internship 2014 final report - haag nicolas - english
HAAG Nicolas P2017 1
GRENOBLE INP Esisar 2014
Project’s title
Stand-alone Internet Node
Company’s address
Edinburgh Napier University
10 Colinton Road
EH10 5DT
United Kingdom
From the 23/06/14 to the 05/09/14
Student’s name
HAAG Nicolas
Dates
From the 23/06/14 to the 05/09/14 (11 weeks)
Company’s supervisor
Brian Davison
Esisar’s supervisor
Laura Joyce
TABLE OF CONTENTS
1. ACKNOWLEDGEMENTS .............................................................................................. 3
2. INTRODUCTION .............................................................................................................. 4
3. THE COMPANY IN A FEW WORDS ........................................................................... 5
3.1. Presentation ................................................................................................................. 5
3.2. Monographs of jobs linked to the company ....................................................... 5
3.2.1. Brian Davison, Lecturer and teaching fellow .................................................. 5
3.2.2. Don Harmill, Probationary lecturer .................................................................... 6
4. DEVELOPMENT .............................................................................................................. 7
4.1. Problems and mission .............................................................................................. 7
4.2. Carrying out ................................................................................................................. 9
4.3. Issues encountered ................................................................................................. 12
4.4. Results and improvement prospects .................................................................. 13
5. CONCLUSION ................................................................................................................ 14
6. BIBLIOGRAPHY ............................................................................................................ 15
1. ACKNOWLEDGEMENTS
Firstly, I want to warmly thank Mr Brian Davison, my supervisor in the company, for
welcoming me to Edinburgh Napier University, for helping me throughout the
internship, and for everything he provided to make it as beneficial as possible.
My second thought goes to Mr Pierre Lemaitre-Auger, without whom I would never
have taken advantage of Grenoble INP’s partnerships. He also introduced me to Mr
Davison in France before the beginning of my internship. I do not forget Grenoble
INP Esisar’s staff, especially Mrs Karine Philippe-Chassard and Florence Galli,
who greatly helped me before my departure, along with Napier University’s staff.
I am also grateful to the Rhône-Alpes region and the CROUS for their financial
support.
I also want to thank my supervisor at Esisar, Mrs Laura Joyce, who was always there
when I needed her, and I have a special thought for Mrs Alenka Soukup, who made the
journey to Edinburgh just to hear us speak during a presentation and whose
congratulations touched us deeply.
My last thought obviously goes to Mr Pierre Peyroche, my work partner and
flatmate, without whom these last eleven weeks would have been much gloomier.
2. INTRODUCTION
The Higher Institute of Engineering in Advanced Systems and Networks (Esisar)
offers a programme which, because it includes an integrated preparatory class, is
divided into two parts: two years of preparatory education followed by three years of
engineering education. This division is particularly marked by the 6-week
technician internship (or 11 weeks if abroad) required of students, which allows
them to discover the jobs of IT, electronics, automation or network technicians.
Beyond enabling them to apply what they have been taught in class, the work
placement also lets them experience a company’s environment and discover its rules
and working methods.
As far as I am concerned, I did my internship at Edinburgh Napier University,
Scotland, in the School of Computing. Its main task was to develop a network of
stand-alone Internet nodes providing a stable Internet connection in rural areas
such as those found in Scotland.
This report will begin with a brief description of the University along with two
monographs of jobs linked to it, and will then cover the development work in detail,
from the problem statement to the issues encountered.
3. THE COMPANY IN A FEW WORDS
3.1. Presentation
This internship was carried out at Edinburgh Napier University, a renowned
public university in the UK. It is named after the mathematician and physicist John
Napier, inventor of logarithms, who was born in Merchiston Castle, now the central
part of the campus in which I worked. The University opened its doors in 1964
under the name of Napier Technical College, obtained university status in 1992,
and now welcomes more than 17,000 students from across the world. It is
divided into three main campuses in the city: Merchiston (Engineering, Computing &
Creative Industries), Craiglockhart (Business School) and Sighthill (Life & Social
Sciences).
The university, among the most acclaimed in Scotland, has one of the largest
business schools along with the biggest IT department in the country, making it
Scotland’s most modern university according to The Guardian. Its reputation is
growing every year, the number of applicants having risen by 122% in two years1.
1 http://www.theguardian.com/education/2009/may/10/universityguide-edinburgh-napier-uni
I was lucky enough to do most of my work in the only Video Games Lab in the city,
which features 24 networked Xbox 360s and PCs and a large projection screen, as
well as robotics development facilities, enabling me to see other students work on
problem-solving related to video games.
3.2. Monographs of jobs linked to the company
3.2.1. Brian Davison, Lecturer and teaching fellow
Mr Davison has been a lecturer at Napier University since 2002 where, as a member of
the School of Computing, he teaches classes in three of the four subject groups. He
is also leader of the Learning, Teaching and Assessment Forum; he currently
supervises several student projects along with more personal ones, such as
supporting distance learners or developing student badges containing several key
pieces of information (Open Badges). He is also responsible for feeding assessment
data directly to the students.
He graduated from Edinburgh University in 1987 with an MA (Master of Arts) in
Linguistics with Artificial Intelligence. He then held several professional posts,
such as head of computer services at the Moray House Institute of Education, now
part of Edinburgh University, in the 1990s. He had an important role there, since he
had to bring the Internet into use and provide every student and staff member with
an email address. He then became a configuration and release manager at a
commercial company, where he automated the exchange between the development
servers and the test servers. He arrived at Napier as a lecturer in 2002 after a short
6-month job as an intranet manager in Sweden.
He has been pursuing a part-time PhD on the power performance analysis of wind
turbines since 2012, which he expects to finish in 2017.
3.2.2. Don Harmill, Probationary lecturer
Mr Harmill is a probationary lecturer in the School of Computing and is assisted
in his task by a supervisor from the University. He teaches small groups as well as
large lecture theatres. He makes sure the content, teaching methods and resources
meet preset goals, while developing his own methods under the supervision of his
tutor. He encourages debate and develops the critical and rational thinking of his
students. He is also expected to understand equal-opportunity issues and their
impact on the academic content offered to some students.
He often communicates in complex ways, orally, electronically or in writing; he
also takes part in funding and accreditation applications. He may be asked to
supervise student projects as well as internships.
He graduated from Edinburgh University in 2010 with a BSc, then went on to work as
a security and technology consultant on several international projects before joining
Napier University in 2013, where he graduated with an MSc in Advanced Security
while working as a full-time IT engineer in Switzerland. In September 2013 he signed
a “Zero Hour” contract with Napier to cover its flexible and temporary needs, such
as lecturer substitutions or short-term technical interventions in modules. He
hopes to obtain a full-time position as a cybersecurity lecturer in the years to come.
4. DEVELOPMENT
4.1. Problems and mission
In Scotland, as in many other parts of the world, there are remote rural areas with
poor communications infrastructure. A potential solution is a stand-alone Internet
node which does not require any hard-wired connections. The requirements for such
a device would be:
1. To use a local source of power such as solar
2. To be sufficiently rugged to withstand rough weather
3. To support ad-hoc wireless network connections
4. To provide a standard range of Internet services such as FTP and HTTP
connections
An ideal starting point in building this device would be the Raspberry Pi, which is
already a fully functioning Linux server and would satisfy requirement 4 with
appropriate system configuration. Requirements 1 to 3 would be more of a challenge.
There will be a small budget available for this project, but it will be important to
ensure that the design is carefully specified in advance so that wasted resources are
kept to a minimum.
There are many examples of similar projects that can be found through a simple
Internet search. These can be used as a starting point, but a critical approach should
be taken. This will help to avoid the limitations of existing configurations.
The schedule we agreed on with Mr Davison was:
Week 1-2: Familiarisation with the Raspberry Pi and background research.
  Deliverables: configured operating system; 20-min presentation to demonstrate basic WiFi connections; technology review.
Week 3-4: Design of ad-hoc networking configuration.
  Deliverables: review of technical options and selected approach.
Week 5-6: Implementation of design.
  Deliverables: Prototype 1; 20-min presentation to demonstrate ad-hoc network operation.
Week 7-8: Experiments to test the reliability of the approach and the limitations of current hardware.
  Deliverables: experimental design, results and conclusions.
Week 9-10: Review of the design and re-implementation.
  Deliverables: Prototype 2; 20-min presentation to demonstrate improved operation.
Week 11: Further testing; completion of project.
  Deliverables: project report (combining earlier sections); final presentation on the complete project.
4.2. Carrying out
As expected, the first couple of weeks of the project were dedicated to
familiarising ourselves with the Raspberry Pis. The first thing to be done was to
connect the systems to a WiFi network. To do so, the /etc/network/interfaces file
needs to be edited in order to assign a static IP address, a netmask, the broadcast
address, the network address and the gateway address. Then the
/etc/wpa_supplicant/wpa_supplicant.conf file needs to be edited to define the
network’s SSID, the protocol (WPA most of the time, RSN in some companies and
universities), the pairwise cipher (CCMP or TKIP), the key management protocol
(WPA-PSK most of the time), the authentication algorithm (OPEN for WPA/WPA2), and
the network’s password2.
However, connecting to the University’s network (eduroam) is messier. The
configuration file needs a few more pieces of information, such as a different
protocol (RSN), a different key management protocol (WPA-EAP), the EAP method
(PEAP), the user’s identity and password, the University’s CA certificate file, and
the Phase2 parameters (MSCHAPv2 for the PEAP method). Finally, to obtain an Internet
connection, the wpa_supplicant command needs to be run with the WiFi dongle’s
driver (either nl80211 or rtl8192), the interface in use (wlan0 in the case of a
wireless connection), and the path to the configuration file.
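As an added example (not the report's own configuration, nor the University's), the shell functions below emit the two kinds of wpa_supplicant network blocks just described and refuse to install an EAP block that names no CA certificate, since without ca_cert the supplicant would run the PEAP/MSCHAPv2 exchange with any access point that advertises the SSID. The SSIDs, identity, password and certificate path are constructed placeholders, and the destination path passed to write_conf is an assumption.

```shell
#!/bin/sh
# Added example (not the report's own configuration): generate the two kinds of
# wpa_supplicant network blocks described above and refuse an EAP block that
# has no CA certificate. SSIDs, credentials and paths are constructed placeholders.

# WPA/WPA2-PSK network block (home or office style).
psk_block() {
    ssid="$1"; psk="$2"
    cat <<EOF
network={
    ssid="$ssid"
    proto=WPA RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    auth_alg=OPEN
    psk="$psk"
}
EOF
}

# eduroam-style WPA2-Enterprise block: PEAP outer method, MSCHAPv2 inside.
eap_block() {
    ssid="$1"; identity="$2"; password="$3"; ca_cert="$4"
    cat <<EOF
network={
    ssid="$ssid"
    proto=RSN
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="$identity"
    password="$password"
    ca_cert="$ca_cert"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Return 0 if every WPA-EAP block in the file names a non-empty ca_cert, else 1.
# Without ca_cert the supplicant would authenticate to any access point that
# advertises the SSID, handing the institution's credentials to it.
check_eap_ca() {
    awk '
        /^network=/                   { in_block = 1; eap = 0; ca = 0; next }
        in_block && /key_mgmt=WPA-EAP/ { eap = 1 }
        in_block && /ca_cert="[^"]+"/  { ca = 1 }
        /^}/                          { if (in_block && eap && !ca) bad++; in_block = 0 }
        END                           { if (bad > 0) exit 1; exit 0 }
    ' "$1"
}

# Assemble the file from blocks on stdin, owner-readable only, because it holds
# a PSK or an eduroam password in clear text; then run the EAP check on it.
write_conf() {
    dest="$1"
    (
        umask 077
        {
            printf 'ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\n'
            printf 'update_config=1\n'
            cat
        } > "$dest"
    )
    check_eap_ca "$dest"
}
```

A typical use is `{ psk_block HomeNet 'passphrase'; eap_block eduroam user@example.ac.uk 'secret' /etc/ssl/certs/uni-ca.pem; } | write_conf /etc/wpa_supplicant/wpa_supplicant.conf`, followed by the command the report describes, `wpa_supplicant -B -D nl80211 -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant.conf`. Because write_conf returns the check's status, a missing certificate path fails the whole step instead of silently producing a working but unsafe configuration.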
The next important step is to turn the Pi into a wireless access point. For that
purpose a DHCP server was installed, and its netmask, network address, range of
addresses used, broadcast address, router address, default and maximum lease
time, default domain name and available DNS servers were specified.
To configure the access point, the program hostapd was installed. Again, the
interface, driver, SSID, operation mode (g for the 802.11n norm), channel, station
MAC address policy (0 to accept everything not in the deny list), authentication
algorithm (OPEN), whether or not the SSID should be broadcast, whether or not WPA
should be enabled, the network’s password, the key management protocol, and the
WPA and RSN pairwise ciphers were defined3.
2 http://www.lsi.upc.edu/lclsi/Manuales/wireless/files/wpa_supplicant.conf
Then, using the iptables firewall, which is already included in the operating
system, we chose to forward an Internet connection from one interface to another
(for instance, from an Ethernet port to a WiFi dongle, or from one WiFi dongle to
another), while automating everything at boot.
Once the Pi is connected to the same network as the computers on which we work, an
external monitor, mouse and keyboard are no longer needed to configure the system.
We can instead use the SSH (Secure SHell) protocol to open remote terminals from
our own workstation (either with the PuTTY software on Windows or with the ssh
command on a Unix-based operating system).
Now we need to consider that the system is to be used by ordinary users, who cannot
be expected to SSH into a Raspberry Pi or use a Linux distribution. The easiest way
we found for a user to manage the network is to install a local dedicated web server,
using HTML and PHP. Such a server is reached by simply typing the IP address of the
first node of the network (192.168.1.1 in general) into a web browser after
connecting to the correct network.
After installing an Apache2 server, we coded an index.php page which displays
several buttons such as “Stop”, “Reboot” or “Connect to the Internet”, covering all
the actions the users may want to perform. Each of these buttons launches another
PHP page which executes a small dedicated shell script (for instance, the stop.sh
script asks the system to disconnect from the network, stop the DHCP server, and
then shut down).
After this we password-protected the server using the htpasswd command, which
stores the passwords as MD5 hashes rather than in plain text, so that an attacker
who reads the file cannot see them in clear.
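The PHP buttons end up executing shell scripts, some of which (as section 4.3 notes) need super-user permission, so the boundary between the web page and the shell is the point to harden. As an added example, not the report's code, the dispatcher below is the single program the PHP pages would call (for instance `exec('sudo /usr/local/bin/node-action stop')`): it maps a fixed set of action names to fixed scripts and rejects anything else before it can reach a shell, and it creates the htpasswd entry with bcrypt instead of the MD5 default. The action directory, action names, file paths and the `node-action` name are assumptions; with DRY_RUN=1 (the default) commands are printed instead of run.

```shell
#!/bin/sh
# Added example, not the report's code: a single dispatcher that the PHP pages
# call, rather than letting the web layer name a script directly. Paths and
# action names are assumptions. DRY_RUN=1 (default) prints instead of executing.
DRY_RUN="${DRY_RUN:-1}"
ACTION_DIR="${ACTION_DIR:-/usr/local/lib/node-actions}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Map a request to a fixed script; anything not in the list is rejected, so
# characters such as ';', '/', or '..' in the request never matter.
run_action() {
    case "$1" in
        stop|reboot|connect) run "$ACTION_DIR/$1.sh" ;;
        *) echo "rejected action: $1" >&2; return 1 ;;
    esac
}

# Create or update the web user's entry with bcrypt instead of the default
# MD5 (apr1) hash: -B selects bcrypt, -C the cost factor. htpasswd prompts
# for the password itself. (htpasswd ships in apache2-utils on Debian.)
set_web_password() {
    user="$1"; passfile="${2:-/etc/apache2/.htpasswd}"
    case "$user" in
        ""|*[!A-Za-z0-9_-]*) echo "invalid user name: $user" >&2; return 1 ;;
    esac
    run htpasswd -B -C 12 "$passfile" "$user"
}
```

Two points go with this. The web server account needs root only for the dispatcher, which a sudoers line such as `www-data ALL=(root) NOPASSWD: /usr/local/bin/node-action` (constructed) expresses; granting it a general shell would undo the allow-list. And the hash only protects the password file at rest: HTTP Basic authentication sends the password with every request, so over plain HTTP it is still visible on the wireless link, and the login page should sit behind TLS if the nodes ever serve anyone but trusted LAN users.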
Another significant point is the security of the devices. As the network provides an
Internet connection, anyone who can break a WPA key could use a network of
interconnected nodes for malicious purposes (for instance creating a botnet and
broadcasting spam, viruses and distributed denial of service attacks (DDoS)).
3 http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=hostapd/hostapd.conf
This is why we opted for a “cascade” security model. The principle is to configure
the first Pi of the network, and then make it send the configuration file to the
closest non-configured device. The ideal way to do this is to write a shell script
whose steps are:
a- Receiving the information (except on the first Pi)
b- Processing it
c- Identifying the environment
d- Finding the closest non-configured system
e- Sending the information
In detail, the script looks for the available devices around it (using the
nmap command), writes each IP address to a separate file, then pings every one of
them 5 times. The average response time is extracted from every request, and the
smallest indicates the closest Pi. Then it looks up the last modification date
(timestamp) of the security configuration file and compares it to its own: if they
differ, the node is not configured; if they are identical, the node is up to date
and we need to move on to the second closest one.
The exchange of information goes through the FTP protocol. To use it, it is necessary
to install an FTP client (ftp) as well as an FTP server (we used vsftpd). The server
needs to be set up so that anonymous connections are denied, but local users are
allowed to read and write in a specified directory. Using the client is then much
like using any Linux terminal, and it becomes easy to download and/or upload files.
Once the target node has downloaded the configuration file, it processes the
information in it, changes its parameters accordingly, and then continues the
“cascade” by looking for the closest non-configured Pi. If every device within
range is configured, it simply stops searching.
Furthermore, since it can be useful to update the software, firmware or security
settings of the system, we wrote a script which always idles in the background,
checking whether a node is trying to send new information.
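The selection part of the cascade (rank the neighbours by average ping time, skip those whose copy of the configuration already matches ours, stop when nobody is left) is shown below as an added example; it is not the report's script. The nmap scan and the five pings are replaced by a constructed table of ping summary lines so the logic runs offline; a live version would build that table from `nmap -sn` and `ping -c 5`. One departure, labelled in the code, is my own: where the report compares modification timestamps, the version token compared here is a SHA-256 digest of the file. The configuration path is an assumption.

```shell
#!/bin/sh
# Added example, not the report's script: the node-selection part of the
# "cascade" (rank neighbours by average ping time, skip those whose copy of the
# configuration already matches ours). The nmap scan and the five pings are
# replaced by a constructed table of ping summary lines so the logic runs
# offline; a live version would build that table from `nmap -sn` and `ping -c 5`.
# The file path is an assumption.
CONF="${CONF:-/etc/node/security.conf}"

# Constructed sample: one "<ip> <ping summary line>" per neighbour.
sample_pings() {
    cat <<'EOF'
192.168.1.12 rtt min/avg/max/mdev = 1.902/2.417/3.105/0.410 ms
192.168.1.7 rtt min/avg/max/mdev = 0.611/0.843/1.220/0.205 ms
192.168.1.30 rtt min/avg/max/mdev = 4.002/5.318/7.944/1.311 ms
EOF
}

# Average RTT = second number of the min/avg/max/mdev summary.
avg_rtt() {
    printf '%s\n' "$1" | sed -n 's/.*= *\([0-9.]*\)\/\([0-9.]*\)\/.*/\2/p'
}

# Read "<ip> <summary>" lines on stdin; print the IPs closest first. Returning
# the whole ranking (not just the minimum) lets the caller fall through to the
# second closest node when the closest one is already configured.
rank_by_rtt() {
    while read -r ip rest; do
        printf '%s %s\n' "$(avg_rtt "$rest")" "$ip"
    done | sort -n | awk '{ print $2 }'
}

# Version token of a configuration file. The report compares modification
# timestamps (stat -c %Y); a content digest is used here instead (my choice,
# not the report's), so a re-sent but unchanged file is not mistaken for a new
# one and a changed file with a matching timestamp is not missed.
conf_token() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# A node needs the configuration when its token differs from ours. A node with
# no token at all (unreachable, or file absent) is treated as unconfigured.
needs_config() { [ "$1" != "$2" ]; }

# Walk the ranking and print the first node that needs configuring; print
# nothing if every neighbour is up to date (the cascade then stops).
# $1 = our token, $2 = file of "<ip> <token>" lines collected from the peers.
pick_target() {
    mine="$1"; tokens="$2"
    rank_by_rtt | while read -r ip; do
        theirs=$(awk -v ip="$ip" '$1 == ip { print $2 }' "$tokens")
        if needs_config "$mine" "$theirs"; then
            printf '%s\n' "$ip"
            break
        fi
    done
}
```

In a live run the token of each peer is collected first, then `sample_pings` is replaced by the real scan and `pick_target "$(conf_token "$CONF")" peers.txt` names the node to send to; the transfer itself is whichever mechanism the nodes use (FTP in the report). One caveat for that step: FTP carries both the login and the file in clear over the wireless link, so since port 22 is already open between nodes, scp over the existing SSH service would give the same transfer with authentication and confidentiality.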
A new layer of security was added through the use of a firewall. Indeed, the
Raspberry Pi, like any other computer, must be protected from intrusions.
We used ufw (Uncomplicated FireWall), which is much easier than iptables. Since we
want maximum security without preventing our own activities, we chose to deny
every connection, incoming or outgoing, except those coming from our local
network, and only on a specific list of ports (22 for SSH, 20 and 21 for FTP, 80
for HTTP…).
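The interface-to-interface forwarding of section 4.2 and the deny-by-default ufw policy above are written out below as one added example; it is not the report's own script. Interface names, the LAN range and the port list are assumptions. With DRY_RUN=1 (the default) each command is printed instead of executed, so it can be read and checked without root; DRY_RUN=0 as root applies it. Two things the blanket "LAN only" rule would silently break are added explicitly: client DHCP requests, which arrive from 0.0.0.0 and so never match the LAN range, and the node's own outgoing traffic on the upstream interface.

```shell
#!/bin/sh
# Added example, not the report's own scripts: the interface-to-interface
# forwarding (iptables) and the deny-by-default host firewall (ufw) described
# in the report. Interface names, LAN range and port list are assumptions.
# DRY_RUN=1 (default) prints every command; DRY_RUN=0 as root applies it.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-wlan0}"            # interface holding the upstream connection
LAN_IF="${LAN_IF:-wlan1}"            # interface hostapd serves clients on
LAN_NET="${LAN_NET:-192.168.1.0/24}" # range handed out by the DHCP server
LAN_PORTS="22/tcp 20/tcp 21/tcp 80/tcp"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Forward client traffic out through WAN_IF behind NAT. Only traffic that
# originates from LAN_NET on LAN_IF goes out, and only replies to it come back;
# anything else reaching the FORWARD chain is dropped by the chain policy.
forward_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -P FORWARD DROP
}

# Host firewall for the node itself: deny all, then open the service ports to
# the local network only. DHCP requests come from 0.0.0.0, so they need their
# own rule, and the node's own upstream traffic must be let out explicitly.
ufw_rules() {
    run ufw default deny incoming
    run ufw default deny outgoing
    run ufw allow out on "$WAN_IF"
    run ufw allow out to "$LAN_NET"
    run ufw allow in on "$LAN_IF" to any port 67 proto udp
    for p in $LAN_PORTS; do
        port="${p%/*}"; proto="${p#*/}"
        run ufw allow from "$LAN_NET" to any port "$port" proto "$proto"
    done
    run ufw --force enable
}
```

Apply the ufw policy first and the iptables forwarding rules after it, since both program the same netfilter tables, and confirm the resulting FORWARD chain with `iptables -S FORWARD` before trusting it. Active-mode FTP on ports 20 and 21 is the one service here that does not fit a simple port allow-list well; if the FTP transfer stays, the vsftpd passive port range needs opening too, which is another argument for the SSH-based transfer discussed with the cascade script.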
Finally, two more features were added at the end, improving the experience with the
Pis: the first is the installation of a program named Fail2ban, which temporarily or
permanently bans a user who has failed several times in a row to type the correct
password; the second is the installation of the watchdog program, which can notice
when the Pi is frozen and reboot it if necessary.
4.3. Issues encountered
Among the main obstacles encountered was the fact that connecting to the
University’s network, eduroam, made some things more difficult, since it is much
more protected than an ordinary network and blocks part of the traffic even when
useful (port 22 especially). This slowed us down significantly during the first
weeks.
Another difficulty arose when trying to forward an Internet connection from one WiFi
dongle to another, mostly because the two dongles weren’t necessarily of the same
brand and thus didn’t necessarily use the same driver. This issue was fixed by
installing the two most frequent drivers (nl80211 and rtl8192) on every device.
We spent most of our time writing the main shell script, because it wasn’t always
easy to use some of the features above, especially the FTP protocol, or some
commands requiring super-user permissions. These problems were fixed by using
some special options when typing the commands or by modifying the users’
permissions.
4.4. Results and improvement prospects
In the end, the specification was fulfilled. The systems work, automatically
connect themselves to the Internet, forward the connection, provide the most
elementary Internet services (FTP, HTTP, SSH), have a simple user interface, and
possess a minimum of security.
However, the project is not quite perfect and could use some improvements, which
we couldn’t carry out for lack of time.
The first one we thought of is that if the nodes are arranged as a chain or a circle,
everything should go according to plan, but if the shape of the “map” is more
complex, some systems risk being left out, since each of them only looks for the
closest one without considering the overall arrangement. To prevent this we could
have used the experimental protocol AODV (Ad-Hoc On-Demand Vector routing)4, which
was created for such a purpose, but the lack of reliable sources about it led us to
set it aside.
Last but not least, even though it is theoretically possible to forward an Internet
connection using only one wireless interface, we didn’t find a way to do it properly.
This would have been our number one priority if we had had more time, because it
would have simplified the design of the Pis and reduced the price of each node,
only one dongle being necessary instead of two.
4 https://tools.ietf.org/html/rfc3561
5. CONCLUSION
Firstly, from a human perspective, this adventure delighted me to the utmost. It
gave me the opportunity to discover a new country, a new culture, and a new
methodology. I knew I was going to have a great time in Scotland, but I was far from
knowing to what extent. I also forged links with some students and members of
staff, especially Mr Davison, who not only shared his knowledge but also shared his
passion. I am now going to do everything in my power to be able to spend a
semester abroad in the years to come.
From an academic perspective, this project was rewarding because it obviously
taught me some new things regarding networks and Unix, but much more than that,
it taught me that after a preparatory course I was truly capable of carrying out
technical and complex projects, in spite of my mostly theoretical training.
Lastly, from a professional perspective, this internship strengthened my desire to
make information technology my future, and being exposed to new problems and
challenges showed me what being an engineer really means.
6. BIBLIOGRAPHY
Internet:
International community of Raspberry Pi users:
http://www.raspberrypi.org/
Ubuntu operating system manuals:
http://manpages.ubuntu.com/
Apache official website:
http://httpd.apache.org/
International community of IT lovers:
http://www.instructables.com/
Official website of the Internet Engineering Task Force (IETF):
https://www.ietf.org/
Various specialised blogs:
http://qcktech.blogspot.co.uk/
http://rbnrpi.wordpress.com/
http://www.bartbania.com/
http://virtualitblog.blogspot.co.uk/
http://www.ducky-pond.com/
http://pibeginners.com/
http://spin.atomicobject.com/
http://www.stratigery.com/