With the growing number of areas that can access always-on high speed
Internet connections and growing sophistication of free software,
a new possibility is presented to both small and home based businesses,
as well as domestic users with multiple PCs. Many functions that were
impractical, too costly or indeed just plain impossible for the dial up
generation, are now open. This article outlines how one can unhook
oneself from ISP lock-in and at the same time take a step up in both
functionality and ease of use.
The Anvil Organisation's own system is a concrete example of the
concepts outlined by this article.
You may not have considered just how reliant you are on your ISP. You
may not even realise that this is a question until the day you decide
to move on to a different supplier. Your email address(es) will likely
end in "mega-isp.com" or some such. There is no way that you can keep
this address if and when you move to a different ISP. This so called
"Domain Name" is the property of your current ISP. Even if the address
is actually "myname.mega-isp.com" it still ends with their name and so
is still owned by them. The same goes for the web site. For a business,
this name represents a potentially significant investment in time and
materials. Think how many adverts, bits of stationery and customers'
brains this address is embedded in. How much will it cost to switch to
another domain name? How long will it take? How many potential contacts
will be lost during the transition? If you do this, why switch to
another locked-in domain name and so store up the same set of problems
for the next time you need to move? Do it too many times and your
marginal customers may well lose track completely and just take the
easy route by going to someone else.
The domestic user is in a similar position. More and more people are
using email in preference to the post office and the phone to keep in
contact with friends and relations. Switching address is quite frankly
a pain. Try it a few times if you don't believe me. You run the definite
risk of losing touch with people who don't write so often. Sit back a
moment and think how many people you know whose email address you have,
but nothing else.
It used to be prohibitively expensive and complicated to have a domain
name of one's own. This is no longer the case, and in fact hasn't been
for some little while. If you take the obvious direct route to having
your own, it may well seem that it still is. Many ISPs still treat
having your own domain name as the preserve of large corporates and
price it accordingly. It no longer costs that much to do.
Hosting Services
A hosting service is quite often the first step away from complete
reliance on an ISP. It involves having a machine, or a part share in a
machine, dedicated to your use. They look after the nitty gritty
hardware issues and you set the thing up how you want it, or pay them
to do it for you. The prices for this kind of service vary quite
considerably, as does the quality of service. You are paying not just
for the machine being connected to the 'net but for depreciation on the
machine itself and the work required to keep it up and running.
In order to update your hosted machine, you need a connection yourself,
and a machine of your own to talk through it. You therefore already
have a machine that is quite likely even more powerful than the machine
you pay them for. You already need to keep this machine up and running.
There is no good reason why this machine could not perform all of the
functions you pay your hosting service to do for you. The one thing you
cannot copy at home is the hosting company's redundant power and
connectivity: your services will share the fate of your one line. So
keep at least a secondary name server off-site (see DNS below), and
take comfort that mail servers trying to reach you will queue and retry
for days if yours is briefly unreachable.
Free Software
Over the last decade or so a great deal of software has been developed
under a quite bizarre sort of license. A "normal" software license says
something along the lines of "This software is ours. You can't change
it. You can't give it to someone else. We accept no responsibility for
anything that goes wrong with it". The "General Public License" (GPL)
is pretty much the exact opposite. It allows anyone to use, change and
share the software, on condition that anyone who passes on a changed
version also passes on the source code of their changes under the same
terms. The creation of this license has allowed nothing short of a
revolution in the software industry. If you didn't already know, you
would likely be astounded at the amount of software that you already
use and rely on that is developed and distributed in this way.
Don't be fooled by the old adage "You get what you pay for". A vast
number of hard nosed business people have switched from the old
locked-in software to GPL based equivalents, and most will tell you
from their own experience that it has proved more reliable and more
secure. Even the very biggest "non-GPL" software companies have been
forced to change tack by the growing presence of GPL based systems.
ADSL and Cable v. Leased Lines and modems
In days of yore, the choice was either pay a great deal of money for a
permanently-on leased line or use a slow and clunky dial-up modem. Big
corporates would use leased lines and the rest of us would slog out to
the 'net through a dial-up modem line. The coming of ISDN was supposed
to help with this, but for various reasons didn't actually help that
much and was still out of reach, price-wise, to the average home/SOHO
user.
Slowly, far too slowly some would say, we are all coming within reach
of a new kind of service: a high speed, always-on Internet connection
priced in the few tens of pounds a month bracket. For those that were
not aware, ADSL is a service that connects using your existing phone
line, but doesn't block the line for normal telephony. It does so at
speeds 10 times or so faster than a dial-up modem. Cable modems are
devices that sit alongside your domestic cable TV service, are also
always-on and are even quicker than ADSL.
DIY ISP
Your ISP quite likely has a large number of very expensive, highly
reliable machines dedicated to providing their various services to
their customers. Do bear in mind however how many customers they have.
The reliability of a system is a mathematical function of the
reliability of each of its components. ISPs need a great number of
"components" in their systems to service all these users and they do
not want to be running round fixing them all day and night. They pay
for the extra reliability and power in order to need fewer machines
and less of the expensive human intervention. If the small business or
home user wants to duplicate these services on their own kit, they do
not necessarily need such expensive equipment. The number of components
needed is one. The number of customers serviced is one: themselves.
The software used by the ISPs is very often drawn from the pool of free
GPL software. They may very well write special extensions to the basic
free programs in order to more easily maintain their huge customer
base, but the unedited version would be perfectly serviceable for the
small business and home user. As mentioned above, the packages
concerned are of the very highest quality and, once set up and
configured, will run indefinitely with one exception: a machine that
faces the Internet must have security updates applied as they are
released. Budget a few minutes a week for your distribution's update
tool and for restarting whichever service was patched.
So what are these services, what do they do and what software will
perform them? Read on.
DNS - The Domain Name Service
In order to have your own domain (eg anvil.org) you will need to choose
an unused name and book it. This costs a few tens of pounds a year. You
will also need to be able to convert names based on this domain to the
addresses of the relevant machines. In order to actually pull down
content from a web site at www.anvil.org, the web browser needs to ask
some machine or other for the actual numerical address of that machine.
This conversion from textual name (www.anvil.org) to numerical address
(1.2.3.4) is done by a service called DNS. If you already have a domain
name of your own, but don't self host, this conversion is likely
performed by your ISP. Once the relevant magic numbers are embedded in
their DNS software, they need do nothing more, and neither would you if
you did it yourself. The vast majority of ISPs use a software package
called "The Berkeley Internet Name Domain" or "BIND" for short. As you
can see from the authors' "About ISC" page it is entirely free.
While this software can do some remarkably powerful things and can be
extremely complex to set up for such scenarios, the basic setup is
relatively simple and can be done using so called "Configurators".
These are also free and are simple applications that get the basics
done. The average home/SOHO setup will be trivial compared to that
needed by an ISP serving a large number of different domain names. Two
things to get right from the start: registries expect a domain to have
at least two name servers, so arrange for a friend's machine or a
secondary DNS service to hold a copy of your zone; and let your server
do lookups only for your own network, not for the world at large,
otherwise you have built an "open resolver" that strangers can use and
abuse.
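Here is the minimum that self-hosting a domain on BIND comes down to, as an added example that is not taken from the article or from ISC: the zone file and the matching named.conf fragment, written out by a small shell script. The domain example.org, the addresses 192.0.2.10 (this server), 198.51.100.5 (the off-site secondary) and 192.168.1.0/24 (the LAN) and the file paths are all placeholders. The script writes both files into a directory and runs BIND's own zone checker when it is installed.

```shell
#!/bin/sh
# Added example (not from the article or from ISC): BIND configuration for
# one self-hosted domain.  Placeholders: example.org, 192.0.2.10 (this
# server), 198.51.100.5 (a friend's box acting as secondary), 192.168.1.0/24
# (the LAN that may use this box as its resolver).

write_dns_config() {
    dir=$1
    # The zone.  The serial is YYYYMMDDnn and must increase on every edit,
    # otherwise the secondary never notices the change.
    cat >"$dir/example.org.zone" <<'EOF'
$TTL 3600
$ORIGIN example.org.
@       IN SOA  ns1.example.org. hostmaster.example.org. (
                2006120401 ; serial
                7200       ; refresh
                900        ; retry
                1209600    ; expire
                3600 )     ; negative-cache TTL
        IN NS   ns1.example.org.
        IN NS   ns2.example.org.
        IN MX   10 mail.example.org.
        IN A    192.0.2.10
ns1     IN A    192.0.2.10
ns2     IN A    198.51.100.5
mail    IN A    192.0.2.10
www     IN A    192.0.2.10
EOF
    # named.conf: anyone may ask about our zones, only the LAN may use us
    # as a general resolver (so this is not an open resolver), and only the
    # secondary may copy the zone.
    cat >"$dir/named.conf.local" <<'EOF'
options {
    directory "/var/named";
    allow-query { any; };
    allow-recursion { localhost; 192.168.1.0/24; };
    allow-transfer { 198.51.100.5; };
    version "not disclosed";
};

zone "example.org" IN {
    type master;
    file "example.org.zone";
    notify yes;
};
EOF
}

check_dns_config() {
    dir=$1
    # BIND's own checker when installed: catches missing trailing dots,
    # bad serials and syntax slips before they go live.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.org "$dir/example.org.zone" >/dev/null || return 1
    fi
    # Our own rule: recursion must be restricted, never left wide open.
    grep -q '^ *allow-recursion {' "$dir/named.conf.local"
}

outdir=${1:-$(mktemp -d)}
write_dns_config "$outdir"
check_dns_config "$outdir" && printf 'DNS files written to %s\n' "$outdir"
```

Run it with a directory argument to write straight into BIND's config area, then ask the running server for the zone with `dig @127.0.0.1 example.org SOA` and, from an outside machine, confirm that `dig @your.ip www.google.com` is refused: that refusal is the proof that you are not an open resolver.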
Email Server
You have your own domain name. You now need to have something waiting
to receive email destined to names within it. For this you need an
email server. One of the most widely used email server systems is
another free package called "Sendmail".
This software takes care of passing your email in and out of your
system. As for BIND above, it is also capable of doing some quite
advanced and powerful things, but the basic configuration is also
relatively straightforward. There are also free configurators to help
you through this step as well. Do check, once it is running, that it
only accepts mail from your own network or for your own domains; a
server that relays mail for anyone will be found and used by spammers.
The other side of the equation is the software to allow you to pick
your mail up from the server. You may have seen the terms "IMAP" or
"POP3" when you set up your mail reader application. One of the most
popular packages used for this function is Dovecot. This can provide
everything from the simplest setup to the most sophisticated
arrangement for multiple users across multiple separate domain names.
Mail Filtering
This is the program that examines everything that passes through your
email system and only lets it through untouched if there is nothing
wrong with it. It is a framework on which you can hang all sorts of
extras: virus scanners, spam detection, size limiters and so on.
Encryption and Certificates
For the same price as the above two software packages (ie nothing)
you can provide yourself with a much higher level of anti-snooper
protection than that enabled by most ISPs. If you use your laptop or
PDA on a publicly available wireless LAN, anyone in your general area
can grab any passwords you send over the Internet ... unless you
encrypt them. Please believe me, it really is very VERY easy to do.
The thief doesn't need any specialist knowledge, and very little in
the way of specialist software. They don't even need to pay for any
time on the wireless LAN. They would just sit there scanning, grab
your username and password and leave. They can then use your email
account as their own. POP3, IMAP and ordinary web logins all send the
password in plain text unless you tell them otherwise.
If you use the above software though, you can protect yourself against
this kind of abuse. You can configure them to use TLS (SSL) server
certificates, in exactly the same way as the Internet banks. Your
username and password would still go over the Internet, but inside an
encrypted connection that the thieves cannot read. Go one step further
and configure the servers to refuse any login that is not encrypted;
otherwise a mail program that has "forgotten" its settings will quietly
fall back to the old clear-text login.
As always there are companies who will charge you a great deal of
money for providing you with server certificates for your machines.
Now however, there is another project like the ones mentioned above
who, instead of providing free software, provide free server
certificates.
As always, there is a software project to handle the certificates. It
has been around a fair while and is as solid as a rock. These are the
tools used to create your private keys and lock them away until they
are needed. The same tools are used to make a "certificate signing
request" from that key and send it to the CAcert.org people to
certify. The certificate they give you back is then used by your
servers to prove to those who connect to them that they really are who
they say they are. One caveat: a certificate is only proof to a client
that already trusts the issuer, and the CAcert.org root is not shipped
in most browsers and mail programs, so you must install it on each of
your own machines first. Skip that and your users will see warnings and
learn to click through them, which defeats the whole exercise.
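The key, request and certificate handling just described, as a worked example added here rather than taken from the article: it assumes the toolkit meant is OpenSSL (the article does not name it) and uses mail.example.org as the host, with /etc/ssl paths as placeholders. It produces the private key and the certificate signing request (CSR) you would submit to a CA such as CAcert.org, makes a 30-day self-signed certificate to test the server with until the real one comes back, and writes the Dovecot settings (2.x syntax, assumed) that refuse plaintext logins altogether.

```shell
#!/bin/sh
# Added example (not from the article): private key, certificate signing
# request, a 30-day self-signed stand-in, and the Dovecot TLS settings.
# Assumes OpenSSL as the toolkit; mail.example.org and the /etc/ssl paths
# are placeholders.

make_key_and_csr() {
    dir=$1; host=$2
    # The key is the secret: owner-readable only, and it never leaves this box.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 600 "$dir/$host.key"
    # Request file: the CA certifies the names listed here.  Clients match on
    # the subjectAltName, so list every name the server answers to.
    cat >"$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $host
[san]
subjectAltName = DNS:$host, DNS:imap.example.org
EOF
    openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" \
        -out "$dir/$host.csr"
}

make_temp_selfsigned() {
    # Stand-in while waiting for the CA.  Clients will (rightly) warn about it.
    dir=$1; host=$2
    openssl x509 -req -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -days 30 -out "$dir/$host.selfsigned.crt" 2>/dev/null
}

cert_issuer() {
    # Who vouches for this certificate?  Self-signed: issuer equals subject.
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

write_dovecot_ssl_conf() {
    dir=$1; host=$2
    # Dovecot 2.x syntax (assumption): TLS required, plaintext logins refused,
    # so a password can never cross an open wireless LAN in the clear.
    cat >"$dir/10-ssl.conf" <<EOF
ssl = required
ssl_cert = </etc/ssl/certs/$host.crt
ssl_key = </etc/ssl/private/$host.key
disable_plaintext_auth = yes
EOF
}

outdir=${1:-$(mktemp -d)}
host=mail.example.org
if command -v openssl >/dev/null 2>&1; then
    make_key_and_csr "$outdir" "$host"
    make_temp_selfsigned "$outdir" "$host"
    printf 'temporary cert issuer: %s\n' "$(cert_issuer "$outdir/$host.selfsigned.crt")"
fi
write_dovecot_ssl_conf "$outdir" "$host"
printf 'send %s.csr to the CA; files are in %s\n' "$host" "$outdir"
```

Once the CA's certificate is installed and Dovecot restarted, test from a client machine with `openssl s_client -connect mail.example.org:993 -CAfile cacert-root.crt`: the output must end in "Verify return code: 0 (ok)", and `cert_issuer` on the installed file must name the CA rather than your own host. Anything else means clients are being asked to trust a certificate they cannot check.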
Web Server
Another piece of free software called "Apache" takes care of serving
more web sites than the rest put together .. with quite some margin.
The same comments made above about DNS and Email apply here. It is
free, it is reliable and there are simple configurators to set it up.
Web Proxy Server
At the risk of becoming laborious I will just say "Squid" and ditto.
The Web Proxy Server can perform two services for you. It can store (or
cache) pages that users have accessed for quicker access by another
user. Instead of having to reach out across the 'net all over again to
pull in a page that has already been seen recently by another user on
the system, the Proxy Server can perform a quick check to ensure that
the page hasn't changed and then, if it hasn't, deliver it to the
user's web browser straight from a local hard drive. It can also be
used to police the pages accessed by users and keep a log of what they
have seen. If the proxy is set up in this way, the user will have to
enter their own username and password in order to get external pages.
The system owner then has a record of web accesses and can use this to
ensure that the users on the system aren't accessing pages that they
should not be seeing. This applies equally to businesses and to home
users with underage users. The simple fact that their Internet use is
being monitored is enough to dissuade most users from abusing it. In
more extreme cases, the proxy can be configured to bar access to
certain sites completely. Two practical notes: the proxy must be
reachable only from your own network, as a proxy open to the Internet
will quickly be found and used by others; and the monitoring only
works if the firewall stops workstations going straight out to the web
around the proxy.
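A Squid configuration that does exactly the three things described (authenticate, log, block), added here as an example that is not from the article or the Squid project. It assumes the LAN is 192.168.1.0/24, that the basic-auth helper lives at the Debian path /usr/lib/squid/basic_ncsa_auth, and that the password file was created with `htpasswd -c -m /etc/squid/passwd alice`; the blocked domains are made up.

```shell
#!/bin/sh
# Added example (not from the article or the Squid project): squid.conf for
# a LAN proxy that authenticates, logs and filters.  Assumptions: LAN is
# 192.168.1.0/24, the helper lives at the Debian path, and the password
# file is created with "htpasswd -c -m /etc/squid/passwd alice".

write_squid_conf() {
    dir=$1
    cat >"$dir/squid.conf" <<'EOF'
# Every request must carry a username and password the helper can check.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Web proxy
auth_param basic credentialsttl 2 hours

acl localnet src 192.168.1.0/24
acl authenticated proxy_auth REQUIRED
acl blocked_sites dstdomain "/etc/squid/blocked_sites.acl"
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# First matching http_access line wins, so the order is the policy:
# odd ports out, tunnels only to 443, the block list, then LAN users who
# have logged in, then nobody.  The final "deny all" is what stops this
# becoming an open proxy for the whole Internet.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blocked_sites
http_access allow localnet authenticated
http_access deny all

# The record of who fetched what, and when.  Keep it root-readable only.
access_log /var/log/squid/access.log squid
cache_dir ufs /var/spool/squid 2000 16 256
EOF
    # Domains to refuse outright; a leading dot covers every subdomain.
    cat >"$dir/blocked_sites.acl" <<'EOF'
.example-gambling.test
.example-timewaster.test
EOF
}

check_squid_conf() {
    # Refuse a config whose last http_access rule is not "deny all": an
    # open proxy on the Internet side is one missing line away.
    last=$(grep '^http_access' "$1/squid.conf" | tail -n 1)
    [ "$last" = "http_access deny all" ]
}

outdir=${1:-$(mktemp -d)}
write_squid_conf "$outdir"
check_squid_conf "$outdir" && printf 'squid config written to %s\n' "$outdir"
```

Check the syntax with `squid -k parse -f squid.conf` before reloading. Two limits worth knowing: Basic authentication only base64-encodes the password between workstation and proxy, which is acceptable on a wired LAN you own but not over a wireless LAN without WPA; and for https sites the log and the block list only ever see the hostname from the CONNECT request, never the page inside the tunnel.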
File Server
While not something that would normally be provided by an ISP, a file
server can be an invaluable addition to a system. This does pretty much
what it says on the tin. It allows access to a common area of disk on
the server for all users on the system. It again can be (and usually
is) protected by password and can be configured to allow only a certain
set of people in. It could, for example, be mapped over the web
server's store of web pages, allowing authorised users to edit the web
site by simply accessing files in a certain drive on their own
machines. This is a great deal easier and more intuitive than having to
use a complex application to send the new pages out over the web to
the ISP's web server equipment.
It will probably not come as a shock by now to know that, once again,
this function can be provided by a piece of free software. In this case
the package is called "Samba". Whatever you do, keep it on the inside:
file sharing should listen on the local network only, and the firewall
described below should never let its ports in from the Internet.
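The "edit the web site as a network drive" arrangement as an smb.conf, added as an example that is not from the article or the Samba project. It assumes the LAN side of the server is eth1 on 192.168.1.0/24, that Apache's document root is /var/www/example.org served as group www-data, and that the people allowed to edit it are in the Unix group webeditors; the `server min protocol` line is a Samba 4 option and is an assumption about a current install.

```shell
#!/bin/sh
# Added example (not from the article or the Samba project): smb.conf for
# the "edit the web site as a network drive" arrangement.  Assumptions:
# LAN side is eth1 on 192.168.1.0/24, Apache's document root is
# /var/www/example.org served as group www-data, editors are in group
# webeditors.

write_smb_conf() {
    dir=$1
    cat >"$dir/smb.conf" <<'EOF'
[global]
    workgroup = WORKGROUP
    server string = %h file server
    security = user
    map to guest = Never
; LAN side only: the Internet-facing interface never sees SMB at all.
    interfaces = lo eth1
    bind interfaces only = yes
    hosts allow = 127. 192.168.1.
    hosts deny = 0.0.0.0/0
; Old, weak dialects off (Samba 4 option; assumption for modern installs).
    server min protocol = SMB2

[www]
    comment = Web site files (Apache serves these directly)
    path = /var/www/example.org
    valid users = @webeditors
    write list = @webeditors
    read only = no
    browseable = no
; Everything created through the share stays readable by Apache's group
; and is never marked executable.
    force group = www-data
    create mask = 0664
    directory mask = 2775
EOF
}

check_smb_conf() {
    dir=$1
    # Rule of our own: the share must not be reachable by guests, and must
    # be bound to named interfaces rather than everything.
    grep -q '^ *bind interfaces only = yes' "$dir/smb.conf" || return 1
    ! grep -qi '^ *guest ok *= *yes' "$dir/smb.conf"
}

outdir=${1:-$(mktemp -d)}
write_smb_conf "$outdir"
check_smb_conf "$outdir" && printf 'smb.conf written to %s\n' "$outdir"
```

Validate the result with Samba's own `testparm -s smb.conf` before restarting, and give each editor a Samba password with `smbpasswd -a alice`. The `valid users` line is what keeps the club's editors out of the business's files when several sites share the box: one share per site, each with its own group.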
LDAP - The Directory Service
This is a network based address book. It's like the address list in the
back of your diary, or your Palm Pilot, or your phone, or your email
program, or all the other places that addresses seem to lodge that
aren't where you are when you need to know it because you'd like to
phone them. If you've never had that happen to you, then you're way
more organised than I am. I would like to tell you that the Open Source
community can just wave a magic wand and let you talk seamlessly
between these different devices. Mind you, given that the software
running the handheld devices is generally the closed domain of the
people that sold you the thing, it has to be said that progress is
good. There is another article that deals with where we stand on that
one.
As of this date, there are a number of closed proprietary systems that
can do part of the job. There are however a number of Open solutions
that can also do part of the job and, as long as the handhelds and mail
programs used are carefully considered, you have a perfectly workable
system. In pulling all this information together you are opening the
door to some very useful ways of keeping a team of people working
together on the same information. If you are using crypto certificates
as mentioned above, you can help keep the information you are sharing
from being shared wider than you wanted.
The LDAP server can also hold the core information for a number of
different systems and act to bind them together. One of the key things
that a lot of the servers discussed above need is the ability to make
sure that you are who you say you are, and to enable you to talk to
them without being snooped. The same software can be used as a password
server, by simply storing the password in your entry in the directory
(as a salted hash, never in clear, and only ever checked over an
encrypted connection, since the directory is now the one place every
password lives). You log in to your own address book entry and in so
doing prove you are who you say you are. You, or rather your programs,
can then use the certificate in your entry to connect up to other
machines and exchange information safely.
A user sitting at the airport, or in their lounge, using a laptop
configured using these techniques can be fully connected up to their
home base and the rest of the Internet without transmitting anything
that can be understood by the guy at the next table, or the nosy
neighbour. Given that there is then no need to have the machine
configured differently for each location, it isn't. It treats all local
networks as hostile and just has eyes for the servers it trusts: its
own. If the snooper were to try and break into your kit, they would
find a machine that is barely visible and, as far as they were
concerned, talking completely untranslatable gibberish.
All this goodness needs a lot of very important key files to be stored
and dished out as appropriate. The LDAP server has a central part to
play in this function.
Once again though, all of these powerful and sophisticated features are
just extensions of the basic need to keep your names and numbers in
order. As your colleagues, club members or family become more used to
using this stuff, you can add in extras. It won't cost anything but
time and maybe a bigger machine if your current one is struggling.
Operating System
Many businesses are becoming more and more annoyed at having to pay
increasingly large sums of money simply to make their hardware work,
before even considering what they want to do with it. The software that
forms the ground floor of your computing systems is called the
"Operating System". Microsoft Windows is an example of this kind of
software. It will be news to some users that there is also a free
alternative to the use of a paid-for Operating System; that in fact the
entire stack of functions from the Operating System upwards can be
performed by high quality free software. This web page, for example,
was written using, is stored on, and is served out to you using
entirely free software. The most popular free operating system is
called "Linux". In a large number of cases, the systems you are
currently using at your ISP are based on Linux. If not Linux, then they
may well be using another free (although not GPL) operating system from
the "BSD" family.
While it is entirely possible, anvil.org being an example, to use Linux
throughout, the above article does not mandate this. As you will see in
the System Design section below, only the machine directly connected to
the 'net need be based on Linux. Linux can happily co-exist with and
talk to machines based on other operating systems. All of the above
services can be served out to (for example) Windows workstations. After
all, as also mentioned above, your ISP is quite likely to be using some
or all of the above software, operating system included. You are
therefore quite likely to be doing this today. All it means is that you
are taking over these functions from your ISP, using all the same
software.
Firewall
This is a piece of software that tries to prevent unwanted connections
to your systems from outside. It is only once you implement a firewall
of some sort that you realise how often malicious Internet users are
trying to damage or take control of your machines. Your ISP will have
some sort of firewall up to prevent malicious users from damaging their
systems. How about you?
There are a number of Microsoft Windows based firewall packages,
free(ish) and otherwise, that can be downloaded onto your machines for
your protection. While (almost) any firewall is better than none at
all, they do vary quite considerably in their ability to protect your
machines. One of the most powerful (if not *the* most powerful)
firewall systems is called "IPTables". It has features built in as
standard that many other systems can only dream of. It is in fact the
firewall system built into the heart of the Linux operating system as
standard. It is therefore also entirely free. Properly set up, it turns
away everything except the handful of services you have chosen to
publish; bear in mind that it does nothing for the services you do
publish, which is why the updates mentioned earlier still matter.
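A complete IPTables ruleset for the one box the article describes (gateway for the LAN and server of the published services), added here as an example that is not from the article. It assumes eth0 faces the ADSL or cable link, eth1 faces the LAN 192.168.1.0/24, and the services published to the world are DNS, SMTP, HTTP/HTTPS, IMAPS and SSH; everything else is dropped, LAN-only services are accepted from the LAN only, and web traffic from workstations is forced through the proxy. The script writes the rules in iptables-restore format and checks them; applying them needs root and is left to a separate function.

```shell
#!/bin/sh
# Added example (not from the article): iptables ruleset in iptables-restore
# format for the single gateway/server box.  Assumptions: eth0 = Internet
# side, eth1 = LAN 192.168.1.0/24, published services are DNS, SMTP,
# HTTP(S), IMAPS and SSH.

write_firewall_rules() {
    cat >"$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local traffic and replies to connections this box (or the LAN) opened.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services deliberately offered to the whole Internet.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
# SSH: open, but a source making 4+ new connections in a minute is dropped.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name ssh
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 --name ssh -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
# LAN-only services: proxy, file server, directory.  Never from eth0.
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 3128 -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -i eth1 -s 192.168.1.0/24 -p tcp --dport 636 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Everything else: log a little, then the DROP policy applies.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
# Routing for the LAN: replies in; outbound web only via the proxy, so the
# logging and filtering in Squid cannot be bypassed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp -m multiport --dports 80,443 -j REJECT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

apply_firewall_rules() {
    # Loads the whole table atomically; needs root.  Not run by default.
    iptables-restore < "$1" && echo 1 > /proc/sys/net/ipv4/ip_forward
}

check_firewall_rules() {
    # Both inbound chains must default to DROP, and INPUT must never hold
    # a blanket accept that would make the policy meaningless.
    grep -q '^:INPUT DROP' "$1" && grep -q '^:FORWARD DROP' "$1" \
        && ! grep -q '^-A INPUT -j ACCEPT' "$1"
}

rules=${1:-$(mktemp)}
write_firewall_rules "$rules"
check_firewall_rules "$rules" && printf 'rules written to %s (apply_firewall_rules as root)\n' "$rules"
```

After applying, `iptables -L -n -v` shows packet counts per rule; the "fw-drop:" lines that then appear in the system log are the probing the article mentions, now visible. The file is deliberately in iptables-restore format so the same rules come back identically at every boot.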
Remote Administration
If you would rather just delegate the occasional ongoing tweaks and
changes to another organisation, then a package called "OpenSSH" can be
installed to allow only those in possession of a unique private key
access to your systems from outside; switch off password logins
altogether and the constant password-guessing from the Internet becomes
harmless. None of the above packages are in any way locked in and the
system is entirely yours, so you still hold the whip hand. If you don't
like the service offered by one remote admin, you can simply drop them,
which is a matter of deleting their key, and use someone else. Nothing
else changes. You keep all your web pages and email addresses .. they
are yours after all.
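The key-only arrangement for an outside administrator, as an added example that is not from the article or the OpenSSH project. It assumes the administrator connects from the address block 203.0.113.0/24, uses the account "remoteadmin", and that the key pair is generated here purely to have something to put in the file; in practice the administrator sends you their public key and keeps the private half. The sshd_config fragment refuses passwords outright, the authorized_keys line ties the key to the administrator's network and strips the forwarding extras they do not need, and revoking them is one function that deletes their line.

```shell
#!/bin/sh
# Added example (not from the article or the OpenSSH project): key-only SSH
# for an outside administrator.  Assumptions: the admin's address block is
# 203.0.113.0/24, their account is "remoteadmin", and the key is generated
# here only for illustration.

write_sshd_config() {
    cat >"$1" <<'EOF'
# Only keys, never passwords: a guessed or sniffed password is useless.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Name the accounts allowed in; everyone else is refused before any auth.
AllowUsers andrew remoteadmin
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
EOF
}

# One authorized_keys line: the key works only from the admin's network and
# cannot be used to tunnel ports or forward an agent through your box.
authorized_keys_line() {
    pubkey_file=$1; from_net=$2
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$from_net" "$(cat "$pubkey_file")"
}

# Dropping an admin is deleting their line (matched on the key's comment
# field); nothing else on the system changes.
revoke_key() {
    keys_file=$1; comment=$2
    awk -v c="$comment" '$NF != c' "$keys_file" > "$keys_file.new" \
        && mv "$keys_file.new" "$keys_file"
}

outdir=${1:-$(mktemp -d)}
write_sshd_config "$outdir/sshd_config"
if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -t ed25519 -N '' -C remoteadmin -f "$outdir/remoteadmin_key"
    authorized_keys_line "$outdir/remoteadmin_key.pub" 203.0.113.0/24 \
        >> "$outdir/authorized_keys"
    printf 'authorized_keys entry:\n%s\n' "$(cat "$outdir/authorized_keys")"
fi
printf 'files in %s\n' "$outdir"
```

Before restarting sshd with the new settings, keep your existing session open and test a fresh login from a second window; `sshd -t` checks the file for syntax errors first. The `from=` restriction belongs on every outside key, since it turns a stolen private key into something that only works from one network.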
Home AND Business AND Clubs
There are a very large number of home based businesses in the UK.
According to the Federation of Small Businesses, well over 90% of UK
businesses have fewer than 10 people. It is quite likely therefore that
the systems we are referring to in this article are for both business
and home use. If so desired the machines can be used for both business
and home purposes at the same time. They can host two (or many more)
entirely separate domain names on the same equipment and Internet
connection. The setup is of course slightly more involved, but the
ongoing maintenance overhead is the same for two or three as for one.
Give each site its own account and directory, so that whoever edits the
club pages cannot touch the business ones. One could, for example, host
a club or charity web site alongside the business. As well as providing
a useful service, it also provides an opportunity to place a company
logo on the club or society page saying something like "Hosting
Sponsored by The Anvil Organisation Ltd - Computing services by and for
Small Businesses" with a link back to your business site. Anvil.org
already does exactly that for a number of different clubs and
charities.
System Design
Well, there's the theory; how do we actually do it?
As previously mentioned, The Anvil Organisation Ltd is already doing
exactly what is outlined by this article and offers assistance in
getting this lot set up and keeping it running on a "Time Used" basis.
Alternatively, all of these packages will be perfectly familiar to any
other competent Linux Systems Administrator. If you want to have a
crack at doing it entirely yourself, then the package home pages linked
above will lead you to help systems. Also most of the packages are
sponsored by commercial organisations that themselves offer setup and
maintenance services. The choice is yours.
Conclusion
... and that's the whole point: the choice is yours. It's up to you how
you want all this done, and changing your mind doesn't affect your
presentation to the outside world. You could, for example, get it set
up by someone else and then, as you become more familiar, gradually
reduce your use of that outside body and eventually look after the
whole thing yourself. You don't have to make a "Big Bang", all or
nothing switch from one ISP or Hoster to another.
This is the very reason why the anvil.org systems were set up this way
in the first place. We no longer wanted to be dictated to by some
inflexible corporate who charged extra for every last thing we wanted
to do. We wanted to take control of our own systems, set them up how we
wanted them and change them when and how we liked.
You may not like the visual style of the web pages on this site, I
don't claim to be an artist, but at the end of the day if the system
didn't work, you wouldn't be reading this.
Over to you.
Author: Andrew Meredith <andrew@anvil.org>
Date: 13th Aug 2003
Update: 4th Dec 2006
Copyright: The Anvil Organisation Ltd
2003-2006