Академический Документы
Профессиональный Документы
Культура Документы
ISP Workshops
Agenda
p DNS
Server placement
p Mail Server placement
p News Server placement
p Services network design
p Services Network Security
ISP Services
p
ISP Services:
DNS
p Domain
Name System
Primary nameserver
p Secondary nameserver
p Caching nameserver resolver
p
ISP Services:
DNS
p Primary
n
nameserver
ISP Services:
DNS
p Secondary
nameserver
At different PoPs
p On a different continent e.g. via services offered by
ISC, PCH and others
p At another ISP
p
ISP Services:
Secondary DNS Example
$ dig apnic.net ns
;; ANSWER SECTION:
apnic.net.
apnic.net.
apnic.net.
apnic.net.
apnic.net.
apnic.net.
apnic.net.
apnic.net.
;; ADDITIONAL SECTION:
ns1.apnic.net.
ns3.apnic.net.
ns4.apnic.net.
ns5.apnic.com.
cumin.apnic.net.
tinnie.apnic.net.
ns-sec.ripe.net.
tinnie.arin.net.
10800
10800
10800
10800
10800
10800
10800
10800
3600
3600
3600
10800
3600
3600
113685
10800
NS
NS
NS
NS
NS
NS
NS
NS
A
A
A
A
A
A
A
A
ns1.apnic.net.
ns3.apnic.net.
ns4.apnic.net.
ns5.apnic.com.
cumin.apnic.net.
ns-sec.ripe.net.
tinnie.arin.net.
tinnie.apnic.net.
202.12.29.25
202.12.28.131
202.12.31.140
203.119.43.200
202.12.29.59
202.12.29.60
193.0.0.196
199.212.0.53
Brisbane
Tokyo
Hong Kong
Washington
Brisbane
7
Amsterdam
Washington
ISP Services:
Secondary DNS Example
p
apnic.net zone
n
n
Zone secondaried by
p
p
Brisbane
Hong Kong
Tokyo
Washington
RIPE NCC in Amsterdam
ARIN in Washington
ISP Services:
DNS
p Caching
nameserver
ISP Services:
Caching Nameserver
Web Cache
DIAL network
To Core Routers
Switch redundancy
Router redundancy
DNS Cache redundancy
DNS Cache
Radius proxy
DNS Cache
10
ISP Services:
Anycasting the Caching Nameserver
p One
11
ISP Services:
DNS
p Efficient
12
ISP Services:
DNS
p Software
n
13
ISP Services:
DNS
p Implementation
n
14
ISP Services:
Mail
p
ISP Services:
Mail Configuration
Incoming mail
from Internet
Mail out to
the Internet
SpamAssassin
ClamAV
mail.isp.net
ISP Mail Gateway
smtp.isp.net
Customer mail relay
SpamAssassin
ClamAV
Incoming mail
from customer
pop3.isp.net
Customer POP3/IMAP server
Mail pulled by
customer client
16
ISP Services:
Mail Example
p
$ dig cisco.com mx
;; ANSWER SECTION:
cisco.com.
cisco.com.
cisco.com.
cisco.com.
cisco.com.
cisco.com.
cisco.com.
cisco.com.
cisco.com.
86400
86400
86400
86400
86400
86400
86400
86400
86400
MX
MX
MX
MX
MX
MX
MX
MX
MX
10
10
10
10
10
10
15
20
25
sj-inbound-a.cisco.com.
sj-inbound-b.cisco.com.
sj-inbound-c.cisco.com.
sj-inbound-d.cisco.com.
sj-inbound-e.cisco.com.
sj-inbound-f.cisco.com.
rtp-mx-01.cisco.com.
ams-inbound-a.cisco.com.
syd-inbound-a.cisco.com.17
ISP Services:
Mail
p Software
n
ISP Services:
News
p News
19
ISP Services:
News System Placement
Customer
connections
News Feeder
POP Two
Customer
connections
Customer
connections
POP Three
News Feeder
POP One
External
connections
News Collector
News Distributor
News Feeder
External
connections
20
ISP Services:
News System Placement
Customer
connections
News Feeder
POP Two
Customer
connections
Customer
connections
POP Three
News Feeder
POP One
External
connections
News Collector
News Distributor
News Feeder
External
connections
21
ISP Services:
News
p Software
n
Services Security
23
Security
p
p
p
p
Protect themselves
Help protect their customers from the Internet
Protect the Internet from their customers
24
server security
p Hosted
services security
Protect
routers
n Protect
routers
n
To core routers
DNS
POP3
secondary
Service Network
Gateway Routers
Mail
Relay
NEWS
DNS
cache
Web
server
To core routers
Service Network
Gateway Routers
Outbound
ICMP
Allow DNS udp/53 and
tcp/53
Block all access to ISP
address range
Premises security
n
n
n
Staff responsibility
n
n
RFC2196
n
RFC3871
n
p How
29
30
31
32