1. A SECURE HIGH AVAILABILITY CONNECTION
BETWEEN MULTI-SITES FOR A VOIP
COMMUNICATION SYSTEM WITH
EAVESDROPPING PREVENTION SECURITY
STRATEGIES
BY
EMMANUEL EMEGHA
MSc Telecommunications Engineering
Client: Stephen Swales (University of Sunderland)
Project Supervisor: Dr Chris Bowerman
Second Marker: Dr Leslie Kingham
1
2. EXECUTIVE SUMMARY
In telecommunications engineering, the concept of high availability refers to
techniques used to mitigate network downtimes while VPNs (Virtual Private
Networks) are WAN connection technologies that provides data security (such as
authentication, confidentiality integrity) using encryption services. VoIP systems
are implemented as a result of its flexibility, simplicity and low cost over
traditional hard-wired telephones communication. However, their security
vulnerabilities undermines the confidentiality of voice packets being transmitted.
This project implements a highly available WAN network for a VoIP solution that
allows active/on-going calls to continue should a link connecting two sites fail,
ensuring suitable protocols to restore links. The above highly available network
and VoIP solution are equipped with eavesdropping prevention technologies
(IPSec VPN and SRTP) to render any tampered data/voice packets
unreadable/unlistenable.
2
3. CLIENT & PROBLEM
• Client
• Problem: Network downtimes, WAN Security, Voice
communication & Security
Client Requirements
• A highly available WAN network
• Site-to-Site Security (Eavesdropping)
• VoIP communication and Security (Eavesdropping)
• Active call continuity during WAN connection outages
3
4. PROJECT OBJECTIVES
1. To research and evaluate the concept of high availability in
communication networks.
2. To critically evaluate the various protocols used in high availability
including those for failover and redundancy.
3. To research and evaluate VPN technologies for the encryption of data
packets between sites.
4. To research and evaluate VoIP security protocols used to
prevent/mitigate eavesdropping.
5. To implement a fully functional prototype of the VoIP system for
internal communication.
6. To evaluate and access the final prototype to see if it fully satisfies the
client’s requirements and identify possible areas for future
work/research.
4
5. RESEARCH
1. Research Areas & Relevance to project
• High availability (failover, redundancy) and its protocols in
communications network
(LACP, STP/RSTP, HSRP, VRRP, GLBP, IS-IS, OSPF, EIGRP, RIP and
Cisco IP SLA)
• WAN Eavesdropping Prevention Technologies (VPN)
(SSL, PPTP, IPSec, MPLS)
• VoIP security protocols (TLS, SRTP, ZRTP)
5
6. RESEARCH (CONT’D)
2. Research Findings
• High availability concepts: Hardware & Software
• OSPF & EIGRP: Similarities & differences
Eavesdropping Prevention
• Virtual Private Networks (VPNs): SSL, MPLS, PPTP, IPSec VPN
• Voice Communication: SRTP vs ZRTP (compatibility)
Impacts of Security Mechanism?
YES: High computational and communicational overhead (Khodabakhshi et
al., 2013)
NO: Encryption technologies encrypt traffic at wire-speed without
interfering with QoS, call quality and performance (Dakur & Dakur, 2014)
Project Author: In support of Khodabakhshi et al. (2013)
6
7. PROJECT METHODOLOGY
• Network Design: Hierarchical Design Model - Core, Distribution & Access layers
(Cisco Systems, 2014)
Hierarchical Design Model
• VoIP Telephony Design: Top-down approach (Cisco Systems, 2012)
Aimed at tailoring specific applications to user requirements
7
8. PROTOTYPE DESIGN
• High Availability Design: Redundancies, ISPs, failover protocols
• WAN Security Design: IPSec VPN & GRE
• VoIP Telephony Design: 3CX PBX server, User Agents (UAs), Security
OSI-7 Layer
Model
Layer Name Protocol/Technology
7 Application 3CX PBX Server, Softphones
6 Presentation Codecs
5 Session SIP
4 Transport UDP, RTP, SRTP
3 Network IP
2 Data Link WAN technology used for connecting hosts
in different sites MPLS, leased line
(represented using LAN cabling such as
Serial and
Gigabit Ethernet)
1 Physical Link
Top - down Design Approach (Protocols based on OSI-7 Layer) 8
10. 3CX PBX
Server
IP Phone
IP Phone
IP Phone
G0/0
G0/1
G0/0
G0/2S0/0
G0/1
G0/1
S0/1S0/1
S0/0
S0/0
Fa0/1 Fa0/1
Fa0/1/1 Fa0/1/0
S0/0
S0/0S0/1
IMPLEMENTED PROTOTYPE SYSTEM
10
11. RESULTS & PROTOTYPE EVALUATION
• Highly available WAN solution: (‘tracert’ command, ISP, fast
convergence)
• Secured all WAN traffic against (Eavesdropping): Wireshark - Network
metric ‘ESP’ protocol.
• Secure voice communication: Network metric ‘SRTP’
No VoIP security (listenable) Encrypted (unlistenable)
• Active voice call continuity during connection downtime
Met all client requirements (Evidence)
11
12. CLIENT FEEDBACK
Client’s Evaluation & Feedback
• Critical Evaluation of Client’s Feedback & Solutions
1. GLBP (or HSRP, VRRP which are evaluated in chapter 2)
2. Extra Redundancies (WAN links, ISPs) 12
13. Unsecured With IPSec VPN
RTD(ms)
Unsecured and IPSec Secured RTD/RTT Graph
EXPERIMENTAL FINDINGS
• Impacts of Security Techniques
Performance: Graph of RTD/RTT for Unsecured & Secured VPN
Supports Khodabakhshi et al. (2013)
• Performance Improvement: Protocol Tuning
1. EIGRP
2. Cisco IP SLA
13
14. EVALUATION AGAINST PROJECT OBJECTIVES
1. To research and evaluate the concept of high availability in communication
networks. (Chapter 2)
2. To critically evaluate the various protocols used in high availability including
those for failover and redundancy. (Chapter 2)
3. To research and evaluate VPN technologies for the encryption of data packets
between sites. (Chapter 3)
4. To research and evaluate VoIP security protocols used to prevent/mitigate
eavesdropping. (Chapter 3)
5. To implement a fully functional prototype of the VoIP system for internal
communication. (Chapter 5)
6. To evaluate and access the final prototype to see if it fully satisfies the client’s
requirements and identify possible areas for future work/research. (Chapter 6,
7 & 8)
7. To produce a dissertation that is a reflection of the entire project. (Submitted -
14
15. CONCLUSION
• A functional highly available site-to-site connection was designed
and built based on research findings.
• IPSec VPN and SRTP technologies were implemented on the
prototype system to secure all WAN traffic and voice packets
against eavesdropping attacks respectively.
• Prototype supported Active voice continuity during WAN failure.
• Protocol tuning aided network performance.
• Prototype system met all client requirements
• Dissertation presented/met all project objectives
• Extra experimentations to verify theoretical findings (security
impacts, performance)
15