
COMP3122 Network Management

Jan 07, 2016


COMP3122 Network Management. Richard Henson, March 2012. Week 8: Internet Access, Web Services, and Remote Access. Objectives: configure a specified web server to support www & ftp sites; run a world wide web site that includes server scripting. (PowerPoint PPT presentation)
Transcript
Page 1: COMP3122  Network Management

COMP3122

Network Management

Richard Henson

March 2012

Page 2: COMP3122  Network Management

Week 8: Internet Access, Web Services, and Remote Access

Objectives:

– Configure a specified web server to support www & ftp sites

– Run a world wide web site that includes server scripting

– Configure a server to accept services by remote access

– Apache runs on Unix/Linux

Page 3: COMP3122  Network Management

“Web Service” access

The following diagram illustrates the relationship between web client and web server processes:

client requests information…

server processes the request and sends a response back to the client…

[Diagram: CLIENT (Client Program: Send Request, Read Results) → REQUEST → SERVER (Server Program: Process Request, Send Back Results) → RESPONSE → CLIENT]

Page 4: COMP3122  Network Management

Internal & External Access to Web Services

Both use, by default, http (TCP port 80)

Both use a specified area on the server for webpages

http:// always needs to be used

– Internal host service (Intranet) can be accessed via resource name or IP address

– External host needs a domain name

Page 5: COMP3122  Network Management

Access to Web Services across a local network

Each web service has a unique name
– e.g. “mywebsite”, “myftpsite”

For Internal network access…
– www services accessed at the client end using an Internet Browser
– local name maps by default to root www service folder e.g. wwwroot

Page 6: COMP3122  Network Management

Access Control and Internal Web Services (Intranet)

Access controlled by:
– EITHER username/password protection of pages beyond the home page
– OR user login name authentication with active directory (or equivalent) for access to the service

Page 7: COMP3122  Network Management

Accessing through the world wide web

Full URL needed to gain access
– i.e. local www name.domain name

Access to service controlled through a requirement to login
– by default, all users automatically logged on to an “anonymous” account (Internet Guest)

Page 8: COMP3122  Network Management

Web-based Client-Server Model

Optional logon at the server end…

Most web pages accessed directly through “anonymous” guest logon: no password

Page 9: COMP3122  Network Management

IIS (Internet Information Server)

IIS has been logically coupled with Windows Servers since 1996…
– Visual BASIC runtime environment known as ASP
– originally enabled VB code to create .asp files to perform tasks and interact directly with the client browser
» included a number of COM+ objects

Page 10: COMP3122  Network Management

IIS and Security

By 2000…
– IIS generally acknowledged to be one of the major security weaknesses of Microsoft platforms interfacing with the web
» VB source code easily hacked or reengineered
» most viruses came in via IIS & VB code

Page 11: COMP3122  Network Management

The .net framework and web services

Major IIS change in 2001 -> .net framework
– server scripts no longer contained source code (except HTML)
– Windows 2003 has .net built-in (IIS v6)
– .net framework required to run server scripts and access databases

Page 12: COMP3122  Network Management

.net framework and Active Directory

.net took a while to perfect… (!)
– not the case with .net v1.1
» and not with the first release of 2003 Server…
– early object framework did not interface well with active directory

Windows 2003 WAS a success…
– But NOT because of .net framework!

Page 13: COMP3122  Network Management

.net framework v2.0 and Active Directory

.net v2 released some time after 2003 server
– included “Active Directory namespace”
» System.DirectoryServices
– allowed more effective linking of active directory objects with .net objects, e.g.:
» http://www.vsj.co.uk/dotnet/display.asp?id=409
– helped .net to become a popular platform

Page 14: COMP3122  Network Management

Management of Groups of Web Pages

IIS performs various “server end” tasks:
– controlled access to the contents of web sites
– home or “root” directory path
– name definition(s) for “home page” e.g. index.html, index.aspx
– the right scripting “engine” for files containing executable code
» need to be compiled, interpreted, or (if run-time e.g. ActiveX) just executed

Page 15: COMP3122  Network Management

Home Page Service for websites

Agreed home page convention by ISPs:
– home page is index.htm, index.html
– this page is downloaded when the domain name is entered in the browser window

Microsoft home page convention:
– default.htm/html
– default.aspx

Latter can (should?) be changed to conform to general convention

Page 16: COMP3122  Network Management

Setting up an IIS FTP service

FTP protocol is ancient (RFC 238, 1972)
– still popular & works well for uploading/downloading

IIS allows configuration of an FTP server for:
– Internal ftp access:
» local ftp service name
– External ftp access:
» local name.domain name

FTP server can be accessed:
– directly through the browser
– using an ftp client

Page 17: COMP3122  Network Management

Accessing an IIS SMTP service

SMTP protocol (or Internet Mail forwarding) developed from FTP (RFC 821, 1978)

Web-based or Internal SMTP service set up in the same way as FTP
– same access rights/limitations, etc.

Further software (Exchange Server) needed to provide a full mail service

Page 18: COMP3122  Network Management

Setting up an Exchange Mail Server Service

Exchange is complex software
– Mail servers have large resource requirements

Uses X.500 data storage standard
– store for details of mailbox users
– can interface with details of Active Directory users!

Further stores:
– incoming messages that need distributing to mailboxes
– mailboxes & their messages
– database of existing mailbox names

Page 19: COMP3122  Network Management

A POP3 service

SMTP sends messages between Internet servers

Cannot be used to download mail from mailboxes to clients
– need to use the POP3 protocol

POP3 Server principles:
– user logs on to server
– if user is authorised:
» any messages in that user’s mailbox are located
» all messages downloaded to local folder by POP3 client software

Page 20: COMP3122  Network Management

Administering the Web Service

Software GUI tools for IIS administration
– MMC
– management snap-in

Command line tools for IIS administration
– direct access via browser

Access to these tools needs to be restricted…

Service should allow a number of different web sites to be set up in different folders

Excellent website (for W2003, IIS v6)
– http://www.windowsnetworking.com/articles_tutorials/Web-Sites-Windows-2003.html

Page 21: COMP3122  Network Management

Administering the WWW Service

IP address of the web server is normally that of the host machine
– there needs to be provision for
» manual settings
» several addresses e.g. multiple websites running through separate folders

Typical set up & management tasks required for each website:
– website name, port, home directory, default filename pecking order
– optional username/password & access permissions
– “virtual directories”
– security permissions for use with server certificates and the public key infrastructure (PKI)

Page 22: COMP3122  Network Management

Web Services and The Cloud

Companies like Amazon, Google (apps), and salesforce.com have created web services (XML/http) and made them available to a wider public for storing their data
– this approach benefits most those companies that are experiencing relatively quick growth
– instead of getting new storage resources every year, organisations can quickly and easily purchase more "cloud space"

Page 23: COMP3122  Network Management

Cloud Services, the future, and Security

Cloud computing can offer applications as-a-service as well…
– a future is predicted where everything is outsourced and no kind of local CPU is even needed
– employees will simply have a monitor, keyboard, and mouse that will allow them to connect to the cloud for all of their resources (!)
– but will this be secure? And what comeback will organisations have if something goes wrong?

Page 24: COMP3122  Network Management

Open Access v Logon to Web Server?

Allowing network or external users to access part of the server has its risks!

One strategy: use “anonymous login”
– anyone can log on and gain access to the service
– but they only get “guest-equivalent” (i.e. minimum) access rights
» can be frustrating…

Page 25: COMP3122  Network Management

Open Access v Logon to Web Server?

Alternative: request username/password access
– access rights then depend on user privilege
– no longer “open access”
– but good for auditing and control

Page 26: COMP3122  Network Management

Open Access v Logon to Web Server?

Servers in general:
– potentially open to attack by both internal and external network users (security vital)

Standard web server practice:
– no file access possible other than at and below the designated root
– main issue for the system regarding user requests for web access:
» whether or not to allow access at all
» whether to allow read only or read-write access
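The two checks this slide lists (the request stays at or below the designated root; allow at all, and read-only versus read-write) as an added Python example, not code from the lecture. The root folder name, the HTTP methods and the policy that anonymous users are read-only are assumptions for the example.

```python
# Added example (not from the lecture slides): a lexical check that a requested
# web path stays at or below the designated root, plus the two access decisions
# the slide lists: allow at all, and read-only versus read-write.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"  # assumed root folder, after the slides' "wwwroot"


def resolve_under_root(root, request_path):
    """Map a URL path onto a server path, or return None if it would escape root.

    Purely lexical (no filesystem access): percent-decode once, join to the root,
    normalise away "." and ".." segments, then require the result to be the root
    itself or something below it. Anything that climbs out of the root is refused
    rather than silently re-mapped.
    """
    decoded = unquote(request_path)
    # NUL bytes and backslashes are refused outright; some servers treat "\" as
    # a separator, and a NUL can truncate the path in lower layers.
    if "\x00" in decoded or "\\" in decoded:
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def decide_access(request_path, method, authenticated):
    """Return (allowed, mode, server_path) for one request.

    Assumed policy for the example: anyone (the "anonymous" guest logon) may
    read; only an authenticated user may write; a path outside the root is
    never served at all, whoever asks.
    """
    server_path = resolve_under_root(WEB_ROOT, request_path)
    if server_path is None:
        return (False, None, None)
    if method in ("GET", "HEAD"):
        return (True, "read-only", server_path)
    if method in ("PUT", "DELETE") and authenticated:
        return (True, "read-write", server_path)
    return (False, None, server_path)


if __name__ == "__main__":
    # Constructed sample requests, including a couple that try to climb out.
    samples = [
        ("/index.html", "GET", False),
        ("/docs/../default.htm", "GET", False),
        ("/../../etc/passwd", "GET", True),
        ("/%2e%2e/%2e%2e/etc/passwd", "GET", True),
        ("/upload/notes.txt", "PUT", False),
        ("/upload/notes.txt", "PUT", True),
    ]
    for path, method, auth in samples:
        print(method, path, "auth=%s" % auth, "->", decide_access(path, method, auth))
```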

Page 27: COMP3122  Network Management

Offering a Proxy Service

A Proxy Server runs on a server being used as a Firewall

Acts as an intermediate party between the Internet and local network services:
– intercepts user requests for services such as FTP
– decides whether or not to forward them to the true server

The effect is that the internal and external computers talk to the proxy service rather than directly to each other

Page 28: COMP3122  Network Management

The Proxy Service approach

[Diagram: Internal Network → Request to proxy server → Firewall with Proxy service → Real server]

Page 29: COMP3122  Network Management

Proxy Service - continued

User on either side of the firewall…
– illusion that they are talking to a real server
– in fact they are dealing with a proxy

IF outside user tries to “hack” into the network server, internal network architecture is hidden

A proxy server can be programmed to block certain requests, sites, actions e.g:
– blocking certain WWW sites
– preventing FTP downloads

Page 30: COMP3122  Network Management

Proxy Service

Provides network client machine with controlled access to the Internet

Clients can only gain access to the Internet via the Proxy Service

Enables the network administrator to control:
– which TCP ports, and therefore which protocols can be used
– which (if any) external IP addresses can be accessed/filtered

Page 31: COMP3122  Network Management

Proxy Service

Can also provide a storage facility for web pages (web cache)

Means that clients don’t need to keep going out onto the Internet to access the same page
– web cache speeds up access to regularly accessed web pages
– less actual www traffic, so more bandwidth available to those accessing pages that haven’t been previously downloaded

Page 32: COMP3122  Network Management

Streaming Media Service

Serves streaming sound/video/animation files to multiple users simultaneously
– across the network
– across the Internet
» if connection has sufficient bandwidth

Also provides the conversion software codecs to produce and run the streaming media files

Page 33: COMP3122  Network Management

How Does Streaming Technology Work?

A streaming sound file is no longer in a .wav or .mid format

Using special software, any sound file can be:
– converted/compressed into a streaming format
– accessed remotely using e.g. rtsp://server/path/filename

A suitable Audio player is then needed to play the streaming audio
– must contain its own software codecs

Page 34: COMP3122  Network Management

Real Audio

Probably the most popular Internet streaming system

.ram file contains the search string for the local browser

.ra file contains the sound file that can be sent bit by bit using streaming technologies

Page 35: COMP3122  Network Management

How Does Streaming Technology Work?

The .ra file is stored on a remote server
– path begins with rtsp://
» tells an application that:
» the file is located externally on a streaming server
» it is using Real Time Streaming Protocols
– next in the path:
» name of the folder on the streaming server where the file resides
» finally the name of the target file itself

Page 36: COMP3122  Network Management

Secure Remote Access to the Network Servers

Two realistic possibilities:
– via telephone line to server
– via secure channel through the Internet
– Routing and Remote Access service

Provided by Windows Servers as “Routing and Remote Access service”
– not available by default
– Wizard eases installation

Page 37: COMP3122  Network Management

Access to www service via Telephone

ISPs use RAS to provide logon connections for multiple users via:
– standard (analogue) phone link
» one modem needed on/connected to the server for each remote connection – still needed in some parts of the country
– ISDN (largely replaced by… ADSL)

As with www, ftp, email services available:
– appropriate security arrangements need to be in place
– appropriate client-server TCP protocols required

Page 38: COMP3122  Network Management

Remote Access Service

Public Telephone network, security options:
– callback security
» server makes a note of the caller’s number
» hangs up
» calls the caller back!
– logon
» only authorised users are allowed to log on
– encryption
» log on data can/should? be encrypted
– PPTP filtering
» only allows PPTP packets through

Page 39: COMP3122  Network Management

Remote Access Service

Dial-up (OSI level 1/2) Protocols
– SLIP (Serial Line Interface Protocol)
» developed in 1984
» now old hat!
– PPP (Point-Point Protocol)
» current standard
» more flexible than PPP
» allows a greater range of transport protocols
» allows remote allocation of IP addresses to clients by DHCP server

Page 40: COMP3122  Network Management

Remote Access via VPN within the Internet

Protocols for creating a secure channel through the Internet:
– PPTP (Point-Point Tunnelling Protocol)
» secure version of PPP
» port 1723
– L2TP now more popular
» port 1701

Page 41: COMP3122  Network Management

Thanks for Listening