
DISCUSSION AND REVISION CLASS

SYAHRIZAL SHAFIE

Company Proprietary and Confidential



PAGE 2

System Administration

The subject matter of systems administration includes computer systems and the ways people use them in an organization.

This entails a knowledge of operating systems and applications, as well as hardware and software troubleshooting, but also knowledge of the purposes for which people in the organization use the computers.



PAGE 3

Definition
A system administrator, or sysadmin, is a person employed to maintain and operate a computer system (and sometimes also a network).

System administrators may be members of an information technology department.



PAGE 4

Duties of a System Administrator

A system administrator's responsibilities might include:
Applying operating system updates, patches, and configuration changes.
Installing and configuring new hardware and software.
Adding, removing, or updating user account information, resetting passwords, etc.
System performance tuning.


PAGE 5

Responsibility for documenting the configuration of the system.
Responsibility for security.
Performing routine audits of systems and software.
Performing backups.
Analyzing system logs and identifying potential issues with computer systems.
Troubleshooting any reported problems.



PAGE 6

Introducing and integrating new technologies into existing data center environments.
Answering technical queries.
Ensuring that the network infrastructure is up and running.



PAGE 7

Troubleshooting and Maintenance

Planned downtime is the time for scheduled maintenance and upgrades during which a system cannot be used for normal productive operations. This time is used for a variety of purposes so that a system can function optimally and reliably:
Hardware maintenance
Upgrades to new releases of application components, database, or operating system
Database reorganization
Database backup


PAGE 8

Unplanned Downtime
Unplanned downtime is the time during which a system cannot be used for normal productive operations due to an unforeseen failure in hardware or software components, or operator mistakes.
Unplanned downtime can be extremely costly to an organization. Sources of unplanned downtime:
Front-end and middleware services for connection to the web.
Underlying hardware and software services, such as the database services, network and operating system services, and hardware services, including servers, disks, memory, and uninterruptible power supply (UPS).


PAGE 9

What is Linux?

A free Unix-type operating system developed under the GNU General Public License.
Open source
Popular
Supports most of the platforms available



PAGE 10

A Short History of UNIX


Multics: AT&T Bell Labs, GE, MIT
1969: UNIX, Ken Thompson, Dennis Ritchie
1973: UNIX rewritten in C
Berkeley UNIX (BSD UNIX)
1983: System V
Commercial products: SunOS, Solaris, HP-UX, AIX, SCO UNIX
Standards: SVID, IEEE POSIX, X/Open XPG4.2



PAGE 11

Unix was a big success, and AT&T collected a lot of licensing fees.
For business this was okay.
For academia it was not:
Only rich universities and schools could afford the licensing fees.
Often a program needs some modification in a research environment, but the program sources were usually not included, so modifications could not be made by the users: the academics and the researchers.



PAGE 12

A Short History of Linux



PAGE 13

He suggested rewriting all proprietary Unix utilities under a license that allows the source code to be exchanged, modified and redistributed freely.
He founded the Free Software Foundation (FSF) for this purpose in 1985.



PAGE 14

Free Software
The Free Software Foundation developed four essential
freedoms:

The freedom to run the program, for any purpose (freedom 0).
The freedom to study how the program works, and change it to
make it do what you wish (freedom 1).
The freedom to redistribute copies so you can help your neighbor
(freedom 2).
The freedom to distribute copies of your modified versions to others
(freedom 3). By doing this you can give the whole community a
chance to benefit from your changes.
Access to the source code is a precondition for freedom 1 and
freedom 3.



PAGE 15

A Short History of Linux



PAGE 16

GNU & Linux

GNU/Linux System: GNU software/libraries running on top of the Linux kernel

Distributions
Red Hat, Debian, Ubuntu, SuSE, Mandrake, Red Flag, Backtrack.

Mobile
Android



PAGE 17

Kernel
The kernel is the central part of most computer operating systems because of its task: the management of the system's resources and the communication between hardware and software components.
The kernel is always stored in memory until the computer is turned off.
The kernel image on disk is not an executable kernel, but a compressed kernel image.


PAGE 18

Example Core Kernel

Diagram, top to bottom:
Applications
System Libraries (libc)
System Call Interface
I/O Related: File Systems, Networking, Device Drivers
Process Related: Scheduler, Memory Management, IPC
Modules
Architecture-Dependent Code
Hardware



PAGE 19

Kernel Architectural Approaches


Monolithic.
Layered.
Modularized.
Micro-kernel.
Virtual machine.



PAGE 20

Monolithic Kernel

The older approach is the monolithic kernel, used by Unix, MS-DOS and the early Mac OS.
It runs every basic system service, like process and memory management, interrupt handling and I/O communication, file system, etc., in kernel space.
The inclusion of all basic services in kernel space has three big drawbacks:
Increased kernel size.
Lack of extensibility.
Poor maintainability.



PAGE 21



PAGE 22

Micro Kernel

The concept was to reduce the kernel to basic process communication and I/O control, and let the other system services reside in user space in the form of normal processes (so-called servers).
That way, the µ-kernel is not a block of system services anymore, but represents just several basic abstractions and primitives to control the communication between the processes and between a process and the underlying



PAGE 23



PAGE 24

In a simple way:
Monolithic Kernel (Macro Kernel): Kernel Image = (Kernel Core + Kernel Services). When the system boots up, all services are loaded and reside in memory. It is a single large process running entirely in a single address space. Example: Linux and Unix.
Micro kernel: Kernel Image = Kernel Core. Services are built into special modules which can be loaded and unloaded as needed. The kernel is broken down into separate processes, known as servers. Some of the servers run in kernel space and some run in user space. All servers are kept separate and run in different address spaces.



PAGE 25

Booting sequence

1. Turn on the computer
2. The CPU jumps to the BIOS entry address (0xFFFF0)
3. The BIOS runs POST (Power-On Self Test)
4. Find bootable devices
5. Load and execute the boot sector from the MBR
6. Load the OS

PAGE 26

BIOS (Basic Input/Output System)


BIOS refers to the software code run by a computer when it is first powered on.
The BIOS is program code embedded on a chip; its primary function is to recognize and control the various devices that make up the computer.

Figures: BIOS on board; BIOS on screen



PAGE 27

MBR (Master Boot Record)

The OS is booted from a hard disk, where the Master Boot Record (MBR) contains the primary boot loader.
The MBR is a 512-byte sector, located in the first sector on the disk (sector 1 of cylinder 0, head 0).
After the MBR is loaded into RAM, the BIOS yields control to it.

PAGE 28

MBR (Master Boot Record)

PAGE 29

MBR (Master Boot Record)

The first 446 bytes are the primary boot loader, which contains both executable code and error message text.
The next sixty-four bytes are the partition table, which contains a record for each of four partitions.
The MBR ends with two bytes that are defined as the magic number (0xAA55). The magic number serves as a validation check of the MBR.
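As an added example (not from the deck), this Python routine parses a constructed 512-byte MBR using the 446 + 64 + 2 layout just described and refuses the sector when the 0xAA55 magic number is wrong, which is the validation the slide refers to. The 16-byte partition-entry layout and the 0x83 partition type are assumptions beyond what the slide states.

```python
"""Parse a 512-byte Master Boot Record using the layout on the slide:
446 bytes of boot code, a 64-byte partition table (four 16-byte entries)
and the two-byte magic number 0xAA55, stored little-endian as 55 AA.
Added example; the MBR below is constructed, not read from a real disk."""
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446
ENTRY_SIZE = 16
ENTRY_COUNT = 4
MAGIC = 0xAA55
# Assumed partition-entry layout (not on the slide):
# status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr():
    """Constructed MBR with one bootable partition of type 0x83 (Linux) and three empty slots."""
    boot_code = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_SIZE - 2)   # 'jmp $' then NOPs
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x83, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * ENTRY_SIZE * (ENTRY_COUNT - 1)
    return boot_code + table + struct.pack("<H", MAGIC)


def parse_mbr(data):
    """Return boot code, used partition entries and signature; raise ValueError if invalid.

    The magic-number test is the validation check the slide mentions: without it
    the BIOS has no business handing control to whatever sits in the first 446 bytes.
    """
    if len(data) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(data)}")
    table_off = BOOT_CODE_SIZE
    sig_off = table_off + ENTRY_SIZE * ENTRY_COUNT          # byte 510
    (signature,) = struct.unpack_from("<H", data, sig_off)
    if signature != MAGIC:
        raise ValueError(f"bad MBR signature 0x{signature:04X}, expected 0x{MAGIC:04X}")
    partitions = []
    for i in range(ENTRY_COUNT):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            ENTRY_FMT, data, table_off + i * ENTRY_SIZE)
        if ptype == 0:
            continue                                          # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": data[:BOOT_CODE_SIZE], "partitions": partitions,
            "signature": signature}


def partition_issues(parsed, disk_sectors):
    """Flag overlapping entries or entries running past the disk end: signs of a
    corrupted or tampered table worth catching before any tool trusts it."""
    issues = []
    parts = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            issues.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            issues.append(f"partition {p['index']} extends past end of disk")
    return issues


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(f"signature 0x{info['signature']:04X}, {len(info['partitions'])} partition(s) in use")
    for p in info["partitions"]:
        print(p)
    print("issues:", partition_issues(info, disk_sectors=1_000_000))
```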

PAGE 30

Boot Loader

The boot loader could be more aptly called the kernel loader.
The task at this stage is to load the Linux kernel and, optionally, an initial RAM disk.
GRUB and LILO are the most popular Linux boot loaders; GRUB is the default for Linux.

PAGE 31

Runlevel

A runlevel is a software configuration of the system which allows only a selected group of processes to exist.
The processes spawned by init for each of these runlevels are defined in the /etc/inittab file.
Init can be in one of eight runlevels: 0-6

PAGE 32

Runlevel

Runlevel table; surviving entry: Reserved for local use. Also X-windows

PAGE 33

Changing Permissions



PAGE 34

Changing Permissions



PAGE 35

Default File Permissions


The default permissions for newly created files and directories are:
File: -rw-rw-r-- 644
Directory: drwxrwxr-x 775
Why?
umask: an octal number which contains the bits that are NOT set as permission bits.
Default 002 for normal user, 022 for root.
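The following added Python example (not from the deck) computes the default modes from the umask for 002, 022 and a stricter 077, and converts between octal modes and ls -l permission strings so each symbolic string can be checked against its octal value. The base modes 666 for files and 777 for directories are assumptions the slide does not state.

```python
"""Derive the default permissions on the slide from the umask. The kernel starts
from a base mode (assumed here: 666 for files, since x is never granted to a new
file, and 777 for directories) and clears every bit that is set in the umask.
Added example, not from the deck."""

FILE_BASE = 0o666
DIR_BASE = 0o777


def apply_umask(base, umask):
    """mode = base & ~umask, kept to the nine rwx bits."""
    return base & ~umask & 0o777


def mode_to_symbolic(mode, is_dir=False):
    """Render an octal mode as the ls -l string, e.g. 0o664 -> '-rw-rw-r--'."""
    out = "d" if is_dir else "-"
    for shift in (6, 3, 0):                      # owner, group, others
        triplet = (mode >> shift) & 0o7
        out += "r" if triplet & 4 else "-"
        out += "w" if triplet & 2 else "-"
        out += "x" if triplet & 1 else "-"
    return out


def symbolic_to_mode(symbolic):
    """Inverse of mode_to_symbolic for rwx strings, with or without the type character.
    Any character other than '-' counts as a set bit (so 's' and 't' are read as 'x')."""
    body = symbolic[1:] if len(symbolic) == 10 else symbolic
    if len(body) != 9:
        raise ValueError(f"expected 9 permission characters, got {symbolic!r}")
    mode = 0
    for ch in body:
        mode = (mode << 1) | (0 if ch == "-" else 1)
    return mode


def default_modes(umask):
    """Default file and directory modes for a umask, as (octal, symbolic) pairs."""
    f = apply_umask(FILE_BASE, umask)
    d = apply_umask(DIR_BASE, umask)
    return {"file": (f, mode_to_symbolic(f)),
            "directory": (d, mode_to_symbolic(d, is_dir=True))}


def group_or_world_writable(mode):
    """True if group or others may write: the bit to check when auditing shared paths."""
    return bool(mode & 0o022)


if __name__ == "__main__":
    for umask in (0o002, 0o022, 0o077):       # normal user, root, and a hardened value
        modes = default_modes(umask)
        print(f"umask {umask:03o}: file {modes['file'][0]:o} {modes['file'][1]}, "
              f"directory {modes['directory'][0]:o} {modes['directory'][1]}")
```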



PAGE 36

File/Directory Commands

Files:
cp    Copy
mv    Move/Rename
rm    Remove
cat   View all
more  View page
less  View page

Directories:
ls        List contents
mv        Move/Rename
cd        Change Dir
pwd       Current Dir
mkdir     Create
rm/rmdir  Remove



PAGE 37

Other Directory Commands

ls [-la] [file/dir list]
Lists files in a directory
mkdir dir1
Creates directory dir1
cd dir1
Makes dir1 the current directory
pwd
Displays the current directory path



PAGE 38

Linux File System Hierarchy

/ (root)
  bin  sbin  home  etc  boot  root  usr  var  dev  lib
home/: scott  alice  bob
usr/:  bin  sbin  local  lib
var/:  tmp
a user's home directory: n321  mail  public_html
usr/local/: bin  man  lib  share  src



PAGE 39

File System Layout



PAGE 40

Key Configuration File

The key file used in user account setup and configuration is the /etc/passwd file.

This file is a simple ASCII text file.



PAGE 41

/etc/passwd File
Upon a successful installation, the contents of the
/etc/passwd file resemble the following:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/var/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
apache:x:48:48:Apache:/var/www:/bin/false
named:x:25:25:Named:/var/named:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
mailnull:x:47:47::/var/spool/mqueue:/dev/null
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/bin/false
pvm:x:24:24::/usr/share/pvm3:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null

PAGE 42

The /etc/passwd file

root:*:0:3:The Big Guy,143 MSB:/:/bin/sh
daemon:*:1:5::/:/bin/sh
farrell:*:100:15:Paul Farrell:/users/research/farrell/:/bin/csh
stacke:*:101:15:Olaf P. Stackelberg:/users/fac/stack:/bin/csh
pwang:*:102:15:Paul S. Wang:/users/research/wang:/usr/local/bin/tcsh
abaqus57:x:53:13:License Manager:/var/log/abaqus57:/usr/bin/csh
matlab:x:54:13:Matlab License Manager:/usr/local/matlab5:/usr/bin/csh
catadm:x:55:13::/usr/local/abaqus:/bin/csh

login_name:password:user_id:group_id:user info:home:shell

Note
Each entry in /etc/passwd must be on one line.
Each field within each user's entry is separated from the next by a colon.


PAGE 43

/etc/shadow File
The /etc/shadow password file looks similar to the following:
root:$1$d5.gDvSX$nyQhvBgUGbw0GcNTxAdKR1:11507:0:99999:7:::

bin:*:11458:0:99999:7:::
daemon:*:11458:0:99999:7:::
adm:*:11458:0:99999:7:::
lp:*:11458:0:99999:7:::
sync:*:11458:0:99999:7:::
shutdown:*:11458:0:99999:7:::
halt:*:11458:0:99999:7:::
mail:*:11458:0:99999:7:::



PAGE 44

Secure Password Files

Modern UNIX systems like Linux and Solaris place the passwords in a secure file (commonly called a shadow password file) or files elsewhere.
The format and location differ between systems, as does the entry in the password field of the normal password file.
The /etc/shadow file:
Its access permissions are much more restricted; it can be viewed only by root.
It also provides password aging, such as password expiration.



PAGE 45

root:$1$d5X$nyQBgUGbw0GcNTxAdKR1:11507:0:99999:7:::

Much like the /etc/passwd file, the /etc/shadow file consists of single-line entries with colon-delimited fields.

username:password:lastchg:min:max:warn:inactive:expire:flag

username: The user's login name (UID).
password: An encrypted password for the user, a lock string to indicate that the login is not accessible, or no string, which shows that there is no password for the login.
lastchg: The number of days between 1/1/70 and the date that the password was last modified.
min: The minimum number of days required between password changes.
max: The maximum number of days the password is valid.
warn: The number of days before the password expires that the user is warned.
inactive: The number of days after the password expires until the account is permanently disabled. (-1 disables the feature)
expire: A date, YYYY-MM-DD, specifying when the user will be disabled. (-1 disables)
flag: Reserved for future use.
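Added Python example, not from the deck, that parses /etc/passwd and /etc/shadow entries by the field layouts given on the /etc/passwd and /etc/shadow slides and applies the aging fields above to classify each password, then runs the account checks a sysadmin would want (extra UID 0 accounts, empty passwords on login shells, expired passwords). The first sample lines are copied from the slides; the alice and backup entries, the fixed 'today' value and the set of non-login shells are constructed assumptions.

```python
"""Parse /etc/passwd and /etc/shadow entries with the field layouts given on the
slides and run the account-hygiene checks a sysadmin would want. Added example,
not from the deck: the first sample lines are copied from the slides, the alice and
backup entries and the fixed 'today' value are constructed, and the set of
non-login shells is an assumption."""
from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "login password uid gid info home shell")
ShadowEntry = namedtuple("ShadowEntry", "username password lastchg min max warn inactive expire flag")

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
alice:x:1001:1001:Alice (constructed):/home/alice:/bin/bash
backup:x:0:0:backup (constructed):/var/backups:/bin/sh
"""
SHADOW_SAMPLE = """\
root:$1$d5.gDvSX$nyQhvBgUGbw0GcNTxAdKR1:11507:0:99999:7:::
apache:*:11458:0:99999:7:::
squid:*:11458:0:99999:7:::
alice:$1$constructed$notarealhash:11400:0:90:7:30::
backup::11458:0:99999:7:::
"""
TODAY = 11520   # constructed: days since 1/1/70, shortly after the slides' lastchg values
NON_LOGIN_SHELLS = {"", "/bin/false", "/dev/null", "/sbin/nologin", "/usr/sbin/nologin"}


def _parse(text, entry_type, int_fields):
    """Split single-line, colon-delimited entries; numeric fields become int, or None when empty."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(entry_type._fields):
            raise ValueError(f"line {lineno}: expected {len(entry_type._fields)} fields, got {len(fields)}")
        values = [(int(v) if v else None) if i in int_fields else v for i, v in enumerate(fields)]
        entries[values[0]] = entry_type(*values)
    return entries


def parse_passwd(text):
    """login_name:password:user_id:group_id:user info:home:shell"""
    return _parse(text, PasswdEntry, int_fields={2, 3})


def parse_shadow(text):
    """username:password:lastchg:min:max:warn:inactive:expire:flag"""
    return _parse(text, ShadowEntry, int_fields={2, 3, 4, 5, 6})


def password_state(s, today=TODAY):
    """Classify a shadow entry with the aging rules described on the slide."""
    if s.password.startswith(("*", "!")):
        return "locked"                 # lock string: login not reachable with a password
    if s.password == "":
        return "no password"
    if s.lastchg is not None and s.max is not None and s.max < 99999:
        age = today - s.lastchg
        if age > s.max:
            # 'inactive' days run after expiry; afterwards the account is permanently disabled
            if s.inactive is not None and age > s.max + s.inactive:
                return "disabled"
            return "expired"
        if s.warn is not None and age >= s.max - s.warn:
            return "expiring soon"
    return "valid"


def audit(passwd, shadow, today=TODAY):
    """Return (login, finding) pairs for conditions worth a sysadmin's attention."""
    findings = []
    for login, p in passwd.items():
        if p.uid == 0 and login != "root":
            findings.append((login, "UID 0 account other than root"))
        if p.password not in ("x", ""):
            findings.append((login, "password hash kept in world-readable /etc/passwd"))
        s = shadow.get(login)
        if s is None:
            findings.append((login, "no matching /etc/shadow entry"))
            continue
        state = password_state(s, today)
        if state == "no password" and p.shell not in NON_LOGIN_SHELLS:
            findings.append((login, "empty password on an account with a login shell"))
        elif state in ("expired", "expiring soon", "disabled"):
            findings.append((login, f"password {state}"))
    return findings
```

Running audit(parse_passwd(PASSWD_SAMPLE), parse_shadow(SHADOW_SAMPLE)) reports alice's expired password and both problems with the constructed backup account, while the slide's locked service accounts produce no finding.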



PAGE 46

Adding Users

User accounts can be added by directly editing the /etc/passwd file or by using a utility such as useradd, available in all Linux distributions.

Default characteristics for each user account are defined by the settings in the /etc/login.defs file, as follows.



PAGE 47

Shutting Down Linux

Turning off a Linux computer without shutting it down in an orderly way can cause data loss.

Journaling file system
Tracks each disk operation to ensure it is either completed or not done at all
The journal permits the operating system to back out of a disk operation if it was not completed successfully

PAGE 48

Shutting Down Linux


Journaling file system
Means file systems are unlikely to ever be corrupted
by power loss

Graceful shutdown
Orderly or methodical shutdown of Linux
All Linux services are stopped
All data is written to disk
Kernel changes to run level 0 or 6

PAGE 49

Shutting Down Linux


Shut down Linux gracefully
Use the reboot command
Use the halt command
Use the shutdown command
Press Ctrl+Alt+Del
Enter the command telinit 0 to halt the system
Enter the command telinit 6 to restart the system

PAGE 50

Shutting Down Linux

Graphical desktop
Use log out item on main menu of GNOME or
KDE
On servers or multiuser Linux systems
Only system administrator should be allowed
to shut down system

The Complete Guide to Linux System Administration
PAGE 51

Relative and Absolute Path


Commands expect you to give them a path to a file. Most commands will let you provide a file with a relative path, that is, a path relative to your working directory.
../directory - the .. refers to looking at our parent directory first
./executable - . says this directory, or our working directory
. Current Directory
.. Parent Directory
~ Home Directory
Example: ~/.. = /home
Absolute, or full, paths are complete. An easy way to know if a path is absolute: does it begin with the / character?
/home/user/directory/executable - a full path to the file executable
/usr/local/bin (Linux)
c:\windows\system32 (Windows)



PAGE 52

ISO/OSI Reference Model

Application: Protocols for different applications, HTTP, SMTP, FTP, etc.
Presentation: Regulating data presentation (formatting, ASN.1)
Session: Handling structured message exchange, multiplexing sessions
Transport: End-to-end functions between applications. Flow control, packet ordering, etc.
Network: Connecting networks. Packet routing/forwarding
Data link: Moving data between two directly connected stations. Flow control, error detection, etc. Shared medium: access control (LLC/MAC)
Physical: Media types, coding methods, bit sequences vs. physical signals



PAGE 53

ISO vs. The Internet

ISO/OSI reference model      Internet reference model
7  Application
6  Presentation              Application (HTTP, SMTP, SSH)
5  Session
4  Transport                 Transport (TCP/UDP)
3  Network                   Internet (IPv4/v6)
2  Data link                 Data link (802.x, PPP, SLIP)
1  Physical



PAGE 54

Classful and Classless IP Addressing



PAGE 55

Classful and Classless IP Addressing

The IPv4 Classful Addressing Structure (RFC 790)
An IP address has 2 parts:
The network portion, found on the left side of an IP address
The host portion, found on the right side of an IP address



PAGE 56

Classful and Classless IP Addressing



PAGE 57

Network Configuration

Display details of all interfaces, including disabled interfaces
$ ifconfig -a
Disable an interface
$ ifconfig eth0 down
Enable an interface
$ ifconfig eth0 up
Assign 192.168.2.2 as the IP address for the interface eth0
$ ifconfig eth0 192.168.2.2
Change the subnet mask of the interface wlan0
$ ifconfig wlan0 netmask 255.255.255.0
Assign IP address and netmask at the same time to interface eth0
$ ifconfig eth0 192.168.2.2 netmask 255.255.255.0



PAGE 58

Security: Defense in Depth

Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls

PAGE 59

Attacking the Network

What ways do you see of getting in?

Network diagram: The Internet, Border Router/Firewall, De-Militarized Zone, Commercial Network, WLAN, Private Network.



PAGE 60

Firewall Design Principles

The firewall is inserted between the private network and the Internet.
Aims:
Establish a controlled link
Protect the local network from Internet-based attacks
Provide a single choke point



PAGE 61

Firewall Characteristics

Design goals for a firewall:
All traffic (in or out) must pass through the firewall
Only authorized traffic will be allowed to pass
The firewall itself is immune to penetration



PAGE 62

Firewall Characteristics

Four general techniques:

Service control
The type of Internet services that can be accessed
Direction control
Inbound or outbound
User control
Which user is attempting to access the service
Behavior control
e.g., Filter email to eliminate spam



PAGE 63

Components of Firewalls

Three common components of Firewalls:

Packet-filtering routers
Application-level gateways
Circuit-level gateways
(Bastion host)



PAGE 64

Components of Firewalls (I)

Packet-filtering Router



PAGE 65

Packet-filtering Router
Applies a set of rules to each incoming IP packet and then forwards or discards the packet
Filters packets going in both directions
The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
Two default policies (discard or forward)



PAGE 66

Filters

Figure: the filter lets "the good" through and stops "the bad & the ugly".

Route Filter: Verifies source and destination IP addresses.
Packet Filter: Scans the headers of packets and discards those that fail the ruleset (e.g., firewall or router).
Content Filter: Scans the contents of packets and discards those that fail the ruleset (e.g., Intrusion Prevention System or firewall).


PAGE 67

Packet Filter Firewall

Figure: sample traffic arriving at the packet filter: Web Request, Web Response, Email Connect Request, Email Response, SSH Connect Request, DNS Request, Ping Request, FTP Request, Telnet Request, Microsoft NetBIOS Name Service, Illegal Source IP Address, Illegal Dest IP Address.



PAGE 68

TCP/I P header


PAGE 69

Packet-filtering Router

Advantages:
Simplicity
Transparency to users
High speed

Disadvantages:
Difficulty of setting up packet filter rules
Lack of Authentication



PAGE 70

Packet-filtering Router

Open-source under UNIX:
IP firewall
IPFilter
IPchains



PAGE 71

Components of Firewalls (II)

Application-level Gateway



PAGE 72

Application-level Gateway
Also called proxy server
Acts as a relay of application-level traffic



PAGE 73

Application-level Gateway

Advantages:
Higher security than packet filters
Only need to check a few allowable applications
Easy to log and audit all incoming traffic

Disadvantages:
Additional processing overhead on each connection
(gateway as splice point)



PAGE 74

Application-level Gateway

Open-source under UNIX:
squid (WWW)
delegate (general purpose)
osrtspproxy (RTSP)
smtpproxy (SMTP)



PAGE 75

Components of Firewalls (III)

Circuit-level Gateway



PAGE 76

Circuit-level Gateway
Similar to Application-level Gateway
However
it typically relays TCP segments from one connection
to the other without examining the contents
Determines only which connections will be allowed
Typical usage is a situation in which the system
administrator trusts the internal users



PAGE 77

In other words

Korean customs analogy:
A circuit-level gateway only checks your nationality.
An application-level gateway checks your baggage content in addition to your nationality.



PAGE 78

Components of Firewalls (III)

Open-source under UNIX:
SOCKS
dante



PAGE 79

Components of Firewalls (II) & (III)

Bastion Host serves as:
application-level gateway
circuit-level gateway
both



PAGE 80

Bastion Host
Computer fortified against attackers
Applications turned off
Operating system patched
Security configuration tightened



PAGE 81

Multi-Homed Firewall: Separate Zones

Diagram: Internet; Screening Router; IDS; Screened Host Firewall with Proxy Interface; Demilitarized Zone (External DNS, VPN, Web Server, E-Commerce Server); Protected Internal Network Zone (IDS, Database/File Servers).

The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.


PAGE 82

Firewall Policies

A firewall policy dictates how firewalls should handle network traffic for specific IP addresses and address ranges, protocols, applications, and content types (e.g., active content) based on the organization's information security policies.
Generally, firewalls should block all inbound and outbound traffic that has not been expressly permitted by the firewall policy, i.e., traffic that is not needed by the organization. This is known as deny by default.
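Added Python example (not from the deck) that implements the packet-filtering router of the Packet-filtering Router and Packet Filter Firewall slides together with the deny-by-default policy described here: an ordered rule list matched on IP/TCP header fields for traffic in both directions, a check for the illegal source addresses shown on the firewall slide, and discard as the default action when nothing matches. The 192.168.2.0/24 private network, the rules and the packets are constructed.

```python
"""Packet filter in the style of the packet-filtering router on the slides: an
ordered rule list matched against IP/TCP header fields in both directions, with
the deny-by-default policy of the Firewall Policies slide when no rule matches.
Added example, not from the deck; network, rules and packets are constructed."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.2.0/24")   # assumed private network
INSIDE = str(INTERNAL_NET)
DEFAULT_POLICY = "discard"                              # deny by default


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from the private network)
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    syn: bool = False   # SYN without ACK opens a TCP connection;
    ack: bool = False   # ACK set marks a segment of an established one


@dataclass(frozen=True)
class Rule:
    action: str                         # "forward" or "discard"
    direction: str = "any"
    proto: str = "any"
    src: str = "any"                    # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None         # None = any destination port
    tcp_state: Optional[str] = None     # "new", "established" or None = any
    comment: str = ""

    def matches(self, pkt):
        if self.direction not in ("any", pkt.direction) or self.proto not in ("any", pkt.proto):
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.tcp_state == "new" and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
            return False
        if self.tcp_state == "established" and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def spoofed(pkt):
    """Illegal source addresses: inbound traffic must not claim an internal source
    and outbound traffic must originate inside."""
    src_inside = ipaddress.ip_address(pkt.src) in INTERNAL_NET
    return src_inside if pkt.direction == "in" else not src_inside


RULES = [   # first match wins
    Rule("discard", proto="tcp", dport=23, comment="Telnet request: cleartext login, blocked both ways"),
    Rule("discard", direction="in", proto="udp", dport=137, comment="Microsoft NetBIOS Name Service"),
    Rule("discard", direction="in", proto="icmp", comment="ping request from the Internet"),
    Rule("forward", direction="in", proto="tcp", dst=INSIDE, dport=80, tcp_state="new", comment="web request to our server"),
    Rule("forward", direction="in", proto="tcp", dst=INSIDE, dport=25, tcp_state="new", comment="email connect request"),
    Rule("forward", direction="in", proto="tcp", dst=INSIDE, tcp_state="established", comment="web/email responses to inside"),
    Rule("forward", direction="out", proto="tcp", src=INSIDE, comment="connections and replies from inside"),
    Rule("forward", direction="out", proto="udp", src=INSIDE, dport=53, comment="DNS request"),
]


def decide(pkt, rules=RULES, default=DEFAULT_POLICY):
    """Spoof check first, then the first matching rule, then the default policy."""
    if spoofed(pkt):
        return "discard", "illegal source IP address"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return default, "no rule matched: deny by default"


if __name__ == "__main__":
    samples = [   # constructed packets
        Packet("in", "tcp", "203.0.113.5", "192.168.2.10", dport=80, syn=True),
        Packet("in", "tcp", "203.0.113.5", "192.168.2.10", dport=22, syn=True),
        Packet("in", "tcp", "192.168.2.77", "192.168.2.10", dport=80, syn=True),
    ]
    for p in samples:
        print(f"{p.direction:3} {p.proto:4} {p.src} -> {p.dst}:{p.dport} => {decide(p)}")
```

The SSH connect request in the samples is discarded only because no rule mentions it, which is the deny-by-default behaviour; the spoofed packet is dropped before any rule is consulted.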



PAGE 83



PAGE 84

Writing Rules

Diagram (rule-writing cycle): Policies, Network Filter Capabilities, Write Rules, Audit Failures, Corrections, Protected Network.



PAGE 85

Services and Servers Workbook

Service    Sensitivity   Roles                                                     Server
Grades     Confidential  For Graduates: Transcripts                                StudentScholastic
                         For Current Students: Advising, Students, Faculty
Billing    Confidential  For Current Students: Registration, Accounting, Advising  StudentBilling
                         Payment: Students
Web Pages  Public        Students, Employees, Public                               Web services

This shows 3 services provided by a university, as well as the sensitivity and roles that normally access this information. We would not want to put the public web pages in the same network zone with Grades, for example.
PAGE 86

Protecting the Network

Diagram: The Internet; Border Router: Packet Filter; De-Militarized Zone with Bastion Hosts; Proxy server firewall; WLAN; Private Network.



PAGE 87

THANK YOU FOR YOUR TIME..
ALL THE BEST IN YOUR EXAMINATION
UNTIL SEE YOU THEN..

