
Neon-komputadór

Computer Users Manual, Ministry of Foreign Affairs and Cooperation, Democratic Republic of East Timor
2003



Network Management

A significant amount of network management has already been discussed in Chapter II. To recap, network connections are arranged over a series of layers: data originates in an application and moves down the layers until it reaches the physical communications system, is transferred to the receiving computer, and then moves up the layers to the receiver's application. In the TCP/IP protocol suite, this means originating in the application layer, travelling as either a stream (TCP) or a message (UDP) to the transport layer, where it becomes a segment (TCP) or a packet (UDP), down to the internet layer (datagram) and then across the network access layer (frame), where it is delivered to the receiving machine according to its Internet Protocol (IP) address.

Not only must a system administrator be fully versed in the operation and design of the network protocol suite being used (usually the TCP/IP suite), they must also be competent with the various hardware and software components: connecting Ethernet cables, installing network interface cards and managing the wiring so that hosts can connect to hubs and switches and switches to routers, establishing the Domain Name System, file and print sharing, and maintaining email servers and clients, webservers and clients, and news servers.

For a system administrator the first decision required is what sort of network topology is needed. For small networks (under 10 computers) running on an MS-Windows platform that don't require routing, the most efficient, easiest to install and most cost-effective choice is NetBEUI through a hub. In a larger network, or one that requires routing to other networks, a switchable hub with Ethernet NICs using the TCP/IP protocol is recommended. Physical installation of a Network Interface Card may require changing jumper settings on the adapter board, so the manufacturer's instructions should be followed carefully.

Once physically installed, network interface cards still have to be tested and configured. In Linux this is achieved through linuxconf and in MS-Windows 2000 through the Network dialog box. In most cases the operating system will successfully determine the correct I/O port and IRQ, but there are rare cases when these will have to be entered manually. In both cases it is essential that the system administrator knows the IP address of the host server, the subnet mask (the latter is invariably 255.255.0.0) and, if required, the default gateway for internetwork communications. From here, the network properties are established through either static or dynamic IP addresses. Simply put, manually assigned IP addresses are fixed and don't change unless the administrator changes them. Dynamic IP addresses are assigned by the DHCP server and may change.

If a static IP address is chosen, the value entered needs to be within the range of addresses determined for the network. It is strongly recommended that a ping test on the IP address is carried out to ensure that the address isn't already in use (either assigned manually or by a Dynamic Host Configuration Protocol (DHCP) server). Static addressing also has the modest security advantage that a host's address is known and fixed, so it can be used to identify that host. Static IP addressing is recommended for small networks and for servers. It should also be noted that multiple IP addresses can be assigned to Windows 2000 and Linux computers even if they have only one network adapter card. This is particularly useful when a computer carries different services, as the different IP addresses can be used to differentiate between those services (e.g., a mailserver and a webserver). If a single network adapter is used, all of its IP addresses must belong to the same network segment, or to segments of a single logical network. If the network is divided into multiple physical networks, then multiple adapters must be used.
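The checks described above, as an added example rather than anything from the manual: before committing a static address, confirm it lies inside the network defined by the host server's address and the 255.255.0.0 mask, that it is not the network or broadcast address, that it is not already answering (the page's ping test, or the DHCP scope), and that all addresses given to one adapter share one logical network. The host server address and all other addresses are constructed.

```python
# Added example, not from the manual. Uses the standard ipaddress module.
import ipaddress

HOST_SERVER = "10.1.0.1"        # assumed address of the host server
SUBNET_MASK = "255.255.0.0"     # the mask the text describes as usual


def validate_static_address(candidate, host_ip=HOST_SERVER,
                            mask=SUBNET_MASK, in_use=()):
    """Return the reasons a proposed static address is unusable.

    An empty list means the address may be assigned. `in_use` holds the
    addresses already answering on the segment, as found by the ping test
    the text recommends, or taken from the DHCP scope and reservations.
    """
    problems = []
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ValueError:
        return [f"{candidate!r} is not a valid IPv4 address"]
    # The network is derived from the host server's address and the mask.
    network = ipaddress.IPv4Interface(f"{host_ip}/{mask}").network
    if addr not in network:
        problems.append(f"{addr} is outside {network}")
    elif addr in (network.network_address, network.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address")
    if str(addr) in set(in_use) or str(addr) == host_ip:
        problems.append(f"{addr} is already in use")
    return problems


def same_segment(addresses, mask=SUBNET_MASK):
    """True when every address given to one adapter lies in one logical network."""
    nets = {ipaddress.IPv4Interface(f"{a}/{mask}").network for a in addresses}
    return len(nets) == 1
```

The ping test itself still has to be run against the segment; this code only validates what the administrator is about to type in.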

However, on a large network the problem with static addressing is fairly obvious: entering static IP addresses for all the computers is extremely time consuming. Thus automated dynamic addressing is recommended for most, if not all, user computers. DHCP operates by providing a temporary IP address, assigned from a pool for a specified period of time called a lease. In Windows 2000, DHCP servers are managed through the DHCP Manager, which can create and modify IP pools (or scopes), arrange options, manage client leases and reserve addresses. System administrators and technicians need to be aware, however, that Windows 2000 DHCP occasionally produces IP address conflicts with client systems that have multiple adapters on the same network. Microsoft is aware of this problem, but current information offers no immediate solution. Rather, it is best simply to reconnect the cable to the second adapter and activate it.

The Windows Internet Name Service (WINS) is used to resolve NetBIOS computer names to IP addresses. It operates only on MS-Windows operating systems (Windows 3.1 and up). If a computer with a static IP address accesses the Internet or UNIX networks, DNS (Domain Name Service) needs to be configured and a DNS server must be installed on the network. This name service is native to Linux and UNIX computers, with the most common DNS server being the Berkeley Internet Name Daemon (BIND). As with an MS-Windows system, not all systems require a name server; in fact many only require a resolver, which is a library that queries the name server.

The arrangement of the Domain Name System has already been discussed in some detail in Chapter II. For the system administrator the important thing is establishing a DNS server. Microsoft's DNS Server offers three types: Primary, Secondary and Forwarding-only. These are the logical equivalents of BIND's Master, Slave and Caching-only servers. The essential difference is that Master servers are authoritative for the domain, and all DNS data about a domain is derived from such a server. A Slave DNS server is also authoritative; however, it receives its information from the Master server, which in turn receives the data directly from an administrator-provided file. A Caching-only server rarely contains information about the domain itself, but rather caches the results of queries to build a second-hand, incomplete, but usually accurate database.

Zone files store domain database information and consist of a sequence of Resource Records; the zone name equates to the primary or Master DNS server's domain name. The range of DNS record types is fairly large. The ones most commonly used are A (address), CNAME (Canonical Name), MX (Mail Exchange), NS (Name Server), PTR (Pointer) and SOA (Start of Authority). The SOA record declares the host that is most authoritative for the zone and defines the parameters for the zone; it is created automatically when a zone is created. The NS record specifies the name of the name server for the domain (yes, it does sound recursive), which allows DNS lookups within various zones. The A record maps a hostname to an address, whereas the PTR record maps an address to a hostname. A computer that has multiple IP addresses and adapters should have multiple Address and Pointer records. The MX record specifies a mail exchange server for the domain, and finally the CNAME record sets an alias for a host name; for example, "brussels.mfac.gov.tp" is also known as "www.mfac.gov.tp".
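An added example, not part of the manual: the records for a zone like the one just described, held as a simple list and run through the consistency checks an administrator wants before loading the zone into BIND or Microsoft DNS. The addresses (an assumed 10.1.0.0/16 LAN) and the mail host name are constructed; only "brussels" and "www" come from the text.

```python
# Added example, not from the manual: consistency checks for a small zone.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified (trailing dot)
    rtype: str  # SOA, NS, MX, A, CNAME or PTR
    rdata: str  # address, target host name or mail exchanger


# Constructed forward and reverse records for the domain used in the text.
ZONE = [
    Record("mfac.gov.tp.", "SOA", "brussels.mfac.gov.tp."),
    Record("mfac.gov.tp.", "NS", "brussels.mfac.gov.tp."),
    Record("mfac.gov.tp.", "MX", "mail.mfac.gov.tp."),
    Record("brussels.mfac.gov.tp.", "A", "10.1.0.10"),
    Record("mail.mfac.gov.tp.", "A", "10.1.0.11"),
    Record("www.mfac.gov.tp.", "CNAME", "brussels.mfac.gov.tp."),
    Record("10.0.1.10.in-addr.arpa.", "PTR", "brussels.mfac.gov.tp."),
    Record("11.0.1.10.in-addr.arpa.", "PTR", "mail.mfac.gov.tp."),
]


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_zone(records):
    """Return a list of problems; an empty list means the zone is consistent."""
    problems = []
    a_names = {r.name for r in records if r.rtype == "A"}
    cname_names = {r.name for r in records if r.rtype == "CNAME"}
    ptr_by_name = {r.name: r.rdata for r in records if r.rtype == "PTR"}
    for r in records:
        # An alias owner may carry no other record type (RFC 1034).
        if r.name in cname_names and r.rtype != "CNAME":
            problems.append(f"{r.name} has CNAME and {r.rtype} records")
        # Every A record needs a matching PTR, and every PTR a matching A.
        if r.rtype == "A" and ptr_by_name.get(reverse_name(r.rdata)) != r.name:
            problems.append(f"no PTR for {r.name} ({r.rdata})")
        if r.rtype == "PTR" and r.rdata not in a_names:
            problems.append(f"PTR {r.name} -> {r.rdata} has no A record")
        # SOA, NS and MX must name real hosts (A records), never aliases.
        if r.rtype in ("SOA", "NS", "MX"):
            if r.rdata in cname_names:
                problems.append(f"{r.rtype} target {r.rdata} is a CNAME")
            elif r.rdata not in a_names:
                problems.append(f"{r.rtype} target {r.rdata} has no A record")
        # An alias should point at a host this zone actually knows.
        if r.rtype == "CNAME" and r.rdata not in a_names:
            problems.append(f"CNAME {r.name} points at unknown {r.rdata}")
    return problems
```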

Whilst there are various complexities relating to hardware, IP addresses and name services, sharing network resources such as data files and applications, directories, and printers is significantly easier. This is just as well, as the purpose behind networking is to share resources and communications and thus provide financial and productive efficiencies through distribution. This is also an area where interoperability becomes particularly important, especially when one is dealing with a heterogeneous network, which is unavoidable for a nation-state such as East Timor whose resources are limited and often dependent on donated equipment.

In MS-Windows 2000, sharing files, directories and drives allows remote users access from across a network or even from the web, if web sharing is available through the installation of Internet Information Server. When a directory or a drive is set to be shared, all its files and subdirectories are available to a specified set of users. If access is to be controlled for specific files and subdirectories, the volume must use the NTFS file system. Sharing is established through Windows Explorer or by using the Server Manager, which allows management of resources on any networked computer, assuming that the user is a member of the Administrators or Server Operators group. Share permissions determine the maximum allowable actions within a shared directory and, in increasing order, are No Access, Read (including executing program files), Change and Full Control. On Windows NTFS volumes, the permissions for files and directories are Read, Write, Execute, Delete, Change Permissions and Take Ownership.

Within MS-Windows 2000 the operating system creates some special shared resources automatically. These are known as either Administrative shares or Hidden shares and are designed to aid system administration. Permissions on special shares can't be changed, although the shares can be deleted. Some of the more useful special shares include ADMIN$, which is used for remote administration of a system; NETLOGON, which supports the Net Logon service and access to logon scripts (everyone has read access to this; deleting it is not recommended!); PRINT$, which provides access to shared printer drivers; and driveletter$, which allows administrators to connect to the root directory of a drive (C$, D$, E$ etc.).

The Linux operating system, like UNIX, has long been recognized for its abilities in networking. This includes networking with other Linux/UNIX hosts through the traditional NFS (Network File System) or the newer Coda distributed file system, but also with other operating systems through packages which give those operating systems access to the NFS protocols. This includes Samba, which integrates Linux into MS-Windows networks and vice versa, and emulation for AppleTalk and Netware. Within the environment of East Timor, Samba is the most useful of these utilities and is briefly discussed here.

MS-Windows networking is the result of an evolution that started with the NetBIOS file-sharing protocol, which was gradually developed to become the Server Message Block (SMB) protocol and now the Common Internet File System (CIFS). Samba implements the four basic CIFS services (file and print, authentication and authorization, name resolution, browsing) for UNIX and similar operating systems through two smaller programs: the Server Message Block daemon (smbd), which handles file and print, authentication and authorization, and the NetBIOS name management daemon (nmbd), which handles name resolution and browsing. Furthermore, Samba also comes with several utilities, including nmblookup (queries NetBIOS names and maps them to an IP address), smbclient (an ftp-like client for accessing SMB/CIFS resources), smbmount/smbumount (mount/umount commands for SMB/CIFS shared filesystems on UNIX systems) and smbstatus (lists current SMB connections).

In addition to these commands there is also the Samba Web Administration Tool (SWAT), which is reached by connecting to the URL http://localhost:901/. It allows modification of the Samba configuration file and the establishment of a Samba server, which allows a Linux system to be used as a resource server for MS-Windows clients. The importance of this is not to be underestimated. Through the use of Samba in server mode, a Linux resource server can be created which significantly reduces hardware and licensing costs and improves stability and security. Such a system can handle email, run a DNS server, an intranet webserver and so forth. Under all circumstances where Samba can be used as a resource server, it should be used.

The main problem in providing Internet services arises from the difference between internal and external users. Providing an Internet service in many instances opens the system to external users, who are governed neither by the organization's network use policy nor by its accountability, and who may be malicious. This section will provide a brief overview of electronic mail, ftp services, webservers and news servers.

In Linux, the basic Internet services offered, configured through inetd with security options in tcpd, are Telnet, remote login and SSH (Secure Shell). Telnet and remote login are considered adequate connection utilities, but are not considered to be secure. SSH, on the other hand, uses public-key cryptography to establish a secure connection. Telnet is also part of the Windows operating system, and SSH clients are available for it as well.

Electronic mail consists of three elements: a mail transport agent (MTA), a mail user agent (MUA, or client) and a mail distribution agent (MDA). When a user composes an email, they are using an MUA. When it is sent, it is passed to the MTA, either directly or (in MS-Windows) via a spool directory, from which the MTA will extract it at a particular time. The MTA sorts messages into local and remote, with the former being messages within the LAN. For remote messages, the MTA will contact the recipient's MTA and pass the message on. In the case of receiving mail, the MUA may contact an MDA, such as a remote Post Office Protocol (POP) or Interactive Mail Access Protocol (IMAP) server.

Nearly all email is carried by the Simple Mail Transfer Protocol (SMTP). Originally designed for text-only messages, it now carries other formats under the Multipurpose Internet Mail Extensions (MIME) standard. Because it was designed for machines permanently connected to the Internet, it is quite possible to ignore the POP and IMAP protocols and handle all mail via SMTP. Certainly for MTA to MTA communications, SMTP is all that is required. However, not all user clients accept this arrangement. POP is intended for dial-up links, where the server's MTA delivers to the client mailbox in bulk when a connection is established and delivery is requested. IMAP is intended for LAN use, where mail is handled by a single server: users may log on to any machine, and IMAP gives the MUA read/write access to the user's mailbox. For a systems administrator the key task is to determine which MTA to use (sendmail, qmail and exim are the choices available on Linux, Exchange for Windows 2000).

Secure Emails

Setting up a secure email system for Internet communications is essential for any East Timorese government body. The current prevalence of webmail is not recommended in any circumstances.

The best secure email choice is GnuPG (the GNU Privacy Guard, http://www.gnupg.org). Like PGP, GnuPG uses public key cryptography. It does not use the patented IDEA algorithm and can be used without any restriction. It implements the OpenPGP message format specified by the IETF Network Working Group (cf. RFC 2440). Also unlike PGP, it is freely distributable. It is interoperable across MS-Windows (command line interface), Mac GPG and Linux.

File transfer protocol (ftp) is one of the most widely supported standards for networked file exchange. An FTP session uses two connections: a control connection and a data connection. The former carries the basic actions on the FTP server, such as navigation through directory trees and file operations, and the latter carries directory listings and the data itself. Setting up an FTP daemon under Linux requires an entry in the inetd configuration file, and the daemon can be set to run as a foreground or background server process. The most commonly used FTP daemon is Wu-ftpd. Options for this daemon can be passed directly on execution or from the inetd process. Because FTP allows remote users to retrieve and possibly store information on an organization's network, a systems administrator must pay attention to security and legal issues. Wu-ftpd has a number of security parameters that a systems administrator should be aware of and implement.

The most popular webserver program today is the Apache server, which operates on Linux and MS-Windows 2000, as well as a wide range of other operating systems. It is considered a shining example of the success of open source and freely distributable program development. Derived from the NCSA httpd, the name originally comes from the fact that initial development consisted of collating patches for NCSA's httpd, hence "A PAtCHy" release. With its first public release in 1995, Apache overtook NCSA's httpd by 1997 as the most popular webserver program and has remained there ever since. Apache is widely considered to be the fastest and most functional of all servers. Apache allows configuration on three levels: global directives, main server directives and virtual host settings. The basic configuration directives include setting the ServerAdmin, ServerName, DocumentRoot and ServerRoot directives and directory-based settings. Apache allows logging, customizable error handling (make your own 404 pages!), server-side includes and CGI configuration, as well as modules such as PHP3 and add-ons like Apache-SSL (Secure Sockets Layer).

A program related to Apache is Squid (Source Quench Introduced Delay), a proxy caching service with renowned performance. Squid caches Internet objects, meaning any data available over the standard Internet protocols (HTTP, FTP), as well as DNS lookups and failed requests, and it supports SSL. This is more fully elaborated in the section on Security.

Usenet started some twenty years ago when two university departments wanted to communicate with each other via an electronic bulletin board. Now it consists of thousands of newsgroups and tens of thousands of messages every day, and not just text: graphics, sound and movie files increasingly make up the bulk of Usenet in terms of bandwidth. In fact, managing a full Usenet feed is simply beyond East Timor's means.

By way of illustration, even the traditional, binaries-free hierarchies (say comp*, rec* and soc*) require about 200 megabytes a day. A decent server will store messages for about two weeks, which means 2.8 gigabytes, plus a history file. Any establishment of a Usenet server in East Timor, for the foreseeable future, must be based on a very strict, interest-based feed (e.g., soc.culture.indonesia, soc.culture.portuguese, soc.culture.australia, a couple of comp* newsgroups, rec.games.soccer). This is not to suggest that East Timor shouldn't be part of the Usenet community; it should, and it will be a marvellous event when it joins. It's just that any systems administrator in this nation who is contemplating such a resource needs to think very seriously about the bandwidth and disk storage implications.

The Usenet system prevents replication by giving each message two components: a Path header and a Message-ID. The Path header describes where the article has been, so it doesn't get sent back to where it came from. The Message-ID is a unique identifier. Each news server keeps track of each Message-ID it has seen recently; if the server is offered such a message again, it rejects it. Of the various commercial and non-commercial packages available as news servers, the freely distributable and most widespread INN server is recommended (http://www.isc.org/inn.html), which is available in the standard Linux distributions. INN comes with a great number of options; however, the installation is still relatively simple.
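The duplicate-suppression logic just described, as an added example that is not part of the manual and is not INN's own code: a peer offers an article, the server rejects it if the Message-ID is already in its history or if its own name already appears in the Path, and otherwise records the id and prepends itself to the Path before relaying. The site names and the sample article are constructed.

```python
# Added example, not from the manual: Path and Message-ID handling on a news host.
OUR_SITE = "news.mfac.gov.tp"   # assumed name of the local news host

# Constructed article as received from a peer; only the headers matter here.
SAMPLE_ARTICLE = """\
Path: news.example.net!news.example.org!not-for-mail
From: someone@example.org
Newsgroups: soc.culture.portuguese
Subject: Test
Message-ID: <20030820.1234@example.org>

Body text.
"""


def parse_headers(article):
    """Map lower-cased header names to values, up to the first blank line."""
    headers = {}
    for line in article.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


class NewsServer:
    def __init__(self, site):
        self.site = site
        self.history = set()   # Message-IDs seen recently (the history file)

    def accept(self, article):
        """Decide whether an offered article is taken; returns (accepted, reason)."""
        h = parse_headers(article)
        msgid = h.get("message-id", "")
        if not (msgid.startswith("<") and msgid.endswith(">")):
            return False, "missing or malformed Message-ID"
        if msgid in self.history:
            return False, "duplicate: already seen"
        if self.site in h.get("path", "").split("!"):
            # The article has already passed through this host; don't loop it.
            return False, "already in Path"
        self.history.add(msgid)
        return True, "accepted"

    def outbound_path(self, path):
        """Path header to send onwards: this host prepended to the existing route."""
        return f"{self.site}!{path}" if path else self.site

    def should_offer(self, article, peer):
        """Never offer an article back to a peer that already appears in its Path."""
        return peer not in parse_headers(article).get("path", "").split("!")
```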


Ministry of Foreign Affairs and Cooperation, GPA Building #1, Ground Floor, Dili, East Timor


Website code and design by Lev Lafayette. Last update August 20, 2003
