
Information and Technology Group Operational Technology

DESIGN STANDARD DS 43-05

IP Network Design for Operational Technology Assets

VERSION 1 REVISION 2

JANUARY 2022


Design Standard No. DS 43-05 IP Network Design for Operational Technology Assets

Uncontrolled if Printed Page 2 of 28 Ver 1 Rev2

© Copyright Water Corporation 2001-2022

FOREWORD

The intent of Operational Technology Design Standards is to specify requirements that assure effective design and delivery of fit for purpose Water Corporation infrastructure assets for best whole-of-life value with least risk to Corporation service standards and safety. Design standards are also intended to promote uniformity of approach by asset designers, drafters and constructors to the design, construction, commissioning and delivery of water infrastructure and to the compatibility of new infrastructure with existing like infrastructure.

Design Standards draw on the asset design, management and field operational experience gained and documented by the Corporation and by the water industry generally over time. They are intended for application by Corporation staff, designers, constructors and land developers to the planning, design, construction and commissioning of Corporation infrastructure including water services provided by land developers for takeover by the Corporation.

Nothing in this Design Standard diminishes the responsibility of designers and constructors for applying the requirements of WA OSH Regulations 1996 (Division 12, Construction Industry – consultation on hazards and safety management) to the delivery of Corporation assets. Information on these statutory requirements may be viewed at the following web site location:

https://www.legislation.wa.gov.au/legislation/statutes.nsf/law_s4665.html

Enquiries relating to the technical content of a Design Standard should be directed to the Principal SCADA Engineer, Operational Technology. Future Design Standard changes, if any, will be issued to registered Design Standard users as and when published.

Head of Operational Technology

This document is prepared without the assumption of a duty of care by the Water Corporation. The document is not intended to be nor should it be relied on as a substitute for professional engineering design expertise or any other professional advice.

Users should use and reference the current version of this document.

© Copyright – Water Corporation: This standard and software is copyright. With the exception of use permitted by the Copyright Act 1968, no part may be reproduced without the written permission of the Water Corporation.


DISCLAIMER

Water Corporation accepts no liability for any loss or damage that arises from anything in the Standards/Specifications, including any loss or damage that may arise due to the errors and omissions of any person. Any person or entity which relies upon the Standards/Specifications from the Water Corporation website does so at their own risk and without any right of recourse to the Water Corporation, including, but not limited to, using the Standards/Specifications for works other than for or on behalf of the Water Corporation.

The Water Corporation shall not be responsible, nor liable, to any person or entity for any loss or damage suffered as a consequence of the unlawful use of, or reference to, the Standards/Specifications, including but not limited to the use of any part of the Standards/Specification without first obtaining prior express written permission from the CEO of the Water Corporation.

Any interpretation of anything in the Standards/Specifications that deviates from specific Water Corporation Project requirements must be referred to, and resolved by, reference to and for determination by the Water Corporation’s Project Manager and/or designer for that particular project.


REVISION STATUS

The revision status of this standard is shown section by section below:

Sect. | Ver./Rev. | Date | Pages revised | Revision description (Section, Clause, Sub-Clause) | Rvwd. | Aprv.
1 | 0/0 | 23.05.18 | All | New Version | JGB | JGB
1 | 1/0 | 04.11.19 | | Final for publication | JWH | JGB
1 | 1/2 | 20.01.22 | All | Reformatted. Section 1.6 added | CM | DL
2 | 0/0 | 23.05.18 | All | New Version | JGB | JGB
2 | 1/0 | 04.11.19 | | Final for publication | JWH | JGB
2 | 1/2 | 20.01.22 | All | Reformatted | CM | DL
3 | 0/0 | 23.05.18 | All | New Version | JGB | JGB
3 | 1/0 | 04.11.19 | | Final for publication | JWH | JGB
3.4.1/3.4.2 | 1/1 | 20.08.20 | 10, 11 | Clarifications added to table | JWH | NM
3 | 1/2 | 20.01.22 | All | Reformatted. Out of date terms updated in sections 3.2 and 3.3. Rewording of sections 3.4.1, 3.4.2 and 3.4.3. Subnets for small sites revised to a minimum of /28 in multiple sections | CM | DL
4 | 0/0 | 23.05.18 | All | New Version | JGB | JGB
4 | 1/0 | 04.11.19 | | Final for publication | JWH | JGB
A | 1/2 | 20.01.22 | All | Reformatted and revised to Appendix A | CM | DL


CONTENTS

1 INTRODUCTION
1.1 Purpose
1.2 Scope
1.3 References
1.4 Acronyms
1.5 Definitions
1.6 References

2 NETWORK DEVICE CONFIGURATION
2.1 Routers
2.2 Switches

3 SITE NETWORK DESIGN
3.1 Network Design Prerequisite
3.2 Communications
3.3 SNMP Data
3.4 IP Allocations
3.4.1 Small Sites
3.4.2 Medium Sites
3.4.3 Large Sites/Shared Sites
3.5 Network Route Summarisation
3.6 Network Design Examples
3.6.1 Dual communications redundancy
3.6.2 Network with IP radio peer to peer
3.6.3 Multipoint network
3.7 Programmable Logic Controllers
3.8 Remote Terminal Units
3.9 IP Radios
3.9.1 Point to Point
3.9.2 Point to Multipoint
3.10 Cellular Modems

APPENDIX A NETWORK TERMINOLOGY AND DETAILS
A.1 TCP/IP and the ISO Layers
A.1.1 Layer 1: Physical Layer
A.1.2 Layer 2: Data Link Layer
A.1.3 Layer 3: Network Layer
A.1.4 Layer 4: Transport Layer
A.1.5 Layer 5: Session Layer
A.1.6 Layer 6: Presentation Layer
A.1.7 Layer 7: Application Layer
A.2 Basic Network Concept
A.2.1 Network Requirements
A.2.2 Network Design Fundamentals
A.2.3 Network Hierarchy
A.3 Security
A.3.1 DMVPN Concepts
A.3.2 IPSec
A.3.3 IEEE 802.1X
A.3.4 AAA Computer Security


1 INTRODUCTION

1.1 Purpose

This standard describes the design of Ethernet networks for Water Corporation operational technology installations. The combination of routers, switches, modems, radios, PLCs and RTUs can become very complicated once the details of the TCP/IP protocol suite are added.

This document was written to clarify the use of TCP/IP and UDP/IP, as well as application protocols such as SNMP, NTP and HTTP, as applied to Water Corporation networks.

1.2 Scope

This technical standard applies to all Water Corporation OT designs that utilise Ethernet communications.

1.3 References

TCP/IP Illustrated, Volume 1: The Protocols; W. Richard Stevens

CCNA Routing and Switching; Todd Lammle

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dot1x.html

https://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html

https://www.cisco.com/c/en/us/td/docs/wireless/asr_5000/20/IPSec/b_20_IPSec/b_20_IPSec_chapter_01.pdf

https://www.scte.org/documents/pdf/CCNA4%20Sample.pdf

https://en.wikipedia.org/wiki/RADIUS

1.4 Acronyms

For the purposes of this standard, the following acronyms shall apply:

ARP: Address Resolution Protocol
BGP: Border Gateway Protocol
CE: Customer Edge (router)
DHCP: Dynamic Host Configuration Protocol
DNS: Domain Name System
EIGRP: Enhanced Interior Gateway Routing Protocol
Fa: FastEthernet port
FTP: File Transfer Protocol
Gi: GigabitEthernet port
IP: Internet Protocol
MAC: Media Access Control
MTU: Maximum Transmission Unit
OSPF: Open Shortest Path First
RARP: Reverse Address Resolution Protocol
RIP: Routing Information Protocol
SMTP: Simple Mail Transfer Protocol
SNMP: Simple Network Management Protocol
SOE: Standard Operating Environment
STP: Spanning Tree Protocol
TCP: Transmission Control Protocol
UDP: User Datagram Protocol


1.5 Definitions

For the purposes of this standard, the following definitions shall apply:

Broadcast: Where a packet is sent to every connection within the subnet.
Corporation: Water Corporation (of Western Australia).
Multicast: Where a packet is sent to the group of recipients that have joined a multicast group, rather than to every host in the subnet.
Router: A networking device that performs traffic directing functions to forward data packets between networks.
Switch: A networking device that connects multiple devices together on a network using packet switching.
Tunnel: A protocol that allows secure data transfer from one private network to another, usually across a public network such as the internet.
Unicast: Where a message is sent to one recipient.
Water Corporation SOE: Water Corporation's Standard Operating Environment for workstations.

1.6 References

Reference shall be made to the following associated design standard, forms and requests:

DS 40 Design Process for SCADA Works (Nexus 58560607)

ITG Design Request (IT Self Service)


2 Network Device Configuration

This section defines the router and switch configuration and programming standards that must be followed when working with a Water Corporation asset.

2.1 Routers

All router devices used on Water Corporation assets must be selected from Water Corporation's Approved Equipment List. If there is a special need to use an item of equipment not on the Approved Equipment List, its use must have prior approval from the Principal SCADA Engineer.

Configuration of the router may be performed by members of the PCS or OT Panel. The configurations must have, as a minimum:

• The Hostname defined

• Debugging logs to use local timestamp

• The DHCP pool defined

• The DNS server defined

• The Administration password defined

• Tunnels 100, 200, 300 and 600 defined

• Router ports Gi2/1 and Gi2/2 used for primary and secondary communications

• Vlan1 set to use DHCP when using satellite communications

• Vlan245 defined for local area network

• All ports Fa2/3 to Fa2/8 are setup as access port Vlan245 unless a switch is used in which case Fa2/8 will be the designated as the trunk port for the switch

• BGP routes defined

• Communication preference defined

• Warning banner defined

• SNMP server and community string defined

• SSH session defined

• NTP server defined

• Crypto key generated

2.2 Switches

All switch devices used on Water Corporation assets must be selected from Water Corporation's Approved Equipment List. If there is a special need to use an item of equipment not on the Approved Equipment List, its use must have prior approval from the Principal SCADA Engineer.

All switches must have the last Ethernet port defined as a trunk port to the router.

Configuration of the switch may be performed by members of the PCS or OT Panel. The configurations must have, as a minimum:

• The Hostname defined

• Debugging logs set to use local timestamp

• The DNS server defined

• The Administration password defined


• PVST-Spanning Tree with extended system-ID enabled

• Vlan1 and Vlan245 defined

• All switchports set to switchport access with the exception of the last switchport to trunk

• Default gateway defined as the router IP

• Warning banner defined

• SNMP server and community string defined

• SSH session defined

• NTP server defined

• Crypto key generated

• Authentication referred to a security server such as RADIUS
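As an added example (not part of the standard), the following Python runs a baseline check of an IOS-style router running-config against the minimum items listed in Section 2.1. The sample configuration is constructed for illustration (the hostname, addresses, AS number and secrets are assumptions, not Water Corporation values) and deliberately omits Tunnel600 and uses the vendor-default SNMP community so that the checker has something to report. The "Crypto key generated" item cannot be verified from the running-config text, so the checker leaves it to an on-device command.

```python
import re

# Section 2.1 minimum items that are visible in an IOS-style running-config,
# each paired with a regular expression (the patterns are this example's own).
REQUIRED_ROUTER_ITEMS = {
    "Hostname defined": r"^hostname \S+",
    "Debugging logs use local timestamp": r"^service timestamps debug .*\blocaltime\b",
    "DHCP pool defined": r"^ip dhcp pool \S+",
    "DNS server defined": r"^ip name-server \S+",
    "Administration password defined": r"^(enable secret|username \S+ .*\bsecret) ",
    "Tunnel100 defined": r"^interface Tunnel100\s*$",
    "Tunnel200 defined": r"^interface Tunnel200\s*$",
    "Tunnel300 defined": r"^interface Tunnel300\s*$",
    "Tunnel600 defined": r"^interface Tunnel600\s*$",
    "Gi2/1 primary communications": r"^interface GigabitEthernet2/1\s*$",
    "Gi2/2 secondary communications": r"^interface GigabitEthernet2/2\s*$",
    "Vlan245 defined": r"^interface Vlan245\s*$",
    "BGP routes defined": r"^router bgp \d+",
    "Warning banner defined": r"^banner (motd|login) ",
    "SNMP server and community string defined": r"^snmp-server community \S+",
    "SSH enabled": r"^ip ssh version 2\b",
    "NTP server defined": r"^ntp server \S+",
}
# "Crypto key generated" is not part of the running-config text; verify it on the
# device with "show crypto key mypubkey rsa" (assumption: Cisco IOS syntax).

# Well-known vendor default community strings. Flagging them is this example's
# own check, not a requirement stated in the standard.
DEFAULT_COMMUNITIES = {"public", "private"}


def check_config(config_text, required=REQUIRED_ROUTER_ITEMS):
    """Map each required item to True when the config contains a matching line."""
    return {item: re.search(pattern, config_text, re.MULTILINE) is not None
            for item, pattern in required.items()}


def missing_items(config_text, required=REQUIRED_ROUTER_ITEMS):
    """Sorted list of required items the config does not satisfy."""
    return sorted(item for item, ok in check_config(config_text, required).items() if not ok)


def weak_snmp_communities(config_text):
    """SNMPv2c community strings that are vendor defaults (they travel in cleartext)."""
    found = re.findall(r"^snmp-server community (\S+)", config_text, re.MULTILINE)
    return [c for c in found if c.lower() in DEFAULT_COMMUNITIES]


# Constructed sample running-config (not a Water Corporation configuration).
SAMPLE_ROUTER_CONFIG = """\
hostname EXAMPLE-SITE-RTR01
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
ip dhcp pool VLAN245
 network 10.10.10.0 255.255.255.240
 default-router 10.10.10.14
ip name-server 10.255.0.53
enable secret 9 $9$EXAMPLEHASHONLY
banner motd ^C Authorised access only. Activity is logged. ^C
interface Tunnel100
interface Tunnel200
interface Tunnel300
interface GigabitEthernet2/1
 description Primary communications
interface GigabitEthernet2/2
 description Secondary communications
interface Vlan245
 description SCADA LAN
router bgp 65000
snmp-server community public RO
ip ssh version 2
ntp server 10.255.0.123
"""

if __name__ == "__main__":
    for item in missing_items(SAMPLE_ROUTER_CONFIG):
        print("MISSING:", item)
    for community in weak_snmp_communities(SAMPLE_ROUTER_CONFIG):
        print("WEAK SNMP COMMUNITY:", community)
```

Run against the sample, the checker reports the missing Tunnel600 and the default community "public". The patterns only prove that a line of the right shape exists; they do not validate addresses or key sizes, which is why the RSA key is left to the device itself.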

3 Site Network Design

3.1 Network Design Prerequisite

For any network design an LTM/PTM must be submitted using the ITG Design Request via the IT Self Service portal. The LTM/PTM will provide the IP addresses for use at the site.

3.2 Communications

Refer to DS 40 Appendix B1.3.1 for communication preferences and considerations.

3.3 SNMP Data

All network devices must be configured to send SNMP traps and respond to SNMP polls. The SNMP version must be 2c or higher. Note that SNMPv2c authenticates requests only by a community string carried in cleartext; SNMPv3 adds per-user authentication and encryption.

3.4 IP Allocations

Vlan245 (SCADA VLAN) IP address ranges for the different asset classes are as follows:

3.4.1 Small Sites

Small sites are those which have fewer than 5 devices requiring IP addresses to connect to the SCADA WAN. Small sites include:

• Minor WWPS

• Minor WPS/BPS/TPS

• Bore

• Dataloggers

Small sites are allocated a /28 subnet as a minimum for the SCADA WAN. A /24 subnet may also be used, in which case the IP addressing follows Table 3-3.

For a /28 subnet there are 14 usable addresses. Table 3-1 details the IP address allocation for devices connecting to a /28 subnet LAN. An example of device IP allocation for a small site on the subnet 10.10.10.0/28 is provided in Table 3-2.

Table 3-1 IP address allocation for /28 subnet at Small Sites

Usable address | Allocated device
1st | Reserved for local server
2nd | Reserved for DNP3 device (RTU/PLC with DNP3)
3rd to 11th | Grouped sequentially and allocated to IED devices
12th | Reserved for IP radio
13th | Reserved for user connection
14th | Reserved for gateway (router/NextG or xDSL modem)

Table 3-2 IP address allocation for /28 subnet at an example Small Site

IP address | Example device
10.10.10.1 | Local server SVSC******
10.10.10.2 | DNP3 device (RTU/PLC with DNP3)
10.10.10.3 | PLC
10.10.10.4 | OIP
10.10.10.5 | Power Supply Monitoring (PSM)
10.10.10.6 to 10.10.10.11 | Grouped sequentially and allocated to further IED devices
10.10.10.12 | IP radio
10.10.10.13 | Reserved for user connection
10.10.10.14 | Reserved for gateway (router/NextG or xDSL modem)

3.4.2 Medium Sites

Medium sites are those not listed in Section 3.4.1 that also do not have a Corporate VLAN connection. Medium sites are typically small treatment plants. Medium sites are assigned a /24 subnet as a minimum.

A /24 subnet has 254 usable addresses; for example, subnet 10.12.1.0/24 has a usable IP range of 10.12.1.1 to 10.12.1.254.

IP allocation for a /24 subnet address range is detailed in Table 3-3:

Table 3-3 IP address allocation for /24 subnet at Medium Sites

Last octet | Description/reserved for
1 to 9 | Local servers
10 to 14 | Engineering workstations
15 to 20 | Operator workstations (OWS)
21 to 29 | SCADA clients
30 to 39 | RTUs
40 to 79 | PLCs
80 to 99 | OIPs
100 to 149 | Other IEDs
150 to 160 | DHCP reserved
161 to 219 | Spare
220 to 253 | Network/communications equipment
254 | Gateway (router)

3.4.3 Large Sites/Shared Sites

Large sites are those which typically have a Corporate network connection. For large sites, spare subnets are to be included in the design for future expansion.

An example allocation of subnets for a shared site is shown in Figure 3-1:

Figure 3-1 Example allocation of subnets

IP allocation for SCADA subnets at large sites is detailed in Table 3-4:

Table 3-4 IP address allocation for SCADA /24 subnet at Large Sites

Last octet | Description/reserved for
1 to 10 | SCADA servers
11 to 20 | SCADA clients
30 to 40 | Other PCs
41 to 149 | Other EI&C hardware
150 to 160 | DHCP client reserved
161 to 219 | Spare
220 to 253 | Other network equipment
254 | Gateway

Figure 3-1 (content): a CE router serving four /24 subnets on a shared site, labelled Mngt, Corp, SCADA and Spare (10.12.0.0/24, 10.12.1.0/24, 10.12.2.0/24 and 10.12.3.0/24 in the order shown). Network summary: 10.12.0.0/22; alternatively 10.12.0.0/21 to provide 5 spare /24 subnets if required.
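As an added example (not part of the standard), the following Python turns Tables 3-1 and 3-3 into an allocation planner and a checker, using only the standard library. It builds the small-site /28 plan of Table 3-2 from the fixed slots of Table 3-1, looks up the Table 3-3 role for any address in a medium-site /24, and also covers the /30 point-to-point links used in Section 3.6.1. Function names, the validation helper and the inline sample assignments are this example's own.

```python
import ipaddress

# Table 3-1: role of the n-th usable address (1-based) in a small-site /28.
SMALL_SITE_FIXED_28 = {
    1: "Local server",
    2: "DNP3 device (RTU/PLC with DNP3)",
    12: "IP radio",
    13: "User connection",
    14: "Gateway (router/NextG or xDSL modem)",
}
SMALL_SITE_IED_SLOTS_28 = range(3, 12)  # 3rd to 11th usable address: IEDs, sequentially

# Table 3-3: inclusive last-octet ranges in a medium-site /24.
MEDIUM_SITE_RANGES_24 = [
    ("Local servers", 1, 9), ("Engineering workstations", 10, 14),
    ("Operator workstations (OWS)", 15, 20), ("SCADA clients", 21, 29),
    ("RTUs", 30, 39), ("PLCs", 40, 79), ("OIPs", 80, 99), ("Other IED", 100, 149),
    ("DHCP reserved", 150, 160), ("Spare", 161, 219),
    ("Network/communications equipment", 220, 253), ("Gateway (router)", 254, 254),
]


def small_site_plan(subnet, ied_names=()):
    """Assign a /28 per Table 3-1; ied_names fill the 3rd..11th slots in order."""
    net = ipaddress.ip_network(subnet, strict=True)   # rejects host bits set in the prefix
    if net.prefixlen != 28:
        raise ValueError(f"small sites use a /28, got /{net.prefixlen}")
    hosts = list(net.hosts())                         # the 14 usable addresses
    if len(ied_names) > len(SMALL_SITE_IED_SLOTS_28):
        raise ValueError("more than 9 IEDs: move the site to a /24 (Table 3-3)")
    plan = {hosts[n - 1]: role for n, role in SMALL_SITE_FIXED_28.items()}
    for n, name in zip(SMALL_SITE_IED_SLOTS_28, ied_names):
        plan[hosts[n - 1]] = name
    return {str(addr): role for addr, role in sorted(plan.items())}


def medium_site_role(address, subnet):
    """Role reserved for an address in a medium-site /24 per Table 3-3."""
    net = ipaddress.ip_network(subnet, strict=True)
    addr = ipaddress.ip_address(address)
    if net.prefixlen != 24 or addr not in net:
        raise ValueError(f"{address} is not within the /24 {subnet}")
    last_octet = int(addr) & 0xFF
    for role, lo, hi in MEDIUM_SITE_RANGES_24:
        if lo <= last_octet <= hi:
            return role
    return "Network or broadcast address (unusable)"


def validate_medium_site(assignments, subnet):
    """Addresses whose assigned role disagrees with Table 3-3 (assignments: {ip: role})."""
    return sorted(ip for ip, role in assignments.items()
                  if medium_site_role(ip, subnet) != role)


def point_to_point_hosts(subnet):
    """The two host addresses of a /30 link, e.g. router to NextG modem (Section 3.6.1)."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen != 30:
        raise ValueError("point-to-point links in this standard use a /30")
    first, second = net.hosts()
    return str(first), str(second)


if __name__ == "__main__":
    # Reproduces Table 3-2 for the example site 10.10.10.0/28.
    for ip, role in small_site_plan("10.10.10.0/28",
                                    ["PLC", "OIP", "Power Supply Monitoring (PSM)"]).items():
        print(ip, role)
    # Constructed sample assignments: the second one puts an RTU in the PLC range.
    sample = {"10.12.1.35": "RTUs", "10.12.1.42": "RTUs"}
    print("out of range:", validate_medium_site(sample, "10.12.1.0/24"))
```

The planner refuses a /28 with more than nine IEDs rather than silently spilling into the reserved radio, user and gateway slots, which is the failure that makes a site outgrow Table 3-1 and move to a /24.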


3.5 Network Route Summarisation

Design a network so that all its subnets can be summarised into a single route in the routing table. The benefits of establishing a route summary are a smaller routing table, protection against routing instability caused by flapping routes (a change within a summarised subnet is not advertised beyond the summary), and smaller routing updates.

Figure 3-2 Example of network summarisation (content): 10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24; and 192.168.1.0/27, 192.168.1.32/27, 192.168.1.64/27, 192.168.1.96/27, ..., 192.168.1.224/27.
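As an added example (not part of the standard), the following Python computes the summaries for the prefix lists shown in Figure 3-1 and Figure 3-2 with the standard library, and makes the caveat visible: the first group in Figure 3-2 (10.0.0.0/24 to 10.3.0.0/24) is not contiguous, so the only single covering prefix is 10.0.0.0/14, which advertises far more address space than the four subnets occupy. It also lists the spare /24s that the 10.12.0.0/21 summary of Figure 3-1 leaves for expansion. The prefix lists are taken from the figures; the function names are this example's own.

```python
import ipaddress

# Prefix lists taken from Figure 3-1 and Figure 3-2 of this standard.
SHARED_SITE_FIG31 = ["10.12.0.0/24", "10.12.1.0/24", "10.12.2.0/24", "10.12.3.0/24"]
FIG32_GROUP_A = ["10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]
FIG32_GROUP_B = [f"192.168.1.{i * 32}/27" for i in range(8)]


def summarise(prefixes):
    """Smallest single prefix that covers every network in the list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    # Any prefix covering nets[0] is one of its supernets, so walk up until all fit.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def exact_summaries(prefixes):
    """Minimal prefix set covering exactly the given networks and nothing else."""
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def overreach(prefixes):
    """Addresses the single summary advertises beyond the subnets actually in use."""
    in_use = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
    return summarise(prefixes).num_addresses - in_use


def spare_subnets(summary, used_prefixes, new_prefix=24):
    """Unused subnets of size /new_prefix inside the summary, available for expansion."""
    summary_net = ipaddress.ip_network(summary)
    used = [ipaddress.ip_network(p) for p in used_prefixes]
    return [str(s) for s in summary_net.subnets(new_prefix=new_prefix)
            if not any(s.overlaps(u) for u in used)]


if __name__ == "__main__":
    for name, group in [("Figure 3-1", SHARED_SITE_FIG31),
                        ("Figure 3-2 group A", FIG32_GROUP_A),
                        ("Figure 3-2 group B", FIG32_GROUP_B)]:
        print(f"{name}: summary {summarise(group)}, exact {exact_summaries(group)}, "
              f"overreach {overreach(group)} addresses")
    print("spare /24s in 10.12.0.0/21:", spare_subnets("10.12.0.0/21", SHARED_SITE_FIG31))
```

The overreach figure is the practical check before advertising a summary: when it is zero (Figure 3-1, and the /27 group in Figure 3-2) the summary is free; when it is large (group A) the summary pulls traffic for address space that does not exist behind the router, and the site should either be re-addressed into a contiguous block or advertise the exact prefixes.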

3.6 Network Design Examples

3.6.1 Dual communications redundancy

IP addresses are subject to the LTM/PTM design. For simplicity the addresses in this example are taken from a class A (10.0.0.0/8) range. Note that the link between the NextG modem and the router uses a /30 subnet, because it provides exactly the two host addresses that a point-to-point link needs.

Figure 3-3 Common network design with communications redundancy (content): router with Gi2/1 10.0.0.2/30 to the NextG modem at 10.0.0.1/30 and Gi2/2 as DHCP client to the satellite modem; Fa2/3 to Fa2/7 as Vlan245 switchport access; Fa2/8 as switchport trunk if a switch is used (to the last switch port); Vlan245 subnet carrying the local SCADA devices (RTU, PLC, client PC, LASS, LARS, OIP, etc.); upstream routers labelled 10.0.0.0/12 or 10.0.0.0/8 (depending on your network design) and 192.168.1.0/24.

3.6.2 Network with IP radio peer to peer

This example links a location with NextG capability to the site router using an IP radio. Note that this setup uses a /28 subnet: it allocates 14 host addresses, which suits a small site with a limited number of IP connections.


Figure 3-4: Network design using IP radios to link a site with cellular communication (content): router with Gi2/1 10.0.0.30/28 towards IP Radio A and IP Radio B, Gi2/2 as DHCP client towards the cellular/satellite modem, and Fa2/3 to Fa2/8 as Vlan245 switchport access; LAN addresses 10.0.0.1/28, 10.0.0.12/28 and 10.0.0.28/28.

3.6.3 Multipoint network

Figure 3-5: Example of a multipoint network design (content): router with comms to SCADA and network summary 10.0.0.0/24; base radio; IP Radio A to D serving RTU Bore1 to Bore4; DNP3 device; a /30 link with 10.0.0.104/30 and 10.0.0.105/30; per-bore /28 subnets 10.0.0.16/28, 10.0.0.32/28, 10.0.0.64/28 and one further /28 whose prefix is not legible in the transcript; host addresses shown include 10.0.0.2/28, 10.0.0.12/28, 10.0.0.14/28, 10.0.0.18/28, 10.0.0.28/28, 10.0.0.34/28, 10.0.0.44/28, 10.0.0.50/28, 10.0.0.60/28, 10.0.0.64/28 and 10.0.0.74/28.


3.7 Programmable Logic Controllers

Network requirements for PLCs include:

• under no circumstances is a programmable logic controller (PLC), whether capable of it or not, to be used for routing;

• PLCs are located at the access layer of the hierarchy as a node;

• all PLC devices with Ethernet capability must have a routable IP address and gateway assigned.

3.8 Remote Terminal Units

Network requirements for RTUs include:

• under no circumstances is a remote terminal unit (RTU), whether capable of it or not, to be used for routing;

• RTUs are located at the access layer of the hierarchy as a node;

• all RTU devices with Ethernet capability must have a routable IP address and gateway assigned.

3.9 IP Radios

3.9.1 Point to Point

IP radios used for point to point links shall comply with the following network requirements:

• be set up in Bridge mode;

• data MTU must be set to 1498 (due to tunnelling);

• device must have a username and password obtainable from Water Corporation;

• encryption must be turned on and the encryption key obtained from Water Corporation;

• HTTP(S) web browser interface must be enabled and accessible;

• other parameters must be in line with the manufacturer's recommendations.

3.9.2 Point to Multipoint

IP radios used for point to multipoint links shall comply with the following network requirements:

• be configured in Gateway Routing mode;

• data MTU must be set to 1498 (due to tunnelling);

• device must have a username and password obtainable from Water Corporation;

• encryption must be turned on and the encryption key obtained from Water Corporation;

• HTTP(S) web browser interface must be enabled and accessible;

• other parameters must be in line with the manufacturer's recommendations.

3.10 Cellular Modems

Network requirements for cellular modems include:

• WAN and LAN IP addresses must be configured;

• HTTP(S) web browser interface must be enabled and accessible;

• device must have a username and password obtainable from Water Corporation.


Appendix A Network Terminology and Details

A.1 TCP/IP and the ISO Layers

The International Organization for Standardization (ISO) has defined seven layers in its reference model (the OSI model) for the transmission of data.

Figure AA-1: Seven layers for ISO

The TCP/IP model simplifies these seven layers into four; its link layer includes the physical layer. The model itself specifies only the Link, Internet (Network) and Transport layers, but many application layer protocols are defined on top of it.


Figure AA-2: ISO 7 layer model (content): Layer 7 Application Layer; Layer 6 Presentation Layer; Layer 5 Session Layer; Layer 4 Transport Layer; Layer 3 Network Layer; Layer 2 Data Link Layer; Layer 1 Physical Layer.

Figure AA-3: TCP/IP model (content): Application Layer; Transport Layer; Internet Layer (Network Layer); Link Layer.

Figure AA-4: TCP/IP protocols (content):
Application Layer: HTTP, HTTPS, NNTP, FTP, Telnet, SSH, POP3, IMAP4, SMTP, DNS, TFTP, NTP, DHCP, SNMP, Syslog
Transport Layer: TCP, UDP
Internet Layer: IP, ARP, IGMP, ICMP
Link Layer: Ethernet, PPP, Frame Relay, MAC addresses; electrons, electromagnetic waves, light

A.1.1 Layer 1: Physical Layer

The physical layer, sometimes abbreviated as PHY, is the layer where data moves from one location to another. It incorporates hardware such as Ethernet copper cables, wireless transmitters and receivers, optic fibre and modems. It also includes the encoding techniques required to convert bits to signals that can be transmitted over the various physical media.

The physical layer also defines the topology of the network: star, point-to-point, multi-drop, etc.

The TCP/IP model includes this in the Link Layer.

A.1.2 Layer 2: Data Link Layer

The data link layer provides node to node data transfer and also handles error detection and, where supported, correction. The data link layer is further subdivided into two sublayers:

Medium access control (MAC): controls device network access and permission to transmit data.

Logical link control (LLC): identifies and encapsulates network layer protocols; also involved in error checking and frame synchronisation.

A.1.3 Layer 3: Network Layer

The network layer is responsible for device addressing, tracking the location of devices on the network and determining the best way to transport data. Routers are layer three devices that provide routing services within a network. Data packets are used to transport user data through the internetwork. Common routing protocols used to facilitate routing are RIP, OSPF, EIGRP and BGP.

A.1.4 Layer 4: Transport Layer

The transport layer provides the functional and procedural means of transferring variable length data sequences from source to destination while maintaining quality of service functions. This layer controls the reliability of a connection through flow control, segmentation and reassembly, and error control. It also acknowledges successful data transmission and sends the next data if no error occurs. Segmentation is the process of dividing long messages into smaller messages.


A.1.5 Layer 5: Session Layer The session layer controls the connections between computers. It establishes, manages and terminates the connections between local and remote applications. This layer provides full-duplex, half-duplex or simplex operation. In the OSI model this layer is responsible for gracefully closing a session; in the TCP/IP model this is handled by TCP in the transport layer.

A.1.6 Layer 6: Presentation Layer The presentation layer provides independence from data representation by translating between application and network formats. This layer transforms data into a form that the application accepts.

A.1.7 Layer 7: Application Layer This layer interacts with software applications that implement a communicating component. Application layer functions include identifying communication partners, determining resource availability and synchronizing communications. This layer is closest to the end user.

A.2 Basic Network Concept

A.2.1 Network Requirements The International Standards Organisation (ISO) has defined seven layers in the model for the transmission of data.

The network requirements to meet business needs are:

• The network should be available at all times, even under conditions such as communications failure, faulty equipment and other fault conditions;

• The network should deliver data reliably and provide quick response times to the end user;

• The network should be secure and protected;

• The network should adapt easily to growth and to business changes;

• The network should be easy to troubleshoot and maintain, to reduce time spent on maintenance.

A.2.2 Network Design Fundamentals Basic network design falls into these categories:

• Scalability: The network is able to grow to keep up with growth in business and service level requirements

• Availability: The network's capability to deliver all the time and every time. A single network failure event should not be significant enough to impact performance.

• Security: Safeguarding network resources by implementing policies, filters, firewalls and other security resources and strategies.

• Manageability: The network must not be too complicated to be managed and supported.

A.2.3 Network Hierarchy A computer network topology is generally either flat or hierarchical.

A.2.3.1 Flat Network Topology A flat network topology reduces cost and complexity because fewer routers and switches are needed.

The disadvantages are:


• Poor security

• No redundancy

• Lack of scalability

Figure AA-5: Flat network topology

A.2.3.2 Hierarchical Network Topology The hierarchical network is commonly divided into three layers.

• Core Layer: connects to the corporate systems

o Access-list checking

o Data Encryption

o Address translation

• Distribution Layer: connects small local area networks

o Routing updates

o Route summaries

o VLAN traffic

o Address aggregation

• Access Layer: Provides connectivity to end users

The advantages of the hierarchical topology are:

• They are easily scalable

• Have higher security potential

• Have redundancy

At the same time they are:

• More complex to set up

• More difficult to maintain

• More expensive


Figure AA-6: Hierarchical network (figure labels: Core – Provides fast transport between distribution switches; Distribution – Provides policy based connectivity; Access – Provides end user/device access to the network)

Variable Length Subnet Masking (VLSM)

To allocate subnets and hosts well, one must be familiar with variable length subnet masking. VLSM allows subnets to be allocated more efficiently, with minimum wastage, than classful subnet allocation or fixed length subnet masking (FLSM). A strong knowledge of subnetting is required.

Step 1. Set up a table as follows:

Network  Hosts  Block  Subnet Mask  Subnet Range
A
B
C

Step 2. List the number of hosts required for each subnet:

Network  Hosts  Block  Subnet Mask  Subnet Range
A        12
B        22
C        52

Step 3. List the subnet block required for each network and write down the subnet mask:

Network  Hosts  Block  Subnet Mask  Subnet Range
A        12     16     /28 240
B        22     32     /27 224
C        52     64     /26 192

Step 4. Assign subnet ranges to fit the design:

Network  Hosts  Block  Subnet Mask  Subnet Range
A        12     16     /28 240      10.0.0.16 - 10.0.0.31
B        22     32     /27 224      10.0.0.32 - 10.0.0.63
C        52     64     /26 192      10.0.0.64 - 10.0.0.127

Make sure your router can summarise the routing table!!
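The four-step VLSM procedure above carried out in code, as an added example that is not part of DS 43-05: a small Python allocator that sizes each subnet from its host count, assigns ranges aligned to their block size inside 10.0.0.0/24 (the start offset of 16 reproduces the document's table) and computes the one summary route the closing note asks the router to advertise. The host counts are the document's; the block-size rounding, the alignment rule and the summary calculation are the example's own.

```python
import ipaddress
import math

def block_size(hosts):
    """Smallest power-of-two block with room for `hosts` usable addresses
    (network and broadcast addresses are reserved, hence hosts + 2)."""
    return 1 << math.ceil(math.log2(hosts + 2))

def vlsm_allocate(base, requirements, start_offset=0):
    """Steps 1-4: build the Network/Hosts/Block/Subnet Mask/Subnet Range table.
    `requirements` maps network name -> hosts needed; subnets are allocated in
    the order given, each aligned to its own block size so that every range
    starts on a valid subnet boundary (allocating largest-first wastes least)."""
    base = ipaddress.ip_network(base)
    offset = start_offset
    table = []
    for name, hosts in requirements.items():
        block = block_size(hosts)
        offset = (offset + block - 1) // block * block   # align to block boundary
        prefix = base.max_prefixlen - int(math.log2(block))
        subnet = ipaddress.ip_network((int(base.network_address) + offset, prefix))
        if not subnet.subnet_of(base):
            raise ValueError(f"{name}: no room left in {base}")
        table.append({
            "network": name, "hosts": hosts, "block": block,
            "prefix": f"/{prefix}", "mask": str(subnet.netmask),
            "first": str(subnet.network_address),
            "last": str(subnet.broadcast_address),
        })
        offset += block
    return table

def summary_route(table):
    """Smallest single prefix covering every allocated subnet: the one route
    the router should advertise instead of one route per subnet."""
    first = ipaddress.ip_address(table[0]["first"])
    last = ipaddress.ip_address(table[-1]["last"])
    net = ipaddress.ip_network(f"{first}/32")
    while last > net.broadcast_address:
        net = net.supernet()
    return net

if __name__ == "__main__":
    # Host counts from the document's worked example; offset 16 reproduces its ranges.
    rows = vlsm_allocate("10.0.0.0/24", {"A": 12, "B": 22, "C": 52}, start_offset=16)
    for r in rows:
        print(f"{r['network']} {r['hosts']:>3} {r['block']:>3} {r['prefix']} {r['mask']}"
              f" {r['first']} - {r['last']}")
    print("summary:", summary_route(rows))
```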

A.3 Security

A.3.1 DMVPN Concepts Dynamic Multipoint Virtual Private Network (DMVPN) is a routing technique used to build a VPN network with multiple sites without the need to statically configure all the relevant devices. Take care not to treat DMVPN as a protocol, which it is not.

DMVPN combines two protocols, Generic Routing Encapsulation (GRE) and the Next Hop Resolution Protocol (NHRP). IP Security (IPSec) is used to provide the security feature for DMVPN. When discussing DMVPN the terms hub and spoke will be used. Do not confuse 'hub' in this context with a 'bridge'.

Figure AA-7: Example of a VPN tunnel network

The key to DMVPN being dynamic is the use of NHRP. This allows dynamic spoke-to-spoke traffic flows and lets spokes have dynamically allocated addresses on the underlying topology, eliminating any static configuration on spokes. Each spoke is pre-configured with the hub's IP address. The spoke then sends an NHRP request to the hub to find out the IP address of the other spoke it needs to communicate with. The hub learns all spokes' IP addresses from the NHRP requests received and can send back an NHRP reply with the information needed to form a tunnel.

GRE is a tunnelling protocol used to form a point-to-point connection between two nodes in a network. One advantage of GRE is that it can be used to encapsulate a variety of network layer protocols inside virtual point-to-point links, including the routing protocols EIGRP, OSPF and BGP. Multipoint GRE (mGRE) is used to enable multiple tunnel connections on the hub/spoke using only one interface. Note that GRE adds another 24 bytes of header to each packet.


DMVPN itself has no security feature of its own; this risk is mitigated by using IPSec, which provides security by encrypting IP packets.

Figure AA-8: Security for a tunnel using IPSec

A.3.2 IPSec Security in DMVPN is provided by IPSec. The security features offered by IPSec are:

• Confidentiality: Data is encrypted, so a third party that manages to intercept the encrypted data will not be able to interpret it.

• Integrity: Data integrity ensures the data is not modified in transit. The router at each end calculates a checksum or hash value over the data; if the results match, the data has most likely not been modified.

• Authentication: Data authentication verifies that each party is who it claims to be.

• Antireplay: Antireplay protection ensures that received packets are not duplicates. An attacker might capture a valid packet and attempt to play it back to gain access to the host. IPsec prevents this by using sequence numbers to determine whether a packet is a duplicate; any duplicate packet is discarded.
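The antireplay bullet above in code, as an added example that is not from the document: a receiver-side sliding window over ESP/AH sequence numbers in the style of RFC 4303, with an assumed 64-packet window. It accepts each sequence number once, refuses repeats and packets older than the window, and slides forward as newer traffic arrives; the arrival sequence at the bottom is constructed for the demonstration.

```python
class AntiReplayWindow:
    """Receiver-side sliding window over ESP/AH sequence numbers (RFC 4303 style).
    Each sequence number is accepted at most once and anything older than the
    window is refused, so a captured packet cannot simply be played back."""

    def __init__(self, size=64):          # 64-packet window: an assumption
        self.size = size
        self.highest = 0                  # highest sequence number accepted so far
        self.bitmap = 0                   # bit i set => sequence (highest - i) seen

    def check_and_update(self, seq):
        """Return True and record `seq` if it is new and inside the window.
        Sequence numbers start at 1; 0 is never valid."""
        if seq <= 0:
            return False
        if seq > self.highest:            # newer than anything seen: slide the window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                  # too old: fell out of the window
        if self.bitmap & (1 << offset):
            return False                  # already received: a replay
        self.bitmap |= 1 << offset        # late but new: accept and mark
        return True


def screen(sequence_numbers, size=64):
    """Run a stream of arriving sequence numbers through a fresh window and
    report which packets would be accepted (True) or dropped (False)."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in sequence_numbers]


if __name__ == "__main__":
    # Constructed arrival order: reordering (3 before 2), replays of 2 and 3,
    # a jump to 100, then 36 (outside a 64-wide window) and 37 (just inside).
    arrivals = [1, 3, 2, 2, 5, 4, 3, 100, 36, 37]
    for seq, ok in zip(arrivals, screen(arrivals)):
        print(f"seq {seq:>3}: {'accept' if ok else 'drop'}")
```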

IPSec is a collection of protocols. One of the primary protocols used by IPSec is the Internet Key Exchange (IKE) protocol. IPSec can provide data encryption between authenticated peers using encryption keys, which are changed periodically.

IKE happens in two phases. In phase 1 the two endpoints establish a secure session using the Internet Security Association and Key Management Protocol (ISAKMP). This session establishes the security parameters (encryption, authentication, hash methods, etc.); this collection of parameters is called the Security Association (SA) and is exchanged between the two endpoints. IKE phase 1 is bidirectional, meaning that the same key exchange is used for data flow in either direction. IKE phase 2 is negotiated under the protection of phase 1 and is sometimes called the IKE phase 2 tunnel. IKE phase 2 SA negotiations are unidirectional, meaning a separate key exchange is used for each data flow.

Figure AA-9: IPSec formed for a tunnel

IPSec relies on either the Authentication Header (AH) protocol or the Encapsulating Security Payload (ESP) protocol for authentication and integrity services. Both of these protocols can operate in two modes:


• Transport mode: Encrypts only the payload and ESP trailer, leaving the original IP header of the packet unencrypted.

• Tunnel mode: Encapsulates the entire packet, which means a new packet header (the IPSec header) is put in place. This new header carries the addresses of the two VPN termination devices at the two sites.

Figure AA-10: Shows the two modes of IPSec applications to a packet

A.3.3 IEEE 802.1X 802.1X is an authentication mechanism for devices wanting to connect to a LAN or WLAN. The mechanism has three parts: a client that wishes to connect to the network (the Supplicant), a network device such as an Ethernet switch or access point, wireless or otherwise (the Authenticator), and finally a server that provides the authentication software (the Authentication Server).

Figure AA-11: IEEE 802.1X implementation

An Ethernet switch with 802.1X configured acts as a security guard to the network. The supplicant is not allowed access through the authenticator until the supplicant's identity is validated and authorised. The supplicant presents its credentials, which could be a simple username and password, to the authenticator, and this information is passed on to the authentication server for verification. If the credentials are valid the supplicant is allowed to access resources.


A typical authentication progression is as follows:

• Initialization: On first detection of the supplicant, the port on the switch is set to the "unauthorised" state. In this state the only traffic allowed is 802.1X. All other traffic is dropped, including IP protocols (TCP, UDP).

• Initiation: The authenticator periodically transmits Extensible Authentication Protocol (EAP) Request Identity frames on the local network. The supplicant listens and responds with an EAP Response Identity frame containing an identifier such as a user ID. The authenticator encapsulates this identity response in a RADIUS Access-Request packet and forwards it to the authentication server.

• Negotiation: The authentication server sends a reply encapsulated in a RADIUS Access-Challenge packet to the authenticator. The Access-Challenge packet contains an EAP Request specifying the EAP method (the EAP-based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request and transmits it to the supplicant. The supplicant then either starts using the requested EAP method or sends a negative acknowledgement (NAK).

• Authentication: If the authentication server and supplicant agree on an EAP method, EAP Requests and Responses are sent between these two parties until the authentication server responds with either an EAP-Success or an EAP-Failure message (RADIUS Access-Accept and RADIUS Access-Reject packets respectively). If authentication is successful the authenticator sets the port to the "authorised" state and normal traffic is allowed; if it is unsuccessful the port remains in the "unauthorised" state. When a supplicant logs off, it sends an EAPOL-Logoff message to the authenticator and the port is set back to the "unauthorised" state, blocking all non-EAP traffic.
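The four-stage progression above as a small simulation, added here and not part of the document: the port starts "unauthorised" and forwards only EAPOL, the authenticator relays EAP between supplicant and server inside RADIUS Access-Request/Challenge/Accept/Reject, and the port state follows the server's verdict, including the NAK and EAPOL-Logoff cases. The message names are the text's; the credential store, the EAP method name and the `forwards()` check are assumptions made for the example.

```python
class AuthenticationServer:
    """RADIUS-side logic with a constructed credential store (an assumption)."""
    def __init__(self, users, method="EAP-TLS"):
        self.users, self.method = users, method

    def access_request(self, identity, response=None):
        """RADIUS Access-Request -> Access-Challenge, Access-Accept or Access-Reject."""
        if response is None:                     # first request carries only the identity
            return "Access-Challenge", ("EAP-Request", self.method)
        if response == self.users.get(identity):
            return "Access-Accept", "EAP-Success"
        return "Access-Reject", "EAP-Failure"

class Supplicant:
    def __init__(self, identity, credential, methods):
        self.identity, self.credential, self.methods = identity, credential, methods

    def respond(self, eap_request):
        """Answer the server's EAP-Request, or NAK a method we do not support."""
        if eap_request[1] not in self.methods:
            return "EAP-NAK", None
        return "EAP-Response", self.credential   # stands in for the method's real exchange

class AuthenticatorPort:
    """One switch port: blocks everything but EAPOL until the server says Accept."""
    def __init__(self, server):
        self.server, self.state, self.log = server, "unauthorised", []

    def forwards(self, protocol):
        return self.state == "authorised" or protocol == "EAPOL"

    def authenticate(self, supplicant):
        self.log.append("EAP-Request-Identity")                      # Initiation
        code, eap = self.server.access_request(supplicant.identity)  # Negotiation
        self.log += ["RADIUS-Access-Request", code]
        kind, payload = supplicant.respond(eap)
        if kind == "EAP-NAK":                                        # no agreed method
            self.log.append(kind)
            return self.state
        code, result = self.server.access_request(supplicant.identity, payload)
        self.log += ["RADIUS-Access-Request", code, result]          # Authentication
        self.state = "authorised" if code == "Access-Accept" else "unauthorised"
        return self.state

    def logoff(self):
        """EAPOL-Logoff: the port returns to blocking all non-EAP traffic."""
        self.log.append("EAPOL-Logoff")
        self.state = "unauthorised"
        return self.state
```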


Figure AA-12: Message exchanges in a 802.1X system

A.3.4 AAA Computer Security Authentication, authorisation and accounting (AAA) is a term used to refer to a group of protocols that manage network access:

• Authentication: Provides the methods for user identification via login and password, challenge and response.

• Authorisation: Provides the methods for access control. Security servers authorise users for specific rights.

• Accounting: Provides the methods for collecting and sending security information for billing, auditing and reporting.

Two well-known AAA protocols are RADIUS and TACACS+.


A.3.4.1 RADIUS RADIUS is an AAA protocol that manages network access. RADIUS uses two request packet types that manage the full AAA process: Access-Request, which handles authentication and authorisation, and Accounting-Request, which manages accounting. RADIUS uses three responses: Access-Reject, Access-Challenge and Access-Accept. See Figure AA-12 for the RADIUS authentication and authorisation flow.


END OF DOCUMENT