Virtual-Machine-Based Network Exercises for Introductory Computer Networking Courses
Robert Montante, Bloomsburg University of Pennsylvania
Encore Presentation, CCSC-Northeastern, April 7, 2017
Overview
- First course in computer networks, for Digital Forensics majors (little or no programming experience)
- Also for a Computer Science networks course
- No dedicated networking lab or hardware
- Shared Linux lab, networked disk space
Lab Activity Goals - Networking
- Hands-on work with networking concepts (not the same as configuring a router)
- Experience configuring network clients
  » Linux: Ubuntu 16.04 (some students prefer Fedora or Kali)
  » Windows 7, un-activated copy
  » No Mac OS X (its license does not permit running it on non-Apple hardware)
- Command-line router configuration: open-source VyOS router software
Lab Activity Goals - Additional
- Exercises featuring network servers: FTP, web server
- Wireshark practice
- Exposure to Linux usage and virtual-machine usage (helpful for other courses as well)
Hands-on with Networking Concepts
- Examination of LAN protocols
- Progression of configurations: change IP assignments, routing
- Network services: DHCP, DNS
- Routing
- Examination of higher-layer protocols: client-server architectures
Software Options
- VirtualBox: free, so students can install it on their own computers for home use; available in some classrooms/labs on campus
- VMware: Workstation Pro isn't free
- GNS3: needs (Cisco) router images, and needs virtual machines for "normal" hosts
Initial Lab Exercise
- Install Windows and Linux clients into VirtualBox (default settings allow NAT'd access to the Internet)
- Install Wireshark, LLTD, and scapy on Linux
- Why not preconfigured appliances? Practice using and configuring VirtualBox
Layer 2 - the Datalink Layer
- Use Win7 LLTD mapping ("Link Layer Topology Discovery") to examine the link-layer service
  » Requires the MS-developed LLTD client (responder) for Ubuntu
  » Requires changing the VMs' NIC connections to a VirtualBox "internal network"
Layer-2 Exploration
- Scapy exercise (graded assignment)
  » Students create Ethernet frames "by hand"
  » Python-based
  » Nice analytic output of frames
- Scapy graphical output (requires the pyx and matplotlib modules)
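As an added example (not part of the slides or the scapy assignment), here is what "building an Ethernet frame by hand" amounts to, written against the Python standard library only so it runs without scapy installed: the 14-byte Ethernet II header, an ARP "who-has" payload, the zero padding a NIC driver adds to reach the 60-byte minimum (64 on the wire with the FCS), and a dissector that prints the fields the way scapy's show() does. The MAC and IP addresses are constructed sample values.

```python
"""Build and dissect an Ethernet II frame carrying an ARP request, standard library only."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (network byte order)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
MIN_FRAME_LEN = 60                         # 64-byte wire minimum minus the 4-byte FCS the NIC adds
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header + payload, zero-padded to the minimum length as a driver would."""
    frame = ETH_HDR.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload
    return frame.ljust(MIN_FRAME_LEN, b"\x00")


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """'Who has target_ip? Tell sender_ip': the first frame a freshly configured client sends."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, 1,                       # Ethernet, IPv4, op 1 = request
                       mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       bytes(6), ipaddress.IPv4Address(target_ip).packed)
    return build_frame(BROADCAST, sender_mac, 0x0806, arp)


def dissect_frame(raw: bytes) -> dict:
    """Pull the header apart; refuse runt frames instead of reading past the end."""
    if len(raw) < ETH_HDR.size:
        raise ValueError("runt frame: shorter than the 14-byte Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(raw)
    fields = {
        "dst": bytes_to_mac(dst),
        "src": bytes_to_mac(src),
        "type": ethertype,
        "type_name": ETHERTYPES.get(ethertype, "unknown"),
        "broadcast": dst == b"\xff" * 6,
        "multicast": bool(dst[0] & 0x01),   # low bit of the first octet marks a group address
        "payload": raw[ETH_HDR.size:],      # includes any padding; ARP is only 28 bytes of it
    }
    if ethertype == 0x0806:
        _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(fields["payload"])
        fields["arp"] = {
            "op": {1: "who-has", 2: "is-at"}.get(op, str(op)),
            "sender": (bytes_to_mac(sha), str(ipaddress.IPv4Address(spa))),
            "target": (bytes_to_mac(tha), str(ipaddress.IPv4Address(tpa))),
        }
    return fields


def show(fields: dict) -> None:
    """Print the dissection in scapy's layer/field layout."""
    print("###[ Ethernet ]###")
    for name in ("dst", "src"):
        print(f"  {name:<10}= {fields[name]}")
    print(f"  type      = 0x{fields['type']:04x} ({fields['type_name']})")
    if "arp" in fields:
        print("###[ ARP ]###")
        for name, value in fields["arp"].items():
            print(f"  {name:<10}= {value}")


if __name__ == "__main__":
    # Constructed sample: the client at 192.168.10.5 looks for its router at 192.168.10.1.
    frame = build_arp_request("08:00:27:12:34:56", "192.168.10.5", "192.168.10.1")
    print(f"{len(frame)} bytes before the FCS: {frame.hex()}")
    show(dissect_frame(frame))
```

Comparing the hex dump with what Wireshark shows for a real ARP request on the internal network is a good way to check the padding and byte order; the 08:00:27 prefix used in the sample is VirtualBox's OUI, which is why every VM's MAC in the lab starts with it.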
Moving Up To Layer 3
- Conversion to a private LAN/subnet
  » Students reconfigure clients' NICs to connect only to the private LAN
  » Clients can ping each other
  » Verify "No route to destination network" when pinging the Internet (or the physical host)
  » Short lab
- Students assign IP addresses manually
  » Subnets are defined by the host IDs of their physical lab computers
  » (no DHCP server yet)
Add a Router to the LAN
- VyOS open-source router software
  » Community fork of the Vyatta router product
  » Linux-based distro
  » Provides routing, firewall, DHCP, and DNS services
  » Command-line configuration akin to Cisco IOS, although not compatible with it
- Exercise installs VyOS with two NICs
  » One on the private subnet
  » The other bridged to the campus network, but with private addresses that provide connections to other students' routers
  » RIPv2 finds the other routers
- Instructor provides a border router that routes to the Internet
Almost-Final VM-LAN Topology
- Students manage their own LAN/subnet
- Routers use RIPv2 to interconnect the subnets
Network Services
VyOS routers support many functions:
- DHCP: students configure the DHCP server with a subnet calculated as part of the exercise
- DNS: the VyOS router just forwards requests to the campus DNS server (reached through the instructor's router on the campus network)
- Optional firewall: desirable if the clients will be exposed to the Big Bad Internet
DHCP Server
- Initial student exercise: develop the subnet mask, the subnet ID, and the range of client addresses
- Cover subnetting in class, prior to the exercise
- Binary-oriented approach to determining the needed values; a worksheet steps students through the process
- Review the worksheet in class before moving on to DHCP-server configuration (make sure they have the right answers)
DNS Server and Firewall
- Simple DNS server, merely passes requests on to the upstream DNS server
  » Optional: discuss DNS in more depth, add caching
- Firewall recommended if VMs are exposed to the Internet
  » Good practice to always install a firewall in any case
  » Supports and controls forwarding
  » Include rules that drop packets whose source IP address is "foreign" to the LAN they arrive from, so a compromised client cannot take part in source-spoofed DDoS attacks (the BCP 38 ingress-filtering idea)
  » Optional, can be omitted
Exercises with Applications
In-class activities:
- Python on Linux includes a simple web server (python3 -m http.server): a classic, basic client-server transaction
- Windows 7 includes an FTP server; students configure it and transfer a file between the Linux ftp client and the Windows ftp server
- TCP ports and FTP (graded VM-LAN assignment)
  » Explore the three-way handshake, sequence and acknowledgment values, and the plaintext login (USER/PASS visible in Wireshark)
  » Examine the use of the separate data channel for file transfers
Final Activities - Routing
Final configuration activity: install a gateway ("border") router
Configure network services:
- RIP
- DNS forwarding
- NAT: necessary because the lab subnets use private addresses that are not routable on the Internet
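Added example, not from the deck: the DHCP subnet worksheet carried through in Python, followed by the VyOS "set" lines that fall out of it for a student router (DHCP server, DNS forwarding, the anti-spoofing firewall rule) and for the instructor's border router (RIP plus NAT masquerade). The lab supernet 192.168.0.0/16, the interface names, the 10.10.0.0/24 inter-router network and the campus resolver address are assumptions; the command syntax is the VyOS 1.1-era form and should be checked against the router's own "?" completion, since later releases renamed some keywords (for example "listen-on" became "listen-address" and the DHCP range moved under "range").

```python
"""Subnet worksheet (binary method) and the VyOS configuration that follows from it."""
import ipaddress


def subnet_worksheet(host_id: int, hosts_needed: int, supernet: str = "192.168.0.0/16") -> dict:
    """Carry the class worksheet through in code.

    host_id       the student's physical lab computer number; becomes the subnet number
    hosts_needed  client addresses required on the LAN
    supernet      the block the whole lab shares (assumed 192.168.0.0/16)
    """
    block = ipaddress.IPv4Network(supernet)
    # Host bits: enough for the clients, the router, the network ID and the broadcast address.
    host_bits = (hosts_needed + 3 - 1).bit_length()
    prefix = 32 - host_bits
    subnet_bits = prefix - block.prefixlen
    if subnet_bits < 0 or host_id >= 2 ** subnet_bits:
        raise ValueError(f"host_id {host_id} does not fit in {subnet_bits} subnet bits")
    # Subnet ID = supernet bits | subnet number | all-zero host bits.
    subnet = ipaddress.IPv4Network((int(block.network_address) | (host_id << host_bits), prefix))
    return {
        "subnet": subnet,
        "mask": str(subnet.netmask),
        "mask_binary": ".".join(f"{octet:08b}" for octet in subnet.netmask.packed),
        "router": subnet.network_address + 1,          # first usable address goes to the router
        "first_client": subnet.network_address + 2,
        "last_client": subnet.broadcast_address - 1,
        "usable": subnet.num_addresses - 2,
    }


def student_router_config(ws: dict, lan_if: str = "eth0", wan_if: str = "eth1",
                          wan_addr: str = "10.10.0.10/24", wan_net: str = "10.10.0.0/24",
                          upstream_dns: str = "10.10.0.53") -> list:
    """VyOS 1.1-style commands for a student's router (syntax assumed; verify on the router)."""
    net, rtr = ws["subnet"], ws["router"]
    dhcp = f"set service dhcp-server shared-network-name LAN subnet {net}"
    return [
        f"set interfaces ethernet {lan_if} address {rtr}/{net.prefixlen}",
        f"set interfaces ethernet {wan_if} address {wan_addr}",
        # DHCP: hand out the client range computed on the worksheet.
        f"{dhcp} default-router {rtr}",
        f"{dhcp} dns-server {rtr}",
        f"{dhcp} start {ws['first_client']} stop {ws['last_client']}",
        # DNS: the router only forwards to the campus resolver.
        f"set service dns forwarding listen-on {lan_if}",
        f"set service dns forwarding name-server {upstream_dns}",
        # Anti-spoofing: packets entering from the LAN must carry a LAN source address.
        "set firewall name LAN-IN default-action accept",
        "set firewall name LAN-IN rule 10 action drop",
        f"set firewall name LAN-IN rule 10 source address !{net}",
        f"set interfaces ethernet {lan_if} firewall in name LAN-IN",
        # RIPv2 on both sides so the other students' routers learn this subnet.
        f"set protocols rip network {net}",
        f"set protocols rip network {wan_net}",
    ]


def border_router_config(lab_supernet: str = "192.168.0.0/16", inside_net: str = "10.10.0.0/24",
                         outside_if: str = "eth1") -> list:
    """Instructor's border router: RIP toward the lab, masquerading NAT toward the Internet."""
    return [
        f"set protocols rip network {inside_net}",
        "set protocols rip default-information originate",     # advertise the default route
        f"set nat source rule 100 outbound-interface {outside_if}",
        f"set nat source rule 100 source address {lab_supernet}",
        "set nat source rule 100 translation address masquerade",
    ]


if __name__ == "__main__":
    ws = subnet_worksheet(host_id=10, hosts_needed=253)    # physical lab computer #10
    for key, value in ws.items():
        print(f"{key:13} {value}")
    print("\n".join(student_router_config(ws)))
    print("\n".join(border_router_config()))
```

With 253 clients the worksheet lands on a /24 whose third octet is the host ID (192.168.10.0/24 for computer #10), which is the mapping the "subnets defined by host IDs" slide describes; asking for 50 clients instead produces 192.168.2.128/26, so the same student can see how the subnet number shifts when the host-bit count changes.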
Scapy, Revisited
Graded VM-LAN assignment, needs Internet access
a) Bare IP packet: demonstrates that IP doesn't do much "stand-alone"
b) TCP SYN packet, 2/3 of a three-way handshake: the final ACK packet (or an RST or FIN packet) is left off. Note that the Linux kernel, which knows nothing about scapy's SYN, answers the returning SYN-ACK with its own RST unless outbound RSTs are dropped with iptables
c) UDP datagram in an IP packet, sent to the instructor's QOTD server, which responds with a random quote (only works from behind the campus firewall)
d) Ping-like traceroute loop; scapy's built-in traceroute
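Added example, not part of the assignment: the packets of exercises (a), (b) and (c) built by hand in standard-library Python, with the IPv4 and TCP/UDP checksums computed rather than left to scapy, plus the sequence/acknowledgment arithmetic of the handshake that the FTP assignment has students read out of Wireshark. Addresses, ports and initial sequence numbers are constructed sample values, and nothing is put on the wire; the point is to see what scapy fills in for you.

```python
"""Hand-built IPv4, TCP and UDP packets with real checksums; nothing is transmitted."""
import ipaddress
import struct

SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01
IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")     # 20-byte TCP header, no options
UDP_HDR = struct.Struct("!HHHH")          # sport, dport, length, checksum


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over data that already contains its checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                           # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def _pseudo(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that TCP and UDP fold into their checksums."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = IP_HDR.pack(0x45, 0, IP_HDR.size + payload_len, 0x1234, 0, ttl, proto, 0,
                      _packed(src), _packed(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    hdr = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = checksum(_pseudo(_packed(src), _packed(dst), 6, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def udp_datagram(src, dst, sport, dport, payload=b""):
    length = UDP_HDR.size + len(payload)
    hdr = UDP_HDR.pack(sport, dport, length, 0)
    csum = checksum(_pseudo(_packed(src), _packed(dst), 17, length) + hdr + payload)
    return hdr[:6] + struct.pack("!H", csum or 0xFFFF) + payload   # 0 would mean "no checksum"


def bare_ip_packet(src, dst):
    """(a) An IPv4 header and nothing else; protocol 253 is reserved for experiments (RFC 3692)."""
    return ipv4_header(src, dst, 253, 0)


def syn_packet(src, dst, sport, dport, isn):
    """(b) IP + TCP SYN: the first third of the handshake."""
    return ipv4_header(src, dst, 6, TCP_HDR.size) + tcp_segment(src, dst, sport, dport, isn, 0, SYN)


def qotd_datagram(src, dst, sport):
    """(c) An empty UDP datagram to the Quote of the Day service, port 17."""
    return ipv4_header(src, dst, 17, UDP_HDR.size) + udp_datagram(src, dst, sport, 17)


def handshake(client, server, cport, sport, client_isn, server_isn, complete=True):
    """The three segments of a handshake. A SYN consumes one sequence number although it
    carries no data, so each side acknowledges the other's ISN + 1. With complete=False the
    final ACK is left off, as in the scapy exercise, and the server holds a half-open connection."""
    def seg(s, d, sp, dp, seq, ack, flags):
        return ipv4_header(s, d, 6, TCP_HDR.size) + tcp_segment(s, d, sp, dp, seq, ack, flags)
    packets = [seg(client, server, cport, sport, client_isn, 0, SYN),
               seg(server, client, sport, cport, server_isn, client_isn + 1, SYN | ACK)]
    if complete:
        packets.append(seg(client, server, cport, sport, client_isn + 1, server_isn + 1, ACK))
    return packets


def tcp_fields(packet: bytes) -> dict:
    """Read the TCP header back out of an IPv4 packet, the way Wireshark shows it."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, seq, ack, _, flags, window, _, _ = TCP_HDR.unpack_from(packet, ihl)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": window}


def verify(packet: bytes) -> dict:
    """Recompute the IPv4 checksum and, for TCP/UDP, the transport checksum over the pseudo-header."""
    ihl = (packet[0] & 0x0F) * 4
    proto, src, dst = packet[9], packet[12:16], packet[16:20]
    result = {"proto": proto, "ip_ok": checksum(packet[:ihl]) == 0, "transport_ok": None}
    transport = packet[ihl:]
    if proto in (6, 17) and transport:
        result["transport_ok"] = checksum(_pseudo(src, dst, proto, len(transport)) + transport) == 0
    return result


if __name__ == "__main__":
    # Constructed sample: a lab client (192.168.10.5) talks to the instructor's router (10.10.0.1).
    for name, pkt in [("bare IP", bare_ip_packet("192.168.10.5", "10.10.0.1")),
                      ("TCP SYN", syn_packet("192.168.10.5", "10.10.0.1", 40000, 80, 1000)),
                      ("QOTD", qotd_datagram("192.168.10.5", "10.10.0.1", 40000))]:
        print(f"{name:8} {len(pkt):3} bytes {verify(pkt)}  {pkt.hex()}")
    for pkt in handshake("192.168.10.5", "10.10.0.1", 40000, 21, 1000, 5000):
        print(tcp_fields(pkt))
```

Feeding the hex output to scapy's `IP(bytes.fromhex(...)).show2()` is a quick cross-check: scapy recomputes the checksums and should agree with verify(). The half-open case from complete=False is also why the deck's SYN exercise leaves state on the target: until the server's SYN timer expires, the connection sits in SYN-RECEIVED.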
Final Network Configuration
- Highly redundant network, as long as students remember to start their routers along with their clients
Discussion
- Few link-layer activities (more possibilities using scapy/Python?)
- Decent Internet (network) layer activities, including network services
- Some activities as assignments
  » Completed outside of the classroom; serve as "checkpoints" for completing lab exercises
  » Should be "out-of-band", not vital for subsequent lab exercises
- Not the only assignments: others use Wireshark on the physical host or on students' own computers, and hands-on work with Ethernet cabling
Discussion 2
- Physical layer? Not on virtual machines
  » Additional assignment to build an Ethernet cable; more of a "motor skills" exercise
- Could use some activity for the transport layer (scapy to the rescue?)
- Application-layer activities can be expanded
- For Digital Forensics / Security: emphasis on Wireshark and malicious network traffic; scapy has many possibilities for hacking
- Exercises are in-class, so difficulties/problems roll over to the next exercise for completion
  » Instructor serves as lab assistant
  » Lab assistant? Lab section? (wishful thinking)
Future Work
- Email / SMTP exercise: send emails between students' subnets
- Scapy / LLTD exercise: good candidate for an out-of-class assignment
- Convert routers from RIP to OSPF
- Proxy servers
- Coding exercise for C.S. majors?
Thank You!