Data Networking/Fall 2016/BATA

Group Members

edit

Aashish Anand
Ayush Shah
Bala Prasanth Sankaran
Tarun Sharma

Purpose

edit

To design and come up with a solution which fulfills the basic requirements of a company located in Boston and simultaneously understand the concepts of Data Networking.

Protocols (Requirements)

edit

Dynamic Host Configuration Protocol (DHCP)

edit

DHCP stands for dynamic host control protocol used for dynamically assigning the IP address to the network hosts using from the given pool of IP address. The IP assignment can be assigned for a time interval decided by the lease parameter, post which the lease has to be renewed to hold the same IP address. The DHCP is a 4 step process which involves the below phased for IP allocation.
1) DHCP discover
2) DHCP offer
3) DHCP request
4) DHCP acknowledge

Domain Name Server (DNS)

edit

The DNS stands for domain name server and is the first point of contact to resolve the Host names to IP address and vice versa. It maintains separate tables in the database for mapping the Host names to IP and IP to host names and the process is referred to a forward and reverse lookup respectively. The DNS query is both iterative and recursive in nature, while implies the DNS query start from the user and goes to the local DNS server and then it goes to the root DNS server which passes the request to the TLD server and then it finally goes to the authoritative server for the final DNS resolution and thus the user is able to go the requested URL.

Web Server & Firewall

edit

A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files that form Web pages to users, in response to their requests, which are forwarded by their computers' HTTP clients. The process is an example of the client/server model. The term "Web server" often refers only to the HTTP server software in the machine, which provides the Web site functionality. HTTP is the protocol of the Web, and HTTP server software, such as Microsoft's IIS and the open source Apache server, accepts requests from the user's browser and responds by sending back HTML documents (Web pages) and files. It also executes scripts that reside in the server (CGI scripts, JSPs, ASPs, etc.)
Firewall is a network security system that controls the incoming and outgoing network traffic based on applied rule set.Firewall in our project has the functions of IP filtering, protocol filtering, etc. It is used to limit the particular incoming or outgoing visit. For example, We can block a client with particular IP address from visiting the web server.

Back-up

edit

This is a dedicated server used for storing the configuration files coming from each attached server. This helps in restoring the configuration files as a disaster recovery measure.

Add-on(s)

edit

ARP Cache poisoning

edit

Any node that interacts with the outside network qualifies to be called as the client. The client is always the connection initiator implying that the first hand of communication is made from the client and after the connection is established the client interacts with the server.

The malicious client is the one that has the malicious intentions and look for attacking the network by different means. The attack can be as simple as packed sniffing to as intense of Denial of service attack. In our scenario the malicious client has done the arp poisoning at the target and the web server and thus mapping his own mac address in the arp. As the client intends to redirect the requested web page from the genuine web server to his own web server he also makes changes in the ip-tables to translate the destination IP address to his own IP address. This completes the attack and hence the web server is able to redirect the web request to any desired server.
This attack can be mitigated by using the DHCP Snooping and Dynamic ARP inspection which involves the check of the mapping of authentic ip address with the mac address in the binding table.

Network File System (NFS)

edit

NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. Some of the most notable benefits that NFS can provide are:
1. Local workstations use less disk space because commonly used data can be stored on a single machine and still remain accessible to others over the network.
2. There is no need for users to have separate home directories on every network machine. Home directories could be set up on the NFS server and made available throughout the network.
3. Storage devices such as floppy disks, CDROM drives, and USB Thumb drives can be used by other machines on the network. This may reduce the number of removable media drives throughout the network.

IPsec VPN

edit

Virtual private network technology is based on the idea of tunneling. VPN tunnelinginvolves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.

For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure. 

Installation & Configuration

edit

We have logged in to the root user with the "sudo su" command and we have configured the entire project as a root user on all systems.

DHCP IP version 4

edit

Installation

edit

Commands:

       apt-get update 
       apt-get install isc-dhcp-server 

Configurations

edit

To configure the ethernet port:

        nano /etc/default/isc-dhcp-server 

Commands:

        INTERFACES="ens33" 

To assign a static IP to the DHCP server:
Commands:

        nano /etc/network/interfaces 
auto lo iface lo inet loopback auto ens33 iface ens33 inet static address 192.168.240.5 netmask 255.255.255.0 gateway 192.168.240.1 broadcast 192.168.240.255 network 192.168.240.0

To configure the DHCP server:

         nano /etc/dhcp/dhcpd.conf  

Commands:

        # A slightly different configuration for an internal subnet. 
subnet 192.168.240.0 netmask 255.255.255.0 { range 192.168.240.20 192.168.240.100; option domain-name-servers 192.168.240.2; option subnet-mask 255.255.255.0; option routers 192.168.240.1; option broadcast-address 192.168.240.255; default-lease-time 600; max-lease-time 7200; }

DHCP IP version 6

edit

For IPv6 configurations, we use the radvd module for router advertisements and the isc-dhcp-server6 module to configure the DHCP ipv6 server.

Installation

edit

In the designing of DNS Server, we need to install bind9 first in our DNS sever
command:
sudo apt-get install bind9

Configuration

edit

DNS Master server: Command:

  apt-get install bind9
cd /etc/bind/ mkdir zones cd /etc/bind/zones/ for forward zones: nano db.linux.abc for backward zones: nano db.192

Configuration in db.linux.abc: Configuration:

  ;
  ; BIND data file for local loopback interface 
  ;
  $TTL    604800
  @       IN      AAAA    2001:aaaa:1000::7
  @       IN      NS      ns.linux.abc.
  @       IN      SOA     linux.abc.       bala.linux.abc. (
                             2         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
  ;
                       IN      NS      ns.linux.abc.
                       IN      NS      ns1.linux.abc.
 ns.linux.abc.           IN      AAAA    2001:aaaa:1000::7
 ns.linux.abc.           IN      A       192.168.240.10
 ns1.linux.abc.          IN      A       192.168.240.8
 itworks.linux.abc.      IN      A       192.168.240.12
 ;
 macbook IN      CNAME   itworks.linux.abc.
 www     IN      A       192.168.240.12
 ns      IN      AAAA    2001:aaaa:1000::7

Configuration in db.192:

 ;
 ; BIND reverse data file for local loopback interface
 ;
 $TTL    604800
 @       IN      SOA     linux.abc. admin.linux.abc. (
                             2         ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL
 ;
 @       IN      NS      linux.abc.
 8       IN      PTR     ns1.linux.abc.
 10      IN      PTR     ns.linux.abc.
 12      IN      PTR     www.linux.abc.
 @       IN      NS      ns.linux.abc.
 7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     ns.linux.abc.


Command:
nano /etc/bind/named.conf.options:

       forwarders {
       0.0.0.0;
       192.168.240.1;
       8.8.8.8;
       8.8.4.4;
        };

Command:

 nano /etc/bind/named.conf.local:
 #Forward zone
 zone "linux.abc" {
 type master;
 allow-transfer{192.168.240.114 ;};
 file "/etc/bind/zones/db.linux.abc";
 };
 #Reverse zone

Command:

 zone "240.168.192.in-addr.arpa" {
 type master;
 allow-transfer{192.168.240.114 ;};
 file "/etc/bind/zones/db.192";
 };


Command:

  1. Reverse zone
 zone "0.0.0.0.0.0.0.1.a.a.a.a.1.0.0.2.ip6.arpa" {
 type master;
 allow-transfer{192.168.240.114 ;};
 file "/etc/bind/zones/db.192";
 };

Command:

 nano /etc/hosts:
 127.0.0.1       localhost
 #127.0.1.1      ubuntu
 192.168.240.2   ubuntu.linux.abc        ubuntu
 2001:aaaa:1000::7       ubuntu.linux.abc


 # The following lines are desirable for IPv6 capable hosts
 ::1     ip6-localhost ip6-loopback
 fe00::0 ip6-localnet
 ff00::0 ip6-mcastprefix
 ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 nano /etc/resolv.conf:
 nameserver 192.168.240.2
 nameserver 192.168.240.114
 nameserver 2001:aaaa:1000::7

DNS Slave: Command:

 nano /etc/bind/named.conf.local
 zone "linux.abc" {
 type slave;
 notify no;
 file "/var/lib/bind/db.linux.abc";
 masters {192.168.240.2 ;};
 masterfile-format text;
 };
 zone "240.168.192.in-addr.arpa" {
 type slave;
 notify no;
 file "/var/lib/bind/db.192";
 masters {192.168.240.2 ;};
 masterfile-format text;
 };
 zone "0.0.0.0.0.0.0.1.a.a.a.a.1.0.0.2.ip6.arpa" {
 type slave;
 notify no;
 file "/var/lib/bind/db.ipv6";
 masters {192.168.240.2 ;};
 masterfile-format text;
 };
 nano /etc/bind/named.conf.options:
 forwarders {
               0.0.0.0;
               192.168.240.1;
               8.8.8.8;
               8.8.4.4;
        };


 Nano /etc/resolv.conf
 nameserver 192.168.240.114
 nameserver 192.168.240.2
 nameserver 2001:aaaa:1000::7
  nano /etc/hosts
  127.0.0.1       localhost
  127.0.1.1       ubuntu
  192.168.240.2   ubuntu.linux.abc        ubuntu
  2001:aaaa:1000::7       ns.linux.abc

Give a service bind9 restart after the configurations to immediate the effects. Now we could test if the master and slave are working fine by doing an nslookup for each record we have given. First check both master and slave when both are on, then suspend services for master, slave must be able to independently able to resolve the queries.

Web Server

edit

Installation

edit

we need to install apache2 on our webserver.

Command:

       apt-get install apache2 

In CLI:

       netstat -a|more 

This is used to check if the web server is able to listen on port 80

Restart the web server:

       /etc/init.d/apache2 stop
       /etc/init.d/apache2 start

develop the webpage for the server:

       cd /var/www/html
       nano index.html 

Here, we edit the basic webpage with the contents that we want our webpage to display.

Firewall

edit

Firewall allows the administrator to configure the iptables. Here, we look to block ping requests from other systems to the web server while the web server would be able to ping others. Also, we allow http from port 80 that uses TCP so that the webpage is accessible by other systems. To install uncomplicated firewall package: Commands:

  apt-get update
apt-get install ufw

After this, we go to the the before.rules file. Command:

   nano /etc/ufw/before.rules

In #OK icmp codes for INPUT:
Give a DROP instead of ACCEPT for icmp echo request.
Disable and enable firewall:
ufw disable ufw enable This blocks other users from pinging the web server. Next, if we would like to allow any application to be accessible by the other systems, we could allow that. For example, if we would like the web server to allow http to be run by other systems: Command on CLI:

  ufw allow 80/tcp

Then restart the ufw process. This will let other systems to access the webpage from their browser. We could follow this process for any application to be allowed or denied specifically.

Back-up

edit

1)We create a backup of the web server. We are storing the backup files in the backup server.
2)Our web server has the IP: 192.168.240.112. The IP of our backup server is 192.168.240.111.
The username of the Backup server is p.
3)For key exchange:
We first get the update of packages.
Command:

   apt-get update 

4)Install SSH on both the webs server and the backup server
Command:

   apt-get install ssh 

5)Check the status of the service. Command:

   service  ssh status 

It should be active and running. 5)Now, try to ssh from the web server to the backup server. Command:

    ssh p@192.168.240.111

It will prompt for a password. Give the password and do an ssh login for the first time. Once logged in, exit.
6)Now, we need to exchange keys between the servers to have an ssh login without password prompt.
Command:

    ssh-keygen -t rsa 

7)A key is generated, give a yes, then blank for a passphrase and then give a blankspace again when it asks for a passphrase repeat. This stores the generated key in files in the root directory. After this, we need to store this key in the backup server.
Command:

    ssh-copy-id p@192.168.240.111

8)Give Oks to all prompts. So the key is stored in the backup server. After this step, the keys are exchanged between the two systems. The system will ask us to log in once again to check if login is happening without a password. Try it out and the login should happen automatically now.
Once the ssh happens without a password prompt, we could proceed with the process of backing up the data.
In the web server, create a folder of B in the desktop. Provide full permissions to it. Also create a folder with the name of Backup in the Backup servers. All the backup files should get stored here.
For Backup, I first generate a shell script to zip the file and do an SSH to the Backup server. Then, I schedule a crontab for the process of automating the process of backing up each time.
9)The filename of the script is BackupFinal.sh Command:
Contents are as such: Command:

  #!/bin/bash
  #Purpose = Backup of Important Data
  #Created on 27-11-2016
  #Author = Bala Prasanth S
  #Version 1.0
  #START
  TIME=`date +%b-%d-%I-%M-%S`            # This Command will add date in Backup File Name.
  FILENAME=backup-$TIME.tar.gz    # Here I define Backup file name format.
  SRCDIR=/var/www/html                    # Location of Important Data Directory (Source of backup).
  DESDIR=/home/bpsa/Desktop/B            	# Destination of backup file.
  tar -cvzf $DESDIR/$FILENAME $SRCDIR
  rsync -avz /home/bpsa/Desktop/B/backup* -e ssh p@192.168.240.111:/home/p/Desktop/Backup/
  mv /home/bpsa/Desktop/B/backup* /home/BACKUP/
  #END

10)After this, do a crontab from the root user of Webserver , select option 2.
Command:

   10	00	*/2	*	*	/home/bpsa/Desktop/BackupFinal.sh

This command would automate and run the script for backup every 2 days at midnight: 00:10.
11)Thus, Backup is automated in a really efficient manner.

For NFS server:
We first install NFS server package
Command:
apt-get install nfs-kernel-server
We make a directory:
Command:

        mkdir aash 

To configure NFS server:
Command:

       nano /etc/exports 

Configurations:

        /aash 192.168.240.0/24 (rw,sync,no_root_squash,no_subtree_check) 

To check if the appropriate directory is ready to be shared with the NFS clients:
Command:

         exportfs -u

Restart the server: Command:

          /etc/init.d/nfs-kernel-server restart 

For NFS client:
Make a directory:
Command:

          mkdir /ayush 

Mounting: Command:

           mount 192.168.240.12:/aash /ayush 

To check if the mounting is done:
Command:

           df -h 

Here we use /home/gxless/Desktop as the default NFS file, and allow client with IP address 192.168.1.30 to share this default file.
Then we install nfs-common in the client’s host.
Installation command:
Sudo apt-get install nfs-common
Then we can transfer the default file to client.

IPSec VPN

edit

RED Server 1) We install Strongswan.
Command:

   apt-get install ipsec-tools strongswan-starter

2) Open the file ipsec.conf
Command:

   /etc/ipsec.conf 

Configuration:

   conn red-to-blue
   authby=secret
   auto=route
   keyexchange=ike
   left=192.168.240.5
   right=192.168.240.12
   type=tunnel
   esp=aes128gcm16!

3) Open the file ipsec.secrets Command:

    /etc/ipsec.secrets

Configuration:

   192.168.240.5 192.168.240.12 : PSK "Dab"

4) Restart the ipsec service Command:

   ipsec restart   
   

Blue Server

Everything will be the same except the left and right ip will be reversed.

To check the working of IPSec VPN we will: One RED server ping
Command:

   ping 192.168.240.12

On BLUE server look at tcp
Command:

   tcpdump esp

Future Improvements

edit

Backup -- There are many methods that can be used as backup for our web server. In the future, we could consider more efficient and convenient way to implement backup.
Mail server -- Mail server is often needed for most companies. So in the future, we could add a mail server for this company.
IPv6 -- We could assign IPv4 for our servers and clients in the future.


Challenges

edit

DNS Server

edit

During the process of configuring the DNS server, I deeply found that computer doesn’t works in human way, we have to use computer language to talk with computer. There is a lot of format requirement for the Ubuntu machine.
Beside, adding the IPv6 address is sort of annoying, since I thought the IPv6 has the same format with IPv4, and it didn’t work.
After going through so many videos on YouTube, we finally configured everything.

DHCP Server

edit

First, the most important things we should pay attention to in configure DHCP server is that the IP address of the interface of the DHCP server and the subnet of your DHCP range should be in consistent. This two things is edit in two different file, so that we may make some mistake when we editing it. If these two are not in consistent, the DHCP server will not able to start. This is a big issue when we doing the DHCP configuration, after we finish everything, the DHCP server always fail. We did know what’s wrong at that time, and we almost try every possible ways even install the Ubuntu system again. Finally, we decided to check all the configurations again and we find this problem.
Second, there are two possible ways to start/restart the DHCP server, the first one is “sudo service isc-dhcp-server start” and the second one is “sudo /etc/init.d/isc-dhcp-server restart”. We use the second one because we found that the first one may “cheat” us. Sometimes, it shows start successfully, but actually it did not. Hence, the most reliable ways to restart/start the DHCP server is to start/restart it under the init.d file.
Third, you should be really careful when you enter the dhcpd.conf file. The format of the command in the file is very strict. You should follow the format or the file will not work. This fault is very obvious because you can actually see where you got wrong in that file by using the second command we mentioned above.


Citations

edit

1) https://www.vpn-accounts.com/blog/vpn-tunneling-a-must-for-privacy/
2) http://searchmidmarketsecurity.techtarget.com/definition/IPsec
3) https://technet.microsoft.com/en-us/library/bb531150.aspx.
4) http://searchsecurity.techtarget.com/definition/firewall
5) https://help.ubuntu.com/lts/serverguide/network-file-system.html
6) http://www.mygreatname.com/how-dns-works/e-04-how-dns-works.htm
7) http://www.karlrupp.net/en/computer/nat_tutorial