Data Networking/Fall 2016/TSM

Group Members
1. Jibran Ahmed
2. Vijayalakshmi Hunnur
3. Ayanti Sengupta
4. Prerana Joshi

Motivation
The Linux operating system lets its users control almost every aspect of the system. The freedom, flexibility and security it offers make it a natural platform for network engineers to build their own networks, and the desire to learn about network protocols and their security implementations motivated this project.

Domain Name System
The Domain Name System (DNS) is an application-layer protocol that implements a hierarchical, distributed database across DNS servers. Its main service is translating domain names into IP addresses: Internet delivery works on IP addresses, and since nobody can remember the address of every host, DNS servers resolve the names on the client's behalf. DNS uses port 53 (UDP for ordinary queries, TCP for zone transfers and responses too large for UDP). In our project we maintain two servers: the master server PurpleKush and the slave server GrapeFruit. If the master is unreachable, the DNS client falls back to the slave for resolution. The name servers running on them are stranger1.LinuxProject.jaap.edu and stranger2.LinuxProject.jaap.edu respectively.

Dynamic Host Configuration Protocol
Dynamic Host Configuration Protocol (DHCP) is a client-server protocol that hands out IP addresses, together with subnet masks, default gateways and other options, to devices on a network. DHCP is an IETF standard. It avoids the configuration errors that manual assignment invites, such as typing mistakes or address conflicts caused by giving the same IP address to more than one computer, and it reduces network administration. It is especially useful when the network scales up: each device added to the network obtains an address from the configured range automatically, without an administrator assigning one by hand, so the whole process is automated and managed centrally. DHCPv4 uses the connectionless User Datagram Protocol (UDP): the server listens on port 67 and the client on port 68.

The DHCP implementation uses the following terms:

In our project we created two master DHCP servers, PurpleKush and GrapeFruit, which hand out IPv4 addresses from separate, non-overlapping pools:

PurpleKush IP assignment range: 192.168.5.10 - 192.168.5.100
GrapeFruit IP assignment range: 192.168.5.150 - 192.168.5.200

Exclusion range: addresses in the scope that are excluded from leasing. Excluded addresses are normally used for routers and other hosts that need static IP addresses. In our project the following hosts have static addresses:
PurpleKush: 192.168.5.8
GrapeFruit: 192.168.5.9
Web server: 192.168.5.3

Reservation: assigns a permanent IP address to a particular client, server or hardware device. In our project the reservation range is 192.168.5.101 to 192.168.5.149.

IPv6
The DHCP server PurpleKush assigns both IPv4 and IPv6 addresses dynamically to devices in the network. DHCPv6 is the IETF-standardised version of the protocol for IPv6; it uses UDP port 546 on the client and port 547 on the server. The router advertisement daemon (radvd) is open source software that sends router advertisements carrying the link's IPv6 routing prefixes, as specified by the Neighbor Discovery Protocol (NDP). DHCPv6 is not strictly necessary for giving hosts the addresses of DNS servers, because router advertisements can carry them as well (the RDNSS option). NDP runs over ICMPv6 on the local link and is responsible for stateless address autoconfiguration, discovering other nodes on the link and resolving their link-layer addresses, and finding routers and DNS servers.

Scope: the entire range for DHCPv6 assignment is fd37:f7e3:802b:be94::/64
Address pool: IPv6 addresses are assigned from fd37:f7e3:802b:be94::10 to fd37:f7e3:802b:be94::254
Exclusion range and reservation: the name server in DHCPv6 is fd37:f7e3:802b:be94::1

Webserver & Firewall
The Apache web server is the most popular way of serving web content on the Internet; at the time of writing it accounted for more than half of all active websites, and it is extremely powerful and flexible. Apache breaks its functionality into individual units that can be customised and configured independently. The basic unit describing an individual site or domain is the virtual host. Each configured domain directs the visitor to a specific directory holding that site's content, without revealing that the same server is also responsible for other sites. This scheme scales without any software limit as long as the server can handle the load. In our project an Apache2 web server is hosted and the web page is written in HTML.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an outside network such as the Internet that is assumed not to be trusted. Firewalls can be hardware or software based. Uncomplicated Firewall (UFW) is the default firewall configuration tool for Ubuntu, developed to ease iptables configuration; it provides a user-friendly way to create IPv4 and IPv6 host-based firewalls.

DNS
For server1: PurpleKush (Master)

Step 1: Log in as root and install bind9
Command: apt-get install bind9

Step 2: Restart the networking daemon
Command: service networking restart

Step 3: Set the hostname
Command: vi /etc/hostname
    PurpleKush

Step 4: Map the host and domain names by editing /etc/hosts
Command: vi /etc/hosts
    127.0.0.1       localhost
    127.0.1.1       PurpleKush
    # The following lines are desirable for IPv6 capable hosts
    ::1             ip6-localhost ip6-loopback
    fe00::0         ip6-localnet
    ff00::0         ip6-mcastprefix
    ff02::1         ip6-allnodes
    ff02::2         ip6-allrouters
    192.168.5.8     stranger1.LinuxProject.jaap.edu stranger1
    192.168.5.9     stranger2.LinuxProject.jaap.edu stranger2
    192.168.5.8     LinuxProject.jaap.edu
    # v6
    fd37:f7e3:802b:be94::1    stranger1.LinuxProject.jaap.edu stranger1
    fd37:f7e3:802b:be94::1    LinuxProject.jaap.edu

Step 5: Configure named.conf.options
Command: vi /etc/bind/named.conf.options
    // Trusted range allowed to send recursive queries
    acl "trusted" {
        192.168.5.0/24;
    };

    options {
        directory "/var/cache/bind";
        recursion yes;
        allow-recursion { trusted; };
        listen-on { 192.168.5.8; };
        allow-transfer { none; };    // per-zone allow-transfer in named.conf.local overrides this

        forwarders {
            8.8.8.8;
            8.8.4.4;
        };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    };

Restricting recursion to the trusted ACL is what stops the server from being an open resolver that outsiders could use in DNS amplification attacks, and allow-transfer { none; } as the global default, with explicit exceptions per zone, stops anyone from dumping the zone contents. Two things to be aware of: listen-on-v6 { any; } binds every IPv6 address while IPv4 is pinned to 192.168.5.8, so authoritative answers are served on all IPv6 interfaces (recursion is still limited by the ACL); and every query the server cannot answer itself is forwarded in clear to Google's public resolvers, with dnssec-validation auto validating the replies for signed zones.

Step 6: Configure named.conf.local
Command: vi /etc/bind/named.conf.local
    zone "LinuxProject.jaap.edu" {
        type master;
        file "/etc/bind/zones/db.LinuxProject.jaap.edu";
        allow-transfer { 192.168.5.9; };    // the slave only
    };

    zone "5.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.192.168.5";
        allow-transfer { 192.168.5.9; };
    };

    // Reverse zone for fd37:f7e3:802b:be94::/64: the 16 prefix nibbles in reverse
    // order, one per label (be94 reverses to 4.9.e.b, 802b to b.2.0.8, and so on)
    zone "4.9.e.b.b.2.0.8.3.e.7.f.7.3.d.f.ip6.arpa" {
        type master;
        file "/etc/bind/zones/db.v6.1";
        allow-transfer { 192.168.5.9; };
    };

Step 7: Create the zone files db.LinuxProject.jaap.edu, db.192.168.5 and db.v6.1 in a zones folder
Command:
    mkdir /etc/bind/zones
    cd /etc/bind/zones
    cp /etc/bind/db.local /etc/bind/zones/db.LinuxProject.jaap.edu
    vi db.LinuxProject.jaap.edu
Edit the file:
    $TTL    604800
    @       IN      SOA     stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
                                 30         ; Serial
                             604800         ; Refresh
                              86400         ; Retry
                            2419200         ; Expire
                             604800 )       ; Negative Cache TTL
    ;
    ; Name Server NS Records
    @       IN      NS      stranger1.LinuxProject.jaap.edu.
    @       IN      NS      stranger2.LinuxProject.jaap.edu.
    ;
    ; NS A Records
    stranger1.LinuxProject.jaap.edu.    IN      A       192.168.5.8
                                        IN      AAAA    fd37:f7e3:802b:be94::1
    www                                 IN      CNAME   stranger1.LinuxProject.jaap.edu.
    stranger2.LinuxProject.jaap.edu.    IN      A       192.168.5.9
    ;
    ; Webserver record - Type A
    known.LinuxProject.jaap.edu.        IN      A       192.168.5.3
                                        IN      AAAA    fd37:f7e3:802b:be94::3
    www.known                           IN      CNAME   known.LinuxProject.jaap.edu.
    ftp                                 IN      CNAME   stranger2.LinuxProject.jaap.edu.
    ;smtp                               IN      CNAME   mail.LinuxProject.jaap.edu.
    smtp                                IN      MX      5 mx1.LinuxProject.jaap.edu.
    mx1.LinuxProject.jaap.edu.          IN      A       192.168.5.6

Names without a trailing dot (www, www.known, ftp, smtp) are relative to the zone origin; written as www.known. with a trailing dot the name would be absolute and BIND would discard the record as out-of-zone data. A record whose owner column is blank inherits the owner of the previous record, which is how the AAAA records attach to stranger1 and known. Increment the serial every time the file changes, otherwise the slave never notices the update.

Step 8: Edit the reverse zone files db.192.168.5 and db.v6.1 (IPv6) in the zones folder
Command: vi /etc/bind/zones/db.192.168.5
Edit the file:
    $TTL    604800
    @       IN      SOA     stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
                                  9         ; Serial
                             604800         ; Refresh
                              86400         ; Retry
                            2419200         ; Expire
                             604800 )       ; Negative Cache TTL
    ;
    ; NS Records
    @       IN      NS      stranger1.LinuxProject.jaap.edu.
    @       IN      NS      stranger2.LinuxProject.jaap.edu.
    ;
    ; PTR Records (owner is the last octet, relative to 5.168.192.in-addr.arpa)
    8       IN      PTR     stranger1.LinuxProject.jaap.edu.    ; 192.168.5.8
    9       IN      PTR     stranger2.LinuxProject.jaap.edu.    ; 192.168.5.9
    3       IN      PTR     known.LinuxProject.jaap.edu.        ; 192.168.5.3

Command: vi /etc/bind/zones/db.v6.1
Edit the file:
    $TTL    604800
    @       IN      SOA     stranger1.LinuxProject.jaap.edu. admin.LinuxProject.jaap.edu. (
                                  6         ; Serial
                             604800         ; Refresh
                              86400         ; Retry
                            2419200         ; Expire
                             604800 )       ; Negative Cache TTL
    ;
    ; NS Records
    @       IN      NS      stranger1.LinuxProject.jaap.edu.
    @       IN      NS      stranger2.LinuxProject.jaap.edu.
    ;
    ; PTR Records (owner is the 64-bit host part, one nibble per label, least significant first)
    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0    IN      PTR     stranger1.LinuxProject.jaap.edu.    ; fd37:f7e3:802b:be94::1
    3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0    IN      PTR     known.LinuxProject.jaap.edu.        ; fd37:f7e3:802b:be94::3

Check the configuration and every zone before restarting the daemon; named-checkzone reports syntax errors and out-of-zone records that named would otherwise log and silently skip:
Command: named-checkconf
Command: named-checkzone LinuxProject.jaap.edu /etc/bind/zones/db.LinuxProject.jaap.edu
Command: named-checkzone 5.168.192.in-addr.arpa /etc/bind/zones/db.192.168.5
Command: named-checkzone 4.9.e.b.b.2.0.8.3.e.7.f.7.3.d.f.ip6.arpa /etc/bind/zones/db.v6.1
Command: service bind9 restart

Step 9: Configure resolv.conf
Command: vi /etc/resolv.conf
    nameserver 192.168.5.8
    nameserver 192.168.5.9
    search LinuxProject.jaap.edu
On Ubuntu 16.04 /etc/resolv.conf is generated by resolvconf, so hand edits are overwritten at the next network restart; the durable place for these values is the interface stanza in /etc/network/interfaces (dns-nameservers 192.168.5.8 192.168.5.9 and dns-search LinuxProject.jaap.edu). Verify forward and reverse resolution with dig @192.168.5.8 known.LinuxProject.jaap.edu and dig @192.168.5.8 -x 192.168.5.3.
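The reverse zones are where hand-written configuration most often goes wrong: the ip6.arpa zone name is the 16 prefix nibbles in reverse order and each PTR owner is the remaining 16 host nibbles, also reversed, so a single transposed nibble silently breaks every reverse lookup for the prefix. The script below is an added example, not part of the project's files. It derives those names from the addresses in the forward zone with Python's ipaddress module and renders reverse zone files in the same layout as db.192.168.5 and db.v6.1; the host table is constructed from the records above, and the serial is a parameter rather than the values on the page.

```python
"""Reverse-zone helpers for the BIND configuration above.

Added example, not part of the project's files. The forward records below are
constructed from the zone file on this page; everything else is derived.
"""
import ipaddress

# Forward records as listed in db.LinuxProject.jaap.edu (constructed from the page).
HOSTS = {
    "stranger1.LinuxProject.jaap.edu.": ["192.168.5.8", "fd37:f7e3:802b:be94::1"],
    "stranger2.LinuxProject.jaap.edu.": ["192.168.5.9"],
    "known.LinuxProject.jaap.edu.": ["192.168.5.3", "fd37:f7e3:802b:be94::3"],
}
PRIMARY_NS = "stranger1.LinuxProject.jaap.edu."
NAMESERVERS = [PRIMARY_NS, "stranger2.LinuxProject.jaap.edu."]
RNAME = "admin.LinuxProject.jaap.edu."


def reverse_zone_name(prefix):
    """Reverse zone apex for a prefix, e.g. 192.168.5.0/24 -> 5.168.192.in-addr.arpa.

    The prefix length must fall on a label boundary (a multiple of 8 bits for
    IPv4, 4 bits for IPv6); classless RFC 2317 delegations are out of scope.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError(f"{prefix}: prefix length is not a multiple of {bits_per_label}")
    labels = net.network_address.reverse_pointer.split(".")
    keep = net.prefixlen // bits_per_label   # labels covered by the prefix
    return ".".join(labels[-(keep + 2):])    # plus the two labels of in-addr.arpa / ip6.arpa


def ptr_owner(address, prefix):
    """Owner name of the PTR record for `address`, relative to its reverse zone."""
    net = ipaddress.ip_network(prefix, strict=True)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside {prefix}")
    zone = reverse_zone_name(prefix)
    full = addr.reverse_pointer           # e.g. 8.5.168.192.in-addr.arpa
    return full[: -(len(zone) + 1)]       # strip the trailing ".<zone>"


def render_reverse_zone(prefix, serial):
    """Render a reverse zone file for `prefix` in the layout of db.192.168.5 / db.v6.1."""
    net = ipaddress.ip_network(prefix, strict=True)
    lines = [
        "$TTL\t604800",
        f"@\tIN\tSOA\t{PRIMARY_NS} {RNAME} (",
        f"\t\t\t{serial}\t; Serial",
        "\t\t\t604800\t; Refresh",
        "\t\t\t86400\t; Retry",
        "\t\t\t2419200\t; Expire",
        "\t\t\t604800 )\t; Negative Cache TTL",
        "; NS Records",
    ]
    lines += [f"@\tIN\tNS\t{ns}" for ns in NAMESERVERS]
    lines.append("; PTR Records")
    for fqdn, addresses in HOSTS.items():
        for a in addresses:
            if ipaddress.ip_address(a) in net:   # False for the other IP version
                lines.append(f"{ptr_owner(a, prefix)}\tIN\tPTR\t{fqdn}\t; {a}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for prefix in ("192.168.5.0/24", "fd37:f7e3:802b:be94::/64"):
        print(f'; zone "{reverse_zone_name(prefix)}"')
        print(render_reverse_zone(prefix, serial=1))
```

Running it prints the zone apex to put in named.conf.local followed by the file body; feeding the output to named-checkzone with that apex is a quick way to confirm that the zone name and the PTR owners agree before the slave pulls them.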

DHCP
Step 1: Log in as root and install the DHCP server package
Command: apt-get install isc-dhcp-server

Step 2: Tell the server which interface to serve on by editing /etc/default/isc-dhcp-server
Command: vi /etc/default/isc-dhcp-server
    INTERFACES="ens33"
Save and exit.

Step 3: Edit /etc/dhcp/dhcpd.conf
Command: vi /etc/dhcp/dhcpd.conf
    default-lease-time 6000;
    max-lease-time 72000;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.5.255;
    option routers 192.168.5.254;
    option netbios-name-servers 192.168.5.8;
    option domain-name-servers 192.168.5.8, 192.168.5.9;
    option domain-name "LinuxProject.jaap.edu";
    ddns-update-style none;
    deny declines;
    deny bootp;

    subnet 192.168.5.0 netmask 255.255.255.0 {
        range 192.168.5.10 192.168.5.100;
    }

GrapeFruit uses the same file with range 192.168.5.150 192.168.5.200, so the two pools never overlap. If a server is meant to be the authority for the subnet, add authoritative; to the global section: by default isc-dhcp-server is not authoritative and stays silent instead of sending DHCPNAK to a client that asks to renew an address the server does not know about, so such clients keep a stale address.

Step 4: Test the configuration, then restart the DHCP server
Command: dhcpd -t -cf /etc/dhcp/dhcpd.conf
Command: service isc-dhcp-server restart
Issued leases are recorded in /var/lib/dhcp/dhcpd.leases, which is the first place to look when a client does not get an address.
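Two DHCP servers on one subnet do not coordinate their pools, so the only protection against handing out an address that the other server, the reservation block or a statically configured host already uses is a disjoint address plan. The script below is an added example, not part of the project. It checks the plan given on this page (both pools, the reservation range and the static hosts, plus the router 192.168.5.254 from option routers) for overlaps, addresses outside the subnet, and static hosts that fall inside a pool; the check functions are generic and can be fed any plan.

```python
"""Address-plan check for the two DHCP servers above.

Added example, not part of the project. Two DHCP servers on one subnet do not
coordinate, so the pools, the reservation block and every statically addressed
host must be disjoint; this script verifies that from the values on the page.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    name: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __contains__(self, addr):
        return self.first <= addr <= self.last

    def overlaps(self, other):
        return self.first <= other.last and other.first <= self.last

    def size(self):
        return int(self.last) - int(self.first) + 1


def pool(name, first, last):
    """Build a Pool from dotted-quad strings, rejecting a reversed range."""
    f, l = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if f > l:
        raise ValueError(f"{name}: range {first}-{last} is reversed")
    return Pool(name, f, l)


SUBNET = ipaddress.IPv4Network("192.168.5.0/24")
# Dynamic pools of both servers and the reservation block, as listed on the page.
POOLS = [
    pool("PurpleKush", "192.168.5.10", "192.168.5.100"),
    pool("reservations", "192.168.5.101", "192.168.5.149"),
    pool("GrapeFruit", "192.168.5.150", "192.168.5.200"),
]
# Statically configured hosts; each must lie outside every pool.
STATIC = {
    "PurpleKush": "192.168.5.8",
    "GrapeFruit": "192.168.5.9",
    "web server": "192.168.5.3",
    "router": "192.168.5.254",   # option routers in dhcpd.conf
}


def check_plan(subnet, pools, static):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for p in pools:
        if p.first not in subnet or p.last not in subnet:
            problems.append(f"{p.name}: {p.first}-{p.last} leaves {subnet}")
        for special in (subnet.network_address, subnet.broadcast_address):
            if special in p:
                problems.append(f"{p.name}: includes network/broadcast address {special}")
    for i, p in enumerate(pools):
        for q in pools[i + 1:]:
            if p.overlaps(q):
                problems.append(f"{p.name} overlaps {q.name}")
    for host, ip in static.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in subnet:
            problems.append(f"{host}: {ip} is outside {subnet}")
        for p in pools:
            if addr in p:
                problems.append(f"{host}: static {ip} lies inside pool {p.name}")
    return problems


def dynamic_capacity(pools):
    """Addresses available for dynamic leases, i.e. all pools except the reservation block."""
    return sum(p.size() for p in pools if p.name != "reservations")


if __name__ == "__main__":
    issues = check_plan(SUBNET, POOLS, STATIC)
    print("plan OK" if not issues else "\n".join(issues))
    print("dynamic addresses available:", dynamic_capacity(POOLS))
```

The plan on the page passes cleanly, with 142 dynamically leasable addresses; the test cases exercise the failure modes the check is for (touching pools, a static host inside a pool, a pool that swallows the broadcast address).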

Webserver
Step 1: Log in as root and install the Apache2 web server
Command: apt-get install apache2

Step 2: Check that the web server is listening on port 80
Command: netstat -a | more
Look for a LISTEN entry on *:http; netstat -tlnp shows the same entry together with the owning process.

Step 3: Restart the web server
Command: /etc/init.d/apache2 stop
Command: /etc/init.d/apache2 start

Step 4: Develop a web page for the server
Command: cd /var/www/html/public_html
Command: vi index.html
Note that the default DocumentRoot of the Ubuntu apache2 package is /var/www/html; a page in a public_html subdirectory is only served at the site root if the virtual host's DocumentRoot is pointed there.

Firewall and Security
UFW lets the system administrator set the default policy for incoming traffic and add rules on top of it. Install the package as root:
Command: apt-get install ufw

1. To block FTP requests (port 21 for the control connection, 20 for active-mode data):
Command: ufw deny from any to any port 21 proto tcp
Command: ufw deny from any to any port 20 proto tcp
2. To block telnet requests:
Command: ufw deny from any to any port 23 proto tcp

The rules must match on the destination port only. A rule of the form ufw deny from any port 21 to any port 21 proto tcp also requires the source port to be 21, which a real client never uses (clients pick an ephemeral source port), so such a rule blocks nothing. These explicit denies only matter while the default incoming policy is allow; with ufw default deny incoming everything that is not explicitly allowed is dropped anyway. Before running ufw enable, allow the services the host actually runs, in particular the SSH port that is moved to 2222 below (ufw allow 2222/tcp), or the next SSH session is locked out; ufw status verbose shows the effective rule set.

The SSH daemon is moved from port 22 to 2222 (Port 2222 in /etc/ssh/sshd_config) so that the constant automated scans and password-guessing attempts against the default port miss it. This reduces log noise rather than the attack surface, since a port scan still finds the service; key-based authentication is what actually protects the login. Root login is disabled with PermitRootLogin no. Every SSH connection to the servers, including the backup job below, must now use port 2222 (ssh -p 2222), and the firewall must allow it.

DNS is secured by restricting recursion to the acl "trusted" (192.168.5.0/24), so the server does not act as an open resolver for anyone outside the network, and by limiting zone transfers to the slave. Both settings are in named.conf.options and named.conf.local.

DHCP has the following settings for security in /etc/dhcp/dhcpd.conf: ddns-update-style none; (the server never sends dynamic DNS updates, so a client cannot plant names in the zone through the hostname it sends), deny declines; (DHCPDECLINE messages are ignored; otherwise a malicious client can decline every address it is offered and have the server mark the whole pool as abandoned) and deny bootp; (legacy BOOTP requests, which are just as unauthenticated as DHCP but receive permanent assignments with no lease expiry, are refused).

VPN
IPsec's objective is to protect IP packets; here it is used to create a virtual private network by establishing a tunnel between two hosts. The tunnel carries the private network addresses (192.168.11.8 and 192.168.11.9) over the public network addresses 192.168.5.8 and 192.168.5.9; it is a PC-to-PC (host-to-host) tunnel. In tunnel mode the entire original IP packet is encrypted, a new IP header is added and the result is sent to the other end of the tunnel. Tunnelling prevents eavesdropping and tampering on the path because the payload is encrypted and integrity-protected by ESP.

Step 1: Install the strongSwan packages used to configure the VPN
Command: apt-get install strongswan strongswan-plugin-xauth-generic

Step 2: Edit /etc/ipsec.secrets and replace the default entry with the two peers' public IP addresses and a shared secret:
    192.11.0.8 192.11.0.9 : PSK "<shared secret>"
The secret is not generated by strongSwan: choose a long random value (for example the output of openssl rand -base64 32), use the same value on both hosts, and keep the file at mode 0600, since anyone who can read it can impersonate either peer. Note that these addresses differ from the 192.168.5.8 and 192.168.5.9 given for the public side above; the secrets entry must use exactly the addresses that ipsec.conf uses for left and right on both hosts, or the PSK is never selected and the IKE exchange fails authentication.

Step 3: Restart strongSwan and check the tunnel
Command: service strongswan restart
Command: ipsec statusall
The connection should be listed as ESTABLISHED with an installed CHILD_SA; traffic between the private addresses should then appear on the 192.168.5.0/24 link as ESP packets (tcpdump -n esp) rather than as plain ICMP or TCP.
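A connection definition is needed as well, since ipsec.secrets only supplies the key. The following /etc/ipsec.conf is an added example for the host-to-host tunnel described above, not the project's own file. It assumes the public-side addresses 192.168.5.8 and 192.168.5.9 from the VPN description, the private addresses 192.168.11.8 and 192.168.11.9, IKEv2, the cipher suite shown and the connection name purplekush-grapefruit; none of these choices beyond the addresses appear on the page. The matching ipsec.secrets entry is shown as a comment so that the two files agree.

```conf
# /etc/ipsec.conf on PurpleKush (192.168.5.8); on GrapeFruit swap the left/right values.
# Matching /etc/ipsec.secrets entry on both hosts (same secret, file mode 0600):
#   192.168.5.8 192.168.5.9 : PSK "<long random secret>"

config setup
    # one IKE SA per peer; a new connection from the same peer replaces the old one
    uniqueids=yes

conn purplekush-grapefruit
    keyexchange=ikev2
    authby=secret
    type=tunnel
    # AES-256 with SHA-256 and 2048-bit DH; the trailing ! refuses any weaker proposal
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    left=192.168.5.8
    leftsubnet=192.168.11.8/32
    right=192.168.5.9
    rightsubnet=192.168.11.9/32
    # dead peer detection: rebuild the tunnel if the other host stops answering
    dpdaction=restart
    auto=start
```

Bring the tunnel up with ipsec restart (or ipsec up purplekush-grapefruit) and confirm with ipsec statusall. The private addresses must actually exist on the hosts, for example as /32 addresses on a dummy or loopback interface, otherwise the traffic selectors never match and packets to 192.168.11.9 leave unprotected or not at all. The esp= line includes a DH group so that each child SA gets its own key (perfect forward secrecy).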

NFS
Network File System (NFS) is a protocol that lets one host view, access and update files and directories that live on another host. The client can use an export only after the administrator mounts it into the client's file system tree.

Step 1: Configure the NFS server
Command: sudo apt-get install nfs-kernel-server
Edit the file /etc/exports and add on the last lines:
    /nico/f2    192.168.5.0/24(rw,sync,no_root_squash,no_subtree_check)
    /nico/f2    192.11.0.0/24(rw,sync,no_root_squash,no_subtree_check)
Apply the export table and restart the server:
Command: sudo exportfs -ra
Command: sudo service nfs-kernel-server restart

Step 2: Configure the NFS client
Command: sudo apt-get install nfs-common
Create the mount point /nico/f2 on the client, then mount the export:
Command: mkdir -p /nico/f2
Command: mount serverip:/serverpath /clientpath
showmount -e serverip lists what the server is exporting and is the quickest check that the export line took effect.

Caveat: with these options the export is NFSv3 style, so the server trusts nothing but the client's IP address, and no_root_squash means root on any client is root on /nico/f2. Every host that can obtain (or spoof) an address in 192.168.5.0/24 therefore gets root-equivalent read/write access to the exported tree. Unless root access from the client is genuinely required, drop no_root_squash (root_squash is the default and maps client root to nobody) and export to the individual server addresses instead of whole subnets.

Backup
Unexpected technical failures can occur at any time, so backups are required to prevent the loss of important data. The two servers, PurpleKush and GrapeFruit, are backed up automatically at 00:00 over SSH: the data from PurpleKush is backed up onto GrapeFruit and the data from GrapeFruit onto PurpleKush. The files to be backed up are tarred and the archive is copied to the peer with rsync over SSH, so the copy is encrypted in transit (FTP, which the firewall above blocks, would send it in clear).

Step 1: Install rsync
Command: sudo apt-get install rsync

Step 2: Install the SSH server
Command: sudo apt-get install openssh-server

Step 3: Create a key pair so the job can authenticate without a password
Command: ssh-keygen -t rsa

Step 4: Install the public key on the peer server
Command: ssh-copy-id -p 2222 -i /root/.ssh/id_rsa.pub root@GrapeFruit
Because sshd on the peer listens on 2222 the port must be given. With PermitRootLogin no (set above) this root login is refused: either use PermitRootLogin prohibit-password, which permits root only with a key, or create a dedicated backup account on the peer and copy the key to that account instead. Connect once interactively first so the peer's host key is recorded in known_hosts, or the unattended job will hang on the host-key prompt.

Step 5: Edit the crontab
Command: crontab -e

Step 6: Schedule the backup script, which runs rsync, so that the web server is backed up every day at midnight:
    0 0 * * * /home/jibs/Documents/backupApp.sh >/home/jibs/Documents/backupApp.log 2>&1
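The backup script itself (backupApp.sh) is not reproduced on the page. As an added example, not the project's own script, the Python job below does what the description says: it tars a directory into a dated archive and pushes it to the peer with rsync over SSH. It assumes the SSH port 2222 from the security section, a dedicated non-root account named backup on the peer (root login is disabled above) and a destination directory /var/backups/peer/; the account name and destination are choices made here, not taken from the page. The sample tree it can build is constructed for trying the archive step offline.

```python
"""Backup job in the shape the page describes for backupApp.sh.

Added example, not the project's own script. Tars a directory into a dated
archive and pushes it to the peer server with rsync over SSH. Assumptions made
here and not taken from the page: sshd on the peer listens on 2222, a dedicated
'backup' account receives the files (root login is disabled), and archives land
in /var/backups/peer/.
"""
import datetime
import os
import stat
import subprocess
import tarfile
import tempfile

SSH_PORT = 2222                    # the port the page moves sshd to
REMOTE_USER = "backup"             # assumption: non-root account on the peer
REMOTE_DIR = "/var/backups/peer/"  # assumption: destination directory on the peer


def make_archive(src_dir, dest_dir, stamp=None):
    """Write <dest_dir>/<basename>-<YYYYmmdd>.tar.gz of src_dir and return its path."""
    base = os.path.basename(os.path.normpath(src_dir))
    stamp = stamp or datetime.date.today().strftime("%Y%m%d")
    path = os.path.join(dest_dir, f"{base}-{stamp}.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        # store members relative to base, so a restore cannot write outside the chosen directory
        tar.add(src_dir, arcname=base)
    os.chmod(path, 0o600)          # backups often hold secrets: owner-only access
    return path


def archive_members(path):
    """Sorted member names of an archive (used to verify what was captured)."""
    with tarfile.open(path) as tar:
        return sorted(tar.getnames())


def archive_mode(path):
    """Permission bits of the archive file."""
    return stat.S_IMODE(os.stat(path).st_mode)


def rsync_command(archive, peer_host):
    """argv for pushing one archive to the peer; a list, so there are no shell quoting issues."""
    # BatchMode fails instead of prompting; StrictHostKeyChecking refuses unknown host keys,
    # so a man-in-the-middle on the LAN cannot silently receive the archive.
    ssh = f"ssh -p {SSH_PORT} -o BatchMode=yes -o StrictHostKeyChecking=yes"
    return ["rsync", "-az", "--chmod=F600", "-e", ssh,
            archive, f"{REMOTE_USER}@{peer_host}:{REMOTE_DIR}"]


def run_backup(src_dir, peer_host, work_dir=None):
    """Archive src_dir and copy the result to peer_host; returns the archive path."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="backup-")
    archive = make_archive(src_dir, work_dir)
    subprocess.run(rsync_command(archive, peer_host), check=True)
    return archive


def build_sample_tree():
    """Constructed sample input: a tiny site tree under a temp dir; returns (root, site_dir)."""
    root = tempfile.mkdtemp(prefix="sample-")
    site = os.path.join(root, "site")
    os.makedirs(site)
    with open(os.path.join(site, "index.html"), "w") as fh:
        fh.write("<h1>LinuxProject</h1>\n")
    return root, site


if __name__ == "__main__":
    # From cron on PurpleKush, e.g.: 0 0 * * * /usr/bin/python3 /usr/local/sbin/backup.py
    print(run_backup("/var/www/html", "GrapeFruit"))
```

The archive is created with owner-only permissions and rsync is told to keep files at 0600 on the peer, since a web root or /etc tree in a world-readable tarball is a common way for backups to leak what the firewall protects. Because StrictHostKeyChecking is on, the peer's host key has to be in known_hosts before the first unattended run.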

Conclusion
A robust and secure corporate network architecture was implemented, consisting of DNS servers (master and slave), DHCP servers (two masters), a web server, a virtual private network, a network file system, firewalls and backup directories; in addition a malicious web server was set up to demonstrate ARP spoofing using a Scapy script.