This presentation provides an overview of the functions and design of the telecommunication and data handling system at Network Management Centres (NMCs). Topics covered include connecting to neighboring centres, providing data to local offices, and the use of PC-based systems.
Telecommunication and data handling system at NMCs
Doc. 3.3 (1), presentation version
GTS Seminar 2002 (Thailand, 23 to 27 September 2002)
Submitted by Atsushi Sugano (Japan)

Contents
1. Overview of functions at NMCs
1.1 Connect to neighbouring centre
1.2 Provide data to local offices
2. PC-based system at NMCs
2.1 FTP service
2.2 Security setting
2.3 Tools
3. Design of operation
3.1 Design of host switching
3.2 Design of trigger which processes received data
3.3 Introduction of RSMC server
1. Overview of functions at NMCs
(Figure: GTS network - specific-protocol router - NAT router/firewall - DMZ with FTP server - office; a second router to the Internet.)
Requirements for the NMC system:
** Exchange data within a fixed time.
** Keep the system in operation 24 hours a day.
** Repair the system quickly.
** Make the system easy to extend.
** Connect the system to a TCP/IP network.
(Figure: Networks A, B and C joined by routers; Network C is also connected to the Internet.)
** Internet users can reach only Network C.
** Routers rarely break, so even if Network B has trouble, Network A keeps working with the other networks.
(Figure: NAT between the office side (internal addresses) and the Internet side (global address).)
** Firewall: used to guard the systems from hackers.
** DMZ (De-Militarized Zone): the segment that users coming from the Internet are allowed to reach.
** NAT (Network Address Translation): automatically rewrites internal IP addresses to a global address, so it saves global addresses. A service that must be reachable from outside needs a fixed address and port mapping.
(Figure: Unix server running JOB-1 to JOB-5; Unix PC, Windows PC and terminals as clients.)
** Jobs run automatically on the server according to a time schedule.
** Any user can access the database.
Linux server
** Runs nonstop for months.
** Many distributions are available.
** Much information is available on the Internet and in books.
** OS patches are updated free of charge.
** Runs on anything from a cheap PC to an expensive UNIX machine.
** Many kinds of open source software exist for Internet, office and Unix use.
** Anyone can do the maintenance.
Open source software
(Figure label: Microsoft Access)
** FTP server: ProFTPD, wu-ftpd, NcFTP...
** Web server: Apache
** Office work: OpenOffice, Samba
** Development: C, COBOL, Perl, Java...
** Database: PostgreSQL
** Security: many packages
1.1 Connect to neighbouring centre
(Figure: Tokyo connected to New Delhi and Bangkok; the MSS detects a broken line immediately.)
** Currently the Tokyo Message Switching System (MSS) uses socket communication over TCP/IP for its connections with neighbouring centres.
** A socket carries messages as a sequential data stream, like a teletype line.
** On a server it is easy for a program to read a socket data stream.
** A socket is convenient for controlling the traffic on each line.
Example of a socket system
(Figure: two GTS hosts, each with one socket per data type: AN on port X, BI on port Y, FX on port Z; each port is passive open on one side and active open on the other.)
** Each side fixes the port numbers for passive open and the IP address of the other host.
** One socket is used for each type of data.
** A passive open port is always waiting for a connection request from the other side.
** The data sender connects to the receiver's passive open port by active open.
** The active open host transmits data to the passive open host.
Message format for socket communication
Socket header (10 octets): 8-digit message length, 2-letter message type (AN = alphanumeric, BI = binary, FX = fax), followed by the message from SOH to ETX.
Hex dump (16 octets per row, ASCII on the right; "." marks a control character):
30 30 30 30 30 33 31 38 41 4E 01 0D 0D 0A 30 30   00000318AN....00
30 32 33 0D 0D 0A 55 53 55 53 30 31 20 4B 57 42   023...USUS01 KWB
43 20 30 38 30 30 30 30 20 52 52 42 0D 0D 0A 54   C 080000 RRB...T
41 41 20 35 38 30 30 31 20 37 32 35 31 38 20 39   AA 58001 72518 9
39 30 31 30 20 30 33 35 36 32 20 33 32 30 30 ..   9010 03562 3200.
: : : : : : : :
35 20 35 34 39 37 31 20 32 38 30 35 39 20 38 38   5 54971 28059 88
32 35 36 20 35 35 35 37 31 20 32 37 30 39 30 20   256 55571 27090
37 37 32 39 32 20 32 36 35 39 38 0D 0D 0A 34 31   77292 26598...41
35 30 38 3D 0D 0D 0A 03                           508=....
Decoded: length 00000318, type AN, then SOH CR CR LF, sequence number 00023, CR CR LF, abbreviated heading "USUS01 KWBC 080000 RRB", CR CR LF, text "TAA 58001 72518 99010 03562 3200 ... 77292 26598" CR CR LF "41508=", CR CR LF, ETX.
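To show how the two slides above fit together, here is an added example (not code from the presentation or from the Tokyo MSS) that builds and parses messages in this socket format and then runs the passive open / active open exchange on a loopback socket. The heading and text are taken from the hex dump; the second bulletin and the ephemeral port are assumptions. The receiver checks the length field and the SOH/ETX delimiters before trusting anything, because a corrupted or hostile peer can otherwise desynchronise the stream.

```python
"""Framing for the GTS socket exchange on the slide: a 10-octet envelope
(8-digit octet count of the message + 2-letter type) followed by the WMO
message SOH CR CR LF nnnnn CR CR LF heading CR CR LF text CR CR LF ETX."""
import socket
import threading

SOH, ETX, CRCRLF = b"\x01", b"\x03", b"\r\r\n"
ENVELOPE_LEN = 10
MSG_TYPES = {b"AN", b"BI", b"FX"}

# Constructed sample: the heading and the first and last text lines of the dump.
SAMPLE_HEADING = b"USUS01 KWBC 080000 RRB"
SAMPLE_TEXT = b"TAA 58001 72518 99010 03562 3200" + CRCRLF + b"41508="


def build_message(seq, heading, text, msg_type=b"AN"):
    """Wrap one bulletin; the sequence number is five digits as in the dump ('00023')."""
    if msg_type not in MSG_TYPES:
        raise ValueError("message type must be AN, BI or FX")
    body = SOH + CRCRLF + b"%05d" % seq + CRCRLF + heading + CRCRLF + text + CRCRLF + ETX
    return b"%08d" % len(body) + msg_type + body


def parse_stream(buf):
    """Cut complete messages off the front of a byte stream; return (messages, leftover).

    The length field is used only after it is checked to be numeric and the body it
    delimits starts with SOH and ends with ETX. Anything else raises ValueError so the
    operator can close and re-open the line instead of processing garbage."""
    messages = []
    while len(buf) >= ENVELOPE_LEN:
        length_field, msg_type = buf[:8], buf[8:10]
        if not length_field.isdigit() or msg_type not in MSG_TYPES:
            raise ValueError("bad envelope %r" % buf[:ENVELOPE_LEN])
        end = ENVELOPE_LEN + int(length_field)
        if len(buf) < end:
            break  # partial message: keep the bytes and wait for more
        body, buf = buf[ENVELOPE_LEN:end], buf[end:]
        if not (body.startswith(SOH + CRCRLF) and body.endswith(CRCRLF + ETX)):
            raise ValueError("body is not delimited by SOH ... ETX")
        parts = body[len(SOH + CRCRLF):-len(CRCRLF + ETX)].split(CRCRLF)
        if len(parts) < 3 or len(parts[0]) != 5 or not parts[0].isdigit():
            raise ValueError("missing sequence number, heading or text")
        messages.append({
            "type": msg_type.decode("ascii"),
            "seq": int(parts[0]),
            "heading": parts[1].decode("ascii"),
            "text": CRCRLF.join(parts[2:]),  # kept as bytes: BI messages are not text
        })
    return messages, buf


def exchange(frames, host="127.0.0.1"):
    """Passive open on one side (listen/accept), active open on the other (connect/send).
    Returns (messages parsed by the passive side, framing errors). The figure fixes one
    port per data type; an ephemeral loopback port is used here so the demo runs anywhere."""
    received, errors = [], []
    listener = socket.socket()
    listener.bind((host, 0))
    listener.listen(1)

    def passive_side():
        conn, _ = listener.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                try:
                    msgs, buf = parse_stream(buf)
                except ValueError as exc:
                    errors.append(str(exc))
                    break
                received.extend(msgs)

    worker = threading.Thread(target=passive_side)
    worker.start()
    with socket.create_connection((host, listener.getsockname()[1])) as active:
        for frame in frames:
            active.sendall(frame)
    worker.join()
    listener.close()
    return received, errors


if __name__ == "__main__":
    frame = build_message(23, SAMPLE_HEADING, SAMPLE_TEXT)
    print(frame[:10], exchange([frame]))
```

A production receiver would additionally check that sequence numbers increase by one per message, which is how a gap on the line is detected.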
GTS circuit upgrade
(Figure: Tokyo and the other centre connected through carrier A and carrier B; test items 1 to 4.)
We perform some tests when a GTS circuit is upgraded:
1. Circuit quality: the carrier checks the circuit quality.
2. Analyze data: we analyze the received data and check their format.
3. Capability under heavy load: generating heavy traffic, we observe the capacity of the circuit and the server.
4. Switching: we check that data exchange continues across a host switch.
1.2 Provide data to local offices
(Figure: Internet FTP server providing routine data with anonymous access; mail providing temporary data with specific-user access.)
The Internet is convenient for providing data and products to local offices when quick action is needed.
** Use the popular FTP service on the Internet.
** There is much free software.
** It is easy to build FTP service into a program.
** The service is offered to anonymous users and to specific users.
2. PC-based system at NMCs
(Figure: memory media)
For reliability, use a PC server rather than a desktop PC: PC server products deliberately use proven extension boards rather than the newest ones. DAT tape is desirable for backup.
The NMC system should be duplicated for non-stop operation.
The NMC system should have memory media for operation data and system logs.
2.1 FTP service
(Figure: trouble on the line between two centres.)
When using FTP between neighbouring centres there are two transmission methods: PUT and GET.
PUT base
** PUT base gives smooth transmission without delay.
** PUT base carries the burden of checking whether the receiving system is alive, and of deciding when to re-send.
** With PUT base the receiving system must be kept in constant operation: one of its hosts must always be up. And...
** An incomplete file is left behind if an FTP transmission fails part way.
** The receiving host cannot tell that a received file is incomplete, so the transmitting host must signal the end of transmission:
1. PUT the file as ABC.DAT.TMP.
2. The receiver never uses a file with TMP in its name.
3. Rename ABC.DAT.TMP to ABC.DAT when the transfer has finished.
4. The receiver uses ABC.DAT.
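The four steps above, as an added example that is not code from the presentation. The sender side uses the same method names as ftplib.FTP (storbinary for PUT, rename for RNFR/RNTO, nlst for a listing), so an ftplib.FTP connection can be passed in for a real centre; FakeFTP is a constructed in-memory stand-in that lets the flow run offline and simulate a circuit drop in the middle of a transfer.

```python
"""PUT-base transfer with the temporary-name rule: the sender uploads NAME.TMP and
renames it to NAME when the data are complete; the receiver processes only names
without TMP. FakeFTP is a constructed stand-in for ftplib.FTP."""
import io


class LineDropped(Exception):
    """Constructed failure: the circuit drops part way through a transfer."""


class FakeFTP:
    """Minimal in-memory view of the receiving server. drop_after = bytes after
    which the (simulated) line drops; None means the transfer completes."""

    def __init__(self, drop_after=None):
        self.files = {}
        self.drop_after = drop_after

    def storbinary(self, cmd, fp, blocksize=8192):
        name = cmd.split(" ", 1)[1]
        received = b""
        while True:
            chunk = fp.read(blocksize)
            if not chunk:
                break
            received += chunk
            self.files[name] = received  # a real server shows the partial file in listings too
            if self.drop_after is not None and len(received) >= self.drop_after:
                raise LineDropped("connection lost during STOR %s" % name)
        return "226 Transfer complete"

    def rename(self, fromname, toname):  # RNFR / RNTO
        self.files[toname] = self.files.pop(fromname)
        return "250 Rename successful"

    def nlst(self, *args):
        return sorted(self.files)


def put_atomic(ftp, name, data, blocksize=8192):
    """Sender side: STOR name.TMP, then rename. The rename is the end-of-transfer
    signal; a receiver that lists the directory never sees a half-written NAME."""
    tmp = name + ".TMP"
    ftp.storbinary("STOR " + tmp, io.BytesIO(data), blocksize)
    ftp.rename(tmp, name)
    return name


def completed_files(ftp):
    """Receiver side: only names without TMP are safe to process."""
    return [n for n in ftp.nlst() if "TMP" not in n.upper()]


def demo():
    """Constructed run: one transfer completes, one drops after 1000 bytes."""
    bulletin = b"TTAA 58001 72518 99010 03562 3200\r\r\n" * 200
    good = FakeFTP()
    put_atomic(good, "ABC.DAT", bulletin)
    bad = FakeFTP(drop_after=1000)
    try:
        put_atomic(bad, "ABC.DAT", bulletin, blocksize=512)
    except LineDropped:
        pass  # the sender logs this and re-PUTs later; STOR of the same .TMP overwrites it
    return completed_files(good), completed_files(bad), bad.nlst()


if __name__ == "__main__":
    print(demo())
```

On the dropped transfer the receiver's listing shows only ABC.DAT.TMP, which the receiver ignores; when the sender retries, the new STOR overwrites the stale .TMP and the rename publishes the complete file.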
GET base
(Figure: the client already holds ABC1.DAT; the server holds ABC1.DAT and ABC2.DAT; the client GETs only ABC2.DAT.)
GET base is usually used by an Internet server to provide users with data. FTP client software has functions to fetch only new files, so GET base puts no stress on the server side.
There are two ways of building an FTP server: an anonymous server and a guest server.
Anonymous server
** Anyone can access it.
** No password is needed.
** Very strong Internet security: no real account or password is exposed.
** Real users can be kept separate from anonymous users.
Guest server
** Only registered users can access it.
** Strong Internet security.
** Uses alias user names.
** Change passwords frequently to guard the data.
Notice
** Change the root directory (chroot): even if a hacker logs in with a leaked password, he cannot move to other directories, including the system directories.
** Give the account no real shell: even if a hacker tries another method (telnet, ssh), he cannot log in.
Proftpd configuration (guest server with an anonymous area)

# Identity and authentication
ServerName "RSMC server"
ServerType inetd
DefaultServer on
# chroot every user into the home directory, except members of group wheel
DefaultRoot ~ !wheel
# only alias names (UserAlias below) may log in, never the real account names
AuthAliasOnly on
# accounts whose shell is not in /etc/shells may still use FTP (they cannot log in elsewhere)
RequireValidShell off
UseReverseDNS off

# Logging
ExtendedLog /var/log/proftpd all
SystemLog /var/log/messages
SyslogFacility LOCAL6
TransferLog /var/log/xferlog

Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
# This host runs under inetd, so the real limit is the one set in xinetd (see 2.2).
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nobody

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite on
</Directory>

# Alias names for the anonymous account and the registered (guest) users
UserAlias anonymous ftp
UserAlias apple suga
UserAlias lemon naps

# A basic anonymous configuration, no upload directories.
<Anonymous ~ftp>
  User ftp
  Group ftp
  # We want clients to be able to login with "anonymous" as well as "ftp"
  # UserAlias anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients 10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin welcome.msg
  DisplayFirstChdir .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
2.2 Security setting
(Figure: Internet - firewall - FTP server, with ipchains and xinetd in front of the service.)
** IPCHAINS: works like a packet-filtering router; only specific protocols and IP addresses can reach the server.
** XINETD: permits access to a specific port from outside and controls the number of sessions.
** PAM (Pluggable Authentication Modules): extends commands that need authentication. For example, when a password is changed, PAM checks whether the new password is an easy word.
** SUDO: lets specific users run superuser commands.
** SSH (Secure Shell): a secure remote shell.
2.3 Tools
** top: displays a list of tasks and their status on the host.
** ps: displays the status of the current processes.
** ping: sends ECHO requests to elicit a response from a host or gateway.
** traceroute: attempts to elicit a TIME_EXCEEDED response from each gateway along the path to a host.
** netstat: prints network connections, routing tables, interface statistics and masquerade connections.
** tcpdump: displays the headers of packets on a network interface that match a boolean expression.
** nmap: displays a list of interesting ports on the machine being scanned.
3. Design of operation
** Make statistics on the files retrieved by users.
** Get the system log automatically.
** If trouble occurs, check the host closely; do not resume operation until the cause of the trouble is known.
** Go to a security site to check whether there are patches for the OS and the open source software.
** A patch is installed on a test host first, to check that it runs normally.
** When software is modified, not all hosts are modified at once.
3.1 Design of host switching
(Figure: duplicated system with an operational host and a standby host; static IP B and static IP C for maintenance; alias IP A on the operational host only.)
** Only the operational host has the alias IP address.
** When the operational host is switched, the alias address is taken over by the new operational host.
** The static addresses are used for maintenance.
3.2 Design of trigger which processes received data
(Figure: upload directory watched by a monitor daemon; real-time check of files A, B and C.)
Even if a host receives data, it does not start processing them without a trigger, so a mechanism that starts the processing is required. There are two execution methods: by schedule and by data.
Schedule trigger: constant processing can easily be planned with CROND, but it cannot process data that arrive outside the schedule.
Data trigger: a daemon always watches a specific directory and, when data are put there, calls the processing according to the kind of data.
3.3 Introduction of RSMC server
(Figure: RSMC server and office server; Samba service for Windows clients; monitor system sending ALARM mail; Windows PC.)
The operating system log is collected automatically.
Security watch (monitor system)
** Tripwire: every day it checks, from the recorded file information, whether files have been rewritten.
** swatch: continuously reads the system log looking for specific words related to an attack.
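The two checks above in working form, as an added example rather than the RSMC server's own configuration: a swatch-style scan of syslog lines with an alarm when one source exceeds a threshold, and a Tripwire-style comparison of file hashes against the previous day's record. The rules, the threshold, the sample log lines (documentation address ranges) and the sample files are all constructed for the demo.

```python
"""Monitor-system checks: swatch-style log scan and Tripwire-style integrity compare."""
import hashlib
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Constructed syslog extract; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Sep 23 02:11:05 rsmc sshd[4121]: Failed password for root from 192.0.2.45 port 40122 ssh2
Sep 23 02:11:09 rsmc sshd[4121]: Failed password for root from 192.0.2.45 port 40122 ssh2
Sep 23 02:11:14 rsmc sshd[4121]: Failed password for root from 192.0.2.45 port 40122 ssh2
Sep 23 02:12:01 rsmc proftpd[4130] rsmc (192.0.2.45[192.0.2.45]): USER guest: no such user found from 192.0.2.45 [192.0.2.45] to 203.0.113.10:21
Sep 23 02:15:30 rsmc CROND[4150]: (root) CMD (run-parts /etc/cron.hourly)
Sep 23 02:16:02 rsmc proftpd[4160] rsmc (198.51.100.7[198.51.100.7]): ANON ftp: Login successful.
""".splitlines()

# swatch-style rules (name, pattern); assumed here, tune to the services actually exposed.
RULES = [
    ("ssh-failed-password", re.compile(r"sshd\[\d+\]: Failed password for")),
    ("ftp-no-such-user", re.compile(r"proftpd\[\d+\].*no such user")),
    ("su-failed", re.compile(r"su\[\d+\]: FAILED SU")),
]
SOURCE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")


def scan_log(lines):
    """One hit per matching line: {'rule', 'source', 'line'}; first rule wins."""
    hits = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                src = SOURCE.search(line)
                hits.append({"rule": name, "source": src.group(1) if src else None, "line": line})
                break
    return hits


def alarms(hits, threshold=3):
    """Sources with at least `threshold` hits: these are what the ALARM mail reports."""
    counts = Counter(h["source"] for h in hits if h["source"])
    return {src: n for src, n in counts.items() if n >= threshold}


def snapshot(paths):
    """Tripwire-style record: SHA-256 per watched file (Tripwire also stores owner,
    mode and timestamps; the hash alone is enough to catch a rewritten file)."""
    return {str(p): hashlib.sha256(Path(p).read_bytes()).hexdigest() for p in paths}


def compare(previous, current):
    """Daily check: which watched files were rewritten, removed or added."""
    return {
        "changed": sorted(p for p in previous if p in current and previous[p] != current[p]),
        "missing": sorted(p for p in previous if p not in current),
        "new": sorted(p for p in current if p not in previous),
    }


def integrity_demo():
    """Constructed overnight change: proftpd.conf is edited, passwd is not."""
    base = Path(tempfile.mkdtemp(prefix="tw_"))
    passwd, conf = base / "passwd", base / "proftpd.conf"
    passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
    conf.write_text('ServerName "RSMC server"\nDefaultRoot ~ !wheel\n')
    yesterday = snapshot([passwd, conf])
    conf.write_text('ServerName "RSMC server"\nDefaultRoot ~ !wheel\nRequireValidShell off\n')
    today = snapshot([passwd, conf])
    result = {k: [Path(p).name for p in v] for k, v in compare(yesterday, today).items()}
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(alarms(found), integrity_demo())
```

The baseline that `snapshot` produces must be stored where the attacker cannot rewrite it along with the files (read-only media or another host), otherwise the daily comparison proves nothing.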
Secure Shell
SSH is intended to replace rlogin and rsh and to provide secure, encrypted communication between two hosts over an insecure network. Login methods:
1. Password login.
2. rhosts-based login (the host trust of rlogin, but cryptographically authenticated).
3. Key login: generate a key pair; the public key is placed on the server and the private key stays with the user.
Samba
Samba implements the SMB protocol, also referred to as the Common Internet File System (CIFS), LanManager or NetBIOS protocol. Set-up on a Red Hat host:
1. Check whether Samba is installed: rpm -q samba, rpm -q samba-client, rpm -q samba-common, rpm -q samba-swat.
2. If it is not installed: rpm -ivh samba samba-client samba-common samba-swat.
3. Check with ntsysv that the smb and swat services are switched on.
4. Enable the swat service in xinetd (/etc/xinetd.d/swat).
5. Set a password for the Samba user oic: smbpasswd -a oic.
6. Configure Samba with the browser at http://localhost:901 (SWAT).
7. In the SHARES window set oic as the user name and no write access for guests.
8. In the GLOBALS window select euc as the coding system and share as the security level.
Caveat: SWAT takes the root password over plain HTTP, so keep it reachable from localhost only (only_from = 127.0.0.1 in /etc/xinetd.d/swat) and block port 901 at ipchains.
Automatic shutdown when no clients remain (the crontab is a standard item in Red Hat)
This is a sample shell script for shutting the system down automatically when no Windows or Unix client is connected after 7:00 p.m. First, set the schedule in CROND:

$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# every ten minutes from 19:05 to 23:55: check for clients, shut down if none
# (the script is run directly; run-parts takes a directory, not a script)
05,15,25,35,45,55 19,20,21,22,23 * * * root /etc/bye_check.sh
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly

bye_check.sh
#!/bin/sh
PATH=/bin:/usr/bin:/usr/local/bin:/usr/sbin
export PATH
# check samba user: smbstatus -p prints one smbd PID per connected client, no header
smb_client=`smbstatus -p | wc -l`
# check linux user: w -h omits the header lines
linux_client=`w -h | wc -l`
# hour of the day (not used below: cron already restricts the hours)
time_chk=`date +%k`
# echo `date` smb:$smb_client linux:$linux_client >> /var/log/work_log
#echo " Samba client .." $smb_client
#echo " Linux client .." $linux_client
if [ ${smb_client} -lt 1 ]
then
  if [ ${linux_client} -lt 1 ]
  then
    echo shutdown for no users `date` >> /var/log/work_log
    /sbin/shutdown -h now > /dev/null
    #echo "finish OK!"
  fi
fi
Introduction of backup of MDUS products on the RSMC server
(Figure: NAPS uploads data to UPgms; the daemon GmsUPchkd checks it in real time; a backup copy goes to the neighbouring RSMC, the original goes to BACK, a copy goes to WORK.)
** Check each file in UPgms; reception is complete when the name no longer carries the tmp word.
** Back up a copy for the neighbouring RSMC.
** Move the file to the BACK directory.
** Copy the file to the WORK directory.
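The data trigger of 3.2 and the backup flow above combined into one poller, as an added example that is not the RSMC server's own daemon. Files still carrying the tmp word are skipped, complete files are dispatched by name, and a backup product is copied to the neighbour spool and to WORK while the original is moved to BACK. The product name pattern, the NEIGHBOR and REJECT directory names and the sample files are assumptions.

```python
"""One pass of a directory-watching daemon over the upload spool (data trigger)."""
import re
import shutil
import tempfile
from pathlib import Path

TMP_WORD = "tmp"       # the sender renames the file when reception is complete
UPLOAD_DIR = "UPgms"   # directory names from the slide


def is_complete(path):
    return TMP_WORD not in path.name.lower()


def backup_handler(src, base):
    """Copy for the neighbouring RSMC, copy to WORK, keep the original in BACK."""
    shutil.copy2(src, base / "NEIGHBOR" / src.name)
    shutil.copy2(src, base / "WORK" / src.name)
    shutil.move(str(src), str(base / "BACK" / src.name))
    return "backup"


def reject_handler(src, base):
    """Anything matching no known product is set aside for the operator, not deleted."""
    shutil.move(str(src), str(base / "REJECT" / src.name))
    return "rejected"


# Dispatch table: first matching pattern wins. Assumed naming rule GMSyyyymmdd.DAT.
HANDLERS = [
    (re.compile(r"^GMS\d{8}\.DAT$", re.IGNORECASE), backup_handler),
    (re.compile(r".*"), reject_handler),
]


def poll_once(base):
    """One pass of the daemon; returns {file name: action}. Run from a loop with a
    short sleep for a data trigger, or from CROND when a schedule trigger is enough."""
    actions = {}
    for path in sorted((base / UPLOAD_DIR).iterdir()):
        if not path.is_file() or not is_complete(path):
            continue  # upload still in progress; look again next pass
        for pattern, handler in HANDLERS:
            if pattern.match(path.name):
                actions[path.name] = handler(path, base)
                break
    return actions


def make_spool():
    """Constructed sample tree: one complete product, one in flight, one stray file."""
    base = Path(tempfile.mkdtemp(prefix="rsmc_"))
    for name in (UPLOAD_DIR, "NEIGHBOR", "WORK", "BACK", "REJECT"):
        (base / name).mkdir()
    (base / UPLOAD_DIR / "GMS20020923.DAT").write_bytes(b"\x00" * 1024)
    (base / UPLOAD_DIR / "GMS20020924.DAT.tmp").write_bytes(b"\x00" * 16)
    (base / UPLOAD_DIR / "readme.txt").write_text("not a product\n")
    return base


def cleanup(base):
    shutil.rmtree(base)


if __name__ == "__main__":
    spool = make_spool()
    print(poll_once(spool))
    cleanup(spool)
```

Because the check is on the name rather than on file size or age, a product is never processed half-received, and the in-flight file is picked up on the pass after the sender renames it.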
Memory media
** DAT: used with the tar command; usually DAT is used for backup of the HDD.
** CD-R and DVD-RAM: if a CD-R drive is found on SCSI, a CD image can be written to it. DVD-RAM is used one side at a time, like a CD-R.
** MO: if an MO drive can be connected by USB, it can be used as easily as a floppy disk.
(Figure: the daemon GmsProcd checks PUB ORIGINAL; GmsSplit writes PUB SPLIT as 60 parts of about 160 KB from an 8 MB file; GmsPexp checks the expiry.)
** GmsSplit splits a file into 60 parts for low-speed users.
** GmsPexp deletes files in the public area after their available time expires.
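The two programs above, as an added example that is not the RSMC server's own code: split a product into 60 parts that a low-speed user can fetch one at a time and reassemble, and remove published files whose available time has passed. The part naming (NAME.p01 to NAME.p60), the expiry based on modification time and the sample data are assumptions.

```python
"""GmsSplit and GmsPexp: split a product into parts; expire files in the public area."""
import os
import shutil
import tempfile
import time
from pathlib import Path


def split_file(src, out_dir, parts=60):
    """Write src as `parts` equally sized pieces (the last takes the remainder)
    and return their paths in order; each part is 1/parts of the original."""
    data = Path(src).read_bytes()
    size = max(1, -(-len(data) // parts))  # ceiling division
    paths = []
    for i in range(parts):
        part = Path(out_dir) / ("%s.p%02d" % (Path(src).name, i + 1))
        part.write_bytes(data[i * size:(i + 1) * size])
        paths.append(part)
    return paths


def join_parts(paths):
    """What the low-speed user does after fetching all parts: concatenate in order."""
    return b"".join(Path(p).read_bytes() for p in paths)


def expire_public(pub_dir, max_age_s, now=None):
    """Delete files older than max_age_s in the public area; return the names removed."""
    now = time.time() if now is None else now
    removed = []
    for path in sorted(Path(pub_dir).iterdir()):
        if path.is_file() and now - path.stat().st_mtime > max_age_s:
            path.unlink()
            removed.append(path.name)
    return removed


def demo():
    """Constructed run on an 8 MB product: returns
    (number of parts, reassembly ok, expired names, names left in PUB)."""
    base = Path(tempfile.mkdtemp(prefix="gms_"))
    original, split, pub = base / "PUB_ORIGINAL", base / "PUB_SPLIT", base / "PUB"
    for d in (original, split, pub):
        d.mkdir()
    product = original / "GMS20020923.DAT"
    product.write_bytes(bytes(range(256)) * (8 * 1024 * 1024 // 256))
    parts = split_file(product, split)
    reassembly_ok = join_parts(parts) == product.read_bytes()

    now = time.time()
    stale, fresh = pub / "GMS20020922.DAT", pub / "GMS20020923.DAT"
    stale.write_bytes(b"old")
    fresh.write_bytes(b"new")
    os.utime(stale, (now - 2 * 86400, now - 2 * 86400))  # published two days ago
    expired = expire_public(pub, max_age_s=86400, now=now)
    left = sorted(p.name for p in pub.iterdir())
    shutil.rmtree(base)
    return len(parts), reassembly_ok, expired, left


if __name__ == "__main__":
    print(demo())
```

Using the modification time as the publication time is only valid if the files are copied into PUB with a fresh timestamp; copies that preserve the original mtime need an explicit expiry list instead.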