NETWORK MANAGEMENT
Topics covered in this chapter
• Introduction to networking fundamentals
• TCP/IP Networking Basics
• Configuring for Networking
• Configuring a Web Server, DNS Server and Proxy Caches
• TCP/IP Troubleshooting: ping, traceroute, ifconfig, netstat, ipconfig
Introduction
• Most Linux systems are connected to a network, either as clients or as
servers.
• To be reachable on a network, a server needs a unique address, which is
provided by IP (Internet Protocol).
• Today two versions of IP addresses are relevant:
• IPv4 addresses
• IPv6 addresses
IPv4 Addresses
• Every device on the network needs an IP address for communication.
• Similar to a person's postal address
• Based on where the host is actually located in the network topology
• Known as a logical address because it is assigned logically, not built
into the hardware
• Assigned to each host by a network administrator, either manually or
through a DHCP server.
• Written in dotted-decimal notation, e.g. 192.168.1.0/24 (the /24 is the
prefix length of the network part)
• Each of the four octets is an 8-bit value, for a total length of 32 bits.
• Every IP address belongs to a specific network; hosts on the same
network communicate with one another directly, while a router is used
to reach computers on another network.
Cont..
• To communicate on the Internet, every computer needs a worldwide
unique IP address.
• IPv4 provides a maximum of about four billion IP addresses.
• This is too small to accommodate every device.
• Two ways to overcome the scarcity of IP addresses:
• IPv6 (a vastly larger number of addresses can be created in IPv6)
• Using private network addresses
• Private network addresses are addresses that are for use in internal
networks only.
• They are non-routable on the Internet, while public addresses are routed.
Cont..
• Some specific IP network addresses have been created for this
purpose:
• 10.0.0.0/8 ( a single Class A network)
• 172.16.0.0/12 (16 Class B networks)
• 192.168.0.0/16 (256 Class C networks)
• When private addresses are used, the nodes using them cannot access
the Internet directly.
• To access the Internet, the private address must be converted to a
public IP address.
• NAT (Network Address Translation) handles this conversion.
• The NAT router in turn uses translation tables to keep track of all
connections currently open for the hosts on the internal network.
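An added example (not from the slides) of what the NAT translation table described above has to hold: private hosts using the three RFC 1918 blocks listed earlier are mapped to one public address and a fresh port on the way out, and replies are mapped back only when a matching table entry exists. The public address 203.0.113.5 and the destination 198.51.100.9 are constructed documentation-range values.

```python
import ipaddress
from itertools import count

# The private (non-routable) blocks from the slides.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

class NatRouter:
    """Minimal stateful NAT (port address translation) table.

    Outbound flows from private hosts are rewritten to the router's single
    public address plus a fresh public port; the table is what lets the reply
    be mapped back. Inbound packets without a table entry are dropped.
    """
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)          # next free public port
        self.table = {}     # (private_ip, private_port, dst) -> public_port
        self.reverse = {}   # public_port -> (private_ip, private_port, dst)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet; the same flow reuses its entry."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not private; nothing to translate")
        key = (src_ip, src_port, (dst_ip, dst_port))
        if key not in self.table:
            pub_port = next(self._ports)
            self.table[key] = pub_port
            self.reverse[pub_port] = key
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Map a reply back to the private host, or None if unsolicited."""
        entry = self.reverse.get(dst_port)
        if entry is None or entry[2] != (src_ip, src_port):
            return None          # no matching connection: drop it
        priv_ip, priv_port, _ = entry
        return (priv_ip, priv_port)
```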
IPv6 Addresses
• IPv6 addresses are 128 bits long.
• In an IPv6 environment every device on the Internet can have its own
unique IP address, so there is no need for NAT, which improves security.
• Current state
• MAC address
• IPv4 configuration
• IPv6 configuration
Cont..
• The ip link show command shows the current link state of each
interface (up/down).
cd /etc
vi sysctl.conf
The vi editor opens; uncomment the line
# net.ipv4.ip_forward=1
by simply removing the leading #, then save and exit.
sysctl -w net.ipv4.ip_forward=1
Cont..
• Create virtual LAN cards instead of deploying them physically.
• To create a virtual Ethernet card, change directory to
cd /etc/sysconfig/network-scripts
• Copy ifcfg-eth0 in the same folder to create the new virtual LAN card:
cp ifcfg-eth0 ifcfg-eth0.1 => a new virtual LAN card is created; a restart is required.
• Run the setup command.
• Assign IP addresses to the two cards (eth0 and eth0.1) with the appropriate addresses.
• Enable IP forwarding using an editor (vi, nano or vim):
vi /etc/sysctl.conf
Uncomment net.ipv4.ip_forward=1 (or change the value from 0 to 1).
• Finally reboot your system.
Web server/apache configuration
• An open source web server, mostly for Unix, Linux and Solaris
platforms.
• Apache is the most popular web server on the net.
• It is very secure, fast and reliable.
• Apache is notable for playing a key role in the initial growth of the
World Wide Web.
• It is the default web server on Red Hat, SuSE and Debian systems
and is well known in industry for its flexibility and performance.
How it works
It is always better to change the default Server header by editing the
lines that reveal this information in src/include/httpd.h.
• Upgrade old software when necessary.
• Protecting web data with IP restrictions:
Apache can be configured to allow only specific IP addresses.
This can be done by adding the following lines to .htaccess
(note that Apache accepts no space after the comma in the Order argument):
Order Deny,Allow
Deny from All
Allow from 192.168.1.100
Allow from 192.168.1.101
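An added example (not from the slides) that evaluates the .htaccess rules above the way Apache 2.2's mod_authz_host does: with Order Deny,Allow the Deny lines are checked first and any matching Allow line overrides them, so only the two listed hosts get in. The same function also shows the Allow,Deny order, where the Deny from All line would win and lock everyone out.

```python
import ipaddress

# The .htaccess fragment from the slides, embedded as constructed input.
HTACCESS = """
Order Deny,Allow
Deny from All
Allow from 192.168.1.100
Allow from 192.168.1.101
"""

def _matches(pattern: str, client: ipaddress.IPv4Address) -> bool:
    """Host argument forms handled here: 'all', a single IP or a CIDR prefix."""
    if pattern.lower() == "all":
        return True
    return client in ipaddress.ip_network(pattern, strict=False)

def access_allowed(htaccess: str, client_ip: str) -> bool:
    """Apply Apache 2.2 Order/Deny/Allow semantics to one client address."""
    client = ipaddress.ip_address(client_ip)
    order = "deny,allow"
    denied = allowed = False
    for raw in htaccess.splitlines():
        parts = raw.split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "order":
            order = parts[1].lower()
        elif directive in ("deny", "allow") and parts[1].lower() == "from":
            hit = any(_matches(p, client) for p in parts[2:])
            if directive == "deny":
                denied = denied or hit
            else:
                allowed = allowed or hit
    if order == "deny,allow":
        # Deny first, Allow overrides; a client matching neither is allowed.
        return allowed or not denied
    if order == "allow,deny":
        # Allow first, Deny overrides; a client matching neither is denied.
        return allowed and not denied
    raise ValueError(f"unsupported Order argument: {order}")
```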
Cont..
• Using HTTP Authentication:
HTTP user authentication restricts access to a particular directory and
its subdirectories on the web server.
The browser implements authentication by prompting the user with a
dialog box for a username and password.
• Using secure HTTP connections:
The Secure Sockets Layer (SSL) should be used to minimize the likelihood
that an attacker can snoop the username and password.
SSL not only encrypts the data before it is transferred to the web site,
but also decrypts the data received from the web site, thus securing
the data transfer in both directions.
Configuring a DNS Server
(BIND)
How do computers communicate? (figure: hosts addressed 192.168.1.1 to
192.168.1.5 by IP address)
How do humans communicate with computers? (figure: a user types Google.com
and the name is resolved to the address 209.165.200.225)
DNS Features
• Global distribution (figure: one master server replicating the zone to
slave servers)
• Resource records, e.g. www.ripe.net. … A 10.10.10.2 (an Address
resource record)
Concept: DNS Names
Concept: Recursive server (caching)
(figure: a resolver asks its recursive/forwarder server for www.ripe.net A;
the recursive server queries a gtld-server, which refers it to the ripe
server at ns.ripe.net together with glue; the ripe-server answers
192.168.5.10, which the recursive server caches and returns to the resolver)
Concept: Resource Records detail
• A resource record consists of its name (label), its TTL, its class, its
type and its RDATA.
• TTL is a timing parameter (how long the record may be cached).
• The IN (Internet) class is the most widely used.
• There are multiple types of RR.
• Everything after the type identifier is called the rdata.
Layout: label ttl class type rdata
Resource Records
• Resource Record Types
• SOA Start Of Authority
• NS Name Server
• A IPv4 name-to-address translation
• AAAA IPv6 name-to-address translation
• PTR Address-to-name translation
• MX Mail eXchanger
• CNAME Canonical NAME
• TXT Text
• …
Example: RRs in a zone file
ripe.net. 7200 IN SOA ns.ripe.net. olaf.ripe.net. (
2001061501 ; Serial
43200 ; Refresh 12 hours
14400 ; Retry 4 hours
345600 ; Expire 4 days
7200 ; Negative cache 2 hours
)
ripe.net. 7200 IN NS ns.ripe.net.
ripe.net. 7200 IN NS ns.eu.net.
• The SOA and NS records provide information about the DNS itself.
• The NS records indicate where information about a given zone can be
found (the authoritative servers).
• The values following the serial number in the SOA record are timing
parameters.
TTL and other Timers
• SOA timers are used for maintaining consistency between primary and
secondary servers.
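An added example (not from the slides) that parses the SOA record of the zone file shown above, including its multi-line parenthesised RDATA and ; comments, and then applies two common sanity checks on the timers that keep primary and secondaries consistent: retry should be shorter than refresh, and expire should exceed refresh plus retry. The checks are assumptions chosen for this example, not rules stated on the slides.

```python
import re

# The zone file from the slides, embedded as constructed input.
ZONE = """
ripe.net. 7200 IN SOA ns.ripe.net. olaf.ripe.net. (
    2001061501 ; Serial
    43200      ; Refresh 12 hours
    14400      ; Retry 4 hours
    345600     ; Expire 4 days
    7200       ; Negative cache 2 hours
)
ripe.net. 7200 IN NS ns.ripe.net.
ripe.net. 7200 IN NS ns.eu.net.
"""

SOA_FIELDS = ("serial", "refresh", "retry", "expire", "minimum")

def parse_soa(zone_text: str) -> dict:
    """Return owner, TTL, mname, rname and the five numeric SOA fields."""
    # Drop ';' comments, then join the parenthesised RDATA onto one line.
    stripped = " ".join(line.split(";")[0] for line in zone_text.splitlines())
    m = re.search(r"(\S+)\s+(\d+)\s+IN\s+SOA\s+(\S+)\s+(\S+)\s*\(\s*([\d\s]+)\)",
                  stripped)
    if not m:
        raise ValueError("no SOA record found")
    numbers = [int(n) for n in m.group(5).split()]
    if len(numbers) != 5:
        raise ValueError(f"SOA needs 5 numeric fields, got {len(numbers)}")
    soa = {"owner": m.group(1), "ttl": int(m.group(2)),
           "mname": m.group(3), "rname": m.group(4)}
    soa.update(zip(SOA_FIELDS, numbers))
    return soa

def soa_timer_problems(soa: dict) -> list:
    """Sanity checks on the timers a secondary uses to stay in sync."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        problems.append("expire is shorter than refresh + retry; "
                        "secondaries may discard the zone after one failed refresh")
    return problems
```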
DNS BIND server
• Berkeley Internet Name Domain (BIND) is
• popular software for translating domain names into IP addresses,
usually found on Linux servers.
• The program can be downloaded and installed on Unix and Linux servers
to give them the ability to act as a DNS server for a private (LAN) or
public (Internet) network.
• BIND is also used as the package name.
• The main configuration file for BIND is /etc/named.conf.
• Information for each domain is stored in a zone file under /var/named.
• BIND should be updated frequently.
Advanced BIND Features
BIND has the following advanced features:
• Access List
• Round Robin Load Sharing
• Dynamic DNS Update
Access Control List (mynetwork is an address match list defined with an
acl statement elsewhere in named.conf)
allow-query { mynetwork; };
allow-transfer { mynetwork; };
allow-update { mynetwork; };
Round Robin Load Sharing: several A records for the same name, returned
in rotating order
www IN A 203.200.95.140
www IN A 203.200.95.141
www IN A 203.200.95.142
Dynamic DNS Update: zone records can be changed at run time by clients
permitted through allow-update.
Troubleshooting DNS problem
• Utilities for researching DNS problems:
dig
• $ dig eon.cs.ucr.edu
host
• $ host eon.cs.ucr.edu
nslookup
• $ nslookup eon.cs.ucr.edu
whois
• $ whois google.com
Configuring Mail Transfer Agents
(Postfix)
What is Mail?
• Mail is a text file
• Envelope –
• sender address
• receiver address
• other information
• Message –
• Mail Header – defines the sender, the receiver, the subject of the
message, and some other information
• Mail Body – contains the actual information in the message
SMTP
• SMTP clients and servers have two main components
• User Agent – prepares the message and encloses it in an envelope
(Eudora, for example)
• Mail Transfer Agent – transfers the mail across the Internet
Mail Transfer Agent basics (MTA)
• POP3 is popular with ISPs; messages are usually downloaded from the mail
server to the user's local machine.
• With IMAP, the mail server is typically responsible for the long-term
storage of a user's mail.
When both sender and receiver are connected to the mail server via a
LAN or a WAN, we need two UAs, two pairs of MTAs (client and
server), and a pair of MAAs (client and server). This is the most
common situation today.
Postfix
• A modern, advanced mail transfer agent, designed as a replacement for the
existing sendmail system
• Developed by Wietse Venema
• Human-readable configuration file
• Multiple small programs, each with limited execution privilege
• Backend database lookup tables supported
• Simple spam check/block mechanism
• Postfix has a good reputation for security and is relatively
straightforward to configure.
• Used by default in Ubuntu.
Postfix installation
• Debian Linux
• apt-get install postfix-tls libsasl7 libsasl-modules-plain courier-imap
• Red Hat/Fedora Linux/CentOS
• rpm -ivh postfix-2.2.x.i386.rpm
• rpm -ivh cyrus-sasl-2.1.21.i386.rpm
• The yum install method can also be used
• Commands to control the postfix program
• postfix start
• postfix stop
• postfix reload
E-MAIL SECURITY
• E-mail exchanges can be secured using two application-layer security
protocols designed specifically for e-mail systems.
• These two protocols are Pretty Good Privacy (PGP) and Secure MIME
(S/MIME).
• Multipurpose Internet Mail Extensions (MIME) is a supplementary protocol
that allows non-ASCII data to be sent through e-mail: it transforms
non-ASCII data at the sender site into ASCII data and delivers it to the
client MTA to be sent through the Internet.
Configuring a Proxy Caches
(Squid)
What Is a Proxy Server?
• Part of an overall firewall strategy
(figure contrasting two connection models: in one, the connection is left
open until the proxy closes it after receiving the response packet and
sending it back to the user; in the other, the connection is only left
open until the server closes it after sending the response packet)
Proxy Functions
• Firewall
• Filtering
• Logging
What is a caching proxy?
• Stores a local copy of objects fetched
• Subsequent accesses by other users in the organization are served
from the local cache, rather than the origin server
• Reduces network bandwidth
• Users experience faster web access
What is Squid?
Squid is an abbreviation for Source Quench Introduced Delay.
• A caching proxy for
• HTTP, HTTPS
• FTP and other data
• Squid is provided as free, open source software and can be used
under the GNU General Public License (GPL).
How proxies work (configuration)
• Check the cache for an existing copy of the object (lookup based on an
MD5 hash of the URL)
• If it exists in the cache:
• Check the object's expiry time; if expired, fall back to the origin server
• Check the object's refresh rule; if it has expired, perform an
If-Modified-Since request against the origin server
• If the object is still considered fresh, return the cached object to
the requester
Squid’s page fetch algorithm
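An added example (not Squid's own code) that walks the lookup steps listed above: the store is keyed by an MD5 hash of the URL, an explicit expiry time decides between HIT and going back to the origin, and otherwise a refresh rule modelled on Squid's refresh_pattern (min age, last-modified factor percent, max age) decides between HIT and an If-Modified-Since revalidation. The RefreshRule defaults and all timestamps are constructed values.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

def cache_key(url: str) -> str:
    """Squid indexes its store by an MD5 hash of the URL (method omitted here)."""
    return hashlib.md5(url.encode("utf-8")).hexdigest()

@dataclass
class CachedObject:
    url: str
    body: bytes
    stored_at: int                  # when the proxy fetched it (epoch seconds)
    last_modified: int              # origin's Last-Modified (epoch seconds)
    expires: Optional[int] = None   # explicit Expires/max-age deadline, if any

@dataclass
class RefreshRule:
    """Squid-style refresh_pattern: min age, LM-factor percent, max age (seconds)."""
    min_age: int = 0
    lm_percent: int = 20
    max_age: int = 3 * 24 * 3600

def decide(store: dict, url: str, now: int, rule: RefreshRule) -> str:
    """Return HIT, EXPIRED, REVALIDATE or MISS for one request."""
    obj = store.get(cache_key(url))
    if obj is None:
        return "MISS"                      # fetch from origin, store under key
    if obj.expires is not None:            # origin gave an explicit expiry
        return "HIT" if now < obj.expires else "EXPIRED"
    age = now - obj.stored_at
    if age <= rule.min_age:
        return "HIT"                       # always fresh below min age
    if age <= rule.max_age:
        # Heuristic freshness: an object unchanged for a long time is assumed
        # to stay unchanged for lm_percent of that time.
        fresh_for = (obj.stored_at - obj.last_modified) * rule.lm_percent // 100
        if age <= fresh_for:
            return "HIT"
    return "REVALIDATE"                    # If-Modified-Since to the origin
```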