INE 2810 Mission 6

Version 1.3

Mission outlines

  1. Set up NTP service for your switch, router and all of your hosts
  2. Set up a network monitoring station to monitor your switch and router traffic
  3. Set up a netflow service for IP accounting
  4. Set up a tacacs+ server for your switch and router authentication and accounting
  5. Set up a web reverse proxy server in DMZ or NAT in your router/firewall so that your headquarters can access your network monitoring station web pages
  6. Backup your router configuration by anonymous ftp upload

Task 1: Set up NTP service for your switch, router and all of your hosts

  1. Choose one of your hosts in DMZ as your network NTP server. You can download the NTP package from http://rpmfind.net/. Edit the /etc/ntp.conf file to set the NTP server pointing to 192.168.11.1.

  2. Install NTP on all other hosts in your network and set the NTP server pointing to the NTP server you set up in step 1.

  3. Use ntpq and ntptrace to verify your NTP service.

  4. Configure your switch and router NTP server pointing to your NTP server.
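
Accurate time on every host, switch and router is what later lets the netflow, tacacs+ and mrtg records be correlated, so the verification in step 3 is worth scripting. The following is an added example (not part of the mission text) that parses the peer table printed by ntpq -p and reports whether the host has a selected system peer (tally code '*') that answered all of its last eight polls (reach 377) with a small offset. The sample ntpq output embedded in it is constructed for illustration.

```python
"""Check NTP synchronisation from `ntpq -p` output.

Added example for the verification step above; it is not part of the
mission text. It parses the peer table printed by `ntpq -p` and reports
whether the host has a selected system peer (tally code '*') whose
reachability register is full (377 octal) and whose offset is small.
The sample output below is constructed for illustration.
"""
import subprocess
import sys

# Constructed sample of `ntpq -p` on a host pointed at the mission's
# NTP server 192.168.11.1 (all values are made up).
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.11.1    .GPS.            1 u   45   64  377    0.512    0.123   0.045
+172.18.10.5     192.168.11.1     2 u   30   64  377    0.301   -0.210   0.080
 172.18.10.6     .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Meaning of the tally code in column one, as documented in ntpq(8).
TALLY = {
    " ": "discarded", "x": "falseticker", ".": "excess", "-": "outlier",
    "+": "candidate", "#": "backup", "*": "sys.peer", "o": "pps.peer",
}


def parse_ntpq(text):
    """Return one dict per peer line of `ntpq -p` output."""
    peers = []
    for line in text.splitlines()[2:]:          # skip the header and separator
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:                     # remote refid st t when poll reach delay offset jitter
            continue
        peers.append({
            "tally": TALLY.get(tally, "unknown"),
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),          # octal shift register of the last 8 polls
            "offset_ms": float(fields[8]),
        })
    return peers


def check_sync(text, max_offset_ms=100.0):
    """Return (ok, message); ok is True only when a fully reachable system peer is selected."""
    peers = parse_ntpq(text)
    sys_peers = [p for p in peers if p["tally"] == "sys.peer"]
    if not sys_peers:
        return False, "no system peer selected (no '*' entry); clock is not synchronised"
    p = sys_peers[0]
    if p["reach"] != 0o377:
        return False, f"system peer {p['remote']} missed recent polls (reach={p['reach']:o})"
    if abs(p["offset_ms"]) > max_offset_ms:
        return False, f"offset to {p['remote']} is {p['offset_ms']} ms, above {max_offset_ms} ms"
    return True, f"synchronised to {p['remote']} (stratum {p['stratum']}), offset {p['offset_ms']} ms"


if __name__ == "__main__":
    # Run with --live on a host that has ntpq installed; otherwise the sample is used.
    if "--live" in sys.argv:
        text = subprocess.run(["ntpq", "-p"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_NTPQ_OUTPUT
    ok, message = check_sync(text)
    print(("OK: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```

Run it with --live on each host after step 2; a host that only shows '+' or ' ' entries, or a reach below 377, has not yet synchronised and its log timestamps cannot be trusted for correlation.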

Task 2: Set up a network monitoring station to monitor your switch and router traffic

  1. Choose the host with the sniffer sensor as your network monitoring station.

  2. Configure your switch so that the port connected to your sniffer sensor monitors (i.e. port mirrors) your Internet uplink port. E.G.

    interface FastEthernet0/9
     description connected to vms1-5 eth2 (sniffer interface)
     port monitor FastEthernet0/8
     switchport access vlan 249

  3. Enable SNMP on your switch and router by defining the SNMP read-only community string. E.G.

    snmp-server community your_read_community_string RO

    Also set your switch IP address and its management VLAN to be in your internal private network. E.G.

    interface VLAN1
     no ip directed-broadcast
     no ip route-cache
     shutdown
    !
    interface VLAN800
     ip address 172.18.10.10 255.255.255.0
     no ip directed-broadcast
     no ip route-cache
    !

  4. Build your tcpdump from http://www.tcpdump.org and use it to check if your sniffer sensor is working

  5. You may use snmpwalk to check if your switch and router SNMP is working. E.G.

    snmpwalk your_switch your_read_community_string system

  6. Generate your mrtg configuration file with cfgmaker. E.G.

    mv /etc/mrtg/mrtg.cfg /etc/mrtg/mrtg.cfg.orig
    /usr/bin/cfgmaker comm_string@your_router comm_string@your_switch > /etc/mrtg/mrtg.cfg

    Then edit mrtg.cfg to update the "WorkDir:" entry.

  7. Run mrtg with "mrtg /etc/mrtg/mrtg.cfg". There will be some warning messages about the log file on the first two runs; this is normal. After a few hours, you should have some data in the directory you specified in "WorkDir".

  8. Create your mrtg index.html web page with the indexmaker command.

  9. Start your httpd at your network monitor station.

  10. Either set up a reverse proxy server in your DMZ or NAT at your firewall so that outsiders can view the mrtg web page on your network monitor station. Here is an example at http://netmon.int.cd.delta.ine.cuhk.edu.hk.
    You may need to adjust your external and internal DNS, and firewall rules to support this service.

  11. Install ntop on your network monitor station to monitor the traffic at your sniffer sensor. You can download the package from http://www.ntop.org. Again, either set up a reverse proxy server in your DMZ or NAT at your firewall so that outsiders can view the ntop web page on your network monitor station. Here is an example at http://ntop.int.cd.delta.ine.cuhk.edu.hk.
    You may need to adjust your external and internal DNS, and firewall rules to support this service.

Task 3: Set up netflow service for IP accounting

  1. Choose one of your hosts in your internal private network as the netflow collector. You may download the netflow collectors from:

    Netflow tools: http://www.splintered.net/sw/flow-tools/
    cflowd: http://www.caida.org/tools/measurement/cflowd/

  2. Configure your router to export netflow data to your netflow collector. E.G.

    interface FastEthernet0
     description VLAN trunk of uplink and DMZ
     no ip address
     ip route-cache flow
     speed auto
    !
    ip flow-export source FastEthernet0.801
    ip flow-export version 5 origin-as
    ip flow-export destination 172.18.10.2 9991
    ip flow-export destination 172.18.10.1 9991

  3. Use the netflow collector tool to do some traffic analysis on your netflow data. Here is an example at http://netflow.int.cd.delta.ine.cuhk.edu.hk/. Again, use a reverse proxy server or NAT to let outsiders view your netflow web pages.
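
To see what the collector actually receives from the "ip flow-export version 5" configuration above, here is an added example (not the mission's own tooling and not flow-tools or cflowd code) that decodes a NetFlow v5 datagram and totals bytes per source address, which is the core of IP accounting. The datagram it parses is constructed in-line so the script runs offline; the --listen mode, the sample addresses and the flow values are all assumptions for illustration.

```python
"""Decode NetFlow v5 export datagrams and total bytes per source host.

Added example, not the mission's own tooling or flow-tools code: a
minimal NetFlow v5 decoder of the kind every collector implements,
followed by a per-source-address byte count for IP accounting. The
datagram below is constructed in-line so the script runs offline; with
--listen it instead reads one datagram from UDP port 9991, the export
port configured on the router above.
"""
import socket
import struct
import sys
from collections import defaultdict

# NetFlow v5 header: version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval (24 bytes).
HEADER_FMT = "!HHIIIIBBH"
# Flow record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
# first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as,
# dst_as, src_mask, dst_mask, pad2 (48 bytes).
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30                     # a v5 exporter sends at most 30 records per datagram


def parse_netflow_v5(datagram):
    """Return (header dict, list of flow dicts); raise ValueError on malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime": sys_uptime,
              "unix_secs": unix_secs, "flow_sequence": flow_sequence,
              "engine_id": engine_id, "sampling_interval": sampling & 0x3FFF}
    flows = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask,
         _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "packets": pkts, "octets": octets, "tcp_flags": tcp_flags,
                      "in_if": in_if, "out_if": out_if})
    return header, flows


def bytes_per_source(flows):
    """IP accounting: total octets keyed by source address."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["octets"]
    return dict(totals)


def build_record(src, dst, sport, dport, proto, pkts, octets):
    """Pack one v5 flow record; used only to construct the sample datagram."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 1000, 2000,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample export: three flows as the mission router might report them.
SAMPLE_DATAGRAM = (
    struct.pack(HEADER_FMT, 5, 3, 123456, 1078700000, 0, 42, 0, 0, 0)
    + build_record("172.18.10.20", "192.168.11.1", 40001, 80, 6, 10, 4800)
    + build_record("172.18.10.20", "192.168.11.1", 40002, 443, 6, 20, 16000)
    + build_record("172.18.10.21", "172.18.10.1", 53001, 53, 17, 1, 78)
)


if __name__ == "__main__":
    if "--listen" in sys.argv:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("", 9991))                # matches 'ip flow-export destination ... 9991'
        datagram, exporter = sock.recvfrom(65535)
        print(f"datagram from {exporter[0]}")
    else:
        datagram = SAMPLE_DATAGRAM
    header, flows = parse_netflow_v5(datagram)
    print(f"NetFlow v{header['version']}: {header['count']} flows, seq {header['flow_sequence']}")
    for f in flows:
        print(f"  {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto {f['proto']} {f['octets']} bytes")
    for src, total in sorted(bytes_per_source(flows).items()):
        print(f"total from {src}: {total} bytes")
```

Note that the export is plain UDP with no authentication: the collector should only accept datagrams from the router's "ip flow-export source" address, and the length and version checks above are what stop a short or foreign datagram from being mis-decoded. The flow_sequence field lets you detect datagrams lost between router and collector, which is important when the numbers are used for accounting.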

Task 4: Set up a tacacs+ server for your switch and router authentication and accounting

  1. Choose one of your hosts in your internal private network as the tacacs+ server. You may download the tacacs+ package from http://www.gazi.edu.tr/tacacs/

  2. Install the tacacs+ server on this host. Set your key password and use /etc/passwd as your authentication file.

  3. Configure your switch and router for authentication and accounting. E.G.

    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 2 default start-stop group tacacs+
    aaa accounting commands 3 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    tacacs-server host 172.18.10.1
    tacacs-server key mypasskey

  4. Now try to telnet to your switch or router and log in using the accounts in your /etc/passwd, and check whether authentication and accounting are working. Here is an example of a tacacs+ accounting log file: http://netflow.int.cd.delta.ine.cuhk.edu.hk
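
The "aaa accounting commands 15" line above is what produces a record for every privileged command, and the point of collecting them is to be able to review who changed what on the switch and router. The following is an added example (not part of the mission and not the tacacs+ package's own code) that reads accounting records in the tab-separated form written by the tac_plus daemon (timestamp, NAS address, user, port, remote address, start/stop, then attribute=value pairs) and reports each user's commands, flagging those run at privilege level 15. The log lines it contains are constructed samples in that format; the usernames and addresses are made up.

```python
"""Summarise a TACACS+ accounting log.

Added example, not part of the mission: reads accounting records in the
tab-separated form written by the tac_plus daemon (timestamp, NAS
address, user, port, remote address, start/stop, then attribute=value
pairs such as task_id, service, priv-lvl and cmd) and reports each
user's commands, flagging those run at privilege level 15. The records
below are constructed samples in that format.
"""
import sys
from collections import defaultdict

# Constructed sample records (tab separated, as tac_plus writes them).
SAMPLE_LOG = (
    "Mon Mar  8 10:12:01 2004\t172.18.10.10\talice\ttty1\t172.18.10.20\tstart\ttask_id=11\tservice=shell\n"
    "Mon Mar  8 10:12:09 2004\t172.18.10.10\talice\ttty1\t172.18.10.20\tstop\ttask_id=12\tservice=shell\tpriv-lvl=1\tcmd=show ip interface brief <cr>\n"
    "Mon Mar  8 10:12:30 2004\t172.18.10.10\talice\ttty1\t172.18.10.20\tstop\ttask_id=13\tservice=shell\tpriv-lvl=15\tcmd=configure terminal <cr>\n"
    "Mon Mar  8 10:12:44 2004\t172.18.10.10\talice\ttty1\t172.18.10.20\tstop\ttask_id=14\tservice=shell\tpriv-lvl=15\tcmd=port monitor FastEthernet0/8 <cr>\n"
    "Mon Mar  8 10:15:00 2004\t172.18.10.10\talice\ttty1\t172.18.10.20\tstop\ttask_id=11\tservice=shell\telapsed_time=179\n"
    "Mon Mar  8 11:00:12 2004\t172.18.10.20\tbob\ttty2\t192.168.11.7\tstop\ttask_id=21\tservice=shell\tpriv-lvl=1\tcmd=show version <cr>\n"
)

FIXED_FIELDS = ("time", "nas", "user", "port", "remote", "type")


def parse_accounting(text):
    """Return one dict per record; attribute=value pairs become extra keys."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < len(FIXED_FIELDS):
            continue                               # blank or truncated line
        rec = dict(zip(FIXED_FIELDS, fields))
        for av in fields[len(FIXED_FIELDS):]:
            key, sep, value = av.partition("=")
            if sep:
                rec[key] = value
        records.append(rec)
    return records


def commands_by_user(records):
    """Map user -> list of (priv-lvl, command) from command-accounting records."""
    out = defaultdict(list)
    for r in records:
        if "cmd" in r:
            out[r["user"]].append((int(r.get("priv-lvl", "0")), r["cmd"]))
    return dict(out)


def privileged_commands(records, level=15):
    """Records for commands run at or above the given privilege level."""
    return [r for r in records if "cmd" in r and int(r.get("priv-lvl", "0")) >= level]


def exec_sessions(records):
    """(user, nas, seconds) for each finished exec session (stop record with elapsed_time)."""
    return [(r["user"], r["nas"], int(r["elapsed_time"]))
            for r in records if r["type"] == "stop" and "elapsed_time" in r]


if __name__ == "__main__":
    # Pass the accounting file path as the first argument; otherwise the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    records = parse_accounting(text)
    for user, cmds in sorted(commands_by_user(records).items()):
        print(f"{user}: {len(cmds)} commands")
    for r in privileged_commands(records):
        print(f"  priv-15 {r['time']} {r['user']}@{r['nas']}: {r['cmd']}")
    for user, nas, secs in exec_sessions(records):
        print(f"session {user}@{nas} lasted {secs}s")
```

Because the switch and router send these records over the tacacs+ key-protected channel to the server on 172.18.10.1, the log is the one place the configuration changes from step 3 can be attributed to a login name from /etc/passwd rather than to a shared enable password; run the summary after your telnet test in step 4 to confirm both the exec start/stop and the command records are arriving.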

Task 5: Set up a web reverse proxy server in DMZ or NAT in your router/firewall

You need to set up a reverse proxy server in DMZ or NAT in your router/firewall so that outsiders can view your MRTG/NTOP/NETFLOW/TACACS+ web pages which are housed in your internal private network hosts.

If you choose the reverse proxy server solution, you need to configure your external DNS servers to point the web server names to your reverse proxy server, whose DNS resolver should use your internal DNS servers instead.

If you choose NAT solution, you need to configure your router or firewall to do the IP and port redirect.

Task 6: Backup your router configuration by anonymous ftp upload

  1. Choose one of your hosts in your internal private network to back up your router configuration.

  2. Edit the /etc/ftpaccess file to enable anonymous ftp upload. E.G.

    noretrieve .notar
    noretrieve /var/ftp/incoming
    upload /var/ftp /incoming yes auser auser 0440 nodirs

  3. Edit /etc/xinetd/wu-ftpd to enable ftp.

  4. At your router, try to upload the running configuration by ftp (i.e. copy run ftp).
