1 / 39

COMP3122 Network Management

COMP3122 Network Management. Richard Henson March 2010. Week 8: Internet Access, Web Services, and Remote Access. Objectives: Configure a specified web server to support www & ftp sites Run a world wide web site that includes server scripting

monifa
Télécharger la présentation

COMP3122 Network Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COMP3122 Network Management Richard Henson March 2010

  2. Week 8: Internet Access, Web Services, and Remote Access • Objectives: • Configure a specified web server to support www & ftp sites • Run a world wide web site that includes server scripting • Configure a server to accept services by remote access

  3. Web Services • Client-Server • installed on a web server • used on a web browser • By default, provide a network service that runs on TCP port 80, but port could vary • Products tend to be specific to the operating system e.g. • Internet Information Server runs on Windows NT/2000/XP/2003/2008/7 • Apache runs on Unix/Linux

  4. Request for Service access The following diagram illustrates the relationship between web client and web server proceses. The client requests information; the server processes the request and sends a response back to the client

  5. Other web-related Network Services • Most popular: • ftp (file transfer), port 21 • smtp (mail between internet sites) port 25 • With IIS, each service provides a default folder to act as the default root e.g. • wwwroot • ftproot • mailroot

  6. Accessing Web Services across a local network • Each web service should have a local network name • e.g. mywebsite, myftpsite • used with IP address to access web services across the Intranet • Internal Access: • www services accessed at the client end using an Internet Browser • local name maps by default to root www service folder e.g. wwwroot

  7. Access Control and Internal Web Services(Intranet) • Access controlled by: • EITHER username/password protection of pages beyond the home page • OR user login name authentication with active directory (or equivalent) for access to the service

  8. Accessing Web Services through the world wide web • The Microsoft IIS www service must have: • website on or in a subfolder of www • a domain name • and an IP address • Full URL needed to gain access • Syntax: • local www name.domain name • Access to service controlled through a requirement to login • by default, all users automatically logged on to an “anonymous” account (Internet Guest)

  9. Web-based Client-Server Model

  10. IIS and Security • IIS has been coupled with Windows Servers since 1996… • Originally enabled VB code to create .asp files to perform tasks and interact directly with the client browser • included a number of COM+ objects • By 2000 generally acknowledged to be one of the major security weaknesses of Microsoft platforms interfacing with the web • most viruses came in via IIS & VB code

  11. The .net framework and web services • Major change in 2001 -> .net framework • server scripts no longer contained source code (except HTML) • not supported by Windows 2000 (IIS v5) • not yet developed… • Windows 2003 has .net built-in (IIS v6) • Windows 2000 setups need to add the .net framework and upgrade IIS if they are to be used for supporting .net based websites

  12. .net framework v1.1 and Active Directory • To get maximum benefit from the structure of .net, the object framewoek should interface well with active directory • not necessarily the case with v1.1 • and therefore also with the first release of 2003 Server…

  13. .net framework v2.0 and Active Directory • Windows 2003 a success… • NOT because of .net framework! • v2 released some time after 2003 server • included “Active Directory namespace” • System.DirectoryServices • allowed more effective linking of active directory objects with .net objects. e.g.’s • http://www.vsj.co.uk/dotnet/display.asp?id=409 • helped .net to finally gain wider acceptance

  14. .net framework v3.5 and Active Directory • SystemDirectory.Services often needs further coding to be effective… • V3.5 uses something called System.DirectoryServices.AccountManagement namespace • uniform access and manipulation of user, computer, and group security principals across the multiple principal stores: • Active Directory Domain Services (AD DS) • Active Directory Lightweight Directory Services (AD LDS) • Machine SAM (MSAM). • manages directory objects independent of the System.DirectoryServices namespace

  15. Management of Groups of Web Pages • IIS needs to perform a number of server tasks, but especially to provide : • access to the contents of web sites in a controlled way • home or “root” directory path • name definition(s) for “home page” e.g index.html, index.aspx • the right scripting “engine” for website files so they are compiled, interpreted, or (if run-time e.g. active X) just executed

  16. Home Page Service for websites • Agreed home page convention by ISPs: • home page is index.htm, index.html • this page is downloaded when the domain name is entered in the browser window • Microsoft home page convention: • default.html • default.asp(x) • Latter can (should?) be changed to conform to general convention

  17. Setting up an IISFTP service • FTP protocol is ancient (RFC 238, 1972) • still popular & works well for uploading/downloading • IIS allows configuration of an FTP server for: • Internal ftp access: • local ftp service name • External ftp access: • local name.domain name • FTP server can be accessed: • directly through the browser • using an ftp client

  18. Accessing an IIS SMTP service • SMTP protocol (or Internet Mail forwarding) developed from FTP (RFC 821, 1978) • Web-based or Internal SMTP service set up in the same way as FTP • same access rights/limitations, etc. • However, further software (Exchange Server) is needed to provide a full mail service

  19. Setting up an Exchange Mail Server Service • Exchange is complex software • large resource requirements • Uses x500 data storage standard • store for details of mailbox users • can interface with details of Active Directory users! • Further stores: • incoming messages that need distributing to mailboxes • mailboxes & their messages • database of existing mailbox names

  20. A POP3 service • SMTP sends messages between Internet servers • Cannot be used to download mail from mailboxes to clients • need to use the POP3 protocol • POP3 Server principles: • user logs on to server • if user is authorised: • any messages in that user’s mailbox are located • all messages downloaded to local folder by POP3 client software

  21. Administering the Web Service • Software GUI tools for IIS administration • MMC • management snap-in • Command line tools for IIS administration • direct access via browser • Access to these tools needs to be restricted… • Service should allow a number of different web sites to be set up in different folders • Excellent website (for W2003, IIS v6) • http://www.windowsnetworking.com/articles_tutorials/Web-Sites-Windows-2003.html

  22. Administering the Web Service • The IP address of the web server normally that of the host machine • needs to be provision for • manual settings • several addresses e.g. multiple websites running through separate folders • Typical set up & management tasks required for each website: • website name, port, home directory, default filename pecking order • optional username/password & access permissions • “virtual directories” • security permissions for use with server certificates and the public key infrastructure (PKI)

  23. Open Access v Logonto Web Server? • Allowing network or external users to access part of the server has its risks! • One strategy: use “anonymous login” • anyone can log on and gain access to the service • but only get “guest-equivalent” (i.e. minimum) access rights • can be frustrating…

  24. Open Access v Logonto Web Server? • Alternative: request username/password access • access rights then depend on user privilege • no longer “open access” • but good for auditing and control

  25. Open Access v Logonto Web Server? • Servers in general: • potentially open to attack by both internal and external network users (security vital) • Standard web server practice: • no file access possible other than at and below the designated root • main issue for the system regarding user requests for web access: • whether or not to allow access at all • whether to allow read only or read-write access

  26. Offering a Proxy Service • A Proxy Server runs on a server being used as a Firewall • Acts as an intermediate party between the Internet and local network services: • intercepts user requests for services such as FTP • decides whether or not to forward them to the true server • The effect is that the internal and external computers talk to the proxy service rather than directly to each other

  27. The Proxy Service approach Firewall with Proxy service Real server Request to proxy server Internal Network ...

  28. Proxy Service - continued • The user on either side of the firewall is presented with an illusion that they are talking to a real server when in fact they are dealing with a proxy • So if an outside user tries to “hack” into the network server the actual internal network architecture is hidden • A proxy server can be programmed to block certain requests, sites, actions e.g: • blocking certain WWW sites • preventing FTP downloads

  29. Proxy Service • Provides network client machine with controlled access to the Internet • Clients can only gain access to the Internet via the Proxy Service • Enables the network administrator to control: • which TCP ports, and therefore which protocols can be used • which (if any) external IP addresses can be accessed/filtered

  30. Proxy Service • Can also provide a storage facility for web pages (web cache), so that clients don’t need to keep going out onto the Internet to access the same page • web cache speeds up access to regularly accessed web pages • less actual www traffic, so more bandwidth available to those accessing pages that haven’t been previously downloaded

  31. Streaming Media Service • Serves streaming sound/video/animation files to multiple users simultaneously • across the network • across the Internet • If connection has sufficient bandwidth • Also provides the conversion software codecs to produce and run the streaming media files

  32. How Does Streaming Technology Work? • A streaming sound file is no longer in a .wav or .mid format • Using special software, any sound file can be: • converted/compressed into a streaming format • Accessed remotely using e.g. rtsp://server/path/filename • A suitable Audio player is then needed to play the streaming audio • must contains its own software codecs

  33. Real Audio • Probably the most popular Internet streaming system • .ram file contains the search string for the local browser • .ra file contains the sound file that can be sent bit by bit using streaming technologies

  34. How Does Streaming Technology Work? • The .ra file is stored on a remote server • path begins with rtsp:// • tells an application that: • the file is located externally on a streaming sever • it is using Real Time Streaming Protocols • next in the path: • name of the folder on the streaming server where the file resides • finally the name of the target file itself

  35. Remote Access Service (RAS) • Configured in Windows 2003 as Routing and Remote Access service • not available by default • needs to be installed • Provides ways of allowing access to the server/network externally

  36. Remote Access Service • ISPs use RAS to provide logon connections for multiple users via: • standard (analogue) phone link • one modem needed on/connected to the server for each remote connection • ISDN • ADSL • As with www, ftp, email services: • appropriate security arrangements need to be in place • appropriate client-server TCP protocols required

  37. Remote Access Service • Public Telephone network, security options: • Callback security • server makes a note of the caller’s number • hangs up • calls the caller back! • Logon • only authorised users are allowed to log on • Encryption • log on data can/should? be encrypted • PPTP filtering • only allows PPTP packets through

  38. Remote Access Service • Dial-up (OSI level 1/2) Protocols • SLIP (Serial Line Interface Protocol) • developed in 1984 • now old hat! • PPP (Point-Point Protocol) • current standard • more flexible than PPP • allows a greater range of transport protocols • Allows remote allocation of IP addresses to clients by DHCP server

  39. Remote Access via VPN within the Internet • Protocols for creating a secure channel through the Internet: • PPTP (Point-Point Tunnelling Protocol) • secure version of PPP • port 1723 • L2TP now more popular • port 1701

More Related