Data Networking/Fall 2013/Group6

The Folks

Ashwin Aher

Vicky Dewani

Jaysinh Patil

Rohit Aswani

Motivation

The Internet is ubiquitous. It is a network of networks: a set of interconnected computer networks built on the TCP/IP model. The aim of a computer networks course is to provide a basic understanding of networks and then practical insight into how they are built.

While studying Data Networking we gained theoretical knowledge of its concepts; the next step is to build a small network of our own. Our network consists of a Dynamic Host Configuration Protocol (DHCP) server that assigns IP addresses to clients joining the network, a Domain Name System (DNS) server (the Internet's directory service) that resolves the web server's name to its IP address, and a web server that serves a page. Security is one of the most important features of any network, so a firewall is configured to protect the servers. Finally, a system should be robust enough to tolerate a failure at any time, so backups are configured as well.

We have used Windows since childhood. For a change, and to carry out this project, we migrated to another operating system, Linux, an open-source platform that is free of cost and easy to develop on, modify and distribute. We used Ubuntu 12.04.

Understanding the Protocol

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol is an application-layer protocol (carried over UDP, server port 67 and client port 68) that dynamically assigns a unique IP address, from a pool it manages, to every host that joins the network. It is called a plug-and-play protocol because it automates the network configuration needed to connect a host. Besides the address, the DHCP server supplies the subnet mask, the default gateway address, the local DNS server address and a lease time. A lease is obtained in four steps: DHCP Discover (client broadcast), DHCP Offer (server), DHCP Request (client) and DHCP ACK (server).

Domain Name System (DNS)

Domain Name System is an application-layer protocol that translates hostnames to IP addresses (and, through reverse lookup, IP addresses back to names). The mappings are stored in a distributed, hierarchical database of DNS servers. DNS uses port 53: UDP for ordinary queries and TCP for zone transfers and for responses too large to fit in a UDP datagram.

Web server

A web server holds the web pages that clients request; these pages carry the information the users ask for. A web page consists of a base HTML file and a list of referenced objects (images, scripts, style sheets). Pages are transferred with the Hypertext Transfer Protocol (HTTP), which uses TCP port 80.

Firewall

A firewall is one of the main means of separating an internal network from the outside world. It may be implemented in hardware, software or both, and it filters traffic according to rules: for example, it can permit a limited set of services such as ICMP, HTTP and SSH while blocking others such as FTP and SMTP. A packet filter only decides which traffic may pass; it does not protect against flaws in the services it lets through.

The Requirements

In this project we configure a DHCP server (isc-dhcp-server), DNS (bind9), a web server (apache2), a firewall (iptables) and backup (rsync over an SSH server).

Steps to perform the setup / installation

Dynamic Host Configuration Protocol Configuration

Dynamic Host Configuration Protocol (DHCP) is a plug-and-play protocol: it assigns an IP address to every client joining a particular network.

Steps to configure DHCP:

1. Open a terminal and install the package isc-dhcp-server: sudo apt-get install isc-dhcp-server.

2. The DHCP server must be told which interface to listen on for incoming requests. This is set with nano in /etc/default/isc-dhcp-server (the INTERFACES line). By default it is eth0, which we kept. The server itself needs a fixed address, so in /etc/network/interfaces the eth0 stanza is changed from dhcp to static; we gave the DHCP server the static IP address 192.168.1.10.

3. Restart networking with sudo /etc/init.d/networking restart.

4. The main DHCP configuration file is /etc/dhcp/dhcpd.conf. In it we specified, with nano, the subnet and its netmask, the range of IP addresses that may be leased to clients joining the network, the broadcast address, the default gateway (option routers) and the domain name and DNS server that clients should use (option domain-name, option domain-name-servers).

5. After the changes have been made, restart the DHCP service so that it reads the new configuration: sudo service isc-dhcp-server restart. Saving the file alone does not reload the server.

For IPv6 implementation

1. For IPv6 we used radvd (Router Advertisement Daemon) rather than a DHCPv6 server. radvd does not lease addresses: it advertises the network prefix in Router Advertisements, and clients derive their own addresses from it (stateless address autoconfiguration, SLAAC). In /etc/radvd.conf we declared the interface, the prefix to advertise and the advertisement interval and lifetime parameters.

2. To make the changes take effect we restarted radvd (not the DHCP server): sudo service radvd restart.
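The two configuration files the steps above describe, generated by a script, as an added example that is not part of the original project. From the page: the 192.168.1.0/24 subnet, the server at 192.168.1.10, the domain s.com and interface eth0. Assumed, not from the page: the lease range .100 to .200, the default gateway 192.168.1.1, the documentation prefix 2001:db8:1::/64 for IPv6 and an IPv6 address for the DNS server. Both daemons ship a syntax checker (dhcpd -t, radvd -c), which the install step runs before restarting anything.

```sh
#!/bin/sh
# Added example (not the project's own files): generates dhcpd.conf and
# radvd.conf for the lab network.  Values marked "assumption" are not from
# the page.

SUBNET=192.168.1.0
NETMASK=255.255.255.0
BROADCAST=192.168.1.255
RANGE_LO=192.168.1.100        # assumption
RANGE_HI=192.168.1.200        # assumption
GATEWAY=192.168.1.1           # assumption
DNS_SERVER=192.168.1.10
DOMAIN=s.com
IFACE=eth0
PREFIX6=2001:db8:1::/64       # assumption (RFC 3849 documentation prefix)
DNS_SERVER6=2001:db8:1::10    # assumption

# /etc/dhcp/dhcpd.conf.  The two "option domain-name*" lines are the ones
# whose absence broke nslookup on the clients (problem 3 on this page).
gen_dhcpd_conf() {
    cat <<EOF
# Generated for the $DOMAIN lab network
authoritative;
default-lease-time 600;
max-lease-time 7200;
option domain-name "$DOMAIN";
option domain-name-servers $DNS_SERVER;

subnet $SUBNET netmask $NETMASK {
    range $RANGE_LO $RANGE_HI;
    option routers $GATEWAY;
    option broadcast-address $BROADCAST;
}
EOF
}

# /etc/radvd.conf.  radvd only advertises the prefix; hosts build their own
# addresses from it (SLAAC).  RDNSS tells them the IPv6 DNS server, which
# SLAAC alone would not.
gen_radvd_conf() {
    cat <<EOF
interface $IFACE {
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix $PREFIX6 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS $DNS_SERVER6 { };
};
EOF
}

# Write both files, syntax-check them with the daemons' own checkers, and
# restart the services.  Run as: sh dhcp-setup.sh install
install_dhcp_configs() {
    gen_dhcpd_conf | sudo tee /etc/dhcp/dhcpd.conf >/dev/null
    sudo dhcpd -t -cf /etc/dhcp/dhcpd.conf || return 1
    printf 'INTERFACES="%s"\n' "$IFACE" | sudo tee /etc/default/isc-dhcp-server >/dev/null
    sudo service isc-dhcp-server restart

    gen_radvd_conf | sudo tee /etc/radvd.conf >/dev/null
    sudo sysctl -w net.ipv6.conf.all.forwarding=1 >/dev/null   # radvd expects a router
    sudo radvd -c -C /etc/radvd.conf || return 1
    sudo service radvd restart
}

case "${1:-}" in
    install) install_dhcp_configs ;;
esac
```

A client that receives a lease from this file gets the search domain s.com and the DNS server 192.168.1.10 along with its address, so short names such as www resolve without further client configuration.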

Domain Name System Configuration

Domain Name System (DNS) is an application-layer protocol that translates hostnames into IP addresses. The following steps configure a DNS server on Ubuntu 12.04.

1. Install the package BIND9 using the command sudo apt-get install bind9.

2. Assign a static IP address to the DNS server (192.168.1.10, the same address, and so the same machine, as the DHCP server) by editing /etc/network/interfaces with sudo nano /etc/network/interfaces and restarting the network with sudo /etc/init.d/networking restart.

3. Declare the forward and reverse lookup zones in the file /etc/bind/named.conf.local.

4. Specify forwarders in the file /etc/bind/named.conf.options (not named.conf.local.options); BIND sends queries there for names it is not authoritative for and cannot resolve itself.

5. Add the records of the forward lookup zone in the file /etc/bind/zones/s.com.db (sudo nano /etc/bind/zones/s.com.db).

6. Add the reverse lookup zone in the file /etc/bind/zones/rev.1.168.192.in-addr.arpa.

7. In /etc/resolv.conf specify the DNS server's address (nameserver 192.168.1.10) and search s.com. On Ubuntu 12.04 resolvconf regenerates this file, so to make the settings survive a network restart put them in /etc/network/interfaces instead (dns-nameservers 192.168.1.10 and dns-search s.com in the interface stanza).

8. To make the changes take effect, restart BIND with sudo service bind9 restart. Check the files first with named-checkconf and named-checkzone s.com /etc/bind/zones/s.com.db, which report the line of any syntax error; a zone with an error is silently not loaded.

For IPv6 implementation

1. In the forward lookup zone we listed AAAA (quad-A) records, one per host. For reverse lookup we created a separate reverse zone whose name is the network prefix written as hexadecimal nibbles in reverse order under ip6.arpa (so a prefix of f80:: is written as 0.0.0.0.0.0.0.0.0.8.f followed by .ip6.arpa); the rest of the procedure is the same as for IPv4.

2. In that zone, list each host ID the same way, nibble by nibble in reverse order, as a PTR record.
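The zone names and zone files of the IPv4 and IPv6 steps above, produced by a script, as an added example that is not the project's own files. From the page: the domain s.com, the DNS server 192.168.1.10 and the reverse zone 1.168.192.in-addr.arpa. Assumed, not from the page: the web server is called www and has the address 192.168.1.20, the IPv6 prefix is the documentation prefix 2001:db8:1::/64 with host IDs ::10 and ::20, and the serial number. The nibble reversal that the IPv6 step describes is done by ip6_reverse_zone, which needs the prefix written out in full, since every zero that "::" hides is a nibble that must appear in the name.

```sh
#!/bin/sh
# Added example (not the project's own zone files): derives the zone names
# and writes the forward and reverse zones for s.com.  Values marked
# "assumption" are not from the page.

DOMAIN=s.com
NS_IP=192.168.1.10
WWW_IP=192.168.1.20                  # assumption
PREFIX6=2001:0db8:0001:0000          # assumption; the /64 written out in full
SERIAL=2013120101                    # assumption

# IPv4 reverse zone name for a /24: the first three octets reversed.
ip4_reverse_zone() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# IPv6 reverse name: every hex nibble of the argument in reverse order,
# dot-separated, under ip6.arpa.  The argument must contain no "::".
ip6_reverse_zone() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f')
    out=""
    while [ -n "$hex" ]; do
        rest=${hex#?}                 # everything after the first nibble
        out="${hex%"$rest"}.$out"     # prepend that nibble
        hex=$rest
    done
    printf '%sip6.arpa\n' "$out"
}

# Owner label of a host inside the IPv6 reverse zone: the 64-bit host part
# reversed the same way, without the zone suffix.
ip6_host_label() {
    r=$(ip6_reverse_zone "$1")
    printf '%s\n' "${r%.ip6.arpa}"
}

gen_named_conf_local() {
    cat <<EOF
zone "$DOMAIN" { type master; file "/etc/bind/zones/$DOMAIN.db"; };
zone "$(ip4_reverse_zone 192.168.1.0)" { type master; file "/etc/bind/zones/rev.1.168.192.in-addr.arpa"; };
zone "$(ip6_reverse_zone $PREFIX6)" { type master; file "/etc/bind/zones/rev.ip6.db"; };
EOF
}

gen_forward_zone() {
    cat <<EOF
\$TTL 86400
@       IN SOA  ns1.$DOMAIN. admin.$DOMAIN. ( $SERIAL 3600 900 604800 86400 )
@       IN NS   ns1.$DOMAIN.
ns1     IN A    $NS_IP
www     IN A    $WWW_IP
ns1     IN AAAA 2001:db8:1::10
www     IN AAAA 2001:db8:1::20
EOF
}

# PTR records use only the host part of the address as the owner name.
gen_reverse_zone4() {
    cat <<EOF
\$TTL 86400
@       IN SOA  ns1.$DOMAIN. admin.$DOMAIN. ( $SERIAL 3600 900 604800 86400 )
@       IN NS   ns1.$DOMAIN.
${NS_IP##*.}      IN PTR  ns1.$DOMAIN.
${WWW_IP##*.}      IN PTR  www.$DOMAIN.
EOF
}

gen_reverse_zone6() {
    cat <<EOF
\$TTL 86400
@       IN SOA  ns1.$DOMAIN. admin.$DOMAIN. ( $SERIAL 3600 900 604800 86400 )
@       IN NS   ns1.$DOMAIN.
$(ip6_host_label 0000:0000:0000:0010)  IN PTR  ns1.$DOMAIN.
$(ip6_host_label 0000:0000:0000:0020)  IN PTR  www.$DOMAIN.
EOF
}

# Write the files and let BIND's own checkers find mistakes before the
# restart.  Run as: sh dns-setup.sh install
install_dns() {
    sudo mkdir -p /etc/bind/zones
    gen_named_conf_local | sudo tee /etc/bind/named.conf.local >/dev/null
    gen_forward_zone     | sudo tee /etc/bind/zones/$DOMAIN.db >/dev/null
    gen_reverse_zone4    | sudo tee /etc/bind/zones/rev.1.168.192.in-addr.arpa >/dev/null
    gen_reverse_zone6    | sudo tee /etc/bind/zones/rev.ip6.db >/dev/null
    sudo named-checkconf || return 1
    sudo named-checkzone "$DOMAIN" /etc/bind/zones/$DOMAIN.db || return 1
    sudo named-checkzone "$(ip6_reverse_zone $PREFIX6)" /etc/bind/zones/rev.ip6.db || return 1
    sudo service bind9 restart
}

case "${1:-}" in
    install) install_dns ;;
esac
```

For the prefix 2001:db8:1::/64 the reverse zone name comes out as 0.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa, sixteen nibbles for sixteen hex digits; a zone named from the compressed form would be missing the zeros and would never be queried.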

Web Server Configuration

We configured the Apache2 web server, which is available in Ubuntu 12.04, on one of the systems, which acts as the web server. The web server's static IP address is configured on that machine itself (in /etc/network/interfaces, as for the DNS server) and is published in the DNS zone as an A record, so that every client joining the network can reach the web server by name. DNS only advertises the address; it does not assign it.

Steps for configuration of Web server:

1. Install the package using the command sudo apt-get install apache2.

2. The document root is /var/www. Running ls there shows the file index.html; edit it with sudo nano /var/www/index.html.

3. Static files are served as soon as they are saved, so no restart is needed for this change. After editing Apache's own configuration, restart it with sudo /etc/init.d/apache2 restart.

Firewall Configuration

A basic firewall is configured on the host serving as the web server to allow or block specific traffic from clients. iptables evaluates the rules of a chain in order and the first match wins, so the order of the commands below matters. The rules are as follows:

1. To check the current rules set for firewall, we used the command sudo iptables -L

2. To allow packets belonging to connections that are already established, and related traffic (such as ICMP errors), we used the command sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

3. To allow HTTP traffic (TCP port 80), we used the command sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

4. To allow ssh traffic, we used the command sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

5. To allow FTP, we used the following two commands:

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 20 -j ACCEPT

The second rule accepts every TCP packet whose source port is 20, regardless of destination port or connection state, and a sender chooses its source port freely; it therefore lets an attacker reach any port on the host. It is also unnecessary: the established/related rule of step 2 already admits the replies to the active-mode data connections the server opens from port 20, and passive-mode data connections are matched as RELATED once the FTP connection-tracking helper (nf_conntrack_ftp) is loaded.

6. To allow ICMP echo (ping), we used the following two commands; the OUTPUT rule is only needed if the default policy of the OUTPUT chain is ever changed from ACCEPT:

sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
sudo iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT

7. To drop all remaining incoming traffic, we used the command sudo iptables -A INPUT -j DROP. Any rule appended (-A) after this one is never reached, so later additions must be inserted (-I) in front of it; setting the chain's default policy with sudo iptables -P INPUT DROP avoids the problem.

8. To allow loopback traffic, on which local services depend, the rule must come before the DROP rule; because the rules are evaluated in sequence, we inserted it at position 1 with the command sudo iptables -I INPUT 1 -i lo -j ACCEPT

9. To check the rules in firewall, we used the command sudo iptables -L -v

10. iptables rules are lost at reboot unless saved. We installed iptables-persistent (sudo apt-get install iptables-persistent); during installation it offers to save the current IPv4 and IPv6 rules, which are written to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 and loaded at boot (or by hand with sudo service iptables-persistent start). After later changes, save again with sudo iptables-save | sudo tee /etc/iptables/rules.v4.

Even if the system reboots now, the changes will be in effect.

Backup Configuration

To make our system tolerant of failure, backups of the important files or directories are a must. For the transfer we used Secure Shell (SSH), authenticating the user with a generated key pair instead of a password. The copying is done by rsync, a file-transfer program similar to the Linux cp command that copies files or directories from one system to another and, on repeated runs, sends only the differences. rsync's own daemon listens on port 873 by default; when run over SSH, as here, it uses the SSH port (22) and no rsync daemon is needed.

To automate the backup a scheduler is needed; we used crontab. With SSH, a pair of public and private keys is generated by ssh-keygen -t rsa, which uses the RSA algorithm. For the destination to accept the backup connection securely, our public key has to be present in the file authorized_keys (in ~/.ssh of the target user) on the destination. sshd refuses that file if it is writable by anyone but its owner, so we set its permissions with chmod 644 authorized_keys (600 is the usual choice). The key is installed on the destination with ssh-copy-id username@ip_address, which appends it to that file. Then the job is entered with crontab -e, giving the rsync command with the destination username and IP address, scheduled at 12 am every day (0 0 * * *). Because cron cannot type a passphrase, the key has none; it should therefore be restricted in authorized_keys (the command= and from= options) so that it can only run the backup transfer.
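The backup job described above, with the key restriction the last sentence calls for, as an added example that is not the project's script. Assumed, not from the page: a destination user backup on the host 192.168.1.30, the web server as the source at 192.168.1.20, the key file ~/.ssh/id_rsa_backup, the source /var/www and the destination directory /backups/webserver. The restricting wrapper rrsync ships with rsync (on Debian and Ubuntu as /usr/share/doc/rsync/scripts/rrsync.gz, to be unpacked to /usr/local/bin/rrsync on the destination); it confines the key to rsync transfers inside one directory, which is why the client addresses the destination as "/".

```sh
#!/bin/sh
# Added example, not the project's script: cron-driven rsync over SSH with
# a dedicated passphrase-less key that the destination restricts to rsync
# only.  Hosts, users and paths are assumptions, not from the page.

SRC_DIR=/var/www/                 # trailing slash: copy the contents, not the directory
SRC_HOST=192.168.1.20
DEST_USER=backup
DEST_HOST=192.168.1.30
DEST_DIR=/backups/webserver
KEY=$HOME/.ssh/id_rsa_backup
LOG=$HOME/backup.log

# The rsync command the cron job runs: -a keeps ownership, permissions and
# times; -z compresses; --delete mirrors removals; BatchMode makes ssh fail
# instead of prompting, which is what you want from cron.  The remote path
# is "/" because rrsync on the destination maps it to DEST_DIR.
build_rsync_cmd() {
    printf 'rsync -az --delete -e "ssh -i %s -o BatchMode=yes" %s %s@%s:/\n' \
        "$KEY" "$SRC_DIR" "$DEST_USER" "$DEST_HOST"
}

# authorized_keys line for the destination.  ssh-copy-id would install the
# bare key, which hands a full shell to anyone who steals the private key
# from the cron host; this line limits it to rsync inside DEST_DIR and to
# connections from the web server.  Argument: the text of id_rsa_backup.pub.
build_authorized_keys_line() {
    printf 'command="/usr/local/bin/rrsync %s",from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$DEST_DIR" "$SRC_HOST" "$1"
}

# The crontab line: 12 am every day, as on this page, with output logged.
cron_entry() {
    printf '0 0 * * * %s >>%s 2>&1\n' "$(build_rsync_cmd)" "$LOG"
}

# One-time setup on the source host: make the key and print the line to
# paste into ~backup/.ssh/authorized_keys (mode 600) on the destination.
setup_key() {
    ssh-keygen -t rsa -b 4096 -N '' -f "$KEY"
    chmod 600 "$KEY"
    echo "Add this line to $DEST_USER@$DEST_HOST:~/.ssh/authorized_keys:"
    build_authorized_keys_line "$(cat "$KEY.pub")"
}

# Append the job to the current user's crontab (not root's; see problem 4).
install_cron() {
    { crontab -l 2>/dev/null; cron_entry; } | crontab -
}

case "${1:-}" in
    keygen)       setup_key ;;
    install-cron) install_cron ;;
    run)          eval "$(build_rsync_cmd)" ;;
esac
```

Run it once with keygen, install the printed line on the destination, test with run, and only then install-cron; a failed transfer then shows up in backup.log rather than disappearing into cron's mail.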

Testing

Test Plan

For DHCP:

1. Verify whether the DHCP server has its static IP address.
2. Check with ifconfig whether DHCP assigns the client joining the network an IP address within the configured range.
3. If yes, ping the DHCP server. If no, check whether the changes made in the configuration files have taken effect by restarting the networking service and the DHCP service.
4. If it still does not work, verify that the DHCP server and the client are connected (a crossover cable, or a switch).
5. Repeat the procedure for a different number of clients joining the network.

For DNS:

1. For testing DNS, we checked using the command nslookup.

2. An NXDOMAIN error means the name is not in the lookup zones (or the zone file contains an error and was not loaded).

3. If bind9 does not restart, there is an error in /etc/bind/named.conf.local or /etc/bind/named.conf.options; named-checkconf reports the line.

For Web server:

1. Test whether the web server works by typing localhost into a browser on the server.
2. Repeat with the server's IP address from a client; it should work as well.
3. For every client joining the network to reach the web server by name, make sure there is an entry for it in the DNS records.
4. Use nslookup to check the web server's name and IP address.

For Firewall:

1. With all the rules defined in iptables (initially allowing FTP), check whether the client can ping the web server machine.
2. Remove the ICMP rule and check again; the ping should now fail.
3. Let the client transfer files from the web server machine over FTP and check that it succeeds.
4. Remove the FTP rules and check again; the client should no longer be able to access the files.
5. Use netstat -tln to confirm that the service is listening, and sudo iptables -L -v to confirm from the packet counters that the rule is accepting or dropping its traffic.


Test Tools

The test tools required are workstations with Ubuntu installed, and cables and switches to connect them. For testing we used commands such as ifconfig, ping and nslookup.

Test Cases

Problems and Remedies

1. Problem: DHCP server was not working.

  Solution: We had not restarted the DHCP server. We achieved this using the command sudo service isc-dhcp-server restart.

2. Problem: Syntax errors were common

  Solution: We used the --help option to find the correct syntax of the command being typed.

3. Problem: During testing, DNS was not resolving the hostname while performing nslookup.

  Solution: We had forgotten to add the DNS zone name (option domain-name) to the DHCP configuration file /etc/dhcp/dhcpd.conf, so the clients received no search domain and short hostnames could not be resolved.

4. Problem: We had entered the backup job with sudo crontab -e, and the backed-up file did not appear in the /home directory on the destination.

  Solution: sudo crontab -e edits root's crontab, so the job ran as root, with root's SSH key and home directory rather than ours. After entering the job with crontab -e as our own user, the backup appeared in the /home directory.

Add-ons

We also established a VPN and an NFS share.


Virtual Private Network

The steps involved in configuring VPN are as follows:

1. First enter into the ROOT mode by using command “sudo su” and enter your password.

2. Now install the openvpn on both server and client side using the command “apt-get install openvpn”.

3. Create a directory with mkdir /etc/openvpn/easy-rsa and copy the easy-rsa scripts into it with cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa, so that a package upgrade does not affect the scripts or the keys they generate. The owner of the directory is changed (chown) to the current user so that it can create files there.

4. Edit the defaults (KEY_COUNTRY, KEY_ORG and so on) in /etc/openvpn/easy-rsa/vars, then load them and clear the key directory with cd /etc/openvpn/easy-rsa; source ./vars; ./clean-all.

5. Create the root certificate with ./build-ca. Server and client each receive a certificate signed by this CA and each verifies the other's certificate against it, which is how they authenticate one another. Afterwards two files are in /etc/openvpn/easy-rsa/keys/: ca.crt, the public CA certificate that is copied to both server and client, and ca.key, the CA's private key, which must stay on the machine that issues certificates and never be copied to clients.

6. Create the certificates for the OpenVPN server and client with ./build-key-server vpnserver for the server and ./build-key vpnclient1 for the client. build-key-server marks the certificate as a server certificate, which the client can later check.

7. Create the Diffie-Hellman parameters with ./build-dh (this produces dh1024.pem, or dh2048.pem if KEY_SIZE=2048 was set in vars).

8. Configure the server in /etc/openvpn/server.conf (a sample is in /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz), pointing it to ca.crt, vpnserver.crt, vpnserver.key and the dh file, and start it with sudo service openvpn start.

9. Configure the client side in /etc/openvpn/client.conf with the server's address, ca.crt, vpnclient1.crt and vpnclient1.key (copy these files to the client over a secure channel such as scp, never ca.key), and start OpenVPN on the client.

10. Now check the vpn server if it is working or not by pinging the vpnserver from the client side.
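A server.conf and client.conf for the certificates the steps above produce, as an added example that is not the project's configuration. The certificate names vpnserver and vpnclient1, ca.crt and dh1024.pem come from the commands above; assumed, not from the page, are the server's LAN address 192.168.1.10, the VPN subnet 10.8.0.0/24, UDP port 1194 and a tls-auth key ta.key. The client-side line remote-cert-tls server is the check that makes the build-key-server step matter: without it, any certificate signed by the same CA, including another client's, could stand in for the server.

```sh
#!/bin/sh
# Added example, not the project's configuration: OpenVPN server and client
# configs for the easy-rsa certificates built above.  Addresses, subnet,
# port and ta.key are assumptions.

VPN_SERVER=192.168.1.10
KEY_DIR=/etc/openvpn/easy-rsa/keys

gen_server_conf() {
    cat <<EOF
port 1194
proto udp
dev tun
ca   $KEY_DIR/ca.crt
cert $KEY_DIR/vpnserver.crt
key  $KEY_DIR/vpnserver.key
# dh2048.pem instead if KEY_SIZE=2048 was set in vars
dh   $KEY_DIR/dh1024.pem
# HMAC-sign the TLS handshake; packets without a valid HMAC are dropped
# before the TLS stack sees them (the 0 is the key direction).
tls-auth $KEY_DIR/ta.key 0
server 10.8.0.0 255.255.255.0
# let clients reach the lab LAN through the tunnel
push "route 192.168.1.0 255.255.255.0"
cipher AES-256-CBC
# drop root once the tunnel is up; persist-key/tun keep it working after that
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
status /var/log/openvpn-status.log
verb 3
EOF
}

gen_client_conf() {
    cat <<EOF
client
dev tun
proto udp
remote $VPN_SERVER 1194
nobind
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/vpnclient1.crt
key  /etc/openvpn/vpnclient1.key
tls-auth /etc/openvpn/ta.key 1
# Accept only a peer whose certificate was issued as a server certificate
# (build-key-server does that).  Without this, any client certificate from
# the same CA, e.g. vpnclient1's, could be used to impersonate the server.
remote-cert-tls server
cipher AES-256-CBC
persist-key
persist-tun
verb 3
EOF
}

# On the server: create the tls-auth key, write server.conf and restart.
# Run as: sh vpn-setup.sh server
install_server() {
    sudo openvpn --genkey --secret "$KEY_DIR/ta.key"
    gen_server_conf | sudo tee /etc/openvpn/server.conf >/dev/null
    sudo service openvpn restart
}

case "${1:-}" in
    server) install_server ;;
    client) gen_client_conf ;;   # redirect into /etc/openvpn/client.conf on the client
esac
```

ta.key, ca.crt and the client's own certificate and key are the only files that travel to the client; ta.key is shared by both ends, so an attacker without it cannot even start a TLS handshake with the server.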


Network File System


NFS (Network File System) is a distributed file system: a user on a client machine can access, over the network, files that are stored on the server, and many clients can share one directory exported by the server.

Steps and commands used to configure NFS:

On the server side:

1. First enter into the ROOT mode by using command “sudo su” and enter your password.

2. Now install the nfs kernel server using the command “apt-get install nfs-kernel-server”.

3. Create the directory to be shared with mkdir /var/nfs and change its owner with chown so that the intended user can write to it. The exports are declared in /etc/exports, edited with nano /etc/exports.

4. To export a directory to a client, add a line of the form /export client_ip(rw,sync,no_root_squash,no_subtree_check) to /etc/exports (no space before the parenthesis). no_root_squash lets root on the client act as root on the exported directory; the default, root_squash, which maps the client's root to nobody, is the safer choice unless root access is really needed.

5. Now restart the nfs kernel server by using the command “/etc/init.d/nfs-kernel-server restart”.

On the receiver side:

1. First enter into the ROOT mode by using command “sudo su” and enter your password.

2. Now install the nfs common using the command “apt-get install nfs-common”.

3. Create the mount points with mkdir -p /mnt/nfs/home and mkdir -p /mnt/var/nfs.

4. To mount, use mount <server IP>:/export <destination path> and mount <server IP>:/export/user <destination path>, where the destination path is one of the mount points created above.

5. To check, use df -h; the mounted exports appear in the list.

Future Prospects

1. Dynamic DNS could be implemented in the project.
2. In the iptables firewall, IP spoofing could be blocked (for example by dropping packets that arrive on the external interface with internal source addresses), and traffic could be allowed or blocked by MAC address.
3. The number of parallel connections to a server per client could be restricted using iptables (the connlimit match).
4. Backups could be encrypted with symmetric-key cryptography.
