
Design of a campus network



This is an introductory presentation on the issues in designing a campus network infrastructure. Unlike theoretical approaches, this presentation was actually used to describe some of the real configurations performed by Server Administrators and Network Managers. It is for an introductory audience; very little background in computer networks is assumed.

Published in: Education, Technology


1. 1. Computer Oriented Project: Design & Configuration of a Campus Network
   Case: BITS Pilani Goa Campus (2005)
   Aalap Tripathy
   Faculty Guide: Mr Mangesh Bedekar, BITS Pilani Goa Campus, Zuari Nagar, GOA - 403726
   COMPUTER PROJECT - BITS GC 335
2. 2. Agenda
   - Introduction to networks
   - IP Addressing & Packet Analysis
   - Brief Description of the servers installed
     - DNS Server
     - DHCP Server
     - Proxy Server
   - Incomplete Assignments
     - LDAP server
   - Packet Analysis on our network
   - Q&A
3. 3. Basics …
   - The internet works using two main address units: the IP Address and the port.
   - For example, I want to load
     - it starts by asking the IP address of for the webpage.
     - asks 's IP address on port 80, the universal webpage port.
   - Our computer instructs the response to be sent back to our IP address on some port that we opened to receive that data.
   - By using ports, our computer can keep track of which stream of data belongs to what.
   - main text content be sent back to it on port 10345
   - and the image be sent back on 10548.
   - receiving instant messages on other ports and e-mails on yet other ports
   Our Computer's Instructions: The ports here don't matter because our computer just makes them up on the fly. All of the ports from 1-1024 are set aside for such standardization.
4. 4. Two types of addresses: public IP addresses and private IP addresses.
   Public IP addresses are those addresses that are routable on the internet. Addresses that begin with 10.x.y.z or 192.168.x.y (where x, y, and z can be anything 0-255) are strictly private addresses and cannot exist on the internet. 127.x.y.z is set aside as the local loopback address.
   There are only 2^32 possible IP addresses, and worldwide there are many more than 2^32 devices (computers, printers, scanners, etc.) that would like to have internet IP addresses.
5. 5. 2^32 = 4,294,967,296
6. 6. Private Addresses and, more specifically, NAT were set up to solve the problem of a limited number of IP addresses. The new IP Protocol specification, IPv6, intends to solve this problem by increasing the number of addresses. IPv6 is something BITS Pilani is spearheading research on. Why don't we have a lecture on this? Someone volunteering??
7. 7. NAT can be done on a router (for example the one you see in front of you) or on a PC. Let's see how it is done!!!
8. 8. WRT54G Wi-Fi Router
   - firmware source code released to satisfy the obligations of the GNU GPL.
   - All models come standard with a 4+1 port network switch (the Internet/WAN port is also in the same switch, but on a different VLAN) and a wireless chipset by Broadcom which provides Wi-Fi connectivity.
   - The devices have two removable antennas connected through Reverse Polarity TNC connectors.
9. 10. A Little Primer on IP Addressing
   - We write them in decimal form to make it more readable for humans.
     - `the 1.2.3 network', meaning all 256 addresses from to
     - `1.2 network', which meant all addresses from to
   - Each number between the dots in an IP address is actually 8 binary digits (00000000 to 11111111)
10. 11. A Little Primer on IP Addressing
   - We usually don't write
     - ` -'.
     - Instead, we shorten it to `'.
     - The `/16' means that the first 16 binary digits are the network address; in other words, the `1.2.' part is the network
   - So what is ?
     - A big network or a small network?
     - What is the range of IP addresses?
12. 13. A Little Primer on IP Addressing
   - `' is a big network
   - Contains any address from to (over 16 million addresses!)
   - is smaller, containing only IP addresses from to
   - is smaller still, containing addresses to
13. 14. BITS IP Addressing
   - `' is a description of the BITS Goa Network!!!
   - Contains any address from to (over 16 million addresses!)
   - is mostly 1 hostel or a combination of nearby hostels
   - is most generally the closest rooms in a hostel, or classroom/faculty chambers in a corridor
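The /8, /16 and /24 arithmetic in the addressing slides above, and the public/private/loopback split from slide 4, can be checked with Python's standard ipaddress module. This is an added example, not part of the deck: the prefixes and addresses in it are constructed sample values (the campus addresses are not reproduced on this page), and the function names are my own.

```python
import ipaddress

# Constructed sample prefixes standing in for the slides' elided addresses
# (a /8, a /16, two /24s and the loopback block); none is a campus address.
SAMPLE_PREFIXES = ["10.0.0.0/8", "10.1.0.0/16", "10.1.2.0/24",
                   "192.168.5.0/24", "127.0.0.0/8"]


def describe_prefix(cidr):
    """Range, size and netmask of a prefix: 32 - prefixlen host bits give 2**that addresses."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "size": net.num_addresses,
        "host_bits": 32 - net.prefixlen,
        "netmask": str(net.netmask),
    }


def binary_octets(address):
    """Each dotted-decimal number is really 8 binary digits (00000000 to 11111111)."""
    return [format(int(octet), "08b") for octet in address.split(".")]


def classify(address):
    """Public, private (e.g. 10/8 and 192.168/16 as on slide 4) or loopback (127/8)."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def contains(cidr, address):
    """Does the prefix cover the address? This is how a host maps to its /24 or /16."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=True)


if __name__ == "__main__":
    for prefix in SAMPLE_PREFIXES:
        print(describe_prefix(prefix), classify(prefix.split("/")[0]))
    print(binary_octets("1.2.3.4"))
```

strict=True makes ip_network reject a prefix whose host bits are not all zero, which catches the common typo of writing a host address where a network was meant.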
  14. 15. Let’s get the concepts clear !!
15. 21. ICANN: The Internet Corporation for Assigned Names and Numbers
16. 22. Root Servers
   - There are 13 root authoritative DNS servers (super duper authorities) that all DNS servers query first.
   - These root servers know all the authoritative DNS servers for all the main domains: .com, .net, and the rest.
   - This layer of servers keeps track of all the DNS servers that Web site systems administrators have assigned for their sub-domains.
  17. 24. Root Servers
18. 25. Only one of the root servers that direct traffic and serve as the Internet's master directories is located outside the US: in Tokyo, Japan. Twelve of the 13 root servers that make the Internet run are located in the United States. US monopoly over the internet. We should have a debate sometime!!!
19. 26. "Many different Web sites can map to a single IP address, but the reverse isn't true; an IP address can map to only one FQDN."
   Forward Lookup:
     Default Server:
     Address:
     >
     Server:
     Address:
     Non-authoritative answer:
     Name:
     Addresses: ,
   Reverse Lookup:
     >
     Server:
     Address:
     Name:
     Address:
   Why???
20. 29. Everything is logical!!! ASCII of 'a' is 97 = 61 in hex
  21. 32. DHCP Dynamic Host Control Protocol
22. 35. http://dakiya  What is its IP address??? OK, got it... Let's ask
  23. 36. External DNS
  24. 42. Internal DNS Primary
25. 43. Relevant configuration details for configuring an Authoritative Zone
   zone "; IN {
       type master;
       file ";;
       notify yes;
       allow-query { any; };
       allow-update { any; };
       allow-transfer {;};
   };
26. 44. Example of a Reverse Zone Authoritative Zone Definition
   zone "; IN {
       type master;
       notify yes;
       file ";;
       allow-transfer {;};
   };
27. 45. The Full Zone file
   ;
   ; Zone File for
   ; The Full Zone File
   ;
   $TTL 3D
   @ IN SOA
           200608228 ; Serial
           3600 ; Refresh seconds
           3600 ; retry, seconds
           3600 ; expire, seconds
           3600) ; minimum, seconds
           NS
   www A
   studentnet A
   orion A
   proxy A
   proxy A
   proxy A
   titan A
   glimpses06 A
   library A
   S1 A
   S2 A
   mailbox A
    IN MX 10
   dns3 A
   dns4 A
   dakiya A
   central A
   mail CNAME dakiya
28. 46. A Sample Reverse Zone file
   ;
   ; Reverse Zone File for
   ; Note Made By Aalap as Internal DNS server only
   ;
   ; The Full Reverse Zone File
   ;
   $TTL 3D
   @ IN SOA
           200607213 ; Serial
           3600 ; Refresh seconds
           3600 ; retry, seconds
           3600 ; expire, seconds
           3600) ; minimum, seconds
           NS;
   61 PTR
   62 PTR
   222 PTR
   223 PTR
   225 PTR
   220 PTR
   Remember FQDN?!?!?!?
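A check a DNS administrator would run over forward and reverse zone files like the ones on slides 45 and 46: every A record should have a PTR that points back to the same FQDN (the one-name-per-address rule from slide 26), no PTR should be left behind for an address that no longer has an A record, and the SOA serial should follow the YYYYMMDDnn convention so that secondaries see every change as an increase. This is an added example, not from the deck: the zone text, host names and 192.0.2.0/24 addresses are constructed and do not come from the campus zone.

```python
import datetime
import re

# Constructed forward zone for example.test (not the campus zone).
FORWARD_ZONE = """\
$TTL 3D
@          IN SOA ns1.example.test. hostmaster.example.test. (
                  2006082201 ; Serial
                  3600       ; Refresh
                  3600       ; Retry
                  3600       ; Expire
                  3600 )     ; Minimum
           NS     ns1.example.test.
www        A      192.0.2.61
studentnet A      192.0.2.61
proxy      A      192.0.2.62
mailbox    A      192.0.2.222
dakiya     A      192.0.2.223
mail       CNAME  dakiya
"""

# Constructed reverse zone for 192.0.2.0/24 (2.0.192.in-addr.arpa).
REVERSE_ZONE = """\
$TTL 3D
@    IN SOA ns1.example.test. hostmaster.example.test. (
            2006082201 ; Serial
            3600 3600 3600 3600 )
     NS  ns1.example.test.
61   PTR www.example.test.
62   PTR squid.example.test.
223  PTR dakiya.example.test.
225  PTR old-host.example.test.
"""


def parse_records(zone_text, rtype):
    """Return (owner, rdata) pairs for records of one type; comments and the SOA are skipped."""
    records = []
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()
        if rtype in tokens:
            records.append((tokens[0], tokens[-1]))
    return records


def check_consistency(forward_text, reverse_text, domain, net_prefix):
    """Cross-check A records against PTRs for a /24 whose PTR owners are the last octet."""
    forward_by_ip = {}
    for owner, ip in parse_records(forward_text, "A"):
        forward_by_ip.setdefault(ip, []).append(f"{owner}.{domain}.")
    ptr_by_ip = {f"{net_prefix}.{owner}": target
                 for owner, target in parse_records(reverse_text, "PTR")}
    problems = {"missing_ptr": [], "mismatched_ptr": [], "stale_ptr": [], "shared_ip": []}
    for ip, names in forward_by_ip.items():
        if len(names) > 1:
            problems["shared_ip"].append((ip, names))
        ptr = ptr_by_ip.get(ip)
        if ptr is None:
            problems["missing_ptr"].append(ip)
        elif ptr not in names:
            problems["mismatched_ptr"].append((ip, ptr, names))
    for ip in ptr_by_ip:
        if ip not in forward_by_ip:
            problems["stale_ptr"].append(ip)
    return problems


def serial_ok(zone_text):
    """True when the SOA serial is ten digits in YYYYMMDDnn form with a real calendar date."""
    match = re.search(r"SOA[^(]*\(\s*(\d+)", zone_text)
    if not match or len(match.group(1)) != 10:
        return False
    serial = match.group(1)
    try:
        datetime.date(int(serial[:4]), int(serial[4:6]), int(serial[6:8]))
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(check_consistency(FORWARD_ZONE, REVERSE_ZONE, "example.test", "192.0.2"))
    print("serial ok:", serial_ok(FORWARD_ZONE))
```

On the constructed data the checker reports one address with two forward names, one PTR that names a different host than the A record, one A record without a PTR, and one stale PTR; each of these is the kind of drift a secondary silently copies once the serial is bumped.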
  29. 48. Internal DNS Secondary
30. 49. How is the Secondary DNS Config Different?
   - Because I never make, on it, the entries which it finally answers with.
   - It is supposed to prefetch the primary DNS server's entries as and when they change and keep them in a local cache.
   - My named.conf configuration is critical here.
31. 50. The Critical Lines in named.conf
   // query-source address * port 53;
   allow-notify {;};
   recursive-clients 6000;
   // the above line was added by RJ/AS/RS on 27/10/2006
   };
   //
   // a caching only nameserver config
   //
   controls {
       inet allow { any; } keys { rndckey; };
   };
32. 51. Definition of the zone it is authoritative for
   // Segment added to make this m/c a slave for the Internal Zone. It seeks its addresses from , which is defined to be the master.
   zone "; IN {
       type slave;
       file "slaves/;;
       masters {; };
   };
33. 52. Similarly defining reverse lookup for authoritative zones
   zone "; IN {
       type slave;
       file "slaves/;;
       masters {; };
   };
34. 53. Remember.. We made a transfer entry on the primary server
   zone "; IN {
       type master;
       notify yes;
       file ";;
       allow-transfer {;};
   };
35. 54. A Jail!!! This is a Technology Lecture, right???
   - Ensures that if the system is ever compromised, the attacker will not have access to the entire file system.
   - The attacker might feel that he has compromised the system, but actually he has just exposed himself, as his activity has been logged!!
36. 57. Making the chroot Jail Effective
   - Run the jailed service as its own unprivileged user. This is important because running it as root defeats the purpose of the jail, and using a different user id that already exists on the system can allow services to access each other's resources.
   - Check the /etc/passwd and /etc/group files for a free UID/GID number.
   - In my case, I used number 53 and the name named.
   - [root@dns4] /# useradd -c "DNS Server" -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/null || :
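The useradd step on slide 57 depends on choosing a UID nobody else has and a shell that cannot log in. This is an added example, not from the deck: a check over a constructed /etc/passwd that finds the first free UID in the system-account range and audits a service account for the properties the slide asks for (not root, an unshared UID, a disabled shell, a home directory inside the jail). The passwd lines, the 1-499 system range and the function names are assumptions made for the example.

```python
# Constructed /etc/passwd excerpt (not from the campus servers). 'squid' is given
# two deliberate defects: a real login shell and a UID shared with another account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
squid:x:23:23:Squid proxy:/var/spool/squid:/bin/bash
backup:x:23:34:backup:/var/backups:/sbin/nologin
named:x:53:53:DNS Server:/chroot/named:/bin/false
aalap:x:500:500:Aalap Tripathy:/home/aalap:/bin/bash
"""

# Shells that refuse interactive logins on the distributions the slides use.
DISABLED_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; the password field is ignored."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "home": home, "shell": shell})
    return users


def first_free_uid(users, low=1, high=499):
    """Lowest unused UID in the system-account range (assumed 1-499 here)."""
    used = {user["uid"] for user in users}
    for uid in range(low, high + 1):
        if uid not in used:
            return uid
    return None


def audit_service_account(users, name, jail):
    """List the ways a service account falls short of the slide's requirements."""
    matches = [user for user in users if user["name"] == name]
    if not matches:
        return [f"account {name} does not exist"]
    account = matches[0]
    problems = []
    if account["uid"] == 0:
        problems.append("runs as root (uid 0), which defeats the jail")
    sharers = [u["name"] for u in users if u["uid"] == account["uid"] and u["name"] != name]
    if sharers:
        problems.append(f"uid {account['uid']} is shared with {', '.join(sharers)}")
    if account["shell"] not in DISABLED_SHELLS:
        problems.append(f"login shell {account['shell']} is not a disabled shell")
    if not account["home"].startswith(jail.rstrip("/")):
        problems.append(f"home {account['home']} is outside the jail {jail}")
    return problems


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    print("first free system uid:", first_free_uid(users))
    print("named:", audit_service_account(users, "named", "/chroot/named"))
    print("squid:", audit_service_account(users, "squid", "/var/spool/squid"))
```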
37. 58. Proxies: Types & Applications (diagram: Client Browser, Proxy, Web Server)
38. 59. Proxies
   - Web: Traditional; Caching; CGI Proxies
   - SSL: HTTPS to create an encrypted tunnel. There are privacy concerns with SSL proxies.
   - Intercepting: often incorrectly called a transparent proxy (also known as a forced proxy); combines a proxy server with NAT. It is not possible to use user authentication, since the browser does not know there is a proxy in the middle, so it will not send any authentication headers.
   - Open: accepts client connections from any IP address; makes connections to any Internet resource.
   - Split: a pair of proxies installed across two computers. Ex - Google Web Accelerator
   - Reverse
39. 60. Reverse Proxies
   - Instead of delivering pages for internal users, it delivers them for external users.
   - It can be used to take some load off web servers and provide an additional layer of protection.
   - This proxy is placed outside the firewall as a stand-in for the content server.
   - When outside clients try to access the content server, they are sent to the proxy server instead.
  40. 61. Web Proxy
41. 63. Why Web Proxy??
   - Improve Performance:
     - it saves the results of all requests for a certain amount of time (caching)
   - Filter Requests:
     - Pages to be accessed can be limited
     - Ports / Services accessed can be controlled
     - Timing of Web Access can be controlled
   - Bandwidth Control:
     - Most important mandate in the system currently set up on campus
42. 64. Caching: how is it done?
   - Two simple cache algorithms are Least Recently Used (LRU) and Least Frequently Used (LFU).
   - LRU removes the documents that have been left the longest, while LFU removes the least popular documents. The algorithms can also be combined.
   "expiration algorithm"
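LRU and LFU as described on slide 64, as an added example that is not from the deck: two small caches replayed over the same constructed request trace, which evict different documents. The LFU breaks ties by least-recent use, one way of combining the two that the slide mentions. Squid's own implementation is more elaborate; this is just the two policies in their simplest form.

```python
from collections import OrderedDict


class LRUCache:
    """Least Recently Used: evict the document that has gone longest without a request."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.items = OrderedDict()  # least recently used first

    def get(self, key):
        if key not in self.items:
            return None
        self.items.move_to_end(key)  # a hit makes it the most recent
        return self.items[key]

    def put(self, key, value):
        """Store a document; return the key evicted to make room, if any."""
        if key in self.items:
            self.items.move_to_end(key)
        self.items[key] = value
        if len(self.items) > self.capacity:
            evicted, _ = self.items.popitem(last=False)
            return evicted
        return None


class LFUCache:
    """Least Frequently Used: evict the least requested document, LRU breaking ties."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.items = {}  # key -> [value, request count, last access tick]
        self.tick = 0

    def get(self, key):
        self.tick += 1
        entry = self.items.get(key)
        if entry is None:
            return None
        entry[1] += 1
        entry[2] = self.tick
        return entry[0]

    def put(self, key, value):
        """Store a document; return the key evicted to make room, if any."""
        self.tick += 1
        if key in self.items:
            self.items[key][0] = value
            self.items[key][2] = self.tick
            return None
        evicted = None
        if len(self.items) >= self.capacity:
            evicted = min(self.items, key=lambda k: (self.items[k][1], self.items[k][2]))
            del self.items[evicted]
        self.items[key] = [value, 1, self.tick]
        return evicted


def replay(cache, trace):
    """Replay a request trace through a cache; count hits and misses, record evictions."""
    hits = misses = 0
    evictions = []
    for doc in trace:
        if cache.get(doc) is not None:
            hits += 1
        else:
            misses += 1
            evicted = cache.put(doc, f"body-of-{doc}")
            if evicted is not None:
                evictions.append(evicted)
    return {"hits": hits, "misses": misses, "evictions": evictions}


# Constructed trace: 'a' is popular early, then idle while b, c, d arrive, then asked for again.
SAMPLE_TRACE = ["a", "a", "b", "c", "d", "a"]

if __name__ == "__main__":
    print("LRU:", replay(LRUCache(3), SAMPLE_TRACE))
    print("LFU:", replay(LFUCache(3), SAMPLE_TRACE))
```

With three slots, LRU throws 'a' out when 'd' arrives and then misses on the last request, while LFU keeps 'a' (two requests) and throws out 'b' instead; which one serves a campus better depends on whether popularity or recency predicts the next request.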
43. 65. CGI proxies
   - A special case of web proxies
   - These are web sites which allow a user to access a site through them.
   - They generally use PHP or CGI to implement the proxying functionality.
   - Since they also hide the user's own IP address from the web sites they access through the proxy, they are sometimes also used to gain a degree of anonymity, called "Proxy Avoidance."
44. 67. We use Squid Web Proxy, which is...
   - a full-featured Web proxy cache
   - free, open-source software
   - the result of many contributions by unpaid (and paid) volunteers
45. 68. Some Relevant Proxy Configuration Entries
   http_port
   # The socket addresses where Squid will listen for HTTP client requests.
   cache_mem 100 MB
   # maximum_object_size 409600 KB
   # Objects larger than this size will NOT be saved on disk.
   # minimum_object_size 0 KB
   # Knowingly done so that everything is actually stored. This is for faster operation.
   visible_hostname BITSGOA
46. 69. Some Relevant Proxy Configuration Entries
   cache_replacement_policy lru
   memory_replacement_policy lru
   # cache_access_log /var/log/squid/access.log
   # TAG: cache_access_log
   # Logs the client request activity. Contains an entry for
   # every HTTP and ICP query received. To disable, enter "none".
   log_fqdn on
   Remember fqdn??
47. 70. Critical Proxy Configuration Lines
   auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_passwd
   auth_param basic children 300
   auth_param basic realm BITS GOA PROXY
   auth_param basic credentialsttl 1 minute
48. 71. Access Control & Definition on the Proxy Server
   # ACCESS CONTROLS
   acl ncsa_users proxy_auth REQUIRED
   acl all src
   acl labs src
   acl hostels src
   acl SSL_ports port 443 563
   acl Safe_ports port 80 # http
   acl day_time time 8:30-17:30
   acl night_time time 17:30-24:00 0:00-8:30
   acl other_time time 17:30-21:00
49. 72. http_access directives: the most critical instructions
   http_access allow ncsa_users
   http_access allow labs day_time other_time
   http_access allow hostels night_time
   http_access deny banned
   http_access deny !Safe_ports
   #http_access deny all
   # Last line, by default: the final (implicit) directive is the reverse of the last okayed directive.
50. 73. The actual configuration file
   - Squid.conf
51. 77. What I didn't cover
   - The deep intricacies in the working of servers
   - Many configuration settings: Secret!!
   - Setting services on/off. Autorun facilities available on the Linux platform
52. 78. Future Objectives
   - In-house Mail Server Development
   - LDAP Server Deployment
   - Cascading Proxies & "At least one proxy per hostel"
   - Decentralization of the website -
53. 79. Bored??? Let's have some questions?
   - The Net is very very slow???
     - Well, if the bandwidth is too little and the users too many, that's what happens.
     - Proxy can handle only limited traffic. Future plans: One Proxy Per hostel
   - My Net isn't working??
     - Ensure that you give the correct proxy name, i.e. proxy, and port 8080
     - In case you give the IP address, there is no guarantee that it will always work
     - Come on, more....????? Let us confine ourselves to the server configurations only.