ACTIVATING MININET-SEC

If you encounter the error message “No module called Mininet” during the installation process, even with Mininet already installed on your system, run the following commands to resolve the issue:

sudo -i
cd ~
git clone https://github.com/mininet/mininet.git
export PYTHONPATH=$PYTHONPATH:$HOME/mininet

Kytos-ng is the SDN controller that will be used along with mnsec to create and manage connections between network components, as well as perform other functions. It can be activated in different ways. Each of the processes described below must be executed in a separate terminal.

⚠️ Steps 1 and 3 are not necessary when using the topology defined in the firewall.py file. With a custom topology they are required: step 1 activates Kytos-ng so it can be used as a remote controller, and step 3 (NOS activation) establishes the connections between network components.

1. Activate Kytos;

source test_env/bin/activate
cd teste
cd kytos
sudo ./docker/scripts/add-etc-hosts.sh
export MONGO_USERNAME=mymongouser
export MONGO_PASSWORD=mymongopass
docker compose up -d
docker ps
kytosd -f --database mongodb

2. Start mnsec;

It is important to use root mode when running these commands. Mnsec can be used with predefined topologies, for example:

cd mininet-sec
cd examples
python3 firewall.py

In this topology, we have 3 internal hosts (h1, h2, h3), 1 external server (o1), 2 servers (srv1, srv2), 3 switches (s1, s2, nettap1), and a firewall (fw0).

This is the established network:

fw0 fw0-eth0:s1-eth4 fw0-eth1:s2-eth3 fw0-eth2:nettap1-eth1
h1 h1-eth0:s1-eth1
h2 h2-eth0:s1-eth2
h3 h3-eth0:s1-eth3
o1 o1-eth0:nettap1-eth2
srv1 srv1-eth0:s2-eth1
srv2 srv2-eth0:s2-eth2
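
The link list above can be checked mechanically before running any firewall tests. The following Python sketch is an added example, not code from mininet-sec or from this page: it parses the dump and confirms that fw0 is the only path between the internal hosts, the servers and o1. The function names are hypothetical.

```python
from collections import defaultdict, deque

# Link dump copied from the page (topology created by firewall.py).
NET_DUMP = """\
fw0 fw0-eth0:s1-eth4 fw0-eth1:s2-eth3 fw0-eth2:nettap1-eth1
h1 h1-eth0:s1-eth1
h2 h2-eth0:s1-eth2
h3 h3-eth0:s1-eth3
o1 o1-eth0:nettap1-eth2
srv1 srv1-eth0:s2-eth1
srv2 srv2-eth0:s2-eth2
"""

def parse_links(dump):
    """Build an undirected node graph from 'node local-if:remote-if ...' lines."""
    graph = defaultdict(set)
    for line in dump.splitlines():
        fields = line.split()
        for pair in fields[1:]:
            local_if, _, remote_if = pair.partition(":")
            if not remote_if:
                continue  # interface with no peer (for example a loopback entry)
            peer = remote_if.rsplit("-", 1)[0]  # "nettap1-eth1" -> "nettap1"
            graph[fields[0]].add(peer)
            graph[peer].add(fields[0])
    return graph

def reachable(graph, start, blocked=()):
    """Nodes reachable from start once the nodes in `blocked` are removed."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def is_chokepoint(graph, node, src, dst):
    """True if dst is reachable from src, but only by passing through `node`."""
    return dst in reachable(graph, src) and dst not in reachable(graph, src, {node})

if __name__ == "__main__":
    g = parse_links(NET_DUMP)
    for src, dst in [("h1", "o1"), ("h1", "srv1"), ("o1", "srv2"), ("h1", "h2")]:
        print(f"fw0 is the only path {src} -> {dst}:", is_chokepoint(g, "fw0", src, dst))
```

Traffic between h1, h2 and h3 stays on s1 and never crosses fw0, so firewall rules in this topology apply only to flows between the three segments.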

Nettap1 is a switch that connects the internal network components to the internet through the fw0-eth2 interface of the firewall. It also uses the nettap1-eth2 interface to connect to the o1 host. Additionally, there are interfaces that provide the connection of the firewall to the internet:

mnsec --topo linear,3 --apps h3:ssh:port=22,h3:http:port=80,h3:ldap,h3:smtp,h3:imap,h3:pop3 --controller=remote,ip=127.0.0.1

In this case, we are creating a linear topology with 3 hosts (h1, h2, h3), and h3 has some important ports defined as open for testing attacks.

3. Activate the NOS;

for sw in $(curl -s http://127.0.0.1:8181/api/kytos/topology/v3/switches | jq -r '.switches[].id'); do
  curl -H 'Content-type: application/json' -X POST http://127.0.0.1:8181/api/kytos/topology/v3/switches/$sw/enable
  curl -H 'Content-type: application/json' -X POST http://127.0.0.1:8181/api/kytos/topology/v3/interfaces/switch/$sw/enable
done

for l in $(curl -s http://127.0.0.1:8181/api/kytos/topology/v3/links | jq -r '.links[].id'); do
  curl -H 'Content-type: application/json' -X POST http://127.0.0.1:8181/api/kytos/topology/v3/links/$l/enable
done

curl -H 'Content-type: application/json' -X POST http://127.0.0.1:8181/api/kytos/mef_eline/v2/evc/ -d '{"name": "my evc1", "dynamic_backup_path":'