Chapter 14 Implementing and Securing

Document Sample
Chapter 14  Implementing and Securing Powered By Docstoc
					        Chapter 14: Implementing and Securing
                  Network Services
       After reading this chapter and completing the exercises students will be able to:

      Describe NetWare 6 Internet/intranet services, including Net Services and Web Services
      Install and configure Novell Web Services components.
      Describe public key cryptography and use the Novell Certificate Authority service to export public
       and private keys.
      Describe internal and external security policies and strategies, including firewalls, virus protection,
       and defense against denial-of-service attacks.

Teaching Tips
  1.   The projects in this chapter require that the NetWare 6 CD be available in order to install both
       NetWare Enterprise Server and NetWare FTP Server.

NetWare 6 Internet Service Components
  1.   Use Figure 14-1 to provide students with a brief introduction to the various web services provided
       as part of NetWare 6.

  2.   Explain the concept of web services, reminding students that these services run over are
       essentially server-based TCP/IP applications that allow users access via a client-side application
       such as a web browser.

  3.   Discuss the way in which port numbers are used to direct packets to services running on host
       computer. Use Table 14-1 to identify commonly used TCP/IP port numbers.

  4.   Provide students with an overview of the Net services included with NetWare 6, outlining how
       these services communicate in a TCP/IP environment.

  5.   Explain the concept of a well-defined server-side port number, providing examples of commonly
       used port numbers and their associated application-level services. Explain how IP-based clients
       and servers communicate using sockets, outlining how client port numbers are assigned.

Apache Web Server for NetWare
  1.   Provide students with an overview of the Apache web server, explaining how it is used by various
       services in NetWare. Point out that students do not need to be concerned with the actual
       configuration of Apache for the purpose of the CNA exam, since the server is configured as
       required by these applications by default.

    2.   Identify the following NetWare 6 services that rely on the Apache Web Server:
              NetWare Web Manager
              NetWare Web Search Server
              NetWare WebAccess
              iFolder
              iManager

Tomcat Servlet Engine for NetWare
    1.   Provide students with an overview of the Tomcat servlet engine, explaining its role in running
         Java-based web applications. For students who may not be familiar with the concept of a servlet,
         take the time to explain how a servlet is essentially a server-side Java applet, unlike many of the
         client-side Java applets that they may be familiar with. Mention that a servlet’s role is to extend
         the functionality of a web server beyond the capabilities of common scripting techniques like CGI.

Novell Portal Services

    1.   Provide students with a generic overview of the concept of a portal, explaining how a portal
         aggregates different types of information targeted at a particular audience. Provide examples of
         commonly used Internet portals such as Yahoo, outlining the different types of information or
         services that they provide to users.

    2.   Use Figure 14-2 to introduce Novell Portal Services (NPS) as a way to provide users in a NetWare
         environment with access to the information that they require via a web browser in a consolidated
         manner. Give an example of how NPS might be used include the creation of a portal for a certain
         group of users that require access to ERP data, messaging, and calendaring within a single, simple

    3.   Provide students with an overview of how NPS uses Java servlets to communicate with various
         back-end services such as eDirectory for the purpose of authentication.

    4.   If time permits, demonstrate how NPS works by showing students how the content shown to a
         user in Novell Web Manager (https//ip_address:2200) differs if a user logs in with or without an
         account with Supervisor privileges as illustrated in Figure 14-3.

NetWare Web Search Server
    1.   Provide students with an overview of the NetWare Web Search Server, outlining how it provides
         search services to a website. Point out that this tool is essentially an indexing service, similar to
         the Index Server found in Windows 2000.

NetWare Enterprise Web Server
    1.   Provide students with an overview of NetWare Enterprise Web Server, explaining that unlike
         Apache (which is included to support the web-based NetWare tools), Enterprise Web Server’s role
         is to act as a scalable web server for serving pages to the Internet or corporate intranet.

    2.   Briefly explain the differences between Internet, intranet, and extranet web services in terms of the
         audience to which they are aimed and the types of functionality that they might typically supply.

FTP Server
   1.   Provide students with an introduction to the NetWare FTP Server, explaining the basic function
        that an FTP Server serves in the transfer of files across an IP-based internetwork. Provide
        examples of common reasons why a company might implement an FTP server. For example, the
        company may use the FTP server to upload files for their web site, or may make files available for
        download by this method.

NetWare Web Manager
   1.   Provide students with an overview of the NetWare Web Manager, explaining how it is used to
        configure and manage the various web-based services on a NetWare server from a web browser.

Installing and Configuring Web Services
   1.   Provide students with an introduction to the configuration of web services, outlining the concept
        of a content directory that serves as the “root” directory of a web site in a typical web server

   2.   Provide students with a brief overview of other web server products on the market including
        iPlanet, Apache, IIS, and PWS. Provide examples of the relative advantages and disadvantages of
        each platform in term of the additional capabilities they natively support. For example, iPlanet is
        fully LDAP compliant while IIS natively support Active Server Pages (ASP).

   3.   Provide students with examples of common criteria that a company might use when trying to
        decide on a web server platform. Issues to be considered here include security, availability of
        source code, adherence to open standards, interoperability, and protecting existing investments.

Working with NetWare Enterprise Web Server
   1.   Use the procedure on pages 779-780 to provide students with a step-by-step demonstration of the
        process of installing NetWare Enterprise Web Server on the classroom server.

   2.   Have students note that the web server can be configured with a different IP address than the
        primary address assigned to the server. Comment on why this might be necessary and a good idea.

   3.   Use Figure 14-5 along with Table 14-2 to identify the purpose of each of the buttons at the top of
        the screen and the options that can be found in the associated section.

Starting and Stopping Web Services
   1.   Show students how to start the web server using the Web Manager interface, being sure to
        mention that by default the server is stopped. After starting the web server, demonstrate that it is
        working by accessing the server using Internet Explorer.

   2.   If possible, demonstrate the process of shutting down the web server from the server console by
        issuing the NSWEBDN command.

Changing the Path of the Default Web Content
   1.   Provide students with an overview of the default path used as the root directory for web content,
        pointing out that it resides on the SYS volume by default. Show students how to change the path
        to a different location. Consider placing a very simple HTML file in that directory to prove that
        the server is using the new directory.

   2.   Use the procedure on page 783 to demonstrate changing the path of the primary document

Creating a Virtual Document Directory
   1.   Explain the purpose of a virtual document directory, noting that its purpose is to create a
        subdirectory in the site, which can ultimately point to a totally independent non-contiguous path
        on the server. Explain why an administrator might want to use virtual rather than real directories to
        separate content. Be sure to relate this to file system security.

   2.   Provide students with an overview of the different directory browsing options available,
        demonstrating what happens when a directory doesn’t include an index file.

   3.   Use the procedure on page 784 along with Figure 14-7 to describe and demonstrate the steps used
        to create a virtual document directory.

Configuring Document Preferences
   1.   Describe how the Document Preferences screen shown in Figure 14-8 can be used control how
        directory indexes are displayed as well as the default name of the index file name (home page).
        Explain how the Web server can be configured using the Index File radio button to display the
        names of all files in the root of the default document directory if one of the index files specified in
        the Index Filename field is not found.

Setting Up Public and Restricted Access
   1.   Provide students with an overview of restricting access to certain directories. Use Figure 14-9 to
        describe how this is accomplished using Web Manager, walking students through the process step-

Working with NetWare FTP Server
   1.   Having already explaining the basic purpose of an FTP Server, provide students with an overview
        of how connections are made to an FTP server using FTP client software. Outline the basic
        commands uses during a command-line FTP session such as GET and PUT. Be sure to outline the
        difference between binary and ASCII file transfers, and how they are configured.

   2.   Use Table 14-3 to identify basic FTP clients.

   3.   Reinforce the importance of users knowing how to upload and download files from the command
        line, pointing out that in many cases, this will be the fastest way of accessing an FTP site,
        especially on systems without other FTP client software installed.

   4.   Use the procedure on pages 787-788 to walk students through the process of installing the
        NetWare FTP Server step-by-step on the classroom server.

   5.   Provide students with an overview of the default configuration of the NetWare FTP Server,
        pointing out that it uses SYS:Public as its default directory.

   6.   Provide students with an overview of how restrictions can be placed on FTP users via the
        configuration of the ftprest.txt file that resides in the Etc directory on the SYS volume. Outline
        each of the 5 different restrictions that can be configured in this file. Be sure to explain the order in
        which restrictions are applied to users, pointing out that the last restriction applied to a user
        becomes the effective restriction. Demonstrate this functionality after restarting the server.
             DENY
             READONLY
             NOREMOTE
             GUEST
             ALLOW

Accessing FTP Folders and Files
   1.   Explain the purpose of the anonymous user account and the purpose it serves on an FTP server.
        Outline the purpose of requiring users to submit their email address as a password.

   2.   Describe the process of implementing changes to the FTP server by stopping and restarting the
        FTP service.

   3.   Describe the importance of implementing FTP logging to monitor your system and look for
        inconsistencies or possible intruder attacks. Use Figure 14-11 to describe the FTP Log settings.

   4.   Use Figure 14-12 to describe the FTP Security window.

   5.   Briefly review the additional FTP features listed on pages 790 and 791.

Quick Quiz 1
   1.   Which of the following FTP restrictions will allow a user to both read and write to an FTP server?
        a. ALLOW
        b. GUEST
        c. APPLY
        d. READONLY

        Suggested answer: a

   2.   Which web server software is used by utilities like iFolder?
        a. NetWare Enterprise Web Server
        b. IIS
        c. iPlanet
        d. Apache

        Suggested answer: d

   3.   What directory is used as the default content directory after installing the NetWare FTP Server?
        a. SYS:Ftp
        b. SYS:Etc
        c. SYS:Public
        d. SYS:Ftpserver

        Suggested answer: c

   4.   ___________ is used to set FTP server restrictions.
        a. iManager
        b. ConsoleOne
        c. FTPrest.txt file
        d. WebManager

        Suggested answer: c

Working with Certificate Services
   1.   Provide students with a detailed overview of public key cryptography concepts, including how
        certificates are commonly used to secure resources like web servers (SSL). Explain common PKI
        applications including encryption, user verification, and so forth.

   2.   Use Table 14-4 to review how public key cryptography relates to other security systems students
        have studied.

   3.   Explain the concept of public, private, and session keys, outlining their responsibilities in securing
        communication between users and applications. Use the example of an SSL session between a
        web browser and a web server as an example.

   4.   Walk students through a common PKI example that illustrates the functions of both public and
        private keys, such as in the exchange of digitally signed and/or encrypted email messages between

   5.   Provide students with an overview of the concept of a Certificate Authority, outlining some of the
        differences between a public and a private CA. Be sure to mention issues associated with choosing
        one or the other including expense, trustworthiness, and so forth.

   6.   Explain the concept of a certificate hierarchy, outlining how an organization might develop an
        infrastructure consisting of root and subordinate CAs.

   7.   Use Figure 14-13 and Figure 14-14 to walk students through the process of a certificate request,
        outlining how a client submits a request, and how a CA processes the request.

Novell Certificate Server
   1.   Provide students with an overview of the Novell Certificate Server, outlining its responsibilities in
        added cryptographic services to eDirectory. Describe the features and functions of this certificate
        server as outlined on page 453.

   2.   Point out that Novell Certificate Server is installed on the first server in an eDirectory tree as part
        of the installation process. Explain that even though Certificate Server is installed by default, it
        still needs to be properly configured in order for secured communication to be possible. Outline
        the configuration tasks carried out on the server as part of the classroom setup.

Securing Net Services
   1.   Provide students with an overview of the importance of properly securing net services, both from
        internal users and those who many be accessing these services from the Internet. Point out that
        hackers aren’t necessarily outside users only, and that in reality, 70% of security issues originate
        from within an organization.

   2.   Provide students with an overview of network intrusion, outlining how it involves unauthorized
        users gaining access to network resources. Outline different techniques that can be used to stop
        these types of attacks, such as the implementation of secure passwords, proper access rights,
        intrusion detection systems, and so forth.

   3.   Explain the concept of Social Engineering and how users need to be aware of ways in which
        outside individuals may gain information through social contacts.

   4.   Explain the concept of spoofing and how it is a type of impersonation attack that usually involves
        changing the content of packets such that a system thinks it is communicating with another trusted

   5.   Explain the concept of a virus attack, outlining that these can be both malicious and accidental in
        nature. Outline some of the different ways in which a company can protect itself from viruses,
        outside of simple desktop virus software.

   6.   Explain the concept of a denial-of-service attack, and its goal in preventing users from accessing
        network services. Provide examples of common DoS attacks such as the ping of death, as well as
        larger scale attacks such as DDoS attacks that use multiple systems to attack a target.

   7.   Outline the concept of information theft and the possible repercussions to corporations whose
        businesses rely heavily on their intellectual property remaining guarded.

   8.   Use Figure 14-15 to describe the concept of a perimeter network. Point out that this network is
        also known as a DMZ, and is usually where bastion hosts such as publicly accessible servers such
        as DNS servers, mail servers, and web servers are located. Provide students with a list of best
        practices for securing bastion hosts such as using a separate network addressing range, removing
        unnecessary services, and so forth.

   9.   Explain the concept of a firewall and a proxy server. Outline the security elements and general
        operations of each. Describe how a firewall might be configured in an environment like UAS.

Internal Security
   1.   Provide students with an overview of the different ways in which internal systems can be properly
        secured, including both configuration and physical security. Be sure to discuss secure server room
        facilities, server configuration, password policies, the need for regular security audits, and so forth.
        Have students contribute to the conversation by outlining some of the different security measures
        that have been taken at their current or previous work environments.

Common Internal Security Violations
   1.   Provide students with an overview of common internal security violations as outlined in the text.
        Point out that many of these are easily avoided with proper planning, configuration, and regular
             Password security
             Physical server security
             Rogue administrator account

   2.   Use the procedure on page 803 to describe the process of tracing internal security problems.

   3.   Explain the concept of auditing and provide students with a brief overview of the Novell
        Advanced Auditing Service included with NetWare 6.

   4.   Provide students with an overview of how access to the server console should be secured on all
        NetWare servers, and some of the potential issues that may arise if the console is not secured.

Firewall External Security
   1.   Provide students with a detailed overview of the types of capabilities provided by a network
        firewall, outlining how such a system can be used to control and log both incoming and outgoing
        traffic. Explain the concept of a trusted network versus an untrusted network (such as the Internet).
        Point out that firewall hardware and software often include additional gateway features such as
        NAT and VPN capabilities.

   2.   Explain the concept of packet filtering to students, providing examples of common packet filters
        that a company might put in place in order to protect their internal network from an untrusted
        network like the Internet. Explain how packet filters can be configured to permit or deny certain
        types of traffic based on criteria such as IP address or port number.

   3.   Provide students with an overview of what a VPN is and the functionality that it provides in
        creating secure connections across untrusted networks. Describe the different types of VPN
        tunnels that can be created such as a connection between an external client and a VPN server on a
        DMZ, or a permanent VPN connection between routers or servers in different locations. Explain
        why a company might choose a location-to-location VPN as opposed to a dedicated private WAN

   4.   Provide students with an overview of Network Address Translation, outlining how it allows
        computers using private internal IP address ranges to communicate with publicly addressed hosts
        on the Internet.

   5.   Explain the purpose of a protocol translation gateway such as one that translates IPX to IP and
        vice versa. Point out that back in the mid 1990’s, many companies connecting to the Internet used
        such devices to allow their IPX-addressed hosts to access the IP-based Internet.

   6.   Provide students with a brief overview of circuit-level gateways, outlining the extended packet
        filtering capabilities that they provide.

   7.   Explain the purpose of a proxy server, outlining the fact that these servers typically provide both
        content caching and firewall-like packet-filtering services.

Protection Against Virus Attacks
   1.   Provide students with an overview of the different types of viruses that a company may come up
        against. Use the information provided on page 462 in the text to outline each of the different virus
        types in order to help students recognize some of the common virus threat they might encounter.

Virus Prevention Techniques
   2.   Provide students with an overview of different virus prevention techniques. Outline some of the
        common ways that a company can help to prevent virus outbreaks, such as ensuring that all
        systems are configured with virus prevention software, and that definition files are regularly
        updated. Provide examples of some of the more popular desktop and server antivirus engines.

   3.   Provide students with examples of some of the less common ways in which viruses can be
        avoided, such as the use of virus scanning gateway software at the perimeter of networks.

   4.   Explain the importance of user education in developing a sound virus prevention strategy.

Virus Removal Planning
   1.   Walk students through the eight steps outlined in the text related to effective virus removal.
        Remind students that while not all new viruses can be defended against immediately, a sound
        strategy for dealing with new viruses is an important consideration in limiting their impact.

Defense Against Denial-of-Service Attacks
   1.   Provide students with an overview of the most common types of DoS attacks, as outlined in Table
        14-5. Point out that the best strategy in defending against these types of attacks is usually a
        combination of correct firewall configuration and the use of packet filters or access lists on border

   2.   Briefly outline some of the capabilities that exist within Novell’s Border Manager firewall to help
        prevent DoS attacks.

Quick Quiz 2
   1.   Which of the following is a type of impersonation hacking threat?
        a. Spoofing
        b. DoS
        c. Virus attack

        Suggested answer: a

   2.   What is the name of the NLM file that loads certificate services?
        a. CA.NLM
        b. CS.NLM
        c. PKI.NLM
        d. PKICS.NLM

        Suggested answer: c

   3.   Which of the following are common DoS attacks?
        a. Ping of death
        b. Snoopy
        c. Smurf
        d. Teardrop attack

        Suggested answer: a, c, and d

   4.   The “ping of death” is an example of a __________________.
        a. Virus
        b. Denial of service attack
        c. Land attack
        d. Smurf attack

        Suggested answer: b

Class Discussion Topics
  1.   Have students discuss their experiences with different web server products. What platform do they
       prefer to work with and why? What functions or features do they consider to be of primary
       importance when choosing a web server? How much impact does the operating system on which
       the web server runs have on their decision making process?

  2.   Have students discuss some of the ways in which a company can secure network resources from
       internal users. What policies or procedure have been in place in environments that they’ve worked
       in? In cases where a user was accused of breaching security policies, how was this person dealt
       with? Do students think that companies place more emphasis on internal or external security?

Additional Projects
  1.   Have students research online to find out more information about bv-Control and its capabilities in
       a NetWare eDirectory environment. Have students compile a list of its main features and outline
       how these are useful when attempting to properly secure an eDirectory implementation.

  2.   Have students create a list of common firewall products and techniques used on corporate
       networks. For example, have them outline the relative advantages and disadvantages of hardware
       versus software-based firewalls. Have them also research and explain the main features of some of
       the different design principles involved with firewall design, such as the three-pronged firewall.

Additional Resources
  1.   Apache Server:

  2.   Java Servlets:

  3.   Novell Portal Services:

  4.   Introduction to PKI:

  5.   CERT Advisory Center:

  6.   Firewalls FAQ:

  7.   Denial-of-service Attacks:

Technical Notes for the Hands-On Projects
   The lab setup for the Chapter 14 hands-on projects includes the following elements (see the table):

HANDS-ON            TIME         SERVER                   WORKSTATION              OTHER
PROJECT                          CONFIGURATION            CONFIGURATION            RESOURCES
                                 REQUIREMENTS             REQUIREMENTS             REQUIRED
Project 14-1:       Written                                                        Describe the format you
Identifying Net     project                                                        want students to use when
and Web Services                                                                   submitting their results.
Project 14-2:       Written                               Internet Explorer        Describe the format you
Researching         project                               with access to the       want students to use when
Hacking Sites                                             Internet                 submitting their memo.


Shared By:
Jun Wang Jun Wang Dr
About Some of Those documents come from internet for research purpose,if you have the copyrights of one of them,tell me by mail you!