Date: April 15th 2009



METTLE NEWS
[Newsletter on the Mettle(tm) brand of products; industry updates, tips and case
studies]

April 2009
Volume 2, Issue 4


In this issue:

* Editorial
* IT industry news: Routers owned by botnet
* Mettle SE feature: Packet Capture
* Tip of the month: Traceroute
* Case study: Mettle SE at Kerala's leading share broking company


* Editorial *

Greetings,

This is the first time the Internet has seen the outbreak of a worm targeted at routers
and DSL modems. This poses a very different type of security issue. This month's industry
news tells the story of "psyb0t".

The case study of the month explains how a stock broking company owned by a Kerala-based
conglomerate built its IT infrastructure around Mettle SE. This is yet another success
story for Mettle SE in the financial services sector.

The regular "Tip of the month" and "Feature of the month" columns are included, with
information useful for day-to-day practice.

As usual, we request you to keep sending your feedback, which helps us improve this
newsletter.

Enjoy!

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)


* Industry News: Routers Owned by Botnet *

Security researchers at DroneBL have spotted a stealthy router-based botnet worm targeting
routers and DSL modems. The worm, called "psyb0t", has been circulating since at least
January this year, infecting vulnerable embedded Linux mipsel devices. Once the malware
takes hold, it locks legitimate users out of the device by blocking telnet, sshd, and web
access. It then makes the devices part of a botnet. The researchers said they first
learned of the worm while investigating DDoS attacks that hit DroneBL's infrastructure two
weeks ago.

The "psyb0t" worm is believed to be the first piece of malware to target home networking
gear. It has already infiltrated an estimated 100,000 hosts. According to DroneBL, the
worm can infect any Linux mipsel routing device (including openwrt/dd-wrt devices) that is
configured with a weak username/password and has its router administration interface, sshd
or telnetd reachable in a DMZ. It has been used to carry out DDoS (distributed denial of
service) attacks and is also believed to use deep-packet inspection to harvest user names
and passwords. The worm also scans for exploitable phpMyAdmin and MySQL servers.

DroneBL researchers say in their blog: "This technique is one to be extremely concerned
about because most end users will not know their network has been hacked, or that their
router is exploited. This means that in the future, this could be an attack vector for
the theft of personally identifying information. This technique is not going away."

Listed below are a few distinctive characteristics of the psyb0t worm:

* It is the first botnet worm to target routers and DSL modems
* It contains shellcode for many mipsel devices
* It is not targeting PCs or servers
* It uses multiple strategies for exploitation, including brute-forcing username and
password combinations
* It can harvest user names and passwords through deep packet inspection
* It can scan for exploitable phpMyAdmin and MySQL servers

To disinfect a device infected by psyb0t, reset or power-cycle it, update to the latest
firmware, and lock it down with a unique admin user name and a secure password.

Read more about psyb0t at http://www.dronebl.org/blog/8


* A Mettle SE feature: Packet Capture *

Packet Capture is a tool bundled with Mettle SE that helps administrators diagnose
networking problems. With Packet Capture, Mettle SE administrators can diagnose connection
issues by analysing the packets captured with this tool. Packets passing through a specific
interface to or from a particular IP address and/or port can be filtered and captured for
analysis. Using Packet Capture is simple, but should you need help, the instructions below
will guide you.

a) Go to Diagnostics --> Packet Capture
b) Interface --> From the drop-down list, choose the interface on which packets are to be
captured.
c) Host Address --> Either the source or the destination IP address. This lets you capture
packets addressed to or coming from a specific host.
d) Port --> Either the source or the destination port. This lets you capture packets
intended for a specific port. If it is left blank, packets to all ports are captured.
e) Packet length --> The number of bytes Packet Capture will record from each packet. For
most scenarios the default value suffices.
f) Count --> The number of packets Packet Capture will grab. Enter 0 for no limit.
g) Level of Detail --> The level of detail displayed after hitting 'Stop' once the packets
have been captured. This option does not affect the level of detail when downloading the
packet capture. Choose from Normal, Medium, High or Full.
h) Reverse DNS Lookup --> This check box makes Packet Capture perform a reverse DNS lookup
for every IP address. This slows the capture down because of DNS resolution time.
i) Start --> Click the Start button to begin capturing.
j) Download --> Captured packets are downloaded to your computer as a "*.cap" file.

The KB article can be found at http://kb.mettle.in/entry/43/
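The "*.cap" file downloaded in step j) can be analysed offline once it is on your computer. As an added example (not part of this newsletter or of Mettle SE), the Python script below parses the file, assumed here to be in the standard libpcap format, and counts inbound TCP SYNs to the telnet, ssh and http ports from addresses outside an assumed LAN subnet, which is the kind of admin-interface exposure the psyb0t article above describes; the capture it reads is constructed inline, with 192.168.1.0/24 as the assumed LAN and 198.51.100.1 as the assumed router WAN address.

```python
# Added example (not Mettle SE code): parse a libpcap ".cap" offline, count inbound admin SYNs.
import struct
from ipaddress import ip_address, ip_network

ADMIN_PORTS = {22: "ssh", 23: "telnet", 80: "http"}   # the services psyb0t goes after

def pcap_records(data):   # yield raw link-layer frames from a little- or big-endian pcap blob
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    off = 24                                           # skip the 24-byte global header
    while off + 16 <= len(data):                       # 16-byte record header per packet
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]   # captured length
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_syn(frame):
    """Return (src, dport) for an Ethernet/IPv4/TCP frame with SYN set and ACK clear."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                    # not IPv4 (EtherType) or not TCP
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    tcp = frame[14 + ihl:]
    if len(tcp) < 14 or tcp[13] & 0x12 != 0x02:        # TCP flags byte: ACK=0x10, SYN=0x02
        return None
    return str(ip_address(frame[26:30])), struct.unpack("!H", tcp[2:4])[0]

def inbound_admin_attempts(data, lan_net="192.168.1.0/24"):
    """Count SYNs to admin ports from outside lan_net, keyed by (source IP, service)."""
    lan, hits = ip_network(lan_net), {}
    for frame in pcap_records(data):
        r = tcp_syn(frame)
        if r and r[1] in ADMIN_PORTS and ip_address(r[0]) not in lan:
            key = (r[0], ADMIN_PORTS[r[1]])
            hits[key] = hits.get(key, 0) + 1
    return hits

def _frame(src, dport, flags):   # constructed Ethernet+IPv4+TCP header, checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip_address(src).packed,
                     ip_address("198.51.100.1").packed)   # assumed router WAN address
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_capture():
    """Constructed .cap blob: two telnet and one ssh SYN from the Internet, one LAN http SYN."""
    specs = [("203.0.113.7", 23, 0x02), ("203.0.113.7", 23, 0x02), ("203.0.113.9", 22, 0x02),
             ("192.168.1.10", 80, 0x02), ("203.0.113.9", 22, 0x12)]   # last one is a SYN-ACK
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(_frame(*s) for s in specs):
        blob += struct.pack("<IIII", 1239753600 + i, 0, len(frame), len(frame)) + frame
    return blob
```

Run `inbound_admin_attempts(open("capture.cap", "rb").read())` on a capture taken on the WAN interface; repeated hits from one source against telnet or ssh are the brute-force pattern described above.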


* Tip of the month: Traceroute *

Traceroute is a network diagnostic utility used to determine the route taken by packets
across an IP network. By showing the list of routers traversed, it lets the user identify
the path taken to reach a particular destination on the network. This can help identify
routing problems or firewalls that may be blocking access to a destination.

a) Go to Diagnostics --> Traceroute
b) Host --> Enter the IP address or the fully qualified domain name of the target.
c) Maximum Number of Hops --> Enter the maximum number of hops allowed before the packet
is dropped. Default is 18, maximum allowed is 64. If the destination is not reached within
the default number of hops, you may increase the hop count.
d) Use ICMP --> Check the box to perform an ICMP traceroute. The default is UDP. If the
default traceroute doesn't reach the destination, try ICMP.
e) Traceroute --> Click this button to begin the traceroute.

The KB article can be found at http://kb.mettle.in/entry/44/


* Case study: Mettle SE at Kerala's leading share broking company *

Vertical: Financial, Shares
Geography: Pan India, HO at Cochin

Our client is a major business house with a pan-India presence and diverse products, with a
thrust in the financial sector and the share market. With the client's sustained efforts to
emerge as a financial supermarket for its diverse customers, the group has now made its
foray into the securities trading space, a natural progression from the company's
substantial presence in Wealth Management Services.

The Group has emerged as one of India's largest financial groups of its kind, with business
interests in seventeen diverse fields, a network of over a thousand branches nationwide and
more than ten thousand employees serving millions of customers across the country. With its
pan-Indian presence and varied bouquet of products, the client serves over forty thousand
customers every day.

The client's Corporate Head Office is the hub of all activities and coordinates what goes
on in different parts of the country. To provide high availability for their services,
secure their IT operations and make resources available to authorised users across the
world, the following solutions were proposed:

* Link load balancing
* Mettle SE active failover stack
* Firewall & DMZ
* Gateway Antivirus
* Routing
* VPN
* NAT & PAT

* Link Load Balancing

To run a highly available network it is mandatory to have at least two WAN links. The
corporate office has two WAN links from two different ISPs, and Mettle SE's job is to
aggregate them into a load-balanced WAN link with failover. If for any reason one WAN link
goes down, Mettle SE re-routes the traffic via the active WAN link to preserve Internet
access. Total bandwidth is reduced while a link is down, but the servers remain
accessible.

* Mettle SE active failover stack

The client's business is focused on money management, shares and finance. Since this is an
ever-changing market, the systems must be up and running all the time to keep up with
developments. For this high-availability requirement the client has chosen a setup using
two Mettle SE 3700 units. The two Mettle SE devices are configured in active/standby
failover mode, where one is the Master device and the other the Slave device. In the
unlikely event that the master Mettle SE fails, the slave Mettle SE takes over and runs the
network without affecting the work done by users. This keeps the computer network up and
running at all times, even if a device fails.

* Firewall & DMZ

To provide optimum security for the host machines at the corporate office, Mettle SE
implements a security barricade. Firewalling the private network in which the host
computers are placed keeps those machines safe and secured. A DMZ has also been created,
where all of their public-access servers are kept. This setup allows servers in the DMZ to
serve both the internal and the external network, while keeping the LAN safe from possible
threats from the Internet. Traffic into the LAN and DMZ is monitored by Mettle SE, which
passes only the traffic permitted by the firewall rules. This keeps suspect and
unauthorised traffic out of the LAN. In the unlikely situation that the security of the
DMZ is breached, Mettle SE would keep the LAN and critical machines secured.

* Gateway Antivirus

The most common entry point for viruses into a corporate LAN is the Internet. To curb
virus infection on a LAN with Internet access, it is ideal to implement a gateway
antivirus system that detects, disinfects or quarantines a threat before it enters the
LAN. Mettle SE has such a gateway antivirus system built in. Mettle SE's gateway antivirus
engine filters viruses and worms coming from the Internet before they reach the LAN
subnet, and automatically keeps its virus definitions updated to identify and quarantine
even the latest viruses out on the Internet. Host machines are thus protected by Mettle SE
from a major source of virus infections.

* Routing

The client's corporate office has two local networks, the LAN subnet and the DMZ subnet.
Routing is implemented in Mettle SE so that host machines placed in the LAN can access the
servers kept in the DMZ. Routing is also enabled for VPN clients, so that remote clients
can gain access to the resources available in the corporate local network.

* VPN

The corporate office uses the PPTP VPN service provided by Mettle SE to connect road
warriors to the office base. Mettle SE also provides IPsec VPN and OpenVPN, but the
administrator has chosen PPTP because of its user-friendliness and tight integration with
Windows operating systems. Executives on the move can now connect to the corporate network
from anywhere in the world from their laptops. As the clients connect to Mettle SE they are
routed to the part of the corporate network they are allowed to access. Access to any
resource other than those authorised by the administrator is blocked by the firewall, which
ensures that security is not compromised.

* 1to1 NAT and Port Forwarding

Our client has servers hosted in the DMZ that need to be reachable from the Internet on
their own public IP addresses. Such servers are assigned public IP addresses using 1:1
NAT. In this scheme, each private host has a direct and fixed mapping to a public IP
address. Port forwarding allows remote computers to connect to a specific computer within
a private LAN. In Mettle SE, port forwarding (PAT) is enabled to allow an authorised user
on the Internet to connect to a specific computer within the private LAN for
administrative purposes or special requirements. Port forwarding transfers IP packets
between a particular port on the computer's private IP address and a specific port on a
public IP address. This ensures that a service on the host computer can be accessed from
the Internet while remaining secured.

Mettle SE has proved its mettle in demanding situations such as this, serving our client
reliably round the clock.



--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.
