Transcript Japan

Telecommunication and data handling system at NMCs
Doc. 3.3 (1) Presentation version
GTS Seminar 2002 (Thailand, 23 to 27 September 2002)
Contents
1. Overview of function at NMCs
1.1 Connect to neighboring centre
1.2 Provide data to local offices
2. PC-based system at NMCs
2.1 FTP service
2.2 Security setting
2.3 Tools
3. Design of Operation
3.1 Design of host switching
3.2 Design of trigger which processes received data
3.3 Introduction of RSMC server
Submitted By Atsushi Sugano (Japan)
1. Overview of function at NMCs
** Exchange data within a fixed time.
** Maintain the system 24 hours a day in operation.
** Repair the system quickly.
** Easily extendable system.
** Connect the system to the TCP/IP network ( GTS network ).
(Figure: the office network behind a router, firewall and NAT, with an FTP server in a DMZ reached from the Internet by a specific protocol. Routers rarely break. Internet users can only access Network C. Even if Network B has trouble, Network A works normally with the other networks.)
** Firewall
It is used to guard the internal network from hackers.
** DMZ ( De-Militarized Zone )
The DMZ is the area that users access from the Internet.
** NAT ( Network Address Translation )
NAT automatically changes an IP address from internal to global.
NAT saves your global addresses.
(Figure: NAT between the office side ( internal ) and the Internet side ( global ): internal addresses A, B and C all appear outside as global address A. A server that must be reached from outside needs a fixed address and port.)
(Figure: a Unix server accessed from Unix PCs, Windows PCs and terminals running JOB-1 to JOB-5. Any user can access a data base. Auto processing runs on the server at a time schedule.)
Linux server
** There are many distributions.
** It works nonstop for months.
** OS patches are updated free.
** There are many kinds of OPEN SOURCE software for Internet, office, Unix…
** There is much information on the Internet and in books.
** It operates on anything from a cheap PC to an expensive UNIX machine.
** Anyone can do the maintenance.
OPEN SOURCE software
** FTP server: ProFTPD, Wu_ftpd, Ncftp…
** Web server: Apache
** Development: C, COBOL, Perl, java…
** Security: many software packages
** Office work: Open office, SAMBA
** Data base: Postgre SQL, Microsoft Access
1.1 Connect to neighboring centre
** Currently the Tokyo Message Switching System ( MSS ) uses socket
communication on TCP/IP for connection with neighboring centres.
** A socket processes messages as a sequential data stream, like Teletype.
** On a server, it is easy for a program to take in a socket data stream.
** The socket is convenient for controlling traffic on each line.
(Figure: example of a socket system on the GTS network linking New Delhi, Tokyo and Bangkok; the MSS soon finds a broken line. Each side has a passive open and an active open; ports X, Y and Z carry AN, BI and FX data respectively.)
** Each side fixes the port numbers for passive open and the IP address of the host.
** Each socket is used according to a type of data.
** The passive open port is always waiting for a connection request from the other side.
** The data sender connects to the receiver’s passive open port by active open.
** The active open host transmits data to the passive open host.
Message format for socket communication
** Socket header: message length ( 8 characters ) followed by message type ( 2 characters ).
** Message: SOH, CR CR LF, sequence number ( NNN or NNNNN ), CR CR LF, heading, CR CR LF, text, CR CR LF, ETX.
(Figure: hex dump of a sample frame. Its readable content is:)
00000318AN....00023...USUS01 KWBC 080000 RRB...TTAA 58001 72518 99010 03562 32005 54971 28059 88256 55571 27090 77292 26598...41508=....
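As an added example (not code from the presentation or from the Tokyo MSS), a small Python parser for the framing just described: it reads the 8-character length and 2-character type, waits when a socket read has delivered only part of a frame, and splits an alphanumeric message into sequence number, heading and text. The sample frame is constructed here from the heading in the dump; make_frame, the record fields and the type check are assumptions.

```python
import re

SOH, ETX, CRCRLF = b"\x01", b"\x03", b"\r\r\n"
HEADER_LEN = 10                     # 8-character message length + 2-character message type
KNOWN_TYPES = ("AN", "BI", "FX")    # alphanumeric, binary, fax (assumed to be the full set)
# SOH CRCRLF seqno(NNN or NNNNN) CRCRLF heading CRCRLF text CRCRLF ETX
_AN_BODY = re.compile(rb"\x01\r\r\n(\d{3}|\d{5})\r\r\n([^\r\n]+)\r\r\n(.*)\r\r\n\x03\Z", re.S)

class FramingError(ValueError):
    """Raised when the socket header or the SOH...ETX envelope is malformed."""

def make_frame(msg_type, seq, heading, text, seq_width=5):
    """Build one frame the way the slide lays it out (used here to construct sample input)."""
    body = (SOH + CRCRLF + str(seq).zfill(seq_width).encode("ascii") + CRCRLF
            + heading.encode("ascii") + CRCRLF + text.encode("ascii") + CRCRLF + ETX)
    return b"%08d" % len(body) + msg_type.encode("ascii") + body

def parse_frame(buf):
    """Parse one frame from the front of buf and return (record, rest); record is None
    when buf does not yet hold a whole frame, because a socket delivers a stream."""
    if len(buf) < HEADER_LEN:
        return None, buf
    length_field, msg_type = buf[:8], buf[8:10].decode("ascii", "replace")
    if not length_field.isdigit() or msg_type not in KNOWN_TYPES:
        raise FramingError("bad socket header %r" % buf[:HEADER_LEN])
    end = HEADER_LEN + int(length_field)
    if len(buf) < end:
        return None, buf                 # wait for the rest of this message
    body, rest = buf[HEADER_LEN:end], buf[end:]
    record = {"type": msg_type, "length": int(length_field)}
    if msg_type == "AN":
        m = _AN_BODY.match(body)
        if m is None:
            raise FramingError("alphanumeric body is not SOH...ETX framed")
        seq, heading, text = m.groups()
        record.update(seq=int(seq), heading=heading.decode("ascii"), text=text.decode("ascii"))
    else:
        record["payload"] = body         # BI and FX bodies are passed through untouched
    return record, rest

def split_stream(buf):
    """Consume every complete frame in buf; return (records, unconsumed tail)."""
    records = []
    while True:
        record, buf = parse_frame(buf)
        if record is None:
            return records, buf
        records.append(record)

# Constructed sample using the heading shown in the slide's hex dump.
SAMPLE = make_frame("AN", 23, "USUS01 KWBC 080000 RRB", "TTAA 58001 72518 99010 03562 32005=")
```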
GTS Circuit Upgrade
We perform some tests when a GTS circuit is upgraded.
1. Carrier checks circuit quality.
2. We analyze received data and check their format.
3. Making heavy traffic, we look at the capability of the circuit and the server.
4. We check continuity of data exchange in case of a host switching.
(Figure: Tokyo connected to the other centre through carrier A and carrier B; 1. circuit quality, 2. analyze data, 3. capability under heavy loaded condition, 4. switching.)
1.2 Provide data to local offices
The Internet is convenient for providing data and products to local offices when
quick action is needed.
** It should use the popular FTP service on the Internet.
** There is much free software.
** It is easy to take FTP service into a program.
** Its service is given to anonymous users and specific users.
(Figure: over the Internet, Mail is used for providing temporary data with specific user access, and the FTP server for providing routine data with anonymous user access.)
2. PC-based system at NMCs
In consideration of reliability, you should build a PC server, and for
reliability it should not use the newest extension boards. It is also
desirable to use DAT as the memory media.
** NMC system should be a duplicate system for non-stop operation.
** NMC system should have a memory media for operation and system log.
2.1 FTP service
When using FTP transmission between neighboring centres, the FTP
service has two transmitting methods : PUT and GET.
PUT Base
** PUT base provides smooth transmission without delay time.
** PUT base has the burden of checking whether the receiving system is alive.
(Figure: when there is trouble on the receiving side, when does the sender re-send?)
In case of PUT base, the receiving system is required to keep constant
operation. One of the hosts should always be in operation.
and..
** An imperfect file will be made if the FTP transmission fails on the
way.
** But the receiving host does not know whether a received file is
imperfect.
The transmitting host needs to show the signal of a transmission end:
1. Put `ABC.DAT.TMP`
2. Don’t use a file with TMP in its name.
3. Rename ABC.DAT.TMP ABC.DAT
4. Use the ABC.DAT file
GET Base
In order to provide users with data, GET base is usually used by an
Internet server.
(Figure: the client already has ABC1.DAT, so it GETs only ABC2.DAT from a server holding ABC1.DAT and ABC2.DAT.)
FTP software has functions to get only new data, so it has no
stress.
There are two methods of building an FTP server: one is an Anonymous server
and the other is a Guest server.
Anonymous server
** Anyone is accessible.
** No password is needed.
** Very strong internet security.
** It is able to separate real users from anonymous users.
Guest server
** Only registered users are accessible.
** Strong internet security.
** Use alias user names.
** Frequent change of password to guard data.
Notice
** Need to change the root position ( chroot ).
Even if a hacker logs in through a password leak, he cannot move
to other directories including the system directory.
** Need to have no real shell.
Even if a hacker tries another method, he cannot log in.
Proftpd configuration
ServerName        "RSMC server"
ServerType        inetd
DefaultServer     on
DefaultRoot       ~ !wheel
AuthAliasOnly     on
RequireValidShell off
UseReverseDNS     off
ExtendedLog       /var/log/proftpd all
SystemLog         /var/log/messages
SyslogFacility    LOCAL6
TransferLog       /var/log/xferlog
Port              21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask             022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances      30
# Set the user and group that the server normally runs at.
User              nobody
Group             nobody
# Normally, we want files to be overwriteable.
<Directory /*>
    AllowOverwrite  on
</Directory>
UserAlias         anonymous ftp
UserAlias         apple suga
UserAlias         lemon naps
# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
    User    ftp
    Group   ftp
    # We want clients to be able to login with "anonymous" as well as "ftp"
    # UserAlias anonymous ftp
    # Limit the maximum number of anonymous logins
    MaxClients  10
    # We want 'welcome.msg' displayed at login, and '.message' displayed
    # in each newly chdired directory.
    DisplayLogin        welcome.msg
    DisplayFirstChdir   .message
    # Limit WRITE everywhere in the anonymous chroot
    <Limit WRITE>
        DenyAll
    </Limit>
</Anonymous>
2.2 Security setting
** IPCHAINS
It works like a router: only a specific protocol and IP address can
access the server.
** XINETD
It permits access to specific ports from outside, and controls the number of
sessions.
** PAM ( Pluggable Authentication Module )
It extends the functions of commands that need authentication. For example,
when a password is changed, PAM checks whether the user chose an easy word.
** SUDO
A specific user can use super user commands.
** SSH ( Secure Shell )
It is a secure remote shell.
(Figure: Internet, then FW, then the FTP server protected by XINETD and IPCHAINS.)
2.3 Tools
** TOP
It displays a list of task status on the host.
** PS
It displays the status of the current processes.
** PING
It sends an ECHO request to elicit a response from a host or gateway.
** TRACEROUTE
It attempts to elicit a TIME_EXCEEDED response from each gateway
along the path to some host.
** NETSTAT
It prints network connections, routing tables, interface statistics and
masquerade connections.
** TCPDUMP
It displays the headers of packets on a network interface that match
the boolean expression.
** NMAP
It displays a list of interesting ports on the PC being scanned.
3. Design of Operation
** Automatically get the system log.
** Make statistics on files retrieved by users.
** If a trouble occurs, we closely check the host. We don’t resume operation until the cause of the trouble is known.
** In case of software modification, all hosts are not modified at once.
** Go to a security site to check whether there is any patch for the OS and OPEN SOURCE software. A patch is installed on a test host to check whether it runs normally.
3.1 Design of host switching
Duplicated system
(Figure: the operational host has static IP B and alias IP A; the standby host has static IP C; alias IP A moves to whichever host is operational. Maintenance uses the static addresses.)
** Only the operational host has an alias IP address.
** When the operational host is switched, the alias
address is also taken over by the new
operational host.
** Static addresses are used for maintenance.
3.2 Design of trigger which processes received data
Even if a host receives data, it does not start processing them without
a trigger, so a mechanism that starts processing data is required. There
are two executing methods: schedule and data.
Schedule trigger execute
It can easily plan constant processing with CROND, but it cannot process
non-scheduled data.
Data trigger execute
It is always watching a specific directory, and if data are put
there, it calls processing according to the kind of data.
(Figure: a monitor daemon does a real check on the upload directory and calls processing A, B or C according to the data.)
3.3 Introduction of RSMC server
(Figure: the RSMC server provides SAMBA service for Windows clients, PUTs data to the office server, runs a monitor system and security watch, and sends ALARM mail; the operation system log is got automatically.)
Tripwire
It confirms every day, from the stored file information, whether files
were rewritten.
swatch
It is always checking the system log to find specific words
related to an attack.
Secure Shell
It is intended to replace rlogin and rsh, and provide secure encrypted
communications between two hosts over an insecure network.
Three ways to log in:
1. Password login
2. rhost
3. Use key: generate an encryption key and a decryption key.
SAMBA
SAMBA is sometimes also referred to as the Common Internet File System,
LanManager or NetBIOS protocol. The usage is as follows.
1. Check whether samba is installed ( rpm -q samba, rpm -q samba-client,
rpm -q samba-common, rpm -q samba-swat ).
2. If samba is not installed, run rpm -ivh samba samba-client samba-common samba-swat.
3. Check that samba and swat are switched on in NTSYSV.
4. Set the swat service in XINETD ( /etc/xinetd.d/ ).
5. Set a password for oic ( the samba user ) ( smbpasswd -a oic ).
6. Set the samba configuration in an Internet browser ( http://localhost:901 ).
7. Select the SHARE window, set oic as the username, and set no write for guest.
8. Select the GLOBALS window, select euc as the coding system, and select
share as the security.
This is a sample shell script for shutting down the system automatically when there
are no Windows or Unix clients after 7:00 p.m.
First, set the time schedule in CROND:
$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
# bye_check.sh is a single script, so it is run directly (run-parts expects a directory)
05,15,25,35,45,55 19,20,21,22,23 * * * root /etc/bye_check.sh
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
The four run-parts lines are the standard set items in RedHat.
bye_check.sh
#!/bin/sh
PATH=/bin:/usr/bin:/usr/local/bin:/usr/sbin
export PATH
# count samba clients (smbstatus -p lists one smbd process per connected client)
smb_client=`smbstatus -p | wc -l`
# count logged-in linux users (w -h prints one line per session and no header)
linux_client=`w -h | wc -l`
# current hour; not used below, the cron schedule already limits the time window
time_chk=`date +%k`
# record the counts in the work log
echo `date` smb:$smb_client linux:$linux_client >> /var/log/work_log
#echo " Samba client .." $smb_client
#echo " Linux client .." $linux_client
# shut down only when there is neither a samba client nor a linux user
if [ "${smb_client}" -lt 1 ]
then
    if [ "${linux_client}" -lt 1 ]
    then
        echo shutdown for no users `date` >> /var/log/work_log
        /sbin/shutdown -h now > /dev/null
        #echo "finish OK!"
    fi
fi
Introduction of backup of MDUS products on the RSMC server
(Figure: NAPS uploads data into the UPgms directory; the GmsUPchkd daemon checks it in real time, makes a backup copy for the neighbor RSMC, and files it into the BACK and WORK directories.)
** Check a file in UPgms, and confirm completion of
receiving data by the `tmp` word.
** Back up a copy for the neighbor RSMC.
** Move the file into the BACK directory.
** Copy the file into the WORK directory.
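As an added example (not the RSMC server’s GmsUPchkd code) covering the PUT-base TMP convention of 2.1, the data-trigger design of 3.2 and the GmsUPchkd steps above: one pass of a Python monitor over UPgms that skips files still carrying TMP, backs up for the neighbour RSMC, moves the original to BACK, copies it to WORK and dispatches a handler by kind of data. The data_kind rule, the handler table and the sample files are assumptions constructed here.

```python
import os
import shutil
import tempfile
UPLOAD, WORK, BACK = "UPgms", "WORK", "BACK"    # directory names from the slides

def is_complete(name):
    """A file whose name still contains TMP is being PUT by the sender; leave it alone."""
    return "TMP" not in name.upper()
def data_kind(name):
    """Assumption: the kind of data is the part of the file name before the first dot."""
    return name.split(".", 1)[0]

def run_once(base, handlers, neighbour_dir=None):
    """One pass of the monitor daemon over base/UPgms; returns the names processed."""
    upload, work, back = (os.path.join(base, d) for d in (UPLOAD, WORK, BACK))
    processed = []
    for name in sorted(os.listdir(upload)):
        if not is_complete(name):
            continue                                   # imperfect file: transfer not finished
        src = os.path.join(upload, name)
        if neighbour_dir is not None:                  # backup copy for the neighbour RSMC
            shutil.copy2(src, os.path.join(neighbour_dir, name))
        kept = os.path.join(back, name)
        shutil.move(src, kept)                         # original file goes to BACK
        shutil.copy2(kept, os.path.join(work, name))   # working copy for processing
        handler = handlers.get(data_kind(name))        # processing according to kind of data
        if handler is not None:
            handler(os.path.join(work, name))
        processed.append(name)
    return processed

def demo():
    """Constructed scenario: one complete OBS file, one SAT file still being transferred."""
    base = tempfile.mkdtemp()
    for d in (UPLOAD, WORK, BACK, "neighbour"):
        os.makedirs(os.path.join(base, d))
    upload = os.path.join(base, UPLOAD)
    with open(os.path.join(upload, "OBS.DAT"), "w") as f, \
         open(os.path.join(upload, "SAT.DAT.TMP"), "w") as g:
        f.write("TTAA 58001 72518 99010 03562 32005=\n")
        g.write("partial")                             # sender has not renamed it yet
    seen = []
    handlers = {"OBS": lambda path: seen.append(os.path.basename(path))}
    first = run_once(base, handlers, os.path.join(base, "neighbour"))
    os.rename(os.path.join(upload, "SAT.DAT.TMP"), os.path.join(upload, "SAT.DAT"))
    second = run_once(base, handlers, os.path.join(base, "neighbour"))
    left = sorted(os.listdir(upload))
    neighbour = sorted(os.listdir(os.path.join(base, "neighbour")))
    shutil.rmtree(base)
    return first, second, seen, left, neighbour
```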
Memory media
** DAT: It can be used like the TAR command. Usually DAT is used as backup of the HDD.
** MO: If an MO drive is connectable with USB, it can be easily used like a floppy disk.
** CDR & DVD-RAM: If a CDR is found on scsi, a CD image can be written to the CDR. It also uses only one side of DVD-RAM, like a CDR.
(Figure: the GmsProcd daemon checks WORK; GmsSplit checks the ORIGINAL area of PUB and writes the 8MB file as 160KB x 60 parts into the SPLIT area of PUB.)
** GmsSplit: Split a file into 60 parts for low speed users.
** GmsPexp: Delete files in the public area after their available time expires.
Thank you