VCE IT Theory Slideshows - PowerPoint PPT Presentation

Description:

VCE IT Theory Slideshows Web servers and related hardware and software By Mark Kelly mark_at_vceit.com Vceit.com Contents Operating systems Web server software Protocols ... – PowerPoint PPT presentation

Slides: 31
Provided by: kel154
1
VCE IT Theory Slideshows
Web servers and related hardware and software
  • By Mark Kelly
  • mark_at_vceit.com
  • Vceit.com

2
Contents
  • Operating systems
  • Web server software
  • Protocols
  • Security
  • Proxy servers

3
Operating systems
  • Choices
  • Windows
  • Linux, Unix, FreeBSD

4
Windows OS
  • Smoothly integrates with MS apps like Access, MS
    SQL, Frontpage
  • Less stable under heavy web traffic
  • Can be more vulnerable to viruses, hackers
  • Good if you run ASP

5
*nix
  • Stable, even under heavy web traffic load
  • Can run Frontpage extensions if you use Frontpage
    to develop the site
  • Cheaper than Windows
  • Preferred if using PHP and MySQL

6
Web server software
  • Handles the processing of HTTP protocol web page
    requests
  • Delivers web pages to visitors
  • Hosts application software e.g. wiki, blog,
    forum, CMS, databases.

7
Web server software
  • Choices
  • Apache - the most popular. Free. Open source.
    Runs under Windows, Mac OS X or *nix.
  • Microsoft IIS (only runs under Windows)
  • Dozens of other small and large, free and
    proprietary packages

8
From Wikipedia

Vendor      Product   Web Sites Hosted   Percent
Apache      Apache    148,085,963        59.36
Microsoft   IIS       56,637,980         22.70

9
Not just for websites
  • Can even be embedded in devices e.g. routers,
    printers, NAS devices to act as control panels
  • E.g. to control your home router, do you go to
    10.1.1.1 or 192.168.1.1?
  • If so, the device has a little web server
    embedded in it!
  • No software except a browser needed on client PCs
    to administer the device.

11
Web server functionality
  • Decode requests for webpages
  • Map a URL (uniform resource locator) to either
      • a static HTML file in the local file system
      • software to handle the request for dynamic
        content (e.g. PHP, ASP, SSI, CGI)
  • E.g. http://www.example.com/path/file.html is
    mapped to //server2//home/www/path/file.html
  • Deliver webpages to clients

12
Functionality
  • Virtual hosting - many websites can be served
    from a single server with a single IP address
  • Bandwidth control - to limit upload speeds to
    prevent clients hogging bandwidth, and share
    bandwidth with many clients
  • Server-side scripting - to generate dynamic
    websites without interfering with the web server
    software
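
The URL-to-file mapping from slide 11 combined with the virtual hosting from slide 12, as an added example that is not part of the original slides: the host name selects a document root, the path is decoded and normalised, and anything that resolves outside the document root is refused. The host names, document roots and handler table are assumptions made for the example.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumed virtual-host table: host name -> document root (hypothetical paths).
VHOSTS = {
    "www.example.com": "/home/www",
    "blog.example.com": "/home/blog",
}
# Assumed mapping of file extensions to dynamic-content handlers.
HANDLERS = {".php": "PHP", ".asp": "ASP", ".shtml": "SSI", ".cgi": "CGI"}


def map_request(url):
    """Return (kind, filesystem_path). kind is 'static', a handler name,
    or 'reject' (filesystem_path is then None)."""
    parts = urlsplit(url)
    docroot = VHOSTS.get(parts.hostname or "")   # hostname is already lower-cased
    if docroot is None:
        return ("reject", None)                  # unknown virtual host
    path = unquote(parts.path) or "/"            # decode %xx escapes exactly once
    if "\x00" in path or "\\" in path:
        return ("reject", None)                  # NUL bytes and backslashes refused
    if path.endswith("/"):
        path += "index.html"                     # directory -> default document
    # Join, normalise, then verify the result is still under the document root.
    full = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        return ("reject", None)                  # "../" climbed out of docroot
    ext = posixpath.splitext(full)[1].lower()
    return (HANDLERS.get(ext, "static"), full)


if __name__ == "__main__":
    # Constructed sample requests.
    for u in ("http://www.example.com/path/file.html",
              "http://blog.example.com/index.php?id=3",
              "http://www.example.com/%2e%2e/%2e%2e/etc/passwd",
              "http://unknown.example.net/"):
        print(u, "->", map_request(u))
```

The containment check is purely lexical; symbolic links inside a document root are outside what it covers.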

14
Web Server Protocols
  • TCP/IP, of course - to get files between browsers
    and the web server
  • Web servers must run HTTP
  • File transfer - FTP to upload pages to the web
    server

15
Web Server Protocols
  • May also need mail - SMTP (Simple Mail Transfer
    Protocol) to send/receive mail.
  • Client mail apps use SMTP to send mail, and POP
    or IMAP to download mail from a server.
  • SSL (Secure Socket Layer) or the newer TLS
    (Transport Layer Security) to encrypt outgoing
    web traffic and decrypt incoming data.

16
Other Web Server Protocols
  • telnet protocol - to remotely control a server
  • NNTP - to send Usenet news posts
  • RIP - a dynamic routing protocol
  • NTP - network time protocol, to synchronise
    clocks of computers and servers
  • RTP - Real-time Transport Protocol, delivers
    audio and video, and is the foundation for VoIP

17
Web Server Security
  • Protecting yourself - The moment you install a Web
    server at your site, you've opened a window into
    your local network that the entire Internet can
    peer through.
  • Protecting the site - Unauthorised access can lead
    to damaged or stolen data

18
Create a written Security Policy
  • Lays down your organisation's policies about
      • who is allowed to use the system
      • when they are allowed to use it
      • what they are allowed to do (different groups may
        be granted different levels of access)
      • procedures for granting access to the system
      • procedures for revoking access (e.g. when an
        employee leaves)
      • what is acceptable use of the system
      • remote and local login methods
      • system monitoring procedures
      • protocols for responding to suspected security
        breaches

19
Benefits of a security policy
  • You will understand what is and is not permitted
    on the system. If you don't have a clear picture
    of what is permitted, you can never be sure when
    a violation has occurred.
  • Others in your organisation will understand what
    is allowed. People can't claim ignorance of the
    rules when they misbehave.
  • A written policy raises the level of security
    consciousness.
  • The security policy serves as a requirements
    document to guide later equipment purchases, rule
    changes etc. (Thanks to w3.org)

20
Web server security
  • Put the server in a secure location (e.g. data
    centre)
  • Environmental control, flood and fire prevention
  • Uninterruptible power supply, including backup
    generators
  • Backup servers and redundant data feeds
  • Effective firewall
  • Secured operating system, with patches up to date

21
Security
  • Don't do application testing on working servers -
    bad software can make systems vulnerable to
    attack or crashing.
  • Monitor and audit the server regularly, looking
    for suspicious activity in the logs.
  • Disable idle accounts

22
Web server security
  • Disable unnecessary services e.g. remote access.
  • Secure remote access with encryption and strong
    passwords, limit user privileges, use single-use
    sign-ons.
  • Tight control over administrator passwords and
    permissions
  • Disable unnecessary anonymous access (e.g. FTP
    without needing a login)

23
Web server security
  • Don't store sensitive corporate or financial data
    on web servers.

24
Proxy servers
  • A proxy server is hardware or software that sits
    between a web server and its users
  • E.g. at an ISP, in large LANs
  • Stores recent downloads
  • Filters new download requests
  • If a user requests content that's stored in the
    proxy, a caching proxy delivers a copy from its
    store

25
Proxy advantages
  • Faster access to resources - the original data
    does not have to be downloaded again from the
    source.
  • Cheaper on bandwidth.
  • Gives control over local internet usage

26
Proxy power
  • Proxy servers can also be used to
      • Keep machines behind it anonymous (for
        security).
      • Block undesired sites
      • Filter out undesired content.
      • To log / audit usage, i.e. record who downloads
        what via user authentication and access logs.
      • Rewrite requests (e.g. if the named server is
        overloaded it can use an idle server instead)

27
Proxy power
  • To bypass security/ parental controls using an
    open proxy.
  • To scan content for malware before delivery.
  • To scan outbound content, e.g. to detect and
    prevent the leaking of sensitive data.
  • To circumvent regional restrictions.

28
Proxy Problems
  • Since all data flow goes through a proxy,
    operators can eavesdrop on the data-flow between
    client machines and the web including passwords
    and account numbers.
  • It is vital that passwords to online services (e.g.
    webmail and banking) are always exchanged
    using SSL or TLS.

29
Resources
  • wikipedia.org/wiki/Web_server
  • w3.org
  • www.ibm.com/developerworks/linux/library/s-wssec.html
  • www.acunetix.com/websitesecurity/webserver-security.htm

30
VCE IT THEORY SLIDESHOWS
  • By Mark Kelly
  • mark_at_vceit.com
  • vceit.com

These slideshows may be freely used, modified or
distributed by teachers and students anywhere on
the planet (but not elsewhere). They may NOT be
sold. They must NOT be redistributed if you
modify them.