High Level Design: Ministry of Justice


Ministry of Justice Project: LOT 9
Delivery and implementation of secure communication infrastructure for the Ministry of Justice and all the courts in Bulgaria

High Level Design

TeleLink PLC Page 1 of 12



Contents

A. Document Release Information ........................................ 3
B. Document Control Sheet ............................................... 4
1. Network Architecture ................................................. 4
1.1. Network topology and Core Layer topology ........................... 4
1.2. Distribution Layer ................................................. 7
1.3. Access Layer ....................................................... 7
1.4. Remote Access ..................................................... 10
2. Network Services .................................................... 11
2.1. IP Connectivity ................................................... 11
2.2. OSPF overview ..................................................... 11
2.3. IPSEC tunnels ..................................................... 11
2.4. GRE (Generic Routing Encapsulation) Tunneling ..................... 12
2.5. GRE Tunnel IP Source and Destination VRF Membership ............... 12
2.6. Internet access ................................................... 12


A. Document Release Information

Persons in charge
  Technical Approval : Todor Georgiev
  Author(s)          : Georgi Lyaskov
  Change Authority   : TeleLink PLC

Document Information
  Version      : 1.0
  Release Date : 26.07.2005
  Reference №  : TL-1-15-701-1327\26.07.05

Copyright Statement
All information included in this document is confidential and the exclusive property of
TeleLink AD.

Any unauthorized use of the above-mentioned information for publication, multiplication
and commercial purposes, as well as its dissemination and transfer to third parties in part,
in processed or complete form, without the explicit consent of TeleLink AD is strictly
prohibited.

The trademarks used in the document are registered trademarks of the respective
companies, proprietors of the brands in the USA and other countries.


B. Document Control Sheet

Revision History

Version No. | Issue Date | Status        | Reason for Change
0.1         | 04/02/2005 | First Draft   | Added GRE Tunneling
1.0         | 26/07/2005 | First Release |

Review History

Reviewer's Details                  | Version No. | Date
Georgi Georgiev                     | 0.2; 1.0    | 04/02/2005, 26/07/2005
Juliana Gradetzka (General editing) | 1.0         | 26/07/2005

1. Network Architecture

1.1. Network topology and Core Layer topology

The network architecture follows the hierarchical structure of the Bulgarian Judicial
System. It is divided into three logical layers – Core layer, Distribution layer and
Access layer. The core layer will be formed among five major judicial institutions – the
Ministry of Justice in Sofia and the Courts of Appeal in Bourgas, Varna, Veliko Tarnovo and
Plovdiv. The central router for this layer, and for the whole network, will be the Core
router in Sofia. The secondary core routers will be connected to the main router in a
logical ring topology and thus form a hierarchical structure with one central point – Sofia.
The core routers will provide the distribution layer routers with connectivity to the rest
of the network.
At this stage of the network design there is no clear information about the physical
connectivity between the routers. The links must have a large enough capacity to provide
a reliable and fast connection from and to every point of the network.


Figure 1 Ministry of Justice network: Core Layer Physical Topology

At the central site in Sofia, a Network Management System (NMS) server, PIX firewalls, an
Intrusion Detection System (IDS), a Content Engine and a Core router will be installed.
The Core router will aggregate the traffic and will provide the Internet access for the
whole network.


Figure 2 Physical Topology: Main Site – Sofia Core

The proposed architecture reduces the number of points vulnerable to unauthorized
access. The Internet connection will be terminated on a PIX firewall that will have a direct
link to a second PIX firewall (where all remote access IPSEC tunnels will be terminated)
and to a Layer 2 switch. The Layer 2 switch will provide connectivity for the local network,
the NMS, the IDS, the Content Engine and the Core router. The Content Engine in the central
office will provide local content storage in order to enhance the performance of user
applications that work through the Internet, to speed up communications and to save a
certain amount of Internet traffic.
The Core router will have at least two interfaces – one for the Layer 2 switch and another
for the connection to the rest of the network. The exact number and types of required
interfaces depend on the number of different providers and the types of interurban
connectivity. The proposed core layer architecture will provide the necessary
functionality without violating the high requirements for security and scalability of the
system.


1.2. Distribution Layer

This layer will integrate all District Courts. The routers of the distribution layer will be
connected to one of the five core routers, thus forming an extended star topology. The
advantage of this topology is its high scalability. Links will be realized through Ethernet
interfaces. At this level all IP and IPSec connections and tunnels from the access layer will
be terminated and aggregated. When two or more courts are situated in one building, only
one router will be used. It will serve as a multilayer router (distribution and access, or
core, distribution and access) and will deliver network services to the courts located in
the building. In this case the actual division between the judicial institutions will be
made at Layer 2 by creating separate VLANs.

Figure 3 Ministry of Justice network: Core and Distribution Layers

1.3. Access Layer

At the lowest level there will be access routers connecting all regional courts. They will
terminate IPSec tunnels to the distribution layer routers. Several connectivity
alternatives exist – a leased line with a serial interface or a leased line with Ethernet
interfaces. Every access router will run a routing protocol with a corresponding router from
the distribution layer. The access routers will deliver network services to the regional
courts. The connection to the LANs will be realized via a Layer 2 switch.


Figure 4 Ministry of Justice network: Layer 3 physical topology (diagram; labels: Access routers, Distribution routers and Core routers in the Distribution layer and Core layer, including combined Core and Distribution and Distribution and Access routers)


This network architecture will be used as a transport infrastructure for two independent
networks – one for the courts and another for the Registry Agency. They will be
completely separated by carrying their traffic in two different IPSEC tunnels. In order
to accomplish this, they will be assigned to different VLANs at Layer 2. The only
common service for these networks will be the Internet access.

Two additional VLANs will be created - one for server management and one for
management of the active network equipment.

Figure 5 LAN Connectivity model (diagram; labels: Server Management VLAN, Network Management VLAN, Workgroup Switches, Router, VLANs, Registry Agency Tunnel, MoJ Tunnel, Courts, MoJ Network)


1.4. Remote Access

A PIX firewall that terminates all the IPSec tunnels will be used for remote access.
This PIX firewall will have a direct connection to the Internet and to the secondary PIX
that provides access to the internal network. Teleworkers will connect to the internal
network via IPSec tunnels over the Internet.

Figure 6 Remote Access to the Ministry of Justice network


2. Network Services

2.1. IP Connectivity

OSPF will be the routing protocol in use, and all core routers will be in the backbone area 0.
The distribution routers and the access routers connected to them will have their own area
number, corresponding to the extended star topology.

2.2. OSPF overview

OSPF has two primary characteristics. The first is that the protocol is open, which means
that its specification is in the public domain. The OSPF specification is published as
Request for Comments (RFC) 1247. The second principal characteristic is that OSPF is
based on the SPF algorithm, which is sometimes referred to as the Dijkstra algorithm,
named for the person credited with its creation.
OSPF is a link-state routing protocol that calls for the sending of link-state
advertisements (LSAs) to all other routers within the same hierarchical area. Information
on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As
OSPF routers accumulate link-state information, they use the SPF algorithm to calculate
the shortest path to each node.

2.3. IPSEC tunnels

IPSec tunnels will be used for the protection and encryption of the data traffic between all
routers. Cisco supports the IP Security (IPSec) data encryption methods. IPSec is a
framework of open standards that provides data confidentiality, data integrity, and data
authentication between participating peers at the network layer.

IPSec encryption is an Internet Engineering Task Force (IETF) standard that supports the
Data Encryption Standard (DES) 56-bit and Triple DES (3DES) 168-bit symmetric key
encryption algorithms in IPSec client software. GRE configuration is optional with
IPSec. IPSec also supports certificate authorities and Internet Key Exchange (IKE)
negotiation. IPSec encryption can be deployed in standalone environments between
clients, routers, and firewalls, or used in conjunction with L2TP tunneling in access
VPNs. IPSec is supported on various operating system platforms.

IPSec encryption is the right VPN solution where true data confidentiality for the
networks is required. IPSec is also an open standard, so interoperability between
different devices is easy to implement.


2.4. GRE (Generic Routing Encapsulation) Tunneling

There is a fundamental problem with IPsec tunnels and dynamic routing protocols.
Dynamic routing protocols rely on using IP multicast or broadcast packets, but IPsec
does not support encrypting multicast or broadcast packets. The current method for
solving this problem is to use generic routing encapsulation (GRE) tunnels in
combination with IPsec encryption. GRE tunnels do support transporting IP multicast and
broadcast packets to the other end of the GRE tunnel. The GRE tunnel packet is an IP
unicast packet, so the GRE packet can be encrypted using IPsec.

2.5. GRE Tunnel IP Source and Destination VRF Membership

This feature allows you to configure the source and destination of a tunnel to belong to
any Virtual Private Network (VPN) routing/forwarding (VRF) table. A VRF table
stores routing data for each VPN. The VRF table defines the VPN membership of a
customer site attached to the network access server (NAS). Each VRF table comprises an
IP routing table, a derived Cisco Express Forwarding (CEF) table, and guidelines and
routing protocol parameters that control the information that is included in the routing
table. The implementation of this feature allows you to configure a tunnel source and
destination to belong to any VRF. As with existing GRE tunnels, the tunnel becomes
disabled if no route to the tunnel destination is defined.
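An illustrative Cisco IOS configuration for the distribution-router end of one access-layer tunnel, added here as an example and not taken from the TeleLink design; it ties together the OSPF area plan of 2.1, the IPsec protection of 2.3, the GRE encapsulation of 2.4 and the tunnel VRF membership of 2.5. All interface names, addresses, VRF and profile names, area numbers and the pre-shared key are assumed placeholders, and AES is used in place of the DES/3DES the document lists because both are deprecated.

```cisco
! Added example, not part of the TeleLink design document: distribution-router
! side of one GRE-over-IPsec tunnel to an access router, with OSPF running
! inside the tunnel. All names, addresses and area numbers are placeholders.
!
! Section 2.5: the tunnel endpoints are reached through a transport VRF ("WAN");
! the courts' traffic carried inside the tunnel stays in the global table.
ip vrf WAN
 rd 65000:1
!
! IKE phase 1. Keys for a VRF-facing interface live in a VRF-bound keyring.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto keyring KR-WAN vrf WAN
 pre-shared-key address 198.51.100.2 key PLACEHOLDER-PSK
crypto isakmp profile ISA-WAN
 keyring KR-WAN
 match identity address 198.51.100.2 255.255.255.255 WAN
!
! IPsec phase 2. Section 2.3 lists DES/3DES; both are deprecated, so AES is
! used here. Transport mode suffices because GRE already adds the outer header.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-GRE
 set isakmp-profile ISA-WAN
!
! Transport (WAN) interface, placed in VRF WAN.
interface GigabitEthernet0/1
 ip vrf forwarding WAN
 ip address 198.51.100.1 255.255.255.252
!
! Section 2.4: OSPF hellos (multicast 224.0.0.5) are GRE-encapsulated into
! unicast packets between the two endpoints, and only that GRE flow is
! encrypted by the attached IPsec profile.
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.2
 tunnel vrf WAN
 tunnel protection ipsec profile IPSEC-GRE
!
! Section 2.1: the tunnel and the court LAN belong to this distribution star's
! own area; area 0 is reserved for the core routers.
router ospf 1
 network 10.255.1.0 0.0.0.3 area 1
 network 10.1.0.0 0.0.255.255 area 1
```

The access router mirrors this configuration with the addresses swapped; if the WAN route to the tunnel destination disappears, the tunnel goes down and the OSPF adjacency with it, which is the behaviour section 2.5 describes.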

2.6. Internet access

In order to have common access to the Internet, and also for security reasons, the internal
network traffic will be separated from the Internet traffic, leaving the latter unencrypted.
Internet traffic will flow through the direct IP connection, whereas the local traffic will
flow through generic routing encapsulation (GRE) interfaces and be encrypted with IPSec.
