Thursday, July 06, 2006

Old Memories

Rahul, it's for you.

Tuesday, July 04, 2006

Time Synchronization across the enterprise with Windows 2003 SNTP

Configure Windows as the master time source.

The Windows 2003 time service is configured with w32tm, a command line tool included with the standard Windows installation.
The following three steps set up and activate time synchronization with an Internet time source:
1. w32tm /config /syncfromflags:manual /manualpeerlist:PeerList
PeerList is a comma-separated list of DNS names or IP addresses of the desired Internet time sources.
2. w32tm /config /reliable:YES
This command configures the Windows time service to announce itself as a reliable time source so other computers can synchronize to it.
3. w32tm /config /update
This command notifies the time service of the changes to the configuration, causing the changes to take effect.

Below are the commands run for this configuration to set up time synchronization to an Internet time source:
1. w32tm /config /syncfromflags:manual /manualpeerlist:time.nist.gov,swisstime.ethz.ch
2. w32tm /config /reliable:YES
3. w32tm /config /update


NTP Configuration on Solaris 9

To configure time services on Solaris, perform the following three steps:
1. Copy the template file provided to /etc/inet/ntp.conf:
cp /etc/inet/ntp.client /etc/inet/ntp.conf

2. Modify ntp.conf to include the time server that will be used by this client.
Minimal required entries in ntp.conf include the time servers that the client should synchronize with and the location of the drift file, which is used to record information regarding the accuracy of the local clock.
Example /etc/inet/ntp.conf:

server patryk.keekar.com
server marc.keekar.com
driftfile /etc/ntp.drift

3. The xntpd daemon must be restarted in order for the configuration changes to take effect:
/etc/init.d/xntpd stop
/etc/init.d/xntpd start

NTP Configuration on Linux

To configure time services on the Linux clients, perform the following two steps:
1. Modify ntp.conf to include the time servers that will be used by this client.
Minimal required entries in ntp.conf include the time servers that the client should synchronize with.
Example /etc/ntp.conf:
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
server patryk.keekar.com
server marc.keekar.com

2. For the configuration changes to take effect, restart the ntpd daemon:
/etc/init.d/ntpd restart

Cisco CallManager server

Complete these steps in order to configure the Cisco CallManager server to automatically synchronize, and stay synchronized, with a Time server.

Note: You cannot use NTP to synchronize between two Cisco CallManagers. The NTP that is installed in Cisco CallManager is a client NTP service and only synchronizes to an NTP server.

  1. Complete these steps in order to verify that the NetworkTimeProtocol service is configured to launch automatically upon start-up:
    1. Right-click on My Computer and select Manage.

    2. Expand the Services and Applications section.

    3. Select Services.

    4. Double-click on the Network Time Protocol service.

    5. Ensure that Start-up Type is set to Automatic.

  2. Configure the C:\WINNT\system32\drivers\etc\ntp.conf file.

    This file contains the list of Time Servers that Cisco CallManager becomes synchronized with. You can configure Cisco CallManager to point to specific Time Servers, or you can configure it to receive NTP broadcasts on the local LAN segment from the router (as long as the router is configured to do so).

    Sample ntp.conf file that uses static Time Servers:

      server patryk.keekar.com
      server marc.keekar.com
      driftfile %windir%\ntp.drift

    Sample ntp.conf file that uses an NTP broadcast router:

      broadcastclient
      driftfile %windir%\ntp.drift

  3. Go to the Services Control Panel and stop/start the NetworkTimeProtocol service. Allow several minutes for the update to take place.

If the NetworkTimeProtocol Service does not run on the Cisco CallManager

Note: This procedure only applies to Cisco CallManager.

Complete these steps in order to install the NetworkTimeProtocol service:

Open a command prompt and change to this directory:

C:\>cd C:\Program Files\Cisco\Xntp


Run install.bat:

C:\Program Files\Cisco\Xntp>install.bat

Installing Configuration Files

1 file(s) copied.

Installing Executables

1 file(s) copied.

1 file(s) copied.

1 file(s) copied.

1 file(s) copied.

The NTP service is already installed.

Remove it first if you need to re-install a new version.

The NTP Service is now installed.

Please modify the NTP.CONF file in C:\WINNT appropriately.

See readme.txt for more information.

After modifying the configuration file, use the services control panel

to make NTP autostart and either reboot or manually start it.

When the system restarts, the NTP service will be running.

For more information on NTP Operations please see the NTPOG.Wri

C:\Program Files\Cisco\Xntp>


Synchronize Time Manually with the Time Server Using NTP

Note: This procedure only applies to Cisco CallManager.

Complete these steps in order to synchronize time manually with the Time Server using NTP.

Stop the NetworkTimeProtocol service in the Services Control Panel.
Synchronize the clock by using this command from a command prompt.
In order to synchronize with a remote Time server:

ntpdate marc.keekar.com

Restart the NetworkTimeProtocol service in the Services Control Panel.


Configuring a Cisco Multilayer Switch to use the Time Server
Configuration example for the Catalyst 6500 series

--------------------------Start --------------------------
!--- Enable service timestamps with date and time.
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
!
!
!
!--- Hostnames for the MSFCs (MSFC15 shown; the second MSFC uses hostname MSFC16).
hostname MSFC15
!
!
!
!--- Both MSFCs are in the PST timezone.
clock timezone PST -8
!
!--- Both MSFCs will adjust the clock for Daylight Saving Time.
clock summer-time PDT recurring
!
!--- If connectivity to the NTP server is lost, the calendar is used
!--- as an authoritative time source.
clock calendar-valid
!
no ip finger
ip domain-name corp.com
ip name-server 172.16.55.120
ip name-server 171.16.60.120
!
!
!--- Each MSFC uses the IP address of the loopback0 interface as
!--- the source IP for NTP packets.

ntp source Loopback0
!
!--- The MSFCs will update the hardware calendar with the NTP time.
ntp update-calendar
!
!--- Both MSFCs get the time from patryk.keekar.com.
ntp server patryk.keekar.com
!
end
--------------------------END --------------------------

Cisco 1000 Series Router

SNTP generally is supported on those platforms that do not provide support for NTP, such as the Cisco 1000 series, 1600 series, and 1700 series platforms. SNTP is disabled by default. In order to enable SNTP, use one or both of the following commands in global configuration mode:

Configures SNTP to request NTP packets from an NTP server.

Router(config)# sntp server patryk.keekar.com [version number]

Configures SNTP to accept NTP packets from any NTP broadcast server.

Router(config)# sntp broadcast client

Enter the sntp server command once for each NTP server. The NTP servers must be configured to respond to the SNTP messages from the router.

If you enter both the sntp server command and the sntp broadcast client command, the router will accept time from a broadcast server but prefer time from a configured server, assuming that the strata are equal. To display information about SNTP, use the show sntp EXEC command.


Router that supports NTP
Router# conf t
Router(config)# ntp server marc.keekar.com
Router(config)# ntp server patryk.keekar.com
Router(config)# clock timezone IST 5 30
(IOS takes the timezone offset as separate hours and minutes arguments, so IST is written "5 30", not "+5.30".)
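To show what the clients configured above (w32tm, ntpd, the IOS sntp and ntp server commands) actually exchange, and why the router's preference "assuming that the strata are equal" matters, here is an added example in Python; it is not code from the original post. It builds a client request and a server reply from constructed timestamps, applies the sanity checks a client should make before trusting a reply (mode, leap indicator, stratum, and that the originate timestamp echoes our own request), and computes the clock offset and round-trip delay with the RFC 4330 formulas.

```python
"""SNTP exchange with the sanity checks a client should apply before trusting
a reply. Added example, not code from the original post; every timestamp and
hostname here is a constructed sample value."""
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
PACKET_FORMAT = "!BBBbIIIQQQQ"  # the fixed 48-byte NTPv4/SNTPv4 header
FIELDS = ("flags", "stratum", "poll", "precision", "root_delay", "root_dispersion",
          "reference_id", "reference_ts", "originate_ts", "receive_ts", "transmit_ts")


def to_ntp(unix_seconds):
    """Unix seconds (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ntp_ts):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ntp_ts >> 32) - NTP_EPOCH_OFFSET + (ntp_ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(li, version, mode, stratum, originate_ts=0, receive_ts=0, transmit_ts=0):
    """Pack a minimal packet; poll, precision, root delay/dispersion and reference fields are zero."""
    flags = (li << 6) | (version << 3) | mode
    return struct.pack(PACKET_FORMAT, flags, stratum, 0, 0, 0, 0, 0, 0,
                       originate_ts, receive_ts, transmit_ts)


def parse_packet(data):
    """Unpack the 48-byte header into a dict and split the LI/VN/Mode byte."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    pkt = dict(zip(FIELDS, struct.unpack(PACKET_FORMAT, data[:48])))
    pkt["li"] = pkt["flags"] >> 6
    pkt["version"] = (pkt["flags"] >> 3) & 0x7
    pkt["mode"] = pkt["flags"] & 0x7
    return pkt


def client_request(t1_unix):
    """Mode 3 (client) request; only the Transmit Timestamp (T1) is filled in."""
    return build_packet(li=0, version=4, mode=3, stratum=0, transmit_ts=to_ntp(t1_unix))


def server_reply(request, t2_unix, t3_unix, stratum=2, li=0):
    """Server side: copy the client's T1 into Originate, stamp Receive (T2) and Transmit (T3)."""
    req = parse_packet(request)
    return build_packet(li=li, version=4, mode=4, stratum=stratum,
                        originate_ts=req["transmit_ts"],
                        receive_ts=to_ntp(t2_unix), transmit_ts=to_ntp(t3_unix))


def check_reply(reply, expected_t1_unix):
    """Return None if the reply is usable, else the reason to discard it."""
    pkt = parse_packet(reply)
    if pkt["mode"] not in (4, 5):  # 4 = server (unicast reply), 5 = broadcast server
        return "unexpected mode %d" % pkt["mode"]
    if pkt["li"] == 3:
        return "server clock unsynchronized (LI=3)"
    if not 1 <= pkt["stratum"] <= 15:  # 0 = kiss-o'-death, 16 = unsynchronized
        return "unusable stratum %d" % pkt["stratum"]
    # A unicast reply must echo our own T1; this drops stale or unsolicited replies.
    if pkt["mode"] == 4 and pkt["originate_ts"] != to_ntp(expected_t1_unix):
        return "originate timestamp does not match our request"
    return None


def offset_and_delay(reply, t1_unix, t4_unix):
    """RFC 4330: offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2)."""
    pkt = parse_packet(reply)
    t2, t3 = from_ntp(pkt["receive_ts"]), from_ntp(pkt["transmit_ts"])
    return ((t2 - t1_unix) + (t3 - t4_unix)) / 2, (t4_unix - t1_unix) - (t3 - t2)


if __name__ == "__main__":
    # Constructed exchange: the server clock runs 2 s ahead, one-way delay 0.5 s,
    # server processing 0.1 s.  T1/T4 are client-clock times, T2/T3 server-clock times.
    t1, t2, t3, t4 = 1000.0, 1002.5, 1002.6, 1001.1
    reply = server_reply(client_request(t1), t2, t3)
    print("problem:", check_reply(reply, t1))
    print("offset %.3f s, delay %.3f s" % offset_and_delay(reply, t1, t4))
    bad = server_reply(client_request(t1), t2, t3, stratum=0)
    print("stratum 0 reply:", check_reply(bad, t1))
```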



Friday, June 30, 2006

Network Security Platforms

In the past, best-of-breed security solutions have been the most effective choices for securing enterprise networks. However, this approach has resulted in the deployment of a disparate set of point products for firewall, intrusion detection, antivirus blocking, vulnerability analysis, and other network-centric security functions. This has led to gaps in protection and a high cost of ownership because of the need for multiple management consoles and a lack of integration. Gartner believes that the rise of network security platforms will enable best-of-breed security solutions to blur the lines between firewalls, network-based intrusion detection, and vulnerability scanning, as well as other network-centric security technologies.

What are network security platforms?
Network security platforms are network-attached devices that can apply multiple security functions (at a minimum, firewall, intrusion detection, and vulnerability scanning) at wire speeds. They provide environmental inputs (power, cooling and console) for the security capabilities, a common backplane for communications, and a structure for controlling communications between security processing functions. Network security platforms use a variety of algorithms and techniques to inspect incoming and outgoing network traffic to determine if connections and payloads are dangerous to enterprises. The platforms decide whether to raise an alert regarding suspected malicious activity or to take specific actions—such as blocking connections, dropping packets, or terminating sessions—when malicious activity is detected. These platforms perform functions that currently are performed by firewall (network- and application-level), intrusion detection, vulnerability assessment, gateway antivirus, and URL blocking products.
Many network security platforms will include virtual private network capabilities; however, we believe that these capabilities will not be long-term platform requirements, except for site-to-site connections. Network security platforms must run at wire speeds; for most enterprises, these will be in the 100 Mbps to 1 Gbps range for single connections, and much higher for multiple networks. For "in the cloud" security applications, with which telecom and Internet service providers provide security processing in the network, throughput of 2 Gbps or higher will be required. These requirements will drive most network security platforms to be based on custom application-specific integrated circuits or network-security processors to support complex processing at high data rates. However, the platforms will need to support software-based updates, customization, and scripting similar to software-based systems. Hardware-based stack and protocol processing will be required to perform deep packet inspection without introducing unacceptable network latency. Software processing that runs on generic computing platforms will be sufficient where the network security platform primarily will be used for detection, not prevention; applications are simple or repetitive; or network data rates are low enough (see Figure ).

There are four primary types of network security platforms:

Closed integrated platforms—The network security platform vendor implements all security functions in a proprietary environment and can integrate processing across functions, which enables security functions to make processing decisions based on the results of other processing functions. Vendors in this category include Tipping Point Technologies, NetScreen Technologies, BlueCoat Systems, and Array Networks.

Closed separate platforms—The vendor implements all security functions in a proprietary environment without supporting integration across functions. Vendors include Symantec, with its initial Gateway Security product, and Cisco Systems, with its blade approach.

Open integrated platforms—The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the network security platform. Vendors include Nortel/Alteon, CloudShield, and Ingrian Networks.

Open separate platforms—The vendor licenses security functions from other vendors (or supports open source) or partners with multiple security vendors that port their applications to the platform; however, integrated processing across functions isn’t supported. Vendors include Crossbeam Systems, Blade Fusion, and OmniCluster Technologies.

Closed integrated platforms offer more effective security via tighter integration between functions, but they require that enterprises abandon the best-of-breed approach to individual functions. Open integrated platforms enable enterprises to stay with best-of-breed options and preserve investments in network security products, as well as reduce the need to migrate security policies to new products.

Both types of separate platforms will be interim offerings until fully integrated capabilities are available. Meaningful integration across functions is a complex issue. Gartner believes that this integration will not provide reliable results until 2H04.
Within these types of platforms, different performance/price points will emerge:

Carrier class—Products that run at OC24 and higher rates, and that allow network service providers to offer "in the cloud" security services, which eliminate the need for customer premises equipment and enable low-cost managed service offerings.

Enterprise class—Platforms that can process multiple 100 Mbps networks that are used by Global 2000-class enterprises as enterprise intrusion prevention systems.

Small and midsize enterprise class—Products that offer limited flexibility or operate at 100 Mbps or lower rates at low price points.

Types of network security platform vendors
Network security product vendors will migrate to offering security platforms, while other network performance management vendors also will provide these platforms. Network-security-focused vendors (such as firewall, intrusion detection, and gateway antivirus companies) will begin to offer security platforms to meet the challenges of blended and application-level attacks, and to address market demand to lower total cost of ownership. By 2006, 60 percent of firewall and intrusion detection functionality will be delivered via network security platforms.

Content-switching and load-balancing vendors will add security functionality to their platforms, which already offer high-speed processing and deep packet inspection for making caching/load balancing type decisions. These vendors see security as a new revenue stream from their installed base, and as a way to avoid the threat of network security platform vendors that are adding switching and load-balancing functions to their platforms. Although content-switching/load-balancing vendors have extensive experience in wire-speed traffic processing, they don't have deep security expertise. This will prompt network performance vendors to acquire network security technology companies that specialize in deep packet processing.

Network security platform market road map

In 2002, firewall vendors such as Check Point Software Technologies, Symantec, and NetScreen took steps toward becoming network security platform vendors. Check Point announced Smart Defense, which integrates intrusion detection capabilities onto Firewall-1. Symantec's Gateway Security product combines firewall, intrusion detection, gateway antivirus, and URL blocking functions into one appliance. NetScreen’s implementation of simple, signature-based filtering and its acquisition of OneSecure were strong moves in the platform direction.

However, these first-generation efforts provide minimal integration between functions, and they generally don’t add vulnerability assessment capabilities. Newer market entrants such as TippingPoint provide tighter integration of the required functions, but in a closed architecture that will require enterprise testing to determine the effectiveness of the individual firewall, intrusion detection, and antivirus functions, as well as integrated capabilities.

Gartner believes that products with fully integrated network security functions that can operate at wire speeds will not affect the firewall and intrusion detection markets until 2H04. After 2H04, intrusion detection vendors that do not offer network security platforms will begin to exit the market through acquisition by network security platform players or loss of market share.

The initial product focus between 2004 and 2006 will be at the enterprise level, with price points in the $25,000 to $75,000 range. If the telecom market recovers from the economic downturn before 2006, mainstream telecom and Internet service providers will begin to offer managed security services that will drive the development of higher-speed, lower-priced offerings and use-based pricing models. Gartner believes that aggressive telecom providers will offer some “in the cloud” services by late 2004. The low-end, small-and-midsize-enterprise-class network security platform will not be a market factor until 2007, when platforms with limited functionality and processing speeds will be available at price points of less than $10,000.

Managing multiple security devices

Most enterprises have deployed numerous firewalls, and many also have deployed one or more intrusion detection products. Network security platforms will be viable enterprise solutions by 2006, and they will transform today’s disparate network security market. Until that occurs, enterprises that have deployed firewalls and intrusion detection systems can use security device management products to gain a preliminary level of integration between network security products. These products support alarm/alert normalization, aggregation, data reduction and a degree of correlation to greatly reduce the false alarm rate and the operational burden of monitoring security devices. Although the loose integration that is provided by these products doesn't support the speed of response necessary to implement intrusion prevention, security management products enable enterprises to extend their investments in security products and provide a management structure for incorporating advanced security products.

Security management price points will have to drop below the six-figures of current offerings to reach the broad market. Outsourcing the monitoring and management of perimeter network security devices is another option for enterprises that are looking to avoid investing in early-stage technology or limited security staffing levels.

Bottom line

Tighter integration and common management across network security controls is a panacea for Internet security. Network security platforms maintain best-of-breed security approaches while supporting improved attack blocking and lowering total cost of ownership.

Thursday, June 15, 2006

Significant increase in probes reported by FBI

The probes are searching for systems that have vulnerable versions of LPRng, the "Next Generation" version of the widely used LPR printing utility, as well as the RPC daemon used with Network File System (NFS) services. While a large portion of these attacks were the result of U.S./Chinese cyberskirmishes following the downing of a U.S. spy plane, the subsequent hacking traffic has not died down. Check your software distribution's home page for an updated version of LPRng and RPC, and do so without delay!

Remember that automated probes are looking for TCP/IP listening ports that are associated with known system weaknesses. Make sure that you're running your Linux system with all ports disabled, save for the ones that you absolutely need. In a terminal window, switch to superuser status, open /etc/inetd.conf, and comment out the services you're not using (for a single-user system that isn't functioning as a server, likely candidates include anonymous FTP, POP3, Telnet, rlogin, and rcp).
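The inetd.conf clean-up described above, as an added Python example that is not part of the original post: it lists the services an inetd.conf still has enabled, flags the ones named in the paragraph, and writes back a copy with those entries commented out. The sample inetd.conf is constructed (rlogin is served by the "login" entry and rcp/rsh by the "shell" entry).

```python
"""Audit /etc/inetd.conf for the services the post says to comment out.
Added example, not code from the original post; SAMPLE_INETD_CONF is constructed."""

# Services the post singles out for a single-user system that is not a server.
RISKY = {"ftp": "anonymous FTP", "pop3": "POP3", "pop-3": "POP3",
         "telnet": "Telnet", "login": "rlogin", "shell": "rcp/rsh"}

SAMPLE_INETD_CONF = """\
# constructed sample /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd  sshd -i
"""


def enabled_services(conf_text):
    """Service names of the active (uncommented) inetd entries, in file order."""
    names = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 6:  # service socktype proto wait/nowait user server [args]
            continue
        names.append(fields[0])
    return names


def risky_enabled(conf_text):
    """Enabled services that the post recommends disabling on a non-server."""
    return [name for name in enabled_services(conf_text) if name in RISKY]


def comment_out(conf_text, services):
    """Return the file with the given services commented out; other lines untouched."""
    out = []
    for line in conf_text.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in services:
            out.append("#" + line + "   # disabled: " + RISKY.get(fields[0], "not needed"))
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    to_disable = risky_enabled(SAMPLE_INETD_CONF)
    print("enabled:", enabled_services(SAMPLE_INETD_CONF))
    print("should be disabled:", to_disable)
    print(comment_out(SAMPLE_INETD_CONF, to_disable))
```

After editing the real file, inetd must be told to re-read it (a restart or HUP of the daemon) before the change takes effect.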

New vulnerability in wu-ftpd

I recently found an article on the net reporting that a vulnerability has been confirmed in the wu-ftpd FTP daemon. This vulnerability is remotely exploitable and can be used to execute arbitrary code on the vulnerable FTP server.

Because wu-ftpd is such a popular and widely used FTP server, not only for Linux but for other UNIX-derivatives like BSD systems, the security impact is quite high. The fact that most FTP servers in use these days provide anonymous FTP access compounds the problem. This means that a user doesn't even have to authenticate himself or herself on the server as a real user in order to exploit this vulnerability.

The problem is due to the "file globbing" support in wu-ftpd. This globbing allows clients to organize files for FTP actions, such as list and download, based on patterns. A heap corruption problem in the wu-ftpd, in its most innocent form, will simply cause the FTP server to die with a segfault. Unfortunately, this same corruption problem can be exploited to run programs on the server that the user should not be permitted to execute.

Most vendors have released updates to fix this problem quickly. Therefore, if you are running a version of wu-ftpd installed prior to Nov. 27, 2001, you are vulnerable and need to obtain an update from your vendor.

Wednesday, April 26, 2006

Streaming the Desktop

Application streaming creates a virtualized desktop that can be managed centrally, yet offers the speed of local execution. Automated software distribution has been a hot topic in desktop management, but the next big thing is on-demand software delivery. While ASD tools help control desktop support costs by making software installations consistent, the on-demand software-delivery technologies go one step further: They can virtualize the local installation and stream the applications -- and even the operating system -- from a central distribution server in real time.
It creates and stores complete system images on a server and streams portions of the operating system and applications to desktop users at boot-up. "It didn't require a large investment in server infrastructure and provided immediate ROI."
Application streaming technology takes advantage of the fact that LANs are getting faster -- and that most applications require only a small fraction of the total program code in order to run. The minimum needed can be as little as 10% to 15%.
Once the user is up and running, additional application and operating system components are fetched as needed. After the initial launch of a program, some products allow portions of the applications to reside in a local cache for faster subsequent loads. The result: Applications can be maintained and updated on central servers but run on the end user's local machine. The issue of managing locally installed programs on individual desktops is eliminated.
This concept is not new. In the late 90s such a concept was very popular with Novell NetWare. A few of my friends are asking a lot about it, calling it the new technology. But my friends, I already did such a thing in the late 90s; the only difference is that now things are much more optimised and on a big scale. It's something I remember: I read an ad for a bike in which they mentioned in their advertisements that the bike has fins on the engine. But now everyone knows that any air-cooled engine requires fins to dissipate the maximum of heat.

Let's take a deeper look at the topic.

Vendors of just-in-time streaming products fall into one of two categories. Companies such as Ardence offer products that stream complete disk images that include the Windows operating system and a predetermined application set. Companies like AppStream Inc. stream only the applications but offer more granular control over application delivery.
Still other vendors, including Softricity Inc. and Stream Theory Inc., take application streaming one step further by creating a self-contained virtual environment in which each streamed application can run. The virtualization layer traps and isolates registry entries, Dynamic Link Libraries (DLL) and other changes the application wants to make to Windows settings. This avoids application conflicts and eliminates the need for administrators to do regression testing and build images for every combination of applications.
Since applications are delivered centrally, software streaming products allow application licenses to be tightly controlled. "The idea is to create an environment where applications can be made available on devices in a very managed, controlled way and then removed from the device so they can be used somewhere else." Streaming technology lowered desktop support costs by reducing help desk calls resulting from malware problems. "Now, when they get [a virus], they just reboot and get a new image." One vendor case study says that centralized management also made upgrades easier. A typical upgrade to the company's Avaya Call Center software, which used to take 75 hours to test and roll out, is now completed in about one hour, he says, because fewer images are needed and the software doesn't have to be installed on each machine.
Time Warner's PCs support PXE boot technology, which lets the machines remote-boot directly from the system image that the Ardence server delivers. PCs boot over the Gigabit Ethernet network faster than they did when running locally, and bypassing the local disk drive has saved on support costs. "Eighty percent of our trouble tickets are hard-drive-related."
The downside is that building the images used for streaming is currently time-consuming.
Neoware's Image Manager attempts to reduce the number of images required by creating a virtualization layer that allows a single image to run on different systems. "We have a virtualized driver model that lets the operating system boot regardless of what the hardware is," says Neoware CEO Michael Kantrowitz. It is limited, however, to only those drivers that are built into Windows. Applications with unique drivers require a separate image. With both products, administrators still must create different images for each desired application set.

Speed and Flexibility

"It takes less than a minute before they can use the [updated] applications. That's definitely better than having someone walk around to 2,000 PCs."
Managing multiple images is impractical at Suncor Energy Services Inc., which has 1,600 applications on some 4,500 PCs. Between 75% and 85% of those applications are now delivered by way of Softricity's SoftGrid server. SoftGrid includes a "sequencer" utility that encapsulates all of the system changes that the application's installation routine makes and places those in a semi-isolated virtual environment on the PC, along with the installed application image. Applications are delivered automatically based on policies set in Active Directory and are removed when the session ends.

Some useful quotes

Software updates that used to take a month to deploy are now completed in one day. Weiszhaar doesn't need to first perform regression testing on the application, produce a distribution package and test it. "Within five minutes we can deploy it to every single person in the company," he says.
Stream Theory claims to offer application environment virtualization that's more flexible. AppExpress lets the administrator specify which DLLs or other application components can be virtualized and which need to talk to one another, says Chief Technology Officer Arthur Hitomi. The software won't, however, allow incompatible versions of an Oracle or Office application to run simultaneously, as SoftGrid does.
"We had to silo-out hardware due to different versions of Office or Oracle," says Weiszhaar. SoftGrid eliminated the conflicts, and Weiszhaar was then able to distribute those applications across more servers.
Deployments of new applications via MetaFrame are also easier. "We can take your new application that we've never run before, put it on a server with production applications running, and we don't have to worry about it breaking anything," O'Brien says.
While approaches to application streaming vary, in the end all vendors attempt to deliver applications to the end device in a managed, secure way, says IDC's Kusnetzky. While SoftGrid's offering is the most mature, administrators will need to examine each approach carefully before making a decision, he says. "There may be six or seven ways to do it. That's got to be very confusing for an organization trying to decide what is the best solution for their needs."

Interesting Facts (just for a laugh, but true).

Year 1981.
  • Prince Charles got married.
  • Liverpool crowned Champions of Europe.
  • Australia lost the Ashes.
  • Pope died.

Year 2005.

  • Prince Charles got married.
  • Liverpool crowned Champions of Europe.
  • Australia lost the Ashes.
  • Pope died.

In future, if Prince Charles decides to re-marry, please warn the Pope!!

Friday, March 24, 2006

Source Code Security Vulnerability Scanners

In the last few weeks I attended lots of webcasts and seminars regarding security. I have also served different companies in different positions and roles. My observation is that companies are trying hard to protect their assets and get compliant so that they will not be a target for hackers. Everyone talks a lot about network security, application security, and so on. All those people talk about big words like SQL injection, buffer overflow and format string vulnerabilities. But what these actually are, and what precautions we have to take to get away from them, is missing. I talked a lot about security with different vendors and finally found that the only information coming to me is about firewalls, IDS, VPN, network audits, procedure audits and so on. These things are essential, but I was asking about the complete security solution; no one highlighted that we can also suppress bugs related to these vulnerabilities at development time too. The above aspects are the most common ones and I trust every guy working in security knows them too. Hence the net outcome is that all vendors are trying to sell products, not solutions.
Lots of well-known bugs are present in already deployed software, so it's essential to protect them, but whatever is going to be the future, please concentrate on that too. I worked with highly qualified test engineers; they all talk about big testing software like Jtest, RoboJ etc. But man, where is the mechanism which will tell you that the developers are generating secure code against the well-known vulnerabilities? I know by this time this article seems boring to you. But this is the fact. Very few people know that there are automated tools present in the market with the help of which you can suppress the mistakes already made earlier, meaning vulnerabilities.
These automated tools do the audit on the principle of known mistakes or signatures. For example, if I say buffer overflow vulnerability, that means there is improper usage of the gets(), scanf(), sprintf(), strcat() and strcpy() function calls. Definitely these function calls are required, but sometimes by mistake they are not used properly, which generates different kinds of vulnerabilities. As per one survey there are 10000+ known vulnerabilities present, and I trust almost 50% of this figure has also been analyzed by experts to learn the patterns which commonly create vulnerabilities. So these automated audit tools match your code against these known patterns, and if they find a matching pattern of strings then they give an alert for a potential vulnerability. Some of the known audit tools are described below.

Automated Source Code Security Vulnerability Scanners
There are intelligent tools available to help you examine large amounts of source code for security vulnerabilities.

Flawfinder
Examines source code and reports possible security vulnerabilities
RATS from Secure Software Solutions
Scans C, C++, PERL, PHP and Python source code for potential security vulnerabilities.
ITS4 from Cigital
Scans source code looking for potentially vulnerable function calls and preforms source code analysis to determine the level of risk
PScan
A limited problem scanner for C source files
BOON
Buffer Overrun detectiON
MOPS
MOdelchecking Programs for Security properties
Cqual
A tool for adding type qualifiers to C
MC
Meta-Level Compilation
SLAM
Microsoft
ESC/Java
Extended Static Checking for Java
Splint
Secure Programming Lint
MOPED
A Model-Checker for Pushdown Systems
JCAVE
JavaCard Applet Verification Environment
The Boop Toolkit
Utilizes abstraction and refinement to determine the reachability of program points in a C program
Blast
Berkeley Lazy Abstraction Software Verification Tool
Uno
Simple tool for source code analysis
PMD
Scans Java source code and looks for potential problems
C++ Test
Unit testing and static analysis tool
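To make the signature principle described above concrete, here is an added example written for this page (it is not from the post or from any of the tools listed): a small shell function that flags calls to the functions the post names. The C source it scans is constructed, and the risk levels are my own assignment.

```shell
#!/bin/sh
# Signature-based audit in the spirit of the tools above: report every call to a
# function on a "known dangerous" list, with file, line, function and a risk level.
# Constructed sample input (not real project code), written to a temp file below.
SAMPLE_C='#include <stdio.h>
#include <string.h>
int main(void) {
    char buf[16];
    gets(buf);                      /* unbounded read into buf */
    strcpy(buf, "hello");           /* no length check */
    fgets(buf, sizeof buf, stdin);  /* bounded read, not flagged */
    /* strcat() mentioned only in a comment, not flagged */
    return 0;
}'

# scan_c_source FILE: prints one "FILE:LINE:FUNC:RISK" line per risky call.
# Matching is purely lexical, like the early scanners: identifier followed by "(".
scan_c_source() {
    awk -v file="$1" '
    BEGIN { risk["gets"] = "high"; risk["strcpy"] = "high"; risk["strcat"] = "high"
            risk["sprintf"] = "medium"; risk["scanf"] = "medium" }
    {
        line = $0
        sub(/\/\*.*\*\//, "", line)                 # drop a one-line /* */ comment
        while (match(line, /[A-Za-z_][A-Za-z0-9_]*[ \t]*\(/)) {
            name = substr(line, RSTART, RLENGTH)
            sub(/[ \t]*\($/, "", name)              # keep only the identifier
            if (name in risk) printf "%s:%d:%s:%s\n", file, NR, name, risk[name]
            line = substr(line, RSTART + RLENGTH)   # continue after this call
        }
    }' "$1"
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp) && printf '%s\n' "$SAMPLE_C" > "$sample"
scan_c_source "$sample"
rm -f "$sample"
```

The output names the call site only; as with the tools above, a hit is a place to review, not a confirmed bug.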

Monday, March 20, 2006

Subhash and his wife
Demo, Me and Ramesh
Mritunjay, organizer
Such strange faces
Holi in black
Bit OK
Ravi and Anil
Demo and Lalit
So colourful
Corina, Stephen, and her friend (sorry, I forgot the name again)

Wednesday, March 15, 2006

Decisive Dilemma

Sometimes very silly things itch you a lot. It's not that big a problem, but still you will feel it. That happened to me today. I am in great turmoil and not able to decide what I have to do. On one side I have a colleague/friend, and on the other side I have my ethics, ideology and my word to a fairly known person. Whom should I support? The concern or issue is very materialistic and does not have that much sense. But my friend said some words which really stressed me too much to think. On one side I have a friend who feels and also tells me what all he didn't like in me; it's very rare to get such a friend (specially for me), as approx. 80% of society pampers you directly or indirectly. I am just scared that if I take my decision as per myself he will feel hurt, or indirectly I am going to spoil my relationship with him. I am in a state of perplexity as I have a choice between equally unfavorable options.

Although I know my friend is very dice and too much confused, and because of that he never abides by his words, which I definitely didn't like. But should I also do the same thing to him and others? Could I do things which I didn't like? Then what's the difference between him and me? I was just thinking about all this scrap for the last 4 hrs. But after putting the above 6 lines on paper I am clearer and out of my dilemma.

It really helps a person if you write it down on a neat and clean paper. Because thoughts frequently come into your mind and override the earlier thought. But if it's on paper, your analytical brain is able to tell you what's wrong and what's right. So I decided to abide by my words, without fearing about my friend and my relationship with him. Because if he is a friend of mine then he is able to understand me, and if it's not like that then he is not a friend of mine, he is just an opportunist, so why should I bother about him. And definitely it will give a lesson to him too, and he could be more aware in future about such things.

By the way, why did I publish it? Because I feel it's a very small and common thing (everyone faces such a situation once every month) but certainly it creates more stress for a person in his day-to-day life. Such a thing worked for me. But it took a lot of time to remove the instance and person name from the article. Hopefully you are also going to try such a solution. Don't forget to post your comment about my decision. I am looking forward to your help too. I have already decided, but yes, your feedback will be helpful for me in future.

Saturday, March 11, 2006

GPL and Open Source

Recently in one meeting there was a small discussion about Open Source Software. Most of the guys in the industry debate on that, for example that Open Source is cheap, useful and so on. But there are lots of hidden things in it.

The "classic" licenses, GPL, LGPL, BSD, and MIT, were the most commonly used for open-source software. But what are they? Why should we bother about it, since it's open source and free? Such questions usually come from 90% of the people working in the IT industry.

But boss, nothing is free in this world except your mother's love and affection. :)
After the BlackBerry/RIM case, most organizations started doing audits of their environments for use of open source software. Have you ever paid attention to the GPL published with most of the open source software?

I was able to dig down to a few of the important facts and questions which you should be concerned about. For your reference, enclosed are the last four lines of the GPL:
"This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License."

Microsoft calls attention to the implications of the GPL when an individual or organization creates derivative works using GPL-licensed code. Microsoft asserts that the GPL requires the release of both the derivative and original code. According to Microsoft, using GPL-licensed code as a basis for projects forces a company to make all derivative code available to the public, raising the risk that a firm could divulge trade secrets.

However, Microsoft's critique of the GPL ignores the GPL "nonrelease" provision, which states that private or internal use of GPL code in a derivative product does not require a company to release the resulting source code to the public. The GPL comes into play only when GPL code is incorporated into a derivative product that is made available or sold to the public. Any company planning to release software that incorporates GPL-licensed code into a single, unitary product must release the new code under the terms of the GPL.

Microsoft's critique raises the issues of proportionality and fairness; is it reasonable to require the release of a huge amount of new code when only a few lines of GPL-licensed code were incorporated into a new, derivative product? Richard Stallman, the Free Software Foundation's director, responds that companies cannot incorporate Microsoft Word source code into their publicly released products under any circumstances, including under the provisions of Microsoft's "shared source" venture.

The GPL provides an opportunity for developers to contribute to the growing body of freely available, GPL-licensed code, but they are not under any compulsion to do so. Developers that do not wish to contribute to the free software movement should simply refrain from incorporating GPL-licensed code in their products.

The above summary is not intended to serve as legal advice. If you're thinking about using GPL-licensed code in a publicly released derivative product, consult an attorney to ensure that your use of the code conforms to the terms of the GPL.

Friday, March 10, 2006

Result: Johari Window

Arena

(known to self and others)

bold, confident, extroverted, independent, knowledgeable

Blind Spot

(known only to others)

able, accepting, adaptable, brave, cheerful, clever, complex, dependable, dignified, energetic, friendly, giving, happy, helpful, idealistic, ingenious, intelligent, introverted, logical, loving, modest, nervous, observant, organised, patient, powerful, proud, quiet, reflective, relaxed, religious, responsive, searching, self-assertive, self-conscious, sensible, sentimental, silly, spontaneous, sympathetic, tense, trustworthy, warm, wise, witty

Façade

(known only to self)

Unknown

(known to nobody)

calm, caring, kind, mature, shy

All Percentages

able (15%) accepting (3%) adaptable (7%) bold (15%) brave (7%) calm (0%) caring (0%) cheerful (11%) clever (3%) complex (3%) confident (11%) dependable (15%) dignified (11%) energetic (3%) extroverted (11%) friendly (38%) giving (7%) happy (11%) helpful (11%) idealistic (7%) independent (11%) ingenious (3%) intelligent (38%) introverted (3%) kind (0%) knowledgeable (23%) logical (7%) loving (7%) mature (0%) modest (3%) nervous (15%) observant (15%) organised (11%) patient (3%) powerful (3%) proud (3%) quiet (15%) reflective (15%) relaxed (15%) religious (7%) responsive (3%) searching (7%) self-assertive (3%) self-conscious (11%) sensible (19%) sentimental (7%) shy (0%) silly (11%) spontaneous (7%) sympathetic (3%) tense (15%) trustworthy (11%) warm (7%) wise (7%) witty (15%)

Created by the Interactive Johari Window on 9.3.2006, using data from 26 respondents.
view Mukesh Kesharwani's full data.

Thursday, February 02, 2006

SSH RSA Based Authentication

My proof of concept for managing a remote management server repository, for automating the shutdown and startup of applications, is based upon SSH and RSA authentication to make remote command execution secure. There is no rocket science involved: what we do in our daily life with rsh, rcp and rlogin, I am trying to transform to ssh without any password requirement.

Brief about SSH:
Secure Shell (ssh) is a secure replacement for telnet, rlogin, rsh, and rcp. It uses encryption to keep information that you send over the network from being seen by others. It also uses public and private keys to validate that the host and client machines are who they say they are.

Brief about connection using RSA
SSH gives you the ability to generate your own public/private key pair and use that to authenticate your logins. While this has some advantages over .rhosts authentication, there are some drawbacks and disadvantages. First, your private key must either be locked with a passphrase that you have to enter any time you log in, or it must be stored in a very secure machine. A private key without a passphrase is like storing your password on disk for anyone to read; anyone possessing it can log in as you. Second, RSA authentication does not get you an AFS token when you log in, though it will carry along a token that you already have on your remote machine. (This is the same as the .rhosts method; only method 3, password authentication will get you a new token.) If you do generate an RSA key, either protect it with a passphrase, or store it on a local hard disk or a floppy disk that you carry with you. Never store a private key that isn't protected by a passphrase in an NFS-mountable directory. To create a Protocol 1 RSA key pair on UNIX, use the command,
ssh-keygen -t rsa
Each host has a private key and a public key. In this explanation, we will call the host you are connecting from the client machine, and the host you are connecting to the server machine. When you first connect to a server that ssh on your client does not know about, it will ask whether you want to accept the public key of that machine. It will store that key in a file in your home directory on your client named ~/.ssh/known_hosts. Every connection after that will check the public key of the server, and will give you loud warnings if it is ever different. This protects you from hacker attacks in which another machine impersonates the trusted server machine to which you are trying to connect.

Forwarding other services with ssh
(Not yet used in my POC, but hopefully it can be used creatively if required)
SSH can forward other TCP services over the encrypted connection. Examples of such services would be FTP, POP, IMAP, and X-Windows. This keeps the passwords that these services forward over the network from being visible to hackers who may be watching the network traffic. These services have no encryption of their own built in, and need the protection of an external protocol. This forwarding is often referred to as tunneling, because the TCP traffic is sent through an encrypted tunnel that shields it from view.
FTP Tunneling (Port Forwarding) using SSH

Using SSH (Secure Shell), you have the possibility to tunnel any protocol. A tunnel connects a port of the local machine to a port on a remote machine, via the SSH connection. Tunneling is often called Port Forwarding. Using this technique you may access an FTP server behind a firewall in the DMZ (Demilitarized Zone) or even in the HSZ (High Secure Zone). The following prerequisites must be established:
The firewall is open for the SSH Port 22
There is a SSH-Server behind the firewall
The FTP-Server in the DMZ or HSZ must be known by the SSH-Server
You can enable secure connections over the internet using any application protocol, like ftp, telnet, sqlnet, etc. It sounds quite complex, but it is simple. Let's look at an example. The setup is as follows: You have a client that is connected to the internet. The FTP server you want to access via ftp is in a corporate LAN (HSZ), behind a firewall. The firewall only allows the SSH protocol (port 22), and you have access to the SSH server.

This part of the communication is encrypted and appears as SSH communication on the network. The SSH server establishes a connection to port 21 on the FTP server (3). It decodes the SSH communication and forwards the ftp commands there (Port Forwarding). This part is not encrypted; it appears like normal ftp communication on the network. By physically connecting to port 2121 on your local machine using any ftp client, you are logically connected to port 21 on the remote machine, indirectly but completely transparently! One such example I already posted earlier. The POC is not yet done, so I am not able to produce the commands used.

Commands Used
In order to authenticate yourself with a key, you will, of course, need to have a key. Generate your key pair (private and public) using Create RSA Identity... Two files are generated: one with the filename you have specified, which contains your private key, and one with the same name and the extension .pub, which contains the public key.
ssh-keygen

ssh-agent: To enable RSA certificate authentication
ssh-add: To add the private key to authentication agent.
scp : To copy files
ssh -t : To establish an ssh session.

Sequence of commands used by me
$ ssh-keygen -b 2048 -t rsa      # generate the key pair (set a passphrase when prompted)
$ eval `ssh-agent -s`            # start the agent and export its environment variables
$ ssh-add                        # load the private key into the agent
$ chmod 0644 ~/.ssh/id_rsa.pub
$ scp -p ~/.ssh/id_rsa.pub max@server1.keekar.com:~/.ssh/authorized_keys   # note: replaces any existing authorized_keys on the server
$ ssh-agent -k                   # kill the agent when done



You can also disable PasswordAuthentication: in the OpenSSH configuration file (often /usr/local/etc/sshd_config), find the setting for PasswordAuthentication and change the value to no. This then permits only public key authentication and prevents "regular" passwords from working. We feel strongly that allowing people to guess passwords is a really bad idea, and by insisting on RSA keys, a whole raft of shenanigans can be avoided.
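As an added example (my own code, not part of the post), here is the server-side counterpart to the key installation sequence and the sshd_config change described above, written as shell functions that operate on a scratch directory; the key blob and config contents are constructed, and nothing touches a real server.

```shell
#!/bin/sh
# Server-side key installation and password-auth hardening as local helpers.
# All paths are parameters so the functions can be exercised offline.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Appends the key to HOME_DIR/.ssh/authorized_keys. Copying id_rsa.pub over
# the file with scp, as in the sequence above, discards keys already there;
# appending keeps them. Duplicates (same type and key blob) are skipped and
# the modes sshd's StrictModes check expects are set.
install_authorized_key() {
    home="$1"; pub="$2"
    ssh_dir="$home/.ssh"; auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    keyid=$(awk '{print $1, $2}' "$pub")        # type + blob; the comment may differ
    if awk '{print $1, $2}' "$auth" | grep -qxF "$keyid"; then
        return 0                                 # already installed
    fi
    # make sure the existing file ends in a newline before appending
    [ -s "$auth" ] && [ "$(tail -c 1 "$auth")" ] && echo >> "$auth"
    cat "$pub" >> "$auth"
}

# disable_password_auth SSHD_CONFIG
# Replaces every PasswordAuthentication line, commented or not, with a single
# explicit "PasswordAuthentication no", appending one if the file had none.
# Written to a temp file and copied back so the config keeps owner and mode.
disable_password_auth() {
    cfg="$1"; tmp=$(mktemp)
    awk 'tolower($0) ~ /^[# \t]*passwordauthentication[ \t]/ {
             if (!done) { print "PasswordAuthentication no"; done = 1 }
             next
         }
         { print }
         END { if (!done) print "PasswordAuthentication no" }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# password_auth_disabled SSHD_CONFIG: succeeds when the effective value is "no".
# sshd honours the first uncommented occurrence of a keyword (Match blocks,
# which can override it per user or host, are not considered here).
password_auth_disabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "$val" = "no" ]
}

# Stand-alone demo on constructed data in a scratch directory.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2E_constructed_key_blob max@client\n' > "$demo/id_rsa.pub"
install_authorized_key "$demo/home" "$demo/id_rsa.pub"
printf '#PasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$demo/sshd_config"
disable_password_auth "$demo/sshd_config"
password_auth_disabled "$demo/sshd_config" && echo "password authentication disabled"
rm -rf "$demo"
```

On a real host, verify the key login works from a second session before restarting sshd with password authentication off, so a mistake in the key install does not lock you out.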


Saturday, January 28, 2006

Avoid automatic virus sending from your email server or box

Presently there are various mail worms spreading. These worms are intelligent; sometimes they send mails to everyone in your contact list with any of the previous mail subject lines.

To avoid this, the following measures are very useful.

1) Create 2 mail IDs in the address book, one with the name:
!0000
(so that it will be the first contact; do not enter any email address for it)
and another with the ID: aaa@aaa.com
This creates confusion for any normal virus/worm in its very first try at sending mail!

The second mailbox is a very handy tool for any mail server administrator, because they can easily track whether their network has such a virus or not. If there are mails coming to this mailbox, it means viruses/worms are there.

Saturday, January 21, 2006


Sometimes
Wait, wait
Bye bye
Again, say cheese
Sometimes have some tea or coffee too
Look how tipsy you look
As small as you are yourself, you picked an equally small gift
What are you trying to hide with your thumb, man?
Come on, look at what this is
Who am I