Page 1: COMP3122 Network Management Richard Henson March 2010.

COMP3122 Network Management

Richard Henson

March 2010

Page 2:

Week 8: Internet Access, Web Services, and Remote Access

Objectives:

– Configure a specified web server to support www & ftp sites

– Run a world wide web site that includes server scripting

– Configure a server to accept services by remote access

Page 3:

Web Services

Client-Server

– installed on a web server

– used on a web browser

By default, provide a network service that runs on TCP port 80, but port could vary

Products tend to be specific to the operating system e.g.

– Internet Information Server runs on Windows NT/2000/XP/2003/2008/7

– Apache runs on Unix/Linux

Page 4:

Request for Service access

The following diagram illustrates the relationship between web client and web server processes. The client requests information; the server processes the request and sends a response back to the client.

[Diagram: the Client Program sends a REQUEST; the Server Program processes the request and sends back the results as a RESPONSE; the client then reads the results.]

Page 5:

Other web-related Network Services

Most popular:

– ftp (file transfer), port 21

– smtp (mail between internet sites), port 25

With IIS, each service provides a default folder to act as the default root e.g.

– wwwroot

– ftproot

– mailroot

Page 6:

Accessing Web Services across a local network

Each web service should have a local network name

– e.g. mywebsite, myftpsite

– used with IP address to access web services across the Intranet

Internal Access:

– www services accessed at the client end using an Internet Browser

– local name maps by default to root www service folder e.g. wwwroot

Page 7:

Access Control and Internal Web Services (Intranet)

Access controlled by:

– EITHER username/password protection of pages beyond the home page

– OR user login name authentication with active directory (or equivalent) for access to the service

Page 8:

Accessing Web Services through the world wide web

The Microsoft IIS www service must have:

– website on or in a subfolder of www

– a domain name

– and an IP address

Full URL needed to gain access

– Syntax:

» local www name.domain name

Access to service controlled through a requirement to login

– by default, all users automatically logged on to an “anonymous” account (Internet Guest)

Page 9:

Web-based Client-Server Model

Page 10:

IIS and Security

IIS has been coupled with Windows Servers since 1996…

– Originally enabled VB code to create .asp files to perform tasks and interact directly with the client browser

» included a number of COM+ objects

– By 2000 generally acknowledged to be one of the major security weaknesses of Microsoft platforms interfacing with the web

» most viruses came in via IIS & VB code

Page 11:

The .net framework and web services

Major change in 2001 -> .net framework

– server scripts no longer contained source code (except HTML)

– not supported by Windows 2000 (IIS v5)

» not yet developed…

– Windows 2003 has .net built-in (IIS v6)

Windows 2000 setups need to add the .net framework and upgrade IIS if they are to be used for supporting .net based websites

Page 12:

.net framework v1.1 and Active Directory

To get maximum benefit from the structure of .net, the object framework should interface well with active directory

– not necessarily the case with v1.1

– and therefore also with the first release of 2003 Server…

Page 13:

.net framework v2.0 and Active Directory

Windows 2003 a success…

– NOT because of .net framework!

v2 released some time after 2003 server

– included “Active Directory namespace”

» System.DirectoryServices

– allowed more effective linking of active directory objects with .net objects, e.g.

» http://www.vsj.co.uk/dotnet/display.asp?id=409

– helped .net to finally gain wider acceptance

Page 14:

.net framework v3.5 and Active Directory

System.DirectoryServices often needs further coding to be effective…

V3.5 uses something called the System.DirectoryServices.AccountManagement namespace

– uniform access and manipulation of user, computer, and group security principals across the multiple principal stores:

» Active Directory Domain Services (AD DS)

» Active Directory Lightweight Directory Services (AD LDS)

» Machine SAM (MSAM)

– manages directory objects independent of the System.DirectoryServices namespace

Page 15:

Management of Groups of Web Pages

IIS needs to perform a number of server tasks, but especially to provide:

– access to the contents of web sites in a controlled way

– home or “root” directory path

– name definition(s) for “home page” e.g. index.html, index.aspx

– the right scripting “engine” for website files so they are compiled, interpreted, or (if run-time e.g. ActiveX) just executed

Page 16:

Home Page Service for websites

Agreed home page convention by ISPs:

– home page is index.htm, index.html

– this page is downloaded when the domain name is entered in the browser window

Microsoft home page convention:

– default.html

– default.asp(x)

Latter can (should?) be changed to conform to general convention

Page 17:

Setting up an IIS FTP service

FTP protocol is ancient (RFC 238, 1972)

– still popular & works well for uploading/downloading

IIS allows configuration of an FTP server for:

– Internal ftp access:

» local ftp service name

– External ftp access:

» local name.domain name

FTP server can be accessed:

– directly through the browser

– using an ftp client

Page 18:

Accessing an IIS SMTP service

SMTP protocol (or Internet Mail forwarding) developed from FTP (RFC 821, 1978)

Web-based or Internal SMTP service set up in the same way as FTP

– same access rights/limitations, etc.

However, further software (Exchange Server) is needed to provide a full mail service

Page 19:

Setting up an Exchange Mail Server Service

Exchange is complex software

– large resource requirements

Uses x500 data storage standard

– store for details of mailbox users

– can interface with details of Active Directory users!

Further stores:

– incoming messages that need distributing to mailboxes

– mailboxes & their messages

– database of existing mailbox names

Page 20:

A POP3 service

SMTP sends messages between Internet servers

Cannot be used to download mail from mailboxes to clients

– need to use the POP3 protocol

POP3 Server principles:

– user logs on to server

– if user is authorised:

» any messages in that user’s mailbox are located

» all messages downloaded to local folder by POP3 client software

Page 21:

Administering the Web Service

Software GUI tools for IIS administration

– MMC

– management snap-in

Command line tools for IIS administration

– direct access via browser

Access to these tools needs to be restricted…

Service should allow a number of different web sites to be set up in different folders

Excellent website (for W2003, IIS v6)

– http://www.windowsnetworking.com/articles_tutorials/Web-Sites-Windows-2003.html

Page 22:

Administering the Web Service

The IP address of the web server is normally that of the host machine

– there needs to be provision for:

» manual settings

» several addresses, e.g. multiple websites running through separate folders

Typical set up & management tasks required for each website:

– website name, port, home directory, default filename pecking order

– optional username/password & access permissions

– “virtual directories”

– security permissions for use with server certificates and the public key infrastructure (PKI)

Page 23:

Open Access v Logon to Web Server?

Allowing network or external users to access part of the server has its risks!

One strategy: use “anonymous login”

– anyone can log on and gain access to the service

– but only get “guest-equivalent” (i.e. minimum) access rights

» can be frustrating…

Page 24:

Open Access v Logon to Web Server?

Alternative: request username/password access

– access rights then depend on user privilege

– no longer “open access”

– but good for auditing and control

Page 25:

Open Access v Logon to Web Server?

Servers in general:

– potentially open to attack by both internal and external network users (security vital)

Standard web server practice:

– no file access possible other than at and below the designated root

– main issue for the system regarding user requests for web access:

» whether or not to allow access at all

» whether to allow read only or read-write access
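The “standard web server practice” of pages 15, 16 and 25 (confinement to the designated root, the home-page pecking order, and the allow / read-only / read-write decision), as an added example that is not part of the original slides; the site root, file names and account names are constructed:

```python
"""Added example, not from the slides: a model of the 'standard web server
practice' on pages 15, 16 and 25. Every request is confined to the designated
root, a request for a directory is served by the first 'home page' found in
pecking order, and the site decides whether to allow access at all and whether
that access is read-only or read-write. Root, file and user names are constructed."""
from dataclasses import dataclass, field
from urllib.parse import unquote

# Pecking order: the general ISP convention first, then the Microsoft defaults.
DEFAULT_DOCUMENTS = ("index.htm", "index.html", "default.htm", "default.aspx")
WRITE_METHODS = {"PUT", "DELETE", "POST"}


@dataclass
class Site:
    root: str                                 # e.g. an IIS wwwroot folder
    files: set = field(default_factory=set)   # constructed stand-in for the disk
    default_docs: tuple = DEFAULT_DOCUMENTS
    anonymous_allowed: bool = True            # "Internet Guest" style open access
    writers: frozenset = frozenset()          # accounts granted read-write


def relative_path(url_path):
    """Turn a URL path into a root-relative path, or None if it would leave
    the root. Percent-decoding comes first so that %2e%2e is seen as '..'."""
    decoded = unquote(url_path).replace("\\", "/")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None            # refuse outright rather than silently remap
    return "/".join(segments)


def pick_file(site, rel):
    """Resolve a root-relative path to a file; a directory gets its home page."""
    if rel in site.files:
        return rel
    prefix = rel + "/" if rel else ""
    if any(f.startswith(prefix) for f in site.files):   # rel names a directory
        for doc in site.default_docs:
            if prefix + doc in site.files:
                return prefix + doc
    return None                # no file and no home page: nothing is listed


def authorise(site, user, method):
    """Page 25's two questions: allow access at all? read-only or read-write?"""
    if user is None and not site.anonymous_allowed:
        return "deny"
    if method in WRITE_METHODS:
        return "write" if user in site.writers else "deny"
    return "read"


def handle(site, user, method, url_path):
    """Return (HTTP status, full path served or None)."""
    rel = relative_path(url_path)
    if rel is None:
        return 403, None                          # attempt to step outside the root
    if authorise(site, user, method) == "deny":
        return (401 if user is None else 403), None
    target = pick_file(site, rel)
    if target is None:
        return 404, None
    return 200, f"{site.root.rstrip('/')}/{target}"


def demo_site():
    """A constructed site: one home page at the root, a docs folder with its own."""
    return Site(root="C:/Inetpub/wwwroot",
                files={"default.htm", "docs/index.html", "docs/guide.html"},
                writers=frozenset({"webadmin"}))
```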

Page 26:

Offering a Proxy Service

A Proxy Server runs on a server being used as a Firewall

Acts as an intermediate party between the Internet and local network services:

– intercepts user requests for services such as FTP

– decides whether or not to forward them to the true server

The effect is that the internal and external computers talk to the proxy service rather than directly to each other

Page 27:

The Proxy Service approach

[Diagram: a request from the Internal Network goes to the proxy server on the Firewall with Proxy service, which passes it on to the Real server.]

Page 28: COMP3122 Network Management Richard Henson March 2010.

The user The user on either side of the firewall on either side of the firewall is is presented with an illusion that they are talking presented with an illusion that they are talking to to aa real server when in fact they are dealing real server when in fact they are dealing with a proxywith a proxy

So if an outside user tries to “hack” into the So if an outside user tries to “hack” into the network network server the actual internal network server the actual internal network architecture is hiddenarchitecture is hidden

A proxy server canA proxy server can be programmed to block be programmed to block certain requests, sites, actionscertain requests, sites, actions e.g: e.g:– blocking certain WWW sitesblocking certain WWW sites– preventing FTP downloadspreventing FTP downloads

Proxy ServiceProxy Service - continued - continued

Page 29:

Proxy Service

Provides network client machine with controlled access to the Internet

Clients can only gain access to the Internet via the Proxy Service

Enables the network administrator to control:

– which TCP ports, and therefore which protocols can be used

– which (if any) external IP addresses can be accessed/filtered

Page 30:

Proxy Service

Can also provide a storage facility for web pages (web cache), so that clients don’t need to keep going out onto the Internet to access the same page

– web cache speeds up access to regularly accessed web pages

– less actual www traffic, so more bandwidth available to those accessing pages that haven’t been previously downloaded
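The proxy decisions of pages 26 to 30 (intercept, check port/protocol, site and address, block FTP downloads, serve from the web cache or forward to the real server, and log the outcome), as an added example that is not part of the original slides; the policy values, host names, addresses and the stand-in upstream fetch are all constructed:

```python
"""Added example, not from the slides: the proxy decisions of pages 26 to 30.
The proxy intercepts a request, checks TCP port (hence protocol), destination
site/address and action (e.g. FTP download), then refuses it, answers from the
web cache or forwards it to the real server. All values are constructed."""
from dataclasses import dataclass
import ipaddress

WEB_PORTS = {80, 443}

@dataclass
class ProxyPolicy:
    allowed_ports: frozenset = frozenset({21, 80, 443})  # which protocols may be used
    blocked_sites: frozenset = frozenset()               # "blocking certain WWW sites"
    blocked_networks: tuple = ()                         # external addresses filtered
    allow_ftp_download: bool = True                      # "preventing FTP downloads"

@dataclass(frozen=True)
class Request:
    host: str        # destination name or dotted address
    port: int
    action: str      # "GET" for www, "RETR"/"STOR" for ftp download/upload
    path: str = "/"

def decide(policy, req):
    """Return 'forward' or 'deny: <reason>' for one intercepted request."""
    if req.port not in policy.allowed_ports:
        return f"deny: port {req.port} not permitted"
    if req.host.lower() in policy.blocked_sites:
        return "deny: site blocked"
    try:
        addr = ipaddress.ip_address(req.host)
    except ValueError:
        addr = None                          # a host name, not an address
    if addr is not None and any(addr in ipaddress.ip_network(n) for n in policy.blocked_networks):
        return "deny: address in filtered range"
    if req.port == 21 and req.action == "RETR" and not policy.allow_ftp_download:
        return "deny: ftp downloads disabled"
    return "forward"

class Proxy:
    def __init__(self, policy, fetch):
        self.policy = policy
        self.fetch = fetch        # callable(host, port, path) -> body: the real server
        self.cache = {}           # (host, port, path) -> body, for www GETs only
        self.log = []             # one entry per request, for auditing

    def handle(self, req):
        """Return (body or None, outcome): the deny reason, 'cache' or 'forwarded'."""
        outcome, body = decide(self.policy, req), None
        if outcome == "forward":
            key = (req.host, req.port, req.path)
            cacheable = req.port in WEB_PORTS and req.action == "GET"
            if cacheable and key in self.cache:
                outcome, body = "cache", self.cache[key]
            else:
                body = self.fetch(req.host, req.port, req.path)
                if cacheable:
                    self.cache[key] = body
                outcome = "forwarded"
        self.log.append(f"{req.action} {req.host}:{req.port}{req.path} -> {outcome}")
        return body, outcome

def demo():
    """Push constructed requests through a proxy; returns (proxy, upstream calls)."""
    calls = []
    def fetch(host, port, path):               # stand-in for the real server
        calls.append((host, port, path))
        return f"<html>{host}{path}</html>"
    policy = ProxyPolicy(blocked_sites=frozenset({"games.example"}),
                         blocked_networks=("203.0.113.0/24",),
                         allow_ftp_download=False)
    proxy = Proxy(policy, fetch)
    proxy.handle(Request("www.example.org", 80, "GET", "/index.html"))
    proxy.handle(Request("www.example.org", 80, "GET", "/index.html"))  # cache hit
    proxy.handle(Request("games.example", 80, "GET"))
    proxy.handle(Request("203.0.113.7", 443, "GET"))
    proxy.handle(Request("ftp.example.org", 21, "RETR", "/pub/file.zip"))
    proxy.handle(Request("mail.example.org", 25, "SEND"))
    return proxy, calls
```

Only the first www request reaches the real server; the second is served from the cache and the other four are refused for the reasons recorded in the log.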

Page 31:

Streaming Media Service

Serves streaming sound/video/animation files to multiple users simultaneously

– across the network

– across the Internet

» If connection has sufficient bandwidth

Also provides the conversion software codecs to produce and run the streaming media files

Page 32:

How Does Streaming Technology Work?

A streaming sound file is no longer in a .wav or .mid format

Using special software, any sound file can be:

– converted/compressed into a streaming format

– accessed remotely using e.g. rtsp://server/path/filename

A suitable Audio player is then needed to play the streaming audio

– must contain its own software codecs

Page 33:

Real Audio

Probably the most popular Internet streaming system

.ram file contains the search string for the local browser

.ra file contains the sound file that can be sent bit by bit using streaming technologies

Page 34:

How Does Streaming Technology Work?

The .ra file is stored on a remote server

– path begins with rtsp://

» tells an application that:

» the file is located externally on a streaming server

» it is using Real Time Streaming Protocols

– next in the path:

» name of the folder on the streaming server where the file resides

» finally the name of the target file itself
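A parser for the rtsp://server/path/filename form of pages 32 to 34, run over the contents of a .ram file (page 33: the .ram holds the reference, the .ra holds the sound), as an added example that is not part of the original slides; the server name, folders and file names are constructed, and the default port 554 is the registered RTSP port, not something the slides state:

```python
"""Added example, not from the slides: parse the rtsp://server/path/filename
references (pages 32 to 34) found in a .ram file (page 33) into server, folder
and target file, refusing malformed lines. Host and file names are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit

RTSP_DEFAULT_PORT = 554   # registered RTSP port (RFC 2326); not stated on the slides


@dataclass(frozen=True)
class StreamRef:
    server: str      # the streaming server
    port: int
    folder: str      # folder on the streaming server where the file resides
    filename: str    # the target file itself


def parse_rtsp(url):
    """Split one rtsp:// reference into its parts; raise ValueError if malformed."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "rtsp":
        raise ValueError(f"not an rtsp reference: {url!r}")
    if not parts.hostname:
        raise ValueError(f"no streaming server named: {url!r}")
    segments = [s for s in parts.path.split("/") if s]
    if not segments or ".." in segments:
        raise ValueError(f"no usable target file in: {url!r}")
    *folders, filename = segments
    return StreamRef(parts.hostname, parts.port or RTSP_DEFAULT_PORT,
                     "/".join(folders), filename)


def parse_ram(text):
    """Return (refs, errors) for a .ram file: one rtsp reference per line;
    blank lines and '#' comments are ignored, bad lines are reported not used."""
    refs, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ref = parse_rtsp(line)
            if not ref.filename.lower().endswith(".ra"):
                raise ValueError(f"not a .ra sound file: {ref.filename!r}")
            refs.append(ref)
        except ValueError as e:
            errors.append(f"line {n}: {e}")
    return refs, errors


# Constructed sample .ram content, including two lines a player should refuse.
SAMPLE_RAM = """\
# lecture playlist (constructed)
rtsp://media.example.edu/comp3122/week8.ra
rtsp://media.example.edu:8554/archive/intro.ra
http://media.example.edu/comp3122/week8.ra
rtsp://media.example.edu/comp3122/
"""
```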

Page 35:

Remote Access Service (RAS)

Configured in Windows 2003 as Routing and Remote Access service

– not available by default

– needs to be installed

Provides ways of allowing access to the server/network externally

Page 36:

Remote Access Service

ISPs use RAS to provide logon connections for multiple users via:

– standard (analogue) phone link

» one modem needed on/connected to the server for each remote connection

– ISDN

– ADSL

As with www, ftp, email services:

– appropriate security arrangements need to be in place

– appropriate client-server TCP protocols required

Page 37:

Remote Access Service

Public Telephone network, security options:

– Callback security

» server makes a note of the caller’s number

» hangs up

» calls the caller back!

– Logon

» only authorised users are allowed to log on

– Encryption

» log on data can/should? be encrypted

– PPTP filtering

» only allows PPTP packets through

Page 38:

Remote Access Service

Dial-up (OSI level 1/2) Protocols

– SLIP (Serial Line Interface Protocol)

» developed in 1984

» now old hat!

– PPP (Point-Point Protocol)

» current standard

» more flexible than SLIP

» allows a greater range of transport protocols

» Allows remote allocation of IP addresses to clients by DHCP server

Page 39:

Remote Access via VPN within the Internet

Protocols for creating a secure channel through the Internet:

– PPTP (Point-Point Tunnelling Protocol)

» secure version of PPP

» port 1723

– L2TP now more popular

» port 1701