
Research Paper

The Analysis of Firewall and VPN in Enterprise Network Performances

K.M. Sumesh Kumar


MSc-MBIS Student
School of Engineering & Computing Sciences
University of East London - FTMS College
Technology Park Malaysia
Bukit Jalil, Kuala Lumpur, Malaysia
k.sumeshkumar88@gmail.com

Kinn Abass Bakon


Lecturer
School of Engineering and Computing Sciences
FTMS College
Technology Park Malaysia
Bukit Jalil, Kuala Lumpur, Malaysia
kinn@ftms.edu.my

Abstract
The rapid growth of communication technology has changed the character of network security worldwide. A series of internet attacks and fraudulent acts against enterprise networks has shown that computer network environments are not immune to intrusion. With the emergence of the internet, the rapid increase in the development and use of application software, and the inventiveness of attackers, network security has become a complicated problem that demands well-planned solutions to deal with ever-increasing security threats. Security solutions must be efficient and effective in dealing with the threats and vulnerabilities of the networking domain. Enterprises can achieve better security by following a systematic approach of analysis, design, implementation and maintenance. This paper focuses on the analysis phase and on a detailed study of network parameters; the analysis phase demands a clear investigation of the complete network. We designed and implemented enterprise network scenarios in a lab through simulation, with different levels of security layers and approaches, and studied their impact on security deployment in enterprise networks. The results show that enterprise network vulnerabilities can be fixed.

Key Terms: Firewall, VPN, DMZ, OSI layers, Protocols, Bandwidth

1. Introduction

Ensuring network security effectively is a complicated task. Organizations have their own computer security procedures and levels to implement, so a systematic approach of analysis, design, implementation and maintenance is necessary to ensure that networks are properly secured. The major challenge in enterprise network architecture is how to implement suitable procedures and controls for attaining security. Attackers still exist and their numbers seem to increase every day. As better techniques emerge in the field of security technology, so too do better hacking tools and methods; as a result, network solutions have to become more complicated to address security issues. Individuals who try to keep up to date with the new threats and security technology will soon find themselves under stress.

One of the main problems in enterprise network security is its complexity. Application software is becoming more complicated and more capable, and this results in an increase in vulnerabilities. Furthermore, there are computer experts, hackers, who are interested in finding vulnerabilities in applications and exploiting them. The main motivations for these actions are fame and money, and sometimes curiosity about the technology; but the attackers' actions always result in loss to the organizations.

Sometimes the security measures implemented by the administrator to secure the network from malicious attacks work against system usability, i.e. authorized users in the network are unable to complete some of their tasks. On many occasions the network security of the organization is achieved successfully, but it conflicts with the user-friendliness of the systems, so the additional burden on authorized users to complete their tasks naturally increases.

This problem can be addressed by analyzing the network regularly. Analysis helps to check for vulnerabilities in the network security. For example, before implementing security measures in the network, it is mandatory to analyze these measures and ensure that they integrate with the present network design, that they will meet future demands, that they can be upgraded, and that they are maintainable and compatible with new products.

Through this paper we point out the importance of human analysis practice for enterprise network performance.

2. Literature Review

2.1 Network

A network exists when a collection of systems is interconnected via a communication channel. The communication channel may consist of a wired or wireless medium to forward and receive traffic between any two nodes. Network protocols are the sets of rules that implement communication between the nodes in the network (Dostalek & Kabelova, 2006).

2.2 OSI (Open System Interconnection) Reference Model

The OSI reference model is the standard communication framework for establishing communication between heterogeneous systems in the networking domain. Because it is intended for communication between open systems, it is familiarly known as the Open System Interconnection (OSI) model. The OSI reference model introduced a framework that breaks the complexity of internetworking into smaller components so that they can be understood, analyzed and used easily (Dostalek & Kabelova, 2006).

The purpose of the OSI model is to allow computers on any platform to communicate with each other as long as both follow the OSI standards (Day & Zimmermann, 1983). The OSI reference model has seven layers, each with its own working principle and functionality. These layers are independent but arranged in sequence so that communication flows properly among them. Collectively they are known as the OSI layers.

Fig 2.1: Architecture of OSI reference model (Day & Zimmermann, 1983:p.1338)

If we analyze the OSI system architecture, three concept levels are clearly stated: the OSI reference model, the OSI service specifications and the OSI protocol specifications (Day & Zimmermann, 1983). The OSI service specification is responsible for the particular services offered between the system and the user at a particular layer. The OSI protocol specification is responsible for the particular type of protocol that exists for a particular communication service (see fig 2.2). The combination of these two specifications is what makes up the OSI architecture.

Fig 2.2: System Architecture of OSI (Day & Zimmermann, 1983:p.1335)

It is well established that the OSI reference model is composed of seven layers, each of which has different functionality, services and protocols to achieve its task. In the OSI system architecture the functions of the lowest layers are effectively separated from the functions of the higher layers (Held, 2000). As with the information-hiding design principle, the lower layers are concerned with significant levels of detail while the upper layers are independent of these details. Within each layer, services are presented to the next higher layer and a protocol is presented to the peer layer in the other system (Stallings, 2005). Consequently we may say that any alteration in a layer N may influence only the layer below it, N-1; it does not affect the higher layer N+1, which is isolated from the lower layers (see fig 2.3).

Fig 2.3: Architecture of OSI Framework (Ahamad & Habib, 2010:p.5)
2.3 Technology Used

Networking concepts and technologies are complicated to explain, even with proper examples and detailed descriptions. One way to make an audience clearly understand a networking concept is to create a network environment in which the audience can experience how the concept works, using a software tool that simulates the functions of the networking domain. This approach of using simulation to demonstrate networking concepts is highly recommended. It enables a virtual environment with features such as modelling a network against particular criteria and analyzing its impact in different scenarios.

OPNET Modeler 14.5 (education version) provides a virtual network environment for analyzing, modelling and forecasting the behaviour of IT infrastructure, including servers, applications and networking technologies. By building the network environment in the simulator, an IT administrator can diagnose complicated problems and evaluate changes before implementation (Portnoi & Martin, 2007).

OPNET provides several modules, which include the behaviour of protocols in networks and the features of network hardware elements. The configuration and the resulting output for network elements are close to those of a real network environment. Graphical configuration and graphical presentation of the results are additional features of the OPNET simulator (Salah & Alkhoraidly, 2006).

3. Research Design and Methodology

The following methodology was applied to analyze the security domain of enterprise networks. It is also essential to understand the topics below and how they relate to each other. The network parameters investigated are as follows:

i. Virtual Private Network (VPN)
ii. Firewall
iii. Extracting the simulation results for the different scenarios.

3.1 VPN (Virtual Private Network)

The term VPN describes network communication that uses a combination of technologies to establish a secured connection over an untrusted network. Data transmission takes place as if it were being forwarded over a private network.

Data transmission is carried out by means of a tunneling process. Before a packet is transmitted it is wrapped, i.e. encapsulated into a new packet, and a new header is added. This added header provides the routing information, so the packet traverses a shared communication network before reaching the tunnel end point. The logical pathway of the encapsulated packet is known as the tunnel. Data confidentiality is achieved in a VPN by the encryption process.

The most commonly used tunneling protocol for VPNs is IPsec (Internet Protocol Security). IPsec uses two security protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), to provide authentication, encryption and integrity of data (Frankel et al., 2005).

Authentication Header (AH):

This protocol ensures packet integrity and authentication of the source. The information added to the packet includes a hash of the data, a sequence number and source verification details, which together ensure data integrity (Hooper, 2012).
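The two protections AH gives a packet, a keyed hash over its contents and a sequence number that the receiver checks against a sliding window, can be shown in a few lines. The following Python is an added example, not code from the paper or from any IPsec implementation; it assumes HMAC-SHA256 as the keyed hash and a 32-packet window, and models only the source, destination, sequence number and payload as the covered fields (real AH covers the immutable IP header fields and uses a truncated HMAC).

```python
import hashlib
import hmac
import struct

# Constructed illustration of the two protections the Authentication Header
# provides: a keyed hash over the packet (integrity and source authentication)
# and a sequence number checked against a sliding window (replay detection).
# Real AH computes a truncated HMAC (e.g. HMAC-SHA1-96) over the immutable IP
# header fields, the AH header and the payload; HMAC-SHA256 and a reduced set of
# header fields are assumed here for illustration.

REPLAY_WINDOW = 32  # assumed window size; RFC 4302 requires at least 32


def compute_icv(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> bytes:
    """Integrity Check Value over the fields this toy AH covers."""
    covered = src.encode() + b"|" + dst.encode() + struct.pack("!I", seq) + payload
    return hmac.new(key, covered, hashlib.sha256).digest()


def build_ah_packet(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> dict:
    """Sender side: attach the sequence number and ICV to the packet."""
    return {"src": src, "dst": dst, "seq": seq, "payload": payload,
            "icv": compute_icv(key, src, dst, seq, payload)}


class AhReceiver:
    """Receiver side: verify the ICV, then enforce the anti-replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = 0      # highest sequence number accepted so far
        self.seen = set()         # accepted sequence numbers inside the window

    def accept(self, pkt: dict) -> str:
        # Integrity first: a packet that fails the ICV must not influence the window.
        expected = compute_icv(self.key, pkt["src"], pkt["dst"], pkt["seq"], pkt["payload"])
        if not hmac.compare_digest(expected, pkt["icv"]):
            return "drop: integrity check failed"
        seq = pkt["seq"]
        # Too old to fall inside the window, or already accepted: a replay.
        if seq <= self.highest_seq - REPLAY_WINDOW or seq in self.seen:
            return "drop: replay"
        self.seen.add(seq)
        self.highest_seq = max(self.highest_seq, seq)
        # Slide the window forward and forget sequence numbers that fell out of it.
        self.seen = {s for s in self.seen if s > self.highest_seq - REPLAY_WINDOW}
        return "accept"


def demo() -> list:
    """Constructed traffic: a valid packet, its replay, a tampered packet, a valid successor."""
    key = b"constructed-shared-key"   # negotiated out of band in a real deployment
    rx = AhReceiver(key)
    first = build_ah_packet(key, "10.0.0.5", "10.0.1.9", 1, b"mail body")
    tampered = build_ah_packet(key, "10.0.0.5", "10.0.1.9", 2, b"mail body")
    tampered["payload"] = b"mail bodY"   # one byte modified in transit, ICV unchanged
    second = build_ah_packet(key, "10.0.0.5", "10.0.1.9", 2, b"mail body")
    return [rx.accept(first), rx.accept(first), rx.accept(tampered), rx.accept(second)]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the ICV is verified before the window is touched, so a forged packet with a high sequence number cannot push the window forward and cause genuine packets to be discarded.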

Fig 3.1: Authentication header (The Government of the HKSAR, 2008:p.9)

Encapsulating Security Payload (ESP):

In addition to authentication of the source and data integrity, ESP also ensures the confidentiality of data. Data privacy is achieved by using a symmetric encryption algorithm, specifically 3DES. The algorithm must be identical at both ends (Hooper, 2012).

Fig 3.2: Encapsulating security payload (The Government of the HKSAR, 2008:p.9)

Two modes of operation are supported by each security protocol: tunnel mode and transport mode (Frankel et al., 2005).

Tunnel mode:

This is an end-to-end connection in which the packet is protected in its entirety. The original packet is wrapped inside a new packet, and the AH or ESP header is added to this new packet. The new packet is forwarded to the tunnel end point, where the new headers are decrypted and the original packet is forwarded to its destination in the network.

Fig 3.3: Tunnel mode (The Government of the HKSAR, 2008:p.10)

Transport mode:

In this mode the encryption and authentication are applied to the data but not to the IP header. The AH and ESP headers are applied to the data of the original packet, so the added overhead is less than in tunnel mode. But attackers can easily carry out traffic analysis because the header information is not encrypted. For that reason this mode is mostly used for host-to-host connections.
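To make the difference between the two modes concrete, the following Python is an added example (not from the paper or from OPNET) that models the ESP packet layout in each mode. The 20-byte IP header and 24-byte ESP overhead are assumed figures, no real cipher is run, and the addresses are constructed. It shows what an observer on the shared network can read in each mode, the extra bytes each mode adds, and how the tunnel end point recovers the original packet.

```python
from dataclasses import dataclass

# Constructed model of ESP packet layout in the two IPsec modes described above.
# No cipher is run: the protected region is kept as bytes that an on-path observer
# is assumed not to be able to read. Header sizes are assumptions: a 20-byte IPv4
# header and 24 bytes for the ESP header (SPI + sequence number) plus a 16-byte
# ICV; ESP padding and trailer are ignored.

IP_HEADER_LEN = 20
ESP_OVERHEAD = 8 + 16


@dataclass
class IpPacket:
    src: str
    dst: str
    payload: bytes

    def size(self) -> int:
        return IP_HEADER_LEN + len(self.payload)

    def serialize(self) -> bytes:
        # Simple wire form "src>dst|payload", used only so tunnel mode can carry it.
        return f"{self.src}>{self.dst}|".encode() + self.payload

    @classmethod
    def parse(cls, raw: bytes) -> "IpPacket":
        header, payload = raw.split(b"|", 1)
        src, dst = header.decode().split(">")
        return cls(src, dst, payload)


@dataclass
class EspPacket:
    outer_src: str       # IP header sent in clear on the shared network
    outer_dst: str
    mode: str
    protected: bytes     # region covered by encryption and the ICV
    size: int


def esp_encapsulate(pkt: IpPacket, mode: str, gw_a: str = "", gw_b: str = "") -> EspPacket:
    if mode == "transport":
        # The original IP header stays in clear; only the payload is protected.
        return EspPacket(pkt.src, pkt.dst, mode, pkt.payload, pkt.size() + ESP_OVERHEAD)
    if mode == "tunnel":
        # The whole original packet is protected and a new outer header
        # (gateway to gateway) is added in front of it.
        return EspPacket(gw_a, gw_b, mode, pkt.serialize(),
                         IP_HEADER_LEN + ESP_OVERHEAD + pkt.size())
    raise ValueError(f"unknown mode {mode!r}")


def tunnel_decapsulate(esp: EspPacket) -> IpPacket:
    """Tunnel end point: strip the outer header, recover and forward the original packet."""
    if esp.mode != "tunnel":
        raise ValueError("only tunnel mode carries a complete inner packet")
    return IpPacket.parse(esp.protected)


def observer_view(esp: EspPacket) -> dict:
    """Addresses a passive observer on the shared network can read from the clear header."""
    return {"src": esp.outer_src, "dst": esp.outer_dst}


def overhead(esp: EspPacket, original: IpPacket) -> int:
    """Bytes added to the original packet by the chosen mode."""
    return esp.size - original.size()


if __name__ == "__main__":
    original = IpPacket("192.168.1.10", "10.10.0.20", b"GET /index.html")   # constructed
    for mode in ("transport", "tunnel"):
        esp = esp_encapsulate(original, mode, "203.0.113.1", "198.51.100.1")
        print(mode, observer_view(esp), "overhead:", overhead(esp, original), "bytes")
```

In transport mode the observer learns the real end hosts from the clear header; in tunnel mode it sees only the two gateways, at the cost of one extra IP header per packet.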

Fig 3.4: Transport mode (The Government of the HKSAR, 2008:p.10)

3.2. Firewall

A firewall is a barrier that performs network isolation and decides the direction and permission of the traffic that passes through it. The firewall results in tighter and more complex

Firewall types:

The administrator needs to decide which firewall type is suitable for the existing network architecture (INL, 2006). The firewall categories are packet filter firewall, application-level gateway, circuit-level gateway and stateful inspection firewall (Stallings, 2013).

3.3 Scenarios

In the simulation three scenarios were designed, as follows:

a) General network design scenario: the default network parameter settings and configurations are used.
b) Firewall network design scenario: a well-approached security deployment using the existing security modules. This approach to security deployment, however, results in the loss of connection-establishment ability between the clients and the server for particular applications in the network.
c) VPN-Firewall network design scenario: an intelligent approach to security deployment, in which security professionals establish a customized network solution that provides connectivity and resource availability to the particular authorized users in the proper manner, i.e. securely and fulfilling the requirements of the network architecture.

3.4 Object Modules

The object models that are configured in the network scenarios topology are given
below in table 1.

S.No  OBJECT NAME                               OBJECT MODULE               QTY  DESCRIPTION OF MODULE
1.    PROFILE                                   PROFILE_CONFIGURATION            Used to describe the user groups in terms of the existing applications.
2.    APPLICATION                               APPLICATION_CONFIGURATION        Customizes the application parameters such as repeatability, process duration and start time.
3.    VPN-CONFIG                                IP_VPN_CONFIGRATION         1    Used to establish the VPN tunneling between the specified nodes.
4.    ROUTER (A, B, C, D, E)                    ETHERNET4_SLIP8_GATEWAY     5    Represents the IP-based gateway devices, which support the routing protocols and VPN.
5.    FIREWALL                                  ETHERNET2_SLIP8_GATEWAY     1    Represents the IP-based device with firewall and server support features.
6.    CLIENT (1,2,3,4) and NETWORK ADMIN (1,2)  ETHERNET_WORKSTATION        6    Represents the workstations, which support client and server applications over TCP/IP and UDP/IP.
7.    APPLICATION_SERVER                        PPP_SERVER                  1    Represents the server node's applications working over TCP/IP and UDP/IP.
8.    INTERNET_CLOUD                            IP32_CLOUD                  1    Represents the Internet cloud environment.
9.    LINK                                      PPP_DSI                     7    PPP LINK (44 Mbps)
10.   LINK                                      100BaseT                    6    ETHERNET LINK (100 Mbps)
TABLE 1: Object Modules

3.5 Object Modelling

The parameters are configured as required by the given task. In the application configuration, the object attributes are set to support the default application services (database access, e-mail, FTP, HTTP, VoIP and video conferencing). In the profile configuration, the attributes are set to support the three applications configured on the server, i.e. database, HTTP and e-mail. Finally the attributes of the clients, server, routers and firewall are configured to support our requirements.

Fig 3.5 Network scenarios topology

3.6 Task

1. The NETWORK ADMIN 1 and NETWORK ADMIN 2 should have the permission to access the
Database services, HTTP services and E-mail services.

2. The rest of the users such as CLIENT 1, CLIENT 2, CLIENT 3 and CLIENT 4 are denied access
to the Database and HTTP services but permitted to access the E-mail services.

The main objective of this paper is to show the dominant role of analysis practice in ensuring the security of enterprise networks. To achieve effective analysis, the data collection techniques must be detailed.
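The three scenarios of section 3.3 and the two requirements of section 3.6 can be expressed as a small policy check. The following Python is an added example, not part of the paper or of the OPNET configuration; it assumes that the firewall filters on the application service it sees in the outer packet, that traffic inside the VPN tunnel reaches the firewall as ESP and therefore does not match the Database/HTTP deny rule, and that the tunnel is configured only for the two admin workstations. Under these assumptions it reproduces the outcome the paper reports: only the VPN-firewall scenario meets both requirements.

```python
# Constructed policy model for the three scenarios of section 3.3, checked against
# the task requirements of section 3.6. Assumption behind the third scenario: the
# firewall inspects only the outer packet, so traffic carried inside the VPN tunnel
# reaches it as ESP and never matches the Database/HTTP deny rule, while the tunnel
# is configured only between the admin workstations and the server side.
# Rule format: (subjects or "*", services or "*", action); first match wins.

ADMINS = {"NETWORK ADMIN 1", "NETWORK ADMIN 2"}
CLIENTS = {"CLIENT 1", "CLIENT 2", "CLIENT 3", "CLIENT 4"}
SERVICES = ("Database", "HTTP", "E-mail")

FIREWALL_RULES = [
    ("*", {"Database", "HTTP"}, "deny"),   # the filter applied in scenarios b) and c)
    ("*", "*", "allow"),
]

SCENARIOS = {
    "general":      {"rules": [("*", "*", "allow")], "vpn_for": set()},
    "firewall":     {"rules": FIREWALL_RULES, "vpn_for": set()},
    "vpn_firewall": {"rules": FIREWALL_RULES, "vpn_for": ADMINS},
}


def evaluate(scenario: str, user: str, service: str) -> str:
    """Decision the firewall reaches for one user requesting one service."""
    cfg = SCENARIOS[scenario]
    # Inside the tunnel the firewall sees ESP between the gateways, not the application protocol.
    seen_by_firewall = "ESP" if user in cfg["vpn_for"] else service
    for subjects, services, action in cfg["rules"]:
        if (subjects == "*" or user in subjects) and (services == "*" or seen_by_firewall in services):
            return action
    return "deny"   # assumed default when no rule matches


def task_failures(scenario: str) -> list:
    """Requirements from section 3.6: admins reach all three services, clients only E-mail."""
    failures = []
    for user in sorted(ADMINS | CLIENTS):
        for svc in SERVICES:
            expected = "allow" if (user in ADMINS or svc == "E-mail") else "deny"
            got = evaluate(scenario, user, svc)
            if got != expected:
                failures.append(f"{user}: {svc} is {got}, expected {expected}")
    return failures


if __name__ == "__main__":
    for name in SCENARIOS:
        problems = task_failures(name)
        print(f"{name}: {'task satisfied' if not problems else problems}")
```

Running it lists eight failures for the general scenario (every client reaches Database and HTTP), four for the firewall scenario (both admins lose Database and HTTP) and none for the VPN-firewall scenario, which is the same deny rule plus a tunnel that carries the admins' traffic past it.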

4. Result and Analysis

The result of each scenario is analyzed below.

4.1 General Network Design Scenario

It uses the default network parameter settings and configurations. In this scenario all the workstations can access the HTTP and e-mail services from the application server, as shown in the figures. At the same time all users have unrestricted access to the database services, as shown in fig 4.3 and fig 4.4. This leaves the network open to attack from any client user. We can analyze this impact using the simulation results of this scenario given in the following figures.

Fig 4.1: HTTP client traffic sent (bytes/sec) in General Network Design scenario.

Fig 4.2: HTTP Client Traffic Received (Bytes/Sec) in General Network Design Scenario.

Fig 4.3: DATABASE client traffic sent (bytes/sec) in General Network Design scenario.

Fig 4.4: DATABASE client traffic received (bytes/sec) in General Network Design scenario.

Fig 4.5: E-MAIL client traffic sent (bytes/sec) in General Network Design scenario.

Fig 4.6: E-MAIL Client Traffic Received (Bytes/Sec) in General Network Design Scenario.

4.2 Firewall network design scenario

It uses a well-approached security deployment with the existing security modules. This approach to security deployment, however, results in the loss of connection-establishment ability between the clients and the server for particular applications in the network.

In this scenario the database and HTTP services are denied at the firewall across the network. As a result of this security configuration, NETWORK ADMIN 1 and NETWORK ADMIN 2 can access the e-mail services but lose access to the database and HTTP services. This security implementation fulfils only one of our requirements, i.e. access to e-mail services; the other requirement, access to the database and HTTP services, is not met. After implementation of this security policy none of the users in the enterprise network can access the database and HTTP services. This is shown by the simulation results in fig 4.7 and fig 4.8.

Fig 4.7: HTTP client traffic sent and received (bytes/sec) in Firewall Network Design scenario.

Fig 4.8: DATABASE client traffic sent and received (bytes/sec) in Firewall Network Design scenario.

Fig 4.9: E-MAIL Client Traffic Sent And Received (Bytes/Sec) in Firewall Network Design Scenario.

4.3. VPN-Firewall network design scenario

It uses an intelligent approach to security deployment, in which security professionals establish a customized network solution that provides connectivity and resource availability to the particular authorized users in the proper manner, i.e. securely and fulfilling the requirements of the network architecture.

In this scenario NETWORK ADMIN 1 and NETWORK ADMIN 2 can access the database, HTTP and e-mail services. At the same time CLIENT 1, CLIENT 2, CLIENT 3 and CLIENT 4 are denied access to the database and HTTP services and are permitted to access the e-mail services. With this security policy all the requirements mentioned in the task are fulfilled. This is shown by the simulation results in fig 4.10, fig 4.11 and fig 4.12.

Fig 4.10: HTTP traffic sent and received (bytes/sec) in VPN FIREWALL NETWORK DESIGN
scenario.

Fig 4.11: DATABASE Client Traffic Sent And Received (Bytes/Sec) in VPN Firewall Network Design Scenario.

Fig 4.12: E-MAIL client traffics send and received (bytes/sec) in VPN Firewall Network Design scenario.

4.4 COMPARISON OF RESULTS

In this section of the paper we analyze the impact of security deployment on the enterprise network architecture. After successful implementation of the security solutions in the existing enterprise network, a secure network environment is ensured, but the performance of the network is affected, i.e. the delay factors in the network traffic change. This is shown in the simulation results given in the figures below.

A VPN is an effective solution for establishing secure communication, but it causes the enterprise network to experience slower response times for network services such as TCP, HTTP, e-mail and database queries. This is shown by the simulation results in the figures. The decrease in network performance is due to the encryption process and the addition of the authentication header to the packets in the network.

Fig 4.13: HTTP response time (seconds)

In fig 4.13 we compare the HTTP page response time of the general network scenario and the VPN firewall scenario. From fig 4.13 it is clear that the HTTP response time is higher in the VPN firewall scenario than in the general network scenario. The HTTP response time is found to be 0.192118 sec for the general network scenario and 14.8903 sec for the VPN firewall network scenario.

Fig 4.14: DATABASE entry response time (seconds)

In fig 4.14 we compare the DATABASE entry response time of the general network scenario and the VPN firewall scenario. From fig 4.14 it is clear that the DATABASE entry response time is higher in the VPN firewall scenario than in the general network scenario. The DATABASE entry response time is found to be 0.193264 sec for the general network scenario and 2.72216 sec for the VPN firewall network scenario.

Fig 4.15: DATABASE query response time (seconds)

In fig 4.15 we compare the DATABASE query response time of the general network scenario and the VPN firewall scenario. From fig 4.15 it is clear that the DATABASE query response time is higher in the VPN firewall scenario than in the general network scenario. The DATABASE query response time is 0.192118 sec for the general network scenario and 2.69704 sec for the VPN firewall network scenario.

Fig 4.16: E-MAIL download response time (seconds)

In fig 4.16 we compare the E-MAIL download response time of the general network scenario, the firewall network scenario and the VPN firewall scenario. From fig 4.16 it is clear that the E-MAIL download response time is higher in the VPN firewall scenario than in the general network and firewall network scenarios. The E-MAIL download response time is 0.558577 sec for the general network scenario, 0.563336 sec for the firewall network scenario and 7.24786 sec for the VPN firewall network scenario.

Fig 4.17: E-MAIL upload response time (seconds)

In fig 4.17 we compare the E-MAIL upload response time of the general network scenario, the firewall network scenario and the VPN firewall scenario. From fig 4.17 it is clear that the E-MAIL upload response time is higher in the VPN firewall scenario than in the general network and firewall network scenarios. The E-MAIL upload response time is 0.569694 sec for the general network scenario, 0.558776 sec for the firewall network scenario and 5.39690 sec for the VPN firewall network scenario.

Fig 4.18: TCP delay (seconds)

In fig 4.18 we compare the TCP delay of the general network scenario, the firewall network scenario and the VPN firewall scenario. From fig 4.18 it is clear that the TCP delay is higher in the VPN firewall scenario than in the general network and firewall network scenarios. The TCP delay is 0.31632 sec for the general network scenario, 0.927719 sec for the firewall network scenario and 1.77422 sec for the VPN firewall network scenario.

Fig 4.19: TCP segment delay (seconds)

In fig 4.19 we compare the TCP segment delay of the general network scenario, the firewall network scenario and the VPN firewall scenario. From fig 4.19 it is clear that the TCP segment delay is higher in the VPN firewall scenario than in the general network and firewall network scenarios. The TCP segment delay is found to be 0.106895 sec for the general network scenario, 0.110819 sec for the firewall network scenario and 0.767215 sec for the VPN firewall network scenario.

In this section we implemented three scenarios, namely the general network design scenario (without firewall), the firewall network design scenario and the firewall-VPN network design scenario.

The analysis shows that after implementing the firewall, even the authorized users are denied access to the application services they are entitled to. On the other hand, when using the VPN together with the firewall, the security of the network reaches a high level and we experience a reasonable decrease in network performance, due to the encryption process and the addition of authentication headers to the packets.

5. Conclusion

The main objective of this paper was to explore the vulnerabilities in the network and to perform an in-depth analysis of various attacks against security and of security solutions. The security of an enterprise network does not depend on a particular product or brand, such as a firewall, operating system or other security application. Precise configuration of the firewall, changing passwords at regular intervals, regularly updating security application software such as antivirus, etc. are all elements of good security practice.

Deficiencies in the design of a security product can be overcome by good practices. It is better to use the network services with no security devices than security devices with incorrect configurations. There is a familiar quote in the security domain: "The system which is said to be secure is one that is switched off, cast in a concrete block and sealed inside a lead-lined room with armed guards, and even then I have my doubts" (Dewdney, 1989).

As the results of the analysis have shown, in the first scenario, with no security implementation and the network parameters configured in default mode, unauthorized users are permitted access to the resources in the network. In the second scenario, configuring the firewall to deny particular services also denies access to authorized users such as NETWORK ADMIN 1 and 2. In the third scenario it is clear that security deployment can affect network performance and introduce delay factors into the network environment.

The bottom line is that a network cannot be implemented in a 100% secure mode. The practice of analysis helps to sort out the vulnerabilities present in enterprise networks, and it also provides a strong baseline for designing a better security implementation plan.

References

[1] AHAMAD, N. & HABIB, M. K. (2010) Analysis of Network Security Threats and Vulnerabilities by Development & Implementation of a Security Network Monitoring Solution. [Online] Available from: http://www.researchgate.net/publication/202784990_Analysis_of_Network_Security_Threats_and_Vulnerabilities_by_Development__Implementation_of_a_Security_Network_Monitoring_Solution [Accessed: 15th Nov 2014]
[2] CS-IIT (Department of Computer Science, Illinois Institute of Technology) (2014) Cryptography and Network Security, lecture notes. [Online] Available from: http://www.cs.iit.edu/~cs549/lectures/CNS-1.pdf [Accessed: 2nd Nov 2014]
[3] DAY, J. D. & ZIMMERMANN, H. (1983) The OSI Reference Model. Proceedings of the IEEE, Vol. 71, No. 12, pp. 1334-1340.
[4] DOSTALEK, L. & KABELOVA, A. (2006) Understanding TCP/IP. 1st Ed. Birmingham: Packt Publishing.
[5] EDWARDS, W. et al. (2005) CCSP: Complete Study Guide (642-501, 642-511, 642-531, 642-541). 1st Ed. Alameda: Sybex Publications.
[6] FRANKEL, S. et al. (2005) Guide to IPsec VPNs: Recommendations of the National Institute of Standards and Technology. 1st Ed. Gaithersburg: NIST Special Publications (U.S. Department of Commerce).
[7] HOOPER, H. (2012) CCNP Security VPN 642-648 Official Cert Guide. 1st Ed. Indianapolis: Cisco Press.
[8] HELD, G. (2000) TCP/IP Professional Reference Guide. 1st Ed. Boca Raton: Auerbach Publications.
[9] HUCABY, D., GARNEAU, D. & SEQUEIRA, A. (2012) CCNP Security FIREWALL 642-618 Official Cert Guide. 1st Ed. Indianapolis: Cisco Press.
[10] INL (Idaho National Laboratory) Report, U.S. Department of Homeland Security (2006) Control System Cyber Security: Defense in Depth Strategies. [Online] Available from: http://www.inl.gov/technicalpublications/Documents/3375141.pdf [Accessed: 30th Sep 2014]
[11] PORTNOI, M. & MARTINS, J. S. (2007) TARVOS: an Event-Based Simulator for Performance Analysis, Supporting MPLS, RSVP-TE, and Fast Recovery. In: XIII Brazilian Symposium on Multimedia and the Web (Webmedia). Vol. 1, pp. 222-229.
[12] STALLINGS, W. (2005) Wireless Communication. 1st Ed. New Jersey: Prentice Hall.
[13] STALLINGS, W. (2013) Network Security Essentials: Applications and Standards. 5th Ed. New Jersey: Prentice Hall.
[14] SALAH, K. & ALKHORAIDLY, A. (2006) An OPNET-based simulation approach for deploying VoIP. International Journal of Network Management. Vol. 1, Issue 3, pp. 159-183.
[15] THE GOVERNMENT OF THE HKSAR (Hong Kong Special Administrative Region) (2008) VPN Security. [Online] Available from: http://www.infosec.gov.hk/english/technical/files/vpn.pdf [Accessed: 12th Nov 2014]
[16] WIKIVERSITY (2014) Introduction to Computers/System Software. [Online] Available from: http://en.wikiversity.org/wiki/Introduction_to_Computers/System_software [Accessed: 1st Oct 2014]
[17] DEWDNEY, A. K. (1989) Computer Recreations: Of Worms, Viruses and Core War. Scientific American, p. 110.
