SG24-2133-00 The Technical Side of Being an Internet Service Provider October 1997 This soft copy for use by IBM employees only. IBM International Technical Support Organization SG24-2133-00 The Technical Side of Being an Internet Service Provider October 1997 This soft copy for use by IBM employees only. This soft copy for use by IBM employees only. Take Note! Before using this information and the product it supports, be sure to read the general information in Appendix C, “Special Notices” on page 357. First Edition (October 1997) This edition applies to the concept of an Internet Service Provider and it is not attached to any IBM product in specific. Comments may be addressed to: IBM Corporation, International Technical Support Organization Dept. HZ8 Building 678 P.O. Box 12195 Research Triangle Park, NC 27709-2195 When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you. Copyright International Business Machines Corporation 1997. All rights reserved. Note to U.S. Government Users — Documentation related to restricted rights — Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp. This soft copy for use by IBM employees only. Contents Preface . ix The Team That Wrote This Redbook ......................... ix Comments Welcome . x Chapter 1. Introduction . 1 1.1 Sample Network Design for an ISP ....................... 1 Chapter 2. Connectivity . 5 2.1 Internet Topology . 5 2.2 Internet Backbone Connection .......................... 6 2.2.1 Upstream Provider . 7 2.2.2 Access Technologies . 9 2.2.3 Networking Hardware . 17 2.2.4 Domain and IP Address ........................... 44 2.2.5 IBM As a Service Provider ......................... 49 2.3 Downstream Connections . 54 2.3.1 Types of Users ................................. 54 2.3.2 Access Issues . 55 2.3.3 ISP Networking Hardware .......................... 61 2.3.4 Customer Requirements . 100 Chapter 3. Server Hardware Platforms ...................... 107 3.1 IBM Server′s Strategy .............................. 108 3.1.1 IBM Server Business ............................ 108 3.1.2 Servers in the Age of the Internet .................... 109 3.1.3 The Open IBM ................................ 110 3.1.4 Summary of IBM′s Server Strategy ................... 111 3.1.5 Prospects for the Future .......................... 112 3.2 IBM PC Server .................................. 113 3.2.1 The New PC Server Strategy ....................... 114 3.2.2 IBM PC Server Family Overview ..................... 115 3.3 IBM RS/6000 . 117 3.3.1 RS/6000 As a Platform for ISPs ...................... 120 3.4 AS/400 . 123 3.4.1 Advanced Series . 123 3.4.2 Future Direction . 125 3.4.3 Where AS/400 Systems Fit ......................... 126 3.5 IBM System/390 . 127 3.5.1 Mainframes Morph into Microframes .................. 128 3.5.2 OS/390 . 129 3.5.3 IBM System/390 within Internet Environment .............. 130 3.6 Summary . 131 Chapter 4. Internet Services ............................. 133 4.1 Domain Name Service .............................. 133 4.1.1 Berkeley Internet Name Daemon ..................... 133 4.2 Mail Service . 133 4.2.1 POP Server . 134 4.2.2 SMTP Server . 134 4.2.3 IBM Messaging Solutions for ISPs .................... 134 4.3 Web Service . 135 Copyright IBM Corp. 1997 iii This soft copy for use by IBM employees only. 4.4 FTP Service . 135 4.5 Chat Service . 135 4.5.1 Internet Relay Chat ............................. 135 4.6 News Service . 135 4.6.1 USENET . 137 4.6.2 Netscape News Server ........................... 138 Chapter 5. Management . 139 5.1 Authentication . 139 5.1.1 Challenge Handshake Authentication Protocol/Password Authentication Protocol (CHAP/PAP) ..................... 140 5.1.2 Kerberos . 142 5.1.3 Remote Authentication Dial-In User Service (RADIUS) ........ 142 5.1.4 Terminal Access Controller Access System (TACACS) ........ 143 5.2 Accounting . 146 5.3 Network Management . 149 5.3.1 Standards . 149 5.3.2 Structure and Identification of Management Information (SMI) ... 151 5.3.3 Management Information Base (MIB) .................. 151 5.3.4 Simple Network Management Protocol (SNMP) ............ 151 5.3.5 Common Management Information Protocol over TCP/IP (CMOT) . 152 5.3.6 Tools . 153 5.4 Usage Management . 154 Chapter 6. Electronic Commerce . 159 6.1 Electronic Money (E-Money) .......................... 159 6.1.1 Types of E-Money .............................. 159 6.1.2 The Double-Spending Problem ...................... 160 6.2 Electronic Checks (E-Check) .......................... 162 6.3 Secure Electronic Payment Protocol ..................... 162 6.4 IBM Corporation iKP (Internet Keyed Payment Protocols) ........ 163 6.4.1 Security Considerations . 164 6.5 Secure Electronic Transactions (SET) ..................... 165 6.6 Net.Commerce . 166 6.6.1 Store Manager . 167 6.6.2 The Store Creator .............................. 167 6.6.3 The Store Administrator .......................... 168 6.6.4 The Template Editor ............................ 168 6.6.5 The Net.Commerce Director ........................ 168 6.6.6 The Net.Commerce Daemon ....................... 168 6.6.7 The Lotus Payment Switch ........................ 169 6.6.8 The Olympic Ticket Sales - An Example of Net.Commerce ..... 169 6.7 Example Electronic Commerce Solution ................... 174 Chapter 7. Tools . 179 7.1 Multimedia . 179 7.1.1 Image Formats . 179 7.1.2 Audio File Formats ............................. 183 7.1.3 Musical Instruments Digital Interface (MIDI) .............. 184 7.1.4 Digital Movie Formats ........................... 186 7.1.5 Multimedia Applications on the Internet ................. 188 7.2 Java . 191 7.2.1 Applets and Applications ......................... 192 Chapter 8. Internet Security . 193 iv The Technical Side of Being an Internet Service Provider This soft copy for use by IBM employees only. 8.1 The Costs of Security Breaches ........................ 193 8.2 The Internet and Security ............................ 194 8.2.1 Orange Book Security Classes ...................... 194 8.2.2 Red Book Security ............................. 196 8.2.3 C2 and Your Security Requirements ................... 196 8.3 Defining Security Threats ............................ 196 8.3.1 Internal Threats . 196 8.3.2 External Threats . 197 8.3.3 Intruders Are People ............................ 197 8.3.4 Securing Hardware . 197 8.3.5 Securing Software . 197 8.3.6 Securing Information . 198 8.3.7 The Threat from Viruses .......................... 198 8.4 How Intruders Break In To Your System ................... 198 8.4.1 Sendmail . 198 8.4.2 Checking CGI Scripts ............................ 198 8.4.3 FTP Problems . 199 8.4.4 Telnet Problems . 199 8.4.5 E-Mail Problems . 200 8.4.6 Keystroke Grabbers . 200 8.4.7 Password Attacks . 201 8.4.8 Spoofing Your System ........................... 201 8.4.9 Sniffers . 201 8.4.10 Closing a Back Door on Your System ................. 202 8.5 How to Control the Risk? ............................ 202 8.6 What Should You Secure? ........................... 202 8.6.1 Network Security . 203 8.6.2 Application Security ............................. 203 8.6.3 Transaction Security . 203 8.6.4 System Security . 203 8.6.5 The Security Checklists .......................... 204 8.7 Establishing a Security Policy ......................... 206 8.7.1 Who Makes the Policy? ........................... 206 8.7.2 Who Is Involved? .............................. 206 8.7.3 Responsibilities . 206 8.7.4 Risk Assessment . 207 8.7.5 Defining Security Goals .......................... 207 8.7.6 Establishing Security Measures ..................... 208 8.7.7 Know Your Server .............................. 209 8.7.8 Locking In or Out .............................. 209 8.7.9 Policy Issues . 210 8.7.10 General Internet Security Principles .................. 213 8.8 Establishing Procedures to Prevent Security Problems .......... 214 8.8.1 Steps to Implement Secure Internet Applications ........... 214 8.8.2 Identifying Possible Problems ....................... 215 8.8.3 Controls to Protect Assets in a Cost-Effective Way .......... 216 8.9 Physical Security . 217 8.9.1 Procedures to Recognize Unauthorized Activity ............ 217 8.9.2 Tools for Monitoring the System ..................... 217 8.9.3 Vary the Monitoring Schedule ....................... 218 8.9.4 Communicating Security Policy ...................... 219 8.10 Firewall ...................................... 221 8.10.1 Why Are Firewalls Needed? ....................... 222 8.10.2 Firewall Principles . 223 8.10.3 Firewall Elements . 223 Contents v This soft copy for use by IBM employees only. 8.10.4 Glossary of the Most Common Firewall-Related Terms ....... 228 8.11 Cryptography . 229 8.11.1 Layers - Introduction ........................... 230 8.11.2 Layers - Detail ............................... 231 8.11.3 Conclusion . 240 8.12 Router Security . 240 8.12.1 Introduction to PPP Authentication Protocols ............. 240 8.12.2 Challenge-Handshake Authentication Protocol (CHAP) ....... 241 8.12.3 Password Authentication Protocol (PAP) ............... 241 8.12.4 Scenario: PPP with Bridging between Two IBM 2210s ....... 241 8.13 Remote Access Security ............................ 242 8.13.1 IBM 8235 Security Features ....................... 243 8.14 Secure Web Servers .............................. 255 8.14.1 Secure Hypertext Transfer Protocol (S-HTTP) ............. 256 8.14.2 Secure Socks Layer ............................ 257 8.14.3 Control Access Products to Web Sites and Home Pages ...... 259 8.15 Security Mailing Lists .............................. 264 Chapter 9. Capacity Planning . 267 9.1 Introduction . 267 9.2 Content Type . 267 9.2.1 Internet Services . 268 9.2.2 Electronic Commerce . ..