Ubuntu For Intranet Services - Presentation Transcript
Ubuntu for Intranet Services This work is licensed under the Creative Commons Attribution-Share Alike 3.0 Philippines License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ph/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. By Dominique Gerald Cimafranca [email_address]
Definition
An intranet is a private computer network that uses Internet technologies to securely share any part of an organization's information or operational systems with its employees
Intranet / Internet Setup A (diagram): Internet, Router / Switch
Intranet / Internet Setup B (diagram): Internet, Router, Switch
Parameters
Organization connected through SOHO broadband
Internal IP addresses are RFC1918 private IP addresses
External IP address is dynamic and randomly allocated
May make use of external hosting services with permanent IP addresses
Small internal LAN (<100 users)
Key Intranet server functions
DNS server
DHCP server
Mail server
File server
Print server
Authentication server
Firewall
Web / FTP server
CMS server
DNS
Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDN) to one another
DNS alleviates the need to remember IP addresses
Ubuntu ships with BIND (Berkeley Internet Naming Daemon), the most common program used for maintaining a name server on Linux
Internal DNS vs. External DNS
Internal DNS is designed only to serve clients' DNS queries (primary nameserver)
Limited to the internal domain
Needs to forward queries for other domains (caching nameserver)
Required for accessing public servers
Required for mail services
Use external DNS hosting services
DNS queries (diagram):
Client to internal DNS: Who is www.internal.com?
Internal DNS to client: It's 192.168.11.1.
Client to internal DNS: Who is www.external.com?
Internal DNS to external DNS: Who is www.external.com?
External DNS to internal DNS: It's 54.189.12.11.
Internal DNS to client: It's 54.189.12.11.
Example DNS zone file
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                        2         ; Serial
                        604800    ; Refresh
                        86400     ; Retry
                        2419200   ; Expire
                        604800 )  ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
@       IN      A       127.0.0.1
ns      IN      A       192.168.1.10
www     IN      A       192.168.1.11
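To show how the primary internal zone is maintained in practice, here is an added shell example (not from the slides): it writes a zone for the deck's internal.com with a date-based serial and bumps that serial on every change, which secondaries need in order to pick up the new data. The zone name, addresses and file path are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the slides): maintain the internal zone file for
# the primary nameserver. Zone name, addresses and file path are assumptions.
set -eu

ZONE=${ZONE:-internal.com}
ZONEFILE=${ZONEFILE:-/tmp/db.$ZONE}   # on Ubuntu this would live under /etc/bind/

# Write an initial zone with a date-based serial (YYYYMMDDnn).
write_zone() {
  cat > "$ZONEFILE" <<EOF
\$TTL 604800
@   IN SOA ns.$ZONE. root.$ZONE. (
        $(date +%Y%m%d)01 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
@   IN NS ns.$ZONE.
ns  IN A  192.168.11.1
www IN A  192.168.11.11
EOF
}

# Print the current serial number.
get_serial() { awk '/; Serial/ { print $1; exit }' "$ZONEFILE"; }

# Increment the serial: same day -> bump the nn counter, new day -> today's date + 01.
# Secondaries ignore zone changes unless the serial grows, so never skip this step.
bump_serial() {
  old=$(get_serial)
  today=$(date +%Y%m%d)
  if [ "${old%??}" = "$today" ]; then
    new=$((old + 1))
  else
    new="${today}01"       # also handles a small serial such as the "2" in the slide
  fi
  sed "s/$old ; Serial/$new ; Serial/" "$ZONEFILE" > "$ZONEFILE.tmp" \
    && mv "$ZONEFILE.tmp" "$ZONEFILE"
  echo "$new"
}
```

After editing, validate with named-checkzone (from bind9utils) before reloading BIND.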
DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network service that enables host computers to be automatically assigned settings from a server as opposed to manually configuring each network host
Computers configured to be DHCP clients have no control over the settings they receive from the DHCP server, and the configuration is transparent to the computer's user
DHCP interaction (diagram):
Client: D'oh! My MAC address is 48:24:AC:33:03:21. Who am I supposed to be?
DHCP server: You are 192.168.11.15. Your DNS server is 192.168.11.1. Your default gateway is 192.168.11.254.
DHCP via router vs. DHCP via server
Router:
SOHO router / switches offer a basic DHCP server
Simple to configure, but very limited options
DNS and gateway services usually point back to the router
Server:
Slightly more complex to configure, server must be up before network
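As an added example (not from the slides), the following shell script generates an ISC dhcpd.conf for the "DHCP via server" setup, handing out the intranet server as DNS and the router as gateway exactly as in the deck's DHCP dialogue, and rejecting malformed MAC addresses in reservations. The domain name, lease times, address range and the reservation itself are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): generate an ISC dhcpd.conf for the
# "DHCP via server" setup. Addresses match the deck's DHCP dialogue; the domain
# name, lease times, range and the reservation list are assumptions.
set -eu

SUBNET=192.168.11.0
NETMASK=255.255.255.0
RANGE_START=192.168.11.50     # dynamic pool; reservations sit outside it
RANGE_END=192.168.11.200
DNS_SERVER=192.168.11.1       # the intranet server running BIND
GATEWAY=192.168.11.254        # the SOHO router
DOMAIN=internal.com

# Reject malformed MAC addresses before they reach the config: a typo here
# silently hands the reserved address to the wrong machine.
valid_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit a fixed-address reservation for one host (hostname, MAC, IP).
dhcp_reservation() {
  valid_mac "$2" || { echo "bad MAC for $1: $2" >&2; return 1; }
  printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' "$1" "$2" "$3"
}

# Emit the complete configuration: global options, the LAN subnet, reservations.
dhcp_conf() {
  cat <<EOF
authoritative;
default-lease-time 600;
max-lease-time 7200;
option domain-name "$DOMAIN";
option domain-name-servers $DNS_SERVER;
option routers $GATEWAY;

subnet $SUBNET netmask $NETMASK {
  range $RANGE_START $RANGE_END;
}
EOF
  # constructed reservation for the client in the deck's dialogue
  dhcp_reservation buboy-pc 48:24:AC:33:03:21 192.168.11.15
}
```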
A Mail Transfer Agent (MTA), also known as a Simple Mail Transfer Protocol (SMTP) daemon, is a program that transfers mail from one system to another
Postfix is the default Mail Transfer Agent (MTA) in Ubuntu
Other MTA programs: Exim4, Sendmail, and Qmail
MTA operation (diagram):
MTA: This message is meant for buboy@internal.com. Cool. I'll keep it in his mailbox here.
MTA: This message is meant for gaga@external.com. Okay. I'll send it to the mail server of external.com.
How about email from outside? (diagram: External Mail Server, Internal Mail Server, Fetchmail)
External mail server: This message is meant for buboy@internal.com. Okay. I'll keep it here.
Fetchmail (on the internal mail server): It's 9:00. I'm collecting all the email you got.
IMAP
An Internet Message Access Protocol server allows a local client to access e-mail on a remote server.
IMAP supports both connected (online) and disconnected (offline) modes of operation
Alternative older protocol is Post Office Protocol (POP)
Ubuntu can use either Dovecot or Courier IMAP
Other considerations
Email clients: client-based applications or web-based front end?
Spam filtering
Digital certificates for encryption and authentication
Mailbox quotas
Shared address books
Evolution
SquirrelMail
Samba
File and Print Services for Unix/Linux
Samba is a free software re-implementation of SMB/CIFS networking protocol
Samba provides file and print services for various Microsoft Windows clients
Can integrate with a Windows Server domain as Primary Domain Controller or domain member
Can also integrate with Active Directory domain
File-and-Print Services (Samba diagram)
Do away with traditional file sharing!
Insecure
No accountability
No version management
No organization
Inefficient use of disk space
CUPS
The Common Unix Printing System (CUPS), a modular printing system for Unix-like computer operating systems, allows a computer to act as a print server.
A computer running CUPS is a host that can accept print jobs from client computers, process them, and send them to the appropriate printer.
Primarily for Unix clients and Unix servers
Printing considerations
Who's allowed to print?
What time can they print?
Printing quotas
Physical security
Printer compatibility with Linux (see http://www.linuxprinting.org)
Centralized authentication
Manage users from one single location
Define access to services within the intranet
Single sign-on for applications
Security restrictions
Backup authentication servers
OpenLDAP
LDAP is an acronym for Lightweight Directory Access Protocol; it is a simplified version of the X.500 protocol
LDAP can be used in numerous ways: authentication, shared directory (for mail clients), address book, etc.
Interoperates with Active Directory (via Samba)
Pluggable authentication for Linux clients
Kerberos
Kerberos is a network authentication system based on the principle of a trusted third party
The other two parties being the user and the service the user wishes to authenticate to
Not all services and applications can use Kerberos, but for those that can, it brings the network environment one step closer to being Single Sign On (SSO)
Applications need to be kerberized (e.g., Apache's mod_auth_kerb and PHP's kadm5)
Firewall
The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server
The default firewall configuration tool for Ubuntu is ufw
IP Masquerading allows machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading
Server-based vs. router-based
Server-based:
Server-based firewalls are more complex to install
More flexibility in configuration
Logging capabilities
Router-based:
Pre-installed, simple to configure
Limited configuration options
No logging capabilities
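To make the server-based option concrete, here is an added shell example (not from the slides) that builds a ufw rule set for the intranet server and the NAT rule needed for IP masquerading. Interface names, the LAN prefix and the list of opened ports are assumptions drawn from the services the deck lists (DNS, DHCP, mail, Samba, CUPS, LDAP, Kerberos, web).

```shell
#!/usr/bin/env bash
# Added example (not from the slides): a ufw rule set for the intranet server,
# plus the NAT rule that turns on IP masquerading for the LAN. Interface names,
# the LAN prefix and the opened ports are assumptions.
set -eu

LAN_NET=${LAN_NET:-192.168.11.0/24}
WAN_IF=${WAN_IF:-eth0}          # Internet side, dynamic address from the ISP
RUN=${RUN:-echo}                # RUN="" executes; the default only prints each command

ufw_cmd() { $RUN ufw "$@"; }

# Deny everything inbound from the Internet, open services only to the LAN,
# and keep logging on: that is the main win of a server-based firewall
# over the router's built-in one.
intranet_firewall() {
  ufw_cmd default deny incoming
  ufw_cmd default allow outgoing
  ufw_cmd default allow routed          # required so LAN traffic can be forwarded
  ufw_cmd limit 22/tcp                  # SSH stays reachable but rate-limited
  for svc in 53/tcp 53/udp 67/udp 25/tcp 143/tcp 993/tcp \
             139/tcp 445/tcp 631/tcp 389/tcp 88/tcp 88/udp 80/tcp; do
    ufw_cmd allow from "$LAN_NET" to any port "${svc%/*}" proto "${svc#*/}"
  done
  ufw_cmd logging on
  ufw_cmd --force enable
}

# nat table fragment that goes at the top of /etc/ufw/before.rules; ufw's own
# rules only cover the filter table. Pair it with net/ipv4/ip_forward=1 in
# /etc/ufw/sysctl.conf so the kernel forwards packets at all.
masquerade_nat_rules() {
  cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}
```

Run it once with the default RUN=echo to review the commands, then with RUN="" as root to apply them.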
Firestarter
Web / FTP / CMS ...you know about this already...
Webmin
Webmin is a web-based interface for system administration for Unix
Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more
Webmin removes the need to manually edit Unix configuration files
Lets you manage a system from the console or remotely
http://webmin.com
ISPConfig
ISPConfig is an open source hosting control panel for Linux
ISPConfig simplifies the complicated details of setting up DNS, multiple unique domain name websites on one physical server box, and e-mail accounts for multiple users on those websites.
http://www.ispconfig.org
Google Apps
Google Apps is a service from Google for using custom domain names with several Google products
It features several Web applications with similar functionality to traditional office suites, including: Gmail , Google Calendar , Talk , Docs and Sites.
Google Apps vs. Roll-your-own
Google Apps:
Easy to set up
Minimal internal infrastructure to manage
Accessible anywhere
Accountability and uptime
Privacy issues
Ads
Roll-your-own:
Complicated to set up
Need to maintain servers and apps
Remote access issues
Greater administrative control
Greater security
Offline access
Other general considerations
Hosting services
Digital certificates
Virtual Private Networks
Remote access
Remote automated installation
System management
Questions?