Mettle News

Mettle News November, 2010

2010-11-29T17:29:42Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

November 2010
Volume 3, Issue 9

In this issue:

* Editorial
* IT Industry news: Stuxnet Worm
* Tip of the month: Deactivating Content Filter & Gateway Anti virus
* A Mettle SE feature: Captive Portal

* Editorial

If you keep a log of viruses and worms coming out every month, you won't be amazed on new break outs and only
thing is that you need to be prepared for it. Preparation is a vague word to describe this scenario. And this
time, the threat is in the form of a worm called Stuxnet and its destruction power is not limited to just
computer system but process control system. See this months industry news for more information.

Many a time, you might need to turn off Content scanning and Gateway anti-virus feature for one reason or
other. This month's Tip of the Month column describes how to do this.

Captive Portal is one of the admired features in Mettle SE that allows you to prompt your users to login
before accessing WAN/Internet. This month's Mettle SE Feature describes how easy it is to set up.

As we enter into the last month of the year, we are preparing to for a change for the better; details will
follow.

Warm regards,

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Stuxnet Worm

US government officials revealed that a malicious computer worm which targets Iran's nuclear plants could be
modified to wreak havoc on industrial computer systems around the world and could be the most severe cyber
threat known to industry.

As industrial houses merge the networks and computer systems to increase efficiency and productivity they are
becoming more vulnerable to the Stuxnet worm. Stuxnet's complex code is able to infiltrate and take over
systems that control manufacturing and critical operations and has sophisticated abilities to steal
intellectual property and sensitive data. Symantec Corporation's Global Intelligence Director, Dean Turner,
told the US homeland officials that the real world implications of the Stuxnet worm is is beyond any threat
seen so far.

Experts warned that the industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they
merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it
imperative that Congress move on legislation that would expand government controls and set requirements to
make systems safer.

Stuxnet targets businesses using Windows operating system and a control system designed by Siemens AG.
Sean McGurk, the acting director of US Homeland Security's cyber security operations center, says that this
Windows and Siemens combination software is used in many critical sectors, like automobile assembly and
chemical industries. Experts have warned that attackers can use information made public about the Stuxnet worm
to develop variations targeting other industries.

Michael Assante, President of the National Board of Information Security Examiners have told authorities that
control systems needs to be walled off from other networks to secure it from unauthorized access from the
hackers and make it harder for them to access it. Mr. Assante participated in a research in 2007 at the
national lab, in which during a test they used commands delivered over the Internet to destroy a Diesel
generator. He believes stuxnet worm could be such a weapon but with capability to wreak chaos on a larger
scale.

India ranks 4th, followed by United States in 5th in the Stuxnet invasion statistics.

Read more:

http://news.yahoo.com/s/ap/20101117/ap_on_hi_te/us_cyber_threats
http://news.yahoo.com/s/csm/20101118/ts_csm/344234_1
http://en.wikipedia.org/wiki/Stuxnet

* Tip of the month: Deactivating Content Filter & Gateway Anti virus

Turning off the Content Filter or the Gateway Anti virus is not recommended operation for the sake of your
network security. But if you ever need to disable these services for this is how you do it.

1. In the Mettle SE web interface go to Status -->Services. You can see the list of running services here.
2. The green 'Play' button against each item means that it is active.
3. To stop the Content filtering service, click on the 'Stop' button next to Dansguardian.
4. To stop the Gateway anti virus service, click on the 'stop' button next to ClamAV.

Once you have stopped these two services the content filtering will no longer work and the network will be
vulnerable to viruses, worms, trojans and similar threats from the Internet. Be sure to re-activate these two
services as soon as the need for them being inactive is over.

To re-activate these services, come back to the same page and click on the 'Restart' button next to them.

KB article: http://kb.mettle.in/entry/8/

* A Mettle SE feature: Captive Portal

Captive portal is the technique in which a device trying to access the Internet is forced to a login page
asking for credentials before it is allowed to access the Internet. Mettle SE supports Captive Portal used for
HTTP authentication with a web browser. When Captive Portal is enabled the clients on the network will be
re-directed to a HTTP authentication web page before they can access the Internet.

This is how you enable Captive Portal feature in your Mettle SE.

1. Go to Services --> Captive Portal --> Captive Portal tab
2. To enable captive portal check the box "Enable Captive Portal"
3. Choose the interface captive portal is to enabled. Usually this is your local network.
4. Enter the maximum number of concurrent connections to be allowed
5. Enter the idle timeout in minutes. Idle clients will be logged out after the timeout.
6. Enter the hard timeout in seconds. Clients including active clients will be logged out after the timeout.
7. Check the box to enable logout pop up window if required.
8. Redirection URL - All clients will be redirected to the specified URL after logging in.
9. Concurrent logins - If enabled only the most recent login of a user will be active. Previous logins of the
same user will be logged out.
10. MAC filtering - If disabled, attempts will not be made to ensure that the MAC address of clients stays the
same while they're logged in. This is required when the MAC address of the client cannot be determined
(usually when there are routers between Mettle SE and client computers). RADIUS MAC authentication cannot
be used when MAC filtering is enabled.
11. Authentication - Select an authentication method; 'No Authentication', 'Local user manager' or 'RADIUS'.
If RADIUS is chosen, enter RADIUS server details below. If 'Local User Manager' is selected you can manage
users in the "Users" tab.
12. Enable HTTPS login - If enabled, login information would be transmitted over secure HTTPS connection.
13. Enter HTTPS server details in the fields below.
14. Click on 'Save'

Captive Portal Pass through MAC

Pass through MAC If a pass through MAC is added to Captive portal then users logging in from this MAC address
will not be taken to a portal authentication page.

1. Select Services --> Captive Portal-- > Pass through MAC tab to enable this.
2. Click on the '+' button
3. Enter the MAC address
4. Enter a description (not parsed)
5. Click on 'Save'

Captive Portal Allowed IP address

Adding allowed IP addresses will allow IP access to/from these addresses through the captive portal without
being taken to the portal page. This can be used for a web server serving images for the portal page or a DNS
server on another network, for example. By specifying from addresses,

1. Select Services --> Captive Portal --> Allowed IP addresses
2. Click on the '+' button to add an IP address
3. Choose the direction either From or To
4. Enter the IP address to be allowed
5. Enter a description for the IP address added (not parsed)
6. Click on 'Save'

Managing Captive Portal Users

1. Select Services --> Captive Portal --> Users
2. To add an user click on the '+' button
3. Enter the user name
4. Enter the password
5. Confirm the password
6. Enter users full name (not parsed)
7. Enter an expiry date for the user you have created by clicking on the 'Calendar' button next to the text
area. If a date is not entered the account will not expire.
8. Click on 'Save'

KB article: http://kb.mettle.in/entry/31/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2010 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News October, 2010

2010-11-02T13:10:43Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

October 2010
Volume 3, Issue 8

In this issue:

* Editorial
* IT Industry news: SpamBot wants to be your friend
* Tip of the month: NAT Reflection
* A Mettle SE feature: Split-Horizon DNS

* Editorial *

Greetings,

Social networking has been a boom; it helped us to connect back with our lost friends, maintain business
relationships, etc. It has come to a culture that it is near impossible to maintain our social life without an
account in one of the social networking sites. This month's industry news talks about security and privacy
problems posed by social networking web sites.

In many enterprise/campus networks, there will be a set of services hosted in the DMZ (with port forwarding)
which are publically accessible. There are occasions that requires accessing those services from within the
private LAN as well. "Tip of month" sections describes about a feature of Mettle SE, called, NAT Reflection
and how to attain this.

Split Horizon is a feature that can meet the above requirement if it is possible to configure DMZ servers with
private IP addresses. But this requires that those who are accessing those servers from inside the LAN should
get that private IP addresses of those servers. Mettle SE provide a feature called Split Horizon to meet this
requirement. Read in detail in the "A Mettle SE Feature" section.

Happy networking!

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: SpamBot wants to be your friend *

Finding new friends and contacts on social networking sites and keeping in touch with your old and new friends
and relatives have become just as routine as texting or emailing. As more and more number of people migrate
to social networking websites security risks of these websites pose are becoming more common.

Gilbert Wondracek and Christian Platzer of the Secure Systems Lab at Vienna University of Technology have been
doing research on such security issues. With a few simple tricks they managed to match more than 1.2 million
social network profiles with corresponding email addresses. Gilbert and Platzer did this experiment for
scientific research, but what if next attack is launched by hackers intending to cause grief?

For an average user creating a profile on social networking sites they want to get into contact with as many
contacts as possible. These social networking websites offer an easy way to find contacts you may know from
your email address book and the website list profiles matching the email addresses in your address book.
Christian Platzer says it is a cause for concern because even if an user has chosen to hide the email address
in his profile, the social networking website would still use it to identify the user.

The researchers used email addresses taken from an offline spam-server and using simple computer programs,
email addresses could be checked on various social networking sites in a short period of time. If the social
network site responds that there is indeed a user profile for a given email address, then it is most likely
that an address still in use and in addition, the user profile provides valuable personal information about
the owner of the email address. In someone's user profile a list of names of their friends can be found
usually, from this list, new email addresses can be generated. The researchers used a computer program to
create a list of possible email addresses for each name. Then these email addresses can again be tested like
previously to find out if any of these addresses are registered on a social network site. That way, hundreds
of thousands of valid email addresses could be found rapidly.

Further dangers are posed by user groups on various social network sites. On user groups, people discuss their
favourite topics and get to know other people with similar interests. But such groups can cause users to lose
their web anonymity. A harmless-looking website may search the user's browser history and find out which group
websites have been visited recently. If the malicious website knows the list of groups the user has joined and
then his identity can, in many cases, be determined quite accurately. It is rather improbable that several
users are members of exactly the same set of groups. That way the website can even guess the user's name even
if the site itself is in no way affiliated with social network sites.

The most harmless thing that could happen to the victim is they're going to get truckloads of spam, but
serious frauds are also possible. Tricksters could pretend to be friends or business partners and contact the
victim using text made using victim's personal data obtained from the social network profile, and the victim
is tempted to believe that the sender is the person he claims to be.

Researchers have already reported the new found security hazards to the social networking websites and the
problems have been fixed in some cases. But for Internet users it pays to be careful but not paranoid,
following some simple safety steps could prevent you from becoming a victim.

1) It is never a good idea to upload one's email address book anywhere on the Internet. Valuable data which
should better be kept private is distributed that way.
2) Most social network sites offer the possibility of deciding what information should be visible to others
and which should be restricted to personal friends. It is advisable to choose restrictive settings.
3) Special care should be taken with tagging photographs. Not everybody needs to identify you in photos posted
by others.
4) Telephone numbers or private addresses should never be posted in the profile. Data like that should only be
given personally to people who are actually supposed to have it.

For detailed reading: http://www.tuwien.ac.at/news/news_detail/article/6670//EN/

* Tip of the month: NAT Reflection *

NAT Reflection refers to the ability to access services hosted in DMZ from the internal network by its
public IP address. Mettle SE offers NAT Reflection.

To enable NAT Reflection:

1) Go to: System --> Advanced
2) Scroll down to Network Address Translation and uncheck "Disable NAT Reflection" check box
3) Click on "Save".

NAT reflection will now be enabled.

Read more here: http://kb.mettle.in/entry/56/

* A Mettle SE Feature: Split-Horizon DNS *

In a Split-Horizon DNS infrastructure two DNS zones are created for the same domain, one to be used by
Internal network and the other to be used by the external network. A split DNS routes the internal hosts to an
internal domain name server for name resolution and external hosts are directed to an external domain name
server for name resolution.

If you're using Mettle SE as the DNS server for internal hosts you can use DNS forwarder override to implement
split DNS deployment.

Adding an override to DNS forwarder:

1) Go To: Services --> DNS Forwarder
2) Click the '+' button under "You may enter records that override the results from the forwarders below"
3) This brings up the DNS forwarder: Edit host screen You will need to add an override for each hostname in
use behind your firewall.

Examples for DNS overrides for mettle.in www.mettle.in

a) Host:
Domain: mettle.in
IP Address: 192.168.1.5
Description: Override for mettle.in web server

b) Host: www
Domain: mettle.in
IP Address: 192.168.1.5
Description: Override for www.mettle.in

If using other DNS servers in your internal network like Microsoft Active Directory, you will need to create
zones for all the domains hosted inside the network along with all other records for those domains.

In network scenarios with BIND DNS server where the public DNS is hosted on the same server as the private
DNS, BIND's views feature is used to resolve DNS differently for internal hosts and external ones.

Read more here: http://kb.mettle.in/entry/55/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News September, 2010

2010-09-30T16:17:07Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

September 2010
Volume 3, Issue 7

In this issue:

* Editorial
* IT Industry news: 64bit Linux Kernel Vulnerability
* Tip of the month!: How to make OpenVPN clients use the VPN as the default gateway?
* Introducing a Mettle SE feature!: Establishing an IPsec VPN Tunnel

* Editorial

This month's Industry News section contain the information about a 64 bit Linux kernel vulnerability. We have
included this article because many of our Mettle customers have deployed Linux machines for production use.
More over, those of our readers who are interested in knowing what this vulnerability is all about can dig
deeper with the links provided.

Usage of VPN is on the increase. Those who have deployed Mettle SE would make that job easier and not to
mention in a very economic way. This month's tip of the month describes how Mettle SE SSL VPN server lets you
determine the gateway of the SSL VPN client.

Continuing with the subject of VPN, this month's Mettle SE feature too deal with the subject. This month the
section talks about how to establish an IPSec VPN tunnel using Mettle SE.

Yours Sincerely,

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: 64bit Linux Kernel Vulnerability

On 17th September a potentially harmful security vulnerability was identified which affects computers running
on 64bit Linux operating systems (CVE-2010-3081 ). This backdoor vulnerability allows a hacker to take over a
server and give him full root access. This is a critical security lapse since this vulnerability has been
exploited much quicker than usual. This security vulnerability was introduced into the the 64bit Linux Kernel
in April 2008 and it means every 64bit Linux distribution is affected including the most popular ones.

If a system was already compromised using CVE-2010-3081 exploit, a simple update will not heal and seal the
exploit. The exploit may continue to be active even after it has been updated because of the backdoor
installed by the exploit. It is also possible that the hacker could have installed other backdoors in your
server. Use the 'chkrootkit' command to scan for known and detectable backdoors and rootkits.

Ksplice has published an application with which you can check is the vulnerability has been exploited in your
server and if a backdoor is running into memory. If your system has not been compromised it is recommended
that you should patch your kernel now, most popular distributions have come up with a kernel patch.

If you use or administer a 64bit Linux computer we suggest you use the tool to ascertain whether the machines
were compromised and act accordingly. You can get the tool from here.

http://www.ksplice.com/uptrack/cve-2010-3081

You can read More for more information regarding the CVE-2010-3081 exploit and also for the links to kernel
patches at the following link.
http://blog.iweb.com/en/2010/09/64bits-linux-important-security-vulnerability-identified/5437.html

* Tip of the month: How to make OpenVPN clients use the VPN as the default gateway?

Certain VPN deployment scenarios may require that the VPN client use the VPN as the gateway of host PC. You
can implement this with Mettle SE VPN by issuing a simple command.

1) Go to: VPN --> OpenVPN
2) Under Server tab click the 'e' button to edit the OpenVPN server configuration
3) Then in the server configuration page go down to 'Custom Options' and in the text field enter the text
- push "redirect-gateway def1";
4) Save the settings

KB Article: http://kb.mettle.in/entry/46/

* Introducing a Mettle SE feature!: Establishing an IPsec VPN Tunnel

If your offices or campuses are located at different regions separated by long distances you might need to
establish a permanent VPN tunnel between different locations for reasons mainly to do with secure transmission
of data. Described below is how you can create a IPsec VPN tunnel to establish the connection.

Step 1: VPN Tunnel Creation

a) Go to VPN --> IPsec--> Tunnels
b) Under 'Tunnels' check the 'Enable IPsec' check box and click on 'Save'
c) To create a new IPsec tunnel click on '+' button
d) Select WAN interface
e) At 'Local Subnet' enter local Network IP address, this is the Network to give access to VPN hosts
f) At 'Remote Subnet' enter IP address of the remote Network which will be connecting to the VPN
g) At 'Remote Gateway' enter public IP address of the remote Gateway
h) Enter a name or description for the Tunnel

Step 2: The Phase 1 (Authentication) of configuration. Options selected here and changes made should reflect
in the remote VPN device.

a) Select negotiation mode - Main for more security
b) Choose and set an Identifier
c) Choose an encryption mode - DES for low security 3DES for higher security
d) Choose a hash algorithm
e) Choose a DH key group
f) Enter key lifetime in seconds. Lower number for increased security & lower performance or higher number for
vice versa
g) Choose authentication method - RSA signature for higher security. Pre Shared Key for ease of use
h) If the RSA signature is selected RSA certificates then certificate and key should be generated and pasted
in their respective fields
h.1) Remote host should have matching RSA certificates and key string
i) If pre shared key is the preferred method then a key string should be entered in the field for 'Pre Shared
Key'
i.1) Remote VPN host should have matching key string

Step 3: The Phase 2 (SA/Key exchange) configuration.

a) Choose ESP as protocol
b) Choose encryption algorithm(s)
c) Choose hash algorithm(s)
d) Choose PFS key group
e) Enter lifetime in seconds
f) Enter IP address of the remote host to ping so as to keep the connection alive (optional)

KB article: http://kb.mettle.in/entry/25/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News August, 2010

2010-08-30T13:13:20Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case studies]

August 2010
Volume 3, Issue 6

In this issue:

* Editorial
* IT Industry news: Google's Speedy
* Tip of the month: Backup & Restore Mettle SE Running Configuration
* Mettle SE feature: Event logging on Remote Sys log Server

* Editorial *

Greetings,

Most of the IT managers are keen on updating Internet link bandwidth to speed up browsing experience. But the situation is more complex now. Even if there is more than enough bandwidth, the page load often exceeds acceptable limit. The "Industry News" section talks about a presentation by Google in the Velocity conference on this subject.

Mettle SE is designed to make you feel confident about your IT infrastructure besides performing its basic functions. This month's "Tip of the Month" describes how you can retain your most trusted configuration even if you play around with it or if you replace/upgrade your Mettle SE.

Logs provides live information about what happens in the system. Mettle SE has a provision to connect a log server to it so that you can process the logs using third-party tools of your choice. This month's "Feature of the Month" explains this facility.

With you a month ahead filled with technology and excitement.

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Speedy - Google's SPDY Protocol

During the Velocity conference in Santa Clara, CA, Google's VP of Engineering Urs Holzle has warned that any improvement to the network bandwidth will be wasted unless the underlying protocols are updated. He said that even though the average network bandwidth will grow by a factor of three from 1.8Mbps to 5.4Mbps users will not be able to exploit the increase in bandwidth unless the underlying protocol is fixed.

Internal tests conducted by Google has obtained the result that average website size is 320KB. So with average user bandwidth at 1.84Mbps, website load times should be around 1.4secs. But Google's tests have shown that real load times were close to 5secs. Holzle reckons this variation in theoretical to actual speeds is not due to the network bandwidth but due to the protocol and the browser.

Holzle said in the conference that Google's goal is to achieve 100millisecond load times on the Google Chrome web browser and this will only be possible with the improvements to the Internet's underlying protocols. Chrome was one of the fastest web browsers when it arrived in 2008, the increased speed, in part, was contributed by the revamped JavaScript engine.

Google boosted its image search engine speed by 18 percent by making some modest changes to the TCP protocol, but without making any changes to the site itself. Google believes that on an average 12 percent speed boost can be had with TCP tweaks. Holzle said the modest change which involved increasing TCP's initial congestion window involved changing about 10 lines of code.

Pushing the speed envelope, Google is developing a new application protocol it calls SPDY (pronounced Speedy) meant to reduce web latency via multiplexed streams, request prioritisation and HTTP header compression. According to Holzle the new protocol can reduce packet count by 40pc and byte count by 15pc and an improvement in downloading speed of upto 55pc over simulated home connections. SPDY creates a session layer between HTTP application layer and TCP transport layer, it is not a HTTP replacement protocol but augments it. SPDY overrides parts of HTTP protocol such as connection management and data transfer formats. Holzle said that on low bandwidth links with SPDY's header compression alone has seen a latency reduction of 85pc.

http://arstechnica.com/web/news/2009/11/spdy-google-wants-to-speed-up-the-web-by-ditching-http.ars

* Tip of the month: Backup & Restore Mettle SE Running Configuration *

Backing up:
It is wise to backup the running configuration of Mettle SE after you have made changes to the system settings. Keeping backup of running configuration ready allows you to relax and be on the safe side if things go wrong. To take backup of your running configuration:

- Go to Diagnostics --> Backup/Restore.
- It is recommended to keep the backup area as 'All'
- Click on 'Download configuration' button.
- The configuration file would be downloaded into your system and named in this format - config-<host name>-<timestamp>.xml
- Keep the configuration backup file safe.

Restoring from backup:
You can restore Mettle SE to a running configuration as saved in the backup file from the same screen you did the backing up from. To restore to a saved configuration:

- Select a restore area, usually 'All'
- Click 'Browse' and select the backup configuration file from your computer.
- Click on 'Restore configuration' button.

Mettle SE would reboot once you have clicked on the 'Restore configuration' button and restored settings would be applied.
http://kb.mettle.in/entry/53/

* Mettle SE Feature: Event logging on Remote Sys log Server

Factory setting of Mettle SE is set to store the log entries locally in the hard drive. But it is possible for you to enable remote logging in Mettle SE which will store the long entries remotely in a sys log server. Log entries in Mettle SE can only be of a specific size and as new log is generated old logs are deleted. If you have a sys log server, enabling remote logging is a good practice as it will aid with troubleshooting and long term monitoring and there is no limit to the log size except for your hard drive capacity.

- To enable remote sys log logging go to:
- Status --> System Logs
- Go to the 'Settings' tab and tick on 'Enable sys log'ing to remote sys log server'
- To disable local logging you may tick on 'Disable writing log files to the local ram disk'. But this is neither required nor recommended.
- Enter the IP address of the remote sys log server in the text field.
- Next you have to select what all events are to be logged in the sys log server. Tick each category you want to have logged.
- Click on 'Save' once the settings are confirmed.

http://kb.mettle.in/entry/54/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News May, 2010

2010-05-31T17:00:45Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

May 2010
Volume 3, Issue 5

In this issue:

* Editorial
* IT Industry news: How fragile is the Internet?
* Tip of the month: Troubleshooting Firewall Rules
* Mettle SE feature: Firewall logs

* Editorial *

Greetings!

Networking has two faces: Enterprise networking and the Internet (as seen by ISPs and carriers). The Internet
side of networking is quite challenging and demands a lot of co-operation and trust among operators for it to
work. This month's Industry News provides an interesting but scary problem that prevails in the Internet.

Many a time, every network administrator faces the problem is firewall rule verification-basically finding out
whether the rule written matches the packets. Mettle SE provides a mechanism for this. This saves time and
effort. Also let you know, positively, how good you are in writing firewall policies.

This month's feature section, we explain you the firewall rules and how effectively you can use them them.

Happy networking.

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry news: How fragile is the Internet? *

Brief Description: Unfixed routing glitch causing concern

Story:

In 1998 a hacker claimed that Internet could be brought down to its heels in 30minutes by exploiting a flaw
which caused online outages occasionally by misdirecting data.

In 2010 the flaw still causes outages every year, although most of the outages are innocent and fixed quickly,
the problem still could be exploited by a hacker to spy on data traffic or take down websites. Reliance on the
Internet has only increased in all these years and an outage could disrupt businesses and governments which
require Internet to function normally.

These outages are called "hijackings" and are caused by the haphazard way through which traffic is passed
between companies that carry Internet data. It is the Internet's open nature which has stimulated its dazzling
growth, and it is this same open nature which is contributing to the outage problem of the Internet.

When an email is sent and a website is opened or done anything else online, the data you send and receive is
handed from one carrier of Internet to another. The data might be handed from your ISP to a third party
company which operates a global network of fiber-optic lines that carry Internet data across long distances.
It, in turn, might pass the data to another carrier that's connected directly to the server computers the data
is intended for.

The crux of the problem is that each carrier along the way figures out how to route the data based only on
what the surrounding carriers in the chain say, rather than by looking at the whole path. Because carriers
pass information between themselves about where data should go, and this system has no secure automatic
means of verifying the routing information is correct, data can be routed to some carrier that isn't
expecting the information. The carrier doesn't know what to do with it, and usually just drops it.

On April 25, 1997, millions of people in North America lost access to all of the Internet for about an hour,
caused by an employee mis-programming a router at a small Internet service provider. That's what happens
when an Internet route gets hijacked. It falls into a "black hole." Routing errors has previously blocked
Internet access in different parts of the world, at different times, often for millions of people.

Last month a Chinese Internet service provider halted access from around the world to a vast number of sites,
including Dell.com and CNN.com, for about 20 minutes.

In 2008, Pakistan Telecom tried to comply with a government order to prevent access to YouTube from the
country and intentionally "black-holed" requests for YouTube videos from Pakistani Internet users. But it also
accidentally published the route international upstream carrier, the upstream carrier accepted the routing
message, and passed it along to other carriers across the world, which started sending all requests for
YouTube videos to Pakistan Telecom. Soon, even Internet users in the U.S. were denied YouTube access for a few
hours.

In 2004, the flaw was put to malicious use when someone got a computer in Malaysia to tell Internet service
providers that it was part of Yahoo Inc. A flood of spam was sent out, appearing to come from Yahoo.

In 2003, the Bush administration's Critical Infrastructure Protection Board assembled a "National Strategy to
Secure Cyberspace" that concluded that it was vital to fix the routing system and make sure route always point
in the right direction.

Unlike other Internet bugs that get discovered and fixed relatively quickly, the routing system has been
unreformed for more than a decade. There is some progress being made but there's little industry-wide momentum
behind efforts to introduce a permanent remedy. Data carriers regard the fallibility of the routing system as
the price to be paid for the Internet's open, flexible structure. The simplicity of the routing system makes
it easy for service providers to connect, a quality that has probably helped the explosive growth of the
Internet.

Peiter Zatko, a member of the "hacker think tank" called the L0pht, told Congress in 1998 that he could use
the BGP vulnerability to bring down the Internet in half an hour. In recent years, Zatko, who now works for
the Pentagon's DARPA, has said the exploit would still work. However he added, it would likely take a few
hours rather than 30 minutes, partly because a greater number of Internet carriers would need to be hit.

Plenty of solutions have been proposed in the Internet engineering community since 1995. The U.S. government
has supported these efforts, spurred in part by the Bush administration's 2003 strategy statement. It has
resulted in some trials of new technology, but adoption by data carriers still appears distant. And the
federal government doesn't have any direct authority to force changes.

One solution being tested would stop short of making the routing system fully secure but would at least verify
part of it. Yet this system also worries carriers because they would have to work through a central database.

Weakness in the system are in the routing between carriers. It doesn't help if one carrier introduces a new
system, every one it connects with has to make the change as well.

As Doug Maughan of the US Homeland Security puts it, "It's kind of everybody's problem, because it impacts the
stability of the Internet, but at the same time it's nobody's problem because nobody owns it".

Meanwhile, network administrators deal with hijacking an old-fashioned way: calling their counterparts close
to where the hijacking is happening to get them to manually change data routes. Let us hope that researchers
will come up with something robust and practical to keep the Internet secure soon.

http://detnews.com/article/20100508/BIZ04/5080399/Unfixed-Internet-glitch-could-strand-users-offline

* Tip of the month: Troubleshooting Firewall Rules *

This month we will help you troubleshoot your firewall rules if they are not behaving as you expect it to.

Check firewall logs:- First step to take while debugging suspected blocked traffic is to check the firewall
logs. With factory setting Mettle SE logs all dropped traffic and will not log passed traffic. If there is no
traffic with a red X next to it in your firewall logs, Mettle SE is not dropping the traffic.
(Firewall logs explained in "Feature of the month"section).

Review rule parameters:- Edit the suspected rule and review the parameters you have specified for each field.
For TCP and UDP traffic the source and destination ports are almost never the same and should be set to any.
If the default deny rule is the cause of problem, you have to create a new pass rule that will match the
traffic that is to be allowed.

Review rule order:- First matching rule for a case wins. No further rules are evaluated.

Rules and interfaces:- Make sure the rules are assigned on the correct interface. Traffic is filtered only by
the rule set configured on the interface where traffic is initiated.

Enable rule logging: By enabling logging on your pass rules, you can view firewall logs and click on an entry
to determine which rule passed the traffic. This can be helpful to determine which rule is matching the
traffic in question.

Packet captures:- This is a mighty good tool for troubleshooting and debugging firewall and traffic issues.
With packet capture you can tell if the traffic is reaching the outside interface or leaving the inside
interface and among many other uses.

How to use packet capture:- http://kb.mettle.in/entry/43/

* Mettle SE feature: Firewall logs *

A firewall log entry is made for each rule that is set to log and for the default deny rule. To view the
parsed logs you have to go to Status -> System Logs on the Firewall tab.

Parsed logs are displayed in 6 columns: Action - Time - Interface - Source - Destination - Protocol. Action
tells what happened to the packet which generated the log entry - its either Pass, Block, or Reject. Time
tells the time when the packet has arrived. Interface is the interface through which the packet entered
Mettle SE. Source is the source IP address and the port the packet originated from, Destination is the
destination IP address and port of the packet. Protocol is the protocol of the packet.

The 'Action' icon displayed in the logs is a link, clicking it will lookup and display the rule which caused
the log entry.

If the Protocol is TCP, you will see extra fields that represent TCP flags present in the packet. These flags
indicate various connection states or packet attributes, some common flags are:

S (Syn) - Synchronise sequence numbers. Indicates a new connection attempt when only SYN is set.
A (Ack) - Acknowledgement to the data received.
F (Fin) - Indicates there is no more data from the sender, connection closing.
R (Rst) - Connection reset

http://kb.mettle.in/entry/52/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News April, 2010

2010-04-30T17:08:05Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

April 2010
Volume 3, Issue 4

In this issue:
* Editorial
* IT Industry news: Accidentally Importing Foreign Censorship Policy
* Tip of the month: Firewall Rule Best Practices
* Mettle SE feature: Server Load Balancing
* Case Study: Mettle SE at a Research and Education Institute in Kerala

* Editorial *

Greetings,

This month passes with yet another episode of wrong BGP advertisement hogging the Internet. This occurred in
China this time. Result: China's censorship was enforced outside their country. Read the full story in the
Industry News section.

A badly maintained system is prone to go wrong and will turn into a maintenance nightmare. Firewall is no
exception. This month's Tip of the Month section describes how the firewall configuration in Mettle SE can be
kept neat and tidy. It is nothing but a set of conventions that can be followed easily.

Redundancy is what we think when it comes to high availability. It is easier said than done when it comes to
setting up redundant servers or services and putting them into use effectively. This requires additional
infrastructure components to direct traffic and check out availability etc. Mettle SE supports this and this
feature is part of standard firmware. Read about this in this month's Mettle SE Feature column.

This month's case study explains how Mettle SE enabled a premier research institute to implement a secure IT
infrastructure and policy enforcement in their campus.

Happy networking!

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Accidentally Importing Foreign Censorship Policy *

You're browsing the Internet from a place with no Internet censorship, but one fine day the websites you used
to visit have become unavailable or you're presented with restricted user access. You may not have realised,
but your computer must have come under the Internet censorship policy of another country! Sounds strange?
Read on!

With advancing technology, sophisticated filtering technologies are increasingly being applied to restrict
access to the Internet. Internet filtering is done by corporations and by some governments. Given the open
nature of the Internet, one country's restrictions, if not handled very carefully, can foul global Internet
access. This article is about one such incident, Internet filtering done in China affecting other parts of the
world and going undetected for 3 weeks. Given the increasing complexity and efficiency of this technology, and
the difficulty in controlling a very open Internet, and the desire of some to do just that could be a
harbinger of things to come.

To understand this, one needs a bit of Internet routing know how, the behaviour of DNS and the root name
servers, and the economics of Internet routing.

When you type www.facebook.com into your browser, your computer first contacts a DNS server to convert this
name into an IP address in order to contact the host serving this content. Answers to DNS requests are cached
on both your machine and the servers involved to save time and to reduce the load of subsequent identical
queries. Now suppose that the caches on your computer and your DNS server are both empty and you make the
above query. Your DNS server first contacts a Root name server with your request. If configured according to
convention, the Root name server will not provide the answer to your query by itself, instead directs your DNS
server to the .com Name servers. In turn, .com name servers will direct your DNS server to the Facebook.com's
name server, which will ultimately provide IP address to of Facebook's web servers.

Now suppose corporate Z runs a root name server and Z wants to restrict Facebook access. Nothing requires Z to
direct you to the .com name servers as in the chain of resolution described above. Since Z sees your complete
request, it could just answer it directly. If Z gave you the wrong answer, it would effectively block your
access to Facebook. Since Internet runs on trust, you'll also end up caching Z's invalid response (called
“cache poisoning”) and with Z being the one who tells you how long to cache the result. Or Z could actually
provide the correct answer, but a firewall in front of Z could alter the DNS query response on its way back
to you.

Incident Details

This scenario might seem very unlikely but it in fact just happened with the I-Root instance that runs out of
China. The problem existed from March 3rd until March 25th, before it was reported and corrected. Despite the
fact that a lot of people could have been impacted, the chances of any one of them having gotten the incorrect
DNS response are extremely remote. Thanks again to the way DNS operates and the overall resiliency of the
Internet.

China censors the Internet in a variety of ways, one way is to return invalid answers to DNS requests to
Chinese users. For example, a Chinese DNS server is returning 46.82.174.68 as an IP address for
www.facebook.com, when in fact all legitimate Facebook IPs are of the form 66.220.x.y or 69.63.x.y. Such
seemingly random IPs are also returned for www.twitter.com, www.youtube.com and many other domains. This is
normal and expected behavior inside China.

However, China hosts an instance of a Root name server, the I-Root, when this server became visible outside of
China on March 3rd, anyone who happened to query it could have got bogus responses. There are thirteen
different root name server IP addresses and the I-root is just one of these, namely 192.36.148.17. In
addition, there are dozens of instances of the I-Root housed in many locations around the world. To get a
bogus DNS response outside of China, you not only had to query the I-Root but you had to query the Chinese
version of it. Not surprisingly, the most exposed countries were all in Asia, but some prefixes in the US were
also vulnerable, more than half of which geo-locate to California.

Let us review the unlikely series of events that would have been required to observe a bogus answer to
www.facebook.com.

1. You attempt to go to www.facebook.com.
2. You don't have this entry in your DNS cache, nor does your DNS server.
3. Your DNS server does not have the .com servers cached either.
4. Your DNS server happens to choose the I-root (as opposed to A-root, B-root, C-root,... M-root etc).
5. Due to current Internet routing in place at your location, your DNS server happens to be directed to
China's instance.

Since Facebook is blocked in China, your DNS server does not get the expected list of .com servers, but rather
a bogus response to your original request, either from the I-root itself or a firewall in between.

You don't have any control over which I-root instance you see from your location. That is determined by
Internet routing. Many of the root name servers are “anycast” from multiple locations around the world. This
means that the associated IP prefixes are announced from multiple locations, all of which house servers with
copies of the appropriate data. BGP, the Internet routing protocol, is then used to sort out who sees which
instance of the root servers from which locations. In general, the Chinese I-root instance is supposedly only
visible from within China, but for 3 weeks these routes leaked out to the global Internet which created this
issue. This announcement leaked out of China when it was leaked by China Network Information Center.

Internet routing is driven more by economics than by physical distance, although the two are often related.
For example, two smaller Internet service providers X and Y, agree to exchange traffic with each other for
free. This common arrangement on the Internet is known as peering and allows X and Y to save money in transit
costs to larger ISPs. Suppose further that X (or one of its customers) is running the I-root. If Y needs to
get to the I-root it should pick its peering link with X, rather than its link to a larger carrier for whom
they have to pay. China Telecom, the largest carrier in China, peers with nearly 100 other ISPs. If those ISPs
or their customers aren't running an instance of the I-root themselves, they might use their peering link to
China Telecom to reach their instance. This is how countries far from China could end up selecting the Chinese
I-root as the "best" of many possibilities.

Conclusions

The article illustrates both the fragility and the resiliency of the Internet. Its fragile because it is
ultimately trust-based and almost anyone can violate that trust, deliberately or by accident. Its resilient
because there are often many alternatives or workarounds for any sabotage or attempts to control it.

Reference: Renesys blog: http://www.renesys.com/blog/2010/03/fouling-the-global-nest.shtml

* Tip of the month: Firewall Rule Best Practices *

Below are general best practice tips to consider when configuring firewall rules. Following best practices
tips will help you to create a secure and robust computer network and easy trouble shooting.

1) Default deny: Two philosophies in computer security related access control are default allow and default
deny. Best practice is to have the default deny strategy. Configure your rules to permit only the bare minimum
required traffic for your networking needs, and let the rest drop with Mettle SE's built in default deny rule.

2) Keep it short: The shorter the rule set, the easier it is to manage. Long rule sets are difficult to work
with, increase human error, tend to become overly permissive and significantly more difficult to audit.
Utilise 'Aliases' to help keep your rule set as short as possible.

3) Review your rules: You should manually review your firewall rules and NAT configuration on a periodic basis
to ensure they still match minimum requirements of your current network environment. The recommended frequency
of such review will vary from one scenario to another. In networks that do not change frequently with a small
number of network administrators and good change control procedures, quarterly or semi-annually is usually
adequate. For fast changing environments or those with poor change control and several network administrators,
the configuration should be reviewed at least on a monthly basis.

4) Document your configuration: Use of the 'description' field in firewall and NAT rules is always recommended
to document the purpose of each rule. In larger or more complex deployments, you should also maintain a more
detailed configuration document describing your entire Mettle SE configuration. When reviewing your
configuration in the future this should help you determine which rules are necessary and why they are there.

5) Reducing log noise: Logging is enabled on the default deny rule in Mettle SE by default. This means all the
noise getting blocked from the Internet is going to get logged. Sometimes you won't see much noise, but in
many environments you will find something incessantly spamming your logs. Sometimes spamming cover up logs
that are important, and its a good idea to add a block rule on the WAN interface for repeated noise traffic.
By adding a block rule without logging enabled on the WAN interface, the traffic will still be blocked, but no
longer fill your logs.

6) Logging Practices: By default Mettle SE does not log any passed traffic and logs all dropped traffic. This
is a practical setting as logging all passed traffic should rarely be done due to log levels generated. There
is a catch in this, blocked traffic cannot harm the network, but traffic that gets passed could be very
important log information to have if a system is compromised. After eliminating useless block noise as
described in the previous section, the remainder is of some value for pattern analysis purpose. If you are
seeing a significantly more or less log volume than usual, its probably good to investigate why.

* Mettle SE Feature: Server Load Balancing *

Server load balancing allows you to distribute traffic between multiple internal servers. It is commonly used
with web servers and SMTP servers though it can be used for any service that uses TCP.

There are two portions of configuration for the server load balancer. Virtual server pools define the list of
servers to be used, which port they listen on, and monitoring method to be used. Virtual servers define the IP
address and port to listen on, and the appropriate pool to direct the incoming traffic to that IP address and
port.

To configure Virtual server pools:

1) Go to: Services --> Load Balancer --> Click + button to add a new pool.
2) Name --> Enter a name for the pool here. The name is referenced later when configuring virtual server.
3) Description --> You may enter an optional description here/
4) Type --> Select 'Server'
5) Behaviour --> Select 'Load Balancing'
6) Port --> This is the port your servers are listening on internally. This can be different from the external
port.
7) Monitor --> Defines the type of monitoring to use. Selecting 'TCP' will make the balancer connect to the
port defined above, if it cannot connect, server is considered down. Choosing 'ICMP' will monitor the defined
servers by pinging them, and will be marked down if there is no ping response.
8) Monitor IP --> Not applicable with server load balancing
9) Server IP Address --> Fill in the IP address of the servers in the pool.
10) List --> Shows the list of servers you have added to this pool. You can remove a server from the pool by
clicking on its IP address and clicking remove from pool.
11) Click on 'Save' and proceed to configure virtual servers.

To Configure virtual servers:

1) Name --> Enter a name for the virtual server here, this is not parsed.
2) Description --> You may enter a long description here, its not parsed.
3) IP Address --> Enter the IP address that the virtual server will listen on. This is usually your WAN IP or
a Virtual IP on WAN interface.
4) Port --> This is the port the virtual server will listen on. It can be different from the port on your
servers are listening internally.
5) Virtual Server Pool --> Select the previously configured pool from the list.

After configuring server pool and servers, you should create a firewall rule to allow the traffic to the
servers and the ports they are listening on. Please refer to our KB article for detailed information.

http://kb.mettle.in/entry/51/

* Case Study: Mettle SE at a Research and Education Institute in Kerala *

Vertical: Education/Campus
Geography: Trivandrum, Kerala

Client Profile:

This client is an autonomous research institute, established in 1971, with an objective to promote research,
teaching and training in disciplines relevant to development. The institute is considered to be one of the
foremost development economics research centers in the country. The core activities of the institute are
research, teaching and training. They conduct programmes affiliated to Jawaharlal Nehru University. Institute
has gained recognition from the University of Kerala as a center for its doctoral studies. Institute is
supported financially by the Government of Kerala and Indian Council of Social Science and Research.

Problems:

Institute is served by a single high bandwidth WAN link. LAN networks is not secured from Virus attacks from
the Internet as they don't have a gateway antivirus installed in their network. Secure WiFi service was to be
made available in the campus. Content Filtering is to be implemented to filter out unacceptable Internet
content and services as a part of the acceptable usage policy laid down by the management. Internet access log
needs to be maintained for the campus. They have servers deployed in their local area network which has to be
made available to authorised users on the Internet. Few users need access to the campus servers remotely.

Solution:

Mettle SE was deployed at the campus to handle their IT infrastructure needs. Solutions provided by Mettle SE
can be grouped into the following sections:

a) ISP Link Termination and Gateway Antivirus
b) Firewall and DMZ
c) NAT and PAT
d) VPN with RADIUS Server
e) Proxy Server and Content Scanning

a) ISP Link Termination and Gateway Antivirus

The Institute is served by a single ISP providing a high bandwidth link. Mettle SE is the terminating point
for the ISP link at the campus. Mettle SE is the gateway for all the computers and server on the campus
network. Mettle SE protects the LAN subnets and computers in the network from viruses, worms, trojans and
other malicious codes and threats from the Internet. Mettle SE updates its internal virus signature database
automatically over the Internet to provide maximum security for the campus network.

b) Firewall and DMZ

To provide optimum security to the computers in the campus, Mettle SE implements a security barricade. Campus
users are served by the campus LAN and WiFi subnets. Mettle SE Firewalls the LAN and WiFi subnets thus keeping
the computers connected to the Internet via Mettle SE safe and secured.

A DMZ also has been setup where their public access servers are kept. The purpose of a DMZ is to add an
additional layer of security to the institute's LAN, an external attacker only has access to hosts in the DMZ,
rather than the whole of the network. The publicly accessible servers are hosted in the DMZ. This setup allows
servers in the DMZ to service both internal and external network, while keeping the LAN safe from possible
threats from the Internet. IP traffic between LAN and DMZ is monitored by Mettle SE, thus keeping out suspect
and unauthorised traffic out of the LAN. In the unlikely situation that security of DMZ is breached, Mettle SE
would keep the LAN and critical machines secured.

c) NAT and PAT

Mettle SE provides Internet connectivity for Desktops, Laptops and Servers hosted in the corporate network.
Mettle SE is configured as the gateway for the computers on the LAN subnets. Manual Network Address
Translation (NAT) is enabled in Mettle SE to provide Internet connectivity to computers which require direct
access to the Internet. Content Scanning is skipped for such computers which connect to the Internet via NAT.
Mettle SE is set as the proxy server for other computers, for which Internet connection needs to be monitored
and controlled.

Port forwarding (PAT) is enabled in Mettle SE to allow an authorised user, to connect to a specific computer
in the LAN, over the Internet. Port forwarding transfers IP packets between the private IP addresses of the
computer on a particular port and a public IP address with a specific port. This ensures that a service in the
host computer can be accessed from the Internet but is secured.

d) VPN with RADIUS Server

A PPTP VPN service has been enabled in Mettle SE to allow authorised users to connect to the campus network
for administrative and academic purposes. Users are issued with unique username and password combination with
which they can connect to Mettle SE from anywhere in the world. VPN user credentials are stored in a RADIUS
server which is linked with Mettle SE. VPN users trying to connect to Mettle SE is authorised against the user
credentials stored in the RADIUS server. Valid users are allowed to connect after verification. Mettle SE VPN
service also allows users to access campus resources irrespective of their location, without compromising
security.

e) Proxy Server and Content Scanning

Routing all IP traffic from the local subnets to the Internet via a proxy service has its advantages. A
research institute would like their students and faculty to use the Internet according to the acceptable usage
policy (AUP). Mettle SE helps the network administrator to enforce AUP with its Proxy Server and Content
scanning engines. The Internet usage policy is best if enforced at the point of presence of the ISP links,
which ensures that content is filtered before it is passed on to the LAN.

Mettle SE has been serving the institute reliably and efficiently since its deployment, meeting the needs of
the management and the system administrators. Mettle SE has proved its Mettle once again, serving our client
reliably round the clock.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News March, 2010

2010-03-31T16:23:36Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

March 2010
Volume 3, Issue 3

In this issue:

* Editorial
* IT Industry news: Websites that can take a punch!
* Tip of the month: Firewall States
* Mettle SE feature: RRD Graphs

* Editorial

Greetings!

We are at the closing of one more financial year. The year passing by was both exciting and troublesome for
many. But the year ahead seems very promising in the soaring economy. We wish all of our clients a prosperous
year ahead and hope to strengthen our relationships further!

This issue's Industry News examines how MIT succeeded in preparing Web sites can stand an attack.

Tip of the month this month features “Firewall States” in Mettle SE. Feature of the month column introduces
RRD Graphs in Mettle SE.

Once again all at Linuxense wish readers a prosperous year ahead!

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Websites that can take a punch!

The recent, well-publicised cyber attack on Google was just the latest skirmish in a long war. And like most
long wars, this one features an arms race, as hackers seek out new security holes, and web site administrators
try to close them.

When a web site is under attack, its only viable defence may be to take its servers offline, which in the
short term can cost them money in lost revenue and productivity and, in the long term, could hurt its
credibility. Indeed knocking a site offline may be an attackers’ sole intention.

MIT researchers have developed a system to keep web servers or any Internet-connected computers running even
when they’re under attack. The work was funded largely by the U.S. Defence Department. In a pair of tests
whose thoroughness is unusual in academia, DARPA hired a group of computer security professionals outside MIT
to try to bring down a test network protected by the new system. In both tests the system exceeded all the
performance criteria that DARPA set for it, says Martin Rinard the professor of electrical engineering and
computer science who led the research.

The MIT system during its operation, monitors the programs running on an Internet-connected computer to
determine their normal range of behaviour, and during an attack, it simply refuses to let them wander outside
that range. Suppose that a program running on a web server routinely stores data in one of two memory
locations - A and B. During an attack, malicious code tries to trick the program into storing data at location
C instead. The MIT system won't let that operation happen,it sends the data to either location A or location B.

Of course, the data may not be of a type that belongs at either of those locations. And the system will modify
behaviours that could be even more disruptive than data storage. At sites with large banks of servers the MIT
system gets several chances to find the best response to an attack. If storing at location A causes one server
in the bank to crash, the MIT system will tell the other servers to store it at location B, instead.

"The idea is that you've got hundreds of machines out there," Rinard says. "We're saying, 'Okay, fine, you can
take out six or 10 of my 200 machines.'" But, he adds, "by observing what happens with the executions of those
six or 10 machines, we'll be able to deploy patches out to protect the rest of the machines." The entire
process of recognizing an attack, testing a number of countermeasures and deploying the most effective ones
can take a matter of seconds.

Read the complete article at:
http://web.mit.edu/newsoffice/2010/web-attacks-0317.html

* Tip of the month: Firewall States

Mettle SE has a stateful firewall and uses one state to track each connection to and from the system. These
states may be viewed in the web interface.

To view the states go to Diagnostics --> States. Here you will see the protocol for each connection, its
Source, Router, Destination and its connection state. When viewing NAT entries the three entries in the center
column represent the system which made the connection, the IP address and port Mettle SE is using for NAT
connection and the remote system to which the connection has been made.

Individual states may be removed by clicking the 'X' button at the end of each row.

* Mettle SE Feature: RRD Graphs

RRD graphs are a useful set of data provided by Mettle SE. It keeps track of various sets of data and how the
system performs and stores this data in RRD files. To view RRD graphs go to: Status --> RRD Graphs.

Some graphs can be viewed in 'Inverse style' or 'Absolute style'. In the Inverse style the graph is split in
the middle horizontally, incoming traffic is shown as going up and outgoing traffic is shown as going down. In
the Absolute style graph is superimposed. Each graph is available in several time span and each of these is
averaged over a different period of time based on how much time is being covered in each graph. Each graph
will have a legend and summarisation of the data being shown.

There are six tabs on the RRD graphs page: System, Traffic, Packets, Quality, Queues and Settings.

a) System graph: This shows a general overview of the system utilisation, including CPU usage, total
throughput and firewall states.

b) Processor Graph: This shows the CPU usage for user and system processes, interrupts and the number of
running processes.

c) Throughput Graph: Shows the incoming and outgoing traffic totalled up for all interfaces.

d) States Graph: Shows the system states but breaks down the value in several ways. It shows the filter states
from firewall rules, NAT states from NAT rules and the count of unique active source and destination IP
addresses and the number of state changes per second.

e) Traffic Graphs: Shows the amount of bandwidth used on each available interface in bits per second. There is
an 'All graphs' choice which will show all of the graphs in a single page.

f) Packet Graphs: This works like traffic graphs but instead of reporting based on bandwidth used it reports
the number of packets per second (pps) passed.

g) Quality Graph: This graph tracks the quality of WAN interfaces with gateways specified. Response time from
the gateway in milliseconds and percentage of lost packets is reported in this graph. Any loss on graph
indicates connectivity issues or times of excessive bandwidth use.

h) Queue Graphs: If traffic shaping is enabled queue graphs will show a composite of each traffic shaper
queue. Each queue will be shown represented by a unique colour. You can view either the graph of all queues or
the graph representing the drops from all queues.

RRD Graph Settings:

RRD graphs can be customised to suit your preferences. Its possible to turn of RRD graphing is you prefer to
use third party external graphing solution. Remember to click on 'Save' when you're finished.

a) Enable Graphing: Check the box to turn ON RRD graphing. Uncheck the box to turn OFF RRD graphing.

b) Default Category: This option selects the tab to be displayed as default when you visit RRD Graphs page.

c) Default Style: This option selects which style of graph to be displayed by default, Inverse or Absolute.

d) Save the settings when finished.

KB Article: http://kb.mettle.in/entry/50/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News February, 2010

2010-02-23T13:02:44Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

February 2010
Volume 3, Issue 2

In this issue:
* IT Industry news: Hacker attacks from China
* Tip of the month: Traffic Graph
* Mettle SE feature: Time-based Firewall Rules
* Case Study

Greetings,

Presenting you yet another edition of Mettle News with more tips, news and case studies.

To thank your patronage and to celebrate the completion of one year of Mettle News, we are giving out
Mettle(tm) goodies to Mettle News readers. To get yours, just send an email to goodies@mettle.in saying hello.

This edition presents you a Mettle SE tip that explains how to use the traffic graph facility to troubleshoot
and analyse WAN/Internet traffic in real time.

Time-based firewall rules are handy when it comes to transparent enforcement of organisational policies.
Feature of the month explains how to do this in Mettle SE.

Case study of the month explains how Mettle SE helped a premier University in the country to secure and manage
their fairly complex campus LAN using Mettle SE.

As usual, we expect your feed back and suggestions to improve Mettle News. Requests for HTML version of this
news letter is being considered. Soon you will have the option of opting HTML version if you like it.

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Hacker Attacks from China *

Last month Google announced that it had been the target of a highly sophisticated hack attack against its
corporate infrastructure. Google said that hackers had stolen intellectual property and gained access to the
email accounts of human rights activists. This attack, according to Google, originated from China.

It has been reported that Google managed to gain access to a computer in Taiwan that was suspected of being
the source of the attacks. Probing inside that machine Google engineers found evidence of attacks not only at
Google but also at 33 other companies including Adobe Systems and Juniper Networks. Adobe acknowledged in a
blog post that it discovered on 2nd January that it had also been the target of a “sophisticated, coordinated
attack against corporate network systems managed by Adobe and other companies.”

The attackers used a dozen pieces of malware and several levels of encryption to burrow deep into the bowels
of corporate networks and obscure their activity. The encryption was supposedly highly successful in obscuring
the attack and avoiding common detection methods. Even though China has denied that it has anything to do with
the hacker attacks, experts believe that the attack might have been supported by Chinese Government agencies.

Once the attackers were in systems they siphoned off data to command-and-control servers in Illinois, Texas
and Taiwan. Alperovitch, VP of threat research at McAfee, wouldn’t identify the systems in the United States
that were involved in the attack but reports indicate that Rackspace, a hosting firm in Texas, was used by
hackers. Rackspace disclosed on their blog that they inadvertently played a very small part in the attack.

http://www.nytimes.com/2010/02/19/technology/19china.html?em
http://www.wired.com/threatlevel/2010/01/operation-aurora/#ixzz0frmLPVlU

* Tip Of The Month: Traffic Graphs *

Mettle SE provides you with a solution to view network traffic on any of the Interfaces in real time. Traffic
graphs in SVG (Scalable Vector Graphics) format is being rendered constantly live showing the traffic flow of
the selected network interface.

To view Traffic Graph go to: Status --> Traffic Graph

Choose which interface to view from the Interface drop down list. When you select an interface, the page will
automatically refresh and start displaying the graph. Traffic graph is a quick tool that helps to analyse the
network speed and find out if any link is showing unexpected traffic.

* Mettle SE feature: Time-based Firewall Rules *

Time-based rules allow to set up firewall rules that come into effect only on specified days and/or time
period. The schedule determines when to apply the rules specified.

To configure a Schedule go to:

1) Firewall --> Schedules --> Click on the '+' (Add) button
2) Enter a Schedule Name of your choice containing only letters and digits

Now specify schedule:

3) A schedule can apply to specific days of a month or days of the week
4) To select any given day within the year, choose month from the drop down list and click on specific days on
the calendar.
5) To select for any day regardless of the month click on Mon, Tue, Wed, Thu etc. This will make the schedule
active for Mondays, Tuesdays, Wednesdays etc.

Defining Time Range:

6) Select the Schedule start and end time in Hours and Minutes from the drop down box.
7) You may enter a Time Range Description for ease of understanding.
8) Click 'Add Time' once time range has been selected.
9) You can add more than one time ranges. You may use same time range for identical days and another time
range for each day with different times (For e.g. Working hours on Monday to Tuesday might be from 9Am to
5Pm and on Saturdays it might be from 9Am to 2Pm).
10) Save the changes once defining Schedule has been completed.

Using the Schedule in a Firewall Rule:

11) Create a Firewall Rule as you would normally create to allow or deny particular traffic.
12) Inside Firewall Rule editing page you can find the 'Schedule' heading and a drop down list box next to it.
13) Select the Schedule you have created from this drop box.
14) Configure the rest of the Firewall settings and Save the configuration.

The Firewall Rule you have now created would be active during the Schedule you have defined.

See the Mettle Knowledge article: http://kb.mettle.in/entry/49/

* Case Study *

Vertical: Education/Campus
Geography: Trivandrum, Kerala

Client Profile:

This client is the oldest University in the state of Kerala, established in the year of 1937 in the then
Travancore state. The University has sixteen faculties and 41 departments of teaching and research and there
are around 157 affiliated colleges under the wings of the university. The University Departments offer a wide
range of teaching and research at post-graduate and higher levels.

Problems to be solved:

Campus is connected to the Internet by multiple ISP links to satiate the demand for high bandwidth
necessitated by large number of computers requiring Internet connectivity. Unequal bandwidth ISP links are
deployed at the campus. Load balancing two ISP links is to be implemented taking care not to over saturate the
link with lower bandwidth. College campus network was not secured from Internet borne virus attacks and
threats since they do not have a gateway anti virus solution. To keep the campus network from offensive and
inappropriate content, content filtering is to be implemented. Students and faculties rely upon video feeds as
a part of their curriculum and such content has to be accessed from the campus network. Servers hosted in the
campus running public services have to be made accessible from the Internet.

Solutions built up with Mettle SE are classified into the following sections:

a. Terminating redundant ISP links with fail over and load balancing
b. Firewall, Gateway Anti-virus and Content Filtering
c. Port Forwarding

a. Redundant ISP links

Internet connection to the campus is provided by two ISP links. These two links are of unequal bandwidth, one a
higher bandwidth link and the other comparatively lower in bandwidth. Both links are terminated at Mettle SE
and configured in a load balanced set up. ISP links being of different bandwidth, Mettle SE has been
configured to pass proportionately more traffic through the broader link and direct less traffic through the
narrow bandwidth link. Load balancing is set at a ratio of 4:1. Such a set up has been implemented to ensure
the best possible utilisation of the links.

With load balancing enabled, automatic fail over mode is also active. If an ISP link goes down Internet
traffic is diverted over to the active link. Though browsing speed will be proportionately lower one of the
link goes down, Mettle SE will keep the campus connected without interruption. Once the ISP link is back up
Mettle SE adds it back into the load balancing pool.

b. Firewall, Gateway Anti-virus and Content Filtering

Campus network at the time of deployment did not have an effective gateway anti-virus system, firewall and
content filtering service. With Mettle SE the the aim was to provide maximum security for the campus network
with Mettle SE's inbuilt Firewall, Gateway Anti-virus system and Content Filtering services. Campus LAN is
divided into two different subnets based on the security and management requirements. Main network is the
campus LAN and the smaller network is the DMZ network.

Mettle SE's firewall secures the LAN from unauthorised access from other networks. Firewall rules combined
with Aliases feature in Mettle SE enables restricting unauthorised access to resources hosted in the LAN and
DMZ network with ease. Public servers are hosted behind Mettle SE's Firewall to protect them from Internet
borne threats and attacks.

Mettle SE has an inbuilt Gateway Anti virus engine which filters all viruses and worms coming from the Internet
before it reaches the local area network. The Gateway Anti-virus engine inside Mettle SE automatically
maintains an up-to-date virus definition without user intervention. This helps to identify and quarantine most
viruses propagating over the Internet. Thus Mettle SE Gateway Anti-virus goes a long way in keeping the campus
network safer from viruses and malicious codes.

University wished to implement an Acceptable Usage Policy (AUP) with the aim of enforcing effective Internet
usage in the campus. Best way to enforce such a policy is to enforce it at the point of presence of ISP links,
which helps to filter out content before it reaches the local network. With Mettle SE implementing AUP was
made easy. Mettle SE was configured to block certain types of web sites and web resources that goes against
University's general policies and websites which allow Internet users to circumvent usage policy. Mettle SE's
White List and Grey List feature allows complete exclusion and partial exclusions of web sites respectively.
If a particular website is white listed, it will not be scanned and thus the website access will be faster for
the user. If a website is Grey listed then the website will be scanned and if that website content falls
within the AUP it shall be allowed. Black listing a website is possible and doing so those websites will be
blocked.

c. Mettle SE for Port Forwarding

The institution hosts several servers in the local network which needs to be accessed from the Internet by
authorised users and general public. These servers are hosted behind Mettle SE and protected from hacker
attacks and viruses. To make these servers available on the Internet Mettle SE uses port forwarding which
translates the the local IP address assigned to the servers to a public IP address for a specific port or set
of ports.

Conclusion:

Mettle SE enabled the University to provide high quality Internet and Internet enabled services in the campus.
Mettle SE is the secure gateway for their connections to public networks and secures the servers and computers
in the local networks. Mettle SE does bandwidth aggregation of two unequal bandwidth WAN links with load
balancing providing the campus with high bandwidth and redundancy.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News January, 2010

2010-01-28T12:22:15Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

January 2010
Volume 3, Issue 1

In this issue:

* Editorial
* IT Industry news: Scraping the bottom of IPv4 barrel!
* Tip of the month: Configuration History
* Mettle SE feature: DHCP Server
* Case Study: e-Governance Kerala State Department

* Editorial *

Wish you a happy new year!

Hope you had a great year behind. Let us look forward to an exciting year ahead!

This new year begins with a warning on IPv4 address space run out. So regional NICs are going to be stringent
on terms to release new IP address blocks and in turn ISPs are going to put cap on free IP address pool they
provide. This months Industry News takes a look at this scenario and the proposed solution of IPv6.

Tip of the Month this issue shows a cool way to keep track the configuration changes in your Mettle SE. This
is handy when you want to revert a change that you made or want to do a forensic analysis.

In the Feature of the Month section, it is an in-depth view of the DHCP service that is available in Mettle SE.

As always, we appreciate your feedback, suggestions and brickbats. Enjoy!

Once again, wish you a Happy New Year!

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News – Scraping the bottom of IPv4 barrel *

We are facing an IP address crunch and at the rate we are using the current IPv4 addresses and we will soon
extinguish the available supply in a few more years! We used up 1370 million IPv4 addresses in this past
decade and we have only 722 million left!

Of the 3,706,650,624 IPv4 addresses, approximately 1615 million, 44 percent of the pool, were in use on
January 1 2000 and 2092 million were still available. Fast forward to the present 81 percent of the pool,
approximately around 2985 million, IPv4 addresses are in use and 722 million are available. So its only a
matter of time before you have to get into the IPv6 way of addressing.

IANA allocates blocks of 16,777,216 addresses called "/8s" to the five Regional Internet Registries - AfriNIC,
APNIC, ARIN, LACNIC and the RIPE NCC - which in turn supply address space to ISPs and end-user organizations.
At the end of 2008, IANA held 34 unused /8s and the RIRs together held 371.91 million unused addresses.

IANA global pool was only reduced by 8/8s, but the RIRs collectively reduced their working inventory by
another 5/8s, bringing total reduction of the free address space 13/8s, or 203.4 million IPv4 addresses, to be
exact. 2009 is the first year since 1992 that the number of IPv4 addresses given out has been more than 200
million.

If IANA goes back to giving out 12/8s to the RIRs per year, IANA will be giving out the fifth-to-last /8
somewhere in 2011 and then automatically also the other four. APNIC's Geoff Huston predicts September 14, 2011
as the day the IANA global pool runs out, and November 1, 2012, as the day we last scrape the bottom of the
IPv4 barrel.

Source: http://arstechnica.com/tech-policy/news/2010/01/dont-publish-the-decade-in-ipv4-addresses.ars

* Mettle SE tip of the month: Configuration History *

Backup/Restore screen allows you to easily take backup of your Mettle SE running configuration or allows you
to load a saved configuration and make it active. But for minor problems you may use Mettle SE internal
backups to revert to a previous configuration, sort of like an 'undo' feature. Previous 30 configurations are
stored along with current running configuration.

1. Diagnostics --> Backup/Restore
2. Select tab 'Config History'
3. Listed are the previous 30 configurations along with the current running configuration.
4. To make a previous config active click on the '+' button next to it.
5. To delete a stored config click on the 'x' button next to it.

Please note that Mettle SE will not automatically reboot if required. Minor changes may not need a reboot, but
recovering some major changes will need a reboot.

(Best practice is to always take the backup of the running configuration into an admin PC on the LAN before
you make any major changes to Mettle SE).

* Mettle SE feature: DHCP Server *

DHCP server assigns IP addresses and related configuration options to client PCs on your network. It is
enabled by default on the LAN interface with the default IP range of 192.168.1.10 through 192.168.1.199. In
its default configuration Mettle SE assigns its LAN IP as the gateway and DNS server if DNS forwarder is
enabled.

To configure DHCP server go to Services --> DHCP server. On the DHCP configuration page there is a tab for
each non-WAN interface and each interface has its own separate DHCP configuration and they may be enabled and
configured independently of each other.

1. Check 'Enable DHCP Server' to enable DHCP on an Interface.
2. Check 'Deny unknown clients' to deny DHCP lease to clients except for those which are defined with static
mapping.
3. Range - Enter the start IP address and the finish IP address for use as DHCP pool. DHCP range must be
contained within the subnet of the interface being configured.
4. WINS Servers - Enter the IP address of WINS servers if you use WINS servers. They need not be on the same
network but proper routing and firewall rules should be in place.
5. DNS Servers - Depending on your LAN setup you may or may not fill in the DNS servers. Leaving the fields
blank and if you enable DNS forwarder in Mettle SE, mettle SE will assign itself as the DNS forwarder for
client PCs. If the fields are left blank and if DNS forwarder is disabled Mettle SE will pass on the DNS
server assigned in System --> General Setup. If you wish to use your own DNS servers instead of automatic
choices, enter the IP addresses of the DNS servers here.
6. Gateway - If LAN is using Mettle SE as the default gateway, the field can be left blank. If not enter the
IP address of your gateway.
7. Default and Maximum Lease Time - Value to be entered in 'seconds'. It control the life of the DHCP lease.
Default lease time is supplied by Metle SE when the client does not request for a specific lease time.
Maximum lease time will control how long lease will last even if the client asks for a longer lease time.
8. Fail-over Peer IP - If Mettle SE is setup in a failover stack enter the IP address of the slave Mettle SE
here.
9. Static ARP - If enabled Mettle SE will deny DHCP lease to unknown MAC addresses and also restrict any
unknown client from communicate with Mettle SE. Before enabling static ARP make sure that clients which
need to communicate with Mettle SE are listed inside static mapping list, especially the machine you need
to access Mettle SE web interface from.
10. Dynamic DNS - Click on 'Advanced' button to go to Dynamic DNS settings. Check the check box to enable it.
If using Mettle SEs DNS forwarder you can leave this blank and configure it inside DNS forwarder setup.
11. NTP Servers - Click on the 'Advanced' button to enter NTP server IP addresses.
12. Enable Network Booting - Click 'Advanced' button to view or enable network booting settings. Check the box
to enable it. Enter the IP address of the 'Network boot server' and the 'File name of the boot image'.
13. After changes have been made click on 'Save' to save settings. This must be done before creating static
mappings.
14. Static Mappings - This allows you to provide specific IP addresses to specific clients inside the LAN.
To set static mapping click on '+' button and you will be forwarded to a new page. Here you will need to
enter the MAC address of the particular client PC in the 'MAC Address' field and enter the IP address in
the 'IP address' field. 'Host name' and 'Description' is not parsed so you may enter it or not. Please
note that IP addresses issued for static mapping must be outside of the DHCP pool. Save the changes before
navigating away from the page.

KB Article: http://kb.mettle.in/entry/4/

* Case Study *

Vertical: Government/e-Governance
Geography: Kerala, India

Client profile:

Department of the State of Kerala.

Requirements & Solution:

Their district head quarters are spread across the state and the Head Office (H.O) is stationed at
Thiruvananthapuram. Remote offices need to connect to the e-Governance application located at H.O,
Thiruvananthapuram. Also the servers which run the e-Governance applications at the H.O require protection from
unauthorised access from the Internet. Secondly Desktop computers at HO need to be protected from viruses,
Internet threats, malicious codes and offensive content.

Mettle SE was deployed at the H.O as the solution to satisfy all the connectivity and security requirements.
They can be categorised into:

a. VPN Solution
b. Port Forwarding
c. Firewall and Routing
d. Gateway Anti-virus and Content Scanning

a. VPN Solution.

Mettle SE made it possible to connect district offices and range offices spread across the 14 districts of
Kerala to the H.O through SSL-VPN. Remote VPN users on different operating systems seamlessly connect to the
H.O using and can reliably access servers according to their user privileges.

b. Port Forwarding

Certain servers hosted at the H.O to be accessible over the Internet. Mettle SE provided port address
translation service to the servers that has to be accessed from a public network. Mettle SE has made it
possible to map internal servers to public IP addresses and they can be accessed from the Internet for users
with valid credentials.

c. Firewall and Routing

For extended security, PCs and servers are deployed in two different local networks: User-LAN and Server-LAN.
Firewall rules specified in Mettle SE controls the access to the computers in the User-LAN, servers in
Server-LAN and secure publicly accessible servers. Remote users access to servers in the H.O is strictly
controlled based on their requirement. Mettle SE blocks all unspecified traffic from reaching the HO network.

There are two routable LAN segments in the network. Servers are placed in a secured Server LAN subnet to
separate them from User LAN traffic. Mettle SE routes users on User-LAN to the server network when they
access their servers.

b. Content Scanning and Gateway Antivirus

Mettle SE is the terminating point for the ISP link at the H.O. Mettle SE is the Gateway for desktop computers
and servers. Mettle SE protects the local network from viruses and worms from the Internet with its built-in
Gateway Antivirus service. Mettle SE updates virus signature database automatically with the latest anti-virus
definitions available so as to block any new virus.

Internet traffic is filtered by Mettle SE's proxy Server. Web sites and services that violate Internet usage
policy are blocked preventing users from accessing it. Mettle SE keeps a log of the Websites users visit on
the Internet; and the Web services they use like, instant messengers or download clients. Mettle SE keeps the
Internet content distribution in the H.O, clean and safe.

Conclusion:

Mettle SE has been serving the department for many years since its deployment. Mettle SE team is happy to
report that Mettle SE is working flawlessly ever since satisfying the requirement of the department.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News May 2009

2009-05-15T08:37:11Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

May 2009
Volume 2, Issue 5

In this issue:

* Editorial
* IT industry news: Mega Botnet Discovered *
* Mettle SE feature: Port Forwarding *
* Tip of the month: Package Updates *
* Case study: Mettle SE at a prestigious private engineering college *

* Editorial *

Greetings,

Welcome to another edition of Mettle News!

Bots are software robots, which are usually part of a large network of bots, which infect
a computer and lets the botnet controller to control the PC remotely. This month's
industry news is about a extensive botnet which has infected atleast 1.95 million PCs
around the world.

In this edition of Mettle News we will familiarise you with Mettle SE's Port Forwarding
feature. Port forwarding makes a specified port of a computer inside LAN accessible to a
user from a public network. Tip section explains the process of updating installed
packages in Mettle SE as and when updates are available.

This edition of Mettle News brings you the case study of the deployment of Mettle SE at a
famous private Engineering college at Kanjirapally, Kottayam. Mettle SE helped the college
streamline and manage their IT operations and computer lab facilities for engineering
students.

Shoot us your comments and feedback as usual!

Yours truly,

Editor, Mettle News
(mettlenews@mettle.in)

* Industry News: Mega botnet discovered *

At least 1.95 million computers world wide have come under undetected control of a newly
discovered mega botnet. The discovery was made by researchers at Finjan Internet Security
Company based in San Jose, CA. Finjan, noted on its blog that the number of infected
computers it detects is rising every year. Only four out of 39 antivirus products it
tested were able to detect the bots.

Botnet is a term for a collection of codes referred as software robots, or bots, which run
autonomously and automatically. The term is often associated with malicious software but
it can also refer to the network of computers using distributed computing software. While
the term "botnet" can be used to refer to any group of bots, this word is generally used
to refer to a collection of compromised computers (called Zombie computers), under a
common command-and-control center, running malicious software usually installed via worms,
Trojan horses, or backdoors. The largest known botnet, Conficker, has infected over 10
million computers.

The new botnet has infected machines from approximately 77 govt owned domains out of which
51 are US government domains. Finjan revealed that the Botnet is controlled by a 6 member
hacker group based out of Ukraine. Around 45 percent of the bots are in the U.S., and the
machines are Windows XP. Nearly 80 percent run Internet Explorer; 15 percent, Firefox; 3
percent, Opera; and 1 percent Safari. Finjan says the bots were found in banks, large
corporations and as well as consumer machines.

Aside from its massive size and scope, what is also striking about the botnet is what its
malware can do to an infected machine. The bot malware lets an attacker read the victim's
email, communicate via HTTP in the botnet, inject code into other processes, visit
Websites without the user knowing, and register as a background service on the infected
machine, for instance. The bots communicate with their command and control systems via
HTTP.

It appears that the botnet operators may be buying and selling bots or portions of their
botnet based on a communique Finjan discovered on an underground black-hat hacker forum in
Russia.

For further reading please check the link below:
http://www.finjan.com/MCRCblog.aspx?EntryId=2237

* A Mettle SE feature: Port Forwarding *

Port forwarding, sometimes referred to as port mapping, is the act of forwarding an
external network address and port to an internal network address and port. When you have
port forwarding rules set up, Mettle SE takes the data off of the external IP address:port
number and sends that data to an internal IP address:port number. This technique can allow
an external user to reach a port on a private IP address (inside a LAN) from the outside
via a NAT-enabled router.

Following instructions will help you set up a port forwarding rule in your Mettle SE.

1. Go to Firewall --> NAT
2. Select the tab 'Port Forwarding'
3. Interface --> Choose the interface to use. Normally the WAN interface.
4. External Address --> Choose the external address to use for Port Forwarding. Choosing
'Interface Address' will use the WAN IP address. To use a different public IP address
create a Virtual IP address.
5. Protocol --> Choose the protocol, TCP/UDP in most cases.
6. External Port Range --> Give the external port range to be used. Use Alias feature if
multiple ports are to be used.
7. NAT IP --> Enter the LAN IP address which is the target IP address for port forwarding.
8. Local Port --> Enter the port which is the port forwarding target port of the LAN
computer. Usually this is the same port as the external port.
9. Description --> Enter a description for this port forwarding rule.
10. Tick the check box which says 'Auto-add a firewall rule to permit traffic through this
NAT rule'.
11. Click on Save and Apply Changes.

If your ISP has allocated you with a block of IP addresses you can use a different public
IP address from that block instead of your WAN IP address for Port Forwarding. This way
you don't have to reveal the actual WAN IP address of Mettle SE to port forward users. For
doing that you need to define a virtual IP address in Mettle SE.

KB article for port forwarding: http://kb.mettle.in/entry/20/

* Tip of the month: Package Updates *

Updates are made available to packages running inside Mettle SE on a periodic basis. To
update the packages installed in Mettle SE follow the steps below.

1. Go to System --> Packages
2. To see the installed packages click the tab 'Installed Packages'.
3. There will be three buttons next to each installed package - 'x' to remove that
package, 'pkg' to re-install the package and 'xml' to re-install the GUI components of
the package.
4. In the column marked 'Package Version' you can see the version number of the latest
available package and the installed package.
5. To update a package click on the 'pkg' button.

KB article is here: http://kb.mettle.in/entry/45/

* Case Study: Mettle SE at a prestigious private engineering college *

Vertical: Education/Campus
Geography: Kottayam, Kerala

Client Profile:

Our client featured in this month's Mettle SE case study is one of the very prestigious
private engineering colleges in Kerala. Located at Kanjirapally, Kottayam is a large
complex with a built up area of around 6lac square feet on the Kanjirapally - Sabarimala
state highway. The engineering college has nine departments and provide higher education
in domains of Electrical, Electronics, Computer Science, Information Technology,
Mechanical and Civil. Students are provided with a large computer lab facility and is
allowed free Internet access inside the campus. The college is one of the first private
engineering colleges in Kerala to be accredited by AICTE.

Problems:

College LAN subnets are not secured from Virus attacks from the Internet as they don't
have Gateway Antivirus installed in their network. Content Filtering is to be implemented
to filter out offensive content as a part of the acceptable usage policy laid down by the
management. Students Internet access needs to be controlled and time wasting services
like Orkut and chat should be banned. Internet access log needs to be maintained for the
campus. College requires a WAN link management solution for implementing a failover link
for the Internet. Access to other subnets should be restricted for some users, whereas few
privileged users should be able to access hosts on other subnets.

Solution:

A Mettle SE 3700 was deployed at the campus to handle their total IT infrastructure.
Solutions built up with Mettle SE are classified into the following sections:

a. Redundant WAN link with failover
b. Firewalling & Routing
c. Content Scanning & Gateway Antivirus

a. Redundant WAN link with failover

College is served by two different ISP links so as to provide a stable Internet connection
with failover. Both WAN links are of different bandwidth, one is a very high bandwidth
link and the other is a relatively lower throughput link. Both links are terminated at
Mettle SE. Due to unequal bandwidth available for the campus Mettle SE has configured the
links to be in failover mode. The primary WAN uplink is the one with the higher bandwidth
and the secondary failover link duty is assigned to the link with lower bandwidth. Such a
setup has been implemented at the campus to provide best browsing speeds to web users
since all Internet traffic will be sent via the higher bandwidth link. If the high
bandwidth link goes down at the ISP's end, Mettle SE will switch over to the backup WAN
uplink. Browsing speed will be comparatively lower while the main link is down but still
Mettle SE keeps the campus connected to the Internet. Once the primary WAN link is up
Mettle SE will automatically switch over to it.

b. Firewalling & Routing

College campus LAN is divided into 4 different subnets based on their needs and
activities. The firewall engine in Mettle SE secure each local subnet from unauthorised
access from other subnets and from the Internet. Inter LAN routing enables authorised
users from other LAN subnets access to hosts in another subnets. One of the prime
requirements of our client was to prohibit students from using chat services in college
campus, to accomplish this the Firewall blocks access to the ports and IP addresses of the
most commonly used chat servers of the most popular chat services. It is implemented in a
manner that does not restrict the users from checking their webmail accounts but will
prohibit the chat service from working.

c. Content Scanning & Gateway Antivirus

As an educational institution responsible for the activities of it's students it was in
their agenda to block certain web services and web resources available on the Internet.
Such a policy decision has been taken by the management for the benefit and the betterment
of their students. It was decided by the management that certain groups of users should
have an unfiltered access to the Internet and while certain other user groups should have
limited filtered access to the Internet.

To help implement this access policy, different groups of users are created in Mettle SE
and users are added into these groups based on their IP addresses. Each group has a set of
filter rules associated with them. Internet content is served to the users in the
respective groups according to the filter rules set for each group. Students are put in
the filtered group where objectionable content is blocked. Mettle SE provides the system
administrator with a detailed web usage report containing the websites visited and amount
of data downloaded by a user, identified by the IP address, for each date in a neat
tabular form.

To further secure the campus LAN subnets from Internet borne threats and viruses, Mettle
SE with its in built antivirus engine actively monitors the content passing through
the gateway. Virus codes and other threats are identified and blocked from gaining access
to host machines inside campus LAN subnets. The virus definition database in Mettle SE is
always kept updated by Mettle SE automatically.

Mettle SE team is happy to report that the Mettle SE 3700 deployed at the campus has been
working flawlessly ever since meeting the needs of the college management and the system
administrators.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News April 2009

2009-04-15T14:36:41Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

April 2009
Volume 2, Issue 4

In this issue:

* Editorial
* IT industry news: Routers owned by Botnet *
* Mettle SE feature: Packet Capture *
* Tip of the month: Traceroute *
* Case study: Mettle SE at Kerala's leading share broking company *

* Editorial *

Greetings,

This is the first time Internet sees the break out of a worm that is targeted to routers
and DSL modems. This pose a very different type of security issues. This month's industry
news explains the story of "psyb0t".

Case study of the month explains how a stock broking company owned by Kerala-based
conglomerate built their IT infrastructure around Mettle SE. This is yet another success
story of Mettle SE in the Financial Services sector.

Regular "Tip of the month" and "Feature of the month" columns included with information
useful for day-to-day practice.

As usual, we request you to continue sending your feedback which help us to improve this
newsletter.

Enjoy!

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)

* Industry News: Routers Owned by Botnet *

Security researchers at DroneBL have spotted a stealthy router-based botnet worm targeting
Routers and DSL modems. The worm, called "psyb0t", has been circulating since at least
January this year, infecting vulnerable embedded Linux mipsel devices. Once the malware
takes hold, it locks legitimate users out of the device by blocking telnet, sshd, and web
access. It then makes the devices part of a botnet. The researchers said they first
learned of the worm while investigating DDoS attacks that hit DroneBL's infrastructure two
weeks ago.

The "psyb0t" worm is believed to be the first piece of malware to target home networking
gear. It has already infiltrated an estimated 100,000 hosts. According to DroneBL, the
worm can infect any Linux mipsel routing device (including openwrt/dd-wrt devices)
configured with a weak username/password and has a router administration interface or sshd
or telnetd in a DMZ. It has been used to carry out DDoS, or distributed denial of service,
attacks and is also believed to use deep-packet inspection to harvest user names and
passwords. The worm also helps to identify exploitable phpMyAdmin and MySQL servers.

DroneBL researchers in their blog says, "This technique is one to be extremely concerned
about because most end users will not know their network has been hacked, or that their
router is exploited,". "This means that in the future, this could be an attack vector for
the theft of personally identifying information. This technique is not going away."

Below listed are few peculiar characteristics of psyb0t worm:

* It is the first botnet worm to target routers and DSL modems
* It contains shellcode for many mipsel devices
* It is not targeting PCs or servers
* It uses multiple strategies for exploitation, including brute force username and
password combinations
* It can harvest user names and passwords through deep packet inspection
* It can scan for exploitable phpMyAdmin and MySQL servers

To disinfect the psyb0t worm, reset/power cycle your device, update to the latest
firmware, and use an unique admin user name with secure password to lock it down.

Read more about psyb0t here http://www.dronebl.org/blog/8

* A Mettle SE feature: Packet Capture *

Packet Capture is a tool bundled with Mettle SE which will help the administrator to
better diagnose networking problems. With packet Capture Mettle SE administrators will be
able to diagnose connection issues by analysing packets captured with this tool. Packets
passing through specific interface to/from a particular IP address and/or port can be
filtered and captured for analysis. Using Packet Capture is simple but should you need
help, instructions below will help you.

a) Go to Diagnostics --> Packet Capture
b) Interface --> From the drop down list you can choose the Interface on which the Packets
are to be captured.
c) Host Address --> This value is either Source or Destination IP address. This allows you
to capture packets addressed to or coming from a specific host.
d) Port --> The port can be either source or destination port. This allows you to capture
packets intended for a specific port. If it is left blank packets to all ports would be
captured.
e) Packet length --> The Packet length is the number of bytes packet capture will capture
for each payload. For most scenarios default value would suffice.
f) Count --> This is the number of packets the packet capture will grab. Enter 0 for no
count limit.
g) Level of Detail --> This is the level of detail that will be displayed after hitting
'Stop' when the packets have been captured. This option does not affect the level of
detail when downloading the packet capture. Choose from Normal, Medium, High or Full.
h) Reverse DNS Lookup --> This check box will cause the packet capture to perform a
reverse DNS lookup associated with all IP addresses. This will slow down the packet
capture because of DNS resolution time.
i) Start --> Click on Start Button to start Packet Capture process.
j) Download --> Captured packets will be downloaded into your computer as a "*.cap" file.

The KB article can be found here http://kb.mettle.in/entry/43/

* Tip of the month: Traceroute *

Traceroute is a network diagnostics utility used to determine the route taken by packets
across an IP network. By showing a list of routers traversed, it allows the user to
identify the path taken to reach a particular destination on the network. This can help
identify routing problems or firewalls that may be blocking access to a destination.

a) Go to Diagnostics --> Traceroute
b) Host --> Enter the IP address or the fully qualified domain name of the target.
c) Maximum Number of Hops --> Enter the maximum number of hops allowed before the packet
is dropped. Default is 18, maximum allowed is 64. If destination is not reached with in
default number of hops you may increase the hop number.
d) Use ICMP --> Check the box to do ICMP traceroute. Default is UDP. If default traceroute
doesn't take you to the destination, try with ICMP.
e) Traceroute --> Click on this button to begin traceroute.

The KB article can be found at http://kb.mettle.in/entry/44/

* Case study: Mettle SE at Kerala's leading share broking company *

Vertical: Financial, Shares
Geography: Pan India, HO at Cochin

Our client is a major business house with pan-India presence and diverse products with a
thrust in the financial sector and share market. With the client's sustained efforts to
emerge as a financial supermarket for its diverse customers, the group now makes its foray
into securities trading space making it a natural progression on the company's substantial
presence in Wealth Management Services.

The Group has emerged as one of the India's largest financial group of its kind with
business interests in Seventeen diverse fields, a network of over a thousand branches
nationwide, with more than Ten thousand employees serving millions of customers across the
country. The client with their pan-Indian presence and varied bouquet of products serves
over Forty thousand customers every day.

The client's Corporate Head Office is the hub of all activities and coordinating things
that go on at different parts of the country. To provide high availability to their
services, provide security to their IT operations and make available the resources to
authorised users across the world, the following solutions were proposed.

* Link load balancing
* Mettle SE active failover stack
* Firewall & DMZ
* Gateway Antivirus
* Routing
* VPN
* NAT & PAT

* Link Load Balancing

To run a high availability network system it is mandatory to have a minimum of two WAN
links at the least. The corporate office has two WAN links provided by two different ISPs
and Mettle SEs job is to aggregate the links and provide a load balanced WAN link with
failover. If for any reason a WAN link goes down, Mettle SE re-routes the traffic via the
active WAN link, to provide access to the Internet. Total bandwidth would be reduced when
a link goes down but still the servers would be accessible.

* Mettle SE active failover stack

The client's business is focussed on money management, shares and finance, since this is
an ever changing market the systems should be up and running all the time so as to keep up
with the developments. For such a high availability requirement the client have chosen to
go with a high availability setup using two Mettle SE 3700. These two Mettle SE devices
are configured in an active/standby failover mode where one is the Master device and the
other a Slave device. If in the unlikely event that the master Mettle SE fails the slave
Mettle SE will take over and take care of the network without affecting work done by
users. This ensures that the computer network is up and running all the time without fail
even if a device fails.

* Firewall & DMZ

To provide optimum security to the host machines at the corporate office Mettle SE
implements a security barricade. Firewalling the private network which has the host
computers are placed helps keep the machines safe and secured. A DMZ also has been created
where all of their public access servers are kept. This setup allows servers in the DMZ to
service both internal and external network, while keeping the LAN safe from possible
threats from the Internet. Traffic into LAN and DMZ is monitored by Mettle SE allowing
traffic that is implicitly allowed by the firewall rules. This keeps out suspect and
unauthorised traffic out of the LAN. In the unlikely situation that security of DMZ is
breached, Mettle SE would keep the LAN and critical machines secured.

* Gateway Antivirus

The most common entry point for viruses into a corporate LAN is through the Internet. To
curb the virus infection on a LAN with Internet access it is ideal to implement a gateway
antivirus system that will detect, disinfect or quarantine a threat before it enters the
LAN. Mettle SE has such a gateway antivirus system built in. Mettle SE's Gateway antivirus
engine filters all viruses and worms that come from the Internet before it reach the LAN
subnet. Mettle SE's antivirus engine automatically keeps its virus definitions updated to
identify and quarantine even the latest virus that is out on the Internet. A huge risk of
virus infections of the host machines are thus protected by Mettle SE.

* Routing

Corporate office of the client has two local networks the LAN subnet and the DMZ subnet.
Routing is implemented in Mettle SE which enables the host machines placed in the LAN to
access the servers kept in DMZ. Routing is enabled for the VPN clients which will enable
the remote clients to gain access to the resources available in the corporate local
network.

* VPN

The corporate office uses PPTP VPN service provided by Mettle SE to help connect the road
warriors to office base. Other VPN services provided by Mettle SE are IPsec VPN and
OpenVPN, but the administrator have chosen to use PPTP because of it's user friendliness
and tight integration with Windows operating systems. Executives while on the move can now
connect to the corporate network from anywhere in the world from his/her Laptop. As the
clients connect to Mettle SE they are routed to the right part of the corporate network
that they are allowed to access. Accessing resources other than which is authorised by the
administrator is blocked by the firewall which ensures that the security is not
compromised.

* 1to1 NAT and Port Forwarding

Our client has servers which are hosted in the DMZ and they need to be available on the
Internet with it's own public IP address. Such servers which are hosted in the DMZ are
assigned with a public IP addresses using 1:1 NAT. In this scheme, each private host has a
direct and fixed mapping to a public IP address. Port forwarding allow remote computers to
connect to a specific computer within a private LAN. In Mettle SE port forwarding (PAT) is
enabled to allow an authorised user from the Internet to connect to a specific computer
within the private LAN for administrative purposes or special requirements. Port
forwarding transfers IP packets between the private IP addresses of the computer on a
particular port and a public IP address with a specific port. This ensures that a service
in the host computer can be accessed from the Internet but is secured.

Mettle SE has proved its Mettle in demanding situations such as this; serving our client
reliably round the clock.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.