Summarize Services Provided by Networked Hosts Lesson 6 a
REMOTE TERMINAL ACCESS SERVERS
A remote terminal server allows a host to accept connections to its command shell or graphical desktop from across the network. The name "terminal" comes from the early days of computing where configuration was performed by a teletype (TTY) device. The TTY is the terminal or endpoint for communication between the computer and the user. It handles text input and output between the user and the shell, or command environment. Where the terminal accepts input and displays output, the shell performs the actual processing. A terminal emulator is any kind of software that replicates this TTY input/output function. A given terminal emulator application might support connections to multiple types of shells. A remote terminal emulator allows you to connect to the shell of a different host over the network. Secure Shell Secure Shell (SSH) is the principal means of obtaining secure remote access to UNIX and Linux servers and to most types of network appliances (switches, routers, and firewalls). As well as encrypted terminal emulation, SSH can be used for SFTP and to achieve many other network configurations. Numerous commercial and open source SSH servers and terminal emulation clients are available for all the major NOS platforms (UNIX®, Linux®, Windows®, and macOS®). The most widely used is OpenSSH (openssh.com). An SSH server listens on port TCP/22 by default. Telnet Telnet is both a protocol and a terminal emulation software tool that transmits shell commands and output between a client and the remote host. A Telnet server listens on port TCP/23 by default. A Telnet interface can be password protected, but the password and other communications are not encrypted and therefore could be vulnerable to packet sniffing and replay. Historically, Telnet provided a simple means to configure switch and router equipment, but only secure access methods should be used for these tasks now. Remote Desktop Protocol Telnet and SSH provide terminal emulation for command-line shells. This is sufficient for most administrative tasks, but where users want to connect to a desktop, they usually prefer to work with a graphical interface. A GUI remote administration tool sends screen and audio data from the remote host to the client
WEB SERVERS
A web server is one that provides client access using HTTP or its secure version (HTTPS). Websites and web applications are perhaps the most useful and ubiquitous of network services. Web technology can be deployed for a huge range of functions and applications, in no way limited to the static pages of information that characterized the first websites. HyperText Transfer Protocol HTTP enables clients (typically web browsers) to request resources from an HTTP server. A client connects to the HTTP server using port TCP/80 (by default) and submits a request for a resource (GET). The server either returns the requested data if it is available or responds with an error code. HyperText Markup Language, Forms, and Web Applications HTTP is usually used to serve HTML web pages, which are plain text files with coded tags describing how the document should be formatted. A web browser can interpret the tags and display the text and other resources associated with the page (such as pictures or sound files). Another powerful feature is the ability to provide hyperlinks to other related documents. HTTP also features mechanisms (POST) whereby a user can submit data from the client to the server. The functionality of HTTP servers is often extended by support for scripting and programmable features (web applications). Uniform Resource Locators Resources on the Internet are accessed using an addressing scheme known as a uniform resource locator (URL). A URL contains all the information necessary to identify and access an item. For example, a URL for an HTTP resource might contain the following elements: The protocol describes the access method or service type being used. The host location is usually represented by a FQDN. The FQDN is not case-sensitive. The host location can also be an IP address; an IPv6 address must be enclosed in square brackets. The file path specifies the directory and file name location of the resource (if required). The file path may or may not be case sensitive, depending on how the server is configured. Web Server Deployment Typically, an organization will lease a web server or space on a server from an ISP. Larger organizations with Internet-connected datacenters may host websites themselv
DIRECTORY AND AUTHENTICATION SERVERS
DHCP allows a network client to request an IP configuration, and DNS allows it to request resources using plain names. Most networks must also authenticate and authorize clients before allowing them to connect to fileshares and mail servers. This security requirement is met by configuring an access control system to prevent unauthorized users (and devices) from connecting. In a Windows workgroup, for example, the access control method is a simple password, shared with all authorized users. Enterprise networks use directory servers to maintain a centralized database of user accounts and authenticate the subjects trying to use those accounts. These protocols allow a user to authenticate once to access the network and gain authorization for all the compatible application servers running on it. This is referred to as single sign-on (SSO). Lightweight Directory Access Protocol Network resources can be recorded as objects within a directory. A directory is a type of database, where an object is like a record and things that you know about the object (attributes) are like fields. Most directories are based on the X.500 standard. The Lightweight Directory Access Protocol (LDAP) is a TCP/IP protocol used to query and update an X.500 directory. It is widely supported in current directory products—Windows Active Directory or the open source OpenLDAP, for instance. LDAP uses TCP and UDP port 389 by default. Authentication, Authorization, and Accounting Network clients can join the network using multiple types of access devices, including switches, access points, and remote access VPN servers. Storing copies of the network directory and authentication information on all these access devices would require each device to do more processing and have more storage. It also increases the risk that this confidential information could be compromised. An authentication, authorization, and accounting (AAA) server is one that consolidates authentication services across multiple access devices. AAA uses the following components: Supplicant—The device requesting access, such as a user's PC or laptop. Network access server (NAS) or network access point (NAP)—Network access appliances, such as switches, access points, and VPN ga
A firewall filters applications based on their port number. If you want to configure a firewall on a mail server to allow clients to download email messages, which port(s) might you have to open?
Either TCP port 993 (IMAPS) or 995 (POP3S), depending on the mail access protocol in use (IMAP or POP). These are the default ports for secure connections. Unsecure default ports are TCP port 143 and TCP port 110. Port 25 (SMTP) is used to send mail between servers and not to access messages stored on a server. Port 587 is often used by a client to submit messages for delivery by an SMTP server.
MAIL SERVERS
Electronic mail enables a person to compose a message and send it to another user on their own network (intranet) or anywhere in the world via the Internet. Two types of mail servers and protocols are used to process email: mail transfer and mailbox access protocols: Internet email addresses follow the mailto URL scheme. An Internet email address comprises two parts—the username (local part) and the domain name, separated by an @ symbol. The domain name may refer to a company or an ISP; for example, [email protected] or [email protected]. The Simple Mail Transfer Protocol (SMTP) specifies how email is delivered from one mail domain to another. The SMTP server of the sender discovers the IP address of the recipient SMTP server by using the domain name part of the recipient's email address. The SMTP servers for the domain are registered in DNS using Mail Exchange (MX) and host (A/AAAA) records. Typical SMTP configurations use the following ports and secure services: Port TCP/25 is used for message relay between SMTP servers, or message transfer agents (MTAs). Transmissions over port 25 are usually unsecure. Port TCP/587 is used by mail clients—message submission agents (MSAs)—to submit messages for delivery by an SMTP server. Servers configured to support port 587 should use encryption and authentication to protect the service.
True or false? AAA allows switches and access points to hold directory information so that they can authenticate clients as they connect to the network.
False. One of the purposes of authentication, authorization, and accounting (AAA) is to authenticate clients as they connect to the network, but the directory information and credentials are not stored on or verified by switches and access points. These devices are configured as clients of an AAA server and act only to transit authentication data between the end user device (the supplicant) and the AAA server.
You are configuring a network attached storage (NAS) appliance. What file sharing protocol(s) could you use to allow access to Windows, Linux, and Apple macOS clients?
Most clients should support Server Message Block (SMB). Another option is to configure File Transfer Protocol (FTP).
FILE/PRINT SERVERS
One of the core network functions is to provide shared access to disk and print resources. Like many network protocols, resource sharing is implemented using a client/server architecture. The machine hosting the disk or printer is the server. A server disk configured to allow clients to access it over the network is a fileshare. Machines accessing those resources are the clients. The fileshare and print server roles may be implemented on a local network using proprietary protocols, such as File and Print Services for Windows Networks. A file server could also be implemented using TCP/IP protocols, such as File Transfer Protocol (FTP). Server Message Block Server Message Block (SMB) is the application protocol underpinning file and printer sharing on Windows networks. SMB usually runs directly over the TCP/445 port. SMB has gone through several updates, with SMB3 as the current version. SMB1 has very serious security vulnerabilities and is now disabled by default on current Windows versions ( docs.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3 ). Support for SMB in UNIX- or Linux-based machines and network attached storage (NAS) appliances is provided by using the Samba software suite (samba.org/samba/what_is_samba.html), which allows a Windows client to access a Linux host as though it were a Windows file or print server. SMB is sometimes referred to as the Common Internet File System (CIFS), though technically that should only be used to refer to a specific dialect of SMB version 1. Network Basic Input/Output System The earliest Windows networks used a protocol stack called the Network Basic Input/Output System (NetBIOS) rather than TCP/IP. NetBIOS allowed computers to address one another by name and establish sessions for other protocols, such as SMB. As the TCP/IP suite became the standard for local networks, NetBIOS was re-engineered to work over the TCP and UDP protocols, referred to as NetBIOS over TCP/IP (NetBT). NetBT uses UDP/137 for name services and TCP/139 for session services. Modern networks use IP, TCP/UDP, and DNS for these functions, so NetBT is obsolete. NetBT should be disabled on most networks, as it poses a significant ri
HYPERTEXT TRANSFER PROTOCOL SECURE
One of the critical problems for the provision of early websites was the lack of security in HTTP. Under HTTP, all data is sent unencrypted, and there is no authentication of client or server. Secure Sockets Layer (SSL) was developed by Netscape in the 1990s to address these problems. SSL proved very popular with the industry. Transport Layer Security (TLS) was developed from SSL and ratified as a standard by the IETF. When TLS is used with the HTTP application, it is referred to as HTTPS. Encrypted traffic between the client and server is sent over port TCP/443 (by default), rather than the open and unencrypted port 80. TLS can also be used to secure other TCP application protocols, such as FTP, POP3/IMAP, SMTP, and LDAP. TLS can also be used with UDP, referred to as Datagram Transport Layer Security (DTLS), most often in virtual private networking (VPN) solutions. To implement HTTPS, the web server is installed with a digital certificate issued by some trusted certificate authority (CA). The certificate uses encrypted data to prove the identity of the server to the client, assuming that the client also trusts the CA. The system uses a public/private encryption key pair. The private key is kept a secret known only to the server; the public key is given to clients via the digital certificate. The server and client use the key pair in the digital certificate and a chosen cipher suite within the TLS protocol to set up an encrypted tunnel. Even though someone else might know the public key, they cannot decrypt the contents of the tunnel without obtaining the server's private key. This means that the communications cannot be read or changed by a third party. A web browser will open a secure session to an HTTPS server by using a URL starting with https:// and it will also show a padlock icon in the address bar to indicate that the server's certificate is trusted and that the connection is secure. A website can be configured to require a secure session and reject or redirect plain HTTP requests.
MAILBOX SERVERS
SMTP is used only to deliver mail to server hosts that are permanently available. When an email is received by an SMTP server, it delivers the message to a mailbox server. The mailbox server could be a separate machine or a separate process running on the same computer. A mailbox access protocol allows the user's client email software to retrieve messages from the mailbox. Post Office Protocol 3 The Post Office Protocol (POP) is an early example of a mailbox access protocol. POP is often referred to as POP3 because the active version of the protocol is version 3. A POP client application, such as Microsoft Outlook® or Mozilla Thunderbird®, establishes a connection to the POP server on port TCP/110 or over the secure port TCP/995. The user is authenticated (by username and password), and the contents of the mailbox are downloaded for processing on the local PC. With POP3, the messages are typically deleted from the mailbox server when they are downloaded, though some clients have the option to leave messages on the server. Internet Message Access Protocol The Internet Message Access Protocol (IMAP) addresses some of the limitations of POP. IMAP is a mail retrieval protocol, but its mailbox management features lack the features associated with POP mail management. IMAP supports permanent connections to a server and connecting multiple clients to the same mailbox simultaneously. It also allows a client to manage the mailbox on the server (to organize messages in folders and to control when they are deleted, for instance) and to create multiple mailboxes. A client connects to an IMAP server over port TCP/143, but this port is unsecure. Connection security can be established using TLS. The default port for IMAP-Secure (IMAPS) is TCP/993.
NETWORK MONITORING SERVERS
SSH and RDP allow administrators to log on and manage hosts and switches/routers/firewalls remotely. For a network to run smoothly, it is also important to gather information regularly from these systems. This type of remote monitoring can identify an actual or possible fault more quickly. Simple Network Management Protocol The Simple Network Management Protocol (SNMP) is a framework for management and monitoring network devices. SNMP consists of a management system and agents. The agent is a process running on a switch, router, server, or other SNMP-compatible network device. This agent maintains a database called a management information base (MIB) that holds statistics relating to the activity of the device. An example of such a statistic is the number of frames per second handled by a switch. The agent is also capable of initiating a trap operation where it informs the management system of a notable event (port failure, for instance). The threshold for triggering traps can be set for each value. The management system monitors all agents by polling them at regular intervals for information from their MIBs and displays the information for review. It also displays any trap operations as alerts for the network administrator to assess and act upon as necessary. SNMP device queries take place over port UDP/161; traps are communicated over port UDP/162. Syslog Effective network management often entails capturing logs from different devices. It is more efficient to review logs and respond to alerts if the logs are consolidated on a single system. A log collector aggregates event messages from numerous devices to a single storage location. As well as aggregating logs, the system can be configured to run one or more status and alerting dashboards. Syslog is an example of a protocol and supporting software that facilitates log collection. It has become a de facto standard for logging events from distributed systems. For example, syslog messages can be generated by routers and switches, as well as UNIX or Linux servers and workstations. A syslog collector usually listens on port UDP/514. As well as a protocol for forwarding messages to a remote log collector, syslog provides an open format for event data. A
You are advising a company on configuring systems to provide better information about network device status. Why would you recommend the use of both SNMP and syslog?
The Simple Network Management Protocol (SNMP) provides a means for devices to report operational statistics to a management server and to send a trap if a threshold for some critical value is exceeded. Syslog provides a means for devices to send log entries to a remote server. Both of these types of information are required for effective monitoring.
True or false? An HTTP application secured using the SSL/TLS protocol should use a different port to unencrypted HTTP.
True. By default, HTTPS uses port TCP/443. It is possible in theory to apply SSL/TLS to port TCP/80, but most browsers would not support this configuration.