
4.3 Operating System FreeBSD

4.4.1 CAP Network and Application Configuration

The CAP has two network interfaces. These can be provided either by two physical Network Interface Cards (NICs) or by a single NIC with two IP aliases [27] that reside on separate Virtual LANs (VLANs). One network interface is connected to the C-WAN (the external interface) and the other to the C-LAN (the internal interface). The CAP's external interface connects to the C-WAN, a shared network that is assumed to be insecure. The CAP's internal interface connects to the C-LAN via switching infrastructure that links the computers and servers within the C-LAN. The external interface is used to establish a PPPoE tunnel to the AC over the C-WAN, providing authenticated and encrypted network traffic over the C-WAN.

Using PPPoE to secure the connections between the CAPs and the AC ensures that only authorised hosts may use the C-WAN and the services it provides. Secured connections are a necessary requirement when the network link uses a shared medium, as they prevent potential network abuse or attacks. Technologies that use shared media include WiFi and WiMAX. WiFi has well documented exploits [37]: passive attacks, in which network traffic is listened to or eavesdropped on to obtain information; active attacks to gain unauthorised access or perform Denial of Service (DoS); Man-in-the-Middle attacks, in which a legitimate user is tricked into talking to a rogue access point; and jamming attacks, which introduce interference on the radio frequency. PPPoE can aid in preventing active, passive and Man-in-the-Middle attacks.

The CAP is configured as a forwarding DNS server using the application BIND [45], and all DNS lookups by hosts within the C-LAN must use the CAP as their DNS server. DNS lookups are cached for a set period of time called the Time To Live (TTL), which is set by the authoritative DNS server for a specific DNS entry. If the DNS cache on the CAP does not have the entry, the request is forwarded to the AC, which in turn forwards the request to the ISP's DNS servers. By providing a DNS server on the CAP, response times for regularly accessed websites can be improved, as DNS entries can be retrieved from the cache instead of requesting lookups from the upstream DNS servers.

The CAP can be configured as a DHCP server for the C-LAN, providing IP addresses to hosts within the C-LAN from a specific IP range. DHCP allows automatic configuration of IP addresses for hosts within the C-LAN, supplying TCP/IP settings such as the IP address, subnet mask, default gateway, DNS servers and Windows Internet Naming (WIN) servers. By providing this service, hosts within the C-LAN do not require manual configuration of their TCP/IP settings. The DHCP configuration on the CAP is modified using the CAPgui.

SNMP agent software is installed on each CAP. Net-SNMP [72] was chosen as the SNMP agent for the CAPs because the installation comes pre-packaged with a number of MIBs for a wide variety of devices. Net-SNMP on the CAP provides a method to monitor system health: variables such as system uptime, secondary storage usage, RAM usage, CPU usage, load averages, running services and bytes in and out of the network interfaces. SNMP data is retrieved from the CAP by querying a number of MIBs related to the monitoring data required. For example, the MIB for system uptime is HOST-RESOURCES-MIB::hrSystemUptime.0 [115]. In another example, to discover how many bytes have passed through a particular network interface, we look at IF-MIB::ifInOctets for the number of bytes that have been received or IF-MIB::ifOutOctets for the number of bytes transmitted [25]. Appendix A identifies some useful OIDs that have been monitored via SNMP within this system.

The AC requests SNMP data from the CAP and creates status summaries and graphs. As the CAP is the default router for the C-LAN and all packets leaving or entering the network route through it, the SNMP agent collects data regarding the network traffic that passes through the C-LAN interfaces (from within the local C-LAN and the community wide C-WAN). However, the SNMP agent can only collect information about the host on which it is installed. An SNMP agent cannot provide details regarding which hosts are using the network and what they are using it for. For example, the SNMP agent may report that the external network interface of the host on which it is running is at 90% capacity, but it does not provide information regarding the origin of the traffic, be it the local host or another host on the local network. To provide finer-grained network utilisation data, NetFlow [20] is used.
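As an added example (not part of the thesis or of Net-SNMP), the following POSIX shell turns two polls of the IF-MIB::ifInOctets counter described above into a bits-per-second figure. The snmpget(1) output lines and the ifIndex of 3 are constructed assumptions; the point it illustrates is that ifInOctets and ifOutOctets are 32-bit counters, so a sample that is smaller than the previous one means the counter wrapped, not that the interface went quiet.

```shell
#!/bin/sh
# Constructed snmpget(1) output for two polls of IF-MIB::ifInOctets on the
# CAP's tunnel interface (ifIndex 3 is an assumption), taken 60 s apart.
POLL_1='IF-MIB::ifInOctets.3 = Counter32: 4294900000'
POLL_2='IF-MIB::ifInOctets.3 = Counter32: 700000'
INTERVAL=60

# Extract the numeric value from a Net-SNMP output line such as
# "IF-MIB::ifInOctets.3 = Counter32: 123456".
snmp_value() {
  printf '%s\n' "$1" | sed -n 's/.*: *\([0-9][0-9]*\)$/\1/p'
}

# Bits per second between two Counter32 samples taken $3 seconds apart.
# A Counter32 wraps at 2^32 (roughly every six minutes on a saturated
# 100 Mbit/s link), so a negative delta is corrected by one full wrap.
if_rate_bps() {
  prev=$1 cur=$2 secs=$3
  delta=$(( cur - prev ))
  [ "$delta" -lt 0 ] && delta=$(( delta + 4294967296 ))
  echo $(( delta * 8 / secs ))
}

# Against a live agent the samples would come from, e.g.:
#   snmpget -v2c -c <community> <cap-address> IF-MIB::ifInOctets.3
# Note that this figure only says how busy the interface is; it cannot say
# which C-LAN host generated the traffic, which is why NetFlow is added.
if [ "${1:-}" = "demo" ]; then
  p=$(snmp_value "$POLL_1"); c=$(snmp_value "$POLL_2")
  echo "tunnel inbound: $(if_rate_bps "$p" "$c" "$INTERVAL") bit/s"
fi
```

Run with `sh snmp-rate.sh demo` to see the wrapped-counter case computed.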

The CAP has Softflowd [92] installed, a software implementation of NetFlow, to monitor flows within the C-LAN. Softflowd is configured to listen on the PPPoE tunnel interface and to transmit the summarised flow data to the AC, which runs a NetFlow collector, via UDP flow exports on a specific port.

As the CAP is not required to have a screen or monitor attached, OpenSSH [120] is used to provide a shell environment via Secure Shell (SSH). However, SSH should only be used by administrators who are troubleshooting problems with the CAP, upgrading applications or installing new applications. For this reason the login process is secured using cryptographic keys rather than plain-text passwords. For typical use, the CAPgui is provided for configuration and for viewing monitoring data; it is discussed in the subsequent section.

The CAP is configured with the IPFW firewall. IPFW has been configured with an inclusive firewall ruleset, allowing only traffic that matches the rules and denying all other incoming and outgoing traffic by default. The C-LANs are only required to be able to access the WWW, via HTTP and HTTPS. HTTP traffic is automatically forwarded by IPFW to the Squid proxy server situated on the AC. DNS traffic is allowed on the internal interface (from the C-LAN) to the CAP, where the DNS requests are forwarded upstream.

ICMP and SSH are allowed in and out on any interface. Traffic destined to the CAP from the AC for the SNMP port is allowed. Softflowd transmits UDP packets on a specified port to the AC, and this is allowed. NAT is implemented using an IPFW divert rule, and all outgoing traffic has its IP address translated to that of the PPPoE tunnel interface.

The IPFW firewall rules prevent unencrypted traffic from being transmitted directly on the external network interface; packets are instead routed over the PPPoE tunnel carried by the external interface. However, SSH and ICMP are allowed over the external interface for troubleshooting purposes.
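The ruleset described in the last three paragraphs, written out as an added example in the style of FreeBSD's /etc/rc.firewall (this is not the thesis's own configuration). Interface names, addresses and the NetFlow export port are constructed assumptions; the rule ordering is what matters: NAT divert and the HTTP forward first, then the management paths, then an explicit deny of plain IP on the external interface, then the per-service allows, and a logged default deny last.

```shell
#!/bin/sh
# Inclusive IPFW ruleset for a CAP. All names and numbers below are assumptions.
int_if="em1"            # C-LAN (internal) interface
ext_if="em0"            # C-WAN (external) interface; should carry only PPPoE frames
tun_if="tun0"           # PPPoE tunnel to the Access Concentrator (AC)
lan="192.168.10.0/24"   # C-LAN range served by the CAP's DHCP server
ac_ip="10.0.0.1"        # AC address at the far end of the tunnel
flow_port=9995          # UDP port of the AC's NetFlow collector
fwcmd="${FWCMD:-ipfw -q}"   # FWCMD=echo prints the rules instead of loading them

cap_ruleset() {
  $fwcmd -f flush
  # NAT: divert everything crossing the tunnel to natd(8), so traffic leaves
  # with the tunnel interface's address
  $fwcmd add 100 divert natd ip from any to any via $tun_if
  # HTTP from the C-LAN is handed to the Squid proxy on the AC. This must come
  # before the 'established' rule or only the first packet of each connection
  # would be forwarded. ipfw fwd to a non-local next hop ignores any port, so
  # the AC has to intercept port 80 for Squid itself.
  $fwcmd add 150 fwd $ac_ip tcp from $lan to any 80 in via $int_if
  $fwcmd add 200 allow ip from any to any via lo0
  $fwcmd add 210 allow tcp from any to any established
  # Management: ICMP and SSH in and out on any interface (SSH is key-only)
  $fwcmd add 300 allow icmp from any to any
  $fwcmd add 310 allow tcp from any to me 22 setup
  $fwcmd add 311 allow tcp from me to any 22 setup
  # No other plain IP may use the external interface; the PPPoE tunnel's
  # layer-2 frames are not IP and are unaffected by this rule
  $fwcmd add 400 deny log ip from any to any via $ext_if
  # C-LAN hosts resolve names through BIND on the CAP, which forwards to the AC
  $fwcmd add 500 allow udp from $lan to me 53 in via $int_if
  $fwcmd add 501 allow udp from me 53 to $lan out via $int_if
  $fwcmd add 510 allow udp from me to $ac_ip 53 out via $tun_if
  $fwcmd add 511 allow udp from $ac_ip 53 to me in via $tun_if
  # HTTPS goes straight out over the tunnel
  $fwcmd add 610 allow tcp from $lan to any 443 setup
  # Monitoring: SNMP polls from the AC only; softflowd exports to the AC only
  $fwcmd add 700 allow udp from $ac_ip to me 161 in via $tun_if
  $fwcmd add 701 allow udp from me 161 to $ac_ip out via $tun_if
  $fwcmd add 710 allow udp from me to $ac_ip $flow_port out via $tun_if
  # DHCP from the C-LAN (clients have no address yet, hence 'any')
  $fwcmd add 800 allow udp from any 68 to any 67 in via $int_if
  $fwcmd add 801 allow udp from me 67 to any 68 out via $int_if
  # Default deny for anything not matched above, logged for troubleshooting
  $fwcmd add 65000 deny log ip from any to any
}

# Usage: sh cap-ipfw.sh apply  (load);  FWCMD=echo sh cap-ipfw.sh apply  (preview)
if [ "${1:-}" = "apply" ]; then cap_ruleset; fi
```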