
IT Architecture and Security


1 IT Architecture and Security
Lesson 1 Version 1.00

2 Contents Lecturers The course Students
Review of the format for lectures, exercises and homework assignments. Review of the contents of the individual lectures. Books and compendium. Start on the material.

3 Lecturers Michael Strand Affiliated with ITU as an external lecturer
Employed at Netcompany ( Has been in the IT industry since 1989. DTU from 1989 to 1992 (research staff). NESA from 1992 to 1995 (developer). HP Denmark from 1995 to 2002 (solution architect). PFA Pension from 2003 to 2004 (department manager, chief architect). HP Denmark from 2004 to 2005 (senior solution architect). Netcompany since January 2006 (manager). Focus is on Java and .Net systems development and integration, as well as identity systems. Has worked in recent years on large SOA system modernisation programmes. Almost always works in mixed environments with different platforms, technologies, etc.

4 Lecturers Christian Stahl Affiliated with ITU as an external lecturer
Employed at Microsoft ( Has been in the IT industry since 1996. HP Denmark from 1996 to 2000 (consultant). HP USA from 2000 to 2002 (consultant). HP Denmark from 2002 to 2004 (senior consultant). Saxo Bank 2004 to 2005 (senior manager). Microsoft since July 2005 (engagement manager). The focus has always been IT security, infrastructure and mobility. Has worked for many years as a solution architect on large, complex projects involving everything from physical server rooms to networks and application design. Almost always works in mixed environments with different platforms, technologies, etc.

5 Who am I? Personally I am very solution-oriented. That means I am flexible about technology (not religious) as long as the problem is solved the right way. I have realised that I do not know everything about everything, so I gladly ally myself with those who know what I do not. That is also what I focus on when you solve assignments. The result, and the methods you use to reach it, are more important than spelling errors, layout, correct source references, etc.

6 The course This is the 6th time the course runs, and the first time (as far as I know) that IT Architecture and Security have been combined in the same course. The course is a JOINT project. You play a LARGE part in shaping the course. Your input, all the way through, is crucial for the best possible course. Roughly speaking, though, the course is about two things: IT Architecture and IT Security.

7 IT Architecture A VERY broad discipline.
We look broadly at everything from network architecture to application architecture to service-oriented architecture to enterprise architecture. The aim is that you, as IT managers, gain an overview of most of what your employees talk about - whether they are network people, application developers or consultants who come in, use a lot of jargon and write long reports. The course is not deeply technical.

8 IT Security A VERY narrow discipline.
The aim here is for you to understand what you are up against. What is the threat landscape? How does hacking work? How do you protect yourself? What does the law say? What is a security policy, etc. After the course you will be able to evaluate relevant security technologies and discuss security at a general level.

9 Students Tell us briefly who you are. Where do you come from?
What do you fundamentally hope to get out of this course? 15-30 seconds in total per person.

10 Lectures Review of selected topics from the syllabus.
Does not assume that you have read in advance. Every Monday from 17:00 to about 19:00 (anything between 1½ and 3 hours). No requirement that you attend; it may, however, be a good idea with the exam in mind. Ask questions as soon as you have any. If I feel there are too many, or that we are getting sidetracked, I will say so. Breaks as needed. The presentation (PowerPoint, PDF and ODF) is posted on the course website 1 day before the lecture, i.e. on Sunday. The presentation is an outline for us, i.e. you should not necessarily expect to understand the slides without having attended the lecture. There have been requests to record the lectures; as a rule we do not allow that.

11 Group assignments Group assignments of a somewhat harder nature that relate to the lecture content. You form groups yourselves, preferably 2 or more per group. Every Monday after the lecture, from about 19:00 to 21:00. We are present to help you. We do not hand out answers to the group assignments.

12 Homework and reading
Voluntary again. A service we offer. Still a good idea to do, for understanding the most important parts of the syllabus. Some will feel the syllabus is trivial, others quite the opposite. The syllabus is the syllabus, though, and you are expected to have read it by the exam. There is a relatively large syllabus. I do not expect you to know it by heart, but an overall understanding is very important. You may bring books to the exam.

13 Homework and reading
Since the course is fully booked (60 students), homework must be submitted by Thursday evening after a class in order to be corrected for the next class. If you send it later than Thursday, it will be collected and corrected for the class after that (i.e. 2 weeks later). We will correct whatever comes in!

14 Exam Written, with all aids permitted.
The questions will be about understanding concepts and the big picture rather than lots of detailed questions on the syllabus. Show us what you can do and what you understand, not what you can learn by heart.

15 Books There are two books and a compendium. They can all be bought at the campus bookshop (Bogladen).
We have two books that we use a lot in the course and which are afterwards good to have on the shelf as reference works. The compendium is put together specifically for the course. As the course progresses, links to more articles will also appear on the course website; they supplement the formal material. Unfortunately I know nothing about the prices.

16 Lecture plan
L1 Basic networks & computers (michael)
L2 IT Architecture - IT infrastructure (christian)
L3 IT Architecture - Service-oriented architecture (guest)
L4 IT Architecture - Business Process Mgmt + COTS (michael)
L5 Enterprise architecture (michael)
L6 Encryption & enterprise security models (michael)
L7 Mock exam (michael)
L8 Network, Internet & application security (christian)
L9 Security awareness, laws, policies and BCP/DRP (guest)
L10 Mobile security and wireless technologies (christian)
L11 Practical hacking (michael/guest)
L12 How does one get into a network, and what is the threat landscape (christian)
L13 Risk assessment and evaluation of IT security solutions (michael)
For details - see

17 And now we really get started…

18 Today we will cover… Networks: protocols and OSI
Internet Protocol (IP), IP addresses, Domain Name System (DNS), routing protocols (RIP, OSPF, BGP), transport protocols (TCP, UDP). Computers: OS, file systems.

19 Networks A network is, by definition, a hierarchical system of boxes and wires organised in close geographical proximity to each other. A LAN (Local Area Network) is limited to a building or a small area (example: Ethernet). A WAN (Wide-Area Network) can be almost arbitrarily large and spread over large parts of a country or several countries (example: telecommunications networks). An internetwork (internet) is a set of interconnected networks.

20 Structure of the Internet
Close to hierarchical. At the centre: "Tier-1" ISPs (e.g. UUNet, BBN/Genuity, Colt, AT&T). Tier-1 ISPs interconnect with each other. Tier-1 ISPs are also connected at so-called Network Access Points (NAPs).
A Tier 1 Network is an IP network (typically but not necessarily an Internet Service Provider) which connects to the entire Internet solely via Settlement Free Interconnection, commonly known as peering. There are many reasons why networking professionals use the "Tier Hierarchy" to describe networks, but the most important one is better understanding of a particular network's political and economic motivations in relationship to how and with whom it peers.
* AT&T (AS7018)
* Global Crossing (GX) (AS3549)
* Level 3 (AS3356)
* Verizon Business (formerly UUNET) (AS701)
* NTT Communications / (formerly Verio) (AS2914)
* Qwest (AS209)
* SAVVIS (AS3561)
* Sprint Nextel Corporation (AS1239)
The original Internet backbone was the ARPANET. It was replaced in 1989 by the NSFNet backbone. This was similar to a Tier 1 backbone. The four Network Access Points (NAPs) were defined under the U.S. National Information Infrastructure (NII) document as transitional data communications facilities at which Network Service Providers (NSPs) would exchange traffic. Now history.

21 Tier-1 ISP example

22 Structure of the Internet
"Tier-2" ISPs: smaller (typically regional/national) ISPs. They typically connect to one or more Tier-1 ISPs, and sometimes to other Tier-2 ISPs. Example: TDC, Telia. Tier-2 ISPs also often interconnect with each other (UNI-C and TDC). A Tier-2 ISP typically pays Tier-1 ISPs for connectivity to the Internet.
A Tier 2 Network is an Internet service provider who engages in the practice of peering with other networks, but who still purchases IP transit to reach some portion of the Internet. Tier 2 providers are the most common providers on the Internet as it is much easier to purchase transit from a Tier 1 network than it is to peer with them and then attempt to push into becoming a Tier 1 carrier. IP transit is a form by which wholesale Internet bandwidth is sold to Internet service providers (ISPs) and content providers. Pricing is typically offered on a per megabit per second per month basis (Mbit/s/Month) and requires the purchaser to commit to a minimum volume of bandwidth. Pricing for the bandwidth can be reduced significantly by purchasing larger volumes or extending the contract term. Modern IP transit agreements typically provide service level guarantees to almost all of the major Internet Exchange Points within a continental geography such as North America. These service level agreements still provide only best-effort delivery since they do not guarantee service from the Internet Exchange Point to the final destination.

23 Structure of the Internet
"Tier-3" ISPs and local ISPs typically act as the last hub on the way to the Internet. Examples are Cybercity, Tele2, etc. Local and Tier-3 ISPs are typically customers of ISPs higher up.
The term Tier 3 is sometimes also used to describe networks who solely purchase IP transit from other networks (typically Tier 1 or Tier 2 networks) to reach the Internet.

24 Structure of the Internet
(Diagram: local ISPs attached to Tier-3 and Tier-2 ISPs, which in turn attach to Tier-1 ISPs and a NAP.)

25 Protocols How different nodes and networks talk to each other.
Protocols exist to create order out of chaos.

26 Example – A flight from Copenhagen to New York
Copenhagen (outbound): ticket (purchase), baggage (check-in), gate (boarding), runway takeoff, flight routing information (out).
New York (inbound): ticket (complaints), baggage (carousel), gate (disembarking), runway landing, flight routing information (in).
In between: the aircraft and international routing.
A series of well-defined steps. Each layer offers a service, and offers its own service to the layer above via well-defined interfaces.

27 Why split it all into layers?
Smart when dealing with complex systems: it makes it easy to identify and understand the individual parts of a complex system instead of the whole thing at once. When things are broken down into modules, it is easy to make small changes in a module without affecting the bigger picture. E.g. we do not care what is inside the boxes as long as the service to the layers above and below stays consistent. E.g. changing the gate from A7 to B5 does not significantly change the whole flight, and especially not the flow described on the previous slide, as long as the passenger can still board.

28 Internet protocol suite Application: supports network applications
FTP, SMTP, HTTP. Transport: host-to-host data transport - TCP, UDP. Internet: routing of data from source to destination - IP, routing protocols, ICMP, IGMP, ARP. Link: data transport - PPP, Ethernet. Physical: bits "on the wire".
Application layer: DHCP • DNS • FTP • HTTP • IMAP4 • IRC • MIME • POP3 • SIP • SMTP • SNMP • SSH • TELNET • BGP • RPC • RTP • RTCP • TLS/SSL • SDP • SOAP • L2TP • PPTP
Transport layer: TCP • UDP
Internet: IP (IPv4 • IPv6) • ARP • RARP • ICMP • IGMP • RSVP • IPSec
Link: ATM • DTM • Ethernet • FDDI • Frame Relay • GPRS • PPP
Address Resolution Protocol (ARP) is the method for finding a host's hardware address when only its network layer address is known. Due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses. The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages, indicating, for instance, that a requested service is not available or that a host or router could not be reached. ICMP differs in purpose from TCP and UDP in that it is usually not used directly by user network applications. One exception is the ping tool, which sends ICMP Echo Request messages (and receives Echo Response messages) to determine whether a host is reachable and how long packets take to get to and from that host. The Internet Group Management Protocol is a communications protocol used to manage the membership of Internet Protocol multicast groups. IGMP is used by IP hosts and adjacent multicast routers to establish multicast group memberships.

29 Protocol layers and data flows
Each layer receives data from the layer above, adds its own header information to form a new packet, and passes the result to the layer below.

30 The OSI model The Open Systems Interconnection (OSI) reference model was developed by the International Organization for Standardization (ISO). 7 layers vs. the 4 layers of TCP/IP. Everyone refers to OSI and you must know it, but in practice, when you write programs or work with networks day to day, it is the TCP/IP model that applies. The problem: TCP/IP was already widespread and mature. The OSI model is unnecessarily complex and has a couple of layers too many. In the 1980s, the European-dominated International Organization for Standardization (ISO), began to develop its Open Systems Interconnection (OSI) networking suite. OSI has two major components: an abstract model of networking (the Basic Reference Model, or seven-layer model), and a set of concrete protocols. The seven layer model is sometimes humorously extended to refer to non-technical issues or problems. A common joke is the 10 layer model, with layers 8, 9, and 10 being the "user", "financial", and "political" layers, or the "money", "politics", and "religion" layers. The OSI model has also been jokingly called the "Taco Bell model", since the restaurant chain has been known for their seven layer burrito.

31 OSI protocol stack: application, presentation, session, transport, network,
link, physical. Application: gives users access to information services - X.500 (directory), X.400 ( ), etc. Presentation: gives applications independence from how data is represented - ASN.1 (abstract syntax notation). Session: provides a control structure for communication between applications by establishing, managing and closing sessions (SSL). Transport, network, link and physical: the same as in the Internet model. The Application layer provides a means for the user to access information on the network through an application. This layer is the main interface for the user(s) to interact with the application and therefore the network. Some examples of application layer protocols include Telnet, applications which use File Transfer Protocol (FTP), applications which use Simple Mail Transfer Protocol (SMTP) and applications which use Hypertext Transfer Protocol (HTTP). Applications built to utilize a protocol, such as FTP, should not be confused with the protocols themselves, which often reside at the session layer. The Presentation layer transforms data to provide a standard interface for the Application layer. MIME encoding, data compression, data encryption and similar manipulation of the presentation is done at this layer to present the data as a service or protocol developer sees fit. Examples: converting an EBCDIC-coded text file to an ASCII-coded file, or serializing objects and other data structures into and out of, e.g., XML. The Session layer controls the dialogues (sessions) between computers. It establishes, manages and terminates the connections between the local and remote application. It provides for either full-duplex or half-duplex operation and establishes checkpointing, adjournment, termination, and restart procedures. The OSI model made this layer responsible for "graceful close" of sessions, which is a property of TCP, and also for session checkpointing and recovery, which is not usually used in the Internet protocols suite.

32 TCP/IP and OSI

33 Internet Protocol (IP)
Layer 3 (OSI) protocol that forwards datagrams on the Internet. It uses routing tables prepared by routing protocols such as Open Shortest Path First (OSPF) and Routing Information Protocol (RIP). Connectionless vs. connection-oriented (circuit). IP is a connectionless protocol, which means that IP does not exchange control information (called a handshake) to establish an end-to-end connection before transmitting data. In contrast, a connection-oriented protocol exchanges control information with the remote computer to verify that it is ready to receive data before sending it. When the handshaking is successful, the computers are said to have established a connection. IP relies on protocols in other layers to establish the connection if connection-oriented services are required. IP also relies on protocols in another layer to provide error detection and error recovery. Because it contains no error detection or recovery code, IP is sometimes called an unreliable protocol. The functions performed at this layer are as follows: define the datagram, which is the basic unit of transmission in the Internet; define the Internet addressing scheme; move data between the Network Access Layer and the Host-to-Host Transport Layer; route datagrams to remote hosts; fragment and reassemble datagrams. Each type of network has a maximum transmission unit (MTU), which is the largest packet it can transfer. If the datagram received from one network is longer than the other network's MTU, it is necessary to divide the datagram into smaller fragments for transmission. This division process is called fragmentation. The Internet de facto standard MTU is 576 octets (eight-bit bytes), but ISPs often suggest using 1500 octets (eight-bit bytes).

34 IP datagram Protocol: TCP, UDP, etc. Version: IPv4 or IPv6
Time To Live (TTL). An 8-bit time to live (TTL) field helps prevent datagrams from persisting (e.g. going in circles) on an internetwork. Historically the TTL field limited a datagram's lifetime in seconds, but has come to be a hop count field. Each packet switch (or router) that a datagram crosses decrements the TTL field by one. When the TTL field hits zero, the packet is no longer forwarded by a packet switch and is discarded. The biggest problem in IPv4 is the lack of a big enough address field, 32 bits, and its capacity was not used very efficiently. IPv6, by contrast, can support at least 10^12 nodes and 10^9 networks. The routing algorithm has no knowledge of how the network has been built and can support all of IPv4's routing algorithms, and also supports a much larger number of hops than IPv4 (limit of 256). IPv6 can handle networks of different speeds, from Extra Low Frequency networks to very high speeds of 500 Gbit/s. IPv6 provides a security layer that places "options" in separate extension headers, while IPv4 does not. The extension headers can be of arbitrary length and there is no limit to the number of options that can be carried. IPv6 has an anycast address that allows nodes to control the path along which their traffic flows; IPv4 does not. IPv6 headers are extensible; the options in IPv4 are not efficient to decode. IPv6 connects to the global Internet using a combination of its global prefixes (see details in IPv6 Addressing), while IPv4 must be manually renumbered to connect to the Internet. IPv6 renumbers automatically. IPv6 2025??
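The two slides above (protocol layers adding headers on the way down, and the IP datagram with its version, TTL and protocol fields) can be made concrete in code. The following is an added example written for this page, not material from the lecture: it builds a UDP segment, wraps it in an IPv4 header with a computed header checksum, parses the layers back out, and simulates what each router does with the TTL (decrement, recompute checksum, discard at zero). All addresses, ports and the identification value are constructed sample values.

```python
import struct

PROTO_UDP = 17  # value of the IPv4 "Protocol" field for UDP


def checksum16(data: bytes) -> int:
    """One's-complement 16-bit checksum (RFC 1071) used by the IPv4 header.
    Run over a header that already carries a correct checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    # Transport layer: an 8-byte UDP header in front of the application data.
    # Checksum 0 means "not computed", which IPv4 permits for UDP.
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    # Internet layer: a 20-byte header (IHL = 5 words, no options) in front of the segment.
    ihl = 5
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,      # version 4, header length in 32-bit words
        0,                   # type of service
        20 + len(payload),   # total length
        0x1234,              # identification (constructed value)
        0,                   # flags + fragment offset: not fragmented
        ttl, proto,
        0,                   # checksum placeholder, filled in below
        ip_to_bytes(src), ip_to_bytes(dst),
    )
    csum = struct.pack("!H", checksum16(header))
    return header[:10] + csum + header[12:] + payload


def parse_ipv4(datagram: bytes) -> dict:
    """Decapsulate one layer: read the header fields and hand the payload upwards.
    A wrong version or a failing checksum is rejected, as a receiver would."""
    vi, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", datagram[:20])
    version, hlen = vi >> 4, (vi & 0xF) * 4
    if version != 4 or checksum16(datagram[:hlen]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"version": version, "ttl": ttl, "proto": proto,
            "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
            "payload": datagram[hlen:total_len]}


def parse_udp(segment: bytes) -> dict:
    src_port, dst_port, length, _csum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src_port, "dst_port": dst_port, "payload": segment[8:length]}


def forward_one_hop(datagram: bytes):
    """What a router does with the TTL: decrement it and fix the header checksum.
    Returns None when the TTL would reach zero, i.e. the datagram is discarded."""
    fields = parse_ipv4(datagram)
    if fields["ttl"] <= 1:
        return None
    hlen = (datagram[0] & 0xF) * 4
    out = bytearray(datagram)
    out[8] = fields["ttl"] - 1          # byte 8 of the header is the TTL
    out[10:12] = b"\x00\x00"            # zero the checksum field before recomputing
    out[10:12] = struct.pack("!H", checksum16(bytes(out[:hlen])))
    return bytes(out)


def routers_traversed(datagram: bytes) -> int:
    """How many routers forward the datagram before one of them discards it."""
    forwarded = 0
    while (datagram := forward_one_hop(datagram)) is not None:
        forwarded += 1
    return forwarded


if __name__ == "__main__":
    # Constructed sample traffic: a small UDP query from a host to a DNS port.
    segment = build_udp(40000, 53, b"hello")
    packet = build_ipv4("192.0.2.10", "198.51.100.7", 3, PROTO_UDP, segment)
    ip = parse_ipv4(packet)
    print(ip["src"], "->", ip["dst"], "ttl", ip["ttl"], parse_udp(ip["payload"]))
    print("routers that forward it before TTL expiry:", routers_traversed(packet))
```

With a TTL of 3, two routers forward the datagram and the third discards it; a receiver that sees a header whose checksum no longer verifies (for instance after a corrupted byte) rejects the datagram rather than passing garbage upwards.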

35 IP addresses An identifier for a computer or device on a TCP/IP network. Networks using the TCP/IP protocol route messages based on the IP address of the destination. The format of an IP address is a 32-bit numeric address written as four numbers separated by periods. Each number can be zero to 255. For example, could be an IP address. Within an isolated network, you can assign IP addresses at random as long as each one is unique. However, connecting a private network to the Internet requires using registered IP addresses (called Internet addresses) to avoid duplicates. The four numbers in an IP address are used in different ways to identify a particular network and a host on that network. Four regional Internet registries -- ARIN, RIPE NCC, LACNIC and APNIC -- assign Internet addresses from the following three classes.
# Class A - supports 16 million hosts on each of 126 networks
# Class B - supports 65,000 hosts on each of 16,000 networks
# Class C - supports 254 hosts on each of 2 million networks
The number of unassigned Internet addresses is running out, so a new classless scheme called CIDR is gradually replacing the system based on classes A, B, and C and is tied to adoption of IPv6. CIDR is principally a bitwise, prefix-based standard for the interpretation of IP addresses. It facilitates routing by allowing blocks of addresses to be grouped together into single routing table entries. These groups, commonly called CIDR blocks, share an initial sequence of bits in the binary representation of their IP addresses. IPv4 CIDR blocks are identified using a syntax similar to that of IPv4 addresses: a four-part dotted-decimal address, followed by a slash, then a number from 0 to 32: A.B.C.D/N. All nodes must have a unique 32-bit address. For example = All nodes in a network share the same network prefix.

36 IP addresses Until 1998, IP addresses were handed out by ONE organisation in the world, InterNIC ( Today ICANN is responsible, and IP addresses are allocated through IANA. IANA is controlled by ICANN. InterNIC or Internet Network Information Center was the Internet governing body primarily responsible for domain name and IP address allocations until September 18, 1998 when this role was assumed by the ICANN body. ICANN (pronounced "I can") is the Internet Corporation for Assigned Names and Numbers. The tasks of ICANN include managing the assignment of domain names and IP addresses. To date, much of its work has concerned the introduction of new generic top-level domains. The technical work of ICANN is referred to as the IANA function; the rest of ICANN is mostly concerned with defining policy. The Internet Assigned Numbers Authority (IANA) is the entity that oversees global IP address allocation, DNS root zone management, and other Internet protocol assignments. It is operated by ICANN. Both IPv4 and IPv6 addresses are assigned in a delegated manner. Users are assigned IP addresses by Internet service providers (ISPs). ISPs obtain allocations of IP addresses from a local Internet registry (LIR) or national Internet registry (NIR), or from their appropriate Regional Internet Registry (RIR): AfriNIC (African Network Information Centre) - Africa Region; APNIC (Asia Pacific Network Information Centre) - Asia/Pacific Region; ARIN (American Registry for Internet Numbers) - North America Region; LACNIC (Regional Latin-American and Caribbean IP Address Registry) - Latin America and some Caribbean Islands; RIPE NCC (Réseaux IP Européens) - Europe, the Middle East, and Central Asia.

37 Private IP addresses Any organisation can use private IP addresses. Private IP addresses can NOT be used on the Internet.

38 Forwarding IP datagrams C:\TRACERT SUN.COM
Routers deliver IP datagrams to the destination network. Routers maintain routing tables of "hops". The "hops" are NOT found in the datagrams. In the simplest model, hop-by-hop routing, each routing table lists, for all reachable destinations, the address of the next device along the path to that destination; the next hop. Assuming that the routing tables are consistent, the simple algorithm of relaying packets to their destination's next hop thus suffices to deliver data anywhere in a network. In practice, hop-by-hop routing is being increasingly abandoned in favor of layered architectures such as MPLS, where a single routing table entry can effectively select the next several hops, resulting in reduced table lookups and improved performance. The need to record routes to large numbers of devices using limited storage space represents a major challenge in routing table construction. Perhaps the fundamental assumption of routing is that similar addresses are located near each other in the network, allowing groups of destination addresses to be matched by single routing table entries. The exact nature of how this grouping is done has changed over time and still represents an active area of networking research. In the Internet, the currently dominant address grouping technology is a bitwise prefix matching scheme called Classless Inter-Domain Routing. A subnet mask is used to determine what subnet an IP address belongs to. An IP address has two components, the network address and the host address. For example, consider the IP address Assuming this is part of a Class B network, the first two numbers ( ) represent the Class B network address, and the second two numbers ( ) identify a particular host on this network. Subnetting enables the network administrator to further divide the host part of the address into two or more subnets. In this case, a part of the host address is reserved to identify the particular subnet.
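Slides 35 to 38 describe CIDR notation (A.B.C.D/N), the old address classes, private address blocks and the way a router picks a next hop by matching the destination against prefixes in its table. The block below is an added example for this page (not code from the lecture) that implements those mechanics with plain integer arithmetic: it parses a CIDR block into a network address and mask, tests membership, reports the classful class, flags the RFC 1918 private ranges, and performs a longest-prefix match over a constructed routing table. The routing table entries and sample addresses are made up for the example.

```python
# Constructed routing table: (CIDR block, next hop). "direct" marks a directly connected
# subnet and "0.0.0.0/0" is the default route. Addresses are documentation/private ranges.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),
    ("10.0.0.0/8", "10.0.0.254"),
    ("10.20.0.0/16", "10.20.0.1"),
    ("192.168.1.0/24", "direct"),
]

# RFC 1918 private address blocks: usable inside an organisation, never routed on the Internet.
PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, the form a router actually compares."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(block: str):
    """'A.B.C.D/N' -> (network address, subnet mask) as integers. The mask is N one-bits
    followed by 32-N zero-bits; the network address is the address with the host bits cleared."""
    addr, prefix = block.split("/")
    n = int(prefix)
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be 0..32")
    mask = (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF
    return ip_to_int(addr) & mask, mask


def in_block(addr: str, block: str) -> bool:
    network, mask = parse_cidr(block)
    return ip_to_int(addr) & mask == network


def classful_class(addr: str) -> str:
    """The pre-CIDR class, decided by the leading bits of the first octet."""
    first = ip_to_int(addr) >> 24
    if first < 128:
        return "A"      # 0xxxxxxx
    if first < 192:
        return "B"      # 10xxxxxx
    if first < 224:
        return "C"      # 110xxxxx
    return "D/E"        # multicast and reserved


def is_private(addr: str) -> bool:
    return any(in_block(addr, block) for block in PRIVATE_BLOCKS)


def next_hop(addr: str, routes):
    """Longest-prefix match: among the routes whose block contains the address, take the one
    with the longest mask. A longer mask is numerically larger, so comparing masks suffices."""
    a = ip_to_int(addr)
    best = None
    for block, hop in routes:
        network, mask = parse_cidr(block)
        if a & mask == network and (best is None or mask > best[0]):
            best = (mask, hop)
    return None if best is None else best[1]


if __name__ == "__main__":
    for dst in ("10.20.5.5", "10.99.1.1", "192.168.1.77", "8.8.8.8"):
        print(dst, "class", classful_class(dst),
              "private" if is_private(dst) else "public",
              "-> next hop", next_hop(dst, ROUTES))
```

Note that 10.20.5.5 matches both 10.0.0.0/8 and 10.20.0.0/16; the /16 wins because it is the more specific entry, which is exactly the grouping-by-prefix idea the slide describes.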

39 Domain Name System (DNS)
DNS is the "mapping" between an IP address and a logical name (a kind of phone book): DNS: a huuuge directory. Distributed management based on domain. .dk, .com, .net, .se, …ca are all top-level domains. .dr is a subdomain which is managed by .dk. www is a host name which is managed by DR. www is on the network , and is host number 1.

40 The DNS process A DNS client sends a recursive query to the local DNS server. Before forwarding the request to a root server, the DNS server checks its local cache to determine whether the name has recently been resolved. If there is an entry in the local cache, the IP address is returned to the client. If no entry exists in the cache for the hostname, an iterative query is sent by the DNS server to a root name server. The root name server refers the DNS server to a name server responsible for the first-level domain within the hostname. For example, the root name server would refer the request to the bayside.net DNS server. The original DNS server is referred to second-level DNS servers, and then third-level DNS servers, until one of them can resolve the hostname to an IP address and return the results back to the client. Important categories of data stored in the DNS include the following:
An A record or address record maps a hostname to a 32-bit IPv4 address.
An AAAA record or IPv6 address record maps a hostname to a 128-bit IPv6 address.
A CNAME record or canonical name record is an alias of one name to another. The A record that the alias is pointing to can be either local or remote - on a foreign name server. Useful when running multiple services from a single IP address, where each service has its own entry in DNS.
An MX record or mail exchange record maps a domain name to a list of mail exchange servers for that domain.
A PTR record or pointer record maps an IPv4 address to the canonical name for that host. Setting up a PTR record for a hostname in the in-addr.arpa domain that corresponds to an IP address implements reverse DNS lookup for that address. For example (at the time of writing), has the IP address , but a PTR record maps in-addr.arpa to its canonical name, referrals.icann.org.
An NS record or name server record maps a domain name to a list of DNS servers authoritative for that domain. Delegations depend on NS records.
An SOA record or start of authority record specifies the DNS server providing authoritative information about an Internet domain, the of the domain administrator, the domain serial number, and several timers relating to refreshing the zone.
An SRV record is a generalized service location record.

41 DNS names corp05.contoso.com. corp01.sales.contoso.com. "." Root FQDN
(Diagram: the FQDNs corp05.contoso.com. and corp01.sales.contoso.com. split into host name (corp05, corp01) and DNS suffix, hanging off the "." root through the zones com, contoso and sales.) DNS zone transfer, also sometimes known by its (commonest) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavours, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now falling by the wayside somewhat, in favour of the use of other database replication mechanisms that modern DNS server packages provide. Master/slave: In the traditional master/slave DNS relationship, (one or more) DNS slave servers load zone data from the master server on startup and at intervals specified in the start of authority (SOA) record for each zone. This method of redundancy has one huge advantage: When a zone file is changed, the changes are automatically propagated to the slave servers. This process normally happens as soon as the changes are made if the NOTIFY DNS feature is supported. Multiple master: If you're more concerned with having DNS available at all times rather than having the convenience provided by a master/slave configuration, you can use a multiple master configuration. This concept is simple: All DNS servers are master servers for each zone. The most difficult part of having multiple master DNS servers comes when a change is made to a zone file or the DNS configuration.
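Slides 39 to 41 describe the resolution walk (client asks the local DNS server recursively; that server checks its cache and otherwise asks the root, follows referrals down through the .net and bayside.net servers), the record types involved, and how an FQDN is read as labels under the "." root. The following is an added example for this page, not code from the lecture: a small in-memory model of that walk, with a constructed set of authoritative servers (the server names and 192.0.2.x addresses are invented for the example), A, CNAME and MX records, NS-style delegations, CNAME chasing, and a cache that shows how a repeated query sends no further iterative queries.

```python
# Constructed name-server data modelled on the slide's bayside.net example.
# Each server holds the delegations (NS referrals) it knows and the records it is authoritative for.
SERVERS = {
    "root": {
        "delegations": {"net.": "ns.gtld-net.example."},       # referral for the .net zone
        "records": {},
    },
    "ns.gtld-net.example.": {
        "delegations": {"bayside.net.": "ns1.bayside.net."},   # referral for bayside.net
        "records": {},
    },
    "ns1.bayside.net.": {
        "delegations": {},
        "records": {
            ("www.bayside.net.", "A"): "192.0.2.80",
            ("mail.bayside.net.", "CNAME"): "www.bayside.net.",  # alias, as the slide's CNAME
            ("bayside.net.", "MX"): "10 mail.bayside.net.",
        },
    },
}


def zone_candidates(fqdn):
    """'www.bayside.net.' -> ['www.bayside.net.', 'bayside.net.', 'net.']: the zones, most
    specific first, that a server might hold a delegation for. The trailing dot is the root."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def query_server(server, name, rtype):
    """One iterative query to one authoritative server. The reply is an answer, an alias,
    a referral to a server lower in the tree, or nothing (the name does not exist)."""
    data = SERVERS[server]
    if (name, rtype) in data["records"]:
        return "answer", data["records"][(name, rtype)]
    if (name, "CNAME") in data["records"]:
        return "cname", data["records"][(name, "CNAME")]
    for zone in zone_candidates(name):
        if zone in data["delegations"]:
            return "referral", data["delegations"][zone]
    return "nxdomain", None


class LocalDnsServer:
    """The local DNS server of the slide: it serves the client's recursive query from its cache
    when it can, and otherwise walks the tree from the root with iterative queries."""

    def __init__(self):
        self.cache = {}
        self.queries_sent = 0   # iterative queries sent, so the cache effect is visible

    def resolve(self, name, rtype="A", _depth=0):
        if _depth > 8:
            raise RuntimeError("CNAME chain too long")
        key = (name, rtype)
        if key in self.cache:
            return self.cache[key]
        server = "root"
        while True:
            self.queries_sent += 1
            kind, data = query_server(server, name, rtype)
            if kind == "referral":
                server = data                    # ask the more specific server next
                continue
            if kind == "cname":
                data = self.resolve(data, rtype, _depth + 1)   # chase the alias
            if data is not None:
                self.cache[key] = data
            return data


if __name__ == "__main__":
    dns = LocalDnsServer()
    print(dns.resolve("www.bayside.net."), "after", dns.queries_sent, "queries")
    print(dns.resolve("www.bayside.net."), "after", dns.queries_sent, "queries (cache hit)")
    print(dns.resolve("mail.bayside.net."), dns.resolve("bayside.net.", "MX"))
```

The first lookup of www.bayside.net. costs three iterative queries (root, .net server, bayside.net server); the second is answered from the cache with none. Resolving the alias mail.bayside.net. costs three more queries to reach the CNAME and then reuses the cached A record of its target.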

42 Routing protocols An autonomous system is an internetwork of networks connected by routers under the administrative control of one entity. Interior Router Protocols (IRP) (within an autonomous system): Routing Information Protocol (RIP), Open Shortest Path First (OSPF). Exterior Router Protocols (ERP, EGP) (between autonomous systems): Border Gateway Protocol (BGP), Exterior Gateway Protocol (EGP), Inter-Domain Routing Protocol (IDRP). In the Internet, an autonomous system (AS) is a collection of IP networks and routers under the control of one entity (or sometimes more) that presents a common routing policy to the Internet. See RFC 1930 for additional detail on this updated definition. Networks within an autonomous system communicate routing information to each other using an Interior Gateway Protocol (IGP). An autonomous system shares routing information with other autonomous systems using the Border Gateway Protocol (BGP). Previously, the Exterior Gateway Protocol (EGP) was used. In the future, the BGP is expected to be replaced with the OSI Inter-Domain Routing Protocol (IDRP). IRP/IGP: A set of routing protocols that are used within an autonomous system are referred to as interior gateway protocols (IGP). In contrast an exterior gateway protocol is for determining network reachability between autonomous systems (AS) and makes use of IGPs to resolve routes within an AS. BGP (Border Gateway Protocol) is a protocol for exchanging routing information between gateway hosts (each with its own router) in a network of autonomous systems. BGP is often the protocol used between gateway hosts on the Internet. The routing table contains a list of known routers, the addresses they can reach, and a cost metric associated with the path to each router so that the best available route is chosen. Exterior Gateway Protocol (EGP) is a protocol for exchanging routing information between two neighbor gateway hosts (each with its own router) in a network of autonomous systems.
EGP is commonly used between hosts on the Internet to exchange routing table information.

43 RIP
With RIP, the router determines how many "hops" there are to every destination and uses this to pick the best route. Every 30 seconds RIP sends the hop counts from its routing table to its neighbours. RIP compares its own routing table with the information it receives and updates the table where necessary.

RIP is a distance-vector routing protocol which employs the hop count as a routing metric. The maximum number of hops allowed with RIP is 15, and the hold-down time is 180 seconds. Each RIP router transmits full updates every 30 seconds by default, generating large amounts of network traffic in lower-bandwidth networks. It runs at the network layer of the Internet protocol suite. A mechanism called split horizon with limited poison reverse is used to avoid routing loops. Routers of some brands also use a hold-down mechanism known as heuristics, whose usefulness is arguable and which is not part of the standard protocol.

RIPv1: RIPv1, defined in RFC 1058, uses classful routing. The routing updates do not carry subnet information, lacking support for variable length subnet masks (VLSM). This limitation makes it impossible to have different-sized subnets inside the same network class. In other words, all subnets in a network class must be the same size. There is also no support for router authentication, making RIPv1 slightly vulnerable to various attacks.

RIPv2: Due to the above deficiencies of RIPv1, RIPv2 was developed in 1994 and included the ability to carry subnet information, thus supporting Classless Inter-Domain Routing (CIDR). However, to maintain backwards compatibility the 15 hop count limit remained. Rudimentary plain text authentication was added to secure routing updates; later, MD5 authentication was defined in RFC 2082. RIPv2 is specified in RFC 2453 or STD 56.
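The distance-vector behaviour described above, as an added illustration (not the course's code): a few routers exchange full tables each round, keep the lowest hop count per destination, treat 16 hops as unreachable (RIP's 15-hop maximum) and apply split horizon with poison reverse. The topology, router names and the link failure are constructed.

```python
"""Toy distance-vector routing in the style of RIP (slide 43).

Added illustration, not the course's code. Routers exchange their whole
tables every "30-second" round, keep the best hop count per destination,
treat 16 hops as unreachable and use split horizon with poison reverse.
"""
from typing import Dict, Iterable, Set, Tuple

INFINITY = 16  # RIP metric meaning "unreachable" (max usable path is 15 hops)


class Router:
    def __init__(self, name: str) -> None:
        self.name = name
        self.neighbors: Set[str] = set()
        # destination -> (hop count, next hop); a router reaches itself in 0 hops
        self.table: Dict[str, Tuple[int, str]] = {name: (0, name)}

    def advertisement_for(self, neighbor: str) -> Dict[str, int]:
        """Routing update sent to one neighbour.

        Split horizon with poison reverse: a route learned through this
        neighbour is advertised back to it with metric 16 instead of being
        omitted, so the neighbour never picks us as a path back to its own route.
        """
        return {dest: (INFINITY if next_hop == neighbor else hops)
                for dest, (hops, next_hop) in self.table.items()}

    def receive(self, sender: str, adv: Dict[str, int]) -> bool:
        """Merge a neighbour's update. Returns True if the table changed."""
        changed = False
        for dest, hops in adv.items():
            candidate = min(hops + 1, INFINITY)
            cur_hops, cur_next = self.table.get(dest, (INFINITY, None))
            # Take a shorter route, or any metric change reported by the
            # neighbour we already route through (that is how withdrawals spread).
            if candidate < cur_hops or (cur_next == sender and candidate != cur_hops):
                self.table[dest] = (candidate, sender)
                changed = True
        return changed


def build(links: Iterable[Tuple[str, str]]) -> Dict[str, Router]:
    routers: Dict[str, Router] = {}
    for a, b in links:
        routers.setdefault(a, Router(a))
        routers.setdefault(b, Router(b))
        routers[a].neighbors.add(b)
        routers[b].neighbors.add(a)
    return routers


def run_round(routers: Dict[str, Router]) -> bool:
    """One RIP cycle: every router sends its whole table to every neighbour."""
    updates = [(r.name, n, r.advertisement_for(n))
               for r in routers.values() for n in r.neighbors]
    changed = False
    for sender, receiver, adv in updates:
        changed |= routers[receiver].receive(sender, adv)
    return changed


def converge(routers: Dict[str, Router], max_rounds: int = 50) -> int:
    """Run rounds until nothing changes; returns the number of rounds used."""
    for n in range(1, max_rounds + 1):
        if not run_round(routers):
            return n
    return max_rounds


def link_down(routers: Dict[str, Router], a: str, b: str) -> None:
    """Remove a link and poison every route that went through it."""
    for here, there in ((a, b), (b, a)):
        r = routers[here]
        r.neighbors.discard(there)
        for dest, (_hops, next_hop) in list(r.table.items()):
            if next_hop == there:
                r.table[dest] = (INFINITY, next_hop)


def hops(routers: Dict[str, Router], src: str, dst: str) -> int:
    """Hop count from src to dst according to src's table (16 = unreachable)."""
    return routers[src].table.get(dst, (INFINITY, None))[0]


if __name__ == "__main__":
    net = build([("A", "B"), ("B", "C"), ("C", "D")])   # constructed chain
    print("converged after", converge(net), "rounds; A->D =", hops(net, "A", "D"))
    link_down(net, "B", "C")
    converge(net)
    print("after B-C failure A->D =", hops(net, "A", "D"), "(16 = unreachable)")
```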

44 OSPF
Fixes the problems of RIP and others.
Instead of merely counting "hops", additional network information is used to find the best route. Enables load balancing. Enables security. Larger networks are broken down into a backbone network and areas. Each area has one or more subnets, and each subnet has a designated router.

OSPF (Open Shortest Path First) is a router protocol used within larger autonomous system networks in preference to the Routing Information Protocol (RIP), an older routing protocol that is installed in many of today's corporate networks. Like RIP, OSPF is designated by the Internet Engineering Task Force (IETF) as one of several Interior Gateway Protocols (IGPs). Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network so that all will have the same routing table information. Unlike RIP, in which the entire routing table is sent, a host using OSPF sends only the part that has changed. With RIP, the routing table is sent to a neighbour host every 30 seconds; OSPF multicasts the updated information only when a change has taken place. Rather than simply counting the number of hops, OSPF bases its path descriptions on "link states" that take into account additional network information. OSPF also lets the user assign cost metrics to a given host router so that some paths are given preference. OSPF supports a variable network subnet mask so that a network can be subdivided. RIP is supported within OSPF for router-to-end-station communication. Since many networks using RIP are already in use, router manufacturers tend to include RIP support within a router designed primarily for OSPF.

45 TCP
Point-to-point communication: there are two endpoints. Connection oriented. Full duplex communication. Reliable transport: data is delivered in order, and lost data packets are resent.

Applications send streams of octets (8-bit bytes) to TCP for delivery through the network, and TCP divides the byte stream into appropriately sized segments (usually delineated by the maximum transmission unit (MTU) size of the data link layer of the network to which the computer is attached). TCP then passes the resulting packets to the Internet Protocol for delivery through a network to the TCP module of the entity at the other end. TCP checks to make sure that no packets are lost by giving each packet a sequence number, which is also used to make sure that the data are delivered to the entity at the other end in the correct order. The TCP module at the far end sends back an acknowledgement for packets which have been successfully received; a timer at the sending TCP will cause a timeout if an acknowledgement is not received within a reasonable round-trip time (RTT), and the (presumably lost) data will then be retransmitted. TCP checks that no bytes are damaged by using a checksum; one is computed at the sender for each block of data before it is sent, and checked at the receiver.

To establish a connection, TCP uses a 3-way handshake. Before a client attempts to connect with a server, the server must first bind to a port to open it up for connections: this is called a passive open. Once the passive open is established, a client may initiate an active open. To establish a connection, the three-way (or 3-step) handshake occurs:
1. The active open is performed by sending a SYN to the server.
2. In response, the server replies with a SYN-ACK.
3. Finally the client sends an ACK (usually called SYN-ACK-ACK) back to the server.

Connection termination: The connection termination phase uses, at most, a four-way handshake, with each side of the connection terminating independently. When an endpoint wishes to stop its half of the connection, it transmits a FIN packet, which the other end acknowledges with an ACK. Therefore, a typical teardown requires a pair of FIN and ACK segments from each TCP endpoint.

46 TCP header
The TCP receive window size is the amount of received data (in bytes) that can be buffered during a connection. The sending host can send only that amount of data before it must wait for an acknowledgment and window update from the receiving host. When a receiver advertises a window size of 0, the sender stops sending data and starts the persist timer. The persist timer is used to protect TCP from a deadlock situation. For more efficient use of high-bandwidth networks, a larger TCP window size may be used. The TCP window size field controls the flow of data and is limited to between 2 and 65,535 bytes.
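The handshake and teardown from slide 45 and the header fields from slide 46, as an added illustration that is not the course's code: segments are packed with struct (no real traffic is captured), decoded back into flags and window size, and labelled by their role in the connection life cycle. Ports and sequence numbers are constructed, and the checksum field is carried but not verified.

```python
"""Decode TCP headers and follow the handshake and teardown (slides 45 and 46).

Added illustration, not the course's code. Segments are built in code with
struct, so nothing is read from a real network; the checksum is not verified.
"""
import struct
from dataclasses import dataclass
from typing import List

TCP_HEADER = struct.Struct("!HHIIHHHH")  # 20-byte header without options
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int   # receive window in bytes; 0 stalls the sender (persist timer)

    def flag_names(self) -> str:
        names = [(SYN, "SYN"), (ACK, "ACK"), (PSH, "PSH"), (FIN, "FIN"), (RST, "RST")]
        return "|".join(n for bit, n in names if self.flags & bit) or "none"


def build(src: int, dst: int, seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """Pack a minimal header: data offset 5 (20 bytes), checksum and urgent pointer zero."""
    return TCP_HEADER.pack(src, dst, seq, ack, (5 << 12) | flags, window, 0, 0)


def parse(raw: bytes) -> TcpHeader:
    if len(raw) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window, _csum, _urg = TCP_HEADER.unpack_from(raw)
    if (off_flags >> 12) < 5:          # header length in 32-bit words, minimum 5
        raise ValueError("data offset below 5 words is invalid")
    return TcpHeader(src, dst, seq, ack, off_flags & 0x1FF, window)


def classify(segments: List[bytes]) -> List[str]:
    """Label each segment by its role: 3-way handshake, data, or FIN/ACK teardown."""
    labels = []
    state, client, server_isn, fins = "CLOSED", None, None, 0
    for raw in segments:
        h = parse(raw)
        label = h.flag_names()
        if state == "CLOSED" and h.flags & SYN and not h.flags & ACK:
            state, client, fins = "SYN_SENT", h.src_port, 0
            label = "handshake 1/3: SYN (active open)"
        elif state == "SYN_SENT" and h.flags & SYN and h.flags & ACK:
            state, server_isn = "SYN_RECEIVED", h.seq
            label = "handshake 2/3: SYN-ACK"
        elif state == "SYN_RECEIVED" and h.flags & ACK and not h.flags & (SYN | FIN):
            # The final ACK must acknowledge the server's initial sequence number + 1.
            if h.ack == (server_isn + 1) & 0xFFFFFFFF:
                state = "ESTABLISHED"
                label = "handshake 3/3: ACK, connection established"
            else:
                label = "ACK with wrong acknowledgement number, ignored"
        elif state in ("ESTABLISHED", "FIN_WAIT") and h.flags & FIN:
            fins += 1                                   # each side closes independently
            state = "FIN_WAIT" if fins == 1 else "CLOSED"
            who = "client" if h.src_port == client else "server"
            label = f"teardown: FIN from {who} (half close)"
        elif state in ("FIN_WAIT", "CLOSED") and fins and h.flags & ACK:
            label = "teardown: ACK of FIN"
        if h.window == 0:
            label += " [zero window: sender starts persist timer]"
        labels.append(label)
    return labels


def sample_connection() -> List[bytes]:
    """Constructed exchange: handshake, one data segment, a zero window, four-way teardown."""
    c, s = 49152, 80
    return [
        build(c, s, 1000, 0, SYN),                # 1. active open
        build(s, c, 5000, 1001, SYN | ACK),       # 2. server answers
        build(c, s, 1001, 5001, ACK),             # 3. handshake complete
        build(c, s, 1001, 5001, PSH | ACK),       # client sends 100 bytes of data
        build(s, c, 5001, 1101, ACK, window=0),   # server buffer full: zero window
        build(c, s, 1101, 5001, FIN | ACK),       # client closes its half
        build(s, c, 5001, 1102, ACK),
        build(s, c, 5001, 1102, FIN | ACK),       # server closes its half
        build(c, s, 1102, 5002, ACK),
    ]


if __name__ == "__main__":
    for line in classify(sample_connection()):
        print(line)
```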

47 UDP and the UDP header
Connection-less end-to-end service. Unreliable transport: no flow control, no error handling, no retransmission of lost packets. Typically used for audio/video. Error reporting is optional.

The User Datagram Protocol (UDP) is one of the core protocols of the Internet protocol suite. Using UDP, programs on networked computers can send short messages sometimes known as datagrams (using datagram sockets) to one another. UDP does not provide the reliability and ordering guarantees that TCP does. Datagrams may arrive out of order or go missing without notice. Without the overhead of checking whether every packet actually arrived, UDP is faster and more efficient for many lightweight or time-sensitive purposes. Also, its stateless nature is useful for servers that answer small queries from huge numbers of clients. Compared to TCP, UDP is required for broadcast (send to all on the local network) and multicast (send to all subscribers). Common network applications that use UDP include the Domain Name System (DNS), streaming media applications such as IPTV, Voice over IP (VoIP), Trivial File Transfer Protocol (TFTP) and online games.

48 What is an operating system (OS)?
A program that is started by the boot process.
A program that is accessed via an application programming interface (API) or a user interface (GUI).
Controls the use of the CPU, including multitasking of applications.
Controls the use of the system's internal memory.
Controls input to and output from attached hardware such as disks, printers, etc.
Sends messages to applications and users about the status of operations being performed and any errors that occur.

49 Where is an OS used? In more and more places...
On desktops and servers:
- MAC OSX Server
- Windows NT, 2000, XP, 2003 and VISTA
- BSD
- Linux variants, commercial as well as open source: Novell/SuSE (OpenSuSE), RedHat (Fedora), Debian, Ubuntu, Gentoo
- Commercial UNIX variants: Solaris (BSD), AIX (AT&T), HPUX (AT&T)
- Others: OpenVMS, OS/400, etc.
On network equipment:
- Routers

50 Where is an OS used?
PDAs: PalmOS, Windows Mobile, Embedded Linux
Mobile phones: Symbian OS
Game consoles: Xbox, Xbox360, PSP, PS2, PS3
Other: cars, audio and video equipment

51 UNIX
Ken Thompson starts working on UNIX in 1969.
Bill Joy starts working on BSD in 1976.
Avie Tevanian starts working on Mach in 1985.
Steve Jobs starts working on NextStep in 1985.
Richard Stallman starts working on GNU in 1984.
Linus Torvalds starts working on Linux in 1991.

52 The boot process
Example: PC
When the machine is started, the basic input-output system (BIOS) stored in the system's read-only memory (ROM) is initialised. BIOS first performs a POST check to ensure that the system's components are present and working. BIOS is configured to know where to find the OS: normally it looks at the disk first and then at the CD-ROM; the order can be changed. Once BIOS has determined where the OS is, it loads the first sector (512 bytes) of the disk, which holds the Master Boot Record (MBR). The MBR starts the OS setup and loads the kernel of the OS into the system's memory.
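What the BIOS hands control to is a single 512-byte sector, so it is worth seeing what it contains. Added illustration, not the course's code: parse a Master Boot Record, verify its boot signature, sanity-check the partition table and hash the boot-code region for comparison with a recorded baseline. The layout facts used (446 bytes of boot code, four 16-byte partition entries, the 0x55 0xAA signature in the last two bytes) are the standard MBR format, which the slide does not spell out; the MBR bytes, partition layout and placeholder boot code below are constructed, so no disk is read.

```python
"""Parse and sanity-check the 512-byte Master Boot Record (slide 52).

Added illustration, not the course's code. The sample MBR is built in code;
no real disk is read.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
PART_TABLE_OFFSET = 446
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")
BOOT_SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    index: int
    bootable: bool      # status byte 0x80 = active/bootable, 0x00 = inactive
    type_id: int        # partition type, e.g. 0x07 NTFS/HPFS, 0x83 Linux
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        """Last sector of the partition, inclusive."""
        return self.lba_start + self.sectors - 1


def parse_mbr(sector: bytes) -> List[Partition]:
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: BIOS would not boot this sector")
    parts = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def check_table(parts: List[Partition]) -> List[str]:
    """Consistency checks a boot-time integrity tool would apply; returns findings."""
    findings = []
    if sum(p.bootable for p in parts) != 1:
        findings.append("expected exactly one active (bootable) partition")
    for p in parts:
        if p.lba_start < 1 or p.sectors == 0:
            findings.append(f"entry {p.index}: zero length or overlaps the MBR sector")
    ordered = sorted(parts, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end >= b.lba_start:
            findings.append(f"entries {a.index} and {b.index} overlap")
    return findings


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the 446-byte boot code, to compare against a known-good baseline."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def make_entry(bootable: bool, ptype: int, lba: int, count: int) -> bytes:
    return PART_ENTRY.pack(0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)


def sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one bootable 0x07 partition, one 0x83 partition."""
    boot_code = b"\xEB\xFE".ljust(PART_TABLE_OFFSET, b"\0")   # 'jmp $' stub, not real boot code
    table = make_entry(True, 0x07, 2048, 204800) + make_entry(False, 0x83, 206848, 409600)
    table += b"\0" * 32                                        # two empty slots
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    mbr = sample_mbr()
    for p in parse_mbr(mbr):
        print(p)
    print("findings:", check_table(parse_mbr(mbr)) or "none")
    print("boot code sha256:", boot_code_digest(mbr))
```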

53 The OS is layered

54 The kernel
The kernel is the innermost and most fundamental part of the OS; it is started by the boot process and loaded into main memory. The kernel is ALWAYS in main memory. What the kernel contains varies from OS to OS.

55 Types of kernel
Monolithic kernels
The whole kernel runs in memory and exposes all system calls to services such as networking, process management, memory management, etc. In theory this means that all functionality in the kernel is initialised at system start. Modern monolithic kernels, however, support loadable modules that can be loaded into the kernel dynamically.
Examples: DOS, Linux, BSD, Solaris, etc.

A monolithic kernel is a kernel architecture where the entire kernel is run in kernel space in supervisor mode. In common with other architectures (microkernel, hybrid kernels), the kernel defines a high-level virtual interface over computer hardware, with a set of primitives or system calls to implement operating system services such as process management, concurrency, and memory management in one or more modules. Even if every module servicing these operations is separate from the whole, the code integration is very tight and difficult to do correctly, and, since all the modules run in the same address space, a bug in one module can bring down the whole system. However, when the implementation is complete and trustworthy, the tight internal integration of components allows the low-level features of the underlying system to be effectively utilised, making a good monolithic kernel highly efficient. In a monolithic kernel, all the subsystems, such as file system management, run in an area called kernel mode.

56 Types of kernel
Microkernels
A minimal kernel runs in memory and exposes only the most basic system calls to services such as process management, memory management, etc. Other services that would otherwise be expected in the kernel are provided by programs outside the kernel called servers. Microkernels have become interesting in recent years because of security.
Examples: AmigaOS, SymbianOS, etc.

In 2006 the debate about the potential security benefits of the microkernel design increased[3]. Many attacks on computer systems take advantage of bugs in various pieces of software. For instance, one of the common attacks is the buffer overflow, in which malicious code is "injected" by asking a program to process some data, and then feeding in more data than it stated it would send. If the receiving program does not specifically check the amount of data it received, it is possible that the extra data will be blindly copied into the receiver's memory. This code can then be run under the permissions of the receiver. This sort of bug has been exploited repeatedly, including a number of recent attacks through web browsers.

To see how a microkernel can help address this, first consider the problem of having a buffer overflow bug in a device driver. Device drivers are notoriously buggy[4], but nevertheless run inside the kernel of a traditional operating system, and therefore have "superuser" access to the entire system[5]. Malicious code exploiting this bug can thus take over the entire system, with no boundaries to its access to resources[6]. For instance, under open-source monolithic kernels such as Linux or the BSDs a successful attack on the networking stack over the internet could proceed to install a backdoor that runs a service with arbitrarily high privileges, so that the intruder may abuse the infected machine in any way[7], and no security check would be applied because the rootkit is acting from inside the kernel. Even if appropriate steps are taken to prevent this particular attack[8], the malicious code could simply copy data directly into other parts of the kernel memory, as it is shared among all the modules in the kernel.

A microkernel system is somewhat more resistant to these sorts of attacks[9] for two reasons. For one, an identical bug in a server would allow the attacker to take over only that program, not the entire system; in other words, microkernel designs obey the principle of least authority. This isolation of "powerful" code into separate servers helps isolate potential intrusions, notably as it allows a CPU's memory management unit to check for any attempt to copy data between the servers.

57 Types of kernel
Hybrid kernels
Combine elements of monolithic kernels and microkernels. The idea is to have a kernel like a microkernel, but implemented as a monolithic kernel: all servers run inside the kernel.
Examples: MAC OSX, Windows NT, 2000, 2003, XP & VISTA

58 OS bloat
Over time there has been a tendency, starting with BSD, to include more and more services in the OS: OS bloat. There are heated debates about which kernel types are best. The fiercest and longest-lived debate is between Andrew S. Tanenbaum and Linus Torvalds (Google: The Tanenbaum-Torvalds Debate).

Op. Sys.             SLOC
Windows NT           16 million
Red Hat Linux 7.1    30 million
Windows 2000         29 million
Debian 3.1           213 million
Windows XP           40 million
Sun Solaris          7.5 million
Windows VISTA        50 million
MAC OS X 10.4        86 million
Linux kernel 2.6     6 million

The Tanenbaum-Torvalds debate is a debate between Andrew S. Tanenbaum and Linus Torvalds regarding Linux and kernel architecture in general. Tanenbaum began the debate in 1992 on the Usenet discussion group comp.os.minix,[1] arguing that microkernels are superior to monolithic kernels and that, for this reason, Linux is obsolete. The debate was not restricted to just Tanenbaum and Torvalds, as it was on a Usenet group; other notable hackers such as Ken Thompson (one of the founders of Unix) and David Miller joined in as well. Due to the strong tone used in the newsgroup posts, the debate has widely been recognised as a "flame war", a deliberately hostile exchange of messages, between the two camps (of Linux and MINIX, or alternatively, of monolithic kernel enthusiasts and microkernel enthusiasts) and has been described as such in various publications.[2] Torvalds himself also acknowledged this in his first newsgroup post about the issue, stating (verbatim) "I'd like to be able to just 'ignore the bait', but ... Time for some serious flamefesting!"[3] This subject was revisited in 2006, again with Tanenbaum as initiator, after he had written a cover story for Computer magazine titled "Can We Make Operating Systems Reliable and Secure?"[4] While Tanenbaum himself has mentioned that he did not write the article for the purpose of entering a debate on kernel design again,[5] the juxtaposition of the article and an archived version of the 1992 debate on the technology site Slashdot caused the subject to be rekindled.[6] After Torvalds posted a rebuttal of Tanenbaum's arguments via an online discussion forum,[7] several technology news sites began reporting the issue.[8]

59 Modes and processes
Modes
Normally processes run in user mode, which has limited access to the kernel. Making system calls to underlying devices in the kernel requires kernel/supervisor mode, in which trusted code performs the operations.
Processes
A process is an instance of a running program. A process consists of five parts:
- A copy of the program's code
- Memory (real memory or virtual memory) containing the code and process-specific data
- OS resources (descriptors) allocated to the process
- Security attributes, such as the process owner and the process' permissions
- The process context

In computer terms, supervisor mode (sometimes called kernel mode) is a hardware-mediated flag which can be changed by code running in system-level software. System-level tasks or threads will have this flag set while they are running, whereas user-space applications will not. This flag determines whether it is possible to execute machine code operations such as modifying registers for various descriptor tables, or performing operations such as disabling interrupts. The idea of having two different modes to operate in comes from "with more control comes more responsibility": a program in supervisor mode is trusted never to fail, because if it does, the whole computer system may crash.

In general, a computer system process consists of (or is said to 'own') the following resources:
- An image of the executable computer code associated with a program.
- Memory (typically some region of virtual memory and/or real memory), which contains the executable code and process-specific data, including initial, intermediary, and final products.
- Operating system descriptors of resources that are allocated to the process, such as file descriptors (Unix terminology) or handles (Windows).
- Security attributes, such as the process owner and the process' set of permissions.
- Processor state (context), such as the content of registers, physical memory addressing, etc. The state is typically stored in computer registers when the process is executing, and in memory otherwise.
Any subset of resources, but typically at least the processor state, may be associated with each of the process' threads in operating systems that support threads or 'daughter' processes.

60 Multitasking
For several processes to run simultaneously and share the same resources, such as the CPU, multitasking is needed. The CPU can only pay attention to one process at a time, i.e. the CPU actively executes instructions for that one process. With multitasking, a schedule determines which process gets attention when, and when the next process gets its turn. When the CPU switches attention from one process to another, it is called a context switch. If context switching happens fast enough, the processes appear to run in parallel. Even on computers with several CPUs (multiprocessor machines), multitasking helps run more processes than there are CPUs.

In computing, multitasking is a method by which multiple tasks, also known as processes, share common processing resources such as a CPU. In the case of a computer with a single CPU, only one task is said to be running at any point in time, meaning that the CPU is actively executing instructions for that task. Multitasking solves the problem by scheduling which task may be the one running at any given time, and when another waiting task gets a turn. The act of reassigning a CPU from one task to another one is called a context switch. When context switches occur frequently enough, the illusion of parallelism is achieved. Even on computers with more than one CPU (called multiprocessor machines), multitasking allows many more tasks to be run than there are CPUs. Operating systems may adopt one of many different scheduling strategies, which generally fall into the following categories:
* In multiprogramming systems, the running task keeps running until it performs an operation that requires waiting for an external event (e.g. reading from a tape) or until the computer's scheduler forcibly swaps the running task out of the CPU. Multiprogramming systems are designed to maximise CPU usage.
* In time-sharing systems, the running task is required to relinquish the CPU, either voluntarily or by an external event such as a hardware interrupt. Time-sharing systems are designed to allow several programs to execute apparently simultaneously.
* In real-time systems, some waiting tasks are guaranteed to be given the CPU when an external event occurs. Real-time systems are designed to control mechanical devices such as industrial robots, which require timely processing.
The term time-sharing is no longer commonly used, having been replaced by simply multitasking.

61 Multithreading
Multitasking lets programmers develop programs that run as several concurrent processes (for example one to gather data, one to process data and one to write the result to disk). That requires several program instances to be able to access a process simultaneously. A thread is a container of information associated with one program instance in a process, i.e. there can be several threads within one process; this is called multithreading.

As multitasking greatly improved the throughput of computers, programmers started to implement applications as sets of cooperating processes (e.g. one process gathering input data, one process processing input data, one process writing out results to disk). This, however, required some tools to allow processes to exchange data efficiently. Threads were born from the idea that the most efficient way for cooperating processes to exchange data would be to share their entire memory space. Thus, threads are basically processes that run in the same memory context. Threads are described as lightweight because switching between threads does not involve changing the memory context. Multithreading is the ability of a program or an operating system process to manage its use by more than one user at a time and even to manage multiple requests by the same user without having to have multiple copies of the program running in the computer. Each user request for a program or system service (and here a user can also be another program) is kept track of as a thread with a separate identity. As programs work on behalf of the initial request for that thread and are interrupted by other requests, the status of work on behalf of that thread is kept track of until the work is completed.

62 Memory management
When several programs run at once, there is a risk that a badly written (or deliberately destructive) running program overwrites another running program's memory allocation. The OS therefore allocates memory to a running program and ensures that the program is not allowed to access memory outside its allocation. One way for an OS to increase the available memory is to use a swap file or swap partition (virtual memory).

In NT-based versions of Windows (such as Windows 2000 and Windows XP), the swap file is named pagefile.sys. The default location of the page file is in the root directory of the partition where Windows is installed. Windows can be configured to use free space on any available drives for page files. Occasionally, when the page file is gradually expanded, it can become heavily fragmented and cause performance issues. The common advice given to avoid this problem is to set a single "locked" page file size so that Windows will not resize it. Other people believe this to be problematic in the case that a Windows application requests more memory than the total size of physical and virtual memory. In this case, memory is not successfully allocated and as a result programs, including system processes, may crash. Supporters of this view will note that the page file is rarely read or written in sequential order, so the performance advantage of having a completely sequential page file is minimal. It is, however, generally agreed that a large page file will allow use of memory-heavy applications, and there is no penalty except that more disk space is used.

In the Linux and *BSD operating systems, it is common to use a whole partition of a HDD for swapping. Though it is still possible to use a file for this, it is recommended to use a separate partition, because this excludes the chance of file system fragmentation, which would reduce performance. However, with the 2.6 Linux kernel swap files are just as fast as swap partitions, so this recommendation does not apply much to current Linux systems, and the flexibility of swap files can outweigh the advantages of partitions.

63 File systems
The last big thing an OS helps with is a file system.
Hierarchical:
- WIN: FAT, FAT32, NTFS
- MAC: HFS, HFS+, NTFS (ro), FAT32 (ro), ZFS (10.5)
- Linux/Unix: ext2, ext3, ReiserFS, Reiser4, UDF, UFS, UFS2, XFS, ZFS, FAT32, NTFS (ro)
Distributed: AFS, NFS, SMB
Distributed (fault-tolerant, shared across several nodes): CODA, DFS
Record-oriented: Mainframe: VSAM, ISAM, etc. (a collection of records)

Server Message Block: SMB works through a client-server approach, where a client makes specific requests and the server responds accordingly. One section of the SMB protocol is specifically for file system access, such that clients may make requests to a file server, but there are other sections of the SMB protocol that specialise in inter-process communication (IPC). The SMB protocol was optimised for local subnet usage, but one could use it to access different subnets across the Internet, on which MS Windows file-and-print sharing exploits usually focus.

Coda is a distributed file system with its origin in AFS2. It has many features that are very desirable for network file systems. Currently, Coda has several features not found elsewhere:
1. disconnected operation for mobile computing
2. freely available under a liberal license
3. high performance through client-side persistent caching
4. server replication
5. security model for authentication, encryption and access control
6. continued operation during partial network failures in the server network
7. network bandwidth adaptation
8. good scalability
9. well-defined semantics of sharing, even in the presence of network failures

64 Logical volumes
A logical layer over physical disks.
Advantages: combine several physical disks into logical disks; change the size of logical disks "on the fly".

Volume managers differ, but some basic concepts exist across most versions. The volume manager starts with physical volumes (PVs), which can be hard disk partitions, RAID devices or SAN LUNs. PVs are split into small chunks called physical extents (PEs). Some volume managers (such as those in HP-UX and Linux) have PEs of an even size; others (such as that in Veritas) have variably-sized PEs that can be split and merged at will. The PEs are then pooled into a volume group (VG). The pooled PEs can then be concatenated together into virtual disk partitions called logical volumes (LVs). These LVs behave just like hard disk partitions: mountable file systems can be created on them, or they can be used as raw block devices for swap. The LVs can be grown by concatenating more PEs from the pool. Some volume managers allow LV shrinking; some allow online resizing in either direction. Changing the size of the LV does not necessarily change the size of a file system on it; it merely changes the size of its containing space. A file system that can be resized online is recommended because it allows the system to adjust its storage on the fly without interrupting applications. PVs may also be organised into physical volume groups (PVGs). This allows LVs to be mirrored by pairing their PEs with redundant ones on a different PVG, so that the failure of one PVG still leaves at least one complete copy of the LV online. In practice, PVGs are usually chosen so that their PVs reside on different sets of disks and/or data buses for maximum redundancy.

65 Which OS should I choose?
Depends on the task and on competence. Each OS has different interfaces. Programs are written specifically for one OS; an application for one OS does not run on another. Trends: cross-over solutions such as WINE, VMWare, Parallels, CodeWeavers.

66 The different OSes and their characteristics
Mainframe OS
Mission critical. High-volume interfaces: batch, transaction processing, time-sharing. Java support. UNIX and Linux API. Simple GUI. SNA, TCP/IP.
Examples: z/OS, z/VM

67 The different OSes and their characteristics
Server OS
Runs on a server. What is a server? Focuses on sharing hardware and software resources. Services can be, for example, file, print or web services.
Examples: Linux, MAC OS X Server, Windows 2000/2003, OpenVMS

68 The different OSes and their characteristics
Client OS
Good GUI. Resource management and OS protection are often much weaker, since the system is single-user.
Examples: MAC OS X, Linux, Windows XP, Windows VISTA

69 The different OSes and their characteristics
Embedded OSes
Typically used on devices such as mobile phones etc. The user typically has no access to the operating system. TVs, microwave ovens, mobile phones, PDAs. Typically have less memory, CPU, screen, etc.
Examples: PalmOS, Windows Mobile.

70 Exercises

