Wireless Lan with UTM Appliance Deployment Project - Subhankar Sanyal.
7/30/2019 Wireless Lan with UTM Appliance Deployment Project - Subhankar Sanyal.
1/68
ACKNOWLEDGEMENT
It is my great pleasure to have project training in Information System and IT Operations at
Barsana Hotel and Resort, Siliguri.
During my training period, I had an opportunity to visit almost every department, and I am
grateful to the executives who have extended maximum effort and co-operation to illustrate
regarding the operation of the unit, technical details, etc.
I would especially like to thank:
Mr. Prasun Kumar Nath (General Manager, Barsana Hotel & Resorts)
Mr. Dipendra Raikut (Head, IT & Infrastructure, Barsana Hotel & Resorts)
Mr. Promod Thapa (Executive, Front Desk, Barsana Hotel & Resorts)
I would also like to express my heartiest thanks to our faculty members at Sikkim Manipal
University, Star Institute of Management, Patel Road, Pradhan Nagar, Siliguri -734003 who have
been a source of inspiration throughout, without their help and valuable feedback this project
could not have been possible.
Finally, I would like to thank my family members, especially my mother, and my friends (Sayantan
Bhattacharjee, Susmit Dutta), who have always been my continuous source of inspiration and
have constantly supported and motivated me to complete my project.
BONAFIDE CERTIFICATE
Certified that this project report titled A PROJECT REPORT ON
is the
bonafide work of SUBHANKAR SANYAL who carried out the project work
under my supervision.
SIGNATURE
HEAD OF THE DEPARTMENT
SIKKIM MANIPAL UNIVERSITY, Centre Code: 01005
Star Institute of Management,
Patel Road, Pradhan Nagar, Siliguri - 734003.

SIGNATURE
FACULTY IN CHARGE
SIKKIM MANIPAL UNIVERSITY, Centre Code: 01005
Star Institute of Management,
Patel Road, Pradhan Nagar, Siliguri - 734003.
Executive Summary
It is my great pleasure to have had the opportunity to develop and implement a
project at Barsana Hotel and Resorts, one of the best Five Star Hotels and
Resorts located in North East India. This report is a summary of 6 months of
learning, implementing and solving difficult technical skills. The OBJECTIVE
of the Project is to have a clear vision regarding:
* Product Details.
* Working of a Robust Wireless Network with integrated Security features for all users.
* The detailed working of WLAN with integrated UTM Appliance.
My specialization is in Information Systems. However, before developing a
live system, my knowledge was limited to software simulation technologies
and books. During my project, I was able to enhance my knowledge through
good practical exposure. My Project development report is based on the
following aspects.
INTRODUCTION WITH HOSPITALITY INDUSTRY.
PROFILE OF THE ORGANIZATION.
ISSUES AND CHALLENGES FACED BY THE ORGANIZATION.
PREVIOUS NETWORK ARCHITECTURE.
BRIEF DETAILS OF VARIOUS HARDWARE / SOFTWARE USED IN THE NEW PROJECT.
ARCHITECTURAL DETAILS OF THE SETUP.
VARIOUS PRACTICES ADOPTED IN EACH SECTION TO OPTIMIZE AND ENHANCE NETWORK PERFORMANCE.
TABLE OF CONTENTS
Sl. No.  Topic
1   Introduction With Hospitality Industry
2   Organization History
3   Issues and Challenges faced in Networking
4   Previous Network Architecture
5   Details of New Hardware / Software added to implement new Wireless Network Architecture
6   Firewall Features
7   Introduction of WLAN Security with IPCOP Appliance
8   New Network Architecture
9   Methodology
10  Conclusion
11  Bibliography
12  References
The hospitality industry is a broad category of fields within the service
industry that includes lodging, restaurants, event planning, theme parks,
transportation, cruise line, and additional fields within the tourism industry.
The hospitality industry is a several billion dollar industry that mostly
depends on the availability of leisure time and disposable income. A
hospitality unit such as a restaurant, hotel, or even an amusement park
consists of multiple groups such as facility maintenance, direct operations
(servers, housekeepers, porters, kitchen workers, bartenders, etc.),
management, marketing, and human resources.
To secure for the hotel industry its due place in India's economy; project its
role as a contributor to employment generation and sustainable economic and
social development; highlight its crucial role in the service to tourism industry
as the largest net foreign exchange earner; help raise the standards of hoteliering and to build an image for this industry both within and outside the
country.
Competition and usage rate
Usage rate or its inverse "vacancy rate" is an important variable for the hospitality
industry. Just as a factory owner would wish a productive asset to be in use as
much as possible (as opposed to having to pay fixed costs while the factory isn't
producing), so do restaurants, hotels, and theme parks seek to maximize the
number of customers they "process" in all sectors. This led to formation of services
with the aim to increase usage rate provided by hotel consolidators. Information
about required or offered products are brokered on business networks used by
vendors as well as purchasers.
In viewing various industries, "barriers to entry" by newcomers and competitive
advantages between current players are very important. Among other things,
hospitality industry players find advantage in old classics (location), initial and
ongoing investment support (reflected in the material upkeep of facilities and the
luxuries located therein), and particular themes adopted by the marketing arm of the organization in question (for example at theme restaurants). Very important is
also the characteristics of the personnel working in direct contact with the
customers. The authenticity, professionalism, and actual concern for the happiness
and well-being of the customers that is communicated by successful organizations
is a clear competitive advantage.
ABOUT BARSANA HOTEL AND RESORTS
HISTORY OF THE ORGANIZATION
Barsana Hotel and Resorts is a venture of North Bengal's premier Industrial
house, the Beekay Group. The Beekay Group has set up a luxurious Five Star
Category Hotel at Matigara, Siliguri in Darjeeling District. Located in
Matigara, at the outskirts of Siliguri, the site has been selected away from the
chaos of the bustling town of Siliguri amidst calm and quiet settings with a
view of the picturesque Himalayan Mountains & greenery. The Project is on
60 cottahs of land and started operation by July 2010. Conforming to the
standards norms prescribed by Department of Tourism, Government of India
it has Five Star Category approval. The proposed hotel has been carefully
designed with luxurious interiors and exterior beauty with the most modern
architectural structure and beautiful landscape.
The hotel possesses 52 Double Bedded rooms and 7 Suites with 2 banquet halls, 2
restaurants, bar & coffee shop. Centrally air conditioned with all modern
facilities such as 24 Hour Hot/Cold Water, Room Service with Telephone and
Internet Facility, CCTV with, Lift, In-house Generator, Safe Deposit Vault,
Laundry, Car Rental with Free Car Parking, Doctor-on-Call, Banquet Room,
Conference Room, 24 Hour Coffee Shop, Bar- Cum Restaurant, Travel
Desk Service, Making arrangement of Conducted Tour to Darjeeling and
other neighboring places of interest.
Issues and Challenges faced in Networking
Barsana Hotel and Resorts became operational in October 2010, and the Organization
commissioned state-of-the-art IT equipment for its IT needs. All the computer
terminals and point-of-sale equipment for the Hotel Management and Staff were
connected using Twisted Pair Ethernet, and a dedicated Windows Server 2008 was
used to process and serve all internal users of the Hotel.
Since the Hotel also possesses 60+ Rooms, a Restaurant, Bar, Gym and Conference
Hall, the Hotel Management decided to deploy a full Wireless Network for the
visiting Guests.
The main Internet Backbone was a BSNL Dataone 1 mbps broadband connection,
which was shared by the Hotel's Internal Users and the Guest Wi-Fi
Infrastructure.
But after commissioning, the Wi-Fi network failed to serve its purpose, and most
Guests and Users complained of a Slow, Unreliable Network with a Faint Wi-Fi
Signal.
Below are the issues faced by the Organization.
* Insufficient wireless network coverage on all Four Floors, Restaurant, Conference Hut, Gym and Lobby.
* Breakage of Signal Continuity.
* Slow and Unresponsive Internet Experience.
* No security: all PCs connected to the Wi-Fi infrastructure can see and view other PCs connected to the network if Print and File Sharing is enabled by default, which also exposes the Hotel's Internal network to Guest Users.
* No Content Filtering or Metering Technologies to monitor the Internet Activity of the Guests, which is a compliance issue as per Indian Laws.
* Network congestion: as more users log on to the Wi-Fi, the entire Network becomes very slow and finally fails to serve its purpose due to the lack of a QOS (Quality of Service) implementation.
PREVIOUS NETWORK ARCHITECTURE
The Previous Network was composed primarily of several Hardware Components:
1) BSNL ADSL Router cum Modem (Make TP Link) with Four RJ45 LAN Ports to share the Internet Connection.
2) SMC Networks Barricade Routers (SMCWBR14-3GN) 13 NOs
3) TPLink (TL-WA730RE) Repeating Stations 3 NOs
4) D-Link 24 Port 100/1000 mbps Managed Switch (Rack) 2 NOs
5) Ethernet Cables
Basic Working Principle of the Previous Network:
A copper cable was terminated at the BSNL ADSL Modem cum Router.
The ADSL Router automatically connected to the BSNL DataOne Broadband
network using PPPoE (Point-to-Point Protocol over Ethernet), and a DHCP
(Dynamic Host Configuration Protocol) server built into the ADSL router
provided Dynamic Leased IP Addresses to all other network equipment
and routers.
A single RJ45 cable connected the LAN port of the ADSL Modem to one of the
24 Port 100/1000 mbps D-Link Managed Switches.
All devices such as Servers (Internal Network), Workstations (Internal
Network) and Routers (Guest Wi-Fi Network) got their IP addresses directly
from the ADSL modem's DHCP server.
Primarily there were four SMC Barricade routers, one mounted on each floor
and directly connected to the D-Link Managed Switch. These four routers
acted as core routers for the entire Wireless Network for Guests and
visitors of the Hotel. All other routers connected to one of these four routers
in Repeater Mode; as such there were 12 different repeating stations which
relayed the signals of these four core routers.
The Previous Network Diagram
Drawbacks of the Previous Network Design:
1) The points mentioned on page 10 describe the issues faced by the Organization.
2) As all routers other than the 4 core routers were connected using Extender mode, the
Wi-Fi Channel was saturated and bandwidth was limited when the number of users grew.
3) There were no inherent security features built into the network and there was no way to monitor network access.
4) Troubleshooting and maintenance were difficult.
Details of New Hardware / Software added to implement new Wireless Network Architecture
List of Hardware purchased by Barsana Hotel and Resorts to complete the
new Network Topology
1) IBM Compatible PC (As Main UTM Server/ Proxy) Intel Pentium Dual
Core 3.0 GHz, 2 GB DDR SDRAM, ECS P4VM-M7 Motherboard, 500 GB
Western Digital Caviar Blue Hard Disk Drive, Corsair Server Chassis with
Silver Power Supply (600 watts), Two Ethernet Adapters 10/100/1000 mbps
(D-Link).
2) IBM PC Compatible PS2 101/103 Keyboard.
3) 8 Port D-link 10/100 mbps Switch(DES 1008V) .
4) Cat 6 (D-Link) approximately 400 meters.
5) RJ 45 connectors (D-Link), approximately 40 in Nos.
Details of Software used:
Custom built Firewall with UTM features using GNU Linux Kernel
2.6.394(IPCOP), added Squid Proxy Module, and Radius Authentication Module.
Firewall / UTM Features of Wireless LAN
* A secure, stable and highly configurable Linux based firewall
* Easy administration through the built in web server
* A DHCP client that allows IPCop to, optionally, obtain its IP address from your ISP
* A DHCP server that can help configure machines on your internal network
* A caching DNS proxy, to help speed up Domain Name queries
* A web caching proxy, to speed up web access
* An intrusion detection system to detect external attacks on your network
* The ability to partition your network into a GREEN, safe, network protected from the Internet, a BLUE network for your wireless LAN and a DMZ or ORANGE network containing publicly accessible servers, partially protected from the Internet
* A VPN capability that allows you to connect your internal network to another network across the Internet, forming a single logical network or to securely connect PCs on your BLUE, wireless, network to the wired GREEN network
* Traffic shaping capabilities to give highest priority to interactive services such as ssh and telnet, high priority to web browsing, and lower priority to bulk services such as FTP.
* Improved VPN support with x509 certificates.
* Built from the ground up with ProPolice to prevent stack smashing attacks in all applications.
* Captive Portal for user access using any Web Browser in Client Devices.
Introduction of WLAN Security with IPCOP Appliance.
Below, you will find a copy of our Mission Statement. All members of the
IPCop Firewall Team strive to meet these goals. By achieving these goals, the
IPCop Firewall will be one of the major Linux Firewall distributions in the
world.
Provide a stable Linux Firewall Distribution.
Provide a secure Linux Firewall Distribution.
Provide an opensourced Linux Firewall Distribution.
Provide a highly configurable Linux Firewall Distribution.
Provide an easily maintained Linux Firewall Distribution.
Provide an easily configured Linux Firewall Distribution.
Provide reliable Support to the IPCop Linux user base.
Provide an enjoyable environment for the Public to discuss and request assistance.
Provide stable, secure, and easy to implement upgrades/patches for IPCop Linux.
Develop an appreciation for both the Linux and Opensource movements in our user base.
Develop a long lasting relationship with our userbase.
Strive to adapt IPCop to meet the needs of the Internet of Tomorrow.
Further develop the Linux Knowledge base of all Project Members and Users.
After seeing the direction certain Linux Distributions were heading in, a group of dissatisfied
users/developers decided that there was little reason for the idea of a GPL Linux Firewall
Distribution of such potential to be, simply, extinguished.
IPCop Linux is a complete Linux Distribution whose sole purpose is to protect the
networks it is installed on. By implementing existing technology, outstanding new
technology and secure programming practices IPCop is the Linux Distribution for
those wanting to keep their computers/networks safe.
NEW NETWORK ARCHITECTURE
Below is the information flow diagram of the Newly Designed
Optimized Network with Firewall and User Authentication Features.
METHODOLOGY
As per the network diagram, the entire structure of the Guest Wi-Fi
network has changed dramatically.
Earlier, the BSNL Broadband connection reached the Internet over a 1
mbps link. Since a 1 mbps link is insufficient to support both the Internal
and Guest Wi-Fi Networks, Barsana Hotel & Resorts, as per my request,
upgraded the Data Circuit to a 4 mbps synchronous link.
In the present network upgrade, as a part of the project,
the same BSNL-provided ADSL Router connects to the BSNL Data One
network using PPPoE. The router has inbuilt features such as
Guaranteed QOS (Quality of Service) for the four LAN ports. LAN Port
One connects directly to the 24 port Managed
Switch, and the ADSL router is programmed to provide a dedicated 1
mbps link to the Hotel's Internal Network using the MAC (Media Access
Control) feature of the Managed Switch. The remaining 3 mbps is
shared to the second LAN Port, which connects directly to LAN port
1 (eth0) of the IP-COP Server.
The ADSL modem provides only one Dynamic Leased IP
Address, to the LAN Port (eth0) of IP-COP. The routers that are part of the
Guest Wi-Fi network automatically get their IP Addresses from the IP-COP
firewall.
The entire Router Connectivity Architecture was also modified,
along with the Physical Router Placement, for better Wireless Signal
Delivery.
The 8 Port D-Link Switch connects to the IP-COP box on Ethernet
port (eth1). From the D-Link switch, four Ethernet Cables provide
dedicated connectivity to four routers, one located on each floor (First
Floor, Second Floor, Third Floor, Fourth Floor).
In the new network we are not using the Repeating Station features
of either the SMC Barricade or the TP Link Routers.
The Ethernet link from the D-Link switch connects to the WAN port of
every SMC Barricade Router, and all four SMC routers are
programmed to work in Router Mode. On each floor there are 3 more
routers to serve rooms, lobby and bars. These secondary routers now
connect using Ethernet to the LAN ports of the SMC routers, obtain
their IP Addresses from the SMC router, and act only as Access Point
Routers.
Note: Every SMC router has a Hardware button which toggles
between Router and Access Point Mode.
IP Addresses used in the WLAN setup:
1) 192.168.1.X is provided by the BSNL ADSL Modem to IP-Cop
Ethernet port (0).
2) IP-Cop uses NAT (Network Address Translation) and changes
the IP address to 172.16.0.1 for Ethernet port (1).
3) All routers connecting to the IP-COP Firewall UTM device obtain
their IP Addresses automatically using the DHCP feature of IP-
COP and use addresses 172.16.0.X to 172.16.1.X.
4) Presently the Network Firewall (UTM) designed by me can support up to 254 different / unique devices.
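An added example (not part of the original report) that audits this address plan: it finds the smallest subnet covering the stated guest DHCP range and flags logged guest packets addressed to the modem-side 192.168.1.X range, which guests have no reason to reach once all their traffic is NATed through IP-COP. The lease endpoints, the /24 modem-side mask, the log lines and every function name are assumptions constructed for illustration.

```python
"""Audit of the guest WLAN address plan (added example, not from the report)."""
import ipaddress

# From the report: the ADSL modem leases IPCop eth0 a 192.168.1.X address,
# IPCop eth1 is 172.16.0.1, and guest DHCP covers 172.16.0.X to 172.16.1.X.
# Assumed here: a /24 on the modem side and these exact lease endpoints.
UPSTREAM_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_GATEWAY = ipaddress.ip_address("172.16.0.1")
LEASE_FIRST = ipaddress.ip_address("172.16.0.2")
LEASE_LAST = ipaddress.ip_address("172.16.1.254")

# Constructed sample lines in netfilter LOG key=value style (not real captures).
SAMPLE_LOG = [
    "kernel: IN=eth1 OUT=eth0 SRC=172.16.0.23 DST=203.0.113.10 PROTO=TCP SPT=51544 DPT=443",
    "kernel: IN=eth1 OUT=eth0 SRC=172.16.1.40 DST=192.168.1.10 PROTO=TCP SPT=49822 DPT=445",
    "kernel: IN=eth1 OUT=eth0 SRC=172.16.0.77 DST=192.168.1.25 PROTO=UDP SPT=137 DPT=137",
    "kernel: IN=eth0 OUT= SRC=192.168.1.10 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138",
    "squid: not a packet line",
]


def smallest_covering_network(first, last):
    """Return the smallest CIDR block that contains both addresses."""
    net = ipaddress.ip_network(str(first))  # start from the /32 host route
    while last not in net:
        net = net.supernet()  # widen by one bit until the range fits
    return net


def usable_hosts(net):
    """Hosts left after the network and broadcast addresses are set aside."""
    return max(net.num_addresses - 2, 0)


def guest_to_upstream_lan(log_lines, guest_net):
    """Return (src, dst, dport) for guest packets aimed at modem-side hosts."""
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # not a packet log line, or a malformed address
        if src in guest_net and dst in UPSTREAM_NET:
            hits.append((str(src), str(dst), fields.get("DPT", "-")))
    return hits


def audit():
    """Run the checks against the plan and the constructed log sample."""
    guest_net = smallest_covering_network(LEASE_FIRST, LEASE_LAST)
    narrow_net = ipaddress.ip_network("172.16.0.0/24")
    return {
        "guest_net": str(guest_net),
        "usable_hosts": usable_hosts(guest_net),
        "usable_hosts_if_slash_24": usable_hosts(narrow_net),
        "gateway_in_guest_net": GUEST_GATEWAY in guest_net,
        "flagged": guest_to_upstream_lan(SAMPLE_LOG, guest_net),
        "flagged_if_slash_24": guest_to_upstream_lan(SAMPLE_LOG, narrow_net),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

A filter or rule written for 172.16.0.0/24 would miss guests leased a 172.16.1.X address, which is why the covering prefix is computed from the lease range rather than typed in.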
Firewall Configuration / System Setup
Set the BIOS parameters so that the target machine will operate, as much as possible,
as a stand-alone server. For example:
* Turn off the CPU power saver feature; the target computer must wake on all network activity on all NICs and/or modems. It's usually easier and safer to just turn off the power saver features. You can leave the video power saver turned on.
* Set the BIOS to boot on power up.
* Turn off the BIOS keyboard test, if possible.
* Set the power state to Always restore power after power failure. This will guarantee your IPCop PC will power up and reboot after power is restored.
* IPCop can backup your configuration to a floppy disk drive or a usb key, or to a file loaded through the web interface. It is not uncommon for the floppy to be accidentally left in the floppy drive. In case of power failure, this may stop the IPCop machine from booting.
* If you are installing from CD drive, make sure your system will only boot from the CD drive and hard drive. Turn off all types of boot, except your hard drive after installation completes.
* If you are installing from usb key, you may need to set some bios options. Turn off all types of boot, except your hard drive after installation completes.
If the IPCop PC has a CD drive and its BIOS can boot from CD, you can use the
Bootable CD media for the install. The CD drive can be removed after the install.
If the IPCop PC cannot boot from CD, but has both a floppy drive and a CD drive, the
Bootable Floppy With CD can be used. Both the floppy drive and CD drive can be
removed after the install. However, if you plan on using IPCop's backup and restore
facilities, you may want to keep the floppy disk in the IPCop PC.
Finally, if the IPCop PC has only a floppy drive or you do not own a CD burner, the
Bootable Floppy with FTP/Web Server must be used. Again, the floppy drive can
be removed after the install. Again, if you plan on using IPCop's backup and restore
facilities, you may want to keep the floppy drive in the IPCop PC.
Installing From Bootable CD or Bootable Floppy and CD
This screen contains a warning that all your existing data will be destroyed.
At this point you may just press the Enter key, or enter one of the three installation
options nopcmcia, nousb or nousborpcmcia. The installation options will
restrict the devices that the IPCop installation process detects. Use these options only
if the standard installation runs into trouble identifying PCMCIA or USB devices
attached to the target machine. You may also eject the IPCop media and reboot to
abort the installation.
After a few seconds, the language selection screen will appear.
The next screen simply informs you of how to abort the installation. Select
the Cancel and press the Enter key.
The next dialog box lets you choose the installation media. Since you are installing
from CD-ROM, select it, tab to the Ok button and press the Enter key.
Your final warning appears next.
After you select Ok and press Enter on this screen all of the data on your hard drive
will be erased. To abort the installation, select Cancel and press the Enter key.
Next IPCop will format and partition your hard drive. Then it will install all its files.
At this point, you have the option of restoring files from an IPCop backup floppy.
To do the restore, place the backup floppy in the floppy disk drive and select Restore and press the Enter key. Otherwise, select Skip and press
the Enter key.
If you specify Select, above, the following screen will appear:
Select your GREEN Ethernet NIC from the list.
If you select MANUAL the following screen will appear. Enter the object module for
the driver you require. Each driver may require extra installation parameters.
Unfortunately, these are driver dependent. The sample, below, is for a NE 2000
driver. Like most ISA drivers, it needs both its IO address, io=, and IRQ, irq=,
specified.
If you specify Probe, above, the following screen will appear:
Your NIC card's manufacturer may not appear. IPCop identifies NICs based on the
chip manufacturer, not the card manufacturer. This can be ignored.
IPCop will now configure its internal network address, the GREEN interface.
This is an address on the network discussed in Decide On Your Local Network Address, above.
Usually, this will be either GREEN address 1, i.e. 192.168.1.1; or GREEN address 254, i.e.
192.168.1.254. Although any address on your GREEN network will do. IPCop will
automatically set your Network mask based on your IP address, but you can modify it if you
need to.
All of IPCop has now been installed on your hard drive. The following screen will
appear. Remove the IPCop CD from your CD drive and, if present, the bootable floppy from the
floppy drive. Select Ok to continue.
IPCop will continue with the setup command automatically.
From this point on the Installation process is identical no matter which media was used for the
initial boot. Please continue with the Initial Configuration Section, below.
The first screen allows you to configure your keyboard.
The next screen, above, asks for your time zone.
Some people leave the time zone as London or UTC. This allows you to leave your
PC's hardware clock set to the local time. There are a couple of disadvantages to this
setting:
* You will not be able to use a network time server to accurately set your PC's time, via the Time Administrative Web Page.
* If your local time zone changes from Winter to Summer or Daylight Savings to Standard time, you will have to remember to manually change the IPCop PC's clock. If you set the time zone to your correct time zone, IPCop will automatically change the time for you.
You must then configure your IPCop machine's hostname.
The default of ipcop is fine. You may want to change this if you are planning on setting up a VPN and allowing
administration across your VPN. In this case you may want to give each IPCop machine a unique hostname, such as
ipcop1, ipcop2, millie, steve, bob, etc.
You must then configure your IPCop machine's domain name.
If you have a domain name then enter it here. If you do not have one or do not wish to use it then just accept the
default localdomain. If you plan on using a VPN, you may wish to add additional qualifiers in front of
localdomain such as x.localdomain and y.localdomain. It may also be a bad idea to use your real domain name
for this purpose, unless you will use your official name server instead of IPCop's domain name server.
This domain name will be automatically set as IPCop's DHCP server's domain name suffix. Please see the DHCP
server discussion.
Setup will continue with the ISDN configuration menu.
The next screen starts a series of dialogs that will help you set up your ISDN card. If you do not have an ISDN card,
select Disable ISDN, and setup will continue with network setup.
If you do have an ISDN modem, select the protocol and country.
After setting protocol and country, you may need to set driver parameters for your card, especially if it's an ISA
card. If so, select Set additional module parameters.
Next you must select the type of ISDN card you have.
IPCop will probe for the card type, if you select AUTODETECT. If necessary, you can manually select the card you
have.
The final step in setting up your ISDN card is setting its local phone number.
Next you will configure your network interfaces. The Network Configuration Menu will take you through the steps
necessary to configure them.
If you are planning to run a DHCP server on IPCop you can configure it at this time. Otherwise, do not enable the
server, and continue with setting passwords, below.
Dynamic Host Configuration Protocol allows computers to configure their network interfaces when they are booted.
You can delay setting up IPCop's DHCP server until after the installation completes. See the Administration
Manual for a description of the web based method of enabling and configuring the DHCP server.
You must select Enabled to enable the DHCP server.
When you are done with the DHCP server configuration select the Ok button.
The next steps will set up IPCop's root, web administrator and backup passwords.
If you are familiar with Linux you may wish to login to the IPCop machine to carry out maintenance tasks. The only
user id configured is the root user. Enter the root password twice. Be careful, the root userid has the keys to the
kingdom of your firewall. If someone gets its password they can cause all sorts of mischief. By default root is only
allowed to log in via the local console, though.
Congratulations!
You've completed your IPCop installation. Press Ok to reboot. After the reboot is
completed, you will undoubtedly need to perform some administrative tasks to
complete your setup.
Select:
IPCop SMP (ACPI HT enabled)
This kernel configuration supports processor chips with hyperthreading, HT,
SMP and ACPI. Some Intel processors support hyperthreading, which is treated
as an SMP, multiprocessing, configuration.
Once you have chosen an appropriate kernel configuration, press the Enter key to
boot IPCop.
IPCop loads the default Linux Kernel with all selected modules to implement NAT/
Firewall, Radius Features.
Administration and Configuration
Accessing the IPCop GUI is as simple as starting your browser and entering the IP
address (of the green IPCop interface) or hostname of your IPCop server along with a
port director of either 445 (https/secure) or 81 (redirected to 445):
https://ipcop:445 or https://192.168.10.1:445 or http://ipcop:81 or http://192.168.10.1:81.
Modem Connection Buttons
Connect - This will force a connection attempt to the Internet.
Disconnect - This will sever the connection to the Internet.
Refresh - This will refresh the information on the main screen.
System Web Pages
This group of web pages is designed to help you administer and control the IPCop
server itself. To get to these web pages, select System from the tab bar at the top of
the screen. The following choices will appear in a dropdown:
Home - Returns to the home page.
Updates - Allows you to query and apply fixes to IPCop.
Passwords - Allows you to set the admin and, optionally, the dial password.
SSH Access - Allows you to enable and configure Secure Shell (SSH) access to IPCop.
GUI Settings - Enables or disables the use of JavaScript and allows you to set the language of the web display.
Backup - Backs up your IPCop settings either to files or to a floppy disk. You can also restore your settings from this web page.
Shutdown - Shut down or restart your IPCop from this web page.
Credits - This web page lists the many volunteers and other projects that make IPCop so great.
Status Menu
This group of web pages provides you with information and statistics from the IPCop
server. To get to these web pages, select Status from the tab bar at the top of the
screen. The following choices will appear in a dropdown:
System Status
Network Status
System Graphs
Traffic Graphs
Proxy Graphs
Connections
Services Menu
As well as performing its core function of Internet firewall, IPCop can provide a
number of other services that are useful in a small network.
These are:
Proxy (Web Proxy Server)
DHCP Server
Dynamic DNS Management
Edit Hosts (Local DNS Server)
Time Server
Traffic Shaping
Intrusion Detection System
In a larger network it is likely that these services will be provided by dedicated servers
and should be disabled here.
DHCP Administrative Web Page
DHCP (Dynamic Host Configuration Protocol) allows you to control the network
configuration of all your computers or devices from your IPCop machine. When a
computer (or a device like a printer, pda, etc.) joins your network it will be given a
valid IP address and its DNS and WINS configuration will be set from the IPCop
machine. To use this feature new machines must be set to obtain their network
configuration automatically.
Traffic Shaping Administrative Web Page
Traffic Shaping allows you to prioritize IP traffic moving through your firewall.
IPCop uses WonderShaper to accomplish this. WonderShaper was designed to
minimize ping latency and to keep interactive traffic like SSH responsive, all while
downloading or uploading bulk traffic.
To use Traffic Shaping in IPCop:
1. Use well known fast sites to estimate your maximum upload and download speeds. Fill in the speeds in the
corresponding boxes of the Settings portion of the web page.
2. Enable traffic shaping by checking the Enable box.
3. Identify what services are used behind your firewall.
4. Then sort these into your 3 priority levels. For example:
a. Interactive traffic such as SSH (port 22) and VOIP (voice over IP) goes into the high priority group.
b. Your normal surfing and communicating traffic like the web (port 80) and streaming video/audio
goes into the medium priority group.
c. Put your bulk traffic such as P2P file sharing into the low priority group.
5. Create a list of services and priorities using the Add service portion of the web page.
The services, above, are only examples of the potential Traffic Shaping configuration.
Depending on your usage, you will undoubtedly want to rearrange your choices of
high, medium and low priority traffic.
Intrusion Detection System Administrative Web Page
IPCop contains a powerful intrusion detection system, Snort, which analyses the contents of packets received by the
firewall and searches for known signatures of malicious activity.
Snort is a passive system which requires management by the User. You need to monitor the logs, and interpret the
information. Snort only logs suspicious activity, so if you need an active system, consider snort_inline or the guardian addon.
You should also note that Snort is memory hungry, with newer versions using about 80Mb per interface. This
depends in part on the ruleset used, and can be reduced by selection of the rules used.
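One way to do the log monitoring described above, as an added example that is not part of the original report or of IPCop itself: it groups Snort alerts by signature and ranks them so the most severe and most frequent come first. It assumes Snort writes its alert file in the one-line "fast" format with IPv4 addresses; the sample lines, SIDs, messages and addresses are constructed.

```python
import re

# Snort "fast" alert line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, source -> destination (ICMP has no ports).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample data: SIDs from 1000001 up are in the local-rule range;
# messages and (documentation-range) addresses are made up for this example.
SAMPLE_ALERTS = """\
07/30-02:14:07.120331  [**] [1:1000001:1] CONSTRUCTED repeated SSH login failures [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.45:51514 -> 192.0.2.10:22
07/30-02:14:09.440812  [**] [1:1000001:1] CONSTRUCTED repeated SSH login failures [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.46:40022 -> 192.0.2.10:22
07/30-02:15:40.000100  [**] [1:1000002:1] CONSTRUCTED ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
07/30-02:15:41.000100  [**] [1:1000002:1] CONSTRUCTED ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
07/30-02:15:42.000100  [**] [1:1000002:1] CONSTRUCTED ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
07/30-02:16:00.500000  [**] [1:1000003:1] CONSTRUCTED truncated entry
07/30-02:17:13.090000  [**] [1:1000004:2] CONSTRUCTED DNS query anomaly [**] [Priority: 2] {UDP} 192.0.2.55:53211 -> 198.51.100.53:53
"""

def triage(lines):
    """Group alerts by signature; return (ranked groups, unparsed line count)."""
    groups, skipped = {}, 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = ALERT_RE.match(line)
        if m is None:  # truncated or foreign line: count it, do not guess
            skipped += 1
            continue
        key = (int(m["gid"]), int(m["sid"]))
        g = groups.setdefault(key, {
            "sid": int(m["sid"]), "msg": m["msg"], "priority": int(m["prio"]),
            "count": 0, "sources": set(), "targets": set(),
        })
        g["count"] += 1
        g["sources"].add(m["src"])
        g["targets"].add((m["dst"], m["dport"]))
    # Priority 1 is the most severe in Snort; within a priority, busiest first.
    ranked = sorted(groups.values(), key=lambda g: (g["priority"], -g["count"]))
    return ranked, skipped

def report(ranked, skipped):
    rows = [f"P{g['priority']} sid={g['sid']} x{g['count']} "
            f"from {len(g['sources'])} source(s): {g['msg']}" for g in ranked]
    rows.append(f"unparsed lines: {skipped}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(report(*triage(SAMPLE_ALERTS.splitlines())))
```

The unparsed-line count is reported rather than dropped, so a truncated or rotated log does not silently look like a quiet day.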
Snort rules update
A standard installation of IPCop comes with a set of Snort's default rules. As more attacks are discovered, the rules
Snort uses to recognize them will be updated. To utilize Sourcefire VRT Certified rules you need to register on
Snort's website www.snort.org and obtain an Oink Code.
Select the correct radio button, add your Oink Code and click the Save button before your first attempt to download
a ruleset. Then, click the Refresh update list button, followed by the Download new ruleset button, and finally
click Apply now.
After a successful operation the date and time will be displayed beside each button.
The final button - Read last ruleset installation log - will display the last installation log.
Firewall Menu
Grouped together in the Firewall Menu are some of the core functions of IPCop which
control how traffic flows through the firewall.
These are:
Port Forwarding
External Access (Controls remote administration of IPCop from the Internet)
DMZ Pinholes
Blue Access (Connecting a Wireless Access Point to IPCop)
Firewall Options
Log Summary Page
Displays the summary generated by logwatch for the previous day.
No (or only partial) logs exist for the day queried
Each logwatch summary is generated at midnight, and covers the preceding day's
events. If you do not run your IPCop server overnight, you may not be able to view
any summaries.
Proxy Logs Page
This page provides you with the facility to see the files that have been cached by the
web proxy server within IPCop. The web proxy is inactive after first installation of
IPCop, and may be activated (and deactivated) through a specific administration page
(Services > Proxy).
Adding Users to UTM for Secure Internet Access
A web proxy server is a program that makes requests for web pages on behalf of all
the other machines on your intranet. The proxy server will cache the pages it retrieves
from the web so that if 3 machines request the same page only one transfer from the
Internet is required. If your organization has a number of commonly used web sites
this can save on Internet accesses.
Normally you must configure the web browsers used on your network to use the
proxy server for Internet access. You should set the name/address of the proxy to that
of the IPCop machine and the port to the one you have entered into the Proxy
Port box, default 800. This configuration allows browsers to bypass the proxy if they
wish. It is also possible to run the proxy in transparent mode. In this case the
browsers need no special configuration and the firewall automatically redirects all
traffic on port 80, the standard HTTP port, to the proxy server.
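The caching behaviour described above can be checked from the proxy's own log. The following is an added example, not part of the original report or of IPCop: IPCop's web proxy is Squid, and the code assumes its access log is in Squid's native format. The log lines, addresses and user names are constructed; they show three machines requesting the same page and one unauthenticated request.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout:
# time elapsed client result/status bytes method URL user peer content-type
# Addresses and user names are made up for this example.
SAMPLE_ACCESS_LOG = """\
1375150447.120    412 192.168.10.21 TCP_MISS/200 18432 GET http://example.com/brochure.pdf guest402 DIRECT/203.0.113.80 application/pdf
1375150460.004      3 192.168.10.22 TCP_HIT/200 18440 GET http://example.com/brochure.pdf guest305 NONE/- application/pdf
1375150471.310      2 192.168.10.23 TCP_MEM_HIT/200 18440 GET http://example.com/brochure.pdf guest118 NONE/- application/pdf
1375150480.900      1 192.168.10.24 TCP_DENIED/407 1720 GET http://example.com/ - NONE/- text/html
1375150481.000 truncated
"""

def parse_line(line):
    """Return one access.log record as a dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 10 or not parts[4].isdigit():
        return None
    code, _, status = parts[3].partition("/")
    return {"client": parts[2], "code": code, "status": status,
            "bytes": int(parts[4]), "url": parts[6], "user": parts[7]}

def summarize(lines):
    """Count origin fetches, cache hits and auth challenges; total bytes per user."""
    stats = {"origin_fetches": 0, "cache_hits": 0, "bytes_from_cache": 0,
             "auth_required": 0, "malformed": 0}
    bytes_per_user = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1
        elif rec["code"] == "TCP_DENIED":
            # 407 means the proxy asked for credentials; other statuses
            # are access-list denials and are not counted here.
            if rec["status"] == "407":
                stats["auth_required"] += 1
        elif "HIT" in rec["code"]:
            # TCP_HIT, TCP_MEM_HIT and similar codes were answered from cache.
            stats["cache_hits"] += 1
            stats["bytes_from_cache"] += rec["bytes"]
            bytes_per_user[rec["user"]] += rec["bytes"]
        else:
            stats["origin_fetches"] += 1
            bytes_per_user[rec["user"]] += rec["bytes"]
    return stats, dict(bytes_per_user)

if __name__ == "__main__":
    print(summarize(SAMPLE_ACCESS_LOG.splitlines()))
```

The user column is only filled in when proxy authentication is enabled; in transparent mode it stays "-" and per-user totals collapse into one bucket.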
Local Proxy Authentication
Local user authentication is the preferred solution for SOHO environments. Users need to authenticate
when accessing web sites by entering a valid username and password. The user management resides on
the IPCop Proxy Server. Users are categorized into three groups: Extended, Standard and Disabled.
This authentication method lets you manage user accounts locally without the need for external
authentication servers.
Global authentication settings
Number of authentication processes. The number of background processes listening for requests. The default
value is 5 and should be increased if authentication takes too long or Windows integrated authentication falls back to
explicit authentication.
Authentication cache TTL. How long, in minutes, credentials are cached for each single session. When this
time expires, the user has to re-enter the credentials for this session. The default is 60 minutes and the minimum
is 1 minute. The TTL is always reset when the user sends a new request to the Proxy Server within a
session.
Local user manager
The user manager is the interface for creating, editing and deleting user accounts.
Within the user manager page, all available accounts are listed in alphabetical order.
Group definitions. You can select between three different groups:
Standard
The default for all users. All given restrictions apply to this group.
Extended
Use this group for unrestricted users. Members of this group will bypass any time and filter restrictions.
Disabled
Members of this group are blocked. This can be useful if you want to disable an account temporarily
without losing the password.
Proxy service restart requirements. The following changes to user accounts will require a restart of the proxy
service:
A new user account was added and the user is not a member of the Standard group.
The group membership for a certain user has been changed.
The following changes to user accounts will not require a restart of the proxy service:
A new user account was added and the user is a member of the Standard group.
The password for a certain user has been changed.
An existing user account has been deleted.
Create user accounts
Username. Enter the username for the user. If possible, the name should contain only alphanumeric characters.
Group. Select the group membership for this user.
Password. Enter the password for the new account.
Password (confirm). Confirm the previously entered password.
Create user. This button creates a new user account. If this username already exists, the account for this username
will be updated with the new group membership and password.
Back to main page. This button closes the user manager and returns to the main page.
Edit user accounts
A user account can be edited by clicking on the Yellow pencil icon. When editing a user account, only the
group membership or password can be changed.
While editing an account, the referring entry will be marked with a yellow bar.
To save the changed settings, use the button Update user.
Note
The username cannot be modified. This field is read-only. If you need to rename a user, delete the user and
create a new account.
Client side password management
Users may change their passwords if needed. The interface can be invoked by entering this URL:
http://192.168.1.1:81/cgi-bin/chpasswd.cgi
Replace 192.168.1.1 with the GREEN IP address of your IPCop.
The web page dialog requires the username, the current password and the new password (twice for confirmation).
CONCLUSION
I started the project at Barsana Hotel & Resorts as my Internship for Sikkim Manipal
University. Once I knew the issues faced by the organization, I decided to implement the project
myself with the kind guidance of Mr. Subhankar Dhar (Faculty, SMU). Since the project
involved installation and purchase of complex hardware and software, I started the project first
by analyzing the situation and formulating the correct hardware/software strategy.
Since it was a mid industrial scale deployment of WIFI Infrastructure, the cost of commercial
solutions was quite high, especially the cost of UTM/Firewall hardware. Besides this, major
hardware firewall vendors available in the market license their products on the number of
concurrent users and also on a yearly renewal contract.
After discussions with Mr. Prasun Kumar Nath (General Manager) of Barsana Hotel &
Resorts, I took up the challenge to develop the firewall appliance myself using GNU Linux, and
after thorough testing I selected IPCop for its support, robustness and tested deployments
across various industries.
Once the new Secured Wireless Network was ready, I personally supervised the network for a few
days and trained the in-house staff on how to guide Guests to connect their unique devices to
the Barsana Wifi Network.
Below is a brief description of the Wi-Fi Setup.
Wireless SSID : Barsana
Security : WPA2/ PSK
Pass Phrase : barsana@30 (The pass phrase is common among all the Wireless Routers)
Login Page : http://www.google.com or any URL
Once a Guest or user checks into the Hotel or Restaurant, the Guest or user can ask for the
Wireless Key along with the Internet Access User Name and Password.
Below is a detailed example of a situation:
Suppose a Guest checks in. He/she stays on the fourth floor. Once he/she decides to connect their
Notebook or Tablet, he/she can contact the reception helpdesk. At first the user needs the
WPA2/PSK Key, which the receptionist provides immediately.
Once the Guest provides the Wireless Security Key, the user gets access to the Wireless
Network. As soon as the user tries visiting any webpage, the URL of the requested page
gets replaced with the IPCop Login page. Suppose the guest stays in 4th floor room no: 402, then
the User Name is user and the default password is barsana@402. All these details are provided
by the Hotel Reception or the helpdesk sitting in the Restaurant / Bar / Conference Hall / Lobby.
Once the user gets authenticated they can immediately start surfing the internet. Presently there
is no cap on usage limit and Barsana Hotel & Resort provides Internet Access absolutely free of
cost as a complimentary service to all its Guests and Visitors.
Impact of New Wireless Setup with Inbuilt Security Features:
Robust and Fast Internet.
Near Zero Downtimes except Broadband/ Leased Line Failure.
100% Maintenance Free Network.
Inherent inbuilt Security Features like Print and File Sharing Disabled.
100% Guaranteed QOS (Quality of Service) for Mission Critical Applications.
One of the fastest Internet Gateways offered by any Hotel/ Resort in North East India.
In-house staff relieved from Internet slowing down; they only receive compliments for the
great Internet Experience.
As I mentioned earlier, my project is based on the specialization in Information System, and
the Project work has been carried out in the Hospitality Industry, i.e. Barsana Hotel & Resorts,
whose infrastructure became a losing concern as its guests and visitors were unhappy with the Internet
Experience. It was necessary to have a clear picture of the Network Architecture, Internet
Functionality and the IT infrastructure of the organization, where Customer Satisfaction was very
much desirable. I therefore collected information from the Operations Desk, Sales Department,
Production Department, and Marketing Department of the works. I am appending the details of
the Project Work as mentioned below:
1. Introduction with UTM Devices: All the related matter has been taken from the Internet
(http://searchsecuritychannel.techtarget.com/guide/Introduction-to-UTM)
2. IPCop Deployment: All the related matter has been taken from the IPCop technical
Documentation Team (http://www.ipcop.org/2.0.0/en/install/html/index.html)
3. Special Feature: During training, classes and discussions held by the Free Software
Foundation, Oracle Corporation, XFree86 Org.
4. Hardware Partners: Cyber Informatics, Siliguri, for providing me all necessary hardware to
complete the project.
5. Department Related to Specialization Subject: All related figures have been collected from
the Accounts Deptt., where Mr. Dipendra Dev Raikut helped me a lot. However, with the help of
this data and the ratio analysis which I carried out myself, I have tried my best to
clarify and justify the actual position of the works, and what is required in future for the
revival of the network and the cause of its ailing.
6. Aims and Objective: Made by myself as per the departmental study.
7. Methodology: The related information has been collected from concerned persons and
related websites.
8. Analysis: All related month-wise data can be collected from Mr. Dipendra Dev Raikut
regarding Network Performance, Internet Speed, Customer Satisfaction, Network
Downtimes.