CONTENTS

Issue 4, Released Q1 2006, http://www.o3magazine.com

Editorial 7
Upcoming Events 8
Open Source Report 9

VOIP/VIDEO COMMUNICATIONS
Prioritizing Voice Communications 30
Muhammad Hammad looks at QoS and its role in helping prioritize VoIP communications across IP data networks. This article focuses on Linux 2.6 based QoS and the optimum configurations for VoIP prioritization.

SECURITY
Secure Internet Solutions 11
Greg Jordan looks at deploying secure internet services from a business perspective. Article examines both physical and logical security.

IP NETWORKING
Deploying Open Source DNS 34
John Buswell looks at Bind 9.3.2 and walks us through a secure installation of the popular DNS server. Configuration and setup included!

INTERNET TECHNOLOGIES
Dynamic Routing Protocols 16
Greg Jordan introduces dynamic routing protocol concepts, compares policy routing, QoS and other techniques. Part 1 of a series.

NETWORK APPLICATIONS
Linux Systems Management 41
David Dennis of Levanta looks at the pain of Linux Systems Management and offers the Levanta Intrepid-M as one possible solution.

BUSINESS SOLUTIONS
Why Prioritize Network Traffic? 20
Need to justify QoS and packet classification solutions to management, or simply trying to understand why QoS is needed? This is for you!

NETWORK SECURITY
Deploying Snort IDS 45
Naveen Sharma walks us through the design, concepts, architecture and installation of Snort, the Open Source IDS solution.

WEB TECHNOLOGIES
RRDtool Demystified 24
Bharat Shetty explains RRDtool. This article introduces the popular graphing tool and looks at lighttpd's integrated rrdtool features.

MOBILE TECHNOLOGIES
Issue #5 of o3 magazine debuts our new mobile technologies column. Visit our new site on or after March 22nd and check out a bonus Opera Mini interview!!

o3 magazine / feb 2006

-( page 4 )-

EDITORIAL

A New Look For o3 Magazine
ARMED WITH A NEW RELEASE OF SCRIBUS, THREE MONTHS OF FEEDBACK AND EXPERIENCE, WE HAVE UNDERTAKEN A MAJOR OVERHAUL OF O3 AND WE HOPE YOU LIKE THE RESULTS...

By John Buswell

Welcome to Issue 4 of o3 magazine. As you have probably noticed, this issue looks considerably different and, in my opinion, considerably better than the first three issues. Many thanks to the folks over at the Scribus project for a cool 1.3.2 release, which has helped improve o3 magazine. If you're not already aware, o3 magazine is produced using open source software exclusively. Unlike some commercial publications that cover open source but use non-open source projects, we're 100% behind the technologies we are bringing to you each month.

I would like to bring to your attention the Canada on Rails conference, which is our featured event this month. The Canada on Rails event is the first Ruby on Rails focused event of its kind. We wish them all the best, and if you can make it, they have an excellent line up of speakers and workshops.

On behalf of our entire team, I would like to apologize for the delay in getting this issue out there. I made the decision to delay this issue, so that we could review the publication, make changes, and process the feedback from the thousands of readers that submitted their opinion on the magazine. We have a new editorial team; I would like to welcome Michelle Jordan to the o3 team. Unfortunately we had to bid farewell to James Hollingshead. James has worked hard to keep me in check over the past couple of months and we wish him all the best in his future ventures.

Finally, I would like to wrap up this month's editorial by announcing our new web site, which goes on-line in mid-March 2006. Issue 5 and Issue 6 will be hot on the heels of this issue!!!

o3 magazine
John Buswell, Publisher and Editor in Chief
Greg Jordan, Managing Editor
Michelle Jordan, Contributing Editor
Gaston Thauvin, Cover Photograph
Technical Review Panel: Stew Benedict, Shawn Wilson, Raja Hammad, Frank Boyd, John Buswell, Bharet Shetty
Advertising Information: Andrew Costello, acostello@o3magazine.com
Publisher Information: o3 magazine is published monthly by Spliced Networks LLC and distributed free of charge to the public.

o3 magazine, spliced networks, AppOS, o3 news and opaque networks are registered trademarks or trademarks of Spliced Networks LLC., and/or its affiliates in the USA and certain other countries. All other trademarks mentioned in this publication are the property of their respective owners.

o3 magazine copyright © 2006 by Spliced Networks LLC. All rights reserved.


-( page 7 )-

UPCOMING EVENTS

eclipsecon 2006, March 20th - 23rd 2006, Santa Clara, California, USA, http://www.eclipsecon.org/spring
2006, March 23rd 2006, Athens, Ohio, USA, http://www.seomug.org/conference.cfm
PHP Quebec 2006, March 29th - 31st 2006, Quebec, Canada, http://conf.phpquebec.com/en/conf2006/
LinuxWorld Conference & Expo, April 3rd - 6th 2006, Boston, MA, USA, http://www.linuxworldexpo.com/
7th International Free Software Forum, April 19th - 22nd 2006, Porto Alegre, Brazil, http://fisl.softwarelivre.org
Penguicon 4.0, April 21st - 23rd 2006, Livonia, Michigan, USA, http://www.penguicon.org
Linux on Wall Street Show and Conference, April 24th 2006, New York, New York, USA, http://www.linuxonwallstreet.com
MySQL Users Conference, April 24th - 27th 2006, Santa Clara, California, USA, http://www.mysqluc.com
ApacheCon Europe 2006, June 26th - 30th 2006, Dublin, Ireland, http://www.eu.apachecon.com/

FEATURED EVENT

Canada on Rails will be held on April 13th - 14th in Vancouver, Canada. This event will be the first Ruby on Rails conference. The event showcases 15 speakers from around the world including David Hansson, creator of Ruby on Rails. On Day 1, the event opens at 07:30am, with a keynote from David Hansson opening the event at 09:15am. This is followed by Enterprise SOA with Rails by Joe O'Brien at 11:00am. The afternoon covers topics such as IDE/Tools, AJAX, the benefits of developing Rails applications test-first, and a presentation on the reduction of code necessary to supply typical solutions to business problems with Rails. The second day continues the high quality talks and presentations from Day 1. The event starts at 08:00am on Day 2 with Advanced Rails AJAX Techniques given by speaker Thomas Fuchs. The second day continues with Engines: Team Development with Rails, and Generating Great Graphs with Ruby on Rails. The afternoon rounds up the event with a look at Internationalization, File Column, and Using Ruby on Rails to Make a Massive Multiplayer Game. Sneaking Rails Into The (Legacy) System, on Day 2 of the event, will be of interest to any developer considering the use of Rails as a replacement for an existing database driven application. http://www.canadaonrails.com


-( page 8 )-

OPEN SOURCE REPORT

trac 0.9.4, http://www.edgewall.com/trac/
This issue's featured open source software project is trac. Trac is an enhanced wiki and issue tracking system for software development projects. Trac uses a minimalistic approach to web-based software project management. Trac provides an integrated system for managing software projects, an enhanced wiki, a flexible web-based issue tracker and an interface to the subversion revision control system. One of the most important features in Trac is its capability to easily interface with Subversion. Subversion is a next generation revision control system for software projects, and is often being used as a replacement for CVS. Trac is an excellent project for small and medium sized companies that want a stable, and well designed system for managing software projects. Trac is designed to let software developers work efficiently by minimizing the effort associated with managing software projects.

Typo, http://www.typosphere.org
Typo is a lean engine that makes blogging easy. Typo has a web based admin interface that handles configuration and management. Typo runs under Ruby on Rails.

RTRails, http://rubyforge.org/projects/rtails/
RTRails is Realtime on Rails, a web based collaborative environment. It is designed for small or mid-sized groups for communication, planning and includes a chat system. It is an AJAX based solution.

Rails Tidy, http://www.cosinux.org/blogs/dam/pages/rails-tidy
Rails Tidy is a plugin for Ruby on Rails that allows validation of rhtml templates, html output of functional tests and to clean the html generated by rails. It takes advantage of both Tidy and Ruby Tidy open source projects.


-( page 9 )-

SECURITY

Deploying a Secure Internet Presence
IN TODAY'S BUSINESS WORLD, DEPLOYING INTERNET SOLUTIONS IS A NECESSARY MEASURE TO ATTRACT NEW CUSTOMERS AND PROVIDE SERVICES TO EXISTING CUSTOMERS. DEPLOYING THOSE SOLUTIONS SECURELY IS A CRITICAL TASK FOR ANY BUSINESS...

By Greg Jordan

For most modern businesses, the Internet has become a crucial part of daily business operations. The Internet is used to generate new business leads, support existing customers, or even to deliver products and services. Deploying a secure Internet presence and maintaining that security is a critical factor in remaining competitive in today's business world. In the previous issue of o3 magazine, we discussed how to deploy a global Internet presence, and the necessary decisions and the reasoning behind using services such as colocation to push localized content closer to the target markets. This month we look at issues that should be addressed to your satisfaction when selecting a co-location facility, though the issues raised also apply to your local IT facilities. This article takes a layered approach to addressing the security concerns related to maintaining off-site and on-site Internet services. Many businesses will have some of the measures suggested in place already.

It is important to take into account that lawmakers, not only in the United States but throughout the world, are putting into place legislation to protect their citizens' data whenever it is stored or transmitted electronically. You may not even reside in the state or country involved, but if your customers reside there, you may be subject to their laws whether you like it or not.

A good example, right here in Ohio, is a state law that went into effect earlier this month that requires the proper security and handling of Ohio residents' personal information, if that information could be used to cause those residents direct losses (such as financially through identity theft). Let's take a small company that operates an on-line store; that online store might be hosted on a server in a data center at some web hosting company. While the company is not directly responsible for the management of the server, they are directly responsible for the security and protection of their customers' data. While it is good business practice to protect this data, lawmakers have decided to back up that type of common sense with strict fines and penalties. The Ohio law takes a few steps further, requiring the company to publicly notify its customers of the breach of data. There is nothing more your competitors would like than you having to pay for an advertisement that admits you have poor security systems in place.

If you are an IT professional, perhaps a web developer, consultant or system administrator, there is now a strong possibility (especially if you are an independent contractor) that if you simply roll out a solution for a client that involves the management of their customer data, you may be indirectly liable for the security of that data. Perhaps you weren't involved in the hosting of that site, but if it was your software that was used to store the data, the client may be looking for someone to blame.

Did they pay for your services to deploy a secure solution? Did you advise the customer in writing that they needed to have the software continuously maintained and hosted on a system that was actively administered by a trained professional? One data breach could result in your client's image being ruined, and perhaps even in the destruction of their business. You could quickly find that your lack of hosting guidelines, or even the software itself, becomes a legal target for


-( page 11)-


that business trying to recoup their costs, or trying to direct blame away from their company. A more precarious situation might be if you used a hosting provider where you obtain a regular commission from their hosting. Do you regularly check to make sure your clients are being taken care of? With far too many full-time technical support agents turned part-time entrepreneur, do you really know who is hosting your Internet services? It doesn't even need to be a mere part-time operation to raise concern. Some highly professional businesses, such as those run by seasoned business people who unfortunately place too much faith in high price, brand name solutions, and who favor rapid deployment over application security, can be equally insecure.
PHYSICAL SECURITY

Before you start to look at packets, firewalls, and application security, physical security should be the first line of defense. There is no point implementing a state-of-the-art security system if someone can photocopy an ID badge, walk right into your data center and walk out with your data on your own disks!! Whether it is your own data center or that of a co-location company, getting details on physical security is a good thing. Is the building in a secure location? If the building is in a bad part of town or an area with a high crime rate, it may not be the best location. Typically, the area in which the building is located should give you some idea as to the degree of physical security measures that should be in place. Is there a security guard on duty 24/7/365? Is key card access required to enter the building after hours, on holidays? Is a special key-card access required to enter the floor where the servers are located? Is the building's power system secure? There is no point in having state of the art security if the fuse box in the basement is left unsecured. If you're at a shared hosting facility, are visiting customers escorted while on the premises? Do customers have access only to their equipment or the entire floor? Are UPS solutions shared or dedicated? Do employees have to follow a checklist when maintenance on adjacent racks is performed? A simple matter of an employee unplugging the wrong customer from a UPS, or unhooking the wrong port from a shared switch, can result in critical down time.

In fact, a check to make sure 802.1x port-based access control is implemented on the network, to prevent legitimate users gaining access to the network with unauthorized devices, is a good idea as well. Physical security, however, doesn't stop at consideration of the risk of malicious users or theft. Other issues, such as fire, also put your Internet services at risk. As such, making sure sufficient fire suppression systems are in place and regularly maintained is important. These checks should not just be performed when you sign up. Each time an employee visits the co-location site, or when your account executive calls seeking additional sales, check with them to see if the security measures are all still in place, if any improvements have been made, or if any security breaches or problems have occurred recently.

PHYSICAL NETWORK SECURITY

Physical network security starts at Layer 1, the cabling. Something as simple as a decent cable management solution will add a degree of security to the cabling system. This could be as simple as tie-wrapping flexible conduit once the cabling has been installed, or running cabling in conduit that is high enough to require equipment in order to reach. These steps make it a lot harder for a malicious employee or other users to cut a cable in order to cause a serious network outage. Port-based access control uses the hardware MAC address of the client device, along with potentially other measures, to authenticate a user's access to the network. Solutions such as dynamic PVID/Port VLAN membership prevent a user from attempting to move their equipment from one port to another in order to gain higher degrees of network privileges. Strict port-based access control can limit new devices from even accessing the network without prior permission from the network administrator. Such features are important, again to prevent physical security violations.

LOGICAL NETWORK SECURITY

In a switched environment VLANs are used to restrict the flow of data across a shared resource, such as a switch. In a shared hosting environment, such as co-location or dedicated hosting, it is desirable to have your equipment connected on its own VLAN, perhaps with its own IP subnet. This can prevent another customer either accidentally or deliberately assigning their equipment the same IP addresses assigned to your equipment. Stateful firewalls running on servers directly, as well as a network firewall strategy, can provide a


-( page 12)-


good first line of defense. If you're running a web server remotely, it is likely that you will need to admin the system remotely. Making sure that you use an up-to-date release of OpenSSH and strong encryption algorithms, and limiting SSH access to only a small number of necessary subnets via the firewall, will greatly enhance the security of your server. Placing the firewall rules on the server as well provides a degree of redundancy in the event that human error results in network firewall rules being relaxed in a way that could put your services at risk. Simply running a command such as netstat -nap will give you an idea of the open ports on the system, whether you need them or not, etc.
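Turning that netstat -nap check into a repeatable audit, as an added example that is not part of Greg Jordan's article: the code parses a constructed sample of netstat -nap output (Linux net-tools layout), keeps only the listening sockets, and sorts them into expected services, loopback-only services, and unexpected listeners that deserve a look. The sample output, the allowlist EXPECTED_SERVICES and all function names are assumptions made for this example.

```python
"""Audit the listening sockets reported by `netstat -nap` against an allowlist.

Added example, not code from the o3 magazine article. The sample output and the
allowlist of expected services are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample of `netstat -nap` output (Linux net-tools format); not a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1044/apache2
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      970/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      601/portmap
tcp        0      0 10.1.2.5:22             203.0.113.7:51234       ESTABLISHED 2210/sshd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           733/snmpd
"""

# Services this host is expected to expose (assumption: a web server administered over SSH).
EXPECTED_SERVICES = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

LOOPBACK_PREFIXES = ("127.", "::1")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    program: str

    @property
    def local_only(self) -> bool:
        """True when the socket is bound to a loopback address and so is not reachable remotely."""
        return self.addr.startswith(LOOPBACK_PREFIXES)


def parse_listeners(output: str) -> list[Listener]:
    """Return the listening sockets in `netstat -nap` output, skipping established connections."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        # Header and blank lines do not start with a protocol name.
        if len(fields) < 6 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, rest = fields[0], fields[3], fields[5:]
        if proto.startswith("tcp"):
            # TCP rows carry a State column; only LISTEN rows are servers.
            if rest[0] != "LISTEN":
                continue
            program = rest[1] if len(rest) > 1 else "-"
        else:
            # UDP rows have no State column, so the program follows the foreign address.
            program = rest[0]
        addr, _, port = local.rpartition(":")
        listeners.append(Listener(proto, addr, int(port), program))
    return listeners


def audit(output: str, expected=EXPECTED_SERVICES) -> dict[str, list[Listener]]:
    """Classify listeners as expected, loopback-only (low exposure) or unexpected (investigate)."""
    report: dict[str, list[Listener]] = {"expected": [], "local_only": [], "unexpected": []}
    for listener in parse_listeners(output):
        key = (listener.proto.rstrip("6"), listener.port)   # treat tcp6/udp6 like tcp/udp
        if key in expected:
            report["expected"].append(listener)
        elif listener.local_only:
            report["local_only"].append(listener)
        else:
            report["unexpected"].append(listener)
    return report


if __name__ == "__main__":
    for category, items in audit(SAMPLE_NETSTAT).items():
        for listener in items:
            print(f"{category:10} {listener.proto}/{listener.port:<5} {listener.addr:15} {listener.program}")
```

On the constructed sample the audit reports sshd and apache2 as expected, mysqld as loopback-only, and flags portmap (tcp/111) and snmpd (udp/161) as unexpected listeners; on a real host the output of netstat -nap would be piped in place of the sample string, and each flagged entry is either added to the allowlist deliberately or shut down and blocked at the firewall.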
SMTP

Whether you use email to contact your customers, to run distribution lists, or simply utilize it as a means of communication between employees, email is vulnerable to a wide range of outside problems, ranging from SPAM and Viruses to Phishing attempts. A good SMTP system will utilize a primary mail delivery site, with one or more remote sites that perform proxying. There are a wide range of tools for integrating anti-virus scanning into email solutions. ClamAV is a widely used open source solution. Combined with solutions such as DSPAM, whitelist, greylist and blacklist techniques, it is possible to eliminate a high number of threats. Combine this with a good corporate policy on email usage, and it can result in a simple and secure SMTP solution.

HTTP/HTTPS

Deployment of a dedicated web server rather than a shared system is a good idea, as it reduces the number of ways a server can be compromised from the outside. Even on a dedicated web server, techniques such as chrooting apache, which has been made easy with solutions such as modsecurity, are a must. Limiting dynamic scripts, and using static content where possible, while maintaining a close eye on what is happening on your web server through log analysis, is a must. In most solutions, some customer data will be stored locally and/or transmitted to some form of payment processing gateway. It is vital that you only store the information that is necessary for the transaction, and once that transaction has been approved, that only the necessary elements for tracking the transaction are kept. If that information needs to be transmitted, it should be done over a secure medium such as SSL.

SITE REDUNDANCY

Maintaining a secure Internet presence means that you need to make sure your services are up 24/7/365, and that at least one authoritative server is in control at any one given moment. If it's possible for your services to go down due to a single attack against one network, or because of a physical disaster, such as a flood or even a major power outage, then you need to deploy some form of site redundancy. This could be as simple as having a single server co-located outside of your network. DNS is a critical part of site redundancy, and is discussed further in this month's DNS article.

ENCRYPTED FILE SYSTEMS

When storing customer information locally, it should be stored in the database in an encrypted manner, not as plain text. Ideally, that database should be stored on some form of encrypted file system, so that in the event that the disk is physically stolen, the customer data is still not possible to reconstruct. An extra level would be to encrypt the local swap partitions, to prevent attacks which might push vital system data into swap where it could then be possibly read or manipulated to compromise the system.

CONCLUSION

While the traditional focus of deployment of secure Internet resources will focus on firewalls, intrusion detection, packet inspection, and intrusion prevention technologies, it is very important not to lose sight of common sense issues such as physical security. As contract IT professionals, it is equally as important to make sure the customer is aware of the responsibilities of maintaining a secure Internet presence, so that even long after you have left the scene, you cannot be held liable for not informing the customer of their duties.

Greg Jordan is Managing Editor at o3 magazine. Greg has over two decades' experience in the Information Technology industry with a focus on Internet Service Providers and Telecommunication Carriers.


-( page 13)-

INTERNET TECHNOLOGIES

Dynamic Routing Protocols
DYNAMIC ROUTING PROTOCOLS ENABLE A NETWORK TO RESPOND TO CHANGES BOTH INSIDE AND OUTSIDE OF THE NETWORK. THEY PROVIDE THE CAPABILITY TO BUILD HIGHLY AVAILABLE NETWORKS THAT CAN RESPOND TO BOTH LINK FAILURE AND CHANGES IN NETWORK TRAFFIC

By Greg Jordan and Wikipedia.com

Dynamic Routing Protocols are used to automatically update the preferred path that packets take over a network, based on a router's response to conditions on the network. There are a number of dynamic routing protocols; the most widely-used on the Internet is BGP (Border Gateway Protocol). These dynamic routing protocols are important because they help to build fault tolerant and high performance networks that are necessary in today's business world. This article is intended to provide a very basic, high-level view of dynamic routing and IP routing in general.
BASICS

Some basic information regarding IP networking is required. The following information on Subnetworks, Network Masks and Subnetworking has been provided courtesy of Wikipedia, the free encyclopedia. Due to the inclusion of this information, this article is being released under the terms of the GNU Free Document License.

SUBNETWORKS

The word subnetwork (subnet for short) has two related meanings. In the older and more general meaning, it meant one physical network of an internetwork. In the Internet Protocol (IP), a subnetwork (usually known as a subnet) is a division of a classful network. The rest of this article is about the second meaning. Subnetting an IP network allows you to break down what appears (logically) to be a single large network into smaller ones. It was originally introduced before the introduction of classful network numbers in IPv4, to allow a single site to have a number of local area networks. Even after the introduction of classful network numbers, it continued to be useful, as it reduced the number of entries in the Internet-wide routing table (by hiding information about all the individual subnets inside a site). As a side benefit, it also resulted in reduced network overhead by dividing the parts which receive IP broadcasts.

NETWORK MASKS

A network mask, also known as a subnet mask, netmask or address mask, is a bitmask used to tell how many bits in an octet (or octets) identify the subnetwork, and how many bits provide room for host addresses. Subnet masks are usually represented in the same representation used for addresses themselves; in IPv4, dotted decimal notation: four numbers from zero to 255 separated by periods, e.g. 255.128.0.0. But in subnet masks only some of the numbers are allowed: 0, 128, 192, 224, 240, 248, 252, 254, 255. Less commonly, it can be represented as an eight-digit hexadecimal number (e.g. FF.80.00.00 = 255.128.0.0). A shorter form, which is known as Classless Inter-Domain Routing (CIDR) notation, gives the network number followed by a slash and the number of 'one' bits in the binary notation of the netmask (i.e. the number of relevant bits in the network number). For example, 192.0.2.96/28 indicates an IP address where the first 28 bits are used as the network address (same as 255.255.255.240).

SUBNETTING

Subnetting is the process of allocating bits from the host portion as a network portion. For example, giving the class A network 10.0.0.0 a subnet mask of 255.255.0.0 would break it down into 256 sub-networks (10.0.0.0 to 10.255.0.0), indicating that the first octet of the IP address shows the network address, the second one shows the subnet number and the last two show the host part. A bitwise AND operation of the host address with the subnet mask extracts the complete subnetwork address (see example below). Subnet masks are not limited to whole octets, either. For example 255.254.0.0 (or /15) is also a valid mask. Applied to a class A address this would create 128 subnetworks in intervals of two


-( page 16)-


WHAT IS ROUTING?

Routing is essentially the forwarding of packets from one network to another. The Internet, and most corporate networks, are made up of many smaller subnetworks called subnets. An IP subnet is a subset of a larger network, and is defined by the network mask. The network mask defines the range or size of the subnet. For every subnet, there is a network address (at the start of the subnet) and a broadcast address (the end of the subnet). The broadcast address is used on Ethernet networks, for example, to send a special broadcast packet which all devices on the network are expected to respond to. Typically, a router will have an interface (logical or virtual) in the subnet. The clients on that subnet are configured to pass packets to the router. This is usually done by sending the IP packet destined for a remote address but with the MAC address of the router's interface. The packet is then picked up by the router, which uses the destination IP address to determine how it should route the packet, if it can at all.

In its basic form, a router could have an address in two subnets; let's say 192.168.1.0/24 and 10.1.2.0/24 are the two subnets. The router may exist as 192.168.1.1 and 10.1.2.1 in each subnet. A client 192.168.1.10 wants to send a packet to 10.1.2.100. To do this, it will send the packet destined to 10.1.2.100 but with the MAC address of the 192.168.1.1 interface. When the router receives the packet, it looks in its routing table to see how to forward the packet. If it finds a suitable route, it will forward the packet to the destination by changing the destination MAC address to that of 10.1.2.100 and forward the packet out the interface associated with 10.1.2.1. If the router doesn't have a suitable route, it will send a special ICMP response back to the source IP (192.168.1.10) advising that the destination host or network is unreachable.
ROUTING TABLE

The routing table, in some form or another, exists on every IP-capable device. At the very least, the routing table provides destination and gateway information, the gateway being the IP address to which packets for that destination are forwarded. Often the routing table also contains more specific information, such as the interface out of which to send the packets. It may also contain what is called a metric. A metric is a value that gives a particular route a priority; by convention the lower the metric, the more preferred the route. When several routes cover a destination, the most specific one (the longest prefix) wins before the metric is even consulted. Metrics are important because they enable you to prefer one route over another, but if the higher-priority route becomes unavailable, the backup route is still in the table to prevent routing failures.

POLICY ROUTING

Policy routing is a term you have probably come across. To avoid confusion between policy routing and dynamic routing protocols, a brief primer on policy routing is provided. Policy routing involves tagging packets that have been classified with a specific priority or type of service, or matching attributes of a specific packet, and making routing decisions based on those attributes. Dynamic routing protocols affect overall routes on the network based on network conditions or configuration, rather than specific packet attributes. For example, with routes announced by BGP, BGP will change the routing table to prefer one route over another based on the conditions of the network as exchanged between two BGP peers. Policy routing may change how a specific packet or stream of packets is routed over the network based on, for example, the source port or origin of the packet.

AUTONOMOUS SYSTEMS (AS)

In the Internet, an autonomous system (AS) is a collection of IP networks and routers under the control of one entity (or sometimes more) that presents a common routing policy to the Internet. See RFC 1930 for additional detail on this updated definition. Originally, the definition required control by a single entity, typically an Internet service provider or a very large organization with independent connections to multiple networks, adhering to a single and clearly defined routing policy. See RFC 1771, the original (now obsolete) definition of the Border Gateway Protocol.

The newer definition of RFC 1930 came into use because multiple organizations can run BGP using private AS numbers to an ISP that connects all those organizations to the Internet. Even though there are multiple autonomous systems supported by the ISP, the Internet only sees the routing policy of the ISP. That ISP must have a public, registered ASN. A unique AS number (ASN) is allocated to each AS for use in BGP routing. With BGP, AS numbers matter because the ASN uniquely identifies each autonomous system on the Internet, and the list of ASNs a route has passed through (the AS path) is how BGP detects routing loops.

ROUTING PROTOCOLS

There are a number of routing protocols: IGRP, EIGRP, RIP, OSPF, IS-IS and BGP. Routing protocols are typically classified as interior or exterior to an AS. Interior routing protocols are used to exchange information and maintain routes within a single AS. Exterior protocols, such as BGP, are used to exchange routing data between multiple ASes. IGRP and EIGRP are Cisco proprietary. RIP is available in version 1 and version 2. RIP is a limited and basic protocol (a distance-vector protocol with a maximum path length of 15 hops), ideal for smaller networks that do not wish to add the complexity of OSPF.
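The routing-table and policy-routing behaviour described in the sections above, as an added Python example (not code from the article). The table is constructed for the two-subnet router in the text plus assumed upstream gateways (203.0.113.1 and 198.51.100.1); the policy rule, matching UDP source port 5060, is likewise an assumption chosen to show that policy rules look at more than the destination address:

```python
import ipaddress

# Constructed routing table for the example router (192.168.1.1 / 10.1.2.1 in the text), plus an
# upstream default route with a primary and a backup gateway.  Lower metric is preferred.
# (prefix, gateway, interface, metric); gateway None means the prefix is directly connected.
ROUTES = [
    ("192.168.1.0/24", None,           "eth0", 0),
    ("10.1.2.0/24",    None,           "eth1", 0),
    ("10.0.0.0/8",     "198.51.100.1", "eth3", 5),    # less specific route to the rest of 10/8
    ("0.0.0.0/0",      "203.0.113.1",  "eth2", 10),   # primary upstream
    ("0.0.0.0/0",      "198.51.100.1", "eth3", 20),   # backup upstream, stays in the table
]

# A policy routing rule is consulted before the table and matches packet attributes,
# here "UDP source port 5060", rather than only the destination.
POLICY_RULES = [
    {"match": {"proto": "udp", "sport": 5060}, "gateway": "198.51.100.1", "iface": "eth3"},
]

def lookup(dst, table=ROUTES, down=frozenset()):
    """Routing-table lookup: longest prefix match first, then lowest metric, ignoring routes
    whose interface is in `down`.  Returns (gateway, iface), or None when nothing matches,
    which is the case in which a router sends ICMP destination unreachable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface, metric in table:
        net = ipaddress.ip_network(prefix)
        if iface in down or addr not in net:
            continue
        rank = (net.prefixlen, -metric)       # longer prefix wins; then lower metric
        if best is None or rank > best[0]:
            best = (rank, gw, iface)
    return None if best is None else (best[1], best[2])

def route_packet(pkt, table=ROUTES, rules=POLICY_RULES, down=frozenset()):
    """Policy rules see the whole packet; the table sees only the destination address."""
    for rule in rules:
        if rule["iface"] not in down and all(pkt.get(k) == v for k, v in rule["match"].items()):
            return (rule["gateway"], rule["iface"])
    return lookup(pkt["dst"], table, down)

if __name__ == "__main__":
    print(lookup("10.1.2.100"))                 # (None, 'eth1'): connected /24 beats 10/8
    print(lookup("8.8.8.8", down={"eth2"}))     # ('198.51.100.1', 'eth3'): backup default route
```

Marking an interface as down shows the point of keeping the higher-metric default route in the table: the lookup falls through to it instead of failing.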
OSPF

Open Shortest Path First (OSPF) is a link-state, hierarchical Interior Gateway Protocol (IGP). Dijkstra's algorithm is used to calculate the shortest path tree, with cost as the routing metric. Each router builds a link-state database of the network topology, and this database is identical on all routers in an area. OSPF is perhaps the most widely used IGP in large networks. It can operate securely, using MD5-keyed authentication to authenticate peers before forming adjacencies and before accepting link-state advertisements; without it, any host that can see OSPF hellos on a segment can form an adjacency and inject routes, so authentication should be enabled and interfaces that face only hosts should be made passive. A natural successor to RIP, it was VLSM-capable, i.e. classless, from its inception. A newer version of OSPF (OSPFv3) supports IPv6 as well. Multicast extensions to OSPF (MOSPF) have been defined, but are not widely used. OSPF can "tag" routes and propagate the tags along with the routes. An OSPF network can be broken up into smaller networks called areas. A special area called the backbone area (area 0) forms the core of the network, and the other areas are connected to it. Inter-area routing goes via the backbone. All areas must connect to the backbone; if no direct connection is possible, a virtual link may be established. Routers in the same broadcast domain, or at each end of a point-to-point link, form adjacencies when they have discovered each other. On broadcast networks the routers elect a designated router (DR) and backup designated router (BDR), which act as a hub to reduce the traffic between routers. OSPF uses both unicast and multicast to send hello packets and link-state updates; the multicast addresses 224.0.0.5 (all OSPF routers) and 224.0.0.6 (all DR/BDR routers) are used. In contrast to RIP (UDP port 520) or BGP (TCP port 179), OSPF does not use TCP or UDP but runs directly over IP, using IP protocol number 89.
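The SPF calculation described above, as an added Python example (not code from the article): Dijkstra's algorithm run over a small constructed link-state database with per-interface costs, followed by a withdrawn link to show every router recomputing. The router names and costs are assumptions for the example:

```python
import heapq

# Constructed link-state database.  In OSPF every router in the area holds an identical copy;
# each entry is a router's links as (neighbour, cost).  Cost is per outgoing interface, so the
# two directions of a link can differ.
LSDB = {
    "R1": [("R2", 10), ("R3", 1)],
    "R2": [("R1", 10), ("R4", 1)],
    "R3": [("R1", 1), ("R4", 100)],
    "R4": [("R2", 1), ("R3", 100)],
}

def shortest_path_tree(lsdb, root):
    """Dijkstra from `root`, as one SPF run: returns {router: (total_cost, next_hop)}."""
    dist = {root: 0}
    result = {}
    heap = [(0, root, None)]                 # (cost, node, first hop from root on this path)
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if node in result:
            continue                         # already settled with a cheaper path
        result[node] = (cost, hop)
        for nbr, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            if nbr not in dist or new_cost < dist[nbr]:
                dist[nbr] = new_cost
                heapq.heappush(heap, (new_cost, nbr, nbr if node == root else hop))
    return result

def routing_table(lsdb, root):
    """What the router installs from the tree: destination -> next hop."""
    return {n: hop for n, (cost, hop) in shortest_path_tree(lsdb, root).items() if n != root}

def without_link(lsdb, a, b):
    """Simulate a link-state update withdrawing the link a<->b; every router then reruns SPF."""
    return {r: [(n, c) for n, c in links if {r, n} != {a, b}] for r, links in lsdb.items()}

if __name__ == "__main__":
    print(shortest_path_tree(LSDB, "R1")["R4"])                        # (11, 'R2')
    print(routing_table(without_link(LSDB, "R2", "R4"), "R1")["R4"])   # R3
```

Because every router runs the same algorithm over the same database, R1 and R4 arrive at consistent forwarding decisions without exchanging routing tables, which is the difference between a link-state protocol and a distance-vector one like RIP.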
BGP

The Border Gateway Protocol (BGP) is the core routing protocol of the Internet. It works by maintaining a table of IP networks, or 'prefixes', which designate network reachability between autonomous systems (AS). It is described as a path vector protocol: each route carries the list of ASes it has traversed. BGP does not use technical metrics, but makes routing decisions based on network policies or rules. The current version of BGP, BGP version 4, is specified in RFC 4271 (as of January 2006). This RFC obsoletes RFC 1771. BGP supports classless inter-domain routing and uses route aggregation to decrease the size of routing tables. Since 1994, version four of the protocol has been in use on the Internet; all previous versions are considered obsolete. BGP was created to replace the EGP routing protocol and allow fully decentralized routing, in order to allow the removal of the NSFNET Internet backbone network. This allowed the Internet to become a truly decentralized system. Very large private IP networks can also make use of BGP; an example would be the joining of a number of large Open Shortest Path First (OSPF) networks where OSPF by itself would not scale to size. Another reason to use BGP is multihoming a network for better redundancy. Most Internet users do not use BGP directly. However, since most Internet service providers must use BGP to establish routing between one another, it is one of the most important protocols of the Internet. Compare and contrast this with Signalling System 7, which is the inter-provider core call setup protocol on the PSTN.

OPEN SOURCE IMPLEMENTATIONS

There are a number of open source implementations, including OpenBGPD, Quagga, XORP, GNU Zebra and BIRD.

FURTHER ARTICLES

This article was designed to introduce the concepts behind dynamic routing protocols. In issue 7 of o3 magazine, the network column will continue on from this article, looking at the Vyatta router platform based on XORP, and another article in the same issue will look at configuring Zebra to speak BGP with a Cisco IOS 12.2 based router.
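Returning to the BGP section: the path-vector behaviour it describes (routes carrying their AS path, decisions by policy rather than metric) as an added Python example, not code from the article or from any of the implementations listed. The ASNs, prefixes, peer names, next-hop addresses and the LOCAL_PREF policy are all constructed for the example:

```python
# Constructed BGP UPDATEs received by our router in AS 65001 for one prefix, from three peers.
# Each carries the AS path (nearest AS first) and the next hop; there is no metric.
LOCAL_AS = 65001

ANNOUNCEMENTS = [
    {"prefix": "198.51.100.0/24", "as_path": [64500, 64510],        "next_hop": "203.0.113.1",  "peer": "transit-a"},
    {"prefix": "198.51.100.0/24", "as_path": [64520, 64530, 64510], "next_hop": "203.0.113.9",  "peer": "peer-b"},
    {"prefix": "198.51.100.0/24", "as_path": [64540, 65001, 64510], "next_hop": "203.0.113.17", "peer": "peer-c"},
]

# Policy rather than metrics: prefer routes learned from the settlement-free peer over paid
# transit by giving them a higher LOCAL_PREF.
LOCAL_PREF = {"peer-b": 200, "transit-a": 100, "peer-c": 100}

def accept(update, local_as=LOCAL_AS):
    """Path-vector loop detection: an UPDATE whose AS path already contains our own ASN is
    rejected, because it must have passed through us already."""
    return local_as not in update["as_path"]

def best_path(updates, local_as=LOCAL_AS, local_pref=LOCAL_PREF):
    """Abbreviated BGP decision process: highest LOCAL_PREF, then shortest AS path, then the
    lowest next-hop address as a stand-in for the later tie-breakers (MED, router ID)."""
    candidates = [u for u in updates if accept(u, local_as)]
    if not candidates:
        return None

    def rank(u):
        return (-local_pref.get(u["peer"], 100), len(u["as_path"]),
                tuple(int(o) for o in u["next_hop"].split(".")))
    return min(candidates, key=rank)

def advertise(route, local_as=LOCAL_AS, our_next_hop="203.0.113.33"):
    """Re-announcing the chosen route to a neighbour prepends our ASN to the path (which is what
    the next AS uses for loop detection) and sets the next hop to our address towards that
    neighbour (an assumed address here)."""
    return dict(route, as_path=[local_as] + route["as_path"], next_hop=our_next_hop)

if __name__ == "__main__":
    print(best_path(ANNOUNCEMENTS)["peer"])                  # peer-b: policy beats the shorter path
    print(best_path(ANNOUNCEMENTS, local_pref={})["peer"])   # transit-a: without policy, shortest AS path
```

The third announcement is dropped before any comparison because our own ASN is already in its path; the same check run by AS 64520 on our re-advertisement of the route it gave us rejects it in turn, which is how a path vector protocol avoids loops without a hop-count metric.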


BUSINESS SOLUTIONS

Why Prioritize Network Traffic?

BANDWIDTH TO THE INTERNET IS A FINITE RESOURCE, AND OFTEN AN EXPENSIVE ONE. THIS MONTH WE LOOK AT WHY CLASSIFYING TRAFFIC, AND PRIORITIZING THAT TRAFFIC TO MAINTAIN QUALITY OF SERVICE, IS CRITICAL TO DAILY BUSINESS OPERATIONS AS SERVICES CONVERGE ON IP DATA NETWORKS...

By John Buswell. This month we look at convergence and the new capabilities that data networks must provide for vital business operations, now and in the future. The key to managing the convergence of voice, telephony, video, data and other services is to classify and prioritize network traffic successfully.
CONVERGENCE

Technological convergence is an ongoing challenge in today's data networks. Convergence is a term commonly used in reference to the combination of voice, telephony, data and video services onto a single network. Convergence can reduce costs, provide new features and seamlessly integrate data. However, as more real-time applications such as video, voice and telephony are placed onto the network, it becomes increasingly important to prioritize network traffic.

BANDWIDTH

All data networks have a finite amount of bandwidth available. If you plan to add voice and telephony services to the data network, you must also plan to increase the bandwidth available to the network. A business that migrates its telephone services to a Voice over IP system, perhaps through a third party such as Vonage, is still using the bandwidth it already uses for data communications over the Internet. Too much voice traffic without increasing the bandwidth will degrade the data services used within the company. If no priority is given to voice communications, routers will simply attempt to deliver on a first-come, first-served basis. While it doesn't matter if there is a 30-second pause during a download, it does matter if there is a 30-second pause during a conference call with an important client. Without a mechanism on the network to classify and prioritize this type of traffic, you are leaving service quality to chance. As more services are converged onto the data network in the future, it is vital that your data network has the necessary framework to prioritize network traffic. Without that framework, as more services are converged, you may find that resources have not been allocated to increase bandwidth or deploy new equipment vital to business operations in the future.

PROBLEMS

There are a number of problems that affect today's data networks; these include data loss, delay, jitter, out-of-order delivery, errors and external problems such as Denial of Service attacks. The edge of your data network typically refers to the equipment between your network and the Internet. This usually involves some kind of router. A router is simply a special computer that takes network traffic and forwards it to the correct location. You may be familiar with terms such as firewalls. A firewall is a set of conditions or rules that are applied to network traffic to determine whether it is permitted or not. In most cases the majority of convergence and bandwidth problems will involve traffic entering and leaving your network through this edge point. These routers have a finite amount of memory; when data comes in at a rate greater than the bandwidth can support, that data is placed in a queue. The best way to think of it is a queue at a bus stop. The bus comes along, a finite number of people are crammed onto the bus, and it leaves. A number of people are left at the bus stop waiting for the next bus. If the queue or wait for the bus is too long, then people start to leave the queue and try another method, such as a taxi. Routers work in a similar manner: if the queue of data waiting to be sent out becomes too long, and the router starts to run out of memory, the router will drop information. Without any classification in place, the router discards data indiscriminately; it doesn't care whether the information is part of an important phone call or someone in the sales department checking their stock portfolio.


If the router doesn't run out of queue memory, but the bandwidth is severely over-utilized, you will get delay. Using our bus analogy, it would be similar to the bus running 30-40 minutes late on each run. Obviously, just like dropped packets, delayed packets are unacceptable, especially in real-time applications such as telephony.
JITTER

Jitter is the variation in the time it takes for different packets to pass through the same set of routers across the Internet. In a stream of information, one packet may take longer than another. If packets take different routes across the Internet, it is also possible for them to arrive out of order at the remote end. Real-time applications absorb jitter with a playout (jitter) buffer, at the price of added delay.
OUT OF ORDER DELIVERY

Packets are typically small pieces of a larger piece of information. Packets vary in size depending on the type of network the data is travelling through. If a piece of information is too big to fit inside a single packet, it is broken up into a series of packets. The way the Internet is designed, it is possible for those packets to arrive out of order. Routers forward each packet independently and keep no track of sequence; it is the receiving host that has to put the pieces back together, and on a congested network it will discard pieces whose predecessors never arrive (its reassembly timer expires), while a real-time application will discard packets that arrive too late to be useful.
DENIAL OF SERVICE ATTACKS

Denial of Service attacks are a different problem. Unlike the previous problems we have highlighted, DoS attacks appear at face value to be legitimate network traffic. DoS attacks are designed to use up the resources of the target so that legitimate users cannot use those services. Classifying and prioritizing critical traffic can help maintain some degree of order during a DoS attack, and there are also a number of different methods of mitigating DoS attacks. We will discuss DoS attack mitigation in a later article; it is important to note here that classifying and prioritizing network traffic provides a good foundation for such solutions.

PACKET CLASSIFICATION

The good news is that most modern routers can be instructed as to what is important and critical and what is not. The technical term for this is packet classification. Successful packet classification involves both the business and technical units of a company working closely together to identify what is critical to daily business operations and what is lower priority. Packet classification should start at the top level: which services are important to the business. Typically these will be the methods used to communicate with customers and those necessary to conduct business. For most companies this will be voice, email, e-commerce and perhaps instant messaging. Of these technologies, we will say that voice should have the highest priority, followed by instant messaging. In our example, the company relies heavily on instant messaging to follow up on Internet-based sales leads. The company's e-commerce solutions are equally important but not quite as sensitive as the voice applications: customers can handle a few seconds of delay waiting for pages to load in the event of network congestion. Finally, email is given the lowest priority, as mail servers queue undeliverable mail and keep retrying for several days in the event of heavy congestion. Classification then continues, working down through outbound traffic such as web usage, and perhaps blocking undesirable services. This classification is then translated into configurations for routers, switches, firewalls and other equipment on the network.

QOS

You may already have what is known as a Service Level Agreement, or SLA, with your Internet Service Provider(s). The SLA is a guarantee of service, indicating the guaranteed level of performance, throughput and latency based on mutually agreed measures. The service provider typically uses QoS-based technologies, such as prioritizing traffic, to ensure the SLA is maintained throughout the life of the contract. Prior to deploying QoS, it is important that similar internal SLA-like documents are drafted to provide guidelines for what is expected from the network. By creating SLA-type documents, it is very easy to determine whether network upgrades and additional Internet bandwidth purchases are really necessary to the business. QoS is typically deployed using DiffServ, or differentiated services. In the DiffServ model, packets are marked according to the type of service they need; the mark is the 6-bit DSCP value carried in the DS field of the IP header (voice, for example, is conventionally marked EF, decimal 46). In order to mark these packets, they first must be identified or classified, which is what we discussed in the previous section. The SLA-type documents drafted provide easy guidelines for network engineering staff on how to mark the services. One caveat: a marking is only as trustworthy as the device that set it, so re-mark (or clear) the DSCP on traffic arriving from the Internet or from untrusted hosts at the network edge; otherwise anyone can place their own traffic, including a DoS flood, into your highest-priority queue.


Once the packets are marked, the routers and switches across the network queue and prioritize the traffic accordingly.
POLICY ROUTING


Policy routing is a method of looking at packets as they come into the router and, based on attributes those packets have, forwarding them along a specific path. In a local network, you may have multiple Internet connections. It might be desirable to route all voice communications over a larger-bandwidth connection, or to route all traffic to a particular site over one link because it has a shorter distance to travel. Policy routing is similar to QoS in that packets are classified, optionally marked and then handled differently through the network. Linux has a wide range of features that can be used to provide policy routing (packet marks set by iptables, and multiple routing tables selected by ip rule).
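The classification, DiffServ marking and policy-routing steps from the QoS and policy routing sections above, worked together in one added Python example (not code from the article). The flow records, port-to-class mapping, DSCP choices (EF 46, AF41 34, AF21 18) and upstream link addresses are all constructed for the example; a real edge router reads the same fields from the packet headers. It also applies the caveat from the QoS section: markings carried in from an untrusted side are not believed.

```python
# Constructed flow records standing in for packet headers: the values are made up for the example.
FLOWS = [
    {"src": "192.168.1.10",  "dst": "203.0.113.5",  "proto": "udp", "dport": 5060,  "dscp_in": 0,  "ingress": "lan"},  # SIP signalling
    {"src": "192.168.1.10",  "dst": "203.0.113.5",  "proto": "udp", "dport": 16384, "dscp_in": 0,  "ingress": "lan"},  # RTP media
    {"src": "192.168.1.20",  "dst": "198.51.100.7", "proto": "tcp", "dport": 5222,  "dscp_in": 0,  "ingress": "lan"},  # XMPP instant messaging
    {"src": "192.168.1.30",  "dst": "198.51.100.8", "proto": "tcp", "dport": 443,   "dscp_in": 0,  "ingress": "lan"},  # e-commerce
    {"src": "192.168.1.40",  "dst": "198.51.100.9", "proto": "tcp", "dport": 25,    "dscp_in": 0,  "ingress": "lan"},  # email
    {"src": "198.51.100.66", "dst": "192.168.1.30", "proto": "udp", "dport": 53,    "dscp_in": 46, "ingress": "wan"},  # from the Internet, already marked EF
]

# The business ranking from the text mapped onto DiffServ code points:
# EF (46) for voice, AF41 (34) for IM, AF21 (18) for e-commerce, best effort (0) for email.
CLASSES = [
    ("voice",     46, lambda f: f["proto"] == "udp" and (f["dport"] == 5060 or 16384 <= f["dport"] <= 32767)),
    ("im",        34, lambda f: f["proto"] == "tcp" and f["dport"] == 5222),
    ("ecommerce", 18, lambda f: f["proto"] == "tcp" and f["dport"] in (80, 443)),
    ("email",      0, lambda f: f["proto"] == "tcp" and f["dport"] in (25, 587)),
]
TRUSTED_INGRESS = {"lan"}           # only markings applied on our own side are believed

def classify(flow):
    """Return (class, dscp).  Traffic from an untrusted ingress is re-marked to best effort
    whatever DSCP it carried, so an outside sender cannot put itself (or a flood) into the
    voice queue."""
    if flow["ingress"] not in TRUSTED_INGRESS:
        return ("untrusted", 0)
    for name, dscp, match in CLASSES:
        if match(flow):
            return (name, dscp)
    return ("default", 0)

def tos_byte(dscp):
    """DSCP occupies the top six bits of the IP TOS/DS byte (the low two bits are ECN)."""
    return dscp << 2

# Policy routing on top of the same classification: two upstream links (assumed addresses);
# voice is sent over the larger link, everything else over the default one.
LINKS = {"fast": "203.0.113.1", "default": "198.51.100.1"}

def egress(flow):
    return LINKS["fast"] if classify(flow)[0] == "voice" else LINKS["default"]

def mark_all(flows):
    """What the edge router does per packet: classify, mark and pick the path."""
    return [dict(f, cls=classify(f)[0], dscp=classify(f)[1], next_hop=egress(f)) for f in flows]

if __name__ == "__main__":
    for f in mark_all(FLOWS):
        print(f["cls"], f["dscp"], hex(tos_byte(f["dscp"])), f["next_hop"])
```

tos_byte() is the value you would need when a tool takes the whole TOS byte rather than the DSCP: EF becomes 0xB8. The last flow shows the trust boundary at work: it arrives pre-marked EF from the Internet and leaves as best effort.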
TRAFFIC SHAPING

The term traffic shaping refers to the mechanisms used to control the flow of traffic being sent into a network. Shaping delays packets in a queue so that they leave at a steady rate; its close relative, policing (rate limiting), simply drops packets that exceed the rate. Traffic shaping can be used to restrict the flow of data on a high-speed interface, for example at a co-location centre where the interface is capable of higher speeds than the rate being paid for. Note that shaping applies to the traffic you send; traffic arriving from outside has already crossed the link by the time you see it, so it can only be policed. Used this way, throttling limits the chance that bandwidth overage charges will apply and thus reduces costs. Traffic shaping can reduce packet loss, provide lower latencies and reduce jitter, because it provides a controlled flow of information instead of bursts of information. Instead of having 10 packets in one second, 0 packets in the next second, 10 packets in the next second and so on, the network transmits 1 packet every 0.2 seconds.
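The smoothing described above, simulated in Python as an added example (not code from the article). The arrival pattern is the text's 10, 0, 10, 0 packets per second and the rate is 5 packets per second; the policer is included for contrast, since the text distinguishes throttling from rate limiting:

```python
def bursty_arrivals(pattern, slot_seconds=1.0):
    """Turn a per-second packet count such as (10, 0, 10, 0) into arrival timestamps, with
    every packet of a slot arriving at the start of that second.  Constructed input."""
    times = []
    for i, count in enumerate(pattern):
        times.extend([i * slot_seconds] * count)
    return times

def shape(arrival_times, rate_pps):
    """Shaper with a FIFO queue: a packet leaves at the later of its arrival time and one
    inter-packet interval (1/rate) after the previous departure.  Nothing is dropped; the
    burst is turned into an even spacing.  Returns departure times in order."""
    interval = 1.0 / rate_pps
    departures, next_free = [], 0.0
    for arrival in sorted(arrival_times):
        depart = max(arrival, next_free)
        departures.append(round(depart, 6))
        next_free = depart + interval
    return departures

def max_queue_delay(arrival_times, rate_pps):
    """The price of shaping: the longest time any packet waited in the queue."""
    arrivals = sorted(arrival_times)
    return round(max(d - a for a, d in zip(arrivals, shape(arrivals, rate_pps))), 6)

def police(arrival_times, rate_pps, burst):
    """Policer (rate limiter) for contrast: a token bucket that drops, rather than delays,
    anything beyond `rate_pps` once the `burst` allowance is spent.  Returns (passed, dropped)."""
    tokens, last = float(burst), None
    passed, dropped = [], []
    for arrival in sorted(arrival_times):
        if last is not None:
            tokens = min(float(burst), tokens + (arrival - last) * rate_pps)
        last = arrival
        if tokens >= 1.0:
            tokens -= 1.0
            passed.append(arrival)
        else:
            dropped.append(arrival)
    return passed, dropped

if __name__ == "__main__":
    burst = bursty_arrivals((10, 0, 10, 0))
    print(shape(burst, 5)[:4])            # [0.0, 0.2, 0.4, 0.6]: one packet every 0.2 s
    print(len(police(burst, 5, 5)[1]))    # 10 packets dropped by a policer with the same rate
```

The shaper delivers all twenty packets, 0.2 seconds apart, but the last packet of each burst waits 1.8 seconds; the policer with a burst allowance of five delivers only half of them with no delay. That trade-off (delay versus loss) is why shaping suits your own outbound traffic and policing suits what arrives from outside.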
BOTTOM LINE

Daily business operations rely more and more on Internet-based solutions. Many companies utilize services such as Vonage to provide local phone numbers in foreign countries in order to compete in those markets. As business communications come to rely on today's data networks, it is important that those networks have the capability to manage and control the traffic flowing across them. As bandwidth is a finite resource, managing that bandwidth efficiently can decrease the number of costly bandwidth upgrades required while ensuring that critical services still function correctly.


WEB TECHNOLOGIES

RRDtool Demystified

WANT AN INDUSTRY-STANDARD DATA LOGGING AND GRAPHING APPLICATION? WANT TO WRITE CUSTOM WEB-BASED MONITORING SCRIPTS? USE RRDTOOL, A TIME-SERIES DATA STORAGE AND DISPLAY SYSTEM.

By Bharat Shetty. Have you ever wondered how to gather status information from all sorts of things, ranging from the temperature in your office to the number of octets that have passed through the FDDI interface of your router? Gathering the data isn't a big issue, but it is not so trivial to store this data in an efficient and systematic manner. Don't fret. RRDtool lets you log and analyze the data you gather from all kinds of data sources (DS).
WHAT IS RRD?

RRD is the abbreviation for Round Robin Database. RRD enables you to store and display time-series data (such as network bandwidth, machine-room temperature or server load average). Data can be stored in a very compact way, and creating good-looking graphs becomes an easy task. It can be used via simple shell scripts or as a Perl module. RRDtool is released under the GNU General Public License and was developed by Tobias Oetiker, a system manager at the Swiss Federal Institute of Technology. Technically speaking, it is a database. Still, there are some distinct differences between RRDtool databases and other databases:

• RRDtool helps store data; that makes it a back-end tool. The RRDtool command set also allows the creation of graphs; that makes it a front-end tool as well. Other databases just store data and cannot create graphs.

• In case you wonder where the RRD name arises: in a linear database, new data is appended at the bottom of the table, so its size keeps increasing, whereas the size of an RRDtool database is determined at creation time. Imagine an RRDtool database as the perimeter of a circle. Data is added along the perimeter. When new data reaches the starting point, it overwrites existing data. This way, the size of an RRDtool database always remains constant.

• Other databases store the values as supplied. RRDtool can be configured to calculate the rate of change from the previous to the current value and store that instead (the COUNTER data-source type).

• Other databases are updated whenever values are supplied. An RRDtool database is structured in such a way that it needs data at predefined time intervals. If it does not get a new value during the interval, it stores an UNKNOWN value for that interval. So, when using an RRDtool database, it is imperative to use scripts that run at regular intervals to ensure a constant flow of data into the database. A timestamp is stored with every update and can be supplied explicitly. Time is always expressed in seconds since the epoch (01-01-1970).

WHERE TO OBTAIN IT?

Download the latest source package (rrdtool-1.2.12.tar.gz) from this site:
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/pub/?M=D

Building instructions are available here:
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/doc/rrdbuild.en.html

Be sure that you have the required libraries installed. Get them from:
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/pub/libs/

DATA GRAPHING

Create an empty RRD database using rrdtool create.


rrdtool create filename [--start|-b start time] [--step|-s step] [DS:ds-name:DST:dst arguments] [RRA:CF:cf arguments]

    rrdtool create loadav.rrd --step 10 DS:load:GAUGE:30:0:100 \
        RRA:AVERAGE:0.5:1:9600 \
        RRA:AVERAGE:0.5:4:9600 \
        RRA:AVERAGE:0.5:24:6000

Here you are creating a database named loadav.rrd to graph the load average on your machine. A step of 10 seconds means that the database expects an update every 10 seconds. To update it you can use a script that runs every 10 seconds. A DS (Data Source) is the actual variable that relates to the parameter on the device that has to be monitored. In the example above, load is the Data Source:

    DS:variable_name:DST:heartbeat:min:max

You can have as many Data Sources as you want. The Data Source Type (DST) defines the type of the Data Source (DS). In this example it has been declared as GAUGE, so that it doesn't save the rate of change; instead, the actual values themselves are saved. For example, you can plot memory consumption using this. The next parameter is the heartbeat. As you see in the example, we have defined the heartbeat to be 30 seconds. The heartbeat is the maximum time that may pass between two updates before the data source is considered unknown: with a 10-second step and a 30-second heartbeat, an update can arrive up to 30 seconds after the previous one and still fill the intervening steps, but once no update has arrived for 30 seconds, unknown values are saved into the database for that period. The next parameters are min and max. They specify the minimum and maximum values of the variable (load) whose values we are storing in the database. Any value that falls outside this range will be marked as unknown.

Now we come to the discussion of round robin archives (RRA). You define a round robin archive using the keyword RRA. The syntax for defining an RRA is as below:

    RRA:CF:xff:steps:rows

In our example, the first RRA definition is:

    RRA:AVERAGE:0.5:1:9600

Here the consolidation function (CF) is AVERAGE: a consolidated data point (CDP) is the average of the primary data points (PDPs) that go into it. Other consolidation functions allowed are LAST, MAXIMUM and MINIMUM. The xff (xfiles factor) of 0.5 means a CDP is still computed as long as no more than half of its PDPs are unknown. Here only 1 PDP is used per CDP, and a total of 9600 rows of these CDPs are archived. Each PDP covers one step, i.e. 10 seconds, so this archive holds 9600 × 10 s, about 26.7 hours, at full resolution. Many RRAs can be defined for a single database. In our example 1, 4 or 24 PDPs are averaged per CDP: the second archive keeps 40-second averages for 9600 rows (about 4.4 days), and the third keeps 240-second averages for 6000 rows (about 16.7 days).
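The step, heartbeat, min/max, xff and round-robin rules described above, modelled in Python as an added example (this is not rrdtool's code, nor code from the article; it is a simplified model in which every whole step since the previous update receives the new value). The update sequence and the small archive sizes are constructed so the wrap-around can be seen; counter_rate() shows what the COUNTER type stores in place of the raw value:

```python
class RoundRobinArchive:
    """Fixed-size ring of consolidated data points (CDPs): the row count never grows, the
    oldest row is overwritten.  None stands for rrdtool's UNKNOWN."""
    def __init__(self, cf, xff, steps, rows):
        self.cf, self.xff, self.steps, self.rows = cf, xff, steps, rows
        self.ring = [None] * rows
        self.pos = 0
        self.pending = []           # PDPs collected for the CDP currently being built

    def add_pdp(self, value):
        self.pending.append(value)
        if len(self.pending) < self.steps:
            return
        known = [v for v in self.pending if v is not None]
        self.pending = []
        # xff: the CDP is still computed unless more than xff of its PDPs are unknown
        if not known or 1 - len(known) / self.steps > self.xff:
            cdp = None
        elif self.cf == "AVERAGE":
            cdp = sum(known) / len(known)
        elif self.cf == "MAXIMUM":
            cdp = max(known)
        elif self.cf == "MINIMUM":
            cdp = min(known)
        else:                       # LAST
            cdp = known[-1]
        self.ring[self.pos] = cdp
        self.pos = (self.pos + 1) % self.rows

    def latest(self, n):
        """The most recent n rows, oldest first."""
        return [self.ring[(self.pos - n + i) % self.rows] for i in range(n)]

class RRD:
    """Simplified model of one GAUGE data source with step/heartbeat/min/max rules: every whole
    step since the previous update receives the new value, unless more than `heartbeat` seconds
    have passed (then the whole gap is UNKNOWN) or the value is outside min..max."""
    def __init__(self, step, heartbeat, vmin, vmax, archives, start=0):
        self.step, self.heartbeat, self.vmin, self.vmax = step, heartbeat, vmin, vmax
        self.archives = [RoundRobinArchive(*a) for a in archives]
        self.last_t = start

    def update(self, t, value):
        if value is not None and not (self.vmin <= value <= self.vmax):
            value = None
        gap = t - self.last_t
        if gap > self.heartbeat:
            value = None
        whole_steps = gap // self.step
        for _ in range(whole_steps):
            for archive in self.archives:
                archive.add_pdp(value)
        self.last_t += whole_steps * self.step

def counter_rate(previous, current, seconds, width=32):
    """What the COUNTER type stores instead of the raw value: the per-second rate of change,
    allowing for the counter wrapping at 2**width."""
    return ((current - previous) % (1 << width)) / seconds

def run_scenario():
    """Feed constructed updates in and return what each archive holds at three points:
    step 10 s, heartbeat 30 s, range 0..100, a 5-row 1-step archive and a 3-row 4-step one."""
    rrd = RRD(step=10, heartbeat=30, vmin=0, vmax=100,
              archives=[("AVERAGE", 0.5, 1, 5), ("AVERAGE", 0.5, 4, 3)])
    for t, v in [(10, 1.0), (20, 3.0), (30, 200.0), (40, 5.0)]:   # 200 is out of range
        rrd.update(t, v)
    stage1 = (rrd.archives[0].latest(4), rrd.archives[1].latest(1))
    rrd.update(90, 7.0)                     # 50 s since the last update: beyond the heartbeat
    stage2 = (rrd.archives[0].latest(5), rrd.archives[1].latest(2))
    rrd.update(100, 9.0)
    stage3 = rrd.archives[0].latest(5)
    return stage1, stage2, stage3

if __name__ == "__main__":
    s1, s2, s3 = run_scenario()
    print(s1)   # ([1.0, 3.0, None, 5.0], [3.0]): one unknown PDP out of four is within xff 0.5
    print(s2)   # ([None, None, None, None, None], [3.0, None]): the missed heartbeat
    print(s3)   # [None, None, None, None, 9.0]: the 5-row ring has wrapped
```

The second stage is the behaviour the text warns about: one update that arrives late fills the whole gap with UNKNOWN, which is why the update script has to run on the step.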
CREATE SCRIPTS TO WRAP RRDTOOL

You can wrap rrdtool inside a script (shell, Perl etc.). Let's discuss this example:

    #!/bin/bash
    # Update loadav.rrd with the 1-minute load average every 10 seconds (the database step).
    while true; do
        echo "updating load.."
        # the first space-separated field of /proc/loadavg is the 1-minute load average
        CURLOAD=$(cut -d' ' -f1 /proc/loadavg)
        rrdtool update loadav.rrd N:$CURLOAD
        CURTIMEIS=$(date)
        echo "updated at $CURTIMEIS with $CURLOAD"
        sleep 10
    done

CURLOAD is a variable that stores the output of the command cut -d' ' -f1 /proc/loadavg: cut splits each line of the file at spaces and outputs only the first field, so the 1-minute load average from /proc/loadavg is copied into CURLOAD each time round the loop. The N: in the update tells rrdtool to timestamp the value with the current time, and the 10-second sleep matches the step the database was created with.
PLOTTING USING RRDTOOL

RRDtool has the nice feature of generating graphs from the statistics stored in the database. The parameters supplied on the command line are used to generate the graph. A graph can show many data sources:

    rrdtool graph loadav.png --start -1h \
        DEF:load=loadav.rrd:load:AVERAGE \
        LINE1:load#0000ff:Load

Different variables can be presented in five different shapes in a graph: AREA, LINE1, LINE2, LINE3 and STACK. AREA is represented by a solid coloured area with the values as the boundary of that area. LINE1/2/3 (of increasing width) are just plain lines representing the values. STACK is also an area, but it is "stacked" on top of the preceding AREA or LINE1/2/3. Plotting takes place in the order in which the variables have been defined in the graph command. The resulting graph is shown on the next page.


LIGHTTPD RRDTOOL MODULE

Now we will discuss the lighttpd RRDtool module. lighttpd itself is a secure, fast, compliant and very flexible web server that has been optimized for high-performance environments. It has a very low memory footprint compared to other web servers and is light on CPU load. Its advanced feature set (FastCGI, CGI, Auth, output compression, URL rewriting and many more) makes lighttpd a good fit for any server that suffers load problems. lighttpd is available from the URLs below, along with the installation instructions.

http://www.lighttpd.net/download/
http://trac.lighttpd.net/trac/wiki/TutorialInstallation

CONFIGURING LIGHTTPD TO USE THE RRDTOOL MODULE

If you compiled from source, copy the template configuration file from the doc directory within the lighttpd source tree to /etc/lighttpd/. Open lighttpd.conf in an editor such as vim or emacs, and examine the configuration file carefully. Observe the section named server.modules:

    server.modules = (
    #   "mod_rewrite",
    #   "mod_redirect",
    #   "mod_alias",
        ...
        ...
        "mod_rrdtool",
    #   "mod_accesslog"
    )

Note that mod_rrdtool has been uncommented here; this is what makes lighttpd load the module. Next observe server.document-root and make sure it points to the correct directory:

    server.document-root = "/var/www/pages"

Next, set logging as below:

    server.errorlog = "/var/www/logs/lighttpd.error.log"

Set the port on which lighttpd should listen on your system:

    server.port = 3000

Finally, set the rrdtool path and the round robin database that the module will use:

    rrdtool.binary = "/usr/bin/rrdtool"
    rrdtool.db-name = "/var/www/pages/lighttpd.rrd"

Keep in mind what mod_rrdtool itself does: it records lighttpd's own traffic counters (bytes in, bytes out and requests) into the file named by rrdtool.db-name, creating that file with its own data sources if it does not exist. The load-average database built in the next section is filled by our own script, so if you keep the module enabled, point rrdtool.db-name at a file other than the one you create by hand.

Now you are ready to run the server. First, check that your configuration is OK:

    $ lighttpd -t -f lighttpd.conf

If it is, you will get a "Syntax OK" message. Now start the server in the foreground for testing:

    $ lighttpd -D -f lighttpd.conf

and point your browser at http://127.0.0.1:3000/. To stop the server again, just press Ctrl-C.


GENERATING GRAPHS

Creating the database:

    rrdtool create lighttpd.rrd --step 10 \
        DS:load:GAUGE:30:0:100 \
        RRA:AVERAGE:0.5:1:9600 \
        RRA:AVERAGE:0.5:4:9600 \
        RRA:AVERAGE:0.5:24:6000

Run this in the directory named in the configuration file (/var/www/pages) so that the database ends up where the scripts below expect it. The step is 10 seconds. The data source "load" is a GAUGE with a 30 second heartbeat (an update arriving more than 30 seconds after the previous one is recorded as unknown) and a valid range of 0 to 100. The three archives keep averages over 1, 4 and 24 steps (10 seconds, 40 seconds and 4 minutes) for 9600, 9600 and 6000 rows respectively, so the finest archive covers a little over a day and the coarsest about two and a half weeks; the 0.5 is the xff, meaning a consolidated value is still recorded as known when up to half of the samples in its interval were unknown. Next we will update values into the database using this shell script (update.sh):

    #!/bin/bash
    # update.sh: store the one-minute load average in the RRD every 10 seconds,
    # matching the --step of the database created above.
    RRD=/var/www/pages/lighttpd.rrd
    while true; do
        echo "updating load.."
        echo ""
        CURLOAD=`cat /proc/loadavg | cut -f 1 -d " "`
        rrdtool update $RRD N:$CURLOAD
        CURTIMEIS=`date`
        echo "updated at "$CURTIMEIS" with "$CURLOAD
        echo ""
        sleep 10s
    done

Finally we need to generate the graph, so we will create another shell script, rrd.sh, as shown below.

    #!/bin/sh
    RRDTOOL=/usr/bin/rrdtool
    OUTDIR=/var/www/pages
    INFILE=/var/www/pages/lighttpd.rrd
    DISP="DEF:load=$INFILE:load:AVERAGE LINE1:load#a0a0a0:Load"
    # last hour, referenced by the HTML page below
    $RRDTOOL graph $OUTDIR/loadav.png --start -1h $DISP
    # last two hours, written to a second image so it does not overwrite the first
    $RRDTOOL graph $OUTDIR/loadav-2h.png --start -2h $DISP

This shell script is simple. The RRDTOOL variable holds the path to the rrdtool binary on the system. OUTDIR holds the path where the PNG (the image of the graph) will be generated. The database path has been assigned to INFILE. DISP holds the rrdtool graph definition parameters. We then plot the graph using the rrdtool graph command. Run update.sh for a few minutes, then run rrd.sh. This should create the PNG of the graph in the path defined in OUTDIR, that is /var/www/pages. Next we will create the HTML to display on our web server (the lighttpd server).

    <HTML>
    <HEAD>
    <TITLE>Load Average Graph</TITLE>
    </HEAD>
    <BODY>
    <H1>Load Average Graph</H1>
    <IMG src="loadav.png" alt="Load Average">
    </BODY>
    </HTML>

Save this as index.html in the document root, fire up your browser and type http://localhost:3000/index.html. As you will see from the result, you are looking at the real-time load average statistics of the machine itself. You can also monitor other metrics such as CPU usage and memory usage. Note that with this layout the .rrd file lives inside the document root, so anyone who can reach the server can also download the raw database; put it outside the document root if that is not what you want. So this is how we serve RRDtool graphs from lighttpd.
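As an added illustration (not code from the article or from rrdtool), the following Python models what the fields of the rrdtool create command above mean: the GAUGE data source's heartbeat and min/max, and the AVERAGE archives' xff, steps and rows. It is a toy reimplementation of the consolidation rule, not rrdtool's own code, and it ignores rrdtool's normalisation of samples onto step boundaries; the load readings at the bottom are constructed for the example.

```python
from collections import deque
from typing import Deque, List, Optional

STEP = 10  # --step 10: one primary data point (PDP) every 10 seconds


def gauge_pdp(value: float, seconds_since_update: float,
              heartbeat: float = 30, lo: float = 0, hi: float = 100) -> Optional[float]:
    """Model of DS:load:GAUGE:30:0:100. A sample is stored as UNKNOWN (None)
    when the previous update is older than the heartbeat or the value lies
    outside the min..max range; otherwise a GAUGE keeps the value as-is."""
    if seconds_since_update > heartbeat or not lo <= value <= hi:
        return None
    return value


class AverageRRA:
    """Model of RRA:AVERAGE:xff:steps:rows. Every `steps` PDPs are averaged
    into one consolidated data point (CDP). The CDP is UNKNOWN when the share
    of UNKNOWN PDPs in the interval exceeds xff. Only `rows` CDPs are kept,
    oldest overwritten first, which is what makes the database round-robin."""

    def __init__(self, xff: float, steps: int, rows: int) -> None:
        self.xff, self.steps, self.rows = xff, steps, rows
        self.pending: List[Optional[float]] = []
        self.cdps: Deque[Optional[float]] = deque(maxlen=rows)

    def coverage_seconds(self) -> int:
        """How far back this archive reaches once it is full."""
        return STEP * self.steps * self.rows

    def push(self, pdp: Optional[float]) -> None:
        self.pending.append(pdp)
        if len(self.pending) < self.steps:
            return
        known = [v for v in self.pending if v is not None]
        unknown_ratio = 1 - len(known) / self.steps
        self.cdps.append(None if unknown_ratio > self.xff else sum(known) / len(known))
        self.pending = []

    def latest(self) -> Optional[float]:
        return self.cdps[-1] if self.cdps else None


def article_rras() -> List[AverageRRA]:
    """The three archives from `rrdtool create lighttpd.rrd` in the article."""
    return [AverageRRA(0.5, 1, 9600), AverageRRA(0.5, 4, 9600), AverageRRA(0.5, 24, 6000)]


def feed(rras: List[AverageRRA], samples: List[Optional[float]]) -> None:
    """Push the same PDP stream into every archive, as rrdtool update does."""
    for pdp in samples:
        for rra in rras:
            rra.push(pdp)


if __name__ == "__main__":
    # Constructed sample: one load reading every 10 s; the third update arrived
    # 45 s late (heartbeat exceeded) and the last one is an out-of-range value.
    raw = [(0.42, 10), (0.58, 10), (0.61, 45), (0.50, 10), (150.0, 10)]
    pdps = [gauge_pdp(v, dt) for v, dt in raw]
    rras = article_rras()
    feed(rras, pdps)
    for rra in rras:
        hours = rra.coverage_seconds() / 3600
        print(f"steps={rra.steps:2d} rows={rra.rows} covers {hours:7.1f} h, "
              f"latest CDP: {rra.latest()}")
```

Running it shows the finest archive reaching 26.7 hours and the coarsest 400 hours, and that one late update and one out-of-range value do not poison a four-step average because only a quarter of the interval is unknown.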
CACTI: A COMPLETE RRDTOOL-BASED GRAPHING SYSTEM

Cacti is a complete network graphing solution designed to harness the power of the data storage and graphing functionality provided by RRDtool. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods and easy user management.
CACTI: DATA SOURCES

The path to any external script or command, along with any data that the user needs to "fill in", can be fed to Cacti for the purpose of data gathering. A cron job then gathers this data and populates the MySQL database and the round robin databases.
CACTI: GRAPHS

Once one or more data sources are defined, an RRDtool graph can be created from that data using all of the standard RRDtool graph types and consolidation functions. A colour selection area and an automatic text padding function also make graph creation easier. Cacti is, in effect, a more robust front-end management solution for RRDtool that makes the RRDtool user's task easier. Several ways of displaying the graphs are available: the standard "list view", a "preview mode" which resembles the RRDtool front end, and a "tree view", which lets you put graphs onto a hierarchical tree for organizational purposes.
CACTI: USER MANAGEMENT

A user-based management tool is built in so that you can add users and give them rights to certain areas of Cacti. You can create users who can change graph parameters while allowing others to only view graphs. Each user also maintains their own settings for viewing graphs.
CACTI: TEMPLATING SCALABILITY

Lastly, Cacti is able to scale to a large number of data sources and graphs through the use of templates. These allow the creation of a single graph or data source template which defines any graph or data source associated with it. Host templates enable you to define the capabilities of a host so that Cacti can poll it for information as soon as a new host is added. For more information please visit http://cacti.net
CONCLUSION

RRDtool is an effective, robust and seamless solution for graphing nearly every imaginable metric on our systems, LANs and servers. We have also illustrated, using simple examples, how to collect data in a round robin database to produce a graph for monitoring the load average. This can be extended to monitor other parameters such as CPU usage and memory usage.

Bharat Shetty, aged 23, is a software engineer by profession. He is a supporter of the free software movement and is an active member of several LUGs in India. He has remained a GNU/Linux enthusiast and hobbyist since he started his engineering studies in computer science at SJCE, Mysore, India. He is very passionate about programming, and during his free time he likes to go on treks and shoot pictures. Other passions include reading books, writing etc. Bharat works for IBM India.


VOIP/VIDEO COMMUNICATIONS

Prioritizing Voice Communication

QUALITY OF SERVICE (QOS) CAN BE USED TO PRIORITIZE VOICE TRAFFIC OVER BUSY IP DATA NETWORKS. MUHAMMAD HAMMAD LOOKS AT THE BEST METHODS FOR PRIORITIZING VOICE TRAFFIC AND THE CAPABILITIES WITHIN THE LINUX KERNEL...

By Muhammad Hammad

Quality of Service (QoS) has emerged in networking over the last decade or so as a relative term. It means "as a client, how satisfied are you with the quality of service of the network or the Internet?". QoS can be measured in a variety of parameters, such as availability, bandwidth, loss and latency. QoS usually refers to the capability of the network to provide better service to selected types of traffic. Such diverse traffic types are possible because of the flexibility of IP networks and of the end-to-end transport protocols running over IP, while IP itself provides only best-effort service and does not guarantee any QoS. For one user, QoS may refer to the smoothness of video playback, while at the same time, over the same network, web browsing may be more important to another user. These traffic types have completely different requirements in terms of acceptable loss, latency and so on, and yet both users are on the same network and require QoS. It is sometimes argued that one should simply add bandwidth rather than deploy complex QoS solutions, but that is really a separate debate. The important question here is "how can QoS be achieved at all?". QoS is measured primarily in terms of network availability, bandwidth, delay, jitter and loss. There can be other parameters as well; for instance, ATM specifies peak-to-peak cell delay variation, cell loss ratio, maximum cell transfer delay, etc.
We first need to identify the types of network traffic, and then identify the behaviour and the requirements imposed by each type. QoS architecture is rather complex and employs a number of different techniques: identification and marking, queuing, scheduling, traffic shaping and policing, congestion management and avoidance, and so on. End-to-end QoS levels can be categorized as follows:

BEST-EFFORT SERVICE

This is a general-purpose service model suitable for applications such as email and file transfer. The application sends data in any quantity without any agreement, and the network delivers it without guaranteeing any service quality.

DIFFERENTIATED SERVICE

This service model is used to meet the desired QoS functionality. Each network device tries to provide the requested QoS behaviour based on the marking carried in each packet. The marking can be made, for example, by setting the Type of Service (TOS) octet, now called the Differentiated Services (DS) field, in the IP header. Using these markings, each intermediate network device is able to classify the packets and provide the desired level of service.

INTEGRATED SERVICE

This model pursues the same goal as the differentiated service model, but here the application explicitly notifies the network devices of its traffic profile, that is, it requests a specific kind of service. The application will send data only after the request has been confirmed by the network.
VOIP

VoIP is a real-time application and is extremely sensitive to delay and loss. Running voice over traditional telephone networks does not create problems because the total bandwidth of the network is dedicated to voice traffic. For VoIP, however, delay, loss and jitter play a significant role in the quality of voice transmission because of the other traffic running over IP. How can we achieve quality voice transmission over an IP network? The solution lies in prioritizing voice traffic and requesting that the intermediate network devices give it preference. The process of prioritizing voice traffic involves several key steps, outlined briefly below.

Before applying QoS mechanisms, we first need to classify the type of traffic. Classification is the process of identifying packets and grouping them on the basis of their behaviour. For VoIP traffic, for example, a network device must first identify it. This can be done in several ways:

• at layer 4: using source and destination port numbers
• at layer 3: using source and destination IP addresses

The above methods of classifying packets operate on a per-hop basis, as every intermediate network device has to perform the identification itself. A more efficient and simpler technique is to mark the packets for network-wide use. This can be achieved by setting the Type of Service (TOS) byte in the IP header. The TOS field is one byte long, and its three most significant bits are called the IP precedence. IP precedence defines eight possible values that can be used to request the desired quality of service. The Differentiated Services (DS) architecture introduces the DS field, which supersedes the existing TOS definition and defines a Differentiated Services Code Point (DSCP). DSCP uses the first six bits of the TOS field, so 64 DS classes can now be defined. The remaining two bits were left unused by RFC 2474; they have since been assigned to Explicit Congestion Notification (RFC 3168), so a filter that matches on DSCP should mask them out. The first three bits of the DSCP designate the class selector and are compatible with IP precedence. DSCP classes include best effort, assured forwarding 1 to 4, and expedited forwarding. Expedited forwarding provides a low-latency, high-priority service and is recommended for VoIP.

Once the VoIP traffic has been classified, each intermediate network device can then apply QoS features to achieve the desired quality of voice communication.
QOS QUEUING

Another important QoS function is queuing. When congestion occurs, queuing all packets in a single queue is not the optimum solution. Congestion management deals with this situation: it uses queuing algorithms to sort the traffic and then services it using some prioritization technique. There are many different queuing algorithms, each with its own characteristics, including First In, First Out (FIFO), Priority Queuing (PQ) and Custom Queuing (CQ). PQ is required for VoIP, and the recommended form of PQ for VoIP is Low Latency Queuing. Queuing mechanisms distinguish traffic based on the classification discussed earlier: a packet is classified at the edge of the network so that the intermediate routers along the path can identify it and process it accordingly.

LINUX KERNEL SUPPORT FOR QOS

The Linux kernel includes options for configuring QoS on interfaces. The QoS options are enabled in the kernel configuration under "Networking -> Networking support -> Networking options -> QoS and/or fair queueing". If the QoS options are disabled, the kernel falls back to its built-in FIFO scheduler (pfifo_fast) for queuing. Linux kernel 2.6.15 provides plenty of queuing algorithms and classifiers, including class based queuing, random early detection, the token bucket filter, etc. Moreover, it also supports the Resource Reservation Protocol (RSVP), classifying packets according to netfilter marks, a network emulator to simulate WAN conditions (loss, delay, etc.), and a rate estimator for network devices and queues. The QoS options are managed with the iproute2 suite, which includes ip and tc for TCP/IP configuration and traffic control respectively. Kernels prior to 2.6.15 also include QoS options, but the menu hierarchy may be slightly different from the one given above. Before we see an example of how to prioritize VoIP using the Linux QoS mechanisms, we first need to understand some important concepts of Linux traffic control. The Linux traffic controller has the following important components:

QDISC

A queuing discipline, or scheduler, defines the behaviour of queuing: how to queue the packets and which packet to serve first. For instance, FIFO queuing treats packets on a "first come, first served" basis.

CLASS

Qdiscs can be divided into classful and classless qdiscs. A classful qdisc is not itself a queue; rather, it is associated with multiple classes, each of which contains a qdisc. In other words, a classful qdisc does not queue packets itself, it further classifies them into queues, which are responsible for queuing the packets. A class can be tied to a qdisc, which in turn can define further classes. Thus a hierarchy of classes and qdiscs can be built to support complex traffic control scenarios. For instance, a priority queuing scheme contains multiple classes, each with a pfifo queue: three classes of priority, 1 through 3, with 3 being the lowest priority. When a packet arrives, it is put into one of those classes based on some classification. At the moment, the class based queuing (CBQ), hierarchical token bucket (HTB) and priority (PRIO) classful qdiscs are supported. A classless qdisc, on the other hand, is purely a single queue, e.g. FIFO. Linux supports the FIFO, random early detection (RED), stochastic fairness queuing (SFQ) and token bucket filter (TBF) classless qdiscs.
FILTER

Filters are used to select packets, based on some classification, and dispatch them to one of the queues associated with a classful qdisc. For instance, if we want a packet coming from a particular source to be given the highest priority in PRIO, we use a filter to recognize it and forward it to the highest priority queue. In the example given below, a sample PRIO qdisc is created using tc. PRIO is a classful qdisc and creates three default priority classes, known as bands. Each class itself uses the pfifo queuing discipline to store and forward packets. By default, in the absence of any filtering, packets are mapped to a band based on the TOS value. Each interface has one "root qdisc", and every class and classful qdisc is identified by a handle. The handle consists of a <major:minor> number. All classes having the same parent have the same major number and a unique minor number. The root starts with 1: (we do not need to write the zero for the root).

    # tc qdisc add dev eth0 root handle 1: prio

The above command creates the PRIO qdisc. The PRIO qdisc creates, by default, three classes, 1:1, 1:2 and 1:3, each with a pfifo qdisc. The command says "attach qdisc prio to device eth0 and assign it the handle 1:". Next we need to filter the traffic for a specific port, for example RTSP (554), into the highest priority class, i.e. 1:1. By default, the PRIO qdisc sorts traffic based on TOS: the highest priority goes to 1:1 (band 0), medium priority to 1:2 (band 1) and the lowest priority to 1:3 (band 2).

    # tc filter add dev eth0 protocol ip parent 1: prio 1 u32 \
          match ip dport 554 0xffff flowid 1:1

    # tc filter add dev eth0 parent 1: protocol ip prio 2 u32 \
          match ip dst 192.168.100.100/24 match ip dport 80 0xffff \
          flowid 1:2

The first command above creates a filter on node 1:, assigns it priority 1, matches RTSP traffic (destination port 554) and sends it to band 1:1. The second command adds a filter that matches the destination IP address and port number, assigns priority 2 and sends it to band 1:2. The hexadecimal number 0xffff is the mask applied to the matched field: all 16 bits of the port must match.

    # tc filter add dev eth0 parent 1: prio 1 protocol ip u32 \
          match ip tos 0x28 0xff flowid 1:1

Using the TOS field we can assign traffic that requires low latency, e.g. VoIP, to the highest priority queue. The above command shows this capability; the TOS value used here, 0x28, is only a placeholder and should be replaced with the marking you actually use. If your voice traffic carries the expedited forwarding DSCP (46), the byte to match is 0xb8 with the mask 0xfc, which ignores the two low-order ECN bits. The examples shown here are simple, yet powerful enough to demonstrate the capabilities of Linux traffic control, which can be used to handle complex traffic control scenarios. In addition, tc can also mark the DS field in packets, but this requires a deeper understanding of tc and cannot be covered in this introduction. Packets can also be marked using iptables, and tc can use such marks to filter traffic. In a nutshell, Linux provides a complex yet powerful and flexible tool to handle traffic QoS.

REFERENCES:

RFCs: 1349, 2474, 2475
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/qossol/qosvoip.htm
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_19/config/qos.htm
http://opalsoft.net/qos/
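The arithmetic behind the TOS filters in the FILTER section, as an added Python example (not code from the article or from iproute2): it converts DSCP values into the byte and mask that `match ip tos` expects, shows which band the PRIO qdisc's default priomap would put a packet in when no filter matches, and prints the corresponding tc filter commands. The TOS-to-priority table and the default priomap are those documented in tc-prio(8) and the LARTC HOWTO; the interface name eth0 and the choice of which marking goes to which class are assumptions for the example, and nothing here executes tc.

```python
from typing import List

# A few standard DSCP values (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
DSCP = {"BE": 0, "CS1": 8, "AF11": 10, "CS3": 24, "AF31": 26, "CS5": 40, "EF": 46}
DSCP_MASK = 0xFC  # the six DSCP bits; the two low bits are ECN and must not be matched


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the top six bits of the TOS/DS byte, so shift left by two."""
    return (dscp << 2) & 0xFF


def ip_precedence(tos: int) -> int:
    """The three most significant bits: the pre-DiffServ IP precedence."""
    return tos >> 5


# How the kernel maps the four legacy TOS bits (D, T, R, C; bits 4..1 of the
# byte) to a packet priority, and how PRIO's default priomap maps that
# priority to a band. Priorities: 0 best effort, 1 filler, 2 bulk,
# 4 interactive bulk, 6 interactive. (Tables from tc-prio(8) / LARTC.)
TOS_BITS_TO_PRIORITY = [0, 1, 0, 0, 2, 2, 2, 2, 6, 6, 6, 6, 4, 4, 4, 4]
DEFAULT_PRIOMAP = [1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1]


def default_prio_band(tos: int) -> int:
    """Band (0 = highest) a packet gets from `tc qdisc add ... prio` with no filters."""
    return DEFAULT_PRIOMAP[TOS_BITS_TO_PRIORITY[(tos >> 1) & 0xF]]


def tc_tos_filter(dev: str, dscp: int, minor: int, prio: int, parent: str = "1:") -> str:
    """tc command steering a DSCP into class parent:minor (PRIO band b is minor b+1)."""
    return (f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32 "
            f"match ip tos 0x{dscp_to_tos(dscp):02x} 0x{DSCP_MASK:02x} flowid {parent}{minor}")


def tc_dport_filter(dev: str, port: int, minor: int, prio: int, parent: str = "1:") -> str:
    """The article's port-based variant: exact match on the 16-bit destination port."""
    return (f"tc filter add dev {dev} parent {parent} protocol ip prio {prio} u32 "
            f"match ip dport {port} 0xffff flowid {parent}{minor}")


def voip_filters(dev: str = "eth0") -> List[str]:
    """Assumed policy: EF voice and RTSP to the top class, AF31 signalling to the middle."""
    return [
        tc_tos_filter(dev, DSCP["EF"], minor=1, prio=1),
        tc_dport_filter(dev, 554, minor=1, prio=1),
        tc_tos_filter(dev, DSCP["AF31"], minor=2, prio=2),
    ]


if __name__ == "__main__":
    for name, value in DSCP.items():
        tos = dscp_to_tos(value)
        print(f"{name:4s} dscp={value:2d} tos=0x{tos:02x} precedence={ip_precedence(tos)} "
              f"default PRIO band={default_prio_band(tos)}")
    # The article's placeholder 0x28 is precedence 1 with the 'maximise throughput'
    # bit set, which the default priomap sends to the lowest band (2), not the highest.
    print(f"0x28 -> default band {default_prio_band(0x28)}")
    print("\n".join(voip_filters()))
```

Two things the output makes visible: EF-marked packets land in the middle band (1) unless a filter claims them, so marking alone is not prioritization on a PRIO qdisc; and a filter that matches 0x28 with mask 0xff would match neither EF nor any ECN-capable flow.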

Muhammad Hammad, based in Pakistan, is General Manager, Enterprise Data Networking at Spliced Networks LLC.


IP NETWORKING

Deploying Open Source DNS Solutions

THE DOMAIN NAME SYSTEM (DNS) IS A MISSION CRITICAL SERVICE THAT POWERS THE INTERNET ON A DAILY BASIS. LEARN HOW TO DEPLOY OPEN SOURCE DNS SOLUTIONS IN A SECURE AND OPTIMAL MANNER...

By John Buswell

The Domain Name System (DNS) provides the human-readable name to IP address mapping that is used across the Internet. DNS is a special type of distributed database that maintains specific information associated with a domain name. The most important piece of information is the IP address associated with a specific host name or with the domain name itself. DNS is a mission critical service for any Internet-based business, and gives customers access to all of your public Internet services through a human-readable name such as www.google.com. Without DNS, if you wanted to use Google you would have to remember 64.233.167.99, and if that server was down, 64.233.167.104, and so on. Now add some of your favourite sites, perhaps www.cnn.com, www.linux.com and www.cisco.com, and suddenly that is a lot of numbers to remember.
DOMAIN REGISTRATION AND TLDS

The Top Level Domain (or TLD) is the rightmost part of the domain name: .com, .net, .org, etc. In today's world there is a wide range of TLDs, ranging from content-specific, such as .museum, to country-specific, such as .ie for Ireland. The first step in getting your business or website online is to register a domain. Domains are unique, and typically consist of your business name, brand or some combination, depending on what is available. If you have a more generic business name such as Acme Computers Inc, you might find that someone has already registered acmecomputers.com. This could be someone operating a company with the same name in another country, or someone who has simply registered popular name combinations. Once you have decided upon a name, you register it and provide some basic information about your network, such as contact information and your DNS server IP addresses. At this point you might have a chicken-and-egg scenario where you want to register the domain prior to rolling out your DNS. Various registrars, such as Godaddy.com, offer free DNS services to bridge that gap.

DOMAIN CHECKS

Some domain registries have stricter regulations than others. For example, some country-specific registries require that your primary and secondary DNS servers are on separate IP networks. Most will require that you have at least two DNS servers, a primary and a secondary. If you only have one server, a number of companies offer secondary DNS services, where they act as your secondary DNS server. Most ISPs will provide secondary DNS services for free or at a relatively low cost if you are a customer with some kind of business-class service such as a T1.

SERVER OPERATING MODES

There are two modes of operation for DNS servers: caching and authoritative. Caching DNS servers take queries from a restricted group of clients (such as an office LAN) and query servers on the Internet for responses. When a response comes back, the caching DNS server forwards it to the client. Depending on the TTL (Time To Live) on the response, the caching DNS server will cache the response for that amount of time. This means that the next time a client requests the same DNS information, if the TTL has not expired, the DNS server responds with the information in its cache instead of querying the Internet again. Authoritative servers answer requests from other DNS servers and clients only for the domains for which they are configured as either a master or a slave. Our DNS server is authoritative for o3magazine.com, so requests for o3magazine.com are answered, but requests for google.com are refused. BIND 9.x supports an internal/external view feature that allows a DNS server to provide different responses to internal and external clients. This feature can be used to run both a caching and an authoritative DNS server safely on the same system. However, if you have the resources and the capability to run multiple DNS servers, running the caching and authoritative services on different servers is the preferred method.
COMMON SENSE

While it amazes me that this is often overlooked, a small amount of common sense when deploying DNS servers goes a long way. Take a small network with two DNS servers as an example: placing each DNS server on a separate UPS on different power outlets goes a long way. If a UPS fails, it does not take out your entire DNS service. If you have multiple Ethernet switches or hubs on your core network, make sure that each DNS server is plugged into a different one, and so on. Most DNS servers can operate as both a caching and an authoritative server. The best approach is to use separate servers for caching and authoritative requests. Generally it is good practice to use multiple DNS servers. DNS is a mission critical service: if your caching DNS service goes down, your local servers and workstations that use it can no longer resolve DNS names such as www.google.com. Unless the users know the IP addresses to use, network availability is severely degraded. If you have more than one caching DNS server, the likelihood of that occurring is significantly lower. Likewise, if your authoritative DNS server goes down, outside users, including customers, can no longer get to your services. If either DNS service is compromised, an attacker can redirect your users and customers to any location they like. This can be used to direct users to "fake" copies of banking or other sites and to harvest their login information. It is very important to keep in mind that your DNS server is a trusted resource.

Whether you realize it or not, you implicitly trust your DNS server. Whenever you type www.myonlinebank.com in your browser, you are trusting that your DNS server is sending you to the bank and not to a malicious user's web site, where you are about to hand over your information. This reason alone is sufficient for most businesses to consider deploying their own local DNS servers rather than using those provided by their ISP.
O PEN SO URCE D NS SO L UTIO NS

prov ide s you w it h s e curit yf e at ure s and is m aint aine d by indiv idual s w h o are s e curit y cons cious . F or t h e purpos e of t h is art icl e w e are going t of ocus on BIND 9 , av ail abl e f rom ht t p:/ / w w w .is c.org. M araD NS av ail abl e at ht t p:/ / w w w .m aradns .org and dj bdns av ail abl e at ht t p:/ / cr .yp.t o/ dj bdns .h t ml are w ort hy al t e rnat iv es t o bind. In f act dj bdns of f e rs a h igh l y s e cure s ol ut ion and is w e l l w ort h al ook .
D EPL O YING BIND

Be f ore you de pl oy bind on your s e rv e rs it is im port ant t o m ak e s ure t h at t h os e s e rv e rs are s e cure in t he f irs t pl ace . T ool s s uch as ne t st at nap and ps aux w il l prov ide you w it h v al uabl e inf orm at ion as t o w h ich port s are ope n on t he s ys t e m and w h at proce s s e s are running. Y ou s h oul d s h ut dow n any proce s s e s you don't ne e d, and dis abl e any unne e de d s e rv ice s and ope n port s . Th e n f ol l ow ing one of t h e m any s e curit y guide s av ail abl e on t h e Int e rne t f or your ope rat ing s ys t e m is ge ne ral l y a good pract ice . If your ope rat ing s ys t e m s upport s a pack age m anage m e nt s ys t em,t h e re is of t ent he t e m pt at ion t ot ak e t h e e as y w ay out . H ow e v er buil ding f rom s ource h as s e v e ral s e curit y adv ant age s w h e n done corre ct l y. 9 .3.2 FRO M SO URCE F irs t , s im pl y ge t and unt ar t h e s ource . H e re w e 're going t o s av e our s ource buil d in our proj e ct s/ dns dire ct ory w it h in our h om e dire ct ory f or f ut ure re f e re nce .
BUIL D ING BIND

m k dir -p ~ / proj e ct s/ dns cd ~ / proj e ct s/ dns w ge t f t p:/ / f t p.is c.org/ is c/ bind9 / 9 .3.2/ bind9 .3.2.t ar .gz Th e f ol l ow ing com m ands , as s um ing you h av e GPG ins t al l e d, are us e d t o ch e ck t h e s ignat ure f or t h is re l e as e : w ge t f t p:/ / f t p.is c.org/ is c/ bind9 / 9 .3.2/ bind9 .3.2.t ar .gz.as c w ge t ht t p:/ / w w w .is c.org/ about / ope npgp/ pgpk e y2004.t x t gpg – im port < pgpk e y2004.t xt gpg – v e rif y bind-9 .3.2.t ar .gz.as c O nce you are h appy w it h t h e gpg out put , you can unt ar t h e s ource :

Th e re are a w ide range of ope n s ource D NS s ol ut ions av ail abl e . As D NS is a t rus t e d re s ource , you ne e d t o be s ure t h at t h e proj e ct you s e l e ct

o3 magazine / feb 2006

-(page 35)-

IP NETWORKING

    tar zxvf bind-9.3.2.tar.gz
    cd bind-9.3.2

We are going to deploy BIND in a chroot environment, and we are going to install it under /usr/local/apps/dns. Instead of doing the default /usr/local installation, this keeps the BIND installation separate from the /usr/local tree, so we know exactly what BIND has installed. This makes it a lot easier to remove at a later date. We are going to build with --enable-threads, which enables thread support. In case you are not familiar with threads: threading is an approach that allows multiple things to happen at what appears to be the same time, with each thread giving up control or resuming when specific events occur. Typically threads will speed the server up a bit, since instead of sitting idle waiting for I/O it can do something else. --with-pic builds position independent code, and --disable-static prevents the static libraries from being built.

    ./configure --prefix=/usr/local/apps/dns --enable-threads --with-pic --disable-static

Let that run, and when it is done simply run:

    make
    su -            (switch to root)
    make install    (now as root)

We have now built and installed BIND. However, we still need to create a user and group, and set up the chroot area. First we will create a group called chdns and a user called chdns:

    mkdir -p /home/chroot
    groupadd -g 8000 chdns
    useradd -u 8000 -g chdns -d /home/chroot/chdns -c "DNS" -m chdns

Now that we have a user and group with a UID/GID of 8000 and a home directory of /home/chroot/chdns, we are ready to set up the environment:

    cd /home/chroot/chdns
    mkdir -p dev etc/zones/slave var/run
    mknod dev/null c 1 3
    mknod dev/random c 1 8
    chmod 666 dev/{random,null}
    cp /etc/localtime etc/

We have now created the directories BIND needs inside the chroot area. The mknod commands create the null and random devices, and chmod sets their permissions. Next we need to enable logging. If you are running syslogd, add the following to its command line options:

    -a /home/chroot/chdns/dev/log

On Fedora, CentOS, Red Hat or Mandriva, for example, these options are typically set in /etc/sysconfig/syslog; simply add it to SYSLOGD_OPTIONS:

    SYSLOGD_OPTIONS="-m 0 -a /home/chroot/chdns/dev/log"

For syslog-ng users, add the following to the source src { }; block of your config instead:

    unix-stream("/home/chroot/chdns/dev/log");

Restart the syslog daemon afterwards so that it creates the socket inside the chroot; named cannot create it itself. Finally, we need to set some permissions:

    cd /home/chroot
    chown root .
    chmod 700 .
    chown chdns:chdns chdns/
    chmod 700 chdns/
    cd chdns/

When you have configured and set up your zones, you should also run these commands under Linux:

    chown -R chdns:chdns /home/chroot/chdns/etc/zones/slave
    chown chdns:chdns /home/chroot/chdns/var/run
    cd /home/chroot/chdns
    chattr +i etc etc/localtime var

chattr +i marks those entries immutable, so nothing can be added to, removed from or renamed in them, even by root, until the flag is cleared with chattr -i. Remember that when you come to edit named.conf.
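The following audit, added here as an example and not part of the article or of BIND, checks a chroot tree against the layout built above: the directory modes, the two device nodes with their major/minor numbers, the files named needs, and that the account named drops to can write to the slave and pid directories but not to named.conf. The chroot path and UID 8000 for chdns are the article's values and are only defaults; because mknod needs root, the self-check builds the skeleton in a temporary directory as the current user and shows the audit catching the missing device nodes.

```python
"""Audit a BIND chroot tree against the layout built above (added example)."""
import os
import stat
import tempfile

# Entries the procedure above creates, relative to the chroot root:
# (path, kind, required mode bits or None, (major, minor) for device nodes or None)
EXPECTED = [
    ("dev/null",        "chr", 0o666, (1, 3)),
    ("dev/random",      "chr", 0o666, (1, 8)),
    ("etc/named.conf",  "reg", None,  None),
    ("etc/localtime",   "reg", None,  None),
    ("etc/zones/slave", "dir", None,  None),
    ("var/run",         "dir", None,  None),
]
_IS_KIND = {"chr": stat.S_ISCHR, "reg": stat.S_ISREG, "dir": stat.S_ISDIR}
# Directories named must be able to write to after it has dropped privileges.
NAMED_WRITES = ("etc/zones/slave", "var/run")


def audit_chroot(root, named_uid=8000):
    """Return a list of findings; an empty list means the tree matches the spec."""
    findings = []
    try:
        top = os.lstat(root)
    except FileNotFoundError:
        return [f"{root}: missing"]
    if stat.S_IMODE(top.st_mode) != 0o700:
        findings.append(f"{root}: mode {stat.S_IMODE(top.st_mode):o}, expected 700")
    if top.st_uid != named_uid:
        findings.append(f"{root}: owned by uid {top.st_uid}, expected {named_uid}")

    for rel, kind, mode, dev in EXPECTED:
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            findings.append(f"{rel}: missing")
            continue
        if not _IS_KIND[kind](st.st_mode):
            findings.append(f"{rel}: not a {kind}")
            continue
        if mode is not None and stat.S_IMODE(st.st_mode) != mode:
            findings.append(f"{rel}: mode {stat.S_IMODE(st.st_mode):o}, expected {mode:o}")
        if dev is not None and (os.major(st.st_rdev), os.minor(st.st_rdev)) != dev:
            findings.append(f"{rel}: device {os.major(st.st_rdev)},{os.minor(st.st_rdev)}, "
                            f"expected {dev[0]},{dev[1]}")
        if rel in NAMED_WRITES and st.st_uid != named_uid:
            findings.append(f"{rel}: owned by uid {st.st_uid}; named (uid {named_uid}) cannot write here")

    # named.conf must not be writable by the account named runs as.
    conf = os.path.join(root, "etc/named.conf")
    if os.path.isfile(conf):
        st = os.lstat(conf)
        owner_can_write = st.st_uid == named_uid and st.st_mode & stat.S_IWUSR
        if owner_can_write or st.st_mode & stat.S_IWOTH:
            findings.append("etc/named.conf: writable by the named user")
    return findings


def build_skeleton(root):
    """Create the directories and plain files of the layout (everything except the device nodes)."""
    for sub in ("dev", "etc/zones/slave", "var/run"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    for name in ("etc/named.conf", "etc/localtime"):
        with open(os.path.join(root, name), "w"):
            pass
    os.chmod(os.path.join(root, "etc/named.conf"), 0o444)
    os.chmod(root, 0o700)


def selfcheck():
    """Build the skeleton in a temp dir as the current user and audit it."""
    root = tempfile.mkdtemp(prefix="chdns-")
    build_skeleton(root)
    return audit_chroot(root, named_uid=os.getuid())


if __name__ == "__main__":
    for line in selfcheck() or ["ok"]:
        print(line)
```

Run it as root against /home/chroot/chdns with the real UID (audit_chroot("/home/chroot/chdns", 8000)) after the steps above and it should return nothing; run it again later and any drift in ownership or modes shows up as a finding.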
CONFIGURING BIND

The BIND configuration will be stored in /home/chroot/chdns/etc/named.conf. For the purpose of this article we will look at the named.conf file in three sections: ACLs (Access Control Lists), Options, and Zone Configuration.

CONFIGURING ACCESS CONTROL LISTS (ACLS)

For our DNS configuration we will have three ACLs. These can be named whatever you like, but here we will call them transfer, trusted, and bogon. The first list, "transfer", is a list of servers to which we permit the transfer of our domains. Typically the only servers you want to list in the


transfer ACL are your secondaries. The "trusted" ACL should be limited to localhost unless you are configuring a caching nameserver, in which case include just the IP subnets that you wish to permit. Finally, the bogon list contains IP subnets which are known to be unallocated or reserved, and which should never be the source of requests. Some of these, however, are RFC 1918 blocks, and since most companies use RFC 1918 blocks for private IP addressing you will need to edit the bogon list accordingly, otherwise your own clients will be blackholed. You can download the bogon ACL from http://www.cymru.com/Documents/secure-bind-template.html.

    acl "trusted" {
        192.168.1.0/24;    // local LAN
        localhost;         // localhost
    };

As you can see the ACL has a fairly simple format: the acl keyword, the name in quotes, and the entries inside braces, terminated with a semicolon. There are many options you can configure; below we have outlined the basics for running a secure authoritative DNS server. The configuration follows and is commented.

CONFIGURING OPTIONS

    options {
        directory "/etc/zones";                   // paths are relative to the chroot
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        memstatistics-file "/var/run/named.memstats";
        dump-file "/var/run/named.dump";
        zone-statistics yes;
        listen-on { 192.168.100.53; };            // address that answers queries
        transfer-source 192.168.100.153;          // source address for transfers we request
        notify no;                                // no NOTIFY; secondaries poll at the SOA refresh interval
        // Fast transfers
        transfer-format many-answers;
        max-transfer-time-in 30;
        interface-interval 0;
        allow-transfer { transfer; };             // transfer ACL
        allow-query { trusted; };                 // default; the zones below override it
        blackhole { bogon; };                     // never answer, and never query, these addresses
    };

The listen-on and transfer-source options are useful if you have multiple IP addresses configured on your server. By using different IP addresses for transfers and queries, you make life more difficult for anyone looking to assess how your network is configured, especially if you firewall the DNS services on the transfer IP correctly. Two details to keep straight: transfer-source takes a single address, not a braced list, and it is the source address this server uses when it requests transfers from a master, so on a pure master it matters only in that a master must list the secondary's transfer-source in its transfer ACL.

CONF IGURING ZONES

We are going to use internal/external views so that the local DNS server can use itself to perform DNS lookups. If you are creating a caching nameserver, you only need the internal-in view.

    view "internal-in" in {
        match-clients { trusted; };
        recursion yes;
        additional-from-auth yes;
        additional-from-cache yes;
        zone "." in {
            type hint;
            file "db.cache";
        };
        zone "0.0.127.in-addr.arpa" in {
            type master;
            file "db.127.0.0";
            allow-query { any; };
            allow-transfer { none; };
        };
    };

    view "external-in" in {
        match-clients { any; };
        recursion no;
        additional-from-auth no;
        additional-from-cache no;
        zone "." in {
            type hint;
            file "db.cache";
        };
        zone "o3magazine.com" {
            type master;
            file "db.o3magazine.com";
            allow-query { any; };
            allow-transfer { transfer; };
        };
    };

Views are matched in the order they are written, so trusted clients land in the recursive internal view and everyone else in the non-recursive external view; once you define a view, every zone must live inside a view. Now that you have the configuration set up, you need to create the zone files themselves.
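The article tells you to edit the bogon list around your own RFC 1918 space before putting it in blackhole { }. The example below, written for this page and not part of the article or of the Cymru template, does that edit mechanically: it carves each local prefix out of the bogon list so that only the part of a block you do not use stays blackholed, checks what a given source address would get, and renders the result as a named.conf acl. The bogon entries in it are a constructed subset for illustration; the real list comes from the Cymru page linked above and changes over time.

```python
"""Trim a bogon list around your own RFC 1918 space and emit a BIND acl (added example)."""
from ipaddress import ip_address, ip_network

# Constructed subset of a bogon list, for illustration only; fetch the real one from the
# Team Cymru page referenced above and keep it current.
BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
]


def prune_bogons(bogons, local_nets):
    """Return the bogons as CIDR strings with every local prefix carved out.

    A bogon that merely overlaps local space is not dropped wholesale: the part that
    is still bogus stays, as the smallest set of CIDR blocks that cover it.
    """
    pieces = [ip_network(b) for b in bogons]
    for local in (ip_network(l) for l in local_nets):
        carved = []
        for net in pieces:
            if net.subnet_of(local):        # entirely inside local space (or equal): drop it
                continue
            if local.subnet_of(net):        # local space inside a bogon: keep the remainder
                carved.extend(net.address_exclude(local))
            else:
                carved.append(net)
        pieces = carved
    return [str(n) for n in sorted(set(pieces))]


def covers(nets, address):
    """True if any network in nets contains address, i.e. blackhole would drop it."""
    addr = ip_address(address)
    return any(addr in ip_network(n) for n in nets)


def render_acl(name, nets):
    """Render an acl statement in named.conf syntax."""
    body = "\n".join(f"    {n};" for n in nets)
    return f'acl "{name}" {{\n{body}\n}};\n'


if __name__ == "__main__":
    # Assumed local LAN, matching the "trusted" ACL above.
    print(render_acl("bogon", prune_bogons(BOGONS, ["192.168.1.0/24"])))
```

Paste the rendered acl into named.conf ahead of the options block; the 192.168.0.0/16 entry becomes eight smaller blocks that together cover everything in 192.168/16 except 192.168.1.0/24, so hosts on the LAN are answered while the rest of the private block is still dropped.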


The db.cache file is created with the dig command:

    dig @a.root-servers.net . ns > db.cache

The 0.0.127.in-addr.arpa file contains what is known as reverse DNS. While DNS typically maps a name such as www.google.com to an address, reverse DNS is also important, as it maps an IP address back to a hostname. The name of a reverse zone is the first three octets of the IP address in reverse order with .in-addr.arpa appended. Here the 0.0.127.in-addr.arpa file provides the reverse DNS for 127.0.0.0/24, which covers the loopback address:

    $TTL 3D
    $ORIGIN 0.0.127.in-addr.arpa.
    @       IN SOA  localhost. root.localhost. (
                    1       ; serial
                    8H      ; refresh
                    2H      ; retry
                    1W      ; expire
                    1D )    ; negative caching ttl
            IN NS   localhost.
    1       IN PTR  localhost.

Here is an example zone file for o3magazine.com:

    $TTL 3D
    $ORIGIN o3magazine.com.
    @           IN SOA  ns1.eur1.splicednetworks.net. noc.splicednetworks.com. (
                        2006012502  ; serial
                        2H          ; refresh
                        1H          ; retry
                        1W          ; expire
                        1D )        ; negative caching ttl
                IN NS   ns1.splicednetworks.com.
                IN NS   ns2.splicednetworks.com.
                IN MX   10 smtp1.splicednetworks.com.
                IN MX   20 smtp2.splicednetworks.com.
                IN MX   30 smtp3.splicednetworks.com.
    localhost   IN A    127.0.0.1
    @           IN A    192.168.1.100
    irc         IN A    192.168.20.200
    httpd       IN A    192.168.20.105
    httpd       IN A    192.168.20.106
    www         IN CNAME httpd.o3magazine.com.
    ww3         IN CNAME httpd.o3magazine.com.
    web         IN CNAME httpd.o3magazine.com.

The IN SOA ( ) information contains the serial number, refresh, retry, expire and negative caching TTL values for the domain (older versions of BIND used the last field as the default record TTL; BIND 9 takes that from $TTL, and the SOA value caps how long a negative answer may be cached). Every NS, MX and CNAME target above ends in a dot: a name without a trailing dot is relative to $ORIGIN, so ns1.splicednetworks.com would be read as ns1.splicednetworks.com.o3magazine.com. The serial must increase on every change, otherwise the secondaries will never pick up the new zone; the YYYYMMDDnn form used here makes that easy to get right. The first two IN NS lines specify the nameservers which are authoritative for this domain. The MX lines list the mail servers for receiving mail for this domain; the lower the MX value the higher the priority. The A records (IN A) specify a direct hostname to IP mapping. The httpd entry has two A records; this will cause the DNS server to perform basic "round robin" (returning the addresses in rotating order, so successive clients are spread across both). The CNAME entries provide aliases which point to the httpd entry.

ADDING SECONDARY NAME SERVERS

Adding a secondary or slave DNS server is relatively straightforward. You would follow the same configuration except that you want to add a masters { }; section to the configuration, and the zone entries are a little different. You do not need to create the individual zone files on the secondary server. The DNS server will do that for you; just make sure the server has permission to write to the appropriate directory (the etc/zones/slave directory we gave to chdns earlier).

    masters "mymasters" {
        192.168.100.30;
    };

    zone "o3magazine.com" {
        type slave;
        file "slave/o3magazine.com";
        allow-query { any; };
        allow-transfer { none; };
        masters { mymasters; };
    };

You need to make sure that the transfer-source address of the secondary server is in the "transfer" ACL on the master server. Bear in mind that an address-based allow-transfer is only as strong as source address filtering; if the secondary is reached over an untrusted network, sign the transfers with a TSIG key shared between master and secondary as well.
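The two zone-file mistakes discussed above, a target without its trailing dot and a serial that does not move, are easy to catch before rndc reload. The linter below is an added example written for this page, not part of the article or of BIND (named-checkzone, which ships with BIND, is the tool to run as well). It understands the subset of master-file syntax the examples use ($TTL, $ORIGIN, parenthesised SOA, records with or without an owner name), reports relative NS/MX/CNAME/PTR targets together with the name BIND would actually load, checks that the serial is a real YYYYMMDDnn date, and computes the serial for the next edit. The zone embedded in it is constructed after the o3magazine.com example with the trailing dots on the NS records deliberately left off.

```python
"""Lint a BIND master file for the two mistakes that most often break a zone
(added example): relative name targets and a bad or stale serial."""
from datetime import date

# Constructed zone modelled on the o3magazine.com example, with one deliberate
# error: the NS targets lack their trailing dots.
SAMPLE_ZONE = """\
$TTL 3D
$ORIGIN o3magazine.com.
@   IN SOA ns1.eur1.splicednetworks.net. noc.splicednetworks.com. (
            2006012502  ; serial
            2H          ; refresh
            1H          ; retry
            1W          ; expire
            1D )        ; negative caching ttl
    IN NS ns1.splicednetworks.com
    IN NS ns2.splicednetworks.com
    IN MX 10 smtp1.splicednetworks.com.
httpd IN A 192.168.20.105
httpd IN A 192.168.20.106
www   IN CNAME httpd.o3magazine.com.
"""

RRTYPES = {"SOA", "NS", "MX", "CNAME", "PTR", "A", "AAAA", "TXT"}
NAME_TARGET = {"NS", "CNAME", "PTR", "MX"}   # rdata ends in a domain name


def records(text):
    """Yield (origin, tokens) per logical record: comments stripped, ( ) continuations joined."""
    origin, buf, depth = ".", [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth:
            continue
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
        elif not tokens[0].startswith("$"):
            yield origin, tokens


def lint_zone(text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for origin, tokens in records(text):
        rtype = next((t for t in tokens if t in RRTYPES), None)
        if rtype is None:
            findings.append(f"unrecognised record: {' '.join(tokens)}")
            continue
        rdata = tokens[tokens.index(rtype) + 1:]
        if rtype == "SOA":
            targets = rdata[:2]                      # MNAME and RNAME
        elif rtype in NAME_TARGET:
            targets = [rdata[-1]]                    # last token is the name (MX: after the preference)
        else:
            targets = []
        for name in targets:
            if not name.endswith("."):
                findings.append(f"{rtype} target {name} has no trailing dot and will be read as {name}.{origin}")
        if rtype == "SOA" and not serial_is_dated(int(rdata[2])):
            findings.append(f"SOA serial {rdata[2]} is not in YYYYMMDDnn form")
    return findings


def zone_serial(text):
    for _, tokens in records(text):
        if "SOA" in tokens:
            return int(tokens[tokens.index("SOA") + 3])
    raise ValueError("no SOA record")


def serial_is_dated(serial):
    """True if serial reads as YYYYMMDDnn with a real calendar date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def next_serial(current, today=None):
    """Serial for the next edit: today's date + 01, or current + 1 if that would not be
    larger (several edits on one day, or a clock that is behind). Serials must only grow."""
    today = today or date.today().strftime("%Y%m%d")
    candidate = int(today + "01")
    return candidate if candidate > current else current + 1


if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE) or ["zone looks clean"]:
        print(finding)
    print("next serial:", next_serial(zone_serial(SAMPLE_ZONE)))
```

On the sample zone it reports both NS records and nothing else; the MX and CNAME targets are absolute and the serial is a valid date. Run it over a real zone before and after every edit, and use next_serial so that a second change on the same day increments nn instead of resetting it.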
CONFIGURING RNDC

BIND includes a utility called rndc which allows you to use the command line to administer the DNS server remotely or locally. Control messages are authenticated with a shared HMAC-MD5 key, so first you need to generate one (BIND also ships rndc-confgen, which produces the key and both configuration stanzas in one step):

    /usr/local/apps/dns/sbin/dnssec-keygen -a hmac-md5 -b 128 -n user rndc


This will create two files starting with Krndc, one with a .private and the other with a .key extension. The line you are interested in is the Key: line in the .private file; it should look something like this:

    Key: tYgbq8FfRASqsM0dbiJo3g==

Generate your own value; the one printed here is only an example and is public. You need to create rndc.conf. Because we built with --prefix=/usr/local/apps/dns, rndc looks for it in /usr/local/apps/dns/etc/rndc.conf by default; if you put it in /etc/rndc.conf as shown here, run rndc with -c /etc/rndc.conf. Either way the file holds a secret, so make it readable by root only (chmod 600):

    options {
        default-server 192.168.1.53;
        default-key rndc_key;
    };

    server localhost {
        key rndc_key;
    };

    key rndc_key {
        algorithm hmac-md5;
        secret "tYgbq8FfRASqsM0dbiJo3g==";
    };

Then in named.conf (the one inside the chroot), add the same key plus a controls statement that says where to listen and who may connect:

    key rndc_key {
        algorithm hmac-md5;
        secret "tYgbq8FfRASqsM0dbiJo3g==";
    };

    controls {
        inet 192.168.1.53 port 953 allow { localhost; } keys { rndc_key; };
    };

You must replace 192.168.1.53 with the IP address of your server. Both checks apply: a client must connect from an address in the allow list and sign its request with a listed key. You can now use the rndc command. For example, rndc reload will reload the zone files after you have made a modification to a master zone (bump the serial first, or the secondaries will not notice).

STARTING BIND

Now that you have BIND built, configured and installed, you can start it. Starting BIND in chroot mode is simple:

    /usr/local/apps/dns/sbin/named -u chdns -t /home/chroot/chdns -c /etc/named.conf

The -u option tells named to run as chdns, -t tells named to chroot to the given directory, and -c tells named where the configuration file is located. One important thing to note: the -c option references the named.conf inside the chroot, so /etc/named.conf is referring to /home/chroot/chdns/etc/named.conf. named starts as root so that it can chroot and bind port 53, and only then drops to chdns. You can use netstat -nap to make sure that DNS is running on port 53, and on the appropriate address. The ps aux command can be used to make sure that DNS is running as chdns, and tail -f /var/log/messages will allow you to see any errors that might have occurred if DNS did not start correctly. named-checkconf and named-checkzone, both shipped with BIND, will catch syntax errors in named.conf and the zone files before you start the server.

FIREWALLING TCP DNS

DNS operates on both TCP and UDP port 53. Almost all DNS requests from clients will come in as UDP requests. TCP is typically used only for tasks such as zone transfers. However, TCP is also used when the response data exceeds 512 bytes: the server sets the TC (truncated) bit in its UDP reply and the client repeats the query over TCP (clients that negotiate a larger UDP buffer with EDNS0 avoid this for moderately large answers, but not all clients do). The DNS protocol itself is the same over TCP and UDP. While many DNS "experts" will advise you to firewall TCP port 53, this is generally a bad idea. The only real reason for blocking TCP port 53 is to secure zone transfers. However, most modern DNS servers, such as BIND, can be configured to secure zone transfers, as we did above with allow-transfer. Blocking DNS TCP can cause all sorts of interesting and bizarre problems that are difficult to track down to the actual cause: a resolver that receives a truncated reply and cannot retry over TCP simply fails the lookup. Blocking TCP port 53 also interferes with the normal operation of the protocol, and that is generally a bad idea. If you still want to block TCP 53, and you are certain you will never issue responses larger than 512 bytes, think very carefully and do your research before casually blocking TCP port 53.

CONCLUSION

This article has walked you through the configuration and deployment of DNS services using BIND, an open source DNS solution that is used by many businesses worldwide. Configuring a secure DNS server isn't too involved, and is well worth the effort.
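The truncation fallback that the FIREWALLING TCP DNS section relies on is easiest to see on the wire. The example below is added for this page and is not part of the article or of BIND: it builds a DNS query (optionally with an EDNS0 OPT record advertising a larger UDP buffer), parses the header flags, reports the UDP payload size a message advertises, and shows what a resolver must do with a truncated reply. The response it checks is constructed in the block, not captured traffic.

```python
"""The UDP-to-TCP fallback that breaks when TCP 53 is filtered (added example)."""
import secrets
import struct

FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: the reply did not fit in the UDP payload
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
TYPE_OPT = 41


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, udp_payload=None):
    """Query for name (qtype 1 = A); udp_payload adds an EDNS0 OPT record (RFC 2671)
    telling the server our UDP buffer is larger than the classic 512 bytes."""
    arcount = 1 if udp_payload else 0
    header = struct.pack("!HHHHHH", secrets.randbits(16), FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b""
    if udp_payload:
        # OPT RR: root name, TYPE 41, CLASS carries the payload size, TTL carries
        # extended rcode/version/flags (all zero here), empty RDATA.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def _skip_name(msg, off):
    """Return the offset just past the name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def edns_udp_size(msg):
    """UDP payload size advertised in an OPT record, or 512 when there is none."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4                      # qtype, qclass
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return 512


def needs_tcp_retry(response):
    """RFC 1035 4.2.1: a truncated UDP reply must be retried over TCP. With TCP 53
    filtered the resolver has nowhere to go and the lookup fails."""
    return parse_header(response)["tc"]


def sample_truncated_response(query):
    """Constructed reply: same id and question, QR+TC set, no answer records, which is
    what a server sends when the answer exceeds the client's UDP payload size."""
    qend = _skip_name(query, 12) + 4
    flags = FLAG_QR | FLAG_RD | FLAG_RA | FLAG_TC
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:qend]


if __name__ == "__main__":
    q = build_query("o3magazine.com", udp_payload=4096)
    print("advertised UDP size:", edns_udp_size(q))
    print("retry over TCP?", needs_tcp_retry(sample_truncated_response(q)))
```

A plain query advertises nothing and is therefore limited to 512 bytes; the EDNS0 variant advertises 4096, which is why modern resolvers rarely fall back for ordinary answers. A server that honours neither (or an answer that is larger still) sets TC, and the only correct client behaviour is the TCP retry that a blanket block on TCP 53 prevents.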

John Buswell is Founder and Chief Technology Officer at Spliced Networks LLC.


NETWORK APPLICATIONS

Linux Systems Management with Intrepid

THE PAIN AND PRESCRIPTION FOR LINUX SYSTEMS MANAGEMENT. A NEW LOOK AT LINUX MANAGEMENT TOOLS REVEALS A LEVEL OF MATURITY AND SOPHISTICATION ON PAR WITH WINDOWS COUNTERPARTS

By David Dennis

In the past, Microsoft and some industry analysts have claimed that Linux has a higher total cost of ownership (TCO) than Windows, and have cited higher systems management costs as the significant shortcoming for Linux. The line of reasoning is that though the Linux hardware and OS may be cheaper, the cost and complexity of managing Linux systems are more compelling reasons to steer clear. While it's important to take a look at some of the reportedly common challenges associated with Linux management in the enterprise, there's plenty of "light at the end of the tunnel," so to speak. A recent Enterprise Management Associates study titled "Get the Truth on Linux Management" finds that management tools commercially available today for Linux environments are becoming as sophisticated as what's in use for Windows environments. It concludes that management should not be viewed as a red flag when considering the overall TCO of Linux. The report is available in its entirety, for free download, at http://www.levanta.com/linuxstudy/. So, first, let's take a look at the propagated pain surrounding anti-Linux management sentiment...

ABUNDANCE OF SERVERS

There are many instances where enterprises are migrating from UNIX to Linux, and in the process are replacing large boxes with an abundance of commodity hardware. Thus, the Linux environment typically consists of many more pieces of hardware to manage. Given the significant savings in hardware and software costs, commodity computing with Linux servers makes sense. However, while the Linux hardware and software cost structures are striking, deploying 10 times as many servers causes a daunting administrative burden. The proliferation of Linux servers causes a problem of abundance: the more servers in use, the more differences and interdependencies.

LACK OF SOPHISTICATED TOOLS

There's an overall lack of maturity on the point of system management and configuration management tools. That is to say, Linux isn't on a par yet with what's available for UNIX. Most Linux systems today are administered through a series of scripts and freeware that are very flexible and give good "hands on" control, but that also require significant time for installation and maintenance. Scripting and procedural administration for managing hundreds or even thousands of nearly identical servers is grossly inefficient. Repurposing servers on-the-fly to accommodate changing workloads only increases the nightmare.

VERSION CONTROL AND CONFLICTS

With Linux, you have a huge number of distributions with varieties within those distributions. In addition, managers often tweak the distributions in ways that are specific to the purpose they're serving. By doing this, they end up with a customized flavor of Linux that increases the challenges associated with version control.

MONITORING

While there's an increasing amount of support in the Linux kernel for hardware monitoring, it's important to note that, since Linux is developed by members of the Open Source community, there are different groups of developers at different companies. This provides freedom of choice, but can create challenges for the system manager seeking an integrated, centralized monitoring and management system.

DISASTER RECOVERY ISSUES

When 10 servers replace a single server, the chance of hardware failure increases more than 10 times. IT managers running Linux on commodity servers realize that the hardware doesn't have as many redundant components and plan for hardware failure. Fortunately, there are a number of high-availability solutions for


Linux. Having one Linux server fail in a cluster of 10 servers doesn't impact system uptime, but the system administrator must still reinstall and reconfigure Linux on new replacement hardware. The lack of redundant components on commodity hardware means that the system administrator is faced with disaster recovery of individual servers.

PATCH MANAGEMENT AND DEPLOYMENT

Most IT managers are faced with managing multiple distributions and configurations from one or more vendors. The great openness and flexibility of Linux can create problems.

THE LINUX MANAGEMENT PRESCRIPTION: LEVANTA'S INTREPID M

Linux continues to evolve and has clearly reached a level of maturity whereby organizations of all sizes can run mission-critical applications with minimal management effort, especially those that utilize sophisticated management tools. One such tool is Levanta's Intrepid M. The Intrepid M is a turnkey Linux management appliance that utilizes an intuitive interface to deploy, roll back and migrate RPM-based Linux servers (whether running Red Hat, SUSE, or Fedora distributions) from a central location, all without the need to install the operating system or applications directly on computers. Intrepid M's diskless approach to provisioning marries change control with data virtualization, delivering dramatically faster and more flexible control of Linux on commodity hardware, racks, blades, boxes, virtual machines, and even mainframes. The Intrepid M includes ready-to-go templates for a variety of workstations and servers, as well as the open source software needed to deploy them, allowing users to create and customize their own templates and add software of their choice to the repository.

This "plug-and-play" Linux management solution goes beyond management within the data center and includes 1.4 terabytes of storage space that is used to hold software repositories and rollback information for the managed systems. Running over dual Gigabit Ethernet NICs, the Intrepid M allows lines of business and/or SMEs to manage their Linux boxes from a central location. Designed for use by a Linux systems administrator with as little as one year of experience, the Intrepid M is extremely easy to install and use. Compared to other provisioning and installation servers such as IBM's CSM (Cluster Systems Management) and Red Hat's Kickstart, which are very complicated and require advanced Linux systems administrators to operate them, the Intrepid M can be set up to start managing systems within an hour. With built-in storage, the Intrepid M appliance removes the necessity of fitting the software into the ecosystem. Conversely, other Linux systems management software solutions are multi-tier, and have to be hooked up to a shared storage network. They also must be fitted into the current shared storage architecture, for specific purposes or applications. Also of note, the Intrepid handles VMware virtual machines and Xen hypervisors, making it one of the first management consoles that allows Linux shops to accommodate virtual servers seamlessly.

THE PROOF IS IN THE FIELD

Approximately 100,000 students at the City University of New York (CUNY) use Blackboard (a web-based e-learning software application that provides online teaching and learning tools) and DegreeWorks (which lets students compare their credits and courses to degree requirements online). The Linux servers that power these applications were difficult to keep running due to constant server failures and the need for hands-on fixes. CUNY chose Red Hat Linux running on a single chassis of IBM blade servers to support these applications. Unfortunately, the servers had "laptop-quality" IDE drives installed on each blade and would fail frequently. To fix each failure, CUNY's IT staff had to replace hard drives and provision the blades manually. CUNY owned IBM's provisioning server, CSM (Cluster Systems Management), and should not have had to do fixes manually, but they never used it due to its complexity. Rather than CSM, they decided to use Red Hat's Kickstart installation software for installations and provisioning. With Kickstart, one can create a single file containing the answers to questions normally asked during a Red Hat Linux installation. Again, difficulty in using the software led to frustration. Documentation for the RAID adapter was difficult to obtain. On-board RAID adapters made the onboard IDB (intelligent disk backup) drives appear as iSCSI drives to the applications running on the OS. When kickstarting a blade, staff had to walk over to the console of the blade at the appropriate time and load the drivers for the hard drive. To add to the nightmare, blade hard drives frequently burnt out. Over a six-week period, one blade hard drive died each week.


Each server failure cost CUNY about eight hours of one person's labor, a high toll for the six-person CIS group. After two months of server crashes, Arty Ecock (Manager of VM Enterprise Systems for CUNY Computing and Information Systems) began evaluating server provisioning solutions, including looking at advancements in Red Hat Kickstart and IBM CSM. He chose the Intrepid M for its easy-to-use appliance model and diskless approach to provisioning. Kickstart is not necessary anymore at CUNY. As a blade server needs to be re-provisioned, a template is created on the Intrepid M. As blades fail, CIS simply uses existing templates to re-provision the blade, taking about 10 minutes.

THE TRUTH REVEALED

A current look at the mature Linux management solutions available today (such as the Intrepid M) runs contrary to Microsoft's "Get the Facts" campaign which, among other things, aims to disparage Linux management as more complex and expensive than Windows. The current EMA "Get The Truth on Linux Management" study answers these sentiments by stating that management tools that are commercially available for Linux environments are becoming as sophisticated as what's in production use for Windows environments. From a Total Cost of Ownership (TCO) perspective, the playing field is now even, if not in Linux's favor. Redmond, consider the FUD exposed.

David Dennis brings more than 10 years of experience in enterprise software, systems management and Internet segments. Prior to Levanta, Dennis served in senior product and technical marketing roles with Centrata, Mercury Interactive and HP, as well as earlier positions with Symantec Corporation and Network General.


NETWORK SECURITY

Deploying Snort Intrusion Detection Systems

NAVEEN SHARMA HAS CONTRIBUTED THIS ARTICLE ON DEPLOYING SNORT INTRUSION DETECTION SYSTEMS. NAVEEN WALKS US THROUGH THE DESIGN, INSTALLATION AND CONFIGURATION OF A SNORT BASED INTRUSION DETECTION SYSTEM

By Naveen Sharma

According to Sun Tzu, in The Art of War, "We should not rely on the likelihood of the enemy not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable". One of the ways to prepare ourselves is to use an Intrusion Detection System (IDS) and to keep a watch on the traffic flowing through our networks. Intrusion Detection Systems provide early warning of attacks or malicious activity taking place from inside or outside your network. Beforehand information will enable us to prepare, act, and counter-attack (if desired).

Broadly, IDS can be divided into Network Intrusion Detection Systems (NIDS) and Host based Intrusion Detection Systems (HIDS). NIDS are located at strategic points on the network. They monitor the traffic for malicious activity and take pre-defined action against the exception that was observed and logged. This allows the system admin to take appropriate steps. NIDS detect attacks by monitoring packets in real time on the network. A NIDS matches one or more packets against a database of known "attack signatures," and performs protocol decodes to detect anomalies. These signature databases are updated regularly by the vendors and the open source community. Figure 1 shows the suggested NIDS sensor placed between your firewall and network. In this configuration, you get all the alerts when attacks are taking place from outside or inside of the network.

A second NIDS could be on the DMZ port of your firewall, if you have one, or just before your server cluster. Again, the decision on sensor placement may vary from company to company. Figure 2 shows NIDS in action. HIDS is a different technique, in which the HIDS monitors the local host for unauthorized changes in critical files, such as configuration files on the local host. Once an exception is detected, it generates an alert by sending email or SMS text messages, by logging the action in a text file, or by some other action. Thus, the administrator is alerted whenever there is malicious action on the network and servers. Normally, the enterprise can use a combination of both NIDS and HIDS to harness the benefits of both techniques. Since most of today's networks are switch based, the positioning and number of NIDS sensors is immensely important: a sensor on a switched segment only sees the traffic the switch forwards to its port, so it needs a mirror (SPAN) port or a tap to see more than its own conversations. One prominent candidate for NIDS sensor placement is immediately after the firewall. Some security professionals recommend placing a NIDS sensor outside as well. In my view, you are primarily interested in any malicious activity from inside your firewall, and any outside attacks that successfully penetrate your gateway firewall. The additional time required by a security professional to analyze the events seen outside the firewall will consume that professional's time and may indirectly increase the cost of your IDS deployment over time. However, malicious users do need to gather information prior to attempting an attack on a network.

The information gathered by a NIDS sensor on the public side of the firewall may contain critical information that preludes an attack. Thus, the positioning of a sensor on the public side of the firewall may provide key pieces of information during an investigation. It will also provide you with useful information on what malicious users are requesting, and what kind of information your network is providing them. However, this type of information may also be successfully gathered through a good logging strategy on your firewall. Thus, the placement of an IDS sensor on the public side of the firewall is something that needs to be considered on a case by case basis. When several IDSs are placed at strategic points, but managed at a central management station, this arrangement is called a Distributed Intrusion Detection System (DIDS). Figure 3 shows host based Intrusion Detection Systems (HIDS) on a mail server and a web server. HIDS monitors local files for any unauthorized changes.

o3 magazine / feb 2006

-(page 45)-

NETWORK SECURITY

GENERAL TERMS USED IN THE CONTEXT OF IDS

• A false positive is an intrusion detection error that occurs when a normal activity is mistaken for an attack. This is also called a Type 1 error.
• A false negative is an intrusion detection error where an attack is mistaken for normal activity. This is also called a Type 2 error.
• Signatures are unique data patterns indicating some malicious activity. A signature could point to a virus, for instance, or to an unauthorized attempt to access resources.
• Anomaly detection uses rules or predefined concepts about 'normal' and abnormal system behavior (called heuristics) to distinguish anomalies from normal system behavior and to monitor, report on, or block anomalies as they occur. Some anomaly detection IDSs implement user profiles. These profiles are based on normal activity, and can be constructed by using statistical sampling, a rule-based approach, or via neural networks.
• Signature detection -- the IDS has a database of known attacks, and compares traffic/activity patterns with the known-attack database. If there is a new type of attack not described in its attack database, the IDS will not detect this attack and hence no alert will be generated.

Like any other man-made technologies, IDSs also have certain drawbacks, such as the possibility of false positive and false negative errors. Our primary aim is to reduce both of these errors for the efficiency of the IDS. Figure 4 depicts a DIDS. There are commercial NIDS products, such as RealSecure from ISS, and Snort from the open source community. Typical HIDS include Tripwire, Samhain and AIDE.

In Figure 4, hard lines represent normal network connections, while dotted lines denote out of band communication between NIDS sensors and the NIDS management station. This architecture offers a twofold benefit. First, management and alert information is kept secret from anyone sniffing traffic on the network. Secondly, traffic generated by NIDS sensors and NIDS management does not disturb normal network traffic. All NIDS will send all alerts to one centralized management station. This makes life easier for security administrators.

In this article, I will discuss Snort-based IDS and various features associated with its implementation. Snort is an open source GNU General Public License (GPL) Network Intrusion Detection System capable of performing real-time traffic analysis and packet logging. Snort can do protocol analysis and content searching/matching, and can detect attacks and probes such as port scans, CGI attacks, and spoofing. I chose Snort because it is free and has an active open source community involved in the continued development of Snort and its rules. Snort is widely deployed in production networks world-wide, protecting more than 100,000 networks.

Snort has three basic modes: sniffer, packet logger, and network intrusion detection. In sniffer mode, Snort reads packets from the wire and displays them in a continuous stream on the console. In packet logger mode, Snort logs the packets to the disk, and they can be examined by TCPdump for later analysis. The most juicy mode is intrusion detection mode, in which Snort analyzes network traffic for matches against predefined rule sets.

One issue with switched networks is that traffic is sent to the intended port only, unlike in hub based networks, where traffic is visible to every node connected to the medium. If you simply connect an IDS to one of the switch ports, then it will not capture anything except broadcast traffic. The work-around for this problem is to use a feature called the Switched Port Analyzer port, or simply SPAN port. SPAN allows the user to copy traffic to this port for analysis or for other purposes. See Figure 5 to see the port SPAN feature in action. Here, port 10 is connected to the internal server (the server under NIDS protection) and is SPANned to port #5. Full traffic on port #10 is copied to port #5 of the switch, and no topology changes are required in performing SPAN. Alternately, you may connect a small hub just before the server to be monitored, as shown in Figure 6. This will require disconnection of the server from the network and reconnection to the hub; dedicated network taps are available for both copper and fiber cabling. Taps remain on your network for any connected NIDS or network/protocol analyzer to monitor traffic.
SNORT ARCHITECTURE

Understanding Snort architecture will enhance your troubleshooting capabilities. Figure 7 shows the Snort architecture. Snort consists of four components:

1. The Sniffer
2. The Preprocessor
3. The Detection Engine
4. Alerts/Logging

Normally NIC cards are designed to operate in non-promiscuous mode, i.e. the NIC will accept only packets directed to it, and will discard others. A NIDS (Snort in this case) forces the NIC to operate in promiscuous mode, thereby allowing the capture of 100% of the traffic on the cable. The sniffer component captures full traffic and passes the packets to the preprocessor module. The preprocessor takes raw packets and checks them against certain plug-ins (like the RPC plug-in). The plug-in checks for certain types of behavior from packets. Once a particular behavior is determined, it is passed on to the next component, the Detection Engine. The preprocessor can be enabled or disabled as per our needs. The detection engine has a rule set (attack signatures) which it compares with incoming packets from the preprocessor. If a rule matches the data in the packet, then it is forwarded to the alert processor. The Alert Processor takes the responsibility of informing the user of the rule match, either by sending alerts to a log file, using a Windows popup (SMB), or by SNMP trap. Alternately, these alerts can be stored in an SQL database such as MySQL or Postgres. There are also third-party software packages for displaying logs and managing Snort rules. The default location for Snort logs is /var/log/snort. Therefore it is a good idea to dedicate a separate partition at the time of installation (perhaps 10 GB or more). You may wish to send these alerts to a centralized syslog server, which can gather alerts from multiple sensors. Swatch can automate the process of sending alerts by email.

WHICH OS

Snort was developed for *nix operating systems and is perfectly married to Linux, Unix, BSD etc. I usually recommend installing Snort on Linux, as it can outperform others in terms of stability, customization and efficiency. Recently, Snort has been ported to the Windows platform as well. Visit http://www.engagesecurity.com/downloads/#idscenter for details of IDS Center, a Snort-based IDS for Windows. On this site you will find fully compiled Snort for Windows, and installation is straightforward, with an executable and documentation.

INSTALLATION OF SNORT

Download the latest version of Snort from http://www.snort.org. At the time of writing, Snort was at version 2.X.X, available for download. I will use 2.X for this article. Save the downloaded Snort to a directory and issue the following commands in the same sequence. I am assuming Snort is downloaded to one temporary directory.

# tar -zxvf snort-2.1.0.tar.gz
# cd snort-2.1.0
# ./configure
# make
# make install

That is all. Make changes to your snort.conf file for the final configuration described later in this article. Test by issuing the command snort -v. With this command, you will display the captured packets.

USING SNORT AS A PACKET SNIFFER

Snort's greatest power lies in its use as a NIDS. But it can also be used to sniff the network and show the packets on the console, or to log to a file for later analysis. Issuing a simple command will put Snort into basic sniffing mode and will echo the TCP/IP headers to the console:

# snort -v

If you want to see the captured traffic later, the following command will do exactly that, and save the traffic information in the /var/log/snort directory:

# snort -l /var/log/snort -h 192.168.1.0/24

It will create subdirectories under /var/log/snort, one for each IP address. In this mode you can monitor traffic from specific IPs also. One more advantage you can avail of is that Snort's formats are read by TCPdump also. One cardinal aim is to show Snort as a NIDS, therefore the next section is dedicated to that.

CONFIGURING SNORT AS A NIDS

By default, the Snort configuration file is located in /etc/snort/snort.conf. In this file you are required to tell Snort about your home network, external network address, your local SMTP/POP server, web server, DNS server etc. Setting the home network to 192.168.1.0/24 is as simple as adding the following to the configuration:

var HOME_NET 192.168.1.0/24

As mentioned earlier, an IDS depends upon attack signatures. Similarly, Snort relies upon a series of rules to detect specific types of attacks. The Snort installation loads rules from files in the Snort configuration directory, or from a subdirectory of it, such as rules. These files have names that end in .rules. Snort has documentation available for installation, configuration and implementation, and you can find it at http://www.snort.org. If you are really interested in full fledged Snort-based sensors, you may download the Snort implementation guide from http://www.internetsecurityguru.com. You may write rules for your environment, for example, if you are interested in getting alerts whenever someone tries to make an FTP connection to your accounts server. Snort rule writing can easily be learned, and documentation is available at http://www.snort.org. Third-party tools are available to make your life easier by managing alerts via email, SMS, or through a nice GUI for viewing alerts. Prominent ones are ACID, SnortSnarf and Razorback. A Google search might turn up additional tools. Of all of these, I personally like ACID for its nice GUI, and for its features and ease of use.
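To make the detection engine step (rules compared against packets, as described under Snort Architecture) and the HOME_NET and rule-writing configuration above concrete, here is an added Python example that is neither Snort's code nor part of the article: a toy parser for var lines and rule headers, and a matcher run over constructed packet records, with the FTP-to-accounts-server alert the text mentions as one of the rules. Everything beyond HOME_NET (the EXTERNAL_NET and ACCOUNTS_SERVER variables, the rules, addresses and packets) is constructed for the illustration, and only the rule header plus the msg option is handled, not Snort's full option language or its real rule ordering.

```python
# Toy Snort-style rule parser and matcher (added example, not Snort's own code); first match wins.
import ipaddress
import re
RULE_RE = re.compile(r'^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$')

def resolve(token, variables):  # expand $VAR recursively; !$HOME_NET -> !192.168.1.0/24
    neg, token = token.startswith('!'), token.lstrip('!')
    if token.startswith('$'):
        token = resolve(variables[token[1:]], variables)
    return ('' if neg == token.startswith('!') else '!') + token.lstrip('!')

def parse_config(text):  # 'var NAME value' lines plus rules, returned with every $VAR substituted
    variables, rules = {}, []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith('var '):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif not line.startswith('#'):
            action, proto, src, sport, dst, dport, opts = RULE_RE.match(line).groups()
            msg = re.search(r'msg:\s*"([^"]*)"', opts)
            rules.append(dict(action=action, proto=proto, sport=sport, dport=dport,
                              src=resolve(src, variables), dst=resolve(dst, variables),
                              msg=msg.group(1) if msg else ''))
    return rules

def ip_matches(spec, addr):  # 'any', a host/CIDR, or a '!'-negated one (what $EXTERNAL_NET becomes)
    if spec == 'any':
        return True
    inside = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip('!'), strict=False)
    return inside != spec.startswith('!')

def port_matches(spec, port):  # 'any', one port, or a Snort range such as '1:1024', '1024:', ':1024'
    lo, sep, hi = spec.partition(':')
    return spec == 'any' or (int(lo or 0) <= port <= int(hi or 65535) if sep else int(spec) == port)

def first_match(rules, p):  # the detection engine: first rule whose header matches the packet
    return next((r for r in rules if r['proto'] == p['proto']
                 and ip_matches(r['src'], p['src']) and port_matches(r['sport'], p['sport'])
                 and ip_matches(r['dst'], p['dst']) and port_matches(r['dport'], p['dport'])), None)
def detect(rules, packets):  # alert processor input: (src, msg) where the first matching rule alerts
    hits = ((p, first_match(rules, p)) for p in packets)
    return [(p['src'], r['msg']) for p, r in hits if r and r['action'] == 'alert']

CONFIG = """# constructed sample snort.conf fragment, not from a real deployment
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var ACCOUNTS_SERVER 192.168.1.50
alert tcp $EXTERNAL_NET any -> $ACCOUNTS_SERVER 21 (msg:"FTP to accounts server from outside";)
alert tcp any any -> $ACCOUNTS_SERVER 21 (msg:"FTP connection to accounts server";)
log tcp $EXTERNAL_NET any -> $HOME_NET 1:1024 (msg:"external connection to a low port";)"""
PACKETS = [dict(proto='tcp', src='192.168.1.77', sport=40001, dst='192.168.1.50', dport=21),  # constructed
           dict(proto='tcp', src='10.0.0.5', sport=40002, dst='192.168.1.50', dport=21),
           dict(proto='tcp', src='192.168.1.50', sport=21, dst='192.168.1.77', dport=40001),
           dict(proto='tcp', src='10.0.0.5', sport=40003, dst='192.168.1.10', dport=80)]
```

Running detect(parse_config(CONFIG), PACKETS) raises the two FTP alerts; the server's reply packet matches nothing because rule headers are directional, and the external web connection hits the log rule, which records but does not alert.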
One last point is to secure your Linux box for the implementation. This includes switching off unnecessary services, removing unneeded packages and removing IP addresses from the box so that no connection to the sensor will be entertained. Again, you have to get to the console to view the alerts in that case. Alternately, you can have two interfaces, one being used for sniffing and connected to the point of interest, and the other one for management of the sensor (not connected to the production network). As time passes, new attacks are discovered, and rules are made for them and added to the rule set. You should update your rule set at perhaps 2-3 month intervals. In summary, a Snort based IDS can inform you of the health and security of your network. Happy Snorting!!
