|
ISP Resources |
Home | About | Contact | Networking | Supporters | Workshops | Help Desk | Where is the NSRC? | Search 
|
|
ISP Resources |
Home | About | Contact | Networking | Supporters | Workshops | Help Desk | Where is the NSRC? | Search
Satellites and Operators
Undersea Cables and Trans-Oceanic Backbones
To obtain network addressed we recommend that you read the RFC 2901, "The Guide to Administrative Procedures of the Internet Infrastructure". It is available in multiple different languages at:
Other Information about IP Addressing
Regional Internet Registries (RIRs)
As you progress in the process of obtaining address space, each of the four regional organizations that deal with IP address registration and administration have pages discussing how to request IP address space for new and continuing ISPs, links to these documents are located below.
As this is such a large topic we strongly suggest that you go over in detail the excellent resources presented at the AfNOG Workshop web site for the Scalable Network Infrastructure track at:
IP Numbers and AS NumbersUnderstand how you request a range of IP addresses for your network and how data from your network will be routed to the rest of the Internet.
Learn how to set up your network and your network hardware in a practical manner.
As an ISP you will be responsible for maintaining several core services that your clients use to gain Internet connectivity. Some of the most critical are DNS, DHCP, and maybe dialup. Each of these is discussed below with pointers to information about setting them up and using them.
DNS (Domain Name Server)
It's important that you set this up correctly from a functional standpoint. For instance, you run your primary DNS server locally, but ideally you should have your secondary, or backup, DNS server on a different network. This way if your other network functions are up, but your DNS box is down your clients can still make use of their Internet connections.
Below we present some first-level discussion of DNS, then we have more comprehensive list of Registries and DNS setup and maintenance links, including mulitple RFCs and their descriptions.
The Domain Internet Groper (DIG) comes as part of the Bind (http://www.isc.org/products/BIND/) distribution. DIG (the command "dig" is lowercase when you use it) allows you to find domain information as needed. This tool is used in place of nslookup.
Setting up and Maintaining a DNS Server
DHCP (Dynamic Host Control Protocol)
DHCP is not all that difficult to setup, but in a large environment it is important to decide upon the rules of engagement. If you have a fixed number of IP addresses then how you allocate them, for how long, and who gets static IP addresses becomes important. As you implement your DHCP services consider the following issues:
One of the best DHCP resources is the man pages for dhcp. Simply type "man dhcp" at the operating system prompt under any UNIX system to get started. The current version of the DHCP server for UNIX can be found at:
And, information about DHCP is available from these sites:
Dialup (RADIUS)
Setting up a process by which you authenticate users dialing in to your network (modem pool) is likely to be a critical piece of your operation as an ISP. In addition this is one point at which you can monitor user access to your services and keep track of usage for billing or statistical purposes. Below is a short list of some excellent Radius resources:
Proxy and Cache Servers
World Wide Web proxy servers speed up the access to web based resources by locally storing copies of frequently accessed web sites. Instead of having to reconnect to a slow webserver, after the first view, the web page will be served from the local proxy cache. This results in much faster page views than reloading the page from the origional server. The more disk space on your proxy, the better chance you will have of improving the performance of your client's web browsing as well as reducing the total bandwitdth used for your incoming network connection(s). The most widely used, and freely available, proxy server for Linux and FreeBSD is squid. You can find this at http://www.squid-cache.org/. In addition, here are some more useful links:
MTA (Mail Transfer Agent)
There are threes interface involved in this discussion. These include:In general you will run one command to transfer mail from your machine to another, or to receive incoming mail. Under UNIX the most used server to do this is sendmail. The next most used product is qmail. After this comes Exim. The NSRC recommends and uses Exim whenever possible running under FreeBSD. Exim is very secure and has been used in extremely large-scale implementations (up to a million users!).
Exim has been shown to scale to massive implementations, is generally easier to implement than sendmail, and is quite secure. You can read about the latest book, written by the auther of Exim (Philip Hazel), at http://www.oreilly.com/catalog/exim/. Otherwise, be sure to see the official web site at http://www.exim.org/.
Another alternative to sendmail. Previously known as vmailer and as the IBM Secure Mailer when released in 1998. Postfix is preferred by administers at some sites. Read all about it, download it, and find updates at http://www.postfix.org/.
qmail is famous for its ease of use, quick response to reader input for changes, and the $1,000 reward to the first person who could crack it - the prize went unclaimed and there is currently a $500 prize that you can read about at http://cr.yp.to/qmail/guarantee.html. You can read about qmail at http://www.qmail.org/.
Sendmail is the grandfather of Open Source MTA programs. O'Reilly has
printed the definitive sendmail guide that you can read about at http://www.oreilly.com/catalog/sendmail2/,
and you can see the Desktop reference at http://www.oreilly.com/catalog/sendmailqr/.
The main sendmail site is located at http://www.sendmail.org/.
One thing to be aware of is if you use sendmail there are numerous security
exploits with this product. Whatever you do, do not run old versions
of sendmail! There are well-known, and commonly exploited security
issues. You should make it a point of keeping your sendmail versions
up-to-date.
sendmail has been the de facto standard of mail delivery agents for years, but with the maturing of products such as Exim and qmail this is no longer as true.
If you need to scale your mail server there are two things that can help dramatically:
Email Delivery - IMAP/POP/Webmail/Console
This is a difficult topic. Which protocol or method do you wish to use
to allow your users access to their email on your site? There is no perfect
answer to this question. Generally the answer you come up with will be
a balance of security, reliability, and convenience.
The fundamental issue will come down to whether you use IMAP, POP, or something like webmail as your primary mail access method. The advantages and disadvantages of each method are described below. If you choose to use IMAP, then there are several IMAP servers available for use. Generally IMAP servers will include POP servers as well. You can read about some of the IMAP servers available for FreeBSD/UNIX/Linux at http://www.imap.org/. A popular IMAP server for UNIX/FreeBSD/Linux come from the University of Washington and is availble at: http://www.washington.edu/imap/. And for a long list of IMAP products see:
http://www.imap.org/products/longlist.htm
Summary of Email Delivery Mechanisms and Links
http://www.washington.edu/imap/
Advantages
The end user can have their email saved in multiple places (server, desktop at work, laptop for the road, desktop at home).
POP allows you to "pop" (i.e., "get") email in a single, quick session, then work on the email received offline and send them at the next opportunity without needing to be constantly connected.
Many, many clients speak and understand POP.
Disadvantages
Running POP from multiple locations can cause problems.
Many uses forget to ever delete email from the server, and will fill their disk space, which results in rejected email by most systems.
If the user evers gets (i.e., "pops") their email to a foreign system, then their email is on that system unless the user remembers to delete it.
To secure webmail you just need to run a secure webserver. This is generally easier than generating certificats to run POP or IMAP servers in secure mode.
Users can get their email from any machine with a web browser and an Internet connection. This bears repeating... Users can get their email from any machine in the world with a web browser and an Internet connection. This singlehandedly has made Microsoft's Hotmail one of the most successful email clients in the world.
Their are many webmail servers to choose from and many are free.
Disadvantages
The webmail interface, filter abilities, etc. are often inferior to what standalone clients may offer.
You may have to put up with advertising or large amounts of spam (see Microsoft Hotmail in this regard) to use a webmail service.
Console-based email packages such as Pine are 100% compliant when it comes to email standards (i.e., they tend to send ASCII only!).
You can manipulate your email directly and with considerable power once you learn the console-based client well.
You can access your email from any Internet connected machine that runs telnet (most all machines, but this is not secure!) or ssh.
If you connect to the server, then you must stay connected to send and receive email. This is expensive and impractical in some situations or countries.
If you are connected over a slow connection, then typing in telnet or ssh can be painfully slow.
When you pick the system that you are going to support you will have several tradeoffs between ease of use, security, reliability of the connection method, and cost. Webmail has become very popular and allows you to secure the email sessions easily. Remember, SSL connections require considerably more CPU time so you must scale your hardware appropriately. Webmail, however, requires a constant connection. POP clients are good for users who want to get their email, download it, disconnect, respond, reconnect and send. But, POP is largely insecure. Most POP clients will talk to a POP server via SSL. We strongly recommend you implement this since POP without SSL passes a user's password and ID in clear text each time they check for mail.
One final issue to remember if you, or your users, run multiple protocols for accessing email is that these methods can cause problems with the state of email. For instance, some versions of POP and IMAP do not mix well. If you "touch" your mailbox using IMAP, and then attempt to access it using POP you may find that POP suddenly thinks that all your messages are new again. In addition, dependent on the servers in use, a user trying to access their email from multiple locations using multiple protocols at once can cause problems. Generally the first process accessing the email will lock out others from having write access, but this is not always guarranteed under all circumstances.
Mailing Lists (Majordomo, Mhonarc)
There are many tools available for managing mailing lists, but the one tool we recommend over the rest is Majordomo. You can read about Majordomo in detail at the links below:
Additional tools and mailing list software that you may want to look at include:
Securing your system from attack is a basic responsibility of any good system administrator. Doing this is not an easy task and staying on top of how to secure you system is of critical importance. At this stage of the Internet ) if you do not secure your site, then you are guaranteed to be compromised. Your site will be broken in to and you are likely to lose data, have data corrupted, and lose service. Securing your system and knowing how to respond to security threats and breaches is of the utmost importance. If you have any doubts about this you should see statistics from the HoneyNet Project at http://project.honeynet.org/, which includes reports of one unsecured Linux box that was compromised within 45 minutes of being placed on the net.
Below we give you a few basic guidelines about securing network servers, but before you install, configure and place a server on-line we strongly suggest that you read our entire security document located at (opens in a separate window): http://nsrc.org/security/ This document contains detailed advice, pointers, and specific information about the steps you need to secure your network servers. You should do this before you allow any of your servers to be connected to the Internet.
Security is an ongoing process, but there are some basic guidelines you can follow to secure most servers. Securing an entire network involves additional planning and work. Larger organizations will usually have an entire staff person dedicated to security. Generally, security is much easier to implement if you do it from the start and you provide just the services you need vs. providing everything out of the box and then trying figure out what you can turn off.
General Guidelines
Very quickly, here are some general guidelines for securing a server on your network. If you are new to security be sure that you go to some of the links listed below and read them in depth. A few pointers include:
This cannot be stressed enough. At some point you will lose data. Your system will experience a hardware failure. You may have a security breach that results in data loss or corruption. The power will go out or or spike. You will experience a natural or man-made disaster. One of these, or more, is guarranteed to happen. Your only method for recovering from such situations is to have a safe, usable, tested (many people forget this step), and reliable backup of your data.
How you decide to implement this will depend on your hardware setup, amount of data that needs backing up, and your budget. The general rule of thumb is the easier and more data backed up, then the more expensive the solution. Often administrator's attempt to backup entire systems, when the real goal is to be able to get your user's data back and your current configuration up and running.
When designing your network and server setup try to design so that unique configuration files and user data is segmented in to distinct areas. If, for instance, you know that you need to backup /home, /data/ and a few system directories like /etc, /usr/local, etc., then your backup setup and configuration will be much easier.
Your next step is to decide how quickly you need to be able to recover your system and user's data in case of failure. Remember, even if you decide this must be fast, you will need the additional hardware and ability to restore to that hardware to make this happen.
Here are some good sites that discuss backup solutions (commercial and freeware) for servers:
When planning to set up an ISP be sure that you pay close and careful attention to your physical space and infrastructure. It is easy to think about hardware and software, but forget about the supporting pieces. Below are items that you should consider and links to some good pages that discuss these are in more detail:
Space and Power
Do you have a large enough space set aside to hold your staff and your equipment? In addition, can you get the necessary power and phone lines to your chosen location. Are there any issues with the location and bringing the network to that location? What about power? If you include air conditioning, servers, desktop machines, modems, routers, switches, etc are there enough? You should probably do some planning to figure out how much power your equipment will need, then how far you can scale before you run in to problems.
Racks and Wiring
As your organization grows you will quickly realize that having a well thought out and clean system for your patch cables in place can save you countless hours of crawling around, tracking ends, and accidentally disconnecting machines. In addition, this can be faciliated by placing your switches, routers, hubs, and CPUs in racks.
UPS and/or Generators
If your area experiences power outtages, brown-outs, or power spikes, then you will need more robust UPS equipment. But, in all cases you need to protect your equipment with a Uninterrupted Power Supply (UPS) system and/or a generator. Power that is not clean can cause serious damage to equipment. If you lose your modems due to a power outtage or spike, then how long will it take before you are back up and running? If the answer is days or weeks, then your business is not likely to survive such outtages. A reliable and robust system of UPSs and/or generators becomes critical. A great place to start planning for what you will need is the American Power Conversion web site at http://www.apcc.com/. They have excellent UPS products, but they also have very useful on-line planning tools as well.
Implementing a proper Help Desk from the beginning will be critical to your long term success. If you can get clients up and running quickly with your service and you can support them well, then it will be all that much easier to grow. For a detailed look at how to set this up and to see what some other organizations have done take a look at our Help Desk section at:
Trying to implement a help desk after you have attracted a large user base can be quite painful. If you read through the pages above, particularly the ones at the NSRC, you will get a good feeling for what you are likely to be implementing as your ISP becomes successful and grows. A Help Desk and Support organization does not stop at just creating a number, or email address where your customers can reach you, but becomes a philosophy behind how you provide service. Remember, this document stresses scalability in all phases of your operation. This includes how what you do will affect your ability to be able to support your clients. The NSRC Help Desk pages, particularly the Setting up a Functional Support Organization section (http://www.nsrc.org/helpdesk/creating.html) goes over these ideas in detail with practical examples and solutions.
This document is meant to give you a first level look at the pieces involved with setting up an ISP and then point you to much more detailed documents and tools that you can use to get up and running. We welcome your feedback. As you can see, there are a very large number of links in this document. If you wish to report broken links, suggest new, different or better links to resources, changes to content, etc. please fee free to email us at nsrc@nsrc.org.
If you have other questions or coments about content in this document please feel free to send email to nsrc@nsrc.org as well.
|
Running on LAMP (Linux/Apache/MySQL/PHP)
Site statistics |
Last modified: Fri Dec 19 08:05:38 2008
nsrc@nsrc.org |