All network services. Structure of network services

know: purpose and features of using the main network services

be able to: use network services

Services provided by the Internet

The protocols of the TCP/IP family implement the various Internet services.

All services provided by the Internet can be roughly divided into two categories: information exchange between network subscribers and the use of network databases.

Communication services between subscribers include:

Telnet - remote access. It lets the subscriber work on any Internet host as if at his own computer: run programs, change the operating mode, and so on. Everything typed in such a session, including the password, crosses the network in clear text (see the TELNET section below).

FTP (File Transfer Protocol) - a file transfer protocol. It lets the subscriber exchange binary and text files with any computer on the network. Having established a connection with the remote computer, the user can copy a file from the remote computer to his own or from his computer to the remote one.

NFS (Network File System) - a distributed file system. It lets the subscriber use the file system of a remote computer as if it were his own.

Electronic mail - exchange of mail messages with any Internet subscriber. Both text and binary files can be sent. There is no single size limit for a mail message on the Internet: SMTP only requires a server to accept messages of at least 64 kilobytes, and each mail server sets its own maximum (today usually tens of megabytes).

News - receiving network news and electronic bulletin boards and posting information to them. The Internet's bulletin boards (newsgroups) are organized by subject; the user can subscribe to any newsgroups of his choice.

Electronic translator - translates the text sent to it from one language to another. Electronic translators are contacted by e-mail.

Gateways - allow the subscriber to exchange messages with networks that do not use the TCP/IP protocols (Fido, Goldnet, AT50).


The general concept of databases. Basic concepts of database management systems. Data models

know: general information about database design; basic properties, principles of building and functioning of databases, capabilities of database management systems; basic data storage models; their advantages and disadvantages; features of their use in solving problems

be able to: use data and knowledge storage models; design database table structures; establish links between database tables; choose a DBMS for solving problems of building information systems

A database (DB) is a structured collection of data that reflects the properties and state of objects in a particular subject area and the relationships between them.

A database management system (DBMS) is a set of software tools designed to create, accumulate, process and manage a database.

DBMS theory distinguishes three main types of database organization: hierarchical (elements are linked by a subordination relationship, and each element can have only one parent); network (an extension of the hierarchical model in which a descendant record can have any number of parent records); and relational (the database is represented as a set of interconnected tables).

The most widespread DBMS are those based on the relational data model proposed by E. F. Codd.

One of the most common DBMS is MS Access, which is part of the professional version of the Microsoft Office suite.

The popularity of MS Access is largely due to its following properties:
- focus on users of various levels of training;
- availability of convenient visual development tools;
- the ability to integrate with other software products of the Microsoft Office suite.

The MS Access DBMS consists of seven main kinds of objects:
- tables - for storing the structure of the database and the data itself;
- queries - for creating QBE and SQL queries to the database (searching for information in it);
- forms - for convenient entry, viewing and editing of data;
- reports - for preparing and formatting data as a document for printing;
- pages - data access pages, for working with the database from a Web page;
- macros - for automating repetitive operations (a macro is a sequence of internal DBMS commands);
- modules - for automating standard operations and creating new procedures in the Visual Basic programming language.

Table

A table consists of the simplest objects: fields (columns) and records (rows). Each field stores data of one specific type only.

The main characteristics of a field are its name (in Access, up to 64 characters, which may not include a period, exclamation mark, accent grave or square brackets; it should be informative but short) and its type (which characterizes the content of the data).

The main field types are:

- Text - for storing data as a sequence of characters;
- Number - for storing numeric data;
- Yes/No (logical) - for storing logical data that take only one of two values, true/false;
- Date/Time - for entering a date or time;
- Memo - for working with long texts;
- AutoNumber (counter) - a special numeric field for numbering records;
- Currency - for convenient work with numbers denoting amounts of money;
- OLE Object - for storing drawings, pictures, sound and video clips;
- Attachment (an analogue of OLE Object) - creates a field of type Attachment; the required files, for example images, are inserted through a dialog;
- Lookup Wizard - creates a field whose value is chosen from another table or from a list of values using a combo box. Selecting this item in the list of data types starts a wizard that defines the field.

One of the table fields is designated as the key field (usually called the primary key): a field whose value uniquely identifies a record. Most often an AutoNumber (counter) field is used for this, but any field whose values are unique and never empty can serve as the key.

When filling in rows, i.e. entering records, the values must match the field types (text in a Number field or an ill-formed date is rejected); text values are typed without enclosing quotation marks.

Data schema

The mechanism for describing logical relationships between MS Access tables is an object called the data schema (the Relationships window). In it, relationships between tables are established through the tables' key fields.

There are several types of relationship:

- "one-to-one" - one value of a field in one table corresponds to one value of a field in the other table;
- "one-to-many" - one value of a field in one table (the "main" or parent table) corresponds to several values of a field in the other table (the "subordinate" or child table);
- "many-to-many" - several values of a field in one table correspond to several values of a field in the other table.

The most common relationship in relational databases is the one-to-many relationship.

Example of a one-to-many relationship


Typical Actions Allowed in Access

LMB - left mouse button, RMB - right mouse button

What to do?: How to do it?
Starting Access: Start -> Programs -> Microsoft Office -> Microsoft Access
Creating a new database: Microsoft Office button -> New -> enter the name of the database -> Create
Opening an existing database: Microsoft Office button -> Open -> select the required database -> Open
Creating a table in Design view: Create tab -> Table button -> Table Tools ribbon -> Views group -> View button -> Design View -> save the table and enter its name -> OK -> enter the names and types of the fields -> mark the field that will be the primary key -> switch to Datasheet view -> enter the required number of records, i.e. fill in the rows
Setting the primary key: select the row of the key field -> Design tab -> Primary Key button (key icon)
Saving a table: Microsoft Office button -> Save -> enter the table name -> OK
Switching to Datasheet view: Table Tools ribbon -> Views group -> View button -> Datasheet View
Editing a table structure (renaming fields, changing their types, adding or deleting fields): switch to Design view -> change the name or type of the required field
Switching to Design view: Table Tools ribbon -> Views group -> View button -> Design View
Creating the data schema (Relationships window): save and close the tables to be linked -> Database Tools tab -> Show/Hide group -> Relationships button -> add the tables to be linked -> close the Show Table window -> create the relationships -> save the layout
Creating a relationship between tables: point at the field name -> hold LMB and drag it onto the related field in the other table -> in the Edit Relationships dialog check "Enforce Referential Integrity" -> optionally check the cascade update / cascade delete boxes -> the relationship type is determined automatically -> Create
Changing a relationship: click the relationship line with LMB -> RMB -> Edit Relationship...
Deleting a relationship: click the relationship line with LMB -> RMB -> Delete
Finding data in a table: place the cursor anywhere in the column to be searched -> Home tab -> Find group -> Find button (binoculars icon) -> enter the value sought in the Find What box -> set the remaining search options -> Find Next
Replacing data in a table: place the cursor anywhere in the column to be searched -> Home tab -> Find group -> Replace button (ab->ac icon) -> enter the required values in the Find What and Replace With boxes -> set the remaining search options -> Find Next -> Replace
Filtering data: click the drop-down arrow in the header of the field to be filtered (or Home tab -> Sort & Filter group -> Filter button) -> choose the required filter from the Filters submenu -> enter its parameters -> OK
Clearing a filter: Home tab -> Sort & Filter group -> Advanced button -> Clear All Filters
Sorting data: place the cursor anywhere in the column to be sorted -> Home tab -> Sort & Filter group -> Ascending or Descending button
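As an added example (not part of the original lecture notes), the one-to-many relationship from the data schema section above and the "Enforce Referential Integrity" and cascade options from the table above, reproduced with Python's sqlite3 module instead of Access. The Departments/Employees tables, their columns and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed schema: one department (parent table) has many employees (child table).
# The REFERENCES clause is the equivalent of drawing the relationship line in Access
# with "Enforce Referential Integrity" checked; ON UPDATE CASCADE is the cascade-update box.
SCHEMA = """
CREATE TABLE Departments (
    DeptID INTEGER PRIMARY KEY AUTOINCREMENT,   -- AutoNumber (counter) key
    Name   TEXT    NOT NULL UNIQUE
);
CREATE TABLE Employees (
    EmpID    INTEGER PRIMARY KEY AUTOINCREMENT,
    FullName TEXT    NOT NULL,
    DeptID   INTEGER NOT NULL
             REFERENCES Departments(DeptID)
             ON UPDATE CASCADE        -- renumbering a department follows into Employees
             ON DELETE RESTRICT       -- a department with employees cannot be deleted
);
"""


def open_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    # SQLite checks foreign keys only when this pragma is on; without it the schema
    # above is documentation, not enforcement (the same trap as an unchecked integrity box).
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    # Parameter placeholders, never string concatenation: the DBMS gets data as data.
    con.executemany("INSERT INTO Departments(Name) VALUES (?)", [("Sales",), ("IT",)])
    con.executemany("INSERT INTO Employees(FullName, DeptID) VALUES (?, ?)",
                    [("Ivanova", 1), ("Petrov", 1), ("Sidorov", 2)])
    con.commit()
    return con


def add_employee(con: sqlite3.Connection, full_name: str, dept_id: int) -> bool:
    """Insert a child row; False if dept_id points at no department."""
    try:
        with con:
            con.execute("INSERT INTO Employees(FullName, DeptID) VALUES (?, ?)",
                        (full_name, dept_id))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_department(con: sqlite3.Connection, dept_id: int) -> bool:
    """Delete a parent row; False if employees still reference it (or it does not exist)."""
    try:
        with con:
            cur = con.execute("DELETE FROM Departments WHERE DeptID = ?", (dept_id,))
        return cur.rowcount == 1
    except sqlite3.IntegrityError:
        return False


def renumber_department(con: sqlite3.Connection, old_id: int, new_id: int) -> int:
    """Change a department's key; returns how many employees now carry the new key
    (all of them, thanks to ON UPDATE CASCADE)."""
    with con:
        con.execute("UPDATE Departments SET DeptID = ? WHERE DeptID = ?", (new_id, old_id))
    return con.execute("SELECT COUNT(*) FROM Employees WHERE DeptID = ?",
                       (new_id,)).fetchone()[0]


def headcount(con: sqlite3.Connection) -> list:
    """The one-to-many join: each department with the number of its employees."""
    return con.execute("""
        SELECT d.Name, COUNT(e.EmpID)
        FROM Departments d LEFT JOIN Employees e ON e.DeptID = d.DeptID
        GROUP BY d.DeptID
        ORDER BY d.Name
    """).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("orphan insert accepted:", add_employee(db, "Nobody", 99))     # False
    print("delete Sales with staff:", delete_department(db, 1))          # False
    print("employees following renumbered dept:", renumber_department(db, 1, 10))
    print(headcount(db))
```

The two rejected operations are exactly what the "Enforce Referential Integrity" checkbox buys in Access: no child row without a parent, and no parent removed while children point at it. Turning the pragma off (or leaving the checkbox clear) silently accepts both and leaves orphaned records behind.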

Basic concepts of relational databases

know: basic concepts of the relational data model; basic principles of working with MS Access DBMS objects; main features of Access DBMS

be able to: define data types, assign key fields in tables, create relationships between tables while ensuring data integrity

The relational data model is based on the concept of a relation.

A relation is represented as a two-dimensional table on which certain restrictions are imposed.

A column of the table corresponds to an attribute of the relation; a row corresponds to a tuple of the relation.

The set of possible values that can appear in a table column is the domain on which the corresponding attribute is defined. Domains are similar to data types in programming languages.

A relation key is one or more attributes whose values uniquely identify any tuple of the relation.

Access 2007 Specifications


The set of server and client parts of the OS that together provide access to a particular type of computer resource over the network is called a network service. For example, the client and server parts of the OS that together give network access to a computer's file system form the file service.

A network service is said to provide a set of services to network users; these are sometimes also called network services. A service is the interface between the consumer of a service and its provider. Each service is tied to a particular type of network resource and/or a particular way of accessing it. A print service gives network users access to shared printers; a mail service gives access to an information resource, e-mail messages. The mode of access can also differ: a remote access service provides users with access to all network resources through dial-up telephone channels, and to reach a specific resource, say a printer, it interacts with the print service.

The most important services for users of a network OS are the file service and the print service. Some network services are aimed not at ordinary users but at the administrator and are used to organize the operation of the network. A more advanced approach is a centralized directory service, which maintains a database not only of all network users but also of all its software and hardware components. Other examples of administrator-oriented services are a network monitoring service, which captures and analyzes traffic; a security service, which may include among other things logon with password verification; and a backup and archiving service.

The range of services an OS offers to end users, applications and administrators determines its position among network operating systems. By their nature, network services are client-server systems: any network service has a source of requests (the client) and a party that serves them (the server), so every network service consists of two asymmetric parts, client and server (Fig. 2.2). An OS may contain both parts of a service or only one of them.



It is usually said that the server provides its resources and the client uses them. Note, however, that when a network service delivers a service, the resources of the client are used as well as the server's: the client may spend a considerable share of its resources (disk space, processor time and so on) to support the service. In a mail service, for example, the client's disk may hold a local copy of the database with the user's extensive correspondence; the client does much of the work of composing messages in various formats, including complex multimedia, maintains the address book and performs many other auxiliary tasks. The fundamental difference between client and server is that the client always initiates the use of the network service, while the server passively waits for requests. A mail server, for instance, delivers mail to the user's computer only when it receives a request from a mail client. The interaction between client and server parts is usually standardized, so one type of server can work with different types of client, implemented differently and possibly by different vendors; the only requirement is that clients and server support a common communication protocol.

Remote management tools for UNIX, Windows NT and NetWare operating systems.

When people talk about remote management, they usually mean SNMP-based network management platforms. Among the most common platforms are HP OpenView, Microsoft SMS, Novell ManageWise, and others. However, their capabilities are quite limited: they are well suited for monitoring network devices, but much worse for direct control of servers and OS. For example, using a network management platform, you cannot create a user account, run a program on a server, write an executable script, and much more. Therefore, instead of "management platform" it would be more correct to use the term "monitoring platform".

It is well known that the most convenient server administration tool is its console. (The NetWare operating system is a special case, which we will consider separately.) From the console, the administrator can monitor any activity on the server, as well as manage the resources of the network OS. However, the administrator is not always able to be at the UNIX or Windows NT console.

While it is now common practice to host servers in dedicated server rooms, network administrators are reluctant to move into such rooms. First, server rooms are filled not only with servers, but also with active network equipment, powerful uninterruptible power supplies, wiring closets, backup facilities, etc. Due to the unfavorable electromagnetic background, the constant presence of personnel in the server room is undesirable. Secondly, the noise level in such rooms is quite high, which makes it sometimes difficult to use even a telephone. After 8 hours of work in such conditions, a person feels completely overwhelmed. Third, there can be several server rooms in a large organization. For these reasons, the administrator would like to have a workplace outside the server room, but still enjoy all the benefits of the console.

In addition, users constantly have certain problems, and the administrator is forced to visit client sites. In such cases, it is important for him to be able to remotely manage the network OS, for example, to assign access rights, create a new user account, increase the size of the file system, etc.

Finally, problems can arise outside office hours, when the administrator is at home. In such cases, it is desirable that he, using his home computer and modem, can remotely identify and fix the problem, and not rush headlong into the office.

All network operating systems have remote administration tools, either built-in or provided by third parties. Some of them implement the concept of a remote console (or remote terminal), some provide scattered administration tools aimed at solving only some specific tasks.

OPERATING SYSTEMS AND ADMINISTRATION

Before talking about remote management of network operating systems, we will briefly review the principles of administration of the most popular operating systems: Windows NT, UNIX, and NetWare. Perhaps the most powerful system, not only in terms of functional parameters, but also in terms of administration capabilities, is the UNIX OS. In UNIX, the kernel is separated from the graphical shell, while the server does not need a graphical shell, although it is used quite often. Interactive interaction between the user and the OS is carried out through the command shell. It has several implementations, with the most popular being the Bourne shell (sh), the C shell (csh), the Korn shell (ksh), and the Bourne again shell (bash). Each of the shells has its own programming language for writing scripting programs. In addition, UNIX is famous for the richest set of application utilities, including utilities for sorting, searching, streaming editing, lexical analysis, macro processing, filters, and many others. Using the shell, system utilities, application programs, and pipelines, UNIX allows you to create extremely flexible administration programs.

UNIX uses the X Window System (X11) graphical shell. Unlike similar shells found in Microsoft Windows and Apple MacOS, X11 is networked and separate from the kernel. That is, from the point of view of the kernel, the X11 system is just a normal user program. With X11, any UNIX machine (with the proper permissions) can act as an X11 client or server. It should be borne in mind that, contrary to common practice, an X11 server refers to the computer on whose display the image is displayed, and the client is the machine on which the program is run. X11 server software exists for many common operating systems, including Windows, MacOS, and others, while client software is implemented primarily on UNIX.

In modern UNIX, utilities with three types of interfaces are used for management tasks: command line, interactive text, and graphical. However, the most powerful and comprehensive OS capabilities are the command line utilities. Such programs are widely used to perform repetitive operations such as creating a user account or assigning access rights. Interactive text and graphical utilities have appeared in UNIX relatively recently, but due to the interactive nature of communication, the benefits of using them in shell programs are far from obvious. Such utilities are mainly used for occasional and fine-tuning of the OS and hardware. Thus, any text terminal emulator will work for UNIX administration.

Despite its widespread adoption, Microsoft Windows NT cannot compete with UNIX in terms of administration. For ease of administration, yes, but not for its capabilities. As you know, the Windows graphical shell is inseparable from the system kernel. Although this is not the best option from the point of view of reliability, such an implementation allows achieving extremely high performance indicators on graphic operations. Another thing is that on the NT server there is little use from this - the purpose of the server is not in any way to quickly display graphical information. Microsoft actually drove users into a corner by offering essentially the same system as a client (NT Workstation) and a server (NT Server). In addition, the Windows graphical environment is not networked.

Several command line-based administration utilities are available for Windows NT. However, their set is rather limited, and besides, the capabilities of the built-in command processor cannot be compared with the UNIX shell. Windows NT Server also comes with a number of programs for remote management of users, domains, access rights, and so on. Such programs can be installed on Windows 9x and NT computers. However, many network applications, especially third-party applications, lack remote control capabilities. Therefore, to fully manage the network environment, the administrator is forced to sit down at the console or emulate the console using specialized programs.

NetWare's management structure is fundamentally different from that of other network operating systems. All server configuration operations, including launching applications, are carried out from the console. At the same time, the management of accounts, printers, files, and the NDS directory service is done from client sites. True, the latest version of NetWare 5 has a single network management console ConsoleOne, with which the administrator can manage network resources from anywhere on the network, including from the console. However, the capabilities of ConsoleOne are still too limited, and it is slow because it is written in Java. In addition, NetWare 5's share of the network operating system market is negligible, as the majority of Novell networks are based on NetWare 4.x. The NetWare console operates in text mode (the server also supports graphical mode in NetWare 5), so it is managed using command line programs and an interactive text interface. The NetWare command language is rather weak, but the OS includes Basic and Perl interpreters that allow you to create quite serious programs. The remote console program included with NetWare provides access to the server console over the network from DOS, Windows, MacOS, UNIX client machines.

Graphical and interactive text-based programs are available to manage NDS, accounts, printers, access rights, and more, for client-side operation. There are few command line utilities available and their capabilities are limited. In short, from the point of view of NDS management, graphical utilities (and primarily NetWare Administrator) have the most powerful capabilities, followed by interactive text programs (NETADMIN, PCONSOLE, etc.), and only then command line utilities.

Having reviewed the main features of the network operating system management structure, we can now move on to familiarize ourselves with the most common remote management tools.

TELNET

Perhaps the best-known UNIX remote management program is telnet, not least because it ships with almost every modern operating system. telnet is a terminal emulation program that uses the TELNET application protocol (RFC 854; an open Internet standard, not a proprietary one). To support the telnet service, the server must run the system program (called a daemon in UNIX) telnetd, which handles telnet client requests. A telnet server can serve several clients at once; the TELNET protocol uses TCP as its transport (port 23).

Telnet can be used to control not only UNIX computers, but also network devices such as routers, switches, remote access servers, etc. telnet can also be used to administer Windows NT (server software for this service is available in several free and commercial programs), but only in command line mode. Telnet allows the user to connect to a remote server from his place and work with it in text mode. This creates a complete illusion for the user that he is sitting at the text terminal of this server.

Telnet is great for heterogeneous networks because it relies on the concept of a Network Virtual Terminal (NVT). It is known that different operating systems and hardware have specific features related to input / output and information processing. For example, UNIX uses LF as a line break, while MS-DOS and Windows use a pair of CR-LF characters. The NVT network virtual terminal allows you to abstract from the features of specific equipment by using a standard set of characters. The telnet client is responsible for converting the client codes to NVT codes, and the server does the opposite (see Figure 1).

Telnet provides an option negotiation mechanism in which client and server agree on certain parameters, including data encoding (7- or 8-bit), transmission mode (half-duplex, character-at-a-time, line-at-a-time), terminal type and others. Commands and data travel in the same TCP stream but are kept apart: a special byte, IAC (Interpret As Command, 255), switches telnet from data transfer to command transfer, and a data byte with the value 255 is sent as IAC IAC. Commands are information used to control the telnet service itself; data is whatever passes through the terminal (client) or pseudo-terminal (server) drivers.

Telnet is a fairly powerful remote management tool, but it has several fundamental drawbacks. The most important is that all data, including passwords, passes between the computers in clear text: anyone with access to the network and the simplest protocol analyzer can not only read the session but also pick up the password for unauthorized access. In a local area network the risk can be reduced with switches (switching hubs), because a switch does not deliver other ports' traffic to a sniffer. Wide deployment of switches is expensive, but administrator workstations at least should be connected through them. Bear in mind that this is a mitigation, not a fix: an attacker on the same segment can still redirect traffic to himself with ARP spoofing, and the session remains readable wherever it is captured. When access is over the Internet, in particular when the administrator works from home, the problem remains in full. One alternative is to bring administrators in through the organization's own remote access servers, which authenticate with protocols such as CHAP, rather than over an ISP connection; unfortunately this is not acceptable for every organization.
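Added example (not from the original article): a small Python parser for the TELNET stream described in the two paragraphs above, separating IAC commands from NVT data and normalizing line endings, followed by the "simplest protocol analyzer" of the last paragraph, which pairs the server's prompts with what the client typed. The captured bytes are constructed for the demonstration, not real traffic, and the prompt patterns are an assumption (real sniffers match a much longer list of prompts).

```python
import re

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
CMD_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}


def split_telnet_stream(raw: bytes):
    """Separate TELNET commands (IAC sequences) from NVT data in one direction of a session.

    Returns (commands, data): commands is a list of readable strings, data is the
    NVT text with CR LF normalized to LF and CR NUL to CR (the conversion a telnet
    client or server performs between local line endings and the NVT)."""
    commands = []
    data = bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:          # truncated command at the end of the capture
            break
        cmd = raw[i + 1]
        if cmd == IAC:          # IAC IAC is an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in CMD_NAMES:  # three-byte option negotiation: IAC <cmd> <option>
            if i + 2 >= n:
                break
            opt = raw[i + 2]
            commands.append(f"{CMD_NAMES[cmd]} {OPTION_NAMES.get(opt, str(opt))}")
            i += 3
        elif cmd == SB:         # subnegotiation: IAC SB <option> <payload> IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            opt, payload = raw[i + 2], raw[i + 3:end]
            commands.append(f"SB {OPTION_NAMES.get(opt, str(opt))} {payload!r}")
            i = end + 2
        else:                   # other two-byte commands (NOP, GA, ...)
            commands.append(f"CMD {cmd}")
            i += 2
    text = bytes(data).replace(b"\r\n", b"\n").replace(b"\r\x00", b"\r")
    return commands, text


def extract_credentials(server_to_client: bytes, client_to_server: bytes) -> dict:
    """Pair the server's prompts with the lines the client typed, in order.

    A passive analyzer anywhere on the path can do the same, because TELNET carries
    prompts, user name and password in clear text. Prompt list is an assumption."""
    _, server_text = split_telnet_stream(server_to_client)
    _, client_text = split_telnet_stream(client_to_server)
    prompts = re.findall(rb"(?m)^(login|Password):", server_text)
    typed = client_text.split(b"\n")
    return {p.decode(): line.decode(errors="replace") for p, line in zip(prompts, typed)}


# Constructed capture of one TELNET login, one byte string per direction (not real traffic).
SERVER_TO_CLIENT = (
    b"\xff\xfd\x18"                  # IAC DO TERMINAL-TYPE
    b"\xff\xfb\x01"                  # IAC WILL ECHO (the server echoes what the client types)
    b"\xff\xfb\x03"                  # IAC WILL SUPPRESS-GO-AHEAD
    b"\xff\xfa\x18\x01\xff\xf0"      # IAC SB TERMINAL-TYPE SEND IAC SE
    b"\r\nlogin: admin\r\n"          # the echoed user name
    b"Password: \r\n"                # the password itself is not echoed
    b"Last login: Mon Mar  1 09:00:00 from 10.0.0.7\r\n$ "
)
CLIENT_TO_SERVER = (
    b"\xff\xfb\x18"                  # IAC WILL TERMINAL-TYPE
    b"\xff\xfd\x01"                  # IAC DO ECHO
    b"\xff\xfd\x03"                  # IAC DO SUPPRESS-GO-AHEAD
    b"\xff\xfa\x18\x00VT100\xff\xf0"  # IAC SB TERMINAL-TYPE IS "VT100" IAC SE
    b"admin\r\n"
    b"s3cret!\r\n"
)

if __name__ == "__main__":
    cmds, data = split_telnet_stream(CLIENT_TO_SERVER)
    print("client negotiation:", cmds)
    print("client typed:", data)
    print("harvested:", extract_credentials(SERVER_TO_CLIENT, CLIENT_TO_SERVER))
```

Nothing in the parser is an attack technique; it is the same decoding every telnet implementation performs. That is the point: whoever sees the bytes sees the password.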

The second problem I would say is that the free telnet client programs that come with operating systems have limited capabilities. It often happens that an interactive text program cannot even start because the telnet client does not support the server's terminal type, and the interactive program does not want to work with the types of terminals that are included in the telnet client.

However, despite these shortcomings, telnet remains the most widely used remote control program.

RLOGIN

First introduced with 4.2BSD UNIX, rlogin was at one time extremely popular in the UNIX environment. As a terminal access tool it is very similar to telnet, but because of its tight integration with the OS it has found very limited use on other systems. rlogin lacks many of the options telnet has, in particular the negotiation of parameters between client and server (terminal type, data encoding and so on), which is why the rlogin program is almost ten times smaller in code size than telnet. On the other hand, rlogin provides trust relationships between hosts: in special files on the rlogin server (usually /etc/hosts.equiv and $HOME/.rhosts) the administrator or user can list computers that will be allowed access without a password. Users of other computers (not listed in these files) can log into the server only after entering a password.

A related program, rsh, lets you run programs on a remote machine with input and output on the local machine. Another, rcp, copies files between computers on the network. The rlogin, rsh and rcp utilities are collectively referred to as the r-commands.

Unfortunately, experience has shown that hostname-based trust is extremely dangerous because it opens the door to unauthorized access: the server decides to trust a client on the basis of the hostname it resolves for the peer address, and the widespread use of IP spoofing and DNS spoofing by attackers makes that decision unreliable. Even when no trust relationships are configured at all, the r-command service is weak, since, as with telnet, data and passwords are transmitted in cleartext. At present, therefore, rlogin is used only in networks completely closed off from the Internet.
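Added example (not part of the original article): a Python evaluation of hosts.equiv/.rhosts-style trust rules, simplified from the BSD semantics, to show how the decision hinges entirely on the client's hostname and why a "+" host entry is dangerous. The sample files are constructed for the demonstration; netgroup (@group) entries are not handled.

```python
def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def rhosts_allows(rules: str, client_host: str, remote_user: str, local_user: str) -> bool:
    """Decide whether an rlogin/rsh request may skip the password, hosts.equiv/.rhosts style.

    Each line is 'host [user]'. '+' matches any host or user; a leading '-' denies.
    Without a user field the remote and local user names must be identical.
    The first line whose host part matches decides the host; user fields that do not
    match let scanning continue. Simplified from BSD ruserok(); netgroups omitted.

    client_host is whatever the server obtained by reverse DNS for the peer address,
    so DNS spoofing or IP spoofing gives the attacker control over the only input
    this check trusts."""
    for raw in rules.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        host_pat = fields[0]
        user_pat = fields[1] if len(fields) > 1 else None

        deny_host = host_pat.startswith("-")
        host_pat = host_pat.lstrip("-")
        if not (host_pat == "+" or host_pat.lower() == client_host.lower()):
            continue
        if deny_host:
            return False

        if user_pat is None:
            if remote_user == local_user:
                return True
            continue
        deny_user = user_pat.startswith("-")
        user_pat = user_pat.lstrip("-")
        user_match = user_pat == "+" or user_pat == remote_user
        if deny_user and user_match:
            return False
        if not deny_user and user_match:
            return True
    return False


def wildcard_host_lines(rules: str) -> list:
    """1-based line numbers whose host field is '+': such an entry trusts every host
    that can reach the server, the classic '+ +' misconfiguration auditors look for."""
    hits = []
    for no, raw in enumerate(rules.splitlines(), 1):
        line = _strip_comment(raw)
        if line and line.split()[0] == "+":
            hits.append(no)
    return hits


# Constructed sample files (not from any real system).
HOSTS_EQUIV = """# system-wide trust
devbox.example.net
-badhost.example.net
ops.example.net operator
"""
RHOSTS_ADMIN = """ops.example.net admin
+ +
"""

if __name__ == "__main__":
    print(rhosts_allows(HOSTS_EQUIV, "devbox.example.net", "alice", "alice"))   # True
    print(rhosts_allows(HOSTS_EQUIV, "devbox.example.net", "alice", "root"))    # False
    print(rhosts_allows(RHOSTS_ADMIN, "attacker.example.org", "anyone", "admin"))  # True
    print("wildcard host entries at lines:", wildcard_host_lines(RHOSTS_ADMIN))
```

The last call is the practical lesson: with "+ +" in a .rhosts file, the password check is skipped for any host and any user name, and even a careful file only defends as well as the name service behind client_host does.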

In addition, the client software for r-commands on DOS and Windows platforms is less common than for telnet, and it is mainly available only in fairly expensive commercial products.

SECURE SHELL

It is obvious that the cleartext transmission of data and especially passwords in telnet and rlogin cannot satisfy even minimal security requirements. There are several ways to protect information systems against such attacks: some protect the password, others encrypt the entire flow of information. Among the latter, the most popular is the Secure shell (ssh) program, part of every standard toolkit for secure UNIX terminal access. The non-commercial version of Secure shell can be downloaded from the server of the program's author, T. Ylönen (http://www.ssh.fi). The free version of ssh, however, is available only for UNIX; Data Fellows (http://www.datafellows.com) supplies a commercial, extended ssh, including for the Windows platform.

Secure shell offers capabilities similar to telnet and the r-commands, including not only terminal access but also copying between computers. Unlike them, ssh also provides secure (forwarded) X11 connections.

The security of ssh rests on three protocol layers: the transport layer protocol, the user authentication protocol and the connection protocol. The transport protocol authenticates the server and establishes the encrypted, integrity-protected channel; the authentication protocol provides strong identification and authentication of the client; and the connection protocol multiplexes that one encrypted channel into several logical channels (terminal sessions, X11 and other forwarded connections).

As already mentioned, Secure shell has become a kind of standard for secure access, including in Russia. This is a very interesting product that can be talked about for a very long time. However, we will not do this (more detailed information about the Secure shell can be found in the article by M. Kuzminsky "Ssh - an everyday means of secure work" in the journal "Open Systems" No. 2, 1999). The thing is that this product, like many others, is prohibited for use in Russia.

According to the Decree of the President of the Russian Federation No. 334 dated 04/03/95, individuals and any organizations, including public, private and joint stock companies, are prohibited from operating cryptography systems that have not been certified by the FAPSI. Secure shell is just such a system. However, you should not be offended by our special services - we are not alone in the world, in some countries, for example, in France, the rules are even stricter (in fairness, it should be noted that in France, since March of this year, restrictions on encryption systems have been significantly weakened). You should also not think that they are trying to prevent us from protecting confidential information: organizations not only can, but are obliged to protect important information. Only for this they must use certified tools, and not freely distributed on the Internet. Of course, programs based on ssh, SSL, PGP, etc. are ubiquitous in our country, but it should be remembered that their use is fraught with considerable troubles. Users of such programs are potentially at risk of investigation by intelligence agencies. In any case, we have no right and no desire to promote such an approach.

SECURE AUTHENTICATION

In most management tasks, administrators are concerned not so much with protecting the transmitted data as with reliable user authentication, so that an attacker cannot intercept and use the administrator's password. There are several possible solutions. First of all, there is Kerberos technology, based on the issuance of tickets. (In fact, Kerberos provides not only authentication but also encryption of network communications, which again falls under the Presidential Decree.) However, because of US government export restrictions, its encryption mechanism is significantly weakened. In corporate dial-up systems, robust authentication services such as RADIUS, TACACS+ and XTACACS can be used. But all of these services (including Kerberos) involve a large-scale redesign of the network infrastructure, which entails high costs. This is hardly justified if remote access is needed only for managing network operating systems.

One-Time Password (OTP) tools are more suitable for such tasks. The essence of such systems is that the user's password transmitted over the network is valid for only one communication session. That is, even if the attacker managed to intercept the password, he will not be able to use it, since the password will already be changed during the next session.

To enable OTP on the server, the telnet, rlogin and ftp daemons have to be replaced (of course, the new services can be started selectively, for example using the upgraded telnetd but keeping the "native" ftpd). The client software does not need to be updated, which is very convenient. A workable OTP system was first released by Bellcore (now Telcordia Technologies) in 1991 under the name S/Key. An important feature of S/Key is that it was originally a non-commercial product that works with many UNIX versions. The most popular OTP systems today are the following (all of them, except S/Key version 2.0 and later, are distributed free of charge):

  • S/Key from Telcordia Technologies (ftp://ftp.bellcore.com);
  • OPIE from the US Naval Research Laboratory (ftp://ftp.nrl.navy.mil);
  • LogDaemon, developed by Wietse Venema (ftp://ftp.porcupine.org/pub/security).

The listed systems are backward compatible with S/Key 1.0. Current OTP implementations are based on the MD4 and MD5 hashing algorithms (S/Key 1.0 used MD4 exclusively).

How do OTP systems work? When OTP is initialized on the server, two parameters are assigned to each user: a secret key (which is never transmitted over the network) and an iteration count, i.e., the number of logins for which this secret key will be valid. On the server, MD4 or MD5 is applied to the secret key and the hashed value is stored. After that, the user can work with the server over the network via ordinary telnet, ftp, etc.

User authentication for terminal access proceeds as follows. After entering the user name, the user is shown the number of the next iteration and a seed. The beginning of the authentication procedure is shown in Figure 2; here the iteration number is 967 and the seed is jar564. In the Password field the user must enter not the secret key itself but a passphrase consisting of six words. This phrase is generated from the secret key, the iteration number and the seed by a special calculator (see Figure 3). To obtain the passphrase, the user enters the iteration number, the seed and the secret key into the calculator (in the example shown, the resulting passphrase is "NO HUFF ODE HUNK DOG RAY").

The passphrase is then entered into the Password field of the terminal access program, after which the server authenticates the user. Bear in mind that at the next authentication the iteration number decreases by one, the seed stays the same, and the passphrase is completely different. Thus an intercepted passphrase is of no use to an attacker, since the system will not authenticate him when he tries to log in with it. The main component of the security is the secret key, and it is never transmitted over the network. Owing to the MD4 and MD5 algorithms, it is practically impossible to compute the secret key from the passphrase, the iteration number and the seed.

When the iteration number reaches zero, the user account must be reinitialized.

It may seem that the main inconvenience for the user is the calculator. This is not quite so, since the calculator is a very small program that needs no configuration. Calculators are freely available for all popular platforms, including MS-DOS, Windows, Macintosh and UNIX. Moreover, passphrases can be memorized (or written down) in advance for several terminal sessions ahead, by decrementing the iteration number one at a time. Thus, to manage the server remotely, the administrator does not need to install the calculator at every client location where he may need to work.
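The hash chain and server-side check described above, written out as an added example; it is not code from the article or from S/Key, OPIE or LogDaemon. It uses MD5 and the hexadecimal response form of RFC 2289 rather than the six-word phrase (which needs a 2048-word dictionary); the user name and passphrase are constructed sample values, and the seed jar564 is the one shown in the text.

```python
"""One-time password hash chain in the style of S/Key and OTP (RFC 2289).

Added example, not code from the article or from the OTP packages it lists.
It implements the chain and a minimal server-side check, using MD5 and the
hex response form that RFC 2289 also allows; the six-word encoding of the
text is omitted because it needs a 2048-word dictionary. The user name,
passphrase and seed used with it are constructed sample values.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


def fold(digest: bytes) -> bytes:
    """Fold a 128-bit digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_step(value: bytes) -> bytes:
    """One link of the chain: hash the previous 64-bit value and fold again."""
    return fold(hashlib.md5(value).digest())


def otp_compute(passphrase: str, seed: str, count: int) -> bytes:
    """Chain value number `count` for this secret passphrase and seed.

    The seed is case-insensitive and is lower-cased before use; the secret
    passphrase is case-sensitive and never leaves the client side.
    """
    value = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        value = otp_step(value)
    return value


def client_response(passphrase: str, challenge_count: int, seed: str) -> str:
    """What the calculator returns for the challenge shown at login."""
    return otp_compute(passphrase, seed, challenge_count).hex()


class OtpServer:
    """Per user: seed, remaining iteration count and the current chain value.
    The server stores only the hashed value, never the passphrase."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[str, int, bytes]] = {}

    def initialize(self, user: str, passphrase: str, seed: str,
                   count: int) -> None:
        """Set up (or re-initialise) an account good for `count` logins."""
        self._users[user] = (seed, count, otp_compute(passphrase, seed, count))

    def challenge(self, user: str) -> Optional[Tuple[int, str]]:
        """(iteration number, seed) to present at login, or None once the
        chain is exhausted and the account must be re-initialised."""
        seed, count, _ = self._users[user]
        return (count - 1, seed) if count >= 1 else None

    def verify(self, user: str, response_hex: str) -> bool:
        """Accept the response only if one more hash step reproduces the
        stored value; then move the stored value one step down the chain.
        A replayed response fails, because the stored value has moved on."""
        if user not in self._users:
            return False
        seed, count, stored = self._users[user]
        if count < 1:
            return False
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if not hmac.compare_digest(otp_step(candidate), stored):
            return False
        self._users[user] = (seed, count - 1, candidate)
        return True
```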

X WINDOW SYSTEM

Although virtually all UNIX management tasks can be performed in text mode, administrators often prefer a graphical interface as more user-friendly. In addition, some UNIX applications currently on the market can only be operated in a graphical environment. X server software (the graphical output side) is available for a variety of platforms, including DOS, Windows, Macintosh, UNIX and so on; however, in most cases (except UNIX) it comes as part of expensive commercial products. X11 clients (as already noted, the X Window System uses the terms client and server the other way round from usual practice) run mainly on UNIX servers.

It should be borne in mind that the X Window System requires a fairly large network bandwidth. It works fine on local networks but very slowly over wide-area links. Therefore, when using the X Window System from the administrator's home computer, it is better to manage the server through terminal utilities like xterm rather than through graphical utilities.

When connected to a UNIX server (running X11 clients), authentication can be done in two ways: through terminal utilities (telnet, rlogin, etc.) and through the X Display Manager (xdm). In the first variant, the transmission of the password in clear text can be avoided by using the already mentioned ssh and OTP programs instead of telnet and rlogin. In the case of X Display Manager, passwords are transmitted in clear text by default. Therefore, if you remotely manage a UNIX server over public networks, you should not use xdm.

Administrators should be very careful about using a UNIX server as an X server (that is, in plain language, running the X11 graphical shell on a UNIX server). The X Window System is designed so that a user can run an X client from his machine on a remote X server and intercept I / O on it. As a result, an attacker gains the ability to read confidential information from the X server, including passwords entered by the user on the X server (although the xterm terminal emulator allows you to block password interception, this opportunity is rarely used by anyone).

X servers use two client authentication schemes: by host name and by magic cookies (MIT-MAGIC-COOKIE-1). With host-name authentication, system files are created on the X server that list the hosts from which X client programs are allowed to connect to this X server. Such protection cannot be called sufficient, since an attacker can carry out an attack on X11 by spoofing IP addresses or domain names. With the magic-cookie scheme (support for it is built into the XDMCP protocol, on which the X Display Manager is based), authentication is performed on the basis of user accounts. To be able to run a client on the X server, the user must have in his home directory on the X11 client machine a system file containing the X server's secret. This secret is called the magic cookie. The only trouble is that the cookie is transmitted over the network in the clear, so this method can hardly be considered safe either.

The X Window System 11 Release 5 adds two more schemes (XDM-AUTHORIZATION-1 and SUN-DES-1), similar to the MIT-MAGIC-COOKIE-1 scheme, but using the DES encryption algorithm. However, due to export restrictions, such schemes are not included with the X Window System. Based on the above considerations, you can only run X11 server software on a UNIX server when other computers are not allowed to access X11 clients.

Everything that has been said about the poor security of an X server based on a UNIX server fully applies to the administrative client machines on which the X Window System is running.

WINDOWS NT SERVER

When installing Microsoft Windows NT Server, it is assumed that the OS will be administered from the server console. However, the NT Server kit also contains remote management utilities. They are located on the Windows NT Server distribution in the \Clients\Srvtools directory. These utilities can be installed on both Windows NT Workstation and Windows 9x (see Figure 4). With their help, you can administer user and group accounts, rights and privileges and NT domains, and monitor event logs on servers and workstations. The utilities work in graphical mode, similar to the "native" NT Server management utilities. While the remote management utilities allow you to do most of the system administration work, a number of important programs are missing from this set: for example, they cannot be used for server hardware configuration, backups, license management, performance monitoring and so on. In addition, many third-party server applications have no remote control software at all.

The Windows NT Server Resource Kit, supplied by Microsoft, includes a number of additional administration programs, including command-line ones. The most important of these are ADDUSER.EXE (creating new user and group accounts), CACLS.EXE (managing access rights), DUMPEL.EXE (dumping event-log records to the screen or to a file) and RMTSHARE (managing network shares). Even with NT's weak command processor, it is not difficult for an administrator to write a typical script for creating a new account with automatic assignment of rights and privileges.

There are also several programs for Windows NT that implement the telnet server. It allows the administrator to remotely access the NT server and run command line-based programs. Again, remember that most telnet implementations pass the password in cleartext.

But, as noted, remote access utilities and command-line programs cannot solve all administrative tasks. Therefore, some solutions assume emulation of the Windows NT server GUI on a remote computer.

First of all, I would like to mention the products WinFrame from Citrix and Windows Terminal Server (WTS) from Microsoft. In accordance with the architecture of these products, applications run on the NT server and I / O occurs on client computers. According to their manufacturers, WinFrame and WTS are already acceptable at 28 Kbps, so you can even manage your servers from home. To use these tools, the server part of the software must be placed on the NT server, and the client software must be placed on the administrator's workstations. WinFrame and WTS do not transmit passwords in cleartext.

In fairness, it should be said that such solutions are overkill for administration tasks. WinFrame and WTS are designed for many clients connecting to the server (usually the administrator needs only one connection), and because of this, solutions based on these products are quite expensive. For example, connecting one client to a WinFrame server costs between $200 and $400, which adds up, because an organization may have more than one server and more than one administrator.

More suitable, in my opinion, for remote administration are specialized remote management packages such as pcANYWHERE from Symantec and ReachOut from Stac. When using such products, the contents of the NT server screen are duplicated on the display of the local computer, information is entered from the keyboard (and mouse) of the local computer and transmitted to the remote one (in this case, to the NT server). Everything looks as if the administrator is sitting at the server console. pcANYWHERE and other similar products function well not only on a local network, but also over slow dial-up lines. However, they have a limit on the number of simultaneous connections to the server (usually only one connection). PcANYWHERE products have built-in encryption, so it is unlikely that the password will be intercepted.

A common disadvantage of Windows NT remote management tools is the need to install additional software products on the administrator's client sites.

NETWARE

Because of the unique architecture of Novell NetWare, the problems of remote console access should be separated from the problems of network resource management.

Management of user accounts, groups, NDS objects, access rights in NetWare is carried out from client sites, so the administration is initially remote. However, administrators can face one hurdle: Prior to NetWare 5, IPX / SPX was the primary network protocol. This has created and continues to be a major problem when managing NetWare servers over the Internet. If an administrator needs to be able to manage the network OS from a home computer, then he should consider connecting to a local network through a remote access server that supports IPX / SPX protocols. Fortunately, most hardware servers support this mode.

However, the costs of creating the necessary infrastructure can be unacceptable, so often the home computers of administrators are connected to the local network via the Internet. In such a situation, the following option can be proposed: install the pcANYWHERE program (or similar) on one of the computers in the local network, and control the network from the home computer through this intermediate link. This approach, by the way, may turn out to be more attractive from a performance point of view, because network management programs (especially NetWare Administrator) run very slowly over dial-up links. Another way is to upgrade NetWare to version 5 (or install NetWare / IP).

For remote console access, NetWare includes the Rconsole utility, which gives access to the console from a network workstation. However, it has two limitations: firstly, the console password is transmitted in clear text, and secondly, IPX / SPX is used as the protocol. Third-party utilities that provide secure remote access to the console avoid passing the password in cleartext. The best known of them is the commercial program SecureConsole for NetWare by Protocom Development Systems (http://www.serversystems.com), which encrypts the administrator password on access.

As in other cases, the obstacle in the form of IPX / SPX protocols can be removed by using programs like pcANYWHERE (that is, using one of the computers on the local network as a transmission link). Another way is to use the xconsole program, which provides access to the console through the X Window System, that is, over TCP / IP. The Java remote access utility RConsoleJ in NetWare 5 also uses TCP / IP as its transport. However, the xconsole and RConsoleJ programs pass the password in clear text. In summary, we recommend that you use specialized tools like pcANYWHERE to remotely manage NetWare.

WEB TECHNOLOGY

Web technology has a growing influence on the management of the network environment. Many routers, switches and network printers can already be managed via Web browsers, but the list does not end there: the Web is also entering the management of network operating systems. Initially only HTTP and FTP servers could be managed from the Web, but the list is constantly expanding and now includes DBMSs, file systems, firewalls, the DNS and DHCP network services and much more. Even the NDS directory service can be managed through browsers using special commercial software. Nevertheless, Web-based technologies are not yet mature enough to manage the entire network environment. The problem is aggravated by the fact that for many applications and, especially, network devices the password is transmitted over HTTP in clear text.

CONCLUSION

When organizing remote server management, many factors must be taken into account, first of all the characteristics of the network operating system, the performance of the communication lines and the question of secure authentication. UNIX provides the most comprehensive set of management tools; with the right approach, however, Windows NT and NetWare administrators are not at a disadvantage either.

The set of server and client parts of the OS that provide access to a specific type of computer resource over a network is called network service. In the above example, the client and server parts of the OS, which together provide network access to the computer's file system, form a file service.

A network service is said to provide network users with a set of services. This set of services is sometimes also called a service in the narrower sense (from the English term "service"). Although the two terms are sometimes used interchangeably, it should be borne in mind that in some cases the difference between them is fundamental. Further in the text, by "network service" we mean a network component that implements a certain set of services, and by "service" alone we mean a description of the set of services provided by that network service. Thus, a service is the interface between a service consumer and a service provider (the network service).

Each service is associated with a specific type of network resource and/or a specific way of accessing these resources. For example, a print service gives network users access to shared printers on a network and provides a print service, while a mail service provides access to an information resource on the network, e-mail messages. Services also differ in the method of access: the remote access service, for example, gives users of a computer network access to all its resources through dial-up telephone channels. To obtain remote access to a specific resource, such as a printer, the remote access service interacts with the print service. The most important services for network operating system users are the file service and the print service.

Among network services one can single out those oriented not towards the ordinary user but towards the administrator. Such services are used to organize the operation of the network. For example, the Bindery service of the Novell NetWare 3.x operating system allows an administrator to maintain a database of network users on the computer running that operating system. A more progressive approach is to create a centralized reference service, in other words a directory service, designed to maintain a database not only of all network users but also of all the network's software and hardware components. Novell's NDS is often cited as an example of a directory service. Other examples of network services that serve the administrator are a network monitoring service, which captures and analyzes network traffic; a security service, which may include, among other things, logon with password verification; and a backup and archiving service.

The rich set of services offered by the operating system to end users, applications and network administrators determines its position in the general range of network operating systems.

Network services are by their very nature client-server systems. Since implementing any network service naturally gives rise to a source of requests (the client) and a handler of requests (the server), every network service contains two asymmetric parts, client and server. A network service may be represented in the operating system by both parts (client and server) or by only one of them.

It is usually said that the server provides its resources to the client and the client uses them. Note, however, that when a network service provides a certain service, the resources of not only the server but also the client are used: the client may spend a significant part of its resources (disk space, processor time, etc.) on maintaining the network service. The fundamental difference between a client and a server is that the client always initiates the interaction, while the server passively waits for requests. For example, a mail server delivers mail to a user's computer only when a request comes from a mail client.

Typically, the interaction between the client and server parts is standardized, so that one type of server can be designed to work with different types of clients, implemented in different ways and maybe by different manufacturers. The only condition for this is that the clients and the server must support a common standard communication protocol.

And the server port, as a result of which a connection is established that allows two computers to communicate using the appropriate network application protocol.

Port numbers

The port number to which a service is "bound" is chosen according to its function. IANA is responsible for assigning port numbers to specific network services. Port numbers range from 0 to 65535 and are divided into three categories:

  • 0 - 1023 (well-known ports): port numbers are assigned by the IANA and, on most systems, can only be used by system processes (or by root) or by applications run by privileged users. Should not be used without IANA registration. The registration procedure is defined in section 19.9 of RFC 4340.
  • 1024 - 49151 (registered ports): port numbers are included in the IANA catalog and on most systems can be used by regular user processes or programs launched by regular users. Should not be used without IANA registration. The registration procedure is defined in section 19.9 of RFC 4340.
  • 49152 - 65535 (dynamic ports and/or ports used inside closed (private) networks): intended for temporary use, as client ports, as ports negotiated for private services, and for testing applications before registering dedicated ports. These ports cannot be registered.

List of correspondence between network services and port numbers

The IANA maintains an official list of correspondences between network services and port numbers.

Compliance regulation history

The issues of unifying the correspondence of network services to socket (port) numbers were raised in RFC 322 and 349, the first attempts at regulation were made by John Postel in RFC 433 and 503.

Current list

The current list of sockets on a host, that is, which network services it offers and which connections are in progress, can be obtained with the command:

netstat -an

In Windows operating systems, the result of this command looks like this:

Active Connections

  Name  Local Address          External Address       Status
  TCP   0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP   0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP   127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP   127.0.0.1:12025        0.0.0.0:0              LISTENING
  TCP   127.0.0.1:12080        0.0.0.0:0              LISTENING
  TCP   127.0.0.1:12110        0.0.0.0:0              LISTENING
  TCP   127.0.0.1:12119        0.0.0.0:0              LISTENING
  TCP   127.0.0.1:12143        0.0.0.0:0              LISTENING
  TCP   192.168.0.16:139       0.0.0.0:0              LISTENING
  TCP   192.168.0.16:1572      213.180.204.20:80      CLOSE_WAIT
  TCP   192.168.0.16:1573      213.180.204.35:80      ESTABLISHED
  UDP   0.0.0.0:445            *:*
  UDP   0.0.0.0:500            *:*
  UDP   0.0.0.0:1025           *:*
  UDP   0.0.0.0:1056           *:*
  UDP   0.0.0.0:1057           *:*
  UDP   0.0.0.0:1066           *:*
  UDP   0.0.0.0:4500           *:*
  UDP   127.0.0.1:123          *:*
  UDP   127.0.0.1:1900         *:*
  UDP   192.168.0.16:123       *:*
  UDP   192.168.0.16:137       *:*
  UDP   192.168.0.16:138       *:*
  UDP   192.168.0.16:1900      *:*

In UNIX-like OS, the result of the command netstat -an looks like this:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:199             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2604            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2605            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.254:1723         10.0.0.243:2441         ESTABLISHED
tcp        0      0 192.168.19.34:179       192.168.19.33:33793     ESTABLISHED
tcp        1      0 192.168.18.250:37       192.168.18.243:3723     CLOSE_WAIT
tcp        0      0 10.0.0.254:1723         10.0.0.218:1066         ESTABLISHED
tcp        1      0 192.168.18.250:37       192.168.18.243:2371     CLOSE_WAIT
[...]:1723                                  10.0.0.201:4346         ESTABLISHED
tcp        0      0 10.0.0.254:1723         10.0.0.30:2965          ESTABLISHED
tcp        0     48 192.168.19.34:22        192.168.18.18:43645     ESTABLISHED
tcp        0      0 10.0.0.254:38562        10.0.0.243:22           ESTABLISHED
tcp        0      0 10.50.1.254:1723        10.50.1.2:57355         ESTABLISHED
tcp        0      0 10.50.0.254:1723        10.50.0.174:1090        ESTABLISHED
tcp        0      0 192.168.10.254:1723     192.168.13.104:65535    ESTABLISHED
tcp        0      0 10.0.0.254:1723         10.0.0.144:65535        ESTABLISHED
tcp        0      0 10.0.0.254:1723         10.0.0.169:2607         ESTABLISHED
tcp        0      0 10.0.0.254:1723         10.0.0.205:1034         ESTABLISHED
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:1813            0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:323             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
raw        0      0 192.168.10.254:47       192.168.13.104:*        1
raw        0      0 10.0.0.254:47           10.0.0.120:*            1
raw        0      0 10.10.204.20:47         10.10.16.110:*          1
raw        0      0 192.168.10.254:47       192.168.11.72:*         1
raw        0      0 10.0.0.254:47           10.0.0.144:*            1
raw        0      0 10.0.0.254:47           10.0.0.205:*            1
raw        0      0 10.50.0.254:47          10.50.0.174:*           1
raw        0      0 10.0.0.254:47           10.0.0.170:*            1
raw        0      0 10.0.0.254:47           10.0.0.179:*            1

The LISTEN (LISTENING) state shows passively open sockets (listening sockets); these are the ones that provide network services. ESTABLISHED marks established connections, that is, network services in the course of use.
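The port categories above and the LISTEN/ESTABLISHED states in the two listings, combined in an added example that is not code from the page: it parses both netstat -an layouts from constructed sample output modelled on the listings, and groups the listening services by bind address (all interfaces, loopback, a specific address) together with their IANA port category, which is the inventory an administrator compares against what the host is meant to expose on the network.

```python
"""Classify the sockets in `netstat -an` output (Windows and UNIX formats).
Added example, not part of the article; the two listings are constructed
samples modelled on the outputs shown in the text."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of Windows `netstat -an` (state column, no queue columns).
WINDOWS_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.0.16:1573      213.180.204.35:80      ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:123          *:*
"""

# Constructed sample of UNIX `netstat -an` (Recv-Q/Send-Q columns, raw sockets).
UNIX_SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0     48 192.168.19.34:22        192.168.18.18:43645     ESTABLISHED
tcp        1      0 192.168.18.250:37       192.168.18.243:3723     CLOSE_WAIT
udp        0      0 0.0.0.0:161             0.0.0.0:*
raw        0      0 10.0.0.254:47           10.0.0.120:*            1
"""

WINDOWS_PROTOS = {"TCP", "UDP"}
UNIX_PROTOS = {"tcp", "tcp6", "udp", "udp6", "raw", "raw6"}

def port_category(port: int) -> str:
    """IANA port ranges as the text lists them."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"

@dataclass
class Socket:
    proto: str        # lower-cased: "tcp", "udp", "raw" (IPv6 suffix kept)
    local_addr: str   # host part, IPv6 brackets removed
    local_port: int   # -1 when the listing shows "*" instead of a number
    foreign: str
    state: str        # "" for UDP entries, which have no state column

def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else -1)

def parse_netstat(text: str) -> List[Socket]:
    """Accept both layouts; header, blank and unrecognised lines are skipped."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in WINDOWS_PROTOS and len(t) >= 3:
            local, foreign, state = t[1], t[2], (t[3] if len(t) > 3 else "")
        elif t[0] in UNIX_PROTOS and len(t) >= 5:
            local, foreign, state = t[3], t[4], (t[5] if len(t) > 5 else "")
        else:
            continue
        host, port = _split_endpoint(local)
        sockets.append(Socket(t[0].lower(), host, port, foreign, state))
    return sockets

def is_listener(s: Socket) -> bool:
    """LISTEN/LISTENING TCP sockets and stateless UDP sockets provide services;
    raw sockets are skipped (their number is an IP protocol, 47 = GRE)."""
    if s.proto.startswith("raw"):
        return False
    return s.state in ("LISTEN", "LISTENING") or (
        s.proto.startswith("udp") and s.state == "")

def bind_scope(addr: str) -> str:
    """Where a listener is reachable from, judged by its bound address."""
    if addr in ("0.0.0.0", "::", "*"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "specific address"

def listener_report(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Listening services grouped by bind scope, each with its port category."""
    report: Dict[str, List[Tuple[str, int, str]]] = {
        "all interfaces": [], "loopback": [], "specific address": []}
    for s in parse_netstat(text):
        if is_listener(s) and s.local_port >= 0:
            report[bind_scope(s.local_addr)].append(
                (s.proto, s.local_port, port_category(s.local_port)))
    for entries in report.values():
        entries.sort()
    return report
```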

Checking the availability of network services

If problems are detected with a particular network service, various diagnostic tools are used to check its availability, depending on their presence in the given OS.

One of the most convenient tools is the tcptraceroute utility (a variant of traceroute). It uses TCP packets to open a connection (SYN | ACK) to the specified service (by default the web server, port 80) on the host of interest, and shows the transit time of these TCP packets through the routers along the path, whether the service on the host is reachable and, if packets are not being delivered, where along the path the problem occurred.

Alternatively, the following can be used separately:

  • traceroute for diagnosing the packet delivery route (the disadvantage is the use of UDP packets for diagnostics) and
  • telnet or netcat to the port of the problematic service to check its response.

Links

  • RFC 322 Well Known Socket Numbers
  • RFC 349 Proposed Standard Socket Numbers (obsoleted by RFC 433)
  • RFC 433 Socket Number List (obsoleted by RFC 503)
  • RFC 503 Socket Number List (obsoleted by RFC 739)
  • RFC 739 Assigned Numbers (the first list of assigned numbers; replaced by a series of RFCs, the last of which is RFC 1700)
  • RFC 768 User Datagram Protocol
  • RFC 793 Transmission Control Protocol
  • RFC 1700 Assigned Numbers
  • RFC 3232 Assigned Numbers: RFC 1700 is Replaced by an On-line Database
  • RFC 4340 Datagram Congestion Control Protocol (DCCP) (Proposed Standard)

Wikimedia Foundation. 2010.