Archive for the ‘Systems Administration’ Category

Firewalls’ False Sense of Security - Computerworld

Thursday, March 3rd, 2005

Firewalls’ False Sense of Security - Computerworld

FEBRUARY 28, 2005 (COMPUTERWORLD) - The Internet front door to almost every bank and financial services company in the world is guarded by two sets of firewalls defining a DMZ. Nearly every e-commerce site sits in a similar DMZ in what has become the de facto standard in Web security architecture. According to Sun Microsystems, “In today’s tumultuous times, having a sound firewall/DMZ environment is your first line of defense against external threats.” But I would argue that guarding the perimeter is lulling organizations into a false sense of security that results in ignoring the implementation of other security mechanisms in their applications and databases.

In contrast, the Internet front door to MIT doesn’t have a DMZ and pretty much doesn’t even have a firewall. Universities begin with an assumption that everything is open, but these large organizations are arguably no more vulnerable to external threats than banks and financial institutions, and perhaps less vulnerable to internal threats.

A key reason for reduced vulnerability is the approach many universities take to creating authorization and application-level security in the absence of a secure perimeter. For more than a decade, universities have been implementing homegrown systems and working with vendors to ensure that their products don’t make assumptions about working behind a firewall. We look for systems to incorporate application-level security based on verifiable user identities — an approach that continues to gain ground as organizations realize that firewalls alone don’t provide the level of security they need in today’s world.

Penetration Testing IPsec VPNs

Tuesday, February 22nd, 2005

Interesting article from SecurityFocus on IPsec VPNs.

Check your filesystems’ integrity with afick

Monday, February 21st, 2005

Here is an article on filesystem integrity checkers. There are several filesystem integrity checker applications, both commercial and open source. I chose to deploy afick because it is written in Perl, which makes it lightweight and easily portable between different operating systems. Though by nature designed for the command line, afick also has an optional Webmin module and a graphical interface written in perl-Tk.

Writing Apache’s Logs to MySQL

Monday, February 21st, 2005

Here is an ONLamp article that is interesting. “By recording performance metrics, web server administrators can have a historical record of how the server handled incoming HTTP requests. This article expands on that concept by adding a couple of logging directives and recording the logging data directly in a MySQL database.”

RTG: Real Traffic Grabber

Friday, February 11th, 2005

RTG: Real Traffic Grabber
RTG is a flexible, scalable, high-performance SNMP statistics monitoring system. It is designed for enterprises and service providers who need to collect time-series SNMP data from a large number of targets quickly. All collected data is inserted into a relational database that provides a common interface for applications to generate complex queries and reports. RTG includes utilities that generate configuration and target files, traffic reports, 95th percentile reports and graphical data plots. These utilities may be used to produce a web-based interface to the data.

Linux in Government: Another Look at Linux in the MS Infrastructure - Linux Journal

Tuesday, February 1st, 2005

Considering the capabilities of Samba 3 and what they could mean for your workplace network.
http://www.linuxjournal.com/article/8069

Fix a virus infected computer with Knoppix

Tuesday, February 1st, 2005

First off, I always recommend a complete format for any machine that has been infected with any virus, worm or trojan. Basically, if your computer has been compromised, treat it as such and start over to be safe. That being said, you probably want your data off your computer prior to formatting it. Now don’t just go copying data off the infected Windows computer to another Windows computer; you are likely to just spread the infection. So here is an excellent article on how to clean the data using Knoppix prior to moving it to another computer.

www.leastprivilege.com - Turning on Remote Desktop - remotely

Wednesday, January 26th, 2005

www.leastprivilege.com - Turning on Remote Desktop - remotely

If you want to turn on Remote Desktop on a WinXP or 2003 machine over the network, this little WMIC command will help:

wmic /NODE:Server /USER:administrator RDTOGGLE WHERE ServerName="Server" CALL SetAllowTSConnections 1

Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work

Wednesday, January 26th, 2005

Why DNS Based Global Server Load Balancing (GSLB) Doesn’t Work

Debian Sarge on VMware

Monday, January 24th, 2005

Note to self. When installing Debian Sarge on VMware Workstation make sure to use IDE virtual disks not SCSI.

Extending Microsoft’s Terminal Services Client To Provide Seamless Windows

Wednesday, January 19th, 2005

Overview and Background

Microsoft’s terminal services client (also called ‘Remote Desktop Connection’) has one main thing against it. Remote applications do not appear as if they are running on the local desktop, instead they appear in a separate window which represents the server’s desktop. This is fine if you just want to work exclusively on the server, but can be a pain if you want to switch between applications on the server and the local desktop or want to run applications on different servers. What is needed is a way to display the remoted applications as ‘Seamless Windows’ on the client.

Commercial products have been written to achieve this in a Windows environment, the most well known would be Citrix. Citrix uses its own protocol (ICA) to publish applications to the client. Others have used Microsoft’s protocol called RDP (Remote Desktop Protocol) with additional software to achieve the same effect (the most notable of these is Tarantella’s Canaveral IQ – I suspect they use a similar, but more sophisticated, method to the one presented in this article).

While these products provide a lot more than just seamless windows, they are also quite expensive. It would be nice to have this feature in a regular RDP client without having to buy a whole application publishing product.

This article provides a possible solution to this problem by extending Microsoft’s RDP client using virtual channels to communicate between the server and client. This option has been chosen over writing or extending an existing open source RDP client (such as rdesktop) because we will still be able to take advantage of all the features in Microsoft’s client (and presumably all new features they add in the future). Also an advantage to using Microsoft’s client is that we can get some rudimentary application publishing over a web page since their terminal services client has an ActiveX component to do this.

By Martin Wickett

Build an Open Source Network Sniffer

Tuesday, January 18th, 2005

Build an Open Source Network Sniffer
This article reviews common issues of wireless security, and shows how to use open source software to suss out wireless networks, get information about them, and start recognizing common security problems. You will learn how to build a lightweight wireless sniffer that runs on open source software and see how simple it is to interact with wireless networks.

Automating build and deployment process to web servers

Tuesday, January 18th, 2005

I have found the following useful items for my project at work to automate our deployment process.

  • Deployment/Building of Web Applications - TSS.net
  • Nant FAQ
  • NantContrib
  • Continuous Database Integration
  • Using NAnt Build and Deploy .Net Applications
  • Managing Sourcecode with Nant
  • Managing .NET Development with NAnt
  • Continuous Integration
  • Red Gate releases SQL Packager, a SQL Server deployment tool
  • Mike Lorengo’s Weblog - Refrigerators, Unit Testing & NAnt

LinkChecker

Thursday, January 13th, 2005

freshmeat.net: Project details for LinkChecker
With LinkChecker, you can check HTML documents for broken links. It features recursion, robots.txt exclusion protocol support, HTTP proxy support, i18n support, multithreading, regular expression filtering rules for links, and user/password checking for authorized pages. Output can be colored or normal text, HTML, SQL, CSV, or a sitemap graph in GML or XML format. Supported link types are HTTP/1.1 and 1.0, HTTPS, FTP, mailto:, news:, nntp:, Gopher, Telnet, and local files.

System Configuration Collector 1.5.42 (Stable)

Thursday, January 13th, 2005

A tool that collects configuration data on Unix/Windows systems.

Debian System Wide Information Manager

Thursday, January 13th, 2005

Here is something I want to check out. freshmeat.net: Project details for Debian System Wide Information Manager
DSWIM is a powerful informational tool for Debian’s packaging system. Designed with an integrated approach it combines the functionality found in several other programs and scripts. This provides users with a centralized approach for querying the installation, allowing programmers the liberty of writing smaller and simpler code.

Metasploit Project releases new version

Thursday, January 13th, 2005

After nearly five months of development, version 2.3 of the Metasploit Framework has been released. Version 2.3 includes a dozen new exploits, new and improved payloads, a new msfweb interface, the Meterpreter, and many speed and functionality enhancements. Please see the release notes for more information. Additionally, the Opcode Database has been refactored and is currently in beta mode.

Uptime: what does it really mean?

Wednesday, January 12th, 2005

When someone claims five 9’s of availability, what does that really mean?
Translating the Metrics

Availability    Downtime Per Year
99.9999%        32 seconds
99.999%         5 minutes, 15 seconds
99.99%          52 minutes, 36 seconds
99.95%          4 hours, 23 minutes
99.9%           8 hours, 46 minutes
99.5%           1 day, 19 hours, 48 minutes
99%             3 days, 15 hours, 40 minutes

Formula = (365 1/4 x 24)

As you can see, it would take a lot to get five 9’s of availability. Most of all, it requires no single point of failure, and that includes physical locations.

SF.net: Project Info - Enterprise Monitoring, Windows Systems

Friday, January 7th, 2005

SourceForge.net: Project Info - Enterprise Monitoring, Windows Systems
Centrally monitor eventlogs, no agents needed; Send alerts to different people on different events; Integrated with ticket tracking system; Forward events to syslogd; Archive events into MYSQL/MSSQL; Web interface to search for events;