Design and Simulation of a Secured Enterprise Network for Faculty of Engineering, Rivers State University

Institutions generally seek a network infrastructure solution that intelligently combines voice and data networks. To compete globally, it has become necessary for the Faculty of Engineering to build and set up a secured enterprise network solution to drive the rapid engineering and technological advancement of the University. The aim of this study is to develop a secured, scalable, available and manageable enterprise network for the Faculty of Engineering, Rivers State University, Port Harcourt, Nigeria. In this article the various services that comprise the enterprise network are put together as a unit using the Hierarchical Network Model. The physical and logical network topology was designed for the Faculty of Engineering infrastructure, and the simulation showed that any user who connected to the network and initiated HTTP traffic was redirected to the authentication server for verification of credentials before being allowed onto the network. The results also show that the Cisco Adaptive Security Appliance, the core router, the distribution switches and the integrated services routers were properly configured. The design reduced network device load and the time needed to identify and resolve network issues. The configured network security provided availability, integrity and confidentiality. The design also enhanced rapid connectivity, and the addition of new devices did not affect the transfer of packets. Finally, the specifications and commands used in this study form a model that could be modified and deployed for other Faculties or Universities.

use of Virtual Local Area Networks (VLANs) to segment the network for each department in the college of engineering; it also analysed the transfer of packets on the network. Chunlin et al. (2017) explored a genetic algorithm for network topology design based on the hierarchical network model, made up of a lower physical topology and an upper logical topology. Self-similar traffic was modelled using the ON/OFF model; the self-similar traffic on the network was described by the logical topology, while the devices and links were represented in the lower physical topology. The study proposed a genetic algorithm technique for a novel network topology design that achieves minimum cost and delay under a given reliability constraint. A practical test was carried out to verify the accuracy and effectiveness of the topology design, and the results showed that the technique outperformed the reference methods.

Identified Knowledge Gap
The several studies carried out on the design and simulation of an enterprise network did not handle the physical and logical design of an enterprise network for the proposed case study, but demonstrated a generalised design implementation with a network simulator. None of the researchers included a Cisco Adaptive Security Appliance (ASA), a dedicated network security appliance used to filter traffic and defend the network against both internal and external attacks. Furthermore, none of the researchers developed a customised encryption and decryption solution to secure the database of the proposed case study. Finally, none of the researchers included the bill of engineering measurement and evaluation of the proposed design that would enable IT/network engineers to deploy it.

Current Work and Expected Outcome
This research designs and simulates a secured enterprise network for the Faculty of Engineering, Rivers State University, Port Harcourt, Nigeria, and is directed at closing the knowledge gap identified above. On completion, it provides a solution that would enable network/communication engineers to deploy a secured, scalable, available and manageable enterprise network for the Faculty of Engineering and that also serves as a prototype for other Faculties.

Methodology
The method used for the design of the secured enterprise network is the top-down network design approach, which makes better use of network resources and yields a better solution than the bottom-up approach. The technique comprises four stages: (i) identifying design requirements and goals, (ii) logical network design, (iii) physical network design, and (iv) testing, optimising and documenting the network design.

Identifying Design Requirement and Goals
This stage was carried out by obtaining relevant data from the users, who are the students, lecturers and non-teaching staff of the Institution. Information about the size of classes, laboratories and office complexes, the number of students and staff in each Department of the Faculty, and the future needs of the Faculty was obtained to aid the design of the logical and physical topology of the Institution's enterprise network.
Total number of users for the case study = number of staff + number of students = 7,674.
The network design plan is for 32,736 users, which can be scaled to about 65,000 users.

Logical Network Design
This section is concerned with the development of the proposed logical network design. Designing the logical network involves the design of the network topology, the selection of a routing protocol, and the choice of a redundancy technique for increasing availability. The hierarchical network design approach was adopted owing to its benefits over a flat network design. Three basic layers characterise the hierarchical design model: the core layer, which links the distribution layer devices; the distribution layer, which interconnects the smaller local networks; and the access layer, which provides connectivity for network hosts and end devices.

Physical Network Design
The physical network design stage involves choosing appropriate LAN and WAN technologies to deploy the Institution's enterprise network. The selections are made on the basis of cabling, physical and data link layer protocols, and internetworking devices (such as wireless access points, routers and switches).

Network Design Considerations
For the core layer, avoiding unnecessary delay in network traffic is the top design priority, together with fault tolerance, because a failure there affects every user on the network. The distribution layer design consideration involves routing, filtering, and the interconnection between the core layer and the access layer. The access layer provides the platform for user access to network resources; since traffic from the access layer is destined for other segments of the network, it must be sized for the traffic the users generate. The design of the wireless network was based on the physical coverage areas of the network and the optimum locations for mounting wireless access points, and the number of users within each coverage area was used to determine the types of antennas, the access point hardware, and the required wireless feature sets.

Network Architecture
The core router in Figure 2 had one of its interfaces connected to the Internet through the Cisco Adaptive Security Appliance and another to the DMZ (demilitarised zone). The DMZ contained a switch hosting the FTP, web, email and application servers. The distribution layer had three switches connecting the virtual local area networks (VLANs) of the following units of the Institution: laboratories, lecture theatres, conference room, library, departmental offices, staff offices, IT unit and administrative unit. The listed units are locations with different sub-networks that make up the access layer.

Network Addressing and Subnetting
In this section of the design process, a class B private Internet Protocol (IP) address block was specified for the devices on the IP network, so that packets can be delivered to the exact location of a user device on the network. Regardless of the type of LAN a user is connected to, IP addressing enables hosts on one network to interact with hosts on another network (Nathaniel et al., 2017). Furthermore, for proper management of traffic, speed and availability of the network, the address block was subnetted. Subnetting is the practice of taking bits from the host part of an IP address in order to reduce the size of a network (Nathaniel et al., 2017); the host fields of each subnet are formed after subnetting. Two addresses are set aside in every subnet: one for the network (subnet) address and one for the broadcast address. Subnetting can be approached in three fundamental ways: from the number of smaller networks to be built from a given address block; from the number of hosts that must be joined to each network; or by reverse engineering, where an address block and a subnet mask are known and the number of sub-networks and hosts per subnet are derived from them (Nathaniel et al., 2017).

The internal network address selected is 172.16.0.0 with a mask of 255.255.0.0. The following equations give the information required for subnetting:

Number of subnets = (1)
Number of hosts per subnet = (2)
Block size = Increment = 256 - subnet mask (the octet of the mask that is not 255) (3)

where x = the number of bits on the network part (masked bits) and y = the number of bits on the host part (unmasked bits).

In this study at least 2,024 hosts per subnet are required. The subnet mask was obtained from equation (2), and the table below shows the subnets obtained from the computation.
Table 3.1 shows the range of host addresses used to allocate IP addresses on the LAN of each building within the Faculty of Engineering. It also shows the network and broadcast addresses that the LAN devices or users in each building will operate on.
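As an added worked example (not part of the paper), the following Python script derives the subnet plan from the figures above: the 172.16.0.0/16 internal block, a requirement of at least 2,024 hosts per subnet, and sixteen building VLANs numbered VLAN10 to VLAN160 as used in the DHCP section. The /21 mask, the block size of 8 and the network, host range and broadcast addresses are computed from those inputs; the assignment of VLANs to subnets in ascending order is an assumption, and the table the script prints is not the paper's Table 3.1.

```python
import ipaddress

# Added example, not part of the paper: derive the subnet plan for the
# 172.16.0.0/16 internal block from the design figures given in the text
# (at least 2024 hosts per subnet, sixteen building VLANs numbered 10..160).
# The resulting /21 mask, block size and address table are computed here;
# the order in which VLANs are mapped onto subnets is an assumption.

INTERNAL_BLOCK = ipaddress.ip_network("172.16.0.0/16")
REQUIRED_HOSTS = 2024
VLAN_IDS = [10 * n for n in range(1, 17)]   # VLAN10 ... VLAN160


def host_bits_for(required_hosts):
    """Smallest y such that 2**y - 2 >= required_hosts (equation 2 solved for y).

    Two addresses per subnet are unusable: the network address and broadcast.
    """
    y = 2
    while 2 ** y - 2 < required_hosts:
        y += 1
    return y


def block_size(netmask):
    """Equation (3): 256 minus the first octet of the mask that is not 255."""
    for octet in netmask.packed:
        if octet != 255:
            return 256 - octet
    return 1   # /32: every address is its own block


def subnet_plan(block=INTERNAL_BLOCK, required_hosts=REQUIRED_HOSTS, vlan_ids=VLAN_IDS):
    y = host_bits_for(required_hosts)
    prefix = 32 - y                      # host bits fix the new prefix length
    x = prefix - block.prefixlen         # bits borrowed from the original host part
    if x < 0 or 2 ** x < len(vlan_ids):
        raise ValueError("address block cannot hold the requested subnets")
    subnets = list(block.subnets(new_prefix=prefix))
    rows = []
    for vlan_id, net in zip(vlan_ids, subnets):
        rows.append({
            "vlan": vlan_id,
            "network": str(net.network_address),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
        })
    hosts_per_subnet = 2 ** y - 2
    return {
        "mask": str(subnets[0].netmask),
        "prefix": prefix,
        "subnet_bits": x,
        "host_bits": y,
        "available_subnets": 2 ** x,
        "hosts_per_subnet": hosts_per_subnet,
        "block_size": block_size(subnets[0].netmask),
        "planned_capacity": len(vlan_ids) * hosts_per_subnet,   # 16 x 2046 = 32,736
        "block_capacity": 2 ** x * hosts_per_subnet,            # 32 x 2046 = 65,472
        "rows": rows,
    }


def vlan_for(address, plan):
    """Return the VLAN whose subnet contains `address`, or None for an unused subnet."""
    addr = ipaddress.ip_address(address)
    for row in plan["rows"]:
        net = ipaddress.ip_network(f"{row['network']}/{plan['prefix']}")
        if addr in net:
            return row["vlan"]
    return None


if __name__ == "__main__":
    plan = subnet_plan()
    print(f"mask {plan['mask']} (/{plan['prefix']}), block size {plan['block_size']}, "
          f"{plan['hosts_per_subnet']} hosts per subnet, "
          f"{plan['planned_capacity']} planned / {plan['block_capacity']} possible")
    for row in plan["rows"]:
        print(f"VLAN{row['vlan']:<4} {row['network']:<14} {row['first_host']:<14} "
              f"{row['last_host']:<14} {row['broadcast']}")
```

The computed figures agree with the text: a /21 (255.255.248.0) gives 2,046 usable hosts per subnet, sixteen such subnets carry 32,736 users, and the 32 subnets available in the /16 carry 65,472, which is the "about 65,000" scaling limit stated above.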

Switch Configurations
The configuration applied to the switches comprised the creation of a trunk port towards the router, the creation of access ports, the configuration of the default gateway, the creation of VLANs and the assignment of switch ports to the VLANs.

Trunk-to-Router
The following commands were entered at the switch command line interface (CLI) to configure the trunk port towards the router and the remaining ports as access ports:

EngrgSW(config)# interface fastethernet 0/2
EngrgSW(config-if)# switchport mode trunk
EngrgSW(config-if)# spanning-tree portfast trunk
EngrgSW(config-if)# interface range fastethernet 0/3 - 23
EngrgSW(config-if-range)# switchport mode access
EngrgSW(config-if-range)# end

Fa0/2 carries all VLANs to the router (router-on-a-stick), and PortFast is enabled on it because the router does not take part in spanning tree; Fa0/3 to Fa0/23 are fixed as access ports so that they cannot negotiate a trunk. Note that "switchport mode trunk" on its own still permits every VLAN on the trunk and leaves DTP negotiation enabled; restricting the allowed VLAN list and disabling DTP with "switchport nonegotiate" are the usual hardening steps for such a port.

Creating Virtual Local Area Network (VLANs)
There are about sixteen buildings within the Faculty of Engineering infrastructure at Rivers State University, Port Harcourt, Nigeria, including the Faculty building, the departmental laboratories and the lecture halls. Each building is connected on a separate VLAN, so sixteen (16) VLANs were created in all. The command used to create a VLAN on the switch is EngrgSW(config)# vlan [id]. The following commands were used to create the VLAN for the Faculty of Engineering (FE) main building and to assign it an easily identifiable name:

(none, WEP, WPA-PSK, WPA2-PSK) and input the pass phrase for the chosen authentication method to connect to the network. Of these options only WPA2-PSK should be enabled in practice: WEP is broken and WPA-PSK (TKIP) is deprecated.

Server Configuration
The network deployment for the Faculty requires Remote Desktop, DNS, DHCP, SMTP, HTTP and AAA servers. The setup details are as follows:

Dynamic Host Configuration Protocol (DHCP) Server Setup
The DHCP server was configured through the graphical user interface of the first server by selecting the DHCP service from the Services tab and turning it on, which provides the form for configuring the address pool of each VLAN. The parameters used to set up the address pools on the server are as follows:
The configuration above was repeated for the other VLANs (VLAN40 to VLAN160), and the Add button was used to store the parameters entered for each VLAN's pool on the DHCP server. Not all of the IP addresses in a subnet are placed in the DHCP pool; the remainder are reserved for network equipment that requires a manually assigned static IP address and for expansion of the network. In this design VLAN 10 is the network of the Institution's administrative centre, and more addresses were reserved in it so that the network administrator can assign static IP addresses to the equipment there.
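The pool layout described above can be planned and checked before it is typed into the server GUI. The following Python script is an added example, not the paper's server configuration: it splits each /21 building subnet into a gateway, a reserved static range and a DHCP lease range, gives VLAN 10 a larger reservation, and checks that a static address actually lies outside every pool (otherwise the server could lease the same address to a client). The /21 subnets and VLAN ids 10 to 160 follow the paper; the reservation sizes, the gateway at the first usable address, the DNS server address and the pool field names are assumptions.

```python
import ipaddress

# Added example, not the paper's configuration: plan DHCP address pools per
# building VLAN, holding back part of each /21 subnet for static assignment,
# with a larger reservation on VLAN 10 (the administrative centre). The /21
# subnets and VLAN ids 10..160 follow the paper; reservation sizes, gateway
# position, DNS server address and pool field names are assumptions.

SUBNETS = list(ipaddress.ip_network("172.16.0.0/16").subnets(new_prefix=21))[:16]
VLAN_IDS = [10 * n for n in range(1, 17)]
DNS_SERVER = "172.16.255.2"                    # assumed address of the DNS server
RESERVED = {vlan: 64 for vlan in VLAN_IDS}     # static addresses kept back per VLAN (assumed)
RESERVED[10] = 254                             # administrative centre keeps more back (assumed)


def plan_pool(vlan_id, net, reserved):
    """Split one subnet into gateway, static reservation and DHCP lease range."""
    usable = net.num_addresses - 2              # minus network and broadcast addresses
    if reserved < 1 or reserved > usable - 2:
        raise ValueError(f"VLAN{vlan_id}: reservation leaves no room for gateway and leases")
    gateway = net.network_address + 1           # assumed: router sub-interface is first usable
    static_first = gateway + 1
    static_last = gateway + reserved
    pool_start = static_last + 1
    pool_end = net.broadcast_address - 1
    return {
        "pool_name": f"VLAN{vlan_id}",
        "default_gateway": str(gateway),
        "dns_server": DNS_SERVER,
        "start_ip": str(pool_start),
        "subnet_mask": str(net.netmask),
        "max_users": int(pool_end) - int(pool_start) + 1,
        "static_range": (str(static_first), str(static_last)),
    }


def plan_all(subnets=SUBNETS, vlan_ids=VLAN_IDS, reserved=RESERVED):
    """Pool definitions for every VLAN, keyed by VLAN id."""
    return {vlan: plan_pool(vlan, net, reserved[vlan]) for vlan, net in zip(vlan_ids, subnets)}


def static_collides(address, pools):
    """True if a statically assigned address falls inside any DHCP lease range.

    Such an address could also be leased to a client, producing a duplicate.
    """
    addr = int(ipaddress.ip_address(address))
    for pool in pools.values():
        start = int(ipaddress.ip_address(pool["start_ip"]))
        if start <= addr < start + pool["max_users"]:
            return True
    return False


if __name__ == "__main__":
    for pool in plan_all().values():
        print(f"{pool['pool_name']:<8} gw {pool['default_gateway']:<13} "
              f"pool {pool['start_ip']:<14} +{pool['max_users']} leases  "
              f"static {pool['static_range'][0]} to {pool['static_range'][1]}")
    print("172.16.8.100 collides:", static_collides("172.16.8.100", plan_all()))
```

With these assumptions VLAN 10 keeps 172.16.0.2 to 172.16.0.255 for static hosts and leases from 172.16.1.0 upwards, while the other VLANs keep 64 addresses each; a static address such as 172.16.8.100 would fall inside the VLAN 20 pool and is flagged.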
The other servers, namely the Domain Name System (DNS) server, the Hypertext Transfer Protocol (HTTP) server, the email server and the Authentication, Authorization and Accounting (AAA) server, were configured in the same way through each server's graphical user interface (GUI), by clicking the Services tab and choosing the required service.
The security configuration on the network comprised setting passwords on the routers and switches, setting console port and Telnet connection passwords, setting up Secure Shell (SSH), setting up an AAA model on the router, and configuring access control lists. Where SSH is available, Telnet access should be disabled on the VTY lines rather than merely password protected, since Telnet carries credentials in clear text.
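The settings listed above are easy to verify mechanically. The following Python script is an added example, not the paper's configuration: it runs a small management-plane audit over IOS-style running-config text, checking for an enable secret, password encryption, local users defined with "secret", an AAA model, SSH version 2, VTY lines restricted to SSH, an access-class ACL on the VTY lines and a console login. Both configurations it contains are constructed for the example; the hostname, the ACL name and the hash placeholders are invented, and the checks encode common Cisco IOS hardening expectations rather than what the paper's devices were configured with.

```python
# Added example, not from the paper: audit the management-plane settings the
# paper lists (passwords, console/Telnet access, SSH, AAA, ACLs) over IOS-style
# running-config text. Both configs below are constructed for this example; the
# hostname, ACL name and hash placeholders are invented.

WEAK_CONFIG = """\
hostname EngrgCore
enable password cisco123
username admin password admin
line con 0
 password console
 login
line vty 0 4
 password telnet123
 login
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname EngrgCore
service password-encryption
aaa new-model
aaa authentication login default local
enable secret 5 $1$placeholder$hashvalue
username admin secret 5 $1$placeholder$hashvalue
ip domain-name engfaculty.com
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 172.16.0.0 0.0.7.255
line con 0
 login authentication default
 exec-timeout 5 0
line vty 0 4
 access-class MGMT-HOSTS in
 login authentication default
 transport input ssh
 exec-timeout 5 0
"""


def parse_sections(config):
    """Split IOS-style config into (top-level line, [indented child lines]) pairs."""
    sections = []
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_management_plane(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    top = [hdr for hdr, _ in sections]
    findings = []
    if not any(h.startswith("enable secret") for h in top):
        findings.append("no 'enable secret': privileged password absent or stored reversibly")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' not set: line passwords stored in clear text")
    if any(h.startswith("username ") and " password " in h for h in top):
        findings.append("local user defined with 'password' instead of 'secret'")
    if "aaa new-model" not in top:
        findings.append("'aaa new-model' absent: no AAA model, lines rely on line passwords")
    if "ip ssh version 2" not in top:
        findings.append("'ip ssh version 2' not set")
    for hdr, body in sections:
        if hdr.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(f"{hdr}: Telnet permitted or transport not restricted to SSH")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"{hdr}: no access-class ACL limiting management sources")
            if not any(b.startswith("login") for b in body):
                findings.append(f"{hdr}: no login or authentication configured")
        elif hdr.startswith("line con"):
            if not any(b.startswith("login") for b in body):
                findings.append(f"{hdr}: console has no login")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_management_plane(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak configuration the audit reports seven findings (no enable secret, clear-text line passwords, a user with a reversible password, no AAA model, no SSH version 2, Telnet still allowed on the VTY lines and no management ACL); the hardened configuration passes every check.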

RESULTS AND DISCUSSION
4.1 The Simulation of the Enterprise Network
The simulation screen capture in Figure 4.1 is a prototype of the secured enterprise network. It shows that the Cisco Adaptive Security Appliance, the core router, the two distribution switches and the integrated services routers were configured to provide network coverage to the entire Faculty infrastructure. The green link indicators show connectivity between the servers, router, switches, Internet and other devices. Furthermore, the integrated services routers/access points create a point of presence (POP) within each building of the Faculty, providing wireless connectivity and communication among PCs, laptops, PDAs and other Wi-Fi enabled devices.

Verifying Router Configurations
The results of the "show ip route" and "show ip interface brief" commands are shown in Figure 4.2 and indicate that the routing protocol and router interface configuration were functioning as expected.

Verifying the Virtual Local Area Network (VLAN)
The result of the "show vlan brief" command is captured in Figure 4.3, which shows that the VLANs are active and that the IDs and ports of all VLANs assigned to the Faculty buildings are as expected.

Verifying User Connections at Various Locations in the Faculty
The user devices that received an IP address after connecting to the network are shown in Figure 4.4 together with the VLAN they are connected to.
Figure 4.4: User devices obtaining IP addresses from the DHCP server
The figure shows that each user device connected to the network dynamically obtained an IP address from the DHCP server according to the VLAN it was connected to.

Network Connectivity Test
The ping command was used to test the communication and connectivity of the enterprise network, using either the IP address of a user device or a domain name. About sixteen VLANs and four server computers were configured on the network, and ping was executed to ascertain the connectivity of devices on the VLANs. Figure 4.5 shows the results obtained from the test.
Fig. 4.5: Network connectivity test
From Figure 4.5 it was evident that the network was correctly configured and that devices were reachable as expected; hence users at any location within the coverage area could access the resources on the Faculty enterprise network.
The ping command was also used to confirm that the DNS configuration was working: the domain name engfaculty.com was pinged from the command line interface, and the result showed that the domain name was translated to a valid IP address, which confirms the correctness of the DNS setup. The result of the test is shown in Figure 4.6.

Verifying the Dynamic Host Configuration Protocol (DHCP)
The DHCP server configuration is shown in Figure 4.7, which displays the DHCP address pools for all VLANs. A test of dynamic address assignment was also conducted: a user device connected to the network automatically obtained an IP address from the pool of the VLAN it was connected to.

Access to Faculty Website
The Faculty website was hosted on the web server set up in the demilitarised zone (DMZ), and users on the network can browse the Faculty website by domain name or IP address, as shown in Figure 4.9.

Faculty Email Service
The email service was tested by sending a message after registering an email client on the server. The results are shown in Fig. 4.9 and confirm that the mail server was configured correctly on the network and functions as intended.

Network Deployment Bill of Engineering Measurement and Evaluation (BEME)
Deploying the secured enterprise network requires purchasing the network equipment and other computing resources. A detailed bill of engineering measurement and evaluation for the deployment of the Faculty enterprise network is given below:

CONCLUSION
In this study, the physical and logical network topology was successfully developed from the survey data obtained at the Faculty of Engineering, Rivers State University. A technique for designing a secure enterprise network for the Faculty was developed, with internal and external protection provided by the Cisco Adaptive Security Appliance. The method not only stresses the importance of institutional requirements and goals in developing a secure network, but also provides built-in mechanisms to capture security needs and carry them through the analysis and design of the network architecture. An enterprise network for both guided and unguided media was developed by setting up DHCP, DNS, email, web and FTP services and VLANs; with a router and switches, VLANs were created and packets were routed from one device to another. Furthermore, the network was designed to reduce device load by limiting the number of device interconnections and the size of broadcast domains, to reduce cost by using an appropriate specification for the devices at each layer, and to reduce the time needed to identify a problem and apply a solution. The computerisation of the Institution would provide a competitive advantage for staff in the Faculty of Engineering, since it creates a dynamic and flexible work environment that keeps lecturers in permanent contact and interaction with their students, which is the fundamental basis for e-learning. Finally, the specifications and commands used in this study form a model that could be modified and deployed for other Faculties or Universities.

Recommendations for Future Work
(a) The addition of biometric and CCTV technologies for advanced access control and physical security, to provide more robust end-to-end security, is recommended for future work on this study. (b) The use of IPv6 addressing is highly recommended, as it allows every user device on the network to be assigned a unique IP address for easy identification; note that an address alone identifies a device but does not authenticate it, so the AAA controls remain necessary. (c) Increase the target storage capacity of the Institution's backup storage by acquiring additional high-capacity storage devices and a cloud storage solution for users on the network.

Vol.10, No.5, 2019