
TURBOGEARS

WEBSITE
http://www.turbogears.org
LICENSE
MIT/LGPL/Other Open Source
AUDIENCE
DEVELOPERS/WEB DEVELOPERS
OVERVIEW
TurboGears is a rapid web development megaframework with the goal of creating great web applications faster.

12 INTRODUCTION TO PYTHON
Python is a dynamic object oriented programming language. TurboGears is based around Python, so a working knowledge of Python is key to getting the most out of TurboGears.

17 A QUICK LOOK AT TURBOGEARS
TurboGears author Kevin Dangoor provides a quick introduction to TurboGears, how it works and how to get started.

25 DEPLOYMENT AND SCALING
Creating great web applications in a quick and easy fashion is great for web developers, but will the resulting solution deploy easily and scale as well as a traditional web application?

o3 magazine :: page 4

CONTENTS

Issue 5 August 2006

Security
WIFI SECURITY 29
"Inside Threats from Outside the Network", an in-depth look at how third party WiFi devices on large campus wide networks can be easily exploited. The article looks at unforeseen threats and looks at how campus wide security often requires a combination of technical and educational solutions in order to be fully effective.

Networking
ATA OVER ETHERNET 35
The standard ATA command set is used to communicate with IDE devices. ATA over Ethernet is a unique technology pioneered in the Linux(R) kernel by Coraid. AoE enables ATA devices to be attached directly to the network. Find out more as Muhammad Hammad explains.

NETWORK SECURITY 38
"Layer Two Security Testing with Yersinia", looks at the unique network security testing tool -- Yersinia. This excellent project provides the tools necessary to perform tests on VLAN, ISL, STP and many other widely deployed technologies that often go unchecked during security audits.

DEPLOYING T1S IN LINUX 44
Replacing Cisco at the edge has never been this easy. Find out how to deploy data T1s using Sangoma A10x based T1 cards under Linux. Integrating your WAN access solutions into your Linux firewall can offer cost saving benefits as well as added performance.

Focus on Databases 48
DEPLOYING OPEN SOURCE DATABASES: MYSQL
"Focus on" is a new column in o3 that looks at open source enterprise solutions. The column will focus on a particular technology or solution for several issues, before moving on to something new. Our first series looks at open source database solutions. The first article in the series looks at MySQL, next issue we will look at PostgreSQL, and later articles will look at more advanced solutions comparing the two throughout the series.

o3 magazine :: page 5

EVENTS

WEBSITE
http://europe.railsconf.org
VENUE
London, UK
WHEN
September 14 - 15, 2006
SPEAKERS
David Heinemeier Hansson, Dave Thomas, James Duncan Davidson, Jim Weirich, Kathy Sierra

Upcoming Events

YAPC::EUROPE 2006
http://www.birmingham2006.com
Birmingham, UK
Aug 30 - Sept 1, 2006
The Yet Another Perl Conferences (YAPCs) are grassroots symposia on the Perl programming language.

AKADEMY 2006
http://dot.kde.org/1142439906/
Dublin, Ireland
Sep 23 - 30, 2006
The annual KDE World Summit, Akademy, will be held at Trinity College, in Dublin.

LINUXWORLD RUSSIA 2006
http://www.linuxworldexpo.ru
Moscow, Russia
Sept 4 - 15, 2006
Linuxworld Russia is the most famous event on the Russian market and is the meeting point for everyone who is interested in open source solutions in Russia.

OHIO LINUXFEST 2006
http://www.ohiolinux.org
Columbus, Ohio, USA
Sept 30, 2006
Ohio LinuxFest is a free annual conference and event for the Linux and Open Source community. Hosting authoritative speakers and a large expo, the event welcomes professionals and enthusiasts.

o3 magazine :: page 6

SPOTLIGHT

WEBSITE
http://developer.yahoo.com/python
DETAILS
Yahoo! recently launched a new Python Developer Center as part of the Yahoo! Developer Network. The new resource is primarily to help Python developers to interact with Yahoo! Web services. The Yahoo! team have done a good job rounding up excellent general purpose Python resources. Whether you're new to Python or not, it is a good reference site for Python developers.

WEBSITE
http://checkout.google.com/
DETAILS
Google Checkout(tm) is a checkout solution that can easily be integrated into any website. Google have a pretty slick solution that is also integrated into their AdWords service. The integration is in the form of a small cart symbol next to AdWords. With fees as low as 2% + $0.20 per transaction, and discounts for AdWords customers, Google Checkout is a very competitive offering.

o3 magazine :: page 7

EDITOR @ O3

o3 magazine has returned
AFTER A SHORT BREAK, NEW HARDWARE, NEW SERVERS AND A NEW RELEASE OF SCRIBUS WE HAVE CONTINUED THE MAJOR OVERHAUL OF O3 AND WE HOPE YOU LIKE THE RESULTS...

By John Buswell

Welcome to Issue 5 of o3 magazine. As you have probably noticed, this issue is several months late. Earlier this year, I was forced to step back from o3 due to personal reasons. My wife had some serious complications towards the end of her pregnancy, which resulted in delegating most of o3 to a new and inexperienced team. The good news is that my wife and 4 month old son are healthy and doing great. I've also learned the hard way that while delegating is good, delegating to the wrong people isn't the best way to keep a magazine running. I am pleased to announce though, that we have a very aggressive schedule in place for catching up. We plan to have caught up to our monthly release schedule by the end of the year. That's right, 9 issues between now and the end of the year. We have most of the content ready to go, so you can expect an active release schedule for the magazine over the last few months of 2006.

o3 is now produced using Scribus 1.3.3.3. I would like to thank the Scribus team for a solid release, which has helped us put o3 together a lot faster this month. We're now using Scribus under Fedora Core 5, with a 5 LCD panel configuration utilizing 3 video cards. Our workstations are AMD Athlon64 X2 based, and since the move away from Mandriva, all of our performance problems have gone.

I would like to thank Kevin Dangoor for his help in putting together this TurboGears focused edition of o3 magazine. TurboGears is an excellent web application framework based on Python, definitely well worth a look. Over the coming months we will be comparing Rails, TurboGears and several other frameworks. This issue marks several key content changes for o3. We have dropped the regular columns for a more feature orientated system. The new system will group several articles together under the main feature for the issue, this month it's TurboGears. The new "Focus On" column is a multi-issue feature, for the next few issues, we will be focused on Open Source Databases. Security and Networking columns will cover both wired and wireless solutions. Issue 6 which will be hot on the heels of this issue, looks at building IT infrastructure from scratch on a small business budget. The entire issue is a step by step guide to building a complex switched network providing both office workstations and server access. Ohio LinuxFest 2006 is rapidly approaching, I will be at this event, at the Spliced Networks booth. So if you'll be near the event on September 30th, please feel free to stop by the booth.

o3 magazine
http://www.o3magazine.com
John Buswell, Publisher and Editor In Chief
Greg Jordan, Managing Editor
Cover Graphic: The TurboGears Golden Gear is the property of Blazing Things LLC. TurboGears is a trademark of Kevin Dangoor.
Publisher Information: o3 magazine is published and distributed by Spliced Networks LLC. o3 magazine is a trademark of Spliced Networks LLC. All other trademarks belong to their respective owners.

o3 magazine :: page 10

INTRODUCTION TO PYTHON

introduction to python
PYTHON IS THE PROGRAMMING LANGUAGE THAT TURBOGEARS IS BASED AROUND. IT IS RELATIVELY EASY TO LEARN AND THIS ARTICLE WILL GET YOU OFF TO THE RIGHT START

By John Buswell

Python is a dynamic object-oriented programming language that can be used for many kinds of software development. It offers strong support for integration with other languages and tools, comes with extensive standard libraries, and can be learned in a few days. Many Python programmers report substantial productivity gains and feel the language encourages the development of higher quality, more maintainable code. Python is distributed under an OSI-approved open source license, making it free to use even for commercial products.

Platforms
Python runs on Windows, Linux/Unix, Mac OS X, OS/2, Amiga, Palm Handhelds and Nokia mobile phones. Python has also been ported to the Java and .NET virtual machines.

Python vs. Ruby
You have probably at least heard of Ruby, which is another language that is very similar to Python. The differences between Ruby and Python are small compared to the features of both languages. In fact if you learn one, moving over to the other is pretty simple. So if you already know Ruby, why look at Python? If you know neither, why learn Python, Ruby has that cool Ruby on Rails framework right? Well it doesn't hurt to know another programming language, so why not simply learn both? Which you choose is entirely up to you, and that's the nice thing about open source, you have a choice. If you search Google for "difference between python ruby", you will get a lot of hits. One argument you'll see that might tip you in one direction or another is the claim that the Object Oriented features in Python are just "bolted on", while Ruby is fully Object Oriented. This particular argument focuses on a really old version of Python; these days Python and Ruby are pretty much on par with each other. Python has enjoyed a little more popularity over the years, so Python sometimes has a better selection of libraries. You are less likely to run into the problems that you find on RubyForge, where projects sound good but there is no code yet, with Python. Python 2.5 will have some performance optimizations, following a Need For Speed event in Iceland earlier this year that focused on improving the performance of Python.

Probably the biggest argument for Ruby is Rails. However, if we all made decisions on popularity at a specific time, you may have never bothered to look at Linux because Windows was more popular. In this issue, we look at TurboGears, one offering in the Python world that competes with Rails. One thing in favor of TurboGears is that it uses many seasoned open source projects as components, while Rails reinvents the wheel in many cases. Keep in mind that Rails is developed by, essentially, web developers. The Rails project showed its inexperience earlier this year when a security problem was removed and reintroduced, then sorta fixed and then sorta half-announced. I don't really see the point in not disclosing the security problem, when you tell the public it disappeared and was reintroduced. Perhaps they haven't heard of the unix diff command? This type of project immaturity should make developers examine the solution to see if it meets their needs before jumping on the popularity band wagon.

Building Python
Due to some production delays, we've had time to update this article to reflect Python 2.5. Python 2.5 was released in September, but this is the August issue of o3. Python can be obtained from http://www.python.org.

$ tar jxvf Python-2.5.tar.bz2
$ cd Python-2.5
Python-2.5]$ ./configure --prefix=/home/johnb/projects/python/2.5/
Python-2.5]$ make
Python-2.5]$ make install
Python-2.5]$ cd ~/projects/python
$ PATH=/home/johnb/projects/python/2.5/bin/:$PATH
$ export PATH
$ which python
~/projects/python/2.5/bin/python
$ python -V
Python 2.5
$ ls 2.5/
bin include lib man

o3 magazine :: page 12


Hello World
While you can write python programs in files, embed them in other languages such as C and so on, whether you're starting out or a seasoned python developer, it always helps to execute some code and see the result. You can use the python interactive interpreter by simply typing python.

$ python
Python 2.5 (r25:51908, Sep 29 2006, 01:11:26)
[GCC 4.1.1 20060525 (Red Hat 4.1.1-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> print "hello world"
hello world
>>> x = 1
>>> y = 665
>>> print x+y
666
>>>

Feed the snake
Okay, Hello World isn't that impressive. Let's take a quick look at what you can do with python in a few lines of code; below we check to see if eth0 and eth1 are up.

>>> import fcntl, struct, sys
>>> from socket import *
>>> SIOCGIFFLAGS = 0x8913
>>> tmp256 = '\0'*256
>>> ifname = "eth0"
>>> s = socket(AF_INET, SOCK_DGRAM)
>>> rc = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, ifname + tmp256)
>>> flags, = struct.unpack('H', rc[16:18])
>>> up = flags & 1
>>> print ('DOWN','UP')[up]
UP

The eth0 interface is up, what about eth1:

>>> ifname = "eth1"
>>> s = socket(AF_INET, SOCK_DGRAM)
>>> rc = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, ifname + tmp256)
>>> flags, = struct.unpack('H', rc[16:18])
>>> up = flags & 1
>>> print ('DOWN','UP')[up]
DOWN

So, was python correct? Let's check ip link:

2: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:xx:xx:xx:xx:xx brd ff:ff:ff:ff:ff:ff

Sure was.

Going Further
So Python is starting to look interesting to you, how do you learn more? The first thing you might want is an editor, although your favorite text editor should work just fine, you can find a comprehensive list of Python related editors at http://wiki.python.org/moin/PythonEditors. What's better than editors? A good IDE. IDEs are integrated development environments; Eclipse is a good one that's free, and there is Python support. A full list of IDEs can be found at http://wiki.python.org/moin/IntegratedDevelopmentEnvironments. Books are a great place to go; books will give you everything that you need to get started as fast as you can read it. If you're familiar with industry standard object oriented concepts such as classes and methods, then learning Python can be done in a few hours to a few days. Python actually has a number of free books, I personally like Dive Into Python; a full list of books both free and commercial can be found at http://wiki.python.org/moin/IntroductoryBooks. O'Reilly's Learning Python and Python Cookbook are handy additions to any Python programmer's library.

Cool tools
One Python-centric tool is called Scapy, which can be found at http://www.secdev.org/projects/scapy/. It is a packet crafting tool, written in Python. It enables you to tweak a packet just the way you want it and then send it how you want to. It's a very very cool tool. The Python Cookbook over at O'Reilly's ActiveState Programmer Network, which can be found at http://aspn.activestate.com/ASPN/Cookbook/Python/, has a wide range of code recipes from beginner to advanced. It's definitely a good place to learn how to do things, and a great reference as well.

o3 magazine :: page 13
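The interface check from the Feed the snake section above, reworked as an added example (not code from the article) in Python 3. It goes a step beyond the article: it decodes every bit the 16-bit ifr_flags field can hold rather than only UP, and treats an interface the kernel does not know as a distinct result instead of a crash. The function names are my own; the constants are the Linux ones, with SIOCGIFFLAGS as the article uses it.

```python
import errno
import fcntl
import socket
import struct

# Constants from <linux/if.h>. ifr_flags is only 16 bits wide, which is why a
# 16-bit read can never see newer bits such as LOWER_UP (0x10000); the article's
# old iproute2 prints that unknown bit as the bare number "10000".
SIOCGIFFLAGS = 0x8913
IFNAMSIZ = 16  # ifr_name is the first 16 bytes of struct ifreq
IFF_FLAGS = {
    0x1: "UP",
    0x2: "BROADCAST",
    0x8: "LOOPBACK",
    0x10: "POINTOPOINT",
    0x40: "RUNNING",
    0x80: "NOARP",
    # Caveat: this bit reports only promiscuous mode set explicitly on the
    # interface (ip link set dev X promisc on). Promiscuity requested by a
    # packet socket is kept in a separate counter, shown by `ip -d link`.
    0x100: "PROMISC",
    0x200: "ALLMULTI",
    0x1000: "MULTICAST",
}


def build_ifreq(ifname):
    """Pack the request: the interface name, zero-padded (the article's ifname + '\\0'*256)."""
    name = ifname.encode()
    if not name or len(name) >= IFNAMSIZ:
        raise ValueError("bad interface name: %r" % ifname)
    return struct.pack("256s", name)


def parse_ifreq_flags(buf):
    """Read ifr_flags, the unsigned 16-bit value at offset 16 of the returned ifreq."""
    return struct.unpack_from("H", buf, IFNAMSIZ)[0]


def decode_flags(flags):
    """Map the flag word to the names `ip link` prints, lowest bit first."""
    return [name for bit, name in sorted(IFF_FLAGS.items()) if flags & bit]


def interface_flags(ifname):
    """Decoded flags for ifname, or None when the kernel reports no such device."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rc = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, build_ifreq(ifname))
    except OSError as e:
        if e.errno == errno.ENODEV:
            return None
        raise
    finally:
        s.close()
    return decode_flags(parse_ifreq_flags(rc))


def is_up(ifname):
    """The article's eth0/eth1 check, generalised: a missing interface counts as not up."""
    flags = interface_flags(ifname)
    return flags is not None and "UP" in flags


def sample_ifreq_reply(ifname, flags):
    """Constructed stand-in for the buffer the kernel hands back, for offline testing."""
    buf = bytearray(build_ifreq(ifname))
    struct.pack_into("H", buf, IFNAMSIZ, flags)
    return bytes(buf)


if __name__ == "__main__":
    for name in ("lo", "eth0", "eth1"):
        print(name, "UP" if is_up(name) else "DOWN", interface_flags(name))
```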


IF statements
Before we wrap up we will take a quick look at some language basics with Python, starting with if statements. In python you use if <test>: elif <test2>: else:

Python 2.5 (r25:51908, Sep 29 2006, 01:11:26)
[GCC 4.1.1 20060525 (Red Hat 4.1.1-1)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> x = 1
>>> y = 2
>>> z = 3
>>> if x:
...     y += 1
...     z -= 2
...     print x+y+z
... else:
...     print 'not x'
...
5

Here we set the x, y and z variables; if x has a value, we added to y, took away from z, and printed the result, otherwise we print "not x". The end result was 5 (1 + 3 + 1).

While loops
A while loop basically runs a block of code continuously until a certain condition is met. Below we set p and q, add to one, subtract from the other until p is no longer greater than q.

>>> p = 20
>>> q = 0
>>> while p > q:
...     print p
...     print q
...     p -= 1
...     q += 1
...
20
0
19
1
18
2
17
3
16
4
15
5
14
6
13
7
12
8
11
9
>>> print p
10
>>> print q
10
>>>

For loops
Python has for loops too. The notation is very simple, it's for <target> in <object>: <code_block>. Here is an example which takes a group of subnets and creates an ip route string for them all using Python, might as well demonstrate something useful:

>>> subnets = ["10.1.2.0", "10.1.3.0", "10.10.20.0", "10.10.30.0"]
>>> gw = "192.168.1.20"
>>> notation = "/24"
>>> dev = "eth0"
>>> for x in subnets:
...     print 'ip route add ' + x + notation + ' via ' + gw + ' dev ' + dev
...
ip route add 10.1.2.0/24 via 192.168.1.20 dev eth0
ip route add 10.1.3.0/24 via 192.168.1.20 dev eth0
ip route add 10.10.20.0/24 via 192.168.1.20 dev eth0
ip route add 10.10.30.0/24 via 192.168.1.20 dev eth0
>>>

Conclusion
Python is a very useful language; as you've seen in just a few lines of code, we've done some pretty neat little things with it. This is just a very basic look at Python, it is capable of much more. Whether you choose to use Python is up to you, but you now have at least a very basic understanding to be able to evaluate platforms such as TurboGears a little better. In the end, the choice is up to you. I use both Python and Ruby on a regular basis; I primarily use C for embedded applications, but Ruby and Python are very useful languages to have around when I need to do something complex quickly. They will definitely help your productivity, not hurt it, so well worth a look.

o3 magazine :: page 14

"A whirlwind tour..."

- Fictitious Daily Newspaper of Great Stature

Learn more about topics covered in this magazine!
TurboGears project leader Kevin Dangoor talks about generic functions and widgets, and takes you on a tour of the TurboGears code. This exclusive DVD-ROM includes high-quality H.264 encoded videos. It's playable on Windows and Mac using the free QuickTime 7 player, or on Linux using VLC, MPlayer or Totem. The DVD also includes an offline browsable copy of the TurboGears, CherryPy, SQLObject, Kid and MochiKit documentation.

Featured Videos
• Using JavaScript with TurboGears
• Introducing Generic Functions (and their use in TurboGears)
• How Widgets Tick (widget package walkthrough)
• TurboGears Core Tour
• The Future of TurboGears
• The 20 Minute Wiki
• Effective Ajax with TurboGears (Flash format of PyCon 2006 talk)

A BLAZING THINGS RELEASE "TURBOGEARS ULTIMATE DVD" STARRING KEVIN DANGOOR, WITH SPECIAL GUEST BOB IPPOLITO, SOFTWARE CONTRIBUTIONS BY KEVIN DANGOOR, IAN BICKING, REMI DELON, BOB IPPOLITO, RYAN TOMAYKO, DAVID STANEK, ELVELIND GRANDIN, RONALD JARAMILLO, JEFF WATKINS, DAN JACOB, MAX ISCHENKO, SIMON BELAK, ALBERTO VALVERDE GONZÁLEZ, MICHELE CELLA, JORGE GODOY, ONDREJ ZARA, IRMEN DE JONG AND MORE. WRITTEN AND DIRECTED BY KEVIN DANGOOR

Save $5 with coupon code o3mag.

QUICK LOOK AT TURBOGEARS

a quick look at turbogears
KEVIN DANGOOR OF TURBOGEARS PROVIDES A QUICK INTRODUCTION TO THE POWER OPEN SOURCE WEB APPLICATION FRAMEWORK FOR PYTHON DEVELOPERS

by Kevin Dangoor

TurboGears is an integrated, front-to-back web framework written in the Python programming language. Others say "full stack", but I like front to back, because TurboGears includes tools to help from the front end (JavaScript running in your user's browser) to the back end (the database). TurboGears integrates a number of different tools that are useful on their own, building pieces on top that really boost your productivity. Python is a great language for web applications. Python:
• Neatly combines object-oriented, procedural and functional language features.
• Is very readable
• Runs everywhere
• Lends itself well to automated testing
• Is reasonably performant and provides many ways to optimize the hot spots of your application.

The two most common development models on the web today are "code in page" and model view controller (MVC). "Code in page" is enormously popular because it's a natural fit for PHP, and it's a very quick way to get things done when your application is not complex. TurboGears follows the MVC pattern, which lends itself better to larger applications and long term maintainability. MVC also makes it much easier to let designers focus on design and programmers focus on code.

TurboGears was born of necessity. When I started work on my Zesty News product, I had to pick and choose among all of the choices of template languages, web frameworks and database tools in Python. I also needed to document how to work with the tools so that people could write plugins for Zesty News. Having gone through that effort, I thought it would probably help others if I released the whole shebang as an open source package. TurboGears was released in September, 2005 to a huge outpouring of enthusiasm.

TurboGears includes:
• SQLObject, an object-relational mapping (ORM) database layer to manage your model objects
• CherryPy, a web framework that handles URL resolution to find your controller code. It also provides a robust server.
• Kid, a template language that is both designer and programmer-friendly.
• MochiKit, a JavaScript library that is well-written, well-documented, well-tested and even a bit Pythonic.
• A supporting cast of several other tools. A notable one is the new setuptools library which provides a useful cross-platform packaging and plugin mechanism for Python libraries.

The first released version of TurboGears didn't have that many features of its own. It was mostly packaging and documentation for the collection of components. It did provide assistance to help developers get up and running quickly. As the project has grown, however, the integrated features that TurboGears provides have grown tremendously. TurboGears 1.0 builds on top of those components to offer:
• Internationalization
• Widgets
• Identity
• The tg-admin command line tool
• The Toolbox
• Choices of template and database engines
• Task scheduling
• Validation
• Testing tools
• RSS/Atom feeds

o3 magazine :: page 17


e as y ins t al l TurboGe ars t ak e s adv ant age ofPh il l ip Eby's s e t upt ool s, w h ich is de s t ine d t o be a core partofa f ut ure Pyt h on v e rs ion. O nce you h av e set upt ool s , you h av e a ne w com m and l ine t ool ,` e as y_ ins t al l ` ,t h atm ak e s ins t al l ing Pyt h on pack age s t riv ial , re gardl e s s ofyour pl at f orm . I t f inds t h e prope r dow nl oad s it e f or t h e pack age and dow nl oads itand al l ofit s de pe nde ncie s w it h one com m and. TurboGe ars w oul d h av e t o be pack age d v e ry dif f e re nt l y ifs e t upt ool s did note xis t , be caus e ` e as y_ ins t al l TurboGe ars ` ins t al l s sev e ral pack age s . I ns t al l ing t h atm any pack age s by h and w oul d be a pain w it h outs e t upt ool s. Addit ional l y, s e t upt ool s prov ide s us e f ul pl ugin capabil it ie s . As s oon as you'v e ` e as y_ ins t al l ` eda pl ugin, itis av ail abl e t o program s t h atcan us e it , w it h outany addit ional conf igurat ion or pat h set up. TurboGe ars us e s t h is f e at ure e xt e ns iv el y. t g-adm in O ne oft he f irs tt h ings e ncount e re d by a ne w TurboGe ars us e r is t he ` t g-adm in` com m and l ine t ool . Th e ` t g-adm in q uick s t art ` com m and w il l ge tyou running w it h a ne w proj e ctin s e conds , giv ing you a s t arts cript t o h av e a running de v el opm e ntw e b s e rv e r righ taw ay. ` t g-adm in` h as ot h e r us e f ul com m ands , incl uding an int e rnat ional iz at ion (i18n) h e l pe r (s e e be l ow ), dat abas e cre at ion t ool , a w rappe r around Pyt h on's s h e l l t h atadds e as y dat abas e acce s s , and a com m and t ol aunch t he T ool box (s e e be l ow ). You can al s o ins t al l ne w com m and pl ugins f or ` t g-adm in` or w rit e your ow n. Th e T ool box Th e TurboGe ars T ool box prov ide s a brow s e r-bas e d graph ical int e rf ace f or w ork ing w it h your TurboGe ars proj e ct s . 
Cat W al k l et s you brow s e and updat e your dat abas e , butw ork s in t e rm s ofyour Pyt h on obj e ct s rat h e rt h an t h e raw dat abas e . M ode l De s igne r l et s you v is ual l y de s ign your m ode l cl as s e s and ge ne rat e t he Pyt h on code att h e e nd. Th e W idge tBrow s e r l et s you pre v ie w and ge taddit ional inf orm at ion aboutal l oft he w idge t s on your s ys t e m (s e e be l ow f or m ore on w idge t s ). adm i18n h e l ps you m anage t h e i18n as pe ct s ofyour proj e ct s. L ik e ` t g-adm in` ,t he T ool box can be e xt e nde d w it h ne w t ool s . And, t he t ool s are al l j us tTurboGe ars apps , s o t h e y're e as y t o w rit e! I nt e rnat ional iz at ion TurboGe ars of f e rs int e rnat ional iz at ion f e at ure s t h rough out . TurboGe ars of f e rs a f unct ion f or prov iding l ocal e -s pe cif ic t e xtt ot h e us e r att he t im e ofre q ue s t .

This function is available throughout your Python code and in your Kid templates. There is also a special feature we've added to Kid to allow you to translate sections of your Kid templates with little effort. As mentioned earlier, TurboGears provides both command line and Toolbox-based tools for managing the i18n process: extracting strings from your code, updating and compiling your translated message catalogs, etc. As long as you are consistent in your treatment of strings, Python has excellent Unicode support. TurboGears' code is designed to make working with Unicode as transparent as possible, providing consistent encodings of everything that heads out to the web from your application.

Widgets and Validation

TurboGears Widgets wrap up JavaScript, CSS, HTML and image files into easy to use and customize objects. The Widgets package is designed first and foremost to elegantly handle forms. Creating a form from widgets is easy and ensures a consistent appearance wherever you use that form in your application. Additionally, forms make validation easy. You just tell TurboGears that a method is expecting its input to come from a specific form widget, and any validators used by those widgets are verified when the data arrives. Validators in TurboGears are based on Ian Bicking's FormEncode package. In addition to validation, they provide conversion to and from Python. This means that when you use the `IntValidator`, your Python code is assured of getting an integer when it runs, and not just a string. If the validator fails, an error handler takes over.
For each method in your controller code, you can tell TurboGears which method or function errors should be sent to. For validation errors on a form, you can trivially have the form be redisplayed with error messages for the user.

o3 magazine :: page 18

QUICK LOOK AT TURBOGEARS

TurboGears includes many widgets, and you're able to easily look through them via the Toolbox. The widgets vary from simple text fields up to the Ajax-driven AutoCompleteField. The AutoCompleteField is an example of a widget that includes JavaScript, CSS, images and HTML all at once. When you use that widget in a form, all of the necessary resources are automatically included. No need to manually write out script tags or link tags.

Identity

Authentication and authorization needs can vary dramatically from project to project. A very common pattern is the notion of having users, permissions and groups (or roles). TurboGears provides this kind of authentication and authorization right out of the box. Securing parts of your web application could hardly be easier.

Flexible Output

In a typical TurboGears controller method, you return a dictionary of values that gets plugged into a template for output. It looks something like this:

    from datetime import datetime
    from turbogears import expose

    # inside your controller class
    @expose(template="o3demo.templates.foo")
    def foo(self):
        return dict(current_time=datetime.now(), welcome_msg="Hi!")

When a user hits /foo, the output is generated by calling the foo method, taking that returned dictionary and plugging it into the template called "foo" that you have in your project. It turns out that this style of output handling has many advantages. Application testing is very important and TurboGears includes useful tools for testing. The standard testing interface used is a package called Nose, which is compatible with Python's standard unittest module but makes a number of things easier.
TurboGears includes a function for running a request from within the testing process without a separate web server. That makes running tests fast. Additionally, due to the unique style of passing data to the templates mentioned above, TurboGears provides a function that lets you examine your controller output *before* it gets to the view. You don't need to parse out the HTML for every test: just look at the values in a dictionary and make sure that they're correct. The general TurboGears philosophy is to provide one clear path to getting things done. However, it's impossible to anticipate every need, and it's also impossible for the tools included with TurboGears to

truly cover every case. One example: Kid is fantastic at generating HTML and XML, but it's not the best template language for generating plain text or CSS. For that reason, TurboGears makes it very easy to use another template language with the same ease that you can use Kid. In fact, Cheetah is included in the download. In the short example above, you could say template="cheetah:o3demo.templates.test" to plug the data into a Cheetah template (without changing the code in your method at all). It also turns out that returning a dictionary is useful for Ajax. TurboGears can, at your request, turn that dictionary into JavaScript Object Notation (JSON), letting you use the same code to provide HTML to web browsers and a JSON-based API for Ajax or web services.

Other Features

Here are a few other items of note in TurboGears' core code. TurboGears has a built-in, easy to use task scheduler. Do you have a clean up job to do every hour? It's easy to set that up. And the scheduler can run the job in a separate thread or even a separate process depending on the job's requirements. You can actually use any Python database technology with TurboGears. Specific support is included for SQLObject and SQLAlchemy, which will cover the vast majority of database needs that applications have. SQLAlchemy is a newer object relational mapper that is among the most powerful and flexible ORMs available for *any* language. It works equally well with brand new databases *and* legacy databases, which is an area in which many mappers fall short.
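The "return a dictionary" pattern described above, as an added example that is not TurboGears' own code: a toy expose decorator and dispatcher (hypothetical names) that render one controller's dict as HTML, as JSON for an Ajax client, or hand it straight to a test. It assumes a string.Template stand-in for the Kid template and gives foo a `now` parameter so a test can pin the time.

```python
"""Added example (not TurboGears' code): one controller dict, three consumers."""
import json
from datetime import datetime, timezone
from string import Template


def expose(template=None):
    """Hypothetical stand-in for TurboGears' @expose: it only records the
    template name on the method so a dispatcher can pick a view later."""
    def decorator(method):
        method.template = template
        return method
    return decorator


class Root:
    @expose(template="o3demo.templates.foo")
    def foo(self, now=None):
        # The method knows nothing about HTML or JSON; it just returns data.
        # Whatever goes into this dict is also what a JSON client receives,
        # so keep internal-only values out of it.
        now = now or datetime.now(timezone.utc)
        return dict(current_time=now, welcome_msg="Hi!")


# Constructed stand-in for the Kid template "o3demo.templates.foo".
TEMPLATES = {
    "o3demo.templates.foo": Template("<p>$welcome_msg It is $current_time.</p>"),
}


def _json_default(value):
    # datetime is not JSON-serialisable out of the box; emit ISO 8601 text.
    if isinstance(value, datetime):
        return value.isoformat()
    raise TypeError("cannot serialise %s" % type(value).__name__)


def render(method, want_json=False, **kwargs):
    """Dispatch the way a framework would: call the controller, then choose a view.

    The same dict becomes HTML for a browser or JSON for an Ajax/web-service
    client; the controller code is untouched either way."""
    data = method(**kwargs)
    if want_json:
        return json.dumps(data, default=_json_default, sort_keys=True)
    template = TEMPLATES[method.template]
    return template.substitute({k: str(v) for k, v in data.items()})


def controller_output(method, **kwargs):
    """What a test uses: the raw dict, examined before it reaches any view,
    so assertions are made on values rather than on parsed HTML."""
    return method(**kwargs)


if __name__ == "__main__":
    root = Root()
    print(render(root.foo))
    print(render(root.foo, want_json=True))
```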
TurboGears also provides the built-in ability to generate RSS and Atom feeds, since those formats are common to such a wide variety of applications today. But wait, there's a lot more! Those are just the features that TurboGears builds on top of the four core components. MochiKit, Kid, CherryPy and SQLObject all have their own impressive feature lists. See the annotated examples for a feel for each of these packages.

Project Status

The core packages have had stable releases for a long time. TurboGears 0.8 has been in production use by companies and individuals since November 2005. TurboGears 1.0 will be the stable version that comes out from the work on 0.9, which has had alpha test releases since February 2006. 0.9 is in production use in some places, and the API is stable. As I write this, the main task we're working on for 1.0 is bringing the documentation up to speed and ensuring that the docs remain up-to-date after the 1.0 release. In addition to the work on the free documentation on the web, there is additional information available via my "TurboGears Ultimate DVD" (http://www.turbogears.org/ultimate.html) and the forthcoming book "Rapid Web Applications with TurboGears" (http://www.turbogearsbook.com/).

Fast, Fun and Maintainable

TurboGears provides a fast and fun way to write applications that are maintainable and high-quality. Your customers will be happy with how quickly new features are implemented, and you'll be happy with the fact that you could focus on the application at hand rather than the mundane details of HTTP parameter marshaling or XML-based configuration files that plague other frameworks. The TurboGears focus on simple APIs to get you going and a smooth learning curve as your needs increase is sure to make you happy you checked it out.

About the Author

Kevin Dangoor is project lead for TurboGears and founder of Blazing Things LLC. You can keep up to date on all things TurboGears by checking out Kevin's blog over at http://www.blueskyonmars.com.

Figure 20.1 - Third Party Components

TurboGears takes the best components available and combines them into one easy-to-install, documented whole. TurboGears includes parts that join the pieces together and make them work together seamlessly, but doesn't obscure each included project.
This allows you to take advantage of all existing documentation, articles, mailing lists and other resources that have built up in the communities for each project. From front end to back end:
• MochiKit is a clean and powerful JavaScript library
• Kid is a designer- and programmer-friendly template system
• CherryPy makes doing web input/output as easy as writing a Python function!
• SQLObject lets you access your database as you would normal Python classes, without obscuring the database itself.


TG: DEPLOYMENT AND SCALING

turbogears deployment and scaling
JEFF MARSHALL AND GREG LIN OF FROZENBEAR INC LOOK AT THE DEPLOYMENT OF TURBOGEARS AND EXAMINE HOW WELL THE FRAMEWORK SCALES TO MEET THE DEMANDS OF A GROWING NETWORK

by Jeff Marshall and Greg Lin (http://frozenbear.com)

Motivation

At FrozenBear we have been rolling out websites with TurboGears since 0.8. We wanted a Python framework that was easy to use, deploy, and scale, and TurboGears has fit the requirements. This article will discuss our experiences with "easy" deployment and scaling. Know what a basic TurboGears project looks like before reading on.

Deployment

Deploying a TurboGears (TG) project is easy.
1) Build a python egg
2) easy_install the egg on the production server.

For an imaginary TG project named "foo":

    ## make the egg ##
    # [on the dev machine]
    cd /projects/foo
    python setup.py bdist_egg

The resulting egg shows up in /projects/foo/dist/foo-1.0-py2.4.egg.

    ## deploy egg ##
    # [on the dev machine]
    cd /projects/foo/dist
    scp foo-1.0-py2.4.egg \
        user@production:/var/www/foo/eggs
    scp /projects/foo/sample-prod.cfg \
        user@production:/var/www/foo/prod.cfg
    # ...edit your prod.cfg as needed...

    # [on the production machine]
    cd /var/www/foo/eggs
    easy_install foo-1.0-py2.4.egg

    # [on the production machine]
    cd /var/www/foo
    mysqladmin -h localhost -u root -p create foodb
    tg-admin sql create --egg foo
    # run the server
    /usr/bin/foo-start.py

By default, the easy_install command creates a startup script in /usr/bin/foo-start.py and puts the egg's files in the directory /usr/lib/python2.4/site-packages/foo-1.0-py2.4.egg. tg-admin creates the tables for foodb and foo-start.py launches your site.

Scaling

Now that the site is running on the production machine, think about how it will handle growing traffic.
The ability of the site to scale will depend on the various layers between the TG server and the outside world as well as the efficiency of the communication between the TG server and its database. Develop a configuration appropriate for your plans. Think about which parts of the system will become performance bottlenecks and the simplest ways those bottlenecks can be fixed. Scaling usually requires a balance between adding hardware and optimizing code. Generally it is cheaper and more time-effective to ensure the application will scale with simple hardware addition rather than relying on future code optimization efforts. Time spent on application over-optimization will almost always cost more than adding extra machines. If your TG server is getting loaded down by traffic, get more machines to run another instance of the TG server and let a load balancer spread out the requests. When the database requests grow too big, partition/replicate/cluster the database instance across more machines. The project needs to be designed with these scenarios in mind to make scaling easy. Components we've found helpful for those tasks are Apache, Squid, and Pound:

• Apache can be placed in front of TurboGears to serve the content using HTTP 1.1 (the CherryPy server uses HTTP 1.0 at the moment), to more efficiently serve up static content, and to handle SSL certificates.
• Squid can be used as an HTTP accelerator by caching content. CherryPy has a built-in caching filter, but Squid can provide much more powerful caching options while removing load from your CherryPy server.
• Pound is an easy-to-use software load balancer. By all means, move on up to hardware load balancers if your project can afford it. But Pound can pull a lot of weight for you in the meantime.

To demonstrate these components and how they can help scale, we will walk through a case study of a TurboGears-based web service FrozenBear has recently built called MeCommerce (http://mecommerce.goodstorm.com/). MeCommerce is a useful case study because we needed to incorporate each of the above components in various ways to successfully scale. There are two primary TurboGears processes running this system: a secure order form and payment processing server running behind SSL, and a nonsecure server handling a product box showing in iframes on many blogs and websites along with a publisher website to manage accounts. It was easy to identify that the product box would have the most scaling issues since the iframe needs to get fresh content every few minutes for each blog it sits on, and at the same time it needs serious caching because of the heavy traffic it experiences. We need to be able to add more product serving capacity very quickly and also add more instances of our TurboGears servers if needed.

Pound

Pound is available for download from http://www.apsis.ch/pound/. Pound handles the incoming (non-secure) requests and balances the load to the bank of Squid servers.
(We'll deploy Pound at the front of the secure request route when the secure traffic demands multiple instances of the TurboGears order processing server. The secure path is intentionally kept separate from the non-secure path.) The load balancer automatically stops forwarding requests to servers that are down, and new Squid servers can be added as needed when traffic levels outgrow the existing capacity. Squid will improve a site's overall uptime and responsiveness. A simple Pound (version 1.9) configuration file such as this will do the job:

    User daemon
    Group daemon
    ExtendedHTTP 0
    WebDAV 0
    LogLevel 1
    Alive 30
    # your server's IP address and port where pound
    # listens
    ListenHTTP xxx.xxx.xxx.xxx,80
    UrlGroup ".*"
    # each of your squid servers' IP addresses and ports
    BackEnd xxx.xxx.xxx.xxx,80,1
    BackEnd xxx.xxx.xxx.xxx,80,1
    BackEnd xxx.xxx.xxx.xxx,80,1
    BackEnd xxx.xxx.xxx.xxx,80,1
    EndGroup

Pound can be configured to forward specific, uncacheable paths directly to the TurboGears server and bypass the Squid pool.

Squid

The Squid Caching Server can be obtained from http://www.squid-cache.org/. The Squid servers are configured as HTTP accelerators by setting the httpd_accel options:

o3 m agaz ine :: page 26

TG: D EPLO YM ENT AND S CALI NG

    # the server's hostname
    httpd_accel_host myinternal.domain.com
    # the TurboGears port
    httpd_accel_port 8001

Squid will automatically cache the TG server's static content. This is one of the most important steps you should take when preparing your project for production traffic. CherryPy does a fine job of serving up static content, but we highly recommend that you use Apache or Squid to serve your static content instead. Not only will Apache and Squid do a better job of serving up static content, they will take the load off the CherryPy server so it can focus on the more important tasks it needs to do. We use Squid to serve static content on the nonsecure requests, and we take advantage of Apache's mod_rewrite to serve static content on the secure request path. Squid can help cache more than the static content. For MeCommerce, it was critical that Squid handle the bulk of the product box iframes. The product box iframes appear on many blogs and websites, far eclipsing the other traffic that MeCommerce serves. By default, Squid will cache content from the TurboGears server according to the HTTP caching headers that it sends back.
To set the caching headers, create a CherryPy filter:

    import cherrypy
    from cherrypy.lib.filter.basefilter import BaseFilter
    from time import strftime, gmtime, time

    class ExpiresFilter(BaseFilter):
        # runs after the handler, just before the response is finalized
        def beforeFinalize(self):
            # only act on paths whose config section enables the filter
            if not cherrypy.config.get('expiresfilter.on', False):
                return
            cache_seconds = cherrypy.config.get('expiresfilter.seconds', 300)
            # HTTP dates must be in GMT, in the RFC 1123 format used here
            now = time()
            cherrypy.response.headerMap['Last-Modified'] = \
                strftime('%a, %d %b %Y %H:%M:%S GMT', gmtime(now))
            cherrypy.response.headerMap['Expires'] = \
                strftime('%a, %d %b %Y %H:%M:%S GMT', gmtime(now + cache_seconds))

Add this filter to the CherryPy root before starting the server:

    cherrypy.root = Root()
    cherrypy.root._cpFilterList = [ExpiresFilter()]
    cherrypy.server.start()

Now, set "expiresfilter.on = True" in the config file for each path Squid needs to cache. The "expiresfilter.seconds" option sets the expiration time for each path.

Apache

Apache is available from http://httpd.apache.org/. In the MeCommerce example, Apache is used primarily to handle the SSL certificate on incoming requests on port 443. However, we can also take advantage of Apache to handle static content along that path. Using mod_rewrite, configure Apache like this:

    <VirtualHost _default_:443>
        # ... your standard ServerName and SSLEngine config
        # lines ...

        # use mod_rewrite to route requests
        RewriteEngine on

        # use mod_rewrite to serve up the static content
        # (set the path to your static content; it is a good idea
        # to create a symbolic link to your deployed egg's
        # static path.
        # unfortunately you will need to update this symbolic
        # link each time you deploy a new egg version, but it's
        # easier than updating this Apache config each time)
        RewriteRule ^/static/(.*) /path/to/static/$1

        # send the rest of the traffic to your TurboGears server
        # (set your domain and TurboGears port)
        RewriteRule ^/(.*) http://myinternal2.domain.com:8002/$1 [P]
    </VirtualHost>

Definitely have Apache handle static content if static files are larger than 100KB (i.e. images).

Conclusion

No framework can guarantee scalability, but a good framework like TurboGears gives you the latitude to make a variety of scaling decisions.
Be smart in the design. Code as if the project will be initially deployed on two or more servers. Your specific use case will dictate which pieces need more attention. Don't overly optimize or hardware-scale until you know the site's usage profile. We highly recommend TurboGears.
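The ExpiresFilter's header arithmetic and its per-path expiresfilter.on switch, as an added example in plain Python that is neither the article's nor CherryPy's code: it produces the same Last-Modified/Expires pair, checks freshness the way an accelerator in front of the server would, and uses a constructed per-path config in which the anonymous product box is cached while the publisher account pages, which carry per-user data, stay out of the shared cache. The path names, the CONFIG layout and the strict "no Expires means not fresh" rule are assumptions of this example.

```python
"""Added example (not from the article or CherryPy): cache headers per path."""
from email.utils import parsedate_to_datetime
from time import gmtime, strftime

HTTP_DATE = '%a, %d %b %Y %H:%M:%S GMT'

# Constructed stand-in for the per-path sections of a CherryPy 2 config file.
# Only the anonymous product box may be served from the shared Squid cache;
# account pages are per-user and must always come from the TG server.
CONFIG = {
    '/productbox': {'expiresfilter.on': True, 'expiresfilter.seconds': 120},
    '/account':    {'expiresfilter.on': False},
    '/':           {'expiresfilter.on': False},
}


def settings_for(path):
    """Longest-prefix match, the way per-path config sections apply."""
    best = '/'
    for prefix in CONFIG:
        if path.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return CONFIG[best]


def expires_headers(path, now):
    """Headers the filter adds to a response on `path` at Unix time `now`.

    Returns an empty dict when the path is not marked cacheable, so the
    response advertises no expiry at all."""
    cfg = settings_for(path)
    if not cfg.get('expiresfilter.on', False):
        return {}
    cache_seconds = cfg.get('expiresfilter.seconds', 300)
    return {
        'Last-Modified': strftime(HTTP_DATE, gmtime(now)),
        'Expires': strftime(HTTP_DATE, gmtime(now + cache_seconds)),
    }


def is_fresh(headers, at):
    """Strict freshness rule for a cached copy at Unix time `at`: reuse it
    only if it carries an Expires date that has not yet passed."""
    expires = headers.get('Expires')
    if expires is None:
        return False
    return parsedate_to_datetime(expires).timestamp() > at


if __name__ == '__main__':
    now = 1154433600  # constructed: 2006-08-01 12:00:00 UTC
    box = expires_headers('/productbox/123', now)
    print(box, is_fresh(box, now + 60), is_fresh(box, now + 120))
    print(expires_headers('/account/settings', now))
```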


UNSECURE WIFI

unsecure wifi: the outside threat from inside
WIRELESS NETWORKS ARE AN IMPORTANT PART OF IP MOBILITY SOLUTIONS, BUT DEPLOYING SECURE SOLUTIONS CAN BE A CHALLENGE. THIS ARTICLE LOOKS AT WIRELESS SECURITY FROM THE MALICIOUS USER'S PERSPECTIVE

by John Buswell

The usual WiFi security article would discuss the various ways to protect your network: WPA2, disabling SSID broadcast, firewalling your WiFi network as if it was part of the Internet, and so on. This, however, is not your usual WiFi security article. Unsecure WiFi poses a serious security risk to any campus, business, or ISP network; this article uses data from real world examples to show how easy it can be for a malicious user to cause serious problems. Sometimes it's useful to look at security from the other side. In this article we take a unique approach, looking at things as if we were a malicious user: what would we do and how would we do it? No wireless networks were harmed during the research for this article.

Reasoning

There are plenty of reasons why a malicious user might want to access a network illegally. On one hand you have people who just like to cause trouble. You also have people who want to make money through spam, botnets, and so on. On a more practical level, you have people who want to collect credit card information, information for identity theft, and people who want to collect logins to a larger network. You have people who want to do something illegal on the Internet and not get caught. It could be illegal content such as child pornography, terrorist communication or cyber terrorism such as distributed denial of service attacks.
Unsuspecting Victim

The unsuspecting victim here is the person or organization who had what they thought was a secure solution deployed, but were then blamed for some illegal activity that they were unaware of. In the case of identity theft, imagine a careful person who shreds documents with sensitive information, destroys old credit cards with a media shredder, uses Firefox, pays for security tools, and runs a firewall behind their cable modem. They don't have to be tech savvy, but they've researched enough to be secure. When this person goes to buy a new PC, they pick up a laptop, it has WiFi, and the salesperson sells them a WiFi access point or router. It plugs in, works great, and they can use their laptop without wires from the sofa, the kitchen and even bed. Is it secured? Do they know? Do they care? Probably not.

Finding suitable victims

The best locations for finding victims are where people are clustered. So apartment complexes, townhouse complexes, and college dorms are good starting points. Office districts and industrial estates also offer pretty good targets depending on the town or city, and the technical capabilities of local companies. For the purpose of this article, we're going to look at a real world situation. Since this applies to practically any town or city where broadband Internet is available, we're going to use data combined from a number of undisclosed college towns. These are nice, peaceful towns, whose citizens are unaware that they could easily become an unwitting victim of some thug with a laptop and some wifi gear. Like many college towns, in the summer it is pretty quiet; when the students are in town in the fall (autumn), it can be extremely busy. Most college towns have colleges that offer a wide selection of IT and non-IT courses. There are a handful of IT companies in town, and a couple of ISPs.
The mileage you'll get with the local IT businesses varies; some are nothing more than glorified PC repair and office supply companies who are run by business people turned IT professionals. Learning to install Windows Server 2003 and Exchange over the period of a few months doesn't classify you as someone who should start selling IT solutions, but unfortunately that doesn't stop people. A little knowledge is a dangerous thing, and unfortunately for non-technical people, someone who appears to know a lot more than they do must be an expert. Expertise is relative, and unfortunately many business owners don't take this into account when purchasing IT solutions.

Equipment

I wanted to keep this article relatively simple. So although I could point to great open source tools that you can install under Linux to do wireless packet sniffing, scanning and so on, I'm going to stick with off the shelf things that you can acquire at your typical national retail store. If you are not from the United States, there are plenty of stores that resemble a huge warehouse that sells practically everything for reasonably low prices, and there is some form of these stores in or near practically every town in the United States. Let's take the scenario that the malicious user is out of town. Most car rental companies offer unlimited mileage, and most will rent you a nice minivan or SUV for under $40.00 a day. The minivan is a good option, as it is less suspicious, most have tinted windows, and you can store equipment such as UPS, full sized servers and so on in the back undetected. You can pick up vans from airports too, so theoretically a terrorist could easily fly into any country, with cash or credit cards on them and nothing else. On a quiet Saturday evening, I grabbed a shopping cart ("trolley" for the Europeans) and took a stroll around one of these large stores to see how much it would cost. Now I didn't buy any gear since I already had it, but I did ask some store representatives how easy it would be to return; even high value items such as laptops if I didn't like them. It turned out to be a lot easier than I expected. So technically someone could fly in, rent a car, buy gear at one of these warehouse stores, take care of business, return the gear to the store, return the rental car and fly home with minimal costs!! So what do we need? The first thing on our shopping list is a power inverter. A power inverter is a small metal box that you plug into the DC powered cigarette lighter socket on your car, and gives you AC power outlets so you can run regular AC devices, such as a laptop power charger, in your car. Local store - $17.69.
Next on the list was an APC power strip; we don't want to fry that new laptop, so again the local warehouse store, a few aisles over, for $14.95. Now a nice laptop (again at the local store) with built-in WiFi and running Windows XP - $697.00. Finally, our malicious user is smart - they want to make it harder for authorities to investigate should they get caught - so they buy a few USB WiFi adapters and PC Card adapters, so not everything comes from the same MAC address. USB WiFi adapters at both warehouse and office supply stores - $39.95 each; PC Cards ranged from the same price up to $69.95. Interestingly enough, the local warehouse store had absolutely no 802.11a equipment, not even 802.11a/b/g routers. Everything was 802.11g. Now if we wanted to pick up some WiFi routers to duplicate victims' routers, perhaps to packet sniff by bridging between their real access point and our fake one, then the local warehouse store had everything we needed including 802.11g range extenders and 802.11g access points.

Our really smart attacker makes a note of all the brands and models of access points on sale at the local warehouse store. Chances are, our unsuspecting victims bought their equipment here. In our college town USA, the only other place to buy gear is a national chain office supply store. Thankfully, they were well stocked with 802.11a capable equipment, so those users aren't safe either. So, for about $900.00 we could be well-equipped, courtesy of just one local store. As I said, we didn't buy any of the gear as we already had it; however, it's very easy to do as our research has proven.

False Sense of Security

While hanging around the WiFi aisle at the local warehouse store, I ran into a number of people looking at WiFi, sometimes eagerly recommending WiFi solutions they had previously bought. Most stores stock Belkin, Linksys, and some off brand WiFi. One student told me to buy Linksys because it had Internet Security and that's all you needed. He was referring to the logo of Symantec Internet Security on the box that provides an Anti-Virus and Firewall in a 60-day trial version. Now Linksys has gone to some effort to make it easier to configure WPA2 through their "Secure" Easy Button. Unfortunately, this is just something new, and most students already purchased WiFi equipment. Many laptops don't support the Secure Easy Setup, and $69.95 for the external PC card is just a waste when you can buy books, beer, or pay rent instead, and besides, your laptop has WiFi. What's worse is that companies looking to off-load old stock are selling 802.11b equipment for $9.95.
A nice dis countbas k e tatt he l ocal of f ice s uppl y st ore , and f or unde r $ 40.00 you can buil d a s m al l 802.11b ne t w ork . T o st ude nt s,$ 9 .9 5 l ook s a l otbe t t e rt h an $ 70 and it 's al l 2.4GH z w ire l e s s anyw ay, righ t ? ! Ge t t ing Sof t w are A num be r ofl ocal e st abl is h m e nt s of f e r FREE w ire l ess I nt e rne tt ot h e ir cus t om e rs , one I SP of f e rs FREE w ire l ess I nt e rne tin s e l e ctdow nt ow n are as . Dupl icat ing our m al icious us e r , w e driv e t o one oft h e s e FREE are as , park our v e h icl e and grab t he l apt op. A q uick cof f e e or t wol at er , and our l apt op is now e q uippe d w it h Ne t st um bl er , Fire f ox , and s om e ot h e rt ool s . W e al so h ad s om e t im e t o pok e around w it h t race rout e and ping t o ge ts om e ins ide inf orm at ion on t he I SP . Again, al l pe rf e ct l yl e gal . V arious l ocal w e bs it e s and googl e m aps prov ide us w it h e nough inf orm at ion t o pl an our rout e , and s h ow us w h e re t h e st ude ntdorm s and of fcam pus cl us t e re d

o3 m agaz ine :: page 30

U NSECURE W I FI

h ous ing is l ocat e d. Final l y, w e q uick l y dow nl oad t he m anual s f rom t he v arious s upports it es f or t h e rout e rs and acce s s point s w e s aw on s al e att he l ocal st ore s . Now w e h av e t h e de f aul tus e rnam e and pas s w ords . A re al l y cl ev e r at t ack e r w oul d al soj otdow n t he f irs t coupl e ofoct et s f rom t h e m ac addre s s e s , cl e arl y print e d on t h e pack aging, j us tin cas e Ne t st um bl e r can't ide nt if yt h e brand f rom t h e m ac addre s s during t he s cans . Back t ot h e car , and itis t im e t ol ook around. I m port antL e gal Not ice Atno pointw e re any acce s s point s acce s s e d or m odif ie d during t h e re s e arch f or t h is art icl e.I tis im port antt okeept h atin m ind, as t h is art icl e dis cus s e s w h atan at t ack e r coul d h av e done . Th e Re s ul t s O ur ne w t ow n is n'ta l arge t ow n, s o an h our l ong driv e atj us tunde r t h e s pe e d l im itaround t ow n, re v e al e d 781 acce s s point s in t h e are a. Abouth al foft h e acce s s point s h ad W EP e nabl e d. About40% h ad de f aul t SSI Ds , buts om e h ad W EP e nabl e d, w e w ork e d out t h atrough l y 30% oft he v is ibl e acce s s point s on our rout e , w h ich cov e re d j us tt h e m ain s t re e t s , h ad no W EP and de f aul tSSI Ds . W h il e w e didn'tconne ctt o any de v ice s , ch ance s are t h e m aj orit y oft h e m probabl y w e re conf igure d w it h j us tt h e de f aul tadm in pas s w ords . I tw as pre t t y e as y t o s e e a pat t e rn be t weenI SPs . For e xam pl e , one DSLprov ide r h ad s e rial iz e d SSI D num be rs , I k now t h is be caus e I h appe ne d t o us e a s m al l caf e t h atof f e re d FREE w if i us ing a s pe cif ic DSL prov ide r . 
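The triage an attacker (or an auditor) would run over scan results like the ones above can be automated. The following is an added example written for this edit, not a tool the article used. It takes Netstumbler-style records of (BSSID, SSID, channel, WEP), maps the first three octets of the BSSID (the OUI) to a vendor, flags factory SSIDs, finds serialized SSID families of the kind an ISP's self-install kits produce, and counts the open-plus-default population the article estimated at 30%. The OUI table, the default-SSID list and the ten scan records are constructed samples; a real run would load the IEEE OUI registry and the actual scan export.

```python
"""Triage of war-driving scan records (added example, not the article's data or tools).
Each record is (BSSID, SSID, channel, WEP enabled). The OUI table, default-SSID list
and the scan records are constructed samples; a real run loads the IEEE OUI registry
and the Netstumbler export instead."""
import re
from collections import Counter, defaultdict

# Constructed, abbreviated OUI table: first three octets -> vendor. Assumption: a real
# triage loads the full IEEE registry; these four prefixes are only a sample.
OUI_VENDOR = {
    "00:0C:41": "Linksys",
    "00:12:17": "Linksys",
    "00:11:50": "Belkin",
    "00:09:5B": "Netgear",
}

# Factory SSIDs of common consumer gear (constructed list; extend as needed).
DEFAULT_SSIDS = {"linksys", "default", "netgear", "belkin54g"}

# "<letters><optional - or _><3+ digits>" catches ISP kits that serialize their SSIDs.
SERIAL_RE = re.compile(r"^([A-Za-z]+[-_]?)(\d{3,})$")

SCAN = [  # constructed sample records: (BSSID, SSID, channel, WEP enabled)
    ("00:0C:41:AA:01:01", "linksys", 6, False),
    ("00:0C:41:AA:01:02", "linksys", 6, True),
    ("00:12:17:BB:02:03", "linksys", 11, False),
    ("00:09:5B:CC:03:04", "NETGEAR", 1, False),
    ("00:11:50:DD:04:05", "belkin54g", 6, True),
    ("00:0C:41:EE:05:06", "smith family", 6, True),
    ("00:09:5B:FF:06:07", "DSLNET-004512", 1, False),
    ("00:09:5B:FF:06:08", "DSLNET-004513", 6, False),
    ("00:09:5B:FF:06:09", "DSLNET-004599", 11, True),
    ("00:1B:2C:00:00:01", "123 Main St Apt 4", 6, False),
]


def vendor(bssid):
    """Vendor from the OUI (first three octets of the BSSID); 'unknown' if not in the table."""
    return OUI_VENDOR.get(bssid.upper()[:8], "unknown")


def is_default_ssid(ssid):
    return ssid.strip().lower() in DEFAULT_SSIDS


def serialized_families(records):
    """Group SSIDs that share a prefix followed by a serial number; keep families of 2+."""
    families = defaultdict(list)
    for _bssid, ssid, _chan, _wep in records:
        m = SERIAL_RE.match(ssid)
        if m:
            families[m.group(1)].append(ssid)
    return {prefix: sorted(ssids) for prefix, ssids in families.items() if len(ssids) >= 2}


def triage(records):
    """Summarize a scan the way the article did: WEP coverage, default SSIDs and the
    overlap of the two, plus channel and vendor distributions and serialized families."""
    summary = {
        "total": len(records),
        "wep": 0,
        "open": 0,
        "default_ssid": 0,
        "open_default": [],   # no WEP and a factory SSID: default admin password is likely too
        "channels": Counter(),
        "vendors": Counter(),
        "serialized": serialized_families(records),
    }
    for bssid, ssid, chan, wep in records:
        summary["wep" if wep else "open"] += 1
        summary["channels"][chan] += 1
        summary["vendors"][vendor(bssid)] += 1
        if is_default_ssid(ssid):
            summary["default_ssid"] += 1
            if not wep:
                summary["open_default"].append(bssid)
    return summary


if __name__ == "__main__":
    s = triage(SCAN)
    print(f"{s['total']} APs, {s['wep']} WEP, {s['default_ssid']} default SSID, "
          f"{len(s['open_default'])} open with default SSID")
    for prefix, members in s["serialized"].items():
        print(f"serialized family {prefix!r}: {len(members)} APs")
```

The open-plus-default list is the one that matters: those are the access points whose admin interface almost certainly still answers to the username and password printed in the manual downloaded earlier.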
A quick hit to any IP lookup page by a hacker over one of those serialized SSID connections which weren't secured would make it easy to determine which had DSL and which had something else. The serialized SSIDs are a serious problem, painting a target on the customer's WiFi network, and likely one of those self-install kits. I was glad to see that one ISP was rolling out equipment to their corporate customers with secure, commercial solutions instead of trying to sell off-brand or retail gear. A couple of hotels looked like they were either wide open or possibly used MAC address filtering (which an attacker defeats by cloning a MAC address seen in the air); that's just a guess, giving credit to the ISP who rolled it out. Many of the broadcast SSIDs revealed addresses, names or organizations. Most of the channel usage was centered on channels 1, 6 and 11, with 6 being extremely popular and the default setting with Linksys. It almost looked like the SSID was being used either to make sure they didn't hop on the wrong unsecured WiFi or as a warning to other people hitting their AP by mistake. Now, we drove around on a Sunday morning; I would imagine that many more access points would have shown up had we driven around during a school night, as some people do turn off their access points when they are not at home.

The Outside Threat from Inside

Administrators go to great lengths to prevent bad traffic reaching their users. This ranges from blocking NetBIOS traffic, running intrusion detection and prevention systems, rate limiting and other techniques, even on internal switches and routers. Some ISPs even protect customers and users from each other, blocking various ports on the provider side connected to the CPE, thus preventing your neighbor from hacking you or giving you that Internet worm that they downloaded via IM! The problem is that all this protection goes out the window when the attacker can simply hit the user's local system over the unsecured WiFi. Often these machines are artificially secure, users relying on the security provided by routers/firewalls instead of updates and software firewalls. Students, who often like to play games over their LAN with friends, frequently disable software firewalls because they block the game traffic from the local LAN. These lapses in security make it easy for an outsider to install keystroke loggers, remote control software, and other software on the victim's computer. Now that person is a risk: a legitimate user, perhaps a VPN user, now has their account information compromised. The malicious user can now gain legitimate access to your network, lurk around, and look for vulnerabilities. At the very least they can read internal email, send email, and perhaps even gain customer information. What works for that English language student with their WiFi router also holds true for the sales representative living in an apartment complex. Same level of technical savvy, same false sense of security. Same internal threat.

Internal BotNets

Now, when most providers discover botnets, typically through bandwidth spikes or security/abuse complaints, they shut down the control channel. What happens, though, when the control channel is outside of their network, run over WiFi by chaining access points together, creating one large network? Remember, most of these unsecured WiFi routers and access points have default SSIDs. So it's not hard for some malicious user to go in, change the config, and make adjacent apartments run on the same network. The attacker may have secured these access points so nobody can identify them easily; furthermore, they might use a range extender to bridge a completely different access point with their botnet, and use a completely different ISP to access the control channel for the botnet remotely. If you think that's far-fetched, we spoke with a local apartment complex manager who was nice enough to show us around their laundry facilities. It would be easy to stash a Linksys WRT54G running OpenWRT, or a range extender, in any apartment complex laundry room. The equipment could sit there for months behind a washer or dryer before anyone would notice. Simply placing a sticker with the logo of a local ISP on it is enough to keep maintenance and management from even questioning the device.

Luxury War-Sitting

Thanks to urban planning, many upmarket college off-campus complexes are located near or next to hotels. Simply book into a hotel; depending on the distance, it might be necessary to place a range extender between the complex and the hotel. Here in our example town, at least one hotel was close enough to a complex to scan directly from the hotel. Over a couple of days a malicious user could collect multiple accounts for a wide variety of locations. In a college town like our sample town, it would be relatively easy to obtain account information and thus become a threat to the local colleges and universities. Thanks to the hotel, it can be done in style, while watching TV, and without running the risk of getting interrupted by curious third parties or the police.
Internal Denial of Service

The attacker doesn't have to have a reason why; perhaps another attacker took over their botnet, or they simply don't like the ISP, or just have a mischievous nature. An internal DoS attack might even be difficult to detect: a number of local customers with high bandwidth connections, downloading files from the same site, something large, perhaps some DVD images, looking like normal traffic. A large enough botnet could be used to congest the local ISP network. It could be as easy as bouncing data between local users in a loop, flooding the local network. Depending on the ISP, this is often easier to do than you might expect. Some providers, especially those that use wireless technologies such as 900MHz, have limited bandwidth between CPE and their towers. They're "betting the farm" that their users won't all consume the bandwidth at the same time; a well orchestrated attack could look like normal network traffic and cripple the ISP.

But It's Just Timmy's PC

Remember that old Windows 95 box that was the family PC a few years back? Now it sits in Timmy's room. Timmy is now old enough to use the Internet, so dear old Dad goes and buys some WiFi gear because it's cheaper than running cables and drilling holes in the wall. That crimper thing looks strange, since good old Dad works in sales. Now while Dad's laptop is secured, Timmy's is not, and security is only as good as the weakest link on the network. That Windows 95 box is just an invite for an attacker: probably not updated, and what does Timmy need with anti-virus and firewalls, he is just a kid, how much of a threat is CartoonNetwork.com?

Fixing the Problem

Not everything security related can be fixed entirely with technology. The sooner you realize that, the faster you can go about securing your network. Education is the first line of defense, and this can be as simple as regular IT awareness sessions that students (or employees) must attend to keep network access. Offering secure WiFi routers, or having IT employees reconfigure home WiFi routers for your non-technical employees, can help improve security to a degree. For a city-wide problem, especially in a university town, going through a central organization such as the Chamber of Commerce or the university will help raise awareness and provide a community solution. This might involve an ISP offering free workshops on securing WiFi routers and giving information on how to download free antivirus and so forth. Such events can help attract new customers, and at the very least reduce the threat to your network. It is not a problem that is going to get resolved overnight; most students carry laptops these days, so for universities it might just pay off to offer services that check and audit student laptops for security problems: viruses, worms, outdated vulnerable code, keystroke loggers, remote control software and so on.

Remote users who access the network via VPN could use a simple web based application that forces them to register their location. If you know Dave in Sales has cable at home, and suddenly starts trying to log in from a DSL connection he has not registered, you can lock out the account even when the authentication information matches: valid credentials arriving from an unexpected location are the signature of a compromised account, not of a typo. If Dave is on the road, and you know he is traveling to a particular city, have him register that location once he logs in. Simple web applications that communicate with the firewall by writing or updating data in a database or via LDAP can provide an extra layer of security. For example, Dave gets to his hotel and visits https://vpnreg.mycompany. Before he left the office, he registered that he was going to Boise, Idaho for 3 days. When he hits vpnreg, he authenticates, then it asks him a series of questions related to his trip and location. If he gets all of the questions right, the location is registered for the days he is away. While he is away, he might only need email and access to presentation documents; this type of location-based access restriction can limit the damage done if his laptop is stolen while at the hotel.

Conclusion

Hopefully this article has given you a new perspective on the problems involved with unwitting customers and users connecting equipment to high bandwidth networks. Security is only as good as its weakest link. While the risk of being fired or expelled will prevent intern
al users from doing bad things on your network, it won't stop them from doing irresponsible things that can result in third parties gaining their privileges on your network. A combination of education and "thinking outside of the box" is necessary to limit the risk of the outside threat from inside.

About the author

John Buswell is Editor in Chief of this magazine; he is also Chief Technology Officer and co-founder of Spliced Networks, a privately owned Linux appliance company. He will be giving a presentation at Ohio LinuxFest on September 30, 2006 titled "Open Source Zero Day Attack Protection". For further information visit http://www.splicednetworks.com and http://www.ohiolinux.org.
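The location-registration scheme described under Fixing the Problem, as an added example (this is not the article's vpnreg application): a login policy that allows a user from a registered location with the scope registered for it, denies bad credentials as usual, and locks the account when correct credentials arrive from a location the user never registered, plus the question-gated trip registration. The networks (documentation prefixes), Dave's registrations and the trip questions are constructed, and the network-to-location table stands in for whatever ISP or geo-IP lookup a real deployment would use.

```python
"""Location-registered VPN login policy (added example; not the article's vpnreg
application). Registrations and the network-to-location map are constructed."""
from datetime import date
import ipaddress

# Constructed map of source networks to a location label. Assumption: in production
# this comes from ISP allocations or a geo-IP feed; the prefixes here are RFC 5737
# documentation ranges.
NETWORK_LOCATIONS = [
    (ipaddress.ip_network("203.0.113.0/24"), "home-cable"),
    (ipaddress.ip_network("198.51.100.0/24"), "boise-hotel"),
    (ipaddress.ip_network("192.0.2.0/24"), "unknown-dsl"),
]

# user -> list of (location, first day, last day, access scope). Dave's home is always
# registered; the Boise trip was added when he answered the registration questions.
REGISTRATIONS = {
    "dave": [
        ("home-cable", date.min, date.max, "full"),
        ("boise-hotel", date(2006, 9, 10), date(2006, 9, 12), "email,docs"),
    ],
}

# Questions only Dave can answer about the trip he registered (constructed).
TRIP_QUESTIONS = {"dave": {"destination": "boise", "hotel": "parkside", "days": "3"}}


def _day(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def location_of(src_ip):
    ip = ipaddress.ip_address(src_ip)
    for net, label in NETWORK_LOCATIONS:
        if ip in net:
            return label
    return "unregistered"


def registered_scope(user, location, when, registrations=REGISTRATIONS):
    """Access scope for user at location on that day, or None if nothing is registered."""
    when = _day(when)
    for label, first, last, scope in registrations.get(user, []):
        if label == location and first <= when <= last:
            return scope
    return None


def evaluate_login(user, src_ip, when, credentials_ok, registrations=REGISTRATIONS):
    """Decide on a VPN login. Correct credentials from a location the user never
    registered are treated as a compromised account: lock, do not merely deny."""
    if not credentials_ok:
        return ("deny", "bad credentials")   # plain failure; guessing alone must not lock users out
    location = location_of(src_ip)
    scope = registered_scope(user, location, when, registrations)
    if scope is None:
        return ("lock", f"valid credentials from unregistered location {location}")
    return ("allow", scope)


def register_trip(user, location, first, last, answers, scope="email,docs",
                  registrations=REGISTRATIONS, questions=TRIP_QUESTIONS):
    """Add a travel registration only if every trip question is answered correctly."""
    expected = questions.get(user, {})
    if not expected or any(answers.get(q, "").strip().lower() != a for q, a in expected.items()):
        return False
    registrations.setdefault(user, []).append((location, _day(first), _day(last), scope))
    return True
```

The ordering of the checks is the point: a wrong password is ordinary and only denies, so an outsider cannot lock Dave out by guessing, while a right password from the wrong place is the evidence of compromise the article describes and gets the lock. The scope string is what the firewall or LDAP integration would translate into the narrower rule set for travel days.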


ATA OVER ETHERNET

ata over ethernet
MUHAMMAD HAMMAD LOOKS AT THE OPEN SOURCE STORAGE SOLUTION THAT USES REGULAR LAYER 2 SWITCHES. AOE IS A SOLUTION PIONEERED BY CORAID

by Muhammad Hammad

Data storage space always reaches its limits, either today or tomorrow. Sometimes there is video/audio data that requires huge space, or maybe a production server generating massive logs, or it could be that backup is required on a permanent basis. Whatever the reason, one will eventually run out of space and is bound to increase storage capacity. Fortunately, hard disk storage capacity is increasing day by day with a steady decline in cost. On a single machine, the storage capacity is limited by the machine's hardware, i.e. you can only attach a limited number of hard disks to a machine. If, somehow, we could just attach an unlimited number of hard disks to a machine (or machines), we could get unlimited storage capacity. This is what the ATA over Ethernet (AoE) protocol supports, i.e. ATA storage devices accessible over Ethernet to other machines in the network.

AoE is an open standard Ethernet based Storage Area Network (SAN). SANs over Fibre Channel are more complex and expensive. Another variation of SAN is iSCSI, which uses the SCSI command set over TCP/IP, typically over Ethernet, and is accessible over LAN and WAN. On the other hand, AoE runs directly on top of Ethernet, which is much cheaper and easy to configure and deploy. Also, AoE is a lightweight protocol since it relies on Ethernet and does not employ the complexity of the TCP/IP protocol.

How it works?

AoE works by providing the host servers (web servers, mail servers etc.) access to disk drives through AoE servers. An AoE server is a small computer that has a processor and disk drive on a small printed circuit board. These boards are known as blades. The host sends request messages to the AoE server, which in turn provides block access to the disk, and reply messages are returned back to the host. Each message in AoE protocol communication should be considered an unreliable message. Reliability is achieved by the client host AoE software, which resends the request message if no response arrives within a specific time. AoE packets are encapsulated in standard Ethernet frames and share the Ethernet header, and so the AoE servers and other machines can be on the same LAN. However, it is recommended that you separate the storage network from other network traffic to achieve the highest performance. That separation is also the access control: AoE carries no authentication, so any host that can put a frame on the blade's Ethernet segment can read and write its disk.

The location of an AoE server blade is identified by a shelf number and slot number. A shelf is composed of a number of slots, and each blade can be inserted into a slot. The AoE packet header contains information about the shelf and the specific slot number to access a specific blade. In the AoE specification, these numbers are referred to as major and minor numbers. AoE devices communicate over Ethernet, based on Ethernet addresses, and thus do not require IP configuration. In order to find the Ethernet address of a specific blade, a broadcast message would be sent with the shelf and slot number, and that particular blade would respond with a reply carrying its Ethernet address. The protocol also allows the flexibility to communicate with multiple shelves and blades. For this purpose, a specific broadcast value, all ones, is used for the shelf and slot number. For instance, if the shelf value is all ones and the slot number is specific, then the message will be processed by the specific blade, identified by slot number, in all shelves. On the other hand, if the slot number is all ones with a specific shelf value, then all the blades within that shelf would respond.

AoE messages

The AoE protocol consists of sending messages to the servers and getting replies from the servers. There are two types of messages that are generated: ATA commands and Query Config information. Both these formats have their own fields in a message, but they share a common header.
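The header and addressing rules just described, as an added example rather than code from Coraid or aoetools: the 24-byte Ethernet-plus-AoE header of the AoEr8 specification listed in the references, the all-ones wildcard matching for major (shelf) and minor (slot), and a toy blade that answers a broadcast Query Config request with its own shelf, slot and source MAC, which is how a host learns which Ethernet address serves /dev/etherd/eX.Y. The MAC addresses, config string, buffer count and firmware version are constructed. The allowed_macs filter is this example's own addition; it is there to show that a source-MAC list is the only access control the protocol leaves room for, and that a spoofed source address passes it.

```python
"""ATA over Ethernet header handling (added example, not Coraid's or aoetools' code).
Implements the common AoE header from the AoEr8 specification, the shelf/slot
(major/minor) wildcard matching, and a toy blade that answers Query Config requests.
MAC addresses, config string and firmware values are constructed."""
import struct

AOE_ETHERTYPE = 0x88A2
AOE_VERSION = 1
CMD_ATA = 0              # Issue ATA Command
CMD_QUERY_CONFIG = 1     # Query Config Information
FLAG_RESPONSE = 0x8      # R bit: this message is a response
FLAG_ERROR = 0x4         # E bit: the Error field is meaningful
ERR_UNKNOWN_CMD, ERR_BAD_ARG, ERR_UNAVAILABLE = 1, 2, 3
ALL_SHELVES = 0xFFFF     # all ones in Major: every shelf
ALL_SLOTS = 0xFF         # all ones in Minor: every slot
ETH_BROADCAST = b"\xff" * 6

# Ethernet header + AoE header: dst, src, ethertype, ver/flags, error, major, minor, command, tag
HEADER = struct.Struct("!6s6sHBBHBBI")
# Query Config body: buffer count, firmware version, sector count, aoever/ccmd, config string length
QC_BODY = struct.Struct("!HHBBH")


def build_frame(dst, src, major, minor, command, tag, payload=b"", flags=0, error=0):
    ver_flags = (AOE_VERSION << 4) | (flags & 0xF)
    return HEADER.pack(dst, src, AOE_ETHERTYPE, ver_flags, error, major, minor, command, tag) + payload


def parse_frame(frame):
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than AoE header")
    dst, src, ethertype, ver_flags, error, major, minor, command, tag = HEADER.unpack_from(frame)
    if ethertype != AOE_ETHERTYPE:
        raise ValueError("not an AoE frame")
    if ver_flags >> 4 != AOE_VERSION:
        raise ValueError("unsupported AoE version")
    return {"dst": dst, "src": src, "flags": ver_flags & 0xF, "error": error, "major": major,
            "minor": minor, "command": command, "tag": tag, "payload": frame[HEADER.size:]}


def addressed_to(hdr, shelf, slot):
    """A blade answers when each of major/minor is its own value or the all-ones wildcard."""
    return hdr["major"] in (shelf, ALL_SHELVES) and hdr["minor"] in (slot, ALL_SLOTS)


def query_config_request(src, tag, shelf=ALL_SHELVES, slot=ALL_SLOTS, ccmd=0):
    """Broadcast 'read config string' (ccmd 0); with the defaults every blade replies."""
    body = QC_BODY.pack(0, 0, 0, (AOE_VERSION << 4) | ccmd, 0)
    return build_frame(ETH_BROADCAST, src, shelf, slot, CMD_QUERY_CONFIG, tag, body)


class Blade:
    """Toy AoE target. Note what it never checks: the protocol carries no credential, so
    any host on the segment is served. allowed_macs is the only filter there is room
    for, and a spoofed source MAC walks straight through it."""

    def __init__(self, shelf, slot, mac, config, allowed_macs=None):
        self.shelf, self.slot, self.mac, self.config = shelf, slot, mac, config
        self.allowed_macs = set(allowed_macs) if allowed_macs else None

    def _reply(self, hdr, payload=b"", error=0):
        flags = FLAG_RESPONSE | (FLAG_ERROR if error else 0)
        # The reply carries the blade's real shelf/slot and its own MAC as source: that is
        # how a host learns which Ethernet address serves /dev/etherd/eX.Y.
        return build_frame(hdr["src"], self.mac, self.shelf, self.slot, hdr["command"],
                           hdr["tag"], payload, flags=flags, error=error)

    def handle(self, frame):
        """Return the response frame, or None when this blade stays silent."""
        hdr = parse_frame(frame)
        if hdr["flags"] & FLAG_RESPONSE or not addressed_to(hdr, self.shelf, self.slot):
            return None
        if self.allowed_macs is not None and hdr["src"] not in self.allowed_macs:
            return None
        if hdr["command"] == CMD_ATA:
            return self._reply(hdr, error=ERR_UNAVAILABLE)   # no disk behind this toy
        if hdr["command"] != CMD_QUERY_CONFIG:
            return self._reply(hdr, error=ERR_UNKNOWN_CMD)
        if len(hdr["payload"]) < QC_BODY.size:
            return self._reply(hdr, error=ERR_BAD_ARG)
        ccmd = QC_BODY.unpack_from(hdr["payload"])[3] & 0xF
        if ccmd != 0:    # only 'read config string' is implemented here
            return self._reply(hdr, error=ERR_BAD_ARG)
        body = QC_BODY.pack(16, 1, 2, (AOE_VERSION << 4) | ccmd, len(self.config)) + self.config
        return self._reply(hdr, body)
```

Discovery is literally a broadcast with both wildcards set, and every blade on the segment answers with its identity, so an attacker on the same switch gets the full inventory of shelves and slots for free.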
ATA commands are request/response messages to perform ATA transactions on an ATA device. ATA transactions perform reads/writes from the disk. Query Config information is used by the hosts to identify blades. It is more flexible than shelf and slot numbers, which are not very scalable for a large number of client hosts and AoE servers. Query Config information allows client hosts to set/retrieve special information on AoE servers, which can be used later for identification purposes.

How to implement an AoE based SAN in Linux?

AoE is implemented as a block device driver in the host operating system to provide the host access to the storage area network. The driver is responsible for connecting the host to target AoE disks using the host NIC. A target disk is a disk that is to be accessed by other machines over the AoE protocol. This allows seamless integration of host and storage area network, which appears as local block device(s) in the host operating system. AoE drivers are available for Linux kernels 2.4 and 2.6 and FreeBSD kernels 4.11 and 5.3 from http://www.coraid.com/support/index.html. The current Linux kernel version, 2.6.15.6, includes the AoE driver, which is not enabled by default. Moreover, download aoetools from http://sourceforge.net/projects/aoetools/. This toolset supports the Linux kernel AoE driver and provides useful programs that run in user space. Coraid, the original designer of the AoE protocol, has also made an AoE hard disk known as EtherDrive. In order to implement such a storage area network based on AoE, all you need is to buy some EtherDrives and connect them to the Ethernet, where a host server (or servers) is also connected. The host server, running Linux, can then load the AoE driver and access those target EtherDrive blades under /dev/etherd/. Each EtherDrive blade follows the naming scheme of shelf and slot number, represented in Linux as /dev/etherd/eX.Y, where X and Y represent the shelf and slot number respectively. So, for example, the blade in shelf 0 and slot 4 can be accessed from the host system as /dev/etherd/e0.4. In this way, you can access target AoE disks as a standard local block device in Linux, and the driver handles all the network communication. You can then create a filesystem on EtherDrive blades, which can then be mounted in the normal way and accessed. Moreover, you can also create partitions, configure RAID, create network attached systems and backup storage servers on these target disks.

In case you are not interested in buying EtherDrive blades from Coraid, you can export the hard disk(s) of a Linux machine (or machines), which can then be accessed over AoE by other machines. This can be done by a program called vblade, which runs as an AoE server and exports storage disks. Other machines that want to access this target storage require the AoE kernel driver and can access it under /dev/etherd/. There are two separate implementations available of vblade, in user space (http://sourceforge.net/projects/aoetools/) and kernel space (http://lpk.com.price.ru/~lelik/AoE/).

Conclusion

AoE is a simple yet very flexible protocol that can be used to build SANs at a very low cost. It does not incorporate IP, UDP or TCP and thus is not routable, which provides low complexity and low overhead. Being confined to the local Ethernet segment is also the only access control the protocol has: there is no authentication, and filtering on the source MAC address, the one check an AoE server can apply, is defeated by a spoofed address. The storage segment must therefore be reachable only by the hosts that are meant to mount the disks. If you want to build a storage network for local access only, then AoE is definitely useful for you.

References

http://www.coraid.com/documents/EDProductDescription.pdf
http://www.coraid.com/documents/AoEDescription.pdf
http://www.coraid.com/documents/AoEr8.txt
http://www.linuxjournal.com/article/8149

About the Author

Muhammad Hammad is an experienced IT professional from Pakistan. He is currently the Chief Technology Officer for an Open Source Networking stealth startup. Prior to co-founding the startup, Hammad held the position of GM of Enterprise Data Networking at Spliced Networks.


LAYER 2 SECURITY TESTING

layer 2 security testing with yersinia
LAYER 2 SECURITY IS OFTEN OVERLOOKED BY VENDORS AND ADMINISTRATORS. YERSINIA IS AN OPEN SOURCE TOOL DESIGNED TO HELP TEST LAYER 2 PROTOCOLS ON YOUR NETWORK

by John Buswell

Open source network security tools are usually interesting; one in particular that this article focuses on is called Yersinia. Yersinia is unique in that it focuses primarily on Layer 2, an area often forgotten by both administrators and vendors alike.

So what is Layer 2?

Essentially, when we're talking Layer 2, we're talking Ethernet. Layer 2 refers to the Data Link Layer in the OSI model. If you're dealing with MAC addresses, and not IP addresses, then you're in Layer 2 land. Yersinia focuses security testing on this critical layer by looking at a number of different protocols. Yersinia looks at Spanning Tree Protocol, Cisco Discovery Protocol, DHCP, Hot Standby Router Protocol (HSRP), Dynamic Trunking Protocol, 802.1Q, 802.1X and VLAN Trunking Protocol (VTP).

So what are we testing?

The protocols mentioned above might not be ones you are familiar with. While most are supported under Linux, most of them are typically found on routers and switches in more complex network configurations. If you're using Yersinia, you're likely either a network administrator conscious of the security implications at Layer 2, or an engineer at a vendor looking to improve Layer 2 security in a switch or router type device.

Switches and Routers

For the purpose of this article, we'll be testing a Netgear Layer 3 switch and a Cisco Route Switch Module in a Cisco Catalyst 5505. Spanning Tree, 802.1Q, DHCP and 802.1X we are testing on the Netgear, and HSRP, CDP and VTP we are testing on the Cisco. We are testing DTP on both devices.

Be Smart

It is not a good idea to run Yersinia against your live network, unless you know exactly what you're doing and you are trying to replicate a specific problem, in which case Yersinia might be useful in triggering a switch to behave in a certain manner. Ideally, Yersinia has its greatest use in QA labs, support labs and engineering labs, where you can isolate attacks to test networks.

Getting Yersinia

Our Linux test system is an AMD64 X2 based Fedora Core 5 server. Yersinia is available from http://www.yersinia.net. Our system was missing libnet and libnet-devel; a quick round of installs with yum and we are ready to build. We used the nightly snapshot of Yersinia so that we had the latest release.

Building Yersinia

The usual autoconf method:

    [root@ ]# tar zxvf yersinia-snapshot.tgz
    [root@ ]# cd yersinia
    [root@ ]# ./configure --with-ncurses
    [root@ ]# make && make install

Running Yersinia

Yersinia can run in command line mode as well as a GTK graphical version. In the snapshot we tried, the GUI was a little unstable, but it worked pretty well. The GUI uses an edit mode, which allows you to modify the attributes that are used. From the GUI, there are tabs for CDP, DHCP, 802.1Q, 802.1X, DTP, HSRP, ISL (Inter Switch Link), STP, VTP and an application log. Since the GUI was a little unstable (it could be our 64-bit Fedora Core 5 as well), we'll stick with the command line. Yersinia also has a pretty slick ncurses interface that you can access with yersinia -I.

Yersinia Ncurses

The console based ncurses mode gives you interactive control over Yersinia. It is pretty straightforward: press h for the help screen and you can learn the application within a few minutes. The 'e' key allows you to edit the packet fields, 'x' starts the attack, 'l' gives a list of active attacks, 'K' kills off active attacks, and 'g' allows you to switch between protocol screens. This interactive mode is the fastest way to get up and running with Yersinia. Once you've figured out the options, you can easily put together the command line equivalent. You can capture data to a file, which will then enable you to use something like Wireshark (formerly Ethereal) to perform analysis on your tests.


Spanning Tree Protocol (STP)

Spanning Tree is a link management protocol that provides multiple path redundancy. When a switch has multiple paths, the preferred link (based on cost) is placed in FORWARDING while the redundant link is placed in BLOCKING. Spanning Tree has been discussed in depth previously in o3. STP uses Bridge Protocol Data Units (BPDUs) to exchange information between bridges. 802.1D defines two BPDU types, Configuration and Topology Change Notification (TCN); Topology Change Acknowledgment is not a separate BPDU but a flag carried in a Configuration BPDU. There are variations of Spanning Tree: STP, RSTP (Rapid Spanning Tree) and MSTP (Multiple Spanning Tree). Yersinia supports all three and can send both Configuration and TCN BPDUs. Yersinia offers 7 different STP related attacks; these are:

•Sending RAW Configuration BPDU
•Sending RAW TCN BPDU
•DoS sending RAW Configuration BPDU
•DoS sending RAW TCN BPDU
•Claiming Root Role
•Claiming Other Role
•Claiming Root Role dual home (MITM)

Launching these attacks is pretty easy with Yersinia. Simply press 'g' and select STP. Select 'e' and fill in some values for your attack, perhaps spoofing the MAC of a valid switch on your network. Then press 'x' to select the attack you wish to start. The attacks that perform Denial of Service (READ: THIS COULD BRING DOWN YOUR NETWORK) are marked with an X under the DoS heading. The defensive counterpart to exercise at the same time is whether the switch under test honours BPDU guard (shut down a host-facing port that receives any BPDU) and root guard (refuse a superior root announcement on a port where the root should never appear); the two claiming-root attacks are exactly what those features exist to stop. Yersinia allows you to edit the following packet fields:

•Source and Destination MAC addresses
•STP ID
•STP Version (0 = STP, 1 = RSTP, 2 = MSTP; note that the Protocol Version Identifier on the wire is 0 for STP, 2 for RSTP and 3 for MSTP)
•Type (Conf, Conf (MSTP/RSTP), TCN)
•FLAGS (TC, TC ACK, Proposal, Learning, Forwarding, Agreement)
•Root ID
•Path cost
•Bridge ID
•Port
•Age
•Max
•Hello
•FWD
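What those fields become on the wire, as an added example and not Yersinia's code: 802.1D Configuration and TCN BPDU encoding behind the LLC header, the priority-vector comparison that decides a root election (lowest Root ID, then path cost, then sender Bridge ID, then Port ID), which is all the Claiming Root Role attack relies on, and the two checks a switch under test should pass, root guard and BPDU guard. Bridge MACs, costs and timers are constructed values; the frames are built and parsed in memory, not sent.

```python
"""802.1D BPDU encoding and root election arithmetic (added example; not Yersinia's
code). MAC addresses and timers are constructed values; nothing is transmitted."""
import struct

LLC_STP = b"\x42\x42\x03"          # DSAP/SSAP 0x42, UI control byte, in front of every BPDU
BPDU_CONFIG, BPDU_TCN = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80    # Topology Change / Topology Change Acknowledgment bits
# protocol id, version, type, flags, root id, root path cost, bridge id, port id,
# message age, max age, hello time, forward delay (times in units of 1/256 s)
CONFIG = struct.Struct("!HBBB8sI8sHHHHH")
TCN = struct.Struct("!HBB")


def bridge_id(priority, mac):
    """8-byte Bridge Identifier: 16-bit priority followed by the bridge MAC."""
    return struct.pack("!H6s", priority, mac)


def config_bpdu(root, cost, bridge, port, flags=0, msg_age=0, max_age=20, hello=2, fwd=15,
                version=0):
    """Configuration BPDU with LLC header; ages and timers are given in seconds."""
    body = CONFIG.pack(0, version, BPDU_CONFIG, flags, root, cost, bridge, port,
                       msg_age * 256, max_age * 256, hello * 256, fwd * 256)
    return LLC_STP + body


def tcn_bpdu(version=0):
    return LLC_STP + TCN.pack(0, version, BPDU_TCN)


def parse_bpdu(data):
    if not data.startswith(LLC_STP):
        raise ValueError("no STP LLC header")
    body = data[len(LLC_STP):]
    if len(body) < TCN.size:
        raise ValueError("truncated BPDU")
    proto, version, btype = TCN.unpack_from(body)
    if proto != 0:
        raise ValueError("bad protocol identifier")
    if btype == BPDU_TCN:
        return {"type": "tcn", "version": version}
    if btype != BPDU_CONFIG or len(body) < CONFIG.size:
        raise ValueError("unknown or truncated BPDU")
    f = CONFIG.unpack_from(body)
    return {"type": "config", "version": f[1], "flags": f[3], "root": f[4], "cost": f[5],
            "bridge": f[6], "port": f[7], "msg_age": f[8] / 256, "max_age": f[9] / 256,
            "hello": f[10] / 256, "fwd": f[11] / 256}


def priority_vector(b):
    """802.1D comparison order: lowest root id, then path cost, then sender bridge id, then port."""
    return (b["root"], b["cost"], b["bridge"], b["port"])


def superior(candidate, incumbent):
    """True if the candidate BPDU would win the election against the incumbent."""
    return priority_vector(candidate) < priority_vector(incumbent)


def root_guard(expected_root, bpdu):
    """Violation if a Configuration BPDU announces a root id better (lower) than expected."""
    return bpdu["type"] == "config" and bpdu["root"] < expected_root


def edge_port_check(port_is_edge, frame):
    """BPDU guard: a host-facing port that receives any parseable BPDU should be shut."""
    if not port_is_edge:
        return "forward"
    try:
        parse_bpdu(frame)
    except ValueError:
        return "forward"
    return "err-disable"
```

The election is a plain tuple comparison, which is why Claiming Root Role needs nothing but a Bridge ID with priority 0 and a low MAC; root guard is the check that refuses to act on such a BPDU where the root should never be seen, and BPDU guard the check that refuses BPDUs from access ports altogether.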

As you can see it offers a comprehensive and very simple way to spoof an STP BPDU. The DoS features are extremely good; a quick conf DoS attack generated a 62MB packet capture file in under 5 seconds. This type of tool is excellent for testing layer 2 switch products: it can be used to send normal STP BPDUs flagged as RSTP or MSTP, or to set flags that regular STP switches wouldn't understand, to see if they crash or simply ignore the packets. Running these kinds of tests on equipment you are evaluating or preparing to place into production can locate problems BEFORE someone else tries it on your production network.

Cisco Discovery Protocol

CDP is a proprietary Cisco protocol that is used to identify and locate other Cisco devices on a network. Yersinia supports three CDP attacks:
• Sending a RAW CDP packet
• DoS flooding CDP neighbors table (this is fun)
• Setting up a virtual device

Yersinia allows you to modify:
• Source and Destination MAC addresses
• Version
• TTL
• Checksum

There isn't a lot you can do with CDP: you can see what happens if you try to fill the CDP table on a neighboring router, and you can see how Cisco devices react to spoofed CDP packets, ones with bad checksums or weird TTLs. In our case, we did manage to DoS attack the RSM module fairly quickly.

Dynamic Host Configuration Protocol

DHCP is used to assign IP addresses and other configuration information to clients on a network. DHCP is used by practically every ISP out there. So let me give you a quick warning: DO NOT, regardless of how "cool" you think it might be, test the security of your cable or DSL provider's DHCP servers. They don't want you to try, it's not cool, and you're likely to lose your access. So just don't go there. On the other hand, while I worked at Nortel on the Nortel Application Switch line of products, I used Yersinia to test a DHCP health check feature that I implemented, by using its various attacks and incorrect values to test both the switch's and the server's behavior during such an attack. Yersinia not only allowed me to perform testing that would have taken much longer to script with something like Scapy or write from scratch in C or Ruby, but to run DoS attacks and send bad packets, and determine what happened during specific network situations. The end result is that the customer base ended up with a far superior feature thanks to Yersinia.

Yersinia supports 4 DHCP based attacks:
• Sending RAW DHCP packets
• DoS sending DISCOVER packets (using up the IP pool)
• Setting up a rogue DHCP server
• DoS sending RELEASE packets (releasing assigned IPs)

As you can see already, there is plenty of fun to be had here with DHCP. Yersinia allows you to edit the following fields:
• Source and Destination MAC addresses
• Source and Destination IP addresses
• Source and Destination Ports
• Op codes
• Htype (hardware type, this is usually Ethernet)
• Hlength
• Hops
• Xid (transaction ID)
• Secs (seconds)
• Flags
• CI, YI, SI and GI (IP addresses, see RFC 2131)
• Client MAC Address

Yersinia doesn't allow you to edit some of the additional DHCP fields, such as messing with the magic number, or adding options to change the packet into a DHCP INFORM packet etc.

802.1Q

The IEEE 802.1Q standard provides a means for multiple broadcast domains to share the same physical network link without leakage between them. 802.1Q is often an important strategy in providing some security in layer 2 networks. VLANs or Virtual LANs are defined by 802.1Q. VLAN tagging allows multiple VLANs to traverse the same physical link. An office network might have several VLANs, for example the finance department might be on VLAN 666 and the support engineers might be on VLAN 102. Each VLAN has its own IP subnet.
Without VLANs and 802.1Q, these subnets would be on the same broadcast domain (layer 2), essentially a hub. It wouldn't be hard for someone in support to sniff the finance traffic and find out how much other people are being paid. With 802.1Q, both the finance and support VLANs might traverse the same physical links and exist on the same switch, but 802.1Q prevents leakage between the two. Yersinia enables you to test just how secure the 802.1Q implementation on your network really is. In 802.1Q mode, we can edit:
• Source and Destination MAC addresses
• Two sets of:
  • VLAN ID
  • Priority
  • CFI (Canonical Format Indicator, whether the MAC in the frame is in canonical format or not)
• L2 Protocol (IP, .1Q, ARP, RARP, CDP, VTP, DTP, PVST, LOOP)
• Layer 3:
  • Source and Destination IP addresses
  • IP Protocol (icmp, tcp, udp or ospf)
  • Payload

Yersinia supports three possible attacks, although as with each protocol option in Yersinia, the first one enables you to craft practically any type of malformed or corrupt packet, leaving the scope of possible testing as wide as your imagination. The attacks supported are:
• Sending 802.1Q RAW packets
• Sending double encapsulated 802.1Q packets
• Sending 802.1Q ARP Poisoning (DoS)

For our 802.1Q test, we wanted to see if the Netgear switch would accept 802.1Q packets for the wrong VLAN on a test port. Next we tested to see how well it would stand up against an ARP poisoning attack (not very well).

802.1X

802.1X is a port based authentication protocol; it's also used in many wireless networks. Linux supports 802.1X with a Linux supplicant (http://open1x.sourceforge.net/).
Yersinia provides two 802.1X attacks:
• Sending 802.1X RAW packets
• MITM 802.1X with 2 interfaces

The Yersinia implementation allows you to edit a few EAP related options:
• Source and Destination MAC addresses
• Version
• Type
• EAP Code (REQUEST, RESPONSE, SUCCESS, FAILURE)
• EAP ID
• EAP Type (Identity, Notification, TLS, MD5, OTP, Token Card, LEAP Cisco)
• EAP Info field

We sent a barrage of fake 802.1X packets to the Netgear switch, but our 802.1X configuration held up pretty well. The Netgear ignored the bad 802.1X packets, and we were able to get it to exchange some information when we sent the correct data.

Dynamic Trunking Protocol

Yersinia supports two attacks, which can be used to test the trunking/port channel capabilities of a switch:
• Sending RAW DTP packets
• Enabling Trunking

Both attacks are good for checking configurations where DTP might be enabled on all ports by default and not configured properly, allowing anyone to try to create a trunk. Yersinia allows you to edit:
• Source and Destination MAC Addresses
• Version
• Neighbor ID
• Status (ACCESS and TRUNK modes: DESIRABLE/ON/OFF/AUTO and UNKNOWN)
• Type (Native, 802.1Q and ISL modes: 802.1Q/ISL/NATIVE/NEGOTIATED)
• Domain

HSRP

HSRP is the Hot Standby Router Protocol. It is a proprietary Cisco protocol; most vendors support a similar open protocol called VRRP (Virtual Router Redundancy Protocol). HSRP works by having a pair of routers in a hot standby configuration: if the active router goes down, then the backup takes over. The end result is that the IP address configured under HSRP appears to always be up, regardless of a router failure. Yersinia offers some potential for fun at Cisco's expense:
• Sending raw HSRP packets
• Becoming the active HSRP router
• Becoming the active HSRP router with multiple interfaces

Yersinia allows us to edit a complete set of fields:
• Source and Destination MAC addresses
• Source and Destination IP addresses
• Source and Destination Ports
• Version
• Opcode (Hello, Coup, Resign)
• State (Init, Learn, Listen, Speak, Standby, Active)
• Hello
• Hold
• Priority
• Group
• Reserved
• Auth
• VIP (Virtual IP, this is the IP that's being made highly available by HSRP)

If you haven't already guessed, the idea here is to check the security of your router. What happens if you tell both routers configured as HSRP that they are backup? Can you break the HSRP state machine on the router? Can you down the network by trying to force the routers into some unsupported state? Do your access lists protecting your HSRP configuration work? Here you can test both the HSRP implementation, for things that their QA team might not have thought of, as well as the security of your configuration.

ISL mode

At the time of writing there were no possible ISL attacks; the feature appears to be partially implemented, something we can look forward to in the near future, or if you feel like modifying the code and contributing, it's a good place to start.

VLAN Trunking Protocol (VTP)

Yersinia has a nice set of attacks for VTP. VTP is a Cisco protocol that manages additions, deletions and renaming of VLANs on a network-wide basis. Designed to reduce administration, the very description sounds like a security nightmare.
With it you can launch:
• Sending RAW VTP packets
• Deleting All VTP VLANs
• Deleting specific VLANs
• Adding a VLAN
• Cisco Catalyst Zero Day attack

This is an excellent tool for testing the security of your VTP configuration. Basic tests should include making sure devices on your network that aren't supposed to be able to add and delete VLANs can't, and checking to see what happens with bad VTP packets (will it crash your current implementation?). Yersinia allows you to edit the following VTP related fields in the packets it sends out:
• Source and Destination MAC addresses
• Version
• Code (Summary, Subset, Request, Join)
• Domain
• MD5
• Updater
• Revision
• Timestamp
• Start value
• Followers
• Sequence

Analysis

Yersinia is capable of splitting capture files into per protocol files or lumping them together. Writing captures out is critical for analysis during or after the tests. A GUI packet analysis program such as Wireshark (www.wireshark.org) is a good choice for inspecting the results. Yersinia is capable of running multiple attacks at the same time, and it's an excellent testing tool. The type of analysis you do really depends on what your goal is for testing. If you are looking for a specific response, you should be looking for the MAC or IP address of the responding device, then inspect the response. In most cases, you will want to see NO response to malformed or just plain wrong packets.

Conclusion

Yersinia is an awesome tool, although it does have some potential for abuse. If for no other reason, any system or network administrator out there should look at this tool, and be familiar with the Layer 2 attacks. Taking steps to make sure specific attacks are not possible on segments of your network is probably a good idea, and since layer 2 security is often overlooked by administrators and engineers, as Yersinia continues to add features, we can expect to find more and more vulnerabilities.
Yersinia is out there; ignoring it won't help you. Using it to protect your network before someone uses it to attack your network is a good idea.
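The DHCP attacks described earlier and the analysis advice above (look for the MAC or IP address of the responding device, then inspect the response) turn into a small audit of a capture taken from the segment under test. This is an added example, not code from the article or from Yersinia: it parses the RFC 2131 header fields listed in the DHCP section plus options 53 (message type) and 54 (server identifier), and reports OFFER/ACK/NAK replies whose server identifier is not on the allowlist (a rogue server), RELEASEs for an address the releasing client never received in an ACK (the RELEASE attack), and an unusual number of distinct client MACs sending DISCOVER (pool exhaustion). The capture, the legitimate server 10.0.0.1, the client MACs and the threshold of 20 clients are all constructed for the example.

```python
import struct
from ipaddress import IPv4Address

MAGIC = bytes.fromhex("63825363")   # RFC 2131 magic cookie that precedes the options
MSG = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed RFC 2131 header (the fields Yersinia edits) plus options 53 and 54."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message (too short or magic cookie missing)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ci, yi, si, gi = (IPv4Address(payload[o:o + 4]) for o in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen].hex(":")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                           # 0 = Pad option, no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts.get(53, b"\x00")[0]
    return {"op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
            "flags": flags, "ciaddr": ci, "yiaddr": yi, "siaddr": si, "giaddr": gi,
            "chaddr": chaddr, "type": MSG.get(mtype, f"type{mtype}"),
            "server_id": IPv4Address(opts[54]) if 54 in opts else None}


def build_dhcp(op, chaddr, xid, msg_type, yiaddr="0.0.0.0", ciaddr="0.0.0.0", server_id=None):
    """Construct a minimal Ethernet/IPv4 DHCP message (sample input for this example only)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    hdr += IPv4Address(ciaddr).packed + IPv4Address(yiaddr).packed + bytes(8)  # siaddr, giaddr
    hdr += mac.ljust(16, b"\0") + bytes(192)                                    # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed
    return hdr + MAGIC + opts + b"\xff"


def audit(messages, legit_servers, discover_threshold=20):
    """Flag the three abuse patterns: rogue server replies, bogus RELEASEs, DISCOVER floods."""
    legit = {IPv4Address(s) for s in legit_servers}
    findings, discover_macs, leases = [], set(), {}
    for m in map(parse_dhcp, messages):
        if m["type"] == "DISCOVER":
            discover_macs.add(m["chaddr"])
        elif m["type"] in ("OFFER", "ACK", "NAK"):
            if m["server_id"] not in legit:
                findings.append(f"rogue server {m['server_id']} sent {m['type']} "
                                f"offering {m['yiaddr']} to {m['chaddr']}")
            elif m["type"] == "ACK":
                leases[m["chaddr"]] = m["yiaddr"]        # remember who legitimately got what
        elif m["type"] == "RELEASE":
            if leases.get(m["chaddr"]) != m["ciaddr"]:
                findings.append(f"RELEASE of {m['ciaddr']} from {m['chaddr']} "
                                f"which holds no such lease")
    if len(discover_macs) > discover_threshold:
        findings.append(f"{len(discover_macs)} distinct client MACs sent DISCOVER "
                        f"(possible pool exhaustion)")
    return findings


# Constructed capture: one normal lease, one rogue OFFER, one spoofed RELEASE, one DISCOVER flood.
LEGIT = "10.0.0.1"
CLIENT = "00:11:22:33:44:55"
SAMPLE_CAPTURE = [
    build_dhcp(1, CLIENT, 0x1001, 1),                                                # DISCOVER
    build_dhcp(2, CLIENT, 0x1001, 2, yiaddr="10.0.0.50", server_id=LEGIT),           # OFFER
    build_dhcp(2, CLIENT, 0x1001, 2, yiaddr="10.0.0.200", server_id="10.0.0.99"),    # rogue OFFER
    build_dhcp(1, CLIENT, 0x1001, 3),                                                # REQUEST
    build_dhcp(2, CLIENT, 0x1001, 5, yiaddr="10.0.0.50", server_id=LEGIT),           # ACK
    build_dhcp(1, "00:11:22:33:44:66", 0x2002, 7, ciaddr="10.0.0.50", server_id=LEGIT),  # RELEASE
] + [build_dhcp(1, f"02:00:00:00:00:{n:02x}", 0x3000 + n, 1) for n in range(25)]     # flood


if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE, [LEGIT]):
        print(finding)
```

The allowlist of server identifiers is the only piece of local knowledge the audit needs; on a production segment it is the list of DHCP servers (or relay agents) you expect to answer, and anything else answering is the responding device the article tells you to go and look at.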

Figure 42.1 - Yersinia GTK interface

Figure 42.2 - Yersinia curses interface


DEPLOYING T1S WITH LINUX

Deploying T1s with Linux

WAN LINKS PLAY AN IMPORTANT ROLE FOR BUSINESSES. CISCO IS THE USUAL CHOICE FOR T1 WAN LINKS, BUT DEPLOYMENT UNDER LINUX IS POSSIBLE, CHEAPER AND OFFERS BETTER SECURITY AND FLEXIBILITY

This month we look at migrating access (edge) routers from Cisco to Linux. A T1 is the standard connection type for reliable, fast and cost effective Internet access for businesses in America. In Europe the connection is called an E1, and in Japan a J1. The bandwidth varies between the different types due to the channels available on each link. For the purpose of this article, we will focus on T1; however the equipment we describe in this article can also run on E1 links. A T1 provides 1.54Mbps of bandwidth; typically a T1 will cost more than business class DSL or cable connections. However, a T1 is typically far more reliable, and usually comes with a much better Service Level Agreement (SLA). An SLA typically describes the minimum performance the customer can expect from the network. If performance drops below that level, the customer has recourse with the provider. Likewise, an SLA usually has a service response time, and the connection is monitored. If the link goes down, the ISP is contracted to respond and repair within a specific amount of time. The SLA usually specifies whether the customer is entitled to a refund if the connection is down for any lengthy amount of time. A T1 is a good option for mission critical applications, because it is far more reliable than a regular DSL or cable connection. Unlike DSL connections, the provider doesn't typically supply the router; instead the customer must purchase, install and configure the router. Most providers will sell you services where they sell you, install, configure and manage the router.
You will typically pay a premium for this type of service. If the provider is supplying a Cisco router, and they are providing firmware upgrades, it may be worth the initial installation fee over time, if they are going to upgrade the router for you. With Cisco you need to have a maintenance contract called a Smartnet Contract in order to obtain the firmware for your Cisco router, no exceptions. The cost over a few years may make any installation fees seem minimal, depending on the type of Cisco router you have. In fact, it may well be because of the cost of upgrading an existing Cisco router that you are reading this article. In our case, we had a Cisco Route Switch Module (RSM), which is basically a Cisco 7500 router on a module "stick" for the Cisco Catalyst 5500 switching platform, with a VIP2-40 module. The VIP2-40 allows you to plug Cisco Port Adapter Modules into the Cisco Catalyst 5500 for use with the RSM. In our case, we had a PA-4T, a quad port T1 card that was connected to an Adtran CSU/DSU. This platform worked fine, but the Catalyst 5500 is a huge piece of equipment that isn't exactly friendly on the electricity bill; after we upgraded from Fast Ethernet to Gigabit Ethernet network-wide, we needed to phase out the 5500.

Selecting a Card

There are a number of T1 cards available that work under Linux. We chose the Sangoma Technologies A101 card, which is a single port T1 card that supports HDLC, and has an integrated CSU/DSU. This meant we had at least one piece of equipment less to be concerned about, as we no longer needed the Adtran. Sangoma sell dual and quad port T1 cards. The A101 is reasonably priced; we purchased ours from iFax (www.ifax.com) for $474.00, plus shipping. The A101 is a 32-bit PCI card.

Installation

Installation is simple: we installed the A101 into a Dell 2450 running Gentoo Linux 2006.0. Our installation of Gentoo was running a 2.6.16 kernel; we downloaded the latest Sangoma Wanpipe stable drivers from Sangoma's website. Installation was trivial: simply unpack the driver tarball, run ./Setup install, and follow the instructions, which amounted to hitting enter and answering yes to a few questions. The driver installation was extremely smooth. Configuration was just as easy with Sangoma's wancfg utility. Simply run wancfg, and you are presented with a nice curses based configuration tool.
First select > Create a new configuration File > wanpipe2.conf (does not exist). We chose to select from detected cards, and it found our AFT-A101u card without any problems. The Physical Medium was set by default to T1; if you're in Europe, you'll want to change this to E1. Our T1 uses B8ZS decoding with ESF framing, this is pretty standard, and all the defaults worked reliably for us. After Hardware Setup, you need to define a protocol.


If you're upgrading from a Cisco router, then it is very likely your current setup is using Cisco HDLC (CHDLC) as the protocol. You can check this by running the show interface command on your Cisco router; you want to look for the Encapsulation line.

Serial1/3 is up, line protocol is up
  Hardware is cyBus Serial
  Description: BQW T1-xxxxx-9xxxxxx1
  Internet address is 10.14.21.166/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 10/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  Last input 00:00:04, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 63
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/63 (size/max total/threshold/drops)
     Conversations 0/25/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 66000 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     4599972 packets input, 3258648379 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     2 input errors, 2 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     4680418 packets output, 1326559419 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 117120 output buffers swapped out
     1 carrier transitions
     RTS up, CTS down, DTR up, DCD up, DSR up

Cisco HDLC requires very little configuration; the defaults worked fine for us.
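To keep the two ends of the wancfg dialogue straight, here is an added example (not from the article, not from Sangoma) that extracts the encapsulation, interface address and keepalive from the show interface output above and derives the point-to-point address for the /30 an ISP normally assigns; a /31 (RFC 3021) is handled too, and anything wider is refused so that you check with the provider. The protocol names CHDLC, PPP and FR are the ones the Wanpipe driver lists in its boot messages later in this article; the mapping from Cisco's encapsulation names to them, and the trimmed sample output, are assumptions made for the example.

```python
import re
from ipaddress import IPv4Address, IPv4Interface

# Trimmed copy of the "show interface" output shown above (constructed sample input).
SHOW_INTERFACE = """\
Serial1/3 is up, line protocol is up
  Hardware is cyBus Serial
  Internet address is 10.14.21.166/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 10/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
"""


def parse_show_interface(text: str) -> dict:
    """Pull the settings the wancfg dialogue asks for out of Cisco 'show interface' output."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text, re.MULTILINE)
        if not m:
            raise ValueError(f"pattern not found: {pattern}")
        return conv(m.group(1))
    name, state, proto = re.match(r"(\S+) is (\S+), line protocol is (\S+)", text).groups()
    return {
        "interface": name,
        "up": state == "up" and proto == "up",
        "address": grab(r"Internet address is (\S+)", IPv4Interface),
        "bandwidth_kbit": grab(r"BW (\d+) Kbit", int),
        "encapsulation": grab(r"Encapsulation (\w+)"),
        "crc": grab(r"crc (\d+)", int),
        "keepalive_sec": grab(r"Keepalive set \((\d+) sec\)", int),
    }


def peer_address(iface: IPv4Interface) -> IPv4Address:
    """Other end of a point-to-point link: /30 is the usual ISP assignment, /31 (RFC 3021)
    also works; anything wider cannot be inferred, so the caller has to ask the provider."""
    net = iface.network
    if net.prefixlen == 31:
        candidates = list(net)            # both addresses are usable on a /31
    elif net.prefixlen == 30:
        candidates = list(net.hosts())    # skips the network and broadcast addresses
    else:
        raise ValueError(f"/{net.prefixlen} is not a point-to-point subnet; check with the provider")
    (peer,) = [h for h in candidates if h != iface.ip]
    return peer


# Cisco encapsulation name -> Wanpipe protocol name. CHDLC/PPP/FR appear in the driver's
# boot messages; which Cisco name maps to which is an assumption for this example.
WANCFG_PROTOCOL = {"HDLC": "CHDLC", "PPP": "PPP", "FRAME-RELAY": "FR"}


def wancfg_settings(text: str) -> dict:
    """What to type into wancfg for a like-for-like replacement of the Cisco interface."""
    cfg = parse_show_interface(text)
    return {
        "protocol": WANCFG_PROTOCOL.get(cfg["encapsulation"], cfg["encapsulation"]),
        "local_ip": str(cfg["address"].ip),
        "point_to_point_ip": str(peer_address(cfg["address"])),
        "keepalive_sec": cfg["keepalive_sec"],
    }


if __name__ == "__main__":
    for key, value in wancfg_settings(SHOW_INTERFACE).items():
        print(f"{key:18} {value}")
```

For the sample the derived peer is 10.14.21.165, which is exactly the peer address the ip addr output later in the article shows on w1g1chdl; if the derived peer disagrees with show ip route on the Cisco, trust neither and ask the provider.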
If you use another type of encapsulation, you can typically pull the information you need from the Cisco router to configure the Sangoma card. You should now return to the previous menu, where you'll have:

Hardware Setup -->       A101/2
Protocol ------------>   CHDLC
Interface Setup ---->    1 defined

Select the Interface Setup, and you'll see your interface w1g1chdl; select it. We left the mode as WANPIPE, this is fine if you're just swapping out a regular Cisco router and don't need to do anything fancy. Configure the IP information: your local IP you can pull from the Cisco router using the show ip interface brief command. Simply look for the interface that corresponds to your T1 on the Cisco router, and on the same line you'll find your IP address. The Point-to-Point address is the IP address on the other side of the T1, your provider's router. Typically an ISP will use a /30 (2 host) subnet, so you can easily determine the remote IP from looking at the IP assigned on the Cisco to that interface. Alternatively, you can look at the routing table on the Cisco (show ip route), which should list the remote end as the gateway of last resort, but that might not always be the case. If you are uncertain, check with your provider. Enabling Dynamic Interface Config will mark the interface up and down as the link goes up and down; this makes things a lot easier to debug, so enable it. Finally, head down to the Advanced WANPIPE options menu, and wrap up the configuration. Save as you exit out, and your configuration is complete.

Now, to test it, simply plug the Sangoma card into your smartjack with the supplied T1 cable, and run wanrouter start wanpipe1, where wanpipe1 was the configuration we selected to use. If you used a different configuration slot, adjust the command accordingly. Now, in dmesg you should see something along the lines of:

wanpipe: WANPIPE Modules Unloaded.
WANPIPE(tm) Hardware Support Module Stable 2.3.33 (c) 1994-2005 Sangoma Technologies Inc
WANPIPE(tm) Interface Support Module Stable 2.3.3-3 (c) 1994-2005 Sangoma Technologies Inc
WANPIPE(tm) PPP/Cisco HDLC Protocol Stable 2.3.33 (c) 1994-2005 Sangoma Technologies Inc
WANPIPE(tm) Multi-Protocol WAN Driver Module Stable 2.3.3-3 (c) 1994-2005 Sangoma Technologies Inc
wanpipe: Probing for WANPIPE hardware.
ACPI: PCI Interrupt 0000:00:08.0[A] -> GSI 22 (level, low) -> IRQ 21
wanpipe: AFT-A101u T1/E1 card found (HDLC rev.25), cpu(s) 1, bus #0, slot #8, irq #21
wanpipe: Allocating maximum 1 devices: wanpipe1 wanpipe1.
WANPIPE(tm) Socket API Module Stable 2.3.3-3 (c) 1994-2005 Sangoma Technologies Inc
NET: Registered protocol family 25
af_wanpipe: Registering Wanpipe API Socket Module


WANPIPE(tm) L.I.P Network Layer Stable 2.3.3-3 (c) 1995-2004 Sangoma Technologies Inc.
Wanpipe LIP: Protocols: FR PPP CHDLC LIP_ATM
wanpipe1: Starting WAN Setup
Processing WAN device wanpipe1...
wanpipe1: Locating: A101/2 card, CPU A, PciSlot=8, PciBus=0
wanpipe1: Found: A101/2 card, CPU A, PciSlot=8, PciBus=0
ACPI: PCI Interrupt 0000:00:08.0[A] -> GSI 22 (level, low) -> IRQ 21
wanpipe1: AFT PCI memory at 0xFE042000
wanpipe1: IRQ 21 allocated to the AFT PCI card
wanpipe1: Initializing for SMP
wanpipe1: Starting AFT Hardware Init.
wanpipe1: Enabling front end link monitor
wanpipe1: Hardware Adapter Type 0x41 Scurity 0x00
wanpipe1: Security 1 Line UnCh
wanpipe1: Configuring PMC COMET T1 Front End (Port 1)!
wanpipe1: All channels enabled
wanpipe1: Configuring Device: wanpipe1 FrmVr=25
wanpipe1: Global MTU = 1500
wanpipe1: Global MRU = 1500
wanpipe1: RBS Signal = Off
wanpipe1: FE Ref Clock = Osc
wanpipe1: TDMV Span = Not Compiled
wanpipe1: Configuring Interface: w1g1
wanpipe1:    UsedBy        :STACK
wanpipe1:    MRU           :1500
wanpipe1:    MTU           :1500
wanpipe1:    HDLC Eng      :On
wanpipe1:    Timeslot Map  :0xFFFFFFFF
wanpipe1:    DMA MRU       :2048
wanpipe1:    RX DMA Per Ch :10
wanpipe1:    Net Gateway   :No
wanpipe1: Registering LIP w1g1chdl -> w1g1
w1g1chdl: Running in WANPIPE mode
w1g1chdl: Sync CISCO Configuration
w1g1chdl: Keep Alive Timer :5
w1g1chdl: Keep Alive Cnt   :10
wanpipe1: T1 disconnected!
wanpipe1: T1 connected!
w1g1: Lip Link Carrier Connected!
w1g1chdl: protocol up
w1g1chdl: Lip Dev Prot State Connected!

Finally, ip addr should display the information for the T1. You'll see two interfaces, one for the T1 and one for the Cisco HDLC encapsulation over the T1:

7: w1g1: <NO-CARRIER,POINTOPOINT,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ppp
8: w1g1chdl: <NO-CARRIER,POINTOPOINT,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ppp
    inet 10.14.21.166 peer 10.14.21.165/30 scope global w1g1chdl

Here you see the links are down. The w1g1 comes up first, then after about 30 seconds the w1g1chdl will come up and the NO-CARRIER is removed, as you see here:

19: w1g1: <POINTOPOINT,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ppp
20: w1g1chdl: <POINTOPOINT,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ppp
    inet 10.14.21.166 peer 10.14.21.165/30 scope global w1g1chdl

Conclusion

Overall, the total time to switch over from the Cisco router to the Linux box with the Sangoma card was less than 30 minutes. This included the hardware installation of the Sangoma card into the Linux router. A few iptables commands to configure NAT or IP masquerading, depending on your IP allocation, and perhaps a few iptables commands to duplicate the functionality of the Cisco Access Control Lists on your Cisco router, and you're done.

About the Author

John Buswell is Editor in Chief of this magazine, and Chief Technology Officer of Spliced Networks LLC. You have the opportunity to meet John Buswell at Ohio LinuxFest on Saturday September 30th 2006. For more information visit http://www.ohiolinux.org.


DEPLOYING MYSQL

Deploying open source databases: MySQL

OUR FIRST SERIES OF "FOCUS ON" ARTICLES LOOKS AT OPEN SOURCE DATABASES. MYSQL IS THE MOST POPULAR OPEN SOURCE DATABASE, SO IT'S ONLY FITTING THAT WE LOOK AT IT FIRST

by John Buswell

This new "focus on" column has been in the pipeline for some time now, and there is no better place to start than with MySQL. MySQL is the most widely used open source database solution available today. MySQL is developed by a company called MySQL AB, which offers commercial products based off MySQL and a variety of support services. Many web based open source solutions utilize MySQL; in fact the "M" in the infamous LAMP term stands for MySQL. LAMP describes the Linux, Apache, MySQL, PHP suite of open source applications that are pieced together to provide a high performance web application framework. In this article, we will introduce you to MySQL, and walk you through the basic installation and configuration. Next issue, we will do the same with PostgreSQL, another widely popular open source database system. PostgreSQL is often preferred by developers because of the less restrictive licensing placed on PostgreSQL; it's completely free.

Introduction

For the purpose of this article, we look at MySQL 5.0.22 [Community Edition]. As with many open source projects backed by companies, MySQL's community edition has a faster life cycle than its commercial counterpart. This is not necessarily a bad thing, if you can perform testing, and work out potential bugs in house. Having used MySQL for a number of years, we've yet to run into a major problem as a result of using the Community version of the database system.
Typically, the community edition hasn't gone through as rigorous a testing cycle as the commercial version, and it's likely there is less of a decision making process behind what patches are worked into the community version. If you are running something that is highly business critical, it is well worth looking at the product offerings from MySQL AB; if on the other hand you have the talent in house, it can offer significant savings to roll with the Community Edition. MySQL AB offers a SAP certified database called MaxDB. MaxDB contains some features that are not in MySQL, while MaxDB may not support all the platforms that MySQL supports. Key differences in functionality revolve around the network protocol used for client/server communications, and MaxDB is distributed with text, graphical and web based interfaces. So if you don't need the SAP certification, in the majority of cases MySQL Community Edition will work just fine for your project.

Setting up the environment

MySQL 5.0.22 is available from a number of mirrors located through the Developer Zone link on the MySQL website (http://www.mysql.com). For the purpose of this article, we used an AMD64 2.0GHz system running Gentoo 2006.0 with 1GB RAM. Once downloaded, simply untar the archive with tar zxvf mysql-5.0.22.tar.gz. Before we can build the source, we need to add a user and group for mysql. The default is to use mysql; however it's not a bad idea to use something different to make it a little harder for potential malicious users. It is also useful if you want to run different versions of mysql on the same system or different instances of mysql on the same system. We will use the default for this article. Since we're building from source, we also need to put mysql in a place where it won't get confused with files from the Linux distribution we are using. You can put mysql anywhere you please, but for this article we're going to place it in /opt/db/mysql. We're using /opt/db/mysql because next issue we will be using /opt/db/pgsql to store PostgreSQL.

# groupadd mysql
# useradd -g mysql -d /opt/db/mysql mysql -m

MySQL can provide client/server transport over SSL encrypted connections. To do this, it needs openssl.
Now you can use the openssl that came with your Linux distribution, but I find that it's often better when building code from source to use your own set of libraries. So for the purpose of this article, I built openssl 0.9.8b:

# wget http://www.openssl.org/source/openssl-0.9.8b.tar.gz
# tar zxvf openssl-0.9.8b.tar.gz
# cd openssl-0.9.8b
# ./config --prefix=/opt/db/openssl \
    --openssldir=/opt/db/ssl zlib-dynamic \
    shared


# make
# make test
# make install

As you can see above, I've installed openssl into /opt/db/openssl. Next issue, we'll build postgresql against the same version of openssl. The ssl directory is where the ssl cert and other configuration data is stored; this shouldn't be confused with the prefix directory, which is where the binaries, libraries and includes for openssl are installed. These should be different paths!

Building from source

Now that the environment is ready to go, it is time to compile MySQL. While MySQL AB have big warning signs about compiling from source, following the instructions below will give you a production safe environment.

# CFLAGS="-O3" CXX=gcc CXXFLAGS="-O3 \
    -felide-constructors \
    -fno-exceptions -fno-rtti" ./configure \
    --prefix=/opt/db/mysql/ \
    --with-mysqld-user=mysql \
    --with-unix-socket-path=/tmp/mysql.sock \
    --enable-assembler \
    --with-openssl=/opt/db/openssl/ \
    --with-openssl-includes=/opt/db/openssl/include \
    --with-openssl-libs=/opt/db/openssl/lib \
    --enable-thread-safe-client

If you don't want to use openssl, you should include the line --with-mysqld-ldflags=-all-static, and remove the openssl lines. The --enable-thread-safe-client option is used so that the extra tools for mysql are built. If you don't need them, you can drop that line. Scroll up through the output from the configure command, and make sure it didn't produce any errors because your environment is missing something or is too old for the current version.
I fitdoe s produce e rrors aboutpack age s be ing t oo ol d, s im pl y f ol l ow t h e ins t ruct ions f or your dis t ribut ion t o updat e it . T o buil d m ys q l , w e s im pl y run m ak e , and grab a cup of cof f ee. # m ak e # m ak e ins t al l # m k dir -p / opt / db/ cf g # cp s upport =f il es/ m y-m e dium .cnf/ opt / db/ cf g/ m y.cnf #l n -s f/ opt / db/ cf g/ m y.cnf/ et c/ m y.cnf

The last three lines above copy the default medium server config to /opt/db/cfg and symlink /etc/my.cnf to this location. The reason we are doing this is to centralize our db configurations for easier management, but it also allows us to grant a db administrator write permissions to /opt/db/cfg without having to give them access to /etc.

Since we built custom libraries, we need to update /etc/ld.so.conf with the paths for ssl (/opt/db/openssl/lib) and mysql (/opt/db/mysql/lib/mysql/). Simply add these to /etc/ld.so.conf and run ldconfig. If you are running Gentoo though, you'll need to add these to a file in /etc/env.d/ and run env-update. Otherwise you'll lose the path next time Gentoo runs env-update.

Now, we need to do some configuration and setup. Since we're just introducing MySQL, we're not going to look at doing anything complex such as placing MySQL in a chroot environment. However, after the PostgreSQL introduction, we will be looking at how to chroot both database systems.

# cd ~mysql
# bin/mysql_install_db --user=mysql
# chown -R root .
# chown -R mysql var
# chgrp -R mysql .
# bin/mysqld_safe --user=mysql &

The above commands set some default permissions, populate basic database information, and the last line starts the mysql server. By default, mysql has no administration password, so we need to set one up. One of the bad things that mysql recommends you do is issue the password command to mysqladmin from the command line. If you're using a shell that keeps command history, someone can just run history later on and find out what you set the password to. While you might argue that someone would need root, it's just a bad habit to get into, leaving passwords in the command history. To get around this problem, we simply put together a script, which we can delete afterwards.

# nano -w ./dbpass.sh

#!/bin/bash
/opt/db/mysql/bin/mysqladmin -u root password \
    'mynewdbpass'
/opt/db/mysql/bin/mysqladmin -u root -h \
    myhostname.domain password 'mynewdbpass'
rm -rf ./dbpass.sh
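The dbpass.sh approach keeps the password out of shell history, but the new password is still in mysqladmin's argument list while it runs, where any local user can read it from the process table. The shell functions below are an added example, not the article's script: they hand the credentials to the client through an option file that only root can read, so the secret never appears in history or in process arguments. The /opt/db/mysql prefix follows the article; the temporary file path and the prompting behaviour of mysqladmin's password command are assumptions.

```shell
#!/bin/sh
# Added example (not the article's dbpass.sh): pass MySQL credentials to
# the client tools via a root-only option file instead of the command line.
# /opt/db/mysql follows the article; everything else here is an assumption.

# write_client_defaults <user> <password> <file>
# Writes a [client] option file that mysql, mysqladmin and friends read via
# --defaults-extra-file. The file is created with mode 0600 (umask 077 in a
# subshell) so no other user can read it even for an instant.
write_client_defaults() {
    user=$1; pass=$2; file=$3
    # Option-file values are double-quoted; escape backslashes and quotes inside.
    esc=$(printf '%s' "$pass" | sed 's/[\\"]/\\&/g')
    ( umask 077; printf '[client]\nuser=%s\npassword="%s"\n' "$user" "$esc" > "$file" )
}

# set_root_password [host]
# Interactive: reads the current root password from the terminal, never from
# the command line, then lets mysqladmin prompt for the new one. Assumption:
# the mysqladmin you built prompts when 'password' is given without a value;
# check this against your build before relying on it.
set_root_password() {
    host=${1:-localhost}
    tmp=$(mktemp /tmp/mysqlroot.XXXXXX) || return 1
    printf 'Current root password (empty on a fresh install): '
    stty -echo; read -r cur; stty echo; printf '\n'
    write_client_defaults root "$cur" "$tmp"
    # --defaults-extra-file must be the first option on the command line.
    /opt/db/mysql/bin/mysqladmin --defaults-extra-file="$tmp" -h "$host" password
    rc=$?
    rm -f "$tmp"        # nothing holding the credentials stays on disk
    return "$rc"
}
```

Run set_root_password once for localhost and once with the server's hostname, as the article's script does for the two root accounts; the option file is removed before the function returns, so, as with dbpass.sh, `ls -la | grep mysqlroot` should find nothing afterwards.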


# chmod 700 ./dbpass.sh
# ./dbpass.sh
# ls -la | grep dbpass

The last line should return nothing, and your database administration passwords have been changed without a record on the local filesystem.

Since we'll want to optimize mysql later, it's always a good idea to get a baseline on the server performance, so we're going to run the sql-bench benchmarking tools that come with mysql. You'll need perl and the DBI module for perl; if you're running Gentoo, you can simply do emerge DBI. You will still need the perl DBI/mysql.pm module; the easiest way (at least in Gentoo) without having Gentoo pull down mysql again is to use the CPAN shell. If it's the first time you've run this, it'll ask some questions, just customize it as you see fit. We stored our cache in /var/spool/perl/CPAN. If you did a fresh install of Gentoo, you'll probably want to emerge unzip, ftp, lynx, and gnupg. Don't forget to prefix with USE="-X" to avoid installing all the GUI stuff you probably don't need.

# PATH=$PATH:/opt/db/mysql/bin
# export PATH
# perl -MCPAN -e shell
cpan> get DBD::mysql
cpan> make DBD::mysql
cpan> test DBD::mysql
cpan> exit
# cd /var/spool/perl/CPAN/build
# ls
DBD-mysql-3.0006
# cd DBD-mysql-3.0006
# make install
# cd ~mysql
# mysql --user=root mysql -p
Password: ********
mysql> GRANT ALL PRIVILEGES ON *.* TO 'test'@'localhost' IDENTIFIED BY 'test' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
mysql> quit
# cd sql-bench
# perl run-all-tests --server=mysql --user=test \
    --password=test --log
# mysql --user=root mysql -p
Password: ********
mysql> DROP USER 'test'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> quit

You'll probably get some errors about permissions with the DBD test; just ignore those.

Networking

In some situations you'll have the mysql server on the same system as the application needing to use the database. This type of scenario is typical if you have a single colocated server or you are leasing a dedicated server from a provider. In such cases, you don't need the added security risk of running MySQL on a TCP port; instead you can use unix sockets for communication with MySQL. To configure MySQL for unix sockets simply edit my.cnf; the modified lines are shown in the config segments below:

[client]
#port=3306
socket=/tmp/mysql.sock

[mysqld]
#port=3306
socket=/tmp/mysql.sock
skip-networking

Simply configure your application to use the socket method; this varies from application to application and is often detected automatically. There is some magic needed if you're running mysql in a chroot, which we will discuss in a later article.

In most enterprise environments though, you will likely want to run a dedicated database server or cluster of database servers. MySQL 5.x provides a variety of features for running database servers in clusters; several problems with data integrity, especially write integrity across multiple servers, are a key problem for clustered database solutions. Our build of mysql didn't compile cluster support; we will discuss database clustering and load balancing in a future article. The goal of this column is to build up to more complex solutions, as you would scale a solution in a real world deployment, thus allowing us to address migration issues along the way.


MySQL uses TCP connections to perform client/server operations between the database server and the application using the database. If you compiled MySQL with SSL support, then it is important to use SSL-encrypted sessions for these communications. There is no point investing in highly secure solutions on your web server if someone can simply run tcpdump and capture data by intercepting the MySQL traffic between your web server and your database. While an outside attacker might have to compromise your network, there is nothing stopping someone on your local network from collecting data they are not supposed to have access to using a basic packet capture tool.

Dedicated Network or VLAN

Placing MySQL traffic on a dedicated physical network or VLAN offers an additional layer of security, while providing an important foundation for scaling the network up at a later stage. If the deployment has only a small number of servers that need to access the database server, and if you anticipate that your SQL traffic will grow rapidly over the next couple of years, it is a worthwhile investment to purchase some additional GbE (Gigabit Ethernet) adapters and deploy a separate physical network for your database traffic. What do we mean by a separate physical network? Simply put, each server that needs access to the database, and each database server, would have a dedicated Fast Ethernet or GbE adapter connected to either a dedicated switch or a dedicated VLAN on a switch. All database traffic would exist on a dedicated IP subnet (e.g. 10.33.06/24), which would not be routed outside of the VLAN. It is a wise precaution to block the database IP subnet at your firewalls to prevent any possible leakage. Likewise, using iptables on each of your servers and database servers to block all non-database and non-database-subnet IP traffic on the interface attached to the database VLAN is a good idea.

This type of deployment has advantages as you add features to your network. For example, an IDS sensor can be attached to the database VLAN. Since the VLAN only passes SQL traffic, the IDS sensor can be fine-tuned and optimized to look specifically at SQL data. When you add replication to your database deployment, you already have a dedicated high-speed network for pushing database traffic between servers. Concerns about network performance and scalability as your network traffic grows are less of an issue, as the database traffic is not on your production VLANs and doesn't have to co-exist with other data on the wire. Switch settings such as MTU size can be optimized for database traffic. In the future, should you migrate to a layer 4 switched environment (e.g. IP load balancing) for your database services, you simply need to move your database servers behind the load balancer's virtual server and configure the virtual server to match your existing database server's IP, facilitating fast and simple migration to a load-balanced environment. The cost of a few switch ports and network adapters is quickly offset by the immediate performance gains and the long-term security and scalability advantages. Planning your network for future scalability, even if you're starting with one server and one database server, will save you from future headaches.

Testing MySQL

By now, the sql-bench results should be in. They are stored in output/RUN-mysql-*, where * is specific to your kernel, distribution and platform. The test results will vary depending on your hardware and what the system is doing at the time. Our results were pretty respectable for the hardware we used: insert (683 wall clock secs), select (263 wall clock secs), create (444 wall clock secs) and connect (63 wall clock secs). Below are a couple of commands that you can use to inspect the configuration, status and database information in mysql. It is a good idea to familiarize yourself with the output, and make sure options which probably contain default values are configured the way you need them.

# mysqladmin -p version
# mysqladmin -p variables
# mysqlshow -p
# mysqlshow -p mysql

MySQL Anonymous Accounts

Earlier we secured the default superuser "root" account by setting a password. MySQL also includes two anonymous accounts which by default have no password. There is no legitimate reason for leaving these accounts on the server. When you add applications, whether open source, in-house or commercial, they should always have their own database and database account. That way, you can separate permissions, and if one application is compromised, only the data from that application is at risk. The MySQL documentation has details on how to set the password on these anonymous accounts, but we're just going to delete them.

# mysql -u root -p
Password: ******


mysql> DELETE FROM mysql.user WHERE User = '';
mysql> FLUSH PRIVILEGES;
mysql> quit

Securing MySQL

If you're using MySQL on a shared data network, with port 3306 open, it is a good idea to use iptables to restrict access to the MySQL port.

# iptables -A INPUT -p tcp -s 10.20.30.40 \
    --dport 3306 -j ACCEPT
# iptables -A INPUT -p tcp --dport 3306 -j DROP
# iptables -A OUTPUT -p tcp -d 10.20.30.40 \
    --sport 3306 -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 3306 -j DROP

On the database server itself, simply run the above iptables commands. The examples above will permit MySQL traffic between the database server and 10.20.30.40 (an application server on our network). If you want to add other servers, you can define either the subnet or each server's IP individually by duplicating the ACCEPT lines (but changing the 10.20.30.40 IP address) and inserting them before the DROP lines.

IP binding

MySQL supports a configuration option called bind-address. This enables you to bind the MySQL server to a specific IP address. The option only permits you to bind to a single address, so you can bind it to an IP such as 10.20.30.10, but then you cannot bind it to localhost at the same time. If you don't need to access the database server via localhost, simply use bind-address to bind it to your database server's IP. However, if you need to bind across multiple IP addresses, then you'll have to remove the bind-address configuration option and use iptables to restrict access. When you remove bind-address it will bind to 0.0.0.0:3306.
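The skip-networking my.cnf from the Networking section, the bind-address option and the iptables rules above are three settings that together decide whether the server is reachable from the wire at all. The shell functions below are an added example, not the article's code: the first reads a my.cnf and reports which of the three states the [mysqld] section puts the server in (socket only, bound to one address, or listening on every interface, which is what the article says happens when bind-address is absent), and the second generates the article's ACCEPT-before-DROP rule set for any number of application servers, so the ordering the text warns about cannot be got wrong by hand. The 10.20.30.x addresses and file paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): audit how a my.cnf exposes MySQL on
# the network, and emit the "Securing MySQL" iptables rules for a list of
# permitted application servers. Addresses and paths are assumptions.

# mysql_listen_mode <my.cnf>
# Prints one of:  socket-only | bound:<ip>:<port> | all-interfaces:<port>
mysql_listen_mode() {
    cnf=$1
    # Keep only the [mysqld] section; drop comments and surrounding whitespace.
    section=$(awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        in_mysqld && !/^[[:space:]]*#/ {
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            if ($0 != "") print
        }' "$cnf")
    # Option names accept '-' or '_' interchangeably, so match both spellings.
    port=$(printf '%s\n' "$section" | sed -n 's/^port[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    bind=$(printf '%s\n' "$section" | sed -n 's/^bind[-_]address[[:space:]]*=[[:space:]]*//p' | tail -n 1)
    if printf '%s\n' "$section" | grep -qxE 'skip[-_]networking'; then
        echo socket-only                       # no TCP listener at all
    elif [ -n "$bind" ]; then
        echo "bound:$bind:${port:-3306}"       # one address, as the article describes
    else
        echo "all-interfaces:${port:-3306}"    # 0.0.0.0:<port>; rely on iptables
    fi
}

# mysql_iptables_rules <port> <allowed-ip-or-cidr>...
# Prints the rules in the order the article requires: one ACCEPT pair per
# permitted host first, then the catch-all DROP pair. Pipe into sh to apply.
mysql_iptables_rules() {
    port=$1; shift
    [ $# -gt 0 ] || { echo 'need at least one allowed host' >&2; return 1; }
    for ip in "$@"; do
        case "$ip" in
            ''|*[!0-9./]*) printf 'not an IPv4 address or CIDR: %s\n' "$ip" >&2; return 1 ;;
        esac
        echo "iptables -A INPUT -p tcp -s $ip --dport $port -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp -d $ip --sport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    echo "iptables -A OUTPUT -p tcp --sport $port -j DROP"
}
```

A sensible pairing is to run mysql_listen_mode /etc/my.cnf first and only generate rules when it reports something other than socket-only; on a socket-only server there is no port 3306 to filter, and on an all-interfaces server the generated rules are the only thing keeping other hosts off the listener.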
Adding and Removing Databases

Almost all of the manual database operations you will do will be done through the mysql program.

# mysql -u root -p
Password: ******
mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3 rows in set (0.00 sec)

The USE command allows you to access a database:

mysql> USE test
Database changed

The USE and quit commands do not require a semicolon at the end of the command. To create a database, use the CREATE command:

mysql> CREATE DATABASE o3database;
mysql> USE o3database
mysql> CREATE TABLE test (name VARCHAR(30), result VARCHAR(20));
mysql> SHOW TABLES;
mysql> DESCRIBE test;

The LOAD DATA command can be used to load data into your new table from a file. You can also use the INSERT command to manually insert information into the database. The SELECT command is used to retrieve data from the table. You can remove the database using the DROP DATABASE command:

mysql> USE mysql
mysql> DROP DATABASE o3database;

These commands are SQL; the MySQL reference manual for 5.0 has a good deal of useful information on how to use these commands and their syntax. Any good SQL book should also cover commands that work with MySQL. In many cases, you'll be using the database server with a web application, which will typically involve importing pre-defined commands into mysql. After creating a new user and database called webapp1, the following command was used to import the database structure provided by the web application we're installing:

# mysql -D webapp1 -u webapp1 \
    </tmp/webapp1-data.sql

Then you can use mysql -u root -p and use the GRANT command as we've used above to set the password for the webapp1 user.
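The article's point about giving each application its own database and account is easy to undercut by reusing the GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION form that was used for the throwaway test account. The following shell function is an added example, not the article's code: it emits the SQL for one application's database and user, confined to that schema and to the data-manipulation privileges a web application normally needs, and refuses names that could not be safely interpolated into SQL. The webapp1 name follows the article; the host and password are constructed.

```shell
#!/bin/sh
# Added example (not from the article): print the SQL that creates one
# application's database and a matching account limited to that database.
# Feed the output to the root client:  app_db_sql ... | mysql -u root -p
# Names, host and password used here are assumptions.

# app_db_sql <database> <user> <host> <password>
app_db_sql() {
    db=$1; user=$2; host=$3; pass=$4
    # Identifiers are interpolated into SQL, so only a conservative
    # character set is accepted; anything else is rejected, not escaped.
    for ident in "$db" "$user"; do
        case "$ident" in
            ''|*[!A-Za-z0-9_]*) printf 'bad identifier: %s\n' "$ident" >&2; return 1 ;;
        esac
    done
    case "$host" in
        ''|*[!A-Za-z0-9_.%-]*) printf 'bad host: %s\n' "$host" >&2; return 1 ;;
    esac
    # The password is a string literal: double backslashes, double single quotes.
    esc=$(printf '%s' "$pass" | sed 's/\\/\\\\/g' | sed "s/'/''/g")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\`;
GRANT SELECT, INSERT, UPDATE, DELETE ON \`$db\`.* TO '$user'@'$host' IDENTIFIED BY '$esc';
FLUSH PRIVILEGES;
EOF
}
```

The grant is deliberately narrower than the article's test account: no GRANT OPTION, no access outside the application's own schema, and no DDL rights, so the schema import in the article is still run once by an administrator (or the user is temporarily given CREATE on its own database) rather than leaving a privilege the application never needs in day-to-day use.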
Next issue, we introduce PostgreSQL, another open source database solution.

"Open Source Zero Day Attack Protection"
presented by

John Buswell
Chief Technology Officer, Spliced Networks LLC

http://www.splicednetworks.com

4.00pm EST - Ballroom 2