Thursday, September 14, 2006

Privacy: New Buzzword in the Business World


Recently I went through a training program on what are said to be standard ethical practices, and in that training some questions arose related to privacy. Although organizations have documents defining what is ethical and what is not, how many IT managers understand them? The key buzzword responsible for the revolution in the US healthcare sector is privacy. Let's understand this and its relevance to the ethical duties of IT managers.

Does information’s availability justify its use?

Governments collect massive amounts of data on individuals and organizations and use it for a variety of purposes: national security, accurate tax collection, demographics, international geopolitical strategic analysis, etc. Corporations do the same for commercial reasons; to increase business, control expense, enhance profitability, gain market share, etc. Technological advances in both hardware and software have significantly changed the scope of what can be amassed and processed. Massive quantities of data, measured in petabytes and beyond, can be centrally stored and retrieved effortlessly and quickly. Seemingly disparate sources of data can be cross-referenced to glean new meanings when one set of data is viewed within the context of another. In the 1930s and 1940s the volumes of data available were miniscule by comparison and the "processing" of that data was entirely manual. Had even a small portion of today’s capabilities existed, the world as we now know it would probably be quite different. Should organizations’ ability to collect and process data on exponentially increasing scales be limited in any way? Does the fact that information can be architected for a particular purpose mean it should be, even if by so doing individual privacy rights are potentially violated? If data meant for one use is diverted to another process which is socially redeeming and would result in a greater good or could result in a financial gain, does that mitigate the ethical dilemma, no matter how innocent and pure the motivation?

How much effort and expense should managers incur in considering questions of data access and privacy?

This is an issue with both internal and external implications. All organizations collect personal data on employees, data that if not properly safeguarded can result in significant negative implications for individuals. Information such as compensation and background data and personal identification information, such as social security number and account identifiers, all have to be maintained and accessed by authorized personnel. Systems that track this data can be secured, but at some point data must leave those systems and be used. Operational policies and procedures can address the proper handling of that data but if they’re not followed or enforced, there’s hardly any point in having them. Organizations routinely share data with each other, merging databases containing all kinds of identifiers. What’s the extent of the responsibility we should expect from the stewards of this data? Since there’s no perfect solution, where’s the tipping point beyond which efforts to ensure data can be accessed only by those who are authorized to do so can be considered reasonable and appropriate?

What can employers expect from employees with regard to nondisclosure when going to work for another firm?

Many people are required to sign NDAs (nondisclosure agreements) and noncompete clauses in employment contracts, legal documents that restrict their ability to share information with other future employers even to the point of disallowing them to join certain companies or continue to participate in a particular industry. What about the rest of us, who have no such legal restrictions? In the course of our work for employer A, we are privy to trade secrets, internal documents, proprietary processes and technology, and other information creating competitive advantage. We can’t do a brain dump when we leave to go to work for employer B; we carry that information with us. Is it ethical to use our special knowledge gained at one employer to the benefit of another? How do you realistically restrict yourself from doing so?

What part of an information asset belongs to an organization and what is simply part of an employee’s general knowledge?

Information, knowledge, and skills we develop in the course of working on projects can be inextricably intertwined. You’re the project manager for an effort to reengineer your company’s marketing operations system. You have access to confidential internal memoranda on key organization strategic and procedural information. To build the new system, you and your team have to go for some advanced technical training on the new technology products you’ll be using. The new system you build is completely revolutionary in design and execution. Although there are areas of patent law that cover many such situations, there’s not much in the way of case law testing this just yet, and of course laws vary between countries. Clearly, you’ve built an asset owned by your company, but do you have a legitimate claim to any part of it? Can you take any part of this knowledge or even the design or code itself with you to another employer or for the purpose of starting your own company? Suppose you do strike out on your own and sell your system to other companies. Is the ethical dilemma mitigated by the fact that your original company isn’t in the software business? Or that you’ve sold your product only to noncompeting companies? What if we were talking about a database instead of a system?

In a bygone era, there was less data to work with, and the only quality assurance that needed to be performed was on data; operations and procedures were manual, so it was the output of those functions that was most critical. Technology has enabled vastly more complicated and interconnected processes, such that a problem far upstream in a process has a ripple effect on the rest of the process. Sarbanes-Oxley requires the certification of all internal controls in large part for this reason.

Does data gathered violate employee privacy rights?

Many organizations have started adding a credit and background check to the standard reference check during the hiring process. Are those organizations obligated to tell us they’re doing this and what results they’ve received? The justification for doing the credit check typically is that a person who can’t manage his or her own finances probably can’t be trusted with any fiduciary responsibility on behalf of the organization. Does this pass the smell test or is this actually an infringement of privacy? Performing these checks is a relatively recent phenomenon, brought on in part by the desire of organizations to protect themselves in the wake of the numerous corporate scandals of the past few years but also because technology has enabled this data to be gathered, processed, and accessed quickly and inexpensively. Is technology responsible for enabling unethical behavior?

Do employees know the degree to which behavior is monitored?

Organizations have the right to monitor what employees do (management is measurement) and how technology systems are used. It’s common practice to notify employees that when they use organizational assets such as networks or Internet access, they should have no expectation of privacy. Even without that disclaimer, they really don’t need the warning to know this monitoring is, or could be, taking place. Do organizations have an obligation to notify employees as to the extent of that monitoring? Should an organization make it clear that in addition to monitoring how long employees are using the Internet, it's also watching which Web sites they visit? If employees are told there’s no expectation of privacy when using the e-mail system, is it an ethical violation when they later find out the organization was actually reading their e-mails?

Monday, September 11, 2006

Security Policies

Recently I was doing an audit for a BS7799-certified organization. But after reviewing their security policies I was shocked. They are a total mess and not easily understandable. But then how did the organization get certified? The reason is that there are hardly any qualified auditors and professionals available in the industry. Some say to put lots of tools in place to show the auditors; some say to create lots of documents to review. I think auditors should react to this, because every control says that reports and logs should be easily traceable and give concise and required information when asked. By the way, enclosed is an example policy and the trick to writing it.

Security policies help you define the level of security that is acceptable in your organization; they set a standard of care for every employee (and contractor). Security policies help you plan. Without them, there would be no way to tell which security decisions help increase your security and which are wastes of time and money. Even worse, there would be no way to identify areas that were overlooked.

Contents of a Security Policy: Although a security policy is typically approved at the highest levels, it is not a high-level document (like a Mission Statement). Your security policy defines the resources that your organization needs to protect and the measures that you can take to protect them. In other words, it is, collectively, the codification of the decisions that went into your security stance. Policies should be published and distributed to all employees and other users of your system. Management should ensure that everyone reads, understands, and acknowledges their role in following the policies and the penalties that violations will bring.

When separate policies deal with secure networks, publication of those policies should be restricted to individuals who have authorized access to those networks. Security policies should emphasize what is allowed, not what is prohibited. Where appropriate, examples of permitted and prohibited behavior should be supplied. That way, there is no doubt: if something is not specifically permitted by the security policy, it is prohibited. The policy should also describe ways to achieve its goals.
An example of a security policy for passwords follows. It is divided into several sections.

Generic Description of a Security Policy’s Sections
Overview: Justifies the reason for the policy and identifies the risks the policy addresses.
Purpose: Explains why the policy exists and the goal that it is written to accomplish.
Scope: Defines the personnel covered by the policy. This might range from a single group in a department to the entire company.
Policy: This is the policy itself. It is often divided into several subsections. Examples are commonly used to illustrate points.
Enforcement: Defines the penalty for failure to follow the policy. It is usually written as “everything up to and including…” so that a series of sanctions can be applied. Dismissal is typically the most severe penalty but, in a few cases, criminal prosecution should be listed as an option.
Definitions: Any terms that might be unclear or ambiguous should be listed and defined here.
Revision History: Dates, changes, and reasons go here. This ties into enforcement in that the infraction should be measured against the rules in place at the time it occurred, not necessarily when it was discovered.

Creating Your Own Security Policy
Creating security policies is a four-step process:
  • Decide on your level of trust.
  • Define appropriate behavior.
  • Create a policy review team.
  • Use the work of others.

Step 1: Decide on Your Level of Trust Assuming that people will do the right thing is easy and tempting. Don’t let yourself take this shortcut. Spell out what is expected and what is prohibited. Decide on the controls you will use to measure adherence to the good practices that you are about to define. (This applies to programs as well as people.) Specify repercussions that will follow if employees do not adhere to practices. Trust different employees in different ways. Those with unprivileged access are in a different category than those with high levels of access privilege.

Step 2: Define Appropriate Behavior Whether the topic is email usage, password policies, or keeping company secrets, your system’s users and the people who evaluate them must know what is expected. Your policies are necessary to support an HR action in the face of inappropriate behavior, or even to prosecute a criminal case in extreme examples.

Step 3: Create a Policy Review Team The members of this team are responsible for drafting new policies and revising existing ones.

Step 4: Use the Work of Others The Example Security Policies section near the end of this post gives a pointer to a set of policies suitable for a large company. A Google search turns up literally dozens of sample policies for sale, and Amazon has several books. Investigate these resources and find one that matches your organization’s profile. This will save you significant amounts of work. Even more important, it will keep you from accidentally omitting vital areas from consideration.

Members of the Policy Review Team

Representative from: Duties
  • Management: Someone who can enforce the policy. This is often a senior member of the HR staff.
  • Information Security Department: Someone who can provide technical insight and research.
  • User Areas: Someone who can view the policies the way a user might view them.
  • Legal Department: Possibly part time, but someone who can review policies with respect to applicable laws. For multinational firms, this review is exponentially more complicated.
  • Publications: Someone who can make suggestions on communicating the policies to the organization’s members and getting their buy-in. Also, a good writer is always helpful.

A Sample Security Policy (Password Policy Extracted From Book )

1.0 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Example Corporation’s entire corporate network. As such, all Example Corporation employees (including contractors and vendors with access to Example Corporation systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.0 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Example Corporation facility, has access to the Example Corporation network, or stores any non-public Example Corporation information.

4.0 Policy

4.1 General

  • All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.
  • All production system-level passwords must be part of the Information Security Department administered global password management database.
  • All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months. The recommended change interval is every four months.
  • User accounts that have system-level privileges granted through group memberships or programs such as “sudo” must have a unique password from all other accounts held by that user.
  • Passwords must not be inserted into email messages or other forms of electronic communication.
  • Where SNMP is used, the community strings must be defined as something other than the standard defaults of “public,” “private” and “system” and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv3).
  • All user-level and system-level passwords must conform to the guidelines described below.

4.2 Guidelines

A. General Password Construction Guidelines Passwords are used for various purposes at Example Corporation. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:

  1. The password contains fewer than eight characters
  2. The password is a word found in a dictionary (English or foreign)
  3. The password is a common usage word such as:
    • Names of family, pets, friends, co-workers, fantasy characters, sports teams, etc.
    • Computer terms and names, commands, sites, companies, hardware, software.
    • The words “Example Corporation”, “EXMC”, “BigApple” or any derivation.
    • Birthdays and other personal information such as addresses and phone numbers.
    • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
    • Any of the above spelled backwards.
    • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

  1. Contain both upper and lower case characters (e.g., a-z, A-Z)
  2. Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
  3. Are at least eight alphanumeric characters long.
  4. Are not a word in any language, slang, dialect, jargon, etc.
  5. Are not based on personal information, names of family, etc.

B. Password Protection Standards Do not use the same password for Example Corporation accounts as for other non-Example Corporation access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don’t use the same password for various Example Corporation access needs. For example, select one password for the Engineering systems and a separate password for IT systems. Also, select a separate password to be used for an NT account and a UNIX account. Do not share Example Corporation passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential Example Corporation information.

List of don’ts:

  • Don’t reveal a password over the phone to ANYONE
  • Don’t reveal a password in an email message
  • Don’t reveal a password to the boss
  • Don’t talk about a password in front of others
  • Don’t hint at the format of a password (e.g., “my family name”)
  • Don’t reveal a password on questionnaires or security forms
  • Don’t share a password with family members
  • Don’t reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call someone in the Information Security Department.

  • Do not use the “Remember Password” feature of applications (e.g., Eudora, Outlook, Netscape Messenger).
  • Do not write passwords down and store them anywhere in your office.
  • Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

Change passwords at least once every six months (except system-level passwords, which must be changed quarterly). The recommended change interval is every four months. If an account or password is suspected to have been compromised, report the incident to the Information Security Department and change all passwords. Password cracking or guessing may be performed on a periodic or random basis by the Information Security Department or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

C. Application Development Standards Application developers must ensure their programs contain the following security precautions.

Applications:
• Should support authentication of individual users, not groups.

• Should not store passwords in clear text or in any easily reversible form.

• Should provide for some sort of role management, such that one user can take overthe functions of another without having to know the other’s password.

• Should support TACACS+, RADIUS and/or X.509 with LDAP security retrieval, wherever possible.
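The second bullet is the one developers most often get wrong, so here is an added example (not from the original policy or this post) of storing and verifying a password without keeping it in clear text or a reversible form: a random per-user salt, an iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library, chosen here for portability; argon2 or scrypt are preferable where available), a constant-time comparison, and a check that flags records made with weaker parameters so they can be upgraded at the next login. The record format, iteration count and function names are this example's own choices.

```python
# Added example: password storage that is neither clear text nor reversible.
import hashlib
import hmac
import os

# Parameters chosen for this example; raise ITERATIONS as hardware allows.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password):
    """Return a self-describing record 'alg$iterations$salt_hex$digest_hex'.
    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the salt and iteration count from the record and compare
    in constant time, so a malformed or foreign record simply fails."""
    try:
        alg, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if alg != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored):
    """True when the record was produced with an older algorithm or fewer
    iterations than the current policy; re-hash it after a successful login,
    which is the only moment the clear-text password is legitimately in hand."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print("login ok:", verify_password("correct horse battery", record))
    print("wrong pw:", verify_password("correct horse battery!", record))
```

The record carries its own parameters, so the iteration count can be raised later without invalidating existing accounts: verify_password still checks old records, and needs_rehash tells the login path which ones to upgrade.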

D. Use of Passwords and Passphrases for Remote Access Users Access to the Example Corporation Networks via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

E. Passphrases Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the user. Without the passphrase to “unlock” the private key, the user cannot gain access. Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against “dictionary attacks.” A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: “The*?#>*@TrafficOnTheBridgeWas*&#!#ThisMorning”. All of the rules above that apply to passwords apply to passphrases.

5.0 Enforcement

Any employee found to have violated this policy may be subject to disciplinary action, upto and including termination of employment.

6.0 Definitions

Terms and Definitions
Application Administration Account: Any account that is for the administration of an application (e.g., Oracle database administrator, Notes administrator).

7.0 Revision History

Policies commonly apply to less than all sections of the organization. Policies on acquiring commercial software or running a test lab or training department apply only to segments of the company, whereas policies such as an Information Sensitivity Policy (which deals with keeping confidential company information private) or Password Policies apply across the enterprise.

Example Security Policies Several model security policies are available on the web. A good starting place is RFC 2196, “Site Security Handbook,” which discusses all aspects of security policies, from content development to implementation. Another source of sample policies comes from SANS. The direct link is www.sans.org/newlook/resources/policies/policies.htm. If the link breaks, key the title of the page, The SANS Security Policy Project, into the search-this-site box on the SANS home page.

Effectively Implementing Your Security Policy When you develop policies, you need to balance productivity and security. The goal of all good employees is to get their work done. If you create a rule that the employee thinks is just in the way, that employee will either ignore it or bypass it. Sometimes, you can implement technical controls to make sure that policies are followed (password change periods, for example), but other times you cannot. (A rule about never giving your password to someone else cannot be enforced by software.) You must make security a part of the corporate culture. This does not have to be done in a punitive way.

Here are two examples. One company, whose policy called for password-protected screen savers or locked workstations whenever an employee was not using the PC, enforced it by having security staff (uniformed guards on patrol) write “tickets”, which looked like parking tickets, and tape them to the monitor. The tickets reminded users of the rules. The guards were taught how to press Ctrl-Alt-Del and pick Lock Workstation, and were instructed to do so whenever issuing a ticket. Another company had guards walk around after the close of business looking for laptops left unattended. They took the laptops they found and left a “luggage receipt” on the desk saying that the lost luggage could be claimed at the security station.

Avoiding Failure One sure way to make a policy fail is to apply it unevenly. If certain people, because of their position or influence, can bypass policies with impunity, the policies will all become unenforceable. You must get management buy-in, even if doing so is painful.

Security and Risk

Recently I got lots of mail from a few of my friends saying that they are interested in writing policies for their organizations. Some are interested to know specifically about security policies. Although I explained to them that it's not as simple as they think. There are lots of misconceptions present in the industry related to security.

First of all, understand that security is not a firewall or cryptography or a virus scanner, although they are all components of a security solution. It is a process that examines and then mitigates the risks that arise from your company’s day-to-day activities.
Or
We can say that it is the tools and techniques that prevent unauthorized people or processes from doing anything with or to your data, computers, or peripherals.
If you think that technology will solve your security problems, then you don’t understand security and you don’t understand your problems.

Security includes a necessary mindset for every employee and specified procedures to follow, in addition to technology, to minimize the risk.

Risks come in a wide variety of forms. Here are some examples:
• Loss of assets (theft)
• Service disruption (business interruption)
• Loss of reputation (disparagement)
• Expenses of recovery (profitability impact)
Shareholders expect managers to protect or enhance the value of the company. Security breaches that affect any of these items violate shareholders’ expectations.

Another kind of risk is just now emerging: the risk of running afoul of the law. Many new laws include punitive measures (usually fines). Three examples from the United States are the Gramm-Leach-Bliley Act, which affects U.S. financial institutions and requires disclosure of privacy policies to customers; the Health Insurance Portability and Accountability Act (HIPAA), which restricts disclosure of health-related data along with personally identifying information; and the Electronic Communications Privacy Act (ECPA), which specifies who can read whose e-mails under what conditions.

You (or your management) can take five approaches with regard to any risk:
• Accept the risk—You must accept the risks in the following two cases:
— You cannot do anything about the risk (for example, a vendor goes out of business or a product is dropped).
— The cost of mitigation is not economical.
• Defend against the risk—You can deploy firewalls, antivirus products, encryption technologies, and so on. You can also establish procedures and policies.
• Mitigate the risk—Even if you assume that there is no such thing as a web server that cannot be broken into, you still don’t have to just accept the risk. Some of the things you can do include the following:
— You can reduce the harsh effects of a successful break-in by being ready to reinstall the web server at a moment’s notice.
— You can take steps to maintain the web server’s security.
— You can regularly audit its contents.
— You can examine its logs.
• Pass on the risk—You can insure against the risk (sometimes).
• Ignore the risk—This is the only foolish choice. Ignoring the risk is not the same as accepting it. Ignoring it is merely hoping that someone else will be attacked.

Three of these (defending against, mitigating, and passing on the risk) are threat reduction techniques; accepting a risk leaves it where it is, and ignoring it is not a strategy at all. Reducing the threat is made easier if the proper security stance is selected. With every defense, you will use one of the following approaches:
• Permit nothing (the paranoid approach).
• Prohibit everything not specifically permitted (the prudent approach).
• Permit everything not specifically prohibited (the permissive approach).
• Permit everything (the promiscuous approach).
Of these, the prudent choice makes the most practical sense and is the approach assumed here. It is the one that most vendors choose. For example, Cisco access lists end with an implicit deny: everything not specifically permitted is dropped.

Thursday, July 06, 2006

Old Memories

Rahul, it's for you.

Tuesday, July 04, 2006

Time Synchronization across the enterprise with Windows 2003 SNTP

Configure Windows as the master time source.

The Windows 2003 time service is configured with w32tm, a command line tool included with the standard Windows installation.
The following three steps set up and activate time synchronization with an Internet time source:
1. w32tm /config /syncfromflags:manual /manualpeerlist:PeerList
PeerList is a comma-separated list of DNS names or IP addresses of the desired Internet time sources.
2. w32tm /config /reliable:YES
This command configures the Windows time service to announce itself as a reliable time source so other computers can synchronize to it.
3. w32tm /config /update
This command notifies the time service of the changes to the configuration, causing the changes to take effect.

Below are the commands run for this configuration to set up time synchronization to an Internet time source:
1. w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.gov,swisstime.ethz.ch
2. w32tm /config /reliable:YES
3. w32tm /config /update


NTP Configuration on Solaris 9

To configure time services on Solaris, perform the following three steps:
1. Copy the template file provided to ntp.conf:
cp /etc/inet/ntp.client /etc/inet/ntp.conf

2. Modify ntp.conf to include the time server that will be used by this client.
Minimal required entries in ntp.conf include the time servers that the client should synchronize with and the location of the drift file, which is used to record information regarding the accuracy of the local clock.
Example /etc/inet/ntp.conf:

server patryk.keekar.com
server marc.keekar.com
driftfile /etc/ntp.drift

3. The ntpd daemon must be restarted in order for configuration changes to take effect.
/etc/init.d/xntpd stop
/etc/init.d/xntpd start

NTP Configuration on Linux

To configure time services on the Linux clients, perform the following two steps:
1. Modify ntp.conf to include the time servers that will be used by this client.
Minimal required entries in ntp.conf include the time servers that the client should synchronize with.
/etc/ntp.conf
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
server patryk.keekar.com
server marc.keekar.com

2. For the configuration changes to take effect, restart the ntpd daemon:
/etc/init.d/ntpd restart
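The ntp.conf fragments above tell each client which servers to trust but do not show what actually travels on UDP port 123. As an added example (not from the original post or any vendor's documentation), here is a small Python NTP client and packet decoder: it builds the 48-byte request, decodes a reply into named fields, rejects replies a client must not synchronize to (leap indicator 3, stratum 0 kiss-o'-death, stratum 16), and computes the clock offset and round-trip delay from the four timestamps as RFC 5905 defines them. The sample reply is constructed inline, not a capture from patryk or marc, so the example runs offline; query_server() does the live exchange if you point it at one of your own servers.

```python
# Added example: NTP request builder, reply decoder and offset computation.
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_FMT = "!BBbbiII8I"    # LI/VN/mode, stratum, poll, precision, root delay,
                             # root dispersion, refid, then four 64-bit timestamps


def build_client_request(version=4):
    """48-byte NTP request: leap indicator 0, given version, mode 3 (client)."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    return struct.pack("!BBbb11I", li_vn_mode, 0, 0, 0, *([0] * 11))


def _ntp_to_unix(seconds, fraction):
    """NTP timestamps are seconds since 1900 plus a 32-bit binary fraction."""
    return seconds - NTP_UNIX_OFFSET + fraction / 2**32


def parse_packet(data):
    """Decode the fixed 48-byte NTP header into a dict of named fields."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp, ref_id,
     ref_s, ref_f, orig_s, orig_f, recv_s, recv_f, xmit_s, xmit_f) = struct.unpack(HEADER_FMT, data[:48])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 2**16,        # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 2**16,
        "reference_id": ref_id,
        "reference_unix": _ntp_to_unix(ref_s, ref_f),
        "origin_unix": _ntp_to_unix(orig_s, orig_f),
        "receive_unix": _ntp_to_unix(recv_s, recv_f),
        "transmit_unix": _ntp_to_unix(xmit_s, xmit_f),
    }


def is_usable_reply(fields):
    """A client must not synchronize to a reply that is not mode 4 (server),
    carries leap indicator 3 (alarm: clock unsynchronized), or is stratum 0
    (kiss-o'-death) or stratum 16 (unsynchronized)."""
    return fields["mode"] == 4 and fields["leap"] != 3 and 1 <= fields["stratum"] <= 15


def clock_offset_and_delay(t1, t2, t3, t4):
    """RFC 5905 offset theta and round-trip delay delta from client send (t1),
    server receive (t2), server transmit (t3) and client receive (t4)."""
    theta = ((t2 - t1) + (t3 - t4)) / 2
    delta = (t4 - t1) - (t3 - t2)
    return theta, delta


def query_server(host, timeout=2.0):
    """Live exchange (not run offline): returns the decoded reply plus the local
    send and receive times needed for clock_offset_and_delay()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_client_request(), (host, NTP_PORT))
        data, _ = sock.recvfrom(1024)
        t4 = time.time()
    fields = parse_packet(data)
    if not is_usable_reply(fields):
        raise RuntimeError("%s answered but is not a usable time source" % host)
    return fields, t1, t4


# Constructed sample reply (not a real capture): VN=4, mode 4, stratum 2,
# origin 3900000000 s in the NTP era, received +0.25 s, transmitted +0.50 s.
SAMPLE_REPLY = struct.pack(
    HEADER_FMT,
    (4 << 3) | 4, 2, 6, -23,      # LI=0 VN=4 mode=4; stratum 2; poll 2^6; precision 2^-23
    0, 0, 0x0A000001,             # root delay, root dispersion, refid (upstream 10.0.0.1)
    3899999000, 0,                # reference timestamp
    3900000000, 0,                # origin: copied from the client's transmit
    3900000000, 0x40000000,       # receive  (+0.25 s)
    3900000000, 0x80000000,       # transmit (+0.50 s)
)

if __name__ == "__main__":
    fields = parse_packet(SAMPLE_REPLY)
    t1, t4 = fields["origin_unix"], fields["origin_unix"] + 0.3
    theta, delta = clock_offset_and_delay(t1, fields["receive_unix"], fields["transmit_unix"], t4)
    print("usable:", is_usable_reply(fields), "offset %.3f s, delay %.3f s" % (theta, delta))
```

Consistent timestamps are what make logs from different systems comparable during an incident, which is the reason to confirm that every configured server actually answers with a usable reply rather than assuming the daemon is in sync; on the Linux and Solaris clients `ntpq -p` shows the same reachability and offset figures from the daemon's own point of view.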

Cisco CallManager server

Complete these steps in order to configure the Cisco CallManager server to automatically synchronize, and stay synchronized, with a Time server.

Note: You cannot use NTP to synchronize between two Cisco CallManagers. The NTP that is installed in Cisco CallManager is a client NTP service and only synchronizes to an NTP server.

  1. Complete these steps in order to verify that the NetworkTimeProtocol service is configured to launch automatically upon start-up:
    1. Right-click on My Computer and select Manage.

    2. Expand the Services and Applications section.

    3. Select Services.

    4. Double-click on the Network Time Protocol service.

    5. Ensure that Start-up Type is set to Automatic.

  2. Configure the C:\WINNT\system32\drivers\etc\ntp.conf file.

    This file contains the list of Time Servers that Cisco CallManager becomes synchronized with. You can configure Cisco CallManager to point to specific Time Servers, or you can configure it to receive NTP broadcasts on the local LAN segment from the router (as long as the router is configured to do so).

    • Sample ntp.conf file that uses static Time Servers:

      server patryk.keekar.com
      server marc.keekar.com
      driftfile %windir%\ntp.drift

    • Sample ntp.conf file that uses an NTP broadcast router:

      broadcastclient
      driftfile %windir%\ntp.drift

  3. Go to the Services Control Panel and stop/start the NetworkTimeProtocol service. Allow several minutes for the update to take place.

If the NetworkTimeProtocol Service does not run on the Cisco CallManager

Note: This procedure only applies to Cisco CallManager.

Complete these steps in order to install the NetworkTimeProtocol service:

Open a command prompt and change to this directory:

C:\>cd C:\Program Files\Cisco\Xntp


Run install.bat:

C:\Program Files\Cisco\Xntp>install.bat

Installing Configuration Files

1 file(s) copied.

Installing Executables

1 file(s) copied.

1 file(s) copied.

1 file(s) copied.

1 file(s) copied.

The NTP service is already installed

Remove it first if you need to re-install a new version

.

The NTP Service is now installed.


Please modify the NTP.CONF file in C:\WINNT appropriately.

.

See readme.txt for more information.

.

After modifying the configuration file, use the services control panel

to make NTP autostart and either reboot or manually start it.

When the system restarts, the NTP service will be running.

For more information on NTP Operations please see the NTPOG.Wri

C:\Program Files\Cisco\Xntp>


Synchronize Time Manually with the Time Server Using NTP

Note: This procedure only applies to Cisco CallManager.

Complete these steps in order to synchronize time manually with the Time Server using NTP.

1. Stop the NetworkTimeProtocol service in the Services Control Panel.
2. Synchronize the clock with the remote Time server by running this command from a command prompt:

ntpdate marc.keekar.com

3. Restart the NetworkTimeProtocol service in the Services Control Panel.


Configuring a Cisco Multilayer Switch as a Time Server
Configuration example for the Catalyst 6500 series

--------------------------Start --------------------------
!--- Enable service timestamps datetime!
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
!
!
!--- Hostnames for the MSFCs (MSFC15 on the first MSFC, MSFC16 on the second).
hostname MSFC15
!
!
!
!--- Both MSFCs are in the PST timezone.
clock timezone PST -8
!
!--- Both MSFCs will adjust the clock for Daylight Saving Time.
clock summer-time PDT recurring
!
!--- If connectivity to the NTP server is lost, the calendar is used
!--- as an authoritative time source.
clock calendar-valid
!
no ip finger
ip domain-name corp.com
ip name-server 172.16.55.120
ip name-server 171.16.60.120
!
!
!--- Each MSFC uses the IP address of the loopback0 interface as
!--- the source IP for NTP packets.

ntp source Loopback0
!
!--- The MSFCs will update the hardware calendar with the NTP time.
ntp update-calendar
!
!--- Both MSFCs are getting the time from 10.100.100.1.
ntp server patryk.keekar.com
!
end
--------------------------END --------------------------

Cisco 1000 Series Router

SNTP generally is supported on those platforms that do not provide support for NTP, such as the Cisco 1000 series, 1600 series, and 1700 series platforms. SNTP is disabled by default. In order to enable SNTP, use one or both of the following commands in global configuration mode:

Configures SNTP to request NTP packets from an NTP server.

Router(config)# sntp server patryk.keekar.com [version number]

Configures SNTP to accept NTP packets from any NTP broadcast server.

Router(config)# sntp broadcast client

Enter the sntp server command once for each NTP server. The NTP servers must be configured to respond to the SNTP messages from the router.

If you enter both the sntp server command and the sntp broadcast client command, the router will accept time from a broadcast server but prefer time from a configured server, assuming that the strata are equal. To display information about SNTP, use the show sntp EXEC command.


Router that supports NTP
Router# conf t
Router(config)# ntp server marc.keekar.com
Router(config)# ntp server patryk.keekar.com
Router(config)# clock timezone IST 5 30



Friday, June 30, 2006

Network Security Platforms

In the past, best-of-breed security solutions have been the most effective choices for securing enterprise networks. However, this approach has resulted in the deployment of a disparate set of point products for firewall, intrusion detection, antivirus blocking, vulnerability analysis, and other network-centric security functions. This has led to gaps in protection and a high cost of ownership because of the need for multiple management consoles and a lack of integration. Gartner believes that the rise of network security platforms will enable best-of-breed security solutions to blur the lines between firewalls, network-based intrusion detection, and vulnerability scanning, as well as other network-centric security technologies.

What are network security platforms?
Network security platforms are network-attached devices that can apply multiple security functions (at a minimum, firewall, intrusion detection, and vulnerability scanning) at wire speeds. They provide environmental inputs (power, cooling and console) for the security capabilities, a common backplane for communications, and a structure for controlling communications between security processing functions. Network security platforms use a variety of algorithms and techniques to inspect incoming and outgoing network traffic to determine if connections and payloads are dangerous to enterprises. The platforms decide whether to raise an alert regarding suspected malicious activity or to take specific actions—such as blocking connections, dropping packets, or terminating sessions—when malicious activity is detected. These platforms perform functions that currently are performed by firewall (network- and application-level), intrusion detection, vulnerability assessment, gateway antivirus, and URL blocking products.

Many network security platforms will include virtual private network capabilities; however, we believe that these capabilities will not be long-term platform requirements, except for site-to-site connections. Network security platforms must run at wire speeds; for most enterprises, these will be in the 100 Mbps to 1 Gbps range for single connections, and much higher for multiple networks. For “in the cloud” security applications, with which telecom and Internet service providers provide security processing in the network, throughput of 2 Gbps or higher will be required. These requirements will drive most network security platforms to be based on custom, application-specific integrated circuits or network-security processors to support complex processing at high data rates. However, the platforms will need to support software-based updates, customization, and scripting similar to software-based systems. Hardware-based stack and protocol processing will be required to perform deep packet inspection without introducing unacceptable network latency. Software processing that runs on generic computing platforms will be sufficient where the network security platform primarily will be used for detection, not prevention; applications are simple or repetitive; or network data rates are low enough (see Figure ).

There are four primary types of network security platforms:

Closed integrated platforms—The network security platform vendor implements all security functions in a proprietary environment and can integrate processing across functions, which enables security functions to make processing decisions based on the results of other processing functions. Vendors in this category include Tipping Point Technologies, NetScreen Technologies, BlueCoat Systems, and Array Networks.

Closed separate platforms—The vendor implements all security functions in a proprietary environment without supporting integration across functions. Vendors include Symantec, with its initial Gateway Security product, and Cisco Systems, with its blade approach.

Open integrated platforms—The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the network security platform. Vendors include Nortel/Alteon, CloudShield, and Ingrian Networks.

Open separate platforms—The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the platform; however, integrated processing across functions isn’t supported. Vendors include Crossbeam Systems, Blade Fusion, and OmniCluster Technologies.

Closed integrated platforms offer more effective security via tighter integration between functions, but they require that enterprises abandon the best-of-breed approach to individual functions. Open integrated platforms enable enterprises to stay with best-of-breed options and preserve investments in network security products, as well as reduce the need to migrate security policies to new products.

Both types of separate platforms will be interim offerings until fully integrated capabilities are available. Meaningful integration across functions is a complex issue. Gartner believes that this integration will not provide reliable results until 2H04.
Within these types of platforms, different performance/price points will emerge:

Carrier class—Products that run at OC24 and higher rates, and that allow network service providers to offer “in the cloud” security services, which eliminate the need for customer premises equipment and enable low-cost managed service offerings.

Enterprise class—Platforms that can process multiple 100 Mbps networks that are used by Global 2000-class enterprises as enterprise intrusion prevention systems.

Small and midsize enterprise class—Products that offer limited flexibility or operate at 100 Mbps or lower rates at low price points.

Types of network security platform vendors
Network security product vendors will migrate to offering security platforms, while other network performance management vendors also will provide these platforms. Network-security-focused vendors (such as firewall, intrusion detection, and gateway antivirus companies) will begin to offer security platforms to meet the challenges of blended and application-level attacks, and to address market demand to lower total cost of ownership. By 2006, 60 percent of firewall and intrusion detection functionality will be delivered via network security platforms.

Content-switching and load-balancing vendors will add security functionality to their platforms, which already offer high-speed processing and deep packet inspection for making caching/load balancing type decisions. These vendors see security as a new revenue stream from their installed base, and as a way to avoid the threat of network security platform vendors that are adding switching and load-balancing functions to their platforms. Although content-switching/load-balancing vendors have extensive experience in wire-speed traffic processing, they don't have deep security expertise. This will prompt network performance vendors to acquire network security technology companies that specialize in deep packet processing.

Network security platform market road map

In 2002, firewall vendors such as Check Point Software Technologies, Symantec, and NetScreen took steps toward becoming network security platform vendors. Check Point announced Smart Defense, which integrates intrusion detection capabilities onto Firewall-1. Symantec's Gateway Security product combines firewall, intrusion detection, gateway antivirus, and URL blocking functions into one appliance. NetScreen’s implementation of simple, signature-based filtering and its acquisition of OneSecure were strong moves in the platform direction.

However, these first-generation efforts provide minimal integration between functions, and they generally don’t add vulnerability assessment capabilities. Newer market entrants such as TippingPoint provide tighter integration of the required functions, but in a closed architecture that will require enterprise testing to determine the effectiveness of the individual firewall, intrusion detection, and antivirus functions, as well as integrated capabilities.

Gartner believes that products that fully integrate network security functions and can operate at wire speeds will not affect the firewall and intrusion detection markets until 2H04. After 2H04, intrusion detection vendors that do not offer network security platforms will begin to exit the market through acquisition by network security platform players or loss of market share.

The initial product focus between 2004 and 2006 will be at the enterprise level, with price points in the $25,000 to $75,000 range. If the telecom market recovers from the economic downturn before 2006, mainstream telecom and Internet service providers will begin to offer managed security services that will drive the development of higher-speed, lower-priced offerings and use-based pricing models. Gartner believes that aggressive telecom providers will offer some “in the cloud” services by late 2004. The low-end, small-and-midsize-enterprise-class network security platform will not be a market factor until 2007, when platforms with limited functionality and processing speeds will be available at price points of less than $10,000.

Managing multiple security devices

Most enterprises have deployed numerous firewalls, and many also have deployed one or more intrusion detection products. Network security platforms will be viable enterprise solutions by 2006, and they will transform today’s disparate network security market. Until that occurs, enterprises that have deployed firewalls and intrusion detection systems can use security device management products to gain a preliminary level of integration between network security products. These products support alarm/alert normalization, aggregation, data reduction and a degree of correlation to greatly reduce the false alarm rate and the operational burden of monitoring security devices. Although the loose integration that is provided by these products doesn't support the speed of response necessary to implement intrusion prevention, security management products enable enterprises to extend their investments in security products and provide a management structure for incorporating advanced security products.

Security management price points will have to drop below the six-figures of current offerings to reach the broad market. Outsourcing the monitoring and management of perimeter network security devices is another option for enterprises that are looking to avoid investing in early-stage technology or limited security staffing levels.

Bottom line

Tighter integration and common management across network security controls are a panacea of Internet security. Network security platforms maintain best-of-breed security approaches while supporting improved attack blocking and lowering total cost of ownership.

Thursday, June 15, 2006

Significant increase in probes reported by FBI

The probes are searching for systems that have vulnerable versions of LPRng, the "Next Generation" version of the widely used LPR printing utility, as well as the RPC daemon used with Network File System (NFS) services. While a large portion of these attacks were the result of U.S./Chinese cyberskirmishes following the downing of a U.S. spy plane, the subsequent hacking traffic has not died down. Check your software distribution's home page for an updated version of LPRng and RPC, and do so without delay!

Remember that automated probes are looking for TCP/IP listening ports that are associated with known system weaknesses. Make sure that you're running your Linux system with all ports disabled except the ones that you absolutely need. In a terminal window, switch to superuser status, open /etc/inetd.conf, and comment out the services you're not using (for a single-user system that isn't functioning as a server, likely candidates include anonymous FTP, POP3, Telnet, rlogin, and rcp).

New vulnerability in wu-ftpd

I have recently found an article on the net saying that a vulnerability has been confirmed in the wu-ftpd FTP daemon. This vulnerability is remotely exploitable and can be used to execute arbitrary code on the vulnerable FTP server.

Because wu-ftpd is such a popular and widely used FTP server, not only for Linux but for other UNIX-derivatives like BSD systems, the security impact is quite high. The fact that most FTP servers in use these days provide anonymous FTP access compounds the problem. This means that a user doesn't even have to authenticate himself or herself on the server as a real user in order to exploit this vulnerability.

The problem is due to the "file globbing" support in wu-ftpd. This globbing allows clients to organize files for FTP actions, such as list and download, based on patterns. A heap corruption problem in the wu-ftpd, in its most innocent form, will simply cause the FTP server to die with a segfault. Unfortunately, this same corruption problem can be exploited to run programs on the server that the user should not be permitted to execute.

Most vendors have released updates to fix this problem quickly. Therefore, if you are running a version of wu-ftpd installed prior to Nov. 27, 2001, you are vulnerable and need to obtain an update from your vendor.

Wednesday, April 26, 2006

Streaming the Desktop

Application streaming creates a virtualized desktop that can be managed centrally, yet offers the speed of local execution. Automated software distribution has been a hot topic in desktop management, but the next big thing is on-demand software delivery. While ASD tools help control desktop support costs by making software installations consistent, the on-demand software-delivery technologies go one step further: They can virtualize the local installation and stream the applications -- and even the operating system -- from a central distribution server in real time.
Such a product creates and stores complete system images on a server and streams portions of the operating system and applications to desktop users at boot-up. "It didn't require a large investment in server infrastructure and provided immediate ROI."
Application streaming technology takes advantage of the fact that LANs are getting faster -- and that most applications require only a small fraction of the total program code in order to run. The minimum needed can be as little as 10% to 15%.
Once the user is up and running, additional application and operating system components are fetched as needed. After the initial launch of a program, some products allow portions of the applications to reside in a local cache for faster subsequent loads. The result: Applications can be maintained and updated on central servers but run on the end user's local machine. The issue of managing locally installed programs on individual desktops is eliminated.
This concept is not new. In the late 90s such a concept was very popular with Novell NetWare. A few of my friends are asking a lot about it, saying it is the new technology. But my friends, I already did such a thing in the late 90s; the only difference is that now things are much more optimised and on a bigger scale. It's something like an advertisement for a bike that I remember reading, where they mentioned that the bike has fins in its engine. But now everyone knows that any air-cooled engine requires fins to dissipate the maximum of heat.

Lets take a deeper look on the topic.

Vendors of just-in-time streaming products fall into one of two categories. Companies such as Ardence offer products that stream complete disk images that include the Windows operating system and a predetermined application set. Companies like AppStream Inc. stream only the applications but offer more granular control over application delivery.
Still other vendors, including Softricity Inc. and Stream Theory Inc., take application streaming one step further by creating a self-contained virtual environment in which each streamed application can run. The virtualization layer traps and isolates registry entries, Dynamic Link Libraries (DLL) and other changes the application wants to make to Windows settings. This avoids application conflicts and eliminates the need for administrators to do regression testing and build images for every combination of applications.
Since applications are delivered centrally, software streaming products allow application licenses to be tightly controlled. "The idea is to create an environment where applications can be made available on devices in a very managed, controlled way and then removed from the device so they can be used somewhere else." Streaming technology lowered desktop support costs by reducing help desk calls resulting from malware problems. "Now, when they get [a virus], they just reboot and get a new image." One vendor case study says that centralized management also made upgrades easier. A typical upgrade to the company's Avaya Call Center software, which used to take 75 hours to test and roll out, is now completed in about one hour, he says, because fewer images are needed and the software doesn't have to be installed on each machine.
Time Warner's PCs support PXE boot technology, which lets the machines remote-boot directly from the system image that the Ardence server delivers. PCs boot over the Gigabit Ethernet network faster than they did when running locally, and bypassing the local disk drive has saved on support costs. "Eighty percent of our trouble tickets are hard-drive-related."
The downside is that building the images used for streaming can currently be time-consuming.
Neoware's Image Manager attempts to reduce the number of images required by creating a virtualization layer that allows a single image to run on different systems. "We have a virtualized driver model that lets the operating system boot regardless of what the hardware is," says Neoware CEO Michael Kantrowitz. It is limited, however, to only those drivers that are built into Windows. Applications with unique drivers require a separate image. With both products, administrators still must create different images for each desired application set.

Speed and Flexibility

"It takes less than a minute before they can use the [updated] applications. That's definitely better than having someone walk around to 2,000 PCs."
Managing multiple images is impractical at Suncor Energy Services Inc., which has 1,600 applications on some 4,500 PCs. Between 75% and 85% of those applications are now delivered by way of Softricity's SoftGrid server. SoftGrid includes a "sequencer" utility that encapsulates all of the system changes that the application's installation routine makes and places those in a semi-isolated virtual environment on the PC, along with the installed application image. Applications are delivered automatically based on policies set in Active Directory and are removed when the session ends.

Some useful quotes

Software updates that used to take a month to deploy are now completed in one day. Weiszhaar doesn't need to first perform regression testing on the application, produce a distribution package and test it. "Within five minutes we can deploy it to every single person in the company," he says.
Stream Theory claims to offer application environment virtualization that's more flexible. AppExpress lets the administrator specify which DLLs or other application components can be virtualized and which need to talk to one another, says Chief Technology Officer Arthur Hitomi. The software won't, however, allow incompatible versions of an Oracle or Office application to run simultaneously, as SoftGrid does.
"We had to silo-out hardware due to different versions of Office or Oracle," says Weiszhaar. SoftGrid eliminated the conflicts, and Weiszhaar was then able to distribute those applications across more servers.
Deployments of new applications via MetaFrame are also easier. "We can take your new application that we've never run before, put it on a server with production applications running, and we don't have to worry about it breaking anything," O'Brien says.
While approaches to application streaming vary, in the end all vendors attempt to deliver applications to the end device in a managed, secure way, says IDC's Kusnetzky. While SoftGrid's offering is the most mature, administrators will need to examine each approach carefully before making a decision, he says. "There may be six or seven ways to do it. That's got to be very confusing for an organization trying to decide what is the best solution for their needs."

Interesting Facts (to laugh only) But true.

Year 1981.
  • Prince Charles got married.
  • Liverpool crowned Champions of Europe.
  • Australia lost the Ashes.
  • Pope died.

Year 2005.
  • Prince Charles got married.
  • Liverpool crowned Champions of Europe.
  • Australia lost the Ashes.
  • Pope died.

In future, if Prince Charles decides to re-marry, please warn the Pope!!

Friday, March 24, 2006

Source Code Security Vulnerability Scanners

In the last few weeks I attended lots of web casts and seminars regarding security. I have also served different companies in different positions and roles. It is my observation that companies are trying hard to protect their assets and get compliant so that they will not be a target for hackers. Everyone talks a lot about network security, application security, and so on. All those people talk about big words like SQL injection, buffer overflow and format string vulnerabilities. But what these actually are, and what precautions we have to take to get away from them, is missing. I talked a lot about security with different vendors and finally found that the only information coming to me was about firewalls, IDS, VPN, network audits, procedure audits and so on. These things are essential, but I was asking about the complete security solution; no one highlighted that we can also suppress bugs related to these vulnerabilities at development time too. The above aspects are the most common, and I trust every guy working in security knows them too. Hence the net outcome is that all vendors are trying to sell products, not solutions.
Lots of well-known bugs are present in already deployed software, so it is essential to protect them, but whatever is going to be built in future, please concentrate on that too. I worked with highly qualified test engineers; they all talk about the big testing software like Jtest, Robo J etc. But man, where is the mechanism which will tell you that the developers are generating secure code against the well-known vulnerabilities? I know by this time this article seems boring to you. But this is the fact. Very few people know that there are automated tools present in the market with the help of which you can suppress the mistakes already made earlier, meaning vulnerabilities.
These automated tools do the audit on the principle of known mistakes or signatures. For example, a buffer overflow vulnerability means there is improper usage of the gets(), scanf(), sprintf(), strcat() or strcpy() function calls. Definitely these function calls are required, but sometimes by mistake they are not properly used, which generates different kinds of vulnerabilities. As per one survey there are 10000+ known vulnerabilities present, and I trust almost 50% of this figure has also been analyzed by experts to learn the patterns which commonly combine to create vulnerabilities. So these automated audit tools match your code against these known patterns, and if they find a matching pattern of strings they give an alert for a potential vulnerability. Some of the known audit tools are described below.
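As an added example (not from the original post, and not the code of any tool listed here), a toy pattern-matching auditor that works the way the paragraph above describes: it matches the dangerous calls named there (gets, scanf, sprintf, strcat, strcpy) and also printf-style calls whose format argument is not a string literal, while skipping matches inside comments and string literals, the classic false-positive source for signature tools. The C snippet it scans is constructed here.

```python
"""Added example, not from the original post: a toy pattern-based source
auditor in the spirit of Flawfinder/RATS.  It flags the calls named above
(gets, scanf, sprintf, strcat, strcpy) plus printf-style calls whose format
argument is not a string literal.  The C snippet below is constructed here."""
import re

# function -> (risk, why it is flagged, safer alternative)
UNSAFE_CALLS = {
    "gets":    ("high", "reads a line with no length bound", "fgets(buf, sizeof buf, stdin)"),
    "strcpy":  ("high", "copies until NUL with no bound", "strlcpy or snprintf with a size"),
    "strcat":  ("high", "appends with no bound", "strlcat or snprintf with a size"),
    "sprintf": ("high", "formats into a buffer with no bound", "snprintf(buf, sizeof buf, ...)"),
    "scanf":   ("medium", "%s without a width reads unbounded input", "a width such as %63s"),
}
# printf-style functions -> index of their format argument
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "snprintf": 2, "syslog": 1}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def scrub(line, in_block):
    """Blank out string literals and comments so their text cannot match.
    Returns (scrubbed line, whether a /* */ comment continues)."""
    out, i = [], 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end < 0:
                return "".join(out), True
            i, in_block = end + 2, False
        elif line.startswith("/*", i):
            i, in_block = i + 2, True
        elif line.startswith("//", i):
            break
        elif line[i] == '"':
            j = i + 1
            while j < len(line) and line[j] != '"':
                j += 2 if line[j] == "\\" else 1  # skip escaped characters
            out.append('""')
            i = j + 1
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block


def split_args(text):
    """Split an argument list (text after the opening paren) at depth-0 commas."""
    args, cur, depth = [], [], 0
    for ch in text:
        if ch == ")" and depth == 0:
            break
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    args.append("".join(cur).strip())
    return args


def scan_c_source(source):
    """Return findings as (line number, function, risk, message) tuples."""
    findings, in_block = [], False
    for lineno, raw in enumerate(source.splitlines(), 1):
        line, in_block = scrub(raw, in_block)
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in UNSAFE_CALLS:
                risk, why, fix = UNSAFE_CALLS[name]
                findings.append((lineno, name, risk, f"{why}; prefer {fix}"))
            elif name in FORMAT_FUNCS:
                args = split_args(line[m.end():])
                idx = FORMAT_FUNCS[name]
                if idx < len(args) and not args[idx].startswith('"'):
                    findings.append((lineno, name, "high",
                                     "format argument is not a string literal"))
    return findings


# Constructed C input: a mix of real hits, a bounded call and decoys.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
/* gets(name) in a comment must not be reported */
int main(void) {
    char name[64], msg[128];
    gets(name);                         /* unbounded read */
    fgets(msg, sizeof msg, stdin);      // bounded: not reported
    strcpy(msg, name);
    sprintf(msg, "hello %s", name);
    snprintf(msg, sizeof msg, "%s", "strcpy( inside a string literal");
    printf(name);                       // user data used as the format
    printf("%s\\n", msg);
    scanf("%s", name);
    return 0;
}
"""

if __name__ == "__main__":
    for lineno, fn, risk, msg in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {fn} [{risk}] {msg}")
```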

Automated Source Code Security Vulnerability Scanners
There are intelligent tools available to help you examine large amounts of source code for security vulnerabilities.

  • Flawfinder: examines source code and reports possible security vulnerabilities.
  • RATS (Secure Software Solutions): scans C, C++, Perl, PHP and Python source code for potential security vulnerabilities.
  • ITS4 (Cigital): scans source code looking for potentially vulnerable function calls and performs source code analysis to determine the level of risk.
  • PScan: a limited problem scanner for C source files.
  • BOON: Buffer Overrun detectiON.
  • MOPS: MOdelchecking Programs for Security properties.
  • Cqual: a tool for adding type qualifiers to C.
  • MC: Meta-Level Compilation.
  • SLAM (Microsoft).
  • ESC/Java: Extended Static Checking for Java.
  • Splint: Secure Programming Lint.
  • MOPED: a model checker for pushdown systems.
  • JCAVE: JavaCard Applet Verification Environment.
  • The Boop Toolkit: utilizes abstraction and refinement to determine the reachability of program points in a C program.
  • Blast: Berkeley Lazy Abstraction Software Verification Tool.
  • Uno: a simple tool for source code analysis.
  • PMD: scans Java source code and looks for potential problems.
  • C++ Test: unit testing and static analysis tool.

Monday, March 20, 2006

Photo captions (images not included):
  • Subhash and his wife
  • Demo, Me and Ramesh
  • Mritunjay, organizer
  • Its too strange faces
  • Holi in black
  • Bit OK
  • Ravi and Anil
  • Demo and Lalit
  • So colourful
  • Corina, Stephen, and her friend (Sorry, name I forgot again)

Wednesday, March 15, 2006

Decisive Dilemma

Sometimes very silly things itch you a lot. It's not that big a problem, but still you feel it. That happened to me today. I am in great turmoil and not able to decide what I have to do. On one side I have a colleague/friend and on the other side I have my ethics, my ideology and my word to a fairly well-known person. Whom should I support? The concern or issue is very materialistic and does not have that much sense. But my friend said some words which really stressed me too much to think. On one side I have a friend who feels, and also tells me, all that he didn't like in me; it's very rare to get such a friend (specially for me), as approximately 80% of society pampers you directly or indirectly. I am just scared that if I take my decision by myself he will feel hurt, or indirectly I am going to spoil my relationship with him. I am in a state of perplexity, as I have a choice between equally unfavorable options.

Although I know my friend is very dicey and too confused, and because of that he never abides by his words, which I definitely didn't like. But should I also do the same thing to him and to others? Could I do things which I didn't like? Then what's the difference between him and me? I was just thinking all this scrap for the last 4 hours. But after putting the above 6 lines on paper I am clearer and out of my dilemma.

It really helps a person if you write it down on a neat and clean piece of paper, because thoughts frequently come into your mind and override earlier thoughts. But if it's on paper your analytical brain is able to tell you what's wrong and what's right. So I decided to abide by my words, without fearing about my friend and my relationship with him. Because if he is a friend of mine then he is able to understand me, and if it's not like that then he is not a friend of mine, he is just an opportunist, so why should I bother about him? And definitely it gives a lesson to him too, and he could be more aware in future about such things.

By the way, why did I publish it? Because I feel it's a very small and common thing (everyone faces such a situation once every month), but it certainly creates more stress for a person in his day-to-day life. Such a thing worked for me. But it took a lot of time to remove instance and person names from the article. Hopefully you are also going to try such a solution. Don't forget to post your comment about my decision. I am looking forward to your help too. I already decided, but yes, your feedback will be helpful for me in future.

Saturday, March 11, 2006

GPL and Open Source

Recently in one meeting their is an small discussion abt the Open Source Software. Although most of the guys in industry debate on that. Example Open Source is cheap useful so and so . But their is lots of hidden thing in it.

The "classic" licenses, GPL, LGPL, BSD, and MIT, were the most commonly used for open-source software. But what was it . Why should we bother abt it its an open source and free ? Such questions usually comes in 90% of people working in IT Industry.

But boss, nothing is free in this world except your mother's love and affection. :)
After the BlackBerry/RIM case most organizations started doing audits on their environment for use of Open Source software. Have you ever paid attention to the GPL published with most Open Source software?

I was able to dig down into a few of the important facts and questions which you should be concerned about. For your reference, the last four lines of the GPL are enclosed:
"This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License."

Microsoft calls attention to the implications of the GPL when an individual or organization creates derivative works using GPL-licensed code. Microsoft asserts that the GPL requires the release of both the derivative and original code. According to Microsoft, using GPL-licensed code as a basis for projects forces a company to make all derivative code available to the public, raising the risk that a firm could divulge trade secrets.

However, Microsoft's critique of the GPL ignores the GPL "nonrelease" provision, which states that private or internal use of GPL code in a derivative product does not require a company to release the resulting source code to the public. The GPL comes into play only when GPL code is incorporated into a derivative product that is made available or sold to the public. Any company planning to release software that incorporates GPL-licensed code into a single, unitary product must release the new code under the terms of the GPL.

Microsoft's critique raises the issues of proportionality and fairness; is it reasonable to require the release of a huge amount of new code when only a few lines of GPL-licensed code were incorporated into a new, derivative product? Richard Stallman, the Free Software Foundation's director, responds that companies cannot incorporate Microsoft Word source code into their publicly released products under any circumstances, including under the provisions of Microsoft's "shared source" venture.

The GPL provides an opportunity for developers to contribute to the growing body of freely available, GPL-licensed code, but they are not under any compulsion to do so. Developers that do not wish to contribute to the free software movement should simply refrain from incorporating GPL-licensed code in their products.

The above summary is not intended to serve as legal advice. If you're thinking about using GPL-licensed code in a publicly released derivative product, consult an attorney to ensure that your use of the code conforms to the terms of the GPL.

Friday, March 10, 2006

Result: Johari Window

Arena

(known to self and others)

bold, confident, extroverted, independent, knowledgeable

Blind Spot

(known only to others)

able, accepting, adaptable, brave, cheerful, clever, complex, dependable, dignified, energetic, friendly, giving, happy, helpful, idealistic, ingenious, intelligent, introverted, logical, loving, modest, nervous, observant, organised, patient, powerful, proud, quiet, reflective, relaxed, religious, responsive, searching, self-assertive, self-conscious, sensible, sentimental, silly, spontaneous, sympathetic, tense, trustworthy, warm, wise, witty

Façade

(known only to self)

Unknown

(known to nobody)

calm, caring, kind, mature, shy

All Percentages

able (15%) accepting (3%) adaptable (7%) bold (15%) brave (7%) calm (0%) caring (0%) cheerful (11%) clever (3%) complex (3%) confident (11%) dependable (15%) dignified (11%) energetic (3%) extroverted (11%) friendly (38%) giving (7%) happy (11%) helpful (11%) idealistic (7%) independent (11%) ingenious (3%) intelligent (38%) introverted (3%) kind (0%) knowledgeable (23%) logical (7%) loving (7%) mature (0%) modest (3%) nervous (15%) observant (15%) organised (11%) patient (3%) powerful (3%) proud (3%) quiet (15%) reflective (15%) relaxed (15%) religious (7%) responsive (3%) searching (7%) self-assertive (3%) self-conscious (11%) sensible (19%) sentimental (7%) shy (0%) silly (11%) spontaneous (7%) sympathetic (3%) tense (15%) trustworthy (11%) warm (7%) wise (7%) witty (15%)

Created by the Interactive Johari Window on 9.3.2006, using data from 26 respondents.
view Mukesh Kesharwani's full data.

Thursday, February 02, 2006

SSH RSA Based Authentication

My proof of concept for managing a remote management server repository for automating the shutdown and startup of applications is based upon SSH and RSA authentication to make remote command execution secure. Although there is no rocket science involved, what we all do in our daily life with rsh, rcp and rlogin I am trying to transform to ssh without any password requirement.

Brief about SSH:
Secure Shell (ssh) is a secure replacement for telnet, rlogin, rsh, and rcp. It uses encryption to keep information that you send over the network from being seen by others. It also uses public and private keys to validate that the host and client machines are who they say they are.

Brief about connection using RSA
SSH gives you the ability to generate your own public/private key pair and use that to authenticate your logins. While this has some advantages over .rhosts authentication, there are some drawbacks and disadvantages. First, your private key must either be locked with a passphrase that you have to enter any time you log in, or it must be stored on a very secure machine. A private key without a passphrase is like storing your password on disk for anyone to read; anyone possessing it can log in as you. Second, RSA authentication does not get you an AFS token when you log in, though it will carry along a token that you already have on your remote machine. (This is the same as the .rhosts method; only method 3, password authentication, will get you a new token.) If you do generate an RSA key, either protect it with a passphrase, or store it on a local hard disk or a floppy disk that you carry with you. Never store a private key that isn't protected by a passphrase in an NFS-mountable directory. To create a Protocol 1 RSA key pair on UNIX, use the command:
ssh-keygen -t rsa
Each host has a private key and a public key. In this explanation, we will call the host you are connecting from the client machine, and the host you are connecting to the server machine. When you first connect to a server that ssh on your client does not know about, it will ask whether you want to accept the public key of that machine. It will store that key in a file in your home directory on your client named ~/.ssh/known_hosts. Every connection after that will check the public key of the server, and will give you loud warnings if it is ever different. This protects you from hacker attacks in which another machine impersonates the trusted server machine to which you are trying to connect.

Forwarding other services with ssh
(Not yet used in my POC, but I hope it can be used creatively if required.)
SSH can forward other TCP services over the encrypted connection. Examples of such services would be FTP, POP, IMAP, and X-Windows. This keeps the passwords that these services forward over the network from being visible to hackers who may be watching the network traffic. These services have no encryption of their own built in, and need the protection of an external protocol. This forwarding is often referred to as tunneling, because the TCP traffic is sent through an encrypted tunnel that shields it from view.
FTP Tunneling (Port Forwarding) using SSH

Using SSH (Secure Shell), you have the possibility to tunnel any protocol. A tunnel connects a port of the local machine to a port on a remote machine, via the SSH connection. Tunneling is often called Port Forwarding. Using this technique you may access a FTP-Server behind a firewall in the DMZ (Demilitarized Zone) or even in the HSZ (High Secure Zone). The following prerequisite must be established:
The firewall is open for the SSH Port 22
There is a SSH-Server behind the firewall
The FTP-Server in the DMZ or HSZ must be known by the SSH-Server
You can enable secure connections over the internet using any application protocol, like ftp, telnet, sqlnet, etc. It sounds quite complex, but it is simple. Let's look at an example. The setup is as follows: you have a client that is connected to the internet. The FTP-Server you want to access via ftp is in a corporate LAN (HSZ), behind a firewall. The firewall only allows the SSH protocol (port 22), and you have access to the SSH-Server.

This part of the communication is encrypted and appears as SSH communication on the network. The SSH-Server establishes a connection to port 21 on the FTP-Server (3). It decodes the SSH communication and forwards the ftp commands there (Port Forwarding). This part is not encrypted; it appears like normal ftp communication on the network. By physically connecting to port 2121 on your local machine using any ftp client you are actually connected logically to port 21 on the remote machine, indirectly but completely transparently! One such example I already posted earlier. The POC is not yet done, so I am not able to produce the commands used.

Commands Used
In order to authenticate yourself with a key, you will - of course - need to have a key. Generate your key pair (private and public) using the Create RSA Identity... Two files are generated: one with the filename you have specified that contains your private key, and one with the same name and the extension .pub that contains the public key.
ssh-keygen

ssh-agent: To enable RSA certificate authentication
ssh-add: To add the private key to the authentication agent.
scp : To copy files
ssh -t : To establish an ssh session.

Sequence of commands used by me
$ ssh-keygen -b 2048 -t rsa
$ eval `ssh-agent -s`
$ ssh-add
$ chmod 0644 ~/.ssh/id_rsa.pub
$ scp -p ~/.ssh/id_rsa.pub max@server1.keekar.com:~/.ssh/authorized_keys
$ ssh-agent -k



You can also disable PasswordAuthentication: in the OpenSSH configuration file (often /usr/local/etc/sshd_config), find the setting for PasswordAuthentication and change the value to no. This then permits only public key authentication and prevents "regular" passwords from working. We feel strongly that allowing people to guess passwords is a really bad idea, and by insisting on RSA keys, a whole raft of shenanigans can be avoided.
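As an added example (not code from the original post), a POSIX shell version of the authorized_keys step above for an unattended automation account: it appends instead of overwriting, restricts the key to one forced command with no forwarding or pty, fixes the permissions sshd checks, and a second helper tells you whether PasswordAuthentication is really off in a given sshd_config. The paths, source address and command name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths, the source host
# pattern and the forced command are illustrative assumptions.

# install_restricted_key PUBKEY_FILE AUTHORIZED_KEYS SOURCE_PATTERN FORCED_CMD
# Appends one restricted authorized_keys line; idempotent on the key material.
install_restricted_key() {
    pub="$1"; ak="$2"; src="$3"; cmd="$4"
    # keep "type base64" and drop the trailing comment field
    key=$(cut -d' ' -f1-2 "$pub")
    [ -n "$key" ] || return 1
    line="from=\"$src\",command=\"$cmd\",no-port-forwarding,no-X11-forwarding,no-pty $key"
    mkdir -p "$(dirname "$ak")"
    chmod 700 "$(dirname "$ak")"   # sshd (StrictModes) rejects loose perms
    touch "$ak"
    # already installed? compare on the key material only
    if grep -qF -- "$key" "$ak"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$ak"   # append, never clobber existing keys
    chmod 600 "$ak"
}

# password_auth_disabled SSHD_CONFIG
# Returns 0 when the first uncommented PasswordAuthentication keyword is "no"
# (OpenSSH honours the first match; "# ..." lines never match on $1).
password_auth_disabled() {
    val=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1")
    [ "$val" = "no" ]
}
```

sshd reads its configuration at start, so reload or restart it after changing PasswordAuthentication, and keep an existing session open while you test the key login.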


Saturday, January 28, 2006

Avoid Automatic Virus Sending from Your Email Server or Box

Presently there are various mail worms spreading. These worms are intelligent; sometimes they send mails to everyone in your contact list using any of the previous mail subject lines.

To avoid this, the following measures are very useful.

1) Create 2 mail IDs in the address book, one with the name:
!0000
(so that it will be the 1st contact; do not enter any email address for it)
and another with the ID: aaa@aaa.com
This creates confusion for any normal virus/worm on its very first try at sending mail!

The second mailbox is a very handy tool for any mail server administrator because they can easily track whether their network has such a virus or not. If mails are coming to this mailbox, it means viruses/worms are there.
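As an added example (not from the original post), a shell helper for the administrator's side of that second mailbox: it treats the decoy address as a canary and reports which client hosts and sender addresses tried to deliver to it, so infected machines can be found. The log lines in the test are constructed in a postfix-like format; the field extraction is an assumption to adapt to your own MTA's log format.

```shell
#!/bin/sh
# Added example, not from the original post. The log layout assumed here is a
# constructed, postfix-like one:
#   ... postfix/smtpd[123]: client=HOST[IP], from=<ADDR>, to=<aaa@aaa.com>
# Adjust the client=/from=/to= parsing for the MTA you actually run.

CANARY="aaa@aaa.com"   # the decoy address from the address-book trick above

# canary_senders LOGFILE
# Prints one "client-host sender-address" pair per line, de-duplicated, for
# every delivery attempt addressed to the canary. Anything mailing the canary
# is a machine to inspect: no human ever sends to it.
canary_senders() {
    awk -v c="$CANARY" '
        index($0, "to=<" c ">") {
            host = ""; from = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^client=/) { host = substr($i, 8); sub(/,$/, "", host) }
                if ($i ~ /^from=</)  { from = substr($i, 7); sub(/>,?$/, "", from) }
            }
            if (host != "") print host, from
        }' "$1" | sort -u
}
```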

Saturday, January 21, 2006


Kabhi kabhi
Keekar

Ruko Ruko
Keekar

Bye Bye
Keekar