Infrastructure Perspective
Ken Gottry, May 2001
www.gottry.com
Table of Contents
Overview
netstat Command
Socket Overview
What is a Socket?

A socket is a way for two programs (processes) to communicate.
Socket = IP Address + Port Number
An IP address plus a port names one endpoint; a TCP connection is identified by both of its ends, local and remote.
192.168.1.200:80 -- web server (port 80) on 192.168.1.200

UNIX domain sockets: client and server on the same computer. Much faster.
Internet domain sockets: most commonly used. Client and server can be on the same or different computers.

[Diagram: Computer A (192.168.1.200) and Computer B (66.66.34.202); Program X on port 23 on each, Program Z on port 80]
Types of Ports

Web server LISTENing on port 80 on Computer B.
Browser asks for a socket connection to port 80 on 66.66.34.202 by saying: http://ComputerB
The PC on which the browser is running assigns an anonymous (ephemeral) port, e.g. 33186, that the browser can use as its end of the connection. The server's well-known port is fixed; the client's port is picked fresh for each connection, which is why the client port numbers in the netstat output keep changing.
What is a Server?

Some people call the computer a server (e.g. print server). Some people call the process a server (e.g. iPlanet web server). If there is little or no chance of confusion, or if little is to be gained from stressing the distinction, then I just say server. For example: the browser connects to the web server. Otherwise, I'll use the phrases server computer or server process. For example: the web server process is listening on port 443 on the web server computer. It can get complicated: the WebLogic app server process running on the app server computer contains a web server process.
What is a Host?

A host is anything that can establish a socket connection, actively or passively: client or server. If it's not a piece of wire, then I can telnet to it; I can point my browser at it; I can ftp to it; it can run a JVM with a JDBC connection pool; and so on. It may not have any or all of these services running on it, but it could.

Examples of hosts: an IBM mainframe, a Sun E10000, your laptop, a router, your cell phone, your microwave, your refrigerator, your Tivo box, the lock on a hotel door, the Toyota Prius.

Examples of pieces of wire: anything that's not a host.
netstat Command

Description of Command
netstat has lots of arguments (Solaris syntax shown; -f and -P are Solaris options):
  netstat -a        shows the state of all sockets
  netstat -f inet   shows Internet domain sockets
  netstat -P tcp    shows the TCP protocol only
  -n                suppresses DNS lookup
So, use netstat -na. The next slide contains sample output from netstat -na.

127.0.0.1 refers to localhost. The output shows the client end and the server end of each connection. For example, the ESTABLISHED line for port 23 shows that port 23 (telnet) on 192.168.1.200 (server) is connected to port 1714 (anonymous) on 192.168.1.150 (client). If both the client process and the server process are running on the same server computer, then netstat will show 2 lines for that connection, one for each end.
2001 Ken Gottry
Sample Output

UDP
   Local Address        Remote Address      State
-------------------- -------------------- -------
      *.42                                 Idle
      *.512                                Idle
127.0.0.1.53                               Idle
192.168.1.200.53                           Idle

TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.21                 *.*                0      0     0      0 LISTEN
      *.23                 *.*                0      0     0      0 LISTEN
      *.80                 *.*                0      0     0      0 LISTEN
192.168.1.200.23     192.168.1.150.1714    8732      1  9520      0 ESTABLISHED
192.168.1.200.80     192.168.1.150.1716    9400      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1717    9315      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1718    9400      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1719    9300      0  9520      0 ESTABLISHED
What users are connected to my secured web server? (It is very important to use -n because DNS lookup of all the connected browsers may time out or fail.)

netstat -na | grep 443 | more

Note: grep 443 matches any line containing the digits 443, including port 1443, a remote port of 443, the LISTEN line and TIME_WAIT sockets, so read the output with that in mind. The -v option of grep shows all lines except those that contain the string.
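The one-liner above is fine for a quick look, but as noted it over-matches. As an added example (not from the slides), this script reads the same Solaris-style netstat -na output, here a constructed excerpt rather than a capture, and counts only ESTABLISHED connections whose local port is 443, one line per client address, next to what plain grep would have counted:

```shell
#!/bin/sh
# Added example (not from the slides): count the browsers connected to port 443
# from "netstat -na" output, instead of eyeballing "grep 443".
# The input below is a constructed Solaris-style netstat excerpt, not a capture.

SAMPLE_NETSTAT='TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.21                 *.*                0      0     0      0 LISTEN
      *.443                *.*                0      0     0      0 LISTEN
192.168.1.200.443    192.168.1.150.1714    8732      1  9520      0 ESTABLISHED
192.168.1.200.443    192.168.1.150.1716    9400      0  9520      0 TIME_WAIT
192.168.1.200.443    10.3.22.13.33186      9300      0  9520      0 ESTABLISHED
192.168.1.200.443    10.3.22.13.33187      9300      0  9520      0 ESTABLISHED
192.168.1.200.34430  192.168.1.200.443     9300      0  9520      0 ESTABLISHED
192.168.1.200.443    192.168.1.200.34430   9300      0  9520      0 ESTABLISHED
192.168.1.200.1443   192.168.1.150.1720    9300      0  9520      0 ESTABLISHED'

# The slide's one-liner: counts every line containing "443", including the
# LISTEN line, TIME_WAIT sockets, port 1443 and the client end of a local
# connection. Reads netstat output on stdin.
naive_count() {
    grep -c "$1"
}

# ESTABLISHED connections whose LOCAL port is $1, one line per client IP:
# "<count> <ip>", sorted by IP. Reads netstat output on stdin. Solaris prints
# addresses as a.b.c.d.port, so the port is the last dot-separated field
# (IPv4 only, as on the slides).
established_clients() {
    awk -v port="$1" '
        $NF == "ESTABLISHED" {
            n = split($1, l, ".")
            if (l[n] != port) next
            split($2, r, ".")
            c[r[1] "." r[2] "." r[3] "." r[4]]++
        }
        END { for (ip in c) print c[ip], ip }' | LC_ALL=C sort -k2
}

# Connection count for one client IP on local port $1 (0 if none).
client_count() {
    established_clients "$1" | awk -v ip="$2" 'BEGIN { c = 0 } $2 == ip { c = $1 } END { print c }'
}

# Stand-alone demonstration.
echo "lines matching 443: $(printf '%s\n' "$SAMPLE_NETSTAT" | naive_count 443)"
echo "established clients on 443:"
printf '%s\n' "$SAMPLE_NETSTAT" | established_clients 443
```

On the constructed input grep reports 8 lines, while only 4 ESTABLISHED connections to local port 443 exist, from 3 client addresses. On a live host replace the here-string with `netstat -na | established_clients 443`.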
Sample Infrastructure
Port Architecture

[Diagram: App Server 192.168.30.50 with ports 7001 and 28010; port 443; port 28004 getAccess Authorization; getAccess Authentication; LDAP on port 389; Oracle]

Go to any computer with an inbound arrow and netstat should show:
1) a process that is LISTENing on the indicated port
2) a socket in the ESTABLISHED state

Go to any computer with an outbound arrow and netstat should show a socket in the ESTABLISHED state.

Go to the Web Server computer and netstat -na | grep 28004 should show 2 lines representing the client end and the server end of the socket, because both ends are on that computer.
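Added example, not from the slides: the three rules on this slide turned into a script that checks a host's netstat -na output. The Web Server address 192.168.30.40 and the sample netstat excerpt are assumptions made for the example; only the App Server address 192.168.30.50 and the port numbers come from the diagram.

```shell
#!/bin/sh
# Added example (not from the slides): check a host's sockets against the
# port-architecture diagram. Assumptions not on the slides: the Web Server is
# 192.168.30.40, the App Server is 192.168.30.50, and the excerpt below is
# constructed (not captured) to look like "netstat -na" on the Web Server.

WEB_NETSTAT='TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.443                *.*                0      0     0      0 LISTEN
      *.28004              *.*                0      0     0      0 LISTEN
192.168.30.40.443    10.3.22.13.33186      9400      0  9520      0 ESTABLISHED
192.168.30.40.38011  192.168.30.50.7001    9400      0  9520      0 ESTABLISHED
127.0.0.1.38012      127.0.0.1.28004       9400      0  9520      0 ESTABLISHED
127.0.0.1.28004      127.0.0.1.38012       9400      0  9520      0 ESTABLISHED'

# Reduce each TCP line to: local_ip local_port remote_ip remote_port state.
# Solaris writes a.b.c.d.port, so the port is the text after the last dot.
tuples() {
    awk '$NF ~ /^(LISTEN|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT|SYN_RECEIVED|FIN_WAIT_1|FIN_WAIT_2|LAST_ACK|CLOSING|BOUND|IDLE)$/ {
        n = split($1, l, "."); m = split($2, r, ".")
        lip = substr($1, 1, length($1) - length(l[n]) - 1)
        rip = substr($2, 1, length($2) - length(r[m]) - 1)
        print lip, l[n], rip, r[m], $NF
    }'
}

# Inbound arrow, part 1: something must be LISTENing on port $1.
has_listener() {
    tuples | awk -v p="$1" '$2 == p && $5 == "LISTEN" { found = 1 } END { exit !found }'
}

# Outbound arrow: an ESTABLISHED socket to remote $1 port $2.
has_established_to() {
    tuples | awk -v ip="$1" -v p="$2" \
        '$3 == ip && $4 == p && $5 == "ESTABLISHED" { found = 1 } END { exit !found }'
}

# ESTABLISHED lines that involve port $1 on either end. When client and
# server are both on this host, the same connection shows up twice.
established_lines_for_port() {
    tuples | awk -v p="$1" '$5 == "ESTABLISHED" && ($2 == p || $4 == p) { n++ } END { print n + 0 }'
}

# True when netstat shows both the client end and the server end of port $1.
both_ends_local() {
    [ "$(established_lines_for_port "$1")" -eq 2 ]
}

# report INPUT LABEL COMMAND...: run one check over INPUT and print ok/FAIL.
report() {
    input=$1; label=$2; shift 2
    if printf '%s\n' "$input" | "$@"; then
        echo "ok   $label"
    else
        echo "FAIL $label"
        return 1
    fi
}

# The Web Server's arrows from the diagram as a pass/fail report.
# Reads netstat output on stdin; returns 0 only if every check passes.
check_web_server() {
    input=$(cat)
    rc=0
    report "$input" "443 listener (inbound from browsers)"     has_listener 443                      || rc=1
    report "$input" "28004 listener (getAccess Authorization)" has_listener 28004                    || rc=1
    report "$input" "socket to App Server 7001 (outbound)"     has_established_to 192.168.30.50 7001 || rc=1
    report "$input" "28004 shows client end and server end"    both_ends_local 28004                 || rc=1
    return $rc
}

# Stand-alone demonstration.
printf '%s\n' "$WEB_NETSTAT" | check_web_server
```

On a live host run `netstat -na | check_web_server`; a FAIL line names the arrow that is not backed by a socket. The same three functions serve any host in the diagram, only the labels and arguments in the report change.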
Firewall Ruleset

Source   Target   Port   Protocol   Use
Web1     App1     7001   TCP        WebLogic
Web1     App2     7001   TCP        WebLogic
App1     DB1      1521   TCP        SQL
App2     DB1      1521   TCP        SQL

[Diagram: Web Server #1 (443 inbound) -> Firewall -> App Server #1 and App Server #2 on 7001 -> DB Server #1 on 1521]

Test with the ttcp utility. There is no Web1 -> DB1 row, so Web1 can't access DB1 on port 1521. Open questions: Do we want to allow telnet and ftp? We know the port numbers, but what about Source and Target for those? What about DNS (port 53)?
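Added example, not from the slides: the ruleset table above as a default-deny lookup, plus an audit that lists the flows the hosts are actually making that no rule covers, which answers the telnet, ftp and DNS questions with data instead of guesswork. The OBSERVED flows and the host name dns1 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): audit the firewall ruleset against the
# flows the hosts actually make. RULES is the slide's table; OBSERVED is a
# constructed list of "src dst port" flows, the kind you collect by running
# netstat on each host, including the telnet, ftp and DNS traffic the slide
# asks about. The host name dns1 is an assumption for the example.

RULES='Web1 App1 7001 TCP WebLogic
Web1 App2 7001 TCP WebLogic
App1 DB1 1521 TCP SQL
App2 DB1 1521 TCP SQL'

OBSERVED='Web1 App1 7001
Web1 App2 7001
App1 DB1 1521
App2 DB1 1521
Web1 DB1 1521
Web1 App1 23
App1 Web1 21
App1 dns1 53'

# allow|deny for one flow: SRC DST PORT. Anything not listed is denied.
rule_allows() {
    printf '%s\n' "$RULES" | awk -v s="$1" -v d="$2" -v p="$3" \
        '$1 == s && $2 == d && $3 == p { ok = 1 } END { print (ok ? "allow" : "deny") }'
}

# Read "src dst port" flows on stdin; print those the ruleset would block.
# This is the list to review before the firewall goes live: each line is
# either a rule that is missing or traffic that is meant to stop.
uncovered_flows() {
    awk -v rules="$RULES" '
        BEGIN {
            n = split(rules, line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, " ")
                allow[f[1] " " f[2] " " f[3]] = 1
            }
        }
        NF >= 3 && !(($1 " " $2 " " $3) in allow) { print $1, $2, $3 }'
}

# Stand-alone demonstration.
echo "Web1 -> DB1:1521 is $(rule_allows Web1 DB1 1521)"
echo "flows with no matching rule:"
printf '%s\n' "$OBSERVED" | uncovered_flows
```

On the constructed flows the audit reports Web1 -> DB1 on 1521 (correctly blocked), telnet from Web1 to App1, ftp from App1 to Web1, and App1's DNS lookups; the last one is the kind of flow that breaks silently when the firewall is switched on unless a rule is added.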
Load Balancers

A load balancer is a network device (a host) that listens for requests and passes them to 1-to-n servers in an attempt to distribute the workload evenly.

Load Balancer Configuration:
1. Port and IP on which to LISTEN
2. Port and IP of each server across which the load should be balanced
3. Algorithm used to select a server:
   a) Round-robin
   b) Least number of connections
   c) Least CPU utilization
   d) etc.

[Diagram: Client Browser -> Load Balancer -> Web Server #1, Web Server #2, Web Server #3; one address label reads 10.3.22.13 port 8080]

Note for the netstat checks: when the load balancer terminates the browser's connection and opens its own to the web server, netstat on the web server shows the load balancer's address as the remote end, not the browser's.
Miscellany
Socket States

The active end requests the connection, the passive end accepts it. Some states refer to the active end, and some to the passive end.

[Diagram: Process A, the active end, and Process B, the passive end; a third Process C is also drawn]

These are the states and descriptions from the Solaris netstat(1M) man page:

State          Explanation
BOUND          Socket issued bind() call
CLOSED         Socket is closed
CLOSING        Closed; then remote shutdown; awaiting acknowledgment
CLOSE_WAIT     Remote shutdown; waiting for socket to close
ESTABLISHED    Connection has been established
FIN_WAIT_1     Socket closed; shutting down connection
FIN_WAIT_2     Socket closed; waiting for shutdown from remote
IDLE           Idle; opened, but not bound
LAST_ACK       Remote shutdown; then closed; awaiting acknowledgment
LISTEN         Listening for incoming connections
SYN_RECEIVED   Initial synchronization of the connection underway
SYN_SENT       Actively trying to establish connection
TIME_WAIT      Wait after close for remote shutdown retransmission
lsof

The lsof command displays a list (ls) of open files (of). The list shows which process (PID) has the file open. Sockets are files as far as UNIX is concerned, so they show in the list. Helpful when you have lots of instances of the same process all listening on the same port (e.g. ATG Dynamo DRPs or Broadvision IMs): netstat shows the port, lsof shows which PID owns it.

Sample output, abridged to the socket lines. The columns are COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; the cwd and txt lines for /, /usr/local, /usr/bin/sh and the shared libraries, and the jmeter-se 24915 entries, are omitted, and the DEVICE value for the ns-httpd socket was lost:

ns-httpd    2037 nobody  260u  inet ...            0t0    TCP *:80 (LISTEN)
in.telnet   8371 root      0u  inet 0x300008307b0  0t101  TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
in.telnet   8371 root      1u  inet 0x300008307b0  0t101  TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
in.telnet   8371 root      2u  inet 0x300008307b0  0t101  TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
java       24919 root     15u  inet 0x30000830670  0t0    TCP *:33239 (LISTEN)

The three in.telnet lines are one socket, not three: inetd-started daemons receive the accepted connection as file descriptors 0, 1 and 2, which is why the DEVICE value repeats.
Promiscuous Mode

Promiscuous mode (sniffers): listen for any port, any IP address.

[Diagram: Client PC and Web Server on Subnet A; Router; App Server and DB Server on Subnet B]

Socket traffic between the Client PC and the Web Server travels over Subnet A. A sniffer in promiscuous mode on Subnet A can see all socket traffic on Subnet A. Therefore, the sniffer can see everything the Client PC sends to the Web Server and everything the Web Server sends to the Client PC.

Socket traffic between the Web Server and the App Server travels over Subnet B. The sniffer on Subnet A can't see any socket traffic on Subnet B.

Two caveats: this assumes a shared (hub) segment; on a switched subnet the sniffer sees only frames for its own port plus broadcasts unless it is on a mirror port. And if the socket is TLS (port 443), the sniffer still sees the endpoints and the volume but not the content.
Everything Else

Use telnet host port (e.g. telnet www.nervewire.com 80) to establish a socket connection to any host on any port. If you omit the port (i.e. just use telnet host) it will use the well-known telnet port, 23.

Windows has a netstat command. Open a DOS window and try netstat -na. See some LISTENing ports that hackers might attack? Use your browser to open some web sites. Then jump to the DOS window and try netstat -na again. See some ESTABLISHED sockets? See some TIME_WAIT?