INE 2810 Mission 6
Version 1.3
Mission outlines
- Set up NTP service for your switch, router and all of your hosts
- Set up a network monitoring station to monitor your switch and router
traffic
- Set up a netflow service for IP accounting
- Set up a tacacs+ server for your switch and router authentication and
accounting
- Set up a web reverse proxy server in DMZ or NAT in your router/firewall so
that your headquarters can access your network monitoring station web pages
- Back up your router configuration by anonymous ftp upload
Task 1: Set up NTP service for your switch, router and all of your hosts
- Choose one of your hosts in DMZ as your network NTP server. You can
download the NTP package from
http://rpmfind.net/. Edit the /etc/ntp.conf file to set the NTP server
pointing to 192.168.11.1.
- Install NTP on all other hosts in your network and set the NTP server
pointing to the NTP server that you set up in step 1.
- Use ntpq and ntptrace to verify your NTP service.
- Configure your switch and router to use your NTP server as well.
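Task 1 says to verify the service with ntpq. The following check script is an added example, not part of the lab text: it parses the peer billboard printed by "ntpq -p" and decides whether a host is actually synchronised, which is what you want to run on every host after step 2. The sample output is constructed; 192.168.11.1 is the server address from the task, the other two peers are invented.

```python
# Tally codes in column 1 of `ntpq -p` output, per the ntpq manual page.
TALLY = {"*": "sys.peer", "o": "pps.peer", "+": "candidate", "#": "selected",
         "-": "outlier", "x": "falseticker", ".": "excess", " ": "reject"}

# Constructed sample of `ntpq -p` output from a host synced to the DMZ NTP server.
SAMPLE_OK = (
    "     remote           refid      st t when poll reach   delay   offset  jitter\n"
    "==============================================================================\n"
    "*192.168.11.1    .GPS.            1 u   45   64  377    0.412   -0.123   0.045\n"
    "+10.0.0.5        192.168.11.1     2 u   12   64  377    1.201    0.310   0.120\n"
    " ntp.example.com 0.0.0.0         16 u    -   64    0    0.000    0.000   0.000\n"
)


def parse_ntpq(output):
    """Turn the `ntpq -p` billboard into a list of peer dicts."""
    peers = []
    for line in output.splitlines():
        if not line or line.startswith("=") or line.lstrip().startswith("remote"):
            continue  # blank line, separator or column header
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue  # not a peer line
        remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields
        peers.append({"tally": TALLY.get(tally, "unknown"), "remote": remote,
                      "refid": refid, "stratum": int(st),
                      "reach": int(reach, 8),  # 8-poll shift register, printed in octal
                      "delay": float(delay), "offset": float(offset),
                      "jitter": float(jitter)})
    return peers


def check_sync(output, max_offset_ms=100.0):
    """Return (ok, reason). ok requires a selected system peer that is
    synchronised, reachable on all of the last 8 polls and within max_offset_ms."""
    selected = [p for p in parse_ntpq(output) if p["tally"] in ("sys.peer", "pps.peer")]
    if not selected:
        return False, "no system peer selected (no '*' in the tally column)"
    p = selected[0]
    if p["stratum"] >= 16:
        return False, "%s is not synchronised (stratum 16)" % p["remote"]
    if p["reach"] != 0o377:
        return False, "%s missed recent polls (reach=%o)" % (p["remote"], p["reach"])
    if abs(p["offset"]) > max_offset_ms:
        return False, "offset %.3f ms exceeds %.1f ms" % (p["offset"], max_offset_ms)
    return True, "synchronised to %s (stratum %d, offset %.3f ms)" % (
        p["remote"], p["stratum"], p["offset"])
```

On a real host feed it the output of "ntpq -p" (for example via subprocess) instead of SAMPLE_OK.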
Task 2 : Set up a network monitoring station to monitor your switch and
router traffic
- Choose the host with the sniffer sensor as your network monitoring station.
- Configure your switch so that your sniffer sensor port monitors (i.e.
port mirrors) your Internet uplink port. E.G.
interface FastEthernet0/9
description connected to vms1-5 eth2 (sniffer interface)
port monitor FastEthernet0/8
switchport access vlan 249
- Enable SNMP on your switch and router by defining an SNMP read-only community string.
E.G.
snmp-server community your_read_community_string RO
Also put your switch's management IP address and management VLAN on your internal private network.
E.G.
interface VLAN1
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN800
ip address 172.18.10.10 255.255.255.0
no ip directed-broadcast
no ip route-cache
!
- Build tcpdump from the source at
http://www.tcpdump.org and use it to check that your sniffer sensor is
working.
- You may use snmpwalk to check whether SNMP is working on your switch and router.
E.G.
snmpwalk your_switch your_read_community_string system
- Generate your mrtg configuration file with cfgmaker. E.G.
mv /etc/mrtg/mrtg.cfg /etc/mrtg/mrtg.cfg.orig
/usr/bin/cfgmaker comm_string@your_router comm_string@your_switch > /etc/mrtg/mrtg.cfg
Edit mrtg.cfg to update the "WorkDir:" entry.
- Run mrtg with "mrtg /etc/mrtg/mrtg.cfg". Warning messages about the log file
during the first two runs are normal. After a few hours, you should
have some data in the directory you specified as "WorkDir".
- Create your mrtg index.html web page with the indexmaker command.
- Start httpd on your network monitoring station.
- Either set up a reverse proxy server in your DMZ or NAT at your firewall
so that outsiders can view the mrtg web page on your network monitoring station.
Here is an example at
http://netmon.int.cd.delta.ine.cuhk.edu.hk.
You may need to adjust your
external and internal DNS, and your firewall rules, to support this service.
- Install ntop on your network monitoring station to monitor the traffic at
your sniffer sensor. You can download the package from
http://www.ntop.org. Again, either set up a reverse proxy server in your DMZ or NAT at your firewall
so that outsiders can view the ntop web page on your network monitoring station.
Here is an example at
http://ntop.int.cd.delta.ine.cuhk.edu.hk.
You may need to adjust your
external and internal DNS, and your firewall rules, to support this service.
Task 3 : Set up netflow service for IP accounting
- Choose one of your hosts in your internal private network as the netflow collector.
You may download a netflow collector from:
flow-tools:
http://www.splintered.net/sw/flow-tools/
cflowd:
http://www.caida.org/tools/measurement/cflowd/
- Configure your router to export netflow data to your netflow collector.
E.G.
interface FastEthernet0
description VLAN trunk of uplink and DMZ
no ip address
ip route-cache flow
speed auto
!
ip flow-export source FastEthernet0.801
ip flow-export version 5 origin-as
ip flow-export destination 172.18.10.2 9991
ip flow-export destination 172.18.10.1 9991
- Use the netflow collector tool to do some traffic analysis on your
netflow data. Here is an example at
http://netflow.int.cd.delta.ine.cuhk.edu.hk/. Again, use a reverse proxy
server or NAT to let outsiders view your netflow web pages.
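The router configuration above exports NetFlow version 5 records to the collector on UDP port 9991. As an added illustration, not part of the lab text and not code from flow-tools or cflowd, the Python below decodes one v5 export datagram, validates its header, and totals bytes per source address, which is the IP accounting this task is after. The datagram it parses is constructed inside the block; the addresses are taken from the task's own examples.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by up to 30 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets", "octets",
          "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "proto",
          "tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_v5(datagram):
    """Return (header, records) for one exported datagram; reject malformed input."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    ver, count, uptime, secs, nsecs, seq, etype, eid, sampling = HDR.unpack_from(datagram)
    if ver != 5:
        raise ValueError("expected NetFlow version 5, got %d" % ver)
    if count > 30 or len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count %d does not match datagram length" % count)
    header = {"count": count, "sysuptime": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eid, "sampling": sampling}
    records = []
    for i in range(count):
        rec = dict(zip(FIELDS, REC.unpack_from(datagram, HDR.size + i * REC.size)))
        for key in ("src", "dst", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])  # raw 4 bytes -> dotted quad
        records.append(rec)
    return header, records


def octets_by_source(records):
    """Simple IP accounting: total bytes sent per source address."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["src"]] += rec["octets"]
    return dict(totals)


def build_sample():
    """Constructed two-flow datagram (not a capture from a real router)."""
    def rec(src, dst, octets, pkts, sport, dport, proto):
        return REC.pack(socket.inet_aton(src), socket.inet_aton(dst),
                        socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                        1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    body = (rec("172.18.10.5", "192.168.11.1", 1500, 10, 40001, 80, 6) +
            rec("172.18.10.5", "192.168.11.1", 500, 4, 40002, 53, 17))
    return HDR.pack(5, 2, 123456, 1600000000, 0, 1, 0, 0, 0) + body
```

To use it on live data, bind a UDP socket to port 9991 on the collector and pass each received datagram to parse_v5.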
Task 4 : Set up a tacacs+ server for your switch and router authentication and
accounting
- Choose one of your hosts in your internal private network as the tacacs+ server.
You may download the tacacs+ package from
http://www.gazi.edu.tr/tacacs/
- Install the tacacs+ server on this host. Set your shared key and use
/etc/passwd as your authentication file.
- Configure your switch and router for the authentication and accounting.
E.G.
aaa new-model
aaa authentication login default group tacacs+ line
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 172.18.10.1
tacacs-server key mypasskey
- Now telnet to your switch or router and log in using the accounts in your /etc/passwd,
and check that authentication and accounting are working. Here is an example of
a tacacs+ accounting log file:
http://netflow.int.cd.delta.ine.cuhk.edu.hk
Task 5: Set up a web reverse proxy server in DMZ or NAT in your
router/firewall
You need to set up a reverse proxy server in DMZ or NAT in your
router/firewall so that outsiders can view your MRTG/NTOP/NETFLOW/TACACS+ web
pages, which are housed on hosts in your internal private network.
If you choose the reverse proxy server solution, you need to configure your
external DNS servers to point the web server names at your reverse proxy server,
whose own DNS resolver should use your internal DNS servers instead.
If you choose the NAT solution, you need to configure your router or firewall to
do the IP and port redirect.
Task 6: Back up your router configuration by anonymous ftp upload
- Choose one of your hosts in your internal private network to back up your
router configuration.
- Edit the /etc/ftpaccess file to enable anonymous ftp upload. E.G.
noretrieve .notar
noretrieve /var/ftp/incoming
upload /var/ftp /incoming yes auser auser 0440 nodirs
- Edit /etc/xinetd/wu-ftpd to enable the ftp service.
- At your router, try to upload the running configuration by ftp
(i.e. copy run ftp).