
CONTENTS

Editorial 6
Events 8
Report 9

NEXT MONTH @ O3
Rapid Web Development: developing AJAX applications, a look at mod_security, PostgreSQL and much more...

SECURITY
AppOS Security 11
AppOS, a new upcoming Enterprise Linux distribution; get a first look at its advanced security features.

INTERNET
Google Honeypots 15
Abul Asim M. R. Qarshi looks at Google Hack Honeypots, and how Google can reveal problems with unsecure servers.

WEB TECH
Lighttpd Reviewed 18
Mathew Burford looks at Lighttpd 1.4.7, a lightweight web server with a focus on speed, compliance, security and more...

BUSINESS
Intro to Open Source 23
James Hollingshead provides a detailed introduction to Open Source, and tips for having a positive impact on the community.

NETWORKING
Multi Layer Switching 28
A look at LISA and multilayer switching frameworks for Linux.

VOIP (Voice over IP)
Open Source Telephony 32
The first part in a series on Open Source Telephony, starting with an introduction to Asterisk, the benefits and more...

Wifidog Captive Portal 36
The Linksys WRT54G captive portal.

Intrusion Detection 40
Introduction to Snort and IDS.

O3 Magazine / November 2005 Page 4

EDITORIAL
and so it begins...
RIGHT NOW YOUR COMPETITORS ARE PITCHING LINUX TO YOUR CUSTOMERS, WHY AREN'T YOU? BY JOHN BUSWELL

Thank you for taking the time to read through our first issue of O3 Magazine. O3 is an electronic publication dedicated to open source Enterprise Data Networking solutions. Each month O3 will look at all aspects of enterprise data networking, from network level solutions such as firewalls, routers and switching to server side applications such as FreeRadius, OpenLDAP and Apache. Our goal at O3 is to introduce Enterprise Data Networking technologies to small and medium sized businesses, discuss open source solutions for providing those technologies, and provide the technical information on how to deploy and maintain those solutions. O3 however is not just targeted at small and medium sized business: the solutions we discuss are already deployed in most large businesses, government agencies and educational institutions, though not necessarily as open source solutions. CIOs, CTOs, IT management and staff at larger entities will benefit from exposure to lower cost open source alternatives. I don't personally see the point of promoting open source solutions if you do not use them yourself, so O3 is designed, developed and published using open source technology exclusively. Every article in O3, including this editorial, is written in OpenOffice (www.openoffice.org) under Linux; those articles are then imported into Scribus (www.scribus.org.uk), while graphics artwork is created with the Gimp. Scribus is used to export the completed publication in PDF format.

Each month O3 provides a round up of open source events, as well as an upcoming event calendar. We have done our best to track down as many major events as possible, but if you have an event, whether it's a local LUG meeting or a full scale trade show, we would like to hear about it. O3 also provides an "Open Source Report", a short round up of interesting open source software that has been released over the past month. Each issue of O3 features Security, Internet, Web Tech, Business, Networking, VoIP, Network Applications and Network Security columns. This first issue of O3 is more of an introductory issue; starting next month (December) each issue will have a particular theme. For December it is rapid web application development. We have an exciting line up for 2006. In the first quarter we will be looking at Linux on the zSeries mainframe, including a first look at some new innovative Linux solutions for the zSeries, and taking a detailed look at networking technologies in Linux including OSPF, RIP and BGP, as well as at providing end to end QoS solutions with Linux. We will wrap up Q1 2006 with a detailed look at Open Source Telephony. Finally, I would like to take a moment to thank our advertisers who very graciously put their names on a brand new magazine. Enjoy the issue and feel free to send feedback.

O3 Magazine
November 2005 Issue 1

EDITOR IN CHIEF
John Buswell, editor@o3magazine.com

EXECUTIVE EDITOR
James Hollingshead, james@o3magazine.com

ARTWORK
John Buswell

PROOF READERS
Greg Jordan, Shawn Wilson, Frank Boyd, Stew Benedict

SALES AND MARKETING
Greg Jordan, sales@o3magazine.com

SUBSCRIPTIONS
O3 Magazine is distributed electronically free of charge by Spliced Networks LLC. To subscribe visit www.o3magazine.com.

SOFTWARE
Scribus 1.3.1, GIMP 2.0.5, OpenOffice 1.1.2

Copyright (C) 2002-2005 Spliced Networks LLC


EVENTS
NOVEMBER EVENTS

OPEN SOURCE DATABASE CONFERENCE
November 8 - 9 2005, Frankfurt, Germany
http://www.opendbcon.net

LINUXWORLD EXPO
November 9 - 10 2005 (Utrecht, Netherlands)
November 15 - 17 2005 (Frankfurt, Germany)
April 3 - 6 2006 (Boston, United States)
http://www.linuxworldexpo.com

SC|05 (SUPERCOMPUTING CONFERENCE)
November 12 - 18 2005, Seattle, Washington, USA
http://sc05.supercomputing.org

IP.4.IT
November 14 - 16 2005, Las Vegas, Nevada, USA
http://www.ip4it.com

GULEV
November 17 - 19 2005, Veracruz, Mexico
http://www.gulev.org.mx

FOSS.IN (INDIA'S PREMIER OPEN SOURCE EVENT)
November 29 - December 2nd, Bangalore Palace, Bangalore, India
http://www.foss.in

UPCOMING EVENTS (DECEMBER)

OPEN SOURCE DEVELOPERS CONFERENCE 2005
December 5 - 7 2005, Melbourne, Australia
http://www.osdc.com.au

APACHECON 2005
December 10 - 14 2005, San Diego, California, USA
http://www.apachecon.com

INTEROP
December 12 - 16, New York, USA
http://www.interop.com

HAVE AN UPCOMING EVENT? TELL US ABOUT IT, SEND EMAIL TO EVENTS@O3MAGAZINE.COM WITH DETAILS.

FEATURED PAST EVENT: OHIO LINUXFEST 2005
October 1st 2005, Columbus, Ohio, USA
http://www.ohiolinux.org

Ohio LinuxFest is a community focused free event that is run by volunteers and funded by sponsors. This year the key sponsors of the event were Novell and Digium; additional sponsors included IBM, Spliced Networks, RocketCalc, Sybase, Pantek, ImageStream and many others. The event overall was great for both the visitors and the sponsors. Every sponsor we spoke with indicated they were happy with the event and would return again next year. Over 700 visitors attended the third annual event, which ran all day and into the evening. The quality of the speakers was good, with keynotes from Chris Hicks of IBM and Novell's Jerry Mayfield. Some of the slides are available from the event's website.


REPORT
NOVEMBER OPEN SOURCE REPORT

Welcome to the Open Source Report. This is the section of O3 where we give a brief run-down of the major applications which made releases during the month.

LINUX KERNEL http://www.kernel.org/ Release: 2.6.14
The latest release of the Linux kernel has many new features including HostAP support to act as a wireless access point, a Linux port of the Plan 9 9P protocol, FUSE (which allows fully functional file systems in a userspace program), lock-free file descriptor lookup, and several new drivers.

APACHE http://www.apache.org/ Release: 2.0.55
The latest release of Apache includes several security fixes, corrects a few instances of possible memory leaks and bad program behavior, and adds extra logging capabilities.

MANDRIVA http://www.mandrivalinux.com/ Release: Mandriva 2006
The 2006 release of Mandriva includes a desktop search tool (Kat) which allows searching for both file names and file content, an interactive firewall, official support for Intel Centrino mobile technology, integration of Skype, and an auto-installation server.

SNORT http://www.snort.org/ Release: 2.4.3
The 2.4.3 release of Snort fixes a buffer overflow vulnerability which existed in the Back Orifice preprocessor.

ASTERISK http://www.asterisk.org/ Release: 1.2
The 1.2 release of Asterisk includes improved voicemail features, easier configuration, improved SIP support, new features for the IAX protocol, use of sound files for native music-on-hold, and improvements to the dialplan.

PROFTPD http://www.proftpd.org/ Release: 1.3.0
A "timing attack" protection module has been released to help solve the timing leak described by Leon Juranic.

LIGHTTPD http://www.lighttpd.net/ Release: 1.4.7
Lighttpd is covered by Mathew Burford on page 18 of this issue.

SCAPY http://www.secdev.org/projects/scapy/ Release: 1.0.2
Scapy is a powerful interactive packet manipulation program capable of forging or decoding packets from a wide range of protocols. Scapy is an excellent tool for testing and reproducing complex network and network device problems.

NATSTAT http://svearike.sytes.net/natstat/ Release: 0.0.11
Network monitoring tool providing real time information based on the iptables configuration.


SECURITY
Behind AppOS Security
DISCOVER THE MULTI-TIER SECURITY APPROACH BEHIND THIS UPCOMING LINUX DISTRIBUTION FOCUSED ON RESHAPING THE DATACENTER BY JOHN BUSWELL

AppOS is a highly secure Linux based appliance framework that is designed to limit the damage that can occur in the event that a service or appliance is compromised by a third party due to an un-patched or a previously unknown vulnerability. In most enterprise environments, some of the network security techniques employed by AppOS are already in production, so migrating to or adding AppOS into the data center is often a trivial task. For smaller businesses there may be some network changes required in order to conform to the AppOS framework, particularly those related to out of band management and network storage.

OUT OF BAND MANAGEMENT

AppOS utilizes out of band management and storage networks to provide an extra layer of security. Out of band means that the management and storage networks are not on the same network as regular application traffic (such as HTTP "web" traffic). AppOS supports out of band management in several forms including physically separate Ethernet segments, VPN based management and the use of 802.1q VLANs. Physically separate Ethernet segments are the preferred method of out of band management. In the event an Internet facing interface is DoS (Denial of Service) attacked, there may not be sufficient bandwidth to reliably manage the device remotely. Here a separate physical Ethernet interface on its own private segment will remain fully accessible unless the server itself has crashed. A separate physical interface also enables an administrator to disable the Internet facing interface without losing connectivity to the system. Management traffic can include traffic such as syslog, SNMP, SSH, HTTPS, and even DNS. Aside from limiting access to this information for security purposes, out of band management enables syslog and SNMP trap traffic to continue to work reliably even if the Internet facing Ethernet ports are congested.

Another advantage of out of band management is that it frees up traffic on production networks, especially if you offload DNS traffic to the management network to be handled by secure, trusted caching name servers. It is for this reason that out of band management can assist in improving the scalability of even small networks. An important part of the AppOS network security framework is to place user data in out of band storage networks. Storage networks can be as simple as a gigabit switched Ethernet segment running a network file server using NFS or GFS between the file servers and the application servers on the network. Placing user data on an out of band network has many advantages, including reducing the load on your production "Internet facing" network, thus improving scalability, and enabling finer access control over the user data. In a web hosting environment, for example, a small number of restricted access servers may have write access to user data, making it possible for security policies to limit access to that infrastructure, while allowing a large number of publicly accessible web servers to serve data with only read-only access. In the event of a zero-day security vulnerability existing in your web server software, the publicly accessible web servers only have read-only access to the data, preventing potential malicious users from uploading code to execute on the server. Advanced access control lists, mount options and other measures can be used to prevent execution of unapproved executables on the publicly accessible web servers.
While this approach offers an extra degree of security, it can cause problems with legitimate web applications that need the capability to write to user data. Typically, user data is written via database transactions, such as information for eCommerce transactions, creating accounts or often even uploading files. The AppOS approach to this problem is to take database transactions out of band and to pass file uploads through an out of band inspection system before making the files accessible. While the approach can cause problems for existing web applications where security may not have been taken into account, the effort involved to migrate such applications often amounts to just putting a good security and best practices policy into place.
QOS

The final piece of the network security framework in AppOS is to rate-limit application traffic, employ Quality of Service (QoS) and packet queuing techniques, and provide high availability solutions through industry standard protocols such as VRRP (Virtual Router Redundancy Protocol). These techniques aid in protecting the network against a variety of network based attacks while providing high availability.

LINUX IMAGE MANAGEMENT / BOOT SYSTEM (LIMBS)

AppOS provides a highly secure Linux based operating system that utilizes the Linux Image Management/Boot System (LIMBS). LIMBS essentially runs a Linux based OS from a single image file mounted via loopback on a ramdisk. The security comes from the type of file system used in the image file: using something such as ext3 is only going to provide you with the same degree of security as a normal Linux system, but using an "unwritable" file system such as SquashFS means that in order to "write" to the file system, the entire image file has to be regenerated and replaced. AppOS works by placing the right files on the SquashFS file system and the right files on the ramdisk to ensure proper operation of the Linux system. LIMBS, currently at release 1.1.9, is available under the GPL. LIMBS performs some error detection and essentially sets up the system for booting by loading the appropriate OS image. The framework that AppOS and LIMBS provide has great potential for booting different kernels (Linux, BSD, OpenSolaris) while retaining the same application images. LIMBS hands over control to init, which in an AppOS based system will hand over control to ExMS, the management system.

APPLICATION IMAGES

AppOS places a specific application such as a DNS server into a separate application specific image called an ASI. The ASI is used to generate separate file system images, one for configuration files and one for executables. These two files, along with user data, are mounted into three directories within a chroot environment, while the files themselves exist outside of the chroot environment. The end result is that if your DNS server has a vulnerability, even if it is exploited and the attacker gains root access within the chroot, they cannot "break out" of the chroot due to Grsecurity. They cannot modify the configuration because it sits on an unwritable SquashFS file system, and for the same reason they cannot overwrite or replace the executables: the Linux kernel has no means of writing to the file system, and the attacker does not have access to the image files or the tools to regenerate them. If the user data is secured through a read-only network storage framework as discussed earlier in this article, then the attacker cannot do anything; they cannot even disrupt the service.
GRSECURITY, PAX, STACK SMASH PROTECTION AND PIE

AppOS is Glibc based, and utilizes Grsecurity, PaX, Position Independent Executables (PIE), enhanced random number generators, privilege separation for daemons, Stack Smashing Protector, non-lazy binding and relocation read-only linking. The latter two are now standard in binutils. Grsecurity is an innovative open source project licensed under the GNU Public License (GPL). It takes a multi-layer detection, prevention and containment approach to security. Grsecurity provides chroot hardening, a robust Role-Based Access Control system, prevention of exploits related to address space bugs (through PaX), enhanced randomness in the Linux TCP/IP stack, restricted access to process lists, advanced auditing and many other features. Stack Smashing Protector is an extension to the GNU Compiler Collection (GCC) for protecting applications from stack-smashing attacks. The protection is provided by buffer overflow detection and a variable reordering feature to avoid corruption of pointers. The protection is applied when AppOS is built (at compile time). Binary executables contain memory locations called virtual addresses; these addresses are often useful for debugging, as the same functions are located at the same memory location on any system running the same binary. Unfortunately, what makes for easier debugging also enables an attacker to load up the same executable locally to determine memory locations on a remote target system. So if you're running Apache from Red Hat 9, and an attacker determines this by querying your web server with a standard HEAD / HTTP/1.1 request and inspecting the Server token, they can simply download the same Red Hat 9 Apache binaries and determine what memory locations are being used by your server, because it is running the same executable. Position Independent Executables essentially make each system different, randomizing those memory locations and making it much more difficult for an attacker to determine the address.
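The hardening properties this section lists can be verified on a built binary rather than taken on trust. The following Python script is an added example, not code from AppOS or LIMBS: it reads the ELF64 header and program headers to report whether a binary is position independent (ET_DYN), carries a PT_GNU_RELRO segment, and has a non-executable stack; the sample images it checks are constructed inside the script, and non-lazy binding (a dynamic-section flag) is not examined.

```python
"""Audit an ELF64 binary for the load-time hardening this article lists:
PIE (ET_DYN object type), RELRO (a PT_GNU_RELRO segment) and a
non-executable stack (PT_GNU_STACK without the PF_X flag).
Non-lazy binding (BIND_NOW) lives in the dynamic section and is not checked."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3            # fixed-address executable vs. PIE
PT_GNU_STACK = 0x6474E551         # stack permissions program header
PT_GNU_RELRO = 0x6474E552         # region made read-only after relocation
PF_X = 0x1                        # segment is executable
PHDR64_SIZE = 56                  # size of one ELF64 program header


def audit_elf(data):
    """Return {'pie', 'relro', 'nx_stack'} for the ELF64 image in `data`,
    or None if `data` is not an ELF64 file. nx_stack is None when the
    binary carries no PT_GNU_STACK header, in which case the loader
    applies its own default instead of the binary's request."""
    if len(data) < 64 or data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        return None
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = LSB, 2 = MSB
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(
        end + "HHIQQQIHHH", data, 16)
    findings = {"pie": e_type == ET_DYN, "relro": False, "nx_stack": None}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR64_SIZE > len(data):
            break                              # truncated program header table
        p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_RELRO:
            findings["relro"] = True
        elif p_type == PT_GNU_STACK:
            findings["nx_stack"] = not (p_flags & PF_X)
    return findings


def build_sample(e_type, phdrs):
    """Constructed minimal little-endian x86-64 ELF image used only to exercise
    audit_elf(); `phdrs` is a list of (p_type, p_flags) pairs. Not loadable."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 0x3E, 1, 0x401000,    # type, machine (x86-64), version, entry
        64, 0, 0,                     # phoff (right after the header), shoff, flags
        64, PHDR64_SIZE, len(phdrs),  # ehsize, phentsize, phnum
        64, 0, 0)                     # shentsize, shnum, shstrndx
    table = b"".join(struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)
                     for p_type, p_flags in phdrs)
    return header + table


# Constructed samples: one built the way the article describes (PIE, RELRO,
# non-executable stack) and a legacy one (fixed addresses, executable stack).
HARDENED = build_sample(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
LEGACY = build_sample(ET_EXEC, [(PT_GNU_STACK, 0x7)])


def describe(findings):
    """Human-readable summary of an audit_elf() result."""
    if findings is None:
        return "not an ELF64 file"
    nx = {True: "yes", False: "NO (executable stack)", None: "unspecified"}
    return "PIE: %s  RELRO: %s  NX stack: %s" % (
        "yes" if findings["pie"] else "NO (fixed addresses)",
        "yes" if findings["relro"] else "NO",
        nx[findings["nx_stack"]])


if __name__ == "__main__":
    # With paths on the command line, audit real files; otherwise the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, describe(audit_elf(fh.read())))
    else:
        print("hardened sample:", describe(audit_elf(HARDENED)))
        print("legacy sample:  ", describe(audit_elf(LEGACY)))
```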
CONCLUSION

AppOS provides state of the art network and system security through a multi-layered approach. By taking simple steps such as implementing management and network storage out of band, together with strong network security policies and best practices, it is possible to tighten control over your network while retaining functionality and improving scalability. AppOS utilizes state of the art open source security solutions such as Grsecurity/PaX, Stack Smashing Protector, Position Independent Executables, enhanced randomization and file system access control lists. AppOS takes these technologies a step further by implementing applications in a secure chroot environment within a system of unwritable loopback based file systems, creating a safety net in the event a technique is developed to circumvent these great open source technologies designed to protect vulnerable software. The bottom line is that AppOS provides the best available zero-day protection against applications which contain undiscovered vulnerabilities and exploits.

APPOS AVAILABILITY

The current release of AppOS is 1.0.0, which ships on AppOS based SN series appliances. AppOS 2.0.0 is scheduled for release on Jan 3rd 2006. A public beta of AppOS 2.0.0 shall be available from Spliced Networks LLC from November 28th 2005.

FURTHER READING

grsecurity http://www.grsecurity.net
PaX http://pax.grsecurity.net
Stack Smashing Protector http://www.trl.ibm.com/projects/security/ssp/
Frandom http://frandom.sourceforge.net
SquashFS http://squashfs.sourceforge.net
Disk/Swap Encryption http://www.sdc.org/~leila/usb-dongle/readme.html

John Buswell is co-founder and Chief Technology Officer of Spliced Networks LLC. He can be reached by email (johnb@splicednetworks.com). Special thanks to Shawn Wilson (Time Warner Cable/Road Runner Business Cincinnati), Stew Benedict (Mandriva), Frank Boyd (Spliced Networks), Raja Hammad (Spliced Networks) and Mat Burford (Spliced Networks) for providing technical review of this article.


INTERNET
Opening the Jar on Google Honeypots
GOOGLE PROVIDES A POWERFUL SEARCH ENGINE, HOWEVER AN UNINTENDED USE HAS BEEN THE ABILITY FOR MALICIOUS USERS TO SEARCH FOR VULNERABLE SERVERS BY ABUL ASIM M.R. QARSHI

The Internet's horizons have increased massively over the last 10 years. Now there are billions of web pages containing content related to nearly every aspect of personal and business information. With this growth in the Internet, a problem arose: finding the page with the information you are actually looking for. This is where search engines come into play, allowing Internet users to find the page that they want. However, Alltheweb, AltaVista, Yahoo, MSN, etc. were all giving limited search functionality, and none of them took it as a challenge and business opportunity until Google came along. Every search engine vendor wants to become more effective and efficient, and to find accurate results in the least time possible. Most search engines index the pages to search and rank them to maintain accuracy. To do this, most search engines' bots or crawlers start traversing the web by using links that appear on the pages. Information collected by the search engine is mostly comprised of the name, file type, URL, etc. These search engines also index dynamic pages based on PHP, SHTML, etc., for example http://www.domain.com/?id=myd

FILE SEARCH

Most search engines provide the functionality to search files on the Internet. That means the search bot indexes the different types of "readable" files. Most search engine vendors claim that this will increase the performance of their system. For example, Google claims the benefit of searching non-HTML files is "a wider view of the contents available on the World Wide Web". While search engines index non-HTML file types such as PDF, doc, txt etc., they also index other file types, so be aware that your pwd, htaccess, or any other very critical file that could make your system vulnerable could also be found via Google. According to Matt Kesner, chief technology officer at Mountain View, Calif.-based law firm Fenwick & West LLP, "The ability of search engines to discover a lot of information that was not necessarily hidden but was a lot less available previously is scary."

SEARCHING POWER

Search engine vendors, specifically Google, have given us keywords such as "info", "link", and "related" to include in the search query, which narrow the search and give us more accurate results. The complete list of keywords can be found at
http://www.googleguide.com/advanced_operators.html

Now we will analyze some well crafted queries to find appropriate results. First of all we are going to search for people's CVs. Place the following query in the Google search box, and look at the result:

(filetype:pdf OR filetype:doc OR filetype:rtf) (intitle:resume OR inurl:resume OR "my resume") (-apply OR -submit OR benefits OR -recruiter OR -Openings)


I NTERNET
Next ,l et 's t ry t o brow s e t o a part icul ar UR Lt h atw e k now is pas s w ord prot e ct e d. Th e s e rv e r im m e diat el y prom pt s you f or a us e rnam e and pas s w ord, but de pe nding on t h e UR L , you m igh tbe abl et o pl ug it int o Googl e, sel e ctt h e Cach e l ink and re ad t he pas s w ord prot e ct e d page . A good exam pl e is s e arch ing f or cont e ntw it h inurl :w e bst at s or inurl :acce s s w at ch , or t h e de faul turl of any ot h er popul ar w e b st at s program . M any of t h e s e are prot e ct e d by .h t acce s s fil e s butpl ugging t h e m int o Googl e rev e al st h e page w h e n f ol l ow ing t h e cach e opt ion. Googl e is abl et o do t h is be caus e t he adm inist rat ors of t h e s e s e rv e rs unw it t ingl y h av et he s e rv e rs m is configure d, butw it h Googl e , a cl ev er m al icious us e r now h as acce s s t o inf orm at ion t h att he adm inist rat or be l iev e s is h idde n.
V UL NER ABL E SYSTEM DETECTIO N SEAR CH ING PASSW O R DS

If you h av e any re adabl e fil es t h atcont ain pas s w ords upl oade d on t h e s e rv e r, t h e n it ’s t im e f or s om e bad new s : h ack e rs can us e q ue rie s on s e arch e ngine s t o find pas s w ords . For exam pl e, inurl :pas s l ist .t xtcan be us e d f or t h is purpos e .
PR EV ENTIO N

T o ge tint o any s yst e m , a m al icious us e r ne e ds t o k now inf orm at ion aboutt h ats yst e m , and s e arch e ngine s prov ide an e as y t ool t o h el pt h e m de t e ct v ul ne rabil it ie s t o expl oit . For exam pl e , Apach e can be configure d t o h ide v e rs ion inf orm at ion us ing t he Se rv e rT ok e ns dire ct iv e , butif an adm inist rat or h as n't re m ov ed t h e m anual s inst al l e d in t he ht docs dire ct ory, a q uick s e arch can rev e al t h e re l e as e v e rs ion t h e adm inist rat or is us ing. Th e s am e s e arch coul d be us e d t ol ocat e unconfigure d de faul t inst al l at ions of Apach e on t h e Int e rne t : inurl :"/ m anual / " + Apach e 1.3 Th e s e t ype s of q ue rie s are e as y t o s e arch f or de faul t fil e s , m ak ing ite as y f or m al icious us e rs t o de t e ct s yst e m s w h e re t h e adm inist rat or m ay h av el e ftfil es t h ey'v e as s um e d are h idde n from t h e publ ic. If an adm inist rat or h as l e ftt h e de faul tfil e s , itm igh tbe an indicat ion t h ey are inexpe rie nce d and t h us an e as ie r t arge t . Th e abov e q ue ry can e as il y be com e m ore s pe cific by us ing s it e : ope rat or w h ich w il l re st rictit t o any s pe cific dom ain. Sim il arl y a m al icious us e r can al s o find de faul t inst al l at ions of part icul ar appl icat ions s uch as W e bM ail by s im pl y craft ing t h e q ue ry w it h int it l e :"W e l com e t o M ail t raq W e b M ail " (M ail t raq is a W e b bas e d Em ail Cl ie nt ). Such q ue rie s can oft en find t e sts yst e m s on l iv e ne t w ork s t h atadm inist rat ors are us ing t ot e stoutnew and uns e cure d appl icat ions .

T o prev e nts e arch e ngine bas e d at t ack s , a w e b s it e adm inist rat or can indicat e w h ich part s of t h e s it e s h oul d notbe v is it e d by a robotby prov iding a s pe cial l yf orm at t e d fil e on t h e ir s it e in robot s .t xt . In addit ion, a w e b aut h or can indicat e if a page m ay or m ay notbe indexe d or anal yze d f or l ink s t h rough t he us e of a s pe cial H TM LM ETA t ag. For exam pl e, a <M ETA NAM E="Googl e bot " CO NTENT="nof ol l ow "> t ag in t h e h e ade r can st op Googl e botfrom indexing t h e page s . T o Prev e ntGoogl e botfrom f ol l ow ing any part icul ar l ink on t h e page t h atm igh tl ink t o your crit ical page or any s e cre tw e b s e rv e r you can add re l =”nof ol l ow ” in t h e h ype rl ink . <a h re f=h t t p:/ / w w w .exam pl e .com / re l ="nof ol l ow "> I can'tv ouch f or t h is l ink </ a> . Not et h att h ese m et h ods re l y on coope rat ion from t h e robot , and are by no m e ans guarant eed t o w ork f or ev e ry robot . If you ne e d st ronge r prot e ct ion from robot s and ot h e r age nt s , you s h oul d us e al t e rnat iv e m et h ods s uch as pas s w ord prot e ct ion.
GOOGLE HACK HONEYPOTS

The methods discussed so far in this article are called Google Hacks. The "Google Hack" Honeypot project (http://ghh.sourceforge.net) provides a means to observe search engine hackers using Google against your resources by emulating a vulnerable web application and allowing itself to be indexed by search engines. The transparent link method used reduces false positives and avoids malicious users detecting the honeypot. The honeypot then logs information about the attempted attacks, the source IP, referral information and user agent to a file. Using this information, the administrator can detect and monitor attackers performing reconnaissance against their resources and get a detailed view of specific attackers.

ABUL ASIM M.R. QARSHI IS A NETWORK SECURITY SPECIALIST FOR SPLICED NETWORKS LLC BASED OUT OF PAKISTAN.
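The same signals the honeypot records (source IP, referrer, user agent) are already present in an ordinary web server access log, so search-engine reconnaissance can also be spotted there. The following is an added example, not code from the Google Hack Honeypot project: it parses combined-format log lines, flags requests whose search-engine referrer carried an operator such as inurl: or intitle:, and flags hits on default-install paths like /manual/. The log lines, the search host list and the default-path list are constructed assumptions.

```python
"""Detect search-engine-driven reconnaissance in web server access logs.

Added example for this article; not code from the Google Hack Honeypot.
Two signals from the article are checked: requests arriving from a search
results page whose query used "dork" operators, and requests for
default-install paths that should not be public.  The sample log lines
are constructed (combined log format); host and path lists are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Search operators that mark a query as a targeted "Google hack".
DORK_OPERATORS = ("inurl:", "intitle:", "filetype:", "site:", "intext:")

# Referer hosts treated as search results pages (assumed list).
SEARCH_HOSTS = ("google.", "bing.", "yahoo.", "search.")

# Default-install paths: the article's /manual/ plus obvious siblings (assumed).
DEFAULT_PATHS = ("/manual/", "/icons/", "/server-status")


def parse_line(line):
    """Return a dict of fields for one combined-format log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def search_query(referer):
    """Return the search query if the referer is a search results page, else None."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    if not any(tag in parts.netloc.lower() for tag in SEARCH_HOSTS):
        return None
    qs = parse_qs(parts.query)          # Google uses q=, others p= or query=
    for key in ("q", "p", "query"):
        if key in qs:
            return qs[key][0]
    return None


def classify(entry):
    """Return the list of reasons why this request looks like reconnaissance."""
    reasons = []
    q = search_query(entry["referer"])
    if q and any(op in q.lower() for op in DORK_OPERATORS):
        reasons.append("dork-referer")
    if entry["path"].startswith(DEFAULT_PATHS):
        reasons.append("default-path")
    return reasons


def scan(lines):
    """Return (hits, per_ip): hits are (ip, path, reasons, query) tuples."""
    hits = []
    per_ip = Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        reasons = classify(e)
        if reasons:
            hits.append((e["ip"], e["path"], reasons, search_query(e["referer"])))
            per_ip[e["ip"]] += 1
    return hits, per_ip


# Constructed sample log: one ordinary visitor, one dork-driven visitor, one scanner.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Aug/2005:20:47:04 +0000] "GET /index.html HTTP/1.1" 200 1532 '
    '"http://www.google.com/search?q=o3+magazine" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Aug/2005:20:48:10 +0000] "GET /manual/index.html HTTP/1.0" 200 4210 '
    '"http://www.google.com/search?q=inurl%3A%22%2Fmanual%2F%22+Apache+1.3" "Mozilla/4.0"',
    '203.0.113.9 - - [11/Aug/2005:20:48:12 +0000] "GET /webmail/ HTTP/1.0" 404 345 '
    '"http://www.google.com/search?q=intitle%3A%22Welcome+to+Mailtraq+WebMail%22" "Mozilla/4.0"',
    '192.0.2.44 - - [11/Aug/2005:20:49:00 +0000] "GET /manual/mod/ HTTP/1.1" 200 8800 "-" "curl/7.13"',
]

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for ip, path, reasons, query in hits:
        print(f"{ip:15} {path:22} {','.join(reasons):26} q={query!r}")
    print("requests per suspicious source:", dict(per_ip))
```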


W EB TECH
Lighttpd 1.4.7 Review
LIGHTTPD IS A LIGHTWEIGHT WEB SERVER WITH A FOCUS ON PERFORMANCE, SECURITY AND FLEXIBILITY, WORTHY OF CONSIDERATION IN THE DATACENTER. BY MATHEW J. BURFORD

If your web server's performance is suffering due to high load, then your solution may be here. There is interest brewing in Lighttpd, a relatively new web server developed by Jan Kneschke et al. In addition to claims of a low memory footprint, its main website www.lighttpd.net boasts that Lighttpd has security, speed, compliance, flexibility and an advanced feature set. Lighttpd is a "high load performance optimized" web server that is intended to be used for web servers which must serve lots of small files rapidly and php servers which are placed under high load. Despite this, Lighttpd seems to be useful in many other areas, such as embedded systems which have limited resources. This article will look into Lighttpd's claims and features and discuss them.

I installed Lighttpd on a 1.7GHz Pentium 4 with 775636 Kbytes DDR SDRAM running Gentoo Linux (kernel version 2.6.11). For testing purposes, Siege (described below) was installed on a 15" Powerbook (1.5GHz PowerPC G4 with 512 Mbytes DDR SDRAM) running Mac OS X, version 10.4.2. Both machines were connected to a Netgear 54Mbps wireless router (WGR614 v4).
BASIC TESTING

At first glance of Lighttpd, the source download file of version 1.3.16 consisted of 690 kbytes, very light indeed. Compilation and installation used the typical 'configure / make / make install' system. I was pleased to find there was minimal complexity getting the web server up. The usual example configuration file is shipped with Lighttpd, which follows the "include only if you need" philosophy. Hence it was very small, well commented and easy to follow. Surprisingly, in 10 minutes Lighttpd was up and running and serving static files with a basic configuration. The installation directory was 2688kb in size. This included various unused modules and random docs. The Lighttpd executable file size is 925 Kbytes. When running, the memory usage for Lighttpd was 418 Kbytes. Overall, it appears to be quite a compact program. For Gentoo users, the install can be simplified to 'emerge www-servers/lighttpd'. You might have to set an unstable flag to download the latest version. This automates the installation, but also sets up a lighttpd account for the server to run within and various other things to get it working fast.

I was eager to test the base install of Lighttpd. I downloaded the latest version (2.63) of Siege, an http web server benchmarking tool (freshmeat.net/projects/siege/), from freshmeat and installed it. I had to be careful with siege, as it seemed to use a lot of resources. On my Mac OS X Powerbook, I used Siege to simulate 15 users, and I recommend you do this for yourself through your own network so that you can compare it with your current web server's performance. Choose a document to serve which will use the features that your web server typically serves. After testing with 1000+ concurrent simulated users, I was flooded with errors which indicated that I had run out of file descriptors, and as a result requests to the server were being denied. The Lighttpd website documentation (www.lighttpd.net/documentation/performance.html) has a fix for this if you find you are having trouble here. The solution involves lowering the defaults of HTTP Keep-Alive so that file descriptors aren't held on to as long. Otherwise you can simply increase the file descriptors with a quick:

% echo 76680 > /proc/sys/fs/file-max
PERFORMANCE ENHANCEMENTS

While the Lighttpd website provides a good amount of documentation, in my opinion the documentation is still underdeveloped and much of what is there needs revision. This is most likely due to the project still being in its early stages, so this will certainly improve.


One interesting section is performance (www.lighttpd.net/documentation/performance.html), which states that Lighttpd can be configured so that it uses the native 'event handler' provided by the operating system. For Linux kernel 2.6.* this should be 'epoll' and would require a line like this to be added to the Lighttpd config file:

server.event-handler = "linux-sysepoll"

The advantage of using 'epoll' over the default 'select' is that select is limited to FD_SETSIZE handles. This limit is hard coded and not easily changed; using 'epoll', however, overcomes the problem. I would recommend you set this, especially if your server tends to serve a large number of clients. For more information on this topic see www.kegel.com/c10k.html.
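The FD_SETSIZE limit just described can be observed directly. The following added example (not lighttpd code) duplicates a pipe descriptor onto a number above FD_SETSIZE and asks Python's select() and epoll wrappers to watch it. It assumes Linux, the glibc value FD_SETSIZE = 1024, and enough RLIMIT_NOFILE headroom to create the high descriptor; when those are missing it reports "skipped" rather than failing.

```python
"""Show the select() limit the review describes: a descriptor numbered at or
above FD_SETSIZE (1024 with glibc) cannot be watched with select(), while
epoll registers it without complaint.

Added example for this review, not code from lighttpd.  Needs Linux (for
epoll) and RLIMIT_NOFILE headroom; otherwise demo() returns 'skipped'.
FD_SETSIZE is not exported by Python, so 1024 is an assumed glibc default.
"""
import os
import resource
import select

FD_SETSIZE = 1024  # glibc default; hard-coded in the C library, as the review notes


def raise_fd_limit(wanted):
    """Try to raise the soft RLIMIT_NOFILE to at least `wanted`; return the soft limit."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft >= wanted:
        return soft
    if hard != resource.RLIM_INFINITY and hard < wanted:
        return soft                      # hard cap too low; caller will skip
    try:
        resource.setrlimit(resource.RLIMIT_NOFILE, (wanted, hard))
    except (ValueError, OSError):
        return soft
    return resource.getrlimit(resource.RLIMIT_NOFILE)[0]


def select_accepts(fd):
    """True if select() will watch this descriptor, False if it rejects it outright."""
    try:
        select.select([fd], [], [], 0)
        return True
    except ValueError:
        # CPython raises "filedescriptor out of range in select()" for fd >= FD_SETSIZE
        return False


def epoll_accepts(fd):
    """True if an epoll instance registers this descriptor."""
    ep = select.epoll()
    try:
        ep.register(fd, select.EPOLLIN)
        return True
    except OSError:
        return False
    finally:
        ep.close()


def demo(high_fd=FD_SETSIZE + 100):
    """Duplicate a pipe end onto `high_fd` and probe both event handlers.

    Returns a dict with status 'demonstrated' (plus probe results) or 'skipped'.
    """
    if not hasattr(select, "epoll"):
        return {"status": "skipped", "reason": "no epoll on this platform"}
    if raise_fd_limit(high_fd + 1) <= high_fd:
        return {"status": "skipped", "reason": "RLIMIT_NOFILE too low"}
    r, w = os.pipe()
    try:
        try:
            os.dup2(r, high_fd)          # same pipe, now also visible as a high fd
        except OSError as exc:
            return {"status": "skipped", "reason": f"dup2 failed: {exc}"}
        return {
            "status": "demonstrated",
            "fd": high_fd,
            "select": select_accepts(high_fd),    # expected False: beyond FD_SETSIZE
            "epoll": epoll_accepts(high_fd),      # expected True: epoll has no such cap
            "low_fd_select": select_accepts(r),   # the low-numbered end still works
        }
    finally:
        os.close(r)
        os.close(w)
        try:
            os.close(high_fd)
        except OSError:
            pass


if __name__ == "__main__":
    print(demo())
```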
EVENT HANDLER TESTING RESULTS

These tests are not ideal, but show a general analysis of the server when the 'epoll' system is used. They do not effectively test the features of 'epoll'. Below are the results when simulating 15 users abnormally flooding the server with requests. Note: 3 tests were run, with the first test considered a server 'warm-up', so it is not listed. This command was used to start siege:

% ./siege www.myserver.net -b -t 1M > /dev/null

This instructs siege to connect to www.myserver.net and ready 15 users. The -b option enables benchmarking of throughput and -t 1M instructs the simulation to run for 1 minute. The last section (> /dev/null) forwards unnecessary output (which slows the test) to /dev/null. During all the tests below I monitored the CPU usage using the 'top' utility. CPU usage averaged about 35% and varied about 10%.

                                        Test 2      Test 3      Test 2      Test 3
                                        'select'    'select'    'epoll'     'epoll'
Transactions (hits)                     71210       77950       73074       73399
Availability (%)                        100.00      100.00      100.00      100.00
Elapsed Time (seconds)                  60.36       59.91       59.67       60.44
Data Transferred (MB)                   176.16      192.84      180.77      181.58
Response Time (seconds)                 0.00        0.01        0.01        0.01
Transaction Rate (transactions/second)  1179.75     1301.12     1224.62     1214.41
Throughput (MB/sec)                     2.92        3.22        3.03        3.00
Concurrency                             5.83        12.84       7.47        7.05
Successful transactions                 71210       77950       73074       73399
Failed transactions                     0           0           0           0
Longest transaction (seconds)           0.51        0.52        0.51        0.51
Shortest transaction (seconds)          0.00        0.00        0.00        0.00
Lighttpd version tested                 1.4.7       1.4.7       1.4.7       1.4.7

The test results above suggest that there is little performance difference in using epoll over select, so why use it? Well, as I mentioned before, epoll overcomes certain restrictions of select. Interestingly, the results of 'epoll' deviated much less than those of 'select', which suggests more reliability.


SECURITY SUPPORT

The aim here is to prevent Lighttpd being used as a point of attack against the system. One method which limits the damage an intruder can perform is to run the Lighttpd daemon in a chroot jail. Chrooting will limit Lighttpd to a sub directory of the file system, which Lighttpd will see as root. Lighttpd supports being run in a chroot jail and it is highly recommended to do so, as it is also not overly complex to set one up. The Lighttpd website has a link which will guide you through much of the process (http://www.lighttpd.net/documentation). In general it is a bad idea to run Lighttpd with root privileges; as before, the aim is to limit any damage an intruder can perform. Another supported method is to drop root privileges and run Lighttpd as a low privilege user. This is trivial and effective. First create a user called 'lighttpd' by adding a line similar to the line below to your /etc/passwd file:

lighttpd:x:100:400:lighttpd:/www/pages/:/bin/false

Next, you should add a line similar to the line below to your /etc/group file, while making sure that the numbers 100 and 400 are not taken by any other entries in these files:

lighttpd:x:400:

To set Lighttpd to run as this non-privileged user/group, simply modify the configuration file to contain these settings:

## change uid to <uid> (default: don't care)
server.username = "lighttpd"
## change gid to <gid> (default: don't care)
server.groupname = "lighttpd"

It is also important that your server does not easily give itself away to users. One method attackers may use to gain information about a system is to simply read the HTTP header. This is trivial to counter in Lighttpd, as described below.

First you might like to see what information the web server is giving out. Assuming you have telnet installed, this can be done by entering the command:

% telnet localhost 80

You should receive a prompt as below:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

You should now enter the HTTP command below, followed by two enter keystrokes:

HEAD / HTTP/1.0
(hit enter twice)

You should receive something similar to this:

HTTP/1.0 200 OK
Connection: close
Content-Length: 80
Date: Thu, 11 Aug 2005 20:47:04 GMT
Last-Modified: Wed, 10 Aug 2005 12:14:49 GMT
ETag: "-1257421618"
Accept-Ranges: bytes
Content-Type: text/html
Server: lighttpd/1.3.16

As you can see, the server by default sends out its name and version number. This provides an attacker with enough information to look up weaknesses in your particular software and version. I recommend for these security reasons that you set this to something non-helpful. To change this tag, again modify the configuration file to contain a line similar to this:

server.tag = "httpd"

After restarting your server, you may retrieve the header from the server again and you should see the modified tag:


HTTP/1.0 200 OK
Connection: close
Content-Length: 80
Date: Thu, 11 Aug 2005 20:49:30 GMT
Last-Modified: Wed, 10 Aug 2005 12:14:49 GMT
ETag: "-1257421618"
Accept-Ranges: bytes
Content-Type: text/html
Server: httpd

Here you have been introduced to some basic aspects of Lighttpd's high configurability. For more options, see the documentation provided with Lighttpd or look at the copies available on their website (http://www.lighttpd.net/documentation/).
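The privilege drop, chroot, server.tag and event handler settings covered in this section can be checked mechanically before a restart. The following is an added example, not part of lighttpd: it parses the simple `key = "value"` assignments of a lighttpd.conf and reports which of those hardening settings are missing or still leak the software name or version. The directive names server.username, server.groupname, server.tag and server.event-handler are the ones used above; server.chroot is lighttpd's directive for the chroot jail the text describes without spelling it out; both sample configurations are constructed.

```python
"""Audit a lighttpd configuration for the hardening settings this review
recommends: unprivileged user/group, chroot, a neutral server.tag, and
the epoll event handler.

Added example for this review; not part of lighttpd.  Only simple
`key = "value"` and `key = 123` assignments are parsed; comments and
other directives are ignored.  Sample configurations are constructed.
"""
import re

ASSIGN_RE = re.compile(r'^\s*([\w.\-]+)\s*=\s*(?:"([^"]*)"|(\d+))\s*$')


def parse_conf(text):
    """Return {directive: value} for the simple assignments in a lighttpd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop full-line and trailing comments
        m = ASSIGN_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return conf


def audit(conf):
    """Return a list of (directive, finding) pairs; an empty list means all checks passed."""
    findings = []
    user = conf.get("server.username")
    if not user or user == "root":
        findings.append(("server.username", "daemon keeps root privileges; set an unprivileged user"))
    if not conf.get("server.groupname"):
        findings.append(("server.groupname", "no unprivileged group configured"))
    if not conf.get("server.chroot"):
        findings.append(("server.chroot", "not chrooted; an intruder sees the whole file system"))
    tag = conf.get("server.tag")
    if tag is None:
        # The review shows the default banner as 'lighttpd/<version>'.
        findings.append(("server.tag", "default banner sends 'lighttpd/<version>' in every response"))
    elif re.search(r"\d+\.\d+", tag) or "lighttpd" in tag.lower():
        findings.append(("server.tag", f"banner {tag!r} still names the software or its version"))
    if conf.get("server.event-handler") != "linux-sysepoll":
        # The review's default handler is select(), capped at FD_SETSIZE descriptors.
        findings.append(("server.event-handler", "select() handler limited to FD_SETSIZE descriptors"))
    return findings


# Constructed samples: a configuration left at defaults, and the hardened one.
WEAK_CONF = """
server.document-root = "/www/pages/"
server.port = 80
# everything else left at defaults
"""

HARDENED_CONF = """
server.document-root = "/www/pages/"
server.port = 80
## change uid to <uid> (default: don't care)
server.username = "lighttpd"
## change gid to <gid> (default: don't care)
server.groupname = "lighttpd"
server.chroot = "/www/"
server.tag = "httpd"
server.event-handler = "linux-sysepoll"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit(parse_conf(text))
        print(f"{name}: {len(findings)} finding(s)")
        for directive, msg in findings:
            print(f"  {directive}: {msg}")
```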
OTHER FEATURES

I felt that it was important to mention some of the other features in Lighttpd. SSL support is integrated into Lighttpd, and basic rate limiting is supported either on a per connection or server (all connections) basis. Like Apache it supports compression: the standard gzip compression, which is supported by the majority of web browsers, can decrease web server bandwidth utilization, and Lighttpd also supports deflate and bzip2. Other interesting features include an rrdtool module for outputting bandwidth and load utilization, and SCGI, which is based heavily on FastCGI and is primarily used for Python + WSGI. Some anti-hotlinking features, including trigger b4 download, round out some of Lighttpd's unique feature set.
EXPANDING LIGHTTPD

One of the biggest selling points of Lighttpd is its rich list of features. Below I look at FastCGI and MySQL based Virtual Hosting, two of the more popular features. Lighttpd however has a very clear cut state engine and plugin interface, which makes Lighttpd very easy to modify should you need to insert specialized capabilities into this small httpd.
FASTCGI

The aim of FastCGI is to remove a lot of the performance issues posed by CGI programs. Support for this is provided by the module mod_fastcgi and can be enabled by uncommenting the appropriate line in your configuration file, found under server.modules. FastCGI allows fast and extensive php support for Lighttpd. For more information see www.lighttpd.net/documentation/fastcgi.html.
MYSQL BASED VIRTUAL HOSTING

There are two vhost modules available for Lighttpd. An interesting one is mod_mysql_vhost, which allows you to provide virtual hosts using a MySQL table. Lighttpd recommends not mixing vhost modules, as only one is supposed to be active at any given point in time. MySQL vhost allows you to place docroot and domain pairs in a table; lighttpd will then query the MySQL server to locate the docroot.

Lighttpd has been documented very clearly and in great detail by the Lighttpd development team. The documentation link off their main web page has full state machine information for both FastCGI and the httpd state machine. The documentation even includes the function names where the processing occurs. This makes Lighttpd, along with its size, a very tempting solution for developers who need unique features or processing. It wouldn't take much to modify the Lighttpd code by inserting your own additional processing to perform custom URL or other modifications beyond those supported in mod_rewrite. Lighttpd also includes very useful plugin documentation.

CONCLUSION

Lighttpd is an exciting project which raises the expectations of small footprint web servers. As its userbase increases, much more documentation will be available. This server is highly configurable in a non-complicated way, which enables new users to quickly get their web server running with little trouble. Lighttpd is a competitive option to other popular web servers, and may be run alongside other web servers, such as Tomcat or Apache, to take advantage of the benefits offered by each. It will be interesting to see the direction Lighttpd takes on the Internet as it matures.

MATHEW BURFORD IS AN APPLICATION DEVELOPER FOR SPLICED NETWORKS LLC BASED OUT OF WOLLONGONG, AUSTRALIA.


BUSI NESS
An Introduction to Linux and Open Source for Business
LINUX AND OPEN SOURCE MIGHT BE TERMS YOU HAVE HEARD BUT ARE NOT QUITE FAMILIAR WITH. LINUX AND OPEN SOURCE CAN BENEFIT BUSINESSES OF ANY SIZE... AND NO, IT IS NOT JUST FOR BANKS... BY JAMES HOLLINGSHEAD

Open source. It's amazing how much confusion and mixed feelings those two little words can cause. What is it? How does it work? Is it for our business? This article is an attempt to answer your questions and give a brief overview of what open source is, how it can help you and your business, and what you can do to help. Since it is a huge subject and answering everyone's questions would take entire books, this is really just a fairly high level look at open source arranged as a sort of question and answer session.
WHAT IS THIS "OPEN SOURCE" THING I KEEP HEARING ABOUT?

That's a very simple question to which there are a number of answers. At the most basic level, open source is the software development community and businesses working together in order to make quality software that anyone can use. It's a way for groups and individuals to contribute according to their skill sets on projects that they find interesting so that everyone can come out ahead. Its real defining points are the license that the software is released under and the fact that the program is distributed free of charge. There are quite a few licenses that are considered to be open source by the Open Source Initiative (www.opensource.org), the non-profit organization which keeps track of and promotes open source licenses. What most of the accepted licenses boil down to is that the source code for the software is open for the world to see, modify, contribute to, and use. Certain licenses require that you release all changes you make, while others just require you to give them credit for having code in your project.
I HEARD THAT LINUX IS HARD TO SET UP AND USE. IS THAT TRUE?

If you had asked me that question in 1998, when I first tried to install Linux on a new desktop that I bought, I would have said it was a nightmare to get running. Now, however, it's a great deal better and is actually ready for a lot of home and business uses. Many of the applications now have graphic interfaces that are just as good as what you are used to now and have the functionality that you've come to expect from your business apps. That's not to say that there isn't a little bit of a learning curve, but it really is a pretty slight one. On top of this, Linux is now a breeze to install on most hardware. To give you an idea, I recently installed Linux on my laptop. Anyone who has installed Windows on a laptop will tell you about the fun that you're in for. It takes a stack of CDs, most of the day, and constantly babysitting the laptop to answer questions and switch out disks. On top of that, you have to provide the right video, audio, and network drivers and then you have to run security updates and install service packs. With Linux, it took four CDs, a network connection, and about three hours to install the operating system, most of the software that I use, and to update the entire system. Ethernet worked out of the box; so did the video. To install the last two programs that I wanted to use required two very short commands, and updating the entire laptop required one more. Most of the time that was spent installing Linux was used to do other things while my laptop worked quietly in the other room without needing me to babysit it. It's come that far.

IF I WANT TO USE OPEN SOURCE SOFTWARE, DO I HAVE TO RUN LINUX?

While most software released for Linux is open source, not all open source software is Linux-only (or even runs on Linux). It is possible to have open source projects on other platforms, such as Windows and OS X, and indeed many popular projects, such as the Firefox web browser and the Eclipse programming environment for Java, are released on a wide variety of platforms.


The developers and companies behind the projects realize that not everyone can standardize on a single platform, so they often do their best to provide solutions where they make sense.
WHAT SORT OF OPEN SOURCE SOFTWARE IS THERE?

Open source software exists across the spectrum of applications.
• For operating systems, you have various forms of Linux and BSD, which are all Unix-like operating systems. While they allow fine control of practically everything that you could want to do with your computer from a functionality and security standpoint, they also have rather nice graphic interfaces, allowing both casual users and the more experienced to use them with ease.
• The popular web browser, Firefox, is a piece of open source software that grew out of the old Netscape browser. It also has sibling programs Thunderbird for email and Bugzilla, a bug tracking software package used by many developers. All of these programs may be found at www.mozilla.org.
• OpenOffice (www.openoffice.org) is a popular open source suite that includes word processor, spreadsheet, and presentation software and is available on both Linux and Windows.
• GIMP (www.gimp.org) is an open source graphics program which is available on both Linux and Windows and is used by this magazine.
• Many programming environments such as Eclipse (www.eclipse.org) are open source, as are the source control tools Subversion (http://subversion.tigris.org) and CVS (www.nongnu.org/cvs).
• There are even several very good open source databases out there, such as MySQL (www.mysql.com) and PostgreSQL (www.postgresql.org).

There are many other open source offerings out there. If you're interested in looking for open source applications, a good place to start is The OpenCD project (www.theopencd.org), which lists applications for Windows, but also links back to websites for the projects so you can get versions for different platforms.
BUT IF IT'S FREE, HOW DO WE MAKE MONEY ON IT?

That's a very good question. The answer is that, just like everything else in business, making your project open source isn't for everyone. However, there are several fairly standard ways that companies are making money with open source projects.
• Support – companies like Redhat (www.redhat.com), maintainers of a popular Linux distribution, charge money for providing professional technical support.
• Sell hardware – companies like Digium (www.digium.com), the makers of Asterisk, an open source PBX software, make a great deal of their money selling pre-made PBX solutions while also providing the software to the general public for those who feel adventurous.
• Training – many pieces of software, whether open or closed, really benefit from people being able to go to classes in order to learn how to get the most use out of them. Who better to provide the training than the company who makes the product?
• Custom builds – no software will do everything that everyone wants it to do, because there are so many things that its creators never thought of. In some cases, businesses may want functionality added to the programs that you make which they are willing to pay for.

There are many other ways that companies are making money on open source software, but what it all comes down to is where you expect to make your money. If you just plan to sell your software, then open sourcing your project probably isn't for you. There are exceptions to this. MySQL, a popular open source database, offers its software for free if it is used in-house and asks that you pay a modest fee if you include it in a commercial product. However, if your real money comes from somewhere else, then you have a decent chance of making a successful business.
WHAT DO I GET OUT OF MAKING MY SOFTWARE OPEN SOURCE?

By making your software project open source, you gain potential access to the professional development community at large. As I said before, many major open source projects are staffed partially by developers being paid by technical companies in order to add the features and functionality that their employers want. However, many professional developers work on open source projects on their own time as well, for a number of reasons including to keep their skills sharp, to add new skills, and even just because the project interests them. This means several things to anyone who wants to have a successful software project:
• Access to outside skills - Everyone who starts a piece of software wants the people working on it to be the best. Unfortunately, your budget often doesn't allow you to hire them and keep them full time. With open source, you can have access to people (either on a contract basis or, in some cases, just because they're interested in your project) that you otherwise wouldn't be able to hire.
• Reduced development time - With the possibility of more people working on your project than you could otherwise afford, there is a good chance that it will take less time to complete your project. For example, Windows Vista (formerly code named Longhorn) was announced years ago and isn't supposed to be delivered until sometime in 2006. By contrast, Fedora, Redhat's non-business Linux distribution, has gone from version 1 to version 4 since I first started using it in 2003, and each new version has been a marked improvement over the previous one.
• Different points of view - There are always useful features or uses for your software that you didn't originally think of. With members of the software developer community at large looking at (and working on) your project, you may end up with functionality that you never considered before.
• Many eyes looking at your project - The more people who review the source code of your project, the greater the chance that bugs and security flaws will be caught, allowing them to be fixed sooner.
• Community good will - Never underestimate the power of free advertising. If your project becomes popular within the technical community, like Linux has, that popularity can spill over into the business arena.

WHY WOULD PEOPLE WANT TO VOLUNTEER TO WORK ON MY PROJECT?

We developers (yes, I am one of them) are strange people. We like to work on projects that we find interesting or that challenge us. It's a chance to gain experience that we can point to when looking for a new job. It's also a way to get recognized by the community as a capable developer. On top of all of those things, it's a chance for us to give something back to the people who have helped us out along the way and to help others who may not be so fortunate. Some of us think of it as a form of voluntary community service.
IF EVERYONE CAN LOOK AT MY SOFTWARE, WHAT'S TO STOP THEM FROM JUST TAKING IT?

That's a very good question, and one that I hear quite often. The answer is that it all comes down to the license that you choose to release your work under. There are a lot of accepted open source licenses, so I am only going to give a brief description of a few of the more popular ones.
• BSD – The person who modifies the project may choose whether or not to open source their derivative, but the copyright notice for the original project must be included with the documentation (if the derivative work is closed) or in the code (if the derivative work is open). Basically, under this license, anyone can do anything with the code that they want as long as they say that the code is in there.


• Apache – If a software development project contains code released under the Apache license, their copyright notice and disclaimer must be included in the documentation, and the source is allowed to be either open or closed.
• GPLv2 – If the project that contains code licensed under the GPLv2 is released, all changes to the code must also be released under the GPL. This is the license used by many open source projects including the Linux kernel.

LET ME GET THIS STRAIGHT. IF I USE CODE LICENSED UNDER THE GPL, I HAVE TO RELEASE WHAT I MAKE WITH IT THE SAME WAY?

If you release the project that you incorporate the GPL'ed code in, then yes, you have to open source your project as well. If, on the other hand, you just use the software you make in-house, you don't have to publish your code. However, even if it is just in-house, you should think about whether there is actually anything to be gained by keeping people from seeing it. If the answer is not really, then consider opening it up anyway.

I LIKE THE IDEA OF THE ... ACCEPT EVERYTHING THAT SOMEONE OFFERS MY PROJECT?

... the community, if you want.

I hope this article helped answer most of the questions that you had concerning open source for your business. As I said at the beginning, this was just a brief overview of what open source is and how it can work for you. If you have more questions, there are a great deal of places that you can turn to. One of the best of these is your local Linux User's Group, many of which can be found via Linux.org's list of user's groups located at www.linux.org/groups/.

JAMES HOLLINGSHEAD IS THE EXECUTIVE EDITOR FOR O3 MAGAZINE. JAMES IS BASED OUT OF CHILLICOTHE, OHIO. JAMES CAN BE REACHED VIA EMAIL AT JAMES@O3MAGAZINE.COM.

"... LINUX, ISN'T THAT FOR BANKS? I DON'T NEED THAT KIND OF SECURITY!" -- INTERNET CAFE OWNER

Several years ago I was asked to put together a quote for an Internet cafe on the west coast of Ireland. Several local and national computer retailers had already quoted but were too high for this very small startup run by a business lady who had no computer experience at all. The owner was concerned about Windows and connecting Windows to the Internet because of security. I put together two quotes, one for Linux desktops and one for just securing the Windows desktops with a Linux based firewall/router. What was interesting about this particular experience was that the business owner didn't want anything to do with Linux, not because it "looks different" but because it was "too secure". She felt that she didn't need that level of security and that Linux solutions were really for banks. Five years later, this particular individual got in contact with me through one of my previous employers. Her network of Windows desktops was being constantly compromised by both local students and remote users. Turns out that a national computer company sales rep told her Linux was for banks; this type of sales rep FUD resulted in a solution that cost more and in the long run failed.

-- Comments from the Editor

GPL , BUT DO

I H AV E TO

W h il et h e GPLh as a gre atde al of be ne fit st h at com e from acce pt ing cont ribut ions t o your proj e ct (funct ional it y and bug fixe s am ong t h e big one s ), at t h e e nd of t h e day, you're t h e one in cont rol of t he proj e ctand can de cide w h o you w antt o be abl et o cont ribut et h ings t o it . You don'th av et o acce pt anyt h ing s us pe ctor t h atyou don'tw antt o if you're in cont rol of t h e proj e ct .
H O W DO I J O IN TH E CO M M UNITY ?

Th e e as ie stw ay is t o cont ribut e . St arta proj e ctor w ork on an exist ing one by adding funct ional it y or s ubm it t ing pat ch e s . Source f orge (w w w .s ource f orge .ne t ) is an exce l l e ntpl ace t o find or st artproj e ct s . You can al so j oin t h e m ail ing l istf or t h e proj e ctt h atint e re st s you in orde r t o com m unicat e w it h t h e ot h e r pe opl e w h o are w ork ing on t he proj e ct . As t im e goe s on, you w il l be abl et ot ak e on m ore re s pons ibil it y on t h atproj e ct , and t h us in

O 3 M agaz ine /Nov e m be r 2005 Page 26

NETWORKING

Multi-Layer Switching in Linux

LINUX HAS HAD SOME FORM OF BRIDGING AND VLAN SUPPORT IN IT FOR A WHILE. MULTILAYER SWITCHING, SPANNING TREE AND OTHER ADVANCED SWITCHING FEATURES ARE NOW POSSIBLE. BY JOHN BUSWELL

At first glance LISA, the Linux Switching Appliance project, looks like a very interesting project, providing Layer 2/3 packet switching support to Linux. Originally we planned to write an article specifically on LISA; unfortunately, we quickly discovered that LISA is still very much in a developmental stage, so this article has been expanded to cover the wider range of switching solutions for Linux. This is an introductory article; over the coming months the NETWORKING segment of O3 will go into detail on implementing various networking solutions in Linux and using open source projects to test and extend the security of traditional network protocols.

We tested LISA under Linux 2.6.10. It consists of a kernel patch providing the "Ethernet Switch" module under Networking Options and a couple of userspace tools. The project provides a mini-distribution, however all you really need is the patched kernel and the swctl userspace tool that is provided by the project. The swctl tool allows you to add/remove interfaces from the switch, add/remove VLANs from the VLAN database, create trunks and create virtual interfaces for a given VLAN. We tested its layer 2/3 switching capabilities; performance was pretty good and the switch's forwarding database worked as expected. Interoperability with other VLAN speaking devices seemed to work well: we tested LISA connected to Cisco Catalyst 5505 and Nortel 3408 Application Switches, and layer 2 and layer 3 connectivity over the VLANs, as well as VLAN routing, worked.

The downside to this project is clearly its future: the last release was back in June 2005, and it looks like a final year project for two Romanian students. If you plan to seriously consider using LISA, despite the sponsors, I would wait and see if the project continues development unless you plan to maintain the code yourself. At the time this article was written the latest release of LISA required some patching to work with Linux 2.6.14. The userspace tools are hard-coded, so you have to modify the path to the Linux header files in each Makefile, and with changes to the skb code in 2.6.14, you will need to modify the calls to deliver_skb() and possibly other skb routines that the switching code uses. Overall, LISA has a good deal of potential; whether its current developers plan to continue development beyond University remains to be seen. LISA can be obtained from http://lisa.ines.ro/.

SPANNING TREE PROTOCOL (802.1D)

Most enterprise layer 2 switches support IEEE 802.1d "Spanning Tree Protocol". While LISA itself doesn't provide STP, the Linux bridging suite (http://bridge.sourceforge.net) does provide good STP support. STP allows multiple bridges to work together by providing path redundancy while eliminating loops in the network; it is a Layer 2 protocol. STP works by sending out a special packet called a BPDU (bridge packet data unit), communicating with other bridges to discover how each is interconnected. The exchange of BPDUs results in the election of a root bridge. This is called spanning tree convergence. Once an STP has converged, each bridge sets a link to either a FORWARDING or a BLOCKED state. It is this determination of BLOCKED or FORWARDING when multiple active paths exist between bridges that prevents loops in the network. Spanning tree loops are not a good thing: they can flood the network, and more often than not lead to network failure. The best way to describe the BLOCKED state is that it is an active link sitting in standby.

STP.1 EXAMPLE SPANNING TREE NETWORK

In diagram stp.1 we have 5 switches; during convergence a "root bridge" is elected through the exchange of BPDUs as mentioned above. Once the root bridge is selected, all links not required to reach the root bridge are placed into a BLOCKED state. In our diagram, switch 2 is the best candidate for becoming the root switch. You can see how convergence plays out in that situation in the second diagram, stp.2.

STP.2 SWITCH 2 AS ROOT BRIDGE / CONVERGENCE COMPLETED

Spanning tree does not have any authentication, and a degree of trust must be assumed for each bridge/switch participating in the spanning tree. While this is typically a non-issue for switched environments, when considering the use of STP support on a Linux system through the bridging suite, you need to make sure that you don't create the capability of a remote attacker injecting STP BPDUs into your network, either by compromising the bridge or by the bridge simply forwarding packets received. This is especially important when bridging between a private network and the Internet or a public WiFi network. STP filtering is possible with ebtables (http://ebtables.sourceforge.net) as part of the bridging suite.

There are two "extensions" to Spanning Tree that are typically of interest: these are 802.1w and 802.1s. 802.1s is multiple spanning trees and implements spanning tree groups. A number of companies offer Layer 2/Layer 3 switching solutions as proprietary solutions that work under Linux; one such company is ipinfusion (www.ipinfusion.com). At the time of this article, no open source 802.1s project was found. 802.1w is the rapid reconfiguration of spanning tree, often called rapid spanning tree, fast spanning tree or fast convergence. 802.1w becomes important in larger, more complex switched environments where traditional spanning tree convergence can take a longer period of time due to the complexity of the network. 802.1w support is planned for the Linux bridging suite, and an RSTP library and simulator exist over at http://rstplib.sourceforge.net.

LAYER 2 FILTERING, EBTABLES, VLANS AND VMPS

An important part of the bridge suite is ebtables; ebtables is essentially the iptables for the layer 2 world. ebtables can filter Ethernet protocols, MAC addresses, simple IP headers, ARP headers, 802.1q and interfaces. It can also perform MAC address translation, logging and frame counters, and mark and match frames.

Another important part to Ethernet switching is VLAN support. Linux has decent 802.1Q support. VLAN (Virtual LAN) creates a logical Ethernet broadcast domain; this enables a switch, for example, to have multiple devices in different networks plugged into the same switch, and behave as if you had a separate switch for each network. VLANs in Linux are relatively easy to set up: you just mark the interface (eg. eth0) as up, then use the vconfig utility to add the interface to a particular VLAN. Linux sees the VLAN as a typical network interface; you can assign an IP to it and so forth. Some network drivers in Linux need specific patches to make them work with 802.1Q.

VLAN Management Policy Server (VMPS) uses a special protocol called VQP (VLAN Query Protocol) to automatically determine VLAN membership based on the MAC address of the device connecting to the network. VMPS is supported on Cisco Catalyst switches, and the OpenVMPS project (http://vmps.sourceforge.net) provides an open source implementation.
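The convergence described in the spanning tree section above (root election, then a BLOCKED or FORWARDING state per link), as an added Python example that is not code from the article or from the Linux bridging suite. The five-switch topology, the bridge IDs, the link costs and the untrusted "rogue" bridge are constructed; the example also shows why the article's advice to filter BPDUs on ports facing untrusted networks matters, since a bridge whose BPDUs are dropped never takes part in the election.

```python
import heapq

FORWARDING, BLOCKED, FILTERED = "FORWARDING", "BLOCKED", "BPDU-FILTERED"

# Constructed topology for diagram stp.1: five switches with two redundant
# links. Bridge IDs are priority+MAC in 802.1D; here plain integers, lower wins.
BRIDGE_IDS = {"sw1": 32771, "sw2": 32770, "sw3": 32773, "sw4": 32774, "sw5": 32775}
LINKS = {
    ("sw1", "sw2"): 4, ("sw2", "sw3"): 4, ("sw1", "sw3"): 4,
    ("sw3", "sw4"): 4, ("sw4", "sw5"): 4, ("sw2", "sw5"): 4,
}


def elect_root(bridge_ids, bpdu_filtered=frozenset()):
    """Root election: every bridge whose BPDUs are heard competes and the
    lowest bridge ID wins. Bridges behind a BPDU-filtering port are never heard."""
    heard = {b: i for b, i in bridge_ids.items() if b not in bpdu_filtered}
    return min(heard, key=heard.get)


def converge(bridge_ids, links, bpdu_filtered=frozenset()):
    """Spanning tree convergence. Returns (root, root path cost per bridge,
    state per link). Each non-root bridge keeps the link on its cheapest path
    to the root (ties broken by the upstream bridge ID, as 802.1D does);
    every other link is BLOCKED, which is what removes the loops."""
    root = elect_root(bridge_ids, bpdu_filtered)
    adj = {b: [] for b in bridge_ids}
    for (a, b), cost in links.items():
        if a in bpdu_filtered or b in bpdu_filtered:
            continue                      # no BPDUs cross this link: invisible to STP
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best = {root: (0, bridge_ids[root])}  # bridge -> (root path cost, upstream ID)
    root_link = {}                        # bridge -> link acting as its root port
    heap = [(0, bridge_ids[root], root)]
    while heap:
        cost, _, here = heapq.heappop(heap)
        if cost > best[here][0]:
            continue                      # stale heap entry
        for nxt, link_cost in adj[here]:
            cand = (cost + link_cost, bridge_ids[here])
            if nxt not in best or cand < best[nxt]:
                best[nxt] = cand
                root_link[nxt] = frozenset((here, nxt))
                heapq.heappush(heap, (cand[0], cand[1], nxt))
    tree = set(root_link.values())
    states = {}
    for a, b in links:
        if a in bpdu_filtered or b in bpdu_filtered:
            states[(a, b)] = FILTERED     # carries traffic but takes no part in STP
        else:
            states[(a, b)] = FORWARDING if frozenset((a, b)) in tree else BLOCKED
    return root, {b: c for b, (c, _) in best.items()}, states


if __name__ == "__main__":
    root, costs, states = converge(BRIDGE_IDS, LINKS)
    print("root:", root, "root path costs:", costs)
    for (a, b), state in states.items():
        print(f"{a}-{b}: {state}")
    # A constructed untrusted bridge (ID 1) on an unfiltered port of sw4 wins
    # the election; dropping its BPDUs at that port keeps sw2 as root.
    ids = dict(BRIDGE_IDS, rogue=1)
    links = {**LINKS, ("sw4", "rogue"): 4}
    print("unfiltered port, root:", converge(ids, links)[0])
    print("filtered port, root:", converge(ids, links, bpdu_filtered={"rogue"})[0])
```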
MULTIPROTOCOL LABEL SWITCHING (MPLS)

Another type of switching is MPLS, Multiprotocol Label Switching. MPLS works by having a "label edge router" assign a label to incoming packets. Packets are forwarded along a "label switch path" (LSP), where each label switch router (LSR) makes forwarding decisions based solely on the contents of the label. At each hop, the LSR removes the existing label and applies a new label which tells the next hop how to forward the packet. LSPs provide a variety of solutions such as performance guarantees, routing around network congestion, or creating IP tunnels for network based VPNs. Linux has excellent MPLS support: there is an MPLS forwarding plane for the 2.6.x kernel, and an implementation of LDP (RFC 3036). The MPLS project can be found at http://mplslinux.sourceforge.net, and http://www.mplsrc.com is an excellent source of information on MPLS if you are interested in learning more about MPLS.

LAYER 2 NETWORK SECURITY TESTING

Yersinia is a network security tool designed to take advantage of weaknesses in several protocols, including Spanning Tree Protocol, Cisco Discovery Protocol, Dynamic Trunking Protocol, DHCP, HSRP, 802.1q, Inter-Switch Link Protocol (ISL) and VLAN Trunking Protocol. Yersinia is an open source project and can be found at http://yersinia.sourceforge.net. Next issue, we will take an in-depth look at Yersinia, and the attacks used against network protocols most enterprises have deployed in their production networks. Yersinia provides an important tool, especially for larger companies that maintain lab duplicate environments of their production network, for testing and understanding how your network will respond to a particular attack, as well as to test new features provided by vendors designed to prevent or reduce the impact of specific attacks.

LAYER 4 SWITCHING WITH LINUX VIRTUAL SERVER

Layer 4 switching, more commonly referred to as IP load balancing, is the process of intelligently switching packets destined for a specific IP and port (TCP/UDP) to a different IP and/or ports. Essentially it is a fancy form of NAT and address translation where the destination is selected dynamically based on specific criteria, such as load balancing metrics, QoS or the health of the proposed destination. The device between the source and the target maintains state. The Linux Virtual Server project (http://www.linuxvirtualserver.org) provides an Open Source solution for Layer 4 switching. For high capacity, port density or mission critical applications where higher session capability, advanced features and performance are a key factor, proprietary solutions such as Nortel Application Switches (formerly Alteon), Cisco, F5, Foundry Networks and Radware all offer Layer 4 - Layer 7 solutions.

FURTHER READING

Linux has a good selection of projects for implementing multilayer switching. Below are a couple of useful links that were valid at the time this article was written, if you are interested in learning more about some of the concepts discussed in this article.

DYNAMIC VLANS
http://www.netcraftsmen.net/welcher/papers/switchvmps.html

UNDERSTANDING SPANNING TREE PROTOCOL
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm

LAYER 4-7 SWITCHING PRIMER
http://www.nortel.com/solutions/enterprise/enabling_tech/layer4-7/

VOIP

Open Source Telephony

OPEN SOURCE TELEPHONY IS RELATIVELY EASY TO SET UP AND CAN SAVE YOUR BUSINESS THOUSANDS. SMALL BUSINESSES CAN NOW DEPLOY ADVANCED VOICE SOLUTIONS THAT WERE PREVIOUSLY COST PROHIBITIVE. BY JOHN BUSWELL

The Private Branch Exchange (PBX) is a critical component for any business regardless of size. The PBX provides a private, company owned telephone exchange which can drastically reduce the cost of services required from the telephone company. Traditionally, PBX systems have been expensive and required specialized technicians to deploy. However, that has changed with the dawn of Open Source Telephony and the digital PBX. The PBX takes a limited number of trunk lines from the business to the phone company's central office (local exchange), and enables them to be shared among the phone equipment within the company. Through the use of IP telephony and Virtual Private Networks (VPN) it is possible to connect and share PBX solutions at different company offices. This article will introduce you briefly to some of the terms, discuss a solution, the cost saving benefits and various open source projects.

T1, E1, J1, FXO AND FXS

Connecting your PBX to the public phone system will either involve a regular RJ11/PSTN (phone jack) connected to an FXO port, or some form of channelized trunk from the phone company. In North America these trunks are called T1, the equivalent of 24 phone lines (channels). In Europe they are called E1 (32 channels) and in Japan J1 (24 channels). An FXS port is a port on your PBX that you would connect a regular analog phone to. The FXS port generates the voltage on the wire to operate the analog phone.

VOIP

Voice over IP is analog audio (phone) converted to a digital format and distributed over an IP network to a destination. There are a number of different protocols that can be used to achieve VoIP; for the most part we will focus on SIP (Session Initiation Protocol) and IAX (Inter Asterisk Exchange) in our VoIP series. Cisco has a proprietary protocol called SCCP (Skinny), and there is also H.323. Most Cisco IP phones support SIP; however, they are typically shipped with SCCP software loaded.

HARDWARE

Digium (http://www.digium.com), the company behind the most popular open source PBX software, Asterisk (http://www.asterisk.org), provides a number of hardware options for connecting your open source PBX to the phone company. If you are a small business without the need for too many lines, then the TDM400 is a nice modular card that allows you to mix and match up to four modules (FXS or FXO) per card to meet your needs. They also supply T1/E1/J1 cards: single, dual and quad port cards. In addition to Digium, Sangoma Technologies (http://www.sangoma.com) also sells several Asterisk compatible channelized cards. Using the TDM400 cards you can also connect regular analog telephones to your PBX. Alternatively, you can use many of the available VoIP phones or ATA units on the market today. An ATA (Analog Telephone Adapter) is essentially a small embedded device that converts VoIP to analog, similar to having a small system running Asterisk and a TDM400 with FXS ports to drive your analog phones from a VoIP network. You will also need a server to act as your PBX with the appropriate hardware (discussed above) to connect to the phone company, as well as the appropriate hardware to connect either to your VoIP network or your analog phones.

ASTERISK

At the heart of the Open Source PBX, we have Asterisk. Asterisk is a fully featured PBX, providing all the features of traditional PBX systems, such as call queuing, conference bridging, voicemail and much more. There is a full list of features available on the Asterisk site (http://www.asterisk.org/features/). If you are using the Digium hardware you need to download the zaptel suite as well as Asterisk. The zaptel suite provides kernel drivers for the Digium hardware. Compiling Asterisk is relatively easy. Once uncompressed, it only requires a simple make; make install. It is important to read through the security material on Asterisk. Not only do you have to focus on the security of the server on which Asterisk resides, but you must also consider the security of Asterisk itself, and make sure that inbound dialers (or restricted outbound dialers) don't have the capability to make toll calls or otherwise access parts of Asterisk via the phone system that would be undesirable. Configuring Asterisk is an involved process, well beyond the scope of this article. O3 will look at configuring Asterisk in depth in a few issues.

EXAMPLE DEPLOYMENT

In the figure opposite, we have a sample deployment consisting of two office locations and a remote telecommuter. The first site is based in Cincinnati, Ohio in the United States, while the second site is located in Dublin, Ireland. The first site is connected via a T1 trunk (24 channels) to the local 513 area code, while the second site is connected via four standard PSTN lines to the local exchange in Dublin. Both sites are using Linux servers running Asterisk and are connected to the Internet via a high speed broadband connection. For the sake of this example, let's say that the Dublin office is a sales office, while the Cincinnati office contains technical support staff. The company wishes to provide technical support from the Cincinnati office to customers in the Dublin area. This would be an expensive project to complete using traditional technology; however, with Asterisk and Open Source technologies it is possible to implement this with relatively low costs to the company. The two offices can be connected together using OpenVPN (http://www.openvpn.net), providing a secure transport for the communication between the two PBX systems. Asterisk comes with its own exchange protocol called IAX; alternatively you can run SIP as well. While IAX2 does have PKI style authentication and trunking, it won't protect the contents of your calls from being sniffed off the wire, so utilizing a VPN technology when routing private calls between offices over the Internet is your best bet.

Once configured correctly, a client calling the local office in Dublin (a local call) now has their call routed, upon selecting the support option, over the Internet to the Cincinnati support queue. Now the company can bring the expertise it has established locally in the Cincinnati area to its Dublin customers, without requiring the customers to call long distance. In addition, staff at the Dublin office can call, conference and perform a wide range of other tasks as if the Cincinnati location was local, and vice versa.

The example shows a remote worker. This might be an on call technical support engineer covering the early morning business hours in Europe from their home. Here the engineer connects to the Cincinnati office via VPN, and has a firewall in place to protect their local network. The firewall is also running a SIP Proxy, which allows the SIP softphone to register with the Asterisk PBX while remaining behind its firewall.

SIP PROXY

Siproxd (http://siproxd.sourceforge.net) and PartySIP (http://www.nongnu.org/partysip/) are two open source SIP proxies. A SIP proxy handles registration of SIP clients on a private network and performs rewrites on the SIP messages to make SIP connections possible through a firewall providing NAT (Network Address Translation). SIP (Session Initiation Protocol) is defined by RFC 3261 and is one of the protocols used by software and VoIP phones. The alternative approach is a method called STUN which enables a SIP client to determine the public IP address, but for this to work a wide range of ports must be opened on the firewall. Instead, projects such as siproxd actually perform layer 7 packet inspection and rewrite on the SIP packets sent through the proxy.
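What the proxy's rewrite step looks like for a softphone registering from behind NAT, as an added Python example that is not siproxd's or PartySIP's code. The REGISTER and INVITE messages, the private address 192.168.1.10 and the firewall's public address 203.0.113.7 are constructed; the proxy remembers which public contacts it handed out and relays inbound requests only for those.

```python
import re

# Address part of a Contact header, e.g. <sip:alice@192.168.1.10:5060>
CONTACT_RE = re.compile(r"<sip:(?P<user>[^@>]+)@(?P<host>[^:;>]+)(?::(?P<port>\d+))?>")
VIA_FMT = "SIP/2.0/UDP {ip}:{port};branch=z9hG4bK-proxy-{n}"


def parse_sip(msg):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")   # first colon only: values contain ':'
        headers.append((name.strip(), value.strip()))
    return start, headers, body


def build_sip(start, headers, body=""):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


class NatSipProxy:
    """SIP proxy on the firewall: private clients register through it, and the
    PBX on the public side only ever sees the proxy's public address."""

    def __init__(self, public_ip, public_port=5060):
        self.public_ip, self.public_port = public_ip, public_port
        self.bindings = {}     # public user@host:port -> private user@host:port
        self.branch = 0

    def _via(self):
        self.branch += 1       # each forwarded request gets its own branch id
        return ("Via", VIA_FMT.format(ip=self.public_ip, port=self.public_port, n=self.branch))

    def outbound(self, msg):
        """Request leaving the private network (e.g. REGISTER): add the proxy's
        own Via and rewrite the private Contact to a public one, remembering
        the mapping so later inbound requests can be routed back."""
        start, headers, body = parse_sip(msg)
        out = [self._via()]
        for name, value in headers:
            if name.lower() == "contact":
                m = CONTACT_RE.search(value)
                if m is None:
                    raise ValueError("unparseable Contact: " + value)
                private = f"{m['user']}@{m['host']}:{m['port'] or 5060}"
                public = f"{m['user']}@{self.public_ip}:{self.public_port}"
                self.bindings[public] = private
                value = CONTACT_RE.sub(f"<sip:{public}>", value, count=1)
            out.append((name, value))
        return build_sip(start, out, body)

    def inbound(self, msg):
        """Request arriving from the public side (e.g. an INVITE from the PBX):
        only contacts the proxy itself handed out are relayed inside."""
        start, headers, body = parse_sip(msg)
        method, uri, version = start.split(" ")
        key = uri[4:].split(";")[0] if uri.startswith("sip:") else uri
        if key not in self.bindings:
            raise LookupError("no registered client for " + uri)
        return build_sip(f"{method} sip:{self.bindings[key]} {version}",
                         [self._via()] + headers, body)


# Constructed REGISTER from a softphone on the private network.
REGISTER = ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds\r\n"
            "From: <sip:alice@pbx.example.com>;tag=1928301774\r\n"
            "To: <sip:alice@pbx.example.com>\r\n"
            "Call-ID: a84b4c76e66710@192.168.1.10\r\n"
            "CSeq: 1 REGISTER\r\n"
            "Contact: <sip:alice@192.168.1.10:5060>;expires=3600\r\n"
            "Content-Length: 0\r\n\r\n")

# Constructed INVITE from the PBX to the public contact the proxy handed out.
INVITE = ("INVITE sip:alice@203.0.113.7:5060 SIP/2.0\r\n"
          "Via: SIP/2.0/UDP pbx.example.com:5060;branch=z9hG4bK123\r\n"
          "From: <sip:bob@pbx.example.com>;tag=456\r\n"
          "To: <sip:alice@203.0.113.7:5060>\r\n"
          "Call-ID: 99@pbx.example.com\r\n"
          "CSeq: 1 INVITE\r\n"
          "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    proxy = NatSipProxy("203.0.113.7")   # constructed public address of the firewall
    print(proxy.outbound(REGISTER))
    print(proxy.inbound(INVITE))
```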
ASTLINUX

AstLinux (http://www.astlinux.org) is a custom Linux distribution centered around Asterisk. AstLinux provides an out of the box solution with a wide range of features, making it a useful solution for a quick embedded or commercial Asterisk installation. With a little effort, it can be easily modified to fit almost any situation. The project provides a number of useful images, including a bootable ISO image. The project is geared towards using older Pentium-MMX, and embedded solutions such as the Soekris line of embedded devices. If you're looking to provide a large solution with multiple T1 lines, multiple IAX trunks and large amounts of space for IVR/Voicemail solutions, selecting your favorite enterprise Linux distribution and installing Asterisk from source might be a better approach.

ASTERISK@HOME

Asterisk@Home, which can be found online at http://asteriskathome.sourceforge.net, is a fast and simple solution for getting Asterisk up and running quickly. Asterisk@Home is a Linux distribution that utilizes CentOS (www.centos.org) and provides a web based interface for configuring and managing Asterisk. The solution includes another project, AMP (Asterisk Management Portal), which can be found at http://coalescentsystems.ca/index.php. AMP is web based with a flash operator panel. It provides a wide range of management tasks. If you want to get Asterisk running quickly without going in-depth, Asterisk@Home is a great solution.

ENUM, E.164 AND DUNDI

ENUM is essentially DNS for your telephone number. E.164 is an international telephone numbering plan administered by the ITU, which provides the format, structure and administrative hierarchy of telephone numbers. A fully qualified E.164 number contains the country code (eg. +353 for Ireland), area code and phone number for the destination. ENUM provides essentially reverse DNS mapping on the phone number, to convert that number to an IP address that would typically be able to handle call routing to that number (eg. a SIP proxy run by the phone company that provides PSTN service to the particular area code in that country). DUNDi is a distributed peer to peer system for locating Internet gateways to phone services. DUNDi is a distributed solution with no centralized authority, unlike ENUM. DUNDi is a routing protocol, so that services may be routed and accessed using industry standard VoIP technologies such as IAX, SIP or H.323. DUNDi provides a solution that enables the creation of highly available enterprise PBX solutions, where no one PBX creates a central point of failure. DUNDi also provides an Internet based E.164 peering system; for more details review the documentation and members at http://www.dundi.com.

SIPX

sipX (http://www.sipfoundry.org/sipX/sipXuser/) is an Open Source PBX solution based on SIP. sipX provides many of the PBX capabilities of Asterisk such as DID, hunt groups, call forwarding, voicemail and so on. sipX doesn't provide any gateway capabilities with the PSTN; it is a pure SIP IP PBX solution. It has some interesting features such as XML based call routing and the ability to configure attached phones and gateways.

SIP EXPRESS ROUTER

The SIP Express Router is a high performance, configurable, free SIP server which can act as a proxy, redirect or registrar server; check it out at http://www.iptel.org/ser/. There is also the OpenSER project at http://www.openser.org/.

RUBY ON RAILS INTEGRATION

Next issue: a look at web integration with Asterisk using ragi (http://ragi.sourceforge.net).

DUNDi, IAX and Asterisk are trademarks of Digium Inc. (http://www.digium.com).

NETW O RK APPL I CATI O NS
De pl oying W if idog -- Th e e m be dde d Capt iv e Port al
WI FI DO G
I S A C BASED CAPTI V E PO RTAL DESI GN FO R TH E L I NK SYS W RT54G BUT RUNS

ON ANY LINUX PLATFORM. IT PROVIDES ACCESS CONTROL, BANDWIDTH ACCOUNTING AND MUCH MORE. BY JOHN BUSWELL

Wifidog is a lightweight captive portal solution designed to run on embedded devices such as the LinkSys WRT54G. The LinkSys WRT54G and WRT54GS are low cost wireless routers from LinkSys that run Linux. These devices can run alternative firmware; be careful, because running such firmware will VOID YOUR WARRANTY. However, most retail outlets have these routers for under $70, so it is not too much to risk. OpenWRT is the alternative firmware of choice for running open source applications on the WRT54G. From this point on I'll refer to the WRT54G/GS as the AP (access point). Building OpenWRT is relatively easy: you simply download the latest release from www.openwrt.org, uncompress it, run make menuconfig, work through the menu options to suit your needs, then run make. From that point on it's pretty much automated. You will need an Internet connection; broadband is recommended due to some larger downloads such as the Linux kernel.

Why would you want to risk your warranty over some free software, surely Linksys has the best firmware? Well, Linksys have the product designed for your average user, which works great, but the hardware platform is extremely flexible running OpenWRT. Once you have OpenWRT on there you are free to upload almost any open source application that will compile and fit on the hardware. You might want to run a SIP phone behind the wireless router; with OpenWRT you can load siproxd onto the Linksys along with iptables and that's it. As you start to use OpenWRT more, you'll see exactly how flexible it is and how great it is to be able to add new capabilities to your network.

WHAT IS A CAPTIVE PORTAL

A captive portal is essentially a means to prevent a user from accessing network resources (mainly the Internet) until they have authenticated with a server. Typically a captive portal is used at wireless hotspots, allowing the user to log in, authenticate and use the network as their privileges allow. The user doesn't have to know a particular address; when they attempt to use their browser they are transparently redirected to the authentication page. Wifidog is interesting in that it is lightweight enough to run directly on low cost wireless hardware such as the AP, and it checks network activity rather than using a JavaScript window, thus allowing PDAs, cell phones and Sony PSPs to utilize the resources.

HOW DOES WIFIDOG WORK?

The solution works by using firewall rules to control traffic through the router. When a new user attempts to access a web site, the wifidog component on the AP will transparently redirect the user to the auth server, where they can either log in or sign up. The auth server and the wifidog component on the AP will negotiate how to handle the client, that is, whether to permit or deny certain network access. The AP talks to the auth server periodically to update statistics such as uptime, load and traffic per client, and to act as a heartbeat. The flow diagram below illustrates the process that Wifidog utilizes (courtesy of ile sans fil (www.wifidog.org)).
O 3 M agaz ine /Nov e m be r 2005 Page 36

NETWORK APPLICATIONS

• The client does his initial request, as if he was already connected (e.g. http://www.google.ca)
• The Gateway's firewall rules mangle the request to redirect it to a local port on the Gateway. When that's done, the Gateway provides an HTTP Redirect reply that contains the Gateway ID, Gateway FQDN and other information
• The Client does his request to the Auth Server as specified by the Gateway
• The Gateway replies with a (potentially custom) splash (login) page
• The Client provides his identification information (username and password)
• Upon successful authentication, the client gets an HTTP Redirect to the Gateway's own web server with his authentication proof (a one-time token)
• The Client then connects to the Gateway and thus gives it his token
• The Gateway requests validation of the token from the Auth Server
• The Auth Server confirms the token
• The Gateway then sends a redirect to the Client to obtain the Success Page from the Auth Server
• The Auth Server notifies the Client that his request was successful
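The steps above, modelled as an added example rather than Wifidog's own code: a toy auth server issues a one-time token at login, the gateway only opens its firewall for a client once the auth server has confirmed that token, and a replayed token or a token issued for a different gateway is refused. The URL paths, query parameters, port 2060 and the "Auth: 1" reply are assumptions for illustration, not Wifidog's real wire protocol.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed model of the gateway / auth server exchange described above.
# Paths, parameter names, port 2060 and the "Auth: 1" reply are assumptions.

class AuthServer:
    """Issues one-time tokens after login and validates them for the gateway."""

    def __init__(self, users, token_ttl=60):
        self.users = users          # {username: password}, constructed sample
        self.tokens = {}            # token -> (username, gw_id, issued_at)
        self.ttl = token_ttl

    def login(self, username, password, gw_id, gw_address, gw_port):
        # Steps 5-6: check credentials, then redirect the client back to the
        # gateway carrying a fresh one-time token as proof of authentication.
        if self.users.get(username) != password:
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = (username, gw_id, time.time())
        return f"http://{gw_address}:{gw_port}/wifidog/auth?" + urlencode({"token": token})

    def validate(self, token, gw_id):
        # Steps 8-9: the gateway asks whether this token is good. pop() makes
        # the token single use, so a replayed token is refused.
        entry = self.tokens.pop(token, None)
        if entry is None:
            return "Auth: 0"
        _username, issued_gw, issued_at = entry
        if issued_gw != gw_id or time.time() - issued_at > self.ttl:
            return "Auth: 0"
        return "Auth: 1"


class Gateway:
    """The AP side: unknown clients are redirected, validated ones pass."""

    def __init__(self, gw_id, address, port, auth_server):
        self.gw_id, self.address, self.port = gw_id, address, port
        self.auth = auth_server
        self.allowed = set()        # (client_ip, client_mac) pairs with access

    def handle_request(self, client_ip, client_mac, url):
        # Steps 1-2: a client the firewall does not know is sent to the auth
        # server with the gateway's identity and the page it wanted.
        if (client_ip, client_mac) in self.allowed:
            return ("PASS", url)
        redirect = "http://auth.mydomain.com/wifidog/login/?" + urlencode(
            {"gw_id": self.gw_id, "gw_address": self.address,
             "gw_port": self.port, "url": url})
        return ("REDIRECT", redirect)

    def receive_token(self, client_ip, client_mac, redirect_url):
        # Steps 7-10: the client presents its token; only after the auth
        # server confirms it does the firewall open for this client.
        query = parse_qs(urlparse(redirect_url).query)
        token = query.get("token", [""])[0]
        if self.auth.validate(token, self.gw_id) != "Auth: 1":
            return False
        self.allowed.add((client_ip, client_mac))
        return True
```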
GETTING OPENWRT ON THE WRT54G/GS

OpenWRT takes some time to compile. Once it is done, if you haven't run OpenWRT previously you need to do some work on your router first. The AP by default starts out on 192.168.1.1/24. The easiest way to configure the router is if you have a second ethernet interface in your Linux workstation: connect the AP on port 1 to the second ethernet interface, and use

    ip link set eth1 up; ip addr add 192.168.1.10/24 dev eth1

to configure it. Next do a quick ping 192.168.1.1 to make sure that you can see the AP. Now simply point a browser at http://192.168.1.1 and use admin/admin as the username/password. This is the default for the AP. The first thing you need to do is check the firmware version, which is displayed in the upper right hand corner. For the AP we used, the version was 3.37.7, but we needed 3.37.2 to enable the boot_wait option on the AP to install OpenWRT. A quick download from LinkSys, then follow the Administration -> Firmware upgrade option. Unzip the file from LinkSys; in this case we used WRT54GS_3.37.2_US_code.bin to downgrade the router. Simply select browse, select the file and select upgrade. Click continue once it completes, and now you should see 3.37.2 (or 3.01.3 if you are using a WRT54G v3.0). Refer to the OpenWRT documentation for details and specific version numbers, as they tend to change periodically.

In order for the OpenWRT installation to proceed we have to enable the boot_wait option in the firmware. This tells the AP to check for TFTP prior to loading the actual firmware, which gives us the opportunity to feed the AP an OpenWRT image. The hack is relatively simple: just paste each line below in turn into the address part of the ping web tool in the LinkSys firmware and select the ping button after each paste. If you did it correctly, you'll see an output of NVRAM at the end of the last ping. You must configure a static IP address on the Internet interface before trying this, otherwise it won't work. You don't need link up, just a configured IP on the Internet (WAN) interface.

    ;cp${IFS}*/*/nvram${IFS}/tmp/n
    ;*/n${IFS}set${IFS}boot_wait=on
    ;*/n${IFS}commit
    ;*/n${IFS}show>tmp/ping.log

When OpenWRT completes its build, the images are stored in bin/. Simply figure out the correct one for your hardware, then use tftp to transfer it. Remove the power from the AP, then issue:

    tftp 192.168.1.1
    tftp> binary
    tftp> rexmt 1
    tftp> timeout 60
    tftp> trace
    tftp> put openwrt-version.bin
    [Now power up the LinkSys WRT54GS]

Give it a few minutes, as OpenWRT has to go through a few hoops before the AP will respond to pings. Once it responds to pings, telnet to 192.168.1.1 and you should see the OpenWRT banner. If you use the squashfs image, you need to follow the commands in the OpenWRT docs to remove the /etc/ipkg.conf symlink and copy the actual file from rom. You may also need to use the nvram command to set the wan_ipaddr and wan_gateway options in the firmware. Removing /etc/resolv.conf and creating the file manually will also be required.

GETTING WIFIDOG ON THE WRT54G/GS

Next, to download and install wifidog simply:

    cd /tmp
    wget http://old.ilesansfil.org/dist/wifidog/wifidog_1.1.1_mipsel.ipk
    ipkg install wifidog_1.1.1_mipsel.ipk -force-overwrite

The -force-overwrite is required if you are running a later version of OpenWRT with iptables, as wifidog tries to install two ipt extensions that iptables has already installed. Now the wifidog client is installed on the AP. Edit /etc/wifidog.conf, and run wifidog -f -d 7 (debug mode). The configuration file is well documented and self explanatory.

AUTH SERVER

PostgreSQL, Apache and PHP 5 are required to get the Auth Server running. You install this on a local Linux box (not the AP). Simply download the auth server, make sure you have all the prerequisites listed in the INSTALL file available, copy the wifidog directory to your web server, plug the url into your browser (e.g. http://wifidog.mycompany.com/wifidog/install.php) and go through the steps.

WIFIDOG QUICKSTART CONFIG

This is not intended to provide a production configuration, but a quick start guide on what to set up in the config, the bare minimum to get wifidog running. Edit the GatewayID to match your AuthServer configuration.

    ExternalInterface vlan1
    GatewayInterface br0
    AuthServer {
        Hostname auth.mydomain.com
        SSLAvailable yes
        Path /
    }
    CheckInterval 60
    ClientTimeout 5
    ...

Leave the firewall rules at the default. Next configure the AuthServer, and then start wifidog on the AP.

TESTING

Now simply connect a WiFi device to the AP, try to browse somewhere, and if you correctly configured wifidog you'll be presented with the captive portal sign-up/login page.

FURTHER READING

OpenWRT http://www.openwrt.org
Wifidog http://www.wifidog.org
NoCat http://www.nocat.net
LinkSys http://www.linksys.com

NETWORK SECURITY
Intrusion Detection
INTRUSION DETECTION SYSTEMS (IDS) MAKE UP AN IMPORTANT PART OF ANY NETWORK SECURITY POLICY. WHY DO YOU NEED IDS, WHERE DO YOU PUT IDS AND HOW DO YOU DEPLOY IT? BY JOHN BUSWELL

An Intrusion is unauthorized network or system activity on your servers or networks. Intrusion Detection is the art of detecting this unauthorized activity amongst legitimate network traffic by sifting through the data flowing across your network. This article focuses on Network Intrusion Detection Systems (NIDS); another form of IDS is Host Intrusion Detection Systems (HIDS). The difference is primarily that the latter focuses on the protection of just one system. There are advanced solutions such as distributed IDS and IDS load balancing; these will be discussed in dedicated articles later in this series on IDS. Some businesses feel that complex IDS solutions are overkill because they operate a small business that nobody is going to be concerned with. However, these days it is the computing resources and your bandwidth to the Internet that attackers want, not necessarily your intellectual property or to disrupt your business. Think of attackers as network "carjackers": they don't care who you are, they just want your "car". An IDS solution will help detect signs that someone is looking for or trying specific exploits against your infrastructure in an attempt to gain further information or access. There is one aspect of IDS that is often overlooked by technical staff, and that is the legalities of performing Network IDS.

In many countries there are strict wire-tapping laws and regulations. If you do not already have an IDS in place, especially for small and medium sized businesses, it is always worth consulting with a legal expert to determine what laws and regulations you must abide by, as this may determine what you must disclose to employees and customers and how IDS information is reported. Snort is the de facto standard for intrusion detection/prevention systems. Snort utilizes a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. Snort is the most widely deployed IDS technology in the world. If you want to do network IDS, then Snort is the way to go. Snort supports IP defragmentation, TCP stream reassembly and stateful protocol analysis. This article is going to briefly introduce Snort to you, how to attach it to your network and where to look next. As the series progresses, we will look at advanced techniques such as defragmentation, custom rules and much more.

ATTACHING SNORT TO YOUR NETWORKS

Before going into compiling and configuring snort, it is important to understand that Snort, like other Network IDS solutions, must be attached to your network at the correct location, otherwise the effectiveness of the IDS solution is reduced. Typically the best location for small and medium sized businesses is to monitor links to/from the Internet. In a switched environment the router(s) to the Internet are connected to a switch port or VLAN; most enterprise grade switches support what's called port mirroring, or for Cisco users "SPAN". This allows you to configure the switch to take port or vlan traffic and duplicate it out a mirroring port. The downside to port mirroring is that on some switches, under heavy load, you can seriously impact the performance of the switch; also, if the traffic you are trying to monitor exceeds the capabilities of the mirroring port, you will not be able to mirror all packets at high network utilization. Another option is to insert a hub in-line and attach the IDS to the hub, allowing normal traffic to flow across the hub. The downside to this method is that data loss occurs due to collisions at high bandwidth utilization, it creates an additional single point of failure and you will lose full-duplex capabilities. A more expensive option is to use network taps; taps are discussed at length at http://www.snort.org/docs/#deploy. Cost, multiple NICs and a slightly more complex installation due to the addition of channel bonding in order to do stateful analysis are the downsides to using network taps.


For a typical small or medium business network, where LAN bandwidth utilization is low and the IDS is focused on low-bandwidth Internet links, a switch capable of port mirroring should be sufficient. With larger networks the cost of a tap is less cost prohibitive.

GETTING SNORT

The latest version of snort at the time this article was written is 2.4.3. Before installing snort, you may have to install pcre (Perl Compatible Regular Expressions), which is required by snort. Both pcre and snort support the usual POSIX ./configure; make && make install. If you're not building from source, you'll need to check if snort is available for your Linux distribution. Once built and installed, we can do a couple of check tests of snort in sniffer mode. Running ./snort -vde should dump real time packet data out to the local terminal; hit ctrl+c to stop it, and scroll up to make sure it's working. Snort will also log packet data for you: ./snort -l /tmp/testlog -b (assuming you have created a /tmp/testlog directory) will log the packets, which can then be read back via Ethereal or snort itself using ./snort -dv -r packet.log.

CONFIGURING SNORT

Since the purpose of this article is to introduce snort, configuration is kept to the basics. The config file for snort is located in /etc/snort.conf; if you installed from source, you'll need to copy it from ./etc/snort.conf in the source tree. The configuration file is fairly straightforward. To get running, simply configure HOME_NET to match your local network; you may also want to tweak the rulesets depending on the rules you are using. Modify RULE_PATH to /etc/rules or your own customized path. In addition to snort.conf, you will need to copy classification.conf, reference.conf and unicode.map to /etc. These are all in the ./etc directory in the source tree.

RULES

At the heart of snort are the rules. Without the rules Snort quickly becomes outdated and is less effective. There are four different sets of rules distributed for Snort. The Community Rules are available for free and are distributed under the GPL. The other three sets are variations of the Sourcefire VRT Certified Rules: unregistered, registered and subscription. The unregistered rules are updated with each major release of Snort, maybe once a quarter. The registered rules require agreeing to a licensing agreement, and are released 5 days after they are made available to subscribers. Subscribers pay a modest fee for real-time access to new rules. Once you have your rules, copy the rules/ contents over to /etc/rules unless you changed the path in the snort.conf.

SNORT IN-LINE

Snort supports integrated intrusion prevention system capabilities with the snort_inline feature. This feature receives packets from iptables instead of libpcap and then applies rules to help iptables accept or drop packets based on Snort rules. We will look at Snort's IPS features in a future article.

RUNTIME

Snort is now ready to go; to start it up simply execute:

    mkdir -p /tmp/testlog
    ./snort -d -l /tmp/testlog/ -c /etc/snort.conf

The /tmp/testlog directory is where snort will store its log files; you will want to monitor the alert log. Now that you are up and running, you will need to go back over the configuration files in detail, look at the Snort documentation on how to write your own rules, and tweak the rulesets to best suit your needs.
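Monitoring the alert log by eye does not scale past a handful of alerts, so here is an added example (not from the article or the Snort project) that parses a log in the layout of Snort's full alert output and summarises it by source address and signature, filtered by priority. The log lines, sids, addresses and timestamps are constructed samples.

```python
import re
from collections import Counter

# Constructed sample in the layout of Snort's full alert log (the "alert"
# file under /tmp/testlog). Sids, messages, addresses and times are made up.
SAMPLE_ALERT_LOG = """\
[**] [1:1000001:1] LOCAL web scanner probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/20-10:15:02.123456 203.0.113.5:42133 -> 192.168.1.10:80
TCP TTL:52 TOS:0x0 ID:17 IpLen:20 DgmLen:60 DF

[**] [1:1000002:1] LOCAL SSH brute force [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/20-10:15:09.654321 203.0.113.5:51020 -> 192.168.1.10:22
TCP TTL:52 TOS:0x0 ID:18 IpLen:20 DgmLen:60 DF

[**] [1:1000001:1] LOCAL web scanner probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/20-10:16:40.000001 198.51.100.7:33000 -> 192.168.1.10:80
TCP TTL:60 TOS:0x0 ID:19 IpLen:20 DgmLen:60 DF
"""

# One regex per line type of the full alert format (IPv4 only, as in Snort 2.4).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")


def parse_alerts(text):
    """Turn a full-format alert log into a list of alert dicts."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()          # Snort leaves trailing spaces on some lines
        m = HEADER_RE.match(line)
        if m:                        # a new "[**] [gid:sid:rev] msg [**]" record
            current = {"gid": int(m.group(1)), "sid": int(m.group(2)),
                       "rev": int(m.group(3)), "msg": m.group(4)}
            alerts.append(current)
            continue
        if current is None:          # text before the first record is ignored
            continue
        m = CLASS_RE.match(line)
        if m:
            current["classification"] = m.group(1)
            current["priority"] = int(m.group(2))
            continue
        m = PACKET_RE.match(line)
        if m:
            current["timestamp"] = m.group(1)
            current["src"], current["sport"] = m.group(2), int(m.group(3))
            current["dst"], current["dport"] = m.group(4), int(m.group(5))
    return alerts


def summarise(alerts, max_priority=2):
    """Count alerts per source and per (sid, msg), keeping priority <= max_priority.

    Snort priority 1 is the most severe, so a lower cap means fewer, louder alerts.
    """
    kept = [a for a in alerts if a.get("priority", 99) <= max_priority]
    return {"by_source": Counter(a["src"] for a in kept),
            "by_sid": Counter((a["sid"], a["msg"]) for a in kept)}
```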

FURTHER READING

The snort.org website has a considerable amount of documentation, papers and articles that go into many different aspects of snort and intrusion detection. If you are interested in a book, Snort 2.1 Intrusion Detection by Syngress is a good way to get started quickly with snort, but it doesn't cover the Intrusion Prevention features in 2.3.0 and later. The Prelude IDS framework for integrating different IDS sources is worth a look; the project site is available at http://www.prelude-ids.org.

NEXT

The next IDS article will look at testing the Snort installation, automated rule updates, barnyard and Snort front ends.