avans

hogeschool

Academie voor Technologie en Management Computer Science [Technische Informatica]

Period: TI::3.3::NWT-HwA project

Networktechnology (NWT) Projectassignment

J.B. Mulder Januari 2013 TI-3.3 NWT Project

TI-3.3 NWT project description and assignment, 29-01-2013 version 2.0

avans
hogeschool

1. Content
2. Introduction .............................................................................................................................. 3 3. Project targets........................................................................................................................... 3 4. System specifications ................................................................................................................ 4
4.1 Hardware .............................................................................................................................................. 4 4.2 Operating systems ................................................................................................................................ 4 4.2.1 Linux ........................................................................................................................................... 4 4.2.2 DMZ server(s)............................................................................................................................. 5 4.2.3 Workstation(s) ........................................................................................................................... 5 4.2.4 Gateway (router) ....................................................................................................................... 5 4.2.5 Image-server .............................................................................................................................. 5 Bonus 1 ............................................................................................................................................... 6 4.2.6 TSLR2'-router ............................................................................................................................ 6 Bonus 2 ............................................................................................................................................... 7 4.2.7 DMZ server(s)............................................................................................................................. 7 Bonus 3 ............................................................................................................................................... 7 4.2.8 Use of the harddrive IPC ............................................................................................................ 7 Penalty ................................................................................................................................................ 7 5. Architecture lay out ................................................................................................................................ 8 6.Organization ............................................................................................................................................ 9 Soft skills: ............................................................................................................................................ 9 Hard skills: ........................................................................................................................................... 9

TI-3.3 NWT project description and assignment, 29-01-2013 version 2.0

avans
hogeschool

2. Introduction
Broadband routers for domestically appliances can be bought for a price around 30 Euros. Typically routers of this type are equipped with 5 RJ45 gates, one for the WAN and four for the LAN side. If you take a look at the internals of the router you'll notice that the four LAN gates are driven by only one chipset. On IP level you can decide whether or not to use one LAN connected host for DMZ usage. Furthermore this kind of routers is equipped with a (micro) processor, RAM, ROM and Flash memory. On the Flash memory an OS image is installed which contains all the implemented functionality. In the ROM part you find the default configuration. On Flash you have the actual configuration. The latter one can be adjusted using an embedded webserver. Image updates are downloadable from the vendors' website and installable in the router. The product which you are going to build in this assignment, a Thin Server Linux Router 2 - `TSLR2' is quite similar in respect with the situation as drawn here above. A sort of same functionality reflect on aspects like LAN / WAN / DMZ routing; firewall (packet filtering, syn flood protection, etcetera); containment of processor, RAM and ROM; DHCP server on the LAN side; DHCP client on the WAN side; etcetera. However our product contain flash and disk memory. The OS has to be placed in the RAM of the TSLR2 . While rebooting the complete image including all configuration settings are to be downloaded from a boot server, the Image-server. Advantages with respect of this kind of machines are on aspects like costs, centralization of maintenance and security. A complete new OS, with new features, can be saved within the configuration while rebooting, so an ISP can put a new image on the Image-server and generate a reboot of the TSLR2 . Also a power loss means a network reboot (e.g. for security reasons). The hardware for the product (Thin Server Linux Router 2 - `TSLR2') is an industrial PC from Advantech, ARK-3382 . Important notice: within the system there is a hard disk mounted. This one is for other uses and so it is not allowed to be used for the configuration, the OS, of the TSLR2. The OS image for the `TSLR2' router needs to be developed on and distributed from the so-called Image-server. For the Image-server you are going to use Linux. This distribution has enough tools on board for building the OS image for the router. Besides you will need to configure the Image-server so that it can actually operate in such a way (PXE boot server).

3. Project targets
The main target of the project has to do with the dimensioning, configuring, building and distribution of an image on behalf of a (diskless) thin server (called `TSLR2 router'). This thin server is a PC system (based on industrial PC format) equipped with four NIC's. The thin server has to play the role of a routing firewall. Besides this thin server which separates a LAN (2), WAN and DMZ you will have to configure a Gateway, an Image-server and a DMZ server. For the LAN side it's enough to use a simple workstations with DHCP client capabilities. The most important project targets are listed down here: 1. Use your earlier gained knowledge and skills in a practical situation, especially on the aspects of system- and network maintenance, computer architecture and operating sys-

TI-3.3 NWT project description and assignment, 29-01-2013 version 2.0

avans
hogeschool

2. 3. 4. 5.

tem s. Filling in the im portant parts of the project according to your ow n insight. Form ulating system requirements. Project w ise w orking on a practical problem . Attention for non-functional system requirem ents.

4. System specifications
4.1Hardware
The available hardware for this project are standard PC's equipped with slots for removable hard disks. Per group three removable hard disks will be available. Besides this the hardw are of the 'TSLR2'-router is a system casing from the m anufacturer Advantech w hich is an so called Em bedded Com puter 3300 Series Com pact Box IPCs type ARK-3382 . The motherboard has a CMOS BIOS chip. In the setup menu you can adapt some parameters. The boot process of the 'TSLR2'-router should start with PXE/Etherboot with a bootROM (BIOS expansion). You can enable this feature in the BIOS settings (enable LANboot). The OS of the 'TSLR2'-router can be placed upon the com pact flash card or, even better, on a RAM disk. The Gateway should be a box equipped with tw o (at least) NIC's. One of these is used to have a connection with the Internet (through the TI labnetwork). The other NIC is needed for the connection with the TSLR2 router. The Im age-server, in the cloud, m ust be able to serve PXE and TFTP requests as well as NFS requests. The Gateway uplink is connected on `the TI labnetwork' using the blue straight cable. Gateway and Industrial PC must can be connected using a cross cable (black with red connectors). At the IPC side determine which outlet to use (its a special job!). The IPC and DM Z com puter m ust be connected using a cross cable too. The IPC and LAN-PC's and also the access point (AP) are connected using the desktop sw itch device, using a patch cable.

4.2 Operating systems

4.2.1 Linux
For the Image-server you are going to use a Linux distribution equipped with all the necessary tools. If you want to build a Linux image for the thin server you need kernel source code, GCC compiler and all other stuff to build a network bootable mini kernel. Which Linux distribution you want to use is upon to you. The 'TSLR2'-router must be able to boot with a network boot protocol (PXE). For this the Linux kernel is downloaded from the Image-server. And after download the other parts of the operating system ought to be fetched from the Image-server using NFS. The simple solution. A more complicated solution, and to be preferred, is by building a network bootable image containing the kernel, the operating system and the necessary applications. Pro for this solution is

TI-3.3 NWT project description and assignment, 29-01-2013 version 2.0

avans
hogeschool

that the router keeps functioning even when the network connection with the Image-server is lost (provides a higher grade). The best solution is to place a complete network bootable image on a RAM disk in the TSLR2 (provides the highest grade).

4.2.2 DMZ server(s)

The DMZ must contain (at least) one server box which must be equipped with a number of network services. Some of these services must be reachable for the outside world, but also from the LAN. Others must be only reachable from the LAN. Also for this server (or these servers) you'll have to choose an operating system. Which one to choose? Well, that is up to you. But obviously the same Linux distribution as you're using for the Gateway can be a good choice.

4.2.3 Workstation(s)
On the LAN side of the router we will only find DHCP-client workstations. These workstations may be equipped with any (non server) operating system you like. IP numbers and other important data are gained from the 'TSLR2'-router.

4.2.4 Gateway (router)

As said before the Gateway should be a box containing two NIC's. This machine is used for isolating your project network from the TI labnetwerk. It serves the routing from and to de TI labnetwerk and it act as DHCP server and as root DNS (one of all the DNSs as TLD for the other groups). See also figure 1 on page 8. The Im age-server separates your ow n WAN' (10.0.Y.0/24) from the TI labnetw erk (145.48.132.0/24) netw ork. In this picture the uplink NIC from the Gateway uses a dynamical IP address on the TI labnetwerk side. The g at ew ay al so act s as r o ot DNS server. The second NIC inside the Gateway is the router for your WAN', which actually consists of no more than two NICs (Gateway side and 'TSLR2'-router side) and an UTP cross cable. Network number of this WAN' should be 10.0.Y.0/24. In this Y equals your group number what is going to be determined and published on Blackboard. The NIC of itself has IP address 10.0.Y.1. The other device which is connected at your WAN' is the 'TSLR2' router. Obviously this NIC has the fixed IP address 10.0.Y.2. The host Gateway must be able doing the next: Dynam ical IP address on the TI labnetw erk side; DHCP-server on the WAN' side [w ith M AC-authentication]; DNS server [top level domain e.g. .tajo or .mujp or .japi (etc) - distributed by the teachers, but also second level zone e.g. mycom pany.m ujp packet filtering.

4.2.5 Image-server
As a 'boot Image-server it must be a (only on the WAN' side): PXE boot server for 'TSLR2' router

TI-3.3 NWT project description and assignment, 29-01-2013 version 2.0

avans
hogeschool

TFTP server N FS ser v er

Bonus 1
Webserver with PHP and MySQL [because of choice of an image]. This webserver must be reachable from within the LAN, so a client can choose a different kind of image for his router.

4.2.6 TSLR2'-router
The `TSLR2' router needs to contain a lot of functionality in which it will differ from interface to interface. As mentioned before the `TSLR2' router has four NIC's: a WAN, two LANs and a DMZ interface. Globally speaking the `TSLR2' router must be able to filter and route the packets between the four interfaces. The `TSLR2' router acts during the boot process as a PXE, DHCP and TFTP client (on the `WAN' interface). By this the bootstrap loader, the kernel with RAM file system and other functionality will be loaded and initialized. As soon as the router is started up the `TSLR2' router must behave as a routing firewall. With this you should think about the next: Regarding IP addresses: o The `WAN' interface has acquired an IP address through DHCP from the Gateway. On the `LAN' interface the `TSLR2' router runs a DHCP server. It serves the IP addresses 192.168.1.0/24 and 192.168.2.0/24. The `LAN' interface itself has IP address 192.168.x.1. The netw ork num ber of the `DM Z' is 192.168.250.0/24. Servers inside the `DMZ' have fixed IP addresses (e.g. 192.168.250.2). The IP address of the `DM Z' interface is 192.168.250.1. Regarding routing: o Routing between the four NIC's should be based on static routing. Regarding the firew all: o o State full packet filtering should be possible between the four NIC's. The `WAN' side needs to be protected against: Port-scans (e.g. by nmap) Initializing TCP connections (exception: if allowed by the packet filtering rule set, pass them to server inside DMZ e.g. a setup connection from a client in the outside world to the webserver); Incoming UDP packet which do not belong to a previously outgoing UDP packet (except those which are allowed by the filtering rules); ICM P t r af f i c.

On the `DMZ' interface you need to pay attention on: Initializing TCP connections from a DMZ server towards the LAN are for-

TI-3.3 NWT project description and assignment, 29-01-2013 version 2.0

avans
hogeschool

bidden. o At the `LAN' interface you have to look at: Normal traffic from a LAN workstation to a DMZ server or directly to the Internet is allowed.

Regarding logging / m aintenance: o Every im portant kind of anom aly needs to be logged. So all kernel loggings from the `TSLR2' router should be redirected to a designated server within the 'DMZ'. This is because when the `TSLR2' router reboots the logs are stored elsewhere. o A SSH shell for viewing statistics on the interfaces, accessible from the LAN side only.

Bonus 2
o A (small) web server by which you're capable to view the statistics (e.g. send and received frames per interface) and the state of the `TSLR2' router (and change it, e.g. throw the WAN' interface down [and up]).

4.2.7 DMZ server(s)

In principle you could have more than one (physical) server within the DMZ. Probably in case of this project you will have only one. The services we minimally expect are the following: A webserver (www.mycompany.mycountry) supported with PHP and MySQL, reachable from within both the LAN and the WAN on ports 80 and 443; A SSH server, reachable from w ithin the LAN only; A FTP server (ftp.mycompany.mycountry) which has anonymous access from within the LAN only, and authorized access from the WAN side; A logger server for both the DM Z servers and the `TSLR2' router; A primairy DNS server which is authorative for the subzone (<mycompany>.<mycountry>). The secondary DNS server runs on the Imageserver.

Bonus 3
An IDS (e.g. Snort) for analyzing the loggings from the `TSLR2' router, but also for the most important DM Z servers. On the (web/ftp/ssh) server only one normal user account (besides root) is allowed. Connecting w ith the ftp or ssh server w ith the root account is because of security issues not allow ed. The server boxes only may run the minimum required services.

4.2.8 Use of the harddrive IPC

Penalty
M ake use of the harddrive in the IPC in one or another w ay stands for a penalty.

TI-3.3 NWT project description and assignment, 29-01-2013 version 2.0

avans
hogeschool

5. Architecture lay out

In the figure below you can see a graphical display of the different parts related to this assignment. Details have been given on the previous pages. If you still have questions, ask the teachers.

Figure 1; The configuration

TI-3.3 NWT project description and assignment, 29-01-2013 version 2.0

avans
hogeschool

6.

6. Organization
The project is scheduled in the classrooms 61.207 and 61.206 for a period of five working days. The start is on Wednesday in week 4, GO/NO-GO. The first four weeks are for preparation on the project. For the exact schedule see your roster. Of course you can start m ore rather w ith the project w hen you think of having lesser tim e necessary for the preparation, but only after getting a GO. M oreover also on other days then Wednesday you m ay w ork on your project. The available hardware is: one industrial PC (TSLR2 router) per group (two students each). Three removable hard disks, each to install the preferred Linux OS. All the work you have to do with your group. On some aspects you can ask for help. Everything you need (procedures, howto's, relevant documentation etcetera) can be found on the Internet. We expect a great level of independency.

The project deadline is Wednesday morning week 9, schedule follows. On this last day each group gives a presentation (non classical) about and a demonstration of their Network environment. Most important issues hereby are the 'TSLR2' router (provided with the required services) which must be able to boot from the Image-server. Also the DMZ services are important but they can have a lower priority (ask the teacher for approval before!). Inclusive in this presentation is the assessment of the part NWT/HwA. During the complete project we will pay attention to the next:

Soft skills:
Ability to analyze - requirem ents analysis & prioritization, The design pr oces, Level of independency, Level of cooperation, Pr o d u ct i vi t y, W o r ki n g et h o s, e.g. w o r ki n g t i m es (ar r i vi n g t o l at e o r l eavi n g sch o o l b ef o r e 16.00 h o ur s, w h i l e t h e l ab i s esp eci al l y r eser v ed f or y ou ) Et cet er a.

Hard skills:
The direct results of the project, The results of the separate (self defined) targets, Creativity and originality. Each person gets a principally individual end mark for the project. The end mark for the group is leading in this. Wednesday in week 9 can be used as an extra day for those who did not finish in time, but is actually penalty time. The assessment will then take place in week 10

TI-3.3 NWT project description and assignment, 15-02-2012 version 1.1