International Association of Scientific Innovation and Research (IASIR)
(An Association Unifying the Sciences, Engineering, and Applied Research)
ISSN (Print): 2279-0047
ISSN (Online): 2279-0055
International Journal of Emerging Technologies in Computational
and Applied Sciences (IJETCAS)
(Open Access, Double Blind Peer-reviewed, Refereed and Indexed Journal)
www.iasir.net
Design of Secured WLANs using Firewall with VPN
Haider Mohammed Turki AL-HILFI (1), Bassam Abdulmunem Salih (2), Dr. Ammar Ali Sahrab (3)
(1) PhD Student, Electronics, Telecommunication & Information Technology, University "Polytechnic" of Bucharest
(2) Assist. Lect., Electrical Engineering Dept., Kufa University, Najaf, Iraq
(3) Assist. Lect., Electrical Engineering Dept., Mustansiriyah University, Baghdad, Iraq
__________________________________________________________________________________________
Abstract: In this paper, a proposed design is presented to provide security for WLANs, where recent developments in the field of wireless networks are focusing on security issues. The proposed design adopts a security approach that uses a firewall with VPN protection to provide high security for WLANs. The modeling and simulation of the WLANs are implemented using the OPNET 14.5 Modeler simulator. Three WLAN scenarios are designed, implemented and analyzed: a WLAN without firewall protection ("Inactive firewall"), a WLAN with firewall protection only ("Active firewall"), and a WLAN adopting both firewall and VPN protection ("firewall with VPN"). The effects of various conditions are investigated by applying various types of traffic to the three scenarios, and the results are analyzed and compared. The results show that good security and better performance are obtained with the "firewall with VPN" solution, where secure data traffic between the client "mobile_4" and the server is obtained. However, the security enhancement results in increased delay because of the encryption and authentication processes.
Keywords: WLAN, "Firewall with VPN", IEEE 802.11b, OPNET 14.5
__________________________________________________________________________________________
I. INTRODUCTION
With the widespread application of wireless technology, the WLAN (Wireless Local Area Network) today faces serious security threats, and network security raises serious concern for all users. On account of the peculiarity of its transmission medium, WLAN faces a severe security threat. With continuing innovations to counter the ever-growing threats to 802.11b technology, bypassing restrictions will become more and more difficult. The current categories of threats to wireless network technology are unauthorized access or login, external disturbance, end-to-end attack, password hacking, encryption attack, misconfiguration, etc., which greatly threaten the security of WLANs. Therefore a series of measures must be taken to prevent unauthorized access and ensure the security of the network [11, 16]. A firewall is a hardware- or software-based network security system which monitors and filters incoming and outgoing traffic in order to prevent unauthorized access, based on a set of predetermined rules. The firewall protects a computer network or website from unauthorized access. Firewalls are also referred to as filters, as their task is to filter out the packets that do not adhere to the criteria defined in the system configuration [9, 10]. A Virtual Private Network (VPN) is a technology that creates a secure network connection over another network, such as the Internet. When communication is carried out through a network with a lower level of security, for example a public network, the core networks are secured through the use of cryptography, which is a mechanism for transmitting data in encrypted or coded form such that it can be read only by whom it is intended for. VPN technology joins distant sites in a common network through the use of a public network, for example the Internet. When information is transmitted over a public network, it needs to be protected from being read or modified; to enable this, different coding tools are used. The seven-layer Open Systems Interconnection (OSI) model provides the framework in which data is tunnelled between two endpoints in a computer network. Maximum data protection in a VPN enables us to protect our communication from being intercepted, and thus helps create a secure network where corporate employees can easily get into the company network and connect through secure access [5, 6, 9].
This article is organized as follows: Section II includes aspects related to network security. Section III contains related works. Section IV comprises measures for securing WLANs by using firewall and VPN technologies. Section V deals with the details of the OPNET 14.5 simulation of the WLAN. Section VI contains a discussion of the different simulation results and a comparative analysis of them. Section VII concludes the article.
II. SECURITY ISSUES FOR WLANS
WLAN is today the most commonly employed security measure. Although the 802.11a/g standard has already been developed, 802.11b continues to be the most commonly used WLAN product. 802.11b primarily defines the following WLAN security mechanisms [3, 4].
IJETCAS 16-311; © 2016, IJETCAS All Rights Reserved
Page 89
Haider Mohammed Turki et al., International Journal of Emerging Technologies in Computational and Applied Sciences, 18(1).,
September-November, 2016, pp. 89-96
A. Service Set Identifier (SSID)
In a wireless LAN, a specific Service Set Identifier (SSID) is initially configured for multiple access points. The terminal must know the configured SSID for data transmission in and out of the network. When a wireless terminal tries to access the WLAN, the access point checks the wireless terminal's SSID in order to allow access. The SSID mechanism provides a shared key between the client and the access point. The SSID broadcast by the access point can sometimes be exploited by illegal intruders who disguise themselves as the AP to deceive wireless terminals, defeating its very purpose [3, 4].
B. Physical address (MAC) filtering control
Physical address (MAC) filtering control is the application of a hardware mechanism to identify wireless terminals. Since the network card in a wireless terminal has a unique MAC address, the terminal can be identified and legitimated by checking its MAC. The requirement for the physical address filtering control mode is that a valid MAC address be listed in the access point server. When the MAC address of the wireless client matches one in the access point's MAC address table, the AP grants the client access to establish communication with that physical address. However, since the MAC address can be reconfigured in many wireless cards, illegal intruders can sometimes intercept the data from the radio waves, analyze the addresses of authorized users, and then disguise themselves as legitimate users and illegally access the WLAN. The MAC address list therefore must be updated as the population of wireless terminals changes, but the MAC address list in the AP is maintained manually. The physical address filtering control mechanism is therefore suitable only for small wireless networks [9].
C. Wired Equivalent Privacy Mechanism (WEP)
In 802.11 the technology is based on a shared-key encryption mechanism known as "Wired Equivalent Privacy" (WEP). WEP uses the RC4 algorithm and is based on 40-bit or 128-bit encryption. In this mechanism the access points and mobile terminals can be configured with four groups of wired equivalent privacy keys, which can be used in turns while encrypting data, enabling the encryption key to change dynamically. Since in the WEP mechanism the keys used can only come from one of the four groups, this is basically static WEP encryption. Since the access point and the mobile terminals connected to it use the same encryption key, the following problem arises: once the key of one user is leaked, the other users' key can no longer be kept secret [6, 9, 12].
In order to improve WLAN security, we need to introduce more secure authentication, encryption and control mechanisms.
1. Virtual Private Network (VPN)
VPN refers to a networking mechanism that uses tunnelling and encryption technology to ensure data security on a private network. A VPN can be set up over IP connectivity. Though the technology is not part of the 802.11 standard definition, it is a powerful and reliable method for encrypting data transmission, and for a wireless business network the VPN-based solution is a good alternative to the WEP and MAC address filtering mechanisms. VPN technology is widely used by remote users for secure access over the Internet.
2. Use of a firewall with VPN
In order to enhance the security of wireless LANs, a "VPN firewall" is used, which protects the network through the use of a router that controls the network traffic. The router is a device that filters and transmits data packets from one network to another [4]. WLAN provides a wireless network as compared to the wired Ethernet network. It is today widely used as a platform for offering fast wireless internet connections across vast areas. Its wide spread and applicability is however endangered by unauthorized users, which makes it less secure than wired networks.
III. RELATED WORKS
In recent years, many researchers have concentrated on analyzing and providing firewall and VPN protection for WLANs. However, these studies and proposed "firewall with VPN" models for WLANs have not achieved the level required to simulate the network. In [1], the impact of using a VPN with a firewall on "cloud computing" performance was studied. In [9], the relationship between security and performance and the effects of using a firewall on wireless networks were examined. In [10], the IEEE 802.11i standard was developed with VPN to address security problems for WLANs. In this paper, a secured WLAN using the "firewall with VPN" model is used, based in part on the models proposed in [1, 9, 10]. The model is implemented using OPNET 14.5 Modeler. The WLAN network is modeled and then simulated for the three different scenarios; the results are analyzed to evaluate the effects of using the firewall with VPN technology.
IV. SECURED WLAN USING FIREWALL WITH VPN
The proposed design is to provide WLANs with secure delivery of data from a source to the IP cloud. VPN is one of the technologies adopted. This principle is commonly used in wired LANs and remote access networks and can also be used in WLANs. The function of the firewall is to prevent external illegal intrusion, while the VPN provides a virtual private network: through encryption, this network is private, can have exclusive bandwidth, and ensures the security of the data. Some authors speak of a "VPN-compatible firewall", whose main function is the firewall, with VPN as an added function; because it is based on a software VPN, its VPN features are relatively weak, and its stability and security are not as good as those of a dedicated VPN. Others speak of a "firewall-compatible VPN": for the same reason, its main function is the VPN, and the firewall is just an additional feature. The market now also offers hardware-based products that combine a firewall and a VPN in one device [6, 9].
V. THE OPNET 14.5 WLAN SIMULATION
In this section, the proposed simulation is presented to provide security for WLANs, where recent developments in the field of wireless networks are focusing on security issues. The proposed design adopts a firewall with VPN to provide high security for WLANs. The modeling and simulation of the WLANs are implemented using OPNET 14.5 Modeler. The effects of various conditions are investigated, where more than one type of traffic is applied to the three designed scenarios.
D. Scenario A: Inactive firewall
In scenario A, the network topology consists of four workstations connected to two access points (AP 1 and AP 2) configured as two BSSs. The two access points are connected by 1000BaseT to a switch, which is connected by 1000BaseT to router B; router B is connected through PPP-DS3 to the IP cloud. The IP cloud is connected through PPP-DS3 to router A, which in turn is connected by 1000BaseT to the server. The server represents the database. The network corresponding to scenario A is shown in Figure 1. The WLAN delay response time is given in Table 1.
Table 1. WLAN delay response time
Type of standard | Frequency | Data rate | Modulation | Range
IEEE 802.11b | 2.4 GHz | 11 Mbps | DSSS | (50-100) m
Figure 1. The simulation scenario A: Inactive firewall
E. Scenario B: With firewall
In scenario B, a security mechanism that isolates two networks of different security trust levels is added; it can be implemented in software or hardware and, using the safety rules established for the system, effectively controls internal and external traffic. The wireless LAN topology consists of four workstations connected to two access points (AP 1 and AP 2) configured as two BSSs. Each access point represents a cell. AP 1 and AP 2 are connected through 1000BaseT to a switch, which is connected through 1000BaseT to router B; router B is connected through PPP-DS3 to the IP cloud. The IP cloud is connected through PPP-DS3 to router A, which is connected through PPP-DS3 to a firewall named "ethernet2_silp8_firewall". This firewall protects the server from any external access on the network. The firewall is connected by PPP-DS3 to the server, which represents the database. The simulation model of this scenario is shown in Figure 2.
Figure 2. The Simulation of Scenario B: active firewall
F. Scenario C: Firewall with VPN
In the second scenario above, the firewall is programmed to prevent hackers from accessing the database on the server in the network, regardless of the source of the data traffic. "VPN with firewall" refers to the integrated function that enhances the internal security of the network by keeping out external illegal users or data; through the VPN-with-firewall function, remote access can be allowed while the confidentiality of corporate data is ensured.
In scenario C, the wireless LAN topology consists of four workstations connected to two access points (AP 1 and AP 2) configured as two BSSs. Each access point represents a cell. AP 1 and AP 2 are connected through 1000BaseT to a switch, which is connected through 1000BaseT to router B; this router is connected through PPP-DS3 to the IP cloud. The IP cloud is connected through PPP-DS3 to router A. This router is connected through PPP-DS3 to the firewall named "ethernet2_silp8_firewall", which protects the main server in the network from any external access. The firewall is connected through 1000BaseT to router A, which is connected through 1000BaseT to the server that represents the database.
In this case, the "VPN tunnel" is used to allow the client (Mobile 4) to access the database on the server. The firewall will not filter the traffic created by (Mobile 4), because the "IP packets" in the "VPN tunnel" are encapsulated inside an "IP datagram". The simulation model of this scenario is shown in Figure 3.
Figure 3. The Simulation scenario C. Firewall with VPN
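To make concrete why the firewall of scenario B blocks both clients' database traffic while the tunnel of scenario C lets only mobile_4 through, here is an added Python model of the three scenarios (example code written for this edition, not the paper's OPNET model). The addresses, the database port, IP-in-IP as the encapsulation, and the hop order router B -> firewall -> router A -> server are assumptions; the filter inspects only the outer IP header, which is the paper's stated reason the tunnelled packets are not filtered.

```python
"""Toy model of scenarios A, B and C: a stateless IP filter in front of the
database server and an IP-in-IP "VPN tunnel" between router B and router A
that carries mobile_4's database traffic past the filter."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses and port numbers (assumptions; the paper gives none).
SERVER = "10.0.2.10"      # database server behind router A
ROUTER_A = "10.0.0.1"     # tunnel end point on the server side
ROUTER_B = "10.0.0.2"     # tunnel end point on the WLAN side
MOBILE_4 = "10.0.1.14"    # client authorised to use the VPN tunnel
MOBILE_2 = "10.0.1.12"    # client with no tunnel
WLAN_PREFIX = "10.0.1."   # the two BSSs behind the access points
DB_PORT = 1521            # constructed database application port
PROTO_TCP = 6
PROTO_IPIP = 4            # IP-in-IP: the inner packet rides inside an IP datagram


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0
    inner: Optional["Packet"] = None   # present only on a tunnel datagram
    trace: list = field(default_factory=list)


def firewall_permits(pkt, active):
    """Scenario B rule: drop WLAN-sourced datagrams addressed to the DB port on
    the server. Only the outer header is inspected, so a tunnel datagram
    (router B -> router A, protocol 4) never matches the rule."""
    if not active:
        return True
    pkt.trace.append("filter")
    blocked = (pkt.src.startswith(WLAN_PREFIX) and pkt.dst == SERVER
               and pkt.dport == DB_PORT)
    return not blocked


def router_b(pkt, tunnel_clients):
    """Encapsulate traffic of tunnel-authorised clients inside an IP datagram
    addressed to router A; everything else is forwarded unchanged."""
    if pkt.src in tunnel_clients:
        pkt.trace.append("encap")
        return Packet(ROUTER_B, ROUTER_A, PROTO_IPIP, inner=pkt, trace=pkt.trace)
    return pkt


def router_a(pkt):
    """Tunnel end point: strip the outer header and forward the inner packet."""
    if pkt.proto == PROTO_IPIP and pkt.inner is not None:
        pkt.trace.append("decap")
        inner = pkt.inner
        inner.trace = pkt.trace
        return inner
    return pkt


def send_db_request(client, scenario):
    """One DB request from client under scenario A, B or C.
    Returns (delivered_to_server, trace of stages the packet went through)."""
    active = scenario in ("B", "C")                 # firewall present in B and C
    tunnel = {MOBILE_4} if scenario == "C" else set()  # tunnel only in C
    pkt = Packet(client, SERVER, PROTO_TCP, DB_PORT, trace=["wlan"])
    pkt = router_b(pkt, tunnel)
    if not firewall_permits(pkt, active):
        pkt.trace.append("dropped")
        return False, pkt.trace
    pkt = router_a(pkt)
    return pkt.dst == SERVER and pkt.dport == DB_PORT, pkt.trace


def db_reachability():
    """Which client reaches the database in which scenario (cf. Table 2:
    non-zero DB traffic only where this returns True)."""
    return {(s, c): send_db_request(c, s)[0]
            for s in "ABC" for c in (MOBILE_2, MOBILE_4)}


if __name__ == "__main__":
    for (s, c), ok in sorted(db_reachability().items()):
        print(f"scenario {s} client {c}: {'delivered' if ok else 'blocked'}")
```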
VI. SIMULATION RESULTS AND COMPARATIVE ANALYSIS
In this section, comparisons and analysis of the response time are presented for the three cases: "Inactive firewall", "Active firewall" and "Active firewall with VPN". The evaluation results showed that the delay in the "Active firewall" scenario is higher than that in the "Inactive firewall" scenario, because the firewall filters and prevents the "database application packets" from passing to the server by checking the IP addresses of the packets sent to and received from the server. The results also showed that the delay in the "Active firewall with VPN" scenario is the highest of the three: first, because the packet filtering by the firewall causes a higher delay, and second, because of the complicated process in the VPN tunnel inside routers A and B, namely the "encryption/decryption" and "encapsulation/de-capsulation" processes in the sent and received modes respectively between the client (mobile 4) and the server. For these reasons, the "firewall with VPN" scenario has more delay than the "Active firewall" and "Inactive firewall" scenarios. The delay values in the "Inactive firewall", "Active firewall" and "Active firewall with VPN" scenarios at the operating time of 8 min and 9 sec are 0.48 msec, 0.64 msec and 0.71 msec respectively. These results are shown in Table 2 and Figure 4.
Table 2. WLAN response time
Cases | Inactive firewall | Active firewall | Active firewall with VPN
Delay at time 8 min 9 sec | 0.48 msec | 0.64 msec | 0.71 msec
Voice jitter at time 8 min | 0.16 microsec | 0.14 microsec | 0.15 microsec
MOS at time 10 min | 3.78 | 3.78 | 3.78
Voice packet "End to End delay" at time 10 min | 60 msec | 60 msec | 60 msec
Voice traffic (sent) at time 8 min | 37.9 kilobytes/sec | 50.9 kilobytes/sec | 50.9 kilobytes/sec
Voice traffic received at time 8 min | 38.9 kilobytes/sec | 51.9 kilobytes/sec | 51.9 kilobytes/sec
DB traffic received Mobile 4 at time 10 min | 5.2 Bytes/sec | 0 Bytes/sec | 9.5 Bytes/sec
DB traffic received Mobile 2 at time 10 min | 9.5 Bytes/sec | 0 Bytes/sec | 0 Bytes/sec
Figure 4. Wireless LAN delay.
Figure 5 shows the jitter in "packet voice networks". Jitter is the variation in the delay of "received packets". Packets are sent in a "continuous stream" with the "packets spaced" evenly apart; because of network congestion, "improper queuing" or "configuration errors", this continuous stream may become "lumpy". The system evaluation showed that during the first 6 minutes of operation time the jitter of the "Active firewall with VPN" scenario is a little higher than that of the "Inactive firewall" and "Active firewall" scenarios, because of the sudden network load due to the high traffic from the use of four applications. After 6 minutes the jitter values become very close; at 8 minutes they are about 0.014 microsec, and the voice jitter stays below 0.041 microsecond, which means the model is acceptable. These results are shown in Table 2.
Figure 5. Voice jitter.
The Mean Opinion Score (MOS) is often used to evaluate the voice quality of a telephone service. It is expressed on a scale of 1 to 5, where 5 is the best, as used in subjective listening tests, and is a function that covers many factors, including the type of network and codec used, cabling and terminal equipment, and even the handset used to make the call. The evaluation of the system showed that the MOS values are equal and constant for the three scenarios "Inactive firewall", "Active firewall" and "Active firewall with VPN", at 3.78, which can be considered a good value, as shown in Figure 6 and Table 2.
Figure 6. Voice MOS value.
Figure 7 shows the voice packet "end-to-end delay", which refers to the total delay experienced by an "IP packet" from the source point to its arrival at the destination; it is composed mainly of the queueing delay, sending delay, transmission delay and propagation delay. Its physical meaning is the time between the first bit leaving the A-point host and the last bit arriving at the B-point host. For the three scenarios "Inactive firewall", "Active firewall" and "Active firewall with VPN" it is equal across the whole network, at 60 msec.
Figure 7. "Voice Packet" End to End Delay.
Figure 8 shows the "voice traffic" received in the network. This statistic is simulated as the average amount of traffic forwarded to all "voice applications" through the "transport layer" (fourth layer) in the network. The traffic value for the "Active firewall" and "Active firewall with VPN" scenarios was equal to 51.8 kilobytes/sec at time = 8 min. It is higher than that of "Inactive firewall", which was equal to 38.9 kilobytes/sec at time = 8 min. These results are shown in Table 2.
Figure 8. Voice traffic received.
Figure 9 shows the "voice traffic" sent, i.e. the packets submitted to the fourth layer by all "voice applications" in the network. The traffic for the "Active firewall" and "Active firewall with VPN" scenarios is convergent, and higher than that of the "Inactive firewall" scenario, because the "packet filtering process" prevents and hinders database traffic, enabling the users to send more voice packets according to the "Carrier sense multiple access with collision avoidance" access protocol. The voice traffic sent on the network at operation time = 8 min is equal to 50.9 kilobytes/sec and 37.9 kilobytes/sec respectively. These results are shown in Table 2.
Figure 9 Voice traffic sent.
Figure 10 shows the average database traffic (bytes/sec) received by the (mobile_4) client. (mobile_4) is considered the director, who is authorized to enter the database applications through the "VPN tunnel" that runs through the fourth layer in the network. The database traffic of the "Active firewall" scenario = 0, because the firewall prevents "mobile_4" from accessing the database on the main server. In the "Active firewall with VPN" scenario, "mobile_4" is authorized to access the database through the "VPN tunnel" to the server, so there is "database traffic" between the client and the server. These results are shown in Table 2.
Figure 10. "Mobile_4" client DB traffic received.
Figure 11 shows the average database traffic received by the client "Mobile_2". This client is not authorized to access the database applications through a "VPN tunnel" and therefore cannot reach the server, so the database traffic for the "Active firewall with VPN" scenario equals zero. The database application traffic for the "Active firewall" scenario also equals zero, because the firewall blocks the data traffic passing through it; therefore the data traffic for both scenarios equals zero. These results are shown in Table 2.
Figure 11. Mobile_2 client DB traffic received.
VII. CONCLUSIONS
This paper introduced the design of a secured WLAN (firewall with VPN) technology implemented in OPNET 14.5 Modeler. The proposed network is simulated and analyzed to investigate the impact of firewall security with VPN technology on throughput and received data traffic, in addition to the delay on the network through individual nodes. It is found that VPN is a fit way to secure and protect WLANs by decreasing the data traffic on the network and checking the required security. The following aspects can be pointed out:
1- Using a firewall in a WLAN enhances the security of the network but increases the delay on the network. The increased delay is due to preventing hacker attacks by testing the IP addresses of packets sent to and received from the server.
2- The integration of a firewall with VPN results in a secured network but with increased delay. The increased delay in this case is due to the filtering of the packets by the firewall, in addition to the complicated process in the VPN tunnel inside routers A and B, namely the "encryption/decryption" and "encapsulation/de-capsulation" processes in the sent and received modes respectively between the client (mobile 4) and the server. Accordingly, the firewall with VPN WLAN scenario has enhanced security but with increased delay.
References
[1] Y. Siddeeq, W. Shayma, "Firewall VPN Investigation on Cloud Computing Performance", IJCSES, Vol. 5, April 2014.
[2] Z. Mohd, M. Mahfuzan, "Performance Analysis of Application Layer Firewall", ISWTA, IEEE, 2012.
[3] Maneesha Sharma, Himani Bansal, Amit Kumar Sharma, "Cloud Computing: Different Approach & Security Challenge", International Journal of Soft Computing and Engineering (IJSCE), ISSN: 2231-2307, Volume 2, Issue 1, pp. 421-424, March 2012.
[4] Y. P. Kosta, U. D. Dalal, "Security Comparison of Wired and Wireless Network with Firewall with VPN", IEEE, 2010.
[5] S. Nassar, A. El-Sayed, and N. Aiad, "Improve the network performance by using parallel firewalls", in Networked Computing (INC), 2010 6th International Conference on, 2010, pp. 1-5.
[6] Weili Huang, Fanzheng Kong, "The research of VPN on WLAN", International Conference on Computational and Information Sciences, IEEE, 2010, pp. 250-253.
[7] Kevin Hamlen, Murat Kantarcioglu, Latifur Khan and Bhavani Thuraisingham, "Security Issues for Cloud Computing", International Journal of Information Security and Privacy, 4(2), 39-51, April-June 2010.
[8] K. Scarfone and P. Hoffman, Guidelines on Firewalls and Firewall Policy, Gaithersburg, MD, U.S.A.: National Institute of Standards and Technology, 2009.
[9] H. Garantla and O. Gemikonakli, "Evaluation of Firewall Effects on Network Performance", School of Engineering and Information Sciences, Middlesex University, London, 2009.
[10] H. Bourdoucen, A. Al Naamany and A. Al Kalbani, "Impact of Implementing VPN to Secure Wireless LAN", World Academy of Science, Engineering and Technology 51, pp. 625-630, 2009.
[11] W. Hneiti, N. Ajlouni, "Performance Enhancement of Wireless Local Area Networks", IEEE, 2006.
[12] Young B. Choi, Jeffrey Muller, Christopher V. Kopek and Jennifer M. Makarsky, "Corporate wireless LAN security: threats and an effective security assessment framework for wireless information assurance", Int. J. Mobile Communications, Vol. 4, No. 3, pp. 266-290, 2006.
[13] S. Kumudu and A. Seyed Shahrestani, "Wireless VPNs: An Evaluation of QoS Metrics and Measures", IEEE, 2005.
[14] G. Holden, Guide to firewalls and network security with intrusion detection and VPNs, NY, U.S.A.: Course Technology, Thomson Learning Inc., 2004.
[15] H. Anne L. Mark, "Firewall Policies and VPN Configurations", Publisher: Andrew Williams, Technical Editor, printed in Canada.
[16] B. Liang, "Security Technology Based on IEEE 802.11b WLAN", College of Computer and Electronic Information, Guangxi University, Nanning 530004, China.
Acknowledgments
I would like to begin by thanking Allah for making all this possible. Second, I would like to thank the "Republic of Romania". I am grateful for all the support received whilst researching and writing up this article. There are so many to thank. First and foremost I want to express my sincere gratitude and appreciation to my supervisor Prof. ION MARGHESCU, Ph.D., Telecommunication & Information Technology, University "Polytechnic" of Bucharest. His words of encouragement, quiet urgings and careful reading of all of my writing will never be forgotten, as well as the discussions with all committee members.