CPSC 463 Networks and Distributed Processing

Top Three Layers
• Session Layer
• Presentation Layer
• Application Layer
1
Session Layer Design
• Marks the division between “upper layers” and
“lower layers”
– lower layers := end-to-end communications
– upper layers := user-oriented services
• Invented by ISO
• Can support transport layer QoS
• Not explicitly used by TCP/IP
• “Generally connection-oriented”
2
Session Layer &
Transport Layer
• Usually a transport connection is required to
establish a session
• Session Layer provides Control. It says what
to do, not necessarily how to do it.
• Can provide redundancy and multiplexing of
transport layer resources
• Administrative control point
3
Dialog Management
• In principle, all OSI connections are full
duplex
• Some upper layer software is structured to be
half-duplex
• This is to simplify the software and has
nothing to do with hardware limitations
• The session layer supports data token
schemes to support half-duplex
transmissions
4
Synchronization
• Transport layer provides error recovery only
from communication errors
• Synchronization in the transport layer
provides for returning the session entries
back to the last known correct state.
• Example: Session established and large file
transmitted; receiving end has no storage and
directly prints the incoming data. The printer
dies and data is lost.
• Session users could split the text into pages
and insert a synchronization point between
each page.
5
Activity Management
• Users split the message stream into activities
• delimiters are added in the session to
separate activities
[Figure: a session timeline in which Start and Stop delimiters bracket the activity “First File Sent” and then the activity “Second File Sent”]
6
Remote Procedure Calls
• Based on the connectionless model
• Generally outside the OSI model
• Can be implemented in the application layer
• Multiple Flavors
– {Sun} ONC RPC
– {OSF} DCE RPC
7
“RPC School of Thought”
• Clients sending messages are viewed as
procedure calls with the reply being the
return from the procedure
• Contrast this to the more “conventional”
school which views I/O with primitives such
as X-DATA.request and X-DATA.return as I/O
and interrupts respectively.
8
RPC Invocation
[Figure: RPC invocation path, numbered steps 1 to 7, through Client, Client Stub, Network {Portmapper}, Server Stub and Server]
9
RPC Semantics and Orphans
• Operations
– exactly once
– at most once
– at least once
• Handling crashes:
– 1. Hang forever, waiting for reply that never comes
– 2. Time out and raise an exception
– 3. Time out and retransmit
• Orphans
– extermination
– expiration
– reincarnation (kill & restart)
– gentle reincarnation (selectively kill and restart)
10
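The three crash-handling options and the at-most-once versus at-least-once semantics above are easiest to see in a simulation. The following Python example is added here and is not from the lecture: it assumes a constructed server whose operation is non-idempotent (incrementing a counter), a network that deterministically loses the first reply, and a client that times out and retransmits with the same request id (option 3). An at-least-once server re-executes the duplicate; an at-most-once server answers it from a reply cache.

```python
class Server:
    """Holds a non-idempotent resource: a counter that every executed call increments."""

    def __init__(self, at_most_once: bool):
        self.at_most_once = at_most_once
        self.counter = 0
        self.executions = 0
        self.reply_cache = {}  # request id -> reply; used only by the at-most-once server

    def handle(self, request_id: int, amount: int) -> int:
        if self.at_most_once and request_id in self.reply_cache:
            # Duplicate request (the client retransmitted): resend the old reply, do not re-execute.
            return self.reply_cache[request_id]
        self.counter += amount
        self.executions += 1
        if self.at_most_once:
            self.reply_cache[request_id] = self.counter
        return self.counter


class LossyNetwork:
    """Delivers every request but drops replies on a fixed schedule, so the run is deterministic."""

    def __init__(self, drop_reply_on_attempts):
        self.drop = set(drop_reply_on_attempts)
        self.attempt = 0

    def call(self, server: Server, request_id: int, amount: int):
        self.attempt += 1
        reply = server.handle(request_id, amount)  # the request always reaches the server
        if self.attempt in self.drop:
            return None  # reply lost: the client will time out
        return reply


def rpc_call(server: Server, net: LossyNetwork, request_id: int, amount: int, max_retries: int = 3) -> int:
    """Client side: time out and retransmit (option 3), reusing the same request id each time."""
    for _ in range(max_retries + 1):
        reply = net.call(server, request_id, amount)
        if reply is not None:
            return reply
    raise TimeoutError("no reply after retries")  # option 2: time out and raise an exception


def run(at_most_once: bool):
    """Return (reply seen by client, server counter, number of executions) for one lossy call."""
    server = Server(at_most_once)
    net = LossyNetwork(drop_reply_on_attempts={1})  # constructed: the first reply is lost
    reply = rpc_call(server, net, request_id=7, amount=5)
    return reply, server.counter, server.executions


if __name__ == "__main__":
    print("at-least-once:", run(False))  # the increment happened twice
    print("at-most-once: ", run(True))   # the increment happened once
```

The reply cache is what an orphan-handling scheme must also reason about: a cached reply keyed on a request id only helps while the client keeps the same id across retransmissions, which is why a crashed-and-restarted client (reincarnation) needs a new epoch so its old ids are not confused with new work.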
Presentation Layer
[Figure: Information Transformation between Local Format and Network Format]
“few standards, but a lot of ideas”
11
Presentation Functions
These are examples!
• Syntax (format) conversion
• Compression
• Encryption
– Sub-issue: Does it belong here?
12
Presentation Layer, cont.
• Providing a way to specify complex data
structures
• Managing the set of data structures required
• Converting data between internal and external
form
13
Data Representation
• ASCII vs. EBCDIC
• two’s complement vs. one’s complement
• FFF0 hex is -15 in 1’s complement and -16 in 2’s
complement
• byte order: right-to-left vs. left-to-right
• Text File formats
14
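The representation differences on this slide can be checked directly. The Python example below is added here and is not part of the lecture; it reads the bit pattern FFF0 under both complement conventions, writes and reads a 16-bit word in each byte order, and encodes the same character in ASCII and in EBCDIC (Python’s cp037 codec). The 16-bit width is an assumption taken from the FFF0 example.

```python
import struct

BITS = 16  # word width assumed for the FFF0 example


def ones_complement(raw: int, bits: int = BITS) -> int:
    """Read the unsigned bit pattern `raw` as a one's-complement integer."""
    mask = (1 << bits) - 1
    if (raw >> (bits - 1)) & 1:  # sign bit set: value is minus the bitwise complement
        return -((~raw) & mask)
    return raw


def twos_complement(raw: int, bits: int = BITS) -> int:
    """Read the same bit pattern as a two's-complement integer."""
    if (raw >> (bits - 1)) & 1:  # sign bit set: subtract 2**bits
        return raw - (1 << bits)
    return raw


def byte_orders(value: int) -> tuple:
    """The same 16-bit value written big-endian (left-to-right) and little-endian (right-to-left)."""
    return struct.pack(">H", value), struct.pack("<H", value)


def read_word(wire: bytes) -> tuple:
    """The same two wire bytes read with each byte order: the numbers differ."""
    return struct.unpack(">H", wire)[0], struct.unpack("<H", wire)[0]


def text_encodings(text: str) -> tuple:
    """ASCII versus EBCDIC (cp037) bytes for the same characters."""
    return text.encode("ascii"), text.encode("cp037")


if __name__ == "__main__":
    print(ones_complement(0xFFF0), twos_complement(0xFFF0))
    print(byte_orders(0xFFF0), read_word(b"\xff\xf0"))
    print(text_encodings("A"))
```

The point for a protocol designer is that none of these differences is visible in the bytes themselves: the receiver must know the agreed transfer syntax, which is the gap ASN.1 fills on the next slides.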
Abstract Syntax Notation 1
(ASN.1)
• Data Structures
• Abstract Syntax
• Transfer Syntax
• International Standard 8825
• Notation used to encode, transfer and decode
data structures across a wide range of
applications
• Both connection-oriented and connectionless
primitives
15
Data Compression
• Encoding a Finite Set of Equally Likely
Symbols
– Finiteness of the set of symbols.
• Frequency Dependent Coding
– The relative frequencies with which the symbols are
used.
• Context Dependent Encoding
– The context in which a symbol appears.
16
Compression
• Elimination of Redundancy
– (increased susceptibility to error)
• Examples
– Run Length Encoding
– Predictive Codes
– Huffman
– LZW
17
Frequency Dependent Coding
• In English, “E” occurs ~100 times more than
the letter “Q”
• So give common symbols short codes and
longer symbols longer codes.
• Theoretical minimum encoding often requires
fractional bits, but close approximations
available.
18
Huffman Coding
• 1. Write down all symbols and associated probability of
each. Eventually a binary tree is built on these nodes, with
the symbols representing terminal nodes.
• 2. Find the two smallest nodes and mark them. Add a new
node with arcs to each of the nodes just marked. Set the
probability of the new node to the sum of the probabilities of
the two nodes connected to the new node.
• 3. Repeat until all symbols are marked except one. The
probability of the unmarked node will always be 1.0.
• 4. The encoding for each symbol is found by tracing the path
from the unmarked symbol to that symbol, recording the
sequence of left and right branches taken. The code is the
path, left = 0, right = 1.
19
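The four steps above, carried out in code. This Python example is added here and is not from the lecture; it uses a priority queue for step 2, a tie-break counter so the tree (and therefore the codes) is deterministic, and the left = 0, right = 1 convention of step 4. The probability table is constructed for the example.

```python
import heapq
from itertools import count

# Constructed symbol probabilities (they sum to 1.0, so the root ends up at 1.0 as in step 3).
PROBS = {"A": 0.5, "B": 0.25, "C": 0.125, "D": 0.125}


def huffman_codes(probabilities: dict) -> dict:
    """Return {symbol: bit string} built by the four steps on the slide."""
    tiebreak = count()
    # Step 1: every symbol is a terminal node carrying its probability.
    heap = [(p, next(tiebreak), sym) for sym, p in probabilities.items()]
    heapq.heapify(heap)
    if len(heap) == 1:  # degenerate alphabet: one symbol, one-bit code
        return {heap[0][2]: "0"}
    # Steps 2 and 3: merge the two smallest nodes until a single (unmarked) node remains.
    while len(heap) > 1:
        p1, _, left = heapq.heappop(heap)
        p2, _, right = heapq.heappop(heap)
        heapq.heappush(heap, (p1 + p2, next(tiebreak), (left, right)))
    root = heap[0][2]
    # Step 4: trace the path from the root to each symbol; left = 0, right = 1.
    codes = {}

    def walk(node, path):
        if isinstance(node, tuple):
            walk(node[0], path + "0")
            walk(node[1], path + "1")
        else:
            codes[node] = path

    walk(root, "")
    return codes


def encode(text: str, codes: dict) -> str:
    return "".join(codes[ch] for ch in text)


def decode(bits: str, codes: dict) -> str:
    """Prefix-free codes decode greedily: emit a symbol as soon as the buffer matches a code."""
    reverse = {code: sym for sym, code in codes.items()}
    out, buf = [], ""
    for b in bits:
        buf += b
        if buf in reverse:
            out.append(reverse[buf])
            buf = ""
    if buf:
        raise ValueError("trailing bits do not form a complete code")
    return "".join(out)


def is_prefix_free(codes: dict) -> bool:
    cs = list(codes.values())
    return not any(a != b and b.startswith(a) for a in cs for b in cs)


def average_length(codes: dict, probabilities: dict) -> float:
    """Expected bits per symbol; for dyadic probabilities this equals the entropy exactly."""
    return sum(p * len(codes[s]) for s, p in probabilities.items())


if __name__ == "__main__":
    codes = huffman_codes(PROBS)
    print(codes, average_length(codes, PROBS))
    print(decode(encode("ABCD", codes), codes))
```

Because the probabilities here are powers of two, the average length (1.75 bits) hits the theoretical minimum mentioned on the previous slide; for other distributions Huffman gets within one bit of it, which is the “close approximation” the slide refers to.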
Context Dependent Encoding
• Uses conditional probability instead of
independent probability.
• What is P(u|q)?
• So determine the conditional probability for
each possible predecessor and store in a
table.
• For k symbols this requires k² entries.
20
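To make the k² table and the P(u|q) question concrete, the Python example below (added here, not from the lecture) builds both the independent table and the conditional table from a constructed sample string and compares the bits per symbol an ideal code would need under each model. The inequality it demonstrates, that conditioning on the predecessor never costs more bits, is the general result of which the slide’s P(u|q) example is one instance.

```python
import math
from collections import Counter

SAMPLE = "the quick brown fox jumps over the lazy dog quite quietly"  # constructed sample text


def independent_table(text: str) -> dict:
    """P(symbol) with no context: one entry per symbol."""
    counts = Counter(text)
    return {s: c / len(text) for s, c in counts.items()}


def conditional_table(text: str) -> dict:
    """P(next | previous): one row per predecessor, k*k entries for k distinct symbols."""
    symbols = sorted(set(text))
    pairs = Counter(zip(text, text[1:]))
    prev_totals = Counter(text[:-1])
    return {
        p: {n: (pairs[(p, n)] / prev_totals[p] if prev_totals[p] else 0.0) for n in symbols}
        for p in symbols
    }


def table_entries(table: dict) -> int:
    return sum(len(row) for row in table.values())


def entropy(dist: dict) -> float:
    """Bits per symbol for an ideal code matched to `dist` (zero-probability entries contribute nothing)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def compare(text: str) -> tuple:
    """(independent bits/symbol, context-dependent bits/symbol), both over the same sample of successors."""
    successors = text[1:]
    h_independent = entropy(independent_table(successors))
    table = conditional_table(text)
    prev_totals = Counter(text[:-1])
    n = len(successors)
    h_conditional = sum(prev_totals[p] / n * entropy(table[p]) for p in table)
    return h_independent, h_conditional


if __name__ == "__main__":
    table = conditional_table(SAMPLE)
    k = len(set(SAMPLE))
    print("P(u|q) =", table["q"]["u"], "entries =", table_entries(table), "k^2 =", k * k)
    print("bits/symbol independent vs conditional:", compare(SAMPLE))
```

The cost is the table: every new symbol adds a whole row and a whole column, which is why context models are usually limited to a small alphabet or to a sparse representation of the table.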
Compression (Summary)
• Problem Domain determines the “best”
compression scheme
• Lossy vs Loss-less schemes
• One-pass vs multi-pass schemes
21
Network Security and Privacy
• Protecting data from being read by
unauthorized persons.
• Preventing unauthorized persons from
inserting and deleting messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.
22
Cryptography
• Traditional Cryptography
– Substitution Ciphers
– Codes
– Transposition Ciphers
• Data Encryption Standard
• Key Distribution
• Public Key Cryptography
– MIT Algorithm
• Authentication & Digital Signatures
– Federal Standards
23
Cryptography Users
• Military
• Diplomatic
• Diarists
• Lovers
• Curmudgeons
24
Cryptography Terms
• Ciphertext or Cryptogram -- encrypted
message
• Cryptanalysis -- breaking ciphers
• Cryptography -- devising ciphers
• Cryptology := Cryptanalysis and
Cryptography
25
Encryption Model
[Figure: Plaintext is encrypted under Key-1 into Ciphertext, which is decrypted under Key-2 back to Plaintext; the channel carrying the Ciphertext is exposed to a Passive Listener and an Active Intruder]
26
Keys
• If Key-1 is the same as Key-2, then it has to be
a secret key process. They can differ, making
it a Public Key Process.
• Big Problems: key distribution and key
security
27
Fundamental Truths of
Cryptology
• Potential intruders know the general
encryption method.
• Message contents may be guessed.
• Cryptographic systems may be changed, but
rarely are.
• Non-technical compromises always
outnumber successful cryptanalysis.
28
Ciphers
• Substitution (preserve order, disguise)
– Caesar code = “shift 4”
– Alphabet shifted by k letters -- “enigma”
– Exhaustive search infeasible
– Words and phrases may be guessed
• Codes
– Purple code, Japanese translated into Latin
– Navajo talkers
• Transposition Ciphers (reorder, do not
disguise)
– Game is up when key length is guessed
– Once close, easy to guess
29
Data Encryption Standard
• Developed by IBM in 1977
• Implemented in hardware
• Widely used
• 128 bit key proposed, 56 bit key specified
– Any guesses why?
• Now, study AES.
30
Public Key Encryption
• Applying the decryption key to an encrypted
message must return the plaintext message.
• The decryption key can’t be guessed from an
encryption key.
• The encryption key cannot be broken by a
plaintext attack.
• Key Point: the decryption key must be
privately held.
31
Digital Signatures
• A’s secret key must remain secret
• B has A’s public key and A has B’s public key
• B received an encrypted message from A that
he decrypts with A’s public key
• B can later show that lacking A’s private key
that he could not have produced the
encrypted message
32
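The public-key properties of the previous slide and the signature scenario on this one can be followed through with the “MIT algorithm” (RSA) on toy numbers. This Python example is added here and is not from the lecture: it uses the small primes 61 and 53 so every step is visible, signs a message with A’s private key and verifies it with A’s public key, and then shows why the numbers must be large by recovering the private key from the public one through trial-division factoring, which is only feasible because n is tiny. Real systems sign a hash of the message with a padding scheme rather than the raw integer used here.

```python
from math import gcd, isqrt


def make_keypair(p: int, q: int, e: int = 17) -> tuple:
    """Textbook RSA: public (n, e), private (n, d) with e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m: int, public: tuple) -> int:
    n, e = public
    return pow(m, e, n)


def decrypt(c: int, private: tuple) -> int:
    """Applying the decryption key to an encrypted message returns the plaintext."""
    n, d = private
    return pow(c, d, n)


def sign(m: int, private: tuple) -> int:
    """A 'encrypts' with the private key only A holds."""
    n, d = private
    return pow(m, d, n)


def verify(m: int, signature: int, public: tuple) -> bool:
    """B 'decrypts' with A's public key; only A's private key could have produced a match."""
    n, e = public
    return pow(signature, e, n) == m % n


def recover_private(public: tuple):
    """Factor n by trial division and rebuild d. Feasible only for toy moduli; that is the point."""
    n, e = public
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return (n, pow(e, -1, (p - 1) * (q - 1)))
    return None


# Constructed toy key pair (p=61, q=53, e=17).
PUBLIC, PRIVATE = make_keypair(61, 53)

if __name__ == "__main__":
    c = encrypt(65, PUBLIC)
    print("ciphertext", c, "->", decrypt(c, PRIVATE))
    s = sign(65, PRIVATE)
    print("signature verifies:", verify(65, s, PUBLIC), " tampered:", verify(66, s, PUBLIC))
    print("private key recovered from public:", recover_private(PUBLIC) == PRIVATE)
```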
Politics of Cryptography
• Software as Munition
• “Clipper” Chip
• Digital Telephony Bill
• Digital Signature Standard
• Other Countries
• Current Legislation
33
Application Layer
• File Transfer, Access and Management
– virtual file store
– file servers and requesting clients
• Electronic Mail
– process to process traffic expected to dominate Internet
– actually email dominates the Internet
• Virtual Terminals
– representing the abstract state of the real terminal
• Remote Job Execution
– JTM: Job Transfer and Manipulation
34
ISO Applications
• FTAM ~ FTP: File Transfer, Access & Manipulation
• VTS ~ TELNET: Virtual Terminal Service
• JTM ~ ???: Job Transfer & Manipulation {maybe rsh, RPC?}
• MHS ~ SMTP: Message Handling System (X.400)
35
ISO Terminology
[Figure: “applications” built on SASEs, which are built on CASE]
[Specific|Common] Application Service Elements
“think of them as programming libraries or APIs”
36
Electronic Mail
• Motis and X.400
– CCITT has aligned them for compatibility
– Won’t replace SMTP!
• The user agent
– user interface
• Message transfer agent
– post office
37
Virtual Terminals
• Scroll mode terminals
– no local resources; dumb display and
transmission
• Page mode terminals
– 25 x 80 character display
– screen editing via termcap
• Form mode terminals
– local processing enabled
• Bitmapped terminals
– like X stations
• Browsers?
38
File Transfer Protocol
• FTP recognizes four file types:
• 1. Image
– bit by bit transfer
• 2. ASCII
• 3. EBCDIC
• 4. Logical Byte files
– binary files which use byte size other than 8 bits
39
Electronic Mail
• Pioneered by ARPANET
• RFC 822 (widely used)
• Simple Mail Transfer Protocol (SMTP)
• Supports only ASCII text
(see MIME)
• name@domain addressing
40
Virtual Terminals - TELNET
• Designed for scroll mode terminals
• Hit a key; 8-bit bytes are sent
• 95 ASCII and 7 control characters legal
41
The Web
• “the” killer application for the Internet
• Two components for popularity
– http combines multiple access (gopher, ftp, etc) methods
– hypertext interface supports point-and-click interface
• Who will organize the information?
– No one...
– Database experts
– Librarians (!)
42
Web Future Directions
• HTML Enhancements
• Secure Transactions
• Uniform Naming
• Librarians & Brokers
• Information “push” or “pull”
43
Layer 7 Summary
• Service Element Model
• Not all Apps belong here...
• Common Network Services
44
What is a Distributed System?
Just insert a network?
[Figure: Mass Storage, Computing (CPU) and User Interface joined by a network]
45
Distributed System
[Figure: Services and Servers (Storage, Compute) connected through the Network to User Interfaces and Users]
46
D.S. Design Issues
• Transparency
• Flexibility
• Reliability
• Performance
• Scalability
47
More Design Issues
• Global Clocks?
• Causality
• Information Consistency
48
Distributed Control
• Master/Slave (Issue: Response Time)
– Polled
– Command -> <-Response
– Schedule under control of server
• Client/Server (Issue: Server Size)
– Interrupt, or Event, Driven
– Aperiodic Scheduling
• Peer-to-Peer (Issue: Coordination)
– No single critical node
– Hard to describe or predict
49
Distributed System:
Why or Why not?
• Performance
• Economics
• Reliability
• Security
50
D. S. Architectures
• Cooperating Peers
• Client-Server
• Tiered Client-Server
– Data Repository
– Compute Servers
– Client Stations
51
“Intranets”
• Definition
– Using Internet protocols, especially Web tools, for
internal MIS
• Motivation
– Information “push” vs “pull”
• Problems
– User Capabilities
– Corporate Policy or Personal Opinion
52
Key Protocol Areas
• Directory Services
• RPCs
• Security/Authentication
• (Performance) Management
• Programming Models
53
References
• ISO RM-ODP
– ITU-T X.901/ISO 10746-1/2/3/4
• Amjad Umar Distributed Computing: A
Practical Synthesis
– PTR Prentice-Hall, Englewood Cliffs, NJ, 1993
• Sape Mullender Distributed Systems, 2d ed.
– Addison Wesley, 1993
54
Network Management
Definition
"...deploying and coordinating resources in
order to plan, operate, administer, analyze, evaluate,
design and expand communication networks to
meet service-level objectives at all times, at a
reasonable cost, and with optimum capacity."
55
Network Management
Functional Areas
• Fault Management
– detect -- diagnose -- repair
• Configuration/Name Mgmt
– a database problem...
• Performance Mgmt
– measure and predict
• Accounting Mgmt
– look at individual usage
• Security Mgmt
– access control and encryption
56
Management Protocols
• SNMP - Simple Network Management
Protocol
– Internet
• CMIP - Common Management Information
Protocol
– ISO
• TMN - Telecommunications Management
Network
– ITU-T
57
Management Protocols
Philosophy
• SNMP - Simple Network Management
Protocol
– keep it simple! (cf the Internet toaster)
• CMIP - Common Management Information
Protocol
– the bazaar: whatever you want
• TMN - Telecommunications Management
Network
– actually a separate network specification
58
SNMP vs CMIP {round 1}
[Figure: SNMP and CMIP both drawing on requirements from various vendors and user communities]
59
ISO Management Overview
• Functional areas: Fault Management, Configuration Management, Performance Management, Security Management, Accounting Management
• System Management Functions: Object Mgmt, Alarm Mgmt, Event Report Mgmt, Workload Monitoring, State Mgmt, Log Control, Security Alarm, Security Reporting, Measurement Summarization, Bill Verification, Billing, Resource Utilization, Test Mgmt, Relation Mgmt
• CMISE Services: Initialize, Event Report, Confirmed Event Report, Get, Confirmed Get, Set, Delete, Cancel, Terminate, Action, Create, Abort
60
SNMP Architecture
• Keep the agent as simple as possible
• Support remote management operations to
the fullest extent possible
• Plan for future additions & expansion
• Be independent of specific hosts or devices
• Operate at the Application level
61
Internet Management Model
[Figure: a Network Management station talks to an Agent for its Managed Entities and to a Proxy Agent for a further set of Managed Entities]
62
SNMP
• Intersection of vendor/user requirements
• Few ‘verbs’:
– get / get-next
– get-bulk {SNMPv2}
– set
– trap
• Polled, Master-Slave, Request-Response
63
SNMP Format
• <header><verb><value><variable>[<verb><value><variable>]
• ASN.1 subset to describe value format
• MIB-II{Management Information Base} to
identify variables
• UDP as a Transport layer
• Now out! SNMPv2
64
The MIB
• Standard set of data for managing network
devices
• Variable names are part of the ISO/CCITT
object identifier namespace
• Provides globally unique identifiers
• Variables governed by Structure of
Management Information (SMI) specification
65
Accessing MIB Data
• SNMP Communities
• SNMP Views
• SNMP Authentication
66
Abstract Syntax Notation 1
(ASN.1)
• Data Structures
• Abstract Syntax
• Transfer Syntax
• International Standard 8825
• Notation used to encode, transfer and decode
data structures across a wide range of
applications
• Both connection-oriented and connectionless
primitives
67
Example SNMP PDU using ASN.1
(BER-encoded SNMPv1 GetRequest, hex bytes on the left, decoded meaning on the right)
30 29                            SEQUENCE, len=41
   02 01 00                      INTEGER, len=1, vers=0
   04 06 70 75 62 6C 69 63       string, len=6, “public”
   A0 1C                         getreq., len=28
      02 04 05 AE 56 02          INTEGER, len=4, request ID
      02 01 00                   INTEGER, len=1, status
      02 01 00                   INTEGER, len=1, error index
      30 0E                      SEQ., len=14
         30 0C                   SEQ, len=12
            06 08 2B 06 01 02 01 01 01 00   objectid, len=8, 1.3.6.1.2.1.1.1.0
            05 00                null, len=0
68
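A decoder that walks the PDU above, byte by byte, shows how the BER tag-length-value structure of the “ASN.1 subset” is actually read. This Python example is added here and is not from the lecture; the 43 bytes it parses are the ones shown on the slide, the tag-name table covers only the SNMPv1 PDU types, and the bounds check in `read_tlv` is the part a practitioner most wants, since an agent that trusts the length octets of a datagram from anywhere on the UDP network will read past its buffer.

```python
# The slide's PDU, as a hex string (bytes.fromhex ignores the spaces).
PDU_HEX = (
    "30 29 02 01 00 04 06 70 75 62 6C 69 63 A0 1C 02 04 05 AE 56 02 "
    "02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 01 00 05 00"
)
PDU = bytes.fromhex(PDU_HEX)

TAG_NAMES = {
    0x02: "INTEGER", 0x04: "OCTET STRING", 0x05: "NULL", 0x06: "OBJECT IDENTIFIER",
    0x30: "SEQUENCE", 0xA0: "GetRequest-PDU", 0xA1: "GetNextRequest-PDU",
    0xA2: "GetResponse-PDU", 0xA3: "SetRequest-PDU", 0xA4: "Trap-PDU",
}


def read_tlv(buf: bytes, pos: int) -> tuple:
    """Return (tag, value bytes, position after the value); short and long definite lengths."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):  # untrusted length octets must never run past the datagram
        raise ValueError("declared length exceeds buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """First octet packs the first two arcs (40*a + b); later arcs are base-128 with a continuation bit."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse(buf: bytes) -> list:
    """Recursive descent over TLVs; constructed tags (bit 0x20 set) contain nested TLVs."""
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        name = TAG_NAMES.get(tag, hex(tag))
        if tag & 0x20:
            items.append((name, parse(value)))
        elif tag == 0x02:
            items.append((name, int.from_bytes(value, "big", signed=True)))
        elif tag == 0x04:
            items.append((name, value.decode("ascii", "replace")))
        elif tag == 0x05:
            items.append((name, None))
        elif tag == 0x06:
            items.append((name, decode_oid(value)))
        else:
            items.append((name, value.hex()))
    return items


def decode_snmp(buf: bytes) -> dict:
    """Map the parsed tree onto the SNMPv1 message fields named on the slide."""
    [(_, message)] = parse(buf)
    (_, version), (_, community), (pdu_type, pdu) = message
    (_, request_id), (_, error_status), (_, error_index), (_, varbinds) = pdu
    bindings = [(oid, val) for _, ((_, oid), (_, val)) in varbinds]
    return {
        "version": version, "community": community, "pdu_type": pdu_type,
        "request_id": request_id, "error_status": error_status,
        "error_index": error_index, "varbinds": bindings,
    }


def rejects_truncated(buf: bytes) -> bool:
    """True if a datagram whose outer length claims more bytes than arrived is refused."""
    try:
        parse(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for k, v in decode_snmp(PDU).items():
        print(f"{k:>13}: {v}")
```

Note that the community string travels as a plain OCTET STRING: anyone who can capture the datagram reads it, which is the authentication weakness the later SNMPv2 slide refers to.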
SNMP vs SNMPv2
• History in Brief
• More features (more complex)
• BIG increase in security
– authentication and integrity
– access controls
– security and privacy
• Better access controls in Views
• Trap confirmations
• Knowledge of multiple managers
69
Enterprise Architecture
• SNMP is designed for simple, manager-to-agent communications
• CMIP is complex and bulky, but complete
• Most Enterprise networks can’t be managed
directly from a single place
70
Enterprise Management
CMIP
Managers
Separate
Organization
SNMP
Managers
Local
Networks
71
Management Tools
• Packet Analyzer
• Media Analyzers (TDR, OTDR, BER Tester)
• RMON devices
• Hosts (?)
72
Software Tools
• Hosted on PCs
• Hosted on Unix Workstations
• Commercial Packages
73
Decent Books
• Network Management Standards 2d ed
– Uyless Black
• The Simple Book, 2d ed
– Marshall T. Rose
• Communication Networks Management, 2d ed
– Kornel Terplan
• Internetworking with TCP/IP, Vol I, 3d ed
– Douglas E. Comer
74
Defining Network Security
Security is prevention of unwanted information
transfer
• What are the components?
– Physical Security
– Operational Security
– Human Factors
– Protocols
75
Areas for Protection
• Privacy
• Data Integrity
• Authentication/Access Control
• Denial of Service
76
Regulations and Standards
• Computer Crime Laws
• Encryption
• Government as “Big Brother”
77
Security
Threat, Value and Cost Tradeoffs
• Identify the Threats
• Set a Value on Information
• Add up the Costs (to secure)
Cost < Value * Threat
78
Threats
• Hackers/Crackers (“Joyriders”)
• Criminals (Thieves)
• Rogue Programs (Viruses, Worms)
• Internal Personnel
• System Failures
79
Network Threats
• IP Address spoofing attacks
• TCP SYN Flood attacks
• Random port scanning of internal systems
• Snooping of network traffic
• SMTP Buffer overrun attacks
80
Network Threats (cont.)
• SMTP backdoor command attacks
• Information leakage attacks via finger, echo,
ping, and traceroute commands
• Attacks via download of Java and ActiveX
scripts
• TCP Session Hijacking
• TCP Sequence Number Prediction Attacks
81
Threat, Value and Cost Tradeoffs
• Operations Security
• Host Security
• Firewalls
• Cryptography: Encryption/Authentication
• Monitoring/Audit Trails
82
Host Security
• Security versus Performance & Functionality
• Unix, Windows NT, MVS, etc
• PCs
• “Security Through Obscurity” ☹
83
Host Security (cont)
• Programs
• Configuration
• Regression Testing
84
Network Security
• Traffic Control
• Not a replacement for Host-based
mechanisms
• Firewalls and Monitoring, Encryption
• Choke Points & Performance
85
Access Control
• Host-based:
– Passwords, etc.
– Directory Rights
– Access Control Lists
– Superusers ☹
• Network-based:
– Address Based
– Filters
– Encryption
– Path Selection
86
Network Security and Privacy
• Protecting data from being read by unauthorized persons.
• Preventing unauthorized persons from inserting and deleting
messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.
87
FIREWALLS
• Prevent against attacks
• Access Control
• Authentication
• Logging
• Notifications
88
Types of Firewalls
• Packet Filters
– Network Layer
• Stateful Packet Filters
– Network Level
• Circuit-Level Gateways
– Session Level
• Application Gateways
– Application Level
[Figure: the seven OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) drawn beside the firewall types to show the level at which each operates]
89
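The difference between the first two types, a packet filter that judges each packet on its own and a stateful filter that remembers connections, is where most of the security value lies, and a small simulation makes it visible. This Python example is added here and is not from the lecture: the protected 10.0.0.0/8 network, the rule set (outbound web allowed, nothing else inbound) and the three packets are all constructed, and the external addresses come from the 192.0.2.0/24 documentation range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed: the network behind the firewall


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter (network level): every packet is judged on its own header fields."""
    if is_internal(pkt.src) and pkt.dport == 80:
        return True  # outbound web traffic
    if is_internal(pkt.dst) and pkt.sport == 80:
        return True  # the only way to let web replies back in: trust anything from source port 80
    return False


class StatefulFilter:
    """Stateful packet filter: remembers connections opened from inside and admits only their replies."""

    def __init__(self):
        self.connections = set()  # (src, sport, dst, dport) of tracked outbound connections

    def check(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_internal(pkt.src) and pkt.dport == 80:
            if pkt.syn:
                self.connections.add(key)  # new outbound connection: start tracking it
            return key in self.connections
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reply_of in self.connections  # inbound: allowed only as the reply to a tracked connection


def scenario() -> dict:
    """(stateless verdict, stateful verdict) for three constructed packets."""
    outbound = Packet("10.1.2.3", 40000, "192.0.2.10", 80, syn=True)
    reply = Packet("192.0.2.10", 80, "10.1.2.3", 40000)
    # Unsolicited packet: source port 80, aimed at an internal host's port 22.
    unsolicited = Packet("192.0.2.99", 80, "10.1.2.3", 22)
    stateful = StatefulFilter()
    return {
        "outbound": (stateless_filter(outbound), stateful.check(outbound)),
        "reply": (stateless_filter(reply), stateful.check(reply)),
        "unsolicited": (stateless_filter(unsolicited), stateful.check(unsolicited)),
    }


if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(f"{name:>12}: stateless={verdicts[0]}  stateful={verdicts[1]}")
```

Both filters pass the legitimate connection and its reply; only the stateful one refuses the unsolicited packet, because the stateless rule that admits replies has to be written in terms of a header field the outside party controls. The price is the connection table, which is the resource a SYN flood (listed among the Network Threats above) tries to exhaust.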
Packet Level
• Sometimes part of router
• TAMU “Drawbridge”
[Figure: Campus network behind the Drawbridge and a Router, facing ROTW]
90
Circuit Level
• Dedicated Host
• Socket Interfaces
[Figure: Local network, FW, ROTW]
91
Application Level
• Needs a dedicated host
• Special Software most everywhere
[Figure: a telnet session passing through the Firewall to ROTW]
92
Firewall Installation Issues
[Figure: INTERNET, Router, and the FTP, DNS, Web and Mail servers placed around the firewall]
93
Firewall Installation Issues
• DNS Problems
• Web Server
• FTP Server
• Mail Server
• Mobile Users
• Performance
94
Address Transparency
• Need to make some addresses visible to
external hosts.
• Firewall lets external hosts connect as if
firewall was not there.
• Firewall still performs authentication
95
[Figure: a Gateway/Firewall performing Network Address Translation between the internal 10.0.0.0 network and the Internet-visible 128.194.103.0 network]
96
Network Address Translation
[Figure: Host A (Internal Host) running ftp, the Gateway Host running gw control and proxy ftp, and Host B (External Host) running ftpd, each with a TCP / IP / Data Link / Hardware stack; the datagram is labelled A→GW on the inside and A→B on the outside]
97
97
IP Packet Handling
• Disables IP Packet Forwarding
• Cannot function as an insecure router
– e.g. ping packets will not be passed
• Fail Safe rather than Fail Open
• Only access is through proxies
98
DNS Proxy Security
[Figure: DNSd on the Eagle Gateway (eagle.xyz.com) sits between the External DNS Server on the INTERNET and the internal hosts finance.xyz.com, sales.xyz.com and marketing.xyz.com]
99
Virtual Private Tunnels
[Figure: the message “Hello” is encapsulated, authenticated and encrypted into ciphertext (“!@@%*”) before crossing the INTERNET, then decrypted, authenticated and decapsulated back to “Hello” at the far end]
Creates a “Virtual Private Network”
100
VPN Secure Tunnels
• Two types of Tunnels supported
– SwIPe and IPsec tunnels
• Encryption
– DES, triple DES and RC2
• Secret key used for authentication
and encryption
• Trusted hosts are allowed to use the tunnel
on both ends
101
Designing DMZ’s
[Figure: a Screening Router between the INTERNET and a DMZ holding the Web, FTP and Mail servers, with the Company Intranet behind it]
102
Firewall Design Project
[Figure: two sites, San Jose and Dallas, joined by a Wide Area Router, with a File Server, a Mail Server and an Internet Router; the INTERNET connection is protected by Raptor Eagle, Raptor Remote and Hawk Console components]
103
103
Monitoring
• Many tools exist for capturing network traffic.
• Other tools can analyze captured traffic for
“bad” things.
• Few tools are real-time.
104
Summary
• Security must be comprehensive to be
effective.
• Remember threat, value, cost when
implementing a system.
• Security is achievable, but never 100%.
• Make your system fault tolerant.
105
Where Do the 7 layers “fit”?
Or, where is the dividing line between hardware & software?
[Figure: the seven layers, 7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data Link, 1 Physical, with a “?” marking where the hardware/software line falls]
106
Implementing the Model
[Figure: a stack of User Space Software, OS Space Software, Firmware and Hardware]
107
Some More Definitions
• User Space Software - Code that executes as any
program that a normal user could compile and run
• OS Space Software - Code that executes on the host
CPU but in a mode or with special access that normal users can
not use
• ‘Firmware’ - Code that executes on a processor (special or
general purpose) that is different from the host CPU; may be in
PROM or RAM downloaded from another source
• Hardware - Generally special purpose VLSI and analog/linear
interface components
108
Assigning the 7 layers
• Performance vs. Flexibility
109