
CONTENTS

Editorial 6
Events 8
Report 9

NEXT MONTH @ O3
The focus is on creating a secure Internet presence. Running dynamic network protocols, QoS and more.

SECURITY
Grsecurity Reviewed 11
A next generation Linux kernel security patch suite provides better protection than SELinux without losing RBAC.

INTERNET
Internet Infrastructure 17
James Hollingshead looks at methods to evaluate Global Internet Infrastructure.

WEB TECH
High Performance Web 20
James Hollingshead looks at the benefits of localizing delivery of web content for different markets around the world.

BUSINESS
Linux on the Big Iron 25
Dave Jones looks at Linux on the IBM zSeries, the advantages and how Linux is extending the mainframe into the 21st century.

NETWORKING
Mainframe Networking 28
Dave Jones introduces us to networking on the IBM zSeries.

VOIP (Voice over IP)
RTSP 35
At the very heart of SIP is RTSP, Real Time Streaming Protocol. Raja Hammad looks at the protocol in-depth.

Introducing dNMS 40
Upcoming NMS solution.

Intrusion Detection 44
Load balancing Snort with Nortel Application Switches.

o3 Magazine / January 2006 Page 4

EDITORIAL
Sometimes things..
JUST DON'T GO ACCORDING TO PLAN. THIS MONTH'S ISSUE DEVIATES SLIGHTLY FROM OUR PLANNED CONTENT BUT IS IN NO WAY WORSE OFF FOR IT... BY JOHN BUSWELL

Welcome to Issue 3 of o3 magazine. It has been an exciting first three months with Issue 2 downloads eventually exceeding the initial Issue 1 downloads by over 100,000 readers. We would like to thank everyone who took the time to contact us by mail, phone and email to praise the publication. We would also like to thank the brave individuals who took the time to provide public criticism regarding our first two issues in their blogs. If you need to blame someone for having to wait an extra two weeks for Issue 3, look no further. The decision was made to give ourselves enough time to review all of the feedback, both direct and indirect, and make improvements to the presentation and delivery of o3. Issue 3 was built using a custom environment built entirely from source under Mandriva 2006. We're now running Scribus 1.3.2 which, if you are unfamiliar with it, is an open source publishing application available from http://www.scribus.org.uk. This latest development release has improved PDF export capabilities, so hopefully that should address the page layout complaints we received about previous issues displaying 4 pages at a time in some PDF viewers. Hopefully we have corrected the baseline technicalities that some professional publishers pointed out about o3 with the upgrade and some improved quality control measures. The overall success of o3 is something we hope we can continue to enjoy, and the concept of o3 seems to be far more threatening to the mainstream IT media than our free publication. If you are a professional IT writer and you see us make a mistake, please let us know. The entire o3 publication is built by engineers, not English majors, so your help is appreciated. Due to space constraints, the planned article for building secure appliances has been postponed until a later date, and replaced with an article that introduces grsecurity. The next issue of o3 (February 2006) is almost complete, and again, part of our reasoning behind the delay of this issue was to get ahead. That issue looks at building a secure Internet presence with a focus on Dynamic Network Protocols, QoS, rrdtool, deploying secure DNS and much more. If you're concerned your Internet presence isn't deployed properly, then don't miss our next issue. Finally, we're pleased to announce the addition of our own dedicated European server and another 10Mbps of bandwidth in Florida. If you happen to be near Ohio on Thursday March 23rd 2006, check out the ad on the back page. This will be the first event since Ohio LinuxFest 2005 that you'll be able to meet and greet the team behind o3 and AppOS in person. We'll be happy to discuss o3, scribus, open source and answer your questions.

o3 Magazine, January 2006, Issue 3

EDITOR IN CHIEF: John Buswell, editor@o3magazine.com
EXECUTIVE EDITOR: James Hollingshead, james@o3magazine.com
ARTWORK: John Buswell
PROOF READERS: Greg Jordan, Shawn Wilson, Frank Boyd, Stew Benedict
SALES AND MARKETING: Greg Jordan, sales@o3magazine.com
SUBSCRIPTIONS: o3 Magazine is distributed electronically free of charge by Spliced Networks LLC. To subscribe visit www.o3magazine.com.
SOFTWARE: Scribus 1.3.2, GIMP 2.0.5, OpenOffice 1.1.2
Copyright (C) 2002-2006 Spliced Networks LLC


EVENTS
UPCOMING EVENTS

Developer Relations Conference
February 6 - 7, 2006, San Francisco, California, USA
http://www.evansdata.com/drc2

Implementing IT Security - Strategy to Reality
February 8 - 9, 2006, Seattle, Washington, USA
http://www.ip3seminars.com/

Charting Your Course Through Open Source
February 11, 2006, Burlington, Massachusetts, USA
http://www.mitforumcambridge.org/ww06/opensource.html

Southern California Linux Expo
February 11 - 12, 2006, Los Angeles, California, USA
http://www.socallinuxexpo.org/

RSA Conference 06
February 13 - 17, 2006, San Jose, California, USA
http://2005.rsaconference.com/us/c4p06/

OSBC West
February 14 - 15, 2006, San Francisco, California, USA
http://www.osbc.com/live/13/events/13sfo06a

Embedded World 2006
February 14 - 16, 2006, Nuremberg, Germany
http://www.embedded-world-2006.de/

LinuxWorld Conference & Expo
February 14 - 17, 2006, Mexico City, Mexico
http://www.linuxworldexpo.com.mx/

Open Source World Conference
February 15 - 17, 2006, Malaga, Spain
http://www.opensourceworldconference.com

Sun Tech Days 06
February 22 - 23, 2006, Singapore, Singapore
http://developers.sun.com/events/techdays/

PyCon 2006
February 24 - 26, 2006, Addison, Texas, USA
http://www.python.org/pycon/2006/

Have an upcoming event? Tell us about it, send email to events@o3magazine.com with details.

FEATURED FUTURE EVENT

FOSDEM 2006
February 25 - 26, 2006, Brussels, Belgium
http://www.fosdem.org/index

FOSDEM is a free and open source software developers' European meeting organized by volunteers. The event is a two day event to promote the use of Free and Open Source software. This year marks the sixth event, and is being held in the city of Brussels, Belgium. FOSDEM meetings are recognised as the best Free and Open Source events in Europe. FOSDEM is a free event that relies upon donations to help organize and to keep the event free.


REPORT
JANUARY OPEN SOURCE REPORT

Welcome to the Open Source Report. This is the section of o3 where we give a brief run-down of the major applications which made releases during the month.

SCRIBUS
http://www.scribus.org.uk/
Release: 1.3.2
The latest release of Scribus resolved over 290 requests and bugs. A major code restructuring was undertaken in preparation for a new modular file load and save system. Support for EXIF and more TIFF and PSD file formats was added. Image tinting and sharpening effects were implemented. Section-based page numbering is now supported. Updates were made for Windows and Mac OS X compatibility. Significant updates were made to the documentation.

WINE
http://www.winehq.org/
Release: 0.9.6
The latest release of Wine includes several OLE fixes and improvements, DirectSound improvements, including full duplex support, a fix for the Windows metafile vulnerability, many static control improvements, some fixes for copy protection support and many bugfixes.

FAST LOGGING PROJECT FOR SNORT
http://www.geschke-online.de/FLoP/
Release: 1.5.0
In the latest release of FLoP, a control thread was added so that some parameters can be changed during runtime. The restriction of one snort process per sensor was removed. This way it is also possible to encrypt the communication via stunnel or an SSH tunnel.

LIGHTTPD
http://www.lighttpd.net/
Release: 1.4.9
The latest release of lighttpd fixed a critical source file retrieval issue on case-insensitive file-systems like HFS+ on Mac OS X and an issue with endless logfile writing if the fastcgi backend is dead. A new statistics framework was added. mod_cml now has a power-magnet for rewriting requests with LUA.

THUNDERBIRD
http://www.mozilla.com/thunderbird/
Release: 1.5
The latest release of Thunderbird includes new features including automatic updates, anti-phishing protection, inline spell checking, saved search folders, podcasting, RSS improvements, the ability to delete attachments from messages, and a whole lot more.

FREERADIUS
http://www.freeradius.org/
Release: 1.1.0
The new release of FreeRADIUS is focused on new features and bugfixes without sacrificing stability. New features include more vendor dictionaries, support for Lucent and Starent VSAs, support for Juniper encrypted VSAs, N-tier certificates, and loadbalanced access to back-end databases. In addition, the Perl module is now stable, and a new "sqllog" module may be used to lower the load on an SQL server.

POSTGRESQL
http://www.postgresql.org
Release: 8.1.1
This release of Postgres improves concurrent access to the shared buffer cache and allows index scans to use an intermediate in-memory bitmap. Two-phase commit has been added. It creates a new role system that replaces users and groups, automatically uses indexes for MIN() and MAX(), adds shared row level locks using SELECT ... FOR SHARE, adds dependencies on shared objects, specifically roles, and improves performance for partitioned tables.


SECURITY
Grsecurity Reviewed
GRSECURITY IS A PATCH SUITE FOR THE LINUX KERNEL THAT PROVIDES A WIDE RANGE OF INTERESTING SECURITY ENHANCEMENTS BY JOHN BUSWELL

Grsecurity is a suite of patches distributed in a single patch file for the Linux kernel that provide a wide range of security enhancements. Earlier this month, news reports uncovered the United States government engaging in covert surveillance of its own citizens without a warrant, an effort spearheaded by the NSA, the same NSA responsible for the SELinux patches which are currently used in the mainstream kernel. While it is unlikely the NSA has tried to insert any suspect code into the SELinux patches, the possibility is there. The NSA released SELinux under the GPL in January 2001, approximately 11 months prior to the presidential order handing the NSA special powers to investigate within the United States. If you manage a foreign business or government network, then you might want an alternative to SELinux, or at least audit the SELinux source code with caution. Armed with your distrust for the United States government, you want to run something that might be more politically correct in your country, or simply something that provides superior security. In that case, you'll like grsecurity. Grsecurity physically alters the Linux kernel, providing tighter restrictions. Grsecurity features can be manipulated through the standard /proc interface (sysctl). Grsecurity is available from http://www.grsecurity.net. The latest release at the time of writing is patched against Linux 2.6.14.6.

    [johnb@x2 tmp]$ cd linux-2.6.14.6
    [johnb@x2 linux-2.6.14.6]$ patch -Np1 -i ../grsecurity-2.1.8-2.6.14.6-200601211647.patch

Several screens roll by, so check that nothing broke by scanning for .rej files:

    [johnb@x2 linux-2.6.14.6]$ find ./ | grep rej
    [johnb@x2 linux-2.6.14.6]$

Next, simply clean the environment and run the kernel configuration tool:

    [johnb@x2 linux-2.6.14.6]$ make mrproper
    [johnb@x2 linux-2.6.14.6]$ make menuconfig

The grsecurity features can be found under Security options. You will see two new menu options, PaX and Grsecurity. You need to enable Grsecurity under the Grsecurity menu option in order for the PaX options to appear.

    [*] Grsecurity
          Security Level (Custom)  --->
          Address Space Protection  --->
          Role Based Access Control Options  --->
          Filesystem Protections  --->
          Kernel Auditing  --->
          Executable Protections  --->
          Network Protections  --->
          Sysctl support  --->
          Logging Options  --->

While you can run with the low, medium, high presets under Security Level and call it a day, we're going to run through the Custom options. It's likely that the presets will break some application you want to use, so it's usually a good idea to walk through the custom options.

ADDRESS SPACE PROTECTION

If you don't need to use loadable modules, which is often the case on a dedicated server, you can close up shop by enabling Deny writing to /dev/kmem, etc. However, if you do need to use modules, perhaps a third party loadable module that's only available in executable format, then this option is simply unavailable to you. Disabling privileged I/O blocks access to all ioperm and iopl calls, which can be used to modify a running kernel. Some programs do need these calls to function properly, one is XFree86, however since most servers don't run X, this is perfectly ok. The other notable application is hwclock, which can be fixed by enabling RTC support in the kernel. The Deter exploit brute forcing is a neat feature that helps deter brute force attacks against applications such as apache or sshd that fork child processes. With this feature enabled, the parent process is delayed 30 seconds upon every subsequent fork following an illegal instruction crash or having been killed by PaX. Runtime module disabling enables kernel modules to be loaded at boot time, but once loaded, they cannot be unloaded. This is a useful protection against rootkit installation by malicious users. Hiding kernel symbols, provided you are not using a precompiled distribution kernel, and restricting access to the kernel files themselves, can help protect against local and remote kernel exploitation. In our server configuration, it is safe to enable the last three options.

    [ ] Deny writing to /dev/kmem, /dev/mem, and /dev/port
    [ ] Disable privileged I/O (NEW)
    [ ] Deter exploit brute forcing (NEW)
    [ ] Runtime module disabling (NEW)
    [ ] Hide kernel symbols (NEW)
ROLE BASED ACCESS CONTROL OPTIONS

The RBAC menu enables you to hide kernel process information and sets limits to lock out password attempts. Once locked, the menu has an option to wait a specific amount of time before unlocking. Control over grsecurity's RBAC system is done with a utility called gradm. The steps to manage RBAC are fairly straightforward.

First set a password:

    gradm -P admin

Now you can login with the admin command:

    gradm -a

Now you can set up RBAC by using grsecurity's learning mode. In this mode, grsecurity monitors the system looking for processes that run with root privileges, access the network or write to key files. Then grsecurity generates an access control list (ACL) to run these processes with minimal privileges.

    gradm -F -L /etc/grsec/learning.log

During the learning process, you need to avoid any administration tasks involving root. As it runs for a few days, grsecurity will have had enough time to recognize normal system activity, then it's time to disable learning mode and log into gradm in admin mode.

    gradm -F -L /etc/grsec/learning.log -O /etc/grsec/acl

The above command will write out the ACL to disk. Finally start up the RBAC with the new ACL; at any time you can disable RBAC with gradm -D.

    gradm -E

FILESYSTEM PROTECTION

One of the best features of Grsecurity is its capability to lock down chroot() within the kernel. If you're not familiar with chroot(), the easiest way to describe it is that it manipulates the root directory (/) so that it becomes a specific directory for a running process. For example, let's say we start our application in /chroot/dns/; here we run the named process with / = /chroot/dns. The environment sees /chroot/dns as /, so anything below /chroot/dns is unavailable, normally (eg. you cannot cd ../ from /). The first set of filesystem protections restrict /proc to either a particular user (UID) or a particular group (GID),


meaning you can run your applications under their own username, but only users in a special group can actually access /proc. If your named user for running bind (dns), for example, is compromised, and they're not in the /proc group or are not the /proc UID, they cannot access /proc. If you select to restrict to a UID, you cannot use the group feature.

    [*] Proc restrictions
    [ ]   Restrict /proc to user only
    [ ]   Allow special group (NEW)

The linking restrictions prevent users from following symlinks that are owned by another user in world-writable directories. This prevents /tmp race exploits. The FIFO restrictions do the same thing for FIFOs.

    [*] Linking restrictions
    [*] FIFO restrictions

The chroot() restrictions in Grsecurity are very impressive. Most of the options are pretty straightforward; the ones that might not be so apparent, we will discuss. The pivot_root capability in Linux allows you to switch the root directory. It's intended for booting from initial ramdisks, however it has possible uses to compromise security. The option can be enabled via sysctl, enabling the use of the command during boot in an initrd, then disabling it once that has completed. If you run all your applications within chroot(), then Deny sysctl writes tidies up any potential reversal of the security options via sysctl. Deny double-chroot prevents chroot() from being used within an existing chroot() environment to break out of the chroot. This, combined with Enforce chdir("/"), cleans up the shortfalls with the chroot command. Unfortunately, many administrators rely too much on chroot, and many of the capabilities Grsecurity adds to chroot() are things that administrators think chroot() already provides when it does not. In our configuration, it's safe and recommended to enable all of these. The chroot part of the filesystem protection menu in the kernel configuration looks like this:

    [*] Chroot jail restrictions
    [ ]   Deny mounts
    [ ]   Deny double-chroots
    [ ]   Deny pivot_root in chroot
    [ ]   Enforce chdir("/") on all chroots
    [ ]   Deny (f)chmod +s
    [ ]   Deny fchdir out of chroot
    [ ]   Deny mknod
    [ ]   Deny shmat() out of chroot
    [ ]   Deny access to abstract AF_UNIX sockets out of chroot
    [ ]   Protect outside processes
    [ ]   Restrict priority changes
    [ ]   Deny sysctl writes
    [ ]   Capability restrictions
NETWORK PROTECTIONS

Grsecurity cleans up a number of things with Linux Networking. The larger entropy pool enables better randomization. Randomized TCP source ports uses a random value based algorithm instead of simply incrementing source port numbers. The socket restrictions provide controls to block specific groups from creating sockets, client sockets and server sockets. If you run a daemon that doesn't need to create client sockets, then adding that user to the deny client sockets group prevents that service, if compromised, from being used to send packets to systems that might trust that now compromised system more than an outside IP.

    [*] Larger entropy pools
    [*] Randomized TCP source ports
    [*] Socket restrictions
    [ ]   Deny any sockets to group
    [ ]   Deny client sockets to group
    [ ]   Deny server sockets to group (NEW)

KERNEL AUDITING, LOGGING AND SYSCTL SUPPORT

The kernel auditing menu provides a wide range of events to log. Grsecurity has the capability of only auditing a specific group, which enables an administrator to add users to a specific group that they want to watch, instead of having to watch trusted users on the system, if desired. The logging menu provides control to rate limit the amount of log information that is logged to prevent flooding. The sysctl menu enables sysctl support, which I would highly recommend, and disable turning on all features as default. It is better to handle turning the features on during boot, so as to not over-restrict the system so that it cannot boot.
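Turning the features on during boot, as recommended above, comes down to a small init script that writes the grsecurity sysctls for the profile discussed in this article (chroot, linking, FIFO and client-socket restrictions) and sets the lock last, so nothing can switch them back off. The script below is an added example, not code from the article or from the grsecurity project: the knob names are assumed to be those grsecurity exposes under /proc/sys/kernel/grsecurity for the options discussed, group id 1002 is a constructed value, and make_fake_grsec_dir builds a scratch stand-in so the logic can be tried on a machine without a grsecurity kernel.

```sh
#!/bin/sh
# Constructed example (not from the o3 article or from grsecurity itself).
# Applies the grsecurity sysctls for the server profile discussed in the
# article, then sets grsec_lock last so the settings cannot be reverted.
# The sysctl directory is a parameter so the same functions can be run
# against a scratch directory that mimics /proc/sys/kernel/grsecurity.

# Knob names assumed to follow grsecurity's naming of the corresponding
# menuconfig options; verify against your kernel's /proc/sys/kernel/grsecurity.
GRSEC_ON="chroot_deny_mount chroot_deny_chroot chroot_deny_pivot \
chroot_enforce_chdir chroot_deny_chmod chroot_deny_fchdir chroot_deny_mknod \
chroot_deny_shmat chroot_deny_unix chroot_restrict_nice chroot_deny_sysctl \
chroot_caps linking_restrictions fifo_restrictions socket_client"

# set_sysctl DIR NAME VALUE: write VALUE to DIR/NAME if that knob exists.
# Returns 0 on success, 1 if the knob is absent (kernel built without it).
set_sysctl() {
    dir=$1; name=$2; value=$3
    [ -w "$dir/$name" ] || return 1
    printf '%s\n' "$value" > "$dir/$name"
}

# apply_grsec DIR CLIENT_GID: turn on every knob in GRSEC_ON, point the
# client-socket denial at CLIENT_GID, then lock. Prints each knob that was
# missing and returns the number of missing knobs (0 means all applied).
apply_grsec() {
    dir=$1; client_gid=$2; missing=0
    for knob in $GRSEC_ON; do
        set_sysctl "$dir" "$knob" 1 || { echo "missing: $knob"; missing=$((missing+1)); }
    done
    set_sysctl "$dir" socket_client_gid "$client_gid" || missing=$((missing+1))
    # The lock must be the last write: once set, grsecurity refuses further changes.
    set_sysctl "$dir" grsec_lock 1 || missing=$((missing+1))
    return $missing
}

# check_grsec DIR: return 0 if every knob reads 1 and the lock is set, else 1.
# Suitable as a post-boot sanity check or a monitoring probe.
check_grsec() {
    dir=$1
    for knob in $GRSEC_ON grsec_lock; do
        [ -r "$dir/$knob" ] || return 1
        [ "$(cat "$dir/$knob")" = 1 ] || return 1
    done
    return 0
}

# make_fake_grsec_dir DIR: constructed stand-in for /proc/sys/kernel/grsecurity,
# every knob starting at 0, used to exercise the functions without a grsec kernel.
make_fake_grsec_dir() {
    dir=$1
    mkdir -p "$dir"
    for knob in $GRSEC_ON socket_client_gid grsec_lock; do
        echo 0 > "$dir/$knob"
    done
}

# Real use, as root at the end of boot (after any initrd pivot_root has run):
#   apply_grsec /proc/sys/kernel/grsecurity 1002 && check_grsec /proc/sys/kernel/grsecurity
```

Run it as the last step of the boot sequence rather than from an initrd, since Deny pivot_root in chroot and the lock would otherwise interfere with the boot itself.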
EXECUTABLE PROTECTION

Grsecurity offers a number of protections for protecting executables. It can check for resource limits during execve() instead of just during fork(). It can clear unused shared memory, it can limit access to dmesg, randomize process IDs and has support for Trusted Path Execution. Further executable protection is offered under the PaX menu under Non-executable pages. Utilizing Restrict mprotect() and Disallow ELF text relocations, if your operating system is compiled as PIE (position independent executables) with PIC (position independent code), it's possible to add a high degree of security by enabling this option. For further information on PIE and this option, refer to previous o3 security articles in Issue #1.

PAX

PaX is controlled through the paxctl application. PaX is a patch that implements least privilege protections for memory pages in the Linux kernel. PaX is a substantial asset in securing a Linux system; for a detailed explanation of PaX and how PaX works, there is an excellent entry on Wikipedia (http://en.wikipedia.org/wiki/PaX). While grsecurity may not have the high profile of SELinux, it is by far the more capable solution.

JOHN BUSWELL IS CTO OF SPLICED NETWORKS LLC. EMAIL JBUSWELL@SPLICEDNETWORKS.COM.


INTERNET
Evaluating your Internet Infrastructure
TODAY IT IS NO LONGER JUST A MATTER OF HAVING AN INTERNET PRESENCE; THAT PRESENCE MUST BE HIGHLY AVAILABLE AND RESPONSIVE FOR YOUR TARGET MARKET BY JAMES HOLLINGSHEAD

Evaluating your Internet infrastructure has a lot in common with the strategic planning and evaluation of most things. After the techno-speak and business speak are stripped away, it really comes down to two basic concepts: what you have and what you need.

WHAT DO I HAVE?

For the moment, put the issue of need aside. The first thing you want to look at are the resources you currently have. Take a look at the way your network is right now. You need to ask yourself the following set of questions. Don't worry if you don't know all of the answers off the top of your head, but it is important to find them. First, what public servers do you have on your network? Is it just a web or mail server or do you have half a dozen production boxes, a mail server, and the Robosapien that you got for Christmas? How many of them need to be at your physical location? (hint – the Robosapien probably isn't one of them.) Which of the services that you have are business critical? If there is any doubt as to whether a service is business critical or not, think of what would happen if it suddenly went down. If the answer is that you and your employees would not be able to work, would be unable to make money, or would lose a great deal, then it is a business critical service. Where, physically, are your servers? Are they in Chicago, somewhere on the east coast, California, or somewhere else? Where are the majority of your customers? Are they in the eastern United States or in central Germany? If you have multiple large concentrations of customers, list all of them. The important thing for this point is to have a list of where the bulk of your traffic comes from. How much traffic do you have? Do you experience consistent traffic or does it come in spikes with mild to moderate traffic at all other times? If you experience major traffic spikes, do they follow any certain pattern? Do they only happen for a few hours once a month or do they last for days? Next, how much bandwidth do you pay for? Are you paying for a T1, fractional T1, business class DSL, or some other form of connection? If it's a T1 or T3, remember that there are usually two charges – one for the carrier (who supplies the physical line – generally the phone company) and one for the ISP (who provides your Internet connection). How much downtime do you experience in a typical month? Is it just a few hours or can it be measured in days? Do you have a service level agreement (SLA) with your provider? If so, is it satisfactory for your needs? How many physical connections to the outside world does your network have? Is there just one point of entry for your network, or are there multiple ones?
HOW DO I USE MY RESOURCES?

I know I said that it boils down to resources and needs (which it does), but before you can answer the question of what you need, you have to think about how you use the things that you already have. What are you using your public servers for and how much of your bandwidth do they use? Are they mail or VoIP servers (which make sense to have on site) or are they production boxes which can generally be pretty much anywhere? If they are production boxes and they are using a lot of bandwidth, you might want to see if it makes sense to move them to a colocation site. How much bandwidth do you use? You already looked at how much of your bandwidth your production boxes take up. Now it's time to look at the network as a whole (both incoming and outbound traffic). Also consider the amount of bandwidth you would be using if your production boxes were colocated somewhere else. Are you paying bandwidth or transfer overage charges? Some service providers offer connections that normally function at one speed but are burstable to a higher speed (sometimes charging a fee if you exceed the normal speed for a certain period of time). Likewise, some providers meter the amount of data that you can transfer per billing period and charge you extra for the amount that you exceed that limit by. Are the services that you identified as business critical redundant? If the server you have it hosted on exploded, would you still be able to do work? Believe it or not, this is something which I have seen in the past. It was impressive and awe inspiring but it was also not the best way to start a day at work (especially since it was the middle of February and we had to open the windows in order to vent the resulting smoke). You've answered the questions of where your servers are and where your customers are. Do these two answers complement each other? If most of your customers are in the western portion of the United States and your server is in California, then the answer is yes. If most of your customers are in New York and your servers are in Germany, that's something you might want to change. Lastly, do you have heavy concentrations of customers in countries other than the one your home office is in?
WHAT DO I NEED?

Now that you've made a list of what you have and how you use it, you can start to look at how things need to be changed.

Are you paying for a lot of bandwidth that you aren't using, or paying overage charges? This question is a little tricky, because the objective is to have more bandwidth than you need, but not too much more. Having too much bandwidth is a bad thing, but not having enough is even worse. First, consider the amount of bandwidth that your production servers (or any other server that it might make sense to co-locate) are using. If you have multiple T1s just to supply bandwidth to your production boxes, they don't necessarily have to be on site, and the bulk of your remaining traffic is simple email or browsing, it might make more financial sense to have them hosted elsewhere and downgrade the service in your office to business DSL. On the other hand, if you have a fractional T1 and actually use the bandwidth, it might make more sense to upgrade to a full T1, because pricing for a full T1 is generally cheaper due to the extra work the phone company has to do to provision a fractional T1. If you have any questions as to whether you are getting a good price for your T1 or T3 line, www.bandwidth.com is a good place to check for price quotes. It should also be noted that installation fees might be waived and your fees lowered if you sign a long term service contract (much like the pricing difference between a regular cell phone plan and one with a two year contract).

One thing to keep in mind if you want to change the type of connection you have is the SLA. T3 and T1 lines generally have very good SLAs, while the SLA for business class cable tends to be much poorer and not really suited to running production servers. DSL tends to be somewhere in between cable and T1 in terms of SLA, but access to business DSL is often bandwidth or distance limited.

Now that you know where your customers are and where your servers are, do you need servers in other locations to cater to them? If so, you might want to look at the web tech section in this issue. If you have heavy concentrations of customers in foreign countries, it would also make sense to have country specific (e.g. .co.uk) domains for those countries. This will allow you to have language specific sites as well as save both you and your customers from trying to figure out how to deal with currency differences, tax, shipping, etc.

In the last section, you looked at whether or not your business critical services were redundant. If the answer is no, you have a few options.
• Simply add another server where you are that will run backup versions of those services in the event that the main server goes down. This is often the cheapest option. However, if something were to happen to your building (fire, flood, earthquake, etc.), your business critical services would still go down.

• Open a remote office with redundant servers and staff. While this option works really well (providing you have a competent staff), it tends to be much more expensive than most companies are able (or willing) to deal with.

• Pay to have redundant servers co-located. While more expensive than simply adding another server to your rack, it is markedly less expensive than opening a whole new office. This option is discussed in more depth in the web technologies section of this issue.

If there is only one physical access point from your network to the outside world, you might want to consider adding a second one. The reason for this is that these links occasionally fail for various reasons. The most infamous of these is often referred to as the Backhoe of Doom, which is when someone digging a trench doesn't make absolutely certain that there is nothing important buried where they want to dig before they bring in the earth moving equipment. If this happens to you and that link to the outside world is a single point of failure, you're going to be stuck playing solitaire and emailing the other people in your building, because you certainly won't be able to do much else.

Above all, you should remember to leave yourself room to grow as far as network requirements are concerned. If you've locked yourself into a certain plan for an extended period of time in order to get a good rate and your needs suddenly increase, you may find yourself stuck with either overage charges or a network which cannot handle the amount of data being demanded of it (if you stay with that provider), or cancellation fees (if you need to go with a different provider because your current one no longer fits your needs). It is rare for a provider to charge you for breaking a contract if you move to a larger contract with that same provider. The exception is if you can use co-location and load balancing to move enough traffic through a network other than the one at your location.
WHAT ELSE COULD I USE?

Covering what you need is vital. However, there are things which, while not necessary to your network and Internet infrastructure, can help improve it. Among these possible non-vital improvements: if you decide to keep your production servers at your location, and want the connection they have to the outside world to be solid while it is all right for the rest of your traffic (such as email and browsing) to go down on rare occasions, you might want to consider keeping your production servers on a T1 and the rest of your traffic on business class DSL. To do this, you can use QoS (Quality of Service), which is now available in the Linux kernel, to route outbound traffic from your production servers over the T1 while routing all non-essential traffic over your DSL connection.

Your infrastructure isn't something that should only be evaluated once and then forgotten. Like the rest of your business, it may have to change over time. You should re-evaluate it periodically to see if you need to expand or shrink. It's all a matter of knowing what you have, what you need, and how to balance the risks and rewards of how you deal with your resources.

James Hollingshead is Executive Editor at o3 Magazine. James can be reached at james@o3magazine.com. Contact James if you are interested in having bandwidth.com quote you for lower cost business DSL, T1 or T3 pricing.


WEB TECH

Providing High Performance Web Services

DOING BUSINESS ON A GLOBAL SCALE REQUIRES A GLOBAL INTERNET PRESENCE. LOCALIZED CONTENT IS A START, BUT LOCALIZED CONTENT DELIVERY IS A REQUIREMENT IN TODAY'S WORLD. BY JAMES HOLLINGSHEAD

Back in the mid 90's, when the world wide web was relatively new, just having a website that had information about your company was sufficient. Websites were pretty expensive to maintain because of the bandwidth and server costs involved, so most businesses only had one. Things are a little different now. With the decrease in the cost of bandwidth and server grade computers, those websites are now used for everything from simply supplying information to e-commerce and the large-scale distribution of content (such as this magazine). With the changes in the way the Internet is used, the way that websites were handled had to change as well. One set of servers in a single geographic location providing all the global services for your customers is no longer sufficient.
WHY SHOULD I BE CONCERNED?

Having multiple servers worldwide which host your business services has several advantages. The most obvious is redundancy. If one server goes down, customers can still access the remaining servers. This is very important if you use your server for e-commerce or critical customer services, because downtime has a direct effect on the bottom line. There was one very dramatic example of what can happen to a server in one location when Hurricane Katrina made landfall at New Orleans. Many businesses located there had great difficulties in relocating their servers and experienced severe amounts of downtime. One data center there was the notable exception, because they staffed their floor of the building through the entire ordeal, keeping the servers up with a diesel generator and the looters away through other means. They even kept a weblog during their ordeal to show people what the city was like during the disaster. In fact, they were one of the main, unbiased sources of news for the city of New Orleans for a significant portion of the disaster. However, while their efforts were extremely impressive (and I admit that I read the blog daily), not every place which hosts servers will go to such lengths to ensure your uptime.

Having multiple servers in different geographic locations allows you to let customers in other parts of the world have faster access to your sites and allows you to better tailor your content to other cultures. This means that someone in Asia would be able to access your site on a server closer to where they are, rather than having to deal with the latency of a connection between them and North America (for instance), and will be able to view a site with, to them, a more native feel than the one that your American customers would use. This is very important, because we all want to feel comfortable when using on-line services, and most people will not wait more than a few seconds to begin seeing results when accessing your website.

Tied to these first two points is an important third point – sometimes it isn't the server that goes down. While it's a very good start, it's not always enough simply to have servers in different parts of the world. The unfortunate truth is that, on thankfully rare occasions, entire networks can lose connectivity to the outside world. The bad news is that it can sometimes take days to get service fully restored if something catastrophic happens to the network. The solution to this is to have at least one of your servers on a different network provider than the others. Don't worry too much about this point right now, because we'll discuss it later.

Having multiple servers also allows you to do something else that can be very useful – load balancing. If one of your servers is experiencing heavy traffic for whatever reason (like we tend to after releasing a new issue), traffic can be routed to one of your other servers which is less busy. This means that, instead of having to wait or make multiple attempts to connect to your site, a customer gets access to your site hosted on a different server with little delay.
HOW DO I DO THIS?

There are a couple of ways to obtain co-location for your servers. One way is to set up another office at a separate location and hire staff for it in order to manage your servers. As you might expect, this option is pretty expensive. The other option is to pay another company for dedicated hosting and co-location services. This saves you the cost of having full time staff in multiple locations, though you still need to buy your own servers. It does, however, come with a great deal of choice and a few pitfalls to overcome.

Granted, you could also go with shared hosting (where you share the server that you use at the hosting company with some of their other customers) to save even more money, but that comes with a whole other set of problems. The first of these is that it isn't your server. You only have so much space on it, and the rest is reserved for the other customers. You also have to hope that what they are using the server for isn't too processor or memory intensive. The upshot of this is that, unless you're really strapped for finances, it's usually better to get your own dedicated server.

First, you need to find a company to host your server. When checking out prospective hosting companies, the first thing you want to do is make sure that they're actually up and running. While it may be funny to find hosting companies who can't even keep their own servers on-line, you really don't want to use one, for obvious reasons. Next, try digging around a little on-line and see if you can find any reviews of them. Google is really your friend in this, because seeing the praise and complaints that other customers have had for the company will give you a better idea of what to expect. Remember to take all reviews with a grain of salt, because not all of them are honest, but the chances are that if you see nothing but bad reviews for the company, it's best to look elsewhere. After you've looked around for reviews of your potential hosting company, get in touch with them. Ask them for a test IP address and get it in writing that the address is on the same network as the service that you want. Perform a traceroute on the IP that you've been given to make sure that it doesn't take too many hops to get to.

Now it's time to get in touch with the people that will actually be running the server. Before we even get to the physical requirements, ask them what your hardware options are. Do they host both towers and rack mounted servers? If they host rack mounted servers, do they host (or charge more for hosting) 1U, 2U and 3U servers? Do they have deals with server vendors which may save you money on support in the event of hardware failure? What operating systems do they support? If they're a Windows only shop and you have things which have to run on Linux or BSD, then they're really not an option. Make sure that they do a minimal install on the server. One of the main causes of security breaches is having a server that is running services which you aren't using. Ask them what their power situation is. See if they have adequate battery backups and an on site generator for extended power outages. Make sure that their network is in good order. Remember that a network can only transmit data as quickly as its slowest part. If they're running a firewall on a 386 box which all traffic has to go through, you're going to have trouble. Also make sure that the number of hops from your server to the outside world isn't too high. If the traffic just goes through a couple of switches, you're fine. If, on the other hand, to paraphrase a colleague of mine, it goes through half a dozen hubs, a hamster running on a wheel, the aforementioned 386, a hot air balloon, and then another hub or two before reaching your server, there's going to be a problem.

Make sure that the fiber they use to connect to the outside world has multiple access points, so their network won't become inaccessible in the event of a backhoe accidentally cutting the cable. I know it sounds unlikely, but it can and does happen, and when it happens, it takes a considerable amount of time to fix. Be absolutely positive that their hosting facility is climate controlled and has appropriate fire suppression systems. Also make sure that it's secured – preferably guarded, and in a building with closed circuit cameras and the servers in cages. Nothing can ruin your day faster than a hard drive that's died from the heat, unless it's the server being engulfed in flames or someone just completely walking off with it. It's also important to ask when they have staff there in case of an emergency reboot, and how often they make backups of the server. In addition, be sure to ask if they keep a copy of the backups off site in case of fire or flood.

Finally, check for hidden costs. For example, if they offer the server as 5Mbit/sec but have it on a 100Mbit/sec port with huge overage charges, it might be worth considering finding a different host.
WHY WOULD I NEED TO BE ON DIFFERENT NETWORKS?

No matter how many precautions are taken, sometimes backbone networks do become inaccessible to other backbone networks. It can be because a backhoe cuts a vital cable or for any number of other reasons, but the truth is that it does happen, albeit rarely. The way to prevent this from affecting your business is to have at least one of your co-located servers on a different backbone network than the others. For instance, if all of your servers are on networks supplied by Qwest, it would be a good idea to have one hosted on a network that is supplied by another backbone network like MCI. This means that, even if Qwest disappears off the face of the earth for a few days, your site will still be accessible. This can help prevent a lot of headaches.

DO I NEED A SEPARATE WEBSITE FOR EVERY SERVER?

The short answer is no, you don't need a separate website for every server. You may, however, want to have separate websites for region or language specific content. For example, commerce carried out in the United States has a whole different set of taxes, shipping requirements, etc. compared to commerce that might be carried out in the European Union. In order to minimize the strain on your customers, it would make sense to set up a separate domain (say, .co.uk) for purchases made in that region.

I realize that, at the moment, how all of this works together is probably a little fuzzy. After all, we're talking about having servers in different parts of the world that, as far as anyone accessing them is concerned, are all the same machine. Customers don't want to have to worry about choosing a server closer to them, and you don't see how to get around that. Don't worry. There's help with that too.

HOW DOES ALL THIS WORK?

Companies such as Nortel (www.nortel.com), F5 (www.f5.com), Radware (www.radware.com) and Coyote Point (www.coyotepoint.com) sell networking devices that help take care of this problem for you. Basically, the devices they sell for this purpose are DNS servers that reply with a specific site based on the source of the client. This way, if someone from Asia accesses your site, they get sent to the server closest to them instead of the server in the United States, or wherever it is you happen to be. Their products are fairly simple and painless to get up and running, and some of them can even handle the network load balancing that was discussed earlier. If you want to save yourself the cost of buying an appliance to do the job of making this all work, you can do it yourself with the language and country data in web browsers and open source tools like mod_rewrite.

Any way you look at it, unless you're just running a personal site or one that isn't very important to your business, it's a good idea to have it set up in such a way that there is no single point of failure and that it can be accessed quickly from any part of the world in which you might do business. You can easily save more than the cost of the co-location due to increased uptime. While this hasn't been an overly in-depth look at the problem and its solutions (that would take entire books), I hope it has been a useful overview and has helped point out why and how you should distribute your web presence around the world.

If you're still in doubt as to whether or not you should distribute your web presence, honestly consider the loss your company would experience in the event of the catastrophic destruction of your web server versus the fairly small cost of a dedicated co-located setup. You'll probably find that the second option is a lot cheaper.

James Hollingshead is Executive Editor of o3 magazine. James can be reached via email at james@o3magazine.com. If you are interested in writing an article, providing feedback or have any comments or suggestions regarding o3 or this article, please feel free to contact James. If you liked this article or discovered an error with the content, please let James know directly rather than commenting on it privately in your blog.
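As an added illustration (not code from the article or from any of the vendors it names), the following Python sketches the two mechanisms the "How does all this work?" section describes: answering a client with the regional server nearest its source address while skipping servers on a backbone that has gone dark, and choosing a country-specific site from the browser's Accept-Language header. All prefixes, server addresses, backbone names and domains are constructed.

```python
"""Region- and language-aware site selection (illustrative, constructed data)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed table: which network prefixes we treat as which region.
# A real deployment would use a GeoIP database or the appliance's own data.
REGION_PREFIXES: List[Tuple[str, str]] = [
    ("203.0.113.0/24", "asia"),     # TEST-NET-3, standing in for an Asian ISP
    ("198.51.100.0/24", "europe"),  # TEST-NET-2, standing in for a European ISP
    ("192.0.2.0/24", "us-west"),    # TEST-NET-1, standing in for a US ISP
]

# Constructed server inventory: each region's server and the backbone it sits on.
# Note that two regions share "carrier-a": if that backbone fails, only "europe" survives.
SERVERS: Dict[str, Dict[str, str]] = {
    "asia":    {"ip": "10.1.0.10", "backbone": "carrier-a"},
    "europe":  {"ip": "10.2.0.10", "backbone": "carrier-b"},
    "us-west": {"ip": "10.3.0.10", "backbone": "carrier-a"},
}
# Constructed policy: where to send clients whose region is unknown or unreachable.
FALLBACK_ORDER = ["us-west", "europe", "asia"]

# Constructed mapping from lower-cased language tag to a regional domain.
LANGUAGE_SITES: Dict[str, str] = {
    "en-gb": "www.example.co.uk",
    "en-us": "www.example.com",
    "en":    "www.example.com",
    "de":    "www.example.de",
    "fr":    "www.example.fr",
}
DEFAULT_SITE = "www.example.com"


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Return (tag, q) pairs from an Accept-Language header, best first.

    A missing q defaults to 1.0, a malformed q is treated as 0 (never chosen),
    and the sort is stable so the browser's own order decides ties.
    """
    prefs: List[Tuple[str, float]] = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        tag, _, params = item.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = max(0.0, min(1.0, float(value)))
                except ValueError:
                    q = 0.0
        prefs.append((tag.strip().lower(), q))
    return sorted(prefs, key=lambda tq: -tq[1])


def choose_site(header: str, sites=LANGUAGE_SITES, default=DEFAULT_SITE) -> str:
    """Pick the regional site: exact tag first, then its primary subtag (de-AT -> de)."""
    for tag, q in parse_accept_language(header):
        if q <= 0 or tag == "*":
            continue
        if tag in sites:
            return sites[tag]
        primary = tag.split("-")[0]
        if primary in sites:
            return sites[primary]
    return default


def region_for_ip(client_ip: str, prefixes=REGION_PREFIXES) -> Optional[str]:
    """Longest-prefix match of the client address against the region table."""
    addr = ipaddress.ip_address(client_ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, region in prefixes:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, region)
    return best[1] if best else None


def choose_server(client_ip: str, down_backbones=frozenset(), servers=SERVERS) -> str:
    """Answer a client with its regional server, or the nearest reachable one.

    `down_backbones` models the failure the article warns about: a whole
    provider network becoming unreachable. Servers on it are never returned.
    """
    reachable = {r for r, s in servers.items() if s["backbone"] not in down_backbones}
    if not reachable:
        raise RuntimeError("no reachable server on any backbone")
    region = region_for_ip(client_ip)
    if region in reachable:
        return servers[region]["ip"]
    for fallback in FALLBACK_ORDER:
        if fallback in reachable:
            return servers[fallback]["ip"]
    raise RuntimeError("fallback order does not cover the reachable servers")
```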

FREE ADVERTISING

This publication was started to help companies, consultants and other IT decision makers make informed decisions when it came to selecting Open Source solutions for Enterprise Data Networking problems. Sometimes the most innovative technology doesn't make it due to a lesser technology having better marketing. To help innovative companies deliver their products to the hands of IT decision makers, we are pleased to announce a new advertising program to help innovative small businesses. Whether you're an established small business or simply a developer looking to promote your own project, you now have the opportunity to promote your products to over 500,000 readers in over 140 countries.

Each advertisement that we receive will be placed into a pool, and each month we will randomly select at least three advertisers. Whenever there is space at the end of an article, we will also tap the free advertisement pool.

To submit your advertisements, please send them in JPEG format at 300 dpi, no compression, in one of these sizes:

Column 3.35" (wide) x 9.00" (high)
Square 4.00" x 4.00"

Advertisements should be sent to sales@o3magazine.com with a Subject containing "o3 small ad pool submission".

Requirements: All applicants must have an annual sales revenue under US$1,000,000 and have under 100 employees. o3 magazine reserves the right to refuse submissions based on content and quality.


BUSINESS

Linux on Big Iron

EVERYONE KNOWS THAT LINUX IS REVOLUTIONIZING IT DATA CENTER OPERATIONS. A WELL-HIDDEN SECRET IS THAT LINUX IS REVOLUTIONIZING THE IBM MAINFRAME. BY DAVE JONES

"BIG IRON"

By now, it is very well known that Linux is revolutionizing IT data center operations, capabilities and procedures in a wide range of environments, from SMB (small and medium business) settings to Fortune 100 organizations. What is not so widely known is that Linux is also revolutionizing the IBM mainframe ("big iron") environment as well. There are many reasons for this, but three important ones are:

• Linux can take optimal advantage of the classical mainframe strengths
• Linux allows for significant server consolidation using mainframe virtualization
• Linux supports on-demand e-business initiatives that are growing in importance to large organizations

We'll take a look at each of these reasons in turn, starting with the classic mainframe strengths.

MAINFRAME STRENGTHS

The S/390, zSeries and now the newest z9 family of hardware have been IBM's flagship enterprise system offering for decades. This family of systems has an unparalleled record for high availability, reliability and security in supporting mission-critical systems and data across a wide variety of enterprises and applications. Some of the unrivalled strengths of the zSeries (strengths that are just now seeing a renewed focus of development effort in competitive offerings) are its availability, scalability and manageability.

To support the high availability characteristics found in the zSeries design, all major system components are replicated as a standard feature, providing automatic recovery capability and automatic switchover to spare components without interrupting system operation. Most major components can be serviced concurrently with normal system operations, limiting the amount of time spent in unscheduled outages. The newest member of IBM's mainframe offerings, the z9-109, actually allows a complete "book" of four processors to be concurrently removed from the server and reinstalled during an upgrade or repair without affecting the operation of the other installed processor books or of the system itself. Redundant I/O interconnections between the processor books provide connectivity to I/O resources on other books during a processor's removal.

In today's large IT data centers, it's not uncommon to find a number of systems working together in tandem to support an organization's critical business data processing needs. Multiple zSeries systems, both physical and virtual, can be monitored, controlled, and maintained from a single central point. Since not everything that runs on a server has equal priority to the business, zSeries systems allow a site to manage the relationships of various transaction types, their interdependencies and change management in a complex environment. zSeries processors, I/O channels and devices, and communications interfaces are available in a number of configurations designed to support the requirements of anywhere from a few tens of users to thousands of concurrent users, processing data from the megabyte to the multi-terabyte range. Processors can be incrementally upgraded or replaced to meet growing demands, allowing the business to quickly and non-disruptively adapt to changing business needs and requirements.

The On/Off Capacity on Demand capability of the IBM zSeries processors is designed to provide even greater flexibility by allowing IT data centers to turn on additional, temporary system resources to meet the demands of business cycles or unexpected demand throughout the year, and then turn them back off when they're no longer needed. This can help IT departments control costs while meeting unpredictable or transient capacity needs. Recent events in the rapidly expanding on-demand e-business economy have highlighted the continuing importance of these design criteria – where IT is not only a peripheral component of the business but is the core business, as is the case in established e-business organizations such as eBay and amazon.com. These factors, coupled with IBM's substantial reduction in the cost of zSeries component systems over the last 20 years (for example, the copper on silicon chip technology), are making a significant impact on the much-touted "cost savings" of alternative platforms.

Because of Linux's modular and well designed structure, it can very easily be adapted and tuned to take advantage of the many strengths of the IBM zSeries. Architecture-specific open source patches to the Linux kernel, provided by IBM and commercial distributors like Novell SuSE and Red Hat, now allow Linux to:

• Utilize the hardware cryptographic accelerators
• Share applications in memory via an "execute in place" file system
• Share parts of the kernel among different Linux virtual guests, reducing the total amount of real memory required
• Utilize z/VM support for virtual disks and DCSS memory areas as very high performance swap devices
• Produce performance data that can be processed and reported on by performance monitoring software
SERVER CONSOLIDATION

Linux running on IBM's zSeries servers has brought new meaning to the term server consolidation. The zSeries platform has long been recognized for the ability to scale to support consolidation of diverse workloads onto zSeries servers. In the past this was typically "vertical" scaling, or put another way, getting a more powerful processor to contain the workloads of less powerful processors. Linux adds another dimension to that. Now, with IBM's premier virtualization operating system, z/VM, running on a zSeries processor, "horizontal" consolidations are possible as well. By supporting the creation of many virtual application servers on single zSeries servers, IT sites now have the advantage of being able to deploy solutions using the familiar "single server / single application" model, while taking advantage of savings in floor space, power, maintenance effort, and networking complexity by consolidating onto a single zSeries server.

Server consolidation rests on the mainframe's ability to easily and quickly create virtual processors, communications, storage and I/O devices, thus helping to reduce the overhead of planning, purchasing and installing new hardware to support new workloads. Unlike many of the popular processors in use today, the zSeries processor and its instruction set have been designed from the outset to support efficient and fast virtualization. The virtualization technology for zSeries is composed of two elements: a hardware element (the processor, its memory and I/O subsystems) and a software element (the z/VM operating system). Both of these elements are considered at the time the zSeries server is being designed; zSeries virtualization is not an afterthought, but is built in from the beginning, and virtualization is not a new concept to the zSeries systems.

ON-DEMAND E-BUSINESS SUPPORT

On demand e-business can be defined as building responsiveness into every part of IT. This can be accomplished by building an IT infrastructure that can support rapid, but controlled, changes to central business objectives. Linux on the zSeries can be a central part of the foundation of an on demand e-business environment, because it combines the industrial strength scalability, security and reliability of the IBM zSeries with the flexibility and open standards of the Linux operating system. This can help to achieve objective and measurable results for the IT organization. An on demand e-business infrastructure has these characteristics:
• It is integrated so applications and processes can interoperate across platforms
• It is open so IT organizations have the flexibility to run applications on the platforms that make the most sense
• It is virtualized so it can help improve utilization rates, realize cost-efficiencies and leverage existing assets
• It is autonomic so less human intervention is needed to manage the system

Linux on the IBM zSeries helps provide a proper foundation for building an on-demand e-business structure. The Linux environment on the IBM zSeries mainframe is designed to provide the following capabilities:
• Infrastructure simplification through virtualization for rapid deployment, configuration and management of virtual Linux servers. Virtualization can be provided either by z/VM or by zSeries' LPAR capabilities. z/VM provides a way to support hundreds to thousands of Linux guests, while up to 60 Linux images can be supported on the new z9 system (up to 30 LPARs supported on older zSeries systems).
• Business integration through open and industry standards, fast data access, resource sharing, and system utilization efficiency to easily integrate large amounts of data and their applications.
• Robust and strong security features built-in from bottom to top: hardware, virtualization, operating system, applications.
• Automatic systems management for rapid and dynamic responses to a wide variety of changing workloads, while providing hardware utilization efficiencies.

Running the Linux operating system on an IBM zSeries mainframe, either directly in an LPAR or as a guest of z/VM, is a smart choice. In today's intensely competitive on-demand, e-business world, putting Linux on the zSeries means that Linux can transparently take advantage of the strong IBM support for its mainframe hardware architecture and its reliability, availability and serviceability (RAS) features. Coupled with IBM's premier virtualization engine, z/VM, Linux can provide an IT organization with the best of both worlds: the robustness, security and reliability of the IBM mainframe and the wealth of cutting edge applications and tools available in the open source environment, as well as applications from a number of leading software vendors.

DAVE JONES IS A LEADING IBM ZSERIES EXPERT. DAVE CURRENTLY WORKS FOR V/SOFT SOFTWARE BASED OUT OF HOUSTON, TEXAS. DAVE CAN BE REACHED BY SENDING EMAIL TO DAVE@VSOFTSOFTWARE.COM.

NETWORKING
Networking on the IBM zSeries
CONNECTING THE MAINFRAME TO THE NETWORK ..... IS FAR MORE COMPLEX THAN SIMPLY TURNING UP AN ETHERNET INTERFACE. BY DAVE JONES

With Linux now running ever more mission critical and business centric applications on IBM's new class of zSeries mainframes, getting the information from those applications out on the net and to the people that need it rapidly and reliably is important. This article will take a look at how the zSeries mainframes can be physically connected to networks and how industry standard network connectivity is implemented. Future articles will cover how these physical connectivity options can be virtualized and used by a large number of Linux systems running on the mainframe.
PHYSICAL NETWORK CONNECTIONS

There are four ways a zSeries mainframe can support physical connections to networks and other systems:
• Open Systems Adapter-Express (and its antecedent, the Open Systems Adapter-2)
• Common Link Access to Workstation (CLAW) interface
• Channel-to-Channel Adapter (CTC)
• HiperSockets

Let's take a closer look at each of these, in reverse order.
HIPERSOCKETS

HiperSockets is IBM Licensed Internal Code which runs on both standard and Integrated Facility for Linux (IFL) processors in both 31-bit and 64-bit environments, as well as with the new zSeries Application Assist Processor (zAAP). It is part of z/Architecture technology including QDIO and advanced adapter interrupt handling to jump start message processing and minimize the frequency and overhead associated with I/O interrupts. The data transfer itself is handled much like a cross address space memory move, using the memory bus, not the Self-Timed Interface I/O bus. On z890, z990 and z9-109 processors, spanned channel support allows sharing of HiperSockets across multiple Logical Channel SubSystems (LCSS) and multiple LPARs. HiperSockets is designed to minimize contention with other system I/O activity; it does not use CPU cache resource, and thus has minimal effect on other activity in the zSeries server. Currently LP-to-LP communication is typically done through some type of external TCP/IP network, such as ESCON-attached external devices or an open systems adapter. HiperSockets provides "Network in the Box" functionality that allows high-speed any-to-any connectivity among different operating system images within the zSeries mainframe server without requiring any physical cabling. This "Network in the Box" concept minimizes network latency and maximizes bandwidth capabilities between z/VM, Linux for zSeries and z/OS images (or among combinations of these) to enable optimized e-business and ERP solutions within a single server. These images can be first-level (such as directly under an LPAR), or second-level images (such as under VM or VIF). Up to four separate Cluster LANs can be configured within a server, thereby allowing OS images to be grouped according to the function they provide. These groupings are independent of sysplex affiliation. HiperSockets can be thought of as "internal LANs" for the zSeries.

It is application transparent and appears as a typical TCP/IP device to the operating system software. HiperSockets provide very fast TCP/IP communications between servers running in different logical partitions (LPARs) on a zSeries machine. The z890, z990, and the newest z9-109 processors support up to 16 HiperSockets. The z800 and z900 processors support up to four HiperSockets. To communicate between servers running in the same zSeries Central Electronics Complex (CEC), HiperSockets sets up I/O queues in the zSeries processor's memory. The packets are then transferred at memory speeds between the servers, thereby totally eliminating the I/O subsystem overhead and any external network latency. The HiperSockets implementation is based on the OSA-Express Queued Direct Input/Output (QDIO) protocol; therefore, HiperSockets is called internal QDIO (iQDIO). HiperSockets is implemented in microcode that emulates the Logical Link Control (LLC) layer of an OSA-Express QDIO interface. Although HiperSockets is a type of virtualization technology, it relies on zSeries microcode to run, and for the purpose of this article, it will be categorized as a physical networking option. Typically, before a packet can be transported on an external LAN, a LAN frame has to be built, and the MAC address of the destination host or router on that LAN has to be inserted into the frame. HiperSockets does not use LAN frames, destination hosts, or routers. TCP/IP stacks are addressed by inbound data queue addresses instead of MAC addresses. The zSeries server microcode maintains a lookup table of IP addresses for each HiperSocket. This table represents an internal LAN. At the time a TCP/IP stack starts a HiperSockets device, the device is registered in the IP address lookup table with its IP address and its input and output data queue pointers. If a TCP/IP device is stopped, the entry for this device is deleted from the IP address lookup table.

HiperSockets copies data synchronously from the output queue of the sending TCP/IP device to the input queue of the receiving TCP/IP device by using the memory bus to copy the data through an I/O instruction. The controlling operating system that performs I/O processing is identical to OSA-Express in QDIO mode. The data transfer time is similar to a cross-address space memory move, with hardware latency close to zero. HiperSockets operations are executed on the processor where the I/O request is initiated by the operating system. HiperSockets starts write operations; the completion of a data move is indicated by the sending side to the receiving side with the sending side executing a Signal Adapter (SIGA) instruction. Optionally, the receiving side can use dispatcher polling instead of handling SIGA interrupts. The I/O processing is performed without using the System Assist Processor (SAP). This new implementation is also called a "thin interrupt". HiperSockets does not contend with other system I/O activity and it does not use CPU cache resources; therefore, it has no performance impact on other activity in the server. The HiperSockets operational flow consists of five steps:
1. Each TCP/IP stack (image) registers its IP addresses into HiperSockets' server-wide Common Address Lookup table. There is one lookup table for each HiperSockets LAN.
2. The addresses of the TCP/IP stack's receive buffers are appended to the HiperSockets queues.
3. When data is being transferred, the send operation of HiperSockets performs a table lookup for the addresses of the sending and receiving TCP/IP stacks and their associated send and receive buffers.
4. The sending processor copies the data from its send buffers into the target processor's receive buffers (zSeries server memory).
5. The sending processor optionally delivers an interrupt to the target TCP/IP stack. This optional interrupt uses the "thin interrupt" support function of the zSeries server, which means the receiving host will "look ahead," detecting and processing inbound data. This technique reduces the frequency of real I/O or external interrupts.
CHANNEL-TO-CHANNEL ADAPTER (CTC)

Channel-to-channel (CTC) is a point-to-point connection, using real hardware channels. CTC technology can be used to interconnect different physical servers, logical partitions, or both. Because all zSeries operating systems use the same link protocol, it is possible to connect a Linux server not only to another Linux image, but also to z/VM and z/OS TCP/IP stacks. CTC support exists for a number of IBM standard channel technologies including ESCON and FICON® channels.
ESCON CTC CONNECTIVITY

To connect two systems using ESCON, two separate channels are defined. The ESCON CTC connections can either be point-to-point or switched point-to-point (that is, they can be connected to an ESCON director). LPARs can share channel paths, and so optionally, they can share any control units and associated I/O devices configured to these shared channels. Sharing channel paths means that the number of physical connections between processor complexes can be reduced. This also helps reduce the amount of underfloor cable space needed.

FICON CTC CONNECTIVITY

Channel-to-channel communication in a FICON environment is provided between two FICON (FC) channel control units. There are several differences between the ESCON and FICON CTC implementations, as shown here:

                                          ESCON         FICON CTC
  Number of required channels             At least 2    1 or 2
  Channel dedicated to CTC function       Yes           No
  Number of unit addresses supported      Up to 512     Up to 16384
  Data transfer bandwidth                 12-17 MBps    Up to 2 Gbps
  Number of concurrent I/O operations     1             Up to 32
  Data transfer mode                      Half duplex   Full duplex

It is not recommended to use ESCON or FICON CTCs as networking connectivity options for zSeries mainframe systems. For inter-LPAR communications, HiperSockets or OSA-Express are a much more robust choice. For communications inside a single z/VM LPAR, virtual switches (VSWITCH) should be considered.

Although CTC bandwidth is good (particularly FICON Express), CTC connectivity is less fault tolerant than other solutions. Often, if one side of the link has a problem, one or even both of the systems have to be re-IPLed in order to restart the CTC link. For communications between the zSeries machine and other systems in the network, OSA-Express Gigabit Ethernet or OSA-Express 1000BASE-T adapters should be used.

COMMON LINK ACCESS TO WORKSTATIONS (CLAW)

Common Link Access to Workstation (CLAW) is a point-to-point protocol. A CLAW device is an ESCON channel-attached device that supports the CLAW protocol. These devices can be used to connect a Linux for zSeries, z/OS or z/VM system to another system, for example, a pSeries processor or a Cisco Channel Interface Processor (CIP) card. CLAW devices are "old technology" and are not as efficient or reliable as some other solutions discussed in this article. Instead, for communications between Linux and other systems in the network, use OSA-Express Gigabit or 1000BASE-T adapters, if at all possible.
OPEN SYSTEMS ADAPTER (OSA-EXPRESS AND OSA-2)

The IBM Open Systems Adapter-Express adapter family consists of integrated hardware features that are designed to provide direct connection for zSeries and S/390 Parallel Enterprise Servers G5 and G6 to high speed routers and switches, to other high speed servers, and to clients on local area networks (LANs).

OSA-EXPRESS

The OSA-Express feature plugs into a zSeries or S/390 I/O slot just like a channel card, providing a direct, peer-to-peer network connection. OSA-Express consists of multiple different hardware adapter types supporting a variety of networks: Gigabit Ethernet, 1000BASE-T Ethernet, Fast Ethernet, 155 Mbps ATM, and the 4/16/100 Mbps Token Ring. All feature types can use IBM's Queued Direct I/O (QDIO) architecture to help eliminate the need for channel control words (CCWs) and interrupts, resulting in accelerated TCP/IP data packet transmission and more efficient TCP/IP stack processing. QDIO also enables dynamic configuration of the adapter TCP/IP addresses, and offloading of functions like MAC handling, packet filtering and ARP function. QDIO supports TCP/IP only. The 1000BASE-T Ethernet, Fast Ethernet, Token Ring, and ATM features also support the non-QDIO operating mode, which is designed to provide support for TCP/IP and SNA protocols similar to the support provided by the prior generation OSA-2, but at the higher performance levels of the faster OSA-Express hardware. For example, using non-QDIO mode, the new 1000BASE-T Ethernet can support both TCP/IP and native SNA traffic at up to Gigabit speeds. Specific to the 1000BASE-T Ethernet feature, the new OSA-Express Integrated Console Controller (OSA-ICC) function is designed to provide up to 120 console session connections for z890 and z990 Initial Program Load and z/OS, z/OS.e, z/VM, VSE/ESA, and TPF operational consoles. Each OSA-Express card has one port on G5 and G6 servers and two ports on zSeries servers and can be attached directly to a LAN or ATM network. These cards are recognized by the hardware I/O configuration as one of the following channel types:
• OSD (Queued Direct I/O)
• OSE (Non-Queued Direct I/O)

The OSA-Express card on the zSeries 990 processor operating in QDIO mode can support up to 160 separate TCP/IP stacks and 480 devices per port.
QDIO MODE

Queued Direct I/O (QDIO) is a highly efficient data transfer mechanism. It reduces system overhead and improves throughput by using system memory queues and a signaling protocol to directly exchange data between the OSA-Express microprocessor and the TCP/IP stack. The QDIO-enabled OSA-Express adapter has a much shorter I/O instruction path length compared with the OSA-Express adapter in non-QDIO mode (which has the same I/O path length as the OSA-2 cards). Consequently, when running in QDIO mode, I/O interrupts and I/O path lengths are minimized. When running in QDIO mode, measurements have shown that there is a significant improvement in performance versus non-QDIO mode, in particular, a reduction of System Assist Processor (SAP) utilization and improved response time. The TCP/IP stack(s) of each operating system (z/OS, z/VM, zLinux and z/TPF are all supported) that shares a port on an OSA-Express card in QDIO mode dynamically registers all of their IP addresses with the card. Whenever IP addresses are deleted from or added to a network stack, the device drivers download the resulting IP address list changes to the OSA-Express card. The OSA-Express QDIO microcode assists in IP processing and offloads the TCP/IP stack functions in the following areas: a) multicast support, b) broadcast filtering, c) building MAC and LLC headers, and d) ARP processing. Offloading the processing of these functions to the PowerPC® processors that make up the OSA-Express adapter means that CP cycles are freed up to do other work. In a single guest, the effect might not be significant, but in a z/VM LPAR with Linux guests generating a moderate-to-high volume of network traffic, there can be great savings. Checksum processing calculates the TCP/UDP and IP header checksums to verify the integrity of data packets. This function is usually performed by a host system's TCP/IP stack. OSA-Express cards on the z990 and z890 processors have the ability to perform checksum processing on behalf of the upstream TCP/IP stack using a function called checksum offload. This function is only available for IPv4 packets. By moving the checksum calculations to an OSA-Express Gigabit or 1000BASE-T Ethernet card, host CPU cycles are reduced. This support is available with z/OS V1R5 and later and Linux for zSeries.
NON-QDIO MODE

When running in non-QDIO mode, a port on the OSA-Express card is defined as channel type OSE. In non-QDIO mode, the data follows the same logical I/O path as an OSA-2 card. Linux uses the LCS device driver to communicate with the device when it is running in this mode. The non-QDIO mode requires the use of the IBM OSA/SF program product for customization of the OSA-Express if the adapter is to be shared across multiple LPARs or Linux z/VM guests. The OSA-Express 1000BASE-T, FENET, and token-ring cards support both non-QDIO and QDIO modes. The OSA-Express Gigabit Ethernet card only supports QDIO mode. Unless there is a specific site requirement for non-QDIO mode (such as supporting SNA traffic), OSA-Express adapters should always be run in QDIO mode.
OSA-2

The Open Systems Adapter-2 (OSA-2) card was designed to provide direct, industry-standard network connectivity for the S/390® server. The OSA-2 card supports ATM, Ethernet, FDDI, and token ring. OSA-2 cards, introduced in 1995, use the Interconnect Controller architecture and thus are not as efficient as OSA-Express cards running in QDIO mode. The OSA-2 Fast Ethernet card, under the best conditions, has a maximum bandwidth of 100 Mbps. The OSA-Express Gigabit Ethernet and 1000BASE-T cards have, by comparison, a maximum bandwidth of 1000 Mbps. With that in mind, our recommendation is that you move to OSA-Express Gigabit Ethernet or 1000BASE-T. If the hardware environment supports only OSA-2 technology, directly connecting the Linux LPARs or Linux z/VM virtual guests to the OSA-2 adapter(s) will be the most efficient means of accessing the network. The alternative approach is to provide connectivity to the Linux guests through z/OS, z/VM, or a Linux guest acting as an intermediate router. That router machine "owns" the OSA-2 interface and the "back-end" Linux systems are connected to that router through a virtualization technology (virtual CTC, IUCV, or Guest LAN). Although this router can provide added functionality such as packet filtering and VPN support, it also adds latency and extra CPU overhead to the environment. One point to note, however, is that OSA-2 cards can only support 16 IP addresses per port. This limits the number of Linux guests or LPARs that can share the port.

DAVE JONES IS A LEADING IBM ZSERIES EXPERT. DAVE CURRENTLY WORKS FOR V/SOFT SOFTWARE BASED OUT OF HOUSTON, TEXAS. DAVE CAN BE REACHED BY SENDING EMAIL TO DAVE@VSOFTSOFTWARE.COM.

VOIP
Real Time Streaming Protocol (RTSP)
THE REAL TIME STREAMING PROTOCOL (RTSP) IS UTILIZED BY A NUMBER OF INTERNET MEDIA TECHNOLOGIES FROM VOIP TO MEDIA STREAMING. BY RAJA HAMMAD

Internet video streaming is a demanding and challenging task that has evolved tremendously in the last couple of years. Streaming video over the Internet involves six key areas: video compression, application-layer QoS control, continuous media distribution services, streaming servers, media synchronization mechanisms and streaming protocols. Moreover, video streaming applications have stringent requirements in terms of end to end delay and require high bandwidth, low packet loss, video-cassette recorder (VCR) like functionalities and low decoding complexity. Protocols for video streaming can be categorized into network layer protocols, transport protocols and session control protocols. A network layer protocol, such as IP, provides basic network services, whereas transport protocols, such as UDP, TCP, the real-time transport protocol (RTP) and the real-time control protocol (RTCP), provide end to end network transport services. A session control protocol, on the other hand, defines methods to control delivery of multimedia data during an established connection. RTSP is a session control protocol, at the application layer, to stream multimedia data over the Internet. While it does not deliver multimedia data itself, it provides a framework to support VCR-like operations such as stop, pause, play etc., and supports tunneling RTP traffic to work around firewalls. RTP provides media packetization to deliver data over the Internet and RTCP provides QoS management statistics to RTP, whereas RTSP is responsible for controlling the delivery of data.
RTSP is designed to be independent of the transport mechanism and thus does not rely specifically on RTP. The protocol can control multiple data delivery sessions, provides means to choose delivery channels (such as UDP, multicast UDP or TCP) and delivery mechanisms based upon RTP, and is designed to work for multicast as well as unicast. The protocol is similar in syntax and operations to HTTP but differs in many ways, such as:

• RTSP is a stateful protocol as compared to HTTP.
• Both client and server can issue requests, as opposed to HTTP where the client issues requests and the server responds.

One of the main functions of RTSP is to establish and control either a single or multiple time-synchronized continuous audio and video media streams between the server and client. The following operations are supported:

• Media retrieval: The client can request a presentation description to set up an RTSP session to send the requested media.
• Invitation of a media server: A media server can be invited to join an existing conference to play back a presentation or to record the presentation.
• Addition of media to an existing presentation: The server can notify the client about any additional media that may become available during an established session.

A client sets up an RTSP session with the server to retrieve media. A session, maintained by the server, typically consists of setting up a transport mechanism for the media stream, streaming the media and closing the stream. During a session, many transport connections, either TCP or UDP, can be opened up by the client to issue RTSP requests. RTSP streams are defined by a presentation description. The protocol defines a notion of presentation, which is a complete media package, presented to the client, that may consist of one or more streams. In most cases, this means the server controlling multiple streams using a single timeline (e.g. audio and video streams controlled by a single operation such as pause).

The information about the streams within a presentation is specified in the presentation description file. This information may include the set of encodings, the network address and information about the content. The presentation description file can be obtained by the client using HTTP, email or other means. Each presentation (set of media streams) or media stream is identified by an RTSP URL. For example, rtsp://example.host.com/matrix/audio defines the audio stream within the presentation "matrix", whereas the RTSP URL rtsp://example.host.com/matrix defines the presentation "matrix", which may be composed of audio and video data. RTSP may use a different protocol, such as TCP, to control a media stream than the one used for data delivery (such as UDP). This means that data delivery is independent and continues even if there is no RTSP communication between the server and client. RTSP is now an industry standard protocol. Work is in progress to revise and correct the flaws in the current standard, and for this an updated version, RTSP 2.0, has been proposed.
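To make the stateful, two-sided nature of the control channel concrete, here is a small server-side RTSP state machine written for this article as an added example; it is not code from the original text, DSS or Live555. The presentation URL, SDP body, session ids and port numbers are constructed sample values.

```python
"""Minimal RTSP control channel with server-side session state.

Added example, not code from the article, DSS or Live555.  RTSP reads like
HTTP on the wire, but the server keeps per-session state (INIT -> READY ->
PLAYING), echoes CSeq, issues a Session id on SETUP and refuses requests that
arrive out of order or name an unknown session.  All values are constructed.
"""
import secrets

# Simplified RFC 2326 server state machine: method -> (allowed in, leads to)
TRANSITIONS = {
    "SETUP": ({"INIT", "READY"}, "READY"),
    "PLAY": ({"READY", "PLAYING"}, "PLAYING"),
    "PAUSE": ({"PLAYING"}, "READY"),
    "TEARDOWN": ({"READY", "PLAYING"}, "INIT"),
}


def parse_message(raw):
    """Split a request or response into (start line, headers, body); header
    names are case-insensitive, so they are folded to lower case."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def serialise(start_line, headers, body=""):
    if body:
        headers["Content-Length"] = str(len(body.encode()))
    head = "\r\n".join([start_line] + ["%s: %s" % kv for kv in headers.items()])
    return head + "\r\n\r\n" + body


def build_request(method, url, cseq, extra=None):
    return serialise("%s %s RTSP/1.0" % (method, url), {"CSeq": str(cseq), **(extra or {})})


def build_response(status, reason, cseq, extra=None, body=""):
    # CSeq is always echoed so the client can match replies to outstanding requests.
    return serialise("RTSP/1.0 %d %s" % (status, reason), {"CSeq": cseq, **(extra or {})}, body)


def status_of(response):
    return int(parse_message(response)[0].split(" ")[1])


class RtspServer:
    """Serves one presentation; `sessions` maps session id -> state."""
    def __init__(self, presentation_url, sdp):
        self.presentation_url = presentation_url
        self.sdp = sdp
        self.sessions = {}

    def handle(self, raw):
        start, headers, _ = parse_message(raw)
        parts = start.split(" ")
        cseq = headers.get("cseq")
        if len(parts) != 3 or parts[2] != "RTSP/1.0" or cseq is None:
            return build_response(400, "Bad Request", cseq or "0")
        method = parts[0]
        if method == "DESCRIBE":            # stateless: no session needed
            return build_response(200, "OK", cseq, {"Content-Type": "application/sdp"}, self.sdp)
        if method not in TRANSITIONS:
            return build_response(405, "Method Not Allowed", cseq)
        session_id = headers.get("session")
        if method == "SETUP" and session_id is None:
            session_id = secrets.token_hex(8)   # random, so it cannot be guessed
            self.sessions[session_id] = "INIT"
        if session_id not in self.sessions:
            return build_response(454, "Session Not Found", cseq)
        allowed, next_state = TRANSITIONS[method]
        if self.sessions[session_id] not in allowed:
            return build_response(455, "Method Not Valid in This State", cseq, {"Session": session_id})
        self.sessions[session_id] = next_state
        extra = {"Session": session_id}
        if method == "SETUP":   # echo the transport, adding the server's RTP/RTCP ports
            extra["Transport"] = headers.get("transport", "RTP/AVP;unicast") + ";server_port=6970-6971"
        if method == "TEARDOWN":
            del self.sessions[session_id]
        return build_response(200, "OK", cseq, extra)


def run_exchange():
    """Client control sequence with two mistakes (PLAY before SETUP, PAUSE while
    not playing); returns the list of status codes the server answered with."""
    url = "rtsp://example.host.com/matrix"          # the article's sample presentation
    server = RtspServer(url, "v=0\r\ns=matrix\r\nm=audio 0 RTP/AVP 96\r\n")
    steps = [("DESCRIBE", {"Accept": "application/sdp"}), ("PLAY", {}),
             ("SETUP", {"Transport": "RTP/AVP;unicast;client_port=8000-8001"}), ("PAUSE", {}),
             ("PLAY", {"Range": "npt=0-"}), ("PAUSE", {}), ("TEARDOWN", {}), ("PLAY", {})]
    codes, session = [], {}
    for cseq, (method, extra) in enumerate(steps, start=1):
        reply = server.handle(build_request(method, url + "/audio", cseq, {**session, **extra}))
        codes.append(status_of(reply))
        sid = parse_message(reply)[1].get("session")
        if sid:
            session = {"Session": sid}
    return codes
```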
SETTING UP AN RTSP SERVER AND CLIENT

For the purpose of this article, I used Apple Darwin Streaming Server and the openRTSP client to demonstrate RTSP streaming over RTP.

APPLE DARWIN STREAMING SERVER

Apple Darwin Streaming Server (DSS) is the open source version of Apple's QuickTime Streaming Server (available under the Apple Public Source License (APSL)) that allows streaming media over the Internet using RTP and RTSP. DSS supports streaming QuickTime and MPEG-4 media and can deliver live as well as on demand media. It works for both multicast and unicast network transport to stream media, and it can also be configured to act as a relay where it listens to an incoming stream and forwards it to one or more destinations. Installation requirements can be found in the official documentation or in the "readme" file bundled with the source code. I installed DSS on Fedora Core 3. In the following section, I will be writing the exact steps that are required to install and set up DSS for streaming. [The scripts that come with the source code may or may not work on your system, or may require little tweaks to fix broken paths.]

1. Download the DSS source code from http://developer.apple.com/darwin/projects/streaming/. This step requires registration.
2. Untar the source file and cd to the newly created source directory.
3. Run the script buildtarball. This should compile the package. The script will take a few minutes, depending on the machine. You should see "Success!" at the end unless you get errors.
4. Move to the newly created "DarwinStreamingSrvr-Linux".
5. Run the Install script. There are two versions of the Install script, one under the root directory of the source code and the other one under "DarwinStreamingSrvr-Linux". Make sure you are in "DarwinStreamingSrvr-Linux" or you might get errors. The Install script will ask for the administrator username and password. You should see "Setup Complete!" at the end of a successful installation.
6. Under the directory "DarwinStreamingSrvr-Linux", there is a streamingadminserver.pl script that can be used to start the server. Moreover, it also initiates the streaming server administration interface. Run this script.
7. The administration of the server can be managed by entering the URL http://hostname:1220 into your browser. The screen will prompt you for the username and password entered earlier.
8. Next, another screen will appear that will ask for the MP3 password. This password will be used for streaming MP3.
9. The next screen will provide an option to enable SSL support. For the purpose of this setup, you can safely ignore it.
10. The next screen will present you with the default path of the streaming media folder. You can change it to whatever you want.
11. The next screen will provide an option to bypass firewalls. You can ignore it for the current scenario.

After finishing the whole process, you will see the server administration interface. At the top of the screen, you should see the message "Server is running". You can browse through the other admin options available. Now the streaming server is configured and ready for streaming the media. DSS comes with sample streaming media, including hinted(1) mp4 files that can be found in the source directory. These files are also copied, while installing the server, to /usr/local/movies. You should be able to stream the sample videos by using any media client which supports the sample files' format, by entering the RTSP URL, e.g. rtsp://hostname/sample_100kbit.mp4.

(1) Hint tracks contain the information streaming servers need to stream media properly. Refer to the DSS official guide for more information.

OPENRTSP

Live555 Streaming Media (http://www.live555.com) is a set of C++ libraries for streaming media over the Internet. The libraries are based on RTP, RTCP, RTSP and SIP and can be compiled for different platforms. Some popular applications such as liveCaster, MPlayer and VLC are already using these libraries. The source code is available under the LGPL and includes some sample programs to test the streaming setup. openRTSP is a command line utility, bundled with the libraries, that can be used to open, stream, receive and (optionally) record media streams. The program itself does not play the streams but can be used to forward them to another application. The libraries can be compiled easily by following the instructions on the website. I compiled and installed them on both Red Hat Enterprise Linux Server 3.0 and Fedora Core 3. Following are the steps required to get working with openRTSP:

1. Download the libraries from http://www.live555.com/liveMedia/public/live.2006.01.05.tar.gz and uncompress and untar it. This will create a directory "live".
2. Under the directory "live", enter the command ./genMakefiles linux. This will generate the necessary Makefiles.
3. Run make to compile the source code.

That's it. To test the library and sample programs, the binary executables can be run directly from their respective directory. These test programs can be found under the "testProgs" directory. For the next part of this article, I'm going to assume that DSS is not running right now. To see statistics while streaming, I would recommend not using the streamingadminserver.pl script and running the server manually instead. To do this, enter the following command under "DarwinStreamingSrvr-Linux":

# ./DarwinStreamingServer -d -S 10

The -d switch will force the server to run in the foreground, whereas -S will update the statistics every 10 seconds. I am also going to assume that the sample movie files which come with DSS are placed under /usr/local/movies. Now it's time to test the setup using the openRTSP client. Move to "/root/rtsp/live/testProgs" and enter the following command:

# ./openRTSP rtsp://server_host_name/sample_100kbit.mp4

You will see a lot of messages on the screen. These are basically what the client is communicating with the server over RTSP. At the same time, you should see streaming traffic by looking at the statistics running on the server.

openRTSP will not play anything on the screen, since it's not a media player; instead it will write the received data into an output file. The openRTSP client will retrieve all the subsessions (audio/video) and write each into a separate file. So in the above scenario, we should have "video-MP4V-ES-1" and "audio-MPEG4-GENERIC-2".

The output files can be played independently by a media player or can be combined to regenerate the complete presentation. Alternatively, any media player that supports the mp4 format can stream and play. For instance, MPlayer can be compiled to play the media streams by enabling Live media support. This can be done by passing the --enable-live and --with-livelibdir=<path to live media library> options. In order to stream your own mp4 files, you may have to hint them before streaming. Please refer to the DSS official documentation for further details. The LiveMedia library comes with another useful tool, onDemandRTSPServer, under the "testProgs" directory, that can be used as a test server to stream a media file. All you need to do is rename the media file (for instance, to "test.mpg", as the server expects) and put it under the same directory from where the server is running. Using openRTSP we can now stream the media files.

OPEN SOURCE RTSP IMPLEMENTATIONS

RTSP is a standard protocol for streaming media and has been a part of many streaming applications. Following is a brief overview of some popular streaming solutions. MPEG4IP is an open source package, licensed under the Mozilla Public License, that provides a streaming server and client. It integrates a bunch of other open source packages and can work well with DSS. The project is intended for developers to take advantage of video/audio streaming and is not meant for an end user. It is primarily targeted toward Linux but has been tested on FreeBSD, Solaris and Windows. The MPEG4IP installation installs an additional handful of tools that can be used for encoding, creating hint tracks, etc. The Helix platform, known as Helix DNA, is a digital media platform supporting media streaming over the Internet using open standard protocols such as RTP and RTSP. The platform is developed by the Helix community and sponsored by RealNetworks, and is available under both open source and commercial licenses. The solution can be deployed to a diverse set of platforms such as desktops, mobiles and set-top boxes and supports many open and proprietary formats. It offers both a server and a media player.

VideoLAN is another open source, GPL licensed product for streaming video over high bandwidth networks and supports a large number of multimedia formats. It is available for multiple platforms including Linux, Windows, Solaris, FreeBSD, NetBSD etc. and offers two different flavors of software: VideoLAN Server (VLS), which can stream multimedia data, and VideoLAN Client (VLC), which can be used as a streaming server and a client. Other popular open source solutions for media streaming include Peercast, Icecast, liveCaster and the Vovida RTSP Stack.

REFERENCES

http://www.ietf.org/rfc/rfc2326.txt
http://sourceforge.net/projects/rtspspec
http://tools.ietf.org/wg/mmusic/draft-ietf-mmusic-rfc2326bis/
http://tools.ietf.org/wg/mmusic/draft-ietf-mmusic-rfc2326bis/draft-ietf-mmusic-rfc2326bis-11.txt
http://developer.apple.com/darwin/projects/streaming
http://www.live555.com
http://mpeg4ip.sourceforge.net
http://www.videolan.org/
http://www.peercast.org/

RAJA HAMMAD IS THE GENERAL MANAGER OF ADVANCED DATA NETWORKING SOLUTIONS AT SPLICED NETWORKS LLC. HE IS BASED OUT OF PAKISTAN.


NETWORK APPLICATIONS
Introducing dNMS

DNMS IS AN UPCOMING OPEN SOURCE PROJECT DESIGNED TO PROVIDE A DISTRIBUTED NETWORK MANAGEMENT SYSTEM (NMS) BASED ON RUBY, SNMP AND POSTGRESQL BY JOHN BUSWELL

This issue we are looking at dNMS. Unlike past issues, we are focusing on an emerging open source technology that has great potential rather than an existing project. The dNMS project is a distributed Network Management System designed to provide a top down, web based management and monitoring system for global IP networks and the devices contained within those networks. The project is led by a special engineering team at Ohio based Spliced Networks LLC. Scheduled for an initial beta release later this quarter, dNMS looks to be an exciting new project.

WHAT IS DNMS?

The short answer to this question is that dNMS enables you to configure, monitor and manage anything on your network that can understand SNMP and has an IP address, regardless of which part of the network it resides on. The system is also capable of monitoring non-SNMP speaking devices. Advanced capabilities such as high-performance real time statistics and status information are possible with certain devices. The system utilizes a combination of existing technologies: SNMP, Syslog and SQL. Similar to the thinking behind new technologies such as AJAX, dNMS takes these existing technologies and ties them together in an interesting manner. The idea behind dNMS is to provide a highly customized, role based view of your network. What you see depends on your access privileges and your administrative role on the network. This customized view of the network gives you access to the logs, events, status and configuration options that are relevant to your job.

HOW DOES IT WORK?

The technology behind dNMS is relatively straightforward. SNMP, the Simple Network Management Protocol, is an industry standard management protocol used for sending and retrieving management information from devices on an IP network. In dNMS, SNMP is used to configure and poll devices over a secure private management network, which most organizations have deployed on their networks in some form or another. SNMP v1 and v2 are currently supported, with SNMP v3 support planned for later this year. On a network which has deployed dNMS, each system would send SYSLOG information to the dNMS server or pool of dNMS servers (depending on the size of the network). This information is taken by the dNMS server, parsed and stored in an SQL database. How data is logged (whether it was something useful or simply background noise) is configured by the administrator. Nothing is discarded; the information tagged as less than useful is logged to a database where data is stored on a short-term basis, instead of being intended for archival. The dNMS system adds IP based monitoring into the mix. This is a highly customized solution that enables an administrator to use a wide variety of health checks as well as customized application tests to ensure their systems are working correctly. Not only can dNMS check to see if your DNS server is responding correctly, it can check for changes in the returned data, and cross reference those changes with configuration changes made on the network. If data has been changed without a verified configuration change through dNMS, the administrator is alerted. The dNMS project is a collection of applications, which are controlled by a web based application written in Ruby.

Currently the project supports a number of Linux based products including AppOS based hardware appliances from Spliced Networks. Support for more devices is being added on a daily basis.

FEATURES

The dNMS project provides a distributed network management system. While it has been designed to be highly scalable and to enable hundreds of management servers to work in unison, it is also versatile enough to run on a single management server. The following is a list of its features.

• Network Device/Server Configuration via SNMP
• Network Device/Server Statistics collection via SNMP
• Network Device/Server Monitoring
• Advanced Application Health Monitoring
• Report Generation
• Log parsing and archival
• Event generation
• Report generation
• Autonomous Event Handling
• Role based views and tasks
• Network Wide Traffic Assessment
• Configuration Archival
THE GLOBAL VIEW

At the very top, we have the global view. This view is only significant to enterprises with more than one physical site, such as Spliced Networks (which has three sites based in Ohio, sites in California and Florida, and one site in the UK). This view shows the bandwidth and service utilization at each site, the status of links and services, as well as that information over time, and any critical security issues. All of this information is displayed in the global view, which is a type of web based dashboard. From this dashboard, the top level administrator has the capability of zooming in to the finest degree of detail about a single server at one location, as they step down through the views. Critical issues are hot linked from this global view.

SITE VIEW

This is the top level view for single-site networks and provides a more detailed, site based look at that particular portion of the network. Anything done at the site level is specific to that site and doesn't affect the other sites. The site view contains more detailed information, access to switching and VLAN information, as well as site-centric stats and monitoring information.

NETWORK VIEW

The network view provides a detailed look at a particular VLAN or group of VLANs that the administrator has grouped into a "Network". Typically, a site consists of at least one network, but often has many. Here the administrator has access to network level firewalls, the ability to track trouble spots on the network, and the ability to view individual systems on that network.

SYSTEM VIEW

The system view is specific to a particular device and is often the lowest level view configured within dNMS. Here, particular system level details such as memory, CPU and network interface utilization are available. This information is often broken down into more detailed segments such as per application utilization. The system view is also where an administrator can make all the necessary changes to a particular system.

APPLICATION VIEW

A special view called the Application view, which provides more fine grained control than the System View, is also available. The application view focuses on a particular service, such as FTP, running on the system. However, the application view is special because, while it belongs to a System View, the same application on a number of systems can be used to provide Network, Site and Global application views, which allow service based configuration changes and monitoring to occur across the enterprise.

TASK QUEUING

In a large organization, tasks which might be performed by the same person at smaller businesses are often broken down into tasks performed by different groups of individuals belonging to different technical groups within a company. The goal with dNMS task queuing is to permit each individual to complete their task without relying on another task being completed first. Task Queuing allows the administrator to do their job, run sanity checks, then place the task into the queue. Once the task is in the queue, a manager determines the order in which the tasks are completed in a special project view and oversees the automated deployment of those tasks. The goal with this particular feature is to eliminate the often time consuming and costly practice at many major corporations of holding day-long conference calls to complete relatively simple tasks which, due to the wide variety of skill levels within the organization, become bogged down in red tape and pointless tests.
TASK ESCALATION

Similar to Task Queuing, Task Escalation is intended to give a lower level administrator investigating a particular network problem the ability to prioritize and send their work upstream for further investigation once it involves systems or networks they do not have access to.

SAFETY LOCK-OUTS

While dNMS offers a type of buffer zone between a device and its administrator, the safety lock-outs provide an advanced feature within the management system. The safety lock-outs enable a senior administrator to define specific boundaries which may prevent a junior administrator from performing tasks that they would normally have the capability of carrying out. If used correctly, the senior administrator can use the safety lock-outs to prevent human error from resulting in costly downtime. An example of a safety lock-out might be that a junior administrator has the capability of restarting the production web services between the times of 9pm and 6am EST. The company has started to do business in Europe, so the administrator doesn't want the junior administrator to restart the services outside of a maintenance window or above a specific traffic threshold. With dNMS, the administrator can define the threshold, and enforce it on individual administrators or collective groups of administrators.
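The restart example above, written out as a policy check. This is an added illustration, not dNMS code (the project had not been released at the time of writing): the role names, the 50 Mbps threshold and the sample requests are constructed, and EST is treated as a fixed UTC-5 offset as the article states it, so daylight time is not modelled.

```python
"""Safety lock-out check modelled on the article's example.

Added example, not dNMS code: a senior administrator lets a junior
administrator restart the production web services only between 9 pm and
6 am EST and only while traffic is under a threshold.  Role names, the
threshold and the sample requests are constructed values; EST is a fixed
UTC-5 offset here, as the article states it, so daylight time is ignored.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

EST = timezone(timedelta(hours=-5), "EST")


@dataclass(frozen=True)
class LockOut:
    """One boundary a senior administrator has defined."""
    action: str            # e.g. "restart"
    target: str            # e.g. "production-web"
    applies_to: frozenset  # user names or roles it is enforced on
    window_start: time     # EST wall-clock start of the maintenance window
    window_end: time
    max_traffic_mbps: float


def in_window(now, start, end):
    """True if `now` lies in [start, end).  The window may cross midnight,
    which is exactly the article's 9 pm to 6 am case."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def check(lockouts, user, roles, action, target, when, traffic_mbps):
    """Return (allowed, reason).  Every lock-out that applies to the requester
    must be satisfied; a request no lock-out covers is allowed."""
    if when.tzinfo is None:
        raise ValueError("`when` must carry a timezone; a naive time is ambiguous")
    subjects = {user, *roles}
    local = when.astimezone(EST).time()
    for lo in lockouts:
        if lo.action != action or lo.target != target or not (lo.applies_to & subjects):
            continue
        if not in_window(local, lo.window_start, lo.window_end):
            return False, "outside maintenance window (now %s EST)" % local.strftime("%H:%M")
        if traffic_mbps >= lo.max_traffic_mbps:
            return False, "traffic %.0f Mbps is at or above the %.0f Mbps threshold" % (
                traffic_mbps, lo.max_traffic_mbps)
    return True, "ok"


# Constructed policy: the article's example written as one lock-out.
POLICY = [
    LockOut("restart", "production-web", frozenset({"junior-admin"}),
            time(21, 0), time(6, 0), 50.0),
]


def at(iso):
    """Parse an ISO-8601 timestamp with offset, e.g. '2006-01-16T03:30:00+00:00'."""
    return datetime.fromisoformat(iso)


def demo():
    """Five constructed requests; returns the list of (allowed, reason)."""
    requests = [
        ("bob", {"junior-admin"}, at("2006-01-15T23:30:00-05:00"), 20.0),   # in window, quiet
        ("bob", {"junior-admin"}, at("2006-01-16T10:00:00-05:00"), 20.0),   # office hours
        ("bob", {"junior-admin"}, at("2006-01-16T02:00:00-05:00"), 80.0),   # in window, busy
        ("bob", {"junior-admin"}, at("2006-01-16T03:30:00+00:00"), 20.0),   # 22:30 EST, given in UTC
        ("alice", {"senior-admin"}, at("2006-01-16T10:00:00-05:00"), 90.0), # lock-out does not apply
    ]
    return [check(POLICY, u, r, "restart", "production-web", t, mbps)
            for u, r, t, mbps in requests]
```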
STATISTICS AND REPORTING

The bottom line of any management system is to obtain statistics from the network and build reports so that management can justify specific IT spending such as increasing bandwidth, purchasing additional servers or adding an additional site. The dNMS project collects stats and identifies problem areas on the network automatically, based on either factory preferences or customized thresholds placed by the administrator. These stats and logs are then compiled from the database and used to generate a wide range of reports, which can be created automatically on a scheduled basis and emailed to whomever in the company needs to see them. In addition to the usual stats and reporting capabilities, dNMS has a feature called DST (Direct Stats Transfer). The DST solution is a separate application which is integrated into AppOS 2.0 and will be available under the GPL. DST accepts SNMP commands to group specific sets of stats or logs, or dump all stats/logs, directly to a database. The concept is fairly simple: there are often a large number of stats and logs that need to be transferred. To poll this information via SNMP is inefficient, since it can result in hundreds of SNMP requests and responses. Instead, DST works by having the management system send a couple of encoded SNMP requests to the system. These SNMP requests instruct the remote system to create a results set, where to send it, what to send, whether it is recurring or not, and the format to send it in (typically the SQL table format for the data). These sets are typically set up once, and then one SNMP command is used to trigger the DST dump. The remote system then talks directly to the database. Once the data is dumped to the database, the management system is free to poll the database to produce stats. In a traditional system, the data is polled via SNMP, dumped to a database and then reloaded from the database to produce results.

AVAILABILITY

The current version of dNMS is 0.3.0 and a publicly available release of dNMS is planned for later this quarter. The dNMS project will be available from http://www.splicednetworks.com later this quarter and its availability will be announced in an upcoming issue of o3.

DEVELOPERS

If you are familiar with SNMP, Ruby and PostgreSQL, and are interested in becoming part of the development team working on the GPL version of this project, please contact John Buswell via email at jbuswell@splicednetworks.com

JOHN BUSWELL IS CO-FOUNDER AND CTO OF SPLICED NETWORKS LLC. JOHN IS BASED A FEW MILES OUTSIDE OF ATHENS, OHIO. HE CAN BE REACHED VIA EMAIL, JBUSWELL@SPLICEDNETWORKS.COM.


NETWORK SECURITY

Intrusion Detection Server Load Balancing

OFTEN A SINGLE IDS SERVER IS SIMPLY NOT ENOUGH TO HANDLE THE BANDWIDTH UTILIZATION ON A NETWORK. INTRUSION DETECTION SERVER LOAD BALANCING OR IDSLB OFFERS A SOLUTION TO THIS PROBLEM BY JOHN BUSWELL

We've spent the last two issues looking at the Open Source Intrusion Detection System, Snort. This month we're using Snort in unison with a commercial enterprise product to provide an advanced Intrusion Detection solution. Sometimes the technology is simply not there to achieve the desired solution exclusively with Open Source. Sometimes the Open Source alternative is simply not mature enough, or the solution requires specialized hardware to achieve the desired capacities which are only available through commercial solutions. Through a combination of Open Source software and commercial products, it's possible to achieve a superior solution at a substantially lower cost than using commercial products exclusively. Intrusion Detection Systems work by analyzing network traffic and using techniques such as pattern matching to detect events that indicate potential security breaches, or activity that is a prelude to an attempted security breach. Intrusion Prevention Systems work by identifying the attack in progress and updating other security systems such as firewalls and access lists to block the attack in real time. These systems often play an important first line of defense role within a network, and it is desirable to provide a degree of redundancy. While basic redundancy can be provided by simply adding a second Intrusion Detection System, that does not resolve the problem larger networks face, where a single system might not have the physical bandwidth or the CPU capacity to process the large amounts of data involved. This is where IDS Load Balancing comes into play.

The Nortel Application Switch line of products can provide a wide range of Layer 2-7 intelligent switching capabilities for a network. For the purpose of this article, we will be using a Nortel Application Switch 2424 with two Linux servers running Snort. We will look at two solutions, one using IDS Load Balancing on the 2424 with Snort to provide an advanced IDS solution, and the other using Firewall Load Balancing on two 2424s with Snort to provide an Intrusion Prevention System.

HOW IDS LOAD BALANCING WORKS

The Nortel Application Switch achieves IDS load balancing by forwarding a copy of the IP packets to the IDS servers. The IDS servers are placed in what is called a Real Server Group. A server group is simply a collection of servers, with a metric assigned to that group. A metric is a special algorithm that tells the switch how it should select a server when a packet is received. The IDS SLB feature is enabled on inbound ports on the switch and enabled for the server group that the IDS servers are assigned to.

WITH OR WITHOUT IP ADDRESSES

The Nortel Application Switch supports two methods of sending data to a group of IDS servers. The preferred method is without an IP address, where the server simply connects to the switch and monitors all traffic that is passed down to that server interface. The other method is to provide each interface on the server with a dummy IP. The latter offers the option of saving ports on the Nortel Application Switch, as the servers may be connected through another Layer 2 switch to the Nortel Application Switch. For the rest of this article, we assume the use of the IP-less method.
H EAL TH STATUS

Th e Nort el Appl icat ion Sw it ch pe rf orm s w h atis cal l e d a h e al t h ch e ck . If you're fam il iar w it h t he k e e pal iv e d proj e ct (h t t p:/ / k e e pal iv e d.s ource f orge .ne t ), itis a s im il ar conce pt . Th e s w it ch w il l ch e ck pe riodical l yt h att he s e rv e r is st il l act iv e , and if t h e s e rv e r fail s a h e al t h ch e ck , itis re m ov e d from t h e s e rv e r group unt il ith as s ucce s s ful l y pas s e d a num be r of h e al t h ch e ck s , at w h ich t im e itis adde d back int ot h e group. Th e 2424 off e rs a w ide range of h e al t h ch e ck s , h ow ev er f or IP -l e s s ID S l oad bal ancing, you h av et wo

O 3 M agaz ine /January 2006 Page 44

NETW O RK SECURI TY
opt ions . If you h av e e ach s e rv e r pl ugge d dire ct l y int o a de dicat e d porton t h e 2424, t h en t he L ink h e al t h ch e ck m e t h od can be us e d. Th e Re al s e rv e r ID m ust be w it h in t h e first26 as w e l l in orde r f or t h att o w ork . Th e s e cond m e t h od is t o us e t h e SNM P h e al t h ch e ck t ot e stt h e st at us of a porton a re m ot e s w it ch . H e re you m usth av et h e s e rv e r pl ugge d int o a s w it ch capabl e of SNM P , al t e rnat iv el y you coul d set up ne t s nm p and w rit e a s m al l age nt(in Ruby or Pyt h on f or exam pl e ), t o re s pond back w it h t h e appropriat e SNM P re s pons e m onit oring t h e st at us of t h e s nort proce s s on t h e s e rv e r. Th is is a good exam pl e of h ow O pe n Source can be us e d t o ext e nd t h e funct ional it y, be caus e w it h outit , onl yt he l ink up/ dow n st at us w oul d be m onit ore d, l e av ing t h e pos s ibil it y of pack e t s be ing f orw arde d t o a s yst e m w h e re t h e ID S proce s s h as cras h e d.
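The process-aware SNMP health check described above, written as an added example (not code from the article or from Nortel): a net-snmp "pass" sub-agent that answers with up(1) while a snort process exists and down(2) otherwise, so the switch pulls a dead sensor out of the group even though its link is up. It uses net-snmp's documented pass-through protocol (snmpd runs the script with -g OID for GET, -n OID for GETNEXT, -s OID TYPE VALUE for SET, and reads back OID, type and value on three lines). The OID, its placement under net-snmp's enterprise arc, the ifOperStatus-style 1/2 encoding and the snmpd.conf line are assumptions: which OID the 2424 polls and which value it treats as healthy are switch settings the article does not give, so match them to your SNMP health-check configuration.

```python
#!/usr/bin/env python3
"""net-snmp "pass" sub-agent reporting whether snort is running.

Added example, not from the o3 article or Nortel. Assumed snmpd.conf entry:
  pass .1.3.6.1.4.1.8072.9999.1 /usr/local/bin/snort_health.py
"""
import os
import sys

HEALTH_OID = ".1.3.6.1.4.1.8072.9999.1"   # assumption: private OID under net-snmp's arc
UP, DOWN = 1, 2                           # assumption: ifOperStatus-style encoding
PROCESS_NAME = "snort"                    # comm name of the sensor process


def read_proc_comms(proc_root="/proc"):
    """Return the command names of all running processes (Linux /proc)."""
    comms = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comms.append(fh.read().strip())
        except OSError:
            continue   # process exited while we were scanning
    return comms


def snort_running(comms):
    """True if a process named PROCESS_NAME is in the supplied list."""
    return PROCESS_NAME in comms


def oid_tuple(oid):
    """Dotted OID string -> tuple of ints, so OIDs compare lexicographically."""
    return tuple(int(p) for p in oid.strip(".").split(".") if p)


def handle_request(argv, running):
    """Build the pass-protocol reply lines for argv (the args after the script name).

    GET on our OID and GETNEXT from anything before it return our status;
    SET is refused; anything else gets no output, which snmpd reads as
    'no such object' / end of subtree.
    """
    if not argv:
        return []
    op = argv[0]
    oid = argv[1] if len(argv) > 1 else ""
    value = str(UP if running else DOWN)
    if op == "-s":
        return ["not-writable"]
    if op == "-g" and oid_tuple(oid) == oid_tuple(HEALTH_OID):
        return [HEALTH_OID, "integer", value]
    if op == "-n" and oid_tuple(oid) < oid_tuple(HEALTH_OID):
        return [HEALTH_OID, "integer", value]
    return []


if __name__ == "__main__":
    for line in handle_request(sys.argv[1:], snort_running(read_proc_comms())):
        print(line)
```

Checking for the process name only proves snort has not crashed; if you also want to catch a wedged sensor, compare a packet or alert counter between polls and report down(2) when it stops moving.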
CONFIGURING SNORT

You configure Snort in the normal manner. There is no special configuration; you simply give Snort a dedicated interface to listen on. In our configuration we used eth1, directly connected to the Nortel Application Switch.

CONFIGURING SINGLE GROUP IDS LOAD BALANCING

Configuring IDS load balancing on the Nortel Application Switch is relatively simple. While the switch can be configured via SNMP and a Browser Based Interface, as well as a separate management application from Nortel, we're looking at the command line interface for this article. The system uses a menu/prompt style CLI. In this example we're going to configure IDS load balancing to send all inbound data to a single pair of IDS servers running Snort.

First we configure the IDS servers as real servers. The CLI requires that we give the configuration dummy IP addresses; this is a safeguard to make sure the real servers haven't been accidentally configured without an IP address. We have selected an unused, non-routable network, 10.255.255.0/24, for this purpose. These IP addresses are not configured on the Snort servers themselves unless you are using the alternative IP-based health checking method.

>> # /cfg/slb/real 10/rip 10.255.255.10/ena
>> # /cfg/slb/real 11/rip 10.255.255.11/ena

Next we add the IDS servers to a new group, which must be within the first 63 groups. Here we've used group 20, adding real servers 10 and 11 that we just created above:

>> # /cfg/slb/group 20
>> Real Server Group 20# add 10
>> Real Server Group 20# add 11
>> Real Server Group 20# metric hash

The last command tells the switch we want to use the hash metric. The hash metric hashes the packet's address so that traffic from the same source IP always goes to the same server. This continuity matters for an IDS: a sensor can only reassemble and inspect a stream if it sees every packet of that stream. IDS Load Balancing only works with the hash metric. Next we define the health check as link, as we have real 10 and real 11 plugged into ports 10 and 11 respectively on our 2424 switch.

>> Real Server Group 20# health link

Next, the important commands. We enable IDS load balancing and select all traffic to be sent to this group:

>> Real Server Group 20# ids ena
>> Real Server Group 20# idsrprt any

Our inbound ports are 1 and 24. Port 1 has our router to the Internet, and port 24 is connected to our upstream LAN switch. On the Nortel Application Switch we must enable IDS load balancing on these potential ingress ports:

>> # /cfg/slb/port 1/ids ena
>> # /cfg/slb/port 24/ids ena

Finally, we must create a filter to redirect the traffic to the IDS. The filter provides a finer grain of control in more complex configurations involving multiple groups of IDS servers. The commands below set the source and destination IP to any, set the filter action to allow, and enable the filter. The last command enables IDS hashing on both the source and destination IP address of a packet, to make sure it always goes to the correct server.

>> # /cfg/slb/filt 100
>> Filter 100# sip any
>> Filter 100# dip any
>> Filter 100# action allow
>> Filter 100# ena
>> Filter 100# adv/idshash both

Then the filter is applied to the ingress ports 1 and 24:

>> # /cfg/slb/port 1
>> SLB Port 1# add 100
>> SLB Port 1# filt ena
>> SLB Port 1# /cfg/slb/port 24
>> SLB Port 24# add 100
>> SLB Port 24# filt ena
>> SLB Port 24# apply
>> SLB Port 24# save

The last two commands commit the configuration: apply activates the pending changes, and save writes them to the switch's stored configuration so they survive a reboot.

TESTING IDS LOAD BALANCING

Now that everything is configured, before we roll it into production we need to make sure that it is working correctly. To do this, simply run tcpdump against the IDS interface on both of your IDS/Snort servers. We ran tcpdump -i eth1 on both servers, as eth1 was our interface connected to the Application Switch. Run ip link set eth1 up first to make sure the interface is up before starting the test, since an interface with no IP address configured may be left down by the distribution's network scripts.

Next, we connected a Dell 6350 running Gentoo to port 1 (10.1.2.3) on the switch to simulate Internet traffic, and another to port 24 to act as the local LAN (192.168.1.100). For the purposes of testing, we started lighttpd on the LAN side and ran Scapy on the Internet side to simulate traffic:

Welcome to Scapy (1.0.2.34beta)
>>> a = IP(dst="192.168.1.100")/TCP(seq=0,sport=2100,dport=80)
>>> a.src = "10.1.2.3"
>>> send(a)
.
Sent 1 packets.
>>>

We then monitored tcpdump on the IDS server side for the packet, as well as tcpdump on the LAN side (192.168.1.100), to make sure the switch was sending only a copy of the packet to the IDS group and still delivering the original to the LAN. The switch has a command, /info/slb/idshash, which is a useful tool to determine which source and destination IP address pair will result in a hit on a specific IDS server. Using that tool, we quickly put together a second packet in Scapy with an address pair that hashes to the other server, to make sure that traffic would reach both servers. To roll the system into production we simply start Snort on the servers and plug the production Internet router and LAN switch into ports 1 and 24 respectively.

ADVANCED IDS LOAD BALANCING CONFIGURATIONS

So far we've just looked at sending all ingress traffic into the switch to a single set of IDS servers. However, the Nortel Application Switch allows for a much finer grain of control. Let's say a large organization has a dedicated Web Security Group and a Network Security Group. Here it might be desirable to send all HTTP traffic to a set of IDS servers managed by the Web Security Group, while other traffic is routed to the Network Security Group's IDS pool. To do this, we simply add another set of real servers and a new group to our original configuration:

>> # /cfg/slb/real 15/rip 10.255.255.15/ena
>> # /cfg/slb/real 16/rip 10.255.255.16/ena
>> # /cfg/slb/group 30/add 15
>> # /cfg/slb/group 30/add 16
>> # /cfg/slb/group 30/metric hash
>> # /cfg/slb/group 30/health link
>> # /cfg/slb/group 30/idslb ena
>> # /cfg/slb/group 30/idsrprt http

Here you will see the configuration process is almost identical, except for the idsrprt http command where, instead of any, we are specifying http (port 80). To test this configuration, we took our first snort server and plugged its eth2 into port 11, so that one physical server stood in for both real 10 and real 11, and connected eth1 and eth2 on the second snort server to ports 15 and 16. Essentially, our second snort server was now the Web Security Group's IDS pool. Next we simply passed port 80 traffic from Scapy and checked tcpdump on eth1 and eth2 of the second snort server: the port 80 traffic only shows up on that server. Then we tested some SMTP (port 25) traffic by changing the port number in Scapy and starting postfix on 192.168.1.100. The forwarded copy of the SMTP traffic only shows up on the first IDS server, the one simulating real 10 and 11, so things are working as expected.
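Both test passes above (the single-group test, which used /info/slb/idshash to find a second address pair, and the two-group HTTP/SMTP test) boil down to the same two questions: did every sensor in the group see traffic, and did no conversation get split across sensors? The script below is an added example, not code from the article, that answers them from the text output of the same tcpdump -nn command the article runs on each sensor. The capture lines are constructed samples, not real traffic; the helper that sends SYNs from several spoofed sources needs Scapy and root on the "Internet side" host and imports Scapy lazily so the checking part runs anywhere. Sensor names and addresses are the article's; the sorted-pair folding of both directions of a flow into one key reflects the "idshash both" setting and is this example's choice.

```python
#!/usr/bin/env python3
"""Verify IDS load-balancing from per-sensor tcpdump output.

Added example, not from the o3 article. Input is `tcpdump -nn -i eth1` text
from each Snort sensor; the sample lines below are constructed.
"""
import re
from collections import defaultdict

# One `tcpdump -nn` line: "HH:MM:SS.uuuuuu IP src.sport > dst.dport: ..."
TCPDUMP_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def conversations_in_capture(lines):
    """Set of address pairs seen, with both directions of a flow folded into
    one sorted tuple, since the switch hashes on source and destination."""
    convs = set()
    for line in lines:
        m = TCPDUMP_RE.match(line)
        if m:
            convs.add(tuple(sorted((m.group(1), m.group(3)))))
    return convs


def check_distribution(captures):
    """captures maps sensor name -> list of tcpdump lines from that sensor.

    Returns (ok, problems). Two properties must hold:
      1. every sensor saw traffic (the hash really splits the load), and
      2. no conversation appears on more than one sensor (continuity: a
         sensor can only reassemble a stream it sees in full).
    """
    problems = []
    seen_on = defaultdict(set)
    for sensor, lines in captures.items():
        convs = conversations_in_capture(lines)
        if not convs:
            problems.append(f"{sensor}: no traffic captured")
        for conv in convs:
            seen_on[conv].add(sensor)
    for conv, sensors in sorted(seen_on.items()):
        if len(sensors) > 1:
            problems.append(f"{conv[0]} <-> {conv[1]} seen on {sorted(sensors)}")
    return (not problems, problems)


def send_test_flows(sources, dst="192.168.1.100", dport=80, iface=None):
    """Send one TCP SYN per spoofed source address (needs Scapy and root)."""
    from scapy.all import IP, TCP, send  # lazy: only the sending host needs Scapy
    for n, src in enumerate(sources):
        pkt = IP(src=src, dst=dst) / TCP(sport=2100 + n, dport=dport, flags="S")
        send(pkt, iface=iface, verbose=False)


# Constructed sample captures: real 10 saw two conversations (including the
# LAN host's reply to 10.1.2.3), real 11 saw one, nothing overlaps.
SENSOR_A = [
    "12:00:01.000001 IP 10.1.2.3.2100 > 192.168.1.100.80: Flags [S], seq 0, win 8192, length 0",
    "12:00:01.000101 IP 192.168.1.100.80 > 10.1.2.3.2100: Flags [S.], seq 1, ack 1, win 5840, length 0",
    "12:00:02.000001 IP 10.1.2.7.2101 > 192.168.1.100.80: Flags [S], seq 0, win 8192, length 0",
]
SENSOR_B = [
    "12:00:03.000001 IP 10.1.2.5.2102 > 192.168.1.100.80: Flags [S], seq 0, win 8192, length 0",
]


def run_sample_check():
    """Evaluate the constructed captures; returns (ok, problems)."""
    return check_distribution({"real 10": SENSOR_A, "real 11": SENSOR_B})


if __name__ == "__main__":
    ok, problems = run_sample_check()
    print("OK" if ok else "PROBLEMS:\n  " + "\n  ".join(problems))
```

In practice, pick the spoofed sources with /info/slb/idshash so that at least one maps to each sensor, run tcpdump on every sensor into a file, then feed the files to check_distribution; a reply packet that lands on a different sensor than the request is exactly the continuity failure the hash metric is supposed to prevent.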
FURTHER ADVANCED CONFIGURATION

A wide range of configurations is possible through manipulation of the filter attributes and the real server group's idsrprt command. The filter options also contain an idsgrp option, which ties a filter to a specific IDS group, allowing traffic from or to a specific subnet, for example, to be routed to a specific server group. By setting the idsgrp option in the advanced filter configuration, you can also do per-VLAN load balancing of IDS traffic.

INTRUSION PREVENTION LOAD BALANCING

Snort in-line receives its packets from iptables rather than from libpcap, which allows snort to drop or alter traffic in real time as it passes through the system. In this case Snort in-line acts more like a firewall than an IDS sensor, so IDS Load Balancing will not work for it: IDS load balancing hands the sensors a copy of the forwarded packets rather than the real traffic, and a verdict on a copy cannot stop the original. The Nortel Application Switch has a capability called Firewall Load Balancing. This advanced feature set can be used with Snort in-line to achieve Intrusion Prevention Load Balancing. Basic Firewall Load Balancing (FWLB) works by having a "dirty" (Internet) side and a "clean" (LAN) side of the firewalls. A Nortel Application Switch is placed on each side, so this configuration requires at least two Nortel Application Switches. Each firewall has one interface connected to the dirty side switch and a second interface connected to the clean side switch. Packets traverse the dirty side switch, are passed to a firewall, and may or may not make it to the clean side depending on the firewall's verdict. As with IDS load balancing, the hash on both switches has to send both directions of a connection through the same firewall, otherwise a stateful inspector sees only half of the conversation. In our IPS solution we use Snort in-line instead of a regular firewall, allowing for deeper packet inspection and prevention of intrusions in real time.

Nortel Application Switch 2424

WHICH SWITCH

The current Nortel Application Switch line of products includes the 2208, 2216, 2424, 2424-SSL and 3408. The 3408 is an 8 port Application Switch with GBIC slots on ports 3 thru 6. These GBIC slots provide dual media (Fast Ethernet and Gigabit) on ports 3 thru 6. The 3408 also has standalone GBIC ports on 9 thru 12. The 2424-SSL is a 24 port Application Switch; it is similar to the 2424 but adds a built-in SSL accelerator module. The 2216 and 2208 are 16 and 8 port application switches respectively, with reduced capacities compared to the 2424 and 3408. The 2208 and 2216 are excellent products for small and medium enterprises that do not have the budget for a 2424 or 3408. For more information on Nortel Application Switches, contact your nearest Nortel partner or visit http://www.nortel.com.

CONCLUSION

This article demonstrates how Open Source software, in combination with commercial networking products, can provide a cost-effective solution to large scale network problems.

Nortel Application Switch 2208