High Level Design: Ministry of Justice
Copyright Statement
All information included in this document is confidential and the exclusive property of
TeleLink AD.
Any unauthorized use of the above-mentioned information for publication, reproduction
or commercial purposes, as well as its dissemination and transfer to third parties in partial,
processed or complete form without the explicit consent of TeleLink AD, is strictly
prohibited.
The trademarks used in this document are registered trademarks of the respective
companies that own the brands in the USA and other countries.
Review History
Reviewer's Details                      Version No.   Date
Georgi Georgiev                         0.2; 1.0      04/02/2005, 26/07/2005
Juliana Gradetzka (General editing)     1.0           26/07/2005
1. Network Architecture
At the central site in Sofia a Network Management System (NMS) server, PIX firewalls,
an Intrusion Detection System (IDS), a Content Engine and a core router will be installed.
The core router will aggregate the traffic and will provide the Internet access for the
whole network.
The distribution layer will integrate all District Courts. The routers from the distribution
layer will be connected to one of the five core routers, thus forming an extended star
topology. The advantage of this topology is high scalability. Links will be realized through
Ethernet interfaces. At this level all IP and IPSec connections and tunnels from the access
layer will be terminated and aggregated. When two or more courts are situated in one
building, only one router will be used. It will serve as a multilayer router (distribution and
access, or core, distribution and access) and will deliver network services to the courts
located in the building. In this case the actual division between the judicial institutions
will be made on Layer 2 by creating separate VLANs.
At the lowest level, the access layer, there will be access routers connecting all regional
courts. They will terminate IPSec tunnels to the distribution layer routers. Several
connectivity alternatives exist: a leased line with a serial interface, or a leased line with
Ethernet interfaces. Every access router will run a routing protocol with its corresponding
router in the distribution layer. The access routers will deliver network services to the
regional courts. The connection to the LANs will be realized via a Layer 2 switch.
[Figure: extended star topology. Distribution routers connect to the core; each access router connects to its distribution router; where several courts share a building a combined "Distribution and Access" router is used.]
This network architecture will be used as a transport infrastructure for two independent
networks: one for the courts and another for the Registry Agency. They will be
completely separated by carrying their traffic in two different IPSec tunnels. In order
to accomplish this, they will be assigned to different VLANs at Layer 2. The only
common service for these networks will be the Internet access.
Two additional VLANs will be created: one for server management and one for
management of the active network equipment.
[Figure: VLAN layout. On the MoJ network: a Server Management VLAN, a Network Management VLAN and workgroup switches. At the router, the Registry Agency VLAN and the Courts VLAN are each mapped to their own tunnel (Registry Agency tunnel and MoJ tunnel).]
2. Network Services
2.1. IP Connectivity
OSPF will be the routing protocol, and all core routers will be in the backbone area 0.
The distribution routers and the access routers connected to them will have their own area
number, corresponding to the extended star topology.
OSPF has two primary characteristics. The first is that the protocol is open, which means
that its specification is in the public domain. The OSPF specification is published as
Request For Comments (RFC) 1247. The second principal characteristic is that OSPF is
based on the SPF algorithm, which is sometimes referred to as the Dijkstra algorithm,
named after the person credited with its creation.
OSPF is a link-state routing protocol in which each router sends link-state
advertisements (LSAs) to all other routers within the same hierarchical area. Information
on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As
OSPF routers accumulate link-state information, they use the SPF algorithm to calculate
the shortest path to each node.
IPSec tunnels will be used for protection and encryption of the data traffic between all
routers. Cisco routers support the IP Security (IPSec) data encryption methods. IPSec is a
framework of open standards that provides data confidentiality, data integrity, and data
authentication between participating peers at the network layer.
IPSec encryption is an Internet Engineering Task Force (IETF) standard that supports the
Data Encryption Standard (DES) 56-bit and Triple DES (3DES) 168-bit symmetric key
encryption algorithms in IPSec client software. GRE configuration is optional with
IPSec. IPSec also supports certificate authorities and Internet Key Exchange (IKE)
negotiation. IPSec encryption can be deployed in standalone environments between
clients, routers, and firewalls, or used in conjunction with L2TP tunneling in access
VPNs. IPSec is supported on various operating system platforms.
IPSec encryption is the appropriate VPN solution where true data confidentiality is
required for the network. IPSec is also an open standard, so interoperability between
devices from different vendors is easy to achieve.
There is a fundamental problem with IPsec tunnels and dynamic routing protocols.
Dynamic routing protocols rely on IP multicast or broadcast packets, but IPsec
does not support encrypting multicast or broadcast packets. The current method for
solving this problem is to use generic routing encapsulation (GRE) tunnels in
combination with IPsec encryption. GRE tunnels do support transporting IP multicast and
broadcast packets to the other end of the GRE tunnel. The GRE tunnel packet is an IP
unicast packet, so the GRE packet can be encrypted using IPsec.
The VRF-aware GRE feature of Cisco IOS allows the source and destination of a tunnel
to be configured to belong to any Virtual Private Network (VPN) routing/forwarding
(VRF) table. A VRF table stores routing data for each VPN. The VRF table defines the
VPN membership of a customer site attached to the network access server (NAS). Each
VRF table comprises an IP routing table, a derived Cisco Express Forwarding (CEF)
table, and guidelines and routing protocol parameters that control the information that is
included in the routing table. As with existing GRE tunnels, the tunnel becomes
disabled if no route to the tunnel destination is defined.
In order to have common access to the Internet, and also for security reasons, the internal
network traffic will be separated from the Internet traffic, leaving the latter unencrypted.
Internet traffic will flow over the direct IP connection, whereas the internal traffic will
flow through generic routing encapsulation (GRE) interfaces and be encrypted with IPSec.
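The following Cisco IOS configuration is an added, constructed example of how the pieces of section 2.1 fit together on one regional-court access router; it is not part of the TeleLink design document. It assumes: two VRFs (COURTS and REGISTRY) to keep the two networks apart at Layer 3 on top of the Layer 2 VLAN separation; a distribution router reachable at 203.0.113.5 that terminates the two tunnels on two loopbacks, 198.51.100.10 and 198.51.100.20, so that each GRE tunnel gets its own IPsec security association; OSPF area 1 for this distribution region; and 3DES with a pre-shared key, as listed in the document (a current deployment would use AES and, preferably, certificates). All addresses, names and the pre-shared-key placeholder are invented.

```cisco
! Regional-court access router (constructed example, not the project's configuration)
!
! Two separated networks: one VRF each (addresses and names are assumptions)
ip vrf COURTS
 rd 65000:1
ip vrf REGISTRY
 rd 65000:2
!
! ISAKMP / IPsec used to protect the GRE tunnels (3DES as the document lists)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Both distribution-side tunnel endpoints live in 198.51.100.0/24 (constructed)
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.0 255.255.255.0
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set TS-3DES
!
! WAN leased line: plain IP in the global routing table, nothing encrypted here
interface Serial0/0
 description Leased line to the distribution router
 ip address 203.0.113.6 255.255.255.252
!
! LAN: 802.1Q trunk to the Layer 2 switch, one VLAN per network
interface FastEthernet0/0
 no ip address
interface FastEthernet0/0.10
 description Courts VLAN
 encapsulation dot1Q 10
 ip vrf forwarding COURTS
 ip address 10.10.1.1 255.255.255.0
interface FastEthernet0/0.20
 description Registry Agency VLAN
 encapsulation dot1Q 20
 ip vrf forwarding REGISTRY
 ip address 10.20.1.1 255.255.255.0
!
! GRE tunnels: the inside of each tunnel is in a VRF, while the tunnel
! endpoints (source/destination) are looked up in the global table.
! OSPF multicast travels inside GRE; the GRE packet itself is unicast,
! so "tunnel protection" can hand it to IPsec.
interface Tunnel10
 description Courts tunnel to the distribution router
 ip vrf forwarding COURTS
 ip address 10.255.10.2 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile GRE-PROT
interface Tunnel20
 description Registry Agency tunnel to the distribution router
 ip vrf forwarding REGISTRY
 ip address 10.255.20.2 255.255.255.252
 ip mtu 1400
 tunnel source Serial0/0
 tunnel destination 198.51.100.20
 tunnel protection ipsec profile GRE-PROT
!
! OSPF: one process per VRF; this access router and its distribution router
! share area 1 (the core routers sit in area 0, per the document)
router ospf 10 vrf COURTS
 capability vrf-lite
 network 10.10.1.0 0.0.0.255 area 1
 network 10.255.10.0 0.0.0.3 area 1
router ospf 20 vrf REGISTRY
 capability vrf-lite
 network 10.20.1.0 0.0.0.255 area 1
 network 10.255.20.0 0.0.0.3 area 1
!
! Internet traffic: direct IP toward the core, unencrypted, via the global table
ip route 0.0.0.0 0.0.0.0 203.0.113.5
ip route vrf COURTS 0.0.0.0 0.0.0.0 Serial0/0 203.0.113.5 global
ip route vrf REGISTRY 0.0.0.0 0.0.0.0 Serial0/0 203.0.113.5 global
! Return path from the global table back into each VLAN
ip route 10.10.1.0 255.255.255.0 FastEthernet0/0.10
ip route 10.20.1.0 255.255.255.0 FastEthernet0/0.20
! Guard rail: if a tunnel goes down and its OSPF routes disappear, internal
! 10/8 destinations must not fall through to the unencrypted default route
ip route vrf COURTS 10.0.0.0 255.0.0.0 Null0 254
ip route vrf REGISTRY 10.0.0.0 255.0.0.0 Null0 254
```

The point to check after applying such a configuration is the split the document describes: `show crypto ipsec sa` should show encrypted packet counters growing only for the two GRE peers, while traffic matching the default route leaves Serial0/0 in clear. The Null0 routes are the caveat a practitioner wants here: because the design routes Internet traffic unencrypted by default, anything that loses its OSPF route over the tunnel would otherwise be forwarded in clear text, so the internal aggregate is pinned to Null0 with a high administrative distance that only takes effect when the tunnel-learned routes are gone.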