CryptoLab
Cryptolab consists of 24 servers behind a cryptogate. It is used to teach COMP3441. The 2009 version of the cryptolab implements the gateway and lab machines as virtual machines operating in a single VMware ESX server. This is different from the past, when the gateway and the lab machines were separate physical computers located in the CSE server room.
What is it?
- 24 virtual computers named after the chemical elements.
- 3 virtual switches:
  - 1 to connect to the outside,
  - 1 to use VLANs, with a trunk on an external physical switch to connect the physical gear,
  - 1 which is set to be promiscuous for sniffing
- 3 physical hubs
- 1 wireless access point
What is the purpose?
- To provide computers and network with which students can create subnetworks and experiment with routing, firewalls and kernel configurations.
- Students have root access to the computers.
Architecture
Gateway=cryptogate-vm
- Its firewall isolates the lab computers from the rest of CSE, UNSW and the internet.
- It is configured with both DHCP and DNS serving the lab machine subnetwork. The default Linux machines are configured to use DHCP to acquire their networking details. This includes using as their DNS server. cryptogate-vm's DNS server is a simple caching server, but it does know about the lab machines and can resolve their names and IP addresses.
- Remote access to the lab machines is by SSH or Remote desktop to ports on the gateway.
The lab computers
- They run Fedora 10 by default but the CryptoAdmin can install any operating system.
- The configuration is identical for all machines.
- They have 3 Ethernet interfaces:
  - eth0 (under Linux) is connected to cryptogate-vm via the "CryptoMainSwitch". This is the way in which external network traffic (such as ssh) reaches each virtual lab machine.
  - eth1 is connected to an 802.1q VLAN trunk. This trunk is switched so that when any virtual machine brings up a VLAN interface on this network interface, it will be able to communicate on that VLAN with other similarly configured machines. To configure a VLAN, see the section "How to configure a vlan".
  - eth2 is connected to "CryptoPromiscSwitch", which works like a hub.
- They use DHCP (the server runs on the gateway) to get their network configuration and machine name.
Remote access to the cryptolab machines
- Access to each lab machine is via port-forwarding through cryptogate-vm.

| Machine name | Alias | IP address | Port forwarded on cryptogate-vm for SSH (X) | Port forwarded on cryptogate-vm for RDP (Y) |
|---|---|---|---|---|
| hydrogen | h | 192.168.0.1 | 101 | 3381 |
| helium | he | 192.168.0.2 | 102 | 3382 |
| lithium | li | 192.168.0.3 | 103 | 3383 |
| beryllium | be | 192.168.0.4 | 104 | 3384 |
| boron | b | 192.168.0.5 | 105 | 3385 |
| carbon | c | 192.168.0.6 | 106 | 3386 |
| nitrogen | n | 192.168.0.7 | 107 | 3387 |
| oxygen | o | 192.168.0.8 | 108 | 3388 |
| fluorine | f | 192.168.0.9 | 109 | 3389 |
| neon | ne | 192.168.0.10 | 110 | 3390 |
| sodium | na | 192.168.0.11 | 111 | 3391 |
| magnesium | mg | 192.168.0.12 | 112 | 3392 |
| aluminium | al | 192.168.0.13 | 113 | 3393 |
| silicon | si | 192.168.0.14 | 114 | 3394 |
| phosphorus | p | 192.168.0.15 | 115 | 3395 |
| sulfur | s | 192.168.0.16 | 116 | 3396 |
| chlorine | cl | 192.168.0.17 | 117 | 3397 |
| argon | ar | 192.168.0.18 | 118 | 3398 |
| potassium | k | 192.168.0.19 | 119 | 3399 |
| calcium | ca | 192.168.0.20 | 120 | 3400 |
| scandium | sc | 192.168.0.21 | 121 | 3401 |
| titanium | ti | 192.168.0.22 | 122 | 3402 |
| vanadium | v | 192.168.0.23 | 123 | 3403 |
| chromium | cr | 192.168.0.24 | 124 | 3404 |

- The SSH column shows the port on cryptogate-vm which forwards to TCP port 22 of the corresponding lab machine. Used on Linux/UNIX machines.
  ssh -p X root@cryptogate-vm (where X is the port forwarded)
- The RDP column shows the port on cryptogate-vm which forwards to TCP 3389 (Remote Desktop) of the corresponding lab machine. Used on Microsoft Windows machines.
  rdesktop cryptogate-vm:3381 -u administrator (to use rdesktop with hydrogen)
Physical networking
The new lab does retain some of the physical components from the old lab, namely a switch, three hubs and the wireless access point. The same 802.1q trunk shared by the eth1 interfaces of the lab machines extends out to the Cisco switch. It is preconfigured with each physical non-trunk port being its own separate VLAN. The physical switch ports are connected as shown in the following table.

| Switch port | VLAN | Connected to |
|---|---|---|
| 1 | 101 | Hub #1 - port 1 |
| 2 | 102 | Hub #1 - port 2 |
| 3 | 103 | Hub #1 - port 3 |
| 4 | 104 | Hub #1 - port 4 |
| 5 | 105 | Hub #1 - port 5 |
| 6 | 106 | Hub #1 - port 6 |
| 7 | 107 | Hub #1 - port 7 |
| 8 | 108 | Hub #1 - port 8 |
| 9 | 109 | Hub #2 - port 1 |
| 10 | 110 | Hub #2 - port 2 |
| 11 | 111 | Hub #2 - port 3 |
| 12 | 112 | Hub #2 - port 4 |
| 13 | 113 | Hub #2 - port 5 |
| 14 | 114 | Hub #2 - port 6 |
| 15 | 115 | Hub #2 - port 7 |
| 16 | 116 | Hub #2 - port 8 |
| 17 | 117 | Hub #3 - port 1 |
| 18 | 118 | Hub #3 - port 2 |
| 19 | 119 | Hub #3 - port 3 |
| 20 | 120 | Hub #3 - port 4 |
| 21 | 121 | |
| 22 | 122 | |
| 23 | 123 | Wireless AccessPoint |
| 24 | Trunk | |
How to configure a vlan
On fedora
The following configuration shows how to set up a Fedora Linux network interface file for a VLAN. In this case, the VLAN is number 13 and the configuration file is /etc/sysconfig/network-scripts/ifcfg-eth1.13 . Once this configuration file is in place, it only needs either service network restart or ifup eth1.13 to be run. This creates an eth1.13 interface which will appear and work like a normal network interface (such as when ifconfig -a or tcpdump is run). It's worth noting that running tcpdump on eth1 without the VLAN ID will show traffic for all VLANs (including the VLAN tags).
Do ensure that the vconfig package is installed, otherwise the above will not work.
VLAN=yes
DEVICE=eth1.13
BOOTPROTO=none
ONBOOT=yes
IPADDR=10.13.0.2
NETMASK=255.255.255.0
NETWORK=10.13.0.0
BROADCAST=10.13.0.255
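The following script is an added example, not part of the lab's own documentation or tooling: it generates an ifcfg-eth1.N file following the 10.N.0.x/24 addressing of the VLAN 13 example above, rejects VLAN IDs outside the 802.1q range or outside what that addressing can express, and reports which physical hub port or access point a VLAN reaches according to the switch table in the "Physical networking" section. The function names and the assumption that every VLAN uses the 10.N.0.0/24 scheme are mine.

```shell
#!/bin/sh
# Added example (not from the CryptoLab page): build a Fedora VLAN ifcfg file
# for a sub-interface on eth1 and look up the VLAN's physical port.

# Return 0 if $1 is a valid 802.1q VLAN ID (1..4094), 1 otherwise.
valid_vlan() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Print the contents of ifcfg-eth1.<vlan> for host number <host> (1..254).
# Assumption: the lab's 10.<vlan>.0.0/24 convention, so VLAN IDs above 255
# cannot be expressed in the second octet and are rejected.
gen_vlan_ifcfg() {
    vlan=$1; host=$2
    valid_vlan "$vlan" || { echo "bad VLAN id: $vlan" >&2; return 1; }
    [ "$vlan" -le 255 ] || { echo "VLAN $vlan does not fit 10.<vlan>.0.0/24" >&2; return 1; }
    case "$host" in ''|*[!0-9]*) echo "bad host number: $host" >&2; return 1 ;; esac
    [ "$host" -ge 1 ] && [ "$host" -le 254 ] || { echo "bad host number: $host" >&2; return 1; }
    printf 'VLAN=yes\nDEVICE=eth1.%s\nBOOTPROTO=none\nONBOOT=yes\n' "$vlan"
    printf 'IPADDR=10.%s.0.%s\nNETMASK=255.255.255.0\n' "$vlan" "$host"
    printf 'NETWORK=10.%s.0.0\nBROADCAST=10.%s.0.255\n' "$vlan" "$vlan"
}

# Map a VLAN ID to the physical port it is switched to, per the page's table:
# 101-108 -> hub #1 ports 1-8, 109-116 -> hub #2 ports 1-8,
# 117-120 -> hub #3 ports 1-4, 123 -> wireless access point.
# Every other VLAN only exists between the virtual machines.
vlan_physical_port() {
    v=$1
    valid_vlan "$v" || { echo "bad VLAN id: $v" >&2; return 1; }
    if   [ "$v" -ge 101 ] && [ "$v" -le 108 ]; then echo "Hub #1 port $((v - 100))"
    elif [ "$v" -ge 109 ] && [ "$v" -le 116 ]; then echo "Hub #2 port $((v - 108))"
    elif [ "$v" -ge 117 ] && [ "$v" -le 120 ]; then echo "Hub #3 port $((v - 116))"
    elif [ "$v" -eq 123 ]; then echo "Wireless access point"
    else echo "no physical port (virtual machines only)"
    fi
}

# Typical use on a lab machine (as root, with the vconfig package installed):
#   gen_vlan_ifcfg 13 2 > /etc/sysconfig/network-scripts/ifcfg-eth1.13 && ifup eth1.13
#   vlan_physical_port 13
```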
On Windows Vista & Server 2008
Microsoft Windows operating systems do not support VLANs (802.1q or otherwise). However, many network card manufacturers (such as Intel) provide VLAN support in their device drivers. Here's how to configure 802.1q support on Vista and Server 2008.
Firstly, note that the Windows virtual lab machines have virtual Intel E1000 network cards.
Secondly, download the following from cryptogate-vm (these drivers were found on www.intel.com):
- http://cryptogate-vm/IntelDrivers/AllNetworkAdapterDrivers_13_5.zip (v13.5 for Server 2008 at time of writing)
- http://cryptogate-vm/IntelDrivers/PROVISTAX64_v13_5.exe (v13.5 at time of writing). Note that this is the 64-bit version.
Next, do the following:
- Replace the Microsoft network card driver with the Intel one from AllNetworkAdapterDrivers (Start->Computer->Properties->DeviceManager)
- Install Provista64.

Those new virtual LANs will show up in the network connections manager:

Note that in the network connections manager diagram, the names of the interfaces associated with the trunk have already been changed to be more meaningful. E.g., "Local Area Connection #2" has been changed to "Local Trunk".
Administration of the lab
By means of the VMware Infrastructure Client (VIC), tutors and lecturers have greater access to the lab machines. This allows them to insert virtual media into each machine's CD/DVD drive and install whatever operating system they want (though Linux remains available as an install option when booting). Also, the power switch and reset button of each machine are now accessible via the VIC.
Install the Virtual Infrastructure Client
The VIC can be installed on a Windows box; it can be downloaded at engesx04.cse.unsw.edu.au
Connect to the CSE virtual farm
Once the VIC is installed, you can connect to vim.cse.unsw.edu.au with the login CryptoAdmin
Select the Virtual Machines & Templates view :

Then you can see the console of the machine, reset it, stop and start it, as well as connect a CD or an iso file.

Install Fedora on one of the lab machines
Each machine is configured so it first boots from the CD/DVD, then from the network card and finally from the hard drive. So if the CD/DVD drive is not connected, the following menu will appear while booting:
###########################################
############## PXE boot #################
###########################################
1 : will install fedora10 64 bits
2 : will boot from the local hard drive
default is to boot from the local hard drive
By default, the machine boots from the local hard drive; if the user types "1" and then "enter", a new Fedora10 operating system will be installed.