SEC 440 Network Redundancy Project - Zacham17/my-tech-journal GitHub Wiki
In this project, I completed the following objectives:
- Configured and Networked the following systems:
- vyos1
- vyos2
- xubuntu-wan
- xubuntu-lan
- web01
- Configured redundant WAN and LAN on vyos1 and vyos2
- Configured port forwarding for the following:
- HTTP(port 80) from the WAN to web01 on the LAN
- SSH(port 22) from the WAN to web01 on the LAN
- MFA SSH to web01
- Root SSH Disabled on web01
- Set redundant default gateway on LAN systems
The next portion of this page will cover each system and the setup and configuration involved for this project.
vyos1
Network Information:
- Eth0(WAN) IP : 10.0.17.24
- Eth1(LAN) IP : 10.0.5.2
- Virtual IP(LAN) : 10.0.5.1
- Virtual IP(WAN) : 10.0.17.114
- Default Gateway : 10.0.17.2
- Name Server: 10.0.17.2
Network Configuration Commands:
The following commands were used for vyos1's network configuration (the virtual IPs listed above come from the VRRP setup further down):
set interfaces ethernet eth0 address '10.0.17.24/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.2/24'
set interfaces ethernet eth1 description 'LAN'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.2'
set service dns forwarding system
set system name-server '10.0.17.2'
Port Forwarding
The commands below configure source NAT (masquerade) from the LAN to the WAN, which is what gives LAN hosts Internet access. This is not port forwarding: it rewrites the source address of outbound LAN traffic to the address of eth0. Masquerade uses the primary address of the outbound interface, so traffic leaving vyos1 carries 10.0.17.24, not the VRRP virtual address.
set nat source rule 10 description 'NAT from LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
The commands below port forward (destination NAT) HTTP and SSH from the WAN to web01 on the LAN. Neither rule sets a destination address, so each matches any address that arrives on eth0 on the given port: the physical WAN address 10.0.17.24 as well as the virtual address 10.0.17.114. Forwarding SSH this way exposes web01's SSH service to the whole WAN, which is why the MFA and disabled root login on web01 matter.
set nat destination rule 10 description 'HTTP->web01'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.5.100'
set nat destination rule 10 translation port '80'
set nat destination rule 20 description 'SSH to web01'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '22'
Virtual Router Redundancy Protocol(VRRP)
VRRP is used to create redundancy between vyos1 and vyos2. Both routers share a virtual IP address on each interface; the router elected MASTER answers for the address and the other stands by as BACKUP, so if the master goes down the backup takes over the address and the LAN hosts, whose gateway and DNS server point at the virtual IP, keep working without reconfiguration. The commands below were used to configure VRRP:
set high-availability vrrp group langroup address 10.0.5.1/24
set high-availability vrrp group langroup interface 'eth1'
set high-availability vrrp group langroup priority '200'
set high-availability vrrp group langroup vrid '10'
set high-availability vrrp group wangroup14 address 10.0.17.114/24
set high-availability vrrp group wangroup14 interface 'eth0'
set high-availability vrrp group wangroup14 priority '200'
set high-availability vrrp group wangroup14 vrid '164'
This is where the virtual IP addresses are set. Both routers must advertise the same vrid for a given address (10 for the LAN group, 164 for the WAN group); the priority decides the election, and the router advertising the highest priority becomes MASTER and holds the virtual IP. 255 is reserved for the router that owns the address itself, so 254 is the highest value a backup router should use. Advertisements are multicast to 224.0.0.18 and carry no authentication unless it is configured for the group, so VRRP should only run on segments where every attached host is trusted.
At this point, I ran the following command so that the DNS forwarder also listens on the LAN virtual IP address, which is held by whichever router is currently MASTER:
set service dns forwarding listen-address '10.0.5.1'
vyos2
Network Information:
- Eth0(WAN) IP : 10.0.17.84
- Eth1(LAN) IP : 10.0.5.3
- Virtual IP(LAN): 10.0.5.1
- Virtual IP(WAN): 10.0.17.114
- Default Gateway: 10.0.17.2
- Name Server: 10.0.17.2
Network Configuration Commands:
The following commands were used for vyos2's network configuration (the virtual IPs listed above come from the VRRP setup further down):
set interfaces ethernet eth0 address '10.0.17.84/24'
set interfaces ethernet eth0 description 'WAN'
set interfaces ethernet eth1 address '10.0.5.3/24'
set interfaces ethernet eth1 description 'LAN'
set protocols static route 0.0.0.0/0 next-hop 10.0.17.2
set service dns forwarding allow-from '10.0.5.0/24'
set service dns forwarding listen-address '10.0.5.3'
set service dns forwarding system
set system name-server '10.0.17.2'
Port Forwarding
As on vyos1, the commands below configure source NAT (masquerade) so that LAN hosts can reach the WAN; this is not port forwarding. Because masquerade uses the primary address of eth0, traffic that leaves through vyos2 after a failover carries 10.0.17.84 rather than the virtual address.
set nat source rule 10 description 'NAT from LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
As on vyos1, the commands below port forward (destination NAT) HTTP and SSH from the WAN to web01 on the LAN. With no destination address in the rules they match any address arriving on eth0, so vyos2's own WAN address and the virtual address are both forwarded.
set nat destination rule 10 description 'HTTP->Web01'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.5.100'
set nat destination rule 10 translation port '80'
set nat destination rule 20 description 'SSH to web01'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '22'
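As an added example for the port-forwarding sections of vyos1 and vyos2 (not code from the original wiki page or from VyOS), the Python below parses "set nat" commands of the form used on this page into rules, answers the question "which destination NAT rule would translate a packet to address X, port Y arriving on eth0", and lints the rules for the two points raised above: a destination rule with no destination address matches every address on the inbound interface, and an SSH forward with no source restriction exposes the host to the whole WAN. The sample command text is constructed from the vyos1 rules (vyos2's are identical); the function names and the lint messages are this example's own.

```python
"""Parse and lint VyOS 'set nat ...' commands for the port-forwarding pitfalls discussed above."""
import ipaddress
import shlex

# Constructed sample: the vyos1 NAT rules from this page (the vyos2 rules are identical).
SAMPLE_NAT_COMMANDS = """
set nat source rule 10 description 'NAT from LAN to WAN'
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.5.0/24'
set nat source rule 10 translation address 'masquerade'
set nat destination rule 10 description 'HTTP->web01'
set nat destination rule 10 destination port '80'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address '10.0.5.100'
set nat destination rule 10 translation port '80'
set nat destination rule 20 description 'SSH to web01'
set nat destination rule 20 destination port '22'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address '10.0.5.100'
set nat destination rule 20 translation port '22'
"""


def parse_nat_rules(text):
    """Group 'set nat <chain> rule <n> <key words...> <value>' lines into {(chain, n): {key: value}}."""
    rules = {}
    for line in text.splitlines():
        tok = shlex.split(line)          # shlex strips the single quotes VyOS puts around values
        if len(tok) < 7 or tok[:2] != ["set", "nat"] or tok[3] != "rule":
            continue
        chain, num = tok[2], int(tok[4])
        key, value = " ".join(tok[5:-1]), tok[-1]
        rules.setdefault((chain, num), {})[key] = value
    return rules


def port_in_spec(port, spec):
    """VyOS port specs: '80', '80,443', '1000-2000' or combinations of those."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def dnat_matches(rule, dst_ip, dport, proto="tcp", iface="eth0"):
    """Would this destination NAT rule translate a packet with these header fields?"""
    if rule.get("inbound-interface") not in (None, iface):
        return False
    if rule.get("protocol", "all") not in ("all", proto):
        return False
    if "destination port" in rule and not port_in_spec(dport, rule["destination port"]):
        return False
    if "destination address" in rule:
        net = ipaddress.ip_network(rule["destination address"], strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
    return True                          # no 'destination address' means any address on the interface


def lint_nat(rules):
    """Return human-readable findings for the destination NAT rules."""
    findings = []
    for (chain, num), rule in sorted(rules.items()):
        if chain != "destination":
            continue
        tag = f"destination rule {num}"
        if "destination address" not in rule:
            findings.append(f"{tag}: no 'destination address'; matches every address on "
                            f"{rule.get('inbound-interface', 'any interface')}, physical IP and VRRP VIP alike")
        if rule.get("destination port") and port_in_spec(22, rule["destination port"]) \
                and "source address" not in rule:
            findings.append(f"{tag}: forwards SSH from the whole WAN with no 'source address' restriction")
    return findings


if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_NAT_COMMANDS)
    for ip in ("10.0.17.24", "10.0.17.84", "10.0.17.114"):
        hits = [n for (c, n), r in rules.items() if c == "destination" and dnat_matches(r, ip, 80)]
        print(f"{ip}:80 -> destination rules {hits}")
    for finding in lint_nat(rules):
        print("WARN", finding)
```

The matcher only models the fields this page uses (interface, protocol, port, address); it does not implement VyOS address negation or port groups. Restricting an SSH forward with a source address, or a firewall rule on eth0, is the usual fix for the second finding.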
Virtual Router Redundancy Protocol(VRRP)
VRRP on vyos2 mirrors the vyos1 configuration: the same virtual addresses and the same vrids, but a lower priority, so vyos2 stands by as BACKUP and only takes over the virtual IPs when vyos1 stops advertising. The commands below were used to configure VRRP:
set high-availability vrrp group langroup address 10.0.5.1/24
set high-availability vrrp group langroup interface 'eth1'
set high-availability vrrp group langroup priority '100'
set high-availability vrrp group langroup vrid '10'
set high-availability vrrp group wangroup14 address 10.0.17.114/24
set high-availability vrrp group wangroup14 interface 'eth0'
set high-availability vrrp group wangroup14 priority '100'
set high-availability vrrp group wangroup14 vrid '164'
This is where the virtual IP addresses are set. The vrids (10 and 164) match the ones on vyos1, which is what makes the two routers members of the same groups. The priority decides the election, with the highest advertised priority becoming MASTER; vyos2 is the backup, as its priority (100) is lower than vyos1's (200).
At this point, I ran the following command so that the DNS forwarder also listens on the LAN virtual IP address, which vyos2 only holds while it is MASTER:
set service dns forwarding listen-address '10.0.5.1'
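As an added example for the VRRP sections of vyos1 and vyos2 (not code from the original wiki page, from VyOS or from keepalived), the Python below builds and parses VRRPv2 advertisements (RFC 3768) like the ones the two routers exchange for the LAN group (vrid 10, virtual address 10.0.5.1, priorities 200 and 100) and applies the election rule: highest priority wins, ties go to the higher sender address. It also shows the security caveat from the text: the advertisement carries no authentication by default, so any host on the segment that sends a priority-254 advertisement for the same vrid wins the election and takes the virtual IP. The router names, sender addresses and packets are constructed from the page's addressing plan; the function names are this example's own.

```python
"""VRRPv2 (RFC 3768) advertisement build/parse and master election, modelled on this page's routers."""
import ipaddress
import struct

VRRP_MCAST = "224.0.0.18"   # advertisements go to this group as IP protocol 112
PRIO_OWNER = 255            # reserved for the router that owns the address itself
PRIO_MAX_BACKUP = 254       # highest value a non-owner may advertise


def ones_complement_sum(data: bytes) -> int:
    """IP-style checksum over the whole VRRP message; returns 0 when the embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vrrp2(vrid: int, priority: int, vips, adver_int: int = 1) -> bytes:
    """Version 2, type 1 (ADVERTISEMENT), auth type 0 (none) and 8 zero bytes of auth data."""
    if not 0 <= priority <= PRIO_OWNER:
        raise ValueError("priority must be 0..255")
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(v).packed for v in vips) + b"\x00" * 8
    pkt = bytearray(header + body)
    struct.pack_into("!H", pkt, 6, ones_complement_sum(bytes(pkt)))   # fill in the checksum
    return bytes(pkt)


def parse_vrrp2(pkt: bytes) -> dict:
    """Validate version, type and checksum, then return the fields a receiving router acts on."""
    vt, vrid, priority, count, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if ones_complement_sum(pkt) != 0:
        raise ValueError("bad checksum")
    vips = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "auth_type": auth_type,
            "adver_int": adver_int, "vips": vips}


def elect_master(advertisements) -> dict:
    """advertisements: iterable of (router_name, sender_ip, packet).
    Per vrid the highest priority wins; a tie goes to the higher sender address (RFC 3768)."""
    best = {}
    for name, sender, pkt in advertisements:
        adv = parse_vrrp2(pkt)
        rank = (adv["priority"], ipaddress.IPv4Address(sender))
        if adv["vrid"] not in best or rank > best[adv["vrid"]][0]:
            best[adv["vrid"]] = (rank, name)
    return {vrid: name for vrid, (_rank, name) in best.items()}


def lan_group():
    """Constructed: the LAN VRRP group from this page (vrid 10, VIP 10.0.5.1, priorities 200/100)."""
    return [
        ("vyos1", "10.0.5.2", build_vrrp2(10, 200, ["10.0.5.1"])),
        ("vyos2", "10.0.5.3", build_vrrp2(10, 100, ["10.0.5.1"])),
    ]


if __name__ == "__main__":
    group = lan_group()
    print("normal     :", elect_master(group))
    print("vyos1 down :", elect_master(group[1:]))
    # Any host on the LAN can send this: nothing in the packet proves who sent it.
    rogue = ("rogue", "10.0.5.6", build_vrrp2(10, PRIO_MAX_BACKUP, ["10.0.5.1"]))
    print("hijacked   :", elect_master(group + [rogue]))
```

The hijack case is the reason to keep VRRP on a trusted segment (or filter protocol 112 at the switch): once the rogue host holds 10.0.5.1 it is the LAN's default gateway and DNS server. VyOS can attach password or AH authentication to a group, but that only raises the bar for VRRPv2 and does not replace segment hygiene.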
All VyOS configuration commands:
The links below lead to files containing the configuration commands for vyos1 and vyos2.
NOTE: The following command shows the configuration commands that have been applied on a VyOS machine. The grep filter drops noise (syslog, NTP, console, conntrack, loopback) and, more importantly, the login and hw-id stanzas, so that user password hashes and interface MAC addresses are not copied into a public wiki:
show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"
xubuntu-wan
Network Information:
- IP : 10.0.17.54
- Default Gateway: 10.0.17.2
- Name Server: 10.0.17.2
The network information was configured using the GUI in Linux.
xubuntu-lan
Network Information:
- IP : 10.0.5.6
- Default Gateway: 10.0.5.1
- Name Server: 10.0.5.1
The network information was configured using the GUI in Linux. As seen, the default gateway was set to the virtual IP address created with VRRP.
web01
Network Information:
- IP : 10.0.5.100
- Default Gateway: 10.0.5.1
- Name Server: 10.0.5.1
The network information was configured using the nmtui tool. As seen, the default gateway was set to the virtual IP address created with VRRP.
HTTPD Setup
I installed the Apache web server onto web01.
I ran the commands below:
sudo yum update httpd
sudo yum install httpd
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
(The update line only does something if httpd is already present; the install line is what pulls in Apache. Opening https in firewalld is harmless but unused here, since only port 80 is served and forwarded.)
In the /var/www/html/ directory, I added an index.html file with a simple page that identifies web01, so that tests from the WAN show which host answered.
I then started the httpd service by running the command sudo systemctl start httpd. Starting alone does not bring the service back after a reboot; it also has to be enabled, which matters when failover is tested by taking hosts down.
Two-Factor Authentication With SSH
I configured two-factor authentication for SSH on web01 using Google Authenticator. I took the following steps.
- Run the Commands below from web01:
sudo yum update
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install google-authenticator
- Run the command google-authenticator as the user who will log in, to initialize Google Authenticator for that account. Respond to the prompts as follows:
- Make tokens “time-based”: yes
- When the QR code appears, scan it in the Google Authenticator app to generate a code.
- Update the .google_authenticator file: yes
- Disallow multiple uses: yes
- Increase the original generation time limit: no
- Enable rate-limiting: yes
- To make SSH use the installed Google Authenticator PAM module, add the following line to the /etc/pam.d/sshd file:
auth required pam_google_authenticator.so
- Modify the /etc/ssh/sshd_config file by changing "ChallengeResponseAuthentication" from no to yes. (On newer OpenSSH releases this directive is named KbdInteractiveAuthentication; ChallengeResponseAuthentication is kept as an alias.)
- Restart the ssh service using
sudo systemctl restart sshd.service
Now when connecting to web01 over SSH as the user who generated the secret, there will be a prompt after the password to enter a verification code. Two caveats: the PAM line only covers authentication methods that go through PAM (password and keyboard-interactive), so a user who logs in with an SSH public key is not asked for a code unless sshd_config also requires both with AuthenticationMethods publickey,keyboard-interactive; and the "disallow multiple uses" answer is what stops a captured code from being replayed within its 30-second window.
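As an added example for the two-factor setup above (not code from the original wiki page or from the google-authenticator project), the Python below implements the TOTP computation Google Authenticator and the PAM module share (RFC 6238: HMAC-SHA1 over the 30-second counter, truncated to 6 digits) and a server-side verifier that models the three answers given to the prompts: a window of the current step plus or minus one, a code usable only once, and at most three attempts per 30 seconds. The secret is the RFC 6238 reference key in base32 so the codes can be checked against the RFC's published vectors; the class and function names are this example's own, and the verifier is a model of the PAM module's checks, not its code.

```python
"""TOTP as Google Authenticator computes it, plus the replay and rate-limit checks chosen above."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30   # seconds per code: the "time-based" answer


def totp(secret_b32: str, for_time=None, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated to `digits` digits."""
    secret = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))   # restore padding the app omits
    counter = int((time.time() if for_time is None else for_time) // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class TotpVerifier:
    """Server-side check modelling the prompts above: window of +/-1 step (no larger time limit),
    one use per code (disallow multiple uses) and 3 attempts per 30 s (rate limiting)."""

    def __init__(self, secret_b32: str, window: int = 1, max_attempts: int = 3, rate_window: int = 30):
        self.secret = secret_b32
        self.window = window
        self.max_attempts = max_attempts
        self.rate_window = rate_window
        self.used_steps = set()     # the PAM module persists these in ~/.google_authenticator
        self.attempts = []          # timestamps of recent attempts, for rate limiting

    def verify(self, code: str, now: float) -> bool:
        self.attempts = [t for t in self.attempts if now - t < self.rate_window]
        if len(self.attempts) >= self.max_attempts:
            return False            # rate limited: refused even if the code is right
        self.attempts.append(now)
        current = int(now // STEP)
        for step in range(current - self.window, current + self.window + 1):
            if step in self.used_steps:
                continue            # a code already consumed cannot be replayed
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.used_steps.add(step)
                return True
        return False


# Constructed sample secret: the RFC 6238 reference key (ASCII "12345678901234567890") in base32.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code at T=59:", totp(RFC6238_SECRET, 59))
    v = TotpVerifier(RFC6238_SECRET)
    print("first use :", v.verify(totp(RFC6238_SECRET, 59), 59))
    print("replay    :", v.verify(totp(RFC6238_SECRET, 59), 60))
```

The replay check is per time step, not per code value: once step N has been consumed, even the correct code for N is refused for the rest of its window, which is exactly what "disallow multiple uses" buys against an attacker who watched the code being typed.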
Requirement Testing
To test that I met the objectives of this project, I performed the following actions:
Testing HTTP from WAN to web01
From xubuntu-wan, I used the curl command to check HTTP connectivity:
- curl http://10.0.17.24 succeeds in reaching web01, since vyos1 is the active (MASTER) router and the DNAT rule matches its physical WAN address.
- curl http://10.0.17.84 fails to reach web01. vyos2 is the backup; it does translate and forward the request, but web01 sends its reply to its default gateway 10.0.5.1, which vyos1 holds, so the reply returns through vyos1 rather than vyos2 and never matches the connection the client opened to 10.0.17.84.
- curl http://10.0.17.114 succeeds, since that is the virtual IP that whichever router is MASTER (vyos1 at this point) answers for.
Demonstrate virtual IP address usage
From xubuntu-wan, I ran the command arp -a to show that vyos1's own WAN address 10.0.17.24 and the virtual IP 10.0.17.114 resolve to the same MAC address. By default VyOS answers for the virtual address with the interface's real MAC rather than the 00:00:5e:00:01:xx VRRP virtual MAC, which is why the two entries match.
Testing Multi-Factor SSH from WAN to web01
From xubuntu-wan, I used the SSH command ssh <username>@10.0.17.114, where the username is the account on web01 that ran google-authenticator and the address is the VRRP virtual address. Executing this command established a connection to web01 through the port forward and required the entry of a password and then a verification code to log in.
Determining Active Firewall From LAN
Running the command tracepath 10.0.17.2 from a LAN host reveals the active firewall: the first hop is 10.0.5.2 when vyos1 is MASTER and 10.0.5.3 when vyos2 is. The arp -a command can also be used to show that the LAN interfaces of vyos1 and vyos2 each have their own IP address and that the virtual IP 10.0.5.1 shares a MAC address with the active router.
Confirming VRRP Redundancy
I disconnected vyos1 from all connected networks and ran all of the above tests again. The tracepath command, run from the xubuntu-lan system, now shows vyos2 as the active router. Note that only new connections carry over: NAT connection state is not shared between the two routers unless conntrack synchronization is configured, so sessions that were open through vyos1 (an SSH session to web01, for example) drop and have to be reconnected.
Reflection
I found this lab fairly simple, since it mostly refers back to a previous course I took. New things that I learned how to do include configuring VRRP and two-factor authentication over SSH. Setting up VRRP was interesting to do and I think it will become useful in the future. I think redundancy is important in systems just in case something breaks. Something I had to remember for this lab is that when navigating to web01 from the WAN, the address to contact is the WAN address for the router (whether that be vyos1, vyos2, or the VRRP IP).