• Network services. Classification of network services. Local copy of the list

    And server port, resulting in a connection being established that allows two computers to interact using the appropriate application layer network protocol.

    Port numbers

    The port number to which a service is "bound" is selected according to its functional purpose. IANA is responsible for assigning port numbers to specific network services. Port numbers range from 0 to 65535 and fall into three categories:

    Port numbers    Category                        Description
    0 - 1023        Well-known ports                Assigned by IANA; on most systems they can be used only
                                                    by system (root) processes or by applications run by
                                                    privileged users. Should not be used without IANA
                                                    registration; the registration procedure is defined in
                                                    section 19.9 of RFC 4340.
    1024 - 49151    Registered ports                Listed in the IANA catalog; on most systems they can be
                                                    used by ordinary user processes or programs run by
                                                    regular users. Should not be used without IANA
                                                    registration; the registration procedure is defined in
                                                    section 19.9 of RFC 4340.
    49152 - 65535   Dynamic and/or private ports    Intended for temporary use: as client ports, for private
                                                    services agreed between the parties, and for testing
                                                    applications before a dedicated port is registered.
                                                    These ports cannot be registered.

    List of mappings between network services and port numbers

    The official list of mappings between network services and port numbers is maintained by IANA.

    History of regulating the mapping

    The question of unifying the mapping of network services to socket (port) numbers was raised in RFCs 322 and 349; the first attempts at regulation were made by Jon Postel in RFCs 433 and 503.

    Current list

    The current list of network services active on a host can be obtained with the command:

    netstat -an

    On Windows operating systems, the result of this command looks something like this:

    Active connections

      Name   Local address          External address       State
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
      TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING
      TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING
      TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING
      TCP    127.0.0.1:12119        0.0.0.0:0              LISTENING
      TCP    127.0.0.1:12143        0.0.0.0:0              LISTENING
      TCP    192.168.0.16:139       0.0.0.0:0              LISTENING
      TCP    192.168.0.16:1572      213.180.204.20:80      CLOSE_WAIT
      TCP    192.168.0.16:1573      213.180.204.35:80      ESTABLISHED
      UDP    0.0.0.0:445            *:*
      UDP    0.0.0.0:500            *:*
      UDP    0.0.0.0:1025           *:*
      UDP    0.0.0.0:1056           *:*
      UDP    0.0.0.0:1057           *:*
      UDP    0.0.0.0:1066           *:*
      UDP    0.0.0.0:4500           *:*
      UDP    127.0.0.1:123          *:*
      UDP    127.0.0.1:1900         *:*
      UDP    192.168.0.16:123       *:*
      UDP    192.168.0.16:137       *:*
      UDP    192.168.0.16:138       *:*
      UDP    192.168.0.16:1900      *:*

    On UNIX-like operating systems, the output of netstat -an looks something like this:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:199             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:2601            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:2604            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:2605            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:13              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:1723            0.0.0.0:*               LISTEN
    tcp        0      0 10.0.0.254:1723         10.0.0.243:2441         ESTABLISHED
    tcp        0      0 192.168.19.34:179       192.168.19.33:33793     ESTABLISHED
    tcp        1      0 192.168.18.250:37       192.168.18.243:3723     CLOSE_WAIT
    tcp        0      0 10.0.0.254:1723         10.0.0.218:1066         ESTABLISHED
    tcp        1      0 192.168.18.250:37       192.168.18.243:2371     CLOSE_WAIT
    tcp        0      0 10.0.0.254:1723         10.0.0.201:4346         ESTABLISHED
    tcp        0      0 10.0.0.254:1723         10.0.0.30:2965          ESTABLISHED
    tcp        0     48 192.168.19.34:22        192.168.18.18:43645     ESTABLISHED
    tcp        0      0 10.0.0.254:38562        10.0.0.243:22           ESTABLISHED
    tcp        0      0 10.50.1.254:1723        10.50.1.2:57355         ESTABLISHED
    tcp        0      0 10.50.0.254:1723        10.50.0.174:1090        ESTABLISHED
    tcp        0      0 192.168.10.254:1723     192.168.13.104:65535    ESTABLISHED
    tcp        0      0 10.0.0.254:1723         10.0.0.144:65535        ESTABLISHED
    tcp        0      0 10.0.0.254:1723         10.0.0.169:2607         ESTABLISHED
    tcp        0      0 10.0.0.254:1723         10.0.0.205:1034         ESTABLISHED
    udp        0      0 0.0.0.0:1812            0.0.0.0:*
    udp        0      0 0.0.0.0:1813            0.0.0.0:*
    udp        0      0 0.0.0.0:161             0.0.0.0:*
    udp        0      0 0.0.0.0:323             0.0.0.0:*
    udp        0      0 0.0.0.0:123             0.0.0.0:*
    raw        0      0 192.168.10.254:47       192.168.13.104:*        1
    raw        0      0 10.0.0.254:47           10.0.0.120:*            1
    raw        0      0 10.10.204.20:47         10.10.16.110:*          1
    raw        0      0 192.168.10.254:47       192.168.11.72:*         1
    raw        0      0 10.0.0.254:47           10.0.0.144:*            1
    raw        0      0 10.0.0.254:47           10.0.0.205:*            1
    raw        0      0 10.50.0.254:47          10.50.0.174:*           1
    raw        0      0 10.0.0.254:47           10.0.0.170:*            1
    raw        0      0 10.0.0.254:47           10.0.0.179:*            1

    The LISTEN (LISTENING) state marks passively opened connections ("listening" sockets); these are the sockets that provide network services. ESTABLISHED marks established connections, that is, network services that are currently in use.
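The two netstat listings above and the three IANA ranges from the port-number table can be worked through in code. The following Python is an added example written for this page, not part of the original article: it parses netstat -an output in both the Windows and the UNIX layout, separates passively open (LISTEN) sockets from ESTABLISHED connections, and tags each listening port with its IANA category. The two sample listings embedded in it are constructed from lines of the output shown above; the regular expressions and the Socket record are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Boundaries of the three IANA categories from the port-number table.
WELL_KNOWN_MAX = 1023
REGISTERED_MAX = 49151


def port_category(port: int) -> str:
    """Map a port number to its IANA category name."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


@dataclass(frozen=True)
class Socket:
    proto: str        # "tcp", "udp" or "raw" (lower-cased)
    local_addr: str
    local_port: int
    remote: str       # foreign address column as printed ("0.0.0.0:*", "*:*", host:port)
    state: str        # "LISTEN"/"LISTENING", "ESTABLISHED", ...; "" when netstat prints none


# Windows row:  "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING"
_WIN = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
# UNIX row:     "tcp  0  0 0.0.0.0:22  0.0.0.0:*  LISTEN"  (Recv-Q / Send-Q columns skipped)
_UNIX = re.compile(r"^\s*(tcp|udp|raw)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat -an output in either the Windows or the UNIX layout.
    Header, blank and otherwise unrecognised lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = _WIN.match(line) or _UNIX.match(line)
        if not m:
            continue
        proto, addr, port, remote, state = m.groups()
        sockets.append(Socket(proto.lower(), addr, int(port), remote, state or ""))
    return sockets


def listening_services(sockets: List[Socket]) -> List[Tuple[str, int, str]]:
    """(proto, port, category) for passively opened sockets, i.e. the ones that
    provide a service. UDP has no state column, so every bound UDP socket is
    treated as listening."""
    found = {
        (s.proto, s.local_port, port_category(s.local_port))
        for s in sockets
        if s.proto == "udp" or s.state.upper().startswith("LISTEN")
    }
    return sorted(found)


def established_connections(sockets: List[Socket]) -> List[Tuple[str, str]]:
    """(local, foreign) endpoints of connections currently in use."""
    return [(f"{s.local_addr}:{s.local_port}", s.remote)
            for s in sockets if s.state.upper() == "ESTABLISHED"]


# Constructed samples: a few lines taken from the two listings in the text.
SAMPLE_WINDOWS = """\
Active connections

  Name   Local address          External address       State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.16:1573      213.180.204.35:80      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

SAMPLE_UNIX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0     48 192.168.19.34:22        192.168.18.18:43645     ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
raw        0      0 192.168.10.254:47       192.168.13.104:*        1
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_UNIX):
        socks = parse_netstat(sample)
        print("services:", listening_services(socks))
        print("in use:  ", established_connections(socks))
```

The same functions can be fed the real output of netstat -an on the host being checked; a sorted listing of (proto, port, category) is a convenient baseline to diff against after changes to the server's configuration.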

    Checking the availability of network services

    If problems are detected with a particular network service, its availability is checked with whatever diagnostic tools the operating system in question provides.

    One of the most convenient tools is the tcptraceroute utility (a variant of traceroute). It uses connection-opening TCP packets (SYN|ACK) addressed to the specified service on the host of interest (by default a web server, port 80) and reports the transit time of these TCP packets through the intermediate routers, whether the service on that host is available, and, if packets are not delivered, where along the path the problem arose.

    Alternatively, the following can be used separately:

    • traceroute, to diagnose the packet delivery route (its drawback is that it uses UDP packets for diagnostics), and
    • telnet or netcat to the port of the problematic service, to check its response.
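The second check listed above, connecting to the service's port and looking at how it responds, can be automated. The following Python is an added example written for this page, not a tool from the original article: it attempts a full TCP handshake with a given host and port and classifies the outcome as open, refused, timed out or unreachable, which is the same distinction a practitioner draws by hand from telnet or netcat. The demo function binds a throwaway listener on the loopback interface so the example runs offline; the function names are this example's own.

```python
import socket
from typing import Dict, Tuple

Verdict = Tuple[str, str]


def check_tcp_service(host: str, port: int, timeout: float = 3.0) -> Verdict:
    """Try a full TCP handshake with host:port and classify what happened.

    Returns (verdict, detail) with verdict one of:
      "open"        - handshake completed, something is listening
      "refused"     - host answered with RST: reachable, nothing listens on the port
      "timeout"     - no answer within `timeout`: filtered, host down, or a path problem
      "unreachable" - routing/ICMP error or name resolution failure
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", "TCP handshake completed, service is accepting connections"
    except ConnectionRefusedError:
        return "refused", "host answered with RST: reachable, but nothing listens on this port"
    except socket.timeout:
        return "timeout", f"no answer within {timeout}s (filtered, host down or path problem)"
    except OSError as exc:          # name resolution failure, "network unreachable", etc.
        return "unreachable", str(exc)


def check_services(targets: Dict[str, Tuple[str, int]], timeout: float = 3.0) -> Dict[str, str]:
    """Probe several named services and return name -> verdict."""
    return {name: check_tcp_service(host, port, timeout)[0]
            for name, (host, port) in targets.items()}


def demo_local_listener() -> Tuple[str, str]:
    """Self-contained demonstration: bind a throwaway listener on loopback,
    probe it (expected "open"), close it and probe again (expected "refused")."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        before = check_tcp_service("127.0.0.1", port, timeout=1.0)[0]
    finally:
        srv.close()
    after = check_tcp_service("127.0.0.1", port, timeout=1.0)[0]
    return before, after


if __name__ == "__main__":
    print(demo_local_listener())
```

A "refused" verdict is as informative as "open": it shows that the path to the host works and the problem is on the host itself, whereas "timeout" leaves the question of where the packets are lost to traceroute or tcptraceroute.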

    Links

    • RFC 322 Well Known Socket Numbers
    • RFC 349 Proposed Standard Socket Numbers (rescinded by RFC 433)
    • RFC 433 Socket Number List (rescinded by RFC 503)
    • RFC 503 Socket Number List (rescinded by RFC 739)
    • RFC 739 Assigned Numbers (the first list of assigned numbers; replaced by a series of RFCs, most recently RFC 1700)
    • RFC 768 User Datagram Protocol
    • RFC 793 Transmission Control Protocol
    • RFC 1700 Assigned Numbers (the last list of assigned numbers, superseded by RFC 3232)
    • RFC 3232 Assigned Numbers: RFC 1700 is Replaced by an On-line Database
    • RFC 4340 Datagram Congestion Control Protocol (DCCP), Proposed Standard

    Wikimedia Foundation. 2010.


    The combination of the server and client parts of the OS that together provide access to a specific type of computer resource over a network is called a network service. For example, the client and server parts of the OS that together provide network access to a computer's file system form a file service.

    A network service is said to provide a set of services to network users; these services are sometimes themselves called network services. A service is an interface between a service consumer and a service provider. Each service is associated with a specific type of network resource and/or a specific method of accessing those resources. For example, a print service gives network users access to shared network printers, and a mail service gives access to a network information resource, electronic mail. The remote access service, on the other hand, is distinguished by its method of accessing resources: it gives users of a computer network access to all of its resources over dial-up telephone channels. To reach a specific resource, such as a printer, the remote access service works together with the print service.

    The most important services for network OS users are the file service and the print service. Among the network services there are also those aimed not at the ordinary user but at the administrator; such services are used to organize the operation of the network. A more progressive approach is a centralized reference service, in other words a directory service, which is designed to maintain a database not only of all network users but also of all the network's software and hardware components.

    Other examples of network services that serve the administrator are a network monitoring service, which captures and analyzes network traffic; a security service, whose functions may include performing the login procedure with password verification; and a backup and archiving service. How rich a set of services an operating system offers to end users, applications and network administrators determines its position in the overall range of network operating systems.

    Network services are by nature client-server systems. Since implementing any network service naturally gives rise to a source of requests (the client) and an executor of requests (the server), every network service contains two asymmetric parts, client and server (Fig. 2.2). A network service may be represented in the operating system either by both parts (client and server) or by only one of them.



    It is usually said that the server provides its resources to the client and the client uses them. It should be noted, however, that when a network service provides a certain service, the resources of not only the server but also the client are used. The client may spend a significant share of its resources (disk space, CPU time, etc.) on maintaining the network service. For example, in an email service the client's disk may hold a local copy of a database containing its extensive correspondence; the client then does a great deal of work generating messages in various formats, including complex multimedia ones, maintaining an address book, and performing many other auxiliary tasks. The fundamental difference between the client and the server is that the client always initiates the work performed by the network service, while the server always waits passively for requests. For example, a mail server delivers mail to a user's computer only when a request arrives from a mail client. The interaction between the client and server parts is usually standardized, so that one type of server can be designed to work with different types of clients, implemented in different ways and perhaps by different manufacturers. The only condition is that the clients and the server must support a common standard communication protocol.


    System core

    The Linux operating system is a product of human labor, and humans make mistakes, even in kernel code. Hence the first security threat: errors in the system kernel. Such errors are found less often than errors in other software, but they do happen. There is only one protection here (the same for all problems of this kind): constant monitoring of security information (a good source, besides the mailing list of your distribution's vendor, is the site www.securityfocus.com and its mailing lists) and of what the server itself reports.

    There are, however, kernel patches that improve the security of the system as a whole and of the kernel in particular. The main focus of such patches (including cumulative ones) is on making the system resist the common attacks against programs with buffer overflow bugs and against programs that create temporary files incorrectly, and on reducing the amount of information an attacker can obtain about the system (http://www.openwall.com/).

    There are also patches that specialize in the network side of the OS kernel. Their tasks include building an anti-scanning function into the kernel (http://www.lids.org) and making it harder to determine the OS version with network scanners such as nmap.

    With all these patches combined, the resulting kernel can on its own protect the system from most known types of attack: buffer overflow attacks, attacks on programs that handle temporary files incorrectly, and network scanning of the machine to determine open ports and the operating system version.

    In most cases, for reasons unknown to the author, almost every possible service is started by default on a “freshly installed” server (for example, port 7, the echo service, which is completely unnecessary today).

    New programming errors are found in software almost every day. If an error is found in a service running on the server, then after a short time you can expect someone to compromise the server (since, for example, buffer overflow errors make it possible to execute arbitrary code with the rights of the server process, which are often superuser rights, root). You can protect yourself from such problems:

    first, by regularly monitoring security events (and again, www.securityfocus.com is perhaps the most authoritative and comprehensive source of information);

    second, by slightly adjusting the system kernel (with the various security patches described above);

    third, simply by using servers that are written with great care and with security requirements in mind, and of course by not running unnecessary services.

    Let's start with unnecessary services. The tasks are of course specific to each server, but it can still be said that in most cases the ports (and their corresponding services) from 1 to 19 inclusive are unnecessary and in some ways simply dangerous. Some of them are useful, but most are no longer used. Without a specific reason you should not open ports such as 37 (time), 69 (tftp), 79 (finger), 111 (sunrpc), 512 (TCP – exec; UDP – biff), 513 (TCP – login; UDP – who), 514 (TCP – cmd; UDP – syslog), 517 (talk), 525 (timeserver).

    Now regarding the most commonly used services, namely: HTTP/HTTPS, FTP, Telnet/SSH, SMTP, POP3/IMAP and proxy services. Let's look at each service in detail.


    Tools for remote control of UNIX, Windows NT and NetWare operating systems.

    When people talk about remote management, they usually mean network management platforms based on the SNMP protocol. Among the most common platforms are HP OpenView, Microsoft SMS, Novell ManageWise, etc. However, their capabilities are quite limited: they are well suited for monitoring network devices, but much worse for directly managing the operation of servers and operating systems. Thus, using the network management platform it is impossible to create a user account, run a program on the server, write an executable script, and much more. Therefore, instead of “management platform,” it would be more correct to use the term “monitoring platform.”

    It is well known that the most convenient means of server administration is its console. (The NetWare operating system presents a special case, which we will consider separately.) From the console, the administrator can monitor any activity on the server, as well as manage network OS resources. However, it is not always possible for an administrator to be behind a UNIX or Windows NT console.

    Although it is now commonplace to house servers in dedicated server rooms, network administrators are reluctant to move into such rooms. Firstly, server rooms are filled not only with servers, but also with active network equipment, powerful uninterruptible power supplies, switching cabinets, backup facilities, etc. Due to the unfavorable electromagnetic background, the constant presence of personnel in the server room is undesirable. Secondly, in such rooms the noise level is quite high, which sometimes makes it difficult to even use the telephone. After 8 hours of working in such conditions, a person feels completely overwhelmed. Thirdly, there may be several server rooms in a large organization. For these reasons, the administrator would like to have a workstation outside the server room, but still have all the benefits of the console.

    In addition, users constantly have one or another problem, and the administrator is forced to visit client sites. In such cases, it is important for him to be able to remotely manage the network OS, for example, to assign access rights, create a new user account, increase the size of the file system, etc.

    Finally, problems can also arise during non-working hours, when the administrator is at home. In such cases, it is desirable that he, using his home computer and modem, can remotely identify and fix the problem, rather than rush headlong to the office.

    All network operating systems have remote administration capabilities, either built-in or provided by third-party companies. Some of them implement the concept of a remote console (or remote terminal), while others provide disparate administration tools aimed at solving only some specific tasks.

    OPERATING SYSTEMS AND ADMINISTRATION

    Before we talk about remote management of network operating systems, we will briefly look at the principles of administering the most popular operating systems: Windows NT, UNIX and NetWare. Perhaps the most powerful system, not only in functional terms but also in terms of administration capabilities, is UNIX. In UNIX the kernel is separated from the graphical shell, and the graphical shell is not needed to operate the server, although it is used quite often. Interactive interaction between the user and the OS takes place through the command shell. It has several implementations, with the Bourne shell (sh), C shell (csh), Korn shell (ksh) and Bourne again shell (bash) being particularly popular. Each command shell has its own programming language for writing scripts. In addition, UNIX is famous for its rich set of utilities, including sorting, searching, stream editing, lexical analysis, macro processing, filters and many others. Using the shell, the system utilities, application programs and pipelines, UNIX allows you to create extremely flexible administration programs.

    UNIX uses the X Window System (X11) graphical shell. Unlike similar shells in Microsoft Windows and Apple MacOS, the X11 environment is networked and separate from the kernel. That is, from the kernel point of view, the X11 system is a regular user program. Within X11, any UNIX computer (with the appropriate rights) can act as an X11 client or server. It should be borne in mind that, contrary to generally accepted practice, the X11 server is the computer on whose display the image is displayed, and the client is the machine on which the program runs. X11 server software exists for many common operating systems, including Windows, MacOS, etc., while client software is implemented primarily on UNIX.

    In modern UNIX, management tasks use utilities with three types of interface: command line, interactive text and graphical. The most powerful ones, covering all OS capabilities, are the command-line utilities. Such programs are actively used for repetitive operations such as creating a user account or assigning access rights. Interactive text and graphical utilities appeared in UNIX relatively recently, but because of their interactive nature the benefit of using them inside shell programs is far from obvious. Such utilities are used mainly for occasional tasks and for fine-tuning the OS and hardware. Thus any text terminal emulator is suitable for administering UNIX.

    Despite its widespread use, Microsoft Windows NT cannot compete with UNIX in matters of administration. In terms of ease of administration - yes, but not in terms of its capabilities. As you know, the Windows graphical shell is inseparable from the system core. Although this is not the best option from a reliability point of view, such an implementation allows for exceptionally high performance in graphics operations. Another thing is that this is of little use on an NT server - the purpose of the server is not to quickly display graphic information. Microsoft has actually driven users into a corner by offering essentially the same system as a client (NT Workstation) and a server (NT Server). In addition, the Windows graphical environment is not networked.

    There are several command line-based administration utilities available for Windows NT. However, their set is quite limited, and the capabilities of the built-in command processor cannot be compared with the UNIX shell. Windows NT Server also comes with a number of programs for remote management of users, domains, access rights, etc. Such programs can be installed on Windows 9x and NT computers. However, many network applications, especially from third-party developers, do not have remote control capabilities. Therefore, to fully manage the network environment, the administrator is forced to sit at the console or emulate the console using specialized programs.

    NetWare's management structure is fundamentally different from that of other network operating systems. All server configuration operations, including launching applications, are carried out from the console. At the same time, accounts, printers, files, and the NDS directory service are managed from client sites. True, the latest version of NetWare 5 has a unified network management console, ConsoleOne, with which an administrator can manage network resources from anywhere on the network, including from the console. However, ConsoleOne's capabilities are still too limited, and it works slowly because it is written in Java. In addition, NetWare 5's share of the network OS market is negligible, since the bulk of Novell networks are based on NetWare versions 4.x. The NetWare console operates in text mode (in NetWare 5 the server also supports graphical mode), so management is carried out using command line programs with an interactive text interface. NetWare's command language is quite weak, but the OS includes Basic and Perl interpreters that allow you to create quite serious programs. The remote console program included in NetWare provides access to the server console over the network from DOS, Windows, MacOS, and UNIX client machines.

    To manage NDS, accounts, printers, access rights, etc., there are graphical and interactive text programs designed to work at client sites. The number of available command line utilities is small and their capabilities are limited. In short, from the point of view of managing NDS, graphical utilities (and primarily NetWare Administrator) have the most powerful capabilities, followed by interactive text programs (NETADMIN, PCONSOLE, etc.) and only then command line utilities.

    Having examined the main features of the network OS management structure, we can now move on to get acquainted with the most common remote management tools.

    TELNET

    Perhaps the best-known UNIX remote control program is telnet, especially since it ships with almost every modern operating system. telnet is a terminal emulation program that uses the application-layer protocol of the same name, TELNET. To support the telnet service, the server must run a system program (called the telnet daemon in UNIX) that handles requests from telnet clients. The telnet server can serve several clients at once, and the TELNET protocol uses TCP (port 23) as its transport.

    Telnet can be used to manage not only UNIX computers but also network devices such as routers, switches, dial-up servers, etc. Telnet can also be used to administer Windows NT (server software for this service is available in several free and commercial products), but only in command-line mode. Telnet lets the user connect to a remote server from his own workstation and work with it in text mode; the user gets the complete illusion of sitting at a text terminal of that server.

    Telnet is well suited for heterogeneous networks because it relies on the Network Virtual Terminal (NVT) concept. It is known that different operating systems and hardware have specific features related to input/output and information processing. Thus, UNIX uses LF as a line break character, while MS-DOS and Windows use the CR-LF character pair. The NVT network virtual terminal allows you to abstract from the characteristics of specific equipment through the use of a standard character set. The telnet client is responsible for converting client codes to NVT codes, and the server does the reverse conversion (see Figure 1).

    Telnet provides a parameter negotiation mechanism in which the client and server can agree on certain options, including data encoding (7- or 8-bit), transmission mode (half-duplex, character-at-a-time, line-at-a-time), terminal type, and several others. Commands and data in telnet are transmitted independently of each other: a special code switches telnet from data transmission mode to command transmission mode and back. Commands are the information used to control the telnet service, while data is what is input and output through the terminal (client) or pseudo-terminal (server) drivers.
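The NVT conversion and the separation of commands from data described in the two paragraphs above can be made concrete. The following Python is an added example written for this page, not code from the original article or from any telnet implementation: encode_data performs the client-side conversion of local text into NVT form (line breaks become CR LF, a 0xFF data byte is doubled), and decode_stream splits an incoming byte stream into user data and option-negotiation commands, using the command byte values of RFC 854 (0xFF as the escape code, DO/DONT/WILL/WONT as the negotiation verbs). The sample stream is constructed for the example; option number 24 (terminal type) is used only as illustration.

```python
from typing import List, Optional, Tuple

# Telnet command bytes (RFC 854): 0xFF (IAC) introduces a command. Option
# negotiation verbs are three bytes long (IAC <verb> <option>); most other
# commands are two bytes; subnegotiation runs from IAC SB to IAC SE.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
Command = Tuple[str, Optional[int]]


def encode_data(text: str, local_newline: str = "\n") -> bytes:
    """Local text -> NVT byte stream (the conversion the telnet client does).
    The local line break becomes CR LF, and a data byte 0xFF is doubled so the
    receiver does not read it as the start of a command."""
    nvt = text.replace(local_newline, "\r\n").encode("latin-1")
    return nvt.replace(b"\xff", b"\xff\xff")


def decode_stream(stream: bytes, local_newline: str = "\n") -> Tuple[bytes, List[Command]]:
    """NVT byte stream -> (user data in local conventions, list of commands).
    Commands come back as (verb, option); two-byte commands carry option None.
    A command cut off at the end of the stream is left unconsumed (a real
    client would wait for more bytes), but the data before it is returned."""
    data = bytearray()
    commands: List[Command] = []
    i, n = 0, len(stream)
    while i < n:
        b = stream[i]
        if b != IAC:                 # ordinary data byte
            data.append(b)
            i += 1
            continue
        if i + 1 >= n:               # lone IAC at the end: truncated command
            break
        cmd = stream[i + 1]
        if cmd == IAC:               # IAC IAC: an escaped 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in VERBS:           # IAC DO/DONT/WILL/WONT <option>
            if i + 2 >= n:
                break
            commands.append((VERBS[cmd], stream[i + 2]))
            i += 3
        elif cmd == SB:              # IAC SB <option> ... IAC SE
            if i + 2 >= n:
                break
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break
            commands.append(("SB", stream[i + 2]))
            i = end + 2
        else:                        # NOP, AYT, GA, ...: IAC <cmd>
            commands.append((f"CMD{cmd}", None))
            i += 2
    # NVT line conventions back to local ones: CR LF is a line break, CR NUL a bare CR.
    text = bytes(data).replace(b"\r\n", local_newline.encode("latin-1")).replace(b"\r\x00", b"\r")
    return text, commands


# Constructed sample: a prompt, a DO negotiation for option 24, a line of input,
# an escaped 0xFF data byte, and a terminal-type subnegotiation.
SAMPLE_STREAM = (b"login: " + bytes([IAC, DO, 24]) + b"admin\r\n" + bytes([IAC, IAC])
                 + b"bye" + bytes([IAC, SB, 24, 0]) + b"vt100" + bytes([IAC, SE]))

if __name__ == "__main__":
    print(decode_stream(SAMPLE_STREAM))
```

Because the same byte value serves as both escape code and data, a receiver that forgets the IAC IAC rule either drops user data or, worse, interprets user-supplied bytes as commands; the decoder above treats every unescaped 0xFF as a command prefix and nothing else.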

    Telnet is a fairly powerful remote control program, but it has a number of fundamental disadvantages. The most important is that all data, including passwords, is transferred between computers in clear text. Anyone connected to the network can, with the simplest protocol analyzer, not only read the information but also obtain a password for unauthorized access. In a local network the likelihood of such attacks can be reduced by using switches (switching hubs). Large-scale use of switches in a local network is of course very expensive, but it is better at least to connect administrators' workstations through them. When access is over the Internet, in particular when the administrator works from home, the problem remains. It is possible to reach the servers through remote access servers using authentication protocols such as CHAP instead of over an Internet provider's channels, but unfortunately this approach is not suitable for every organization.

    The second problem is that the free telnet clients bundled with operating systems have limited capabilities. It often happens that an interactive text program cannot even be launched, because the telnet client does not support the server's terminal type, and the interactive program refuses to work with the terminal types the telnet client does support.

    However, despite these disadvantages, telnet remains the most common remote control program.

    RLOGIN

    First introduced with 4.2BSD UNIX, the rlogin program was at one time extremely popular in the UNIX environment. As a terminal access tool, rlogin is very similar to telnet, but due to its tight integration with the OS, it has found very limited use in other systems. rlogin lacks many of the options inherent in telnet, in particular the mode of negotiating parameters between the client and server: terminal type, data encoding, etc. Therefore, the code size of the rlogin program is almost ten times smaller than that of telnet. However, rlogin provides for trust relationships between hosts: on the rlogin server, in special system files (usually /etc/hosts.equiv and $HOME/.rhosts), the administrator can list computers from which access to this server will be allowed without a password. Users of other computers (not listed in these files) can log into the server only after entering a password.

    Another variant of the rlogin program, known as rsh, allows you to run programs on a remote machine, with input and output occurring on the local computer. Another program - rcp - is intended for copying files between network computers. The rlogin, rsh, and rcp utilities are often collectively called r-commands.

    Unfortunately, experience has shown that trust relationships based on host names are extremely dangerous, because they open the door to unauthorized access. The widespread use by attackers of techniques for substituting IP addresses (IP spoofing) and domain names (DNS spoofing) leaves the r-command service unprotected. This is true even when no trust has been established between the hosts at all. Therefore, at present, the rlogin service is used only in networks completely closed off from the Internet. Just as with telnet, data and passwords (where no trust relationship exists) are transmitted in clear text.
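The trust files named above (/etc/hosts.equiv and $HOME/.rhosts) are worth auditing for exactly the reason the two paragraphs give: every granting entry is a passwordless login that rests on a host name or address. The following Python is an added example written for this page, not a tool from the original article: it parses the file format as it is commonly documented (one host per line, an optional user name, a leading "-" for a deny entry, "#" comments, and a lone "+" meaning any host; that reading of the format is this example's assumption) and lists each grant with a severity. The sample file is constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TrustEntry:
    line_no: int
    host: str     # host name, "+" (any host) or "@netgroup"
    user: str     # optional user field; "" when the line names no user
    deny: bool    # entry written with a leading "-" denies instead of grants


def parse_hosts_equiv(text: str) -> List[TrustEntry]:
    """Parse hosts.equiv / .rhosts lines of the form "[-]host [user]".
    Blank lines and '#' comments are skipped (format as assumed above)."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        entries.append(TrustEntry(no, host.lstrip("-"), user, host.startswith("-")))
    return entries


def audit_trust(entries: List[TrustEntry]) -> List[Tuple[str, str]]:
    """One (severity, finding) per granting entry. Deny entries are not
    findings; every grant is, because the check behind it is a host name or
    address that IP or DNS spoofing can forge."""
    findings = []
    for e in entries:
        if e.deny:
            continue
        who = f" for user {e.user!r}" if e.user else ""
        if e.host == "+":
            findings.append(("critical",
                             f"line {e.line_no}: '+' grants passwordless login from ANY host{who}"))
        else:
            findings.append(("high",
                             f"line {e.line_no}: passwordless login from {e.host!r}{who}; "
                             "the only check is the client's name/address"))
    return findings


# Constructed sample file; the host names are placeholders, not real systems.
SAMPLE_HOSTS_EQUIV = """\
# constructed example of /etc/hosts.equiv
admin-ws.example.test
backup.example.test   operator   # only this account
-untrusted.example.test
+
"""

if __name__ == "__main__":
    for severity, msg in audit_trust(parse_hosts_equiv(SAMPLE_HOSTS_EQUIV)):
        print(f"[{severity}] {msg}")
```

Run against the real files on a host that still serves r-commands, the output is the complete list of machines whose identity the server takes on faith; on a network that is not completely closed off from the Internet, as the text puts it, the expected list is empty.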

    In addition, client software for r-commands on DOS and Windows platforms is less widespread than for telnet, and is generally only available as part of fairly expensive commercial products.

    SECURE SHELL

    It is obvious that transmitting data, and especially passwords, over the network in clear text, as telnet and rlogin do, cannot satisfy even minimal security requirements. There are several ways to protect information systems from such attacks. Some of them protect only the password, while others encrypt the entire flow of information. Among the latter, the most popular is the Secure shell (ssh) program, which belongs in any standard toolkit for secure UNIX terminal access. A non-commercial version of Secure shell can be downloaded from the server of the program's author, T. Ylönen ( http://www.ssh.fi). However, the free version of ssh is available only for UNIX. Data Fellows ( http://www.datafellows.com) offers a commercial, extended version of ssh, including one for the Windows platform.

    Secure shell provides capabilities similar to those of telnet and the r-commands: not only terminal access, but also file copying between computers. Unlike them, ssh can also carry X11 sessions through its encrypted connection (X11 forwarding).

    The security of ssh rests on three protocols layered on one another: a transport layer protocol, a user authentication protocol and a connection protocol. The transport layer protocol authenticates the server, negotiates the algorithms and establishes the encrypted, integrity-protected channel; the authentication protocol reliably identifies and authenticates the client over that channel; the connection protocol multiplexes the channel into interactive sessions, forwarded TCP ports and X11 connections.

    As already mentioned, Secure shell has become a de facto standard for secure access, including in Russia. It is a very interesting product that one could discuss at great length, but we will not do so here (more detailed information about Secure shell can be found in M. Kuzminsky's article “Ssh - an everyday means of secure work” in the magazine “Open Systems” No. 2, 1999). The reason is that this product, like many similar ones, is prohibited for use in Russia.

    According to Decree of the President of the Russian Federation No. 334 of April 3, 1995, individuals and organizations of any kind, including public, private and joint-stock companies, are prohibited from operating cryptographic systems that have not been certified by FAPSI. Secure shell is exactly such a system. There is no reason to take offense at our intelligence services: we are not alone in the world, and in some countries, for example France, the rules are even stricter (in fairness, it should be noted that since March of this year France has significantly relaxed its restrictions on encryption systems). Nor should one think that we are being forbidden to protect confidential information: organizations not only may, but are obliged to protect important information. They must simply use certified tools for this, not programs freely distributed on the Internet. Of course, programs based on ssh, SSL, PGP and the like are widespread in our country, but it should be remembered that their use is fraught with considerable trouble: users of such programs are potentially at risk of investigation by the intelligence agencies. In any case, we have neither the right nor the desire to promote such an approach.

    SECURE AUTHENTICATION

    In most management tasks, administrators are concerned less with protecting the transmitted data than with reliable user authentication, so that an attacker cannot intercept and reuse the administrator's password. There are several possible solutions. The first is Kerberos, which is based on the issuing of tickets. (In fact, Kerberos provides not only authentication but also encryption of network traffic, which again falls under the Decree.) However, because of US government export restrictions, the encryption mechanism in the exportable version is significantly weakened. Enterprise dial-up systems can use authentication services such as RADIUS, TACACS+ and XTACACS. But all of these services (Kerberos included) require a large-scale redesign of the network infrastructure, which entails large costs. This is hardly justified if the range of remote access tasks is limited to managing network operating systems.

    For such tasks, tools supporting one-time passwords (One-Time Password, OTP) are more suitable. The essence of such systems is that the user's password transmitted over the network is valid for only one communication session. That is, even if an attacker managed to intercept the password, he will not be able to use it, since the password will already be changed during the next session.

    To enable OTP on the server, the telnet, rlogin and ftp daemons have to be replaced (new services can of course be introduced selectively, for example using the upgraded telnetd but leaving the “native” ftpd). The client software, however, needs no update, which is very convenient. The first working OTP system was released by Bellcore (now Telcordia Technologies) in 1991 under the name S/Key. An important feature of S/Key is that it was originally a non-commercial product that worked on several versions of UNIX. The most popular OTP systems today are the following (all of them, except S/Key version 2.0 and higher, are distributed free of charge):

    • S/Key by Telcordia Technologies (ftp://ftp.bellcore.com);
    • US Naval Research Laboratory OPIE (ftp://ftp.nrl.navy.mil);
    • LogDaemon by Wietse Venema (ftp://ftp.porcupine.org/pub/security).

    The listed systems are backward compatible with S/Key 1.0. Current OTP implementations are based on the MD4 and MD5 hash functions (S/Key 1.0 used MD4 exclusively).

    How do OTP systems work? When OTP is initialized on the server, two parameters are set for each user: a secret key (which is never transmitted over the network) and an iteration count, i.e. the number of logins for which this secret key will be valid. The server applies MD4 or MD5 to the secret key (combined with a seed) the given number of times and stores only the resulting hash, together with the count and the seed, not the secret itself. After this, the user can work with the server over the network via ordinary telnet, ftp, etc.

    User authentication for terminal access proceeds as follows. After entering the user name, the user is shown the number of the next iteration and a seed. The beginning of the authentication procedure is shown in Figure 2. Here the iteration number is 967 and the seed is jar564. In the Password field the user must enter not his secret key but a passphrase consisting of six words. This phrase is generated from the secret key, the iteration number and the seed by a special calculator (see Figure 3). To obtain the passphrase, the user enters the iteration number, the seed and his secret key (in the example given, the resulting passphrase is “NO HUFF ODE HUNK DOG RAY”).

    The passphrase is then typed into the Password field of the terminal access program. The server hashes the received value once more and compares the result with the value it has stored; on a match the user is authenticated, the received value replaces the stored one and the iteration number is decremented. Thus, at the next authentication the iteration number is one lower, the seed is unchanged, and the passphrase is completely different. Intercepting a passphrase therefore gives the attacker nothing, since the server will no longer accept it when he tries to log in with it. The main security component is the secret key, and it is never transmitted over the network. Because MD4 and MD5 are one-way functions, the secret key (and the next passphrase) cannot practically be derived from an intercepted passphrase, the iteration number and the seed.

    When the iteration number reaches zero, the user's account must be reinitialized (with a new secret key or a new seed).

    It may seem that the calculator is the main inconvenience for the user. This is not entirely true, since the calculator is a very small program that requires no configuration. Such calculators are freely available for all popular platforms, including MS-DOS, Windows, Macintosh and UNIX. Moreover, passphrases can be computed (and memorized or written down) in advance for several terminal sessions ahead, with successively decreasing iteration numbers, so an administrator managing a server remotely does not need to install the calculator on every client machine he may have to work from. A written list, of course, is as sensitive as the secret key itself for the number of logins it covers.
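    The chain described above, as an added example in Python (it is not the page's code, nor the S/Key, OPIE or LogDaemon sources). It follows the RFC 2289 MD5 variant as I understand it: the seed is lowercased and concatenated with the secret, the 16-byte MD5 digest is folded to 8 bytes by XORing its halves, and password number n is that preparatory hash re-hashed n more times. The server stores password number N at initialization and challenges with N-1; a successful login replaces the stored value and decrements the counter, so a replay fails. Passwords are shown in the hex form rather than the six-word encoding (the 2048-word dictionary is not embedded). The user names, seeds and secrets are constructed.

```python
"""One-time-password chain in the style of S/Key / OPIE (RFC 2289, MD5 variant).

Added example; not the page's code. Assumptions: RFC 2289 MD5 folding, seed
lowercased before concatenation, hex form instead of six-word encoding.
"""
import hashlib


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing its halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(secret: str, seed: str, n: int) -> bytes:
    """Password number n: hash seed||secret once (the preparatory step), then
    re-hash the 8-byte result n more times. This is what the calculator does."""
    v = fold_md5((seed.lower() + secret).encode())
    for _ in range(n):
        v = fold_md5(v)
    return v


def hexform(p: bytes) -> str:
    """Hex form of a password as calculators print it, e.g. 'C88E 5CF4 0A7B 1D22'."""
    h = p.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def precompute(secret: str, seed: str, next_n: int, how_many: int) -> list:
    """Passwords for the next few logins, counting down from next_n, so the
    administrator need not carry the calculator to every client machine."""
    return [(n, hexform(otp(secret, seed, n)))
            for n in range(next_n, next_n - how_many, -1)]


class OtpServer:
    """Server side. Per user it keeps the seed, the current sequence number and
    the password belonging to that number; the secret itself is never stored."""

    def __init__(self):
        self.db = {}

    def init_user(self, user: str, secret: str, seed: str, count: int) -> None:
        # 'keyinit': store password number 'count'; the first login uses count-1.
        self.db[user] = {"seed": seed, "seq": count, "last": otp(secret, seed, count)}

    def challenge(self, user: str):
        """What the login prompt shows after the user name: (iteration, seed).
        None once the chain is exhausted and the account must be reinitialized."""
        u = self.db[user]
        return (u["seq"] - 1, u["seed"]) if u["seq"] > 0 else None

    def login(self, user: str, response: bytes) -> bool:
        """Hashing the submitted password once must give the stored value.
        On success the submitted value becomes the new stored value and the
        counter moves down, so a replayed capture no longer matches."""
        u = self.db[user]
        if u["seq"] <= 0 or fold_md5(response) != u["last"]:
            return False
        u["last"] = response
        u["seq"] -= 1
        return True


if __name__ == "__main__":
    srv = OtpServer()
    srv.init_user("admin", "correct horse battery", "jar564", 968)  # constructed
    n, seed = srv.challenge("admin")
    print(f"otp-md5 {n} {seed}")                      # the prompt the user sees
    p = otp("correct horse battery", seed, n)         # computed on the calculator
    print("login:", srv.login("admin", p))
    print("replay of the same password:", srv.login("admin", p))
    print("next three, precomputed:", precompute("correct horse battery", seed, n - 1, 3))
```

    The design point worth noticing is in login(): the server only ever needs to go one step forward along the chain, while an attacker who holds a captured password would have to go one step backward through a one-way function to produce the next one.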

    X WINDOW SYSTEM

    Although almost all UNIX management tasks can be performed in text mode, administrators often prefer a graphical interface as more convenient. In addition, some UNIX applications on the market can only be run in a graphical environment. X server software is available for a variety of platforms, including DOS, Windows, Macintosh, UNIX, etc., but in most cases (UNIX excepted) it comes bundled with expensive commercial products. X11 clients (as already emphasized, the notions of client and server in the X Window System are the reverse of common usage) run mainly on UNIX servers.

    It should be borne in mind that the use of the X Window System requires a sufficiently large network bandwidth. The system works great in local networks, but very slowly over global channels. Therefore, when using the X Window System on an administrator's home computer, it is better to manage it through terminal utilities like xterm rather than through graphical utilities.

    When connecting to a UNIX server (which runs X11 clients), authentication can be accomplished in two ways: through terminal utilities (telnet, rlogin, etc.) and through the X Display Manager (xdm). In the first option, transmitting a password in clear text can be avoided by using the already mentioned ssh and OTP programs instead of telnet and rlogin. In the case of X Display Manager, passwords are sent in clear text by default. Therefore, when remotely managing a UNIX server over public networks, xdm should not be used.

    Administrators should be very careful about using a UNIX server as an X server (that is, in plain language, running an X11 graphical shell on the UNIX server itself). The X Window System is designed so that a user can run an X client from his own machine against a remote X server and intercept the input and output on it. As a result, an attacker is able to read confidential information from that X server, including passwords entered by the user on it (xterm does offer a Secure Keyboard option that blocks this kind of keystroke interception, but it is rarely used).

    On X servers, two client authentication schemes are in common use: by host name and by “magic cookies” (MIT-MAGIC-COOKIE-1). With host-name authentication, files on the X server (the /etc/X*.hosts files, or the xhost command) list the hosts from which X client programs are allowed to connect to this X server. Such protection cannot be called sufficient, since by substituting IP addresses or domain names an attacker can mount an attack on X11. With the magic-cookie scheme (supported by the XDMCP protocol on which X Display Manager operates), authentication is tied to user accounts: to be allowed to run a client on the X server, the user must have a file in his home directory on the X11 client machine (.Xauthority) containing the X server's secret value. This secret value is the magic cookie. The trouble is that the cookie is transmitted over the network in clear text when the client connects, so this method can hardly be considered secure either.

    X Window System 11 Release 5 added two more schemes (XDM-AUTHORIZATION-1 and SUN-DES-1) that resemble MIT-MAGIC-COOKIE-1 but use the DES encryption algorithm. However, because of export restrictions, these schemes are not included in the X Window System distribution. Given the above, X11 server software should be run on a UNIX server only if access to it from X11 clients on other computers is prohibited.
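    The cookie file mentioned above (~/.Xauthority) has a simple binary record format: a big-endian 16-bit address family followed by four length-prefixed fields (address, display number, authorization name, authorization data). As an added example (not from the article and not part of X11's xauth), the reader below parses that format and reports the entries that matter for the discussion: MIT-MAGIC-COOKIE-1 entries for TCP address families, whose cookie crosses the network in clear text, and wildcard-family entries that apply to any address. The sample file bytes are constructed in the block.

```python
"""Reader for ~/.Xauthority records (added example; constructed sample data)."""
import struct
from typing import Dict, List

# Family constants from <X11/Xauth.h>
FAMILY_NAMES = {0: "Internet", 6: "Internet6", 256: "Local", 65535: "Wild"}


def _field(buf: bytes, pos: int):
    """Read one length-prefixed field; returns (bytes, new position)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_xauthority(buf: bytes) -> List[Dict]:
    """Split a .Xauthority file into its records."""
    entries, pos = [], 0
    while pos < len(buf):
        (family,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        address, pos = _field(buf, pos)
        number, pos = _field(buf, pos)
        name, pos = _field(buf, pos)
        data, pos = _field(buf, pos)
        entries.append({"family": family, "address": address,
                        "number": number.decode(), "name": name.decode(), "data": data})
    return entries


def build_entry(family: int, address: bytes, number: str, name: str, data: bytes) -> bytes:
    """Serialize one record (used here only to construct the sample file)."""
    out = struct.pack(">H", family)
    for f in (address, number.encode(), name.encode(), data):
        out += struct.pack(">H", len(f)) + f
    return out


def _addr_text(e: Dict) -> str:
    if e["family"] == 0:
        return ".".join(str(b) for b in e["address"])
    if e["family"] == 6:
        return e["address"].hex()
    return e["address"].decode(errors="replace")


def audit_xauthority(buf: bytes) -> List[str]:
    """One finding per entry that exposes the cookie on the wire or applies everywhere."""
    findings = []
    for e in parse_xauthority(buf):
        where = f"{FAMILY_NAMES.get(e['family'], e['family'])}:{_addr_text(e)}/{e['number']}"
        if e["family"] == 65535:
            findings.append(f"{where}: wildcard entry, used for any address the display resolves to")
        if e["name"] == "MIT-MAGIC-COOKIE-1" and e["family"] in (0, 6):
            findings.append(f"{where}: MIT-MAGIC-COOKIE-1 over TCP, the "
                            f"{len(e['data']) * 8}-bit cookie is sent in clear text")
    return findings


# Constructed sample: a TCP cookie, a local-socket cookie, and a wildcard DES entry.
SAMPLE_XAUTHORITY = (
    build_entry(0, bytes([192, 168, 0, 16]), "0", "MIT-MAGIC-COOKIE-1", bytes(range(16)))
    + build_entry(256, b"adminhost", "0", "MIT-MAGIC-COOKIE-1", b"\x01" * 16)
    + build_entry(65535, b"", "0", "XDM-AUTHORIZATION-1", b"\x02" * 16)
)

if __name__ == "__main__":
    for finding in audit_xauthority(SAMPLE_XAUTHORITY):
        print(finding)
```

    To run it against a real file, read ~/.Xauthority in binary mode and pass the bytes to audit_xauthority(); the same format is what xauth list prints in text form.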

    Everything that has been said about the low security of an X server based on a UNIX server fully applies to administrator client machines running the X Window System.

    WINDOWS NT SERVER

    When installing Microsoft Windows NT Server, it is assumed that the OS administration will be carried out from the server console. However, NT Server also includes remote management utilities. They are located on the Windows NT Server distribution in the \Clients\Srvtools directory. These utilities can be installed on both Windows NT Workstation and Windows 9x (see Figure 4). With their help, you can administer user and group accounts, rights and privileges, NT domains, and monitor event logs on servers and workstations. The utilities operate in graphical mode, similar to the native NT Server management utilities. Although remote management utilities allow you to perform most of the system administration work, this set lacks a number of important programs. For example, with their help it is impossible to perform server hardware configuration, backup, license management, performance monitoring, etc. In addition, many third-party server applications do not have any remote management programs.

    The Windows NT Server Resource Kit, supplied by Microsoft, includes a number of additional administration programs, including command line ones. The most important of them are ADDUSER.EXE (creating new user and group accounts), CACLS.EXE (managing access rights), DUMPEL.EXE (dumping event log records to the screen or to a file) and RMTSHARE (managing network shares). Even with the weak NT command processor, it is not difficult for an administrator to write a batch file that creates a new account and assigns it rights and privileges automatically.

    There are also several programs available for Windows NT that implement a telnet server. With its help, an administrator can gain remote access to an NT server and run command line-based programs. Again, remember that most telnet implementations transmit the password in clear text.

    But, as already noted, remote access utilities and command line-based programs cannot solve all administration tasks. Therefore, some solutions involve emulating a Windows NT server GUI on a remote computer.

    First of all, I would like to mention WinFrame from Citrix and Windows Terminal Server (WTS) from Microsoft. According to the architecture of these products, applications run on the NT server, and input/output of information is performed on client computers. According to their manufacturers, WinFrame and WTS operate acceptably at speeds of 28 Kbps, so you can manage servers even from home. To use these tools, you must host the server part of the software on the NT server, and the client software on the administrators' workstations. WinFrame and WTS do not transmit passwords in clear text.

    To be fair, it should be said that for administration tasks such solutions turn out to be redundant. WinFrame and WTS technology involve connecting several clients to the server. (Usually, it is enough for the administrator that only he alone has access to the server.) Because of this, solutions based on these products are quite expensive. For example, connecting a client to a WinFrame server will cost from 200 to 400 dollars, which is very expensive, since an organization may have more than one server and more than one administrator.

    More suitable, in my opinion, for remote administration are specialized remote management packages, such as Symantec's pcANYWHERE and Stac's ReachOut. When using such products, the contents of the NT server screen are duplicated on the display of the local computer, information is entered from the keyboard (and mouse) of the local computer and transferred to the remote one (in this case, to the NT server). Everything looks as if the administrator is sitting at the server console. pcANYWHERE and other similar products function well not only on a local network, but also over slow dial-up lines. However, they have a limit on the number of simultaneous connections to the server (usually only one connection). pcANYWHERE products have built-in encryption, making it unlikely that your password will be intercepted.

    A common disadvantage of Windows NT remote control tools is the need to install additional software products on administrators' client sites.

    NETWARE

    Because of the nature of Novell NetWare's architecture, remote console access issues should be separated from network resource management issues.

    Management of user accounts, groups, NDS objects and access rights in NetWare is carried out from client workstations, so administration is remote from the outset. However, administrators may encounter one obstacle: prior to NetWare version 5, the primary network protocol was IPX/SPX. This created, and continues to create, big problems when managing NetWare servers over the Internet. If an administrator must be able to manage the network OS from a home computer, he should consider connecting to the local network through a remote access server that supports the IPX/SPX protocols. Fortunately, most hardware remote access servers support this mode.

    However, the costs of creating the necessary infrastructure may be unacceptable, so administrators' home computers are often connected to the local network via the Internet. In such a situation, we can offer the following option: install the pcANYWHERE (or similar) program on one of the computers on the local network, and manage the network from your home computer through this intermediate link. This approach, by the way, may also be more attractive from a performance point of view, since network management programs (especially NetWare Administrator) work very slowly over dial-up communication channels. Another way is to upgrade NetWare to version 5 (or install NetWare/IP).

    As for remote console access, NetWare includes the Rconsole utility for accessing the console from a network workstation. However, it has two limitations: firstly, the console password is transmitted in clear text, and secondly, IPX/SPX is used as the protocol. Third-party utilities that provide secure remote access to the console can avoid transmitting passwords in clear text. Among them, the most famous is the commercial program SecureConsole for NetWare from Protocom Development Systems ( http://www.serversystems.com). When accessed, it uses the encrypted administrator password.

    As in other cases, the obstacle in the form of the IPX/SPX protocols can be eliminated by using programs like pcANYWHERE (that is, using one of the computers on the local network as a transfer link). Another way is to use the xconsole program, which provides access to the console via the X Window System, i.e. via TCP/IP. The RConsoleJ remote access utility included in NetWare 5, written in Java, also uses TCP/IP as a transport. However, the xconsole and RConsoleJ programs transmit the password in clear text. To summarize, we can say that for remote management of NetWare it is recommended to use specialized tools like pcANYWHERE.

    WEB TECHNOLOGY

    Web technology is increasingly influencing the way we manage our network environment. Already, many routers, switches, and network printers can be controlled via Web browsers. But this list is far from being exhausted by them; the Web is also invading the sphere of network OS management. At first, only HTTP and FTP servers could be managed from the Web, but this list is constantly expanding and now covers DBMS, file systems, firewalls, network services DNS, DHCP and much more. Even the NDS directory service can be managed through browsers using special commercial programs. Despite the above, Web-based technologies have not yet matured to fully manage the entire network environment. The problem is aggravated by the fact that for many applications and, especially, network devices, the password is transmitted in clear text over HTTP.

    CONCLUSION

    When organizing remote management of servers, it is necessary to take into account many factors, first of all, the characteristics of the network OS, the performance of communication lines, and issues of secure authentication. UNIX provides the most complete set of management tools, however, with the right approach, Windows NT and NetWare administrators also have no reason to worry.
