The Technical Side of Being an Internet Service Provider
International Technical Support Organization
October 1997
This soft copy for use by IBM employees only.
SG24-2133-00
Take Note!
Before using this information and the product it supports, be sure to read the general information in Appendix C, "Special Notices" on page 357.

First Edition (October 1997)
This edition applies to the concept of an Internet Service Provider and is not tied to any specific IBM product.

Comments may be addressed to:
IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 678
P.O. Box 12195
Research Triangle Park, NC 27709-2195

When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you.

© Copyright International Business Machines Corporation 1997. All rights reserved.
Note to U.S. Government Users: Documentation related to restricted rights. Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.
Contents

Preface ... ix
The Team That Wrote This Redbook ... ix
Comments Welcome ... x

Chapter 1. Introduction ... 1
1.1 Sample Network Design for an ISP ... 1

Chapter 2. Connectivity ... 5
2.1 Internet Topology ... 5
2.2 Internet Backbone Connection ... 6
2.2.1 Upstream Provider ... 7
2.2.2 Access Technologies ... 9
2.2.3 Networking Hardware ... 17
2.2.4 Domain and IP Address ... 44
2.2.5 IBM As a Service Provider ... 49
2.3 Downstream Connections ... 54
2.3.1 Types of Users ... 54
2.3.2 Access Issues ... 55
2.3.3 ISP Networking Hardware ... 61
2.3.4 Customer Requirements ... 100

Chapter 3. Server Hardware Platforms ... 107
3.1 IBM Server's Strategy ... 108
3.1.1 IBM Server Business ... 108
3.1.2 Servers in the Age of the Internet ... 109
3.1.3 The Open IBM ... 110
3.1.4 Summary of IBM's Server Strategy ... 111
3.1.5 Prospects for the Future ... 112
3.2 IBM PC Server ... 113
3.2.1 The New PC Server Strategy ... 114
3.2.2 IBM PC Server Family Overview ... 115
3.3 IBM RS/6000 ... 117
3.3.1 RS/6000 As a Platform for ISPs ... 120
3.4 AS/400 ... 123
3.4.1 Advanced Series ... 123
3.4.2 Future Direction ... 125
3.4.3 Where AS/400 Systems Fit ... 126
3.5 IBM System/390 ... 127
3.5.1 Mainframes Morph into Microframes ... 128
3.5.2 OS/390 ... 129
3.5.3 IBM System/390 within Internet Environment ... 130
3.6 Summary ... 131

Chapter 4. Internet Services ... 133
4.1 Domain Name Service ... 133
4.1.1 Berkeley Internet Name Daemon ... 133
4.2 Mail Service ... 133
4.2.1 POP Server ... 134
4.2.2 SMTP Server ... 134
4.2.3 IBM Messaging Solutions for ISPs ... 134
4.3 Web Service ... 135
4.4 FTP Service ... 135
4.5 Chat Service ... 135
4.5.1 Internet Relay Chat ... 135
4.6 News Service ... 135
4.6.1 USENET ... 137
4.6.2 Netscape News Server ... 138

Chapter 5. Management ... 139
5.1 Authentication ... 139
5.1.1 Challenge Handshake Authentication Protocol/Password Authentication Protocol (CHAP/PAP) ... 140
5.1.2 Kerberos ... 142
5.1.3 Remote Authentication Dial-In User Service (RADIUS) ... 142
5.1.4 Terminal Access Controller Access System (TACACS) ... 143
5.2 Accounting ... 146
5.3 Network Management ... 149
5.3.1 Standards ... 149
5.3.2 Structure and Identification of Management Information (SMI) ... 151
5.3.3 Management Information Base (MIB) ... 151
5.3.4 Simple Network Management Protocol (SNMP) ... 151
5.3.5 Common Management Information Protocol over TCP/IP (CMOT) ... 152
5.3.6 Tools ... 153
5.4 Usage Management ... 154

Chapter 6. Electronic Commerce ... 159
6.1 Electronic Money (E-Money) ... 159
6.1.1 Types of E-Money ... 159
6.1.2 The Double-Spending Problem ... 160
6.2 Electronic Checks (E-Check) ... 162
6.3 Secure Electronic Payment Protocol ... 162
6.4 IBM Corporation iKP (Internet Keyed Payment Protocols) ... 163
6.4.1 Security Considerations ... 164
6.5 Secure Electronic Transactions (SET) ... 165
6.6 Net.Commerce ... 166
6.6.1 Store Manager ... 167
6.6.2 The Store Creator ... 167
6.6.3 The Store Administrator ... 168
6.6.4 The Template Editor ... 168
6.6.5 The Net.Commerce Director ... 168
6.6.6 The Net.Commerce Daemon ... 168
6.6.7 The Lotus Payment Switch ... 169
6.6.8 The Olympic Ticket Sales - An Example of Net.Commerce ... 169
6.7 Example Electronic Commerce Solution ... 174

Chapter 7. Tools ... 179
7.1 Multimedia ... 179
7.1.1 Image Formats ... 179
7.1.2 Audio File Formats ... 183
7.1.3 Musical Instruments Digital Interface (MIDI) ... 184
7.1.4 Digital Movie Formats ... 186
7.1.5 Multimedia Applications on the Internet ... 188
7.2 Java ... 191
7.2.1 Applets and Applications ... 192

Chapter 8. Internet Security ... 193
8.1 The Costs of Security Breaches ... 193
8.2 The Internet and Security ... 194
8.2.1 Orange Book Security Classes ... 194
8.2.2 Red Book Security ... 196
8.2.3 C2 and Your Security Requirements ... 196
8.3 Defining Security Threats ... 196
8.3.1 Internal Threats ... 196
8.3.2 External Threats ... 197
8.3.3 Intruders Are People ... 197
8.3.4 Securing Hardware ... 197
8.3.5 Securing Software ... 197
8.3.6 Securing Information ... 198
8.3.7 The Threat from Viruses ... 198
8.4 How Intruders Break In To Your System ... 198
8.4.1 Sendmail ... 198
8.4.2 Checking CGI Scripts ... 198
8.4.3 FTP Problems ... 199
8.4.4 Telnet Problems ... 199
8.4.5 E-Mail Problems ... 200
8.4.6 Keystroke Grabbers ... 200
8.4.7 Password Attacks ... 201
8.4.8 Spoofing Your System ... 201
8.4.9 Sniffers ... 201
8.4.10 Closing a Back Door on Your System ... 202
8.5 How to Control the Risk? ... 202
8.6 What Should You Secure? ... 202
8.6.1 Network Security ... 203
8.6.2 Application Security ... 203
8.6.3 Transaction Security ... 203
8.6.4 System Security ... 203
8.6.5 The Security Checklists ... 204
8.7 Establishing a Security Policy ... 206
8.7.1 Who Makes the Policy? ... 206
8.7.2 Who Is Involved? ... 206
8.7.3 Responsibilities ... 206
8.7.4 Risk Assessment ... 207
8.7.5 Defining Security Goals ... 207
8.7.6 Establishing Security Measures ... 208
8.7.7 Know Your Server ... 209
8.7.8 Locking In or Out ... 209
8.7.9 Policy Issues ... 210
8.7.10 General Internet Security Principles ... 213
8.8 Establishing Procedures to Prevent Security Problems ... 214
8.8.1 Steps to Implement Secure Internet Applications ... 214
8.8.2 Identifying Possible Problems ... 215
8.8.3 Controls to Protect Assets in a Cost-Effective Way ... 216
8.9 Physical Security ... 217
8.9.1 Procedures to Recognize Unauthorized Activity ... 217
8.9.2 Tools for Monitoring the System ... 217
8.9.3 Vary the Monitoring Schedule ... 218
8.9.4 Communicating Security Policy ... 219
8.10 Firewall ... 221
8.10.1 Why Are Firewalls Needed? ... 222
8.10.2 Firewall Principles ... 223
8.10.3 Firewall Elements ... 223
8.10.4 Glossary of the Most Common Firewall-Related Terms ... 228
8.11 Cryptography ... 229
8.11.1 Layers - Introduction ... 230
8.11.2 Layers - Detail ... 231
8.11.3 Conclusion ... 240
8.12 Router Security ... 240
8.12.1 Introduction to PPP Authentication Protocols ... 240
8.12.2 Challenge-Handshake Authentication Protocol (CHAP) ... 241
8.12.3 Password Authentication Protocol (PAP) ... 241
8.12.4 Scenario: PPP with Bridging between Two IBM 2210s ... 241
8.13 Remote Access Security ... 242
8.13.1 IBM 8235 Security Features ... 243
8.14 Secure Web Servers ... 255
8.14.1 Secure Hypertext Transfer Protocol (S-HTTP) ... 256
8.14.2 Secure Socks Layer ... 257
8.14.3 Control Access Products to Web Sites and Home Pages ... 259
8.15 Security Mailing Lists ... 264

Chapter 9. Capacity Planning ... 267
9.1 Introduction ... 267
9.2 Content Type ... 267
9.2.1 Internet Services ... 268
9.2.2 Electronic Commerce ... 269
9.3 Number of Clients ... 269
9.4 Bandwidth ... 270
9.4.1 Formulas for Bandwidth Use ... 270
9.4.2 Internal and External Connections ... 272
9.5 Telephone Lines ... 273
9.6 Networking Hardware ... 274
9.6.1 Upstream Connection ... 275
9.6.2 Downstream Connection ... 276
9.6.3 Choosing the Protocols ... 277
9.7 Servers ... 279
9.7.1 Hardware Requirements ... 279
9.7.2 Growth and Scalability ... 282
9.8 Domain and IP Addressing ... 283
9.8.1 Design Considerations ... 284
9.8.2 DNS Security ... 284
9.8.3 A Word of Caution ... 284
9.9 Staff Members ... 285
9.9.1 Project Leader ... 285
9.9.2 Rest of Team ... 286
9.9.3 Using Consultants ... 287
9.9.4 Outside Partners ... 287
9.9.5 Dream Team ... 287
9.10 CGI Programming ... 288
9.10.1 Selecting Your Programming Language ... 288
9.10.2 Programming Languages ... 289
9.11 How to Estimate Costs ... 290
9.11.1 Telephone Costs ... 290
9.11.2 Internet Service Provider Costs ... 290
9.11.3 Hardware Costs ... 291
9.11.4 Software Costs ... 291
9.12 Recommendations ... 291
9.13 Planning for Future Expansion ... 293
9.14 Final Considerations ... 293
9.14.1 Questions about Your ISP ... 295

Appendix A. Availability Services ... 297
A.1 IBM Business Protection Model ... 297
A.1.1 Risk Management ... 297
A.1.2 Recovery Strategy ... 298
A.1.3 Recovery Capability ... 299
A.1.4 Recovery Plan ... 301
A.1.5 Business Continuity ... 302
A.2 BRS - Worldwide Locations ... 303
A.3 BRS - Services ... 303
A.3.1 e-Business Recovery Services ... 304
A.3.2 Internet Emergency Response Service (IERS) ... 307
A.3.3 Final Considerations about Availability Services ... 311

Appendix B. IBM Solutions for ISPs ... 317
B.1 IBM: Preparing ISPs for the Second Wave ... 317
B.2 Introducing IBM Solutions for ISPs ... 318
B.2.1 Operations, Administration, Maintenance and Provisioning ... 319
B.3 IBM: Professional Services ... 319
B.4 Explore the Possibilities ... 319
B.5 IBM: The Source for ISP Solutions ... 320
B.6 What Are the IBM Solutions for ISPs ... 320
B.6.1 The IBM Solutions for ISPs Family ... 320
B.7 RS/6000 As a Platform for Internet Service Providers ... 321
B.8 IBM Messaging Solution for ISPs ... 323
B.8.1 Solution Overview ... 324
B.8.2 Software ... 324
B.8.3 Hardware ... 328
B.8.4 Services ... 329
B.8.5 Summary and Conclusion ... 330
B.9 Lotus GO Server ... 330
B.9.1 HACMP and Network Dispatcher ... 331
B.9.2 Scalability and Network Dispatcher ... 331
B.9.3 Installation ... 332
B.9.4 Hardware and Software Requirements ... 332
B.10 Lotus Domino RS/6000 POWERsolution ... 332
B.10.1 Packaging and Installation ... 333
B.10.2 Lotus Domino on the RS/6000 Reference Configurations ... 335
B.10.3 Lotus Domino on the RS/6000 in the Enterprise ... 336
B.10.4 HACMP ... 336
B.10.5 Network Dispatcher ... 337
B.10.6 Scalability ... 338
B.11 Net.Commerce ... 338
B.11.1 High Availability ... 339
B.11.2 Network Dispatcher ... 339
B.11.3 Connectivity ... 339
B.11.4 Scalability ... 339
B.11.5 Billing Support ... 340
B.12 IBM Interactive Network Dispatcher ... 340
B.12.1 Challenge ... 340
B.12.2 Description ... 341
B.12.3 Benefits ... 342
B.12.4 Internet Service Provider Applications ... 342
B.12.5 Summary ... 343
B.13 IBM Firewall 3.1 ... 343
B.13.1 HACMP and Scalability ... 344
B.13.2 Connectivity ... 344
B.13.3 Packaging and Installation ... 345
B.13.4 Hardware and Software Requirements ... 346
B.14 IBM Solutions Available to ISPs ... 347
B.14.1 Tivoli ... 347
B.14.2 VideoCharger ... 348
B.14.3 Electronic Yellow Pages ... 348
B.14.4 Electronic White Pages ... 349
B.14.5 Other Solutions for ISPs ... 349
B.15 Lotus Press Release ... 350

Appendix C. Special Notices ... 357

Appendix D. Related Publications ... 359
D.1 International Technical Support Organization Publications ... 359
D.2 Redbooks on CD-ROMs ... 359
D.3 Other Publications ... 359

How to Get ITSO Redbooks ... 361
How IBM Employees Can Get ITSO Redbooks ... 361
How Customers Can Get ITSO Redbooks ... 362
IBM Redbook Order Form ... 363

Index ... 365

ITSO Redbook Evaluation ... 367
Preface<br />
This redbook provides information about building Internet Service Provider (ISP)<br />
functionality. It focuses on the technical areas that a business should be aware<br />
of when considering providing ISP services. The redbook includes information<br />
on the services and procedures needed to connect to the Internet backbone and<br />
the hardware choices not only on the connection point but also acting as several<br />
function servers on the network. Management concepts and procedures are<br />
included in areas line security, accounting and network management.<br />
When providing a service on an ISP it is also important to know the technical<br />
support needed for some Internet applications. This redbook gives information<br />
on how to support these applications, which include electronic commerce,<br />
E-mail, multimedia objects manipulation and server hosting, such as HTTP, FTP<br />
and CHAT servers.<br />
When building an ISP it is very important to know the security threats and how to<br />
avoid them in different Internet applications. The redbook outlines those threats<br />
and describes a security policy needed to prevent them, including firewall,<br />
physical security, cryptography, connection security and server security.<br />
The redbook also details capacity planning procedures in different ISP services<br />
and resources, with descriptions on bandwidth allocation and the hardware size<br />
needed, telephone lines provisioning, server sizes and considerations on future<br />
planning and staffing.<br />
The appendix gives a detailed technical description of the <strong>IBM</strong> solution for the<br />
ISPs, including not only the hardware and software needed but also a full set of<br />
services available through <strong>IBM</strong>.<br />
This redbook will be helpful for anyone considering building, designing or<br />
implementing ISP services. It will help readers to make an informed decision<br />
about establishing an ISP. The information presented here is primarily technical<br />
in nature and does not cover the financial or legal aspects of running an ISP. It<br />
identifies <strong>IBM</strong> solutions where available and, in some cases, solutions available<br />
from other sources. General knowledge of the Internet and networking is<br />
assumed.<br />
The Team That Wrote This Redbook<br />
This redbook was produced by a team of specialists from around the world<br />
working at the Systems Management and Networking ITSO Center, Raleigh.<br />
Ricardo Haragutchi is a Senior ITSO Specialist for Networking, Internet and<br />
Multimedia at the Systems Management and Networking ITSO Center, Raleigh.<br />
He holds a Bachelors of Science degree in Electrical Engineering from Escola<br />
Politecnica in Sao Paulo University. He writes extensively and teaches <strong>IBM</strong><br />
classes worldwide on such areas as routing, remote access, and Internet<br />
environment. Before joining the ITSO two years ago, Ricardo worked in the Field<br />
Systems Center (FSC) in <strong>IBM</strong> Brazil as a Senior System Engineer.<br />
Cristina Canto is an Assessor System Specialist in Brazil. She has worked for<br />
<strong>IBM</strong> Brazil for five years. She holds a degree in Computer Science from the<br />
Pontifícia Universidade Católica de Santos - São Paulo. Her areas of expertise<br />
include RISC/6000, LAN environment and network solutions design.<br />
Edmund Wilhelm is a Systems Analyst in Germany. He has 18 years of<br />
experience in the Telecommunications field. He has worked at <strong>IBM</strong> for ten<br />
years. His areas of expertise include S/390 Operating System VSE/ESA, in<br />
particular VSAM, Workstations and the Internet.<br />
Jefferson da Silva is an Assessor Segment Specialist in Brazil. He has seven<br />
years of experience in the Networking and Support field. He holds a degree in<br />
Systems Analysis from PUCC - Pontifícia Universidade Católica de Campinas.<br />
His areas of expertise include LAN/WAN environment, technical solutions design,<br />
and business recovery services. He has written extensively on networking,<br />
routers and gateways.<br />
Thanks to the following people for their invaluable contributions to this project:<br />
Linda Robinson, Mike Haley, and Paul Braun of the ITSO Center, Raleigh<br />
Allen Beebe<br />
Casey Cannon<br />
David Watts<br />
Earl Mathis<br />
Ed Merenda<br />
Jay Beck<br />
Lynda Linney<br />
Frank V. Tutone<br />
Martin Murhammer<br />
Marty Slatnick<br />
Roberto Morizi Oku<br />
Sandy Blyth<br />
The Appendix: Availability Services was contributed by Luis R. Hernandez and<br />
Michael S. Solter, from <strong>IBM</strong> Business Recovery Services Center in Sterling<br />
Forest, New York.<br />
The Appendix: <strong>IBM</strong> Solutions for ISPs was contributed by Niel A. Katz and the<br />
RS/6000 Division Network Computing Solutions Team.<br />
Comments Welcome<br />
Your comments are important to us!<br />
We want our redbooks to be as helpful as possible. Please send us your<br />
comments about this or other redbooks in one of the following ways:<br />
• Fax the evaluation form found in “ITSO Redbook Evaluation” on page 367 to<br />
the fax number shown on the form.<br />
• Use the electronic evaluation form found on the <strong>Redbooks</strong> Web sites:<br />
For Internet users http://www.redbooks.ibm.com<br />
For <strong>IBM</strong> Intranet users http://w3.itso.ibm.com<br />
• Send us a note at the following address:<br />
redbook@vnet.ibm.com<br />
Chapter 1. Introduction<br />
An Internet Service Provider (ISP) is a company that has access to the Internet<br />
and sells this ability to connect to the Internet to members of the general public.<br />
There are various ways that a provider can be connected to the Internet;<br />
normally a provider will be connected with some type of telecommunication line<br />
that provides a much higher throughput than any one individual would need or<br />
could afford. This throughput and cost are then “shared” by all subscribers.<br />
An Internet Service Provider is not the same as an Information Service. At one<br />
time it was easy to distinguish between an Internet Service Provider and an<br />
information service, such as Compuserve or America On-Line (AOL). These<br />
services provided access to their own network, and sometimes even allowed<br />
e-mail to be sent to other networks. However, these types of information<br />
services are becoming more and more entwined with the Internet and also<br />
almost all now provide the ability to directly access the Internet. They advertise<br />
as being Internet Service Providers and provide services such as News, WWW<br />
and even Chat. These information services have seen the increased<br />
opportunities available in being an Internet Service Provider.<br />
The first and most popular service provided by Internet Service Providers is<br />
e-mail. Initially it was considered sufficient to just provide e-mail access.<br />
Nowadays, e-mail is considered to be the absolute minimum service that an ISP<br />
should provide. The services that are now available range from basic e-mail to<br />
a full-fledged company presence on the Internet including a home page, product<br />
catalogs and secure online ordering, as well as customer support with real-time<br />
audio and video.<br />
As the Internet was beginning to become popular, relatively few people had the<br />
necessary hardware to access these services. To access the services properly<br />
you need a Transmission Control Protocol/Internet Protocol (TCP/IP) network<br />
connection. Initially this type of connection was only available on platforms<br />
running UNIX. Since then, however, this type of connection has become available on<br />
almost all major operating systems, from Microsoft Windows to <strong>IBM</strong>'s OS/390.<br />
1.1 Sample Network Design for an ISP<br />
Figure 1 on page 2 shows an example of a network design for an Internet<br />
Service Provider (ISP). Basically this design consists of servers running<br />
software that provide various services. It also includes routers that provide<br />
connectivity to the Internet and dial-in access for remote users.<br />
Figure 1. Example Network Design for an Internet Service Provider<br />
Implementing a network such as this for an ISP requires many decisions among<br />
the various platforms, hardware, software and connectivity options. This<br />
redbook is intended to assist in this decision making process. It does not<br />
provide all the information that you need in every instance, but addresses all<br />
important topics and provides assistance in obtaining further information.<br />
Choosing server hardware is discussed in Chapter 3, “Server Hardware<br />
Platforms” on page 107. Various services that can be provided by an ISP are<br />
discussed in Chapter 4, “Internet Services” on page 133. Selecting the<br />
connection to the Internet and the hardware to implement it is discussed in<br />
Chapter 2, “Connectivity” on page 5.<br />
A decision to establish an ISP is usually a financial decision; either it is seen as<br />
an opportunity to make money or to save money that is currently being paid to<br />
another ISP. To protect your investment and ensure that an ISP continues to<br />
meet its financial expectations it must be properly managed. Management of the<br />
ISP is discussed in Chapter 5, “Management” on page 139, and the various means<br />
to earn money and perform financial transactions on the Internet are discussed in<br />
Chapter 6, “Electronic Commerce” on page 159. Various tools that are<br />
available to assist in providing services on the Internet are discussed in<br />
Chapter 7, “Tools” on page 179.<br />
Finally, to complete the items that need to be considered when establishing an<br />
ISP, security is discussed in Chapter 8, “Internet Security” on page 193 and<br />
capacity planning is discussed in Chapter 9, “Capacity Planning” on page 267.<br />
Although each of these topics is addressed in its own chapter, these topics are<br />
highly interrelated. We recommend that you initially read this redbook in its<br />
entirety. After an initial reading, chapters can be referred to for specific<br />
information.<br />
Chapter 2. Connectivity<br />
2.1 Internet Topology<br />
This chapter describes the networking connections an ISP needs in order to<br />
provide Internet access services to its customers. It contains information related<br />
to both the Internet backbone and client connections.<br />
We begin by examining the Internet topology to show the way an ISP is located<br />
within this network.<br />
The Internet consists of high-speed circuits connecting routers that transmit data<br />
using Transmission Control Protocol/Internet Protocol (TCP/IP). It doesn't<br />
belong to any single group, company or country. The different parts belong to<br />
many organizations, but the Net itself doesn't belong to anyone.<br />
The circuits are maintained by large telecommunications companies in each<br />
country such as MCI, Sprint, Worldcomm in the USA and Embratel in Brazil. The<br />
national ISPs, such as IGN, lease high-speed circuits from the<br />
telecommunications companies to be connected in their Points Of Presence<br />
(POPs - not to be confused with the POP mail protocol) through routers. In this<br />
way they have access to the Network Access Points (NAPs) where they can<br />
exchange routes and traffic, shuffling information from one machine to another.<br />
The largest NAPs are connected by very high-speed data circuits, often between<br />
45 and 144 Mbps.<br />
Regional and local ISPs purchase connections from these national ISPs or, in<br />
some cases, directly from the large telecommunications companies.<br />
Consequently they can offer Internet access and services to their customers.<br />
Therefore, since the Internet backbone is really made up of several complex<br />
backbones that are joined at the various NAPs, you won't be able to connect<br />
directly to the Internet. This is not the way it works.<br />
You will need a TCP/IP network connection to another Internet provider that is<br />
already connected to the Internet. It can be a national ISP or another ISP. The<br />
ISPs who offer this type of service are usually called Internet backbone providers<br />
or upstream providers.<br />
This upstream connection gives the ISP and its customers access to the Internet<br />
backbone. The customers' links to the ISP, by contrast, are called downstream<br />
connections.<br />
The terms upstream and downstream are used when discussing connections<br />
from an ISP to other sites, where upstream circuits route data closer to the<br />
Internet core while downstream connections refer to those that route information<br />
further away from it. Another way of looking at it is that an ISP pays for<br />
upstream links and charges for downstream links.<br />
Figure 2 on page 6 shows a sample network design with ISP connections to the<br />
Internet backbone and to its customers.<br />
Figure 2. Example of Upstream/Downstream Internet Connections for an ISP<br />
2.2 Internet Backbone Connection<br />
Connecting an ISP to the Internet backbone requires several steps, including<br />
identifying the organization that is going to provide the Internet access, choosing<br />
the technology and network hardware that will be used in the connection, and<br />
getting the domain and IP address.<br />
2.2.1 Upstream Provider<br />
Choosing an upstream provider is one of your most critical decisions. You have<br />
to choose circuits that are going to connect you and your customers to the<br />
Internet. The capability, performance and reliability of these circuits are<br />
important. However, as they represent a major expense, they must be chosen<br />
carefully.<br />
Buying an Internet connection is a lot like buying a computer. Just as when you<br />
are buying a computer, your choice of an Internet service provider should be<br />
driven by your intended use. If you are looking for minimum cost, you might<br />
seek out the lowest-priced system in the back of a magazine or even assemble<br />
something yourself from parts bought at a flea market. There are some low-cost<br />
IP service suppliers who claim to be just as good as the others, but may not be<br />
in business next year to prove it. Since you are buying something your business<br />
will depend on, this is not the wisest choice. If you make the arrangements with<br />
a backbone provider whose connections are small or bad, your customer base<br />
will know it. They will feel it when using your service.<br />
Nor does it follow that the most expensive solution is going to be the best<br />
choice, even if that supports the theory that you get what you pay for. You should<br />
analyze the options you have carefully, paying attention to the different services,<br />
price structures, peak bandwidth limitations, personal service quality and<br />
geographical constraints.<br />
Some topics you need to think about when evaluating upstream providers are:<br />
• Network Topology<br />
This is one of the most important criteria to consider when choosing a<br />
provider. Looking at the network topology can help you understand how<br />
vulnerable the network is to outages, how much capacity is available when<br />
the network is loaded more heavily than usual and, most important, how<br />
well the provider understands network engineering.<br />
• Network Link Speeds<br />
It is important to look closely at the speeds of the backbone links. To be<br />
able to do that, you should consider what kind of link services you are going<br />
to provide to your customers in order to size your needs. Do you intend to<br />
be an upstream provider to other ISPs or to just have dial-up customers?<br />
Another point to understand is that your network connection can only be as<br />
fast as the slowest link in the path. It doesn't matter if the node you will be<br />
connected to is a T3 if the link between you and it will be only 56 kbps. The<br />
limit will be the 56 kbps link, not how much capacity the T3 node has.<br />
On the other hand, if the provider only has 256 kbps to its upstream<br />
connection, there is no sense buying a T1 from it.<br />
Don't forget to ask if the topology you are being shown is operational now.<br />
Some providers like to show links that are not operational as part of their<br />
backbone infrastructure. It is also important not to be confused between the<br />
press release about a new high-speed network link and that link actually<br />
being operational.<br />
• External Network Links<br />
Take a look at the external links of each provider's backbone. Do they have<br />
a single connection to the rest of the world? This is a potential single point<br />
of failure. Look for multiple, direct connections to other network providers.<br />
The more of these connections, the better. This shows that the provider is<br />
concerned about external connectivity and does not want to be dependent on<br />
some third party for interconnection. If they have a single connection to the<br />
outside world, ask them how often it fails and how long they usually are<br />
isolated. If they can't give you these statistics, are they managing their own<br />
network well enough to manage yours?<br />
One extremely important point is how far the provider is from the high-speed data<br />
circuits. The performance and throughput for your customers will be related<br />
to how close you are to the major NAP circuits.<br />
Upgrades can also be difficult if you are far from the backbone circuits. Even<br />
if you start small, you'll eventually want to increase your bandwidth. And<br />
changing your provider incurs considerable costs, both in changing IP<br />
addresses (in most cases) and the work time to complete the task.<br />
• Location<br />
You must consider if you can connect to high-speed backbones for a<br />
reasonable cost. The POPs locations the upstream provider offers to you are<br />
extremely relevant. The distance from your office location to the nearest<br />
POP can make or break your business, due to the varying level of circuit<br />
availability and bandwidth costs.<br />
As for availability, in some areas there are very long lead times for a<br />
new circuit.<br />
As for cost, the provider requires that you buy the local loop segment that is<br />
going to make the connection between your company office and its closest<br />
POP. You will have to buy this directly or indirectly from one of the<br />
telephone companies serving your local area. The local loop charges are<br />
often the highest costs in the communications chain. So pay attention to the<br />
whole solution cost, which must include the local loop and the service<br />
provider fee.<br />
• Technology<br />
The technology being used to operate the network is also critically important.<br />
Today, there is a great deal of commercial quality router, switch and modem<br />
technology available from companies whose business it is to make that<br />
equipment.<br />
Sometimes a provider can have a bad case of the not invented here<br />
syndrome. This is a sure sign of long-term problems. Any provider still<br />
relying on their own internally developed equipment is doing you a<br />
disservice. You deserve the benefits of leading-edge production technology,<br />
not aging hardware that has been contorted into a use never intended by its<br />
designers.<br />
Remember, you are buying a service. The provider of this service should be<br />
using the best available technology to deliver this service.<br />
• Technical Staff<br />
Another aspect to consider when choosing a provider is the quality of its<br />
technical staff. They are the ones who will get your connection running to<br />
begin with and then keep it and the network running in the future. They have<br />
to be experienced in TCP/IP data networking.<br />
Make sure the provider has adequate staffing to cover the usual situations.<br />
If they send people to trade shows for a week, how many people are back at<br />
the office running things and how skilled are they? Find out what their
technical staff turnover is. If people are leaving, find out why and who is left<br />
to keep your connection operational. Many suppliers of service have single<br />
points of failure in their staff capacity as well.<br />
• Help Desk Infrastructure<br />
Check out their help desk infrastructure. It should be 24x7 (24 hours a day<br />
and 7 days a week) staffed by at least one person, including nights,<br />
weekends and holidays. Make sure that they will have someone capable of<br />
dealing with your problem and not someone who will just answer the phone<br />
all the time.<br />
• Organization<br />
Find out how long the company has been in the IP business. Try to<br />
determine if they are going to be in business for the long run. Quality<br />
networks are not built on a small budget. The pricing may look attractive<br />
now, but the passage of time often reveals hidden costs and price increases,<br />
the greatest of which can be having to switch providers.<br />
Another way of getting good information is by talking to other ISPs. You can<br />
try looking up their information in some Internet forums. If you don't find<br />
anything about whose backbone providers to use, at least you will find<br />
whose you should not.<br />
• Full Range of Services<br />
Does your provider have a full range of services or is it just filling a niche? If<br />
you need to increase or decrease your service level, will you need to switch<br />
providers?<br />
2.2.2 Access Technologies<br />
There is a wide variety of data circuit technology choices to connect an ISP to an<br />
upstream provider. They vary from dial-up to leased lines, ISDN, frame relay,<br />
ATM, satellite and cable modem as well as many others.<br />
Because there are so many options, we describe the access technologies most<br />
commonly used.<br />
Most ISPs use two types of available circuits: point-to-point and shared physical<br />
networks.<br />
In a point-to-point connection there are two distinct physical terminations for<br />
the link, meaning it is physically connected through wires. The most often used<br />
links are leased lines, from 56 kbps to T3 circuits.<br />
In the shared network, the connection is divided among several customers and<br />
the circuit disappears into a cloud. In this topic we discuss the frame relay<br />
technology.<br />
Important<br />
Whatever technology you use, both you and your upstream provider must<br />
have the same network strategy. This means that the methods of exchanging<br />
data must be compatible on both sides.<br />
2.2.2.1 Leased Lines<br />
Leased lines (also called dedicated lines) are the most common way to connect<br />
an ISP environment to the upstream provider. Here you have a private network<br />
between you and your provider, available through twisted-pair copper wires<br />
between the two points.<br />
Dedicated lines are stable and reliable, and in some countries you can get very<br />
cheap high-speed channels. However, as the connection is always open and<br />
available for you, you will have to pay the full utilization of the circuit. The cost<br />
of the connection depends on the distance between the two linked points as well.<br />
Although this may not make much difference when the connection stays in the<br />
same city, large increases can occur if your connection travels through other<br />
exchanges. Despite the differences between the providers, the nearer the POP,<br />
the better.<br />
The bandwidth rates vary with the type of connection you will need, from<br />
low-speed to high-speed circuits.<br />
Although there are many different kinds of leased connections and they can vary<br />
depending on the country, the most popular speed and standards are as follows:<br />
• 56 kbps<br />
This is an entry point for dedicated circuits and is called Dataphone Digital<br />
Service (DDS). It is a digital phone-line connection capable of carrying<br />
56,000 bps.<br />
At this speed, a megabyte will take about three minutes to transfer. This is<br />
3.7 times as fast as a 14,400 bps modem.<br />
• 64 kbps<br />
This is also a digital phone-line connection capable of carrying 64,000 bps.<br />
At this basic speed rate a megabyte will take about two minutes to transfer.<br />
This is 4.4 times as fast as a 14,400 bps modem.<br />
It is also called DS0 (that means Data Speed 0, Digital Service 0 or Digital<br />
Signal 0, depending on the reference book).<br />
• Fractional T1<br />
A fractional T1 (FT1 or FracT1) is a subchannel of a full T1 channel, that is,<br />
use of only a fraction of the available data channels.<br />
A full 1.5 Mbps T1 circuit contains 24 fractional T1 lines, each with a<br />
bandwidth of 56 or 64 kbps. The purchase of the circuit can be one or more<br />
fractional lines. For example, a 256-kbps link can be accomplished with four<br />
of the above channels. For 512 kbps, we will need eight channels, and so<br />
on. Upgrades can also be done just by adding the extra fractional T1 lines<br />
needed to the current leased channel.<br />
Although you don't need to purchase a complete T1 line, you may be<br />
surprised by the cost of the lower-speed connections. This is because<br />
fractional T1 and full T1 services are not functions of the physical connection<br />
speed, but have to do with choices programmed into the data<br />
communications equipment. In this way, although FracT1 uses only some of<br />
the available channels, you will need to purchase a full T1 circuit anyway.<br />
For this reason the money you pay for an initial 256-kbps connection is not<br />
proportional to the cost of an upgrade to 512 kbps or a full T1.<br />
• T1<br />
T1, also called DS1, is a leased-line connection at 1.5 Mbps, that is 1,544,000<br />
bps. This term is used in the USA, Australia and in some other countries.<br />
A T1 circuit has 24 channels; depending on the line encoding, each channel<br />
carries 64 kbps or 56 kbps, for a total payload bandwidth of 1.536 Mbps or 1.344 Mbps.<br />
At maximum theoretical capacity, a T1 line could move a megabyte in less<br />
than 10 seconds.<br />
• E1<br />
Similar to a T1 link, this standard is used in Europe, South America and in<br />
other parts of the world.<br />
In an E1, each circuit is composed of 32 64-kbps channels that provide a total<br />
bandwidth of 2,048,000 bps. It is also called a 2-Mbps link.<br />
• E3<br />
In an E3 line there are 480 channels for a total bandwidth of 34,368,000 bps.<br />
Also used in Europe and other countries.<br />
• T3<br />
A T3 circuit, also known as DS3, is a high-speed leased-line connection<br />
capable of providing 44,736,000 bps. It is equivalent to 28 T1 circuits.<br />
As a T1 circuit is constructed from lower bandwidth slices, a T3 link carries<br />
672 channels of 64 kbps. It is usually available over high-speed fiber-optic<br />
cable, generally in large Internet backbones.<br />
Fractional T3 lines are also available in the same way as in T1.<br />
The previous circuits are the most often used by ISPs. However, there are two<br />
other T-carrier services standards: T2 and T4.<br />
T2 provides up to 4 T1 channels, but is not available commercially. T4 carries<br />
168 T1 channels for a total bandwidth of 274.176 bps.<br />
Note<br />
The T-carrier service is available through several layers:<br />
• DS0 is equivalent to a 64-kbps circuit.<br />
• DS1 is equivalent to a T1.<br />
• DS2 comprises 4 DS1.<br />
• DS3 comprises 7 DS2.<br />
• DS4 comprises 6 DS3.<br />
For your reference, Table 1 shows a summary of the leased line options<br />
available.<br />
Table 1. Line Options<br />
Category | Service Grade | Circuit Speed<br />
Low-speed | DS0 | 56/64 kbps<br />
Low-speed | Fractional T1 | 56/64 kbps up to 1.544 Mbps<br />
Medium-speed | T1 (DS1) | 1.544 Mbps<br />
Medium-speed | E1 | 2.048 Mbps<br />
High-speed | E3 | 34.368 Mbps<br />
High-speed | T3 (DS3) | 44.736 Mbps<br />
For information about how to measure the capacity lines and connection types,<br />
refer to 9.4, “Bandwidth” on page 270.<br />
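The T-carrier arithmetic in this section (DS0 channels, fractional T1 sizing, the DS hierarchy up to T4, transfer times, and the slowest-link rule from 2.2.1) is easy to get wrong when sizing an upstream link. The following Python helper is an added example written for this edition; it is not code from the redbook or from IBM. The function names and the ideal, overhead-free transfer-time model are the example's own assumptions; the constants are taken from the figures given in the text.

```python
"""T-carrier / leased-line sizing helper.

Added example (not part of the original redbook). Constants follow the
figures stated in the text: DS0 = 56 or 64 kbps, T1 = 24 channels,
DS2 = 4 DS1, DS3 = 7 DS2, DS4 = 6 DS3, E1 = 32 x 64-kbps channels.
"""
from math import ceil

# Per-channel (DS0) payload rates, depending on line encoding.
DS0_64K = 64_000
DS0_56K = 56_000

# Aggregate line rates from Table 1, in bps (these include framing overhead).
LINE_RATES_BPS = {
    "DS0": 64_000,
    "T1": 1_544_000,
    "E1": 2_048_000,
    "E3": 34_368_000,
    "T3": 44_736_000,
}

# DS0 channel count at each level of the T-carrier hierarchy (from the Note box).
T_CARRIER_CHANNELS = {
    "T1": 24,
    "T2": 4 * 24,           # DS2 comprises 4 DS1
    "T3": 7 * 4 * 24,       # DS3 comprises 7 DS2, i.e. 28 T1 = 672 channels
    "T4": 6 * 7 * 4 * 24,   # DS4 comprises 6 DS3, i.e. 168 T1
}

# E1 is 32 channels of 64 kbps.
E1_CHANNELS = 32


def t1_equivalents(level: str) -> int:
    """How many full T1 circuits a given T-carrier level is equivalent to."""
    return T_CARRIER_CHANNELS[level] // T_CARRIER_CHANNELS["T1"]


def payload_bps(level: str, channel_bps: int = DS0_64K) -> int:
    """Usable payload of a T-carrier level: channels x per-channel rate.

    For T1 this yields 1.536 Mbps (64-kbps channels) or 1.344 Mbps
    (56-kbps channels), i.e. the line rate minus framing overhead.
    """
    return T_CARRIER_CHANNELS[level] * channel_bps


def fractional_t1_channels(target_bps: int, channel_bps: int = DS0_64K) -> int:
    """Number of fractional T1 channels needed to reach at least target_bps.

    Raises ValueError if more than the 24 channels of a full T1 would be
    needed, since a FracT1 order cannot exceed the circuit it is carved from.
    """
    if target_bps <= 0:
        raise ValueError("target_bps must be positive")
    channels = ceil(target_bps / channel_bps)
    if channels > T_CARRIER_CHANNELS["T1"]:
        raise ValueError(
            f"{target_bps} bps exceeds a full T1 payload of "
            f"{payload_bps('T1', channel_bps)} bps"
        )
    return channels


def transfer_seconds(num_bytes: int, line_bps: int) -> float:
    """Ideal time to move num_bytes over a line of line_bps.

    Assumption: no protocol overhead and the line fully available (the
    text's "maximum theoretical capacity").
    """
    return num_bytes * 8 / line_bps


def path_bottleneck_bps(link_speeds_bps) -> int:
    """Effective speed of a path is that of its slowest link (section 2.2.1)."""
    speeds = list(link_speeds_bps)
    if not speeds:
        raise ValueError("a path needs at least one link")
    return min(speeds)


if __name__ == "__main__":
    one_megabyte = 1 << 20
    print("T3 = %d T1 = %d channels" % (t1_equivalents("T3"), T_CARRIER_CHANNELS["T3"]))
    print("256 kbps needs %d DS0s" % fractional_t1_channels(256_000))
    print("1 MB over 56 kbps: %.0f s" % transfer_seconds(one_megabyte, DS0_56K))
    print("1 MB over T1: %.1f s" % transfer_seconds(one_megabyte, LINE_RATES_BPS["T1"]))
    print("T3 behind a 56k loop: %d bps" % path_bottleneck_bps([LINE_RATES_BPS["T3"], DS0_56K]))
```

Note that payload_bps multiplies channels by the per-channel rate, so for a T1 it gives the 1.536/1.344 Mbps payload figures from the text rather than the 1.544 Mbps line rate in Table 1, which includes framing. The hierarchy multipliers come from the Note box (DS2 = 4 DS1, DS3 = 7 DS2, DS4 = 6 DS3), which is why T3 works out to 28 T1 and 672 DS0 channels as stated above.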
2.2.2.2 Frame Relay<br />
Frame relay is a data communication interface originating from ISDN, designed<br />
to provide high-speed frame or packet transmission with minimum delay and<br />
efficient use of bandwidth. It is a variation on the X.25 interface and a form of<br />
fast packet switching.<br />
It derives its name from using the data link (OSI layer 2) frame to route or relay<br />
a packet directly to its destination instead of terminating the packet at each<br />
switching node. This eliminates processing overhead and increases throughput<br />
speed. It's based on the ITU-TS LAP-D standard and uses variable-length<br />
packets.<br />
Like Ethernet or token-ring, frame relay assumes that connections are reliable.<br />
It does not have error detection and error control within the network, which<br />
helps to speed up the protocol. When errors occur, frame relay relies on higher<br />
level protocols for error control.<br />
We can also think of frame relay as a point-to-point connection, but in this case<br />
we are referring to the virtual connection between two sites. They appear to<br />
have a dedicated connection but they are actually sharing networking hardware<br />
with many others, as you can see in Figure 3 on page 13.<br />
Figure 3. Example of Frame Relay Physical and Virtual Connections<br />
Frame relay is offered by most large telecommunications companies and<br />
Regional Bell Operating Companies (RBOC) with a bandwidth range from 56<br />
kbps to 2 Mbps. Although voice transport over frame relay is possible, frame<br />
relay is considered to be restricted to data transport because of the constant<br />
transmission that voice requires.<br />
Using frame relay you will probably get a lower cost connection service. This is<br />
because it works with a common cloud, where its total bandwidth is divided<br />
among all the other customers. However, there's a standard, the Committed<br />
Information Rate (CIR), that guarantees some amount of bandwidth. For<br />
example, you can purchase a 512-kbps link from a frame relay provider and set<br />
the CIR to 128 kbps. In this way, you will not always have 512 kbps, but you will<br />
have at least 128 kbps guaranteed. When the traffic on the frame relay cloud<br />
is low, you can have up to the full 512 kbps. You pay for the CIR you choose, of<br />
course.<br />
For more information about frame relay, refer to the <strong>IBM</strong> Frame Relay Guide,<br />
GG24-4463.<br />
2.2.2.3 ATM<br />
Asynchronous Transfer Mode (ATM) is a relatively new, very high-speed digital data<br />
transmission technology capable of data transfer rates up to 2.488 Gbps under<br />
experimental circumstances. However, initial implementations are around 155<br />
Mbps or 622 Mbps.<br />
ATM is a cell-based data transfer technique in which channel demand<br />
determines packet allocation. It offers fast packet technology, real time,<br />
demand-led switching for efficient use of network resources. It can deal with all<br />
kinds of traffic: data, voice and video.<br />
All information is transported through the network in very short blocks called<br />
cells. In contrast to frame relay, which allows variable frame sizes, each cell is<br />
always 53 bytes long - 48 bytes of data plus 5 bytes of header. Information flow<br />
is along paths (called virtual channels) set up as a series of pointers through the<br />
network. The cell header contains an identifier that links the cell to the correct<br />
path to take towards its destination.<br />
Cells on a particular virtual channel always flow on the same path through the<br />
network and are delivered to the destination in the same order in which they<br />
were received.<br />
ATM is designed so that simple hardware-based logic elements may be<br />
employed at each node to perform the switching. For example, on a link of 1<br />
Gbps, a new cell arrives and a cell is transmitted every 0.43 μsec. There is not a<br />
lot of time to decide what to do with an arriving packet.<br />
ATM can be used in two distinct environments: carrier, provided as a service to<br />
the end user, and private network, where a large organization purchases lines<br />
from a carrier (or installs them itself) and builds a private ATM network.<br />
Although ATM will be the high-bandwidth networking standard of the decade, it<br />
is a technology that is maturing slowly in wide area networks. One of the major<br />
problems is government regulation. In most countries, governments regulate the<br />
detailed technical characteristics of everything that connects to a public<br />
communications network. This is often called homologation, and part of its<br />
process requires protocol testing, which is an extremely expensive and very<br />
slow task.<br />
At the moment, ATM is starting to appear only at the NAP level or in connections<br />
between the NAPs. It's a very expensive option, but something that could be<br />
considered in cases where T-carrier is not enough anymore.<br />
For further information about ATM technology, refer to:<br />
• ATM Technical Overview, SG24-4625<br />
• http://www.atmforum.com<br />
2.2.2.4 Other Technologies<br />
There are some other emerging ways to obtain bandwidth into the Internet. We<br />
discuss three of them.<br />
Optical Cabling: In the most commonly used method of connection, leased lines,<br />
the communications infrastructure is almost completely based on copper lines,<br />
which increases the local loop charges.<br />
As optical cabling becomes cheaper to install and maintain than traditional<br />
copper wires, the telephone and cable companies are replacing aging<br />
infrastructures with this type of cabling. With this upgraded infrastructure, the<br />
ability to transmit data in the local loop will be increased, and bandwidth cost<br />
will tend to climb.<br />
Some research results show that this physical link, about the size of a human<br />
hair, is able to deliver 1000 billion bps - roughly 2000 times faster than the<br />
theoretical maximum of twisted pair.<br />
Cable TV and Satellite: Other growing options for Internet access are the use of<br />
cable TV and satellite. Cable Internet access has been tested in some countries,<br />
while some satellite companies have been using solutions with "Direct TV"<br />
style dishes. Although there are still many restrictions for an ISP upstream<br />
connection, these emerging technologies may be used on a large scale in the future.<br />
But before explaining the restrictions, you need to understand some concepts:<br />
cable technology, and the one-way and two-way communication methods of a cable<br />
system.<br />
The cable system has a starting point in each community that is responsible<br />
for originating the community's signals and for receiving the signals that<br />
come from satellites through the air. From this point, the signals are carried<br />
over a coaxial cable throughout the community.<br />
The transmission method called Frequency Division Multiplexing (FDM) allocates<br />
6 MHz of bandwidth on the coaxial cable for each signal, which allows multiple<br />
channels to be carried over the same coaxial cable.<br />
In order to cover the whole community, the cable is split and the entire signal is<br />
reproduced on each cable after each split. This results in a tree topology.<br />
In some ways, the cable architecture is similar to Ethernet LANs, which send all<br />
the information to all hosts on the network, but only the correct host picks up<br />
the Ethernet packets addressed to it.<br />
Although the cable system has been used by the cable companies for many<br />
years, it has been modified due to advances in fiber-optic transmission<br />
technology. They are changing this tree topology to a new hybrid<br />
fiber-and-coaxial (HFC) system. In this system fiber is used in the neighborhoods<br />
and coaxial cable is used for the connection to each door. This technology can<br />
transmit more information than coaxial cable because it has more frequency<br />
ranges. Also, as it uses light instead of electricity, it can carry the signal for<br />
longer distances without amplification.<br />
Despite all these improvements, the cost of optic fiber prevents the telephone<br />
companies from installing it. So there's a new configuration called<br />
Fiber-to-the-Neighborhood (FTTN) that takes optic fiber to a group of houses.<br />
As a consequence, many coaxial cables are replaced by fiber while the small<br />
connections remain coaxial. In addition, signal quality is improved and the<br />
number of amplifiers is reduced.<br />
This FTTN infrastructure permits the use of two-way communications, but this<br />
depends on the geographical implementation. To work around this situation, there's a<br />
temporary solution called one-way communication.<br />
In the one-way concept, the cable company only provides the path responsible<br />
for receiving data, which is called downstream bandwidth (not to be confused<br />
with a downstream connection related to ISP customers). An example of this<br />
downstream bandwidth usage is the requested Web page information that comes<br />
into a Web browser.<br />
The path that sends data the other way is called upstream bandwidth. It is used,<br />
for example, when you request a site page by typing it into the Web browser's<br />
address field. This path has to be provided by a separate connection (such as a<br />
dial-up line) to an ISP. As a result, the upstream connection is slower than the<br />
downstream one.<br />
In a two-way connection, both paths can be on the same link, but this requires<br />
HFC technology. It also requires some changes.<br />
First of all, adequate spectrum has to be allocated for the upstream data,<br />
followed by the replacement of the amplifiers to divide upstream and<br />
downstream data into the correct frequency. Finally, the cable company must<br />
implement a method to multiplex all the upstream data from multiple users onto<br />
the coaxial cable.<br />
The satellite technology for Internet access is very similar to cable connectivity.<br />
In one-way satellite communication another link is needed to perform the<br />
upstream transmission (the satellite link itself provides zero upstream<br />
bandwidth). This method has only become available recently.<br />
On the other hand, two-way transmission is well established, but only very few<br />
ISPs offer this type of connection.<br />
As you can see, the use of cable or satellite technologies to connect an ISP to its<br />
upstream provider has a lot of limitations. In one-way solutions, there is no<br />
upstream bandwidth and it is necessary to have a complementary upstream<br />
link. Two-way cable technology depends on the cable company's offerings, and in<br />
two-way satellite communication there are very few ISP providers.<br />
You should consider a satellite link if you are in a remote area, where stretching a<br />
T1 circuit across several hundred miles can be very expensive, or if you want to<br />
transmit a very large amount of data.<br />
If you need more information about satellites, see the International<br />
Telecommunications Satellite Organization Web site at:<br />
http://www.intelsat.int<br />
2.2.3 Networking Hardware<br />
In this section we explain the networking hardware needed to connect an ISP to<br />
its upstream provider in the two most common methods: leased lines and frame<br />
relay. We also include some <strong>IBM</strong> products that can be used in this connection:<br />
the 2210/2216 routers and the 8224/8237 hubs. We begin by explaining the<br />
different functions of the networking hardware components.<br />
2.2.3.1 Hardware Components<br />
The basic networking hardware components for an upstream connection are<br />
discussed in the following sections.<br />
Router: This is the crucial piece of equipment required in an Internet upstream<br />
connection. It's responsible for the flow of IP datagrams between the ISP and the<br />
Internet core in both directions.<br />
Since its principal function is to examine IP headers and decide where each<br />
datagram should be sent, this can be accomplished by a UNIX machine or by a<br />
stand-alone router. However, as this simple-seeming function has to be done at<br />
extremely high speeds (and the consequences of errors can be disastrous), the<br />
stand-alone router is recommended because it routes considerably faster than<br />
the UNIX machine.<br />
For an initial ISP, the router must have at least two interfaces: one for the<br />
backbone provider and the other to the ISP local network. However, depending<br />
on the type of bandwidth coming to the ISP, the router may support other<br />
interfaces, one for each dedicated data circuit.<br />
Some important characteristics that you should observe in a router are:<br />
• Performance: A router has performance characteristics measured in packets<br />
per second (pps). Consequently, the more connections and bandwidth, the more<br />
pps is required from the router.<br />
• Management: The management tools should indicate what is happening and<br />
allow easy adjustment and restoration of parameters.<br />
• Routing protocols: The routing protocol must be compatible with the one used<br />
on the other end of the data circuit. The most common routing protocols<br />
used on the Internet are RIP, OSPF and BGP-4.<br />
• Filters: The router should include basic filtering capabilities in order to<br />
permit or deny a specific packet flow, in case you need basic firewall<br />
capabilities in the future.<br />
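The filtering capability in the last item, as an added example that is not from the redbook or any IBM product: a first-match, default-deny packet filter in Python evaluated over a constructed inbound policy for the interface facing the upstream provider. The addresses are RFC 5737 documentation ranges and the rules, server addresses and sample packets are made up; the first rule (the ISP's own prefix must never arrive from the upstream side) is the anti-spoofing check a border filter should start with.

```python
"""First-match, default-deny packet filter of the kind a border router provides.
Added example, not from the redbook or any IBM product. Policy, servers and
sample packets are constructed; addresses are RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]      # destination port, None = any port


def rule(action: str, proto: str, src: str, dst: str,
         dport: Optional[int] = None) -> Rule:
    """Build a rule from prefix strings, rejecting unknown actions up front."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be 'permit' or 'deny'")
    return Rule(action, proto, ip_network(src), ip_network(dst), dport)


ISP_PREFIX = "203.0.113.0/24"   # constructed: the ISP's own address block
ANY = "0.0.0.0/0"

# Constructed inbound policy, evaluated top to bottom; the first match wins and
# anything that matches nothing is dropped by the implicit final deny.
INBOUND: List[Rule] = [
    rule("deny", "any", ISP_PREFIX, ANY),               # our own prefix from outside is spoofed
    rule("deny", "any", "10.0.0.0/8", ANY),             # RFC 1918 space never belongs on the upstream link
    rule("deny", "any", "172.16.0.0/12", ANY),
    rule("deny", "any", "192.168.0.0/16", ANY),
    rule("permit", "tcp", ANY, "203.0.113.10/32", 80),  # public Web server
    rule("permit", "tcp", ANY, "203.0.113.10/32", 25),  # mail relay
    rule("permit", "udp", ANY, "203.0.113.53/32", 53),  # authoritative DNS
    rule("permit", "tcp", ANY, "203.0.113.53/32", 53),
]

Packet = Tuple[str, str, str, Optional[int]]   # (proto, src, dst, dport)


def evaluate(rules: Sequence[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule); (deny, None) means the implicit final deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r
    return "deny", None


def apply_policy(rules: Sequence[Rule], packets: Sequence[Packet]) -> List[Tuple[Packet, str]]:
    """Run a batch of packets through the filter and pair each with its verdict."""
    return [(pkt, evaluate(rules, *pkt)[0]) for pkt in packets]


# Constructed traffic as it might arrive on the upstream interface.
SAMPLE_PACKETS: List[Packet] = [
    ("tcp", "198.51.100.7", "203.0.113.10", 80),     # ordinary Web request
    ("tcp", "203.0.113.9", "203.0.113.10", 80),      # source claims to be inside: spoofed
    ("tcp", "198.51.100.7", "203.0.113.10", 23),     # telnet to the Web server: not permitted
    ("udp", "198.51.100.7", "203.0.113.53", 53),     # DNS query
    ("icmp", "10.1.2.3", "203.0.113.10", None),      # private source address
]
```

Rule order matters in a first-match filter: the deny rules for spoofed and private sources sit above every permit so that a spoofed packet to the Web server is dropped by the first rule rather than admitted by the port-80 permit below it.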
CSU/DSU: This equipment provides the interface between the telephone<br />
company's network and the ISP network. Although it's often referred to as a<br />
single piece of equipment, it has two distinct functions.<br />
The Channel Service Unit (CSU) is a simple device that interfaces with the<br />
telecommunication network. The Data Service Unit (DSU) is the data unit that<br />
"speaks" to the data terminal equipment (the router) and is responsible for<br />
filtering the digital signal, synchronizing the signal with the network clock and<br />
providing network control codes; it is similar to an analog modem. The<br />
CSU/DSU device depends on the connection speed. In general, it's a V.35<br />
interface and is already provided in routers with DSU functionality.<br />
Hub: This equipment, although not directly related to the upstream connection,<br />
will be present in the ISP network. It connects the equipment in the network,<br />
such as routers and servers, in a star cabling topology. This simplifies<br />
management because a fault is isolated to its own segment. Hubs can support<br />
several LAN types such as Ethernet, 100Base-T, token-ring, FDDI and ATM. The<br />
most commonly used hubs are Ethernet with RJ45 connectors.<br />
2.2.3.2 Upstream Hardware Connections<br />
A DDS or T1 connection will need the following prerequisites:<br />
• A communication line<br />
• A CSU/DSU<br />
• A router<br />
The router will be connected both in the ISP LAN (through a hub) and in the<br />
CSU/DSU (if not already integrated in the router). From the CSU/DSU device, the<br />
telephone line will connect to the telephone company′s network termination unit<br />
(NTU), and then to the upstream provider.<br />
Normally, it is the ISP's responsibility to get the equipment from the NTU up to<br />
its network, but depending on the arrangement, the line can also be rented from<br />
the upstream provider or from the telephone company.<br />
An example of this connection can be seen in Figure 4 on page 19.<br />
Figure 4. Example of DDS/T1 Network Connection<br />
In a T3 link, the connection will depend on the media purchased. If it is<br />
delivered on two coaxial cables, you will connect them directly onto the DSU. (A<br />
CSU is not required.) But if it comes in optic fiber or microwave, you will<br />
connect them in a terminal first. The link between the DSU and the router can<br />
be V.35, High-Speed Serial Interface (HSSI) or SCSI.<br />
A typical frame relay connection has similar prerequisites to a T1, but the<br />
equipment must be able to use frame relay to send data to the WAN.<br />
Usually the ISP is connected to the nearest frame relay POP through normal<br />
wire. The POP is responsible for the physical connection into the cloud.<br />
Figure 5 on page 20 shows this implementation.<br />
Figure 5. Example of Wire Connection with Frame Relay<br />
2.2.3.3 <strong>IBM</strong> 2210<br />
This section gives an overview of the <strong>IBM</strong> 2210 router. This equipment can be<br />
used either in an ISP or in the upstream provider itself, for its connections<br />
to its ISP customers. The section includes a brief description of the hardware and<br />
software package options.<br />
Further information can be found in:<br />
• <strong>IBM</strong> 2210 Nways Multiprotocol Router Maintenance Information, SY27-0345<br />
• <strong>IBM</strong> 2210 Nways Multiprotocol Router Planning and Setup Guide, GA27-4068<br />
• <strong>IBM</strong> Models 1Sx and 1Ux Installation Guide, GC30-3867<br />
• <strong>IBM</strong> 2210 Nways Multiprotocol Router Description and Configuration<br />
Scenarios, SG24-4446<br />
• http://www.raleigh.ibm.com/220/220prod.html<br />
Overview: The <strong>IBM</strong> 2210 Nways Multiprotocol Routers provide an extensive<br />
range of connectivity, protocols and price granularity to enable you to cost<br />
effectively implement network computing across a broad range of remote<br />
locations, branch offices and regional sites. New entry models of the 2210 offer<br />
one Ethernet port and either one serial WAN port or one ISDN BRI port to<br />
provide the most economical 2210 solution for the smallest offices in your<br />
enterprise. The mid-range models of the 2210 offer one LAN port (Ethernet or<br />
token-ring) and two serial WAN ports for larger branch offices. Some mid-range<br />
models also provide a single ISDN BRI port. The high-end models of the 2210<br />
double the connectivity and performance of the other models with up to two LAN<br />
ports and four serial WAN ports to support large branch offices and regional<br />
locations. In addition, the high-end models of the 2210 include an open adapter<br />
slot that supports any one of the following adapters: ISDN BRI, ISDN PRI,<br />
25-Mbps ATM, four-port and eight-port WAN concentrations.<br />
Models of 2210: The <strong>IBM</strong> 2210 is available in several models to accommodate<br />
the types of networks you want to support. Keep in mind that there are two<br />
memory choices that you must evaluate before deciding on which model best<br />
meets your needs. Each type of memory has a specific purpose and should be<br />
considered separately:<br />
1. Flash memory. Flash memory is used to store a compressed version of the<br />
executable program product, <strong>IBM</strong> Nways Multiprotocol Routing Services<br />
(MRS, product number 5765-B86 V1R1), as well as one or more configuration<br />
images. Customers often want to store more than one release of the code<br />
and multiple configuration images in flash as part of their management<br />
strategy.<br />
The tables below show the amount of flash memory consumed by each MRS<br />
V1R1 software code load.<br />
Please note that only the x4x models have expandable flash memory. All the<br />
other models have a fixed amount of flash memory (either 2 MB or 4 MB,<br />
depending on the model).<br />
Table 2. Flash Memory Consumption - Models 1X4, 1X8<br />
                                   Number of banks consumed by one code load<br />
        Amount    Total number     (software preload feature code number)<br />
Model   of flash  of banks         5121   5122   5123   5124<br />
1s4     2MB       32               20     22     24     N/A<br />
1u4     2MB       32               20     22     24     N/A<br />
1s8     4MB       64               20     22     24     27<br />
1u8     4MB       64               20     22     24     27<br />
Note: Each configuration takes one bank.<br />
Table 3. Flash Memory Consumption - Models 12T, 12E<br />
                                   Number of banks consumed by one code load<br />
        Amount    Total number     (software preload feature code number)<br />
Model   of flash  of banks         5002   5003   5005   5007   5008<br />
12T     4MB       64               20     22     25     42     48<br />
12E     4MB       64               20     22     25     42     48<br />
Note: Each configuration takes one bank.<br />
Table 4. Flash Memory Consumption - Models 127, 128<br />
                                   Number of banks consumed by one code load<br />
        Amount    Total number     (software preload feature code number)<br />
Model   of flash  of banks         5023   5024   5026   5027<br />
127     4MB       64               24     27     44     50<br />
128     4MB       64               24     27     44     50<br />
Note: Each configuration takes one bank.<br />
Table 5. Flash Memory Consumption - Models X4X without Adapter or with WAN<br />
Concentration Adapter<br />
                                   Number of banks consumed by one code load<br />
        Amount    Total number     (software preload feature code number)<br />
Model   of flash  of banks         5043   5044   5046   5047<br />
14T     4 MB *    14 *             6      7      11     13<br />
24T     4 MB *    14 *             6      7      11     13<br />
24E     4 MB *    14 *             6      7      11     13<br />
24M     4 MB *    14 *             6      7      11     13<br />
Note: * Double for 8-MB calculations. Each configuration takes one bank.<br />
Table 6. Flash Memory Consumption - Models X4X with ISDN BRI Adapter<br />
                                   Number of banks consumed by one code load<br />
        Amount    Total number     (software preload feature code number)<br />
Model   of flash  of banks         5063   5064   5066   5067<br />
14T     4 MB *    14 *             7      7      11     13<br />
24T     4 MB *    14 *             7      7      11     13<br />
24E     4 MB *    14 *             7      7      11     13<br />
24M     4 MB *    14 *             7      7      11     13<br />
Note: * Double for 8-MB calculations. Each configuration takes one bank.<br />
Table 7. Flash Memory Consumption - Models X4X with ISDN PRI Adapter<br />
                                   Number of banks consumed by one code load<br />
        Amount    Total number     (software preload feature code number)<br />
Model   of flash  of banks         5083   5084   5086   5087<br />
14T     4 MB *    14 *             7      7      12     13<br />
24T     4 MB *    14 *             7      7      12     13<br />
24E     4 MB *    14 *             7      7      12     13<br />
24M     4 MB *    14 *             7      7      12     13<br />
Note: * Double for 8-MB calculations. Each configuration takes one bank.<br />
Table 8. Flash Memory Consumption - Models X4X with ATM Adapter<br />
                                   Number of banks consumed by one code load<br />
        Amount    Total number     (software preload feature code number)<br />
Model   of flash  of banks         5103   5104   5106   5107<br />
14T     4 MB *    14 *             8      9      13     14<br />
24T     4 MB *    14 *             8      9      13     14<br />
24E     4 MB *    14 *             8      9      13     14<br />
24M     4 MB *    14 *             8      9      13     14<br />
Note: * Double for 8-MB calculations. Each configuration takes one bank.<br />
2. DRAM. Dynamic random access memory (DRAM) provides the working<br />
memory for the 2210. The router code and router tables both run from<br />
DRAM. The amount of DRAM in a given 2210 will determine the size and<br />
complexity of the network it can support. There are three sizes of DRAM<br />
available for the x2x models: 4 MB, 8 MB, and 16 MB. There are four sizes<br />
of DRAM available for the x4x models: 4 MB, 8 MB, 16 MB, and 32 MB. Four<br />
megabytes (4 MB) of DRAM is the default for all models. The other DRAM<br />
sizes are available by the addition of the respective memory expansion<br />
feature. These memory expansion features are available as both factory- or<br />
field-installed features. Field-installed memory expansion features on the<br />
x2x models must be installed by trained service personnel. Field-installed<br />
memory expansion features on x4x models are customer-installable features.<br />
DRAM on models 1Sx and 1Ux is not upgradeable.<br />
Use of the 2210STOR EXEC is recommended prior to each machine order to<br />
ensure the correct configuration is ordered. The following chart is provided<br />
as a guideline.<br />
Table 9. DRAM Requirement Estimates per Software Load<br />
                                                        Minimum DRAM    Preload Feature<br />
Models            Software Description                  Required (MB)   Code Number<br />
1x4               IP+ISDN BRI                           4               5121<br />
                  IP+IPX+ISDN BRI                       4               5122<br />
1x8               IP+DLSw+ISDN BRI                      8               5123<br />
                  IP+IPX+DLSw+ISDN BRI                  8               5124<br />
12T               IP+IPX                                4               5002<br />
12E               IP+IPX                                4               5003<br />
                  IP+IPX+DLSw                           8               5005<br />
                  IP+DLSw+APPN                          16              5007<br />
                  All Protocol+APPN                     16              5008<br />
127               IP+DLSw+ISDN BRI                      8               5023<br />
128               IP+IPX+DLSw+ISDN BRI                  8               5024<br />
                  IP+DLSw+APPN+ISDN BRI                 16              5026<br />
                  All Protocol+APPN+ISDN BRI            16              5027<br />
x4x Empty or      IP+DLSw                               8               5043<br />
with WAN          IP+IPX+DLSw                           8               5044<br />
Connection        IP+DLSw+APPN                          16              5046<br />
Adapter           All Protocol+APPN                     16              5047<br />
x4x with ISDN     IP+DLSw+ISDN BRI                      8               5063<br />
BRI Adapter       IP+IPX+DLSw+ISDN BRI                  8               5064<br />
                  IP+DLSw+APPN+ISDN BRI                 16              5066<br />
                  All Protocol+APPN+ISDN BRI            16              5067<br />
x4x with ISDN     IP+DLSw+ISDN PRI                      8               5083<br />
PRI Adapter       IP+IPX+DLSw+ISDN PRI                  8               5084<br />
                  IP+DLSw+APPN+ISDN PRI                 16              5086<br />
                  All Protocol+APPN+ISDN PRI            16              5087<br />
x4x with ATM      IP+DLSw+ATM                           8               5103<br />
Adapter           IP+IPX+DLSw+ATM                       8               5104<br />
                  IP+DLSw+APPN+ATM                      16              5106<br />
                  All Protocol+APPN+ATM                 16              5107<br />
Note: All Protocol includes DLSw and LNM.<br />
Table 10 on page 24 shows the different models and the offerings of the <strong>IBM</strong><br />
Nways Multiprotocol Routing Services that are available.<br />
Note: Certain models of the <strong>IBM</strong> 2210 support ISDN. You cannot use one of the<br />
standard WAN ports for ISDN. Software support for ISDN must be ordered<br />
separately.<br />
Table 10. <strong>IBM</strong> 2210 Models<br />
        Replaced                           No. of WANs  ISDN BRI  Flash Memory  DRAM         Adapter<br />
Model   by model  LAN                      (See Note)   Port      (base/max)    (base/max)   Slot [1]<br />
1S4     -         Ethernet                 1 [2]        1 [2]     2 MB/2 MB     4 MB/4 MB    No<br />
1S8     -         Ethernet                 1 [2]        1 [2]     4 MB/4 MB     8 MB/8 MB    No<br />
1U4     -         Ethernet                 1 [2]        1 [2]     2 MB/2 MB     4 MB/4 MB    No<br />
1U8     -         Ethernet                 1 [2]        1 [2]     4 MB/4 MB     8 MB/8 MB    No<br />
12T     -         Token-Ring               2            0         4 MB/4 MB     4 MB/16 MB   No<br />
12E     -         Ethernet                 2            0         4 MB/4 MB     4 MB/16 MB   No<br />
127     -         Token-Ring               2            1         4 MB/4 MB     4 MB/16 MB   No<br />
128     -         Ethernet                 2            1         4 MB/4 MB     4 MB/16 MB   No<br />
14T     -         Token-Ring               4            opt       4 MB/12 MB    4 MB/32 MB   Yes<br />
24T     -         2 (two) Token-Ring       4            opt       4 MB/12 MB    4 MB/32 MB   Yes<br />
24E     -         2 (two) Ethernet         4            opt       4 MB/12 MB    4 MB/32 MB   Yes<br />
24M     -         1 (one) Token-Ring,      4            opt       4 MB/12 MB    4 MB/32 MB   Yes<br />
                  1 (one) Ethernet<br />
[1] Support for ISDN BRI, ISDN PRI, ATM, four and eight serial port adapters.<br />
[2] Only one of the two ports (either WAN or ISDN BRI) can be configured/used<br />
at any given time on these models.<br />
Note: The standard WAN ports on the <strong>IBM</strong> 2210 will support any of these<br />
physical interfaces:<br />
• EIA RS 232-D/V.24<br />
• V.35<br />
• V.36<br />
• X.21<br />
The ISDN BRI port on the 1Sx models provides a four-wire twisted pair S/T<br />
interface with an RJ-45 connector. The ISDN BRI port will support the same<br />
signaling specifications as the other 2210 models, namely EuroISDN in Europe,<br />
INS-64 in Japan, National ISDN-1 and -2, AT&T 5ESS and Nortel DMS-100 in North<br />
America, and TS 013 in Australia.<br />
The 1Ux models include a fully integrated NT-1, incorporating the U interface.<br />
This support is provided at no additional cost compared with the S/T interface<br />
models. This saves customers the expense and inconvenience of having to<br />
purchase and configure a stand-alone NT-1.<br />
Table 11. Features Supported by Model<br />
Feature (feature code)              1S4  1S8  1U4  1U8  12T  12E  127  128  14T  24T  24E  24M<br />
Integrated Modem Feature FC #2814   no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
Second Service Port FC #2832        no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
Adapter Enable Feature FC #3001/2   no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
8MB DRAM Memory FC #4008            no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
16MB DRAM Memory FC #4016           no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
32MB DRAM Memory FC #4032           no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
4MB Flash Memory FC #4104           no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
8MB DRAM Memory FC #4048/49         no   no   no   no   yes  yes  yes  yes  no   no   no   no<br />
16MB DRAM FC #4056/577              no   no   no   no   yes  yes  yes  yes  no   no   no   no<br />
ISDN BRI Adapter FC #3101           no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
ISDN PRI-T1/J1 Adapter FC #3107     no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
ISDN PRI-E1 Adapter FC #3108        no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
25 Mbps ATM Adapter FC #3901        no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
4-port WAN conc Adapter FC #3120    no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
8-port WAN conc Adapter FC #3121    no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
8MB DRAM Memory FC #4108            no   no   no   no   no   no   no   no   yes  yes  yes  yes<br />
Note: Serial/LAN cables and power cords are common across all models.<br />
Figure 6. Model 12T<br />
Figure 7. Model 12E<br />
Figure 8. Model 127<br />
Figure 9. Model 128<br />
The ports of the different models are shown in Figure 6 on page 26 through<br />
Figure 13 on page 28.<br />
Figure 10. Model 14T<br />
Figure 11. Model 24T<br />
Figure 12. Model 24E<br />
Figure 13. Model 24M<br />
The double-density models support an additional service port and an adapter slot that can support<br />
ISDN basic rate, ISDN primary rate and ATM. The availability of these adapter cards is defined in the<br />
announcement letter.<br />
Figure 14. Model 24M with the ISDN Adapter<br />
Figure 15. Model 1Sx and 1Ux<br />
Networks Supported by the <strong>IBM</strong> 2210: The <strong>IBM</strong> 2210 supports the following LAN<br />
connections:<br />
• Token-ring (IEEE 802.5) with STP or UTP connection<br />
• Ethernet (IEEE 802.3) with AUI or 10Base-T connection<br />
Every <strong>IBM</strong> 2210 supports the following serial connections:<br />
• EIA 232D/V.24<br />
• V.35<br />
• V.36<br />
• X.21<br />
Note: RS449 is also supported, using the V.36 cable available for the <strong>IBM</strong> 2210.<br />
In addition to these serial connections, you can order optional support for ISDN.<br />
Software Package: All models of the 2210 use a common set of software<br />
functions called <strong>IBM</strong> Nways Multiprotocol Routing Services (Nways MRS).<br />
Nways MRS is a member of <strong>IBM</strong>'s family of multiprotocol services products that<br />
includes the Nways Multiprotocol Access Services (Nways MAS) for the <strong>IBM</strong> 2216<br />
Nways Multiaccess Connector and the Nways Multiprotocol Switched Services<br />
(Nways MSS) for the <strong>IBM</strong> 8210 Nways MSS Server and the <strong>IBM</strong> 8260 Nways MSS<br />
Module. Together, <strong>IBM</strong>'s multiprotocol services products provide the benefits of<br />
switching, distributed routing, bridging and virtual LANs and enable the<br />
implementation of switched virtual networking (SVN). It is <strong>IBM</strong>'s comprehensive,<br />
high-performance framework to implement enterprise-wide network computing.<br />
Nways Multiprotocol Routing Services (MRS, product number 5765-B86 V1R1)<br />
comes as a base suite package, plus four separately orderable packages. It<br />
extends the function of <strong>IBM</strong> 2210 Nways Multiprotocol Routing Network Services<br />
(MRNS) Release 3 Enhanced.<br />
In addition to the current MRNS Release 3 functions, the new MRS provides:<br />
• APPN NN/HPR/DLUR support<br />
• ISDN BRI and PRI adapter and worldwide ISDN switch support<br />
• ATM support including LAN emulation client and Classical IP<br />
• Broad range of LAN, WAN and ATM network connectivity options<br />
• Compatibility between products supported by the multiprotocol service<br />
software<br />
• Many protocol enhancements<br />
• Easy configuration, installation, and maintenance<br />
MRS Base Suite versus Additional Routing Suite Contents<br />
The base suite contains the following functional capabilities from a<br />
price/packaging perspective:<br />
• TCP/IP, including OSPF<br />
• Bridging (SR, TB, SRT and SR-TB)<br />
• MAC filtering<br />
• Data link controls (PPP, FR, X.25 and SDLC)<br />
• AIW Version 1 DLSw (RFC 1795), including NetBIOS<br />
• NetBIOS name caching/filtering<br />
• SDLC primary and secondary support<br />
• SDLC relay<br />
• APPN/HPR/DLUR<br />
• V.25bis<br />
• Bandwidth reservation system<br />
• EasyStart (with MRS)<br />
• WAN reroute<br />
• Specific device drivers where appropriate, that is, to support ISDN BRI or PRI<br />
and ATM<br />
The Base + Additional Routing Suite includes the following additional protocols<br />
available in specific package options noted below. IPX is included in several<br />
package options; the other protocols listed are contained only where All Protocol<br />
is noted.<br />
• IPX<br />
• AppleTalk Phase 2<br />
• Banyan VINES<br />
• DECnet IV<br />
• DECnet V/OSI<br />
• BGP-4<br />
Note: Backup media diskettes will no longer be shipped with basic license<br />
orders. Only the configuration program diskettes and a CD-ROM containing the<br />
documentation files will be provided. Hard copies of software documents may be<br />
selected as an optional deliverable.<br />
In addition, a letter is included with instructions on how to retrieve the specific<br />
code option from the pre-loaded 2210 itself or from the appropriate 2210<br />
Internet-accessible server. The <strong>IBM</strong> 2210 home page can be accessed at:<br />
http://www.raleigh.ibm.com/220/220prod.html<br />
2.2.3.4 <strong>IBM</strong> 2216<br />
This section provides an introduction to the <strong>IBM</strong> 2216, a piece of equipment<br />
suited to the upstream connection toward the backbone provider when more<br />
powerful resources are required.<br />
Further information can be found in:<br />
• <strong>IBM</strong> 2216 Maintenance Information, GA27-4105<br />
• <strong>IBM</strong> 2216 Planning and Setup Guide, GA27-4106<br />
• Nways 2216 Multiaccess Connector Description and Configuration, SG24-4957<br />
• http://www.networking.ibm.com/216/216prod.html<br />
Overview: The <strong>IBM</strong> 2216 Nways Multiaccess Connector can be used as a<br />
concentrator or high-capacity access point. The 2216 plays a vital role by<br />
interconnecting sites to exploit network computing. It provides WAN access,<br />
network optimization, device attachment and concentration. The 2216 fits<br />
naturally between <strong>IBM</strong>′s workgroup and campus routers and switches.<br />
The 2216 uses the same routing, bridging and SNA capabilities proven in the<br />
popular, award-winning <strong>IBM</strong> 8210 Nways MSS Server and 2210 Nways Router.<br />
These functions, called Multiprotocol Access Services (MAS), include<br />
standards-based, interoperable support for routing and bridging, with security<br />
and re-routing, on leased and switched networks.<br />
Hardware of the 2216: The <strong>IBM</strong> 2216 is available as Model 400; the adapters<br />
you install depend on the types of networks you want to support. It has eight<br />
adapter slots and a system card with a PowerPC 604 processor. Figure 16 on<br />
page 31 illustrates the <strong>IBM</strong> 2216 hardware.<br />
Figure 16. <strong>IBM</strong> 2216 Hardware Overview<br />
The base <strong>IBM</strong> 2216 hardware consists of the following:<br />
1. A 19-inch cabinet, which may be placed either on a tabletop or installed in a<br />
rack.<br />
2. One power supply (with redundant power option)<br />
3. A cooling fan tray assembly<br />
4. A system backplane<br />
5. A system card containing:<br />
• 133-MHz PowerPC 604 microprocessor<br />
• 512 KB L2 Cache<br />
• 512 KB Boot Flash<br />
• 64 MB DRAM<br />
• 1.08 GB Hard Drive<br />
DRAM: Dynamic random access memory (DRAM) provides the working memory<br />
for the 2216. The router code and router tables both run from DRAM. Currently,<br />
the size of DRAM available for the Model 400 is 64 MB.<br />
Note: We recommend that you use the 2216STOR EXEC file prior to ordering the<br />
machine to ensure that the correct configuration is ordered. This file is a REXX<br />
program held in MKTTOOLS. If you issue the EXEC 2216STOR command on VM, a<br />
series of question menus appears; when you have answered them, the required<br />
memory is produced as the output.<br />
Boot Flash: The boot flash contains the power-on self-test (POST) code and<br />
initiates the IPL process. Support for the PCMCIA modem and an external<br />
modem is provided in the boot flash, so there is a remote interface into the box<br />
in the absence of the operating system code. Because this path is reachable<br />
independently of the operational code and its access controls, dial-in to these<br />
modems must be controlled as strictly as console access. Some of the main<br />
components that reside in the boot flash are listed below:<br />
• POST code<br />
• Boot code<br />
• MAS operational system (open kernel)<br />
• PCMCIA modem device driver<br />
• External modem device driver<br />
• SLIP, BootP, TFTP, and TCP/IP code<br />
• EIDE hard drive device driver<br />
Hard Drive: The <strong>IBM</strong> 2216 contains a 1.08 GB EIDE hard drive that is mounted<br />
on the system card. The hard drive is used to store the compressed <strong>IBM</strong> Nways<br />
Multiprotocol Access Services (Nways MAS V1R1, product number 5765-B87)<br />
operational code (the load image file), the configuration files, and trace and dump logs.<br />
On the 2216 there is a fixed storage area for image and configuration<br />
files: two areas for image files and eight areas for configuration files.<br />
Interfaces Supported by the <strong>IBM</strong> 2216: Adapters can be inserted and removed<br />
while the <strong>IBM</strong> 2216 is operational. Failed adapters can be replaced without<br />
taking the system down or rebooting the software. The replaced adapter<br />
assumes the configuration of the failed adapter. New adapters can be added<br />
without powering the system down and activated at a convenient time by<br />
rebooting.<br />
• The LANs supported by the <strong>IBM</strong> 2216 are:<br />
− Token-ring (IEEE 802.5) with STP or UTP connection<br />
− Ethernet or IEEE 802.3 with 10Base2 or 10Base-T connection<br />
• The WAN interfaces supported by the <strong>IBM</strong> 2216 are:<br />
− EIA 232D/V.24<br />
− V.35<br />
− V.36<br />
− X.21<br />
− ISDN - Primary (T1/J1)<br />
− ISDN - Primary (E1)<br />
• The ATM interfaces supported by the <strong>IBM</strong> 2216 are:<br />
− ATM 155 Mbps multimode fiber<br />
− ATM 155 Mbps single-mode fiber<br />
• ESCON channel interface<br />
Adapters: The following adapters are available for the <strong>IBM</strong> 2216:<br />
• 2-Port Token-Ring (FC 2280)<br />
This adapter can continually process frames of data to and from system<br />
memory and the token-ring at a speed of either 4 Mbps or 16 Mbps. The<br />
physical token-ring interface is RJ-45 only.<br />
• 2-Port Ethernet (FC 2281)<br />
This adapter has an RJ-45 jack (10Base-T) and a BNC (10Base2) connector.<br />
There is no AUI interface.<br />
• 8-Port V.24/EIA-232E (FC 2282)<br />
Provides eight attachments to ITU-T V.24/EIA-232E WANs. Each attachment<br />
provides:<br />
− Support for receiving clock (modem attached) at a line speed from 9.6<br />
kbps to 64 kbps<br />
− Support for providing clock (directly attached) from 9.6 kbps to 64 kbps<br />
− A 100-pin D-shell female connector<br />
− Support for cable FC 2701<br />
• 6-Port V.35/V.36 (FC 2290)<br />
Provides six attachments to ITU-T V.35 or V.36 WANs. Each attachment<br />
provides:<br />
− Support for receiving clock (modem attached) at a line speed from 9.6<br />
kbps to 2.048 Mbps<br />
− Support for providing clock (directly attached) from 9.6 kbps to 460.8 kbps<br />
as well as 1.544 Mbps and 2.048 Mbps<br />
− A 100-pin D-shell female connector<br />
− Support for cable FC 2702 and FC 2703<br />
• 8-Port X.21 (FC 2291)<br />
Provides eight attachments to ITU-T X.21 WANs. Each attachment provides:<br />
− Support for receiving clock (modem attached) at a line speed from 9.6<br />
kbps to 2.048 Mbps<br />
− Support for providing clock (directly attached) from 9.6 kbps to 460.8 kbps<br />
as well as 1.544 Mbps and 2.048 Mbps<br />
− A 100-pin D-shell female connector<br />
− Support for cable FC 2704<br />
• 1-Port ISDN PRI for T1/J1 (FC 2283)<br />
Provides one attachment to an ISDN primary rate service at T1/J1 speed.<br />
This attachment provides:<br />
− Support for T1/J1 line speed of 1.544 Mbps<br />
− Twenty-three 64-kbps B-channels for data and one 64-kbps D-channel for<br />
signaling<br />
− Selectable framing to D4 (SF), D5 (ESF), or SLC-96R formats<br />
− DB-26 (26-pin D-shell) female connector<br />
− Support for cables FC 2714 and FC 2716<br />
• 1-Port ISDN PRI for E1 (FC 2292)<br />
Provides one attachment to an ISDN primary rate service at E1 speed. This<br />
attachment provides:<br />
− Support for E1 line speed of 2.048 Mbps<br />
− Thirty 64-kbps B-channels for data and two 64-kbps D-channels for<br />
signaling<br />
− Selectable framing to FAS, CAS, and CRC4 formats<br />
− DB-26 (26-pin D-shell) female connector<br />
− Support for cables FC 2715<br />
• 1-Port 155-Mbps Multimode Fiber ATM (FC 2284)<br />
Provides one attachment to an ATM switch over a multimode fiber optic<br />
cable. This attachment provides:<br />
− 8 MB of packet memory and 2 MB of control memory for<br />
high-performance support<br />
− A specialized ATM support chip to perform the segmentation and<br />
reassembly function (SAR) for ATM adaptation layer 5 (AAL-5)<br />
− SONET OC3c framing<br />
− Support for a 62.5/125 um(micron) multimode fiber<br />
− A multimode duplex SC connector<br />
Note: A cable is not provided for this adapter.<br />
• 1-Port 155-Mbps Single-Mode Fiber ATM (FC 2293)<br />
Provides one attachment to an ATM switch over a single-mode fiber optic<br />
cable. This attachment provides:<br />
− 8 MB of packet memory and 2 MB of control memory for<br />
high-performance support<br />
− A specialized ATM support chip to perform the segmentation and<br />
reassembly function (SAR) for ATM Adaptation Layer 5 (AAL-5)<br />
− SONET OC3c framing<br />
− Support for a 9/125 um(micron) single-mode fiber<br />
− Transceiver support for a maximum cable length of 20 km<br />
− A polarized duplex SC connector for single-mode fiber<br />
Note: A cable is not provided with <strong>IBM</strong> 2216 for this adapter.<br />
• 1-Port ESCON Channel (FC 2287)<br />
Provides one ESCON channel attachment and the ability to attach directly to<br />
the mainframe ESCON channel or to an ESCON Director.<br />
− Serial link data rate of 200 Mbps and data transfer rate of 17 MB/s.<br />
− Maximum cable length of 3 km. Longer distances can be supported via<br />
an ESCON Director with an ESCON Extended Distance interface (up to 23<br />
km total) or two cascaded ESCON Directors with ESCON Extended<br />
Distance interface (up to 43 km total).<br />
− Support for a 62.5/125 um(micron) multimode fiber.<br />
− Cable group #3797 available for this adapter via separate order.
Cables: The following cables are available for the <strong>IBM</strong> 2216:<br />
• EIA-232E/V.24 Fanout Cable (#2701)<br />
• V.35 Fanout Cable (#2702)<br />
• V.36 Fanout Cable (#2703)<br />
• X.21 Fanout Cable (#2704)<br />
• EIA-232E/V.24 Serial Interface Cable (#2705)<br />
• EIA-232E/V.24 Direct Attach Cable (#2706)<br />
• V.35 Serial Interface Cable (#2707)<br />
• V.35 Direct Attach Cable (#2708)<br />
• V.36 Direct Attach Cable (#2709)<br />
• V.36 Serial Interface Cable (#2710)<br />
• X.21 Serial Interface Cable (#2711)<br />
• X.21 Direct Attach Cable (#2712)<br />
• Multipurpose RJ-45 adapter Cable (#2713)<br />
Supports token-ring, Ethernet 10Base-T<br />
• RJ-48 T1 ISDN PRI Cable (#2714)<br />
• ISDN PRI (E1) Cable (#2715)<br />
• RJ-48 J1 ISDN PRI Cable (#2716)<br />
The Attachment Cable for V.35 DCE (#2799) - 0.3 meters is also available in<br />
France.<br />
The following cables are not provided as options for the <strong>IBM</strong> 2216 and must be<br />
obtained by the customer as required:<br />
• Token-ring STP network adapter cable<br />
• Ethernet 10Base2 cable<br />
• ATM multimode fiber adapter cable<br />
• ATM single-mode fiber adapter cable<br />
Physical Interface Connectivity: The <strong>IBM</strong> 2216 consists of a rack-mountable or<br />
free-standing mechanical package that houses the power and cooling<br />
subsystems, system card, and eight feature adapter card slots.<br />
The front view of the box is shown in Figure 17 on page 36.<br />
Figure 17. Card Position<br />
Note<br />
The <strong>IBM</strong> 2216 has a few plugging restrictions. The current restriction is that<br />
only one PCI adapter (token-ring or Ethernet) can be installed in slots 3 and<br />
4: once a PCI adapter is installed in slot 3, slot 4 is unusable, and vice<br />
versa. The same restriction also applies to slots 7 and 8. On the 2216:<br />
• Slots 3 and 4 share common PCI-bus request/grant lines. If a token-ring<br />
or an Ethernet card is present and enabled in one of these slots, then the<br />
other slot may not contain an enabled adapter card of any type.<br />
• Slots 7 and 8 share common PCI-bus request/grant lines. If a token-ring<br />
or an Ethernet card is present and enabled in one of these slots, then the<br />
other slot may not contain an enabled adapter card of any type.<br />
The following table shows the maximum number of each adapter card and port.<br />
Table 12. Maximum Number of an <strong>IBM</strong> 2216 Physical Interface<br />
Adapter (FC)              Max. # of Adapter Cards   Max. # of Ports<br />
Token-Ring (2280)         6                         12<br />
Ethernet (2281)           6                         12<br />
V.24/EIA-232 (2282)       8                         64<br />
V.35/V.36 (2290)          8                         48<br />
X.21 (2291)               8                         64<br />
ISDN PRI (2283/2292)      4                         4<br />
ATM 155M (2284/2293)      2                         2<br />
ESCON (2287)              1                         4<br />
MAS Supporting Protocols: For MAS, all routing protocols in the following table<br />
are included in a single package with the option to choose a code load with or<br />
without the APPN/HPR/DLUR support.<br />
Table 13. Protocols or Functions Supported on Data Link Controls (DLCs)<br />
Protocol or function         PPP  FR   X.25 SDLC TR   Eth  ATM/1483 ATM/LEC<br />
TCP/IP                       Yes  Yes  Yes  No   Yes  Yes  Yes      Yes<br />
IPX                          Yes  Yes  Yes  No   Yes  Yes  Yes      Yes<br />
AppleTalk 2                  Yes  Yes  No   No   Yes  Yes  No       Yes<br />
DECnet 4                     Yes  Yes  Yes  No   Yes  Yes  No       Yes<br />
DECnet 5/OSI                 Yes  Yes  No   No   Yes  Yes  No       Yes<br />
Banyan VINES                 Yes  Yes  Yes  No   Yes  Yes  No       Yes<br />
Bandwidth reservation (BRS)  Yes  Yes  No   No   No   No   No       No<br />
FR BAN SNA end system        Yes  Yes  No   Yes  Yes  Yes  No       Yes<br />
DLSw SNA end system          Yes  Yes  No   Yes  Yes  Yes  No       Yes<br />
DLSw NetBIOS end system      Yes  Yes  No   No   Yes  Yes  No       Yes<br />
APPN ISR                     Yes  Yes  No   Yes  Yes  Yes  No       Yes<br />
APPN HPR                     Yes  Yes  No   No   Yes  Yes  No       Yes<br />
APPN DLUR                    No   Yes  No   Yes  Yes  Yes  No       Yes<br />
Bridging                     Yes  Yes  No   No   Yes  Yes  No       Yes<br />
WAN restoral                 Yes  No   No   No   No   No   No       No<br />
WAN reroute                  Yes  Yes  No   No   No   No   No       No<br />
Dial-on-demand               Yes  Yes  No   No   No   No   No       No<br />
Note: MAS (2216) does not support ISDN BRI or EasyStart client function.<br />
2.2.3.5 <strong>IBM</strong> 8224<br />
Here we provide an overview of the <strong>IBM</strong> 8224, a suitable hub for an initial ISP<br />
environment.<br />
The 8224 provides a flexible and comprehensive Ethernet network connectivity<br />
and management tool for a wide range of environments. Each 8224 provides up<br />
to 17 ports of Ethernet connectivity: sixteen 10Base-T ports and one optional<br />
media expansion port for connecting to an existing 10Base2, 10Base5, or fiber<br />
Ethernet network.<br />
The 8224 is available in two models: Model 001 and 002. Model 001 is an<br />
unmanaged unit that can be managed by an 8224 Model 002 in a stack. Model 002<br />
is an SNMP management unit that can manage up to nine Model 001s in a<br />
stack. Up to ten 8224s can be stacked together, for a total port count of 170.<br />
Stacked units can be separated by a distance of up to 250 feet.<br />
In addition to the stackable function, the 8224 does the following:<br />
• Supports segmentation. The 8224 stack can be divided into several<br />
segments (collision domains). Stacked 8224s can be segmented while<br />
maintaining management capability through a single management unit<br />
(Model 002). The minimum segment size is one hub as a single hub cannot<br />
be segmented.<br />
• Supports cascading through its media expansion ports or 10Base-T ports.<br />
• Provides centralized management of remote sites and branch offices through<br />
its out-of-band management support via the SLIP protocol. IS managers can<br />
dial up a remote site or branch office and receive the management<br />
information from the 8224 at that site.<br />
• Supports MIB-II (RFC 1213), the hub repeater MIB (RFC 1516), and the Novell<br />
Repeater MIB through the SNMP agent. These MIBs are open and can be<br />
managed by most DOS or AIX network management applications, including<br />
NetView for AIX.<br />
• Supports SNMP over IP and IPX. The 8224 can be managed by an SNMP<br />
network management station running in a TCP/IP network or via Novell′s<br />
NetWare Management Station.<br />
• Provides for redundant links between 10Base-T port pairs via the <strong>IBM</strong> MIB<br />
extensions.<br />
• Provides for redundant management units (Model 002s) in the stack.<br />
Technical Description: This section provides a technical overview of the 8224<br />
Ethernet Stackable Hub.<br />
Figure 18 on page 39 shows the front panel of both 8224 models. The hardware<br />
features include an operator panel indicating the following:<br />
• Sixteen 10Base-T Ports<br />
• Media Expansion Port<br />
• Communications Port<br />
• Hub Expansion Port<br />
• Port and Machine status LEDs<br />
• Uplink Switch<br />
• Power On/Off Switch<br />
Figure 18. <strong>IBM</strong> 8224 Model 001 and 002 Front Panel<br />
Connectivity Features: Below is a description of the 8224′s connectivity<br />
features:<br />
• Media Expansion Port (MEP)<br />
This port can be used as the 17th port or for cascading to another Ethernet<br />
network. The available pluggable expansion port module options are:<br />
− <strong>IBM</strong> 8224 AUI Media Expansion Port Module (f/c 9730) provides a<br />
standard DB-15 connector for an AUI cable or transceiver.<br />
− <strong>IBM</strong> 8224 10Base2 Media Expansion Port Module (f/c 9731) provides a<br />
standard BNC connector for coax (ThinNet).<br />
− <strong>IBM</strong> 8224 Optical Fiber Media Expansion Port Module (f/c 9732) provides<br />
standard ST connectors to support both FOIRL and 10Base-FL over fiber<br />
media (50/125μm, 62.5/125μm, 100/140μm).<br />
Figure 19. Front Views of 8224 Media Expansion Port Modules<br />
• 10Base-T Ports<br />
Sixteen ports with shielded RJ-45 connectors are standard per unit.<br />
Category 3, 4, 5 UTP or STP cable is supported. The 16th port has selectable<br />
pair reversal for easy cascading without the need for crossover cables.<br />
• Uplink switch<br />
When set to the equals symbol (=), this switch reverses the internal<br />
crossover of the receive and transmit signal pairs in port 16 of every hub,<br />
allowing standard, straight-through, 10Base-T cables to be used for<br />
cascading through those ports.<br />
• Communications Port<br />
This is a standard DB-9 connector for an EIA 232-C interface. The following<br />
functions are provided:<br />
− Out-of-Band Management (SNMP over SLIP)<br />
− Configuration (via XMODEM)<br />
− Microcode Upgrade (via XMODEM or via TFTP over SLIP)<br />
• Hub Expansion Port (HEP)<br />
This port connects individual units into a stack that acts as a single repeater.<br />
It contains an Ethernet bus and bidirectional serial control bus and uses<br />
standard 4-pair UTP cable (category 3 minimum) with RJ-45 connectors. The<br />
hub expansion port allows up to 76.2 meters (250 feet) end-to-end distance<br />
between units in the stack.<br />
Display Features: The <strong>IBM</strong> 8224 provides LED indicators for comprehensive<br />
machine and port status. These are detailed below.<br />
• 10Base-T Port LED indications:<br />
− Link OK<br />
− Activity<br />
− Auto-Partitioned<br />
− Management Disabled<br />
• Media Expansion Port LED indications:<br />
− Link OK (Fiber Only)<br />
− Activity<br />
− Auto-Partitioned<br />
− Management Disabled<br />
• Unit Status indications:<br />
− Power On, Diagnostics Complete<br />
− Management Agent Present<br />
− Collision<br />
Inter-8224 Communications in Managed Stacks: In a stack with one or more<br />
8224 Model 002s, an inter-hub control bus is activated inside the hub expansion<br />
cables in addition to the Ethernet bus. The control bus is used to pass stack<br />
control information from 8224 to 8224. Figure 20 on page 41 gives a logical view<br />
of the inside of the hub expansion cable for a managed stack.<br />
Figure 20. A Managed Stack of 8224s<br />
Using an SNMP-based management application, you can get the following<br />
information about all 8224s in a stack while attached to any 8224 in a stack:<br />
• Model number and media expansion port module type<br />
• MAC address<br />
• IP address<br />
• IP subnet mask<br />
• IP default gateway<br />
• Whether the 8224 is segmented from the external Ethernet bus<br />
Using an SNMP-based network manager, you can perform any of the following<br />
actions on any 8224 in a stack while attached to any 8224 in a stack:<br />
• Set the IP address<br />
• Set the IP subnet mask<br />
• Set the IP default gateway<br />
• Segment the 8224 from the external Ethernet bus or rejoin the 8224 to the<br />
bus<br />
• Set the write community name<br />
• Enable or disable write protect<br />
• Reset the 8224 to make the new settings take effect<br />
Even if 8224s have been segmented from the Ethernet bus, the inter-hub control<br />
bus still allows you to set IP information and segment 8224s from a stack.<br />
Note that the write community name is the only credential protecting the set<br />
operations listed above, and community-based SNMP sends it in cleartext with<br />
every request, whether over IP, IPX or the SLIP dial-up port. Change it from<br />
its initial value, enable write protect on hubs whose configuration should not<br />
change, and limit which stations can reach the management agent.<br />
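To make the point above concrete, here is an added example (not <strong>IBM</strong> code and not taken from<br />
the 8224 documentation) that builds the SNMPv1 GetRequest and SetRequest messages a<br />
management station would send to a hub agent, then decodes them the way a station on<br />
the same segment could. sysName.0 (1.3.6.1.2.1.1.5.0) is a standard MIB-II (RFC 1213) object;<br />
the community names and the value being set are constructed sample data, not values from<br />
the text.<br />

```python
"""SNMPv1 request encoder/decoder (BER, RFC 1157 framing).

Added example, not IBM 8224 code.  It builds GetRequest and SetRequest
messages and parses them back to show that the community name travels
in cleartext.  sysName.0 (1.3.6.1.2.1.1.5.0) is the MIB-II object used;
the community names and the value below are constructed sample data.
"""

PDU_TAGS = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
            0xA2: "GetResponse", 0xA3: "SetRequest"}


def _ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def enc_int(v):
    # two's-complement, as BER INTEGER requires
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _message(community, pdu_tag, request_id, varbind):
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0)
               + _tlv(0x30, varbind))
    # version 0 = SNMPv1; the community OCTET STRING is not protected in any way
    return _tlv(0x30, enc_int(0) + _tlv(0x04, community) + pdu)


def snmp_get(community, oid, request_id=1):
    return _message(community, 0xA0, request_id,
                    _tlv(0x30, enc_oid(oid) + b"\x05\x00"))   # value is NULL


def snmp_set(community, oid, value, request_id=1):
    return _message(community, 0xA3, request_id,
                    _tlv(0x30, enc_oid(oid) + _tlv(0x04, value)))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_snmp(packet):
    """Decode a v1 message the way a sniffer on the hub segment would."""
    _, msg, _ = _read_tlv(packet, 0)
    _, ver, p = _read_tlv(msg, 0)
    _, community, p = _read_tlv(msg, p)
    pdu_tag, pdu, _ = _read_tlv(msg, p)
    _, rid, q = _read_tlv(pdu, 0)
    _, _, q = _read_tlv(pdu, q)          # error-status
    _, _, q = _read_tlv(pdu, q)          # error-index
    _, vbl, _ = _read_tlv(pdu, q)
    varbinds, q = [], 0
    while q < len(vbl):
        _, vb, q = _read_tlv(vbl, q)
        _, oid_body, r = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, r)
        if vtag == 0x04:
            value = vbody
        elif vtag == 0x02:
            value = int.from_bytes(vbody, "big", signed=True)
        else:
            value = None                  # NULL placeholder in a GetRequest
        varbinds.append((dec_oid(oid_body), value))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community,
            "pdu": PDU_TAGS.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "varbinds": varbinds}


if __name__ == "__main__":
    pkt = snmp_set(b"private", "1.3.6.1.2.1.1.5.0", b"isp-hub-1", request_id=300)
    print(pkt.hex())          # the bytes "private" are visible in the dump
    print(parse_snmp(pkt))
```

The hex dump printed by the usage block contains the community name verbatim, which is why the write<br />
community must be treated as a password that anyone on the management path can read.<br />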
Why Segment 8224s from a Stack?: Three major uses of segmentation are to<br />
improve performance, to troubleshoot, and to isolate groups of users. This<br />
section details those uses.<br />
1. Improving Performance<br />
An unsegmented stack is a single collision domain. All devices attached<br />
anywhere to an unsegmented stack see all the Ethernet frames generated<br />
anywhere else in the stack.<br />
As network traffic increases, excessive collisions can cause network<br />
performance to slow. You can improve performance by segmenting any<br />
number of 8224s from the other 8224s in a managed stack. Each segmented<br />
8224 is in its own collision domain as long as it is not linked to any other<br />
8224s.<br />
To enable segmented 8224s to communicate with the rest of the stack, you<br />
can interconnect them using a bridge, router, or Ethernet switch.<br />
2. Troubleshooting<br />
Segmentation can help you isolate areas of your network that are<br />
experiencing problems. You can segment 8224s one at a time from the rest<br />
of the stack while monitoring stack performance. This technique can help<br />
you localize a problem area to the devices attached to one 8224.<br />
3. Isolating User Groups<br />
You may have users in your network who have no need for connectivity<br />
outside their department or workgroup. By connecting their workstations to<br />
one or more segmented 8224s, you can limit their network access while<br />
keeping control of the 8224s. Because every station on a shared segment sees<br />
every frame on it (see item 1), segmentation also limits what such a workstation<br />
can observe; the isolation lasts only until the segment is linked to another by a<br />
bridge, router or switch, after which that device′s own controls decide what crosses.<br />
Configuration: Refer to Chapter 2 of the 8224 Ethernet Stackable Hub Installation<br />
and User′s Guide, GA27-4024, for step-by-step instructions for installing the 8224<br />
and the optional media expansion port modules.<br />
2.2.3.6 <strong>IBM</strong> 8237<br />
The <strong>IBM</strong> 8237 is a hub suited not only to small Ethernet ISP networks that<br />
need only a minimal number of ports, with or without management, but also to<br />
larger networks that require a large number of ports with sophisticated<br />
management and high-performance switching connectivity to other Ethernet<br />
LANs, switches, and routers.<br />
Overview: The <strong>IBM</strong> 8237 Stackable Ethernet Hub-10Base-T is a<br />
high-performance, cost-effective 10Base-T repeater platform that supersedes the<br />
8224 Ethernet Hub. It connects high-performance workstations to Ethernet local<br />
area networks (LANs) and provides high-performance inter-LAN connectivity<br />
using switching technology. The 8237 offers cost-effective solutions for both<br />
large and small LAN environments by providing many security and connectivity<br />
features and three backbone segments for LAN/hub segmentation.<br />
The 8237 is available in three models that provide multiple choices of network<br />
management:<br />
• Model 001 is a stackable 16-port 10Base-T Ethernet repeater plus a network<br />
expansion/inter-LAN connectivity port. It is a manageable unit that can be<br />
managed by Model 002 and Model 003.<br />
• Model 002 contains the same flexible port features of the Model 001 along<br />
with an SNMP management agent that provides extensive in-band and<br />
out-of-band management for itself or a full 10-unit 8237 stack.<br />
• Model 003 contains both an SNMP agent and an RMON agent. The RMON<br />
agent is capable of performing all nine groups of RMON on one of the three<br />
backplane segments of an 8237 stack. In addition, the Model 003 contains<br />
the same flexible port features of the Model 001 and the SNMP management<br />
agent that is provided in the Model 002.<br />
Up to ten 8237s can be stacked together, for a total port count of 170. In addition<br />
to the stackable function, the 8237 does the following:<br />
• Provides centralized management of remote sites and branch offices through<br />
its out-of-band management support via the SLIP protocol. IS managers can<br />
dial up a remote site or branch office and receive the management<br />
information from the 8237 at that site. It′s also possible to remotely<br />
download software upgrades, using a dial-up or in-band connection.<br />
• Supports MIB-II (RFC 1213), the hub repeater MIB (RFC 1516), the Ethernet MIB<br />
(RFC 1643) and the Novell Hub MIB. These MIBs can be<br />
managed by most network management applications, including <strong>IBM</strong> Nways<br />
Manager. Model 002 can manage up to nine Model 001s in a stack. A<br />
user-installed field upgrade allows the Model 002 to incorporate the same<br />
RMON management capability as the Model 003.<br />
• The Model 003 Advanced Management Unit contains, in addition to the<br />
SNMP management features of the Model 002, a remote monitoring agent<br />
that supports all nine groups of the RMON MIB. This agent employs a<br />
dedicated 386 processor with 4-MB RAM standard (20 MB maximum).<br />
• Provides three separate internal Ethernet backplanes (segments).<br />
• Provides up to 18 pairs of redundant links that can be configured to connect<br />
the 8237 system to other devices. One link of the pair is active and the other<br />
serves as a backup link for improved availability of the mission-critical<br />
devices.<br />
• Provides for redundant management units (Model 002s and 003s) in the<br />
stack. If the primary management unit must be taken out of service, the<br />
backup management unit automatically takes over with no loss of<br />
management function or management data.<br />
• All models of the 8237 are hot-pluggable. They can be replaced individually<br />
without disrupting the other hubs in the stack.<br />
• Configuration data is stored in non-volatile memory and is automatically<br />
restored after power disruption.<br />
• Provides excessive collision protection. The 8237 will partition (disable) any<br />
of the 10Base-T ports when more than 32 consecutive collision-causing<br />
frames are transmitted from that port. While the port is disabled,<br />
transmissions from the network to that device are maintained. The port is<br />
automatically reenabled when the condition clears.<br />
• Provides jabber protection, that makes the 8237 partition a port when a node<br />
transmits continuously for 6.5 milliseconds. The port is automatically<br />
reenabled when transmission from that port stops for 9.6 microseconds.<br />
Connectivity Features: Each stand-alone 8237 provides 16 workstation ports with<br />
shielded RJ-45 connectors. The maximum number of 8237s in a stack is 10, for a<br />
total of 170 ports. The 8237 provides optional inter-LAN connectivity via<br />
field-installable expansion modules:<br />
• Media Expansion Ports:<br />
− AUI/10Base-2 (BNC)<br />
− 10Base-FL/FOIRL (Fiber)<br />
• Fast Expansion Modules:<br />
− 10Base-T/100Base-TX (two-pair Category-5 wiring)<br />
− 100Base-FX (fiber)<br />
Networks Supported by the <strong>IBM</strong> 8237<br />
The <strong>IBM</strong> 8237 Stackable Ethernet Hub-10Base-T is interoperable with other repeaters<br />
that conform to the IEEE 802.3 10Base-T and IEEE 802.3u international standards. The<br />
<strong>IBM</strong> 8237 provides inter-LAN connectivity with the following networks:<br />
• 10Base-T<br />
• 10Base-FL/FOIRL<br />
• 10Base2<br />
• 100BASE-TX<br />
• 100BASE-FX<br />
If you need more information, refer to 8237 Ethernet Stackable Hub Installation<br />
and Planning Guide, GA27-4186.<br />
2.2.4 Domain and IP Address<br />
Finally, we look at the essential requisites for an ISP′s Internet backbone<br />
connection: the domain and the IP addresses.<br />
All equipment on the Internet needs an IP address. It has to be a globally<br />
routable IP address that is allocated to you by a registry and is routed by your<br />
upstream provider to the rest of the Internet. But how do people get IP<br />
addresses and domains? Before answering this question, we give an overview<br />
of Internet domains and IP addresses, and of the organizations responsible for<br />
them.<br />
2.2.4.1 Internet Domains<br />
We usually refer to the equipment on the Internet by symbolic names, which are<br />
associated with IP addresses. This mapping between IP addresses and host<br />
names is made through a group of servers called the Domain Name System (DNS).<br />
The DNS is a distributed database: no single site on the Internet holds<br />
all the information.<br />
Domain allocation on the Internet has two objectives: to avoid using the same<br />
name for more than one system, and to decentralize registration. Therefore,<br />
the Internet was divided into distinct administrative domains within which equipment or<br />
subdomains cannot have duplicate names. Applied recursively, this guarantees that there<br />
is only one name for each piece of equipment on the Internet.<br />
This name space is built as a hierarchical tree structure with the root on top.<br />
Figure 21. The Tree Structure of the Domain Name Space<br />
Therefore, the symbolic name of a piece of Internet equipment is made up of a local name<br />
and its domain hierarchy, called the Fully Qualified Domain Name (FQDN). The<br />
name is separated by dots and is read from left to right, from the most specific<br />
name to the highest hierarchical level.<br />
The Internet domains can be either institutional or geographical types. In the<br />
USA, the institutional domains are most often used. They are listed in Table 14:<br />
Table 14. Institutional Domains<br />
Domain   Institution Type<br />
mil      Military<br />
edu      Educational<br />
com      Commercial<br />
gov      Government<br />
org      Non-profit<br />
net      Backbone Providers<br />
int      International<br />
For example, we could have:<br />
www.raleigh.ibm.com<br />
www.nasa.gov<br />
The other countries adopted a geographical domain in the top-level domain<br />
(TLD) by using the two-letter country code taken from the ISO standard 3166.<br />
The second-level structure varies from country to country, but often also takes<br />
the form of co or com for commercial companies, re for research groups, etc. In<br />
some countries, such as Canada and France, the organizations are even put<br />
directly below the country TLD.<br />
Here are some examples:<br />
www.whitchurch.cardiff.sch.uk<br />
www.dtag.de<br />
www.embratel.net.br<br />
However, it should be noted that some of the TLDs are international and can<br />
be used in other countries without including the country code, for example, com,<br />
org, net.<br />
2.2.4.2 The Registries<br />
The Internet Assigned Numbers Authority (IANA) is responsible for the overall<br />
coordination and management of the Internet Domain Name System. It is the<br />
central coordinator for the assignment of unique parameter values for Internet<br />
protocols and especially the delegation of portions of TLDs, most of them the<br />
two-letter country codes. The IANA is chartered by the Internet Society (ISOC)<br />
and the Federal Network Council (FNC).<br />
Furthermore, a central Internet Registry (IR) has been selected and designated<br />
to handle most of the day-to-day administration of the DNS. Applications for new<br />
top-level domains are handled by the IR in consultation with the IANA. The<br />
current IR is InterNIC¹.<br />
However, the growth of Internet activity has led to a further delegation of<br />
authority for the domain name space to other regional and national registries.<br />
The InterNIC takes care of registration for the Americas, which includes (but is<br />
not limited to) North America, South America, South Africa and the Caribbean.<br />
Other registration requests should be directed to the appropriate regional or<br />
national registry.<br />
Table 15 shows a list of some of them.<br />
Table 15. Regional Registries<br />
Organization   Area              URL for Information   E-mail<br />
InterNIC       US and Americas   www.internic.net      hostmaster@internic.net<br />
RIPE           Europe            www.ripe.net          ncc@ripe.net<br />
APNIC          Asia Pacific      www.apnic.net         admin@apnic.net<br />
NIC-Mexico     Mexico            www.nic.mx            webmaster@nic.mx<br />
RNP            Brazil            www.cg.org.br         registro@fapesp.br<br />
2.2.4.3 IP Address<br />
Each computer needs to have an IP address. The routing decisions made by the<br />
routers on the Internet rely on addressing alone.<br />
An ISP needs to allocate sets of addresses according to the needs of its dedicated<br />
business customers, dial-in users, remote POPs, ISP-related servers and<br />
networking equipment.<br />
The technique used to allocate addresses is called subnetting. The routers on<br />
the Internet deal with the subnetwork part of the address; their tables are<br />
updated to determine to which data circuit a packet should be forwarded. The<br />
challenge for the Internet is to keep the routing tables as small as possible on the<br />
very high-speed backbones and NAPs, and to let the routers in the ISPs handle<br />
the routing to individual business and dial-in users.<br />
1 At the time of writing, IANA has proposed the InterNIC to be split in two to separate the DNS and Internet Number Registration<br />
activities. The new organization would administer IP registration and is called American Registry for Internet Numbers<br />
(ARIN). See http://www.arin.net.<br />
Theoretically, an ISP could get one of the three IP address classes (A, B or C)<br />
that fits its needs. However, as there are no class A addresses anymore, and<br />
few class B, most ISP networks are assigned multiple class C address blocks. A<br />
class C network block uses the network mask of 255.255.255.0, meaning that<br />
there are 255 addresses available. An ISP may assign an entire class C block of<br />
addresses to a business or may further subnet the block of addresses to service<br />
multiple businesses. For example, if the network mask is changed to<br />
255.255.255.248, then eight addresses are available to that particular customer.<br />
From the Internet point of view, any class C address that is within the ISP′s<br />
range gets routed to the ISP.<br />
2.2.4.4 Classless Inter-Domain Routing<br />
To talk about IP allocations today, it′s also necessary to understand the modern<br />
terminology used to talk about blocks of IP addresses.<br />
As mentioned, the IP address space was allocated in class A, class B or class C<br />
networks. Class A networks have almost 17 million addresses, class B networks<br />
have 65,536 addresses and class C networks have 256 addresses. Actually, those<br />
numbers are slightly high, since a certain percentage of the numbers in any<br />
network have special meaning and aren′t available for hosts.<br />
Those IP ranges are called classful networks because of the class X<br />
nomenclature. Currently, addresses are allocated in Classless Inter-Domain<br />
Routing (CIDR) notation.<br />
However, in the early 1990s there was some worry about the end of address<br />
space. Part of the cause was the inefficient utilization that came from giving out<br />
so many class Bs, but the real problem was that the routing tables of the<br />
Internet′s routers were about to overflow, so the routers would be unable to keep<br />
the Internet working, primarily because the number of routes on the Internet was<br />
growing exponentially.<br />
So the members of the Internet Engineering Task Force (IETF²) developed a new<br />
methodology. It consisted of extending the subnet idea to the entire 32 bits of<br />
address space, where subnets are subsections of a classful network. They are<br />
specified using the subnet masks that you′ve probably all seen. For example,<br />
255.255.255.192 represents a 64-IP subnet of a class-C-sized chunk, and<br />
255.255.192.0 represents a chunk of address space the size of 64 class Cs.<br />
Therefore, instead of allocating networks in chunks on byte boundaries, they<br />
allocate networks sized as any power of 2, from 1 to 32 bits. They called this plan<br />
CIDR.<br />
CIDR notation names a network by simply specifying how many bits, out of 32<br />
possible bits, that the network has. So a class C in CIDR notation is a /24, a<br />
class B is a /16, and a class A is a /8.<br />
2 IETF is a large open international community of network designers, operators, vendors and researchers concerned with the<br />
evolution of the Internet architecture and its smooth operation. They are the ones who produce the RFCs.<br />
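As an added example that is not part of the redbook, the following Python computes the block sizes behind the masks quoted above (255.255.255.248, 255.255.255.192, 255.255.192.0) and shows why a backbone router needs only one route for an ISP's whole /18 while the ISP's own router carries the per-customer subnets; all addresses and next-hop names are constructed sample values.

```python
# Added example (not from the redbook): classful sizes, CIDR prefix lengths
# and longest-prefix-match forwarding, using only the standard library.
# All addresses and next-hop names below are constructed sample values.
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal mask -> prefix length, e.g. 255.255.255.248 -> 29.
    A valid mask is a run of ones followed by zeros; anything else is rejected."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def is_valid_mask(mask: str) -> bool:
    """True for contiguous masks such as 255.255.255.0, False for 255.0.255.0."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def block_size(prefix: int) -> int:
    """Total addresses in a /prefix block (network and broadcast included)."""
    return 1 << (32 - prefix)


def class_c_chunks(prefix: int) -> int:
    """How many class-C-sized (/24) chunks a /prefix block spans (0 if smaller)."""
    return block_size(prefix) // 256


def classful_class(addr: str) -> str:
    """Class of an address under the old classful scheme (first-octet ranges)."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"  # multicast and reserved; never assigned to hosts


def longest_prefix_match(table, addr: str):
    """Return the next hop of the most specific route covering addr, or None.
    table is a list of (cidr, next_hop) pairs; 0.0.0.0/0 is a default route."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for cidr, hop in table:
        net = ipaddress.IPv4Network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


# Backbone view: the ISP's whole /18 (64 class-C-sized chunks) is ONE route,
# which is the routing-table saving CIDR was designed for.
BACKBONE_ROUTES = [
    ("198.51.64.0/18", "isp-a"),
    ("203.0.113.0/24", "isp-b"),
]

# The ISP's own router holds the more specific customer assignments
# (a full class C and two /29 subnets of eight addresses) plus a default.
ISP_A_ROUTES = [
    ("0.0.0.0/0", "upstream"),
    ("198.51.100.0/24", "customer-1"),
    ("198.51.101.0/29", "customer-2"),
    ("198.51.101.8/29", "customer-3"),
]

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.248", "255.255.255.192", "255.255.192.0"):
        p = mask_to_prefix(mask)
        print(f"{mask} = /{p}: {block_size(p)} addresses, {class_c_chunks(p)} class-C chunks")
    for ip in ("198.51.100.77", "198.51.101.5", "198.51.101.9", "203.0.113.5"):
        print(ip, "backbone ->", longest_prefix_match(BACKBONE_ROUTES, ip),
              "| isp-a ->", longest_prefix_match(ISP_A_ROUTES, ip))
```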
2.2.4.5 How to Get IP Addresses<br />
You can get your IP address range directly from your upstream provider or<br />
through the regional registry. However, the best (and easiest) way of getting<br />
your IP address space is from the upstream provider, which in turn got its<br />
address space from its own upstream provider or directly from a registry.<br />
The provider will give you IP addresses that come from the IP address space<br />
allocated to its backbone. It can use subnetting or CIDR techniques.<br />
These globally unique addresses owned by the upstream provider are called<br />
Provider Access (PA) IP addresses. When a customer terminates the contract<br />
with the provider, any assigned PA addresses must be relinquished. The<br />
advantage is that these addresses can minimize the network routing tables,<br />
resulting in better performance. This is the policy the IANA recommends to be<br />
adopted.<br />
If you do not want to get the IP range from a service provider you must apply<br />
directly to the regional registry responsible for your country.<br />
You will receive Provider Independent (PI) IP addresses. They are also globally<br />
unique addresses, but are owned by the customers and can be transferred from<br />
one provider to another. Their use is mandatory if you have upstream connections<br />
to different providers.<br />
Unlike PA addresses, the routing of PI addresses through the Internet is not<br />
guaranteed; if the size of the network routing tables gets too large, ISPs may<br />
remove PI addresses from their tables. For this reason, the use of PI addresses<br />
is not recommended, and the use of PA addresses encouraged.<br />
Finally, as address allocation is very important for the ISP (from what is<br />
actually being used to what is still available), the ISP should carefully map out<br />
its addressing strategy before requesting addresses. In fact, when an ISP<br />
contacts any provider to get an IP subnet, the provider will require a network<br />
topology diagram and engineering plans. And to request more than one subnet,<br />
you will probably have to prove the need and guarantee that most of the<br />
addresses will be used immediately.<br />
2.2.4.6 How to Obtain a Domain Name<br />
As discussed before, to use domain names we need to resolve host names into<br />
their corresponding IP addresses. These functions rely on machines called<br />
name servers. In a typical Internet dial-up connection, the name server is<br />
located at the provider. That′s because the customer uses his or her provider′s<br />
domain name, and normally only for e-mail.<br />
However, as you will be the provider, you will probably want to have your own<br />
domain name server so you can have more flexibility to provide services to your<br />
customers. For example, if you have Web hosting services for a set of<br />
businesses, each one will want a unique home page for their customers. To do<br />
that, you need a primary DNS that also refers to other alternate addresses and<br />
aliases.<br />
Finally, for a domain name registration it′s necessary to contact the regional<br />
registry. This task can be accomplished directly (by you) or indirectly (by your<br />
provider).<br />
If you need or want to get your domain name directly, these are the general<br />
steps for a registration:<br />
1. Find out if the domain name that you want is available. You can do this by<br />
querying the Whois database of a registry.<br />
2. Configure the DNS server. Without DNS, the registry will not process your<br />
registration.<br />
3. Fill out the Domain Name Registration Agreement. This form is used to<br />
gather the information needed to process your registration and add your<br />
domain to the Whois database. It is usually downloaded from the registry<br />
site through an ftp command.<br />
4. E-mail the agreement to the registry.<br />
5. The request is automatically processed and assigned a tracking number.<br />
You should immediately make a note of this number to check on the status<br />
of the registration.<br />
6. The agreement is automatically checked for errors.<br />
7. The agreement is processed and an e-mail is sent back to you.<br />
8. Information for the new domain is added to the registry′s Whois database.<br />
Normally this procedure takes from days to weeks, and you also have to pay a<br />
fee.<br />
For additional information about getting an IP address and domain, refer to:<br />
• http://www.internic.net<br />
• http://www.ripe.net<br />
• http://www.apnic.net<br />
• http://www.iahc.org<br />
2.2.5 <strong>IBM</strong> As a Service Provider<br />
<strong>IBM</strong> Global Services (IGS), with more than $22.9 billion in revenues and<br />
operations in 164 countries, is the world′s leading provider of product,<br />
professional and network services. Its managed network services for content,<br />
collaboration and electronic commerce as well as network outsourcing services<br />
are provided over the <strong>IBM</strong> Global Network (IGN) which serves more than 30,000<br />
customer enterprises in 860 cities and 100 countries.<br />
To provide international support for users wishing to access the Internet, <strong>IBM</strong><br />
sets up networks and communication connections to service providers all around<br />
the world. These service provider connections have been combined with <strong>IBM</strong>′s<br />
vast network resources to form the <strong>IBM</strong> Global Network.<br />
IGN operates the world′s largest high-speed network for telecommunications<br />
services and network-centric computing. It brings together <strong>IBM</strong>′s capabilities to<br />
provide seamless, value-added network services globally through wholly-owned<br />
subsidiaries and joint ventures around the world.<br />
The network services and applications provided by <strong>IBM</strong> are:<br />
• Internet dial-up access (a local call) in more than 800 cities in nearly 50<br />
countries<br />
• Worldwide high-speed multiprotocol network supporting SNA/SDLC, X.25,<br />
APPN, ASYNCH, BISYNCH, NETBIOS, Novell IPX and TCP/IP<br />
• Leased-line connections<br />
• Wireless communications<br />
• LAN Internetworking and multiprotocol solutions<br />
• Electronic Data Interchange<br />
• Electronic mail services<br />
• <strong>IBM</strong> InterConnect for Lotus Notes<br />
• Content services<br />
• Information service<br />
• Network outsourcing<br />
In the next section we show the leased-line services.<br />
For information about <strong>IBM</strong> Global Services, please see:<br />
http://www.ibm.com/services/globalservices.html<br />
For additional information about <strong>IBM</strong> Network Services, refer to:<br />
http://www.ibm.com/globalnetwork<br />
2.2.5.1 <strong>IBM</strong> Leased Line Internet Connection Services<br />
The <strong>IBM</strong> Global Network offers a secure, reliable and flexible set of high-speed,<br />
leased-line Internet access solutions that can include network connectivity<br />
resources, and security options designed, installed and managed by the <strong>IBM</strong><br />
Global Network. Customers can establish high-speed leased-line access to the<br />
Internet, without having to install and manage their own network hardware,<br />
software and telecommunications links.<br />
The Leased Line Internet Connection Services is part of the range of Internet<br />
services provided by the <strong>IBM</strong> Global Network. It offers a high-speed permanent<br />
and fully managed access link to the resources of the Internet. This service is a<br />
custom offering that is ordered, scheduled and priced based on specific<br />
customer access, transport and application requirements.<br />
IGN provides leased line access to the Internet at speeds equivalent to corporate<br />
data networks. The services also expand the capabilities of IGN Internetworking<br />
and multiprotocol solutions by allowing secure Internet access from their existing<br />
corporate networks.<br />
Capabilities include:<br />
• Access for full TCP/IP connectivity to the Internet.<br />
• Managed dedicated leased line access to the Internet at high-speed data<br />
rates of 19.2, 56, 64, 128, 256, 512 kbps, 1.544 Mbps and 45 Mbps access on a<br />
special bid basis.<br />
• Assignment of IP address ranges for the customer network.<br />
• Assistance with registration of the customer private domain name with the<br />
responsible naming authority.<br />
• Fixed-price connections based on site connectivity requirements.<br />
2.2.5.2 Features<br />
<strong>IBM</strong> provides the planning, design, network components, installation,<br />
maintenance and operation required to attach customers′ systems to <strong>IBM</strong> Global<br />
Network′s Internet network.<br />
The Leased Line Internet Connection Service includes:<br />
• Backbone network, facilities and network connectivity to the Internet through<br />
the <strong>IBM</strong> Global Network′s Internet network.<br />
• Customer premise router and backbone router(s).<br />
• If required, an <strong>IBM</strong> 2210 Nways Multiprotocol Router for use as the customer<br />
site router (CSR), including an asynchronous modem for remote<br />
support/problem determination.<br />
• Installation, maintenance and support of <strong>IBM</strong>-provided solution components.<br />
• Data service units (DSUs)/customer service units (CSUs).<br />
• LAN interface.<br />
• Physical link (56 kbps to T1).<br />
• If required, an IP address range for use in the customer′s network will be<br />
assigned by <strong>IBM</strong>.<br />
• Domain Name Services (DNS), where IGN will act as the external primary<br />
and/or secondary name server on behalf of a customer′s network. IGN will<br />
negotiate with the Internet Network Information Center (NIC) to acquire<br />
network numbers as well as provide proper registration of IP addresses with<br />
the NIC on behalf of the customer and will assist in connecting the<br />
customer′s DNS to the global DNS infrastructure. This support is available<br />
immediately as part of the leased line Internet Connection capabilities.<br />
• Network Management:<br />
− 24-hour, seven-day-a-week network monitoring<br />
− Problem determination and management<br />
− Performance monitoring<br />
− Capacity planning and management of the IGN backbone network<br />
− Capacity monitoring of the CSR and circuit to the customer premise<br />
− Notification to the customer if an upgrade of the customer circuit is<br />
required<br />
• Customer support<br />
− 24-hour, seven-day-a-week customer assistance<br />
2.2.5.3 Physical Attachment Design<br />
LAN Internetworking Version 1.1 offers firewall security protection via the <strong>IBM</strong><br />
Global Network′s product, TCPGATE2. It allows users with TCP/IP and/or SNA<br />
platforms to access limited Internet protocols. The supported features are<br />
Domain Name Server service, FTP, WWW browsing (via a SOCKS gateway for<br />
TCP/IP users), Gopher, and Telnet. E-mail and Newsgroups support will be<br />
available in the future. Figure 22 on page 52 shows all network access paths to<br />
the <strong>IBM</strong> Global Network.<br />
Figure 22. LAN Internetworking/Direct Leased Line via <strong>IBM</strong> Global Network<br />
The Leased Line Internet Connection Service (ICS) provides a permanent<br />
(non-switched) high-speed direct attachment to the <strong>IBM</strong> Global Network for<br />
customer′s IP-based LANs, as shown in Figure 23 on page 53.<br />
Figure 23. Direct Leased Line Internet Access Physical Attachment<br />
The customer′s LAN is attached, using a network interface card, to a customer<br />
site router (CSR). The CSR is then connected, via a leased line, to another router<br />
(the entry node router), which is directly connected to the <strong>IBM</strong> Global Network′s<br />
Internet backbone (OpenNet). The CSR is also equipped with an analog dial-up<br />
port and a high-speed modem to allow <strong>IBM</strong> support personnel to access the CSR<br />
over the public switched telephone network (PSTN) to perform remote<br />
configuration, maintenance, and support.<br />
2.2.5.4 Hardware and Software Requirements<br />
<strong>IBM</strong> supplies and installs, if they are necessary, the following equipment at the<br />
customer site:<br />
• A CSR with an appropriate network interface card to connect to the<br />
customer′s LAN<br />
• A PSTN modem and cables for use with the CSR′s dial-up facility<br />
Customers must provide:<br />
• A TCP/IP-enabled host and LAN, using the appropriate IP addresses.<br />
• The appropriate cabling and connectors required to connect the customer′s<br />
LAN to the network interface card on the CSR. The supported network types<br />
are:<br />
− Ethernet (10 Mbps)<br />
− Token-ring (4 Mbps and 16 Mbps)<br />
• An analog PSTN circuit for use by the dial-up modem.<br />
Note: Customers planning to switch this circuit through a digital private<br />
automatic branch exchange (PABX), must ensure that the PABX is configured<br />
to provide an analog connection for the circuit. Customers with PABXs that<br />
do not support analog connections must ask the local PTT provider to supply<br />
a direct analog circuit for use by the dial-up modem.<br />
• The leased line circuit from the customer site to the allocated <strong>IBM</strong> Global<br />
Network entry node. Where permitted by local legal and PTT regulations,<br />
<strong>IBM</strong> will order the appropriate leased line circuit on behalf of customers.<br />
• The primary name server and its administration and support for names<br />
within the LAN. The primary name server should also be configured for<br />
inverse name address resolution.<br />
If required, <strong>IBM</strong> can supply the primary name server facilities for customers.<br />
However, a maximum of three network devices and two mail hosts only will<br />
be supported per customer.<br />
• Security facilities, such as a firewall, to protect their network as required.<br />
For additional information about Leased Line Internet Connection Service, refer<br />
to:<br />
• http://www.ibm.com/globalnetwork/leasedbr.htm<br />
• Leased Line Internet Connection Service - E/ME/A Attachment Guide,<br />
UH01-1003-00<br />
2.3 Downstream Connections<br />
The principal objective of an ISP is to offer services to users so that they are<br />
able to access the Internet and its resources. That′s where the ISP earns<br />
money.<br />
Therefore, the downstream connections are the second fundamental item of<br />
Internet connectivity. In this section, we cover the types of users, the access<br />
issues for both the ISP and the customers, and the <strong>IBM</strong> 8235.<br />
2.3.1 Types of Users<br />
The following are the different types of customers an ISP could have:<br />
• Home Users<br />
These are the individual users, commonly called small office/home office<br />
(SOHO) users. They usually get connected to the Internet to access Web<br />
pages and e-mail services. As a rule, this kind of user accesses the Internet<br />
during non-working hours and weekends. These are the most typical<br />
customers of an ISP.<br />
• Corporate Users<br />
These are business customers who connect their networks to the Internet.<br />
Typically they use the Internet to provide a Web site, to communicate with<br />
their other locations and customers, and to provide Internet access to their<br />
employees. Their heaviest traffic is during business hours.<br />
• ISP Customers<br />
These are other ISPs that will also resell Internet access and services to<br />
their customers. This is a smaller market, so you will need to have enough<br />
resources to be able to offer these services.<br />
2.3.2 Access Issues<br />
Here we focus on the SOHO and corporate users. The issues for the ISP<br />
customers can be seen in section 2.2, “Internet Backbone Connection” on<br />
page 6, where we explain the ISP and its provider connection.<br />
For customers to be able to access the Internet and its resources, they will need<br />
to access their ISP LAN servers first. There are two ways of providing this<br />
remote connection: through dial-up or dedicated circuits, depending on the<br />
customer type and needs. They are available through SLIP or PPP protocols.<br />
In this section we focus on these items.<br />
2.3.2.1 Dial-Up Connection<br />
This is the simplest kind of connection, commonly made available through<br />
conventional telephone lines and modems, in which the connection speed may<br />
vary from 9,600 bps to 33,600 bps. These physical devices are used with link<br />
protocols that allow the users′ equipment to run TCP/IP applications.<br />
The analog modem is most typical, but digital systems (ISDN) have also been<br />
used. A digital (ISDN) connection carries 128 kbps.<br />
This is the most common access type used by SOHO or even by business<br />
employees whose companies don′t have a network connection. Normally, these<br />
users have access to the following ISP services (see Chapter 4, “Internet<br />
Services” on page 133 for detailed information):<br />
• TCP/IP tools such as WWW, ftp and telnet<br />
• E-mail server<br />
• News<br />
• Their own Web home pages<br />
For related information about these topics, see also:<br />
• 2.3.2.4, “SLIP and PPP” on page 58<br />
• 2.3.3, “ISP Networking Hardware” on page 61<br />
2.3.2.2 Dedicated Connection<br />
Here there′s a permanent link available, usually through a private line, where<br />
both the ISP′s and the customer′s LANs are connected through routers. Packet<br />
switched networks, such as frame relay, can also be used.<br />
The corporate and the ISP customers are the ones who utilize this kind of link.<br />
Aside from the issues specific to an ISP customer, the typical services offered in<br />
this category are:<br />
• IP and DNS negotiation with the responsible registry (see 2.2.4.5, “How to<br />
Get IP Addresses” on page 48 and 2.2.4.6, “How to Obtain a Domain Name”<br />
on page 48)<br />
• Secondary DNS server<br />
• Primary DNS server (optional)<br />
• News feed<br />
• Web hosting<br />
Note<br />
There are also two other kinds of connection. The first is UUCP, which was<br />
widely used for the Bulletin Board Systems (BBS) but offers only e-mail and<br />
news access. The second one is a shell account which only has terminal<br />
emulation.<br />
They are not included here because nowadays the customers usually want<br />
the whole range of Internet services.<br />
2.3.2.3 Integrated Services Digital Network (ISDN)<br />
ISDN is an acronym for Integrated Services Digital Network, in which it is<br />
possible to gain the benefits of digital speeds or connectivity without using<br />
dedicated lines. From voice and data to complex images, full-color video and<br />
stereo quality sound, all are transmitted with digital speed and accuracy through<br />
what is now a totally digital network. ISDN replaces today′s slow modem<br />
technology with speeds of up to 128 kbps (kilobits per second) before<br />
compression. With compression, users in many applications today can achieve<br />
throughput speeds from 256 kbps to more than 1,024 kbps, more than a megabit<br />
per second.<br />
Digital lines are almost totally error free, which means that the slowdowns and<br />
errors typically encountered in today′s modem transmissions are no longer a<br />
problem. A single ISDN line can serve as many as eight devices: digital<br />
telephones, facsimiles, desktop computers, video units and much more.<br />
Each device, in turn, can be assigned its own telephone number, so that<br />
incoming calls can be routed directly to the appropriate device. Any two of<br />
these devices can be in use at the same time for voice or data transmissions,<br />
and the lines can also be combined for higher data speeds. In addition, an<br />
almost unlimited number of lower-speed data transmissions (for e-mail, credit<br />
card authorization, etc.) can go on at the same time. In most cases, the same<br />
copper wires used today for what is typically called plain old telephone service<br />
can be used successfully for ISDN. This means most homes and offices are<br />
ISDN-ready today.<br />
There are three types of ISDN services:<br />
• Basic Rate ISDN (BRI)<br />
The BRI service has three data channels: two 64-kbps³ B (bearer) channels<br />
and one 16-kbps D (delta) channel. The B channels carry voice and data,<br />
and the D channel is responsible for the control or signaling information. It′s<br />
also possible to use both B channels together and get 128 kbps.<br />
The BRI interface uses two twisted pairs of copper wires.<br />
3 In some areas it may be 56 kbps due to phone system limitation.<br />
Figure 24. Basic Rate ISDN (BRI) Interface<br />
• Primary Rate ISDN (PRI)<br />
Figure 25. Primary Rate ISDN (PRI) Interface<br />
In the PRI service there are 23 64-kbps B channels and one 64-kbps D channel,<br />
which provides a total bandwidth of 1.544 Mbps. In some countries the number<br />
of B channels is 30 or 31, which gives a bandwidth of 2.048 Mbps. The B<br />
channels are combined and used according to the needs: data<br />
transmission, phone lines, etc.<br />
This service is utilized on the ISP side to connect the BRI customers.<br />
• Broadband-ISDN (B-ISDN)<br />
This is the proposed advanced version of ISDN for providing speeds of<br />
155.52 Mbps and higher. However, the standards and switching technology<br />
that will work this fast are under development. B-ISDN promises<br />
universal coverage based on ATM/SDH technologies and optical fiber.<br />
Although ISDN has been available for many years, it has only just begun to<br />
become popular with users. In some countries it may not even be supported.<br />
2.3.2.4 SLIP and PPP<br />
Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) are usually<br />
associated with dial-up connections. Although they are indeed widely used in<br />
part-time Internet connections over analog modems, they can be used for<br />
full-time connections as well.<br />
However, these protocols have two requirements: the link must have exactly two<br />
endpoints and it must be full-duplex. Given that, they are used in dial-up<br />
connections over analog modems, in leased-line connections with routers and<br />
even over ISDN. Frame relay and X.25 are also possible.<br />
SLIP is a very simple protocol designed quite a long time ago and is merely a<br />
packet framing protocol. It defines a sequence of characters that frame IP<br />
packets on a serial line, and nothing more. SLIP has been replaced by PPP<br />
because of the following drawbacks:<br />
• It cannot support multiple protocols across a single link; all packets must be<br />
IP datagrams.<br />
• It performs no frame error detection, which forces retransmission by<br />
higher level protocols in the case of errors on noisy lines.<br />
• It provides no mechanism for compressing frequently used IP header fields.<br />
Many applications over slow serial links tend to be single-user interactive<br />
TCP traffic such as TELNET. This frequently involves small packet sizes and<br />
therefore a relatively large overhead in TCP and IP headers which do not<br />
change much between datagrams, but which can have a noticeably<br />
detrimental effect on interactive response times. However, many SLIP<br />
implementations now use Van Jacobsen Header Compression. This is used<br />
to reduce the size of the combined IP and TCP headers from 40 bytes to 8<br />
bytes by recording the states of a set of TCP connections at each end of the<br />
link and replacing the full headers with encoded updates for the normal case<br />
where many of the fields are unchanged or are incremented by small<br />
amounts between successive IP datagrams for a session. This compression<br />
is described in RFC 1144.<br />
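The SLIP framing just described, and its lack of error detection, as an added Python example that is not code from the original book: the RFC 1055 framing bytes, an encoder and decoder, and a constructed IPv4 header whose 192.168.x.x addresses contain SLIP's END byte (0xC0). Flipping one byte of the framed stream still yields a well-framed packet; only the IP header checksum, the higher-level check the text refers to, notices the damage. The header contents and the corruption position are constructed for the example.<br />

```python
# RFC 1055 framing characters
END, ESC, ESC_END, ESC_ESC = 0xC0, 0xDB, 0xDC, 0xDD


def slip_encode(packet: bytes) -> bytes:
    """Frame one IP packet: a leading END flushes line noise, special bytes are escaped."""
    out = bytearray([END])
    for b in packet:
        if b == END:
            out += bytes([ESC, ESC_END])
        elif b == ESC:
            out += bytes([ESC, ESC_ESC])
        else:
            out.append(b)
    out.append(END)
    return bytes(out)


def slip_decode(stream: bytes) -> list:
    """Split a byte stream back into packets. Nothing here detects corrupted bytes."""
    packets, cur, escaped = [], bytearray(), False
    for b in stream:
        if escaped:
            # RFC 1055 leaves a bad escape sequence undefined; keeping the byte is the usual choice.
            cur.append({ESC_END: END, ESC_ESC: ESC}.get(b, b))
            escaped = False
        elif b == ESC:
            escaped = True
        elif b == END:
            if cur:                      # back-to-back ENDs produce no empty packet
                packets.append(bytes(cur))
                cur = bytearray()
        else:
            cur.append(b)
    return packets


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (RFC 791 header checksum)."""
    words = (int.from_bytes(header[i:i + 2].ljust(2, b"\0"), "big") for i in range(0, len(header), 2))
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def header_ok(header: bytes) -> bool:
    return ipv4_checksum(header) == 0     # a header with a correct checksum sums to zero


def build_sample_header() -> bytes:
    """Constructed IPv4 header: 192.168.1.2 -> 192.168.1.1, protocol UDP, total length 20.
    The 192 (0xC0) octets in both addresses collide with SLIP's END byte."""
    h = bytearray(bytes.fromhex("4500 0014 0001 0000 4011 0000 c0a8 0102 c0a8 0101"))
    h[10:12] = ipv4_checksum(h).to_bytes(2, "big")
    return bytes(h)


SAMPLE_HEADER = build_sample_header()


def demo_undetected_corruption(stream_index: int = 1, flip: int = 0x01):
    """Flip a bit in the framed stream: SLIP still yields a 'valid' packet, only IP notices.
    Returns (framing looked fine, IP header checksum verified)."""
    framed = bytearray(slip_encode(SAMPLE_HEADER))
    framed[stream_index] ^= flip            # a line hit on one data byte
    packets = slip_decode(bytes(framed))
    framing_ok = len(packets) == 1 and len(packets[0]) == len(SAMPLE_HEADER)
    return framing_ok, (header_ok(packets[0]) if packets else False)
```

The decoder deliberately has no notion of a bad packet: the only signal that anything went wrong comes from the IP checksum (or TCP/UDP checksums) above it, which is exactly why a noisy line costs whole retransmissions rather than a cheap frame-level retry.<br />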
PPP addresses these problems. It has three main components:<br />
1. A method for encapsulating datagrams over serial links.<br />
2. A Link Control Protocol (LCP) for establishing, configuring, and testing the<br />
data link connection.<br />
3. A family of Network Control Protocols (NCPs) for establishing and configuring<br />
different network layer protocols. PPP is designed to allow the simultaneous<br />
use of multiple network layer protocols such as IP, OSI, IPX, etc.<br />
Before a link is considered to be ready for use by network layer protocols, a<br />
specific sequence of events must happen. The LCP provides a method of<br />
establishing, configuring, maintaining and terminating the connection. LCP goes<br />
through the following phases:<br />
1. Link establishment and configuration negotiation: In this phase, link control<br />
packets are exchanged and link configuration options are negotiated. Once<br />
options are agreed upon, the link is open, but not necessarily ready for<br />
network layer protocols to be started.<br />
2. Link quality determination: This phase is optional. PPP does not specify the<br />
policy for determining quality, but does provide low-level tools, such as echo<br />
request and reply.<br />
3. Authentication: This phase is optional. Each end of the link authenticates<br />
itself with the remote end using authentication methods agreed to during<br />
phase 1.<br />
4. Network layer protocol configuration negotiation: Once LCP has finished the<br />
previous phase, network layer protocols may be separately configured by the<br />
appropriate NCP.<br />
5. Link termination: LCP may terminate the link at any time. This will usually<br />
be done at the request of a human user, but may happen because of a<br />
physical event.<br />
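The LCP phases listed above, as an added Python example that is not code from the original book: a phase machine for the ISP side of one link. The option names, the check_credentials callback and the addresses are assumptions made for the example and not PPP's real option encoding; the ordering rules it enforces (authentication before any NCP runs, non-LCP packets silently discarded outside the Network phase) follow RFC 1661, and answering a 0.0.0.0 address request with a Configure-Nak carrying the address to use follows RFC 1332 (IPCP).<br />

```python
from enum import Enum, auto


class Phase(Enum):
    DEAD = auto()          # no carrier on the line
    ESTABLISH = auto()     # LCP Configure-Request/Ack/Nak/Reject exchange
    AUTHENTICATE = auto()  # optional; method agreed during ESTABLISH
    NETWORK = auto()       # NCPs such as IPCP may now configure their protocol
    TERMINATE = auto()     # Terminate-Request/Ack, then back to DEAD


KNOWN_LCP_OPTIONS = {"mru", "auth", "magic"}   # illustrative subset of LCP option names


class PppAccessServer:
    """The ISP side of one PPP link as a phase machine (an assumed model, not a real stack)."""

    def __init__(self, max_mru=1500, auth_protocol="CHAP", check_credentials=None):
        self.max_mru, self.auth_protocol = max_mru, auth_protocol
        # Verifies a PAP password or CHAP response; the default refuses everyone.
        self.check_credentials = check_credentials or (lambda user, proof: False)
        self.phase, self.ours_acked, self.theirs_acked = Phase.DEAD, False, False
        self.address = None

    def carrier_up(self):
        """The modem reports carrier: enter ESTABLISH and send our Configure-Request."""
        self.phase = Phase.ESTABLISH
        # The access server demands authentication by proposing an auth protocol.
        return {"mru": self.max_mru, "auth": self.auth_protocol, "magic": 0x1234}

    def handle_configure_request(self, opts):
        """Answer the peer's LCP Configure-Request (renegotiation after open is not modelled)."""
        if self.phase is not Phase.ESTABLISH:
            return ("Discard", None)
        unknown = {k: v for k, v in opts.items() if k not in KNOWN_LCP_OPTIONS}
        if unknown:                                        # unrecognised options are rejected
            return ("Configure-Reject", unknown)
        if opts.get("mru", self.max_mru) > self.max_mru:   # known option, unacceptable value
            return ("Configure-Nak", {"mru": self.max_mru})
        self.theirs_acked = True
        self._maybe_open()
        return ("Configure-Ack", opts)

    def handle_configure_ack(self):
        """The peer accepted our Configure-Request."""
        self.ours_acked = True
        self._maybe_open()

    def _maybe_open(self):
        # LCP is open once both requests are acked; the link is still not usable by IP.
        if self.ours_acked and self.theirs_acked:
            self.phase = Phase.AUTHENTICATE if self.auth_protocol else Phase.NETWORK

    def handle_echo_request(self, magic):
        """Phase-2 link-quality tool: LCP echoes are only answered while LCP is open."""
        if self.phase in (Phase.AUTHENTICATE, Phase.NETWORK):
            return ("Echo-Reply", magic)
        return None

    def authenticate(self, user, proof):
        if self.phase is not Phase.AUTHENTICATE:
            return False
        if self.check_credentials(user, proof):
            self.phase = Phase.NETWORK
            return True
        self.phase = Phase.TERMINATE            # a failed authentication tears the link down
        return False

    def handle_ipcp_configure_request(self, requested, pool):
        """IPCP, the NCP for IP. Non-LCP packets outside NETWORK are silently discarded (RFC 1661)."""
        if self.phase is not Phase.NETWORK:
            return ("Discard", None)
        if requested != "0.0.0.0" and requested in pool:
            pool.remove(requested)
            self.address = requested
            return ("Configure-Ack", {"ip-address": requested})
        if not pool:                            # nothing left to hand out: close the link
            self.phase = Phase.TERMINATE
            return ("Terminate-Request", None)
        self.address = pool.pop(0)              # RFC 1332: a Nak carries the address to use
        return ("Configure-Nak", {"ip-address": self.address})

    def terminate(self):
        self.phase = Phase.TERMINATE
        return "Terminate-Request"

    def handle_terminate_ack(self):
        self.phase, self.address = Phase.DEAD, None


def demo_session():
    """Happy path for one constructed caller; returns (final phase, assigned address)."""
    srv = PppAccessServer(check_credentials=lambda u, p: (u, p) == ("alice", "chap-response-ok"))
    srv.carrier_up()
    srv.handle_configure_request({"mru": 1500, "magic": 0x5678})
    srv.handle_configure_ack()
    srv.authenticate("alice", "chap-response-ok")
    srv.handle_ipcp_configure_request("0.0.0.0", ["192.0.2.10", "192.0.2.11"])
    return srv.phase, srv.address
```

The point to keep in mind when building or auditing an access server is the gate between phases 3 and 4: an IPCP request that arrives before authentication has succeeded must be dropped, not answered, or a caller could obtain an address on the ISP LAN without ever proving who they are.<br />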
The IP Control Protocol (IPCP) is the NCP for IP and is responsible for<br />
configuring, enabling and disabling the IP protocol on both ends of the<br />
point-to-point link. The IPCP options negotiation sequence is the same as for<br />
LCP, thus allowing the possibility of reusing the code.<br />
One important option used with IPCP is Van Jacobson Header Compression,<br />
which is used to reduce the size of the combined IP and TCP headers from 40<br />
bytes to approximately 4 by recording the states of a set of TCP connections at<br />
each end of the link and replacing the full headers with encoded updates for the<br />
normal case where many of the fields are unchanged or are incremented by<br />
small amounts between successive IP datagrams for a session. This<br />
compression is described in RFC 1144.<br />
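As an added illustration of the header compression described here and under the SLIP drawbacks earlier (it is not code from the original book), a reduced Python implementation of the RFC 1144 scheme: a per-connection state table at each end, a change mask, the TCP checksum always sent in full, and short deltas for the sequence number, acknowledgement, window and IP ID. It models only the fields that vary in an interactive session; the urgent pointer, TCP option handling and the real SLIP/PPP framing are left out, the delta and change-mask encodings follow the RFC's reference code, and the addresses and session values are constructed.<br />

```python
import struct
from dataclasses import dataclass

# Packet types and change-mask bits, with the values used in RFC 1144's reference code.
TYPE_UNCOMPRESSED_TCP = 0x70    # OR-ed into the IP version byte of a full header
TYPE_COMPRESSED_TCP = 0x80      # top bit of the first byte of a compressed header
NEW_C, NEW_I, NEW_S, NEW_A, NEW_W = 0x40, 0x20, 0x08, 0x04, 0x02   # urgent (U) omitted
MAX_SLOTS = 16                  # RFC 1144's default per-link connection table size

@dataclass
class Hdr:
    """The IPv4+TCP header fields that vary between segments of one session."""
    src: bytes; dst: bytes; sport: int; dport: int
    ip_id: int; seq: int; ack: int; window: int; tcp_csum: int
    def key(self):
        return (self.src, self.dst, self.sport, self.dport)
    def pack(self, proto=6):
        # Full 40-byte IPv4+TCP header pair; fields not modelled here are constants.
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, self.ip_id, 0, 64, proto, 0, self.src, self.dst)
        tcp = struct.pack("!HHIIBBHHH", self.sport, self.dport, self.seq, self.ack, 0x50, 0x18,
                          self.window, self.tcp_csum, 0)
        return ip + tcp
    @classmethod
    def unpack(cls, b):
        _, _, _, ip_id, _, _, _, _, src, dst = struct.unpack("!BBHHHBBH4s4s", b[:20])
        sport, dport, seq, ack, _, _, win, csum, _ = struct.unpack("!HHIIBBHHH", b[20:40])
        return cls(src, dst, sport, dport, ip_id, seq, ack, win, csum)

def enc_delta(d):
    """RFC 1144 delta coding: 1..255 in one byte; 0 or 256..65535 as 0x00 plus two bytes."""
    return bytes([d]) if 1 <= d <= 255 else b"\x00" + struct.pack("!H", d)
def dec_delta(buf, i):
    return (buf[i], i + 1) if buf[i] else (struct.unpack("!H", buf[i + 1:i + 3])[0], i + 3)

class Compressor:
    def __init__(self):
        self.slot_of, self.state, self.last_slot, self.alloc = {}, {}, None, 0
    def compress(self, h):
        slot = self.slot_of.get(h.key())
        prev = self.state.get(slot)
        ds = (h.seq - prev.seq) & 0xFFFFFFFF if prev is not None else 0
        da = (h.ack - prev.ack) & 0xFFFFFFFF if prev is not None else 0
        if prev is None or ds > 0xFFFF or da > 0xFFFF:
            # Unknown connection, or a jump too large for a 16-bit delta: send the full
            # header, carrying the slot number in the IP protocol field as RFC 1144 does.
            if slot is None:
                slot, self.alloc = self.alloc % MAX_SLOTS, self.alloc + 1
                self.slot_of = {k: s for k, s in self.slot_of.items() if s != slot}  # evict
                self.slot_of[h.key()] = slot
            self.state[slot], self.last_slot = h, slot
            full = bytearray(h.pack(proto=slot))
            full[0] |= TYPE_UNCOMPRESSED_TCP
            return bytes(full)
        mask, body = TYPE_COMPRESSED_TCP, b""
        dw, di = (h.window - prev.window) & 0xFFFF, (h.ip_id - prev.ip_id) & 0xFFFF
        if dw: mask |= NEW_W; body += enc_delta(dw)
        if da: mask |= NEW_A; body += enc_delta(da)
        if ds: mask |= NEW_S; body += enc_delta(ds)
        if di != 1: mask |= NEW_I; body += enc_delta(di)   # an IP ID increment of 1 is implied
        head = bytes([mask | NEW_C, slot]) if slot != self.last_slot else bytes([mask])
        self.state[slot], self.last_slot = h, slot
        # The TCP checksum is always sent unchanged, so end-to-end error detection survives.
        return head + struct.pack("!H", h.tcp_csum) + body

class Decompressor:
    def __init__(self):
        self.state, self.last_slot = {}, None
    def decompress(self, pkt):
        if not pkt[0] & TYPE_COMPRESSED_TCP:         # full header: slot is in the protocol field
            slot, full = pkt[9], bytearray(pkt)
            full[0] = 0x40 | (full[0] & 0x0F)         # restore the IPv4 version nibble
            h = Hdr.unpack(bytes(full))
            self.state[slot], self.last_slot = h, slot
            return h
        mask, i = pkt[0], 1
        if mask & NEW_C:
            self.last_slot, i = pkt[i], i + 1
        prev = self.state[self.last_slot]
        csum, i = struct.unpack("!H", pkt[i:i + 2])[0], i + 2
        dw = da = ds = 0; di = 1
        if mask & NEW_W: dw, i = dec_delta(pkt, i)
        if mask & NEW_A: da, i = dec_delta(pkt, i)
        if mask & NEW_S: ds, i = dec_delta(pkt, i)
        if mask & NEW_I: di, i = dec_delta(pkt, i)
        h = Hdr(prev.src, prev.dst, prev.sport, prev.dport, (prev.ip_id + di) & 0xFFFF,
                (prev.seq + ds) & 0xFFFFFFFF, (prev.ack + da) & 0xFFFFFFFF,
                (prev.window + dw) & 0xFFFF, csum)
        self.state[self.last_slot] = h
        return h

def run_session(n=6):
    """Constructed TELNET-like session: each segment sends one keystroke and acks one echo."""
    comp, decomp = Compressor(), Decompressor()
    src, dst = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])   # constructed addresses
    sizes, intact = [], True
    for k in range(n):
        h = Hdr(src, dst, 1024, 23, 100 + k, 1000 + k, 5000 + k, 4096, 0x1234 + k)
        pkt = comp.compress(h)
        sizes.append(len(pkt)); intact = intact and decomp.decompress(pkt) == h
    return sizes, intact
```

For the session in run_session the first segment costs the full 40 header bytes and every following one 5 (change mask, checksum, one-byte deltas for sequence and acknowledgement), which is the gain the text describes. The checksum is the one field never compressed: because both ends reconstruct headers from state, a lost or damaged compressed packet desynchronizes them, and the TCP checksum on the reconstructed header is what lets the receiver detect that and fall back to waiting for a full header.<br />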
2.3.2.5 Other Technologies<br />
There are new technologies that have only just started to be used by SOHO<br />
users. We discuss some of them: wireless, cable and satellite.<br />
Wireless When we talk about wireless access, there is always confusion<br />
between wireless WANs and wireless LANs. Wireless LANs are local area<br />
networks that allow devices with radios to connect to local servers. These<br />
radios use direct sequence spread spectrum technology. The wireless link is<br />
between a PC and an access point wired to a LAN that is connected to a server.<br />
A user with a PC or terminal equipped with one of these radios must be in the local<br />
vicinity of a wireless access point for the wireless LAN adapter to work.<br />
The WAN radios required to connect to servers located far away<br />
from where the user machine actually is are very different from the LAN<br />
radios described previously. The WAN radios act the same as the wired modems<br />
that you may be familiar with. When you use a WAN radio, you connect to a<br />
service provider (not an ISP but one that provides wireless connectivity to its<br />
customers) such as AT&T, RAM Mobitex or ARDIS. These providers offer their<br />
customers the ability to use a radio that wirelessly connects to their services,<br />
from which they can connect to the existing worldwide telephone service. For<br />
example, a ThinkPad with a wireless WAN radio would "dial" out on a special<br />
number and get connected to its ISP via a TCP/IP link, the same as if it had plugged<br />
a modem into a phone line. The main difference is that its "phone line" is<br />
actually a wireless connection to a wireless service provider.<br />
The key components in wireless WANs are PCMCIA adapters that represent the<br />
latest in wireless communication. Currently, <strong>IBM</strong> offers systems with integrated<br />
WAN modems for CDPD, ARDIS (U.S. and Canada only) and Mobitex (not yet<br />
offered in EMEA). Each modem has a different business application.<br />
Cellular Digital Packet Data (CDPD)[4] is unique to the Advanced Mobile Phone<br />
Service (AMPS) cellular network, the largest in the United States. <strong>IBM</strong>'s 2489<br />
Rugged Notebook Computer Model 600 with the optional wireless modem for<br />
CDPD includes an internal PCMCIA radio modem and radio antenna.<br />
Advanced Radio Data Information Service (ARDIS)[5] provides interactive,<br />
real-time data communications throughout the U.S. and Canada. The <strong>IBM</strong><br />
2489-600 with integrated Wireless Modem for ARDIS supports automatic<br />
nationwide roaming, which means users can move seamlessly from one city to<br />
another and still communicate. The use of this radio modem requires the<br />
purchase of ARDIS services from a service provider.<br />
Mobitex runs on the RAM Mobile Data[6] network that serves some European<br />
countries and about 8,000 cities across the United States with fax, e-mail,<br />
two-way messaging and server applications. The <strong>IBM</strong> 2489-600 with integrated<br />
Wireless Modem for Mobitex consists of an integrated PCMCIA adapter (not yet<br />
available in EMEA) with an integrated antenna.<br />
Due to distinct country differences in communications standards, it is currently<br />
impossible to say that one network provides wireless WAN services in EMEA. In most<br />
cases, analog data is transmitted using a cellular-enabled modem with a<br />
handheld phone. GSM/DCS 1800 data wireless networks are further made up of<br />
GSM, the digital equivalent of AMPS, and DCS 1800, an 1800 MHz system with<br />
similar protocols to GSM and a data adapter. CT2 (Cellular Telephone) is a<br />
short-range campus and public network. It requires an integrated<br />
adapter/transceiver connected to a local base station for campus work that is<br />
connected to a PSTN for WAN communications.<br />
<strong>IBM</strong> Global Services has recently announced a set of services that offers an<br />
end-to-end solution for customers operating in a mobile computing environment<br />
and/or a wireless distributed network. Further information can be found at:<br />
http://www.as.ibm.com/asus/mobilepr.html<br />
For more information about the system units, please refer to the <strong>IBM</strong> Mobile and<br />
Wireless Systems Web site at:<br />
http://www.networking.ibm.com/wireless<br />
Cable and Satellite Although not suitable for ISP upstream connections, the<br />
one-way cable and satellite technologies (see 2.2.2.4, “Other Technologies” on<br />
page 15) can be suitable for downstream SOHO users. Even so, these<br />
services are not yet widely provided.<br />
[4] CDPD is a technology that is being deployed by a number of cellular companies, including Bell Atlantic, Ameritech, GTE, and<br />
AT&T.<br />
[5] ARDIS was originally created and jointly owned by Motorola and <strong>IBM</strong> to serve <strong>IBM</strong>'s field technicians. In 1995, Motorola<br />
acquired 100% ownership of it.<br />
[6] RAM Mobile Data is a business venture between RAM Broadcasting Corporation (RBC) and BellSouth and is based on<br />
Ericsson's Mobitex technology.<br />
2.3.3 ISP Networking Hardware<br />
In this section we include the networking hardware that must be available in the<br />
ISP for downstream connections and one <strong>IBM</strong> product that is typical for this<br />
environment: the 8235. The new RLAN function of the 2210 is also included.<br />
We begin by explaining the functions of the networking hardware components.<br />
2.3.3.1 Downstream Hardware Components<br />
The basic networking hardware used in the connections between the ISP and its<br />
customers is:<br />
• Remote Access Server<br />
The Remote Access Server (RAS) is the device used to connect the remote<br />
PCs of the users through dial-in connections. It is also called a terminal server<br />
because historically it was used to connect character-based terminals to<br />
interactive hosts. Usually it contains one LAN interface that is attached to<br />
the hub, and many serial ports to which the modems are connected.<br />
The first function of a RAS is to capture the authentication information from<br />
the client and then ask the authentication server for approval. Once the<br />
authorization is approved, the protocol switches to PPP, and the RAS gives<br />
an IP address to the client. The IP address given is based on a user name,<br />
a port or a pool of addresses. In this way, the client is "in" the ISP LAN and<br />
therefore can have its IP packets forwarded to the Internet.<br />
RASs are available in two different kinds of solutions: as a server with<br />
multiserial adapters, or as distinct hardware that may or may not be integrated<br />
within a router. The server-based solution has the advantage of being<br />
cheaper. However, the second one has some important features. It is not<br />
tied to the server, and on a LAN there is usually more than one RAS; in<br />
case of failure only one RAS goes down and the other users still have<br />
access to the LAN, while with the server solution everybody loses contact. It is also<br />
highly scalable and manageable. Another point is that it alleviates the<br />
server load.<br />
• Modem<br />
This device is used between the RAS and the telephone lines. Its function is<br />
to modulate an outgoing binary bit stream onto an analog carrier, and<br />
demodulate an incoming binary bit stream from an analog carrier.<br />
The standards defined by the International Telecommunication Union (ITU)<br />
are:<br />
− V.32<br />
Up to 9,600 bps for use over dial-up or leased lines.<br />
− V.32 bis<br />
Up to 14,400 bps for use over dial-up or leased lines.<br />
− V.42<br />
Not a modulation standard, but a standard for error control procedures.<br />
− V.42 bis<br />
Data compression technique for use with V.42.<br />
− V.34<br />
28,800 bps for use over dial-up lines with V.42. With the addition of V.42 bis<br />
compression, in theory it can reach up to 115,200 bps.<br />
− V.34-1996<br />
It provides two additional, optional data transmission speeds of 31.2 and<br />
33.6 kbps. Further enhancements to supporting protocols allow devices<br />
implementing V.34-1996 to deliver more robust and more frequent 26.4<br />
and 28.8 kbps connections. With additional, optional speeds of 31.2 and<br />
33.6 kbps, modems implementing the V.34-1996 standard can<br />
communicate at speeds up to 16.6 percent faster than existing V.34<br />
modems.<br />
Although several different names were used to describe this new<br />
revision of the V.34 standard (for example, Rockwell suggested V.34+ or<br />
V.34 Plus and Lucent Technologies ″extended rate V.34″), in October<br />
1996, Study Group 14 of the ITU-T standards committee finalized the<br />
naming of the new standard as V.34-1996.<br />
There are four areas of improvement that distinguish devices<br />
implementing V.34-1996 from those using the initial version of the<br />
standard:<br />
- Higher Data Rates<br />
The potential for increased communication speed and faster data<br />
throughput always attracts the most excitement in a new or revised<br />
standard. In many instances, using modems that support the<br />
optional connection speeds of 31.2 and 33.6 kbps in the V.34-1996<br />
standard should provide attractive performance gains in real-world<br />
operation. Faster file downloads and reduced online connection<br />
charges are key potential benefits to the end user.<br />
- More Frequent High-Speed Connections<br />
Testing by Xircom and its modem ASIC partners indicates that on<br />
about 60 percent of networks currently supporting 26.4-kbps data<br />
transmission, the enhancements in V.34-1996 offer 2.4 to 4.8 kbps<br />
improvement in connection speeds.<br />
- V.8bis<br />
The original V.34 standard includes a component protocol known as<br />
V.8. This protocol specifies the negotiation startup or handshaking<br />
procedures used between modems before a data exchange. The<br />
V.34-1996 proposal includes an updated startup protocol, V.8bis,<br />
providing quicker connection initialization. Additionally, while certain<br />
types of echo canceling equipment previously caused V.8 to fall back<br />
to V.32bis automode negotiation (limiting speed to a 14.4 kbps<br />
maximum), V.8bis delivers a true V.34-protocol connection. V.8bis<br />
also improves faxing, reduces connection delays and provides more<br />
reliable support when switching between fax and telephone<br />
operation.<br />
- Signaling System 5 Problem Resolved<br />
Most modern telephone networks in the United States use Signaling<br />
System 7 (SS7) protocols to manage data transmission between<br />
central office (CO) switches. However, some older COs still use an<br />
earlier version known as Signaling System 5 (SS5). Two<br />
first-generation V.34 modems communicating between COs using<br />
SS5 occasionally experience connection failures. In V.34-1996, the<br />
startup algorithms are modified, allowing successful operation on<br />
older networks using SS5.<br />
Figure 26. Traditional Analog Modems Connection<br />
The ISP must be concerned about the quality of the modems. Since some have<br />
more reliable call quality than others, choosing well avoids unanswered calls,<br />
downgrades to a lower speed, disconnections in the middle of a call and<br />
an inability to reset after disconnection.<br />
At the moment there is a new 56 kbps modem technology that has been<br />
revolutionary in Internet communications. It is an asymmetrical modem<br />
modulation scheme that provides data transmission speeds of up to 56 kbps<br />
downstream over the Public Switched Telephone Network (PSTN). It takes<br />
advantage of today's Internet access, where a customer's analog modem<br />
connects to a site that is linked to a digital telephone network.<br />
In a connection between two analog V.34 modems, the telephone network<br />
converts the analog signal transmitted from the first modem to a digital<br />
signal. It is then transmitted to the second point, where it is converted<br />
back to an analog signal.<br />
The analog information must be transformed into binary digits in order to be<br />
sent over the PSTN. The incoming analog waveform is sampled 8,000 times<br />
per second, and each time its amplitude is recorded as a pulse code<br />
modulation (PCM) code. The sampling system uses 256 discrete 8-bit PCM<br />
codes. Because analog waveforms are continuous and binary numbers are<br />
discrete, the digits that are sent across the PSTN and reconstructed at the<br />
other end only approximate the original analog waveform. The difference<br />
between the original waveform and the reconstructed quantized waveform in<br />
this analog-to-digital conversion is called quantization noise, and it limits the<br />
communications channel to about 35 kbps (as determined by Shannon's Law).<br />
However, quantization noise affects only the analog-to-digital conversion, not<br />
the digital-to-analog one. This is the fundamental point of this technology:<br />
taking advantage of direct access to the digital telephone network at one<br />
side of the connection instead of an analog loop. In this way, in a<br />
communication between a home user and an ISP with a digital link to the<br />
PSTN, there is no analog-to-digital conversion in the server-to-client<br />
data path. This eliminates the quantization noise and makes a higher<br />
transmission rate possible.<br />
The upstream data flow remains slower because the<br />
analog-to-digital conversion must still be made at the client side.<br />
Figure 27. A 56-kbps Connection between a Home User and an ISP<br />
This technique is especially suited to Internet access. The<br />
requirement of having digital access to the PSTN on one side is satisfied,<br />
since most ISPs have a T1, for example, and the other end connects<br />
through an analog line, which is typically the case for the ISP's customers.<br />
Internet access is also the best application for it: nowadays the customer<br />
downloads files, graphics and games (which require more and more<br />
bandwidth) and usually sends only mouse clicks in the upstream<br />
direction.<br />
To take advantage of this technology, it is necessary to have a pair of<br />
devices: a server modem at the ISP and a modem at the customer's<br />
house. No special lines are required, but both modems must be<br />
from the same supplier. This is because the basic concepts are similar, but the<br />
protocols are not the same. More importantly, the 56-kbps technology is not<br />
a standard. In October 1996, the ITU-T formed an initial working group to<br />
begin the lengthy standardization process. It is expected that this process<br />
will take at least 18 months and likely longer. Additionally, several<br />
companies have received patents on proprietary algorithms that are core to<br />
the 56-kbps technologies. For example, there are 56flex (from Rockwell<br />
and used by Motorola) and x2 (from 3Com and used by USRobotics). It is<br />
likely that an extended period of licensing battles will need to be resolved<br />
before the widespread acceptance of 56 kbps is a reality.<br />
For information about 56-kbps technologies, see:<br />
• http://www.56kflex.com<br />
• http://x2.usr.com<br />
Remember<br />
The router and hub components were discussed previously. Please refer to<br />
2.2.3.1, “Hardware Components” on page 17.<br />
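The dial-in sequence described for the Remote Access Server earlier in this subsection (capture the caller's credentials, ask the authentication server, then hand out an address by user name, by port or from a pool), as an added Python model that is not code from the original book or from any product it describes. The authentication server is an assumed callback, the address sources are assumed to be consulted in the order the text lists them, and the addresses and credentials are constructed from the 192.0.2.0/24 documentation range.<br />

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    port: int
    user: str
    address: IPv4Address


class RemoteAccessServer:
    """Dial-in handling on the ISP LAN (an assumed model of the steps in the text)."""

    def __init__(self, auth_server: Callable[[str, str], bool], pool: IPv4Network,
                 user_addresses: Dict[str, IPv4Address], port_addresses: Dict[int, IPv4Address]):
        self.auth_server = auth_server          # the authentication server's verdict (callback)
        self.user_addresses = user_addresses    # fixed address tied to a user name
        self.port_addresses = port_addresses    # fixed address tied to a serial port
        self.fixed = set(user_addresses.values()) | set(port_addresses.values())
        self.free: List[IPv4Address] = [a for a in pool.hosts() if a not in self.fixed]
        self.sessions: Dict[int, Session] = {}
        self.log: List[str] = []

    def dial_in(self, port: int, user: str, secret: str) -> Optional[Session]:
        """Authenticate first; only an approved caller gets an address and a PPP session."""
        if port in self.sessions:
            self.log.append(f"port {port}: already in use, call from {user!r} rejected")
            return None
        if not self.auth_server(user, secret):
            self.log.append(f"port {port}: authentication failed for {user!r}")
            return None
        address = self._choose_address(port, user)
        if address is None:
            self.log.append(f"port {port}: no address available for {user!r}")
            return None
        session = Session(port, user, address)
        self.sessions[port] = session
        self.log.append(f"port {port}: {user!r} authenticated, PPP up, address {address}")
        return session

    def _choose_address(self, port: int, user: str) -> Optional[IPv4Address]:
        # Precedence as in the text: address by user name, then by port, then from the pool.
        in_use = {s.address for s in self.sessions.values()}
        if user in self.user_addresses:
            fixed = self.user_addresses[user]
            return None if fixed in in_use else fixed      # same user dialled in twice
        if port in self.port_addresses:
            return self.port_addresses[port]
        return self.free.pop(0) if self.free else None     # pool exhausted -> None

    def hang_up(self, port: int) -> bool:
        """Tear down the session on a port and return a pool address for reuse."""
        session = self.sessions.pop(port, None)
        if session is None:
            return False
        if session.address not in self.fixed:
            self.free.append(session.address)
        self.log.append(f"port {port}: {session.user!r} disconnected, {session.address} released")
        return True


def demo():
    """Constructed run: three users, a /29 pool and two fixed addresses from 192.0.2.0/24."""
    creds = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}
    ras = RemoteAccessServer(lambda u, s: creds.get(u) == s, IPv4Network("192.0.2.0/29"),
                             {"alice": IPv4Address("192.0.2.1")}, {2: IPv4Address("192.0.2.2")})
    results = [
        ras.dial_in(1, "dave", "guess") is None,          # unknown user: no address, no session
        ras.dial_in(1, "alice", "pw-a").address == IPv4Address("192.0.2.1"),   # by user name
        ras.dial_in(2, "bob", "pw-b").address == IPv4Address("192.0.2.2"),     # by port
        ras.dial_in(3, "carol", "pw-c").address == IPv4Address("192.0.2.3"),   # from the pool
        ras.dial_in(4, "alice", "pw-a") is None,          # her fixed address is already in use
    ]
    return all(results), ras.log
```

Two details matter operationally: no address is allocated until the authentication server has answered, so a failed login leaves the pool untouched and produces a log line an operator can alert on, and a pool address is returned only on hang-up, which is what makes the port count, not the pool size, the real capacity limit when the pool is sized to the number of ports.<br />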
2.3.3.2 Downstream Hardware Connections<br />
Finally, we describe the typical networking environments for the ISP downstream<br />
connections.<br />
In the most commonly offered connection, analog dial-up with modems, the ISP will<br />
need:<br />
• RAS<br />
• Modems<br />
• Telephone Lines<br />
The RAS is connected to the ISP LAN hub and to the modems through its<br />
serial ports. Depending on the number of ports on the RAS, more than one<br />
may be necessary to serve the whole user population.<br />
The customers then call the ISP's telephone numbers to get their<br />
connections into the LAN. They need a PC and a modem (integrated or not)<br />
and PPP or SLIP to be able to do that. Figure 28 on page 66 shows an example<br />
of this kind of connection:<br />
Figure 28. Example of Analog Dial-Up Connections<br />
On the other hand, if the connections are made over ISDN, the RAS must have<br />
PRI support, and the modems are replaced by CSU/DSUs.<br />
The ISDN service connects from the telephone company switch to the home<br />
user through a two-wire cable. It then connects to a Terminal Adapter (TA),<br />
a kind of ISDN modem, that can be either a stand-alone unit or an interface card<br />
within the PC. In North America, a Network Termination 1 (NT1) is<br />
required between the telephone company and the TA.<br />
If the customer has a LAN, it is necessary to include an NT2, which is<br />
usually a router or bridge with a LAN adapter.<br />
For corporate customers that require dedicated connections, the usual way<br />
of establishing these links is through routers on both sides. The RAS is not used<br />
in this case.<br />
2.3.3.3 <strong>IBM</strong> 8235<br />
This section gives an overview of the <strong>IBM</strong> 8235 Remote Access to LAN<br />
Server.<br />
The <strong>IBM</strong> 8235 is now in its fourth major release. It has proved the potential of its<br />
approach by adding features, by increasing the number of supported platforms,<br />
and by enhancing the flexibility of its hardware through modularity, thus<br />
increasing the range of supported physical interfaces.<br />
Further information can be found in:<br />
• <strong>IBM</strong> 8235 Dial-in Access to LANs Server Concepts and Implementation,<br />
SG24-4816<br />
• http://www.networking.ibm.com/82s/82sprod.html<br />
Overview: The <strong>IBM</strong> 8235 Dial-In Access to LAN (DIAL) server for token-ring and<br />
Ethernet is a dedicated multiport, multiprotocol remote access hardware server.<br />
This server supports remote personal computer (PC) users dialing in to<br />
applications the same way users access applications from workstations directly<br />
attached to a token-ring or Ethernet local area network. With routing and<br />
bridging support for the following multiple protocols, a user can remotely access<br />
a variety of applications:<br />
• NetBIOS for LAN servers<br />
• IPX for NetWare<br />
• 802.2 LLC for 3270 and SNA<br />
• IP for TCP/IP applications<br />
• AppleTalk Apple Remote Access (ARA) 2.0 (Ethernet Only)<br />
Using standard dial networks, users (with PCs and modems) who are remote<br />
from the LAN can access LAN resources and work with applications as if they<br />
were working at locally attached LAN workstations.<br />
Users in the field, such as agents, sales representatives, and employees who<br />
travel or work at home, have the ability to access their applications from any<br />
location that has dial-up telephone service. This extends the productivity of the<br />
workstation to the remote workplace. Using standard analog modems and<br />
dial-up telephone lines, the <strong>IBM</strong> 8235 and the <strong>IBM</strong> DIALs Client for OS/2, DOS,<br />
and Windows operating in the remote PC allow easy access to resources that<br />
users normally access from a workstation connected to a LAN. With support for<br />
multiple protocols and with high-performance filtering and compression<br />
techniques, excellent performance can be achieved when addressing a variety of<br />
applications remotely.<br />
8235 System Components: The 8235 remote access system is made up of three<br />
basic components:<br />
1. The Dial-in Access to LAN Client<br />
A software application that runs on the remote PC providing the dial-in<br />
function. The DIALs Client supports DOS, Windows, and OS/2.<br />
2. The 8235 Management Facility<br />
A Windows application that allows the 8235 to be configured and managed<br />
from any LAN-attached workstation running IPX and Windows.<br />
3. The 8235<br />
A stand-alone hardware device that attaches to either a token-ring or<br />
Ethernet LAN and the public switched telephone network. The function of the<br />
8235 hardware and its associated software is to:<br />
• Provide physical attachment to the LAN and to eight modems.<br />
• Forward data from the LAN to the remote PCs and from the remote PCs<br />
to the LAN using any of the following protocols: IPX, IP, NetBEUI,<br />
AppleTalk ARA 2.0 and LLC.<br />
• Filter and compress data so as to minimize the amount of unnecessary<br />
traffic between the LAN and the remote PC.<br />
• Prevent unauthorized access to the LAN.<br />
Dial-In Access to LAN Servers (DIALs) Client Software: DIALs Client is <strong>IBM</strong>'s<br />
multiprotocol dial-in software for workstations. It allows your modem to fully<br />
access resources of remote networks. The DOS and DOS/Windows client<br />
requires approximately 850 KB disk and 19 KB RAM.<br />
Note<br />
The DIALs Client is shipped with the 8235 with an unlimited right to copy.<br />
DIALs Client contains the following software:<br />
• OS/2 Drivers (NDIS and ODI)<br />
These provide support for OS/2-based communication programs. ODI can be<br />
provided with LAN adapter and protocol support (LAPS).<br />
• DOS Drivers (NDIS and ODI)<br />
These provide support for your DOS-based or Windows-based<br />
communications programs.<br />
• Connect Application<br />
This allows you to create, store, and use connection files to dial in to remote<br />
networks from the OS/2, DOS and Windows environments. The connect<br />
program:<br />
− Provides traffic-flow statistics<br />
− Displays error information<br />
− Displays the modem status<br />
− Displays the modem configuration<br />
<strong>IBM</strong> 8235 New Features: This section describes the new features provided by<br />
DIALs Release 4.0.<br />
1. Dial-In<br />
• Multiprotocol support: Simultaneous multiprotocol dial-in over PPP: IPX<br />
(VLMs and NETX supported) TCP/IP, NetBEUI, 802.2/LLC.<br />
• VxD Windows Client feature summary: The client has been redesigned to<br />
enable support for:<br />
− Windows Virtual Device Driver VxD that only uses 2 KB of client<br />
conventional DOS memory (versus 34 KB)<br />
− Multilink PPP protocol (MLP)<br />
− Channel aggregation (2B)<br />
− STAC 4.0 compression<br />
− Port driver for internal ISDN adapters<br />
− Native driver support for <strong>IBM</strong> WaveRunner digital modem<br />
− New port driver programming interface (API)<br />
− Virtual connections<br />
− New intelligent setup facility<br />
− Easy client installation scripting<br />
− Client event logging application<br />
• Virtual connections: This is the ability to automatically suspend and<br />
resume a physical connection while spoofing network protocols, routing<br />
and applications. The physical connection is only brought up<br />
on-demand.<br />
• Spoofing: This is the ability for a device to determine what is not<br />
meaningful traffic when a virtual connection is suspended. Rather than<br />
establishing the connection, the device responds to the source of the<br />
traffic with the response that would have been generated by the intended<br />
destination device.<br />
• Dial-in channel aggregation: This is the ability to use more than one<br />
communications channel per connection. By aggregating both 64-kbps<br />
ISDN B-channels, users can take advantage of 128-kbps dial-in<br />
connections. Fast 128-kbps data transfer rates reduce file transfer times.<br />
• <strong>IBM</strong> WaveRunner Digital Modem (Internal ISDN terminal adapter):<br />
Provides support for the MCA, ISA and PCMCIA versions of the <strong>IBM</strong><br />
WaveRunner digital modem. The three supported modes are Async V.32<br />
bis modem, ISDN V.120, and Sync Clear Channel.<br />
• Easy client setup:<br />
− An intelligent client setup program that includes a Connection File<br />
Wizard that walks the user through the installation and modifications<br />
to client software.<br />
− The ability to automatically detect attached communications<br />
adapters.<br />
− Powerful file copy mastering capability.<br />
− The client event logging application provides extensive<br />
troubleshooting information. Log information can be displayed to the<br />
screen or to a file.<br />
• Power switching: Allows users to switch back and forth between<br />
communications adapters. Perfect for employees who use one type of<br />
communications adapter when working at home (ISDN) and another<br />
adapter (V.34 modem) when traveling.<br />
• Express installation: A new client installation scripting utility that enables<br />
network managers to establish defined defaults that make client<br />
installation and deployment easier.<br />
• Third-party client support: Dial-in access from Windows 95 and Windows<br />
NT 3.5, Apple's ARA, and <strong>IBM</strong>'s OS/2 DIALs.<br />
Customers using Windows 95, Windows NT, MAC OS or OS/2 can<br />
seamlessly use an <strong>IBM</strong> 8235 as their dial-in server.<br />
• Client event logging application: Events can be displayed on the screen<br />
and/or saved in a text file. The logged events include:<br />
− Buffer allocation/management<br />
− PPP events and state transitions<br />
− PPP negotiation options<br />
− All frames transmitted and received<br />
− Multilink (MLP)<br />
− Compression<br />
− Network protocol decoding (basic IPX, IP and NetBEUI frames)<br />
• New port driver: The new port driver provides support for internal client<br />
ISDN terminal adapters such as the <strong>IBM</strong> WaveRunner.<br />
• Internal ISDN adapters eliminate the async-to-sync conversion overhead<br />
required by external terminal adapters.<br />
2. New Application Programming Interface (API): The <strong>IBM</strong> DIALs 4.0 port driver<br />
API enables third parties to independently develop <strong>IBM</strong> DIALs drivers for<br />
their hardware. Many internal ISDN terminal adapters do not present a<br />
standard PC 8250/16450/16550 UART interface.<br />
3. Enhanced Stac 4.0 Compression: <strong>IBM</strong> upgraded the Stac compression<br />
algorithm from 3.0 to 4.0. Stac 4.0 is faster and more memory efficient. For<br />
digital terminal adapters where there is no compression done by the ISDN<br />
TA or X.25 PAD, it is essential that the compression algorithm used on the<br />
client be as lean and fast as possible.<br />
4. LAN-to-LAN Features:<br />
• Virtual connections (VCs): This is the ability to automatically suspend<br />
and resume a physical connection while spoofing network protocols,<br />
routing and applications. The physical connection is only brought up<br />
on-demand.<br />
• Spoofing: This is the ability for a device to determine what is not<br />
meaningful traffic when a virtual connection is suspended. Rather than<br />
establishing the connection, the device responds to the source of the<br />
traffic with the response that would have been generated by the intended<br />
destination device. Spoofing is done for file server connections (NetWare<br />
drive mapping), routing tables (IP RIP and IPX RIP), SAP tables, TCP<br />
connections, and SPX connections.<br />
• Floating virtual connections (FVC): This is the ability to resume a<br />
suspended virtual connection on a port other than the port on which the<br />
original virtual connection was established. It can reduce the need to<br />
dedicate ports to specific users.<br />
• Juggling virtual connections (JVC): This is the ability to have more<br />
suspended virtual connections than there are ports on the <strong>IBM</strong> 8235.<br />
Customers can have many more suspended users than they have ports.<br />
JVC maximizes the utilization of server communications ports.<br />
• Persistent connections (PC): An <strong>IBM</strong> 8235 configuration option that<br />
allows the server to reestablish the connection in the event of an<br />
unexpected line drop.
• Timed LAN-to-LAN connections (TLC): This is the ability for network<br />
managers to schedule LAN-to-LAN connections. (For example, establish<br />
a LAN-to-LAN connection at 10 a.m. and terminate the connection at 1<br />
p.m.)<br />
• Piggybacking updates: This is a virtual connection synchronizing<br />
mechanism where routing update messages are sent across the link only<br />
when the link is open for real data traffic.<br />
• Timed updates: This is the virtual connection synchronizing mechanism<br />
where at a specified interval the suspended virtual connection is<br />
resumed to enable routing update messages to be sent across the link.<br />
• Triggered updates:<br />
− This is a virtual connection synchronizing mechanism where routing<br />
update messages are sent across the link only when there is a RIP<br />
or SAP database change.<br />
− Triggered update setup options include additions only, deletions only,<br />
or additions and deletions.<br />
• Channel aggregation (multilink PPP, MLP): This is the ability to use more<br />
than one communication channel per connection. LAN-to-LAN<br />
connections can aggregate all <strong>IBM</strong> 8235 channels (analog or digital) up<br />
to the number of ports on the server.<br />
• Packet fragmentation: This is the ability to configure a default packet<br />
size over which packets will be fragmented for more efficient distribution<br />
over aggregated communications links.<br />
• LanConnect applets: LanConnect applets for both PC and MAC allow for<br />
scripting of on-demand LAN-to-LAN connections.<br />
• Delta technology: Specialized remote adaptive routing protocols for<br />
optimizing bandwidth. It prevents unnecessary traffic from being sent<br />
over slow WAN connections by only sending the changes (deltas).<br />
5. Management and Security Features<br />
• PC and MAC server management: Protocols and features can be<br />
managed by MAC or Windows versions of <strong>IBM</strong> NetManager (MAC<br />
AppleTalk, PC/Windows IPX and IP).<br />
• IP download: <strong>IBM</strong> MF will be able to download new code images and<br />
configurations when running over either IP or IPX protocol stack.<br />
• SNMP management: MIB II and others.<br />
• Security: Provides support for agent software from Security Dynamics &<br />
Digital Pathways. Centralized authentication via <strong>IBM</strong> user list, NetWare<br />
Bindery, TACACS and most third-party hardware security solutions are<br />
supported.<br />
Virtual Connection: A virtual connection is a standard LAN-to-LAN or PC<br />
single-user dial-in connection that is enhanced to detect when no meaningful<br />
traffic has been sent over the connection for a period of time; at this time, the<br />
physical connection is suspended while network protocols (IPX and TCP/IP) are<br />
spoofed by devices at either end of the connection. Subsequently, when<br />
meaningful traffic has to be transmitted by the client, the physical connection is<br />
automatically resumed and the data is forwarded over the communications link.<br />
Virtual connections minimize connect-time costs by physically disconnecting the<br />
circuit when there is no meaningful traffic.<br />
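The suspend, spoof and resume behaviour described above, modelled as a small state machine. This is an added illustration written for this page, not code from the redbook or from the 8235 itself; the frame tags, the idle threshold and the set of protocols treated as spoofable are assumptions chosen to match the prose.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed model of a "virtual connection": the physical circuit is dropped when only
# housekeeping traffic has been seen for a while, that traffic is answered locally while
# the circuit is down, and real user data brings the circuit back up.

class Link(Enum):
    UP = "up"
    SUSPENDED = "suspended"

# Protocol housekeeping the dial-in server answers on behalf of the far end while the
# circuit is down. The text names RIP/SAP tables, NetWare drive mappings and TCP/SPX
# connections; the tag names themselves are assumptions for this example.
SPOOFABLE = {"IP-RIP", "IPX-RIP", "SAP", "NCP-KEEPALIVE", "TCP-KEEPALIVE", "SPX-KEEPALIVE"}

@dataclass
class Frame:
    kind: str        # purpose tag, e.g. "DATA" or "IPX-RIP"
    src: str         # "client" or "lan"

@dataclass
class VirtualConnection:
    idle_timeout: float                 # seconds without meaningful traffic before suspend
    state: Link = Link.UP
    last_meaningful: float = 0.0
    resumes: int = 0
    spoofed: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)

    def tick(self, now: float) -> Link:
        """Idle timer: drop the physical circuit when only spoofable traffic has flowed."""
        if self.state is Link.UP and now - self.last_meaningful >= self.idle_timeout:
            self.state = Link.SUSPENDED
        return self.state

    def handle(self, frame: Frame, now: float) -> str:
        """Process one frame and report what was done with it."""
        if frame.kind in SPOOFABLE:
            if self.state is Link.SUSPENDED:
                # Answer locally with what the far end would have sent; no dial-out.
                self.spoofed.append(frame)
                return "spoofed"
            # Circuit already up: the update rides along ("piggybacked"), but it is not
            # meaningful traffic and does not reset the idle timer.
            self.forwarded.append(frame)
            return "forwarded"
        # Real user data: bring the circuit up if needed, then forward.
        self.last_meaningful = now
        if self.state is Link.SUSPENDED:
            self.state = Link.UP
            self.resumes += 1
            self.forwarded.append(frame)
            return "resumed+forwarded"
        self.forwarded.append(frame)
        return "forwarded"

def simulate() -> dict:
    """Drive the model through a constructed traffic timeline and return the counters."""
    vc = VirtualConnection(idle_timeout=60.0)
    timeline = [
        (0.0, Frame("DATA", "client")),            # real work at t=0
        (30.0, Frame("IPX-RIP", "lan")),           # piggybacked while the link is up
        (70.0, None),                              # idle tick: 70 s since last data -> suspend
        (90.0, Frame("IPX-RIP", "lan")),           # spoofed, circuit stays down
        (95.0, Frame("NCP-KEEPALIVE", "client")),  # spoofed
        (120.0, Frame("DATA", "client")),          # real data -> resume and forward
    ]
    events = []
    for now, frame in timeline:
        events.append(vc.tick(now).value if frame is None else vc.handle(frame, now))
    return {"events": events, "resumes": vc.resumes,
            "spoofed": len(vc.spoofed), "state": vc.state.value}

if __name__ == "__main__":
    print(simulate())
```

The point of keeping `SPOOFABLE` as an explicit allow-list is that spoofing means answering for a peer that is not there: anything outside the list must either cause a real dial or be reported, never silently answered or dropped, otherwise a suspended link can mask genuine state changes at the far end.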
Figure 29. 8235 Management Facility Window<br />
Another benefit of a virtual connection is ease-of-use and management. Once<br />
the original connection is established, no user or system administrator<br />
intervention is required. The physical link is automatically suspended and<br />
resumed on-demand.<br />
Channel Aggregation: New high-performance channel aggregation technology<br />
enables dial-in and LAN-to-LAN users to establish more than one<br />
communications channel per connection. <strong>IBM</strong> channel aggregation technology<br />
utilizes the industry-standard protocol known as Multilink PPP for maximum<br />
client/server device interoperability and investment protection. Packet<br />
fragmentation is also available for maximum performance.<br />
Management Facility: The Management Facility program is a Windows<br />
application that enables you to configure and manage the 8235s on your network,<br />
create user lists, and manage the security of your 8235s. This program is<br />
provided with your 8235. The <strong>IBM</strong> 8235 Management Facility requires a<br />
workstation with Windows 3.1 or later, initially attached to the network. All 8235<br />
models operate with the same 8235 Management Facility. You also need to load<br />
IPX or IP on the machine running the Management Facility to communicate with<br />
the 8235.<br />
In Figure 29 you can see the Management Facility window.<br />
8235 Hardware: Figure 30 on page 73 shows the front panel for all models of<br />
the 8235.<br />
Figure 30. 8235 Front View<br />
The front panel contains LEDs that indicate:<br />
• Power status<br />
• Network status<br />
• Serial port status<br />
Table 16 shows the meanings of the status indicator LEDs on the front panel of<br />
the 8235 in various operating modes, and Table 17 shows the meaning of the<br />
power LED.<br />
Table 16. Meanings of 8235 Network Status and Port Status LEDs<br />
Status | Network Status LED | Port Status LEDs<br />
OFF | No power or no network connection | Not in use<br />
Green | Connected to network but idle | User connected<br />
Green flashing (consistent) | Downloading microcode | Download mode<br />
Green flashing (inconsistent) | Connected to the network and transmitting | User connected and transmitting data<br />
Green and Orange flashing | Connected to the network and transmitting with errors | -<br />
Orange flashing (consistent) | Power on self-test | Download mode<br />
Orange flashing (inconsistent) | Connected and transmitting with errors | Connected to the modem and transmitting with transmit or receive errors<br />
Orange (solid) | 8235 hardware failure | Port or 8235 hardware failure<br />
Table 17. Meaning of 8235 Power Status LED<br />
Status | Meaning<br />
ON | Indicates that the 8235 is powered on<br />
Figure 31. 8235 Model 021 Rear Panel<br />
Figure 32. 8235 Model 031 Rear Panel<br />
LAN Connection: The 8235 comes with one LAN connection, a token-ring or an<br />
Ethernet port.<br />
The 8235 is also available as a module for the 8250 multiprotocol hub in<br />
token-ring and Ethernet models.<br />
Figure 31 shows the rear view of the token-ring Model 8235-021.<br />
Figure 32 shows the rear panel of the token-ring Model 8235-031.<br />
You make all connections on the 8235 rear panel, so the token-ring model<br />
includes one token-ring connector (DB-9) and a ring data rate switch to select<br />
the data rate of 4 or 16 Mbps.<br />
Note: The data rate you set must match the data rate of the token-ring network. Be<br />
sure to set the power switch to Off (O) before you set the data rate.<br />
Figure 33. 8235 Model 022 Rear Panel<br />
Figure 34. 8235 Model 032 Rear Panel<br />
Figure 33 shows the rear panel of the 8235 Ethernet Model 022.<br />
Figure 34 shows the rear panel of the 8235 Ethernet Model 032.<br />
The 8235 Ethernet models provide three connectors for Ethernet: AUI (Thick<br />
Ethernet), BNC (Thin Ethernet) and UTP as shown in Figure 33. You must select<br />
the Ethernet connector that you want to use with the switch that is at the back of<br />
the 8235.<br />
Three Ethernet wiring schemes are supported:<br />
• Thin (10Base2)<br />
• Thick (10Base5)<br />
• UTP (10Base-T)<br />
Figure 35. 8235 Model 052 Rear Panel<br />
When twisted-pair is selected, the LED next to the twisted-pair port on the rear<br />
panel of the 8235 Ethernet models indicates the network status. Table 18<br />
summarizes what the various flashing patterns mean and what actions, if any,<br />
you should take.<br />
Table 18. 8235 LED Error Code Flashing Patterns<br />
LED Pattern | Meaning | Action to Take<br />
On | Normal link is established. | None; normal operation.<br />
Off | 10Base-T is not selected. | Set the Ethernet connector switch to the 10Base-T (far left) position.<br />
One flash | Link to 10Base-T is down. | Check that the hardware connections are secure. Reestablish the link.<br />
Two flashes | Jabber error (possibly transient). The 10Base-T transceiver has detected a continuous frame transmission of 131 milliseconds or greater by the LAN controller in the 8235 Ethernet models. Transmission on the network is inhibited. | Wait a few seconds to see whether the problem goes away. If not, restart the 8235 Ethernet models, or contact <strong>IBM</strong> Product Support.<br />
Two new low-entry models are now available in the 8235 family. Figure 35<br />
shows you the rear panel of the 8235 Model 052.<br />
Two new models are available, Model 052 with Ethernet port and Model 051 with<br />
token-ring port. These 2-port models address the needs of the small and remote<br />
offices for remote LAN access supporting the same features as the other models.<br />
8235 Code Structure: The software that runs in the 8235 server can be<br />
separated into three pieces:<br />
• Boot PROM<br />
The Boot PROM resides in ROM and performs the function of downloading a<br />
software image if there is no valid image in the VROM. Otherwise, the<br />
VROM performs software downloads. The Boot PROM accomplishes<br />
software downloads via Boot Protocol (BOOTP) and trivial file transfer<br />
protocol (TFTP) or via SPX. In addition to software downloads, the Boot<br />
PROM performs power-on self-test (POST) and switches the device to<br />
diagnostic mode if the POST fails.<br />
• VROM<br />
The VROM serves to isolate the mainline programs from the hardware by<br />
providing the following:<br />
− Device drivers for LAN and serial port I/O<br />
− Buffer and memory management<br />
− Management of non-volatile storage<br />
− LED manipulation<br />
− Message logging<br />
− Acquiring VROM maintained data<br />
− Acquiring hardware configuration information<br />
The VROM also contains a bootstrap application that is capable of acquiring<br />
a new download by unattended BOOTP and TFTP or a NetWare SPX<br />
download from the Management Facility. The 8235 downloads new images<br />
through the LAN port (token-ring or Ethernet).<br />
• Main Software Image<br />
The bulk of the run-time function in the 8235 is contained in the main<br />
software image. This image consists of the software kernel, frame<br />
forwarding support, management, and security.<br />
Updating Microcode: The system structure for the 8235 makes it an excellent<br />
platform for future enhancements that can be obtained via software updates.<br />
• <strong>Download</strong>ing Modes<br />
The 8235 can be put into several different boot-up sequences under the<br />
control of one of the following:<br />
− Management Facility<br />
− Command shell<br />
− Physical interruption (power on and off, pin reset)<br />
The different modes are described in the following paragraphs.<br />
• Warm Boot<br />
Under normal circumstances, the 8235 will contain a software image and<br />
configuration that has been stored in battery-backed RAM. When the system<br />
is rebooted (powered on or restarted due to a configuration change), it goes<br />
through a normal cycle. During this cycle, it will temporarily appear to the<br />
Management Facility to be in download mode. The device list window will<br />
indicate that the device is in DL mode. This condition should last for only a<br />
few seconds. If for some reason the 8235 has lost its code image or has<br />
been pin reset, it will remain in download mode until a management entity<br />
has loaded new code.<br />
• <strong>Download</strong> Code Only<br />
The 8235 can be instructed to download a new code image only by issuing a<br />
download command from the Management Facility. This means that it will<br />
load a new code image, but will maintain its configuration data.<br />
• Clear and <strong>Download</strong><br />
A clear and download command from the Management Facility will put the<br />
8235 into download mode from the Boot PROM on the 8235 and will load both<br />
code and VROM, and will cause any configuration data in the 8235 to be lost.<br />
It will remain in download mode until a management entity loads a new<br />
version of code.<br />
• Pin Reset Switch<br />
The 8235 has a tiny pinhole at the back that is not labeled. It is a pin reset<br />
which corresponds to an internal switch that performs the hard reset of the<br />
8235 and is often overlooked. It should be used if you lose contact with the<br />
Management Facility due to hardware problems or if you lose the<br />
administrator's password. It performs the same function as the clear and<br />
download command. No indication of this pin reset is noted on the hardware<br />
itself.<br />
Models Summary: The main difference between all the 8235 models is the<br />
communication port that is used.<br />
Table 19. 8235 Models<br />
Model | Token-Ring | Ethernet | HS Serial Port (115.2 kbps) | Internal Modem or ISDN BRI | Serial Port (57.6 kbps)<br />
8235-021 | X | | X | |<br />
8235-022 | | X | X | |<br />
8235-031 | X | | 1-8 | 1-8 | 1-8<br />
8235-032 | | X | 1-8 | 1-8 | 1-8<br />
8235-051 | X | | | 2 |<br />
8235-052 | | X | | 2 |<br />
8250 module | X | | | | X<br />
8250 module | | X | | | X<br />
Note: The Models 031 and 032 have empty slots, into which you can install up to<br />
eight cards (eight modem cards, or eight serial cards, or eight ISDN BRI<br />
cards, or a combination of them).<br />
Communication Options: Here is a brief description of the different<br />
communication options that the 8235 has:<br />
• Models 021 (token-ring) and 022 (Ethernet)<br />
The high-speed base Models 021 and 022 support serial port speeds up to<br />
115.2 kbps, enhancing the 8235 model offerings. These new models are<br />
shipped with eight RS-232-D (V.24/V.28) ports for attachment of up to eight<br />
modems with 115.2 kbps serial port speed. Excellent performance can be<br />
achieved with the high-speed V.34 data compression modems.<br />
• Models 031 (token-ring) and 032 (Ethernet)<br />
These models do not contain a fixed port configuration. The customer<br />
configures the ports to meet their needs with any combination of modems<br />
and/or serial cards.<br />
Model 031 is an unpopulated token-ring base server, and Model 032 is an<br />
unpopulated Ethernet base server. Both models provide plug-in slots for<br />
V.34 modem cards and serial cards. These models support a total of eight<br />
cards (eight modem cards or eight serial cards or eight ISDN BRI cards, or a<br />
combination of them totaling eight).<br />
These models can support eight remote users simultaneously with reliable<br />
asynchronous transmission speeds up to 115.2 kbps. With the serial cards,<br />
you can configure some or all of the ports to attach external asynchronous<br />
terminal adapters for digital services, such as ISDN or Switched 56.<br />
The Management Facility of 8235 Models 031 and 032 is an extension to the<br />
facility provided with the other models of the 8235 and is enhanced to include<br />
management of the new V.34 integrated modems and serial cards.<br />
<strong>IBM</strong> has extended the flexibility of the <strong>IBM</strong> 8235 Models 031 and 032 remote<br />
access server with several new upgrade modules:<br />
<strong>IBM</strong> 8235-031 and 032 BRI module:<br />
− 2B+D with V.110 and V.120 rate adaption.<br />
− S/T and U interface versions are available.<br />
− BRI module can be monitored from <strong>IBM</strong> MF. Configuration setup,<br />
revisions, and troubleshooting can all be managed remotely.<br />
<strong>IBM</strong> 8235-031 and 032 Sync/Async module:<br />
− Users can connect synchronous devices (ISDN BRI TAs, CSU/DSUs and<br />
modem eliminators) directly to the <strong>IBM</strong> 8235 Models 031 and 032. The<br />
direct synchronous connection takes advantage of the faster line speed<br />
(128 kbps versus 115 kbps), eliminates the extra timing bits (async has<br />
two extra timing bits per character transmitted), and avoids the overhead of<br />
converting a synchronous transmission into asynchronous transmission.<br />
− Supports either synchronous or asynchronous communications channels.<br />
• Models 051 (token-ring) and 052 (Ethernet)<br />
These 2-port models have the same functionality as the 8235 8-port models.<br />
They are for those who want to take advantage of the 8235 functions in a<br />
small office network where only a few remote-access ports are needed.<br />
• 8250 Modules<br />
These modules integrate <strong>IBM</strong> 8235 remote LAN access server product<br />
functions into the 8250 hub.<br />
There are two kinds of 8235 modules:<br />
− One for attaching an Ethernet network<br />
− One for token-ring network attachment<br />
These modules occupy a single slot in the 8250 hub chassis. The Ethernet<br />
module provides one Ethernet attachment switchable to any of the three<br />
Ethernet segments on the 8250 backplane. Likewise, the token-ring module<br />
provides one token-ring attachment that can operate at either 4 or 16 Mbps.<br />
The attachment is switchable to any of the seven token-ring backplane<br />
segments.<br />
Each module has eight serial communication ports. Each port has an<br />
RS-232-D (V.24/V.28) interface with a DIN connector for attachment to<br />
standard asynchronous modems. Data transfer speed ranges from 2400 bps<br />
up to 28.8 kbps, or even up to 115.2 kbps when using high-speed data<br />
compression modems. The modules come with eight DIN-to-25 pin RS232<br />
patch cables to attach to external modems.<br />
Supported Protocols: The 8235 supports remote clients using any of the<br />
following protocols:<br />
• NetBIOS and 802.2<br />
The 8235 software filters on LLC service access points (SAPs) and on<br />
NetBIOS names based on the filter tables contained in the server. The<br />
tables will be set up in the box, but the information can be overridden using<br />
the operating system shell. There are no external parameters available to<br />
manage filtering as there are for an <strong>IBM</strong> Token-Ring Bridge or for LAN<br />
Distance software. LLC SAP filters allow X'02', X'04', X'05', X'08', X'E0', X'F0'<br />
and X'F4' SAPs to be bridged. These are also configurable.<br />
Frame forwarding (that is, the process of forwarding data from the client<br />
workstation to the LAN and from the LAN to the client) is accomplished<br />
differently depending on the protocol selected during the configuration of the<br />
connections.<br />
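An allow-list SAP filter of the kind described above, written as an added example for this page (not the 8235's own code). The 802.3/802.2 frame layout is the standard one; the default SAP list is the one quoted in the text; the sample frames, the MAC addresses and the decision to mask the SSAP command/response bit before comparison are my constructions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: filter bridged 802.2 frames by LLC service access point against an
# allow-list. Frames that are not 802.2 at all, or that carry a SAP outside the list,
# are not bridged.

DEFAULT_ALLOWED_SAPS = frozenset({0x02, 0x04, 0x05, 0x08, 0xE0, 0xF0, 0xF4})

@dataclass(frozen=True)
class LlcHeader:
    dsap: int
    ssap: int
    control: bytes

def parse_8023_llc(frame: bytes) -> Optional[LlcHeader]:
    """Return the LLC header of an IEEE 802.3 frame, or None if no 802.2 header is present."""
    if len(frame) < 17:                       # 14-byte MAC header + DSAP, SSAP, control
        return None
    length_or_type = int.from_bytes(frame[12:14], "big")
    if length_or_type >= 0x600:               # Ethernet II type field: no LLC header follows
        return None
    dsap, ssap, ctrl0 = frame[14], frame[15], frame[16]
    # U-format control is one byte (low two bits 11); I and S formats carry two bytes.
    ctrl_len = 1 if (ctrl0 & 0x03) == 0x03 else 2
    if len(frame) < 16 + ctrl_len:
        return None
    return LlcHeader(dsap, ssap, frame[16:16 + ctrl_len])

def sap_filter_allows(hdr: LlcHeader, allowed: frozenset = DEFAULT_ALLOWED_SAPS) -> bool:
    """Both SAPs must be on the list. The DSAP is compared as-is (group SAPs such as X'05'
    are listed explicitly); the SSAP's low bit is the command/response flag and is masked off."""
    return hdr.dsap in allowed and (hdr.ssap & 0xFE) in allowed

def bridge_decision(frame: bytes) -> str:
    hdr = parse_8023_llc(frame)
    if hdr is None:
        return "drop: not 802.2"
    if sap_filter_allows(hdr):
        return "bridge"
    return f"drop: SAP {hdr.dsap:#04x}/{hdr.ssap:#04x} not allowed"

def make_frame(dsap: int, ssap: int, control: bytes = b"\x03", payload: bytes = b"") -> bytes:
    """Build a constructed 802.3 frame carrying an LLC header (UI control byte by default)."""
    dst = bytes.fromhex("030000000001")       # constructed group address
    src = bytes.fromhex("020000000002")       # constructed locally administered address
    llc = bytes([dsap, ssap]) + control + payload
    return dst + src + len(llc).to_bytes(2, "big") + llc

if __name__ == "__main__":
    for name, f in [("NetBIOS UI frame", make_frame(0xF0, 0xF0)),
                    ("SNA response frame", make_frame(0x04, 0x05)),
                    ("Spanning tree BPDU", make_frame(0x42, 0x42))]:
        print(f"{name}: {bridge_decision(f)}")
```

Because the filter is an allow-list, anything the administrator has not named (here, for instance, spanning-tree BPDUs on SAP X'42') stays off the dial-in link by default; widening the list is a deliberate configuration act rather than the failure mode.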
• Bridging<br />
With NetBIOS and 802.2 protocols, the token-ring 8235 acts like an <strong>IBM</strong> token-ring<br />
bridge, as shown in Figure 36.<br />
Figure 36. Source Routing Bridge<br />
Figure 37. 8235 Acting As a Transparent Bridge<br />
The bridged frames appear on the ring as if they came from an adapter.<br />
NetBIOS and 802.2 dial-in also supports specialized filtering to protect clients<br />
from broadcast traffic on the dial-in links.<br />
The 8235 acts like a transparent bridge for Ethernet as shown in the<br />
Figure 37.<br />
• Ring Parameter Server<br />
The ring parameter server (RPS) function has been implemented in the case<br />
where the 8235 is the only bridge on the ring. Here is an explanation of what<br />
the RPS function provides.<br />
The RPS is the target for all request initialization MAC frames that are sent<br />
by ring stations during their attachment to the ring segment. The RPS<br />
function makes the following parameters available to all ring stations on the<br />
ring in response to the request initialization MAC frame:<br />
− Ring number<br />
− Ring station soft error report time value (default of 2 seconds)<br />
− Physical location (not currently implemented)<br />
There can be more than one RPS function active on any given ring segment.<br />
Note: This differs from an <strong>IBM</strong> source routing bridge in that the 8235 lacks the LAN<br />
reporting mechanism functions that would allow it to report configuration<br />
information to LAN Network Manager (LNM) or to accept configuration changes<br />
from LNM.<br />
• IP Traffic<br />
The 8235 will transparently forward IP traffic based on the IP address. The<br />
8235 implements the proxy address resolution protocol (ARP) function to<br />
reduce broadcast traffic over the remote lines.<br />
Figure 38. 8235 Proxy ARP<br />
Note: This means that the 8235 will respond to all ARP queries for remote client<br />
addresses with its own hardware address instead of having the ARPs go<br />
across the WAN. The source stations will then forward packets for the<br />
remote clients to the 8235's physical address. The 8235 will then route<br />
the packet to the correct client based on the IP address.<br />
An example of how the network would appear is shown in Figure 38:<br />
The 8235 will implement the following IP functions:<br />
− IP Address Resolution Protocol (ARP)<br />
− Internet Protocol<br />
− Internet Control Message Protocol (ICMP)<br />
− Transmission Control Protocol (TCP)<br />
− User Datagram Protocol (UDP)<br />
− Trivial File Transfer Protocol (TFTP)<br />
− Boot Protocol (BOOTP)<br />
− Telnet<br />
− Routing Information Protocol (RIP)<br />
For IP traffic, Van Jacobson Header compression is supported. This is<br />
transparent to the user, but enhances performance over the telephone<br />
network connection.<br />
IP environments pose a unique challenge to dial-in access, as the addresses<br />
contain the identification of the network. If the users provide their own IP<br />
address, then they are limited to dialing in to the network for which they
have been preconfigured. There are, however, some environments where<br />
the user will dial in to the same network all of the time and want to keep the<br />
same IP address. Furthermore, because of the nature of IP address<br />
discovery (ARP), it is desirable to limit the amount of ARP traffic across the<br />
WAN.<br />
Because of this, the 8235 supports address assignment in two ways:<br />
1. Proxy ARP with static client addressing, which has the following<br />
properties:<br />
− Dial-in client has a configured IP address, provided to the box by<br />
IPCP.<br />
− A user must dial-in or attach to the same network all of the time.<br />
− Full end-user TCP/IP application suite support.<br />
− IP address for each dial-in client is resolved to MAC address of the<br />
LAN port (proxy ARP).<br />
− Packets are routed based on host ID. If the network ID does not<br />
match the host ID, the packets will not be forwarded.<br />
− Remote-to-remote is a special case. The 8235 recognizes it and<br />
forwards the traffic as a special case.<br />
− Header compression is supported.<br />
2. Proxy ARP with dynamic client addressing, which has the following<br />
properties:<br />
− The 8235 provides unique client IP address through IPCP.<br />
− Dial-in users can dial in to any network that is reachable from the<br />
LAN to which the 8235 is connected.<br />
− The user does not own a well-known IP address. While this may<br />
prohibit the use of dial-in clients as servers, it allows the use of most<br />
user-oriented software.<br />
− The IP address for each dial-in client is resolved to the MAC address<br />
of a LAN port.<br />
− Packets are routed based on host ID.<br />
− Remote-to-remote is a special case. The 8235 recognizes it and<br />
forwards the traffic as a special case.<br />
− Header compression is supported.<br />
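The proxy ARP and forwarding rules listed above, as an added Python model for this page (not the 8235's firmware). The LAN prefix, the server MAC address and the client table are constructed; the check that a dial-in packet's source address matches the port it arrived on is an added safeguard, not a behaviour the text attributes to the 8235.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional

# Added example: a dial-in server that answers ARP for its connected clients with its own
# LAN MAC address and forwards on host ID, refusing clients whose network ID does not match.

LAN = IPv4Network("192.0.2.0/24")        # LAN the server is attached to (constructed)
SERVER_MAC = "00:00:5e:00:53:01"         # server's LAN-port hardware address (constructed)

@dataclass
class DialInServer:
    lan: IPv4Network
    lan_mac: str
    clients: Dict[IPv4Address, int]      # client IP (agreed via IPCP) -> dial-in port

    def arp_reply(self, target_ip: IPv4Address) -> Optional[str]:
        """Proxy ARP: answer only for connected clients, with the server's own MAC.
        Unknown addresses get no reply, so the server never claims addresses it does not serve."""
        return self.lan_mac if target_ip in self.clients else None

    def forward(self, src_ip: IPv4Address, dst_ip: IPv4Address, from_port: Optional[int]) -> str:
        """Decide where a packet goes. from_port is None for packets arriving from the LAN."""
        if from_port is not None and self.clients.get(src_ip) != from_port:
            # Added safeguard: a client may only send from the address bound to its port.
            return "drop: source address does not belong to this port"
        if dst_ip in self.clients:
            if from_port is not None:
                return f"remote-to-remote: port {from_port} -> port {self.clients[dst_ip]}"
            return f"to port {self.clients[dst_ip]}"
        if from_port is not None:
            # Client to LAN: the client's network ID must match the LAN it dialled into.
            if src_ip not in self.lan:
                return "drop: client network ID does not match the LAN"
            return "to LAN"
        return "drop: not a dial-in client"

def demo() -> dict:
    """Exercise the rules against a constructed client table."""
    server = DialInServer(LAN, SERVER_MAC, {
        IPv4Address("192.0.2.50"): 1,
        IPv4Address("192.0.2.51"): 2,
        IPv4Address("198.51.100.7"): 3,   # client configured with the wrong network ID (constructed)
    })
    return {
        "arp_known": server.arp_reply(IPv4Address("192.0.2.50")),
        "arp_unknown": server.arp_reply(IPv4Address("192.0.2.99")),
        "lan_to_client": server.forward(IPv4Address("192.0.2.10"), IPv4Address("192.0.2.51"), None),
        "client_to_lan": server.forward(IPv4Address("192.0.2.50"), IPv4Address("192.0.2.10"), 1),
        "remote_to_remote": server.forward(IPv4Address("192.0.2.50"), IPv4Address("192.0.2.51"), 1),
        "wrong_network": server.forward(IPv4Address("198.51.100.7"), IPv4Address("192.0.2.10"), 3),
        "spoofed_source": server.forward(IPv4Address("192.0.2.51"), IPv4Address("192.0.2.10"), 1),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Answering ARP only for addresses in the client table is what keeps a proxy ARP responder from becoming a generic address hijack on the LAN: the reply set is exactly the set of currently connected clients, and it empties as they disconnect.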
• IPX Traffic<br />
The 8235 implements an IPX router function as defined by Novell.<br />
Figure 39. 8235 IPX Router<br />
Basic IPX protocols implemented by the 8235 are:<br />
− Internet packet exchange (IPX) providing the basic network layer<br />
transport for NetWare IPX.<br />
− Sequenced Packet eXchange (SPX) for a reliable byte stream protocol.<br />
This is used for NetWare diagnostics and for downloading code images<br />
over IPX.<br />
− Routing information protocol (RIP), which provides a mechanism for IPX<br />
routers to exchange network topology information as needed to maintain<br />
routing tables. RIP uses a distance vector algorithm to calculate best<br />
routes.<br />
− Service advertising protocol (SAP), which provides a mechanism for end<br />
systems to locate NetWare services. The 8235 advertises its management<br />
via SAP.<br />
The 8235 supports dial-in routing by the remote user for IPX onto the local<br />
LAN. The network number of the dial-in port can be assigned by the<br />
administrator. If the assigned number is in use on the network when a user<br />
dials in, the box can be configured to take one of three actions: use the net<br />
number anyway, use a random number, or refuse the connection. If the<br />
dial-in client uses a non-zero node address, the server will accept it. If the<br />
client uses a zero node address, the server will provide the client's address.<br />
The 8235 supports the following IPX frame types:<br />
− Ethernet II (Ethernet)<br />
− 802.3 (Ethernet)<br />
− 802.2 (Ethernet)<br />
− SNAP (Ethernet)<br />
− SNAP (token-ring)<br />
− 802.2 (token-ring)<br />
• AppleTalk ARA 2.0<br />
You can configure the 8235 as an end node or router and assign it to an<br />
AppleTalk zone.<br />
AppleTalk protocols support zones for managing user access to network<br />
devices and services. Zones are logical names associated with networks.<br />
The network administrator chooses an AppleTalk Phase 2 default zone<br />
during the initial setup of the network. The 8235 can be placed in this default<br />
zone or in a valid Phase 2 zone in the zone list.<br />
Note: The 8235 supports AppleTalk Phase 2 networks only.<br />
The 8235 may appear as one of the following on the AppleTalk network:<br />
− A node<br />
− A router<br />
End nodes<br />
Apple Remote Access (ARA) software allows Apple users to connect to an<br />
AppleTalk network through a modem/serial link. The ARA remote client<br />
calls a locally attached ARA server. The ARA server provides the client with<br />
access to LAN resources (electronic mail, file servers, printers, and network<br />
applications).<br />
An ARA server operating in end-node mode is responsible for forwarding<br />
packets sent to and from the ARA client. The ARA server examines packets<br />
sent on the network. If the destination is the ARA server or a remote ARA<br />
client, or it is a broadcast packet, then the server accepts the packet. If the<br />
destination is a remote ARA client, the server sends the packet across the<br />
serial link to the remote client.<br />
AppleTalk remote access protocol (ARAP) requires the ARA server to<br />
prevent broadcast routing table maintenance protocol (RTMP) information<br />
from being forwarded to the client over the serial link. The ARA client does<br />
not need the RTMP broadcast information.<br />
A packet sent from an ARA client to a user on a different network is<br />
forwarded by the ARA server to a router using the most recent router<br />
method. This method is used because the ARA server operating in end-node<br />
mode is not a router and must forward the packet based on the most recent<br />
information it has received about the destination. The most recent router<br />
method does not ensure the packet is routed to its destination by the fastest<br />
available path. The ARA server in end-node mode provides for easy<br />
configuration. An end node does not require a new (additional) network<br />
number and is less intrusive on large networks because it does not<br />
broadcast RTMP packets as a router does.<br />
Advantages Using the 8235 in End-Node Mode<br />
− Easy setup.<br />
− Network number not required.<br />
− Serial link traffic could be minimized.<br />
- NBP broadcasts not destined for the client are not forwarded.<br />
- RTMP packets are not forwarded. The 8235 is not a router in this<br />
mode.<br />
The end-node implementation of ARAP in the 8235 is compatible with Apple's<br />
ARAP implementation. When the 8235 is configured to function as an end<br />
node, the 8235 forwards the data packets to and from the ARA clients in the<br />
same way as an ARA server.<br />
With the 8235 functioning as an end node, all 8235s on the network can be<br />
assigned to one zone in the Phase 2 zone list with the “8235 appears in”<br />
option. Network administrators would only need to access one zone to find<br />
all the 8235s on the network.<br />
8235 ARA clients can be assigned to a different Phase 2 zone. Assigning<br />
ARA users to a different zone can help reduce NBP broadcasts over the<br />
serial link if the zone chosen does not receive many NBP broadcasts. This<br />
can significantly improve performance over the serial link.<br />
ARA Routers<br />
An ARA server in router mode acts as a router between two networks: the<br />
local Internetwork on which the server resides and a network into which<br />
remote clients are assigned. In contrast to an ARA end-node server, which<br />
makes a remote ARA client a node on the network, an ARA server in router<br />
mode makes an ARA client a node on a separate dial-in (remote) network.<br />
The dial-in network has as many nodes as there are ARA clients connected<br />
to the server. This ARA client network can be assigned to any zone on the<br />
network, including a zone in the Phase 2 zone list, or a newly created zone.<br />
When acting as a router, the ARA server maintains complete zone and<br />
routing tables of the Internetwork in memory. When a node on the<br />
Internetwork sends a packet, the router examines the packet header and<br />
determines the destination by checking the routing table. If the destination is<br />
a remote ARA client, the packet is routed to the dial-in network and sent to<br />
the node number of the ARA client.<br />
When a packet is sent from an ARA client to the local network over the serial<br />
link, the ARA server uses its routing table information to route the packet to<br />
its destination by the most efficient path in the routing table.<br />
An ARA server configured as a router can isolate the ARA client from<br />
AppleTalk broadcast packets by permitting the client to be located in a<br />
dial-in zone. This improves performance over the serial link, as only<br />
broadcasts into the dial-in zone are sent over the serial link.<br />
Advantages Using the 8235 in Router Mode<br />
86 The Technical Side of Being an Internet Service Provider<br />
The 8235 can be configured to function as a conforming router or as a seed<br />
router. A conforming router obtains routing information from other routers<br />
on the network. A seed router provides the routing information to the other<br />
routers on the network.<br />
The 8235 operating in router mode provides some advantages:<br />
− AppleTalk broadcast packets sent over the remote link can be limited by<br />
placing the remote link into a dial-in zone. Only broadcasts into that<br />
zone are sent over the link.<br />
− The 8235 knows the fastest route to all networks and will route client<br />
packets by the most efficient path.<br />
− The 8235 can be assigned to a different zone in the Phase 2 zone list. By<br />
assigning all 8235s to a particular management zone, network<br />
administrators only need to access one zone to find all 8235s on the<br />
network.
− The 8235 can isolate ARA clients from the rest of the Internetwork by assigning clients to a dial-in zone. Each client has a different node number in this zone. The dial-in zone may be a newly created zone; it does not have to be in the Phase 2 zone list. All dial-in clients can be placed into this dial-in zone, and network administrators can monitor dial-in activity by monitoring this zone.
− Network and zone information is configurable for ARA clients.<br />
− For LAN-to-LAN connections, the 8235 must be in router mode.<br />
IP Information<br />
IP forwarding allows the 8235 to assign IP addresses to dial-in clients. A client's IP address must belong to the IP subnet of the 8235's Ethernet interface. Other IP hosts on that subnet reach the dial-in users through the 8235: the 8235 answers Address Resolution Protocol (ARP) requests for any client IP address with its own Ethernet address (the one specified on the IP configuration page). This is referred to as proxy ARP. Packets that LAN hosts then send to that Ethernet address are accepted by the 8235 and forwarded over the serial link to the client that owns the destination IP address.
IP packets are routed across an AppleTalk network by means of<br />
encapsulation. The 8235 sends IP packets to Macintosh dial-in clients by<br />
encapsulating the IP packet within an AppleTalk packet. The 8235 forwards<br />
IP packets from an ARA client to an IP host by de-encapsulating the IP<br />
packet.<br />
The 8235 ARA dial-in clients appear as if they are directly connected nodes<br />
within the IP network. The IP host and the dial-in client are not affected by<br />
the fact that their packets are being routed through the 8235.<br />
The Macintosh dial-in client uses the name binding protocol (NBP) to search<br />
for an IPGATEWAY device type in a specified zone. Since the 8235 is the<br />
ARA server for the client, the 8235 processes all of the client′s AppleTalk<br />
packets and checks its configuration to see if it is configured as an IP<br />
gateway for that zone. If it is, the 8235 responds to the Macintosh dial-in<br />
client that it is an IPGATEWAY.<br />
The dial-in client sends a Kinetics Internet Protocol (KIP) command to the<br />
8235 asking for an IP address. The 8235 responds with the dial-in client′s IP<br />
address, subnet mask, broadcast address and the IP address of the name<br />
server.<br />
To communicate with an IP host, the user must have an IP address. IP<br />
addresses are assigned to a Macintosh client as follows:<br />
− Per user: When a dial-in connection is made, the 8235 checks the user<br />
list to see if there is a user IP address. If there is a user IP address in<br />
the user list, the 8235 assigns this IP address to the client.<br />
− Per port: If there is no IP address in the user list, the 8235 assigns the<br />
port IP address to the client.<br />
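To make the two mechanisms above concrete, here is an added example, written for this page and not taken from the 8235 firmware, that assigns an address to a dial-in user (per-user entry first, per-port address otherwise) and then answers an Ethernet ARP request for that address with the access server's own MAC, which is the proxy ARP behaviour described. The user list, port addresses and MAC addresses are constructed sample data.

```python
"""Added example: per-user/per-port address assignment and proxy ARP, as an
access server like the 8235 would do them. Illustrative code written for this
page, not the 8235 firmware; all addresses below are constructed samples."""
import struct
from typing import Optional

# Constructed sample configuration (assumptions, not taken from the product).
GATEWAY_MAC = bytes.fromhex("02000c000001")   # Ethernet address of the access server
PORT_IP = {1: "192.0.2.50", 2: "192.0.2.51"}  # per-port fallback addresses
USER_LIST = {                                 # per-user entries; "ip" may be absent
    "alice": {"ip": "192.0.2.10"},
    "bob": {},                                # no user address: falls back to the port address
}

def assign_ip(user: str, port: int, user_list=USER_LIST, port_ip=PORT_IP) -> Optional[str]:
    """Per-user address wins; otherwise the port address; None for unknown users."""
    entry = user_list.get(user)
    if entry is None:
        return None                           # unknown user: never hand out an address
    return entry.get("ip") or port_ip.get(port)

# Ethernet II header and ARP packet (RFC 826) for IPv4 over Ethernet.
ETH_HDR = struct.Struct("!6s6sH")
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast 'who has target_ip' frame, as a LAN host would send it."""
    eth = ETH_HDR.pack(b"\xff" * 6, sender_mac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REQUEST, sender_mac, ip_bytes(sender_ip),
                       b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp

def proxy_arp_reply(frame: bytes, active_clients: dict, gateway_mac: bytes = GATEWAY_MAC) -> Optional[bytes]:
    """Return an ARP reply carrying the gateway's MAC if the requested IP belongs to
    a currently connected dial-in client; otherwise None (frame is ignored)."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    if ".".join(str(b) for b in tpa) not in active_clients:
        return None
    # Unicast reply to the requester: sender fields carry the client's IP but the
    # gateway's own hardware address, which is exactly what proxy ARP does.
    eth = ETH_HDR.pack(sha, gateway_mac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, gateway_mac, tpa, sha, spa)
    return eth + arp

def reply_sender_mac(reply: bytes) -> bytes:
    """Hardware address the reply claims for the target IP."""
    return ARP_PKT.unpack_from(reply, ETH_HDR.size)[5]

if __name__ == "__main__":
    active = {}
    for user, port in (("alice", 1), ("bob", 2), ("mallory", 3)):
        ip = assign_ip(user, port)
        if ip:
            active[ip] = user
    print("active clients:", active)
    host_mac = bytes.fromhex("02000c0000aa")
    req = build_arp_request(host_mac, "192.0.2.1", "192.0.2.51")
    rep = proxy_arp_reply(req, active)
    print("reply sender MAC:", reply_sender_mac(rep).hex() if rep else None)
```

Only addresses of currently connected clients are answered, so the server never claims addresses it is not forwarding for. Two things a practitioner should keep in mind: LAN hosts cache the server's MAC for the client address, and with per-port assignment the same address is reused by successive callers on that port, so activity logs should record the user name with the address rather than the address alone.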
Security: The 8235 provides several security features. Passwords for both dial-in and LAN-to-LAN connections are automatically encrypted. User lists store user profiles that include user names, passwords, permissions and dial-back. If dial-back is selected in a user profile, the 8235 hangs up after the dial-in or LAN-to-LAN connection is established and then calls the user back, either at a configured number (required dial-back) or at a number entered by the user when the connection was established (roaming dial-back). Only required dial-back adds an access control, because with roaming dial-back the caller chooses the number. Unauthorized access to the 8235 device configuration or user list can be prevented by assigning the 8235 an administrator password. This password is stored in the 8235 device configuration information, not in the user list.
The 8235 has a unified security architecture that allows any supported security server on the LAN to be used to authenticate any user, regardless of the protocol the user connects with. This allows a centralized security method to be used for all authentications. 8235 Version 2.0 code or later supports the following authentication databases:
• 8235 User List<br />
• NetWare Bindery<br />
• SecurID ACE/Server<br />
• Master/Slave User List<br />
The 8235 prompts separately for the user name and password for each method<br />
of authentication. Thus, more than one security method can be used<br />
simultaneously. SecurID could be used to authenticate an individual user who<br />
then logs in to a NetWare Bindery group and is granted the access privileges<br />
associated with that group. Because the client's protocol does not matter, the NetWare Bindery could be used to authenticate an Apple Remote Access (ARA) Version 2.0 dial-in user.
• 8235 User List<br />
Using the 8235 Management Facility, a user list can be created, edited, and<br />
then saved to a file or loaded into the 8235. The 8235 user list stores the<br />
names, passwords, and permissions of users authorized to dial in to or out<br />
of the network or to connect to another network. User lists are stored in<br />
battery backed-up RAM in the 8235. Each 8235 can have a different user list<br />
or one user list can be downloaded to multiple 8235s. The NetWare Bindery<br />
or SecurID is recommended if there are more than 500 users.<br />
• Using the NetWare Bindery<br />
The NetWare Bindery is a database that resides on a NetWare server. This<br />
database contains profiles of network users that define each user′s NetWare<br />
name, password, dial-back number, and the permissions to use one or more<br />
8235 functions such as dial-in, dial-out or LAN-to-LAN.<br />
When bindery authentication is enabled, it replaces the 8235 user list<br />
authentication.<br />
With bindery security enabled the bindery services utility can be used to<br />
create bindery groups for dial-in, dial-out, and LAN-to-LAN users. The group<br />
names are 8235_DIALIN, 8235_DIALOUT, and 8235_LAN-to-LAN. The bindery<br />
dial-in user groups are used when a user dials in to the network using a<br />
NetWare name and password. The 8235 logs in to the NetWare server with<br />
this user name and password and then logs out. If the 8235 logon to the<br />
server was successful, the 8235 allows the user to access the network<br />
through the 8235.<br />
• Bindery and Apple Remote Access (ARA)<br />
To use the bindery, ARA Version 2.0 users must have the 8235 Security<br />
Module in their Macintosh systems Extensions folder in the System folder.<br />
This module supplies a security drop-in, which provides 8235 password<br />
encryption (thereby allowing bindery security to work with ARA Version 2.0.)<br />
• Using SecurID<br />
Figure 40. 8235 Security System<br />
Security Dynamics, Inc. manufactures two security solutions that are<br />
compatible with the 8235. The first is a multiport, stand-alone device that<br />
can be inserted between the 8235 and the modem. This solution requires no<br />
particular configuration of the 8235. The device dialing in must be capable of<br />
handling the authentication dialog.<br />
Macintosh users who have the external SecurID client box installed for their<br />
8235 can still use their Connection Control Languages (CCL) as before;<br />
however, SecurID should not be enabled in the 8235 Management Facility, as<br />
this will trigger the 8235 internal SecurID client.<br />
SDI′s second security solution is the Security Dynamics ACE/Server, which is<br />
a system of server and client software and SecurID cards. Once enabled,<br />
SecurID authentication is used for all protocols (IP, IPX, NetBEUI, 802.2 LLC,<br />
and ARA).<br />
The 8235 can use SecurID to protect its serial ports from unauthorized dial-in<br />
access. SecurID authenticates users and may be used in conjunction with<br />
the 8235 user list or the NetWare Bindery. See Figure 40 for the SecurID<br />
configuration.<br />
SecurID authentication is not required of dial-out users, users managing the<br />
8235 with the command shell, or users managing the 8235 with the 8235<br />
Management Facility. SecurID does not protect the 8235 from dial-out,<br />
LAN-to-LAN, or local area network shell access. If the 8235 is using SecurID<br />
authentication, incoming LAN-to-LAN connections are not permitted.<br />
The components of a full implementation of SecurID are as follows:<br />
− SecurID server software
This software runs on a UNIX machine. The User Datagram Protocol (UDP) is used to communicate with the client software running on the 8235. This server software is purchased from Security Dynamics, Inc.
− SecurID client<br />
This is the component running on the 8235 that communicates with the<br />
SecurID server via UDP. It is compatible with SecurID server software<br />
Version 1.1 or later.<br />
− SecurID card<br />
This component is a card that provides the user with a passcode number<br />
needed to access the SecurID server.<br />
− Dial-in client software<br />
This is the standard 8235 Remote Dial-in Client Version 2.0 or later for<br />
PC users or Apple Remote Access (ARA) Client Version 2.0 or later for<br />
Macintosh users.<br />
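The following added example (illustrative code written for this page, not the 8235's or Security Dynamics' implementation) shows the sequential two-stage authentication the text describes: a one-time passcode check against a token server, then a name and password check against a directory whose group membership (8235_DIALIN, 8235_DIALOUT, 8235_LAN-to-LAN) decides which service the user may use, with the profile's required dial-back number returned for the connection. The SecurID algorithm is proprietary, so the tokencode here is an HMAC-SHA1 time-step code used as a stand-in assumption; users, PINs, token seeds, passwords, groups and dial-back numbers are constructed sample data.

```python
"""Added example: two authentication stages consulted in sequence (token
passcode, then directory name/password with group-based permissions). Written
for this page; it does not implement SecurID (proprietary) or talk to NetWare.
The tokencode is an HMAC-SHA1 time-step code (assumption); all user data is
constructed sample data."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

TIME_STEP = 60   # seconds per tokencode (assumption)

def tokencode(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """Six-digit time-based code: HMAC-SHA1 over the time step, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

# Stage 1: token server (stand-in for the ACE/Server). Passcode = PIN + tokencode.
TOKENS = {"alice": {"pin": "2468", "secret": b"alice-token-seed"}}

def stage1_token(user: str, passcode: str, now: int) -> bool:
    tok = TOKENS.get(user)
    if tok is None:
        return False                      # no token assigned: token auth applies to everyone
    expected = tok["pin"] + tokencode(tok["secret"], now)
    return hmac.compare_digest(expected, passcode)   # constant-time comparison

# Stage 2: directory with group membership (stand-in for the Bindery).
# Group names are the ones the page lists for the 8235.
BINDERY = {
    "alice": {"password": "w1nter", "groups": {"8235_DIALIN"}, "dialback": "+1 555 0100"},
    "bob": {"password": "s0mmer", "groups": {"8235_DIALOUT", "8235_LAN-to-LAN"}},
}

def stage2_bindery(user: str, password: str) -> Optional[dict]:
    entry = BINDERY.get(user)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    return entry

@dataclass
class Session:
    user: str
    permissions: set = field(default_factory=set)
    dialback_number: Optional[str] = None   # required dial-back number from the profile

def authenticate(user: str, passcode: str, directory_password: str, now: int,
                 service: str = "8235_DIALIN") -> Optional[Session]:
    """Each stage is prompted for separately and all must pass; the requested
    service (dial-in, dial-out, LAN-to-LAN) must be one of the user's groups."""
    if not stage1_token(user, passcode, now):
        return None
    entry = stage2_bindery(user, directory_password)
    if entry is None or service not in entry["groups"]:
        return None
    return Session(user, set(entry["groups"]), entry.get("dialback"))

if __name__ == "__main__":
    now = 1_000_000_000
    code = tokencode(TOKENS["alice"]["secret"], now)
    print(authenticate("alice", "2468" + code, "w1nter", now))
    print(authenticate("alice", "2468" + code, "w1nter", now, service="8235_DIALOUT"))
```

Both comparisons use hmac.compare_digest so that a wrong passcode or password takes the same time as a correct one, and a user without a token entry fails before the directory is consulted, which matches the page's note that SecurID, once enabled, applies to every protocol.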
The Activity Logger: The Activity Logger runs under Microsoft Windows and<br />
DOS. It provides information about 8235s and their dial-in activity on the<br />
network.<br />
The logger carries out the following tasks:<br />
• It records the dial-in activity of the 8235 on the network.<br />
• It notifies the network administrator of 8235 activity according to a set of<br />
priorities and classes selected by the administrator.<br />
The 8235 logs its activity to another station using a mechanism of SNMP called a<br />
trap. Each time the 8235 logs an event, it sends a trap message to its trap host.<br />
The trap host can be one of the following:<br />
• A workstation running the 8235 Activity Logger<br />
• An IP host with an SNMP manager<br />
There can only be one trap host associated with an 8235 at any given time. This<br />
trap host is configured in the 8235 Management Facility on the SNMP<br />
configuration window. There are two host types to choose from: None and IP.<br />
If you select IP, then you can also specify the IP address of the trap host. This IP<br />
host must be an SNMP manager and have some facility for displaying SNMP trap<br />
messages if it is to be used as the activity logger. For example, this could be a<br />
NetView for AIX management station.<br />
If you select None, the trap host address cannot be specified via the 8235 Management Facility. Instead, once an 8235 Activity Logger workstation (the logger runs on top of IPX) selects an 8235 as a device to be logged to that workstation, the selected 8235 sends all of its trap messages to that workstation. If an 8235 is selected on one Activity Logger workstation while another Activity Logger workstation is the current trap host, the new workstation becomes the trap host. This makes it easy to switch over to a backup host if a trap host goes down; it also means that any workstation on the IPX network from which the Activity Logger can be run is able to redirect an 8235's trap stream to itself, so the logger should be confined to administrator workstations.
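As an added example of what the trap host has to do with the messages it receives (written for this page; not the Activity Logger's code), the block below encodes a constructed SNMPv1 trap the way an agent would, decodes it with a small BER parser, and accepts it only if the UDP source address, the agent-addr field and the community string all match the configured 8235. The enterprise OID, addresses, community and varbind text are assumptions, not the 8235's real MIB.

```python
"""Added example: a minimal SNMPv1 trap receiver (RFC 1157 Trap-PDU, BER encoded)
with a source check against the configured 8235. Illustrative code for this page,
not the 8235 Activity Logger; the sample trap is constructed with the encoder
below and its OIDs, addresses and community are assumptions."""
SEQ, INT, OCTSTR, OID, TRAP_PDU, IPADDR, TIMETICKS = 0x30, 0x02, 0x04, 0x06, 0xA4, 0x40, 0x43

def tlv(tag: int, body: bytes) -> bytes:
    """BER tag-length-value with short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def enc_int(v: int, tag: int = INT) -> bytes:
    return tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                        # base-128, high bit marks continuation
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def build_v1_trap(community, enterprise, agent_ip, generic, specific, ticks, varbinds) -> bytes:
    """Encode a Trap-PDU as the agent (the 8235) would; varbinds are (oid, text) pairs."""
    vbl = b"".join(tlv(SEQ, enc_oid(n) + tlv(OCTSTR, v.encode())) for n, v in varbinds)
    pdu = (enc_oid(enterprise) + tlv(IPADDR, bytes(int(o) for o in agent_ip.split(".")))
           + enc_int(generic) + enc_int(specific) + enc_int(ticks, TIMETICKS) + tlv(SEQ, vbl))
    return tlv(SEQ, enc_int(0) + tlv(OCTSTR, community.encode()) + tlv(TRAP_PDU, pdu))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element); raises on truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def dec_oid(b: bytes) -> str:
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_v1_trap(datagram: bytes) -> dict:
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != SEQ:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(msg, 0)
    if tag != INT or int.from_bytes(ver, "big", signed=True) != 0:
        raise ValueError("not SNMPv1")
    _, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != TRAP_PDU:
        raise ValueError("not a Trap-PDU")
    fields, p = [], 0
    for _ in range(6):                        # enterprise, agent-addr, generic, specific, ticks, varbinds
        _, body, p = read_tlv(pdu, p)
        fields.append(body)
    ent, addr, gen, spec, ticks, vbl = fields
    varbinds, q = {}, 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        _, name, r = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, r)
        varbinds[dec_oid(name)] = val.decode("ascii", "replace") if vtag == OCTSTR else val
    return {"community": community.decode("ascii", "replace"), "enterprise": dec_oid(ent),
            "agent": ".".join(map(str, addr)), "generic": int.from_bytes(gen, "big", signed=True),
            "specific": int.from_bytes(spec, "big", signed=True),
            "ticks": int.from_bytes(ticks, "big"), "varbinds": varbinds}

def accept_trap(datagram: bytes, udp_src_ip: str, trusted_agent: str, community: str):
    """Log only traps whose UDP source, agent-addr and community all match the
    configured 8235. SNMPv1 has no authentication, so this is a sanity check,
    not proof of origin: UDP source addresses and the community are forgeable."""
    try:
        trap = parse_v1_trap(datagram)
    except (ValueError, IndexError):
        return None
    if udp_src_ip != trusted_agent or trap["agent"] != trusted_agent:
        return None
    if trap["community"] != community:
        return None
    return trap

if __name__ == "__main__":
    sample = build_v1_trap("public", "1.3.6.1.4.1.2", "192.0.2.5", 6, 1, 123456,
                           [("1.3.6.1.4.1.2.99.1.0", "dial-in: alice on port 3")])
    print(accept_trap(sample, "192.0.2.5", "192.0.2.5", "public"))
    print(accept_trap(sample, "198.51.100.7", "192.0.2.5", "public"))   # other source: dropped
```

The check is a filter, not authentication: SNMPv1 carries the community string in cleartext and UDP source addresses are trivially forged, so any host on the path can read the dial-in activity or inject fake events. Where the page's IP trap-host option is used, the trap host belongs on a management network that dial-in clients and other untrusted hosts cannot reach.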
2.3.3.4 IBM 8235-I40
This section gives an overview of the IBM 8235 Model I40 DIAL Switch.
Further information can be found in:
• IBM 8235 Dial-in Access to LANs Server Concepts and Implementation, SG24-4816
• http://www.networking.ibm.com/82s/82sprod.html
Introduction: The 8235 Model I40 DIAL Switch (referred to from here on as the I40) is an enterprise-level device that attaches to one LAN (the current release supports Ethernet only) and to several high-speed communication lines such as T1, E1 and primary rate ISDN (PRI) interfaces. Unlike the other 8235 models, it does not attach directly to analog lines (except for its out-of-band management ports) or to basic rate ISDN lines. However, it accepts calls from clients attached to such lines when the public carrier delivers those calls over its high-speed line interface.
Disclaimer<br />
Some of the information contained in this chapter may not apply to the initial<br />
release. In particular, this is the case for ARA 1.0, which is not supported,<br />
and any dial-out capabilities, including call-back. However, this is contained<br />
in some of the panels of the Management Facility. For that reason and<br />
because these functions are likely to be added in a future release, they have<br />
not been removed from this chapter.<br />
This is by no means a pre-announcement of any of these features. Plans<br />
may change; for the actual set of functions, refer to the manuals that come<br />
with the product.<br />
We had only limited test opportunity with the I40; for this reason, many of the details described here were derived from working with the Management Facility, and there was no way to test some of them with actual WAN lines and actual dial-in connections.
Model I40 Hardware Overview: Here we discuss the hardware components of<br />
the I40. They are:<br />
• Chassis<br />
• Slots<br />
− Slots 1-3, dedicated, PCI only<br />
− Slots 4-11, multipurpose, ISA or PCI<br />
• Cards<br />
− CPU card<br />
− LAN card (Ethernet)<br />
− WAN cards (single and dual, T1 and E1)<br />
− Modem card (DMC)<br />
• Bus connections between the cards<br />
• Limitations in current (first) release<br />
Chassis: The I40 has the size and shape of a desktop PC (rack-mountable) and is populated with cards via a PCI bus, just like a PC. But it is not a PC: it does not allow the attachment of a keyboard, mouse or monitor, and it does not have a processor-equipped motherboard. The base unit mainly houses some front-panel LEDs, an auto-detecting power supply, cooling devices and a board with a PCI bus (133 MB/s data throughput) to receive up to 11 cards. These cards actually carry out the functions of the machine. For a view from the top refer to Figure 41 on page 92. There are two groups of slots: 1-3 and 4-11.
Figure 41. 8235-I40 Top View with Upper Cover Removed<br />
Slots 1-3: These slots are PCI only and for dedicated purposes only:<br />
• Slot 1 must be equipped with the main CPU card, carrying the main<br />
processor and its memory.<br />
• Slot 2 must take the LAN adapter. At this initial release there is only one<br />
option, an Ethernet adapter with AUI and 10Base-T connectors. Only one of<br />
those connectors can be used at a time.<br />
• Slot 3 is reserved for future use and must currently be empty.<br />
Slots 4-11: These slots each have a PCI connector and an ISA connector, so<br />
either a PCI card or an ISA card can be installed into each slot. For cooling<br />
reasons (fan airflow) the ISA WAN cards (T1 or E1) have to be installed in slot 4<br />
and 5. The remaining six slots can be used to install Digital Modem Cards<br />
(DMCs).<br />
Figure 42. 8235-I40 Front View - Sample Configuration<br />
Cards: There are four types of cards. See Figure 42 for their placement and<br />
faceplate layout.<br />
1. The CPU card carries the main processor, a Motorola 68060, two asynchronous serial ports for out-of-band management, and the memory. There are several types of memory, as follows:
• Flash memory. One part of this is permanent VROM (PVROM); this can only be replaced by a flash upgrade. The other part is upgradeable VROM (UVROM); it holds the firmware image, which can be replaced by selecting Clear and Download from the Management Facility.
• Dynamic RAM (DRAM). This is a special 32-bit, EDO, 50 ns memory.<br />
There is 4 MB on board; 4-MB SIMMs can be added up to a total of 64<br />
MB. The box may be shipping with some SIMMs already installed.<br />
Attention<br />
Never attempt to use any off-the-shelf memory here. This is likely to<br />
be destructive.<br />
• VROM. Code and image are loaded here for execution, transmits to and<br />
receives from the LAN card are stored here and all data buffering takes<br />
place here.<br />
• Static RAM (SRAM). This stores data that is to be retained when the<br />
machine is powered off, among which is configuration data, the IP<br />
address of the device and the user list. This memory is battery-backed.<br />
Figure 43 on page 94 shows a sample display provided by the Management<br />
Facility Device Info... function, giving details on these memory types.<br />
Figure 43. Device Info Page - Memory<br />
2. The LAN card currently has to be the Ethernet card. Future possible<br />
enhancements are token-ring and others. Unlike other models of the 8235,<br />
the LAN connection is not a fixed, built-in interface, but a removable,<br />
replaceable card. For this reason there is no need to distinguish between<br />
token-ring models and Ethernet models, as is the case with all other current<br />
non-I40 8235 models.<br />
Attention<br />
This LAN card is a feature code of the 8235-I40; it cannot be replaced by<br />
any other general purpose PCI Ethernet adapter.<br />
3. There are four types of WAN cards. They all have three connectors at the<br />
back, marked Port B, Port A and Diagnostics Port from top to bottom.<br />
Depending on the type of card (single or dual), either port A is inactive and<br />
port B only is active (single) or both ports are active (dual).<br />
Port A corresponds to line 1 in the WAN card configuration page; port B<br />
corresponds to line 2. Consequently, a single WAN card has only a line 2, not<br />
a line 1.<br />
The Diagnostic port is not used for data transfer and is not described here.<br />
All four WAN cards are ISA cards; they plug into the ISA connector of a multipurpose slot (slots 4 and 5, as noted above). They all have an integrated processor. These are the different types of cards:
• PR Single T1<br />
Primary Rate Interface - Single T1 WAN Card<br />
This card has one physical T1 interface. On board is an integrated CSU.<br />
• PR Dual T1<br />
Primary Rate Interface - Dual T1 WAN Card<br />
This card has two physical T1 interfaces. On board is an integrated CSU.<br />
• PR Single E1<br />
Primary Rate Interface - Single E1 WAN Card<br />
This card has one physical E1 interface. It does not require a CSU;<br />
however, it has straps where the CSU could be placed. These straps<br />
must not be removed.<br />
• PR Dual E1<br />
Primary Rate Interface - Dual E1 WAN Card<br />
This card has two physical E1 interfaces and no integrated CSU (see<br />
above).<br />
4. There is one type of digital modem card (DMC). It has a PCI connector. It<br />
carries 12 Rockwell V.34 chip sets, so it accounts for 12 analog modems.<br />
Each of them can support a 28.8-kbps connection with a port speed of up to<br />
115.2 kbps. The card has a dedicated microprocessor and is<br />
flash-upgradeable.<br />
Bus Connections: In addition to the Peripheral Component Interconnect (PCI)<br />
bus, there is a second connection, only between the WAN cards and the DMCs.<br />
This is the Multi Vendor Integration Protocol (MVIP) flat cable bus. The MVIP<br />
connectors are located near the top edge of these cards, so the cable is running<br />
across the top of the vertically inserted cards in slots 4 to 11 (see Figure 44).<br />
Figure 44. 8235-I40 Card Insertion (MVIP Flat Cable)<br />
MVIP is an industry-standard TDM bus technology, carrying 256 64-kbps<br />
full-duplex channels, yielding 16 Mbps overall throughput capacity. This MVIP<br />
bus is being used for communication between DMCs and WAN cards for analog<br />
calls that require modem processing. When an analog call comes in, the WAN<br />
card is capable of detecting this and routing it to a modem. The modem (one out<br />
of 12 residing on a DMC) does the DSP processing and then, in turn, routes the<br />
data stream, which is now digital, to the main CPU over the PCI bus. When a<br />
digital call comes in, the WAN card directly forwards the data to the main CPU.<br />
So there is no additional impact on the PCI bus imposed by analog calls as<br />
compared to digital calls, even though analog calls require more processing.<br />
(See Figure 45 on page 96 for the data flow.)<br />
Figure 45. 8235-I40 Data Flow<br />
Capacity Limitations: For the initial release, the following limitations apply:<br />
• Two WAN cards can be present with a maximum of three WAN interfaces. So<br />
the maximum is one single and one dual WAN card.<br />
• There can be up to five DMCs present. This accounts for 60 modems.<br />
• The number of supported connections depends on the type of WAN interface<br />
being used and on the type of calls (digital or analog):<br />
− 60 analog sessions maximum (five DMCs)<br />
− 78 sessions maximum (mix of digital and analog) for E1 (three E1<br />
interfaces)<br />
− 71 sessions maximum (mix of digital and analog) for T1 (three T1<br />
interfaces)<br />
These limitations are likely to change in future releases, as they are not design<br />
limits.<br />
2.3.3.5 RLAN Function of 2210
Another option for dial-in equipment is the IBM 2210 with the RLAN function. This function makes it possible to use the 2210 either as a remote access server at the ISP or as a dial-out server for LAN customers.
The RLAN function implements the following new RFCs in the 2210:
• PPP Internet Protocol Control Protocol Extensions for Name Server Address<br />
(RFC 1877)<br />
• Dynamic Host Configuration Protocol (RFC 1541)<br />
• Microsoft Point to Point Compression (MPPC) Protocol (RFC 2118)<br />
The RLAN additions implement:<br />
• Callback/Dialback<br />
This is a feature associated with remote access solutions. It serves two purposes:
1. It can be used as a form of security. When used in this way, callback is generally referred to as required callback. When it is negotiated, the user is dialed back at a predetermined number, and only then is the PPP link allowed to come up. The access control comes from the number being fixed in the server-side user profile rather than chosen by the caller.
2. Callback can also be implemented as a toll-saver feature. When used in this way, callback is generally referred to as roaming callback. Unlike required callback, roaming callback is requested by the client, which supplies the number to call. Its primary function is to bill the toll charges to the company maintaining the dial server instead of the user; because the caller chooses the number, it adds no access control.
The user configuration is done via the PPP user list.
Callback is not supported with some backend authentication protocols, namely those that carry nothing more than a user/password pair.
• Dial-In<br />
In this design, a dial circuit can be configured to support PPP dial-in on the 2210. The dial-in client runs on a remote workstation and accesses resources as if it were attached to the LAN. This is supported on the WAN ports configured to handle V.34 modems.
Figure 46. Dial-In Design<br />
The V.34 handler facilitates data flow and commands between virtual nets<br />
(dial-circuits) and the Connection Management Library (CML).<br />
Enhancements to CML include the ability to allow PAP/CHAP authentication<br />
in addition to the proprietary method.<br />
This function provides more reliable modem control as well as the capability<br />
to provide WAN restoral over analog modems.<br />
• Dial-Out BBS, FAX<br />
The dial-out functions on the 2210 allow LAN users access to networked<br />
modems. These outgoing calls can be placed to FAX machines, BBS and<br />
ISPs.
Figure 47. Dial-Out Design<br />
This feature is configured on the 2210 by adding a dial-out net. This net is<br />
then linked to one of the base modem ports. The access to elementary<br />
modem functions on the network is limited to outbound access only.<br />
• Proxy DHCP<br />
The negotiation of an IP address for a remote access client is made through<br />
PPP via IPCP. Currently, the IP address that is chosen for the client is<br />
selected via one of the following three methods:<br />
− Client specified<br />
− User ID specified<br />
− Port specified<br />
The user ID and port specified require that an IP address be stored locally<br />
on the box in SRAM or some other persistent memory. Proxy DHCP is an<br />
additional method to determine the IP address for a dial-in client based on<br />
the Dynamic Host Configuration Protocol outlined in RFC 1541.<br />
This protocol allows for the dynamic allocation of IP addresses from a pool<br />
located on a server accessible by the 2210. This server is queried upon<br />
connection by a remote user and returns a suitable IP address from a pool.<br />
This address is then used during IPCP negotiation with the client. Access to the DHCP server is thus transparent to the dial-in user.
The Proxy DHCP helps customers manage large networks.<br />
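Here is an added example of the proxy DHCP step (illustrative code written for this page, not the 2210's implementation): the access server builds a DHCPDISCOVER on the dial-in client's behalf, identifying the client by a client-identifier option, a simulated pool server answers with a DHCPOFFER, and the offered address and name servers are mapped onto the IPCP options that go to the PPP client (IP-Address from RFC 1332, primary and secondary DNS from RFC 1877, which the page lists). Only the DISCOVER/OFFER half of the exchange is shown; the DHCPREQUEST/DHCPACK confirmation and lease renewal are omitted. Addresses, the pool, the client identifier and the use of the server's own address as giaddr are constructed assumptions.

```python
"""Added example: proxy DHCP for a dial-in user and the hand-off to IPCP.
Illustrative code for this page, not the 2210's; addresses, pool and client
identifier are constructed. Wire format per RFC 2131 (same as RFC 1541)."""
import struct

HDR = struct.Struct("!BBBBIHHIIII16s64s128s")   # fixed DHCP header (RFC 2131, sec. 2)
MAGIC = b"\x63\x82\x53\x63"                       # options magic cookie
DISCOVER, OFFER = 1, 2
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSGTYPE, OPT_CLIENT_ID, OPT_END = 1, 3, 6, 51, 53, 61, 255

def ip2int(ip: str) -> int:
    return struct.unpack("!I", bytes(int(o) for o in ip.split(".")))[0]

def int2ip(n: int) -> str:
    return ".".join(str(b) for b in struct.pack("!I", n))

def encode_options(opts) -> bytes:
    return b"".join(bytes([code, len(val)]) + val for code, val in opts) + bytes([OPT_END])

def decode_options(raw: bytes) -> dict:
    opts, i = {}, 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:                           # pad octet
            i += 1
            continue
        code, n = raw[i], raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + n]
        i += 2 + n
    return opts

def build_discover(xid: int, client_id: str, giaddr: str) -> bytes:
    """The access server has no client MAC for a dial-in user, so the client is
    identified by a client-identifier option (user name here; assumption).
    giaddr carries the server's own address so the pool server picks the
    right subnet (assumption about how such a proxy would be built)."""
    hdr = HDR.pack(1, 0, 0, 0, xid, 0, 0x8000, 0, 0, 0, ip2int(giaddr), b"", b"", b"")
    return hdr + MAGIC + encode_options([(OPT_MSGTYPE, bytes([DISCOVER])),
                                         (OPT_CLIENT_ID, b"\x00" + client_id.encode())])

class PoolServer:
    """Stand-in for the DHCP server: leases addresses from a pool, keyed by client-id."""
    def __init__(self, pool, mask, router, dns, lease=3600):
        self.free, self.leases = list(pool), {}
        self.mask, self.router, self.dns, self.lease = mask, router, dns, lease

    def handle(self, pkt: bytes):
        hdr = HDR.unpack_from(pkt)
        xid, flags, giaddr, chaddr = hdr[4], hdr[6], hdr[10], hdr[11]
        opts = decode_options(pkt[HDR.size + 4:])
        if opts.get(OPT_MSGTYPE) != bytes([DISCOVER]) or OPT_CLIENT_ID not in opts:
            return None
        cid = opts[OPT_CLIENT_ID]
        if cid not in self.leases:
            if not self.free:
                return None                       # pool exhausted: no address, never a duplicate
            self.leases[cid] = self.free.pop(0)
        ip4 = lambda a: struct.pack("!I", ip2int(a))
        hdr = HDR.pack(2, 0, 0, 0, xid, 0, flags, 0, ip2int(self.leases[cid]), 0, giaddr, chaddr, b"", b"")
        return hdr + MAGIC + encode_options([
            (OPT_MSGTYPE, bytes([OFFER])), (OPT_MASK, ip4(self.mask)), (OPT_ROUTER, ip4(self.router)),
            (OPT_DNS, b"".join(ip4(d) for d in self.dns)), (OPT_LEASE, struct.pack("!I", self.lease))])

def parse_offer(pkt: bytes, xid: int):
    """Return the offered parameters, or None if this is not the OFFER for our xid."""
    hdr = HDR.unpack_from(pkt)
    if hdr[0] != 2 or hdr[4] != xid or pkt[HDR.size:HDR.size + 4] != MAGIC:
        return None
    opts = decode_options(pkt[HDR.size + 4:])
    if opts.get(OPT_MSGTYPE) != bytes([OFFER]):
        return None
    dns = opts.get(OPT_DNS, b"")
    return {"ip": int2ip(hdr[8]), "mask": int2ip(struct.unpack("!I", opts[OPT_MASK])[0]),
            "dns": [int2ip(struct.unpack("!I", dns[i:i + 4])[0]) for i in range(0, len(dns), 4)],
            "lease": struct.unpack("!I", opts[OPT_LEASE])[0]}

IPCP_IP_ADDRESS, IPCP_PRIMARY_DNS, IPCP_SECONDARY_DNS = 3, 129, 131   # RFC 1332 / RFC 1877

def ipcp_options(offer: dict) -> bytes:
    """IPCP configuration options for the client: type, length 6, 4-byte address each."""
    opts = [(IPCP_IP_ADDRESS, offer["ip"])] + list(zip((IPCP_PRIMARY_DNS, IPCP_SECONDARY_DNS), offer["dns"]))
    return b"".join(struct.pack("!BBI", t, 6, ip2int(a)) for t, a in opts)

def proxy_dhcp(server: PoolServer, user: str, xid: int = 0x2210, giaddr: str = "192.0.2.1"):
    """The whole proxy step: DISCOVER on the user's behalf, OFFER parsed for IPCP."""
    offer = server.handle(build_discover(xid, user, giaddr))
    return parse_offer(offer, xid) if offer else None

if __name__ == "__main__":
    srv = PoolServer(["192.0.2.100", "192.0.2.101"], "255.255.255.0", "192.0.2.1",
                     ["192.0.2.53", "192.0.2.54"])
    for user in ("alice", "bob", "carol", "alice"):     # carol finds the pool exhausted
        o = proxy_dhcp(srv, user)
        print(user, o, ipcp_options(o).hex() if o else None)
```

The pool server leases by client identifier, so a user who reconnects gets the same address while the lease lasts, and when the pool is exhausted the dial-in gets no address rather than a duplicate one; the proxy has to turn that refusal into a failed IPCP negotiation instead of falling back to a port address that may already be in use.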
• MPPC Compression
MPPC compression consists of the addition of support for STAC-Extended (mode 4) and the Microsoft Point-to-Point Compression (MPPC) protocol on PPP links. STAC mode 4 uses the same compression engine as the already supported STAC modes, but a packet format that differs from the other STAC modes. For MPPC, the compression engine code provided by Microsoft is used. This function allows clients that support STAC-Extended or MPPC to negotiate a link with compression enabled, improving performance on low-speed links.
2.3.4 Customer Requirements
In this section we point out the basic hardware and software that can be used for client connections. Since there are many possible variations, depending on the type of user (with or without a LAN) and on the connection type and technology (dial-up, dedicated, ISDN, etc.), we describe the hardware and software for SOHO users' dial-up and dedicated connections.
2.3.4.1 Hardware<br />
In general, the minimum requirements for dial-up connections are:
• PC 386 (486 or higher recommended)
• Clock speed of 25 MHz
• 8 MB RAM
• Modem at 9,600 bps (higher recommended)
All these items may also vary depending on the operating system prerequisites.
However, these are only the basic requirements to make the connection. As Internet applications become heavier with graphical and multimedia content, these minimum hardware requirements will be insufficient. The ISP should help its customers find the configuration that suits their purposes and needs.
For dedicated connections through leased lines, the customer will need a router and a circuit matching the throughput he or she needs. (See 9.4, "Bandwidth" on page 270 for capacity planning information.)
For the dedicated connections through leased lines, the customer will need a<br />
router and a circuit compatible with the throughput he or she needs. (See 9.4,<br />
“Bandwidth” on page 270 for capacity planning information.)<br />
2.3.4.2 Software<br />
The clients will need several programs to use Internet resources. The most important are the ones that provide these functions:
• PPP<br />
• Web browser<br />
• E-mail<br />
• News reader<br />
These programs can be used in different combinations and are usually:<br />
• A starter kit given by the provider<br />
• Commercial solutions<br />
• Shareware or public domain products<br />
The first requirement is a PPP or SLIP communication program to call the provider and establish the IP connection. This software is called a dialer and can be supplied by:
• The RAS client (for example, the 8235 client used to connect to an 8235 server)
• The operating system (for example, Windows 95, Windows NT, OS/2 Internet Dialer)
• A TCP/IP package (for example, Chameleon)
The 8235 is shipped with software packages that provide the support for three<br />
different system environments: DOS, Windows and OS/2.<br />
Windows NT, Windows 95 and OS/2 Warp 4 come with PPP support. UNIX is also<br />
pretty self-sufficient. However, Windows 3.1 and Windows for Workgroups 3.11<br />
don't come with TCP/IP and PPP, so it's necessary to use an additional<br />
winsock. Although there is a large number of companies developing these<br />
winsock.dlls, the choice of which winsock to use is governed by a couple of<br />
factors:<br />
• The winsock.dll the ISP recommends.<br />
• The network environment the customer has. If he or she already uses<br />
commercial networking software, the winsock must be obtained from that vendor.<br />
• Personal preference: even though the winsocks follow the same TCP/IP<br />
standard, they each have different features.<br />
Finally, the customer can obtain it by:<br />
• Purchasing a commercial product, if he or she already uses network<br />
software.<br />
• <strong>Download</strong>, evaluate and purchase some shareware winsock.dll such as<br />
Trumpet.<br />
• <strong>Download</strong> and use a freely available one.<br />
Some ISPs give a starter kit that contains a dialer and can also include a Web<br />
browser, e-mail and news support. However, the starter kit has become less<br />
important now that PPP support comes with the operating systems. With the<br />
starter kit the installation and configuration of the products are done<br />
automatically: it creates the proper directories, installs the files and asks<br />
the few questions it needs answered. Sometimes even the new user account can be<br />
configured automatically, as the kit sends the user name to the ISP site and<br />
receives a password. For the optional software included in the starter package,<br />
the ISP needs to pay a fee to the software's owner, and software such as<br />
Netscape cannot be distributed on a disk without a license. One example of<br />
these installer packages that can be used is InetMgr. (See<br />
http://www.ccsweb.com for more information.)<br />
If a new subscriber prefers to use the dialer that comes with the operating<br />
system, he or she will need to configure its fields manually with the IP addresses<br />
of the various servers. He or she will also need to contact the ISP to get his or<br />
her user name and password. Both tasks can be completed in a five-minute<br />
telephone call.<br />
The previous scenario is typical for a SOHO user. The corporate user may<br />
connect to the ISP through a proxy server or a firewall.<br />
A proxy is a program that runs on a gateway host and acts as an intermediary<br />
for the other machines on the network, so they can connect to the Internet via the<br />
LAN using the same phone or dedicated connection provided at the gateway. A<br />
proxy server establishes the actual Internet connection, and the other machines<br />
on the LAN request Internet resources from the proxy server. The proxy<br />
server then passes the request along to the Internet, receives the information<br />
requested, and passes it back to the machine on the LAN that<br />
requested it. The proxy server itself can also be used to access the Internet; it just<br />
doesn't need to pass the requested information back. A firewall provides<br />
this same functionality (and more) and also addresses the security issues. In both<br />
cases, the corporate users need only the browser and optional software. The dialer is<br />
not needed because of the dedicated connection.<br />
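The request handling described in the paragraph above, as an added example that is not code from this Redbook or from any product it names: a LAN client hands the gateway an HTTP request that names the Internet host, the gateway applies its policy, forwards the request on the client's behalf and relays the reply. The policy sets (allowed scheme and port), the Via value and the replaceable send_upstream callable are assumptions made for the example; the sample request is constructed.<br />

```python
"""
Forward-proxy request handling for a LAN gateway (added example, not from the
Redbook). A browser configured for a proxy sends an absolute URL in the request
line, which is how the gateway learns which Internet host the LAN machine wants.
"""
import socket
from urllib.parse import urlsplit

# Hop-by-hop headers are meaningful only between client and proxy and must not be
# forwarded to the origin server: the RFC 2616 list plus the nonstandard Proxy-Connection.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade", "proxy-connection"}

# Gateway policy (assumption for this example): only plain HTTP to port 80 leaves the LAN.
ALLOWED_SCHEMES = {"http"}
ALLOWED_PORTS = {80}


class ProxyError(Exception):
    """A client request that cannot be forwarded; carries the HTTP status to answer with."""
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status, self.reason = status, reason


def parse_client_request(raw: bytes) -> dict:
    """Split a proxy-style request ('GET http://host/path HTTP/1.0') into its parts."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ProxyError(400, "Bad Request")
    lines = head.decode("latin-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ProxyError(400, "Bad Request")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ProxyError(400, "Bad Request")
        headers.append((name.strip(), value.strip()))
    url = urlsplit(target)
    # Policy: the target must be an absolute URL with an allowed scheme and port.
    if url.scheme not in ALLOWED_SCHEMES or not url.hostname:
        raise ProxyError(403, "Forbidden")
    try:
        port = url.port or 80
    except ValueError:          # non-numeric or out-of-range port in the URL
        raise ProxyError(400, "Bad Request")
    if port not in ALLOWED_PORTS:
        raise ProxyError(403, "Forbidden")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    return {"method": method, "version": version, "host": url.hostname, "port": port,
            "path": path, "headers": headers, "body": body}


def build_upstream_request(req: dict) -> bytes:
    """Rewrite the client's request into the origin-form request the Internet host expects."""
    out = [f"{req['method']} {req['path']} {req['version']}"]
    has_host = False
    for name, value in req["headers"]:
        if name.lower() in HOP_BY_HOP:
            continue
        if name.lower() == "host":
            has_host = True
        out.append(f"{name}: {value}")
    if not has_host:
        out.append(f"Host: {req['host']}")
    out.append("Via: 1.0 lan-gateway")   # tell the origin that a proxy relayed this request
    out.append("Connection: close")      # one request per upstream connection
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + req["body"]


def send_upstream(host: str, port: int, data: bytes) -> bytes:
    """Real network path: open the Internet connection and read the reply to completion."""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(data)
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)


def relay(raw_client_request: bytes, upstream=send_upstream) -> bytes:
    """Handle one client request: parse, apply policy, forward, and return the reply bytes.
    Malformed requests and policy violations are answered locally with an error reply."""
    try:
        req = parse_client_request(raw_client_request)
        return upstream(req["host"], req["port"], build_upstream_request(req))
    except ProxyError as e:
        body = f"{e.status} {e.reason}\r\n".encode()
        return (f"HTTP/1.0 {e.status} {e.reason}\r\nContent-Length: {len(body)}\r\n"
                f"Connection: close\r\n\r\n").encode() + body


# Constructed sample: what a browser on the LAN would send to the gateway.
SAMPLE_REQUEST = (b"GET http://www.example.com/index.html?x=1 HTTP/1.0\r\n"
                  b"Host: www.example.com\r\n"
                  b"Proxy-Connection: keep-alive\r\n"
                  b"User-Agent: constructed-sample\r\n\r\n")

if __name__ == "__main__":
    # Offline run: a fake upstream that echoes the rewritten request instead of sending it.
    print(relay(SAMPLE_REQUEST, upstream=lambda host, port, data: data).decode())
```

The upstream function is a parameter so the parsing and policy logic can be exercised without a network; in a real gateway the accept loop would call relay() once per client connection and write the returned bytes back to the LAN client.<br />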
Note<br />
It's important to test the client starter kit or the dialers commonly used in the<br />
market to check that they are compatible with your RAS.<br />
There is a wide range of software available for those applications. We show<br />
only some of them:<br />
Table 20. Client Software Applications<br />
Type: Dialer<br />
• Windows 95 Dial-up Networking: The Windows 95 Dialer is an interface that works<br />
over the built-in Windows 95 dialer program called Dial-Up Networking (DUN).<br />
• Windows NT: As NT was specifically designed for non-dial-up network<br />
connections, LAN and dial connections can and will conflict, so some help is<br />
needed on network and dial connections. Windows NT RAS v3.5x does not<br />
support dynamic IP addressing using SLIP, so a true automated script is not<br />
possible.<br />
• Trumpet Winsock: This is a shareware TCP/IP stack and dialer.<br />
• Netmanage Chameleon: This package includes a TCP/IP stack and applications<br />
such as e-mail, news reader, tn3270, etc.<br />
• Netscape Navigator Personal Edition: This is Netscape's dial-up Internet<br />
connectivity kit, which includes Netscape Navigator and a dialer written by Shiva.<br />
• OS/2 Warp Dial Other Providers: The OS/2 Warp dialer is an interface over the<br />
built-in TCP/IP software provided by <strong>IBM</strong>. Version 1.67 and earlier do not<br />
support PPP, only Version 1.68 and above. OS/2 Warp Connect and OS/2 Warp V4<br />
(also known as Merlin) include the dialer, the WebExplorer browser and e-mail.<br />
• MacPPP: Open Transport or MacTCP may be used with MacPPP but never at the<br />
same time, because they conflict with one another. System 7.5.3 and later are<br />
preinstalled with Open Transport.<br />
• InterSLIP: This is a shareware Internet dialer.<br />
• FreePPP: A combined effort of several individuals who made enhancements to<br />
MacPPP. Supports Open Transport. Open Transport or MacTCP may be used with<br />
FreePPP but never at the same time, because they conflict with one another.<br />
System 7.5.3 and later are preinstalled with Open Transport. FreePPP is a<br />
freeware software package and does not have any software support.<br />
• Internet in a Box: By Spry.<br />
• FTP OnNet: V1.2 requires the server to send a login sequence to the client and<br />
some services do not support this. It's better to obtain Version 2.0 or higher.<br />
• Pathway Access: This is a TCP/IP suite by Attachmate.<br />
• Crosstalk: Also by Attachmate.<br />
• AIX v4.1.5 or v4.2: Prior versions of AIX do not support Password Authentication<br />
Protocol (PAP) so cannot be used with servers that have PPP with PAP<br />
implementations.<br />
• Linux: SLIP and PPP setup procedures are available. You may find SLIP the<br />
easier of the two to set up.<br />
Note: The customer must use SLIP or PPP depending on the configuration that<br />
will be used in the ISP.<br />
Table 21. Client Software Applications<br />
Type: Mail<br />
• Eudora: Eudora Mail is a Macintosh and Windows (16-bit and 32-bit versions are<br />
available) based e-mail application. There are many different versions of Eudora<br />
Mail (all with a slightly different interface), and also two different Eudora types:<br />
Eudora Light (freeware version) and Eudora Pro (fully registered and supported<br />
version from Qualcomm).<br />
• Netscape Mail: Netscape browser Version 2 and higher have a built-in e-mail<br />
program. Netscape is not an offline mail program and it does not offer a spell<br />
checker.<br />
• Pegasus: Pegasus Mail is a Windows-based e-mail application (32- and 16-bit<br />
versions are available). There may be slight differences in the interface of the<br />
many Pegasus versions but the overall concept is nearly identical. Also there are<br />
many help resources available to Pegasus users, including extensive help in the<br />
application itself and the news group comp.mail.pegasus-mail.ms-windows.<br />
• Ultimail: Ultimail is the e-mail software that is provided in the bonus pack of the<br />
<strong>IBM</strong> operating system OS/2 Warp.<br />
Type: Browser<br />
• Netscape: The world's leading Internet browser.<br />
• Internet Explorer: Internet Explorer (IE) is the WWW browser provided by<br />
Microsoft and it is available via download from Microsoft's Web site.<br />
• Web Explorer: Web Explorer is the WWW browser that is provided in the bonus<br />
pack of the <strong>IBM</strong> operating system OS/2 Warp.<br />
• NCSA Mosaic: Developed at the National Center for Supercomputing Applications<br />
at the University of Illinois in Urbana-Champaign.<br />
Type: News Reader<br />
• WinVN: This is one of the first newsreader packages, with fewer features than<br />
FreeAgent.<br />
• FreeAgent: One of the best news reader packages available on the Internet; has<br />
many functions and options and makes picture decoding very simple.<br />
• Netscape: Built-in newsreader program that comes with the browser.<br />
• Internet Explorer: Built-in newsreader program that comes with the browser.<br />
• NewsReader/2: Package that comes with the OS/2 Warp Bonus Pack and Netsuite.<br />
Finally, for a customer to be able to make the connection to the ISP and use the<br />
Internet applications, in general he or she will need the following information:<br />
• A PPP/SLIP account [1]<br />
• A user name [1]<br />
• A password [1]<br />
• The phone number to be used<br />
• The serial protocol used (PPP or SLIP)<br />
• Whether the IP address is permanently assigned (static) or it will be obtained<br />
from the RAS (dynamic)<br />
• Name server configuration<br />
− The customer machine's hostname<br />
− The TCP/IP domain name<br />
− The addresses of the DNS servers (primary and secondary)<br />
− Netmask<br />
• E-mail configuration<br />
− POP server name<br />
− SMTP server name<br />
− E-mail address<br />
• WWW Server URL<br />
• News server name<br />
[1] Supplied during the installation process with the starter kit or in a previous<br />
telephone contact with the ISP.<br />
For information on how to configure the dial-up connection in Windows 95, see<br />
http://www.windows95.com.<br />
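A consistency check for the subscriber record the list above describes, as an added example that is not part of this Redbook: it catches the mistakes that produce a failed first connection, such as a static assignment without a valid address or a non-contiguous netmask, a dynamic assignment that still carries a fixed address, or a protocol that does not match what the RAS expects. The field names are an assumption chosen to follow the list, and every sample value is constructed.<br />

```python
"""
Validation of the connection record an ISP hands a new dial-up subscriber
(added example; field names are an assumption that follows the Redbook's list).
"""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def is_hostname(name: str) -> bool:
    return bool(name) and len(name) <= 253 and _HOSTNAME_RE.match(name) is not None


def is_ipv4(text: str) -> bool:
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def is_contiguous_netmask(mask: str) -> bool:
    """A netmask must be a run of 1 bits followed by 0 bits (255.255.0.255 is not one,
    and neither is a host mask such as 0.0.0.255)."""
    if not is_ipv4(mask):
        return False
    inverted = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0      # inverted mask is of the form 2^k - 1


def validate_subscriber_record(rec: dict) -> list:
    """Return the list of problems found; an empty list means the record is consistent."""
    problems = []
    for field in ("user_name", "password", "phone_number", "email_address"):
        if not rec.get(field):
            problems.append(f"missing {field}")
    if rec.get("protocol") not in ("PPP", "SLIP"):
        problems.append("protocol must be PPP or SLIP, matching the RAS configuration")
    assignment = rec.get("ip_assignment")
    if assignment == "static":
        if not is_ipv4(rec.get("ip_address", "")):
            problems.append("static assignment needs a valid IP address")
        if not is_contiguous_netmask(rec.get("netmask", "")):
            problems.append("static assignment needs a contiguous netmask")
    elif assignment == "dynamic":
        if rec.get("ip_address"):
            problems.append("dynamic assignment must not fix an IP address on the client")
    else:
        problems.append("ip_assignment must be 'static' or 'dynamic'")
    dns = rec.get("dns_servers", [])
    if not 1 <= len(dns) <= 2:
        problems.append("expected a primary and an optional secondary DNS server")
    problems += [f"invalid DNS server address {d}" for d in dns if not is_ipv4(d)]
    for field in ("hostname", "domain", "pop_server", "smtp_server", "news_server"):
        if not is_hostname(rec.get(field, "")):
            problems.append(f"{field} is not a valid host name")
    if not re.match(r"^[^@\s]+@[^@\s]+\.[^@\s]+$", rec.get("email_address", "")):
        problems.append("email_address is not well formed")
    return problems


# Constructed sample record: every value is invented for this example.
SAMPLE_RECORD = {
    "user_name": "jsmith",
    "password": "example-only",
    "phone_number": "555-0100",
    "protocol": "PPP",
    "ip_assignment": "static",
    "ip_address": "192.0.2.25",
    "netmask": "255.255.255.0",
    "hostname": "jsmith-pc",
    "domain": "isp.example.com",
    "dns_servers": ["192.0.2.1", "192.0.2.2"],
    "pop_server": "pop.isp.example.com",
    "smtp_server": "smtp.isp.example.com",
    "news_server": "news.isp.example.com",
    "email_address": "jsmith@isp.example.com",
}

if __name__ == "__main__":
    for label, record in (("good", SAMPLE_RECORD),
                          ("bad mask", dict(SAMPLE_RECORD, netmask="255.255.0.255"))):
        print(label, validate_subscriber_record(record) or "OK")
```

The netmask check works on the inverted mask: for a contiguous mask the inverted value is all ones in its low bits, so adding one clears them all and the bitwise AND is zero; any gap in the mask leaves a one bit standing.<br />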
Chapter 3. Server Hardware Platforms<br />
Server computers do many things: run transaction systems, manage Web sites,<br />
control intranets, manage databases, store data for decision support, as well as<br />
provide file and printing services for local PCs. Choosing the right servers can<br />
be one of the most important information technology decisions an organization<br />
makes.<br />
The term server was first applied to the small computers used to share disk<br />
space, printers, and network access for PCs. Over time, server has become the<br />
commonly used name for all multiuser computers. Technically speaking, a<br />
computer acts as a server when it responds to requests from other computers in<br />
a network. In practice, this is what multiuser computers spend most of their time<br />
doing.<br />
Before PCs, almost all computers were servers. As PCs became the center of<br />
the information universe, a name was needed for the other computers that<br />
worked behind the scenes. For a while it seemed like natural evolution would<br />
lead to most computing being done by very powerful desktop or laptop systems.<br />
The less visible computers that linked them together therefore didn't seem as<br />
important. Calling them servers reinforced the feeling that their role was<br />
subservient to the PC masters they existed to serve.<br />
Client/server computing is the popular name given to the approach of shifting<br />
much of the computing workload to powerful distributed PCs. While a number of<br />
great applications have been created around the client/server model, in general<br />
it has proven too complex and expensive to administer for most organizations.<br />
High support costs and the need to constantly upgrade PC hardware have<br />
limited the appeal of client/server.<br />
The information technology industry has begun to focus on a different approach.<br />
Internet Web-based computing, Java, and network computers hold out the hope<br />
of reducing support and hardware costs by shifting more of the computing<br />
workload back to larger servers. Suddenly, servers are back in vogue.<br />
Demand for server capacity could grow at an even higher rate due to the<br />
increasing popularity of the Internet and intranets, the extra processing power<br />
required for applications written in object languages such as Java, greater use of<br />
multimedia in applications, and the growing popularity of data mining.<br />
<strong>IBM</strong> is the largest provider of server computers. During 1997 almost $16 billion<br />
is expected to be spent on <strong>IBM</strong>'s four families of servers: S/390, AS/400,<br />
RS/6000, and PC server. Each represents a large and successful business for<br />
<strong>IBM</strong>. While <strong>IBM</strong> no longer dominates the computer industry, what it does still<br />
impacts almost every organization. It is therefore important for decision makers<br />
to understand <strong>IBM</strong>'s plans for its four server lines.<br />
This chapter offers a high-level view of <strong>IBM</strong>'s four server platforms and where<br />
each is headed. By helping decision makers better understand the offerings<br />
available from <strong>IBM</strong>, we also provide a useful perspective on the entire market for<br />
servers.<br />
3.1 <strong>IBM</strong> Server's Strategy<br />
3.1.1 <strong>IBM</strong> Server Business<br />
Different types of servers are needed to accomplish the growing number of<br />
missions that information technology must accomplish. As a result, it has<br />
become commonplace for advanced users of information technology to employ<br />
many different types of servers. This has led to the challenge of controlling and<br />
supporting increasingly complex computing environments.<br />
<strong>IBM</strong> sells a number of different types of computers. This improves the chances<br />
that it will be able to meet any particular need but also makes its product line<br />
harder to explain. Customers need alternatives but also want everything they<br />
buy to work well together. <strong>IBM</strong> has responded by becoming a leader in the<br />
integration of divergent systems.<br />
During the 1980s, <strong>IBM</strong> had gone too far in offering variety. Its hodgepodge of<br />
incompatible computers confused everyone including its own sales people. Over<br />
a period of years, <strong>IBM</strong> phased out marginal products such as the 8100, Series 1,<br />
and System/36. Four server families now remain: S/390, AS/400, RS/6000, and PC<br />
server. Further consolidation appears unnecessary.<br />
In the early 1990s, server hardware was not a robust business for <strong>IBM</strong>. Success<br />
with AS/400 and RS/6000 systems did not offset rapidly declining mainframe<br />
revenues. At that time all traditional servers seemed destined to decline in<br />
popularity in favor of PCs and Intel-based servers.<br />
As the end of the century approaches, the outlook for <strong>IBM</strong>'s server families is<br />
considerably brighter. The S/390 and AS/400 product lines have each undergone<br />
major redesigns that make them much more competitive and that took longer<br />
than originally planned. After letting others take the lead in PC servers and<br />
UNIX systems, <strong>IBM</strong> has become an important force in both of these markets.<br />
Each <strong>IBM</strong> server family focuses on very specific customer needs. S/390s are<br />
excellent at continuous computing and large-scale processing; AS/400s offer a<br />
wide selection of application packages and exceptional ease of use; RS/6000s<br />
feature a great version of the UNIX operating system and strength in handling<br />
commercial and technical-computing workloads; and <strong>IBM</strong>'s PC servers cover the<br />
fast growing market for Intel-based systems. There are points where these<br />
products overlap in price, capacity, and features, but each offers its own unique<br />
value proposition to buyers.<br />
<strong>IBM</strong> will not abandon the customers of any of these servers. Doing so would not<br />
make sense since each has a loyal customer following and helps generate sales<br />
in other parts of <strong>IBM</strong> including software, hardware maintenance, consulting, and<br />
peripherals. <strong>IBM</strong> also has a strong tradition of protecting the investment of past<br />
buyers.<br />
<strong>IBM</strong> will continue to invest heavily in improving all four server lines.<br />
Management does not secretly favor one of them over the others. Having four<br />
horses in the race improves the odds of success. It also creates a number of<br />
advantages and disadvantages. Some of the advantages of having four product<br />
lines include:<br />
• An option is provided for each type of server buyer.<br />
• Customers become loyal to specific server types.<br />
• One-stop shopping appeals to many buyers.<br />
• Deciding to buy from <strong>IBM</strong> does not lock buyers into one type of server.<br />
Problems associated with four lines include:<br />
• The effort to keep <strong>IBM</strong>'s sales force and Business Partners up to date.<br />
• The confusion among potential buyers.<br />
• The added cost of developing and marketing four products.<br />
<strong>IBM</strong> is working hard to reduce redundant costs. For example, all <strong>IBM</strong><br />
microprocessor chips are now manufactured in the same factory. The savings<br />
from sharing this manufacturing capacity have increased with the shift of the<br />
S/390 to the same underlying CMOS technology that other <strong>IBM</strong> systems use.<br />
Starting in 1997 the AS/400 and RS/6000 will go even further by sharing the same<br />
microprocessor design, a RISC chip with the code name Apache. <strong>IBM</strong> will<br />
further cut costs by assembling both systems in its Rochester, Minnesota,<br />
factory.<br />
Customers benefit from <strong>IBM</strong>'s product diversity in a number of ways.<br />
For example, a hotel chain might be halfway through the rollout of hundreds of<br />
new UNIX-based front-desk systems when it is acquired by a larger chain that is<br />
standardized on NT. In situations like this, <strong>IBM</strong> can be much more flexible than<br />
a vendor that only provides one type of server.<br />
It is rare for any organization to buy everything from one vendor. A large<br />
organization might be using Windows 3.1 PCs, NetWare file and print servers,<br />
AS/400s as local application servers, traditional mainframes for headquarters<br />
applications, and UNIX systems for data warehousing and decision support. This<br />
same company might be building a Web site using Lotus Domino running on NT<br />
servers accessed by Netscape browsers. It is even possible that the Engineering<br />
department still uses DEC VAX design systems and Marketing has some<br />
Macintoshes.<br />
The cost and difficulty of supporting the complex array of software products<br />
listed above is very high. The trend is therefore to reduce the complexity by<br />
setting standards and phasing products out. In situations like this, <strong>IBM</strong> can help<br />
by reducing the number of vendors involved. Its consulting organization can<br />
also help create and implement plans to make complex environments easier to<br />
manage.<br />
In addition to its own line of servers, <strong>IBM</strong> offers technical advice and<br />
maintenance support for most types of hardware and software, including<br />
products made by competitors. This gives those with many types of computers<br />
the option of dealing with fewer vendors. It also allows <strong>IBM</strong> to take a broader<br />
view of the market than others. One benefit of this is the emergence of hybrid<br />
products such as the Integrated PC Server feature offered on AS/400 computers.<br />
3.1.2 Servers in the Age of the Internet<br />
It is too early to tell how the Internet revolution will play out, but one thing<br />
seems certain: growth will surpass anything seen before. In the past year<br />
alone, a great deal has occurred. The number of commercial Web sites<br />
increased from under 25,000 to over 200,000, the base of users grew to over 40<br />
million, and the effort to build Web-style applications was lowered by an order of<br />
magnitude.<br />
Millions of organizations of all sizes will build and expand intranets and public<br />
Web sites in the next few years. This will create a tidal wave of demand for<br />
computing capacity. Much of this demand will be for very large servers for a<br />
combination of reasons:<br />
• The better sites will attract a great deal of traffic as they mature.<br />
• The number of users will grow rapidly as will their amount of usage.<br />
• Agent technology will increase the traffic each user generates. Multimedia<br />
will increase the size and complexity of transactions.<br />
• Software written in object languages such as C++ and Java will require<br />
much more compute capacity.<br />
• Internet Service Providers (ISPs) will achieve economies of scale by using<br />
very large servers.<br />
• An increasing percentage of small sites will be hosted by ISPs. The ability to<br />
create Web applications rapidly will stimulate growth.<br />
The trend toward larger servers is good news for <strong>IBM</strong>. No other vendor can<br />
match <strong>IBM</strong>'s experience in solving the unique problems that high-volume<br />
applications create. The S/390, RS/6000, and AS/400 will each benefit in a<br />
different way from the growth in demand for large servers.<br />
As workloads and complexity increase, S/390 systems become more attractive.<br />
Certain high-volume applications that Internet technology will make possible will<br />
only be practical when hosted on S/390 computers. The RS/6000 SP series is<br />
also well positioned as the most expandable UNIX alternative. SP systems<br />
incorporate some of the same advanced parallel processing technology <strong>IBM</strong><br />
developed for the S/390.<br />
AS/400 systems will not match the top-end capacity of S/390 or SP systems. Over<br />
time they will offer unique advantages as servers for Java-based applications.<br />
This is because the architecture of the AS/400 is a perfect match for the Java<br />
concept of a high-level, standard-programming interface. The large memory<br />
addressing capability built into AS/400 computers also gives them an advantage<br />
in serving applications written in object-oriented languages such as Java and<br />
C++.<br />
3.1.3 The Open <strong>IBM</strong><br />
During the 1980s when the openness movement was gaining momentum, <strong>IBM</strong><br />
initially fought the idea. In that era when <strong>IBM</strong> came up with innovative<br />
technology such as the Micro Channel, it tried to use the technology to lock<br />
buyers into its product line. <strong>IBM</strong>'s mainframes were once the best illustration of<br />
closed and proprietary systems.<br />
<strong>IBM</strong>'s attitude toward openness has changed. The most dramatic example is the<br />
incorporation of UNIX-based openness standards into the latest S/390 operating<br />
system. As a result, popular UNIX application packages such as SAP R3 are<br />
now being offered on S/390 systems.<br />
The UNIX community can take credit for developing the concept of openness.<br />
Unfortunately, vendors in the UNIX market have done a less-than-perfect job of<br />
following it. As a result, each UNIX environment is somewhat unique. After<br />
coming late to the openness party, <strong>IBM</strong> has actually become a leader in the<br />
effort to re-unify UNIX.<br />
110 The Technical Side of Being an Internet Service Provider
This soft copy for use by <strong>IBM</strong> employees only.<br />
<strong>IBM</strong>'s AS/400 series has also made great progress in supporting openness.<br />
Major changes in the AS/400's design, including the introduction of a completely<br />
new programming model, have been made to accommodate open standards.<br />
There is more work to be done, but a number of high-profile UNIX developers<br />
have already brought their applications to the AS/400.<br />
The old <strong>IBM</strong> strategy was to add unique features to its products to lock<br />
customers in. The new approach involves introducing new technology by<br />
licensing it to competitors, publishing specifications, and working to get the<br />
approval of standards bodies.<br />
The new <strong>IBM</strong> openness attitude makes its servers more attractive. Buyers now<br />
have less concern about becoming locked into one specific technology. Software<br />
developers are also more comfortable offering their products on <strong>IBM</strong> servers<br />
since they can now follow accepted standards to a degree never before possible.<br />
A growing number of the most popular applications are now available on all of<br />
the widely used server environments: S/390, AS/400, NT, and the leading UNIX<br />
platforms. For example, customers can buy applications from SAP, PeopleSoft,<br />
Lawson, SSA, or J.D. Edwards on an AS/400 knowing they can later move them<br />
to a UNIX or a large systems environment if their needs change.<br />
Much of the attention of openness advocates is now centered on Java. The new<br />
approach to application development and deployment that Java has pioneered<br />
has the potential to become a universal programming environment for all types<br />
of computers. It extends rather than replaces the many standards that have<br />
evolved out of the UNIX community.<br />
Java has become the rallying point for those who wish to limit Microsoft's<br />
control over software development. <strong>IBM</strong> has not only become a leader within the<br />
openness movement, it is working its way toward the front of the Java parade.<br />
Each of <strong>IBM</strong>'s server platforms will fully support the standard known as the Java<br />
Virtual Machine. <strong>IBM</strong> is working on highly optimized Java compilers for each<br />
server. Java is also the foundation for an ambitious <strong>IBM</strong> project called San<br />
Francisco, an effort to create a set of Java program objects that software<br />
developers can use as a foundation for creating advanced applications. San<br />
Francisco-based applications will be able to run on any computers that support<br />
the Java Virtual Machine.<br />
3.1.4 Summary of <strong>IBM</strong>'s Server Strategy<br />
<strong>IBM</strong> has concluded that no single type of server can satisfy the diverse needs of<br />
computer buyers. Each of <strong>IBM</strong>'s four server families offers a unique value<br />
proposition and appeals to an important group of customers. Collectively, they<br />
cover the needs of a high percentage of server users. Selling the broadest<br />
server product line puts <strong>IBM</strong> in an excellent position. While each server family<br />
is unique, they all strive to offer a common set of values:<br />
• Competitive pricing.<br />
• Low cost of ownership.<br />
• High quality and reliability.<br />
• Leadership in taking advantage of network technology.<br />
• Upward scalability.<br />
• Superior advice and support before and after the sale.<br />
• Investment protection over time.<br />
• Help when serious emergencies arise.<br />
• Global sales and support coverage.<br />
3.1.5 Prospects for the Future<br />
<strong>IBM</strong> doesn't always offer the hottest microprocessor, the lowest price, or the<br />
longest list of esoteric features. Industry-shaking innovations more often come<br />
from smaller companies such as Netscape, Sun Microsystems, or even Apple.<br />
<strong>IBM</strong> is less likely than others to throw an immature product out and let the<br />
market debug it. The <strong>IBM</strong> style is more often to wait for a new concept to prove<br />
itself in the market before jumping in with an improved second-generation<br />
version. <strong>IBM</strong> uses the combination of all the factors discussed above to<br />
differentiate itself from its competitors. Buying products or services from <strong>IBM</strong> is<br />
intended to be more than a one-time experience. Ideally it is one transaction<br />
within a long-term relationship. <strong>IBM</strong> cannot always live up to its ideals, but it<br />
does tend to set a higher standard for itself than other firms in the industry.<br />
<strong>IBM</strong>'s server business is in a position to contribute high profits and modest<br />
annual revenue growth for a number of years. The reasons why prospects are<br />
good include:<br />
• A five-year effort to transform the S/390 into a more cost-effective,<br />
standards-compliant, and less complex alternative is nearing completion.<br />
The payoff could be large, especially when buyers fully grasp what has been<br />
accomplished.<br />
• The AS/400 line is also now reaping the benefits of a multi-year transition to<br />
the Advanced Series.<br />
• The RS/6000 SP series is one of the hottest selling large-scale servers in the<br />
UNIX marketplace. It offers unmatched growth potential for both commercial<br />
and technical computing.<br />
• <strong>IBM</strong>'s PC servers are competing aggressively for a share of this rapidly<br />
growing market. The ambiguity <strong>IBM</strong> once had about NT is gone. Compaq will<br />
not be unseated as the market leader any time soon, but <strong>IBM</strong> does not have<br />
to do so to be successful. Growth rates for all types of servers are likely to<br />
increase. Network computing is the most important driving force, and it<br />
appears to favor the larger servers that <strong>IBM</strong> is skilled at creating.<br />
• <strong>IBM</strong>'s Software Group is strongly focused on middleware and systems<br />
management. In a world where most organizations use a very complex<br />
combination of PCs, workstations, servers, operating systems, and networks,<br />
the products that work best with everything else have an advantage.<br />
The opportunity for <strong>IBM</strong>'s server business is large, but so are the challenges it<br />
faces. Some of the things <strong>IBM</strong> must do better if it is to reach its potential include:<br />
• Communicating its value propositions more effectively.<br />
• Overcoming any impressions that products are outdated, expensive, and<br />
proprietary.<br />
• Bringing products to market faster.<br />
• Turning excellent research work into useful products before competitors do.<br />
• Helping Java become the preferred development environment for hot new<br />
applications.<br />
112 The Technical Side of Being an Internet Service Provider
This soft copy for use by <strong>IBM</strong> employees only.<br />
More about each of <strong>IBM</strong>′s four server families is provided in the following<br />
sections.<br />
3.2 <strong>IBM</strong> PC Server<br />
<strong>IBM</strong> has a history of letting competitors establish a new market before jumping<br />
in with a second-generation product. In the 1950s, Univac proved that there was<br />
a market for business computers before <strong>IBM</strong> came roaring in. Apple blazed a<br />
trail in personal computing that <strong>IBM</strong> turned into a highway, and DEC showed the<br />
way with its minicomputers before the <strong>IBM</strong> AS/400 took over.<br />
A similar pattern may be occurring with PC servers. Although <strong>IBM</strong> played a<br />
pivotal role in the evolution of the PC, it was not the first to see the potential of<br />
PC servers. Even when it was clear that a major market opportunity existed, it<br />
took <strong>IBM</strong> time to become serious.<br />
Novell pioneered the idea of controlling LANs with a network operating system<br />
running on a local server. The early servers were simply large PCs. At first, they<br />
did little more than help PC users share disk space and access to printers. As<br />
time passed, the capabilities of PC servers grew rapidly.<br />
Compaq was the first PC vendor to see the need for specialized servers. As a<br />
result, they have established themselves as the market leader. Knocking them<br />
off their perch will not be easy for <strong>IBM</strong> or anyone else. In the market for<br />
Intel-based computers, however, fortunes can shift rapidly. Part of the reason is<br />
that new microprocessor generations arrive frequently.<br />
The Intel Pentium Pro represents the sixth generation of processors since the<br />
introduction of the PC. A seventh generation is likely to arrive in 1998. Each<br />
generation provides opportunities and risks. This rapid improvement has also<br />
become the driving force in the entire computer market since it has created a<br />
cost curve that all types of servers must now follow.<br />
Symmetrical multiprocessing has significantly increased the top-end capacity of<br />
Intel servers. Microsoft is working on a technology for clustering NT servers,<br />
code-named Wolfpack, planned for introduction at the end of 1997. Over time, clustering<br />
will greatly increase the range of PC server systems. <strong>IBM</strong> tried to build PC<br />
servers based on its own PowerPC processors but backed off when it became<br />
clear that Intel-based processors had won the battle for this market segment. It<br />
therefore wasn′t until 1995 that <strong>IBM</strong> began a serious effort to become a leader in<br />
Intel-based PC servers. <strong>IBM</strong> also needed to admit that OS/2 was not going to<br />
overtake Windows. Doing so made it possible to concentrate heavily on the fast<br />
growing opportunity for NT servers.<br />
The success of NT is a major driving force in the PC server market. At the<br />
moment, a high percentage of NT installations are either replacements for<br />
NetWare servers or are for new opportunities such as data warehousing. As<br />
such they represent a potential lost opportunity for other <strong>IBM</strong> servers more than<br />
a direct threat to their franchises. <strong>IBM</strong> has come to understand that it cannot<br />
miss out on the growth opportunity that NT servers represent.<br />
At the moment, NT is not in the same class as AIX, OS/400, or OS/390 as a<br />
full-function operating system. On the other hand, NT is already much more than<br />
a simple PC OS. Microsoft does not yet claim that NT is ready to replace the<br />
more mature server operating systems. For the moment, there is plenty of room<br />
for NT to grow as an operating system for the advanced desktop user, file and<br />
print serving, application development, and modest-sized distributed<br />
applications.<br />
While Microsoft is content with the near-term success of NT, in the long term<br />
their ambition for it is unlimited. As time passes, the gap between NT and more<br />
mature server operating systems may narrow.<br />
3.2.1 The New PC Server Strategy<br />
At first it looked like 1996 would be a banner year for <strong>IBM</strong> PC servers. The<br />
upgraded product line won a number of industry awards such as the PC World<br />
1996 PC Server Product of the Year. Many hard-to-please industry analysts and<br />
large customers also were quite impressed. Unfortunately, manufacturing<br />
problems limited the number of units <strong>IBM</strong> was able to ship. With limited product<br />
to sell, it made little sense to call attention to the upgraded product line. As a<br />
result, many potential buyers are not aware of the progress <strong>IBM</strong> has made as an<br />
Intel PC server vendor.<br />
In spite of all the past problems, <strong>IBM</strong> is still second only to Compaq in PC server<br />
sales with Hewlett-Packard close behind. It is a minor consolation to <strong>IBM</strong> that<br />
they have remained a major competitor without yet putting their best foot<br />
forward.<br />
The production problems seem now to be solved, and the new management<br />
team running <strong>IBM</strong>′s PC Server Division enters 1997 with reason to be optimistic.<br />
A clear strategy for taking on Compaq has been developed based on the<br />
following elements:<br />
• Follow accepted standards. Intel processors will be used and there will be no<br />
more efforts like the Micro Channel to establish exclusive ownership of new<br />
technology.<br />
• Provide unqualified support for NT. This includes building a strong<br />
relationship with Microsoft′s NT developers.<br />
• Leverage <strong>IBM</strong> knowledge of large-scale processing. <strong>IBM</strong>′s leading-edge<br />
clustering technology will be brought to Intel servers.<br />
• Major in systems management. Using <strong>IBM</strong> products such as NetFinity and<br />
TME 10 makes <strong>IBM</strong> PC servers the easiest to use on the market.<br />
• Compete aggressively in price and features.<br />
• Offer the traditional <strong>IBM</strong> values of high quality, excellent support,<br />
international sales coverage, and investment protection.<br />
• Target specific market segments including Notes serving.<br />
• Work with <strong>IBM</strong>′s new Network Computer Division to create an attractively<br />
packaged offering of PC servers and NCs.<br />
• Take advantage of <strong>IBM</strong>′s strong relationships with larger enterprises.<br />
Become a better partner for resellers.<br />
Good margins will be hard to achieve in a market where <strong>IBM</strong> controls neither<br />
the processor nor the operating system. Compaq, Hewlett-Packard, and the<br />
other competitors face the same problem. However, <strong>IBM</strong> has shown with<br />
products such as the ThinkPad and RS/6000 SP series that it can take a<br />
leadership role in a highly competitive market. The challenge in PC servers is<br />
great but not insurmountable.<br />
The PC server market is very competitive, but it is also growing very rapidly.<br />
Many industry experts have forecast continuing growth of over 20%. If growth at<br />
these rates does not materialize, <strong>IBM</strong>′s other server lines will almost certainly<br />
benefit. Assuming that the market for PC servers will grow rapidly, there is no<br />
reason why <strong>IBM</strong> as well as its competitors cannot be very successful.<br />
3.2.2 <strong>IBM</strong> PC Server Family Overview<br />
PC servers are a good choice for a wide range of Internet applications, providing<br />
a scalable and low-cost solution. You can start with a PC server with basic<br />
features and, depending on the model that you choose, upgrade the processor<br />
power, memory, storage and communication capability. Many operating systems<br />
are available for the Intel platform that can form the basis of an Internet<br />
server solution. They are as follows:<br />
• <strong>IBM</strong> OS/2 Warp Connect<br />
• <strong>IBM</strong> OS/2 Warp Server<br />
• Microsoft Windows 3.1<br />
• Microsoft Windows95<br />
• Microsoft WindowsNT Family<br />
• SCO UNIX<br />
• Linux<br />
• Solaris<br />
• Novell NetWare<br />
• Novell UNIXWare<br />
Note: Windows 3.1 and Windows 95 have no multiuser security model (no<br />
per-user authentication or file permissions on the local system) and are not<br />
suitable for hosting services exposed directly to the Internet. For that role,<br />
prefer the Windows NT family, one of the UNIX variants, NetWare or OS/2 Warp<br />
Server.<br />
<strong>IBM</strong> PC Server offers a robust product line to meet a wide range of network,<br />
application and database serving needs, across all sizes of organizations:<br />
• PC Server 310 and PC Server 315<br />
These entry-level products are targeted for file and print serving, as well as<br />
entry-level application serving, ideally suited for small and growing<br />
enterprises, and workgroup and distributed network environments. Powered<br />
by the latest Intel Pentium processor (PC Server 310) and Intel Pentium Pro<br />
processor (PC Server 315), these uniprocessor platforms have all of the key<br />
server features you expect (Ultra SCSI, ECC memory, etc.) at the most<br />
aggressive price points.<br />
• PC Server 325 and PC Server 330<br />
These mid-range products are targeted for application and database serving,<br />
as well as large file and print serving applications. By offering more power<br />
and scalability than the entry offerings, they meet the needs of growing<br />
organizations, Internet providers and enterprise rollouts. Key server<br />
features include rack drawer capability (PC Server 325), scalable I/O<br />
subsystem with five PCI slots, RAID and hot-swap disk capabilities, and dual<br />
processing Pentium Pro processor complexes. Additionally, the PC Server<br />
325 and 330 are upgradable to Intel′s recently introduced Pentium II<br />
processor technology.<br />
• PC Server 704<br />
For the ultimate in power and scalability, while enhancing the manageability<br />
and control expected in intensive application and database serving<br />
environments, the PC Server 704 is the obvious choice. Powered by<br />
four-way symmetrical multiprocessing with Intel′s fastest Pentium Pro<br />
processors, the scalability of the PC Server 704 is matched by disk scalability<br />
of 100+ GB of RAID/hot-swap storage and memory scalability to 2 GB. For<br />
the ultimate in local and remote manageability, the PC Server 704 can be<br />
enhanced with the Advanced Systems Management Adapter.<br />
In conjunction with these servers, <strong>IBM</strong> PC Server is dedicated to offering flexible<br />
and scalable storage solutions to meet a wide range of needs.<br />
To drive scalable, powerful and manageable storage solutions, you first need a<br />
robust offering of disk controllers. <strong>IBM</strong> offers the state-of-the-art <strong>IBM</strong> PC<br />
ServeRAID adapter for the UltraSCSI environment. Driven by a powerful RISC<br />
processor, the ServeRAID adapter has the power to drive three channels of up to<br />
15 devices. Other features include the ability to manage the ServeRAID adapter<br />
remotely, allowing you to add new disk drives and create new arrays from<br />
remote locations.<br />
For more scalable disk storage needs, <strong>IBM</strong> offers the <strong>IBM</strong> SSA PCI RAID<br />
Adapter. Serial Storage Architecture (SSA) allows for up to 96 devices on one<br />
string (or channel), and multiple adapters are supported in most PC Server<br />
products.<br />
In the SCSI and UltraSCSI environments, external storage capacity can be<br />
enhanced with either tower or rack-mounted drawer expansion units:<br />
• 3517 SCSI Multi-Storage Enclosure — Offering seven drive bays for up to 22.5<br />
GB of storage.<br />
• 3518 PC Server Enterprise Expansion Enclosure — Offering 18 hot-swap drive<br />
bays for up to 40 GB of storage.<br />
• 3519 PC Server Rack Storage Expansion Enclosure — Offering six hot-swap<br />
drive bays for up to 27 GB of storage as well as three additional media bays<br />
for tape or CD-ROM solutions.<br />
When your storage needs require enhanced scalability and high-availability, <strong>IBM</strong><br />
PC Server offers connection to Serial Storage Architecture devices. The<br />
following SSA solutions can be added to the PC Server products:<br />
• 3527 SSA Entry Storage Subsystem — Offering five bays for SSA devices for<br />
up to 22.5 GB of storage.<br />
• 7133 SSA Rack-Mounted Disk Subsystem — Offering 16 hot-swap disk drive<br />
bays (over 140 GB).<br />
To allow efficient site management, PC Server offers multiple rack solutions to<br />
meet your needs. If you have existing PC Server system units, you can combine<br />
these into the PC Server 9306 Rack Enclosures very quickly and efficiently.<br />
System units attach to base plates on sliding shelves, thus consolidating floor<br />
space while maintaining full serviceability of the server units and allowing you<br />
to redeploy the servers in the future with minimal change.<br />
Industry-standard (EIA 19″) products, such as the PC Server 325 Rack<br />
Drawer, the PC Server 3519 Rack Storage Expansion Enclosure and the SSA 7133<br />
Rack Storage subsystem, are supported by <strong>IBM</strong> in industry-standard 19″ racks,<br />
such as the APC NetShelter rack enclosure.<br />
Note: The servers described here may not be available in all countries.<br />
Similarly, other servers may still be available in the country where you live.<br />
The PC Server family has a number of features common to all of its members:<br />
• Pentium and Pentium Pro microprocessors — Each of the servers is based<br />
on Pentium and Pentium Pro technology, from a single Pentium 200 MHz<br />
processor in the entry-level machines to four-way Pentium Pro 200 MHz<br />
processor-based systems at the high end.<br />
• SCSI performance — Each server has an UltraSCSI storage subsystem. RAID<br />
controllers are standard on some models for added performance and fault<br />
tolerance. Note that RAID protects data against disk failure (availability); it<br />
does not protect it against unauthorized access, which remains the job of the<br />
operating system. Serial Storage Architecture (SSA) is available as an option.<br />
• Lotus Domino Server 4.5 — The premier groupware product is supplied with<br />
all <strong>IBM</strong> PC Servers.<br />
• NetFinity — This is a comprehensive systems management tool that allows<br />
LAN administrators to monitor and manage servers and workstations. It<br />
provides an easy-to-use graphical set of local and remote services designed<br />
to make the PC Server and client systems simple and affordable to manage.<br />
It has a flexible, modular design that allows for a variety of system-specific<br />
configurations.<br />
• ServerGuide — This is a set of CD-ROMs that contain the most popular<br />
operating systems and management tools such as NetFinity. It provides a<br />
simple interface to install and configure the operating system and tools. It is<br />
provided free of charge with each new <strong>IBM</strong> PC Server.<br />
• SVGA video — All models in the family offer super video graphics array<br />
(SVGA) subsystems for displaying high resolutions and colors. This is a<br />
benefit especially where systems and network management are performed<br />
from the server itself.<br />
• CD-ROM drive — Each server is configured with a CD-ROM drive to make it<br />
easier to install software.<br />
• Enhanced keyboard and mouse — Supplied standard with each server.<br />
Further information such as available models, supported devices and technical<br />
details about the <strong>IBM</strong> PC Server family can be found in the <strong>IBM</strong> Personal<br />
Computing home page at:<br />
http://www.pc.ibm.com.<br />
3.3 <strong>IBM</strong> RS/6000<br />
Although <strong>IBM</strong> did not join the UNIX movement until almost 20 years after it<br />
started, they have made up for lost time and have become an important force in<br />
its evolution. During the formative period when UNIX focused largely on technical<br />
computing, interest was very low at <strong>IBM</strong>. In the late 1980s, as the open systems<br />
concept gained acceptance among commercial computer buyers, it became<br />
essential for <strong>IBM</strong> to be involved.<br />
Ironically, the technology breakthrough that made UNIX so successful was the<br />
RISC microprocessor, something invented by <strong>IBM</strong> researchers. At first, however,<br />
<strong>IBM</strong> took little advantage of RISC, letting Sun Microsystems, Silicon Graphics,<br />
Hewlett-Packard, and others take the early lead. It was not until 1990 that <strong>IBM</strong><br />
became a serious contender in the UNIX market.<br />
The RS/6000 series entered the UNIX market with a hot new RISC processor. It<br />
quickly forced the established vendors to improve their price/performance.<br />
While the RS/6000 hardware was highly competitive, it was the introduction of<br />
<strong>IBM</strong>′s AIX operating system that caused the greater stir.<br />
Before AIX, UNIX operating systems were optimized for sophisticated users who<br />
wanted maximum flexibility and minute technical control. Mundane functions<br />
such as security, backup, and recovery were after-thoughts, making UNIX<br />
inadequate at the time for many commercial applications.<br />
AIX changed the UNIX market forever by setting new standards for reliability,<br />
recovery, security, operations interfaces, and system management. Traditional<br />
UNIX vendors were forced to scramble to catch up. While the gap has been<br />
narrowed considerably, AIX remains a leader in these areas, especially in<br />
systems management.<br />
During the 1990s, <strong>IBM</strong> has solidified its position as a leader in adapting UNIX to<br />
the needs of the business community. UNIX computers remain the leading<br />
choice for technical and academic computing, and RS/6000 systems are making<br />
important inroads in these markets as well. <strong>IBM</strong> recently won a hotly contested<br />
contract to create the largest UNIX-based scientific supercomputer yet built for<br />
the U.S. Department of Energy. This system will handle the nuclear weapon<br />
simulations made necessary by the nuclear test ban.<br />
For a period of time, UNIX and openness were the same thing. Over the past few<br />
years that has changed primarily because other types of computers began<br />
offering the best of the UNIX standards including the C and C++ languages,<br />
Ethernet, TCP/IP, and the X/Open programming interfaces.<br />
The RS/6000<br />
Part of the early appeal of RS/6000 computers was that they offered<br />
the fastest RISC processors available. <strong>IBM</strong> remains competitive but can no<br />
longer claim processor/performance leadership. That honor shifts regularly as<br />
vendors leap-frog each other every few months. The modest market share<br />
obtained by DEC′s Alpha systems demonstrates that technical excellence alone<br />
does not guarantee success.<br />
Since performance leadership is something no vendor can sustain for long, <strong>IBM</strong><br />
has learned to rely on other factors to maintain sales momentum. The RS/6000<br />
value proposition rests on:<br />
• The reliability and capability of AIX<br />
• More room for upward growth than competitors<br />
• Excellent systems management<br />
• Competitive cost of ownership<br />
• Exceptional capability serving large Web sites<br />
• Excellent sales and support around the world<br />
• A large library of advanced applications and tools<br />
The greatest competitive advantage of the RS/6000 at the moment comes from<br />
the highly parallel SP models. Early development of these models was done by<br />
<strong>IBM</strong>′s S/390 Division which has the best understanding of large-scale parallel<br />
computing in the world. <strong>IBM</strong> is good at some things and not so good at others. It<br />
is at its very best in building computers for large, complex, critical tasks. The<br />
SP shows off all these skills.<br />
The SP is especially good as a server for large Web sites. Advantages include:<br />
• The SP series leads the UNIX market in parallel processing. An SP<br />
configuration can include as many as 512 microprocessors working together.<br />
• AIX was built to handle large-scale commercial processing. It excels at<br />
backup and recovery, systems management, and reliability.<br />
• The RS/6000 design is better than most UNIX systems at managing I/O and<br />
memory. Web site transactions are very I/O and memory intensive, making<br />
them a perfect fit.<br />
• RS/6000s were the first to offer the Web Object Management (WOM)<br />
technology <strong>IBM</strong> developed for its Deep Blue and Olympics Web sites. <strong>IBM</strong><br />
has more practical experience setting up and managing large-scale Web<br />
sites than anyone else.<br />
• Many of the largest Web sites use SP servers including the Netscape site<br />
that currently handles as many as 100 million hits per day.<br />
The market for large-scale UNIX Web servers is <strong>IBM</strong>′s to lose. Sun, NCR, and<br />
Cray are working hard to catch up but will have to overcome <strong>IBM</strong>′s edge in<br />
experience. Eventually, Compaq is sure to offer an NT/Intel-based system for<br />
very large Web sites as well. <strong>IBM</strong>′s unique expertise lies in squeezing the most<br />
out of parallel processors, balancing workloads, handling recovery, ensuring that<br />
the system doesn′t fail, and providing system operators with the information they<br />
need.<br />
RS/6000 systems are also popular servers for Lotus Domino, <strong>IBM</strong>′s leading<br />
Internet software product. The SP models are well suited for serving large<br />
numbers of Lotus Notes users. <strong>IBM</strong> itself has become the world′s largest Notes<br />
user and has chosen to use SP hardware for its internal Notes applications.<br />
The current dynamics of the UNIX market seem favorable for <strong>IBM</strong> for the<br />
following reasons:<br />
• The strongest challenge to UNIX from NT is coming in the low-end system<br />
and technical workstation segment. This is hurting other UNIX vendors more<br />
than <strong>IBM</strong>.<br />
• The fastest growing segment of the market is large scale, the area where<br />
<strong>IBM</strong> is strongest.<br />
• The increasing complexity of computer environments is putting a premium<br />
on systems management, the RS/6000′s greatest advantage.<br />
• Hardware price and performance are beginning to take a back seat to<br />
reliability, support, upgrade potential, investment protection, and other<br />
intangible factors that <strong>IBM</strong> is known for.<br />
The UNIX market will remain fiercely competitive, and NT will put added<br />
pressure on UNIX providers. In spite of this, <strong>IBM</strong> has every reason to be<br />
optimistic about the RS/6000. It will continue to play an important role in a<br />
growing market.<br />
3.3.1 RS/6000 As a Platform for ISPs<br />
The first wave of Internet services was characterized by ad hoc designs, lack of<br />
security, static publishing, basic access, and limited scalability. As would be<br />
expected, the second wave of Internet services requires solutions that support<br />
security, commerce, and transaction-oriented activities, as well as multi-service<br />
integration that is reliable, scalable, and highly available. The RS/6000′s<br />
strengths, which include reliability, scalability, availability, a robust portfolio,<br />
end-to-end security, and superlative service and support, make it a flagship<br />
network computing platform fully enabled to support the second wave of<br />
requirements.<br />
• Reliability<br />
RS/6000 delivers reliability via:<br />
− Superior storage<br />
− Management function<br />
− Non-intrusive and low-level performance tools<br />
− Journaled file system (JFS)<br />
− Intuitive systems management (SMIT)<br />
− A wide range of connectivity applications and devices<br />
− Superior I/O storage subsystems<br />
• Scalability<br />
RS/6000 delivers scalability through:<br />
− Binary compatibility across the product line, from workgroup server to<br />
large-scale server.<br />
− Room to grow: in the Internet space, customers do not know how fast their<br />
server needs will grow, and the RS/6000′s scalability lets an application<br />
set keep running unchanged as their requirements increase.<br />
− SMP scalable performance, which lets applications achieve measurable<br />
performance improvements when processors are added in an SMP<br />
configuration.<br />
− Dynamic capacity expansion, which lets customers achieve linear<br />
performance bandwidth gains by adding nodes (on the fly) to an SP.<br />
− Central administration: as resources and nodes are added to an SP,<br />
systems administration is handled from a central control workstation, making<br />
the SP a superior platform for LAN and server consolidation efforts.<br />
• Availability<br />
The industry-leading HACMP product set, together with the recently introduced<br />
Phoenix APIs, lets applications exploit high availability and restart as real<br />
advantages today. Inherent RS/6000 features such as the service processors,<br />
combined with the Call Home services, create another availability advantage<br />
to exploit, particularly with the introduction of the F50 as a price/performance<br />
leader.<br />
• Robust Portfolio<br />
RS/6000 delivers a hardware platform and operating system software<br />
optimized for Symmetric Multiprocessing (SMP), Massively Parallel<br />
Processing (MPP), and TP monitor-type multithreading and load balancing.<br />
Built on this foundation is the most robust collection of integrated network<br />
computing solutions (POWERsolutions) offered by any system vendor. This<br />
single point of contact for the major components exploits the strengths of<br />
<strong>IBM</strong>′s services and support combined with vendor applications in demand by<br />
our customers.<br />
• Security<br />
A key element in satisfying the second-wave requirements is end-to-end<br />
security. Security begins in the hardware, and cryptographic operations can<br />
be accelerated with cryptography hardware adapters. The AIX operating system<br />
is designed for C2 level security (the TCSEC controlled access protection<br />
class: discretionary access control, individual user accountability, object<br />
reuse protection and auditing), and provides an excellent base for a<br />
separately available B level security offering, which adds mandatory access<br />
control based on security labels. Secure Sockets Layer (SSL) support in AIX<br />
as a client and server provides security at the connection level, that is,<br />
confidentiality and integrity of data in transit; it does not by itself protect<br />
data at rest or the host, which remain the job of the operating system controls<br />
above. The first implementation of Secure Electronic Transaction (SET) is<br />
introduced in <strong>IBM</strong>′s Net.Commerce v2 products.<br />
To complement services for RS/6000 customers, the <strong>IBM</strong> SecureWay family of<br />
security offerings is a broad portfolio of security hardware, software,<br />
consulting and services to help users secure their information technology.<br />
The offerings apply to server-based and distributed systems and to the<br />
integration of security across enterprises that have extended their reach to<br />
the Internet.<br />
• Support<br />
One of the strongest distinguishers for <strong>IBM</strong> and the RS/6000 is the <strong>IBM</strong> Global<br />
Services (IGS) organization and the Datapro award-winning support capabilities that round out each of<br />
the solutions. An example of service and support integration was the<br />
significant undertaking of supporting the Atlanta Summer Olympics on<br />
RS/6000 servers. Single point of contact for support of network computing<br />
applications allows customers and business partners to exploit the highly<br />
acclaimed <strong>IBM</strong> support structure for non-<strong>IBM</strong> products.<br />
RS/6000 and AIX provide the level of robustness, scalability and availability that<br />
ISP solutions require.<br />
RS/6000 servers are powerful, cost-effective systems with excellent growth and<br />
availability options to meet the needs of network-based applications such as the<br />
Internet server, Notes server and database server.<br />
<strong>IBM</strong>′s Internet RS/6000 solutions contain the hardware and software that you<br />
need to establish your presence on the Internet. These solutions are designed<br />
to operate in a multivendor, networking environment.<br />
The <strong>IBM</strong> Telecom and Media Industry Solution Unit (ISU) has also implemented a<br />
comprehensive family of solutions designed to meet the reliability and scalability<br />
requirements of Internet Service Providers - the <strong>IBM</strong> Solutions for ISPs family.<br />
The <strong>IBM</strong> Solutions for ISPs consist of packaged hardware, software, and services<br />
offerings designed to let ISPs get to market quickly with a variety of new<br />
revenue-generating services.<br />
The first release of the <strong>IBM</strong> Solutions for ISPs family consists of the following:<br />
• Content Management<br />
− <strong>IBM</strong> Solutions for ISPs Lotus Go Webserver<br />
− <strong>IBM</strong> Solutions for ISPs Web Hosting Server<br />
• Communications and Messaging<br />
− <strong>IBM</strong> Solutions for ISPs Scalable Mail Server<br />
• Collaboration<br />
− <strong>IBM</strong> Solutions for ISPs Lotus Domino Server (with business partners)<br />
• Security<br />
− <strong>IBM</strong> Solutions for ISPs Firewall Server<br />
• Commerce<br />
− <strong>IBM</strong> Solutions for ISPs Net.Commerce Server<br />
• Infrastructure<br />
− <strong>IBM</strong> Solutions for ISPs Network Dispatcher Server<br />
In addition to the <strong>IBM</strong> Solutions for ISPs offerings listed above, companion<br />
products are available from <strong>IBM</strong> that can apply to ISP customers:<br />
• Content Management<br />
− <strong>IBM</strong> Videocharger Server<br />
− Telecom & Media ISU Electronic Yellow Pages<br />
− Telecom & Media ISU Electronic White Pages<br />
− Netscape Enterprise Server<br />
• Messaging and Communications<br />
− Netscape News Server<br />
− Netscape Mail Server<br />
• Commerce<br />
− Netscape Merchant Server<br />
• Security<br />
− Checkpoint FireWall-1<br />
− WebStalker Pro<br />
− Netscape Proxy Server<br />
• Infrastructure<br />
− Tivoli TME Product Family<br />
See Appendix B, “<strong>IBM</strong> Solutions for ISPs” on page 317 for detailed information<br />
about the packages and offerings.<br />
For information such as available models, supported devices and technical<br />
details about the <strong>IBM</strong> RS/6000 family go to the <strong>IBM</strong> RS/6000 home page on the<br />
Internet at:<br />
http://www.austin.ibm.com.<br />
3.4 AS/400<br />
3.4.1 Advanced Series<br />
The metamorphosis of the S/390 into the microframe was not the only important<br />
transformation going on over the past few years within <strong>IBM</strong>. The AS/400 series<br />
also spent more than three years going through a major transition. The much<br />
improved system is now called the AS/400 Advanced Series. Because the<br />
change took place in stages and the name remained the same, the mistaken<br />
perception outside the AS/400 community is that not much happened.<br />
AS/400 computers have always been difficult to describe and to categorize. They<br />
have attracted a very loyal following and enjoy the highest customer satisfaction<br />
of any server on the market. To those not familiar with the AS/400, it is often<br />
something of a mystery. Part of the problem is that AS/400 advocates use a<br />
special jargon to describe their favorite computer. Phrases such as single-level<br />
addressability, technology-independent machine interface, and object persistence<br />
often fill the air when discussing the AS/400. The success of the AS/400 has<br />
come partially because of the unusual design under the covers. Its unique value<br />
proposition, however, is the real reason behind its popularity. AS/400 systems<br />
are attractive because of:<br />
• OS/400 is the most fully integrated operating system in the world.<br />
• The availability of a broad portfolio of high quality application packages.<br />
• Ease of installation, operation, programming, and use.<br />
• Low total cost of ownership.<br />
• Hardware and software reliability.<br />
• The ease and low cost of use for distributed processing.<br />
• Advanced capability without the need for an army of technicians.<br />
• Support for important industry standards.<br />
In spite of all these advantages, sales of AS/400 computers began to flatten in<br />
the early 1990s for a number of reasons:<br />
• Most AS/400 applications used a character-oriented interface at a time when<br />
PC-oriented graphical client/server applications were becoming popular.<br />
• Interest in UNIX-based openness standards was peaking.<br />
• AS/400 hardware costs were high in relation to UNIX systems.<br />
• Capacity range was less than other alternatives.<br />
The Advanced Series was developed to address these problems.<br />
After their introduction in 1988, AS/400 systems quickly became a major source<br />
of revenue and profit for <strong>IBM</strong>. Over $4 billion per year is spent on the basic<br />
processors and operating systems alone. Billions more are spent on related<br />
devices, software, and services. In order to protect this valuable franchise, <strong>IBM</strong><br />
was willing to spend a great deal creating a second generation of AS/400<br />
systems.<br />
The Advanced Series offers improvements in every important aspect of the<br />
AS/400:<br />
• New 64-bit RISC processors based on the PowerPC design have lowered<br />
cost, improved performance, and increased top-end capacity.<br />
• No software conversion was needed to take full advantage of 64-bit<br />
processors.<br />
• Improved adherence to openness standards made it easier to use AS/400s<br />
alongside other types of systems and to develop portable applications.<br />
• A much wider range of models has lowered the entry cost and greatly<br />
increased top-end capacity.<br />
• A graphical interface is now available for OS/400 as well as improved PC<br />
interface software.<br />
• A number of the most popular client/server applications are now available<br />
from leading developers such as SAP, PeopleSoft, Platinum, and J.D.<br />
Edwards.<br />
• The Integrated PC Server eliminates the need for separate servers dedicated<br />
to running network operating systems and to handling functions such as PC<br />
file and print serving.<br />
The Advanced Series became available in stages over three years (1994-1996).<br />
This gradual arrival blunted some of the impact, especially since the new name<br />
was introduced in 1994 when relatively little changed except the shape and color<br />
of the hardware. While all the new technology is now in place, it will take time<br />
for applications to become available that take advantage of the new capabilities.<br />
One of the most important benefits of the switch to PowerPC RISC processors<br />
will come in mid-1997 when new models become available based on the second<br />
generation of RISC processors code named Apache. These processors will also<br />
be used in RS/6000 systems which will provide development and manufacturing<br />
economies to <strong>IBM</strong>.<br />
AS/400 hardware has always been more expensive than comparable UNIX-based<br />
systems. Other factors have given the AS/400 an overall advantage in cost of<br />
ownership. By the end of 1997 there will be little price difference for AS/400<br />
hardware, and the other benefits will remain. For the rest of the 1990s, AS/400<br />
systems are likely to remain a leader in cost of ownership.<br />
One of the most important behind-the-scenes changes in the Advanced Series<br />
was the redesign of the lower levels of OS/400 using object technology. It was<br />
also one of the reasons the transition took as long as it did. The payback for this<br />
investment will come over many years starting in 1997. The most important<br />
benefit will be that <strong>IBM</strong> will be able to introduce future improvements in less<br />
time.<br />
The object technology orientation of the AS/400 will also make it more attractive<br />
as a server as the number of applications written using object techniques<br />
increases. Most observers of the computer industry agree that this is inevitable<br />
given the huge increases in programming productivity that object technology can<br />
provide.<br />
Object-oriented applications can be developed quickly, but they tend to perform<br />
poorly. The AS/400 Advanced Series will help overcome this problem with a<br />
facility called object persistence. In simple terms this means that AS/400s have<br />
a large enough address space to allow them to assign every object a unique<br />
permanent address. Less computing power is therefore needed when AS/400<br />
servers handle the transfer of control from one object to another because the<br />
permanent virtual address can quickly be used to locate any object even if it is<br />
on another computer in a network.<br />
Advanced Series AS/400s have also been adapted to interface directly with the<br />
Internet. They can be used as Web site servers or can control intranets. A<br />
facility called HTML Gateway automatically makes any existing AS/400<br />
applications accessible through a Web browser. AS/400 systems offer an added<br />
advantage when attached to the Internet because of the way security is built into<br />
OS/400. Most of the strategies hackers use to create viruses will not work with<br />
AS/400 systems.<br />
3.4.2 Future Direction<br />
<strong>IBM</strong> continues to invest heavily in improving the AS/400 family. Near-term<br />
enhancements will center around increasing top-end capacity through the<br />
Apache processors and through greater use of symmetrical multiprocessing (up<br />
to 12-way in 1997). During 1998 NT will become available on the Integrated PC<br />
Server. In the same timeframe, Lotus Domino will be fully integrated within<br />
OS/400 as will a high-performance version of the Java Virtual Machine. While all<br />
of <strong>IBM</strong> is in love with Java, the AS/400 Division is where the flame burns<br />
brightest. The reasons why the AS/400 and Java are such a good match include:<br />
• The Java Virtual Machine is a high-level programming interface that takes a<br />
standard language and allows it to run on any hardware. This is exactly what<br />
the AS/400′s Technology Independent Machine Interface (TIMI) does. <strong>IBM</strong><br />
only needs to enhance TIMI to make the AS/400 into an excellent Java<br />
server.<br />
• Java creates object-oriented applications that the AS/400 can serve<br />
especially well because of the object persistence capability discussed above.<br />
• Openness advocates see Java as the best hope for a universal programming<br />
language. If Java becomes the most popular language for application<br />
developers, the AS/400′s image as an open system will be greatly enhanced.<br />
This will also insure that the best new applications are immediately available<br />
on AS/400s.<br />
The Java language provides the technical foundation for a project <strong>IBM</strong> calls San<br />
Francisco. Its goal is to help application developers take advantage of object<br />
technology. This will make it possible for developers to create leading-edge<br />
applications at a fraction of the current cost. <strong>IBM</strong> will sell pre-built application<br />
building blocks called frameworks. Developers will take these Java frameworks<br />
and build unique applications on top of them.<br />
Java runs on most popular computers. Applications built with the San Francisco<br />
frameworks will therefore be able to run on many computers. In spite of this, the<br />
AS/400 Division expects to be the major beneficiary of San Francisco because it<br />
expects to offer the best Java servers. Within <strong>IBM</strong>, San Francisco is being<br />
developed in the same laboratory as the AS/400 because of their unique<br />
understanding of object technology and Java.<br />
This same laboratory in Rochester, Minnesota is also where <strong>IBM</strong> does the<br />
development for its new network computer (NC). <strong>IBM</strong> believes that NCs will<br />
evolve into a cost-effective alternative to PCs, especially if Java succeeds. A<br />
special division, headed by Bob Dies, former General Manager of the AS/400<br />
Division, has been formed just to develop network computers. As a result, it is<br />
reasonable to expect a great deal of future synergy between the AS/400 and<br />
NCs. Lotus Notes represents another opportunity for synergy with other <strong>IBM</strong><br />
products. The Notes/Domino server now runs on the AS/400′s Integrated PC<br />
Server. During 1998 <strong>IBM</strong> plans to fully integrate Notes into OS/400. D.H.<br />
Andrews group′s new report ″Lotus Notes and Domino″ provides a high-level<br />
explanation of these very unique products.<br />
3.4.3 Where AS/400 Systems Fit<br />
AS/400 systems compete in the same general price and capacity range as many<br />
UNIX computers. The value proposition AS/400 and UNIX computers offer is very<br />
different. The largest parts of the UNIX market, technical workstations and<br />
servers for compute-intensive applications, are segments where AS/400 systems<br />
have little to offer. Where the two do overlap is in commercial application<br />
serving.<br />
The primary disadvantage of UNIX in commercial computing is its complexity.<br />
Buyers who require an environment that is easy to install and use will tend to<br />
prefer the AS/400. Those who want the ability to select and integrate many<br />
different middleware products to create the exact environment needed will be<br />
attracted to UNIX.<br />
AS/400 also overlaps with the lower end of the S/390 product line. As a result,<br />
many organizations have moved applications from S/390 systems to the AS/400<br />
in the past. The heart of the S/390 market is not threatened by the AS/400 since<br />
organizations with very large-scale problems tend to value the unique benefits<br />
that only S/390 can provide.<br />
The most important factor in deciding which to use is the projected workload and<br />
its expected growth. Applications that are accessed by tens of thousands of<br />
workstations, store multiple terabytes of data, and process thousands of<br />
transactions per second are obvious candidates for the S/390. The greater the<br />
need for a completely fail-safe operation, the more likely S/390 is the answer.<br />
When the workload is primarily batch processing or is a good candidate for a<br />
highly centralized approach, then S/390 systems also tend to be more attractive.<br />
The most obvious reason to use an AS/400 is the availability of an application<br />
well suited to the buyer′s need. When an application workload can comfortably<br />
fit on an AS/400, it is an option worth considering because of the much greater<br />
simplicity. AS/400s also make sense when there is a need to distribute<br />
computing power to a number of remote locations.<br />
In the longer term, the greatest potential threat to the AS/400 franchise is Intel<br />
servers running NT. At the moment, AS/400 systems offer a great deal of<br />
capability not yet available with NT, especially in terms of system management.<br />
There are also currently not nearly as many NT applications on the market. On<br />
the other hand, NT is changing and improving at a very rapid rate.<br />
A growing number of AS/400 sites are using NT as the network operating system<br />
for their PC networks. The threat to <strong>IBM</strong> is not that NT will instantly take over but<br />
that a slowly increasing percentage of computing tasks will go on servers<br />
running NT. To counter this threat <strong>IBM</strong> will offer NT on their Integrated PC<br />
Servers within AS/400s.<br />
<strong>IBM</strong> is counting on Java to slow the momentum of NT. Java will not stop NT<br />
from overtaking NetWare as the leading network operating system. The real<br />
question is what will become the preferred programming environment for<br />
software developers. If Java is a winner, then the AS/400 will benefit<br />
substantially.<br />
3.4.3.1 <strong>IBM</strong> AS/400 within Internet Environment<br />
The AS/400 platform is an excellent choice to create an Internet server because<br />
Internet Connection for AS/400 supports HTTP drivers that can serve any native<br />
AS/400 application over the Internet without a rewrite or recompile. Even<br />
traditional, host-based applications can be served to terminals running popular<br />
Web browsers. Internet users are also able to download files or software, as<br />
well as access the AS/400 database, from Web browsers.<br />
Using the HTTP protocol, customers can enhance existing AS/400 applications<br />
with hypertext capabilities or attention-getting graphics, audio and video. With<br />
Internet Connection, users can also monitor the attention people are paying to<br />
their presence on the Web.<br />
AS/400 supports the TCP/IP Serial Line Internet Protocol (SLIP), which provides<br />
native TCP/IP connectivity to the Internet over telephone lines.<br />
AS/400 also supports the popular Internet Post Office Protocol (POP3), enabling<br />
AS/400 to deliver electronic correspondence to OS/2, UNIX, Windows and<br />
Macintosh clients running the most popular mail products.<br />
With support for Lotus Notes Release 4, AS/400 users can use a solution that<br />
integrates messaging, groupware and the World Wide Web for building and<br />
distributing custom client/server, Internet and intranet applications.<br />
Notes′ open architecture leverages and maximizes existing AS/400 investments<br />
by providing a client/server application development environment, bidirectional<br />
field-level replication, client/server messaging and integration with relational<br />
databases. Lotus Notes also provides Internet integration, allowing users to<br />
publish, locate and share Internet information through functions included in<br />
Notes Release 4. Lotus Notes will reside under OS/2 on a dedicated AS/400<br />
Integrated PC Server (FSIOP). The Integrated PC Server can manage up to eight<br />
networks, consisting, for example, of Notes, OS/2 or Novell NetWare.<br />
AS/400 has an integrated operating system that provides unrivaled security on<br />
the Internet. AS/400 security features protect against hackers and viruses.<br />
If you need information such as available models, supported devices and<br />
technical details about the AS/400 family, go to the <strong>IBM</strong> AS/400 home page at:<br />
http://www.as400.ibm.com<br />
3.5 <strong>IBM</strong> System/390<br />
For a long period of time it was fashionable to dismiss S/390 systems as relics of<br />
a bygone era. The mainframe age appeared to have passed, and it seemed to be<br />
only a matter of time before a combination of Intel and RISC-based servers<br />
replaced them all. Had <strong>IBM</strong> left the System/390 alone, it surely would have faded<br />
away as predicted.<br />
Since the S/360 series was introduced in 1965, mainframes have been a key<br />
source of profitability for <strong>IBM</strong>. Every few years something new has come along to<br />
threaten this franchise. The most recent attack came the closest to succeeding<br />
because by the early 1990s mainframes had become non-competitive in four<br />
important ways:<br />
• Costs were much higher than alternatives.<br />
• S/390s were too complex.<br />
• Available applications were old and tired.<br />
• Industry-standard interfaces and development tools were unavailable.<br />
<strong>IBM</strong> began to overhaul the S/390 line in 1993. By mid-1997 the transformation will<br />
be largely complete. Since the changes have taken over five years, their<br />
significance has been easy to miss. It hasn′t helped that <strong>IBM</strong> stuck to its old<br />
habit of using esoteric jargon to describe what it was doing.<br />
The key elements of the mainframe makeover were:<br />
• Reducing cost by changing chip technology.<br />
• Adopting industry standards.<br />
• Bundling middleware products and lowering software costs.<br />
• Attracting a new wave of leading applications.<br />
As the dust begins to settle, it is clear that the new S/390 is different enough so<br />
that <strong>IBM</strong> would have been justified in changing its name. At the very least, the<br />
change should be sufficient to bury the meaningless name mainframe.<br />
The new S/390 systems are physically small, no longer require water cooling,<br />
and can run many more applications. They achieve almost unlimited growth<br />
potential through the parallel connection of large numbers of microprocessors.<br />
A more accurate nickname for them (and the alternatives that will soon come<br />
from Hitachi and Amdahl) would be microframe. The rest of this report will use<br />
microframe as the generic name for the new type of computer that S/390s have<br />
become.<br />
3.5.1 Mainframes Morph into Microframes<br />
The first challenge <strong>IBM</strong> faced in 1993 was to phase out the high-speed, but<br />
expensive, bipolar processors that powered all of the larger S/390s. The plan<br />
was to switch to the same type of chips other computers were using,<br />
Complementary Metal Oxide Semiconductor (CMOS), in order to get on the same<br />
volume-driven cost curve as Intel processors.<br />
The new S/390 microframes use a CMOS chip with a unique instruction set but<br />
are able to benefit from all the other economies of scale. Each year since 1993<br />
<strong>IBM</strong> has increased the speed of its CMOS processors. In mid-1997 a processor<br />
called the G4 will rival the speed of <strong>IBM</strong>′s bipolar processors. <strong>IBM</strong> is therefore<br />
now ramping down its bipolar production lines.<br />
Having decided to use CMOS processors, <strong>IBM</strong> needed a way to grow top-end<br />
capacity faster than processor chip speeds. The practical limitations of<br />
symmetrical multiprocessing were being reached; so another approach was<br />
needed. The result was a highly parallel architecture called Parallel Sysplex<br />
that clustered large numbers of CMOS processors together into integrated<br />
systems.<br />
It is not difficult to physically connect large numbers of processors together.<br />
Allowing them to operate as one system and to divide up a complex workload is<br />
another matter. The necessary system software changes represented a huge<br />
challenge that took longer than planned. Parallel capability needed to be added<br />
to MVS as well as middleware products such as CICS, IMS, VSAM, and DB2.<br />
Third-party middleware products from companies such as Oracle, Informix,<br />
Sybase, and Computer Associates also needed to be upgraded.<br />
The system software for Parallel Sysplex has arrived in stages over the past<br />
three years. 1997 will be the first year when Parallel Sysplex computers are able<br />
to run almost any application that large-scale customers are likely to have. As<br />
Parallel Sysplex matures, it could become the standard approach for large-scale<br />
transaction processing.<br />
The investment in Parallel Sysplex should begin to pay off in 1997 as the demand<br />
for large-scale systems explodes. Other alternatives will find it hard to match the<br />
top-end growth and price/performance of Parallel Sysplex.<br />
3.5.2 OS/390<br />
<strong>IBM</strong> has also helped make S/390 more competitive by lowering the cost of<br />
software on CMOS and Parallel Sysplex systems and by creating OS/390, an<br />
integrated package of the most popular S/390 middleware products and the<br />
latest version of MVS.<br />
In addition to solving the S/390′s cost problem, <strong>IBM</strong> has worked hard to make it<br />
much more open. Important openness enhancements include:<br />
• Support for connection interfaces such as Ethernet, FDDI, and ATM.<br />
• Offering TCP/IP as an alternative to SNA for network management.<br />
• Adopting UNIX-standard programming interfaces.<br />
• Allowing the attachment of industry-standard devices.<br />
The combination of competitive costs and open interfaces has made it possible<br />
to begin to attract quality application packages. S/390 microframes are now in a<br />
better position to compete for computing workloads because:<br />
• They excel at providing continuous computing for high-traffic applications.<br />
• Parallel Sysplex offers almost unlimited growth potential.<br />
• High-bandwidth remote communication makes greater centralization<br />
feasible.<br />
• Very large database servers are needed for client/server applications such<br />
as SAP.<br />
• DB2 excels in high-volume situations.<br />
• <strong>IBM</strong> is working with its largest customers on industry solutions, many on<br />
S/390.<br />
• The incremental cost of adding S/390 capacity is usually low.<br />
All this will result in rapid growth in demand for S/390 capacity even though the<br />
total number of S/390 installations in the world will increase slowly.<br />
Because economies of scale strongly encourage consolidation, the initial<br />
investment to set up a full-function S/390 environment is very large. The<br />
hardware cost is only a starting point. A number of highly specialized technical<br />
people are needed to surround any large S/390 system. In some places the<br />
talent needed is not available at any cost. Small S/390 systems are available, but<br />
they are best used as satellites for larger complexes. Those not using OS/390<br />
and a full suite of middleware do not gain the benefit of the full S/390<br />
experience.<br />
Once the investment has been made to establish a S/390 environment, the<br />
marginal cost to add capacity is very small. When a certain size is reached,<br />
there is a limited need to add expensive technical support people. For this<br />
reason CMOS and Parallel Sysplex make it easy for current S/390 users to keep<br />
upgrading. It also makes it attractive to add additional S/390 capacity when a<br />
new requirement comes along, such as building a data warehouse.<br />
An important source of new S/390 installations will be emerging economies<br />
including Asia, Eastern Europe, and Latin America. Rapid economic growth often<br />
triggers the need for large-scale processing especially within the government<br />
sector. It makes little sense, for example, to use anything other than a<br />
microframe for processing tax returns.<br />
The economies of scale make S/390 an excellent platform for outsourcing. Over<br />
time, fiber-optic technology will make channel-speed communications affordable<br />
over long distances. This will greatly increase the appeal of using S/390 capacity<br />
provided from large central data centers, outsourcing providers, or computer<br />
utility firms.<br />
The trend toward distribution of computing resources has largely been driven by<br />
high communication costs, limited line speeds, and poor response times. As<br />
these factors diminish, there is certain to be a return to greater centralization.<br />
3.5.3 <strong>IBM</strong> System/390 within Internet Environment<br />
With S/390, you can meet the needs of thousands of Internet and intranet users.<br />
As a server designed for large-volume transactions, it can easily handle just<br />
about anything in global networking.<br />
S/390 lets you link existing applications to the World Wide Web with minimal<br />
modifications and without moving data to other Web-serving platforms. The <strong>IBM</strong><br />
Internet Connection Server for MVS/ESA has a direct connection to CICS, IMS,<br />
DB2 and MQSeries. The S/390 allows you to start small on your Internet and<br />
intranet offerings, then scale up as needed to handle thousands of transactions.<br />
The S/390 can rely on cryptography functions to protect your data. You can<br />
establish a wide range of security measures and procedures, such as access<br />
control policies, passwords, and special user privileges.<br />
Built into the current Internet Connection Server for MVS/ESA, through the<br />
System Access Facility, is access to such MVS system resource managers as<br />
RACF or the OS/390 security server. You can use this technology to control<br />
access to files and other system resources.<br />
Instead of adding servers to meet changing performance demands, you can<br />
allocate S/390 server capacity to the public network partition.<br />
S/390 gives you all the security and performance that you need to create a<br />
powerful Internet server.<br />
If you need more information such as available models, supported devices and<br />
technical details about S/390 go to the <strong>IBM</strong> S/390 home page on the Internet at:<br />
http://www.s390.ibm.com<br />
3.6 Summary<br />
Figure 48 shows the <strong>IBM</strong> platforms and their indicated use in the Internet<br />
environment:<br />
Figure 48. Platforms and Services<br />
Today you can use all these platforms to deliver information on the Internet. The<br />
choice will be made based on your performance needs and investment limits.<br />
Chapter 4. Internet Services<br />
There are several services you should consider supporting for your user base.<br />
This chapter outlines several of the key services commonly supported by ISPs.<br />
It is important to note that you won′t be expected to run a server for every single<br />
service discussed here. You should treat this list as food for thought. You may<br />
also find that some, or all, of these services may be provided either free<br />
(included in the cost of your link), or at an additional cost from your upstream<br />
provider.<br />
Throughout this chapter, server refers to the program running on one of your<br />
machines providing the service being discussed. You will be able to run more<br />
than one server on each machine in most cases.<br />
4.1 Domain Name Service<br />
The Domain Name Service (DNS) has become the glue that binds the Internet<br />
together. It provides a mechanism for converting easy-to-remember names such<br />
as www.ibm.com into the less easy to remember IP addresses that are used in<br />
the underlying protocols. It is also used for other services; for example, using a<br />
special record in the DNS, you can make use of your upstream provider′s mail<br />
backup servers (if they provide that service). DNS issues are discussed in the<br />
comp.protocols.tcp-ip.domains news group.<br />
4.1.1 Berkeley Internet Name Daemon<br />
Before you can register any domains (see 2.2.4.6, “How to Obtain a Domain<br />
Name” on page 48), you need to have the domains configured on a name<br />
server. If you choose to run your own name server, the most commonly used<br />
server is the Berkeley Internet Name Daemon (BIND), which is now maintained by<br />
the Internet Software Consortium (ISC). Other DNS implementations have been<br />
made available, but the majority of name servers in the field are either running<br />
BIND, or a product that is based on BIND. BIND is released in source code<br />
format for free by the ISC, and a lot of effort has been made to support as many<br />
operating systems as possible.<br />
If you are running UNIX as your server platform, the chances are that the<br />
provided DNS daemon is an (albeit out of date) implementation of BIND.<br />
The support Web page for BIND can be found at http://www.isc.org/bind.html and<br />
it includes lots of links to other DNS-related sites. BIND has its own support<br />
newsgroup: comp.protocols.dns.bind.<br />
4.2 Mail Service<br />
It used to be the case that if you provided an e-mail address for your users, then<br />
you were classed as an ISP. Although this perception has changed, e-mail is<br />
still a critical service to provide. Your users will expect at least one e-mail<br />
address from you, most ISPs now provide around three e-mail addresses per<br />
account.<br />
You will need two mail servers: one from which your users collect their own<br />
mail (the POP server), and one that receives incoming mail, places it in the<br />
users' mailboxes on the POP server, and lets your users send mail (the SMTP<br />
server, or relay).<br />
4.2.1 POP Server<br />
Because your dial up users won′t be connected to the Internet 24 hours a day,<br />
they won′t always be connected when somebody sends them mail, so you will<br />
have to hold their mail for them, until they pick it up.<br />
The most common method of mail retrieval by clients is POP3 (Post Office<br />
Protocol Version 3). The user's e-mail software connects to the POP server,<br />
logs on with a user ID and password (both sent in the clear), downloads any<br />
waiting mail, deletes the mail from your server and disconnects.<br />
Most UNIX operating systems come with a POP server supplied, but there are<br />
several alternatives available on the Internet.<br />
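The session just described, as an added example (not code from the Redbook or from any POP server): an in-memory POP3 mailbox that answers the commands a dial-up client sends, USER/PASS, STAT, RETR, DELE and QUIT, following RFC 1939. The user name, password and the two messages are constructed. The detail worth seeing is that DELE only marks a message; nothing is removed until QUIT, so a dropped modem line loses no mail.<br />

```python
"""POP3 mailbox semantics sketched as an in-memory server (RFC 1939)."""


class Pop3Mailbox:
    """Server side of one POP3 session over a constructed mailbox."""

    def __init__(self, users, messages):
        self.users = users              # {user: password}, constructed
        self.messages = list(messages)  # stored mail, oldest first
        self.user = None
        self.authed = False
        self.deleted = set()            # indexes marked by DELE, not yet removed

    def _live(self):
        return [m for i, m in enumerate(self.messages) if i not in self.deleted]

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "+OK"
        if verb == "PASS":
            # USER/PASS carry the password in the clear on the wire; the
            # server just compares it with the stored credential.
            if self.users.get(self.user) == arg:
                self.authed = True
                return "+OK mailbox locked"
            return "-ERR authentication failed"
        if not self.authed:
            return "-ERR not authenticated"
        if verb == "STAT":
            live = self._live()
            return "+OK %d %d" % (len(live), sum(len(m) for m in live))
        if verb == "RETR":
            i = int(arg) - 1
            if not 0 <= i < len(self.messages) or i in self.deleted:
                return "-ERR no such message"
            return "+OK\r\n" + self.messages[i] + "\r\n."
        if verb == "DELE":
            i = int(arg) - 1
            if not 0 <= i < len(self.messages):
                return "-ERR no such message"
            self.deleted.add(i)          # marked only; still on disk
            return "+OK marked"
        if verb == "RSET":
            self.deleted.clear()
            return "+OK"
        if verb == "QUIT":
            # UPDATE state: only now do marked messages really go away.
            self.messages = self._live()
            self.deleted.clear()
            self.authed = False
            return "+OK bye"
        return "-ERR unknown command"


def fetch_all(mailbox, user, password):
    """Client side: what a typical mail program does on each dial-up.

    Returns the downloaded messages, or None if the password was rejected.
    """
    mailbox.command("USER " + user)
    if not mailbox.command("PASS " + password).startswith("+OK"):
        return None
    count = int(mailbox.command("STAT").split()[1])
    got = []
    for n in range(1, count + 1):
        reply = mailbox.command("RETR %d" % n)
        got.append(reply[len("+OK\r\n"):-len("\r\n.")])
        mailbox.command("DELE %d" % n)
    mailbox.command("QUIT")
    return got
```

RFC 1939 also defines APOP, which replaces PASS with an MD5 digest of a server-supplied timestamp and the shared secret, so the password itself is not sent; few 1997 clients use it, but it is the option to look for if your users log in over networks you do not control.<br />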
4.2.1.1 Internet Message Access Protocol<br />
The Internet Message Access Protocol, currently at Version 4 (IMAP4), is less<br />
common than POP3 but is gaining popularity all the time. The most significant<br />
difference between POP and IMAP is that IMAP clients leave the mail on the<br />
server, rather than downloading the messages and removing them from the<br />
server as POP clients do. IMAP provides folders on the server, giving a<br />
remote mailbox which can be manipulated in the same way as local mailboxes.<br />
4.2.2 SMTP Server<br />
The way that e-mail is sent from source to destination has changed very little<br />
since it was first used. It used to be the case that the source machine connected<br />
directly to the target machine, transferred the message and disconnected. If the<br />
target machine was down, then the source machine would try again later, and<br />
keep trying until either the mail was delivered or some time-out limit was<br />
reached. However, some machines wanted to receive e-mail but weren't<br />
directly connected to the Internet. This was accomplished by placing mail relays<br />
on the Internet that knew how to contact these non-Internet-connected machines.<br />
These principles still hold, but the mail relays now have an extra role to perform:<br />
some, or all, of your customers won't be connected to the Internet 24 hours a<br />
day, so if the destination is down, their machines may not be able to retry. The<br />
solution is for you to provide a mail relay for them. In this case, the user's<br />
e-mail software sends the mail to your mail relay, which then queues it and<br />
attempts to send it on to the destination on behalf of the user. Make sure the<br />
relay only forwards mail that comes from your own customers or is addressed<br />
to domains you host; a relay that accepts mail from anyone to anywhere is an<br />
open relay and will be found and abused by spammers.<br />
Every single UNIX implementation comes with a mail server. The most popular<br />
one is Sendmail, which is supported by its author, Eric Allman<br />
(http://www.sendmail.org/). Sendmail is not without some very subtle bugs,<br />
several of them security-relevant. If you choose Sendmail, it is highly<br />
recommended that you keep up to date with fixes and new releases.<br />
4.2.3 <strong>IBM</strong> Messaging Solutions for ISPs<br />
The <strong>IBM</strong> Messaging Solutions for ISPs is described in B.8, “<strong>IBM</strong> Messaging<br />
Solution for ISPs” on page 323. This is a scalable solution which means that<br />
you can start small and build up as your user base increases. Its based on a set<br />
of modular application servers which include SMTP, POP3 and IMAP4 servers. It<br />
also includes a Lightweight Directory Access Protocol (LDAP) compliant<br />
directory, which allows clients such as Netscape Navigator to issue directory<br />
enquiries.<br />
4.3 Web Service<br />
In today's Internet, you are nobody without a Web site. Your users will also<br />
expect some space on your Web server to put up some pages of their own. This<br />
could be accomplished either by asking your users to e-mail you their Web<br />
pages and graphics for you to upload onto the Web server, or by giving each<br />
user FTP access to their own area on the Web server. If you take the FTP route,<br />
make sure each user's FTP login is confined to that user's own area.<br />
There are literally hundreds of Web servers available on the Internet to<br />
download, including one from Lotus: Go Webserver, available from<br />
http://www.ics.raleigh.ibm.com/dominogowebserver/. Go Webserver is<br />
described in B.9, “Lotus GO Server” on page 330.<br />
4.4 FTP Service<br />
FTP, or File Transfer Protocol, is a simple protocol that is supported by all Internet<br />
server and client platforms. An FTP server can be used to distribute updates to<br />
client programs to your users, and your users may want to share data with other<br />
people via FTP.<br />
4.5 Chat Service<br />
This section describes the real-time chat services available.<br />
4.5.1 Internet Relay Chat<br />
IRC, or Internet Relay Chat, was created in Finland in 1988. It allows users from<br />
all over the world to get together online and chat in real time.<br />
It is unlikely that you will need to run an IRC server yourself, as there are lots of<br />
IRC networks already in existence. An IRC network is a group of IRC servers<br />
connected together so that a user on one server can participate in a discussion<br />
with a user on another server, possibly on the other side of our planet.<br />
The Internet Relay Chat Help Web site at http://www.irchelp.org/ provides lots of<br />
help with IRC, and also lists all of the major IRC networks.<br />
You may also wish to put the IBM IRC Client for Java on your Web site. This will<br />
allow your users to connect to an IRC network and start chatting without having<br />
to download any software other than a Java applet. The IBM IRC Client for Java<br />
is available from AlphaWorks: http://www.alphaWorks.ibm.com/.<br />
4.6 News Service<br />
USENET is made up of several thousand newsgroups. A newsgroup can be<br />
thought of as a bulletin board. Users can read that newsgroup, and if they have<br />
something to contribute, then they post to it. (A user's post is referred to as an<br />
article.)<br />
Each news server maintains its own copy of each newsgroup and sends a copy of<br />
each new article to all of its neighbors that it thinks are interested in it. Thus<br />
news propagates as a flood. Two articles may take completely different paths to<br />
get from one point to another because some sites may have backlogs, or may<br />
only transfer news at certain times, and so on.<br />
Newsgroups are collected into hierarchies of similar interest, either<br />
geographically or topically. Hierarchies are then usually split into<br />
subhierarchies and so on, right down to news groups. For example, the<br />
newsgroup discussing the software that drives the USENET is:<br />
news.software.nntp.<br />
news - Discussion about USENET<br />
software - Discussion about USENET software<br />
nntp - Discussion about the USENET software that implements NNTP<br />
(Network News Transport Protocol).<br />
There are nearly 500 official hierarchies, with at least two more on the way. The<br />
Master List of Hierarchies is maintained by Lewis S. Eisen (leisen@pfx.on.ca),<br />
and is available on the Web at:<br />
http://home.magmacom.com/leisen/master_list.html and is posted to USENET<br />
every second Monday in the groups news.answers, news.admin.hierarchies and<br />
news.groups.<br />
The big-8 news hierarchies are:<br />
comp. USENET computer newsgroups<br />
humanities. USENET discussions about Humanities<br />
misc. USENET miscellaneous newsgroups<br />
news. USENET news<br />
rec. USENET recreational newsgroups<br />
sci. USENET science newsgroups<br />
soc. USENET social issues newsgroups<br />
talk. USENET talk newsgroups<br />
Humanities hasn′t really taken off, so the big-7 are often discussed where the<br />
big-8 would be expected.<br />
The big-8 have very explicit rules regarding creating new groups. A discussion<br />
must be had and a vote taken before the control message is sent out. When this<br />
process was being created, a group of people decided that they didn′t like the<br />
formality, and so created the alt. hierarchy, where anybody in the world can<br />
create new groups.<br />
Alt. is often described as being an abbreviation for alternative, that is, an<br />
alternative to the big-8. Eric Ziegast (ziegast@uunet.uu.net) stated: “ALT stands<br />
for ‘Anarchists, Lunatics and Terrorists’”, as quoted by David Barr in his “So You<br />
Want to Create an Alt Newsgroup” FAQ<br />
(http://www.cis.ohio-state.edu/barr/alt-creation-guide.html).<br />
The necessary configuration files are also posted to the USENET every month by<br />
Simon Lyall (simon@darkmere.gen.nz) in the news.lists.misc and<br />
news.admin.hierarchies newsgroups with the subject ″USENET Hierarchies:<br />
Config Files FAQ″.<br />
4.6.1 USENET<br />
USENET is rapidly approaching crisis state. A handful of companies are viewing<br />
USENET as free marketing.<br />
This has had several adverse side-effects:<br />
• In many newsgroups, it is now almost impossible to hold a discussion on the<br />
original topic of the newsgroup because of the volume of spam. Such<br />
newsgroups are described as having a signal-to-noise ratio approaching<br />
zero. Signal-to-noise is a term borrowed from radio enthusiasts describing the<br />
quality of a transmission: a high signal-to-noise ratio means that there is<br />
little background noise or static.<br />
• A small group of people have taken it upon themselves to try to clear up<br />
some of the spam by sending out cancel messages. These cancellers have<br />
programs that monitor USENET, and when a post's Breidbart Index (BI)<br />
hits a certain threshold it is cancelled. For a detailed description of the<br />
Breidbart Index, see http://www.math.uiuc.edu/tskirvin/faqs/spam.html.<br />
• The volume of the spam and the cancels is severely impacting the<br />
performance of news servers. For a full feed, the approximate figures for<br />
August 1997 are 600,000 articles and 10 GB per day. Of those 600,000,<br />
approximately 10% are cancel messages.<br />
Another problem with USENET is that alt groups are created, but never die.<br />
The USENET community have several initiatives in plan to try and fix the<br />
situation.<br />
1. USENET2 or 2senet<br />
2. The other USENET2<br />
3. The mod hierarchy<br />
Each of these approaches the situation differently, and with differing goals.<br />
4.6.1.1 USENET2 or 2senet<br />
This initiative is being undertaken by a group of system administrators fed up<br />
with the current anarchy that is USENET. This currently takes the form of a<br />
single hierarchy, although it is expected to grow with time.<br />
2senet lays down some very explicit rules about what is and what is not<br />
permitted in an article. The rules revolve around the term soundness. Sound<br />
articles are defined in the rules, as are sound sites. Unsound articles are either<br />
dropped or cancelled by a net-monitor program that monitors 2senet. Unsound<br />
sites are cut off from the 2senet completely. See http://www.usenet2.org/ for<br />
more details about 2senet.<br />
4.6.1.2 The Other USENET2<br />
The other USENET2 (an unfortunate namespace collision) was proposed by Joe<br />
Greco (joe@ns.sol.net). Rather than start from scratch with brand new<br />
newsgroups, Greco proposes that USENET2 is set up with the same list of<br />
newsgroups, and that articles from the old USENET are gatewayed in by a few<br />
gateway machines after they have been delayed for a short time, so that spam<br />
filters can process them and cancel messages can catch up with them.<br />
If a site is found to break any of the USENET2 rules, it is to be disconnected from<br />
USENET2 until a vote by USENET2 administrators affirms that they are willing to<br />
give the site a second chance. The USENET2 rules can be found at:<br />
http://www.nntp.sol.net/usenet2.txt.<br />
4.6.1.3 The mod. Hierarchy<br />
The mod. hierarchy is attempting to solve the problems of the alt. hierarchy.<br />
Mod. tries to keep as much of the character of alt. as possible. The main<br />
differences are:<br />
• Anyone can request that a newsgroup is created, rather than create it<br />
themselves. With very few exceptions, any requested newsgroup will be<br />
created.<br />
• Every newsgroup is moderated. What this means is that rather than posts<br />
going straight to the newsgroup, they are e-mailed to the moderator who will<br />
post them on behalf of the user. The moderator is under no pressure to<br />
approve all postings, in fact many people who follow USENET are hoping that<br />
the moderator won′t approve SPAM or off-topic posts, etc.<br />
• Newsgroups that appear to have died, that is have no traffic, will be<br />
removed.<br />
Discussion of mod. takes place in the news.admin.hierarchies newsgroup. The<br />
manifesto is published at http://www.uiuc.edu/ph/www/tskirvin/faqs/manif.html.<br />
4.6.2 Netscape News Server<br />
The IBM Solutions for ISPs' recommended news server is Netscape News<br />
Server, which has been renamed Collabra in its latest release. Netscape<br />
News, or Collabra, is based on INN (InterNetNews) and adds administrative<br />
tools, such as a Web-based admin tool and, on the NT version, a graphical front<br />
end. All of the above considerations apply to Netscape News as they would to<br />
any other news server.<br />
Chapter 5. Management<br />
Though the planning and setup of your ISP will initially require all your attention,<br />
once your ISP has been established you will be spending most of your time<br />
managing your ISP resources. The manner in which you manage these<br />
resources is a critical factor in the success of your ISP. Success means being<br />
able to provide customers with high levels of service and performance. This is<br />
essential to ensure your customers′ satisfaction. Proper management will allow<br />
you to react to network outages or increased customer demand. You will need<br />
to manage the users that have access to your system, the amount of time they<br />
spend on your system, the amount of time others spend looking at their<br />
offerings, as well as your own connection to the Internet. Tools available to help<br />
you with these tasks are discussed in the following sections.<br />
5.1 Authentication<br />
Any time a modem is added to a network, the network becomes more vulnerable<br />
to security breaches. An ISP, of course, wants to guard against such break-ins.<br />
However, valid users must be permitted to access the services that you provide.<br />
The security system that an ISP puts in place must not be so cumbersome as to<br />
cause valid users difficulty in accessing the system. All popular authentication<br />
solutions keep track of users and their authorizations. When a user attempts to<br />
access your services, an identification sequence is performed.<br />
The typical identification sequence consists of obtaining a user name and<br />
password from the user and then verifying them through the authorization system.<br />
If the user name and password are correct, the user is granted access to<br />
specific resources on the network. If the conditions of the log-in process are not<br />
met, the user is denied access to the network.<br />
There are many authentication protocols in use today. Table 22 shows some of<br />
these. Of course it is important that an authentication system support as many<br />
different types of clients as possible. Ideally, there is a link between the<br />
authorization and the billing system, which is discussed next.<br />
Table 22. Authentication Protocols<br />
Protocol  | Sponsor                                      | Platform<br />
CHAP/PAP  | Microsoft (www.internic.net/rfc/rfc1994.txt) | Macintosh, UNIX, Windows 95<br />
Kerberos  | MIT Athena project (web.mit.edu)             | DOS, OS/2, OS/390, UNIX, VM, Windows, Windows 95<br />
RADIUS    | Livingston Enterprises (www.livingston.com)  | AIX, BSD/OS, HP/UX, Linux, OSF/1, RADIUS NT, SGI Irix, Solaris, SunOS<br />
TACACS    | Cisco (cio.cisco.com)                        | Cisco IOS<br />
5.1.1 Challenge Handshake Authentication Protocol/Password Authentication Protocol (CHAP/PAP)<br />
The Point-to-Point Protocol (PPP) provides a standard method of encapsulating<br />
Network Layer protocol information over point-to-point links. PPP also defines<br />
an extensible Link Control Protocol, which allows negotiation of an<br />
Authentication Protocol for authenticating its peer before allowing Network Layer<br />
protocols to transmit over the link.<br />
After a PPP link has been established, PPP provides for an optional<br />
Authentication phase before proceeding to the Network Layer Protocol phase.<br />
By default, authentication is not mandatory. If authentication is desired, the<br />
Authentication Protocol Configuration Option must be specified during the link<br />
establishment phase.<br />
These authentication protocols are intended for use primarily by hosts and<br />
routers that connect to a PPP network server via switched circuits or dial-up<br />
lines, but might be applied to dedicated links as well. The server can use the<br />
identification of the connecting host or router in the selection of options for<br />
network layer negotiations. CHAP and PAP are two authentication protocols for<br />
PPP links.<br />
5.1.1.1 PAP<br />
The Password Authentication Protocol (PAP) provides a simple method for the<br />
peer to establish its identity using a 2-way handshake. This is done only upon<br />
initial link establishment.<br />
After the link establishment phase is complete, an ID/password pair is<br />
repeatedly sent by the peer to the authenticator until authentication is<br />
acknowledged or the connection is terminated.<br />
PAP is not a strong authentication method. Passwords are sent over the circuit<br />
“in the clear”, and there is no protection from playback or repeated trial and<br />
error attacks. The peer is in control of the frequency and timing of the attempts.<br />
Any implementations which include a stronger authentication method (such as<br />
CHAP, described below) must offer to negotiate that method prior to PAP. This<br />
authentication method is most appropriately used where a plain text password<br />
must be available to simulate a login at a remote host. In such use, this method<br />
provides a similar level of security to the usual user login at the remote host.<br />
Note: It is possible to limit the exposure of the plain text password to<br />
transmission over the PPP link, and avoid sending the plain text password over<br />
the entire network. When the remote host password is kept as a one-way<br />
transformed value, and the algorithm for the transform function is implemented<br />
in the local server, the plain text password should be locally transformed before<br />
comparison with the transformed password from the remote host.<br />
5.1.1.2 CHAP<br />
CHAP basically uses a random challenge, with a cryptographically hashed<br />
Response which depends upon the challenge and a secret key.<br />
CHAP is used to periodically verify the identity of the peer using a three-way<br />
handshake. This is always done upon initial link establishment and may be<br />
repeated anytime after the link has been established.<br />
A typical protocol sequence is as follows:<br />
1. After the link establishment phase is complete, the authenticator sends a<br />
challenge message to the peer.<br />
2. The peer responds with a value calculated using a one-way hash function.<br />
3. The authenticator checks the response against its own calculation of the<br />
expected hash value. If the values match, the authentication is<br />
acknowledged; otherwise the connection should be terminated.<br />
4. At random intervals, the authenticator sends a new challenge to the peer,<br />
and repeats steps 1 to 3.<br />
CHAP provides protection against a playback attack by another peer through the<br />
use of changing identifiers and variable challenge values. The authenticator is<br />
in control of the frequency and timing of challenges.<br />
This authentication method depends upon a secret known only to the<br />
authenticator and that peer. The secret is not sent over the link.<br />
Although the authentication is only one-way, by negotiating CHAP in both<br />
directions the same secret set may easily be used for mutual authentication.<br />
Since CHAP may be used to authenticate many different systems, name fields<br />
may be used as an index to locate the proper secret in a large table of secrets.<br />
This also makes it possible to support more than one name/secret pair per<br />
system, and to change the secret in use at any time during the session.<br />
CHAP requires that the secret be available in plaintext form. Irreversibly<br />
encrypted password databases commonly available cannot be used.<br />
It is not as useful for large installations, since every possible secret is<br />
maintained at both ends of the link.<br />
Note: To avoid sending the secret over other links in the network, it is<br />
recommended that the challenge and response values be examined at a central<br />
server, rather than each network access server. Otherwise, the secret should be<br />
sent to such servers in a reversibly encrypted form. Either case requires a<br />
trusted relationship, which is outside the scope of this specification.<br />
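Both protocols with both ends of the link simulated, as an added example (not code from the Redbook, and not any PPP stack's implementation). The PAP Authenticate-Request and the CHAP Challenge/Response packets follow the layouts in RFC 1334 and RFC 1994 (Code, Identifier, Length, then the payload), and the CHAP Response is MD5 over Identifier, secret and Challenge as RFC 1994 specifies. The peer names, secrets and password are constructed. The checks at the end show what the text claims: a PAP password is read straight off the wire, while a captured CHAP Response fails against the next challenge.<br />

```python
"""PAP (RFC 1334) and CHAP (RFC 1994) packets and checks, both peers simulated."""
import hashlib
import hmac
import os
import struct

# ---- PAP: 2-way handshake, password in the clear -------------------------
def pap_authenticate_request(identifier, peer_id, password):
    """Authenticate-Request (Code 1): Peer-ID and Password, length-prefixed."""
    body = (bytes([len(peer_id)]) + peer_id.encode()
            + bytes([len(password)]) + password.encode())
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body

def pap_password_from_wire(packet):
    """What anyone tapping the circuit sees: the password, unmodified."""
    id_len = packet[4]
    pw_len = packet[5 + id_len]
    return packet[6 + id_len:6 + id_len + pw_len].decode()

# ---- CHAP: 3-way handshake, secret never sent ----------------------------
def chap_packet(code, identifier, value, name):
    """Challenge (Code 1) or Response (Code 2): Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def chap_parse(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    size = packet[4]
    return code, identifier, packet[5:5 + size], packet[5 + size:length]

def chap_response_value(identifier, secret, challenge):
    # RFC 1994: hash over Identifier || secret || Challenge Value.
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_challenge(identifier, authenticator_name, value_size=16):
    """Authenticator side: a fresh, unpredictable challenge each time."""
    return chap_packet(1, identifier, os.urandom(value_size), authenticator_name)

def chap_peer_respond(challenge_packet, name, secret):
    """Peer side: answer the challenge it was just given."""
    _, identifier, value, _ = chap_parse(challenge_packet)
    return chap_packet(2, identifier, chap_response_value(identifier, secret, value), name)

def chap_authenticator_check(challenge_packet, response_packet, secrets):
    """Authenticator side. `secrets` maps Name -> plaintext secret; the Name
    field of the Response is the index into that table, as the text says.
    Returns True for Success (Code 3), False for Failure (Code 4)."""
    _, ch_id, ch_value, _ = chap_parse(challenge_packet)
    _, rs_id, rs_value, name = chap_parse(response_packet)
    secret = secrets.get(name.decode(errors="replace"))
    if secret is None or rs_id != ch_id:
        return False
    expected = chap_response_value(ch_id, secret, ch_value)
    return hmac.compare_digest(expected, rs_value)
```

Because the authenticator recomputes the hash from the stored secret, that secret must be held in plaintext (or reversibly encrypted) on the server, which is the trade-off the text notes against PAP, where the server may keep only a one-way transformed password.<br />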
5.1.2 Kerberos<br />
The Kerberos Authentication and Authorization System is an encryption-based<br />
security system that provides mutual authentication between the users and the<br />
servers in a network environment. Kerberos performs the following functions for<br />
a system:<br />
• Authentication: prevents fraudulent requests and responses between users and<br />
servers. It applies to any pair of at least one user and one service, and the<br />
exchanges that need to be confidential are kept so.<br />
• Authorization: can be implemented independently of the authentication by<br />
each service that wants to provide its own authorization system. Such an<br />
authorization system can assume that the authentication of a user/client is<br />
reliable.<br />
• Accounting: permits the implementation of an accounting system that is integrated,<br />
secure and reliable, with modular attachment and support for charge-backs<br />
or billing purposes.<br />
The Kerberos system is primarily used for authentication purposes, but it also<br />
provides the flexibility to add authorization information.<br />
In the Kerberos system, a client that wants to contact a server for its service<br />
first has to ask for a ticket from a mutually trusted third party, the Kerberos<br />
Authentication Server (KAS). The ticket is computed as a function in which one<br />
of the components is a secret key known only to the service and the Kerberos<br />
Authentication Server, so that the service can be confident that the information<br />
in the ticket originates from Kerberos and has not been forged by the client.<br />
The Kerberos Authentication Model only permits the service to verify the identity<br />
of the requester; it gives no information on whether the requester may use the<br />
service or not. The Kerberos Authorization Model is based on the principle that<br />
each service knows the user, so that each one can maintain its own authorization<br />
information. However, the Kerberos Authentication System could be extended<br />
and used for authorization purposes. Kerberos could then check whether a user/client<br />
is allowed to use a particular service.<br />
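The ticket mechanism from the paragraph above, reduced to the one property it relies on: the KAS seals the ticket with a key that only it and the service share, so the service can verify the ticket's origin and a client cannot forge or alter one. This is an added example, not MIT's Kerberos code or wire format: sealing is done here with HMAC-SHA256 rather than the encryption real Kerberos uses, and the service names, keys, lifetime and the per-service access list are constructed.<br />

```python
"""Kerberos-style ticket issue and check, simplified (HMAC seal, constructed keys)."""
import hashlib
import hmac
import json

# Each key is shared between the KAS and exactly one service (constructed).
SERVICE_KEYS = {
    "pop.example.net":  b"pop-service-key-constructed",
    "smtp.example.net": b"smtp-service-key-constructed",
}

def kas_issue_ticket(client, service, now, lifetime=8 * 3600):
    """KAS side: a ticket naming the client and service, valid for `lifetime`
    seconds, sealed with the service's key so only the KAS could have made it."""
    fields = {"client": client, "service": service,
              "issued": now, "expires": now + lifetime}
    payload = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEYS[service], payload, hashlib.sha256).hexdigest()
    return payload + b"|" + tag.encode()

def service_verify_ticket(service, ticket, now):
    """Service side: returns the authenticated client name, or None.

    The service never talks to the KAS; its own key is enough to check that
    the ticket came from Kerberos and was not altered in transit.
    """
    payload, _, tag = ticket.rpartition(b"|")
    expected = hmac.new(SERVICE_KEYS[service], payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag):
        return None                       # forged, tampered, or for another service
    fields = json.loads(payload)
    if fields["service"] != service or not fields["issued"] <= now < fields["expires"]:
        return None                       # wrong target or outside validity window
    return fields["client"]

def service_authorize(service, client, acl):
    """Authorization is the service's own business, as the text says: a valid
    ticket only tells the service *who* is asking. `acl` is constructed."""
    return client in acl.get(service, set())
```

Note what the seal does not do: anyone can read the ticket's fields. Real Kerberos encrypts the ticket and also carries a session key inside it so client and service can authenticate each other afterwards; that part is omitted here.<br />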
5.1.3 Remote Authentication Dial-In User Service (RADIUS)<br />
Remote Authentication Dial-In User Service (RADIUS) is a good example of an<br />
open and easily integrated authentication protocol. The network access server<br />
forwards each user's credentials to the RADIUS server, which allows or denies<br />
access to the network. This keeps all security information in a single, central<br />
database instead of scattered around the network on several different devices,<br />
and the two sides protect their exchange with a shared secret. RADIUS also<br />
performs extensive tracking and logging of user activities (RADIUS accounting);<br />
this type of information is used for billing purposes, as discussed in the next section.<br />
The next release of <strong>IBM</strong>′s Interactive Network Dispatcher will provide support for<br />
the RADIUS authentication server. See B.12.4, “Internet Service Provider<br />
Applications” on page 342 for more information.<br />
Another product that interfaces with RADIUS is InstantReg from Expansion<br />
Systems Corporation. It also has a billing component that provides seamless<br />
integration between user authorization and accounting, as discussed in 5.2,<br />
“Accounting” on page 146.<br />
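The exchange between a network access server (NAS) and the RADIUS server, with both sides implemented, as an added example (not Livingston's code or anything from the Redbook). It follows the RFC 2138 formats current in 1997: the User-Password attribute is hidden by XOR with MD5(secret || Request Authenticator) in 16-byte blocks, and the server's reply carries a Response Authenticator, MD5 over the reply header, the Request Authenticator, the attributes and the secret, which the NAS checks before trusting an Access-Accept. The shared secret, user database and NAS address are constructed.<br />

```python
"""RADIUS Access-Request / Access-Accept between a NAS and a RADIUS server (RFC 2138)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types

def _attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value

def hide_password(secret, request_auth, password):
    """RFC 2138 5.2: pad to 16-byte blocks; each block XORed with MD5(secret||previous)."""
    padded = password + b"\x00" * (-len(password) % 16 or 16 * (not password))
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def unhide_password(secret, request_auth, hidden):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def nas_access_request(secret, ident, user, password, nas_ip):
    """NAS side. Returns (request_auth, packet); keep request_auth to check the reply."""
    request_auth = os.urandom(16)     # must be unpredictable: it keys the password hiding
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(secret, request_auth, password))
             + _attr(NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return request_auth, header + request_auth + attrs

def server_reply(secret, request, users):
    """Server side: recover the password, look the user up, sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = unhide_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)          # no reply attributes here
    response_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + response_auth

def nas_check_reply(secret, request_auth, reply):
    """NAS side: only an Access-Accept whose Response Authenticator verifies counts."""
    header, response_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth) and reply[0] == ACCESS_ACCEPT

def forged_accept(ident):
    """What an impostor without the secret can send: an Accept with a made-up authenticator."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + os.urandom(16)
```

The hiding scheme is reversible by anyone who holds the shared secret (the server has to recover the password to check it), so the secret and the RADIUS traffic deserve the same care as the password database itself.<br />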
5.1.4 Terminal Access Controller Access Control System (TACACS)<br />
Originally, TACACS allowed a router that accepted dial-up access to accept a<br />
user name and password and send a query to a TACACS authentication server,<br />
sometimes called a TACACS daemon or simply TACACSD. This server was<br />
normally a program running on a host. The host would determine whether to<br />
accept or deny the request and send a response back. The router then allowed<br />
or denied access based upon the response.<br />
While routers accepting dial-in access are no longer a major presence on the<br />
Internet, terminal servers are. Cisco Systems terminal servers implement an<br />
extended version of this TACACS protocol. Thus, the access control decision is<br />
delegated to a host. In this way, the process of making the decision is opened<br />
up and the algorithms and data used to make the decision are under the<br />
complete control of whoever is running the TACACS daemon. For example:<br />
Anyone with a first name of Joe can only log in after 10:00 p.m. Monday-Friday,<br />
unless his last name is Smith or there is a Susan already logged in.<br />
The extensions to the protocol provide for more types of authentication requests<br />
and more types of response codes than were in the original specification.<br />
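What "the algorithms and data used to make the decision are under the complete control of whoever is running the TACACS daemon" looks like in practice: a decision routine for a TACACS-style daemon that implements the text's own rule (anyone with the first name Joe can log in only after 10:00 p.m. Monday to Friday, unless the last name is Smith or a Susan is already logged in), plus the AUTH/LOGIN/SUPERUSER/LOGOUT request types the text describes later in this section. This is an added example, not Cisco's tacacsd; the user database, the enable password and the session table are constructed, and the terminal-server side (packet encoding) is left out.<br />

```python
"""Decision logic of a TACACS-style daemon (policy is the daemon's, not the router's)."""
import datetime

# Constructed user database; the daemon, not the terminal server, owns it.
USERS = {"joe.bloggs": "pw1", "joe.smith": "pw2", "susan.lee": "pw3", "ann.ray": "pw4"}
# The special user $enable$ whose password gates superuser mode (constructed value).
ENABLE_PASSWORD = "enable-secret-constructed"

def joe_rule(username, when, logged_in):
    """The text's example policy. `when` is a datetime; `logged_in` a set of names."""
    first, _, last = username.partition(".")
    if first != "joe":
        return True
    if last == "smith":
        return True
    if any(name.startswith("susan.") for name in logged_in):
        return True
    is_weekday = when.weekday() < 5             # Monday = 0 ... Friday = 4
    return is_weekday and when.hour >= 22       # after 10:00 p.m.

def handle(request, state, when):
    """Answer one request as (success, reason).

    request: (type, username, password, line); state: set of logged-in users,
    updated in place; when: ISO timestamp string or datetime for the decision.
    Every request gets a response, even LOGOUT, whose denial would be futile.
    """
    if isinstance(when, str):
        when = datetime.datetime.fromisoformat(when)
    rtype, username, password, line = request
    if rtype in ("AUTH", "LOGIN"):
        if USERS.get(username) != password:
            return False, "bad credentials"
        if not joe_rule(username, when, state):
            return False, "policy: Joes log in after 22:00 Mon-Fri only"
        if rtype == "LOGIN":
            state.add(username)                 # a login connection is now open
        return True, "ok"
    if rtype == "SUPERUSER":
        # As the text notes of Cisco's daemon: user name ignored, $enable$ password checked.
        return password == ENABLE_PASSWORD, "enable"
    if rtype == "LOGOUT":
        state.discard(username)
        return True, "connection closed"
    return False, "unknown request type"
```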
The original TACACS protocol specification does exist. However, due to<br />
copyright issues, it is not publicly available. RFC 1492 An Access Protocol<br />
Sometimes Called TACACS was written to alleviate this lack of access. This<br />
version of the specification was developed with the assistance of Cisco Systems,<br />
who has an implementation of the TACACS protocol that is believed to be<br />
compatible with the original specification. To be precise, the Cisco Systems<br />
implementation supports both the simple (non-extended) and extended versions.<br />
It is the simple version that would be compatible with the original.<br />
In this protocol a request/response pair is the basic unit of interaction. In this<br />
pair, the client sends a request and the server replies with a response. All<br />
requests must be acknowledged with a response. This requirement implies that<br />
all requests can be denied, although it is probably futile to attempt to deny a<br />
logout request.<br />
In some cases, a string of request/response pairs forms a larger unit, called a<br />
connection. There are three types of connections:<br />
1. Authenticate only, no connection<br />
2. Login connection<br />
3. SLIP connection<br />
Requests supported by this protocol are:<br />
• AUTH (user name, password, line, style)<br />
This request asks for an authentication. The parameters are:<br />
− The user name<br />
− The password<br />
− An indication of which line the request is for<br />
− A style of authentication<br />
The user name is a string that identifies the user. In principle, it can be of<br />
any length and contain any characters. In practice, it should be no longer<br />
than 128 characters and should contain only the ASCII characters “!” (33<br />
decimal) through “~” (126 decimal), inclusive.<br />
The password is a string that is used to authenticate the user identified by<br />
the user name. In principle, it can be of any length and contain any<br />
characters. In practice, it should be no longer than 128 characters and<br />
should contain only the ASCII characters “!” (33 decimal) through “~” (126<br />
decimal), inclusive.<br />
The line is a non-negative decimal integer. If the client supports multiple<br />
physical access channels, this value identifies the particular channel. By<br />
convention, lines are numbered starting from one, although this should be<br />
taken with a grain of salt. For example, Cisco Systems′ implementation uses<br />
zero to designate the console port, then continues with one for the main<br />
serial lines. Clients that support only one channel should use line zero.<br />
The authentication style is a possibly empty string. It identifies the particular<br />
style of authentication to be performed. Its syntax and semantics are local.<br />
• LOGIN (user name, password, line) returns (result1, result2, result3)<br />
This request asks for an authentication and signals that, if the authentication<br />
succeeds, a login connection is starting. The parameters are:<br />
− The user name<br />
− The password<br />
− An indication of which line the request is for<br />
The meanings of the input fields are the same as the AUTH request. If the<br />
request is successful, this request returns three result values in addition to<br />
the success status. The result values are non-negative integers. Their<br />
interpretation is local. For example, Cisco Systems terminal servers<br />
interpret result3 to be the identifier of a local access list to use for additional<br />
validation.<br />
• CONNECT (user name, password, line, destinationIP, destinationPort) returns<br />
(result1, result2, result3)<br />
This request can only be issued when the user name and line specify an<br />
already-existing connection. As such, no authentication is required and the<br />
password will in general be the empty string. It asks, in the context of that<br />
connection, whether a TCP connection can be opened to the specified<br />
destination IP address and port.<br />
The return values are as for LOGIN.<br />
• SUPERUSER (user name, password, line)<br />
This request can only be issued when the user name and line specify an<br />
already-existing connection. As such, no authentication is required and the<br />
password will in general be the empty string. It asks, in the context of that<br />
connection, whether the user can go into superuser or enable mode on the<br />
terminal server.<br />
As an example of the flexibility inherent in this whole scheme, the TACACSD<br />
supplied by Cisco Systems ignores the user name part and instead checks<br />
whether the password matches that of the special user $enable$.<br />
• LOGOUT (user name, password, line, reason)<br />
This request can only be issued when the user name and line specify an<br />
already-existing connection. As such, no authentication is required and the<br />
password will in general be the empty string. It indicates that the connection<br />
should be terminated (but see SLIPON). It must be acknowledged, but the<br />
success/fail status of the acknowledgment is irrelevant. The reason value<br />
indicates why the connection is terminating. A null reason value is supplied<br />
when the connection is going into SLIP mode.<br />
• SLIPADDR (user name, password, line, SLIPaddress) returns (result1, result2,<br />
result3)<br />
This request can only be issued when the user name and line specify an<br />
already-existing connection. As such, no authentication is required and the<br />
password will in general be the empty string. It asks, in the context of that<br />
connection, whether the specified SLIPaddress can be used for the remote<br />
end of the connection.<br />
If the server replies with a success, the client can proceed to a SLIPON<br />
request. (It need not do so right away, however.)<br />
Note that the semantics of the user name can get hairy. For example, the Cisco<br />
Systems implementation encodes information in this way:<br />
− If the user just requested that the default address be assigned, this field<br />
holds the user name in lowercase.<br />
− If the user requested a specific IP address or host name for the SLIP<br />
connection, this field contains the requested host name in UPPER case.<br />
• SLIPON (user name, password, line, SLIPaddress) returns (result1, result2,<br />
result3)<br />
This request can only be issued when the user name and line specify an<br />
already-existing connection. As such, no authentication is required and the<br />
password will in general be the empty string. It tells the server that the<br />
connection is going into SLIP mode.<br />
If the server replies with a success, the client will immediately send a<br />
LOGOUT request. However, the connection will remain established until a<br />
SLIPOFF request is sent. No other authentication requests will be sent for<br />
that connection.<br />
SLIPaddress specifies the IP address used by the remote host. If a<br />
SLIPADDR request has been made, it will be that address. Otherwise, it will<br />
be the default address assigned by the client (for example, Cisco terminal<br />
server).<br />
The return values are as for LOGIN.<br />
• SLIPOFF (user name, password, line, reason)<br />
This request can only be issued when the user name and line specify an<br />
already-existing connection that is in SLIP mode. As such, no authentication<br />
is required and the password will in general be the empty string. It indicates<br />
that the connection should be terminated. It must be acknowledged, but the<br />
success/fail status of the acknowledgment is irrelevant. The reason value<br />
indicates why the connection is terminating.<br />
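The request handling described above, as an added example (this is the editor's illustration, not code from RFC 1492 or from any vendor's TACACSD): a server-side decision core that tracks (user name, line) connections, applies the per-request rules above, and also implements the three protections the text goes on to recommend for servers, namely answering only a controlled list of clients, throttling, and logging every failure. Packet parsing is not shown; requests are assumed to arrive as dicts carrying the fields the text names. The class and field names, the access-list number 101, the blocked destination ports and the SLIP address pool are all assumptions of this example.<br />

```python
"""Added example (not from RFC 1492 or any vendor's TACACSD): the decision core
of a TACACS server for the requests described in the text.

Packet parsing is out of scope: a request arrives as a dict with the fields the
text names ("type", "user", "line", "password" and, per request, "dest_ip",
"dest_port", "slip_address", "reason"). All names here are this example's own
assumptions, not anything the RFC defines.
"""
import logging
import time
from collections import defaultdict, deque

log = logging.getLogger("tacacsd")

# Requests that are only meaningful in the context of an existing connection.
SESSION_REQUESTS = {"CONNECT", "SUPERUSER", "LOGOUT", "SLIPADDR", "SLIPON", "SLIPOFF"}
NO_RESPONSE = None   # request dropped without any reply, not even a failure


class TacacsDecider:
    def __init__(self, accounts, allowed_clients, slip_pool, max_per_minute=30,
                 clock=time.monotonic):
        self.accounts = dict(accounts)          # user name -> password; "$enable$" = Cisco enable secret
        self.allowed_clients = set(allowed_clients)
        self.slip_pool = {u: set(a) for u, a in slip_pool.items()}  # user -> SLIP addresses permitted
        self.max_per_minute = max_per_minute
        self.clock = clock                      # injectable so the throttle can be tested deterministically
        self.recent = defaultdict(deque)        # client -> timestamps of its recent requests
        self.sessions = {}                      # (user, line) -> {"slip": bool}

    def _throttled(self, client):
        """Sliding one-minute window per client."""
        now = self.clock()
        window = self.recent[client]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= self.max_per_minute:
            return True
        window.append(now)
        return False

    def _fail(self, client, req, why):
        # Every refusal is logged: this is the server's only view of guessing attempts.
        log.warning("FAIL %s user=%r line=%s client=%s: %s",
                    req["type"], req["user"], req["line"], client, why)
        return {"ok": False}

    def handle(self, client, req):
        """Returns a reply dict, or NO_RESPONSE when the request is to be ignored."""
        # 1. Respond only to a controlled list of clients.
        if client not in self.allowed_clients:
            log.warning("DROP %s from unlisted client %s", req["type"], client)
            return NO_RESPONSE
        # 2. Throttle, so the server cannot be used as a fast password oracle.
        if self._throttled(client):
            log.warning("THROTTLE client %s exceeded %d requests/min", client, self.max_per_minute)
            return NO_RESPONSE
        kind, key = req["type"], (req["user"], req["line"])
        if kind in ("AUTH", "LOGIN"):
            expected = self.accounts.get(req["user"])
            if not req["password"] or expected != req["password"]:
                return self._fail(client, req, "bad user name or password")
            if kind == "LOGIN":
                self.sessions[key] = {"slip": False}
            log.info("OK %s user=%r line=%s", kind, req["user"], req["line"])
            # result3 is what Cisco reads as a local access-list number (101 is an arbitrary choice here).
            return {"ok": True, "results": (0, 0, 101)}
        # 3. Everything else presumes an existing (user, line) connection.
        if kind not in SESSION_REQUESTS or key not in self.sessions:
            return self._fail(client, req, "no such connection")
        session = self.sessions[key]
        if kind == "CONNECT":
            ok = req["dest_port"] not in (23, 513, 514)   # assumed local policy: no outbound telnet/rlogin/rsh
        elif kind == "SUPERUSER":
            ok = req["password"] == self.accounts.get("$enable$")   # the Cisco TACACSD convention
        elif kind in ("SLIPADDR", "SLIPON"):
            ok = req["slip_address"] in self.slip_pool.get(req["user"], ())
            if kind == "SLIPON" and ok:
                session["slip"] = True
        elif kind == "LOGOUT":
            log.info("LOGOUT user=%r line=%s reason=%r", req["user"], req["line"], req.get("reason"))
            if not session["slip"]:          # after SLIPON the connection stays up until SLIPOFF
                del self.sessions[key]
            ok = True                        # the status of a LOGOUT acknowledgment is irrelevant
        else:                                # SLIPOFF
            del self.sessions[key]
            ok = True
        if not ok:
            return self._fail(client, req, "refused by policy")
        return {"ok": True, "results": (0, 0, 0)}
```

A dropped request returns NO_RESPONSE rather than a failure, so an unlisted or throttled source learns nothing, not even whether the user name exists. The clock argument only exists so the throttle window can be driven in a test; in service the default monotonic clock is used.<br />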
This protocol carries the user name and password in clear text. As such, if an<br />
attacker is capable of monitoring that data, the attacker could capture user<br />
name/password pairs. Implementations can take several steps to minimize this<br />
danger:<br />
• Use point-to-point links where possible.<br />
• Physically secure the transmission medium.<br />
• If packets must traverse multiple network segments, use a secure routing<br />
subsystem. This implies:<br />
− Tight control over router configurations.<br />
− Tight control over routing protocols.<br />
− Avoid use of bridges, as they can be silently fooled into duplicating<br />
packets.<br />
Note that none of these steps protects the credentials themselves; they only<br />
narrow who is in a position to observe the wire, so the server and every link<br />
between it and its clients must be treated as holding the passwords.<br />
This protocol potentially opens up a new way of probing user names and<br />
passwords. Thus, implementations may wish to have servers:<br />
• Limit responses to a controlled list of clients<br />
• Throttle the rate of responding to requests<br />
• Log all failures (and possibly successes, too)<br />
This protocol essentially allows clients to offload accept/reject decisions to<br />
servers. While an obvious implementation would simply use the server's native<br />
login mechanism to make the determination, there is no reason to limit<br />
implementations to that mechanism. Servers could:<br />
• Use alternate lists of accounts (for example, password files),<br />
• Use alternate mechanisms for accessing the accounts (for example, a<br />
database, NIS),<br />
• Use alternate algorithms (for example, SecurID cards),<br />
• Translate the request to another protocol and use that protocol to make the<br />
determination (for example, Kerberos).<br />
5.2 Accounting<br />
Regardless of the billing policy of an ISP, some kind of system is needed to keep<br />
track of customers, their account details and their payment history. Billing used<br />
to be one of the last considerations in establishing an ISP. This is no longer the<br />
case. The right billing package can make or break an ISP′s operation. A billing<br />
package should provide the flexibility to react to market changes.<br />
An accounting system for an ISP can be something as simple as a utility that<br />
creates time-stamped records of when each user logged in and logged out. It<br />
can quickly get complicated and include information such as which port they<br />
used, what their IP address was, what filters are in effect and so on.<br />
This information can be used to calculate total online time for users, which could<br />
then be used for billing purposes. This type of facility is not normally part of the<br />
access or authentication server itself. There are, however, separate packages<br />
that will perform these tasks.<br />
Some packages tailored for ISPs are just starting to emerge on the market. If at<br />
all possible there should be a link to the authentication system. This would<br />
allow the billing database to be derived from the user authorization database.<br />
<strong>IBM</strong>'s Net.Commerce, for instance, provides a large set of APIs that can be used<br />
to interface with other systems to provide billing support. See 6.6,<br />
“Net.Commerce” on page 166 and B.11, “Net.Commerce” on page 338 for more<br />
information.<br />
Another package that has an integrated authorization component is TotalBilling<br />
from Expansion Systems Corporation. This package provides online credit card<br />
processing, and bills can be generated to be transmitted via e-mail or printed<br />
and sent via regular mail. It can also automatically configure RADIUS<br />
authorization files. An example of a TotalBilling Account Payment/Billing<br />
Information screen is shown in Figure 49 on page 147.<br />
Figure 49. TotalBilling Account Payment/Billing Information Screen<br />
Table 23 shows more billing packages that are available.<br />
Table 23. Billing Packages<br />
• Arbor/BP. Vendor: Kenan System, www.kenan.com. Platform: UNIX platforms<br />
(DEC, HP, IBM, NCR, Sun).<br />
• Billing and Tracking System (BATS). Vendor: Astroarch Consulting, Inc.,<br />
www.astroarch.com.<br />
• HAWK-i. Vendor: MGL Systems, www.mgl.ca.<br />
Between them, BATS and HAWK-i cover AIX, BSDI, FreeBSD, HP-UX, IRIX, Linux,<br />
MachTen, OSF/1, SCO, Solaris, SunOS, UNIXware, Windows 95 and Windows NT.<br />
• Internet Administration Framework (IAF). Vendor: Solect, www.solect.com.<br />
Platform: Solaris, Windows NT.<br />
• Internet Back Office Billing (BOB). Vendor: GreenSoft Solutions, Inc.,<br />
www.greensoft.com. Platform: Windows 95, Windows NT.<br />
• Internet Billing. Vendor: Coolworld.com, www.coolworld.com. Platform: AIX,<br />
DOS, FreeBSD, Linux, Novell, SCO, Solaris, Windows 95.<br />
• ISP Billing Software & A/R Software. Vendor: LPAC, www.lpac.com. Platform:<br />
Windows 95, Windows NT.<br />
• ISP Power. Vendor: ISP Power Corp., www.isppower.com. Platform: UNIX.<br />
• ISPTrack. Vendor: cyberacs.com, www.cyberacs.com. Platform: Windows NT.<br />
• NT PayMaster. Vendor: Imagen Communications Inc., www.imagen.net.<br />
Platform: Windows NT.<br />
• Platypus. Vendor: Boardtown Corp., www.boardtown.com. Platform: Windows 95,<br />
Windows NT.<br />
• TotalBill. Vendor: Expansion Systems Corp., www.expansion.com. Platform: DEC<br />
Alpha, DEC UNIX, HP-UX, Solaris, Sun Sparc, Sun Ultra, Windows NT.<br />
• User Tracking & Accounting (UTA). Vendor: RTD, www.rtd.com. Platform:<br />
BSD/OS, BSDI, FreeBSD, Linux, Solaris, SunOS.<br />
The RADIUS authentication protocol, mentioned previously, is a popular protocol<br />
and has been ported to many different hardware and software platforms. The<br />
log files from RADIUS can be used to compute usage, and a customer can then be<br />
billed for that usage according to the type of account. Almost all the<br />
products in Table 23 on page 147 can work with these log files.<br />
5.3 Network Management<br />
If an ISP is to remain competitive, then it will have to effectively manage its<br />
network. It will be necessary to determine if the connection to the Internet is<br />
operational and what the actual throughput of the network has been.<br />
Network management consists of all the activities and products that are used to<br />
plan, configure, control, monitor, tune and administer your computer network.<br />
This can be extremely complex, depending on:<br />
• The number and variety of network components, for example, servers,<br />
modems, routers and gateways<br />
• System mix: for example, operating systems, protocols and versions<br />
• Geographic location of components<br />
• Number of companies involved<br />
• Number of services provided<br />
Unfortunately, managing all these different aspects has been characterized by<br />
individual management tools. Each vendor offers its own interface for the same<br />
management task, requiring knowledge of each management tool. Fortunately,<br />
tools are appearing that help to provide a global view of the system.<br />
Management via a global view of the system is accomplished through integrated<br />
network management.<br />
Essential to integrated network management is that the managed components<br />
deliver information in a format that can be interpreted independently of the<br />
product originating the information. This requires standardization of interfaces<br />
and protocols.<br />
5.3.1 Standards<br />
The current network management framework for TCP/IP-based Internets consists<br />
of:<br />
1. SMI (RFC 1155) - Describes how managed objects contained in the<br />
Management Information Base (MIB) are defined. (See 5.3.2, “Structure and<br />
Identification of Management Information (SMI)” on page 151 for more<br />
information.)<br />
2. MIB-II (RFC 1213) - Describes the managed objects contained in the MIB.<br />
(See 5.3.3, “Management Information Base (MIB)” on page 151 for more<br />
information.)<br />
3. SNMP (RFC 1157) - Defines the protocol used to manage these objects. (See<br />
5.3.4, “Simple Network Management Protocol (SNMP)” on page 151 for more<br />
information.)<br />
The Internet Architecture Board (IAB) issued an RFC (RFC 1052) detailing its<br />
recommendation, which adopted two different approaches:<br />
• In the short term SNMP should be used.<br />
The IAB recommends that all IP and TCP implementations be<br />
network-manageable. At the current time, this implies implementation of the<br />
Internet MIB-II (RFC 1213), and at least the recommended management<br />
protocol SNMP (RFC 1157).<br />
Note that the historic protocols Simple Gateway Monitoring Protocol (SGMP,<br />
RFC 1028) and MIB-I (RFC 1156) are not recommended for use.<br />
• In the long term, use of the emerging OSI network management protocol<br />
(CMIP) would be investigated. This is known as CMIP over TCP/IP (CMOT). (See<br />
5.3.5, “Common Management Information Protocol over TCP/IP (CMOT)” on<br />
page 152 for more information.)<br />
Both SNMP and CMOT use the same basic concepts in describing and<br />
defining management information called Structure and Identification of<br />
Management Information (SMI) described in RFC 1155 and Management<br />
Information Base (MIB) described in RFC 1156.<br />
Simple Network Management Protocol (SNMP) is an Internet standard protocol.<br />
Its status is recommended. Its current specification can be found in RFC 1157 -<br />
Simple Network Management Protocol (SNMP).<br />
MIB-II is an Internet standard. Its status is recommended. Its current<br />
specification can be found in RFC 1213 - Management Information Base for<br />
Network Management of TCP/IP-based Internets: MIB-II.<br />
Common Management Information Protocol (CMIP) and Common Management<br />
Information Services (CMIS) are defined by the ISO/IEC 9595 and 9596 standards.<br />
CMIS/CMIP Over TCP/IP (CMOT) is an Internet proposed standard protocol. Its<br />
status is elective. Its current specification can be found in RFC 1189 - Common<br />
Management Information Services and Protocols for the Internet (CMOT) and<br />
(CMIP).<br />
OIM-MIB-II is an Internet proposed standard protocol. Its status is elective. Its<br />
current specification can be found in RFC 1214 - OSI Internet Management:<br />
Management Information Base.<br />
Other RFCs issued by the Internet Architecture Board (IAB) on this subject are:<br />
• RFC 1052 - IAB Recommendations for the Development of Internet Network<br />
Management Standards<br />
• RFC 1085 - ISO Presentation Services on Top of TCP/IP-based Internets<br />
• RFC 1155 - Structure and Identification of Management Information for<br />
TCP/IP-based Internets<br />
• RFC 1156 - Management Information Base for Network Management of<br />
TCP/IP-based Internets<br />
• RFC 1215 - Convention for Defining Traps for Use with the SNMP<br />
• RFC 1227 - SNMP MUX Protocol and MIB<br />
• RFC 1228 - SNMP-DPI: Simple Network Management Protocol Distributed<br />
Programming Interface<br />
• RFC 1230 - IEEE 802.4 Token Bus MIB<br />
• RFC 1231 - IEEE 802.5 Token-Ring MIB<br />
• RFC 1239 - Reassignment of Experimental MIBs to Standard MIBs<br />
• RFC 1351 - SNMP Administrative Model<br />
• RFC 1352 - SNMP Security Protocols<br />
5.3.2 Structure and Identification of Management Information (SMI)<br />
The SMI defines the rules for how managed objects are described and how<br />
management protocols may access these objects. Managed objects are described<br />
using a subset of ASN.1 (Abstract Syntax Notation One, ISO standard 8824), a<br />
data description language. An object type definition consists<br />
of five fields:<br />
• Object: A textual name, termed the object descriptor, for the object type<br />
along with its corresponding object identifier defined below.<br />
• Syntax: The abstract syntax for the object type. It can be a choice of<br />
SimpleSyntax (Integer, Octet String, Object Identifier, Null) or an<br />
ApplicationSyntax (NetworkAddress, Counter, Gauge, TimeTicks, Opaque) or<br />
other application-wide types. (See RFC 1155 for more details.)<br />
• Definition: A textual description of the semantics of the object type.<br />
• Access: One of read-only, read-write, write-only or not-accessible.<br />
• Status: One of mandatory, optional, or obsolete.<br />
5.3.3 Management Information Base (MIB)<br />
The MIB defines the objects that may be managed for each layer in the TCP/IP<br />
protocol suite. There are two versions, MIB-I and MIB-II. MIB-I was defined in RFC<br />
1156, and is now classified as an historic protocol with a status of not<br />
recommended.<br />
The list of managed objects defined has been derived from those elements<br />
considered essential. This approach of taking only the essential objects is not<br />
restrictive, since the SMI provides extensibility mechanisms such as the<br />
definition of a new version of the MIB and definition of private or non-standard<br />
objects.<br />
5.3.4 Simple Network Management Protocol (SNMP)<br />
SNMP builds on the experience gained over several years with SGMP and works<br />
with the objects defined in the MIB, using the representation<br />
defined in the SMI.<br />
RFC 1157 defines the Network Management Station (NMS) as the one that<br />
executes network management applications (NMA) that monitor and control<br />
network elements (NE) such as hosts, gateways and terminal servers. These<br />
network elements use a management agent (MA) to perform the network<br />
management functions requested by the network management stations. The<br />
Simple Network Management Protocol (SNMP) is used to communicate<br />
management information between the network management stations and the<br />
agents in the network elements.<br />
All the management agent functions are only alterations (set) or inspections (get)<br />
of variables, which limits the number of essential management functions to two<br />
and avoids more complex protocols. In the other direction, from NE to NMS, a<br />
limited number of unsolicited messages (traps) are used to report<br />
asynchronous events. In the same way, to preserve simplicity, the<br />
exchange of information requires only an unreliable datagram service, and<br />
every message is entirely and independently represented by a single transport<br />
datagram. This also means that the mechanisms of SNMP are generally<br />
suitable for use with a wide variety of transport services. RFC 1157 specifies<br />
the exchange of messages via the UDP protocol, but a wide variety of transport<br />
protocols can be used.<br />
The entities residing at management stations and network elements that<br />
communicate with one another using the SNMP are termed SNMP application<br />
entities. The peer processes that implement it are the protocol entities. The<br />
pairing of an SNMP agent with some arbitrary set of SNMP application entities<br />
is called an SNMP community. Each community is named by a string of octets<br />
(the community name) that need be unique only to the agent participating in<br />
the community.<br />
A message in the SNMP protocol consists of a version identifier, an SNMP<br />
community name and a protocol data unit (PDU). It is mandatory that all<br />
implementations of the SNMP support the five PDUs:<br />
• GetRequest: Retrieve the value of a specific object from the MIB.<br />
• GetNextRequest: Walk through portions of the MIB.<br />
• SetRequest: Alter the value of a specific object in the MIB.<br />
• GetResponse: Response to a GetRequest, a GetNextRequest or a<br />
SetRequest.<br />
• Trap: Capability of the network elements to report events to network<br />
management stations, such as agent initialization, agent restart and link<br />
failure. There are seven trap types defined in RFC 1157: coldStart,<br />
warmStart, linkDown, linkUp, authenticationFailure, egpNeighborLoss and<br />
enterpriseSpecific.<br />
Note that the community name is the only credential an SNMP agent checks, and<br />
it travels in clear text in every message, so the precautions given earlier for<br />
TACACS passwords apply to it as well: a SetRequest carrying a guessed write<br />
community name is enough to alter a router's configuration. An agent that<br />
receives a message with a community name it does not accept should drop it<br />
and, if so configured, send an authenticationFailure trap.<br />
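An added example (the editor's own, not from RFC 1157 or any SNMP toolkit) of the message structure just described: a BER encoder and decoder for SNMPv1 GetRequest, GetNextRequest, SetRequest and GetResponse messages, with the object identifier encoding the SMI uses, plus an agent-side community check. The packet built in the test, sysDescr.0 under the community "public", is the classic example message; the community names and the read/write policy in agent_accepts are assumptions of this example. It makes the point above concrete: the bytes "public" are visible in the encoded message.<br />

```python
"""Added example (not from RFC 1157 or any SNMP toolkit): encode and decode an
SNMPv1 message with the small BER subset SNMP needs. Function names and the
community policy are this example's own."""

TAG_INT, TAG_OCTET, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
PDU_GET, PDU_GETNEXT, PDU_RESPONSE, PDU_SET, PDU_TRAP = 0xA0, 0xA1, 0xA2, 0xA3, 0xA4
SNMP_V1 = 0

def _length(n):
    """BER length octets: one byte below 128, otherwise 0x80|count then the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload

def enc_int(value):
    """INTEGER with a minimal two's-complement body."""
    return _tlv(TAG_INT, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, later arcs base-128, high bit = more."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(body))

def encode(community, oids, request_id, pdu_type=PDU_GET):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, data PDU }.
    The community name goes on the wire as plain octets: anyone on the path can read it."""
    varbinds = b"".join(_tlv(TAG_SEQ, enc_oid(o) + _tlv(TAG_NULL, b"")) for o in oids)
    pdu = enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(TAG_SEQ, varbinds)
    return _tlv(TAG_SEQ, enc_int(SNMP_V1) + _tlv(TAG_OCTET, community.encode("ascii")) + _tlv(pdu_type, pdu))

def _read(buf, pos):
    """Read one TLV at pos -> (tag, body, position after it); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length octets")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + ln], pos + ln

def _expect(buf, pos, tag):
    got, body, pos = _read(buf, pos)
    if got != tag:
        raise ValueError(f"expected tag {tag:#x}, got {got:#x}")
    return body, pos

def dec_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode(buf):
    """Parse a v1 Get/GetNext/Set/Response message (Trap-PDU has another layout and is refused)."""
    msg, _ = _expect(buf, 0, TAG_SEQ)
    ver, pos = _expect(msg, 0, TAG_INT)
    community, pos = _expect(msg, pos, TAG_OCTET)
    pdu_type, pdu, _ = _read(msg, pos)
    if pdu_type not in (PDU_GET, PDU_GETNEXT, PDU_RESPONSE, PDU_SET):
        raise ValueError(f"unsupported PDU type {pdu_type:#x}")
    rid, pos = _expect(pdu, 0, TAG_INT)
    err, pos = _expect(pdu, pos, TAG_INT)
    _, pos = _expect(pdu, pos, TAG_INT)          # error-index, not needed here
    vbl, _ = _expect(pdu, pos, TAG_SEQ)
    oids, pos = [], 0
    while pos < len(vbl):
        vb, pos = _expect(vbl, pos, TAG_SEQ)
        oid_body, _ = _expect(vb, 0, TAG_OID)
        oids.append(dec_oid(oid_body))
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode("ascii", "replace"),
            "pdu_type": pdu_type,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "oids": oids}

def agent_accepts(buf, read_community, write_community):
    """Agent-side access check: the community name is the only credential in SNMPv1.
    Returns "write", "read" or None; None is the case RFC 1157 reports with an
    authenticationFailure trap."""
    msg = decode(buf)
    if msg["community"] == write_community:
        return "write"
    if msg["community"] == read_community and msg["pdu_type"] != PDU_SET:
        return "read"
    return None
```

The decoder checks every length against the buffer before slicing, which is the check a real agent needs most: SNMP is fed straight from UDP, so a malformed packet must fail with an exception rather than read past the message.<br />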
5.3.5 Common Management Information Protocol over TCP/IP (CMOT)<br />
CMOT is the network management architecture that has been developed to<br />
move towards a closer relationship with the Open System Interconnection (OSI)<br />
network management standards named Common Management Information<br />
Protocol (CMIP). On that basis CMOT, as in the OSI model, can be<br />
divided into an organizational model, a functional model and an informational model.<br />
In the organizational and informational models the same OSI concept is used in<br />
CMOT and in SNMP. The object identification is formed using the subtree<br />
related to the DoD with subdivisions in management, directory, experimental and<br />
private. All the management objects are defined in the Management Information<br />
Base (MIB) being represented by the Structure and Identification of Management<br />
Information (SMI), a subset of the ASN.1 (OSI Abstract Syntax Notation 1).<br />
In the functional model CMOT adopted the OSI model that divides the<br />
management components into managers and agents. The agent collects<br />
information, performs commands and executes tests and the manager receives<br />
data, generates commands and sends instructions to the agents. This manager<br />
and agent are formed by a set of specific management information per<br />
communication layer named the Layer Management Entities (LME).<br />
All the LMEs are coordinated by a System Management Application Process<br />
(SMAP) that can communicate between different systems over the Common<br />
Management Information Protocol (CMIP).<br />
In the OSI approach, management can occur only over fully established<br />
connections between the managers and the agents. CMOT allows management<br />
information exchange over connectionless services (datagram). To maintain<br />
the same service interface required by CMIP, called Common Management<br />
Information Services (CMIS), the CMOT architecture defined a new<br />
communication layer, the Lightweight Presentation Protocol (LPP). This layer<br />
provides the presentation services required by CMIP, so that the network<br />
management standards defined by OSI fit in the TCP/IP CMOT architecture.<br />
5.3.6 Tools<br />
Depending on your needs and the complexity of your network, it may be possible<br />
to manage your network with a simple program, such as WhatsUp, or you may<br />
require a sophisticated heterogeneous network management system, such as<br />
Tivoli's Management Environment (TME).<br />
Although WhatsUp is small, it is powerful. It is a network monitoring tool for<br />
small-to-medium sized TCP/IP networks. It provides graphical network<br />
monitoring tools that initiate both visual and audible alarms when monitored<br />
network elements do not respond to polling. WhatsUp will even notify you<br />
remotely by digital beeper, alphanumeric pager, or e-mail. Basically, you can<br />
build a map of your network and the status of each component to be monitored<br />
can be displayed. This status can be logged and analyzed to determine system<br />
downtime and performance. Figure 50 shows the main window of WhatsUp with<br />
its graphical display of network elements and connections. This window also<br />
provides access to other WhatsUp features. More information can be found at<br />
www.ipswitch.com/products/whatsup/.<br />
Figure 50. WhatsUp Main Window<br />
Tivoli's Management Environment (TME) can provide centralized control and<br />
management of heterogeneous distributed networks. Specifically, TME 10<br />
NetView enables an administrator to monitor a network through a centralized<br />
TME 10 NetView console. It automatically provides logical discovery of network<br />
resources and places those resources and their relationships in topology maps.<br />
Through the integration with TME 10 Framework it is able to provide support<br />
across multiple operating systems. More information can be found at<br />
www.tivoli.com.<br />
5.4 Usage Management<br />
Along with the need to manage network operability and performance, there are<br />
many other considerations that need to be made with regard to network<br />
management. If any of your subscribers are content providers, they will<br />
eventually come to you with questions such as:<br />
• How many people have looked at my home page?<br />
• Which of my pages is the most popular?<br />
• How many copies of my demo have been downloaded?<br />
These content providers may even be selling advertising on the Web presence<br />
that you are providing them. Their ability to charge for advertising on their site<br />
will be directly coupled with their ability to determine how many visitors they<br />
have had to their site. The typical method of selling advertising is by the<br />
number of times that an ad is displayed. This requires some kind of tracking<br />
tool. Another method of selling advertising is called click-through. This is based<br />
on the number of visitors who actually click on an advertisement that leads<br />
them to the advertiser's site. There is no getting around a tracking tool for this<br />
advertising method. The most recent form of advertising is called Intermercials.<br />
This type of ad provides animation, product information and interactivity, all<br />
without taking the visitor away from the original site. A tool to track the amount<br />
of time that a visitor interacts with this type of advertisement remains to be<br />
developed.<br />
One such product that provides a tracking capability is WebTrends. WebTrends<br />
will analyze the log files created by your Web servers and provide you with<br />
information about your site and the users that access it. WebTrends is<br />
compatible with log files created by many Web servers. WebTrends main screen<br />
can be seen in Figure 51 on page 155.<br />
Figure 51. WebTrends Main Screen<br />
Reports generated by WebTrends include statistical information as well as<br />
graphs that show trends, usage, and market share among other things. Reports<br />
can be generated as HTML files that can be viewed by a Web browser, as well<br />
as formats for many popular word processors. A sample report can be seen in<br />
Figure 52 on page 156.<br />
Figure 52. WebTrends Sample Report<br />
WebTrends can even track ad views and click-throughs as can be seen in<br />
Figure 53 on page 157.<br />
Figure 53. WebTrends Ad Views and Clicks Configuration Screen<br />
Table 24 shows more of the packages that are available to assist in tracking,<br />
analyzing and reporting on system usage.<br />
Table 24. System Usage Analysis Software<br />
• AccessWatch. Vendor: Dave Maher, www.accesswatch.com. Platform: UNIX,<br />
Windows NT.<br />
• Analog. Freeware, www.statslab.cam.ac.uk/~sret1/analog/. Platform:<br />
Macintosh, RISC OS, UNIX, VMS, Windows NT.<br />
• Bazaar Analyzer. Vendor: Aquas, www.bazaarsuite.com. Platform: Java-based,<br />
platform-independent.<br />
• net.Analysis. Vendor: net.Genesis, www.netgen.com. Platform: Solaris,<br />
Windows NT.<br />
• NetIntellect. Vendor: Webmanage, www.webmanage.com. Platform: Windows 95,<br />
Windows NT.<br />
• Statbot. Freeware, www.xmission.com/~dtubbs/club/cs.html. Platform: AIX,<br />
BSDI, DEC Alpha/OSF, DEC Ultrix, FreeBSD, HP-UX, IRIX, Linux, MS-DOS, Solaris,<br />
SunOS.<br />
• WebTrends. Vendor: e.g. Software, www.webtrends.com. Platform: Windows 95,<br />
Windows NT.<br />
Currently, a leading industry trade group, the Internet Advertising Bureau, is<br />
trying to help standardize the terms used in online advertising. The organization<br />
has already developed a preliminary list of definitions for several terms. More<br />
information about these terms and other working committees can be found at<br />
www.iab.net. If these standards are adopted, it will hopefully be easier to<br />
understand and compare different online advertising options.<br />
Chapter 6. Electronic Commerce<br />
6.1 Electronic Money (E-Money)<br />
6.1.1 Types of E-Money<br />
From an ISP perspective, the initial source of revenue obviously comes from<br />
providing access to the Internet. This in and of itself could provide substantial<br />
revenue. There are, however, many other means of obtaining revenue via the<br />
Internet. Some additional services that can be sold to customers as an<br />
extension to a basic connectivity package have been discussed in Chapter 4,<br />
“Internet Services” on page 133. These services are, in essence, an extended<br />
form of advertising. They provide customers 24-hour access to product<br />
descriptions, demos and technical information. However an ISP can not afford to<br />
ignore the ongoing economic explosion known as electronic commerce.<br />
According to Randall E. McComas, segment executive, emerging markets, <strong>IBM</strong><br />
Global Telecommunications & Media Industries business unit, “The successful<br />
Internet service providers of tomorrow can′t just provide access and content.<br />
They have to enable electronic commerce and collaboration, and <strong>IBM</strong> is helping<br />
them do just that.”<br />
Electronic commerce is basically using the Internet to conduct business involving<br />
the exchange of money. Every financial transaction over the Internet is<br />
theoretically vulnerable to manipulation. In order to develop the Net into a<br />
reliable channel for commerce several different protocols have been developed.<br />
Two consortia have proposed extensions to SSL and S-HTTP for electronic<br />
commerce. These extensions, currently in draft form, have been submitted for<br />
comments. One consortium, of which <strong>IBM</strong> is a member, has chosen to build<br />
commerce-specific extensions on top of already widespread protocols such as<br />
SSL and S-HTTP. This includes the Internet Keyed Payments (iKP) system (see<br />
6.4, “<strong>IBM</strong> Corporation iKP (Internet Keyed Payment Protocols)” on page 163), a<br />
family of secure payment protocols that enable credit card payments via the<br />
Internet. Subsequently, <strong>IBM</strong> has worked with MasterCard, Visa and other<br />
technology vendors to develop Secure Electronic Transaction (SET) (see 6.5,<br />
“Secure Electronic Transactions (SET)” on page 165), a standard for credit card<br />
payments over the Net that is based on the same principles as iKP.<br />
Public-key cryptography and digital signatures make e-money possible. It would<br />
take too long to go into detail how public-key cryptography and digital signatures<br />
work. But the basic idea is that anyone can verify a signature using the readily<br />
available public key but only the holder of the private key can place a valid<br />
signature.<br />
In general, there are two distinct types of e-money:<br />
• Identified e-money contains information revealing the identity of the person<br />
who originally withdrew the money from the bank. Also, in much the same<br />
manner as credit cards, identified e-money enables the bank to track the<br />
money as it moves through the economy.<br />
• Anonymous e-money (also known as digital cash) works just like cash. Once<br />
anonymous e-money is withdrawn from an account, it can be spent or given<br />
away without leaving a transaction trail.<br />
There are two varieties of each type of e-money:<br />
• Online e-money<br />
• Offline e-money<br />
Online means you need to interact with a bank (via modem or network) to<br />
conduct a transaction with a third party. Offline means you can conduct a<br />
transaction without having to directly involve a bank. Offline anonymous<br />
e-money (true digital cash) is the most complex form of e-money because of the<br />
double-spending problem.<br />
6.1.2 The Double-Spending Problem<br />
Since e-money is just a string of bits, a piece of e-money is very easy to duplicate,<br />
and since the copy is indistinguishable from the original you might think that<br />
counterfeiting would be impossible to detect. A trivial e-money system would<br />
allow us to copy a piece of e-money and spend both copies. We could<br />
become millionaires in a matter of a few minutes. Obviously, real e-money<br />
systems must be able to prevent or detect double spending.<br />
Online e-money systems prevent double spending by requiring merchants to<br />
contact the bank′s computer with every sale. The bank computer maintains a<br />
database of all the spent pieces of e-money and can easily indicate to the<br />
merchant if a given piece of e-money is still spendable. If the bank computer<br />
says the e-money has already been spent, the merchant refuses the sale. This<br />
is very similar to the way merchants currently verify credit cards at the point of<br />
sale.<br />
Offline e-money systems detect double spending in a couple of different ways.<br />
One way, used in some systems, is to create a special smart card containing a<br />
tamper-proof chip called an observer. The observer chip keeps a mini database of all<br />
the pieces of e-money spent by that smart card. If the owner of the smart card<br />
attempts to copy some e-money and spend it twice, the embedded observer chip<br />
detects the attempt and does not allow the transaction. Since the<br />
observer chip is tamper-proof, the owner cannot erase the mini-database without<br />
permanently damaging the smart card.<br />
The other way offline e-money systems handle double spending is to structure<br />
the e-money and cryptographic protocols to reveal the identity of the double<br />
spender by the time the piece of e-money makes it back to the bank. If users of<br />
the offline e-money know they will get caught, the incidence of double spending<br />
will be minimized (in theory). The advantage of these kinds of offline systems is<br />
that they don′t require special tamper-proof chips. The entire system can be<br />
written in software and can run on ordinary PCs or cheap smart cards.<br />
It is easy to construct this kind of offline system for identified e-money. Identified<br />
offline e-money systems can accumulate the complete path the e-money made<br />
through the economy. The identified e-money information increases each time it<br />
is spent. The particulars of each transaction are appended to the piece of<br />
e-money and travel with it as it moves from person to person, merchant to<br />
vender. When the e-money is finally deposited, the bank checks its database to<br />
see if the piece of e-money was double spent. If the e-money was copied and<br />
spent more than once, it will eventually appear twice in the spent database. The<br />
bank uses the transaction trails to identify the double spender.<br />
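As an added illustration of 6.1.2 (this program is not part of the redbook), the following Go code models both mechanisms described above: a merchant verifying the bank's signature offline, the bank's online spent database, and the transaction trail of identified e-money that names the double spender on deposit. Ed25519 as the bank's signature scheme and the participant names are assumptions made for the example.<br />

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Transfer is one spend (payer -> payee) appended to a coin's trail. Names are constructed.
type Transfer struct{ From, To string }

// Coin is identified e-money: the bank signs Serial|Value|Owner, so anyone with
// the bank's public key can verify a coin but only the bank can issue one.
type Coin struct {
	Serial string
	Value  int
	Owner  string // who withdrew the coin from the bank
	Sig    []byte
	Trail  []Transfer // grows by one Transfer per spend (offline identified e-money)
}

func (c *Coin) signedBytes() []byte { return []byte(fmt.Sprintf("%s|%d|%s", c.Serial, c.Value, c.Owner)) }

var ErrDoubleSpent = errors.New("coin already in the spent database")

// Bank mints coins and keeps the spent database used to detect double spending.
// Ed25519 is an assumption for illustration; the text names no algorithm.
type Bank struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	spent map[string]*Coin // serial -> first copy deposited
	next  int
}

func NewBank() (*Bank, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Bank{Pub: pub, priv: priv, spent: map[string]*Coin{}}, nil
}

// Withdraw issues a freshly signed coin to owner.
func (b *Bank) Withdraw(owner string, value int) *Coin {
	b.next++
	c := &Coin{Serial: fmt.Sprintf("C%04d", b.next), Value: value, Owner: owner}
	c.Sig = ed25519.Sign(b.priv, c.signedBytes())
	return c
}

// Verify is the merchant's offline check: is the bank's signature genuine?
func Verify(pub ed25519.PublicKey, c *Coin) bool {
	return ed25519.Verify(pub, c.signedBytes(), c.Sig)
}

// Spend hands a copy of the coin to payee; spending the same bits twice is a double spend.
func Spend(c *Coin, from, to string) *Coin {
	cp := *c
	cp.Trail = append(append([]Transfer(nil), c.Trail...), Transfer{from, to})
	return &cp
}

// Deposit: online check against the spent database; a duplicate serial names the double spender.
func (b *Bank) Deposit(c *Coin) (string, error) {
	if !Verify(b.Pub, c) {
		return "", errors.New("invalid bank signature")
	}
	if prev, dup := b.spent[c.Serial]; dup {
		return DoubleSpender(prev, c), ErrDoubleSpent
	}
	b.spent[c.Serial] = c
	return "", nil
}

// DoubleSpender: the payer of the first transfer on which the two trails differ
// spent the coin twice; identical trails mean the final holder deposited twice.
func DoubleSpender(a, b *Coin) string {
	i := 0
	for i < len(a.Trail) && i < len(b.Trail) && a.Trail[i] == b.Trail[i] {
		i++
	}
	switch {
	case i < len(a.Trail):
		return a.Trail[i].From
	case i < len(b.Trail):
		return b.Trail[i].From
	case len(a.Trail) > 0:
		return a.Trail[len(a.Trail)-1].To
	}
	return a.Owner
}

func main() {
	bank, _ := NewBank()
	coin := bank.Withdraw("alice", 10)
	bank.Deposit(Spend(coin, "alice", "bob"))
	fmt.Println(bank.Deposit(Spend(coin, "alice", "carol"))) // same bits spent again
}
```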
Offline anonymous e-money (sans observer chip) information also increases with<br />
each transaction, but the information that is accumulated is of a different nature.<br />
The result is the same however. When the anonymous e-money reaches the<br />
bank, the bank will be able to examine its database and determine if the<br />
e-money was double spent. The information accumulated along the way will<br />
identify the double spender.<br />
The big difference between offline anonymous e-money and offline identified<br />
e-money is that the information accumulated with anonymous e-money will only<br />
reveal the transaction trail if the e-money is double spent. If the anonymous<br />
e-money is not double spent, the bank cannot determine the identity of the<br />
original spender nor can it reconstruct the path the e-money took through the<br />
economy.<br />
With identified e-money, both offline and online, the bank can always reconstruct<br />
the path the e-money took through the economy. The bank will know what<br />
everyone bought, where they bought it, when they bought it, and how much they<br />
paid. And what the bank knows, the taxation authority knows.<br />
There are a lot of companies developing products based on the e-money<br />
technology. Some of the more popular products are:<br />
Digicash This is the largest electronic cash scheme, based on electronic coins.<br />
It has a large number of subscribers, both buyers and merchants, and<br />
is supported by a number of banks. It uses an innovative blind<br />
signature scheme to protect the anonymity of the buyer.<br />
Mini-pay This is a scheme proposed by <strong>IBM</strong> research. Its unique feature is<br />
that for small payments there is no need for the seller to request<br />
funds from the server that holds the account. Each buyer has a daily<br />
spending limit and, as long as it is not exceeded, the seller can be<br />
relatively sure that the bill will be paid. The advantage of this<br />
scheme is faster, lighter transactions, at the cost of a small additional<br />
risk.<br />
Netbill This is a scheme developed at Carnegie Mellon University. In this<br />
case the cash is not held directly by the buyer, but by a Netbill server.<br />
It is primarily designed for delivering for-fee data content. When the<br />
buyer elects to buy the data or service, the seller sends the data in<br />
an encrypted form. It also sends a billing request to the Netbill<br />
server. If there are sufficient funds in the buyer′s account, the server<br />
sends the buyer the key to unlock the data. If the buyer accepts, the<br />
cost is deducted from his or her account.<br />
Table 25 shows the locations of the Web sites of these and other e-money<br />
products.<br />
Table 25. E-Money Product Locations<br />
Product Web Site<br />
CheckFree www.checkfree.com<br />
CyberCash www.cybercash.com<br />
Digicash www.digicash.com<br />
First Union Bank www.firstunion.com<br />
First Virtual www.fv.com<br />
MasterCard www.mastercard.com<br />
Mini-pay www.ibm.net.il/ibm_il/int-lab/mpay<br />
Mondex www.mondex.com<br />
Netbill www.netbill.com<br />
NetCheque www.netcheque.org<br />
NetMarket www.netmarket.com<br />
Sandia′s Electronic Cash System www.cs.sandia.gov/HPCCIT/el_cash.html<br />
Security First Network Bank www.sfnb.com<br />
USC′s Netcash gost.isi.edu/info/netcash<br />
Visa www.visa.com<br />
6.2 Electronic Checks (E-Check)<br />
A current method of money exchange that could be efficiently handled over the<br />
Internet is the use of paper checks. Currently a person must fill out a paper<br />
check, which is then typically mailed to the payee, who in turn must endorse it<br />
and take it to a bank. The bank must process the paper check, ship it to a<br />
clearinghouse bank, which in turn sends it back to the payee′s bank where the<br />
amount is credited to the payee′s account. The paper check is either kept in a<br />
file or scanned and sent back to the check′s originator.<br />
This whole process can be handled much more efficiently over the Internet. This<br />
is the central idea behind the e-check. The Financial Services Technology<br />
Consortium (FSTC), comprised of major U.S. banks and technology companies,<br />
including <strong>IBM</strong>, is working on assessment and demonstration of the feasibility of<br />
electronic checks.<br />
Elaine Palmer, manager of embedded cryptographic systems at <strong>IBM</strong>′s Watson<br />
Lab says, “For years, the United States Department of the Treasury has been<br />
trying to get its payees to get on an Electronic Data Interchange (EDI) system so<br />
that they send in their bills and receive their payments electronically.” However,<br />
setting up to do business on an EDI system costs about $100,000 and small<br />
businesses have not wanted to take the plunge. The Internet provides an<br />
opportunity to accomplish the same thing with a much lower cost of investment.<br />
E-checks are claimed against funds held in a regular bank demand deposit<br />
account. They′re designed for purchases of US $10 or more. In many ways, an<br />
e-check works like a paper check. Chances are that e-checks will use the<br />
existing SET protocol (see 6.5, “Secure Electronic Transactions (SET)” on<br />
page 165) which will be interfaced with the existing infrastructure for check<br />
clearing, settlement and records keeping.<br />
6.3 Secure Electronic Payment Protocol<br />
<strong>IBM</strong>, Netscape, GTE, CyberCash, and MasterCard have cooperatively developed<br />
extensions they call the Secure Electronic Payment Protocol (SEPP). <strong>IBM</strong> has<br />
contributed both security technology including Internet Keyed Payment Protocol<br />
(iKP), a secure payment technology developed at <strong>IBM</strong>′s research laboratory in<br />
Zurich, Switzerland, and its long-standing experience building and operating very<br />
large financial networks. SEPP protects transactions between a card holder and<br />
a merchant, and between the merchant and card holder′s financial institution.<br />
There are seven major business requirements addressed by the Secure<br />
Electronic Payment Protocol (SEPP) system:<br />
• Confidentiality of payment information.<br />
• Integrity of all payment data transmitted via public networks.<br />
• Authentication that a card holder is the legitimate owner of a credit card<br />
account.<br />
• Authentication that a merchant can accept credit card payments with an<br />
acquiring member financial institution.<br />
• Interoperability of bank card/credit card programs among software and<br />
network providers.<br />
• Protection from electronic commerce-related attacks.<br />
• Separate privacy mechanisms for general information exchange and<br />
payment data exchange.<br />
The scope of SEPP encompasses both interactive online and non-interactive<br />
store-and-forward (e-mail message-based) payment transactions. Several<br />
transaction messages are required; others add the ability to operate when the<br />
customer or the financial institution are not available. Card holder account and<br />
payment data information must be secured as it travels across the network,<br />
preventing interception and alteration of this data by unauthorized parties. The<br />
SEPP standard guarantees that message content is not altered during<br />
transmission. Payment data sent from card holders to merchants is protected in<br />
such a manner as to be verifiable. If any component is altered in transit, the<br />
transaction will not be processed accurately. SEPP provides the means to<br />
ensure that the contents of all payment messages sent match the contents of<br />
messages received. Merchants will be able to verify that a card holder is using<br />
a valid account number.<br />
A mechanism that links a card holder to a specific account number reduces the<br />
incidence of fraud and therefore the overall cost of payment processing. SEPP<br />
also provides a mechanism to prevent intruders from establishing a phony<br />
storefront and collecting payment data. Merchants who receive payment data<br />
are sponsored by a financial institution and display a certificate verifying this<br />
relationship.<br />
6.4 <strong>IBM</strong> Corporation iKP (Internet Keyed Payment Protocols)<br />
The <strong>IBM</strong> Research Division has developed a family of secure payment protocols,<br />
called iKP, that circumvents most of the problems described above. While developed at <strong>IBM</strong>,<br />
the technology has been immediately disclosed for public review, and it is being<br />
openly discussed in a number of fora and consortia (for example, W3C, FSTC,<br />
IETF, etc.) and with a number of financial and technical partners as <strong>IBM</strong> has no<br />
intention of keeping it proprietary. The technology uses strong cryptography in a<br />
very secure way but packages it so that it should satisfy usage and<br />
import/export restrictions in most countries. It was designed to work with any<br />
browser and server on any platform; the first prototype is designed to work with<br />
credit cards, but the intrinsic design is flexible and will allow supporting other<br />
payment instruments in due time. This first prototype is also entirely in software<br />
because typical Internet stations today do not include secure hardware or<br />
support smart card readers, but provisions are made in the design to<br />
accommodate such devices later, and work is already in progress in that<br />
direction. The iKP technology is designed to allow customers to order goods,<br />
services, or information over the Internet, while relying on existing secure<br />
financial networks to implement the necessary payments, as suggested in<br />
Figure 54 on page 164.<br />
Figure 54. <strong>IBM</strong> iKP<br />
6.4.1 Security Considerations<br />
The intent of iKP is to address certain security issues related to three-party<br />
payment mechanisms conducted over the Internet. Note that iKP does not<br />
address security concerns applicable to negotiations that may occur before iKP<br />
is initiated. Depending upon the communications method utilized, security<br />
protocols such as SSL, S-HTTP, PEM, or MOSS should be utilized if privacy,<br />
authentication, signatures, or other security attributes are required for the<br />
negotiations.<br />
Public key signature mechanisms are critically dependent upon the security of<br />
the corresponding private keys. iKP requires private and public keys of<br />
acquirers and optionally of sellers and buyers. Implementers should pay<br />
particular attention to the methods used to store the private keys of these<br />
participants. Encryption of stored private keys, tamper-proof hardware,<br />
certificate revocation mechanisms, and certificate expiration dates should all be<br />
considered. iKP expects that public keys are distributed via certificates signed<br />
by well-known certification authorities (CAs).<br />
The definition of such CAs, and the distribution mechanism for their root public<br />
keys, is outside the scope of iKP. The security of iKP ultimately relies upon the<br />
security of the root keys as utilized by the buyer, seller, and acquirer software.<br />
Implementers should consider carefully how software configures and stores<br />
these root keys. It is suggested that there be mechanisms by which buyers,<br />
sellers, and acquirer employees/users can verify the certificate authorities and<br />
root keys recognized by their software.<br />
6.5 Secure Electronic Transactions (SET)<br />
Banks and financial institutions have had networks for electronic payment<br />
processing for many years. These networks connect highly secure, trusted<br />
computer systems, using dedicated links and powerful cryptographic hardware.<br />
A number of international standards exist to define the protocol for messages<br />
exchanged over the network.<br />
The challenge for Internet credit card processing lies in producing a scheme that<br />
can provide adequate protection at a reasonable cost without compromising<br />
trust in any of the existing systems.<br />
During 1995, various financial organizations and technology companies formed a<br />
number of alliances aimed at producing standards for credit card payment. This<br />
was a confusing time, with a number of competing standards and consortia. The<br />
technical community would probably still be arguing the merits of one solution or<br />
another, but the two largest credit card companies, Visa and MasterCard,<br />
realized that nothing would happen without a globally accepted standard. They<br />
joined forces with the key software companies to produce a single proposal,<br />
SET.<br />
SET is based on ideas from previous proposed standards and is also heavily<br />
influenced by Internet Keyed Payment Protocols (iKP) as mentioned in 6.4, “<strong>IBM</strong><br />
Corporation iKP (Internet Keyed Payment Protocols)” on page 163.<br />
Other credit card payment systems do exist, but they generally do not have as<br />
broad a market as SET. For example, the First Virtual Internet Payments System<br />
(FVIPS), operated by First Virtual Holdings Inc., is a scheme in which the<br />
prospective buyer registers credit card details with First Virtual and receives a<br />
personal identification number (PIN). The buyer can then use the PIN in place of<br />
a card number at any merchant that has an account with First Virtual. Payment<br />
details must be confirmed by e-mail before any purchase is completed.<br />
Although this scheme has been successful it is limited due to the requirement<br />
for both buyer and seller to be affiliated with the same service. SET more<br />
closely follows the model of normal credit card payments, in which the only<br />
relationship between the organization that issues the card and the one that<br />
processes the purchase is that they subscribe to the same clearing network.<br />
SET is specifically a payment protocol. It defines the communication between<br />
card holder, merchant and payment gateway for card purchases and refunds. It<br />
defines the communication between the different parties and certification<br />
authorities for public key signature. It does not define anything beyond that.<br />
If you want some further insight into these processes, refer to the Secure<br />
Electronic Transactions Specification, which is in three parts:<br />
• Book 1, Business Description<br />
• Book 2, Programmer′s Guide<br />
• Book 3, Formal Protocol Definition<br />
The documents are available in several different formats from<br />
www.mastercard.com/set.<br />
6.6 Net.Commerce<br />
The Net.Commerce product allows you, as the merchant or service provider, to<br />
create an electronic store where your products or services can be sold to<br />
potential customers on the Internet′s World Wide Web (WWW). Using<br />
Net.Commerce, your shoppers can browse and purchase goods and services<br />
described in your electronic store. This store will make the shoppers feel like<br />
they are shopping in a real store.<br />
Net.Commerce can be used with a standard Web browser, such as the Netscape<br />
Navigator 2.0 or another Java-compatible browser. In addition, Lotus payment<br />
switch technology provides the integrity and the authentication necessary to<br />
allow your shoppers to securely purchase products and services over the<br />
Internet. Net.Commerce is now SET-enabled to allow a more secure credit card<br />
transaction than SSL. It also interfaces with CyberCash to help automate the<br />
purchasing process.<br />
Net.Commerce consists of a Store Manager, a Net.Commerce director, and a<br />
Net.Commerce daemon. Figure 55 on page 167 shows these components and<br />
how they interact with other products that are part of <strong>IBM</strong>′s world of electronic<br />
commerce.<br />
Figure 55. Net.Commerce<br />
6.6.1 Store Manager<br />
Store Manager is a component of Net.Commerce that provides the tools that a<br />
store administrator needs to create and administer electronic stores. Store<br />
Manager also provides the tools for keeping track of prices, orders, shoppers,<br />
and groups of shoppers for group discounting or group pricing.<br />
Store Manager contains a collection of Java applets that are installed on the<br />
Net.Commerce server and that can be accessed from any Java-compatible<br />
browser on the World Wide Web. Store Manager consists of the following<br />
components: the store creator, store administrator, and the template editor.<br />
For more information about Store Manager and its components, and how to<br />
create and maintain a virtual storefront on the World Wide Web, refer to the<br />
Net.Commerce Store Manager Handbook.<br />
6.6.2 The Store Creator<br />
The store creator is a series of easy-to-use interfaces on the World Wide Web<br />
that guide a user through the initial steps of creating a basis for an electronic<br />
store. The store creator provides the basic elements of an electronic store, and<br />
directs the user to the store administrator and to the template editor to provide<br />
the remaining content and design of the electronic store.<br />
The store creator enables a store administrator to perform the following basic<br />
store operations:<br />
• Create a store basis<br />
• Configure the electronic store<br />
• Design the store′s home page<br />
• Categorize the store′s products<br />
• Design a default store header and footer<br />
• Design the shopping basket<br />
• Define shopper groups<br />
• Configure Net.Commerce<br />
6.6.3 The Store Administrator<br />
The store administrator is a collection of Java forms on the World Wide Web that<br />
provides easy access to entering, editing, and maintaining store information in<br />
the merchant server database.<br />
Using the store administrator, a user can:<br />
• Create an electronic store<br />
• Configure Net.Commerce and the electronic store<br />
• Change and maintain the store′s information<br />
• Enter and modify product and price information<br />
• Maintain shopper records<br />
• Maintain groups of shoppers<br />
• Assign custom headers and footers to store pages<br />
• Customize the store display for different shopper groups<br />
• Keep track of orders<br />
6.6.4 The Template Editor<br />
The template editor provides a what-you-see-is-what-you-get (WYSIWYG)<br />
environment allowing you to design the look and feel of your electronic store, so<br />
that your shoppers feel like they are in a real store. With it you can create your<br />
store pages, which include the store′s home page, interactive navigational pages<br />
and dynamic catalog pages.<br />
6.6.5 The Net.Commerce Director<br />
The Net.Commerce director is a non-parsed header common gateway interface<br />
(nph-cgi) program allowing two-way communication between the <strong>IBM</strong> Internet<br />
Connection Secure Server and the Net.Commerce daemon. It is called by the<br />
<strong>IBM</strong> Internet Connection Secure Server to display products and services offered<br />
for sale to your shoppers. The Net.Commerce director communicates via a<br />
TCP/IP socket with the Net.Commerce daemon to quickly access the store′s<br />
database. The TCP/IP communication is secured through a public/private key<br />
encryption mechanism.<br />
6.6.6 The Net.Commerce Daemon<br />
The Net.Commerce daemon is a program used to access information stored in a<br />
DB2 database from which your online product catalogs are built. It can assist in<br />
building pages dynamically and rapidly, in maintaining and multiplexing the<br />
connections to the database, and managing the security and administration of<br />
the Net.Commerce.<br />
6.6.7 The Lotus Payment Switch<br />
The Lotus payment switch performs authorization for credit card transactions<br />
when shoppers place their orders.<br />
The transaction information is transmitted in a secure fashion to the payment<br />
server for processing. The response is returned to the Net.Commerce server<br />
where an appropriate URL tells the shopper whether the transaction has been<br />
accepted or rejected.<br />
6.6.8 The Olympic Ticket Sales - An Example of Net.Commerce<br />
The Atlanta 1996 Olympic Ticket Sales was an example of a large electronic<br />
commerce application on the Internet. It was implemented with <strong>IBM</strong><br />
Net.Commerce. This example demonstrates the potential of Net.Commerce.<br />
Let′s buy some tickets.<br />
Figure 56. The Olympic Ticket Sale Start Page<br />
We start at the ticket sale home page at sales2.atlanta.olympic.org. In the upper<br />
part of the screen you can see the heading definition done with Net.Commerce.<br />
You will find this heading on every page in the ticket sale.<br />
After choosing the Start button, the selection page appears. Here you see the<br />
different search possibilities you have for getting tickets. In the same way you<br />
can build selection categories for your business using Net.Commerce.<br />
Figure 57. Search for Tickets Part 1<br />
Figure 58. Search for Tickets Part 2<br />
Figure 59. Result of Search by Date<br />
We want to know if there are any tickets available on the 31st of July, so we<br />
choose the Search by Date function. The search result showed us all events for<br />
that date where tickets were available.<br />
We decided to go to a hockey game in the morning and to a handball game in<br />
the afternoon.<br />
Figure 60. Ticket Price and Quantity<br />
Figure 61. Ticket Request List<br />
After every selection, we saw the list of all of our ticket requests, with the<br />
possibility to change the requests.<br />
By clicking the OK button in the ticket request list, we started the payment<br />
process. Net.Commerce first checks if the browser supports SSL. Our browser<br />
didn′t support SSL, so we got the following page as a result:<br />
Figure 62. Unsuccessful Security Test<br />
As you see, Net.Commerce offers your customers two ways to order and pay:<br />
• With SSL support in your browser, your customers can order online and pay<br />
with their credit card.<br />
• Without SSL support they can use the Net.Commerce for selecting the<br />
products or services they want and then they can order offline.<br />
Figure 63. Offline Purchase<br />
6.7 Example Electronic Commerce Solution<br />
Figure 64. Example Electronic Commerce Solution. Electronic sales environment with built-in secure resources.<br />
The solution shown in Figure 64 is a basic electronic commerce solution. You<br />
can add more features to this solution providing more resources and improved<br />
service to the customers.<br />
There are some very important things to consider with regard to this solution,<br />
such as:<br />
• Link bandwidth: The link bandwidth must be high enough to provide an<br />
acceptable response time for the customers.<br />
• Server performance: The server performance is directly related to the link<br />
bandwidth. Always choose servers that can receive upgrades in storage<br />
capacity, memory and if possible, processors.<br />
• Security: You must develop applications that take advantage of current<br />
security transaction technologies, such as S-HTTP, SSL and e-money. If your<br />
site uses these standardized technologies, you are able to provide<br />
service to customers using various types of browsers.<br />
• Database server: This is a vital server where all information about product<br />
availability, customer information, prices, etc. will be stored. Always look for<br />
upgradeable servers. Take care when choosing database software. Some<br />
databases have limitations when used with Web-integrated environments.<br />
The <strong>IBM</strong> Web servers can be easily integrated with DB/2 servers running on<br />
OS/2, Windows NT, RS/6000, AS/400 and mainframes. The <strong>IBM</strong> servers also<br />
support CICS integration.<br />
• Firewall: The firewall is a vital part of this solution, because it provides the<br />
security for the internal LAN and to the internal servers, such as the<br />
database server.<br />
You can connect the headquarters LAN, where all the information-critical servers<br />
are located, to remote LANs at stock and delivery sites. This ensures that<br />
customers receive quick, reliable information based on an integrated logistics<br />
system.<br />
All computers on the internal LAN will be able to access the Internet using all<br />
resources, such as e-mail, WWW, Gopher, FTP, Telnet, etc.<br />
Table 26. Example Electronic Commerce Solution Specifications<br />
Firewall<br />
Software requirements:<br />
• AIX 4.1.4<br />
• <strong>IBM</strong> Secure Network Gateway for AIX<br />
• Two LAN interfaces configured and running<br />
Hardware requirements:<br />
• <strong>IBM</strong> RS/6000 Model 43P<br />
• PowerPC 133 MHz CPU<br />
• 64 MB RAM<br />
• 4.0 GB hard disk<br />
• Two LAN adapters<br />
External network<br />
Ethernet 10Base-T recommended, using <strong>IBM</strong> 8222 or <strong>IBM</strong> 8224 hubs<br />
Option #1 - Windows NT server<br />
Software requirements:<br />
• Windows NT 3.5.1 or later<br />
• <strong>IBM</strong> Internet Connection Secure Server<br />
• <strong>IBM</strong> Net.Commerce Server for Windows NT<br />
• <strong>IBM</strong> WWW DB/2 Gateway for Windows NT<br />
• TCP/IP configured and running<br />
• LAN interface configured and running<br />
• MS-Internet Explorer or Netscape Navigator 2.0<br />
Hardware requirements:<br />
• <strong>IBM</strong> PC Server 310<br />
• Pentium 90 MHz CPU<br />
• 32 MB RAM<br />
• 2.0 GB hard disk<br />
• LAN adapter<br />
• DAT backup tape<br />
• CD-ROM unit<br />
Option #2 - <strong>IBM</strong> AIX server<br />
Software requirements:<br />
• <strong>IBM</strong> AIX 4.1 or later<br />
• <strong>IBM</strong> Internet Connection Secure Server<br />
• <strong>IBM</strong> Net.Commerce Server for Windows NT<br />
• <strong>IBM</strong> WWW DB/2 Gateway for Windows NT<br />
• TCP/IP configured and running<br />
• LAN interface configured and running<br />
• <strong>IBM</strong> WebExplorer or Netscape Navigator 2.0<br />
Hardware requirements:<br />
• <strong>IBM</strong> RS/6000 Model C10<br />
• PowerPC 120 MHz CPU<br />
• 64 MB RAM<br />
• 4.0 GB hard disk<br />
• LAN adapter<br />
• DAT backup tape<br />
• CD-ROM unit<br />
Database server<br />
Software requirements:<br />
• <strong>IBM</strong> AIX 4.1 or later<br />
• <strong>IBM</strong> DB/2 Database server for AIX<br />
• TCP/IP configured and running<br />
• LAN interface configured and running<br />
Hardware requirements:<br />
• <strong>IBM</strong> RS/6000 Model C10<br />
• PowerPC 120 MHz CPU<br />
• 64 MB RAM<br />
• 6.0 GB hard disk<br />
• LAN adapter<br />
• DAT backup tape<br />
• CD-ROM unit<br />
Router<br />
Software requirements: IP routing support level<br />
Hardware requirements:<br />
• <strong>IBM</strong> 2210 Model 12E<br />
• 8 MB RAM<br />
Leased line<br />
You can use microwave radio, satellite, common leased lines, ISDN, etc. The<br />
minimum recommended link speed is 128 kbps.<br />
Provider<br />
<strong>IBM</strong> Global Network services<br />
Table 27. Client Specifications on the Internal LAN<br />
LAN client<br />
Software requirements: IBM DOS, OS/2, AIX, MS-DOS, Windows 3.x, 95 or NT; TCP/IP configured and running; LAN interface configured and running; browser compatible with the operating system<br />
Hardware requirements: IBM PC or compatible; 486DX4 or Pentium CPU; 8 MB RAM; 500 MB hard disk; LAN adapter<br />
Chapter 7. Tools<br />
7.1 Multimedia<br />
7.1.1 Image Formats<br />
If an Internet Service Provider is considering offering more than just plain access<br />
to the Internet, learning about the Internet environment cannot be avoided. It is<br />
necessary to understand which aspects of the Internet can be utilized to<br />
implement new services. These range from, as a minimum, the numerous multimedia<br />
applications that are preconfigured to run over the Net, to the various means of<br />
programming local applications. These can be used to implement new<br />
services, such as interactive presentations, distance learning, conferencing and<br />
entertainment.<br />
This section gives you an overview of the multimedia concepts and terms used<br />
in the Internet environment.<br />
The following are common image formats on the Internet.<br />
7.1.1.1 JPEG Image Format<br />
JPEG (pronounced jay-peg) is a standardized image compression mechanism.<br />
JPEG stands for Joint Photographic Experts Group, the original name of the<br />
committee that wrote the standard. All graphical browsers support the JPEG<br />
format. JPEG is designed for compressing either full-color or gray-scale images<br />
of natural, real-world scenes. It works well on photographs, naturalistic artwork,<br />
and similar material, but not so well on lettering, simple cartoons, or line<br />
drawings.<br />
JPEG handles only still images, but there is a related standard called MPEG for<br />
motion pictures. JPEG is lossy, meaning that the decompressed image isn't<br />
quite the same as the one with which you started. There are lossless image<br />
compression algorithms, but JPEG achieves much greater compression than is<br />
possible with lossless methods.<br />
JPEG is designed to exploit known limitations of the human eye, notably the fact<br />
that small color changes are perceived less accurately than small changes in<br />
brightness. Thus, JPEG is intended for compressing images that will be looked<br />
at by humans. If you plan to machine-analyze your images, the small errors<br />
introduced by JPEG may be a problem for you, even if they are invisible to the<br />
eye.<br />
A useful property of JPEG is that the degree of lossiness can be varied by<br />
adjusting compression parameters. This means that the image maker<br />
can trade off file size against output image quality. You can make extremely<br />
small files if you don't mind poor quality; this is useful for applications such as<br />
indexing image archives. Conversely, if you aren't happy with the output quality<br />
at the default compression setting, you can jack up the quality until you are<br />
satisfied and accept lesser compression.<br />
Another important aspect of JPEG is that decoders can trade off decoding speed<br />
against image quality by using fast but inaccurate approximations to the required<br />
calculations. Some viewers obtain remarkable speedups in this way. There are<br />
two good reasons to use JPEG over other formats: to make your image files<br />
smaller, and to store 24-bit-per-pixel color data instead of 8-bit-per-pixel data.<br />
Making image files smaller is a win for transmitting files across networks and for<br />
archiving libraries of images. Being able to compress a 2-MB full-color file down<br />
to, for example, 100 KB makes a big difference in disk space and transmission<br />
time. JPEG can easily provide 20:1 compression of full-color data. If you are<br />
comparing GIF and JPEG, the size ratio is usually more like 4:1.<br />
If your viewing software doesn't support JPEG directly, you'll have to convert<br />
JPEG to some other format to view the image. Even with a JPEG-capable<br />
viewer, it takes longer to decode and view a JPEG image than to view an image<br />
of a simpler format such as GIF. Thus, using JPEG is essentially a time/space<br />
trade-off: you give up some time in order to store or transmit an image more<br />
cheaply. But it's worth noting that when network or telephone transmission is<br />
involved, the time savings from transferring a shorter file can be greater than the<br />
time needed to decompress the file.<br />
The second fundamental advantage of JPEG is that it stores full color<br />
information: 24 bits/pixel (16 million colors). GIF, the other image format widely<br />
used on the Net, can only store 8 bits/pixel (256 or fewer colors). GIF is<br />
reasonably well matched to inexpensive computer displays. Most run-of-the-mill<br />
PCs can display no more than 256 distinct colors at once. But full-color<br />
hardware is getting cheaper all the time, and JPEG images look much better<br />
than GIFs on such hardware. Within a couple of years, GIF will probably seem<br />
as obsolete as the black-and-white MacPaint format does today. Furthermore,<br />
JPEG is far more useful than GIF for exchanging images among people with<br />
widely varying display hardware, because it avoids prejudging how many colors<br />
to use. Hence, JPEG is considerably more appropriate than GIF for use as a<br />
USENET and World Wide Web standard format.<br />
Many people are scared off by the term lossy compression. But when it comes<br />
to representing real-world scenes, no digital image format can retain all the<br />
information that impinges on your eyeball. By comparison with the real-world<br />
scene, JPEG loses far less information than GIF. The real disadvantage of lossy<br />
compression is that if you repeatedly compress and decompress an image, you<br />
lose a little quality each time.<br />
JPEG does not support transparency and is not likely to do so any time soon. It<br />
turns out that adding transparency to JPEG would not be a simple task. The<br />
traditional approach to transparency, as found in GIF and some other file<br />
formats, is to choose one otherwise-unused color value to denote a transparent<br />
pixel. That can't work in JPEG because JPEG is lossy; a pixel won't necessarily<br />
come out the exact same color it started with. Normally, a small error in a pixel<br />
value is OK because it affects the image only slightly. But if it changes the pixel<br />
from transparent to normal or vice versa, the error would be highly visible and<br />
annoying, especially if the actual background were quite different from the<br />
transparent color.<br />
A more reasonable approach is to store an alpha channel (transparency<br />
percentage) as a separate color component in a JPEG image. That could work<br />
since a small error in alpha makes only a small difference in the result. The<br />
problem is that a typical alpha channel is exactly the sort of image that JPEG<br />
does very badly on: lots of large flat areas and sudden jumps. You'd have to<br />
use a very high quality setting for the alpha channel. It could be done, but the<br />
penalty in file size is large. A transparent JPEG done this way could easily be<br />
double the size of a non-transparent JPEG. That's too high a price to pay for<br />
most uses of transparency.<br />
The only real solution is to combine lossy JPEG storage of the image with<br />
lossless storage of a transparency mask using some other algorithm.<br />
Developing, standardizing, and popularizing a file format capable of doing that is<br />
not a small task and transparency doesn't seem worth that much effort.<br />
7.1.1.2 GIF Image Format<br />
The GIF image format uses a built-in LZW compression algorithm. This<br />
compression algorithm is patented technology and currently owned by Unisys<br />
Corporation. As of 1995, Unisys decided that commercial vendors, whose<br />
products use the GIF LZW compression, must license its use from Unisys. End<br />
users, online services, and non-profit organizations do not pay this royalty.<br />
Since its inception, GIF has been a royalty-free format. Only as of 1995 did<br />
Unisys decide to collect royalties. To avoid this royalty, vendors have developed<br />
an alternative to GIF that supports transparency and interlacing called PNG<br />
(ping), the Portable Network Graphic. To our knowledge PNG, however, does not<br />
support a multiple image data stream.<br />
GIF87a allowed for the following features:<br />
• LZW compressed images<br />
• Multiple images encoded within a single file<br />
• Positioning of the images on a logical screen area<br />
• Interlacing<br />
This means that nine years ago it was possible to do simple animation with GIFs<br />
by encoding multiple images, what we refer to as frames, in a single file. GIF89a<br />
is an extension of the 87a spec. GIF89a added:<br />
• How many 100ths of a second to wait before displaying the next frame<br />
• Wait for user input<br />
• Specify transparent color<br />
• Include unprintable comments<br />
• Display lines of text<br />
• Indicate how the frame should be removed after it has been displayed<br />
• Application-specific extensions encoded inside the file<br />
Netscape Navigator is the only browser that comes close to full GIF89a<br />
compliance. The lines of text and user input are not currently supported in<br />
Navigator 2.0, and the image removal doesn't support removal by the previous<br />
image. Most browsers support single image GIF87a and will only recognize the<br />
transparency flag of GIF89a.<br />
GIF89a is still a 256-color (maximum) format. GIF allows for any number of<br />
colors between 2 and 256. The fewer the colors the less data and the smaller<br />
the graphic files. If your GIF only uses four colors, you can reduce the palette to<br />
only 2 bits (4 color) and decrease the file size by upwards of 75%.<br />
The following software lets you set bits-per-pixel for GIFs:<br />
• Adobe Photoshop<br />
• Fractal Painter<br />
• Painter 2.0<br />
• PhotoStudio<br />
• PhotoGIF<br />
• PaintShop Pro<br />
• PaintIt<br />
• WebImage<br />
GIFs are composed of blocks and extensions. Blocks can be classified into three<br />
groups:<br />
• Control<br />
• Graphic-Rendering<br />
• Special Purpose<br />
Control blocks, such as the header, the logical screen descriptor, the graphic<br />
control extension and the trailer, control how the graphic data is handled.<br />
Graphic-rendering blocks such as the image descriptor and the plain text<br />
extension contain data used to render a graphic. Special purpose blocks such<br />
as the comment extension and the application extension are not used by GIF<br />
decoders at all. The logical screen descriptor and the global color table affect<br />
all the images in a single file. Each control block will only affect a single image<br />
block that immediately follows it. A GIF file contains a global palette of common<br />
colors for all the images in its file to work from. This palette can have 2, 4, 8, 16,<br />
32, 64, 128, or 256 defined colors. Palettes are very important. Every color<br />
displayed in your GIF must come from a palette. The fewer colors used, the<br />
easier it will be for systems to display your images. The global palette is<br />
applied to all images in a GIF file. If an individual image differs greatly from that<br />
global palette, it may have a local palette that affects its color only. However, no<br />
image can ever reference more than one palette, so 256 colors per image is the<br />
maximum. Having a bunch of local palettes with wildly varied colors can<br />
sometimes cause color shifts in your display.<br />
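As an added example (not code from this redbook), the following Python walks the block structure just described: header, logical screen descriptor, a global color table sized as a power of two, GIF89a graphic control extensions (delay in hundredths of a second, transparent index, disposal), comment extensions, and image descriptors with optional local palettes. Every length is checked against the file size, and frames outside the logical screen or transparent indexes beyond the palette are rejected, which is the kind of check a server that accepts uploaded GIFs wants before handing them to a decoder. The sample two-frame animation is constructed inside the block.<br />

```python
# Added example: walk the block structure of a GIF87a/GIF89a file without decoding
# the pixels, validating every length and index.  The sample animation is constructed here.
import struct

def _sub_blocks(data, pos):
    """Collect a chain of data sub-blocks (length byte + bytes; a 0 byte ends the chain)."""
    chunks = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain at offset %d" % pos)
        n, pos = data[pos], pos + 1
        if n == 0:
            return b"".join(chunks), pos
        if pos + n > len(data):
            raise ValueError("sub-block runs past end of file")
        chunks.append(data[pos:pos + n])
        pos += n

def parse_gif(data):
    """Return screen, palette and per-frame control info; ValueError on a malformed file."""
    if len(data) < 13 or data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("not a GIF87a/GIF89a file")
    width, height, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    info = {"version": data[3:6].decode("ascii"), "screen": (width, height),
            "global_palette": 0, "frames": [], "comments": []}
    pos = 13
    if packed & 0x80:  # global color table: 2^(n+1) RGB entries, n in bits 0-2
        info["global_palette"] = 2 << (packed & 0x07)
        pos += 3 * info["global_palette"]
        if pos > len(data):
            raise ValueError("global color table truncated")
    control = None  # a graphic control extension applies only to the next image block
    while True:
        if pos >= len(data):
            raise ValueError("trailer (0x3B) missing")
        sep, pos = data[pos], pos + 1
        if sep == 0x3B:  # trailer
            return info
        if sep == 0x21:  # extension: label byte, then sub-blocks
            if pos >= len(data):
                raise ValueError("extension label missing")
            label = data[pos]
            payload, pos = _sub_blocks(data, pos + 1)
            if label == 0xF9:  # graphic control extension (GIF89a)
                if len(payload) != 4:
                    raise ValueError("graphic control extension must be 4 bytes")
                flags, delay_cs, tindex = struct.unpack("<BHB", payload)
                control = {"disposal": (flags >> 2) & 0x07, "user_input": bool(flags & 0x02),
                           "delay_cs": delay_cs,  # hundredths of a second before the next frame
                           "transparent_index": tindex if flags & 0x01 else None}
            elif label == 0xFE:  # comment extension: never rendered
                info["comments"].append(payload.decode("latin-1"))
            # plain text (0x01), application (0xFF) and unknown labels are skipped as sub-blocks
        elif sep == 0x2C:  # image descriptor
            if pos + 9 > len(data):
                raise ValueError("image descriptor truncated")
            x, y, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            local = 2 << (ipacked & 0x07) if ipacked & 0x80 else 0  # local color table size
            pos += 9 + 3 * local
            if pos >= len(data):
                raise ValueError("local color table or LZW code size truncated")
            if x + w > width or y + h > height:
                raise ValueError("frame lies outside the logical screen")
            palette = local or info["global_palette"]
            if palette == 0:
                raise ValueError("image has neither a local nor a global palette")
            if control and control["transparent_index"] is not None \
                    and control["transparent_index"] >= palette:
                raise ValueError("transparent index outside the palette")
            _, pos = _sub_blocks(data, pos + 1)  # skip LZW minimum code size, then image data
            frame = {"pos": (x, y), "size": (w, h), "local_palette": local,
                     "interlaced": bool(ipacked & 0x40)}
            frame.update(control or {"disposal": 0, "user_input": False,
                                     "delay_cs": 0, "transparent_index": None})
            info["frames"].append(frame)
            control = None
        else:
            raise ValueError("unknown block separator 0x%02X at offset %d" % (sep, pos - 1))

def check_gif(data):
    """'ok' for a well-formed file, otherwise the parser's complaint."""
    try:
        parse_gif(data)
        return "ok"
    except ValueError as exc:
        return str(exc)

_LZW_1X1 = b"\x02\x02\x44\x01\x00"  # 1x1 image data: min code size 2; clear, pixel 0, end code

def build_sample_gif(delay_cs=10):
    """Constructed 2x1 GIF89a: 2-colour global palette, a comment, two 1x1 frames with GCEs."""
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", 2, 1, 0x80, 0, 0))
    out += b"\x00\x00\x00\xff\xff\xff"  # global palette: black, white
    out += b"\x21\xfe\x0bconstructed\x00"  # comment extension
    for x in range(2):  # GCE flags 0x09: disposal 2 (restore to background) + transparent
        out += b"\x21\xf9\x04" + struct.pack("<BHB", 0x09, delay_cs, 0) + b"\x00"
        out += b"\x2c" + struct.pack("<HHHHB", x, 0, 1, 1, 0) + _LZW_1X1
    out += b"\x3b"  # trailer
    return bytes(out)
```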
The following are the benefits of using GIF images:<br />
• All the benefits of GIF: transparency, compression, interlacing, 2, 4, 8, 16, 32,<br />
64, 128 and 256 color palettes for optimum size and compression.<br />
• Supported by the basic Netscape product with no plug-ins or additional<br />
software. Tested on Win 3.1x, Win95, Mac, UNIX, Sun, Linux, and Irix.<br />
• Web designer does not need access to the Internet provider's Web server,<br />
server-side includes (SSI), or CGI/PERL scripting. If you have a program that<br />
can make multi-image 89a GIFs, you can make this animation.<br />
• The animation is repeatable and reusable. You can place the same image<br />
on a page multiple times. It performs a single download for all and loops all<br />
from the cache.<br />
• The animation only loads once, so your modem doesn't keep downloading<br />
constantly. It is faster than server-reliant methods.<br />
• The animations are surprisingly compact.<br />
• Anyone can use them on their page. Anyone with a Web page can include<br />
this animation. In fact, if you save any of the animated GIFs to your hard<br />
drive, you will have the entire animation to put in your own pages. Please<br />
contact the creator for usage.<br />
• Works like any other GIF; include it on your page in an IMG or FIG tag, even<br />
anchor it; it works invisibly.<br />
The following are the limitations of using GIF:<br />
• All the limitations of GIFs: maximum of 256 colors, photographs are better<br />
compressed by JPEG.<br />
• Only plays in Netscape 2.0 or higher, but does work on many platforms<br />
(Windows, Mac, UNIX, etc.).<br />
• Will play once or continuously. Refresh will not play the image again, but<br />
reload or resizing the window will. If the viewer returns to the page<br />
from elsewhere, the image will play, even if cached. Later revisions of<br />
Navigator may support finite iterations of the animations.<br />
• It cannot be used as a background GIF. Only the first frame will display.<br />
CompuServe released the technical specification for GIF89a in July of 1989. The<br />
technical specification is an exact breakdown of the byte-for-byte structure and<br />
rules for interpreting and building this format.<br />
7.1.2 Audio File Formats<br />
Historically, almost every type of machine used its own file format for audio data,<br />
but some file formats are more generally applicable. In general, it is possible to<br />
define conversions between almost any pair of file formats. However,<br />
sometimes you lose information.<br />
File formats are a separate issue from device characteristics. There are two<br />
types of file formats: self-describing formats, where the device parameters and<br />
encoding are made explicit in some form of header, and raw formats, where the<br />
device parameters and encoding are fixed.<br />
Self-describing file formats generally define a family of data encodings, where a<br />
header field indicates the particular encoding variant used. Headerless formats<br />
define a single encoding and usually allow no variation in device parameters<br />
(except sometimes sampling rate, which can be hard to figure out other than by<br />
listening to the sample). The header of self-describing formats contains the<br />
parameters of the sampling device and sometimes other information (for<br />
example, a human-readable description of the sound, or a copyright notice).<br />
Most headers begin with a simple magic word. Some formats do not simply<br />
define a header format, but may contain chunks of data intermingled with chunks<br />
of encoding information. The data encoding defines how the actual samples are<br />
stored in the file (for example, signed or unsigned, as bytes or short integers, in<br />
little-endian or big-endian byte order, etc.). Strictly speaking, channel interleaving<br />
is also part of the encoding, although so far we have seen little variation in this<br />
area. Some file formats apply some kind of compression to the data (for<br />
example, Huffman encoding or simple silence deletion).<br />
Here's an overview of popular file formats.<br />
Table 28. Popular Audio File Formats<br />
Extension, name | Origin | Variable parameters<br />
au or snd | NeXT, Sun | rate, #channels, encoding, info string<br />
aif(f), AIFF | Apple, SGI | rate, #channels, sample width, lots of info<br />
aif(f), AIFC | Apple, SGI | same (extension of AIFF with compression)<br />
iff, IFF/8SVX | Amiga | rate, #channels, instrument info (8 bits)<br />
voc | Soundblaster | rate (8 bits/1 ch; can use silence deletion)<br />
wav, WAVE | Microsoft | rate, #channels, sample width, lots of info<br />
sf | IRCAM | rate, #channels, encoding, info<br />
none, HCOM | Mac | rate (8 bits/1 ch; uses Huffman compression)<br />
mod or nst | Amiga | (see below)<br />
Note that the file name extension .snd is ambiguous; it can be either the<br />
self-describing NeXT format or the headerless Mac/PC format, or even a<br />
headerless Amiga format.<br />
IFF/8SVX allows for amplitude contours for sounds (attack, decay, etc).<br />
Compression is optional (and extensible) and volume (author, notes and<br />
copyright properties, etc.) is variable.<br />
AIFF, AIFC and WAVE are similar in spirit but allow more freedom in encoding<br />
style (other than 8 bit/sample), amongst others.<br />
There are other sound formats in use on Amiga by digitizers and music<br />
programs, such as IFF/SMUS.<br />
DEC systems use a variant of the NeXT format that uses little-endian encoding<br />
and has a different magic number.<br />
Standard file formats used in the CD-I world are IFF, but on the disc they are in<br />
real-time files.<br />
An interesting interchange format for audio data is described in the proposed<br />
Internet Standard MIME, which describes a family of transport encodings and<br />
structuring devices for electronic mail. This is an extensible format, and initially<br />
standardizes a type of audio data dubbed audio/basic, which is 8-bit U-LAW data<br />
sampled at 8000 samples/sec.<br />
Finally, a somewhat different but popular format is the MOD file, usually with the<br />
extension .mod or .nst. (They can also have a prefix of mod.) This originated on<br />
the Amiga but players now exist for many platforms. MOD files are music files<br />
containing two parts:<br />
1. A bank of digitized samples<br />
2. Sequencing information describing how and when to play the samples<br />
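As an added example (not from this redbook), the Python below sniffs the magic word of an audio file and extracts the device parameters from two of the self-describing headers discussed above, the NeXT/Sun .au header (including the little-endian DEC variant) and RIFF/WAVE with its interleaved chunks, rejecting offsets and chunk lengths that run past the file; a file with no magic word is reported as headerless, since its rate and encoding cannot be read from the data. The DEC magic bytes "dns." and all sample files are assumptions constructed inside the block.<br />

```python
# Added example: identify a self-describing audio header by its magic word and
# validate the device parameters it carries before trusting its offsets.
# The DEC "dns." magic and all sample files below are assumptions constructed here.
import struct

# .au encoding codes from the NeXT/Sun header; 1 is the 8-bit U-LAW of MIME audio/basic
_AU_ENCODINGS = {1: "8-bit u-law", 2: "8-bit linear PCM", 3: "16-bit linear PCM",
                 27: "8-bit A-law"}
_WAVE_FORMATS = {1: "PCM", 6: "8-bit A-law", 7: "8-bit u-law"}

def sniff_audio(data):
    """Return a dict of header parameters, or report the file as headerless."""
    magic = data[:4]
    if magic in (b".snd", b"dns."):
        # NeXT/Sun .au: magic, data offset, data size, encoding, sample rate, channels,
        # all 32-bit big-endian; the DEC variant reverses the magic and uses little-endian
        if len(data) < 24:
            raise ValueError("truncated .au header")
        endian = ">" if magic == b".snd" else "<"
        offset, size, enc, rate, channels = struct.unpack_from(endian + "5I", data, 4)
        if offset < 24 or offset > len(data):
            raise ValueError("data offset %d outside the file" % offset)
        if size != 0xFFFFFFFF and offset + size > len(data):  # 0xFFFFFFFF means unknown
            raise ValueError("declared data size exceeds the file")
        if channels == 0 or rate == 0:
            raise ValueError("zero channels or sample rate")
        info = data[24:offset].split(b"\x00", 1)[0].decode("latin-1")  # optional text
        return {"format": "au", "byte_order": "big" if endian == ">" else "little",
                "encoding": _AU_ENCODINGS.get(enc, "unknown (%d)" % enc),
                "rate": rate, "channels": channels, "info": info,
                "data_bytes": len(data) - offset if size == 0xFFFFFFFF else size}
    if magic == b"RIFF" and data[8:12] == b"WAVE":
        # RIFF/WAVE: chunks of encoding information ("fmt ") and samples ("data") interleave
        if struct.unpack_from("<I", data, 4)[0] + 8 > len(data):
            raise ValueError("RIFF length exceeds the file")
        pos, fmt, data_len = 12, None, None
        while pos + 8 <= len(data):
            cid, clen = struct.unpack_from("<4sI", data, pos)
            pos += 8
            if pos + clen > len(data):
                raise ValueError("chunk %r runs past end of file" % cid)
            if cid == b"fmt " and clen >= 16:
                fmt = struct.unpack_from("<HHIIHH", data, pos)
            elif cid == b"data":
                data_len = clen
            pos += clen + (clen & 1)  # chunks are padded to an even length
        if fmt is None or data_len is None:
            raise ValueError("WAVE file lacks a fmt or data chunk")
        code, channels, rate, _byte_rate, _align, bits = fmt
        return {"format": "wave", "byte_order": "little", "rate": rate,
                "encoding": "%s, %d bits" % (_WAVE_FORMATS.get(code, "unknown (%d)" % code), bits),
                "channels": channels, "data_bytes": data_len}
    # No magic word: a raw file such as headerless Mac/PC .snd or Amiga data, whose
    # rate and encoding must be known out of band (or guessed by listening)
    return {"format": "headerless", "data_bytes": len(data)}

def header_error(data):
    """'ok' when the header validates, otherwise the reason it was rejected."""
    try:
        sniff_audio(data)
        return "ok"
    except ValueError as exc:
        return str(exc)

def build_sample_au(samples, little_endian=False, info=b"constructed"):
    """Constructed 8-bit u-law, 8000 Hz, mono .au: the MIME audio/basic parameters."""
    text = info + b"\x00" * (-len(info) % 8)  # info string padded to a multiple of 8
    endian = "<" if little_endian else ">"
    fields = struct.pack(endian + "5I", 24 + len(text), len(samples), 1, 8000, 1)
    return (b"dns." if little_endian else b".snd") + fields + text + samples

def build_sample_wave(samples, rate=8000, channels=1):
    """Constructed 8-bit u-law WAVE with a fmt chunk followed by a padded data chunk."""
    fmt = struct.pack("<HHIIHH", 7, channels, rate, rate * channels, channels, 8)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", len(samples)) + samples + b"\x00" * (len(samples) & 1)
    return b"RIFF" + struct.pack("<I", len(body)) + body
```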
7.1.3 Musical Instruments Digital Interface (MIDI)<br />
This international standard for digital music was established in 1982. It specifies<br />
the cabling and hardware required for connecting electronic musical instruments<br />
and computer systems. MIDI also specifies a communication protocol for<br />
passing data from one MIDI device to another. Any musical instrument can<br />
become a MIDI device by having the correct hardware interfaces and MIDI<br />
message processing capabilities. Devices communicate with each other by<br />
sending messages that are digital representations of a musical score. MIDI data<br />
may include items such as sequences of notes, timings, instrument designations<br />
and volume settings. The standard multimedia platform can play MIDI files<br />
through either internal or external synthesizers. External MIDI devices are<br />
connected to the computer via the sound card's MIDI port. MIDI expands the<br />
audio options available when developing multimedia. Use of MIDI is attractive<br />
because MIDI files require minimal storage space compared to digitized audio<br />
files, such as .WAV files.<br />
MIDI ports are used to send and receive MIDI data. There can be many MIDI<br />
ports installed in a system. Each MIDI port contains a MIDI IN, MIDI OUT, and<br />
MIDI THRU connection. MIDI IN receives messages sent from other MIDI<br />
devices. MIDI OUT transmits messages that are originating from the local<br />
device to other MIDI systems. MIDI THRU forwards messages that were<br />
received by the MIDI IN to other devices. Each port can handle 16 MIDI<br />
channels. A synthesizer is the device that produces sound. Generally it has a<br />
built-in keyboard. There are several different methods used in synthesizer<br />
technology to produce musical instrument sounds. By altering standard wave<br />
forms, such as the sine wave, a variety of sounds can be produced. Another<br />
method of producing sound is by playing back stored samples of real<br />
instruments. The newest synthesizer technology employs powerful computer<br />
technology to emulate musical instruments via mathematical algorithms that<br />
represent certain aspects of an instrument (for example, a bowed string, pipe<br />
blown). This technology gives musicians the ability to play a realistic instrument<br />
performance. New virtual instruments can also be created (for example, a<br />
saxophone that sounds when you blow in one end).<br />
There are two common standard types of synthesizers. They fall into the<br />
category of either extended or base devices.<br />
• A base level synthesizer device only supports channels/tracks 13-16. The<br />
first three of these channels are used for the main song parts (for example,<br />
bass, rhythm, and melody). Channel 16 is used as a percussive track (for<br />
example, drums). All MPC systems should support the base level.<br />
• Extended level devices support tracks 1-10. The first nine are for melodic<br />
tracks while the tenth is used for percussion.<br />
Most modern synthesizers allow all 16 tracks to be utilized and it doesn't matter<br />
which tracks are used for which instruments.<br />
7.1.3.1 General MIDI Standard<br />
When assigning various instruments to each track in a MIDI recording, a patch<br />
number is used to specify the instrument or sound to use. To help standardize<br />
which instruments should be located on individual patch numbers, the general<br />
MIDI specification was developed by the MIDI Manufacturers Association (MMA).<br />
7.1.3.2 MIDI Mapper<br />
The MIDI Mapper, which is configured from the control panel, allows<br />
non-standard MIDI devices to have their instrument patch numbers reassigned<br />
(mapped) to conform to the general MIDI specifications. Percussion key<br />
assignments can also be altered.<br />
7.1.3.3 MIDI Sequencer<br />
A sequencer system is used to record, edit and play back MIDI messages. The<br />
sequencer fundamentally acts like a multitrack tape recorder for MIDI<br />
instruments. On a computer system the sequencing functions are run by<br />
software applications.<br />
7.1.3.4 When to Use MIDI<br />
MIDI is a great alternative to digital audio in the following circumstances:<br />
• File size is a major consideration. MIDI files are far smaller than wave data<br />
files.<br />
• Digital audio will not perform properly. This is often due to the lack of<br />
system resources, such as CPU power, disk speed or available RAM.<br />
• You do not require speech overlay.<br />
• Sound quality may be better than digital audio in some cases. This occurs<br />
when you have a high-quality MIDI sound source.<br />
• MIDI can be more interactive. MIDI data can be easily manipulated. Details<br />
of a composition can be re-arranged.<br />
• Time scaling can be effected without loss of quality or pitch.<br />
7.1.3.5 Storage Formats<br />
MIDI data can be stored in three different formats: 0, 1, and 2. Multimedia on the<br />
Windows PC can only work with formats 0 and 1. Most sequencers can export to<br />
these formats. Type 0 is a single track format and is especially good for<br />
CD-ROM because it reduces the number of disc seeks and uses less RAM. Type<br />
1 format is for multiple track storage. Both formats have a .MID file extension.<br />
7.1.4 Digital Movie Formats<br />
Digital movie files are multimedia files that integrate sounds, music, and voices<br />
with computer graphics and animation to present information in an exciting,<br />
dynamic way.<br />
Movies are made up of a series of still images played in sequence. Each image<br />
is called a frame. The number of frames per second at which a movie is played<br />
or recorded is called the frame rate.<br />
The movies you can play on your computer are probably different from what you<br />
see in the cinema or on TV. Most movie files you can get from the FTP sites are<br />
presented in a small window on your computer screen, and they can only be<br />
played for several minutes, or several seconds. This is because movie files are<br />
huge files that take a lot of disk space. If you have a very powerful computer,<br />
you will be able to see real movies on your screen. Actually, some<br />
commercial products that can create and play back good quality movies on your<br />
computer are already available in the market. If you don't want to invest your<br />
money in these products until you know what they look like, you can get the<br />
product demos from the companies' FTP sites for free.<br />
7.1.4.1 What You Need to Play Movie Files<br />
To play movie files on your computer, you need a relatively powerful computer.<br />
Hardware requirements:<br />
• Your microprocessor central processing unit, or CPU, must be a 16-MHz<br />
386SX or higher. A true 32-bit microprocessor such as the 486 is better<br />
because it can process and transfer larger amounts of data quickly.<br />
• Your computer must have at least 4 MB of RAM. Of course, the more<br />
memory you have, the better.<br />
• The minimum hard disk size is 30 MB; however 80 to 200 MB hard disk<br />
drives are recommended. Slow hard disk access time can degrade<br />
multimedia performance. A 3.5-inch high-density (1.44 MB) floppy disk drive<br />
is also required.<br />
• A sound card with a pair of external speakers or a set of headphones is<br />
required to play digitized sound files in high-quality stereo format.<br />
• A VGA video board capable of at least 16 colors at 640x480 resolution. Most<br />
standard video boards and monitors meet this requirement. Support for 256<br />
colors is recommended.<br />
Software requirements:<br />
• Audio device drivers for different audio formats<br />
• A video device driver<br />
• Multimedia playback software, and multimedia players<br />
7.1.4.2 Movie File Formats<br />
Like other files, you can identify movie files by their file extensions. There are<br />
only a few movie file formats you can see from the Internet, which are<br />
international standard file formats for multimedia.<br />
MPEG: MPEG is a very popular movie file format for PCs. MPEG stands for<br />
Moving Pictures Expert Group. The members of this group come from more than<br />
70 companies and institutions worldwide including Sony, Philips, Matsushita and<br />
Apple. They meet under the International Standard Organization (ISO) to<br />
generate digital video standards for compact discs, cable TV, direct satellite<br />
broadcast and high-definition television. MPEG meets about four times a year<br />
for roughly a week each time. They have completed the committee draft of<br />
MPEG phase I that is called MPEG I. MPEG I defines a bit stream for<br />
compressed video and audio optimized to fit into a data rate of 1.5 Mbps. MPEG<br />
deals with three issues: video, audio, and system (the combination of the two<br />
into one stream). MPEG is developing the MPEG-2 Video Standard, which<br />
specifies the coded bit stream for high-quality digital video. As a compatible<br />
extension, MPEG-2 Video builds on the completed MPEG-1 Video Standard by<br />
supporting interlaced video formats and a number of other advanced features.<br />
Since MPEG deals with three issues, the file extensions by MPEG standards are<br />
a little bit different. The most common file extension is .mpg. You will also see:<br />
• .mp2 - MPEG II audio<br />
• .mps - MPEG system<br />
• .mpa - MPEG audio<br />
Apple QuickTime: QuickTime is an ISO standard for digital media. It was<br />
originally created by Apple Computer Inc. and used in Macintosh. It brings<br />
audio, animation, video, and interactive capabilities to personal computers and<br />
consumer devices. QuickTime movies are real movies. This standard is much<br />
more mature than the MPEG standard. In December 1993, Apple announced that<br />
it had begun demonstrating technology that will make future television and<br />
multimedia devices more compelling, interactive, and useful for people.<br />
Specifically, Apple demonstrated the integration of MPEG technology into<br />
applications using QuickTime technology. QuickTime for Windows is available<br />
for customers who use Microsoft's Windows/DOS operating system. QuickTime<br />
movies have the file extensions .qt and .mov. You can play the .mov files on both<br />
Macs and PCs.<br />
Other Multimedia Video Formats: There are other multimedia file formats. For<br />
example, AVI is a video format for Microsoft Windows, and .awa/.awm are Gold<br />
Disk Animation. More and more .avi files are available on the Internet. If you<br />
have Windows on your computer, you can use Media Player to play .avi files.<br />
Media Player is in the Windows Accessories group.<br />
7.1.4.3 Movie Players<br />
To play a movie on your computer, you need a piece of software called a<br />
multimedia player, specifically, MPEG player or QuickTime player. These<br />
players are also called decoders because they decode the MPEG or QuickTime<br />
compressed codes. Some software allows you to both encode and decode<br />
multimedia files (for example, to make and play the files). Some software only<br />
allows you to play back multimedia files. You have to be very careful to find the<br />
correct movie player when you get on the Information Highway. This is because<br />
different computers or operating systems use different movie players. There are<br />
more movie players for X-Windows and Macintosh machines than for PCs. You<br />
run your movie player on your computer and open the movie file within the<br />
movie player. Movies on floppy disks should be copied to your hard disk before<br />
you play them.<br />
7.1.5 Multimedia Applications on the Internet<br />
The following area covers some selected multimedia applications that are<br />
available on the Internet.<br />
7.1.5.1 Audio On-Demand<br />
It is now possible to deliver audio in real-time, on demand, and over the World<br />
Wide Web. Indeed it is not only possible; with the advent of faster connections<br />
and greater modem speeds, it has become easy. There is a profusion of audio<br />
streaming technologies available, such as:<br />
• RealAudio<br />
• Internet Wave<br />
• TrueSpeech<br />
• ToolVox<br />
• AudioLink<br />
• MPEG/CD<br />
• Streamworks<br />
• VDO<br />
• LiveMedia<br />
RealAudio still stands head and shoulders above the others in terms of<br />
availability and use but is not an obviously superior product in sound quality and<br />
speed. It is the only audio-on-demand software that is currently shipped with<br />
Netscape Navigator as a plug-in, and Progressive Networks (developers of<br />
RealAudio) have announced a collaboration with Microsoft.<br />
However, VDOLive and ToolVox are also available as plug-ins and other<br />
streaming products are likely to follow. It is by no means certain which of the<br />
current crop is going to end up as a standard or, indeed, if there is going to be<br />
one. As it becomes easier to download software interactively from the Web,<br />
there may be less of a need for any one standard to emerge.<br />
7.1.5.2 Video Conference<br />
Video is a sequence of still images. When presented at a high enough rate, the<br />
sequence of images (frames) gives the illusion of fluid motion. For instance, in<br />
the United States, movies are presented at 24 frames per second (fps) and<br />
television is presented at 30 fps. Desktop videoconferencing uses video as an<br />
input. This video may come from a camera, VCR, or other video device. An<br />
analog video signal must be encoded in digital form so that it can be<br />
manipulated by a computer.<br />
To understand digital encoding, it helps to understand some background<br />
information about analog video, including basic color theory and analog<br />
encoding formats. Analog video is digitized so that it may be manipulated by a<br />
computer. Each frame of video becomes a two-dimensional array of pixels. A<br />
complete color image is composed of three image frames, one for each color<br />
component. Uncompressed images and video are much too large to deal with<br />
and compression is needed for storage and transmission. Important metrics of<br />
compression are the compression ratio and bits per pixel (the number of bits<br />
required to represent one pixel in the image). Video compression is typically<br />
lossy, meaning some of the information is lost during the compression step.<br />
This is acceptable though, because encoding algorithms are designed to discard<br />
information that is not perceptible to humans or information that is redundant.<br />
Some videoconference technologies available to use on the Internet include:<br />
• Network Video is an Internet videoconferencing tool developed at<br />
Xerox/PARC. It is the most commonly used video tool on the Internet<br />
MBone. The native nv encoding technique utilizes spatial (intraframe) and<br />
temporal (interframe) compression. The first step of the nv algorithm<br />
compares the current frame to the previous frame and marks the areas that<br />
have changed significantly. Each area that has changed is compressed<br />
using transform encoding.<br />
Either a DCT or a Haar wavelet transform is used. The nv encoder<br />
dynamically selects which transform is used based on whether network<br />
bandwidth (use DCT) or local computation (use Haar) is limiting the<br />
performance. The DCT is desired since it almost doubles the compression<br />
ratio. The output of the transform is quantized and run-length encoded.<br />
Periodically, unchanged parts of the image are sent at higher resolution,<br />
which is achieved by eliminating the quantization step. Typically, nv can<br />
achieve compression ratios of 20:1 or more.<br />
• CU-SeeMe is an Internet videoconferencing tool developed at Cornell<br />
University. It utilizes spatial (intraframe) and temporal (interframe)<br />
compression, with a few twists to optimize performance on a Macintosh, its<br />
original platform. CU-SeeMe represents video input in 16 shades of grey<br />
using 4 bits per pixel. The image is divided into 8x8 blocks of pixels for<br />
analysis. New frames are compared to previous frames, and if a block has<br />
changed significantly it is retransmitted. Blocks are also retransmitted on a<br />
periodic basis to account for losses that may have occurred in the network.<br />
Transmitted data is compressed by a lossless algorithm developed at<br />
Cornell that exploits spatial redundancy in the vertical direction. The<br />
compressed size is about 60% of the original (a 1.7:1 compression ratio).<br />
The CU-SeeMe encoding algorithm was designed to run efficiently on a<br />
Macintosh computer, and operates on rows of eight 4-bit pixels as 32-bit<br />
words, which works well in 680x0 assembly code. The default transmitting<br />
bandwidth setting for CU-SeeMe is 80 kbps. This number is automatically<br />
adjusted on the basis of packet-loss reports returned by each person<br />
receiving the video. About 100 kbps is required for fluid motion in a typical<br />
talking heads scenario.<br />
Figure 65. Videoconference Screen Shots Using CU-SeeMe (Cornell University)<br />
• Indeo is a video compression technique designed by Intel. It evolved from<br />
Digital Video Interactive (DVI) technology. Indeo starts off with YUV input,<br />
with U and V subsampled 4:1 both horizontally and vertically. Indeo supports<br />
motion estimation, using the previous frame to predict values for the current<br />
frame and only transmitting data if the difference is significant. Transform<br />
encoding is done using an 8x8 Fast Slant Transform (FST) in which all<br />
operations are either shifts or adds (no multiplies). Quantization and<br />
run-length/entropy encoding are used as in previous algorithms. Indeo<br />
specifies that the encoded bit stream be a maximum of 60% of the input<br />
data, therefore compression is guaranteed to be at worst 1.7:1.<br />
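As an added illustration (not code from the redbook, nor from nv, CU-SeeMe or Indeo themselves), the following Python models the step that all three encoders above share: quantize each frame, split it into 8x8 blocks, compare every block with the previous frame and send only the blocks that changed significantly. It follows the CU-SeeMe description (4-bit grey, 8x8 blocks) and computes the two metrics the text names, bits per pixel and compression ratio. The frames, the change threshold and the cost model for a transmitted block are constructed assumptions.

```python
"""Conditional block replenishment with compression metrics (added example).

Models the common structure of the encoders described above: quantize each
frame to 4-bit grey, split it into 8x8 blocks, compare every block with the
previous frame and send only the blocks that changed significantly.
Frames, threshold and per-block cost are constructed assumptions, not values
from any real product.
"""
from typing import Dict, List, Optional, Tuple

Frame = List[List[int]]   # rows of grey values

BLOCK = 8               # 8x8 pixel blocks, as in the text
GREY_BITS = 4           # CU-SeeMe keeps 16 shades of grey (4 bits per pixel)
CHANGE_THRESHOLD = 2.0  # assumed: mean absolute 4-bit difference counted as "changed"


def quantize(frame: Frame, bits: int = GREY_BITS) -> Frame:
    """Reduce 8-bit grey values (0..255) to `bits` bits per pixel."""
    shift = 8 - bits
    return [[px >> shift for px in row] for row in frame]


def block_origins(frame: Frame, size: int = BLOCK) -> List[Tuple[int, int]]:
    """(row, col) of the top-left pixel of every size x size block."""
    height, width = len(frame), len(frame[0])
    return [(r, c) for r in range(0, height, size) for c in range(0, width, size)]


def block_changed(prev: Frame, cur: Frame, r: int, c: int,
                  size: int = BLOCK, threshold: float = CHANGE_THRESHOLD) -> bool:
    """True when the mean absolute pixel difference over the block exceeds threshold."""
    total = sum(abs(cur[y][x] - prev[y][x])
                for y in range(r, r + size) for x in range(c, c + size))
    return total / (size * size) > threshold


def encode_frame(prev: Optional[Frame], cur: Frame) -> Dict[str, float]:
    """Decide which blocks of `cur` (already quantized) to send and size the result.

    Cost model (assumption): a sent block costs size*size*GREY_BITS bits; an
    unsent block costs nothing because the receiver keeps its previous copy.
    The compression ratio is measured against the original 8-bit grey image.
    """
    origins = block_origins(cur)
    sent = [o for o in origins if prev is None or block_changed(prev, cur, *o)]
    pixels = len(cur) * len(cur[0])
    raw_bits = pixels * 8
    sent_bits = len(sent) * BLOCK * BLOCK * GREY_BITS
    return {
        "blocks_sent": len(sent),
        "blocks_total": len(origins),
        "bits_per_pixel": sent_bits / pixels,
        "compression_ratio": raw_bits / sent_bits if sent_bits else float("inf"),
    }


def make_frame(width: int = 16, height: int = 16, base: int = 64) -> Frame:
    """Constructed 8-bit grey test frame with a mild horizontal gradient."""
    return [[base + (x * 3) % 32 for x in range(width)] for _ in range(height)]


def demo() -> Tuple[Dict[str, float], Dict[str, float]]:
    """Encode a reference frame, then a frame in which only the top-left block moved."""
    frame0 = quantize(make_frame())
    brighter = make_frame()
    for y in range(BLOCK):                 # change only the first 8x8 block
        for x in range(BLOCK):
            brighter[y][x] += 128
    frame1 = quantize(brighter)
    return encode_frame(None, frame0), encode_frame(frame0, frame1)


if __name__ == "__main__":
    for label, metrics in zip(("reference frame", "one block changed"), demo()):
        print(label, metrics)
```

With the constructed 16x16 frames, the reference frame sends all four blocks at 4 bits per pixel, a 2:1 ratio against 8-bit input; the second frame, in which only one block moved, sends a single block for 1 bit per pixel, or 8:1. The periodic resend of unchanged blocks that CU-SeeMe uses to recover from packet loss, and the transform coding that nv and Indeo apply to changed blocks, are not modelled.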
Desktop Video-Conferencing Systems: There are three major platforms for<br />
desktop videoconferencing products: Intel-based personal computers running<br />
Microsoft Windows or IBM OS/2, Apple Macintosh computers, and UNIX-based<br />
workstations running the X Window System. Unfortunately, there is currently<br />
very little interoperability among products and platforms. Products are evolving<br />
towards conformance to the emerging desktop videoconferencing interoperability<br />
standards. All systems require hardware that captures and digitizes the audio<br />
and video. Video is typically input in NTSC or PAL formats.<br />
Most systems have some sort of graphical user interface that assists in making<br />
connections to other parties, usually utilizing the paradigm of placing a<br />
telephone call. Many products allow you to store information about other parties<br />
in a phone book or Rolodex format. Systems commonly have controls to adjust<br />
audio volume, picture contrast, etc. Many systems have controls that allow you<br />
to adjust the transmitted bandwidth for video to minimize traffic on a network.<br />
An additional feature found in most systems is a shared drawing area usually<br />
called a whiteboard which is analogous to the whiteboards found in many<br />
conference rooms and classrooms. These whiteboards commonly allow<br />
participants to import other graphics such as images and to make annotations.<br />
Whiteboards are good for simple sketches, but fine detail is difficult to achieve<br />
using a mouse.<br />
Many systems allow an easy way to transfer files between participants. Some<br />
systems allow application sharing, which enables a participant to take control of<br />
an application running on another participant's computer. The usefulness of<br />
application sharing is often demonstrated with an example of sharing a<br />
spreadsheet or word processor program to facilitate group collaboration.<br />
7.2 Java<br />
Java is important because it brings to the computer society the binary<br />
compatibility that has been requested for a long time.<br />
Operating systems are binary-incompatible with each other, and so are builds<br />
of the same operating system on different hardware platforms.<br />
Sometimes this can be fixed with a standard language supported on all platforms<br />
(such as C and C++), but only strictly ANSI C code is portable, so you could<br />
not write anything involving a GUI. The problem with interpreted languages was<br />
even worse: no standardization (REXX already has an ANSI standard) and no<br />
GUI code portability.<br />
Java introduces the concept of byte codes, similar in spirit to the virtual<br />
machine on VM or the DOS virtual machine on OS/2: a layer translates a<br />
previously defined set of codes (the DOS API or the VM API) into the proper<br />
code for the underlying operating system. Java has a Java Virtual Machine<br />
running on the operating system that executes a code very similar to that of<br />
a real processor. That is why Java must be compiled first and interpreted<br />
afterwards. The interpreter translates faster than conventional interpreters<br />
because the classes (applications or applets) are already in a code close to<br />
the machine's own.<br />
The gain is very simple: you now have something very close to binary<br />
compatibility. Your code runs the same on OS/2, AIX or the Windows<br />
32-bit family without recompiling it or changing anything in the GUI code to<br />
keep the same look and feel on all platforms.<br />
Java also provides a natural way to do object-oriented programming and an<br />
interface created specifically for writing World Wide Web applications that run<br />
in browsers, extending the HTML language with a tag of its own.<br />
Java is more than a tool to create cute pages on the WWW. It can be a tool to<br />
make client/server applications and stand-alone applications as well.<br />
7.2.1 Applets and Applications<br />
The applications that have the ability to run inside a browser are called<br />
applets.<br />
Applications are not restricted in any way. You can do anything you want:<br />
run programs that read and write files, communicate between two (or more)<br />
different machines over any TCP/IP port, and implement your own protocol.<br />
When you are writing applets, however, you are working in a restricted<br />
environment.<br />
7.2.1.1 Applets Security Restrictions<br />
Sun allows people to try to break the security on both sides (server and client) of<br />
the applets in order to improve it. The restrictions are:<br />
1. Applets cannot read or write the file system, except for the directories that<br />
the user lists in an access control list, which is empty by default. This list<br />
is specific to the browser you use; some browsers do not allow applets to<br />
read or write the file system at all.<br />
2. Applets can only communicate with the server from which the applet was<br />
loaded. A browser may relax this restriction too, so you can't count on it.<br />
3. Applets cannot run any program on the client system. On all UNIX systems<br />
this also includes forking a process.<br />
4. Applets cannot load DLLs or native programs on the local platform.<br />
As you can see, almost all the security that Java provides is client-focused, so if<br />
you are planning to write an applet, you have to look after your server security<br />
yourself. This is very important if you are planning to establish a communication<br />
between the client and the host. Avoid this approach if possible.<br />
Chapter 8. Internet Security<br />
Many companies are thinking of connecting their internal corporate networks to<br />
the Internet, and for good reasons. There are many rewards associated with<br />
both increased visibility and the opportunity to run new types of applications.<br />
At the same time, companies are concerned with the security of their systems.<br />
The Internet is a collection of connected networks, but nobody really knows the<br />
structure of the Internet. The Internet keeps changing all of the time. There is<br />
no centralized network management and no single authority is in charge.<br />
All data crossing the Internet, including user names, passwords, and e-mail<br />
messages, is passed “in the clear”. The entire company is exposed to the<br />
outside world.<br />
In this redbook, we take a layered approach to securing your ISP when attaching<br />
it to the Internet. We strongly recommend not connecting your ISP to the<br />
Internet until you are 100% sure that you have thoroughly reviewed security and<br />
that the TCP/IP applications you have chosen to use across the Internet are<br />
properly and securely configured.<br />
Network security is a key component of Internet security, and in this chapter we<br />
provide some elements that will help you evaluate whether you need a<br />
firewall.<br />
This chapter provides a general overview of the security issues and risks when<br />
connecting to the Internet and the technologies available to cope with those<br />
security challenges.<br />
8.1 The Costs of Security Breaches<br />
Let’s take a quick look at how much poor security costs both business and the<br />
U.S. government each year. The size of the figures involved should help you<br />
concentrate on implementing the appropriate security measures at your own<br />
site.<br />
According to information released by the U.S. Senate’s Permanent Investigations<br />
Subcommittee, intruders cost big business more than US $800 million last year.<br />
In most cases, the attacks on their systems and the resulting losses were not<br />
reported to law-enforcement agencies for fear that an extended investigation<br />
with its attendant publicity would harm the corporation.<br />
The report indicates that the problem is worse in private industry than in<br />
government computer systems, with intruders concentrating on banks (always a<br />
popular target) and hospitals, where cases of record-altering are on the rise. Of<br />
the US $800 million losses, about half, or US $400 million, were incurred by U.S.<br />
companies and the rest by companies operating in other countries.<br />
According to this same report, there were an estimated 250,000 attacks on the<br />
U.S. Department of Defense computers last year, and the rate of attack is<br />
doubling every year. And these are the attacks that were detected. Who knows<br />
how many were either undetected or went unreported for other reasons. Recent<br />
attacks on unclassified U.S. Department of Defense computers are reportedly<br />
successful 65 percent of the time.<br />
Some of these attacks were considered of nuisance value only, but some were a<br />
serious threat to national security. One of the best documented took place<br />
during spring 1994 at an Air Force laboratory in Rome, NY. Two intruders made<br />
more than 150 trips into the lab’s computer systems, collecting passwords from<br />
outside users and then using these passwords to invade more than 100 other<br />
computers attached to the Internet. An investigation led to the arrest of one of<br />
the intruders, a 16-year-old boy living in London, England. The other intruder<br />
was never identified and never apprehended.<br />
The problem is certainly considered serious because more than 90 percent of<br />
the Pentagon’s daily traffic is carried by unclassified computer systems<br />
connected to the Internet, and anyone tampering with logistical information or<br />
shipping information could cause chaos to military operations.<br />
When intruders gain access to your Web site, they may do one of several things.<br />
They may deface your Web pages with a message such as “The system has<br />
been Cracked!” or they may erase your Web site pages and replace them with<br />
their own. Sites as diverse as the British government, the American<br />
Psychoanalytic Association, and the Nation of Islam have suffered from such<br />
attacks in the recent past.<br />
8.2 The Internet and Security<br />
A few years ago, security wasn’t a major concern for most sites connected to the<br />
Internet. As far as the universities participating in the Internet were concerned,<br />
the basic premise was to provide free access to everything, and if a few people<br />
took advantage, that was the price you had to pay. Many universities on the<br />
Internet still follow this philosophy and impose few restrictions of any kind. Most<br />
control access with only a user ID and a password, and many still allow<br />
anonymous use of their systems; anyone can log on without a valid user ID and<br />
a password.<br />
The huge potential for commerce on the Internet has changed much of this<br />
thinking, and many system and network administrators now treat any user of<br />
their site as a potential intruder. This is actually true. Therefore, they<br />
usually begin with the premise of “don’t trust anyone”. Today, this is definitely<br />
the best policy.<br />
8.2.1 Orange Book Security Classes<br />
Even with this attitude of openness, security has still been a big concern of the<br />
non-university types participating in the Internet. The Internet started out as the<br />
ARPAnet and was driven mainly by the U.S. Department of Defense. As such, it<br />
should be apparent that the Department of Defense would be very concerned<br />
about security, and it is. The Department of Defense has published several<br />
documents relating to security and security specifications.<br />
One of the better known is commonly called the Orange Book, which is a<br />
nickname for Department of Defense specifications called Department of Defense<br />
Trusted Computer System Evaluation Criteria, which has a standard number of<br />
5200.28. The purpose is to provide technical hardware, firmware, and software<br />
security criteria and associated technical evaluation methodologies in support of<br />
the overall automatic data processing system security policy model.<br />
The Orange Book breaks security levels into four basic parts: A, B, C, and D.<br />
These classes are defined as follows in increasing order of security:<br />
• Division D: Minimal protection; operating systems such as DOS and System<br />
7 for the Macintosh that have no system security fall into this category.<br />
• Division C: Discretionary protection; most of the commercially used<br />
operating systems claim to meet the Division C security, usually C2. There<br />
is a big difference between being C2 certified by the National Computer<br />
Security Center (NCSC) and claiming your operating system adheres to the<br />
published C2 guidelines.<br />
− Class (C1): Discretionary security protection - Features include the use<br />
of passwords or other authentication methods; the ability to restrict<br />
access to files, directories, and other resources, and the ability to<br />
prevent the accidental destruction of system-level programs. Many<br />
versions of UNIX and certain network operating systems fall into this<br />
category.<br />
− Class (C2): Controlled access protection - Features include those found<br />
in C1 plus the ability to audit or track all user activity, to restrict<br />
operations for specific users, and to ensure that data left in memory<br />
cannot be accessed by other users or applications.<br />
• Division B: Mandatory protection; must be able to provide mathematical<br />
documentation of security and be able to maintain system security even<br />
during a system failure. Division B is divided into three classes:<br />
− Class (B1): Labeled Security Protection<br />
− Class (B2): Structured Protection<br />
− Class (B3): Security Domains<br />
• Division A: Verified protection; must be able to prove that the security<br />
system and policy match the security design specification. Division A is<br />
divided into two classes:<br />
− Class (A1): Verified Design<br />
− Beyond Class (A1)<br />
An operating system that allows anyone complete access to all system<br />
resources falls into Class D. C1 and C2 security can be reasonably implemented<br />
in a commercial environment. After B1, however, the computing environment<br />
rapidly changes, and many of the mandatory access-control mechanisms<br />
become impractical for normal commercial operations, although they have their<br />
place in ultra-secure systems run by government agencies.<br />
If you want to take an in-depth look at the contents of the Orange Book, check<br />
into this URL:<br />
http://tecnet0.jcte.jcs.mil:9000/htdocs/teinfo/directives/soft/stan.html<br />
8.2.2 Red Book Security<br />
Some aspects of C2 apply directly to computers in a networked environment,<br />
and so the National Computer Security Center released a separate publication,<br />
known as the Red Book, to address security implementation in a networked<br />
environment. The official title of this publication is Trusted Network<br />
Interpretation of the Trusted Computer System Evaluation Criteria, NCSC-TG-005.<br />
The Red Book is really a guide to interpreting the Orange Book; each of the C2<br />
criteria is described in the context of a network. The single most important<br />
distinction made in the Red Book is in defining the role of what it calls the<br />
network sponsor. Older mainframe systems have an easily defined owner in the<br />
mainframe itself, but networks make it more difficult to establish ownership.<br />
A second set of security principles is being developed by the Information<br />
Systems Security Association (ISSA). Called the Generally Accepted System<br />
Security Principles, it is usually known as GSSP. Fifteen principles have been<br />
defined and published in draft form, and these principles relate more to the<br />
individuals managing the security of the system than to the system itself.<br />
We will be hearing more about GSSP in the future.<br />
8.2.3 C2 and Your Security Requirements<br />
The major features of the C2 standard are that a system must:<br />
• Enforce the security policy<br />
• Maintain an audit log and take steps to protect the audit log from tampering<br />
• Maintain a domain for itself and protect that domain against tampering<br />
• Force identification and authentication of all users<br />
• Protect the identification and authentication mechanism against tampering<br />
• Maintain a security kernel and protect it from tampering<br />
• Require strict identification and authentication for any access to any security<br />
systems such as audit logs, password files, and the security kernel itself<br />
Windows NT, for example, falls into the C2 security division, complying with all<br />
guidelines, provided the server is constantly kept behind a locked door.<br />
8.3 Defining Security Threats<br />
The most common security threats range from complete network infiltration to<br />
simple virus contamination. Some threats are accidental, and others are<br />
malicious; some affect hardware, and others affect software. We look at them all<br />
in this next section.<br />
8.3.1 Internal Threats<br />
Internal security problems are probably the most common. Users entrusted with<br />
certain levels of access to systems and hardware can be a major threat if not<br />
controlled and monitored carefully. Put simply, you never know what someone<br />
is going to do. Even the most loyal employees or workers can change their tune<br />
and get into a malicious mode, wreaking havoc on your computing environment.<br />
Check your workers’ backgrounds, references, and previous employers carefully,<br />
and routinely change and audit your security methods.<br />
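The C2 feature list above requires that the audit log be protected from tampering, and the internal-threat discussion says that users with access must be monitored; the two meet in the question of whether an insider can quietly edit the log that records what they did. As an added example (not code from the redbook or from any C2-evaluated product), the following Python keeps a keyed hash chain over audit records so that modifying, deleting or reordering a record is detected on verification. The key, the record layout and the sample events are constructed.

```python
"""Tamper-evident audit log using a keyed hash chain (added example).

C2 asks that the audit log be protected from tampering. This illustrative
log cannot stop a privileged insider from editing a file, but it makes
modification, deletion or reordering of any record detectable, because each
record's MAC covers both the record and the MAC of its predecessor.
The key, the record fields and the sample events are constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # MAC value assumed for "no previous record"


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key                # held by the verifier, not by the audited host
        self.records: List[Dict] = []

    def _mac(self, prev_mac: str, entry: Dict) -> str:
        # Canonical JSON so field order cannot be used to forge a matching MAC
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

    def append(self, user: str, action: str, outcome: str) -> Dict:
        prev_mac = self.records[-1]["mac"] if self.records else GENESIS
        entry = {"seq": len(self.records), "user": user,
                 "action": action, "outcome": outcome}
        record = dict(entry, mac=self._mac(prev_mac, entry))
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return the index of the first record that fails, or None if the chain holds."""
        prev_mac = GENESIS
        for index, record in enumerate(self.records):
            entry = {k: v for k, v in record.items() if k != "mac"}
            if entry.get("seq") != index:                      # gap or reordering
                return index
            if not hmac.compare_digest(record["mac"], self._mac(prev_mac, entry)):
                return index                                   # content or link altered
            prev_mac = record["mac"]
        return None


def build_sample_log() -> AuditLog:
    """Constructed events; the key is a placeholder for a real secret."""
    log = AuditLog(key=b"example-verifier-key")
    log.append("alice", "login", "success")
    log.append("bob", "read /etc/passwd", "denied")
    log.append("alice", "logout", "success")
    return log


def demo() -> Dict[str, Optional[int]]:
    """Run verification on an intact log and on two tampered copies."""
    intact = build_sample_log()

    edited = build_sample_log()
    edited.records[1]["outcome"] = "success"     # insider rewrites a denial

    shortened = build_sample_log()
    del shortened.records[1]                     # insider removes the denial entirely

    return {
        "intact": intact.verify(),        # None: chain holds
        "edited": edited.verify(),        # 1: MAC of record 1 no longer matches
        "shortened": shortened.verify(),  # 1: record with seq 2 now sits at index 1
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want: the chain detects changes to any record that has a successor, but deleting the most recent records is only detectable if the latest MAC is recorded somewhere the audited host cannot write (a separate log host, or a periodic signed checkpoint); and the MAC key must not be readable on the audited system, or the insider simply recomputes the chain. Detection like this complements, rather than replaces, the C2 requirement to restrict who may read and write the log in the first place.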
8.3.2 External Threats<br />
External security threats are the most problematic. You never know when an<br />
outsider will attempt to breach your systems or who the perpetrator may be.<br />
Some people go to great extremes to gain access to your systems and<br />
information. There are many documented cases of outsiders easily gaining<br />
access to systems that were assumed to be protected. Even the Department of<br />
Defense admits that its computer systems were attacked more than 250,000<br />
times in 1995. That statistic alone should stop you in your tracks and make you<br />
think a bit. It has been recently theorized that a well-funded group of computer<br />
hackers could bring the entire country to a screeching halt within 90 days with<br />
almost no trouble at all.<br />
8.3.3 Intruders Are People<br />
Intruders may use your own policies and routines against you. Any intruder<br />
could pose as a person from one of your departments or come in as a worker<br />
representing another firm that would normally be considered non-intrusive.<br />
Someone posing as part of the cleaning crew, as a utility worker, as a building<br />
inspector, as an insurance official, and so on could have only one purpose:<br />
gaining the knowledge needed to infiltrate your network. You can even assume<br />
that people are digging through your trash looking for keys to assist them in<br />
breaching your systems. You need to understand that anything is possible and<br />
that people will do anything to get what they want.<br />
Beware of strangers asking questions about how the system works, and never<br />
give anyone your password. The notorious Kevin Mitnick used very subtle<br />
persuasion techniques that came to be known as social engineering to first gain<br />
people’s confidence and then their passwords.<br />
8.3.4 Securing Hardware<br />
The most obvious manifestation of your computer system is the hardware you<br />
use. Let’s take a look at some of the more common threats to your hardware:<br />
• Theft of a computer, printer, or other resource.<br />
• Tampering by a disgruntled employee who interferes with DIP switches or<br />
cuts a cable.<br />
• Destruction of resources by fire, flood, or electrical power surges. And don’t<br />
forget that those sprinklers in the ceiling can put out hundreds of gallons of<br />
water a minute; most of the damage to computer systems comes not from<br />
fire, but from the water used to put out the fire.<br />
• Ordinary wear and tear. A normal preventive maintenance program should<br />
inhibit wear and tear.<br />
8.3.5 Securing Software<br />
The second component of your system is software. Threats to software include<br />
the following:<br />
• Deletion of a program, either by accident or by malicious intent.<br />
• Theft of a program by one of your users.<br />
• Corruption of a program, caused either by a hardware failure or by a virus.<br />
More on virus attacks in a moment.<br />
• Bugs in the software; yes, they do happen, and their effect may be<br />
immediate and catastrophic or very subtle and not come to light for years.<br />
8.3.6 Securing Information<br />
The third component of your system is the data and data files used by the<br />
corporation. Threats to information can include:<br />
• Deletion of a file or files. Again, make and test your backups regularly.<br />
• Corruption, caused either by hardware problems or by a bug in the software.<br />
• Theft of company data files.<br />
8.3.7 The Threat from Viruses<br />
One of the most common threats to computer security comes from a computer<br />
virus. There are literally thousands of strains of computer viruses, ranging from<br />
harmless ones that simply put a message on the screen, all the way to vicious<br />
ones that destroy all data they can reach on the local machine and the network.<br />
Most viruses can reproduce themselves over and over on every system they<br />
touch. Virus eradication can be a most painful experience indeed.<br />
Today, with the vastness and power of the Internet, malicious intruders can gain<br />
access to any number of viruses in a matter of seconds by doing a simple<br />
search on one of the popular search engines.<br />
8.4 How Intruders Break In To Your System<br />
Intruders break in to your system in any number of ways. With the advent of the<br />
Internet, lots of UNIX software is being ported to Windows NT and other<br />
operating systems, and so are a lot of the security holes in that UNIX software.<br />
This means that your seemingly harmless and brand new software may in fact<br />
be a new generation of an age-old problem.<br />
8.4.1 Sendmail<br />
Intruders have traditionally used services that run on computers to gain access<br />
to them. One of the most widely exploited holes is in Sendmail and its many<br />
derivatives. Sendmail bugs have allowed an intruder to create files, alter files,<br />
and even mail sensitive files to the intruder. Go over your mail server software<br />
carefully, and find out its origins. If it turns out to be a Sendmail port from<br />
UNIX, test it with the same attack techniques that are used against Sendmail on<br />
UNIX, and keep it patched to the current version.<br />
8.4.2 Checking CGI Scripts<br />
Web servers by themselves pose only moderate security risks, particularly when<br />
protected by a firewall or a proxy server. The main concern is how your<br />
system uses CGI scripts. Your Web server may be configured to create HTML<br />
pages on-the-fly using a script written in Perl or in some other scripting<br />
language, and every such script is a program that runs on your server with<br />
input supplied by an anonymous remote user.<br />
When considering these external programs, ask these questions:<br />
• Can a knowledgeable attacker trick the external program into doing<br />
something that you don’t want it to do?<br />
• Can a knowledgeable attacker upload an external program and have that<br />
program execute on your system?<br />
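The two questions above, as an added example that is not code from this redbook: the first function builds a command line the way many early CGI scripts did, the second is the hardened form, and the third is the check for the second question (a script directory an intruder can write to). The form field name user, the finger lookup and the demo directory are assumptions made for illustration.<br />

```python
"""CGI input handling: the hole the two questions above describe, and its fix.

Added example; this is not code from the redbook. The form field name
'user', the 'finger' lookup, and the script directory layout are assumptions
made for illustration.
"""
import os
import re
import stat
import tempfile
from typing import List
from urllib.parse import parse_qs

# Constructed query strings, as a browser would send them to a CGI script.
SAFE_QUERY = "user=alice"
# Decodes to "alice;cat /etc/passwd" (%3B is ';', '+' is a space).
HOSTILE_QUERY = "user=alice%3Bcat+%2Fetc%2Fpasswd"


def build_command_vulnerable(query_string: str) -> str:
    """Question 1, the wrong way: the field value is pasted into a command
    line that will be handed to a shell (os.system, backticks, open("|...")).
    The shell sees the ';' and runs the attacker's second command too."""
    user = parse_qs(query_string).get("user", [""])[0]
    return "finger " + user


# Allow-list: what a legitimate user name looks like on this server (assumed).
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def build_command_hardened(query_string: str) -> List[str]:
    """Question 1, the right way: reject anything outside the allow-list and
    pass the value as its own argv element, so no shell ever parses it.
    (Run the result with subprocess.run(argv), never with shell=True.)"""
    user = parse_qs(query_string).get("user", [""])[0]
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("rejected user name: %r" % user)
    return ["finger", user]


def hardened_accepts(query_string: str) -> bool:
    """True when the hardened builder would run a command for this input."""
    try:
        build_command_hardened(query_string)
        return True
    except ValueError:
        return False


def find_unsafe_cgi_files(cgi_dir: str) -> List[str]:
    """Question 2: if the script directory (or anything in it) is world-writable,
    an intruder who can upload a file can place a program where the Web server
    will execute it. Returns the offending paths relative to cgi_dir."""
    unsafe = []
    for root, dirs, files in os.walk(cgi_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.stat(path).st_mode & stat.S_IWOTH:
                unsafe.append(os.path.relpath(path, cgi_dir))
    return sorted(unsafe)


def make_demo_cgi_dir() -> str:
    """Build a throwaway cgi-bin with one correctly protected script and one
    that a careless install left world-writable (constructed demo data)."""
    cgi_dir = tempfile.mkdtemp(prefix="cgi-bin-")
    for name, mode in (("counter.cgi", 0o755), ("upload.cgi", 0o777)):
        path = os.path.join(cgi_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho Content-type: text/plain\necho\n")
        os.chmod(path, mode)
    return cgi_dir


if __name__ == "__main__":
    print(build_command_vulnerable(HOSTILE_QUERY))   # shows the injected command
    print(build_command_hardened(SAFE_QUERY))
    print(find_unsafe_cgi_files(make_demo_cgi_dir()))
```

The allow-list is the important part: escaping shell metacharacters one by one is how scripts of this era kept getting broken, whereas rejecting everything that is not a plausible user name and never invoking a shell leaves nothing for the attacker to exploit. The directory check is what you run on the real cgi-bin after installing any downloaded script.<br />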
You can minimize the threat from both these sources by using some of the<br />
techniques that will be discussed later in this chapter and by ensuring that your<br />
Web server does not contain anything that you don’t want revealed to the<br />
outside world.<br />
Do not take it for granted that someone’s really nifty Web enhancement software<br />
is completely safe and harmless. Writing CGI scripts is not particularly easy,<br />
and writing secure scripts is a job for experts. Do not assume that the nice<br />
little CGI script some programmer wrote to complement your Web site, the one<br />
you won’t be able to resist trying out, is harmless; it may be exactly what puts<br />
in place the holes that others need to infiltrate your systems and networks.<br />
Lots of programmers hide backdoors, tricks, and traps in their seemingly<br />
harmless software for their own convenience in testing and debugging and then<br />
forget to remove these elements when they release the package. You may think<br />
you have just downloaded and installed the world’s greatest page counter,<br />
whereas in reality you have just installed an open door on your system. Always<br />
test shareware and freeware thoroughly on a stand-alone system, and ask<br />
others for their reviews of the software before you place it on one of your<br />
production servers. Otherwise, you may lose everything.<br />
8.4.3 FTP Problems<br />
FTP can be a real problem, and you should take great care when configuring<br />
your FTP server. Double- and triple-check your file permissions for every FTP<br />
user account. Log on as that user, and ensure that the access is restricted in<br />
the way you want it. Additionally, many intruders use anonymous FTP servers to<br />
upload and stash pirated software, cracking tools, and other illegal material that<br />
you do not want on your FTP server. One easy way to protect your site is not to<br />
allow users to upload files to your FTP site; just let them download the material<br />
you originally established the FTP server to manage and distribute. If it is<br />
important that you allow uploads, set the directory permissions so that you have<br />
to explicitly specify who can upload files, and keep the upload area writable but<br />
not readable by anonymous users, so that what one stranger uploads cannot be<br />
listed or retrieved by the next until an administrator has reviewed it and moved<br />
it.<br />
8.4.4 Telnet Problems<br />
You need to be aware of the potential exposures you can have when you enable<br />
a Telnet server:<br />
• The Telnet server cannot restrict a user from getting a sign-on display once<br />
the Telnet server is started: anyone who can reach the port is presented with<br />
a logon prompt. There is no anonymous Telnet support.<br />
• When you type your user ID and password, both flow “in the clear” across<br />
your network. Hackers on the Internet or on your intranet can use sniffers<br />
(hardware or software protocol analyzers) to capture your logon passwords.<br />
• On systems that allocate a virtual device to each session (the AS/400, for<br />
example), the total number of sign-on attempts available to an attacker is the<br />
number of attempts allowed per device multiplied by the number of virtual<br />
devices that can be created. This increases the number of attempts a hacker<br />
can make to log on to your system, and an attacker who exhausts those<br />
devices can also turn the attack into a denial of service.<br />
• The Telnet server application does not provide good logging procedures.<br />
8.4.5 E-Mail Problems<br />
There are a few risks associated with electronic mail; some examples are<br />
forging mail or snooping mail that might contain confidential or private<br />
information. But accepting e-mail opens the door to four major exposures that<br />
we cover in more detail in this section:<br />
• Denial-of-service attacks:<br />
Incoming mail, if it takes the form of mail bombing, can tie up your<br />
computer resources (disk space and processor) to the point where your<br />
server is put out of commission. Although we worry about this type of<br />
attack, in practice, you can probably have similar effects from an accident<br />
such as a chain letter or a few huge images (MIME attachments) sent to your<br />
users.<br />
• Downloading viruses:<br />
Attachments sent in e-mail can be stored in a shared folder or in the<br />
integrated file system of the POP3 server and from there they can be<br />
downloaded to other users’ PCs or POP3 clients.<br />
• Snooping on POP3 user ID or password:<br />
Standard POP clients send the user’s ID and password in the clear;<br />
therefore, anyone snooping on the connection can see them. On the AS/400<br />
system, for example, each POP user needs a user profile and directory entry,<br />
so if someone is able to capture the POP user’s ID and password, they also<br />
get the user ID and password of an AS/400 user. If the intruder manages to<br />
get hold of a powerful user profile (for example, one with *ALLOBJ special<br />
authority), the intruder can cause much damage to your system.<br />
• Snooping on sensitive e-mail:<br />
You need to think about the exposure of sending sensitive or confidential<br />
information over the Internet. Depending on your own environment, you<br />
might need to use alternative methods to exchange sensitive information.<br />
You can find more information about how to manage sensitive information in<br />
8.7.9.5, “What Do You Do with Sensitive Information?” on page 212.<br />
8.4.6 Keystroke Grabbers<br />
Another way intruders gain access is to install a keystroke grabber. These<br />
programs monitor and record every keystroke on a given computer.<br />
Typically, a keystroke grabber records keystrokes on the machine on which the<br />
program is running. Thus, the intruder must have internal access or gain access<br />
externally through the network connections. If you want to take a look at some<br />
keystroke grabbers, use one of the popular search engines on the Internet, and<br />
enter the keywords keycopy or playback. You will find several without much<br />
effort.<br />
One of the best ways to guard against unauthorized software installation is by<br />
using Microsoft’s Systems Management Server (SMS), part of the BackOffice<br />
suite of programs. SMS performs numerous tasks to help you manage the PCs<br />
on your network, and one of its more interesting features is the ability to monitor<br />
the software on one of your workstations.<br />
SMS will actually let you know when new software is installed and when<br />
software has been removed. This may tip you off to a potential problem before it<br />
reaches serious proportions. You will find information on SMS at Microsoft’s Web<br />
site.<br />
8.4.7 Password Attacks<br />
8.4.8 Spoofing Your System<br />
8.4.9 Sniffers<br />
Intruders use programs called password crackers more than any other tool to<br />
gain unauthorized access to systems, and poorly chosen passwords increase<br />
your risk of intrusion tremendously. Download at least one password<br />
cracker, and run it against your own systems to test the kinds of passwords that<br />
you routinely provide to your users and that they choose for themselves.<br />
When you do crack a password, adjust your policies to disallow similar<br />
password schemes in the future, and obviously change that cracked password<br />
immediately.<br />
The IBM Emergency Response Team (IBM ERS) has a group that monitors<br />
security threats and preventive measures. They estimate that 80 percent or<br />
more of the intrusion problems they see have to do with poorly chosen<br />
passwords. You can find more information about this service in this redbook,<br />
in Appendix A, “Availability Services” on page 297.<br />
You should also have a procedure in place to manage expiring passwords so<br />
that users actually do change their passwords routinely. Old passwords are<br />
increasingly vulnerable to attack; the longer a password stays unchanged, the<br />
more time a potential intruder has to crack it. Intruders routinely use<br />
dictionaries in conjunction with password-cracking programs to automatically<br />
attempt many user ID and password combinations. These automated<br />
programs can run through thousands of combinations in a day against a live<br />
logon prompt, and far more against a stolen copy of the password file, where no<br />
logon limit applies, making an old and poorly chosen password a literal walk in<br />
the park to discover.<br />
You should also caution your users against using the same password in different<br />
places, such as using their network logon password for their screen saver.<br />
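The attack described above run against a password file, followed by the policy check that rejects exactly the passwords it finds, as an added example that is not code from this redbook. The password file, the word list and the mangling rules are constructed for the example, and the hash is salted SHA-256 rather than the crypt(3) that systems of the day used, so that the block runs anywhere (crypt(3) is far cheaper to attack).<br />

```python
"""A dictionary attack run against your own password file, and the policy
check that stops the passwords it finds.

Added example; this is not code from the redbook. The password file and word
list are constructed; the hash scheme is salted SHA-256 so that the example
runs anywhere (the systems of the day used crypt(3), which is far cheaper
to attack).
"""
import hashlib
from typing import Dict, Iterable, List, Optional, Set, Tuple


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256, standing in for the system's own password hash."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow-style entries: (user, salt, hash). A real file holds only
# the hashes; the clear text appears here only so the example builds itself.
PASSWORD_FILE: List[Tuple[str, str, str]] = [
    ("alice", "k3", hash_password("Summer97", "k3")),      # word + year
    ("bob",   "q7", hash_password("Bob1", "q7")),          # user ID + digit
    ("carol", "z1", hash_password("s3cr3t", "z1")),        # letter-for-digit
    ("dave",  "m9", hash_password("Tr0ub4dor&3", "m9")),   # not derivable
]

WORDLIST = ["password", "summer", "secret", "welcome", "letmein", "ibm"]


def mangle(word: str) -> Set[str]:
    """The variations a cracker tries for each word: case changes, a digit
    suffix (0..99), a trailing '!', and letter-for-digit substitutions."""
    forms = {word.lower(), word.capitalize(), word.upper()}
    for base in list(forms):
        forms.update(base + str(n) for n in range(100))
        forms.add(base + "!")
        forms.add(base.replace("o", "0").replace("e", "3").replace("a", "@"))
    return forms


def candidates(user: str, wordlist: Iterable[str]) -> Set[str]:
    """Everything the attack will try for one account: the user ID itself
    is always in the list, because people really do choose it."""
    cands = mangle(user)
    for word in wordlist:
        cands |= mangle(word)
    return cands


def crack(entries: List[Tuple[str, str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Return {user: clear text} for every entry the attack recovers."""
    found = {}
    for user, salt, digest in entries:
        for guess in candidates(user, wordlist):
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found


def check_policy(user: str, password: str, wordlist: List[str]) -> Optional[str]:
    """Reject, with a reason, any password the attack above would recover.
    Returns None when the password is acceptable."""
    if len(password) < 8:
        return "shorter than 8 characters"
    if password in mangle(user):
        return "derived from the user ID"
    for word in wordlist:
        if password in mangle(word):
            return "derived from the dictionary word %r" % word
    classes = sum(any(test(c) for c in password)
                  for test in (str.islower, str.isupper, str.isdigit,
                               lambda c: not c.isalnum()))
    if classes < 3:
        return "uses fewer than three character classes"
    return None


if __name__ == "__main__":
    for user, clear in crack(PASSWORD_FILE, WORDLIST).items():
        print("%-6s cracked: %s" % (user, clear))
    for user, clear in (("alice", "Summer97"), ("dave", "Tr0ub4dor&3")):
        print("%-6s %s -> %s" % (user, clear, check_policy(user, clear, WORDLIST)))
```

Three of the four constructed accounts fall in well under a second; the point of running the same mangling rules inside check_policy is that a password is only accepted when the cracker you just ran would not have found it, which is the policy adjustment the paragraph above asks for. Use a real word list (tens of thousands of words) for both functions in practice.<br />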
Some intruders may attempt to use spoofing to gain access to your systems.<br />
Spoofing is the process of replacing parts of the IP header (typically the<br />
source address) with bogus information in an effort to fool your firewall or<br />
proxy, or a host that trusts addresses, into thinking that the network traffic<br />
came from an allowed and trusted origin. Be sure your firewall or border router<br />
can prevent this sort of trickery, by dropping packets that arrive on the<br />
Internet interface with a source address belonging to your internal network,<br />
and enforce that rule strictly.<br />
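The anti-spoofing rule above, written out as a filter decision so that you can test it against sample packets, as an added example that is not code from this redbook. The interface names outside and inside, the internal prefix 192.0.2.0/24 and the sample packets are assumptions made for illustration; a real router expresses the same rules in its access-list syntax.<br />

```python
"""Anti-spoofing (ingress and egress) filter rules for the border router.

Added example; this is not code from the redbook. The interface names
'outside' and 'inside', the internal prefix 192.0.2.0/24 and the sample
packets are assumptions made for illustration.
"""
import ipaddress
from typing import List, Tuple

# Your own address space (assumed). Only these may be a source on 'inside'.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Sources that can never legitimately arrive from the Internet: your own
# addresses, the private ranges, loopback and "this network".
NEVER_FROM_OUTSIDE = INTERNAL_NETS + [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


def verdict(iface: str, src: str) -> Tuple[str, str]:
    """Decide 'drop' or 'accept' for a packet arriving on iface with source
    address src, and say why. Evaluated before any address-based access rule,
    so a forged 'trusted' source never reaches those rules."""
    source = ipaddress.ip_address(src)
    if iface == "outside":
        for net in NEVER_FROM_OUTSIDE:
            if source in net:
                return "drop", "spoofed: source %s (%s) arrived from the Internet" % (src, net)
        return "accept", "external source on the external interface"
    if iface == "inside":
        if not any(source in net for net in INTERNAL_NETS):
            # Egress rule: keeps your own hosts from being used to spoof others.
            return "drop", "egress: internal host sent a packet with foreign source %s" % src
        return "accept", "internal source on the internal interface"
    return "drop", "unknown interface %r" % iface


# Constructed sample traffic: (interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.5",  "192.0.2.10"),   # ordinary Internet client
    ("outside", "192.0.2.20",   "192.0.2.10"),   # claims to be an internal host
    ("outside", "10.3.3.3",     "192.0.2.10"),   # private source from outside
    ("inside",  "192.0.2.33",   "203.0.113.5"),  # normal outbound traffic
    ("inside",  "198.51.100.7", "203.0.113.5"),  # compromised host spoofing
]


def apply_filter(packets) -> List[Tuple[str, str, str]]:
    """Return (interface, source, decision) for each packet."""
    return [(iface, src, verdict(iface, src)[0]) for iface, src, _dst in packets]


if __name__ == "__main__":
    for iface, src, _dst in SAMPLE_PACKETS:
        print("%-7s %-14s %s: %s" % (iface, src, *verdict(iface, src)))
```

The second packet is the classic case the text describes: an Internet packet wearing one of your own addresses. Address-based trust (an allow rule for 192.0.2.0/24, a host that trusts its neighbours by address) is only meaningful once this check runs first on the outside interface.<br />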
Intruders don’t have to steal keystrokes to find out what is happening on your<br />
network; sometimes they use a sniffer to access information that you want to<br />
keep secret. A sniffer watches the network packets as they go to and from your<br />
site and a remote site; it can see the information being transferred.<br />
Hardware and software sniffers are readily available and are used to monitor<br />
network traffic. If that traffic happens to contain a user ID or a password, your<br />
network security is at risk. Hardware sniffers normally have to be attached to<br />
the physical cable of your network, which reduces the threat from internal users<br />
somewhat. Software sniffers can run from any workstation attached to your<br />
network (on a shared-media LAN every station sees every packet) and even<br />
over a dial-up link.<br />
Intruders may use a sniffer to look at your passwords or your data. Changing<br />
passwords often limits how long a captured password stays useful, but the real<br />
protection is to keep passwords off the wire in clear text: use protocols that<br />
encrypt the logon, or one-time passwords. Protecting your data is more<br />
difficult and may involve end-to-end encryption techniques.<br />
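What a software sniffer actually extracts from the protocols named in 8.4.4 (Telnet) and 8.4.5 (POP3), and from FTP, as an added example that is not code from this redbook: run over your own capture, it is the audit that shows which services still send credentials in the clear. The segments below are constructed by hand to look like a capture from a shared LAN, with made-up addresses and account names; a real tool would take them from a capture file or a promiscuous-mode socket.<br />

```python
"""Finding clear-text credentials in captured traffic.

Added example; this is not code from the redbook. The segments below are
constructed by hand to look like what a software sniffer would capture on a
shared LAN; a real tool would take them from a capture file or a promiscuous
socket. Addresses and account names are made up.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (client, server, service port, direction, payload); direction is "C" for
# client-to-server and "S" for server-to-client.
Segment = Tuple[str, str, int, str, bytes]

CAPTURE: List[Segment] = [
    # POP3 logon: user ID and password travel as two plain commands
    ("10.1.1.7", "10.1.1.2", 110, "S", b"+OK POP3 server ready\r\n"),
    ("10.1.1.7", "10.1.1.2", 110, "C", b"USER jsmith\r\n"),
    ("10.1.1.7", "10.1.1.2", 110, "S", b"+OK\r\n"),
    ("10.1.1.7", "10.1.1.2", 110, "C", b"PASS Summer97\r\n"),
    # FTP uses the same two commands
    ("10.1.1.9", "10.1.1.3", 21, "C", b"USER ftpadmin\r\n"),
    ("10.1.1.9", "10.1.1.3", 21, "C", b"PASS s3cret!\r\n"),
    # Telnet: after each prompt the client sends one character per segment
    ("10.1.1.11", "10.1.1.4", 23, "S", b"\r\nlogin: "),
    *[("10.1.1.11", "10.1.1.4", 23, "C", ch.encode()) for ch in "root\r\n"],
    ("10.1.1.11", "10.1.1.4", 23, "S", b"Password: "),
    *[("10.1.1.11", "10.1.1.4", 23, "C", ch.encode()) for ch in "t0pSecret\r\n"],
]

Credential = Tuple[Optional[str], Optional[str]]


def scan_user_pass(segments) -> Credential:
    """POP3 and FTP: whole-line USER and PASS commands from the client."""
    user = password = None
    for direction, payload in segments:
        if direction != "C":
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS":
                password = arg
    return user, password


def scan_telnet(segments) -> Credential:
    """Telnet: reassemble the client bytes that follow a 'login:' or
    'Password:' prompt until the end of the typed line."""
    fields = {"login": "", "password": ""}
    current = None
    for direction, payload in segments:
        text = payload.decode("ascii", "replace")
        if direction == "S":
            if "login:" in text:
                current = "login"
            elif "Password:" in text:
                current = "password"
        elif current is not None:
            if text in ("\r", "\n", "\r\x00"):
                current = None              # end of the typed line
            else:
                fields[current] += text
    return fields["login"] or None, fields["password"] or None


SCANNERS = {110: ("POP3", scan_user_pass),
            21: ("FTP", scan_user_pass),
            23: ("Telnet", scan_telnet)}


def find_cleartext_credentials(capture: List[Segment]) -> List[Dict[str, str]]:
    """Group segments per connection and report every complete logon seen."""
    connections = defaultdict(list)
    for client, server, port, direction, payload in capture:
        connections[(client, server, port)].append((direction, payload))
    findings = []
    for (client, server, port), segments in connections.items():
        if port not in SCANNERS:
            continue
        protocol, scan = SCANNERS[port]
        user, password = scan(segments)
        if user and password:
            findings.append({"protocol": protocol, "client": client, "server": server,
                             "user": user, "password": password})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(CAPTURE):
        print("%-6s %s -> %s  user=%s password=%s" % (
            f["protocol"], f["client"], f["server"], f["user"], f["password"]))
```

Nothing here is clever, which is the point: every logon on these three protocols is recoverable from a passive capture with a few lines of string handling, so changing passwords often only shortens the window, and the Telnet case shows why a per-character protocol is no harder to read than a line-oriented one.<br />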
8.4.10 Closing a Back Door on Your System<br />
8.5 How to Control the Risk?<br />
8.6 What Should You Secure?<br />
Figure 66. Layer Approach to Security<br />
When an intruder successfully breaks in to your system, he or she usually<br />
creates a back door for easy return. If you have detected and obstructed an<br />
intruder, scour your systems for back doors: modified system programs, new<br />
accounts, new network services, and files that were not in your installation<br />
baseline. One of the easiest, although sometimes painful, ways to wipe out<br />
back doors is to simply reformat your server’s hard disk and reinstall the<br />
operating system from original media, restoring data only from backups taken<br />
before the intrusion. This wipes out anything out of the ordinary.<br />
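The “scour your systems” step, done by comparison against a known-good baseline rather than by eye, as an added example that is not code from this redbook. The baseline format (path to SHA-256 digest and permission bits) and the small server tree built in a temporary directory are assumptions; on a real server you snapshot the freshly installed system once, keep the result off-line, and compare after an incident.<br />

```python
"""Finding an intruder's back doors by comparing the server with a baseline.

Added example; this is not code from the redbook. The baseline format (path
-> SHA-256 and permission bits) and the small demonstration tree built in a
temporary directory are assumptions; on a real server you would snapshot the
installed system once, store the result off-line, and compare after an incident.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Baseline = Dict[str, Tuple[str, int]]


def snapshot(root: str) -> Baseline:
    """Map every regular file under root to (sha256, permission bits).
    Permission bits are included so that a chmod alone shows up too."""
    result: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and devices: out of scope here
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return result


SUID_BITS = stat.S_ISUID | stat.S_ISGID


def compare(baseline: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """Classify the differences the way back doors usually appear: added files,
    removed files, modified files, and set-uid/set-gid programs that are new."""
    report = {"added": [], "removed": [], "modified": [], "new_setuid": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["added"].append(path)
        elif path not in current:
            report["removed"].append(path)
        elif baseline[path] != current[path]:
            report["modified"].append(path)
    for path, (_digest, mode) in sorted(current.items()):
        was_suid = path in baseline and baseline[path][1] & SUID_BITS
        if mode & SUID_BITS and not was_suid:
            report["new_setuid"].append(path)
    return report


def make_demo_report() -> Dict[str, List[str]]:
    """Build a small 'server', baseline it, simulate a break-in, and compare.
    (Constructed demo data.)"""
    root = tempfile.mkdtemp(prefix="server-")

    def write(rel: str, data: bytes, mode: int = 0o644) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

    write("bin/login", b"original login program", 0o755)
    write("etc/inetd.conf", b"ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n")
    write("etc/passwd", b"root:x:0:0::/:/bin/sh\n")
    baseline = snapshot(root)

    # The intruder's usual moves: a trojaned login, an extra network service,
    # and a hidden set-uid copy of the shell for easy return.
    write("bin/login", b"login that accepts a hard-coded password", 0o755)
    write("etc/inetd.conf",
          b"ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n"
          b"backdoor stream tcp nowait root /bin/sh sh -i\n")
    write("tmp/.x/sh", b"copy of /bin/sh", 0o4755)

    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in make_demo_report().items():
        print("%-11s %s" % (kind, ", ".join(paths) or "-"))
```

The comparison is only as trustworthy as the copy of the baseline and of this program that the intruder could not reach, which is why both belong on read-only or off-line media; a baseline stored on the compromised server can be edited along with everything else.<br />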
There is always a risk in being attached to the Internet. However, the benefits<br />
for a company of being present on the Internet are many. Whether and how to<br />
deal with the Internet, and which risks to accept, is a high-level management<br />
decision. These policies are part of the overall I/T and networking policies and<br />
strategies.<br />
When you devise your security measures, you should think of a layered approach<br />
to security. When you connect an ISP to the Internet, there are many points<br />
where security can be compromised and that you should therefore protect. You<br />
should think of this layered approach as a system with multiple locks; if a hacker<br />
manages to break one of them, you have others to protect you.<br />
Figure 66 shows different areas where you should apply security measures:<br />
• Network Security: Controlling access to your ISP.<br />
• Application Security: Application-specific security. Do you want to enable a<br />
particular application such as FTP or Telnet? Do you want to enable only<br />
anonymous users or do you want to require user ID and password?<br />
• Transaction Security: Ensuring data privacy and partner authentication.<br />
• System Security: You have to verify all the features and functions that your<br />
operating system has and use them properly. This can make your ISP a<br />
secure environment.<br />
8.6.1 Network Security<br />
Network security controls access to your ISP. Who is allowed to enter your<br />
corporation’s network to access your Internet server? Probably you do not want<br />
to limit that access in general, but it is a major issue to protect your internal<br />
network and the production systems within your company’s internal network.<br />
Network security can be achieved in various ways:<br />
• Isolating the Internet servers on their own network segment<br />
• Blocking unwanted TCP/IP traffic with packet filters on the multiprotocol router<br />
• Securing the network gateway (usually called a firewall) to protect the<br />
company-internal network<br />
Internet network security also determines how your own users may access the<br />
Internet.<br />
8.6.2 Application Security<br />
Each application that you can use on your ISP connected to the Internet, such as<br />
HTTP, FTP, Telnet, and so on, offers different alternatives to limit access and make<br />
it safe to use.<br />
8.6.3 Transaction Security<br />
Commercial transactions through the Internet require safe communications. The<br />
parties need to be identified and the exchanged data has to be protected. In this<br />
case:<br />
• How can you perform authentication without sending a user ID and<br />
password in the clear?<br />
• How can you protect the privacy of your data to ensure that only authorized<br />
persons may read it?<br />
• How can you assure that messages have not been altered between the<br />
sender and the recipient?<br />
There is a single technology, cryptography, that provides the foundation for<br />
solving all of these challenges. Secure Sockets Layer (SSL) is an<br />
industry-standard protocol built on cryptography. It provides encryption, message<br />
integrity verification, and authentication. For more information about<br />
cryptography see 8.11, “Cryptography” on page 229. For more information on<br />
SSL see 8.14.2, “Secure Sockets Layer” on page 257.<br />
8.6.4 System Security<br />
Depending on the operating system, OS/400 for example, you may have a<br />
strong set of security tools, but you must take the time to learn about the tools<br />
and apply them.<br />
There are various areas of the system’s security to be considered before<br />
attaching your system to the Internet:<br />
• System-wide security values<br />
• User profile and password management<br />
• Resource security<br />
• General TCP/IP definitions<br />
8.6.5 The Security Checklists<br />
While establishing your security policies, you should keep in mind the checklists<br />
below.<br />
8.6.5.1 Connection Security Checklist<br />
Here are some of the basic problems facing administrators connecting their<br />
networks to the Internet:<br />
• Millions of people are connected to the Internet now, and more connect<br />
every day. Some will invariably behave unethically.<br />
• Proper security configuration and administration can become very<br />
complicated. Don’t be afraid to get some training.<br />
• Many host systems are run by administrators with little or no experience.<br />
Don’t be one of them. Get some training.<br />
• Most administrators connect their sites to the Internet and then think about<br />
security. You can’t make this mistake.<br />
• Many computers run software that has unpatched security holes.<br />
Even when you buy new software off the shelf, contact the publisher to see if<br />
any patches have been released or are planned.<br />
• Internet traffic, and network traffic in general for that matter, is very<br />
vulnerable to sniffers and other forms of electronic snooping. Encrypt<br />
sensitive network traffic even if it is not destined for the Internet; you may<br />
have internal intruders as well.<br />
8.6.5.2 Network Security Checklist<br />
Here are some suggestions that you can use as you formulate network security<br />
policy for your own site:<br />
• Ensure that your file servers, routers, and gateway equipment are in a<br />
locked, secure location with a minimum number of people having access.<br />
Physical access defeats every other control, so this comes first.<br />
• Create and enforce a password assignment and use policy.<br />
• Inform users about your security policies and about their responsibilities.<br />
• Frequently back up your data and store it in a certified off-site facility.<br />
• Add expiration dates to user accounts to force password changes and the<br />
termination of short-term user accounts, such as those assigned to vendors<br />
and contractors.<br />
• Activate intruder detection and lockout features as provided in your<br />
operating system.<br />
• If you use dial-in access servers, implement the strongest authentication<br />
methods allowed by your software. Use call-back capabilities whenever<br />
possible.<br />
• Periodically sweep your network with a security scanner to detect potential<br />
problems. Third-party security-scanning programs are available for most<br />
platforms.<br />
• Provide virus protection for all users, and scan all file servers and<br />
workstations daily. Use real-time virus scanners that stay loaded and run all<br />
the time.<br />
• Ensure that all operating system patches are installed immediately when<br />
they are distributed. Don’t expect the manufacturer to track you down and<br />
tell you about them.<br />
• Use the maximum level of auditing and logging capabilities to detect<br />
unauthorized activity before it creates damage.<br />
8.6.5.3 Internet Security Checklist<br />
If you plan to build and connect your ISP to the Internet, here are some tips to<br />
remember about Internet security and that are important in your computing<br />
environment:<br />
• Treat the Internet as the potentially hostile environment that it is.<br />
• Avoid reusable (static) passwords where you can. Use smart cards or card<br />
keys for user authentication to sensitive systems whenever possible.<br />
• If you must allow passwords that are valid for more than one logon, choose<br />
strong password policies that mandate frequent changes, and don’t allow the<br />
reuse of old passwords.<br />
• Install a firewall or a proxy server to protect your network.<br />
• Do not send confidential information in clear text across the network.<br />
Instead, encrypt all sensitive messages and files before transmitting them<br />
across any network, including the Internet.<br />
• Limit services that are offered on your network to those that are necessary.<br />
Never run software just for the sake of saying that you have it installed.<br />
• Provide security training for your network administrators.<br />
• Establish your network security properly. Install software patches, don’t use<br />
guest accounts, activate intruder detection schemes, and establish lock-out<br />
mechanisms for too many bad password attempts.<br />
8.6.5.4 E-Mail Security Checklist<br />
Consider these tips on e-mail security as part of your policies and procedures:<br />
• Assume that any unencrypted message you send via e-mail can be<br />
intercepted and read by prying eyes. Use an encryption tool to encrypt all<br />
sensitive e-mail. Over time, your e-mail could fit together like the pieces of a<br />
puzzle, eventually revealing vital information and facts you may not want<br />
known. The rule of thumb here is: never send any unencrypted information<br />
in e-mail that you wouldn’t want broadcasted on national television.<br />
• E-mail addresses can be spoofed, or faked, so that someone can make a<br />
message appear as if it came from someone else.<br />
• You may want to use a separate file for highly sensitive information: Encrypt<br />
it, attach the encrypted file to the e-mail message, and then encrypt that<br />
message and file attachment again as a whole.<br />
• Your e-mail passwords should always be different from any of your other<br />
network passwords. Never use the same password for two different things,<br />
and never reuse an old password.<br />
8.7 Establishing a Security Policy<br />
Today’s computer world is radically different from the computing environments of<br />
yesteryear. These days, many systems are in private offices and labs, often<br />
managed by individuals or persons employed outside the traditional computer<br />
data center or IS department. And more important, many systems are<br />
connected to the Internet, exposing them to the entire world and giving users of<br />
networks connected to the Internet the avenues they need to reach internal<br />
networks.<br />
Keep all that in mind as you read this section and establish your own policies.<br />
8.7.1 Who Makes the Policy?<br />
Policy creation must be a joint effort by technical personnel, who understand the<br />
full ramifications of the proposed policy and the implementation of the policy,<br />
and by decision makers who have the power to enforce the policy. A policy that<br />
is either impossible to implement or unenforceable is useless. Since a computer<br />
security policy can affect everyone in an organization, it is worth taking some<br />
care to make sure you have the right level of authority in on the policy decisions.<br />
Though a particular group (such as a campus information services group) may<br />
have responsibility for enforcing a policy, an even higher group may have to<br />
support and approve the policy.<br />
8.7.2 Who Is Involved?<br />
Establishing a site policy has the potential for involving every computer user at<br />
the site in a variety of ways. Computer users may be responsible for personal<br />
password administration. Systems managers are obligated to fix security holes<br />
and to oversee the system. It is critical to get the right set of people involved at<br />
the start of the process. There may already be groups concerned with security<br />
who would consider a computer security policy to be their area. Some of the<br />
types of groups that might be involved include auditing/control, organizations<br />
that deal with physical security, campus information systems groups, and so<br />
forth. Asking these types of groups to “buy in” from the start can help facilitate<br />
the acceptance of the policy.<br />
8.7.3 Responsibilities<br />
A key element of a computer security policy is making sure everyone knows<br />
their own responsibility for maintaining security. A computer security policy<br />
cannot anticipate all possibilities; however, it can ensure that each kind of<br />
problem does have someone assigned to deal with it. There may be levels of<br />
responsibility associated with a policy on computer security. At one level, each<br />
user of a computing resource may have a responsibility to protect his or her<br />
account. Users who allow their account to be compromised increase the<br />
chances of compromising other accounts or resources. System managers may<br />
form another responsibility level: they must help to ensure the security of the<br />
computer system. Network managers may reside at yet another level.<br />
8.7.4 Risk Assessment<br />
One of the most important reasons for creating a computer security policy is to<br />
ensure that efforts spent on security yield cost-effective benefits. Although this<br />
may seem obvious, it is possible to be misled about where the effort is needed.<br />
As an example, there is a great deal of publicity about intruders on computer<br />
systems; yet most surveys of computer security show that for most<br />
organizations, the actual loss from “insiders” is much greater.<br />
Risk analysis involves determining what you need to protect, what you need to<br />
protect it from, and how to protect it. It is the process of examining all of your<br />
risks, and ranking those risks by level of severity. This process involves making<br />
cost-effective decisions on what you want to protect. The old security adage<br />
says that you should not spend more to protect something than it is actually<br />
worth.<br />
8.7.4.1 Identifying the Assets<br />
One step in a risk analysis is to identify all the things that need to be protected.<br />
Some things are obvious, such as all the various pieces of hardware, but some<br />
are overlooked, such as the people who actually use the systems. The essential<br />
point is to list all things that could be affected by a security problem, such as:<br />
• Hardware: CPUs, boards, keyboards, terminals, workstations, personal<br />
computers, printers, disk drives, communication lines, terminal servers and<br />
routers.<br />
• Software: Source programs, object programs, utilities, diagnostic programs,<br />
operating systems and communication programs.<br />
• Data: During execution, stored online, archived offline, backups, audit logs,<br />
databases and in transit over communication media.<br />
• People: Users and people needed to run systems.<br />
• Documentation: On programs, hardware, systems and local administrative<br />
procedures.<br />
• Supplies: Paper, forms, ribbons and magnetic media.<br />
8.7.4.2 Identifying the Threats<br />
Once the assets requiring protection are identified, it is necessary to identify the<br />
threats to those assets. The threats can then be examined to determine what<br />
potential for loss exists. It helps to consider the threats you are trying to protect<br />
your assets from.<br />
When you are defining security procedures against potential threats, consider<br />
the following:<br />
• Look at exactly what you are trying to protect.<br />
• Look at who you need to protect it from.<br />
• Look at what you need to protect it from.<br />
• Determine the likelihood of each potential threat.<br />
• Implement measures that will protect your assets in a manner that is<br />
cost-effective for you or your firm.<br />
• Review your processes and procedures continuously, and improve them<br />
every time a weakness is found or a new security mechanism becomes<br />
available.<br />
8.7.5 Defining Security Goals<br />
The goals of your security policy should be to minimize all types of threat and<br />
ensure that threats are as infrequent as possible. A secondary goal is to<br />
minimize the effect of any security breach once it occurs.<br />
Aim your network security policy toward the following goals:<br />
• Preventing malicious damage to files and systems<br />
• Preventing accidental damage to files and systems<br />
• Limiting the results of any deletions or damage to files that occurs<br />
• Protecting the integrity and confidentiality of data<br />
• Preventing unauthorized access to the system<br />
• Providing appropriate disaster recovery systems so that the server can be<br />
restored and be back online again quickly<br />
8.7.6 Establishing Security Measures<br />
Once your security goals are in place, you can decide which of the many<br />
available security techniques make sense for your installation. Here are some<br />
suggestions:<br />
• Be sure the server is physically secure.<br />
• Use power-conditioning devices such as line conditioners or a<br />
Uninterruptible Power Supply (UPS).<br />
• Implement fault-tolerant services on the server. Take advantage of<br />
Redundant Array of Inexpensive Disks (RAID). For example, Windows NT<br />
supports several levels of RAID, so choose the level that makes most sense<br />
for your operation.<br />
• Make regular and frequent backups and test them to ensure that they<br />
contain what you think they do.<br />
• Install call-back modems to prevent unauthorized logon attempts from<br />
remote locations.<br />
• Use the audit trail features of your operating system.<br />
• Control access to certain files and directories.<br />
• Control uploading privileges on your FTP server to minimize the possibility of<br />
someone infecting you with a virus.<br />
• Consider using traffic padding, a technique that equalizes network traffic and<br />
thus makes it more difficult for a hacker to infer what is happening on your<br />
network.<br />
• Implement packet filtering on your border router or firewall so that only the<br />
traffic you intend to allow reaches your servers. Note that filtering does not<br />
prevent snooping on the traffic you do allow; only encryption does that.<br />
• Prepare a plan that you can execute when you detect that your network is<br />
under attack. Decide what you will do and the sequence in which you will do<br />
it. Define when you will shut down the service, the connection to the<br />
Internet, or your own internal network.<br />
8.7.7 Know Your Server<br />
The reason you are establishing your ISP should directly dictate a portion of your<br />
security policies. For example, if your ISP is designed to deliver information and<br />
content to people on the Internet and if you want to control who has access to<br />
that information, establish a portion of your security policy to dictate guidelines<br />
for access. Decide how you will control access. The most common way is with<br />
user IDs and passwords. You must establish the procedures used for verifying a<br />
user. Don’t assume that anyone will be truthful when filling in your online survey<br />
form, and verify as much of the information as you can.<br />
Some of the policies that you establish for preventing external intrusion of your<br />
ISP are the same as those for preventing internal threats. However, you can use<br />
other mechanisms, such as firewalls and proxy servers, to diminish external<br />
security threats.<br />
8.7.8 Locking In or Out<br />
Whenever a site suffers an incident that compromises computer security, the<br />
strategies for reacting may be influenced by two opposing pressures.<br />
If management fears that the site is sufficiently vulnerable, it may choose a<br />
protect and proceed strategy. This approach has as its primary goal the<br />
protection and preservation of the site facilities and the return to normality for its<br />
users as quickly as possible. Attempts will be made to actively interfere with the<br />
intruder’s processes, prevent further access and begin immediate damage<br />
assessment and recovery. This process may involve shutting down the facilities,<br />
closing off access to the network, or other drastic measures. The drawback is<br />
that unless the intruder is identified directly, they may come back into the site<br />
via a different path, or may attack another site.<br />
The alternate approach, pursue and prosecute, adopts the opposite philosophy<br />
and goals. The primary goal is to allow intruders to continue their activities at<br />
the site until the site can identify the responsible persons. This approach is<br />
endorsed by law enforcement agencies and prosecutors. The drawback is that<br />
the agencies cannot exempt a site from possible user lawsuits if damage is done<br />
to their systems and data.<br />
Prosecution is not the only outcome possible if the intruder is identified. If the<br />
culprit is an employee or a student, the organization may choose to take<br />
disciplinary actions. The computer security policy needs to spell out the choices<br />
and how they will be selected if an intruder is caught.<br />
Site management must consider its approach to this issue carefully before the<br />
problem occurs. The strategy adopted might depend upon each circumstance, or<br />
there may be a global policy that mandates one approach in all circumstances.<br />
The pros and cons must be examined thoroughly, and the users of the facilities<br />
must be made aware of the policy so that they understand their vulnerabilities<br />
no matter which approach is taken.<br />
The following is a checklist to help a site determine whether or not to adopt<br />
protect and proceed.<br />
Protect and Proceed<br />
• If assets are not well protected.<br />
• If continued penetration could result in great financial risk.<br />
• If the possibility or willingness to prosecute is not present.<br />
• If the user base is unknown.<br />
• If users are unsophisticated and their work is vulnerable.<br />
• If the site is vulnerable to lawsuits from users.<br />
8.7.9 Policy Issues<br />
There are a number of issues that must be addressed when developing a<br />
security policy. These are:<br />
• Who is allowed to use the resources?<br />
• What is the proper use of the resources?<br />
• Who may have system administration privileges?<br />
• What are the user’s rights and responsibilities?<br />
• What do you do with sensitive information?<br />
• What happens when the policy is violated?<br />
These issues are discussed below. In addition, you may wish to include a<br />
section in your policy concerning ethical use of computing resources.<br />
8.7.9.1 Who Is Allowed to Use the Resources?<br />
One step you must take in developing your security policy is defining who is<br />
allowed to use your system and services. The policy should explicitly state who<br />
is authorized to use what resources.<br />
8.7.9.2 What Is the Proper Use of the Resources?<br />
After determining who is allowed access to system resources, it is necessary to<br />
provide guidelines for the acceptable use of the resources. You may have<br />
different guidelines for different types of users (for example, students, faculty,<br />
external users). The policy should state what is acceptable use as well as unacceptable<br />
use. It should also include types of use that may be restricted. Define limits to<br />
access and authority. You will need to consider the level of access various<br />
users will have and what resources will be available or restricted to various<br />
groups of people. Your acceptable use policy should clearly state that individual<br />
users are responsible for their actions. Their responsibility exists regardless of<br />
the security mechanisms that are in place. It should be clearly stated that<br />
breaking into accounts or bypassing security is not permitted.<br />
The following points should be covered when developing an acceptable use<br />
policy:<br />
• Is breaking into accounts permitted?<br />
• Is cracking passwords permitted?<br />
• Is disrupting service permitted?<br />
• Should users assume that a file being world-readable grants them the<br />
authorization to read it?<br />
• Should users be permitted to modify files that are not their own even if they<br />
happen to have write permission?<br />
• Should users share accounts?<br />
The answer to most of these questions will be no.<br />
You may wish to incorporate a statement in your policies concerning copyrighted<br />
and licensed software. Licensing agreements with vendors may require some<br />
sort of effort on your part to ensure that the license is not violated. In addition,<br />
you may wish to inform users that the copying of copyrighted software may be a<br />
violation of the copyright laws and is not permitted.<br />
Specifically concerning copyrighted and/or licensed software, you may wish to<br />
include the following information:<br />
• Copyrighted and licensed software may not be duplicated unless it is<br />
explicitly stated that you may do so.<br />
• Methods of conveying information on the copyright/licensed status of<br />
software.<br />
• When in doubt, don’t copy.<br />
Your acceptable use policy is very important. A policy that does not clearly state<br />
what is not permitted may leave you unable to prove that a user violated the<br />
policy.<br />
There are exception cases, such as tiger teams and users or administrators<br />
asking for a license to hack: you may face the situation where users want to<br />
hack on your services for security research purposes. You should develop a<br />
policy that determines whether you will permit this type of research on your<br />
services and, if so, what your guidelines for such research will be.<br />
Points you may wish to cover in this area:<br />
• Whether it is permitted at all.<br />
• What type of activity is permitted: breaking in, releasing worms, releasing<br />
viruses, etc.<br />
• What type of controls must be in place to ensure that it does not get out of<br />
control (separate a segment of your network for these tests).<br />
• How you will protect other users from being victims of these activities,<br />
including external users and networks.<br />
• The process for obtaining permission to conduct these tests.<br />
In cases where you do permit these activities, you should isolate the portions of<br />
the network that are being tested from your main network. Worms and viruses<br />
should never be released on a live network.<br />
You may also wish to employ, contract, or otherwise solicit one or more people<br />
or organizations to evaluate the security of your services, which may include<br />
hacking. You may wish to provide for this in your policy.<br />
8.7.9.3 Who May Have System Administration Privileges?<br />
One security decision that needs to be made very carefully is who will have<br />
access to system administrator privileges and passwords for your services.<br />
Obviously, the system administrators will need access, but inevitably other users<br />
will request special privileges. The policy should address this issue. Restricting<br />
privileges is one way to deal with threats from local users. The challenge is to<br />
balance restricting these privileges to protect security against giving the people<br />
who need them access so that they can perform their tasks. One approach that<br />
can be taken is to grant only enough privilege to accomplish the necessary<br />
tasks.<br />
Additionally, people holding special privileges should be accountable to some<br />
authority and this should also be identified within the site’s security policy. If the<br />
people you grant privileges to are not accountable, you run the risk of losing<br />
control of your system and will have difficulty managing a compromise in<br />
security.<br />
8.7.9.4 What Are The Users’ Rights and Responsibilities?<br />
The policy should incorporate a statement on the users’ rights and<br />
responsibilities concerning the use of the site’s computer systems and services.<br />
It should be clearly stated that users are responsible for understanding and<br />
respecting the security rules of the systems they are using. The following is a<br />
list of topics that you may wish to cover in this area of the policy:<br />
• What guidelines you have regarding resource consumption (whether users<br />
are restricted, and if so, what the restrictions are).<br />
• What might constitute abuse in terms of system performance.<br />
• Whether users are permitted to share accounts or let others use their<br />
accounts.<br />
• How secret users should keep their passwords.<br />
• How often users should change their passwords and any other password<br />
restrictions or requirements.<br />
• Whether you provide backups or expect the users to create their own.<br />
• Disclosure of information that may be proprietary.<br />
• Statement on electronic mail privacy (Electronic Communications Privacy<br />
Act).<br />
• Your policy concerning controversial mail or post to mailing lists or<br />
discussion groups (obscenity, harassment, etc.).<br />
• Policy on electronic communications: mail forging, etc.<br />
8.7.9.5 What Do You Do with Sensitive Information?<br />
The primary defense against the sniffing of confidential data is education.<br />
You need to update your security policy and educate your users. They should<br />
treat a public network just as they treat unprotected phone lines and public<br />
places.<br />
• If information is sensitive enough that you would not read it on a bus or a<br />
plane, then you probably should not send it across the Internet.<br />
• If information is confidential enough that you would not repeat it on a cellular<br />
telephone, then you probably should not send it across the Internet.<br />
• If you would not send it through the normal mail, except perhaps in a<br />
double envelope, then you probably should not send it across the Internet.<br />
• Consider providing separate user profiles for Internet and e-mail usage, at<br />
least for users with powerful profiles. That way, if someone sees an e-mail<br />
that an employee sends, the hacker will not have the name of a powerful<br />
profile on your system.<br />
• Put this information in an area of your server with restricted access.<br />
• Limit access to those users who really have to manage the information.<br />
• Ensure that you always have a backup copy of the area holding this<br />
sensitive information, so that you can recover from an intruder’s attack.<br />
8.7.9.6 What Happens When the Policy Is Violated?<br />
It is obvious that when any type of official policy is defined, be it related to<br />
computer security or not, it will eventually be broken. The violation may occur<br />
due to an individual’s negligence, accidental mistake, having not been properly<br />
informed of the current policy, or not understanding the current policy. It is<br />
equally possible that an individual (or group of individuals) may knowingly<br />
perform an act that is in direct violation of the defined policy.<br />
When a policy violation has been detected, the immediate course of action<br />
should be pre-defined to ensure prompt and proper enforcement. An<br />
investigation should be performed to determine how and why the violation<br />
occurred. Then the appropriate corrective action should be executed. The type<br />
and severity of action taken varies depending on the type of violation that<br />
occurred.<br />
8.7.10 General Internet Security Principles<br />
The general Internet security principles are:<br />
• Simplicity: You will probably find that Internet security can be quite<br />
complicated. Since Internet security can involve many complex<br />
configurations, there is the opportunity to introduce errors that can be<br />
exploited by a hacker. In fact, configuration holes are one of the most<br />
common means of intrusion. The simpler your configuration, the more<br />
likely it is to be correct.<br />
• Explicit authority: Your defaults should be set up to deny access. Only the<br />
specific users you authorize should be able to perform functions. Everything<br />
else should be denied.<br />
• Choke points: Limiting the number of connections or routes data can take<br />
allows you to concentrate your defenses. It makes access easier to control<br />
and monitor. This choke point may be physical or logical.<br />
• Secondary defense: Do not assume your defenses always work. You can<br />
make configuration errors or hackers can get past one of your defenses, but<br />
if you have another roadblock in place, it either slows them down or stops<br />
them completely. Developing a healthy paranoia helps you to do a good job.<br />
• Do not trust: Do not trust any information you receive from the Internet such<br />
as IP addresses, hostnames, or passwords. These can be forged.<br />
Figure 67 on page 214 shows all the elements needed to build a good security<br />
policy for your environment before connecting it to the Internet.<br />
Figure 67. Security Policy and the Internet<br />
8.8 Establishing Procedures to Prevent Security Problems<br />
The security policy by itself doesn’t say how things are protected. The security<br />
policy should be a high-level document, giving general strategy. The security<br />
procedures need to set out, in detail, the precise steps your site will take to<br />
protect itself.<br />
The security policy should include a general risk assessment of the types of<br />
threats a site is most likely to face and the consequences of those threats.<br />
Part of doing a risk assessment will include creating a general list of assets that<br />
should be protected. This information is critical in devising cost-effective<br />
procedures.<br />
It is often tempting to start creating security procedures by deciding on different<br />
mechanisms first: our site should have logging on all hosts, call-back modems,<br />
and smart cards for all users. This approach could lead to some areas that have<br />
too much protection for the risk they face, and other areas that aren’t protected<br />
enough. Starting with the security policy and the risks it outlines should ensure<br />
that the procedures provide the right level of protection for all assets.<br />
8.8.1 Steps to Implement Secure Internet Applications<br />
The steps to implement secure Internet applications are:<br />
• Design for Security: Base the design on policies decided by observing your<br />
company’s general I/T and networking security directions. For later testing,<br />
auditing, and extension, document the security measures you decided to<br />
implement.<br />
• Test: Do not assume that all of the security features you implemented are<br />
running properly; test them. And test them on a regular basis. Any time you<br />
make a change in a configuration, you want to verify that you have not<br />
inadvertently opened a security hole.<br />
Engage a neutral or company-external person to test the security measures<br />
of your Internet environment.<br />
There are utilities available, mostly UNIX-based, to test Internet security.<br />
These programs check mainly the network access.<br />
• Control: Logging the activities provides information on the usage of your<br />
Internet applications. Develop queries to analyze this data and to find<br />
possible attacks and misuse.<br />
PC-based utilities are available to analyze and present the results graphically.<br />
Check for attacks that can be detected and for attacks where appropriate<br />
action can be taken immediately. For example, an attempt to use a<br />
non-existent user ID should result at least in a message to the QSYSOPR<br />
message queue (in the case of AS/400 Internet servers), generation of an SNA<br />
alert (in the case of S/390 Internet servers), or an SNMP trap or transmission of<br />
a pager message.<br />
• User Education: You cannot assure security alone. You need to make sure<br />
that your users are helping. All of the complex security features in the world<br />
are not going to help you if users share their passwords in e-mail messages.<br />
Users must be educated on the risks associated with the Internet and be<br />
given clear instructions on what they should and should not do.<br />
• Revision: Time changes things. Technology is getting more advanced,<br />
Internet applications are enhanced, and hackers are getting smarter.<br />
Consequently, your security measures need to be revised periodically.<br />
8.8.2 Identifying Possible Problems<br />
To determine risk, vulnerabilities must be identified. Part of the purpose of the<br />
policy is to aid in finding the vulnerabilities and thus decreasing the risk in as<br />
many areas as possible.<br />
8.8.2.1 Access Points<br />
Access points are typically used for entry by unauthorized users. Having many<br />
access points increases the risk of access to an organization’s computer and<br />
network facilities. Network links to networks outside the organization allow<br />
access into the organization for all others connected to that external network. A<br />
network link typically provides access to a large number of network services,<br />
and each service has a potential to be compromised. Dial-up lines, depending<br />
on their configuration, may provide access merely to a login port of a single<br />
system. If connected to a terminal server, the dial-up line may give access to<br />
the entire network. Terminal servers themselves can be a source of problems.<br />
Many terminal servers do not require any kind of authentication. Intruders often<br />
use terminal servers to disguise their actions, dialing in on a local phone and<br />
then using the terminal server to go out to the local network. Some terminal<br />
servers are configured so that intruders can Telnet in from outside the network,<br />
and then Telnet back out again, again making it difficult to trace them.<br />
8.8.2.2 Software Bugs<br />
Software will never be bug free. Publicly known security bugs are common<br />
methods of unauthorized entry. Part of the solution to this problem is to be<br />
aware of the security problems and to update the software when problems are<br />
detected. When bugs are found, they should be reported to the vendor so that a<br />
solution to the problem can be implemented and distributed.<br />
8.8.2.3 Insider Threats<br />
An insider to the organization may be a considerable threat to the security of the<br />
computer systems. Insiders often have direct access to the computer and<br />
network hardware components. The ability to access the components of a<br />
system makes most systems easier to compromise. Most desktop workstations<br />
can be easily manipulated so that they grant privileged access. Access to a<br />
local area network provides the ability to view possibly sensitive data traversing<br />
the network.<br />
8.8.3 Controls to Protect Assets in a Cost-Effective Way<br />
After establishing what is to be protected, and assessing the risks these assets<br />
face, it is necessary to decide how to implement the controls which protect these<br />
assets. The controls and protection mechanisms should be selected in a way so<br />
as to adequately counter the threats found during risk assessment, and to<br />
implement those controls in a cost-effective manner. It makes little sense to<br />
spend an exorbitant sum of money and overly constrict the user base if the risk<br />
of exposure is very small.<br />
8.8.3.1 Choose the Right Set of Controls<br />
The controls that are selected represent the physical embodiment of your<br />
security policy. They are the first and primary line of defense in the protection of<br />
your assets. It is therefore most important to ensure that the controls that you<br />
select are the right set of controls. If the major threat to your system is outside<br />
penetrations, it probably doesn’t make much sense to use biometric devices to<br />
authenticate your regular system users. On the other hand, if the major threat is<br />
unauthorized use of computing resources by regular system users, you will<br />
probably want to establish very rigorous automated accounting procedures.<br />
8.8.3.2 Use Common Sense<br />
Common sense is the most appropriate tool that can be used to establish your<br />
security policy. Elaborate security schemes and mechanisms are impressive,<br />
and they do have their place, yet there is little point in investing money and time<br />
on an elaborate implementation scheme if the simple controls are forgotten. For<br />
example, no matter how elaborate a system you put into place on top of existing<br />
security controls, a single user with a poor password can still leave your system<br />
open to attack.<br />
8.8.3.3 Use Multiple Strategies to Protect Assets<br />
Another method of protecting assets is to use multiple strategies. In this way, if<br />
one strategy fails or is circumvented, another strategy comes into play to<br />
continue protecting the asset. By using several simpler strategies, a system can<br />
often be made more secure than if one very sophisticated method were used in<br />
its place. For example, dial-back modems can be used in conjunction with<br />
traditional logon mechanisms. Many similar approaches could be devised that<br />
provide several levels of protection for assets. However, it’s very easy to go<br />
overboard with extra mechanisms. One must keep in mind exactly what it is that<br />
needs to be protected.<br />
8.9 Physical Security<br />
It is a given in computer security that if the system itself is not physically secure,<br />
nothing else about the system can be considered secure. With physical access<br />
to a machine, an intruder can halt the machine, bring it back up in privileged<br />
mode, replace or alter the disk, plant virus programs, or take any number of<br />
other undesirable (and hard to prevent) actions. Critical communications links,<br />
important servers, and other key machines should be located in physically<br />
secure areas. Some security systems (such as Kerberos) require that the<br />
machine be physically secure. If you cannot physically secure machines, care<br />
should be taken about trusting those machines. Sites should consider limiting<br />
access from non-secure machines to more secure machines. Allowing trusted<br />
access from such hosts is particularly risky. For<br />
machines that seem or are intended to be physically secure, care should be<br />
taken about who has access to the machines. Remember that custodial and<br />
maintenance staff often have keys to rooms and may not knowingly allow access<br />
to unauthorized individuals.<br />
8.9.1 Procedures to Recognize Unauthorized Activity<br />
Several simple procedures can be used to detect most unauthorized uses of a<br />
computer system. These procedures use tools provided with the operating<br />
system by the vendor, or tools publicly available from other sources.<br />
8.9.1.1 Monitoring System Use<br />
System monitoring can be done either by a system administrator or by software<br />
written for the purpose. Monitoring a system involves looking at several parts of<br />
the system and searching for anything unusual. The most important thing about<br />
monitoring system use is that it be done on a regular basis. Picking one day out<br />
of the month to monitor the system is pointless, since a security breach can be<br />
isolated to a matter of hours. Only by maintaining a constant vigil can you<br />
expect to detect security violations in time to react to them.<br />
8.9.2 Tools for Monitoring the System<br />
This section describes some of the tools for monitoring the system.<br />
8.9.2.1 Logging<br />
Most operating systems store numerous bits of information in log files.<br />
Examination of these log files on a regular basis is often the first line of defense<br />
in detecting unauthorized use of the system.<br />
Compare Lists of Currently Logged in Users and Past Login Histories: Most<br />
users typically log in and out at roughly the same time each day. An account<br />
logged in outside the normal time for the account may be in use by an intruder.<br />
Many Systems Maintain Accounting Records for Billing Purposes: These<br />
records can also be used to determine usage patterns for the system; unusual<br />
accounting records may indicate unauthorized use of the system.<br />
System Logging Facilities, Such As the UNIX syslog Utility: These should be<br />
checked for unusual error messages from system software. For example, a large<br />
number of failed login attempts in a short period of time may indicate someone<br />
trying to guess passwords.<br />
Operating System Commands That List Currently Executing Processes: These<br />
can be used to detect users running programs they are not authorized to use, as<br />
well as to detect unauthorized programs that have been started by an intruder.<br />
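The two log checks described above (a burst of failed logins in a short period, and attempts to use user IDs that do not exist, which 8.8.2 says should raise an alert) as an added example that is not part of the redbook. The log lines and the "FAILED LOGIN FROM &lt;src&gt; FOR &lt;user&gt;" wording are constructed for this example; the patterns must be adapted to the login daemon actually in use.<br />

```shell
#!/bin/sh
# Added example, not from the redbook: scan syslog-style login records for
# bursts of failed logins from one source and for attempts against user IDs
# that do not exist (the two signals the text says to watch for).
# The log lines and the "FAILED LOGIN FROM <src> FOR <user>" wording are
# constructed for this example; adapt the patterns to your login daemon.

SAMPLE_LOG=$(cat <<'EOF'
Oct 12 02:14:01 gw1 login[2211]: FAILED LOGIN FROM 10.0.0.77 FOR root
Oct 12 02:14:05 gw1 login[2211]: FAILED LOGIN FROM 10.0.0.77 FOR root
Oct 12 02:14:09 gw1 login[2211]: FAILED LOGIN FROM 10.0.0.77 FOR guest (unknown user)
Oct 12 02:15:30 gw1 login[2214]: FAILED LOGIN FROM 10.0.0.77 FOR admin (unknown user)
Oct 12 02:16:02 gw1 login[2214]: FAILED LOGIN FROM 10.0.0.77 FOR root
Oct 12 08:01:44 gw1 login[2310]: LOGIN ON ttyp0 BY alice FROM 10.0.1.5
Oct 12 09:30:11 gw1 login[2377]: FAILED LOGIN FROM 192.0.2.9 FOR alice
EOF
)

# Print "source bucket count" for every (source, 10-minute bucket) that shows
# at least $2 failed logins in log file $1.  The bucket is the HH:M prefix of
# the timestamp, so a burst that straddles a boundary may be split in two;
# a sliding window would be more precise, but this is enough for a first look.
failed_login_bursts() {
    awk -v limit="$2" '
        /FAILED LOGIN FROM/ {
            bucket = substr($3, 1, 4)
            for (i = 1; i <= NF; i++) if ($i == "FROM") src = $(i + 1)
            n[src " " bucket]++
        }
        END { for (k in n) if (n[k] >= limit) print k, n[k] }
    ' "$1" | sort
}

# Print each user ID that was tried but does not exist, once per ID.
unknown_user_attempts() {
    awk '
        /FAILED LOGIN FROM/ && /\(unknown user\)/ {
            for (i = 1; i <= NF; i++) if ($i == "FOR") print $(i + 1)
        }
    ' "$1" | sort -u
}

# Stand-alone run over the constructed sample.
log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$log"
echo "Sources with 4 or more failures in a 10-minute bucket:"
failed_login_bursts "$log" 4
echo "Non-existent user IDs that were attempted:"
unknown_user_attempts "$log"
rm -f "$log"
```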
8.9.2.2 Monitoring Software<br />
Other monitoring tools can easily be constructed using standard operating<br />
system software, by using several, often unrelated, programs together. For<br />
example, checklists of file ownerships and permission settings can be<br />
constructed (for example, with ls and find on UNIX) and stored offline. These<br />
lists can then be reconstructed periodically and compared against the master<br />
checklist (on UNIX, by using the diff utility). Differences may indicate that<br />
unauthorized modifications have been made to the system.<br />
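The ownership and permission checklist just described, built with find, kept offline and compared with diff, as an added example that is not part of the redbook. It assumes GNU find (for -printf), and the small file tree it checks is constructed in a temporary directory.<br />

```shell
#!/bin/sh
# Added example, not from the redbook: build the file ownership/permission
# checklist the text describes with find, keep it offline, and later diff a
# fresh listing against it.  Assumes GNU find for -printf; the sample tree is
# constructed in a temporary directory.

# One line per file: owner, group, octal mode, path, sorted by path so two
# snapshots of the same tree compare line for line.
snapshot_perms() {
    find "$1" -printf '%u %g %m %p\n' | sort -k 4
}

# Diff stored baseline $1 against a fresh snapshot of directory $2.
# Exit status is diff's: 0 when nothing changed, 1 when any owner, group,
# mode or file set differs (new or deleted files show up as +/- lines).
check_perms() {
    snapshot_perms "$2" | diff "$1" -
}

# Stand-alone run: baseline a small tree, then loosen a mode as an intruder
# (or a careless administrator) might, and show that the comparison catches it.
tree=$(mktemp -d)
mkdir "$tree/etc" "$tree/bin"
printf 'root:x:0:0:root:/:/bin/sh\n' > "$tree/etc/passwd"
: > "$tree/bin/tool"
chmod 644 "$tree/etc/passwd"
chmod 755 "$tree/bin/tool"
baseline="$tree.baseline"        # in practice copy this to offline storage
snapshot_perms "$tree" > "$baseline"

chmod 666 "$tree/etc/passwd"     # world-writable password file
chmod 4755 "$tree/bin/tool"      # unexpected setuid bit
if check_perms "$baseline" "$tree"; then
    echo "no changes since baseline"
else
    echo "ownership or permissions differ from baseline (see diff above)"
fi
rm -rf "$tree" "$baseline"
```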
8.9.2.3 Other Tools<br />
Other tools can also be used to monitor systems for security violations, although<br />
this is not their primary purpose. For example, network monitors can be used to<br />
detect and log connections from unknown sites.<br />
8.9.3 Vary the Monitoring Schedule<br />
The task of system monitoring is not as daunting as it may seem. System<br />
administrators can execute many of the commands used for monitoring<br />
periodically throughout the day during idle moments (for example, while talking<br />
on the telephone), rather than spending fixed periods of each day monitoring the<br />
system. By executing the commands frequently, you will rapidly become used to<br />
seeing normal output, and will easily spot things that are out of the ordinary. In<br />
addition, by running various monitoring commands at different times throughout<br />
the day, you make it hard for an intruder to predict your actions. For example, if<br />
an intruder knows that each day at 5:00 p.m. the system is checked to see that<br />
everyone has logged off, he or she will simply wait until after the check has<br />
completed before logging in. But the intruder cannot guess when a system<br />
administrator might type a command to display all logged in users, and thus he<br />
or she runs a much greater risk of detection.<br />
Despite the advantages that regular system monitoring provides, some intruders<br />
will be aware of the standard logging mechanisms in use on systems they are<br />
attacking. They will actively pursue and attempt to disable monitoring<br />
mechanisms. Regular monitoring therefore is useful in detecting intruders, but<br />
does not provide any guarantee that your system is secure. Also, monitoring<br />
should not be considered an infallible method of detecting unauthorized use.<br />
8.9.3.1 Define Actions to Take When Unauthorized Activity Is<br />
Suspected<br />
The procedures for dealing with these types of problems should be written down.<br />
Who has authority to decide what actions will be taken? Should law enforcement<br />
be involved? Should your organization cooperate with other sites in trying to<br />
track down an intruder? Whether you decide to lock out or pursue intruders, you<br />
should have tools and procedures ready to apply. It is best to work up these<br />
tools and procedures before you need them. Don’t wait until an intruder is on<br />
your system to figure out how to track the intruder’s actions; you will be busy<br />
enough if an intruder strikes.<br />
8.9.4 Communicating Security Policy<br />
Security policies, in order to be effective, must be communicated to both the<br />
users of the system and the system maintainers.<br />
8.9.4.1 Educating the Users<br />
Users should be made aware of how the computer systems are expected to be<br />
used, and how to protect themselves from unauthorized users.<br />
Proper Account/Workstation Use: All users should be informed about what is<br />
considered the “proper” use of their account or workstation. This can most<br />
easily be done at the time a user receives their account by giving them a policy<br />
statement. Proper use policies typically dictate things such as whether or not<br />
the account or workstation may be used for personal activities (such as<br />
checkbook balancing or letter writing), whether profit-making activities are<br />
allowed, whether game playing is permitted, and so on. These policy statements<br />
may also be used to summarize how the computer facility is licensed and what<br />
software licenses are held by the institution; for example, many universities have<br />
educational licenses that explicitly prohibit commercial use of the system.<br />
Account/Workstation Management Procedures: Each user should be told how to<br />
properly manage their account and workstation. This includes explaining how to<br />
protect files stored on the system, how to log out or lock the terminal or<br />
workstation, and so on. Much of this information is typically covered in the<br />
beginning user documentation provided by the operating system vendor,<br />
although many sites elect to supplement this material with local information. If<br />
your site offers dial-up modem access to the computer systems, special care<br />
must be taken to inform users of the security problems inherent in providing this<br />
access. Issues such as making sure to log out before hanging up the modem<br />
should be covered when the user is initially given dial-up access. Likewise,<br />
access to the systems via local and wide area networks presents its own set of<br />
security problems which users should be made aware of. Files that grant trusted<br />
host or trusted user status to remote systems and users should be carefully<br />
explained.<br />
Determining Account Misuse: Users should be told how to detect unauthorized<br />
access to their account. If the system prints the last login time when a user logs<br />
in, he or she should be told to check that time and note whether or not it agrees<br />
with the last time he or she actually logged in. Command interpreters on some<br />
systems maintain histories of the last several commands executed. Users<br />
should check these histories to be sure someone has not executed other<br />
commands with their account.<br />
Problem Reporting Procedures: A procedure should be developed to enable<br />
users to report suspected misuse of their accounts or other misuse they may<br />
have noticed. This can be done either by providing the name and telephone<br />
number of a system administrator who manages security of the computer<br />
system, or by creating an electronic mail address to which users can address<br />
their problems.<br />
8.9.4.2 Educating the Host Administrators<br />
In many organizations, computer systems are administered by a wide variety of<br />
people. These administrators must know how to protect their own systems from<br />
attack and unauthorized use, as well as how to communicate successful<br />
penetration of their systems to other administrators as a warning.<br />
Account Management Procedures: Care must be taken when installing accounts<br />
on the system in order to make them secure. When installing a system from<br />
distribution media, the password file should be examined for standard accounts<br />
provided by the vendor. Many vendors provide accounts for use by system<br />
services or field service personnel. These accounts typically have either no<br />
password or one that is common knowledge. These accounts should be given<br />
new passwords if they are needed, or disabled or deleted from the system if they<br />
are not. Accounts without passwords are generally very dangerous since they<br />
allow anyone to access the system.<br />
Even accounts that do not execute a command interpreter (accounts that exist<br />
only to see who is logged in to the system) can be compromised if set up<br />
incorrectly. A related concept is that of anonymous file transfer (FTP), which<br />
allows workstation users from all over the network to access your system to<br />
retrieve files from (usually) a protected disk area. You should carefully weigh<br />
the benefits that an account without a password provides against the security<br />
risks of providing such access to your system. If the operating system provides<br />
a shadow password facility that stores passwords in a separate file accessible<br />
only to privileged users, this facility should be used. It protects passwords by<br />
hiding their encrypted values from unprivileged users. This prevents an attacker<br />
from copying your password file to his or her machine and then attempting to<br />
break the passwords at his or her leisure. Keep track of who has access to<br />
privileged user accounts (the root user ID on UNIX or the MAINT user ID on<br />
VMS). Whenever a privileged user leaves the organization or no longer has<br />
need of the privileged account, the passwords on all privileged accounts should<br />
be changed.<br />
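As an added illustration (not from the redbook), the following Python script performs the password-file examination described above on a constructed /etc/passwd-style sample; the vendor account names and the sample entries are placeholders, not taken from any real system.

```python
"""Audit a UNIX-style password file for the account problems described above.

Added example, not from the redbook. The input is constructed inline in the
classic /etc/passwd layout (name:password:uid:gid:gecos:home:shell); the
vendor-account list is a constructed placeholder for the accounts your own
vendor actually ships.
"""
from dataclasses import dataclass

# Constructed placeholder: accounts a vendor might ship for system services
# or field service staff. Replace with the list from your vendor's documentation.
VENDOR_ACCOUNTS = {"field", "guest", "sync", "uucp"}

# Shells that do not start a command interpreter (the "who is logged in"
# style accounts mentioned above). They are still risky without a password.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/bin/who", "/bin/sync"}

# A password field holding one of these is locked or points at a shadow file.
LOCKED_OR_SHADOWED = {"x", "*", "!"}

ISSUE_EMPTY_SHELL = "empty password field (interactive shell)"
ISSUE_EMPTY_NOLOGIN = "empty password field (no command interpreter)"
ISSUE_VISIBLE_HASH = "encrypted password visible to unprivileged users"
ISSUE_VENDOR_ENABLED = "vendor-supplied account still enabled"
ISSUE_EXTRA_ROOT = "additional UID 0 account"


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str


def parse_passwd(text):
    """Yield (name, password, uid, shell) for each well-formed passwd line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, _gid, _gecos, _home, shell = fields
        yield name, password, int(uid), shell


def audit_passwd(text):
    """Return a list of Finding objects for the problems the text warns about."""
    findings = []
    for name, password, uid, shell in parse_passwd(text):
        if password == "":
            # Anyone can log in as this account: the most dangerous case.
            issue = ISSUE_EMPTY_NOLOGIN if shell in NOLOGIN_SHELLS else ISSUE_EMPTY_SHELL
            findings.append(Finding(name, issue))
        elif password not in LOCKED_OR_SHADOWED:
            # A hash in a world-readable file can be copied and attacked at
            # leisure; the shadow password facility keeps it out of reach.
            findings.append(Finding(name, ISSUE_VISIBLE_HASH))
        if name in VENDOR_ACCOUNTS and password not in {"*", "!"}:
            # Vendor accounts should get a new password or be disabled/deleted.
            findings.append(Finding(name, ISSUE_VENDOR_ENABLED))
        if uid == 0 and name != "root":
            # Every UID 0 account is a privileged account to keep track of.
            findings.append(Finding(name, ISSUE_EXTRA_ROOT))
    return findings


def findings_by_account(text):
    """Group audit findings as {account: set of issue strings}."""
    grouped = {}
    for finding in audit_passwd(text):
        grouped.setdefault(finding.account, set()).add(finding.issue)
    return grouped


# Constructed sample password file, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:Superuser:/:/bin/sh
toor:x:0:0:Alternate superuser:/:/bin/sh
field:x:10:10:Field service:/usr/field:/bin/sh
guest::200:200:Guest account:/tmp:/bin/sh
who::201:201:Show who is logged in:/tmp:/usr/bin/who
uucp:*:5:5:UUCP:/var/spool/uucp:/bin/sh
alice:aB3kQ9zLmPqR:1001:100:Alice:/home/alice:/bin/ksh
bob:x:1002:100:Bob:/home/bob:/bin/ksh
"""

if __name__ == "__main__":
    for account, issues in sorted(findings_by_account(SAMPLE_PASSWD).items()):
        for issue in sorted(issues):
            print(f"{account:8} {issue}")
```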
Configuration Management Procedures: When installing a system from the<br />
distribution media or when installing third-party software, it is important to check<br />
the installation carefully. Many installation procedures assume a trusted site,<br />
and hence will install files with world-writeable permission enabled, or otherwise<br />
compromise the security of files. Network services should also be examined<br />
carefully when first installed. Many vendors provide default network permission<br />
files which imply that all outside hosts are to be trusted, which is rarely the case<br />
when connected to wide area networks such as the Internet.<br />
Many intruders collect information on the vulnerabilities of particular system<br />
versions. The older a system, the more likely it is that there are security<br />
problems in that version that have since been fixed by the vendor in a later<br />
release. For this reason, it is important to weigh the risks of not upgrading to a<br />
new operating system release (thus leaving security holes unplugged) against<br />
the cost of upgrading to the new software (possibly breaking third-party software,<br />
etc.).<br />
Bug fixes from the vendor should be weighed in a similar fashion, with the added<br />
note that security fixes from a vendor usually address fairly serious security<br />
problems. Other bug fixes, received via network mailing lists and the like,<br />
should usually be installed, but not without careful examination. Never install a<br />
bug fix unless you’re sure you know what the consequences of the fix are;<br />
there’s always the possibility that an intruder has suggested a fix which actually<br />
gives him or her access to your system.<br />
Recovery Procedures - Backups: It is impossible to overemphasize the need for<br />
a good backup strategy. File system backups not only protect you in the event of<br />
hardware failure or accidental deletions, but they also protect you against<br />
unauthorized changes made by an intruder. Without a copy of your data the way<br />
it’s supposed to be, it can be difficult to undo something an attacker has done.<br />
Backups, especially if run daily, can also be useful in providing a history of an<br />
intruder’s activities. Looking through old backups can establish when your<br />
system was first penetrated. Intruders may leave files around which, although<br />
deleted later, are captured on the backup tapes. Backups can also be used to<br />
document an intruder’s activities to law enforcement agencies if necessary. A<br />
good backup strategy will dump the entire system to tape at least once a month.<br />
Partial (or incremental) dumps should be done at least twice a week, and ideally<br />
they should be done daily. Commands specifically designed for performing file<br />
system backups (UNIX dump or VMS BACKUP command) should be used in<br />
preference to other file copying commands, since these tools are designed with<br />
the express intent of restoring a system to a known state.<br />
8.9.4.3 Problem Reporting Procedures<br />
As with users, system administrators should have a defined procedure for<br />
reporting security problems. In large installations, this is often done by creating<br />
an electronic mail alias that contains the names of all system administrators in<br />
the organization. Other methods include setting up some sort of response team<br />
similar to the CERT, or establishing a hotline serviced by an existing support<br />
group.<br />
8.10 Firewall<br />
A firewall provides a means of protecting your internal corporate network from<br />
unauthorized access from the Internet. They are just one of the tools for defense<br />
that can be employed.<br />
A firewall is used to help implement your Internet security policy. The firewall<br />
provides a barrier between a secure network and an unsecured network such as<br />
the Internet. The firewall controls access to and from the secure network.<br />
Figure 68. Protecting Your Internal Network with an Internet Firewall<br />
Things a firewall can do:<br />
• Let the internal users access Web servers on the Internet.<br />
• Let the users exchange mail with other users on the Internet.<br />
• Prevent users on the Internet from accessing systems in your corporate<br />
network.<br />
• Prevent information about your network (for instance, IP addresses) from<br />
being exposed to the users on the Internet.<br />
Things a firewall cannot do:<br />
• A firewall is able to protect from intrusion from the outside. A firewall does<br />
not protect you from an inside user sending sensitive information over the<br />
Internet.<br />
• A firewall does not provide protection of data that is sent from an internal<br />
user to an Internet user.<br />
• Most firewalls are not able to check for viruses.<br />
8.10.1 Why Are Firewalls Needed?<br />
There are potential intruders on the Internet. These intruders attempt to exploit<br />
the known weaknesses in the IP, TCP, and ICMP protocols and the applications<br />
that use them.<br />
Many people believe that because a system can have strong host security, as the<br />
AS/400 does for example, it can be directly connected to the Internet. Unfortunately,<br />
this is not true, because the AS/400 system has to contend with the same<br />
unsecured TCP/IP protocols as other systems.<br />
It is not just the server that you need to protect. Once you connect to the<br />
Internet, every system of your internal network is accessible from the Internet.<br />
Firewalls are needed so that a security exposure on any of the systems in your<br />
internal network cannot be exploited by users on the Internet.<br />
8.10.2 Firewall Principles<br />
When setting up a firewall, there are a number of principles that you are advised<br />
to follow. Some are:<br />
• Make sure that you do not have any other connections to the Internet. The<br />
firewall provides a choke point, forcing all traffic to and from the Internet to<br />
flow through it.<br />
• There should be no direct TCP/IP connections between the applications on<br />
the internal systems and the servers on the Internet. A direct connection<br />
enables the server to learn information (such as the IP address) about the<br />
client system. All communication connections should be broken at the<br />
firewall.<br />
• Information about the internal network should be prevented from reaching<br />
the Internet. Information on host names and IP addresses is valuable.<br />
• Systems that are intended to be accessed by users on the Internet should be<br />
on the outside of the firewall. Once you start letting Internet traffic through<br />
the firewall, you open new holes for an intruder.<br />
8.10.3 Firewall Elements<br />
Some people assume that a firewall is a single box with one wire in and one<br />
wire out. This is not always the case. A firewall is constructed from one or<br />
more software products that run on one or more hosts that may be general<br />
purpose systems or routers.<br />
Major technologies implemented with a firewall are:<br />
• Packet filtering to limit traffic<br />
• Proxy servers or SOCKS servers to break TCP/IP connections<br />
• Domain name services to hide network information<br />
Policy plays an important role because the various technologies can be used in<br />
many ways. It is important that a company decides on its Internet security policy<br />
before it begins the process of building a firewall.<br />
8.10.3.1 IP Packet Filtering<br />
IP packet filtering is a technology inserted at a low level in the IP protocol stack.<br />
A packet filter compares the packet against a set of rules that say which packets<br />
are permitted (that is, which packets are to be forwarded and which discarded).<br />
Packet filters are a good way to selectively allow some traffic into a subnetwork<br />
to protect from unwanted traffic. A packet filter is completely transparent to the<br />
user.<br />
Packet filters check the packet header to determine whether to forward or to<br />
discard the packet. Most packet filters allow filtering by:<br />
• Source and destination IP address<br />
• Protocols such as TCP, UDP, or ICMP<br />
• Source and destination ports (ports identify a TCP/IP application such as FTP<br />
or Telnet)<br />
• Whether the packet is destined for or originated from a local application<br />
• Whether the packet is inbound or outbound<br />
Figure 69. Packet Filtering Router<br />
Your initial thought might be that this is going to be really easy. But we have to<br />
make a distinction between inbound/outbound packets and inbound/outbound<br />
connections. Inbound packets resulting from an outbound connection are OK.<br />
That means packet filters need to pay attention to the flags in the TCP header<br />
(SYN or ACK) that indicate whether this is a new connection or a response to an<br />
existing connection.<br />
A typical installation has 50 to 100 of these rules. They usually come in sets that<br />
allow a particular application to run between a set of IP addresses. And at the<br />
end, there is a rule that says to deny all other traffic. This is an implementation<br />
of one of the Internet security principles: That which is not expressly permitted<br />
is denied.<br />
8.10.3.2 Packet Filtering Router<br />
Most popular routers have some sort of packet filtering technology. Although by<br />
themselves they are not really a firewall, they may provide enough protection in<br />
some circumstances.<br />
Let’s take the situation where you want to attach your server as a Web server to<br />
the Internet. This server is a public server, which means you want users on the<br />
Internet to be able to easily find it. You want to provide some protection for this<br />
server but you cannot isolate it. Using packet filtering support on the router is<br />
probably all you need. You can set up your rules to allow HTTP requests in and<br />
HTTP requests out but block unwanted traffic such as Telnet and FTP.<br />
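The following Python model, added here and not part of the redbook, evaluates an ordered rule set in the way just described: it uses the SYN/ACK distinction between new and established connections from the previous section, ends with the "deny everything else" rule, and encodes the Web-server scenario above (HTTP in and out, Telnet and FTP blocked). The server address 192.0.2.10 and the client addresses are constructed.

```python
"""Ordered packet-filter rules with the connection-direction distinction above.

Added example, not from the redbook. It models the rule set sketched for a
public Web server on a perimeter network; the server address 192.0.2.10 and
the client addresses are constructed from documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

ANY_NET = ip_network("0.0.0.0/0")
WEB_SERVER = ip_network("192.0.2.10/32")    # constructed perimeter Web server


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in" from the Internet, "out" toward it
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset() # TCP flags present, e.g. {"SYN"}

    def opens_connection(self):
        """SYN without ACK is a new connection; a SYN/ACK or ACK is a response."""
        return self.proto == "tcp" and "SYN" in self.flags and "ACK" not in self.flags

    def continues_connection(self):
        """Any TCP segment carrying ACK belongs to an existing connection."""
        return self.proto == "tcp" and "ACK" in self.flags


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: object = ANY_NET
    dst: object = ANY_NET
    sport: Optional[int] = None
    dport: Optional[int] = None
    state: str = "any"                  # "any", "new" or "established"
    comment: str = ""

    def matches(self, pkt):
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if ip_address(pkt.src) not in self.src or ip_address(pkt.dst) not in self.dst:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.state == "new" and not pkt.opens_connection():
            return False
        if self.state == "established" and not pkt.continues_connection():
            return False
        return True


def evaluate(rules, pkt):
    """First matching rule wins; with no match, apply the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default: that which is not expressly permitted is denied"


# Rule set for the isolated Web server: HTTP in and out, nothing else.
WEB_SERVER_RULES = [
    Rule("permit", "in", "tcp", dst=WEB_SERVER, dport=80,
         comment="HTTP requests from the Internet to the server"),
    Rule("permit", "out", "tcp", src=WEB_SERVER, sport=80, state="established",
         comment="responses to those requests"),
    Rule("permit", "out", "tcp", src=WEB_SERVER, dport=80,
         comment="HTTP requests from the server to the Internet"),
    Rule("permit", "in", "tcp", dst=WEB_SERVER, sport=80, state="established",
         comment="responses to the server's own requests"),
    Rule("deny", comment="everything else, including Telnet and FTP"),
]


def decide(pkt):
    """Convenience wrapper returning only the action for the Web-server rule set."""
    return evaluate(WEB_SERVER_RULES, pkt)[0]
```

Note that a packet arriving from the Internet with source port 80 but only SYN set is still denied: it tries to open a connection, so the "established" rule does not match it.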
Notice the network is broken into two pieces. The internal or secure network<br />
has all internal users and production machines. It is kept separate from the<br />
perimeter network, which has your server intended to be accessed from the<br />
Internet. We keep these two networks unlinked because a router alone cannot<br />
provide enough protection for your internal systems.<br />
This network scenario with an isolated Internet server is a cheap solution since<br />
you need a router anyway to connect to the ISP. But this solution has some<br />
limitations:<br />
• There is no logging of packets discarded by the router.<br />
• It is hard to keep the isolated system current since it cannot be reached from<br />
the internal network.<br />
• Internet applications cannot work with your production database.<br />
8.10.3.3 Proxy Server<br />
Figure 70. Proxy Server<br />
A proxy server is a TCP or UDP application. Its purpose is to receive requests<br />
from a client and resend them to a server and to resend responses from the<br />
server back to the client.<br />
Proxy servers are unique to the particular protocol that they handle (for instance,<br />
an HTTP proxy or a Telnet proxy).<br />
The most important objective of a proxy server is to break the TCP/IP<br />
connection. Clients no longer talk directly to servers. The server only sees the<br />
IP address of the proxy server, not of the originating client. This is useful to<br />
keep the internal network information private.<br />
The clients need to know the address of the proxy server to send the request to<br />
the proxy instead of the server it wants to communicate with. This means the<br />
client application needs to be proxy-aware, which means specific definitions are<br />
required. The servers, on the other hand, are standard. They have no<br />
knowledge that a proxy server is being used.<br />
One of the bad things about proxy servers is that they are unique to a particular<br />
application. If you obtain a new TCP/IP application, you may have a difficult time<br />
finding a proxy server to support it.<br />
Probably the most common example of a proxy server is the HTTP proxy server.<br />
An HTTP proxy server relays requests from a Web browser to a Web server.<br />
The client’s browser is configured to send requests for URLs to the proxy server<br />
instead of the server.<br />
Figure 71. SOCKS Server<br />
Not all proxy servers are quite so easy to use. A Telnet proxy server, for<br />
example, may require the users to Telnet to the proxy server, to log on, and to<br />
Telnet again to the system that they want to communicate with. The IP address<br />
of the proxy server is used as the source address, hiding the IP address of the<br />
ISP.<br />
Another common proxy is one that relays mail between internal mail servers and<br />
other mail servers on the Internet. Because the mail proxy server simply<br />
forwards mail, sometimes it is called a mail relay. The mail proxy server relays<br />
all incoming mail to an internal mail server where it can be accessed by the<br />
internal users. All outgoing mail is also routed through the mail proxy server.<br />
Mail proxy servers use SMTP. The workstations, when communicating with the<br />
internal mail server, communicate through POP.<br />
8.10.3.4 SOCKS Server<br />
Sockets server, SOCKS for short, is another TCP/IP application that resends<br />
requests and responses between clients and servers.<br />
The SOCKS server can be thought of as a general-purpose proxy server. Instead of<br />
handling one type of application protocol, it handles them all (HTTP, Telnet, FTP,<br />
and so on).<br />
The purpose of the SOCKS server is the same as the proxy server; it breaks the<br />
TCP/IP connection and hides internal network information.<br />
However, to use a SOCKS server, the client must be written to support the<br />
SOCKS protocol. Some applications such as Web browsers support SOCKS.<br />
There are also some systems such as OS/2 that support SOCKS in their TCP/IP<br />
protocol stack so that all client applications can use a SOCKS server.<br />
Figure 72. Domain Name Services<br />
The client configuration gives the name of the SOCKS server to use and rules for<br />
when it should be used.<br />
To avoid the need for individual proxy servers for HTTP, Telnet, FTP and so<br />
on, there is a move toward SOCKS servers.<br />
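As an added example (not from the redbook), the exchange between a SOCKS-aware client and a SOCKS server looks like this in Python. The redbook does not name a SOCKS version, so this assumes SOCKS version 5 as defined in RFC 1928; the outside address 192.0.2.1, the destinations and the web-only policy are constructed.

```python
"""SOCKS CONNECT exchange between a SOCKS-aware client and a SOCKS server.

Added example, not from the redbook. It assumes SOCKS version 5 (RFC 1928),
which the redbook does not name, and constructed addresses: the client sits
on the internal network and the SOCKS server presents 192.0.2.1 outward.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCEEDED, REP_GENERAL_FAILURE = 0x00, 0x01
REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x02, 0x07


def build_connect_request(host, port):
    """Client side: encode VER CMD RSV ATYP DST.ADDR DST.PORT for host:port."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                      # not a dotted quad: send the name
        name = host.encode("ascii")
        if len(name) > 255:
            raise ValueError("domain name too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Server side: decode a request into (cmd, host, port); ValueError if malformed."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, reserved, atyp = data[1], data[2], data[3]
    if reserved != 0x00:
        raise ValueError("reserved byte must be zero")
    if atyp == ATYP_IPV4:
        host_end = 4 + 4
        if len(data) < host_end + 2:
            raise ValueError("truncated IPv4 request")
        host = socket.inet_ntoa(data[4:host_end])
    elif atyp == ATYP_DOMAIN:
        host_end = 5 + data[4]
        if len(data) < host_end + 2:
            raise ValueError("truncated domain-name request")
        host = data[5:host_end].decode("ascii")
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    if len(data) != host_end + 2:
        raise ValueError("trailing bytes after request")
    (port,) = struct.unpack("!H", data[host_end:host_end + 2])
    return cmd, host, port


def build_reply(rep, bound_host="0.0.0.0", bound_port=0):
    """Server side: VER REP RSV ATYP BND.ADDR BND.PORT, BND.ADDR being the outside address."""
    return (struct.pack("!BBBB", SOCKS_VERSION, rep, 0x00, ATYP_IPV4)
            + socket.inet_aton(bound_host) + struct.pack("!H", bound_port))


def socks_server_handle(request, policy, outside_addr="192.0.2.1", outside_port=40000):
    """Apply the server's rules to one request. Returns (reply bytes, destination or None).

    policy(host, port) -> True when internal clients may reach that destination.
    """
    try:
        cmd, host, port = parse_connect_request(request)
    except ValueError:
        return build_reply(REP_GENERAL_FAILURE), None
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_NOT_SUPPORTED), None
    if not policy(host, port):
        return build_reply(REP_NOT_ALLOWED), None
    # A real server would now open the outward connection from outside_addr.
    # The destination sees only that address, never the internal client's.
    return build_reply(REP_SUCCEEDED, outside_addr, outside_port), (host, port)


def web_only(host, port):
    """Constructed policy: only HTTP and HTTPS destinations are permitted."""
    return port in (80, 443)
```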
8.10.3.5 Domain Name Services<br />
Domain Name Services is the application that enables a client to determine the<br />
IP address of a given host name. Most of the time, we use host names such as<br />
www.mycompany.com when talking about hosts on the Internet. The Domain<br />
Name Server (DNS) translates host names into IP addresses.<br />
When constructing a firewall, we use Domain Name Services so that internal<br />
users can locate the IP addresses of all systems, internal and public, while users<br />
on the Internet can only locate the IP addresses of our Internet servers.<br />
We need two Domain Name Services, one for internal names and one for<br />
external names. The internal Domain Name Service is responsible for your<br />
internal systems. It forwards name resolution requests to the external Domain<br />
Name Service if it does not know the host name. The external Domain Name<br />
Service is configured to forward requests to name servers on the Internet if it<br />
does not know the host name. This allows internal users to access hosts on the<br />
Internet.<br />
Users on the Internet send requests to the external Domain Name Service to<br />
locate your Internet server.<br />
Domain Name Service requests only go out. The external Domain Name Service<br />
does not forward requests to the internal Domain Name Service.<br />
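The two-server arrangement above, simulated in Python as an added example that is not from the redbook: the zones, the host names under mycompany.com and every address are constructed (RFC 1918 space for internal hosts, TEST-NET space for public ones), and the trace returned with each answer shows which servers a request passed through.

```python
"""Split Domain Name Service: an internal and an external server, as above.

Added example, not from the redbook. The servers are simulated in-process;
the zones, the host names under mycompany.com and all addresses are
constructed (RFC 1918 space for internal hosts, TEST-NET space for public
ones).
"""


class NameServer:
    """A minimal resolver that answers from its own records or forwards."""

    def __init__(self, label, records, forwarder=None):
        self.label = label
        self.records = {name.lower().rstrip("."): addr for name, addr in records.items()}
        self.forwarder = forwarder

    def resolve(self, qname, trace=None):
        """Return (address or None, list of server labels consulted in order)."""
        trace = [] if trace is None else trace
        trace.append(self.label)
        key = qname.lower().rstrip(".")
        if key in self.records:
            return self.records[key], trace
        if self.forwarder is not None:
            return self.forwarder.resolve(qname, trace)
        return None, trace


# Constructed zones. Only the external server is reachable from the Internet.
INTERNET_DNS = NameServer("internet", {"www.example.net": "203.0.113.5"})
EXTERNAL_DNS = NameServer("external", {
    "www.mycompany.com": "192.0.2.10",     # public Web server
    "mail.mycompany.com": "192.0.2.25",    # mail relay
}, forwarder=INTERNET_DNS)
INTERNAL_DNS = NameServer("internal", {
    "payroll.mycompany.com": "10.1.2.3",
    "db.mycompany.com": "10.1.2.4",
}, forwarder=EXTERNAL_DNS)


def internal_user_lookup(name):
    """An internal workstation asks the internal server."""
    return INTERNAL_DNS.resolve(name)


def internet_user_lookup(name):
    """A host on the Internet can only ask the external server."""
    return EXTERNAL_DNS.resolve(name)


def requests_only_go_out(external, internal):
    """True when no forwarding chain from the external server reaches the internal one."""
    server = external
    while server is not None:
        if server is internal:
            return False
        server = server.forwarder
    return True


if __name__ == "__main__":
    for name in ("payroll.mycompany.com", "www.mycompany.com", "www.example.net"):
        print("internal user:", name, internal_user_lookup(name))
    for name in ("www.mycompany.com", "payroll.mycompany.com"):
        print("Internet user:", name, internet_user_lookup(name))
```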
8.10.4 Glossary of the Most Common Firewall-Related Terms<br />
Abuse of privilege: When a user performs an action that they should not have<br />
according to organizational policy or law.<br />
Application-level firewall: A firewall system in which service is provided by<br />
processes that maintain complete TCP connection state and sequencing.<br />
Application-level firewalls often readdress traffic so that outgoing traffic appears<br />
to have originated from the firewall, rather than the internal host.<br />
Authentication: The process of determining the identity of a user that is<br />
attempting to access a system.<br />
Authentication token: A portable device used for authenticating a user.<br />
Authentication tokens operate by challenge/response, time-based code<br />
sequences, or other techniques. This may include paper-based lists of one-time<br />
passwords.<br />
Authorization: The process of determining what types of activities are permitted.<br />
Usually, authorization is in the context of authentication: once you have<br />
authenticated a user, they may be authorized different types of access or<br />
activity.<br />
Challenge/response: An authentication technique whereby a server sends an<br />
unpredictable challenge to the user, who computes a response using some form<br />
of authentication token.<br />
Defense in-depth: The security approach whereby each system on the network<br />
is secured to the greatest possible degree. May be used in conjunction with<br />
firewalls.<br />
DNS spoofing: Assuming the DNS name of another system by either corrupting<br />
the name service cache of a victim system, or by compromising a domain name<br />
server for a valid domain.<br />
Firewall: A system or combination of systems that enforces a boundary between<br />
two or more networks.<br />
Host-based security: The technique of securing an individual system from attack.<br />
Host-based security is operating system and version dependent.<br />
Insider attack: An attack originating from inside a protected network.<br />
Intrusion detection: Detection of break-ins or break-in attempts either manually<br />
or via software expert systems that operate on logs or other information<br />
available on the network.<br />
IP spoofing: An attack whereby a system attempts to illicitly impersonate<br />
another system by using its IP network address.<br />
Logging: The process of storing information about events that occurred on the<br />
firewall or network.<br />
Log retention: How long audit logs are retained and maintained.<br />
Log processing: How audit logs are processed, searched for key events, or<br />
summarized.<br />
Network-level firewall: A firewall in which traffic is examined at the network<br />
protocol packet level.<br />
Perimeter-based security: The technique of securing a network by controlling<br />
access to all entry and exit points of the network.<br />
Policy: Organization-level rules governing acceptable use of computing<br />
resources, security practices, and operational procedures.<br />
Proxy: A software agent that acts on behalf of a user. Typical proxies accept a<br />
connection from a user, decide whether or not the user or client IP address is<br />
permitted to use the proxy, perhaps perform additional authentication, and then<br />
complete a connection on behalf of the user to a remote destination.<br />
Trojan horse: A software entity that appears to do something normal but which,<br />
in fact, contains a trap door or attack program.<br />
Tunneling router: A router or system capable of routing traffic by encrypting it<br />
and encapsulating it for transmission across an untrusted network for eventual<br />
de-encapsulation and decryption.<br />
Social engineering: An attack based on deceiving users or administrators at the<br />
target site. Social engineering attacks are typically carried out by telephoning<br />
users or operators and pretending to be an authorized user, to attempt to gain<br />
illicit access to systems.<br />
Virtual network perimeter: A network that appears to be a single protected<br />
network behind firewalls, which actually encompasses encrypted virtual links<br />
over untrusted networks.<br />
Virus: A self-replicating code segment. Viruses may or may not contain attack<br />
programs or trap doors.<br />
8.11 Cryptography<br />
New commercial and business applications using network computing have<br />
dramatically emphasized the need for security in business transactions. In fact,<br />
the requirements go well beyond the encoding and decoding of business<br />
transactions, to functions such as user identification and authorization, access<br />
control to resources and services, confidentiality, data integrity, non-repudiation<br />
of transactions, and security management/audit. The science of cryptography<br />
provides the technologies to support these functions. <strong>IBM</strong>’s support of these<br />
cryptographic functions is referred to as <strong>IBM</strong>’s cryptographic infrastructure. The<br />
use of cryptographic services in I/T systems can occur at various levels, from the<br />
applications down to the cryptographic engines, depending on the degree of<br />
cryptographic awareness of the application, that is, the level of cryptographic<br />
functionality the application must know in order to meet its objectives. This<br />
suggests a layering of cryptographic functions, with the option for application<br />
access at whatever layer is appropriate.<br />
Layering reduces the level of cryptographic awareness needed and increases<br />
the portability of applications through the use of standardized APIs.<br />
Cryptographic algorithms can be embedded into applications through the use of<br />
common libraries and toolkits. A layered approach helps identify and manage<br />
the infrastructure of supporting functions.<br />
8.11.1 Layers - Introduction<br />
The identification and description of these layers, their implementation, use and<br />
management is necessary to fully communicate <strong>IBM</strong>’s extensive support for<br />
cryptographic functions that help secure business applications.<br />
Any layering approach will inevitably represent an oversimplification of the<br />
relative positioning and use of the various functions. However, a layered<br />
approach does communicate <strong>IBM</strong>’s strategy to support additional functions in the<br />
layers and to include selected components into solutions. The complexity of<br />
using cryptographic functions is reduced while increasing flexibility in the choice<br />
of APIs and cryptographic engines.<br />
We can arrange the cryptographic infrastructure into four conceptual layers, as<br />
shown.<br />
Applications<br />
--------------------------------------------<br />
Supporting Services and Subsystems<br />
--------------------------------------------<br />
APIs and Toolkits<br />
--------------------------------------------<br />
Cryptographic engines<br />
Layers are used to describe functions within a layer that are both<br />
complementary and related. Functions in one layer may exploit functions in any<br />
other layer. The layering is not rigid or insulated; functions may exploit other<br />
functions within the same layer. These functions are selectable and extensible,<br />
defining an open infrastructure with content driven by industry standards, where<br />
appropriate.<br />
The Application layer can use the Supporting Services or API layer directly,<br />
depending upon the level of cryptographic awareness required by the<br />
application. An example is electronic commerce applications over the Internet.<br />
The Supporting Services and Sub-systems layer consists of an extensible set of<br />
services that invoke and exploit the APIs according to the level of cryptographic<br />
knowledge required by the service. These services facilitate the use of<br />
cryptographic functions by applications. An example is certificate management<br />
for public key infrastructures, consisting of a set of services used to generate,<br />
store, distribute, revoke, and renew certificates for other related applications.<br />
The APIs and Toolkits layer consists of the industry-standard sets of calls to the<br />
underlying cryptographic engines or sets of linkable library routines that<br />
incorporate cryptographic algorithms into applications or supporting services.<br />
Regardless of the API set or cryptographic engine used for a given function, the<br />
functional results obtained will be the same, thus validating the modular<br />
mix/match suggested by the layered infrastructure.<br />
The Cryptographic Engines layer is a common set of cryptographic functions,<br />
implemented across a variety of platforms. This set of functions is available in<br />
hardware or software. Hardware implementations have the advantage of<br />
superior speed of execution and resistance to tampering. Some examples of<br />
this layer are integrated cryptographic co-processors, cryptographic adapters<br />
(add-on to any platform) and software routines.<br />
8.11.2 Layers - Detail<br />
Figure 73. The <strong>IBM</strong> Cryptography Infrastructure<br />
8.11.2.1 Applications<br />
Networked business applications have exploited cryptographic capabilities to<br />
enhance security for years. Businesses are extending these applications to the<br />
Internet at a rapid rate.<br />
The broad set of business applications that exploit the Internet are often referred<br />
to as e-commerce. Examples include Internet shopping, Internet banking,<br />
Internet information services and Internet-health related services. An overview<br />
of these e-commerce applications serves to illustrate how encryption services,<br />
APIs and cryptographic engines are all used by the application.<br />
Internet Shopping Mall: After browsing merchandise offered through the Web<br />
pages of a merchant at any convenient time and place, a user would select<br />
items to purchase. The user may select a credit card as the method of payment<br />
for the goods or services and the application invokes a secure payment<br />
cryptographic service using the industry-defined Secure Electronic Transaction<br />
(SET) protocols. The application would not have to be programmed at the<br />
cryptographic API level since that would be handled by the SET subsystem (see<br />
8.11.2.2, “Supporting Services and Subsystems” on page 232). The<br />
cryptographic functions used would be invoked transparently between the<br />
communicating parties using the Protocol for Payment Negotiation (PPN). The<br />
added cryptographic value to the user is integrity and confidentiality of credit<br />
and payment information, plus verification of the merchant. The merchant can<br />
prove that the transaction occurred and that he or she will be paid.<br />
Internet Banking: Banking on the Internet is clearly an opportunity where<br />
proper security measures must be in place to protect the financial assets of the<br />
consumer and the corporate assets of the financial institution. Consumers can<br />
be authorized to use these banking services through the use of certificate<br />
management services. These services provide the consumer and the browser<br />
application a certificate that would be used to authenticate the client, authorize<br />
the client to banking applications, and select the level of confidentiality and<br />
integrity appropriate to the application. Internet banking uses the public key<br />
infrastructure services and the APIs and encryption algorithms below those<br />
services. All three levels of service will be transparent to the client application<br />
and the consumer.<br />
<strong>IBM</strong> InfoMarket Service: <strong>IBM</strong> InfoMarket Service addresses the need to control<br />
the distribution of information over the Internet and protect intellectual property<br />
rights. With the proliferation of search engines on the Internet, the challenge to<br />
users is to find those items of value and to pay for them, where appropriate.<br />
The challenge to publishers is to protect their intellectual property and to get<br />
paid for items ordered. <strong>IBM</strong>’s InfoMarket Service is an Internet-based content<br />
distribution utility for publishers who want to reach new customers, featuring<br />
security and copyright management, and allows for publisher control over<br />
content and pricing. Complete network and back-office support services are<br />
included. The <strong>IBM</strong> InfoMarket Service provides compatibility with leading<br />
information storage and retrieval vendors. The use of encryption is transparent<br />
to the user.<br />
Internet Health Care: With an Internet-based health care system, patient<br />
records can be stored in a central location and accessed immediately by all<br />
properly authorized personnel required in the various processes. The<br />
information may be used by a primary care physician, by medical specialists, in<br />
the hospital and pharmacy and by the insurance company. Cryptographic<br />
functions, such as confidentiality, integrity, and authentication, are necessary<br />
and are invoked by the application, transparent to the users. Smart cards could<br />
also be incorporated, as a method of transporting patient medical records.<br />
8.11.2.2 Supporting Services and Subsystems<br />
The supporting services and subsystems are:<br />
Key Recovery Services: <strong>IBM</strong> is working on a solution to key recovery that will<br />
support all existing key distribution schemes and encryption algorithms.<br />
SecureWay key recovery technology will be a process that associates<br />
information with an encrypted message, perhaps as header information. Key<br />
recovery schemes could make use of underlying cryptographic functions and<br />
could extend already existing cryptographic APIs.<br />
Secure Content Distribution (Cryptolope Containers): The availability of the<br />
Internet has led to the proliferation of illegal copies of copyrighted, digital<br />
information. Software enforcement of copyright can be circumvented, posing the<br />
question of how to effectively protect the intellectual property of digital content<br />
owners. The <strong>IBM</strong> solution is to secure the content in a Cryptolope container.<br />
Cryptolope containers are advancing a new frontier in the world of electronic<br />
commerce.<br />
Cryptolope containers feature advanced cryptographic enveloping technology,<br />
enabling businesses to penetrate new markets and launch themselves into the<br />
next century. Cryptolope containers are based on a new packaging technology<br />
that enables and enhances electronic commerce on the Internet and<br />
communication within enterprises. A Cryptolope container is a sophisticated<br />
electronic package that holds an encrypted version of a text document or an<br />
electronic commodity, such as music, film, art, software, graphics and<br />
multimedia products.<br />
Each container also has an abstract attached that describes its contents, their<br />
price (when applicable) and the terms and conditions for using the contents.<br />
While the contents are protected, the abstract is accessible. Cryptolope<br />
containers can only be opened using cryptographic keys that are provided to<br />
users who have purchased the contents.<br />
Cryptolope containers protect copyrighted material on the Internet, directing the<br />
material to the authorized customer and providing a method for receiving<br />
payment for usage. Cryptolope containers are digitally signed using RSA<br />
technology to identify the originator of the contents and to protect against<br />
alteration during transmission. DES is used for encryption, decryption, and key<br />
generation.<br />
Cryptolope containers are deployed today in <strong>IBM</strong>’s InfoMarket Service. <strong>IBM</strong> is<br />
exploring the use of Cryptolope containers in multiple applications, including<br />
direct marketing, software distribution, electronic document delivery, and<br />
entertainment applications.<br />
Virtual Private Network: Businesses want to communicate with partners and<br />
suppliers over the Internet. This creates a concern for how to keep information<br />
confidential while flowing over a public network. The <strong>IBM</strong> firewall brings the<br />
capability of having a virtual private network, which can address this concern.<br />
Even though the traffic travels over the Internet you can still have confidential<br />
communications.<br />
The firewall encrypts Internet Protocol (IP) packets, creating a private IP tunnel<br />
to transfer data. This process, called tunneling, provides data integrity,<br />
authentication, and confidentiality as the data flows across a public network<br />
between two firewalls that support the Internet Engineering Task Force IPsec<br />
specifications.<br />
Applet Security: The growing popularity of the Internet has led to a frenzy of<br />
development on the World Wide Web. Most noted of such developments has<br />
been the introduction by SUN Microsystems of the popular capability to<br />
download applications that run transparently inside the Web browser. The<br />
language used is Java and the downloaded applications are known as applets.<br />
The browser has no control over or knowledge of the applet contents. If the user<br />
is security-aware, he/she may be obliged to treat each applet as a potential<br />
virus, Trojan horse, worm or simply a badly behaving program with respect to<br />
resource consumption. This realization has generated activity to address the<br />
pressing question of Java security, since Java’s popularity is expanding rapidly<br />
and it is commonly used as the language for Web page executables and other<br />
e-commerce executables. <strong>IBM</strong> has activities underway in the areas of:<br />
cryptographic services for Java applets, code signing combined with applet<br />
resource credentials, access control, and identification and authentication of<br />
applets. <strong>IBM</strong> intends to work openly with industry to share the results of these<br />
research activities.<br />
Certificate Management: Distributed computing in a commercial context nearly<br />
always involves the exchange of information and execution of transactions that<br />
have value and need to be protected. Confidentiality, integrity and especially the<br />
authenticity of the unseen communication partners all become important<br />
requirements. How is such electronic business conducted with the same degree<br />
of confidence as face-to-face business? The need to provide secure<br />
communications across public networks is a top priority for businesses in this<br />
environment. The <strong>IBM</strong> Public Key Infrastructure will supply the technology to<br />
create, publish, maintain, revoke and renew digital certificates and to distribute<br />
them to various destinations, such as Web browsers and smart cards. It<br />
supports authentication, encryption, digital signature and access control<br />
operations using the certificate contents. It also provides a communications<br />
transport that enables client and server applications to exploit protected<br />
communications over public or private networks. The certificate management<br />
services available with <strong>IBM</strong>’s PKI show how cryptographic functions and APIs<br />
can be applied without user knowledge of the details. To further address this<br />
need, <strong>IBM</strong> is working with Nortel’s Entrust technology to define and implement<br />
the infrastructure needed to ensure that digital identities can be created and<br />
used in electronic commerce applications.<br />
Identities are issued by a trusted authority and are represented by a certificate<br />
that includes standard information such as a public key, a globally accessible<br />
name, expiration dates, and application-unique information such as a title, a<br />
degree earned, a license owned, and job responsibility. This certificate is<br />
digitally signed by the trusted authority, known as a certificate authority. The<br />
certificate authority validates information in the certificate and signs it thereby<br />
validating the authenticity of the information signed.<br />
Secure Electronic Transactions (SET): SET is not the only electronic payment<br />
system designed for the World Wide Web. It is, however, emerging as the only<br />
significant standard for credit card transactions. In this section we give a brief<br />
history of the origins of SET, and also discuss other payment approaches.<br />
Banks and financial institutions have had networks for electronic payment<br />
processing for many years. These networks connect highly secure, trusted<br />
computer systems, using dedicated links and powerful cryptographic hardware.<br />
A number of international standards exist to define the protocol for messages<br />
exchanged over the network.<br />
The challenge for Internet credit card processing lies in producing a scheme that<br />
can provide adequate protection at a reasonable cost without compromising<br />
trust in any of the existing systems.<br />
During 1995, various financial organizations and technology companies formed a<br />
number of alliances aimed at producing standards for credit card payment.<br />
This was a confusing time, with a number of competing standards and consortia.<br />
The technical community would probably still be arguing the merits of one<br />
solution or another, but the two largest credit card companies, Visa and<br />
MasterCard, realized that nothing would happen without a globally accepted<br />
standard. They joined forces with the key software companies to produce a<br />
single proposal, SET.<br />
SET is based on ideas from previous proposed standards and is also heavily<br />
influenced by Internet Keyed Payment Protocols (iKP), which is the result of<br />
research carried out at the <strong>IBM</strong> Zurich Laboratory.<br />
Other credit card payment systems do exist, but they are generally not aimed at<br />
the broad market, as SET is. For example, First Virtual Internet Payments<br />
System (FVIPS), operated by First Virtual Holdings Inc., is a scheme by which the<br />
prospective buyer registers credit card details with First Virtual and receives a<br />
personal identification number (PIN). The buyer can then use the PIN in place of<br />
a card number at any merchant that has an account with First Virtual. Payment<br />
details must be confirmed by e-mail before any purchase is completed.<br />
Although this scheme has been successful it is limited due to the requirement<br />
for both buyer and seller to be affiliated with the same service. SET more<br />
closely follows the model of normal credit card payments, in which the only<br />
relationship between the organization that issues the card and the one that<br />
processes the purchase is that they subscribe to the same clearing network.<br />
<strong>IBM</strong> was a key contributor to the design of SET and is supporting SET for<br />
consumer payment (using a browser such as Netscape), in its Merchant Server<br />
(Net.Commerce Payment Manager), and in a new Payment Gateway, which<br />
connects the consumer/merchant to the financial institution for payment.<br />
<strong>IBM</strong> Directions for Web Payments, SuperSET: Having delivered products and<br />
services that cover all of the roles and functions in the SET framework, <strong>IBM</strong><br />
development is working to expand the product set to embrace any other<br />
payment method. This development effort, known internally as SuperSET, will<br />
deliver electronic wallet and electronic till software that provides a number of<br />
interfaces to allow other payment modules to be easily integrated. It will also<br />
provide protocol negotiation capability, including JEPI, as soon as it is finalized.<br />
8.11.2.3 APIs and Toolkits<br />
The APIs and toolkits are:<br />
Common Cryptographic Architecture (CCA): The <strong>IBM</strong> Common Cryptographic<br />
Architecture (CCA) is a cryptographic API for secret key algorithms (DES) and<br />
public key algorithms (RSA). It provides services for data privacy, data integrity,<br />
key generation, distribution, and installation and Personal Identification Number<br />
(PIN) processing using the Data Encryption Standard (DES). It also supports<br />
digital signature generation and verification and distribution of Data Encryption<br />
Algorithm (DEA) key encrypting keys using the RSA algorithm. The architecture<br />
provides interoperability between products that are compliant, regardless of<br />
platform. CCA is designed for use within most standard programming<br />
languages.<br />
CCA provides advanced key management through the use of control vector<br />
technology. Control vectors are non-secret quantities cryptographically bound to<br />
the key, providing key separation and limiting the valid uses of the key.<br />
The CCA API provides a common set of services for cryptographically-aware<br />
applications to exploit without knowledge of the underlying cryptographic<br />
engines.<br />
BSAFE: BSAFE is RSA’s portable C programming toolkit that provides<br />
re-entrant, linkable code that supports a complete palette of the most popular<br />
cryptographic and hashing algorithms and a random number generator. BSAFE<br />
provides an API into encryption engines without the application programmer<br />
having to access the APIs. BSAFE supports many standards, including the PKCS<br />
series of public-key interoperability specifications, among them PKCS #11, which<br />
is oriented to portable tokens (PC Cards or smart cards). BSAFE simplifies the<br />
integration of state-of-the-art confidentiality and authentication features into<br />
any C program. BSAFE is licensed for use by a large number of vendors, including<br />
<strong>IBM</strong>. <strong>IBM</strong> and RSA announced plans for BSAFE to exploit the CCA API. <strong>IBM</strong> is<br />
ensuring that when its hardware cryptographic engines are present, they will be<br />
chosen by BSAFE over software implementations.<br />
Generic Security Services API (GSS-API): GSS-API is a session-oriented<br />
interface developed by the Internet Engineering Task Force (IETF) in conjunction<br />
with X/Open (now the Open Group) to facilitate secure communication in a<br />
client/server environment. Its objective is to isolate the calling program from the<br />
security mechanisms being invoked.<br />
The GSS-API includes support for mutual authentication and the establishment of<br />
appropriate levels of message confidentiality and integrity. <strong>IBM</strong> supports<br />
GSS-API through its various DCE deliverables. The advantage of using the<br />
GSS-API is the low level of security awareness required of the application<br />
program.<br />
Generic Cryptographic Services (GCS-API): GCS-API is a generic,<br />
comprehensive, algorithm-independent, cryptographic API, produced by the<br />
Open Group’s Security Working Group (together with NIST and NSA) and is being<br />
designed to provide convergence on a single, multivendor standard.<br />
Microsoft Crypto API (C-API): Microsoft’s C-API provides extensible, exportable,<br />
system-level access to common cryptographic functions such as encryption,<br />
hashing and digital signatures. Microsoft’s C-API requires a Cryptographic<br />
Service Provider (CSP) to implement cryptographic algorithms.<br />
Cryptographic APIs/toolkits will be supported within the SecureWay<br />
cryptographic infrastructure as they appear in the industry and are required by<br />
customers.<br />
Privacy Enhanced Mail: Electronic mail normally transits the network in the<br />
clear (anyone can read it). This is obviously not the optimal solution. Privacy<br />
enhanced mail provides a means to automatically encrypt electronic mail<br />
messages so that a person snooping at a mail distribution node is not (easily)<br />
capable of reading them. Several privacy-enhanced mail packages are currently<br />
being developed and deployed on the Internet. The Internet Activities Board<br />
Privacy Task Force has defined a draft standard, elective protocol for use in<br />
implementing privacy enhanced mail.<br />
8.11.2.4 Cryptographic Engines<br />
The cryptographic engines are:<br />
Kerberos: Kerberos, named after the dog who in mythology is said to stand at<br />
the gates of Hades, is a collection of software used in a large network to<br />
establish a user’s claimed identity. Developed at the Massachusetts Institute of<br />
Technology (MIT), it uses a combination of encryption and distributed databases<br />
so that a user at a campus facility can log in and start a session from any<br />
computer located on the campus. This has clear advantages in certain<br />
environments where there are a large number of potential users who may<br />
establish a connection from any one of a large number of workstations. Some<br />
vendors are now incorporating Kerberos into their systems.<br />
Smart Cards: Smart cards will play an important role in cryptography because<br />
they are tamper-resistant, cost-effective, and a simple means by which a user<br />
can be authenticated across an insecure network. Smart cards can enhance the<br />
Secure Electronic Transaction protocol (SET) by storing user certificates. This<br />
would mean that a SET-enabled smart card could be used in a secure browser<br />
equipped with an appropriate reader, increasing security and mobility by<br />
allowing SET transactions from a number of sources, in addition to the user’s<br />
home workstation.<br />
Figure 74. Smart Card. The password synchronized smart card.<br />
Smart cards can provide these services because they contain a microprocessor<br />
and a tamper-resistant enclosure that can securely store cryptographic keys,<br />
certificates, and other data. Operations can be performed on the data within the<br />
secure boundary. An example of such a smart card is <strong>IBM</strong>’s MultiFunction Card<br />
(MFC). The MFC can separate and protect the data required by multiple<br />
applications on the same card and secure network transactions. An example<br />
smart card application is for a single card to be used to access, reserve, and<br />
pay for travel and entertainment. This same card could store user preferences<br />
to be used by the application. Tickets and any loyalty schemes (for example,<br />
frequent flyer miles) could be downloaded directly to the same smart card. This<br />
card would be presented at the airport during travel and would contain any<br />
necessary travel documents including the user’s passport, credit, and debit<br />
cards. <strong>IBM</strong> Smart Consumer Services leverage <strong>IBM</strong> experience in I/T to deliver<br />
end-to-end solutions. Smart Consumer Services are available from <strong>IBM</strong> now.<br />
The services consist of management consultancy, feasibility/business case<br />
analysis, design, development and card creation, management and<br />
administration, together with the prerequisite readers and modules. Applications<br />
have been delivered and others are under development for availability later.<br />
JEPI: The emergence of a single standard for credit card payments, SET, is a<br />
very positive development for Web payments. However, as the previous sections<br />
have shown, there are many situations in which SET is not appropriate, and<br />
many other payment systems that browser and server software needs to<br />
accommodate.<br />
In fact this diversity implies two requirements:<br />
1. Electronic wallet and till technology that can handle multiple payment types<br />
2. A negotiation protocol for client and server to determine what payment<br />
options they share<br />
In real life, we take this latter protocol for granted. It goes something like this:<br />
Buyer: Do you accept American Express?<br />
Seller: No, we only take MasterCard and Visa.<br />
Buyer: How about a personal check?<br />
Seller: (laughs) That’s very funny.<br />
Buyer: I’ll have to pay in cash then.<br />
Seller: No problem, so long as it’s in small-denomination used bills.<br />
(etc...)<br />
In cyberspace, the same exchange has not yet been finalized, but a project<br />
called Joint Electronic Payments Initiative (JEPI) is working hard to define the<br />
protocol. This is a combined effort of CommerceNet and the World Wide Web<br />
Consortium (W3C). You can find out more about JEPI at:<br />
http://www.w3.org/pub/WWW/Payments/jepi.html.<br />
Data Encryption Standard (DES): DES is perhaps the most widely used data<br />
encryption mechanism today. Many hardware and software implementations<br />
exist, and some commercial computers are provided with a software version.<br />
DES transforms plain text information into encrypted data (or ciphertext) by<br />
means of a special algorithm and seed value called a key. So long as the key is<br />
retained (or remembered) by the original user, the ciphertext can be restored to<br />
the original plain text. One of the pitfalls of all encryption systems is the need to<br />
remember the key under which a thing was encrypted. (This is not unlike the<br />
password problem discussed elsewhere in this document.) If the key is written<br />
down, it becomes less secure. If forgotten, there is little (if any) hope of<br />
recovering the original data. Most UNIX systems provide a DES command that<br />
enables a user to encrypt data using the DES algorithm.<br />
Crypt: Similar to the DES command, the UNIX crypt command allows a user to<br />
encrypt data. Unfortunately, the algorithm used by crypt is very insecure (based<br />
on the World War II Enigma device), and files encrypted with this command can<br />
be decrypted easily in a matter of a few hours. Generally, use of the crypt<br />
command should be avoided for any but the most trivial encryption tasks.<br />
Workstation Interface Adapters: <strong>IBM</strong> is developing a PCI-based cryptographic<br />
co-processor. The co-processor has a general purpose PC-compatible<br />
subsystem, random number generator, and cryptographic functions, all inside a<br />
tamper-responding enclosure. The device will support high-speed cryptographic<br />
operations and will provide a protected environment for sensitive applications<br />
and data. <strong>IBM</strong>’s plan is to include a rich set of data privacy and authentication<br />
functions in the initial PCI offering, including DES and CDMF encryption, ANSI<br />
message authentication, RSA digital signature generation and verification and<br />
key distribution. The hardware will be designed to meet the Federal Information<br />
Processing Standard 140-1 level 3. A PCMCIA (notebook) version is under<br />
consideration.<br />
S/390 Integrated Cryptographic Co-Processor Feature: The <strong>IBM</strong> Integrated<br />
Cryptographic Co-Processor Feature (packaged as a single CMOS chip), together<br />
with the Integrated Cryptographic Service Facility (ICSF), will provide the ability<br />
to support high-volume cryptographic transaction rates and bulk data security<br />
requirements. The programming interface to use the facilities conforms to the<br />
Common Cryptographic Architecture (CCA) and allows interoperability with other<br />
conforming systems. The cryptographic co-processor provides facilities for<br />
public and private key encryption (DES, CDMF, and RSA), hashing algorithms,<br />
digital signature, and key management.<br />
Transaction Security System (TSS): The <strong>IBM</strong> Transaction Security System range<br />
of products and services provides comprehensive support for DES and RSA<br />
based cryptographic processing. The system uses the Common Cryptographic<br />
Architecture (CCA), described above, for interoperability across all the<br />
workstation and host environments.<br />
The <strong>IBM</strong> 4755 Cryptographic adapter provides the DES and RSA-based<br />
cryptographic processing for use with DOS, OS/2, AIX and OS/400 environments.<br />
The <strong>IBM</strong> 4754 Security Interface Unit, together with the <strong>IBM</strong> Personal Security<br />
card, supports strong authentication of users, optionally using a Signature<br />
Verification feature, and supports encryption on the smart card as an alternative<br />
encryption source. The <strong>IBM</strong> 4753 network security processor provides the<br />
cryptographic services for the MVS host environment.<br />
Checksums: Easily the simplest mechanism, a simple checksum routine can<br />
compute a value for a system file and compare it with the last known value. If<br />
the two are equal, the file is probably unchanged. If not, the file has been<br />
changed by some unknown means. Though it is the easiest to implement, the<br />
checksum scheme suffers from a serious failing in that it is not very<br />
sophisticated and a determined attacker could easily add enough characters to<br />
the file to eventually obtain the correct value. A specific type of checksum,<br />
called a CRC checksum, is considerably more robust than a simple checksum. It<br />
is only slightly more difficult to implement and provides a better degree of<br />
catching errors. It too, however, suffers from the possibility of compromise by<br />
an attacker. Checksums may be used to detect the altering of information.<br />
However, they do not actively guard against changes being made. For this,<br />
other mechanisms such as access controls and encryption should be used.<br />
Cryptographic Checksums: Cryptographic checksums (also called cryptosealing)<br />
involve breaking a file up into smaller chunks, calculating a (CRC) checksum for<br />
each chunk, and adding the CRCs together. Depending upon the exact algorithm<br />
used, this can result in a nearly unbreakable method of determining whether a<br />
file has been changed. This mechanism suffers from the fact that it is<br />
sometimes computationally intensive and may be prohibitive except in cases<br />
where the utmost integrity protection is desired. Another related mechanism,<br />
called a one-way hash function (or a manipulation detection code (MDC)) can<br />
also be used to uniquely identify a file. The idea behind these functions is that<br />
no two inputs can produce the same output, thus a modified file will not have the<br />
same hash value. One-way hash functions can be implemented efficiently on a<br />
wide variety of systems, making unbreakable integrity checks possible. (Snefru,<br />
a one-way hash function available via USENET as well as the Internet is just one<br />
example of an efficient one-way hash function.)<br />
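The two paragraphs above contrast a simple checksum, a CRC and a one-way hash as file integrity checks. The following Python is an added example (not from the redbook) that runs all three over a constructed file: the additive checksum can be restored by appended filler, exactly the failing the text warns about, while a one-way hash (SHA-256 standing in for the Snefru example named above) still flags the change.<br />

```python
import hashlib
import zlib

# Constructed sample "system file" (not taken from the page): a hosts-style table.
ORIGINAL = (
    b"# constructed example hosts table\n"
    b"192.0.2.10   mail.example.test\n"
    b"192.0.2.20   www.example.test\n"
)
# The same file after one entry has been pointed at a different address.
TAMPERED = ORIGINAL.replace(b"192.0.2.20   www.example.test",
                            b"192.0.2.99   www.example.test")


def simple_checksum(data: bytes) -> int:
    """The 'simple checksum' of the text: the sum of all byte values, modulo 2**16."""
    return sum(data) & 0xFFFF


def crc_checksum(data: bytes) -> int:
    """The CRC variant: the IEEE CRC-32 supplied by zlib."""
    return zlib.crc32(data) & 0xFFFFFFFF


def one_way_hash(data: bytes) -> str:
    """A one-way hash (MDC). SHA-256 stands in here for the Snefru example in the text."""
    return hashlib.sha256(data).hexdigest()


def pad_to_simple_checksum(data: bytes, target: int) -> bytes:
    """Append filler bytes so that simple_checksum(result) == target.

    This is the failing the text describes: an additive checksum constrains only
    the sum of the bytes, so trailing filler restores any stored value while the
    altered entry stays in place.
    """
    deficit = (target - simple_checksum(data)) % 0x10000
    filler = b"\xff" * (deficit // 0xFF) + bytes([deficit % 0xFF])
    return data + filler


def integrity_report(baseline: bytes, current: bytes) -> dict:
    """Compare stored (baseline) values with those of the current file.

    True means that check flagged the file as changed.
    """
    return {
        "simple": simple_checksum(baseline) != simple_checksum(current),
        "crc32": crc_checksum(baseline) != crc_checksum(current),
        "sha256": one_way_hash(baseline) != one_way_hash(current),
    }


def demo() -> dict:
    """Tampered file padded back to the original's simple checksum, then re-checked."""
    forged = pad_to_simple_checksum(TAMPERED, simple_checksum(ORIGINAL))
    return integrity_report(ORIGINAL, forged)


if __name__ == "__main__":
    for check, flagged in demo().items():
        print(f"{check:7s} detected change: {flagged}")
```

Only the one-way hash is a dependable detector here; the simple checksum passes the padded file, which is why the text recommends it only alongside access controls and encryption.<br />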
8.11.3 Conclusion<br />
This infrastructure is open, supports industry and de facto standards, and<br />
provides a choice of APIs, toolkits, and services. It can be extended as new<br />
cryptographic engines, toolkits, and APIs evolve.<br />
A total cryptographic function set is provided, supporting the many aspects of<br />
security across the <strong>IBM</strong> product line. Through the supporting services, the<br />
infrastructure can provide a cryptographic programming environment, which can<br />
be inserted into the broader business environment of object technologies and<br />
program development aids. The implied consistency helps with validation and<br />
scenario checking. The infrastructure provides a cryptographic product and<br />
services roadmap, allowing ISVs and end users alike to anticipate cryptographic<br />
extensions and enhancements.<br />
By exploiting these four layers of cryptographic functions, APIs, services and<br />
applications across a variety of hardware and software platforms, businesses<br />
can build and extend applications. Businesses must be confident that they can<br />
fully and efficiently secure their applications in a consistent manner, independent<br />
of the platform used to provide the services and of the APIs most appropriate to<br />
those applications.<br />
This infrastructure brings consistency, choice, full function, high performance<br />
and simplicity to the high level of security required for today’s business<br />
applications.<br />
8.12 Router Security<br />
This section discusses PPP Authentication Protocols on the <strong>IBM</strong> 2210 router at<br />
PPP interfaces. It includes these sections:<br />
• Introduction to PPP Authentication Protocols<br />
• Challenge-Handshake Authentication Protocol (CHAP)<br />
• Password Authentication Protocol (PAP)<br />
8.12.1 Introduction to PPP Authentication Protocols<br />
PPP Authentication Protocols provide a form of security between two nodes<br />
connected via a PPP link. If authentication is required on a box, then<br />
immediately after the two boxes successfully negotiate the use of the link at the<br />
LCP layer (LCP packets are exchanged until LCP goes into an open state), they<br />
go into an authentication phase where they exchange authentication packets. A<br />
box is neither able to carry network data packets nor negotiate the use of a<br />
network protocol (NCP traffic) until authentication negotiations have been<br />
completed.<br />
There are different authentication protocols in use, Password Authentication<br />
Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP).<br />
These are described in detail in RFC 1334, and briefly described later in this<br />
section.<br />
Whether a box requires the other end to authenticate itself (and if so, with what<br />
protocol) is determined during the LCP negotiation phase. Hence, in some<br />
sense authentication can be considered to fail even at the link establishment<br />
phase (LCP negotiation), if one end does not know how, or refuses, to use the<br />
authentication protocol that the other end requires.<br />
Each end of a link sets its own requirements for how it wants the other end to<br />
authenticate itself. For example, given two routers A and B connected over a<br />
PPP link, side A may require that B authenticate itself by using PAP, and side B<br />
may require that A similarly identify itself by using CHAP. It is valid for one end<br />
to require authentication while the other end requires none.<br />
In addition to initial authentication during link establishment, with some protocols<br />
an authenticator may demand that the peer reestablish its credentials<br />
periodically. With CHAP, for example, a rechallenge may be issued at any time<br />
by the authenticator and the peer must successfully reply or lose the link. If<br />
more than one authentication protocol is enabled, the router initially attempts to<br />
use them in priority order:<br />
1. CHAP<br />
2. PAP<br />
8.12.2 Challenge-Handshake Authentication Protocol (CHAP)<br />
The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically<br />
verify the identity of the peer using a three-way handshake. This is done upon<br />
initial link establishment, and may be repeated any time after the link has been<br />
established. After the initial link establishment, the authenticator sends a<br />
challenge message (a random value plus an identifier) to the peer. The peer responds<br />
with a value calculated by a one-way hash function (MD5) over the identifier, the<br />
shared secret and the challenge. The authenticator checks the response against<br />
its own calculation of the expected hash value. If the values match, the<br />
authentication is acknowledged; otherwise the connection is terminated.<br />
The secret itself never crosses the link, and because every challenge is fresh a<br />
captured response cannot be replayed. The price is that the authenticator must<br />
hold the cleartext secret for each peer, so the secret store on the router needs<br />
the same protection as the link.<br />
The Nways MRS Software User’s Guide covers the information about the PPP<br />
Authentication Protocols in detail.<br />
8.12.3 Password Authentication Protocol (PAP)<br />
The Password Authentication Protocol (PAP) provides a simple method for the<br />
peer to establish its identity using a two-way handshake. This is done only upon<br />
initial link establishment. Following link establishment, the peer sends an<br />
ID/password pair to the authenticator until authentication is acknowledged or the<br />
connection is terminated. Passwords are sent over the circuit in the clear, and<br />
there is no protection from playback or repeated trial-and-error attacks. The<br />
peer controls the frequency and timing of the attempts.<br />
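The two exchanges above, modelled as an added example (this is not the 2210's code; the peer name, secret and challenge bytes are constructed for the illustration): a CHAP authenticator per RFC 1994 that issues fresh challenges, verifies the MD5 digest, rechallenges, and rejects a replayed digest, next to a PAP check that accepts the same captured ID/password pair every time it is resent.

```python
"""CHAP (RFC 1994) versus PAP (RFC 1334) on a PPP link.

Added example with constructed values; not the IBM 2210's own code.
"""
import hashlib
import hmac
import os

# Constructed: the peer name and secret from the scenario configuration.
PEER_SECRETS = {b"2210B": b"remote"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge).
    Only this digest crosses the link; the secret itself never does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that issues Challenge packets and checks Responses."""

    def __init__(self, secrets: dict):
        self._secrets = secrets          # must hold the cleartext secret per peer
        self._identifier = 0
        self._outstanding = None         # (identifier, challenge) awaiting a response

    def challenge(self) -> tuple:
        """Issue a fresh Challenge. Used at link-up and for any later rechallenge."""
        self._identifier = (self._identifier + 1) & 0xFF
        self._outstanding = (self._identifier, os.urandom(16))
        return self._outstanding

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        """Accept only a digest over the challenge currently outstanding."""
        if self._outstanding is None or self._outstanding[0] != identifier:
            return False                  # stale Identifier: replay or protocol error
        _, challenge = self._outstanding
        self._outstanding = None          # each challenge is usable exactly once
        secret = self._secrets.get(name)
        if secret is None:
            return False                  # unknown peer name
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class PapAuthenticator:
    """PAP: the peer sends Peer-ID and Password in the clear; there is no challenge."""

    def __init__(self, users: dict):
        self._users = users

    def verify(self, peer_id: bytes, password: bytes) -> bool:
        stored = self._users.get(peer_id)
        return stored is not None and hmac.compare_digest(stored, password)


def chap_demo() -> dict:
    """Initial handshake, a rechallenge, a replayed digest and a wrong secret."""
    auth = ChapAuthenticator(PEER_SECRETS)
    name, secret = b"2210B", b"remote"

    ident, chal = auth.challenge()                     # 1. Challenge
    resp = chap_response(ident, secret, chal)          # 2. Response (computed by peer)
    initial = auth.verify(ident, name, resp)           # 3. Success / Failure

    ident, chal = auth.challenge()                     # authenticator rechallenges later
    rechallenge = auth.verify(ident, name, chap_response(ident, secret, chal))

    ident, chal = auth.challenge()
    replay = auth.verify(ident, name, resp)            # eavesdropper replays the old digest

    ident, chal = auth.challenge()
    wrong = auth.verify(ident, name, chap_response(ident, b"guess", chal))
    return {"initial": initial, "rechallenge": rechallenge,
            "replay_accepted": replay, "wrong_secret_accepted": wrong}


def pap_demo() -> tuple:
    """A PAP Authenticate-Request, then the identical captured pair resent later."""
    auth = PapAuthenticator(PEER_SECRETS)
    on_the_wire = (b"2210B", b"remote")                # visible to any tap on the circuit
    return auth.verify(*on_the_wire), auth.verify(*on_the_wire)


if __name__ == "__main__":
    print("CHAP:", chap_demo())
    print("PAP (legitimate, replayed):", pap_demo())
```

The replay case is the point of the three-way handshake: the old digest is rejected not because the authenticator remembers it, but because it was computed over a challenge that is no longer outstanding. The PAP authenticator has no such state and cannot tell the replay from the original.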
8.12.4 Scenario: PPP with Bridging between Two <strong>IBM</strong> 2210s<br />
In this scenario, we have a 2210 with a token-ring interface (2210A) and a 2210<br />
with an Ethernet interface (2210B). Both 2210s are linked together using a PPP<br />
link with RS-232 modems.<br />
The 2210A is a source route translational bridge. The 2210B is a transparent<br />
bridge.<br />
• Interfaces:<br />
2210A token-ring runs at 16 Mbps, and is attached to the LAN using the STP<br />
connector.<br />
2210B Ethernet is attached to the Ethernet LAN using the 10Base-T<br />
connector.<br />
• Bridging:<br />
2210A is a source route translational bridge with SRB on the token-ring<br />
interface, and STB on the serial 1 interface. The bridge number of 2210A is<br />
A. The LAN segment number of the 2210A on the token-ring is 111, and the<br />
TB domain is seen from SRB Domain as the LAN segment number 222.<br />
2210B is a transparent bridge with STB on both serial 1 and Ethernet<br />
interfaces.<br />
• PPP Authentication Protocol:<br />
2210A is configured to authenticate the remote router with the following<br />
configuration:<br />
Authenticate Protocol: PAP<br />
PPP_USER: 2210B<br />
Password: remote<br />
2210B is configured to identify itself on the link when being authenticated by<br />
2210A as shown in the following configuration:<br />
Local name: 2210B<br />
Password: remote<br />
Figure 75. Scenario: PPP Authentication Protocol<br />
8.13 Remote Access Security<br />
Optimizing security in a remote access system requires trade-offs among level of<br />
security, complexity, manageability, cost, ease-of-use, and a myriad of other<br />
factors. Each network manager makes those trade-offs differently, so there is no<br />
single optimal solution for remote access security. There are, however,<br />
optimization strategies that make sense for certain specific categories of remote<br />
access system.<br />
A small, relatively simple remote access installation with straightforward security<br />
requirements should place as few demands on its network manager as possible.<br />
Therefore, the optimal security system for such installations is simple and<br />
requires minimal initial setup time. Simplicity and low startup effort are best<br />
obtained by using the remote access server's internal database to store<br />
authentication and authorization information.<br />
A remote access server’s internal database should be simple, easy to use, and<br />
require very little up-front time to get working. In addition to storing user names<br />
and passwords, an internal database should also store a configurable set of<br />
attributes for each user, such as call-back, maximum connection time, IP<br />
address, and server administration permissions. The database may also add<br />
security options such as a user lockout feature that disables a user name after a<br />
number of unsuccessful login attempts.<br />
Since each remote access server maintains its own copy of an internal<br />
database, it is imperative that the database can be replicated quickly and easily<br />
for multiple servers. Ideally, user information in a set of remote access servers<br />
should be manageable as if they comprise one integrated system.<br />
For larger-scale remote access systems with straightforward security<br />
requirements, it makes sense for a network manager to trade lengthier initial<br />
setup for long-term time savings in managing the system. Large system security<br />
is best optimized by integrating the remote access system’s authentication and<br />
authorization with a robust centralized authentication service that serves the<br />
network as a whole.<br />
This section discusses the built-in features and the third-party methods that can be<br />
used with the <strong>IBM</strong> 8235 remote access server.<br />
8.13.1 <strong>IBM</strong> 8235 Security Features<br />
Regarding these security features, you can split the environment into three<br />
different areas:<br />
• The 8235 itself<br />
• The WAN side of the 8235: All components that are connected to the WAN<br />
ports, such as modems, the client systems and possible external security<br />
devices.<br />
• The LAN side of the 8235: All components that can have a LAN connection<br />
with the 8235. In the security context discussed here these will be security<br />
servers.<br />
In accordance with these areas, we discuss the main security features and<br />
options available in three groups, as shown in Figure 76 on page 244:<br />
Figure 76. Overview of Security Options<br />
• 8235 built-in security<br />
This includes user ID and password protection as well as other features.<br />
• The WAN side<br />
This is also referred to as out-of-band, and covers the gatekeeper devices.<br />
• The LAN side<br />
This is also referred to as in-band; in this section we cover the six<br />
supported in-band third-party methods.<br />
This discussion includes options built in to the product, external options with<br />
explicit support within the range of 8235 components and black-box external<br />
options of which the 8235 is not aware.<br />
A basic aspect, sometimes underestimated, is physical access to the device. It is<br />
generally recommended to protect the 8235 physically at your location by placing<br />
the device in a secure room or cabinet that can maintain the correct operating<br />
environment. This is not only for security reasons, but also to ensure<br />
uninterrupted operation.<br />
The device can be administered from any location through the IPX or IP<br />
protocols, or through a dial-in or LAN-to-LAN connection. Only during initial<br />
installation and in case of maintenance should physical access to the device be<br />
necessary.<br />
You can find a lot of information and configuring examples about the features<br />
and third-party methods discussed in this section in <strong>IBM</strong> 8235 Dial-In Access to<br />
LANs Server: Concepts and Implementation, SG24-4816.<br />
8.13.1.1 Security Options on the WAN Side of the 8235<br />
This section includes two areas that are closely related:<br />
• The DIALs clients themselves, their configuration options and how they<br />
support third-party components<br />
• The third-party security devices that have been tested with the 8235 and the<br />
DIALs clients and possible special considerations that apply<br />
DIALs Client Security:<br />
The security features of the 8235 product are mainly carried out by the 8235 box<br />
itself and additional external security servers on the LAN. There is not much a<br />
DIALs client can do to improve its own security by itself, given the fact that a<br />
potential intruder can steal the machine on which the DIALs client is running.<br />
A simple, but important feature is that the client does not store its password. If<br />
a configuration file is stored while the password field is filled in, the password<br />
will not be stored.<br />
Any other security feature needs to be outside the client by the very nature of<br />
the problem. However, the client has to support those external security options.<br />
Third-Party Security Feature<br />
The DIALs client (DOS, Windows and OS/2 versions) has a feature to<br />
provide support for entering third-party security information using a terminal<br />
interface.<br />
If you are calling an 8235 that uses a third-party security device, you need to<br />
enter the security information (in addition to your dial-in name and password)<br />
when you connect to the remote network. For this to be possible you need to be<br />
able to enter a dialog mode, receiving prompts and typing answers.<br />
Automating Third-Party Security<br />
The DIALs Client can enter third-party security information for you automatically,<br />
either when you press certain function keys or when the third-party security<br />
phase begins.<br />
This is done by adding the required information to the connection file.<br />
Advanced Security Dialog<br />
This is a feature of the DIALs client for Windows and OS/2 only.<br />
If you are calling an 8235 that uses a supported third-party security device (such<br />
as SecurID from Security Dynamics, Inc.) that is able to use the Advanced<br />
Security dialog box in the DIALs Client, you will need to enter the security<br />
information (in addition to your dial-in name and password) when you connect to<br />
the remote network. To use the Advanced Security dialog box, make sure that<br />
all of the following conditions are true:<br />
• The 8235 is Version 4.0 (or higher) and is configured to use Advanced<br />
Security.<br />
• The DIALs client is also at Version 4.0, at least.<br />
• You did not select the Third-Party Security Device Installed check box in the<br />
Connection File Options dialog box.<br />
External WAN Security Devices:<br />
Devices from two manufacturers have been developed to work with the<br />
8235. The concept of these products, as shown in Figure 76 on page 244, is to<br />
be transparent and invisible for both client and 8235, once the authentication is<br />
done. The two products are:<br />
• Security Dynamics ACM<br />
• Digital Pathways’ Defender 5000<br />
These devices work with the same token devices as their software LAN side<br />
counterparts, the Security Dynamics ACE server and the Digital Pathways server.<br />
They differ in terms of number of supported users, number of ports and<br />
scalability.<br />
For a general discussion of token devices and two-factor authentication, refer to<br />
“Two-Factor Authentication-Only Solutions” on page 253.<br />
There are pros and cons for this approach:<br />
• Pros<br />
− Can use another serial service in addition to the 8235<br />
− Strong accounting and management<br />
• Cons<br />
− Cannot be used with 8235 modem cards<br />
− Different (yet another) configuration<br />
− Different troubleshooting<br />
− Different modem configuration (Make sure your modem’s speed is<br />
supported.)<br />
To overcome the problem of the integrated modems, there is another approach:<br />
a device that attaches directly to the telephone line. The modem is then<br />
attached to the security device in turn. However, attaching to a public phone<br />
line requires legal ratification. So a product like this might not be available in all<br />
countries.<br />
8.13.1.2 8235 Built-In Security<br />
The main security feature built in to the 8235 is the user list and its capabilities<br />
for both global settings that apply to all users and user-specific profiles with<br />
detailed user privilege configurations.<br />
In addition to that, there are several other integrated security features. They are<br />
described in “Other Built-In Security Features” on page 247.<br />
User List:<br />
The 8235 and the Management Facility store user information in the 8235<br />
disk-based files called user lists.<br />
When user list security has been configured, the 8235 controls the access of<br />
Dial-In, Dial-Out, and LAN-to-LAN users by the means of user lists. After you<br />
download the user list to the 8235, the 8235 stores the user list in non-volatile<br />
RAM, which means that this information is not lost when you switch the 8235 off.<br />
Note: However, it is recommended that you store the user list on your<br />
Management Facility’s hard disk prior to sending it to the device. Otherwise, if<br />
there is a problem with the 8235 and you cannot continue, you will lose your<br />
work. You can always retrieve the list from disk and reattempt sending it once<br />
the problem is removed.<br />
What can you do with a user list?<br />
• Create a new one<br />
• Open a user list file for editing<br />
• Pull the user list from the selected 8235<br />
In all the cases above, you will be able to manipulate the user list in the same<br />
way using Management Facility panels. When you are finished, you can:<br />
• Store the user list on your disk<br />
• Send it to the device from which you had previously obtained it or send it to<br />
the selected device, if you have just created it<br />
If you want, you can remove a user list that has previously been sent to a<br />
device. These functions allow you to create the same user list for a number of<br />
8235 devices without having to retype every parameter for each box. This is an<br />
advantage when you have several 8235s. However, if you allow users to change<br />
their own password, you must be careful not to end up with different passwords<br />
on each machine. It is recommended that you use centralized user lists in this<br />
case.<br />
Other Built-In Security Features:<br />
The ordinary user passwords are stored in the user list. However, there is<br />
password information in the configuration file as well. This section tells you<br />
where. The general rule is that no password is ever stored without encryption.<br />
The Administrator Password, Shell Access<br />
It is strongly recommended that you assign a non-trivial administrator password<br />
to each 8235. Otherwise, an unauthorized person can reconfigure it. For a<br />
dial-in box such as the 8235, this is even more important than for other devices,<br />
because it accepts switched connections.<br />
Note: The password is not stored in the user list, but in the device configuration.<br />
This password is required for any attempt, not only to reconfigure the device or<br />
the user list, but also to obtain information such as statistics, log file or port<br />
status. Further, port and connection management functions require this<br />
password.<br />
Security Features Specific to Configuration Options<br />
The security features specific to configuration options are:<br />
• LAN-to-LAN: For the establishment of LAN-to-LAN connections, a user<br />
ID-based process is used. A user ID authorized for LAN-to-LAN is required<br />
on the local side, and a user ID authorized for LAN-to-LAN is required on the<br />
remote side. However, this process requires storage of user ID and<br />
password information in the configuration (site definition) in addition to the<br />
respective user list.<br />
• AppleTalk: If AppleTalk is enabled, device and zone filtering can be used<br />
effectively to limit access to certain parts of the network for particular ARA<br />
clients or groups.<br />
• Token-Ring: If bridged protocols are used on token-ring, a parameter can be<br />
set in the Additional Configurations page to the effect that source route<br />
bridging is deactivated in the 8235. The 8235 then only bridges these<br />
protocols from the dial-up line into the segment to which it is attached.<br />
NetBIOS and LLC 802.2 access now is limited to that ring.<br />
Note: This parameter exists because there are token-ring networks that do<br />
not employ source route bridging. In those cases the 8235 needs to be able<br />
to turn it off. The security aspect is a side effect.<br />
8.13.1.3 External LAN Security Devices<br />
8235 Version 4.0 or higher directly supports six third-party authentication<br />
databases:<br />
• The NetWare Bindery<br />
• The TACACS server<br />
• The TACACS+ server<br />
• The RADIUS server<br />
• The Security Dynamics ACE server<br />
• The Digital Pathways Defender server<br />
The Bindery as well as the 8235 user lists can store a full user profile. RADIUS<br />
is also capable of full authorization. TACACS and TACACS+ support can work<br />
with a generic user profile that applies to all users being authorized by these<br />
methods.<br />
SecurID and Defender, however, validate only the user identity; they cannot<br />
supply a profile for the user.<br />
Their additional benefit is that they require a token to be provided by the user in<br />
addition to user ID and password. This token (a character string) is obtained<br />
from a token device in possession of the person owning the user ID.<br />
The way to think about such a security design is that SecurID is used to<br />
authenticate users; the other databases are used to both authenticate users and<br />
to authorize access to the 8235’s services. The same applies respectively to<br />
Defender Server.<br />
The token methods are used in conjunction with any one of the authorization<br />
methods. For example, you can use SecurID to authenticate users and the<br />
NetWare Bindery to set up departmental access privileges for groups of users.<br />
The 8235 then prompts separately for the user name and password for each<br />
method of authentication; this allows you to use some forms of authentication for<br />
group authorizations. (For example, SecurID authenticates the individual, who<br />
then logs in to the Bindery with a user ID of sales to obtain Sales group<br />
permissions.)<br />
Note: If an 8235 is configured to use external security and cannot access the<br />
external security server when a user dials in, then the authentication fails, and<br />
the 8235 denies service to the user. For this reason, it is advisable, if possible,<br />
to have back-up security servers available to avoid a single point of failure.<br />
Servers Providing Authentication and Authorization:<br />
The following methods are mutually exclusive. The activation of any of them<br />
also excludes the activation of both internal user lists and the user list server.<br />
However, there may still be an internal user list to provide global settings for the<br />
chosen method via a special generic user ID.<br />
NetWare Bindery<br />
Note<br />
The 8235 has Bindery Services support only for NetWare 3.x, not for 4.x. The<br />
corresponding service offered by NetWare 4.x, NDS (NetWare Directory<br />
Service) is currently not supported by the 8235.<br />
Do not attempt to use NetWare 4.x Bindery emulation instead. If it is not<br />
supported, it does not work. The reason for this is the fact that Bindery<br />
emulation does not support the slash commands used by the 8235 to store<br />
user profile information that otherwise would go into the internal user list.<br />
The NetWare Bindery is a database that resides on a NetWare server; the 8235 reaches<br />
it over IPX. This database contains profiles of users of the network. These profiles<br />
define each user’s name, password, dial-back number, and permission to use<br />
one or more 8235 functions (Dial-In, Dial-Out, and LAN-to-LAN).<br />
TACACS<br />
The Terminal Access Controller Access Control System (TACACS) is a security<br />
protocol used to communicate between 8235s and an IP authentication database.<br />
It is based on UDP.<br />
An 8235 functions as a proxy TACACS client for dial-in users. It forwards the<br />
user’s ID and password to a centralized database that also has the TACACS<br />
protocol. The centralized database looks up the information and sends back an<br />
accept or deny message, which either allows or denies the user access. This<br />
process is entirely transparent to the dial-in user.<br />
Note: Although TACACS runs over IP, the dial-in user need not be using IP to<br />
be authenticated by an 8235 using TACACS.<br />
However, an 8235 using TACACS must have IP enabled.<br />
For more information about TACACS, refer to RFC 1492, An Access Control<br />
Protocol, Sometimes Called TACACS. TACACS and other remote access security<br />
protocols are designed to support thousands of remote connections. In a large<br />
network, the user database is usually large, and is best kept on a centralized<br />
server.<br />
Note: The centralized server can either be a TACACS database or a database<br />
such as the UNIX password file /etc/passwd with TACACS protocol support.<br />
For example, the UNIX server with TACACS passes requests to the UNIX<br />
database and sends the accept or reject message back to the access server.<br />
In extended TACACS, enhancements were made to support new and advanced<br />
features:<br />
• Multiple TACACS servers.<br />
• syslog - Sends accounting information to a UNIX host.<br />
• connect - The user is authenticated into the access server shell and can<br />
Telnet or initiate SLIP or PPP or ARA.<br />
Extended TACACS is multiprotocol-capable and can authorize connections with:<br />
• SLIP<br />
• Enable<br />
• PPP (IP or IPX)<br />
• ARA<br />
• EXEC<br />
• Telnet<br />
TACACS+, BLOCKADE<br />
TACACS+ is a separate protocol, not compatible with the TACACS protocol of<br />
RFC 1492. At the time of writing it exists as an IETF Internet-Draft and is not yet<br />
an RFC. It uses TCP instead of UDP for reliable delivery, and it obfuscates the whole<br />
packet body rather than only the password. We describe here the potential of this<br />
protocol. This does not imply that every implementation is using all those functions;<br />
in particular, the 8235 currently uses the authentication part only. This may<br />
change, once an RFC exists.<br />
• TACACS + General Description:<br />
TACACS+ has three major components: the protocol support within the<br />
access servers and routers, the protocol specification, and the centralized<br />
security database. Similar to an internal security database, TACACS+<br />
supports the following three required features of a security system, which<br />
are three separate protocol components, each of which can be implemented<br />
on separate servers:<br />
− Authentication<br />
- Login and password query<br />
- Challenge/response (CHAP)<br />
- Messaging support (any)<br />
- Packet body obfuscated with an MD5-derived keystream (MD5 is a hash, not a cipher, and no integrity check is provided)<br />
- Replaceable with Kerberos 5<br />
− Authorization<br />
- One authentication<br />
- Authorization for each service<br />
- Per-user access list and user profile<br />
- Users can belong to groups<br />
- IP and Telnet support (IPX, ARA future)<br />
- Any access or command and permission or restrictions
− Accounting<br />
TACACS+ provides accounting information to a database through TCP<br />
to ensure a more secure and complete accounting log. The accounting<br />
portion of the TACACS+ protocol contains the network address of the<br />
user, the user name, the service attempted, protocol used, time and<br />
date, and the packet-filter module originating the log. For Telnet<br />
connections, it also contains source and destination port, action carried<br />
(communication accepted, rejected), log, and alert type. Formats are<br />
open and configurable.<br />
The billing information includes connect time, user ID, location connected<br />
from, start time, and stop time. It identifies the protocol that the user is<br />
using and may contain commands being run if the users are connected<br />
through exec and Telnet.<br />
• TACACS + and the 8235:<br />
The following features are supported for TACACS+ servers:<br />
− Authentication through the TACACS+ server when a user logs in to an<br />
8235.<br />
− Challenge/response dialogs are transmitted to the TACACS+ server by<br />
the 8235 if the TACACS+ server is configured for challenge/response.<br />
− Data encryption of TACACS+ packets sent over the network.<br />
Note: Since the authorization capabilities of TACACS+ are not used<br />
currently, all users are given the same user privileges. These privileges can<br />
be modified through a generic user profile TACACS or through the Additional<br />
Configuration page. There is only one generic user ID TACACS that applies<br />
to both TACACS and TACACS+.<br />
• Blockade - A sample TACACS + Server<br />
An example of a TACACS+ server that has been tested with the 8235 is<br />
Blockade for <strong>IBM</strong> 8235. There are four systems along with their respective<br />
components involved in the authentication (currently authentication is the<br />
only supported feature):<br />
1. The DIALs client, attempting to log in.<br />
2. The 8235, configured with TACACS+ as an external security device.<br />
3. An OS/2 system, having IP connectivity with the 8235, running the<br />
Blockade for <strong>IBM</strong> 8235 software. This is the TACACS+ server to be<br />
specified in the 8235. Within the Blockade terminology this is called a<br />
Distributed Third-party Authentication Server (DAS).<br />
4. An MVS system with RACF (other supported options: ACF2, Top Secret),<br />
running the Blockade Enterprise Security Server (ESS), which acts as a<br />
link between RACF and the DAS. Note that the VM platform is not<br />
supported by this product.<br />
This is a short description based on Blockade System’s documentation. (You<br />
can see all the information available on http://www.blockade.com.)<br />
Blockade for <strong>IBM</strong> 8235 enhances the functionality of the <strong>IBM</strong> remote access<br />
server by providing centralized administration, extended user authentication<br />
and enhanced logging and audit. All security management is centralized on<br />
the MVS platform using RACF. Blockade for <strong>IBM</strong> 8235 operates as a DAS<br />
that communicates with the <strong>IBM</strong> 8235. The Blockade for <strong>IBM</strong> 8235 DAS in<br />
turn communicates with the Blockade ESS residing on the MVS platform.<br />
When a user attempts to connect to the LAN using the <strong>IBM</strong> 8235, the<br />
Blockade DAS collects the necessary identification information (this may be<br />
user ID and password, user ID/password/dynamic token information, etc.). It<br />
then passes the information to the ESS for authentication against user profile<br />
information stored in the RACF database.<br />
There is no technical limit to the number of 8235s supported by one DAS.<br />
Blockade for <strong>IBM</strong> 8235 supports all leading token devices for extended user<br />
authentication. All support is provided by the ESS without requiring any<br />
additional hardware or software. Token device manufacturers explicitly<br />
listed by Blockade are Security Dynamics, Digital Pathways and<br />
CRYPTOCard. For more details on token devices, see “Two-Factor<br />
Authentication-Only Solutions” on page 253.<br />
The bottom line is that control of remote LAN access is centralized around<br />
an existing mainframe security product. As an additional benefit, you get<br />
remote LAN access audit records written to SMF.<br />
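As an added example (not the 8235's or Blockade's code; the shared key, session ID and user fields are constructed), the following shows what the "data encryption" of TACACS+ packets mentioned above actually is: the body is XORed with a keystream of chained MD5 digests over the session ID, shared key, version and sequence number (RFC 8907, which documented the protocol in 2020, calls this obfuscation). The demo also shows two consequences worth knowing: a wrong key yields garbage rather than an error, because there is no integrity check, and two packets sent under the same session ID, sequence number and key share a keystream, so their XOR reveals the XOR of the two plaintext bodies.

```python
"""TACACS+ packet framing and body obfuscation.

Added example with constructed values; not IBM's or Blockade's code.
Header layout and keystream follow the TACACS+ Internet-Draft (later RFC 8907).
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01                 # authentication packet
FLAG_UNENCRYPTED = 0x01            # body sent in clear (debugging only)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad = MD5(sid|key|ver|seq) || MD5(sid|key|ver|seq|MD5_prev) || ..., truncated.
    Everything but the key is visible in the cleartext header."""
    head = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR is its own inverse, so the same call obfuscates and reveals."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1)."""
    fixed = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(type_: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    flags = 0 if key else FLAG_UNENCRYPTED
    payload = xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    return HEADER.pack(TAC_PLUS_VERSION, type_, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Return the body. Note: a wrong key is NOT detected here; the result is garbage."""
    version, type_, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if flags & FLAG_UNENCRYPTED:
        return payload
    return xor_body(payload, session_id, key, version, seq_no)


def tacacs_demo() -> tuple:
    """(decodes with right key, decodes with wrong key, keystream reuse leaks XOR)."""
    key, sid = b"sharedkey", 0x1A2B3C4D                   # constructed
    body = authen_start_body(b"2210B", b"async7", b"555-0100", b"")
    pkt = build_packet(TYPE_AUTHEN, 1, sid, body, key)
    good = parse_packet(pkt, key) == body
    wrong = parse_packet(pkt, b"otherkey") == body          # False, but no error raised

    # Same session_id, seq_no, version and key => identical keystream.
    body2 = authen_start_body(b"admin", b"async7", b"555-0100", b"")
    pkt2 = build_packet(TYPE_AUTHEN, 1, sid, body2, key)
    n = min(len(body), len(body2))
    wire_xor = bytes(a ^ b for a, b in zip(pkt[12:12 + n], pkt2[12:12 + n]))
    plain_xor = bytes(a ^ b for a, b in zip(body[:n], body2[:n]))
    return good, wrong, wire_xor == plain_xor


if __name__ == "__main__":
    print(tacacs_demo())
```

Because the keystream is fully determined by header fields plus the key, the protection rests entirely on the key being unguessable and on session IDs being random and never reused; a server must therefore also reject a packet whose body fails to parse after unmasking rather than treat the garbage as a request.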
RADIUS<br />
Remote Authentication Dial-In User Service (RADIUS) is another distributed<br />
security solution to centralize authentication for multiple, distributed<br />
communication servers such as the 8235. It has a feature important for service<br />
providers: it is capable of providing accounting and billing information.<br />
RADIUS includes two pieces: an authentication server and client protocols.<br />
The server is a UNIX software product developed by Livingston Enterprises (see<br />
http://www.livingston.com). It is being shipped in source code format and can be<br />
adapted to work with systems and protocols already in use. Ports have been<br />
reported to the following platforms:<br />
• AIX<br />
• HP/UX<br />
• SunOS<br />
• Solaris<br />
• Ultrix<br />
• Alpha OSF/1<br />
• BSDI BSD/386<br />
• Linux<br />
• SCO<br />
• UnixWare<br />
The RADIUS protocol defines how authentication and authorization information of<br />
users is sent between the server and the 8235 that acts as a client. The full<br />
protocol specification is available as an Internet-draft form in the Internet<br />
Engineering Task Force (IETF).<br />
This communication is conducted using UDP. The 8235 and the RADIUS server<br />
share a secret (a 64-byte key in this implementation). Strictly, the packets are not<br />
encrypted: only the User-Password attribute is hidden, by XORing it with an MD5<br />
stream derived from the shared secret and the 16-byte request authenticator. The<br />
user name and every other attribute travel in the clear, and the server's reply is<br />
protected only by an MD5 response authenticator over the packet and the secret,<br />
so the shared secret and the network path between 8235 and server still need<br />
protection.<br />
The authentication request is sent over the network from the 8235 to the RADIUS<br />
server. This communication can be done over a local or wide area network,<br />
allowing network managers to locate RADIUS clients such as the 8235 remotely<br />
from the RADIUS server. If the server cannot be reached, the client can route<br />
the request to an alternate server.<br />
Note: This enables global enterprises to offer their users a dial-in service with a<br />
unique login user ID for corporate wide access, no matter what access point is<br />
being used.<br />
When an authentication request is received, the server validates the request,<br />
then recovers the hidden password from the packet to obtain the user name and<br />
password information. This information is passed on to the appropriate security<br />
system being supported.<br />
This could be UNIX password files, Kerberos, a commercially available security<br />
system or even a custom-developed security system.<br />
If the user name and password are correct, the server sends an authentication<br />
acknowledgment. If at any point in this log-in process conditions are not met,<br />
the RADIUS server sends an authentication reject to the 8235 and the user is<br />
denied access to the network.<br />
A single RADIUS server can support hundreds of communication servers and<br />
tens of thousands of users.<br />
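As an added illustration of the exchange just described (this is not code from the page, from Livingston's server, or from the 8235), the following Python sketch builds an Access-Request, hides the password the way the RADIUS specification prescribes (RFC 2865, the published successor of the Internet-Draft mentioned above), and lets a toy server answer Access-Accept or Access-Reject with a verifiable Response Authenticator. The shared secret, the user database standing in for the "security system being supported", and all attribute values are constructed sample data. Two points a practitioner should take from it: only the User-Password attribute is hidden (the user name and everything else travel in the clear over UDP), and a server holding a different shared secret recovers garbage and its reply fails the client's authenticator check.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values (not from the page): the secret configured on both the
# communication server and the RADIUS server, and a tiny user database standing in
# for the "security system being supported" (password file, Kerberos, ...).
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"alice": "correct horse battery"}

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding as defined in RFC 2865 section 5.2: the password is
    padded to a multiple of 16 bytes and each block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the 16-byte
    Request Authenticator in place of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, run on the server. Trailing NULs are padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def encode_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    """RADIUS packet: Code(1) Identifier(1) Length(2) Authenticator(16), then
    Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def decode_packet(pkt: bytes):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", pkt[pos:pos + 2])
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, identifier, pkt[4:20], attrs


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Client (communication server) side: only the User-Password attribute is
    hidden; User-Name and everything else travel in the clear."""
    if not authenticator:
        authenticator = os.urandom(16)  # RFC 2865 requires a fresh, unpredictable value
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))]
    return encode_packet(ACCESS_REQUEST, identifier, authenticator, attrs)


def server_handle(pkt: bytes, secret: bytes, user_db: dict) -> bytes:
    """Server side: recover the password, check it, answer Accept or Reject.
    The Response Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    lets the client detect a forged or tampered reply."""
    code, identifier, req_auth, attrs = decode_packet(pkt)
    a = dict(attrs)
    name = a.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    pw = unhide_password(a.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = (code == ACCESS_REQUEST and name in user_db
          and hmac.compare_digest(user_db[name].encode(), pw))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_check_response(resp: bytes, request: bytes, secret: bytes) -> str:
    """Client side: verify the Response Authenticator before trusting the code."""
    _, _, req_auth, _ = decode_packet(request)
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return "tampered"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "unknown")


def authenticate(username: str, password: str, server_secret: bytes = SHARED_SECRET) -> str:
    """Full exchange over a 'wire' that is just a byte string here.
    Returns "accept", "reject", or "tampered" (server used a different secret)."""
    request = build_access_request(username, password, SHARED_SECRET)
    response = server_handle(request, server_secret, USER_DB)
    return client_check_response(response, request, SHARED_SECRET)
```

Calling `authenticate()` with the right password returns "accept", with a wrong one "reject"; passing a different `server_secret` yields "tampered" on the client side, which is why the secret must be configured identically on the 8235 and the server and guarded like any other credential.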
The RADIUS architecture supports third-party security enhancements, as the<br />
8235 itself does. It therefore allows enhanced, token-based authentication to be<br />
centralized and unified even when a mix of different communication servers is<br />
used, including some that cannot invoke token authentication servers<br />
themselves. The 8235 is not one of these, since it supports SecurID and Digital<br />
Pathways Defender on its own. However, if a method not supported by the 8235<br />
is preferred, it can be integrated via RADIUS.<br />
RADIUS Accounting is a recent enhancement. It uses the RADIUS protocol for<br />
its packet format and adds attributes to handle the additional information needed<br />
for accounting. The accounting server listens for UDP packets at port 1646, and<br />
is not required to run on the same host as the RADIUS server, although that can<br />
be done and is often convenient. A backup accounting server is supported.<br />
Note: The current Release 4.0 of the 8235 only supports RADIUS authentication.<br />
The 8235-I40 will support RADIUS Accounting. At the time of writing no details<br />
were available.<br />
Two-Factor Authentication-Only Solutions:<br />
For a sophisticated hacker or a determined insider it is relatively easy to<br />
compromise a user’s password and gain access to valuable information<br />
resources.<br />
Single-factor identification (a static password) may hence be considered<br />
insecure. Many people choose poor passwords or store them in unsecured<br />
places; they attach them to their keyboard, PC or monitor, for example. A high<br />
percentage of successful break-ins into networks are due to guessed or stolen<br />
passwords.<br />
Before any other security measure is meaningful, authorized system users<br />
should be reliably identified, while all unauthorized users must be locked out.<br />
The method discussed in this section is a two-factor authentication. It consists<br />
of:<br />
• Something secret that a person knows, such as a memorized password or<br />
personal identification number (PIN)<br />
• Something unique that a person owns, such as a smart card that generates a<br />
random token<br />
The 8235 supports two external two-factor authorization methods:<br />
• Security Dynamics’ SecurID ACE Server<br />
• Digital Pathways Defender Server<br />
SecurID<br />
There are four components of a full implementation of SecurID:<br />
• ACE/Server<br />
This component, which uses the UDP Protocol to communicate with an 8235,<br />
runs on a UNIX machine. Supported platforms listed by Security Dynamics<br />
Inc. are <strong>IBM</strong> AIX, Sun Microsystems’ SunOS/Solaris, Hewlett Packard’s<br />
HP-UX. (The 8235 is compatible with any ACE/Server Version 1.1 or higher.)<br />
You must purchase this server software from Security Dynamics, Inc. (see<br />
more information on http://www.securid.com).<br />
The 8235 supports the use of secondary ACE/Servers. A secondary ACE<br />
server is a backup to the primary server. When the primary server is down,<br />
the secondary server authenticates user logins and maintains an audit trail.<br />
• SecurID client<br />
This component runs on the 8235 and communicates with the SecurID server<br />
via UDP. It is enabled when you configure the 8235 for SecurID.<br />
• SecurID token<br />
The SecurID token is an access control security token that is used to<br />
positively identify users of computer systems and networks. It automatically<br />
generates a unique, unpredictable access code every 60 seconds. This<br />
access code, in combination with the user’s PIN, is typed by the user at login<br />
time. The SecurID client function within the 8235 passes this on to the<br />
SecurID server. Relying on a correct system clock, the server is<br />
synchronized with the token and thus either permits or denies access for this<br />
user.<br />
Security Dynamics lists two types of token devices:<br />
1. The SecurID card with a 6-digit display.<br />
2. The SecurID PINPAD card that requires the PIN to be entered before a<br />
token is displayed. This is so the secret PIN is not transmitted over any<br />
line and is not exposed to snooping.<br />
• Dial-in client software<br />
This component is the DIALs Client program for PC users or the ARA<br />
program for Macintosh users.<br />
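The following is an added example (not SecurID code; the real token algorithm is proprietary and the page carries none) of the server-side logic the ACE/Server role needs for a time-synchronized token as described above: a 6-digit code that changes every 60 seconds, a PIN the user prefixes to it, a clock-drift window so that a slightly skewed card still works, and a one-time rule so that an overheard passcode cannot be replayed inside its 60-second window. The code generator is an HMAC-SHA1 construction of the RFC 6238 kind standing in for the real one; the seed, PIN and user name are constructed sample data.

```python
import hashlib
import hmac
import struct

INTERVAL = 60  # seconds per token code, as stated on the page


def token_code(seed: bytes, unix_time: int) -> str:
    """Code displayed for the 60-second interval containing unix_time.
    Assumption: HMAC-SHA1 truncation as in RFC 6238 (TOTP); SecurID's own
    algorithm is proprietary. Only the interval/clock logic is the point."""
    counter = unix_time // INTERVAL
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (value % 1_000_000)


class TokenServer:
    """Server side (the ACE/Server role): knows each user's PIN and token seed,
    accepts passcode = PIN + code when the code matches the current interval or
    a neighbouring one (clock drift), and never accepts the same code twice."""

    def __init__(self, users: dict, drift_intervals: int = 1):
        self.users = users          # name -> (pin, seed); constructed sample data
        self.drift = drift_intervals
        self.last_counter = {}      # name -> interval counter of the last accepted code

    def verify(self, user: str, passcode: str, server_time: int) -> bool:
        if user not in self.users:
            return False
        pin, seed = self.users[user]
        if len(passcode) != len(pin) + 6:
            return False
        if not hmac.compare_digest(passcode[:len(pin)].encode(), pin.encode()):
            return False
        code = passcode[len(pin):].encode()
        now = server_time // INTERVAL
        for counter in range(now - self.drift, now + self.drift + 1):
            if hmac.compare_digest(code, token_code(seed, counter * INTERVAL).encode()):
                # One-time rule: a code is usable once even inside its 60-second window,
                # and no code from an interval older than the last accepted one is taken.
                if counter <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = counter
                return True
        return False


# Constructed sample: one user with a 4-digit PIN and a seed shared with the server.
SAMPLE_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_USERS = {"bob": ("4321", SAMPLE_SEED)}


def login_at(server: TokenServer, user: str, pin: str, seed: bytes,
             card_time: int, server_time: int) -> bool:
    """Simulate a dial-in: the card computes its code at card_time, the user
    types PIN+code, the server checks it against its own clock server_time."""
    return server.verify(user, pin + token_code(seed, card_time), server_time)
```

The drift window is the trade-off the text hints at with "relying on a correct system clock": one interval of tolerance keeps logins working when card and server drift by a few seconds across an interval boundary, while the one-time rule makes sure the tolerance does not turn an intercepted passcode into a reusable one.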
Digital Pathways Defender Security Server<br />
You can find more information about this product on Digital Pathways, Inc.’s Web<br />
site:<br />
http://www.digpath.com<br />
There are four components involved in this two-factor authorization:<br />
• Defender security server<br />
This software component, which must be purchased from Digital Pathways,<br />
Inc., runs either on NetWare (as an NLM), Windows NT or UNIX. It provides<br />
the centralized authentication database. It supports multiple servers;<br />
currently the 8235 supports two of them.<br />
• Communication server as agent<br />
This is the 8235 configured as the Defender security server agent. When the<br />
8235 starts up, it uses IP (in the case of Windows NT or UNIX) or IPX (in the<br />
case of NetWare as the server platform) to connect to the primary Digital<br />
Pathways server. The Digital Pathways server authenticates the 8235 using the<br />
agent ID and agent key. These need to be configured identically on both<br />
machines. If the authentication is successful, the connection remains active.<br />
• SecureNet Key token<br />
SecureNet Key token devices must be purchased from Digital Pathways, Inc.<br />
They use a challenge/response process with the Defender server. The<br />
server sends an 8-digit challenge. The user enters this and the PIN into the<br />
SecureNet Key. The SecureNet Key then displays an 8-digit response which, in<br />
turn, is typed in by the user and is used to either accept or deny this login.<br />
With this method, only one-time information gets transmitted over the line;<br />
no PIN or password can be overheard by a hacker.<br />
• Dial-in client software<br />
This component is the DIALs Client program for PC users, with the<br />
Third-Party Security feature enabled. After modem negotiation, a TTY<br />
window appears and displays the challenge prompt coming from the<br />
Defender server. This is how the user carries out the challenge/response<br />
dialog embedded in the 8235 dial-in procedure.<br />
Note: An 8235 configured to use Digital Pathways authentication can answer<br />
LAN-to-LAN connections, but the LAN-to-LAN connection establishment will not<br />
use Digital Pathways authentication; the connection will be made using only the<br />
primary authentication method.<br />
8.14 Secure Web Servers<br />
The World Wide Web (WWW) is a distributed hypermedia system which is rapidly<br />
gaining acceptance among Internet users. Although many WWW browsers<br />
support other, preexisting Internet application protocols, the native and primary<br />
protocol used between WWW clients and servers is the HyperText Transfer<br />
Protocol (HTTP). The ease of use of the Web has prompted widespread interest in<br />
its employment as a client/server architecture for many applications. Many such<br />
applications require the client and server to be able to authenticate each other<br />
and exchange sensitive information confidentially. Current HTTP implementations<br />
have only modest support for the cryptographic mechanisms appropriate for<br />
such transactions. Secure HTTP (S-HTTP) and the Secure Sockets Layer (SSL) are<br />
special protocols that provide secure communication mechanisms between the<br />
browser and the server in order to enable spontaneous commercial transactions<br />
for a wide range of applications.<br />
Figure 77. Secure Web Server. All data is encapsulated using a secure protocol and sent across the TCP/IP<br />
channel. Only the server and the corresponding client can understand the data built in this secure<br />
protocol.<br />
8.14.1 Secure Hypertext Transfer Protocol (S-HTTP)<br />
Secure HTTP (S-HTTP) provides secure communication mechanisms between an<br />
HTTP client/server pair in order to enable spontaneous commercial transactions<br />
for a wide range of applications.<br />
The design intent of S-HTTP is to provide a flexible protocol that supports multiple<br />
orthogonal operation modes, key management mechanisms, trust models,<br />
cryptographic algorithms and encapsulation formats through option negotiation<br />
between parties for each transaction.<br />
Secure HTTP provides a variety of security mechanisms to HTTP clients and<br />
servers, offering the security service options appropriate to the wide range of<br />
potential end uses possible for the World Wide Web. The protocol provides<br />
symmetric capabilities to both client and server (in that equal treatment is given<br />
to both requests and replies, as well as to the preferences of both parties) while<br />
preserving the transaction model and implementation characteristics of the<br />
current HTTP. Several cryptographic message format standards may be<br />
incorporated into S-HTTP clients and servers, including, but not limited to,<br />
PKCS-7, PEM, and PGP.<br />
S-HTTP supports interoperation among a variety of implementations, and is<br />
compatible with HTTP. S-HTTP-aware clients can talk to S-HTTP-oblivious<br />
servers and vice versa, although such transactions obviously would not use<br />
S-HTTP security features.<br />
S-HTTP does not require client-side public key certificates (or public keys),<br />
supporting symmetric session key operation modes. This is significant because it<br />
means that spontaneous private transactions can occur without requiring<br />
individual users to have an established public key. While S-HTTP will be able to<br />
take advantage of ubiquitous certification infrastructures, its deployment does<br />
not require them.<br />
S-HTTP supports end-to-end secure transactions, in contrast with the existing<br />
de facto HTTP authorization mechanisms, which require the client to attempt<br />
access and be denied before the security mechanism is employed. Clients may<br />
be primed to initiate a secure transaction (typically using information supplied in<br />
an HTML anchor); this may be used to support encryption of fill-out forms, for<br />
example.<br />
With S-HTTP, no sensitive data need ever be sent over the network in the clear.<br />
S-HTTP provides full flexibility of cryptographic algorithms, modes and<br />
parameters. Option negotiation is used to allow clients and servers to agree on<br />
transaction modes. Should the request be signed? Encrypted? Both? What<br />
about the reply?<br />
S-HTTP attempts to avoid presuming a particular trust model, although its<br />
designers admit to a conscious effort to facilitate multiply-rooted hierarchical<br />
trust, and anticipate that principals may have many public key certificates.<br />
Message protection may be provided on three orthogonal axes: signature,<br />
authentication, and encryption. Any message may be signed, authenticated,<br />
encrypted, or any combination of these (including no protection).<br />
8.14.2 Secure Sockets Layer (SSL)<br />
The SSL protocol is designed, first, to provide privacy between two communicating<br />
applications (a client and a server). Second, the protocol is designed to<br />
authenticate the server, and optionally the client. SSL requires a reliable<br />
transport protocol for data transmission and reception. The advantage of the<br />
SSL protocol is that it is application protocol-independent. A higher level<br />
application protocol (for example: HTTP, FTP, TELNET, etc.) can layer on top of<br />
the SSL protocol transparently. The SSL protocol can negotiate an encryption<br />
algorithm and session key as well as authenticate a server before the<br />
application protocol transmits or receives its first byte of data. All of the<br />
application protocol data is transmitted encrypted, ensuring privacy. The SSL<br />
protocol provides channel security which has three basic properties:<br />
• The channel is private. Encryption is used for all messages after a simple<br />
handshake is used to define a secret key.<br />
• The channel is authenticated. The server endpoint of the conversation is<br />
always authenticated, while the client endpoint is optionally authenticated.<br />
• The channel is reliable. The message transport includes a message integrity<br />
check (using a MAC).<br />
In SSL, all data sent is encapsulated in a record, an object that is composed of a<br />
header and some non-zero amount of data. The primary goal of the SSL<br />
protocol is to provide privacy and reliability between two communicating<br />
applications. The protocol is composed of two layers. At the lowest level,<br />
layered on top of some reliable transport protocol is the SSL Record Protocol.<br />
The SSL Record Protocol is used for encapsulation of various higher level<br />
protocols. One such encapsulated protocol, the SSL Handshake Protocol, allows<br />
the server and client to authenticate each other and to negotiate an encryption<br />
algorithm and cryptographic keys before the application protocol transmits or<br />
receives its first byte of data. One advantage of SSL is that it is application<br />
protocol independent. A higher level protocol can layer on top of the SSL<br />
Protocol transparently. The SSL protocol provides connection security that has<br />
three basic properties:<br />
• The connection is private. Encryption is used after an initial handshake to<br />
define a secret key. Symmetric cryptography is used for data encryption.<br />
• The peer′s identity can be authenticated using asymmetric, or public key,<br />
cryptography.<br />
• The connection is reliable. Message transport includes a message integrity<br />
check using a keyed MAC. Secure hash functions (for example, SHA, MD5,<br />
etc.) are used for MAC computations.<br />
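The record encapsulation and keyed-MAC check described above, as an added Python example (not SSL library code; the page carries none). Keys are handed in directly instead of being derived from a handshake, the MAC is HMAC-SHA1 over sequence number, content type and plaintext, and an HMAC-derived keystream stands in for whatever bulk cipher the handshake negotiated; the request string and keys are constructed. What it shows beyond the prose: the header-plus-encrypted-(plaintext || MAC) layout of an SSL record, and that both a flipped ciphertext byte and a replayed record are rejected, the latter because the sequence number is bound into the MAC and the keystream.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # content type carried in the record header
VERSION = (3, 0)        # version bytes in the record header: SSL 3.0
MAC_LEN = 20            # HMAC-SHA1 output


class RecordChannel:
    """One direction of an SSL-style record channel after the handshake.
    Assumptions (not from the page): mac_key/enc_key are given directly; the
    MAC is HMAC-SHA1 over seq || type || length || plaintext; the 'bulk cipher'
    is an HMAC-derived keystream standing in for the negotiated symmetric
    algorithm. Layout follows SSL: header || Encrypt(plaintext || MAC)."""

    def __init__(self, mac_key: bytes, enc_key: bytes):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    def _keystream(self, seq: int, n: int) -> bytes:
        out, i = b"", 0
        while len(out) < n:
            out += hmac.new(self.enc_key, struct.pack("!QI", seq, i), hashlib.sha1).digest()
            i += 1
        return out[:n]

    def _mac(self, seq: int, ctype: int, plaintext: bytes) -> bytes:
        msg = struct.pack("!QBH", seq, ctype, len(plaintext)) + plaintext
        return hmac.new(self.mac_key, msg, hashlib.sha1).digest()

    def seal(self, plaintext: bytes, ctype: int = APPLICATION_DATA) -> bytes:
        """Sender: one record = 5-byte header + encrypted (plaintext || MAC)."""
        body = plaintext + self._mac(self.seq, ctype, plaintext)
        ks = self._keystream(self.seq, len(body))
        ciphertext = bytes(a ^ b for a, b in zip(body, ks))
        self.seq += 1
        return struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(ciphertext)) + ciphertext

    def open(self, record: bytes):
        """Receiver: parse, decrypt, check the MAC. Any failure raises, which in
        real SSL is a fatal bad_record_mac alert that ends the connection."""
        if len(record) < 5:
            raise ValueError("short record")
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        ciphertext = record[5:5 + length]
        if (major, minor) != VERSION or len(ciphertext) != length or length < MAC_LEN:
            raise ValueError("malformed record")
        body = bytes(a ^ b for a, b in zip(ciphertext, self._keystream(self.seq, length)))
        plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, self._mac(self.seq, ctype, plaintext)):
            raise ValueError("bad_record_mac")
        self.seq += 1
        return ctype, plaintext


# Constructed sample keys; a real handshake derives these from the master secret.
MAC_KEY, ENC_KEY = b"constructed-mac-key", b"constructed-enc-key"
REQUEST = b"GET /account HTTP/1.0\r\n\r\n"


def roundtrip(data: bytes = REQUEST) -> bytes:
    client, server = RecordChannel(MAC_KEY, ENC_KEY), RecordChannel(MAC_KEY, ENC_KEY)
    return server.open(client.seal(data))[1]


def detects_tampering(data: bytes = REQUEST) -> bool:
    """Flip one ciphertext byte in transit; the keyed MAC must catch it."""
    client, server = RecordChannel(MAC_KEY, ENC_KEY), RecordChannel(MAC_KEY, ENC_KEY)
    rec = bytearray(client.seal(data))
    rec[5] ^= 0x01
    try:
        server.open(bytes(rec))
    except ValueError as e:
        return str(e) == "bad_record_mac"
    return False


def rejects_replay(data: bytes = REQUEST) -> bool:
    """Delivering the same record twice fails: the receiver's sequence number
    has moved on, so neither the keystream nor the expected MAC matches."""
    client, server = RecordChannel(MAC_KEY, ENC_KEY), RecordChannel(MAC_KEY, ENC_KEY)
    rec = client.seal(data)
    server.open(rec)
    try:
        server.open(rec)
    except ValueError:
        return True
    return False
```

The receiver checks the MAC before acting on any byte of plaintext and tears the channel down on failure rather than retrying; that "fail closed" behaviour is what turns a keyed integrity check into the "reliable channel" property the text lists.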
The goals of SSL Protocol, in order of their priority, are:<br />
• Cryptographic security: SSL should be used to establish a secure connection<br />
between two parties.<br />
• Interoperability: Independent programmers should be able to develop<br />
applications utilizing SSL that will then be able to successfully exchange<br />
cryptographic parameters without knowledge of one another′s code.<br />
• Extensibility: SSL seeks to provide a framework into which new public key<br />
and bulk encryption methods can be incorporated as necessary. This will<br />
also accomplish two sub-goals: to prevent the need to create a new protocol<br />
(and risking the introduction of possible new weaknesses) and to avoid the<br />
need to implement an entire new security library.<br />
• Relative efficiency: Cryptographic operations tend to be highly CPU-intensive,<br />
particularly public key operations. For this reason, the SSL protocol has<br />
incorporated an optional session caching scheme to reduce the number of<br />
connections that need to be established from scratch. Additionally, care has<br />
been taken to reduce network activity.<br />
Figure 78. SSL and S-HTTP Protocols. Browsers that support SSL and S-HTTP can access servers that are not<br />
using security features, but non-secure browsers cannot access a secure server when its security<br />
features are enabled.<br />
8.14.3 Control Access Products to Web Sites and Home Pages<br />
The Internet is fast becoming a part of everyone’s life. And with access<br />
becoming easier and easier, the already staggering number of 30 million<br />
subscribers is growing exponentially each month. Soon nearly all people with<br />
home computers will be a part of the Internet community.<br />
This has many benefits: sharing of resources and ideas, communicating with<br />
people in remote corners of the globe, and huge amounts of readily accessible<br />
reference materials. But like any community it has its darker side. Hate mail,<br />
racist speeches, pornographic material, bomb and drug formulas, and other<br />
sensitive and inappropriate information is being sent right into our homes along<br />
with everything else.<br />
The following products are available on the Internet and are intended to<br />
prevent or block access to Web sites containing prohibited or<br />
immoral material. You can recommend them to your users when they ask<br />
how to control or block access, for example, when parents don’t want<br />
their children to see a pornographic home page.<br />
8.14.3.1 SurfWatch<br />
SurfWatch is an award-winning easy-to-use filtering software solution that<br />
parents, educators and employers can use to screen the Internet providing a<br />
unique technical alternative to government censorship. SurfWatch is provided by<br />
Spyglass and you can get more information on http://www.surfwatch.com.<br />
Evaluation Policies: A site will be blocked if it meets the following guidelines:<br />
• A disclaimer indicating restricted access; a screen or warning that identifies<br />
the site as adult-oriented or containing information unsuitable for those<br />
under age.<br />
• The publisher has requested that his/her site be blocked.<br />
• Any page or site that predominantly contains links to sites matching the<br />
following criteria:<br />
− Sexually explicit<br />
− Violence or hate speech<br />
− Drugs or alcohol<br />
− Gambling<br />
Customizing SurfWatch Filters<br />
SurfWatch may block sites that some users will want to have available, and may<br />
allow access to some sites that users may want blocked. SurfWatch products<br />
provide the ability to customize filtering according to individual standards. The<br />
SurfWatch Manager feature allows your user to customize the filters that<br />
SurfWatch employs.<br />
SurfWatch Family<br />
• SurfWatch for Windows and Macintosh<br />
SurfWatch is available for Windows95, Windows 3.1 and Macintosh and can<br />
easily be installed and used with any WWW browser. SurfWatch blocks tens<br />
of thousands of explicit sites locally at the user′s machine, without restricting<br />
the access rights of other Internet users. Filters are constantly updated<br />
using a combination of pattern-matching technologies and a tracking of<br />
known adult-oriented sites. Monthly updates provide users the most recent<br />
list of blocked sites.<br />
• SurfWatch for Microsoft Proxy Server<br />
Spyglass is offering SurfWatch for Microsoft Proxy Server. In addition to the<br />
high-speed Internet access you gain from the Microsoft Proxy Server, user<br />
organizations can take advantage of the trusted Internet content filters<br />
provided by SurfWatch.<br />
• SurfWatch for Oracle Proxy Server<br />
Spyglass announced a new alliance with Oracle. In addition to all of the<br />
advantages your users gain from the Oracle Proxy Server, user<br />
organizations can now take advantage of the trusted Internet content filters<br />
provided by SurfWatch for Oracle Proxy Server.<br />
8.14.3.2 Net Nanny<br />
Net Nanny is a software program that allows you to monitor, screen and block<br />
access to anything residing on, or running in, out or through your PC, online or<br />
off. It′s two-way screening in real-time and only you determine what is screened<br />
with the help of its site list which can be downloaded free from the Net Nanny’s<br />
Web site. It′s a complete Internet and PC management tool. It runs with all the<br />
major online providers too.<br />
Net Nanny operates on the Internet, non-Internet BBSs, all major online services<br />
such as Compuserve, AOL & Prodigy (Both proprietary and Internet components)<br />
and all local applications running on the PC.<br />
There are no monthly site update subscription fees ever.<br />
This software was designed with the safety of users′ children as top priority. But<br />
this software may also be used to prevent access to certain information on your<br />
PC. Here are some examples of the benefits of using Net Nanny:<br />
• Prevents users′ personal information (address, phone and credit card<br />
numbers) from being given out on the Internet.<br />
• Provides users with free can go and can’t go site lists to download into the<br />
screening databases.<br />
• Prevents loading, downloading and running of unauthorized software or<br />
CD-ROMs.<br />
• Prevents user-definable words, phrases, sites, URLs, Newsgroups and IRC<br />
Chat Rooms from being sent from, received by, or accessed by your PC.<br />
• Mask inappropriate words, phrases or language.<br />
• Block images too. Screen individual files once your user knows the name,<br />
like “Playmate.html”, or block GIFs or JPEGs and release the function when<br />
you′re supervising.<br />
• Prevent users′ disks and hard drives from being reformatted.<br />
• Prevent users′ files from being deleted or tampered with.<br />
• Develop users′ own screening list for sites, words, phrases and subjects.<br />
• Audit Trail of monitored sites, words, phrases and user-defined content on<br />
the PC.<br />
• Audit Trail indicates PC startup, and triggered violation shutdown item dates<br />
and times.<br />
• Operates with all major online providers and in e-mail and IRC.<br />
• Screens all PC activity including TCP/IP streams, Internet tools and other<br />
Bulletin Board Services (BBS) online, and any and all Windows or DOS<br />
applications offline.<br />
• Net Nanny has other convenient functions. Tell Net Nanny what your user<br />
does not want entered or received on his/her terminal.<br />
• Select the terminal action you want to take for violations: monitor, log,<br />
mask, warn, block, application shutdown, or all.<br />
• Installs, enables, disables or removes easily.<br />
• Administration Program allows access to all Net Nanny functions.<br />
• Leaves no extra files on disk when removed.<br />
• Parents, teachers or employers may add, modify, or delete screening list<br />
items at any time.<br />
• Parents, teachers or employers may turn Net Nanny on and off, at their own<br />
discretion.<br />
• Cannot be turned off unless done through the Administration Program.<br />
• Net Nanny operates with or without the children knowing.<br />
See http://www.netnanny.com for more information.<br />
8.14.3.3 CYBERsitter 97<br />
CYBERsitter 97 is even more advanced than previous versions. Strictly 32-bit,<br />
CYBERsitter 97 is designed for Windows 95 and Windows NT exclusively. It<br />
works with dial-up networking and network connections.<br />
CYBERsitter 97 gives the parent or other concerned individual the ability to limit<br />
their children′s access to objectionable material on the Internet. Parents can<br />
choose to block, block and alert, or simply alert them when access to these<br />
areas is attempted.<br />
Working secretly in the background, CYBERsitter analyzes all Internet activity.<br />
Whenever it detects activity the parent has elected to restrict, it takes over and<br />
blocks the activity before it takes place. If desired, CYBERsitter will maintain a<br />
complete history of all Internet activity, including attempts to access blocked<br />
material.<br />
Password protected, CYBERsitter is easy to deactivate or reconfigure by the<br />
parent, and virtually impossible for the child to detect or defeat.<br />
CYBERsitter 2.1 was picked as “Editor’s Choice” in the filtering software<br />
category by PC Magazine, April 1997.<br />
CYBERsitter includes:<br />
• Lists that can block literally thousands of World Wide Web sites that are not<br />
suitable for children. Any site that focuses on topics such as adult or sexual<br />
issues, illegal activities, bigotry, racism, drugs, or pornography is included<br />
in the list.<br />
• CYBERsitter′s bad site list also includes hundreds of USENET Newsgroups<br />
that focus on the same types of topics as the above WWW sites. You can<br />
optionally block access to all Newsgroups.<br />
• CYBERsitter can optionally block all access to Internet chat (IRC).<br />
• One of CYBERsitter′s most unique features is its state of the art phrase<br />
filtering function. Rather than block single words or pre-defined phrases,<br />
CYBERsitter actually looks at how the word or phrase is used in context. Not<br />
only does this provide an excellent blocking method for objectionable text,<br />
but it eliminates the possibility that words with double meanings will be<br />
inadvertently blocked.<br />
• It can be set to block all FTP access. This can help to keep your system safe<br />
from unauthorized downloads.<br />
• It has a built-in, one mouse click function for updating its filter file. It takes<br />
just a few seconds, and it′s always free.<br />
Its filter file is updated daily and, because the Internet changes on a daily<br />
basis, CYBERsitter gives users the capability to always be up-to-date.<br />
CYBERsitter 97 includes AutoUpdate. It is no longer necessary to manually<br />
update filter files. CYBERsitter automatically updates users′ filter files every<br />
week while users are doing other online activities. This new feature<br />
operates secretly in the background.<br />
CYBERsitter is provided by Solid Oak Software and you can find more<br />
information on http://www.solidoak.com.<br />
Figure 79. CYBERtimer Control Access Product<br />
8.14.3.4 CYBERtimer<br />
CYBERtimer is a program for Windows 95 Internet access control and is part of<br />
the CYBERsitter family of products designed to help parents, educators, and<br />
other adults responsible for children’s Internet access to better manage their<br />
time online as well as protect them from objectionable material.<br />
Designed as two separate utilities, CYBERtimer and CYBERsitter can be used<br />
separately or together to suit user needs. CYBERtimer was developed primarily<br />
at the request of a great number of CYBERsitter’s customers. While CYBERsitter<br />
does an outstanding job of restricting access to objectionable material on the<br />
Internet, many customers have reported that their children spend far too much<br />
time online and have become “Internet junkies”. Others report finding that their<br />
children have been spending half the night in chat rooms while their parents<br />
thought they were asleep.<br />
CYBERtimer addresses these problems by allowing parents to specify a<br />
maximum amount of time online a child can spend on a daily, weekly, or monthly<br />
basis. Additionally, parents can specify a time period when Internet access will<br />
be allowed.<br />
Features include:<br />
• Simple 1 minute setup<br />
• Control online access by time of day<br />
• Specify an allowable number of hours online per day, week, or month<br />
• Easily reconfigure when needed<br />
• Password protected<br />
• Works with America On-line<br />
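The controls the products above offer (category block lists, parent-defined overrides, time-of-day windows and daily quotas) together with the allowed-sites mode and directory-level matching that the Cyber Patrol section below describes reduce to a small policy engine. The following is an added illustration, not code from any of these products; the category list, host names, the 07:00 to 21:00 window and the 120-minute quota are constructed sample data. It shows the one behaviour the prose only hints at: with path-level entries, one directory of a host can be blocked while the rest of the host stays reachable.

```python
from datetime import datetime, time
from urllib.parse import urlsplit

# Constructed sample category list (no vendor's real list). Keys are
# (host, path-prefix); an empty prefix covers the whole host, a longer prefix
# covers only that directory.
SAMPLE_CATEGORIES = {
    ("casino.example", ""): "gambling",
    ("portal.example", "/adult/"): "adult",
    ("news.example", ""): "news",
}


def _host_matches(host: str, entry: str) -> bool:
    return host == entry or host.endswith("." + entry)


def categorize(url: str, categories=SAMPLE_CATEGORIES):
    """Category of the most specific matching entry, or None. Hosts match
    exactly or as a parent domain; the longest matching path prefix wins."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    best = None
    for (h, prefix), cat in categories.items():
        if _host_matches(host, h) and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, cat)
    return best[1] if best else None


class AccessPolicy:
    """Access rules of the kind the products above offer. mode="block" lets the
    user go anywhere except blocked categories; mode="allow" restricts the user
    to the allowed-sites list. Overrides are the parent's own always-allow /
    always-block decisions for a host."""

    def __init__(self, mode="block", blocked_categories=(), allowed_sites=(),
                 overrides=None, window=(time(7, 0), time(21, 0)), daily_quota_min=120):
        assert mode in ("block", "allow")
        self.mode = mode
        self.blocked = frozenset(blocked_categories)
        self.allowed_sites = frozenset(s.lower() for s in allowed_sites)
        self.overrides = {k.lower(): v for k, v in (overrides or {}).items()}
        self.window = window
        self.quota = daily_quota_min

    def decide(self, url: str, now: datetime, minutes_used_today: int):
        """Returns (decision, reason). Time rules first, then per-host
        overrides, then the list mode."""
        start, end = self.window
        if not (start <= now.time() <= end):
            return "block", "outside allowed hours"
        if minutes_used_today >= self.quota:
            return "block", "daily quota used"
        host = (urlsplit(url).hostname or "").lower()
        for h, verdict in self.overrides.items():
            if _host_matches(host, h):
                return verdict, "override for " + h
        if self.mode == "allow":
            ok = any(_host_matches(host, s) for s in self.allowed_sites)
            return ("allow", "on allowed list") if ok else ("block", "not on allowed list")
        cat = categorize(url)
        if cat in self.blocked:
            return "block", "category:" + cat
        return "allow", ""


def at(hour: int, minute: int = 0) -> datetime:
    """A fixed sample date (constructed) for illustrating the time window."""
    return datetime(2024, 1, 1, hour, minute)


def family_policy() -> AccessPolicy:
    """Sample block-list policy: adult and gambling blocked, one chat host
    blocked by the parent although it has no category entry."""
    return AccessPolicy(mode="block", blocked_categories={"adult", "gambling"},
                        overrides={"chat.example": "block"})
```

Evaluation order matters: checking the time window and quota before any list lookup means an allowed site is still unreachable at 23:00, and putting parent overrides before the vendor list is what "customize the filters" in the SurfWatch description amounts to.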
8.14.3.5 Cyber Patrol<br />
Cyber Patrol is an Internet access management utility that parents and teachers<br />
use to control children′s access to the Internet.<br />
It allows those responsible for children to restrict access to certain times of day,<br />
limit the total time spent online in a day, and block access to Internet sites they<br />
deem inappropriate. Cyber Patrol also can be used to control access to the<br />
major online services and to local applications such as games and personal<br />
financial managers.<br />
Cyber Patrol comes loaded with Microsystems Software’s CyberNOT List, a<br />
listing of researched Internet sites containing materials which parents may find<br />
questionable, as well as the CyberYES List, a listing of researched Internet<br />
sites containing fun and educational material for children. Parents can choose<br />
to use either the CyberNOT Block List or the CyberYES Allowed Sites List<br />
according to the individual child′s needs. Using the block list allows users to go<br />
everywhere except to prohibited sites. Using the allowed sites list restricts the<br />
user to only the sites on the list.<br />
The block list is divided into categories and access can be managed down to the<br />
file directory or page level. This means that appropriate material at an Internet<br />
address need not be blocked simply because there is some restricted material<br />
elsewhere at the address. Parents and teachers may select all or any of the<br />
categories to be blocked by general content, time of day, or specific Internet site.<br />
More information can be found on http://www.cyberpatrol.com.<br />
8.15 Security Mailing Lists<br />
The UNIX Security Mailing List exists to notify system administrators of security<br />
problems before they become common knowledge, and to provide security<br />
enhancement information. It is a restricted-access list, open only to people who<br />
can be verified as being principal systems people at a site. Requests to join the<br />
list must be sent by either the site contact listed in the Defense Data Network′s<br />
Network Information Center′s (DDN NIC) WHOIS database, or from the root<br />
account on one of the major site machines. You must include the destination<br />
address you want on the list, an indication of whether you want to be on the mail<br />
reflector list or receive weekly digests, the electronic mail address and voice<br />
telephone number of the site contact if it isn′t you, and the name, address, and<br />
telephone number of your organization. This information should be sent to<br />
SECURITY-REQUEST@CPD.COM.<br />
The RISKS digest is a component of the ACM Committee on Computers and<br />
Public Policy. It is a discussion forum on risks to the public in computers and<br />
related systems, and along with discussing computer security and privacy<br />
issues, has discussed such subjects as the Stark incident, the shooting down of<br />
the Iranian airliner in the Persian Gulf (as it relates to the computerized<br />
weapons systems), problems in air and railroad traffic control systems, software<br />
engineering, and so on. To join the mailing list, send a message to<br />
RISKS-REQUEST@CSL.SRI.COM. This list is also available in the USENET<br />
newsgroup comp.risks.<br />
The VIRUS-L list is a forum for the discussion of computer virus experiences,<br />
protection software, and related topics. The list is open to the public, and is<br />
implemented as a moderated digest. Most of the information is related to<br />
personal computers, although some of it may be applicable to larger systems.<br />
To subscribe, send to the address<br />
LISTSERV%LEHIIBM1.BITNET@MITVMA.MIT.EDU the line:<br />
SUB VIRUS-L your full name<br />
This list is also available via the USENET newsgroup comp.virus.<br />
The TCP/IP Mailing List is intended to act as a discussion forum for developers<br />
and maintainers of implementations of the TCP/IP protocol suite. It also<br />
discusses network-related security problems when they involve programs<br />
providing network services, such as Sendmail. To join the TCP/IP list, send a<br />
message to TCP/IP-REQUEST@NISC.SRI.COM. This list is also available in the<br />
USENET newsgroup comp.protocols.tcp/ip. The USENET groups misc.security<br />
and alt.security also discuss security issues. Misc.security is a moderated group<br />
and also includes discussions of physical security and locks. Alt.security is<br />
un-moderated.<br />
Chapter 8. Internet Security 265
266 The Technical Side of Being an Internet Service Provider<br />
This soft copy for use by <strong>IBM</strong> employees only.
This soft copy for use by <strong>IBM</strong> employees only.<br />
Chapter 9. Capacity Planning<br />
9.1 Introduction<br />
This chapter contains useful information for doing efficient server capacity planning,<br />
as well as considerations about programming, domain and IP addressing, staff<br />
members and how to estimate the costs that are involved in building your ISP<br />
environment.<br />
Sizing a Web server for the Internet can be a very difficult task. The Internet<br />
includes millions of interconnected individuals who are navigating from one Web<br />
server to the next in search of information that has value to them.<br />
Rapid advances in Internet technology are changing the way we work. New<br />
software and hardware technologies are announced every day. Selecting the<br />
proper server hardware is vital to those ISPs who want to be productive now and<br />
in the future. Internet applications need servers capable of providing information<br />
that is available full-time with good performance.<br />
Availability and performance are fundamental requirements when we talk about<br />
servers that will be connected to the Internet and about the recommendations at<br />
the end of this chapter. No Internet user likes to wait to receive<br />
information. You need to guarantee that your server will deliver information<br />
fast so that these users will want to be consumers of your products and<br />
services.<br />
Today you can use all existing platforms to deliver information on the Internet,<br />
such as Intel and RISC-based machines, AS/400 and mainframes. You need to<br />
choose the system that fills your performance needs and investment limits.<br />
Another consideration that you must keep in mind during capacity planning<br />
is that the operating system on which your server is going to run is probably the<br />
decisive factor in your choice of an Internet programming language. Not all<br />
Internet programming languages are available on every platform.<br />
This fact is not only essential when you plan to develop Internet or intranet<br />
applications, but also if you consider migrating your server to another platform.<br />
As with equipment and programming applications, the initial evaluation process<br />
should take into account the number of staff and the level of expertise necessary<br />
to plan, build, launch and maintain the ISP’s site.<br />
The following sections describe the considerations necessary when choosing a<br />
hardware system, a programming interface, your staff members and a lot of<br />
other important information, as well as planning for future expansion.<br />
9.2 Content Type<br />
To specify the size of your Web content, you must first attempt to measure the<br />
amount of data that is likely to flow to and from your Web site. Initially, doing so<br />
can be difficult because if you are offering something new and unusual on your<br />
site, you may see much more traffic than you expect; some popular sites<br />
generate 100,000 hits a day, hits being the number of times a day that your<br />
site is visited.<br />
The physical size of the Web content is important in looking at the resources<br />
required for a server, indicating the necessary data storage requirements.<br />
A major portion of the content on the Web is static. This includes both images<br />
and textual data. The CPU resources required to serve such data are minimal.<br />
The <strong>IBM</strong> server products have a large performance range from basic Intel<br />
processor-based systems to highly parallel processing servers.<br />
Additionally, when the content on the Web server is dynamically generated,<br />
substantial processing resources may be required. Dynamic content on a Web<br />
site can be generated in many ways, from a simple counter that displays the<br />
number of hits that a page has received, to a system that uses analysis of user<br />
clicks to tailor the information (and advertisements in some cases) that the user<br />
sees at the site. In some configurations, there are still situations where the<br />
performance is network bound.<br />
The best choice is to talk with other network administrators to get an idea of how<br />
they approached estimating their needs, and then ask how well (or badly) they<br />
think they did.<br />
Generally, a Web text page is about 500 words, or about 7 KB, but as soon as<br />
you add a graphic or two, you must increase this size estimate. Maybe<br />
something like 30 KB or 50 KB is a reasonable starting point. So use this<br />
number if you have not yet designed any of your Web pages.<br />
To get an idea of the traffic all this involves, multiply the hit rate you expect by<br />
the average size of your Web pages; for example, if you expect a hit rate of<br />
10,000 a day, and your average Web page is 50 KB, your daily server traffic will<br />
be on the order of 5,000 MB of data.<br />
You can take these calculations further and estimate your average hourly traffic,<br />
but remember that the Internet pays no attention to time zones; it is always<br />
there, not just for an 8-hour workday, but 24 hours every day. You will certainly<br />
see peaks and troughs in your hit rates during any 24-hour period. For example,<br />
when it is 8:00 p.m. in Europe, and people are accessing your site after a day at<br />
work, it is only noon in California, and it is still early in the morning in Alaska<br />
and Hawaii.<br />
9.2.1 Internet Services<br />
Besides all of the considerations above, you cannot forget about the other<br />
services you plan to offer on your ISP, such as:<br />
• E-mail<br />
• POP (Post Office Protocol)<br />
• FTP<br />
• Telnet<br />
• SMTP<br />
• Chat<br />
• Gopher<br />
You can find detailed information about each one of these services in<br />
Chapter 4, “Internet Services” on page 133.<br />
9.2.2 Electronic Commerce<br />
Because Electronic Commerce requires special protocols to address the security<br />
issues involved in this service (see more information in Chapter 6, “Electronic<br />
Commerce” on page 159), the average size of the files exchanged between<br />
the users and the ISP in business transactions increases.<br />
Basically, the users have to fill out forms with some personal and financial<br />
information, as well as some technical information about the product or service<br />
that they want to buy and/or sell through the Internet.<br />
Generally, this service generates a high number of hits a day because of these<br />
characteristics, mainly if your E-Commerce site becomes well known to users.<br />
The link bandwidth must be high enough to provide an acceptable response time<br />
for all customers.<br />
9.3 Number of Clients<br />
The number of simultaneous users of a site is very challenging to characterize.<br />
Unlike other types of client/server architectures, the weight of an individual client<br />
on the Web server is quite small and short-lived. Connections to a Web server<br />
are traditionally stateless sessions that begin with an open from the client, a<br />
request for data, a server reply with data, and then the session closes.<br />
Depending on the speed of the network connection, the size of the data<br />
requested and the server load, this session can last from tenths to tens of<br />
seconds.<br />
Table 29 compares several communications technology circuits in terms of the<br />
maximum available bandwidth. It is important to emphasize that there are many<br />
other influencing factors that come into play when you attempt to calculate<br />
actual bandwidth rates, including protocol overhead, the speed of intermediate<br />
connecting circuits, configuration of intermediate host computer systems, and<br />
many others. But the information below can give you some initial dimensions.<br />
<table>
<caption>Table 29. Comparison of Maximum Bandwidth and Maximum Number of Users for Popular Internet Connections</caption>
<tr><th>Connection Type</th><th>Maximum Bandwidth</th><th>Maximum Number of Users</th></tr>
<tr><td>V.32 or V.42 modem</td><td>14.4 kbps</td><td>1 to 3</td></tr>
<tr><td>V.34 modem</td><td>28.8 kbps</td><td>1 to 3</td></tr>
<tr><td>V.34-1996 modem</td><td>33.6 kbps</td><td>1 to 3</td></tr>
<tr><td>56 k modem</td><td>56 kbps</td><td>1 to 3</td></tr>
<tr><td>Frame relay</td><td>56 kbps</td><td>10 to 20</td></tr>
<tr><td>ISDN</td><td>128 kbps</td><td>10 to 55</td></tr>
<tr><td>Fractional T1</td><td>64 kbps increments</td><td>10 to 20</td></tr>
<tr><td>T1</td><td>1.544 Mbps</td><td>100 to 500</td></tr>
<tr><td>T3</td><td>44.736 Mbps</td><td>more than 5,000</td></tr>
</table>
You can check a couple of other places to help build these estimates. If your<br />
Web site will be designed primarily to help handle technical support material,<br />
ask the existing Technical Support staff how many calls a day they get, or if your<br />
site will offer customer service information, ask the current staff to describe their<br />
workload.<br />
9.4 Bandwidth<br />
In working with a customer to size up a Web solution, it is important to<br />
understand the implications of the speed of the networking connection to the<br />
Web server. More often than not, many potential Web content providers are very<br />
focused on the vague hits per day quantity. The level of traffic that a particular<br />
Web server can support will be dependent on the server type, the content<br />
accessed on the server and the speed of the connection of the server to the<br />
intra/Internet environment.<br />
An Internet service provider will deliver a connection of defined speed.<br />
The simplest kind of connection to the Internet is via a dial-up connection,<br />
sometimes called an on-demand connection. This can be through a conventional<br />
modem or through a digital system such as ISDN. This type of connection is<br />
only available part time, as its name suggests, and is not really suitable for an<br />
ISP that should be available 24 hours every day. Besides that, the dial-up<br />
connection has little or no extra bandwidth to allow for future expansion.<br />
The most commonly used protocols for dial-up connections are SLIP and PPP,<br />
but because SLIP lacks error-correction capabilities, it is slowly being replaced by<br />
PPP. PPP, on the other hand, provides router-to-router, host-to-router,<br />
and host-to-host connections, as well as an automatic method of assigning an IP<br />
address so that mobile users can connect to the network at any point.<br />
A leased line, also known as a dedicated circuit, by contrast is always<br />
available and can be provided by modem, by ISDN, and by many other kinds of<br />
communication circuits. For most Web servers, these connection options<br />
make much more sense.<br />
Needless to say, the price of the service rises with the available bandwidth.<br />
9.4.1 Formulas for Bandwidth Use<br />
The following formula provides a general idea of the amount of bandwidth used<br />
in any one time period:<br />
wo + wi + eo + ei + is + ms - ch = tb<br />
where:<br />
wo = WWW output (information sent to external requests)<br />
wi = WWW input (information retrieved for internal requests)<br />
eo = e-mail out<br />
ei = e-mail in<br />
is = Internet services (news, Telnet, FTP, audio and video, and so on)<br />
ms = management services (DNS, routing information, and so on)<br />
ch = caching (via WWW browsers or servers, or a local news server)<br />
tb = total bandwidth<br />
9.4.1.1 A Very Simple Example<br />
To determine the bandwidth usage for a small computer consulting firm, we can<br />
see the following example using the previous formula:<br />
6 staff receiving 20 e-mail per day = 120 e-mail messages<br />
6 staff sending 10 e-mail per day = 60 e-mail messages<br />
4 development staff with WWW access = 6 MB access per day<br />
2 support staff with WWW access = 2 MB access per day<br />
Complete Usenet feed = 60 MB<br />
Telnet sessions to clients = 500 KB per day<br />
FTP of files to/from clients = 1.5 MB per day<br />
FTP files for demos/bug fixes = 4 MB per day<br />
Management services = 20 bytes/datagram x approx. 370,000 datagrams<br />
Accesses to WWW site per day = 75<br />
Total size of WWW site = 3.2 MB<br />
Average Amount of WWW site viewed = 40 %<br />
Caching = Little other than USENET news feeds (Each person works in a<br />
separate development area.)<br />
The total bandwidth used in one day would be:<br />
wo = 75 x 3.2 MB x 0.4 = 96 MB<br />
wi = 6 MB + 2 MB = 8 MB<br />
eo = 60 x 8 KB ⇒ approx. 0.5 MB<br />
ei = 120 x 8 KB ⇒ approx. 1 MB<br />
is = 60 + 0.5 + 1.5 + 4 = 66 MB<br />
ms = 20 x approx. 370,000 ⇒ approx. 7 MB<br />
ch = NA<br />
tb = 178.5 MB<br />
Bandwidth via 28.8 kbps connection per day is, therefore:<br />
28,800 bps x 60 s/min x 60 min/hr. x 24 hrs. = 2,488,320,000 bits<br />
2,488,320,000 ÷ 8 bits/B x 1,024 B/KB x 1,024 KB/MB ⇒ approx. 296 MB per<br />
day<br />
At first glance, a 28.8 kbps dedicated connection seems sufficient for the<br />
consulting firm. Unfortunately, the actual usable bandwidth for staff activities is<br />
much lower:<br />
296 MB x (7.5 ÷ 24) = 92.5 MB per work day<br />
The lower amount of bandwidth is due to the limited number of work hours per<br />
day. All activity based on human access in the office and the local area<br />
generally takes place in a 7.5-hour period. As a result, the total bandwidth used<br />
during each business day is better estimated as follows:<br />
wo = 75 x 3.2 MB x 0.4 x 0.7 ⇒ approx. 67 MB<br />
wi = 6 MB + 2 MB = 8 MB<br />
eo = 60 x 8 KB ⇒ approx. 0.5 MB<br />
ei = 120 x 8 KB ⇒ approx. 1 MB<br />
is = 0.5 + 1.5 + 4 = 6 MB<br />
ms = 20 x approx. 160,000 ⇒ approx. 3 MB<br />
ch = NA<br />
tb = 85.8 MB<br />
In the revised table, the amount of WWW output is reduced by 30 percent to<br />
account for after-hours accesses, and the Internet services value is reduced by<br />
the entire USENET feed. Because the feed can take place at one time during<br />
off-peak hours, that amount need not be included in the daytime bandwidth<br />
usage. Consequently, the management services overhead is reduced due to the<br />
lower number of datagrams required to handle the information.<br />
In this example, the total utilization is 85.5 MB ÷ 92.5 MB or approximately 92<br />
percent. This level of utilization probably is sustainable, although staff and<br />
clients will likely experience slow-downs during peak periods of the day (8:00 to<br />
9:30 a.m. and 1:00 to 2:30 p.m.). The actual degree of lag depends on the work<br />
habits of both your staff and clients.<br />
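The 9.4.1 formula and the consulting-firm example above, carried through in Python as an added example (not code from the Redbook): it rebuilds tb for the full day and for the 7.5-hour work day, compares it with what a 28.8 kbps circuit can carry, and picks the slowest Table 30 circuit that stays under a chosen utilization target. All input figures are the hypothetical scenario values quoted in the text.

```python
"""Daily bandwidth budget from the 9.4.1 formula:

    wo + wi + eo + ei + is + ms - ch = tb

Added example, not code from the Redbook. The inputs are the hypothetical
consulting-firm figures quoted in the text; the circuit speeds are the
modem/ISDN/T1 rates listed in Table 30.
"""
from dataclasses import dataclass

KB = 1024
MB = 1024 * KB


@dataclass
class Usage:
    """One day's traffic components, all in bytes."""
    wo: float        # WWW output: site data served to outside requests
    wi: float        # WWW input: pages retrieved by staff
    eo: float        # e-mail out
    ei: float        # e-mail in
    is_: float       # Internet services (news feed, Telnet, FTP, ...)
    ms: float        # management services (DNS, routing, datagram overhead)
    ch: float = 0.0  # caching: bytes that never cross the link

    def total(self) -> float:
        """tb = wo + wi + eo + ei + is + ms - ch"""
        return self.wo + self.wi + self.eo + self.ei + self.is_ + self.ms - self.ch


def firm_usage(web_share: float = 1.0, feed_bytes: float = 60 * MB,
               datagrams: int = 370_000) -> Usage:
    """The consulting-firm scenario from the text (constructed values).

    web_share scales WWW output (0.7 drops the after-hours accesses),
    feed_bytes is the USENET feed (0 when it runs off-peak), and datagrams
    is the count carrying 20 bytes of header overhead each.
    """
    return Usage(
        wo=75 * 3.2 * MB * 0.4 * web_share,   # 75 hits, 40 % of a 3.2 MB site
        wi=6 * MB + 2 * MB,                   # development + support staff
        eo=60 * 8 * KB,                       # 6 staff x 10 messages x 8 KB
        ei=120 * 8 * KB,                      # 6 staff x 20 messages x 8 KB
        is_=feed_bytes + 500 * KB + 1.5 * MB + 4 * MB,  # news, Telnet, FTP
        ms=20 * datagrams,
        ch=0.0,                               # nothing cached but the feed
    )


def link_capacity(bps: int, hours: float = 24.0) -> float:
    """Bytes a link of the given bit rate can carry in `hours` of use."""
    return bps * hours * 3600 / 8


def utilization(usage: Usage, bps: int, hours: float) -> float:
    """Fraction of the link's capacity that the usage would consume."""
    return usage.total() / link_capacity(bps, hours)


# Circuit speeds (bps) taken from the Table 30 line options.
LINE_OPTIONS = [28_800, 33_600, 56_000, 64_000, 128_000, 1_544_000]


def smallest_link(usage: Usage, hours: float, max_util: float = 0.7,
                  options=LINE_OPTIONS):
    """Slowest listed circuit that keeps utilization at or under max_util.

    Returns None when even the fastest option is over the target.
    """
    for bps in sorted(options):
        if utilization(usage, bps, hours) <= max_util:
            return bps
    return None


if __name__ == "__main__":
    full_day = firm_usage()
    work_day = firm_usage(web_share=0.7, feed_bytes=0, datagrams=160_000)
    print(f"tb over 24 h:         {full_day.total() / MB:6.1f} MB")
    print(f"tb over work day:     {work_day.total() / MB:6.1f} MB")
    print(f"28.8 kbps, 24 h:      {link_capacity(28_800) / MB:6.1f} MB")
    print(f"28.8 kbps, 7.5 h:     {link_capacity(28_800, 7.5) / MB:6.1f} MB")
    print(f"utilization:          {utilization(work_day, 28_800, 7.5):6.1%}")
    print(f"link for 70 % target: {smallest_link(work_day, 7.5)} bps")
```

Lowering max_util to the 70 percent that leaves headroom for the peak periods the text mentions moves the answer from the 28.8 kbps line to a 56 kbps modem.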
9.4.2 Internal and External Connections<br />
In general, Internet sites with largely static data use an Ethernet LAN for the<br />
intranet (internal connection). Sites with high-bandwidth connections to the<br />
Internet and intranet sites can use FDDI.<br />
Sites that will generate significant Web content in response to user actions or<br />
potential E-Commerce sites should consider the FDDI technology for the intranet<br />
as their internal connection and T1 lines to the Internet backbone as their<br />
external connection.<br />
In Chapter 2, “Connectivity” on page 5 you can find all the information<br />
available to define the type of the most used upstream (connection between your<br />
ISP and the Internet backbone) or downstream connections (connection between<br />
your ISP and the users) and what you need to know about them.<br />
Table 30 gives some examples of the most used types of connection:<br />
<table>
<caption>Table 30. Line Options</caption>
<tr><th>Category</th><th>Service Grade</th><th>Circuit Speed</th></tr>
<tr><td rowspan="5">Dial-up Modems</td><td>9.6 modem</td><td>9.6 kbps</td></tr>
<tr><td>14.4 modem</td><td>14.4 kbps</td></tr>
<tr><td>28.8 modem</td><td>28.8 kbps</td></tr>
<tr><td>33.6 modem</td><td>33.6 kbps</td></tr>
<tr><td>56k modem</td><td>56 kbps</td></tr>
<tr><td rowspan="2">Low-speed</td><td>DS0</td><td>56/64 kbps</td></tr>
<tr><td>Fractional T1</td><td>56/64 kbps up to 1.544 Mbps</td></tr>
<tr><td rowspan="2">Medium-speed</td><td>T1 (DS1)</td><td>1.544 Mbps</td></tr>
<tr><td>E1</td><td>2.048 Mbps</td></tr>
<tr><td rowspan="2">High-speed</td><td>E3</td><td>34.368 Mbps</td></tr>
<tr><td>T3 (DS3)</td><td>44.736 Mbps</td></tr>
<tr><td rowspan="4">Intranet or Network Connection</td><td>Ethernet</td><td>10 Mbps</td></tr>
<tr><td>Token-ring</td><td>16 Mbps</td></tr>
<tr><td>FDDI and Fast Ethernet</td><td>100 Mbps</td></tr>
<tr><td>ATM</td><td>155 Mbps up to 622 Mbps</td></tr>
</table>
Which connection methodology is best for your ISP depends largely on the<br />
services and issues that are important to you. In every case, examine the<br />
following factors to determine their importance to your organization:<br />
• Internal connectivity needed<br />
• WWW bandwidth needed<br />
• Type of information provided<br />
• Tolerance for delays or failures<br />
• Technical expertise available<br />
• Complexity of the WWW site<br />
• Availability of connectivity options<br />
• Costs of connectivity options<br />
• Security issues of each option<br />
• Site size<br />
9.5 Telephone Lines<br />
One of the first questions that you can ask yourself after estimating the number<br />
of clients and your bandwidth to the Internet backbone is the following:<br />
How many phone lines do I need?<br />
To start, it pretty much depends on your budget. Initially, we can estimate that<br />
you can have 8-10 lines, once you′re ready to give your system a bit of publicity.<br />
But it really all depends on your market and how high a profile you can maintain.<br />
As a general rule, ten users per line is suggested for conventional dial-up<br />
connections.<br />
After about 400 users, it goes to about 12:1 and then goes to 15:1 around 1000.<br />
(These are only estimates based on vague sources of data input.)<br />
If you have under 16 lines on your system, you may wind up having to buy a line<br />
for every 6-8 users.<br />
Permanent SLIP connections by definition take precisely one dial-up line per<br />
user, and should be priced accordingly. Some people have gone to 4-6 users<br />
per line even for non-permanent SLIP.<br />
Here is a summary of what can happen when your telephone lines go over that<br />
ratio:<br />
• Good services will have a ratio of 10 to 12 users per line. At this level, you<br />
generally will not see busy signals except for brief periods of time during<br />
peak hours (which are usually 5:00 p.m. until midnight local time). Users<br />
seem not to mind at all if they get a busy signal for a couple of minutes<br />
every few days, so it seems to be OK.<br />
• At a ratio around 15:1, you see people talking about longer periods of busy<br />
signals (10 minutes or more) regularly every night, and you start to get complaints.<br />
• At 18:1, your users start defecting en masse as they can′t get on for hours<br />
on end.<br />
• Above this rate, for example, 20:1, you can have a terrible situation where<br />
several hundred defecting customers will be very displeased with your<br />
service.<br />
Finally, don’t forget that lines can take a long time to install. We recommend<br />
that you allow at least 2-4 months of lead time from when you decide to add more lines<br />
to when they are live. Some examples of time-delaying problems:<br />
• V.34 chip shortages industry wide put new modem orders on hold.<br />
• Telephone company can run into facility problems at your location.<br />
• Telephone company can mess up your order and take weeks to straighten it<br />
out.<br />
• Electrical upgrades required.<br />
• Wiring upgrades.<br />
• UPS/power backup upgrades.<br />
We are sure there is a slew of other possible problems that can arise. If you are<br />
at 12:1 now and decide to put new lines in, you are too late; expect possibly a<br />
few months of busy signals. And add more lines than you need; being proactive is the<br />
key.<br />
This is especially good advice for a large ISP that runs sizable numbers of lines<br />
and has to order lines in bulk.<br />
9.6 Networking Hardware<br />
The basic networking hardware components to build an ISP environment are the<br />
following:<br />
• Upstream Connection<br />
− Router<br />
− CSU/DSU<br />
− Hub<br />
• Downstream Connection<br />
− Remote Access Server<br />
− Modem<br />
You can find a lot of information about this networking hardware and the <strong>IBM</strong><br />
products you can use to implement these connections in 2.2.3, “Networking<br />
Hardware” on page 17.<br />
9.6.1 Upstream Connection<br />
There are some <strong>IBM</strong> products that you can use to plan and build the ISP’s<br />
upstream connection: the 2210 / 2216 routers and the 8224 / 8237 hubs.<br />
9.6.1.1 Router<br />
The most important characteristics that you should observe in a router are:<br />
• Performance: The more connections and bandwidth you have, the more pps<br />
(packets per second) is required from the router.<br />
• Management: The more management tools your router has to indicate what is<br />
happening and to allow easy adjustment and restoration of parameters, the<br />
easier it is to track problems and errors and keep your ISP site<br />
operational with good performance.<br />
• Routing protocols: Try to choose a router that offers the widest range of<br />
protocol support and configuration options. The most common routing protocols<br />
used on the Internet are RIP, OSPF and BGP-4.<br />
• Filters: Security capabilities are very important too. The router should<br />
include basic filter capabilities to permit or deny a specific packet<br />
flow, as well as support for firewall capabilities should you want them in the future.<br />
There are some other useful characteristics that you should verify before buying<br />
a router:<br />
• Dial On-Demand: Capability of the router to establish a telephone connection<br />
only when necessary. This can be useful in scenarios where telephone<br />
connection time is at a premium, because it is a long distance call, or if your<br />
telephone company is charging you less with the understanding that the line<br />
will not be used 24-hours a day.<br />
• Dynamic Redial: Capability to sense that the telephone connection has been<br />
broken, and to automatically attempt to reestablish the connection. This<br />
could be useful if you occasionally or frequently receive noisy telephone<br />
connections or have other problems, such as power outages.<br />
• Expandability: An extremely useful capability of a router. For example, you<br />
may be able to use your SLIP/PPP router over normal telephone lines, and<br />
then upgrade to another data link technology, such as ISDN or leased lines,<br />
when it becomes available or affordable. It is also a good idea to purchase<br />
a router that can have its software updated easily, just in case you need to<br />
receive updates from your vendor.<br />
Finally, if you intend to buy an <strong>IBM</strong> router, you can find useful technical<br />
information about them on 2.2.3.3, “<strong>IBM</strong> 2210” on page 20 and 2.2.3.4, “<strong>IBM</strong><br />
2216” on page 30.<br />
9.6.1.2 CSU/DSU<br />
The Channel Service Unit/Data Service Unit (CSU/DSU) you need depends on the<br />
connection speed and the characteristics of your network. In general, it is a V.35<br />
interface and is already provided in routers with DSU functionality, which<br />
reduces your investment because it is much cheaper than buying a separate<br />
DSU unit.<br />
9.6.1.3 Hub<br />
This equipment, although not directly related to the upstream connection, will be<br />
present in your ISP network to connect the equipment in your network, such as<br />
routers and servers, in a star cabling topology (Ethernet LAN type) or in a ring<br />
topology (token-ring LAN type).<br />
The most commonly used hubs are Ethernet with RJ45 connectors, but you can<br />
also have hubs that support token-ring, FDDI or ATM.<br />
In general, you have to consider the following characteristics before buying<br />
your hub(s):<br />
• Number of ports<br />
• Media expansion ports<br />
• Stackable function<br />
• Segmentation support<br />
• Cascading support through its media expansion ports<br />
• Provides centralized management of remote sites and branch offices<br />
• Supports MIB-II (RFC 1213), the hub repeater MIB (RFC 1516), and the Novell<br />
Repeater MIB through the SNMP agent<br />
• Supports SNMP over IP and IPX ports<br />
You can find useful technical information about hubs in 2.2.3.5, “<strong>IBM</strong> 8224” on<br />
page 37 and 2.2.3.6, “<strong>IBM</strong> 8237” on page 42.<br />
9.6.2 Downstream Connection<br />
There are also two <strong>IBM</strong> products that you can use in your ISP environment for<br />
the Remote Access Server in downstream connections: the <strong>IBM</strong> 8235 / 8235-I40.<br />
You can find detailed information in 2.3.3.3, “<strong>IBM</strong> 8235” on page 67 and 2.3.3.4,<br />
“<strong>IBM</strong> 8235-I40” on page 90.<br />
9.6.2.1 Remote Access Server (RAS)<br />
The RAS requirements also depend on the connection type. If you are going to<br />
use dial-up only with modems, the RAS must have the following characteristics:<br />
• A number of serial ports available<br />
• Cascading support if you need more than one RAS to serve all users<br />
through the serial ports<br />
On the other hand, if you are going to use an ISDN connection, the RAS must have<br />
the ISDN PRI (Primary Rate Interface) support feature besides those mentioned above.<br />
Finally, if you are going to use leased and/or dedicated connections, the usual<br />
way of establishing these links is through routers on both sides (ISP and user′s<br />
side), so the RAS is not used in this case.<br />
Some other characteristics that you can look for before buying your RAS are:<br />
• Multiprotocol support<br />
• Virtual connections<br />
• Persistent connections<br />
• Spoofing<br />
• Client Event Log Applications<br />
• Management<br />
• Security features<br />
9.6.2.2 Modems<br />
When planning your ISP site, take care to select a high-quality modem to save<br />
yourself a great deal of hassle in the long run. Low-quality modems, on the other<br />
hand, are not necessarily slower; they are just less reliable due to software and<br />
hardware bugs. They also are often difficult or impossible to upgrade. Don’t<br />
assume that well-known modem manufacturers necessarily have the highest<br />
quality of modems; the opposite is often the case.<br />
To find a high-quality modem, read multiple reviews of modems written by<br />
independent third parties. You can find such reviews in the trade press, on the<br />
Web, or in USENET (comp.dcom.modems, for example). Keep in mind that<br />
reviews are often aimed at the consumer market, rather than at using the<br />
modem for a dedicated connection. In addition, it is important to find out if a<br />
given modem works with the software, operating system, and hardware you<br />
intend to use.<br />
Some large, well-known modem manufacturers sell modems at a cost that is<br />
quite low, compared to their lesser-known competitors. People buy these<br />
modems due to name recognition, and the fact that everybody else seems to be<br />
buying them.<br />
Unfortunately, some time later you are surprised to discover that your<br />
modem is unstable, and that the manufacturer is offering a “free upgrade” to the<br />
modem’s firmware, which fixes the problem(s).<br />
Information about upgrades and bug fixes is generally available from the modem<br />
manufacturer’s telephone support line, BBS, or Web site.<br />
Another point is that today’s modems come with a wide<br />
range of features, from fax capabilities to being able to store the phone numbers<br />
of incoming calls, to dial-back capability. Given that you are going to use these<br />
modems for a dial-up connection with your users, many of these features are of<br />
very limited use to you. One feature that can prove invaluable, however, is the<br />
capability to perform upgrades to the modem’s software. This enables you to fix<br />
bugs in the modem’s software quickly, and possibly even for free. The bottom<br />
line is just common sense: never pay extra for features that you don’t need, if<br />
you have the choice.<br />
9.6.3 Choosing the Protocols<br />
You are free to choose the interior protocols that best meet your needs for<br />
routing inside your own network. This choice will be restricted, however, by the<br />
compatibility of routing protocols. Each Interior Gateway Protocol (IGP) has its<br />
own specific characteristics which must be considered before attempting to mix<br />
protocols. The choice may also be restricted based on your chosen<br />
implementation because some products will only use a specific IGP.<br />
In theory, you are also free to choose the EGP or BGP you will use to connect to<br />
the Internet, but in practice the assignment of Autonomous System (AS) numbers<br />
is now restricted to your service provider. Therefore, your service provider will<br />
provide the connection to the Internet, including the EGP implementation, on<br />
your behalf.<br />
Routing within your network can be accomplished using either static or dynamic<br />
routing.<br />
9.6.3.1 Static Routing<br />
The task of statically defining all the necessary routes may be simple for a small<br />
network, and it has the advantage of generating no routing-protocol traffic.<br />
Another advantage is that static routing enforces rigid control over the allocation<br />
of addresses and over which networks can reach one another: a router with no<br />
route to a network simply cannot forward packets to it. This is a useful<br />
containment measure, not a substitute for packet filtering, because it controls only<br />
where packets can be forwarded, not who may send them. One major<br />
disadvantage is that hosts and routers require reconfiguration whenever you move<br />
a resource or add another resource to the network.<br />
Static routes have an important role to play in a router network. They can be<br />
used to define routes to networks reachable via passive routers, and routes to<br />
remote networks or subnets where dynamic protocols are undesirable because of<br />
link cost.<br />
9.6.3.2 Dynamic Routing<br />
When should you use dynamic routing? We recommend static routing in small<br />
networks, or networks with a small number of routers, and dynamic routing in the<br />
following cases:<br />
• Large networks with multiple routers.<br />
• Several subnets have been implemented.<br />
• Multiple connections have been implemented between subnets or to other<br />
networks where hosts or routers are being moved, or network configuration<br />
is being regularly altered.<br />
• Dynamic environments.<br />
9.6.3.3 Which Interior Protocol?<br />
We do not recommend the use of HELLO in any new TCP/IP implementation.<br />
The decision may be forced by the types of hosts and routers you already<br />
have in your network. RIP is used widely and is supported in AIX, UNIX, OS/2,<br />
DOS, and Windows environments, making it very suitable for LAN<br />
implementations. RIP is also supported on MVS and VM hosts, making it<br />
suitable as a network-wide protocol in all but the largest networks (that is, those<br />
networks where routes may contain more than 15 hops). Note also that RIP<br />
version 1 carries no authentication, so any host on a segment that runs it can<br />
inject routes; RIP version 2 and OSPF support authenticated updates, which<br />
matters on segments you do not fully control, such as dial-up pools.<br />
OSPF, on the other hand, has not yet been widely implemented on hosts but<br />
is widely available on routers. OSPF has the added advantages of supporting<br />
variable length subnetting and cost-based routing, which allows the best path to<br />
be chosen instead of only the path with the fewest hops. This makes OSPF an<br />
attractive choice for interconnecting networks or subnets. OSPF is also the best<br />
choice for very large networks, where RIP’s limit of 15 hops becomes a<br />
consideration.<br />
If dynamic routing is implemented, remember that most host implementations<br />
use RIP version 1, which does not support variable length subnetting. This will<br />
not be an issue for most small or medium-sized networks, but for large networks<br />
using variable length subnet masks, a mixture of dynamic protocols may need to<br />
be investigated. Perhaps the best method in these cases is to implement RIP<br />
within subnets and then connect the subnets with an OSPF<br />
backbone.<br />
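The two limitations just described, RIP’s 15-hop ceiling and RIP version 1’s lack of subnet masks in its updates, are easy to see in code. The following Python script is an added example written for this edition, not code from the original redbook; the router names and prefixes are made up, and the RIPv1 behaviour it models is the classful summarization a router applies when a subnet is advertised to a router on a different classful network.<br />

```python
import ipaddress

# RIP carries metrics 1..15; 16 means "unreachable" (RFC 1058), hence the 15-hop limit.
RIP_INFINITY = 16


def rip_reachable(hops):
    """True if a destination 'hops' routers away can still be carried by RIP."""
    return 0 <= hops < RIP_INFINITY


def classful_network(prefix):
    """The network a RIPv1 listener infers from an address advertised without a mask.

    RIPv1 messages carry no subnet mask, so a router on another classful network
    falls back to the class boundary: /8 for class A, /16 for class B, /24 for class C.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        bits = 8
    elif first_octet < 192:
        bits = 16
    else:
        bits = 24
    return ipaddress.ip_network(f"{net.network_address}/{bits}", strict=False)


class RoutingTable:
    """Longest-prefix-match forwarding table, as a mask-aware protocol such as OSPF builds it."""

    def __init__(self):
        self.routes = []  # (network, next_hop, metric)

    def add(self, prefix, next_hop, metric=1):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, metric))

    def lookup(self, addr):
        """Return the next hop for addr, choosing the most specific matching route."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, next_hop, metric in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, metric)
        return None if best is None else best[1]


def ripv1_table(advertisements):
    """Table a RIPv1 router on another classful network builds from (prefix, next_hop, metric).

    Masks are lost in transit, so each advertisement collapses to its classful network,
    and when two collapse to the same network only the lower metric survives. That is
    how two variable-length subnets silently merge into one route with one next hop.
    """
    best = {}
    for prefix, next_hop, metric in advertisements:
        if not rip_reachable(metric):
            continue  # metric 16: unreachable, must not be installed
        net = classful_network(prefix)
        if net not in best or metric < best[net][1]:
            best[net] = (next_hop, metric)
    table = RoutingTable()
    for net, (next_hop, metric) in best.items():
        table.add(str(net), next_hop, metric)
    return table


def routing_demo():
    # Constructed advertisements: two subnets of 10/8 with different masks behind
    # different routers, and one destination that is already 16 hops away.
    adverts = [
        ("10.1.0.0/24", "router-A", 2),
        ("10.2.0.0/16", "router-B", 3),
        ("192.0.2.0/24", "router-C", 16),
    ]
    vlsm = RoutingTable()  # OSPF-style: masks preserved, no 15-hop ceiling
    for prefix, next_hop, metric in adverts:
        vlsm.add(prefix, next_hop, metric)
    ripv1 = ripv1_table(adverts)
    probes = ("10.1.0.7", "10.2.5.1", "192.0.2.9")
    return {
        "vlsm": tuple(vlsm.lookup(p) for p in probes),
        "ripv1": tuple(ripv1.lookup(p) for p in probes),
    }


if __name__ == "__main__":
    for name, hops in routing_demo().items():
        print(name, hops)
```

With the masks preserved, 10.2.5.1 is forwarded to router-B; after RIPv1 summarization both 10/8 subnets share one route, 10.2.5.1 goes to router-A, and the 16-hop destination is dropped altogether. The mixed design recommended above, RIP inside the subnets and an OSPF backbone between them, keeps the masks where they matter.<br />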
You can find much more information about routing protocols in Chapter 4,<br />
“Routing”, of The Basics of IP Network Design, SG24-2580.<br />
9.7 Servers<br />
You need to choose the right combination of hardware platform and operating<br />
system, because some platforms do not support the newest applications that<br />
can improve the quality of your Internet service.<br />
Some companies use an existing operational platform as the Internet server.<br />
This is a problem if that server holds confidential documents, corporate<br />
applications, or other sensitive data: an attacker who finds a flaw in one of the<br />
exposed daemons, such as the HTTP, Gopher, or FTP server, gets a foothold on<br />
the very machine that holds the data and can read or destroy it. The best option<br />
is a dedicated machine that is exposed to the Internet and holds no confidential<br />
data, runs only the services it is there to provide, and runs each of them under an<br />
unprivileged user ID where the service permits. The majority of servers<br />
connected to the Internet run UNIX on RISC-based machines, but today many new<br />
servers run OS/2, Windows NT, and Linux on Intel-based machines. Some<br />
companies also use mainframes running VM and MVS, and AS/400 systems, as<br />
servers. The following table shows the services available on each platform.<br />
Table 31. Available Services on Different Operating Systems<br />
Columns, left to right: DNS, E-mail, GOPHER, HTTP, TELNET, FTP, NEWS, DB/2, LOTUS NOTES, JAVA<br />
AIX YES YES YES YES YES YES YES YES YES YES<br />
OS/2 YES YES YES YES YES YES YES YES YES YES<br />
NT YES YES YES YES YES YES YES YES YES YES<br />
OS/400 NO YES YES YES YES YES NO YES YES NO<br />
MVS YES YES YES YES YES YES NO YES YES YES<br />
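A dedicated server only stays dedicated if nothing beyond the intended services is reachable on it. The following Python script is an added example for this edition, not part of the original redbook: it audits a constructed /etc/inetd.conf excerpt (hypothetical lines, not taken from any real host) against an allowed service list and flags both unexpected services and services that run as root without needing to. The allowed set and the needs-root set are assumptions to be adjusted per server.<br />

```python
# Constructed inetd.conf excerpt for illustration (not from any real host).
# Fields: service socket-type protocol wait/nowait user server-program arguments
INETD_CONF = """\
ftp     stream  tcp  nowait  root    /usr/sbin/ftpd     ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/telnetd  telnetd
gopher  stream  tcp  nowait  gopher  /usr/sbin/gopherd  gopherd
http    stream  tcp  nowait  nobody  /usr/sbin/httpd    httpd
#finger stream  tcp  nowait  nobody  /usr/sbin/fingerd  fingerd
shell   stream  tcp  nowait  root    /usr/sbin/rshd     rshd
"""

# Policy for this dedicated Web/FTP host (assumptions; adjust per server).
ALLOWED = {"ftp", "http"}
NEEDS_ROOT = {"ftp"}  # ftpd binds port 21 and switches uid per login, so root at start is expected


def parse_inetd(text):
    """Return the enabled services as dicts; commented-out and blank lines are skipped."""
    services = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue  # malformed line; inetd would reject it too
        services.append({
            "name": fields[0],
            "socket": fields[1],
            "proto": fields[2],
            "user": fields[4],
            "program": fields[5],
            "args": fields[6] if len(fields) > 6 else "",
        })
    return services


def audit(services, allowed, needs_root):
    """Return (service, problem) pairs for anything that violates the policy."""
    findings = []
    for svc in services:
        name = svc["name"]
        if name not in allowed:
            findings.append((name, "not in the allowed set; comment it out and HUP inetd"))
        if svc["user"] == "root" and name not in needs_root:
            findings.append((name, "runs as root; run it under a dedicated unprivileged user"))
    return findings


def audit_inetd_conf(text, allowed=ALLOWED, needs_root=NEEDS_ROOT):
    return audit(parse_inetd(text), allowed, needs_root)


if __name__ == "__main__":
    for service, problem in audit_inetd_conf(INETD_CONF):
        print(f"{service}: {problem}")
```

Run it against the real file after every change to the server, and keep the allowed set as short as the service you sell permits; every entry left in is another daemon whose flaws become your problem.<br />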
9.7.1 Hardware Requirements<br />
The competition for hardware is becoming stronger day after day. PC prices, for<br />
example, are falling, fueled in part by the rapid pace of processor development,<br />
an oversupply of memory components, and cost reductions in other parts. PC<br />
and UNIX system vendors with products targeted at Internet servers are also<br />
looking for your money, with subtle schemes to increase capabilities and<br />
availability while keeping costs low. In fact, many high-end manufacturers of<br />
fault-tolerant computers also want to make inroads into the WWW server market.<br />
As dedicated connections become commodities in the Internet world, vendors<br />
will compete with value-added services such as Web hosting. Many will offer<br />
package prices to attract new customers.<br />
This can be a tremendous opportunity, or a large trap. Desperation produces<br />
both good and bad deals. While your network connections are being obtained,<br />
you have time for a careful selection process for server hardware and<br />
components. This is necessary to separate the good deals from the bad.<br />
Another important reason is compatibility. Just because the WWW is based on<br />
standards does not mean everything interoperates.<br />
Application compatibility is a complex topic, full of subtleties that even<br />
professionals often miss. Allowing time for a good design will help minimize the<br />
number and severity of problems that arise down the road.<br />
Make sure the high-level system design is finished and relatively stable before<br />
proceeding with the server hardware purchase. Remember that while the<br />
Internet is based on standards, there are still several from which to choose.<br />
Given the turbulence and rapid change in the market, driven by a variety of<br />
revolutionary technologies and countless options for configurations, platforms,<br />
and products, consultant expertise could be particularly valuable to you in this<br />
area. Often, the experience needed to evaluate servers will not be available<br />
in-house, let alone for other Web development. If that is true for you, there are<br />
several external resources to consider:<br />
• Consultants<br />
The most directly beneficial is the external consultant. Be sure to get a list of<br />
clients and references, complete with URLs, and check them out online. Visit<br />
the reference sites on numerous occasions and at different times of day. If you<br />
already have e-mail access, don’t be shy about sending mail to Webmaster@foo.com<br />
(or whatever contact is listed) and asking about people’s experiences. Most<br />
people on the Web tell it like it is.<br />
• Newsgroups<br />
Almost every type of protocol and almost every product has at least one<br />
related bulletin board or newsgroup available. Checking on them can be<br />
beneficial.<br />
• Magazine Reviews and Periodicals<br />
Many magazine reporters and freelance authors spend their time reviewing<br />
products in stories that often include useful charts and screen shots.<br />
• Vendors<br />
We recommend this with caution. They often know a great deal about the<br />
products in the industry, but they can be biased as well. You should ask<br />
them for detailed documentation of their products, and then read those with<br />
a critical eye. You also should ask them for references.<br />
• CPU<br />
There is a variety of CPUs available for each platform you choose. Follow the<br />
considerations above before you decide on this essential item in your server<br />
configuration. For example:<br />
− In the Intel world, you can use a Pentium processor running at 100 MHz or<br />
faster, or even choose a multiprocessor machine according to your<br />
needs.<br />
− If you are using a RISC system, you will want a machine with one or<br />
more PowerPC processors, or a MIPS-based system.<br />
• RAM<br />
As you add more users and applications to your server, you will need to add<br />
more memory, and you may have to add more again as your site attracts more<br />
visitors.<br />
• Internal Bus<br />
Any system should have one of the advanced 32-bit buses; EISA, PCI, and<br />
Micro Channel are good choices. The important thing is that the bus supports<br />
bus mastering, which makes a VESA local bus system a poor choice.<br />
• Video<br />
You will need at least a VGA video card, but you don’t need the latest<br />
technology or the most expensive product available. For the Intel platform, for<br />
example, boards based on the S3 chip set give good performance; they have<br />
been around for a long time and so are generally well supported. The S3<br />
boards are also available at a good price these days.<br />
These days, most video cards come with at least 1 MB of RAM installed,<br />
which normally gives you 256 colors at 1024 by 768 pixels.<br />
• CD-ROM<br />
Today you will definitely need a CD-ROM drive; no one loads large software<br />
packages from floppy disks any more. In fact, some server software is not<br />
available on floppy disks, only on CD-ROM. A SCSI interface is usually<br />
better supported than any of the proprietary interfaces.<br />
• Tape Drive<br />
It is absolutely essential for every installation to have a tape drive available<br />
for system backup and for reloading software in the event of a system or<br />
hardware failure. The tape drive can also use the SCSI interface; just make sure<br />
that the tape is big enough to back up the whole file server in one go. No<br />
one likes doing attended backups and waiting around to swap tapes. Test a<br />
restore from tape periodically and keep a recent set off-site: a backup that has<br />
never been restored, or that sits next to the server it protects, will not help after<br />
a break-in or a fire.<br />
• Hard Disk<br />
Again, a SCSI-based disk system is a good idea because today’s operating<br />
systems support a wide variety of SCSI products. Another excellent reason for<br />
using a SCSI-based hard disk system is that fault-tolerance mechanisms such as<br />
Redundant Array of Inexpensive Disks (RAID) and disk mirroring require properly<br />
working SCSI systems. You certainly can create a mirrored set of non-SCSI hard<br />
disks, which are less expensive, but they will not have sector remapping<br />
capability.<br />
The server storage requirement is determined by the amount of information<br />
that will be stored on the server at any one time. This amount is not just that of<br />
your initial site, but should include room for enhancements and growth. Because<br />
disk storage is relatively inexpensive for your ISP site, the amount of space you<br />
require should not heavily affect your costs.<br />
Use the following formula to determine the additional disk storage needed for<br />
your site, to minimize costs while providing some flexibility:<br />
i + k + ((i + k) x g) - b = t<br />
where:<br />
i = initial site size in MB<br />
k = known enhancements to the site in MB<br />
g = growth factor<br />
b = basic WWW space already available<br />
t = total additional space required<br />
In this equation, the formula adds the known factors (site size and known<br />
enhancements), adds a growth allowance on top of that total, and subtracts the<br />
basic space already available for the WWW account. The growth you expect<br />
over the next one-year period depends on the type of site you have developed.<br />
If your site will keep historical data for the entire year, it will grow rapidly. If<br />
the site will provide only simple profile pages, growth may be limited to 10 to<br />
20 percent.<br />
• Mice and Serial Ports<br />
If you intend to use a PC or a RISC machine, you will often need three serial<br />
ports on your server: one for the mouse, one to attach to the UPS (more on<br />
this item later in this section), and one for the modem that supports Remote<br />
Access Services (RAS). Finding three serial ports can be a problem, and using a<br />
bus mouse such as an InPort mouse can partly solve this. Multiport serial<br />
adapters may be needed.<br />
• Modems<br />
If you use or plan to use RAS, you will need a modem so that remote users<br />
can access the server. Remember that a RAS modem is an entry point to the<br />
server that bypasses anything you place between the server and the Internet,<br />
so protect it with dial-back or one-time passwords and log every connection.<br />
You can find more about modems in 9.6.2, “Downstream Connection” on<br />
page 276.<br />
• UPS<br />
An Uninterruptible Power Supply (UPS) takes over and continues to provide<br />
power when the main power to the server fails. You will want your ISP site<br />
available at all times, and a UPS is an excellent way to ensure this. Be<br />
sure that all the equipment you need for continued operation, not just the<br />
server itself, has UPS support, including all the communications equipment.<br />
Suitable UPS systems are available from American Power Conversion (APC)<br />
and from Best Power Technology.<br />
• Communications Equipment<br />
You will also need the appropriate communications equipment to support the<br />
type of link you have chosen. This can be small and compact, as in the case<br />
of an ISDN terminal adapter (TA), or it can be a whole group of equipment<br />
for some of the larger data communication connections; in some instances,<br />
most of the communications equipment may be located on the phone<br />
company’s premises. The larger the communications requirement, the more<br />
equipment you will need, and the more crucial proper air-conditioning<br />
becomes, even in northern climates and in Europe, areas that do not<br />
normally use air-conditioning at all.<br />
9.7.2 Growth and Scalability<br />
The preceding list defines the main hardware components for your ISP site, but<br />
what should you do if you are adding a Web server to an existing server<br />
network, which already has certain hardware installed and a population of<br />
users?<br />
Do not underestimate the impact that Web traffic may have on the performance<br />
of your server, and be ready to upgrade your hardware if the existing installation<br />
proves inadequate. If you insist on running with the existing systems, you will<br />
not only alienate new visitors to your site as they wait for a slow server to<br />
respond, but you will also make your corporate users very angry indeed as they<br />
watch their previously speedy applications grind to a halt.<br />
Part of the system administrator’s job is to monitor system performance and<br />
make the appropriate recommendations and upgrades as they are needed.<br />
The demand for scalable systems is growing. Stated simply, a scalable system<br />
is one that permits the addition of processing power, storage, memory,<br />
input/output (I/O), and connectivity with relative ease, so user organizations can<br />
deploy larger, more complex, more sophisticated applications to exploit<br />
constantly growing databases and make both available to increasing numbers of<br />
users through very high bandwidth networks.<br />
Technically, the simplest way to provide scalability is to build larger and faster<br />
uniprocessors. Systems can also be made faster using highly sophisticated<br />
architectures (either alone or in combination with unique technologies). The<br />
advantage of scaling uniprocessors is that the software remains the same; it<br />
simply runs on a faster processor.<br />
One can also scale by integrating multiple processors into a single system in<br />
which they share resources such as memory, I/O, the operating system, and<br />
application software. Having one of each resource makes a symmetric<br />
multiprocessor (SMP) system relatively easy to program and manage. In<br />
addition, an SMP will run essentially the same software as a uniprocessor,<br />
although the software may have to be modified to remove bottlenecks that the<br />
faster multiprocessor exposes.<br />
Another way to get scalability is to use parallel systems, where multiple<br />
processors are connected to each other by a high-performance interconnect.<br />
Each processor has its own memory, its own I/O configuration, and its own copy<br />
of the operating system, so far higher levels of scalability are achievable. Such<br />
systems scale much further because an added processor does not increase<br />
contention for shared resources; it comes with all it needs to do productive work.<br />
AIX systems scale efficiently to four or eight PowerPC processors on SMP<br />
systems, and on parallel systems based on POWER and POWER2 processors<br />
AIX can deliver extremely high performance. Because it is relatively new, NT<br />
does not scale nearly as well as UNIX. Theoretically, NT is designed to support<br />
up to 32 processors; in reality it is currently limited to four processors in most<br />
situations, and depending on the mix of applications and hardware architectures<br />
the usable number can be as low as two or as high as eight. OS/2 Warp Server<br />
can scale up to 16 processors and is a good choice for Internet applications that<br />
demand performance and integration with CICS, IMS, and DB/2. If you are<br />
writing in-house applications for multiprocessor systems, you must write them<br />
as a set of threads, so that the operating system can schedule the threads on<br />
different CPUs.<br />
9.8 Domain and IP Addressing<br />
If you do not take time to plan your network, the apparent simplicity of<br />
interconnection using TCP/IP can lead to problems.<br />
For example, lack of effective planning of network addresses may result in<br />
serious limitations in the number of hosts you are able to connect to your<br />
network. Lack of centralized coordination may lead to duplicate resource names<br />
and addresses, which may prevent you from being able to interconnect isolated<br />
networks. Address mismatches may prevent you from connecting to the<br />
Internet, and other possible problems may include the inability to translate<br />
resource names to resource addresses because connections have not been<br />
made between name servers.<br />
9.8.1 Design Considerations<br />
When faced with the task of either designing a new TCP/IP network or allowing<br />
existing networks to interconnect, there are several important design issues that<br />
will need to be resolved. For example, how to allocate addresses to network<br />
resources, how to alter existing addresses, whether to use static or dynamic<br />
routing, how to configure your name servers, and how to protect your network<br />
are all questions that need to be answered. At the same time the issues of<br />
reliability, availability, and backup will need to be considered, along with how<br />
you will manage and administer your network.<br />
9.8.2 DNS Security<br />
Once you have gone down the DNS route, most design issues will depend on<br />
your requirements and the implementation you adopt. Check the requirements<br />
for electronic mail, for network security via firewalls, and for resilience and high<br />
availability. To ensure the last of those points, you will need to run at least two<br />
name servers, probably more, and remember that the location and position of<br />
the name servers are vital: a secondary on the same segment and power feed<br />
as the primary protects against very little. You can find a lot of information<br />
about security issues, possible threats, firewalls, and much more in this redbook<br />
in Chapter 8, “Internet Security” on<br />
page 193.<br />
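The name-server requirements above can be checked mechanically before a zone goes live. The following Python script is an added example for this edition, not code from the original redbook: it parses two constructed zone files (example.net and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are reserved for documentation, so nothing here refers to a real host) and reports a zone with fewer than two NS records, an in-zone name server that lacks an A record (missing glue), and name servers that all sit in one /24. The one-record-per-line syntax it accepts and the /24 diversity heuristic are assumptions of this example.<br />

```python
import ipaddress

# Constructed zone files for illustration (documentation names and prefixes only).
ZONE_OK = """\
$ORIGIN example.net.
@     IN SOA ns1.example.net. hostmaster.example.net. ( 1997100101 3600 900 604800 86400 )
@     IN NS  ns1.example.net.
@     IN NS  ns2.example.net.
ns1   IN A   192.0.2.10
ns2   IN A   198.51.100.11   ; secondary on a different network and power feed
www   IN A   192.0.2.20
"""

ZONE_WEAK = """\
$ORIGIN example.net.
@     IN SOA ns1.example.net. hostmaster.example.net. ( 1997100101 3600 900 604800 86400 )
@     IN NS  ns1.example.net.
@     IN NS  ns2.example.net.
ns1   IN A   192.0.2.10
www   IN A   192.0.2.20
"""

RR_TYPES = {"SOA", "NS", "A", "MX", "CNAME"}


def fqdn(name, origin):
    """Expand a relative owner name against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, [(owner, type, rdata_tokens)]) for a one-record-per-line zone."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        for i, tok in enumerate(tokens[1:], start=1):
            if tok in RR_TYPES:  # skip optional TTL and class before the type
                records.append((fqdn(tokens[0], origin), tok, tokens[i + 1:]))
                break
    return origin, records


def check_name_servers(origin, records):
    """Findings about the zone's NS set: count, in-zone glue, and network diversity."""
    findings = []
    servers = [rdata[0] for owner, rtype, rdata in records if owner == origin and rtype == "NS"]
    addresses = {owner: rdata[0] for owner, rtype, rdata in records if rtype == "A"}
    if len(servers) < 2:
        findings.append("fewer than two NS records: one name server is a single point of failure")
    for server in servers:
        if server.endswith("." + origin) and server not in addresses:
            findings.append(f"{server} is inside the zone but has no A record (missing glue)")
    # Heuristic (assumption): servers in one /24 almost always share a segment and a
    # power feed, which defeats the purpose of running two of them.
    nets = {ipaddress.ip_network(addresses[s] + "/24", strict=False) for s in servers if s in addresses}
    if len(servers) >= 2 and len(nets) < 2:
        findings.append("all name servers are in one /24: place a secondary on another network")
    return findings


def audit_zone(text):
    origin, records = parse_zone(text)
    return check_name_servers(origin, records)


if __name__ == "__main__":
    for label, zone in (("ok", ZONE_OK), ("weak", ZONE_WEAK)):
        print(label, audit_zone(zone) or ["no findings"])
```

A real zone file also uses multi-line records, $TTL and $INCLUDE; extend the parser before pointing the check at one, and remember that the check says nothing about whether the secondary actually transfers the zone, which you must verify separately.<br />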
9.8.3 A Word of Caution<br />
If you tackle the issues in a methodical way, you should not have too many<br />
problems. The following list summarizes the main issues:<br />
• Before you begin designing your IP network, a word of caution may be<br />
appropriate: IP network design is not an exact science, but more a<br />
pragmatic one.<br />
• You will probably avoid many unpleasant surprises if you test each<br />
TCP/IP implementation you intend to use in your IP network, to ensure that<br />
each product behaves as your design expects it to.<br />
• Make the correct decision on whether to use private (RFC 1918) or public IP<br />
addresses.<br />
• Plan the size and growth of your network and allocate the most suitable<br />
class of IP address; don’t forget that some IP addresses are special and<br />
cannot be used.<br />
• Implement subnets if appropriate, but ensure they are administered<br />
correctly; remember to keep a constant subnet mask for each class of<br />
address if a classful routing protocol such as RIP version 1 is in use.<br />
• Depending on the size and mobility of your network (or parts of it) you may<br />
want to make use of dynamic address allocation with DHCP to reduce the<br />
administrative burden.<br />
• Finally, if you are opting for a public network number, don’t forget to register<br />
with your local IANA authority or your chosen service provider.<br />
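Three of the points in that list, the special addresses in every subnet, the choice between private and public space, and the constant-mask rule, can be worked through with a small planner. The following Python script is an added example for this edition, not code from the original redbook: the requirement list is made up, the block 192.0.2.0/24 is a documentation prefix, and the planner’s best-fit allocation order is one reasonable choice, not the only one. It goes a step beyond the list by showing the same requirements planned once with variable length masks and once with the constant mask RIP version 1 demands.<br />

```python
import ipaddress

# RFC 1918 private address space; anything else is treated as public and must be registered.
PRIVATE_BLOCKS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(prefix):
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in PRIVATE_BLOCKS)


def prefix_for_hosts(hosts):
    """Longest prefix whose subnet still leaves 'hosts' usable addresses.

    The all-zeros (network) and all-ones (broadcast) addresses of every subnet are
    special and cannot be assigned, so a /p holds 2**(32-p) - 2 hosts.
    """
    prefix = 32
    while prefix > 0 and (2 ** (32 - prefix)) - 2 < hosts:
        prefix -= 1
    return prefix


def plan_subnets(block, requirements, constant_mask=False):
    """Carve 'block' into one subnet per (name, hosts) requirement.

    constant_mask=True gives every subnet the mask the largest requirement needs, the
    fixed-mask rule a classful protocol such as RIP version 1 imposes; otherwise each
    subnet is sized to fit (variable length subnet masks). Raises ValueError when the
    block is too small for the plan.
    """
    parent = ipaddress.ip_network(block)
    ordered = sorted(requirements, key=lambda r: r[1], reverse=True)  # big first: less fragmentation
    fixed = prefix_for_hosts(ordered[0][1]) if constant_mask else None
    free = [parent]
    plan = []
    for name, hosts in ordered:
        want = fixed if constant_mask else prefix_for_hosts(hosts)
        free.sort(key=lambda n: n.prefixlen, reverse=True)  # best fit: smallest block that fits
        for i, candidate in enumerate(free):
            if candidate.prefixlen <= want:
                chosen = free.pop(i)
                break
        else:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {parent}")
        pieces = list(chosen.subnets(new_prefix=want))
        subnet, free = pieces[0], free + pieces[1:]
        usable = list(subnet.hosts())  # excludes the network and broadcast addresses
        plan.append({
            "name": name,
            "subnet": str(subnet),
            "usable": len(usable),
            "first_usable": str(usable[0]),
            "last_usable": str(usable[-1]),
            "private": is_private(str(subnet)),
        })
    return plan


def subnet_demo():
    # Constructed requirement list for a small ISP (names and counts are made up).
    needs = [("servers", 60), ("dialup-pool", 100), ("staff", 20)]
    vlsm = plan_subnets("192.0.2.0/24", needs)
    try:
        plan_subnets("192.0.2.0/24", needs, constant_mask=True)
        fixed = "fits"
    except ValueError as err:
        fixed = str(err)
    return {"vlsm": vlsm, "constant_mask": fixed}


if __name__ == "__main__":
    result = subnet_demo()
    for entry in result["vlsm"]:
        print(entry)
    print("constant mask:", result["constant_mask"])
```

With variable length masks the three requirements fit into one class C block with a /27 to spare; with a constant /25 mask the same block holds only two of them, which is the price of running a classful protocol on it.<br />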
See 2.2.4, “Domain and IP Address” on page 44 if you want more information<br />
about domain and IP addresses. For a complete guide on how to plan and<br />
design your network, you can refer to The Basics of IP Network Design,<br />
SG24-2580.<br />
9.9 Staff Members<br />
In this section, we first discuss who will identify the human resources necessary<br />
to complete your Internet project, and then those who actually implement your<br />
ISP.<br />
9.9.1 Project Leader<br />
The project leader has the most influential role in determining the success of<br />
your plan. This is almost always a full-time employee, usually someone with at<br />
least a year or more of corporate experience, and definitely someone with a<br />
successful track record. Selecting this project “czar” is the most important<br />
decision this redbook helps you make. Some of the qualities you should seek<br />
include the following:<br />
• Organization: The leader is someone who can coordinate all aspects of the<br />
project and isn’t reluctant to delegate authority.<br />
• Vision: This is a person who can envision the strategic and tactical business<br />
advantages that the ISP project has for the company.<br />
• Thorough: Building a successful ISP project is complex, so you need someone<br />
who will expect each person to fulfill each task in a timely and orderly<br />
fashion.<br />
• Flexible: Your leader must be able to adjust to new demands and<br />
requirements, and seize upon new opportunities, because the Internet and<br />
Web technologies are changing so quickly.<br />
• Comfortable with technology: The leader doesn’t necessarily have to be<br />
proficient in the use of the Internet and Web but must be eager to learn and<br />
to share that knowledge with others.<br />
• Innovator: The right leader is someone with a record of accomplishment and<br />
of showing initiative.<br />
• Team player: This is a corporate project, not an individual career builder.<br />
The leader must be able to reach across departmental lines to recruit the<br />
necessary support that will unite the company behind this new venture.<br />
• Decisive: Crucial decisions will have to be made, and the company’s<br />
executive management must have confidence that the team leader will make<br />
the best ones.<br />
In addition to these qualities, this individual must be empowered to push the ISP<br />
plan to completion, with authority to delegate tasks, expedite and define<br />
processes, cut through red tape, mobilize the necessary resources, and keep all<br />
parties on track. The higher placed this individual, the quicker and better your<br />
chances of being effective.<br />
9.9.2 Rest of Team<br />
The size of the team is dependent upon the size of the company, the number of<br />
departments, and the judgment of the project leader. The team could be two<br />
people or it could be twelve, although large groups can prove difficult to<br />
manage and prone to bog down in microscopic details.<br />
Only after you have picked the leader should the rest of the team be assembled.<br />
This group should represent key departments within your organization.<br />
Team members should reflect the qualities of the team leader. They should also<br />
be enthusiastic but realistic about the ISP project; a dose of reality will be<br />
needed occasionally to keep the team’s perspective. Hands-on experience with<br />
Internet technologies, content production, electronic marketing, or other related<br />
elements is strongly recommended.<br />
The following members could be identified and included in the ISP’s Web site staff:<br />
• Site engineering: This is a general heading of the person or people<br />
responsible for the technological side of the Web site. This would include<br />
hardware, software, and connectivity planning and systems. If the site is<br />
hosted on an ISP server, much of this job function should be included with<br />
the hosting arrangement.<br />
• Webmasters: One or more people should be responsible for the Web site<br />
itself, including the design, construction, and maintenance of the HTML<br />
pages, programming of any CGI scripts, and general maintenance of the Web<br />
site. In most cases, very little of this would be handled by an ISP. If the<br />
page design is outsourced to a Web developer, there must still be a person<br />
in charge of interacting with the developers.<br />
• Accounting: Businesses live on money, thus there is a need for accountants<br />
and other accounting staff. Accounts receivable and payable positions must<br />
be filled. You also need a person to prepare the taxes or act as the main<br />
contact to an outside accounting agency.<br />
• Business management: Business managers drive the direction of the<br />
company and ensure that employees’ work gets the company where it needs<br />
to be. Of course, small operations may have only one or two people, but<br />
one or both still need to think in business terms about the history, current<br />
status, and future potential of the Web venture.<br />
• Customer service: A big catch-all category of persons responsible for<br />
keeping the customer happy. This could include technical support for<br />
products that require it, handling customer complaints and other such<br />
day-to-day responses to customer needs. But in a Web commerce site, for<br />
example, this category of personnel need not be technically proficient,<br />
because little interaction with the technology, other than phone and e-mail, is<br />
required.<br />
• Marketing and advertising: Getting the word out, generating leads, and<br />
building the corporate identity are crucial to the success of any business.<br />
With a Web site, the company has to face both online and standard<br />
advertising hurdles, as well as giving the customer peace of mind that the<br />
company and its products are legitimate. Again, these types of functions can<br />
also be outsourced to third-party advertising agencies.<br />
9.9.3 Using Consultants<br />
There are many circumstances in which using consultants makes perfect sense.<br />
When the requisite technical or production skills are lacking in-house, when<br />
internal resources are already stretched thin, or when staff has difficulty seeing<br />
how an Internet or Web application can be useful, it is time to look for outside<br />
assistance.<br />
Technical and business consultants can be found through existing vendor<br />
relationships, or by asking peers who have gone through a similar ISP project.<br />
Also, many firms can be located by searching the Web and by looking through<br />
various local, regional, and national computer or Internet publications, where<br />
these companies are most likely to advertise.<br />
After compiling a list of prospective companies, you can further screen them by<br />
submitting a Request for Information. This series of questions should ask for a<br />
wide range of information, including:<br />
• Scope of service, from Web site development to maintenance<br />
• Types of Internet connectivity and support that are available<br />
• Experience in providing security and firewalls, with specific installations<br />
you may ask about<br />
• Experience in dealing with electronic commerce<br />
• Resumes of contracted individuals<br />
• Rates<br />
• Samples of work (especially online samples you can visit and evaluate)<br />
• References<br />
You should also use this screening process with prospective consultants to brief<br />
them about your project, and to ask them for ideas and suggestions.<br />
An important fact to remember when retaining outside expertise: unless they<br />
are contracted (often at great expense) to remain on site every day, they will<br />
work with other clients and therefore may not be ready to respond quickly to<br />
your needs. Be sure to engage whatever facet of your organization authorizes<br />
contracts early, so outside contracts can be written and enacted quickly.<br />
9.9.4 Outside Partners<br />
Among the external resources already employed by your company, you need<br />
to consider which can assist, and to what extent you need to involve them.<br />
Technical consultants, advertising and marketing, order fulfillment, and even<br />
banking partners can play valuable roles in your ISP project in addition to their<br />
ongoing responsibilities.<br />
If circumstances do not permit their full involvement, keep your partners advised<br />
of relevant decisions and progress. Often they can provide unexpected aid, or<br />
can at least make better decisions based on your input.<br />
9.9.5 Dream Team<br />
To summarize this section, here is what your project dream team will consist of:<br />
• A manager with strong leadership<br />
• Creative yet realistic individuals<br />
• Empowered representatives from key corporate departments<br />
• People (on staff or external) with technical knowledge of the Internet and<br />
Web<br />
• A team-oriented group excited about their assignment<br />
9.10 CGI Programming<br />
CGI programs are often called CGI scripts, but as you will see in the examples<br />
below, you can develop your own CGI programs in many languages, not only in<br />
scripting languages. The reason they are referred to as scripts is historical:<br />
they were originally developed in sh, bash, and Perl on UNIX platforms.<br />
9.10.1 Selecting Your Programming Language<br />
The principle of the Common Gateway Interface is that you should be able to use<br />
any programming language. You choose the one you will be using according to:<br />
• The platform on which your server is running<br />
• The task your application has to perform<br />
• Your programming skills<br />
• The response time of your applications<br />
9.10.1.1 Your Server Platform<br />
The operating system on which your server is running is probably the decisive<br />
factor in your choice of a programming language.<br />
Not all programming languages are available on every platform. For example,<br />
there is no port of Visual Basic for AIX, OS/2 or MVS. This fact is not only<br />
essential when you plan to develop intranet or Internet applications, but also if<br />
you consider migrating your server to another platform. Imagine you have set<br />
up a server that has become so popular that it has outgrown the resources of<br />
the Windows NT host on which you have installed it. Because the Internet<br />
Connection Servers are ported from the same code, you can easily migrate your<br />
server to a more powerful AIX or MVS system, unless you programmed your<br />
applications in a platform-specific programming language, such as Visual Basic.<br />
Furthermore, some languages are more suited to an operating system than<br />
others. This is typically the case with C on AIX and REXX on OS/2. We advise you<br />
to use a standard language that is supported on most platforms rather than<br />
exotic flavors of rare but nevertheless powerful languages. This will assure you<br />
of better support and will allow you to share the experience and sometimes even<br />
the applications of other developers. Check your favorite search engine and<br />
your news server to find them.<br />
9.10.1.2 The Purpose of Your Application<br />
Another important criterion in selecting a programming language is the purpose<br />
of your application. Not all languages are suited to every application. For<br />
example, a batch file under Windows NT is all it takes to switch to a different<br />
page depending on the browser used to view it. However, DOS commands are<br />
clearly inappropriate to query and update complex databases. Therefore, make<br />
sure the programming language you choose allows you to do what you want it to<br />
do, and even a little more. A good way of finding out if it does is to search the<br />
Internet for examples of applications similar to the ones you want to create.<br />
9.10.1.3 Your Programming Skills<br />
The two previous criteria may still leave you with a choice among several<br />
programming languages. In this case, use a programming language that you<br />
are familiar with. This will allow you to develop safe and reliable applications<br />
easily. After all, you are developing potentially exposed applications. You need<br />
to have sufficient knowledge of the language to ensure that your CGI scripts are<br />
reliable and do not expose your server to hackers and other undesirables.<br />
Furthermore, you want to deliver the relevant information continuously and<br />
safely for your network. This will be much easier if you are comfortable with<br />
your programming environment.<br />
9.10.1.4 Response Time<br />
The response time of your application may determine whether you will use an<br />
interpreted or a compiled programming language. If the required response time<br />
is to be small, then you will want to opt for a compiled language. Some<br />
languages, such as REXX, may be run interpreted or compiled, thus offering both<br />
the easy testing and debugging of an interpreted language and the speed of a<br />
compiled language.<br />
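Section 9.10.1.3 says a CGI script must not expose your server. The following is an added example in Python, not code from the redbook, showing what that means for the commonest CGI task: serving a page named by a query parameter. The document root /var/www/htdocs, the parameter name page and the function names are constructed for the example. naive_resolve shows the pattern to avoid; safe_resolve and handle_request show the checks a reviewer should look for: a whitelist on the parameter, refusal of anything ambiguous, a containment check on the final path, and no shell anywhere in the request path.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Constructed document root for this example (assumption: a real CGI program
# would read the server's configured root instead).
DOC_ROOT = "/var/www/htdocs"

# Whitelist for the "page" parameter: a short name of letters, digits, '-' and
# '_', optionally ending in ".html".  No slashes, other dots, NUL bytes or shell
# metacharacters can pass, so the value is safe to join onto DOC_ROOT.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}(\.html)?")


def naive_resolve(query_string):
    """The mistake to avoid: join whatever the client sent onto the docroot.
    normpath happily collapses '..' components, so the result can point anywhere."""
    params = parse_qs(query_string)
    page = params.get("page", ["index.html"])[0]
    return posixpath.normpath(posixpath.join(DOC_ROOT, page))


def safe_resolve(query_string):
    """Validate first, then verify containment.  Returns the absolute path of
    the page to serve, or None when the request must be refused."""
    try:
        params = parse_qs(query_string, max_num_fields=10)
    except ValueError:          # too many fields: treat as hostile, refuse
        return None
    values = params.get("page", ["index.html"])
    if len(values) != 1:        # duplicated parameter: refuse rather than guess
        return None
    page = values[0]
    if not PAGE_NAME.fullmatch(page):
        return None
    path = posixpath.normpath(posixpath.join(DOC_ROOT, page))
    # Defence in depth: even though the whitelist already forbids '/' and '..',
    # confirm the final path still lies under DOC_ROOT.
    if posixpath.commonpath([DOC_ROOT, path]) != DOC_ROOT:
        return None
    return path


def handle_request(environ):
    """Minimal CGI-style handler driven by the QUERY_STRING variable the web
    server passes in.  It never invokes a shell or interpolates the query into
    a command, so the only thing a client can influence is which whitelisted
    page is read.  Returns (status, headers, body)."""
    path = safe_resolve(environ.get("QUERY_STRING", ""))
    if path is None:
        return "400 Bad Request", [("Content-Type", "text/plain")], b"request rejected\n"
    try:
        with open(path, "rb") as fh:
            body = fh.read()
    except OSError:
        return "404 Not Found", [("Content-Type", "text/plain")], b"no such page\n"
    return "200 OK", [("Content-Type", "text/html")], body
```

Under a web server, handle_request would be called with os.environ, and the returned status and headers map straight onto the CGI response. The same shape carries over to Perl, REXX or a shell script: validate against a whitelist before the value touches a file name or a command line, and refuse rather than repair input that does not fit.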
9.10.2 Programming Languages<br />
In this section we list some of the programming languages with which it is<br />
possible to develop CGI scripts. Select the one you will use based upon the<br />
above criteria.<br />
A complete description of these languages would exceed the scope of this book<br />
so we do not attempt it.<br />
Furthermore, updated descriptions of the languages most commonly used on the<br />
Internet are available on the Internet. We recommend that you consult these<br />
descriptions before you start a large project. A good starting point is Yahoo<br />
which can be found at:<br />
http://www.yahoo.com/Computers_and_Internet/Programming_Languages/<br />
Please refer to Table 32 for a summary of some available languages by each<br />
platform.<br />
Table 32. CGI Programming Languages by Platform<br />
Language | Windows NT | OS/2 | AIX | HP-UX | Solaris | MVS<br />
Scripting languages | DOS batch files | OS/2 batch files, command files | Shell scripts (Bourne, Korn, C, bash, and so on) | Shell scripts (Bourne, Korn, C, bash, and so on) | Shell scripts (Bourne, Korn, C, bash, and so on) | OMVS POSIX shell scripts<br />
C | Freeware | Freeware | Operating System, Freeware, Commercial | Operating System, Freeware | Operating System, Freeware | Commercial<br />
Perl | Freeware | Freeware | Freeware | Freeware | Freeware | Freeware<br />
REXX | Evaluation, Commercial | Operating System | Freeware, Shareware, Commercial | Freeware, Shareware | Freeware, Shareware | Operating System<br />
NetRexx | Not Available | Freeware | Not Available | Not Available | Not Available | Not Available<br />
Java | Not Available | Freeware | Freeware | Freeware | Freeware | Not Available<br />
Notice that Perl is available on all platforms for which there is an Internet<br />
connection server. This explains why Perl is one of the most popular CGI<br />
programming languages.<br />
However, Java is now becoming the Internet programming language because it<br />
is so well adapted to the Internet. Although Java is mainly used in applets<br />
embedded in HTML documents, it is possible to write stand-alone Java programs<br />
that can thus be used as CGI scripts.<br />
9.11 How to Estimate Costs<br />
When deciding and planning to build an ISP, you have to consider all the costs<br />
involved. This section lists the main costs, and the considerations about them<br />
that you must keep in mind while choosing what is best for your future ISP.<br />
The intention of this section is not to be a financial guide but only a reference<br />
point.<br />
9.11.1 Telephone Costs<br />
It is important to note that telephone companies charge for telephone lines<br />
based on their intended use. This is why business lines are more expensive<br />
than residential lines. Your telephone company may have a different rate for<br />
data lines. To avoid loss or mistakes, get the kind of phone line appropriate for<br />
use with a dedicated data connection. In addition to this monthly charge, you<br />
may also have to pay a one-time setup charge, or installation fee.<br />
9.11.2 Internet Service Provider Costs<br />
If you are not going to connect directly to the Internet backbone, but through a<br />
bigger ISP, then the following costs apply to you.<br />
Your service provider may also charge you both one-time setup fees and<br />
on-going fees. The one-time setup charge may include services such as routing<br />
configuration at their site, domain name registration, domain name service, and<br />
so on. The on-going fees may include administration costs when you need your<br />
provider to maintain these services.<br />
The main on-going cost will be for bandwidth. Your service provider will either<br />
charge you a flat rate or a rate based on your usage. In the case of a dedicated<br />
28.8-kbps connection, it is likely that your provider will charge you a flat rate;<br />
even if you continuously transferred data over your connection, this would not<br />
impact the provider or other customers.<br />
9.11.3 Hardware Costs<br />
Hardware costs include any hardware you will need to purchase. You will need<br />
a modem or a router at each of the connections.<br />
If you are not planning on using routers on your end, but need to connect your<br />
whole LAN to the Internet, you will also need a computer to act as a router. If<br />
you don’t have a capable machine, you will need to purchase one.<br />
9.11.4 Software Costs<br />
You may need to purchase additional software. PPP and SLIP software, for<br />
example, will sometimes, but not always, come free with the operating system<br />
you are using for your gateway. Excellent free software is also available for<br />
most platforms. Even if the operating system for your gateway supports TCP/IP,<br />
you may need to purchase a separate server version in order to perform routing<br />
functions. The required software is generally included free, or is available as a<br />
free add-on with UNIX-based operating systems.<br />
9.12 Recommendations<br />
The basic Internet structure is the World Wide Web (WWW) server and the e-mail<br />
server. You can use other resources such as the FTP server, Telnet server,<br />
database server, Gopher server, News server, Chat server, and DNS server, but<br />
the WWW server and the e-mail server are all you need to create an initial<br />
Internet structure. Depending on the hardware technology and the power of your<br />
server, you can run some of these server daemons on the same machine. When the<br />
performance needs to increase, you will need to improve server performance or<br />
divide these daemons among other servers.<br />
Creating an Internet structure can be a low, medium or high-cost investment; it<br />
depends on the type of service and information that you will provide on the<br />
Internet. In general, Internet sites that are connected by T1 lines and<br />
Ethernet-LAN connected intranet sites with largely static data, are adequately<br />
served by an entry-level uniprocessor system with adequate disk storage for the<br />
content provided. It is important to have enough RAM to accommodate both the<br />
http server processes and file caching of page content that resides on disk.<br />
Sites with high-bandwidth connections to the Internet and intranet sites that can<br />
utilize FDDI will benefit from mid-range and SMP solutions. Sites that will<br />
generate significant Web content in response to user actions or potential<br />
E-Commerce sites should consider such systems even if they are connected by<br />
T1 lines to the Internet or Ethernet-LAN to the intranet.<br />
Table 33. How to Calculate Maximum HTTP Operations/Sec for a Determinable Bandwidth and File Size<br />
Network connection type | Bandwidth | Average file size 1 KB | Average file size 10 KB | Average file size 100 KB<br />
9.6 modem | 9.6 kbps | 1.2 | 0.1 | 0.0<br />
14.4 modem | 14.4 kbps | 1.8 | 0.2 | 0.0<br />
28.8 modem | 28.8 kbps | 3.6 | 0.3 | 0.0<br />
33.6 modem | 33.6 kbps | 4.2 | 0.4 | 0.0<br />
56 k modem | 56 kbps | 7.0 | 0.7 | 0.1<br />
56 kb leased | 56 kbps | 7.0 | 0.7 | 0.1<br />
64 kb leased | 64 kbps | 8.0 | 0.8 | 0.1<br />
ISDN 1 | 64 kbps | 8.0 | 0.8 | 0.1<br />
ISDN 2 | 128 kbps | 16.0 | 1.6 | 0.2<br />
T1 | 1.5 Mbps | 187.5 | 18.7 | 1.8<br />
Ethernet | 10 Mbps | 1250.0 | 125.0 | 12.5<br />
T3 | 45 Mbps | 5625.0 | 562.0 | 56.2<br />
FDDI | 100 Mbps | 12500.0 | 1250.0 | 125<br />
Fast Ethernet | 100 Mbps | 12500.0 | 1250.0 | 125<br />
ATM/155 | 155 Mbps | 19375.0 | 1937.0 | 193.0<br />
ATM/622 | 622 Mbps | 77750.0 | 7775.0 | 777.0<br />
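The figures in Table 33 are the link bandwidth divided by eight (bits per byte) and then by the file size, and Table 34 below suggests multiplying average page size by daily hits. The following is an added example in Python, not code from the redbook, that puts the two together and also answers the reverse question a capacity planner asks: which link a given daily load needs at its busiest hour. The 20% peak-hour share and 25% header overhead are constructed planning assumptions, and link speeds are taken as Table 33 lists them (T1 as 1.5 Mbps).

```python
# Added example, not from the redbook.  Units follow Table 33: link speed in
# kbps, file and page sizes in KB.
BITS_PER_BYTE = 8

# Link speeds in kbps as Table 33 lists them, slowest first.
TABLE_33_LINKS = [
    ("28.8 modem", 28.8), ("56 k modem", 56), ("64 kb leased", 64),
    ("ISDN 2", 128), ("T1", 1500), ("Ethernet", 10000), ("T3", 45000),
    ("Fast Ethernet", 100000), ("ATM/155", 155000), ("ATM/622", 622000),
]


def max_http_ops_per_sec(bandwidth_kbps, avg_file_kb):
    """Table 33's formula: a link of B kbps carries B/8 KB per second, so it
    can complete at most (B/8)/size transfers of size KB per second.  Protocol
    headers are ignored, so this is an upper bound, not a sustainable rate."""
    return (bandwidth_kbps / BITS_PER_BYTE) / avg_file_kb


def daily_transfer_mb(hits_per_day, avg_page_kb):
    """The Table 34 estimate: hits per day times average page size gives the
    volume delivered per day (here in MB, with 1 MB = 1024 KB)."""
    return hits_per_day * avg_page_kb / 1024


def required_bandwidth_kbps(hits_per_day, avg_page_kb,
                            peak_hour_share=0.20, overhead=0.25):
    """Table 33 in reverse: given the daily load, what link is needed at the
    busiest hour?  peak_hour_share is the fraction of the day's hits that fall
    in that hour and overhead the allowance for TCP/IP and HTTP headers; both
    defaults are constructed planning assumptions, not figures from the book."""
    peak_hits_per_sec = hits_per_day * peak_hour_share / 3600
    payload_kbps = peak_hits_per_sec * avg_page_kb * BITS_PER_BYTE
    return payload_kbps * (1 + overhead)


def smallest_link(required_kbps, links=TABLE_33_LINKS):
    """Return the name of the slowest link in Table 33 order that still meets
    the requirement, or None if even the fastest one falls short."""
    for name, kbps in links:
        if kbps >= required_kbps:
            return name
    return None


def plan(hits_per_day, avg_page_kb):
    """Bundle the three calculations for one site profile."""
    need = required_bandwidth_kbps(hits_per_day, avg_page_kb)
    return {
        "daily_mb": round(daily_transfer_mb(hits_per_day, avg_page_kb), 1),
        "peak_kbps": round(need, 1),
        "link": smallest_link(need),
    }
```

For a site expecting 100,000 hits a day at 10 KB a page, plan() reports roughly 977 MB a day, a peak of about 556 kbps under these assumptions, and T1 as the smallest Table 33 link that covers it. Note that Table 33 truncates rather than rounds (45 Mbps at 10 KB is 562.5, printed as 562.0), so compare against the exact quotient when checking the table.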
Table 34 shows the questions that can help you choose the right platform to fit<br />
your needs.<br />
Table 34. Main Questions to Consider before Configuring a Server<br />
Question | Commentary<br />
Should AIX, OS/2, VM or Windows NT serve as the Internet server platform? | You need to consider your budget, people skills, your existing in-house environment and performance needs before choosing one platform.<br />
How many hits per day on the server? | You can use this information to do effective capacity planning. Generally, on a low-hit site you can use an Intel platform, and on a high-hit site RISC-based machines are indicated.<br />
What is the average page size? | You can multiply the average page size (KB) by the number of daily hits on the server to obtain how much information will be delivered.<br />
Must your external users have access to the databases? | If yes, you will need a more powerful server because in most cases the database gateway daemon degrades the system performance.<br />
If so, what type of database support is required, such as <strong>IBM</strong> DB/2, Oracle, Sybase, Ingres or Informix integration? | The database gateways can have different behaviors. First contact your database supplier to check the needs of this software.<br />
What are your security requirements? For example, will it be necessary to protect highly confidential information and restrict access to the internal corporate network? | If yes, you will need a secure server that supports SSL or S-HTTP. This server uses part of the processor power to make security validations.<br />
Will multiple home pages be installed on the same server? | If yes, first consider all the questions listed above, and if necessary add additional memory and/or processor power on your server.<br />
What type of interface do you need to use? Must it be intuitive, Motif or Windows-like and easy to use? | This is a very important item when you do not have specialized skills on different platforms. The Windows and Motif-based operating systems such as Windows NT, AIX X-Windows and OS/2 are easier to use, administer and install. The VM, MVS and OS/400 operating systems do not support graphical applications.<br />
9.13 Planning for Future Expansion<br />
You will undoubtedly need to increase both the amount of the hardware disk<br />
storage on your Web server, as your site becomes more popular with both<br />
visitors and staff within the corporation, and the bandwidth of your<br />
communications link in the fairly immediate future, and certainly within a couple<br />
of years. Internet applications will continue to grow in terms of computing and<br />
storage needs, as well as in terms of the loads they impose on your<br />
communications link.<br />
Selecting certain communications options can be expensive when it is time to<br />
upgrade your service. Don’t put it off; just assume that you will have to upgrade<br />
and that you will be upgrading sooner than your current plans indicate. Both<br />
ISDN and Fractional T1 services are scalable, and you can work to add<br />
bandwidth as soon as it becomes obvious that you need a little extra.<br />
9.14 Final Considerations<br />
Some ISPs offer service guarantees, and others offer rebates based on down<br />
time. All networks fail at some point, and the important factor here is how<br />
quickly your ISP isolates the problem and how fast it is fixed and full service<br />
restored.<br />
Below are some useful tips on how you can improve your services and make<br />
your ISP one of the best choices for your customers.<br />
• Coping with Power Outages<br />
The most common cause of service loss is one that is not actually under the<br />
control of the ISP, a power outage at the customer site. A blackout on a<br />
neighboring construction site can bring the best-made plans crashing. A<br />
power outage will either be transient and very, very short, resulting in no<br />
loss or virtually no loss in service, or it will last for several hours or even<br />
days, depending on the severity. A long power outage is also likely to affect<br />
your ISP. When a problem like this occurs, you can help your customers and<br />
provide them with a unique specialized service on this area: <strong>IBM</strong> Business<br />
Recovery Services. See all the information about this and other services on<br />
Appendix A, “Availability Services” on page 297.<br />
• Circuit Failure Rates<br />
The next most common failure after a power failure is loss of the<br />
communications circuit. Again, this can range from a very brief interruption<br />
to a total loss in service that lasts for several hours or even days. Ask your<br />
telephone company for detailed statistics on its circuit interruptions, and<br />
ask what contingency plans are in place to provide an alternative service if<br />
the break lasts for longer than expected.<br />
• Maintenance Outages<br />
Finally, there are two areas of maintenance to consider. Unscheduled<br />
maintenance relates to fixing unexpected hardware or software problems<br />
and should amount to less than an hour per occurrence. Scheduled<br />
maintenance, on the other hand, is planned well in advance, and your ISP<br />
should be able to give to your users a list of all scheduled and preventive<br />
maintenance operations, the length of time they are expected to take, and<br />
their potential impact on services.<br />
• Recovery Plan and Site Backup<br />
If you really intend to be the best option for your customers when they<br />
decide to contract an ISP, then you must have a recovery plan against all the<br />
disasters that may occur to your environment (some of them commented on<br />
previously).<br />
This plan should contain all the information that you need to know on how to<br />
start a contingency plan, all the staff members that will be involved and their<br />
responsibilities, as well as the procedures that will be taken to keep your<br />
customers on the air.<br />
A site backup is a fully complete environment outside your installations where<br />
your tape backups can be restored and your staff members can work when a<br />
disaster occurs to your physical installations.<br />
<strong>IBM</strong> offers these services to you. You can find more information about these<br />
services in Appendix A, “Availability Services” on page 297.<br />
• Assessing Technical Support<br />
Another way to assess an ISP’s ability to provide continuing service is to find<br />
out when its network operations center is fully staffed. As you expect<br />
Internet access 24 hours a day, 7 days a week, you need to plan your ISP to<br />
solve technical problems outside normal business hours. The support must<br />
be there when your users need it. ISPs with people on-site provide better<br />
service than those whose support staff are on call. If your staff is on call<br />
during the night, try to get some statistics about average response time and<br />
about how many service outages of what duration take place during the<br />
night. You should also plan your ISP’s policies for staffing the Technical<br />
Support desk during major holidays.<br />
Be sure that your ISP has an adequate supply of spares on hand to be able<br />
to act quickly when common emergencies associated with hardware failures<br />
occur.<br />
• Value-Added Services<br />
Many ISPs also provide additional information or services. Many can<br />
provide activity statistics, and most publish a newsletter. Ask other ISPs to<br />
see copies of all the reports you would receive if you were a customer of<br />
them.<br />
• Installation and Operation Costs<br />
Any ISP must be able to provide their customers with information on<br />
installation and operating costs, and also about any charges that might apply<br />
in the future if they decide to upgrade their services. High prices do not<br />
necessarily mean good service.<br />
Communications is an area where we can look forward to declining costs<br />
over the years, as the ISP’s costs also fall. Just be sure you understand<br />
exactly what you are getting for your money.<br />
9.14.1 Questions about Your ISP<br />
To close out this section, here is a summary of the most frequent questions<br />
that you should answer for your customers about the services you are offering:<br />
• How long has your company been providing Internet services? Which<br />
services do you provide?<br />
• Do you give a service guarantee or a rebate against system outages?<br />
• Do you have a recovery plan or a site backup to operate even in cases of<br />
disasters to your ISP environment?<br />
• Which services outages do you expect and how long will each last? How do<br />
you inform subscribers that the service is down, by phone or by e-mail?<br />
• What kind of network monitoring equipment do you have?<br />
• What are your plans to upgrade your hardware, software, and<br />
communications circuits?<br />
• When is your operations center staffed and how do we report problems?<br />
• Are there any restrictions on how I can use the Internet connection?<br />
• To which other networks are you connected and at what speeds?<br />
• What security techniques do you use at your site and recommend that I use<br />
at mine?<br />
• How will you ensure that my data is kept private?<br />
• Can you provide the names of three references who run sites similar in size<br />
and scope to the one I am establishing?<br />
Appendix A. Availability Services<br />
How well should you prepare for something that probably won’t happen?<br />
Chances are that your company will never be hit by an earthquake or a tornado,<br />
but it is possible. A more common occurrence might be a construction crew<br />
cutting through your phone lines or a computer hacker worming his or her way<br />
into your network. Disasters don’t have to be major events from mother nature<br />
to disrupt the flow of business and your relationship with customers. In fact, the<br />
smallest disruption can turn into a large-scale catastrophe. The secret to<br />
survival is never to be caught by surprise.<br />
<strong>IBM</strong> Business Recovery Services (BRS) can help protect your ability to service<br />
and support your customers, whether you are a local company or a highly<br />
networked global enterprise, and whether you are running LANs, WANs, large<br />
centralized servers or distributed client systems, through consulting and planning<br />
services to help you design, implement and manage a comprehensive business<br />
protection and recovery program that takes into consideration the risks your<br />
business faces. It’s an approach that not only helps you recover when your business<br />
experiences a disruption, but also protects against the kinds of events that can<br />
cause those disruptions. This approach to total business protection is termed the<br />
<strong>IBM</strong> Business Protection Model.<br />
A.1 <strong>IBM</strong> Business Protection Model<br />
The following pages describe the five-part <strong>IBM</strong> Business Protection Model, which<br />
is designed to help you prepare for, and recover from, everything from a minor local<br />
disruption to a major regional disaster.<br />
A.1.1 Risk Management<br />
It is always cheaper, smarter and faster to avoid a disaster than to recover from<br />
one. <strong>IBM</strong> can help you identify and minimize risks, as well as prevent<br />
disruptions that are indeed preventable.<br />
If risk is the likelihood that something bad will occur, then risk management<br />
allows an organization to control and protect all of their asset base, as well as<br />
measure, integrate and consider cost effective mitigation efforts.<br />
First you must determine the business value of all your assets, then your task is<br />
to identify, on an on-going basis, threats to those assets. Everything from<br />
earthquakes, to hurricanes, to destruction caused by a disgruntled employee or<br />
political upheaval. Next you must identify vulnerabilities, those weaknesses that<br />
can be exploited by a threat and where you are most at risk.<br />
Finally, you must develop safeguards that will eliminate, or at least minimize,<br />
your vulnerabilities.<br />
Through the process of risk analysis you can compare the cost of a disruption to<br />
your business that might be caused by a threat, with the cost of implementing a<br />
safeguard. This way you can develop priorities, and also prevent some disasters<br />
by taking the appropriate precautions. For example, one of our clients, as a<br />
result of a risk analysis, determined that their data center was located next to a<br />
rail line that regularly carried hazardous materials. This threat was eliminated<br />
by relocating the data center. The message here is that the more you invest in<br />
risk management, the lower your ultimate risk.<br />
A.1.1.1 Risk Management Services<br />
It is always cheaper, smarter and faster to avoid a disaster than to recover from<br />
one. <strong>IBM</strong> can help you identify and minimize risks, as well as prevent<br />
disruptions that are indeed preventable.<br />
Education: <strong>IBM</strong> offers technical education covering a range of business<br />
protection topics, from risk analysis and critical business components, to<br />
systems-specific recovery strategies and planning techniques.<br />
Integrated Risk Management Products and Services: Using industry-leading<br />
tools, <strong>IBM</strong> can help establish a quantitative approach to identifying and<br />
neutralizing the types of events that can disrupt your business.<br />
Internet Security Services: <strong>IBM</strong> offers products and services designed to<br />
protect your I/T environment against hackers and other breaches of security.<br />
Hackers make headlines. Internet Security Services can help ensure that you<br />
are not in them.<br />
Anti-Virus Software and Services: <strong>IBM</strong> AntiVirus is a comprehensive and<br />
reliable anti-virus software tool that protects critical applications and data<br />
throughout your company, whether you have stand-alone PCs or a complex<br />
LAN/WAN environment. <strong>IBM</strong> also offers virus training and education, <strong>IBM</strong><br />
AntiVirus deployment and virus emergency incident management services.<br />
Business Capacity Services: <strong>IBM</strong> offers temporary facilities with hardware and<br />
support personnel for evaluating capacity requirements, new applications,<br />
software upgrades or for testing your year 2000 conversion efforts.<br />
A.1.2 Recovery Strategy<br />
This is the second essential discipline.<br />
While you should always focus on risk management first and prevent those<br />
disasters that you can, you must be prepared in the event your company does<br />
encounter some type of outage.<br />
Your company’s recovery strategy must be dictated by which resources are most<br />
critical to the continued operation of your business. All facets of your daily<br />
operations must be examined to identify which of your processes and resources<br />
generate the most revenue and are therefore the most critical. The recovery<br />
strategy is truly the analytical phase of your business protection program. This<br />
is where the decisions need to be made on what is required to keep you in<br />
business, in what time frame and what is the financial impact to your business of<br />
not recovering.<br />
If information is required to take orders, respond to customer requests or create<br />
new products, what are the minimum service levels, network availability and<br />
response times that must be met to sustain your client requests?<br />
You must identify critical business processes, applications, information, key<br />
personnel, and the financial consequences of an outage. Once you have<br />
identified them, you can focus on the options available to bring your critical<br />
resources back on line in the required time frame.<br />
A.1.2.1 Recovery Strategy Services<br />
One of the keys to a successful recovery plan is a sound recovery strategy. <strong>IBM</strong><br />
can pinpoint your company’s critical assets and determine the best way to<br />
protect them.<br />
Business Impact Analysis: Which of your business’ processes, applications,<br />
technology and resources are most critical? What are the potential financial<br />
losses if they are disrupted? This in-depth analysis gives you the answers.<br />
Environment Analysis: <strong>IBM</strong> offers a structured evaluation of your I/T<br />
environment that focuses on hardware, software, networks and workflow. <strong>IBM</strong><br />
can help you understand your systems and their relationship to your total<br />
business and recommend a preliminary recovery strategy, whether your<br />
technology environment is distributed or centralized.<br />
Enterprise Solutions Study: The Enterprise Solutions Study provides a team of<br />
highly skilled <strong>IBM</strong> Business Recovery Consultants to analyze the unique<br />
business protection requirements of large companies with complex system<br />
environments or mega-site installations.<br />
Voice Recovery Analysis: <strong>IBM</strong> consultants can help you design, implement and<br />
manage a voice recovery plan that ensures your calls are handled promptly and<br />
professionally in the event of a disruption.<br />
Network Recovery Analysis: Experienced <strong>IBM</strong> Consultants can help you develop<br />
a comprehensive recovery solution that quickly reconnects your employees,<br />
suppliers and customers to your organization’s critical business information and<br />
applications.<br />
A.1.3 Recovery Capability<br />
The third essential discipline, Recovery Capability, is the sum total of the human,<br />
technological and physical resources required to substitute for your normal<br />
operating function. You must make the decision on how these capabilities<br />
should be provided.<br />
Can you do it all in-house, or do you outsource to a recovery specialist for the<br />
capability you need?<br />
As you make your decision to stage, acquire, or subscribe the support you<br />
desire, you must ensure that whether your own “recovery support group” or<br />
your external provider has the experience and skills in the various technologies<br />
you employ, the resources they can bring to answer your needs, and the ability<br />
to anticipate change. Above all, because of the on-going and dynamic nature of<br />
this process, the service provider you choose today should be able to serve you<br />
capably as your business develops, changes, and expands.<br />
A.1.3.1 Recovery Capability Services

Recreating an entire information technology environment on demand requires a massive infrastructure of facilities, multiple-vendor equipment inventories, services and skills. IBM offers a comprehensive worldwide network of leading-edge resources and unparalleled recovery capacity.

Alternate Sites: IBM stands ready to provide recovery support at 110 permanent recovery centers in 62 countries around the world.

IBM maintains:

• Fully equipped hot sites for large, midrange and client/server environments in Gaithersburg, MD, and Sterling Forest, NY, with an additional center in Boulder, CO, scheduled to open in January 1997.
• Additional fully maintained large, midrange, client/server and end-user hot sites strategically located around the world.
• Conveniently located Remote Customer Suites that allow access through the recovery network to all of our recovery resources. Our dedicated recovery network facility also allows for the option to recover remotely from any location you designate.
• Recovery support for a wide range of information technology, including:
  − IBM
  − Unisys
  − Dell
  − DEC
  − Hewlett-Packard
  − Optical Storage
  − Tandem
  − Sun
  − Xerox
  − Data General
  − Apple
  − Check Sorters
  − Stratus
  − Compaq
• Unique rollback capabilities, providing access to the full range of resources in IBM data centers around the world. This helps ensure that an alternate site will be available to you even if the disaster that strikes you also affects a large number of other companies.
• Cold sites that are available for up to six months for customers whose recovery requirements exceed six weeks.

High Availability: IBM offers services designed to rapidly restore system function and preserve the integrity of data from ongoing transactions. These services ultimately reduce recovery windows to hours, minutes or even seconds.

Network Recovery: The loss of a location can be transparent to customers, as long as the information is available somewhere else. IBM can quickly reconstruct and redirect your network, including your critical Internet connections, and provide flexible, reliable, high-bandwidth links between your site and our recovery resources worldwide.
Equipment Quickship: Temporary hardware replacement for a wide range of environments can be shipped within 24 to 48 hours of disaster declaration to a customer-designated site. Flexible terms and conditions allow you to configure your hardware subscription as your requirements change. Available technology includes DEC, HP, IBM PC, Apple, Compaq, Sun, AST, Cisco, Shiva, SynOptics and more.

End User Services: IBM provides complete and cost-effective solutions to help you resume business operations and get your end-user environments back up and running. We can provide equipment to duplicate any workplace, including alternate space, telecommunication equipment, fax machines, copiers, LANs, workstations, file servers, hubs and routers. More than 7,500 end-user spaces are currently available worldwide to meet the recovery needs of a wide range of work group sizes.

Voice Recovery: With the industry's most sophisticated and comprehensive voice recovery solutions, IBM can meet the recovery requirements of a wide range of call center environments. Solutions range from simply providing space and equipment for your call center personnel to rerouting your incoming calls to trained IBM agents who answer calls on your behalf.

Mail and Distribution Services: Through an alliance with Pitney Bowes, IBM can provide highly qualified, full-service print/mail/finishing sites to help get your mailroom back up and operating at an alternate site.

A.1.4 Recovery Plan

Recovery planning is the fourth essential discipline. Once you have your recovery strategy in place and have positioned your recovery capability, you should formulate your recovery plan and document the tasks required to implement it.

An effective plan should focus on three specifics: backup, recovery and implementation. The backup process documents the information and procedures needed to preserve all your critical resources. It should cover not only information and technology reserves but also alternate staff members and their responsibilities, and it should record the substitute facilities acceptable to support your recovery capability requirements. The recovery process records the procedures needed to restore these vital functions and resume normal business operations. The implementation process outlines all associated tasks and responsibilities.

The purpose of testing your business recovery plan is to prove that your recovery capability exists and that all or part of your plan will work. The best way to assure maximum recoverability is to conduct unannounced tests and act aggressively on the results. Plans must be amended to accommodate changes that affect your assets and critical business functions.
A.1.4.1 Recovery Plan Services

After you have outlined a business recovery strategy based on a realistic understanding of your requirements, IBM can help you develop, implement, test and maintain a total business protection program.

Plan Development: IBM Business Recovery Consultants, using IBM's proven methodology and tools, can help you develop, test and maintain your business recovery plan. Plans can be developed for any platform and any aspect of your business. IBM offers customized planning engagements, workshops and software tools to help you develop your recovery plan.

Recovery Management Services: IBM offers support services to augment or mirror your recovery team by providing skills and resources to perform recovery testing or disaster support activities. These services can range from simple tape management to total recovery outsourcing.

A.1.5 Business Continuity

The fifth essential discipline is business continuity. No matter how strong your focus on managing risk and how well prepared you are for an unexpected event, there are disasters and events that go beyond the normal bounds of recovery programs. In response, there is a growing need to focus on areas that have not traditionally been seen as part of the disaster recovery process. For example, before a major disaster strikes, you should:

• Establish relationships with key suppliers of potentially scarce resources such as office equipment, real estate and construction services.
• Work with government agencies and organizations involved in disaster recovery, such as FEMA and the Red Cross.
• Develop a plan to deal with the emotional toll your employees experience during a large-scale disaster.

The hurricanes in southern Florida not only caused power outages but leveled city blocks. The earthquakes in Kobe and Mexico devastated not just the business districts but whole communities.

Business continuity involves a focus on the activities you should undertake to ensure the resumption of your business in the event of a catastrophic event, as well as the management process that should be in place to support the ongoing evolution of your business protection demands.
A.1.5.1 Business Continuity Services

Once a recovery program is in place, you need to focus on ways to augment that program to help ensure the continuous availability of your business infrastructure. IBM can help you integrate a total business protection plan that includes your technology, your facilities and your employees.

Business Resumption Services: IBM offers a crisis team that can be dispatched to any designated site to coordinate and manage your recovery in the event of a disaster. These services can include:

• Relocation services
• Construction services
• Acquisition services
• Workplace services
• Crisis management services

Performance Testing Services: Your ability to serve your customers, deliver your products and services to the marketplace and stay in business depends in large part on how well your information systems perform. It is not something you want to leave to guesswork, so we provide a complete range of I/T planning, design, implementation, operation, upgrade and evaluation services.

A.2 BRS - Worldwide Locations

Business Recovery Services has a presence in 62 countries across four geographies, providing consulting services and recovery support for large systems, midrange and distributed environment customers.

IBM brings you the convenience of doing business in your own language and culture with reduced travel, permitting easy access to a business environment in which you are comfortable.

BRS offers highly trained and experienced personnel, recovery centers, facilities and equipment to support your international needs. Should a regional disaster occur, you receive the capabilities only BRS can provide: the benefit of local access with global reach.

Table 35. Summary

  International Presence    62 countries
  Large Systems             37 countries
  Mid-Range Systems         54 countries
  Distributed Systems       29 countries
  Consulting Services       50 countries

A.3 BRS - Services

IBM Business Recovery Services has a wide range of services to offer:
• Business Resumption Services
• Consultation Services
• Distributed Systems and Multi-Vendor Services
• e-Business Recovery Services
• High Availability Services
• IBM AntiVirus Products and Services
• Internet Emergency Response Services
• Large Systems Services
• Recovery Management Services
• Workgroup/Voice Recovery Services
• Year 2000 Testing Services

In this redbook, however, we describe only the e-Business Recovery Services and the Internet Emergency Response Services. More information about the other services is available on the IBM Business Recovery Services Web site:

http://www.brs.ibm.com
A.3.1 e-Business Recovery Services

Figure 80. e-Business Recovery Services Areas

e-Business is business conducted via the Internet and includes electronic commerce, collaboration and content management. Each day more companies are experimenting with or implementing mission-critical business applications on the Internet, so the need to recover from a service outage has never been greater. If a disaster forces you to shut down your Internet presence, you could be left out of touch with customers, employees or key suppliers, resulting in lost revenue as well as customer dissatisfaction.

With the IBM e-Business Recovery Services, provided by IBM Business Recovery Services (BRS), if you experience an unplanned outage of an Internet-based application, IBM provides the network access, networking equipment and server equipment necessary to reestablish your electronic presence on the global Internet. IBM can also provide for the backup and recovery of the critical data needed to continue business operations in a time frame that meets the needs of your business.

The IBM e-Business Recovery Services combine the industry-leading strength of IBM in three areas of business recovery capability:

• Internet access and network equipment
• Server hardware and peripherals
• Safe backup and recovery of data

IBM BRS will work with you to design and implement a business recovery solution to meet the requirements of your critical Internet business applications. The e-Business Recovery Services areas are:

• Internet access and network equipment

  IBM BRS offers access to multiple Internet Service Providers (ISPs) to enable you to reestablish your electronic presence on the Internet. IBM can help you redirect network traffic from the location experiencing an outage to an IBM BRS center. In addition to Internet access, IBM BRS is equipped with the latest multivendor, multiprotocol networking equipment and infrastructure, so whether it is your Internet access or your entire enterprise network environment that needs to be recovered, IBM can provide a total business recovery solution.

• Server hardware and peripherals

  IBM BRS is the industry leader in multiplatform, multivendor interim processing solutions that protect your business from unplanned outages of your information technology systems. Whether you run your Web site on UNIX, AIX, Windows NT, OS/400, MVS or another platform, IBM has the equipment and support needed to recover your application. And if, like many other businesses, you link your Web site to existing back-end database systems, we can support those systems too, enabling you to implement a seamless and cost-effective recovery plan.

• Safe backup and recovery of data

  The traditional model for recovery from unplanned data center outages called for a 24 to 48 hour recovery window. In the electronic marketplace, you may not be able to tolerate an outage of that duration. In response to our customers' need to minimize their exposure, IBM has developed a suite of high availability solutions ranging from off-site storage of backup data on tape to mirrored systems that deliver the highest level of availability and data integrity in the industry.
A.3.1.1 IBM Provides the Complete Solution

IBM's Internet expertise and experience is long-standing and world recognized. We have an extensive history of Internet contributions, including the design and implementation of the router technology for NSFNET. With IBM e-Business Recovery Services, IBM continues this tradition by offering the services you need to ensure that your electronic marketplace presence can continue even if your site is struck by disaster. No matter what the size of your implementation, IBM BRS can help you make sure your business-critical Internet-based applications stay available.

Figure 81. e-Business Recovery Services Implementation

IBM provides:

• Access line and site router with Ethernet and token-ring interfaces at the recovery center
• One registered IP address per host system subscribed at the recovery center
• Server and peripheral equipment required to reestablish the application

Customer responsibility:

• Provide for the redirection of Internet traffic to the IBM BRS center. Since the recovered hosts answer on addresses registered to the recovery center rather than on your own, in practice this means repointing your public DNS records, which only takes effect quickly if their TTLs were lowered in advance as part of the plan.
• Provide for any information security required. The recovered configuration should be held to the same firewall and access-control rules as the production site; a server restored with its production data behind weaker filtering is a new exposure, not a recovery.

The more you depend on networking to keep in touch with your customers, employees and business partners, the more critical your networking capability is to the survival of your business. IBM can help you stay in touch, even during a disaster.
A.3.2 Internet Emergency Response Service (IERS)

Offered through the IBM Business Recovery Services organization, the Internet Emergency Response Service (IERS) is a component of the IBM SecureWay line of security products and services. IERS is designed to increase a customer's Internet security skills, enabling them to use the Internet with reduced exposure. The service is based on IBM's eight years of experience managing its own 40 Internet connections and those of its customers, as well as extensive incident response experience in virus and network security. It draws on the expertise of the IBM T.J. Watson Research Center, which is world-renowned in the fields of network security and encryption technology. (More information about the Research Center is available at http://www.watson.ibm.com.)

The primary Internet Emergency Response Service offering is a packaged solution that includes the five principal components of the service described below. The package is priced per connection, where a connection is defined as a host (IP address) that is directly connected to the Internet. Generally, this means firewalls and the systems outside them, such as Web servers, name servers and so forth. It is designed and priced for larger companies that have a business need for their Internet connection and have created a centralized incident management capability.

To accommodate smaller customers who have a less substantial need for the Internet, the initialization workshop, security advisory subscription, monthly and weekly periodic testing, and incident management services are also offered on a self-service basis. To be eligible for this plan, the customer must have an Internet firewall deployed and a centralized incident response capability.

To assist customers who want to learn more about Internet security, are unsure how they should handle Internet security incident response, or simply wish to learn more about the IERS offering, the Initialization Workshop is offered as a separate one-time-cost item. The cost of this workshop is fully refundable against the IERS package subscription charge.

The annual subscription service covers five key components:
A.3.2.1 Initialization Workshop

To implement this service effectively, the IERS team plans and conducts a one-day workshop on the customer's premises. The workshop is preceded by an exchange of Internet security policy and implementation documents. Presentations are made by the customer and the IERS team in the first half of the workshop; the second half is reserved for case study analysis. The workshop helps form the close working relationship that characterizes this service by extending the customer's staff with the team's skills.

This workshop is a standard component of the IERS service, but it is also offered separately to prospective IERS customers for a reduced fee (fully refundable against the IERS package subscription charge).

Workshop Focus:

The workshop generally focuses on three areas:

1. Customer's level of Internet preparedness

   Examine the current state of the customer's Internet access and security procedures, and how these relate to the customer's business model. Examine the importance of risk analysis and how to do it. Examine the customer's Internet security policy, key issues in policy management, and how to develop and maintain a policy.

2. Translating policy into implementation

   How to derive router, gateway and firewall configurations from the security policy document. Understanding potential vulnerabilities, and the risks associated with particular technologies and access methods. Available security tools and services, and how they relate to the customer's needs.

3. The incident management process

   How to detect a security breach, how to respond to an attempted or successful breach, how to prevent further breaches, how to recover from the breach, and how to track down the source of an incident. Essential preparation steps. Legal issues and evidence collection.
Internet Security Workshop Preparation:

To maximize the customer's value from the workshop, the IERS team customizes the session to the customer's needs. The workshop is tailored to address the issues determined from a prior analysis of the customer's Internet connectivity architecture, security policy and implementation. We ask that the customer provide the following information at least one week before the date of the workshop:

1. A short summary of the organization: type of business, national or international scope, organizational relationships (subsidiaries, joint ventures, etc.).
2. A short summary of the organization's use of the Internet: why the organization is connected, what the connection is used for, and what it means to the business (that is, whether it is tied to profit and loss).
3. A description of the internal corporate networking architecture, including network diagrams, computing platforms and operating systems, protocols in use, etc.
4. A description of all Internet connections, including firewalls, Web servers, FTP servers, name servers, etc., with network diagrams.
5. A copy of the corporate Internet security policy, if one exists, and information about how that policy is distributed to employees.
6. A copy of any parts of the corporate information security policies that relate to Internet connection or use.
A.3.2.2 Incident Management

IERS provides coverage 24 hours a day, 7 days a week to help customers respond to perceived attacks and exposures across their secure connections to the Internet. In this capacity, IERS acts as an extension of the customer's existing computer security staff, giving them the depth of experience of a team that deals with Internet intrusions daily. Incidents are treated as strictly confidential.
A.3.2.3 Periodic Electronic Verification

IERS periodically tests the customer's Internet connections remotely. This testing helps ensure that secure connections do not become vulnerable as a result of system or configuration changes, or of developments in break-in technology. Through the expertise of the IBM Global Security Analysis Laboratory, the testing tools are continually improved to incorporate the latest known vulnerabilities. The IERS team provides both weekly and monthly testing of your Internet connections.

Weekly Connection Policy Compliance Testing: Once a week, we test your Internet connection(s) to make sure they are configured according to your security policy. For example, if your policy says that you do not allow Telnet from the Internet into your corporate network, we check that you are not allowing it, and if for some reason you are, we notify you immediately. We also check your connection for a number of well-known vulnerabilities and notify you if we find any. This testing is designed primarily to detect changes in the configuration of your connection, whether they were made by authorized or unauthorized means.
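The following Python script is an added example, not code from the redbook or from IBM's IERS tooling, showing the logic behind such a weekly compliance test: it holds the written policy as a per-host set of ports that may be reachable from the Internet, compares this week's externally observed services against it, and diffs them against last week's baseline so that configuration changes are caught even when the new state is still policy-compliant. The hosts, addresses, policy and scan results are constructed sample data; a real run would feed in the results of an external port scan of the connection.

```python
"""Weekly connection policy-compliance check (added example, not IBM's tooling).

Two checks run over the services observed from the Internet on each exposed
host: (1) is every reachable port permitted by the written policy, and
(2) what changed since last week's observation.  Hosts, policy and scan
results below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    kind: str       # "policy_violation" or "config_change"
    detail: str


# Security policy: for each Internet-facing host (hypothetical addresses),
# the TCP ports the policy allows to be reachable from the Internet.
POLICY = {
    "192.0.2.1": set(),            # the firewall itself: nothing reachable from outside
    "192.0.2.10": {80, 443},       # public web server
    "192.0.2.20": {25},            # inbound mail relay
}

# Constructed scan results: last week's baseline and this week's observation.
LAST_WEEK = {
    "192.0.2.1": set(),
    "192.0.2.10": {80, 443},
    "192.0.2.20": {25},
}
THIS_WEEK = {
    "192.0.2.1": {22},             # ssh has been opened on the firewall
    "192.0.2.10": {80, 443, 23},   # telnet is now reachable on the web server
    "192.0.2.20": {25},
}


def check_policy(policy, observed):
    """Report every reachable port the policy does not permit.

    A host absent from the policy is treated as permitting nothing, so an
    unexpected new host appearing on the connection is reported as well.
    """
    findings = []
    for host in sorted(observed):
        allowed = policy.get(host, set())
        for port in sorted(observed[host] - allowed):
            findings.append(Finding(host, port, "policy_violation",
                                    f"{port}/tcp reachable from the Internet but not permitted by policy"))
    return findings


def detect_changes(baseline, observed):
    """Report ports that opened or closed since the previous observation.

    A change is reported even when the new state is policy-compliant: the
    weekly test exists to catch changes, authorized or not.
    """
    findings = []
    for host in sorted(set(baseline) | set(observed)):
        before = baseline.get(host, set())
        after = observed.get(host, set())
        for port in sorted(after - before):
            findings.append(Finding(host, port, "config_change", f"{port}/tcp newly reachable"))
        for port in sorted(before - after):
            findings.append(Finding(host, port, "config_change", f"{port}/tcp no longer reachable"))
    return findings


def weekly_report(policy, baseline, observed):
    """Run both checks and return the findings keyed by check."""
    return {
        "policy_violations": check_policy(policy, observed),
        "config_changes": detect_changes(baseline, observed),
    }


if __name__ == "__main__":
    report = weekly_report(POLICY, LAST_WEEK, THIS_WEEK)
    for kind, findings in report.items():
        print(f"{kind}: {len(findings)}")
        for f in findings:
            print(f"  {f.host} {f.detail}")
```

The two checks are kept separate on purpose: a permitted port that silently disappears, or a permitted port that appears for the first time, is not a violation but is exactly the kind of unreviewed change the weekly test is meant to surface, and a violation that was already present last week is a standing exposure rather than a change.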
Monthly Connection Vulnerability Testing: Once a month, we test your Internet connection(s) to make sure they are not vulnerable to any known method of attack. In performing this test, we use well-known tools such as Internet Security Scanner (ISS), SATAN and others, as well as tools custom-developed for the service by the IBM Global Security Analysis Laboratory. If we discover anything during our testing, we notify you immediately and work with you to remove the vulnerability.

Monthly Testing Report: Every month we provide a written report containing the detailed results of your monthly vulnerability test, a summary of the previous month's weekly policy compliance tests, and a summary of all actions taken on your account in the previous month. These reports may be kept in a binder and reviewed at any time for information about the security of your Internet connection.
A.3.2.4 Tailored Security Vulnerability Advisories

Through IERS's ongoing monitoring of a wide array of sources, including the underground, customized alerts and advisories specific to the customer's environment are provided. Though potentially similar to advisories the customer may be used to seeing from other sources, IERS's are generally earlier, more specific, and drawn from broader sources.

IBM-ERS Advisories: The advisories are published in three series, which can be browsed or searched for specific topics:

Security Vulnerability Alerts

IBM-ERS Security Vulnerability Alerts (SVA) provide customers of the IBM Emergency Response Service with information about new or recently discovered security vulnerabilities in operating system or network software. They give a description of the problem, an analysis of its impact, and suggested solutions.

Outside Advisory Redistributions

The IBM-ERS Outside Advisory Redistribution gives customers of the IBM Emergency Response Service access to the security advisories sent out by other computer security incident response teams, vendors, and other groups concerned about security.

IBM-ERS For Your Information

For Your Information (FYI) documents provide customers of the IBM Emergency Response Service with information about current topics in the Internet security field. FYI documents are issued periodically as the need arises. Topics may include the security implications of new protocols in use on the Internet, implementation suggestions for certain types of services, and answers to frequently asked questions.
A.3.2.5 Ongoing Relationship

Because the IERS team functions as an extension of the customer's security skills, IERS encourages ongoing non-emergency communication with its customers about Internet security issues. This lets the customer draw on the security experience and the multivendor, multiproduct familiarity within the IERS team, better ensuring that the evolving customer environment remains secure.
A.3.2.6 Other Internet Emergency Response Services

The Internet Emergency Response Service may be augmented with the following services, which are not part of the basic offering:

Firewall Remote Administration: The IERS team administers the customer's firewall system remotely from a secure facility, over a strongly authenticated and fully encrypted connection. Requests for administrative changes to the firewall are made to the IERS team by the customer's Firewall Coordinator (or his or her backup or designate) and are subject to call-back authentication, so that a change request cannot be injected by someone merely claiming to be the coordinator.

Firewall Remote Monitoring: The IERS team performs periodic remote analysis of the firewall log files. This service involves the weekly transmittal of the firewall log files to an IBM location via the Internet. All log files are encrypted before they are sent, to prevent the disclosure of confidential information. At the IBM location, the log files are subjected to automatic analysis procedures designed to identify well-known attack signatures. Any anomalies discovered by this process are communicated to the customer's Firewall Coordinator (or his or her backup or designate). Because the logs are analyzed in weekly batches, an attack can go unnoticed for up to a week; the real-time intrusion detection option described next closes that gap.
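As an added example, not the redbook's or IBM's analysis procedure, the following Python script shows what such automatic signature analysis looks like over a batch of firewall records: it parses an assumed vendor-neutral deny/permit line format, keeps a sliding 5-minute window per source address, and raises one alert when a source probes many ports on one host (a port sweep) or one port on many hosts (a host sweep). The log lines, the record format, the window and the thresholds are all constructed for the example.

```python
"""Firewall log signature analysis: port sweeps and host sweeps.

Added example, not the redbook's or IBM's analysis procedure.  The record
layout below is an assumption of this example, not any vendor's format:
    <ISO timestamp> <deny|permit> <tcp|udp> <src>:<sport> -> <dst>:<dport>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>deny|permit) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
2025-01-01T02:00:01 deny tcp 198.51.100.7:40001 -> 192.0.2.10:21
2025-01-01T02:00:02 deny tcp 198.51.100.7:40002 -> 192.0.2.10:22
2025-01-01T02:00:03 deny tcp 198.51.100.7:40003 -> 192.0.2.10:23
2025-01-01T02:00:04 deny tcp 198.51.100.7:40004 -> 192.0.2.10:25
2025-01-01T02:00:05 deny tcp 198.51.100.7:40005 -> 192.0.2.10:110
2025-01-01T02:00:06 deny tcp 198.51.100.7:40006 -> 192.0.2.10:143
2025-01-01T03:10:00 deny tcp 203.0.113.9:51000 -> 192.0.2.1:23
2025-01-01T03:10:01 deny tcp 203.0.113.9:51001 -> 192.0.2.2:23
2025-01-01T03:10:02 deny tcp 203.0.113.9:51002 -> 192.0.2.3:23
2025-01-01T03:10:03 deny tcp 203.0.113.9:51003 -> 192.0.2.4:23
2025-01-01T03:10:04 deny tcp 203.0.113.9:51004 -> 192.0.2.5:23
2025-01-01T04:00:00 permit tcp 198.51.100.50:33000 -> 192.0.2.10:80
2025-01-01T04:00:05 deny tcp 198.51.100.50:33001 -> 192.0.2.10:22
2025-01-01T05:00:00 deny udp 198.51.100.60:5000 -> 192.0.2.10:161
2025-01-01T06:00:00 deny udp 198.51.100.60:5000 -> 192.0.2.10:162
2025-01-01T07:00:00 deny udp 198.51.100.60:5000 -> 192.0.2.10:53
2025-01-01T08:00:00 deny udp 198.51.100.60:5000 -> 192.0.2.10:69
2025-01-01T09:00:00 deny udp 198.51.100.60:5000 -> 192.0.2.10:123
this line is corrupt and must not abort the analysis
"""


def parse(lines):
    """Parse raw lines into records; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        d = m.groupdict()
        records.append({"ts": datetime.fromisoformat(d["ts"]), "action": d["action"],
                        "src": d["src"], "dst": d["dst"], "dport": int(d["dport"])})
    return records


def find_sweeps(records, window_seconds=300, min_ports=5, min_hosts=5):
    """Slide a time window over each source's denied packets and flag sweeps.

    One alert is kept per (source, signature, target), stamped with the time
    the threshold was first crossed, so a long scan does not alert repeatedly.
    """
    window = timedelta(seconds=window_seconds)
    denied = sorted((r for r in records if r["action"] == "deny"), key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for r in denied:
        by_src[r["src"]].append(r)

    alerts = {}
    for src, recs in by_src.items():
        start = 0
        for end, cur in enumerate(recs):
            while recs[start]["ts"] < cur["ts"] - window:   # expire records older than the window
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for r in recs[start:end + 1]:
                ports_per_host[r["dst"]].add(r["dport"])
                hosts_per_port[r["dport"]].add(r["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= min_ports:
                    alerts.setdefault((src, "port_sweep", dst), {
                        "src": src, "kind": "port_sweep", "target": dst,
                        "count": len(ports), "first_seen": cur["ts"]})
            for dport, hosts in hosts_per_port.items():
                if len(hosts) >= min_hosts:
                    alerts.setdefault((src, "host_sweep", dport), {
                        "src": src, "kind": "host_sweep", "target": dport,
                        "count": len(hosts), "first_seen": cur["ts"]})
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


def analyze(lines, **thresholds):
    """Parse and analyze a batch of log lines; returns the alert list."""
    return find_sweeps(parse(lines), **thresholds)


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a['first_seen']} {a['kind']} from {a['src']} -> {a['target']} ({a['count']} seen)")
```

On the sample, the 5-minute window flags 198.51.100.7 (six ports on one host) and 203.0.113.9 (port 23 on five hosts) but not 198.51.100.60, whose five probes are an hour apart; widening the window (the `window_seconds` argument) trades that false negative against more noise from ordinary scattered denies, which is the tuning decision a batch analysis of this kind has to make.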
Real-Time Intrusion Detection to IERS: Recently, <strong>IBM</strong> Global Services<br />
announced in Chicago, IL (USA) that it has entered into an agreement with<br />
WheelGroup Corporation to use WheelGroup’s NetRanger product to detect<br />
network attacks and send an alarm as the attacks are occurring.<br />
This announcement is a significant expands security offering for e-business.<br />
It is a major addition to the portfolio of services offered through the <strong>IBM</strong> Internet<br />
Emergency Response Service, which addresses and helps to eliminate security<br />
concerns related to Internet/intranet activity. With this announcement, <strong>IBM</strong><br />
strengthens its e-Business capabilities for customers seeking to confidently<br />
conduct business over the Internet and through their intranets.<br />
<strong>IBM</strong> can deploy NetRanger intrusion detection sensors at critical locations on a<br />
company’s network such as its Internet connection and strategic intranet<br />
connections, similar to the way a security firm installs alarm systems for<br />
residential customers. <strong>IBM</strong> also can pro-actively monitor the sensors, 24 hours<br />
a day, seven days a week, from its Network Security Operations Center (NSOC)<br />
in Boulder, Colo. When the sensors detect a security violation or misuse, an<br />
alarm message is sent to the NSOC. <strong>IBM</strong>’s security experts can then<br />
immediately take action to neutralize the problem.<br />
By immediately detecting attacks against the customer network, <strong>IBM</strong> is able to<br />
repel the attack and diminish the impact. Even the most security conscious<br />
companies can now realize the advantages of e-business.<br />
This relationship joins <strong>IBM</strong>’s full-service security expertise with WheelGroup’s<br />
leading edge intrusion detection technology. It provides an unmatched security<br />
monitoring solution for corporations using the Internet and intranets.<br />
The suite of network security services and consulting methodologies delivered<br />
through <strong>IBM</strong>’s Business Recovery Services offerings provides companies with an<br />
array of security capabilities including assessing a customer’s Internet/intranet<br />
security preparedness, educating a customer in the components of<br />
Internet/intranet security, deploying security components, managing the risk<br />
associated with doing business electronically, and responding to emergency<br />
situations.<br />
A.3.3 Final Considerations about Availability Services<br />
As companies continue to integrate the Internet and their own intranets with<br />
mission-critical applications, they become vulnerable to new and unanticipated<br />
security threats. Such exposures can place organizations at risk at every level,<br />
down to the very credibility upon which they build their reputations.<br />
While network security is on everyone’s mind these days, few companies can<br />
afford to dedicate their own resources to building and implementing a sound and<br />
lasting security strategy. At the same time, no enterprise can afford to have its<br />
business become a casualty of poor planning or preventable harm.<br />
As a developer of much of the technology that evolved into today’s Internet, <strong>IBM</strong><br />
is uniquely positioned to offer your business the confidence it needs to safely<br />
conduct and benefit from e-business.<br />
<strong>IBM</strong>-ERS is a Member Team of the Forum of Incident Response and Security<br />
Teams (FIRST), a global organization established to foster cooperation and<br />
response coordination among computer security teams worldwide.<br />
<strong>IBM</strong> is a Management Team Member of the Manhattan Cyber Project, whose<br />
mission is to improve on the availability and effectiveness of technology, people,<br />
and processes, that safeguard U.S. Corporations and critical infrastructure areas<br />
from the pervasive cyber threat.<br />
A.3.3.1 The Four Phases of Internet Adoption<br />
To help its customers develop their plans for integrating the Internet into their<br />
businesses, <strong>IBM</strong> has identified four principal phases along the road of Internet<br />
adoption:<br />
• Access<br />
In this first phase of adoption, a company has just begun to explore the<br />
Internet, and to learn about its potential benefits. A few employees are using<br />
modems, connected to their desktop PCs, to dial into either a local Internet<br />
service provider, or a national service such as America Online. In this<br />
phase, the company is using the Internet as a resource for getting<br />
information only; all requests for access are in the outbound direction, and<br />
all information flow is in the inbound direction. Exchanging electronic mail<br />
and browsing the Web make up the majority of activities in this phase.<br />
• Presence<br />
In this phase, the company has begun to make use of the Internet not only as<br />
a resource for getting information, but also as a means of providing<br />
information to others. Direct connection of the company’s internal network<br />
means that now all employees have the ability to access the Internet<br />
(although this may be restricted by policy), allowing them to use it as an<br />
information resource, and also enabling processes such as customer support<br />
via e-mail. The creation of a Web server, either by the company’s own staff<br />
or through a content hosting service, allows the company to provide static<br />
information such as product catalogs and data sheets, company background<br />
information, software updates, etc. to its customers and prospects.<br />
• Integration<br />
In this phase, the company has begun to integrate the Internet into its<br />
day-to-day business processes, by connecting its Web server directly<br />
(through a firewall or other protection system) to its back-office systems. In<br />
the previous phase, updates to the Web server’s data were made manually,<br />
via tape or other means. In this phase, the Web server can obtain<br />
information on-demand, as it is requested by users. To use banking as an<br />
example, this phase enables the bank’s customers to obtain their account<br />
balances, find out when checks cleared, and other information retrieval<br />
functions.<br />
• E-Business<br />
In the final phase, the company has enabled bidirectional access requests<br />
and information flow. This means that not only can customers on the<br />
Internet retrieve information from the company’s back-office systems, but<br />
they can also add to or change information stored on those systems. At this<br />
stage, the company is conducting business electronically; customers can<br />
place orders, transfer money (via credit cards or other means), check on<br />
shipments, and so forth. Business partners can update inventories, make<br />
notes in customer records, etc. In short, the entire company has become<br />
accessible via the Internet.<br />
While your company may choose not to follow this road to its end, you are most<br />
likely right now somewhere on it, either at one of the phases or in transition<br />
between them.<br />
A.3.3.2 The Five Stages of Internet and Intranet Security<br />
Use of the Internet is not without its risks. However, <strong>IBM</strong> believes that while it’s<br />
important to recognize these risks, it’s also important not to exaggerate them.<br />
After all, crossing the street is not without its risks, either. But by recognizing<br />
the dangers, and taking the proper precautions (such as looking both ways<br />
before stepping off the curb), millions of people cross the street safely every day.<br />
<strong>IBM</strong> has defined five stages of Internet and intranet security:<br />
• Assess<br />
This stage examines your current state of Internet and intranet security<br />
preparedness, and identifies areas in which improvement is needed.<br />
• Educate<br />
In this stage, you learn more about protecting those things (protocols,<br />
systems, and applications) that were identified in the assess stage.<br />
• Deploy<br />
Once you have identified what needs to be secured, and learned how to<br />
protect it, you deploy solutions (technology, policies, and procedures) to<br />
implement that protection.<br />
• Detect<br />
No security solution is perfect. This stage uses a variety of techniques to<br />
detect weaknesses before they can be exploited.<br />
• Respond<br />
In the event that a vulnerability is successfully exploited, this stage makes<br />
sure that a plan is in place to respond to that emergency.<br />
The Internet and intranets are in a state of constant change (new protocols, new<br />
applications, new technologies) and a company’s security practices must be able<br />
to adapt to these changes. To enable this, the five stages above should be<br />
viewed as forming a circle; after deploying a security solution, enabling some<br />
detection, and devising a response plan, the assess stage is repeated, looking<br />
for further weaknesses. Those new weaknesses are then learned about and<br />
dealt with, and a third round begun. This continuous improvement makes sure<br />
that your corporate assets are always protected.<br />
A.3.3.3 <strong>IBM</strong>: Total Security Solutions<br />
<strong>IBM</strong> offers a total security solution. Regardless of which phase of Internet<br />
adoption you find yourself in, or which security stage you are currently<br />
addressing, the Emergency Response Service offers technologies and services<br />
to help you keep your business secure.<br />
Some of the key services we offer are:<br />
Assess Stage:<br />
• Vulnerability Evaluation<br />
Assessment of potential vulnerabilities to unauthorized access or use<br />
because of improper configuration or out-of-date software.<br />
• Planning and Implementation Workshop<br />
One-day workshop to examine current state of Internet access and security<br />
policies and procedures, and to develop a plan to advance to the next stage.<br />
• Security Controls Review<br />
Identifies the strengths and weaknesses of I/T security controls, determines<br />
exposures, recommends process for improvement.<br />
• Business Impact Analysis<br />
Identifies critical information assets, their exposure risk, and tactical and<br />
strategic actions for safeguarding them.<br />
Educate Stage:<br />
• Advisories<br />
Timely information from a variety of sources about security vulnerabilities in<br />
protocols and applications.<br />
• Security Workshop<br />
Two-day workshop, conducted by senior consultants, on topic(s) of specific<br />
interest to the attendees.<br />
• Training<br />
Available in several forms including white papers and technical publications,<br />
classroom-based short courses, and one-on-one hands-on instruction.<br />
• <strong>Redbooks</strong><br />
“How to” books on a variety of security-related topics, published by <strong>IBM</strong>’s<br />
International Technical Support Organization (see more information at<br />
http://www.redbooks.ibm.com).<br />
Deploy Stage:<br />
• <strong>IBM</strong> Firewall<br />
Combines all three firewall architectures (circuit gateway, proxies, packet<br />
filtering) into one security system (see more information at<br />
http://www.ics.raleigh.ibm.com/firewall).<br />
• <strong>IBM</strong> AntiVirus<br />
Protects against more than 10,000 strains of computer viruses on Windows<br />
3.1, Windows 95, Windows NT, OS/2, and NetWare (see more information at<br />
http://www.av.ibm.com).<br />
• <strong>IBM</strong> Global Network<br />
Serves over 30,000 companies in over 850 cities in 100 countries worldwide.<br />
• Asset Protection Planning and Policy<br />
Custom-developed security architecture that includes a variety of security<br />
management processes.<br />
• Security Solution Design<br />
Comprehensive design including systems, networks, physical and intellectual<br />
assets and personnel.<br />
Detect Stage:<br />
• Penetration Testing<br />
Simulated attempts to initiate unauthorized activities on, or gain access to,<br />
networks or computer systems.<br />
• Intrusion Detection<br />
Deployed at critical connection points on a network, monitors network traffic<br />
for misuse/security violations.<br />
• Log File Analysis<br />
Analysis of firewall log files for evidence of well-known attacks, plus<br />
inbound/outbound traffic analysis.<br />
• Audit Reports<br />
Describe the results of vulnerability evaluation, log file analysis, and<br />
intrusion detection activities.<br />
• War Dialing<br />
Sequential search of telephone exchanges for modems configured in answer<br />
mode.<br />
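The firewall log analysis described under Firewall Remote Monitoring (weekly log files subjected to automatic analysis for well-known attack signatures) and under Log File Analysis above can be illustrated with a small script. The following is an added example, not code from the original page or from the IBM ERS offering. It assumes a simple constructed log format (timestamp, action, protocol, source, destination, direction) and constructed sample lines; it flags two well-known patterns, a port sweep from one source and repeated denied attempts against one service, and produces the inbound/outbound traffic summary the text mentions:<br />

```python
"""Firewall log analysis example (added illustration, not IBM ERS code).

The log format below is an assumption made for this example:
    TIMESTAMP ACTION PROTO SRC:SPORT -> DST:DPORT DIR
Lines that do not match are counted as malformed rather than silently dropped,
so a truncated or tampered log file is visible in the report.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>IN|OUT)$"
)

# Constructed sample log: a port sweep from 192.0.2.10, four denied attempts
# against 203.0.113.9:23 from 198.51.100.7, some normal traffic, one bad line.
SAMPLE_LOG = """\
1997-10-01T02:14:00 DENY TCP 192.0.2.10:40001 -> 203.0.113.5:21 IN
1997-10-01T02:14:00 DENY TCP 192.0.2.10:40002 -> 203.0.113.5:23 IN
1997-10-01T02:14:01 DENY TCP 192.0.2.10:40003 -> 203.0.113.5:25 IN
1997-10-01T02:14:01 DENY TCP 192.0.2.10:40004 -> 203.0.113.5:110 IN
1997-10-01T02:14:02 DENY TCP 192.0.2.10:40005 -> 203.0.113.5:139 IN
1997-10-01T02:14:02 DENY TCP 192.0.2.10:40006 -> 203.0.113.5:443 IN
1997-10-01T02:30:10 DENY TCP 198.51.100.7:3301 -> 203.0.113.9:23 IN
1997-10-01T02:30:15 DENY TCP 198.51.100.7:3302 -> 203.0.113.9:23 IN
1997-10-01T02:30:20 DENY TCP 198.51.100.7:3303 -> 203.0.113.9:23 IN
1997-10-01T02:30:25 DENY TCP 198.51.100.7:3304 -> 203.0.113.9:23 IN
1997-10-01T03:00:00 ACCEPT TCP 203.0.113.20:51000 -> 198.51.100.80:80 OUT
1997-10-01T03:00:05 ACCEPT TCP 203.0.113.21:51001 -> 198.51.100.80:80 OUT
1997-10-01T03:01:00 ACCEPT TCP 192.0.2.44:2048 -> 203.0.113.5:80 IN
1997-10-01T03:02:00 ACCEPT UDP 203.0.113.20:1024 -> 198.51.100.53:53 OUT
this line is garbage and should be counted as unparsable
"""


def parse_log(text):
    """Return (records, malformed_count); each record is a dict of fields."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed += 1
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records, malformed


def find_port_sweeps(records, min_ports=5):
    """Sources whose denied inbound attempts touch at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "DENY" and r["dir"] == "IN":
            ports_by_src[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def find_repeated_denials(records, min_attempts=4):
    """(src, dst, dport) triples denied at least min_attempts times."""
    hits = Counter((r["src"], r["dst"], r["dport"]) for r in records if r["action"] == "DENY")
    return {key: n for key, n in hits.items() if n >= min_attempts}


def traffic_summary(records):
    """Count of records per (direction, action), e.g. ('IN', 'DENY')."""
    return dict(Counter((r["dir"], r["action"]) for r in records))


def analyze(text, min_ports=5, min_attempts=4):
    """Full report for one log file: parse statistics, signatures, traffic summary."""
    records, malformed = parse_log(text)
    return {
        "parsed": len(records),
        "malformed": malformed,
        "port_sweeps": find_port_sweeps(records, min_ports),
        "repeated_denials": find_repeated_denials(records, min_attempts),
        "traffic": traffic_summary(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds (five distinct ports, four denied attempts) are assumptions for the sample and would be tuned to a site's normal traffic; the malformed-line count is what an analyst would look at first, since a weekly file that suddenly fails to parse is itself an anomaly worth reporting to the Firewall Coordinator.<br />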
Respond Stage:<br />
• Incident Investigation<br />
Expert guidance and assistance in all six phases of security incident<br />
management: detection, containment, eradication, recovery, prevention, and<br />
prosecution.<br />
• E-Business Recovery<br />
Network access and equipment to quickly reestablish electronic presence on<br />
the Internet in the event of an unplanned outage, whatever the cause (see<br />
more information at http://www.brs.ibm.com/website.html).<br />
• Business Recovery Services<br />
Business protection, recovery, and resumption services for large, midrange<br />
and distributed multiplatform computing environments (see more information<br />
at http://www.brs.ibm.com).<br />
• Centralized Virus Management<br />
Processes and procedures for tracking and reacting to virus incidents on an<br />
enterprise-wide basis.<br />
A.3.3.4 On-Call, One-Call<br />
<strong>IBM</strong> Emergency Response Service provides companies with an array of security<br />
services and consulting methodologies. As a subscriber to these services, you<br />
will have access to the best resources in the business - <strong>IBM</strong> technology and<br />
expertise - on call 24 hours a day, 7 days a week:<br />
• <strong>IBM</strong> Global Services<br />
The most comprehensive and complete information technology services<br />
provider in the world (see more information at http://www.ibm.com/services).<br />
• <strong>IBM</strong> SecureWay<br />
Broad portfolio of security solutions, services, and technologies (see more<br />
information at http://www.ibm.com/Security).<br />
• <strong>IBM</strong> Global Network<br />
Managed network services for content, collaboration, and electronic<br />
commerce, as well as network outsourcing services (see more information at<br />
http://www.ibm.com/globalnetwork).<br />
• <strong>IBM</strong> Global I/T Security Consulting Practice<br />
Assessment, planning, design, and implementation services based on the<br />
<strong>IBM</strong> Security Architecture (see more information at<br />
http://www.ibm.com/Security/html/consult.html).<br />
• <strong>IBM</strong> Global Security Analysis Laboratory<br />
Researches the vulnerability of networks and systems; develops new<br />
technologies to counter future threats (see more information at<br />
http://www.zurich.ibm.com/Technology/Security/extern/Internet/gsal.html).<br />
And because we continue to update and revise our services, you will have the<br />
assurance of knowing that your network security processes and strategies won’t<br />
fall prey to obsolescence. To find out more about the services available through<br />
the <strong>IBM</strong> Emergency Response Service, choose from the links below, or send<br />
your questions to ers-sales@vnet.ibm.com. For information about ERS in<br />
Europe, the Middle East, and Africa, contact ers@emea.ers.ibm.com.<br />
Table 36. Useful Links about <strong>IBM</strong> Emergency Response Service<br />
Internet Emergency Response Service http://www.ers.ibm.com/sales-info/iers/index.html<br />
Information about the ERS team http://www.ers.ibm.com/team-info/index.html<br />
<strong>IBM</strong>-ERS press releases http://www.ers.ibm.com/sales-info/press-releases/index.html<br />
Meet the ERS advisory board http://www.ers.ibm.com/team-info/advboard.html<br />
Generic information about ERS http://www.ers.ibm.com/sales-info/moreinfo.html<br />
Appendix B. <strong>IBM</strong> Solutions for ISPs<br />
Internet usage is exploding. As the industry evolves with breathtaking speed,<br />
Internet Service Providers are in the historic position of transforming the way<br />
average citizens and businesses worldwide conduct their everyday lives. ISPs<br />
are also in a strong position to transform themselves from companies that only<br />
deliver Internet access to multiservice providers that deliver online services with<br />
real business value.<br />
The opportunities for Internet Service Providers go far beyond providing simple<br />
access to the Internet. Millions of people are looking to the Internet as their<br />
primary gateway to communicate, to form virtual communities, and increasingly,<br />
to purchase merchandise. In short, the second wave of Internet services,<br />
focused on electronic business (e-business), is quickly gaining momentum. With<br />
a requirement for high-volume transactions, legacy data integration, security,<br />
and scalable and reliable platforms, <strong>IBM</strong>’s years of experience with mission<br />
critical communications applications beg the question: who better than <strong>IBM</strong><br />
can help create the new world of Internet business services?<br />
Over the past several years, <strong>IBM</strong> has been involved in designing some of the<br />
largest Web sites in the world. From the 1996 Olympic games, to Wimbledon, to<br />
the Masters, <strong>IBM</strong> has developed the technology and know-how to build scalable<br />
Internet services. Now we are taking the technology and expertise gained from<br />
these major events and packaging a family of integrated solutions customized<br />
for ISPs. Leveraging <strong>IBM</strong> strengths in hardware, software, and services, these<br />
solutions are designed to deliver reliable services to large numbers of Internet<br />
subscribers.<br />
B.1 <strong>IBM</strong>: Preparing ISPs for the Second Wave<br />
While many opportunities abound for Internet Service Providers, they must also<br />
overcome the significant challenges presented by the second wave of Internet<br />
services. First generation Internet infrastructure is frequently based on ad hoc<br />
solutions developed with minimal attention to reliability and scalability. The<br />
number of online service outages making headlines is enough to drive this point<br />
home. With a focus on providing Internet access, these solutions will have<br />
trouble supporting the services required for the second wave: real-time<br />
collaboration, personalized content, and secure electronic transactions.<br />
<strong>IBM</strong> believes that preconfigured, integrated solutions supporting a broad range<br />
of services will be the driving force that enables ISPs to address the challenges of<br />
the second wave. For this reason, <strong>IBM</strong> is introducing a family of solutions<br />
specifically developed for the ISPs, with a focus on reliability, scalability, and<br />
service flexibility. <strong>IBM</strong>’s Solutions for ISPs deliver capabilities in the following<br />
areas:<br />
• Content management<br />
• Collaboration<br />
• Commerce<br />
• Security<br />
• Infrastructure<br />
Leveraging the best Internet technology from <strong>IBM</strong>, Lotus, Tivoli, and <strong>IBM</strong><br />
Business Partners, the <strong>IBM</strong> solutions for ISPs are the platform of choice for<br />
Internet Service Providers who are looking to differentiate their services in this<br />
competitive marketplace. The <strong>IBM</strong> Solutions for ISPs run on the industry leading<br />
open platform for mission-critical applications - the <strong>IBM</strong> RS/6000. Exploiting the<br />
price/performance advantages of RISC technology, and the network-tested<br />
reliability of the AIX operating system, the <strong>IBM</strong> Solutions for ISPs are supported<br />
by an operating environment second to none for business critical Internet<br />
services.<br />
B.2 Introducing <strong>IBM</strong> Solutions for ISPs<br />
In this dynamic marketplace, <strong>IBM</strong> is providing the servers, software, and<br />
services to ensure that Internet Service Providers’ infrastructure can meet the<br />
requirements of the second wave. <strong>IBM</strong> understands the challenges and<br />
opportunities facing ISPs and combines its expertise in networking and<br />
transaction processing with new Internet technologies that will dramatically<br />
impact how ISPs conduct their business. To help capitalize on the revenue<br />
opportunities opening up with the Internet’s second wave, <strong>IBM</strong> offers the<br />
solutions for ISPs. The solution components include:<br />
• Network access technology supporting residential dial-up, high-speed leased<br />
lines for business, and interconnection to Internet backbones. <strong>IBM</strong> Global<br />
Network (IGN) services can be utilized for NAP access, and to provide local<br />
POP support on a global basis.<br />
• Computing platforms including a choice of RS/6000 servers to meet the<br />
performance and price/performance requirements of ISPs, from new entrants<br />
to large ISPs who need to support millions of subscribers. Representing the<br />
broadest UNIX product family in the industry, the RS/6000 is a reliable and<br />
scalable platform for Internet services. The flexible server options supported<br />
by <strong>IBM</strong> Solutions for ISPs include entry rack systems, enterprise rack<br />
systems, and scalable RS/6000 SP frames.<br />
• The supported operating system is AIX, <strong>IBM</strong>’s commercial grade<br />
implementation of UNIX. Options for High Availability Cluster<br />
Multiprocessing (HACMP), <strong>IBM</strong>’s acclaimed technology for minimizing<br />
service outages, and <strong>IBM</strong> Enterprise Connectors, software to efficiently<br />
access legacy applications, complete a robust operating environment which<br />
leads the industry in reliability, and data and transaction integration.<br />
• <strong>IBM</strong>’s breakthrough Internet middleware developed to support large scale<br />
Web sites will be integrated with the <strong>IBM</strong> Solutions for ISPs, including<br />
technology from the Web Object Manager (WOM) developed to support the<br />
1996 Olympics. A key component of this technology is Net.Dispatcher, a load<br />
balancing software used in some of the most scalable Web sites ever built.<br />
• A set of application servers are the centerpiece of the <strong>IBM</strong> solutions for ISPs<br />
family, serving as the delivery vehicle for value added services.<br />
Incorporating the leading Internet technologies from <strong>IBM</strong>, Lotus, and<br />
Business Partners, the application servers support solutions for content<br />
management, collaboration, commerce, and security.<br />
• Revenue generating Value Added Solutions running on top of the <strong>IBM</strong><br />
solutions for ISPs application servers offer the differentiation required in the<br />
competitive Internet marketplace. From hosting storefronts with commerce<br />
solutions, to supporting virtual communities with collaboration solutions, to<br />
hosting Electronic Yellow Pages with content management solutions, the<br />
services which can be implemented with <strong>IBM</strong>’s Solutions for ISPs are<br />
virtually unlimited.<br />
B.2.1 Operations, Administration, Maintenance and Provisioning<br />
A key component of any solution deployed by Internet Service Providers is<br />
OAM&P. <strong>IBM</strong>’s Solutions for ISPs are supported by service management<br />
technology.<br />
The service management system is based on industry leading management<br />
software from <strong>IBM</strong>’s Tivoli Systems, including capabilities for consolidated<br />
console, server and network management, application monitoring, Internet<br />
service management, software distribution, and system backup and recovery.<br />
The foundation for the <strong>IBM</strong> solutions for ISPs service management system is the<br />
robust, object-based Tivoli Management Framework (TMF).<br />
B.3 <strong>IBM</strong>: Professional Services<br />
The <strong>IBM</strong> solutions for ISPs are supported by <strong>IBM</strong>’s highly skilled services<br />
personnel. Designed to accelerate the implementation of Internet solutions and<br />
accelerate time to market, professional services available include Internet<br />
consulting, product support services, solution installation, integration, and<br />
customization, and education.<br />
B.4 Explore the Possibilities<br />
The <strong>IBM</strong> Solutions for ISPs family is designed to allow ISPs the opportunity to<br />
offer a broad range of revenue generating services for the second wave. With a<br />
focus on content management, collaboration, and commerce, the three “Cs” of<br />
e-business, the <strong>IBM</strong> Solutions for ISPs family offers the following range of<br />
solutions required to meet the expanding requirements of your business and<br />
residential customers:<br />
• Offer core Internet services including Web access, news, and mail using<br />
technology from industry leader Netscape Communications.<br />
• Host storefronts for business customers with the <strong>IBM</strong> solutions for ISPs<br />
Net.Commerce solution, providing the comfort of secure transactions with the<br />
industry-standard SET protocol.<br />
• Transform a published Yellow Pages directory into an online multimedia<br />
database for business customers. Let electronic Yellow Pages entries<br />
mature into additional service opportunities for secure Web site hosting and<br />
links to electronic commerce.<br />
• Augment Web site and storefront hosting services with streaming video<br />
using <strong>IBM</strong>’s Videocharger Server for customer self-service and training, or<br />
online product demonstrations.<br />
• Host business customers’ intranets with the rich infrastructure provided by<br />
the <strong>IBM</strong> solutions for ISPs Lotus Domino Solution.<br />
• Support community services for business and residential subscribers using<br />
the collaborative power of the <strong>IBM</strong> solutions for ISPs Lotus Domino Server.<br />
These are some of the revenue-generating services that ISPs can implement<br />
with <strong>IBM</strong>’s Solutions for ISPs family. The breadth of services available is limited<br />
only by imagination.<br />
B.5 <strong>IBM</strong>: The Source for ISP Solutions<br />
<strong>IBM</strong> has been a leader in providing business support systems for provisioning,<br />
customer service and billing. The focus of <strong>IBM</strong>’s Telecom and Media Industry Solution<br />
Unit on enhanced services, information services, and network operations has<br />
established a strong presence for <strong>IBM</strong> as a solution provider to<br />
telecommunications and media customers. Now we are leveraging our<br />
experience, strength, and investments in network computing to deliver a family<br />
of Internet Service Provider solutions. Let <strong>IBM</strong>’s experience pay off by<br />
partnering with your customers in the race to provide electronic business on the<br />
Internet.<br />
B.6 What Are the <strong>IBM</strong> Solutions for ISPs<br />
The <strong>IBM</strong> Telecom and Media Industry Solution Unit (ISU) has implemented a<br />
comprehensive family of solutions designed to meet the reliability and scalability<br />
requirements of Internet Service Providers, the <strong>IBM</strong> Solutions for ISPs family.<br />
The <strong>IBM</strong> Solutions for ISPs consist of packaged hardware, software, and services<br />
offerings designed to allow ISPs the opportunity to quickly get to market with a<br />
variety of new revenue generating services.<br />
A typical <strong>IBM</strong> Solution for an ISP consists of the following:<br />
• An RS/6000 workgroup server, entry rack server, enterprise rack server, or<br />
an SP node.<br />
• AIX Version 4.2.<br />
• <strong>IBM</strong> Solutions for ISPs Web Integration Center documenting the <strong>IBM</strong><br />
Solutions for ISPs family solutions.<br />
• <strong>IBM</strong> Solutions for ISPs application software. The application software may<br />
be an existing AIX Licensed Program Product (LPP) or a Telecom and Media<br />
ISU PRPQ.<br />
• Installation and implementation services. Depending on the complexity of<br />
the solution, these services could be <strong>IBM</strong> Global Services (IGS) SmoothStart<br />
Services, IGS Professional Services or Telecom and Media ISU Professional<br />
Services.<br />
• Advanced application services. These services are designed to enhance the<br />
availability, scalability, and manageability of the <strong>IBM</strong> Solutions for ISPs<br />
solution. Advanced application services include high availability (HACMP),<br />
disaster recovery (HAGEO), Business Recovery Services, scalability<br />
(Interactive Network Dispatcher), service management (Tivoli) and<br />
backup/restore (ADSM).<br />
B.6.1 The <strong>IBM</strong> Solutions for ISPs Family<br />
The first release of the <strong>IBM</strong> Solutions for ISPs family consists of the following:<br />
• Content Management<br />
− <strong>IBM</strong> Solutions for ISPs Lotus Go Webserver<br />
− <strong>IBM</strong> Solutions for ISPs Web Hosting Server<br />
• Communications and Messaging<br />
− <strong>IBM</strong> Messaging Solution for ISPs<br />
• Collaboration<br />
− <strong>IBM</strong> Solutions for ISPs Lotus Domino Server (with business partners)<br />
• Security<br />
− <strong>IBM</strong> Solutions for ISPs Firewall Server<br />
• Commerce<br />
− <strong>IBM</strong> Solutions for ISPs Net.Commerce Server<br />
• Infrastructure<br />
− <strong>IBM</strong> Solutions for ISPs Network Dispatcher Server<br />
In addition to the <strong>IBM</strong> Solutions for ISPs solutions listed above, additional<br />
companion products are available from <strong>IBM</strong> which can apply to ISP customers:<br />
• Content Management<br />
− <strong>IBM</strong> Videocharger Server<br />
− Telecom and Media ISU Electronic Yellow Pages<br />
− Telecom and Media ISU Electronic White Pages<br />
− Netscape Enterprise Server<br />
• Messaging and Communications<br />
− Netscape News Server<br />
− Netscape Mail Server<br />
• Commerce<br />
− Netscape Merchant Server<br />
• Security<br />
− Checkpoint FireWall-1<br />
− WebStalker Pro<br />
− Netscape Proxy Server<br />
• Infrastructure<br />
− Tivoli TME Product Family<br />
The Telecom and Media ISU has developed boilerplate customer proposals for<br />
the <strong>IBM</strong> Solutions for ISPs family. A services team is in place within the<br />
Telecom and Media ISU to support customers proposals and to manage the <strong>IBM</strong><br />
Solutions for ISPs installations.<br />
B.7 RS/6000 As a Platform for Internet Service Providers<br />
The first wave of Internet services were characterized by ad hoc designs, lack of<br />
security, static publishing, basic access, and limited scalability. As would be<br />
expected, the second wave of Internet services requires solutions that support<br />
security, commerce, and transaction-oriented activities; as well as multiservices<br />
integration that is reliable, scalable, and highly available. The RS/6000′s<br />
strengths which include reliability, scalability, availability, robust portfolio,<br />
end-to-end security, and superlative service and support, make it a flagship<br />
network computing platform fully enabled to support the second wave of<br />
requirements.<br />
RS/6000 delivers reliability via superior storage management functions,<br />
non-intrusive low-level performance tools, journaled file system, intuitive<br />
systems management (SMIT), a wide range of connectivity applications and<br />
devices, and superior I/O storage subsystems.<br />
RS/6000 delivers scalability via binary compatibility across the product line, from<br />
workgroup server to large-scale server. In the Internet space, customers<br />
don′t know how fast their server needs will grow, and the RS/6000′s scalability<br />
enables seamless stability of an application set as their requirements increase.<br />
SMP scalable performance enables applications to achieve measurable<br />
performance improvements when processors are added in an SMP configuration.<br />
Dynamic capacity expansion enables customers to achieve linear performance<br />
bandwidth gains by adding nodes (on-the-fly) to an SP. Finally, as resources and<br />
nodes are added to an SP, systems administration is handled from a central<br />
control workstation making the SP a superior platform for LAN and server<br />
consolidation efforts.<br />
RS/6000 delivers availability via the industry-leading HA-CMP product set and the<br />
recently introduced Phoenix APIs for applications to exploit high availability and<br />
restart as real advantages today. Inherent RS/6000 features such as the service<br />
processors combined with the Call Home services create another availability<br />
advantage to exploit, particularly with the introduction of the F50 as a<br />
price/performance leader.<br />
The RS/6000 robust portfolio delivers a hardware platform and operating system<br />
software optimized for Symmetric Multiprocessing (SMP), Massively Parallel<br />
Processing (MPP), and TP-monitor-type multithreading and load balancing. Built<br />
on this foundation is the most robust collection of integrated network computing<br />
solutions (POWERsolutions) offered by any system vendor. This single point of<br />
contact for the major components exploits the strengths of <strong>IBM</strong>′s services and<br />
support combined with vendor applications in demand by our customers.<br />
A key element to satisfying the second wave requirement is end-to-end security.<br />
Security begins in the hardware and can be accelerated with cryptography<br />
hardware adapters. The AIX Operating System is designed for C2 level security,<br />
and provides an excellent base for a separately available B level security<br />
offering (available from Bull). Secure Sockets Layer (SSL) support in AIX as a<br />
client and server provides security at a connection level. The first<br />
implementation of Secure Electronic Transactions (SET) is introduced in <strong>IBM</strong>′s<br />
Net.Commerce v2 products (6/97 GA). To complement services for RS/6000<br />
customers, the <strong>IBM</strong> SecureWay family of security offerings is a broad portfolio of<br />
security hardware, software, consulting and services to help users secure their<br />
information technology. The offerings apply to server-based and distributed<br />
systems and to the integration of security across enterprises that have extended<br />
their reach to the Internet.<br />
One of the strongest distinguishers for <strong>IBM</strong> and the RS/6000 is the service (IGS)<br />
and Datapro award-winning support capabilities that round out each of the<br />
solutions. An example of service and support integration was the significant<br />
undertaking of supporting the Atlanta Summer Olympics on RS/6000 servers. A<br />
single point of contact for support of network computing applications allows<br />
customers and business partners to exploit the highly acclaimed <strong>IBM</strong> support<br />
structure for non-<strong>IBM</strong> products.<br />
RS/6000 and AIX provide the level of robustness, scalability and availability that<br />
ISP solutions require, characteristics that Intel/NT workstations currently lack.<br />
The largest UNIX competitor for ISP solutions is Sun. Both Sun and <strong>IBM</strong> have<br />
their sights set on becoming the leader in network computing. By all accounts,<br />
Sun is a formidable competitor. Take a look at the SPECWeb and TPC-M results<br />
to get an indication of how the performance of the RS/6000 and Sun systems<br />
stack up. While these results are important, they are not the only factor in<br />
determining how production environments for commerce will perform.<br />
For example, Sun′s Ultra Enterprise series has expansion limitations. The Enterprise<br />
3000, 5000 and 6000 trade off CPU/RAM for I/O slots, and the Enterprise 4000 trades<br />
CPU/RAM for internal disk and/or I/O slots. But perhaps the RS/6000′s real<br />
advantage lies in AIX itself. The following table shows the advantages that AIX<br />
has over Solaris, advantages which are critical for reliable and<br />
easy-to-administer services solutions.<br />
Table 37. AIX vs. Sun: Features<br />
Feature | AIX | Solaris<br />
Logical Volume Manager | included | nonintegrated server offering<br />
Disk Mirroring | included | nonintegrated server offering<br />
Journal File System | included | nonintegrated server offering<br />
In fact, DH Brown consultants rated AIX superior to Solaris in overall commercial<br />
and technical function, as well as in high availability software capabilities<br />
(HACMP). For 1997, Sun has a catch-up plan for high availability to add the<br />
features that AIX has today.<br />
Table 38. AIX vs. Sun: Plans<br />
Sun′s 1997 Plan | AIX-HACMP Support<br />
Integration of HA failover and parallel (PDB) function | available today<br />
Disaster recovery | available today<br />
HA support of 4 node clusters (today only 2 nodes) | available today for up to 8 nodes<br />
Another source of information on <strong>IBM</strong> and Sun is the recent article by Enabling<br />
Technologies Group (ETG), industry consultants.<br />
B.8 <strong>IBM</strong> Messaging Solution for ISPs<br />
Today, with over 125 million users, electronic messaging is a vital element in our<br />
nation′s communications infrastructure. This document provides an overview of<br />
the <strong>IBM</strong> Messaging Solution for ISPs, which is designed to help Internet Service<br />
Providers (ISPs) thrive on the opportunities in this environment.<br />
The <strong>IBM</strong> Messaging Solution for ISPs is a scalable, highly-available Internet<br />
standards-based messaging system from <strong>IBM</strong> and Soft-Switch which is designed<br />
to meet the high volume and performance demands of Telcos, ISPs and VANs.<br />
The system supports the full suite of Internet messaging standards including:<br />
SMTP, ESMTP, MIME, SNMP, LDAP, POP3 and IMAP4. The <strong>IBM</strong> Messaging<br />
Solution for ISPs provides near-linear scalability by supporting hundreds of<br />
thousands of mailboxes per server, and enabling the clustering of multiple<br />
mailbox and protocol servers. The system combines <strong>IBM</strong>′s unparalleled systems<br />
and service with Soft-Switch′s corporate and VAN messaging experience to<br />
deliver a solution which enables ISPs to offer value-added messaging services.<br />
B.8.1 Solution Overview<br />
Today′s Internet Service Provider exists in a high-volume, low-margin business<br />
environment. Because of the extremely competitive nature of the ISP business,<br />
some analysts predict there will be 50% fewer ISPs by the year 2000. Only the<br />
ISPs who can profitably offer popular services on controllable margins will<br />
succeed. A messaging system that isn′t reliable could quickly convert profits to<br />
customer service costs. The key to success in this environment is to reduce<br />
customer support requirements with an infrastructure that is highly available,<br />
incredibly reliable, and backed by the best service organization in the world.<br />
<strong>IBM</strong> understands the requirements for a messaging infrastructure that is highly<br />
scalable, reliable and easily managed. To meet this need, <strong>IBM</strong>′s Network<br />
Computing, Telecom and Media Industry Solutions Unit has coordinated<br />
resources from Soft-Switch, the RS/6000 division, the <strong>IBM</strong> Internet division and<br />
other internal <strong>IBM</strong> communities to package and deploy the best products and<br />
services to meet the needs of Internet Service Providers. This solution, which is<br />
called the <strong>IBM</strong> Messaging Solution for ISPs, includes software and hardware that<br />
will enable ISPs to offer comprehensive consumer and business<br />
Internet-standard messaging services to their customers.<br />
The development of this system was undertaken only after an extensive review<br />
of existing products revealed their inability to handle the projected volume for a<br />
successful commercial ISP. This research also set clear design goals: to take<br />
advantage of the most efficient hardware and operating system, and to<br />
design the system to be modular and scalable. This mandate has yielded a<br />
system that is flexible, scalable, and extensible, and has been proven in a live<br />
production environment.<br />
<strong>IBM</strong> and Soft-Switch have been involved in the design and implementation of all<br />
facets of e-mail, including pioneering work in messaging, directory services and<br />
multiprotocol switching systems. <strong>IBM</strong> and Soft-Switch are offering “Best of<br />
Breed” ISP-oriented products which take advantage of the native strengths of<br />
both parties: <strong>IBM</strong>′s expertise in highly available, fault-tolerant hardware<br />
systems, and Soft-Switch′s years of meeting the messaging needs of the largest<br />
networks in the world.<br />
The <strong>IBM</strong> Messaging Solution for ISPs is not a single monolithic server, but rather<br />
a modular system based on a number of application servers that can be<br />
deployed on a single CPU, or across a number of hardware servers. The<br />
solution overview describes each of the components from the software and<br />
hardware point of view.<br />
B.8.2 Software<br />
The <strong>IBM</strong> Messaging Solution for ISPs is made up of software application servers<br />
and other components. Incoming messages enter from the Internet and are<br />
routed to the most available SMTP switch, which parses the message and<br />
validates the receiver and originator through the directory. The message is then<br />
either sent to the Message Store or forwarded (if the user is remote).<br />
Subscriber access to stored messages comes from the Internet to the router,<br />
which connects the request to the nearest, least busy POP3/IMAP4 server to<br />
handle the request. The subscriber is authenticated and the message store<br />
location is determined, and the message is accessed.<br />
B.8.2.1 Network Dispatcher (IP Routing)<br />
The SMTP data stream coming in from the Internet is routed by <strong>IBM</strong>′s Network<br />
Dispatcher to the most available SMTP server in the protocol server cluster. The<br />
Network Dispatcher continuously monitors server workload and balances traffic<br />
across teams of servers. By always routing the SMTP data to an available<br />
server, the Network Dispatcher provides a highly available presence for a given<br />
Web site.<br />
The Network Dispatcher provides a single, well-known, virtual IP address for a<br />
cluster of IP servers. This means that a high-volume site can be horizontally<br />
scaled across a number of servers (each with a unique IP network address), and<br />
can receive mail even if some of the servers are busy or offline. These servers<br />
can be serviced by any number of machines.<br />
The Network Dispatcher is proven technology and has been used to host<br />
high-volume Web sites such as for the Deep Blue chess match, the Master′s Golf<br />
Tournament, and the 1996 Summer Olympics.<br />
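The virtual-IP arrangement described above, as an added illustration (this is not IBM′s Network Dispatcher code): one well-known address fronts a cluster of servers with their own unique addresses, each new connection goes to the least busy server that passed its last health probe, and a server that fails a probe simply stops receiving new connections. The selection rule, the 192.0.2.x addresses and the session counts are assumptions made for the example.

```python
"""Virtual-IP load balancing in the style the text describes for Network
Dispatcher.  Added illustration, not IBM's code: the selection rule (healthy
server with the fewest active sessions) and the cluster addresses are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BackendServer:
    """One real server behind the cluster's virtual IP."""
    address: str                 # the server's own unique IP address
    active_sessions: int = 0     # current load as seen by the dispatcher
    healthy: bool = True         # result of the most recent health probe


@dataclass
class Dispatcher:
    """Owns a single well-known virtual IP and forwards each new connection
    to one server of the cluster, so clients never learn the real addresses."""
    virtual_ip: str
    servers: List[BackendServer] = field(default_factory=list)

    def _find(self, address: str) -> Optional[BackendServer]:
        return next((s for s in self.servers if s.address == address), None)

    def choose(self) -> Optional[BackendServer]:
        """Least-busy healthy server, or None when the whole cluster is down."""
        candidates = [s for s in self.servers if s.healthy]
        if not candidates:
            return None
        return min(candidates, key=lambda s: s.active_sessions)

    def route(self) -> Optional[str]:
        """Accept a connection on the virtual IP and return the real server
        it was forwarded to (None means the service is unavailable)."""
        server = self.choose()
        if server is None:
            return None
        server.active_sessions += 1
        return server.address

    def release(self, address: str) -> None:
        """A session on `address` ended; lower its load so it is chosen again."""
        server = self._find(address)
        if server is not None and server.active_sessions > 0:
            server.active_sessions -= 1

    def set_health(self, address: str, healthy: bool) -> None:
        """Health probe result: an unhealthy server receives no new sessions,
        existing ones are left alone."""
        server = self._find(address)
        if server is not None:
            server.healthy = healthy


def demo() -> tuple:
    """Constructed scenario: three servers, one goes offline, then all do."""
    cluster = Dispatcher("192.0.2.10", [
        BackendServer("192.0.2.11", active_sessions=3),
        BackendServer("192.0.2.12", active_sessions=1),
        BackendServer("192.0.2.13", active_sessions=5),
    ])
    first = cluster.route()                      # least busy: 192.0.2.12
    cluster.set_health("192.0.2.12", False)      # probe fails: take it out
    second = cluster.route()                     # next least busy: 192.0.2.11
    for s in cluster.servers:
        cluster.set_health(s.address, False)
    third = cluster.route()                      # nothing healthy: None
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The `None` result from `route()` is the case the dispatcher itself cannot hide: with every server offline the virtual IP still answers, so monitoring has to watch the cluster health, not just reachability of the virtual address.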
B.8.2.2 SMTP Server<br />
After receiving the SMTP data stream from the Network Dispatcher, the SMTP<br />
server parses the message, validates the recipient through the directory,<br />
performs a number of operations on the message, and then either sends it to the<br />
mailbox for storage or forwards it to another recipient.<br />
In addition to the Internet-standard Simple Mail Transfer Protocol (SMTP) commands, the SMTP<br />
server supports several ESMTP extensions, including:<br />
• Delivery Status Notification Support - Returns a positive or negative indicator<br />
of delivery to the message originator as described in RFC 1891-1894.<br />
• 8-Bit MIME Transport - Enables more efficient transport of large binary<br />
objects.<br />
• Message Sizing - Proactively alerts clients of message size acceptance<br />
criteria. Prevents a dial-in user from transmitting a huge message only to<br />
find it was rejected after 20 minutes of transmission time.<br />
SMTP servers can be deployed in clusters for redundancy and load balancing.<br />
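The three extensions listed above, shown from the server side as an added example (not the product′s SMTP server): the EHLO reply advertises SIZE with the limit, 8BITMIME and DSN; a MAIL FROM that declares a size over the limit is refused with a 552 before any message body is sent, which is exactly the dial-in case the text mentions; and a NOTIFY parameter on RCPT TO is recorded for delivery status notification. The host name, the 10 MB limit and the dialog in demo() are constructed for the example.

```python
"""Server side of the ESMTP extensions the text lists: SIZE, 8BITMIME and DSN.
Added example, not the product's code; the host name, the 10 MB limit and the
dialog below are constructed."""
import re
from typing import Dict, List, Tuple

MAX_MESSAGE_BYTES = 10 * 1024 * 1024   # assumed site limit advertised via SIZE


class EsmtpSession:
    """Minimal state machine for one inbound SMTP connection.  Each handle()
    call takes one client line and returns the final server reply line; the
    transcript records both sides of the exchange."""

    def __init__(self, hostname: str = "mail.example.net",
                 max_size: int = MAX_MESSAGE_BYTES) -> None:
        self.hostname = hostname
        self.max_size = max_size
        self.transcript: List[Tuple[str, str]] = []
        self._reset()

    def _reset(self) -> None:
        self.sender = None
        self.recipients: List[str] = []
        self.notify: Dict[str, List[str]] = {}   # DSN NOTIFY per recipient

    def _reply(self, line: str) -> str:
        self.transcript.append(("S", line))
        return line

    def greet(self) -> str:
        return self._reply(f"220 {self.hostname} ESMTP service ready")

    @staticmethod
    def _params(text: str) -> Dict[str, str]:
        """Parse 'KEY=value' ESMTP parameters; keys are case-insensitive."""
        return {k.upper(): v for k, sep, v in
                (p.partition("=") for p in text.split()) if sep}

    def handle(self, line: str) -> str:
        self.transcript.append(("C", line))
        verb, _, args = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            # Advertise the extensions so a client knows the size limit up front.
            for ext in (f"250-{self.hostname}", f"250-SIZE {self.max_size}",
                        "250-8BITMIME"):
                self._reply(ext)
            return self._reply("250 DSN")
        if verb == "MAIL":
            m = re.match(r"FROM:<([^>]*)>(.*)", args, re.IGNORECASE)
            if not m:
                return self._reply("501 Syntax: MAIL FROM:<address> [parameters]")
            params = self._params(m.group(2))
            declared = params.get("SIZE")
            if declared is not None:
                if not declared.isdigit():
                    return self._reply("501 SIZE parameter must be a decimal number")
                if int(declared) > self.max_size:
                    # Reject now, before the client spends time sending the body.
                    return self._reply(f"552 Message size {declared} exceeds "
                                       f"limit of {self.max_size}")
            self._reset()
            self.sender = m.group(1)
            return self._reply("250 OK")
        if verb == "RCPT":
            if self.sender is None:
                return self._reply("503 Need MAIL command first")
            m = re.match(r"TO:<([^>]+)>(.*)", args, re.IGNORECASE)
            if not m:
                return self._reply("501 Syntax: RCPT TO:<address> [parameters]")
            params = self._params(m.group(2))
            self.recipients.append(m.group(1))
            if "NOTIFY" in params:      # delivery status notification request
                self.notify[m.group(1)] = params["NOTIFY"].upper().split(",")
            return self._reply("250 OK")
        if verb == "DATA":
            if not self.recipients:
                return self._reply("503 Need RCPT command first")
            return self._reply("354 End data with <CR><LF>.<CR><LF>")
        if verb == "RSET":
            self._reset()
            return self._reply("250 OK")
        if verb == "QUIT":
            return self._reply(f"221 {self.hostname} closing connection")
        return self._reply("500 Command not recognized")


def demo() -> List[str]:
    """Constructed dialog: an oversized declaration is refused at MAIL FROM,
    then a small 8-bit message with a DSN request is accepted."""
    session = EsmtpSession()
    session.greet()
    return [session.handle(line) for line in (
        "EHLO client.example.org",
        "MAIL FROM:<alice@example.org> SIZE=20971520",
        "MAIL FROM:<alice@example.org> SIZE=4096 BODY=8BITMIME",
        "RCPT TO:<bob@example.net> NOTIFY=SUCCESS,FAILURE",
        "DATA",
    )]
```

The declared SIZE is a client claim, so a real server still has to enforce the same limit while reading the body after 354; the early 552 only saves the bandwidth in the honest case.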
B.8.2.3 POP3/IMAP4 Protocol Server<br />
When a user connects to the system from the Internet to retrieve their mail, the<br />
Network Dispatcher routes their request to the most-available POP3 or IMAP4<br />
protocol server. The protocol server then retrieves the message from the<br />
mailbox (sometimes called a message store) and returns it to the client (in the<br />
case of POP3), or allows the client to access the appropriate folders in the<br />
mailbox (in the case of IMAP4). The protocol servers can be deployed on one or<br />
many machines, and can easily be scaled to handle thousands of simultaneous<br />
connections.<br />
Post Office Protocol 3 (POP3) stores mail messages on a server and downloads<br />
pending mail to the client when it logs in. Internet Message Access Protocol (IMAP4)<br />
allows messages to be acted upon by the client while they are still resident<br />
on the server, allowing for more selective downloading. For more information on<br />
mail protocols, please refer to the Internet Mail Consortium Web site at<br />
www.imc.org.<br />
The protocol server supports the complete set of POP3 commands, including<br />
APOP, the POP3 secure authentication command. APOP uses a<br />
challenge-response authentication model so that the password cannot be<br />
recovered from the client/server data stream.<br />
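The APOP exchange itself, as an added example written from RFC 1939 rather than taken from the protocol server: the server greeting carries a per-connection timestamp in angle brackets, the client answers with the MD5 of that timestamp followed by the shared secret, and the server recomputes the digest from its own copy of the secret. The banner, user name and secret in demo() are the values RFC 1939 uses in its own APOP example; the server class and its replies are constructed. Two properties matter to an operator: the server must keep each secret in retrievable form (it cannot store only a one-way hash), and anyone who records the banner and the digest can test candidate passwords offline, so the mechanism is only as strong as the passwords behind it.

```python
"""APOP challenge-response as specified in RFC 1939, written as an added
example (not the protocol server's code).  The server banner, user name and
shared secret in demo() are the ones RFC 1939 uses in its own example."""
import hashlib
import hmac
from typing import Dict


def apop_banner(hostname: str, pid: int, clock: int) -> str:
    """Server greeting.  The <pid.clock@host> timestamp is the challenge; it
    must differ for every connection so a captured digest cannot be replayed."""
    return f"+OK POP3 server ready <{pid}.{clock}@{hostname}>"


def extract_challenge(banner: str) -> str:
    """The challenge is the angle-bracketed part of the banner, brackets included."""
    start = banner.index("<")
    end = banner.index(">", start)
    return banner[start:end + 1]


def apop_digest(challenge: str, secret: str) -> str:
    """MD5 over challenge + secret, sent as 32 lowercase hex digits."""
    return hashlib.md5((challenge + secret).encode("ascii")).hexdigest()


def client_apop(banner: str, user: str, secret: str) -> str:
    """What the client sends instead of USER/PASS; the secret itself stays local."""
    return f"APOP {user} {apop_digest(extract_challenge(banner), secret)}"


class ApopServer:
    """Server side.  APOP requires the server to hold each user's shared
    secret in retrievable form, because it must recompute the same digest."""

    def __init__(self, hostname: str, secrets: Dict[str, str]) -> None:
        self.hostname = hostname
        self.secrets = secrets
        self.banner = ""

    def greet(self, pid: int, clock: int) -> str:
        self.banner = apop_banner(self.hostname, pid, clock)
        return self.banner

    def authenticate(self, command: str) -> str:
        parts = command.split()
        if len(parts) != 3 or parts[0].upper() != "APOP":
            return "-ERR syntax: APOP name digest"
        user, digest = parts[1], parts[2].lower()
        # Compute a digest even for unknown users so timing does not reveal
        # which names exist; compare_digest avoids leaking via early exit.
        expected = apop_digest(extract_challenge(self.banner),
                               self.secrets.get(user, ""))
        if user in self.secrets and hmac.compare_digest(expected, digest):
            return f"+OK {user} authenticated"
        return "-ERR permission denied"


def demo() -> dict:
    """Constructed session using RFC 1939's example values."""
    server = ApopServer("dbc.mtview.ca.us", {"mrose": "tanstaaf"})
    banner = server.greet(1896, 697170952)
    good = client_apop(banner, "mrose", "tanstaaf")
    ok = server.authenticate(good)
    bad = server.authenticate(client_apop(banner, "mrose", "wrong"))
    # A later connection gets a new timestamp, so the captured line fails.
    server.greet(1897, 697170999)
    replay = server.authenticate(good)
    return {"command": good, "ok": ok, "bad": bad, "replay": replay}


if __name__ == "__main__":
    print(demo())
```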
B.8.2.4 Message Store (Mailbox) Server<br />
The mailbox database is where the SMTP server stores messages, and from<br />
where the POP3 and IMAP4 servers retrieve mail. (The mailbox database is<br />
sometimes referred to as the message store.) The message store is based on<br />
the Oracle RDBMS (Version 7.3.2.3) and has been tested with Oracle′s Parallel<br />
Server and HACMP. The mail protocol servers communicate with the message<br />
store server through standard SQL*Net.<br />
The structure of the message store enables mailbox storage to be divided into<br />
unique realms. A realm is a message store partition that contains a definable<br />
number of mailboxes that share a common set of attributes. A realm provides a<br />
convenient way to partition users for the purposes of administration and Internet<br />
addressing. Realms make it easy to set up virtual intranets for multiple<br />
customers within a single server environment. This realm functionality is the<br />
key element that uniquely qualifies the <strong>IBM</strong> Messaging Solution for ISPs to meet<br />
the needs of ISPs who are trying to outsource messaging from small- to<br />
medium-sized companies. Each realm has:<br />
• Web Browser Administration - After the initial setup, the administration of the<br />
realm can be given to the customer. Realm administrators can use an HTML<br />
browser to add, delete or modify user names and passwords and to set<br />
mailbox quotas through a Web page interface, allowing end users to<br />
maintain administrative control.<br />
• Realm & Mailbox Quotas - Each realm can be assigned quotas for numbers<br />
of mailboxes and overall disk space. Each mailbox within a realm can also<br />
be assigned a disk space and message quota. If a definable threshold is<br />
reached for any of these quotas (some percentage of the quota), a<br />
customizable message will automatically be sent to the appropriate realm<br />
administrator or mailbox owner, warning them to read/delete their mail.<br />
• Unique User IDs - User names are guaranteed to be unique within each<br />
realm. For example, there can be more than one Joe Smith at multiple<br />
companies using an ISP′s service, as long as they are in separate realms.<br />
• Internet vanity domains - The <strong>IBM</strong> Messaging Solution for ISPs allows the<br />
assignment of vanity domains to end-user realms. This allows the ISP to set up<br />
client domains with names like MalvernHardware.com, instead of<br />
MalvernHardware.bigISP.net. Domain names still need to be registered<br />
through the IANA.<br />
• Customizable realm messages - The realm administrator can customize all of<br />
the messages associated with a realm, such as the welcome message and<br />
quota warning.<br />
• Mass mailings - Messages can be sent to large groups of subscribers or<br />
entire communities of users, and only one copy of a message is stored,<br />
regardless of the number of recipients.<br />
The message store is designed to use machine resources efficiently.<br />
Benchmark tests and production experience indicate a single message store<br />
server can easily support more than 1 million subscribers and 3000 simultaneous<br />
POP3 sessions.<br />
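A working model of the realm behaviour listed above, added here as an example and not taken from the product: mailboxes are partitioned into realms that are addressed by a vanity domain, a user name only has to be unique within its realm, each realm and each mailbox carries quotas with a warning threshold, and a message sent to many mailboxes is stored once and referenced from each. The realms, quotas, the 80% threshold and the addresses in demo() are constructed; a production store would persist the bodies and references in the database rather than in memory.

```python
"""Realm-partitioned message store: per-realm and per-mailbox quotas with a
threshold warning, names unique only within a realm, vanity-domain addressing,
and one stored copy per message however many mailboxes reference it.  Added
example, not the product's code; the realms, quotas and 80% threshold in
demo() are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Mailbox:
    user: str
    disk_quota: int                  # bytes this mailbox may hold
    message_quota: int               # messages this mailbox may hold
    message_ids: List[str] = field(default_factory=list)


@dataclass
class Realm:
    name: str
    domain: str                      # vanity domain used in addresses
    max_mailboxes: int               # realm quota: number of mailboxes
    disk_quota: int                  # realm quota: bytes across all mailboxes
    warn_at: float = 0.8             # warn when usage reaches 80% of a quota
    mailboxes: Dict[str, Mailbox] = field(default_factory=dict)


class MessageStore:
    def __init__(self) -> None:
        self.realms: Dict[str, Realm] = {}
        self.by_domain: Dict[str, Realm] = {}
        self.bodies: Dict[str, str] = {}        # message id -> single stored copy

    def add_realm(self, realm: Realm) -> None:
        self.realms[realm.name] = realm
        self.by_domain[realm.domain.lower()] = realm

    def add_mailbox(self, realm_name: str, user: str,
                    disk_quota: int, message_quota: int) -> Mailbox:
        realm = self.realms[realm_name]
        key = user.lower()
        if key in realm.mailboxes:       # unique within the realm only
            raise ValueError(f"{user} already exists in realm {realm_name}")
        if len(realm.mailboxes) >= realm.max_mailboxes:
            raise ValueError(f"realm {realm_name} is at its mailbox quota")
        realm.mailboxes[key] = Mailbox(user, disk_quota, message_quota)
        return realm.mailboxes[key]

    def resolve(self, address: str) -> Optional[Tuple[Realm, Mailbox]]:
        """Map user@vanity-domain to its realm and mailbox."""
        user, _, domain = address.rpartition("@")
        realm = self.by_domain.get(domain.lower())
        if realm is None:
            return None
        box = realm.mailboxes.get(user.lower())
        return None if box is None else (realm, box)

    def bytes_used(self, box: Mailbox) -> int:
        return sum(len(self.bodies[m]) for m in box.message_ids)

    def realm_bytes_used(self, realm: Realm) -> int:
        return sum(self.bytes_used(b) for b in realm.mailboxes.values())

    def deliver(self, msg_id: str, body: str,
                recipients: List[str]) -> Tuple[List[str], List[str], List[str]]:
        """Store the body once, link it into every resolvable mailbox, and
        report quota warnings.  Returns (delivered, rejected, warnings)."""
        self.bodies[msg_id] = body
        delivered, rejected, warnings = [], [], []
        for addr in recipients:
            hit = self.resolve(addr)
            if hit is None:
                rejected.append(addr)
                continue
            realm, box = hit
            box.message_ids.append(msg_id)
            delivered.append(addr)
            if (len(box.message_ids) >= realm.warn_at * box.message_quota
                    or self.bytes_used(box) >= realm.warn_at * box.disk_quota):
                warnings.append(f"mailbox {box.user}@{realm.domain} near quota")
            if self.realm_bytes_used(realm) >= realm.warn_at * realm.disk_quota:
                warnings.append(f"realm {realm.name} near disk quota")
        if not delivered:                # nobody references it: do not keep it
            del self.bodies[msg_id]
        return delivered, rejected, warnings


def demo() -> dict:
    """Constructed scenario: two realms, the same user name in each, one
    duplicate attempt, one mass mailing that trips a mailbox threshold."""
    store = MessageStore()
    store.add_realm(Realm("malvern", "malvernhardware.example", 2, 10_000))
    store.add_realm(Realm("acme", "acme.example", 2, 10_000))
    store.add_mailbox("malvern", "jsmith", 1_000, 10)
    store.add_mailbox("acme", "jsmith", 1_000, 10)     # same name, other realm
    try:
        store.add_mailbox("malvern", "JSmith", 1_000, 10)   # duplicate in realm
        duplicate_allowed = True
    except ValueError:
        duplicate_allowed = False
    delivered, rejected, warnings = store.deliver(
        "msg-1", "x" * 900,                              # 900 bytes: over 80% of 1000
        ["jsmith@malvernhardware.example", "jsmith@acme.example",
         "nobody@acme.example"])
    return {"duplicate_allowed": duplicate_allowed,
            "stored_copies": len(store.bodies), "delivered": delivered,
            "rejected": rejected, "warnings": warnings}
```

Because the body is stored once, deleting it from one mailbox must only drop that mailbox′s reference; the copy itself can go only when no mailbox references it any more, which is also why per-mailbox usage is computed from the references rather than from a private copy.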
The mailboxes themselves also have special attributes. For example, mailboxes<br />
can have unlimited aliases of up to 100 characters each. The system can also<br />
track the age of mail in mailboxes and automatically delete messages that<br />
exceed a defined holding period.<br />
In addition to the features designed for the corporate market, the <strong>IBM</strong> Messaging<br />
Solution for ISPs also supports consumer-oriented functionality. For example,<br />
the server supports household accounts for families. From the ISP point of view,<br />
household accounts are a way to bundle together multiple mailboxes for a single<br />
point of billing and administration.<br />
B.8.2.5 Operations Management<br />
The <strong>IBM</strong> Messaging Solution for ISPs has extensive system monitoring and<br />
management capabilities that can be accessed through management programs<br />
which utilize the Internet-standard Simple Network Management Protocol<br />
(SNMP).<br />
One of the key design considerations for the <strong>IBM</strong> Messaging Solution for ISPs<br />
was to have the system integrate smoothly with an ISP′s existing operational<br />
infrastructure. This design requirement was implemented using SNMP and Mail<br />
and Directory Management (MADMAN) Management Information Base (MIB).<br />
This implementation covers operational statistics and system status related to<br />
the application and the message transfer agent (RFC 1565 and 1566).<br />
Since the <strong>IBM</strong> Messaging Solution for ISPs is instrumented with SNMP, existing<br />
network management applications can be used to monitor exception notifications<br />
(SNMP traps) generated by the server. The system includes the following<br />
SNMP-based instrumentation, which collects data useful for capacity planning,<br />
measuring service-level compliance, and monitoring message processing:<br />
• Total number of simultaneous sessions<br />
• Average response time per session<br />
• Queue size<br />
• Total number of messages received and sent per operating period<br />
• Total number of bytes received and sent per operating period<br />
This management methodology significantly reduces the effort required to<br />
monitor the system, as opposed to some competitive systems, whose proprietary<br />
management schemes require the installation of additional monitors in the<br />
operations center. This level of integrated management also makes it easier to<br />
handle larger amounts of data with existing staff levels, further mitigating<br />
operational costs. Most of the configuration and management functions of the<br />
system can also be accessed via browser-based interfaces.<br />
Message tracking is one of the most labor-intensive tasks for any e-mail<br />
administrator. The <strong>IBM</strong> Messaging Solution for ISPs includes message tracking<br />
capabilities that help administrators identify whether or not a message has been<br />
delivered, whether it is sitting in a queue, and how long it took to process<br />
through the SMTP server. The message tracking system has been specifically<br />
designed to allow unsophisticated users (such as help desk personnel) to track<br />
mail status.<br />
The <strong>IBM</strong> Messaging Solution for ISPs is already integrated with the <strong>IBM</strong><br />
Solutions for ISPs Subscriber Management system, and <strong>IBM</strong> services personnel<br />
can help you integrate it with existing accounting, billing and subscriber<br />
management systems.<br />
B.8.2.6 LDAP-Compliant Directory, X.500 Directory Support<br />
The <strong>IBM</strong> Messaging Solution for ISPs comes with an integrated user directory<br />
which can be accessed using the Lightweight Directory Access Protocol (LDAP).<br />
This enables directory queries from standard desktop clients such as Netscape<br />
Navigator, as well as remote user administration. The directory can be<br />
administered through an API, forms, and/or directory-enabled applications.<br />
For ISPs that have already invested in implementing an X.500 directory, or are<br />
interested in doing so, the user directory can be replicated to an X.500 directory.<br />
If the customer does not already have an X.500 directory, they can purchase one<br />
from Soft-Switch which supports DAP, DSP, DISP, authentication, and access<br />
control lists.<br />
B.8.2.7 Software Scalability<br />
The software components contained within the <strong>IBM</strong> Messaging Solution for ISPs<br />
facilitate both horizontal and vertical scalability for the entire solution. The<br />
product has been specifically designed to take advantage of RAM, processors<br />
(including SMP), and hard disk arrays to offer near-linear vertical scalability. For<br />
horizontal scalability, the protocol servers, message stores and directories can<br />
all be arrayed across multiple machines yet still function as a single, coherent<br />
unit. As an ISP′s customer community grows, additional protocol servers and<br />
message store servers can be added as needed, while the service maintains a<br />
constantly available presence on the Internet. By integrating key IP and<br />
application routing technology, such as <strong>IBM</strong>′s Network Dispatcher, multiple<br />
servers for both scalability and redundancy can be effectively deployed, offering<br />
scalability far beyond any other product offered in today′s market.<br />
B.8.3 Hardware<br />
The <strong>IBM</strong> Messaging Solution for ISPs runs on the RS/6000 platform. The <strong>IBM</strong><br />
AIX OS (Version 4.1.4) is also required. The following table details the hardware<br />
in a production network that supports 200,000 mailboxes and 750 concurrent<br />
SQL*Net connections to the message store′s Oracle Server.<br />
Table 39. Low-Scale Production Network Hardware<br />
Server | Machine | Network | RAM | Disk<br />
Oracle Server | 2-Way R40 | 10 Mb Ethernet | 512 MB | 75GB DASD<br />
Protocol Servers (Inbound) | 3 Peripheral single F30s | 10/100 Mb Ethernet | 256 MB | 8GB<br />
SMTP Server (Outbound) | Peripheral single F30 | 10/100 Mb Ethernet | 256 MB | 8GB<br />
HTTP and STAMP Server | Peripheral single F30 | 10/100 Mb Ethernet | 256 MB | 8GB<br />
Mail Platform | Lotus Mail Client, Eudora Pro, Microsoft Exchange and Internet Explorer, Netscape Navigator and Communicator, and any other Internet standards-compliant mail system<br />
The following table details the estimated hardware to support 1,000,000<br />
mailboxes and 2,000 concurrent SQL*Net connections to the Oracle Server.<br />
Table 40. High-Scale Production Network Hardware<br />
Server | Machine | Network | RAM | Disk<br />
Oracle Server | 4-Way 200 MHz PPC 604e R50 | 10 Mb Ethernet | 2GB | Six 300 MB 7137s in RAID 5 DASD<br />
Protocol Servers (Inbound) | 3 Peripheral 2-way 200 MHz 604e J50s | 10/100 Mb Ethernet | 256 MB | 16 GB<br />
SMTP Server (Outbound) | Peripheral single F30 | 10/100 Mb Ethernet | 256 MB | 16 GB<br />
HTTP and STAMP Server | Peripheral single F30 | 10/100 Mb Ethernet | 256 MB | 8GB<br />
This estimate is based on preliminary sizing which will be verified in benchmark<br />
tests. The actual systems will vary in deployment depending on a customer′s<br />
risk tolerance and desired level of performance. In most production<br />
environments, Soft-Switch will strongly recommend clustering all of the servers<br />
with at least three machines where the server utilization will be below 33%.<br />
This strategy will mitigate risk by enabling automatic failovers and enabling<br />
regular maintenance schedules without causing service outages.<br />
B.8.3.1 Hardware Scalability<br />
The <strong>IBM</strong> Messaging Solution for ISPs, as an application on the RS/6000 platform,<br />
can be used to fully exploit the power of the RS/6000 product line, including<br />
single processor and multiprocessor systems, as well as the SP complex, which<br />
enables clustering of RS/6000 for manageable hardware scalability for very large<br />
deployments. This, in conjunction with the implementation of <strong>IBM</strong>′s High<br />
Availability Clustering Management Protocol, enables unmatched scalability and<br />
reliability to meet the demands of today′s ISP customers. Also, with HA-GO,<br />
service providers can build and deploy a thoroughly comprehensive remote site<br />
disaster recovery architecture, should their business plan demand such a<br />
capability.<br />
B.8.3.2 High Availability<br />
The Oracle database (which is the only single point of failure in the system) can<br />
be deployed in a highly available manner, including the integration between<br />
HACMP and Oracle′s parallel server code. The architecture of the system<br />
enables multiple levels of the POP3 and SMTP software to be run in parallel<br />
against the database. This allows new levels of software to be tested in parallel<br />
with production level components for staging of an upgrade migration.<br />
B.8.4 Services<br />
<strong>IBM</strong> and Soft-Switch offer a comprehensive program of services and training<br />
including system installation and configuration, maintenance services, growth<br />
consulting and disaster recovery.<br />
Soft-Switch installation specialists will provide whatever consultancy,<br />
troubleshooting and hands-on support is required to install the <strong>IBM</strong> Messaging<br />
Solution for ISPs. The installation process consists of:<br />
• Initial installation<br />
• Configuration<br />
• Adjustment to meet agreed-upon customer requirements<br />
• Running load simulation tools for capacity planning<br />
• Functional testing<br />
• Production implementation<br />
Soft-Switch can supply tools and consulting for smooth migration from an ISP′s<br />
or end user′s existing system, including the conversion of user lists and<br />
multiprotocol message switching between legacy systems and the <strong>IBM</strong><br />
Messaging Solution for ISPs.<br />
B.8.5 Summary and Conclusion<br />
<strong>IBM</strong>′s Messaging Solution for ISPs is a solution that meets the stringent<br />
requirements of today′s Telcos, VANs and ISPs for a messaging solution that is<br />
flexible, scalable, and extensible. It is based on technology that has been<br />
proven in a large service provider environment and takes advantage of the<br />
scalable, highly available RS/6000 product line. Packaged with comprehensive<br />
services that only <strong>IBM</strong> can provide, this complete solution is unmatched in<br />
today′s dynamic market.<br />
The <strong>IBM</strong> Messaging Solution for ISPs is only one component of <strong>IBM</strong>′s broad set<br />
of ISP solutions described throughout this document. As with the other<br />
components, the breadth and depth of the features and functions represents the<br />
leveraged intellectual capital and applied technologies of many organizations<br />
across <strong>IBM</strong>, all brought to bear as a solution for today′s service providers—a<br />
solution for success.<br />
B.9 Lotus GO Server<br />
The Lotus Go Webserver is a complete Web server product with advanced<br />
security and development features. With the Lotus Go Webserver, ISPs have<br />
everything they need to quickly and easily establish a Web presence, and get<br />
started on the road to working the Web for business. With Java on the server<br />
side an ISP can build powerful and portable Web applications. The Web server<br />
provides a JDK V1.1 Java development environment based upon Sun<br />
Microsystems, Inc. standards for Java Servlets (server-side applications), Java<br />
Beans, and JDBC for database access.<br />
Features Overview<br />
• Acts as a repository for home pages created with HTML.<br />
• Answers requests from a Web browser (client) using HTTP to transfer<br />
documents.<br />
• Provides proxy server support, allowing a Web browser to access remote<br />
servers not directly accessible to it.<br />
• Supports proxy caching by temporarily storing files and then quickly<br />
responding to the next request for the files delivering fast HTML page<br />
performance to browser users.<br />
• Provides language neutral server application support which is consistent<br />
across the full spectrum of supported platforms, for both Common Gateway<br />
Interface (CGI) applications and server extension applications.<br />
• Allows users to write Web server extensions that customize the processing<br />
of client requests, to include Java servlet support. Lets an ISP easily port<br />
their existing NSAPI (Netscape API) programs to run on the Web server<br />
without any loss of function.<br />
• Allows server applications to dynamically insert information into an HTML<br />
document that the server sends to a client.<br />
• Efficiently maintains multiple Web sites on a single server with multiple IP<br />
address support.<br />
• Delivers enhanced logging and reporting, plus error message customization.<br />
• Includes a utility to generate X.509 Security Certificates for use within an<br />
enterprise or between business partners.<br />
Serving static content from a file system, the Lotus Go Webserver can deliver<br />
about 150 pages per second with 3000 active users on a 39H class node, about<br />
160 pages per second on a 4-way H10 and about 900 per second on a 4-way F50.<br />
If the server delivers the content over port 443 (that is, with SSL encryption),<br />
halve these figures. The biggest hit to performance, however, is the execution<br />
of applications in the server that pull data from a back-end database, render it<br />
as HTML and send it to the clients. Under such dynamic content scenarios a<br />
39H class node can do about five pages per second, an H10 six, and a 4-way<br />
F50 30.<br />
The most important question when sizing the server piece of the solution is<br />
therefore what type of work the server will be doing: static files, SSL, or<br />
dynamic content generated from a database.<br />
B.9.1 HACMP and Network Dispatcher<br />
If the Web server piece of the solution is of critical importance, then HACMP<br />
needs to be deployed and a backup server assigned to the configuration.<br />
Further, if the backup is going to be there anyway, it makes sense to have it<br />
earn its keep by handling requests distributed to it by a front-end Network<br />
Dispatcher (ND) collocated with the primary Web server.<br />
B.9.2 Scalability and Network Dispatcher<br />
Network Dispatcher only makes sense where more than one hardware box is<br />
applied to the same service. This may happen for every service envisioned,<br />
since a backup server may have to be called into action in the case of a<br />
primary server outage. It may also be necessary to have several similarly<br />
configured boxes to meet the performance requirements of the solution. In<br />
that case Network Dispatcher is also ideally suited to provide the scalability,<br />
and it should be configured into the solution wherever the performance<br />
requirements dictate aggregating the capacity of each separate AIX box in the<br />
solution.<br />
In the case of the SMP boxes, scalability can also be achieved by increasing the<br />
number of processor cards. The cost of additional processor cards is very low,<br />
so it probably makes more sense to order a server in its maximum processor<br />
configuration (for example, the price for a 1-way F50 is 29K and only 50K for a<br />
4-way F50). But if this price differential is significant from the customer′s<br />
perspective, configure fewer processors and add processor cards as the actual<br />
workload shows they are necessary.<br />
Appendix B. <strong>IBM</strong> Solutions for ISPs 331
B.9.3 Installation<br />
The Web server with Network Dispatcher and HACMP can be installed in the<br />
plant prior to shipping to the customer location. To configure this software to<br />
meet the customer′s needs, the network interfaces and addresses must be<br />
communicated in detail beforehand, and an expert in the plant will have to be<br />
assigned to carry out the configuration.<br />
B.9.4 Hardware and Software Requirements<br />
The hardware and software requirements are a RISC System/6000 or <strong>IBM</strong> Power<br />
Series Family system with AIX:<br />
• AIX Version 4.1.3 or later.<br />
• Approximately 8 MB of free disk space to install the server, which includes<br />
the base file sets, security file sets, and message catalog. An additional 4<br />
MB of free disk space is required to install the DB2 and CICS Gateway<br />
features.<br />
• A minimum of 32 MB of RAM; recommended RAM is 64 MB.<br />
• A mouse, trackball, TrackPoint, or pen. Although all functions can be<br />
performed with the keyboard, a pointing device is recommended.<br />
• Any communication hardware adapter supported by the TCP/IP protocol<br />
stack to make network connections.<br />
• If the server handles a large number of incoming connections, request APAR<br />
IX52752 for AIX Version 4.1.3. The fix for this APAR raises the listen() backlog<br />
maximum imposed by AIX from 10 to 100. With a backlog of only 10, a burst of<br />
connection attempts arriving faster than the server can accept() them is<br />
dropped, which users experience as a hung or refused site.<br />
For the DB2 Gateway:<br />
• DB2/6000, or access to a DB2 server through the DB2 Client Application<br />
Enabler (CAE), DataJoiner, or the Distributed Database Connection Services<br />
(DDCS) features of DB2<br />
• 2.5 MB of free disk space in the /usr/lpp partition<br />
• 0.5 MB of free disk space in the root directory<br />
For the CICS Gateway:<br />
• CICS/6000 Version 2.1 or CICS/6000 Client 2.1<br />
• 1 MB of free disk space in the /usr/lpp partition<br />
B.10 Lotus Domino RS/6000 POWERsolution<br />
Collaboration, or groupware, includes applications that allow teams to really<br />
work together. Applications in this space include electronic mail and messaging,<br />
project management, distance learning, intranet sites that disseminate critical<br />
information to team members, online human resource applications, sales force<br />
automation tools, concurrent product development enablers, and<br />
intranets/extranets that link internal teams with vendors, suppliers and partners<br />
to share information and streamline processes.<br />
Lotus Domino Server and Lotus Notes Workstation form a client/server environment<br />
that allows users (or clients) to communicate securely over a local area network<br />
or telecommunications link, and create and/or access documents residing on a<br />
shared computer (or server). With Lotus Domino Server and Lotus Notes<br />
Workstation, people can work together regardless of their software or hardware<br />
platform or technical, organizational, or geographical boundaries.<br />
Lotus Notes Workstation combines an application development environment, a<br />
document database and a sophisticated messaging system, giving you the power<br />
to create custom applications for improving the quality of everyday business<br />
processes in areas such as product development, customer service, sales and<br />
account management. At its most basic level, Lotus Notes Workstation is a<br />
document database, serving as a repository for both textual and other<br />
information, for example, images, presentations, spreadsheets.<br />
Lotus Domino Server and Lotus Notes Workstation provide the ability to<br />
distribute this information throughout an enterprise via replication, yet only those<br />
who need to see the information have access to it. In short, the intent is to<br />
improve communication, coordination and collaboration across any enterprise.<br />
Two primary components compose this solution:<br />
Domino Server: Provides services to Notes Workstation users and other<br />
Domino servers, including storage and replication of shared databases and<br />
mail routing. The Lotus Domino Server can run on PCs under OS/2 or Windows<br />
NT. It can also run as a NetWare NLM, or under UNIX systems such as <strong>IBM</strong><br />
AIX, HP-UX and Sun Solaris. Note that only the Transmission Control<br />
Protocol/Internet Protocol (TCP/IP) and Internetwork Packet<br />
eXchange/Sequenced Packet eXchange (IPX/SPX) network protocols are<br />
supported for Lotus Domino Server Release 4.5 running on AIX.<br />
Notes Workstation: Communicates with one or more Domino servers,<br />
providing the interface that allows a Notes user to access shared databases<br />
and to read and send mail. The Lotus Notes Workstation can run under<br />
OS/2, Windows 3.1, Windows 95, Apple′s System 7 and on UNIX graphical<br />
workstations such as Xstations.<br />
Shared databases exist on Domino servers. Users place icons representing<br />
individual databases (for example the mail file, bulletin boards, documentation<br />
databases) on their workstations in their individual workspaces. By selecting an<br />
icon, a user can open a database to perform such actions as accessing an<br />
existing document or creating a new document. Users also can maintain local<br />
(non-shared) databases and replicate these databases so that users always have<br />
access to the latest version of a document. Replication is the process of<br />
synchronizing multiple copies of a database so the information is the same on<br />
multiple servers.<br />
B.10.1 Packaging and Installation<br />
Lotus Domino is available as an Internet POWERsolution or as a separate<br />
software product. <strong>IBM</strong>′s family of Internet POWERsolutions contains ready-to-run<br />
packages, including a choice of Internet software, to establish your presence and<br />
conduct business on the World Wide Web or to benefit from Internet technology<br />
in an enterprise-wide intranet. The RS/6000 Internet POWERsolution with Lotus<br />
Domino includes the following items:<br />
RS/6000 Server<br />
• AIX Version 4.2 including POP3 and IMAP4 mail server protocols<br />
• Lotus Domino 4.5 Server and Lotus Notes Desktop Client<br />
• RS/6000 Welcome Center, Internet Edition<br />
• <strong>IBM</strong>′s implementation of Sun′s Java programming environment<br />
• Netscape Navigator<br />
• Adobe Acrobat Reader<br />
• Get Connected Guide<br />
• RS/6000 Web Server Software Sampler CD<br />
If you are going to install Lotus Domino on AIX yourself, refer to the installation<br />
instructions available in the Lotus Domino on the RS/6000 Welcome Guide<br />
(packaged with your Lotus Domino for AIX CD-ROM) or the <strong>IBM</strong> redbook, Lotus<br />
Domino Server Release 4.5 on AIX Systems: Installation, Customization, and<br />
Administration (SG24-4694-01).<br />
The Domino POWERsolution functionality is enhanced by two additional products<br />
available on the RS/6000 Web Servers Software Sampler CD: Business in a Box,<br />
a suite of 20 integrated business applications developed by Emerging<br />
Technology Solutions, Inc. that integrates six primary company functions, and<br />
Backup Agent for Lotus Domino by Cheyenne Software, which provides online<br />
data protection for Lotus Domino databases.<br />
The RS/6000 Lotus Domino POWERsolution enables:<br />
• Secure, interactive application development and secure, easy access to<br />
business applications and processes for employees, suppliers, and<br />
customers<br />
• Standards-based implementation of Internet business solutions<br />
• Integrated productivity support including e-mail, workflow, calendar and<br />
scheduling, database and transaction system support, and collaboration<br />
• Development and management of a company′s Internet presence<br />
• Simplified ordering of preconfigured, pretested and preinstalled solutions on a<br />
range of RS/6000 systems<br />
Lotus Domino can transform intranets from an information delivery mechanism<br />
into vehicles for conducting business. Companies can host team discussions<br />
about projects and involve customers in these discussions enabling<br />
customer-driven decision making; customers can order products online or be<br />
provided with self-service. Lotus Domino provides the function needed to<br />
support a rich collaboration base and extend this function to the Internet<br />
including:<br />
• A powerful object store to contain data and applications<br />
• A directory to manage people and resources<br />
• Agent development and support for automated processes<br />
• Calendar and scheduling plus Workflow increase resource utilization and<br />
people productivity<br />
• Mobile support for traveling users<br />
• A rich set of services to build secure, interactive applications for doing<br />
business on the Internet or intranet<br />
• Messaging system that provides scalability and reliability over a range of<br />
network protocols<br />
• Integrated application development to develop custom business applications<br />
using a choice of development tools<br />
• Integration with RDBMSs and transaction systems<br />
• Flexible security that controls access to information and function<br />
• Support for replication technology for local, remote and mobile users<br />
• Support for SNMP management tools<br />
• Integrated site builder and management tools<br />
B.10.2 Lotus Domino on the RS/6000 Reference Configurations<br />
These are the Lotus Domino on the RS/6000 reference configurations (feature<br />
code, followed by description):<br />
2-way J40 Reference Configuration<br />
Feature  Description<br />
7013-J40 RISC SYSTEM 6000<br />
2412 ENHANCED SCSI-2 DIFF F/W ADAPT<br />
2441 CBL SCSI SHORT INT DEVICES<br />
2934 ASYNCH TERM/PRT CABLE EIA-232<br />
2972 AUTO TR LANSTREAMER 32 MC ADP<br />
3053 2.2 GB SCSI-2 DISK DRIVE (x5)<br />
3094 2.2 GB F/W DIFF MODULE SEL (x2)<br />
4148 512 MB MEM SELECT<br />
5005 SOFTWARE PRELOAD OPTION<br />
9051 DUAL POWERPC 604 112MHZ PR CAR<br />
9212 BASE ENHAN SCSI-2 DIFF F/W ADAP<br />
9221 3.5 IN 1.44 MB DISKETTE DR<br />
9300 LANGUAGE GROUP,U.S.ENGLISH<br />
9441 BASE SCSI CBL-INT DEVICES<br />
9607 8X SPEED TRAY LOADING CD-ROM<br />
9800 POWER CORD SPECIFY US CANADA<br />
4-way J40 Reference Configuration<br />
Feature  Description<br />
7013-J40 RISC SYSTEM 6000<br />
2412 ENHANCED SCSI-2 DIFF F/W ADAPT<br />
2441 CBL SCSI SHORT INT DEVICES<br />
2934 ASYNCH TERM/PRT CABLE EIA-232<br />
2972 AUTO TR LANSTREAMER 32 MC ADP<br />
3053 2.2 GB SCSI-2 DISK DRIVE (x5)<br />
3094 2.2 GB F/W DIFF MODULE SEL (x2)<br />
4148 512 MB MEM SELECT<br />
4158 512 MB CARD<br />
4301 DUAL POWERPC 604 112MHZ PROC<br />
5005 SOFTWARE PRELOAD OPTION<br />
9051 DUAL POWERPC 604 112MHZ PR CAR<br />
9212 BASE ENHAN SCSI-2 DIFF F/W ADAP<br />
9221 3.5 IN 1.44 MB DISKETTE DR<br />
9300 LANGUAGE GROUP,U.S.ENGLISH<br />
9441 BASE SCSI CBL-INT DEVICES<br />
9607 8X SPEED TRAY LOADING CD-ROM<br />
F50 Reference Configuration (F50, 2-way, 384 MB memory, 6 x 4.5 GB disks)<br />
Feature  Description<br />
7025-F50 RS/6000 DESKSIDE SERVER SMP<br />
2446 SCSI-2 16-BIT CBL SPT 6-PK #1<br />
2901 4.5 GB ULTRA-SCSI 16-BIT HOT SW (x5)<br />
2934 ASYNCH TERM/PRT CABLE EIA-232<br />
2979 PCI AUTO LANSTREAM TOKEN-RING<br />
4106 256 MB(2X128MB) DIMMS 200PIN 1<br />
4110 256 MB(2X128MB) DIMMS 200PIN 10<br />
4303 POWERPC 604E 166MHZ 2-WAY PROC<br />
5005 AIX OPERATING SYSTEM PREINSTALLED<br />
6206 <strong>IBM</strong> PCI SIN-END ULTRA SCSI AD<br />
9300 LANGUAGE GROUP SPECIFY US ENG<br />
9394 BASE 4.5 GB F/W ULTRA SCSI DASD<br />
9800 PWR CORD SPEC US/CAN 125V,15A<br />
(THE FOLLOWING FEATURES ARE PART OF THE F50 BASE SYSTEM SO<br />
THEY DO NOT APPEAR IN THE CONFIGURATION REPORT.)<br />
8X CD-ROM<br />
3.5 INCH 1.44 MB DRIVE<br />
SCSI 6-PACK 1 KIT (IF NOT SELECTED OUT)<br />
UNPOPULATED MEMORY CARD -HOLDS EIGHT DIMM PAIRS<br />
SERVICE PROCESSOR<br />
TWO INTEGRATED SCSI-2 F/W ADAPTERS<br />
INTEGRATED ETHERNET ADAPTER<br />
B.10.3 Lotus Domino on the RS/6000 in the Enterprise<br />
Both Lotus Domino Server and Notes Workstation are functionally<br />
platform-independent. That is, they will look the same to the end user and<br />
perform most of the same functions regardless of platform. However, clearly<br />
there are differences in the underlying operating systems′ platforms<br />
B.10.4 HACMP<br />
B.10.4.1 Planning Domino Servers for High Availability<br />
The following information is from the Planning, Installing, and Configuring the<br />
Lotus Domino Server on the RS/6000 SP (<strong>IBM</strong> Poughkeepsie - RS/6000 SP<br />
Parallel Subsystem Integration Team Version 1.0 - January 28, 1997).<br />
HACMP can be configured (through use of directories on external disks) in up to<br />
eight node SP clusters or across SMP machines, where a designated node (or<br />
SMP server) will detect and restart a Domino server on another node (or SMP<br />
server), either a hot spare or active node or server. This process is called<br />
failover. HACMP can be used with any of the mail routing, mail, replication, and<br />
application servers in your configuration.<br />
In the Domino Server Powered by Notes Release 4.5, Domino Advanced Services<br />
(a separate product for Domino) provides event driven replication of any<br />
selected database, between all nodes in a configured (up to six nodes) cluster or<br />
between SMP machines. Should a server of one of the database replicas fail,<br />
Domino Advanced Services will failover the user to a server of another replica.<br />
This is very similar to an HACMP failover, with the added benefit of user load<br />
balancing of across the cluster.<br />
Since Domino advanced services provides nearly identical function to HACMP, is<br />
there any need for HACMP in your implementation? The answer is up to you, but<br />
the following recommendations are those that are the easiest to implement and<br />
most cost-effective.<br />
Table 41. Domino Server Recommendations<br />
Domino Server Function | Preferred Availability Solution | Rationale<br />
Mail | either HACMP or Domino Advanced Services | Domino Advanced Services will<br />
support Mail user failover if a mail server is unavailable. However, shared mail<br />
is not yet supported, and HACMP may be easier to implement for Mail availability.<br />
Mail Router | HACMP (*) | Domino Advanced Services does not fail over mail<br />
routing functions. HACMP can fail over, restart and recover this functionality.<br />
Application | Domino Advanced Services | Domino Advanced Services will load<br />
balance and fail over users to a backup for properly replicated databases.<br />
Out-of-Domain Replication | HACMP (**) | Domino Advanced Services does not fail<br />
over out-of-domain replication. Therefore, if it is required to keep a dedicated<br />
replication server available, use HACMP.<br />
Internet | HACMP (***) | Domino HTTP/IP addresses are not failed over by Domino<br />
Advanced Services as they are with HACMP.<br />
InterNotes | Domino Advanced Services | InterNotes servers are part of the<br />
Advanced Services functions/servers that can be failed over.<br />
Note:<br />
(*) HACMP may not be required. Your requirements may not demand<br />
that the mail router be available all of the time, since no data will be lost<br />
(if mail spool disks on this server are mirrored). Mail in flight will be<br />
delayed until the mail router is repaired.<br />
(**) HACMP may not be required, since you might not demand that a<br />
replication server be available all of the time: replication can be<br />
completed when the server is repaired, or there might be multiple<br />
replication servers each covering different priority replication, which will<br />
cover the replication on a different time scale.<br />
(***) If you are using load balancing (LoadLeveler ISS) across multiple<br />
Domino servers with the same data, HACMP might not be required.<br />
B.10.5 Network Dispatcher<br />
<strong>IBM</strong>′s Interactive Network Dispatcher dynamically and continuously monitors<br />
server workloads balancing traffic across teams of servers located anywhere in<br />
the world. Interactive Network Dispatcher′s functionality is fully supported by<br />
Lotus Domino on AIX. See http://www.ics.raleigh.ibm.com/netdispatch/ for more<br />
information about the Interactive Network Dispatcher product.<br />
B.10.6 Scalability<br />
Lotus Domino on RS/6000 servers has been shown to support thousands of<br />
users on single servers, both in NotesBench reports (see the following) and in<br />
real-world application deployment. The Domino server itself specifically<br />
offers increased server capacity through features such as Domino Advanced<br />
Services, symmetric multiprocessor (SMP) support and object storage of<br />
unlimited size.<br />
B.11 Net.Commerce<br />
Net.Commerce is a packaged solution that provides a rich set of tools to enable<br />
a business to host and operate its own E-commerce server. Operating<br />
Net.Commerce on an RS/6000 offers a business a very reliable and scalable<br />
solution. Net.Commerce includes the following products or features:<br />
• DB2, with the option of using another database, such as Oracle 7.3, through<br />
Open Database Connectivity (ODBC).<br />
• Internet Connection Secure Server (ICSS) 4.2.1, which supports SSL2.<br />
• Application Programming Interfaces (APIs) which allow the customization of<br />
the product and the flexibility of integrating with legacy systems.<br />
• Merchant Server, which manages the interface to the customer and allows<br />
flexibility through its dynamic page creation capability.<br />
• Net.Data, an application that gives developers the ability to use Web<br />
macros to access a variety of databases on various platforms.<br />
• Store and site managers, which provide intuitive interfaces for managing the<br />
store and products, etc.<br />
• Template Designer, a Java-based design tool that includes templates for<br />
creating Web pages for Net.Commerce.<br />
Net.Commerce is now SET-enabled to allow a more secure credit card<br />
transaction than SSL: where SSL only protects the card number on its way to<br />
the merchant, SET encrypts it for the payment gateway, so the merchant never<br />
holds the card number. (The customer will need to purchase Net.Commerce<br />
Payment to utilize SET.) Net.Commerce interfaces with Taxware International<br />
(U.S. only) and CyberCash to help automate the purchasing processes.<br />
Depending on your system size, the following items apply:<br />
• 43P-140, 256-512 MB of RAM and 4-9 GB of disk<br />
A small size installation of the product. A single 43P-132 has been used to<br />
manage a store, but for performance reasons the 43P-140 is the better choice.<br />
The disk and memory requirements will vary with the size of the product and<br />
customer databases and possible price points. This is a single machine<br />
configuration where the Web server and the database are on the same<br />
machine. The firewall is assumed to be provided by the Internet Service<br />
Provider (ISP).<br />
• Two F50s, 512 MB-1 GB of RAM and 20 GB of disk on the database machine<br />
A medium size installation of the product. A large store is currently using a<br />
G40 for the database, while a medium sized mall is using a J40. The size of<br />
the database server will depend mainly on the number of products, customers<br />
and traffic. The F50 is recommended because of its TPC-C performance and<br />
its scalability. It could be installed as a single-CPU server using its internal<br />
RAID, and then expanded later to a multiple-CPU, external-disk configuration.<br />
Note that implementing HACMP requires external disks. The F50 was also<br />
chosen for its price/performance as a Web server.<br />
• SP<br />
A large size installation of the product. This solution has not been<br />
implemented in a single store configuration, but it is being considered and/or<br />
implemented in a mall configuration.<br />
B.11.1 High Availability<br />
High availability is a vital key to the reliability and availability of the RS/6000<br />
hardware solution. The minimum number of RS/6000 machines that could be<br />
used in an HACMP environment is three: a single RS/6000 Web server plus two<br />
RS/6000s running the database. The two database machines share the disk<br />
drives, so that if the first machine fails, the second RS/6000 takes over the<br />
database drives. Careful consideration should be given to the type and<br />
number of disk drives used in the RAID or mirroring setup, since database<br />
performance is affected by the disk configuration. If an additional Web server is<br />
needed because of a large number of users, Network Dispatcher can be<br />
implemented. Careful planning should be done to ensure that the environment<br />
gives the customer the reliability they expect.<br />
B.11.2 Network Dispatcher<br />
Network Dispatcher is a software product that load balances across multiple<br />
servers. It allows a customer to scale Web server capacity dynamically by<br />
adding machines with minimal work. A single machine runs the dispatcher<br />
function, which distributes the traffic across the machines defined in its<br />
configuration. The dispatcher itself can be protected with HACMP, so that if the<br />
Network Dispatcher machine fails, another RS/6000 takes over the dispatcher<br />
function.<br />
B.11.3 Connectivity<br />
The type of connection provided to an RS/6000 setup will depend on the store<br />
type and design. Analyze the throughput of the adapters used in the systems to<br />
ensure the best performance, and take care that there is ample bandwidth and<br />
a sufficient number of concurrent sessions available for the users.<br />
B.11.4 Scalability<br />
The ICSS Web server used with Network Dispatcher (a separately purchasable<br />
product) allows the customer to start with a single RS/6000 and add servers to<br />
the configuration as needed. The F50 can start out as a single-processor<br />
machine and be upgraded to a total of four processors. The SP is a scalable<br />
solution by nature. This lets the customer protect the investment in the original<br />
hardware and add only the hardware needed to meet current operational loads.<br />
B.11.5 Billing Support<br />
Net.Commerce provides a large set of APIs that can be used to interface with<br />
other systems to provide billing support, allowing the product to meet the<br />
specific needs of each customer. Net.Commerce is also enabled to support<br />
Net.Commerce Payment (a separate product), which uses SET to provide secure<br />
credit card transactions. Net.Commerce can also be teamed with CyberCash<br />
to facilitate credit card transactions. To help the merchant handle the complexity<br />
of sales tax from state to state, Taxware International (U.S. only) can be<br />
integrated into Net.Commerce.<br />
B.12 <strong>IBM</strong> Interactive Network Dispatcher<br />
The Interactive Network Dispatcher is an advanced IP packet level<br />
load-balancing and traffic management software solution that is an integral<br />
component of any customer′s Internet or Web based application deployment. It is<br />
a member of the eBusiness Enhancer category of the <strong>IBM</strong> Network Computing<br />
Framework announced on April 15, 1997. It originated from advanced research<br />
at <strong>IBM</strong>′s Watson Research Laboratory and was first successfully used in the<br />
1996 Deep Blue vs. Garry Kasparov chess competition; its use has been<br />
repeated at some of the world′s most highly visible and visited Web sites,<br />
including the 1996 Summer Olympics, the US Open, the Masters Tournament, the<br />
French Open, and Wimbledon. It will be used in the upcoming 1998 Nagano<br />
Olympics.<br />
B.12.1 Challenge<br />
The need for application scalability and availability is common across a broad<br />
number of industries and organizational sizes. This product is key for customers<br />
that want to deploy applications across 2 or more servers at a single site or<br />
across multiple sites. It is ideal at the departmental level or across the<br />
enterprise. It plays an essential role in providing an infrastructure that can<br />
address scalability and availability requirements. It is currently being used by a<br />
growing number of organizations in various industries, namely the financial<br />
services and the ISP/telco organizations. They have clearly recognized the<br />
benefits and competitive edge that can be gained by deploying this technology.<br />
As Web site traffic and volume grows, organizations are faced with challenges to<br />
expand capacity, manage and leverage existing resources, continue to improve<br />
user services and deliver new ones. It is therefore critical to build a Web<br />
architecture that can respond to changing and increasing customer demands<br />
while supporting business objectives. This decision is important to small,<br />
medium and large organizations that are deploying Internet and intranet<br />
applications.<br />
Organizations typically add Web servers to support growing Web site traffic<br />
and to enhance the availability of their Web sites. Adding servers moves the<br />
performance bottleneck to other parts of the system: the challenge now<br />
becomes how to manage the incoming traffic and balance the requests across<br />
the multiple servers. Customers have developed a number of home-grown<br />
solutions or have employed common techniques such as round-robin DNS to<br />
address these requirements. Unfortunately these techniques do not provide<br />
optimal load balancing and availability (round-robin DNS hands out server<br />
addresses in turn regardless of each server′s load, or whether it is up at all),<br />
are not easily manageable and do not scale well, because hot spots occur that<br />
cause server load asymmetry. This often results in site outages and poor<br />
utilization of servers.<br />
B.12.2 Description<br />
The Interactive Network Dispatcher enables multiple Web servers to efficiently<br />
function as a single system to better manage high volumes of information and<br />
electronic transactions over networks. This optimizes Web site performance,<br />
maximizes existing hardware investments, simplifies the administration of Web<br />
servers and improves availability of Web site resources and end user<br />
satisfaction.<br />
The Interactive Network Dispatcher optimally manages incoming IP traffic within<br />
a local Web site or across multiple Web sites. It delivers the performance,<br />
administration and availability advantages by using a number of <strong>IBM</strong> patented<br />
routing algorithms. The Interactive Network Dispatcher provides multiple<br />
configuration options to address any users' needs. It supports multiple virtual<br />
clusters of Web servers, whereby you can configure multiple domains<br />
(www.ibm.com, www.isp.com, etc.) behind a single IP address. (Multiple IP<br />
addresses can be easily supported.) Within each cluster, multiple ports can be<br />
configured (HTTP, SSL, FTP, etc.). Also multiple servers can be supported within<br />
each port.<br />
Load balancing and traffic management is accomplished by using a weighted<br />
load assignment, which is based on various feedback and monitoring<br />
mechanisms. The number of connections (new and existing) is maintained for<br />
each of the servers. Also, application advisors routinely request the status of<br />
TCP/IP applications (for example, Web HTTP servers) to determine their<br />
availability and load. Acknowledgments are collected from each of the servers<br />
and are used to dynamically adjust the server weights, enabling an appropriate<br />
routing decision for incoming packets. An additional level of feedback is possible by<br />
installing agent code that resides on the actual server. This provides a more<br />
complete set of system metrics (CPU utilization, I/O, etc.) to enrich the<br />
decision-making capability. This is useful in mixed application, high-energy Web<br />
sites.<br />
Individually or collectively, these various feedback mechanisms can be used to<br />
provide a customized load-balancing solution for any customer.<br />
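To make the weighting loop concrete, the following Python is an added example and not Interactive Network Dispatcher code (the product's own weighting algorithms are IBM patented and are not described on this page). It simulates the feedback described above: per-server connection counts and an application-advisor probe result are folded into a routing weight, a server whose advisor probe failed gets weight zero so traffic is routed around it, and new requests are spread in proportion to the weights. The Server fields, the scoring formula, the weight scale and the sample cluster values are all assumptions made for illustration.<br />

```python
"""Simulated weighted dispatch driven by connection counts and advisor feedback.

Added example: a simplified stand-in for the feedback loop described in the text,
not the Interactive Network Dispatcher's own (patented) weighting algorithms.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Server:
    name: str
    active_conns: int = 0    # existing connections currently open on this server
    new_conns: int = 0       # connections assigned since the last weight recalculation
    advisor_ok: bool = True  # did the application advisor get a reply (server up)?
    advisor_ms: float = 0.0  # advisor-measured response time in milliseconds
    weight: int = 0          # routing weight; 0 means "do not route here"


def recompute_weights(servers: List[Server], max_weight: int = 20) -> None:
    """Fold connection counts and advisor results into per-server weights.

    Assumed scoring: load = active + new connections + a latency penalty
    (advisor_ms / 100). The least loaded healthy server gets max_weight and
    every other healthy server gets a weight shrinking with its relative load.
    A server whose advisor probe failed gets weight 0 and is routed around.
    """
    healthy = [s for s in servers if s.advisor_ok]
    for s in servers:
        if not s.advisor_ok:
            s.weight = 0
    if not healthy:
        return
    load = {s.name: s.active_conns + s.new_conns + s.advisor_ms / 100.0 for s in healthy}
    best = min(load.values())
    for s in healthy:
        s.weight = max(1, round(max_weight * (best + 1) / (load[s.name] + 1)))


def choose_server(servers: List[Server], counter: int) -> Server:
    """Weighted round robin: request number `counter` lands in the weight band of one server."""
    total = sum(s.weight for s in servers)
    if total == 0:
        raise RuntimeError("no server is available to receive traffic")
    slot = counter % total
    for s in servers:
        if slot < s.weight:
            return s
        slot -= s.weight
    raise AssertionError("unreachable: slot always falls inside some weight band")


def dispatch_batch(servers: List[Server], requests: int) -> Dict[str, int]:
    """Recompute weights, then assign `requests` new connections; return the per-server tally."""
    recompute_weights(servers)
    tally = {s.name: 0 for s in servers}
    for i in range(requests):
        target = choose_server(servers, i)
        target.new_conns += 1
        tally[target.name] += 1
    return tally


def sample_cluster() -> List[Server]:
    """Constructed sample: a lightly loaded server, a busy server, and one that failed its advisor probe."""
    return [
        Server("web1", active_conns=2, advisor_ms=20.0),
        Server("web2", active_conns=10, advisor_ms=50.0),
        Server("web3", active_conns=5, advisor_ok=False),
    ]


if __name__ == "__main__":
    cluster = sample_cluster()
    print(dispatch_batch(cluster, 26))  # {'web1': 20, 'web2': 6, 'web3': 0}
```

Because the batch raises web1's new-connection count, the next recalculation shifts weight toward web2; that convergence is the point of feeding connection counts back into the weights rather than using a static round robin.<br />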
The product runs on popular operating systems (<strong>IBM</strong>'s AIX, Win NT, Sun<br />
Solaris) on the machine that receives the incoming packet requests, and can support<br />
any standard TCP/IP-based application server behind it (SunOS, SGI, HPUX,<br />
OS/390, OS/2, MAC, OS/400, SCO, Linux and more). It can manage traffic and<br />
balance load across a single Web site or across multiple sites in a WAN<br />
environment to leverage your enterprise or company-wide server resources.<br />
The design philosophy behind the Interactive Network Dispatcher is to ensure<br />
the product is easy to install and configure, requires no operating system<br />
modifications or physical alterations to a network and is highly scalable to<br />
respond to peak demands. Also the product does not modify incoming IP<br />
packets for data integrity, sees only the incoming requests and not outgoing<br />
server responses for performance, and is totally transparent to clients or users<br />
except for improved service.<br />
B.12.3 Benefits<br />
The Interactive Network Dispatcher has several key benefits for customers:<br />
• Improved user service - Optimized to handle peak loads and eliminate<br />
blackouts. Provides ability to route around scheduled and unscheduled<br />
outages. It makes multiple servers function as one.<br />
• Application support - Supports any TCP/IP application. Allows you to<br />
partition server(s) to support multiple application types (FTP, HTTP, SSL,<br />
Telnet, mail, ...).<br />
• Lower incremental investments - Maximizes hardware by using existing<br />
resources and provides the ability to dynamically and incrementally add<br />
resources as needed. Can support heterogeneous server environments<br />
(different operating systems and server sizes).<br />
• Ease of server administration - Single point of control for easy setup,<br />
configuration and maintenance.<br />
• Improved site and data security - IP addresses of backend servers are not<br />
visible, providing additional site security.<br />
B.12.4 Internet Service Provider Applications<br />
Internet Service Providers (ISPs) are a key audience for this type of technology.<br />
Because of the growth of the World Wide Web, ISPs now offer much more than<br />
just Internet access to their customers. Because of their extensive Internet<br />
backbone, ISPs can also provide Web hosting services and additional security<br />
solutions to the customers enabling them to effectively outsource their company<br />
Web site or their corporate intranets. If a customer uses an ISP for both their<br />
Internet access and Web hosting services, the ISP needs to ensure that the<br />
customer can connect to the Internet and that the ISP can support a large volume<br />
of traffic to the customer's Web site. Because ISPs provide services targeted to individual<br />
consumers and to businesses, they have scalability and availability requirements<br />
for a broad range of applications. These range from Internet access support to<br />
e-mail, news, chat, security, IP traffic management and much more. With<br />
customers spread across large geographic areas, ISPs need to be able to<br />
dynamically leverage resources in LAN and WAN environments. ISPs need to<br />
manage the distribution of IP traffic in these diverse application requirement<br />
environments, and protect and ensure their infrastructure investments are<br />
consistent with the profile of growth and the changing demands placed on them.<br />
ISPs can use the Interactive Network Dispatcher to support those infrastructure<br />
and application requirements.<br />
Here are just a few application areas where significant benefit can be gained by<br />
ISPs:<br />
• News servers<br />
• Scalable mail servers<br />
• Security and firewall support<br />
• Collaborative services (chat, teleconferencing, etc.)<br />
• Streaming Video services<br />
• Web site content hosting<br />
• Event and special promotion management<br />
• Subscriber management<br />
• Intranet applications (integrated applications - HR, Mfg, Sales, Logistics, etc.;<br />
for example, SAP, BAAN, PeopleSoft, etc.)<br />
• SET or payment services and gateways<br />
An ISP can utilize the Interactive Network Dispatcher to build and support<br />
customized Web sites for its customers. It enables the ISP to add additional Web<br />
servers as needed, without changing the IP infrastructure. The ISP is able to<br />
host Web sites that can be continuously accessed since the Interactive Network<br />
Dispatcher provides the capability to automatically route around unexpected<br />
failures or scheduled down-times for system maintenance. With the Interactive<br />
Network Dispatcher, IP traffic can be managed to ensure optimal performance,<br />
partition resources economically and offer support for mixed application<br />
environments.<br />
The next release of the Interactive Network Dispatcher includes features that<br />
enhance the ability of ISPs to deploy advanced applications that provide optimal<br />
performance and availability. They include a hot standby or backup capability<br />
should the primary machine fail. We are also delivering additional mail and<br />
news protocol advisor support to enhance the granularity of the load balancing<br />
for POP3, SMTP, NNTP and Telnet application protocols. Stateless UDP support<br />
is also being provided for applications such as RADIUS authentication servers.<br />
Additional options are being provided to give customers more flexibility in<br />
configuring and customizing feedback metrics from server environments. Our<br />
focus is to maintain <strong>IBM</strong>'s industry leading-edge advantage in this arena. Our<br />
research, development and marketing teams are tightly coupled and poised to<br />
deliver advanced functions in a timely manner to meet the needs of the marketplace.<br />
B.12.5 Summary<br />
The Interactive Network Dispatcher's advanced design benefits have been<br />
recognized as essential components of any Web-based infrastructure, based on<br />
our early experiences, including several key ISP customers. It delivers value in<br />
any environment where customers want application scalability and availability.<br />
Its benefits quickly become visible to end users or clients and business<br />
customers. It offers businesses such as ISPs an opportunity to respond to<br />
changing user demand and growth, the ability to economically manage and<br />
expand their infrastructure and deliver new services to enhance their<br />
competitive position in the dynamic marketplace.<br />
B.13 <strong>IBM</strong> Firewall 3.1<br />
The <strong>IBM</strong> Firewall stops network intruders in their tracks. It combines all three<br />
leading firewall architectures (application proxies, SOCKS circuit gateway, and<br />
filtering architectures) in one flexible, powerful security system. It runs on an<br />
<strong>IBM</strong> RS/6000 workstation with AIX Version 4.1.5 or 4.2.<br />
The firewall node's major responsibilities are to allow the accumulation of evidence<br />
of attempted break-ins to the secure network from the nonsecure side, and to provide<br />
the ability to quickly shut down a break-in path when one is detected. This is<br />
accomplished by defining filter rules to be deployed in the firewall to limit traffic<br />
per the security guidelines of the installation, to log the traffic patterns, and to<br />
review those logs and take appropriate action where the logs indicate that actual<br />
activity does not conform to the security policy of the site/installation.<br />
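As an added illustration of the three responsibilities just listed (filter rules that limit traffic, logging, and review of the logs against policy), the following Python is not IBM Firewall code and does not reproduce its rule syntax or log format. It evaluates a small first-match filter rule set, parses a few constructed log lines, and flags the two things a reviewer would act on: nonsecure-side sources with repeated denied attempts (evidence of a break-in path to shut down), and logged permits that the current rule set would not allow (actual activity not conforming to policy, usually a rule or logging misconfiguration). The address plan, the rules, the log line format and every address are assumptions.<br />

```python
"""Filter-rule evaluation and log review (added example, not IBM Firewall code).

The rule list, the log line format and every address below are constructed for
illustration; they do not reproduce the product's own syntax or log format.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed address plan: the secure (intranet) side is 10.0.0.0/8; everything else is nonsecure.
SECURE_NET = ipaddress.ip_network("10.0.0.0/8")

# Filter rules: (action, protocol, source net, destination net, destination port or None).
# First match wins; anything that matches no rule is denied.
RULES: List[Tuple[str, str, str, str, Optional[int]]] = [
    ("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 80),  # public Web server reachable from outside
    ("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", None),  # secure hosts may open outbound connections
    ("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),     # explicit default deny (so it is logged)
]


def evaluate(proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action the rule set prescribes for one connection attempt."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, rport in RULES:
        if rproto != "any" and rproto != proto:
            continue
        if src_ip not in ipaddress.ip_network(rsrc) or dst_ip not in ipaddress.ip_network(rdst):
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "deny"


# Constructed log lines: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <action logged>"
SAMPLE_LOG = """\
1997-10-01T10:00:01 tcp 192.0.2.7:40001 -> 10.1.1.10:80 permit
1997-10-01T10:00:02 tcp 192.0.2.7:40002 -> 10.1.1.10:23 deny
1997-10-01T10:00:03 tcp 192.0.2.7:40003 -> 10.1.1.10:23 deny
1997-10-01T10:00:04 tcp 192.0.2.7:40004 -> 10.1.1.10:23 deny
1997-10-01T10:00:05 tcp 198.51.100.5:5100 -> 10.2.0.4:139 deny
1997-10-01T10:00:06 tcp 10.1.1.20:3300 -> 203.0.113.9:443 permit
1997-10-01T10:00:07 tcp 203.0.113.9:6000 -> 10.1.1.10:21 permit
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields."""
    ts, proto, src, _arrow, dst, action = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": src_ip, "dst": dst_ip,
            "dport": int(dport), "action": action}


def review(log_text: str, threshold: int = 3) -> Dict[str, object]:
    """Review the log against the policy encoded in RULES.

    Returns the denied-attempt count per nonsecure source, the sources at or
    above `threshold` (candidates for shutting down the break-in path), and the
    logged permits that the rule set would not allow (policy non-conformance).
    """
    denied: Counter = Counter()
    violations: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        e = parse_line(line)
        from_nonsecure = ipaddress.ip_address(str(e["src"])) not in SECURE_NET
        if e["action"] == "deny" and from_nonsecure:
            denied[str(e["src"])] += 1
        expected = evaluate(str(e["proto"]), str(e["src"]), str(e["dst"]), int(str(e["dport"])))
        if e["action"] == "permit" and expected == "deny":
            violations.append(e)
    suspects = sorted(src for src, n in denied.items() if n >= threshold)
    return {"denied": dict(denied), "suspects": suspects, "violations": violations}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print("denied attempts per nonsecure source:", report["denied"])
    print("sources whose path should be shut down:", report["suspects"])
    for v in report["violations"]:
        print("logged permit not allowed by policy:", v)
```

The review step is deliberately separate from rule evaluation: the rules decide what the firewall does in real time, while the review replays the log against the same rules so that a permit the policy would not grant stands out as something to investigate rather than disappearing among routine traffic.<br />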
In the case of ISP solution deployment, the firewall will remove the registered<br />
user and account database from open access to the Internet community. In<br />
some content hosting and commerce deployments it will also be the bridge to<br />
secure/private information from the Web server interface available on the<br />
Internet side.<br />
Security experts agree that the best application of the firewall is to force the HW<br />
box running the firewall code to be stand-alone. That is, do not collocate other<br />
functions/processes on the FW node. This does, of course, add cost to the<br />
equation, and one needs to have a discussion about the cost the customer is<br />
willing to incur for a given degree of relative security. For this paper, we are<br />
assuming the maximum security possible for an environment where some traffic<br />
is allowed to flow between the Internet and the intranet. That is, a bastion<br />
host with the firewall containing one network adapter to allow Internet nodes to<br />
send/receive packets to/from the firewall node and a separate adapter to allow<br />
intranet nodes to send/receive packets to/from the firewall node. Routes are then<br />
added to the Internet and intranet nodes to cause packets to flow through the<br />
firewall node when a server on one side wants to communicate with a server on<br />
the other side.<br />
B.13.1 HACMP and Scalability<br />
As the firewall represents a single point of failure for the ISP solution, it needs to<br />
be made a highly available link. HACMP is supported across a cluster of SNG<br />
firewall nodes, so in the ISP deployment one node acts as the<br />
active/primary firewall and another node waits as a hot standby. The size of the<br />
node to be deployed for the firewall application is a function of the number and<br />
size of packets to be processed per second, the type of activity the firewall is<br />
going to perform (for example, just packet filtering or SOCKS and/or proxy work),<br />
and the number/type of network adapters to be configured. A 39H class node<br />
with an FDDI adapter can handle 4000 packets/second on the Internet side and<br />
another 4000 packets/second on the intranet side before all its cycles are<br />
consumed. This translates into about 900 short TCP/IP conversations per<br />
second. Unfortunately, increasing processing power alone will not increase that<br />
performance. Although added processing power could allow the firewall node to<br />
handle longer conversations (read bigger packets and/or more complex filtering<br />
like proxy), the adapter itself is limited to about 5000 packets per second. So to<br />
exploit the added horsepower of the 4-way H10 or 4-way F50 such that you could<br />
see 1000 conversations/second with the H10 or 5000 conversations/second with a<br />
4-way F50, you would need several network adapters to feed the packets<br />
through the server.<br />
B.13.2 Connectivity<br />
The network connectivity concerns and issues were described in the scalability<br />
section where it was pointed out that the network adapter itself can be a limiting<br />
factor in the routing/filtering of packets. 10 Base-T Ethernet is worse than FDDI<br />
and ATM is better than FDDI. There are price differences associated with these<br />
different connectivity options. The FDDI reference above is a good performing<br />
solution. The connectivity chosen will probably be more of a function of the<br />
network already in use by the customer.<br />
B.13.3 Packaging and Installation<br />
Any deployment of a firewall requires the help of consultants and security<br />
experts to ensure the security policy is enforced.<br />
B.13.3.1 Specific SNG Considerations<br />
Without modification, an SNG node installed on the SP cannot be<br />
monitored and controlled from the SP's CWS. To allow the single point of<br />
management and control to be applied to the SNG nodes, some slight<br />
modifications to the SNG node will be required. In particular, both the<br />
/etc/inittab and /etc/inetd.conf files need to be changed to allow some daemon<br />
processes to survive the SNG install lockdown, and there will need to be<br />
additions to the filter rules on the SNG node to allow packets to flow between the<br />
SNG node and the SP's control workstation. Those modifications are described<br />
in the document titled Consolidation of Internet and Intranet Servers on the SP<br />
and they should be reviewed with the customer's security team to determine whether<br />
these modifications are tolerable from a security perspective. If the customer's<br />
security team decides the exposure is too great, then the SP may not be a<br />
suitable platform for this customer.<br />
To deliver a secure solution on the SP when Internet and intranet nodes are<br />
located in the same frame, the internal networks of the SP need to be configured<br />
in a certain way. When a switch is part of the configuration, it will need to be<br />
partitioned using the SP partitioning functions to logically break the switch<br />
network into two separate networks. The firewall and intranet nodes should be<br />
placed in one switch partition and the Internet nodes should be placed in a<br />
different switch partition.<br />
The Ethernet segregation is accomplished by physically connecting the Internet<br />
nodes on one Ethernet LAN segment and the intranet nodes on a different<br />
Ethernet LAN segment. Each of these LAN segments would be connected to<br />
separate adapters in the SP control workstation. This goes a long way to<br />
isolating the two networks, but it still leaves a common interface point that needs<br />
to be addressed to yield the secure solution: the control work station.<br />
The control workstation intersection point is best addressed by forcing the<br />
Internet nodes to communicate with the CWS via the firewall. This is<br />
accomplished by adding a route from the CWS to the firewall and from the<br />
Internet nodes to the firewall and adding filter rules to the firewall that will<br />
permit monitor and control packets to flow between the CWS and Internet nodes.<br />
After the routes are set up and the SNG product installed on the firewall node,<br />
then the Ethernet adapter with which the CWS was originally connected to the<br />
Internet nodes should be unconfigured. With this setup all communication<br />
between the CWS and the Internet will be accomplished in a secure manner.<br />
And the intranet nodes will be protected from the Internet nodes via the firewall<br />
installation.<br />
But the aforementioned setup does lead to a small complication. In particular,<br />
the PSSP does not support IP address takeover of the EN0 traffic on an SP node.<br />
Therefore, an SNG node failure could disrupt the administrator's ability to<br />
monitor and control the Internet nodes while the SNG node is experiencing an<br />
outage. Our sense is that losing that control is the last thing an administrator<br />
would want when his or her primary firewall node is down; but we do have a<br />
recommendation to alleviate this limitation. We recommend that the route from<br />
the Internet to the CWS be through the backup firewall node. Therefore, a<br />
primary SNG node outage is not accompanied by an inability to control all of the<br />
nodes in the SP cluster. Further, when installing the Internet nodes, the<br />
administrator should configure the firewall node as the boot/install server for the<br />
Internet nodes so that if it were necessary to rebuild a broken Internet node later<br />
in time this could be easily accomplished without a direct connection to the<br />
control workstation.<br />
For a full description of SNG and HACMP integration with SNG please refer to<br />
the following Web site:<br />
http://hawww.ak.munich.ibm.com/HACMP/HA-FW/HA-FW.HTML.<br />
For a full description of integrating Internet and intranet nodes in an SP<br />
configuration please see the white paper Consolidating Internet and Intranet<br />
servers on the SP.<br />
B.13.4 Hardware and Software Requirements<br />
The following are the hardware and software requirements for Firewall Version<br />
3.1:<br />
• RISC System/6000 that is supported by the AIX/6000 4.1.5 or 4.2 operating<br />
system, excluding shared memory multiprocessors.<br />
• Any communication hardware interface supported by the TCP/IP protocol<br />
stack.<br />
• For the IPSec remote client, an <strong>IBM</strong> PC or compatible that is supported by<br />
Windows 95.<br />
• At least two network interfaces to the firewall. One network interface<br />
connects to the secure, internal network that the firewall protects. The other<br />
network interface connects to the non-secure, outside network or Internet.<br />
The interfaces that have been tested are:<br />
Table 42. Tested Interfaces<br />
Interface 1 Interface 2<br />
Token-Ring Token-Ring<br />
Token-Ring Ethernet<br />
While we cannot guarantee that other IP interfaces work, we expect that they<br />
should.<br />
Note:<br />
Token-ring adapters can operate at either 4 or 16 Mb per second.<br />
Ethernet adapters can operate at 10 Mb per second.<br />
These are the disk requirements for AIX (approximately 800 MB to 1000<br />
MB of disk space):<br />
• 7 MB of disk space for the base firewall<br />
• 10 MB for Netscape Navigator (or 20 MB if a tar object of Netscape is<br />
downloaded and unpacked)<br />
• 7 MB for AIX patches (The required AIX patch is:<br />
bos.net.tcp.client.4.2.0.1.bff.)<br />
• 5 MB for SystemView packages (required for SNMP, and packaged<br />
with firewall)<br />
• 1 MB for Report Utilities<br />
• Approximately 50 MB for log files<br />
Depending on how the firewall is configured, the storage needs for logs will vary.<br />
For example, if little is recorded in the log file, the need may be as little as 1<br />
MB of log storage per day. However, if a full SOCKS firewall is implemented, you<br />
could need as much as 30 MB per day for log files. Assuming the need is to<br />
keep seven days' worth of logs, this is 7 - 210 MB of disk space for logs.<br />
• At least 64 MB of memory.<br />
• Security authentication devices. The <strong>IBM</strong> Firewall directly supports the<br />
following security devices that provide remote authentication of users:<br />
− AssureNet Pathways SecureNet Key Card (Models SNK-010 and SNK-004)<br />
− Security Dynamics SecurID Card (Model SD200 is the standard card<br />
without buttons; PINPAD is the card with buttons.)<br />
• <strong>IBM</strong> AIX/6000 Version 4.1.5 or 4.2<br />
• For the IPSec remote client, Microsoft Windows 95<br />
• For the IPSec remote client, Microsoft ISDN Accelerator Pack<br />
• Java-enabled Netscape browser<br />
B.13.4.1 Navigator V3.1<br />
The Netscape Navigator is available for download at:<br />
http://home.netscape.com/eng/mozilla/3.0/relnotes/unix-3.0.HTML.<br />
It is also included in the AIX 4.1.5 Value Pak and the AIX 4.2 Bonus Pak.<br />
B.14 <strong>IBM</strong> Solutions Available to ISPs<br />
The following applications, although not part of the <strong>IBM</strong> Solutions for ISPs family<br />
of solutions, are available to ISPs to help them create a competitive service<br />
environment.<br />
B.14.1 Tivoli<br />
TME 10 products provide centralized control of a service provider's applications.<br />
TME 10 solves the challenges of network and applications management, while<br />
still using the management disciplines known from legacy systems.<br />
With TME 10, a service provider can:<br />
• Improve the availability, reliability, security, and integrity of your<br />
applications.<br />
• Get a solid, rapid return on your investment. An in-depth study of 13<br />
companies showed average break even in 116 days.<br />
• Deploy applications with unprecedented levels of security and control.<br />
• Reduce the time required to bring new applications to users.<br />
TME 10 allows for full-cycle applications management, from S/390 data centers to<br />
UNIX and Windows NT servers to laptops to the Internet, all controlled with one<br />
coherent approach.<br />
Using an industry-standard, open object-oriented framework, TME 10 solves the<br />
major problems of applications management, including software deployment,<br />
resource availability, task automation, user administration, and much more.<br />
TME 10 products handle the most compelling management tasks, organized<br />
according to the following four management disciplines:<br />
• Deployment<br />
• Security<br />
• Availability<br />
• Operations and administration<br />
B.14.2 VideoCharger<br />
VideoCharger Server for AIX provides a client/server solution for the delivery of<br />
audio and video to Internet- or intranet-connected clients. The video is streamed<br />
across the network, enabling real-time delivery and eliminating the need to<br />
download or save a file before video and audio is played. With the additional<br />
stream support provided in this release of VideoCharger Server for AIX,<br />
scalability is significantly enhanced. For more information on the VideoCharger<br />
products please look into the following Web site:<br />
http://www.rs6000.ibm.com/solutions/videoservers.<br />
B.14.3 Electronic Yellow Pages<br />
This offering can be used to start a base service that can accommodate a much<br />
greater depth of content and services than the Yellow Pages print directory,<br />
while leveraging the familiar print Yellow Pages product. The software for the<br />
base service supports familiar categories/headings and advertising features<br />
such as bold listings and display ads. It also offers the ability to link to product<br />
and service provider Web sites, e-mail, coupons, maps, consumer guides and<br />
reviews, community interest information, catalogs and electronic shopping.<br />
Users interact with a publisher-customized graphical user interface (GUI) to<br />
conduct a search by geographical area, by heading, by keyword and by brand.<br />
The core of the solution is the <strong>IBM</strong> DB2 Multimedia Relational Extenders, which<br />
add the capability to define and implement new complex data types (text, image,<br />
audio, and video). DB2 Extenders allow the solution to deliver listing, brand and<br />
display advertising to the user similar to that which is delivered by the paper<br />
product today. The solution primarily resides on the RS/6000 hardware platform.<br />
The most important services components are:<br />
• Client/server technology supporting all required standard interfaces<br />
(RS/6000, AIX).<br />
• Availability of electronic commerce options for future incorporation into the<br />
online yellow page directory service.<br />
• A highly flexible search engine design supporting retrieval of any<br />
combination of elements (DB2); flexible business model options; choice of<br />
self-owned and -supported directory service or one owned and hosted by<br />
<strong>IBM</strong>.<br />
<strong>IBM</strong>'s Internet Yellow Page Solution is a collection of <strong>IBM</strong> software and<br />
hardware products. These off-the-shelf products are integrated with custom<br />
software to create a solution targeted at the needs of the telecommunication<br />
industry. This generic solution can be customized by <strong>IBM</strong> or customers to<br />
meet exact requirements.<br />
B.14.4 Electronic White Pages<br />
The Electronic White Pages solution provides a way to access the <strong>IBM</strong> ISx<br />
Listing Services Inquiry Program (LSIP) white pages database via the Internet.<br />
Using a standard Web browser, an LSIP type of query can be submitted and<br />
presented to the end user in a simple listing format. Taking advantage of<br />
existing ISx (Directory Assistance) products, this generic solution provides a very<br />
economical means of providing white pages information to end users via the<br />
new electronic medium.<br />
Hardware: RS/6000, end user PC<br />
Software: AIX, Windows or OS/2 for end user PC, Netscape Web browser<br />
Services: Services are likely to include solution customization, meaning<br />
additional chargeable features to meet customer requirements beyond those<br />
provided by the basic solution. As this is a customer installable product,<br />
services for turnkey installation by <strong>IBM</strong> will be available.<br />
B.14.5 Other Solutions for ISPs<br />
The following solutions are available as LPPs or RS/6000 Internet<br />
POWERsolutions. <strong>IBM</strong> RS/6000 Internet POWERsolutions are a comprehensive<br />
family of packages designed specifically to help customers take advantage of the<br />
Internet. Built around <strong>IBM</strong>'s award-winning AIX and RS/6000 technologies, each<br />
package includes a choice of an RS/6000 server and a selection of Internet or<br />
intranet products.<br />
Some POWERsolutions provide preinstalled software on the RS/6000 of choice.<br />
Others are more complex and require a great deal of installation and<br />
customization work. These more complex ones, such as Net.Commerce, are<br />
provided as a reference to facilitate the task of assembling the POWERsolution.<br />
B.14.5.1 Netscape Proxy<br />
An organization can use Netscape Proxy Server to cache frequently requested<br />
information at Internet gateways, departments, and remote offices, providing<br />
users with fast access to information while tracking and controlling access to<br />
network resources.<br />
B.14.5.2 Netscape Mail<br />
Send e-mail with rich, multimedia content across the enterprise and the Internet.<br />
Netscape Mail Server quickly delivers e-mail with embedded sound, graphics,<br />
video files, HTML forms, Java applets, and desktop applications. They<br />
outperform other messaging systems in the speed of message processing,<br />
handling of queues, and power of directory lookups, and they can communicate<br />
with virtually all mail systems and gateways.<br />
B.14.5.3 Netscape News<br />
Netscape News Server makes collaboration and knowledge sharing among<br />
teams easy and effective. A company's employees can participate in private<br />
virtual meetings that break down barriers of time and distance. Users can<br />
create their own discussion groups to share product development ideas, allow<br />
customers to discuss problems and request information, check the status of<br />
requests and billing information, track and distribute competitive information<br />
from the field, and develop communities of interest around products and<br />
services.<br />
B.14.5.4 Netscape Merchant<br />
Netscape Merchant System allows businesses to quickly and easily build<br />
full-featured Web-based shopping sites. Netscape Merchant System handles the<br />
nuts and bolts, providing all the features needed to operate a sophisticated<br />
online storefront from front to back, including product information and display<br />
updates, order processing and calculation of shipping and sales tax charges,<br />
secure credit card transaction processing, and secure delivery of completed<br />
orders for fulfillment processing.<br />
B.14.5.5 Netscape Enterprise Server<br />
Netscape Enterprise Server is a high-performance, secure World Wide Web<br />
server for creating, managing, and intelligently distributing information and<br />
running Internet applications. It is an open platform for creating network-centric<br />
applications using cross-platform tools based on the Java and JavaScript<br />
programming languages.<br />
B.14.5.6 Haystack WebStalker<br />
WebStalker Pro for AIX is an automated software tool that acts as a<br />
“watchdog-in-a-box,” actively patrolling the entire Web site, helping to ensure<br />
the integrity of the server 24 hours a day. Developed by Haystack Labs Inc.,<br />
WebStalker Pro operates in real-time, watching all processes on the entire Web<br />
server, cutting off abusive connections as they happen, and sending immediate<br />
alarms with details of suspicious activities. WebStalker Pro is available as an<br />
additional option for qualified RS/6000 Internet POWERsolutions, which are<br />
prepackaged Internet server systems.<br />
B.14.5.7 Check Point Firewall<br />
The Check Point FireWall-1 enterprise security solution is a comprehensive<br />
application suite that integrates access control, authentication, encryption,<br />
network address translation, content security, auditing, and connection control.<br />
The suite is unified by Check Point's OPSEC policy management framework,<br />
which provides integration and enterprise management for FireWall-1 and many<br />
third-party network security applications.<br />
B.15 Lotus Press Release<br />
Contact:<br />
Dawn Geary, Lois Paul & Partners, (617) 238-5700, Dawn_Geary@lpp.com<br />
Lisa Burke, Lotus Development Corp., (617) 693-1571, Lisa_Burke@lotus.com<br />
Lotus Announces Instant!TEAMROOM<br />
Rentable Collaborative Application<br />
Extends Global Collaboration to Any Size Organization via Web Browsers;<br />
Interliant and NETCOM to Host Initial Rental Availability<br />
NEW YORK, June 17, 1997 -- As part of its initiative to extend Notes and Domino<br />
technology to small and medium sized businesses as well as to extranets, Lotus<br />
Development Corp. today announced the immediate availability of<br />
Instant!TEAMROOM, a rentable application hosted by Internet Service Providers<br />
(ISPs). Instant!TEAMROOM (formerly code-named Domino.Collaboration) allows<br />
workgroups to quickly and easily establish a private workspace outside of any<br />
one corporate firewall on the World Wide Web for collaborating on projects in an<br />
accessible, secure and affordable manner. Designed for teams in and among<br />
companies of all sizes to share ideas and information, store documents and<br />
track team progress and project status, Instant!TEAMROOM brings the power of<br />
collaboration well within the technical and financial reach of any group or<br />
organization.<br />
Instant!TEAMROOM is available now through Interliant and will be available<br />
through NETCOM Online Communications within 30 days. Instant!TEAMROOM<br />
will be offered by additional Internet Service Providers and other Lotus 'Net<br />
Service Provider, Alliance Partners ('NSP, Alliance Partners -- formerly known as<br />
Lotus Notes Public Network providers). The combined reach of these ISPs and<br />
'NSP, Alliance Partners makes Instant!TEAMROOM available to the entire global<br />
Internet community.<br />
Instant!TEAMROOM establishes a new category of application that leverages the<br />
Domino Instant! Host (formerly code-named SPA.Host) platform, enabling ISVs to<br />
develop and ISPs to host a catalog of rentable applications (see “Lotus and<br />
Business Partners Create Standard Platform for Developing and Hosting<br />
Rentable Applications”). Applications for the Domino Instant! platform -- to be<br />
developed by Lotus and its business partners worldwide -- are designed to<br />
provide organizations with easy and convenient access to a wide variety of<br />
solutions for collaborating on the Web.<br />
Both Instant!TEAMROOM and the Domino Instant! Host platform are part of<br />
Lotus' long-term strategy to extend and leverage the benefits of Lotus Domino<br />
technology by establishing new categories of rentable applications through new<br />
initiatives with Lotus Business Partners, ISPs and value-added resellers.<br />
“Instant!TEAMROOM is all about bringing the benefits of collaboration to any<br />
organization of any size, whether it be an ad hoc team of consultants managing<br />
a fundraising campaign, or a corporate division that needs to do business with<br />
geographically dispersed customers and suppliers,” said Brian Bell, vice<br />
president, Emerging Products Group, Lotus. “The Domino Instant! applications<br />
initiative gives our Business Partners and partner ISPs and 'NSP, Alliance<br />
Partners unprecedented opportunity for new revenue, opening a whole new<br />
market. We look forward to succeeding together in the emerging rentable<br />
applications space.”<br />
“With Instant!TEAMROOM, Lotus continues to be the leading innovator in the<br />
collaborative computing space,” said Eric Arnum, contributing editor, Electronic<br />
Mail and Messaging Systems. “Instant!TEAMROOM is unique in that it breaks<br />
down any existing barrier to entry -- administrative, technical, financial -- to<br />
collaborative computing. The rental applications market has big potential for<br />
software solutions vendors, ISPs and NSPAPs, and end users. With<br />
Instant!TEAMROOM, Lotus is providing groupware for the rest of us, signifying a<br />
winning opportunity for all parties.”<br />
Point, Click and Assemble a Team<br />
A PC with a Web browser supporting file attachments is all that is needed to<br />
create a teamroom. The team leader goes to the Instant!TEAMROOM Web site<br />
(http://www.lotus.com/instant) and selects a service provider from the list<br />
provided. Following step-by-step instructions, including selecting a teamroom<br />
URL, user name and password, the team leader completes a simple subscription<br />
form using a credit card number for payment. Within seconds, the team leader<br />
is notified that their private teamroom is ready to use. Once inside, the team<br />
leader can begin inviting other members to join. Each new invited member is<br />
automatically e-mailed a secure password along with their user name. As new<br />
documents and responses are created, authors are able to select specific user<br />
and group access rights for each document. The team leader is billed monthly<br />
by the ISP for only as long as the teamroom is active. Once a project is<br />
completed, teamroom contents can be deleted or, for a fee, archived.<br />
Work the Web Anytime from Anywhere -- Easily and Securely<br />
Instant!TEAMROOM is accessible through the Web, 24 hours a day, from<br />
wherever team members are located. Because Instant!TEAMROOM is based on<br />
Lotus' Domino technology, users can be assured that any communications or<br />
transactions involved are secure.<br />
Louis P. Batson III Architects of Greenville, SC first utilized Instant!TEAMROOM<br />
as an extended intranet site through which the organization collaborates with a<br />
staff architect who works from home.<br />
“In this instance we are using Instant!TEAMROOM as an internal CAD<br />
management tool, allowing us to share drawings and respond to questions,”<br />
explained Clay Gandy, Intern Architect. “But now that we've seen how powerful<br />
this process can be, we're about to start a site with a consulting engineer. By<br />
sharing information with critical members of our extended team, we hope to<br />
capture the design development process, and to see how it serves us as a<br />
history of the project.” Gandy noted that, in addition to being a powerful<br />
resource, Instant!TEAMROOM was “a lot more configurable than I originally<br />
thought. I've been able to customize it quite a bit in order to make it work<br />
specifically for our industry.”<br />
Create an Instant!TEAMROOM Now<br />
Today, users can subscribe to Instant!TEAMROOM through Interliant via the<br />
Instant!TEAMROOM Web site (http://www.lotus.com/instant/).<br />
Instant!TEAMROOM will also be available through NETCOM within 30 days.<br />
Additional ISPs and many of the Lotus 'Net Service Provider, Alliance Partners<br />
will soon be offering Instant!TEAMROOM.<br />
“Hosting Instant!TEAMROOM is a natural extension of Interliant's corporate<br />
strategy of building global communities. It provides our customers with a secure<br />
space to collaborate with business partners, clients and other contacts on the<br />
Web. By offering Instant!TEAMROOM on a rental basis, we are delivering<br />
revolutionary collaborative tools to our customers without imposing long-term<br />
commitments to infrastructure or deployment cycles,” said Jim Lidestri,<br />
President and CEO of Interliant. Mike Kallet, senior vice president of products<br />
and services at NETCOM commented, “With Instant!TEAMROOM, our customers<br />
will benefit from immediate collaborative computing. This partnership with Lotus<br />
enables NETCOM to continue to provide customers with value-added Internet<br />
services for advanced productivity.”<br />
Systems Requirements, Pricing, Availability<br />
Instant!TEAMROOM subscriptions are available through a growing list of Lotus<br />
Business Partner ISPs and 'NSP, Alliance Partners via links from the<br />
Instant!TEAMROOM Web site (www.lotus.com/instant). Subscription rates are<br />
determined by the individual ISPs and 'NSP, Alliance Partners hosting the<br />
service. Instant!TEAMROOM currently supports Netscape Navigator 3.x, and will<br />
support Microsoft Internet Explorer 4.x when it becomes commercially available.<br />
Lotus Development Corporation, founded in 1982, is a subsidiary of <strong>IBM</strong><br />
Corporation. Lotus offers high quality software products and services that reflect<br />
the company's unique understanding of the new ways in which individuals and<br />
businesses must work together to achieve success. Lotus' innovative approach<br />
is evident in a new class of applications that allow users to access and<br />
communicate information in ways never before possible, both within and beyond<br />
organizational boundaries. Lotus now markets its products in more than 80<br />
countries worldwide and provides numerous professional consulting, support and<br />
education services through the Lotus Services Group.<br />
###<br />
Lotus and Lotus Notes are registered trademarks, and Domino, Domino Instant!,<br />
Domino Instant! Host, Instant!TEAMROOM, Instant! Host, Lotus 'Net Service<br />
Providers and Alliance Partners are trademarks of Lotus Development<br />
Corporation. All other company names and products are trademarks or<br />
registered trademarks of their respective companies.<br />
EDITOR'S NOTE: All Lotus news releases are available on the Internet, via the<br />
Lotus Development Corp. Home Page at http://www.lotus.com/. The Lotus<br />
Home Page is an easy way to find information about Lotus and its business<br />
partners' products and services.<br />
A copy of this release and other company information are also available via fax<br />
by dialing 1-800-57-LOTUS within the U.S. and Canada or 201-946-2336 outside<br />
the U.S. and Canada<br />
Contact: Dawn Geary or Rick McLaughlin, Lois Paul &amp; Partners, (617) 238-5700, Dawn_Geary@lpp.com, Rick_McLaughin@lpp.com<br />
Lisa Burke, Lotus Development Corp., (617) 693-1571, Lisa_Burke@lotus.com<br />
FOR IMMEDIATE RELEASE<br />
PC Expo Booth # 3422 & 3436<br />
Lotus and Business Partners Create Standard Platform<br />
for Developing and Hosting Rentable Applications<br />
Combined Efforts to Fuel Rentable Applications Market; Lotus and Interliant<br />
Team to Develop Domino Instant! Host<br />
NEW YORK, June 17, 1997 -- Lotus Development Corp. today announced<br />
relationships under which Lotus and its Business Partners will provide<br />
Domino-based enabling tools and platforms to small and medium sized<br />
enterprises, which will facilitate the growth of the emerging rentable applications<br />
industry. Lotus Business Partners - Independent Software Vendors (ISV),<br />
Internet Service Providers (ISP) and other Lotus 'Net Service Providers, Alliance<br />
Partners ('NSP, Alliance Partners) - will be able to develop and provide catalogs<br />
of rentable applications that will allow end users to quickly and easily access<br />
and self-manage collaborative Web-based applications.<br />
As part of these relationships, Lotus and Interliant are jointly developing Domino<br />
Instant! Host, the hosting platform by which Domino-based applications may be<br />
rented through ISPs and 'NSP, Alliance Partners (formerly known as Lotus Notes<br />
Public Network providers), and a new version of the Domino Instant! Host<br />
Software Developer Kit which will allow ISVs to modify existing or develop and<br />
test new Domino-based applications so that they are rentable via the Domino<br />
Instant! Host platform.<br />
In addition, Lotus announced that it has completed work with Changepoint<br />
International Corporation to ensure that Changepoint's Involv application suite<br />
and the Involv Host platform, which enables ISVs to develop, host and manage<br />
their own end-user self-service applications are compatible with the Domino<br />
Instant! Host application programming interface (API). This provides ISVs<br />
interested in developing and servicing their own collaborative applications today,<br />
for either rental on the Web or for deployment on corporate intranets, with a<br />
level of assurance that those applications will be upwardly compatible to the<br />
Domino Instant! Host platform.<br />
“Together with our Business Partners, we will leverage our combined<br />
experience in delivering collaborative solutions to lead this emerging market.<br />
Lotus, our Business Partners, ISPs and 'NSP, Alliance Partners see the<br />
tremendous value that rentable applications can provide our customers,” said<br />
Steve Brand, director of Hosted Internet Solutions, Lotus' Emerging Products<br />
Group. “The concept of making Web-based collaborative applications universally<br />
accessible through a rentable model offers tremendous opportunities for ISVs<br />
and service providers. ISVs can reach previously inaccessible businesses and<br />
organizations of all sizes. For ISPs and 'NSP, Alliance Partners rentable<br />
Domino-based applications represent an opportunity to provide their customers<br />
with a new class of collaborative Web applications.”<br />
“Lotus is providing the tools to make rentable applications a reality,” said Eric<br />
Arnum, contributing editor, Electronic Mail and Messaging Systems. “Lotus, its<br />
partners and customers - especially small and medium sized enterprises - will<br />
benefit from rentable applications because they do not require an IS staff to run<br />
them and they reduce the cost of ownership. Service providers will gain a vast<br />
set of vertical, value-added applications to offer customers. Business Partners<br />
will gain a new market opportunity for their applications, and customers will<br />
have easy access to thousands of applications in an affordable and timely<br />
manner.”<br />
Applications developed for the Domino Instant! Host platform are designed for<br />
use by individuals or organizations who need to collaborate but lack either the<br />
technical expertise, time or financial resources required to set up a Web server<br />
for a single application, or simply need to move quickly on a project. Because<br />
the applications are rented through ISPs and other 'NSP, Alliance Partners<br />
customers pay for them only as long as they have a need for them.<br />
These agreements are part of an overarching strategy to allow Lotus and its<br />
Business Partners to establish a new category of applications that leverages<br />
Domino to provide rentable applications and further extend Domino to the small<br />
and medium enterprise market. Domino Instant! Host and leading-edge<br />
rentable applications based on this platform are possible through Domino, the<br />
premier collaborative Web applications server.<br />
Interliant and Lotus to Provide Hosting Platform and Developers Kit<br />
Interliant and Lotus are jointly developing Domino Instant! Host and the Domino<br />
Instant! Host Software Developer Kit to help ensure that thousands of existing<br />
and future horizontal and vertical Domino-based applications will be offered by<br />
service providers by allowing ISVs to develop and test rentable Domino-based<br />
applications. The technologies greatly simplify the steps developers and ISPs<br />
would otherwise need to take to make applications available for rent by<br />
eliminating the need for service providers and Web application developers to<br />
customize, respectively, their hosting environments and applications. This will<br />
result in providing Web users of all needs access to catalogs of rentable<br />
business solutions on a “pay as you go” basis.<br />
The development of Domino Instant! Host merges Lotus' experience with<br />
groupware and Interliant's expertise in providing support for network-centric<br />
applications to bring a powerful, versatile platform to market. The Domino<br />
Instant! Host platform is designed to be run by service providers and facilitates<br />
the interaction between the platform and the application, including billing,<br />
tracking and maintenance of applications. Applications hosted on the platform<br />
can be initiated from any Web browser supporting file attachments through an<br />
easy, step-by-step process that establishes a billing record, registers authorized<br />
participants and obtains a URL for the site. The applications will also automate<br />
such administrative tasks as reserving space on the service provider's Web<br />
server, installing the application and managing the disposition of the hosted<br />
content at the end of a project.<br />
The Domino Instant! Host Software Developer Kit includes a development and<br />
runtime environment where ISVs can develop and test their applications, an<br />
architectural overview of the Domino Instant! Host platform and an API<br />
specification that delivers standardized methods for interaction between the<br />
service provider's hosting environment and the Lotus Business Partner's<br />
application.<br />
“Lotus has consistently pushed the envelope of collaborative computing. We<br />
welcome the opportunity to work closely with Lotus to develop new technologies<br />
that will enable our ISV partners to develop network-centric applications quickly<br />
and easily,” said Jim Lidestri, president and CEO of Interliant. “We′ve already<br />
received an excellent response from partners eager to deliver rental applications<br />
with Domino Instant! Host and Interliant.”<br />
“By leveraging our service providers' experience we'll provide the breadth and<br />
depth of offerings required to drive the rentable applications market,” said Lotus'<br />
Brand. “Interliant brings valuable insight into the way that ISPs will integrate and<br />
ISVs will develop to this platform.”<br />
Platform Compatibility Extends Opportunities for ISVs<br />
By developing and freely distributing the Domino Instant! Host APIs via the<br />
Domino Instant! Host Software Developers Kit, Lotus is establishing one standard<br />
for all Domino-based rental applications. As part of this effort, Lotus is working<br />
with Changepoint International Corporation to ensure that applications developed<br />
for Changepoint's Involv Host (see related Changepoint release) are written to<br />
the same Instant! Host APIs that are supported by the Domino Instant! Host<br />
platform. This enables Business Partners to develop, test and deploy<br />
self-service collaborative applications today while allowing their development<br />
efforts to be leveraged to the Domino Instant! Host platform.<br />
“The Domino Instant! Host platform is setting the standard for rentable or<br />
self-service collaborative applications designed for use over the Web, via a<br />
private intranet infrastructure or extranet,” said Brand. “Working closely with<br />
Changepoint ensures that ISVs have a single standard allowing them to have a<br />
major presence in the rentable applications market today and in the future.”<br />
Availability and Pricing<br />
Version 1.1 of the Domino Instant! Host Software Developer Kit (a.k.a. Domino<br />
SPA Developers Kit) will be available in July and the Domino Instant! Host<br />
platform is scheduled for first availability to ISPs in the third quarter. Pricing for<br />
use of applications will be set individually by the service provider.<br />
The Domino Instant! Host Software Developer Kit is available to all authorized<br />
Lotus Business Partners via Lotus' Web site (http://www.lotus.com/). Web<br />
developers interested in receiving the Domino Instant! Host Software Developer<br />
Kit should register to become a Lotus Business Partner via Lotus′ Web site or<br />
via the Instant! applications home page (http://www.lotus.com/instant).<br />
###<br />
Appendix C. Special Notices<br />
This publication is intended to help <strong>IBM</strong>ers, business partners and customers to<br />
decide on offering an ISP service. The information in this publication is not<br />
intended as the specification of any programming interfaces that are provided by<br />
any <strong>IBM</strong> product. See the PUBLICATIONS section of the <strong>IBM</strong> Programming<br />
Announcement for each <strong>IBM</strong> product for more information about what<br />
publications are considered to be product documentation.<br />
References in this publication to <strong>IBM</strong> products, programs or services do not<br />
imply that <strong>IBM</strong> intends to make these available in all countries in which <strong>IBM</strong><br />
operates. Any reference to an <strong>IBM</strong> product, program, or service is not intended<br />
to state or imply that only <strong>IBM</strong>'s product, program, or service may be used. Any<br />
functionally equivalent program that does not infringe any of <strong>IBM</strong>'s intellectual<br />
property rights may be used instead of the <strong>IBM</strong> product, program or service.<br />
Information in this book was developed in conjunction with use of the equipment<br />
specified, and is limited in application to those specific hardware and software<br />
products and levels.<br />
<strong>IBM</strong> may have patents or pending patent applications covering subject matter in<br />
this document. The furnishing of this document does not give you any license to<br />
these patents. You can send license inquiries, in writing, to the <strong>IBM</strong> Director of<br />
Licensing, <strong>IBM</strong> Corporation, 500 Columbus Avenue, Thornwood, NY 10594 USA.<br />
Licensees of this program who wish to have information about it for the purpose<br />
of enabling: (i) the exchange of information between independently created<br />
programs and other programs (including this one) and (ii) the mutual use of the<br />
information which has been exchanged, should contact <strong>IBM</strong> Corporation, Dept.<br />
600A, Mail Drop 1329, Somers, NY 10589 USA.<br />
Such information may be available, subject to appropriate terms and conditions,<br />
including in some cases, payment of a fee.<br />
The information contained in this document has not been submitted to any<br />
formal <strong>IBM</strong> test and is distributed AS IS. The use of this information or the<br />
implementation of any of these techniques is a customer responsibility and<br />
depends on the customer's ability to evaluate and integrate them into the<br />
customer's operational environment. While each item may have been reviewed<br />
by <strong>IBM</strong> for accuracy in a specific situation, there is no guarantee that the same<br />
or similar results will be obtained elsewhere. Customers attempting to adapt<br />
these techniques to their own environments do so at their own risk.<br />
The following terms are trademarks of the International Business Machines<br />
Corporation in the United States and/or other countries:<br />
AIX AIX/6000<br />
AlphaWorks APPN<br />
AS/400 AT<br />
CICS CICS/6000<br />
Cryptolope Current<br />
DataJoiner DB2<br />
DB2 Extenders Deep Blue<br />
ESCON <strong>IBM</strong><br />
<strong>IBM</strong> Global Network IMS<br />
LAN Distance LoadLeveler<br />
Micro Channel MVS/ESA<br />
Net.Data NetFinity<br />
NetView Nways<br />
OS/2 OS/390<br />
OS/400 Parallel Sysplex<br />
Personal Security Power Series<br />
PowerPC 604 PowerPC<br />
RACF RISC System/6000<br />
RS/6000 S/390<br />
SecureWay SP<br />
System/36 SystemView<br />
System/390 ThinkPad<br />
TrackPoint VSE/ESA<br />
WaveRunner WebExplorer<br />
Workplace <strong>IBM</strong>®<br />
The following terms are trademarks of other companies:<br />
C-bus is a trademark of Corollary, Inc.<br />
Java and HotJava are trademarks of Sun Microsystems, Incorporated.<br />
Microsoft, Windows, Windows NT, and the Windows 95 logo are trademarks<br />
or registered trademarks of Microsoft Corporation.<br />
PC Direct is a trademark of Ziff Communications Company and is used<br />
by <strong>IBM</strong> Corporation under license.<br />
Pentium, MMX, ProShare, LANDesk, and ActionMedia are trademarks or<br />
registered trademarks of Intel Corporation in the U.S. and other<br />
countries.<br />
UNIX is a registered trademark in the United States and other<br />
countries licensed exclusively through X/Open Company Limited.<br />
Other company, product, and service names may be trademarks or<br />
service marks of others.<br />
Appendix D. Related Publications<br />
The publications listed in this section are considered particularly suitable for a<br />
more detailed discussion of the topics covered in this redbook.<br />
D.1 International Technical Support Organization Publications<br />
For information on ordering these ITSO publications see “How to Get ITSO<br />
<strong>Redbooks</strong>” on page 361.<br />
• <strong>IBM</strong> 8235 Dial-In Access to LANs Server: Concepts and Implementation,<br />
SG24-4816<br />
• <strong>IBM</strong> 2210 Nways Multiprotocol Router Description and Configuration<br />
Scenarios, SG24-4446<br />
• The Basics of IP Network Design, SG24-2580<br />
• <strong>IBM</strong> Frame Relay Guide, GG24-4463<br />
• ATM Technical Overview, SG24-4625<br />
• Nways 2216 Multiaccess Connector Description and Configuration, SG24-4957<br />
• Building the Infrastructure for the Internet, SG24-4824<br />
• <strong>IBM</strong> PC Server Technology and Selection Reference, SG24-4760<br />
• LAN Concepts and Products: Adapters, Hubs and ATM, SG24-4754<br />
D.2 <strong>Redbooks</strong> on CD-ROMs<br />
<strong>Redbooks</strong> are also available on CD-ROMs. Order a subscription and receive<br />
updates 2-4 times a year at significant savings.<br />
CD-ROM Title (Subscription Number / Collection Kit Number):<br />
• System/390 <strong>Redbooks</strong> Collection (SBOF-7201 / SK2T-2177)<br />
• Networking and Systems Management <strong>Redbooks</strong> Collection (SBOF-7370 / SK2T-6022)<br />
• Transaction Processing and Data Management Redbook (SBOF-7240 / SK2T-8038)<br />
• AS/400 <strong>Redbooks</strong> Collection (SBOF-7270 / SK2T-2849)<br />
• RS/6000 <strong>Redbooks</strong> Collection (HTML, BkMgr) (SBOF-7230 / SK2T-8040)<br />
• RS/6000 <strong>Redbooks</strong> Collection (PostScript) (SBOF-7205 / SK2T-8041)<br />
• Application Development <strong>Redbooks</strong> Collection (SBOF-7290 / SK2T-8037)<br />
• Personal Systems <strong>Redbooks</strong> Collection (SBOF-7250 / SK2T-8042)<br />
D.3 Other Publications<br />
These publications are also relevant as further information sources:<br />
• Trusted Network Interpretation of the Trusted Computer System Evaluation<br />
Criteria, NCSC-TG-005<br />
• RFC 1492 - An Access Control Protocol, Sometimes Called TACACS<br />
How to Get ITSO <strong>Redbooks</strong><br />
This section explains how both customers and <strong>IBM</strong> employees can find out about ITSO redbooks, CD-ROMs,<br />
workshops, and residencies. A form for ordering books and CD-ROMs is also provided.<br />
This information was current at the time of publication, but is continually subject to change. The latest<br />
information may be found at http://www.redbooks.ibm.com.<br />
How <strong>IBM</strong> Employees Can Get ITSO <strong>Redbooks</strong><br />
Employees may request ITSO deliverables (redbooks, BookManager BOOKs, and CD-ROMs) and information about<br />
redbooks, workshops, and residencies in the following ways:<br />
• PUBORDER — to order hardcopies in United States<br />
• GOPHER link to the Internet - type GOPHER.WTSCPOK.ITSO.<strong>IBM</strong>.COM<br />
• Tools disks<br />
To get LIST3820s of redbooks, type one of the following commands:<br />
TOOLS SENDTO EHONE4 TOOLS2 REDPRINT GET SG24xxxx PACKAGE<br />
TOOLS SENDTO CANVM2 TOOLS REDPRINT GET SG24xxxx PACKAGE (Canadian users only)<br />
To get BookManager BOOKs of redbooks, type the following command:<br />
TOOLCAT REDBOOKS<br />
To get lists of redbooks, type one of the following commands:<br />
TOOLS SENDTO USDIST MKTTOOLS MKTTOOLS GET ITSOCAT TXT<br />
TOOLS SENDTO USDIST MKTTOOLS MKTTOOLS GET LISTSERV PACKAGE<br />
To register for information on workshops, residencies, and redbooks, type the following command:<br />
TOOLS SENDTO WTSCPOK TOOLS ZDISK GET ITSOREGI 1996<br />
For a list of product area specialists in the ITSO: type the following command:<br />
TOOLS SENDTO WTSCPOK TOOLS ZDISK GET ORGCARD PACKAGE<br />
• <strong>Redbooks</strong> Web Site on the World Wide Web<br />
http://w3.itso.ibm.com/redbooks<br />
• <strong>IBM</strong> Direct Publications Catalog on the World Wide Web<br />
http://www.elink.ibmlink.ibm.com/pbl/pbl<br />
<strong>IBM</strong> employees may obtain LIST3820s of redbooks from this page.<br />
• REDBOOKS category on INEWS<br />
• Online — send orders to: USIB6FPL at <strong>IBM</strong>MAIL or DK<strong>IBM</strong>BSH at <strong>IBM</strong>MAIL<br />
• Internet Listserver<br />
With an Internet e-mail address, anyone can subscribe to an <strong>IBM</strong> Announcement Listserver. To initiate the<br />
service, send an e-mail note to announce@webster.ibmlink.ibm.com with the keyword subscribe in the body of<br />
the note (leave the subject line blank). A category form and detailed instructions will be sent to you.<br />
Redpieces<br />
For information so current it is still in the process of being written, look at “Redpieces” on the <strong>Redbooks</strong> Web<br />
Site (http://www.redbooks.ibm.com/redpieces.htm). Redpieces are redbooks in progress; not all redbooks<br />
become redpieces, and sometimes just a few chapters will be published this way. The intent is to get the<br />
information out much quicker than the formal publishing process allows.<br />
How Customers Can Get ITSO <strong>Redbooks</strong><br />
Customers may request ITSO deliverables (redbooks, BookManager BOOKs, and CD-ROMs) and information about<br />
redbooks, workshops, and residencies in the following ways:<br />
• Online Orders — send orders to:<br />
<strong>IBM</strong>MAIL Internet<br />
In United States: usib6fpl at ibmmail usib6fpl@ibmmail.com<br />
In Canada: caibmbkz at ibmmail lmannix@vnet.ibm.com<br />
Outside North America: dkibmbsh at ibmmail bookshop@dk.ibm.com<br />
• Telephone orders<br />
United States (toll free) 1-800-879-2755<br />
Canada (toll free) 1-800-<strong>IBM</strong>-4YOU<br />
Outside North America (long distance charges apply)<br />
(+45) 4810-1320 - Danish<br />
(+45) 4810-1420 - Dutch<br />
(+45) 4810-1540 - English<br />
(+45) 4810-1670 - Finnish<br />
(+45) 4810-1220 - French<br />
(+45) 4810-1020 - German<br />
(+45) 4810-1620 - Italian<br />
(+45) 4810-1270 - Norwegian<br />
(+45) 4810-1120 - Spanish<br />
(+45) 4810-1170 - Swedish<br />
• Mail Orders — send orders to:<br />
<strong>IBM</strong> Publications<br />
Publications Customer Support<br />
P.O. Box 29570<br />
Raleigh, NC 27626-0570<br />
USA<br />
<strong>IBM</strong> Publications<br />
144-4th Avenue, S.W.<br />
Calgary, Alberta T2P 3N5<br />
Canada<br />
<strong>IBM</strong> Direct Services<br />
Sortemosevej 21<br />
DK-3450 Allerød<br />
Denmark<br />
• Fax — send orders to:<br />
United States (toll free) 1-800-445-9269<br />
Canada 1-403-267-4455<br />
Outside North America (+45) 48 14 2207 (long distance charge)<br />
• 1-800-<strong>IBM</strong>-4FAX (United States) or (+1)001-408-256-5422 (Outside USA) — ask for:<br />
Index # 4421 Abstracts of new redbooks<br />
Index # 4422 <strong>IBM</strong> redbooks<br />
Index # 4420 <strong>Redbooks</strong> for last six months<br />
• Direct Services - send note to softwareshop@vnet.ibm.com<br />
• On the World Wide Web<br />
<strong>Redbooks</strong> Web Site http://www.redbooks.ibm.com<br />
<strong>IBM</strong> Direct Publications Catalog http://www.elink.ibmlink.ibm.com/pbl/pbl<br />
• Internet Listserver<br />
With an Internet e-mail address, anyone can subscribe to an <strong>IBM</strong> Announcement Listserver. To initiate the<br />
service, send an e-mail note to announce@webster.ibmlink.ibm.com with the keyword subscribe in the body of<br />
the note (leave the subject line blank).<br />
Redpieces<br />
For information so current it is still in the process of being written, look at "Redpieces" on the <strong>Redbooks</strong> Web<br />
Site (http://www.redbooks.ibm.com/redpieces.htm). Redpieces are redbooks in progress; not all redbooks<br />
become redpieces, and sometimes just a few chapters will be published this way. The intent is to get the<br />
information out much quicker than the formal publishing process allows.<br />
<strong>IBM</strong> Redbook Order Form<br />
Please send me the following:<br />
Title Order Number Quantity<br />
First name Last name<br />
Company<br />
Address<br />
City Postal code Country<br />
Telephone number Telefax number VAT number<br />
• Invoice to customer number<br />
• Credit card number<br />
Credit card expiration date Card issued to Signature<br />
We accept American Express, Diners, Eurocard, Master Card, and Visa. Payment by credit card not<br />
available in all countries. Signature mandatory for credit card payment.<br />
Index<br />
Numerics<br />
1.5 Mbps 11<br />
10Base-T (UTP) 76<br />
10Base2 (Thin Ethernet) 76<br />
10Base5 (Thick Ethernet) 76<br />
44.6Mb/s 11<br />
56 kbps 10<br />
64 kbps 10<br />
8250 79<br />
A<br />
Abuse of privilege 228<br />
Access points 215<br />
accounting 251, 253<br />
ACE/Server 89, 254<br />
Activity 211<br />
Activity Logger 90<br />
address resolution protocol (ARP) 81, 82<br />
administrator password 247<br />
advertising 154, 158<br />
allocation of addresses 278<br />
Analysis 207<br />
API (application programming interface) 70<br />
Apple Remote Access (ARA) 85, 86, 88<br />
AppleTalk 85, 248<br />
application programming interface (API) 70<br />
ARA (Apple Remote Access) 85, 86, 88<br />
ARA routers 86<br />
ARAP (AppleTalk remote access protocol) 85<br />
ARP (address resolution protocol) 81, 82, 83<br />
AS numbers 277<br />
AS/400 267<br />
AS/400 FSIOP 127<br />
AS/400 native applications on the Web 127<br />
AS/400 Notes support 127<br />
AS/400 POP3 implementation 127<br />
AS/400 security 127<br />
Audio File Formats<br />
.aif,.aiff and .aifc 183<br />
.au and .snd 183<br />
.mod 184<br />
.wav 183<br />
Audio formats 183<br />
AUI (Thick Ethernet) 75<br />
authentication 228, 248, 249, 250, 252, 253<br />
protocols 139<br />
Authentication Protocols for PPP 240<br />
Authorization 228, 248, 249, 250<br />
Average Web response size 268<br />
B<br />
Backup 221<br />
Bandwidth 270<br />
bibliography 359<br />
billing 251<br />
Bindery 248, 249<br />
Blockade 251<br />
Blockade DAS 251<br />
BNC (Thin Ethernet) 75<br />
BOOTP (boot protocol) 82<br />
BRI module 79<br />
bridging 80<br />
broadcast packets 86<br />
C<br />
CA 165<br />
cables<br />
Calculating HTTP operations 291<br />
Campus 206<br />
Care 206<br />
CCL (Connection Control Language) 89<br />
certification authority 165<br />
challenge 141, 228<br />
Challenge-Handshake Authentication Protocol (CHAP) 241<br />
channel aggregation 71, 72<br />
CHAP 250<br />
CHAP/PAP 140<br />
Checksums 239<br />
CICS 130<br />
class of address 284<br />
clear and download 78<br />
client event logging 70<br />
CMIP 150, 152, 153<br />
CMIS 150, 153<br />
CMOT 150, 152, 153<br />
Common sense 216<br />
Communications programs 207<br />
Compact discs 187<br />
Compuserve GIF 183<br />
Computer users 206<br />
computers 207<br />
Configuring a server 292<br />
connect application 68<br />
Connection Control Language (CCL) 89<br />
Connection File Wizard 69<br />
Connection speed 270<br />
connectivity features 39, 43<br />
Content type 267<br />
Controls 216<br />
Copyright 211<br />
Cost 207<br />
cost based routing 278<br />
CPU card 93<br />
CRC 239<br />
Creation 206<br />
Critical 206<br />
Crypt 238<br />
Cryptosealing 239<br />
CSU/DSU 79<br />
CyberCash 162, 163, 166<br />
D<br />
DB/2 130<br />
Decisions 206<br />
Defender 248, 254<br />
Defender security server 255<br />
delta technology 71<br />
DES 238<br />
design considerations 284<br />
design problems 283<br />
DHCP 284<br />
dial-in 67, 68, 255<br />
dial-up 140, 143, 219<br />
DIFF 218<br />
Digicash 161<br />
Digital movie formats 186<br />
Digital phone-line 10<br />
Digital video file formats 187<br />
Digital video hardware requirements 187<br />
Digital video players 188<br />
Digital video software requirements 187<br />
Direct Satellite Broadcast 187<br />
Dividing daemons 291<br />
DMC 95, 96<br />
modem card 95<br />
domain name service 227<br />
Domain Name Services 51<br />
DOS drivers 68<br />
download 78<br />
DRAM (dynamic RAM) 93<br />
DUMP 221<br />
dynamic address allocation 284<br />
Dynamic content 268<br />
dynamic environments 278<br />
dynamic protocols 278<br />
dynamic RAM (DRAM) 93<br />
E<br />
E1 94<br />
ECPA 212<br />
EDI 162<br />
Educating 220<br />
EGP implementation 277<br />
electronic commerce<br />
protocols 159<br />
electronic store 166<br />
encryption 252<br />
end nodes 85<br />
ESS 252<br />
Ethernet 75, 77, 78, 94, 272<br />
event logging 70<br />
express installation 69<br />
F<br />
FAQ about capacity planning 292<br />
Fast Ethernet 272<br />
FDDI 272<br />
filtering<br />
IP packet 223<br />
filters, LLC SAP 80<br />
firewall 221<br />
element 223<br />
principles 223<br />
Fix 206, 221<br />
flash memory 93<br />
floating virtual connections (FVC) 70<br />
Forms 207<br />
frame types 84<br />
Full-color video 56, 179<br />
FVC (floating virtual connections) 70<br />
G<br />
game playing 219<br />
gatekeeper 244<br />
GIF 181<br />
GIF Frames 181<br />
GIF limitations 183<br />
GIF logical screen area 181<br />
GIF, benefit to use 182<br />
GIF87a 181<br />
GIF89a 181<br />
good performance 267<br />
Gray-scale video 179<br />
GTE 163<br />
H<br />
hacker 279<br />
handshake 140, 141<br />
Hardware 91, 207<br />
Hardware and software combination 279<br />
HELLO 278<br />
High-definition television 187<br />
hops 278<br />
Hot Plugging 32<br />
I<br />
I/O 283<br />
I40 91<br />
IAB 149, 150<br />
IANA 284<br />
<strong>IBM</strong> 2210 Nways 51<br />
<strong>IBM</strong> AS/400 127<br />
<strong>IBM</strong> RS/6000 121<br />
<strong>IBM</strong> S/390 130<br />
ICMP (Internet control message protocol) 82<br />
identification 253<br />
IETF (Internet Engineering Task Force) 250, 252<br />
IGP 277<br />
iKP 159, 163, 164, 165<br />
Implementation 206<br />
IMS 130<br />
In-house applications 283<br />
Infrastructure investment 291<br />
Intel 267<br />
Interface 293<br />
interface connectivity 35<br />
interface supported 32<br />
Interlacing 181<br />
Internet control message protocol (ICMP) 82<br />
Internet Engineering Task Force (IETF) 250, 252<br />
Internet Packet Exchange (IPX) 83, 84<br />
Internet protocol (IP) 81, 82<br />
InterNIC 51<br />
intranet 270<br />
IP packet filtering 223<br />
IPGATEWAY 87<br />
IPX (Internet Packet Exchange) 83, 84<br />
ISA 92<br />
ISDN 56, 272<br />
J<br />
Java Virtual Machine 191<br />
JPEG 179<br />
JPEG compression 180<br />
juggling virtual connections (JVC) 70<br />
K<br />
Kerberos 140, 142, 236, 250, 253<br />
Key element 206<br />
kinetics Internet protocol (KIP) 87<br />
KIP (kinetics Internet protocol) 87<br />
L<br />
LAN 272<br />
LAN implementations 278<br />
LAN-to-LAN 248, 255<br />
LanConnect applets 71<br />
large networks 278<br />
Large-volume transactions 130<br />
Leased lines 272<br />
Levels of responsibility 206<br />
limitations 96<br />
Linux 279<br />
LLC (low-layer capability) 80<br />
LLC SAP filters 80<br />
LME 152<br />
Logging 228<br />
lossy compression 180<br />
low-layer capability (LLC) 80<br />
LPP 153<br />
LS 218<br />
LZW compressed images 181<br />
M<br />
MAC 257<br />
Macintosh 87<br />
Magnetic media 207<br />
MAINT 220<br />
Management Facility (MF) 67, 72, 247<br />
MAS<br />
supporting protocols 37<br />
Master Card 163<br />
mastering 69<br />
MD5 250<br />
MDC 239<br />
MIB 149, 150, 151, 152<br />
MIDI<br />
channels 185<br />
device 185<br />
General standard 185<br />
mapper 185<br />
Sequencer 186<br />
Synthesizers, types of 185<br />
When to Use 186<br />
Mini-pay 161<br />
MIT 236<br />
MLP (Multilink protocol) 68, 71<br />
model I40 253<br />
Monitoring tools 217<br />
MOSS 164<br />
most recent router 85<br />
MPEG 187<br />
MPEG-2 187<br />
MQSeries 130<br />
MRS<br />
software packages 29<br />
Multilink protocol (MLP) 68, 71<br />
Multiple GIF images 181<br />
Multiple home-pages 293<br />
Multiple strategies 216<br />
Multiprocessing with AIX 283<br />
Multiprocessing with OS/2 283<br />
Multiprocessors 283<br />
multiprotocol 68<br />
MVIP 95<br />
MVS 251<br />
N<br />
name binding protocol (NBP) 87<br />
NDIS (network driver interface specification) 68<br />
NDS (NetWare Directory Service) 249<br />
Net.Commerce<br />
Daemon 168<br />
Net.Commerce (continued)<br />
Director 168<br />
electronic store 166, 167, 168<br />
Lotus Payment Switch 169<br />
merchant 166<br />
Store Administrator 168<br />
Store Creator 167<br />
Store Manager 167<br />
Template Editor 168<br />
Netbill 161<br />
NetBIOS 80<br />
NetWare 255<br />
Network managers 206<br />
networks supported 28<br />
NETX 68<br />
new port driver 70<br />
NMA 151<br />
NMS 151<br />
Novell NetWare 115<br />
Novell UNIXWare 115<br />
O<br />
Obscenity 212<br />
open data-link interface (ODI) 68<br />
Operating systems 207<br />
OS/2 drivers 68<br />
OSI 152, 153<br />
OSPF backbone 278<br />
out-band 244<br />
Overlooked 207<br />
P<br />
packet filtering router 224<br />
Paper 207<br />
Parallel servers 268<br />
passive routers 278<br />
password 139, 140, 141, 143, 144, 145, 146, 245, 247, 254<br />
Password Authentication Protocol (PAP) 241<br />
PCI 91, 92<br />
PDU 152<br />
PEM 164<br />
persistent connections (PC) 70<br />
personal identification number (PIN) 254<br />
physical access 244<br />
Physical security 217<br />
piggybacking updates 71<br />
PIN (personal identification number) 254<br />
pin reset switch 78<br />
PINPAD 254<br />
Playing movie files 187<br />
Policy 229<br />
Possible problems 215<br />
power status 73<br />
power switching 69<br />
PowerPC 283<br />
PPP 140<br />
PPP Authentication Protocols<br />
introduction to PPP Authentication Protocols 240<br />
Password Authentication Protocol (PAP) 241<br />
Scenario: PPP with Bridging 241<br />
Privileges 210<br />
Procedures 217<br />
Proper use 210<br />
Protect and proceed 209<br />
protocols 67<br />
proxy ARP 83<br />
proxy server 225<br />
public switched telephone network 68<br />
Pursue and prosecute 209<br />
Q<br />
QuickTime 188<br />
R<br />
RACF 130, 251<br />
RADIUS 140, 142, 146, 148, 248, 252<br />
RAW audio format 183<br />
rear panel 74<br />
Recommendations 291<br />
remote access 67<br />
Remote Authentication Dial-In User Service (RADIUS) 252<br />
Response 228<br />
Responsibilities 210<br />
Restrictions in applets 192<br />
RFC 249, 250<br />
ring parameter server (RPS) 81<br />
RIP 278<br />
RIP (routing information protocol) 82, 84<br />
RISC 267<br />
Risk 207<br />
ROOT 220<br />
router 143<br />
router network 278<br />
routing information protocol (RIP) 82, 84<br />
routing table maintenance protocol (RTMP) 85<br />
RPS (ring parameter server) 81<br />
RTMP (routing table maintenance protocol) 85<br />
S<br />
S-HTTP 159, 164, 256<br />
S/390 267<br />
S/390 security 130<br />
SAP (service advertising protocol) 84<br />
Scalability 283<br />
Scenario: PPP with Bridging 241<br />
SCO UNIX 115<br />
Secure Electronic Payment Protocol 163<br />
Secure servers 293<br />
Secure WWW Servers 255<br />
SecureNet Key 255<br />
SecurID 245, 248, 254<br />
SecurID (Security Dynamics ACE/Server) 88<br />
SecurID client 254<br />
SecurID token 254<br />
Security 71, 87, 242<br />
Security Mailing Lists 264<br />
Self-describing audio format 183<br />
SEPP 163<br />
Sequenced Packet eXchange (SPX) 84<br />
serial port status 73<br />
server<br />
proxy 225<br />
SOCKS 226<br />
service advertising protocol (SAP) 84<br />
service provider 277, 284<br />
SET 159, 162, 165, 166<br />
SGMP 150, 151<br />
SIM 151<br />
simple network management protocol (SNMP) 71, 90<br />
Simultaneous users 269<br />
Sizing a server 267<br />
Slip 127, 145<br />
slot 92<br />
SMAP 152<br />
smart card 254<br />
SMI 149, 150, 151, 152<br />
SMP applications 283<br />
SMP Systems 283<br />
SNMP 149, 150, 151, 152<br />
SNMP (simple network management protocol) 71, 90<br />
SNMP Management 71<br />
SNMP manager 90<br />
SOCKS server (Sockets) 226<br />
Software bugs 215<br />
software packages 29<br />
Solaris 115<br />
source route bridging 80<br />
Special privileges 211<br />
spoofing 69, 70, 228<br />
SPX (Sequenced Packet eXchange) 84<br />
SSL 159, 164, 166, 173, 257<br />
Stac 4.0 compression 70<br />
static definitions 278<br />
static RAM (SRAM) 93<br />
static routing 278<br />
Stereo sound 56<br />
Storage formats 186<br />
supporting protocols 37<br />
switched circuit 140<br />
Sync/Async module 79<br />
Synthesizer 185<br />
SYSLOG 217<br />
System managers 206<br />
T<br />
T1 11, 94, 272<br />
T3 11, 272<br />
TACACS 140, 143<br />
TACACS (Terminal Access Controller Access Control System) 249<br />
TACACS+ 248, 250<br />
Tapes 221<br />
TCP (transmission control protocol) 82, 250<br />
TDM 95<br />
Telephone lines 127<br />
Telnet 82, 215<br />
Terminal Access Controller Access Control System (TACACS) 249<br />
TFTP (trivial file transfer protocol) 82<br />
the Internet 277<br />
Thick Ethernet (10Base5) 76<br />
Thick Ethernet (AUI) 75<br />
Thin Ethernet (10Base2) 76<br />
Thin Ethernet (BNC) 75<br />
third-party security 245<br />
timed LAN-to-LAN connections (TLC) 71<br />
timed updates 71<br />
Tivoli 153<br />
TME 153<br />
token 248, 253, 254<br />
token device 246, 252<br />
token-ring 74, 77, 78, 248, 272<br />
transmission control protocol (TCP) 82, 250<br />
Transmitting video 180<br />
transparent bridging 81<br />
triggered updates 71<br />
trivial file transfer protocol (TFTP) 82<br />
Trojan horse 229<br />
Tunneling router 229<br />
two-factor authentication 246, 253<br />
U<br />
UDP (user datagram protocol) 82, 249, 252, 254<br />
Uniprocessors 283<br />
UNIX 250, 252, 254, 255, 279<br />
USENET 264<br />
user ID 139, 140, 143, 144, 145, 146<br />
user name 139, 140, 143, 144, 145, 146<br />
User responsibilities 212<br />
Users 207<br />
Using existing systems as Web servers 279<br />
UTP 75<br />
UTP (10Base-T) 76<br />
UVROM 93<br />
V<br />
variable length subnetting 278<br />
Video compression 179<br />
video formats 188<br />
Video quality 179<br />
Violated 210<br />
Violated policy 213<br />
virtual connection (VC) 69, 70, 71<br />
Virtual network 229<br />
Virtual ROM (VROM) 93<br />
Virus 229, 264<br />
VM 251<br />
VxD 68<br />
W<br />
WAN (wide area network) 94<br />
WAN card 94<br />
warm boot 77<br />
Warp Server 283<br />
WaveRunner 69<br />
Windows NT 255<br />
Z<br />
zone 85, 86<br />
ITSO Redbook Evaluation<br />
The Technical Side of Being an Internet Service Provider<br />
SG24-2133-00<br />
Your feedback is very important to help us maintain the quality of ITSO redbooks. Please complete this<br />
questionnaire and return it using one of the following methods:<br />
• Use the online evaluation form found at http://www.redbooks.com<br />
• Fax this form to: USA International Access Code + 1 914 432 8264<br />
• Send your comments in an Internet note to redbook@vnet.ibm.com<br />
Please rate your overall satisfaction with this book using the scale:<br />
(1 = very good, 2 = good, 3 = average, 4 = poor, 5 = very poor)<br />
Overall Satisfaction ____________<br />
Please answer the following questions:<br />
Was this redbook published in time for your needs?<br />
If no, please explain:<br />
Yes____ No____<br />
What other redbooks would you like to see published?<br />
Comments/Suggestions: ( THANK YOU FOR YOUR FEEDBACK! )<br />
Printed in U.S.A.<br />
SG24-2133-00