avans
hogeschool
1. Content
2. Introduction
3. Project targets
4. System specifications
   4.1 Hardware
   4.2 Operating systems
       4.2.1 Linux
       4.2.2 DMZ server(s)
       4.2.3 Workstation(s)
       4.2.4 Gateway (router)
       4.2.5 Image-server
             Bonus 1
       4.2.6 'TSLR2'-router
             Bonus 2
       4.2.7 DMZ server(s)
             Bonus 3
       4.2.8 Use of the hard drive in the IPC
             Penalty
5. Architecture layout
6. Organization
   Soft skills
   Hard skills
2. Introduction
Broadband routers for domestic use can be bought for around 30 euros. Typically a router of this type has five RJ45 ports: one for the WAN side and four for the LAN side. If you look at the internals of the router you will notice that the four LAN ports are driven by a single switch chipset. At IP level you can designate one LAN-connected host as the DMZ host. Furthermore such a router contains a (micro)processor, RAM, ROM and flash memory. On the flash memory an OS image is installed which contains all the implemented functionality. The ROM holds the default configuration and the flash holds the actual configuration, which can be adjusted through an embedded web server. Image updates can be downloaded from the vendor's website and installed on the router.

The product you are going to build in this assignment, a Thin Server Linux Router 2 ('TSLR2'), is quite similar to the situation sketched above. The same kind of functionality is expected: LAN / WAN / DMZ routing; a firewall (packet filtering, SYN flood protection, etcetera); a processor, RAM and ROM; a DHCP server on the LAN side; a DHCP client on the WAN side; etcetera. Although our product does contain flash and disk memory, the OS has to be placed in the RAM of the TSLR2. On every reboot the complete image, including all configuration settings, is downloaded from a boot server, the Image-server. The advantages of this kind of machine lie in cost, centralized maintenance and security: an ISP can put a new image, with new features and configuration, on the Image-server and trigger a reboot of the TSLR2, after which the router runs the new OS. A power loss likewise results in a fresh network boot from a clean image, which is also a security advantage. The hardware for the product (Thin Server Linux Router 2, 'TSLR2') is an industrial PC from Advantech, the ARK-3382.
Important notice: the system contains a hard disk. This disk is meant for other uses and may therefore not be used for the configuration or the OS of the TSLR2. The OS image for the 'TSLR2' router has to be developed on, and distributed from, the so-called Image-server. For the Image-server you will use Linux; this distribution has enough tools on board for building the OS image for the router. Besides that you will need to configure the Image-server so that it can actually operate as a PXE boot server.
3. Project targets
The main target of the project is the dimensioning, configuring, building and distribution of an image for a (diskless) thin server, called the 'TSLR2 router'. This thin server is a PC system (industrial PC format) equipped with four NICs. The thin server has to play the role of a routing firewall. Besides this thin server, which separates two LANs, a WAN and a DMZ, you will have to configure a Gateway, an Image-server and a DMZ server. For the LAN side simple workstations with DHCP client capabilities are sufficient. The most important project targets are:
1. Use your earlier gained knowledge and skills in a practical situation, especially in the areas of system and network maintenance, computer architecture and operating systems.
2. Fill in the important parts of the project according to your own insight.
3. Formulate system requirements.
4. Work in a project-wise manner on a practical problem.
5. Pay attention to non-functional system requirements.
4. System specifications
4.1 Hardware
The available hardware for this project consists of standard PCs equipped with slots for removable hard disks. Three removable hard disks are available per group. Besides this, the hardware of the 'TSLR2'-router is a system casing from the manufacturer Advantech, a so-called Embedded Computer 3300 Series Compact Box IPC, type ARK-3382. The motherboard has a CMOS BIOS chip; in the setup menu you can adapt some parameters. The boot process of the 'TSLR2'-router should start with PXE/Etherboot from a boot ROM (BIOS expansion). You can enable this feature in the BIOS settings (enable LAN boot). The OS of the 'TSLR2'-router can be placed on the compact flash card or, even better, on a RAM disk.

The Gateway should be a box equipped with (at least) two NICs. One of these is used for the connection with the Internet (through the TI lab network); the other NIC is needed for the connection with the TSLR2 router. The Image-server, in the cloud, must be able to serve PXE and TFTP requests as well as NFS requests.

The Gateway uplink is connected to 'the TI lab network' using the blue straight cable. Gateway and industrial PC must be connected using a cross cable (black with red connectors); at the IPC side you have to determine which port to use (a special job!). The IPC and the DMZ computer must be connected with a cross cable too. The IPC, the LAN PCs and the access point (AP) are connected through the desktop switch, using patch cables.
that the router keeps functioning even when the network connection with the Image-server is lost (provides a higher grade). The best solution is to place a complete network bootable image on a RAM disk in the TSLR2 (provides the highest grade).
4.2.3 Workstation(s)
On the LAN side of the router we will only find DHCP-client workstations. These workstations may be equipped with any (non-server) operating system you like. IP addresses and other configuration data are obtained from the 'TSLR2'-router.
4.2.5 Image-server
As boot Image-server it must be a PXE boot server for the 'TSLR2' router (reachable on the 'WAN' side only); the PXE, TFTP and NFS services mentioned in 4.1 belong to this role.
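As an added example, not part of the assignment text: the shell script below lays out the TFTP tree that the Image-server serves to the PXE ROM of the 'TSLR2', and prints the dnsmasq options the Gateway's DHCP server has to hand out on the router's 'WAN' segment so that the PXE client is pointed at the Image-server (see 4.1 for the PXE/TFTP/NFS roles). It offers two boot entries: the preferred one loads the kernel plus an initramfs that holds the complete root file system, so the router runs entirely from RAM and keeps working when the Image-server disappears; the alternative mounts the root over NFS and depends on the server. The Image-server address 10.0.0.10, the 'WAN' segment 172.16.0.0/24, the Gateway interface name, the path names and the file names are assumptions.

```shell
#!/bin/sh
# Image-server side of the PXE boot described in 4.1 and 4.2.5 (added example).
# Addresses, paths and file names below are assumptions for this example.
IMAGE_SERVER=10.0.0.10          # assumed address of the Image-server (lab cloud)
WAN_NET=172.16.0.0/24           # assumed segment between Gateway and TSLR2 'WAN'
NFS_EXPORT=/srv/nfs/tslr2       # assumed NFS root export for the NFS variant

# Create <root>/tftpboot with a pxelinux configuration and print its path.
# Label "ram" (default): kernel + initramfs holding the complete root file
# system; after boot the router no longer needs the Image-server.
# Label "nfs": small initrd, root mounted over NFS; dies when the server is gone.
write_pxe_tree() {
  root=$1
  mkdir -p "$root/tftpboot/pxelinux.cfg" "$root/tftpboot/tslr2"
  cat > "$root/tftpboot/pxelinux.cfg/default" <<EOF
DEFAULT ram
PROMPT 0
TIMEOUT 30

LABEL ram
  KERNEL tslr2/vmlinuz
  APPEND initrd=tslr2/rootfs.cpio.gz console=ttyS0,115200

LABEL nfs
  KERNEL tslr2/vmlinuz
  APPEND initrd=tslr2/initrd-nfs.gz root=/dev/nfs nfsroot=$IMAGE_SERVER:$NFS_EXPORT,ro ip=dhcp
EOF
  echo "$root/tftpboot/pxelinux.cfg/default"
}

# dnsmasq lines for the Gateway's DHCP server on the interface facing the
# TSLR2: lease an address and point the PXE ROM (next-server/filename) at the
# Image-server's TFTP service. $1 is the Gateway's interface name.
gateway_dhcp_lines() {
  cat <<EOF
interface=$1
dhcp-range=172.16.0.50,172.16.0.100,12h
dhcp-boot=pxelinux.0,imageserver,$IMAGE_SERVER
EOF
}

# /etc/exports line on the Image-server for the NFS variant.
nfs_export_line() {
  echo "$NFS_EXPORT $WAN_NET(ro,no_root_squash,no_subtree_check)"
}

# Usage: sh pxe-imageserver.sh /srv
if [ -n "${1:-}" ]; then
  write_pxe_tree "$1"
  gateway_dhcp_lines eth1
  nfs_export_line
fi
```

Copy pxelinux.0 and ldlinux.c32 from your distribution's syslinux package into tftpboot, pack the root file system of your image into rootfs.cpio.gz (cpio newc format, gzip compressed) and run a TFTP daemon with tftpboot as its root. The Gateway must route the TFTP (and, for the NFS variant, NFS) traffic from the 'WAN' segment to the Image-server. The RAM variant needs enough memory on the ARK-3382 for kernel, initramfs and the unpacked root, which is exactly the dimensioning part of the project.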
Bonus 1
A web server with PHP and MySQL, used for choosing an image. This web server must be reachable from within the LAN, so that a client can choose a different image for his router.
4.2.6 'TSLR2'-router
The 'TSLR2' router needs to contain a lot of functionality, which differs from interface to interface. As mentioned before the 'TSLR2' router has four NICs: a WAN, two LAN and a DMZ interface. Globally speaking the 'TSLR2' router must be able to filter and route packets between the four interfaces. During the boot process the 'TSLR2' router acts as a PXE, DHCP and TFTP client (on the 'WAN' interface). In this way the bootstrap loader, the kernel with RAM file system and the other functionality are loaded and initialized. As soon as the router is up, the 'TSLR2' router must behave as a routing firewall. Think about the following:

Regarding IP addresses:
- The 'WAN' interface acquires its IP address through DHCP from the Gateway.
- On the 'LAN' interfaces the 'TSLR2' router runs a DHCP server. It serves addresses from 192.168.1.0/24 and 192.168.2.0/24, one network per LAN interface. A 'LAN' interface itself has IP address 192.168.x.1 (x = 1 or 2).
- The network number of the 'DMZ' is 192.168.250.0/24. Servers inside the 'DMZ' have fixed IP addresses (e.g. 192.168.250.2). The IP address of the 'DMZ' interface is 192.168.250.1.

Regarding routing:
- Routing between the four NICs should be based on static routing.

Regarding the firewall:
- Stateful packet filtering should be possible between the four NICs.
- The 'WAN' side needs to be protected against:
  - port scans (e.g. by nmap);
  - initiating TCP connections (exception: if allowed by the packet filtering rule set, pass them to a server inside the DMZ, e.g. a connection setup from a client in the outside world to the web server);
  - incoming UDP packets which do not belong to a previous outgoing UDP packet (except those which are allowed by the filtering rules);
  - ICMP traffic.
- On the 'DMZ' interface you need to pay attention to the following: initiating TCP connections from a DMZ server towards the LAN is forbidden.
- At the 'LAN' interface you have to look at the following: normal traffic from a LAN workstation to a DMZ server or directly to the Internet is allowed.
Regarding logging / maintenance:
- Every important kind of anomaly needs to be logged. All kernel logging of the 'TSLR2' router should therefore be redirected to a designated server within the 'DMZ': the router runs from RAM, so after a reboot the local logs are gone and they have to be stored elsewhere.
- An SSH shell for viewing statistics on the interfaces, accessible from the LAN side only.
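As an added example, not part of the assignment text: the script below generates the iptables rules for the routing firewall specified above (stateful filtering, a locked-down 'WAN' side, the DNAT exception towards the DMZ web server, no new TCP connections from the DMZ into the LANs, LAN workstations free towards DMZ and Internet, SSH to the router from the LAN only, and rate-limited logging of what is dropped). It prints the commands instead of executing them; on the router, run it as root and pipe the output into sh. The interface names eth0 to eth3, the DMZ web server address 192.168.250.2 (the example fixed address from the text) and the decision to masquerade LAN and DMZ traffic behind the 'WAN' address are assumptions.

```shell
#!/bin/sh
# Rule generator for the 'TSLR2' routing firewall of 4.2.6 (added example).
# Prints the iptables commands; on the router run "sh tslr2-fw.sh | sh" as root.
# Interface names, the DMZ web server address and masquerading are assumptions.
WAN=eth0                # DHCP client towards the Gateway
LAN1=eth1               # 192.168.1.1/24, DHCP server for the first LAN
LAN2=eth2               # 192.168.2.1/24, DHCP server for the second LAN
DMZ=eth3                # 192.168.250.1/24
DMZ_WEB=192.168.250.2   # the example fixed DMZ address from the text

ipt() { printf 'iptables %s\n' "$*"; }

emit_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "sysctl -w net.ipv4.tcp_syncookies=1"        # SYN flood protection
  ipt -F; ipt -t nat -F; ipt -X
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT      # the router itself may talk out: DHCP on WAN, syslog to DMZ

  # Stateful core: replies and related packets pass, invalid ones never do.
  for chain in INPUT FORWARD; do
    ipt -A $chain -m conntrack --ctstate INVALID -j DROP
    ipt -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  ipt -A INPUT -i lo -j ACCEPT

  # WAN side: a NEW TCP packet must be a plain SYN (defeats NULL/FIN/XMAS scans),
  # no ICMP from outside, and UDP that does not answer an outgoing flow is
  # already gone because only ESTABLISHED/RELATED passed above.
  ipt -A INPUT -i $WAN -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  ipt -A FORWARD -i $WAN -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
  ipt -A INPUT -i $WAN -p icmp -j DROP
  ipt -A FORWARD -i $WAN -p icmp -j DROP
  ipt -A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT   # DHCP answers from the Gateway

  # The one permitted inbound connection: WAN -> DMZ web server, via DNAT.
  ipt -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
  ipt -A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

  for lan in $LAN1 $LAN2; do
    # A DMZ server may never open a TCP connection into a LAN.
    ipt -A FORWARD -i $DMZ -o $lan -p tcp -m conntrack --ctstate NEW -j DROP
    # LAN workstations: DHCP and SSH to the router, anything towards DMZ and Internet.
    ipt -A INPUT -i $lan -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i $lan -o $DMZ -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i $lan -o $WAN -m conntrack --ctstate NEW -j ACCEPT
  done
  ipt -t nat -A POSTROUTING -o $WAN -j MASQUERADE   # private LAN/DMZ ranges behind the WAN address

  # Whatever falls through is logged (rate limited) before the DROP policy hits;
  # the kernel log is shipped to the syslog server in the DMZ.
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix '"TSLR2-in-drop: "'
  ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix '"TSLR2-fwd-drop: "'
}

# Number of filter-table rules produced, as a sanity check.
rule_count() { emit_rules | grep -c '^iptables -A'; }

emit_rules
```

Traffic between the two LANs and from the DMZ towards the Internet is not mentioned in the specification and therefore falls through to the default DROP; add explicit rules if your design needs them. The rule set is not persisted anywhere: like the rest of the router it lives in RAM, so the script has to be part of the image that the Image-server distributes.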
Bonus 2
- A (small) web server through which you can view the statistics (e.g. sent and received frames per interface) and the state of the 'TSLR2' router, and change it (e.g. take the 'WAN' interface down [and up again]).
Bonus 3
An IDS (e.g. Snort) for analyzing the logging from the 'TSLR2' router, but also from the most important DMZ servers. On the (web/ftp/ssh) server only one normal user account (besides root) is allowed. Connecting to the ftp or ssh server with the root account is not allowed, for security reasons. The server boxes may only run the minimum required services.
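As an added example, not part of the assignment text: the script below is a first, minimal analysis of the kernel log that the 'TSLR2' router forwards to the syslog server in the DMZ (see 'Regarding logging / maintenance'), the kind of check an IDS as in Bonus 3 automates. The log lines are constructed to resemble netfilter LOG output; the prefixes TSLR2-in-drop: and TSLR2-fwd-drop:, the interface names (eth0 WAN, eth1 LAN, eth3 DMZ), the addresses and the scan threshold are assumptions. It reports sources that hit many different ports on the WAN side (what a port scan such as nmap produces, as opposed to retries to one port) and counts blocked connection attempts from the DMZ into the LAN.

```shell
#!/bin/sh
# Constructed sample of kernel log lines as received from the 'TSLR2' router
# on the DMZ syslog host (added example). The format mimics netfilter LOG
# output (fields SRC=, DPT=); prefixes and interface names are assumptions.
SAMPLE_LOG='Mar  3 10:00:01 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=172.16.0.50 PROTO=TCP SPT=44123 DPT=21 SYN
Mar  3 10:00:01 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=172.16.0.50 PROTO=TCP SPT=44124 DPT=22 SYN
Mar  3 10:00:01 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=172.16.0.50 PROTO=TCP SPT=44125 DPT=23 SYN
Mar  3 10:00:02 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=172.16.0.50 PROTO=TCP SPT=44126 DPT=25 SYN
Mar  3 10:00:02 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=172.16.0.50 PROTO=TCP SPT=44127 DPT=443 SYN
Mar  3 10:00:02 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=203.0.113.7 DST=172.16.0.50 PROTO=TCP SPT=44128 DPT=3389 SYN
Mar  3 10:00:05 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=198.51.100.9 DST=172.16.0.50 PROTO=TCP SPT=51000 DPT=8080 SYN
Mar  3 10:00:08 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=198.51.100.9 DST=172.16.0.50 PROTO=TCP SPT=51000 DPT=8080 SYN
Mar  3 10:00:14 tslr2 kernel: TSLR2-in-drop: IN=eth0 OUT= SRC=198.51.100.9 DST=172.16.0.50 PROTO=TCP SPT=51000 DPT=8080 SYN
Mar  3 10:01:00 tslr2 kernel: TSLR2-fwd-drop: IN=eth3 OUT=eth1 SRC=192.168.250.2 DST=192.168.1.20 PROTO=TCP SPT=40000 DPT=445 SYN
Mar  3 10:01:03 tslr2 kernel: TSLR2-fwd-drop: IN=eth3 OUT=eth1 SRC=192.168.250.2 DST=192.168.1.20 PROTO=TCP SPT=40001 DPT=139 SYN'

# Print "SRC count" for every WAN source whose dropped packets hit at least
# $1 distinct destination ports (default 5). Retries to a single port stay
# below the threshold; a scan sweeps many ports and crosses it.
scan_suspects() {
  awk -v thr="${1:-5}" '
    /TSLR2-in-drop:/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }'
}

# Count blocked connection attempts from the DMZ interface into either LAN;
# any non-zero value means a DMZ host is probing the inside and deserves a look.
dmz_to_lan_attempts() {
  awk '/TSLR2-fwd-drop:/ && /IN=eth3 / && /OUT=eth[12] / { n++ } END { print n + 0 }'
}

# Stand-alone run: analyse the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 5
printf '%s\n' "$SAMPLE_LOG" | dmz_to_lan_attempts
```

On the real syslog host, feed the router's log file to the two functions instead of the sample (for instance from a cron job) and let the threshold follow what your LAN normally produces; a real IDS adds time windows and signatures, but the distinction between "many ports from one source" and "one port, many retries" is the core of port scan detection.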
Penalty
Making use of the hard drive in the IPC in any way results in a penalty.
6. Organization
The project is scheduled in classrooms 61.207 and 61.206 for a period of five working days. The start is on Wednesday in week 4 (GO/NO-GO). The first four weeks are for preparation of the project; for the exact schedule see your roster. Of course you can start earlier with the project when you think you need less time for the preparation, but only after getting a GO. Moreover, you may also work on your project on days other than Wednesday. The available hardware is: one industrial PC (TSLR2 router) per group (two students each) and three removable hard disks, each to install the preferred Linux OS on. All the work has to be done within your group. On some aspects you can ask for help. Everything you need (procedures, howtos, relevant documentation, etcetera) can be found on the Internet. We expect a high level of independence.
The project deadline is Wednesday morning of week 9; the schedule follows. On this last day each group gives a (non-classical) presentation about, and a demonstration of, their network environment. The most important issue is the 'TSLR2' router (provided with the required services), which must be able to boot from the Image-server. The DMZ services are important too, but they may be given a lower priority (ask the teacher for approval beforehand!). The assessment of the NWT/HwA part is included in this presentation. During the whole project we will pay attention to the following:
Soft skills:
- Ability to analyze: requirements analysis and prioritization
- The design process
- Level of independence
- Level of cooperation
- Productivity
- Working ethos, e.g. working times (arriving too late or leaving school before 16.00 hours, while the lab is especially reserved for you)
- Etcetera
Hard skills:
- The direct results of the project
- The results of the separate (self-defined) targets
- Creativity and originality

In principle each person gets an individual end mark for the project; the end mark for the group is leading in this. Wednesday of week 9 can be used as an extra day for those who did not finish in time, but this is actually penalty time. The assessment will then take place in week 10.