Network Configuration and Security
Introduction
For this assignment you will use the CORE network emulator to complete a series of tasks on an individual CORE configuration file that is generated for you. To download your individual CORE configuration file, open the subject's Moodle page, navigate to the Assessments section and follow the provided instructions for Assignment 2. The downloaded *.imn file is delivered in zip format; unzip it before use.

You must write a report that explains the changes you make and the configuration you add to achieve the goals of each task, your reasons for each change or configuration, and the tests you perform to check that the task is accomplished. Your submitted CORE file will be marked by running the configuration and testing that the tasks are completed. The report will serve as a reference and may be checked during marking. However, if a test fails when running your submitted CORE file, you will receive no mark for that failed test (i.e. that part of a task) regardless of the explanations in the report. If tasks are similar you only need to explain your reasons once, and then simply report the changes you make to the individual services on each node.
Network Structure
The provided network is comprised of two organisations labelled Talos and Delos, a router named Internet playing the role of the Internet, and a global DNS server named clio. The internal subnets of Talos are labelled Internal, and the public servers of the Talos network are placed in a separate subnet named DMZ. The Internet-facing router of the Talos organisation, R3, is also its network firewall. The Delos network is divided into two subnets: (i) a subnet for the organisation's clients and private servers and (ii) a subnet for its public servers. The public servers of Delos are named apollo, artemis, and demeter, providing web, domain name, and mail services respectively.
DNS Setup
The CORE file is configured to resolve the domain names between the two organisations, talos.edu and delos.edu. This is achieved through a global DNS server named clio. The server only resolves names for the two domains in the configuration (talos.edu and delos.edu), by forwarding each request to the corresponding nameserver for that domain and sending the response back to the requesting client. Each DNS server in the aforementioned networks must have access to UDP port 53 of the server clio, as the organisation DNS servers resolve names on behalf of their respective clients. You do not need to make any changes to the DNS servers; this section only explains the DNS setup.
Important Notes
• It is recommended to use tcpdump if you wish to capture traffic and observe whether packets reach their intended destination while working on the tasks. To use tcpdump, right-click a node, select tcpdump from the provided list and then choose the intended interface. You can also run tcpdump from the command line: the command tcpdump -l -i eth0 prints a summary of the packets captured on the eth0 interface in the terminal. To write the captured packets to a file, add the -w option followed by a filename. For instance, running tcpdump -w /home/muni/R3eth3.pcap -i eth3 on the node R3 captures the traffic on its eth3 interface and stores the frames in a file named R3eth3.pcap under the /home/muni directory. You can then stop the capture with Control+C and use Wireshark to analyse the captured packets.
• Any changes you make to the nodes while the emulation is running will be lost when you stop the emulation. You can test the changes you want to make while the emulation is running and, once you have the correct commands, add them through the GUI in the proper service. For example, to add static routes to a router that persist and are stored with the configuration file, add the ip route add commands to the StaticRoute service of that router.
• If you make changes to a CORE configuration file and then close the CORE window without saving, you will not be warned and the changes will be lost. If you wish to keep the changes you have made, you must save before closing the CORE window.
• Make sure to keep a backup of your CORE file in the shared folder, so that if you encounter issues with your VM and need to replace it you do not lose the work you have done. It is your responsibility to back up your work.
• You must not change the name of any node in the given configuration file.
Tasks
Task A: Routing
[35 +10 = 45 Marks]
The routing tables of the routers in the provided network are not configured. A correct configuration for this task allows any host on any network to reach any other host in the entire network. You must satisfy the following requirements while completing this task:
1. All hosts inside the talos.edu network must be reachable from any other host within that network through an optimal path. You need to add static routes to routers R1, R2, R3, and R4 to accomplish this goal. You must explain your reasons for choosing a path in the report. The notation us on links represents the propagation delay in microseconds. You can assume that the processing delay is negligible.
2. The router R3 must be the default gateway of the talos.edu network. The router Internet must be the default gateway of R3 and of minerva (the only router of Delos). You will lose marks if you create routing loops.
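As an added illustration of this task (not part of the assignment material or of CORE): a small POSIX shell script that turns a routing plan into the ip route add lines for one router's StaticRoute service and follows the next hops for a destination from router to router, so a routing loop in the plan is caught before the emulation is run. The router names are the ones in this assignment; all subnets and next-hop addresses are constructed placeholders.

```shell
#!/bin/sh
# Constructed routing plan (placeholder addresses, not those of your .imn file):
# one line per router / destination / next-hop router / next-hop address.
# "direct -" means the destination subnet is attached to that router itself.
PLAN='
R1 10.0.20.0/24 R2 10.0.12.2
R2 10.0.20.0/24 direct -
R3 10.0.20.0/24 R2 10.0.23.2
R4 10.0.20.0/24 R3 10.0.34.1
R3 default Internet 203.0.113.1
R4 default R3 10.0.34.1
'

# Print the lines to paste into the StaticRoute service of the given router.
emit_routes() {
  echo "$PLAN" | while read -r rtr dst nh addr; do
    [ "$rtr" = "$1" ] && [ "$nh" != "direct" ] || continue
    printf 'ip route add %s via %s\n' "$dst" "$addr"
  done
}

# Follow the next hops for a destination from a starting router and print the
# chain of routers; reaching a router a second time means the plan has a loop.
trace_path() {
  dst=$1; cur=$2; seen=""
  while :; do
    case " $seen " in *" $cur "*) echo "$seen LOOP"; return 1;; esac
    seen="${seen:+$seen }$cur"
    nh=$(echo "$PLAN" | awk -v r="$cur" -v d="$dst" '$1==r && $2==d {print $3}')
    case "$nh" in
      direct) echo "$seen (direct)"; return 0;;
      "")     echo "$seen (no route)"; return 1;;
    esac
    cur=$nh
  done
}

emit_routes R3                 # lines for R3's StaticRoute service
trace_path 10.0.20.0/24 R4     # R4 R3 R2 (direct)
```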
Task B: DHCP Server
[8 + 2 = 10 Marks]
The clients of Delos are configured with static IP addresses. Your task is to:
1. Configure a DHCP server on the node minerva to assign dynamic IP addresses and the other required settings to the client machines in the clients subnet. You can use the DHCP server configuration on R1 as a reference.
2. Enable the DHCP client service on the clients of Delos.
Note: The node leto is a private local server in the clients subnet and must keep the static IP address assigned in the given configuration.
Task C: Firewall
[45 Marks]
The node R3 is the firewall of the Talos network. Configure the Firewall service on this node to satisfy the following requirements:
1. Allow traffic from anywhere to the DMZ for the service provided by each server. This must be limited to only the public service that a server provides: dns only DNS, web only HTTP, mail only SMTP.
2. Allow servers in the DMZ to initiate a communication if it is required by the service the server provides, and only for that service (stateful inspection: DMZ → External).
3. Allow internal hosts to access all services provided by servers in the DMZ (stateful inspection: Internal → DMZ). This includes all services that DMZ servers provide. You can be more permissive here and use address ranges and all IP traffic. All servers in the DMZ run an SSH service which you can use to test your rules for the internal subnets.
4. Allow internal hosts to reach other internal hosts (if the traffic passes through R3). All traffic is allowed if it is internal to internal.
5. Allow internal nodes to access external servers; however, packets from external to internal are only allowed if they are responses to communications that were initiated from inside (stateful inspection: Internal → External).
6. Allow the nodes in the clients subnet of Talos to ssh to node R3 (any host connected to the R1.eth0 subnet).
7. Allow the node R3 to send and receive ICMP echo messages to and from internal nodes and DMZ servers.
8. All other traffic must be dropped (see Notes below).
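An added worked example of an iptables rule set for R3 that meets requirements 1 to 8 with stateful inspection (this is not part of the assignment material or of CORE's own Firewall service script). The interface name, subnets and server addresses are constructed placeholders to be replaced with those of your own .imn file; the script prints the rules unless run with --apply, so their order can be reviewed before the commands are put into the Firewall service.

```shell
#!/bin/sh
# Placeholders: replace with the interface, subnets and addresses of your .imn file.
EXT=eth0                                         # R3 interface towards the Internet router
DMZ_NET=192.0.2.0/24; INT_NET=10.0.0.0/16        # constructed DMZ and Internal ranges
DNS=192.0.2.10; WEB=192.0.2.11; MAIL=192.0.2.12  # the three DMZ servers
CLIENTS=10.0.3.0/24                              # the R1.eth0 (clients) subnet

# Print instead of execute when DRY_RUN is set, so the rules can be reviewed first.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

fw_rules() {
  # 8. default deny on all three chains; everything below is an explicit exception
  run iptables -F; run iptables -X
  for c in INPUT FORWARD OUTPUT; do run iptables -P $c DROP; done
  # Stateful core: packets of an already-accepted connection pass in either direction
  for c in INPUT FORWARD OUTPUT; do
    run iptables -A $c -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  NEW="-m conntrack --ctstate NEW"
  # 1. anywhere -> DMZ, one public service per server
  run iptables -A FORWARD -d $DNS  -p udp --dport 53 $NEW -j ACCEPT
  run iptables -A FORWARD -d $WEB  -p tcp --dport 80 $NEW -j ACCEPT
  run iptables -A FORWARD -d $MAIL -p tcp --dport 25 $NEW -j ACCEPT
  # 2. DMZ -> external only where the service needs it: dns forwards queries to
  #    clio on UDP 53, mail relays SMTP to other mail servers; web never initiates
  run iptables -A FORWARD -s $DNS  -o $EXT -p udp --dport 53 $NEW -j ACCEPT
  run iptables -A FORWARD -s $MAIL -o $EXT -p tcp --dport 25 $NEW -j ACCEPT
  # 3. internal -> DMZ, all IP traffic
  run iptables -A FORWARD -s $INT_NET -d $DMZ_NET $NEW -j ACCEPT
  # 4. internal -> internal through R3
  run iptables -A FORWARD -s $INT_NET -d $INT_NET -j ACCEPT
  # 5. internal -> external; replies come back only through the ESTABLISHED rule
  run iptables -A FORWARD -s $INT_NET -o $EXT $NEW -j ACCEPT
  # 6. clients subnet -> SSH on R3 itself (INPUT, not FORWARD)
  run iptables -A INPUT -s $CLIENTS -p tcp --dport 22 $NEW -j ACCEPT
  # 7. ICMP echo between R3 and internal/DMZ hosts; echo replies match the state rule
  for net in $INT_NET $DMZ_NET; do
    run iptables -A OUTPUT -d $net -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A INPUT  -s $net -p icmp --icmp-type echo-request -j ACCEPT
  done
}

# Stand-alone: print the rule set; pass --apply (as root on R3) to execute it.
[ "${1:-}" = "--apply" ] || DRY_RUN=1
fw_rules
```

Rule order matters: the ESTABLISHED,RELATED rules come first so that return traffic is matched before any NEW rule, and the DROP policies catch everything not listed.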
[Figure: network diagram of the two organisations. Talos: Internal subnets (client1, client2, ssh, intranet), the DMZ (dns, web, mail), routers R1 to R4 with R3 marked as the firewall, and links annotated with speed (100 Mbps or 1.00 Gbps) and propagation delay in us. Delos: apollo, artemis, demeter, leto, extClient1 and extClient2. The Internet router and the global DNS server connect the two. Interface addresses are not legible in this extraction.]