In order to reduce their overheads, a large charity has decided to migrate from Microsoft Windows to a Linux operating system. They see the licence fees charged by Microsoft as exorbitant and a drain on their finances. Whilst they have already decided on the desktop applications to be used, they would like some advice before making a decision about their internal network services. The services they require include a central file system, access to a number of network printers and the ability for users to log in anywhere on the network. This report will look at some of the solutions available for a Linux system, evaluate these solutions and make a final recommendation for implementation by the charity.
Proposals for Account Sharing
Account sharing centralises the application settings, user profiles, group data, policies and access control information for the network. This practice lowers administration costs and increases availability and security within the network. One aspect of account sharing is that user profiles are stored centrally, which allows users to log in and authenticate from any machine in the network. This type of profile is known as a roaming profile and is stored on the network server.
NIS (Network Information Service)
NIS can be used to centralise authentication over a network by creating all of the user logins on a single server, which the user's machine contacts for authentication. After this centralisation has taken place the administrator needs to create a roaming profile for the user. An NFS mount has to be created in order to export the user's profile to the client machines so that it appears to be a local directory on each machine.
The master server on a NIS system creates NIS maps which are replicated to the slave servers within the domain. These maps are databases built from configuration files and are consulted when a client makes a request to a server. At start-up a client broadcasts a request for a server; any server on the network which holds the maps for the client's domain may reply, and once the client 'binds' to the answering server that server deals with all of the client's queries. The ypbind daemon on the NIS client machine performs this binding to any server on the network; the client can also use a directed bind, which restricts it to a single named server. When a lookup is made by a client the /etc files are searched first for group, password and mail alias information, and if the entry cannot be found there the search continues in NIS. (Hewlett-Packard Development Company, L.P., 2004)
Kerberos can be used to set up a roaming profile on the network. It is an authentication system which achieves secure authentication through the use of encryption and a trusted arbitrator. Kerberos issues cryptographic tickets to users to allow them to access network resources without sending their passwords in plain text. The fact that usernames and passwords are encrypted deters even the most persistent attackers, who would otherwise use password sniffing to gain access to a system. The databases and passwords are protected against password database theft. The Kerberos daemons run on a server called the Key Distribution Centre (KDC), which is the trusted arbitrator. The user's password is a cryptographic key and is a shared secret between the user and the KDC. In order to perform authentication Kerberos stores the principals (users) and their secret keys in a database. kadmin and krb5kdc are the two significant daemons run on the KDC. The steps that are taken in Kerberos are:
A request for a ticket is made to the krb5kdc daemon by the user who wants to be authenticated.
The daemon searches for the principal in the principals database.
The principal's secret key is read and used to encrypt a special ticket known as a Ticket Granting Ticket (TGT), which is sent back to the principal.
The principal receives the TGT and, if the principal knows the password, decrypts it and sends the ticket to the Ticket Granting Service (TGS).
The TGS then issues a further ticket which gives the principal the authentication needed to access the network.
Kerberos requires two or more dedicated servers, which can only be accessed by the administrator of the network. It is also a very good idea to lock these servers in a secure room or cabinet and to access them only from an attached dedicated machine. (Brennen, 2004)
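The five steps above can be traced in code. The following is an added example written for this report; it is not code from the essay or from the MIT Kerberos project. It models the exchange with a toy HMAC-based cipher (seal and open_sealed) standing in for the AES encryption types real Kerberos uses, PBKDF2 standing in for the real string-to-key function, and a constructed realm CHARITY.EXAMPLE; the class and function names are assumptions for illustration. It shows the security-relevant point the essay makes: the password never crosses the wire, a wrong password simply fails to open the KDC's reply, and a service can read who the client is from a ticket sealed under the service's own key.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "CHARITY.EXAMPLE"   # constructed realm name (assumption for this example)
TICKET_LIFETIME = 3600      # seconds a TGT stays valid (constructed value)
CLOCK_SKEW = 300            # tolerated clock difference between client and KDC, in seconds


def derive_key(password: str, name: str) -> bytes:
    """Long-term key derived from the password: the 'shared secret' between user and KDC.
    PBKDF2 stands in for Kerberos's own string-to-key functions."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + name).encode(), 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, data: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream XOR plaintext, plus an HMAC tag).
    Illustration only; real Kerberos uses AES-based encryption types."""
    plaintext = json.dumps(data).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    plaintext = bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """The trusted arbitrator: holds every principal's key plus the ticket-granting key."""

    def __init__(self):
        self.principals = {}            # principal name -> long-term key (the essay's 'database')
        self.tgs_key = os.urandom(32)   # key of the Ticket Granting Service, known only to the KDC

    def add_principal(self, name: str, password: str) -> None:
        self.principals[name] = derive_key(password, name)

    def as_exchange(self, name: str):
        """Steps 1-3: look the principal up, return a TGT (sealed under the TGS key) and a session
        key sealed under the user's key. Nothing here contains or needs the password itself."""
        user_key = self.principals[name]          # KeyError for an unknown principal
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": name, "session_key": session_key.hex(),
                                  "expires": time.time() + TICKET_LIFETIME})
        enc_part = seal(user_key, {"session_key": session_key.hex()})
        return tgt, enc_part

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """Steps 4-5: validate the TGT and the client's authenticator, then issue a service ticket."""
        tgt_data = open_sealed(self.tgs_key, tgt)
        if time.time() > tgt_data["expires"]:
            raise ValueError("TGT expired")
        session_key = bytes.fromhex(tgt_data["session_key"])
        auth = open_sealed(session_key, authenticator)   # only a client that opened enc_part can make this
        if auth["client"] != tgt_data["client"] or abs(time.time() - auth["timestamp"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match the TGT or is stale")
        service_session_key = os.urandom(32)
        service_ticket = seal(self.principals[service],
                              {"client": tgt_data["client"], "session_key": service_session_key.hex()})
        return service_ticket, seal(session_key, {"session_key": service_session_key.hex()})


def login(kdc: KDC, name: str, password: str, service: str) -> bytes:
    """Client side: returns a ticket for `service`, or raises ValueError if the password is wrong."""
    tgt, enc_part = kdc.as_exchange(name)
    session_key = bytes.fromhex(open_sealed(derive_key(password, name), enc_part)["session_key"])
    authenticator = seal(session_key, {"client": name, "timestamp": time.time()})
    service_ticket, _enc = kdc.tgs_exchange(tgt, authenticator, service)
    return service_ticket


def password_is_valid(kdc: KDC, name: str, password: str, service: str) -> bool:
    try:
        login(kdc, name, password, service)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kdc = KDC()
    kdc.add_principal("alice", "correct horse battery")         # constructed user principal
    kdc.add_principal("cifs/fileserver", "service-key-secret")  # constructed service principal
    ticket = login(kdc, "alice", "correct horse battery", "cifs/fileserver")
    print("file server sees client:", open_sealed(kdc.principals["cifs/fileserver"], ticket)["client"])
    print("wrong password accepted?", password_is_valid(kdc, "alice", "wrong", "cifs/fileserver"))
```

The KDC never learns whether the client's password was right: it hands out enc_part regardless, and the check happens on the client when open_sealed fails. This is why, in a real deployment, the KDC's principal database and the TGS key deserve the physical protection the essay recommends: whoever holds them can mint tickets for any user.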
Some Advantages and Disadvantages of Proposals for Account Sharing
The advantage of NIS is that it is easy to implement and administer.
The main disadvantage of NIS is that usernames and passwords are sent in clear text. Another disadvantage is that NIS relies upon the installation of NFS to mount the file system on the client machine. (Hewlett-Packard Development Company, L.P., 2004)
The main advantage of Kerberos is that it does not send the user's password or other confidential information in plain text, but protects it with a high level of encryption. Another advantage is that Kerberos centralises the usernames and password details for all users on the network, which eases the administrator's task of maintaining and managing this data.
The main disadvantage of Kerberos is that it must have a dedicated server that no other services can access. Kerberos' capability for redundancy involves having at least two dedicated servers on the network. (Brennen, 2004)
Proposals for File-sharing
File-sharing is a vital part of an organisation's IT infrastructure and provides access to files and databases for users within the network. The central storage of files on shared disks allows users and applications to access files as if they were on the user's own machine.
NFS (Network File System)
NFS facilitates network access to shared directories and files by storing these files and directories on a server. Files that are used by everyone in the network only have to be stored once on the server, and as a direct result the client machines use less disk space. NFS can also be configured to share removable media over the network, which reduces hardware costs. NFS mounts directly into the client's file system tree, so the user will probably not realise that these files are not stored on the local machine. On the server side the shared directories are exported, and on the client side the remote file system must be mounted into the local file system. Several daemons must be running on the server for this system to work, e.g. nfsd, mountd and rpcbind. On the client machine there is a daemon which, whilst not essential, can improve performance; this daemon is called nfsiod. NFS is built on RPC (Remote Procedure Call): a remote procedure call is made when the client machine requests a file, and the response sent back to the client allows it to access the shared files on the server. (Bautts, 2005)
SAMBA
SAMBA is free software which uses the CIFS/SMB (Common Internet File System/Server Message Block) protocol. CIFS can allow remote access for a vast number of computers at any given time, and it can be used to access computers and share files across different operating platforms. The transport protocol used by CIFS is TCP/IP and the access protocol is SMB. SMB is a message format used to share files, and access to those files can be restricted through configuration. SAMBA prompts for a username and password if access to a file has been restricted. Any user who has a configured account on SAMBA will have a home share folder on the SAMBA server, and an automatic backup program can save the user's files to the server. A SAMBA server needs very little administration after the initial setup has taken place. (Collier-Brown, 1999)
Some Advantages and Disadvantages of Proposals for File Sharing
The main advantage of NFS is the centralisation of files to be accessed over the network. Another advantage is that access to files can be granted in different ways, e.g. by IP address, group or user.
The main disadvantage of NFS is that it is based on RPC, which is not secure, and this means that NFS should only be operated on a network behind a firewall. Another disadvantage of NFS is that under heavy network traffic the system slows down considerably. (Webber, 2006)
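Because NFS trusts the network it sits on, the exports configuration is where most of the exposure is decided. The following is an added example, not from the essay or the Linux NFS project: a small parser for /etc/exports in the format documented in exports(5) and an audit that flags exports open to every host, exports that disable root squashing, exports that accept requests from unprivileged source ports (the insecure option), and exports that rely on AUTH_SYS (the client's claimed UID) rather than a Kerberos security flavour (sec=krb5, krb5i or krb5p). The sample exports file is constructed; the function and issue-code names are assumptions for illustration.

```python
import re

# Constructed sample /etc/exports for illustration; the paths and networks are invented.
SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/shared    192.168.10.0/24(rw,sync,root_squash,sec=krb5p)
/srv/finance   *(rw,no_root_squash)
/srv/public    192.168.10.0/24(ro) 192.168.20.5(rw,insecure)
/srv/backup    (rw)
"""

ISSUE_TEXT = {
    "world-export":  "exported to every host; restrict to the LAN or an explicit host list",
    "no_root_squash": "a client's root user acts as root on the server's files",
    "insecure-ports": "requests accepted from unprivileged source ports, so any local user on a client can speak NFS",
    "auth_sys-only":  "AUTH_SYS only: the server trusts the UID the client claims; add sec=krb5p (or krb5i)",
}

_CLIENT_SPEC = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text: str) -> list:
    """Parse exports(5) lines into {'path', 'host', 'options'} entries, one per client spec.
    A spec with no host part, e.g. '(rw)', applies to everyone, as does '*'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, *client_specs = line.split()
        for spec in client_specs:
            m = _CLIENT_SPEC.fullmatch(spec)
            host = m.group(1) or "*"
            options = {o for o in (m.group(2) or "").split(",") if o}
            entries.append({"path": path, "host": host, "options": options})
    return entries


def kerberised(options: set) -> bool:
    """True if any sec= option lists a Kerberos flavour (sec=krb5, sec=krb5i:sys, ...)."""
    for opt in options:
        if opt.startswith("sec=") and any(f.startswith("krb5") for f in opt[4:].split(":")):
            return True
    return False


def audit(entries: list) -> list:
    """Return one report record per export entry that has at least one issue, in file order."""
    report = []
    for entry in entries:
        opts, issues = entry["options"], []
        if entry["host"] == "*":
            issues.append("world-export")
        if "no_root_squash" in opts:
            issues.append("no_root_squash")
        if "insecure" in opts:
            issues.append("insecure-ports")
        if not kerberised(opts):
            issues.append("auth_sys-only")
        if issues:
            report.append({"path": entry["path"], "host": entry["host"], "issues": issues})
    return report


if __name__ == "__main__":
    for record in audit(parse_exports(SAMPLE_EXPORTS)):
        for code in record["issues"]:
            print(f"{record['path']} -> {record['host']}: {ISSUE_TEXT[code]}")
```

Run against a real file with parse_exports(open("/etc/exports").read()). Only /srv/shared passes cleanly: it is limited to one subnet, keeps root squashing, and requires Kerberos privacy, which is the same Kerberos infrastructure the essay goes on to recommend for account sharing.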
The main advantage of SAMBA is that it is free and can be run on a very memory-poor machine. Other advantages of SAMBA include the fact that it does not need a lot of administration time and that there is online support for this system.
The main disadvantage of SAMBA is that it sends usernames and passwords in clear text. (Collier-Brown, 1999)
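Whether a SAMBA server accepts clear-text passwords or unsigned sessions is decided by a handful of parameters in the [global] section of smb.conf. The following is an added example, not from the essay or the Samba project: two constructed smb.conf fragments, one with the weak settings and one corrected, and a check that reads the file with Python's configparser and reports the parameters that permit clear-text or unauthenticated access. The parameter names (encrypt passwords, server min protocol, server signing, map to guest) are real Samba options; the fragments, the workgroup name and the function names are assumptions for illustration.

```python
import configparser

# Constructed smb.conf fragment with the settings that allow clear-text or unsigned sessions.
WEAK_SMB_CONF = """\
[global]
workgroup = CHARITY
encrypt passwords = no
server min protocol = NT1
server signing = disabled
map to guest = Bad User

[homes]
browseable = no
writable = yes
"""

# The same fragment with the four weak settings corrected.
HARDENED_SMB_CONF = """\
[global]
workgroup = CHARITY
encrypt passwords = yes
server min protocol = SMB2
server signing = mandatory
map to guest = Never

[homes]
browseable = no
writable = yes
"""

# Dialects that predate SMB2 and allow the older, weaker authentication exchanges.
LEGACY_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is ini-shaped, so configparser is enough for a read-only audit."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_smb_global(cp: configparser.ConfigParser) -> list:
    """Return a list of findings (strings) about the [global] section; empty means no issue found."""
    section = cp["global"] if cp.has_section("global") else {}

    def setting(key: str, default: str) -> str:
        # Samba parameter names are case-insensitive; so are the values we compare.
        return section.get(key, default).strip().lower()

    findings = []
    if setting("encrypt passwords", "yes") != "yes":
        findings.append("encrypt passwords = no: clients may send the password in clear text")
    if setting("server min protocol", "smb2_02") in LEGACY_DIALECTS:
        findings.append("server min protocol allows SMB1: set it to SMB2 or higher")
    if setting("server signing", "default") != "mandatory":
        findings.append("server signing is not mandatory: unsigned sessions can be accepted")
    if setting("map to guest", "never") != "never":
        findings.append("map to guest lets failed logins fall back to the guest account")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        findings = audit_smb_global(load_smb_conf(text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The check treats an absent parameter as Samba's current default (encrypted passwords on, SMB2 minimum, signing not required, no guest mapping); it is the explicit weak values that matter on an old or hand-edited installation. Run it on a live file with audit_smb_global(load_smb_conf(open("/etc/samba/smb.conf").read())).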
Proposal for Printing
CUPS (Common UNIX Printing System)
This software enables a computer to act as a print server. To provide this service CUPS uses the following components:
A print spooler/scheduler
The scheduler is responsible for dispatching print jobs, processing commands and showing the status of the network printers. It manages all of the network printers and sends print jobs to the appropriate network printer. The scheduler holds configuration files which detail the classes of printers, the HTTP server configuration, the filter system's PPD (PostScript Printer Description) files and the MIME (Multipurpose Internet Mail Extensions) type and conversion files used by the filter.
A filter system
The filter uses the MIME files to convert the data into whichever format is suitable for the printer. This is made possible by two databases that are loaded by the CUPS daemon at start-up: the MIME types and the MIME conversions (the mime.types and mime.convs files).
A backend system
The backend system defines the type of connection the printer is using, e.g. parallel, USB, serial or other.
For network printing CUPS uses "printer browsing". With this feature a client can automatically discover a printer and send print jobs to it via any network server, as long as the server has been configured correctly. For security CUPS can be configured to use the Kerberos authentication system.
The "implicit class" feature in CUPS lets clients send jobs to a class of printers, and the job will be printed on the first available printer in that class. When the same printer is defined on many servers, failover and load balancing are enabled. (Apple Inc., 2007-2010)
Recommendations and Justification
The recommendation for account sharing is that the charity use Kerberos, as this is the more secure system. As the charity will be dealing with finance, security will be of the utmost importance. Kerberos can deal with threats such as password stealing, password database stealing and password sniffing, which are a very real risk to users logging on to a remote system. Although Kerberos requires dedicated servers and this may be more expensive, in the long run protecting the charity's data will be worth the initial extra cost. (Brennen, 2004)
The recommendation for file sharing is that the charity use SAMBA, as this is a very well established system with a lot of online support. SAMBA could also run on any of the older machines that the charity may have, so there would be no additional hardware cost in setting SAMBA up. (Collier-Brown, 1999)
The recommendation for printing is that the charity use CUPS, as it was purposely created for use on UNIX/Linux operating systems and there are operating manuals available from the CUPS website. There is also a large CUPS newsgroup which can give added support if there is a problem. For security CUPS can be configured to use the Kerberos authentication system, which was the recommendation made for account sharing; therefore, if the recommendations are implemented, Kerberos would already be in use on the network. (Apple Inc., 2007-2010)