CPSC 463 Networks and Distributed Processing
Top Three Layers
• Session Layer
• Presentation Layer
• Application Layer

Session Layer Design
• Marks the division between “upper layers” and “lower layers”
  – lower layers := end-to-end communications
  – upper layers := user-oriented services
• Invented by ISO
• Can support transport layer QoS
• Not explicitly used by TCP/IP
• “Generally connection-oriented”

Session Layer & Transport Layer
• Usually a transport connection is required to establish a session
• The Session Layer provides control: it says what to do, not necessarily how to do it
• Can provide redundancy and multiplexing of transport layer resources
• Administrative control point

Dialog Management
• In principle, all OSI connections are full duplex
• Some upper layer software is structured to be half-duplex
• This is to simplify the software and has nothing to do with hardware limitations
• The session layer supports data token schemes to support half-duplex transmissions

Synchronization
• The transport layer provides error recovery only from communication errors
• Synchronization in the transport layer provides for returning the session entities back to the last known correct state
• Example: a session is established and a large file is transmitted; the receiving end has no storage and directly prints the incoming data. The printer dies and data is lost.
• Session users could split the text into pages and insert a synchronization point between each page.
Activity Management
• Users split the message stream into activities
• Delimiters are added in the session to separate activities
[Figure: session timeline with Start/Stop delimiters around “First File Sent” and “Second File Sent”]

Remote Procedure Calls
• Based on the connectionless model
• Generally outside the OSI model
• Can be implemented in the application layer
• Multiple flavors
  – {Sun} ONC RPC
  – {OSF} DCE RPC

“RPC School of Thought”
• Clients sending messages are viewed as procedure calls, with the reply being the return from the procedure
• Contrast this to the more “conventional” school, which views I/O with primitives such as X-DATA.request and X-DATA.return as I/O and interrupts respectively

RPC Invocation
[Figure: call path Client, Client Stub, Network {Portmapper}, Server Stub, Server, with the steps numbered 1 to 7]

RPC Semantics and Orphans
• Operations
  – exactly once
  – at most once
  – at least once
• Handling crashes:
  – 1. Hang forever, waiting for a reply that never comes
  – 2. Time out and raise an exception
  – 3. Time out and retransmit
• Orphans
  – extermination
  – expiration
  – reincarnation (kill & restart)
  – gentle reincarnation (selectively kill and restart)

Presentation Layer
[Figure: Information Transformation between Network Format and Local Format]
“few standards, but a lot of ideas”

Presentation Functions
These are examples!
• Syntax (format) conversion
• Compression
• Encryption
  – Sub-issue: Does it belong here?

Presentation Layer, cont.
• Providing a way to specify complex data structures
• Managing the set of data structures required
• Converting data between internal and external form

Data Representation
• ASCII vs. EBCDIC
• two’s complement vs. one’s complement
• FFF0 hex is -15 in one’s complement; -16 in two’s complement
• byte order: right-to-left vs. left-to-right
• Text file formats

Abstract Syntax Notation 1 (ASN.1)
• Data Structures
• Abstract Syntax
• Transfer Syntax
• International Standard 8825
• Notation used to encode, transfer and decode data structures across a wide range of applications
• Both connection-oriented and connectionless primitives

Data Compression
• Encoding a Finite Set of Equally Likely Symbols
  – Finiteness of the set of symbols.
• Frequency Dependent Coding
  – The relative frequencies with which the symbols are used.
• Context Dependent Encoding
  – The context in which a symbol appears.

Compression
• Elimination of Redundancy
  – (increased susceptibility to error)
• Examples
  – Run Length Encoding
  – Predictive Codes
  – Huffman
  – LZW

Frequency Dependent Coding
• In English, “E” occurs ~100 times more often than the letter “Q”
• So give common symbols short codes and less common symbols longer codes.
• The theoretical minimum encoding often requires fractional bits, but close approximations are available.

Huffman Coding
• 1. Write down all symbols and the associated probability of each. Eventually a binary tree is built on these nodes, with the symbols as the terminal nodes.
• 2. Find the two smallest unmarked nodes and mark them. Add a new node with arcs to each of the nodes just marked. Set the probability of the new node to the sum of the probabilities of the two nodes connected to it.
• 3. Repeat until all nodes are marked except one. The probability of the unmarked node will always be 1.0.
• 4. The encoding for each symbol is found by tracing the path from the unmarked node to that symbol, recording the sequence of left and right branches taken. The code is the path, left = 0, right = 1.

Context Dependent Encoding
• Uses conditional probability instead of independent probability.
• What is P(u|q)?
• So determine the conditional probability for each possible predecessor and store it in a table.
• For k symbols this requires k² entries.
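The four Huffman steps above, as an added example that is not part of the original slides: a Python implementation that builds the code from symbol weights (the frequency-dependent coding of the earlier slide), encodes and decodes, and shows the “increased susceptibility to error” noted on the Compression slide by flipping one bit of the stream. The function names and the sample counts are my own.

```python
import heapq
from itertools import count


class _Node:
    __slots__ = ("left", "right")          # internal node; leaves are the symbol strings
    def __init__(self, left, right):
        self.left, self.right = left, right


def huffman_codes(weights):
    """Steps 1-4 of the slide. `weights` maps symbol -> probability (or count);
    the two lightest unmarked nodes are merged until one root is left, then each
    code is the root-to-leaf path with left = '0' and right = '1'."""
    if len(weights) == 1:                  # a lone symbol still needs one bit
        return {next(iter(weights)): "0"}
    tick = count()                         # tie-breaker: equal weights merge in insertion order
    heap = [(w, next(tick), sym) for sym, w in weights.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)  # smallest node ...
        w2, _, right = heapq.heappop(heap) # ... and second smallest become one new node
        heapq.heappush(heap, (w1 + w2, next(tick), _Node(left, right)))
    codes = {}

    def walk(node, path):
        if isinstance(node, _Node):
            walk(node.left, path + "0")
            walk(node.right, path + "1")
        else:
            codes[node] = path
    walk(heap[0][2], "")
    return codes


def encode(text, codes):
    return "".join(codes[ch] for ch in text)


def decode(bits, codes):
    """Greedy prefix-free decoding: emit a symbol as soon as the bits match a codeword."""
    reverse = {code: sym for sym, code in codes.items()}
    out, cur = [], ""
    for b in bits:
        cur += b
        if cur in reverse:
            out.append(reverse[cur])
            cur = ""
    if cur:
        raise ValueError("trailing bits do not form a complete codeword")
    return "".join(out)


def decode_after_bit_flip(text, codes, flip_at):
    """The Compression slide's caveat: with redundancy removed, one corrupted bit
    can drop the decoder onto the wrong codewords for several symbols."""
    bits = encode(text, codes)
    flipped = bits[:flip_at] + ("1" if bits[flip_at] == "0" else "0") + bits[flip_at + 1:]
    try:
        return decode(flipped, codes)
    except ValueError:
        return None                        # the stream no longer parses at all


if __name__ == "__main__":
    sample = {"a": 4, "b": 3, "c": 2, "d": 1}   # constructed counts for "aaaabbbccd"
    print(huffman_codes(sample), decode_after_bit_flip("aaaabbbccd", huffman_codes(sample), 0))
```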
Compression (Summary)
• The problem domain determines the “best” compression scheme
• Lossy vs. lossless schemes
• One-pass vs. multi-pass schemes

Network Security and Privacy
• Protecting data from being read by unauthorized persons.
• Preventing unauthorized persons from inserting and deleting messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.

Cryptography
• Traditional Cryptography
  – Substitution Ciphers
  – Codes
  – Transposition Ciphers
• Data Encryption Standard
• Key Distribution
• Public Key Cryptography
  – MIT Algorithm
• Authentication & Digital Signatures
  – Federal Standards

Cryptography Users
• Military
• Diplomatic
• Diarists
• Lovers
• Curmudgeons

Cryptography Terms
• Ciphertext or Cryptogram -- encrypted message
• Cryptanalysis -- breaking ciphers
• Cryptography -- devising ciphers
• Cryptology := Cryptanalysis and Cryptography

Encryption Model
[Figure: Plaintext encrypted under Key-1 into Ciphertext, decrypted under Key-2 back to Plaintext; a Passive Listener and an Active Intruder sit on the ciphertext channel]

Keys
• If Key-1 is the same as Key-2, then it has to be a secret key process. They can differ, making it a public key process.
• Big problems: key distribution and key security

Fundamental Truths of Cryptology
• Potential intruders know the general encryption method.
• Message contents may be guessed.
• Cryptographic systems may be changed, but rarely are.
• Non-technical compromises always outnumber successful cryptanalysis.

Ciphers
• Substitution (preserve order, disguise)
  – Caesar code = “shift 4”
  – Alphabet shifted by k letters -- “enigma”
  – Exhaustive search infeasible
  – Words and phrases may be guessed
• Codes
  – Purple code, Japanese translated into Latin
  – Navajo talkers
• Transposition Ciphers (reorder, do not disguise)
  – Game is up when key length is guessed
  – Once close, easy to guess

Data Encryption Standard
• Developed by IBM in 1977
• Implemented in hardware
• Widely used
• 128 bit key proposed, 56 bit key specified. Any guesses why?
• Now, study AES.
Public Key Encryption
• Applying the decryption key to an encrypted message must return the plaintext message.
• The decryption key can’t be guessed from an encryption key.
• The encryption key cannot be broken by a plaintext attack.
• Key point: the decryption key must be privately held.

Digital Signatures
• A’s secret key must remain secret
• B has A’s public key and A has B’s public key
• B receives an encrypted message from A that he decrypts with A’s public key
• B can later show that, lacking A’s private key, he could not have produced the encrypted message

Politics of Cryptography
• Software as Munition
• “Clipper” Chip
• Digital Telephony Bill
• Digital Signature Standard
• Other Countries
• Current Legislation

Application Layer
• File Transfer, Access and Management
  – virtual file store
  – file servers and requesting clients
• Electronic Mail
  – process-to-process traffic expected to dominate the Internet
  – actually email dominates the Internet
• Virtual Terminals
  – representing the abstract state of the real terminal
• Remote Job Execution
  – JTM: Job Transfer and Manipulation

ISO Applications
• FTAM ~ FTP: File Transfer, Access & Manipulation
• VTS ~ TELNET: Virtual Terminal Service
• JTM ~ ???: Job Transfer & Manipulation {maybe rsh, RPC?}
• MHS ~ SMTP: Message Handling System (X.400)

ISO Terminology
[Figure: “applications” built on SASE and CASE, the [Specific|Common] Application Service Elements]
“think of them as programming libraries or APIs”

Electronic Mail
• Motis and X.400: CCITT has aligned them for compatibility. Won’t replace SMTP!
• The user agent: user interface
• Message transfer agent: post office

Virtual Terminals
• Scroll mode terminals: no local resources; dumb display and transmission
• Page mode terminals: 25 x 80 character display; screen editing via termcap
• Form mode terminals: local processing enabled
• Bitmapped terminals: like X stations
• Browsers?

File Transfer Protocol
• FTP recognizes four file types:
• 1. Image – bit by bit transfer
• 2. ASCII
• 3. EBCDIC
• 4. Logical Byte files – binary files which use a byte size other than 8 bits

Electronic Mail
• Pioneered by ARPANET
• RFC 822 (widely used)
• Simple Mail Transfer Protocol (SMTP)
• Supports only ASCII text (see MIME)
• name@domain addressing

Virtual Terminals - TELNET
• Designed for scroll mode terminals
• Hit a key, 8-bit bytes are sent
• 95 ASCII and 7 control characters legal

The Web
• “the” killer application for the Internet
• Two components for popularity
  – http combines multiple access methods (gopher, ftp, etc)
  – hypertext interface supports point-and-click interaction
• Who will organize the information?
  – No one...
  – Database experts
  – Librarians (!)

Web Future Directions
• HTML Enhancements
• Secure Transactions
• Uniform Naming
• Librarians & Brokers
• Information “push” or “pull”

Layer 7 Summary
• Service Element Model
• Not all apps belong here...
• Common Network Services

What is a Distributed System?
Just insert a network?
[Figure: Mass Storage, Computing (CPU) and User Interface joined by a network]

Distributed System Services
[Figure: Servers (Storage, Compute) reached by Users through User Interfaces and the Network]

D.S. Design Issues
• Transparency
• Flexibility
• Reliability
• Performance
• Scalability

More Design Issues
• Global Clocks?
• Causality
• Information Consistency

Distributed Control
• Master/Slave (Issue: Response Time)
  – Polled
  – Command -> <- Response
  – Schedule under control of server
• Client/Server (Issue: Server Size)
  – Interrupt, or Event, Driven
  – Aperiodic Scheduling
• Peer-to-Peer (Issue: Coordination)
  – No single critical node
  – Hard to describe or predict

Distributed System: Why or Why Not?
• Performance
• Economics
• Reliability
• Security

D. S. Architectures
• Cooperating Peers
• Client-Server
• Tiered Client-Server
  – Data Repository
  – Compute Servers
  – Client Stations

“Intranets”
• Definition
  – Using Internet protocols, especially Web tools, for internal MIS
• Motivation
  – Information “push” vs “pull”
• Problems
  – User Capabilities
  – Corporate Policy or Personal Opinion

Key Protocol Areas
• Directory Services
• RPCs
• Security/Authentication
• (Performance) Management
• Programming Models

References
• ISO RM-ODP
  – ITU-T X.901 / ISO 10746-1/2/3/4
• Amjad Umar, Distributed Computing: A Practical Synthesis
  – PTR Prentice-Hall, Englewood Cliffs, NJ, 1993
• Sape Mullender, Distributed Systems, 2d ed.
  – Addison Wesley, 1993

Network Management Definition
"...deploying and coordinating resources in order to plan, operate, administer, analyze, evaluate, design and expand communication networks to meet service-level objectives at all times, at a reasonable cost, and with optimum capacity."

Network Management Functional Areas
• Fault Management: detect -- diagnose -- repair
• Configuration/Name Mgmt: a database problem...
• Performance Mgmt: measure and predict
• Accounting Mgmt: look at individual usage
• Security Mgmt: access control and encryption

Management Protocols
• SNMP - Simple Network Management Protocol – Internet
• CMIP - Common Management Information Protocol – ISO
• TMN - Telecommunications Management Network – ITU-T

Management Protocols Philosophy
• SNMP - Simple Network Management Protocol
  – keep it simple! (cf. the Internet toaster)
• CMIP - Common Management Information Protocol
  – the bazaar: whatever you want
• TMN - Telecommunications Management Network
  – actually a separate network specification

SNMP vs CMIP {round 1}
[Figure: SNMP and CMIP each shaped by requirements from various vendors and user communities]

ISO Management Overview
• Functional areas: Fault Management, Configuration Management, Performance Management, Security Management, Accounting Management
• System Management Functions: Object Mgmt, Alarm Mgmt, Event Report Mgmt, Workload Monitoring, State Mgmt, Log Control, Security Alarm, Security Reporting, Measurement Summarization, Bill Verification, Billing, Resource Utilization, Test Mgmt, Relation Mgmt
• CMISE Services: Initialize, Event Report, Set, Get, Delete, Cancel, Terminate, Action, Create, Abort, Confirmed Event Report, Confirmed Get

SNMP Architecture
• Keep the agent as simple as possible
• Support remote management operations to the fullest extent possible
• Plan for future additions & expansion
• Be independent of specific hosts or devices
• Operate at the Application level

Internet Management Model
[Figure: Network Management station talking to an Agent for its Managed Entities, and to a Proxy Agent standing in front of other Managed Entities]

SNMP
• Intersection of vendor/user requirements
• Few ‘verbs’:
  – get / get-next
  – get-bulk {SNMPv2}
  – set
  – trap
• Polled, Master-Slave, Request-Response

SNMP Format
• <header><verb><value><variable>[<verb><value><variable>]
• ASN.1 subset to describe value format
• MIB-II {Management Information Base} to identify variables
• UDP as a Transport layer
• Now out! SNMPv2

The MIB
• Standard set of data for managing network devices
• Variable names are part of the ISO/CCITT object identifier namespace
• Provides globally unique identifiers
• Variables governed by the Structure of Management Information (SMI) specification

Accessing MIB Data
• SNMP Communities
• SNMP Views
• SNMP Authentication

Abstract Syntax Notation 1 (ASN.1)
• Data Structures
• Abstract Syntax
• Transfer Syntax
• International Standard 8825
• Notation used to encode, transfer and decode data structures across a wide range of applications
• Both connection-oriented and connectionless primitives

Example SNMP PDU using ASN.1
30 29                           SEQUENCE, len=41
02 01 00                        INTEGER, len=1, version=0
04 06 70 75 62 6C 69 63         OCTET STRING, len=6, "public"
A0 1C                           getreq., len=28
02 04 05 AE 56 02               INTEGER, len=4, request ID
02 01 00                        INTEGER, len=1, status
02 01 00                        INTEGER, len=1, error index
30 0E                           SEQ., len=14
30 0C                           SEQ., len=12
06 08 2B 06 01 02 01 01 01 00   objectid, len=8: 1.3.6.1.2.1.1.1.0
05 00                           null, len=0

SNMP vs SNMPv2
• History in brief
• More features (more complex)
• BIG increase in security
  – authentication and integrity
  – access controls
  – security and privacy
• Better access controls in Views
• Trap confirmations
• Knowledge of multiple managers

Enterprise Architecture
• SNMP is designed for simple, manager-to-agent communications
• CMIP is complex and bulky, but complete
• Most enterprise networks can’t be managed directly from a single place

Enterprise Management
[Figure: CMIP Managers in a separate organization above SNMP Managers for the local networks]

Management Tools
• Packet Analyzer
• Media Analyzers (TDR, OTDR, BER Tester)
• RMON devices
• Hosts (?)

Software Tools
• Hosted on PCs
• Hosted on Unix Workstations
• Commercial Packages

Decent Books
• Network Management Standards, 2d ed – Uyless Black
• The Simple Book, 2d ed – Marshall T. Rose
• Communication Networks Management, 2d ed – Kornel Terplan
• Internetworking with TCP/IP, Vol I, 3d ed – Douglas E. Comer
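Returning to the Example SNMP PDU slide above, as an added example that is not part of the original slides: a small BER decoder in Python that parses exactly those bytes into version, community string, PDU type and variable bindings, with a check for what a defender should notice about an SNMPv1 message. The function names, the dict layout and the error handling are my own assumptions, not the API of any SNMP library.

```python
# Constructed sample: the slide's 43 bytes, a GetRequest for sysDescr.0
# (1.3.6.1.2.1.1.1.0) with version 0 (SNMPv1) and community string "public".
SLIDE_MESSAGE = bytes.fromhex(
    "3029 020100 04067075626c6963"                   # SEQUENCE len=41; version; community
    "a01c 020405ae5602 020100 020100"                # GetRequest len=28; request-id; status; index
    "300e 300c 06082b06010201010100 0500")           # varbind list; varbind; OID; NULL
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse", 0xA3: "SetRequest"}

def read_tlv(data, pos):
    """One BER tag-length-value at pos -> (tag, value bytes, position after it)."""
    if pos + 2 > len(data):
        raise ValueError("truncated tag/length header")
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("length runs past the end of the data")
    return tag, data[pos:pos + length], pos + length

def sequence(value):                                 # children of a SEQUENCE or PDU as (tag, value)
    items, pos = [], 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        items.append((tag, child))
    return items

def decode_oid(value):
    arcs, sub = [value[0] // 40, value[0] % 40], 0   # first byte packs the first two arcs
    for b in value[1:]:                              # base-128, high bit set on all but the last byte
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(sub)
            sub = 0
    return ".".join(map(str, arcs))

def decode_value(tag, value):
    if tag == 0x02:                                  # INTEGER is two's complement: FF F0 is -16
        return int.from_bytes(value, "big", signed=True)
    if tag == 0x04:                                  # OCTET STRING, e.g. the community string
        return value.decode("latin-1")
    if tag == 0x06:
        return decode_oid(value)
    if tag == 0x05:                                  # NULL: placeholder value in a GetRequest
        return None
    raise ValueError(f"unsupported tag 0x{tag:02x}")

def parse_snmpv1(data):
    tag, body, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single SNMP message SEQUENCE")
    (vt, version), (ct, community), (pdu_tag, pdu) = sequence(body)
    if pdu_tag not in PDU_TYPES:
        raise ValueError(f"unsupported PDU tag 0x{pdu_tag:02x}")
    (rt, req), (st, status), (it, index), (_, varbinds) = sequence(pdu)
    return {"version": decode_value(vt, version), "community": decode_value(ct, community),
            "pdu": PDU_TYPES[pdu_tag], "request_id": decode_value(rt, req),
            "error_status": decode_value(st, status), "error_index": decode_value(it, index),
            "varbinds": [tuple(decode_value(t, v) for t, v in sequence(vb))
                         for _, vb in sequence(varbinds)]}

def review(msg):
    """Defender's check: SNMPv1 is unauthenticated and its community string, the only
    access credential, crosses the wire in cleartext (cf. the SNMPv2 security slide)."""
    return ["SNMPv1: cleartext community string, no authentication"] if msg["version"] == 0 else []
```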
Defining Network Security
Security is prevention of unwanted information transfer
• What are the components?
  – ...Physical Security
  – ...Operational Security
  – ...Human Factors
  – ...Protocols

Areas for Protection
• Privacy
• Data Integrity
• Authentication/Access Control
• Denial of Service

Regulations and Standards
• Computer Crime Laws
• Encryption
• Government as “Big Brother”

Security Threat, Value and Cost Tradeoffs
• Identify the Threats
• Set a Value on Information
• Add up the Costs (to secure)
Cost < Value * Threat

Threats
• Hackers/Crackers (“Joyriders”)
• Criminals (Thieves)
• Rogue Programs (Viruses, Worms)
• Internal Personnel
• System Failures

Network Threats
• IP Address spoofing attacks
• TCP SYN Flood attacks
• Random port scanning of internal systems
• Snooping of network traffic
• SMTP Buffer overrun attacks

Network Threats (cont.)
• SMTP backdoor command attacks
• Information leakage attacks via finger, echo, ping, and traceroute commands
• Attacks via download of Java and ActiveX scripts
• TCP Session Hijacking
• TCP Sequence Number Prediction Attacks

Threat, Value and Cost Tradeoffs
• Operations Security
• Host Security
• Firewalls
• Cryptography: Encryption/Authentication
• Monitoring/Audit Trails

Host Security
• Security versus Performance & Functionality
• Unix, Windows NT, MVS, etc
• PCs
• “Security Through Obscurity” :-(

Host Security (cont)
• Programs
• Configuration
• Regression Testing

Network Security
• Traffic Control
• Not a replacement for host-based mechanisms
• Firewalls and Monitoring, Encryption
• Choke Points & Performance

Access Control
• Host-based:
  – Passwords, etc.
  – Directory Rights
  – Access Control Lists
  – Superusers :-(
• Network-based:
  – Address Based
  – Filters
  – Encryption
  – Path Selection

Network Security and Privacy
• Protecting data from being read by unauthorized persons.
• Preventing unauthorized persons from inserting and deleting messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.

FIREWALLS
• Protect against attacks
• Access Control
• Authentication
• Logging
• Notifications

Types of Firewalls
• Packet Filters – Network Layer
• Stateful Packet Filters – Network Level
• Circuit-Level Gateways – Session Level
• Application Gateways – Application Level
[Figure: the OSI stack (Application, Presentation, Session, Transport, Network, Data Link, Physical) drawn beside the firewall types]

Packet Level
• Sometimes part of a router
• TAMU “Drawbridge”
[Figure: Campus, Drawbridge, Router, ROTW]

Circuit Level
• Dedicated host
• Socket interfaces
[Figure: Local, FW, ROTW]

Application Level
• Needs a dedicated host
• Special software most everywhere
[Figure: telnet through the Firewall to ROTW]

Firewall Installation Issues
[Figure: INTERNET, Router, and the FTP, DNS, Web and Mail servers behind it]

Firewall Installation Issues
• DNS Problems
• Web Server
• FTP Server
• Mail Server
• Mobile Users
• Performance

Address Transparency
• Need to make some addresses visible to external hosts.
• Firewall lets external hosts connect as if the firewall were not there.
• Firewall still performs authentication

Network Address Translation
[Figure: Gateway/Firewall doing Network Address Translation between the Internet-facing 128.194.103.0 network and the internal 10.0.0.0 network]

Network Address Translation
[Figure: Host A (internal host) and Host B (external host) on either side of the Gateway Host, which runs gw control, an ftp proxy and ftpd; each stack shows ftp, TCP, IP, Data Link, Hardware; datagrams labelled “A GW” and “A B”]

IP Packet Handling
• Disables IP packet forwarding
• Cannot function as an insecure router, e.g. ping packets will not be passed
• Fail safe rather than fail open
• Only access is through proxies

DNS Proxy Security
[Figure: INTERNET and External DNS Server outside; DNSd on the Eagle Gateway (eagle.xyz.com) in front of finance.xyz.com, sales.xyz.com and marketing.xyz.com]

Virtual Private Tunnels
[Figure: “Hello” is encapsulated, authenticated and encrypted, crosses the INTERNET as !@@%*, and is decrypted, authenticated and decapsulated back to “Hello” at the far end]
Creates a “Virtual Private Network”

VPN Secure Tunnels
• Two types of tunnels supported
  – SwIPe and IPsec tunnels
• Encryption
  – DES, triple DES and RC2
• Secret key used for authentication and encryption
• Trusted hosts are allowed to use the tunnel on both ends

Designing DMZ’s
[Figure: INTERNET, DMZ holding the Web, FTP and Mail servers, Company Intranet]

Screening Router Firewall Design Project
[Figure: San Jose site (File Server, Mail Server) and Dallas site joined by a Wide Area Router; Internet Router; Raptor Eagle, Raptor Remote and Hawk Console]

Monitoring
• Many tools exist for capturing network traffic.
• Other tools can analyze captured traffic for “bad” things.
• Few tools are real-time.

Summary
• Security must be comprehensive to be effective.
• Remember threat, value, cost when implementing a system.
• Security is achievable, but never 100%.
• Make your system fault tolerant.

Where Do the 7 Layers “Fit”?
Or, where is the dividing line between hardware & software?
[Figure: Application 7, Presentation 6, Session 5, Transport 4, Network 3, Data/Link 2, Physical 1, with “?” marking the dividing line]

Implementing the Model
[Figure: User Space Software, OS Space Software, Firmware, Hardware]

Some More Definitions
• User Space Software - Code that executes as any program that a normal user could compile and run
• OS Space Software - Code that executes on the host CPU but in a mode or with special access that normal users cannot use
• ‘Firmware’ - Code that executes on a processor (special or general purpose) that is different from the host CPU; may be in PROM or RAM downloaded from another source
• Hardware - Generally special purpose VLSI and analog/linear interface components

Assigning the 7 Layers
• Performance vs. Flexibility