  1. Facultat d'Informàtica de Barcelona, Univ. Politècnica de Catalunya
     Administració de Sistemes Operatius (Operating Systems Administration)
     Network services

  2. Topics
     1. Introduction to OS administration
     2. Installation of the OS
     3. Users management
     4. Applications management
     5. System monitoring
     6. Maintenance of the file system
     7. Local services
     8. Network services
     9. Protection and security

  3. Objectives
     - Knowledge
       - Main elements in a network
       - Main network services and protocols
       - Superserver, portmapper, DNS, FTP, WWW, e-mail
     - Abilities
       - Services configuration: superserver, DNS, FTP, WWW, e-mail

  4. Transmission systems
     - Local area networks (LAN)
       - RS-232
       - Ethernet
       - Token ring
       - FDDI (optical fiber)
     - Wide area networks (WAN)
       - Gigabit ethernet, and 10GbE
       - Frame relay
       - X-25
       - ATM

  5. Protocols
     - Each network has its own link protocol
       - Modem, Ethernet, Token ring, Gigabit ethernet, ATM, Frame relay, X-25
     - ... and we have TCP/IP on top

  6. IP networks and hosts
     - IP network classes
       - Class A (leading bit 0): 1.0.0.0 - 127.0.0.0
         - 7 network bits, 24 host bits (16 million hosts - 2)
       - Class B (leading bits 10): 128.0.0.0 - 191.255.0.0
         - 16 network bits (16K-2 networks), 16 host bits (64K-2 hosts)
       - Class C (leading bits 110): 192.0.0.0 - 223.255.255.0
         - 24 network bits (2M-2 networks), 8 host bits (254 hosts in each subnetwork)

  7. IP networks and hosts
     - Network classes
       - Class D (leading bits 1110): multicast addresses, 224.0.0.0 - 240.0.0.0
       - Class E (leading bits 11110): reserved for future use, 240.0.0.0 - 248.0.0.0
       - Class F: 248.0.0.0 - 252.0.0.0
       - Class G: 252.0.0.0 - 254.0.0.0

  8. IP networks and hosts
     - IP addresses with special meanings
       - 0.0.0.0: this host
       - 0.host: host on this network
       - 127.anything: loopback (not seen on the network)
       - 255.255.255.255: LAN broadcast
       - network.255: broadcast at the specified network
     - Private addresses (intranet only):
       - 10.0.0.0 - 10.255.255.255: 1 class A network
       - 172.16.0.0 - 172.31.255.255: 16 class B networks
       - 192.168.0.0 - 192.168.255.255: 255 class C networks

  9. Subnetting
     - Usually the number of machines in the same network is under 100
     - Class A and B addresses are underutilized
     - Subnetting: use a portion of the host address to extend the network address
     - Can use an arbitrary number of bits, not byte-aligned
     - Example (diagram): the class B network 149.76.0.0 has 256*256 host addresses;
       splitting the host part of 149.76.12.4 into 10 subnet bits and 6 host bits
       gives 2^10 = 1024 subnets of 2^6 = 64 hosts each
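The classful split of slides 6-7 and the non-byte-aligned subnetting of slide 9, worked through in code. This is an added example, not part of the slides; it uses only the standard `ipaddress` module and the slide's own address 149.76.12.4 with 10 subnet bits.

```python
# Added example (not from the slides): classful address split plus the
# non-byte-aligned subnetting of slide 9 (149.76.0.0, 10 subnet bits, 6 host bits).
import ipaddress

def address_class(addr: str) -> tuple:
    """Return (class letter, default network bits) from the leading bits
    of the first octet, as in slides 6 and 7."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first & 0x80 == 0:          # 0xxxxxxx
        return "A", 8
    if first & 0xC0 == 0x80:       # 10xxxxxx
        return "B", 16
    if first & 0xE0 == 0xC0:       # 110xxxxx
        return "C", 24
    if first & 0xF0 == 0xE0:       # 1110xxxx  multicast
        return "D", 0
    return "E+", 0                 # 1111xxxx  reserved (slide's E, F, G)

def subnet_info(addr: str, subnet_bits: int) -> dict:
    """Borrow subnet_bits from the top of the classful host field and
    locate addr inside the resulting subnet."""
    cls, net_bits = address_class(addr)
    if net_bits == 0:
        raise ValueError(f"class {cls} addresses are not subnetted")
    host_bits = 32 - net_bits - subnet_bits
    if host_bits < 2:
        raise ValueError("need at least 2 host bits (network + broadcast)")
    net = ipaddress.IPv4Interface(f"{addr}/{net_bits + subnet_bits}").network
    host_field = int(ipaddress.IPv4Address(addr)) & ((1 << (32 - net_bits)) - 1)
    return {
        "class": cls,
        "mask": str(net.netmask),
        "subnets": 2 ** subnet_bits,
        "hosts_per_subnet": 2 ** host_bits - 2,   # usable: minus network and broadcast
        "subnet_index": host_field >> host_bits,
        "host_index": host_field & ((1 << host_bits) - 1),
        "subnet_network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
    }

if __name__ == "__main__":
    for k, v in subnet_info("149.76.12.4", 10).items():
        print(f"{k:>17}: {v}")
```

The slide counts 64 addresses per subnet; the block reports 62 usable hosts because the network and broadcast addresses of each subnet are excluded.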

  10. IP address management
     - IANA: Internet Assigned Numbers Authority (www.iana.org)
     - Regional Internet Registries (RIRs)
       - ARIN: American Registry for Internet Numbers (www.arin.net)
       - RIPE NCC: Europe, Middle East and Central Asia (www.ripe.net)
     - Internet Service Providers (ISPs)
     - ESNIC: www.nic.es, domains at “.es”

  11. Gateways
     - Subnets usually represent the physical structure of the network
       - An office, room, floor...
     - An ethernet host is only accessible to the hosts connected to the same subnet
       - Same cable
     - Gateway: host connected to several networks, with the ability to transfer
       information across them
     - Diagram: hosts 149.76.12.4 and 149.76.12.5 on subnet 149.76.12; the gateway
       has interfaces 149.76.12.1 and 149.76.13.1; hosts 149.76.13.40 and
       149.76.13.43 on subnet 149.76.13

  12. Routing
     - Determine where a message has to be sent given its destination address
     - The router selects the output path given the routing tables
       - Association between a target IP address and a network interface
     - Diagram: a router with interfaces eth0, eth1 and eth2 joining three subnets,
       149.76.12 (hosts 12.4, 12.5, ...), 192.45.2 (hosts 2.87, 2.93, ...) and
       149.76.13 (hosts 13.40, 13.43, ...)

  13. IP port classification
     - Privileged ports: 0 - 1023
       - Assigned by the IANA
       - Only a privileged user (root) can start services on them
     - Registered ports: 1024 - 49151
       - Registered with IANA to avoid collisions
       - Registry of the usual services associated with the ports: /etc/services
     - Dynamic ports: 49152 - 65535
       - Used in temporary connections
       - Answers to requests

  14. /etc/services
     - Relates services with port numbers
     - DB accessed by several programs (netstat, ...)
     - Format: servicename port/protocol aliaslist

        echo        7/tcp
        echo        7/udp
        systat      11/tcp    users
        systat      11/udp    users
        ftp-data    20/tcp
        ftp-data    20/udp
        # 21 is registered to ftp, but also used by fsp
        ftp         21/tcp
        ftp         21/udp    fsp fspd
        ssh         22/tcp
        ssh         22/udp
        telnet      23/tcp
        telnet      23/udp
        # 24 - private mail system
        smtp        25/tcp    mail
        smtp        25/udp    mail
        domain      53/tcp
        domain      53/udp
        http        80/tcp    www www-http
        http        80/udp    www www-http

  15. Network Address Translation (NAT)
     - A router replaces internal IP addresses with its own
     - Allows using private IP addresses while keeping connectivity with the Internet
     - The router records all outgoing connections, and relates them to the
       inbound communications
       - Outgoing connection: 192.168.1.25 (port 1085) -> 212.106.192.142 (1085)
       - Inbound communication: 212.106.192.142 (1085) -> 192.168.1.25 (1085)

  16. NAT, side effects
     - Internal addresses are not visible from outside
       - Only the router can be attacked
       - Network security depends on router security and good maintenance
     - Internal machines cannot offer services to the Internet
       - Except when Port Address Translation (PAT) is enabled
     - Impact on network performance
       - All Internet connections go through the router
       - Each packet requires a certain CPU time
     - Some services cannot be used behind NAT
       - When they have incoming connections
       - FTP, IRC, Netmeeting...

  17. Port Address Translation (PAT)
     - Indicate to the router implementing NAT that some incoming connections must
       be redirected to internal machines
     - Mapping router ports to ports in a local machine
     - Diagram: the router is 212.16.13.84 towards the Internet (ports 22, 25, 80)
       and 192.168.12.1 internally; ports 25 and 80 are forwarded to one internal
       host and port 22 to another (192.168.12.4, 192.168.12.5, ...)
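A minimal model of the translation table described in slides 15-17, showing why an unsolicited inbound packet is dropped unless a PAT rule exists. This is an added example, not part of the slides; the router and internal addresses are the slides' own, the remote hosts (198.51.100.x) are constructed, and the choice of which internal host receives ports 22 versus 25/80 is our reading of the slide 17 diagram.

```python
# Added example (not from the slides): the NAT/PAT translation table of slides 15-17.
# Router/internal addresses are the slides' own; 198.51.100.x hosts are constructed.
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    public_ip: str
    # dynamic NAT: (remote_ip, remote_port, router_port) -> (internal_ip, internal_port)
    table: dict = field(default_factory=dict)
    # static PAT: router_port -> (internal_ip, internal_port)
    pat: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """An internal host opens a connection: record the flow and rewrite the
        source to the router's own address (the slide keeps the port, 1085 -> 1085)."""
        self.table[(dst_ip, dst_port, src_port)] = (src_ip, src_port)
        return (self.public_ip, src_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arrives at the router's public address. It is delivered only if
        it answers a recorded flow or matches a PAT rule; anything else is dropped
        (None), which is why NAT hosts cannot offer services unless PAT is set up."""
        flow = self.table.get((src_ip, src_port, dst_port))
        if flow:
            return flow
        return self.pat.get(dst_port)

    def forward_port(self, router_port, internal_ip, internal_port=None):
        """PAT rule: traffic to router_port goes to internal_ip:internal_port."""
        self.pat[router_port] = (internal_ip, internal_port or router_port)

if __name__ == "__main__":
    nat = NatRouter("212.106.192.142")                      # slide 15
    print(nat.outbound("192.168.1.25", 1085, "198.51.100.80", 80))
    print(nat.inbound("198.51.100.80", 80, 1085))           # reply: delivered
    print(nat.inbound("198.51.100.9", 4444, 1085))          # unsolicited: None
    pat = NatRouter("212.16.13.84")                         # slide 17 (our mapping)
    pat.forward_port(25, "192.168.12.4")
    pat.forward_port(80, "192.168.12.4")
    pat.forward_port(22, "192.168.12.5")
    print(pat.inbound("198.51.100.9", 50000, 80))           # -> internal web server
```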

  18. Firewalls
     - Server that determines which communications can be established between
       two networks
     - Typically works at link level
       - Does not know the application
     - It can keep state
       - Allows related connections and inbound connections

  19. (Firewall == security) ?
     - Firewalls are supplementary elements enforcing system security
     - Their use can just offer a false idea of security
     - Other aspects related to security cannot be relaxed because of the use of
       a firewall
     - Other security tools in the local network and servers are still necessary

  20. Server types (type of services)
     - Connection oriented
       - The server keeps session state
       - Increased performance
       - Low fault tolerance
     - Non-connection oriented
       - No session state (there are no sessions)
       - Requests must be self-contained: client requests must carry all the
         information needed, as there is no session
       - Increased fault tolerance

  21. Server types (authoritative)
     - Primary
       - Keeps the main copy of the information
       - In case of divergence, the service relies on the primary server
       - One for each service
     - Secondary
       - Keep copies of the information
       - Updated periodically to/from the primary server
       - Several for each service
       - Allow load balancing
       - Can be used as backup in case the primary server fails

  22. Server types (authoritative)
     - Cache servers (and/or proxies)
       - Keep copies of the most-used information
       - Several for each service are possible
       - Performance benefits
       - They can incorporate tasks related to security, filtering, logging...

  23. Superserver (inetd)
     - An active service uses resources, even when it is not being used
     - For services that are used infrequently... (telnet, ftp, ssh...)
     - The superserver listens on all active ports, and activates the service only
       when necessary
       - Receives the request
       - Starts the associated server
       - Transfers the request to it
     - Limitations
       - It cannot keep information between connections
       - Process creation overhead
         - Not really important when the service is started sporadically

  24. /etc/inetd.conf
     - Specifies the services the superserver listens for
       - Service (port) to be listened to (in /etc/services)
       - Protocol
       - User/group
       - Binary to execute to start the service
       - Arguments (arg0 = process name, ...)

        # If you make changes to this file, either reboot your machine or send the
        # inetd a HUP signal: Do a "ps x" as root and look up the pid of inetd. Then do
        # a "kill -HUP <pid of inetd>". The inetd will re-read this file whenever it
        # gets that signal.
        #
        # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
        #
        # The first 4 services are really only used for debugging purposes, so
        # we comment them out since they can otherwise be used for some nasty
        # denial-of-service attacks. If you need them, uncomment them.
        #
        # echo    stream tcp nowait root internal
        # discard stream tcp nowait root internal
        ...
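Parsing the two file formats of slides 14 and 24 together: resolve each enabled inetd.conf entry to its port through /etc/services and record whether it runs as root on a privileged port, which is the audit an administrator does after editing the file. This is an added example, not part of the slides; the SERVICES and INETD strings are constructed excerpts in the slides' format, and the in.ftpd/in.telnetd entries and paths are made up.

```python
# Added example (not from the slides): parse the /etc/services and /etc/inetd.conf
# formats of slides 14 and 24 and report the enabled superserver entries.
# SERVICES/INETD are constructed excerpts in the slides' format (the ftp and
# telnet inetd lines and the in.ftpd/in.telnetd paths are made up).
SERVICES = """\
# servicename port/protocol aliaslist
echo      7/tcp
ftp       21/tcp
ssh       22/tcp
telnet    23/tcp
smtp      25/tcp   mail
http      80/tcp   www www-http
"""
INETD = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
# echo    stream tcp nowait root internal
ftp       stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
telnet    stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
"""

def parse_services(text):
    """Map (name, proto) -> port; aliases resolve to the same port."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name, portproto, *aliases = line.split()
        port, proto = portproto.split("/")
        for n in (name, *aliases):
            ports[(n, proto)] = int(port)
    return ports

def parse_inetd(text, ports):
    """One record per enabled entry; commented-out lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _sock, proto, _flags, user, path, *args = line.split()
        port = ports.get((name, proto))
        records.append({
            "service": name, "port": port, "user": user, "server": path,
            "args": args, "privileged_port": port is not None and port < 1024,
            "runs_as_root": user.replace(":", ".").split(".")[0] == "root",
        })
    return records

def report(services_text=SERVICES, inetd_text=INETD):
    return parse_inetd(inetd_text, parse_services(services_text))
```

The user field is taken in inetd's `user`, `user.group` or `user:group` forms; an entry whose service name is missing from /etc/services gets `port` None rather than an exception.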
