Data Networking/Fall 2015/Neeharika

Project Objective
To design a robust and secure network, with a DNS server, DHCP server, web server and firewall as its key network elements, for a corporate organization.

Team members

 * Sukumar Sekuri
 * Neeharika Chandra Naidu
 * Ravi Chandra Sekhar Bojja
 * Keerthi Reddy Vade

Network Elements

 * DNS
 * DHCP
 * WEB SERVER & FIREWALL

Domain Name Server
DNS is the name service for Internet addresses: it resolves domain or host names into numeric IP addresses. Maintaining a single central list of name-to-address mappings would be impractical, so the domain names and their corresponding IP addresses are distributed in a hierarchy throughout the Internet, which makes the Domain Name System a hierarchical database. When a client requests a domain name or a website, the browser sends a query to the DNS server located in close geographic proximity to the client's access provider, and that server returns the IP address to the client, which can then access the contents of the website. Available DNS servers include BIND, Posadis and PowerDNS; of the three, BIND is used because it is the most flexible, and the latest version, BIND9, with caching enabled is the DNS server in this project. Caching is advantageous because the response received for every new DNS query is stored in the server, so resolving a name whose answer is already cached takes far less time than sending a fresh query for a name that is not cached. As a result, the user's waiting time is reduced and a lot of bandwidth is saved, which becomes available for other operations such as displaying many more web pages.

Dynamic Host Configuration Protocol
DHCP is a client-server protocol that automatically provides an Internet Protocol host with an IP address. Without DHCP, every device that moves from one subnet to another has to be configured manually, and when a device is removed from the network its IP address has to be reclaimed manually. With DHCP this process is automated and much simpler than the manual procedure. The DHCP server creates a pool of IP addresses and assigns addresses to devices from this pool: when a client enters the network, DHCP leases it an address, and if the client does not renew the lease before it expires, the address is returned to the pool automatically for reallocation.

DHCP allocates IP addresses to clients in three different ways:
 * Static Allocation: DHCP assigns IP addresses based on a preconfigured mapping from each device's MAC address, and the addresses assigned to the devices remain unchanged until the network administrator changes them.
 * Dynamic Allocation: the network administrator reserves a pool of IP addresses for DHCP and the server assigns IP addresses to clients from this pool. Both IPv4 and IPv6 addresses are assigned by DHCP in this project.
 * Automatic Allocation: similar to dynamic allocation, but here the server assigns the client the same IP address it had the previous time it connected to the network.

Webserver & Firewall
A web server's primary job is to deliver web pages in response to client requests, and the communication between server and client uses HTTP. The available web servers are a Windows web server or a Linux (Apache) web server. In this project we use an Apache web server, because Linux is an open source system and the web server can be configured under a free licence, whereas a Windows web server requires a purchased licence to host websites. We also created a backup of the web server in case of server failure: all the files from the web server are zipped and sent to the backup server, and the backup server updates itself by copying only the files that were modified. Additionally, a firewall is implemented to protect the information entering and leaving the network: all traffic except that explicitly permitted by the firewall rules is blocked and cannot reach the network.

Algorithm
The web page is displayed if the request is successful; otherwise an error is displayed.
1. The client attempts to join the network "neeharika".
2. The client sends a request to the DHCP server to obtain an IP address.
3. If the request is successful, an IP address is assigned to the client. Otherwise, the client needs to reconnect to the network.
4. Once the client has an IP address, it can try to connect to the 'neeharika.net' website via a web browser. If the domain name is valid, the web server will send a request to DNS for the domain's IP address.
5. The DNS server replies with an IP address; otherwise an error saying "server not found" is displayed.
6. Once the DNS server responds, the client sends an HTTP request to the server.

DNS Master
1. DHCP assigns an IP address to the master DNS server (192.168.1.9).
2. Update the package list:
   sudo apt-get update
3. Install the bind9 server:
   sudo apt-get install bind9
4. Create a forward zone file:
   sudo cp /etc/bind/db.local /etc/bind/db.neeharika.net
5. Edit the file /etc/bind/db.neeharika.net as below.
6. Create reverse zone files in the same way as the forward zone file. For IPv4:
   sudo cp /etc/bind/db.127 /etc/bind/db.192
   For IPv6:
   sudo cp /etc/bind/db.127 /etc/bind/db.193
7. Open /etc/bind/db.192 and /etc/bind/db.193 and edit them as below.
8. Add the forward and reverse zones to the /etc/bind/named.conf.local file.
9. Change the nameserver in the /etc/resolv.conf file.
10. Restart the DNS server:
   sudo service bind9 restart

DNS Slave
1. DHCP assigns an IP address to the slave DNS server (192.168.1.10).
2. Update the package list:
   sudo apt-get update
3. Install the bind9 server:
   sudo apt-get install bind9
4. Create a forward zone file:
   sudo cp /etc/bind/db.local /etc/bind/db.neeharika.net
5. Edit the file /etc/bind/db.neeharika.net as below.
6. Create reverse zone files in the same way as the forward zone file. For IPv4:
   sudo cp /etc/bind/db.127 /etc/bind/db.192
   For IPv6:
   sudo cp /etc/bind/db.127 /etc/bind/db.193
7. Open /etc/bind/db.192 and /etc/bind/db.193 and edit them as below.
8. Add the forward and reverse zones to the /etc/bind/named.conf.local file.
9. Change the nameserver in the /etc/resolv.conf file.
10. Restart the DNS server:
   sudo service bind9 restart
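The zone definitions that step 8 adds to named.conf.local and the forward zone file from step 5 are not reproduced above. The following is an added example, not the project's own configuration: it assumes the master at 192.168.1.9 and the slave at 192.168.1.10 as given, an assumed address of 192.168.1.16 for the web and mail host, and a constructed IPv6 prefix; it limits zone transfers to the slave and recursion to the project LAN, defines the slave as type slave so it fetches the zone from the master instead of keeping a hand-edited copy, and includes the MX record the Mail Server section relies on.

```conf
// /etc/bind/named.conf.options (master and slave): resolver open to the LAN only
acl "lan" { 127.0.0.1; 192.168.1.0/24; };
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { lan; };   // cache and recurse for project hosts, not for the Internet
    allow-transfer { none; };   // no zone transfers unless a zone says otherwise
};

// /etc/bind/named.conf.local on the master (192.168.1.9)
zone "neeharika.net" {
    type master;
    file "/etc/bind/db.neeharika.net";
    allow-transfer { 192.168.1.10; };   // only the slave may copy the zone
    also-notify { 192.168.1.10; };
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    allow-transfer { 192.168.1.10; };
};

// /etc/bind/named.conf.local on the slave (192.168.1.10): fetched from the master
zone "neeharika.net" {
    type slave;
    file "/var/cache/bind/db.neeharika.net";
    masters { 192.168.1.9; };
};

; /etc/bind/db.neeharika.net on the master (step 5); "www" and "mail" addresses are assumed
$TTL    604800
@       IN  SOA ns1.neeharika.net. admin.neeharika.net. (
                2015110501  ; serial: increase on every edit or the slave will not refresh
                604800      ; refresh
                86400       ; retry
                2419200     ; expire
                604800 )    ; negative cache TTL
@       IN  NS      ns1.neeharika.net.
@       IN  NS      ns2.neeharika.net.
@       IN  MX  10  mail.neeharika.net.   ; mail exchange record used by the Mail Server section
ns1     IN  A       192.168.1.9
ns2     IN  A       192.168.1.10
@       IN  A       192.168.1.16          ; assumed web server address
www     IN  A       192.168.1.16
mail    IN  A       192.168.1.16          ; assumed: mail runs on the same host
www     IN  AAAA    fd00:1::16            ; constructed placeholder IPv6 address
```

Check the files with named-checkconf and named-checkzone neeharika.net /etc/bind/db.neeharika.net before restarting bind9.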

Testing
Testing can be done by using ‘nslookup’ command as follows:
 * nslookup for forward zone
 * nslookup for reverse zone
 * nslookup for forward zone to get IPv6 address

DHCP
The ISC DHCP server is used to configure the DHCP server. It is open source software that runs freely on any Linux machine and suits the performance requirements of this environment. The following commands implement the DHCP server on an Ubuntu Linux machine.

1. Update the package list:
   sudo apt-get update
2. Install the ISC DHCP server:
   sudo apt-get install isc-dhcp-server
3. Go to /etc/dhcp and make the necessary changes in the DHCP configuration file:
   cd /etc/dhcp
   sudo nano /etc/dhcp/dhcpd.conf
4. The following changes are made in the dhcpd.conf file for IPv4 addresses.
5. To assign IPv6 addresses, the following configuration is made in dhcpd6.conf:
   sudo nano /etc/dhcp/dhcpd6.conf
6. The following changes are made in dhcpd6.conf: the subnet and pool of IPv6 addresses are defined here along with the default and maximum lease times.
7. Restart the DHCP server:
   sudo /etc/init.d/isc-dhcp-server restart
   sudo /etc/init.d/isc-dhcp6-server restart
 * The subnet, netmask, gateway router, address pool range for the subnet, domain name server address, broadcast address, default lease time and maximum lease time are set according to the network used in the project.
 * Static IP addresses are also assigned to the web server, DNS server and mail server, since we do not want DHCP to hand these servers a different dynamic address every time they connect to the network.
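The dhcpd.conf and dhcpd6.conf changes referred to in steps 4 and 6 are not reproduced above. The following is an added example, not the project's files: an IPv4 subnet with a dynamic pool plus the fixed-address entries that give the DNS and web servers the same address every time, and a stateful IPv6 pool. The gateway, pool ranges, MAC addresses and the IPv6 prefix are assumed or constructed values; the DNS server addresses are the ones given in the DNS sections.

```conf
# /etc/dhcp/dhcpd.conf: IPv4 (step 4). Gateway, pool and MAC addresses are assumed values.
authoritative;
default-lease-time 600;
max-lease-time 7200;
option domain-name "neeharika.net";
option domain-name-servers 192.168.1.9, 192.168.1.10;   # master and slave DNS

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;               # assumed gateway
    option broadcast-address 192.168.1.255;
    range 192.168.1.100 192.168.1.200;        # dynamic pool; the servers below sit outside it
}

# Static allocation: each server gets the same address every time, keyed on its MAC.
# A client whose MAC is not listed here only ever receives an address from the pool.
host dns-master { hardware ethernet 00:00:00:aa:bb:01; fixed-address 192.168.1.9; }
host dns-slave  { hardware ethernet 00:00:00:aa:bb:02; fixed-address 192.168.1.10; }
host webserver  { hardware ethernet 00:00:00:aa:bb:03; fixed-address 192.168.1.16; }

# /etc/dhcp/dhcpd6.conf: IPv6 (step 6). The fd00:1::/64 prefix is a constructed placeholder.
default-lease-time 600;
max-lease-time 7200;
subnet6 fd00:1::/64 {
    range6 fd00:1::100 fd00:1::200;
    option dhcp6.name-servers fd00:1::9, fd00:1::10;
    option dhcp6.domain-search "neeharika.net";
}
```

Run dhcpd -t -cf /etc/dhcp/dhcpd.conf (and dhcpd -6 -t -cf /etc/dhcp/dhcpd6.conf) to syntax-check a file before restarting the service.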

Testing
1. The leased IP addresses can be checked with the following command, which shows the leases on the DHCP server and the IP addresses that have been leased to clients:
   sudo tail /var/lib/dhcp/*.leases
2. The output of the DHCP server can also be verified with the following command:
   sudo tail -f /var/log/syslog

Apache Web Server
1. Install Apache2:
   sudo apt-get update
   sudo apt-get install apache2
   To check that Apache2 was installed successfully, open a web browser and go to http://localhost
2. Create the site directory and a sample page:
   sudo mkdir /var/www/neeharika.net/
   sudo chmod 755 /var/www/
   sudo chown $USER:$USER /var/www/neeharika.net/
   sudo nano /var/www/neeharika.net/sample.html
3. Configure Apache2 (apache2.conf):
   sudo nano /etc/apache2/apache2.conf
   We need to add the following directory block:
   <Directory /var/www/neeharika.net/>
       Options Indexes FollowSymLinks
       AllowOverride None
       Require all granted
   </Directory>
4. Configure Apache2 (dir.conf). Because we have not used index.html as the default, sample.html must be added to the list of directory indices:
   sudo nano /etc/apache2/mods-available/dir.conf
   Append our HTML file, sample.html, to the list of indices:
   DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm sample.html
5. Configure Apache2 (000-default.conf):
   ServerAdmin webserver@localhost
   ServerName neeharika.net
   DocumentRoot /var/www/neeharika.net
6. Map the IP address to the domain name:
   sudo nano /etc/hosts
   <web server IP address>   neeharika.net
7. Restart Apache2:
   sudo service apache2 restart
8. Verify by visiting http://localhost

Firewall
Configuring iptables. We add the following rules to filter the incoming connections to our web server:
   sudo iptables -A INPUT -i lo -j ACCEPT
   sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
   sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 2049 -j ACCEPT
   sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
   sudo iptables -A INPUT -s 192.168.1.0/24 -p icmp -m icmp --icmp-type 0 -j ACCEPT
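The five commands above only add ACCEPT entries; the INPUT chain's default policy remains ACCEPT, so traffic that is not listed still reaches the host, whereas the Webserver & Firewall section expects everything else to be blocked. As an added example (not the project's ruleset), the same allow-list in iptables-restore format with a DROP policy. It admits echo-request (type 8, the packet a LAN host sends when it pings the server; the type 0 reply to the server's own pings is already matched by the RELATED,ESTABLISHED rule) and assumes SSH from the LAN is wanted for administration.

```conf
# /etc/iptables/rules.v4, loaded with: sudo iptables-restore < /etc/iptables/rules.v4
*filter
# A DROP policy is what turns the ACCEPT list into a real allow-list.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Echo-request (type 8) is what a LAN host sends to ping the server; the type 0 reply
# to the server's own pings is already matched by the ESTABLISHED rule above.
-A INPUT -s 192.168.1.0/24 -p icmp --icmp-type 8 -j ACCEPT
# New connections from the LAN only, to the services the project runs on this host.
-A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
# Assumed: administrators reach the host over SSH from the LAN.
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Everything else falls through to the DROP policy; log a sample of it for troubleshooting.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
```

Rules set with iptables do not survive a reboot, so the file is loaded from a boot script or by the iptables-persistent package, which reads this path by default.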

Backup
1. On the web server, generate a key pair:
   sudo ssh-keygen -t rsa
2. Use ssh to create the .ssh directory on the backup server:
   ssh raviclient@192.168.1.33 mkdir -p .ssh
3. Append the web server's public key to the backup server's authorized keys:
   cat /home/.ssh/id_rsa.pub | ssh raviclient@192.168.1.33 'cat >> .ssh/authorized_keys'
4. Compress the files for backup:
   sudo tar -cvpzf ravibackup.tar.gz /var/www/neeharika.net/sample.html
5. Use crontab to schedule the backup every minute:
   sudo crontab -e
   * * * * * sudo tar -cvpzf /home/raviserver/ravibackup.tar.gz /var/www/neeharika.net/sample.html
   * * * * * sudo scp /home/raviserver/ravibackup.tar.gz raviclient@192.168.1.33:/home/raviclient/
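The key appended in step 3 can log in as raviclient and run any command, although the cron job only ever needs to drop one archive into /home/raviclient/. As an added example (not from the project), the same authorized_keys entry restricted with the options OpenSSH provides; the web server address and the key material are placeholders.

```conf
# /home/raviclient/.ssh/authorized_keys on the backup server (192.168.1.33)
# Options in front of the key limit what the web server's unattended key can do:
#   from=     accept the key only from the web server (192.168.1.16 is an assumed address)
#   command=  ignore whatever the client asks for and run only the receiving side of scp,
#             which is exactly what the cron job's "scp file raviclient@host:/home/raviclient/" needs
#   no-*      no tty, port forwarding, agent forwarding or X11, none of which a backup job uses
from="192.168.1.16",command="scp -t /home/raviclient/",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...PLACEHOLDER_PUBLIC_KEY... root@webserver
```

With the forced command in place an interactive "ssh raviclient@192.168.1.33" using this key no longer opens a shell, which is a quick way to confirm the restriction took effect.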

Mail Server
A mail server is software that lets us read email from anywhere in the world, from any computer, through a web browser. The mail server used here is SquirrelMail, one of the simplest, fastest and most popular webmail packages. A mail transfer agent, a mail delivery agent and the web server are used together to send and receive email via the browser: Postfix acts as the mail transfer agent, Dovecot acts as the mail delivery agent, and Dovecot provides the IMAP and POP3 protocol servers through which mail is accessed.

Configuration
The configuration of the mail server continues from the DNS server. Forward and reverse DNS records are used together with the mail exchange (MX) records that are required for sending and receiving mail; these records are covered in the Domain Name Server section. The following commands are used after the DNS records have been created.

1. Go to the sites-available directory of Apache2:
   cd /etc/apache2/sites-available
2. Create a mail configuration file with the same configuration as default-ssl:
   cp default-ssl mail.conf
3. Edit the mail.conf file as shown below.
4. Enable mail.conf:
   a2ensite mail
5. Edit the /etc/squirrelmail/apache.conf file as shown below.
6. Edit the /etc/dovecot/dovecot.conf file as shown below.
7. Stop the running services:
   killall named
   killall apache2
   killall dovecot
8. Restart everything:
   invoke-rc.d bind9 restart
   invoke-rc.d apache2 restart
   invoke-rc.d postfix restart
   invoke-rc.d dovecot restart
9. Different users can now be created with the "adduser" command.

Testing
Now open a web browser and go to "mail.neeharika.net". The SquirrelMail login page appears; enter a username and password to log in and send and receive mail between users in the same domain.

FTP
The File Transfer Protocol is a network protocol used to transfer files from one computer to another over a TCP-based network such as the Internet. It is built on a client-server architecture and uses two separate connections (one for data and one for control) between the client and the server.

Configuration
1. Install the FTP package:
   sudo apt-get install vsftpd
2. Make the following changes to /etc/vsftpd.conf, uncommenting the settings by removing the '#' sign:
   sudo nano /etc/vsftpd.conf
   write_enable=YES
   anonymous_enable=YES
3. Restart vsftpd:
   sudo restart vsftpd
4. Create files:
   cd /srv/ftp
   sudo touch text1 text2
   sudo chmod 777 text1 text2

Testing
Type the following command, then enter the username and password to log in. Once the verification is done, the user or client can also make changes to the files:
   ftp 192.168.1.16

NFS
The Network File System (NFS) is used for sharing files with other computers on the network. It is a distributed file system protocol.

NFS server
1. Update the repositories:
   sudo apt-get update
2. Install the NFS server package:
   sudo apt-get install nfs-kernel-server
3. Make the directories to be shared with other devices:
   sudo mkdir /shome
   sudo mkdir /home
4. /etc/exports is the main configuration file for NFS; add the following lines to it:
   /shome 192.168.1.0/24(rw,sync,no_root_squash)
   /home 192.168.1.0/24(rw,sync,no_root_squash)
5. Start the service:
   sudo /etc/init.d/nfs-kernel-server start
6. Check the NFS share status with:
   sudo exportfs -v

NFS Client
1. Install the NFS client and its dependencies:
   sudo apt-get install nfs-common rpcbind
2. Create the directory /rhome:
   sudo mkdir /rhome
3. Mount the remote share /shome on the local directory /rhome:
   sudo mount 192.168.1.16:/shome /rhome
4. Add the following line to /etc/fstab for a permanent mount:
   192.168.1.16:/shome /rhome nfs rw,sync,hard,intr 0 0

Testing
The two files text1 and text2 are created in the NFS server's /shome directory, and two files text3 and text4 are created on the NFS client. Since the directory is mounted, all four files appear in both folders.

VPN
A VPN is configured to give a remote client access to the private network through a tunnel.

Configuration
1. Install the "pptpd" package:
   sudo apt-get install pptpd
2. Edit the file /etc/pptpd.conf as follows:
   sudo nano /etc/pptpd.conf
   localip
   remoteip
3. Edit the /etc/ppp/pptpd-options file:
   sudo nano /etc/ppp/pptpd-options
   ms-dns 192.168.1.9
   ms-dns 192.168.1.10
4. Set the user ID and password for users:
   sudo nano /etc/ppp/chap-secrets
   sukumar pptp sukumar *
   Note: * indicates access for all IP addresses in the same network.

Testing
1. Test that the VPN works by checking the interfaces:
   ifconfig

NTP
NTP stands for Network Time Protocol. The NTP server supplies the date and time to the users connected to it.

Configuration
1. Install the "ntp" package:
   sudo apt-get install ntp
2. Edit the list of servers:
   sudo nano /etc/ntp.conf
3. Restart the NTP server:
   /etc/init.d/ntp restart
4. Check the servers with:
   ntpq -p

Testing
Note: The implementation is tested considering Windows as client.

NIS
The Network Information Service (NIS) protocol is a client-server model for distributing system configuration data, such as user names and passwords, between computers on the network. NIS was originally called Yellow Pages (YP).

NIS Server
1. Install portmap and NIS and update portmap:
   sudo apt-get install portmap
   sudo update-rc.d rpcbind defaults 10
   sudo apt-get install nis
2. Edit the file /etc/default/nis as follows:
   NISSERVER=master
   NISCLIENT=false
3. Edit the file /etc/ypserv.securenets, adding the IP address range that will be given access to the NIS server and commenting out the 0.0.0.0 line so that access is not open to everyone; also edit /var/yp/Makefile to allow all hosts to use NIS:
   255.255.255.0   192.168.1.0
   #0.0.0.0        0.0.0.0
4. Restart NIS and portmap:
   sudo service portmap restart
   sudo service nis restart
5. Build the NIS database:
   sudo /usr/lib/yp/ypinit -m
6. Add users to the NIS database:
   sudo useradd -d /home/user1 -m user1
   sudo useradd -d /home/user2 -m user2
7. Create passwords for these accounts:
   sudo passwd username
8. All user accounts can be listed with:
   cat /etc/passwd
9. To enter the changes into the database:
   cd /var/yp
   sudo make

NIS Client
1. Install portmap and NIS and update portmap:
   sudo apt-get install portmap
   sudo update-rc.d rpcbind defaults 10
   sudo apt-get install nis
2. Edit the /etc/hosts file to add the NIS server's IP address and domain name.
3. Edit /etc/yp.conf to add the domain and server name.
4. Edit the /etc/nsswitch.conf file so that NIS is used as a fallback for password lookups when /etc/passwd fails:
   passwd:    nis compat
   group:     nis compat
   shadow:    nis compat
5. Modify the permissions on the /home folder so that users are allowed to read, write and execute the files:
   sudo chmod 777 home
6. Reboot the client machine:
   sudo reboot

Testing
Use command ‘ypcat passwd’ to test NIS.

Future Improvements

 * DHCP Superscope: a DHCP superscope gives DHCP servers the flexibility to allocate addresses from multiple ranges to the subnets, so the company can expand the network with a smooth transition that does not affect the existing setup. It is configured simply by adding the next subnet to the DHCP configuration file.
 * Security: the overall security of the network can be improved by installing an IPS and IDS to monitor and assess the behaviour of the traffic flowing to all the servers.

Conclusion
A robust, intelligent and secure network, with a DNS server, DHCP server, web server and firewall as its key network elements, has been designed for a corporate organisation.
