guilhermeleitao2002/Network-Security-Project

A31 MessagIST Project Read Me

Team

Number | Name | User | E-mail
99189 | Carolina Coelho | https://github.com/carolcoelho11 | carolina.coelho@tecnico.ulisboa.pt
99951 | Guilherme Leitão | https://github.com/guilhermeleitao2002 | guilhermeleitao0202@tecnico.ulisboa.pt
99335 | Tiago Silva | https://github.com/trvds | tiagovsilva@tecnico.ulisboa.pt

Contents

This repository contains documentation and source code for the Network and Computer Security (SIRS) project.

The REPORT document provides a detailed overview of the key technical decisions and various components of the implemented project. It offers insights into the rationale behind these choices, the project's architecture, and the impact of these decisions on the overall functionality and performance of the system.

This document presents installation and demonstration instructions.

Installation

To see the project in action, it is necessary to set up a virtual environment with 3 networks and 6 machines (3 of which are clients).

The following diagram shows the networks and machines:

Diagram

Prerequisites

All the virtual machines are based on: Linux 64-bit, Kali 2024.3

Download and install a virtual machine of Kali Linux 2024.3.

Log in to the machine (username: kali, password: kali), open a terminal and run the initialization script to install all the necessary packages.

./initial.sh

Note: you need to have the correct SSH keys to be able to access the repository, so follow these guides to generate them and add them to your GitHub account.

Now that you have all the common configurations set up, you can proceed to cloning the VM into the necessary machines:

  1. Close the VM and open the VirtualBox home screen;
  2. Right-click on the original VM and select Clone...;
  3. Name it "Client 1", select Generate new MAC addresses for all network adapters and click Next;
  4. Select Linked clone and click Finish;
  5. Repeat steps 2 through 4 for the following names: "Client 2", "Client 3", "Gateway", "Backend", "Database".

Now that you have all the machines cloned, you can add the required adapters to each machine:

  • Client 1:
    • Go to Settings -> Network (Expert) -> Adapter 1;
    • Make sure Enable Network Adapter is checked;
    • Select Attached to: Internal Network and Name: sw-clients;
    • Select Promiscuous Mode: Allow VMs;
    • Click OK.
  • Client 2: Repeat the same steps.
  • Client 3: Repeat the same steps.
  • Gateway:
    • Go to Settings -> Network (Expert) -> Adapter 1;
    • Make sure Enable Network Adapter is checked;
    • Select Attached to: Internal Network and Name: sw-clients;
    • Select Promiscuous Mode: Allow VMs;
    • Click OK;
    • Go to Adapter 2;
    • Make sure Enable Network Adapter is checked;
    • Select Attached to: Internal Network and Name: sw-backend;
    • Select Promiscuous Mode: Allow VMs;
    • Click OK;
    • Go to Adapter 3;
    • Make sure Enable Network Adapter is checked;
    • Select Attached to: Internal Network and Name: sw-db;
    • Select Promiscuous Mode: Allow VMs;
    • Click OK;
  • Backend:
    • Go to Settings -> Network (Expert) -> Adapter 1;
    • Make sure Enable Network Adapter is checked;
    • Select Attached to: Internal Network and Name: sw-backend;
    • Select Promiscuous Mode: Allow VMs;
    • Click OK.
  • Database:
    • Go to Settings -> Network (Expert) -> Adapter 1;
    • Make sure Enable Network Adapter is checked;
    • Select Attached to: Internal Network and Name: sw-db;
    • Select Promiscuous Mode: Allow VMs;
    • Click OK.
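
The cloning and adapter steps above can also be scripted with VirtualBox's `VBoxManage` CLI. The following is an added example, not part of the project's repository; the base VM name and snapshot name are assumptions (a linked clone needs a snapshot of the base VM), while the machine names and internal network names are the ones listed above. It prints the commands by default and only runs them when `APPLY=1` is set.

```shell
#!/bin/sh
# Assumptions (hypothetical names): the prepared Kali VM and a snapshot of it.
BASE_VM="${BASE_VM:-kali-base}"
BASE_SNAPSHOT="${BASE_SNAPSHOT:-after-initial-sh}"

# Internal networks per machine, one per adapter, in adapter order (from the README).
networks_for() {
    case "$1" in
        "Client 1"|"Client 2"|"Client 3") echo "sw-clients" ;;
        "Gateway")  echo "sw-clients sw-backend sw-db" ;;
        "Backend")  echo "sw-backend" ;;
        "Database") echo "sw-db" ;;
        *) return 1 ;;
    esac
}

# Print the VBoxManage commands that create and wire up one machine.
plan_vm() {
    vm="$1"
    nets="$(networks_for "$vm")" || { echo "unknown machine: $vm" >&2; return 1; }
    # Linked clone; clonevm generates new MAC addresses unless keepallmacs is requested.
    echo "VBoxManage clonevm \"$BASE_VM\" --snapshot \"$BASE_SNAPSHOT\" --options link --name \"$vm\" --register"
    n=1
    for net in $nets; do
        # Setting the attachment type enables the adapter; promiscuous mode is "Allow VMs".
        echo "VBoxManage modifyvm \"$vm\" --nic$n intnet --intnet$n $net --nicpromisc$n allow-vms"
        n=$((n + 1))
    done
}

# Print the plan for all six machines.
plan_all() {
    for m in "Client 1" "Client 2" "Client 3" "Gateway" "Backend" "Database"; do
        plan_vm "$m" || return 1
    done
}

# Dry run by default; APPLY=1 executes the plan and stops at the first failure.
if [ "${APPLY:-0}" = "1" ]; then
    plan_all | sh -e
else
    plan_all
fi
```

Reviewing the printed plan before applying it makes it easy to confirm that only the Gateway is attached to all three networks, which is what keeps clients, backend and database on separate segments.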

Machine configurations

For each machine, there is an initialization script with the machine name, with prefix init- and suffix .sh that installs all the necessary packages and makes all required configurations in the clean machine. There is also a firewall script that configures the firewall rules for each machine with the respective name, with prefix firewall- and suffix .sh.

To test if the configuration changes took place correctly, you can run the following command and check if the IP addresses correspond to the correct network interfaces:

sudo ifconfig

If you wish to test if the firewall is working correctly, try pinging all the machines from everywhere before running the firewall script. After running the firewall script, try pinging the machines again and see if the firewall is blocking the pings accordingly.
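
The before/after ping comparison described above can be recorded and diffed instead of checked by eye. This is an added example, not one of the project's scripts; the addresses in the usage comment are placeholders from the documentation range, not the project's real addresses, and the `PING` override is an assumption made so the logic can be exercised without a network.

```shell
#!/bin/sh
# Assumption: PING can be overridden (for example with a stub) for offline testing.
PING="${PING:-ping -c 1 -W 1}"

# snapshot HOST...: print "<host> up" or "<host> down" for every host given.
snapshot() {
    for h in "$@"; do
        if $PING "$h" >/dev/null 2>&1; then
            echo "$h up"
        else
            echo "$h down"
        fi
    done
}

# blocked_by_firewall BEFORE AFTER: hosts that answered before and no longer do.
blocked_by_firewall() {
    awk 'NR == FNR { before[$1] = $2; next }
         before[$1] == "up" && $2 == "down" { print $1 }' "$1" "$2"
}

# still_reachable AFTER: hosts that still answer; compare these with the intended policy.
still_reachable() {
    awk '$2 == "up" { print $1 }' "$1"
}

# Usage on one machine (placeholder addresses):
#   snapshot 192.0.2.10 192.0.2.20 > before.txt
#   sudo ./firewall/firewall-gateway.sh
#   snapshot 192.0.2.10 192.0.2.20 > after.txt
#   blocked_by_firewall before.txt after.txt
#   still_reachable after.txt
```

A ping only exercises ICMP, so a host listed as blocked here can still have TCP ports open; service ports need their own check.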

Next we have custom instructions for each machine.

Client 1

This machine runs the client application.

Log in to the machine, open a terminal and run the respective client configuration script.

sudo ./config/init-client1.sh

The machine will reboot to apply the changes.

Client 2

Repeat the same steps above but with the appropriate configuration script.

Client 3

Repeat the same steps above but with the appropriate configuration script.

Gateway

This machine runs the gateway.

Log in to the machine, open a terminal and run the gateway configuration script.

sudo ./config/init-gateway.sh

The machine will reboot to apply the changes. Next, run the firewall script:

sudo ./firewall/firewall-gateway.sh

Backend

This machine runs the backend logic.

Log in to the machine, open a terminal and run the backend configuration script.

sudo ./config/init-backend.sh

The machine will reboot to apply the changes. Next, run the firewall script:

sudo ./firewall/firewall-backend.sh

Database

This machine runs the database application (PostgreSQL v17.2).

Log in to the machine, open a terminal and run the database configuration script.

sudo ./config/init-database.sh

The machine will reboot to apply the changes. Next, run the firewall script:

sudo ./firewall/firewall-database.sh

Demonstration

Now that all the networks and machines are up and running, ...

Before running each client, you have to manually register the intended usernames in the configuration file of the client application. For security reasons, the only private key provided in the configuration file should be the one used by the respective client. Presently, the file already contains an example configuration for three clients (you ought to remove the private keys yourself).

It is worth mentioning that, on startup, the application creates a file (message_sequences.csv) that holds the sequence of messages sent by the respective client.

Running the Backend

To run the backend, open a terminal and run the following command:

cd backend/ && mvn spring-boot:run

Running the Client

To run the client, open a terminal and run the following command:

cd client/ && mvn spring-boot:run

Security Mechanisms

  1. Below is an example of the same message being sent with and without TLS from the perspective of a potential attacker sniffing the network:

    • Without TLS:
    • With TLS:
  2. Here is what happens when a client sends a message with the wrong sequence number:

  3. The following image shows what happens when the backend sends a response message to the client with the wrong nonce:

This concludes the demonstration.

Additional Information

Video Link

The video demonstration of the project's functionality can be found here.

Links to Used Tools and Libraries

License

This project is licensed under the MIT License - see the LICENSE.txt for details.

About

Java-based secure messaging platform implementing TLS, firewalls, and PostgreSQL database.
