Title: Hands-On Novell Open Enterprise Server for NetWare and Linux
Hands-On Novell Open Enterprise Server for NetWare and Linux
- Chapter 11
- Implementing and Securing Internet Services
Objectives
- After reading this chapter and completing the activities, you will be able to
  - Describe Novell's Web Services and Net Services
  - Install and configure Web Services components
  - Describe technologies for securing Web services, including firewalls and virus protection
  - Explain encryption security techniques, Novell Certificate Services, and OpenSSH
  - Describe Novell's backup services
Introduction to Novell Internet Services
- Novell Internet and intranet services
  - Simplify setting up business networks
- NetWare 6.5 Internet service components
  - Web Services
    - TCP/IP-based applications
    - Make network data and services available to users
  - Net Services
    - Extend the capabilities of standard Web services
    - Include services such as iFolder, NetStorage, iPrint, iManager, and Remote Manager
Introduction to Novell Internet Services (continued)
Apache Web Server for NetWare
- Apache Web Server
  - Open-source Web server software
- Apache Web Server is used in two ways on Open Enterprise Server
  - To support Novell Net Services
  - As a dedicated Web server
    - For hosting an organization's Web site or corporate intranet
Tomcat Servlet Engine for NetWare
- Used to run Java-based Web applications
- Used by several Net Services components, including
  - Novell Portal Services (NPS)
  - NetWare Web Search Server
- Network administrators
  - Rarely need to configure or manage the Tomcat Servlet Engine
- Web-based application programmers
  - Often work with Tomcat
Novell Portal Services (NPS)
- Portal strategy
  - For delivering the right information to the people who are authorized to use it
- NPS consists of a number of Java servlets
  - That run on Apache Web Server
- Tomcat Servlet Engine runs Java servlets
  - It must support the Sun Microsystems Java 2.2 Servlet specification
- NetWare 6.5 creates eDirectory objects
  - To support NPS's additional capabilities
Novell Portal Services (NPS) (continued)
Novell QuickFinder Server (formerly NetWare Web Search Server)
- Makes data on your network or the Internet searchable in minutes
- Bridges all types of networks
  - To deliver requested information in a minimum amount of time
- Installed by default during the NetWare 6.5 installation
- A browser-based utility
NetWare Web Manager
- Portal service
  - Used to access the utilities for configuring, accessing, and managing other Web-based management tools
  - Based on the user's access rights
- NetWare Web Manager is a Java-based browser utility
  - You can use it to access Web Services from any location on the Internet
Installing and Configuring Web Services
- Web services classification
  - Web servers
  - File transfer servers
- Web servers
  - Operate in a client-server relationship
  - NetWare server processes requests
  - Web browser acts as a client
- File transfer services
  - Allow users to download/upload files efficiently and securely
Working with Apache Web Server
- Installing Apache Web Server
  - Admin instance is installed automatically during NetWare 6.5 installation
  - Use iManager to install the System instance of Apache Web Server
- Configuring Apache Web Server
  - Use directives stored in Httpd.conf
  - Requires knowledge of directives
- Apache Manager
  - GUI interface for editing the Httpd.conf file
Working with Apache Web Server (installed components screen)
Configuring Apache Web Server
- Httpd.conf, a simple text file, contains all the information to configure Apache Web Server
- Apache Manager: a GUI for editing httpd.conf
- Stop and restart Apache Web Server
  - To install updates or change features
- Changing administration mode
  - From File to eDirectory
  - Simplifies management
    - By storing configuration directives as an eDirectory object
    - Which can be accessed by all Apache Web servers
Working with Apache Web Server (Httpd.conf file)
Working with Apache Web Server (iManager - Open Source)
Working with Apache Web Server (continued)
- Change the path of default Web content
  - To prevent the SYS volume from filling up
- Creating additional document sites
  - Giving each department a separate content directory
  - Can simplify management
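The following is an added example, not code from the textbook or from Novell: a small Python parser for the directive lines of an httpd.conf file that lists every DocumentRoot and flags any that still points at the SYS: volume, the situation the slide above says to avoid. The configuration text, host names and paths in it are constructed for this example.

```python
"""Added example (not from the textbook): parse httpd.conf directive lines
and flag DocumentRoot values that still live on the NetWare SYS: volume.
The configuration text below is constructed; its host names and paths are
assumed, not taken from a real OES server."""
import re

# Constructed sample: the default site is still on SYS:, while one
# departmental site has been moved to a separate content directory.
SAMPLE_HTTPD_CONF = """\
# Main (default) site -- content still on the SYS volume
Listen 80
ServerName oes1.example.local          # assumed host name
DocumentRoot "SYS:/APACHE2/htdocs"

# Departmental site moved to a separate content directory
<VirtualHost *:80>
    ServerName sales.example.local
    DocumentRoot "DATA:/WEB/sales"
</VirtualHost>
"""

# directive, optional quotes around the value, optional trailing '# comment'
DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s+"?([^"#]*?)"?\s*(?:#.*)?$')

def parse_directives(conf_text):
    """Return a list of (directive, value) pairs in file order.

    Blank lines, comment lines and section tags such as <VirtualHost> /
    </VirtualHost> are skipped; only plain directive lines are kept, with
    any inline '# ...' comment stripped from the value.
    """
    directives = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("<"):
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            directives.append((match.group(1), match.group(2).strip()))
    return directives

def document_roots_on_sys(conf_text):
    """Return the DocumentRoot values that point at the SYS: volume.

    NetWare volume names are case-insensitive, so 'sys:' and 'SYS:' both
    count.  A non-empty result means Web content can still fill up SYS.
    """
    roots = [v for d, v in parse_directives(conf_text) if d.lower() == "documentroot"]
    return [r for r in roots if r.upper().startswith("SYS:")]

if __name__ == "__main__":
    for directive, value in parse_directives(SAMPLE_HTTPD_CONF):
        print(f"{directive:15} {value}")
    flagged = document_roots_on_sys(SAMPLE_HTTPD_CONF)
    print("DocumentRoot on SYS volume:", flagged or "none")
```

Run against the constructed file, the check reports `SYS:/APACHE2/htdocs` as the one document root that should be moved; the departmental site on the DATA: volume passes.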
Working with FTP Server
- FTP Server
  - Enables users to transfer files to and from NetWare volumes
  - FTP services require server and client components
- Disadvantage
  - FTP does not encrypt data packets
- Setting up FTP Server requires
  - Installing the software on the NetWare 6.5 server
  - And then configuring it
Working with FTP Server (continued)
- Installing FTP Server
  - Copy files from Products CD 2
  - Use iManager to set the IP address and start the FTP service
- Configuring FTP Server
  - Use the FTP option under the File Protocols heading in iManager
  - Use the User tab to
    - Enable the FTP service for Web publishing
    - Set the default home server and directory
    - Enable anonymous users
Securing Web Services
- Most common attacks on information systems
  - Intrusion
  - Spoofing
  - Virus attacks
  - Denial-of-service attacks
  - Information theft
- Demilitarized zone (DMZ)
  - Where packets from outside first enter the network
  - Area most vulnerable to attacks
  - Where the Internet router and firewall are located
Securing Web Services
- Intrusion
  - Unauthorized person gaining access through illegal use of another user's account
- Spoofing
  - Masquerading as an authorized user or entity
  - Sending packets that have been modified
- Virus attacks
  - Programs embedded in software or e-mail attachments
Securing Web Services
- Denial-of-service attacks
  - Prevent users from accessing the network
  - Caused by a bombardment of packets
- Information theft
  - Illegally intercepting and reading transmitted information
  - Wiretaps and sniffer software
Securing Web Services (continued)
Firewall Security
- Firewalls
  - Software that runs on a server or specialized hardware
  - Can be configured to protect against external threats
- Trusted network
  - Consists of your organization's private network
  - Along with the firewall server and the networks it covers
- Virtual private network (VPN)
  - Trusted network that sends packets over an untrusted network
Firewall Security (continued)
- Untrusted network
  - External network
  - With administration and security policies that are either unknown or out of your control
- Unknown network
  - Neither trusted nor untrusted
  - By default, is treated the same as an untrusted network
Firewall Security (continued)
- Use firewalls to enable the following measures
  - Packet filtering: examines IP addresses
  - Virtual private networks (VPN): secure channel
  - Network Address Translation (NAT): hides clients
  - IPX/IP gateways: same as NAT
  - Circuit-level gateways: inspect packets
  - Proxy services: monitor the network
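As an added example (not from the textbook or any firewall product), the packet-filtering measure and the trusted/untrusted/unknown classes from the slides above, in Python: each packet's source is classified, unknown is treated as untrusted by default as the slides state, and a first-match rule list with a default deny decides the action. The address ranges, host addresses, ports and rules are assumed for the demonstration.

```python
"""Added example (not from the textbook): a minimal packet filter that
applies the trust classes from the slides and a small first-match rule
list to constructed packet records.  Networks, addresses and ports are
assumed for the demonstration only."""
import ipaddress
from dataclasses import dataclass

# Assumed address plan: the trusted network is the private LAN plus the
# firewall/DMZ segment; known untrusted prefixes are listed explicitly.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),         # LAN
                    ipaddress.ip_network("192.168.100.0/24")]   # DMZ
UNTRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # documentation prefix

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int

def classify(address):
    """Return 'trusted', 'untrusted' or 'unknown' for an IP address.

    An unknown network is one listed neither as trusted nor as untrusted;
    decide() treats it exactly like an untrusted one, as the slides say.
    """
    ip = ipaddress.ip_address(address)
    if any(ip in net for net in TRUSTED_NETWORKS):
        return "trusted"
    if any(ip in net for net in UNTRUSTED_NETWORKS):
        return "untrusted"
    return "unknown"

# Rules are evaluated top to bottom; the first match wins; default is deny.
# (source class, protocol, destination host, destination port, action)
RULES = [
    ("trusted", "any", "any",            None, "allow"),   # LAN may talk outward
    ("any",     "tcp", "192.168.100.10", 80,   "allow"),   # public Web server in the DMZ
    ("any",     "tcp", "192.168.100.10", 443,  "allow"),
    ("any",     "tcp", "192.168.100.10", 21,   "deny"),    # no cleartext FTP from outside
]

def decide(packet):
    """Return (action, index of the matching rule or None for the default)."""
    src_class = classify(packet.src)
    if src_class == "unknown":
        src_class = "untrusted"          # default: unknown is handled as untrusted
    for index, (cls, proto, host, port, action) in enumerate(RULES):
        if cls not in ("any", src_class):
            continue
        if proto not in ("any", packet.proto):
            continue
        if host not in ("any", packet.dst):
            continue
        if port is not None and port != packet.dport:
            continue
        return action, index
    return "deny", None

if __name__ == "__main__":
    samples = [
        Packet("10.1.2.3", "198.51.100.7", "tcp", 443),       # LAN outbound
        Packet("203.0.113.9", "192.168.100.10", "tcp", 80),   # untrusted -> DMZ Web server
        Packet("198.51.100.7", "192.168.100.10", "tcp", 21),  # unknown -> FTP, denied
        Packet("198.51.100.7", "10.1.2.3", "tcp", 445),       # unknown -> LAN, no rule, denied
    ]
    for p in samples:
        print(p, "->", decide(p))
```

The default-deny at the end of `decide` is what makes the unknown-to-LAN packet fall through; a filter that defaulted to allow would silently pass anything the rule list forgot.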
Protection Against Virus Attacks
- Virus signature
  - Bit pattern created when a virus is embedded in a program
  - Or an e-mail attachment
- Virus classification
  - Boot sector virus: attacks the boot record
  - File virus (Trojan): attaches to code in the program
  - Macro virus: attacks programs that run macros
  - Stealth virus: masks itself so it cannot be detected
  - Polymorphic virus (stealth): creates mutations
  - Worms: independent programs that spread
Protection Against Virus Attacks (continued)
- Virus prevention techniques involve
  - Installing a virus protection system
  - Making regular backups
  - Training users on how to reduce the risk of virus attacks
- Virus protection systems
  - Scan programs on servers and user computers
  - Monitor program files as they are loaded to detect known virus signatures
  - Create virus removal planning
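An added example, not code from the textbook or from any vendor product: the signature-scanning step described above in Python, checking files against a table of known byte patterns and reading in chunks with an overlap so a pattern split across two reads is still caught. The signature patterns and the files it scans are constructed for the example and are not real virus signatures.

```python
"""Added example (not from the textbook): a signature scanner that checks
files against a table of known byte patterns.  The signatures and the
sample files are constructed for the example; they are not real malware
patterns."""
import os
import tempfile

# Constructed signature table: name -> byte pattern.  A real scanner's
# table is far larger and is updated by the vendor; these are made up.
SIGNATURES = {
    "EXAMPLE-BOOT-A":  b"\x55\xaa\x90\x90EXAMPLE-SIG-1",
    "EXAMPLE-MACRO-B": b"Sub AutoOpen()EXAMPLE-SIG-2",
}

def scan_bytes(data):
    """Return the names of all signatures whose pattern occurs in data."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)

def scan_file(path, chunk_size=65536):
    """Scan a file chunk by chunk, carrying the last (longest pattern - 1)
    bytes forward so a pattern straddling two chunks is still found.
    Returns the sorted list of matching signature names."""
    overlap = max(len(p) for p in SIGNATURES.values()) - 1
    found = set()
    with open(path, "rb") as fh:
        tail = b""
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            found.update(scan_bytes(tail + chunk))
            tail = (tail + chunk)[-overlap:]
    return sorted(found)

def scan_tree(root):
    """Walk a directory tree; return {relative path: [signature names]} for
    every file that matched at least one signature."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                results[os.path.relpath(full, root)] = hits
    return results

def build_sample_tree():
    """Create a temporary tree with one clean file and two files carrying a
    constructed signature; return its path."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    os.makedirs(os.path.join(root, "apps"))
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"Nothing to see here.\n" * 100)
    with open(os.path.join(root, "apps", "tool.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 300 + SIGNATURES["EXAMPLE-BOOT-A"] + b"\x00" * 50)
    with open(os.path.join(root, "apps", "budget.doc"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0" + b"x" * 1000 + SIGNATURES["EXAMPLE-MACRO-B"])
    return root

if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(f"{path}: {', '.join(hits)}")
```

The overlap in `scan_file` is the part that is easy to get wrong: without it, a pattern that happens to fall on a read boundary is missed, which is one of the simplest ways a plain signature scanner fails to detect a file it has a signature for.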
Defense Against Denial-of-Service Attacks
- Denial-of-service attacks
  - Do not usually damage or steal a company's data directly
  - Can result in high costs
  - Usually caused by flooding a server with packets
  - Or by sending oversized packets to a service, causing it to crash
- Best defense against these attacks
  - Correctly configured firewall
Defense Against Denial-of-Service Attacks (continued)
Working with Encryption Security
- Encryption
  - Process of converting plaintext into a secret message
    - Called ciphertext
  - Which can be read only after it's decrypted
    - By reversing the encryption process
- Cipher
  - Algorithm used to encrypt and decrypt a message
- Cryptography
  - Science of encrypting data
  - Uses algorithms with a special value called a key
Working with Encryption Security (continued)
Cryptography Techniques
- Major types of cryptography techniques
  - Symmetric
    - Same key is used to encrypt and decrypt a message
    - Advantages: simple and efficient
    - Disadvantage: secure key exchange
  - Asymmetric
    - Also called public key cryptography
    - Uses a set of two keys: a public key and a private key
    - Private key is kept solely by the pair's owner
      - Used to create and decrypt data
    - Public key is made available to all network users
      - Used to decrypt data
Cryptography Techniques (continued)
Cryptography Techniques (continued)
- Digital signatures
  - Authenticate an electronic document
    - As being from a specific user or organization
  - Employ public key cryptography
- Digital certificates
  - Provide reliable public keys
  - At minimum, contain
    - Entity's public key
    - Subject name
    - CA-generated digital signature
  - Use the X.509v3 format
Cryptography Techniques (continued)
Cryptography Techniques (continued)
Using Novell's Certificate Services
- Novell Certificate Server
  - Integrates public key cryptography services into eDirectory
  - Enables administrators to create, issue, and manage user and server certificates
- Novell International Cryptography Infrastructure (NICI)
  - Used to support all cryptography and signature functions
  - Must be installed on both the Novell server and the client
Using Novell's Certificate Services (continued)
- Common administrative tasks
  - Creating server certificates
    - One for the DNS service and one for other IP services
    - Used to create secure SSL connections with client computers
  - Creating trusted root certificates
    - Provide the certificates from other organizations that your server will trust automatically
    - Use iManager to add trusted root certificates to your eDirectory tree
  - Creating user certificates
Encryption Protocols
- Secure data and password transmission
- Symmetric processing
  - A type of encryption where the same key is used to encrypt and decrypt the message
- Asymmetric processing
  - Or public key, which uses one key to encrypt a message and another to decrypt the message
Encryption Protocols
- IP Security Protocol (IPSec)
  - Developed by the Internet Engineering Task Force (IETF)
  - Secures the network layer by using Encapsulating Security Payload (ESP)
    - To perform encryption and decryption at the IP packet level
- Secure Sockets Layer and Transport Layer Security
  - Protocols for securing message transmission across the Internet
  - Use a hybrid of symmetric and asymmetric encryption to encrypt data packets
Encryption Protocols (continued)
- Secure Hypertext Transfer Protocol (HTTPS)
  - Secure communication protocol
  - Designed to transfer encrypted information between computers over the Web
  - HTTPS is essentially an enhancement of HTTP
  - Uses SSL/TLS for secure data transmission
- Message digest security
  - Ensures data has not been tampered with
  - Or changed since it left the sender
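An added example that is neither the textbook's nor Novell's NICI code, serving the symmetric/asymmetric slide, the digital signature slide and the message digest slide above: a toy textbook RSA key pair in Python shows the two keys' roles (the public key encrypts and verifies, the private key decrypts and signs), a signature computed over a SHA-256 message digest, and how any change to the signed data makes verification fail. The primes, keys and messages are constructed; the key size is far too small for real use and no padding is applied, which a production library such as the one behind NICI handles for you.

```python
"""Added example (not from the textbook, not NICI): toy textbook RSA with
tiny primes to illustrate public/private key roles, a digest-based digital
signature, and tamper detection.  All values are constructed and the key
size is insecure by design; nothing here is suitable for real use."""
import hashlib

# --- toy key generation (constructed, deliberately small) -----------------
P, Q = 1000003, 1000033          # two small primes, assumed for the demo
E = 65537                        # common public exponent

def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public and private halves of a pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)

def apply_key(value, key):
    """One RSA operation, value^exp mod n; the same primitive serves both keys."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("block does not fit the modulus")
    return pow(value, exp, n)

# --- confidentiality: anyone encrypts with the public key, only the
# --- private key holder can decrypt ---------------------------------------
def encrypt_int(message_int, public_key):
    return apply_key(message_int, public_key)

def decrypt_int(cipher_int, private_key):
    return apply_key(cipher_int, private_key)

# --- message digest and digital signature ---------------------------------
def digest_int(data, modulus):
    """SHA-256 digest of data as an integer, reduced so it fits the toy
    modulus.  (With a real key size the whole digest fits; no reduction.)"""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def sign(data, private_key):
    """Signer hashes the document and applies the private key to the digest."""
    return apply_key(digest_int(data, private_key[0]), private_key)

def verify(data, signature, public_key):
    """Verifier applies the public key to the signature and compares it with
    a fresh digest of the document; any change to the data breaks equality."""
    return apply_key(signature, public_key) == digest_int(data, public_key[0])

if __name__ == "__main__":
    public_key, private_key = make_keypair()
    secret = 123456789                       # assumed "session key" value
    cipher = encrypt_int(secret, public_key)
    print("decrypts back to the secret:", decrypt_int(cipher, private_key) == secret)
    doc = b"Transfer 100 units to account 42"   # constructed document
    sig = sign(doc, private_key)
    print("valid signature:", verify(doc, sig, public_key))
    print("after tampering:", verify(b"Transfer 900 units to account 42", sig, public_key))
```

The same `apply_key` primitive is used in both directions; what differs is which half of the pair is applied and who holds it. A digital certificate, as the slides describe it, is what lets a verifier trust that `public_key` really belongs to the claimed signer, since the verification above only proves that the matching private key was used.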
Encryption Protocols (continued)
Working with the Secure Shell Protocol OpenSSH
- OpenSSH
  - Offers the same functions as Telnet, Rlogin, and FTP
  - Includes encryption to protect data and passwords
- Users of telnet, rlogin, and ftp may not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other attacks. Additionally, OpenSSH provides secure tunneling capabilities and several authentication methods, and supports all SSH protocol versions.
Working with the Secure Shell Protocol OpenSSH
- OpenSSH utilities
  - SSH, which replaces Rlogin and Telnet
  - SCP, which replaces RCP
  - S/FTP, which replaces FTP
  - OpenSSH Manager
Working with the Secure Shell Protocol OpenSSH (continued)
- Using the OpenSSH Service
  - You can use one of several client programs
    - To access the NetWare 6.5 server console securely
  - One popular choice is the PuTTY utility
Backing Up Network Data
- An organization's data plays a critical role
- Use the Storage Management System
  - To implement a disaster recovery plan that includes
    - Backing up and restoring data
The Storage Management System
- Storage Management System (SMS)
  - Backs up complex networks
    - Consisting of data stored on multiple file servers and DOS and OS/2 workstations
- Host server
  - NetWare server that runs the backup program
  - Has the attached backup medium
- Target servers
  - Other servers and client computers being backed up
The Storage Management System (continued)
The Storage Management System (continued)
- SMS software components
  - Storage device drivers
  - The enhanced SBCON utility
  - Target Server Agents (TSAs)
  - Workstation TSAs
Establishing a Backup System
- Involves six steps
  - Determine your network's storage needs
  - Determine a backup strategy
  - Assign a backup user
  - Run the backup software on a scheduled basis
  - Test the backup
  - Develop a disaster recovery procedure
Establishing a Backup System (continued)
- Determine your network's storage needs
  - Calculate how much data needs to be copied to the backup tape
    - On a daily basis
- Determine a backup strategy
  - Full
  - Incremental
  - Differential
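An added example (not the textbook's and not SBCON): a Python simulation of a week of backups under each of the three strategies listed above, using the archive-bit convention that file-system backups follow. A full backup copies every file and clears each file's archive bit; an incremental backup copies only files whose bit is set and clears it; a differential backup copies the same files but leaves the bit set, so each differential grows until the next full backup. It goes one step past the slide by also reporting which backup sets a restore would need. File names and the week's change pattern are constructed.

```python
"""Added example (not from the textbook, not SBCON): simulate full,
incremental and differential backups over one constructed week using the
archive-bit convention, and report which sets a restore would need."""
from dataclasses import dataclass, field

@dataclass
class FileEntry:
    name: str
    size_kb: int
    archive: bool = True        # the file system sets this on create/modify

@dataclass
class Volume:
    files: dict = field(default_factory=dict)

    def write(self, name, size_kb):
        """Create or modify a file; the archive bit is set as a result."""
        self.files[name] = FileEntry(name, size_kb, archive=True)

def run_backup(volume, strategy):
    """Copy files to 'tape' according to the strategy and return the sorted
    names copied.  Full and incremental clear the archive bit on what they
    copy; differential leaves it set."""
    if strategy == "full":
        selected = list(volume.files.values())
    elif strategy in ("incremental", "differential"):
        selected = [f for f in volume.files.values() if f.archive]
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    if strategy != "differential":
        for f in selected:
            f.archive = False
    return sorted(f.name for f in selected)

# Constructed change pattern for one week: day -> files written that day.
WEEK_CHANGES = {
    "Mon": [("memo.txt", 12)],
    "Tue": [("payroll.dat", 410)],
    "Wed": [],
    "Thu": [("catalog.db", 950), ("memo.txt", 13)],
    "Fri": [("newfile.txt", 5)],
    "Sat": [],
}

def simulate_week(strategy):
    """Sunday full backup followed by six daily jobs of the given strategy.
    Returns a list of (day, files_copied) in order."""
    vol = Volume()
    for name, size in [("payroll.dat", 400), ("catalog.db", 900), ("memo.txt", 10)]:
        vol.write(name, size)
    log = [("Sun", run_backup(vol, "full"))]
    for day, edits in WEEK_CHANGES.items():
        for name, size in edits:
            vol.write(name, size)
        log.append((day, run_backup(vol, strategy)))
    return log

def sets_needed_for_restore(log, strategy):
    """Backup sets that must be read to rebuild the volume after the last job."""
    days = [day for day, _ in log]
    if strategy == "full":
        return [days[-1]]                 # the most recent full is enough
    if strategy == "incremental":
        return days                       # Sunday full plus every daily job
    return [days[0], days[-1]]            # Sunday full plus the latest differential

if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        log = simulate_week(strategy)
        print(f"{strategy}:")
        for day, copied in log:
            print(f"  {day}: {copied}")
        print("  restore needs:", sets_needed_for_restore(log, strategy))
```

The trade-off the simulation makes visible is the usual one: incremental jobs are the smallest but a restore must replay every set since the last full, while differential jobs grow through the week but a restore needs only two sets.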
Establishing a Backup System (continued)
Establishing a Backup System (continued)
- Assign a backup user
  - Has the advantage of allowing you to assign other people to perform the backup
  - Limits the number of times you need to log in to the network as Admin
- Run the backup software on a scheduled basis
  - Use SBCON to back up files
- Test the backup
  - Try restoring selected files from the backup media
- Develop a disaster recovery procedure
Establishing a Backup System (continued)
Summary
- Novell provides Internet services
- Web services include
  - Apache Web Server
  - FTP Server
- Internet security involves
  - Protecting Web and Net services from threats
    - Information theft
    - Intrusion
    - Computer viruses
- An Internet security plan should include a firewall
Summary (continued)
- Public key cryptography
  - Encrypts data transmission
  - Provides authentication with digital signatures
  - Used to create digital signatures
- Certification Authorities (CAs)
  - Issue public key certificates
    - For verifying that the public key belongs to the entity distributing it