Planet SysAdmin


March 16, 2010

Chris Siebenmann

The Solaris 10 NFS server's caching of filesystem access permissions

Earlier, I mentioned that modern NFS servers don't have a comprehensive list of NFS filesystem access permissions stored in the kernel; instead they have a cache and some sort of upcall mechanism where the kernel will ask mountd if a given client has access to a given filesystem if necessary. I've recently been investigating how Solaris 10 handles this, so here's what I know of the kernel authorization cache:

First, the Solaris kernel does cache negative entries (this IP address is not allowed to access this filesystem at all). This turns out to be fairly dangerous, because the cache has no timeout. If a negative entry is ever checked and cached, it will stay there until you flush the filesystem's cache entirely.

(The same is true of positive entries that you want to get rid of, either because you've removed a client's authorization or because you want to change how the filesystem is exported to it; part of the cache entry is whether the client has read-write or read-only access, and whether root is remapped or not. Or just because a machine has changed IP address and you want to get rid of any permissions that the old IP address has.)

The overall cache has no size limit at all, beyond a general one set by kernel memory limits. It will get shrunk if the kernel needs to reclaim memory, but even then no entry less than 60 minutes old will be removed. In our environment, such cache reclaims appear to be vanishingly uncommon (i.e., completely unseen), based on kernel stats.

There is a separate auth cache for each exported filesystem. As far as I can tell, a filesystem's auth cache is discarded entirely if it is unshared or reshared, including if it is reshared with the same sharing settings. It otherwise effectively never expires entries. Flushing a filesystem's auth cache causes every client to be revalidated the next time that they make an NFS request to that filesystem.

Because all of this is only in kernel memory, all auth caches are lost if the system reboots. Thus on fileserver reboot all clients are revalidated for all filesystems on a rolling basis, as each client tries to do NFS to each filesystem that they have mounted. This may provoke a storm of revalidations after the reboot of a popular fileserver with a bunch of clients.

The cache is populated by upcalling to mountd on hopefully infrequent demand (through mechanisms that are beyond the scope of this entry). If mountd answers properly its answer of the moment, whatever that is, gets cached. There are presumably timeout and load limits on these upcalls, but I don't understand (Open)Solaris code well enough yet to find them. (I hope that more than one upcall can be in progress at once.)

Sidebar: Getting cache stats

This is for the benefit of people (such as me) poking around with mdb -k. The internal NFS server auth cache stats are in three variables: nfsauth_cache_hit, nfsauth_cache_miss, and nfsauth_cache_reclaim, which counts how many times a reclaim has been done (but not how many entries have been reclaimed). To see them (in hex) one uses the mdb command:

nfsauth_cache_hit ::print

The code for most of this is in nfs_auth.c in usr/src/uts/common/fs/nfs; see also nfs_export.c, which has the overall NFS server export list.
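To make the consequences of those rules concrete, here is an added model of the cache as described above (my code, not Solaris or OpenSolaris source): per-export entries that carry rw/ro and root-remap state, negative entries cached with no expiry, a reclaim that spares anything under 60 minutes old, a reshare that flushes everything, and the three stats counters. The export path, client address and the mountd stand-in are constructed.

```python
from dataclasses import dataclass, field

RECLAIM_MIN_AGE = 60 * 60  # a reclaim never removes an entry younger than 60 minutes


@dataclass
class AuthEntry:
    access: str          # 'rw', 'ro', or 'none' for a negative (denied) entry
    root_remapped: bool  # whether root on the client is mapped to nobody
    created: float       # seconds on the caller's clock, used only by reclaim()


@dataclass
class ExportAuthCache:
    """Auth cache for one exported filesystem; entries never expire on their own."""
    path: str
    mountd: object                          # hypothetical upcall: (path, client) -> (access, root_remapped)
    entries: dict = field(default_factory=dict)
    hits: int = 0                           # nfsauth_cache_hit
    misses: int = 0                         # nfsauth_cache_miss
    reclaims: int = 0                       # nfsauth_cache_reclaim: reclaim runs, not entries removed

    def check(self, client, now):
        """Answer an NFS request from client; upcall to mountd only on a cache miss."""
        entry = self.entries.get(client)
        if entry is not None:
            self.hits += 1
            return entry.access, entry.root_remapped
        self.misses += 1
        access, root_remapped = self.mountd(self.path, client)
        # mountd's answer of the moment is cached, including a denial
        self.entries[client] = AuthEntry(access, root_remapped, now)
        return access, root_remapped

    def reclaim(self, now):
        """Kernel memory pressure: drop only entries that are at least 60 minutes old."""
        self.reclaims += 1
        self.entries = {c: e for c, e in self.entries.items()
                        if now - e.created < RECLAIM_MIN_AGE}

    def reshare(self):
        """unshare or reshare (even with identical options) discards the whole cache."""
        self.entries.clear()


def stale_denial_scenario():
    """A client denied once stays denied after access is granted, until the export is reshared."""
    allowed = set()

    def mountd(path, client):  # stand-in for the real upcall; consults the current export options
        return ('rw', True) if client in allowed else ('none', True)

    cache = ExportAuthCache('/export/home', mountd)
    client = '10.1.1.5'                                  # constructed address
    first = cache.check(client, now=0)                   # miss: mountd says 'none', cached
    allowed.add(client)                                  # admin now grants the client access
    still = cache.check(client, now=1800)                # hit: stale 'none', mountd never asked
    cache.reclaim(now=1800)                              # entry is only 30 minutes old, survives
    after_reclaim = cache.check(client, now=1800)        # hit: still 'none'
    cache.reshare()                                      # unshare/reshare the export: cache flushed
    fixed = cache.check(client, now=1800)                # miss: mountd now says 'rw'
    stats = (cache.hits, cache.misses, cache.reclaims)
    return first[0], still[0], after_reclaim[0], fixed[0], stats


if __name__ == '__main__':
    print(stale_denial_scenario())  # ('none', 'none', 'none', 'rw', (2, 2, 1))
```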

by cks at March 16, 2010 05:06 AM

Brian Jones

Quick Loghetti Update

For the familiar and impatient: Loghetti has moved to github and has been updated. An official release hasn’t been made yet, but cloning the repository and installing argparse will result in perfectly usable code. More on the way.

For the uninitiated, Loghetti is a command line log sifting/reporting tool written in Python to parse Apache Combined Format log files. It was initially released in late 2008 on Google Code. I used loghetti for my own work, which involved sifting log files with tens of millions of lines. Needless to say, it needed to be reasonably fast, and give me a decent amount of control over the data returned. It also had to be easy to use; just because it’s fast doesn’t mean I want to retype my command because of confusing options or the like.

So, loghetti is reasonably fast, and reasonably easy, and gives a reasonable amount of control to the end user. It’s certainly a heckuva lot easier than writing regular expressions into ‘grep’ and doing the ol’ ‘press & pray’.

Loghetti suffered a bit over the last several months because one of its dependencies broke backward compatibility with earlier releases. Such is the nature of development. Last night I finally got to crack open the code for loghetti again, and was able to put a solution together in an hour or so, which surprised me.

I was able to completely replace Doug Hellmann’s CommandLineApp with argparse very, very quickly. Of course, CommandLineApp was taking on responsibility for actually running the app itself (the main loghetti class was a subclass of CommandLineApp), and was dealing with the options, error handling, and all that jazz. It’s also wonderfully generic, and is written so that pretty much any app, regardless of the type of options it takes, could run as a CommandLineApp.

argparse was not a fast friend of mine. I stumbled a little over whether I should just update the namespace of my main class via argparse, or if I should pass in the Namespace object, or… something else. Eventually, I got what I needed, and not much more.

So loghetti now requires argparse, which is not part of the standard library, so why replace what I knew with some other (foreign) library? Because argparse is, as I understand it, slated for inclusion in Python 3, at which point optparse will be deprecated.
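An added illustration, not loghetti's own code: a minimal Apache Combined Log Format sifter that settles the Namespace question the way argparse supports directly, by passing the application object as the namespace= argument of parse_args. The log lines are constructed, and the option and class names are mine.

```python
import argparse
import re
from collections import Counter

# Apache Combined Log Format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log, not real traffic; the last line is deliberately malformed.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2010:23:01:10 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Mar/2010:23:01:12 -0400] "GET /admin/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"
192.0.2.77 - - [15/Mar/2010:23:02:00 -0400] "GET /login HTTP/1.0" 404 - "-" "curl/7.19"
192.0.2.77 - - [15/Mar/2010:23:02:01 -0400] "POST /login HTTP/1.0" 404 - "-" "curl/7.19"
203.0.113.9 - alice [15/Mar/2010:23:03:30 -0400] "GET /report.pdf HTTP/1.1" 200 88211 "http://intranet.example/" "Mozilla/5.0"
this line is not in combined format
"""


def parse_line(line):
    """Return one Combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['bytes'] = 0 if rec['bytes'] == '-' else int(rec['bytes'])  # "-" means no body
    parts = rec['request'].split(' ')      # %r is "METHOD PATH PROTOCOL"
    rec['method'] = parts[0]
    rec['path'] = parts[1] if len(parts) > 1 else ''
    return rec


class Sifter:
    """The application object; argparse writes the options straight onto it."""

    def __init__(self):
        self.status = None   # keep only this HTTP status code
        self.method = None   # keep only this request method
        self.ip = None       # keep only this client address
        self.top = 0         # if > 0, report the N most requested paths instead
        self.skipped = 0     # lines that did not parse

    def matches(self, rec):
        return ((self.status is None or rec['status'] == self.status)
                and (self.method is None or rec['method'] == self.method)
                and (self.ip is None or rec['host'] == self.ip))

    def sift(self, lines):
        """Yield parsed records that pass every filter, counting unparseable lines."""
        for line in lines:
            if not line.strip():
                continue
            rec = parse_line(line)
            if rec is None:
                self.skipped += 1
            elif self.matches(rec):
                yield rec

    def top_paths(self, lines):
        return Counter(r['path'] for r in self.sift(lines)).most_common(self.top)


def build_parser():
    p = argparse.ArgumentParser(description='sift Apache Combined Format logs')
    p.add_argument('--status', type=int)
    p.add_argument('--method')
    p.add_argument('--ip')
    p.add_argument('--top', type=int)
    return p


def run(argv, lines):
    """Parse argv onto a Sifter and return the matching records or the top-N path report."""
    # namespace= makes argparse set attributes on the Sifter itself; attributes the
    # object already has keep their value unless the option was given on the command line.
    sifter = build_parser().parse_args(argv, namespace=Sifter())
    if sifter.top:
        return sifter.top_paths(lines)
    return list(sifter.sift(lines))


if __name__ == '__main__':
    import sys
    for item in run(sys.argv[1:], sys.stdin):
        print(item)
```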

So, head on over to the GitHub repo, give it a spin, and send your pull requests and patches. Let the games begin!


by m0j0 at March 16, 2010 12:23 AM

Programmers that… can’t program.

So, I happened across this post about hiring programmers, which references two other posts about hiring programmers. There seems to be a demand for blog posts about hiring programmers, but that’s not why I’m writing this. I’m writing because there was this sort of nagging irony that I couldn’t help but stumble upon.

In a blog post, Joel Spolsky talks about the mathematical inaccuracies associated with claims of “only hiring the top 1%”. It seemed pretty obvious to me that whether or not you’re hiring the top 1% of all programmers is pretty much unknowable, and when managers say they hire “the top 1%”, I assume they’re talking about the top 1% of their applicants. Note too that I always thought it was idiotic to point this out, because, well, isn’t that what you’re SUPPOSED to do? You’re not very well going to aim for the middle & hope for the best are you?

Apparently I’ve been giving too much credit to management. There I go giving people with ties on the benefit of the doubt again.

Then, in another blog post, Jeff Atwood talks about how it’s very difficult to even get interviews with programmers who can actually program. The problem is real.

The original blog post that pointed me at the two others is one by Roberto Alsina where he talks about his own methods for weeding out the non-programmers. He’s clearly seen the issue as well.

But if you open all three of these posts in separate tabs and read them, you’re likely to come away with the same basic problem I did:

  • Who the hell are these managers who can’t figure out a dead simple statistics problem?
  • How can a person fairly inept at simple math be qualified to make a hiring decision for anything but a summer intern?

That sorta blew my mind a little. But it blew my mind a lot when Atwood started describing the problems that interviewees *couldn’t* perform in an interview! One task described by Imran was called a ‘FizzBuzz’ question. Here’s one such question:

Write a program that prints the numbers from 1 to 100. But for multiples of three print “Fizz” instead of the number and for the multiples of five print “Buzz”. For numbers which are multiples of both three and five print “FizzBuzz”.

Here’s the part that blew my mind: He says, and I quote:

Most good programmers should be able to write out on paper a program which does this in under a couple of minutes.

Want to know something scary? – the majority of comp sci graduates can’t. I’ve also seen self-proclaimed senior programmers take more than 10-15 minutes to write a solution.

That’s amazing to me. I decided to quickly pop open a Python prompt and see if I could do it:

>>> for i in range(1,101):
...     if (i % 3 == 0) and (i % 5 == 0):
...             print i,'FizzBuzz'
...     elif i % 3 == 0:
...             print i, 'Fizz'
...     elif i % 5 == 0:
...             print i, 'Buzz'
...     else:
...             print i
...

Turns out it worked on the first try! That was pasted directly from my terminal screen. I didn’t time myself, but it took far less than 5 minutes. This leads to my other question, of course, which is “if you’re going to complain about CS degree holders not writing good code, maybe it’s time to open the doors to non-CS degree holders?”


by m0j0 at March 16, 2010 12:06 AM

March 15, 2010

TechRepublic IT Security

Are users right in rejecting security advice?

Should you change your passwords often? What’s the risk if you don’t? Little did I know, listening to one podcast would cause me to rethink how I would answer those questions.


I now understand why my friend insisted I listen to Episode 229 of the Security Now series. He wanted to introduce me to Cormac Herley, Principal Researcher at Microsoft, and his paper, “So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.”

Dr. Herley introduced the paper this past September at the New Security Paradigms Workshop, a fitting venue. See if you agree after reading the group’s mandate:

“NSPW’s focus is on work that challenges the dominant approaches and perspectives in computer security. In the past, such challenges have taken the form of critiques of existing practice as well as novel, sometimes controversial, and often immature approaches to defending computer systems.

By providing a forum for important security research that isn’t suitable for mainstream security venues, NSPW aims to foster paradigm shifts in information security.”

Herley’s paper is of special interest to the group. Not only does it meet one of NSPW’s tenets of being outside the mainstream. It forces a rethink of what’s important when it comes to computer security.

Radical thinking

To get an idea of what the paper is about, here’s a quote from the introduction:

“We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot.”

The above diagram (courtesy of Cormac Herley) shows what he considers as direct and indirect costs. So, is Herley saying that heeding advice about computer security is not worth it? Let’s find out.

Who’s right

Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working.

Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process. He offers the following as reasons why:

  • Users understand that there is no assurance that heeding advice will protect them from attacks.
  • Users also know that each additional security measure adds cost.
  • Users perceive attacks to be rare. Not so with security advice; it’s a constant burden, thus costs more than an actual attack.

To explain

As I read the paper, I sensed Herley was coaxing me to stop thinking like an IT professional and start thinking like a mainstream user. That way, I would understand the following:

  • The sheer volume of advice is overwhelming. There is no way to keep up with it. Besides that, the advice is fluid. What’s right one day may not be the next. I agree, this link is to US-CERT security bulletins for just the week of March 1, 2010.
  • The typical user does not always see benefit from heeding security advice. I once again agree. Try to explain to someone who had a password stolen by a key logger, why a strong password is important.
  • The benefit of heeding security advice is speculative. I checked and could not find significant data on the number and severity of attacks users encounter, let alone data quantifying positive feedback from following security advice.

Cost versus benefit

I wasn’t making the connection between cost-benefit trade-offs and IT security. My son, an astute business-type, had to explain that costs and benefits do not always directly refer to financial gains or losses. After hearing that, things started making sense. One such cost analysis was described by Steve Gibson in the podcast.

Gibson simply asked, how often do you require passwords to be changed? I asked several system administrators what time frame they used, most responded once a month. Using Herley’s logic, that means an attacker potentially has a whole month to use the password.

So, is the cost of having users struggle with a new password every month beneficial? Before you answer, you may also want to think about bad practices users implement because of the frequent-change policy:

  • By the time a user is comfortable with a password, it’s time to change. So, users opt to write passwords down. That’s another whole debate; ask Bruce Schneier.
  • Users know how many passwords the system remembers and cycle through that amount, which allows them to keep using the same one.

Is anything truly gained by having passwords changed often? The only benefit I see is if the attacker does not use the password within the password-refresh time limit. What’s your opinion? Is changing passwords monthly a benefit or a cost?

Dr. Herley does an in-depth cost-benefit analysis in three specific areas, password rules, phishing URLs, and SSL certificate errors. I would like to spend some time with each.

Password rules

Password rules place the entire burden on the user. So, they understand the cost from having to abide by the following rules:

  • Length
  • Composition (e.g. digits, special characters)
  • Non-dictionary words (in any language).
  • Don’t write it down
  • Don’t share it with anyone
  • Change it often
  • Don’t re-use passwords across sites

The report proceeds to explain how each rule is not really helpful. For example, the first three rules are not important, as most applications and Web sites have a lock out rule that restricts access after so many tries. I already touched on why “Change it often” is not considered helpful.

All said and done, users know that strictly observing the above rules is no guarantee of being safe from exploits. That makes it difficult for them to justify the additional effort and associated cost.

Phishing URLs

Trying to explain URL spoofing to users is complicated. Besides, by the time you get through half of all possible iterations, most users are not listening. For example, the following slide (courtesy of Cormac Herley) lists some spoofed URLs for PayPal:

To reduce cost to users, Herley wants to turn this around. He explains that users need to know when the URL is good, not bad:

“The main difficulty in teaching users to read URLs is that in certain cases this allows users to know when something is bad, but it never gives a guarantee that something is good. Thus the advice cannot be exhaustive and is full of exceptions.”

Certificate errors

For the most part, people understand SSL, the significance of https, and are willing to put up with the additional burden to keep their personal and financial information safe. Certificate errors are a different matter. Users do not understand their significance and for the most part ignore them.

I’m as guilty as the next when it comes to certificate warnings. I feel like I’m taking a chance, yet what other options are available? After reading the report, I am not as concerned. Why, statistics show that virtually all certificate errors are false positives.

The report also reflects the irony of thinking that ignored certificate warnings will lead to problems. Typically, bad guys do not use SSL on their phishing sites and if they do, they are going to make sure their certificates work, not wanting to bring any undue attention to their exploit. Herley states it this way:

“Even if 100% of certificate errors are false positives it does not mean that we can dispense with certificates. However, it does mean that for users the idea that certificate errors are a useful tool in protecting them from harm is entirely abstract and not evidence-based. The effort we ask of them is real, while the harm we warn them of is theoretical.”

Outside the box

There you have it. Is that radical-enough thinking for you? It is for me. That said, Dr. Herley offers the following advice:

“We do not wish to give the impression that all security advice is counter-productive. In fact, we believe our conclusions are encouraging rather than discouraging. We have argued that the cost-benefit trade off for most security advice is simply unfavorable: users are offered too little benefit for too much cost.

Better advice might produce a different outcome. This is better than the alternative hypothesis that users are irrational. This suggests that security advice that has compelling cost-benefit trade off has real chance of user adoption. However, the costs and benefits have to be those the user cares about, not those we think the user ought to care about.”

Herley offers the following advice to help us get out of this mess:

  • We need an estimate of the victimization rate for any exploit when designing appropriate security advice. Without this we end up doing worst-case risk analysis.
  • User education is a cost borne by the whole population, while offering benefit only to the fraction that fall victim. Thus the cost of any security advice should be in proportion to the victimization rate.
  • Retiring advice that is no longer compelling is necessary. Many of the instructions with which we burden users do little to address the current harms that they face.
  • We must prioritize advice. In trying to defend everything we end up defending nothing. When we provide long lists of unordered advice we abdicate all opportunity to have influence and abandon users to fend for themselves.
  • We must respect users’ time and effort. Viewing the user’s time as worth $2.6 billion an hour is a better starting point than valuing it at zero.

Final thoughts

The big picture idea I am taking away from Dr. Herley’s paper is that users have never been offered security. All the advice, policies, directives, and what not offered in the name of IT security only promotes reduced risk. Could changing that be the paradigm shift needed to get information security on track?

I want to thank Dr. Cormac Herley for his thought-provoking paper and e-mail conversation.




by Michael Kassner at March 15, 2010 09:10 PM

Standalone Sysadmin

NJ SysAdmin Conference Early Bird Extended

PRESS RELEASE

Discounted fee schedule ends Sunday, March 21st

New Brunswick, NJ, Today 42, 2010 – The Professional IT Community Conference (PICC) early bird registration prices have been extended for one week, in order to assist area administrators who have been hit with the economic downturn. This short term rate reduction ends Sunday, March 21st. Until that time, the price for the two-day conference is $249, or $399 for the conference and training. Special low prices are available for students, as well, with conference and training only $99.

The New Jersey chapter of the League of Professional System Administrators, an organization dedicated to facilitating information exchange pertaining to the field of system administration, extended the reduced rate “early bird” registration, citing their desire to ensure that all area system administrators had a chance to take part in the conference. The significantly reduced pricing schedule has been designed to appeal to administrators from infrastructures of all sizes. The conference will be held Friday, May 7th through Saturday, May 8th at the Hyatt Regency in New Brunswick.

The Professional IT Community Conference is a gathering of people from the diverse IT community in New Jersey to learn, share ideas, and network. The conference will include invited speakers and keynotes, top-notch training sessions that are relevant, useful, and recession-friendly, as well as an “unconference” track where attendees propose and host their own topics.

LOPSA-NJ and the Professional IT Community Conference are dedicated to fostering our local expert community and strengthening tomorrow’s computing infrastructure.

For Media Inquiries:

Matt Simmons
PICC Marketing Chairman
http://www.picconf.org
Email: media@lopsanj.org
Tel: +1 (740) 403-9997


by Matt Simmons at March 15, 2010 08:20 PM

SysAdmin1138

Centralized IT

I've had quite a bit of experience with the process of centralizing IT. At my last job I was at ground zero as I was on the committee that was charged with rationalizing an IT job family structure that was grounded in the early 1980's (key clue, the phrase, "electronic data processing" was slathered across many job titles, a phrase not at all in vogue in the 1990's). This particular consolidation event was driven from a directive from on high, above the CIO. So, as it were, it happened in spite of the grumbling.

WWU has gone through some of its own consolidations, but there are natural barriers to complete consolidation in the Higher Ed market. I'll get to those in a bit. The one thing acting as a serious barrier to consolidation in any organization is departments that are large enough to support their own multi-person IT departments. Departments with one or two people effectively doing the full IT stack (stand-alone sysadmins who also do desktop support, database maintenance, to-the-desk network wiring, and maybe a bit of app-dev on the side) are most vulnerable to being consolidated into the central Borg.

Some departments are all too happy to join the central IT infrastructure, as they see it as a way to shed costs onto another business unit. Others are happy because their own IT people are so overworked, the idea of getting them help is seen as a cost-free mercy; or put another way agreeing to consolidation is seen as a cost-free way to increase IT investment. Still others are happy to join because they want some nifty new technology and their stick-in-the-mud IT people keep saying, "no," and view the central Borg as a way to get that thing.

The big reason departments don't want their IT people consolidated away from them is personalized service. These are people who know the business intimately, something those central-office folk don't. The cost of maintaining an independent IT infrastructure is seen as a perfectly valid business investment in operational efficiency. Any centralization initiative will have to deal with this concern.

The other big reason shows up less often, but is very hard to overcome without marching orders delivered from On High: distrust of central IT in specific. If the business unit that contains central IT is seen to be less competent as compared to the local IT people, that business unit will not consent to centralization. If the people in central IT are collectively viewed as a bunch of idiots, or run by idiots, the only way that unit is centralizing is if a metaphorical gun is held to their heads.

My last job handled all of the above and eventually came to an agreement. First and foremost, it was a fiat from On High that IT centralization would happen. All IT job titles started being paid out of the same budget. We then spent the next four years hammering out the management structure, which meant that for a long time a whole bunch of people had their salary paid by people with 0% influence on their work direction.

Many departments gleefully joined the central infrastructure, driven in large part by their own IT people. They'd been overworked, you see, and the idea of gaining access to a much wider talent pool, and a significantly deeper one as well, was hard to not take advantage of. These were the departments with 1-3 IT people. In almost every case the local IT people stayed in their areas as the local IT contact, which maintained the local knowledge they'd developed over the years.

There was one small department that was a holdout until the very end. An attempt to merge some 5 years earlier had gone horribly wrong, and institutional memory remembered that very clearly. It wasn't until that department got a new director that an agreement was reached. The one IT guy up there stayed up there after the merger and stopped doing server and desktop support in favor of department-specific app-dev work, what he was hired to do in the first place as it happened.

Then the arm-wrestling over the bigger departments took place. For the most part they kept near complete control over their own IT staffs, but their top level IT managers were regularly hauled back to the home IT office for 'management team meetings'. This ended up being a good move, since it reduced the barriers to communication at the very top level, and ultimately led to some better efficiencies overall, especially in the helpdesk area as staff started to move between stacks after a while. Also, the departments that had been deeply skeptical of this whole centralized IT thing started working with other IT managers and getting their concerns heard, which reduced some of the inherent distrust.

With Higher Ed, there is an additional factor or two that my previous job didn't face. First of all, the historic independence of specific Colleges. Second, Universities are generally a lot less command-and-control than their .com or even .gov brethren. This means that centralization relies far more on direct diplomacy between IT business units than it does on direct commands from on high. Distrust in this environment is much harder to overcome, as coercion is not a readily available option.

Back in the day, WWU had 7 separate NDS trees. 7. That's a lot. Obviously, there wasn't much in the way of cross-departmental access of data. Over the course of around 5 years we consolidated down to a single 'WWU' NDS tree. Some departments happily stopped spending IT time on account maintenance tasks and let central IT do it all. Some departments gave up their servers all together. Time passed and still more areas decided they really didn't need to bother keeping local replicas, and let central IT handle that problem.

In the end, handling IT in Higher Ed means dealing with a more heterogeneous environment than is otherwise cost-effective. I've mentioned before how network management on Higher Ed networks resembles ISPs more than it does corporate networks, and that unfortunately applies to things like server and storage purchases. Now that we're in the process of migrating off of NetWare and onto Windows, it means we're now in the process of wrangling over rules governing Active Directory management.

We wrangled NDS control back in the 90's and early 00's, and now it's Microsoft's turn. As with the last round of NDS wrangling, some departments have gleefully turned over control (GPOs and file-server management specifically) of their department to us in ITS. Others, specifically one with a large local IT presence, are really holding out for complete control of their area. They're clearly angling to just use us as an authentication provider and do the rest themselves, something that... well... negotiations are ongoing.

My crystal ball says we have somewhere between 5 to 10 years before the next wave of 'directory' upgrade forces another consolidation. That consolidation just might involve consolidating with a State agency of some kind. Perhaps the State will force us to use a directory rooted in the wa.gov DNS domain (wwu.univ.wa.gov perhaps), and our Auth servers will be based in Olympia rather than on our local network. Don't know. What is true, is that we'll be going through this again, probably within the next decade.

by SysAdmin1138 at March 15, 2010 06:26 PM

:wq

How I develop Clojure with Vim

Recently Lau Jensen wrote a post talking about the features of Emacs and why it increases the productivity of Clojure programmers. While I don’t disagree that lisp programming in general benefits greatly from using Emacs as an editor, there are simply people who are too heavily invested into Vim (like myself) for things like viper-mode to work for them. So, I thought I’d share how I do Clojure development with Vim. Throw in my 2 cents.

The key (for me) to editing Clojure code in Vim is a combination of two plugins, VimClojure and slime.vim (see associated blog post). One of the difficult things is that slime.vim doesn’t actually exist anywhere on vim.org’s list of scripts, so it has to be downloaded from the aforementioned blog post. Stick it in the ~/.vim/plugin directory to install it.

First, VimClojure. I tend not to use Nailgun at all, some people like it, I don’t. So instead of the regular install for vimclojure, I copy over the files from the autoload, doc, ftdetect, ftplugin, indent and syntax folders to their respective Vim folders. If you think you’ll want the Nailgun functionality, you should use the installation instructions provided by Kotarak.

Now, add the settings you need for VimClojure to your .vimrc:

" Settings for VimClojure
let g:clj_highlight_builtins=1      " Highlight Clojure's builtins
let g:clj_paren_rainbow=1           " Rainbow parentheses'!

I have to say, rainbow parentheses is one of the best features of vimclojure, making it easy to see exactly which parenthesis closes which statement:

Now that VimClojure is set up, it’s time to set up the integration with Clojure’s REPL; for that I use slime.vim. Slime.vim uses screen to send the input from your editor to any window in a running screen session, so to get started we’ll have to start up a screen session. To make it easier, you can name it so you don’t have to look up the pid; I’ll call this session “clojure”:

‹ ~ › : screen -S clojure

If you didn’t name your session, or forgot what you named it, you can use screen -ls to look up all the screen sessions you’ve started:

‹ ~ › : screen -ls
There are screens on:
41837.clojure (Attached)
8970.ttys000.Xanadu (Attached)
8990.ttys001.Xanadu (Attached)
9010.ttys002.Xanadu (Attached)
4 Sockets in /tmp/screens/S-hinmanm.

Now, start a REPL in the screen terminal window (use ‘clj’ or ‘lein REPL’ or however you like to start a Clojure REPL). Next, open a clojure file with Vim, highlight a block of code (slime.vim will automatically select a paragraph if your cursor is in the middle of something like a defn), now, press Control-c + Control-c (Ctrl+c twice in a row). You should be prompted by Vim like this:

Enter the name of the screen term, if you named your session “clojure” you’d enter “clojure”, if you didn’t name it, use the pid number you see from the output of ’screen -ls’, next it will ask for which window to send the output to:

If you’ve used screen before (and I’m assuming you have), this is the window number your REPL is running on. After you enter this information the plugin will send the paragraph/line of text to the REPL. From here on the session id and window will be cached, so hitting ctrl+c,ctrl+c again will immediately send whatever function the cursor is on to the REPL. You can also select a block of code using visual mode and use ctrl+c,ctrl+c to send everything selected to the REPL. If you used the wrong numbers, use ctrl+c,v (Control+c, then v) to have slime.vim ask you for the numbers again.
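As an added example (not slime.vim’s code), here is the plumbing the plugin’s screen integration boils down to, done from Python: resolving a session by name from the output of screen -ls and pushing text into a window with screen -X stuff. I’m assuming slime.vim drives the stuff command under the hood; the session listing is constructed after the one shown above, and the function names are mine.

```python
import re
import subprocess

# Constructed `screen -ls` output, modelled on the listing shown in the post.
SAMPLE_SCREEN_LS = """There are screens on:
\t41837.clojure\t(Attached)
\t8970.ttys000.Xanadu\t(Attached)
\t8990.ttys001.Xanadu\t(Attached)
\t9010.ttys002.Xanadu\t(Attached)
4 Sockets in /tmp/screens/S-hinmanm.
"""

SESSION_RE = re.compile(r'^\s*(?P<pid>\d+)\.(?P<name>\S+)\s+\((?P<state>[^)]*)\)')


def list_sessions(listing):
    """Parse `screen -ls` text into (pid, name, state) tuples."""
    found = []
    for line in listing.splitlines():
        m = SESSION_RE.match(line)
        if m:
            found.append((int(m['pid']), m['name'], m['state']))
    return found


def resolve_session(name, listing):
    """Return 'pid.name' for the session called name; refuse if none or several match."""
    ids = [f'{pid}.{n}' for pid, n, _ in list_sessions(listing) if n == name]
    if len(ids) != 1:
        raise LookupError(f'expected one screen session named {name!r}, found {ids}')
    return ids[0]


def stuff_command(session, window, text):
    """argv for `screen -X stuff`: passed as a list, so quotes in the code are never
    seen by a shell; the trailing carriage return is the Enter key for the REPL."""
    return ['screen', '-S', session, '-p', str(window), '-X', 'stuff', text + '\r']


def send_to_repl(name, window, text, listing=None):
    """Type text into window `window` of the screen session called name."""
    if listing is None:
        # screen -ls exits non-zero on some versions even when it lists sessions
        listing = subprocess.run(['screen', '-ls'], capture_output=True, text=True).stdout
    argv = stuff_command(resolve_session(name, listing), window, text)
    subprocess.run(argv, check=True)
    return argv


if __name__ == '__main__':
    print(send_to_repl('clojure', 0, '(defn square [x] (* x x))'))
```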

There you go, you now have a 1-way pipe from your Vim editor to any kind of REPL (be it Clojure, Ruby or Python). Here are a couple of screenshots of the plugin in action:

I know this doesn’t even come close to the amount of integration Emacs has using SLIME, but for me this is exactly what I want out of a Clojure development environment: develop some code and be able to easily send it to a REPL. Hopefully a Vim user or two out there will find this setup useful.

UPDATE: If you’re interested in my full Vim setup for some reason, you can check it out here.

by Lee at March 15, 2010 05:30 PM

TechRepublic IT Security

The Microsoft Internet Driving License

Microsoft’s Craig Mundie is building on his legacy of advocating terrible “security” policy. This time, he has picked up the Internet Driving License bug.


Microsoft executive Craig Mundie has a solid track record for supporting heavily restrictive technologies and technology policies. He has been a vociferous advocate of both the Trusted Computing initiative and DRM, both of which present serious privacy and security issues for individual computer users.

With that track record in mind, it should be no surprise that Mr. Mundie has taken on the mantle of champion of yet another ill-conceived “security” measure that, if implemented worldwide, would have disturbing consequences for individual security and privacy. At the Davos Economic Forum in Switzerland, he called for requirements for individuals to acquire licenses before they can access the Internet. While this sounds like a good idea in theory — if we could ensure everybody who uses the Internet was competent to do so, we really would have a safer Internet — it is not quite so palatable in practice.

As any (real) engineer can tell you, theory and practice are the same in theory, but they are quite different things in practice. When was the last time you saw a licensing system that actually guaranteed competence or, for that matter, at least guaranteed that competent people would not be excluded in favor of the incompetent at least some of the time?

As someone who has been licensed and certified in a number of different areas (including Microsoft certifications, physical security and deadly force management licensing, heavy equipment operation, and even hazardous materials transportation, among others), your humble author can tell you with a fair bit of confidence that it does not take much to corrupt a licensing system to the point that it no longer guarantees anything in particular, other than that a lot of money will be spent, and the more money one has to spend the more likely one is to get licensed.

The problems with Mundie’s suggestions do not stop with licensing itself, however. He also suggested that the United Nations should be granted the power to “organize the systematic quarantine of computers without their owner’s permission.”

Of course, there appears to be little danger of Craig Mundie’s fever dreams becoming a reality. Any effective licensing policy for ensuring that only competent people get to use the Internet would probably effectively bar 80% or more of current users (your humble author’s guesstimate is something more like 98%), and that certainly will not fly. Even ignoring the tremendous outcry of dissent from the populace at large, ISPs will not stand for having the majority of their customers taken away from them.

The alternative (and more likely) licensing scheme would be one that is wholly ineffective, and more prone to ensuring that only people who like the “right” brands and have memorized the “right” corporate-mandated policies will have access to the Internet, aside from those who gain illicit access. It seems unlikely that this sort of mandatory licensing scheme could come to pass as well, though it is at least a vague possibility if the whole world goes nuts next week.

It also seems unlikely that the UN would be granted the power to arbitrarily cut off Internet access for individuals, if only because many of the most powerful nations simply are not strongly inclined to let the UN cut into their economic sovereignty so egregiously. We should keep our fingers crossed, though, just to be sure.

Let’s keep our ears to the ground, listening for the sound of approaching legislation, just in case some technophobes in government might otherwise manage to slip one by us. When dealing with the technologically incompetent in government trying to manage the lives of technical experts in the general populace, there is always the danger that incompetence might win the day.



by Chad Perrin at March 15, 2010 05:28 PM

iDogg

Got preliminary approval for PICC Conference

After a bit of discussion, I got approval to go to the PICC Conference in Jersey. I’m looking to jump on the storage and NAS/SAN workshops. I have little knowledge of IPv6, so I’m going to jump on that session as well. I haven’t gone to a conference in at least half a decade, so I’m looking forward to this.

I’ll probably be the only person who admins a “Novell” network at the conference.  ;)

by Ian at March 15, 2010 02:49 PM

Standalone Sysadmin

Switch Speed and Price – Tradeoffs

How fast should your switches be?

Sure, the answer is “as fast as you can get”, but we don’t all have the budget for, say, this beast (chassis sold separately). Lots of us don’t have money for even a 48 port Gb managed switch.

So when deciding on a switch to buy, there are a lot of variables to examine.

First, the hard requirement is the number of nodes we have to connect to the network. Then we have niceties such as management (so that we can configure and monitor them, use VLANs, etc etc), whether or not they’re stackable and all that…but where does speed come in?

Obviously, a 100Mb/s switch costs less than an otherwise equivalent Gb/s switch.

The rule of thumb I’ve been operating by is that the end user switch shouldn’t be the bottleneck. In other words, the users in my offices talk to servers over the WAN. I’m never (not soon, anyway) going to get a GbE WAN link between my sites. Because of that, the 100Mb/s switches we’re using don’t hold us back. We don’t share files between the users directly, so anything bigger would be overkill.

If my users used local servers, though, an increase in switch speed would dramatically improve the response of the server. The quality of experience would improve, and it would be worth upgrading the switch.

What kind of mental calculations do you use when picking a switch? I’m interested in learning if there’s a “right” way, and if not, maybe we can aggregate all the ways we make the decision into some smart ideas…comment below!


by Matt Simmons at March 15, 2010 02:15 PM

Slaptijack

Voice over IP (VoIP) Protocol Review

SIP (Session Initiation Protocol)

Protocol Basics
Layer: Application
Transport: TCP or UDP
Port(s): 5060, 5061
RFC(s): 2543, 3261

SIP is by far the most popular protocol used in VoIP communication today. SIP was designed as a signaling protocol in charge of setting up and tearing down sessions between two or more devices. Additionally, SIP can be used to modify existing sessions. The protocol was designed to be independent of transport protocols, so SIP can be used over both TCP and UDP. As of this writing, the popular open source PBX Asterisk only supports SIP over UDP.
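To make the "set up, modify, tear down" role concrete, here is an added example (mine, not from this post) that parses a SIP request as it would arrive in a UDP datagram and maps its method onto the session phase it drives; the sample INVITE and BYE, their hosts and Call-IDs are constructed, and header folding and repeated Via headers are deliberately not handled.

```python
"""Minimal SIP request parser and session-phase classifier (added example)."""
from dataclasses import dataclass

# Constructed sample requests in SIP's text format (RFC 3261); hosts, tags and
# Call-IDs are made up. A real INVITE would carry a full SDP body.
INVITE = (
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.net>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"v=0\r\n"
)
BYE = (
    b"BYE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK8a9ff3\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.net>;tag=a6c85cf\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314160 BYE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Headers RFC 3261 requires in every request.
MANDATORY = ("via", "max-forwards", "from", "to", "call-id", "cseq")

# What each method does to a session, following the description above.
METHOD_PHASE = {
    "INVITE": "setup", "ACK": "setup", "UPDATE": "modify",
    "BYE": "teardown", "CANCEL": "teardown",
    "REGISTER": "registration", "OPTIONS": "capability-query",
}


@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict   # header names lower-cased; a repeated header keeps its last value
    body: bytes


def parse_sip_request(raw: bytes) -> SipRequest:
    """Parse one SIP request from a datagram, rejecting anything malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("utf-8").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, request_uri, _version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    missing = [h for h in MANDATORY if h not in headers]
    if missing:
        raise ValueError(f"missing mandatory header(s): {missing}")
    declared = int(headers.get("content-length", len(body)))
    if declared > len(body):
        # Over UDP no more data is coming: the datagram is damaged or truncated.
        raise ValueError(f"Content-Length {declared} exceeds {len(body)} body bytes")
    return SipRequest(method, request_uri, headers, body[:declared])


def session_phase(req: SipRequest, known_call_ids: set) -> str:
    """An INVITE for a Call-ID already in progress is a re-INVITE, i.e. a modification."""
    if req.method == "INVITE" and req.headers["call-id"] in known_call_ids:
        return "modify"
    return METHOD_PHASE.get(req.method, "other")
```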

H.323

Protocol Basics
Layer: Application
Transport: TCP or UDP
Port(s): 1720
RFC(s):

H.323 isn’t a single protocol as much as a system of protocols. It is an ITU recommendation focused on providing multimedia communication in IP networks. One of its strengths over purely audio-based protocols is the ability to provide video conferencing. Other protocols often used in conjunction with H.323 include H.225 for call signaling, H.245 for call control, and the Real-time Transport Protocol (RTP) for multimedia communication.

MGCP (Media Gateway Control Protocol)

Protocol Basics
Layer: Application
Transport: TCP or UDP
Port(s): 200
RFC(s):

Like SIP, MGCP is a signaling protocol. Unlike SIP, MGCP relies on another protocol, Session Description Protocol (SDP), to handle session creation and termination. MGCP was originally designed to handle scaling issues experienced by large service providers. The original purpose of the protocol was to handle communication between call routing devices and media conversion gateways. For example, MGCP might be used between an Asterisk server and a Cisco AS5350 Universal Access Server connected to the PSTN.

SCCP (Skinny Client Control Protocol)

Protocol Basics
Layer: Application
Transport: UDP
Port(s): 2427
RFC(s): 3435

Skinny is a proprietary protocol originally developed by Selsius Systems and now owned and maintained by Cisco Systems. Although proprietary, open source versions of the protocol have been implemented. Although Cisco 7900 series phones use Skinny to communicate with Cisco CallManager, the SMB-targeted Linksys IP phones use SIP.

Inter-Asterisk Exchange (IAX / IAX2)

Protocol Basics
Layer: Application
Transport: UDP
Port(s): 4569
RFC(s): 5456

IAX was designed to provide call control functionality between Asterisk PBXs. One of the benefits of IAX is that both control and data traffic are included in the same stream. Therefore, if a connection can be established, audio will pass successfully. This is not true of signaling protocols that rely on other protocols to provide audio traffic. This makes IAX particularly useful in firewalled / NATed environments. Mark Spencer detailed the benefits of IAX versus SIP.

by Scott Hebert at March 15, 2010 02:00 PM

TechRepublic Network Administrator

Network-based storage options for robust home labs

For many IT pros, the ability to have a robust test environment at home is critical for success on the job or to learn a new skill. IT pro Rick Vanover shares his favorite tools to build up a home lab storage.


Last week’s post by Brad Bird hit home with me. Making a home lab is important, but it can really add up! I maintain a private lab at home where I do extensive testing with virtualization for various network and Windows Server technologies. The one technology, above all else, that needs to be in place to make any degree of home lab effective is some form of shared storage.

My lab has a DroboPro device for my network-based storage. Both the DroboPro and DroboElite units can function as an iSCSI target for SMB or home lab situations. Be sure to check Scott Lowe’s review of the DroboElite in this TechRepublic post. I’ve used the DroboPro as a storage target in my lab, and have been generally satisfied with it. The Drobo series of iSCSI storage devices support VMware connectivity, but do not fully support Hyper-V with clustered shared volumes (CSV), because persistent SCSI-3 reservations are required for Hyper-V virtualization in clusters.

Another popular product is the iomega StorCenter series of products. These offer iSCSI connectivity at a nice entry price as well. Storage expert Stephen Foskett has done a nice independent review of the ix4-200d device on his personal blog site. The StorCenter does have VMware and Hyper-V compatibility, but again does not support persistent SCSI-3 reservations for clustering operations with Hyper-V.

The shared storage wish-list item does not have to be met by purchasing a storage device, however. There are a number of free products that can function as shared storage resources for labs. Here is a breakdown of the ones I’ve used over the years:

StarWind Free: This free software engine can virtualize the storage on a local server, and present it as an iSCSI target. You can purchase software to increase the feature set, including mirroring and failover. StarWind does support Hyper-V clustering with persistent SCSI-3 reservations with their iSCSI target implementation.

Openfiler: This free software-based storage virtualization engine is multi-protocol, including iSCSI and NFS. Should you also have a Fibre Channel or CIFS itch to scratch, this free product can help here as well.

NexentaStor: This software-based storage virtualization engine also can do many different protocols, including iSCSI and NFS. Further, there is a VMware-based image that can be plugged into your existing test installation as a storage device.

FalconStor Network Storage Server: This software-based storage virtual appliance has a free offering for the small business or remote office.

When it comes to deciding between a dedicated, purpose-built storage device like the Drobo or StorCenter and a software-based solution like StarWind or Openfiler, there are a number of considerations to take into account. First of all, either kind should be given its own network: running a storage protocol over a network that already approaches line rate with normal traffic will be less than optimal. Performance-wise, you may get better disk access from the software-based solutions, which can make use of potentially higher-performing array controllers.

One last recommendation is to create two classes of logical unit numbers (LUNs). One class would be for static data that will never be erased. The second class would be true lab use LUNs. The best way to distinguish between them is to do both LUN masking at the storage controller (if possible) and in my case, I make them a special size. For example, I know that the 2 TB LUN is the permanent LUN with all of my CD-ROM .ISO files and permanent virtual machines. Therefore, any 1 TB LUN is a lab-use LUN that I can break down and re-use as needed.

Above all else, dedicated storage allows the lab to reset and be rebuilt. Whether or not virtualization is in play, it is important to have a storage environment that is relatively removed from the constant tear-down and rebuild of the lab systems.

How do you provision storage in your lab? Do you use a network-based storage protocol? If so, which product?



by Rick Vanover at March 15, 2010 01:19 PM

TechRepublic Network Administrator

Product Spotlight: Desktop Authority Password Self-Service

Derek Schauland introduces the Desktop Authority Password Self-Service app from ScriptLogic that allows users to reset their own passwords.


Keeping track of passwords is increasingly difficult: with PINs, bank passwords, Web site logons, Windows passwords, and more, it’s an ever-increasing list to manage. It’s no wonder that the password reset feature gets used so often.

In business, the Windows logon password is the key to many employees’ work lives. Occasionally, they are going to forget their password or enter it incorrectly too many times, which may lock them out for a period of time. This is where Desktop Authority Password Self-Service (DAPSS) by ScriptLogic comes in, helping out users and help desk staff in a pinch.

Specifications

DAPSS requires SQL 2000 or 2005 for data storage and reporting and Internet Information Server on the server end.

Supported operating systems:

  • Windows 2000
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2003 SP1 or higher

Who’s it for?

DAPSS is great for organizations of all sizes where resources are stretched thin or at a premium because of other challenges. The product also licenses for about US$7 per user, less if you are already a Desktop Authority customer, which makes the application very affordable for organizations of any size.

What problem does it solve?

The application puts password control in the hands of the users. Allowing a user to change an expired or forgotten password or unlock a user account by answering some challenge questions eliminates the need for the user to call the help desk. It also makes the password accessible 24 hours per day. This improves the convenience for the users as well.

Standout features

DAPSS is very easy to configure. The user information is imported from Active Directory to speed setup and avoid record duplication. The tool also comes with a help desk component which allows users to get help if they have not yet registered with the service or need help getting the hang of it. Because the help desk does not need to access the user account directly to reset the password or unlock the account, the users needing help will get it much faster.

The user experience within the application is very simple. You can search for a user’s account by certain characteristics from the user name to partial first or last name. Challenge questions are configured during the initial setup and used to aid with the account actions going forward.

DAPSS includes a free trial to allow you to test it in your environment with a pilot group or to get it configured and ensure it works as needed before paying for a license.

Figure A


The user experience for registered users of Password Self-Service

Figure B


The Admin console

What’s wrong?

Changing the password policies at any organization can be a challenge for IT, but will be a benefit for the users in the long run. It will take some time to change the habit of your users to manage their own passwords rather than calling the help desk.

Because users are allowed to manage their own passwords through a Web interface, some vulnerability is introduced. Social engineering scammers (or just employees who already know a lot about each other) could guess the answers to challenge questions for their fellow users, leaving the door open to unauthorized use of accounts.

The application can let the questions be configured by the user, and the answers to these questions are specific to the user, but employees should be cautioned to create questions that are “secret” or at least very hard to guess. In production, it would make sense to refresh the challenge questions every year or so, just to keep things more secure.

Competitive products

Bottom line for business

If your help desk staff is overwhelmed by projects or day-to-day operations, allowing users to maintain their own passwords can be a huge time saver for everyone. Allowing password resets and account unlocking to be handled completely by the user can also remove frustration on the part of the employee, because the employee does not need to contact the help desk and wait until they have time to assist.



by Derek Schauland at March 15, 2010 12:00 PM

Anton Chuvakin - Security Warrior

RSA 2010 – Day 1 Metricon

Let me start my [much delayed] coverage of RSA 2010 conference with the awesomeness of Metricon 4.5 (technically, a Mini-Metricon 4.5 :-)) where I spent my first RSA day (sacrificing the Cloud Security Alliance meeting that was reported to be packed).

Here is an agenda for the meeting with my comments:

08:45 - 10:05: Morning Session I - Chair: Jeremy Epstein

  • Qualitative Tuning as Preparation for Quantitative Methods, Pete Lindstrom

This was one of the most fun presentations, focusing on expert opinion vs. fact/metric in security. Pete showed an interesting approach for assessing the opinions in order to come up with something that looks more like fact.

  • Metrics for insights on the state of application security, Ashish Larivee

This was an interesting presentation of Veracode research of binary analysis (paper, some highlights). A few things actually blew me away at first, but, upon further consideration, started to look perfectly logical. For example, the software industry is worse at developing secure software than the financial services industry. It can be explained that FS folks develop only mission-critical software, though. Still, this seems to prove that in some areas “if you want it done well, do it yourself and do NOT trust the professionals to do it” :-) In fact, commercial software overall fared worse [vulnerability-wise] than internally developed AND outsourced software. It also had the longest remediation cycle, while open source had the shortest (for methodology details see their full report).

10:20 - 11:40: Morning Session II - Chair: Joe Magee

  • Translating the Narrative into Metrics: The Verizon Incident Sharing Framework, Alex Hutton and Wade Baker

Verizon VerIS was released via this presentation (release, exec summary, document [PDF]). VerIS “translates the incident narrative (the attacker did this, then that, then the other thing) into a data set” and thus allows the creation of such awesomeness as DBIR.

  • Ontologies for Modeling Enterprise Level Security Metrics, Anoop Singhal

This presentation was a bit of a cruel joke. It carried unfortunate signs of being done by somebody who never ventured in the real world of security (for example, single number “asset value”, “risk = damageValue”, “security measures that reduce the frequency of attacks”, etc, etc, etc). And, what was even more embarrassing, it came after the stellar presentation by the Verizon team; I think I have seen the grimaces on their faces :-) And every time the NIST speaker mentioned “this was done on tax payer dime” or uttered the word “ontology”, I wanted to just reach for a ShmooBall. To make his material even more insulting, he was also a bad presenter. Yuck!

13:10 - 14:40: Afternoon Session I - Chair: Caroline Wong

  • Improving CVSS-based vulnerability prioritization with business context information, Christian Fruhwirth

This was a curious little preso that basically can be summarized in one phrase: “using CVSS as it was intended by the original team – with Env scores – is valuable.” Even so, there was one “cringe moment” when the speaker expected a normal distribution of vulnerability CVSS scores (pray tell me, why would medium-severity vulnerabilities be more likely than low-severity ones?)

  • Security Metrics Field Research, Ramon Krikken

This presentation by a Burton …eh... Gartner… analyst, Ramon Krikken, was hugely insightful. They did some metrics research among their clients and came up with some surprising conclusions that show metrics programs largely in the Stone Age (in fact, what was before the Stone Age? Ah, yes, the Sharpened Stick Age! Then maybe the metrics are in that age…). Here are some of the themes, but get the presentation materials when they are posted – very worthwhile. As expected, “compliance metrics are easy; security metrics are hard”, “assessments and audits matter”, “need to map to ” and “ONLY prevention of ‘business being stopped’ matters at many companies.” The research showed no focus on improvements, no peer benchmarking, etc. Regarding tools, MS Excel was by far the #1, with a couple of mentions of RSA/Archer and SIEM.

15:10 - 16:30: Afternoon Session II - Chair: Ray Kaplan

  • Metrics for Cloud Security, Lynn Terwoerds, Caroline Wong, Betsy Nichols

This panel announced that CSA is starting a cloud security metrics effort, which was in a VERY early stage. No material has been created yet.

  • Identifying critical information security areas with a Threat Agent Risk Assessment, Matthew Rosenquist

I read the TARA paper back when it came out, but this presentation (and the discussion) was still VERY interesting. The main idea is that a vulnerability- or asset-focused approach makes no sense since there are way too many vulnerabilities (the presenter’s example was “data center is vulnerable to a meteor strike”) and thus the way to go is to focus on threat agents that are motivated to cause damage and that can realistically do so. The logic thus becomes: threat agent –> vulnerability –> control –> what remains is the risk that needs to be dealt with somehow. But read the paper instead of this, Intel folks explain it much better :-)


So, as I said, Metricon was the most thought-provoking part of RSA for me! And I am not even mentioning the level of hallway discussions there…


by Dr Anton Chuvakin (noreply@blogger.com) at March 15, 2010 10:39 AM

A Year in the Life of a BSD Guru

FreeBSD Lectures Captioning Project Complete

Murray Stokely has completed his captioning project and provides the following update:

March 15, 2010 08:45 AM

Chris Siebenmann

How to create pointless error reports (and how not to)

Linux's little love notes about software RAID consistency errors make a perfect example of something that system administrators run into all the time: pointless error reports.

It's worth noting that a pointless error report is something different from a useless error report. A useless error report tells you that something has gone wrong but doesn't identify what it is, what exactly has gone wrong, and so on; you have to hunt that down on your own. A pointless error report shouldn't even have been generated in the first place, at least not in the form that you get it in. Noise from monitoring systems is one form of pointless error reports.

So what makes a pointless error report? The aforementioned software RAID errors have at least three things wrong with them, namely that the error happens all the time, that the 'error' is actually (in theory) something that happens routinely, and that there's nothing you can do about the error in practice. Complaining about non-errors that happen all the time that you can't do anything about anyways is pretty much the jackpot in terms of pointless error reports.

We can turn this around to create a list of what makes a good error report for sysadmins:

  • it is complaining about a real error (not a routine and theoretically harmless event)
  • ... that does not happen all the time
  • ... that is actively dangerous
  • ... that you can (and should) do something about
  • it contains a clear description of what is wrong
  • it contains all of the details about the situation that are known, provided that those details are useful for resolving the problem (and not merely useful for debugging the code)

Things that fail some of these criteria may be useful to log and capture for historical purposes, but they do not rise to the level of useful error reports. Failing any of the first four points makes an error report pointless; failing the last two makes it more or less useless.

I include 'is actively dangerous' on the list of important points because there are always things happening on any system that might be worthy of note, for example people trying brute force attacks on your ssh port. What should create error reports is not merely something wrong, but something that is bad enough that it needs to be dealt with. Someone failing to get into your system with ssh is not worthy of a report; someone ssh'ing in as root and getting the password right but being refused access because you have PermitRootLogin set to no in the sshd configuration, now that is worthy of an error report.
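As an added example (mine, not from this entry), a small triage filter that applies the six criteria to a few constructed sshd log lines: brute-force password failures are counted for history but never raised, while the refused root login described above becomes the one report, carrying the detail that is actually useful for acting on it (the source address). The log lines imitate OpenSSH's syslog wording but are made up.

```python
"""Triage sshd log lines into 'report' vs. 'log-only' (added example)."""
import re
from collections import Counter

# Constructed sample lines in OpenSSH's syslog style; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar 15 05:40:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar 15 05:40:03 host sshd[1201]: Failed password for invalid user oracle from 198.51.100.7 port 40113 ssh2
Mar 15 05:40:05 host sshd[1204]: Failed password for root from 198.51.100.7 port 40115 ssh2
Mar 15 05:41:10 host sshd[1210]: ROOT LOGIN REFUSED FROM 198.51.100.7 port 40120
Mar 15 05:41:12 host sshd[1211]: Accepted publickey for cks from 192.0.2.5 port 52000 ssh2
Mar 15 05:41:20 host cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# First match wins. Each rule records its verdict and which criteria from the list decide it.
RULES = [
    (re.compile(r"ROOT LOGIN REFUSED FROM (?P<src>\S+)"), "report",
     "real, rare, dangerous and actionable: root's password was accepted and only PermitRootLogin no stopped the login"),
    (re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"), "log-only",
     "routine brute-force noise: happens all the time and is harmless on its own"),
    (re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"), "log-only",
     "normal successful login"),
]


def classify(line):
    """Return (verdict, reason, extracted fields) for one sshd line."""
    for pattern, verdict, reason in RULES:
        match = pattern.search(line)
        if match:
            return verdict, reason, match.groupdict()
    return "log-only", "unrecognised sshd message", {}


def triage(log_text):
    """Split a log into the few lines worth an error report and counts of everything else."""
    reports, kept_for_history = [], Counter()
    for line in log_text.splitlines():
        if "sshd[" not in line:
            continue                        # not an sshd message; out of scope here
        verdict, reason, fields = classify(line)
        if verdict == "report":
            # A good report carries the known, useful details (here: the source address).
            reports.append({"line": line, "why": reason, **fields})
        else:
            kept_for_history[reason] += 1   # logged and counted, never raised as an error
    return reports, kept_for_history


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG)
    for report in found:
        print("REPORT:", report["src"], "-", report["why"])
    for reason, n in counts.items():
        print(f"history only ({n}):", reason)
```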

by cks at March 15, 2010 05:46 AM

March 14, 2010

League of Professional System Administrators

LOPSA Sponsoring LinuxFest Northwest

2010-04-24 10:00 to 2010-04-25 17:00 (US/Pacific)

Linuxfest Northwest 2010 - April 24-25th

LOPSA is proud to be a sponsor and have a booth at the 10th annual LinuxFest Northwest conference this year. There are great talks, including sessions by LOPSA members Ski Kacoroski and Leon Towns-von Stauber.

by ski at March 14, 2010 06:52 PM

Everything Sysadmin

How to "un-send" email.

It is a fact of modern life that you can't unsend email. The problem is that to really unsend email you need a time travel device.

It's a shame, really.

MS-Exchange has the ability to send a request that will hide the email, but most non-Exchange providers don't support the protocol. Besides, the horse has left the barn. You can't put the toothpaste back in the tube.

Gmail has the ability to unsend an email if you sent it in the last 10 seconds. Useful and cute, but not awesome. (Awesomer is their "prove you are sober before sending a message" feature.)

One way to mitigate this risk of wishing you had an "undo" is to send out a first paragraph plus a URL to the entire message. This way you can rewrite, refine, and update the body of the email as much as you want.

We use this technique at work. Suppose we want to tell people that the printing system will be down on Thursday evening so that we can upgrade the print server software. We put the basic message in a 1-paragraph email, and list a link to a document with more info. The link might be to a ticket # that tracks the issue, or a blog post (yes, we have internal blogs), a web page, or a document. We can constantly update the document over time.

Maybe we should extend this. All email should be a subject line plus a URL to the actual message. Made a typo? Correct it. Regretted what you said? Delete it. Called your boss an asshole? Change it to be a loverletter.

You still need to get the subject right, but the message can change. Maybe we could invent a way for the email to be "frozen" once the person reads it (one way would be for the email client to cache the message once it is downloaded). Spammers would have a harder time spamming us, since we'd be able to track their message back to their web site and therefore identifying them would be, well, if not easier, differently harder.

Or maybe we shouldn't even send email. The user interface would still look the same. Behind the scenes it would just be sending URLs.

Usenet made this transition. Usenet was replaced by RSS feeds, which are just lists of URLs. Maybe email should make the same change.

by Tom Limoncelli at March 14, 2010 04:37 PM

TaoSecurity

Verizon Incident Sharing Framework

Earlier this month Verizon Business announced their Verizon Incident Sharing Framework (VerIS framework). This document is a means to describe digital security incidents, using four main groupings: 1. Demographics, 2. Incident Classification, 3. Discovery and Mitigation, and 4. Impact Classification.

The idea is to provide a framework that incident investigators can complete for every digital security incident. Using the output, security teams can better identify trends and recommend improved security strategies and tactics. For example, Verizon builds their Data Breach Investigation Report using data from their incident responses as formatted using the VerIS framework.

Verizon asked me to participate on a "board" affiliated with this project, so you can expect to hear more from me. Verizon started a Zoho Forum to discuss the framework, but I think a Wiki would better facilitate collaboration and development of the document. At work we are working on our next generation incident management system, so I think the VerIS framework might help us identify information to collect on incidents.

by Richard Bejtlich (noreply@blogger.com) at March 14, 2010 04:16 PM

Standalone Sysadmin

Blog Upgraded and Fixed

Hi All,

I spent some time last night upgrading the blog to the latest versions of Wordpress and plugins. I also added a mobile version of the site, so handheld device users can actually use the site now without zooming in.

Also, with the help of Greg over at Reject Reality, I got WP SuperCache working. This will hopefully let the blog take more and more traffic as time goes on, and delay me ordering a new virtual host (I go with the guys at prgmr.com).

Anyway, the point of this post is to ask you to let me know if you notice anything strange. Drop me an email if you see anything weird, or if the mobile site shows up but shouldn’t, or any of that. This is my blog, and I write in it, but you all are the ones who are good enough to read my stuff. The least I could do is make it easily accessible to you.

Thanks for your patience, and thanks for reading!

PS – I’ve added a Google Translate widget to the far right bar. This is the first step in what I hope will be many that enable this blog to be read by non-english speaking people from around the world. Please let me know if you have any questions or problems with it.


by Matt Simmons at March 14, 2010 03:00 PM

Chris Siebenmann

Space and content

One of the things that's been driven into me in the process of writing WanderingThoughts is that the amount of horizontal and vertical space that your content sits in does affect its readability (even when it is not absurdly small or absurdly large), and in turn this affects how you write your content. Some things only look right when inside narrow margins and look horrible when expanded outside of that, and vice versa. The same is true in many ways for vertical space and how much is visible at once.

More concretely, my entries for WanderingThoughts often have relatively short paragraphs. One reason for this is that I both preview and read WanderingThoughts entries with relatively narrow margins. Short paragraphs wind up looking right for me in this environment and long paragraphs often look wrong, and this holds true even though the longer paragraphs look perfectly fine in my editor, sometimes even preferable; often it feels somewhat unnatural to write paragraphs that are only two or three sentences long, although I know they'll look right in the end.

(What I think happens is that when my horizontal margins shrink, paragraphs look bulkier and longer because they take up more vertical space. Similarly, when horizontal margins widen, paragraphs look smaller and shorter, eventually reaching a point of unreadable absurdity.)

What I take from this and from related experiences is that you cannot really divorce content from its presentation. Your knowledge of how things look (and how they will look) will affect how you put your content together, and so your website's layout affects how you structure your writing. If you revise your website's fundamental layout, you may well wind up structuring your writing differently.

The side effect of writing this down is that I now feel somewhat more sympathy for people who try to create fixed-size, fixed-font website layouts. In this view, they're responding to this with an attempt to make sure that everyone will see the content the same way.

(I still think it's a misguided attempt. Even if you control the width of the content area you can't necessarily control the size of the user's fonts, and it is the interrelationship between the two that matters.)

One obvious corollary is that a blog's support for draft entries should let you preview them in something that is as close to the real site layout as possible, complete with your usual sidebars and so on, so that you can see how everything fits together.

(How important this is depends on how intrusive your sidebars and header and so on are.)

by cks at March 14, 2010 06:59 AM

March 13, 2010

Samuel Huckins

Tune MySQL like a pro with MySQLTuner

I don’t know why I didn’t know about this before (or why I forgot about it, more likely), but I came across MySQLTuner recently and was most pleasantly surprised. It’s a Perl script that only requires your MySQL user and password to provide detailed and useful checks of a running MySQL instance. First though, check out the awesome URL you download it at:

wget mysqltuner.pl

Yeah, that’s the actual URL that works. Pretty sweet.

Anyway, next you make it executable, run it, enter creds:

Get MySQLTuner running

Then the goodies appear:

MySQLTuner Results

Oh, that query_cache_limit is tiny! At this point, no changes have been made to your setup. But at a glance you get helpful stats, validate that changes you’ve decided to make are in place, and get alerted to potential improvements.

If I knew Perl now and refreshed my MySQL tuning knowledge, I’d love to help as a maintainer of this lovely script. Maybe sometime soon…

by Samuel Huckins at March 13, 2010 11:22 PM


TaoSecurity

Bejtlich Keynote at VizSec 2010

I am pleased to report that I've been invited to deliver the keynote at VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee for a third year and will be evaluating papers soon. Please visit my post on calls for papers for DFRWS, VizSec, and RAID. Thank you.

by Richard Bejtlich (noreply@blogger.com) at March 13, 2010 04:25 PM

Security Monkey

Rootkit In The Closet: The Discovery and Disassembly of a Linux Shared Library Rootkit

There's been a lot of talk over the years about kernel-level rootkits in Linux. Typically the attacker will gain access to a misconfigured (or neglected) Linux box via an exploitable service, gain root access, and then load a tainted kernel module, or replace the existing kernel (noisy, fairly uncommon). This is not an all-inclusive list of course. The less talked about half-brother of the kernel rootkit world is a

March 13, 2010 11:39 AM

Steve Kemp's Blog

You do know there are more guns in the country than there are in the city.

Lenny Backports

After a couple of days I've spotted a few things that don't work so well on Lenny:

gtk-gnutella

gtk-gnutella is a client for a peer-to-peer filesharing system. Unfortunately the version of the client in Lenny dies on startup "This version is too old to connect".

gimp

The graphics program, The Gimp, doesn't show a live preview when carrying out things such as colour desaturation.

Although not an insurmountable problem it is moderately annoying if you do such things often.

So I've placed backported packages online.

I expected to have to backport KVM, and I guess I realised I needed a new kernel to match too. So they're available in the kvm-hosting repository; take the kernel with "birthday" in its name - the other is more minimal and has no USB support, etc.

blog spam

Since I last reset the statistics the blog spam detector has reported, rejected, and refused just over half a million bogus comments.

It can and should do better.

I've been planning on overhauling this for some time; even to the extent of wondering if I can move the XML::RPC service into a C daemon with embedded lua/perl to do the actual analysis.

(Right now the whole service is Perl, but I'm a little suspicious of the XML::RPC library - my daemon dies at times and I don't understand why.)

I'd say "test suggestions welcome", but then I'd have to explain what is already done. If you're curious take a look at the code...

ObSubject: Hot Fuzz

March 13, 2010 07:46 AM

Chris Siebenmann

A surprising lack: milter clients


There's a lot of anti-spam programs and systems, so I'm generally accustomed to being able to find a package to do pretty much any anti-spam job that I want to get done. Which is why I'm all the more surprised that it seems to be impossible to find milter clients or client libraries.

The milter protocol started out as a Sendmail-specific interface, but today milters have become essentially the generic way to connect MTAs with various anti-spam filters and services. You can get milter server implementations for lots of languages, including Perl, Python, and Ruby, and people happily write milters in all of them; what you can't seem to get is the other side, the MTA client side, something that will let you talk to milter filters.

On the surface, this sounds like a strange thing to want. But as I mentioned, the milter interface has become the generic way to talk to spam-filtering services and there are a number of times when you want to check messages without having to shove them through an MTA; for example, if you have a webmail system it might be nice to be able to run anti-spam checks on a message when a user hits the 'send mail' button and then take specific action within your web application if alarms go off (especially these days).

Also, not all MTAs have built-in milter support but almost every MTA can run external programs during message submission, and writing an external program that just talks to a milter is much simpler (and more maintainable) than hacking milter support into the MTA directly. Well, it would be simpler if there were milter clients or client libraries, especially for scripting languages like Perl, Python, or Ruby.

(As it is, I have a low priority project of someday going through the milter protocol (via pmilter), and probably the Python milter stuff, to write a milter client module in Python. Then I can write something to connect Exim's content scanning to milter filters.)

(PS: I'm aware that there is a 2006 patch to add milter support to Exim. Sadly, it doesn't seem to have gone anywhere since 2006, and I can't even find a way to get the source code any more.)

by cks at March 13, 2010 06:49 AM

March 12, 2010

Security Monkey

Ubuntu PSA: Fixing Mountall Failure At Boot On Ubuntu Lucid Alpha

My reputation as a die-hard supporter of Ubuntu Linux apparently precedes me. A number of Ubuntu faithful who have recently upgraded to Lucid Alpha have encountered a nasty problem where, mid-boot, they are greeted with this error message: mountall: error while loading shared libraries: libplybootclient.so.2: cannot open shared object file: No such file or directory Fear not, my fello

March 12, 2010 07:30 PM

SysAdmin1138

The Novell purchase offer

I haven't mentioned the purchase proposal from Elliot Associates before now, in large part because coverage is a lot better elsewhere. For those of you who haven't paid attention, Elliot Associates, an investment fund, offered Novell a buy-out of $5.75/share. This is not the IBM purchase everyone has been expecting for the last 14 years. Until today, people had been theorizing that their motivation is to sell off the profitable bits, and quietly phase out the non-profitable bits while pocketing Novell's large cash stash.

According to PRNews Wire, Elliot has no plans to slice-n-dice and plans to own the company. They can still do a lot, like kill products surviving more on nostalgia and a historical userbase rather than profitability, while living within their statements. Small encouragement, at least.

by SysAdmin1138 at March 12, 2010 06:48 PM

TechRepublic Network Administrator

Building a robust test-lab at home with virtualization

Virtualization is not a new topic but how many of us use it at home? I hang around with a bunch of geeks, so all of my colleagues have been virtualizing at home since it has been possible.

Early last year, I spent a couple of thousand dollars and set out to build a lab I could use for testing/development/training. Basically, the lab is for anything and everything that I cannot do on a company’s production servers, including developing presentation scenarios that companies like so that they will hire me to reproduce them on their production servers!

I thought I would share what set up I am using, in case you’re thinking about this too. Or, if you have one of your own, I would appreciate your thoughts on the home lab.

So this is what I am working with:

  • 1 router/4-port gigabit switch (working as gateway/firewall)
  • 1 16-port gigabit switch
  • 1 4GB AMD 64-bit (dual core) small form factor PC with roles:
    • Server 2008 Domain Controller
    • Virtual Machine Manager 2008 R2
    • SQL Server 2008 x64 physical host
    • Virtual Server 2005 R2 SP1 host
  • 1 16GB Intel 64-bit (quad core) small form factor PC as a Hyper-V host with VMs:
    • Server 2008 R2 Domain Controller
    • System Center DPM 2007 Server
    • MOSS 2007 Server
    • System Center Operations Manager 2007 R2 Server
  • 1 4GB Dell Latitude D820 Core Duo laptop
  • 1 4GB Dell Latitude D830 Core2 Duo laptop (just found out this goes to 8GB, sweet!)

Plans:

  • The 16GB system is doing fine since I have been conservative when allocating resources to my VMs; I can maybe get an SCCM 2007 R2 VM on there as well to showcase operating system deployment, patch distribution, and application virtualization.
  • I went to the D830 possibly controlled from an external eSATA drive as a DPM 2010 server with some mass storage to showcase the product and to back up my entire environment.
  • Mass storage is needed. I was going to purchase either a Drobo, or maybe a Dell MD3000i, Thecus, or the like (chime in here with experiences). I don’t have to purchase iSCSI mass storage since I can use Starwind to create iSCSI targets to connect my systems to.
  • The 16-port switch was purchased to retire an older 10/100 8-port switch because some network cards in my systems and in my OfficeJet printer won’t communicate below 1000MB and my router only has 4 ports. I may need another switch to handle iSCSI dedicated traffic.
  • I intend to leave my lab accessible all the time so I am going to purchase a Fortigate or comparable device to handle port filtering and offset processor load from my router/gateway.
  • I may need another system to install VMWare ESX (VSphere) on since I am showing customers how to manage both MS and VMWare virtual environments.

So far, $4,000 has been spent on my lab over the last 30 months. More is needed but as you can see, because of virtualization, these dollars can go pretty far.

Virtualization is great but it does not eliminate all costs, as you can see.

IT pros, have a look at what I am doing and if I can help anyone with more details, I am happy to do so. I am also looking for experiences or feedback to help improve my lab.



by Brad Bird at March 12, 2010 05:00 PM

Standalone Sysadmin

Unteachable Disaster Recovery

I’ve got another column up at Simple Talk: Sysadmin today. It’s called Unteachable Disaster Recovery Techniques.

This is a true story, and it happened last week. I felt so strongly about it that I wrote the entire entry in one sitting.

Please give it a read through, and remember to rate it using the stars! Thanks!


by Matt Simmons at March 12, 2010 03:45 PM

The Tech Teapot

Planet Network Management Highlights 2010 Week 10

Highlights from Planet Network Management for Week 10.


by Jack Hughes at March 12, 2010 02:28 PM

atarininja

I was looking over the release notes for OpenSSH 5.4. Among the list of nice things (key revocation, better passphrase protection, and certificates - though not X.509) in there I noticed support for a new -W option. The manual has this to say about it:

-W host:port
        Requests that standard input and output on the client be for-
        warded to host on port over the secure channel.  Implies -N, -T,
        ExitOnForwardFailure and ClearAllForwardings and works with Pro-
        tocol version 2 only.

The release notes specifically state:

 * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
   stdio on the client to a single port forward on the server. This
   allows, for example, using ssh as a ProxyCommand to route connections
   via intermediate servers. bz#1618

That sounds nice and like it will save me from having to do things in a two step process. Normally I have to do ssh -L 7272:gmail-smtp-in.l.google.com:25 syn and use nc localhost -p 7272 or something else in another terminal to get data out through the tunnel. Now with -W it's combined into one simple step.

wxs@ack wxs % ssh -W gmail-smtp-in.l.google.com:25 syn     
220 mx.google.com ESMTP 14si5094846qyk.3
EHLO PANTS!
250-mx.google.com at your service, [129.21.50.215]
250-SIZE 35651584
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING

I like things that make my life easier.

March 12, 2010 02:19 PM

Slaptijack

The Big List of Security Update Resources

If you have an interest in information security from a technical or managerial point of view, check out Principles of Information Security. It does an excellent job of presenting material for both audiences.

If you have other vendors you would like to see on this list, send me a message. I’ll keep updating the list until we have everything we need.


The FreeBSD Project

by Scott Hebert at March 12, 2010 02:00 PM

CiscoZine

Smartports Macros: a useful command

Working in a datacenter, it is often necessary to apply the same interface configuration to many ports; Cisco IOS has a useful built-in feature for this: Smartports macros.

Smartports macros provide a convenient way to save and share common configurations. You can use Smartports macros to enable features and settings based on the location of a switch in the network and for mass configuration deployments across the network.

Each Smartports macro is a set of CLI commands that you define. Smartports macros do not contain new CLI commands; they are simply a group of existing CLI commands.

When you apply a Smartports macro on an interface, the CLI commands within the macro are configured on the interface. When the macro is applied to an interface, the existing interface configurations are not lost. The new commands are added to the interface and are saved in the running configuration file.

Use Smartports Macros
It’s easy to configure and to use smartports macros:

  1. configure smartports macros
  2. apply the smartports macros
  3. (optional) see smartports macros configuration

1. To create a smartport macro, use the command macro name ‘macro-name’, then enter the macro commands, one per line. End the macro with the @ character. A line beginning with the # character is comment text within the macro. You can define keywords within a macro by using a help string to specify them: enter # macro keywords word to define the keywords that are available for use with the macro. You can enter up to three help-string keywords in a macro, separated by spaces.

Remember:

  • Macro names are case sensitive. For example, the commands macro name Sample-Macro and macro name sample-macro will result in two separate macros.
  • A macro definition can contain up to 3000 characters.

2. To apply each command defined in the macro to an interface, enter macro apply ‘macro-name’ in interface configuration mode. Use macro trace ‘macro-name’ instead to apply the macro and print each command before it is applied to the interface.

3. (optional) To display the Smartports macros, use one or more of the following privileged EXEC commands:

  • show parser macro: Displays all configured macros.
  • show parser macro name ‘macro-name’: Displays a specific macro.
  • show parser macro brief: Displays the configured macro names.
  • show parser macro description ‘interface interface-id’: Displays the macro description for all interfaces or for a specified interface.

There are Cisco-default Smartports macros embedded in the switch software. You can display these macros and the commands they contain by using the show parser macro user EXEC command.

Cisco-Default Smartports Macros

  • cisco-global: Use this global configuration macro to enable load balancing across VLANs, provide rapid convergence of spanning-tree instances and to enable port error recovery.
  • cisco-desktop: Use this interface configuration macro for increased network security and reliability when connecting a desktop device, such as a PC, to a switch port.
  • cisco-phone: Use this interface configuration macro when connecting a desktop device such as a PC with a Cisco IP Phone to a switch port. This macro is an extension of the cisco-desktop macro and provides the same security and resiliency features, but with the addition of dedicated voice VLANs to ensure proper treatment of delay-sensitive voice traffic.
  • cisco-switch: Use this interface configuration macro when connecting an access switch and a distribution switch or between access switches connected using GigaStack modules or GBICs.
  • cisco-router: Use this interface configuration macro when connecting the switch and a WAN router.
  • cisco-lre-cpe: Use this interface configuration macro to optimize performance when the switch is installed in apartment buildings or hotels, or when it is used to deliver Video-on-Demand (VoD), or multicast video.
  • cisco-wireless: Use this interface configuration macro when connecting the switch and a wireless access point.

Below are the default smartports macros present on my Cisco Catalyst 2950 (IOS 12.1(22)EA8A):

Ciscozine#sh parser macro brief
default global   : cisco-global
default interface: cisco-desktop
default interface: cisco-phone
default interface: cisco-switch
default interface: cisco-router
default interface: cisco-wireless
Switch#
Switch#sh parser macro
Total number of macros = 6
--------------------------------------------------------------
Macro name : cisco-global
Macro type : default global
# Enable dynamic port error recovery for link state
# failures
errdisable recovery cause link-flap
errdisable recovery interval 60

# Config Cos to DSCP mappings
mls qos map cos-dscp 0 8 16 26 32 46 46 56

# Enable aggressive mode UDLD on all fiber uplinks
udld aggressive

# Enable Rapid PVST+ and Loopguard
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree extend system-id
--------------------------------------------------------------
Macro name : cisco-desktop
Macro type : default interface
# macro keywords $access_vlan
# Basic interface - Enable data VLAN only
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access

# Enable port security limiting port to a single
# MAC address -- that of desktop
switchport port-security
switchport port-security maximum 1

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable

# Remark all inbound data packets with COS=0 & DSCP =0
mls qos cos override
--------------------------------------------------------------
Macro name : cisco-phone
Macro type : default interface
# Cisco IP phone + desktop template

# macro keywords $access_vlan $voice_vlan

# VoIP enabled interface - Enable data VLAN
# and voice VLAN
# Recommended value for access vlan should not be 1
switchport access vlan $access_vlan
switchport mode access

# Update the Voice VLAN value which should be
# different from data VLAN
# Recommended value for voice vlan should not be 1
switchport voice vlan $voice_vlan

# Enable port security limiting port to a 2 MAC
# addressess -- One for desktop and one for phone
switchport port-security
switchport port-security maximum 2

# Ensure port-security age is greater than one minute
# and use inactivity timer
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity

# Enable auto-qos to extend trust to attached Cisco phone
auto qos voip cisco-phone

# Configure port as an edge network port
spanning-tree portfast
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : cisco-switch
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution
# Do not apply to EtherChannel/Port Group

# Define unique Native VLAN on trunk ports
# Recommended value for native vlan should not be 1
switchport trunk native vlan $native_vlan

# Update the allowed VLAN range (ALL) such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL

# Hardcode trunk and disable negotiation to
# speed up convergence
switchport mode trunk
switchport nonegotiate

# Configure qos to trust this interface
auto qos voip trust

# 802.1w defines the link as pt-pt for rapid convergence
spanning-tree link-type point-to-point
--------------------------------------------------------------
Macro name : cisco-router
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution

# Define unique Native VLAN on trunk ports
# Recommended value for native vlan should not be 1
switchport trunk native vlan $native_vlan

# Update the allowed VLAN range (ALL) such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL

# Hardcode trunk and disable negotiation to
# speed up convergence
switchport mode trunk
switchport nonegotiate

# Configure qos to trust this interface
auto qos voip trust
mls qos trust dscp

# Ensure fast access to the network when enabling the interface.
# Ensure that switch devices cannot become active on the interface.
spanning-tree portfast trunk
spanning-tree bpduguard enable
--------------------------------------------------------------
Macro name : cisco-wireless
Macro type : default interface
# macro keywords $native_vlan
# Access Uplink to Distribution

# Define unique Native VLAN on trunk ports
# Recommended native vlan should NOT be 1
switchport trunk native vlan $native_vlan

# Update the allowed VLAN range such that it
# includes data, voice and native VLANs
switchport trunk allowed vlan ALL

# Hardcode trunk and disable negotiation to speed up convergence
switchport mode trunk
switchport nonegotiate

# Configure qos to trust this interface
auto qos voip trust
mls qos trust cos

# Ensure that switch devices cannot become active on the interface.
spanning-tree bpduguard enable
--------------------------------------------------------------
Ciscozine#

Remember: Cisco-default Smartports macros vary depending on the software version running on your switch.

Smartports Macro Configuration Guidelines

  • When creating a macro, do not use the exit or end commands or change the command mode by using interface interface-id. This could cause commands that follow exit, end, or interface interface-id to execute in a different command mode.
  • When creating a macro, all CLI commands should be in the same configuration mode.
  • When creating a macro that requires the assignment of unique values, use the parameter value keywords to designate values specific to the interface. Keyword matching is case sensitive. All matching occurrences of the keyword are replaced with the corresponding value. Any full match of a keyword, even if it is part of a larger string, is considered a match and is replaced by the corresponding value.
  • Macro names are case sensitive. For example, the commands macro name Sample-Macro and macro name sample-macro will result in two separate macros.
  • Some macros might contain keywords that require a parameter value. You can use the macro global apply macro-name ? global configuration command or the macro apply macro-name ? interface configuration command to display a list of any required values in the macro. If you apply a macro without entering the keyword values, the commands are invalid and are not applied.
  • When a macro is applied globally to a switch or to a switch interface, all existing configuration on the interface is retained. This is helpful when applying an incremental configuration.
  • If you modify a macro definition by adding or deleting commands, the changes are not reflected on the interface where the original macro was applied. You need to reapply the updated macro on the interface to apply the new or changed commands.
  • You can use the macro global trace macro-name global configuration command or the macro trace macro-name interface configuration command to apply and debug a macro to find any syntax or configuration errors. If a command fails because of a syntax error or a configuration error, the macro continues to apply the remaining commands.
  • Some CLI commands are specific to certain interface types. If a macro is applied to an interface that does not accept the configuration, the macro will fail the syntax check or the configuration check, and the switch will return an error message.
  • Applying a macro to an interface range is the same as applying a macro to a single interface. When you use an interface range, the macro is applied sequentially to each interface within the range. If a macro command fails on one interface, it is still applied to the remaining interfaces.
  • When you apply a macro to a switch or a switch interface, the macro name is automatically added to the switch or interface. You can display the applied commands and macro names by using the show running-config user EXEC command.


Example

In this example, I want to create a smartport macro named ‘test’ and apply it to FastEthernet0/2; the macro will have these features:

  • vlan $VLANID, where $VLANID is the parameter
    switchport  mode access
    switchport access vlan $VLANID
  • only 1 mac-address per port
    switchport port-security
  • port-fast features
    spanning-tree portfast
  • speed 100
    speed 100
  • duplex full
    duplex full
  • no shutdown
    no shut


1. The commands executed to create the smartport macro are:

Ciscozine(config)#macro name test
Enter macro commands one per line. End with the character '@'.
switchport  mode access
switchport access vlan $VLANID
switchport port-security
spanning-tree portfast
speed 100
duplex full
no shut
#macro keywords $VLANID
@
Ciscozine(config)#


2. To apply the ‘test’ macro to FastEthernet0/2:

Ciscozine(config)#inter fas0/2
Ciscozine(config-if)#macro trace test $VLANID 10
Applying command... 'switchport  mode access'
Applying command... 'switchport access vlan 10'
Applying command... 'switchport port-security'
Applying command... 'spanning-tree portfast'
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface  when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/2 but will only
have effect when the interface is in a non-trunking mode.
Applying command... 'speed 100'
Applying command... 'duplex full'
Applying command... 'no shut'
Ciscozine(config-if)# 


3. To show the new macro and the fastethernet0/2 configuration:

Ciscozine(config)#do show parser macro name test
Macro name : test
Macro type : customizable
switchport  mode access
switchport access vlan $VLANID
switchport port-security
spanning-tree portfast
speed 100
duplex full
no shut
#macro keywords $VLANID
Ciscozine(config)#do sh run int fas0/2
Building configuration...

Current configuration : 182 bytes
!
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
switchport port-security
speed 100
duplex full
macro description test
spanning-tree portfast
end
Ciscozine(config)#
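The guidelines above note two things worth checking on a production switch: a macro that fails partway still applies its remaining commands, and editing a macro does not change interfaces it was already applied to; all the switch keeps on the interface is the macro description line. The following is an added example of my own (not Cisco's code, and not part of the CiscoZine post): a small Python audit that parses 'show parser macro' output and a running-config, expands the macro's keywords the same way IOS does, and reports, for every interface tagged with that macro, which of the macro's commands are not actually in effect. The macro text is the post's 'test' macro; the running-config is constructed for the example, with FastEthernet0/2 as shown above plus a hypothetical FastEthernet0/3 that still carries 'macro description test' but has lost its port-security line.

```python
import re

# Constructed sample, modelled on the post's 'show parser macro name test' output.
SHOW_PARSER_MACRO = """\
Macro name : test
Macro type : customizable
switchport  mode access
switchport access vlan $VLANID
switchport port-security
spanning-tree portfast
speed 100
duplex full
no shut
#macro keywords $VLANID
"""

# Constructed running-config: Fa0/2 as shown in the post, plus a hypothetical Fa0/3
# that still carries the macro description but has lost 'switchport port-security'.
RUNNING_CONFIG = """\
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport port-security
 speed 100
 duplex full
 macro description test
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 speed 100
 duplex full
 macro description test
 spanning-tree portfast
!
"""

def norm(cmd):
    """Collapse whitespace and expand abbreviations so macro text and 'show run' compare equal."""
    abbreviations = {"shut": "shutdown"}  # 'show run' prints the expanded form
    return " ".join(abbreviations.get(w, w) for w in cmd.split())

def parse_macro(text):
    """Parse 'show parser macro' output; '#' lines are comments except '# macro keywords'."""
    macro = {"name": None, "type": None, "keywords": [], "commands": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Macro (name|type) : (.*)", line)
        if m:
            macro[m.group(1)] = m.group(2).strip()
        elif line.startswith("#"):
            body = line.lstrip("#").strip()
            if body.startswith("macro keywords"):
                macro["keywords"] = body.split()[2:]
        elif line:
            macro["commands"].append(norm(line))
    return macro

def expand_macro(macro, values):
    """Substitute keyword values; like IOS, refuse to apply when a keyword has no value."""
    missing = [k for k in macro["keywords"] if k not in values]
    if missing:
        raise ValueError("no value for keyword(s): " + ", ".join(missing))
    expanded = []
    for cmd in macro["commands"]:
        for keyword, value in values.items():
            cmd = cmd.replace(keyword, str(value))  # any full match of the keyword is replaced
        expanded.append(cmd)
    return expanded

def parse_interfaces(config):
    """Return {interface: [normalised commands]} from running-config text."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(norm(line))
        else:
            current = None
    return stanzas

def audit_macro(config, macro, values):
    """Per interface tagged 'macro description <name>', list expanded macro commands not
    in effect. 'no X' is satisfied when X is absent: IOS does not print 'no shutdown'."""
    expected = expand_macro(macro, values)
    findings = {}
    for iface, cmds in parse_interfaces(config).items():
        if "macro description " + macro["name"] not in cmds:
            continue
        present = set(cmds)
        missing = []
        for cmd in expected:
            unsatisfied = cmd[3:] in present if cmd.startswith("no ") else cmd not in present
            if unsatisfied:
                missing.append(cmd)
        findings[iface] = missing
    return findings
```

Running audit_macro(RUNNING_CONFIG, parse_macro(SHOW_PARSER_MACRO), {"$VLANID": 10}) reports FastEthernet0/2 as clean and flags 'switchport port-security' as missing on FastEthernet0/3, which is exactly the kind of silent drift that the "macro continues to apply the remaining commands" and "changes are not reflected on the interface" guidelines allow. Feeding it the output of show parser macro name and show running-config from a real switch needs no changes other than the two sample strings.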


References: http://www.ciscosystems.com/…/guide/swmacro.html


© Fabio Semperboni for CiscoZine, 2010.

by Fabio Semperboni at March 12, 2010 12:50 PM

Anton Chuvakin - Security Warrior

RSA 2010 EXCLUSIVE PCI Security Standards Council Interview

At RSA 2010, I was given a unique opportunity to interview Bob Russo (GM at PCI SSC) and Troy Leach (CTO at PCI SSC). I have prepared a deck of very tough questions and then had an hour-long discussion with Bob and Troy around those questions. What follows is the interview reconstruction from my notes with minimum edits and clarifications by the Council folks.

Anton Introduction:  I think PCI DSS is the most valuable thing to hit security industry since its inception – both as a driving force for security improvements and as a source for security guidance. However, there are skeptics among merchants (too much security) and some security professionals (too little security). Some of my questions below focus on dispelling the misconceptions such skeptics might hold.
Anton Question 1: What, in your opinion, is the main value of PCI DSS – to the community at large? Merchants? Banks? Brands?
Bob and Troy @ PCI Council answer:
You have answered this question yourself above: it is security. Motivation for payment security improvements is the value of PCI. For some companies it is also a springboard for additional security improvements needed for their businesses. This benefits everybody!
PCI value can also be rephrased as demonstrating trust across organizational boundaries. As we know, payment security has many sides, and PCI compliance is one way of demonstrating trust across organizational boundaries.

Anton Question 2: Way too many companies seem to focus on compliance and not on security. What is the best way to prevent “teaching to the test” for PCI DSS compliance?
Bob and Troy @ PCI Council answer:
Too many companies focus on studying for the test. We believe the PCI Standards provide a solid foundation for a security strategy to look after payment and other types of data, but security does not start and end with compliance with standards.
Education is very important and that is why the PCI Council will focus even more on educating the merchants and changing their mindset from one of compliance to security. Their old way of doing business – retaining card data, for example – was viable one day, but not today. One of the steps we see is increased outsourcing of payment processing to trusted providers.

Anton Question 3: Some people say that “the brands must just change the system” since Level 4 merchants [=typically smaller merchants] can never be educated and this never can be secured. What do you say to this?
Bob and Troy @ PCI Council answer:
It’ll happen eventually, but it is obviously not so easy. We’re talking 5 to 10 years here. The payment system is diverse and incredibly complex. Any drastic changes will probably be more costly and disrupt merchants’ business even more than PCI DSS ever could, so they have to happen gradually. The PCI Council’s mandate is to get as much done to improve payment security as possible - within the existing system. Security has to become part of every business that deals with card data.

Anton Question 4: There are many debates about PCI DSS in the security industry, among merchants, etc. How can the impact of PCI DSS on payment security be measured? Who might have the data to do it?
Bob and Troy @ PCI Council answer:
Security breach statistics demonstrating a root cause that can be mapped to PCI DSS requirements are one such possible way to prove the value of PCI. For example, if the company did not take any measures to protect against SQL injection and got breached through that, they need to pay more attention to Requirement 6.6.
On the other hand, trying to analyze what the non-breached companies are doing right with PCI is harder since you don’t hear about the myriad of success stories of companies that are defending against breaches through following DSS or have minimized card data compromise in breach situations through strong logging and monitoring, mandated by PCI.
PCI DSS prescribes logging and monitoring, which help detect data loss. Unfortunately some recent incidents had breach evidence present in logs, but since the logs were not reviewed until the breach became public (contrary to PCI DSS requirements) this was not utilized for detecting the breach.
More education efforts are needed to explain to merchants that PCI is not only about breach prevention, but also about detection of intrusions and security monitoring. Thus, judging its value only on breach prevention is shortsighted.
Enhanced information sharing will drive more improvements here.

Anton Question 5: What is your opinion of mandating the discovery of stored card data and especially track and other prohibited data? This technology was not high on the list in PWC report.
Bob and Troy @ PCI Council answer:
Many QSAs already use data discovery tools today. Since PCI scope covers systems where card data is present, payment card data discovery should be part of scope validation. “Forgotten” credit card data dumps were indeed present in some recent breaches stories.
Methods of such discovery can vary: using an automated tool is one of the options, but such tools are still not mature.

Anton Question 6: Do you think that there should be tiered security requirements for small and large organizations (that go beyond today’s SAQ validation levels)? For example, daily log review seems onerous to many merchants.
Bob and Troy @ PCI Council answer:
You cannot dumb security down below a certain level. More education efforts will be needed to explain to merchants how to satisfy requirements and become compliant [and stay compliant].
However, the Council is planning to build more tools in order to help merchants understand what exactly they need to do to become compliant. A wizard interface or some other method to simplify the SAQ process can be used here to highlight which controls the merchant needs to implement.

Anton Question 7: The “None were compliant when breached” rings true to me. Why do you think so many people object to this?
Bob and Troy @ PCI Council answer:
People simply need to know the facts and find out what happened in those breach stories. For example, some breached companies had massive stores of prohibited data, such as authorization data. Or they were not adequately protected at the application or database level against things like SQL injections. There is a difference between “breached due to negligence” and “breached due to bad luck.” Being diligent but still ultimately failing to protect the information is possible (so safe harbor does exist for such companies); it just isn’t what happened in those incidents.

You just need to get the facts. If a company gained compliant status by misrepresenting the facts to a QSA, PCI standards are not at fault when the breach happened.


Anton Question 8: What is the best way to balance the PCI DSS lifecycle with both merchants’ complaints about a “moving target” and with rapidly changing threats?
Bob and Troy @ PCI Council answer:
So far, the current two year lifecycle has provided a good balance between structured development and staying abreast of rapidly changing threats. Feel free - and have your readers - to suggest changes to that lifecycle, if you think it needs to be changed! We are considering how it might evolve.

Anton Question 9: What do you think of using PCI DSS controls for non-payment-card data?
Bob and Troy @ PCI Council answer:
It is a good thing, if you keep in mind that PCI DSS controls are the foundation or the minimum baseline for an effective security strategy. Organizations will likely need to build more security on top of the PCI foundation to protect other sensitive data. Layering technology solutions and combining with the necessary people and processes continues to be the most effective means in protecting cardholder data.
PCI has certainly raised awareness for all data protection, not just payment card data.

Anton Summary
Overall, the main themes I picked in the conversation were:
  • “PCI compliance” is a means to an end. And the end is “security!”
  • Education is one of the ways to change the thinking of merchants and to improve security.

Thanks to Bob and Troy for the insightful discussion!


by Dr Anton Chuvakin (noreply@blogger.com) at March 12, 2010 10:11 AM

Standalone Sysadmin

Anyone else headed to PostgreSQL East?

My company has decided that I need to learn more about administration of the Postgres database…which is to say that I should learn something about it. My knowledge is really pretty scant at the moment.

To that end, they’re sending my boss, my junior admin, and me to PostgreSQL East, a conference held in Philadelphia from March 25-28th. We’re doing the conference thing, plus doing training on Sunday.

Anyone out there attending, too?


by Matt Simmons at March 12, 2010 08:33 AM

A Year in the Life of a BSD Guru

Anyone Using FreeBSD 7 in Vmware?

If so, a reader has a question about network connectivity:

March 12, 2010 08:24 AM

Chris Siebenmann

End results versus what's inside the black box

One of the divisions in technology is between people who mostly care about the end results and people who care (sometimes very passionately) about what is inside the black boxes that they use. The former sort say things like 'the Pentium is the best-performing CPU right now'; the latter say things like 'the SPARC architecture is far more elegant than the ugly hacks of the x86'.

(This division is not exclusive to computer hardware, but computer hardware and especially CPU architecture is a common hotbed of people who care a lot about it.)

I used to think that I was more the latter sort of person than the former, but either that changed over time or I was lying to myself. These days, it's pretty clear I'm much more someone who cares about the ends than someone who cares about what's inside the box. I certainly don't make my technology decisions (even for my personal machines) based on the elegance of the hardware; by now, I care far more about how well it runs things that I care about.

(For example, the x86 architecture is a horrible mess but you know what, I don't care. The compiler worries about the ugliness and the limited register set, and Intel and AMD have consistently delivered the affordable performance that all of the RISC vendors failed to manage. I would be happier if it had been the other way around, but I don't feel very strongly about it any more.)

This obviously strongly influences my attitudes on things like Unix workstation mythology. Because I care more about end results these days, I'm not much taken with arguments that old Unix workstation hardware, old RISC chips, and so on were intrinsically superior to today's PC hardware because they were more elegant and less of a horrible kludge; since what I care most about is how well the resulting machine runs my Unix environment, I prefer today's PCs, warts and all. I know that there are people who don't hold this view and who feel strongly enough about it to make different choices, but in many ways we're on different sides of a fairly large gulf, one that there's very little point in arguing over.

(Instead I argue that the Unix workstations were less elegant than people remember and had their own share of warts and kludges.)

It's worth noting that I am not an absolutist on this. After all, I'm using slower PC hardware because it's what my operating system supports with open source drivers, and not using various attractive programs because they're not open source or they're just ugly inside, and so on, so clearly I still care about the details to some degree. Sysadmins are somewhat biased in this anyways, because for us the end results include things like 'can we support this and troubleshoot it or is it going to cause us heartburn at 3am', and these practically require us to peek inside the black boxes and care about the contents to some degree.

by cks at March 12, 2010 06:27 AM

HolisticInfoSec.org

#6 of the Top Vulnerability Discoverers of 2009

As I was last year, I am again pleased to report that the vulnerabilities I've been happily and responsibly disclosing and posting have resulted in 6th place on the list of Top Vulnerability Discoverers of 2009. Thanks to Scott Moore of the IBM ISS Frequency X Blog who compiled the list for 2009.
I remain both pleased and disconcerted to find myself on this list and wish to convey a few thoughts on the subject.

1) First, a reminder that my work has focused entirely on vulnerable web apps and pales in comparison to the likes of others named on both the all-time list and the list for 2009. Congratulations and well done to you all.

2) My efforts resulted in what the Frequency X post indicates is 48 unique web application vulnerabilities in 2009. This again serves as a stark reminder of what a challenged state of affairs the development process is for so many web application vendors. May the SDL and its ilk prevail.

3) I will continue my discovery and reporting efforts with the intention of somehow making a dent in the statistics (unrealistic, I know). I focused heavily on cross-site request forgery (CSRF) issues in 2009 and was not surprised to find that the average number of days for CSRF vulnerabilities to be resolved increased by 37 days to 93 days.

The above figure can be found on page 7 of the 8th Edition of WhiteHat's Website Security Statistics Report.
I believe, as the report states, that much of the reason CSRF issues linger unabated is that "no one at the organization knows about, understands, or respects the issue."
I can tell you from personal experience, I heard this many times in 2009.
It should therefore surprise no one that CSRF is number four on the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors.
Hopefully, each application discovered and reported as vulnerable to this issue leads to a downward statistical trend in the likes of the WhiteHat report.

I look forward to continued discussions of these issues with you, dear readers, and hope we can make a difference.

Cheers.


by noreply@blogger.com (Russ McRee) at March 12, 2010 04:45 AM

Everything Sysadmin

March 11, 2010

SysAdmin1138

The last provisions before we sail

When we got warning that the Governor would be putting a draconian spending freeze into place, our supreme masters informed us we had to spend a certain amount of money now or we would lose it. Additionally, we were told that funds in the next 12-24 months would be downright scarce, so order now while we still could. I've talked about this in a few previous posts, but the orders have started to arrive.

We have a nice pile of HP boxes in the data-center right now, and they haven't all arrived yet. Most of the boxes in this picture are dedicated to storage in one way or another.

We haven't gotten the box with 200 LTO4 tapes in it, which should be a nice, big box. We did get the box with the labels for the tapes, though; that's the little one in the foreground. That box contained two folders of tape bar-codes; that box was w-a-y overkill. It also looks likely that HP managed to not ship us a monster box with 20+ individually boxed hard-drives! Talk about over-packaging, Batman.

We're not touching these boxes until they're all here, and we're done with the Spring Break madness. So once the quarter starts (3/30) we'll have time to do things like install the new tape library and add a few shelves to our EVA4400, and figure out what we're doing with a storage server we're building (OpenNAS is a strong contender), as well as integrating one or two new servers into our ESX cluster while we're at it.

And then... we wait. Perhaps until 2012.

by SysAdmin1138 at March 11, 2010 11:41 PM

The Blog of Ben Rockwood

OpenSolaris Elections: Go Vote!

It's that time: make sure you don't forget to vote in the OpenSolaris annual elections. You'll notice that I'm not going to comment on the issue of the constitution this year, but I do ask you to consider Octave Orgeron, Joerg Schilling, Peter Tribble, Moinak Ghosh, and all the community guys for OGB. There is a great list of folks on the ballot, including also John Plocher and Dennis Clarke, who are fantastic, enthusiastic folks.

by benr at March 11, 2010 09:41 PM