Date: February 14th 2009
METTLE NEWS
[Newsletter on the Mettle(tm) brand of products: industry updates, tips and case
studies]
February 2009
Volume 2, Issue 2
In this issue:
* Editorial *
* IT Industry news: SQL Injection *
* Mettle SE feature: Virtual IP Address *
* Tip of the month: Blocking Yahoo Messenger & Gtalk *
* Case Study: Mettle SE at a Leading ISP *
* Editorial *
Greetings,
Presenting the February edition of Mettle News.
SQL injection is not a new attack vector, but the technique is still being used by
attackers. This month's news column features such an attack, and the victim is a security
company, which shows that it can happen to anyone whose applications are not carefully
coded.
Virtual IP addresses are one of the popular features of Mettle SE, and they are covered in
the "Feature you might have missed" column.
Admins always talk about blocking IM services such as Yahoo! chat and GTalk. The "Tip of
the month" column of this issue discusses how to do this with Mettle SE.
The case study of the month tells an interesting story of how an enterprise with
state-wide operations deploys Mettle SE as its multi-technology VPN concentrator.
Enjoy!
Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)
* IT Industry News: SQL Injection *
SQL injection is not the latest exploit haunting the Internet, but very recently an
attacker using this technique managed to gain access to the customer database of a leading
anti-virus company (referred to as "the company" in this article). SQL injection exploits
a vulnerability, where present, in the database layer of an application by injecting
carefully crafted SQL statements. The vulnerability arises when user input is not correctly
filtered for the string-literal escape characters embedded in SQL statements, or when user
input is blindly trusted and executed.
Using SQL injection, an attacker gained access to the databases used by the usa.company.com
website, allowing him to reach users' accounts, activation codes and possibly personal
data of the company's customers. A critical flaw of this type could probably be used to
usurp legitimate purchases and renewals of their products, which could include linking to
malicious and backdoored versions of their software, thereby infecting the very same
customers who were seeking protection from malware in the first place.
To protect against SQL injection, user input must never be embedded directly in SQL
statements. Instead, parameterised statements must be used (preferred), or user input must
be carefully escaped or filtered. Moral of the story? Even people in the security business
have bad days and make mistakes if they are not careful!
Read more about it here:
http://securityandthe.net/2009/02/08/kaspersky-database-exposed/
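To make the "parameterised statements" advice concrete, here is a small Python program added for this edition (it is not code from the article, from the affected company or from any Mettle product). It builds a constructed in-memory SQLite table standing in for a customer database and runs the same lookup two ways: once with the user input pasted into the SQL text, once with the value bound as a parameter. The table name, column names and sample rows are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for a customer table; the names,
# columns and activation codes are assumptions made for this example.
SAMPLE_ROWS = [
    ("alice", "ACT-0001"),
    ("bob", "ACT-0002"),
    ("carol", "ACT-0003"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, activation_code TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The anti-pattern described in the article: user input is pasted
    straight into the SQL text.  A quote character in `username` closes
    the string literal and everything after it is parsed as SQL, so the
    WHERE clause no longer means what the programmer intended."""
    sql = ("SELECT username, activation_code FROM customers "
           "WHERE username = '%s'" % username)
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, username):
    """The fix: the statement text is fixed and the value is bound as a
    parameter, so the database treats the whole input as one literal
    string no matter which characters it contains."""
    sql = ("SELECT username, activation_code FROM customers "
           "WHERE username = ?")
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A username containing a quote character, the kind of input that the
    # vulnerable version mistakes for SQL.
    odd_input = "' OR '1'='1"
    print("vulnerable  :", lookup_vulnerable(conn, odd_input))
    print("parameterised:", lookup_parameterised(conn, odd_input))
```

Running it shows the difference directly: the vulnerable lookup hands back every row in the table for an input that matches no real username, while the parameterised lookup returns nothing, because SQLite compares the literal string and finds no such customer.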
* Mettle SE Feature: Virtual IP Address *
One of the coolest features of Mettle SE is that it allows the use of Virtual IP
addresses (VIPs). A virtual IP address is an IP address that is not bound to any
specific network interface on a computer. Incoming packets are sent to the VIP address,
but all packets travel through real network interfaces. In Mettle SE you can assign
Virtual IP addresses for Proxy ARP, for CARP and for other uses (for example 1:1 NAT).
To set up a Virtual IP address, follow the instructions below.
1. Go to: Firewall --> Virtual IPs
2. Click on the '+' button
3. Type --> Choose Proxy ARP/CARP/Other.
3.a. For port forwarding choose Proxy ARP.
3.b. To set up an active failover Mettle SE cluster choose CARP.
3.c. For 1:1 outbound NAT use Other.
4. IP Address --> Enter the IP address.
5. VHID Password --> Enter VHID password (Only for CARP)
6. VHID Group --> Select VHID group (Only for CARP)
7. Advertising Frequency --> Select the advertising frequency (Only for CARP)
8. Description --> Enter the description (Not parsed)
After you have set up a Virtual IP address, you can use it as it is set up for in the
respective Mettle SE configuration page.
Read the KB article: http://kb.mettle.in/entry/32/
In the next issue of the newsletter we will look at setting up a Mettle SE active failover
stack using CARP.
* Tip Of the Month: Blocking Yahoo Messenger and Gtalk *
We have been asked many times by system administrators to help them block the Yahoo and
Google chat services on their LANs for policy-related reasons. Chat services, though very
useful in certain situations, can be counter-productive in most environments. To block the
chat services using your Mettle SE, follow the instructions below.
Blocking Yahoo Messenger
1. Configure the internal DNS to return 127.0.0.1 for webcs.msg.yahoo.com and
httpcs.msg.yahoo.com
2. Add the DNS names webcs.msg.yahoo.com and httpcs.msg.yahoo.com in the web proxy
server black list.
3. To make it more effective, we recommend allowing only known HTTPS web sites from your
LAN through the web proxy server. This can be done by entering "**s" (without quotes) in
the web proxy server black list and then adding the known "https" sites to the white list.
Blocking Google Chat
1. Configure your internal DNS to return 127.0.0.1 for talk.google.com,
talkx.l.google.com, chatenabled.mail.google.com
2. Also add the above DNS names in the Web proxy server black list.
3. To make it more effective:
Google chat uses the following ports and servers for its chat service: Ports (80, 443,
5223, 5222), Servers (216.239.37.125, 72.14.253.125, 72.14.217.189, 209.85.137.125).
Create two Aliases: group all the ports together in one Alias and the IP addresses of
the servers in another Alias. Now create a rule in Mettle SE for the local networks
wherein you block all the traffic from the LAN to the Google chat servers on the mentioned
ports, using the Aliases you have created in the firewall rule. To block only Google chat
file transfers, block ports 20 & 21.
Read more here:
http://kb.mettle.in/entry/22/
http://kb.mettle.in/entry/23/
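The tip combines three controls: a DNS sinkhole (step 1), a proxy black list (step 2) and a firewall rule built from two Aliases (step 3). The Python program below is an added example for this edition, not part of the newsletter or of Mettle SE, showing how an administrator could check the first and third of these offline: check_sinkhole verifies that a name resolves to 127.0.0.1 through whatever resolver it is handed, and find_chat_attempts applies the Alias-based block rule to a few constructed firewall log lines to list LAN hosts still trying to reach the chat servers on the listed ports. The log line format, the addresses in the sample log and the fake resolver are assumptions; the server addresses, ports and DNS names are the ones given in the tip.

```python
import ipaddress
import re
import socket

# Values taken from the tip, grouped the way the two Mettle SE Aliases
# would group them: one Alias of server addresses, one Alias of ports.
CHAT_SERVER_ALIAS = {
    ipaddress.ip_address(a)
    for a in ("216.239.37.125", "72.14.253.125", "72.14.217.189", "209.85.137.125")
}
CHAT_PORT_ALIAS = {80, 443, 5222, 5223}

# Names that step 1 says the internal DNS should answer with 127.0.0.1.
SINKHOLED_NAMES = (
    "webcs.msg.yahoo.com", "httpcs.msg.yahoo.com",
    "talk.google.com", "talkx.l.google.com", "chatenabled.mail.google.com",
)


def rule_matches(dst_ip, dst_port):
    """Mirror the LAN -> chat-servers block rule: the destination must be in
    the server Alias AND the port must be in the port Alias."""
    return (ipaddress.ip_address(dst_ip) in CHAT_SERVER_ALIAS
            and dst_port in CHAT_PORT_ALIAS)


def check_sinkhole(name, resolve=socket.gethostbyname):
    """True when the resolver answers 127.0.0.1 for `name`.  The resolver is
    a parameter so the check can be run against a fake resolver offline;
    a lookup failure counts as 'not sinkholed'."""
    try:
        return resolve(name) == "127.0.0.1"
    except OSError:
        return False


def audit_sinkhole(resolve=socket.gethostbyname):
    """Return the names that are NOT sinkholed, i.e. the gaps in step 1."""
    return [n for n in SINKHOLED_NAMES if not check_sinkhole(n, resolve)]


# Constructed firewall log lines in an assumed format (this is not Mettle
# SE's own log format): "<time> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
12:00:01 192.168.1.20:51234 -> 216.239.37.125:5222
12:00:02 192.168.1.21:51235 -> 203.0.113.10:443
12:00:03 192.168.1.22:51236 -> 72.14.217.189:443
12:00:04 192.168.1.20:51237 -> 216.239.37.125:25
not a log line
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def find_chat_attempts(log_text):
    """Return (time, source, destination, port) for every line the block
    rule would match; lines that do not parse are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport = m.groups()
        if rule_matches(dst, int(dport)):
            hits.append((ts, src, dst, int(dport)))
    return hits


if __name__ == "__main__":
    for hit in find_chat_attempts(SAMPLE_LOG):
        print("block rule matches:", hit)
    # Offline demonstration with a fake resolver that sinkholes every name.
    fake_dns = {n: "127.0.0.1" for n in SINKHOLED_NAMES}
    print("names not sinkholed:", audit_sinkhole(fake_dns.get))
```

Of the four constructed log lines, only the first and third match both Aliases; the fourth goes to a listed server but on a port outside the Alias, so the rule as described would not touch it. Swapping socket.gethostbyname in for the fake resolver runs the sinkhole audit against the real internal DNS.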
* Case Study: Mettle SE at a Leading ISP *
Vertical: Internet Service Provider
Geography: Headquartered at Trivandrum, Kerala
Client Profile:
This month's featured client is one of the leading ISPs in Kerala and one of the pioneers
of Internet over cable. They have more than thirty five thousand customers spread
across different cities and towns in Kerala. They are one of the largest private investors
in Kerala with over Rupees 350 crore in investments consisting of Earth stations, seven
hundred kilometre long optic-fibre backbone and forty thousand kilometre long hybrid
fibre-coaxial cable network spread over cities and towns in the state. They provide
services to corporations, educational institutions and residential customers. They have
set up their own international satellite gateways at Trivandrum and Kochi.
Problems to be solved:
They are a leading ISP providing service to more than thirty five thousand customers.
Handling such a large number of customers produces a huge Customer Relationship Management
(CRM) database that has to be stored at a central location and be accessible from the area
offices. Their existing VPN concentrator device was not keeping up with the high
throughput requirements; in addition, the database server at the central location needed
to be secured and firewalled in a De-Militarised Zone (DMZ). The local network at the site
also had to be firewalled and protected.
Solution:
Mettle SE 4300 was deployed at their administrative office to resolve their IT
infrastructure related issues. The solutions built on Mettle SE fall into the following
sections:
Mettle SE as a high throughput VPN Concentrator
Firewall & DMZ
Mettle SE as a VPN concentrator
The servers at the administrative office hold the huge CRM customer back end database used
for administrative purposes. The branch offices spread across the length and breadth of
Kerala need access to this database for billing and for resolving customer complaints.
Earlier the client had another VPN concentrator which could not deliver the high
throughput required. There are around 75 area offices that connect to the CRM database server.
Mettle SE handles the VPN connections from all 75 area offices simultaneously and provides
high throughput required by the front-end CRM application to pull data from the back end
server. The client and its remote branches prefer to use IPsec and PPTP, provided by
Mettle SE, for their VPN connectivity.
Firewall & DMZ
Mettle SE provides two levels of protection at the administrative office: it secures the
LAN and provides a secure DMZ. The purpose of a DMZ is to add an additional layer of
security to an organisation's LAN: an external attacker only has access to hosts in the
DMZ, rather than the whole of the network. The publicly accessible servers and database
back end servers are hosted in the DMZ. This allows hosts in the DMZ to provide services
to both the internal and external networks, while Mettle SE controls the traffic between
the DMZ servers and the internal network clients. Mettle SE monitors the traffic into the
servers hosted in the DMZ. The remote users connecting from branch offices are given
restricted access to the database back end servers, limited to the services they require.
Requests from unspecified public addresses are blocked, and any attempts to break into the
DMZ are foiled. In the unlikely situation that an attacker manages to get into the DMZ,
hosts in the LAN would still be inaccessible to the attacker, because the LAN is secured
independently by the Mettle SE firewall and is separated from the DMZ. Mettle SE blocks all
unspecified traffic from reaching the corporate network.
Conclusion:
Mettle SE provides an efficient solution to link together the client's administrative
functions spread over various branches via high throughput VPN. Mettle SE helps to
streamline their customer handling and problem solving by giving quick access to the CRM
database. Mettle SE firewall secures their LAN network from unauthorised access from the
public domains. The firewalled DMZ built with Mettle SE provides an additional level of
security to the LAN. Mettle SE has provided the best IT infrastructure solution at their
administrative office.
--
We would like to receive feedback regarding the content of this newsletter and
requests for articles. Please send your valuable suggestions to
mettlenews@mettle.in.
--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.
"Mettle News" is a monthly email newsletter covering new developments in
Mettle(tm) brand of products, case studies, technology updates and a lot of tips
to get your job done faster.