NEXT MONTH
Rapid Web Development
Developing AJAX Applications
@ O3: A look at mod_security, PostgreSQL and much more...
6  Editorial
8  Events

SECURITY
James Hollingshead provides a detailed introduction to Open Source, and tips for having a positive impact on the community.

NETWORKING
Multi Layer Switching  28
A look at LISA and multilayer switching frameworks for Linux.

VOIP (Voice over IP)
Open Source Telephony  32
The first part in a series on Open Source Telephony, starting with an introduction to Asterisk, the benefits and more...

Wifidog Captive Portal  36
The Linksys WRT54G captive portal.

Intrusion Detection  40
Introduction to Snort and IDS.
Thank you for taking the time to read through our first issue of O3 Magazine. O3 is an electronic publication dedicated to open source Enterprise Data Networking solutions. Each month O3 will look at all aspects of enterprise data networking, from network level solutions such as firewalls, routers and switching to server side applications such as FreeRadius, OpenLDAP and Apache.

Our goal at O3 is to introduce Enterprise Data Networking technologies to small and medium sized businesses, discuss open source solutions for providing those technologies and provide the technical information on how to deploy and maintain those solutions. O3 however is not just targeted at small and medium sized business; the solutions we discuss are already deployed in most large businesses, government agencies and educational institutions, though not necessarily as open source solutions. CIOs, CTOs, IT management and staff at larger entities will benefit from exposure to lower cost open source alternatives.

I don't personally see the point of promoting open source solutions if you do not use them yourself, so O3 is designed, developed and published using open source technology exclusively. Every article in O3, including this editorial, is written in OpenOffice (www.openoffice.org) under Linux; those articles are then imported into Scribus (www.scribus.org.uk), while graphics artwork is created with the Gimp. Scribus is used to export the completed publication in PDF format.

Each month O3 provides a round up of open source events, as well as an upcoming event calendar. We have done our best to track down as many major events as possible, but if you have an event, whether it's a local LUG meeting or a full scale trade show, we would like to hear about it. O3 also provides an "Open Source Report", a short round up of interesting open source software that has been released over the past month.

Each issue of O3 features Security, Internet, Web Tech, Business, Networking, VoIP, Network Applications and Network Security columns. This first issue of O3 is more of an introductory issue; starting next month (December) each issue will have a particular theme. For December it is rapid web application development.

We have an exciting line up for 2006. In the first quarter we will be looking at Linux on the zSeries mainframe, including a first look at some new innovative Linux solutions for the zSeries, a detailed look at networking technologies in Linux including OSPF, RIP and BGP, as well as a look at providing end to end QoS solutions with Linux. We will wrap up Q1 2006 with a detailed look at Open Source Telephony.

Finally, I would like to take a moment to thank our advertisers who very graciously put their names on a brand new magazine. Enjoy the issue and feel free to send feedback.

EDITOR@O3MAGAZINE.COM

EXECUTIVE EDITOR
JAMES HOLLINGSHEAD
JAMES@O3MAGAZINE.COM

ARTWORK
JOHN BUSWELL

PROOF READERS
GREG JORDAN
SHAWN WILSON
FRANK BOYD
STEW BENEDICT

SALES AND MARKETING
GREG JORDAN
SALES@O3MAGAZINE.COM

SUBSCRIPTIONS
O3 MAGAZINE IS DISTRIBUTED ELECTRONICALLY FREE OF CHARGE BY SPLICED NETWORKS LLC. TO SUBSCRIBE VISIT WWW.O3MAGAZINE.COM.

SOFTWARE
SCRIBUS 1.3.1
GIMP 2.0.5
OPENOFFICE 1.1.2

COPYRIGHT (C) 2002-2005 SPLICED NETWORKS LLC
MANDRIVA
http://www.mandrivalinux.com/
Release: Mandriva 2006

The 2006 release of Mandriva includes a desktop search tool (Kat) which allows searching for both file names and file content, an interactive firewall, official support for Intel Centrino mobile technology, integration of Skype, and an auto-installation server.

SCAPY
http://www.secdev.org/projects/scapy/
Release: 1.0.2

Scapy is a powerful interactive packet manipulation program capable of forging or decoding packets from a wide range of protocols. Scapy is an excellent tool for testing and reproducing complex network and network device problems.

SNORT
http://www.snort.org/
Release: 2.4.3

The 2.4.3 release of Snort fixes a buffer overflow vulnerability which existed in the Back Orifice preprocessor.

NATSTAT
http://svearike.sytes.net/natstat/
Release: 0.0.11

Network monitoring tool providing real time information based on the iptables configuration.
DISCOVER THE MULTI-TIER SECURITY APPROACH BEHIND THIS UPCOMING
BY JOHN BUSWELL

AppOS is a highly secure Linux based appliance framework that is designed to limit the damage that can occur in the event that a service or appliance is compromised by a third party due to an unpatched or a previously unknown vulnerability. In most enterprise environments, some of the network security techniques employed by AppOS are already in production, so migrating to or adding AppOS into the data center is often a trivial task. For smaller businesses there may be some network changes required in order to conform to the AppOS framework, particularly those related to out of band management and network storage.

OUT OF BAND MANAGEMENT
AppOS utilizes out of band management and storage networks to provide an extra layer of security. Out of band means that the management and storage networks are not on the same network as regular application traffic (such as http "web" traffic). AppOS supports out of band management in several forms including physically separate Ethernet segments, VPN based management and the use of 802.1q VLANs. Physically separate Ethernet segments are the preferred method of out of band management. In the event an Internet facing interface is DoS (Denial of Service) attacked, there may not be sufficient bandwidth to reliably manage the device remotely. Here a separate physical Ethernet interface on its own private segment will remain fully accessible unless the server itself has crashed. A separate physical interface enables an administrator to disable the Internet facing interface without losing connectivity to the system. Management traffic can include traffic such as syslog, snmp, ssh, https, and even DNS. Aside from limiting the access to this information for security purposes, out of band management enables syslog and snmp trap traffic to continue to work reliably even if the Internet facing Ethernet ports are congested.

Another advantage to out of band management is that it frees up traffic on production networks, especially if you offload DNS traffic to the management network to be handled by secure/trusted caching name servers. It is for this reason that out of band management can assist in improving the scalability of even small networks.

An important part of the AppOS network security framework is to place user data in out of band storage networks. Storage networks can be as simple as a gigabit switched Ethernet segment running a network file server using NFS or GFS between the file servers and the application servers on the network. Placing user data on an out of band network has many advantages, including reducing the load on your production "Internet facing" network, thus improving scalability and enabling finer access control over the user data. In a web hosting environment for example, a small number of restricted access servers may have write access to user data, making it possible for security policies to limit access to that infrastructure, while allowing a large number of publicly accessible web servers to serve data with only read-only access. In the event of a zero-day security vulnerability existing in your web server software, the publicly accessible web servers only have read-only access to the data, preventing potential malicious users from uploading code to execute on the server. Advanced access control lists, mount options and other measures can be used to prevent execution of unapproved executables on the publicly accessible web servers.

While this approach offers an extra degree of security it can cause problems with legitimate web applications that need to have the capability to write to user data. Typically, user data is written via database transactions, such as information for e-Commerce transactions, creating accounts or often
Next, let's try to browse to a particular URL that we know is password protected. The server immediately prompts you for a username and password, but depending on the URL, you might be able to plug it into Google, select the Cache link and read the password protected page. A good example is searching for content with inurl:webstats or inurl:accesswatch, or the default URL of any other popular web stats program. Many of these are protected by .htaccess files, but plugging them into Google reveals the page when following the cache option. Google is able to do this because the administrators of these servers unwittingly have the servers misconfigured, but with Google, a clever malicious user now has access to information that the administrator believes is hidden.

VULNERABLE SYSTEM DETECTION
To get into any system, a malicious user needs to know information about that system, and search engines provide an easy tool to help them detect vulnerabilities to exploit. For example, Apache can be configured to hide version information using the ServerTokens directive, but if an administrator hasn't removed the manuals installed in the htdocs directory, a quick search can reveal the release version the administrator is using. The same search could be used to locate unconfigured default installations of Apache on the Internet:

inurl:"/manual/" + Apache 1.3

These types of queries are easy to search for default files, making it easy for malicious users to detect systems where the administrator may have left files they've assumed are hidden from the public. If an administrator has left the default files, it might be an indication they are inexperienced and thus an easier target. The above query can easily become more specific by using the site: operator, which will restrict it to any specific domain.

Similarly a malicious user can also find default installations of particular applications such as WebMail by simply crafting the query with intitle:"Welcome to Mailtraq WebMail" (Mailtraq is a Web based Email Client). Such queries can often find test systems on live networks that administrators are using to test out new and unsecured applications.

SEARCHING PASSWORDS
If you have any readable files that contain passwords uploaded on the server, then it's time for some bad news: hackers can use queries on search engines to find passwords. For example, inurl:passlist.txt can be used for this purpose.

PREVENTION
To prevent search engine based attacks, a web site administrator can indicate which parts of the site should not be visited by a robot by providing a specially formatted file on their site in robots.txt. In addition, a web author can indicate if a page may or may not be indexed or analyzed for links through the use of a special HTML META tag. For example, a <META NAME="Googlebot" CONTENT="nofollow"> tag in the header can stop Googlebot from indexing the pages.

To prevent Googlebot from following any particular link on the page that might link to your critical page or any secret web server you can add rel="nofollow" in the hyperlink: <a href="http://www.example.com/" rel="nofollow">I can't vouch for this link</a>.

Note that these methods rely on cooperation from the robot, and are by no means guaranteed to work for every robot. If you need stronger protection from robots and other agents, you should use alternative methods such as password protection.

GOOGLE HACK HONEYPOTS
The methods discussed so far in this article are called Google Hacks. The "Google Hack" Honeypot project (http://ghh.sourceforge.net) provides a means to observe search engine hackers using Google against your resources by emulating a vulnerable web application, allowing itself to be indexed by search engines. The transparent link method used will reduce false positives and avoid malicious users detecting the honeypot.

The honeypot then logs to a file information about the attempted attacks: the source IP, referral information and user agent. Using this information, the administrator can detect and monitor attackers performing reconnaissance against their resources and get a detailed view of specific attackers.

ABUL ASIM M.R QARSHI IS A NETWORK SECURITY SPECIALIST FOR SPLICED NETWORKS LLC BASED OUT OF PAKISTAN.
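The honeypot described above works because the referral information in a web server's log tells you which search query led a visitor to a page. The same check can be run over an ordinary Apache access log; the script below is an added example written for this article, not code from the GHH project. The log lines are constructed, and the list of giveaway paths is taken from the examples the article itself mentions (the default /manual/ tree, web stats URLs, passlist.txt).

```python
"""Flag search-engine-driven reconnaissance in Apache combined-format access logs.

Added example for the O3 article on "Google Hacks": a request is flagged when it
hits a path the article lists as a giveaway of a default or misconfigured install,
or when its Referer is a search result page whose query used an advanced operator
(inurl:, intitle:, ...). All log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths the article names as giveaways (assumed list, extend for your own site).
SENSITIVE_PATHS = ("/manual/", "/webstats", "/accesswatch", "passlist.txt")
# Search operators that appear in the queries the article describes.
OPERATORS = ("inurl:", "intitle:", "site:", "filetype:")
# Referer hosts treated as search engines (assumption for the example).
SEARCH_HOSTS = ("google.", "yahoo.", "bing.", "search.")


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_query(referer):
    """Return the search query if the Referer is a search result page, else None."""
    if not referer or referer == "-":
        return None
    u = urlparse(referer)
    if not any(h in u.netloc for h in SEARCH_HOSTS):
        return None
    qs = parse_qs(u.query)
    for key in ("q", "p", "query"):  # query parameter names used by common engines
        if key in qs:
            return unquote(qs[key][0])
    return None


def classify(entry):
    """Reasons this request looks like search-engine reconnaissance (empty if none)."""
    reasons = []
    if any(s in entry["path"].lower() for s in SENSITIVE_PATHS):
        reasons.append("sensitive-path")
    q = search_query(entry["referer"])
    if q and any(op in q.lower() for op in OPERATORS):
        reasons.append("operator-query")
    return reasons


def scan(lines):
    """Group suspicious hits by source IP, the view the GHH honeypot log gives an admin."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits[entry["ip"]].append(
                {"path": entry["path"], "referer": entry["referer"],
                 "ua": entry["ua"], "reasons": reasons}
            )
    return dict(hits)


# Constructed sample log: one visitor arrives from an inurl: query and then probes
# for a password list; the other two requests are ordinary traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2005:10:15:02 +0000] "GET /manual/ HTTP/1.0" 200 5120 '
    '"http://www.google.com/search?q=inurl%3A%22%2Fmanual%2F%22+Apache+1.3" "Mozilla/4.0 (compatible)"',
    '198.51.100.7 - - [12/Nov/2005:10:15:09 +0000] "GET /passlist.txt HTTP/1.0" 404 291 '
    '"-" "Mozilla/4.0 (compatible)"',
    '203.0.113.5 - - [12/Nov/2005:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 8812 '
    '"http://www.google.com/search?q=o3+magazine" "Mozilla/5.0 (X11; Linux)"',
    '192.0.2.9 - - [12/Nov/2005:10:17:01 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 '
    '"-" "Mozilla/5.0 (Macintosh)"',
]

if __name__ == "__main__":
    for ip, entries in scan(SAMPLE_LOG).items():
        print(ip)
        for e in entries:
            print("  %-16s %-18s %s" % (e["path"], ",".join(e["reasons"]), e["referer"]))
```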
BY MATHEW J. BURFORD

If your web server's performance is suffering due to high load then your solution may be here. There is interest brewing in Lighttpd, a relatively new web server developed by Jan Kneschke et al. In addition to claims of a low memory footprint, its main website www.lighttpd.net boasts that Lighttpd has security, speed, compliance, flexibility and an advanced feature set. Lighttpd is a "high load performance optimized" web server that is intended to be used for web servers which must serve lots of small files rapidly and php servers which are placed under high load. Despite this, Lighttpd seems to be useful in many other areas, such as embedded systems which have limited resources. This article will look into Lighttpd's claims and features and discuss them.

I installed Lighttpd on a 1.7Ghz Pentium 4 with 775636Kbytes DDR SDRAM running Gentoo Linux (kernel version 2.6.11). For testing purposes, Siege (described below) was installed on a 15" Powerbook (1.5Ghz PowerPC G4 with 512Mbytes DDR SDRAM) running MacOSX, version 10.4.2. Both machines were connected to a Netgear 54Mbps wireless router (WGR614 v4).

BASIC TESTING
At first glance of Lighttpd, the source download file of version 1.3.16 consisted of 690 kbytes, very light indeed. Compilation and installation used the typical 'configure/make/make install' system. I was pleased to find there was minimal complexity getting the webserver up. The usual example configuration file is shipped with Lighttpd, which follows the "include only if you need" philosophy. Hence it was very small, well commented and easy to follow. Surprisingly, in 10 minutes Lighttpd was up and running and serving static files with a basic configuration. The installation directory was 2688kb in size. This included various unused modules and random docs. The Lighttpd executable file size is 925Kbytes. When running, the memory usage for Lighttpd was 418Kbytes. Overall, it appears to be quite a compact program. For Gentoo users, the install can be simplified to 'emerge www-servers/Lighttpd'. You might have to set an unstable flag to download the latest version. This automates the installation, but also sets up a Lighttpd account for the server to run within and various other things to get it working fast.

I was eager to test the base install of Lighttpd. I downloaded the latest version (2.63) of Siege, an http web server benchmarking tool (freshmeat.net/projects/siege/), from freshmeat and installed it. I had to be careful with siege, as it seemed to use a lot of resources. On my MacOSX Powerbook, I used Siege to simulate 15 users, and I recommend you do this for yourself through your own network so that you can compare it with your current web server's performance. Choose a document to serve which will use the features that your web server typically serves.

After testing with 1000+ concurrent simulated users, I was flooded with errors which indicated that I had run out of file descriptors and as a result requests to the server were being denied. The Lighttpd website documentation (www.lighttpd.net/documentation/performance.html) has a fix for this if you find you are having trouble here. The solution involves lowering the defaults of HTTP Keep Alives so that file descriptors aren't held on to as long. Otherwise you can simply increase the file descriptors with a quick

% echo 76680 > /proc/sys/fs/file-max

FEATURES
One of the biggest selling points of Lighttpd is its rich list of features. Below I look at FastCGI and MySQL based Virtual Hosting, two of the more popular features. Lighttpd however has a very clear cut state engine and plugin interface, which makes Lighttpd very easy to modify should you need to insert specialized capabilities into this small httpd.

FASTCGI
The aim of FastCGI is to remove a lot of the performance issues posed by CGI programs. Support for this is provided by the module mod_fastcgi and can be enabled by uncommenting the appropriate line in your configuration file, found under server.modules. FastCGI allows fast and extensive php support for Lighttpd. For more information see www.lighttpd.net/documentation/fastcgi.html.

MYSQL BASED VIRTUAL HOSTING
There are two vhost modules available for Lighttpd. An interesting one is mod_mysql_vhost, which allows you to provide virtual hosts using a MySQL table. Lighttpd recommends not mixing vhost modules, as only one is supposed to be active at any given point in time. MySQL vhost allows you to place docroot and domain pairs in a table; lighttpd will then query the MySQL server to locate the docroot.

PERFORMANCE ENHANCEMENTS
While the Lighttpd website provides a good amount of documentation, in my opinion the documentation is still underdeveloped and much of what is there needs revision. This is most likely due to the project still being in its early stages, so this will certainly improve.

OTHER FEATURES
Lighttpd has been documented very clearly and in great detail by the Lighttpd development team. The documentation link off their main web page has full state machine information for both FastCGI and the httpd state machine. The documentation even includes the function names where the processing occurs. This makes Lighttpd, along with its size, a very tempting solution for developers who need unique features or processing. It wouldn't take much to modify the Lighttpd code by inserting your own additional processing to perform custom URL or other modifications beyond those supported in mod_rewrite. Lighttpd also includes very useful plugin documentation.

CONCLUSION
Lighttpd is an exciting project which raises the expectations of small footprint web servers. As its userbase increases, much more documentation will be available. This server is highly configurable in a non-complicated way, which enables new users to quickly get their web server running with little trouble. Lighttpd is a competitive option to other popular web servers, and may be run alongside other webservers, such as tomcat or apache, to take advantage of the benefits offered by each. It will be interesting to see the direction Lighttpd takes on the Internet as it matures.

MATHEW BURFORD IS AN APPLICATION DEVELOPER FOR SPLICED NETWORKS LLC BASED OUT OF WOLLONGONG, AUSTRALIA.
LINUX AND OPEN SOURCE MIGHT BE TERMS YOU HAVE HEARD BUT ARE NOT QUITE FAMILIAR WITH.
LINUX AND OPEN SOURCE CAN BENEFIT BUSINESSES OF ANY SIZE... AND NO, IT IS NOT JUST FOR BANKS...

Open source. It's amazing how much confusion and mixed feelings those two little words can cause. What is it? How does it work? Is it for our business?

This article is an attempt to answer your questions and give a brief overview of what open source is, how it can help you and your business, and what you can do to help. Since it is a huge subject and answering everyone's questions would take entire books, this is really just a fairly high level look at open source arranged as a sort of question and answer session.

WHAT IS THIS "OPEN SOURCE" THING I KEEP HEARING ABOUT?
That's a very simple question to which there are a number of answers. At the most basic level, open source is the software development community and businesses working together in order to make quality software that anyone can use. It's a way for groups and individuals to contribute according to their skill sets on projects that they find interesting so that everyone can come out ahead.

Its real defining points are the license that the software is released under and the fact that the program is distributed free of charge. There are quite a few licenses that are considered to be open source by the Open Source Initiative (www.opensource.org), the non-profit organization which keeps track of and promotes open source licenses.

What most of the accepted licenses boil down to is that the source code for the software is open for the world to see, modify, contribute to, and use. Certain licenses require that you release all changes you make, while others just require you to give them credit for having code in your project.

I HEARD THAT LINUX IS HARD TO SET UP AND USE. IS THAT TRUE?
If you had asked me that question in 1998 when I first tried to install Linux on a new desktop that I bought, I would have said it was a nightmare to get running. Now, however, it's a great deal better and is actually ready for a lot of home and business uses. Many of the applications now have graphic interfaces that are just as good as what you are used to now and have the functionality that you've come to expect from your business apps. That's not to say that there isn't a little bit of a learning curve, but it really is a pretty slight one.

On top of this, Linux is now a breeze to install on most hardware. To give you an idea, I recently installed Linux on my laptop. Anyone who has installed Windows on a laptop will tell you about the fun that you're in for. It takes a stack of CDs, most of the day, and constantly babysitting the laptop to answer questions and switch out disks. On top of that, you have to provide the right video, audio, and network drivers and then you have to run security updates and install service packs.

With Linux, it took four CDs, a network connection, and about three hours to install the operating system, most of the software that I use, and to update the entire system. Ethernet worked out of the box; so did the video. To install the last two programs that I wanted to use required two very short commands, and updating the entire laptop required one more. Most of the time that was spent installing Linux was used to do other things while my laptop worked quietly in the other room without needing me to babysit it. It's come that far.

IF I WANT TO USE OPEN SOURCE SOFTWARE, DO I HAVE TO RUN LINUX?
While most software released for Linux is open source, not all open source software is Linux-only (or even runs on Linux). It is possible to have open source projects on other platforms, such as Windows and OSX, and indeed many popular projects, such as the Firefox web browser and the Eclipse programming environment for Java, are released on a wide variety of platforms. The developers and companies behind the projects realize that not everyone can standardize on a single platform, so they often do their best to provide solutions where they make sense.

WHAT SORT OF OPEN SOURCE SOFTWARE IS THERE?
Open source software exists across the spectrum of applications.

• For operating systems, you have various forms of Linux and BSD, which are all Unix-like operating systems. While they allow fine control of practically everything that you could want to do with your computer from a functionality and security standpoint, they also have rather nice graphic interfaces, allowing both casual users and the more experienced to use them with ease.

• The popular web browser, Firefox, is a piece of open source software that grew out of the old Netscape browser. It also has sibling programs: Thunderbird for email and Bugzilla, a bug tracking software package used by many developers. All of these programs may be found at www.mozilla.org.

• OpenOffice (www.openoffice.org) is a popular open source suite that includes word processor, spreadsheet, and presentation software and is available on both Linux and Windows.

• GIMP (www.gimp.org) is an open source graphics program which is available both on Linux and Windows and is used by this magazine.

• Many programming environments such as Eclipse (www.eclipse.org) are open source, as are the source control tools Subversion (http://subversion.tigris.org) and CVS (www.nongnu.org/cvs).

• There are even several very good open source databases out there such as MySQL (www.mysql.com) and PostgreSQL (www.postgresql.org).

There are many other open source offerings out there. If you're interested in looking for open source applications, a good place to start is The Open CD project (www.theopencd.org), which lists applications for Windows, but also links back to websites for the projects so you can get versions for different platforms.

BUT IF IT'S FREE, HOW DO WE MAKE MONEY ON IT?
That's a very good question. The answer is that, just like everything else in business, making your project open source isn't for everyone. However, there are several fairly standard ways that companies are making money with open source projects.

• Support – companies like Redhat (www.redhat.com), maintainers of a popular Linux distribution, charge money for providing professional technical support.

• Sell hardware – companies like Digium (www.digium.com), the makers of Asterisk, an open source PBX software, make a great deal of their money selling pre-made PBX solutions while also providing the software to the general public for those who feel adventurous.

• Training – many pieces of software, whether open or closed, really benefit from people being able to go to classes in order to learn how to get the most use out of them. Who better to provide the training than the company who makes the product?

• Custom builds – no software will do everything that everyone wants it to do, because there are so many things that its creators never thought of. In some cases, businesses may want functionality added to the programs that you make which they are willing to pay for.

There are many other ways that companies are making money on open source software, but what it all comes down to is where you expect to make your money. If you just plan to sell your software, then open sourcing your project probably isn't for you. There are exceptions to this. MySQL, a popular open source database, offers its software for free if it is used in-house and asks that you pay a modest fee if you include it in a commercial product. However, if your real money comes from somewhere else, then you have a decent chance of making a successful business.

WHAT DO I GET OUT OF MAKING MY SOFTWARE OPEN SOURCE?
By making your software project open source, you gain potential access to the professional development community at large. As I said before, many major open source projects are staffed partially by developers being paid by technical companies in order to add the features and functionality that their employers want. However, many professional developers work on open source projects on their own time as well for a number of reasons, including to keep their skills sharp, to add new skills, and even just because the project interests them. This means several things to anyone who wants to have a successful software project:

• Access to outside skills - Everyone who starts a piece of software wants the people working on it to be the best. Unfortunately, your budget often doesn't allow you to hire them and keep them full time. With open source, you can have access to people (either on a contract basis or, in some cases, just because they're interested in your project) that you otherwise wouldn't be able to hire.

• Reduced development time - With the possibility of more people working on your project than you could otherwise afford, there is a good chance that it will take less time to complete your project. For example, Windows Vista (formerly codenamed Longhorn) was announced years ago and isn't supposed to be delivered until sometime in 2006. By contrast,

looking at (and working on) your project, you may end up with functionality that you never considered before.

• Many eyes looking at your project - The more people who review the source code of your project, the greater the chance that bugs and security flaws will be caught, allowing them to be fixed sooner.

• Community goodwill - Never underestimate the power of free advertising. If your project becomes popular within the technical community, like Linux has, that popularity can spill over into the business arena.

WHY WOULD PEOPLE WANT TO VOLUNTEER TO WORK ON MY PROJECT?
We developers (yes, I am one of them) are strange people. We like to work on projects that we find interesting or that challenge us. It's a chance to gain experience that we can point to when looking for a new job. It's also a way to get recognized by the community as a capable developer. On top of all of those things, it's a chance for us to give something back to the people who have helped us out along the way and to help others who may not be so fortunate. Some of us think of it as a form of voluntary community service.

IF EVERYONE CAN LOOK AT MY SOFTWARE, WHAT'S TO STOP THEM FROM JUST TAKING IT?
That's a very good question, and one that I hear quite often. The answer is it all comes down to the license that you choose to release your work under. There are a lot of accepted open source licenses, so I am only going to give a brief description of a few of the more popular ones.
Fe dora, Re dh at's non-bus ine s s Linux • BSD – Th e pe rs on w h o m odifie s th e proje ct
distribution, h as gone from ve rs ion 1 to ve rs ion m ay ch oos e w h e th e r or notto ope n s ource th e ir
4 s ince I firststarte d us ing itin 2003, and e ach de rivative , butth e copyrigh tnotice for th e
new ve rs ion h as be e n a m ark e d im prove m e nt originalproje ctm ustbe include d w ith th e
ove r th e previous one . docum e ntation (if th e de rivative w ork is clos e d)
or in th e code (if th e de rivative w ork is ope n).
• Diffe re ntpoints of view - Th e re are alw ays Bas icall y, unde r th is lice ns e , anyone can do
us e fulfe ature s or us e s for your s oftw are th at anyth ing w ith th e code th atth ey w antas long as
you didn'toriginall y th ink of. W ith m e m be rs of th ey s ay th atth e code is in th e re .
th e s oftw are deve lope r com m unity at-large
Multi Layer Switching in Linux

MULTILAYER SWITCHING, SPANNING TREE AND OTHER ADVANCED SWITCHING FEATURES ARE NOW POSSIBLE

BY JOHN BUSWELL

At first glance LISA, the Linux Switching Appliance project, looks like a very interesting project, providing Layer 2/3 packet switching support to Linux. Originally we planned to write an article specifically on LISA; unfortunately, we quickly discovered that LISA is still very much in a developmental stage, so this article has been expanded to cover the wider range of switching solutions for Linux. This is an introductory article; over the coming months the NETWORKING segment of O3 will go into detail on implementing various networking solutions in Linux and using open source projects to test and extend the security of traditional network protocols.

We tested LISA under Linux 2.6.10. It consists of a kernel patch providing the "Ethernet Switch" module under Networking Options and a couple of userspace tools. The project provides a mini-distribution, however all you really need is the patched kernel and the swctl userspace tool that is provided by the project.

The swctl tool allows you to add/remove interfaces from the switch, add/remove VLANs from the VLAN database, create trunks and create virtual interfaces for a given VLAN. We tested its layer 2/3 switching capabilities; performance was pretty good and the switch's forwarding database worked as expected. Interoperability with other VLAN speaking devices seemed to work well: we tested LISA connected to Cisco Catalyst 5505 and Nortel 3408 Application Switches, and layer 2 and layer 3 connectivity over the VLANs, as well as VLAN routing, worked.

The downside to this project is clearly its future. The last release was back in June 2005, and it looks like a final year project for two Romanian students. If you plan to seriously consider using LISA, despite the sponsors, I would wait and see if the project continues development unless you plan to maintain the code yourself. At the time this article was written the latest release of LISA requires some patching to work with Linux 2.6.14. The userspace tools are hard-coded, so you have to modify the path to the Linux header files in each Makefile, and with changes to the skb code in 2.6.14, you will need to modify the calls to deliver_skb() and possibly other skb routines that the switching code uses. Overall, LISA has a good deal of potential; whether its current developers plan to continue development beyond university remains to be seen. LISA can be obtained from http://lisa.ines.ro/.

the VLAN as a typical network interface, you can assign an IP to it and so forth. Some network drivers in Linux need specific patches to make them work with 802.1Q.

VLAN Management Policy Server (VMPS) uses a special protocol called VQP (VLAN Query Protocol) to automatically determine VLAN membership based on the MAC address of the device connecting to the network. VMPS is supported on Cisco Catalyst switches, and the OpenVMPS project (http://vmps.sourceforge.net) provides an open source implementation.

MULTIPROTOCOL LABEL SWITCHING (MPLS)

Another type of switching is MPLS, Multiprotocol Label Switching. MPLS works by having a "label edge router" assign a label to incoming packets. Packets are forwarded along a "label switch path" (LSP) where each label switch router (LSR) makes forwarding decisions based solely on the contents of the label. At each hop, the LSR removes the existing label and applies a new label which tells the next hop how to forward the packet. LSPs provide a variety of solutions such as performance guarantees, routing around network congestion or creating IP tunnels for network based VPNs.

Linux has excellent MPLS support: there is an MPLS forwarding plane for the 2.6.x kernel, and an implementation of LDP (RFC 3036). The MPLS project can be found at http://mpls-linux.sourceforge.net, and http://www.mplsrc.com is an excellent source of information if you are interested in learning more about MPLS.

SPANNING TREE PROTOCOL (802.1D)

Most enterprise layer 2 switches support IEEE 802.1d "Spanning Tree Protocol". While LISA itself doesn't provide STP, the Linux bridging suite (http://bridge.sourceforge.net) does provide good STP support. STP allows multiple bridges to work

STP.1 EXAMPLE SPANNING TREE NETWORK

testing and understanding how your network will respond to a particular attack, as well as to test new features provided by vendors designed to prevent or reduce the impact of specific attacks.

LAYER 4 SWITCHING WITH LINUX VIRTUAL SERVER

Layer 4 switching, more commonly referred to as IP load balancing, is the process of intelligently switching packets destined for a specific IP and port (TCP/UDP) to a different IP and/or port. Essentially it is a fancy form of NAT and address translation where the destination is selected dynamically based on specific criteria, such as load balancing metrics, QoS or the health of the proposed destination. The device between the source and the target maintains state. The Linux Virtual Server project (http://www.linuxvirtualserver.org) provides an Open Source solution for Layer 4 switching.

For high capacity, port density or mission critical applications where higher session capability, advanced features and performance are a key factor, proprietary solutions such as Nortel Application Switches (formerly Alteon), Cisco, F5, Foundry Networks and Radware all offer Layer 4 - Layer 7 solutions.

FURTHER READING

Linux has a good selection of projects for implementing multilayer switching. Below are a couple of useful links that were valid at the time this article was written, if you are interested in learning more about some of the concepts discussed in this article.
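The label push, swap and pop that the MPLS section above describes, as an added illustration written for this page (it is not code from the MPLS-Linux project): the ingress edge router picks a label by longest-prefix match, every core LSR forwards on the label alone, and the egress router pops it. Router names, labels and prefixes are constructed; the refusal of already-labelled packets at the ingress edge is the boundary check a defender would insist on, because the core never looks at the IP header.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst: str                                  # IP destination; only the edge router reads it
    label: Optional[int] = None               # MPLS label currently on the packet
    hops: List[str] = field(default_factory=list)
    labels: List[Optional[int]] = field(default_factory=list)

    def record(self, router: str) -> None:
        """Keep the hop and the label it left on the packet, for inspection."""
        self.hops.append(router)
        self.labels.append(self.label)


class LabelEdgeRouter:
    """Ingress LER: classifies an unlabelled IP packet into a forwarding
    equivalence class by longest prefix match and pushes that class's label."""

    def __init__(self, name: str, fec_table: Dict[str, Tuple[int, str]]) -> None:
        self.name = name
        self.fec = [(ip_network(prefix), label, next_hop)
                    for prefix, (label, next_hop) in fec_table.items()]

    def forward(self, pkt: Packet) -> str:
        if pkt.label is not None:
            # labels are trusted inside the domain, so none may enter from outside
            raise ValueError(f"{self.name}: labelled packet from outside the MPLS domain")
        addr = ip_address(pkt.dst)
        candidates = [(net.prefixlen, label, nh) for net, label, nh in self.fec if addr in net]
        if not candidates:
            raise LookupError(f"{self.name}: no FEC for {pkt.dst}")
        _, label, next_hop = max(candidates)     # longest prefix wins
        pkt.label = label
        pkt.record(self.name)
        return next_hop


class LabelSwitchRouter:
    """LSR: looks up the incoming label only and swaps it (or pops it at the egress)."""

    def __init__(self, name: str, label_table: Dict[int, Tuple[Optional[int], str]]) -> None:
        self.name = name
        self.table = label_table   # in_label -> (out_label, next_hop); None pops the label

    def forward(self, pkt: Packet) -> str:
        if pkt.label not in self.table:
            raise LookupError(f"{self.name}: no LSP for label {pkt.label}")
        out_label, next_hop = self.table[pkt.label]
        pkt.label = out_label
        pkt.record(self.name)
        return next_hop


# Constructed domain: PE1 is the ingress edge, P1..P3 the core, PE2 the egress
# edge that pops the label and hands plain IP to the customer site.
NETWORK = {
    "PE1": LabelEdgeRouter("PE1", {"10.1.0.0/16": (100, "P1"),
                                   "10.2.0.0/16": (200, "P1")}),
    "P1": LabelSwitchRouter("P1", {100: (110, "P2"), 200: (210, "P3")}),
    "P2": LabelSwitchRouter("P2", {110: (120, "PE2")}),
    "P3": LabelSwitchRouter("P3", {210: (220, "PE2")}),
    "PE2": LabelSwitchRouter("PE2", {120: (None, "site-A"), 220: (None, "site-B")}),
}


def traverse(network, ingress: str, dst: str, label: Optional[int] = None):
    """Walk one packet through the domain; returns (exit point, hops, labels)."""
    pkt = Packet(dst=dst, label=label)
    hop = ingress
    while hop in network:                 # stop once the next hop is outside the domain
        hop = network[hop].forward(pkt)
    if pkt.label is not None:
        raise RuntimeError(f"packet left the domain still carrying label {pkt.label}")
    return hop, pkt.hops, pkt.labels


if __name__ == "__main__":
    for destination in ("10.1.5.5", "10.2.7.7"):
        print(destination, "->", traverse(NETWORK, "PE1", destination))
```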
Open Source Telephony

OPEN SOURCE TELEPHONY IS RELATIVELY EASY TO SET UP AND CAN SAVE YOUR BUSINESS THOUSANDS
SMALL BUSINESSES CAN NOW DEPLOY ADVANCED VOICE SOLUTIONS THAT WERE PREVIOUSLY COST PROHIBITIVE

BY JOHN BUSWELL

The Private Branch Exchange (PBX) is a critical component for any business regardless of size. The PBX provides a private, company owned telephone exchange which can drastically reduce the cost of services required from the telephone company. Traditionally, PBX systems have been expensive and required specialized technicians to deploy. However, that has changed with the dawn of Open Source Telephony and the digital PBX. The PBX takes a limited number of trunk lines from the business to the phone company's central office (local exchange), and enables them to be shared among the phone equipment within the company. Through the use of IP telephony and Virtual Private Networks (VPN) it is possible to connect and share PBX solutions at different company offices. This article will introduce you briefly to some of the terms, discuss a solution, the cost saving benefits and various open source projects.

T1, E1, J1, FXO AND FXS

Connecting your PBX to the public phone system will either involve a regular RJ11/PSTN (phone jack) connected to an FXO port, or some form of channelized trunk from the phone company. In North America these trunks are called T1, the equivalent of 24 phone lines (channels). In Europe they are called E1 (32 channels) and in Japan J1 (24 channels). An FXS port is a port on your PBX that you would connect a regular analog phone to. The FXS port generates the voltage on the wire to operate the analog phone.

VOIP

Voice over IP is analog audio (phone) converted to a digital format and distributed over an IP network to a destination. There are a number of different protocols that can be used to achieve VoIP; for the most part we will focus on SIP (Session Initiation Protocol) and IAX (Inter Asterisk Exchange) in our VoIP series. Cisco has a proprietary protocol called SCCP (Skinny) and there is also H.323. Most Cisco IP phones support SIP, however they are typically shipped with SCCP software loaded.

HARDWARE

Digium (http://www.digium.com), the company behind the most popular open source PBX software, Asterisk (http://www.asterisk.org), provides a number of hardware options for connecting your open source PBX to the phone company. If you are a small business without the need for too many lines, then the TDM400 is a nice modular card that allows you to mix and match up to four modules (FXS or FXO) per card to meet your needs. They also supply T1/E1/J1 cards, in single, dual and quad port versions. In addition to Digium, Sangoma Technologies (http://www.sangoma.com) also sells several Asterisk compatible channelized cards. Using the TDM400 cards you can also connect regular analog telephones to your PBX. Alternatively, you can use many of the available VoIP phones or ATA units on the market today. An ATA (Analog Telephone Adapter) is essentially a small embedded device that converts VoIP to analog, similar to having a small system running Asterisk and a TDM400 with FXS ports to drive your analog phones from a VoIP network. You will also need a server to act as your PBX with the appropriate hardware (discussed above) to connect to the phone company, as well as the appropriate hardware to connect either to your VoIP network or your analog phones.

ASTERISK

At the heart of the Open Source PBX, we have Asterisk. Asterisk is a fully featured PBX, providing all the features of traditional PBX systems, such as call queuing, conference bridging, voicemail and much more. There is a full list of features available on the Asterisk site (http://www.asterisk.org/features/). If you are using the Digium hardware you need to download the zaptel suite as well as Asterisk. The zaptel suite provides kernel drivers for the Digium hardware. Compiling Asterisk is relatively easy. Once uncompressed, it only requires a simple make; make install. It is important to read through the security material on Asterisk. Not only do you have to focus on the security of the server on which Asterisk resides, but you must also consider the security of Asterisk itself, and make sure that inbound dialers (or restricted outbound dialers) don't have the capability to make toll calls or otherwise access parts of Asterisk via the phone system that would be undesirable. Configuring Asterisk is an involved process, well beyond the scope of this article. O3 will look at configuring Asterisk in depth in a few issues.

EXAMPLE DEPLOYMENT

In the figure opposite, we have a sample deployment consisting of two office locations and a remote telecommuter. The first site is based in Cincinnati, Ohio in the United States, while the second site is located in Dublin, Ireland. The first site is connected via a T1 trunk (24 channels) to the local 513 area code, while the second site is connected via four standard PSTN lines to the local exchange in Dublin. Both sites are using Linux servers running Asterisk and are connected to the Internet via a high speed broadband connection.

For the sake of this example, let's say that the Dublin office is a sales office, while the Cincinnati office contains technical support staff. The company wishes to provide technical support from the Cincinnati office to customers in the Dublin area. This would be an expensive project to complete using traditional technology; however, with Asterisk and Open Source technologies it is possible to implement this at relatively low cost to the company.

The two offices can be connected together using OpenVPN (http://www.openvpn.net), providing a secure transport for the communication between the two PBX systems. Asterisk comes with its own exchange protocol called IAX; alternatively you can run SIP as well. While IAX2 does have PKI style authentication and trunking, it won't protect the contents of your calls from being sniffed off the wire, so utilizing a VPN technology when routing private calls between offices over the Internet is your best bet.

Once configured correctly, a client calling the local office in Dublin (a local call) now has their call routed, upon selecting the support option, over the Internet to the Cincinnati support queue. Now the company can bring the expertise it has established locally in the Cincinnati area to its Dublin customers, without requiring the customers to call long distance. In addition, staff at the Dublin office can call, conference and perform a wide range of other tasks as if the Cincinnati location was local, and vice versa.

The example shows a remote worker. This might be an on call technical support engineer covering the early morning business hours in Europe from their home. Here the engineer connects to the Cincinnati office via VPN, and has a firewall in place to protect their local network. The firewall is also running a SIP proxy, which allows the SIP softphone to register with the Asterisk PBX while remaining behind its firewall.

SIP PROXY

Siproxd (http://siproxd.sourceforge.net) and PartySIP (http://www.nongnu.org/partysip/) are two open source SIP proxies. A SIP proxy handles registration of SIP clients on a private network and performs rewrites on the SIP messages to make SIP connections possible through a firewall providing NAT (Network Address Translation). SIP (Session Initiation Protocol) is defined by RFC 3261 and is one of the protocols used by software and VoIP phones. The alternative approach is a method called STUN which enables a SIP client to determine its public IP address, but for this to work a wide range of ports must be opened on the firewall. Instead, projects such as siproxd actually perform layer 7 packet inspection and rewriting on the SIP packets sent through the proxy.

ASTLINUX

AstLinux (http://www.astlinux.org) is a custom Linux distribution centered around Asterisk. AstLinux provides an out of the box solution with a wide range of features, making it a useful solution for a quick embedded or commercial Asterisk installation. With a little effort, it can be easily modified to fit almost any situation. The project provides a number of useful images, including a bootable ISO image. The project is geared towards older Pentium-MMX hardware and embedded solutions such as the Soekris line of embedded devices. If you're looking to provide a large solution with multiple T1 lines, multiple IAX trunks and large amounts of space for IVR/Voicemail solutions, selecting your favorite enterprise Linux distribution and installing Asterisk from source might be a better approach.

ASTERISK@HOME

Asterisk@Home, which can be found online at http://asteriskathome.sourceforge.net, is a fast and simple solution for getting Asterisk up and running quickly. Asterisk@Home is a Linux distribution that utilizes CentOS (www.centos.org) and provides a web based interface for configuring and managing Asterisk. The solution includes another project, AMP (Asterisk Management Portal), which can be found at http://coalescentsystems.ca/index.php. AMP is web based with a flash operator panel. It provides a wide range of management tasks. If you want to get Asterisk running quickly without going in-depth, Asterisk@Home is a great solution.

ENUM, E.164 AND DUNDI

ENUM is essentially DNS for your telephone number. E.164 is an international telephone numbering plan administered by the ITU, which provides the format, structure and administrative hierarchy of telephone numbers. A fully qualified E.164 number contains the country code (e.g. +353 for Ireland), area code and phone number for the destination. ENUM provides essentially reverse DNS mapping on the phone number, to convert that number to an IP address that would typically be able to handle call routing to that number (e.g. a SIP proxy run by the phone company that provides PSTN service to the particular area code in that country).

DUNDi is a distributed peer to peer system for locating Internet gateways to phone services. DUNDi is a distributed solution with no centralized authority, in contrast to ENUM. DUNDi is a routing protocol so that services may be routed and accessed using industry standard VoIP technologies such as IAX, SIP or H.323.

DUNDi provides a solution that enables the creation of highly available enterprise PBX solutions, where no one PBX creates a central point of failure. DUNDi also provides an Internet based E.164 peering system; for more details review the documentation and members at http://www.dundi.com.

SIPX

sipX (http://www.sipfoundry.org/sipX/sipXuser/) is an Open Source PBX solution based on SIP. sipX provides many of the PBX capabilities of Asterisk such as DID, hunt groups, call forwarding, voicemail and so on. sipX doesn't provide any gateway capabilities with the PSTN; it is a pure SIP IP PBX solution. It has some interesting features such as XML based call routing and the ability to configure attached phones and gateways.

SIP EXPRESS ROUTER

The SIP Express Router is a high performance, configurable, free SIP server which can act as a proxy, redirect or registrar server; check it out at http://www.iptel.org/ser/. There is also the OpenSER project at http://www.openser.org/.

RUBY ON RAILS INTEGRATION

Next issue: a look at web integration with Asterisk using ragi (http://ragi.sourceforge.net).

DUNDi, IAX and Asterisk are trademarks of Digium Inc. (http://www.digium.com).
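The Via/Contact rewriting that the SIP PROXY section above credits siproxd with, as an added illustration (not siproxd's or PartySIP's code): a masquerading proxy on the firewall swaps private addresses for its public one on the way out, remembers the binding, and rewrites the Request-URI of inbound requests back to the phone. All addresses, users and messages are constructed, and RTP relaying is left out.

```python
import re
from typing import Dict, List, Tuple

Header = Tuple[str, str]
DOTTED = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(:\d+)?")   # host[:port]


def split_message(msg: str) -> Tuple[str, List[Header], str]:
    """Start line, (name, value) headers and body of one SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_message(start: str, headers: List[Header], body: str) -> str:
    # Content-Length must describe the body as rewritten
    headers = [(n, str(len(body.encode()))) if n.lower() == "content-length" else (n, v)
               for n, v in headers]
    return "\r\n".join([start] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n" + body


class SipNatProxy:
    """Masquerading SIP proxy on the firewall's public address (constructed)."""

    def __init__(self, public_ip: str, private_prefix: str = "192.168.") -> None:
        self.public_ip = public_ip
        self.private_prefix = private_prefix
        self.bindings: Dict[str, str] = {}   # user -> private host:port seen in Contact

    def _masquerade(self, text: str) -> str:
        """Replace every private host[:port] with the proxy's public address."""
        def repl(m):
            if m.group(1).startswith(self.private_prefix):
                return self.public_ip + (m.group(2) or "")
            return m.group(0)
        return DOTTED.sub(repl, text)

    def outbound(self, msg: str) -> str:
        """Request from a private phone heading to the PBX on the Internet."""
        start, headers, body = split_message(msg)
        rewritten = []
        for name, value in headers:
            if name.lower() == "contact":
                m = re.search(r"sip:([^@>;]+)@([^;>]+)", value)
                if m:                        # remember where the user really is
                    self.bindings[m.group(1)] = m.group(2)
                value = self._masquerade(value)
            elif name.lower() == "via":      # so responses come back to the proxy
                value = self._masquerade(value)
            rewritten.append((name, value))
        # SDP o=/c= lines name the media endpoint; a real proxy must also relay
        # the RTP that follows, which this illustration leaves out
        body = "\r\n".join(self._masquerade(l) if l[:2] in ("c=", "o=") else l
                           for l in body.split("\r\n"))
        return join_message(start, rewritten, body)

    def inbound(self, msg: str) -> str:
        """Request from the PBX for a user the proxy holds a binding for."""
        start, headers, body = split_message(msg)
        method, uri, version = start.split(" ", 2)
        m = re.match(r"sip:([^@>;]+)@", uri)
        if not m or m.group(1) not in self.bindings:
            raise LookupError(f"no registered binding for {uri}")   # unknown target: drop
        start = f"{method} sip:{m.group(1)}@{self.bindings[m.group(1)]} {version}"
        return join_message(start, headers, body)


# Constructed messages: softphone 192.168.1.20 behind NAT, proxy at 203.0.113.5,
# PBX at 198.51.100.9 (documentation address ranges, not real hosts).
REGISTER = (
    "REGISTER sip:pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:1001@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
SDP = "v=0\r\no=1001 1 1 IN IP4 192.168.1.20\r\nc=IN IP4 192.168.1.20\r\nm=audio 8000 RTP/AVP 0\r\n"
INVITE_OUT = (   # headers trimmed to the ones the proxy touches
    "INVITE sip:support@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK74bf9\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n\r\n" + SDP
)
INVITE_IN = (
    "INVITE sip:1001@203.0.113.5:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.9:5060;branch=z9hG4bKnashds8\r\n"
    "Content-Length: 0\r\n\r\n"
)


def demo() -> Tuple[str, str, str]:
    proxy = SipNatProxy("203.0.113.5")
    return proxy.outbound(REGISTER), proxy.outbound(INVITE_OUT), proxy.inbound(INVITE_IN)
```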
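The ENUM lookup described in the ENUM, E.164 AND DUNDI section above, as an added illustration (not code from Asterisk or DUNDi): the E.164 number becomes a name under e164.arpa by reversing its digits, and the NAPTR records found at that name are applied in order to produce a routable URI. The zone content, number and URIs are constructed, and a constructed record set stands in for the DNS query so the code runs offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# NAPTR record as (order, preference, flags, service, regexp)
Naptr = Tuple[int, int, str, str, str]
E164 = re.compile(r"^\+[1-9]\d{6,14}$")   # '+' then at most 15 digits, no leading zero


def normalize(number: str) -> str:
    """Strip the spaces, dashes, dots and brackets people type; keep the '+'."""
    return re.sub(r"[\s\-().]", "", number)


def is_e164(number: str) -> bool:
    return bool(E164.match(normalize(number)))


def enum_domain(number: str) -> str:
    """+353 1 234 5678 -> 8.7.6.5.4.3.2.1.3.5.3.e164.arpa"""
    digits = normalize(number)
    if not E164.match(digits):
        # the string becomes a DNS name, so accept nothing but a fully
        # qualified E.164 number before building the query
        raise ValueError(f"not a fully qualified E.164 number: {number!r}")
    return ".".join(reversed(digits[1:])) + ".e164.arpa"


def apply_naptr_regexp(rule: str, number: str) -> Optional[str]:
    """Apply a NAPTR regexp field ('!pattern!replacement!flags') to the number.
    Returns the resulting URI, or None when the pattern does not match."""
    if len(rule) < 2:
        raise ValueError(f"malformed NAPTR regexp: {rule!r}")
    delim = rule[0]
    parts = rule[1:].split(delim)
    if len(parts) < 2:
        raise ValueError(f"malformed NAPTR regexp: {rule!r}")
    pattern, replacement = parts[0], parts[1]
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2] else 0
    m = re.match(pattern, number, flags)
    return m.expand(replacement) if m else None   # \1..\9 backreferences, as in NAPTR


def resolve(number: str, records: List[Naptr]) -> List[Tuple[str, str]]:
    """Routable (service, uri) pairs, lowest order then lowest preference first."""
    digits = normalize(number)
    routes = []
    for order, pref, flags, service, rule in sorted(records, key=lambda r: (r[0], r[1])):
        # only terminal ('u') E2U rules yield a URI a call can be routed to
        if "u" not in flags.lower() or not service.upper().startswith("E2U+"):
            continue
        uri = apply_naptr_regexp(rule, digits)
        if uri:
            routes.append((service, uri))
    return routes


# Constructed stand-in for the DNS answer; a real resolver would query NAPTR here
ENUM_ZONE: Dict[str, List[Naptr]] = {
    "8.7.6.5.4.3.2.1.3.5.3.e164.arpa": [
        (100, 10, "u", "E2U+sip", r"!^.*$!sip:sales@pbx.example.ie!"),
        (100, 20, "u", "E2U+mailto", r"!^.*$!mailto:sales@example.ie!"),
        (200, 10, "u", "E2U+pstn:tel", r"!^\+(.*)$!tel:+\1!"),
    ],
}


def lookup(number: str, zone: Dict[str, List[Naptr]] = ENUM_ZONE):
    """ENUM domain for the number and the routes found there (none if no records)."""
    name = enum_domain(number)
    return name, resolve(number, zone.get(name, []))


if __name__ == "__main__":
    print(lookup("+353 1 234 5678"))
```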
Deploying Wifidog -- The embedded Captive Portal

WIFIDOG IS A C BASED CAPTIVE PORTAL DESIGNED FOR THE LINKSYS WRT54G BUT RUNS ON ANY LINUX PLATFORM. IT PROVIDES ACCESS CONTROL, BANDWIDTH ACCOUNTING AND MUCH MORE

BY JOHN BUSWELL

Wifidog is a lightweight captive portal solution designed to run on embedded devices such as the Linksys WRT54G. The Linksys WRT54G and WRT54GS are low cost wireless routers from Linksys that run Linux. These devices can run alternative firmware; be careful, because running such firmware will VOID YOUR WARRANTY. However most retail outlets have these routers for under $70, so it is not too much to risk.

OpenWRT is the alternative firmware choice for running open source applications on the WRT54G; from this point on I'll refer to the WRT54G/GS as the AP (access point). Building OpenWRT is relatively easy: you simply download the latest release from www.openwrt.org, uncompress, run make menuconfig, run through the menu options to suit your needs, then run make. From that point on it's pretty much automated. You will need an Internet connection; broadband is recommended due to some larger downloads such as the Linux kernel.

Why would you want to risk your warranty over some free software, surely Linksys has the best firmware? Well, Linksys has the product designed for your average user, which works great, but the hardware platform is extremely flexible running OpenWRT. Once you have OpenWRT on there you are free to upload almost any open source application that will compile and fit on the hardware. You might want to run a SIP phone behind the wireless router; well, with OpenWRT you can load siproxd onto the Linksys along with iptables and that's it. As you start to use OpenWRT more, you'll see exactly how flexible and how great it is to be able to add new capabilities to your network.

WHAT IS A CAPTIVE PORTAL

A captive portal is essentially a means to prevent a user from accessing network resources (mainly the Internet) until they have authenticated with a server. Typically a captive portal is used at wireless hotspots, allowing the user to log in, authenticate and use the network as their privileges allow. The user doesn't have to know a particular address; when they attempt to use their browser they are transparently redirected to the authentication page.

Wifidog is interesting in that it is lightweight enough to run directly on low cost wireless hardware such as the AP, and checks network activity rather than using a JavaScript window. This allows PDAs, cell phones and Sony PSPs to utilize the resources.

HOW DOES WIFIDOG WORK?

The solution works by using firewall rules to control traffic through the router. When a new user attempts to access a web site, the wifidog component on the AP will transparently redirect the user to the auth server where they can either log in or sign up. The auth server and the wifidog component on the AP will negotiate how to handle the client, whether to permit or deny certain network access. The AP talks to the auth server periodically to update statistics such as uptime, load, traffic per client and to act as a heartbeat.

The flow diagram below illustrates the process that Wifidog utilizes (courtesy of Ile Sans Fil (www.wifidog.org)).
INTRUSION DETECTION SYSTEMS (IDS) MAKE UP AN IMPORTANT PART OF ANY NETWORK SECURITY POLICY

BY JOHN BUSWELL

An intrusion is unauthorized network or system activity on your servers or networks. Intrusion detection is the art of detecting this unauthorized activity amongst legitimate network traffic by sifting through the data flowing across your network. This article focuses on Network Intrusion Detection Systems (NIDS); another form of IDS is Host Intrusion Detection Systems (HIDS). The difference is primarily that the latter focuses on the protection of just one system. There are advanced solutions such as distributed IDS and IDS load balancing; these will be discussed in dedicated articles later in this series on IDS.

Some businesses feel that complex IDS solutions are overkill because they operate a small business that nobody is going to be concerned with. However, these days, it is the computing resources and your bandwidth to the Internet that attackers want, not necessarily your intellectual property or to disrupt your business. Think of attackers as network "car-jackers": they don't care who you are, they just want your "car". An IDS solution will help detect signs that someone is looking for or trying specific exploits against your infrastructure in an attempt to gain further information or access.

There is one aspect of IDS that is often overlooked by technical staff and that is the legalities of performing Network IDS. In many countries there are strict wire-tapping laws and regulations. If you do not already have an IDS in place, especially for small and medium sized businesses, it is always worth consulting with a legal expert to determine what laws and regulations you must abide by, as this may determine what you must disclose to employees and customers and how IDS information is reported.

Snort is the de facto standard for intrusion detection/prevention systems. Snort utilizes a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. Snort is the most widely deployed IDS technology in the world. If you want to do network IDS, then Snort is the way to go. Snort supports IP defragmentation, TCP stream reassembly and stateful protocol analysis. This article is going to briefly introduce Snort to you, how to attach it to your network and where to look next. As the series progresses, we will look at advanced techniques such as defragmentation, custom rules and much more.

ATTACHING SNORT TO YOUR NETWORKS

Before going into compiling and configuring Snort, it is important to understand that Snort, like other Network IDS solutions, must be attached to your network at the correct location, otherwise the effectiveness of the IDS solution is reduced. Typically the best location for small and medium sized businesses is to monitor links to/from the Internet. In a switched environment the router(s) to the Internet are connected to a switch port or VLAN; most enterprise grade switches support what's called port mirroring, or for Cisco users "SPAN". This allows you to configure the switch to take port or VLAN traffic and duplicate it out a mirroring port. The downside to port mirroring is that on some switches under heavy load you can seriously impact the performance of the switch; also, if the traffic you are trying to monitor exceeds the capabilities of the mirroring port, you will not be able to mirror all packets at high network utilization.

Another option is to insert a hub in-line, and attach the IDS to the hub, allowing normal traffic to flow across the hub. The downside to this method is that data loss occurs due to collisions at high bandwidth utilization, it creates an additional single point of failure and you will lose full-duplex capabilities. A more expensive option is to use network taps; taps are discussed at length at http://www.snort.org/docs/#deploy. Cost, multiple NICs and slightly more complex installation due to the addition of channel bonding in order to do stateful analysis are the downsides to using network taps.
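The TCP stream reassembly that the article credits Snort with, as an added illustration (not Snort's code): a signature split across two out-of-order segments is invisible to per-packet matching but found once the stream is rebuilt in sequence order. The traffic, flow addresses and signature string are constructed; the first-seen-wins overlap policy is one of several a real sensor would choose per target operating system.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str]   # (source, destination) of one direction of a TCP connection


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    seq: int
    payload: bytes


def stateless_match(segments: List[Segment], signature: bytes) -> List[int]:
    """Per-packet inspection: seq numbers of segments that contain the whole signature."""
    return [s.seq for s in segments if signature in s.payload]


class StreamReassembler:
    """Collects the segments of each flow and rebuilds the byte stream in sequence
    order, tolerating out-of-order arrival, duplicates and overlapping data."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Dict[int, bytes]] = {}

    def add(self, seg: Segment) -> None:
        held = self.flows.setdefault((seg.src, seg.dst), {})
        # first-seen data wins: a later segment with the same seq is treated as a
        # retransmission (real sensors make this policy target-OS dependent)
        held.setdefault(seg.seq, seg.payload)

    def stream(self, key: FlowKey) -> bytes:
        """Contiguous data from the lowest seq seen up to the first gap."""
        held = self.flows.get(key, {})
        data = bytearray()
        expected = None
        for seq in sorted(held):
            payload = held[seq]
            if expected is None:
                expected = seq
            if seq > expected:
                break                               # missing segment: stop at the hole
            payload = payload[expected - seq:]      # trim bytes overlapping accepted data
            data += payload
            expected += len(payload)
        return bytes(data)


def stateful_match(reassembler: StreamReassembler, key: FlowKey, signature: bytes) -> bool:
    return signature in reassembler.stream(key)


# Constructed traffic: one HTTP request whose User-Agent carries a made-up
# signature, split across two segments that arrive out of order, followed by a
# retransmission of the first one.
SIGNATURE = b"EVIL-CMD"
FLOW: FlowKey = ("10.0.0.5", "203.0.113.10")
FIRST = b"GET /index.html HTTP/1.0\r\nUser-Agent: EVIL-"
SECOND = b"CMD\r\n\r\n"
SEGMENTS = [
    Segment(*FLOW, seq=1000 + len(FIRST), payload=SECOND),   # arrives first
    Segment(*FLOW, seq=1000, payload=FIRST),
    Segment(*FLOW, seq=1000, payload=FIRST),                 # duplicate
]


def demo() -> Tuple[List[int], bool, bytes]:
    """(per-packet hits, hit after reassembly, rebuilt stream) for the sample flow."""
    reassembler = StreamReassembler()
    for seg in SEGMENTS:
        reassembler.add(seg)
    return (stateless_match(SEGMENTS, SIGNATURE),
            stateful_match(reassembler, FLOW, SIGNATURE),
            reassembler.stream(FLOW))


if __name__ == "__main__":
    print(demo())
```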