
Network Hosts
This is a guide to the common server roles found on a network: web, file, print, DHCP, DNS, proxy, mail and authentication servers, what each one does, and what an administrator needs to watch when running it.
Web Servers
In this presentation, we'll take a look at the web server, and this is a classic model of client/server computing. Typically, you open up a browser on a client system and request a web page. The server locates that content and delivers it back to you, and it does so over the Hypertext Transfer Protocol, or HTTP. You have likely noticed that the address in the browser's address bar starts with http:// or https://, and that prefix indicates the protocol the browser will use. The s in https means the HTTP exchange is wrapped in TLS, so it is encrypted in transit and the server's identity is checked against a certificate.
Now, the web server itself is typically a dedicated system because it has to be exposed to the Internet. So it generally does not run any services beyond what is minimally necessary; every extra listening service is extra attack surface. There might be a protocol such as FTP for uploading content to the web server, although FTP sends credentials in the clear, so SFTP, SCP or a deployment pipeline is the safer choice today. But the system is usually dedicated to web content. And the platform that you will typically find on a web server, in other words, the software that manages all of this, is probably one of Apache HTTP Server, Microsoft Internet Information Services (IIS), or NGINX, which is pronounced engine-x.
[Video description begins] Examples of web servers [Video description ends]
Now Apache is very common. It's an open source platform that typically runs on UNIX or Linux systems, although it is available for Windows as well. Internet Information Services, or IIS, is Microsoft's proprietary platform and ships with Windows Server, whereas NGINX is open source and runs on just about any operating system. In terms of considerations with respect to which one you should go with, well, most of them will deliver the services that you need, but you do need to consider compatibility.
In other words, will it work well with the other servers and operating systems in your organization? What kind of security is going to be implemented? Will it serve only plain HTTP pages, or will it host HTTPS sites? In that case, you also need to obtain and install certificates, and keep them renewed, for HTTPS access. And, of course, what kind of built-in tools are available for publishing and building sites, and what types of search engines will be supported?
[Video description begins] Web Server Requests [Video description ends]
As far as the requests are concerned, as mentioned, this is a classic model of client/server computing. So a browser is typically implemented on the client, and that could certainly be a desktop or a laptop, but really it could be anything: a mobile device, another server, essentially anything that supports a web browser such as Chrome, Firefox, Edge or, historically, Internet Explorer. As soon as you put in an address, the browser resolves the host name to an IP address and issues an HTTP request to that server. The server maps the requested path onto its document root, locates the files that represent the default page for that site, and the response carries those documents back, which your browser then renders.
[Video description begins] The HTTP server returns an HTTP response, which your browser renders. [Video description ends]
So it's a pretty simple process, but ultimately it is the HTTP protocol that handles these requests. So as long as you can reach the server and you know its address, there shouldn't be any issue retrieving the content with a standard browser. From the server's side, the one thing it must never do is let the path in that request walk outside the document root, which is why a web server normalizes and checks the path before it touches the file system.
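The request-handling step described above, as an added example that is not code from the course or from any of the servers it names: a raw HTTP/1.1 request is parsed, and the requested path is mapped onto a document root so that a traversal attempt such as /../../etc/passwd, whether plain or percent-encoded, is refused before the server ever reads a file. The document root /var/www/html and the sample requests are assumptions made for the example.

```python
"""Added example (not from the original course): the request side of a web
server, parsing a raw HTTP/1.1 request and mapping its path onto the
document root without letting it escape. The document root and all
requests are constructed for illustration."""
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

DOC_ROOT = PurePosixPath("/var/www/html")  # assumed document root


class BadRequest(ValueError):
    """Raised for requests the server should answer with 400."""


def parse_request(raw: bytes):
    """Split a raw request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise BadRequest("malformed request line")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest("unsupported protocol version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise BadRequest("malformed header line")
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest("Host header is mandatory in HTTP/1.1")
    return method, target, headers, body


def resolve_path(target: str, doc_root: PurePosixPath = DOC_ROOT) -> PurePosixPath:
    """Map the request target onto doc_root, refusing any traversal.

    Percent-decoding happens exactly once, before the check, so /%2e%2e/ is
    caught as ../ while a doubly encoded %252e stays a literal, harmless
    file name component.
    """
    path = unquote(urlsplit(target).path)
    if "\x00" in path:
        raise PermissionError("NUL byte in path")
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        raise PermissionError("path traversal attempt")
    candidate = doc_root.joinpath(*segments)
    if path.endswith("/") or not segments:
        candidate = candidate / "index.html"   # default document for a directory
    return candidate


def route(raw: bytes, doc_root: PurePosixPath = DOC_ROOT):
    """Return (status, path) as the server decides it before touching disk."""
    try:
        method, target, _headers, _body = parse_request(raw)
    except BadRequest:
        return 400, None
    if method not in ("GET", "HEAD"):
        return 405, None                       # static server: nothing else exposed
    try:
        return 200, resolve_path(target, doc_root)
    except PermissionError:
        return 403, None


if __name__ == "__main__":
    for req in (b"GET /docs/index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
                b"GET /../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n",
                b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"):
        print(req.split(b"\r\n")[0].decode(), "->", route(req))
```

The check works on the decoded path string rather than on the file system, so it does not see symbolic links inside the document root; a real server additionally resolves the final path and verifies it still lies under the root, and serves files only with the privileges of an unprivileged service account.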
File Servers
In this presentation, we'll take a look at file servers. And again, this is a classic example of a client/server model, because the client simply requests a document, and the server returns that document. But, of course, the server itself is responsible for the central storage and management of those data files. Now, they could be just about anything. They could be documents or reports, or really any content that is typically used in a network environment.
But unlike a web server that we just talked about, the files are accessed by computers on the same internal network. So LAN access as opposed to Internet access. Now, in terms of the types of file servers, typically you find dedicated and/or non-dedicated. And dedicated servers will generally provide faster data access, and generally will offer more storage capacity. Now, this is typical for environments that are fairly large. So some kind of enterprise application that is accessing perhaps a more advanced storage array, such as network attached storage. So this would indicate a fairly busy environment with a lot of storage requirements.
[Video description begins] Network attached storage is abbreviated as NAS. [Video description ends]
And just essentially a lot of requests that are being issued to the file server. Whereas a non-dedicated could really be any computer on the network that hosts shared files. Just about every operating system in a LAN environment is able to share the content on that system. So it just could be your own desktop, for example. And that would represent a non-dedicated file server. But you are still acting as a file server as soon as you make anything available to share. Now, it still might be a server that is hosting files, but that server just might not be dedicated to just that role. In other words, it might be providing a number of other services as well such as DHCP or maybe DNS.
Because in some environments the file servers aren't all that busy. So they have the resources available to perform other tasks. Now, looking at some of the configurations. If it's a home network, or maybe just a small office, file servers are often used to automatically allow access to all devices on the local network. And this is typically referred to as a homegroup or a workgroup, whereby every system that joins has the option to share the content on that system. Now, I stress option because you certainly don't have to share access to your content if you don't want to.
But if you do, then it makes it available and other users can access it. In a business network, this is typically more structured, because security matters more: not everyone should have access to all of the content. So clients generally have to authenticate, that is, log in to prove who they are, and the server then authorizes them, deciding what that identity is allowed to do. So you can be authorized to access this file but not that file; on a Windows file server that is the combination of share permissions and NTFS permissions, and on a Unix system it is the file-system permissions behind NFS or Samba. Whatever the platform, a file share should not be reachable from the Internet; SMB in particular belongs behind the firewall, with signing and, where supported, encryption turned on. This is set up by a network administrator, whereas in the home network there really isn't a dedicated administrator.
So it certainly depends on the implementation that you feel you need. But again, business networks typically tend to implement the more dedicated servers that are a little more controlled by some kind of administrative entity. And you just don't generally see that in a home environment.
Print Servers
Now, in this presentation we'll take a look at print servers, which, as their name indicates, are used to manage print requests. And provide clients with printer queue status information as to the availability of a printer, for example. And these are very commonly used in both the large enterprise network and the small or home network. But in the large environment it is typically a single dedicated computer that can manage hundreds of printers.
And you might even have multiple dedicated servers depending on the size of the environment. But in the small or the home network, it might be a dedicated system that still hosts the printer. But then it shares it with other users. Or you might have a network device, many small office, home office, or SOHO routers include a print server capability. Whereby the printer simply is available to all users on the network through the router. So again, the types of print servers are typically dedicated servers, again, in the larger environments. And you can have as many as you want.
[Video description begins] A diagram is displayed in which file and print servers are connected to a printer and four PCs are labeled as clients. The first PC is connected to file and print servers, which is further connected to the printer through data for printing. The second PC is also connected to file and print servers. The third PC is connected to file and print servers through user files. The fourth PC is connected to file and print servers through login request. [Video description ends]
But any one print server in a large network environment can handle many, many printers and many, many requests. They, typically, involve some kind of a login in the larger network so that you can authenticate. And, again, you then have permissions to access maybe just this printer or that set of printers. But that can all be controlled and managed in a network environment so that certain people can print to these printers, but other people cannot print to those printers.
Now, you may still have network devices that also control the printers and even client computers. Again, any client generally has the ability to share its printer. If, for example, you just had a local printer attached to your system, and it was just a regular desktop, you could maybe share that printer with a few other people that are, perhaps, close to you. But it's really up to the administration of any given environment as to how that is implemented. But once a client does establish a connection through to a file or print server, then they can quite simply print to the printers managed by that server. And I actually should mention that it's not uncommon at all for print servers to also be file servers and vice versa.
It's a very common coupling in network environments. Now there are also the printing protocols that the print server and its clients speak. On a Windows network, shared printers are reached over SMB through the print spooler service; Unix and Linux systems have the Line Printer Daemon protocol, LPD, on TCP port 515; and the Internet Printing Protocol, IPP, carries print jobs over HTTP on TCP port 631, or over HTTPS as IPPS. Despite the name, IPP is not only for the Internet. CUPS on Linux and macOS and most modern network printers use it on the LAN, and it is the one of the three that works naturally across the Internet, precisely because it is just HTTP. One practitioner note: the spooler is a privileged service that accepts jobs, and on Windows printer drivers, from many clients, so keep it patched, disable it on servers that do not print, and restrict who may install drivers or add printers.
Looking at some pros and cons of print servers, on the pros side, it's generally very easy to add client systems and printers to a print server. For example, if you are in a Windows network running Active Directory and one of your servers is hosting a printer, virtually any client who has permission can connect to that printer and start submitting print jobs. There are typically no restrictions with respect to the number of clients. Now any administrator can certainly restrict based on who you are and what permissions you might have. But the server itself would not care about the number of connections.
And administration is easily able to manage the print queues. They can see which jobs have been submitted. And if there is a problem, they can perhaps delete one of the requests out of the queue. Maybe it's caused it to lock up. They can reorder the job so that a small job might print sooner than a very large one. But on the con side, there could be a lack of support for some of the multifunction printers. So you could certainly print to it still, but you might not be able to access, for example, the scanner. The users may not be able to confirm the print status. So typically you might see on a home computer with a home printer that a little message comes back to tell you that the job has been successfully printed.
That may not be available in certain cases, depending on the make and model and the operating system that's being used. But you may have to actually just physically go to the printer to verify that it has printed. And there may be some port compatibility issues and limitations, again, depending on the operating system, and the make and model of the printer itself. I doubt that would be much of an issue these days. But for example, an older printer might have a physical interface that is no longer available on a very new server. So you might run into issues there. But most printers these days operate over a USB interface or a network interface, which would be just about universally available in most environments. So you typically won't encounter too many issues on the con side.
DHCP Servers
Now in this presentation, we'll take a look at DHCP servers, which implement the Dynamic Host Configuration Protocol. And this is used to automatically provide and assign IP addresses and other information that we'll see in a moment to your client systems. So clients rely on the DHCP server to provide this information to them. So they request an IP address and the server supplies one.
[Video description begins] DHCP is required to respond to client queries. [Video description ends]
Now, this is a bit of a noisy process, because a client that does not yet have an IP address cannot address a unicast packet to a server it does not know. So the first exchanges are broadcasts: the client sends from 0.0.0.0 to 255.255.255.255, UDP port 68 to port 67. So it's a little bit noisy, but it doesn't take very long. And once you have the IP address configuration, the broadcasting stops and later renewals are unicast. We'll take a look at each of those requests and responses on the next slide.
But again, it's noisy at first, and especially if a lot of clients are all booting up at the same time it can get even noisier. But I do want to stress that this only happens, in most cases, the first time that you request an address. Once you get an address, in theory, you could keep that address forever, and I'll clarify that in a little bit as well. But with respect to that process, it begins with discovery.
[Video description begins] DHCP Discovery Process [Video description ends]
So essentially, this means that the client boots up and realizes that its adapter has been configured to request an IP address automatically. This means invoke the DHCP process. So the first message is what's known as a discover packet, and this is the client just looking for a server. So again, it is a broadcast, so all systems on the segment will hear it, including all DHCP servers. Now you may only have one. But in larger environments it is not uncommon to have multiple DHCP servers, and a DHCP relay agent on the router forwards the broadcast to servers on other subnets. The servers will then send back offers. These inform the client that the service is available and that they have a configuration for it to use. Because anything on the segment can hear a discover and answer it, a rogue DHCP server, accidental or malicious, can hand clients a bad gateway or a bad DNS server; managed switches counter this with DHCP snooping, which only trusts offers arriving on designated ports. So again, if you only have one server, you'll only get one offer, but you might get several. In that event, the client will send a request which basically says, that looks good,
[Video description begins] Client uses discovery process to request network configuration data, including an IP address. [Video description ends]
I'd like to use that configuration. The request is also a broadcast, and it carries the identifier of the chosen server, so if there is only one server it gets the request, and if there are several, the servers that were not chosen see that they lost and withdraw their offers, returning those addresses to their pools. The chosen server records the lease and sends back an acknowledgement to the client, which basically says, I have registered the fact that you are using that address configuration. A server that cannot honour the request sends a negative acknowledgement, a NAK, instead, and the client starts over. And that's pretty much the end of the process. Now you have an IP address, and the configuration data is registered on both the client and the server.
And all of the broadcasts can stop at this point. So then as mentioned, even if you shut down your system and you boot up, let's say, the next day, then in most cases you still have that same address. So you don't have to go through this process again. So it's not like it happens every single time you boot the computer. And in fact, if you were to never turn your computer off, you could end up using that same IP address in theory forever. So again, it's not like it's happening all the time.
[Video description begins] Network Configuration Information [Video description ends]
Now the information that you receive includes the IP address, which, of course, is necessary. The subnet mask, which is also necessary so that you know which addresses are on your own subnet. And usually a default gateway. Now that wouldn't be 100% required in an isolated lab, for example, where there may be no gateway at all. But in most implementations it's pretty common to get the default gateway. And usually the IP address of one or more DNS servers so that you can resolve names; other options such as the domain search list or NTP servers can be included too. Now the other component that you get is what's known as a lease time, and this is the period during which the client may use the allocated IP address. Defaults vary: a Windows DHCP server hands out 8-day leases, while many SOHO routers use a day or less.
So, taking a week as the example, that configuration is valid for one week. And in fact, if you boot up every day, Monday to Friday, then in reality that lease will never expire, because at 50% of the lease duration (the T1 timer) the client sends a unicast request back to the server that issued the lease in the first place. As long as it can contact that server and everything checks out, the lease is refreshed for another week, and the same thing happens at half duration again. So as long as you and the server remain healthy, you keep re-requesting the same configuration and, as mentioned, in theory keep it forever. If for some reason the client cannot contact the issuing server at T1, it keeps retrying, and at 87.5% of the lease (the T2 timer) it falls back to broadcasting its request so that any DHCP server on the segment may extend the lease, because maybe the original server just had to be rebooted. If the lease expires entirely, the client must stop using the address.
But when the server comes back up and you reboot again, then it will still invoke the same process. So that might involve some broadcasts. But in most cases, you will keep the same address from the same DHCP server for usually a fairly long time. Now DHCP scopes are what you configure on the server. This represents a valid range of IP addresses that are available for assignment. Now it can be really any number of addresses, depending on the size of the network. But it's usually up to an administrator to say these are the ones that I want to use. And in many cases it might not include all available addresses, because you might have servers or routers or other networking components that have statically configured addresses. So those ones should never be handed out by the DHCP server.
So it's just any range that clients can use. So again, you configure these on the server to specify which addresses are available to your clients. And you can configure the scope to allow or deny particular clients. In other words, you can state that a system should not get an address based on its MAC address, or on the vendor or user class it announces (DHCP options 60 and 77), which is how the server can tell, say, an IP phone from a laptop, or one operating system from another. One caveat: a MAC address and a class identifier are both trivial to spoof, and a denied device can simply set a static address, so DHCP filtering is an administrative convenience, not a security control; keeping unknown devices off the network is a job for 802.1X or switch port security. Now again, this is up to an administrator. You don't need to allow or deny any particular system for any specific reason other than what you feel to be appropriate. So if you want to, you can ensure that this particular system never gets an IP address.
Or you can kind of go the other way around and you can even state that this particular system will always get the same IP address. And in fact, that's known as a reservation. But again, all of that's up to you. You can define the scopes however you want with respect to which addresses to use and which clients will receive them.
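The discover/offer/request/acknowledge exchange, the lease timers and the scope configuration described above, as an added example that is not code from the course or from any DHCP implementation: a toy server holds a scope with excluded and reserved addresses and a MAC deny list, a client-side function runs the exchange against one or several servers, and each lease carries its T1 (50%), T2 (87.5%) and expiry times. The 192.168.10.0/29 scope, the MAC addresses and the simulated clock are assumptions made for the example.

```python
"""Added example (not from the original course): a toy DHCP service that
models the discover/offer/request/acknowledge exchange, a scope with
exclusions and reservations, MAC-based denial, and the T1/T2 lease
timers. Addresses, MACs and the simulated clock are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    ip: str
    mac: str
    issued: int      # simulated clock, seconds
    duration: int    # lease time, seconds

    @property
    def t1(self) -> int:       # renew: unicast REQUEST to the issuing server
        return self.issued + self.duration // 2

    @property
    def t2(self) -> int:       # rebind: broadcast REQUEST to any server
        return self.issued + self.duration * 7 // 8

    @property
    def expiry(self) -> int:   # address must be dropped and DORA restarted
        return self.issued + self.duration


class DhcpServer:
    def __init__(self, scope, exclusions=(), reservations=None,
                 deny_macs=(), lease_time=8 * 24 * 3600, options=None):
        reserved = set((reservations or {}).values())
        # dynamic pool: the scope minus statically assigned and reserved addresses
        self.pool = [str(ip) for ip in ipaddress.ip_network(scope).hosts()
                     if str(ip) not in set(exclusions) | reserved]
        self.reservations = dict(reservations or {})   # mac -> fixed ip
        self.deny = set(deny_macs)
        self.lease_time = lease_time
        self.options = options or {}                   # mask, router, dns, ...
        self.leases: dict[str, Lease] = {}             # ip -> Lease

    def offer(self, mac, now):
        """DISCOVER -> OFFER address, or None. Nothing is committed yet."""
        self.expire(now)
        if mac in self.deny:
            return None
        for lease in self.leases.values():          # returning client: same address
            if lease.mac == mac:
                return lease.ip
        if mac in self.reservations:
            return self.reservations[mac]
        for ip in self.pool:
            if ip not in self.leases:
                return ip
        return None                                  # pool exhausted

    def ack(self, mac, requested_ip, now):
        """REQUEST -> ACK (lease committed) or NAK (client must start over).
        A renewal is the same call made again by the lease holder."""
        if self.offer(mac, now) != requested_ip:
            return "NAK", None
        lease = Lease(requested_ip, mac, now, self.lease_time)
        self.leases[requested_ip] = lease             # renewal overwrites the old lease
        return "ACK", lease

    def expire(self, now):
        for ip in [ip for ip, lease in self.leases.items() if lease.expiry <= now]:
            del self.leases[ip]


def dora(servers, mac, now):
    """Client side: broadcast DISCOVER, take the first OFFER, REQUEST it."""
    offers = [(srv, srv.offer(mac, now)) for srv in servers]   # broadcast reaches all
    offers = [(srv, ip) for srv, ip in offers if ip is not None]
    if not offers:
        return None                 # nobody answered; client stays unconfigured
    chosen, ip = offers[0]          # REQUEST names this server; the others withdraw
    status, lease = chosen.ack(mac, ip, now)
    return lease if status == "ACK" else None
```

Servers that were not chosen never committed anything, which is exactly why an offer must not allocate: only the acknowledged request changes the lease table. The deny list shows how thin a control it is; nothing here stops a denied device from configuring a static address.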
DNS Servers
The next common network server that we'll take a look at in this presentation is the DNS server. And DNS stands for the Domain Name System. And DNS servers maintain a directory of domain names. The names are then translated to the corresponding IP address. And this is all based on the principle that domain names are much easier for us to remember than any kind of IP address, particularly when it comes to the Internet. We really don't know the IP addresses of our favorite websites, but we know the name of them. So it's really a service entirely for our benefit. But the TCP/IP protocol requires that the IP address be determined.
So DNS quite literally maps this name to that IP address so that we can contact the appropriate system. So conceptually, this is similar to a phone book. There is no single central registry holding every mapping, though. A domain name is registered through a registrar with the registry that runs its top-level domain, and that registry publishes, in the top-level domain's zone, which name servers are authoritative for the name. No single server could ever manage every mapping, so the whole system is arranged as a hierarchy. In other words, there are servers that operate at what's known as the root level.
They know the servers for the next level down, the top-level domains such as .com, .ca, .us, .gov, .mil, .edu, all of those extensions that we are familiar with. Then within any one of those we find the delegation for a specific registered name such as mywebsite.com, pointing at the name servers that hold its records. A recursive resolver, such as the one at your Internet service provider, answers your query by walking that chain, root, then top-level domain, then the domain's own name server, and it caches each answer for the time to live, or TTL, carried by the record. That caching is why a brand new or changed name can take up to a day or two to be seen everywhere: resolvers keep serving the old answer until its TTL runs out.
[Video description begins] DNS Records [Video description ends]
Now the types of mappings that you'll find within a DNS server include what's known as the Address Mapping record, or simply an A record, A for Address. And this really is the bulk of a DNS database. It specifies the IP address for a given host. So again, this name equals that IP address. Now the same thing exists for IPv6, but the record type is AAAA, four As, because the address is four times as long, 128 bits rather than 32.
[Video description begins] IP Version 6 Address record. It specifies an IPv6 Address for a given host. [Video description ends]
The original A record is for IPv4, which is, of course, still very, very common. A canonical name is, for all intents and purposes, a nickname, an alias.
[Video description begins] Canonical Name records (CNAME) [Video description ends]
This maps one domain name to another, and it's common if you've done an acquisition or a merger and you still want both company names to point to the same site. So it literally is just another name for the same address. One rule to remember: a name that has a CNAME cannot hold any other record, which is why you cannot put a CNAME at the top of a zone alongside its NS and MX records. Some other records include the mail exchanger record, or MX record, which specifies the mail server for that particular domain name together with a preference value, lower being preferred.
And this allows you to quite simply use email. The SMTP protocol, or Simple Mail Transfer Protocol, is used to route email between servers. So if you want to receive email from the Internet, you need an MX record so that the rest of the Internet can find your mail server. When I send an email to somebody at somedomain.com, my server looks up the MX record for somedomain.com and delivers to the host it names, and that host essentially stands up and says, yes, that's me, I handle the email for this domain. Name Server records, or NS, specify what's known as an authoritative name server.
[Video description begins] Name Server Records or NS [Video description ends]
And when you publicly register your domain name, you state which name servers are responsible for maintaining it; the parent zone publishes that delegation, and those servers are authoritative for your zone. This is what stops a stranger from standing up a DNS server and claiming your name: resolvers only follow the delegation chain from the root, so a server nobody delegates to is never asked. Note that the NS record alone does not protect the answers in transit; a forged reply can still be injected toward a resolver, which is what DNSSEC signatures are for. You can, and should, list more than one name server for redundancy. And finally, a Reverse Lookup Pointer record, or PTR, is essentially DNS in reverse.
So in most cases we know the name and look up the IP address, but sometimes you know the IP address but not the name. The reverse pointer works the other way around: the address 203.0.113.10 is looked up as the name 10.113.0.203.in-addr.arpa, and the PTR record there holds the host name. It's commonly used for verification. You take the address, look up its PTR, then resolve that name forward and check that you get the same address back; this is called forward-confirmed reverse DNS, and mail servers use it to judge a connecting host. A PTR does not stop anyone from taking over your domain name; it only tells you whether the forward and reverse mappings agree, and since the owner of the address block controls the PTR, a mismatch is a warning sign rather than proof. But ultimately, DNS is the backbone of resolving names on the Internet so that we can get to the sites that we want, and, of course, find ourselves at the right server.
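The record types from this presentation and the reverse-lookup check, as an added example that is not code from the course or from any DNS server: a small in-memory zone holds A, AAAA, CNAME, MX, NS and PTR records, a resolver follows CNAME chains with a loop limit, and a forward-confirmation function checks that an address's PTR name resolves back to that address. The zone contents are constructed; example.test, 203.0.113.0/24 and 2001:db8::/32 are reserved for documentation.

```python
"""Added example (not from the original course): an in-memory zone holding
the record types described above, a resolver that follows CNAME chains,
and a reverse lookup with forward confirmation. All names and addresses
are constructed."""
import ipaddress


def reverse_name(ip: str) -> str:
    """203.0.113.10 -> 10.113.0.203.in-addr.arpa. (nibbles under ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


ZONE = {
    ("example.test.", "NS"):       ["ns1.example.test.", "ns2.example.test."],
    ("example.test.", "MX"):       [(10, "mail.example.test.")],
    ("www.example.test.", "A"):    ["203.0.113.10"],
    ("www.example.test.", "AAAA"): ["2001:db8::10"],
    ("mail.example.test.", "A"):   ["203.0.113.25"],
    ("merged-co.test.", "CNAME"):  ["www.example.test."],      # alias after a merger
    # reverse entries; the one for .25 does not agree with its forward record
    (reverse_name("203.0.113.10"), "PTR"): ["www.example.test."],
    (reverse_name("2001:db8::10"), "PTR"): ["www.example.test."],
    (reverse_name("203.0.113.25"), "PTR"): ["mail.somewhere-else.test."],
}


def resolve(name: str, rtype: str, zone=ZONE, max_cname: int = 8):
    """Return the records of type rtype for name, following CNAME aliases.

    Names are case-insensitive and compared in fully qualified form.
    A chain longer than max_cname (or a loop) is treated as an error, which
    is what a real resolver does rather than spinning forever.
    """
    name = name.lower()
    if not name.endswith("."):
        name += "."
    for _ in range(max_cname):
        if (name, rtype) in zone:
            return list(zone[(name, rtype)])
        alias = zone.get((name, "CNAME"))
        if alias is None:
            return []                      # no data for this name
        name = alias[0].lower()
    raise RuntimeError("CNAME chain too long or looping")


def forward_confirmed(ip: str, zone=ZONE) -> bool:
    """Forward-confirmed reverse DNS: PTR -> host name -> A/AAAA must contain ip."""
    rtype = "AAAA" if ":" in ip else "A"
    return any(ip in resolve(host, rtype, zone)
               for host in resolve(reverse_name(ip), "PTR", zone))


if __name__ == "__main__":
    print(resolve("merged-co.test", "A"), resolve("example.test", "MX"))
    for addr in ("203.0.113.10", "2001:db8::10", "203.0.113.25"):
        print(addr, reverse_name(addr), forward_confirmed(addr))
```

Note what the confirmation does and does not prove: the reverse zone for a block is controlled by whoever holds the address space, so agreement says the two owners cooperated, while disagreement (as for 203.0.113.25 here) is a reason for a mail server to treat the host with suspicion.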
Proxy Servers
In this presentation, we'll talk about proxy servers, which are systems that access some other server, usually an Internet website, on behalf of a client. And really, if you think about it, that's what proxy means: I'll do that for you. This enables caching, filtering and security for Internet access, which we'll talk about in greater detail in a moment. But essentially, a client system is configured to submit its requests through the proxy, so it does not have direct access to the Internet. The request is sent to the proxy server, and the proxy opens its own connection to the destination and sends the request from its own address. So the repackaging, for the most part, means the request leaves with the proxy's source address rather than the client's, because it's the proxy, not the client, that should receive the response.
So the response comes back from the Internet web server to the proxy, and the proxy then returns it to the original client. So the client still gets to the site, and it might not even know it went through a proxy; a transparent proxy sitting in the network path needs no client configuration at all. But ultimately the experience is the same. It's just that the proxy server went and got the site for you. In terms of content caching, one of those features, proxies can act as caching servers, which means that when any user submits a request through the proxy, the proxy can go out to the Internet, or just an intranet, to the origin server where the content resides and retrieve whatever was requested. The content engine then hangs on to that data, so that if another user requests the same site, the content is served from the proxy and the request never goes out to the Internet at all.
This results in much greater performance, because the site requested by the second user comes back essentially at LAN speed, not Internet speed, and it saves Internet bandwidth. Now, if the second user requests different content, the proxy still has to go out and get it. But the content engine keeps caching up to some configured limit, which an administrator usually sets, and because people in the same environment often request the same content, a lot of requests end up being answered locally. Cached responses are only kept for as long as the origin allows, which is what the Cache-Control headers on a response govern; caching something the origin marked no-store, or caching one user's personalised page and serving it to another, is a security bug, not a performance win. Now, you can also have what's known as a dedicated caching device, which just means that this is all it does.
In other words, it's not concerned with any kind of filtering or any kind of security. It just caches content. And in many cases, the dedicated caching system might be used in conjunction with either another proxy server, or perhaps a dedicated firewall that is responsible for doing all of the security. So its job quite literally is to do nothing but cache the content. And these typically have larger caches so that you get a better ratio of hits coming from the cache as opposed to always having to go out onto the Internet. Now, that's up to you if you want to enable just caching servers. Most proxy servers can also cache.
[Video description begins] Proxy Content Filtering and Security [Video description ends]
So then finally, with respect to security, proxy servers are in fact typically implemented for security purposes. They can perform content filtering: they examine requests and responses and decide what is allowed through. Since all web requests go through the proxy, it is essentially the only device that's allowed out through the firewall. This means that clients cannot directly reach the external network or the Internet; everything has to go through the proxy, which gives you a single point of filtering, logging and security. Bear in mind that this only holds if the firewall actually blocks direct client egress; a proxy setting on the client alone is a suggestion, not a control.
So there are a number of different features that you can configure as an administrator. You can specify that certain domains are not allowed to be accessed, such as social networking sites, for example. It's not that they're bad per se, but you don't want your people at work spending all day social networking, so you can filter them out. If you know that a certain site is a scam, then you can block that. You can block based on IP address, domain name, or various other criteria. And in many cases the proxy can examine the content as well to ensure that it is what it's supposed to be. So not only can proxies provide better performance, they help to ensure the overall security of your network environment. Because a packet-filtering firewall, all by itself, decides on addresses, ports and connection state; it does not know which site or what content a connection carries. Proxies work at the application layer and can examine the request itself. With HTTPS, an explicit proxy sees only the CONNECT request with the destination host name, so it can still filter by domain, but inspecting the content inside the TLS session requires TLS interception with a proxy certificate authority trusted by the clients, which should be a deliberate, documented policy choice.
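The filtering and caching decisions described above, as an added example that is not code from the course or from any proxy product: a policy object blocks by domain (subdomains included) and by IP network, caches cacheable HTTP responses for a configured time, never caches HTTPS, which an explicit proxy only tunnels, and keeps hit, miss and blocked counters. The block lists, URLs, stand-in origin function and clock values are assumptions made for the example.

```python
"""Added example (not from the original course): the per-request decisions
of a filtering, caching forward proxy. Block lists, URLs, the stand-in
origin and the clock are constructed for illustration."""
import ipaddress
from urllib.parse import urlsplit


class ProxyPolicy:
    def __init__(self, blocked_domains=(), blocked_nets=(), cache_ttl=300):
        self.blocked_domains = {d.lower().strip(".") for d in blocked_domains}
        self.blocked_nets = [ipaddress.ip_network(n) for n in blocked_nets]
        self.cache_ttl = cache_ttl
        self.cache = {}                       # url -> (expires_at, body)
        self.stats = {"hit": 0, "miss": 0, "blocked": 0}

    def is_blocked(self, url: str) -> bool:
        """Match the host against blocked domains (and their subdomains) or networks."""
        host = (urlsplit(url).hostname or "").lower().strip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:                  # literal IP address in the URL
            return any(addr in net for net in self.blocked_nets)
        labels = host.split(".")
        # "www.social.example" checks www.social.example, social.example, example
        return any(".".join(labels[i:]) in self.blocked_domains
                   for i in range(len(labels)))

    def fetch(self, url: str, origin, now: int):
        """Serve one client request. origin(url) stands in for the upstream
        fetch and returns (body, cacheable). Returns (status, body)."""
        if self.is_blocked(url):
            self.stats["blocked"] += 1
            return 403, b""
        entry = self.cache.get(url)
        if entry is not None and entry[0] > now:
            self.stats["hit"] += 1
            return 200, entry[1]
        self.stats["miss"] += 1
        body, cacheable = origin(url)
        # HTTPS is only tunnelled (CONNECT); the proxy never sees a cacheable body
        if cacheable and urlsplit(url).scheme == "http":
            self.cache[url] = (now + self.cache_ttl, body)
        return 200, body


def demo_origin(url: str):
    """Constructed stand-in for the Internet: a body plus whether the origin
    allows caching (here, anything whose path mentions no-store does not)."""
    return b"<html>" + url.encode() + b"</html>", "no-store" not in url
```

The blocked check runs before the cache lookup on purpose: a site added to the block list after it was cached must not keep being served from cache, and the cache key is the full URL, so two users with different query strings never share an entry.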
Mail Servers
In this presentation, we'll take a look at mail servers, which, of course, are responsible for sending and receiving e-mail on behalf of the clients. Now, there are many different mail server applications available, including Microsoft's proprietary Exchange, and Exim, Postfix and Sendmail, which are open source and are mostly run on UNIX or Linux. But ultimately you do need some kind of software installed to be able to configure and manage the volume of mail that will be going through the servers.
[Video description begins] Messaging Systems [Video description ends]
Now, of course, the mail servers need to work closely with other programs, most notably the client application on the systems of your network. They can run a couple of different protocols. SMTP is the Simple Mail Transfer Protocol, and this is involved only with sending mail: from server to server, and from a client handing a message in for delivery, which is called submission and normally uses port 587 with authentication. If you are working in a proprietary configuration such as Microsoft Exchange, then all mail actually resides on the servers. You can cache copies of the mail locally on the clients, but every message lives in a mailbox that is on the server. So for the most part clients don't really send or receive anything themselves; the messages go from server to server within your environment.
In that case, SMTP is what moves messages between servers, while the client talks to its mailbox over the server's own access protocol, which for Exchange is MAPI rather than SMTP. You just connect to your mailbox and view the messages that are in it. But if you need to retrieve mail to your own computer, then this typically involves either IMAP or POP3, and both of these are receive-only protocols: neither of them can send mail. IMAP is the Internet Message Access Protocol, which keeps the mailbox on the server and synchronizes the client's view of it, and POP3 is the Post Office Protocol, which downloads messages to the client and, by default, deletes them from the server. POP3 is what you often find with a basic e-mail account from an Internet service provider, where the provider does not keep the mail on its servers indefinitely and expects you to download it to your own computer.
[Video description begins] E-mail Security [Video description ends]
Now, typically these days, e-mail needs to be kept secure in many cases, so most modern e-mail systems can encrypt the e-mail traffic as it is sent over the network. And clients can use security features such as certificates and digital signatures to verify the identity of both the sender and the recipient, and to secure the content, so that if the message were intercepted and altered in transit, the alteration would essentially invalidate the digital signature and you would know not to trust it. Very much like if you go to a website that claims to be a particular site but it's just a hacked version.
The signature, the certificate, is simply invalid. Now this depends on the environment. It depends on the level of security. You typically don't have to secure every message, but certainly there could be scenarios where a particular message might contain confidential information, so you do need to keep it secure. Now again, in many cases this is a separate service; in a lot of environments it's what's known as certificate services. And that's implemented separately from the e-mail, but they integrate with each other so that you can obtain a certificate to use to help secure the messages and protect the content.
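As an added example, not code from the course, here is a stripped-down model of the sign-and-verify check just described. It uses textbook RSA with two small fixed primes and no padding purely to show the mechanism, so it is not a usable signature scheme; a real client would use a certificate-backed signature such as S/MIME. The message fields and addresses are constructed.

```python
import hashlib

# Toy textbook RSA with small fixed primes and no padding: constructed to
# illustrate the mechanism only, not a usable signature scheme.
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def canonical(msg: dict) -> bytes:
    """Bytes that get signed: the identity headers plus the body, so that a
    changed sender address is caught just like an edited body."""
    return "\n".join(f"{k}:{msg[k]}" for k in ("From", "To", "Subject", "Body")).encode()


def digest(msg: dict) -> int:
    return int.from_bytes(hashlib.sha256(canonical(msg)).digest(), "big") % N


def sign(msg: dict, d: int = D) -> int:
    """Sender side: sign the digest with the private exponent."""
    return pow(digest(msg), d, N)


def verify(msg: dict, signature: int, e: int = E) -> bool:
    """Recipient side: recover the digest with the public exponent (in practice
    taken from the sender's certificate) and compare it with a fresh digest of
    what actually arrived. Any change to headers, body or signature fails here."""
    return pow(signature, e, N) == digest(msg)


# Constructed sample message and the signature the sender would attach to it.
ORIGINAL = {"From": "alice@example.com", "To": "bob@example.com",
            "Subject": "Invoice 1042", "Body": "Please pay 1,250.00 to account A."}
SIG = sign(ORIGINAL)


def tampered(field: str, value: str) -> dict:
    """A copy of ORIGINAL with one field altered in transit; the signature is unchanged."""
    return {**ORIGINAL, field: value}


if __name__ == "__main__":
    print("original verifies:      ", verify(ORIGINAL, SIG))
    print("altered body verifies:  ", verify(tampered("Body", "Please pay 1,250.00 to account B."), SIG))
    print("altered sender verifies:", verify(tampered("From", "someone@example.net"), SIG))
```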
Authentication Server
Now in this presentation, we'll talk about the process of authentication and the devices that can perform this process. But when it comes right down to it, authentication in and of itself is simply the process of determining that someone or something is true, genuine, or valid. In other words, prove to me that you are who you claim to be, or that this is what it claims to be. Now many authentication systems may be as simple as requiring a username and a password. And if you have worked in an office environment, then you are likely very familiar with this. When you log in in the morning, you simply start your computer, and you have to enter a username and a password. And this works for authentication because you have to supply the correct username, and hopefully you are the only one who knows your password.
So the server can compare what you supplied to what's stored in its own internal database and essentially say yes, that information matches what I have, in which case you are authenticated. Or it can say no if, for example, you typed in the wrong password, and it might prompt you again. But until you enter the correct password, you are not authenticated. Now, in a higher-security environment, systems might require additional information such as a security token, a biometric verification such as a retinal scan or a fingerprint, or maybe a smart card. And this is typically known as multifactor authentication, because it needs more than just the username and the password. So an Authentication Server is really just the entity responsible for performing that authentication. It gives you the ability to identify yourself, and then access the network as per the permissions that you have been assigned. So the types include a dedicated computer, and if you are familiar with working in a Windows Active Directory environment, then that system is known as the domain controller.
But that's not the only thing that can provide authentication. Ethernet switches, access points, or any other kind of network access server such as a VPN server can all authenticate your request, and it can be based on a number of different characteristics. The Ethernet switch, for example, might need to see a specific MAC address. If it doesn't, you aren't allowed to connect. So this could prevent someone from bringing their laptop from home, for example, and connecting it to the workplace network. An access point, of course, could also ask for a MAC address, but generally it needs a username and a password as well. And again, network access servers are typically used for things like VPN connections, and they almost always require a username and a password. So there are lots of things that can prompt you for this information, and you have to provide it. If it's correct, you are then authenticated; you have proven your identity. If it's incorrect, you simply are not allowed access.
Syslog
Now, in this presentation, we'll take a look at what's known as Syslog. And this is a protocol that enables network devices to send event messages to a central logging server. For example, network appliances may send event information via Syslog messages to be logged on the Syslog server. And most network devices, such as routers or switches, can send Syslog messages. But essentially, it's just a centralized gathering point for all of the information about what is happening on these devices. This way you don't have to go to each device and examine its own logs to get a picture of what's been going on in the network environment. You can collect everything in a central location. Now, Windows-based servers do not support Syslog natively. They require a third-party tool to collect information to be forwarded to a Syslog server.
But I do want to make one clarification here, actually two. For starters, Windows-based servers in an Active Directory environment do have a folder called Syslog. The domain controllers use this folder to replicate files from domain controller to domain controller. So even though there is a Syslog directory, that's a different process, okay. It's not related to this Syslog. And the other clarification is that Windows-based servers do actually support collecting the logs from the servers or even the clients on a central system, so that you can effectively forward the logs from one Windows computer to another one. But, again, that is specifically for what's known as the event logs in Windows, whereas Syslog messages are the logs from things like network devices. So again, there are similar processes in Windows, but the Syslog directory, the folder, does not have anything to do with the Syslog protocol.
And event log forwarding is sort of a native process in Windows that's similar, but it is purely for the Windows event logs. So looking at the process, there are Syslog messages that are sent from the network devices. They all have logging information. Almost all of them can keep track of what's been going on on the device itself, so they know when a user tries to access a specific port on the firewall. They know when a request comes in over the router. They know when a print job was submitted, or when a proxy server was accessed, so almost every device keeps some kind of internal log. So the messages containing that information are then sent to the Syslog server, and this is simply a central repository. So based on the Syslog messages, administrators can monitor or troubleshoot the devices if necessary, because it's not just security information. It really could be anything. If the device encounters a problem, then it can log that information and submit it via Syslog to the server. And you can then notify administrators via alerts if particular events occur.
So some of them, of course, might be more important than others, and it's up to you to decide which kind of device or which kind of event is of the most importance to you. But this allows you to be a little bit more on top of what's going on in your environment. Now one thing to note is that Syslog messages are only ever sent from the devices to the server. In other words, the server does not have any means to poll the devices, okay. So you have to configure the device to send the message to the Syslog server. So in terms of the components, you do have the Syslog listener, and again that indicates that it is just that one-way communication. The listener is used to gather the Syslog data that is sent over UDP. So if there's a firewall between the device and the Syslog server, you need to make sure that port is open.
Then the database stores all of these messages and allows for quick retrieval so that you can locate any particular message. And, of course, there's management software involved that allows you to filter and view the important log messages. So again, you can generate queries, if you will, to just look for specific types of entries. And, of course, you can generate those alerts and notifications, so that if the switch is accessed by a MAC address that it shouldn't have been, I can be alerted about that. If the firewall encounters a request over a port that is closed over and over and over again, it can indicate somebody trying to intrude into the network. So, again, what you consider to be important is up to you, of course. But the management software allows you to configure and inform all of the necessary people when those types of events occur.
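As an added example, not code from the course, the following Python shows the two pieces of the collector this section describes: a parser for the classic BSD-style syslog line that decodes the facility and severity out of the priority prefix, and the "closed port hit over and over" alert run over a few constructed messages. The firewall drop wording, hostnames and addresses are constructed; real appliances word their messages differently.

```python
import re
from collections import Counter
# BSD-style (RFC 3164) syslog line: "<PRI>Mmm dd hh:mm:ss host tag[pid]: message".
LINE_RE = re.compile(r"^<(\d{1,3})>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d (\S+) [\w-]+(?:\[\d+\])?: (.*)$")
# Constructed netfilter-style drop message; real firewalls word this differently.
DROP_RE = re.compile(r"DROP .*SRC=(\S+) .*DPT=(\d+)")


def parse_line(line: str):
    """Decode one line into facility, severity, host and message, or None for
    text that is not syslog. PRI = facility * 8 + severity and is at most 191."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return {"facility": pri // 8, "severity": pri % 8, "host": m.group(2), "msg": m.group(3)}


def closed_port_alerts(lines, threshold=3):
    """The alert the text describes: the same source hitting closed ports over and
    over. Returns one alert per source, raised when its count reaches threshold."""
    hits = Counter()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        m = DROP_RE.search(ev["msg"]) if ev else None
        if not m:
            continue  # not syslog at all, or a message that is not a firewall drop
        src, dport = m.groups()
        hits[src] += 1
        if hits[src] == threshold:
            alerts.append(f"{ev['host']}: {src} hit {threshold} closed ports (last DPT={dport})")
    return alerts


# Constructed sample traffic: one source probing several closed ports, plus switch noise.
SAMPLE = [
    "<4>Mar  3 09:14:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "<6>Mar  3 09:14:02 sw1 port[2]: link up on Gi1/0/7",
    "<4>Mar  3 09:14:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "this line is not syslog and is skipped",
    "<4>Mar  3 09:14:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389",
]

if __name__ == "__main__":
    print(parse_line(SAMPLE[1]))  # {'facility': 0, 'severity': 6, 'host': 'sw1', 'msg': 'link up on Gi1/0/7'}
    for alert in closed_port_alerts(SAMPLE):
        print("ALERT", alert)
```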
Internet Appliances
In this presentation, we'll take a look at a couple of methods to help enhance the security of your networking environment, beginning with what's known as Unified Threat Management, or UTM. Now this combines multiple security features, and really it exists because there are multiple ways by which a network can be accessed. Most larger networks involve gateways, anti-spyware or anti-virus servers, VPN servers, firewalls, email and anti-spam filtering servers, proxy servers, quality of service and bandwidth management servers, routers, of course, and web servers. So there are different security implementations for all of those, and it can be quite difficult to manage all of them. So a UTM, as its name indicates, is unified. It gives you the ability to control and manage consistent settings across all of those devices. Now it depends on what you're dealing with. You might not be able to configure everything through the UTM. But the devices can at least likely report back to the UTM and inform you of what they've been experiencing.
So the firewall, for example, can report what kind of requests were blocked and which kind were allowed. The proxy server can specify which sites were blocked and which ones were allowed. The anti-virus and anti-spam can report, of course, which viruses or spam were quarantined. So you can basically just get a much better picture of what's going on with all of these different entities. And again, in some cases what you can do is configure policies so that if there are consistent settings across multiple devices, you can implement that setting in a single place. So you can configure perhaps the firewall and the content filter with the same information. So again, it depends, but in many cases this does allow centralized management of all of the devices that are standing guard for your network. Now the next type of implementation is what's known as an IDS, or Intrusion Detection System. What this does is monitor the network and the systems on it for malicious activity. Now malicious in and of itself can be difficult to determine.
So what it monitors for in most cases is what's out of the ordinary. In other words, it quite literally learns what the normal traffic tends to look like. And if something then happens that is out of the ordinary, that is certainly considered to be at least suspicious. And if it continues to happen, then it might indicate that there certainly is a problem. But the two primary configurations for an Intrusion Detection System are network-based or host-based, and they're referred to as NIDS and HIDS, the IDS in both cases standing for Intrusion Detection System. This is similar to firewalls. A network-based IDS is usually a dedicated device and everything behind it is protected, whereas a host-based IDS is a software application running on a specific computer. And it may not provide protection as good as the network-based one, but it's certainly better than nothing. Now there is another level above this, if you will, which is known as the Intrusion Prevention System, or IPS. And this is a network security/threat prevention technology.
And prevention is actually the key word. The IDS is only detection. In other words, it does not do anything to actively stop whatever is happening. So it's very reactive. You have to be on top of it. You have to check it out, and you have to see that this strange activity seems to be happening. So if you wanted to stop it, you'd have to be right there. But the IPS can detect and prevent vulnerability exploits. So it's proactive. You can implement something that will at least attempt to stop the attacker from getting in. Now, again, depending on the make and/or the model, it might just do one or the other, but most of them these days actually do both. So it can just sort of keep an eye on things and learn; that's the detection. But then when it looks like something is actually happening that looks like an intrusion, it can flat out stop it, or at least try its best, to give you the highest level of network protection.
Legacy Systems
In this presentation, we'll talk about what's known as Legacy Systems. And you may have heard the term fairly often, but Legacy quite literally refers to something that is old, outdated, or even unsupported. And networks these days can consist of a mix of old and new hardware, software, or services. So it's really dependent on what you're doing and what you needed this Legacy device, or system, or application for in the first place. But Legacy Systems tend not to be updated. Generally the original vendor just doesn't support them anymore.
So they can be a little bit expensive to maintain, and they often run proprietary software. They may even require specialized programmers to maintain them, but this, of course, depends on what the system's function is. But the reason why they tend to still be around is that they were built or designed for a very specific purpose, and there really just isn't anything else that is suitable to replace them. So again, it depends on the environment. But as long as it works, you don't always have to keep up with the latest and greatest. If it's doing what it's supposed to do and it's reliable, then there's no real reason to get rid of it just because it's old. But one thing I would like to mention is that if it's a little bit older, it could be a security vulnerability.
Older devices and older programs weren't aware of some of the newer security implementations that are around these days, so they could be a vulnerability. But as long as you are mindful of that, you can certainly still take steps to mitigate those vulnerabilities. It's always something to just be mindful of. But again, as long as it's working, there's no reason to get rid of it.