Data Networking/Fall 2016/TSM

From Wikiversity

Group Members


1. Jibran Ahmed
2. Vijayalakshmi Hunnur
3. Ayanti Sengupta
4. Prerana Joshi

Motivation


The Linux operating system lets its users control almost every aspect of the system. The freedom, flexibility and security it offers make it well suited for network engineers who want to design their own networks. The desire to learn how the common network protocols behave and how their security settings are implemented motivated us to take on this project.

Behaviour of Protocols


Domain Name System


The Domain Name System (DNS) is an application layer protocol that implements a hierarchical, distributed database held in DNS servers. Its main service is translating domain names into IP addresses: the internet routes on IP addresses, but nobody can remember the addresses of every domain, so DNS servers resolve the names for them. DNS uses port 53 (UDP for ordinary queries, TCP for zone transfers and responses too large for UDP). In our project we maintain two servers, the master PurpleKush and the slave GrapeFruit. The slave holds a copy of the zones obtained from the master by zone transfer, and clients that list both servers fall back to the slave when the master is down. The name servers running on them are stranger1.LinuxProject.jaap.edu and stranger2.LinuxProject.jaap.edu respectively.

Dynamic Host Configuration Protocol


Dynamic Host Configuration Protocol (DHCP) is a client-server protocol that provides the devices in a network with an IP address together with its subnet mask, default gateway and other options. It is defined in RFC 2131 (the protocol) and RFC 2132 (the options). DHCP removes the configuration errors that manual assignment causes, such as typographical errors or address conflicts where the same IP address is given to more than one computer, and it reduces administrative effort. It pays off when the network is scaled up: a device added to the network obtains an address automatically from the configured range instead of needing a manual assignment, so the whole process is automated and managed centrally. DHCPv4 uses the connectionless User Datagram Protocol (UDP): the server listens on port 67 and the client on port 68.

The DHCP implementation uses the following terms:

In our project we created two DHCP servers, PurpleKush and GrapeFruit, each a master for its own pool, that assign IPv4 addresses dynamically from disjoint ranges:

               PurpleKush IP assignment range: 192.168.5.10 - 192.168.5.100
               GrapeFruit IP assignment range: 192.168.5.150 - 192.168.5.200

Exclusion range: addresses inside the scope that are never leased. Excluded addresses are normally used for routers and for hosts with static IP addresses. In our project the DHCP servers and the web server have static addresses:

               PurpleKush: 192.168.5.8
               GrapeFruit: 192.168.5.9
               Web Server: 192.168.5.3

Reservation: a permanent IP address tied to a particular client, server or hardware device (identified by its MAC address). In our project the reservation range is 192.168.5.101 to 192.168.5.149.

IPv6
The DHCP server PurpleKush assigns both IPv4 and IPv6 addresses dynamically to the devices in the network. DHCPv6 is the IPv6 counterpart of DHCP, defined in RFC 3315; it uses UDP port 546 on the client and port 547 on the server. The Router Advertisement Daemon (radvd) is open-source software that sends Router Advertisements carrying the link's IPv6 prefix and default-router information, as specified by the Neighbour Discovery Protocol (RFC 2461, since replaced by RFC 4861). DHCPv6 is not strictly necessary for handing out DNS server addresses, because Neighbour Discovery can carry them in the RDNSS option of a Router Advertisement (RFC 6106, now RFC 8106). Neighbour Discovery runs over ICMPv6 and is responsible for stateless address autoconfiguration, discovery of the other nodes on the link and their link-layer addresses, and finding available routers and DNS servers.
Scope: the entire range for DHCPv6 assignment is fd37:f7e3:802b:be94::/64
Address pool: IPv6 addresses are assigned from fd37:f7e3:802b:be94::10 to fd37:f7e3:802b:be94::254
Exclusion range and reservation: the name server handed out over DHCPv6 is fd37:f7e3:802b:be94::1, which lies below the pool and is therefore never leased


Webserver & Firewall


The Apache web server is one of the most widely deployed ways of serving web content on the internet and is extremely powerful and flexible. Apache breaks its functionality into individual units that can be customised and configured independently. The basic unit that describes an individual site or domain is called a virtual host. Each configured domain directs the visitor to a specific directory holding that site's content, never revealing that the same server is also responsible for other sites; the scheme has no software limit as long as the server can handle the load. In our project an Apache2 web server is hosted and the web page is a static HTML file.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an outside network, such as the internet, that is assumed not to be trusted. Firewalls can be hardware based or software based. Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu, developed to ease iptables configuration; it provides a user-friendly way to create IPv4 and IPv6 host-based firewalls.

Installation Steps


DNS server (bind9) on server1: PurpleKush (master)

Step 1: Login as root user and Install bind9
Command:

               apt-get install bind9

Step 2: Restart the networking daemon
Command:

               service networking restart

Step 3: Set the hostname by editing /etc/hostname
Command:

               vi /etc/hostname

Content (takes effect at the next boot, or immediately with hostname PurpleKush):

               PurpleKush

Step 4: Add the project's names to /etc/hosts
Command:

               vi /etc/hosts

Add

               127.0.0.1   localhost
               127.0.1.1   PurpleKush
               # The following lines are desirable for IPv6 capable hosts
               ::1         ip6-localhost ip6-loopback
               fe00::0     ip6-localnet
               ff00::0     ip6-mcastprefix
               ff02::1     ip6-allnodes
               ff02::2     ip6-allrouters
               # project hosts (IPv4)
               192.168.5.8 stranger1.LinuxProject.jaap.edu stranger1
               192.168.5.9 stranger2.LinuxProject.jaap.edu stranger2
               192.168.5.8 LinuxProject.jaap.edu
               # project hosts (IPv6)
               fd37:f7e3:802b:be94::1 stranger1.LinuxProject.jaap.edu stranger1
               fd37:f7e3:802b:be94::1 LinuxProject.jaap.edu

Step 5: Configure named.conf.options
Command:

               vi /etc/bind/named.conf.options

Add (recursion is restricted to the local network so the server cannot be used as an open resolver, and zone transfers are refused by default; the zones in the next step re-enable them for the slave only)

               // Only this network may use the server as a recursive resolver
               acl "trusted" {
                       192.168.5.0/24;
               };

               options {
                       directory "/var/cache/bind";
                       recursion yes;
                       allow-recursion { trusted; };
                       listen-on { 192.168.5.8; };
                       allow-transfer { none; };
                       forwarders {
                               8.8.8.8;
                               8.8.4.4;
                       };
                       dnssec-validation auto;
                       auth-nxdomain no;    # conform to RFC1035
                       listen-on-v6 { any; };
               };

Step 6: Configure named.conf.local
Command:

               vi /etc/bind/named.conf.local

Edit (the IPv6 reverse zone name is the first 16 nibbles of fd37:f7e3:802b:be94::/64 written in reverse order, one hex digit per label, so the last group be94 becomes 4.9.e.b)

               zone "LinuxProject.jaap.edu" {
                       type master;
                       file "/etc/bind/zones/db.LinuxProject.jaap.edu";
                       allow-transfer { 192.168.5.9; };
               };

               zone "5.168.192.in-addr.arpa" {
                       type master;
                       file "/etc/bind/zones/db.192.168.5";
                       allow-transfer { 192.168.5.9; };
               };

               // fd37:f7e3:802b:be94::/64
               zone "4.9.e.b.b.2.0.8.3.e.7.f.7.3.d.f.ip6.arpa" {
                       type master;
                       file "/etc/bind/zones/db.v6.1";
                       allow-transfer { 192.168.5.9; };
               };

Step 7: Create the forward zone file db.LinuxProject.jaap.edu in the zones folder
Command:
Make the directory /etc/bind/zones

               mkdir /etc/bind/zones

Copy db.local to db.LinuxProject.jaap.edu as a template

               cd /etc/bind/zones
               cp /etc/bind/db.local /etc/bind/zones/db.LinuxProject.jaap.edu

Open db.LinuxProject.jaap.edu

               vi db.LinuxProject.jaap.edu

Edit the file. A record line that starts with whitespace inherits the owner name of the previous record (the NS lines belong to @, each AAAA to the A record above it); the serial must be increased on every change or the slave will not pull the new zone; and a name with a trailing dot is absolute, so the CNAME for the web server must be the relative name www.known, not www.known. (which would lie outside the zone and be rejected). After editing, named-checkconf and named-checkzone LinuxProject.jaap.edu /etc/bind/zones/db.LinuxProject.jaap.edu report such errors before bind is reloaded.

               $TTL    604800
               @       IN      SOA     stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
                                       30        ; Serial
                                   604800        ; Refresh
                                    86400        ; Retry
                                  2419200        ; Expire
                                   604800 )      ; Negative Cache TTL
               ;
               ; Name Server NS Records
                       IN      NS      stranger1.LinuxProject.jaap.edu.
                       IN      NS      stranger2.LinuxProject.jaap.edu.
               ;
               ; NS A and AAAA Records
               stranger1.LinuxProject.jaap.edu.  IN  A     192.168.5.8
                                                 IN  AAAA  fd37:f7e3:802b:be94::1
               www     IN      CNAME   stranger1.LinuxProject.jaap.edu.
               stranger2.LinuxProject.jaap.edu.  IN  A     192.168.5.9
               ;
               ; Webserver record - Type A and AAAA
               known.LinuxProject.jaap.edu.      IN  A     192.168.5.3
                                                 IN  AAAA  fd37:f7e3:802b:be94::3
               www.known   IN  CNAME   known.LinuxProject.jaap.edu.
               ftp         IN  CNAME   stranger2.LinuxProject.jaap.edu.
               ;smtp      IN  CNAME   mail.LinuxProject.jaap.edu.
               smtp        IN  MX  5   mx1.LinuxProject.jaap.edu.
               mx1.LinuxProject.jaap.edu.        IN  A     192.168.5.6

Step 8: Create the two reverse zone files db.192.168.5 (IPv4) and db.v6.1 (IPv6) in the zones folder
Command:
Open db.192.168.5

               vi /etc/bind/zones/db.192.168.5

Edit the file (the owner of each PTR is the last octet of the address, relative to 5.168.192.in-addr.arpa)

               $TTL    604800
               @       IN      SOA     stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
                                        9         ; Serial
                                   604800         ; Refresh
                                    86400         ; Retry
                                  2419200         ; Expire
                                   604800 )       ; Negative Cache TTL
               ;
               ; NS Records
                       IN      NS      stranger1.LinuxProject.jaap.edu.
                       IN      NS      stranger2.LinuxProject.jaap.edu.
               ;
               ; PTR Records
               8       IN      PTR     stranger1.LinuxProject.jaap.edu.   ; 192.168.5.8
               9       IN      PTR     stranger2.LinuxProject.jaap.edu.   ; 192.168.5.9
               3       IN      PTR     known.LinuxProject.jaap.edu.       ; 192.168.5.3

Open db.v6.1 file

               vi /etc/bind/zones/db.v6.1

Edit the file

               $TTL    604800
               @       IN      SOA     stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
                                       6         ; Serial
                                  604800         ; Refresh
                                   86400         ; Retry
                                 2419200         ; Expire
                                  604800 )       ; Negative Cache TTL
               ;
               ; NS Records
                        IN      NS      stranger1.LinuxProject.jaap.edu.
                        IN      NS      stranger2.LinuxProject.jaap.edu.
               ;
               ; PTR Records
               1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     stranger1.LinuxProject.jaap.edu.; fd37:f7e3:802b:be94::1
               3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     known.LinuxProject.jaap.edu.    ; fd37:f7e3:802b:be94::3
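
Writing the IPv6 reverse zone by hand is where this configuration most often goes wrong: the /64 must be entered nibble by nibble in reverse order for the zone name, and the host part the same way for each PTR owner. The script below is an added example, not part of the original project, that computes both from an address and a prefix length using only POSIX sh and awk; the address is the page's, the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original project: derive the ip6.arpa zone
# name and the relative PTR owner names that db.v6.1 needs from an IPv6
# address and prefix length.  The nibbles must be reversed one hex digit at a
# time (be94 -> 4.9.e.b), which is easy to get wrong by hand.  POSIX sh, awk
# and tr only; IPv4-mapped forms (::ffff:a.b.c.d) are not handled.

# ip6_expand ADDR: the 32 hex nibbles of ADDR, lower case, no separators.
# Expands "::" and restores suppressed leading zeros in every group.
ip6_expand() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        n = 0                                  # non-empty groups present
        for (i = 1; i <= NF; i++) if ($i != "") n++
        out = ""; gap_done = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "") {                    # the "::" gap: 8-n zero groups
                if (!gap_done) {
                    for (j = 0; j < 8 - n; j++) out = out "0000"
                    gap_done = 1
                }
            } else {
                out = out substr("0000" $i, length($i) + 1)   # left-pad to 4
            }
        }
        print out
    }'
}

# ip6_nibbles_reversed ADDR: all 32 nibbles reversed and dot-separated, i.e.
# the full owner name below ip6.arpa.
ip6_nibbles_reversed() {
    ip6_expand "$1" | awk '{
        s = ""
        for (i = length($0); i >= 1; i--) s = s substr($0, i, 1) (i > 1 ? "." : "")
        print s
    }'
}

# ip6_arpa_zone ADDR PREFIXLEN: the zone apex for the prefix, i.e. the first
# PREFIXLEN/4 nibbles reversed plus ".ip6.arpa" (PREFIXLEN a multiple of 4).
ip6_arpa_zone() {
    ip6_expand "$1" | awk -v plen="$2" '{
        n = plen / 4; s = ""
        for (i = n; i >= 1; i--) s = s substr($0, i, 1) (i > 1 ? "." : "")
        print s ".ip6.arpa"
    }'
}

# ip6_ptr_owner ADDR PREFIXLEN: the owner name of the PTR record relative to
# that zone: the remaining 32-PREFIXLEN/4 nibbles, reversed.
ip6_ptr_owner() {
    ip6_expand "$1" | awk -v plen="$2" '{
        n = plen / 4; s = ""
        for (i = 32; i > n; i--) s = s substr($0, i, 1) (i > n + 1 ? "." : "")
        print s
    }'
}

# Usage: sh ip6rev.sh fd37:f7e3:802b:be94::1 64
if [ "$#" -ge 2 ]; then
    printf 'zone "%s"\n' "$(ip6_arpa_zone "$1" "$2")"
    printf '%s IN PTR <hostname>.\n' "$(ip6_ptr_owner "$1" "$2")"
fi
```

For fd37:f7e3:802b:be94::1 with prefix length 64 the zone is 4.9.e.b.b.2.0.8.3.e.7.f.7.3.d.f.ip6.arpa and the PTR owner is 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0, which is what named.conf.local and db.v6.1 above must contain; named-checkzone with the zone name from this script catches a mismatch between the two files.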
              

Step 9: Configure the resolver
Command:

               vi /etc/resolv.conf

Edit

               nameserver 192.168.5.8
               nameserver 192.168.5.9
               search LinuxProject.jaap.edu

Listing the slave second is what lets clients keep resolving when the master is down. On Ubuntu releases that use resolvconf, /etc/resolv.conf is regenerated at boot and manual edits are lost; put the same values in /etc/network/interfaces as dns-nameservers 192.168.5.8 192.168.5.9 and dns-search LinuxProject.jaap.edu, which resolvconf turns into the lines above.

DHCP Server

Step 1: Login as root and install the DHCP server package
Command:

               apt-get install isc-dhcp-server

Step 2: Tell the server which interface to serve on
Command:

               vi /etc/default/isc-dhcp-server
               # on the INTERFACES line (line 11 in the stock file) name the interface facing 192.168.5.0/24
               INTERFACES="ens33"
               # save and exit

Step 3: Edit /etc/dhcp/dhcpd.conf
Command:

               vi /etc/dhcp/dhcpd.conf

               default-lease-time 6000;
               max-lease-time 72000;
               option subnet-mask 255.255.255.0;
               option broadcast-address 192.168.5.255;
               option routers 192.168.5.254;
               option netbios-name-servers 192.168.5.8;
               option domain-name-servers 192.168.5.8, 192.168.5.9;
               option domain-name "LinuxProject.jaap.edu";

               subnet 192.168.5.0 netmask 255.255.255.0 {
                   range 192.168.5.10 192.168.5.100;
               }

               ddns-update-style none;
               deny declines;
               deny bootp;

GrapeFruit uses the same file with range 192.168.5.150 192.168.5.200, so the two servers never lease the same address. Check the syntax with dhcpd -t -cf /etc/dhcp/dhcpd.conf before restarting.

Step 4: Restart the DHCP server
Command:

               service isc-dhcp-server restart

Webserver


Step 1: Login as root and install the Apache2 web server
Command:

               apt-get install apache2

Step 2: Check that the web server is listening on port 80
Command:

               netstat -tlnp | grep ':80 '

Step 3: Restart the web server
Command:

               /etc/init.d/apache2 stop
               /etc/init.d/apache2 start

Step 4: Write the web page. Apache's default DocumentRoot on Ubuntu is /var/www/html; the project keeps its page in a public_html subdirectory, which is served under /public_html/ unless the virtual host's DocumentRoot is pointed at it.
Command:

               cd /var/www/html/public_html
               vi index.html

Firewall and Security


UFW lets the system administrator set the default policy for incoming traffic and add rules per port.
Install the package as root user
Command:

               apt-get install ufw

1. To block FTP requests (control port 21 and active-mode data port 20):

               ufw deny 20/tcp
               ufw deny 21/tcp

2. To block telnet requests:

               ufw deny 23/tcp

A rule written as "from any port 21 to any port 21" would match only packets whose source port is also 21, which clients never use, so the plain port form above is the one that actually blocks the service. None of the rules takes effect until ufw enable, after which the default incoming policy is deny; therefore allow the services this project offers explicitly: SSH on 2222/tcp first (before enabling, so the current session is not the last one), then 53/tcp and 53/udp for DNS, 67/udp for DHCP, 80/tcp for the web server and 2049/tcp for NFSv4.

The SSH port is changed from 22 to 2222 (Port 2222 in /etc/ssh/sshd_config) so that the daemon is not hit by the constant automated attacks against the default port. This hides the service from scanners that probe only port 22 but is no substitute for key-based authentication, and the new port must be allowed in the firewall.
Root login over SSH is disabled (PermitRootLogin no). Note that the backup job below logs in as root@GrapeFruit; with PermitRootLogin no that login is refused, so either use PermitRootLogin prohibit-password (root with keys only) or a dedicated backup account.
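
The page states these two sshd changes but does not show how they were applied. The script below is an added example, not the project's own, that sets Port 2222 and PermitRootLogin no in an sshd_config file so that each directive appears exactly once even when run repeatedly, and validates the result with sshd -t before installing it. The file path argument and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own script: apply the two sshd changes the
# page describes (listen on 2222, refuse root login) to an sshd_config file
# so that each directive appears exactly once, then validate with `sshd -t`
# when OpenSSH is installed.  The path is passed in, so it can be tried on a
# copy first; the helper names are ours.  POSIX sh and awk only.

# set_sshd_option FILE KEY VALUE: remove every existing line for KEY, active
# or commented out ("#Port 22"), then append "KEY VALUE".  Re-running it
# therefore never produces duplicate directives (sshd honours the first one).
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" '{
        line = $0
        sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indent and a leading "#"
        split(line, w, /[ \t]+/)
        if (w[1] != k) print                  # keep everything except KEY lines
    }' "$file" > "$tmp" || return 1
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# harden_sshd_config FILE [PORT]: the page's two changes; exit 0 when the file
# ends up with exactly one Port and one PermitRootLogin directive.
harden_sshd_config() {
    file=$1; port=${2:-2222}
    set_sshd_option "$file" Port "$port" || return 1
    set_sshd_option "$file" PermitRootLogin no || return 1
    [ "$(grep -c '^Port ' "$file")" -eq 1 ] &&
        [ "$(grep -c '^PermitRootLogin ' "$file")" -eq 1 ]
}

# sshd_port FILE: the port sshd would use with this file (22 when unset).
sshd_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 22 : p) }' "$1"
}

# Usage: sh harden-sshd.sh /etc/ssh/sshd_config
# Edits a copy, checks it, installs it with a backup and reminds you of the two
# steps that must follow.  Keep the current session open until a fresh login
# on the new port has succeeded.
if [ "$#" -ge 1 ]; then
    cfg=$1; work="$cfg.new"
    cp "$cfg" "$work" || exit 1
    harden_sshd_config "$work" 2222 || exit 1
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$work" || exit 1          # syntax check without restarting
    fi
    cp "$cfg" "$cfg.bak" && mv "$work" "$cfg" || exit 1
    echo "installed; now run: ufw allow 2222/tcp && service ssh restart"
fi
```

If the backup job is to keep logging in as root with its key, pass PermitRootLogin prohibit-password instead of no to set_sshd_option; everything else stays the same.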

DNS is hardened in named.conf.options by restricting recursion to the "trusted" ACL (192.168.5.0/24), so the servers cannot be abused as open resolvers in DNS amplification attacks, and by allowing zone transfers only to the slave, 192.168.5.9.

DHCP is hardened with the following directives in /etc/dhcp/dhcpd.conf:

               ddns-update-style none;
               deny declines;
               deny bootp;

ddns-update-style none stops the server from pushing dynamic updates into DNS; deny declines makes the server ignore DHCPDECLINE messages, which a malicious client could otherwise use to mark every address in the pool as abandoned and exhaust it; deny bootp refuses requests from the legacy BOOTP protocol.

Additional Features


IPsec protects IP traffic at the network layer; the project uses it to build a Virtual Private Network, a tunnel between two hosts. The outer addresses of the tunnel are the hosts' network addresses 192.168.5.8 (PurpleKush) and 192.168.5.9 (GrapeFruit); inside the tunnel the hosts use the private addresses 192.168.11.8 and 192.168.11.9. It is a host-to-host (PC-to-PC) tunnel. In tunnel mode the entire original IP packet is encrypted and integrity-protected and a new IP header addressed to the far end of the tunnel is prepended, so an eavesdropper on the path sees only the outer addresses and ciphertext.

Step 1: Install the strongSwan package used to configure the VPN
Command:

               apt-get install strongswan strongswan-plugin-xauth-generic

Step 2: Edit /etc/ipsec.secrets
Replace the default line with the two peers' identities, exactly as they appear in the left/right settings of the connection in /etc/ipsec.conf, followed by a long random pre-shared key. The file must be readable by root only, and the same line must be installed on both hosts:

               192.11.0.8 192.11.0.9 : PSK "<long random secret>"

Step 3: Restart the strongSwan service and confirm the tunnel is up with ipsec statusall
Command:

              service strongswan restart
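
The placeholder on the PSK line above is not a key, and a short or guessable PSK can be brute-forced offline by anyone who records the IKE exchange. The script below is an added example, not part of the original project, that generates a 256-bit random PSK and writes ipsec.secrets with root-only permissions. The peer identities are passed as arguments because the page gives 192.168.5.8 and 192.168.5.9 as the tunnel endpoints in prose but 192.11.0.8 and 192.11.0.9 in the secrets line; whichever pair is used must match left/right in /etc/ipsec.conf, which the page does not show. The helper names are ours.

```shell
#!/bin/sh
# Added example, not part of the original project: generate a strong IKE
# pre-shared key and write /etc/ipsec.secrets for the PurpleKush/GrapeFruit
# tunnel.  A short or guessable PSK can be brute-forced offline by anyone who
# records the IKE exchange, and a world-readable secrets file hands it to
# every local user.  The peer IDs are arguments (see the note above on which
# addresses the page uses); the helper names are ours.  POSIX sh only.

# gen_psk [BYTES]: BYTES of kernel randomness as lower-case hex; the default
# 32 bytes (256 bits) is well beyond what any offline attack on IKE can search.
gen_psk() {
    n=${1:-32}
    head -c "$n" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# write_ipsec_secrets FILE LEFT_ID RIGHT_ID PSK: one line in strongSwan's
# '<id> <id> : PSK "secret"' form, created with mode 0600.  The two IDs must
# equal the left/right (or leftid/rightid) values of the conn in ipsec.conf
# on both hosts, otherwise charon cannot find the key for the peer.
write_ipsec_secrets() {
    file=$1; left=$2; right=$3; psk=$4
    case "$psk" in
        *'"'*|*' '*|'')
            echo "PSK must be non-empty and contain no quotes or spaces" >&2
            return 1 ;;
    esac
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077 && printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$file" ) || return 1
    chmod 600 "$file"
}

# Usage: sh mk-ipsec-secrets.sh LEFT_IP RIGHT_IP [/etc/ipsec.secrets]
# Run once, then copy the resulting line to the peer over the existing SSH
# channel (never by mail or chat) and run `ipsec rereadsecrets` on both ends.
if [ "$#" -ge 2 ]; then
    key=$(gen_psk 32)
    write_ipsec_secrets "${3:-/etc/ipsec.secrets}" "$1" "$2" "$key" || exit 1
    echo "wrote ${3:-/etc/ipsec.secrets}; install the same key on the peer"
fi
```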

The Network File System (NFS) lets one host view, access and update files and directories that live on another host. The client sees them only after the administrator mounts the exported directory, and the server decides in /etc/exports which clients may mount it.

Step 1: Configure the NFS server
Command:

               sudo apt-get install nfs-kernel-server

Edit the file

               vi /etc/exports

and add on the last line

               /nico/f2        192.168.5.0/24(rw,sync,no_root_squash,no_subtree_check)
               /nico/f2        192.11.0.0/24(rw,sync,no_root_squash,no_subtree_check)

The export is limited to the two networks rather than the world, but no_root_squash means that root on any client in those networks is root on /nico/f2 as well; leave it out (the default, root_squash, maps remote root to nobody) unless a client really has to write files as root, and prefer a single client address to a whole /24 where possible.

Restart the server

               sudo service nfs-kernel-server restart

Step 2: Configure the NFS client
Command:

               sudo apt-get install nfs-common

Create the mount point /nico/f2 on the client and mount the export

               mkdir -p /nico/f2
               mount -t nfs serverip:/nico/f2 /nico/f2

Backup


Hardware and software failures can happen at any time; to avoid losing important data, backups are required. The two servers, PurpleKush and GrapeFruit, are backed up automatically at 00:00 over SSH: the data on PurpleKush is copied to GrapeFruit and the data on GrapeFruit to PurpleKush. The files to be backed up are tarred and then transferred with rsync over the SSH connection, so they travel encrypted (not over FTP, which the firewall above blocks and which would send them in clear).

Step 1: Install rsync

                            sudo apt-get install rsync 

Step 2: Install ssh

                            sudo apt-get install openssh-server 

Step 3: Create a public and a private key for security

                            ssh-keygen -t rsa

Step 4: Copy the public key to the peer server, GrapeFruit (with -p 2222, because the SSH port was moved)

                            ssh-copy-id -i /root/.ssh/id_rsa.pub -p 2222 root@GrapeFruit

Step 5: Edit the crontab

                            crontab -e

Step 6: Add the schedule and the backup command; the line below runs the backup script every day at 00:00 and logs its output

                            0 0 * * * /home/jibs/Documents/backupApp.sh >/home/jibs/Documents/backupApp.log 2>&1
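
The crontab line above runs backupApp.sh, which the page does not show. The script below is an added example of such a job, not the project's file: it archives the web root, checks that the archive really contains the page, ships it to the peer with rsync over SSH on the page's port 2222 and keeps a bounded number of local copies. The paths, the peer name and the retention count are assumptions.

```shell
#!/bin/sh
# Added example, not the project's backupApp.sh: archive the web root, verify
# the archive, ship it to the peer with rsync over SSH (port 2222 as on this
# page) and prune old local copies.  Paths, peer and retention are assumed.
# POSIX sh; needs tar, rsync and ssh.

SRC_DIR=${SRC_DIR:-/var/www/html}          # what to back up
STAGE_DIR=${STAGE_DIR:-/var/backups/www}   # local archive directory
PEER=${PEER:-root@GrapeFruit}              # other server (ssh key already copied)
PEER_DIR=${PEER_DIR:-/var/backups/from-purplekush}
SSH_PORT=${SSH_PORT:-2222}
KEEP=${KEEP:-7}                            # archives to retain locally

# make_archive SRC DEST_DIR: create DEST_DIR/www-YYYYmmdd-HHMMSS.tar.gz from
# SRC and print its path.  -C plus "." keeps absolute paths out of the archive.
make_archive() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    out="$dest/www-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$out" -C "$src" . || return 1
    printf '%s\n' "$out"
}

# archive_has ARCHIVE NAME: exit 0 when member ./NAME is in the archive
# (the post-backup integrity check; an empty archive is worse than none).
archive_has() {
    tar -tzf "$1" | grep -qx "./$2"
}

# prune_archives DEST_DIR KEEP: delete all but the newest KEEP archives and
# print how many were removed.
prune_archives() {
    dest=$1; keep=$2; removed=0
    for f in $(ls -1t "$dest"/www-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))"); do
        rm -f "$f"; removed=$((removed + 1))
    done
    echo "$removed"
}

# push_archive ARCHIVE: copy to the peer over SSH, not FTP, which the firewall
# section blocks and which would send the data in clear.
push_archive() {
    rsync -a -e "ssh -p $SSH_PORT" "$1" "$PEER:$PEER_DIR/"
}

# The full job runs only when invoked as "backupApp.sh run", so sourcing the
# file for its functions has no side effects.
if [ "${1:-}" = run ]; then
    a=$(make_archive "$SRC_DIR" "$STAGE_DIR") || exit 1
    archive_has "$a" index.html || { echo "index.html missing from $a" >&2; exit 1; }
    push_archive "$a" || exit 1
    echo "pruned $(prune_archives "$STAGE_DIR" "$KEEP") old archives"
fi
```

With this layout the crontab line would call the script with the argument run; the exit status and messages land in backupApp.log as the page's redirection intends, and a failed transfer leaves the local archive in place for the next attempt.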

Conclusion


A robust and secured corporate network architecture was implemented, consisting of DNS servers (master and slave), two DHCP servers (each a master for its own pool), a web server, an IPsec virtual private network, a Network File System export, host firewalls and automated backups. In addition, a malicious web server was set up to demonstrate ARP spoofing with a Scapy script.

References


Websites Referred:
1. https://help.ubuntu.com/community/BIND9ServerHowto
2. https://help.ubuntu.com/community/Postfix
3. https://help.ubuntu.com/community/isc-dhcp-server
4. http://www.bind9.net
5. http://net.tutsplus.com/tutorials/other/the-linux-firewall
6. https://help.ubuntu.com/community/OpenVPN
Books Referred:
1. Computer Networking: A Top-Down Approach, 6/e James F. Kurose, Keith W. Ross