Data Networking/Fall 2014/Ruinan Hu

Behavior of the Protocol

DNS: The Domain Name System is a distributed database implemented in a hierarchy of DNS servers, and an application-layer protocol that allows hosts to query the distributed database. Depending on the query forwarded by the client, the DNS can perform two functions: 1) Forward DNS Query – Hostname to IP address; 2) Reverse DNS Query – IP address to Hostname.

There are three classes of DNS servers: 1) Root DNS servers; 2) Top-level domain (TLD) server; 3) Authoritative DNS servers.


➢ BIND 9: BIND is the most widely used Domain Name System (DNS) software on the Internet. The name originates as an acronym of Berkeley Internet Name Domain. The BIND 9 software distribution contains both a name server and a resolver interface library. BIND 9 is a major rewrite of nearly all aspects of the underlying BIND architecture. Some of the important features of BIND 9 are DNS security (DNSSEC, TSIG), IPv6, DNS protocol enhancements (IXFR, DDNS, DNS NOTIFY, EDNS0), views, multiprocessor support, and an improved portability architecture.

Some basic terms used in BIND 9:
1) Domains and domain names – The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative boundaries. Each node of the tree is called a domain.
2) Zones – A zone consists of those contiguous parts of the domain tree for which a name server has complete information and over which it has authority. It contains all domain names from a certain point downward in the domain tree except those which are delegated to other zones.
3) Authoritative name server – Each zone is served by at least one authoritative name server, which holds the complete data for the zone. There are two types of authoritative name servers: Master (Primary) and Slave (Secondary).


DHCP: DHCP stands for Dynamic Host Configuration Protocol. It is a network protocol that enables a server to automatically assign an IP address to a computer from a defined range of addresses configured for a given network. DHCP can return more than just the allocated IP address on the subnet:
1) Address of the first-hop router for the client
2) Name and IP address of the DNS server
3) Network mask (indicating the network versus host portion of the address)
The communication between the DHCP server and the client is as follows:
Step1: The client sends a DHCP-DISCOVER broadcast packet. Since it has no network configuration yet, the source address is 0.0.0.0 and the destination is 255.255.255.255. If the server is in the local subnet, it receives the message directly; otherwise a relay agent is used to pass the request to the DHCP server.
Step2: The server receives the DHCP-DISCOVER packet and offers an available IP address to the client by sending a DHCP-OFFER.
Step3: The client receives the DHCP-OFFER and sends a DHCP-REQUEST requesting the IP address lease offered.
Step4: The server receives the DHCP-REQUEST and officially grants the IP address lease by sending a DHCP-ACK.
Step5: The client requests an extension of the lease before it expires.
Step6: The server sends an ACK to the client granting an extension of the IP address lease.


➢ PXE Boot: PXE stands for Preboot eXecution Environment. So that the meaning of the client-server interaction is standardized as well, PXE uses certain vendor option fields of the DHCP protocol, which the DHCP standard allows.
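As an added example that is not part of the original report, the following Python builds the option block a DHCP server returns in its DHCP-OFFER (subnet mask, router, DNS server) together with the PXE boot hints in options 66 and 67, and decodes it on the client side, handling pad bytes, the end marker and truncated options. The 192.168.1.x addresses and the boot file name pxelinux.0 follow the lab setup but the specific values are assumed.

```python
import socket

DHCPOFFER = 2
SUBNET_MASK, ROUTER, DNS_SERVER, MSG_TYPE = 1, 3, 6, 53
SERVER_ID, TFTP_SERVER, BOOTFILE = 54, 66, 67


def encode_options(options):
    """Serialize (code, value) pairs as code, length, value; max 255 bytes each."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError("bad option %d" % code)
        out += bytes([code, len(value)]) + value
    return bytes(out) + b"\xff"  # end option


def decode_options(blob):
    """Parse to {code: value}; refuse truncated options instead of guessing."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 0:           # pad byte, has no length field
            i += 1
            continue
        if code == 255:         # end marker, ignore anything after it
            return opts
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("option %d runs past end of packet" % code)
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("missing end option")


def pxe_offer(mask, router, dns, tftp, bootfile):
    """Option block of the lab's combined DHCP+TFTP server (assumed values)."""
    return encode_options([
        (MSG_TYPE, bytes([DHCPOFFER])),
        (SERVER_ID, socket.inet_aton(tftp)),   # same host serves DHCP and TFTP
        (SUBNET_MASK, socket.inet_aton(mask)),
        (ROUTER, socket.inet_aton(router)),
        (DNS_SERVER, socket.inet_aton(dns)),
        (TFTP_SERVER, tftp.encode()),
        (BOOTFILE, bootfile.encode()),
    ])


def boot_target(blob):
    """What the PXE client takes from the offer: TFTP server and boot file."""
    o = decode_options(blob)
    return o[TFTP_SERVER].decode(), o[BOOTFILE].decode()
```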


Web Server: A web server, also known as a World Wide Web server, stores web pages and transmits them to clients. The content of the web pages are HTML documents, which may include images, text, sheets, etc. The protocol used between the web server and the clients is HTTP.
➢ There are four steps in the HTTP process:
Step1: The client sends a TCP connection request.
Step2: The web server sends a TCP response back to the client.
Step3: The client sends an HTTP request.
Step4: The server sends the web page (HTML document) to the client in an HTTP response message.
➢ There are two kinds of HTTP:
1) Non-persistent HTTP, which means a separate TCP connection is made for each requested object.
2) Persistent HTTP, which means only one TCP connection is used between the server and the client during the transmission of the web page.
➢ There are two versions of HTTP: HTTP/1.0 and HTTP/1.1. The difference is that HTTP/1.1 can use pipelining, which transmits the objects of a web page faster. The port number of the web server for HTTP requests is 80.

➢ Apache2: Nowadays there are many kinds of web servers, such as Nginx, IIS, lighttpd, Apache, etc. As half of the web servers in the world are Apache web servers, we chose Apache as the web server for the company. Apache supports a variety of features, many implemented as compiled modules that extend the core functionality. These range from server-side programming language support to authentication schemes. Common language interfaces support Perl, Python, Tcl, and PHP.

VPN: A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer or Wi-Fi-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. Individual Internet users also use VPN technology to secure their wireless transactions, to circumvent geo-restrictions and censorship, and to connect to proxy servers in order to protect their personal identity and location.

NFS: Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. The Network File System is an open standard defined in RFCs, allowing anyone to implement the protocol.

NIS: The Network Information Service (NIS), originally called Yellow Pages (YP), is a client–server directory service protocol for distributing system configuration data, such as usernames and host names, between computers on a computer network.

RSYNC: rsync is a file synchronization and file transfer program for Unix-like systems that minimizes network data transfer by using a form of delta encoding. rsync can compress the data to save bandwidth, and it can transfer files over an SSH channel for security.

SNORT: Snort is an open source intrusion detection system. It performs real-time traffic analysis on IP networks. It provides many capture functions to get packets from the network, and it supports protocol analysis, content searching and content matching. It helps administrators detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface attacks, buffer overflows, server message block probes, and stealth port scans. Snort supports three main modes: sniffer, packet logger, and network intrusion detection. In intrusion detection mode, the program monitors network traffic and analyzes it against a rule set defined by the user. The program then performs a specific action based on what has been identified.

PSAD: psad is a lightweight IDS. It analyzes iptables logs to detect port scans and other suspicious traffic, and it supports many rules from Snort. It works as follows:
1) iptables captures packets from the network and saves them to a log file.
2) psad loads the packets and analyzes them according to the rules.
3) If psad detects suspicious activity, it sends email alerts to the administrator.
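As an added example that is not psad's own code, the following Python shows the kind of check described above reduced to one rule: it parses iptables LOG lines and flags any source that probes many distinct ports on one destination. The sample log lines are constructed, and the "[PSAD]" log prefix and the threshold of five ports are assumptions rather than psad's real defaults.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")


def parse_line(line):
    """Return (src, dst, proto, dpt) from one iptables LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = int(m["dpt"]) if m["dpt"] else None  # ICMP lines carry no ports
    return m["src"], m["dst"], m["proto"], dpt


def port_scanners(lines, min_ports=5):
    """Sources that hit at least min_ports distinct TCP/UDP ports on one
    destination, mapped to the sorted list of ports they touched."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] is not None and rec[2] in ("TCP", "UDP"):
            seen[(rec[0], rec[1])].add(rec[3])
    return {k: sorted(p) for k, p in seen.items() if len(p) >= min_ports}


def _line(src, dpt, proto="TCP"):
    """Build one constructed iptables LOG line (not captured from the lab)."""
    ports = " SPT=40000 DPT=%d" % dpt if dpt is not None else ""
    return ("Nov 12 10:00:01 web kernel: [PSAD] IN=eth0 OUT= SRC=%s "
            "DST=192.168.1.10 LEN=60 TTL=64 ID=0 DF PROTO=%s%s URGP=0"
            % (src, proto, ports))


SAMPLE_LOG = (
    [_line("192.168.1.77", p) for p in (21, 22, 23, 25, 80, 443)]  # scanner
    + [_line("192.168.1.20", 80), _line("192.168.1.20", 80)]       # browser
    + [_line("192.168.1.20", None, "ICMP")])                       # ping

if __name__ == "__main__":
    for (src, dst), ports in port_scanners(SAMPLE_LOG).items():
        print("port scan from %s against %s: ports %s" % (src, dst, ports))
```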

Signaling

Signaling means the flow of packets in a given system. The protocol-based signaling of the individual components is as follows:
1. DHCP protocol: The physical connection (initial connection) is established using the switch. The DHCP server gives IP addresses and configuration information to the DNS server, the web server and the client.
   DHCP-client connection procedure: 1) DHCP-Discover 2) DHCP-Offer 3) DHCP-Request 4) DHCP-ACK
2. DNS forward/reverse query: Once IP addresses are assigned to the components, the client tries to access the web page using an IP address/hostname. Since there is no data in the browser's cache, the client sends a forward/reverse query to the DNS server, which resolves the query and sends the hostname/IP address to the client.
3. HTTP: Once the browser receives the IP address of the web page to be accessed, a three-way handshake takes place between the client and the web server to create an HTTP connection. Once the connection is set up, the web server sends the HTML page requested by the client and the data is transferred successfully.
   Three-way handshake: 1) SYN 2) SYN-ACK 3) ACK
   HTTP connection: 1) HTTP Request 2) HTTP Response
4. Firewall: With the firewall enabled, we allow data transfer between the web server and the client on port 80 (for HTTP), port 1194 (for OpenVPN) and port 22 (for RSYNC over SSH).
5. Manual backup: Use RSYNC to synchronize the files from the web server to the client over port 22 for backup.

Hierarchy

The hierarchy of the protocols implemented at different layers can be given as follows:

    Layer              Protocols
    Application Layer  DNS, DHCP, HTTP, Firewall, SSH, NIS, NFS, Mail Server
    Transport Layer    RSYNC, Firewall
    Network Layer      Firewall
    Link Layer         VPN (OpenVPN)
    Physical Layer     Access-list (depending on switch configuration)

Commands Used

DNS Server:
Step1: Install bind9

    apt-get install bind9

Step2: Enter the directory of the bind server

    cd /etc/bind

Step3: Create a file for IP address resolution

    touch bind9.ubuntu.e

Step4: Edit the file for IP address resolution (both IPv4 and IPv6)
Step5: Create an address file for IPv4 reverse lookup

    touch bind9.192.168.1

Step6: Edit the address file for IPv4 reverse lookup
Step7: Create an address file for IPv6 reverse lookup

    touch bind9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f

Step8: Edit the address file for IPv6 reverse lookup
Step9: Edit the configuration file named.conf.local
Step10: Restart the DNS server

    sudo /etc/init.d/bind9 restart
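As an added example that is not part of the original report, the following Python shows how the forward/reverse query split described under DNS maps onto the address files created above: it derives the reverse zone names behind bind9.192.168.1 and bind9.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f from the 192.168.1.0/24 and fe80::/64 prefixes, and builds the PTR line a reverse query is answered from. The prefixes and the hostname www.example.lab. are assumptions, not values taken from the lab's zone files.

```python
import ipaddress


def reverse_zone(prefix):
    """Reverse zone apex for a CIDR prefix: reversed octets under in-addr.arpa
    for IPv4, reversed hex nibbles under ip6.arpa for IPv6."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        octets = str(net.network_address).split(".")[:net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[:net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_name(address):
    """Owner name that a reverse query for one host address asks for."""
    return ipaddress.ip_address(address).reverse_pointer


def ptr_record(address, zone_prefix, hostname):
    """Zone-file line for `address` inside the reverse zone of `zone_prefix`;
    the owner is written relative to the zone apex, as in the address files."""
    zone = reverse_zone(zone_prefix)
    full = ptr_name(address)
    if not full.endswith("." + zone):
        raise ValueError("%s is not inside %s" % (address, zone_prefix))
    owner = full[:-(len(zone) + 1)]
    return "%s\tIN\tPTR\t%s" % (owner, hostname)
```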

DHCP Server:
Step1: Install the required packages for the DHCP server and TFTP server

    sudo apt-get install dhcp3-server tftpd-hpa syslinux nfs-kernel-server initramfs-tools

Step2: Set network interfaces

    sudo vi /etc/network/interfaces

Edit eth0:

Step3: Restart the networking service

    sudo /etc/init.d/networking restart

Step4: Change the network environment for DHCP

    sudo vim /etc/default/isc-dhcp-server
    # set the interface line in that file to:
    INTERFACES="eth0"

Step5: Edit the DHCP configuration file to offer /tftpboot/pxelinux.0 as the boot file, as a minimum

    sudo vi /etc/dhcp/dhcpd.conf

Step6: Restart the DHCP server

    sudo service isc-dhcp-server restart

Step7: Configure the TFTP Server

    1) Edit the configuration of TFTP file
        sudo vi /etc/default/tftpd-hpa
    2) Set permission
        sudo chmod -R 777 /var/lib/tftpboot
    3) Start the tftp-hpa service
        sudo /etc/init.d/tftpd-hpa start

Web server:
Step1: Install the apache2 web server on the Linux OS; we can then test whether it is installed correctly.
Step2: Install MySQL, which is a relational database management system. Because we need to save and change the files of the web site, we use MySQL to store them. During the installation, we need to set a password for the root user.
Step3: Install PHP to write our web page. To test whether it is installed correctly, we can write a PHP file under /var/www/html and then browse to localhost/php to see the result.
Step4: Add modules for PHP, such as the php-mysql module and some others. We just search for all the modules and install some of them.
Step5: Restart apache2; we can then see from info.php that all the modules are installed (e.g. php5-mysql, php5-curl and php5-gd), and that the MySQL module has been installed correctly.
Step6: Install phpMyAdmin, which we can use to manage the MySQL database, for example to add or delete tables. We need to move its folder to /var/www/html so that we can open it by typing localhost/phpmyadmin in the browser.
Step7: Change the content of the web page.

Backup server:
For both server and client, install rsync and ssh

    sudo apt-get install rsync ssh

Firewall:
Step1: Enable the firewall

    ufw enable

Step2: Allow HTTP request to the webserver

    ufw allow 80

Step3: Allow RSYNC

    ufw allow 22

Step4: Allow OpenVPN

    ufw allow 1194


Add-ons:

Create a Slave DNS Server for the Master DNS Server:
Step1: Clone an Ubuntu VM from the Master DNS Server to serve as the Slave DNS Server
Step2: Assign IP address 192.168.1.250 to this server
Step3: Modify the conf file of the Master DNS Server to allow the Slave DNS Server to receive zone transfers
Step4: Edit the configuration file named.conf.local
Step5: Restart the DNS server

    sudo /etc/init.d/bind9 restart

VPN: To implement OpenVPN, we follow the steps below.
For the server:
1. Install OpenVPN:
    apt-get install openvpn
2. Install easy-rsa:
    apt-get install easy-rsa
3. Copy the easy-rsa scripts into the OpenVPN directory:
    cp -r /usr/share/easy-rsa/ /etc/openvpn/
4. Copy the sample server configuration and unpack it:
    cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
    gzip -d /etc/openvpn/server.conf.gz
5. Edit the easy-rsa variables:
    vim /etc/openvpn/easy-rsa/vars
6. Load the variables and clean the key directory (clean-all must be run from the easy-rsa directory):
    cd /etc/openvpn/easy-rsa
    source /etc/openvpn/easy-rsa/vars
    ./clean-all
7. After these steps, we generate a certificate and private key for the server.
8. Finally, we configure the server.conf file as follows.
9. Start the OpenVPN server.

For the OpenVPN client:
1. Create the certificate for the client on the server, and then copy it to the client.
2. Configure the VPN client.
3. Try to ping the server.

NIS:
Step1: Install NIS, entering “nis.linux group.loc” as the NIS domain name, and edit it
Step2: Initialization
Step3: For the client, install NIS with the same domain name as the server. Then set ypserver to the server's IP address.

NFS:
Step1: Install NFS

    sudo apt-get install nfs-kernel-server

Step2: Configure NFS
Step3: Restart NFS; the client can then browse the folder on the server
Step4: Read the NFS folder

PSAD: Implement psad to detect port scans and other suspicious traffic.
Step1: Download psad from cipherdyne.org and make a directory for compiling
Step2: Install the make suite and run the install script
Step3: Start the psad service
Step4: Enable logging for iptables

SNORT:
Step1: Download autosnort from GitHub
Step2: Unzip it
Step3: Add the connection information and password for SQL
Step4: Modify the install file to load the configuration file and set up the software
Step5: Change the interface in this file
Step6: Modify the Snort configuration
Step7: Restart Snort

Algorithm and Flow Chart

DHCP and Client:
1. Connect the client to the network.
2. If the MAC address of the client is present in the reservation list, assign the fixed IP address; else go to the next step.
3. Assign a dynamic IP address to the client.

DNS and Client:
1. Check whether there are two DNS servers.
2. Choose the better one between the Master and the Slave and select it.
3. The client sends a request to the DNS server.
4. If the request sent to the DNS server is a Forward Query, the DNS server responds with the IP address corresponding to the hostname.
5. If the request sent to the DNS server is a Reverse Query, the DNS server responds with the same IP address and the corresponding hostname.

Web Server and Client:
1. The client sends a request to the web server.
2. If the firewall is disabled, allow all requests to pass.
3. If the firewall is enabled, check whether the request is HTTP, OpenVPN or RSYNC; if yes, allow the request, else go to the next step.
4. Discard the request.

Backup:
1. First, rsync finds which files differ between the sending and receiving systems according to the time stamps on the files.
2. Then rsync determines which parts of those files need to be modified using MD5 checksums.
3. A secure channel is set up between the sending and receiving systems and the changed parts are transferred.
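As an added example that is not rsync's own code, the following Python carries step 2 through: the receiver publishes a weak checksum plus an MD5 checksum for every block of its old copy, the sender walks the new file and sends only block references plus the literal bytes that changed, and the receiver rebuilds the file. The tiny 4-byte block size and the sample file contents are constructed for the demonstration; real rsync uses much larger blocks and rolls the weak checksum instead of recomputing it at each offset.

```python
import hashlib

BLOCK = 4  # tiny block size so the example is visible; rsync uses ~700+ bytes


def weak(data):
    """Adler-style checksum rsync uses as a cheap first-pass filter."""
    a = sum(data) % 65536
    b = sum((len(data) - i) * c for i, c in enumerate(data)) % 65536
    return (b << 16) | a


def signature(old, block=BLOCK):
    """Receiving side: weak + MD5 checksum of every block of its old copy,
    keyed by weak checksum so the sender can probe it cheaply."""
    sig = {}
    for idx in range(0, len(old), block):
        chunk = old[idx:idx + block]
        sig.setdefault(weak(chunk), []).append(
            (hashlib.md5(chunk).hexdigest(), idx // block))
    return sig


def delta(new, sig, block=BLOCK):
    """Sending side: walk the new file; emit ('ref', block_no) where a block the
    receiver already has matches (weak hit confirmed by MD5), else literal bytes."""
    ops, lit, i = [], bytearray(), 0
    while i < len(new):
        chunk, hit = new[i:i + block], None
        if len(chunk) == block:
            for strong, no in sig.get(weak(chunk), []):
                if hashlib.md5(chunk).hexdigest() == strong:
                    hit = no
                    break
        if hit is None:
            lit.append(new[i])
            i += 1
        else:
            if lit:
                ops.append(("lit", bytes(lit)))
                lit = bytearray()
            ops.append(("ref", hit))
            i += block
    if lit:
        ops.append(("lit", bytes(lit)))
    return ops


def patch(old, ops, block=BLOCK):
    """Receiving side: rebuild the new file from its old copy plus the delta."""
    out = bytearray()
    for kind, val in ops:
        out += old[val * block:(val + 1) * block] if kind == "ref" else val
    return bytes(out)
```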

Flow Chart:

DHCP flow chart
DNS flow chart
Webserver flow chart
Backup Flow Chart


Testing (with an example)

Topology (the diagram is not reproduced; its connections are): a central Switch links, through VMware Bridged Switches, to the HTTP server, the DNS server, the Backup server, and the DHCP server and TFTP server; Client1, Client2 and Client3 are attached to the same bridged network.


1. Test of DHCP from VMware

The VMware host can get an IP address and default router from the DHCP server.

2. Test of DNS from Client2

IPv4

IPv6

Reverse DNS

3. Test of PXE from Client3