Date: May 15th 2009



METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

May 2009
Volume 2, Issue 5


In this issue:

* Editorial
* IT industry news: Mega Botnet Discovered *
* Mettle SE feature: Port Forwarding *
* Tip of the month: Package Updates *
* Case study: Mettle SE at a prestigious private engineering college *


* Editorial *

Greetings,

Welcome to another edition of Mettle News!

Bots are software robots, usually part of a large network of bots, that infect a computer
and let the botnet controller control the PC remotely. This month's industry news is about
an extensive botnet which has infected at least 1.95 million PCs around the world.

In this edition of Mettle News we will familiarise you with Mettle SE's Port Forwarding
feature. Port forwarding makes a specified port of a computer inside the LAN accessible to
a user from a public network. The Tip section explains the process of updating installed
packages in Mettle SE as and when updates are available.

This edition of Mettle News brings you the case study of the deployment of Mettle SE at a
famous private Engineering college at Kanjirapally, Kottayam. Mettle SE helped the college
streamline and manage their IT operations and computer lab facilities for engineering
students.

Shoot us your comments and feedback as usual!

Yours truly,

Editor, Mettle News
(mettlenews@mettle.in)


* Industry News: Mega botnet discovered *

At least 1.95 million computers worldwide have come under the undetected control of a newly
discovered mega botnet. The discovery was made by researchers at Finjan, an Internet
security company based in San Jose, CA. Finjan noted on its blog that the number of
infected computers it detects is rising every year. Only four out of the 39 antivirus
products it tested were able to detect the bots.

Botnet is a term for a collection of programs, referred to as software robots or bots, which
run autonomously and automatically. The term is often associated with malicious software,
but it can also refer to a network of computers using distributed computing software. While
the term "botnet" can be used to refer to any group of bots, the word is generally used for
a collection of compromised computers (called zombie computers) under a common
command-and-control centre, running malicious software usually installed via worms, Trojan
horses or backdoors. The largest known botnet, Conficker, has infected over 10 million
computers.

The new botnet has infected machines in approximately 77 government-owned domains, of which
51 are US government domains. Finjan revealed that the botnet is controlled by a six-member
hacker group based in Ukraine. Around 45 percent of the bots are in the U.S., and the
infected machines run Windows XP. Nearly 80 percent run Internet Explorer; 15 percent,
Firefox; 3 percent, Opera; and 1 percent, Safari. Finjan says the bots were found in banks
and large corporations as well as on consumer machines.

Aside from its massive size and scope, what is also striking about the botnet is what its
malware can do to an infected machine. The bot malware lets an attacker, for instance, read
the victim's email, communicate over HTTP within the botnet, inject code into other
processes, visit websites without the user knowing, and register as a background service on
the infected machine. The bots communicate with their command-and-control systems via HTTP.

It appears that the botnet operators may be buying and selling bots or portions of their
botnet based on a communique Finjan discovered on an underground black-hat hacker forum in
Russia.

For further reading please check the link below:
http://www.finjan.com/MCRCblog.aspx?EntryId=2237


* A Mettle SE feature: Port Forwarding *

Port forwarding, sometimes referred to as port mapping, is the act of forwarding an
external network address and port to an internal network address and port. When you have
port forwarding rules set up, Mettle SE takes the data off of the external IP address:port
number and sends that data to an internal IP address:port number. This technique can allow
an external user to reach a port on a private IP address (inside a LAN) from the outside
via a NAT-enabled router.

The following instructions will help you set up a port forwarding rule in your Mettle SE.

1. Go to Firewall --> NAT
2. Select the tab 'Port Forwarding'
3. Interface --> Choose the interface to use. Normally the WAN interface.
4. External Address --> Choose the external address to use for Port Forwarding. Choosing
'Interface Address' will use the WAN IP address. To use a different public IP address
create a Virtual IP address.
5. Protocol --> Choose the protocol, TCP/UDP in most cases.
6. External Port Range --> Give the external port range to be used. Use Alias feature if
multiple ports are to be used.
7. NAT IP --> Enter the LAN IP address which is the target IP address for port forwarding.
8. Local Port --> Enter the port which is the port forwarding target port of the LAN
computer. Usually this is the same port as the external port.
9. Description --> Enter a description for this port forwarding rule.
10. Tick the check box which says 'Auto-add a firewall rule to permit traffic through this
NAT rule'.
11. Click on Save and Apply Changes.

If your ISP has allocated you a block of IP addresses, you can use a different public IP
address from that block instead of your WAN IP address for port forwarding. This way you
don't have to reveal the actual WAN IP address of Mettle SE to the users of the forwarded
port. To do that you need to define a virtual IP address in Mettle SE.
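To make the rule fields above concrete, here is an added example in Python that is not
Mettle SE's own code or configuration: a user-space model of a port-forwarding rule table.
Each rule maps an external port to a NAT IP and local port (the 'External Port Range',
'NAT IP', 'Local Port' and 'Description' fields of the form), and every connection that
arrives on the external address:port is relayed to the LAN address:port. The class and
function names, the loopback addresses standing in for the WAN and LAN sides, and the echo
service standing in for the LAN host are all assumptions made for this example; a real
gateway does the same mapping inside its NAT engine rather than with a relay process.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then close dst's write
    side so the far end sees the EOF as well (one direction of the relay)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(outside, inside):
    """Run both directions of the relay and close the pair when both have finished."""
    threads = [threading.Thread(target=_pipe, args=(outside, inside)),
               threading.Thread(target=_pipe, args=(inside, outside))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    outside.close()
    inside.close()


class PortForwarder:
    """Hypothetical rule table: rules maps external_port -> (nat_ip, local_port, description).
    bind_ip plays the role of the 'External Address' field."""

    def __init__(self, bind_ip, rules):
        self.bind_ip = bind_ip
        self.rules = rules
        self._listeners = []

    def start(self):
        for ext_port, (nat_ip, local_port, desc) in self.rules.items():
            ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            ls.bind((self.bind_ip, ext_port))
            ls.listen(5)
            self._listeners.append(ls)
            threading.Thread(target=self._accept_loop,
                             args=(ls, nat_ip, local_port, desc), daemon=True).start()

    def _accept_loop(self, ls, nat_ip, local_port, desc):
        while True:
            try:
                outside, peer = ls.accept()
            except OSError:
                return  # listener closed by stop()
            try:
                inside = socket.create_connection((nat_ip, local_port), timeout=5)
            except OSError:
                outside.close()  # LAN host unreachable: drop the outside connection
                continue
            # This is the point where a gateway's auto-added firewall rule is consulted
            # and where a hit on the rule would be logged (peer -> nat_ip:local_port).
            threading.Thread(target=_relay, args=(outside, inside), daemon=True).start()

    def stop(self):
        for ls in self._listeners:
            ls.close()


def start_lan_echo_service(ip):
    """Constructed stand-in for the LAN host: echoes whatever one connection sends."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((ip, 0))  # port 0: the OS picks a free port
    srv.listen(1)

    def serve_one():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=serve_one, daemon=True).start()
    return srv, srv.getsockname()[1]


def _free_port(ip):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((ip, 0))
        return s.getsockname()[1]


def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Connect to the external address:port, send payload, and return what the
    LAN host sent back through the forwarder."""
    external_ip = "127.0.0.1"  # loopback stands in for the WAN address here
    lan_srv, lan_port = start_lan_echo_service("127.0.0.1")
    ext_port = _free_port(external_ip)
    fwd = PortForwarder(external_ip, {ext_port: ("127.0.0.1", lan_port, "web server")})
    fwd.start()
    try:
        with socket.create_connection((external_ip, ext_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.stop()
        lan_srv.close()


if __name__ == "__main__":
    print(demo())
```

The relay accepts a connection from any peer, which is exactly what a port forward with a
permit rule does; the place to narrow who may reach the forwarded port is the firewall rule
that step 10 adds, not the NAT mapping itself.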

KB article for port forwarding: http://kb.mettle.in/entry/20/


* Tip of the month: Package Updates *

Updates are made available to packages running inside Mettle SE on a periodic basis. To
update the packages installed in Mettle SE follow the steps below.

1. Go to System --> Packages
2. To see the installed packages click the tab 'Installed Packages'.
3. There will be three buttons next to each installed package: 'x' to remove that
package, 'pkg' to re-install the package and 'xml' to re-install the GUI components of
the package.
4. In the column marked 'Package Version' you can see the version number of the latest
available package and the installed package.
5. To update a package click on the 'pkg' button.

KB article is here: http://kb.mettle.in/entry/45/


* Case Study: Mettle SE at a prestigious private engineering college *

Vertical: Education/Campus
Geography: Kottayam, Kerala

Client Profile:

Our client featured in this month's Mettle SE case study is one of the highly prestigious
private engineering colleges in Kerala. Located at Kanjirapally, Kottayam, on the
Kanjirapally - Sabarimala state highway, it is a large complex with a built-up area of
around 6 lakh square feet. The engineering college has nine departments and provides higher
education in the domains of Electrical, Electronics, Computer Science, Information
Technology, Mechanical and Civil engineering. Students are provided with a large computer
lab facility and are allowed free Internet access inside the campus. The college is one of
the first private engineering colleges in Kerala to be accredited by AICTE.

Problems:

The college's LAN subnets are not secured against virus attacks from the Internet, as there
is no gateway antivirus installed in the network. Content filtering is to be implemented to
filter out offensive content as part of the acceptable usage policy laid down by the
management. Students' Internet access needs to be controlled, and time-wasting services
like Orkut and chat should be banned. An Internet access log needs to be maintained for the
campus. The college requires a WAN link management solution for implementing a failover
link for the Internet. Access to other subnets should be restricted for some users, whereas
a few privileged users should be able to access hosts on other subnets.

Solution:

A Mettle SE 3700 was deployed at the campus to handle their total IT infrastructure.
Solutions built up with Mettle SE are classified into the following sections:

a. Redundant WAN link with failover
b. Firewalling & Routing
c. Content Scanning & Gateway Antivirus

a. Redundant WAN link with failover

The college is served by two different ISP links so as to provide a stable Internet
connection with failover. The two WAN links are of different bandwidth: one is a very high
bandwidth link and the other has relatively lower throughput. Both links are terminated at
Mettle SE. Because the bandwidth available on the two links is unequal, Mettle SE has been
configured with the links in failover mode: the primary WAN uplink is the one with the
higher bandwidth, and the secondary, failover duty is assigned to the link with lower
bandwidth. This setup gives web users the best browsing speeds, since all Internet traffic
is sent via the higher bandwidth link. If the high bandwidth link goes down at the ISP's
end, Mettle SE switches over to the backup WAN uplink. Browsing speed is comparatively lower
while the main link is down, but Mettle SE still keeps the campus connected to the
Internet. Once the primary WAN link is up again, Mettle SE automatically switches back to
it.

b. Firewalling & Routing

The college campus LAN is divided into four different subnets based on their needs and
activities. The firewall engine in Mettle SE secures each local subnet from unauthorised
access from the other subnets and from the Internet. Inter-LAN routing gives authorised
users from one LAN subnet access to hosts in other subnets. One of the prime requirements
of our client was to prohibit students from using chat services on the college campus. To
accomplish this, the firewall blocks access to the ports and IP addresses of the most
commonly used chat servers of the most popular chat services. It is implemented in a manner
that does not restrict users from checking their webmail accounts but prevents the chat
service from working.

c. Content Scanning & Gateway Antivirus

As an educational institution responsible for the activities of its students, it was on
the management's agenda to block certain web services and web resources available on the
Internet. Such a policy decision was taken by the management for the benefit and betterment
of their students. It was decided by the management that certain groups of users should
have unfiltered access to the Internet, while certain other user groups should have
limited, filtered access.

To help implement this access policy, different groups of users are created in Mettle SE
and users are added to these groups based on their IP addresses. Each group has a set of
filter rules associated with it. Internet content is served to the users in the respective
groups according to the filter rules set for each group. Students are put in the filtered
group, where objectionable content is blocked. Mettle SE provides the system administrator
with a detailed web usage report containing the websites visited and the amount of data
downloaded by each user, identified by IP address, for each date in a neat tabular form.
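As an added example that is not Mettle SE's own code, the Python script below shows how the
three pieces described above fit together: group membership decided by IP address, a set of
filter rules per group, and a per-IP, per-date usage report built from the access log. The
group names, subnets, blocked domains and the proxy log format are constructed for this
illustration, and the choice to deny addresses that belong to no group is this example's
own, not a documented Mettle SE behaviour.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed group definitions: users join a group by IP address and each
# group carries its own filter rules.
GROUPS = {
    "staff": {                       # unfiltered access
        "subnets": ["10.1.0.0/24"],
        "blocked_domains": set(),
    },
    "students": {                    # filtered access
        "subnets": ["10.2.0.0/24", "10.3.0.0/24"],
        "blocked_domains": {"orkut.com", "chat.example"},
    },
}


def group_for(ip):
    """Return the group whose subnet list contains ip, or None if no group matches."""
    addr = ipaddress.ip_address(ip)
    for name, group in GROUPS.items():
        if any(addr in ipaddress.ip_network(net) for net in group["subnets"]):
            return name
    return None


def is_blocked(ip, url):
    """Apply the requesting IP's group rules to the URL's host name.
    Addresses outside every group get no access (this example's deny-by-default choice)."""
    name = group_for(ip)
    if name is None:
        return True
    host = urlsplit(url).hostname or ""
    return any(host == d or host.endswith("." + d)
               for d in GROUPS[name]["blocked_domains"])


# Constructed proxy log, one request per line: "<date> <client ip> <bytes> <url>"
SAMPLE_LOG = """\
2009-05-12 10.2.0.17 15321 http://www.example.edu/syllabus.pdf
2009-05-12 10.2.0.17 812 http://www.orkut.com/Home.aspx
2009-05-12 10.1.0.5 40960 http://www.orkut.com/Home.aspx
2009-05-13 10.2.0.17 2048 http://www.example.edu/
2009-05-13 10.3.0.9 999 http://mail.example.org/inbox
"""


def usage_report(log_text):
    """Aggregate the log per (date, client ip): hosts visited, bytes downloaded,
    and how many requests the group's filter rules blocked."""
    report = defaultdict(lambda: {"sites": set(), "bytes": 0, "blocked": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, ip, nbytes, url = line.split(maxsplit=3)
        entry = report[(date, ip)]
        if is_blocked(ip, url):
            entry["blocked"] += 1
            continue
        entry["sites"].add(urlsplit(url).hostname)
        entry["bytes"] += int(nbytes)
    return dict(report)


def format_report(report):
    """Render the aggregate as the kind of table an administrator would read."""
    rows = ["date        client ip     bytes  blocked  sites"]
    for (date, ip), e in sorted(report.items()):
        rows.append(f"{date}  {ip:<12} {e['bytes']:>7}  {e['blocked']:>7}  "
                    f"{', '.join(sorted(e['sites']))}")
    return rows


if __name__ == "__main__":
    print("\n".join(format_report(usage_report(SAMPLE_LOG))))
```

Counting blocked requests per client alongside the bytes downloaded is what turns the
report from an accounting table into something the administrator can act on: a client that
keeps hitting the filter is visible at a glance.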

To further secure the campus LAN subnets from Internet-borne threats and viruses, Mettle
SE with its built-in antivirus engine actively monitors the content passing through the
gateway. Virus code and other threats are identified and blocked from gaining access to
host machines inside the campus LAN subnets. The virus definition database in Mettle SE is
always kept up to date by Mettle SE automatically.

The Mettle SE team is happy to report that the Mettle SE 3700 deployed at the campus has
been working flawlessly ever since, meeting the needs of the college management and the
system administrators.




--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.
