Date: January 28th 2010
METTLE NEWS
[Newsletter on the Mettle(tm) brand of products; industry updates, tips and case
studies]
January 2010
Volume 3, Issue 1
In this issue:
* Editorial
* IT Industry news: Scraping the bottom of IPv4 barrel!
* Tip of the month: Configuration History
* Mettle SE feature: DHCP Server
* Case Study: e-Governance Kerala State Department
* Editorial *
Wish you a happy new year!
Hope you had a great year behind. Let us look forward to an exciting year ahead!
This new year begins with a warning on IPv4 address space run-out. So regional NICs are going to be stringent
on terms to release new IP address blocks and in turn ISPs are going to put a cap on the free IP address pool they
provide. This month's Industry News takes a look at this scenario and the proposed solution of IPv6.
Tip of the Month this issue shows a cool way to keep track of the configuration changes in your Mettle SE. This
is handy when you want to revert a change that you made or want to do a forensic analysis.
The Feature of the Month section gives an in-depth view of the DHCP service that is available in Mettle SE.
As always, we appreciate your feedback, suggestions and brickbats. Enjoy!
Once again, wish you a Happy New Year!
Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)
* IT Industry News: Scraping the bottom of IPv4 barrel *
We are facing an IP address crunch: at the rate we are using IPv4 addresses, we will exhaust the available
supply in a few more years! We used up 1370 million IPv4 addresses in this past decade and we have only
722 million left!
Of the 3,706,650,624 IPv4 addresses, approximately 1615 million, 44 percent of the pool, were in use on
January 1 2000 and 2092 million were still available. Fast forward to the present: 81 percent of the pool,
approximately 2985 million IPv4 addresses, are in use and 722 million are available. So it's only a
matter of time before you have to get into the IPv6 way of addressing.
IANA allocates blocks of 16,777,216 addresses called "/8s" to the five Regional Internet Registries - AfriNIC,
APNIC, ARIN, LACNIC and the RIPE NCC - which in turn supply address space to ISPs and end-user organizations.
At the end of 2008, IANA held 34 unused /8s and the RIRs together held 371.91 million unused addresses.
The IANA global pool was only reduced by 8 /8s, but the RIRs collectively reduced their working inventory by
another 5 /8s, bringing the total reduction of the free address space to 13 /8s, or 203.4 million IPv4
addresses, to be exact. 2009 is the first year since 1992 that the number of IPv4 addresses given out has been
more than 200 million.
If IANA goes back to giving out 12 /8s to the RIRs per year, IANA will be giving out the fifth-to-last /8
somewhere in 2011 and then automatically also the other four. APNIC's Geoff Huston predicts September 14, 2011
as the day the IANA global pool runs out, and November 1, 2012, as the day we last scrape the bottom of the
IPv4 barrel.
Source: http://arstechnica.com/tech-policy/news/2010/01/dont-publish-the-decade-in-ipv4-addresses.ars
* Mettle SE tip of the month: Configuration History *
The Backup/Restore screen allows you to easily take a backup of your Mettle SE running configuration, or to
load a saved configuration and make it active. But for minor problems you may use Mettle SE's internal
backups to revert to a previous configuration, sort of like an 'undo' feature. The previous 30 configurations
are stored along with the current running configuration.
1. Diagnostics --> Backup/Restore
2. Select tab 'Config History'
3. Listed are the previous 30 configurations along with the current running configuration.
4. To make a previous config active click on the '+' button next to it.
5. To delete a stored config click on the 'x' button next to it.
Please note that Mettle SE will not automatically reboot if required. Minor changes may not need a reboot, but
recovering some major changes will need a reboot.
(Best practice is to always take a backup of the running configuration onto an admin PC on the LAN before
you make any major changes to Mettle SE).
* Mettle SE feature: DHCP Server *
The DHCP server assigns IP addresses and related configuration options to client PCs on your network. It is
enabled by default on the LAN interface with the default IP range of 192.168.1.10 through 192.168.1.199. In
its default configuration Mettle SE assigns its LAN IP as the gateway, and as the DNS server if the DNS
forwarder is enabled.
To configure the DHCP server go to Services --> DHCP server. On the DHCP configuration page there is a tab for
each non-WAN interface. Each interface has its own separate DHCP configuration, and the interfaces may be
enabled and configured independently of each other.
1. Check 'Enable DHCP Server' to enable DHCP on an Interface.
2. Check 'Deny unknown clients' to deny DHCP lease to clients except for those which are defined with static
mapping.
3. Range - Enter the start IP address and the finish IP address for use as DHCP pool. DHCP range must be
contained within the subnet of the interface being configured.
4. WINS Servers - Enter the IP address of WINS servers if you use WINS servers. They need not be on the same
network but proper routing and firewall rules should be in place.
5. DNS Servers - Depending on your LAN setup you may or may not fill in the DNS servers. If the fields are
left blank and the DNS forwarder is enabled in Mettle SE, Mettle SE will assign itself as the DNS forwarder
for client PCs. If the fields are left blank and the DNS forwarder is disabled, Mettle SE will pass on the
DNS server assigned in System --> General Setup. If you wish to use your own DNS servers instead of the
automatic choices, enter the IP addresses of the DNS servers here.
6. Gateway - If LAN is using Mettle SE as the default gateway, the field can be left blank. If not enter the
IP address of your gateway.
7. Default and Maximum Lease Time - Values to be entered in 'seconds'. They control the life of the DHCP lease.
The default lease time is supplied by Mettle SE when the client does not request a specific lease time.
The maximum lease time controls how long a lease will last even if the client asks for a longer lease time.
8. Fail-over Peer IP - If Mettle SE is set up in a failover stack, enter the IP address of the slave Mettle SE
here.
9. Static ARP - If enabled, Mettle SE will deny DHCP leases to unknown MAC addresses and also restrict any
unknown client from communicating with Mettle SE. Before enabling static ARP make sure that clients which
need to communicate with Mettle SE are listed in the static mapping list, especially the machine you need
to access the Mettle SE web interface from.
10. Dynamic DNS - Click on the 'Advanced' button to go to Dynamic DNS settings. Check the check box to enable it.
If using Mettle SE's DNS forwarder you can leave this blank and configure it inside the DNS forwarder setup.
11. NTP Servers - Click on the 'Advanced' button to enter NTP server IP addresses.
12. Enable Network Booting - Click 'Advanced' button to view or enable network booting settings. Check the box
to enable it. Enter the IP address of the 'Network boot server' and the 'File name of the boot image'.
13. After changes have been made click on 'Save' to save settings. This must be done before creating static
mappings.
14. Static Mappings - This allows you to provide specific IP addresses to specific clients inside the LAN.
To set a static mapping click on the '+' button and you will be forwarded to a new page. Here you will need to
enter the MAC address of the particular client PC in the 'MAC Address' field and enter the IP address in
the 'IP address' field. 'Host name' and 'Description' are not parsed, so you may enter them or not. Please
note that IP addresses issued for static mapping must be outside of the DHCP pool. Save the changes before
navigating away from the page.
KB Article: http://kb.mettle.in/entry/4/
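A pre-change check for the rules in steps 3, 9 and 14 above, as an added example that is not part of the original newsletter and is not Mettle SE code. The function and parameter names are hypothetical, and the lease-order, subnet and duplicate-IP checks go beyond what the newsletter states.

```python
import ipaddress

def check_dhcp_plan(iface_cidr, pool_start, pool_end, static_maps,
                    default_lease, max_lease, static_arp=False, admin_mac=None):
    """Return the problems found in a planned DHCP setup (empty list = OK).
    static_maps is a dict of MAC address -> IP address; names are hypothetical."""
    problems = []
    net = ipaddress.ip_interface(iface_cidr).network
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)

    # Step 3: the range must be contained within the interface subnet.
    if start > end:
        problems.append("pool start is after pool end")
    for label, ip in (("start", start), ("end", end)):
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            problems.append(f"pool {label} {ip} is not a usable host in {net}")

    # Step 7 (added sanity check): a default above the maximum is inconsistent.
    if default_lease > max_lease:
        problems.append("default lease time exceeds maximum lease time")

    # Step 14: static mappings must be outside the DHCP pool.
    owner = {}
    for mac, ip_text in static_maps.items():
        ip = ipaddress.ip_address(ip_text)
        if start <= ip <= end:
            problems.append(f"static mapping {mac} -> {ip} is inside the pool")
        if ip not in net:  # added check, not stated in the newsletter
            problems.append(f"static mapping {mac} -> {ip} is outside {net}")
        if ip in owner:    # added check: one IP handed to two MACs
            problems.append(f"{ip} is mapped to both {owner[ip]} and {mac}")
        owner[ip] = mac

    # Step 9: with static ARP on, an admin PC without a mapping is locked out.
    known = {mac.lower() for mac in static_maps}
    if static_arp and (admin_mac is None or admin_mac.lower() not in known):
        problems.append("static ARP enabled but admin MAC has no static mapping")
    return problems

if __name__ == "__main__":
    # Constructed plan using the newsletter's default range; MACs are made up.
    plan = dict(iface_cidr="192.168.1.1/24", pool_start="192.168.1.10",
                pool_end="192.168.1.199", default_lease=7200, max_lease=86400,
                static_maps={"02:00:00:00:00:01": "192.168.1.50"},
                static_arp=True, admin_mac="02:00:00:00:00:02")
    for problem in check_dhcp_plan(**plan):
        print("PROBLEM:", problem)
```

Run it against the planned values before clicking 'Save'; an empty result means none of the checked rules is violated.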
* Case Study *
Vertical: Government/e-Governance
Geography: Kerala, India
Client profile:
Department of the State of Kerala.
Requirements & Solution:
Their district headquarters are spread across the state and the Head Office (H.O) is stationed at
Thiruvananthapuram. Remote offices need to connect to the e-Governance application located at the H.O,
Thiruvananthapuram. Also, the servers which run the e-Governance applications at the H.O require protection from
unauthorised access from the Internet. Secondly, desktop computers at the H.O need to be protected from viruses,
Internet threats, malicious code and offensive content.
Mettle SE was deployed at the H.O as the solution to satisfy all the connectivity and security requirements.
They can be categorised into:
a. VPN Solution
b. Port Forwarding
c. Firewall and Routing
d. Gateway Anti-virus and Content Scanning
a. VPN Solution.
Mettle SE made it possible to connect district offices and range offices spread across the 14 districts of
Kerala to the H.O through SSL-VPN. Remote VPN users on different operating systems seamlessly connect to the
H.O using and can reliably access servers according to their user privileges.
b. Port Forwarding
Certain servers hosted at the H.O need to be accessible over the Internet. Mettle SE provided port address
translation service to the servers that have to be accessed from a public network. Mettle SE has made it
possible to map internal servers to public IP addresses so that they can be accessed from the Internet by
users with valid credentials.
c. Firewall and Routing
For extended security, PCs and servers are deployed in two different local networks: User-LAN and Server-LAN.
Firewall rules specified in Mettle SE control the access to the computers in the User-LAN, servers in the
Server-LAN and secure publicly accessible servers. Remote users' access to servers in the H.O is strictly
controlled based on their requirement. Mettle SE blocks all unspecified traffic from reaching the H.O network.
There are two routable LAN segments in the network. Servers are placed in a secured Server LAN subnet to
separate them from User LAN traffic. Mettle SE routes users on User-LAN to the server network when they
access their servers.
d. Content Scanning and Gateway Antivirus
Mettle SE is the terminating point for the ISP link at the H.O. Mettle SE is the Gateway for desktop computers
and servers. Mettle SE protects the local network from viruses and worms from the Internet with its built-in
Gateway Antivirus service. Mettle SE updates virus signature database automatically with the latest anti-virus
definitions available so as to block any new virus.
Internet traffic is filtered by Mettle SE's proxy server. Web sites and services that violate the Internet
usage policy are blocked, preventing users from accessing them. Mettle SE keeps a log of the Web sites users
visit on the Internet and the Web services they use, such as instant messengers or download clients. Mettle SE
keeps the Internet content distribution in the H.O clean and safe.
Conclusion:
Mettle SE has been serving the department for many years since its deployment. The Mettle SE team is happy to
report that Mettle SE has been working flawlessly ever since, satisfying the requirements of the department.
--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.
--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.
"Mettle News" is a monthly email newsletter covering new developments in
Mettle(tm) brand of products, case studies, technology updates and a lot of tips
to get your job done faster.