For my RSS readers – wanted to let you know that Nirlog.com just got a facelift as well. I’ve changed my theme to Simple Balance 2.2, it’s a free theme loaded with pro features. I just love it. After testing around 20+ themes I settled for Simple Balance. It has a very clean look, options to choose different colors, supports widgets and has a built-in banner ads management system. It’s just perfect! Thanks Blogsessive for making such a nice theme and giving it for free. I’ve also tweaked the ads placement (hopefully this will give a better reading experience for those who read directly on the site). I’m displaying my last 5 tweets using a twitter widget, which is kinda cool. BTW, you can follow me on Twitter at http://twitter.com/nirlog

I’ve also moved my domain nirlog.com and this blog to hostmonster (affiliate link). They seem to have quite nice reviews and was recommended by my friend Mahesh. It’s pretty cheap too. One of the most important feature for me was the SSH access, which they have. So far so good, let’s see how it goes…

I would like to thank ISL (my previous employer in Hong Kong) for hosting my blog for free for such a long time

Basically you’ve two choice — go for the hardware solutions (expensive with many nice features) or software solutions (possibly free but with limited features). If you want a free and open source solution then Pound is the choice.

Pound is a Free Open Source reverse-proxy, load balancer, SSL wrapper, http/https sanitizer, fail over server and a request redirector:

1. a reverse-proxy: it passes requests from client browsers to one or more back-end servers.
2. a load balancer: it will distribute the requests from the client browsers among several back-end servers, while keeping session information.
3. an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
4. an HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.
5. a fail over-server: should a back-end server fail, Pound will take note of the fact and stop passing requests to it until it recovers.
6. a request redirector: requests may be distributed among servers according to the requested URL.

Pound is built with security in mind, it can run as setuid/setgid and/or in a chroot jail. It’s a very small, robust and efficient program.

It’s very easy to install and configure.

Installation

pound can be installed from the source or the binary depending on your os distribution.

Configuration

Here’s an example of simple configuration to share the loading between two web servers behind the Pound load balancer

ListenHTTP
Address <real ip address>
Port 80
End
ListenHTTPS
Address <real ip address>
Port 443
Cert “/etc/pound/ssl-cert.pem”
End

Service
BackEnd
Address 192.168.1.2
Port 80
End
BackEnd
Address 192.168.1.3
Port 80
End
End

Pound can keep track of sessions between a client and a back-end server by client address, Basic authentication, URL parameter, cookie or header value. Here’s how we keep the session by cookies

Session
Type Cookie
ID “sess”
TTL 300
End

Pound is straight forward to configure and understand. It’s a perfect choice for free and open source load balancer.

ntop is a tool that shows network traffic usage. It is based on libpcap and when installed in a place where it can capture network traffic (hub or a mirrored port of a switch), it logs and reports information concerning IP and Fibre Channel traffic generated by each host in the network. ntop has a very rich and user-friendly web interface for reporting.

This is what ntop can do for you:

* Sort network traffic according to many protocols
* Show network traffic sorted according to various criteria
* Display traffic statistics
* Store on disk persistent traffic statistics in RRD format
* Identify the indentity (e.g. email address) of computer users
* Passively (i.e. withou sending probe packets) identify the host OS
* Show IP traffic distribution among the various protocols
* Analyse IP traffic and sort it according to the source/destination
* Display IP Traffic Subnet matrix (who’s talking to who?)
* Report IP protocol usage sorted by protocol type
* Act as a NetFlow/sFlow collector for flows generated by routers (e.g. Cisco and Juniper) or switches (e.g. Foundry Networks)
* Produce RMON-like network traffic statistics

Installation
ntop is available for Linux/Unix, Windows and Mac OSX. Windows demo version with limited packet capability is freely available for download. If you want to use the Windows version on production environment, you either need to compile it by yourself or buy a binary version with updates and support. But Linux/Unix and Mac versions are freely available, both source and binary.

Installation of ntop is pretty straight forward, here I’m going to demonstrate a binary rpm installation in CentOS 5.x. We’ll use RPMForge repository for ntop installation, so first we need to upgrade our rpm to rpmforge.

Download the rpm and upgrade it.

# rpm -Uhv rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Install the dependencies

#yum install glib libpcap

Install ntop

# yum install ntop

Edit the config file /etc/ntop.conf, and comment out the setting to run in daemon mode

Change –daemon to # –daemon

Set to the network interface that you use for sniffing data

–interface eth1

Comment out the option for port 3001 for SSL

Change #–https-server 3001 to –https-server 3001

Run the ntop to set your password

# /usr/bin/ntop @/etc/ntop.conf -A

Edit the config file /etc/ntop.conf and set back to daemon mode

Change #–daemon to –daemon

Use chkconfig to make the service start on every reboot

# chkconfig ntop on

Start the service.

# service ntop start

That’s it, now you can use your web browser to access the ntop web interface. It has a lot of user-friendly reporting and admin options. Here’re few screenshots from the web interface of ntop.

Browse https://ip_address:3001 and you’ll see the Global Traffic Statics

Network Load Statics displays the network traffic history: last 10 minutes, last hour, current day and last month.

Active TCP/UDP session shows which client in the network is connected to which server, the information includes source/destination ip address/port numbers and duration of the connection.

Local Matrix, shows the amount of data exchanged between hosts in the local subnet.

Network Traffic All Protocols/All Hosts displays the amount of data sent/received by each local and remote hosts. After reviewing the data usage we can zoom in to the individual hosts for more detail.

The details of a single host, includes almost every detail you would like to know about this host.

* User enters pass-phrase to begin using the system. Browser retains the pass-phrase as a global variable.
* User requests a list of all data belonging to him.
* For each record, the system stores the associated user ID in plain-text, the record ID in plain form, and the record content only in encrypted form. (The message content is one or more database columns, each encrypted.) Thus, system is able to return a list of record IDs for this user.
* User selects one of the record IDs.
* System checks that this user ID is associated with the record ID, and returns the corresponding message content.
* Browser uses stored pass-phrase to decrypt the contents.

Ok, with that background if you’re ready to store your sensitive information online, here are few choices for you.

Halfnote
Halfnote is a very simple and secure notepad. Easy to register — provide your email address, choose a password, and you’re done. A simple blank notepad is presented, where you can write your secret passwords or documents. It’s very fast and the information is auto-saved as you type. The information you send is encrypted with your pass-phrase but it lacks SSL protection, which could have provided extra security by encrypting the session information.

Passlet
Passlet is a typical online password manager, currently in beta. It has an easy to input entry from where you can input: Title, Username, Password, and Notes. It encrypts the data by deriving 128-bit AES key from your master password. The key derivation is completely performed within the browser. In addition to secure data, Passlet uses SSL for session encryption, we can be sure of connecting to Passlet server by viewing the SSL Certificate.

eSecureKey
eSecureKey is another online password manager, currently in beta. It has a Portlet, which can be accessed with a Secure Key. This Secure Key is different from your login password, and is never transmitted to the server. This is the key used to encode and decode data. The portlet lists the existing entries and allows to add new information with tags for easy listing and searching. eSecureKey sends encrypted data to the server but lacks SSL for the session encryption.

PassPack
PassPack is currently in beta. It uses Packing Key to pack/unpack (encrypt/decrypt) data, which is all done in client side, inside the browser, no keys are sent to the server. It uses AES encryption and special security techniques, like disposable logins, which can be created in advance. Disposable logins are good for one time login only. This is useful when you access your data using a public computer. PassPack has taken the fight against phishing to a new level by allowing users to setup their custom Greeting Message after login, and ip address restriction, where users can choose to allow only certain ip address to have login access. PassPack uses SSL to encrypt session data as well. Other useful features in PassPack are import/export from/to a csv file. You can make an encrypted backup of your secret data using the packing key, and the restoration from the backup file is very easy too.

Clipperz
Clipperz uses local encryption within the browser so, your data is safe like all other online password managers. But Clipperz has some useful features that other online password managers lack. For example, it has a cool feature called direct login, which allows to quickly create a “direct login” link: just one click to authenticate and access the online service without typing any username and password. Another good feature is offline copy, which allows users to dump their encrypted data from Clipperz servers to a local hard disk or USB drive and create a read-only version of Clipperz to be used when there’s no internet connection available. Clipperz is currently available in English, Japanese and Chinese. It stores the passwords and other confidential data in predefined templates called cards. Clipperz has several predefined templates for storing websites, banking, credit card, address book and custom card. There’re some new features coming soon, among them Import and Sharing should be very useful.

Conclusion
I think online password managers are handy and secure enough to store the username/passwords of many websites that we visit on daily basis like, digg, delicious, flicker, etc …. but for myself, I wouldn’t store critical secrets and financial data online yet! If you’re a system admin you might want to check KeePass that works across all platforms. Having said that, if you’re ready to take a plunge into online password managers then technology is ready and there’re excellent choices available. So, if you love simplicity, Halfnote is for you, if you want cool features like direct login or multiple language support, then go for Clipprez, if you want extra security like disposable logins and phishing protection go for PassPack.

Currently Cisco is the leader in Networking market, and Linux, the leader in Server market. So, if you want to test your complex (or not so complex) network configurations before buying any actual linux servers or the very expensive cisco routers, then you can use Dynamips to simulate Cisco Router/Switch and VNUML (Virtual Network User Mode Linux) to simulate your linux servers/routers. Both Dynamips and VNUML are open source and free.

Dynamips

Dynamips is a Cisco router emulator. It’s different from other router simulators in a sense that it doesn’t try to simulate the cisco IOS but loads and runs the real Cisco IOS. The software simulates the cisco router’s hardware, which then becomes capable of booting real cisco IOS. The goals of Dynamips are:

*To be used as a training platform, with software used in real world. It would allow people to become more familiar with Cisco devices, Cisco being the world leader in networking technologies ;
*Test and experiment the numerous and powerful features of Cisco IOS ;
* Check quickly configurations to be deployed later on real routers.

If you want to use Dynamips, then it’s recommended to be used together with Dynagen, which is an user-friendly front-end for the Dynamips cisco router emulator. It uses a simple INI like configuration file to define the routers, switches and networks. You can download Dynagen for Linux, Windows or OS X (the package already includes Dynamips). The Dynagen installation includes very useful Tutorial and sample labs.

Dynamips loading Cisco IOS

VNUML

VNUML is a virtualization tool based on User Mode Linux virtualization software, initially developed to simulate IPv6 scenarios based on Linux and zebra routing daemon. It’s also a very useful tool in simulating general Linux based network scenarios.

VNUML is aimed to help in testing network applications and services over complex testbeds made of several nodes (even tens) and networks inside one Linux machine, without involving the investment and management complexity needed to create it using real equipment.

To use VNUML tool you need VNUML language for describing simulations in XML, and an interpreter of the language (vnumlparser.pl), that builds and manages the simulation, hiding all UML complex details to the user. It is available in package format for .deb based Linux distributions like Debian, Ubuntu, and in source format for other distributions. VNUML Live DVD makes it possible to try VNUML without installing anything into your computer. Here are some useful documentaions: Installation guide, Tutorial and Example Scenarios. This VNUML and Dynamips/Dynagen mixed scenario is quite interesting because it simulates cisco router using Dynamips/Dynagen and Linux Servers using VNUML.

Simple VNUML Description

1. Passwords

Cryptographic methods, biometrics, and two-factor authentication are becoming popular these days, but in reality we still have to deal with passwords most of the time. So, proper management of password is absolutely critical to the security. It doesn’t have to be complicated. Here are few simple things I recommend to do with the passwords:

Use password manager
Manually keeping up with 100s of login ids and passwords is very difficult, impractical and sometimes impossible. So, use some kind of password management tool. With a proper password manager you don’t have to worry about generating secure passwords, you’ll stop writing passwords in paper, and you don’t have to remember any of them. The password manager will help you with all of these tasks. I use KeePass to manage the passwords. It’s an excellent multi-platform password manager available for Windows, Linux, Mac OS X and Windows Mobile.

Change passwords regularly
Never use same password for two servers or devices, and change them regularly, at least once every 3 months. By using an unique passwords per system you’ll reduce the damage in case a single password is compromised, and by changing the passwords regularly you’ll make the guessing and attacking for the bad guys much harder.

Never send naked passwords
What I mean is, never send a clear-text password over the network. The packets can be easily captured with many freely available tools and packet sniffers. Always use some form of protection when you need to transmit the passwords, e.g. SSL, SSH or VPN connection. You should never use HTTP or Telnet to manage anything over the network. Replace them with HTTPS (SSL) and SSH.

2. Security Updates

Keeping your systems up-to-date is very important, there’re new security patches released by most of the vendors all the time. Sometimes the security updates negatively affect production environment, so it’s recommended to first test the fixes and then only apply to production environment. Anyway, patching the known security holes is critical to stay secure. The longer you take to patch a known security hole the more you’re exposed to attacks.

3. Changes

There’s a nice saying about the change — “Change is the only constant”. I think that’s true for life, and for systems, and networks. We make changes all the time, change firewall rules, add users, delete users, install security patches and so on. The system and network environment keeps changing. It is very important to keep a backup of the last known working configuration of everything, and maintain a change document. So, if suddenly after changing a firewall rule everyone in the network complains about not being able to access a server in DMZ, we should be able to fall back to the previous rule-set easily. If you’ve made some manual changes to a config file to improve the performance of a linux server, you should note it down because after few months you won’t remember the exact changes you’ve made. Knowing what changes you’ve made and being able to fall back keeps you and your environment productive and secure.

4. Stop unnecessary services
Most of the Operating Systems and security devices come with a lot of services installed and running by default. The more services that are running, the more your system is exposed to attack. So, you need to identify all the services running in the system and stop the unnecessary ones. If it’s a firewall, explicitly deny everything first, and start allowing the necessary connection and services. If it’s an operating system, find and stop all the unnecessary services.

By following these 4 simple measures you’ll be able to keep your system and network secure and stable. I’m not saying that just these measures would be enough in all environments, but they’re the basic foundation. I think not only admins but normal users should be following these 4 measures to keep themselves secure in todays wild internet.

Any other simple measures that you take to keep your system and network secure? Comments and emails are welcome.

Snort captures enormous amount of data from the network and generates alert based on the rules and signatures. There’re currently 3 excellent and relatively user friendly ways to manage and analyze the snort data:

1. ACID (Analysis Console for Intrusion Databases)

The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of security events generated by various IDSes, firewalls, and network monitoring tools.

ACID: Installation and Configuration

2. BASE (Basic Analysis and Security Engine).

It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or Fedora Core (pdf)

3. Sguil (Snort GUI for LamerZ)

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures.

Sguil on RedHat HOWTO

If you’re asking what’s the difference between them, then here’s five reasons why Sguil is different from ACID, BASE, and similar products.

Currently I’m trying Sguil to see how good it is. I’ve installed Sguil Server and Sensor in CentOS 4.x and Sguil-Client in my Mac OS X. The server installation was not that easy but once installed, it runs smoothly. I must say that there are many good features in Sguil, among them I like: alerts in near real-time, escalation and accountability features, collection of session data using SANCP and summaries of conversations.

ZFS stands for Zettabyte File System and was developed by Sun, it offers many advanced features and can handle much more space than the current filesystems used by Windows, OS X or Linux.

ZFS presents a pooled storage model that completely eliminates the concept of volumes and the associated problems of partitions, provisioning, wasted bandwidth and stranded storage. Thousands of filesystems can draw from a common storage pool, each one consuming only as much space as it actually needs. The combined I/O bandwidth of all devices in the pool is available to all filesystems at all times.

All operations are copy-on-write transactions, so the on-disk state is always valid. There is no need to fsck(1M) a ZFS filesystem, ever. Every block is checksummed to prevent silent data corruption, and the data is self-healing in replicated (mirrored or RAID) configurations. If one copy is damaged, ZFS will detect it and use another copy to repair it.

ZFS introduces a new data replication model called RAID-Z. It is similar to RAID-5 but uses variable stripe width to eliminate the RAID-5 write hole (stripe corruption due to loss of power between data and parity updates). All RAID-Z writes are full-stripe writes. There’s no read-modify-write tax, no write hole, and — the best part — no need for NVRAM in hardware. ZFS loves cheap disks.

Do you want to protect your pictures online? The short answer is: you cannot do it, but you can create technical roadblocks and aesthetic roadblocks. Of Zen and Computing has a nice article on How to Protect Your Pictures and Photos on the Internet.

I have tried most of the RSS Readers available including Google Reader but I’ve come back NetNewsWire for the features and ease of use. After seeing the ProBlogger’s poll result on Which Feed Reader is Best? I’m going to seriously give Google Reader another try. Actually, I’m already using it with Google Gears. Check How Google Gears Will Change Your Life.

Every blogger wants the new visitor to come back to their blog again. WordPress offers many plugins to help you make your blog sticky, and Aaron Brazell at Technosailor suggests some excellent plugins for Intelligent Design and Stickiness