Network Address Translation (NAT)
[Figure: TCP/IP source on the LAN, NAT (Network Address Translation) box, TCP/IP destination cnn.com on the external side]
• Enables reuse of IP addresses, gets around IP's limited 32-bit address space
• TCP-level semantic knowledge is required: the NAT rewrites TCP ports, not only IP addresses
• The TCP/IP source wants to send to cnn.com and creates a packet <IP sender, TCP sender port, IP dest, TCP dest port>
• The NAT has a local LAN IP address and an external IP address

NAT (2)
• The NAT receives the packet and
  • Replaces the IP sender address with its own external IP address
  • Replaces the TCP sender port with its own TCP source port, chosen from a list of available source ports
  • Sends the packet to the destination
  • Stores a mapping of <sender IP, sender TCP port> to <NAT IP, NAT TCP src port>

NAT (3)
• When a reply packet is received from cnn.com on the NAT TCP src port, the NAT substitutes the original sender's IP address and TCP sender port
• Even if two sources on the same LAN choose the same TCP sending port, they differ in their IP addresses, so the input/output mapping is still unique
• Extends the IP address space by qualifying addresses with TCP port numbers

NAT (4)
• The NAT must modify the IP address, the TCP port, and the IP and TCP checksums (the TCP checksum covers a pseudo-header that includes the IP addresses, so it changes even when only the address is rewritten)
• Adds latency
• The type of NAT described so far is called a "dynamic" NAT
• Internal hosts normally use private (RFC 1918) addresses, which are not routable on the Internet, to connect to external hosts
• External hosts never learn the internal IP addresses, so the NAT acts as a "masquerading" firewall. Caveat: this hides hosts but is not access control; unsolicited inbound packets are dropped only because no mapping exists for them.
NAT (5)
[Figure: external TCP/IP client, NAT, internal Web server on the LAN]
• Static NATs allow an external client to connect to an internal TCP/IP server, e.g. a Web server, at a specific address
• An external host can't just send a Web request to the NAT's external IP address, port 80, because the NAT won't know to which internal host to route the HTTP request
• Static NAT allocates a fixed IP address for the Web server and constructs a static mapping from the ISP-assigned external IP (and port) to the internal IP (and port)
• Static NAT is also called "inbound mapping"

NAT (6)
• Static NATs work with FTP and other application-layer protocols as well. Caveat: protocols that carry IP addresses or ports inside their payload (FTP's PORT and PASV commands, for example) need an application-layer gateway in the NAT that rewrites the payload too; plain address/port rewriting leaves the embedded addresses stale.
• Static NATs introduce a security risk: they let unknown outsiders connect to a local computer
• Configure your NAT router to have two Ethernet LAN ports with separate IP subnets
• Place the machines you wish to be public on one subnet (a DMZ) and keep private hosts on the second, so a compromised public server cannot reach the private hosts directly

NAT (7)
• NATs can be used as load balancers too
• TCP/IP packets into the NAT are rewritten with the IP address and TCP port of the most lightly loaded destination server
• Reply packets from that destination are also rewritten by the NAT on the way back to the source, so the client only ever sees the NAT's address
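The three rewriting modes on the NAT (2) through NAT (7) slides share one mechanism: a translation table keyed on <IP, port> pairs. The toy below is an added example, not code from the slides or from any real NAT; it keeps only the four fields a NAT rewrites and omits checksum recomputation. The addresses, the port pool 40000-40009 and the class and method names are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, TCP port)


@dataclass(frozen=True)
class Packet:
    """Only the four fields a NAT rewrites: <src IP, src port, dst IP, dst port>."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def src(self) -> Endpoint:
        return (self.src_ip, self.src_port)

    @property
    def dst(self) -> Endpoint:
        return (self.dst_ip, self.dst_port)


class NAT:
    """Toy NAT: dynamic masquerading, static inbound mappings and a least-loaded pool.
    A real NAT must also recompute the IP and TCP checksums after each rewrite."""

    def __init__(self, ext_ip: str, port_pool=range(40000, 40010)):
        self.ext_ip = ext_ip
        self._free_ports: List[int] = list(port_pool)
        self._out: Dict[Endpoint, int] = {}               # internal endpoint -> NAT port
        self._in: Dict[int, Endpoint] = {}                # NAT port -> internal endpoint
        self._static: Dict[Endpoint, Endpoint] = {}       # external endpoint -> internal server
        self._static_rev: Dict[Endpoint, Endpoint] = {}   # internal server -> external endpoint
        self._pools: Dict[Endpoint, List[Endpoint]] = {}  # external VIP -> backend servers
        self._lb: Dict[Endpoint, Tuple[Endpoint, Endpoint]] = {}  # client -> (backend, VIP)

    def add_static(self, external: Endpoint, internal: Endpoint) -> None:
        """Static NAT / inbound mapping (NAT (5))."""
        self._static[external] = internal
        self._static_rev[internal] = external

    def add_pool(self, vip: Endpoint, backends: List[Endpoint]) -> None:
        """NAT as load balancer (NAT (7)): one external endpoint, several internal servers."""
        self._pools[vip] = list(backends)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> external."""
        if pkt.dst in self._lb and self._lb[pkt.dst][0] == pkt.src:
            # A backend replying to a load-balanced client: put the VIP back as source.
            vip = self._lb[pkt.dst][1]
            return replace(pkt, src_ip=vip[0], src_port=vip[1])
        if pkt.src in self._static_rev:
            # A statically mapped server replying to an outside client.
            ext = self._static_rev[pkt.src]
            return replace(pkt, src_ip=ext[0], src_port=ext[1])
        # Dynamic NAT (NAT (2)): <sender IP, sender port> -> <NAT IP, NAT port>.
        # Two LAN hosts using the same source port still get distinct NAT ports,
        # because the key includes the sender IP (NAT (3)).
        if pkt.src not in self._out:
            if not self._free_ports:
                raise RuntimeError("NAT port pool exhausted")
            port = self._free_ports.pop(0)
            self._out[pkt.src] = port
            self._in[port] = pkt.src
        return replace(pkt, src_ip=self.ext_ip, src_port=self._out[pkt.src])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> LAN. Returns None when no mapping matches (the packet is dropped)."""
        if pkt.dst in self._pools:
            backend = self._lb.get(pkt.src, (None, None))[0]
            if backend is None:  # new client: pick the least loaded backend and remember it
                backend = self._least_loaded(self._pools[pkt.dst])
                self._lb[pkt.src] = (backend, pkt.dst)
            return replace(pkt, dst_ip=backend[0], dst_port=backend[1])
        if pkt.dst in self._static:
            internal = self._static[pkt.dst]
            return replace(pkt, dst_ip=internal[0], dst_port=internal[1])
        if pkt.dst_ip == self.ext_ip and pkt.dst_port in self._in:
            ip, port = self._in[pkt.dst_port]
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None  # unsolicited: no internal host to deliver to

    def _least_loaded(self, backends: List[Endpoint]) -> Endpoint:
        load = {b: 0 for b in backends}
        for backend, _vip in self._lb.values():
            if backend in load:
                load[backend] += 1
        return min(backends, key=lambda b: load[b])  # ties go to the first listed backend


if __name__ == "__main__":
    nat = NAT("203.0.113.1")  # constructed documentation addresses throughout
    a = nat.outbound(Packet("10.0.0.2", 5000, "198.51.100.7", 80))
    b = nat.outbound(Packet("10.0.0.3", 5000, "198.51.100.7", 80))  # same port, other host
    print(a, b)
    print(nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", b.src_port)))
    print(nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 40005)))  # None: dropped
```

The `None` return on the last line is the "masquerading firewall" behaviour of NAT (4): an outside host cannot reach 10.0.0.3 until 10.0.0.3 has opened a mapping itself, or until an administrator has added one with `add_static`, which is exactly the exposure the NAT (6) slide warns about.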
NAT (8)
• Comparing NATs and proxies:
  • Similar architecture: an intermediary between client and server
  • NATs operate at a lower level (IP and TCP) than proxies (HTTP)
  • NATs are arguably faster than higher-layer proxies
  • NATs are "transparent" to source and destination nodes, whereas HTTP clients are explicitly aware that there is an HTTP proxy intermediary in their path to the HTTP server
Samba/SMB
• Server Message Block (SMB) protocol
• File sharing protocol that ships with Microsoft OSes
• Basis for Network Neighborhood
• Application-layer protocol over TCP/UDP/IP
• The open-source Samba server suite enables other OSes such as Linux to speak SMB
• Enables an MS client to access files on a UNIX server, which is very useful

Samba/SMB
• For historical reasons, SMB first ran across the NetBIOS API, which in turn ran across various network protocols, e.g. TCP/UDP, IPX, SNA, DECnet, etc.
• SMB packets can be framed in NetBIOS packets, which are encapsulated in TCP/UDP
• NetBIOS over TCP/UDP is called NBT (UDP ports 137 and 138, TCP port 139); since Windows 2000, SMB can also run directly over TCP port 445 without NetBIOS, so both sets of ports matter when filtering
[Figure: protocol stack, SMB over NetBIOS over TCP/UDP, IPX, SNA or other transports]

Samba/SMB
• Four Samba elements
  • File and print services
  • Authentication and authorization
  • Name resolution
  • Service announcement (browsing)
• As of version 3, Samba
  • provides file and print services for various Microsoft Windows clients
  • can integrate with a Windows Server domain as a Primary Domain Controller (PDC) or as a domain member
  • can join an Active Directory domain
Domain
• A domain is a concept used in NT server operating systems whereby a user may be granted access to a number of computer resources with a single username and password combination.

Primary Domain Controller
• A Primary Domain Controller (PDC) is a server in a pre-Windows 2000 NT server domain
• The PDC holds the master copy of the user accounts database, which it can read and modify
• The PDC replicates its account database to the BDCs on a regular basis
• Backup Domain Controllers (BDCs) hold a copy of this database, but their copies are read-only

Active Directory
• Microsoft's directory service for Windows environments, exposed to clients through LDAP
• Allows administrators to assign enterprise-wide policies
• Lets a user authenticated once by username/password use the same access rights domain-wide
• History
  • Previewed in 1996
  • Released first with Windows 2000
  • Extended functionality and improved administration in Windows Server 2003

Forests, Trees and Domains
• At the top of the structure is the forest: the collection of every object, its attributes and rules (attribute syntax) in the AD
• The forest holds one or more trees linked by transitive trusts
• A tree holds one or more domains and domain trees, again linked in a transitive trust hierarchy
• Domains are identified by their DNS name structure, the namespace. A domain has a single DNS name.
Forests, Trees and Domains
• The objects held within a domain can be grouped into containers called Organizational Units (OUs), which
  • give a domain a hierarchy
  • ease its administration
  • can contain other OUs
• The OU is the usual level at which to apply group policies, which are AD objects themselves called Group Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the lowest level at which administrative powers can be delegated.
• As a further subdivision, AD supports the creation of sites:
  • physical, rather than logical, groupings defined by one or more IP subnets
  • they distinguish between locations connected by low-speed (e.g. WAN, VPN) and high-speed (e.g. LAN) links
  • a site can contain one or more domains, and a domain can span one or more sites

Windows NT version 4 master domain model
• Uses a single domain to hold all user account information
• Separate resource domains manage resources such as networked printers

[Figure: model Samba network] Source: "Using Samba" by Robert Eckstein, David Collier-Brown, Peter Kelly
What Samba Does
• Samba runs on Unix platforms and speaks to Windows clients
• It allows a Unix system to join a Windows "Network Neighborhood"
• Windows users can then access its file and print services

SMBD
• File and print services are provided by smbd, the SMB daemon
• It handles share-level ("share mode") and user-level ("user mode") authentication and authorization; you can protect shared file and print services by requiring passwords
• With user-level security each user has their own username and password, and the system administrator can grant or deny access per user

NMBD
• The other two CIFS (Common Internet File System) pieces, name resolution and browsing, are handled by nmbd
• Both services come down to managing and distributing lists of NetBIOS (Network Basic Input Output System) names
• NetBIOS is a session-level programming interface that sits between applications and the network transport; it is not itself a network protocol

Name Resolution
• Name resolution takes two forms: broadcast and point-to-point
• Broadcast: the client broadcasts the name of the service it is looking for and waits for the machine with that name to answer with an IP address
• Broadcasts do not leave the local LAN, so the traffic stays contained. Caveat: any host on that LAN can answer a broadcast query, and nothing authenticates the reply, so a local attacker can claim a name and intercept the connection.

Name Resolution
• Point-to-point resolution uses an NBNS (NetBIOS Name Service) server, called WINS in the Windows world
• Clients register their NetBIOS names and IP addresses with the NBNS server, which keeps the information in a database
• When a client wants to talk to another client, it sends that client's name to the NBNS server; if the name is registered, the NBNS server hands back an IP address

Service Announcement (Browsing)
• Browsing is the ability to examine the servers and shares available on the network
• A browse list holds the current, active servers; it is stored on one machine in the network
• The local master browser updates the browse list as computers sign on and off. Any server on the network can take this role.
smb.conf file
• [global]
• [homes]
• [printers]
• The [global] section sets server-wide parameters; each other section defines one share and who may access it

SWAT
• SWAT: Samba Web Administration Tool
• Knows the parameters supported by Samba and stays up to date as Samba parameters change
• Provides context-sensitive help for each configuration parameter
• Stores only parameter settings that differ from the defaults
• Listens on TCP port 901, started from inetd/xinetd. Caveat: SWAT sends the root password over plain HTTP, so bind it to localhost or tunnel it; SWAT was removed from Samba in version 4.1.

Installing Samba
• Downloaded the latest version from samba.org
• Configured /etc/xinetd.conf to enable the SWAT service
• Opened SWAT at http://localhost:901
• Configured smb.conf
  • Added the IP addresses of the Windows machines
  • Password server: lab2.research.cs.uofs.edu

Problems
• The Windows machine recognizes the Samba server but does not allow access
• Cause: Windows and the Samba server used different password schemes (the Windows client sends encrypted challenge/response passwords; the server expected plaintext)
• Fix applied: locate the EnablePlainTextPassword registry setting on the Windows client and disable Windows password encryption. Caveat: this puts user passwords on the wire in cleartext; the safer fix is to leave the client alone and set encrypt passwords = yes in smb.conf, with an smbpasswd entry for each user.

Adding Samba Users
• Each user must first exist as a Unix account: adduser -g 100 plishka
• Set the Unix password: passwd plishka
• Create the Samba login password, which lives in the smbpasswd file rather than in /etc/shadow: /usr/bin/smbpasswd -a plishka
Browsing Elections
• A computer becomes the local master browser by winning a browser election
• Samba can rig a browser election for a variety of outcomes, including always becoming the local master browser of the subnet or never becoming it
• In smb.conf:
  [global]
  # Browsing election options
  os level = 34
  local master = yes

Browsing Elections
• Each machine in the election broadcasts
  • its version of the election protocol
  • its operating system value (for Samba, the os level parameter)
  • how long it has been up
  • its host name

Browsing Elections
• How elections are decided
  • Each operating system version is assigned a numeric value; Samba's is whatever os level is set to
  • Each computer is also assigned a value according to its role
  • The machine with the highest election protocol version wins; if tied, the machine with the highest operating system value wins
  • If still tied,
    • the machine with preferred master set wins,
    • otherwise the machine that has been up the longest wins,
    • otherwise the host name that sorts first alphabetically wins
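The ordering of criteria above is easier to trust once it has been run. The block below is an added example, not Samba's election code: it models the tie-break order exactly as the slides state it (protocol version, OS value, preferred master, uptime, name) and adds a helper that computes the smallest os level a Samba host needs in order to win against a given set of neighbours. The candidate machines and their numeric values are constructed for illustration; the real values Windows advertises vary by version.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Candidate:
    """One machine taking part in a browser election."""
    name: str
    protocol_version: int   # browser election protocol version
    os_level: int           # OS value; for Samba this is the "os level" parameter
    preferred_master: bool  # "preferred master = yes" or the Windows equivalent
    uptime_s: int           # seconds the machine has been signed on


def election_key(c: Candidate) -> Tuple[int, int, int, int, str]:
    """Sort key implementing the slide's order. Higher wins for the first four
    criteria, so they are negated; the last tie-break is alphabetical (lower wins)."""
    return (-c.protocol_version, -c.os_level, -int(c.preferred_master), -c.uptime_s, c.name)


def elect(candidates: List[Candidate]) -> Candidate:
    """Return the local master browser. Machines with 'local master = no' simply
    do not appear in the list, since they never put themselves forward."""
    if not candidates:
        raise ValueError("no candidates in election")
    return min(candidates, key=election_key)


def min_os_level_to_win(others: List[Candidate], protocol_version: int = 1) -> int:
    """Smallest 'os level' a Samba host needs to beat every other candidate outright,
    assuming it speaks the same protocol version as the strongest of them.
    Raises if some neighbour speaks a newer protocol, because os level cannot help then."""
    if any(o.protocol_version > protocol_version for o in others):
        raise ValueError("a neighbour has a higher election protocol version")
    same_version = [o for o in others if o.protocol_version == protocol_version]
    return max((o.os_level for o in same_version), default=0) + 1


if __name__ == "__main__":
    # Constructed subnet: an NT-Workstation-like client, an NT-Server-like box that
    # asks to be preferred master, and a Samba host with the slide's os level = 34.
    lan = [
        Candidate("WKS01", 1, 16, False, 100_000),
        Candidate("SRV01", 1, 32, True, 5_000),
        Candidate("SAMBA", 1, 34, False, 10),
    ]
    print("winner:", elect(lan).name)
    print("os level needed to beat the others:", min_os_level_to_win(lan[:2]))
```

Dropping the Samba host to os level 32 makes it tie with SRV01 on the OS value, and SRV01's preferred master flag then decides the election, which is why "rigging" it in smb.conf means choosing an os level strictly above every Windows box on the segment.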
ISS RealSecure
• RealSecure is an intrusion detection system that monitors for suspicious behavior and can react in real time, for example by terminating sessions or changing firewall rules
• Current versions of RealSecure Network Sensor can decode the SMB/CIFS protocols used for Windows networking
• Comprised of Network Sensor, OS Sensor, and Console

ISS RealSecure
• Network Sensors work by comparing the traffic on the network against a set of rules defined in a number of policies
• OS Sensor runs as a process on the server being monitored. Every time a new log-file entry is generated by the operating system, OS Sensor reads it and compares it against the signatures currently in force; on a match it initiates the configured response. OS Sensor can detect local attacks and abuses that the Network Sensor would normally miss.
• The Console and the Sensors communicate with each other. The Console defines the policy for each sensor, which includes:
  • Network Sensor security events
  • connection events
  • OS Sensor security events
Synchronization of Usernames and Passwords
• The unix password sync global option lets Samba update the Unix password file when a user changes his or her Samba password. Samba's own copy of the password is stored on the server in the smbpasswd file, located in /usr/local/samba/private by default.
  [global]
  unix password sync = yes
• Samba changes the encrypted SMB password and then attempts to change the standard Unix password by passing the username and new password to the program named by the passwd program option, driving its prompts with the passwd chat script.

Synchronization of Usernames and Passwords
• Samba does not have the user's old plaintext password, so the password-changing program must be invoked as root, which is not asked for the old password; this also means smbd must run with enough privilege to do so, and the passwd chat script must match the prompts of the local passwd program exactly or the Unix and Samba passwords will silently diverge.
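Pulling the smb.conf, password, browsing-election and synchronization settings from the slides above into one file gives the following. This is an added example, not the configuration from the slides or from the Samba project; the workgroup name, the 192.168.10.0/24 lab subnet and the Red Hat style passwd prompts are assumptions, and every parameter used is a documented smb.conf option.

```ini
[global]
   workgroup = RESEARCH
   server string = Lab Samba server
   # User-level security: every client authenticates with its own username/password
   security = user
   # Keep Windows clients on encrypted (challenge/response) logons. The weak
   # alternative, "encrypt passwords = no", forces EnablePlainTextPassword on
   # the clients and puts passwords on the wire in the clear.
   encrypt passwords = yes
   smb passwd file = /usr/local/samba/private/smbpasswd
   # Only the lab subnet and the local host may connect at all (assumed subnet)
   hosts allow = 192.168.10. 127.
   # Keep Unix and Samba passwords in step when a user changes the Samba one.
   # The chat script must match the local passwd prompts exactly.
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   # Browsing election options: win the local election, never claim domain master
   os level = 34
   local master = yes
   preferred master = yes
   domain master = no

[homes]
   comment = Home directories
   browseable = no
   writable = yes
   # Only the owner of the home directory may open it (%S is the share name)
   valid users = %S

[printers]
   comment = All printers
   path = /var/spool/samba
   browseable = no
   printable = yes
   guest ok = no
```

Run `testparm` after editing to have Samba parse the file and report unknown parameters before restarting the daemons; with `unix password sync` it is worth changing one test user's password with smbpasswd and then confirming the Unix login also changed, since a mismatched chat script fails quietly.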
References
• http://www.samba.org
• http://www.mcsr.olemiss.edu/bookshelf/articles/Samba.html
• http://www.linuxhomenetworking.com/linux-hn/samba.htm#_Toc91165136
• http://www.oreilly.com/catalog/samba/chapter/book/ ("Using Samba", Eckstein, Collier-Brown, Kelly)