network is that none of the damaging or questionable traffic is generated on the
production network, and the whole project can be run not just from the lab but from a properly
configured remote location. VMware machines allow the creation of simple files, or groups of
files, that can be distributed with the entire configuration necessary to demonstrate topics in a
way that does not negatively impact the device or the network the device is running on. Virtual
machines could be widely adopted in academics (for example, in many courses), because the main
objective of virtualization is to reduce cost, keep the host system unmodified, and make the host
as portable and manageable as possible. Students will have an accessible environment to work on
their projects both on campus and remotely. A very feasible and cost-effective solution is
possible that closely resembles a real-life environment and is easily adaptable to the changing
needs of the courses without the overhead of IT resources and cost. Several options can be
considered to provide such a facility to students. Below, we explore the use of virtual machines
for some of the commonly studied problems in computer and network security related courses [9].
2.16. Router
At the center of the network is the router. Stated simply, a router connects one network to
another network [10]. Therefore, the router is responsible for the delivery of packets across
different networks in JU. The destination of the IP packet might be a web server in another
country or an e-mail server on the local area network. It is the responsibility of the routers to
deliver those packets in a timely manner. The effectiveness of internetwork communications
depends, to a large degree, on the ability of routers to forward packets in the most efficient way
possible. A router is a computer, just like any other computer including a PC. Routers have
many of the same hardware and software components that are found in other computers,
including:
• CPU
• RAM
• ROM
• Operating System
In addition to packet forwarding, a router provides other services:
1- Availability: routers use alternate paths in case the primary path fails.
2- Integrated services: routers carry data, video, and voice over wired and wireless networks.
Routers use Quality of Service (QoS) prioritization of IP packets to ensure that real-time traffic,
such as voice, video and critical data, is not dropped or delayed.
3- Security: routers mitigate the impact of worms, viruses, and other attacks on the network by
permitting or denying the forwarding of packets.
Typical users in JU may be unaware of the presence of numerous routers in their own network or
in the Internet. Users expect to be able to access web pages, send e-mails, and download music
whether the server they are accessing is on their own network or on another network half-way
around the world. However, networking professionals know it is the router that is responsible for
forwarding packets from network to network, from the original source to the final destination.

A router connects multiple networks. This means that it has multiple interfaces that each belong
to a different IP network. When a router receives an IP packet on one interface, it determines
which interface to use to forward the packet on to its destination. The interface that the router
uses to forward the packet may be the network of the final destination of the packet (the network
containing the destination IP address of this packet), or it may be a network connected to another
router that is used to reach the destination network. The router uses its routing table to
determine the best path to forward the packet. When the router receives a packet, it examines its
destination IP address and searches for the best match with a network address in the router's
routing table. The routing table also includes the interface to be used to forward the packet.
Once a match is found, the router encapsulates the IP packet into the data link frame of the
outgoing or exit interface, and the packet is then forwarded toward its destination.

A routing table is a data file in RAM that is used to store route information about directly
connected and remote networks. The routing table contains network/next-hop associations. These
associations tell a router that a particular destination can be optimally reached by sending the
packet to a specific router that represents the "next hop" on the way to the final destination.
The next-hop association can also be the outgoing or exit interface to the final destination. The
network/exit-interface association can also represent the destination network address of the IP
packet. This association occurs on the router's directly connected networks.

Routers have physical connectors that are used to manage the router. These connectors are known
as management ports. Unlike Ethernet and serial interfaces, management ports are not used for
packet forwarding. The most common management port is the console port. The console port is
used to connect a terminal, or most often a PC running terminal emulator software, to configure
the router without the need for network access to that router. The console port must be used
during initial configuration of the router. Another management port is the auxiliary port. Not
all routers have auxiliary ports. At times the auxiliary port can be used in ways similar to a
console port. It can also be used to attach a modem.

Routers have multiple interfaces that are used to connect to multiple networks. Typically, the
interfaces connect to various types of networks, which means that different types of media and
connectors are required. Often a router will need to have different types of interfaces. For
example, a router usually has Fast Ethernet interfaces for connections to different LANs and
various types of WAN interfaces to connect a variety of serial links including T1, DSL and ISDN.
The figure shows the Fast Ethernet and serial interfaces on the router.
Router interfaces can be divided into two major groups:
1- LAN interfaces - such as Ethernet and Fast Ethernet
2- WAN interfaces - such as serial, ISDN, and Frame Relay
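The routing-table lookup described above, written out as an added Python example (not code from the report or from any vendor). The table is constructed: two directly connected networks, two remote networks reached through next hops, and a default route. `lookup` picks the most specific matching prefix (longest prefix match), and `forward` returns the exit interface together with the address the data link frame is addressed to, which on a directly connected network is the destination itself.

```python
"""Longest-prefix routing table lookup.

Added example (not from the report). The table below is constructed; the
interface names follow Cisco conventions and addresses use documentation ranges.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: str              # destination network in CIDR form
    next_hop: Optional[str]   # None for a directly connected network
    interface: str            # exit interface


# Constructed routing table: two connected networks, two remote networks
# learned via next hops, and a default route out of the serial link.
TABLE = [
    Route("192.168.1.0/24", None, "FastEthernet0/0"),
    Route("203.0.113.0/30", None, "Serial0/0/0"),
    Route("10.10.0.0/16", "192.168.1.2", "FastEthernet0/0"),
    Route("10.10.5.0/24", "203.0.113.2", "Serial0/0/0"),
    Route("0.0.0.0/0", "203.0.113.2", "Serial0/0/0"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst, or None when nothing matches."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for route in table:
        net = ip_network(route.network)
        if net.version != addr.version:      # an IPv6 packet never matches an IPv4 route
            continue
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def forward(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Exit interface and the address the outgoing frame is delivered to.

    On a directly connected network the router delivers to the destination
    itself; otherwise it hands the packet to the next-hop router.
    """
    route = lookup(table, dst)
    if route is None:
        return None                       # no route at all: the packet is dropped
    return route.interface, route.next_hop or dst


if __name__ == "__main__":
    for dst in ("10.10.5.7", "10.10.9.1", "192.168.1.50", "8.8.8.8"):
        print(dst, "->", forward(TABLE, dst))
```

Note that 10.10.5.7 falls inside both 10.10.0.0/16 and 10.10.5.0/24; the /24 wins because it is the longer prefix, so the packet leaves on the serial link rather than towards 192.168.1.2. Removing the default route makes `forward` return None for an address no prefix covers.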
Figure 2.8. Router interfaces logical representation
LAN interfaces are used to connect the router to the LAN. WAN Interfaces are used to connect
routers to external networks. The Layer 2 encapsulation can be of different types, such as PPP,
Frame Relay, and HDLC (High-Level Data Link Control).
Figure 2.9. Router interfaces physical representation
When configuring a router, certain basic tasks are performed, including:
• Naming the router
• Setting passwords
• Configuring interfaces
• Configuring a banner
• Saving changes on a router
• Verifying basic configuration and router operations
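The last task in the list, verifying the basic configuration, can be scripted. The following is an added Python example (not from the report) that reads an IOS-style configuration and reports which of the tasks above are complete: a non-default hostname, an `enable secret` rather than a plain `enable password`, `service password-encryption`, a login banner, a password and `login` on the console and vty lines, and at least one interface with an address that is not shut down. Both configurations are constructed for the example and the password values are placeholders.

```python
"""Checks for the basic router configuration tasks listed above.

Added example (not from the report). The two configurations are constructed
IOS-style text; the password values are placeholders.
"""
from typing import Dict, List, Tuple

# Constructed: a router left close to its defaults.
WEAK_CONFIG = """\
hostname Router
enable password cisco
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 shutdown
line vty 0 4
 login
"""

# Constructed: the same router after the basic tasks are done.
GOOD_CONFIG = """\
service password-encryption
hostname JU-EDGE-R1
enable secret ENABLE-SECRET-PLACEHOLDER
banner motd ^CAuthorized access only^C
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 no shutdown
line con 0
 password CONSOLE-PASSWORD-PLACEHOLDER
 login
line vty 0 4
 password VTY-PASSWORD-PLACEHOLDER
 login
"""


def parse(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (top-level command, indented sub-commands) pairs."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def _line_secured(sections: List[Tuple[str, List[str]]], prefix: str) -> bool:
    """A console/vty line is secured when it has both a password and login."""
    for cmd, subs in sections:
        if cmd.startswith(prefix):
            return "login" in subs and any(s.startswith("password") for s in subs)
    return False


def audit(config: str) -> Dict[str, object]:
    """Report which of the basic configuration tasks have been completed."""
    sections = parse(config)
    cmds = [cmd for cmd, _ in sections]
    hostname = next((c.split(None, 1)[1] for c in cmds if c.startswith("hostname ")), "Router")
    up_ifaces = [
        cmd.split(None, 1)[1]
        for cmd, subs in sections
        if cmd.startswith("interface ")
        and any(s.startswith("ip address") for s in subs)
        and "shutdown" not in subs           # an explicit "shutdown" line means the port is down
    ]
    return {
        "hostname_set": hostname != "Router",
        "enable_secret": any(c.startswith("enable secret") for c in cmds),
        "password_encryption": "service password-encryption" in cmds,
        "banner": any(c.startswith("banner motd") for c in cmds),
        "console_secured": _line_secured(sections, "line con"),
        "vty_secured": _line_secured(sections, "line vty"),
        "interfaces_up": up_ifaces,
    }


def all_done(config: str) -> bool:
    """True only when every basic task is complete and some interface is usable."""
    f = audit(config)
    flags = ("hostname_set", "enable_secret", "password_encryption",
             "banner", "console_secured", "vty_secured")
    return all(f[k] for k in flags) and bool(f["interfaces_up"])


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("good:", audit(GOOD_CONFIG))
```

The check for `enable secret` matters more than the others: `enable password` stores the privileged password reversibly, whereas `enable secret` stores a hash, so a configuration backup that leaks does not hand out the router.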
2.17. Gateways
Gateways are the key to routing: they are the systems through which other networks can be
reached. The kind of gateway most people are familiar with is the default gateway, which is the
router through which a system connects to the Internet or to any other network it does not have
a more specific route to. Gateways are also used for static routing, where other networks must be
reached via specific local routers. On most normal networks, gateways always reside in the same
subnet as one of the interfaces on the system. For example, if a firewall has an IP address of
192.168.22.5/24, then a gateway to another network would have to be somewhere inside
192.168.22.x if the other network is reachable through that interface. One notable exception to
this is point-to-point interfaces, like those used in PPP-based protocols, which often have
gateway IP addresses in another subnet because they are not used in the same way. When
working with routing and gateways, the functionality and procedures are the same for both IPv4
and IPv6 addresses; however, all of the addresses for a given route must be of the same family.
For example, an IPv6 network must be routed using an IPv6 gateway/router. A route cannot be
created for an IPv6 network using an IPv4 gateway address. When working with gateway groups,
the same restriction applies: all gateways in a gateway group must be of the same address family.
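The two gateway rules above (same subnet as an interface, except on point-to-point links; same address family as the route and as the rest of the gateway group) can be checked before a route is committed. The following is an added Python example, not from the report or any firewall product; it uses the 192.168.22.5/24 interface from the text and otherwise constructed addresses.

```python
"""Gateway sanity checks: same subnet as an interface (except point-to-point
links) and same address family as the route or gateway group.

Added example (not from the report). Addresses are constructed; the firewall
interface 192.168.22.5/24 is the one the text uses.
"""
from ipaddress import ip_address, ip_interface, ip_network
from typing import Iterable, Tuple


def gateway_usable(interface_cidr: str, gateway: str,
                   point_to_point: bool = False) -> Tuple[bool, str]:
    """Can this gateway be reached through the given interface?"""
    iface = ip_interface(interface_cidr)
    gw = ip_address(gateway)
    if gw.version != iface.version:
        return False, "gateway and interface are of different address families"
    if point_to_point:
        # PPP-style links: the peer's address need not share our subnet.
        return True, "point-to-point link: off-subnet gateway accepted"
    if gw == iface.ip:
        return False, "gateway is the interface's own address"
    if gw not in iface.network:
        return False, f"gateway not inside {iface.network}"
    return True, "gateway is on the interface subnet"


def route_valid(destination: str, gateway: str) -> bool:
    """A route's destination network and its gateway must share an address family."""
    return ip_network(destination).version == ip_address(gateway).version


def gateway_group_valid(gateways: Iterable[str]) -> bool:
    """All members of a gateway group must be of the same address family."""
    versions = {ip_address(g).version for g in gateways}
    return len(versions) == 1


if __name__ == "__main__":
    print(gateway_usable("192.168.22.5/24", "192.168.22.1"))
    print(gateway_usable("192.168.22.5/24", "192.168.23.1"))
    print(route_valid("2001:db8:1::/48", "192.168.22.1"))
```

The address-family check comes first on purpose: comparing a v6 address against a v4 network would otherwise raise rather than fail cleanly, and the route rule is the same comparison applied to the destination prefix instead of the interface.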
Figure 2.10. Configuration of basic router parameters
Figure 2.11. Router interface configuration
2.18. Routing and Routing Protocols
The primary responsibility of a router is to direct packets destined for local and remote networks
by:
• Determining the best path to send packets
• Forwarding packets toward their destination
The router uses its routing table to determine the best path to forward the packet. When the
router receives a packet, it examines its destination IP address and searches for the best match
with a network address in the router's routing table. The routing table also includes the interface
to be used to forward the packet. Once a match is found, the router encapsulates the IP packet
into the data link frame of the outgoing or exit interface, and the packet is then forwarded toward
its destination. Types of routes:
2.18.1. Static Routes
Static routes are configured manually; network administrators must add and delete static routes
to reflect any network topology changes. In a large network, the manual maintenance of routing
tables could require a lot of administrative time. On small networks with few possible changes,
static routes require very little maintenance. Static routing is not as scalable as dynamic routing
because of the extra administrative requirements. Even in large networks, static routes that are
intended to accomplish a specific purpose are often configured in conjunction with a dynamic
routing protocol.
2.18.2. Dynamic Routes
A dynamic route is one that a routing protocol adjusts automatically for topology or traffic
changes.
2.19. WAN VSS
WAN VSS is the Ethernet edge, used to terminate the link between the Ethernet project and JU. It
has two links: one connects to the Ministry of Education and the other connects to the JU core
switch.
2.20. Virtual Switching System
In this technology two or more devices operate as if they were a single device. The main advantage
is that the combined devices have more processing speed and bandwidth than a single device can
give. Most of the university's devices operate in this mode, such that in all layers (except the
access layer) there are two devices acting as one, with twice the processing speed and port
availability of a single device. Additionally, if one of the combined devices fails, the other can
still be used without service interruption. VSS is a network system virtualization technology
that pools Cisco Catalyst 6500 Series switches (in JU's case the c6504-E) into one virtual switch,
increasing operational efficiency and boosting nonstop communications; VSS combines two
physical switches into a single logical switch.
The application of VSS is wide ranging. VSS can be applied in all three tiers of the hierarchical
campus (WAN, core, and distribution) as well as in the services block, in both multilayer and
routed-access designs:
• VSS enables a loop-free topology along with simplification of the control plane and high
availability
• Simplifying user connectivity by spanning VLANs per building or location
• Network virtualization (guest VLAN supporting transient connectivity, intra-company
connectivity, and so on)
• Outsource group and inter-agency resources requiring spanned VLANs
• Wireless VLANs without a centralized controller
Why do we use VSS? VSS allows us to:-
• Maximize network performance
• Increase network availability
• Simplify network architecture
• Reduce administrative burden
• Support virtualization
2.21. Virtual LAN Concepts
A LAN includes all devices in the same broadcast domain. A broadcast domain is the set of all
LAN-connected devices such that when any one of them sends a broadcast frame, all the other
devices get a copy of the frame. Without VLANs, a switch considers all its interfaces to be in the
same broadcast domain; with VLANs, a switch can put some interfaces into one broadcast
domain and some into another, creating multiple broadcast domains. These individual broadcast
domains created by the switch are called virtual LANs. VLANs organize physically separate users
into the same broadcast domain. The use of VLANs improves performance, security, and
flexibility. The use of VLANs also reduces the cost of rearranging users, because no extra cabling
is required. Putting hosts into different VLANs provides many benefits. The key to appreciating
these benefits is to realize that a broadcast sent by one host in a VLAN will be received and
processed by all the other hosts in that VLAN. VLANs allow more flexible designs that group users
by department, or by groups that work together, instead of by physical location.
2.21.1. VLAN characteristics
• VLANs allow logically defined user groups rather than user groups defined by their physical
locations. For example, you can arrange user groups such as accounting, engineering, and
finance, rather than everyone in one building.
• VLANs define broadcast domains that can span multiple LAN segments.
• VLANs improve segmentation, flexibility, and security. VLAN segmentation is not bound by
the physical location of users.
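To make the broadcast-domain idea from the two passages above concrete, here is an added Python model of a switch (example code, not from the report): every port starts in the default VLAN 1, so a broadcast from one port is flooded to all the others; after ports are assigned to department VLANs by configuration alone, the same broadcast reaches only the ports in the sender's VLAN. The port assignments are constructed.

```python
"""Broadcast domains on a switch with and without VLANs.

Added example (not from the report). The port assignments are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set


class Switch:
    """Minimal model: every port belongs to exactly one VLAN (default VLAN 1)."""

    def __init__(self, ports: int):
        self.vlan_of: Dict[int, int] = {p: 1 for p in range(1, ports + 1)}

    def assign(self, port: int, vlan: int) -> None:
        """Move a user to a department VLAN by reconfiguring, not recabling."""
        if port not in self.vlan_of:
            raise ValueError(f"no such port {port}")
        self.vlan_of[port] = vlan

    def broadcast_domains(self) -> Dict[int, Set[int]]:
        """Each VLAN is one broadcast domain: the set of ports it contains."""
        domains: Dict[int, Set[int]] = defaultdict(set)
        for port, vlan in self.vlan_of.items():
            domains[vlan].add(port)
        return dict(domains)

    def flood(self, ingress: int) -> List[int]:
        """Ports that receive a copy of a broadcast frame entering on ingress."""
        vlan = self.vlan_of[ingress]
        return sorted(p for p, v in self.vlan_of.items() if v == vlan and p != ingress)


def demo() -> Dict[str, object]:
    """Compare the reach of a broadcast from port 1 before and after VLANs."""
    sw = Switch(8)
    before = sw.flood(1)                   # no VLANs: every other port gets a copy
    for port in (1, 2, 3):
        sw.assign(port, 10)                # accounting
    for port in (4, 5):
        sw.assign(port, 20)                # engineering
    # ports 6, 7 and 8 stay in VLAN 1
    return {
        "before": before,
        "after": sw.flood(1),
        "engineering": sw.flood(4),
        "domains": len(sw.broadcast_domains()),
    }


if __name__ == "__main__":
    print(demo())
```

Hosts on ports 6 to 8 never see accounting's broadcasts once VLAN 10 exists, which is the segmentation and security benefit the text refers to; traffic between VLANs has to pass through a router (or a multilayer switch) where it can be filtered.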
2.22. Network Address Translation
A device that is configured with NAT will have at least one interface to the inside network and
one to the outside network. In a typical environment, NAT is configured at the exit device
between a stub domain and the backbone. When a packet leaves the domain, NAT translates the
locally significant source address into a globally unique address. When a packet enters the
domain, NAT translates the globally unique destination address into a local address. If more than
one exit point exists, each NAT must have the same translation table. If NAT cannot allocate an
address because it has run out of addresses, it drops the packet and sends an Internet Control
Message Protocol (ICMP) host unreachable packet to the destination. NAT can be used in the
following scenario: you need to connect to the Internet, but not all of your hosts have globally
unique IP addresses. Network Address Translation (NAT) enables private IP internetworks that use
nonregistered IP addresses to connect to the Internet. NAT is configured on a device at the
border of a stub domain (referred to as the inside network) and a public network such as the
Internet (referred to as the outside network). NAT translates internal local addresses to globally
unique IP addresses before sending packets to the outside network.
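The translation behaviour described above, including the pool-exhaustion case, as an added Python example (not from the report or from any router vendor). The inside range and the two-address global pool are constructed; the pool is deliberately tiny so that the third inside host exhausts it and its packet is dropped with an ICMP host unreachable, as the text states.

```python
"""Dynamic NAT at the exit device: outbound source translation, inbound
destination translation and pool exhaustion.

Added example (not from the report). The inside range and the global pool
are constructed; the pool is deliberately tiny to show exhaustion.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, Optional[Tuple[str, str]]]   # (action, (src, dst) after translation)


class Nat:
    def __init__(self, inside_network: str, global_pool: List[str]):
        self.inside = ip_network(inside_network)
        self.free = list(global_pool)            # global addresses not yet handed out
        self.table: Dict[str, str] = {}          # inside local -> inside global

    def _allocate(self, local: str) -> Optional[str]:
        """Reuse an existing mapping or take the next free global address."""
        if local in self.table:
            return self.table[local]
        if not self.free:
            return None
        self.table[local] = self.free.pop(0)
        return self.table[local]

    def outbound(self, src: str, dst: str) -> Verdict:
        """Packet leaving the domain: translate the locally significant source."""
        if ip_address(src) not in self.inside:
            return "forward", (src, dst)         # not an inside address, nothing to do
        glob = self._allocate(src)
        if glob is None:
            # Pool exhausted: drop the packet and signal with ICMP host unreachable.
            return "drop+icmp-host-unreachable", None
        return "forward", (glob, dst)

    def inbound(self, src: str, dst: str) -> Verdict:
        """Packet entering the domain: map the global destination back to local."""
        for local, glob in self.table.items():
            if glob == dst:
                return "forward", (src, local)
        return "drop", None                      # no translation entry for this address


def demo():
    """Three inside hosts share a pool of two global addresses."""
    nat = Nat("10.0.0.0/8", ["203.0.113.10", "203.0.113.11"])
    first = nat.outbound("10.1.1.1", "198.51.100.7")
    second = nat.outbound("10.1.1.2", "198.51.100.7")
    third = nat.outbound("10.1.1.3", "198.51.100.7")     # pool is empty now
    again = nat.outbound("10.1.1.1", "198.51.100.8")     # existing mapping reused
    reply = nat.inbound("198.51.100.7", "203.0.113.10")  # reply to the first host
    stray = nat.inbound("198.51.100.7", "203.0.113.12")  # never allocated
    return first, second, third, again, reply, stray


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The `inbound` path is also why the text warns (in the conclusions) not to rely on NAT as a firewall: an unsolicited packet to an allocated global address is forwarded straight to the mapped inside host, and nothing here inspects what it carries.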
2.23. Methodology
Hardware requirements:-
• Switch (network access device)
• Firewall (hardware)
• Router (internetworking device)
• Multilayer switch (chassis-based switch)
• UTP (network media)
• Access point
• PC (personal computer)
Software requirements:-
• Firewall (pfSense)
• Cisco Packet Tracer 7.2
• Virtual machines
• Linux operating system (Ubuntu)
The methods used in this project are:-
• Drag and drop network devices in Cisco Packet Tracer
• Connect the network devices using the "automatically choose connection type" cable
• Then configure each device through its IOS command-line interface
2.24. Results and Conclusion
During our internship we have been watching network installation; especially, we tried to give
attention to network security. We have been installing and configuring some firewalls and virtual
machines to keep the college's network and computers secure. Using firewalls gives the
following benefits:-
• Confidentiality: keeps information in the network private.
• Authentication: verifies the users of the network.
• Integrity: ensures the message has not been modified in transit.
• Authorization: allows only authorized users to communicate to and from the network.
In general, a firewall should fit into a current network's layout. However, an organization
might change its network architecture at the same time as it deploys a firewall as part of an
overall security upgrade.
• Different common network architectures lead to very different choices for where to place a
firewall, so an organization should assess which architecture works best for its security goals.
• If an edge firewall has a DMZ, consider which outward-facing services should be run from the
DMZ and which should remain on the inside network.
• Do not rely on NATs to provide the benefits of firewalls.
• In some environments, putting one firewall behind another may lead to a desired security goal,
but in general such multiple layers of firewalls can be troublesome.
May 15, 2015 38
CHAPTER THREE
3. Over All Benefits We Gained From Internship
3.1. Introduction
We are confident to say something and to suggest our opinion on every question or idea
forwarded to us; this is due to nothing but the skill that we have developed throughout the
internship program. Getting experience is a great way to build confidence. What's more, if we
have an impressive resume, we will be more confident in our chances of securing a job. After
we've done an internship, if an interviewer asks whether we know how to do something, we won't
say “um (doubt), yes, we think we would be able to do that” but can say “absolutely” and
supplement our assertion with examples. The following are the main benefits we gained from the
work we have done:-
• Improving practical skills
• Applying theoretical knowledge
• Interpersonal communication skills
3.2. The theoretical knowledge gained
The theoretical knowledge we gained covers what a network and network security are, the
components of a network, what a local area network is, what a firewall, a router and the Internet
are, how virtual machines are installed, how data is transmitted through the Internet and through
the network, networking media, what an IP address is and the classes of IP addresses, subnetting,
and the flow. A local area network is a network in a small or limited geographical area. In
general, a network is an intercommunication of networking devices, and networking is
intercommunicating them; an IP address is the identification given to the components or sites.
There are 5 classes of IP address, of which we were familiar with the first three on a network,
while subnetting is dividing an IP address into the required number of networks and hosts.
3.3. Practical knowledge gained
Regarding the network and infrastructure, the practical knowledge gained includes real device
configuration such as firewalls, cabling, trunking, smart board adaptation, visiting the data
center room and understanding the integration of the devices located in the room, visiting the
security camera control room and the smart classroom and discussing how it is done, configuring
switches and creating VLANs, configuring firewalls and virtual machines, and configuring routers
with different routing protocols. Regarding the work environment, the practical knowledge
gained includes:-
• Responsibility
• Possessing a positive attitude
• Adaptability
• Honesty and integrity
• Motivation to work
• Willingness to grow and learn
• Strong self-confidence
3.4. Inter personal communication skill
Nowadays it is the most essential equipment to communicate with other persons, not only in
language but in personal attitudes; interpersonal skill is the most crucial and basic issue for
human beings. The time of the internship was the most powerful opportunity to develop our
interpersonal skills. Individuals often learn different things from colleagues (the team) through
communication. For any individual, communication is an important way of learning, which can be
defined formally as the act, process, or experience of gaining knowledge or skills. Communication
and the subsequent learning help us grow from novices (lacking experience in a job or situation)
to experts and allow us to gain new professional knowledge and abilities. Good communication
skills have many advantages; the following are a few:
• Improve relationships with others.
• Express and share ideas clearly.
3.5. Team playing skill
Over the last 4 months, in addition to the skills we developed as mentioned above, the main skill
we developed is team playing. We were all good at and responsible for what we were doing; if we
had not developed this team playing skill, it would have been very difficult for us to learn the
things we mentioned.
3.6. Leadership skill
Though we were not in a leadership position, that did not stop us from developing good leadership
skills, because all minor things are also within the circle of leadership. Thus the following are
some of the leadership skills we attained that a good leader should have:
• Impartiality
• Transparency and openness
• Integrity
• Accountability
• Motivation
• Recognizing that everyone is unique
• Gaining trust
• Seeking the optimal solution to problems
• Respecting others' experience and ability
• Controlling the learning experience
• Being a model for others and loving what he is doing; if he does not love it, he should not
show that to his fellows
• Having tolerance
3.7. Benefit we gained in terms of understanding work ethics
The internship helped us to know the value of work ethics, so we tried to practice and understand
work-ethics-related issues during our internship:
• Punctuality
• Office discipline
• Reliability
• Honesty
CHAPTER FOUR
4. Conclusion and Recommendation
4.1. Conclusion
After going through the whole world of the internship as interns, we have observed many
professional activities and learnt as well. This internship was very fruitful to us because we
covered many different fields, and we also learnt new concepts and new ways of working. During
this internship period we acquired practical experience to complement the theoretical content of
our study for the campus Cisco three-layer hierarchical model and network security tasks, and the
detailed configuration of firewalls, wireless local area network (WLAN) and the network security
of the main campus data center. We were also able to learn about networking media like fiber
optic and their way of transmitting data, and in general what networking and security are. To
conclude, this internship was very beneficial to us.
4.2. Recommendation
The data center is the hub of the university's computing resources, which are shared by the
academic, research, and administrative community. These facilities provide a secure,
enterprise-wide, reliable and redundant infrastructure for the delivery of mission-critical
university systems. As per our observation, some suggestions for the improvement of the situation
are given below:
• Access floors: one of the key pre-design considerations that affects almost every aspect of
success within a data center environment is the access floor. This infrastructure is every bit as
important to cooling, equipment support, grounding, and electrical and communication
connectivity as the building structure supporting it. The main campus data center in the classroom
building is maintained in the standard data center design, which optimizes air flow, heat
dissipation and other standards.
• Cable management: all data cabling should be under the floor, and both ends of each cable
should be labeled and tagged for proper identification.
• The data center should be protected by a building grounding and lightning protection system.
4.2.1. Recommendation for the company
• Almost all material movement into/out of the store is not properly recorded, so finding
materials easily is very difficult.
• The main problem of JU is the cutting of UTP cables in the trunk by rats. This causes wasted
time, loss of budget, and extra time to find the exact location of the problem.
• The university uses a controller-based wireless LAN with two controllers, both at the main
campus distribution layer. When a wireless user wants to connect to the wireless LAN they have to
be authenticated by the controller at the main campus; also, the techno campus is used as the DHCP
server for all wireless users in each campus, and this is not efficient. They can improve the
efficiency of the wireless LAN by using a controller in each campus, so that a user in any campus
is served by the local wireless controller.
REFERENCES
[1] J. u. e. r. a. communications, "ICTDO," Jimma University, 25 9 2021. [Online]. Available: www.ju.edu.et. [Accessed 4 1 2023].
[2] A. Hayes, "Investopedia," 22 1 2021. [Online]. Available: www.investopedia.com. [Accessed 4 1 2023].
[3] B. Lutkevich, "DMZ in networking," 9 7 2021. [Online]. Available: techtarget.com. [Accessed 4 1 2023].
[4] "Cisco Web Security Appliance S370," 28 7 2014. [Online]. Available: www.cisco.com. [Accessed 5 1 2023].
[5] PAN-OS, "HA overview," 7 10 2022. [Online]. Available: TECHDOCS.com. [Accessed 5 1 2023].
[6] B. Lutkevich, "techtarget.com," 11 7 2021. [Online]. Available: www.ICMP.com. [Accessed 4 1 2023].
[7] "Firewall policies," 14 5 2021. [Online]. Available: docs.trendmicro.com. [Accessed 4 1 2023].
[8] I. Ali and N. Meghanathan, "Virtual Machines and Networks –," International Journal of Network Security & Its Applications (IJNSA), vol. 3, p. 7, January 2011.
[9] I. Ali and N. Meghanathan, "Virtual Machines and Networks –," International Journal of Network Security & Its Applications (IJNSA), vol. 3, p. 15, 2011.
[10] "Firewall Configuration Guide," AT&T Intellectual Property, vol. 2, p. 1, October 24, 2017.
[11] J. u. e. r. a. communications, "ICTDO," Jimma University, 22 7 2021. [Online]. Available: www.ju.edu.et. [Accessed 4 1 2023].