
ACKNOWLEDGEMENT

It is my great pleasure to have undergone project training in “Information System and IT Operations” at Barsana Hotel and Resort, Siliguri.

During my training period I had the opportunity to visit almost every department, and I am grateful to the executives who extended maximum effort and co-operation in explaining the operation of the unit, its technical details, and so on.

I want to thank especially:

Mr. Prasun Kumar Nath, General Manager, Barsana Hotel & Resorts
Mr. Dipendra Raikut, Head (IT & Infrastructure), Barsana Hotel & Resorts
Mr. Promod Thapa, Executive (Front Desk), Barsana Hotel & Resorts

I would also like to express my heartiest thanks to our faculty members at Sikkim Manipal University, Star Institute of Management, Patel Road, Pradhan Nagar, Siliguri - 734003, who have been a source of inspiration throughout; without their help and valuable feedback this project would not have been possible.

Finally, I would like to thank my family members, especially my mother, and my friends (Sayantan Bhattacharjee, Susmit Dutta), who have always been a continuous source of inspiration and have constantly supported and motivated me to complete this project.

BONAFIDE CERTIFICATE
Certified that this project report titled “A PROJECT REPORT ON Secure Wireless LAN with Unified Threat Management (UTM)” is the bonafide work of “SUBHANKAR SANYAL”, who carried out the project work under my supervision.

SIGNATURE                                   SIGNATURE
HEAD OF THE DEPARTMENT                      FACULTY IN CHARGE

SIKKIM MANIPAL UNIVERSITY, Centre Code: 01005, Star Institute of Management, Patel Road, Pradhan Nagar, Siliguri - 734003.


Executive Summary
It is my great pleasure to have had the opportunity to develop and implement a project at “Barsana Hotel and Resorts”, one of the best five-star hotels and resorts in North East India. This report summarizes six months of learning, implementing, and solving difficult technical problems.

The objective of the project is to give a clear picture of:

* Product details.
* The working of a robust wireless network with integrated security features for all users.
* The detailed working of a WLAN with an integrated UTM appliance.

My specialization is in “Information Systems”. Before developing a live system, however, my knowledge was limited to software simulation tools and books. During the project I was able to extend that knowledge with good practical exposure.

This project development report covers the following aspects:

* Introduction to the hospitality industry.
* Profile of the organization.
* Issues and challenges faced by the organization.
* Previous network architecture.
* Brief details of the various hardware and software used in the new project.
* Architectural details of the setup.
* Various practices adopted in each section to optimize and enhance network performance.

TABLE OF CONTENTS
SL.No.  Topic                                                                                      Page No.
1       Introduction With Hospitality Industry                                                     6
2       Organization History                                                                       8
3       Issues and Challenges faced in Networking                                                  10
4       Previous Network Architecture                                                              12-13
5       Details of New Hardware / Software added to implement new Wireless Network Architecture    15
6       Firewall Features                                                                          17
7       Introduction of WLAN Security with IPCOP Appliance                                         18
8       New Network Architecture                                                                   20
9       Methodology                                                                                22-60
10      Conclusion                                                                                 62-63
11      Bibliography                                                                               65
12      References                                                                                 67


The hospitality industry is a broad category of fields within the service industry that includes lodging, restaurants, event planning, theme parks, transportation, cruise line, and additional fields within the tourism industry. The hospitality industry is a several billion dollar industry that mostly depends on the availability of leisure time and disposable income. A hospitality unit such as a restaurant, hotel, or even an amusement park consists of multiple groups such as facility maintenance, direct operations (servers, housekeepers, porters, kitchen workers, bartenders, etc.), management, marketing, and human resources.

The hotel industry in India aims to secure its due place in the country's economy; to project its role as a contributor to employment generation and to sustainable economic and social development; to highlight its crucial role in serving the tourism industry, the largest net foreign exchange earner; to help raise the standards of hoteliering; and to build an image for the industry both within and outside the country.

Competition and usage rate

Usage rate, or its inverse the "vacancy rate", is an important variable for the hospitality industry. Just as a factory owner wants a productive asset to be in use as much as possible (rather than paying fixed costs while the factory is not producing), restaurants, hotels and theme parks seek to maximize the number of customers they "process" in every sector. This led to the formation of services, provided by hotel consolidators, whose aim is to increase the usage rate. Information about required or offered products is brokered on business networks used by vendors as well as purchasers. In any industry, "barriers to entry" for newcomers and the competitive advantages between current players are very important. Among other things, hospitality industry players find advantage in the old classics (location), in initial and ongoing investment support (reflected in the material upkeep of facilities and the luxuries within them), and in the particular themes adopted by the marketing arm of the organization in question (for example at theme restaurants). Also very important are the characteristics of the personnel working in direct contact with the customers: the authenticity, professionalism and genuine concern for the happiness and well-being of customers that successful organizations communicate is a clear competitive advantage.

ABOUT BARSANA HOTEL AND RESORTS

HISTORY OF THE ORGANIZATION

Barsana Hotel and Resorts is a venture of the Beekay Group, North Bengal's premier industrial house. The Beekay Group set up a luxurious five-star category hotel at Matigara, Siliguri, in Darjeeling district. Located in Matigara on the outskirts of Siliguri, the site was chosen away from the chaos of the bustling town, amid calm and quiet surroundings with a view of the picturesque Himalayan mountains and greenery. The project occupies 60 cottahs of land and started operation by July 2010. Conforming to the standards prescribed by the Department of Tourism, Government of India, it has five-star category approval. The hotel has been carefully designed with luxurious interiors and exterior beauty, a modern architectural structure and landscaped grounds. It has 52 double-bedded rooms and 7 suites, with 2 banquet halls, 2 restaurants, a bar and a coffee shop. It is centrally air-conditioned with all modern facilities: 24-hour hot/cold water, room service with telephone and Internet facility, CCTV, lift, in-house generator, safe deposit vault, laundry, car rental with free car parking, doctor on call, banquet room, conference room, 24-hour coffee shop, bar-cum-restaurant, travel desk service, and arrangement of conducted tours to Darjeeling and other neighbouring places of interest.


Issues and Challenges faced in Networking
Barsana Hotel and Resorts became operational in October 2010, and the organization commissioned state-of-the-art IT equipment for its IT needs. All the computer terminals and point-of-sale equipment for the hotel management and staff were connected using twisted-pair Ethernet, and a dedicated Windows Server 2008 machine served all internal users of the hotel. Since the hotel also has 60+ rooms, a restaurant, bar, gym and conference hall, the hotel management decided to deploy a full wireless network for visiting guests. The main Internet backbone was a BSNL Dataone 1 Mbps broadband connection, shared between the hotel's internal users and the guest Wi-Fi infrastructure. After commissioning, however, the Wi-Fi network failed to serve its purpose: most guests and users complained of a slow, unreliable network with a faint Wi-Fi signal.

Below are the issues faced by the organization:

* Insufficient wireless coverage across all four floors, the restaurant, conference hut, gym and lobby.
* Breaks in signal continuity.
* Slow and unresponsive Internet experience.
* No security: every PC on the Wi-Fi sat on the same network segment as every other, so guests could see and browse other guests' machines wherever Windows file and print sharing was enabled (the default), and the hotel's internal network was exposed to guest users in the same way.
* No content filtering or metering technology to monitor guests' Internet activity, which is a compliance issue under Indian law.
* Network congestion: as more users logged on to the Wi-Fi the entire network slowed down and finally failed to serve its purpose, because no QoS (Quality of Service) was implemented.

PREVIOUS NETWORK ARCHITECTURE
The previous network was composed primarily of the following hardware components:

1) BSNL ADSL router-cum-modem (TP-Link) with four RJ45 LAN ports to share the Internet connection.
2) SMC Networks Barricade routers (SMCWBR14-3GN) – 13 nos.
3) TP-Link (TL-WA730RE) repeating stations – 3 nos.
4) D-Link 24-port 100/1000 Mbps managed switch (rack-mounted) – 2 nos.
5) Ethernet cables.

Basic working principle of the previous network:

The copper line was terminated at the BSNL ADSL modem-cum-router. The ADSL router connected automatically to the BSNL DataOne broadband network using PPPoE (Point-to-Point Protocol over Ethernet), and the DHCP (Dynamic Host Configuration Protocol) server built into the ADSL router handed out dynamically leased IP addresses to every other network device and router. A single RJ45 cable ran from a LAN port of the ADSL modem to one of the 24-port 100/1000 Mbps D-Link managed switches. Every device, whether a server or workstation on the internal network or a router on the guest Wi-Fi network, obtained its IP address directly from the ADSL modem's DHCP server. Four of the SMC Barricade routers, one mounted on each floor and connected directly to the D-Link managed switch, acted as the core routers of the whole guest wireless network. All the other routers were connected to one of these four in repeater mode, giving 12 repeating stations that relayed the signals of the four core routers.


The Previous Network Diagram


Drawbacks of the Previous Network Design:
1) The points listed on page 10 (Issues and Challenges faced in Networking) describe the issues faced by the organization.
2) Because every router other than the four core routers was connected in extender (repeater) mode, the Wi-Fi channel was saturated and bandwidth fell as the number of users grew: each repeater hop re-transmits every frame on the same channel, so the available airtime is shared between the hops.
3) There were no inherent security features built into the network, and no way to monitor network access.
4) Troubleshooting and maintenance were difficult.


Details of New Hardware / Software added to implement new Wireless Network Architecture

List of hardware purchased by Barsana Hotel and Resorts to complete the new network topology:

1) IBM-compatible PC (as the main UTM server/proxy): Intel Pentium Dual Core 3.0 GHz, 2 GB DDR SDRAM, ECS P4VM-M7 motherboard, 500 GB Western Digital Caviar Blue hard disk drive, Corsair server chassis with Silver power supply (600 W), two 10/100/1000 Mbps Ethernet adapters (D-Link).
2) IBM PC-compatible PS/2 101/103-key keyboard.
3) 8-port D-Link 10/100 Mbps switch (DES-1008V).
4) Cat 6 cable (D-Link), approximately 400 metres.
5) RJ45 connectors (D-Link), approximately 40 nos.

Details of Software used:
A custom-built firewall with UTM features based on IPCop (Linux kernel 2.6.39.4), with the Squid proxy module and a RADIUS authentication module added.


Firewall/ UTM Features of Wireless LAN
* A secure, stable and highly configurable Linux-based firewall.
* Easy administration through the built-in web server.
* A DHCP client that allows IPCop, optionally, to obtain its IP address from your ISP.
* A DHCP server that can help configure machines on your internal network.
* A caching DNS proxy, to help speed up domain name queries.
* A web caching proxy, to speed up web access.
* An intrusion detection system to detect external attacks on your network.
* The ability to partition your network into a GREEN (safe) network protected from the Internet, a BLUE network for your wireless LAN, and a DMZ or ORANGE network containing publicly accessible servers, partially protected from the Internet.
* A VPN capability that allows you to connect your internal network to another network across the Internet, forming a single logical network, or to securely connect PCs on your BLUE (wireless) network to the wired GREEN network.
* Traffic shaping capabilities to give highest priority to interactive services such as SSH and telnet, high priority to web browsing, and lower priority to bulk services such as FTP.
* Improved VPN support with X.509 certificates.
* Built from the ground up with ProPolice to prevent stack-smashing attacks in all applications.
* Captive portal for user access using any web browser on client devices.


Introduction of WLAN Security with IPCOP Appliance.
Below is a copy of the IPCop project's mission statement. All members of the IPCop Firewall Team strive to meet these goals; by achieving them, the IPCop Firewall aims to be one of the major Linux firewall distributions in the world.

* Provide a stable Linux firewall distribution.
* Provide a secure Linux firewall distribution.
* Provide an open-source Linux firewall distribution.
* Provide a highly configurable Linux firewall distribution.
* Provide an easily maintained Linux firewall distribution.
* Provide an easily configured Linux firewall distribution.
* Provide reliable support to the IPCop Linux user base.
* Provide an enjoyable environment for the public to discuss and request assistance.
* Provide stable, secure, and easy-to-implement upgrades/patches for IPCop Linux.
* Develop an appreciation for both the Linux and open-source movements in the user base.
* Develop a long-lasting relationship with the user base.
* Strive to adapt IPCop to meet the needs of the Internet of tomorrow.
* Further develop the Linux knowledge base of all project members and users.

After seeing the direction certain Linux distributions were heading in, a group of dissatisfied users and developers decided that there was little reason for the idea of a GPL Linux firewall distribution of such potential to be simply extinguished.

IPCop Linux is a complete Linux distribution whose sole purpose is to protect the networks it is installed on. By implementing existing technology, outstanding new technology and secure programming practices, IPCop is the Linux distribution for those wanting to keep their computers and networks safe.

NEW NETWORK ARCHITECTURE

Below is the information flow diagram of the Newly Designed Optimized Network with Firewall and User Authentication Features.


METHODOLOGY

As the network diagram shows, the structure of the guest Wi-Fi network has changed dramatically. Earlier, the BSNL broadband connected to the Internet over a 1 Mbps link; since 1 Mbps is insufficient to support both the internal and the guest Wi-Fi network, at my request Barsana Hotel & Resorts upgraded the data circuit to a 4 Mbps link. In the upgraded network, the same BSNL-supplied ADSL router still connects to the BSNL DataOne network using PPPoE. The router has built-in features such as guaranteed QoS (Quality of Service) per LAN port. LAN port one connects directly to the 24-port managed switch, and the ADSL router is configured to give the hotel's internal network a dedicated 1 Mbps using the MAC (Media Access Control) address feature of the managed switch. The remaining 3 Mbps is given to the second LAN port, which connects directly to LAN port 1 (eth0) of the IPCop server. The ADSL modem provides only one dynamically leased IP address, to the eth0 port of IPCop. The routers that form the guest Wi-Fi network obtain their IP addresses automatically from the IPCop firewall. The router connectivity architecture was also modified, together with the physical placement of the routers, for better wireless signal delivery.


The 8-port D-Link switch connects to Ethernet port eth1 of the IPCop box. From the D-Link switch, four Ethernet cables provide dedicated connectivity to the four routers located on each floor (first, second, third and fourth). The new network does not use the repeater features of either the SMC Barricade or the TP-Link routers. The Ethernet link from the D-Link switch enters each SMC Barricade router on its WAN port, and all four SMC routers are configured in router mode. On each floor there are three more routers serving rooms, lobby and bars. These secondary routers now connect by Ethernet to the LAN ports of the floor's SMC router, obtain their IP addresses from it, and act only as access points. Note: every SMC router has a hardware button that toggles between router and access point mode.

IP addresses used in the WLAN setup:

1) 192.168.1.X, provided by the BSNL ADSL modem to IPCop Ethernet port eth0.
2) IPCop performs NAT (Network Address Translation) and uses 172.16.0.1 on Ethernet port eth1.
3) All routers connecting to the IPCop firewall/UTM obtain their IP addresses automatically from IPCop's DHCP server, using addresses in 172.16.0.X to 172.16.1.X.
4) At present the network firewall (UTM) as designed can support up to 254 different devices.

Two points to check on this addressing. First, a single /24 (netmask 255.255.255.0) on eth1 gives 254 usable addresses, but only within 172.16.0.X; if the DHCP pool really spans 172.16.0.X and 172.16.1.X, eth1 needs a /23 mask (255.255.254.0), otherwise clients leased a 172.16.1.X address cannot reach IPCop. Second, IPCop's eth0 sits in the same 192.168.1.0/24 as the hotel's internal servers and workstations, so guest traffic NATed out of eth0 can still reach those internal hosts unless the firewall rules on IPCop (or a VLAN on the managed switch) restrict eth0-side traffic to the ADSL gateway and the Internet.
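The following script is an added example, not code from the report or from IPCop. It models the addresses given above (IPCop eth0 in 192.168.1.0/24 behind the ADSL router, IPCop at 172.16.0.1 on eth1 for the guest routers) and answers two questions a practitioner would settle before going live: whether the DHCP pool fits the netmask on eth1 and how many guest devices it really holds, and which guest traffic the firewall should pass, so that guests reach the Internet (plain HTTP via the transparent proxy) but never the hotel hosts that share 192.168.1.0/24 with eth0. The proxy port 800 (IPCop's default), guest DNS served by IPCop's own caching DNS proxy, and the sample addresses are assumptions.

```python
"""Addressing and zone-policy check for a two-interface IPCop guest WLAN.

Added example; not the report's code and not part of IPCop. Addresses follow
the report; the proxy port, DNS arrangement and sample packets are assumed.
"""
import ipaddress

UPSTREAM_LAN = ipaddress.ip_network("192.168.1.0/24")  # eth0 side, shared with hotel PCs
GUEST_NET = ipaddress.ip_network("172.16.0.0/24")      # eth1 side (guest routers/APs)
IPCOP_GUEST_ADDR = ipaddress.ip_address("172.16.0.1")  # IPCop on eth1
PROXY_PORT = 800                                       # IPCop web proxy default (assumed here)
DNS_PORT = 53


def pool_fits(network, first, last):
    """Check a DHCP pool against the subnet configured on the guest interface.

    Returns (ok, usable). ok is False when the pool is not entirely inside the
    subnet (a pool spanning 172.16.0.X and 172.16.1.X needs a /23, not a /24).
    usable excludes the network address, the broadcast address and IPCop's own
    address (the first host).
    """
    network = ipaddress.ip_network(network)
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if first not in network or last not in network or first > last:
        return False, 0
    reserved = {network.network_address, network.broadcast_address, network[1]}
    usable = sum(1 for n in range(int(first), int(last) + 1)
                 if ipaddress.ip_address(n) not in reserved)
    return True, usable


def zone_of(ip):
    """Map an address onto the zones of this deployment."""
    ip = ipaddress.ip_address(ip)
    if ip in GUEST_NET:
        return "GUEST"      # eth1 side
    if ip in UPSTREAM_LAN:
        return "UPSTREAM"   # eth0 side: ADSL router AND the hotel's internal hosts
    return "INTERNET"


def verdict(src, dst, dport, proto="tcp"):
    """Policy for a packet entering IPCop on eth1 from the guest side.

    Returns "DROP", "ACCEPT" (delivered to IPCop itself), "REDIRECT:<port>"
    (HTTP steered into the transparent proxy) or "MASQUERADE" (source-NATed
    out of eth0 towards the Internet).
    """
    s, d = zone_of(src), zone_of(dst)
    if s != "GUEST":
        return "DROP"               # only guest addresses may enter on eth1
    if ipaddress.ip_address(dst) == IPCOP_GUEST_ADDR:
        # Services IPCop offers the guests: DNS (UDP) and the explicit proxy port.
        if (proto == "udp" and dport == DNS_PORT) or (proto == "tcp" and dport == PROXY_PORT):
            return "ACCEPT"
        return "DROP"               # no admin GUI (445/81) or SSH from guests
    if d == "GUEST":
        # Guest-to-guest. IPCop only sees this when it routes it; traffic that
        # stays inside one access point needs the AP's client isolation instead.
        return "DROP"
    if d == "UPSTREAM":
        # The ADSL router is a next hop, never a legitimate destination for a
        # guest, and every other 192.168.1.X host is a hotel server or workstation.
        return "DROP"
    if proto == "tcp" and dport == 80:
        return "REDIRECT:%d" % PROXY_PORT   # transparent proxy for plain HTTP
    return "MASQUERADE"             # anything else to the Internet, source-NATed


if __name__ == "__main__":
    print("pool .0.10-.0.254 in /24:", pool_fits("172.16.0.0/24", "172.16.0.10", "172.16.0.254"))
    print("pool .0.10-.1.254 in /24:", pool_fits("172.16.0.0/24", "172.16.0.10", "172.16.1.254"))
    print("pool .0.10-.1.254 in /23:", pool_fits("172.16.0.0/23", "172.16.0.10", "172.16.1.254"))
    for pkt in [("172.16.0.34", "93.184.216.34", 80, "tcp"),   # sample packets (constructed)
                ("172.16.0.34", "93.184.216.34", 443, "tcp"),
                ("172.16.0.34", "192.168.1.50", 445, "tcp"),
                ("172.16.0.34", "192.168.1.1", 80, "tcp"),
                ("172.16.0.34", "172.16.0.1", 53, "udp"),
                ("172.16.0.34", "172.16.0.1", 445, "tcp"),
                ("172.16.0.34", "172.16.0.35", 139, "tcp")]:
        print(pkt, "->", verdict(*pkt))
```

The policy is deliberately default-deny on the eth0 side: a guest packet is masqueraded only when its destination is outside both subnets, which is exactly the rule that closes the gap between the guest network and the hotel workstations that live next to IPCop's eth0.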


Firewall Configuration / System Setup


Set the BIOS parameters so that the target machine will operate, as far as possible, as a stand-alone server. For example:

* Turn off the CPU power-saver feature; the target computer must wake on all network activity on all NICs and/or modems. It is usually easier and safer simply to turn off the power-saver features. You can leave the video power saver turned on.
* Set the BIOS to boot on power-up.
* Turn off the BIOS keyboard test, if possible.
* Set the power state to “Always restore power after power failure”. This guarantees that your IPCop PC will power up and reboot after power is restored.
* IPCop can back up its configuration to a floppy disk, a USB key, or a file downloaded through the web interface. It is not uncommon for a floppy to be left in the drive by accident; after a power failure this may stop the IPCop machine from booting. If you are installing from a CD drive, make sure the system boots only from the CD drive and hard drive, and turn off all other boot devices once the installation completes. If you are installing from a USB key, you may need to set some BIOS options; again, turn off all boot devices except the hard drive after the installation completes.


If the IPCop PC has a CD drive and its BIOS can boot from CD, you can use the “Bootable CD” media for the install; the CD drive can be removed after the install. If the IPCop PC cannot boot from CD but has both a floppy drive and a CD drive, the “Bootable Floppy With CD” can be used; both drives can be removed after the install. However, if you plan on using IPCop's backup and restore facilities, you may want to keep the floppy drive in the IPCop PC. Finally, if the IPCop PC has only a floppy drive, or you do not own a CD burner, the “Bootable Floppy with FTP/Web Server” must be used. Again, the floppy drive can be removed after the install, unless you plan on using IPCop's backup and restore facilities.

Installing From Bootable CD or Bootable Floppy and CD

This screen contains a warning that all your existing data will be destroyed. At this point you may just press the Enter key, or enter one of the three installation options “nopcmcia”, “nousb” or “nousborpcmcia”. These options restrict the devices that the IPCop installation process detects; use them only if the standard installation runs into trouble identifying PCMCIA or USB devices attached to the target machine. You may also eject the IPCop media and reboot to abort the installation.

After a few seconds, the language selection screen will appear.


The next screen simply informs you how to abort the installation: “Select Cancel and press the Enter key.”

The next dialog box lets you choose the installation media. Since you are installing from CD-ROM, select it, tab to the Ok button and press the Enter key.


Your final warning appears next. After you select Ok and press Enter on this screen all of the data on your hard drive will be erased. To abort the installation, select Cancel and press the Enter key.


Next IPCop will format and partition your hard drive. Then it will install all its files.

At this point, you have the option of restoring files from an IPCop backup floppy. To do the restore, place the backup floppy in the floppy disk drive and select Restore and press the Enter key. Otherwise, select Skip and press the Enter key.


If you specify Select, above, the following screen will appear:

Select your GREEN Ethernet NIC from the list. If you select MANUAL, the following screen will appear. Enter the object module for the driver you require. Each driver may require extra installation parameters; unfortunately, these are driver-dependent. The sample below is for an NE2000 driver. Like most ISA drivers, it needs both its I/O address (io=) and IRQ (irq=) specified.

If you specify Probe, above, the following screen will appear:

Your NIC card's manufacturer may not appear. IPCop identifies NICs based on the chip manufacturer, not the card manufacturer. This can be ignored.

IPCop will now configure its internal network address, the GREEN interface. This is an address on the network discussed in Decide On Your Local Network Address, above. Usually this will be either GREEN address 1, i.e. 192.168.1.1, or GREEN address 254, i.e. 192.168.1.254, although any address on your GREEN network will do. IPCop will set your network mask automatically based on your IP address, but you can modify it if you need to.

All of IPCop has now been installed on your hard drive, and the following screen will appear. Remove the IPCop CD from your CD drive and, if present, the bootable floppy from the floppy drive. Select Ok to continue.


IPCop will continue with the setup command automatically. From this point on the Installation process is identical no matter which media was used for the initial boot. Please continue with the Initial Configuration Section, below.

The first screen allows you to configure your keyboard.

The next screen, above, asks for your time zone. Some people leave the time zone as London or UTC, which allows you to leave your PC's hardware clock set to local time. There are a couple of disadvantages to this setting:

* You will not be able to use a network time server to set your PC's time accurately via the Time administrative web page.
* If your local time zone changes between Winter and Summer time (Daylight Saving and Standard time), you will have to remember to change the IPCop PC's clock manually. If you set the time zone to your correct time zone, IPCop will change the time for you automatically.


You must then configure your IPCop machine's hostname.
The default of “ipcop” is fine. You may want to change this if you are planning on setting up a VPN and allowing administration across your VPN. In this case you may want to give each IPCop machine a unique hostname, such as “ipcop1”, “ipcop2”, “millie”, “steve”, “bob”, etc.

You must then configure your IPCop machine's domain name. If you have a domain name, enter it here. If you do not have one, or do not wish to use it, just accept the default “localdomain”. If you plan on using a VPN, you may wish to add additional qualifiers in front of “localdomain”, such as “x.localdomain” and “y.localdomain”. It may also be a bad idea to use your real domain name for this purpose unless you will use your official name server instead of IPCop's domain name server. This domain name is automatically set as the IPCop DHCP server's “domain name suffix”; see the DHCP server discussion.

Setup will continue with the ISDN configuration menu. The next screen starts a series of dialogs that will help you set up your ISDN card. If you do not have an ISDN card, select Disable ISDN, and setup will continue with network setup.

If you do have an ISDN modem, select the protocol and country.


After setting protocol and country, you may need to set driver parameters for your card, especially if it's an ISA card. If so, select Set additional module parameters.

Next you must select the type of ISDN card you have. IPCop will probe for the card type, if you select AUTODETECT. If necessary, you can manually select the card you have.


The final step in setting up your ISDN card is setting its local phone number.

Next you will configure your network interfaces. The Network Configuration Menu will take you through the steps necessary to configure them.


If you are planning to run a DHCP server on IPCop you can configure it at this time. Otherwise, do not enable the server, and continue with setting passwords, below. Dynamic Host Configuration Protocol allows computers to configure their network interfaces when they are booted. You can delay setting up IPCop's DHCP server until after the installation completes. See the Administration Manual for a description of the web based method of enabling and configuring the DHCP server. You must select Enabled to enable the DHCP server. When you are done with the DHCP server configuration select the Ok button.


The next steps set up IPCop's root, web administrator and backup passwords. If you are familiar with Linux you may wish to log in to the IPCop machine to carry out maintenance tasks. The only user id configured is the “root” user. Enter the root password twice. Be careful: the root userid holds the “keys to the kingdom” of your firewall, and if someone gets its password they can cause all sorts of mischief. By default, though, root is only allowed to log in via the local console.


Congratulations! You've completed your IPCop installation. Press Ok to reboot. After the reboot is completed, you will undoubtedly need to perform some administrative tasks to complete your setup.


Select:

IPCop SMP (ACPI HT enabled)

This kernel configuration supports processor chips with hyperthreading (HT), SMP and ACPI. Some Intel processors support hyperthreading, which is treated as an SMP (multiprocessing) configuration. Once you have chosen an appropriate kernel configuration, press the Enter key to boot IPCop. IPCop loads the default Linux kernel with all selected modules to implement the NAT/firewall and RADIUS features.


Administration and Configuration

Accessing the IPCop GUI is as simple as starting your browser and entering the IP address of the GREEN IPCop interface (or the hostname of your IPCop server) followed by the port number: 445 (HTTPS, secure) or 81 (redirected to 445). For example: https://ipcop:445, https://192.168.10.1:445, http://ipcop:81 or http://192.168.10.1:81. The 192.168.10.1 address is the manual's example; in the hotel setup IPCop's guest-side address is 172.16.0.1.

Modem Connection Buttons

* Connect - forces a connection attempt to the Internet.
* Disconnect - severs the connection to the Internet.
* Refresh - refreshes the information on the main screen.


System Web Pages

This group of web pages is designed to help you administer and control the IPCop server itself. To get to these web pages, select System from the tab bar at the top of the screen. The following choices will appear in a dropdown:

* Home — Returns to the home page.
* Updates — Allows you to query and apply fixes to IPCop.
* Passwords — Allows you to set the admin and, optionally, the dial password.
* SSH Access — Allows you to enable and configure Secure Shell (SSH) access to IPCop.
* GUI Settings — Enables or disables the use of JavaScript and allows you to set the language of the web display.
* Backup — Backs up your IPCop settings either to files or to a floppy disk. You can also restore your settings from this web page.
* Shutdown — Shutdown or restart your IPCop from this web page.
* Credits — This web page lists the many volunteers and other projects that make IPCop so great.
Status Menu

This group of web pages provides you with information and statistics from the IPCop server. To get to these web pages, select Status from the tab bar at the top of the screen. The following choices will appear in a dropdown:

* System Status
* Network Status
* System Graphs
* Traffic Graphs
* Proxy Graphs
* Connections


Services Menu

As well as performing its core function of Internet firewall, IPCop can provide a number of other services that are useful in a small network. These are:

* Proxy (Web Proxy Server)
* DHCP Server
* Dynamic DNS Management
* Edit Hosts (Local DNS Server)
* Time Server
* Traffic Shaping
* Intrusion Detection System

In a larger network it is likely that these services will be provided by dedicated servers and should be disabled here.


DHCP Administrative Web Page


DHCP (Dynamic Host Configuration Protocol) allows you to control the network configuration of all your computers or devices from your IPCop machine. When a computer (or a device like a printer, pda, etc.) joins your network it will be given a valid IP address and its DNS and WINS configuration will be set from the IPCop machine. To use this feature new machines must be set to obtain their network configuration automatically.


Traffic Shaping Administrative Web Page

Traffic Shaping allows you to prioritize IP traffic moving through your firewall. IPCop uses WonderShaper to accomplish this. WonderShaper was designed to minimize ping latency, ensure that interactive traffic like SSH is responsive all while downloading or uploading bulk traffic.

To use Traffic Shaping in IPCop:

1. Use well-known fast sites to estimate your maximum upload and download speeds.
2. Fill in the speeds in the corresponding boxes of the Settings portion of the web page.
3. Enable traffic shaping by checking the Enable box.
4. Identify what services are used behind your firewall, then sort them into the three priority levels. For example:
   a. Interactive traffic such as SSH (port 22) and VoIP (voice over IP) goes into the high-priority group.
   b. Normal surfing and communication traffic such as the web (port 80) and streaming video/audio goes into the medium-priority group.
   c. Bulk traffic such as P2P file sharing goes into the low-priority group.
5. Create the list of services and priorities using the Add service portion of the web page.

The services above are only examples of a possible Traffic Shaping configuration. Depending on your usage, you will undoubtedly want to rearrange your choice of high-, medium- and low-priority traffic.

Intrusion Detection System Administrative Web Page

IPCop contains a powerful intrusion detection system, Snort, which analyses the contents of packets received by the firewall and searches for known signatures of malicious activity. Snort is a passive system which requires management by the user: you need to monitor the logs and interpret the information. Snort only logs suspicious activity, so if you need an active system, consider snort_inline or the Guardian addon. Note also that Snort is memory hungry, with newer versions using about 80 MB per interface. This depends in part on the ruleset used, and can be reduced by selecting which rules are used.


Snort rules update

A standard installation of IPCop comes with a set of Snort's default rules. As more attacks are discovered, the rules Snort uses to recognize them are updated. To use Sourcefire VRT Certified rules you need to register on Snort's website, www.snort.org, and obtain an “Oink Code”. Select the correct radio button, add your Oink Code and click the Save button before your first attempt to download a ruleset. Then click the Refresh update list button, followed by the Download new ruleset button, and finally click Apply now. After a successful operation the date and time will be displayed beside each button. The final button, Read last ruleset installation log, displays the last installation log.

Firewall Menu

Grouped together in the Firewall Menu are some of the core functions of IPCop which control how traffic flows through the firewall. These are:

- Port Forwarding
- External Access (Controls remote administration of IPCop from the Internet)
- DMZ Pinholes
- Blue Access (Connecting a Wireless Access Point to IPCop)
- Firewall Options

Log Summary Page

Displays the summary generated by logwatch for the previous day.
No (or only partial) logs exist for the day queried

Each logwatch summary is generated at midnight, and covers the preceding day's events. If you do not run your IPCop server overnight, you may not be able to view any summaries.

Proxy Logs Page

This page provides you with the facility to see the files that have been cached by the web proxy server within IPCop. The web proxy is inactive after first installation of IPCop, and may be activated (and deactivated) through a specific administration page (Services > Proxy).

Adding Users to UTM for Secure Internet Access


A web proxy server is a program that makes requests for web pages on behalf of all the other machines on your intranet. The proxy server will cache the pages it retrieves from the web so that if 3 machines request the same page only one transfer from the Internet is required. If your organization has a number of commonly used web sites this can save on Internet accesses. Normally you must configure the web browsers used on your network to use the proxy server for Internet access. You should set the name/address of the proxy to that of the IPCop machine and the port to the one you have entered into the Proxy Port box, default 800. This configuration allows browsers to bypass the proxy if they wish. It is also possible to run the proxy in “transparent” mode. In this case the browsers need no special configuration and the firewall automatically redirects all traffic on port 80, the standard HTTP port, to the proxy server.


Local Proxy Authentication
Local user authentication is the preferred solution for SOHO environments. Users need to authenticate when accessing web sites by entering a valid username and password. The user management resides on the IPCop Proxy Server. Users are categorized into three groups: Extended, Standard and Disabled. This authentication method lets you manage user accounts locally without the need for external authentication servers.

Global authentication settings

Number of authentication processes. The number of background processes listening for requests. The default value is 5 and should be increased if authentication takes too long or Windows integrated authentication falls back to explicit authentication.

Authentication cache TTL. The duration in minutes for which credentials are cached for each single session. If this time expires, the user has to re-enter the credentials for this session. The default is 60 minutes; the minimum is 1 minute. The TTL is always reset when the user sends a new request to the Proxy Server within a session.
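The practical consequence of the TTL being reset on every request is that it is an idle timeout, not an absolute one: a user who keeps browsing is never re-prompted, while a gap longer than the TTL forces a new login. The following added example (my own model of that behaviour, not IPCop's proxy code) makes the difference visible; session ids, the username and the request timings are constructed.

```python
class ProxyAuthCache:
    """Credential cache with a per-session idle TTL, modelled on the proxy
    behaviour described above: every request resets the session's TTL, so the
    user is only asked to re-enter credentials after ttl_minutes of inactivity."""

    def __init__(self, ttl_minutes=60):
        if ttl_minutes < 1:
            raise ValueError("authentication cache TTL must be at least 1 minute")
        self.ttl_seconds = ttl_minutes * 60
        self._sessions = {}  # session id -> (username, time of last request in seconds)

    def authenticate(self, session_id, username, now):
        """Record a successful explicit login for this session."""
        self._sessions[session_id] = (username, now)

    def check(self, session_id, now):
        """Return the cached username if the session is still valid, else None.
        A hit refreshes the TTL (sliding expiry); a miss drops the stale entry."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        username, last_seen = entry
        if now - last_seen > self.ttl_seconds:
            del self._sessions[session_id]
            return None
        self._sessions[session_id] = (username, now)
        return username

def replay(cache, session_id, username, request_times):
    """Feed request timestamps (seconds) through the cache. Returns, per request,
    True if it was served from the cache and False if the user had to log in."""
    outcomes = []
    for t in request_times:
        if cache.check(session_id, t) is None:
            cache.authenticate(session_id, username, t)  # user re-enters credentials
            outcomes.append(False)
        else:
            outcomes.append(True)
    return outcomes

if __name__ == "__main__":
    MIN = 60  # seconds per minute; session ids and username are constructed
    steady = replay(ProxyAuthCache(60), "s1", "guest402", [0, 50 * MIN, 100 * MIN, 150 * MIN])
    idle = replay(ProxyAuthCache(60), "s2", "guest402", [0, 61 * MIN, 70 * MIN])
    print("requests every 50 min:", steady)  # only the first request prompts for a login
    print("61-minute idle gap:  ", idle)     # the gap forces a second login
```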

Local user manager
The user manager is the interface for creating, editing and deleting user accounts.

Within the user manager page, all available accounts are listed in alphabetical order.

Group definitions. You can select between three different groups:
- Standard: The default for all users. All given restrictions apply to this group.
- Extended: Use this group for unrestricted users. Members of this group will bypass any time and filter restrictions.
- Disabled: Members of this group are blocked. This can be useful if you want to disable an account temporarily without losing the password.

Proxy service restart requirements. The following changes to user accounts will require a restart of the proxy service:
- A new user account was added and the user is not a member of the Standard group.
- The group membership for a certain user has been changed.

The following changes to user accounts will not require a restart of the proxy service:
- A new user account was added and the user is a member of the Standard group.
- The password for a certain user has been changed.
- An existing user account has been deleted.

Create user accounts
Username. Enter the username for the user. If possible, the name should contain only alphanumeric characters.
Group. Select the group membership for this user.
Password. Enter the password for the new account.
Password (confirm). Confirm the previously entered password.
Create user. This button creates a new user account. If this username already exists, the account for this username will be updated with the new group membership and password.
Back to main page. This button closes the user manager and returns to the main page.

Edit user accounts
A user account can be edited by clicking on the Yellow pencil icon. When editing a user account, only the group membership or password can be changed. While editing an account, the referring entry will be marked with a yellow bar.

To save the changed settings, use the button Update user.

Note: The username cannot be modified. This field is read-only. If you need to rename a user, delete the user and create a new account.

Client side password management

Users may change their passwords if needed. The interface can be invoked by entering this URL:
http://192.168.1.1:81/cgi-bin/chpasswd.cgi

Replace 192.168.1.1 with the GREEN IP address of your IPCop. The web page dialog requires the username, the current password and the new password (twice for confirmation).


CONCLUSION

I started the project at Barsana Hotel & Resorts as my Internship for Sikkim Manipal University. Once I knew the issues faced by the organization, I decided to implement the project myself with the kind guidance of Mr. Subhankar Dhar (Faculty, SMU). Since the project involved installation and purchase of complex hardware and software, I started the project first by analyzing the situation and formulating the correct Hardware/Software strategy. Since it was a mid industrial scale deployment of WIFI Infrastructure, the cost of commercial solutions was quite high, especially the cost of UTM/Firewall hardware. Besides this, major Hardware Firewall Vendors available in the market license their products on the number of concurrent users and also on a yearly renewal contract. After discussions with Mr. Prasun Kumar Nath (General Manager) of Barsana Hotel & Resorts, I took the challenge to develop the firewall appliance myself using GNU/Linux, and after thorough testing I selected IPCop for its support, robustness and tested deployments across various industries. Once the new Secured Wireless Network was ready, I personally supervised the network for a few days and trained the in-house staff how to guide Guests to connect their unique devices to the Barsana Wifi Network.

Below is a brief description of the Wi-Fi setup:

Wireless SSID: Barsana
Security: WPA2/PSK
Pass Phrase: barsana@30 (the pass phrase is common among all the Wireless Routers)
Login Page: http://www.google.com or any URL

Once a Guest or user checks onto the Hotel or Restaurant, the Guest and user can ask for the Wireless Key along with the Internet Access User Name and Password.

Below is a detail example of a situation:
Suppose a Guest checks in and stays on the fourth floor. Once he/she decides to connect their Notebook or Tablet, he/she can contact the reception helpdesk. At first the user needs the WPA2/PSK Key, which the receptionist provides immediately. Once the Guest enters the Wireless Security Key, the user gets access to the Wireless Network; immediately, when the user tries visiting any webpage, the URL of the requested page gets replaced with the IPCop Login page. Suppose the guest stays on the 4th floor in room no. 402; then the User Name is user and the default password is barsana@402. All these details are provided by the Hotel Reception or the helpdesk sitting in the Restaurant/Bar/Conference Hall/Lobby. Once the user gets authenticated they can immediately start surfing the Internet. Presently there is no cap on usage limit, and Barsana Hotel & Resort provides Internet Access absolutely free of cost as a complimentary service to all its Guests and Visitors.

Impact of New Wireless Setup with Inbuilt Security Features:
- Robust and Fast Internet.
- Near Zero Downtimes except Broadband/Leased Line Failure.
- 100% Maintenance Free Network.
- Inherent inbuilt Security Features like Print and File Sharing Disabled.
- 100% Guaranteed QOS (Quality of Service) for Mission Critical Applications.
- One of the fastest Internet Gateways offered by any Hotel/Resort in North East India.
- In-house staff relieved from Internet slowing down; they only receive compliments for a great Internet Experience.

As I mentioned earlier, my project is based on the specialization in Information Systems, and the project work has been carried out in the Hospitality Industry, i.e. Barsana Hotel & Resorts, whose infrastructure became a losing concern as its guests and visitors were unhappy with the Internet experience. It was necessary to have a clear picture of the Network Architecture, Internet functionality and the IT infrastructure of the organization, where Customer Satisfaction was very much desirable. Thus I collected information from the Operations Desk, Sales Department, Production Department and Marketing Department of the works. I am appending the details of the Project Work as mentioned below:

1. Introduction with UTM Devices: All the related matter has been taken from the Internet (http://searchsecuritychannel.techtarget.com/guide/Introduction-to-UTM).
2. IPCop Deployment: All the related matter has been taken from the IPCop technical Documentation Team (http://www.ipcop.org/2.0.0/en/install/html/index.html).
3. Special Feature: During training, classes and discussions made by the Free Software Foundation, Oracle Corporation and XFree86 Org.
4. Hardware Partners: Cyber Informatics, Siliguri, for providing me all necessary hardware to complete the project.
5. Department Related to Specialization Subject: All related figures have been collected from the Accounts Department, where Mr. Dipendra Dev Raikut helped me a lot. With the help of this data and the ratio analysis carried out by myself, I have tried my best to clarify and justify the actual position of the works, what is required in future for the revival of the network, and the causes of its ailing condition.
6. Aims and Objective: Made by myself as per the departmental study.
7. Methodology: The related information has been collected from concerned persons and related websites.
8. Analysis: All related data, month wise, can be collected from Mr. Dipendra Dev Raikut regarding Network Performance, Internet Speed, Customer Satisfaction and Network Downtimes.

