Data Networking/Fall 2016/BATA

Group Members
Aashish Anand, Ayush Shah, Bala Prasanth Sankaran, Tarun Sharma

Purpose
To design a solution that fulfills the basic networking requirements of a company located in Boston, and in doing so to understand the concepts of Data Networking.

Dynamic Host Configuration Protocol (DHCP)
DHCP stands for Dynamic Host Configuration Protocol; it dynamically assigns IP addresses to network hosts from a given pool of addresses. An assignment is valid for a time interval decided by the lease parameter, after which the lease has to be renewed for the host to keep the same IP address. DHCP allocation is a four-step process involving the following phases:
1) DHCP discover
2) DHCP offer
3) DHCP request
4) DHCP acknowledge

Domain Name Server (DNS)
The DNS stands for domain name server and is the first point of contact to resolve host names to IP addresses and vice versa. It maintains separate tables in its database for mapping host names to IPs and IPs to host names; the two processes are referred to as forward and reverse lookup respectively. DNS resolution is both recursive and iterative in nature: the query starts at the user and goes recursively to the local DNS server, which then iteratively queries the root DNS server, is referred to the TLD server, and finally reaches the authoritative server for the final resolution; the user is then able to reach the requested URL.

Web Server & Firewall
A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files that form Web pages to users, in response to their requests, which are forwarded by their computers' HTTP clients. The process is an example of the client/server model. The term "Web server" often refers only to the HTTP server software in the machine, which provides the Web site functionality. HTTP is the protocol of the Web, and HTTP server software, such as Microsoft's IIS and the open source Apache server, accepts requests from the user's browser and responds by sending back HTML documents (Web pages) and files. It also executes scripts that reside on the server (CGI scripts, JSPs, ASPs, etc.). A firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. The firewall in our project has the functions of IP filtering, protocol filtering, etc. It is used to limit particular incoming or outgoing visits. For example, we can block a client with a particular IP address from visiting the web server.

Back-up
This is a dedicated server used for storing the configuration files coming from each attached server. This helps in restoring the configuration files as a disaster recovery measure.

ARP Cache poisoning
Any node that interacts with the outside network qualifies to be called a client. The client is always the connection initiator, meaning that the first step of the communication is made by the client; after the connection is established the client interacts with the server.

The malicious client is the one that has malicious intentions and looks to attack the network by different means. The attack can be as simple as packet sniffing or as intense as a denial-of-service attack. In our scenario the malicious client has performed ARP poisoning against the target and the web server, mapping his own MAC address to their IP addresses in the victims' ARP caches. As the client intends to redirect the requested web page from the genuine web server to his own web server, he also adds iptables rules to translate the destination IP address to his own IP address. This completes the attack, and the attacker is able to redirect the web request to any server he desires. This attack can be mitigated by using DHCP snooping and Dynamic ARP Inspection, which checks the IP-to-MAC mapping of every ARP packet against the authentic bindings in the DHCP snooping binding table.
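The check that Dynamic ARP Inspection performs on a switch can also be run on an individual host: compare the kernel's ARP cache with a known-good IP-to-MAC binding table and alert on any entry that disagrees, or on one MAC address answering for several IPs. The script below is an added example for this report, not part of the original project; the binding table and the `ip neigh` output it parses are constructed, with the web server and gateway resolving to the same unexpected MAC, which is what a poisoned client's cache looks like.

```python
"""Detect ARP cache poisoning from a host's neighbour table.

Added example, not part of the original report. It applies the idea behind
Dynamic ARP Inspection on a single Linux host: the entries of `ip neigh`
(the kernel ARP cache) are compared against a known-good IP-to-MAC binding
table, the same data a switch would obtain from DHCP snooping. The binding
table and the `ip neigh` output below are constructed for this example.
"""
import re
import sys
from collections import defaultdict

# Constructed binding table (IP -> MAC), as DHCP snooping would record it.
BINDINGS = {
    "192.168.240.1":  "00:50:56:aa:00:01",   # gateway
    "192.168.240.10": "00:50:56:aa:00:10",   # ns.linux.abc
    "192.168.240.12": "00:50:56:aa:00:12",   # web server
}

# Constructed `ip neigh` output as seen on a poisoned client: the gateway and
# the web server both resolve to the same, unexpected MAC address.
NEIGH_OUTPUT = """\
192.168.240.1 dev ens33 lladdr 00:50:56:aa:00:99 REACHABLE
192.168.240.12 dev ens33 lladdr 00:50:56:aa:00:99 STALE
192.168.240.10 dev ens33 lladdr 00:50:56:aa:00:10 REACHABLE
192.168.240.77 dev ens33  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})", re.I)


def parse_ip_neigh(text):
    """Return [(ip, mac), ...] for entries that carry a link-layer address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(3).lower()))
    return entries


def inspect_neighbours(entries, bindings):
    """Compare cache entries with the binding table.

    Returns a dict with:
      mismatches     - (ip, expected_mac, seen_mac) for IPs whose cached MAC
                       differs from the binding table (the poisoning symptom)
      duplicate_macs - {mac: [ips]} for one MAC answering for several IPs
    """
    mismatches = []
    by_mac = defaultdict(list)
    for ip, mac in entries:
        by_mac[mac].append(ip)
        expected = bindings.get(ip)
        if expected and expected.lower() != mac:
            mismatches.append((ip, expected.lower(), mac))
    duplicate_macs = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"mismatches": mismatches, "duplicate_macs": duplicate_macs}


def run_inspection(neigh_text=NEIGH_OUTPUT, bindings=BINDINGS):
    return inspect_neighbours(parse_ip_neigh(neigh_text), bindings)


if __name__ == "__main__":
    # Feed real data with:  ip neigh show | python3 arp_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else NEIGH_OUTPUT
    result = run_inspection(text)
    for ip, expected, seen in result["mismatches"]:
        print(f"ALERT {ip}: bound to {expected}, cache says {seen}")
    for mac, ips in result["duplicate_macs"].items():
        print(f"ALERT {mac} answers for {', '.join(ips)}")
```

On a real host the binding table would be filled from the DHCP server's lease file or a static inventory; the script only reports, it does not change the cache, so it can run from cron on the clients and the web server as a detection control alongside the switch-side mitigation.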

Network File System (NFS)
NFS allows a system to share directories and files with others over a network. By using NFS, users and programs can access files on remote systems almost as if they were local files. Some of the most notable benefits that NFS can provide are:
1. Local workstations use less disk space because commonly used data can be stored on a single machine and still remain accessible to others over the network.
2. There is no need for users to have separate home directories on every network machine. Home directories could be set up on the NFS server and made available throughout the network.
3. Storage devices such as floppy disks, CDROM drives, and USB thumb drives can be used by other machines on the network. This may reduce the number of removable media drives throughout the network.

IPsec VPN
Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side. For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.

Installation & Configuration
We have logged in to the root user with the "sudo su" command and we have configured the entire project as a root user on all systems.

Installation
Commands:
apt-get update
apt-get install isc-dhcp-server

Configurations
To configure the ethernet port:
Command: nano /etc/default/isc-dhcp-server
INTERFACES="ens33"

To assign a static IP to the DHCP server:
Command: nano /etc/network/interfaces
auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
    address 192.168.240.5
    netmask 255.255.255.0
    gateway 192.168.240.1
    broadcast 192.168.240.255
    network 192.168.240.0

To configure the DHCP server:
Command: nano /etc/dhcp/dhcpd.conf
# A slightly different configuration for an internal subnet.
subnet 192.168.240.0 netmask 255.255.255.0 {
  range 192.168.240.20 192.168.240.100;
  option domain-name-servers 192.168.240.2;
  option subnet-mask 255.255.255.0;
  option routers 192.168.240.1;
  option broadcast-address 192.168.240.255;
  default-lease-time 600;
  max-lease-time 7200;
}

DHCP IP version 6
For IPv6 configurations, we use the radvd module for router advertisements and the isc-dhcp-server6 module to configure the DHCP ipv6 server.

Installation
For the DNS server, we first need to install bind9 on the DNS server.
Command: sudo apt-get install bind9

Configuration
DNS Master server:
Command: apt-get install bind9
cd /etc/bind/
mkdir zones
cd /etc/bind/zones/
For the forward zone: nano db.linux.abc
For the reverse zone: nano db.192

Configuration in db.linux.abc (the SOA record is placed first, as a BIND zone file requires):
;
; BIND data file for the linux.abc forward zone
;
$TTL    604800
@       IN      SOA     linux.abc. bala.linux.abc. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.linux.abc.
@       IN      NS      ns1.linux.abc.
@       IN      AAAA    2001:aaaa:1000::7
ns.linux.abc.       IN  AAAA    2001:aaaa:1000::7
ns.linux.abc.       IN  A       192.168.240.10
ns1.linux.abc.      IN  A       192.168.240.8
itworks.linux.abc.  IN  A       192.168.240.12
; macbook           IN  CNAME   itworks.linux.abc.
www     IN      A       192.168.240.12
ns      IN      AAAA    2001:aaaa:1000::7

Configuration in db.192 (this file is loaded for both the IPv4 and the IPv6 reverse zone, so the last PTR record is the IPv6 entry, relative to the ip6.arpa zone):

;
; BIND reverse data file for 192.168.240.0/24
;
$TTL    604800
@       IN      SOA     linux.abc. admin.linux.abc. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      linux.abc.
@       IN      NS      ns.linux.abc.
8       IN      PTR     ns1.linux.abc.
10      IN      PTR     ns.linux.abc.
12      IN      PTR     www.linux.abc.
7.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN     PTR     ns.linux.abc.

Command: nano /etc/bind/named.conf.options
forwarders {
    0.0.0.0;
    192.168.240.1;
    8.8.8.8;
    8.8.4.4;
};

Command: nano /etc/bind/named.conf.local
# Forward zone
zone "linux.abc" {
    type master;
    allow-transfer { 192.168.240.114; };
    file "/etc/bind/zones/db.linux.abc";
};

# Reverse zone (IPv4)
zone "240.168.192.in-addr.arpa" {
    type master;
    allow-transfer { 192.168.240.114; };
    file "/etc/bind/zones/db.192";
};

# Reverse zone (IPv6); the same db.192 file is reused for it
zone "0.0.0.0.0.0.0.1.a.a.a.a.1.0.0.2.ip6.arpa" {
    type master;
    allow-transfer { 192.168.240.114; };
    file "/etc/bind/zones/db.192";
};

Command: nano /etc/hosts
127.0.0.1      localhost
#127.0.1.1     ubuntu
192.168.240.2  ubuntu.linux.abc        ubuntu
2001:aaaa:1000::7      ubuntu.linux.abc

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Command: nano /etc/resolv.conf
nameserver 192.168.240.2
nameserver 192.168.240.114
nameserver 2001:aaaa:1000::7

DNS Slave:
Command: nano /etc/bind/named.conf.local
zone "linux.abc" {
    type slave;
    notify no;
    file "/var/lib/bind/db.linux.abc";
    masters { 192.168.240.2; };
    masterfile-format text;
};

zone "240.168.192.in-addr.arpa" {
    type slave;
    notify no;
    file "/var/lib/bind/db.192";
    masters { 192.168.240.2; };
    masterfile-format text;
};

zone "0.0.0.0.0.0.0.1.a.a.a.a.1.0.0.2.ip6.arpa" {
    type slave;
    notify no;
    file "/var/lib/bind/db.ipv6";
    masters { 192.168.240.2; };
    masterfile-format text;
};

Command: nano /etc/bind/named.conf.options
forwarders {
    0.0.0.0;
    192.168.240.1;
    8.8.8.8;
    8.8.4.4;
};

Command: nano /etc/resolv.conf
nameserver 192.168.240.114
nameserver 192.168.240.2
nameserver 2001:aaaa:1000::7

Command: nano /etc/hosts
127.0.0.1      localhost
127.0.1.1      ubuntu
192.168.240.2  ubuntu.linux.abc        ubuntu
2001:aaaa:1000::7      ns.linux.abc

Give a "service bind9 restart" after the configurations so that they take effect. Now we can test whether the master and slave are working by doing an nslookup for each record we have defined. First check both master and slave while both are up; then stop the service on the master, and the slave must be able to resolve the queries independently.

Installation
We need to install apache2 on our web server.

Command: apt-get install apache2

To check that the web server is listening on port 80: netstat -a | more

Restart the web server:
/etc/init.d/apache2 stop
/etc/init.d/apache2 start

Develop the web page for the server:
cd /var/www/html
nano index.html
Here we edit the basic web page with the contents that we want our web page to display.

Firewall
The firewall allows the administrator to configure iptables. Here we look to block ping requests from other systems to the web server, while the web server is still able to ping others. We also allow HTTP on port 80 over TCP so that the web page is accessible from other systems.

To install the uncomplicated firewall package:
Commands:
apt-get update
apt-get install ufw

After this, we edit the before.rules file.
Command: nano /etc/ufw/before.rules
Under "# ok icmp codes for INPUT", change the target of the icmp echo-request rule from ACCEPT to DROP.

Disable and enable the firewall:
ufw disable
ufw enable
This blocks other users from pinging the web server.

Next, if we would like an application to be accessible by the other systems, we can allow it explicitly. For example, to let the web server serve HTTP to other systems:
Command: ufw allow 80/tcp
Then restart the ufw process. This lets other systems access the web page from their browser. We can follow this process for any application to be allowed or denied specifically.
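The before.rules edit above is a single-line change, but it is easy to change the wrong line (the FORWARD chain has an identical echo-request rule) or to drop the other ICMP types that the "ok icmp codes" block deliberately accepts. The script below is an added example, not part of the original report: it makes exactly the edit the report describes and then audits the result. The rules excerpt is constructed after the layout of Ubuntu's /etc/ufw/before.rules.

```python
"""Apply and verify the before.rules change from the Firewall section.

Added example, not part of the original report. harden_icmp() switches the
INPUT echo-request rule from ACCEPT to DROP; audit() confirms the outcome:
inbound echo-request dropped, the other ICMP error types still accepted (they
are needed for path MTU discovery and traceroute), FORWARD chain untouched.
The excerpt below is constructed after Ubuntu's /etc/ufw/before.rules layout.
"""
import re

BEFORE_RULES = """\
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
"""

# Only the INPUT chain's echo-request rule; [ \t]* keeps the newline out of the match.
ECHO_INPUT = re.compile(
    r"^(-A ufw-before-input -p icmp --icmp-type echo-request -j )ACCEPT[ \t]*$", re.M)


def harden_icmp(rules):
    """Return rules with inbound echo-request switched from ACCEPT to DROP (idempotent)."""
    return ECHO_INPUT.sub(r"\1DROP", rules)


def icmp_policy(rules, chain):
    """Map icmp-type -> target for one chain ('input' or 'forward')."""
    pat = re.compile(rf"^-A ufw-before-{chain} -p icmp --icmp-type (\S+) -j (\S+)", re.M)
    return dict(pat.findall(rules))


def audit(rules):
    """List what is wrong with the ruleset relative to the report's goal."""
    problems = []
    inp = icmp_policy(rules, "input")
    if inp.get("echo-request") != "DROP":
        problems.append("inbound echo-request is not dropped")
    for t in ("destination-unreachable", "time-exceeded", "parameter-problem"):
        if inp.get(t) != "ACCEPT":
            problems.append(f"inbound {t} is no longer accepted")
    if icmp_policy(rules, "forward") != icmp_policy(BEFORE_RULES, "forward"):
        problems.append("FORWARD chain was modified")
    return problems


if __name__ == "__main__":
    hardened = harden_icmp(BEFORE_RULES)
    print(hardened)
    print("audit:", audit(hardened) or "ok")
```

The web server can still ping other hosts after this change because its own echo-requests leave through OUTPUT, and the echo-replies coming back match the RELATED,ESTABLISHED conntrack rule that precedes the ICMP rules in before.rules; only unsolicited inbound echo-requests are dropped.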

Back-up
1) We create a backup of the web server and store the backup files on the backup server.
2) Our web server has the IP 192.168.240.112. The IP of our backup server is 192.168.240.111. The username on the backup server is p.
3) For the key exchange, we first update the package lists. Command: apt-get update
4) Install SSH on both the web server and the backup server. Command: apt-get install ssh
5) Check the status of the service. Command: service ssh status
   It should be active and running.
6) Now try to ssh from the web server to the backup server. Command: ssh p@192.168.240.111
   It will prompt for a password. Give the password and complete an ssh login for the first time. Once logged in, exit.
7) Now we need to exchange keys between the servers to have an ssh login without a password prompt. Command: ssh-keygen -t rsa
   A key is generated; accept the default, then leave the passphrase blank and leave it blank again when asked to repeat it. Since we work as root, the generated key files are stored under /root/.ssh. After this we need to store the public key on the backup server. Command: ssh-copy-id p@192.168.240.111
8) Accept all prompts, so the key is stored on the backup server. After this step the keys are exchanged between the two systems. Log in once more to check that login happens without a password; it should now happen automatically. Once ssh works without a password prompt, we can proceed with backing up the data.
   On the web server, create a folder B on the Desktop and give it full permissions. Also create a folder named Backup on the backup server; all backup files get stored there. For the backup, I first write a shell script that archives the web root and copies it over SSH to the backup server. Then I schedule it with crontab to automate the backup.
9) The script is named BackupFinal.sh. Its contents are:

#!/bin/bash
# Purpose = Backup of Important Data
# Created on 27-11-2016
# Author = Bala Prasanth S
# Version 1.0
# START
TIME=$(date +%b-%d-%I-%M-%S)          # Adds the date to the backup file name.
FILENAME="backup-$TIME.tar.gz"         # Backup file name format.
SRCDIR=/var/www/html                   # Location of the important data (source of the backup).
DESDIR=/home/bpsa/Desktop/B            # Destination of the backup file.
tar -cvzf "$DESDIR/$FILENAME" "$SRCDIR"
rsync -avz -e ssh "$DESDIR"/backup* p@192.168.240.111:/home/p/Desktop/Backup/
mv "$DESDIR"/backup* /home/BACKUP/     # /home/BACKUP/ must exist on the web server
# END

10) After this, run crontab -e as root on the web server and select editor option 2. Add the line:
10 00 */2 * * /home/bpsa/Desktop/BackupFinal.sh
This automates the backup, running the script every second day at 00:10.
11) Thus the backup is automated in an efficient manner.
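The BackupFinal.sh script above creates the archive and copies it, but it cannot tell whether an archive is complete or intact before it is shipped, and it never removes old copies. The script below is an added example written for this report, not the project's own code: it keeps the report's flow (dated tar.gz of /var/www/html, rsync over ssh to p@192.168.240.111) and adds an atomic rename, a SHA-256 sidecar that is verified before the copy, and rotation. Paths and the remote target are parameters whose defaults mirror the report; demo() exercises the whole round trip in a temporary directory.

```python
"""A verified, rotating variant of the BackupFinal.sh procedure.

Added example, not part of the original report. Same shape as the report's
script (archive the web root into a dated tar.gz, copy it over SSH to the
backup server) plus: the archive is written under a temporary name and renamed
only when complete, a SHA-256 sidecar is written and checked before the copy,
and archives beyond `keep` are pruned. Defaults mirror the report's paths.
"""
import hashlib
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup(archive):
    """True if the sidecar digest matches and the tar stream reads to the end."""
    archive = Path(archive)
    sidecar = archive.with_name(archive.name + ".sha256")
    if not sidecar.exists() or sidecar.read_text().split()[0] != sha256_of(archive):
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
        return True
    except (tarfile.TarError, OSError, EOFError):
        return False


def prune_backups(destdir, keep):
    """Delete all but the newest `keep` archives (names sort by timestamp)."""
    archives = sorted(Path(destdir).glob("backup-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
        sidecar = old.with_name(old.name + ".sha256")
        if sidecar.exists():
            sidecar.unlink()


def make_backup(srcdir="/var/www/html", destdir="/home/bpsa/Desktop/B", keep=7, stamp=None):
    """Archive srcdir into destdir, verify it, prune old copies, return the archive path."""
    src, dest = Path(srcdir), Path(destdir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y-%m-%d-%H%M%S")
    archive = dest / f"backup-{stamp}.tar.gz"
    partial = archive.with_name(archive.name + ".part")
    with tarfile.open(partial, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    partial.replace(archive)                   # only a complete archive gets the final name
    archive.with_name(archive.name + ".sha256").write_text(f"{sha256_of(archive)}  {archive.name}\n")
    if not verify_backup(archive):
        raise RuntimeError(f"{archive} failed verification")
    prune_backups(dest, keep)
    return archive


def push_to_remote(archive, remote="p@192.168.240.111:/home/p/Desktop/Backup/"):
    """Copy the archive and its sidecar with rsync over ssh, as the report's script does."""
    archive = Path(archive)
    files = [str(archive), str(archive.with_name(archive.name + ".sha256"))]
    subprocess.run(["rsync", "-az", "-e", "ssh", *files, remote], check=True)


def demo():
    """Round trip in a temporary directory: build, verify, then detect a damaged archive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "html"
        src.mkdir()
        (src / "index.html").write_text("<h1>It works!</h1>\n")
        archive = make_backup(src, Path(tmp) / "B", keep=3, stamp="2016-11-27-001000")
        with tarfile.open(archive) as tar:
            members = tar.getnames()
        ok_before = verify_backup(archive)
        archive.write_bytes(b"truncated by a full disk")    # simulate a damaged copy
        return {"name": archive.name, "members": members,
                "verified": ok_before, "verified_after_damage": verify_backup(archive)}


if __name__ == "__main__":
    print(demo())
```

For the report's cron schedule the entry would call a two-line wrapper that runs make_backup() and then push_to_remote() on the returned path; because the sidecar travels with the archive, verify_backup() can also be run on the backup server to confirm the copy before the local file is moved away.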

NFS
For the NFS server: we first install the NFS server package.
Command: apt-get install nfs-kernel-server
We make a directory to share:
Command: mkdir /aash
To configure the NFS server:
Command: nano /etc/exports
Configuration:
/aash 192.168.240.0/24(rw,sync,no_root_squash,no_subtree_check)
There must be no space between the client specification and its option list; with a space, exportfs applies the options to every host and gives 192.168.240.0/24 only the defaults.
To re-export /etc/exports and check that the directory is ready to be shared with the NFS clients:
Command: exportfs -rav
Restart the server:
Command: /etc/init.d/nfs-kernel-server restart

For the NFS client:
Make a mount point:
Command: mkdir /ayush
Mounting:
Command: mount 192.168.240.12:/aash /ayush
To check that the mount is done:
Command: df -h

Here we use /home/gxless/Desktop as the default NFS share and allow the client with IP address 192.168.1.30 to access it. Then we install nfs-common on the client host. Installation command: sudo apt-get install nfs-common. Then we can transfer the default file to the client.
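The /etc/exports syntax is the part of this setup most likely to widen access by accident: a space between the client and its option list means the options belong to a separate "*" entry (every host), while the named client silently gets the defaults. The script below is an added example, not part of the original report; it parses /etc/exports the way exportfs reads it and flags detached option lists, exports to all hosts and no_root_squash. The two lines it checks are the report's export line as originally written and its corrected form.

```python
"""Audit /etc/exports for the mistakes that silently widen an NFS export.

Added example, not part of the original report. A client entry is
'host(options)' with no whitespace; a bare '(options)' applies to '*', so
'/aash 192.168.240.0/24 (rw,...)' exports read-write to every host and gives
192.168.240.0/24 the defaults (ro,root_squash). The parser reproduces that rule.
"""
import re

REPORT_LINE = "/aash 192.168.240.0/24 (rw,sync,no_root_squash,no_subtree_check)\n"
FIXED_LINE = "/aash 192.168.240.0/24(rw,sync,no_root_squash,no_subtree_check)\n"

SPEC_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return one dict per client entry: path, host, options, detached (bare option list)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            if not m:
                continue
            host = m.group(1) or "*"                       # no host before '(' means everyone
            opts = m.group(2).split(",") if m.group(2) else []
            entries.append({"path": path, "host": host, "options": opts,
                            "detached": not m.group(1) and bool(opts)})
    return entries


def audit_exports(text):
    """Return findings in file order; an empty list means nothing suspicious."""
    findings = []
    for e in parse_exports(text):
        tag = f"{e['path']} -> {e['host']}"
        if e["detached"]:
            findings.append(f"{tag}: option list '({','.join(e['options'])})' is separated from "
                            "the preceding host by a space, so it applies to every host (*)")
        if e["host"] == "*":
            findings.append(f"{tag}: exported to all hosts")
        if "no_root_squash" in e["options"]:
            findings.append(f"{tag}: no_root_squash lets remote root act as root on this export")
        if not e["options"] and e["host"] != "*":
            findings.append(f"{tag}: no options given, defaults (ro,root_squash) apply")
    return findings


if __name__ == "__main__":
    for label, text in (("report line", REPORT_LINE), ("fixed line", FIXED_LINE)):
        print(label)
        for f in audit_exports(text) or ["ok"]:
            print("  ", f)
```

Pointing parse_exports at the real file (`audit_exports(open("/etc/exports").read())`) gives the same findings for a live server; no_root_squash is still reported for the corrected line because the report keeps that option, which is a deliberate choice here but worth seeing in the audit output.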

IPSec VPN
RED Server
1) We install strongSwan.
Command: apt-get install ipsec-tools strongswan-starter
2) Open the file /etc/ipsec.conf
Configuration:
conn red-to-blue
    authby=secret
    auto=route
    keyexchange=ike
    left=192.168.240.5
    right=192.168.240.12
    type=tunnel
    esp=aes128gcm16!
3) Open the file /etc/ipsec.secrets
Configuration:
192.168.240.5 192.168.240.12 : PSK "Dab"
4) Restart the ipsec service
Command: ipsec restart

BLUE Server
Everything is the same except that the left and right IPs are reversed.

To check that the IPsec VPN is working:
On the RED server, ping the BLUE server. Command: ping 192.168.240.12
On the BLUE server, capture the ESP traffic. Command: tcpdump esp

Future Improvements
Backup -- There are many methods that can be used to back up our web server. In the future we could consider a more efficient and convenient way to implement the backup.
Mail server -- A mail server is often needed by most companies, so in the future we could add a mail server for this company.
IPv6 -- We could assign IPv6 addresses to our servers and clients in the future.

DNS Server
While configuring the DNS server, I found that a computer doesn't work the way a human does; we have to use the computer's language to talk to it. The Ubuntu machine has many format requirements. Besides, adding the IPv6 address was rather annoying, since I thought IPv6 had the same format as IPv4, and it didn't work. After going through many videos on YouTube, we finally configured everything.

DHCP Server
First, the most important thing to pay attention to when configuring the DHCP server is that the IP address of the DHCP server's interface and the subnet of your DHCP range must be consistent. These two things are edited in two different files, so it is easy to make a mistake while editing them. If they are not consistent, the DHCP server will not be able to start. This was a big issue during our DHCP configuration: after we had finished everything, the DHCP server kept failing. We did not know what was wrong at the time, and we tried almost every possible way, even reinstalling the Ubuntu system. Finally, we decided to check all the configurations again, and we found this problem. Second, there are two possible ways to start/restart the DHCP server: "sudo service isc-dhcp-server start" and "sudo /etc/init.d/isc-dhcp-server restart". We use the second one because we found that the first one may "cheat" us: sometimes it reports a successful start when the server actually did not start. Hence the most reliable way to start/restart the DHCP server is through the init.d script. Third, you should be really careful when you edit the dhcpd.conf file. The format of the directives in that file is very strict; you must follow it or the file will not work. This kind of fault is easy to spot, because the second command mentioned above shows you where in the file you went wrong.
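The DHCP lesson above, and the DHCP configuration in the Installation & Configuration section, both come down to one invariant: the address of the server's interface in /etc/network/interfaces must fall inside a subnet declared in /etc/dhcp/dhcpd.conf, or isc-dhcp-server refuses to start. The script below is an added example written for this report, not part of the original project. It parses the subset of both files' syntax that the report uses and reports that mismatch, along with the related ones (range outside the subnet, server address inside the dynamic range, router outside the subnet, lease times reversed); the two configuration texts embedded in it are the report's own.

```python
"""Check that the DHCP server's interface address and its subnet declaration agree.

Added example, not part of the original report. Parses the static stanza of
an interfaces(5) file and the 'subnet ... netmask ... { }' blocks of a
dhcpd.conf, then reports the inconsistencies that stop isc-dhcp-server from
starting or hand out addresses that collide with the server itself.
"""
import ipaddress
import re

INTERFACES = """\
auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
    address 192.168.240.5
    netmask 255.255.255.0
    gateway 192.168.240.1
    broadcast 192.168.240.255
    network 192.168.240.0
"""

DHCPD_CONF = """\
# A slightly different configuration for an internal subnet.
subnet 192.168.240.0 netmask 255.255.255.0 {
  range 192.168.240.20 192.168.240.100;
  option domain-name-servers 192.168.240.2;
  option subnet-mask 255.255.255.0;
  option routers 192.168.240.1;
  option broadcast-address 192.168.240.255;
  default-lease-time 600;
  max-lease-time 7200;
}
"""


def parse_static_iface(text, iface):
    """Return the IPv4Interface configured for `iface` in an interfaces(5) file, or None."""
    addr = mask = None
    inside = False
    for line in text.splitlines():
        t = line.split("#", 1)[0].split()
        if not t:
            continue
        if t[0] in ("auto", "iface", "allow-hotplug", "mapping", "source"):
            inside = t[0] == "iface" and len(t) >= 4 and t[1] == iface and t[3] == "static"
        elif inside and t[0] == "address":
            addr = t[1]
        elif inside and t[0] == "netmask":
            mask = t[1]
    if addr is None:
        return None
    return ipaddress.ip_interface(addr if "/" in addr else f"{addr}/{mask or '32'}")


def parse_subnets(text):
    """Return one dict per 'subnet ... netmask ... { ... }' block in a dhcpd.conf."""
    text = re.sub(r"#.*", "", text)
    subnets = []
    for m in re.finditer(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{(.*?)\}", text, re.S):
        body = m.group(3)
        s = {"network": ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False),
             "ranges": [], "routers": [], "leases": {}}
        for r in re.finditer(r"\brange\s+([\d.]+)(?:\s+([\d.]+))?\s*;", body):
            lo = ipaddress.ip_address(r.group(1))
            s["ranges"].append((lo, ipaddress.ip_address(r.group(2) or r.group(1))))
        r = re.search(r"option\s+routers\s+([^;]+);", body)
        if r:
            s["routers"] = [ipaddress.ip_address(x.strip()) for x in r.group(1).split(",")]
        for key in ("default-lease-time", "max-lease-time"):
            r = re.search(rf"{key}\s+(\d+)\s*;", body)
            if r:
                s["leases"][key] = int(r.group(1))
        subnets.append(s)
    return subnets


def check_dhcp(interfaces_text, dhcpd_text, iface="ens33"):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    ifc = parse_static_iface(interfaces_text, iface)
    if ifc is None:
        return [f"{iface}: no static address in the interfaces file"]
    subnets = parse_subnets(dhcpd_text)
    served = [s for s in subnets if ifc.ip in s["network"]]
    if not served:
        declared = ", ".join(str(s["network"]) for s in subnets) or "none"
        problems.append(f"{iface} address {ifc.ip} is not inside any declared subnet ({declared}); "
                        "isc-dhcp-server will refuse to start")
    for s in served:
        net = s["network"]
        if net != ifc.network:
            problems.append(f"netmask mismatch: {iface} is {ifc.network}, dhcpd.conf declares {net}")
        for lo, hi in s["ranges"]:
            if lo > hi:
                problems.append(f"range {lo}-{hi} is reversed")
            if lo not in net or hi not in net:
                problems.append(f"range {lo}-{hi} is outside {net}")
            if lo <= ifc.ip <= hi:
                problems.append(f"{iface} address {ifc.ip} lies inside the dynamic range {lo}-{hi}")
        for gw in s["routers"]:
            if gw not in net:
                problems.append(f"option routers {gw} is outside {net}")
        d, m = s["leases"].get("default-lease-time"), s["leases"].get("max-lease-time")
        if d and m and d > m:
            problems.append(f"default-lease-time {d} exceeds max-lease-time {m}")
    return problems


if __name__ == "__main__":
    print(check_dhcp(INTERFACES, DHCPD_CONF) or "interfaces and dhcpd.conf agree")
```

Running it on the report's files returns no problems; moving the interface to 192.168.241.5 while leaving dhcpd.conf untouched reproduces the failure described above as a single line of output, before the daemon is even restarted.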