2.4 Summarize services provided by networked hosts.
- Server roles
- DNS
- DHCP
- Fileshare
- Print Servers
- Mail Servers
- Syslog
- Web Servers
- Authentication, Authorization, and Accounting (AAA)
- Internet Appliances
- SPAM Gateways
- Unified Threat Management (UTM)
- Load Balancers
- Proxy Servers
- Legacy/Embedded Systems
- Supervisory Control and Data Acquisition (SCADA)
- Internet of Things (IoT) Devices
Different roles of servers
A server is a computer that provides a centralized function. A single physical server can have multiple roles or functions. The word “server” can refer to a physical device or to one of the roles that a physical device fulfills.
Virtualization technology can divide a single physical server into multiple virtual servers, each of which can have a single or multiple roles.
If a single physical server cannot provide enough capacity for an application, multiple physical servers can be clustered together to provide a single role.
An end user is typically not concerned with the hardware setup of the servers – he or she just needs access to a specific application.
Let’s look at some server types
Server Type | Description |
Web Server | Hosts websites and website data Delivers website data to end users A web server may have processing technology such as ASP or PHP to interpret advanced website programming languages A web server may interact with a database server to provide necessary data Examples include Internet Information Server and Apache |
File Server | Hosts files for shared drives Can be a Network Attached Storage Device (a special type of server optimized for storing data) A file server will work with an authentication server to enforce permissions on the files. This allows an administrator to control who can access the data. Examples include Windows Server 2019 |
Print Server | A print server manages printers and print queues The printers are installed on the print server The print server connects users with the printers When a user prints a document, it is queued on the print server |
DHCP Server | A DHCP (Dynamic Host Configuration Protocol) server dynamically assigns IP addresses to devices on the network A DHCP server keeps track of the devices that it has assigned IP addresses to A router may provide DHCP server functionality |
DNS Server | A DNS (Domain Name Service) server converts domain names to IP addresses A DNS server keeps a cache of the most requested websites A router may provide DNS functionality |
Proxy Server | A proxy server is an intermediate server between a user and other servers. A user can make requests for websites, files, and other resources through the proxy server. The proxy server will forward the requests to other servers and provide the user with their responses. A proxy server can provide anonymous access, content filtering, and data leak protection A firewall may provide proxy server functionality |
Mail Server | A mail server sends and receives e-mail on behalf of users A mail server can also store e-mails so that users can access them remotely Examples include Microsoft Exchange Server |
Authentication, Authorization, and Accounting Server (AAA) | An authentication server identifies users and provides them with access to resources It also tracks access attempts Examples include Microsoft Active Directory Server and RADIUS |
syslog | Syslog is a standard for message logging A syslog server receives, and stores log messages sent by other network devices |
Internet Appliances
An internet appliance could be a dedicated physical device or could be a software application that runs on a server.
UTM | Unified Threat Management A UTM device provides multiple security functions (instead of having several devices each providing a single function) Features could include -Firewall -Intrusion Detection -Intrusion Prevention -Anti-Virus -Proxy -Data Leak Prevention -VPN |
IDS | Intrusion Detection System An Intrusion Detection System detects attacks that are already taking place inside the network An IDS only detects attacks; it does not prevent or block traffic |
IPS | Intrusion Prevention System Prevents inappropriate content and unauthorized users from entering the network An IPS can slow down the network, accidentally block legitimate traffic, or create a large amount of false alarms An IPS cannot monitor the content of encrypted traffic |
End-Point Management Server | An end-point management server manages “end points” or end user devices Devices could include desktops, laptops, mobile phones, VoIP phones, and printers The server can enforce security policies, install software updates, and monitor user activity Examples include SCCM |
Load Balancer | A load balancer distributes traffic among multiple resources. For example, consider that the Google.com website has only one URL (www.google.com), which would ordinarily point to one IP address. That IP address would ordinarily point to one web server. But one single web server would be overloaded by the traffic; in fact, the Google.com website has millions of web servers. The solution is to install a load balancer in front of those servers. The load balancer can distribute the incoming traffic among all the web servers. A load balancer uses a scheduling algorithm to determine how to distribute traffic among the servers connected to it. Consider a scenario where there is one load balancer and three servers, Server A, Server B, and Server C. There are several types of load balancing algorithms First Come First Served – each request is handled in the order that it arrives; when the servers are busy then additional requests are put on hold. The load balancer sends the first request to Server A, the second request to Server B, and the third request to Server C. The load balancer does not send additional requests to the servers until a server indicates that it has spare capacity (i.e., that it has completed the current request). Round-Robin – each request is handled in the order that it arrives. The load balancer sends the first request to Server A, the second request to Server B, and the third request to Server C. The fourth request is sent to Server A, the fifth request is sent to Server B, and so on. The round-robin algorithm assumes that all the servers have the same capacity, and that all requests are of the same size. If some requests take a server longer to process, they could overload the servers. If one server is more powerful then the rest, it could remain idle for extended periods of time (since all servers receive the same number of requests). Weighed Round-Robin – like round robin, but each server is given a specific weight based on its capacity. For example, if server A is twice as powerful as Server B or Server C, it can be given a weight of two, while Servers B and C are each given a weight of one. Server A would then receive twice as many requests as Server B and Server C. A sticky session allows a load balancer to remember each client (based on their HTTP session). When a returning client is recognized, the load balancer sends that client back to the same server that they were previously connected to, regardless of the server load. This allows the server to maintain the client’s data locally (and not in a central database). This is also known as affinity. Load balancers typically work in pairs or groups. This prevents the load balancer from becoming a single point of failure. In a logical network topology, the load balancer is shown to be connected between the internet and the servers that it is balancing. In the physical reality, the load balancer can be connected anywhere on the network. If a load balancer has 1000 servers connected behind it, it wouldn’t have 1000 physical connections to those servers, but instead would route traffic to them over the local network. Regardless of the load balancer’s location, it must have a good network connection, typically 1 Gbps or 10 Gbps. The group of servers connected to the load balancer can be active-passive or active-active. In an active-active configuration, the load balancer distributes the work among all the connected servers. In an active-passive configuration, some servers remain active (receive work), and some remain passive (do not receive work). In the event of a failure of one of the active servers, a passive server is activated and begins to receive work. An active-active configuration is better because it can quickly respond to surges in traffic and allows the system to fully utilize all its resources. In a Virtual IP scenario, the load balancer does not exist. Instead, all the servers work together to share the workload. Consider that we have three servers: Server A has a private IP of 10.0.0.1 Server B has a private IP of 10.0.0.2 Server C has a private IP of 10.0.0.3 The public IP address is 11.11.11.11 Servers A, B, and C communicate with each other over their private IPs 10.0.0.1, 10.0.0.2, and 10.0.0.3. The servers all set 11.11.11.11 as their public IP, and then elect one server to respond to requests. For example, Server A, B, and C choose to have Server B respond to all requests on 11.11.11.11. If Server B is overloaded, it may communicate this fact with Server A and C (over their private IPs), which designate Server A to temporarily respond to requests on 11.11.11.11. The servers continually ping each other to ensure that all the servers are functional. This form of communication is known as a heartbeat. If Server B were to stop responding within a specific period, Server A and Server C would choose to designate Server A to respond to new requests. The algorithm used to determine which server would respond will vary from scenario to scenario. |
SPAM Gateway | A SPAM gateway is a device that filters incoming e-mail messages and blocks the ones that contain SPAM. |
Proxy Server | A proxy or proxy server is a device that masks the true source of an internet connection. There are several types of proxies An anonymous (forward) proxy hides the source of the internet connection. For example, if a user visits Google through an anonymous proxy, Google’s servers will see the IP address of the proxy as originating the connection, and not that of the user’s PC. A popular website (such as Google) may see thousands or millions of requests from the same proxy and may choose to block them to avoid the risk of abuse or SPAM. A transparent (forward) proxy does not hide the source of the internet connection. For example, if a user visits Google through transparent proxy, Google’s servers will see the IP address of the proxy as originating the connection but will also see the IP address of the user’s PC. A transparent proxy can be used to cache a website. By caching a website, a transparent proxy reduces traffic on a network. A reverse proxy sits in front of a set of web servers. Consider that a website may have a single IP address, but multiple (even millions) of web servers. The reverse proxy filters incoming requests and forwards them to the appropriate server. A reverse proxy can · Provide load balancing · Encrypt data between the proxy and the user’s PC · Compress web content · Cache static web content A proxy can be used to · Cache web content · Filter/restrict users from accessing inappropriate web content · Block malware and viruses · Allow users to access web content that is blocked in their geographic location · Eavesdrop on all content transmitted over the internet connection In a large network, a proxy should be configured to prevent access to malicious websites and enforce the organization’s acceptable use policy. |
Legacy/Embedded Systems
Legacy systems are old systems that can’t be replaced. A legacy system may provide a critical business function. For example, a factory may have an old server that runs its conveyer belts. The factory can’t upgrade the server because a new server is not compatible with the electronics in the belt.
Companies have legacy systems because new software is not compatible with old hardware and new hardware is not compatible with old software, and neither of them are compatible with old equipment. The longer a business waits to change out a legacy system, the harder it is. A business must weigh the harm from the failure of a legacy system against the harm from the failure of a replacement.
Embedded systems are systems that are inside other systems. For example, a fridge or vehicle may have a computer inside it. The hardware and software on an embedded system may be proprietary and not well documented.
We must be careful when connecting a legacy or embedded system to the internet. These systems do not have good security and can be easily hacked.
SCADA stands for Supervisory Control and Data Acquisition while ICS stands for Industrial Control System. These systems are found at power plants, factories, utilities, and other critical forms of infrastructure.
An ICS is designed to operate reliably 24 hours per day, 7 days per week for many years, without interruption. Multiple ICSs can be combined to operate redundantly. An ICS may consist of many PLCs – Programmable Logic Controllers. A PLC is a special type of industrial computer that collects input from sensors, uses an algorithm to make decisions, and send an output to different control units.
For example, a PLC could be connected to a water pump that is filling a tank with water, and a sensor that is monitoring the tank’s water level. The PLC continuously monitors the tank’s water level. When the tank is empty, the PLC directs the pump to pump water, and when the tank is full, the PLC directs the tank to turn off.
Multiple ICSs can be connected to a SCADA system. The SCADA system collects data regarding a process. For example, the SCADA system can collect data from an oil refinery to determine the quantity of crude oil being turned into gasoline and can collect data from thousands of steps along that process. This data is typically sent to a control room where operators can analyse the data and detect discrepancies.
The different components of the SCADA system can be housed close together or may be far apart. SCADA system components may communicate over a standard IP network via copper or fiber links.
Ideally, a SCADA system should be air gapped and isolated from any commercial network. This is not always possible because a SCADA system may control facilities that are physically separated by hundreds of kilometers. For example,
- SCADA system that controls the traffic lights in a major metropolitan city
- SCADA system that controls the power grid in the Northwestern United States
- SCADA system that monitors multiple oil refineries in a state
The SCADA system’s communications should be
- Securely encrypted
- Air gapped and isolated from any commercial network, where possible
- On a dedicated WAN connection where air gapping is not possible due to distances
Yet there are many SCADA systems in use today that are accessible remotely (due to the negligence of the installer or manufacturer), some without a password. It is possible to locate these systems simply by running a port scan.
SCADA should be physically isolated from the commercial network. For example, a nuclear plant should not allow any part of the SCADA network to interact with the plant’s commercial network.
SCADA systems should not communicate wirelessly unless necessary, and where extreme precautions have been taken to ensure that all data is encrypted.
Many components inside the SCADA system may communicate without encryption. An air-gapped SCADA network can be easily disrupted if a malicious user has physical access to any SCADA network equipment or wiring. A malicious individual could splice the wiring between two SCADA system components and
- Disrupt the communication. For example, a conveyor belt is being used to load a truck with fertilizer. A hacker could cut the wire between the PLC and the conveyor belt motor, preventing trucks from being filled. This behavior would disrupt operations.
- Spy on the communication. For example, a hacker could spy on the content of the communication to determine the quantity of oil being refined; the hacker could use this data to predict oil prices on the open market and place trades.
- Substitute inaccurate data inside the communication. For example, SCADA systems are used to control traffic lights in many major cities. These systems connect over unencrypted wireless systems or analog telephone lines. A hacker could disrupt the traffic patterns and bring intersections to a halt.
According to NIST Guidelines for SCADA Systems (NIST Special Publication 800-82), good SCADA security should
- Restrict logical access to an ICS network (using firewalls, multiple network layers, a DMZ, and unidirectional gateways)
- Restrict physical access to an ICS network
- Protect ICS from exploitation (install and test patches when available, disable unused ports and services, restrict user privileges to only those that need it, monitor and audit use of the system, check for file integrity)
- Restrict modification of data
- Detect security incidents (detect security events before they become incidents, detect failed ICS components and overloaded resources)
- Maintain functionality during adverse conditions (ensure that there is no single point of failure, that critical components have redundant counterparts, that the failure of a specific component does not create additional traffic or cascading effects, that if the system is to operate in a degraded state it does so gracefully)
- Restore the system after an incident (organization should have an incident response plan which includes key roles for all individuals involved, a well documented system, back up of all configurations, readily available replacement parts, and support from manufacturers and vendors)
An example of a virus that affects SCADA systems is Stuxnet. The Stuxnet virus
- Infected computers and hid its presence through a root kit
- Infected the firmware on USB drives inserted on those computers (the firmware on a USB drive does not contain any user storage and is typically inaccessible by any form of operating system or antivirus program)
- Searched for and infected any computer running the Siemens Step7 software application (which controls PLCs)
- Once locating a PLC, modified the code on the PLC so that it would cause damage, but returned normal values to the computer (so that the operator was unaware as to the harm that was being caused)
Internet of Things (IoT)
The Internet of Things is a new concept that relates to devices that connect and communicate independently. It refers to devices other than computers. Many of these devices use Wi-Fi to connect to the internet. They do so to provide users with updates and to download firmware updates.
The internet has created a catch-22 scenario in that
- Many consumer devices have become complicated enough to connect to the internet
- The software required to run the devices has become more complicated
- Complicated software frequently experiences additional security vulnerabilities
- To patch the additional security vulnerabilities, the devices must stay connected to the internet to download software updates
As 5G cellular networks become more common, smarter IoT devices will connect directly to the cellular network and not Wi-Fi.
Some of the devices include
- Refrigerator – an example of a smart refrigerator is the Samsung with the Family Hub. The Hub is a touch screen, built into the refrigerator, that allows family members to share updates and calendars in a way that mimics the use of fridge magnets. The Hub also allows users to view recipes, watch television, and play music while cooking.
- Smart Speakers – Smart Speakers refers to a general set of devices with artificial intelligence. A smart speaker can include a device such as a Sonos, which is a battery-powered Wi-Fi connected speaker. When you link the speaker with your cellular phone, you can stream music to it.
More advanced speakers have “tablet” screens. They include Google Assistant, Amazon Alexa, and the Amazon Echo. These smart speakers can display content that you request, including news, videos, and music. They can also connect with other devices such as thermostats and doorbells. - Smart Thermostats – A smart thermostat is a device that uses artificial intelligence to regulate the temperature of a location.
A traditional thermostat has two functions. A user sets the desired temperature on the device. The thermostat continually monitors the temperature of the location. It also directly connects to the heat source. If the temperature of the location is too high, the thermostat does nothing. If the temperature of the location drops below the set temperature, the thermostat instructs the heat source to power on. When the temperature reaches the set point, the thermostat instructs the heat source to power off.
A smart thermostat does the same thing as a traditional thermostat. The only difference is that it monitors the environment and user habits to independently adjust the set temperature. For example, the smart thermostat might lower the temperature when nobody is home to reduce the cost of heating the building. The thermostat might set the temperature based on the user’s physical location. - Smart Doorbells – A smart doorbell is a device that replaces a traditional doorbell. A traditional doorbell has two components: a button and a speaker. When a person presses the button, the speaker inside the house generates a sound.
A smart doorbell replaces the button. It usually takes power from the doorbell wiring.
A smart doorbell may have the following features- Camera that a user can view on their phone or computer
- Two-way communication (speaker and microphone) to communicate with visitors
- Motion sensor
- Camera that a user can view on their phone or computer
The most popular smart doorbell is the Ring doorbell. Most doorbells have limited power, so they only record video when they sense motion.