
CHAPTER THREE

NETWORK MANAGEMENT
Topics covered in this chapter
• Introduction to networking fundamentals
• TCP/IP networking basics
• Configuring for networking
• Configuring a web server, a DNS server and a proxy cache
• TCP/IP troubleshooting: ping, traceroute, ifconfig, netstat, ipconfig
Introduction
• Most Linux systems are connected to a network, either as clients or as
servers.
• To be reachable, a server needs a unique address on the network; the
Internet Protocol (IP) provides that address.
• Today two versions of IP addresses are relevant:
• IPv4 addresses
• IPv6 addresses
IPv4 Addresses
• Every device on the network needs an IP address for communication.
• Similar to the postal address of a person: it says where on the network
the host sits, not which piece of hardware it is.
• Known as a logical address because it is assigned by configuration, not
burned into the hardware.
• Assigned to each host by a network administrator, either manually or
through a DHCP server.
• Written in dotted decimal notation, e.g. 192.168.1.10; the network it
belongs to is written with a prefix length, e.g. 192.168.1.0/24.
• Four octets of 8 bits each, 32 bits in total.
• Every IP address belongs to a specific network; hosts on the same network
talk to each other directly, and a router is needed to reach computers on
another network.
Cont..
• To communicate on the Internet, every computer needs a worldwide unique
IP address.
• IPv4 offers at most about four billion (2^32) addresses.
• This is too few to give every device its own.
• Two ways around the scarcity of IPv4 addresses:
 IPv6, which has a vastly larger address space
 Private network addresses
• Private network addresses are addresses that are for use in internal
networks only.
• They are not routable on the Internet, whereas public addresses are.
Cont..
• Three address blocks are reserved for this purpose (RFC 1918):
• 10.0.0.0/8 (a single Class A network)
• 172.16.0.0/12 (16 Class B networks)
• 192.168.0.0/16 (256 Class C networks)
• Nodes that use private addresses cannot reach the Internet directly:
packets carrying a private source address are dropped by Internet routers.
• To reach the Internet, the private source address must be rewritten to a
public one.
• NAT (Network Address Translation) handles this conversion.
• The NAT router keeps a translation table of every connection that is
currently open for the hosts behind it, so that replies can be mapped back
to the right internal host.
• NAT hides internal addresses, but it is not a firewall: filtering rules
are still needed.
IPv6 Addresses
• IPv6 addresses are 128 bits long.
• IPv6 is the long-term solution to the shortage of IPv4 addresses.
• In an IPv6 environment every device can have a globally unique address, so
NAT is no longer needed; end-to-end reachability returns, which also means
a host firewall is needed where NAT used to block unsolicited inbound
traffic.
• An IPv6 address is written as eight colon-separated groups of four
hexadecimal digits, e.g. fe80:0000:0000:0000:badb:abe0:45bc:34ad; leading
zeros in a group may be dropped and one run of all-zero groups may be
replaced by ::, giving fe80::badb:abe0:45bc:34ad.
• 2^128, i.e. about 340 undecillion, addresses:
340,000,000,000,000,000,000,000,000,000,000,000,000
Network masking/Subnet masking
• To know to which network a computer belongs, a subnet mask is used.
• The subnet mask defines which part of the address identifies the network
and which part identifies the node (host).
• Example: 192.168.10.100/255.255.255.0 indicates a 24-bit network part and
an 8-bit host part.
• Masks may also be written in classless inter-domain routing (CIDR)
notation as a prefix length, e.g. 192.168.10.100/24; both forms mean the
same thing.
• Like the IP address, the subnet mask is a 32-bit number written as four
8-bit segments in dotted-quad decimal notation; the one bits (always
contiguous, from the left) cover the network part.
Cont..
• Class A: 255.0.0.0 (8-bit network, 24-bit host)
• Class B: 255.255.0.0 (16-bit network, 16-bit host)
• Class C: 255.255.255.0 (24-bit network, 8-bit host)
• Logically ANDing the IP address with the mask yields the network address;
the bits that are 0 in the mask are the host portion of the address and
the remaining bits are the network portion.
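The bitwise AND the slides describe, carried out in plain POSIX shell as an added example (this code is not part of the lecture). It converts between a prefix length and a dotted mask, derives the network, host and broadcast parts, decides whether two hosts share a network (and so can talk without a router), and checks membership in the RFC 1918 private blocks listed earlier in this chapter. The addresses in the comments are the slides' own examples.

```shell
#!/bin/sh
# Added example: subnet arithmetic in POSIX shell (not from the lecture).
set -eu

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask 24 -> 255.255.255.0  (CIDR length to dotted-quad mask)
prefix_to_mask() {
    int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# mask_to_prefix 255.255.255.0 -> 24  (count the leading one bits)
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 4294967295 ))
    done
    echo "$n"
}

# network_of IP MASK -> the network part (IP AND mask); 192.168.10.100/24 -> 192.168.10.0
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# host_part IP MASK -> the host part (IP AND NOT mask); 192.168.10.100/24 -> 0.0.0.100
host_part() {
    int_to_ip $(( $(ip_to_int "$1") & ~$(ip_to_int "$2") & 4294967295 ))
}

# broadcast_of IP MASK -> directed broadcast address (IP OR NOT mask)
broadcast_of() {
    int_to_ip $(( ($(ip_to_int "$1") | ~$(ip_to_int "$2")) & 4294967295 ))
}

# same_network IP1 IP2 MASK: succeeds when both yield the same network address,
# i.e. they reach each other directly instead of through the default gateway
same_network() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# cidr_contains NET/PREFIX IP: succeeds when IP falls inside the block
cidr_contains() {
    mask=$(prefix_to_mask "${1#*/}")
    same_network "${1%/*}" "$2" "$mask"
}

# is_private IP: succeeds for the RFC 1918 blocks from the slides
is_private() {
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if cidr_contains "$block" "$1"; then return 0; fi
    done
    return 1
}
```

Source the file and call the functions, e.g. `network_of 192.168.10.100 255.255.255.0`; `is_private` is the check a firewall script makes before deciding whether a source address could legitimately have come from the Internet.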
MAC Addresses
• Each network card also has its own address, the MAC address, which lets
devices talk to each other on the local network (the local cable or WLAN,
up to the first router encountered).
• MAC addresses let computers find the specific network card that an IP
address belongs to (on IPv4 this mapping is done by ARP).
• The MAC address is a layer 2 (data link) address; the IP address is a
layer 3 address.
TCP/IP Networking
• "TCP/IP" is shorthand for a large collection of protocols and services
used for internetworking computer systems.
• Network hardware, data packets and the protocols for data exchange
together make up the network stack.
• TCP/IP is the most common network stack today.
• The Internet protocol suite (TCP/IP) is the set of communication protocols
used for the Internet and similar networks.
• It is named after two of its most important protocols:
• The Transmission Control Protocol (TCP) and
• The Internet Protocol (IP)
• TCP/IP has four layers: link, internet, transport and application.
Cont..
Protocol and Ports
• IP is the Internet Protocol, which routes data packets from one machine
to another.
• Nodes offer specific services on the network, such as a web server or a
mail server.
• To identify those services port numbers are used; well-known services
have fixed port numbers, e.g. HTTP 80, SSH 22, HTTPS 443.
• A port number alone does not identify a service; it is combined with a
transport protocol (TCP or UDP), so TCP port 53 and UDP port 53 are
different endpoints.
• ICMP sits beside TCP and UDP on top of IP but has no ports; it carries
control and error messages.
• Every protocol has specific properties.
Cont..
TCP: a connection-oriented transport protocol used by applications to
establish a network connection.
• Guarantees delivery (lost segments are retransmitted) and delivers the
received data in the correct order.
• FTP, Telnet, SMTP, HTTP and SSH use TCP.
UDP: a connectionless transport protocol.
• Gives application programs almost direct access to IP, so information can
be exchanged with minimal protocol overhead.
• Does not guarantee delivery or ordering.
• The application must handle transmission errors itself.
• Used by applications such as DNS (queries) and NFS, and by anything that
prefers low latency over reliability.
ICMP: a connectionless control protocol of the internet layer (not a
transport for applications) used to exchange control information among
networked systems.
• It uses IP datagrams for control, error-reporting and informational
functions, e.g. echo request/reply (used by ping), destination unreachable
and time exceeded (used by traceroute).
Manage Network Addresses and Interfaces
• A computer must contain at least one network interface to be
considered part of a network.
• The network interface provides a communications link between the
computer and external network hardware.
• /etc/hosts contains static mappings between IP addresses and names and is
consulted for name resolution before (or instead of) DNS.
• /etc/nsswitch.conf
• controls the sources used by the various system library lookup
functions (hosts, passwd, group, ...).
• It lets the administrator choose between traditional local files
(/etc/hosts, /etc/passwd), an NIS server or DNS, and in which order
they are tried, e.g. "hosts: files dns".
Cont..
• /etc/host.conf is the legacy resolver configuration; with "order
hosts,bind" it has the resolver check /etc/hosts first and then DNS. On
current glibc systems the order is taken from the hosts: line of
/etc/nsswitch.conf.
• /etc/resolv.conf controls the client side of DNS: the nameserver
addresses to query and the search domains appended to short names.
• /etc/networks, like /etc/hosts, maps names to addresses, but here the
addresses represent entire networks.
Network Hardware Configuration
• Network addresses can be assigned in two ways:
1. Fixed (for servers and in small home networks)
• If no DHCP server is configured on the network, the IP address, netmask,
gateway address and DNS servers must be configured manually.
For example
• ifconfig eth0 192.168.29.39 netmask 255.255.255.0 up
• This command binds the specified IP address to the device (ifconfig is the
legacy tool; the ip command described below is its replacement).
• The gateway address can be set with the route command
# route add default gw 192.168.29.1 eth0
• Settings made this way are lost at reboot; make them persistent through
the distribution's network configuration files.
2. Dynamic Host Configuration Protocol (usually in larger environments)
• Here a DHCP server leases an IP address, or renews an existing lease, in
response to the client's DHCP request.
• The DHCP server process is called dhcpd; it is typically started at boot
time and listens for incoming DHCP requests.
Cont..
• dhcpd can serve multiple subnets via multiple interfaces, serving a
different pool of IP addresses on each.
• It is configured through the text file /etc/dhcpd.conf (on current
distributions /etc/dhcp/dhcpd.conf), which contains one or more subnet
declarations, each giving the address range to lease and options such as
the default gateway and DNS servers.
• If you need to run a DHCP client manually: dhclient eth0

Configuration verification
• To verify the network configuration the ip utility is used:
• ip addr to configure and monitor network addresses
• ip route to configure and monitor routing information
• ip link to configure and monitor the network link state
• For example, with ip addr show (or the short forms ip a s / ip a) we can
verify the
• current state
• MAC address
• IPv4 configuration
• IPv6 configuration
Cont..
• With ip link show we can verify the current link state, i.e. UP or DOWN.
• The state can be set temporarily with ip link set followed by dev, the
device name and up or down (example: ip link set dev eno16777736 up).
Validating Routing

• Routing is an important aspect of networking.
• On every network that needs to communicate with nodes on other networks,
routing is a requirement.
• Every network has at least a default router (gateway address); this
address must lie in the same subnet as the local IP address of your
network card, otherwise the host cannot reach it. Check with ip route
show.
Validating Ports and Services
• Network problems are not only caused by the local IP and router settings;
they can also be related to network ports that are not available (nothing
listening, or blocked by a firewall) on your server or on the remote
server.
• To verify which ports are open on your server, use the netstat command or
the newer ss command, e.g. ss -tulpn to list listening TCP and UDP sockets
together with the owning process.
configuring Linux as router
• Routers interconnect networks; dedicated routers are expensive, but a
router is required whenever we have more than one network.
• The Linux kernel includes IP forwarding, which can be used as a
cost-effective routing solution.
• We need two network cards, one in each of the two networks, for routing
between them (the slide's diagram shows the router with an address in each
of the two networks).
cd /etc
vi sysctl.conf
In the editor, uncomment the line
# net.ipv4.ip_forward=1 (simply remove the #)
Save and exit.
sysctl -w net.ipv4.ip_forward=1
The sysctl -w command enables forwarding immediately; the edit in
sysctl.conf makes it survive a reboot. Check with
cat /proc/sys/net/ipv4/ip_forward (prints 1 when forwarding is on).
Cont..
• A virtual LAN card can be created instead of installing a second physical
card.
• On Red Hat-style systems change to the network scripts directory:
 cd /etc/sysconfig/network-scripts
• Copy ifcfg-eth0 in the same folder to define the new virtual interface:
 cp ifcfg-eth0 ifcfg-eth0.1 (an 802.1Q VLAN sub-interface; it requires
 VLAN=yes in the file and a VLAN-aware switch; ifcfg-eth0:1 would instead
 define an alias, i.e. a second address on the same physical segment)
 Run the setup command, or edit the files directly.
 Assign IP addresses from the two networks to the two interfaces (eth0 and
 eth0.1).
 Enable IP forwarding using an editor (vi/nano/vim):
 vi /etc/sysctl.conf
 Uncomment net.ipv4.ip_forward=1
 (or change the 0 to 1 if the line reads net.ipv4.ip_forward=0)
 Finally restart the network service or reboot the system.
• A forwarding host without a packet filter forwards everything; add
iptables rules so that only the intended traffic crosses between the
networks.
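The static addressing, the ip verification commands and the forwarding setup above, combined into one script as an added example that is not part of the lecture. It uses iproute2 (the replacement for ifconfig and route) and adds the NAT step a two-network router usually needs; the interface names, the addresses and the upstream gateway are assumptions. With DRY_RUN left at its default of 1 the script only prints the commands, so it can be reviewed on any machine; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not from the lecture): two-NIC Linux router with iproute2.
# Assumed topology: LAN A 192.168.1.0/24 on eth0, LAN B 192.168.2.0/24 on eth1,
# Internet via the upstream gateway 192.168.1.254 on LAN A.
set -eu
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# configure_iface DEV ADDR/PREFIX: replace any old address on DEV and bring it up
configure_iface() {
    run ip addr flush dev "$1"
    run ip addr add "$2" dev "$1"
    run ip link set dev "$1" up
}

# set_default_gateway GW DEV: GW must lie inside DEV's own subnet
set_default_gateway() {
    run ip route replace default via "$1" dev "$2"
}

# enable_forwarding: turn forwarding on now and make it survive a reboot
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$DRY_RUN" = 1 ]; then
        echo "write 'net.ipv4.ip_forward = 1' to /etc/sysctl.d/99-router.conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-router.conf
    fi
}

# masquerade_lan_b: the upstream router knows nothing about 192.168.2.0/24, so
# either add a static route there or hide LAN B behind eth0's address (NAT)
masquerade_lan_b() {
    run iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
}

# forwarding_state: 1 if the running kernel forwards IPv4, 0 if not,
# "unknown" when /proc is not available (non-Linux host)
forwarding_state() {
    cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo unknown
}

# router_plan: the whole sequence for the assumed topology
router_plan() {
    configure_iface eth0 192.168.1.1/24
    configure_iface eth1 192.168.2.1/24
    set_default_gateway 192.168.1.254 eth0
    enable_forwarding
    masquerade_lan_b
}

# verify: what to run afterwards to check addresses, link state and routes
verify() {
    run ip -brief addr show
    run ip -brief link show
    run ip route show
}

router_plan
verify
echo "ip_forward currently: $(forwarding_state)"
```

Hosts on LAN B must use 192.168.2.1 as their default gateway for any of this to matter; without the MASQUERADE rule (or a static route on the upstream router) their packets leave eth0 with a 192.168.2.x source address that nothing upstream can answer.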
Web server/apache configuration
• An open source web server, available for Unix, Linux, Solaris and also
Windows.
• Apache is the most popular web server on the net.
• It is secure, fast and reliable when kept up to date and configured
carefully.
• Apache web server software played a key role in the initial growth of
the World Wide Web.
• It is the default web server on Red Hat, SuSE and Debian systems and is
well known in industry for its flexibility and performance.
How it works

A basic web server works as follows:
• It is a program that runs on a host computer.
• It waits for a request from a web browser (client) for objects it has in
its possession.
• Upon receiving the request (a GET command from the client), it retrieves
the requested information and sends it to the client.
• The objects it can serve include HTML documents, plain text, images,
sounds, video and other data.
Why apache ?

Apache's popularity is due to:
• Apache is highly configurable.
• It is extensible (for example mod_perl and mod_php can be added).
• It supports virtual hosts (multi-homed servers).
• It is free and open source.
Installation

• The Apache server is provided through several software packages.
• httpd is the package that contains everything needed for an operational
basic web server.
• Apache is included with most Linux distributions. On a machine with a
recent Linux installation, chances are Apache is already installed and
running.
• The process list shows whether it is running:
machine1$ ps -ef | grep httpd
(on systemd distributions: systemctl status httpd)
Cont..
• If one wishes to download the source code and compile it, execute the
configure script included with the distribution; it detects the type of
system used and sets up the appropriate makefiles.
Use the --prefix option to specify where in the directory tree the Apache
server should live.
• For example:
% ./configure --prefix=/etc/httpd
• Default modules can be used, or features may be included or removed with
the --enable-MODULE and --disable-MODULE options to configure (Apache 2.x;
the 1.3 series used --enable-module=NAME).
Configuration
• All configuration files are in the conf directory (/etc/httpd/conf). In
the Apache 1.3 layout the files to examine and customize were httpd.conf,
srm.conf and access.conf; since Apache 2.0 everything lives in httpd.conf
(plus the files it includes, e.g. conf.d/*.conf) and srm.conf and
access.conf are obsolete.
• httpd.conf sets the TCP port (usually 80, with the Listen directive), the
location of log files and various network and performance parameters.
• srm.conf defined the root of the directory tree in which servable
documents are located (now the DocumentRoot directive in httpd.conf).
• access.conf managed security concerns: directives that control access on
a per-file or per-directory basis (now <Directory> sections in httpd.conf,
or .htaccess files where AllowOverride permits them).
Running Apache

• Apache can be started from the machine's rc scripts or started by hand
with
% /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf
• It can be started automatically at boot time by making a link in the rc
directory that points to /etc/init.d/httpd (on systemd distributions:
systemctl enable --now httpd).
Security
• Modifying the default header:
An attacker profiles a web server from the information it sends in its
headers and error pages (version, operating system, loaded modules) and
picks exploits accordingly.
It is better not to reveal this information. Editing src/include/httpd.h
before compiling is the old way; the run-time directives ServerTokens Prod
and ServerSignature Off achieve the same without rebuilding. Hiding the
version does not remove the vulnerability, so the next point still applies.
• Upgrading old software when necessary (security fixes only help once they
are installed).
• Protecting web data with IP restrictions:
Apache can be configured to accept requests only from specific IP
addresses.
This can be done by adding the following lines to .htaccess (Apache 2.2
syntax; it requires AllowOverride Limit for that directory):
Order deny,allow
Deny from all
Allow from 192.168.1.100
Allow from 192.168.1.101
(Apache 2.4 replaces these with a single directive:
Require ip 192.168.1.100 192.168.1.101)
Cont..
• Using HTTP authentication:
HTTP user authentication restricts access to a particular directory and
its subdirectories on the web server.
The browser implements authentication by prompting the user with a dialog
box for a username and password; with Basic authentication these are sent
base64-encoded, i.e. effectively in clear, on every request.
• Using secure HTTP connections:
TLS (the successor of SSL; SSLv3 and earlier are broken and should be
disabled) should be used so that an attacker cannot snoop the
username/password or the page content.
TLS encrypts the data in both directions, from the browser to the web site
and back, and authenticates the server to the browser through its
certificate, thus securing the data transfer.
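The four measures above put into one Apache 2.4 drop-in file, written by a small deployment script, as an added example that is not part of the lecture. The paths, the host name www.example.com and the allowed addresses are assumptions; the directives themselves are standard Apache ones.

```shell
#!/bin/sh
# Added example (not from the lecture): Apache 2.4 hardening drop-in.
set -eu

# write_hardening_conf FILE: emit the drop-in (normally /etc/httpd/conf.d/hardening.conf)
write_hardening_conf() {
    cat > "$1" <<'EOF'
# --- Modifying the default header ---
# Old advice: patch src/include/httpd.h before compiling. These run-time
# directives do the same without a rebuild. Hiding the version is not a
# substitute for upgrading; it only denies the attacker an easy fingerprint.
ServerTokens Prod
ServerSignature Off
# TRACE echoes the request, including cookies, back to the client
TraceEnable Off

# --- IP restrictions (2.4 syntax; replaces Order/Deny/Allow of 2.2) ---
<Directory "/var/www/html/intranet">
    Require ip 192.168.1.100 192.168.1.101
</Directory>

# --- HTTP basic authentication ---
# Create the password file with: htpasswd -c /etc/httpd/.htpasswd alice
# Keep it outside the DocumentRoot so it can never be served.
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/httpd/.htpasswd"
    Require valid-user
</Directory>

# --- Secure HTTP connections (needs mod_ssl and mod_headers) ---
# Plain HTTP only redirects, so the credentials above never travel in clear.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"
    # SSLv3, TLS 1.0 and TLS 1.1 are broken or deprecated
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
EOF
}

# has_directive FILE PATTERN: succeeds when the configuration contains PATTERN
has_directive() {
    grep -q -- "$2" "$1"
}

# install_hardening [DEST]: write the file and run Apache's syntax check if present
install_hardening() {
    dest="${1:-/etc/httpd/conf.d/hardening.conf}"
    write_hardening_conf "$dest"
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest
    else
        echo "apachectl not found; wrote $dest without a syntax check"
    fi
}
```

Run `install_hardening` as root and then reload httpd; `apachectl configtest` catches a typo before the reload would take the server down. Note that Apache does not allow comments on the same line as a directive, which is why every comment above sits on its own line.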
Configuring a DNS Server
(BIND)
How do computers communicate?
Hosts on a LAN address each other by IP address, e.g. 192.168.1.1,
192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5.
How do humans communicate with computers?
Mr. G, on host 192.168.1.7, opens a browser and types http://www.google.com,
while the server actually sits at an address such as 209.165.200.225.
1. How is this possible?
2. How does the computer turn http://www.google.com into an IP address?
Purpose of naming

• Addresses are used to locate objects

• Names are easier to remember than numbers

• We would like to get to the address or other objects using a name

• DNS provides a mapping from names to resources of several types


DNS
• DNS is a network service that enables clients to resolve names
to IP address and vice-versa.
• Allows machines to be logically grouped by domain names.
• Comprised of three components:
 A "name space"
 Servers making that name space available
 Resolvers (clients) which query the servers about the name space
DNS Features
Global Distribution:

• Data is maintained locally, but retrievable globally


• No single computer has all DNS data

• DNS lookups can be performed by any device

• Remote DNS data is locally cachable to improve performance


DNS Features
Loose Coherency:
• The database is always internally consistent
• Each version of a subset of the database (a zone) has a serial
number
• The serial number is incremented on each database change
• Changes to the master copy of the database are replicated according
to timing set by the zone administrator

• Cached data expires according to timeout set by zone administrator


DNS Features
Scalability:
• No limit to the size of the database
• One server has over 20,000,000 names

• No limit to the number of queries


• 24,000 queries per second handled easily

• Queries distributed among masters, slaves, and caches


DNS Features
Reliability:
• Data is replicated
• Data from master is copied to multiple slaves
• Clients can query
• Master server
• Any of the copies at slave servers
• Clients will typically query local caches
• DNS uses port 53
• UDP for queries and responses (TCP is also used when a response is too
large for UDP and comes back truncated)
• TCP for zone transfers
DNS Features
Dynamicity:
• Database can be updated dynamically
• Add/delete/modify of any record

• Modification of the master database triggers replication


• Only master can be dynamically updated
• Creates a single point of failure
DNS Operation
• DNS is a distributed database of names and IP addresses.
• The database is made up of zone files.
• When a host asks a DNS server to resolve a name, the server consults its
zone files (and its cache) for the IP address:
 If the server has the record in its database, it replies with the IP
 address.
 If it does not have a record for the request, it asks the root servers
 and follows their referrals down to the authoritative servers of the
 domain.
 After obtaining the answer it returns the result to the client (and caches
 it).
 The client then uses the returned address to access the host.
Concept: DNS Names 1
• The namespace needs to be made hierarchical to be able to
scale.

• The idea is to name objects based on


• location (within country, set of organizations, set of
companies, etc)
• unit within that location (company within set of company,
etc)
• object within unit (name of person in company)
Concept: DNS Names 2
How names appear in the DNS
• A Fully Qualified Domain Name (FQDN) shows all the domain levels:
WWW.RIPE.NET.
• labels separated by dots; note the trailing dot, which stands for the root

• DNS provides a mapping from FQDNs to resources of several types

• Names are used as a key when fetching data in the DNS


Concept: Resource Records
• The DNS maps names into data using Resource Records (RRs).
Resource Record (address record, type A):
www.ripe.net. … A 10.10.10.2
Concept: DNS Names 3

• Domain names can be mapped to a tree.
• New branches start at the "dots".
• There is no restriction on the number of branches.
(The slide draws the tree: the top-level domains net, edu and com,
second-level names such as ripe, isi, tislabs, sun, moon and google beneath
them, and hosts such as www, ftp, disi, ws1 and ws2 deeper down.)
Concept: Domains
• Domains are "namespaces".
• Everything below .com is in the com domain.
• Everything below ripe.net is in the ripe.net domain and in the net
domain.
(The slide highlights, on the same tree, the com domain, the net domain and
the ripe.net domain nested inside net.)
Delegation
• Administrators can create subdomains to group hosts
• According to geography, organizational affiliation or any
other criterion

• An administrator of a domain can delegate responsibility for


managing a subdomain to someone else

• The parent domain retains links to the delegated subdomain


• The parent domain “remembers” who it delegated the
subdomain to
Concept: Zones and Delegations
• Zones are "administrative spaces".
• Zone administrators are responsible for a portion of a domain's name
space.
• Authority is delegated from a parent to a child.
(The slide marks three zones on the tree: the net zone, the ripe.net zone
delegated from it, and the disi.ripe.net zone delegated from ripe.net.)
Concept: Name Servers
• Name servers answer DNS questions.
• Several types of name servers:
 Authoritative servers
• master (primary)
• slave (secondary)
 (Caching) recursive servers
• also caching forwarders
 Mixtures of functionality (one daemon doing both; keeping them separate
is the safer practice)
Concept: Authoritative name server

• The authoritative server is the last server in the lookup chain; it holds
the zone data, e.g. the website's IP address.
• Gives authoritative answers for one or more zones.
• The master server normally loads the data from a zone file.
• A slave server normally replicates the data from the master via a zone
transfer (AXFR/IXFR).
(Slide diagram: one master feeding two slaves.)
Concept: Recursive server(Caching)

• Recursive servers do the actual lookups; they ask questions to the DNS
on behalf of the clients.
• Answers are obtained from authoritative servers, but the answers
forwarded to the clients are marked as not authoritative.
• Answers are stored for future reference in the cache.
Concept: Resolvers
• Resolvers ask the questions to the DNS system on behalf of
the application.
• Client part of DNS
• Makes requests to DNS server
• Normally implemented in a system library (e.g. libc):
gethostbyname(char *name);
gethostbyaddr(char *addr, int len, type);
(modern programs use getaddrinfo() and getnameinfo(), which also handle
IPv6)
Concept: Resolving process & Cache
Question: www.ripe.net A
1. The resolver sends "www.ripe.net A ?" to its caching forwarder
(recursive server).
2. The forwarder asks a root server; the root answers with a referral: ask
the net servers at X.gtld-servers.net (plus glue records).
3. The forwarder asks the gtld server; it answers with a referral: ask the
ripe server at ns.ripe.net (plus glue).
4. The forwarder asks the ripe server, which answers 192.168.5.10.
5. The forwarder adds the answer to its cache and returns 192.168.5.10 to
the resolver.
Concept: Resource Records detail
• A resource record consists of its name (label), its TTL, its class, its
type and its RDATA.
• TTL is a timing parameter.
• The IN (Internet) class is the one in general use.
• There are many RR types.
• Everything behind the type identifier is called rdata.
www.ripe.net. 3600 IN A 10.10.10.2
label ttl class type rdata
Resource Records
• Resource Record Types
• SOA Start Of Authority
• NS Name Server
• A IPv4 name-to-address translation
• AAAA IPv6 name-to-address translation
• PTR Address-to-name translation
• MX Mail eXchanger
• CNAME Canonical NAME
• TXT Text
• …
Example: RRs in a zone file
ripe.net. 7200 IN SOA ns.ripe.net. olaf.ripe.net. (
2001061501 ; Serial
43200 ; Refresh 12 hours
14400 ; Retry 4 hours
345600 ; Expire 4 days
7200 ; Negative cache 2 hours
)
ripe.net. 7200 IN NS ns.ripe.net.
ripe.net. 7200 IN NS ns.eu.net.
pinkje.ripe.net. 3600 IN A 193.0.1.162
host25.ripe.net. 2600 IN A 193.0.3.25
label ttl class type rdata


RR: Start Of Authority (SOA) and Name server (NS)

• The SOA and NS records are used to provide information about the DNS
itself.
• The NS records indicate where information about a given zone can be found:
ripe.net. 7200 IN NS ns.ripe.net.
ripe.net. 7200 IN NS ns.eu.net.
• The SOA record provides information about the start of authority, i.e.
the top of the zone, also called the apex.
• It marks the beginning of a zone's data and defines the parameters that
affect the entire zone.
Resource Record: SOA

net. 3600 IN SOA A.GTLD-SERVERS.net. nstld.verisign-grs.com. (
2002021301 ; serial
30M ; refresh
15M ; retry
1W ; expiry
1D ) ; neg. answ. ttl
• A.GTLD-SERVERS.net. is the master server; nstld.verisign-grs.com. is the
contact address (the first dot stands for the @).
• The serial is the version number of the zone; refresh, retry, expiry and
the negative-answer TTL are the timing parameters.
TTL and other Timers

• TTL is a timer used in caches
• An indication of how long the data may be reused
• Data that is expected to be "stable" can have high TTLs; lower the TTL
ahead of a planned change so that caches pick up the new value quickly
• SOA timers are used for maintaining consistency between primary and
secondary servers
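Two chores around the SOA record, as an added example in POSIX shell that is not part of the lecture: reading the five timers out of a zone file (both the plain-seconds style of the ripe.net example and the 30M/1W style of the net example above) and flagging combinations that break primary/secondary consistency, and computing the next YYYYMMDDnn serial, since a serial that does not increase means the secondaries never transfer the change. The zone written by sample_zone is constructed for this example with the ripe.net timers; the rules checked are the usual recommendations (RFC 1912).

```shell
#!/bin/sh
# Added example (not from the lecture): SOA timer sanity check and serial bump.
set -eu

# to_seconds VALUE: BIND time units (S, M, H, D, W) to seconds; plain numbers
# pass through. Combined forms such as 1h30m are not handled.
to_seconds() {
    case "$1" in
        *[Ww]) echo $(( ${1%?} * 604800 )) ;;
        *[Dd]) echo $(( ${1%?} * 86400 )) ;;
        *[Hh]) echo $(( ${1%?} * 3600 )) ;;
        *[Mm]) echo $(( ${1%?} * 60 )) ;;
        *[Ss]) echo "${1%?}" ;;
        *)     echo "$1" ;;
    esac
}

# soa_fields ZONEFILE -> "serial refresh retry expire minimum"
# ';' comments are dropped first; the parenthesised record may span lines.
soa_fields() {
    sed 's/;.*//' "$1" | awk '
        { gsub(/[()]/, " & ") }
        { for (i = 1; i <= NF; i++) {
              if (!done && !inrec && $i == "SOA") { inrec = 1; s = n + 1 }
              if (inrec) {
                  if ($i == ")") { inrec = 0; done = 1; break }
                  if ($i != "(") tok[++n] = $i
              }
          } }
        END { print tok[s+3], tok[s+4], tok[s+5], tok[s+6], tok[s+7] }'
}

# check_soa_timers ZONEFILE: report timer values that violate the usual rules;
# returns non-zero when anything is wrong
check_soa_timers() {
    set -- $(soa_fields "$1")
    serial=$1
    refresh=$(to_seconds "$2"); retry=$(to_seconds "$3")
    expire=$(to_seconds "$4");  minimum=$(to_seconds "$5")
    bad=0
    [ "$retry" -lt "$refresh" ] || { echo "retry ($retry s) should be shorter than refresh ($refresh s)"; bad=1; }
    [ "$expire" -gt $(( refresh + retry )) ] || { echo "expire ($expire s) must exceed refresh+retry, or secondaries drop the zone before a failed primary is retried"; bad=1; }
    [ "$minimum" -le 86400 ] || { echo "negative-cache TTL ($minimum s) above one day keeps NXDOMAIN answers cached too long"; bad=1; }
    [ "$serial" -le 4294967295 ] || { echo "serial $serial does not fit in 32 bits"; bad=1; }
    [ $bad -eq 0 ] && echo "SOA timers ok: refresh=$refresh retry=$retry expire=$expire minimum=$minimum"
    return $bad
}

# next_serial CURRENT TODAY: TODAY as YYYYMMDD; returns a YYYYMMDDnn-style
# serial strictly larger than CURRENT (the only property BIND requires)
next_serial() {
    base=$(( $2 * 100 ))
    if [ "$1" -lt "$base" ]; then echo "$base"; else echo $(( $1 + 1 )); fi
}

# sample_zone FILE: constructed zone using the timers of the ripe.net example
sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
example.net. 7200 IN SOA ns.example.net. hostmaster.example.net. (
        2001061501 ; Serial
        43200      ; Refresh 12 hours
        14400      ; Retry 4 hours
        345600     ; Expire 4 days
        7200 )     ; Negative cache 2 hours
example.net. 7200 IN NS ns.example.net.
ns.example.net. 3600 IN A 192.0.2.53
EOF
}
```

Typical use: `sample_zone /tmp/example.net.zone; check_soa_timers /tmp/example.net.zone; next_serial 2001061501 $(date +%Y%m%d)`. The serial bump runs before `rndc reload`; forgetting it is the classic reason a change shows up on the primary and nowhere else.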
DNS BIND server
• Berkeley Internet Name Domain (BIND) is
• popular software for translating domain names into IP addresses, usually
found on Linux servers.
• The program can be downloaded and installed on Unix and Linux servers to
make them DNS servers for a private (LAN) or public (Internet) network.
• bind (or bind9) is the package name.
• The main configuration file for BIND is /etc/named.conf (Red Hat family)
or /etc/bind/named.conf (Debian family).
• Information for each domain is stored in a zone file under /var/named (or
/etc/bind).
• BIND should be updated promptly; it is Internet-facing and a frequent
target.
Advanced BIND Features
 BIND has the advanced features
• Access List
• Round Robin Load Sharing
• Dynamic DNS Update
Access Control List

• An ACL is a list of semicolon-separated IP addresses or networks.
• Create ACLs and apply directives to the specified ACLs:
acl "mynetwork" { 172.31.0.0/16; 172.30.1.1; };
allow-query {mynetwork; };
allow-transfer {mynetwork; };
allow-update {mynetwork; };
• In practice allow-transfer should list only the secondary servers (a zone
transfer hands out the complete zone), allow-update should be none or
limited to TSIG-signed updates, and while allow-query may be open for
authoritative data, allow-recursion must be restricted to your own
clients.
Dynamic DNS Update

• Dynamic DNS update allows clients (for example a DHCP server) to add,
change or delete the name and IP address records of hosts on the network
by sending UPDATE messages to the master server.
• To disable DDNS, use the directive:
allow-update {none; };
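The ACL directives above with safer defaults than "everything for mynetwork", plus a per-zone allow-update that accepts only TSIG-signed updates, written out by a small script as an added example that is not part of the lecture. The networks, the zone name and the key name are assumptions, and the secret is a placeholder: generate a real one with tsig-keygen.

```shell
#!/bin/sh
# Added example (not from the lecture): restrictive named.conf fragment.
set -eu

# write_named_conf FILE: emit the configuration fragment
write_named_conf() {
    cat > "$1" <<'EOF'
acl "mynetwork"   { 172.31.0.0/16; 172.30.1.1; };
acl "secondaries" { 172.31.0.53; };       // the slave servers, nothing else

key "ddns-key" {
    algorithm hmac-sha256;
    secret "dGhpcyBpcyBhbiBleGFtcGxlIGtleQ==";   // placeholder; use tsig-keygen output
};

options {
    directory "/var/named";
    version "not disclosed";              // like ServerTokens Prod for BIND
    allow-query     { any; };             // authoritative data is public anyway
    allow-recursion { mynetwork; };       // never be an open recursive resolver:
                                          // those get abused for cache poisoning
                                          // and DNS amplification attacks
    allow-transfer  { secondaries; };     // a zone transfer hands out the whole zone
    allow-update    { none; };            // default for every zone
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    // Per-zone override: updates only when signed with the TSIG key,
    // e.g. by the DHCP server that registers its leases
    allow-update { key "ddns-key"; };
};
EOF
}

# has_directive FILE PATTERN: succeeds when the fragment contains PATTERN
has_directive() {
    grep -q -- "$2" "$1"
}

# check_named_conf FILE: syntax check with named-checkconf when it is installed
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping syntax check of $1"
    fi
}
```

After `write_named_conf /etc/named.conf` run `check_named_conf /etc/named.conf` (and `named-checkzone example.com /var/named/example.com.zone`) before `rndc reload`; an attacker testing your server will try `dig @server example.com AXFR` first, and with this configuration that query is refused from anything but the listed secondaries.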
Round Robin Load Sharing

• Crude load balancing can be achieved with multiple A records for the same
name; BIND rotates the order of the answers:
www IN A 203.200.95.140
www IN A 203.200.95.141
www IN A 203.200.95.142
• Round robin does not notice a dead host: its address keeps being handed
out until the record is removed.
Troubleshooting DNS problem
• Utilities for researching DNS problems:
dig
• $ dig eon.cs.ucr.edu
host
• $ host eon.cs.ucr.edu
nslookup
• $ nslookup eon.cs.ucr.edu
whois
• $ whois google.com
• dig +trace eon.cs.ucr.edu walks the delegation down from the root, which
shows where a broken delegation sits.
Configuring Mail Transfer Agents
(Postfix)
What is Mail?
• A mail message is a text file consisting of:
• Envelope
• sender address
• receiver address
• other information
• Message
• Mail header: defines the sender, the receiver, the subject of the
message and some other information
• Mail body: contains the actual information in the message
SMTP
• SMTP clients and servers have two main components:
• User Agents: prepare the message and enclose it in an envelope (Eudora,
for example)
• Mail Transfer Agent: transfers the mail across the Internet
Mail Transfer Agent basics (MTA)

• MTAs are programs that perform the transport of mail delivery.
• They deliver messages to the mail server for the destination domain.
• MTAs listen on port 25 and use SMTP to transfer messages (mail clients
submit messages on port 587, the submission port, usually with
authentication).
• The four main MTAs commonly available on Linux systems are sendmail,
postfix, qmail and exim.
Mail User Agent (MUA)
• MUAs are programs the end user interacts with directly to compose or to
read email.
• They provide the user with a service that makes the process of sending
and receiving messages easier on his machine.
• Some examples of command-driven user agents are mail, pine and elm.
• Eudora, Outlook and Netscape are some of the GUI-based user agents.
Mail delivery agents (MDA)
• MDAs handle the local delivery of mail.
• Messages can be delivered to a person, a mailing list, a file, or even to
a program.
• Postfix can act as an MDA, delivering mail directly to the users'
mailboxes.
• Other MDAs include procmail and the "deliver" component of Dovecot.
Mail access agents (MAA)
• MAAs deliver messages from the mailbox on the mail server to the user's
MUA.
• POP3 and IMAP are the most common MAA protocols.
• POP3 is popular with ISPs; usually messages are downloaded from the mail
server to the user's local machine.
• IMAP is often used by corporate mail servers.
• With IMAP, the mail server is typically responsible for the long-term
storage of a user's mail.
• Examples of MAAs include imapd, qpopper, etc. Both protocols should be
offered over TLS (POP3S/IMAPS or STARTTLS) because they carry the user's
password.
Architecture of a Mail System
Architecture of a simple mail system:
Sender and receiver on the same server
(slide diagram: two user agents exchanging mail through one server)
When the sender and the receiver of an e-mail are on the same mail server,
we need only two user agents.
Architecture of a simple mail system:
Sender and receiver on different servers
(slide diagram: two user agents and a pair of MTAs)
When the sender and the receiver of an e-mail are on different mail
servers, we need two UAs and a pair of MTAs (client and server).
Architecture of a simple mail system:
Sender connected to the mail server via LAN/WAN
(slide diagram: two user agents and two pairs of MTAs)
When the sender is connected to the mail server via a LAN or a WAN, we need
two UAs and two pairs of MTAs (client and server).
Architecture of a simple mail system:
Sender and receiver connected to the mail server via LAN/WAN
(slide diagram: two user agents, two pairs of MTAs and a pair of MAAs)
When both sender and receiver are connected to the mail server via a LAN or
a WAN, we need two UAs, two pairs of MTAs (client and server), and a pair
of MAAs (client and server). This is the most common situation today.
Postfix
• A modern, advanced mail transfer agent, written as a replacement for the
existing sendmail system
• Developed by Wietse Venema
• Human-readable configuration files (main.cf and master.cf)
• Multiple small programs, each running with limited privileges
• Backend database lookup tables supported
• Simple spam check/block mechanisms (restrictions, RBL lookups)
• Postfix has a good reputation for security and is relatively
straightforward to configure.
• Used by default in Ubuntu.
Postfix installation
• Debian Linux (historical package names from the slide)
• apt-get install postfix-tls libsasl7 libsasl-modules-plain courier-imap
• (on current Debian/Ubuntu TLS support is built into the postfix package:
apt-get install postfix)
• Red Hat/Fedora Linux/CentOS (historical package versions from the slide)
• rpm -ivh postfix-2.2.x.i386.rpm
• rpm -ivh cyrus-sasl-2.1.21.i386.rpm
• We can also use the yum (or dnf) install method: yum install postfix
• Commands to control the postfix program
• postfix start
• postfix stop
• postfix reload
• (or systemctl start/stop/reload postfix)
E-MAIL SECURITY
• E-mail exchanges can be secured with two application-layer security
protocols designed in particular for e-mail systems:
• Pretty Good Privacy (PGP) and Secure MIME (S/MIME).
• Both protect the message itself end to end (signing and encryption of the
body); transport encryption between MTAs (STARTTLS on SMTP) protects only
one hop and is a separate measure.
• Multipurpose Internet Mail Extensions (MIME) is a supplementary protocol
that converts non-ASCII data into ASCII at the sender's site so that the
MTAs can carry it through the Internet, and converts it back at the
receiver's site.
Configuring a Proxy Caches
(Squid)
What Is a Proxy Server?
• Part of an overall firewall strategy
• Sits between the local network and the external network
• Originally used primarily as a caching strategy to minimize outgoing URL
requests and increase perceived browser performance
• A main role today is to hide the internal users' addresses from the
outside
• Still used for caching of frequently requested files
• Also used for content filtering
Cont..
• Acts as a go-between, submitting your requests to the external network
• Requests leave with the proxy's IP address instead of your IP address
• Identifying request headers (e.g. the obsolete HTTP From: header, or
X-Forwarded-For) can be stripped before the request goes out
• Causes an actual break in the flow of communications
• Allows one to implement policy:
• Restrict who can access the Internet
• Restrict what sites users can access
• Provides detailed logs of user activity (which in turn need protection,
since they record every user's browsing)
Security Advantages

• Terminates the TCP connection before relaying to the target host (in and
out)
• Hides internal clients from the external network
• Blocking of dangerous URLs
• Filtering of dangerous content (only for plain HTTP; inside an HTTPS
CONNECT tunnel the proxy sees just the destination host)
• Checks consistency of retrieved content
• Eliminates the need for IP routing between the networks (the clients need
no route to the Internet, only to the proxy)
• Single point of access, control and logging
TCP Connection Termination
• Both the outgoing and incoming TCP connections are terminated at the proxy
• This prevents an attacker from hijacking a stale connection on a service
that is being proxied
• Example: an HTTP page request
User -> request packet -> proxy server -> request packet' -> origin server
Origin server -> response packet' -> proxy server -> response packet -> user
The user's connection is left open only until the proxy closes it after
receiving the response packet and sending it back to the user; the
proxy-to-server connection is left open only until the server closes it
after sending the response.
Proxy Functions

Here are the main functions of a proxy server:
• Caching
• Firewall
• Filtering
• Logging
What is a caching proxy?
• Stores a local copy of objects fetched
• Subsequent accesses by other users in the organization are served
from the local cache, rather than the origin server
• Reduces network bandwidth
• Users experience faster web access
What is Squid?
Squid is a name, not an acronym: the expansion sometimes quoted, "Source
Quench Introduced Delay", is a backronym; Squid was the project's code name
during development and it stuck.
• A caching proxy for
• HTTP and HTTPS (HTTPS only as a CONNECT tunnel unless TLS interception
is configured)
• FTP and other data
• Squid is free, open source software released under the GNU General
Public License (GPL).
How proxies work (configuration)

• The user configures the web browser to use the proxy instead of
connecting directly to origin servers.
• Manual configuration for older PC-based browsers and many UNIX browsers
(e.g. Lynx)
• Proxy auto-configuration (PAC) file, originally for Netscape 2.x+ and
Internet Explorer 4.x+, now supported by all major browsers
• Far more flexible proxy selection policy
• Simplifies user configuration, help desk support, etc.
How proxies work (user request)

• The user requests a page: http://uniforum.chi.il.us/
• The browser forwards the request to the proxy
• The proxy optionally verifies the user's identity and checks policy for
the right to access uniforum.chi.il.us
• Assuming the right is granted, it fetches the page and returns it to the
user
Squid’s page fetch algorithm

• Check the cache for an existing copy of the object (lookup based on the
MD5 hash of the URL)
• If it exists in the cache:
• Check the object's expiry time; if expired, fall back to the origin
server
• Check the object's refresh rule; if stale, perform an If-Modified-Since
request against the origin server
• If the object is still considered fresh, return the cached object to the
requester
Squid's page fetch algorithm
• If the object is not in the cache, expired, or otherwise invalidated:
• Fetch the object from the origin server
• If the origin server returns a 500 error and an expired copy is
available, return the expired object
• Test the object for cacheability; if cacheable, store a local copy
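The policy points of the proxy section (who may use the proxy, which sites are blocked, hiding the client, logging) and the caching parameters behind the fetch algorithm, written into a squid.conf by a small script as an added example that is not part of the lecture. The client network, the file paths and the blocked-domain list are assumptions; the directives are standard Squid 3.x ones.

```shell
#!/bin/sh
# Added example (not from the lecture): squid.conf with access policy and cache settings.
set -eu

# write_squid_conf FILE: emit the configuration
write_squid_conf() {
    cat > "$1" <<'EOF'
http_port 3128

# --- Who may use the proxy, and what they may reach ---
acl localnet src 192.168.1.0/24
# blocked-domains.txt: one domain per line (constructed list, assumed path)
acl blocked dstdomain "/etc/squid/blocked-domains.txt"
acl SSL_ports port 443
acl Safe_ports port 80 443 21
acl CONNECT method CONNECT

# http_access rules are evaluated top-down; the first match decides.
# no proxying to odd ports (e.g. relaying through to SMTP)
http_access deny !Safe_ports
# CONNECT tunnels only to 443
http_access deny CONNECT !SSL_ports
# "Restrict what sites users can access"
http_access deny blocked
# "Restrict who can access the Internet"
http_access allow localnet
# everyone else, including the outside world, is refused
http_access deny all

# --- Hide internal clients from the origin servers ---
forwarded_for delete
via off

# --- Caching ---
cache_dir ufs /var/spool/squid 1000 16 256
cache_mem 256 MB
maximum_object_size 50 MB
# refresh_pattern regex min(minutes) percent max(minutes): the "refresh rule"
# consulted before falling back to an If-Modified-Since request
refresh_pattern -i \.(gif|png|jpg|css|js)$ 1440 20 10080
refresh_pattern . 0 20 4320

# --- Logging: one line per request, review and protect these logs ---
access_log daemon:/var/log/squid/access.log squid
EOF
}

# has_directive FILE PATTERN: succeeds when the configuration contains PATTERN
has_directive() {
    grep -q -- "$2" "$1"
}

# access_rules FILE: the http_access lines in evaluation order, one per line
access_rules() {
    grep '^http_access' "$1"
}

# check_squid_conf FILE: parse the file with squid itself when it is installed
check_squid_conf() {
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        echo "squid not installed; skipping parse of $1"
    fi
}
```

Order matters: `http_access deny blocked` has to precede `http_access allow localnet`, otherwise the allow rule matches first and the block list is never consulted. `access_rules` prints the rules in the order Squid will evaluate them, which is the quickest way to review a long policy.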
END OF SLIDES
Thank you!
