presentation8


COMP3122
Network Management
Richard Henson
March 2012
Week 8: Internet Access,
Web Services, and
Remote Access

Objectives:
– Configure a specified web server to support www
& ftp sites
– Run a world wide web site that includes server
scripting
– Configure a server to accept services by remote
access
(The examples this week use IIS on Windows Server; the
equivalent web server on Unix/Linux is Apache)
“Web Service” access
The following diagram illustrates the relationship
between web client and web server processes:
– the client program sends a request for information…
– the server program processes the request and sends a response
back to the client, which reads the results
[Diagram: CLIENT (Client Program: Send Request, Read Results) and SERVER (Server Program: Process Request, Send Back Results), joined by the arrows REQUEST and RESPONSE]
Internal & External Access
to Web Services
Both use, by default, http (TCP port 80); https (TCP port 443)
where the traffic must be protected in transit
Both use a specified area on the server
for webpages (the web root)
The scheme in the URL (http:// or https://) selects the protocol;
browsers assume http:// when it is omitted

– Internal host service (Intranet) can be
accessed via resource name (host name) or IP address
– External host needs a public DNS domain name (or public IP address)
Access to Web Services
across a local network

Each web service has a unique name
– e.g. “mywebsite”, “myftpsite”

For Internal network access…
– www services accessed at the client end using
an Internet Browser
– the site name maps by default to the root www service
folder, e.g. C:\Inetpub\wwwroot on IIS
Access Control and
Internal Web Services
(Intranet)

Access controlled by:
– EITHER username/password protection of
pages beyond the home page
– OR integrated authentication of the user’s login name
against active directory (or equivalent) for access
to the whole service
Accessing through the
world wide web

Full URL needed to gain access
– i.e. http://<local www name>.<domain name>/

Access to service controlled through a
requirement to login
– by default, all users are automatically logged
on as an “anonymous” account (the Internet
Guest account, IUSR_<machinename> on IIS 5/6)
Web-based Client-Server
Model
[Diagram: browser and web server. Logon at the server end is optional: most web pages are accessed directly through the “anonymous” guest logon, with no password]
IIS
(Internet Information Services; originally “Server”)

IIS has shipped with Windows Server since 1996
(IIS 1.0 for NT 3.51)…
– Active Server Pages (ASP), from IIS 3.0 (late 1996): a
server-side scripting environment, scripted by default in
VBScript (a Visual BASIC dialect)
– .asp files mixed HTML with script that ran on the server to
perform tasks and generate the page sent to the client
browser
» exposed a set of built-in COM objects (Request, Response,
Server, Session, Application) and could instantiate other
COM/COM+ components
IIS and Security

By 2000…
– IIS (versions 4 and 5) was widely acknowledged to be one of
the major security weaknesses of
Microsoft platforms interfacing with the
web
» ASP script is interpreted source held on the server; several IIS
source-disclosure bugs let clients read it, including any
database credentials embedded in it
» IIS flaws (e.g. the 2000 Unicode directory-traversal bug) were
exploited by mass worms such as Code Red and Nimda in 2001
The .net framework
and web services

Major IIS change in 2002 -> the .net
framework (v1.0) and ASP.NET
– server logic sits in compiled .net assemblies (“code-behind”),
not in interpreted script embedded in the page; the .aspx
page itself holds only HTML and declarative markup
– Windows 2003 has .net v1.1 built-in (with IIS v6)
– .net framework required to run ASP.NET server
code and access databases (ADO.NET)
.net framework
and Active Directory

.net took a while to mature… (!)
– .net v1.1 was still not there
» nor was the .net shipped with the first release of 2003 Server…

– the early object framework did not interface
well with active directory
Windows 2003 WAS a success…
– but NOT because of the .net framework!
.net framework v2.0
and Active Directory

.net v2.0 was released (November 2005) some time after 2003
server
– extended the Active Directory namespace System.DirectoryServices
(present since .net 1.0) with System.DirectoryServices.ActiveDirectory
» domains, forests, domain controllers and sites as .net objects
– allowed more effective linking of active
directory objects with .net objects. e.g.’s
» http://www.vsj.co.uk/dotnet/display.asp?id=409
– helped .net to become a popular platform
Management of Groups
of Web Pages

IIS performs various “server end” tasks:
– controlled access to the contents of web
sites
– home or “root” directory path
– name definition(s) for “home page” e.g
index.html, index.aspx
– the right scripting “engine” for files
containing executable code
» interpreted on each request (classic ASP), compiled on first
request (ASP.NET), or native code executed directly (ISAPI
extensions and filters)
Home Page Service
for websites

Agreed home page convention by ISPs (inherited from the
NCSA/Apache “DirectoryIndex” setting):
– home page is index.htm, index.html
– this page is downloaded when the domain name is
entered in the browser window

Microsoft home page convention:
– default.htm/html
– default.aspx

The IIS default-document list can (and, for portability,
should) be extended with index.html; the order of the list
is the “pecking order” IIS tries for each directory
Setting up an IIS
FTP service

FTP protocol is ancient (first specified in RFC 114, 1971;
current standard RFC 959, 1985; control connection on TCP port 21)
– still popular & works well for
uploading/downloading
– but user name and password cross the network in clear text:
use anonymous FTP for public downloads, and FTPS or SFTP
where the logon matters
– the separate data connection (active or passive mode) needs
thought at the firewall

IIS allows configuration of an FTP server
for:
– Internal ftp access:
» local ftp service name
– External ftp access:
» local name.domain name

FTP server can be accessed:
– directly through the browser (ftp:// URL)
– using an ftp client
Accessing an
IIS SMTP service
SMTP (Simple Mail Transfer Protocol) grew out of the mail
commands of early ARPANET FTP; the standard is RFC 821
(1982), now RFC 5321; servers listen on TCP port 25
IIS’s SMTP service (web-based or internal) is set
up in the same way as FTP

– same access rights/limitations, etc.
– relaying must be restricted to internal addresses or
authenticated users: an “open relay” is quickly found
and abused for spam

Further software (Exchange Server)
needed to provide a full mail service
– the IIS SMTP service only sends and receives; it has no
user mailboxes (mail for local domains lands in a Drop folder)
Setting up an Exchange
Mail Server Service

Exchange is complex software
– mail servers have large resource requirements

Directory: X.500-style
– Exchange 5.5 kept its own directory of mailbox users
– since Exchange 2000 that directory IS Active Directory:
mailbox details are attributes of the AD user objects!

Further stores:
– incoming messages that need distributing to
mailboxes (queues)
– mailboxes & their messages (the mailbox store)
– the list of existing mailbox names (held in the directory)
A POP3 service


SMTP sends messages between mail
servers (and from a client to its outgoing server)
Cannot be used to download mail from
mailboxes to clients
– need to use the POP3 protocol (RFC 1939, TCP port 110),
or IMAP if messages are to stay on the server

POP3 Server principles:
– user logs on to server (USER and PASS commands)
» the credentials travel in clear text unless the session is
wrapped in TLS (POP3S on port 995, or STLS)
– if user is authorised:
» any messages in that user’s mailbox are located
» all messages downloaded to local folder by POP3 client
software, and by default deleted from the server once the
session ends with QUIT
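The POP3 logon-and-download sequence above as a runnable exchange, added here and not part of the slides: a toy server implementing the RFC 1939 commands the slide lists, driven by a client built on Python’s standard poplib. The mailbox, the user alice and the password hunter2 are constructed data; the server records each command line as it crossed the wire, which is how the clear-text PASS shows up.

```python
import hmac
import poplib
import socketserver
import threading

# Constructed mailbox: one account with two messages waiting on the server.
MAILBOX = {"alice": {"password": "hunter2", "messages": [
    b"From: bob@example.test\r\nSubject: lunch\r\n\r\nNoon?\r\n",
    b"From: carol@example.test\r\nSubject: report\r\n\r\nAttached.\r\n",
]}}
WIRE_LOG = []   # every command line exactly as it crossed the wire


class Pop3Handler(socketserver.StreamRequestHandler):
    """Server side: the RFC 1939 subset USER/PASS, STAT, LIST, RETR, DELE, QUIT."""

    def reply(self, line):
        self.wfile.write(line.encode() + b"\r\n")

    def handle(self):
        user, msgs, deleted = None, None, set()
        self.reply("+OK toy POP3 ready")
        while True:
            raw = self.rfile.readline()
            if not raw:                       # client went away
                return
            line = raw.decode(errors="replace").rstrip("\r\n")
            WIRE_LOG.append(line)             # note: 'PASS hunter2' is visible here
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.reply("+OK")
            elif cmd == "PASS":
                acct = MAILBOX.get(user or "")
                if acct and hmac.compare_digest(acct["password"].encode(), arg.encode()):
                    msgs = acct["messages"]   # authorised: mailbox located
                    self.reply("+OK logged in")
                else:
                    self.reply("-ERR authentication failed")
            elif cmd == "QUIT":
                if msgs is not None:          # deletions take effect only now
                    msgs[:] = [m for i, m in enumerate(msgs) if i not in deleted]
                self.reply("+OK bye")
                return
            elif msgs is None:
                self.reply("-ERR not authenticated")
            elif cmd == "STAT":
                live = [m for i, m in enumerate(msgs) if i not in deleted]
                self.reply(f"+OK {len(live)} {sum(map(len, live))}")
            elif cmd == "LIST":
                self.reply("+OK scan listing follows")
                for i, m in enumerate(msgs):
                    if i not in deleted:
                        self.reply(f"{i + 1} {len(m)}")
                self.reply(".")
            elif cmd == "RETR":
                i = int(arg) - 1 if arg.isdigit() else -1
                if 0 <= i < len(msgs) and i not in deleted:
                    self.reply(f"+OK {len(msgs[i])} octets")
                    self.wfile.write(msgs[i] + b".\r\n")   # multi-line, dot-terminated
                else:
                    self.reply("-ERR no such message")
            elif cmd == "DELE":
                deleted.add(int(arg) - 1)
                self.reply("+OK marked for deletion")
            else:
                self.reply("-ERR unknown command")


def start_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Pop3Handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def download_mail(port, user, password, delete=True):
    """Client side with poplib: log on, copy every message into a local folder
    (a list here) and, as most POP3 clients do by default, delete the server copies."""
    client = poplib.POP3("127.0.0.1", port, timeout=5)
    client.user(user)
    client.pass_(password)            # raises error_proto on '-ERR'
    count, _octets = client.stat()
    local_folder = []
    for n in range(1, count + 1):
        _resp, lines, _size = client.retr(n)
        local_folder.append(b"\r\n".join(lines) + b"\r\n")
        if delete:
            client.dele(n)
    client.quit()
    return local_folder


def run_demo():
    """(messages downloaded, messages left on server, wrong password refused?, wire log)"""
    srv = start_server()
    port = srv.server_address[1]
    try:
        got = download_mail(port, "alice", "hunter2")
        try:
            download_mail(port, "alice", "wrong")
            refused = False
        except poplib.error_proto:
            refused = True
    finally:
        srv.shutdown()
        srv.server_close()
    return got, list(MAILBOX["alice"]["messages"]), refused, list(WIRE_LOG)
```

Run `run_demo()` and inspect the fourth item: the line `PASS hunter2` is there in full, which is the whole case for POP3S or STLS on any network you do not control.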
Administering the
Web Service

Software GUI tools for IIS administration
– MMC
– the “Internet Information Services (IIS) Manager” snap-in

Command line tools for IIS administration
– on Windows 2003: administration scripts run with cscript,
e.g. iisweb.vbs, iisftp.vbs, adsutil.vbs
– optional browser-based Remote Administration (HTML) tool,
served over https on port 8098

Access to these tools needs to be restricted…
– they run with administrative rights; the web console in
particular should be unreachable from untrusted networks
Service should allow a number of different web
sites to be set up in different folders
Excellent website (for W2003, IIS v6)
– http://www.windowsnetworking.com/articles_tutorials/Web-Sites-Windows-2003.html
Administering the
WWW Service

IP address of the web server is normally that of the
host machine
– there needs to be provision for
» manual settings
» several addresses, e.g. multiple websites running from separate
folders (or, with HTTP/1.1, several sites sharing one address and
distinguished by the Host header)

Typical set up & management tasks required for each
website:
– website name, port, home directory, default document pecking
order
– optional username/password & access permissions
– “virtual directories”
– an https binding with a server certificate issued by a
public key infrastructure (PKI)
Web Services and The Cloud

Companies like Amazon, Google
(apps), and salesforce.com have
created web services (XML over http) and
made them available to a wider public
for storing their data
– this approach benefits most those companies
that are experiencing relatively quick growth
– instead of buying new storage resources
every year, organisations can quickly and
easily purchase more "cloud space"
Cloud Services, the future,
and Security

Cloud computing can offer applications as-a-service as well…
– a future is predicted where everything is
outsourced and no kind of local CPU is even
needed
– employees will simply have a monitor, keyboard,
and mouse that will allow them to connect to the
cloud for all of their resources (!)
– but will this be secure? And what comeback will
organisations have if something goes wrong?
Open Access v Logon
to Web Server?
Allowing network or external users to
access part of the server has its risks!
One strategy: allow “anonymous” access

– anyone can connect and use the
service without supplying credentials
– but the request runs only with the “guest-equivalent” (i.e.
minimum) access rights of the anonymous account
» can be frustrating for users who need more…
Open Access v Logon
to Web Server?

Alternative: request
username/password access
– access rights then depend on user
privilege
– no longer “open access”
– but good for auditing and control
Open Access v Logon
to Web Server?

Servers in general:
– potentially open to attack by both internal
and external network users (security vital)

Standard web server practice:
– no file access possible other than at and
below the designated root
» the server must reject attempts to climb above it with “..”
segments, including percent-encoded forms, before it touches
the file system
– main issues for the system regarding user
requests for web access:
» whether or not to allow access at all
» whether to allow read only or read-write access
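The behaviours from the last few slides in working code: the request/response exchange between client and server programs, a home page open to the “anonymous” user with a username/password required for pages beyond it (Access Control slides), the root directory with its default-document pecking order (Management of Groups of Web Pages, Home Page Service), and the rule that nothing outside the designated root is readable. This is an added example, not part of the lecture and not IIS’s own implementation; it uses only the Python standard library, and the site tree, the account alice/s3cret, the realm name and the default-document order are assumptions for the demo.

```python
import base64
import hmac
import http.client
import os
import posixpath
import tempfile
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DEFAULT_DOCUMENTS = ["index.html", "index.htm", "default.htm"]  # the pecking order
USERS = {"alice": "s3cret"}   # constructed demo account; store real ones hashed

def normalise(url_path):
    """Decode %xx, drop any query string, collapse ./ and ../ (so /%2e%2e/x -> /x)."""
    decoded = urllib.parse.unquote(url_path.split("?", 1)[0])
    return posixpath.normpath("/" + decoded.lstrip("/"))

def map_request_to_file(root, url_path):
    """File at or below `root` for a URL path, else None; the realpath test is the jail."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, normalise(url_path).lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None                                  # escaped the web root
    if os.path.isdir(candidate):                     # directory: first default doc present
        candidate = next((os.path.join(candidate, n) for n in DEFAULT_DOCUMENTS
                          if os.path.isfile(os.path.join(candidate, n))), "")
    return candidate if os.path.isfile(candidate) else None

def basic_header(user, password):
    """Client's 'Authorization: Basic' value: base64 of user:password (NOT encryption)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(header):
    """User name proven by a Basic header, else None; password compare is constant-time."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    ok = hmac.compare_digest(USERS.get(user, "").encode(), pw.encode())
    return user if ok and user in USERS else None

class IntranetHandler(BaseHTTPRequestHandler):
    root = None                                  # document root, set before serving

    def do_GET(self):
        # The home page ("/") is open to the anonymous user; anything deeper needs a logon.
        if normalise(self.path) != "/" and not authenticate(self.headers.get("Authorization")):
            self.send_response(401)              # challenge the browser for credentials
            self.send_header("WWW-Authenticate", 'Basic realm="intranet"')
            return self.end_headers()
        target = map_request_to_file(self.root, self.path)   # root jail + default docs
        if target is None:
            self.send_response(404)
            return self.end_headers()
        with open(target, "rb") as fh:
            body = fh.read()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def build_site(base):
    """Constructed tree: home page, a staff-only area, and a file OUTSIDE the web root."""
    root = os.path.join(base, "wwwroot")
    os.makedirs(os.path.join(root, "private"))
    for rel, text in [("wwwroot/index.html", "welcome (anonymous)\n"),
                      ("wwwroot/private/index.htm", "staff only\n"),
                      ("secret.txt", "must not leak\n")]:
        with open(os.path.join(base, rel), "w") as f:
            f.write(text)
    return root

def fetch(port, path, user=None, password=None):
    """Client side of the exchange: one GET, returning (status, body, challenge)."""
    headers = {"Authorization": basic_header(user, password)} if user else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    out = (resp.status, resp.read().decode(), resp.getheader("WWW-Authenticate"))
    conn.close()
    return out

def run_demo():
    """Serve the constructed site on 127.0.0.1 and exercise each access case."""
    IntranetHandler.root = build_site(tempfile.mkdtemp())
    srv = ThreadingHTTPServer(("127.0.0.1", 0), IntranetHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        return {"home_anon": fetch(port, "/"),
                "private_anon": fetch(port, "/private/"),
                "private_bad": fetch(port, "/private/", "alice", "wrong"),
                "private_ok": fetch(port, "/private/", "alice", "s3cret"),
                "traversal": fetch(port, "/%2e%2e/secret.txt", "alice", "s3cret")}
    finally:
        srv.shutdown()
        srv.server_close()
```

Two design points worth noticing: the traversal check decodes the path first and then normalises it, so an encoded `..` gets the same treatment as a literal one, and the 401 challenge is issued before any file is opened, so the jail and the logon are independent lines of defence. Basic authentication is only as private as the channel; on a real intranet it belongs behind https.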
Offering a Proxy Service


A Proxy Server typically runs on, or alongside, the server being
used as a Firewall
Acts as an intermediate party between the
Internet and local network services:
– intercepts user requests for services such as WWW and FTP
– decides whether or not to forward them to the true
server

The effect is that the internal and external
computers talk to the proxy service rather
than directly to each other
The Proxy Service approach
[Diagram: Internal Network sends its request to the proxy server; the Firewall with Proxy service forwards it, if permitted, to the Real server]
Proxy Service - continued

User on either side of the firewall…
– has the illusion of talking to a real server
– in fact is dealing with a proxy

IF an outside user tries to “hack” into the network
server, the internal network architecture (addresses, host
names) stays hidden behind the proxy
A proxy server can be programmed to block
certain requests, sites, actions e.g:
– blocking certain WWW sites
– preventing FTP downloads
Proxy Service
Provides network client machines with
controlled access to the Internet
Clients can only gain access to the
Internet via the Proxy Service (the firewall blocks
direct outbound connections)
Enables the network administrator to
control:

– which TCP ports, and therefore which
protocols, can be used
– which (if any) external IP addresses can be
accessed/filtered
Proxy Service
Can also provide a storage facility for
web pages (web cache)
Means that clients don’t need to keep
going out onto the Internet to access the
same page

– web cache speeds up access to regularly
accessed web pages
– less actual www traffic, so more bandwidth
available to those accessing pages that
haven’t been previously downloaded
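The decision logic of the proxy described on the last few slides (port and protocol control, blocked sites, no FTP downloads, and the web cache), as an added example that is not from the lecture or any particular proxy product. The policy values, the constructed requests, the fake clock and the stand-in for the real server are assumptions so that it runs offline.

```python
import time
from urllib.parse import urlsplit

# Constructed policy for the demo: the kind of rules a site proxy enforces.
POLICY = {
    "allowed_ports": {80, 443},                 # which TCP ports (hence protocols)
    "blocked_hosts": {"games.example.test"},    # "blocking certain WWW sites"
    "blocked_schemes": {"ftp"},                 # "preventing FTP downloads"
    "allowed_methods": {"GET", "HEAD", "POST", "CONNECT"},
}
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def parse_request(raw):
    """Break a proxy-style request (absolute URL in the request line, or
    'CONNECT host:port') into the fields the policy needs."""
    line = raw.split("\r\n", 1)[0]
    parts = line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    if method == "CONNECT":                     # client wants a raw TCP tunnel
        host, _, port = target.rpartition(":")
        return {"method": method, "scheme": "https", "host": host.lower(),
                "port": int(port), "path": "", "url": target}
    u = urlsplit(target)
    if not u.scheme or not u.hostname:
        raise ValueError("proxy requests carry an absolute URL")
    return {"method": method, "scheme": u.scheme, "host": u.hostname.lower(),
            "port": u.port or DEFAULT_PORTS.get(u.scheme, 0),
            "path": u.path or "/", "url": target}


def decide(req, policy=POLICY):
    """(forward?, reason).  Default is deny: a request passes every rule or none."""
    if req["method"] not in policy["allowed_methods"]:
        return False, "method not permitted"
    if req["scheme"] in policy["blocked_schemes"]:
        return False, f"{req['scheme']} downloads blocked"
    if req["port"] not in policy["allowed_ports"]:
        return False, f"port {req['port']} not permitted"
    for blocked in policy["blocked_hosts"]:      # block the site and its subdomains
        if req["host"] == blocked or req["host"].endswith("." + blocked):
            return False, "site blocked"
    if req["method"] == "CONNECT" and req["port"] != 443:
        return False, "CONNECT only to 443"
    return True, "forward"


class WebCache:
    """Successful GET responses keyed by URL, kept for `ttl` seconds."""

    def __init__(self, ttl=300, clock=time.monotonic):
        self.ttl, self.clock, self.store = ttl, clock, {}
        self.hits = self.misses = 0

    def lookup(self, req):
        if req["method"] == "GET":
            entry = self.store.get(req["url"])
            if entry and self.clock() - entry[0] < self.ttl:
                self.hits += 1
                return entry[1]
        self.misses += 1
        return None

    def put(self, req, body):
        if req["method"] == "GET":
            self.store[req["url"]] = (self.clock(), body)


def handle(raw, cache, origin_fetch, policy=POLICY):
    """One request through the proxy: parse, apply policy, then serve from the
    cache or from the real server (origin_fetch stands in for the network)."""
    req = parse_request(raw)
    ok, reason = decide(req, policy)
    if not ok:
        return "403", reason, None
    if req["method"] == "CONNECT":
        return "200", "tunnel established", None
    body = cache.lookup(req)
    if body is not None:
        return "200", "cache hit", body
    body = origin_fetch(req)
    cache.put(req, body)
    return "200", "fetched", body


def run_demo():
    """Push constructed requests through the proxy with a fake clock and a fake
    origin; returns (results, urls really fetched, cache)."""
    clock = [1000.0]
    cache = WebCache(ttl=60, clock=lambda: clock[0])
    fetched = []

    def origin_fetch(req):                       # the 'real server'
        fetched.append(req["url"])
        return f"<html>{req['host']}{req['path']}</html>"

    requests = [
        "GET http://www.example.test/news HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
        "GET http://www.example.test/news HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
        "GET http://games.example.test/ HTTP/1.1\r\nHost: games.example.test\r\n\r\n",
        "GET ftp://files.example.test/pub/tool.zip HTTP/1.1\r\n\r\n",
        "GET http://www.example.test:8080/admin HTTP/1.1\r\n\r\n",
        "CONNECT mail.example.test:443 HTTP/1.1\r\n\r\n",
        "CONNECT mail.example.test:25 HTTP/1.1\r\n\r\n",
    ]
    results = [handle(r, cache, origin_fetch) for r in requests]
    clock[0] += 120                              # cached copy is now stale
    results.append(handle(requests[0], cache, origin_fetch))
    return results, fetched, cache
```

The policy is applied before the cache is consulted, so a site that becomes blocked cannot still be served from an old cached copy, and CONNECT is confined to port 443 because an unrestricted CONNECT turns the proxy into a general-purpose TCP relay, which defeats the port control the slide describes.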
Streaming Media Service

Serves streaming sound/video/animation files
to multiple users simultaneously
– across the network
– across the Internet
» If connection has sufficient bandwidth

Also provides the conversion software codecs
to produce and run the streaming media files
How Does Streaming
Technology Work?
A streaming sound file is no longer in a
.wav or .mid format
Using special software, any sound file
can be:

– converted/compressed into a streaming format
– accessed remotely using e.g.
rtsp://server/path/filename

A suitable audio player is then needed
to play the streaming audio
– it must contain its own software codecs
Real Audio
Historically the most popular Internet
streaming system
– .ram file is a small text “metafile” containing the rtsp://
URL that the browser hands to the player
– .ra file contains the sound data itself, which the server
sends piece by piece using streaming
technologies

How Does Streaming
Technology Work?

The .ra file is stored on a remote server
– path begins with rtsp://
» tells an application that:
» the file is located externally on a streaming server
» it is fetched with the Real Time Streaming Protocol (RTSP, RFC 2326)
– next in the path:
» name of the folder on the streaming server where the
file resides
» finally the name of the target file itself
Secure Remote Access
to the Network Servers

Two realistic possibilities:
– via telephone line to server (dial-up)
– via secure channel through the Internet (VPN)

Both are provided by Windows Servers as the
“Routing and Remote Access service” (RRAS)
– not enabled by default
– Wizard eases installation
Access to www service
via Telephone

ISPs use RAS to provide logon connections
for multiple users via:
– standard (analogue) phone link
» one modem needed on/connected to the server for each remote
connection – still needed in some parts of the country
– ISDN (largely replaced by… ADSL)

As with www, ftp, email services:
– appropriate security arrangements need to be in
place
– appropriate client-server protocols required (PPP on the
link, TCP/IP carried over it)
Remote Access Service

Public Telephone network, security options:
– callback security
» server accepts the call, verifies the user, hangs up
» and calls the user back!
» only “always call back to” a number fixed by the administrator
is a security control; “set by caller” is merely a convenience,
since the caller chooses the number
– logon
» only authorised users are allowed to log on
– encryption
» logon data (and, with MPPE, the whole session) should be
encrypted: PAP sends the password in clear
– PPTP filtering
» accepts only PPTP packets on the interface, so the dial-in
server exposes nothing else
Remote Access Service

Dial-up (OSI level 1/2) Protocols
– SLIP (Serial Line Internet Protocol, RFC 1055)
» developed in 1984
» now old hat!
– PPP (Point-to-Point Protocol, RFC 1661)
» current standard
» more flexible than SLIP
» allows a greater range of network-layer protocols (IP, IPX…)
» allows remote allocation of IP addresses to clients: the
address is negotiated by PPP’s IPCP, and an RRAS server can
draw it from a DHCP pool or a static range
Remote Access via
VPN within the Internet

Protocols for creating a secure channel
through the Internet:
– PPTP (Point-to-Point Tunnelling Protocol)
» tunnels PPP frames, so PPP’s authentication and MPPE
encryption protect the traffic
» control connection on TCP port 1723; the data travels in GRE
(IP protocol 47), which the firewall must also pass
» its MS-CHAP authentication has known weaknesses and PPTP is
no longer recommended
– L2TP now more popular
» UDP port 1701
» L2TP itself does not encrypt: it is deployed as L2TP/IPsec,
which adds UDP 500 (IKE), UDP 4500 (NAT traversal) and ESP
(IP protocol 50)
Thanks for Listening