
CONTENTS

Editorial 6
Events 8
Report 9

NEXT MONTH @ O3
Linux on IBM mainframes, Grids, Clusters and Linux, Porting to the zSeries, Introducing dNMS and more..

SECURITY
Mod_Security 11
A next generation Web Application security solution, providing IDS/Firewall for Web Applications. Supports Apache.

INTERNET
Introduction to AJAX 17
Abul Asim M. R. Qarshi looks at AJAX, a solution for refresh-less web applications. AJAX in action on Google Maps.

WEB TECH
On the right track 20
Keeping web projects on track and within budget using Rapid Web Development tools such as Ruby on Rails and Ruby Gems.

BUSINESS
Rapid Web Dev 25
James Hollingshead provides a detailed introduction to Rapid Web Development, and the cost savings benefits.

NETWORKING
SCTP vs TCP 28
A look at SCTP, and a comparison with TCP.

VOIP (Voice over IP)
Rails Integration 34
Asterisk/Ruby on Rails integration with RAGI. An Open Source solution that enables rapid development with Asterisk.

PostgreSQL 8.1 38
The advanced open source database.

Intrusion Detection 42
Testing Snort, extras and rules..

O3 Magazine / December 2005 Page 4

EDITORIAL
Down to business..
O3 HAS ARRIVED AND NOW IT'S DOWN TO BUSINESS...
BY JOHN BUSWELL

Everyone here at O3 would like to thank our readers for taking the time to check out the magazine last month. We would also like to send a special thanks to everyone who sent us suggestions, and a very special thanks to the great Scribus community for pointing us in the right direction with some advanced PDF techniques. This month you will notice some major enhancements: we have added RSS subscription feeds, a "podcast" style automated RSS 2.0 feed, an announcement mailing list and, most importantly, PDF links. Please keep the suggestions coming, and we will do our best to accommodate as many of the requests as possible. Last month was a huge success. O3 was read in over 140 countries with more than half a million readers, but most importantly, the community has rallied around O3. The feedback we received shows us that O3 fills a gap which has existed for quite some time in the Open Source world. We realize that the gap O3 fills requires a great deal of responsibility, and we hope you find our commitment to Open Source (and high quality content) is worthy of your time each month. This month we look at rapid web development and AJAX. While our focus is on Ruby and Ruby on Rails, I want to highlight that Ruby based solutions are not the only open source rapid web development tools available.

James Hollingshead looks at a wide variety of tools including those for PHP, Python and Ruby, as well as a top down view on rapid web development in general. This month's Internet article looks at AJAX and SAJAX and examines Google Maps as an example of what AJAX is capable of. An in-depth look at Ruby on Rails, integrating Ruby on Rails with Asterisk in our VoIP article, along with a look at SCTP, Postgres and our continued IDS series wrap up this month's articles. Next month, O3 focuses on "Big Iron" solutions. We take an in-depth look at Linux on the IBM zSeries mainframes, porting applications to the zSeries, VoIP applications you can run on the zSeries and a look at alternatives to mainframes (including grids, clusters and other distributed systems). Issue 3 will continue our IDS series looking at IDS Load Balancing, building secure Linux based appliances and an introduction to a new project called dNMS. O3 is a media sponsor for Linux Asia 2006, we look forward to the event and sponsoring many other events in the near future. In conclusion, I would also like to take the opportunity to wish all of our readers a happy and peaceful holiday season from everyone here at O3 Magazine. I found a great charity called Childs Play, it is worth a look over at http://www.childsplaycharity.com.

O3 Magazine
December 2005 Issue 2
WITH OVER HALF A MILLION READERS IN OVER 140 COUNTRIES WORLDWIDE

EDITOR IN CHIEF
JOHN BUSWELL EDITOR@O3MAGAZINE.COM
EXECUTIVE EDITOR
JAMES HOLLINGSHEAD JAMES@O3MAGAZINE.COM
ARTWORK
JOHN BUSWELL
PROOF READERS
GREG JORDAN, SHAWN WILSON, FRANK BOYD, STEW BENEDICT
SALES AND MARKETING
GREG JORDAN SALES@O3MAGAZINE.COM
SUBSCRIPTIONS
O3 MAGAZINE IS DISTRIBUTED ELECTRONICALLY FREE OF CHARGE BY SPLICED NETWORKS LLC. TO SUBSCRIBE VISIT WWW.O3MAGAZINE.COM.
SOFTWARE
SCRIBUS 1.3.1, GIMP 2.0.5, OPENOFFICE 1.1.2
COPYRIGHT (C) 2002-2005 SPLICED NETWORKS LLC


EVENTS
UPCOMING EVENTS

22ND CHAOS COMMUNICATION CONGRESS
DECEMBER 27 - 30 2005
BERLIN, GERMANY
HTTP://WWW.CCC.DE/CONGRESS/2005

OOP 06 (OBJECT ORIENTATED PROG. CONFERENCE)
JANUARY 16 - 17 2006
MUNICH, GERMANY
HTTP://WWW.SIGSDATACOM.DE/SD/KONGRESSE/OOP_2006/INDEX.PHP

OPEN SOURCE IN THE ENTERPRISE
JANUARY 23 - 25, 2006
SAN FRANCISCO, CALIFORNIA
HTTP://WWW.MARCUSEVANSBB.COM/OPENSOURCE

LINUX.CONF.AU
JANUARY 23 - 28, 2006
DUNEDIN, NEW ZEALAND
HTTP://LCA2006.LINUX.ORG.AU

O'REILLY EMERGING TELEPHONY CONFERENCE
JANUARY 24 - 26, 2006
SAN FRANCISCO, CALIFORNIA, USA
HTTP://CONFERENCES.OREILLYNET.COM/ETEL

DITA: GETTING STARTED
JANUARY 31 - FEBRUARY 1, 2006
MOUNTAIN VIEW, CALIFORNIA, USA
HTTP://WWW.COMTECHSERV.COM/WORKSHOPS/DITA.SHTML

LINUX SOLUTIONS
JANUARY 31 - FEBRUARY 2, 2006
PARIS, FRANCE
HTTP://WWW.SOLUTIONSLINUX.FR

LINUXASIA 2006
FEBRUARY 8 - 10 2006
NEW DELHI, INDIA
HTTP://WWW.LINUXASIA.NET

LINUXWORLD EXPO
FEBRUARY 14 - 17 2006 (MEXICO CITY, MEXICO)
MARCH 28 - 30 2006 (SYDNEY, AUSTRALIA)
APRIL 3 - 6 2006 (BOSTON, UNITED STATES)
APRIL 20, 2006 (KUALA LUMPUR, MALAYSIA)
APRIL 24 - 26 2006 (TORONTO, CANADA)
HTTP://WWW.LINUXWORLDEXPO.COM

HAVE AN UPCOMING EVENT? TELL US ABOUT IT, SEND EMAIL TO EVENTS@O3MAGAZINE.COM WITH DETAILS.

FEATURED FUTURE EVENT
LinuxAsia is an open source conference and expo which has been held annually in New Delhi since 2004. It is a venue where decision makers, analysts, managers, and technologists from both industry and government come to learn, network, and interact with their open source peers from both India and around the world. LinuxAsia is being organized by the Electronics For You (EFY) Group (http://www.electronicsforu.com/) and Technetra (http://www.technetra.com/). The conference advisory committee includes members from IIT Bombay, Stanford University, Intel, IBM, Red Hat, Open Source Initiative, Novell, and Intel Capital. O3 Magazine is a media sponsor of LinuxAsia 2006.


REPORT
DECEMBER OPEN SOURCE REPORT

Welcome to the Open Source Report. This is the section of O3 where we give a brief run-down of the major applications which made releases during the month.

RUBY ON RAILS http://www.rubyonrails.org/ Release: 1.0
Rails has now reached a 1.0 release, making it a more solid, stable and polished release over previous versions.

APACHE http://www.apache.org/ Release: 2.2.0
The latest release of Apache is the start of a new stable branch. This release has added Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization.

SIEGE http://www.joedog.com Release: 2.65b1 (beta)
The latest release of Siege includes several bugfixes and improvements, including improved header handling.

MILLSTONE http://www.millstone.org/ Release: 3.1.0
The latest release of Millstone includes many new features for UI components, better integration with different J2EE environments, and enhancements required for upcoming AJAX support.

XEN http://www.cl.cam.ac.uk/Research/SRG/netos/xen/index.html Release: 3.0.0
The latest release of Xen adds support for Intel's hardware virtualization mechanism, SMP guest systems (with hot-pluggable virtual CPUs), large memory support, trusted platform module support, a port to the IA-64, and initial support for PowerPC architectures as well as numerous bugfixes and minor updates.

RRDTOOL http://people.ee.ethz.ch/oetiker/webtools/rrdtool/ Release: 1.2.12
Bugfixes: fewer memory leaks and double-frees, and proper UNKNOWN handling when using N: for updating. New features: RRD trac on the RRDtool Web site, no more libcgi requirement, and faster graphing.

FETCHMAIL http://fetchmail.berlios.de/ Release: 6.3.0 (stable)
The latest release of Fetchmail includes a few configuration changes and bugfixes. Some documentation and translation updates have also been made in order to improve stability and protocol conformance, improve bounce and warning messages, and to improve portability.

ZOPE http://www.zope.org Release: 3.1.0
Zope is an application server specializing in content management, intranets, and custom Web applications. It is written in Python and has a large global community of developers and companies.


SECURITY
ModSecurity
MODSECURITY IS AN OPEN SOURCE WEB APPLICATION FIREWALL THAT PROVIDES INTRUSION DETECTION AND PREVENTION FOR WEB APPLICATIONS BY JOHN BUSWELL

Modsecurity is an Open Source Web Application Firewall which provides intrusion detection and prevention for any web application running on the server that Modsecurity is protecting. It is built as a module for Apache, and for the purposes of this article, we will be looking at modsecurity 1.9.1 running on Apache 2.0.55. It works by applying a filter engine to inbound HTTP requests, running the request through a number of built-in checks and user customized filter rules and then, if a positive match occurs, taking a specific action.

SECCHROOTDIR

While the security features Modsecurity provides are excellent, it has one particular feature which I feel makes it the killer application for web security in general. That feature is chroot() capabilities. If you have ever spent the time running ldd against libraries and binaries, manually chrooting Apache (something which becomes far more of a chore once you start adding PHP, MySQL and other extensions into Apache), then you will really appreciate this feature. Once modsecurity is applied to Apache, typically as a DSO module, you simply add the directive SecChrootDir and the path as in the example below:

SecChrootDir /chroot/apache

That's it - you don't need to keep binaries, libraries and other things that you'd normally have to transfer over. Obviously, if you're running CGI scripts, you'll need to make sure those scripts don't require any additional libraries, but as for Apache itself, the job is done. If you are running Apache multi-threaded, then you may need to add LoadFile /lib/libgcc_s.so.1 to get pthread_cancel to work.

File Uploads and Server Identity Masking

Modsecurity has the capability of intercepting files uploaded through POST requests with multipart/form-data encoding or through PUT requests. It also enables you to store those files in a temporary directory using SecUploadDir and then execute a script through SecUploadApproveScript to approve the upload. The modsecurity documentation also provides a good example on how to integrate this feature with the Open Source anti-virus software ClamAV. While Apache 2.0 supports the ServerTokens directive, it still reveals through the HTTPD / HTTPD/1.1 command that you are running Apache. While you can always modify the source, modsecurity provides a SecServerSignature directive which you can use to simply change it to any string that you desire.
WEB APPLICATION SECURITY VULNERABILITIES

Before going into too much detail on the capabilities of modsecurity and how to use them, we will look at the reason you need it in the first place. The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. The OWASP community continues to do a great job, and the documentation they provide is an excellent starting point on what to do in order to protect your web server against attacks with modsecurity. It is even more useful if you don't already have event information from an existing Intrusion Detection System such as snort. For the purpose of this article, we will focus on relevant security issues in the top 10 Web Application Security Vulnerabilities published by OWASP:

• Unvalidated Input
• Broken Access Control
• Broken Authentication/Session Management
• Cross Site Scripting
• Buffer Overflows
• Injection Flaws
• Improper Error Handling
• Insecure Storage
• Denial of Service
• Insecure Configuration Management

Four of these issues are problems that can be addressed through other means. We will briefly look at those here and then move on to using modsecurity to protect against the rest. Broken Access Control refers to improperly enforced access control - users having access to information that they shouldn't. This can be addressed through file system enforcement combined with a proper authentication system such as Radius. Apache's access control system can easily be patched to work with Radius. Likewise, Broken Authentication and Session Management can also be addressed partially that way. Ruby on Rails is a good example of a system that provides an enforceable secure session management system. Session Management is something that you will need to address within your broken application. Insecure Storage refers to weak (or a lack of) encryption when storing sensitive information such as passwords or credit cards. Typically this information is stored in a database, but the information should be stored in an encrypted manner in case the database is compromised and the data dumped, such as through an SQL Injection attack. Again, this is an application design/coding related issue that needs to be addressed in the program itself. The last item on the list that we won't cover is Insecure Configuration Management. Modsecurity is an advanced security measure, so if you are looking at modsecurity, we are going to make the assumption that you've already taken the basic steps to secure your standard web server configuration. The Apache documentation is a good place to start; I would also recommend Apache Security by Ivan Ristic and Hardening Apache by Tony Mobily. Both of those books will act as an excellent resource to guide you through securing your Apache configuration.

WHAT TO INSPECT

As with all security inspections, whether it's packet filtering, HTTP request inspection or security at the airport, there will always be some kind of performance cost. While the cost of modsecurity is relatively small and the benefits far outweigh the hit to performance, it is possible to save resources on your web server by inspecting dynamic requests only (PHP, Ruby, etc) and ignoring your static files. This is achieved by SecFilterEngine DynamicOnly. Modsecurity has the capability of scanning POST requests, and while POST is typically used for uploads, scanning POST requests at least for multipart/form-data and application/x-www-form-urlencoded will enable you to detect potential attacks coming through forms and help protect web applications that may not validate input correctly. Obviously, if you don't use POST or forms on your content, using modsecurity to deny these types of requests would be part of your security policy. Scanning of specific content types can be switched off dynamically using environment variables such as MODSEC_NOPOSTBUFFERING.

RULES

Rules are compared to incoming HTTP requests. When a positive match is achieved, the filtering engine will perform the action associated with the rule. Rules are defined with the directive SecFilter followed by a keyword. In its simplest form, SecFilter foobar, the filtering engine would match any occurrence of foobar in a HTTP request. The power of the SecFilter directive is realized when you use regular expressions instead of just a plain keyword. (A regular expression is a type of tiny programming language designed to match patterns within a block of text.) While SecFilter is great for performing broad searches, the SecFilterSelective directive allows you to perform accurate pattern matching within specific locations of a HTTP request. The format is SecFilterSelective LOCATION KEYWORD [ACTIONS]. The SecFilterSelective command supports all CGI variables as well as a long list of location identifiers. These identifiers are listed in the modsecurity manual. Modsecurity supports inverted selection using the exclamation mark (!) in front of a particular keyword or location. Modsecurity also supports cookie processing; by default cookies use version 0 (Netscape-style) but it also supports RFC 2965 version 1 cookies.
ACTIONS

Actions tell modsecurity what to do when a specific match occurs. Actions can be combined within quotes and comma separated; for example SecFilterDefaultAction "deny,log,status:500" will deny, log and return a 500 status back to the client. A default action should be defined as a catchall, similar to that in packet filtering. Depending on your security policy, you might want the catchall to allow and log, or deny and log. Actions can be defined per rule at the end of a SecFilter or SecFilterSelective directive. It is also possible to create lists which fall under the same set of actions. This is achieved by placing a SecFilterSignatureAction directive with the action at the top of a list of SecFilter/SecFilterSelective directives. Those filter commands below the SecFilterSignatureAction will inherit that action instead of the default. The pass action allows a filter to match and perhaps to log a specific event, before allowing filtering to continue. The allow action is a positive match: filtering stops and the request is permitted to continue. Likewise, the deny action will stop filtering and prevent the request from continuing. If a particular request is denied, you can use the status: action to respond back to the client with a specific HTTP result code. On a filter match, the redirect action enables the server to redirect to a given URL. If you have mod_proxy installed, the proxy: action can be used to rewrite the request through the internal reverse proxy, for web content acceleration and other applications. The exec action enables you to execute an external application handler on a filter match, perhaps to mitigate a specific attack. The skipnext and chain actions allow you to manage multiple rules as part of a group, while the pause action allows for a specific delay before responding to a request. There are log, nolog, auditlog and noauditlog actions to dictate how a specific request may or may not be logged. There are also actions for custom logging – id, rev, msg and severity. The mandatory action marks a rule, chain or rules for mandatory inheritance in subcontexts. The setenv and setnote actions provide the ability to set or unset a named environment variable or note within Apache.
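The following is an added example, not code from the article, showing how the SecFilter and SecFilterSelective rules and the action keywords described above fit together in an httpd.conf fragment for modsecurity 1.9. The patterns, parameter names, addresses and the www.example.com redirect target are constructed for illustration.

```apache
# Added example (not from the article): SecFilter, SecFilterSelective and the
# action keywords in one httpd.conf fragment for modsecurity 1.9. The patterns,
# parameter names, addresses and the redirect target are constructed.
<IfModule mod_security.c>
    SecFilterEngine On
    # Catch-all applied to every rule that carries no action list of its own
    SecFilterDefaultAction "deny,log,status:500"

    # Broad keyword search over the whole request
    SecFilter foobar

    # Regex confined to one location; a per-rule action list overrides the default
    SecFilterSelective ARGS "\.\./" "deny,log,status:403,msg:'traversal'"

    # Inverted selection (!): match when the request line is NOT plain ASCII
    SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"

    # Every rule below inherits this action set instead of the default:
    # these two only log (pass) and let filtering continue
    SecFilterSignatureAction "log,pass,msg:'watchlist'"
    SecFilterSelective HTTP_User-Agent "^$"
    SecFilterSelective ARG_debug "!^$"

    # chain: the second rule is evaluated only when the first one matched;
    # here POST bodies must carry one of the two content types modsecurity scans
    SecFilterSelective REQUEST_METHOD "^POST$" chain
    SecFilterSelective HTTP_Content-Type "!^(multipart/form-data|application/x-www-form-urlencoded)" "deny,log,status:415"

    # skipnext:1 jumps over the next rule, so the loopback address may reach /admin/
    SecFilterSelective REMOTE_ADDR "^127\.0\.0\.1$" "pass,skipnext:1"
    SecFilterSelective REQUEST_URI "^/admin/" "deny,log,status:403"

    # redirect instead of deny, and pause (milliseconds) before the reply is sent
    SecFilterSelective REQUEST_URI "^/old-app/" "redirect:http://www.example.com/new-app/"
    SecFilter "/etc/passwd" "deny,log,pause:2000,status:404"
</IfModule>
```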
LOGGING AND AUDITING

SecFilterDebugLog allows you to configure a debug log, along with the SecFilterDebugLevel directive, which defines a 0-9 scale for the debugging level, 0 being none and 3 being most detailed, with the rest used for internal debugging. Modsecurity, however, provides a detailed audit log feature which is far superior to the typical Apache log when trying to trace back the activities of a user or an attacker. This feature can generate a lot of log data as each request contains full HTTP headers, so if you have a busy server, expect a lot of logs. The SecAuditEngine On/Off directive toggles the feature; it also supports RelevantOnly and DynamicOrRelevant, which log only relevant requests and only dynamic or relevant requests respectively. The SecAuditLog directive defines the log. When using ModSecurity on dynamic requests, you should change any AddType application/x-httpd-php .php lines in your config to AddHandler instead of AddType so that Apache handles the requests in a manner which Modsecurity can audit properly. The change has no effect on functionality; it simply enables modsecurity to utilize the Apache internal handler.
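An added example (not part of the article) that gathers the deployment directives discussed so far (engine mode, POST scanning, chroot, upload handling, server signature, audit and debug logging, the AddHandler change, and the timing notes described in the Performance section) into one Apache 2.0 / modsecurity 1.9 fragment. The chroot path, upload directory, approval script, server signature string and log file names are assumptions.

```apache
# Added example (not from the article): the deployment directives discussed in
# the text in one httpd.conf fragment for Apache 2.0.55 with modsecurity 1.9.1
# loaded as a DSO. Chroot path, upload locations, script and log names are assumed.
LoadModule security_module modules/mod_security.so
# Needed for pthread_cancel when Apache runs multi-threaded inside the chroot
LoadFile /lib/libgcc_s.so.1

<IfModule mod_security.c>
    # Inspect dynamic requests only (PHP, Ruby, ...) and leave static files alone
    SecFilterEngine DynamicOnly
    # Buffer and scan POST bodies, not just the request line and headers
    SecFilterScanPOST On
    # Catch-all action for every rule without its own action list
    SecFilterDefaultAction "deny,log,status:500"

    # Chroot Apache after start-up; nothing else has to be copied into the jail
    SecChrootDir /chroot/apache

    # Stage multipart/PUT uploads and have a script approve each one. Assumption:
    # both paths are resolved inside the jail once the chroot has taken effect,
    # so the script (like a CGI) must not need libraries outside it
    SecUploadDir /tmp/modsec-uploads
    SecUploadApproveScript /bin/modsec-upload-check

    # Replace the server identity string that ServerTokens still reveals
    SecServerSignature "WebServer"

    # Audit log with full headers, but only for requests that matched a rule
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit_log

    # Debug log; levels 1-3 are for administrators, 3 being the most detailed
    SecFilterDebugLog logs/modsec_debug_log
    SecFilterDebugLevel 1
</IfModule>

# Dispatch PHP through Apache's handler so modsecurity can audit those requests
AddHandler application/x-httpd-php .php

# The three timing notes from the Performance section, logged in microseconds
LogFormat "%h %t \"%r\" %>s %{mod_security-time1}n %{mod_security-time2}n %{mod_security-time3}n" modsec_timing
CustomLog logs/modsec_timing_log modsec_timing
```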
UNVALIDATED INPUT

The top security problem on the OWASP list is processing input data without properly validating it. While this is really something the application developer should have taken into account, in practice not all web application developers take security into account. The combination of regular expressions (regex) and the SecFilter command enables the administrator to configure filter rules to look for any additional data, such as paths or escape code sequences, tacked onto the end of valid input.

CROSS SITE SCRIPTING

A cross site scripting attack (XSS) occurs when HTML and/or Javascript code is injected into a web page by an attacker and that code is then executed by other users who view the page. When successfully executed, an attacker could obtain access to the cookie within a session and thus gain full control of your web application. This type of attack is filtered out by using SecFilter "<script" and SecFilter "<.+>", which will prevent Javascript and HTML code respectively from being injected. There are many applications, such as a CMS, forums and so forth, which actually want HTML in parameters. In such cases, you can use SecFilterSelective within VirtualHost or Location directives in Apache to permit and control the exact parameters that need to be permitted to the web applications.

BUFFER OVERFLOWS

Buffer overflows involve overflowing the stack and adding assembler code in an attempt to get that code executed. Modsecurity enables you to prevent such attacks by using SecFilterByteRange 32 126. This permits ASCII codes between decimal 32 (SPACE) and decimal 126 (~) (see man ascii on any Linux system for information). However the character encoding could prevent this from working all the time, so to back up this command you can use SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$", which will achieve the same thing with regular expressions.

IMPROPER ERROR HANDLING

Improper Error Handling refers to the display of error messages and internal information to the user in the browser. If a malicious user can reproduce these types of errors, they can learn more about the system in order to develop an attack. In order to protect against this type of error, you must enable output filtering, which is only supported in the Apache 2 version of modsecurity. The SecFilterScanOutput On directive will enable the feature; then simply use OUTPUT as the location for SecFilterSelective. This makes it easy to catch output errors in languages such as PHP, which can be stopped with:

SecFilterSelective OUTPUT "Fatal error:" deny,status:500
ErrorDocument 500 /php-fatal-error.html

INJECTION FLAWS

SQL injection and operating system command execution are two common types of injection flaws that plague web applications. SQL injection involves placing SQL commands into a request which, if the application is not carefully coded to protect its database, will result in those SQL commands being executed against the database. This could be easily used to dump user information or credit cards or simply to delete tables from the database. To protect against these types of attacks, the following will check for most SQL attacks by checking for SQL commands within the request:

SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

A similar technique, such as filtering for "bin/" or "opt/" within ARGS or other request locations, will prevent most command execution attacks. However, if you have executables accessible from the web server, covering those paths is necessary as well.

DENIAL OF SERVICE

Modsecurity 1.9 combined with a tool called httpguardian (http://www.apachesecurity.net/tools) can be used to provide the stateful information required to defend against Denial of Service (DoS) attacks. The SecGuardianLog command sends all access data to another program using the piped logging feature. The http-guardian tool uses a blacklist tool to interact with iptables in order to dynamically block offending IP addresses during a DoS attack.
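As an added example (not from the article), here are the filters given above for the OWASP categories collected into one modsecurity 1.9 fragment for Apache 2, together with a per-Location relaxation for an application that legitimately accepts HTML in one parameter. The /cms path, the id and body parameter names and the error page are constructed; the byte range directive is written as the 1.9 manual spells it, SecFilterForceByteRange.

```apache
# Added example (not from the article): the filters for the OWASP categories
# discussed in the text, in one httpd.conf fragment for modsecurity 1.9 on
# Apache 2. The /cms path, the id and body parameter names and the error page
# are constructed.
<IfModule mod_security.c>
    SecFilterEngine DynamicOnly
    SecFilterScanPOST On
    SecFilterDefaultAction "deny,log,status:500"

    # Unvalidated input: an id must be digits only, so a path or escape
    # sequence tacked onto the end of a valid value is rejected
    SecFilterSelective ARG_id "!^[0-9]+$"

    # Cross site scripting: no script tags and no HTML tags in any parameter
    SecFilter "<script"
    SecFilter "<.+>"

    # Buffer overflows: only printable ASCII 32-126 (the 1.9 manual spells the
    # directive SecFilterForceByteRange), backed by the equivalent regex check
    SecFilterForceByteRange 32 126
    SecFilterSelective THE_REQUEST "!^[\x0a\x0d\x20-\x7f]+$"

    # Injection flaws: SQL verbs anywhere in the request, and filesystem paths
    # in parameters that would point at executables
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "select.+from"
    SecFilterSelective ARGS "(bin/|opt/)"

    # Improper error handling: inspect the response body (Apache 2 only) and
    # stop a PHP fatal error from reaching the browser
    SecFilterScanOutput On
    SecFilterSelective OUTPUT "Fatal error:" "deny,status:500"
</IfModule>
# Neutral page served in place of the PHP error text
ErrorDocument 500 /php-fatal-error.html

# An application that legitimately accepts HTML in one parameter: start from a
# clean rule set here, keep the tag filter for every other parameter, and still
# refuse script tags in the body parameter
<Location /cms/edit.php>
    SecFilterInheritance Off
    SecFilterSelective "ARGS|!ARG_body" "<.+>"
    SecFilterSelective ARG_body "<[[:space:]]*script"
</Location>
```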
TESTING

Modsecurity comes with a small test utility called run-test.pl which enables you to send HTTP requests contained within a specific file to a host. The utility allows you to craft HTTP requests that might be used by an attacker or a valid user in order to make sure your filter rules and actions are working correctly. Nikto is an Open Source web server scanner which can perform comprehensive tests against web servers and is definitely worth a look. The OWASP project is also a good source of tools and white papers on building custom security assessment tools for web applications.
PERFORMANCE AND CONCLUSION

Modsecurity has a small performance cost, and the time to process regex is extremely short. Our testing showed around a thousand rules on Apache 2 running on a server with a 2.4 GHz processor took under 6 ms. With the latest release of modsecurity for Apache 2 there are a number of performance measurements which you can inject into the CustomLog directive in Apache 2. These are specific to modsecurity 1.9 and above. The notes are mod_security-time1, mod_security-time2 and mod_security-time3. Time1 represents that modsecurity initialization is complete and the body of the request has been read if POST scanning is enabled, time2 that the rule processing has completed, and at time3 the response is ready and is waiting to be sent to the client. The output is displayed in microseconds. Overall, modsecurity is extremely easy to build and install and, with a good security policy design, is relatively simple to configure. If packet filtering on the edge of your network is your first line of defense, then Modsecurity should be part of the last line of defense on your server. Modsecurity prevents programming errors and security flaws in third party applications from becoming catastrophic security problems. If you are running Apache, and not running Modsecurity, you need to look carefully at deploying Modsecurity sooner rather than later.

John Buswell is co-founder and Chief Technology Officer of Spliced Networks LLC. He can be reached by email (johnb@splicednetworks.com).


INTERNET
Asynchronous JavaScript and XML (AJAX)
AJAX IS A COMBINATION OF DIFFERENT TECHNOLOGIES TO PROVIDE A FRAMEWORK FOR BUILDING INTERACTIVE WEB APPLICATIONS. BY ABUL ASIM M.R. QARSHI

Asynchronous JavaScript and XML (AJAX) is a new development approach for building richer, more interactive and responsive web applications. AJAX is not a technology in itself, but rather is a way of using several technologies including HTML or XHTML, Cascading Style Sheets, JavaScript, the Document Object Model, XML, XSLT and the XMLHttpRequest object. The interaction mechanism of a web application is different from your average desktop application. Each instance of a web page needs to communicate with the server in order to get the response which it needs to update. This is time consuming and lowers the user experience. Let's consider an application which displays photos as an example. Since the application is running on the web server and not at the client's side, when the user wants to see the next photo, the whole page has to be rendered from scratch even though 95-99% of the content never changes. Now consider this same application again, but this time running as a desktop application: when the user clicks to see the next photo, it goes smoothly and only has to render the photo, because it's running entirely on the client side. The gap that exists between the perceived behavior of desktop and web applications is closed down by AJAX since it is processed at the client's side. AJAX can be used to make Rich Internet Applications (RIA) which can have an interface consisting of a desktop-like GUI component running on a standard browser without increasing the size of the document.
HOW AJAX WORKS

AJAX applications use an AJAX engine which resides in an intermediate application layer between the user and the web server. This AJAX engine is written purely in JavaScript and is sometimes placed in a hidden frame. Although some people might argue that using an intermediate layer will make it less responsive, the opposite is true in the case of AJAX since the resulting applications are actually more responsive. How is this possible? When a web page is accessed by the user for the first time, the AJAX engine is loaded by the browser. This engine is responsible for rendering the user interface as well as fetching data from the web server in the form of XML by using the XMLHttpRequest object. Now the whole application is running on the AJAX engine and doesn't need to render the page at the server. The AJAX engine allows the user's interaction with the application to happen asynchronously (independent of communication with the server). This means that the user is never staring at a blank browser window while waiting around for the server to do something.

http://maps.google.com (mainstream AJAX)
AJAX DEVELOPMENT TOOLKITS

AJAX engines are rather complex pieces of code written in JavaScript, and it's not easy to write one for yourself. Fortunately, there are several third party development toolkits for writing AJAX based web applications. The three listed below are by no means an exhaustive list, but they are a nice place to start.

• Bindows: http://www.bindows.com
• Dojo toolkit: http://dojotoolkit.org
• Sajax: http://www.modernmethod.com/sajax
AJAX BASED WEB APPLICATIONS

As AJAX has gained in popularity, it's gotten out of the laboratories and onto production servers in the form of both simple and complex real world web applications. It even seems to have become one of the favorite technologies at Google since they have been creating so many applications using AJAX. Below is a short list of some things that AJAX is currently being used for out in the real world.

MIDNIGHT CODERS

http://www.themidnightcoders.com/examples/ Several AJAX based application examples are listed here.

GOOGLE MAPS

http://maps.google.com One of the best examples of the capabilities of an AJAX application is Google Maps. For those of you unfamiliar with this application, it is a quick loading, responsive map of the world which offers a great deal of functionality including the ability to search for locations and directions. The really impressive thing, though, is the fact that it responds basically in real time both to searches and to keyboard and mouse commands to move across the map and to zoom. We're not talking about zooming into a simple wireframe style map either. Google Maps allows for browsing a standard style map complete with borders, cities, etc., a satellite map, or an overlay of the standard map on the satellite image. It really has to be one of the most impressive AJAX applications that I've seen.

GMAIL

http://www.gmail.com Google's web mail service.

MEEBO

http://www.meebo.com A multiple client instant messenger built with AJAX which allows you to use AIM, Yahoo!, MSN, ICQ and Jabber/Gtalk without having to install any software.

CALENDAR HUB

http://www.calendarhub.com An online calendar which can either be kept private or made public.

Now that we have done a brief overview of AJAX and you've had a chance to see several services based on the technology, we hope that you consider its use in the future for your web applications. In fact, there are several rapid web development frameworks, including Ruby on Rails, which allow you to make use of AJAX easily.

ABUL ASIM M.R. QARSHI IS A NETWORK SECURITY SPECIALIST FOR SPLICED NETWORKS LLC BASED OUT OF PAKISTAN. ABUL HAS A PASSION FOR NETWORK SECURITY AND BLEEDING EDGE WEB BASED TECHNOLOGIES. ABUL CAN BE REACHED VIA EMAIL (AQARSHI@SPLICEDNETWORKS.COM).


WEB TECH
Keeping web projects on track and on budget with Ruby on Rails
RUBY ON RAILS IS A RAPID WEB APPLICATION DEVELOPMENT FRAMEWORK. LEARN HOW RAILS CAN HELP YOU KEEP YOUR WEB PROJECTS ON TRACK AND ON BUDGET WITH RECORD DELIVERY TIMES. BY JOHN BUSWELL

Ruby on Rails is an open source web framework that is optimized for rapid web application development. Rails provides a structured framework that makes development feel natural and easy to maintain. Ruby is a relatively easy programming language to learn; any programmer with even just a vague idea of Java, Python or another object oriented programming language will pick up Ruby fairly quickly. With a little effort, Ruby on Rails will allow you to quickly develop and modify web applications in an efficient and cost-effective manner. Projects typically go over budget due to unrealistic time frames, unanticipated problems or the varying skills of developers on the team. Ruby on Rails will help mitigate these traditional problems by providing a fast and easy to follow framework for building web applications. Ruby on Rails applications are database centric, and Rails provides an object-relational management layer called ActiveRecord that significantly reduces the headaches caused by trying to map object based programming languages onto data contained in relational databases. Rails provides instant gratification: you make a change, you point your browser, and you see the change in effect. It's instant. This has a key benefit when demonstrating an application or proof of concept application to a client. A lot of problems around customer web applications center on the ability of the engineering team to communicate with the customer, and many companies have a management "translator" who interacts between the customer and the engineers.

Rails eliminates this need, as the customer can see the application in real time. If the developer misinterpreted the customer's feature request, the developer can quickly load up an editor, modify the feature and show the customer the change instantly. This allows for faster and easier communication with the customer and will increase the customer's satisfaction with your business. In fact, many non-technical customers who have dealt with developers using traditional means, such as the document, develop, demonstrate, document, develop, and demonstrate cycles, will be highly impressed by the instant nature of Rails. I had one businesswoman refer to it as "magic". If you are still not convinced about the speed and simplicity of Rails, then I suggest you take a look at the screencasts that are available over at http://www.rubyonrails.com/screencasts.
GETTING STARTED

RUBY

Ruby is an interpreted, high-level object oriented programming language, and in some situations it may not perform as fast as lower-level languages such as C. However, there are a number of things you can do to improve performance. Slow running programs typically have a few locations where the processes are heavily hit. You can use the Benchmark module and code profiler that come with Ruby to help locate and fix these types of problems. Since most web developers write code these days in high level languages such as Python, Perl and Java anyway, and Ruby stacks up very well in performance compared to these languages, the performance hit, if any, for a specific application is well worth the cost and time saving benefits of the language. If you would like to learn more about the Ruby language itself you can look at http://www.ruby-lang.org/. If you would prefer a book, I would highly recommend Programming Ruby: The Pragmatic Programmer's Guide by Dave Thomas.
RUBYGEMS

RubyGems is the package management system for Ruby. The command was shortened to gem. Gems interacts over the Internet with rubyforge.com, a huge repository of software code maintained by the rapidly growing Ruby community. RubyForge provides access to over 1,100 hosted projects, so you will often find something you are looking for without having to code it yourself.
BUILDING THE ENVIRONMENT

Rails can be integrated with Apache, Lighttpd and many other web servers that support SCGI or FastCGI. Lighttpd is a good option, and was reviewed in last month's issue of O3. To get started you will need Ruby and RubyGems. The recommended builds are listed on the Rails download page (http://www.rubyonrails.com/down).

BUILDING RUBY

The recommended release for Rails is currently 1.8.2. Untar it, and go through the usual POSIX motions (./configure && make && make install). If you want to make use of the Ruby documentation tool (ri) then you will also want to run make install-doc.

BUILDING RUBYGEMS

Installing RubyGems is trivial: simply untar and run ruby setup.rb from the rubygems-0.8.11 directory.
INSTALLING RAILS

Now that you have both Ruby and RubyGems installed, you can use the gem command to grab Rails. You will need to make sure that you have Internet access on the system you are using Ruby on before running the following command:

    gem install rails --include-dependencies

As simple as that, Rails is now on your system. Keep in mind that Rails is database centric, meaning you will need to have some kind of database available to you in order to utilize Rails. A wide range of databases are supported including MySQL and PostgreSQL. For this article, I used PostgreSQL 8.1.

ARCHITECTURE

The Rails architecture is built around MVC, ActiveRecord (object-relational database management) and URL mapping. These are core concepts for using Rails so we shall look at them briefly.

MVC

MVC is an architecture designed by Trygve Reenskaug back in 1979. It is a Model, View, Controller architecture. The model manages the state of the application. It is not just a representation of data since it enforces the business rules that are applicable to that data. Such rules might be that shipping within the state should always be UPS Ground because it will get there overnight regardless, that sales tax is charged based on the destination within the state, or that customers outside the European Union are not charged VAT. The view is the visual presentation of the data to the user. This is the user interface, and from a Rails point of view, is usually the HTML that is displayed in the user's browser. The view might be different for different perspectives, so the administrator might see all the users, while a single normal user may only see their preferences. As the name suggests, a controller maintains control of the application. It takes events from the user, interacts with the model (data) and provides a new view to the user.

ACTIVERECORD

Anyone familiar with embedding SQL commands in their PHP or C code is engaged in what's called database-centric programming. If you know SQL, then this is a relatively easy and pain free method of obtaining data from a database quickly and easily. If you are a good programmer, you probably write centralized functions that are called throughout your code, so that if you need to modify how your application interacts with the database or to change databases, you have a relatively pain free method of doing so. Unfortunately, not everyone is a good programmer, and maintaining code over time with hundreds of SQL statements throughout thousands of lines of code can become a very painful task. Rails utilizes a method called Object/Relational Mapping where database tables are mapped to object classes. This is not an easy thing to achieve and often requires considerable amounts of XML configuration files. ActiveRecord solves this problem by providing an ORM layer within Rails. ActiveRecord, like many aspects of Rails, relies on convention and sensible defaults, making it easy to modify and customize to your specific needs. ActiveRecord integrates seamlessly with the rest of the Rails framework.

URL MAPPING

The last important concept to grasp is that Rails utilizes URLs to map requests to a specific controller and action.

    http://192.168.99.202/rails/helloworld/greet/hello

In the URL above, http://192.168.99.202/rails/helloworld/ identifies the application, greet/ selects the controller (greet) and hello provides the action to invoke. However, Rails is reasonably flexible about how it parses URLs, so it is possible to parse them differently should you wish to do so.
BUILDING A SIMPLE APPLICATION

We will now walk you through the creation of a simple "hello world" application in Rails. The steps we will take will be to create the application, add a controller, add a view, add some dynamic content and then test the application.

CREATING THE APPLICATION

Creating applications with Rails is trivial. With Rails installed earlier, we simply change directory over to where we want to store our new project, then run rails <project>; for our application we will run rails helloworld. This will create a new directory called helloworld, and populate it with the default files for Rails. To start the test server (assuming you're not running it via FastCGI under another web server) simply run helloworld/scripts/server and then go open up a new terminal.

ADDING A CONTROLLER

Next we will need to add a controller. We will add one called Greet as it will manage the greeting to the user.

    ruby script/generate controller Greet
          exists  app/controllers/
          exists  app/helpers/
          create  app/views/greet
          exists  test/functional/
          create  app/controllers/greet_controller.rb
          create  test/functional/greet_controller_test.rb
          create  app/helpers/greet_helper.rb

Now we edit app/controllers/greet_controller.rb. As you can see, it already has some code in there for us:

    class GreetController < ApplicationController
    end

We will add the action "hello" to our controller:

    class GreetController < ApplicationController
      def hello
      end
    end

If you point the browser at the server, http://192.168.99.202:3000/greet/hello/, you will get a message about a missing template. This is produced because we haven't added the view yet. The view is added under app/views/greet/<action>.rhtml, in our case hello.rhtml.

CREATING THE VIEW

Adding the view is simple. We just create hello.rhtml with some HTML in it:

    <html>
    <head>
    <title>Hello World!</title>
    </head>
    <body>
    <b>Hello World!</b>
    </body>
    </html>

Point the browser at Rails again, and now we get Hello World!

ADDING SOME DYNAMIC CONTENT

Just to demonstrate how easy it is to add dynamic content in Rails we will modify our code now to display the time. To do this, we need to update the controller (greet_controller.rb) to capture the time by modifying the hello action to:

    def hello
      @time = Time.now
    end

Then you simply edit the hello.rhtml file to display the time:

    <body>
    <b>Hello World!</b>
    <p />
    The time is now <%= @time %>.
    </body>

It's as simple as that. We now get the following in our browser window: Hello World! The time is now Mon Dec 19 12:57:43 EST 2005.
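To show how the URL mapping, the hello action and the .rhtml view fit together, here is an added example in plain Ruby (not Rails' own code, and not from the article): a toy dispatcher that applies the default :controller/:action/:id route under the article's application prefix, runs the action, and renders the template with the controller's instance variables. The VIEWS hash standing in for app/views/, the controller table and the app prefix are assumptions of this example.

```ruby
require "erb"
require "uri"

# Added example, not Rails' own code: a toy version of the three ideas the article walks
# through (URL mapping to controller/action, a controller action setting @time, and an
# .rhtml view rendered with the controller's instance variables). Templates live in a
# hash here instead of app/views/ (hypothetical stand-in); the app prefix and the
# controller table are constructed for this example.
class MissingTemplate < StandardError; end

VIEWS = {
  "greet/hello" => "<b>Hello World!</b>\n<p />\nThe time is now <%= @time %>.",
}

class ApplicationController
  attr_writer :clock  # injectable time source so output is testable; defaults to Time

  def initialize(params)
    @params = params
    @clock = Time
  end

  # Render app/views/<controller>/<action>.rhtml (from VIEWS) with this controller's
  # instance variables visible to the template, which is what Rails does.
  def render(view)
    template = VIEWS.fetch(view) { raise MissingTemplate, "Missing template #{view}.rhtml" }
    ERB.new(template).result(binding)
  end
end

class GreetController < ApplicationController
  def hello
    @time = @clock.now
  end

  # An action with no matching view, to reproduce the missing-template error the
  # article describes before hello.rhtml exists.
  def bye
  end
end

CONTROLLERS = { "greet" => GreetController }

# Rails default route :controller/:action/:id applied to the path under the app prefix,
# e.g. /rails/helloworld/greet/hello -> controller "greet", action "hello".
def route(url, prefix: "/rails/helloworld")
  path = URI.parse(url).path
  return nil unless path.start_with?(prefix)
  segs = path[prefix.length..-1].split("/").reject(&:empty?)
  return nil if segs.empty?
  { controller: segs[0], action: segs[1] || "index", id: segs[2] }
end

# Dispatch a request URL; returns [status, body]. Only actions the controller class
# itself defines are callable, so a crafted URL cannot reach inherited helper methods
# such as render or anything on Object.
def dispatch(url, clock: Time)
  r = route(url)
  return [404, "No route matches #{url}"] unless r
  klass = CONTROLLERS[r[:controller]]
  return [404, "Unknown controller #{r[:controller]}"] unless klass
  action = r[:action].to_sym
  unless klass.public_instance_methods(false).include?(action)
    return [404, "Unknown action #{r[:action]} for #{klass.name}"]
  end
  controller = klass.new(r)
  controller.clock = clock
  controller.public_send(action)
  [200, controller.render("#{r[:controller]}/#{r[:action]}")]
rescue MissingTemplate => e
  [500, e.message]
end

if __FILE__ == $PROGRAM_NAME
  puts dispatch("http://192.168.99.202/rails/helloworld/greet/hello")[1]
end
```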
CONCLUSION

Overall, Ruby is an intuitive and easy language to learn and Ruby on Rails provides a fast and optimized framework for developing web applications quickly. Not only is it great for prototyping and proof of concept applications, but you can simply expand upon the original proof of concept code and utilize it as a base for the actual application. Ruby on Rails is well worth a look whether you're looking for a simple in-house project or trying to keep unrealistic project deadlines with traditional web solutions. The bottom line for businesses, especially web development businesses, is that Ruby can save you time and resources regardless of the size of the project.


BUSINESS
Rapid Web Development
RAPID WEB DEVELOPMENT CAN HELP DEVELOPERS PRODUCE PROOF OF CONCEPT AND DEMO APPLICATIONS IN A MATTER OF HOURS AND PERMIT RAPID APPLICATION CHANGES BASED ON CUSTOMER FEEDBACK. BY JAMES HOLLINGSHEAD

Once upon a time, having a web page meant slapping together some HTML and uploading it to a server where it could be accessed. It didn't really do much. In fact, most web pages tended to look like electronic versions of information booklets. These pages were informative and they were easy to make. However, they were boring and not very useful past imparting simple information. Then people started coming up with the idea of doing things other than just imparting information on the Internet. They thought it would be great if we could buy things online without having to go to the nearest store, or that we might want Internet-based services (like ways to find other pages). Our quick, simple HTML world got a lot more complicated really quickly. After a lot of trial-and-error, several security fiascoes, and much gnashing of teeth at pages that really didn't do what people thought they should, things started coming together. This has led to the rise of rapid web development.
WHY SHOULD I USE RAPID WEB DEVELOPMENT?

First and foremost, rapid web development saves you time. This does one of two things for you – if you run a business which creates web sites and web apps for clients, it allows you to take on more jobs since the overall time for every job is reduced. If you have developers working on internal applications, like the non-profit I worked at, it lets them take care of their projects more quickly so they can do other useful things, thereby saving you money that you might otherwise have to spend on additional development staff. Second, rapid web development technologies allow you to easily create maintainable code. This is a wonderful thing if you have a new developer taking over a project since it will take less time for them to understand what the code is doing. It's also nice because it is often quite a long time between when the application is developed and when it is updated.

This can save hours that your developers would otherwise spend in the pursuit of pulling out their hair because they suddenly find themselves looking at something they haven't even had to think about for months. I speak from experience in this. Maintenance is a developer's worst nightmare and anything that can make that part of their life easier will lower their blood pressure a few points. Third, flawed, buggy software costs your business money. It costs you the time of your developers to fix security flaws and keeps them from working on things that make money for your company. Releasing flawed software can also damage your reputation. Let's face it – your greatest means of getting new business is from current clients. Advertising is a great way to get eyes looking at your company, but if they start looking around and find that a lot of people are unhappy with your services, they will look somewhere else. Rapid web development helps here as well since most of the technologies are designed to be secure from the ground up instead of leaving security as an afterthought or leaving it up to the developers to do all of the security heavy lifting. Finally, it's really pretty easy to pick up. Ruby, one of the languages discussed below, can be learned in a couple of days and the Rails framework that uses it can be picked up easily as well. You can even port your existing applications pretty easily if you so desire. Now that all of the reasons to use rapid web development technologies have gotten your attention, let's take a look at the concept that the technologies are based on.
MODEL VIEW CONTROLLER

At the core of the rapid web development technologies that we'll be discussing in this article is the Model-View-Controller (MVC) concept. While not a new idea (it was first described in 1979), it has found its way into many people's vocabulary for the first time.

Basically, what it boils down to is that the software's architecture is broken down into three parts – the Model (data model), the View (user interface), and the Controller (control logic). This allows modifications to be made to one area of the software without impacting the other two a great deal. That means that you can change the way that the end result looks to your customer (user interface) without having to change either the data model or the control logic behind the application. The same is true for changing the business logic (data model) or what happens when you click a button (control logic). This makes maintenance easier because your developers don't have to look for things that may break in the other two areas if they need to make a change to any part of the program. It also means that the application is more secure because none of the business or control logic is being presented to your customers or anyone who might want to exploit your application (which was a big problem with previous approaches to web development). While MVC is a nice, and rather nebulous, concept, what we're really interested in is the actual implementation of rapid web development and how it can help us get our business done efficiently and help save us money by saving us time. That said, let's take a look at some of the more popular frameworks that let us quickly and safely get our programs out of the concept phase and onto the server where they can be used.
RUBY ON RAILS

Rails is a rapid development framework based on the Ruby language. Ruby is a language that started out being roughly modeled on Perl, so it's also used to rapidly develop programs that aren't used online. At the heart of Ruby is the idea that you shouldn't have to configure everything because the normal, everyday things behave exactly the way any sane person would expect them to. This makes development go much faster because your programmers don't have to worry about every tiny detail in order to create the application. Rails builds on this by giving you the most common pieces of basically any web application that you could care to create. It includes pre-written libraries for things like communicating with databases, data validation from forms, sending and receiving email, formatting date and time information, and interactive client-side functionality with AJAX. In fact, all of this is set up for your new application with one command. After that, you just start filling in the blanks. It has a fairly large amount of documentation online and a helpful and supportive community. In fact, the first edition of one book on Ruby, Programming Ruby (currently in its second edition), has been made available online by its authors at (http://www.rubycentral.com/book/). While all of the things stated above are great reasons to use Rails, one of the best reasons is the fact that you don't have to recompile the program in order to cause any updates to your web application to take effect. That's right – you can sit there with your client and make changes on the fly while they give input without having to wait for the program to recompile after every change. Anyone who has ever had to go get a cup of coffee and then still had time left over while their program compiles can tell you how much this can decrease the development time.

PHP SMARTY

Smarty (http://smarty.php.net/) is based on PHP, which has been one of the most used languages to create web applications. Like PHP, it has a large number of plugins and has a built-in debugging console. It provides caching for all or just parts of a page and also supports the use of configuration files to keep common values in one location, allowing a change in one place to affect the entire program. For the presentation portion of the framework, Smarty uses special tags that have a syntax fairly close to normal HTML. While these templates, which closely resemble what the resulting page will look like, contain no PHP themselves, they are compiled into PHP code in order to reduce the time that the server spends parsing the code. Since PHP has been around for a while, there is quite a lot of documentation on the base language, and the documentation for Smarty is available online under the Documents section of the Smarty home page.
JAVA STRUTS

Struts (http://struts.apache.org) has been around the longest of any of the frameworks that we're covering here. Having been created by the Apache project as a way to tie together things like Java Server Pages, servlets, custom tags, and other resources into a unified framework, it supports industry standards so it's compatible with other Java technologies. Struts is also very mature and has a huge amount of documentation available online (not to mention more paper based books than I care to count). The major downside of Struts that most people point out is the fact that, being based on Java, it tends to be rather verbose, so unless you have a good editor which allows you to autocomplete things like variable names, it takes a while to develop in just because of the amount of typing. On the upside, it is very powerful and has vast amounts of libraries which provide a lot of the functionality that most online programs use.
TURBOGEARS

TurboGears (http://www.turbogears.org) is a relatively new framework based on the Python language that provides a four-tier approach to rapid web development. Being new, there are still a lot of features being added and new documentation being written as they work toward a stable release. Having said that, it looks like an interesting project. SQLObject makes database queries look more like an object oriented programming language (think C++ or Java). CherryPy is used to quickly create dynamic content. Kid provides an XML templating system. Finally, MochiKit is a JavaScript library that allows programmers to work with AJAX capabilities.
CONCLUSION

Whether it's based on Ruby or Java, PHP or Python, the use of rapid web development technologies can help decrease the time that you're waiting for your web-based applications to make it to the production server while keeping the problems with maintenance and security to a minimum. The next time you need to start a new web application, give some thought to how rapid web development technologies can help you go live sooner, and be sure to check the other articles in this issue of O3 which deal with Ruby on Rails in a more in-depth fashion.

James Hollingshead is the Executive Editor for O3 Magazine. James can be reached via email (james@o3magazine.com).


NETW O RK I NG
SCTP vs TCP
SCTP IS A STREAM CONTROL TRANSMISSION PROTOCOL DESIGNED TO SIT ON TOP OF IP. IT OFFERS ACKNOWLEDGED, ERROR-FREE, NON-DUPLICATED TRANSFER OF DATAGRAMS. BY RAJA HAMMAD

TCP has been the most dominant and successful connection-orientated transport layer protocol, along with its connectionless counterpart, UDP, for the last few decades. During these years, TCP has gone through many changes at the design level, such as advancements in its congestion control mechanisms, that kept it reliable for data transfers over the connectionless IP protocol. The Internet has grown explosively in the last decade and new applications have emerged that have requirements not offered by TCP and UDP. One such application is the transport of Public Switched Telephone Network (PSTN) signaling messages over IP networks, which has stringent requirements in terms of reliability and timing. The limitations of TCP, as discussed in RFC 2960, are:

• TCP offers a reliable data transfer service only and transmits data in a strict order. This may be useful for many applications, but other applications, such as telephony signaling, require only reliability and partial ordering of data.
• A TCP stream is a sequence of segments, and strict order-of-transmission requires delivery of those segments in a particular order. This can potentially introduce delays in data delivery, a problem known as head-of-line blocking. This happens when a single TCP segment is lost, which results in blocking the whole data until the lost segment is recovered. Such delays are not acceptable in applications such as telephony signaling.
• TCP is a stream-oriented protocol, which means it does not define the message boundaries. Applications must define their own record marking.
• Multihoming is not supported in TCP, which is required for high availability links in applications such as telephony signaling.
• Security is an important feature, required for many applications, but TCP is known to be relatively vulnerable against SYN flooding attacks.

UDP is also not suitable for such applications. It offers unreliable, unordered data services and has no built-in congestion control mechanisms. For example, applications requiring reliable delivery and partial ordering cannot take advantage of UDP and must add their own reliability mechanisms on top of UDP. SCTP was initially developed by the Signaling Transport (SIGTRAN) working group in the IETF in order to overcome the limitations imposed by both TCP and UDP for telephony signaling applications, and later it was standardized for a broader range of applications. In the following sections, I will be discussing the new features of SCTP that make it an improvement over TCP and UDP.

SCTP stands for Stream Control Transmission Protocol, a new transport layer protocol. SCTP is designed by keeping features from TCP and UDP in addition to its own characteristics. Like TCP, it is a unicast protocol with reliable transmission, congestion control and avoidance features. Like UDP, it is message oriented and supports unordered data delivery. The following section briefly outlines two prominent features of SCTP along with congestion control handling.
MULTIHOMING

Multihoming provides network redundancy and high availability for a multihomed host by setting up multiple IP addresses. Unlike TCP, SCTP allows multihoming by setting up an association (a communication relationship between two hosts) between two hosts (either or both hosts can be multihomed), thus providing path redundancy between the two endpoints. An SCTP host sends data on the primary transport address (the sender selects one of the multiple addresses of the receiver as the primary transport address) and provides a mechanism for the sender to monitor the reachability of the backup address(es). Thus, in the case of failure of the primary address, SCTP can transparently switch over to the backup address without application layer intervention. The primary address is selected during the initiation of an association. However, this can be changed later by the user application. It is to be noted that path redundancy is not recommended by the current standard for load sharing purposes. However, work is in progress to extend the capabilities of SCTP for load sharing, as of the Internet draft "Load Sharing in SCTP".
MULTISTREAMING

This feature in SCTP allows data to be transmitted in multiple streams within a single association. This allows data delivery independent of the data transmission mechanisms within an SCTP association; message ordering is preserved within a stream in an association, whereas data loss detection, retransmission timer control, etc. are maintained within the whole association. This is potentially useful for many applications where two or more independent sequences of messages can be delivered without inter-dependencies. For example, a web page consists of different independent multimedia objects, e.g. Java applets, images, etc., and they can be delivered in different streams within a single SCTP association. For instance, if an image is lost on its way to the receiver, this will not affect the delivery of the Java applet. This is in contrast to a TCP stream, where the Java applet will not be delivered to the user application until the lost segment of the image is retrieved.

CONGESTION CONTROL

SCTP's congestion control algorithm behaves similarly to TCP's well proven rate-adaptive, window based congestion control scheme. This ensures that, in case of network congestion, SCTP will adjust the packet sending rate accordingly. Moreover, SCTP provides reliable transmission, retransmission of lost packets and detection of reordered, duplicate and corrupted packets. However, the SCTP congestion control scheme differs from TCP in many ways.

The following section compares and contrasts the major features between TCP and SCTP. [Note: one important thing to keep in mind is that all streams within a single SCTP association are subjected to a common flow and congestion control mechanism.]

• Like TCP, SCTP uses a slow start and congestion avoidance scheme to gradually increase the sending rate, and transitions from slow start to the congestion avoidance phase to avoid congestion collapse in the network.
• Like TCP, SCTP uses three variables, the receiver advertised window (rwnd), congestion control window (cwnd) and slow-start threshold (ssthresh), in order to control the transmission rate. However, SCTP requires one additional variable, partial bytes acknowledged, to calculate congestion control window growth.
• SCTP has a fast retransmit algorithm based on Selective Acknowledgment (SACK) akin to TCP. However, unlike TCP, SCTP does not have an explicit fast recovery phase; rather, this behavior is incorporated in fast retransmission by using SACK.
• The use of SACK is mandatory in SCTP, as opposed to TCP, where it is an optional feature.
• SCTP is designed to support multihomed hosts. This feature complicates the SCTP congestion control process and requires a separate congestion control parameter to be set for each of the destination addresses in the association.
• The multistreaming feature of SCTP allows it to deliver data to upper layers, even if some data chunks are missing, as long as those missing chunks are not part of a single stream. This can affect cwnd calculation.

The following table summarizes the similarities and differences between SCTP and TCP. One of the noticeable differences is that of the way SCTP establishes an association. An SCTP association is established by exchanging at least four packets (INIT, INIT-ACK, COOKIE, COOKIE-ECHO), as opposed to TCP. This may seem a little excessive from an overhead standpoint, but interestingly, SCTP allows data exchange with two of the packets, COOKIE and COOKIE-ECHO, without compromising on the security. Another prominent feature of SCTP is to allow data ordering as an optional feature. This means that ordering can either be preserved within the stream or data can be delivered without any order. Moreover, SCTP allows partial reliability, by which reliability can be defined on a per message basis, allowing reliable and unreliable messages to be multiplexed over a single association. This can be particularly useful for real-time applications such as VoIP, video streaming, etc.

SCTP SOCKET API SPECIFICATIONS

SCTP supports two styles of socket interfaces to accommodate and support all of the possible features of the protocol. This section will outline those specifications. The basic design objectives of the SCTP Socket API are:

• Maintain consistency with existing socket APIs: to maintain consistency with other socket APIs (UDP, TCP, IPv4, etc.) so that the system call interface for SCTP has the same semantic meanings as in the case of the TCP socket interface.
• Support a one-to-many, UDP, style interface: this style of interface is similar to that of UDP. The reason for this is to exploit all the possible features in SCTP, such as sending data unreliably with no ordering. The outbound association setup is implicit and there is a one-to-many relationship between socket and association. Following is the typical sequence of socket calls used in the server and client.
Server: socket(), bind(), listen(), recvmsg(), sendmsg(), close()
Client: socket(), sendmsg(), recvmsg(), close()

It is important to note here that, because of the connection-oriented nature of SCTP, multicast or broadcast communications are not supported, as opposed to UDP.

• Support a one-to-one, TCP, style of interface: this interface supports a connection-oriented, TCP, style of interface. The interface must support a single SCTP association as in TCP. One of the purposes of this interface is to allow developers to port TCP applications to SCTP with very little effort. Following is a typical sequence of socket calls:

Server: socket(), bind(), listen(), accept(), recv(), send(), close()
Client: socket(), connect(), send(), recv(), close()

The accept() call blocks until a new request is made by a client to set up an association. It returns a new socket descriptor, and this descriptor is used to communicate with the client using recv() and send() calls. Since SCTP supports both UDP and TCP style sockets, some of the features cannot be mapped to existing socket interfaces. One such example is the bind() system call. In the one-to-many style interface, an SCTP endpoint can be associated with multiple addresses, and bind() cannot be called multiple times to associate multiple addresses with an endpoint. The SCTP socket interface specification introduces a new system call, sctp_bindx(), to overcome this limitation. Readers are encouraged to see the references to explore the semantics of the system calls mentioned in this section in reference to SCTP.
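The four-packet association setup described above is what lets SCTP avoid the half-open state that exposes a TCP listener to SYN flooding: the server keeps no state until a valid cookie comes back. The Python model below is an added example, not code from the article or from any SCTP implementation; it uses the RFC 2960 chunk names (INIT, INIT ACK, COOKIE ECHO, COOKIE ACK), and the cookie layout, the SctpServer class and the sample addresses are constructed for the demo.

```python
"""Stateless cookie handshake modelled on SCTP's association setup.

Added example (not from the article or any SCTP implementation): the server
answers INIT with a signed cookie and stores nothing; a TCB is allocated only
when a valid COOKIE ECHO returns.  Chunk names follow RFC 2960; the cookie
layout and the SctpServer class are constructed for this demo.
"""
import hashlib
import hmac
import os
import struct
import time

COOKIE_LIFETIME = 60.0   # seconds a cookie stays valid (RFC 2960 default)
MAC_LEN = 32             # HMAC-SHA256 tag appended to every cookie


class SctpServer:
    def __init__(self, secret=None, clock=time.time):
        self.secret = secret or os.urandom(32)  # server-only signing key
        self.clock = clock                      # injectable for testing
        self.associations = {}                  # (peer_addr, peer_vtag) -> my_vtag

    def _mac(self, body):
        return hmac.new(self.secret, body, hashlib.sha256).digest()

    def on_init(self, peer_addr, peer_vtag):
        """INIT -> INIT ACK.  Returns (my_vtag, cookie) and keeps no state."""
        my_vtag = struct.unpack("!I", os.urandom(4))[0]
        # cookie body: both verification tags, creation time, peer address
        body = struct.pack("!IId", peer_vtag, my_vtag, self.clock())
        body += peer_addr.encode()
        return my_vtag, body + self._mac(body)

    def on_cookie_echo(self, peer_addr, cookie):
        """COOKIE ECHO -> COOKIE ACK (True) or silent discard (False)."""
        if len(cookie) < 16 + MAC_LEN:
            return False
        body, tag = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
        if not hmac.compare_digest(self._mac(body), tag):
            return False                        # forged or tampered cookie
        peer_vtag, my_vtag, created = struct.unpack("!IId", body[:16])
        if body[16:].decode() != peer_addr:
            return False                        # cookie replayed from another address
        if self.clock() - created > COOKIE_LIFETIME:
            return False                        # stale cookie
        self.associations[(peer_addr, peer_vtag)] = my_vtag  # TCB created here
        return True


def client_handshake(server, addr, vtag):
    """Well-behaved client: completes all four chunks, True on COOKIE ACK."""
    _srv_vtag, cookie = server.on_init(addr, vtag)      # INIT / INIT ACK
    return server.on_cookie_echo(addr, cookie)          # COOKIE ECHO / COOKIE ACK


def abandoned_inits(server, count):
    """Peers that send INIT but never echo the cookie (the SYN-flood pattern).
    Returns the number of associations the server holds afterwards."""
    for i in range(count):
        server.on_init("198.51.100.%d" % (i % 254 + 1), i)
    return len(server.associations)


if __name__ == "__main__":
    srv = SctpServer()
    print("handshake:", client_handshake(srv, "192.0.2.10", 1))
    print("TCBs after 1000 abandoned INITs:", abandoned_inits(srv, 1000))
```

The same check order (MAC first, then address, then lifetime) is what keeps a forged or replayed cookie from ever reaching the state table.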
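The multistreaming behaviour described earlier (ordering kept per stream, unordered delivery, no head-of-line blocking across streams) as an added Python model; this is not code from the article or from lksctp. The Chunk record, the StreamReceiver class and the sample web-page traffic are constructed for the demo, and the TCP-like comparison collapses everything onto one strictly ordered stream.

```python
"""Per-stream ordered delivery, modelled on SCTP multistreaming.

Added example (not from the article or lksctp): each DATA chunk carries a
stream id and a stream sequence number (SSN).  The receiver holds back only
the chunks behind a gap on the *same* stream, so losing one chunk of an
image does not delay the applet on another stream.  The Chunk record, the
receiver class and the sample traffic are constructed for this demo.
"""
from collections import namedtuple

# tsn: association-wide transmission sequence number (what SACKs cover)
# stream/ssn: per-stream ordering; unordered: the U flag (deliver at once)
Chunk = namedtuple("Chunk", "tsn stream ssn unordered payload")


class StreamReceiver:
    """Reassembly for one association; `delivered` is what the application
    sees, in the order it would read it."""

    def __init__(self):
        self.next_ssn = {}   # stream id -> SSN the application is waiting for
        self.pending = {}    # stream id -> {ssn: payload} held behind a gap
        self.delivered = []

    def receive(self, chunk):
        if chunk.unordered:                       # U flag: no SSN check at all
            self.delivered.append(chunk.payload)
            return
        queue = self.pending.setdefault(chunk.stream, {})
        queue[chunk.ssn] = chunk.payload
        nxt = self.next_ssn.get(chunk.stream, 0)
        while nxt in queue:                       # drain this stream only
            self.delivered.append(queue.pop(nxt))
            nxt += 1
        self.next_ssn[chunk.stream] = nxt

    def blocked(self):
        """SSNs the application cannot see yet, per stream (the head-of-line cost)."""
        return {sid: sorted(q) for sid, q in self.pending.items() if q}


def as_single_stream(chunk):
    """TCP-like view: one strictly ordered stream keyed by TSN, no U flag."""
    return chunk._replace(stream=0, ssn=chunk.tsn - 1, unordered=False)


def run(chunks, per_stream=True):
    rx = StreamReceiver()
    for c in chunks:
        rx.receive(c if per_stream else as_single_stream(c))
    return rx


# Constructed sample: a page's image on stream 1, its Java applet on stream 2,
# plus an unordered keepalive on stream 3.  TSN 3 is lost in transit.
WIRE = [
    Chunk(1, 1, 0, False, "img[0]"),
    Chunk(2, 2, 0, False, "applet[0]"),
    Chunk(3, 1, 1, False, "img[1]"),      # lost, retransmitted later
    Chunk(4, 2, 1, False, "applet[1]"),
    Chunk(5, 1, 2, False, "img[2]"),
    Chunk(6, 2, 2, False, "applet[2]"),
    Chunk(7, 3, 0, True, "keepalive"),
]
LOST = {3}


def first_pass():
    """Chunks as they arrive with TSN 3 missing."""
    return [c for c in WIRE if c.tsn not in LOST]


if __name__ == "__main__":
    sctp = run(first_pass())
    print("SCTP delivered:", sctp.delivered, "blocked:", sctp.blocked())
    tcp = run(first_pass(), per_stream=False)
    print("TCP-like delivered:", tcp.delivered, "blocked:", tcp.blocked())
```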
SCTP IMPLEMENTATIONS

SCTP is currently in the research phase, but there are many implementations available for mainstream operating systems including FreeBSD, OpenBSD, NetBSD, Solaris, Linux, AIX and HP-UX. Moreover, user space implementations also exist for Solaris, Linux, VxWorks, Windows and proprietary platforms such as Cisco, Nokia and Siemens. The Linux kernel SCTP (lksctp.sourceforge.net) is an open source implementation of SCTP in the Linux kernel (still in an experimental phase) under the GNU General Public License. The project was started by one of the original designers of SCTP, Randall Stewart. The current version of lksctp supports Linux kernel 2.6.14. SCTP can be built into the kernel or can be loaded as a module. In order to test the Linux kernel SCTP reference implementation, you need to download and install lksctp-tools, which should be compatible with your kernel. The lksctp-tools package provides user-level C language header files and an API for accessing SCTP for SCTP application developers, and a test framework and test suite for lksctp project developers. The latest version of lksctp-tools (1.0.4) runs on Linux kernel 2.6.14. To test and run sample SCTP applications, you are first required to grab kernel 2.6.14 and compile it by enabling SCTP. After loading the new kernel, download and install the following packages from http://lksctp.sourceforge.net/

lksctp-tools-1.0.4-1.i386.rpm includes the SCTP run-time library and sample SCTP applications
lksctp-tools-devel-1.0.4-1.i386.rpm includes SCTP header files, SCTP man pages and source code for the sample SCTP applications
lksctp-tools-doc-1.0.4-1.i386.rpm includes SCTP RFCs and Internet drafts

After a successful installation, you will find three sample SCTP applications: sctp_darn, sctp_test and withsctp. The sample applications sctp_darn and sctp_test can be used to test the Linux kernel reference implementation of SCTP. withsctp is a tool that can be used to replace existing TCP binaries with SCTP.

SCTP APPLICATIONS, PRODUCTS AND SERVICES

Most of the commercial products that are using SCTP are signaling transport solutions, since SCTP was primarily designed for transporting signaling traffic. With its new, attractive features not supported by either TCP or UDP, SCTP is now used by many vendors for their signaling solutions. While it is still in the early phases for non-signaling applications, it has a promising future because of its prominent features and new extensions.

REFERENCES

RFCs: 2960, 3257, 3286, 3578
Internet drafts: draft-ietf-tsvwg-sctpsocket-11.txt
http://lksctp.sourceforge.net
http://www.sctp.org
http://www.sctp.de
http://www.sctp.be
RAJA HAMMAD IS THE GENERAL MANAGER OF ADVANCED DATA NETWORKING SOLUTIONS AT SPLICED NETWORKS LLC. HE IS BASED OUT OF PAKISTAN.


V OI P
Integrating Ruby on Rails and Asterisk with RAGI
THE RUBY ASTERISK GATEWAY INTERFACE PROVIDES A FRAMEWORK FOR BRIDGING RUBY ON RAILS WITH ASTERISK, THE OPEN SOURCE PBX, FOR ENHANCED CALL HANDLING. BY JOHN BUSWELL

Asterisk is an Open Source PBX solution developed by Digium. Ruby on Rails is a full-stack framework for developing database backed web applications using the Model-View-Controller pattern, based on Ruby. Ruby is an interpreted scripting language designed for quick and easy object-oriented programming. The Ruby Asterisk Gateway Interface, or RAGI, is a relatively new framework for integrating Asterisk with your Rails web application. Please keep in mind that RAGI is just a framework. While it significantly reduces the complexity and time required to build applications that interact with Asterisk, you do still have to code the application. For more information on Asterisk and Open Source Telephony, refer to Open Source Telephony on page 32 of Issue #1 of O3 Magazine.

This article will assume that you have already configured and set up your Asterisk server. We will also assume that you are running Rails on a server with the IP address of 192.168.99.20. We will be using RubyGems, the standard Ruby package manager, to obtain Ruby related software, so if you are following along, then you will need to make sure the system has Internet access. Our developer, Joe (who has a user name of joe on 192.168.99.20), is going to install a clean Ruby environment in his home directory. First, visit http://www.rubyonrails.com/down and download Ruby 1.8.2 or 1.8.4. You will also need to download RubyGems.

mkdir -p ~/projects/
cd ~/projects/
tar zxvfp ruby-1.8.2.tar.gz
cd ruby-1.8.2
./configure --prefix=/home/joe/projects/rubydev
make && make install && make install-doc

Assuming all goes well for Joe, he now has a copy of Ruby in his home directory. The last make line builds and installs Ruby and builds/installs the Ruby documentation. Next, you need to untar RubyGems.

tar zxvf rubygems-0.8.11.tgz

However, before we can use RubyGems, we need to adjust the path a little. In our example, Joe is running bash.

PATH=$PATH:/home/joe/projects/rubydev/bin
export PATH
cd rubygems-0.8.11
ruby setup.rb

A few seconds later and we're installed. Next we need to use gems to get rails and ragi. To do this, simply issue the following commands:

gem install rails --include-dependencies
gem install ragi --include-dependencies

Since this is the first time gems has been run, it may take a few minutes, because it will attempt to update the Gem source index from http://gems.rubyforge.org. Once gems completes its work, Ragi can be found in /home/joe/projects/rubydev/lib/ruby/gems/1.8/gems/ragi-1.0.0. Next, we create our rails app by running

rails apps/dayofweek

where dayofweek is the name of our application. We're assuming Joe has an apps directory in projects/rubydev/. To start the integrated web server, we simply run

ruby script/server

Now, point a browser to http://192.168.99.20:3000/, and we're up and running. In order for Rails to work, we need a database. Let's assume Joe's box is devoid of a database, and he downloads PostgreSQL 8.1.1. To get it running, we do the following:

tar jxvf postgresql-8.1.1.tar.bz2
cd postgresql-8.1.1
./configure --prefix=/home/joe/projects/postgres
make && make install
cd ~/projects/postgres
mkdir -p data
bin/initdb -D /home/joe/projects/postgres/data/
bin/pg_ctl -D /home/joe/projects/postgres/data -l \
logfile start

Now that we have rails, ragi and postgres running, it's time to get down to business. First, we create a ragi/ directory within the lib/ directory of our application (rubydev/apps/dayofweek/lib/ragi). Then we copy all of the ruby files (*.rb) for ragi (these are stored in rubydev/lib/ruby/gems/1.8/gems/ragi-1.0.0/) to this new ragi directory. Next, we create a handlers directory under apps/dayofweek/app/. This is where our call handlers go. Normally, in Rails a controller is used to provide the logic for your web application. In RAGI, a phone call interaction is controlled using a handler. In config/environment.rb, you need to add some short code to start up the RAGI server on launch as a separate thread. The code below takes care of that.

Dependencies.mechanism = :require
require 'webrick'            # provides WEBrick::SimpleServer
require 'ragi/call_server'

# Simple server that spawns a new thread for the server
class SimpleThreadServer < WEBrick::SimpleServer
  def SimpleThreadServer.start(&block)
    Thread.new do
      block.call
    end
  end
end

RAGI::CallServer.new(:ServerType => SimpleThreadServer)

Now a little asterisk configuration is required in extensions.conf to send call control to your RAGI application. In our example, we will route all calls to extension 353 to our dayofweek application, and we assume that we are running on 192.168.99.20.

exten => 353,1,Answer()
exten => 353,2,deadagi(agi://192.168.99.20/dayofweek/dialin)
exten => 353,3,Hangup

RAGI is capable of multiple call handlers within an application, and these are routed based on a URI. For our dayofweek application, all calls to extension 353 are routed to the handler "dayofweek_handler" in the handlers directory, and the method dialin will be called when the call goes through. Additional call handlers are as easy as adding them to the handlers directory and configuring asterisk to route calls to them.

Next, copy any necessary sound files for the application to the Asterisk server's default sound directory. Finally, we need to code up the handler. The control of the call is handled by dialin. Please note that I have deliberately left out the code to calculate the day, and truncated the if/elsif block in announce_day due to the limited space for this article. However, the code below does demonstrate how simple it is to build call handlers within Ruby on Rails that easily interact with Asterisk. With slightly more complex code, you could easily use RAGI to implement a system to retrieve ticket status in web based bug tracking systems by phone. It should also be noted that the names within play_sound("") correspond to files stored in the Asterisk server's default sound directory.

require 'ragi/call_handler'

class DayofweekHandler < RAGI::CallHandler
  APP_NAME = 'dayofweek'

  # entry point named in the extensions.conf URI (agi://.../dayofweek/dialin)
  def dialin
    answer
    wait(1)
    repeatDay = true
    while (repeatDay)
      greeting
      ragiday = foo_gettoday        # day calculation omitted for space (see text)
      announce_day(ragiday)
      repeatDay = ask_repeat_day
    end
    say_goodbye
    hangup
  end

  def greeting
    play_sound("today-greeting")
  end

  def announce_day(ragiday)
    if (ragiday == 1)
      play_sound("today_is_monday")   # play the day
    elsif (ragiday == 2)
      play_sound("today_is_tuesday")
    elsif ...                          # remaining days truncated for space (see text)
      play_sound("today_is_sunday")
    end
  end

  def ask_repeat_day
    # wait about 1 second for the caller to press a key
    return (get_data("repeat-time", 3000, 1).length > 0)
  end

  def say_goodbye
    play_sound("today-goodbye")
  end
end

Overall, RAGI provides a fast and simple means of making web applications interact with Asterisk. Within an hour we had a working application up and running within Rails, and that's including the time to install Ruby, Rails and Postgres. RAGI is sponsored by Snapvine, who appear to be a new Open Source Telephony startup. You can learn more about Snapvine at http://www.snapvine.com. According to Snapvine's website, they will be at the O'Reilly Emerging Telephony conference on January 24 through 26, 2006 in San Francisco. Etel brings the best of the best in cutting edge IP telephony and how that new technology is being deployed by forward-thinking pioneers. You can find out more about Etel by visiting their site at http://conferences.oreillynet.com/etel/.

JOHN BUSWELL IS THE CO-FOUNDER AND CHIEF TECHNOLOGY OFFICER OF SPLICED NETWORKS LLC. HE IS BASED OUT OF ATHENS, OHIO WITH OVER 12 YEARS EXPERIENCE IN THE IT INDUSTRY. HE CAN BE REACHED VIA EMAIL (JBUSWELL@SPLICEDNETWORKS.COM).


NETWORK APPLICATIONS
PostgreSQL
POSTGRESQL IS A FEATURE-RICH OBJECT-RELATIONAL DATABASE MANAGEMENT SYSTEM. POSTGRES OFFERS A POWERFUL AND FREE ALTERNATIVE TO MYSQL, SQL SERVER AND ORACLE. BY JAMES HOLLINGSHEAD AND MATHEW J. BURFORD

PostgreSQL (also known as Postgres) is a feature-rich object-relational database management system, with a large developer and user base. It is a serious choice for many commercial and non-commercial database solutions, offering a powerful alternative to other software such as MySQL and Oracle. PostgreSQL is a descendant of the Postgres project; the name change occurred to better reflect its support for a large part of the SQL standard. The history of Postgres spans an amazing 20 years, with its first beta release being in 1987. Today Postgres supports many advanced features such as complex queries, foreign keys, triggers, views, transactional integrity, multi-version concurrency control and more. The Postgres database management system can be extended by adding new data types, functions, operators, aggregate functions, index methods and procedural languages.

On November 8th, the PostgreSQL community released version 8.1, which saw many great improvements with over 120 new features and enhancements added. One of the major new features is support for Roles, which allows a large number of users to be managed more efficiently. Other enhancements included two-phase commit, IN/OUT parameters, shared row locking, bitmap scan and many more. Speed and performance gains in operations were also seen, especially on dual processor systems. The automatic vacuum feature was improved, which is great news for 24/7 servers. This has been an extremely successful release for Postgres.
COMPARISON

By comparison, previous releases of Postgres have been slow on performance. This is believed to be due to the differing goals that Postgres has had during its development. Those goals have often been to develop features first, and worry about speed later if necessary. Superbly, recent releases of Postgres have taken into account various speed issues, which have made its operations comparable to some of the most popular databases. Postgres claims to be faster in some areas, and slower in others. Postgres has all of the basic features such as joins, views, referential integrity, and encrypted connections that you would expect from a commercial database, and is supported on Linux, Windows, Mac OS X, BSD, and Unix, unlike MS SQL Server (Windows only) and Oracle, which does not support BSD. In addition, it also allows for things such as table inheritance, which isn't supported by Oracle, and server programming, which is discussed below.

INSTALLATION

I found the installation of Postgres to be fairly straightforward. I followed the instructions provided in the online Postgres manual. This section will explain how I set up PostgreSQL v8.1 from the source code distribution. First download the PostgreSQL v8.1 source, which you should find at the URL below.

http://www.postgresql.org/download/

Unzip the source, and enter the created directory

$ tar zxf postgresql-8.1.0.tar.gz
$ cd postgresql-8.1.0

Note: If you are updating from a previous version of PostgreSQL, you must back up your database data by dumping it to a file, and restore it once the installation is completed. For a default configuration, enter

$ ./configure

O3 Magazine / December 2005, Page 38

NETWORK APPLICATIONS
Below are some of the configure options you can use to tailor your installation; more are available in the documentation.

--prefix=/path/to/install : override the default installation path (/usr/local/pgsql)
--with-perl : include PL/Perl
--with-tcl : include PL/Tcl
--with-python : include PL/Python
--with-openssl : build with SSL support for encrypted client connections; the OpenSSL libraries and headers must be installed before proceeding

PostgreSQL must be built using GNU make; other make utilities will not work as expected. On systems where GNU make is not the default make, it is usually installed as gmake.

$ gmake

As a non-privileged user, you may perform regression checks on your PostgreSQL build (optional). The checks start a temporary server, so they refuse to run as root.

$ gmake check

To install the built files, you may need to be root.

$ gmake install
CONFIGURATION

This section configures PostgreSQL to run as the low-privileged user 'postgres' in group 'postgres'. It is recommended to run PostgreSQL as a low-privileged user so that, should an attacker take control of the PostgreSQL server process, the harm he or she can do is limited to what that user can reach; the server itself refuses to start as root. You must enter a line similar to this in your /etc/passwd file (or create the account with groupadd and useradd). This may need to be done as root, and you should note that the account requires a valid shell in order to perform some administration operations as this user.

postgres:x:70:70::/var/lib/postgresql:/bin/bash

Enter this line in your /etc/group file.

postgres::70:

Make a database cluster directory; this is where all information will be stored. Change its ownership to our postgres user.

$ mkdir -p /usr/local/pgsql/data
$ chown -R postgres:postgres /usr/local/pgsql/data

Switch to the user 'postgres' and initialize the database cluster (initdb, like the server, will not run as root). The -W option prompts for a password for the database superuser; on its own, however, it still leaves local connections on "trust" authentication, so pair it with -A md5 to make that password actually required. Then start the server and create a test database.

$ su postgres
$ initdb -D /usr/local/pgsql/data -W -A md5
$ pg_ctl -D /usr/local/pgsql/data -l /usr/local/pgsql/data/server.log start
$ createdb test

initdb writes postgresql.conf and pg_hba.conf into the data directory; edit them as instructed by the comments (a postgresql.conf.sample is also installed under the share directory for reference). In particular, review pg_hba.conf, which controls who may connect from where and how they must authenticate. If everything went all right, you should now be able to enter the database.

$ psql test

CONNECTORS

The default installation of Postgres only comes with the C (libpq) and embedded C (ECPG) interfaces. However, connectors for a large number of other languages are available for download. The list below is by no means complete; a more comprehensive list of drivers is hosted by the Postgres maintainers at http://gborg.postgresql.org/browse.php under the Drivers section.

PYTHON:

PyGreSQL http://www.druid.net/pygresql/

RUBY:

Ruby-Postgres http://ruby.scripting.ca/postgres/
An extension library to access a PostgreSQL database from the Ruby scripting language. Also supported by Ruby on Rails configurations.

JAVA:

Postgres JDBC http://jdbc.postgresql.org/

PERL:

pgperl http://gborg.postgresql.org/project/pgperl/projdisplay.php
A native Perl interface to Postgres.

SERVER PROGRAMMING

Unlike most relational databases, Postgres stores information about data types, functions, access methods and so on in its system catalog, in addition to the standard information about databases, tables and columns. This gives PostgreSQL the ability to let users write server-side functions in languages such as Python (PL/Python), Perl (PL/Perl) and Tcl (PL/Tcl), as well as PL/pgSQL, a language which resembles Oracle's PL/SQL. Note that not all of these are sandboxed: PL/Python, and the plperlu and pltclu variants of PL/Perl and PL/Tcl, are "untrusted" languages whose functions can do anything the server's operating system user can (read files, open network connections), so only a database superuser may create functions in them; PL/pgSQL and the trusted plperl and pltcl restrict a function to what the calling database user could already do. More information about the specific server programming languages mentioned above may be found in the following locations:

Python (PL/Python) http://www.postgresql.org/docs/current/interactive/plpython.html
Perl (PL/Perl) http://www.postgresql.org/docs/current/interactive/plperl.html
Tcl (PL/Tcl) http://www.postgresql.org/docs/current/interactive/pltcl.html
PL/pgSQL http://www.postgresql.org/docs/current/interactive/plpgsql.html

With a feature set rivalling those of the leading commercial databases and support on a wide number of platforms and programming languages, Postgres is a great option for your database needs. Its ease of setup and the ability to write server-side functions in various languages help it pull ahead of MySQL in the open source database arena and, for those of us who like a graphical interface for creating databases, tables and so on, phpPgAdmin (http://phppgadmin.sourceforge.net/) gives you a phpMyAdmin-like web front end. There is also no reason to be worried about adopting Postgres as your database solution because you fear a lack of commercial support. The Postgres team maintains a detailed list of companies offering support for Postgres, broken up by geographic region, at http://www.postgresql.org/support/professional_support. There you can find contact information, each company's specialties, number of employees, business hours and even the languages they speak.

James Hollingshead is the Executive Editor of O3 Magazine. He can be reached via email at james@o3magazine.com.


NETWORK SECURITY
Beyond Intrusion Detection

GETTING AN INTRUSION DETECTION SYSTEM INSTALLED IS ONLY THE FIRST STEP; MANAGING AND MAINTAINING THE INTRUSION DETECTION SYSTEM CAN BE SIMPLIFIED THROUGH THE USE OF VARIOUS THIRD PARTY APPLICATIONS. BY JOHN BUSWELL

Last month we took a broad look at open source Intrusion Detection System (IDS) solutions, with a focus on Snort, the industry-standard IDS. This month we will look at how to handle the data from the IDS, dynamic event handling, front ends, how to keep your IDS rules up to date and how to test your IDS. Like last month, this article is intended to provide you with a quick top-down assessment of your available options; later in the series we will focus in detail on building and configuring a complete IDS solution.
EVENT HANDLING

Barnyard takes the job of writing events out of Snort's critical path: Snort writes alerts to its fast, binary "unified" output files and goes straight back to processing packets, while Barnyard follows those files and passes each event through one or more output plug-ins. The main advantage to using Barnyard is on high-speed networks where Snort has to deal with large volumes of data. Barnyard also requires fewer privileges than Snort: Snort needs root (or the equivalent capability) to capture packets, whereas Barnyard only needs to read the unified files and hold the database credentials. Barnyard works hand in hand with some form of database and supports both Postgres and MySQL. It has two modes, batch and continuous processing. In batch mode Barnyard processes a given set of files and then stops; in continuous mode it processes the files and then waits for the next Snort event. This makes it possible to run Snort on one system and use several systems running Barnyard to process the data, which might be shared via NFS or another network file system.

The Fast Logging Project for Snort (FLoP) provides similar event handling but with a different delivery system. FLoP decouples the output plug-ins from snort, gathers all alerts and passes them on to a central server, which collects and stores the data in a database for further processing. While the results are similar to Barnyard, the approach is innovative and offers a much faster solution on a high-speed network where multiple snort sensors are deployed. FLoP can be downloaded from http://www.geschke-online.de/FLoP/.

DYNAMIC EVENT HANDLING

While reporting a critical event so that an administrator or a third-party application can do something about it is important, real-time dynamic event handling is far more responsive and lays the foundation for a good Intrusion Prevention System. Starting with Snort 2.3.0 RC1, an integrated IPS capability called snort_inline was added. Instead of sniffing packets with libpcap, snort_inline receives the packets that the iptables (Linux firewall) QUEUE target hands to user space via libipq and returns a verdict for each one, so a Snort rule can decide whether a packet is allowed through. Three rule actions are added for this: drop (drop the packet and log), reject (drop, log and send a TCP reset or ICMP unreachable back to the sender) and sdrop (drop silently without logging). The end result is that Snort enforces its rules on live traffic in real time. A number of other projects provide similar functionality. Fwsnort (http://www.cipherdyne.org/projects/fwsnort/) translates Snort rules into equivalent iptables rules; snort2pf (http://unixgu.ru/?go=snort2pf) offers similar functionality for the OpenBSD packet filter (pf) by blocking the source addresses of alerts through pf tables, and an improved fork called snort2c (http://snort2c.sourceforge.net/) also exists. One caveat applies to any tool that blocks on the source address of an alert: an attacker who can forge that address (trivially for UDP and ICMP) can make your own gateway or DNS server the victim, so such tools must be given a whitelist of infrastructure hosts and should act only on alerts from established TCP sessions.

FRONT ENDS

There are a number of front ends available for snort that simplify processing of snort output and/or snort configuration. Basic Analysis and Security Engine (BASE), available from http://secureideas.sourceforge.net/, is a project based on ACID that provides a web front end to query and perform analysis on alerts from snort. Another project, Placid (http://speakeasy.wpi.edu/placid/), provides similar functionality. SnortReport (http://www.symmetrixtech.com/download.html) provides a quick and straightforward solution if you are looking for simple reporting capabilities. SnortSMS provides an excellent web-based front end for remotely administering Snort- and Barnyard-based IDS solutions. It can push configuration files, manage rules and monitor the system's health and statistics, and is an excellent solution for unifying multiple snort sensors. SnortSMS can be found at http://snortsms.sourceforge.net/. Sguil (http://sguil.sourceforge.net/) provides a GUI-based analyst console for network security monitoring. It works in a client/server configuration, with a single Sguil server that interacts with the snort sensors and many GUI clients that interact with the Sguil server. Sguil's primary advantages over the ACID-based solutions are speed and the capability to do advanced queries. Unlike the web-based front ends, Sguil is a desktop GUI application.

RULES AND UPDATES

As we mentioned last month, the rules are the heart of your IDS solution, and keeping those rules up to date is a critical task. Oinkmaster (http://oinkmaster.sourceforge.net) is a Perl script that will update and manage snort rules. It is relatively simple to configure: edit oinkmaster.conf to define the necessary settings and the sources for rules (the same file holds the disablesid and modifysid entries that preserve your local tuning across updates), and then put oinkmaster.pl -o /etc/snort/rules into the crontab. Run it as an unprivileged user that owns the rules directory rather than as root, review the report of added, removed and modified rules that it prints, and remember that Snort must be restarted or sent a SIGHUP to pick up the new rules. Also worth a mention is SigTranslator, a project designed to convert IDS signatures between different formats. It can be found at http://translator.b59.net/.
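Oinkmaster's real value is less the download than the change report and the disablesid/modifysid overrides that survive each update. The following added example (written for this article, not Oinkmaster's code) implements that core on two constructed rule files: it keys rules by sid, reports added, removed and modified rules, and re-applies a local disablesid set, warning when an update would silently re-enable a rule the site had commented out. The rule texts and sids (1000001 onward, the local sid range) are constructed; the rule syntax is ordinary Snort 2.x syntax.

```python
"""Diff a Snort rule update against the installed set and re-apply local overrides.

Added example for this article; it mimics the change report and the
disablesid behaviour of Oinkmaster but is not Oinkmaster's code.
Both rule samples are constructed.
"""
import re

RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rules(text):
    """Map sid -> {'enabled', 'text'} for every rule in a rules file.

    A rule commented out with '#' is kept and marked disabled, so that a later
    update cannot silently re-enable something the local admin turned off.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        body = line.lstrip("# ").strip()
        if not body.startswith(RULE_ACTIONS):
            continue                          # blank lines, comments, var definitions
        m = SID_RE.search(body)
        if m:
            rules[int(m.group(1))] = {"enabled": enabled, "text": body}
    return rules


def diff_rules(old, new):
    """Return (added, removed, modified) sid lists between two parsed rule sets."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(s for s in set(old) & set(new) if old[s]["text"] != new[s]["text"])
    return added, removed, modified


def merge_update(old, new, disablesid):
    """Build the rule lines to install from the update while keeping local policy.

    'disablesid' is the set of sids the site keeps switched off (what Oinkmaster
    reads from oinkmaster.conf). Any sid that was disabled in the installed file
    but is not in that set is reported, because the update would otherwise
    switch it back on without anyone noticing.
    """
    lines, warnings = [], []
    for sid in sorted(new):
        rule = new[sid]
        if sid in disablesid:
            lines.append("# " + rule["text"])  # local override always wins
            continue
        if sid in old and not old[sid]["enabled"] and rule["enabled"]:
            warnings.append(f"sid {sid} was disabled locally but the update re-enables it")
        lines.append(rule["text"] if rule["enabled"] else "# " + rule["text"])
    return lines, warnings


# Constructed samples: the installed rules and a freshly downloaded update.
OLD_RULES = """\
# constructed sample of the installed rules (not a real ruleset)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; threshold: type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
#alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC old check"; sid:1000003; rev:2;)
"""

NEW_RULES = """\
# constructed sample of the downloaded update
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; threshold: type both, track by_src, count 5, seconds 60; sid:1000001; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SSL bad handshake"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    old, new = parse_rules(OLD_RULES), parse_rules(NEW_RULES)
    added, removed, modified = diff_rules(old, new)
    print(f"added {added}, removed {removed}, modified {modified}")
    lines, warnings = merge_update(old, new, disablesid=set())
    for w in warnings:
        print("WARNING:", w)
    print("\n".join(lines))
```

The warning is the point: in the sample the update re-enables the ICMP echo rule that had been commented out by hand, which is exactly the noise an unattended cron job will reintroduce unless the sid is recorded in the disablesid set and re-applied on every run.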
TESTING THE IDS

Once you have your IDS in place, have the event handling set up and are performing analysis on the data from the IDS, you will most likely want to test your IDS rather than wait for an attack to do it for you. The best way to test your IDS is to use any of the widely used scanning and vulnerability assessment tools. Such tools include nmap (http://www.insecure.org/nmap), yersinia (http://yersinia.sourceforge.net/), Nessus (http://www.nessus.org) and Dsniff (http://www.monkey.org/~dugsong/dsniff/), or you could craft your own test traffic with a packet-crafting library such as Scapy (http://www.secdev.org/projects/scapy/). Any of these will work very well for testing purposes. Run them only against systems you own or are authorised to test, from a host whose address you know, and then compare the alerts that appear against what the test should have triggered: a scan or exploit attempt that produces no alert points to a missing rule, a misplaced sensor or a sensor that is dropping packets under load.

NEXT

In the next issue, we will look at load balancing Snort sensors as part of an IDS load-balancing solution.

SGUIL SCREENSHOTS - EVENTS (TOP), QUERY BUILDER (BOTTOM)
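Both the dynamic event handling section and the testing advice above come down to reading Snort's alert output and acting on it. The following added example (not code from Snort, snort2c or fwsnort) parses the "snort -A fast" alert format, proposes firewall blocks the way the snort2c-style tools do but with the guards a practitioner would insist on (TCP alerts only, a whitelist for infrastructure hosts, a minimum alert count), and reports which of the signatures a test run should have triggered actually fired. The alert lines, addresses and sids are constructed, the whitelist network and thresholds are assumptions for the demonstration, and the iptables commands are only returned as strings, never executed.

```python
"""Parse Snort 'fast' alerts, propose firewall blocks, and check test coverage.

Added example for this article (not Snort, snort2c or fwsnort code). The alert
lines below are constructed; the firewall commands are returned as strings.
"""
import ipaddress
import re
from collections import Counter

# One line of "snort -A fast" output. The port suffixes are absent for ICMP and
# the [Classification]/[Priority] tags are optional, so they are captured loosely.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?P<tags>.*?)\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
PRIO_RE = re.compile(r"\[Priority:\s*(\d+)\]")


def parse_fast_alerts(text):
    """Return one dict per recognisable alert line; other lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        p = PRIO_RE.search(a["tags"])
        a["prio"] = int(p.group(1)) if p else 0      # 1 is the most severe
        alerts.append(a)
    return alerts


def propose_blocks(alerts, whitelist, min_alerts=3, max_prio=2):
    """Firewall commands for sources that have earned a block.

    Two guards against an attacker steering the IDS into blocking the wrong
    host: only TCP alerts count (UDP and ICMP sources are trivially spoofed),
    and addresses inside the whitelist (gateway, resolvers, monitoring hosts)
    are never blocked. One alert is not enough; min_alerts must accumulate.
    """
    safe = [ipaddress.ip_network(n) for n in whitelist]   # assumed site whitelist
    hits = Counter()
    for a in alerts:
        src = ipaddress.ip_address(a["src"])
        if a["proto"] != "TCP" or not 1 <= a["prio"] <= max_prio:
            continue
        if any(src in net for net in safe):
            continue
        hits[a["src"]] += 1
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src, n in sorted(hits.items()) if n >= min_alerts]


def coverage(alerts, expected_sids):
    """Which of the sids a test run should have triggered actually fired."""
    fired = {a["sid"] for a in alerts}
    wanted = set(expected_sids)
    return sorted(fired & wanted), sorted(wanted - fired)


# Constructed alert log: an SSH brute force, a ping from the gateway, one scan
# signature, and a UDP alert whose source claims to be the gateway.
ALERT_LOG = """\
12/05-14:03:11.103211  [**] [1:1000001:2] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.0.2.10:22
12/05-14:03:12.220984  [**] [1:1000001:2] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51240 -> 192.0.2.10:22
12/05-14:03:13.410552  [**] [1:1000001:2] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.7:51251 -> 192.0.2.10:22
12/05-14:04:02.000113  [**] [1:1000002:1] ICMP echo request [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
12/05-14:05:30.771002  [**] [1:1000005:1] nmap XMAS scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:40000 -> 192.0.2.10:443
12/05-14:05:31.771002  [**] [1:1000006:1] UDP probe with forged source [**] [Priority: 2] {UDP} 192.0.2.1:5353 -> 192.0.2.10:53
"""

if __name__ == "__main__":
    found = parse_fast_alerts(ALERT_LOG)
    for cmd in propose_blocks(found, whitelist=["192.0.2.0/24"]):
        print(cmd)
    fired, missing = coverage(found, [1000001, 1000005, 1000007])
    print("fired:", fired, "missing:", missing)
```

With the sample log only the SSH brute-force source is proposed for blocking: the single scan alert is below the threshold, and the two alerts naming the gateway address are ignored both because of the whitelist and because they are ICMP and UDP. The coverage report is the post-test check from the section above: sid 1000007 was expected from the test run and never appeared, which is the gap to investigate.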
