CONTENTS

Editorial 6
Events 8
Report 9

SECURITY
AppOS Security 11
AppOS, a new upcoming Enterprise Linux distribution; get a first look at its advanced security features.

INTERNET
Google Honeypots 15
Abul Asim M. R. Qarshi looks at Google Hack Honeypots, and how Google can reveal problems with unsecured servers.

WEB TECH
Lighttpd Reviewed 18
Mathew Burford looks at Lighttpd 1.4.7, a lightweight web server with a focus on speed, compliance, security and more...

BUSINESS
Intro to Open Source 23
James Hollingshead provides a detailed introduction to Open Source, and tips for having a positive impact on the community.

NETWORKING
Multi Layer Switching 28
A look at LISA and multilayer switching frameworks for Linux.

VOIP (Voice over IP)
Open Source Telephony 32
The first part in a series on Open Source Telephony, starting with an introduction to Asterisk, the benefits and more...

Wifidog Captive Portal 36
The Linksys WRT54G captive portal.

Intrusion Detection 40
Introduction to Snort and IDS.

NEXT MONTH
Rapid Web Development, Developing AJAX Applications, A look at mod_security, PostgreSQL and much more...

O3 Magazine / November 2005 Page 4
EDITORIAL
and so it begins...
BY JOHN BUSWELL

Thank you for taking the time to read through our first issue of O3 Magazine. O3 is an electronic publication dedicated to open source Enterprise Data Networking solutions. Each month O3 will look at all aspects of enterprise data networking, from network level solutions such as firewalls, routers and switching to server side applications such as FreeRadius, OpenLDAP and Apache. Our goal at O3 is to introduce Enterprise Data Networking technologies to small and medium sized businesses, discuss open source solutions for providing those technologies and provide the technical information on how to deploy and maintain those solutions. O3 however is not just targeted at small and medium sized business; the solutions we discuss are already deployed in most large businesses, government agencies and educational institutions, though not necessarily open source solutions. CIOs, CTOs, IT management and staff at larger entities will benefit from exposure to lower cost open source alternatives. I don't personally see the point of promoting open source solutions if you do not use them yourself, so O3 is designed, developed and published using open source technology exclusively. Every article in O3, including this editorial, is written in OpenOffice (www.openoffice.org) under Linux; those articles are then imported into Scribus (www.scribus.org.uk), while graphics artwork is created with the Gimp. Scribus is used to export the completed publication in PDF format.

Each month O3 provides a round up of open source events, as well as an upcoming event calendar. We have done our best to track down as many major events as possible, but if you have an event, whether it's a local LUG meeting or a full scale trade show, we would like to hear about it. O3 also provides an "Open Source Report", a short round up of interesting open source software that has been released over the past month. Each issue of O3 features Security, Internet, Web Tech, Business, Networking, VoIP, Network Applications and Network Security columns. This first issue of O3 is more of an introductory issue; starting next month (December) each issue will have a particular theme. For December it is rapid web application development. We have an exciting line up for 2006: in the first quarter we will be looking at Linux on the zSeries mainframe, including a first look at some new innovative Linux solutions for the zSeries, and a detailed look at networking technologies in Linux including OSPF, RIP and BGP, as well as a look at providing end to end QoS solutions with Linux. We will wrap up Q1 2006 with a detailed look at Open Source Telephony. Finally, I would like to take a moment to thank our advertisers who very graciously put their names on a brand new magazine. Enjoy the issue and feel free to send feedback.

O3 Magazine
November 2005 Issue 1

EDITOR IN CHIEF: John Buswell (editor@o3magazine.com)
EXECUTIVE EDITOR: James Hollingshead (james@o3magazine.com)
ARTWORK: John Buswell
PROOF READERS: Greg Jordan, Shawn Wilson, Frank Boyd, Stew Benedict
SALES AND MARKETING: Greg Jordan (sales@o3magazine.com)
SUBSCRIPTIONS: O3 Magazine is distributed electronically free of charge by Spliced Networks LLC. To subscribe visit www.o3magazine.com.
SOFTWARE: Scribus 1.3.1, GIMP 2.0.5, OpenOffice 1.1.2
COPYRIGHT (C) 2002-2005 SPLICED NETWORKS LLC
EVENTS

NOVEMBER EVENTS

Open Source Database Conference, November 8-9 2005, Frankfurt, Germany. http://www.opendbcon.net

LinuxWorld Expo, November 9-10 2005 (Utrecht, Netherlands); November 15-17 2005 (Frankfurt, Germany); April 3-6 2006 (Boston, United States). http://www.linuxworldexpo.com

SC|05 (Supercomputing Conference), November 12-18 2005, Seattle, Washington, USA. http://sc05.supercomputing.org

IP.4.IT, November 14-16 2005, Las Vegas, Nevada, USA. http://www.ip4it.com

GULEV, November 17-19 2005, Veracruz, Mexico. http://www.gulev.org.mx

FOSS.IN (India's Premier Open Source Event), November 29 - December 2nd, Bangalore Palace, Bangalore, India. http://www.foss.in

UPCOMING EVENTS (DECEMBER)

Open Source Developers Conference 2005, December 5-7 2005, Melbourne, Australia. http://www.osdc.com.au

ApacheCon 2005, December 10-14 2005, San Diego, California, USA. http://www.apachecon.com

Interop, December 12-16, New York, USA. http://www.interop.com

Have an upcoming event? Tell us about it: send email to events@o3magazine.com with details.

FEATURED PAST EVENT

Ohio LinuxFest 2005, October 1st 2005, Columbus, Ohio, USA. http://www.ohiolinux.org

Ohio LinuxFest is a community focused free event that is run by volunteers and funded by sponsors. This year key sponsors of the event were Novell and Digium; additional sponsors included IBM, Spliced Networks, RocketCalc, Sybase, Pantek, Imagestream and many others.

The event overall was great for both the visitors and the sponsors. Every sponsor we spoke with indicated they were happy with the event and would return again next year. Over 700 visitors attended the third annual event, which ran all day and into the evening. The quality of the speakers was good, with keynotes from Chris Hicks of IBM and Novell's Jerry Mayfield. Some of the slides are available from the event's website.
REPORT
NOVEMBER OPEN SOURCE REPORT

Welcome to the Open Source Report. This is the section of O3 where we give a brief run-down of the major applications which made releases during the month.

LINUX KERNEL http://www.kernel.org/ Release: 2.6.14
The latest release of the Linux kernel has many new features including HostAP support to act as a wireless access point, a Linux port of the Plan 9 9P protocol, FUSE (which allows fully functional filesystems in a userspace program), lock-free file descriptor lookup, and several new drivers.

APACHE http://www.apache.org/ Release: 2.0.55
The latest release of Apache includes several security fixes, corrects a few instances of possible memory leaks and bad program behavior, and adds extra logging capabilities.

MANDRIVA http://www.mandrivalinux.com/ Release: Mandriva 2006
The 2006 release of Mandriva includes a desktop search tool (Kat) which allows searching for both file names and file content, an interactive firewall, official support for Intel Centrino mobile technology, integration of Skype, and an auto-installation server.

ASTERISK http://www.asterisk.org/ Release: 1.2
The 1.2 release of Asterisk includes improved voicemail features, easier configuration, improved SIP support, new features for the IAX protocol, use of sound files for native on-hold music, and improvements to the dialplan.

PROFTPD http://www.proftpd.org/ Release: 1.3.0
A "timing attack" protection module has been released to help solve the timing leak described by Leon Juranic.

LIGHTTPD http://www.lighttpd.net/ Release: 1.4.7
Lighttpd is covered by Mathew Burford on page 18 of this issue.

SCAPY http://www.secdev.org/projects/scapy/ Release: 1.0.2
Scapy is a powerful interactive packet manipulation program capable of forging or decoding packets from a wide range of protocols. Scapy is an excellent tool for testing and reproducing complex network and network device problems.

SNORT http://www.snort.org/ Release: 2.4.3
The 2.4.3 release of Snort fixes a buffer overflow vulnerability which existed in the Back Orifice preprocessor.

NATSTAT http://svearike.sytes.net/natstat/ Release: 0.0.11
Network monitoring tool providing real time information based on the iptables configuration.
SECURITY
Behind AppOS Security
DISCOVER THE MULTI-TIER SECURITY APPROACH BEHIND THIS UPCOMING LINUX DISTRIBUTION FOCUSED ON RESHAPING THE DATACENTER
BY JOHN BUSWELL

AppOS is a highly secure Linux based appliance framework that is designed to limit the damage that can occur in the event that a service or appliance is compromised by a third party due to an un-patched or a previously unknown vulnerability. In most enterprise environments, some of the network security techniques employed by AppOS are already in production, so migrating to or adding AppOS into the data center is often a trivial task. For smaller businesses there may be some network changes required in order to conform to the AppOS framework, particularly those related to out of band management and network storage.

OUT OF BAND MANAGEMENT
AppOS utilizes out of band management and storage networks to provide an extra layer of security. Out of band means that the management and storage networks are not on the same network as regular application traffic (such as HTTP "web" traffic). AppOS supports out of band management in several forms including physically separate Ethernet segments, VPN based management and the use of 802.1q VLANs. Physically separate Ethernet segments are the preferred method of out of band management. In the event an Internet facing interface is DoS (Denial of Service) attacked, there may not be sufficient bandwidth to reliably manage the device remotely. Here a separate physical Ethernet interface on its own private segment will remain fully accessible unless the server itself has crashed. A separate physical interface enables an administrator to disable the Internet facing interface without losing connectivity to the system. Management traffic can include traffic such as syslog, SNMP, SSH, HTTPS, and even DNS. Aside from limiting the access to this information for security purposes, out of band management enables syslog and SNMP trap traffic to continue to work reliably even if the Internet facing Ethernet ports are congested.
Another advantage to out of band management is that it frees up traffic on production networks, especially if you offload DNS traffic to the management network to be handled by secure/trusted caching name servers. It is for this reason that out of band management can assist in improving the scalability of even small networks. An important part of the AppOS network security framework is to place user data in out of band storage networks. Storage networks can be as simple as a gigabit switched Ethernet segment running a network file server using NFS or GFS between the file servers and the application servers on the network. Placing user data on an out of band network has many advantages including reducing the load on your production "Internet facing" network, thus improving scalability and enabling a finer access control over the user data. In a web hosting environment for example, a small number of restricted access servers may have write access to user data, making it possible for security policies to limit access to that infrastructure, while allowing for a large number of publicly accessible web servers to serve data with only read-only access. In the event of a zero-day security vulnerability existing in your web server software, the publicly accessible web servers only have read-only access to the data, preventing potential malicious users from uploading code to execute on the server. Advanced access control lists, mount options and other measures can be used to prevent execution of unapproved executables on the publicly accessible web servers.
While this approach offers an extra degree of security it can cause problems with legitimate web applications that need to have the capability to write to user data. Typically, user data is written via database transactions, such as information for eCommerce transactions, creating accounts or often even uploading files; the AppOS approach to this problem is to take database transactions out of band and to pass file uploads through an out of band inspection system before making the files accessible. While the approach can cause problems for existing web applications where security may not have been taken into account, the effort involved to migrate such applications often involves just putting a good security and best practices policy into place.

QOS
The final piece of the network security framework in AppOS is to rate-limit application traffic, employ Quality of Service (QoS) and packet queuing techniques, and provide high availability solutions through industry standard protocols such as VRRP (Virtual Router Redundancy Protocol). These techniques aid in protecting the network against a variety of network based attacks while providing high availability.

LINUX IMAGE MANAGEMENT / BOOT SYSTEM (LIMBS)

AppOS provides a highly secure Linux based operating system that utilizes the Linux Image Management/Boot System (LIMBS). LIMBS essentially runs a Linux based OS from a single image file mounted via loopback on a ramdisk. The security comes in the type of file system used in the image file: using something such as ext3 is only going to provide you with the same degree of security as a normal Linux system, but using an "unwritable" file system such as SquashFS means that in order to "write" to the file system, the entire image file has to be regenerated and replaced. AppOS works by placing the right files on the SquashFS file system and the right files on the ramdisk to ensure proper operation of the Linux system. LIMBS, currently at release 1.1.9, is available under the GPL. LIMBS performs some error detection and essentially sets up the system for booting by loading the appropriate OS image. The framework that AppOS and LIMBS provide has great potential for booting different kernels (Linux, BSD, OpenSolaris) while retaining the same application images. LIMBS hands over control to init, which in an AppOS based system will hand over control to ExMS, the management system.
APPLICATION IMAGES

AppOS places a specific application such as a DNS server into a separate application specific image called an ASI. The ASI is used to generate separate file system images, one for configuration files, and one for executables. These two files along with user data are mounted into three directories within a chroot environment while the files themselves exist outside of the chroot environment. The end result is that if your DNS server has a vulnerability, even if it's exploited and the attacker gains root access within the chroot, they cannot "break out" of the chroot due to Grsecurity. They cannot modify the configuration due to the fact they are sitting on an unwritable SquashFS file system, and for the same reason they cannot overwrite or replace the executables: the Linux kernel has no means of writing to the file system and the attacker does not have access to the image files or the tools to regenerate them. If the user data is secured through a read-only network storage framework as discussed earlier in this article, then the attacker cannot do anything; they cannot even disrupt the service.

GRSECURITY, PAX, STACK SMASH PROTECTION AND PIE
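The read-only user data and restrictive mount options described in the storage discussion, and the unwritable SquashFS configuration and executable images of an ASI, both come down to mount options that can be verified on a running system. The following Python script is an added example, not AppOS or LIMBS code: it parses a mount table in /proc/mounts format and reports every mount under a policy-covered path that lacks the required options. The sample mount table, the /srv/www and /opt/app paths and the policy itself are constructed for illustration.

```python
"""Audit mount options of user-data and application mounts.

Added example for the AppOS article; this is not AppOS or LIMBS code.
The policy and the sample mount table are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample in /proc/mounts format:
# <device> <mountpoint> <fstype> <options> <dump> <pass>
SAMPLE_MOUNTS = """\
/dev/loop0 / squashfs ro,relatime 0 0
tmpfs /var/run tmpfs rw,nosuid,nodev 0 0
nfs1:/export/webdata /srv/www/data nfs ro,nosuid,nodev,noexec,addr=10.0.20.5 0 0
nfs1:/export/webdata /srv/www/upload nfs rw,addr=10.0.20.5 0 0
/dev/loop1 /opt/app/conf squashfs ro 0 0
/dev/loop2 /opt/app/bin squashfs ro,nosuid 0 0
"""

# Hypothetical policy: mounts at or below these paths must carry these options.
# Read-only plus noexec/nosuid/nodev is what keeps a compromised web server
# from executing anything an attacker manages to place in user data.
POLICY = {
    "/srv/www": {"ro", "noexec", "nosuid", "nodev"},
    "/opt/app/conf": {"ro", "noexec"},
}


@dataclass
class Mount:
    device: str
    mountpoint: str
    fstype: str
    options: frozenset


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse /proc/mounts-format text into Mount records."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype, options = (_unescape(p) for p in parts[:4])
        mounts.append(Mount(device, mountpoint, fstype, frozenset(options.split(","))))
    return mounts


def _under(mountpoint, prefix):
    prefix = prefix.rstrip("/")
    if not prefix:  # a policy entry for "/" covers every mount
        return True
    return mountpoint == prefix or mountpoint.startswith(prefix + "/")


def audit(mounts, policy):
    """Return [(mountpoint, sorted missing options)] for every policy violation."""
    findings = []
    for mount in mounts:
        required = set()
        for prefix, opts in policy.items():
            if _under(mount.mountpoint, prefix):
                required |= opts
        missing = sorted(required - mount.options)
        if missing:
            findings.append((mount.mountpoint, missing))
    return findings


if __name__ == "__main__":
    for mountpoint, missing in audit(parse_mounts(SAMPLE_MOUNTS), POLICY):
        print(f"{mountpoint}: missing {','.join(missing)}")
```

On a live system, feed it the real table with parse_mounts(open("/proc/mounts").read()) and a policy naming your own data and image mount points; a writable or executable user-data mount on a public web server is exactly the condition the article's read-only storage design is meant to rule out.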
AppOS is Glibc based, and utilizes Grsecurity, PaX, Position Independent Executables (PIE), enhanced random number generators, privilege separation for daemons, Stack Smashing Protector, non-lazy binding and relocation read-only linking. The latter two are now standard in binutils. Grsecurity is an innovative open source project licensed under the GNU Public License (GPL). It takes a multi-layer detection, prevention and containment approach to security. Grsecurity provides chroot hardening, a robust Role-Based Access Control system, prevention of exploits related to address space bugs (through PaX), enhanced randomness in the Linux TCP/IP stack, restricted access to process lists, advanced auditing and many other features. Stack Smashing Protector is an extension to the GNU Compiler Collection (GCC) for protecting applications from stack-smashing attacks. The protection is provided by buffer overflow detection and a variable reordering feature to avoid corruption of pointers. The protection is applied when AppOS is built (at compile time). Binary executables contain memory locations called virtual addresses; these addresses are often useful for debugging as the same functions are located at the same memory location on any system running the same binary. Unfortunately what makes for easier debugging also enables an attacker to load up the same executable locally to determine memory locations on a remote target system. So if you're running Apache from Red Hat 9, and an attacker determines this by querying your web server with a standard HEAD / HTTP/1.1 request and inspecting the server token, they can simply download the same Red Hat 9 Apache binaries and determine what memory locations are being used by your server because it is running the same executable. Position Independent Executables essentially make each system different, randomizing those memory locations and making it much more difficult for an attacker to determine the address.

CONCLUSION
AppOS provides state of the art network and system security through a multi-layered approach. By taking simple steps such as implementing management and network storage out of band, strong network security policies and best practices, it is possible to tighten control over your network while retaining functionality and improving scalability. AppOS utilizes state of the art open source security solutions such as Grsecurity/PaX, Stack Smashing Protector, Position Independent Executables, enhanced randomization and file system access control lists. AppOS takes these technologies a step further by implementing applications in a secure chroot environment within a system of unwritable loopback based file systems, thus creating a safety net in the event a technique is developed to circumvent these great open source technologies designed to protect vulnerable software. The bottom line is that AppOS provides the best available zero-day protection against applications which contain undiscovered vulnerabilities and exploits.
APPOS AVAILABILITY

The current release of AppOS is 1.0.0, which ships on AppOS based SN series appliances. AppOS 2.0.0 is scheduled for release on Jan 3rd 2006. A public beta of AppOS 2.0.0 shall be available from Spliced Networks LLC from November 28th 2005.

FURTHER READING

grsecurity http://www.grsecurity.net
PaX http://pax.grsecurity.net
Stack Smashing Protector http://www.trl.ibm.com/projects/security/ssp/
Frandom http://frandom.sourceforge.net
SquashFS http://squashfs.sourceforge.net
Disk/Swap Encryption http://www.sdc.org/~leila/usb-dongle/readme.html

John Buswell is co-founder and Chief Technology Officer of Spliced Networks LLC. He can be reached by email (johnb@splicednetworks.com). Special thanks to Shawn Wilson (Time Warner Cable/Road Runner Business Cincinnati), Stew Benedict (Mandriva), Frank Boyd (Spliced Networks), Raja Hammad (Spliced Networks) and Mat Burford (Spliced Networks) for providing technical review of this article.
INTERNET
Opening the Jar on Google Honeypots
GOOGLE PROVIDES A POWERFUL SEARCH ENGINE, HOWEVER AN UNINTENDED USE HAS BEEN THE ABILITY FOR MALICIOUS USERS TO SEARCH FOR VULNERABLE SERVERS
BY ABUL ASIM M.R. QARSHI

The Internet's horizons have increased massively over the last 10 years. Now there are billions of web pages containing content related to nearly every aspect of personal and business information. With this growth in the Internet, a problem arose: finding the page with the information you are actually looking for. This is where search engines come into play, allowing Internet users to find the page that they want. However, AlltheWeb, AltaVista, Yahoo, MSN, etc. were all giving limited search functionality and none of them took it as a challenge and business opportunity until Google came along. Every search engine vendor wants to become more effective, more efficient, and to find accurate results in the least time possible. Most search engines index the pages to search and rank them to maintain accuracy. To do this, most search engines' bots or crawlers start traversing the web by using links that appear on the pages. Information collected by the search engine is mostly comprised of the name, file type, URL, etc. These search engines also index dynamic pages based on PHP, SHTML, etc., for example http://www.domain.com/?id=myd

FILE SEARCH
Most search engines provide the functionality to search files on the Internet. That means the search bot indexes the different types of "readable" files. Most search engine vendors claim that this will increase the performance of their system. For example, Google claims the benefit of searching non-HTML files is "a wider view of the contents available on the World Wide Web". While search engines index non-HTML file types such as PDF, DOC, TXT etc., they also index other file types, so be aware that your pwd, htaccess, or any other very critical file that could make your system vulnerable could also be found via Google. According to Matt Kesner, chief technology officer at Mountain View, Calif.-based law firm Fenwick & West LLP, "The ability of search engines to discover a lot of information that was not necessarily hidden but was a lot less available previously is scary."

SEARCHING POWER
Search engine vendors, specifically Google, have given us keywords such as "info", "link", and "related" to include in the search query, which refine the search and give us more accurate results. The complete list of keywords can be found at http://www.googleguide.com/advanced_operators.html

Now we will analyze some well crafted queries to find appropriate results. First of all we are going to search people's CVs. Place the following query in the Google search box, and look at the result:

(filetype:pdf OR filetype:doc OR filetype:rtf) (intitle:resume OR inurl:resume OR "my resume") (-apply OR -submit OR benefits OR -recruiter OR -Openings)
Next, let's try to browse to a particular URL that we know is password protected. The server immediately prompts you for a username and password, but depending on the URL, you might be able to plug it into Google, select the Cache link and read the password protected page. A good example is searching for content with inurl:webstats or inurl:accesswatch, or the default URL of any other popular web stats program. Many of these are protected by .htaccess files, but plugging them into Google reveals the page when following the cache option. Google is able to do this because the administrators of these servers unwittingly have the servers misconfigured, but with Google, a clever malicious user now has access to information that the administrator believes is hidden.

VULNERABLE SYSTEM DETECTION
To get into any system, a malicious user needs to know information about that system, and search engines provide an easy tool to help them detect vulnerabilities to exploit. For example, Apache can be configured to hide version information using the ServerTokens directive, but if an administrator hasn't removed the manuals installed in the htdocs directory, a quick search can reveal the release version the administrator is using. The same search could be used to locate unconfigured default installations of Apache on the Internet:

inurl:"/manual/" + Apache 1.3

These types of queries are easy to search for default files, making it easy for malicious users to detect systems where the administrator may have left files they've assumed are hidden from the public. If an administrator has left the default files, it might be an indication they are inexperienced and thus an easier target. The above query can easily become more specific by using the site: operator, which will restrict it to any specific domain. Similarly a malicious user can also find default installations of particular applications such as WebMail by simply crafting the query with intitle:"Welcome to Mailtraq WebMail" (Mailtraq is a web based email client). Such queries can often find test systems on live networks that administrators are using to test out new and unsecured applications.

SEARCHING PASSWORDS

If you have any readable files that contain passwords uploaded on the server, then it's time for some bad news: hackers can use queries on search engines to find passwords. For example, inurl:passlist.txt can be used for this purpose.

PREVENTION

To prevent search engine based attacks, a web site administrator can indicate which parts of the site should not be visited by a robot by providing a specially formatted file on their site in robots.txt. In addition, a web author can indicate if a page may or may not be indexed or analyzed for links through the use of a special HTML META tag. For example, a <META NAME="Googlebot" CONTENT="nofollow"> tag in the header can stop Googlebot from indexing the pages. To prevent Googlebot from following any particular link on the page that might link to your critical page or any secret web server, you can add rel="nofollow" in the hyperlink, which tells the robot "I can't vouch for this link". Note that these methods rely on cooperation from the robot, and are by no means guaranteed to work for every robot. If you need stronger protection from robots and other agents, you should use alternative methods such as password protection.

GOOGLE HACK HONEYPOTS

The methods discussed so far in this article are called Google Hacks. The "Google Hack" Honeypot project (http://ghh.sourceforge.net) provides a means to observe search engine hackers using Google against your resources by emulating a vulnerable web application, allowing itself to be indexed by search engines. The transparent link method used will reduce false positives and avoid malicious users detecting the honeypot. The honeypot then logs to a file information about the attempted attacks: the source IP, referral information and user agent. Using this information, the administrator can detect and monitor attackers performing reconnaissance against their resources and get a detailed view of specific attackers.

Abul Asim M.R. Qarshi is a network security specialist for Spliced Networks LLC based out of Pakistan.
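The prevention and honeypot sections above describe two defender-side pieces: robots.txt, which only asks crawlers to stay away, and GHH-style logging of source IP, referral information and user agent for hits on emulated vulnerable pages. The following Python script is an added example, not the article's or the Google Hack Honeypot project's code, that puts both together over ordinary web server access logs: it picks out requests to paths of the kind the article names (/manual/, /webstats/, passlist.txt), recovers the search terms from a search-engine Referer, and records whether the site's robots.txt disallowed that path, so a hit that was disallowed yet happened shows the robots-cooperation caveat directly in the output. The log lines, the robots.txt, the watched path list and the search-host list are constructed; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Triage web server access logs for search-engine driven reconnaissance.

Added example for the Google Honeypots article; it is not the article's or the
Google Hack Honeypot project's code. Log lines, robots.txt, watched paths and
the search-host list below are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs
from urllib.robotparser import RobotFileParser

# Apache/lighttpd "combined" log format:
# ip ident user [timestamp] "method path protocol" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed robots.txt as served by the honeypot host.
ROBOTS_TXT = """\
User-agent: *
Disallow: /manual/
Disallow: /webstats/
Disallow: /passlist.txt
"""

# Paths the article names as typical "Google hack" targets (constructed watch list).
WATCHED = ("/manual/", "/webstats/", "/passlist.txt")

# Referer hosts treated as search engines. Google and MSN carry the query in q=,
# Yahoo in p= (assumption based on the engines the article names).
SEARCH_HOSTS = ("google.", "yahoo.", "search.msn.", "altavista.")

# Constructed sample log lines; IPs are from the RFC 5737 documentation ranges.
LOG_LINES = [
    '203.0.113.7 - - [12/Nov/2005:10:01:22 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Nov/2005:10:04:09 +0000] "GET /manual/index.html HTTP/1.1" '
    '200 4096 "http://www.google.com/search?q=inurl%3A%22%2Fmanual%2F%22+Apache+1.3" '
    '"Mozilla/4.0"',
    '192.0.2.10 - - [12/Nov/2005:10:05:41 +0000] "GET /passlist.txt HTTP/1.1" '
    '200 88 "-" "Googlebot/2.1"',
    '198.51.100.23 - - [12/Nov/2005:10:06:00 +0000] "GET /webstats/ HTTP/1.1" '
    '401 0 "http://www.google.com/search?q=inurl%3Awebstats" "Mozilla/4.0"',
]


def search_query(referer):
    """Return the search terms if the Referer is a search-engine results page."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    if not any(host in parts.netloc.lower() for host in SEARCH_HOSTS):
        return None
    params = parse_qs(parts.query)
    for key in ("q", "p"):
        if key in params:
            return params[key][0]
    return None


def triage(lines, robots_txt, watched=WATCHED):
    """Return one event per hit on a watched path, with the GHH-style fields."""
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    events = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in combined format; skip rather than guess
        path = match.group("path")
        if not path.startswith(watched):
            continue
        ua = match.group("ua")
        events.append({
            "ip": match.group("ip"),
            "path": path,
            "status": int(match.group("status")),
            "ua": ua,
            "query": search_query(match.group("referer")),
            # robots.txt only asks; a hit recorded here means the client did not comply
            "robots_disallowed": not robots.can_fetch(ua, path),
        })
    return events


def hits_by_ip(events):
    """Count watched-path hits per source address for a quick per-attacker view."""
    return Counter(event["ip"] for event in events)


if __name__ == "__main__":
    found = triage(LOG_LINES, ROBOTS_TXT)
    for event in found:
        print(f'{event["ip"]} {event["path"]} status={event["status"]} '
              f'query={event["query"]!r} robots_disallowed={event["robots_disallowed"]} '
              f'ua={event["ua"]!r}')
    print(dict(hits_by_ip(found)))
```

The recovered query is the most useful field: it tells you which "Google hack" brought the visitor in, and a 401 on /webstats/ reached from a search results page is the cached-page scenario the article describes, seen from the server side.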
WEB TECH
Lighttpd 1.4.7 Review
LIGHTTPD IS A LIGHTWEIGHT WEB SERVER WITH A FOCUS ON PERFORMANCE, SECURITY AND FLEXIBILITY WORTHY OF CONSIDERATION IN THE DATACENTER
BY MATHEW J. BURFORD

If your web server's performance is suffering due to high load then your solution may be here. There is interest brewing in Lighttpd, a relatively new web server developed by Jan Kneschke et al. In addition to claims of a low memory footprint, its main website www.lighttpd.net boasts that Lighttpd has security, speed, compliance, flexibility and an advanced feature set. Lighttpd is a "high load performance optimized" web server that is intended to be used for web servers which must serve lots of small files rapidly and PHP servers which are placed under high load. Despite this, Lighttpd seems to be useful in many other areas, such as embedded systems which have limited resources. This article will look into Lighttpd's claims and features and discuss them. I installed Lighttpd on a 1.7GHz Pentium 4 with 775636 Kbytes DDR SDRAM running Gentoo Linux (kernel version 2.6.11). For testing purposes, Siege (described below) was installed on a 15" Powerbook (1.5GHz PowerPC G4 with 512 Mbytes DDR SDRAM) running Mac OS X, version 10.4.2. Both machines were connected to a Netgear 54Mbps wireless router (WGR614 v4).

BASIC TESTING
Atfirstglance of Ligh ttpd, th e s ource dow nload file of ve rs ion 1.3.16 cons iste d of 69 0 k byte s , ve ry ligh tinde e d. Com pilation and installation us e d th e typical'configure /m ak e /m ak e instal l's yste m . I w as pleas e d to find th e re w as m inim alcom pl exity ge tting th e w e bs e rve r up. Th e us ualexam ple configuration file is s h ippe d w ith Ligh ttpd, w h ich follow s th e "include onl y if you ne e d" ph ilos oph y. H e nce itw as ve ry s m all,w e llcom m e nte d and e as y to fol l ow . Surpris ingl y, in 10 m inute s Ligh ttpd w as up and running and s e rving static fil e s w ith a bas ic configuration. Th e installation dire ctory w as 2688k b in s ize . Th is include d various unus e d m odules and random docs . Th e Ligh ttpd exe cutable file s ize is 9 25Kbyte s .W h e n running, th e m e m ory us age
for Ligh ttpd w as 418Kbyte s . O ve rall,itappe ars to be q uite a ve ry com pactprogram . For Ge ntoo us e rs , th e installcan be s im plifie d to 'e m e rge w w w s e rve rs /Ligh ttpd'. You m igh th ave to s e tan unstable flag to dow nload th e late stve rs ion. Th is autom ate s th e installation, butalso s e ts up a Ligh ttpd account for th e s e rve r to run w ith in and various oth e r th ings to ge titw ork ing fast. I w as e age r to te stth e bas e instal lof Ligh ttpd. I dow nloade d th e late stve rs ion (2.63) of Sie ge , an h ttp w e b s e rve r be nch m ark ing tool , (fre s h m e at.ne t/proje cts /s ie ge /) from fre s h m e atand installed it. I h ad to be care fulw ith s ie ge , as it s e e m e d to us e a lotof re s ource s . O n m y M acO SX Pow e rbook , I us e d Sie ge to s im ulate 15 us e rs , and I re com m e nd you do th is for yours e lf th rough your ow n ne tw ork s o th atyou can com pare itw ith your curre ntw e b s e rve r's pe rform ance . Ch oos e a docum e ntto s e rve w h ich w illus e th e fe ature s th at your w e b s e rve r typicall y s e rve s . Afte r te sting w ith 1000+ concurre nts im ulate d us e rs , I w as floode d w ith e rrors w h ich indicate d th at I h ad run outof file de s criptors and as a re s ult re q ue sts to th e s e rve r w e re be ing de nie d. Th e Ligh ttpd w e bs ite docum e ntation (w w w .ligh ttpd.ne t/docum e ntation/pe rform ance .h tm l) h as a fix for th is if you find you are h aving trouble h e re . Th e s olution invol ve s low e ring th e de faults of H TTP Ke e p Alive s o th atfile de s criptors are n'th e ld on to as long. O th e rw is e you can s im pl y incre as e th e file de s criptors w ith a q uick % e ch o 76680 > /proc/s ys /fs /file-m ax PER FO R M ANCE ENH ANCEM ENTS
W h ile th e Ligh ttpd w e bs ite provide s a good am ount of docum e ntation, in m y opinion th e docum e ntation is stillunde rdeve lope d and m uch of w h atis th e re ne e ds revis ion. Th is is m ostl ik e l y due to th e proje ct stillbe ing in its e arl y stage s , s o th is w illce rtainl y im prove .
One interesting section is performance (www.lighttpd.net/documentation/performance.html), which states that Lighttpd can be configured so that it uses the native 'event handler' provided by the operating system. For Linux kernel 2.6.* this should be 'epoll' and would require a line like this to be added to the Lighttpd config file:

server.event-handler = "linux-sysepoll"

The advantage of using 'epoll' over the default 'select' is that select is limited to FD_SETSIZE handles. This is hard coded in, and not easily changed; using 'epoll' however overcomes this problem. I would recommend you set this especially if your server tends to serve a large number of clients. For more information on this topic see www.kegel.com/c10k.html.

These tests are not ideal, but show a general analysis of the server when the 'epoll' system is used. It does not effectively test the features of 'epoll'. Below are the results when simulating 15 users abnormally flooding the server with requests. Note: 3 tests were run, with the first test considered a server 'warm-up', so it is not listed. This command was used to start siege:

% ./siege www.myserver.net -b -t1M > /dev/null

This instructs siege to connect to www.myserver.net and ready 15 users. The -b option enables benchmarking of throughput and -t1M instructs the simulation to run for 1 minute. The last section (> /dev/null) will forward unnecessary output (which slows the test) to /dev/null. During all the tests below I monitored the CPU usage using the 'top' utility. CPU usage averaged about 35% and varied about 10%. The test results in the table suggest that there is little performance difference in using epoll over select, so why use it? Well, as I mentioned before, epoll overcomes certain restrictions of select. Interestingly, the results of 'epoll' deviated much less than those of 'select', which suggests more reliability.

EVENT HANDLER TESTING RESULTS

                                         Test 2 'select'  Test 3 'select'  Test 2 'epoll'  Test 3 'epoll'
Transactions (hits)                      71210            77950            73074           73399
Availability (%)                         100.00%          100.00%          100.00%         100.00%
Elapsed Time (seconds)                   60.36            59.91            59.67           60.44
Data Transferred (MB)                    176.16           192.84           180.77          181.58
Response Time (seconds)                  0.00             0.01             0.01            0.01
Transaction Rate (transactions/second)   1179.75          1301.12          1224.62         1214.41
Throughput (MB/sec)                      2.92             3.22             3.03            3.00
Concurrency                              5.83             12.84            7.47            7.05
Successful transactions                  71210            77950            73074           73399
Failed transactions                      0                0                0               0
Longest transaction (seconds)            0.51             0.52             0.51            0.51
Shortest transaction (seconds)           0.00             0.00             0.00            0.00
Lighttpd version tested                  1.4.7            1.4.7            1.4.7           1.4.7
SECURITY SUPPORT

The aim here is to prevent Lighttpd being used as a point of attack against the system. One method which limits the damage an intruder can perform is to run the Lighttpd daemon in a chroot jail. Chrooting will limit Lighttpd to a sub directory of the filesystem, which Lighttpd will see as root. Lighttpd supports being run in a chroot jail and it is highly recommended to do so, as it is also not overly complex to set one up. The Lighttpd website has a link which will guide you through much of the process (http://www.lighttpd.net/documentation). In general it is a bad idea to run Lighttpd with root privileges; as before, the aim is to limit any damage an intruder can perform. Another supported method is to drop root privileges and run Lighttpd as a low privilege user. This is trivial and effective. First create a user called 'lighttpd' by adding a line similar to the line below to your /etc/passwd file.

lighttpd:x:100:400:lighttpd:/www/pages/:/bin/false

Next, you should add a line similar to the line below to your /etc/group file, while making sure that the numbers 100 and 400 are not taken by any other entries in these files.

lighttpd:x:400:

To set Lighttpd to run as this non-privileged user/group simply modify the configuration file to contain these settings:

## change uid (default: don't care)
server.username = "lighttpd"
## change gid (default: don't care)
server.groupname = "lighttpd"

It is also important that your server does not easily give itself away to users. One method attackers may use to gain information about a system is to simply read the HTTP response header. This is trivial to counter in Lighttpd, as described below.

First you might like to see what information the web server is giving out. Assuming you have telnet installed, this can be done by entering the command:

% telnet localhost 80

You should receive a prompt as below:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

You should now enter the below HTTP command, followed by two enter keystrokes:

HEAD / HTTP/1.0 (hit enter twice)

You should receive something similar to this:

HTTP/1.0 200 OK
Connection: close
Content-Length: 80
Date: Thu, 11 Aug 2005 20:47:04 GMT
Last-Modified: Wed, 10 Aug 2005 12:14:49 GMT
ETag: "-1257421618"
Accept-Ranges: bytes
Content-Type: text/html
Server: lighttpd/1.3.16

As you can see, the server by default sends out its name and version number. This provides an attacker with enough information to look up weaknesses in your particular software and version. I recommend for these security reasons that you set this to something non-helpful. To change this tag, again modify the configuration file to contain a line similar to this:

server.tag = "httpd"

After restarting your server, you may retrieve the header from the server and you should have modified that tag:
HTTP/1.0 200 OK
Connection: close
Content-Length: 80
Date: Thu, 11 Aug 2005 20:49:30 GMT
Last-Modified: Wed, 10 Aug 2005 12:14:49 GMT
ETag: "-1257421618"
Accept-Ranges: bytes
Content-Type: text/html
Server: httpd

Here you have been introduced to some basic aspects of Lighttpd's high configurability. For more options, see the documentation provided with Lighttpd or look at the copies available on their website (http://www.lighttpd.net/documentation/).
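The telnet check above can be scripted so that the server.tag change is verified after every restart. This is an added example, not code from the article or from the Lighttpd project; the two sample responses are constructed from the headers the article shows, and head_request() is only needed against a live server.

```python
"""Check what a web server's response header gives away, as the article's
telnet session does. Added example; the two sample responses below are
constructed from the headers shown in the article."""
import re
import socket

# Constructed from the article: the default banner, then the same response
# after setting server.tag = "httpd".
BEFORE = ("HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Length: 80\r\n"
          "Date: Thu, 11 Aug 2005 20:47:04 GMT\r\n"
          "Last-Modified: Wed, 10 Aug 2005 12:14:49 GMT\r\n"
          "ETag: \"-1257421618\"\r\nAccept-Ranges: bytes\r\n"
          "Content-Type: text/html\r\nServer: lighttpd/1.3.16\r\n\r\n")
AFTER = BEFORE.replace("Server: lighttpd/1.3.16", "Server: httpd")


def head_request(host, port=80, timeout=5.0):
    """Send the same 'HEAD / HTTP/1.0' the article types into telnet and
    return the raw response text. Needs a live server, so the offline
    checks below use the constructed samples instead."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-case name: value}).
    Accepts CRLF or bare LF line endings; the body, if any, is ignored."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    status, *lines = head.splitlines()
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def server_banner_leaks_version(headers):
    """True when the Server header names a product with a version number
    (e.g. 'lighttpd/1.3.16'); the article's replacement 'httpd' does not."""
    return re.search(r"/\d", headers.get("server", "")) is not None


def audit(raw):
    """Summarise one response: the banner seen and whether it needs hardening."""
    status, headers = parse_response(raw)
    return {"status": status,
            "server": headers.get("server", "<none>"),
            "leaks_version": server_banner_leaks_version(headers)}


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```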
FEATURES

One of the biggest selling points of Lighttpd is its rich list of features. Below I look at FastCGI and MySQL based Virtual Hosting, two of the more popular features. Lighttpd however has a very clear cut state engine and plugin interface, which makes Lighttpd very easy to modify should you need to insert specialized capabilities into this small httpd.

FASTCGI

The aim of FastCGI is to remove a lot of the performance issues posed by CGI programs. Support for this is provided by the module mod_fastcgi and can be enabled by uncommenting the appropriate line in your configuration file, found under server.modules. FastCGI allows fast and extensive php support for Lighttpd. For more information see www.lighttpd.net/documentation/fastcgi.html.

MYSQL BASED VIRTUAL HOSTING

There are two vhost modules available for Lighttpd. An interesting one is mod_mysql_vhost, which allows you to provide virtual hosts using a MySQL table. Lighttpd recommends not to mix vhost modules, as only one is supposed to be active at any given point in time. MySQL vhost allows you to place docroot and domain pairs in a table; lighttpd will then query the MySQL server to locate the docroot.

OTHER FEATURES

I felt that it was important to mention some of the other features in Lighttpd. SSL support is integrated into Lighttpd, and basic rate limiting is supported either on a per connection or server (all connections) basis. Like Apache it supports compression: the standard gzip compression, which is supported on the majority of web browsers, can decrease web server bandwidth utilization, and Lighttpd also supports deflate and bzip2. Other interesting features include an rrdtool module for outputting bandwidth and load utilization, and SCGI, which is based heavily on FastCGI and is primarily used for Python + WSGI. Some anti-hotlinking features, including trigger b4 download, round out some of Lighttpd's unique feature set.

EXPANDING LIGHTTPD

Lighttpd has been documented very clearly and in great detail by the Lighttpd development team. The documentation link off their main web page has full state machine information for both FastCGI and the httpd state machine. The documentation even includes the function names where the processing occurs. This makes Lighttpd, along with its size, a very tempting solution for developers who need unique features or processing. It wouldn't take much to modify the Lighttpd code by inserting your own additional processing to perform custom URL or other modifications beyond those supported in mod_rewrite. Lighttpd also includes very useful plugin documentation.

CONCLUSION

Lighttpd is an exciting project which raises the expectations of small footprint web servers. As its userbase increases, much more documentation will be available. This server is highly configurable in a non-complicated way, which enables new users to quickly get their web server running with little trouble. Lighttpd is a competitive option to other popular web servers, and may be run alongside other web servers, such as tomcat or apache, to take advantage of the benefits offered by each. It will be interesting to see the direction Lighttpd takes on the Internet as it matures.

MATHEW BURFORD IS AN APPLICATION DEVELOPER FOR SPLICED NETWORKS LLC BASED OUT OF WOLLONGONG, AUSTRALIA.
BUSINESS
An Introduction to Linux and Open Source for Business
LINUX AND OPEN SOURCE MIGHT BE TERMS YOU HAVE HEARD BUT ARE NOT QUITE FAMILIAR WITH. LINUX AND OPEN SOURCE CAN BENEFIT BUSINESSES OF ANY SIZE... AND NO, IT IS NOT JUST FOR BANKS... BY JAMES HOLLINGSHEAD

Open source. It's amazing how much confusion and mixed feelings those two little words can cause. What is it? How does it work? Is it for our business? This article is an attempt to answer your questions and give a brief overview of what open source is, how it can help you and your business, and what you can do to help. Since it is a huge subject and answering everyone's questions would take entire books, this is really just a fairly high level look at open source arranged as a sort of question and answer session.

WHAT IS THIS "OPEN SOURCE" THING I KEEP HEARING ABOUT?

That's a very simple question to which there are a number of answers. At the most basic level, open source is the software development community and businesses working together in order to make quality software that anyone can use. It's a way for groups and individuals to contribute according to their skill sets on projects that they find interesting so that everyone can come out ahead. Its real defining points are the license that the software is released under and the fact that the program is distributed free of charge. There are quite a few licenses that are considered to be open source by the Open Source Initiative (www.opensource.org), the non-profit organization which keeps track of and promotes open source licenses. What most of the accepted licenses boil down to is that the source code for the software is open for the world to see, modify, contribute to, and use. Certain licenses require that you release all changes you make, while others just require you to give them credit for having code in your project.

I HEARD THAT LINUX IS HARD TO SET UP AND USE. IS THAT TRUE?

If you had asked me that question in 1998 when I first tried to install Linux on a new desktop that I bought, I would have said it was a nightmare to get running. Now, however, it's a great deal better and is actually ready for a lot of home and business uses. Many of the applications now have graphic interfaces that are just as good as what you are used to now and have the functionality that you've come to expect from your business apps. That's not to say that there isn't a little bit of a learning curve, but it really is a pretty slight one. On top of this, Linux is now a breeze to install on most hardware. To give you an idea, I recently installed Linux on my laptop. Anyone who has installed Windows on a laptop will tell you about the fun that you're in for. It takes a stack of cds, most of the day, and constantly babysitting the laptop to answer questions and switch out disks. On top of that, you have to provide the right video, audio, and network drivers and then you have to run security updates and install service packs. With Linux, it took four cds, a network connection, and about three hours to install the operating system, most of the software that I use, and to update the entire system. Ethernet worked out of the box; so did the video. To install the last two programs that I wanted to use required two very short commands, and updating the entire laptop required one more. Most of the time that was spent installing Linux was used to do other things while my laptop worked quietly in the other room without needing me to babysit it. It's come that far.

IF I WANT TO USE OPEN SOURCE SOFTWARE, DO I HAVE TO RUN LINUX?

While most software released for Linux is open source, not all open source software is Linux-only (or even runs on Linux). It is possible to have open source projects on other platforms, such as Windows and OS X, and indeed many popular projects, such as the Firefox web browser and the Eclipse programming environment for Java, are released on a wide variety of platforms.
The developers and companies behind the projects realize that not everyone can standardize on a single platform, so they often do their best to provide solutions where they make sense.

WHAT SORT OF OPEN SOURCE SOFTWARE IS THERE?

Open source software exists across the spectrum of applications.

• For operating systems, you have various forms of Linux and BSD, which are all Unix-like operating systems. While they allow fine control of practically everything that you could want to do with your computer from a functionality and security standpoint, they also have rather nice graphic interfaces, allowing both casual users and the more experienced to use them with ease.
• The popular web browser, Firefox, is a piece of open source software that grew out of the old Netscape browser. It also has sibling programs Thunderbird for email and Bugzilla, a bug tracking software package used by many developers. All of these programs may be found at www.mozilla.org
• OpenOffice (www.openoffice.org) is a popular open source suite that includes word processor, spreadsheet, and presentation software and is available on both Linux and Windows.
• GIMP (www.gimp.org) is an open source graphics program which is available both on Linux and Windows and is used by this magazine.
• Many programming environments such as Eclipse (www.eclipse.org) are open source, as are the source control tools Subversion (http://subversion.tigris.org) and CVS (www.nongnu.org/cvs).
• There are even several very good open source databases out there such as MySQL (www.mysql.com) and PostgreSQL (www.postgresql.org).

There are many other open source offerings out there. If you're interested in looking for open source applications, a good place to start is The OpenCD project (www.theopencd.org), which lists applications for Windows, but also links back to websites for the projects so you can get versions for different platforms.

BUT IF IT'S FREE, HOW DO WE MAKE MONEY ON IT?
That's a very good question. The answer is that, just like everything else in business, making your project open source isn't for everyone. However, there are several fairly standard ways that companies are making money with open source projects.

• Support – companies like Redhat (www.redhat.com), maintainers of a popular Linux distribution, charge money for providing professional technical support.
• Sell hardware – companies like Digium (www.digium.com), the makers of Asterisk, an open source PBX software, make a great deal of their money selling pre-made PBX solutions while also providing the software to the general public for those who feel adventurous.
• Training – many pieces of software, whether open or closed, really benefit from people being able to go to classes in order to learn how to get the most use out of them. Who better to provide the training than the company who makes the product?
• Custom builds – no software will do everything that everyone wants it to do, because there are so many things that its creators never thought of. In some cases, businesses may want functionality added to the programs that you make which they are willing to pay for.

There are many other ways that companies are making money on open source software, but what it all comes down to is where you expect to make your money. If you just plan to sell your software, then open sourcing your project probably isn't for you. There are exceptions to this. MySQL, a popular open source database, offers its software for free if it is used in-house and asks that you pay a modest fee
if you include it in a commercial product. However, if your real money comes from somewhere else, then you have a decent chance of making a successful business.

WHAT DO I GET OUT OF MAKING MY SOFTWARE OPEN SOURCE?

By making your software project open source, you gain potential access to the professional development community at large. As I said before, many major open source projects are staffed partially by developers being paid by technical companies in order to add the features and functionality that their employers want. However, many professional developers work on open source projects on their own time as well for a number of reasons, including to keep their skills sharp, to add new skills, and even just because the project interests them. This means several things to anyone who wants to have a successful software project:

• Access to outside skills - Everyone who starts a piece of software wants the people working on it to be the best. Unfortunately, your budget often doesn't allow you to hire them and keep them full time. With open source, you can have access to people (either on a contract basis or, in some cases, just because they're interested in your project) that you otherwise wouldn't be able to hire.
• Reduced development time - With the possibility of more people working on your project than you could otherwise afford, there is a good chance that it will take less time to complete your project. For example, Windows Vista (formerly codenamed Longhorn) was announced years ago and isn't supposed to be delivered until sometime in 2006. By contrast, Fedora, Redhat's non-business Linux distribution, has gone from version 1 to version 4 since I first started using it in 2003, and each new version has been a marked improvement over the previous one.
• Different points of view - There are always useful features or uses for your software that you didn't originally think of. With members of the software developer community at large looking at (and working on) your project, you may end up with functionality that you never considered before.
• Many eyes looking at your project - The more people who review the source code of your project, the greater the chance that bugs and security flaws will be caught, allowing them to be fixed sooner.
• Community goodwill - Never underestimate the power of free advertising. If your project becomes popular within the technical community, like Linux has, that popularity can spill over into the business arena.
WHY WOULD PEOPLE WANT TO VOLUNTEER TO WORK ON MY PROJECT?

We developers (yes, I am one of them) are strange people. We like to work on projects that we find interesting or that challenge us. It's a chance to gain experience that we can point to when looking for a new job. It's also a way to get recognized by the community as a capable developer. On top of all of those things, it's a chance for us to give something back to the people who have helped us out along the way and to help others who may not be so fortunate. Some of us think of it as a form of voluntary community service.

IF EVERYONE CAN LOOK AT MY SOFTWARE, WHAT'S TO STOP THEM FROM JUST TAKING IT?

That's a very good question, and one that I hear quite often. The answer is that it all comes down to the license that you choose to release your work under. There are a lot of accepted open source licenses, so I am only going to give a brief description of a few of the more popular ones.

• BSD – The person who modifies the project may choose whether or not to open source their derivative, but the copyright notice for the original project must be included with the documentation (if the derivative work is closed) or in the code (if the derivative work is open). Basically, under this license, anyone can do anything with the code that they want as long as they say that the code is in there.
• Apache – If a software development project contains code released under the Apache license, their copyright notice and disclaimer must be included in the documentation, and the source is allowed to be either open or closed.
• GPLv2 – If the project that contains code licensed under the GPLv2 is released, all changes to the code must also be released under the GPL. This is the license used by many open source projects, including the Linux kernel.
LET ME GET THIS STRAIGHT. IF I USE CODE LICENSED UNDER THE GPL, I HAVE TO RELEASE WHAT I MAKE WITH IT THE SAME WAY?

If you release the project that you incorporate the GPL'ed code in, then yes, you have to open source your project as well. If, on the other hand, you just use the software you make in-house, you don't have to publish your code. However, even if it is just in-house, you should think about whether there is actually anything to be gained by keeping people from seeing it. If the answer is "not really", then consider opening it up anyway.

I LIKE THE IDEA OF THE GPL, BUT DO I HAVE TO ACCEPT EVERYTHING THAT SOMEONE OFFERS MY PROJECT?

While the GPL has a great deal of benefits that come from accepting contributions to your project (functionality and bug fixes among the big ones), at the end of the day, you're the one in control of the project and can decide who you want to be able to contribute things to it. You don't have to accept anything suspect or that you don't want to if you're in control of the project.

HOW DO I JOIN THE COMMUNITY?

The easiest way is to contribute. Start a project or work on an existing one by adding functionality or submitting patches. Sourceforge (www.sourceforge.net) is an excellent place to find or start projects. You can also join the mailing list for the project that interests you in order to communicate with the other people who are working on the project. As time goes on, you will be able to take on more responsibility on that project, and thus in the community, if you want. I hope this article helped answer most of the questions that you had concerning open source for your business. As I said at the beginning, this was just a brief overview of what open source is and how it can work for you. If you have more questions, there are a great deal of places that you can turn to. One of the best of these is your local Linux User's Group, many of which can be found via Linux.org's list of user's groups located at www.linux.org/groups/.

JAMES HOLLINGSHEAD IS THE EXECUTIVE EDITOR FOR O3 MAGAZINE. JAMES IS BASED OUT OF CHILLICOTHE, OHIO. JAMES CAN BE REACHED VIA EMAIL AT JAMES@O3MAGAZINE.COM.
"... LINUX, ISN'T THAT FOR BANKS? I DON'T NEED THAT KIND OF SECURITY!" -- INTERNET CAFE OWNER

Several years ago I was asked to put together a quote for an Internet cafe on the west coast of Ireland. Several local and national computer retailers had already quoted but were too high for this very small startup run by a business lady who had no computer experience at all. The owner was concerned about Windows and connecting Windows to the Internet because of security. I put together two quotes, one for Linux desktops and one for just securing the Windows desktops with a Linux based firewall/router. What was interesting about this particular experience was that the business owner didn't want anything to do with Linux, not because it "looks different" but because it was "too secure". She felt that she didn't need that level of security and that Linux solutions were really for banks. Five years later, this particular individual got in contact with me through one of my previous employers. Her network of Windows desktops was being constantly compromised by both local students and remote users. Turns out that a national computer company sales rep told her Linux was for banks; this type of sales rep FUD resulted in a solution that cost more and in the long run failed. -- Comments from the Editor
NETWORKING
Multi Layer Switching in Linux
LINUX HAS HAD SOME FORM OF BRIDGING AND VLAN SUPPORT IN IT FOR A WHILE. MULTILAYER SWITCHING, SPANNING TREE AND OTHER ADVANCED SWITCHING FEATURES ARE NOW POSSIBLE. BY JOHN BUSWELL

At first glance LISA, the Linux Switching Appliance project, looks like a very interesting project, providing Layer 2/3 packet switching support to Linux. Originally we planned to write an article specifically on LISA; unfortunately, we quickly discovered that LISA is still very much in a developmental stage, so this article has been expanded to cover the wider range of switching solutions for Linux. This is an introductory article; over the coming months the NETWORKING segment of O3 will go into detail on implementing various networking solutions in Linux and using open source projects to test and extend the security of traditional network protocols. We tested LISA under Linux 2.6.10; it consists of a kernel patch providing the "Ethernet Switch" module under Networking Options and a couple of userspace tools. The project provides a mini-distribution, however all you really need is the patched kernel and the swctl userspace tool that is provided by the project. The swctl tool allows you to add/remove interfaces from the switch, add/remove vlans from the vlan database, create trunks and create virtual interfaces for a given vlan. We tested its layer 2/3 switching capabilities; performance was pretty good and the switch's forwarding database worked as expected. Interoperability with other VLAN speaking devices seemed to work well; we tested LISA connected to Cisco Catalyst 5505 and Nortel 3408 Application Switches, layer 2 and layer 3 connectivity over the VLANs, and VLAN routing worked. The downside to this project is clearly its future: the last release was back in June 2005, and it looks like a final year project for two Romanian students.

If you plan to seriously consider using LISA, despite the sponsors, I would wait and see if the project continues development unless you plan to maintain the code yourself. At the time this article was written the latest release of LISA requires some patching to work with Linux 2.6.14. The userspace tools are hard-coded, so you have to modify the path to the Linux header files in each Makefile, and with changes to the skb code in 2.6.14, you will need to modify the calls to deliver_skb() and possibly other skb routines that the switching code uses. Overall, LISA has a good deal of potential; whether its current developers plan to continue development beyond University remains to be seen. LISA can be obtained from http://lisa.ines.ro/.

SPANNING TREE PROTOCOL (802.1D)
Most enterprise Layer 2 switches support IEEE 802.1D "Spanning Tree Protocol". While LISA itself doesn't provide STP, the Linux bridging suite (http://bridge.sourceforge.net) does provide good STP support. STP allows multiple bridges to work together by providing path redundancy while eliminating loops in the network; it is a Layer 2 protocol. STP works by sending out a special packet called a BPDU (Bridge Protocol Data Unit) to communicate with other bridges and discover how each is interconnected. The exchange of BPDUs results in the election of a root bridge. This is called spanning tree convergence. Once STP has converged, each bridge sets each link to either a FORWARDING or a BLOCKED state. It is this determination of BLOCKED or FORWARDING, when multiple active paths exist between bridges, that prevents loops in the network. Spanning tree loops are not a good thing: they can flood the network, and more often than not lead to network failure. The best way to describe the BLOCKED state is that it is an active link sitting in standby.

STP.1: EXAMPLE SPANNING TREE NETWORK

In diagram STP.1 we have five switches. During convergence a "root bridge" is elected through the exchange of BPDUs as mentioned above. Once the root bridge is selected, all links not required to reach the root bridge are placed into a BLOCKED state. In our diagram, switch 2 is the best candidate for becoming the root switch. You can see how convergence plays out in that situation in the second diagram, STP.2.

STP.2: SWITCH 2 AS ROOT BRIDGE / CONVERGENCE COMPLETED

Spanning tree does not have any authentication, and a degree of trust must be assumed for each bridge or switch participating in the spanning tree: whichever bridge advertises the lowest bridge ID becomes root, and nothing in the BPDU proves who sent it. While this is typically a non-issue for switched environments, when considering the use of STP support on a Linux system through the bridging suite you need to make sure that you don't create the capability for a remote attacker to inject STP BPDUs into your network, either by compromising the bridge or by the bridge simply forwarding packets received; this is especially important when bridging between a private network and the Internet or a public WiFi network. STP filtering is possible with ebtables (http://ebtables.sourceforge.net) as part of the bridging suite.

There are two "extensions" to Spanning Tree that are typically of interest: 802.1w and 802.1s. 802.1s is Multiple Spanning Tree and runs several spanning tree instances, each covering a group of VLANs. A number of companies offer Layer 2/Layer 3 switching solutions as proprietary products that work under Linux; one such company is IP Infusion (www.ipinfusion.com). At the time of this article, no open source 802.1s project was found. 802.1w is the rapid reconfiguration of spanning tree, often called Rapid Spanning Tree, fast spanning tree or fast convergence. 802.1w becomes important in larger, more complex switched environments where traditional spanning tree convergence can take a longer period of time due to the complexity of the network. 802.1w support is planned for the Linux bridging suite, and an RSTP library and simulator exist at http://rstplib.sourceforge.net.

LAYER 2 FILTERING, EBTABLES, VLANS AND VMPS

An important part of the bridge suite is ebtables; ebtables is essentially the iptables of the Layer 2 world. ebtables can filter on Ethernet protocols, MAC addresses, simple IP headers, ARP headers, 802.1Q tags and interfaces. It can also perform MAC address translation, logging, frame counting, and mark and match frames. Another important part of Ethernet switching is VLAN support. Linux has decent 802.1Q support. A VLAN (Virtual LAN) creates a logical Ethernet broadcast domain; this enables a switch, for example, to have devices from different networks plugged into the same switch and behave as if you had a separate switch for each network. VLANs in Linux are relatively easy to set up: you just mark the interface (e.g. eth0) as up, then use the vconfig utility to add the interface to a particular VLAN. Linux sees the VLAN as a typical network interface; you can assign an IP address to it and so forth. Some network drivers in Linux need specific patches to make them work with 802.1Q.

VLAN Management Policy Server (VMPS) uses a special protocol called VQP (VLAN Query Protocol) to automatically determine VLAN membership based on the MAC address of the device connecting to the network. VMPS is supported on Cisco Catalyst switches, and the OpenVMPS project (http://vmps.sourceforge.net) provides an open source implementation.
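The two points above, that the root bridge is simply whoever advertises the lowest bridge ID and that BPDUs can arrive inside 802.1Q-tagged frames, are easiest to see on the wire. The following is an added example, not code from LISA, the bridging suite or ebtables: it builds 802.1D Configuration BPDUs in tagged 802.3/LLC frames (constructed, not captured), parses them, runs the election, and applies the kind of per-port BPDU guard that an ebtables rule would express. The MAC addresses, port names and VLAN id are assumptions.

```python
"""Parse 802.1Q-tagged Ethernet frames carrying 802.1D Configuration BPDUs,
run the root bridge election over them, and apply a BPDU guard policy.
Added example with constructed frames; it is not LISA, bridge-utils or ebtables code."""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 01:80:c2:00:00:00, 802.1D bridge group address
STP_LLC = b"\x42\x42\x03"                        # LLC DSAP/SSAP 0x42 (spanning tree), UI control
ETHERTYPE_8021Q = 0x8100
BPDU_FMT = "!HBBBH6sIH6sHHHHH"                   # 802.1D Configuration BPDU, 35 bytes


def build_config_bpdu(priority, bridge_mac, root_priority=None, root_mac=None, cost=0):
    """Encode a Configuration BPDU. A bridge that believes it is root advertises
    itself in the Root Identifier field, which is what the election compares."""
    root_priority = priority if root_priority is None else root_priority
    root_mac = bridge_mac if root_mac is None else root_mac
    return struct.pack(BPDU_FMT,
                       0, 0, 0x00, 0,                  # protocol id, version, type (config), flags
                       root_priority, root_mac, cost,
                       priority, bridge_mac,
                       0x8001,                          # port id
                       0, 20 * 256, 2 * 256, 15 * 256)  # msg age, max age, hello, fwd delay (1/256 s)


def build_frame(src_mac, bpdu, vid=None):
    """802.3 frame with LLC header; an 802.1Q tag is inserted when vid is given."""
    llc = STP_LLC + bpdu
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) if vid is not None else b""
    return STP_MULTICAST + src_mac + tag + struct.pack("!H", len(llc)) + llc


def parse_bpdu(data):
    fields = struct.unpack(BPDU_FMT, data[:struct.calcsize(BPDU_FMT)])
    (_, _, btype, flags, root_prio, root_mac, cost, prio, mac,
     port_id, _, max_age, hello, fwd_delay) = fields
    return {"type": btype, "flags": flags,
            "root_prio": root_prio, "root_mac": root_mac.hex(":"),
            "cost": cost, "bridge_prio": prio, "bridge_mac": mac.hex(":"),
            "port_id": port_id, "max_age": max_age / 256,
            "hello": hello / 256, "fwd_delay": fwd_delay / 256}


def parse_frame(raw):
    """Return dst/src MACs, VLAN id (None if untagged) and the BPDU if the frame carries one."""
    (type_or_len,) = struct.unpack("!H", raw[12:14])
    offset, vid = 14, None
    if type_or_len == ETHERTYPE_8021Q:
        (tci,) = struct.unpack("!H", raw[14:16])
        vid = tci & 0x0FFF
        (type_or_len,) = struct.unpack("!H", raw[16:18])
        offset = 18
    frame = {"dst": raw[0:6].hex(":"), "src": raw[6:12].hex(":"), "vid": vid, "bpdu": None}
    # STP rides in 802.3/LLC frames: a length field (<= 1500) followed by LLC 42 42 03
    if type_or_len <= 1500 and raw[offset:offset + 3] == STP_LLC:
        frame["bpdu"] = parse_bpdu(raw[offset + 3:])
    return frame


def elect_root(bpdus):
    """Lowest Root Identifier (priority, then MAC) wins; nothing in the BPDU proves who sent it."""
    best = min(bpdus, key=lambda b: (b["root_prio"], b["root_mac"]))
    return best["root_prio"], best["root_mac"]


def bpdu_allowed(frame, ingress_port, trusted_ports):
    """BPDU guard as an ebtables-style rule would express it: frames to the bridge group
    address carrying STP are only accepted on ports that face other switches."""
    if frame["bpdu"] is None:
        return True
    return ingress_port in trusted_ports


def demo():
    """Constructed scenario: a real switch on eth1 and a rogue host on eth3 (the public side)."""
    switch_mac = bytes.fromhex("000c29aa0001")
    rogue_mac = bytes.fromhex("00deadbeef01")
    frames = [
        ("eth1", parse_frame(build_frame(switch_mac, build_config_bpdu(32768, switch_mac), vid=10))),
        ("eth3", parse_frame(build_frame(rogue_mac, build_config_bpdu(0, rogue_mac), vid=10))),
    ]
    unfiltered = elect_root([f["bpdu"] for _, f in frames])
    accepted = [f for port, f in frames if bpdu_allowed(f, port, trusted_ports={"eth1"})]
    filtered = elect_root([f["bpdu"] for f in accepted])
    return unfiltered, filtered


if __name__ == "__main__":
    before, after = demo()
    print("root without BPDU filtering:", before)   # the priority-0 rogue wins
    print("root with BPDU guard on eth3:", after)
```

Without filtering, the host on eth3 advertising priority 0 becomes root and every path in the network re-converges around it; with the guard, only the BPDU from the trusted switch port counts. On a real Linux bridge the equivalent of bpdu_allowed is an ebtables rule that drops frames to 01:80:c2:00:00:00 arriving on untrusted ports.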
MULTIPROTOCOL LABEL SWITCHING (MPLS)

Another type of switching is MPLS, Multiprotocol Label Switching. MPLS works by having a "label edge router" (LER) assign a label to incoming packets. Packets are forwarded along a "label switched path" (LSP), where each label switch router (LSR) makes forwarding decisions based solely on the contents of the label. At each hop, the LSR removes the existing label and applies a new label which tells the next hop how to forward the packet. LSPs provide a variety of solutions such as performance guarantees, routing around network congestion, or creating IP tunnels for network-based VPNs. Linux has excellent MPLS support: there is an MPLS forwarding plane for the 2.6.x kernel and an implementation of LDP (RFC 3036). The MPLS project can be found at http://mplslinux.sourceforge.net, and http://www.mplsrc.com is an excellent source of information if you are interested in learning more about MPLS.

LAYER 2 NETWORK SECURITY TESTING

Yersinia is a network security tool designed to take advantage of weaknesses in several protocols, including Spanning Tree Protocol, Cisco Discovery Protocol, Dynamic Trunking Protocol, DHCP, HSRP, 802.1Q, Inter-Switch Link (ISL) and VLAN Trunking Protocol. Yersinia is an open source project and can be found at http://yersinia.sourceforge.net. Next issue, we will take an in-depth look at Yersinia and the attacks used against the network protocols most enterprises have deployed in their production networks. Yersinia provides an important tool, especially for larger companies that maintain lab duplicates of their production network, for testing and understanding how your network will respond to a particular attack, as well as for testing new features provided by vendors that are designed to prevent or reduce the impact of specific attacks.

LAYER 4 SWITCHING WITH LINUX VIRTUAL SERVER

Layer 4 switching, more commonly referred to as IP load balancing, is the process of intelligently switching packets destined for a specific IP and port (TCP/UDP) to a different IP and/or port. Essentially it is a fancy form of NAT and address translation where the destination is selected dynamically based on specific criteria, such as load balancing metrics, QoS or the health of the proposed destination. The device between the source and the target maintains state, so that all packets of an established flow keep going to the server chosen for its first packet. The Linux Virtual Server project (http://www.linuxvirtualserver.org) provides an open source solution for Layer 4 switching. For high capacity, port density or mission critical applications where higher session capacity, advanced features and performance are key factors, proprietary solutions such as Nortel Application Switches (formerly Alteon), Cisco, F5, Foundry Networks and Radware all offer Layer 4 to Layer 7 solutions.
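The Layer 4 switching described above, as an added example that is not LVS code: a director owns a virtual IP and port, picks a real server for each new flow by weighted round robin, skips servers a health checker has marked down, keeps a 5-tuple state table so that later packets of the same flow go to the same server, and expires idle entries. The addresses, weights, packet model and timings are constructed for the simulation.

```python
"""Stateful Layer 4 switching in the LVS-NAT style: packets to a virtual IP:port are
rewritten to a real server chosen by weighted round robin, and the 5-tuple is remembered
so later packets of the same flow follow the same server. Added example, not LVS code;
addresses, weights and the packet model are constructed."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port")


class RealServer:
    def __init__(self, ip, port, weight=1):
        self.ip, self.port, self.weight = ip, port, weight
        self.healthy = True          # flipped by a health checker; unhealthy servers get no new flows


class L4Switch:
    def __init__(self, vip, vport, servers, idle_timeout=900):
        self.vip, self.vport, self.servers = vip, vport, servers
        self.idle_timeout = idle_timeout
        self.conns = {}              # 5-tuple -> (RealServer, last_seen)
        self._cycle = self._weighted_cycle()

    def _weighted_cycle(self):
        """Endless weighted round robin: a weight-2 server appears twice per round."""
        while True:
            for server in self.servers:
                for _ in range(server.weight):
                    yield server

    def _pick(self):
        for _ in range(sum(s.weight for s in self.servers)):
            server = next(self._cycle)
            if server.healthy:
                return server
        return None                  # whole pool is down

    def expire(self, now):
        for key, (_, last_seen) in list(self.conns.items()):
            if now - last_seen > self.idle_timeout:
                del self.conns[key]

    def forward(self, pkt, now):
        """Return the packet as it would leave the director, or None if dropped."""
        if (pkt.dst_ip, pkt.dst_port) != (self.vip, self.vport):
            return None              # not a service this director owns
        self.expire(now)
        entry = self.conns.get(pkt)
        if entry is None:
            server = self._pick()    # new flow: this is the scheduling decision
            if server is None:
                return None
        else:
            server = entry[0]        # existing flow stays pinned, even if its server went unhealthy
        self.conns[pkt] = (server, now)
        return pkt._replace(dst_ip=server.ip, dst_port=server.port)


def demo():
    """Constructed traffic: three new flows, a repeat, a server failure, then an idle timeout."""
    a = RealServer("10.0.0.11", 8080, weight=2)
    b = RealServer("10.0.0.12", 8080, weight=1)
    director = L4Switch("203.0.113.10", 80, [a, b], idle_timeout=900)

    def flow(sport):
        return Packet("tcp", "198.51.100.7", sport, "203.0.113.10", 80)

    chosen = []
    chosen.append(director.forward(flow(40001), now=0).dst_ip)     # new -> A
    chosen.append(director.forward(flow(40002), now=1).dst_ip)     # new -> A (weight 2)
    chosen.append(director.forward(flow(40003), now=2).dst_ip)     # new -> B
    chosen.append(director.forward(flow(40001), now=3).dst_ip)     # repeat -> A, from the state table
    a.healthy = False
    chosen.append(director.forward(flow(40004), now=4).dst_ip)     # new -> B, A is skipped
    chosen.append(director.forward(flow(40001), now=5).dst_ip)     # still A: established flow is kept
    chosen.append(director.forward(flow(40001), now=906).dst_ip)   # idle entry expired -> rescheduled to B
    return chosen


if __name__ == "__main__":
    print(demo())
```

The last two steps are the part worth noticing: a flow that was established before its server failed keeps going there until the entry times out, which is why LVS offers a way to quiesce a server rather than only removing it.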
FURTHER READING

Linux has a good selection of projects for implementing multilayer switching. Below are a couple of useful links that were valid at the time this article was written, if you are interested in learning more about some of the concepts discussed in this article.

DYNAMIC VLANS
http://www.netcraftsmen.net/welcher/papers/switchvmps.html

UNDERSTANDING SPANNING TREE PROTOCOL
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm

LAYER 4-7 SWITCHING PRIMER
http://www.nortel.com/solutions/enterprise/enabling_tech/layer4-7/
VOIP: Open Source Telephony
OPEN SOURCE TELEPHONY IS RELATIVELY EASY TO SET UP AND CAN SAVE YOUR BUSINESS THOUSANDS. SMALL BUSINESSES CAN NOW DEPLOY ADVANCED VOICE SOLUTIONS THAT WERE PREVIOUSLY COST PROHIBITIVE.
BY JOHN BUSWELL
The Private Branch Exchange (PBX) is a critical component for any business regardless of size. The PBX provides a private, company-owned telephone exchange which can drastically reduce the cost of services required from the telephone company. Traditionally, PBX systems have been expensive and required specialized technicians to deploy. However, that has changed with the dawn of Open Source Telephony and the digital PBX. The PBX takes a limited number of trunk lines from the business to the phone company's central office (local exchange) and enables them to be shared among the phone equipment within the company. Through the use of IP telephony and Virtual Private Networks (VPNs) it is possible to connect and share PBX solutions between different company offices. This article will introduce you briefly to some of the terms, discuss a solution, the cost saving benefits and various open source projects.

T1, E1, J1, FXO AND FXS
Connecting your PBX to the public phone system will either involve a regular RJ11/PSTN (phone jack) line connected to an FXO port, or some form of channelized trunk from the phone company. In North America these trunks are called T1, the equivalent of 24 phone lines (channels). In Europe they are called E1 (32 channels) and in Japan J1 (24 channels). An FXS port is a port on your PBX that you would connect a regular analog phone to. The FXS port generates the voltage on the wire to operate the analog phone.

VOIP

Voice over IP is analog audio (phone) converted to a digital format and distributed over an IP network to a destination. There are a number of different protocols that can be used to achieve VoIP; for the most part we will focus on SIP (Session Initiation Protocol) and IAX (Inter-Asterisk eXchange) in our VoIP series. Cisco has a proprietary protocol called SCCP (Skinny) and there is also H.323. Most Cisco IP phones support SIP, however they are typically shipped with SCCP software loaded.

HARDWARE
Digium (http://www.digium.com), the company behind the most popular open source PBX software, Asterisk (http://www.asterisk.org), provides a number of hardware options for connecting your open source PBX to the phone company. If you are a small business without the need for too many lines, then the TDM400 is a nice modular card that allows you to mix and match up to four modules (FXS or FXO) per card to meet your needs. They also supply T1/E1/J1 cards in single, dual and quad port versions. In addition to Digium, Sangoma Technologies (http://www.sangoma.com) also sells several Asterisk-compatible channelized cards. Using the TDM400 cards you can also connect regular analog telephones to your PBX. Alternatively, you can use many of the VoIP phones or ATA units available on the market today. An ATA (Analog Telephone Adapter) is essentially a small embedded device that converts VoIP to analog, similar to having a small system running Asterisk and a TDM400 with FXS ports to drive your analog phones from a VoIP network. You will also need a server to act as your PBX, with the appropriate hardware (discussed above) to connect to the phone company, as well as the appropriate hardware to connect either to your VoIP network or to your analog phones.

ASTERISK
At the heart of the Open Source PBX we have Asterisk. Asterisk is a fully featured PBX, providing all the features of traditional PBX systems, such as call queuing, conference bridging, voicemail and much more. There is a full list of features available on the Asterisk site (http://www.asterisk.org/features/). If you are using the Digium hardware you need to download the zaptel suite as well as Asterisk. The zaptel suite provides the kernel drivers for the Digium hardware. Compiling Asterisk is relatively easy: once uncompressed, it only requires a simple make; make install. It is important to read through the security material on Asterisk. Not only do you have to focus on the security of the server on which Asterisk resides, but you must also consider the security of Asterisk itself, and make sure that inbound dialers (or restricted outbound dialers) don't have the capability to make toll calls or otherwise access parts of Asterisk via the phone system that would be undesirable. In dialplan terms this means the context an inbound trunk lands in must not include, or jump to, a context containing the outbound trunk routes. Configuring Asterisk is an involved process, well beyond the scope of this article. O3 will look at configuring Asterisk in depth in a few issues.
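The toll-call check above can be automated against extensions.conf. The following is an added example, not Asterisk code or part of its distribution: it parses the [context], include => and exten => subset of the dialplan syntax, follows includes transitively from the context inbound calls land in, and reports every Dial() that reaches a trunk channel. The dialplan text is constructed, the context names and trunk prefixes are assumptions, and the include of [outbound-trunk] inside [ivr] is the deliberate mistake under test. Goto, Gosub and switch => statements are not followed, so a real audit should check those as well.

```python
"""Audit an Asterisk extensions.conf for toll-fraud exposure: starting from the context an
inbound trunk lands in, follow every `include =>` and report Dial() lines that reach a
trunk. Added example, not Asterisk code; the dialplan below is constructed and the
context names, trunk prefixes and the deliberate mistake in [ivr] are assumptions."""
import re

# Constructed dialplan. [ivr] includes the outbound trunk context, which is the classic
# mistake: anyone who dials in can then dial 9 + a toll number on the company's Zap trunk.
SAMPLE_CONF = """
[from-pstn]
exten => s,1,Answer()
exten => s,n,Goto(ivr,s,1)
include => ivr

[ivr]
exten => s,1,Background(main-menu)
exten => 1,1,Queue(support)
exten => 0,1,Dial(SIP/operator)
include => outbound-trunk   ; the mistake under test

[outbound-trunk]
exten => _9NXXNXXXXXX,1,Dial(Zap/g1/${EXTEN:1})
exten => _9011.,1,Dial(Zap/g1/${EXTEN:1})
"""

EXTEN_RE = re.compile(r"^(exten|same)\s*=>\s*(.*)$")


def parse_dialplan(text):
    """Parse the [context], include => and exten/same => subset of extensions.conf."""
    plan, ctx, last_exten = {}, None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            ctx = line[1:-1]
            plan.setdefault(ctx, {"extens": [], "includes": []})
            continue
        if ctx is None:
            continue
        if line.startswith("include"):
            plan[ctx]["includes"].append(line.split("=>", 1)[1].strip())
            continue
        match = EXTEN_RE.match(line)
        if not match:
            continue
        keyword, body = match.groups()
        if keyword == "exten":
            exten, prio, app = (part.strip() for part in body.split(",", 2))
            last_exten = exten
        else:                                         # same => n,App() continues the last exten
            prio, app = (part.strip() for part in body.split(",", 1))
            exten = last_exten
        plan[ctx]["extens"].append((exten, prio, app))
    return plan


def reachable_contexts(plan, start):
    """Contexts reachable from `start` through include => lines, transitively."""
    seen, stack = set(), [start]
    while stack:
        ctx = stack.pop()
        if ctx in seen or ctx not in plan:
            continue
        seen.add(ctx)
        stack.extend(plan[ctx]["includes"])
    return seen


def trunk_dials_reachable(plan, start, trunk_prefixes):
    """Every Dial() whose first target is a trunk channel, reachable from `start`."""
    hits = []
    for ctx in sorted(reachable_contexts(plan, start)):
        for exten, prio, app in plan[ctx]["extens"]:
            if app.startswith("Dial(") and app[len("Dial("):].startswith(trunk_prefixes):
                hits.append((ctx, exten, app))
    return hits


def audit(conf_text, inbound_context="from-pstn", trunk_prefixes=("Zap/", "IAX2/provider")):
    return trunk_dials_reachable(parse_dialplan(conf_text), inbound_context, trunk_prefixes)


if __name__ == "__main__":
    for ctx, exten, app in audit(SAMPLE_CONF):
        print(f"toll route reachable from inbound callers: [{ctx}] {exten} -> {app}")
    fixed = SAMPLE_CONF.replace("include => outbound-trunk", "")
    print("after removing the include:", audit(fixed))
```

Run against the constructed dialplan the audit reports both Zap/g1 routes; removing the include from [ivr] makes it report nothing, which is the state an inbound context should be in.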
EXAMPLE DEPLOYMENT

In the figure opposite, we have a sample deployment consisting of two office locations and a remote telecommuter. The first site is based in Cincinnati, Ohio in the United States, while the second site is located in Dublin, Ireland. The first site is connected via a T1 trunk (24 channels) to the local 513 area code, while the second site is connected via four standard PSTN lines to the local exchange in Dublin. Both sites are using Linux servers running Asterisk and are connected to the Internet via high speed broadband connections. For the sake of this example, let's say that the Dublin office is a sales office, while the Cincinnati office contains technical support staff. The company wishes to provide technical support from the Cincinnati office to customers in the Dublin area. This would be an expensive project to complete using traditional technology; however, with Asterisk and Open Source technologies it is possible to implement this at relatively low cost to the company. The two offices can be connected together using OpenVPN (http://www.openvpn.net), providing a secure transport for the communication between the two PBX systems. Asterisk comes with its own exchange protocol called IAX; alternatively you can run SIP as well. While IAX2 does have PKI-style authentication and trunking, it won't protect the contents of your calls from being sniffed off the wire, so utilizing a VPN technology when routing private calls between offices over the Internet is your best bet. Once configured correctly, a client calling the local office in Dublin (a local call) now has their call routed, upon selecting the support option, over the Internet to the Cincinnati support queue. Now the company can benefit from the expertise it has established locally in the Cincinnati area for its Dublin customers, without requiring the customers to call long distance. In addition, staff at the Dublin office can call, conference and perform a wide range of other tasks as if the Cincinnati location were local, and vice versa.

The example also shows a remote worker. This might be an on-call technical support engineer covering the early morning business hours in Europe from their home. Here the engineer connects to the Cincinnati office via VPN, and has a firewall in place to protect their local network. The firewall is also running a SIP proxy, which allows the SIP softphone to register with the Asterisk PBX while remaining behind the firewall.

SIP PROXY

Siproxd (http://siproxd.sourceforge.net) and PartySIP (http://www.nongnu.org/partysip/) are two open source SIP proxies. A SIP proxy handles registration of SIP clients on a private network and performs rewrites on the SIP messages to make SIP connections possible through a firewall providing NAT (Network Address Translation). SIP (Session Initiation Protocol) is defined by RFC 3261 and is one of the protocols used by software and VoIP phones. The alternative approach is a method called STUN, which enables a SIP client to determine its public IP address, but for this to work a wide range of ports must be opened on the firewall so that the media (RTP) streams can come back in. Instead, projects such as siproxd actually perform Layer 7 packet inspection and rewriting on the SIP packets sent through the proxy: the private addresses the phone puts into its Via and Contact headers are replaced with the proxy's public address, and the proxy remembers the mapping so it can deliver inbound calls to the phone.
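The rewrite described above, as an added example that is not siproxd or PartySIP code: a REGISTER from a softphone on the private LAN leaves with a proxy Via on top and the proxy's public address in Contact, and the private address is remembered so an INVITE for that contact can be routed back through the firewall. The addresses, the message text and the class and function names are constructed; the response path (stripping the proxy's own Via from replies) is not modelled.

```python
"""The rewrite a NAT-aware SIP proxy performs, as an added example (not siproxd or
PartySIP code): outbound REGISTER gets a proxy Via and a public Contact, and the
private contact is remembered so inbound requests can be routed back. Addresses, the
message text and the class names are constructed."""
import hashlib
import re

CONTACT_RE = re.compile(r"<sip:([^@>]+)@([^:;>]+)(?::(\d+))?([^>]*)>")


def parse_sip(msg):
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(start_line, headers, body):
    return "\r\n".join([start_line] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n" + body


class SipNatProxy:
    def __init__(self, public_ip, public_port=5060):
        self.public_ip, self.public_port = public_ip, public_port
        self.contacts = {}   # public contact URI -> (private host, private port)

    def _branch(self, headers):
        """Via branch must be unique per transaction; derive it from Call-ID and CSeq."""
        call_id = next(v for n, v in headers if n.lower() == "call-id")
        cseq = next(v for n, v in headers if n.lower() == "cseq")
        return "z9hG4bK" + hashlib.sha1(f"{call_id}|{cseq}".encode()).hexdigest()[:16]

    def _rewrite_contact(self, value):
        m = CONTACT_RE.search(value)
        if not m:
            return value
        user, host, port, params = m.groups()
        public = f"sip:{user}@{self.public_ip}:{self.public_port}"
        self.contacts[public] = (host, int(port or 5060))
        return value[:m.start()] + f"<{public}{params}>" + value[m.end():]

    def outbound(self, msg):
        """Private side -> registrar: add our Via on top, publish a reachable Contact."""
        start_line, headers, body = parse_sip(msg)
        via = ("Via", f"SIP/2.0/UDP {self.public_ip}:{self.public_port};branch={self._branch(headers)}")
        new_headers = [via] + [(n, self._rewrite_contact(v) if n.lower() == "contact" else v)
                               for n, v in headers]
        return serialize_sip(start_line, new_headers, body)

    def inbound(self, msg):
        """Registrar/caller -> private side: map a public contact back to the phone."""
        start_line, headers, body = parse_sip(msg)
        method, uri, version = start_line.split(" ", 2)
        if uri not in self.contacts:
            return None              # nobody registered this contact through us: refuse it
        host, port = self.contacts[uri]
        user = uri[len("sip:"):].split("@", 1)[0]
        return serialize_sip(f"{method} sip:{user}@{host}:{port} {version}", headers, body)


# Constructed REGISTER, as a softphone behind NAT would send it.
REGISTER = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:engineer@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:engineer@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:engineer@192.168.1.10:5060>;expires=3600\r\n"
    "Content-Length: 0\r\n\r\n"
)


def demo():
    proxy = SipNatProxy("203.0.113.5")
    forwarded = proxy.outbound(REGISTER)
    contact = next(v for n, v in parse_sip(forwarded)[1] if n == "Contact")
    invite = "INVITE sip:engineer@203.0.113.5:5060 SIP/2.0\r\nCall-ID: x1\r\nCSeq: 1 INVITE\r\n\r\n"
    routed = proxy.inbound(invite)
    unknown = proxy.inbound("INVITE sip:nobody@203.0.113.5:5060 SIP/2.0\r\n\r\n")
    return contact, routed.split("\r\n")[0], unknown


if __name__ == "__main__":
    print(demo())
```

The refusal in inbound() is the security-relevant part: the proxy only opens a path to an internal phone that has registered through it, rather than forwarding any SIP request that names an internal address.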
ASTLINUX

AstLinux (http://www.astlinux.org) is a custom Linux distribution centered around Asterisk. AstLinux provides an out-of-the-box solution with a wide range of features, making it a useful solution for a quick embedded or commercial Asterisk installation. With a little effort, it can be easily modified to fit almost any situation. The project provides a number of useful images, including a bootable ISO image. The project is geared towards older Pentium-MMX hardware and embedded solutions such as the Soekris line of embedded devices. If you're looking to provide a large solution with multiple T1 lines, multiple IAX trunks and large amounts of space for IVR/voicemail solutions, selecting your favorite enterprise Linux distribution and installing Asterisk from source might be a better approach.

ASTERISK@HOME
Asterisk@Home, which can be found online at http://asteriskathome.sourceforge.net, is a fast and simple solution for getting Asterisk up and running quickly. Asterisk@Home is a Linux distribution that utilizes CentOS (www.centos.org) and provides a web-based interface for configuring and managing Asterisk. The solution includes another project, AMP (Asterisk Management Portal), which can be found at http://coalescentsystems.ca/index.php. AMP is web based, with a Flash operator panel, and provides a wide range of management tasks. If you want to get Asterisk running quickly without going in depth, Asterisk@Home is a great solution.

ENUM, E.164 AND DUNDI
ENUM is essentially DNS for your telephone number. E.164 is the international telephone numbering plan administered by the ITU, which provides the format, structure and administrative hierarchy of telephone numbers. A fully qualified E.164 number contains the country code (e.g. +353 for Ireland), area code and phone number for the destination. ENUM provides something like reverse DNS on the phone number: the digits are reversed, separated by dots and placed under the e164.arpa domain, and the NAPTR records found there convert the number into a URI (e.g. a SIP URI at a proxy run by the phone company that provides PSTN service to the particular area code in that country) that would typically be able to handle call routing to that number.

DUNDi is a distributed peer-to-peer system for locating Internet gateways to phone services. DUNDi is a distributed solution with no centralized authority, unlike ENUM. DUNDi is a routing protocol, so that services may be routed and accessed using industry standard VoIP technologies such as IAX, SIP or H.323. DUNDi provides a solution that enables the creation of highly available enterprise PBX solutions, where no one PBX creates a central point of failure. DUNDi also provides an Internet-based E.164 peering system; for more details review the documentation and members at http://www.dundi.com.
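The ENUM mapping above, worked through as an added example (not Asterisk or DUNDi code): an E.164 number is turned into its e164.arpa name as RFC 3761 specifies, and the NAPTR records at that name are ordered and their substitution expressions applied to produce a URI. No DNS query is made; the NAPTR rdata is constructed and the hostnames in it are assumptions.

```python
"""E.164 to ENUM lookup as RFC 3761 defines it, as an added example (not Asterisk or
DUNDi code): the number's digits are reversed into a name under e164.arpa, and the
NAPTR records found there turn the number into a URI. No DNS query is made; the NAPTR
rdata below is constructed and the hostnames are assumptions."""
import re

NAPTR_RE = re.compile(r'^(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)$')


def e164_to_enum(number, suffix="e164.arpa"):
    """'+353 1 234 5678' -> '8.7.6.5.4.3.2.1.3.5.3.e164.arpa'."""
    if not number.strip().startswith("+"):
        raise ValueError("ENUM needs a fully qualified E.164 number starting with '+'")
    digits = re.sub(r"\D", "", number)
    return ".".join(reversed(digits)) + "." + suffix


def parse_naptr(rdata):
    """Parse presentation-format NAPTR rdata: order pref "flags" "service" "regexp" replacement."""
    m = NAPTR_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed NAPTR: {rdata!r}")
    order, pref, flags, service, regexp, replacement = m.groups()
    return {"order": int(order), "pref": int(pref), "flags": flags,
            "service": service, "regexp": regexp, "replacement": replacement}


def apply_regexp(regexp, number):
    """Apply a NAPTR substitution expression ('!pattern!replacement!flags') to the number."""
    delim = regexp[0]
    pattern, repl, flagchars = regexp[1:].split(delim)
    flags = re.IGNORECASE if "i" in flagchars else 0
    if not re.search(pattern, number, flags):
        return None                   # the record does not apply to this number
    return re.sub(pattern, repl, number, count=1, flags=flags)


def resolve_enum(number, naptr_rdata, wanted_service="E2U+sip"):
    """Pick the best (lowest order, then preference) terminal record for the service."""
    records = sorted((parse_naptr(r) for r in naptr_rdata),
                     key=lambda r: (r["order"], r["pref"]))
    for rec in records:
        if rec["service"].lower() != wanted_service.lower() or "u" not in rec["flags"].lower():
            continue
        uri = apply_regexp(rec["regexp"], number)
        if uri is not None:
            return uri
    return None


# Constructed records as they might sit at 8.7.6.5.4.3.2.1.3.5.3.e164.arpa.
SAMPLE_NAPTR = [
    '100 10 "u" "E2U+sip" "!^.*$!sip:sales@pbx.example.ie!" .',
    '100 20 "u" "E2U+sip" "!^\\+353(.*)$!sip:\\1@gw.example.ie!" .',
    '200 10 "u" "E2U+email:mailto" "!^.*$!mailto:sales@example.ie!" .',
]


if __name__ == "__main__":
    number = "+353 1 234 5678"
    print(e164_to_enum(number))                      # name to query for NAPTR records
    print(resolve_enum(number, SAMPLE_NAPTR))        # preferred SIP URI
    print(resolve_enum(number, SAMPLE_NAPTR[1:]))    # fallback record uses a back-reference
```

The second record shows why the regexp field matters: it carries the dialled digits into the resulting URI, which is how a single NAPTR can cover a whole block of numbers at one gateway. Any PBX that trusts ENUM answers is trusting whoever controls that zone, so the result is a routing hint, not an authenticated identity.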
SIPX

sipX (http://www.sipfoundry.org/sipX/sipXuser/) is an Open Source PBX solution based on SIP. sipX provides many of the PBX capabilities of Asterisk, such as DID, hunt groups, call forwarding, voicemail and so on. sipX doesn't provide any gateway capabilities to the PSTN; it is a pure SIP IP PBX solution. It has some interesting features such as XML-based call routing and the ability to configure attached phones and gateways.

SIP EXPRESS ROUTER

The SIP Express Router is a high performance, configurable, free SIP server which can act as a proxy, redirect or registrar server; check it out at http://www.iptel.org/ser/. There is also the OpenSER project at http://www.openser.org/.

RUBY ON RAILS INTEGRATION

Next issue: a look at web integration with Asterisk using RAGI (http://ragi.sourceforge.net).

DUNDi, IAX and Asterisk are trademarks of Digium Inc. (http://www.digium.com).
NETWORK APPLICATIONS: Deploying Wifidog, the embedded Captive Portal
WIFIDOG IS A C-BASED CAPTIVE PORTAL DESIGNED FOR THE LINKSYS WRT54G BUT RUNS ON ANY LINUX PLATFORM. IT PROVIDES ACCESS CONTROL, BANDWIDTH ACCOUNTING AND MUCH MORE.
BY JOHN BUSWELL
Wifidog is a lightweight captive portal solution designed to run on embedded devices such as the Linksys WRT54G. The Linksys WRT54G and WRT54GS are low cost wireless routers from Linksys that run Linux. These devices can run alternative firmware; be careful, because running such firmware will VOID YOUR WARRANTY. However, most retail outlets have these routers for under $70, so it is not too much to risk. OpenWRT is the alternative firmware of choice for running open source applications on the WRT54G; from this point on I'll refer to the WRT54G/GS as the AP (access point). Building OpenWRT is relatively easy: you simply download the latest release from www.openwrt.org, uncompress it, run make menuconfig, run through the menu options to suit your needs, then run make. From that point on it's pretty much automated; you will need an Internet connection, and broadband is recommended due to some larger downloads such as the Linux kernel. Why would you want to risk your warranty over some free software? Surely Linksys has the best firmware? Well, Linksys have the product designed for the average user, which works great, but the hardware platform is extremely flexible running OpenWRT. Once you have OpenWRT on there you are free to upload almost any open source application that will compile and fit on the hardware. You might want to run a SIP phone behind the wireless router; well, with OpenWRT you can load siproxd onto the Linksys along with iptables and that's it. As you start to use OpenWRT more, you'll see exactly how flexible it is and how great it is to be able to add new capabilities to your network.

WHAT IS A CAPTIVE PORTAL?

A captive portal is essentially a means to prevent a user from accessing network resources (mainly the Internet) until they have authenticated with a server. Typically a captive portal is used at wireless hotspots, allowing the user to log in, authenticate and use the network as their privileges allow. The user doesn't have to know a particular address; when they attempt to use their browser they are transparently redirected to the authentication page. Wifidog is interesting in that it is lightweight enough to run directly on low cost wireless hardware such as the AP, and it checks network activity rather than relying on a JavaScript window, thus allowing PDAs, cell phones and Sony PSPs to utilize the resources.

HOW DOES WIFIDOG WORK?

The solution works by using firewall rules to control traffic through the router. When a new user attempts to access a web site, the wifidog component on the AP will transparently redirect the user to the auth server, where they can either log in or sign up. The auth server and the wifidog component on the AP will negotiate how to handle the client, whether to permit or deny certain network access. The AP talks to the auth server periodically to update statistics such as uptime, load and traffic per client, and to act as a heartbeat. The flow below illustrates the process that Wifidog utilizes (courtesy of Ile Sans Fil, www.wifidog.org).
• The client does his initial request, as if he were already connected (e.g. http://www.google.ca)
• The Gateway's firewall rules mangle the request to redirect it to a local port on the Gateway. When that's done, the Gateway provides an HTTP redirect reply that contains the Gateway ID, Gateway FQDN and other information
• The client does his request to the Auth Server as specified by the Gateway
• The Auth Server replies with a (potentially custom) splash (login) page
• The client provides his identification information (username and password)
• Upon successful authentication, the client gets an HTTP redirect to the Gateway's own web server carrying his authentication proof (a one-time token)
• The client then connects to the Gateway and thus gives it his token
• The Gateway requests validation of the token from the Auth Server
• The Auth Server confirms the token
• The Gateway then sends a redirect to the client to obtain the success page from the Auth Server
• The Auth Server notifies the client that his request was successful
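The exchange above, simulated end to end as an added example that is not Wifidog's own C gateway or PHP auth server code. The query-string names (gw_id, gw_address, gw_port, url, token, stage) follow the documented flow; the hostnames, addresses, user database and the exact redirect paths are assumptions made for the simulation. The points it makes concrete are the ones that matter for security: the token is bound to the gateway it was issued for, and it is accepted at the login stage exactly once, so a captured redirect URL cannot be replayed by a second client.

```python
"""Wifidog gateway / auth server token flow, simulated. Added example, not Wifidog code;
hostnames, addresses, users and exact paths are assumptions."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthServer:
    def __init__(self, users):
        self.users = users            # username -> password (constructed)
        self.tokens = {}              # token -> {"user", "gw_id", "validated"}

    def login(self, username, password, gw_id, gw_address, gw_port):
        """Splash-page login. On success the client is redirected to the gateway with a one-time token."""
        if self.users.get(username) != password:
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = {"user": username, "gw_id": gw_id, "validated": False}
        return f"http://{gw_address}:{gw_port}/wifidog/auth?token={token}"

    def validate(self, gw_id, token, stage):
        """Gateway -> auth server check. A token is bound to one gateway and may be
        validated at stage=login exactly once; replays and other gateways are refused."""
        rec = self.tokens.get(token)
        if rec is None or rec["gw_id"] != gw_id:
            return False
        if stage == "login":
            if rec["validated"]:
                return False
            rec["validated"] = True
            return True
        return rec["validated"]       # stage=counters: periodic heartbeat for a client already in


class Gateway:
    def __init__(self, gw_id, address, port, auth_server, auth_base):
        self.gw_id, self.address, self.port = gw_id, address, port
        self.auth_server, self.auth_base = auth_server, auth_base
        self.allowed = {}             # client MAC -> token, i.e. the firewall's "pass" set

    def intercept(self, client_mac, requested_url):
        """What the firewall rules do with a client's first HTTP request."""
        if client_mac in self.allowed:
            return ("PASS", requested_url)
        query = urlencode({"gw_id": self.gw_id, "gw_address": self.address,
                           "gw_port": self.port, "url": requested_url})
        return ("REDIRECT", f"{self.auth_base}/login/?{query}")

    def auth(self, client_mac, redirect_url):
        """Client arrives at /wifidog/auth with its token; the gateway asks the auth server."""
        token = parse_qs(urlparse(redirect_url).query).get("token", [None])[0]
        if token and self.auth_server.validate(self.gw_id, token, stage="login"):
            self.allowed[client_mac] = token
            return ("REDIRECT", f"{self.auth_base}/portal/?gw_id={self.gw_id}")
        return ("DENY", None)


def demo():
    """Constructed walk-through: one legitimate login, then two replay attempts."""
    auth = AuthServer({"alice": "correct horse"})
    gw = Gateway("cafe-ap1", "192.168.1.1", 2060, auth, "https://auth.example.org/wifidog")
    other = Gateway("cafe-ap2", "192.168.2.1", 2060, auth, "https://auth.example.org/wifidog")
    mac, mac2 = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    steps = {}
    steps["first_request"] = gw.intercept(mac, "http://www.google.ca")[0]              # REDIRECT to login
    steps["bad_password"] = auth.login("alice", "guess", gw.gw_id, gw.address, gw.port)   # None
    login_redirect = auth.login("alice", "correct horse", gw.gw_id, gw.address, gw.port)
    steps["wrong_gateway"] = other.auth(mac2, login_redirect)[0]                       # DENY: bound to cafe-ap1
    steps["token_accepted"] = gw.auth(mac, login_redirect)[0]                           # REDIRECT to portal
    steps["after_login"] = gw.intercept(mac, "http://www.google.ca")[0]                # PASS
    steps["replay"] = gw.auth(mac2, login_redirect)[0]                                  # DENY: one-time token
    return steps


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:15} {outcome}")
```

In the real deployment the gateway-to-auth-server validation happens over HTTPS (SSLAvailable in wifidog.conf), which is what stops a client on the same wireless network from forging the "token confirmed" answer.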
GETTING OPENWRT ON THE WRT54G/GS

OpenWRT takes some time to compile. Once it is done, if you haven't run OpenWRT previously you need to do some work on your router first. The AP by default starts out on 192.168.1.1/24. The easiest way to configure the router is if you have a second Ethernet interface in your Linux workstation: connect the AP's port 1 to the second Ethernet interface, and configure it with

ip link set eth1 up; ip addr add 192.168.1.10/24 dev eth1

Next do a quick ping 192.168.1.1 to make sure that you can see the AP. Now simply point a browser at http://192.168.1.1 and use admin/admin as the username/password. This is the default for the AP. The first thing you need to do is check the firmware version; this is displayed in the upper right hand corner. For the AP we used, the version was 3.37.7, but we needed 3.37.2 to enable the boot_wait option on the AP to install OpenWRT. A quick download from Linksys, then follow the Administration -> Firmware Upgrade option. Unzip the file from Linksys (in this case we used WRT54GS_3.37.2_US_code.bin) to downgrade the router. Simply select browse, select the file and select upgrade. Click continue once it completes; now you should see 3.37.2 (or 3.01.3 if you are using a WRT54G v3.0). Refer to the OpenWRT documentation for details and specific version numbers, as they tend to change periodically. In order for the OpenWRT installation to proceed we have to enable the boot_wait option in the firmware; this tells the AP to check for TFTP prior to loading the actual firmware, which gives us the opportunity to feed the AP an OpenWRT image. The hack is relatively simple: paste each line below in turn into the address field of the ping web tool in the Linksys firmware and select the ping button after each paste. If you did it correctly, you'll see an output of NVRAM at the end of the last ping. You must configure a static IP address on the Internet interface before trying this, otherwise it won't work. You don't need link up, just a configured IP on the Internet (WAN) interface.

;cp${IFS}*/*/nvram${IFS}/tmp/n
;*/n${IFS}set${IFS}boot_wait=on
;*/n${IFS}commit
;*/n${IFS}show>tmp/ping.log

When OpenWRT completes its build, the images are stored in bin/. Simply figure out the correct one for your hardware, then use tftp to transfer it. Remove the power from the AP, then issue:

tftp 192.168.1.1
tftp> binary
tftp> rexmt 1
tftp> timeout 60
tftp> trace on
tftp> put openwrt-version.bin
[Now power up the Linksys WRT54GS]

Give it a few minutes, as OpenWRT has to go through a few hoops before the AP will respond to pings. Now telnet to 192.168.1.1 once it responds to pings and you should see the OpenWRT banner. If you use the squashfs image, you need to follow the commands in the OpenWRT docs to remove the /etc/ipkg.conf symlink and copy the actual file from ROM. You may also need to use the nvram command to set the wan_ipaddr and wan_gateway options in the firmware. Removing /etc/resolv.conf and creating the file manually will also be required.

GETTING WIFIDOG ON THE WRT54G/GS
Next, to download and install wifidog simply:

cd /tmp
wget http://old.ilesansfil.org/dist/wifidog/wifidog_1.1.1_mipsel.ipk
ipkg install wifidog_1.1.1_mipsel.ipk -force-overwrite

The -force-overwrite is required if you are running a later version of OpenWRT with iptables, as wifidog tries to install two iptables extensions that iptables has already installed. Now the wifidog client is installed on the AP. Edit /etc/wifidog.conf and run wifidog -f -d 7 (debug mode). The configuration file is well documented and self explanatory.

WIFIDOG QUICKSTART CONFIG
This is not intended to provide a production configuration, but a quick start guide on what to set up in the config, the bare minimum to get wifidog running. Edit the GatewayID to match your AuthServer configuration.

ExternalInterface vlan1
GatewayInterface br0
AuthServer {
    Hostname auth.mydomain.com
    SSLAvailable yes
    Path /
}
CheckInterval 60
ClientTimeout 5
...

Leave the firewall rules at the default. Next configure the AuthServer, and then start wifidog on the AP.

AUTH SERVER

PostgreSQL, Apache and PHP 5 are required to get the AuthServer running. You install this on a local Linux box (not the AP). Simply download the auth server, make sure you have all the prerequisites listed in the INSTALL file available, copy the wifidog directory to your web server, plug the url into your browser (e.g. http://wifidog.mycompany.com/wifidog/install.php) and go through the steps.

TESTING

Now simply connect a WiFi device to the AP, try to browse somewhere and if you correctly configured wifidog you'll be presented with the captive portal sign-up/login page.

FURTHER READING

OpenWRT http://www.openwrt.org
Wifidog http://www.wifidog.org
NoCat http://www.nocat.net
LinkSys http://www.linksys.com
NETWORK SECURITY
Intrusion Detection

INTRUSION DETECTION SYSTEMS (IDS) MAKE UP AN IMPORTANT PART OF ANY NETWORK SECURITY POLICY. WHY DO YOU NEED IDS, WHERE DO YOU PUT IDS AND HOW DO YOU DEPLOY IT?

BY JOHN BUSWELL
An intrusion is unauthorized network or system activity on your servers or networks. Intrusion Detection is the art of detecting this unauthorized activity amongst legitimate network traffic by sifting through the data flowing across your network. This article focuses on Network Intrusion Detection Systems (NIDS); another form of IDS is Host Intrusion Detection Systems (HIDS). The difference is primarily that the latter focuses on the protection of just one system. There are advanced solutions such as distributed IDS and IDS load balancing; these will be discussed in dedicated articles later in this series on IDS.

Some businesses feel that complex IDS solutions are overkill because they operate a small business that nobody is going to be concerned with. However, these days, it is the computing resources and your bandwidth to the Internet that attackers want, not necessarily your intellectual property or to disrupt your business. Think of attackers as network "carjackers": they don't care who you are, they just want your "car". An IDS solution will help detect signs that someone is looking for or trying specific exploits against your infrastructure in an attempt to gain further information or access.

There is one aspect of IDS that is often overlooked by technical staff and that is the legalities of performing Network IDS. In many countries there are strict wire-tapping laws and regulations. If you do not already have an IDS in place, especially for small and medium sized businesses, it is always worth consulting with a legal expert to determine what laws and regulations you must abide by, as this may determine what you must disclose to employees and customers and how IDS information is reported.
Snort is the de facto standard for intrusion detection/prevention systems. Snort utilizes a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. Snort is the most widely deployed IDS technology in the world. If you want to do network IDS, then Snort is the way to go. Snort supports IP defragmentation, TCP stream reassembly and stateful protocol analysis. This article is going to briefly introduce Snort to you, how to attach it to your network and where to look next. As the series progresses, we will look at advanced techniques such as defragmentation, custom rules and much more.

ATTACHING SNORT TO YOUR NETWORKS
Before going into compiling and configuring snort, it is important to understand that Snort, like other Network IDS solutions, must be attached to your network at the correct location, otherwise the effectiveness of the IDS solution is reduced. Typically the best location for small and medium sized businesses is to monitor links to/from the Internet. In a switched environment the router(s) to the Internet are connected to a switch port or VLAN; most enterprise grade switches support what's called port mirroring, or for Cisco users "SPAN". This allows you to configure the switch to take port or vlan traffic and duplicate it out a mirroring port. The downside to port mirroring is that on some switches under heavy load you can seriously impact the performance of the switch; also, if the traffic you are trying to monitor exceeds the capabilities of the mirroring port, you will not be able to mirror all packets at high network utilization.

Another option is to insert a hub in-line, and attach the IDS to the hub, allowing normal traffic to flow across the hub. The downside to this method is that data loss occurs due to collisions at high bandwidth utilization, it creates an additional single point of failure and you will lose full-duplex capabilities. A more expensive option is to use network taps; taps are discussed at length at http://www.snort.org/docs/#deploy. Cost, multiple NICs and slightly more complex installation due to the addition of channel bonding in order to do stateful analysis are the downsides to using network taps.
For a typical small or medium business network, where LAN bandwidth utilization is low, and the IDS is focused on low-bandwidth Internet links, a switch capable of port mirroring should be sufficient. With larger networks the cost of a tap is less prohibitive.

GETTING SNORT
The latest version of snort at the time this article was written is 2.4.3. Before installing snort, you may have to install pcre (Perl Compatible Regular Expressions), which is required by snort. Both pcre and snort support the usual POSIX ./configure; make && make install. If you're not building from source, you'll need to check if snort is available for your Linux distribution. Once built and installed, we can do a couple of check tests of snort in sniffer mode. Running ./snort -vde should dump real time packet data out to the local terminal; hit ctrl+c to stop it, and scroll up to make sure it's working. Snort will also log packet data for you: ./snort -l /tmp/testlog -b (assuming you have created a /tmp/testlog directory) will log the packets, which can then be read back via Ethereal or snort itself using ./snort -dv -r packet.log.

SNORT IN-LINE
Snort supports integrated intrusion prevention system capabilities with the snort_inline feature. This feature receives packets from iptables instead of libpcap and then applies rules to help iptables accept or drop packets based on Snort rules. We will look at Snort's IPS features in a future article.

CONFIGURING SNORT
Since the purpose of this article is to introduce snort, we will keep the configuration to the minimum needed to get it running. The config file for snort is located in /etc/snort.conf; if you installed from source, you'll need to copy it from ./etc/snort.conf in the source tree. The configuration file is fairly straightforward: to get running simply configure the HOME_NET to match your local network, and you may also want to tweak the rule sets depending on the rules you are using. Modify RULE_PATH to /etc/rules or your own customized path. In addition to snort.conf, you will need to copy classification.conf, reference.conf and unicode.map to /etc. These are all in the ./etc directory in the source tree.
RULES
At the heart of snort are the rules. Without the rules Snort quickly becomes outdated and is less effective. There are four different sets of rules distributed for Snort. The Community Rules are available for free and are distributed under the GPL. The other three sets are variations of the Sourcefire VRT Certified Rules – unregistered, registered and subscription. The unregistered rules are updated with each major release of Snort, maybe once a quarter. The registered rules require agreeing to a licensing agreement, and are released 5 days after they are made available to subscribers. Subscribers pay a modest fee for real-time access to new rules. Once you have your rules, copy the rules/contents over to /etc/rules unless you changed the path in the snort.conf.

RUNTIME
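The following script ties the CONFIGURING SNORT and RULES sections together. It is an added example, not code from the article or from the Snort project: it writes the minimal snort.conf described above (HOME_NET, RULE_PATH and the supporting includes) and a local.rules file containing one locally written rule, so a fresh sensor has something concrete to alert on. The paths follow the article (/etc/snort.conf, /etc/rules); the network address, the rule text, the function names and the sid 1000001 are all this example's own choices, and the supporting files are referenced under the names the Snort source tree actually uses (classification.config, reference.config).

```shell
#!/bin/sh
# Added example, not code from the O3 article or from the Snort project.
# Generates a minimal snort.conf plus one local rule for a first sensor run.

# Print a minimal snort.conf on stdout.
#   $1 = HOME_NET in CIDR form, e.g. 192.168.1.0/24 (required)
#   $2 = RULE_PATH, defaults to /etc/rules as in the article
gen_snort_conf() {
    home_net="$1"
    rule_path="${2:-/etc/rules}"
    # Refuse an empty HOME_NET: every rule below keys on it, and a blank
    # value is far easier to catch here than after Snort has started.
    if [ -z "$home_net" ]; then
        echo "gen_snort_conf: HOME_NET is required" >&2
        return 1
    fi
    cat <<EOF
# minimal snort.conf (generated by the added example script)
var HOME_NET $home_net
var EXTERNAL_NET !\$HOME_NET
var RULE_PATH $rule_path

# supporting files: copied from ./etc in the Snort source tree to /etc
include classification.config
include reference.config

# rule sets: distributed rules live under RULE_PATH, your own go in local.rules
include \$RULE_PATH/local.rules
EOF
}

# Print a local.rules file with one rule: a TCP SYN from outside HOME_NET to
# port 23. Telnet should not be reachable from the Internet on a small business
# network, so any hit deserves a look. sid 1000001 is in the range reserved
# for locally written rules (1000000 and up), so it cannot collide with the
# distributed rule sets.
gen_local_rules() {
    cat <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"LOCAL inbound telnet SYN from outside"; flags:S; classtype:attempted-recon; sid:1000001; rev:1;)
EOF
}

# Write both files under $1 (e.g. /etc) for HOME_NET $2 and print the command
# line that starts Snort against them, mirroring the RUNTIME section.
install_snort_conf() {
    dest="$1"
    home_net="$2"
    mkdir -p "$dest/rules" || return 1
    gen_snort_conf "$home_net" "$dest/rules" > "$dest/snort.conf" || return 1
    gen_local_rules > "$dest/rules/local.rules" || return 1
    echo "mkdir -p /tmp/testlog && snort -d -l /tmp/testlog/ -c $dest/snort.conf"
}

# Demo: show the generated config for the article's example network.
# For a real install (as root): install_snort_conf /etc 192.168.1.0/24
gen_snort_conf 192.168.1.0/24
```

Run install_snort_conf against a scratch directory first and read the generated files before pointing it at /etc; the printed snort command line is the same one the RUNTIME section uses, with the config path substituted.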
Snort is now ready to go; to start it up simply execute:

mkdir -p /tmp/testlog
./snort -d -l /tmp/testlog/ -c /etc/snort.conf

The /tmp/testlog directory is where snort will store its log files; you will want to monitor the alert log. Now that you are up and running, you will need to go back over the configuration files in detail, look at the Snort documentation on how to write your own rules, and tweak the rule sets to best suit your needs.

FURTHER READING
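Monitoring the alert log means more than tailing it. The script below is an added example, not code from the article or from the Snort project: it makes a first triage pass over an alert file, counting alerts per signature and per source address and listing the sources that cross a threshold. It assumes Snort's one-line "fast" alert format (produced with -A fast; the default alert file uses the multi-line full format, so either start Snort with -A fast or adapt the field parsing). The sample alert lines, the signature messages, the sids and the addresses are constructed for this example and were not captured from a real sensor.

```shell
#!/bin/sh
# Added example, not code from the O3 article or from the Snort project.
# First triage pass over Snort's alert log in the one-line "fast" format.

# Constructed sample alerts (not from a real sensor). The sids are in the
# local range (1000000 and up) and the addresses are documentation ranges.
SAMPLE_ALERTS='10/15-09:12:01.000001  [**] [1:1000001:1] LOCAL inbound telnet SYN from outside [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40211 -> 192.168.1.10:23
10/15-09:12:03.000002  [**] [1:1000001:1] LOCAL inbound telnet SYN from outside [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40212 -> 192.168.1.10:23
10/15-09:15:44.000003  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.4 -> 192.168.1.1
10/15-09:20:10.000004  [**] [1:1000001:1] LOCAL inbound telnet SYN from outside [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.4:51000 -> 192.168.1.10:23
10/15-09:21:02.000005  [**] [1:1000002:1] LOCAL ICMP echo sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 192.168.1.2'

# Count alerts per signature: the "[gid:sid:rev] message" text between the
# two [**] markers. Reads alert lines on stdin and prints
# "count<TAB>signature", busiest signature first. Lines without the markers
# (for example a partially written last line) are skipped.
count_by_sig() {
    awk -F'\\[\\*\\*\\] ' 'NF >= 3 { sig = $2; sub(/ +$/, "", sig); n[sig]++ }
         END { for (s in n) printf "%d\t%s\n", n[s], s }' | sort -rn
}

# Count alerts per source address: the token before "->", with any :port
# suffix removed (ICMP alerts carry no port). Prints "count<TAB>address",
# busiest source first.
count_by_src() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "->") { src = $(i-1); sub(/:[0-9]+$/, "", src); n[src]++ } }
         END { for (s in n) printf "%d\t%s\n", n[s], s }' | sort -rn
}

# Print the source addresses that produced at least $1 alerts: a crude
# "who is probing me" list to hand to the firewall admin or a ticket.
noisy_sources() {
    threshold="$1"
    count_by_src | awk -v t="$threshold" -F'\t' '$1 >= t { print $2 }'
}

# Demo on the constructed sample. Against a live sensor started as in the
# RUNTIME section (with -A fast added), use e.g.:
#   count_by_sig < /tmp/testlog/alert
printf '%s\n' "$SAMPLE_ALERTS" | count_by_sig
printf '%s\n' "$SAMPLE_ALERTS" | noisy_sources 3
```

Counting by signature shows which rules fire most, which is where rule-set tuning starts; counting by source separates one persistent prober from background noise. Both views are a starting point for the detailed review the text recommends, not a replacement for reading the alerts themselves.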
The snort.org website has a considerable amount of documentation, papers and articles that go into many different aspects of snort and intrusion detection. If you are interested in a book, Snort 2.1 Intrusion Detection by Syngress is a good way to get started quickly with snort, but doesn't cover the Intrusion Prevention features in 2.3.0 and later. The Prelude IDS framework for integrating different IDS sources is worth a look; the project site is available at http://www.prelude-ids.org.

NEXT
The next IDS article will look at testing the Snort installation, automated rule updates, barnyard and Snort frontends.