Mettle News

Mettle News August, 2010

2010-08-30T13:13:20Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

August 2010

Volume 3, Issue 6

In this issue:

* Editorial

* IT Industry news: Google's Speedy

* Tip of the month: Backup & Restore Mettle SE Running Configuration

* Mettle SE feature: Event logging on Remote Sys log Server

* Editorial *

Greetings,

Most of the IT managers are keen on updating Internet link bandwidth to speed up browsing experience. But the situation is more complex now. Even if there is more than enough bandwidth, the page load often exceeds acceptable limit. The "Industry News" section talks about a presentation by Google in the Velocity conference on this subject.

Mettle SE is designed to make you feel confident about your IT infrastructure besides performing its basic functions. This month's "Tip of the Month" describes how you can retain your most trusted configuration even if you play around with it or if you replace/upgrade your Mettle SE.

Logs provides live information about what happens in the system. Mettle SE has a provision to connect a log server to it so that you can process the logs using third-party tools of your choice. This month's "Feature of the Month" explains this facility.

With you a month ahead filled with technology and excitement.

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Speedy - Google's SPDY Protocol

During the Velocity conference in Santa Clara, CA, Google's VP of Engineering Urs Holzle has warned that any improvement to the network bandwidth will be wasted unless the underlying protocols are updated. He said that even though the average network bandwidth will grow by a factor of three from 1.8Mbps to 5.4Mbps users will not be able to exploit the increase in bandwidth unless the underlying protocol is fixed.

Internal tests conducted by Google has obtained the result that average website size is 320KB. So with average user bandwidth at 1.84Mbps, website load times should be around 1.4secs. But Google's tests have shown that real load times were close to 5secs. Holzle reckons this variation in theoretical to actual speeds is not due to the network bandwidth but due to the protocol and the browser.

Holzle said in the conference that Google's goal is to achieve 100millisecond load times on the Google Chrome web browser and this will only be possible with the improvements to the Internet's underlying protocols. Chrome was one of the fastest web browsers when it arrived in 2008, the increased speed, in part, was contributed by the revamped JavaScript engine.

Google boosted its image search engine speed by 18 percent by making some modest changes to the TCP protocol, but without making any changes to the site itself. Google believes that on an average 12 percent speed boost can be had with TCP tweaks. Holzle said the modest change which involved increasing TCP's initial congestion window involved changing about 10 lines of code.

Pushing the speed envelope, Google is developing a new application protocol it calls SPDY (pronounced Speedy) meant to reduce web latency via multiplexed streams, request prioritisation and HTTP header compression. According to Holzle the new protocol can reduce packet count by 40pc and byte count by 15pc and an improvement in downloading speed of upto 55pc over simulated home connections. SPDY creates a session layer between HTTP application layer and TCP transport layer, it is not a HTTP replacement protocol but augments it. SPDY overrides parts of HTTP protocol such as connection management and data transfer formats. Holzle said that on low bandwidth links with SPDY's header compression alone has seen a latency reduction of 85pc.

http://arstechnica.com/web/news/2009/11/spdy-google-wants-to-speed-up-the-web-by-ditching-http.ars

* Tip of the month: Backup & Restore Mettle SE Running Configuration *

Backing up:

It is wise to backup the running configuration of Mettle SE after you have made changes to the system settings. Keeping backup of running configuration ready allows you to relax and be on the safe side if things go wrong. To take backup of your running configuration:

- Go to Diagnostics --> Backup/Restore.

- It is recommended to keep the backup area as 'All'

- Click on 'Download configuration' button.

- The configuration file would be downloaded into your system and named in this format - config-<host name>-<timestamp>.xml

- Keep the configuration backup file safe.

Restoring from backup:

You can restore Mettle SE to a running configuration as saved in the backup file from the same screen you did the backing up from. To restore to a saved configuration:

- Select a restore area, usually 'All'

- Click 'Browse' and select the backup configuration file from your computer.

- Click on 'Restore configuration' button.

Mettle SE would reboot once you have clicked on the 'Restore configuration' button and restored settings would be applied.

http://kb.mettle.in/entry/53/

* Mettle SE Feature: Event logging on Remote Sys log Server

Factory setting of Mettle SE is set to store the log entries locally in the hard drive. But it is possible for you to enable remote logging in Mettle SE which will store the long entries remotely in a sys log server. Log entries in Mettle SE can only be of a specific size and as new log is generated old logs are deleted. If you have a sys log server, enabling remote logging is a good practice as it will aid with troubleshooting and long term monitoring and there is no limit to the log size except for your hard drive capacity.

- To enable remote sys log logging go to:

- Status --> System Logs

- Go to the 'Settings' tab and tick on 'Enable sys log'ing to remote sys log server'

- To disable local logging you may tick on 'Disable writing log files to the local ram disk'. But this is neither required nor recommended.

- Enter the IP address of the remote sys log server in the text field.

- Next you have to select what all events are to be logged in the sys log server. Tick each category you want to have logged.

- Click on 'Save' once the settings are confirmed.

http://kb.mettle.in/entry/54/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News May, 2010

2010-05-31T17:00:45Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

May 2010
Volume 3, Issue 5

In this issue:

* Editorial
* IT Industry news: How fragile is the Internet?
* Tip of the month: Troubleshooting Firewall Rules
* Mettle SE feature: Firewall logs

* Editorial *

Greetings!

Networking has two faces: Enterprise networking and the Internet (as seen by ISPs and carriers). The Internet
side of networking is quite challenging and demands a lot of co-operation and trust among operators for it to
work. This month's Industry News provides an interesting but scary problem that prevails in the Internet.

Many a time, every network administrator faces the problem is firewall rule verification-basically finding out
whether the rule written matches the packets. Mettle SE provides a mechanism for this. This saves time and
effort. Also let you know, positively, how good you are in writing firewall policies.

This month's feature section, we explain you the firewall rules and how effectively you can use them them.

Happy networking.

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry news: How fragile is the Internet? *

Brief Description: Unfixed routing glitch causing concern

Story:

In 1998 a hacker claimed that Internet could be brought down to its heels in 30minutes by exploiting a flaw
which caused online outages occasionally by misdirecting data.

In 2010 the flaw still causes outages every year, although most of the outages are innocent and fixed quickly,
the problem still could be exploited by a hacker to spy on data traffic or take down websites. Reliance on the
Internet has only increased in all these years and an outage could disrupt businesses and governments which
require Internet to function normally.

These outages are called "hijackings" and are caused by the haphazard way through which traffic is passed
between companies that carry Internet data. It is the Internet's open nature which has stimulated its dazzling
growth, and it is this same open nature which is contributing to the outage problem of the Internet.

When an email is sent and a website is opened or done anything else online, the data you send and receive is
handed from one carrier of Internet to another. The data might be handed from your ISP to a third party
company which operates a global network of fiber-optic lines that carry Internet data across long distances.
It, in turn, might pass the data to another carrier that's connected directly to the server computers the data
is intended for.

The crux of the problem is that each carrier along the way figures out how to route the data based only on
what the surrounding carriers in the chain say, rather than by looking at the whole path. Because carriers
pass information between themselves about where data should go, and this system has no secure automatic
means of verifying the routing information is correct, data can be routed to some carrier that isn't
expecting the information. The carrier doesn't know what to do with it, and usually just drops it.

On April 25, 1997, millions of people in North America lost access to all of the Internet for about an hour,
caused by an employee mis-programming a router at a small Internet service provider. That's what happens
when an Internet route gets hijacked. It falls into a "black hole." Routing errors has previously blocked
Internet access in different parts of the world, at different times, often for millions of people.

Last month a Chinese Internet service provider halted access from around the world to a vast number of sites,
including Dell.com and CNN.com, for about 20 minutes.

In 2008, Pakistan Telecom tried to comply with a government order to prevent access to YouTube from the
country and intentionally "black-holed" requests for YouTube videos from Pakistani Internet users. But it also
accidentally published the route international upstream carrier, the upstream carrier accepted the routing
message, and passed it along to other carriers across the world, which started sending all requests for
YouTube videos to Pakistan Telecom. Soon, even Internet users in the U.S. were denied YouTube access for a few
hours.

In 2004, the flaw was put to malicious use when someone got a computer in Malaysia to tell Internet service
providers that it was part of Yahoo Inc. A flood of spam was sent out, appearing to come from Yahoo.

In 2003, the Bush administration's Critical Infrastructure Protection Board assembled a "National Strategy to
Secure Cyberspace" that concluded that it was vital to fix the routing system and make sure route always point
in the right direction.

Unlike other Internet bugs that get discovered and fixed relatively quickly, the routing system has been
unreformed for more than a decade. There is some progress being made but there's little industry-wide momentum
behind efforts to introduce a permanent remedy. Data carriers regard the fallibility of the routing system as
the price to be paid for the Internet's open, flexible structure. The simplicity of the routing system makes
it easy for service providers to connect, a quality that has probably helped the explosive growth of the
Internet.

Peiter Zatko, a member of the "hacker think tank" called the L0pht, told Congress in 1998 that he could use
the BGP vulnerability to bring down the Internet in half an hour. In recent years, Zatko, who now works for
the Pentagon's DARPA, has said the exploit would still work. However he added, it would likely take a few
hours rather than 30 minutes, partly because a greater number of Internet carriers would need to be hit.

Plenty of solutions have been proposed in the Internet engineering community since 1995. The U.S. government
has supported these efforts, spurred in part by the Bush administration's 2003 strategy statement. It has
resulted in some trials of new technology, but adoption by data carriers still appears distant. And the
federal government doesn't have any direct authority to force changes.

One solution being tested would stop short of making the routing system fully secure but would at least verify
part of it. Yet this system also worries carriers because they would have to work through a central database.

Weakness in the system are in the routing between carriers. It doesn't help if one carrier introduces a new
system, every one it connects with has to make the change as well.

As Doug Maughan of the US Homeland Security puts it, "It's kind of everybody's problem, because it impacts the
stability of the Internet, but at the same time it's nobody's problem because nobody owns it".

Meanwhile, network administrators deal with hijacking an old-fashioned way: calling their counterparts close
to where the hijacking is happening to get them to manually change data routes. Let us hope that researchers
will come up with something robust and practical to keep the Internet secure soon.

http://detnews.com/article/20100508/BIZ04/5080399/Unfixed-Internet-glitch-could-strand-users-offline

* Tip of the month: Troubleshooting Firewall Rules *

This month we will help you troubleshoot your firewall rules if they are not behaving as you expect it to.

Check firewall logs:- First step to take while debugging suspected blocked traffic is to check the firewall
logs. With factory setting Mettle SE logs all dropped traffic and will not log passed traffic. If there is no
traffic with a red X next to it in your firewall logs, Mettle SE is not dropping the traffic.
(Firewall logs explained in "Feature of the month"section).

Review rule parameters:- Edit the suspected rule and review the parameters you have specified for each field.
For TCP and UDP traffic the source and destination ports are almost never the same and should be set to any.
If the default deny rule is the cause of problem, you have to create a new pass rule that will match the
traffic that is to be allowed.

Review rule order:- First matching rule for a case wins. No further rules are evaluated.

Rules and interfaces:- Make sure the rules are assigned on the correct interface. Traffic is filtered only by
the rule set configured on the interface where traffic is initiated.

Enable rule logging: By enabling logging on your pass rules, you can view firewall logs and click on an entry
to determine which rule passed the traffic. This can be helpful to determine which rule is matching the
traffic in question.

Packet captures:- This is a mighty good tool for troubleshooting and debugging firewall and traffic issues.
With packet capture you can tell if the traffic is reaching the outside interface or leaving the inside
interface and among many other uses.

How to use packet capture:- http://kb.mettle.in/entry/43/

* Mettle SE feature: Firewall logs *

A firewall log entry is made for each rule that is set to log and for the default deny rule. To view the
parsed logs you have to go to Status -> System Logs on the Firewall tab.

Parsed logs are displayed in 6 columns: Action - Time - Interface - Source - Destination - Protocol. Action
tells what happened to the packet which generated the log entry - its either Pass, Block, or Reject. Time
tells the time when the packet has arrived. Interface is the interface through which the packet entered
Mettle SE. Source is the source IP address and the port the packet originated from, Destination is the
destination IP address and port of the packet. Protocol is the protocol of the packet.

The 'Action' icon displayed in the logs is a link, clicking it will lookup and display the rule which caused
the log entry.

If the Protocol is TCP, you will see extra fields that represent TCP flags present in the packet. These flags
indicate various connection states or packet attributes, some common flags are:

S (Syn) - Synchronise sequence numbers. Indicates a new connection attempt when only SYN is set.
A (Ack) - Acknowledgement to the data received.
F (Fin) - Indicates there is no more data from the sender, connection closing.
R (Rst) - Connection reset

http://kb.mettle.in/entry/52/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News April, 2010

2010-04-30T17:08:05Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

April 2010
Volume 3, Issue 4

In this issue:
* Editorial
* IT Industry news: Accidentally Importing Foreign Censorship Policy
* Tip of the month: Firewall Rule Best Practices
* Mettle SE feature: Server Load Balancing
* Case Study: Mettle SE at a Research and Education Institute in Kerala

* Editorial *

Greetings,

This month passes with yet another episode of wrong BGP advertisement hogging the Internet. This occurred in
China this time. Result: China's censorship was enforced outside their country. Read the full story in the
Industry News section.

A badly maintained system is prone to go wrong and will turn into a maintenance nightmare. Firewall is no
exception. This month's Tip of the Month section describes how the firewall configuration in Mettle SE can be
kept neat and tidy. It is nothing but a set of conventions that can be followed easily.

Redundancy is what we think when it comes to high availability. It is easier said than done when it comes to
setting up redundant servers or services and putting them into use effectively. This requires additional
infrastructure components to direct traffic and check out availability etc. Mettle SE supports this and this
feature is part of standard firmware. Read about this in this month's Mettle SE Feature column.

This month's case study explains how Mettle SE enabled a premier research institute to implement a secure IT
infrastructure and policy enforcement in their campus.

Happy networking!

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Accidentally Importing Foreign Censorship Policy *

You're browsing the Internet from a place with no Internet censorship, but one fine day the websites you used
to visit have become unavailable or you're presented with restricted user access. You may not have realised,
but your computer must have come under the Internet censorship policy of another country! Sounds strange?
Read on!

With advancing technology, sophisticated filtering technologies are increasingly being applied to restrict
access to the Internet. Internet filtering is done by corporations and by some governments. Given the open
nature of the Internet, one country's restrictions, if not handled very carefully, can foul global Internet
access. This article is about one such incident, Internet filtering done in China affecting other parts of the
world and going undetected for 3 weeks. Given the increasing complexity and efficiency of this technology, and
the difficulty in controlling a very open Internet, and the desire of some to do just that could be a
harbinger of things to come.

To understand this, one needs a bit of Internet routing know how, the behaviour of DNS and the root name
servers, and the economics of Internet routing.

When you type www.facebook.com into your browser, your computer first contacts a DNS server to convert this
name into an IP address in order to contact the host serving this content. Answers to DNS requests are cached
on both your machine and the servers involved to save time and to reduce the load of subsequent identical
queries. Now suppose that the caches on your computer and your DNS server are both empty and you make the
above query. Your DNS server first contacts a Root name server with your request. If configured according to
convention, the Root name server will not provide the answer to your query by itself, instead directs your DNS
server to the .com Name servers. In turn, .com name servers will direct your DNS server to the Facebook.com's
name server, which will ultimately provide IP address to of Facebook's web servers.

Now suppose corporate Z runs a root name server and Z wants to restrict Facebook access. Nothing requires Z to
direct you to the .com name servers as in the chain of resolution described above. Since Z sees your complete
request, it could just answer it directly. If Z gave you the wrong answer, it would effectively block your
access to Facebook. Since Internet runs on trust, you'll also end up caching Z's invalid response (called
“cache poisoning”) and with Z being the one who tells you how long to cache the result. Or Z could actually
provide the correct answer, but a firewall in front of Z could alter the DNS query response on its way back
to you.

Incident Details

This scenario might seem very unlikely but it in fact just happened with the I-Root instance that runs out of
China. The problem existed from March 3rd until March 25th, before it was reported and corrected. Despite the
fact that a lot of people could have been impacted, the chances of any one of them having gotten the incorrect
DNS response are extremely remote. Thanks again to the way DNS operates and the overall resiliency of the
Internet.

China censors the Internet in a variety of ways, one way is to return invalid answers to DNS requests to
Chinese users. For example, a Chinese DNS server is returning 46.82.174.68 as an IP address for
www.facebook.com, when in fact all legitimate Facebook IPs are of the form 66.220.x.y or 69.63.x.y. Such
seemingly random IPs are also returned for www.twitter.com, www.youtube.com and many other domains. This is
normal and expected behavior inside China.

However, China hosts an instance of a Root name server, the I-Root, when this server became visible outside of
China on March 3rd, anyone who happened to query it could have got bogus responses. There are thirteen
different root name server IP addresses and the I-root is just one of these, namely 192.36.148.17. In
addition, there are dozens of instances of the I-Root housed in many locations around the world. To get a
bogus DNS response outside of China, you not only had to query the I-Root but you had to query the Chinese
version of it. Not surprisingly, the most exposed countries were all in Asia, but some prefixes in the US were
also vulnerable, more than half of which geo-locate to California.

Let us review the unlikely series of events that would have been required to observe a bogus answer to
www.facebook.com.

1. You attempt to go to www.facebook.com.
2. You don't have this entry in your DNS cache, nor does your DNS server.
3. Your DNS server does not have the .com servers cached either.
4. Your DNS server happens to choose the I-root (as opposed to A-root, B-root, C-root,... M-root etc).
5. Due to current Internet routing in place at your location, your DNS server happens to be directed to
China's instance.

Since Facebook is blocked in China, your DNS server does not get the expected list of .com servers, but rather
a bogus response to your original request, either from the I-root itself or a firewall in between.

You don't have any control over which I-root instance you see from your location. That is determined by
Internet routing. Many of the root name servers are “anycast” from multiple locations around the world. This
means that the associated IP prefixes are announced from multiple locations, all of which house servers with
copies of the appropriate data. BGP, the Internet routing protocol, is then used to sort out who sees which
instance of the root servers from which locations. In general, the Chinese I-root instance is supposedly only
visible from within China, but for 3 weeks these routes leaked out to the global Internet which created this
issue. This announcement leaked out of China when it was leaked by China Network Information Center.

Internet routing is driven more by economics than by physical distance, although the two are often related.
For example, two smaller Internet service providers X and Y, agree to exchange traffic with each other for
free. This common arrangement on the Internet is known as peering and allows X and Y to save money in transit
costs to larger ISPs. Suppose further that X (or one of its customers) is running the I-root. If Y needs to
get to the I-root it should pick its peering link with X, rather than its link to a larger carrier for whom
they have to pay. China Telecom, the largest carrier in China, peers with nearly 100 other ISPs. If those ISPs
or their customers aren't running an instance of the I-root themselves, they might use their peering link to
China Telecom to reach their instance. This is how countries far from China could end up selecting the Chinese
I-root as the "best" of many possibilities.

Conclusions

The article illustrates both the fragility and the resiliency of the Internet. Its fragile because it is
ultimately trust-based and almost anyone can violate that trust, deliberately or by accident. Its resilient
because there are often many alternatives or workarounds for any sabotage or attempts to control it.

Reference: Renesys blog: http://www.renesys.com/blog/2010/03/fouling-the-global-nest.shtml

* Tip of the month: Firewall Rule Best Practices *

Below are general best practice tips to consider when configuring firewall rules. Following best practices
tips will help you to create a secure and robust computer network and easy trouble shooting.

1) Default deny: Two philosophies in computer security related access control are default allow and default
deny. Best practice is to have the default deny strategy. Configure your rules to permit only the bare minimum
required traffic for your networking needs, and let the rest drop with Mettle SE's built in default deny rule.

2) Keep it short: The shorter the rule set, the easier it is to manage. Long rule sets are difficult to work
with, increase human error, tend to become overly permissive and significantly more difficult to audit.
Utilise 'Aliases' to help keep your rule set as short as possible.

3) Review your rules: You should manually review your firewall rules and NAT configuration on a periodic basis
to ensure they still match minimum requirements of your current network environment. The recommended frequency
of such review will vary from one scenario to another. In networks that do not change frequently with a small
number of network administrators and good change control procedures, quarterly or semi-annually is usually
adequate. For fast changing environments or those with poor change control and several network administrators,
the configuration should be reviewed at least on a monthly basis.

4) Document your configuration: Use of the 'description' field in firewall and NAT rules is always recommended
to document the purpose of each rule. In larger or more complex deployments, you should also maintain a more
detailed configuration document describing your entire Mettle SE configuration. When reviewing your
configuration in the future this should help you determine which rules are necessary and why they are there.

5) Reducing log noise: Logging is enabled on the default deny rule in Mettle SE by default. This means all the
noise getting blocked from the Internet is going to get logged. Sometimes you won't see much noise, but in
many environments you will find something incessantly spamming your logs. Sometimes spamming cover up logs
that are important, and its a good idea to add a block rule on the WAN interface for repeated noise traffic.
By adding a block rule without logging enabled on the WAN interface, the traffic will still be blocked, but no
longer fill your logs.

6) Logging Practices: By default Mettle SE does not log any passed traffic and logs all dropped traffic. This
is a practical setting as logging all passed traffic should rarely be done due to log levels generated. There
is a catch in this, blocked traffic cannot harm the network, but traffic that gets passed could be very
important log information to have if a system is compromised. After eliminating useless block noise as
described in the previous section, the remainder is of some value for pattern analysis purpose. If you are
seeing a significantly more or less log volume than usual, its probably good to investigate why.

* Mettle SE Feature: Server Load Balancing *

Server load balancing allows you to distribute traffic between multiple internal servers. It is commonly used
with web servers and SMTP servers though it can be used for any service that uses TCP.

There are two portions of configuration for the server load balancer. Virtual server pools define the list of
servers to be used, which port they listen on, and monitoring method to be used. Virtual servers define the IP
address and port to listen on, and the appropriate pool to direct the incoming traffic to that IP address and
port.

To configure Virtual server pools:

1) Go to: Services --> Load Balancer --> Click + button to add a new pool.
2) Name --> Enter a name for the pool here. The name is referenced later when configuring virtual server.
3) Description --> You may enter an optional description here/
4) Type --> Select 'Server'
5) Behaviour --> Select 'Load Balancing'
6) Port --> This is the port your servers are listening on internally. This can be different from the external
port.
7) Monitor --> Defines the type of monitoring to use. Selecting 'TCP' will make the balancer connect to the
port defined above, if it cannot connect, server is considered down. Choosing 'ICMP' will monitor the defined
servers by pinging them, and will be marked down if there is no ping response.
8) Monitor IP --> Not applicable with server load balancing
9) Server IP Address --> Fill in the IP address of the servers in the pool.
10) List --> Shows the list of servers you have added to this pool. You can remove a server from the pool by
clicking on its IP address and clicking remove from pool.
11) Click on 'Save' and proceed to configure virtual servers.

To Configure virtual servers:

1) Name --> Enter a name for the virtual server here, this is not parsed.
2) Description --> You may enter a long description here, its not parsed.
3) IP Address --> Enter the IP address that the virtual server will listen on. This is usually your WAN IP or
a Virtual IP on WAN interface.
4) Port --> This is the port the virtual server will listen on. It can be different from the port on your
servers are listening internally.
5) Virtual Server Pool --> Select the previously configured pool from the list.

After configuring server pool and servers, you should create a firewall rule to allow the traffic to the
servers and the ports they are listening on. Please refer to our KB article for detailed information.

http://kb.mettle.in/entry/51/

* Case Study: Mettle SE at a Research and Education Institute in Kerala *

Vertical: Education/Campus
Geography: Trivandrum, Kerala

Client Profile:

This client is an autonomous research institute, established in 1971, with an objective to promote research,
teaching and training in disciplines relevant to development. The institute is considered to be one of the
foremost development economics research centers in the country. The core activities of the institute are
research, teaching and training. They conduct programmes affiliated to Jawaharlal Nehru University. Institute
has gained recognition from the University of Kerala as a center for its doctoral studies. Institute is
supported financially by the Government of Kerala and Indian Council of Social Science and Research.

Problems:

Institute is served by a single high bandwidth WAN link. LAN networks is not secured from Virus attacks from
the Internet as they don't have a gateway antivirus installed in their network. Secure WiFi service was to be
made available in the campus. Content Filtering is to be implemented to filter out unacceptable Internet
content and services as a part of the acceptable usage policy laid down by the management. Internet access log
needs to be maintained for the campus. They have servers deployed in their local area network which has to be
made available to authorised users on the Internet. Few users need access to the campus servers remotely.

Solution:

Mettle SE was deployed at the campus to handle their IT infrastructure needs. Solutions provided by Mettle SE
can be grouped into the following sections:

a) ISP Link Termination and Gateway Antivirus
b) Firewall and DMZ
c) NAT and PAT
d) VPN with RADIUS Server
e) Proxy Server and Content Scanning

a) ISP Link Termination and Gateway Antivirus

The Institute is served by a single ISP providing a high bandwidth link. Mettle SE is the terminating point
for the ISP link at the campus. Mettle SE is the gateway for all the computers and server on the campus
network. Mettle SE protects the LAN subnets and computers in the network from viruses, worms, trojans and
other malicious codes and threats from the Internet. Mettle SE updates its internal virus signature database
automatically over the Internet to provide maximum security for the campus network.

b) Firewall and DMZ

To provide optimum security to the computers in the campus, Mettle SE implements a security barricade. Campus
users are served by the campus LAN and WiFi subnets. Mettle SE Firewalls the LAN and WiFi subnets thus keeping
the computers connected to the Internet via Mettle SE safe and secured.

A DMZ also has been setup where their public access servers are kept. The purpose of a DMZ is to add an
additional layer of security to the institute's LAN, an external attacker only has access to hosts in the DMZ,
rather than the whole of the network. The publicly accessible servers are hosted in the DMZ. This setup allows
servers in the DMZ to service both internal and external network, while keeping the LAN safe from possible
threats from the Internet. IP traffic between LAN and DMZ is monitored by Mettle SE, thus keeping out suspect
and unauthorised traffic out of the LAN. In the unlikely situation that security of DMZ is breached, Mettle SE
would keep the LAN and critical machines secured.

c) NAT and PAT

Mettle SE provides Internet connectivity for Desktops, Laptops and Servers hosted in the corporate network.
Mettle SE is configured as the gateway for the computers on the LAN subnets. Manual Network Address
Translation (NAT) is enabled in Mettle SE to provide Internet connectivity to computers which require direct
access to the Internet. Content Scanning is skipped for such computers which connect to the Internet via NAT.
Mettle SE is set as the proxy server for other computers, for which Internet connection needs to be monitored
and controlled.

Port forwarding (PAT) is enabled in Mettle SE to allow an authorised user, to connect to a specific computer
in the LAN, over the Internet. Port forwarding transfers IP packets between the private IP addresses of the
computer on a particular port and a public IP address with a specific port. This ensures that a service in the
host computer can be accessed from the Internet but is secured.

d) VPN with RADIUS Server

A PPTP VPN service has been enabled in Mettle SE to allow authorised users to connect to the campus network
for administrative and academic purposes. Users are issued with unique username and password combination with
which they can connect to Mettle SE from anywhere in the world. VPN user credentials are stored in a RADIUS
server which is linked with Mettle SE. VPN users trying to connect to Mettle SE is authorised against the user
credentials stored in the RADIUS server. Valid users are allowed to connect after verification. Mettle SE VPN
service also allows users to access campus resources irrespective of their location, without compromising
security.

e) Proxy Server and Content Scanning

Routing all IP traffic from the local subnets to the Internet via a proxy service has its advantages. A
research institute would like their students and faculty to use the Internet according to the acceptable usage
policy (AUP). Mettle SE helps the network administrator to enforce AUP with its Proxy Server and Content
scanning engines. The Internet usage policy is best if enforced at the point of presence of the ISP links,
which ensures that content is filtered before it is passed on to the LAN.

Mettle SE has been serving the institute reliably and efficiently since its deployment, meeting the needs of
the management and the system administrators. Mettle SE has proved its Mettle once again, serving our client
reliably round the clock.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News March, 2010

2010-03-31T16:23:36Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

March 2010
Volume 3, Issue 3

In this issue:

* Editorial
* IT Industry news: Websites that can take a punch!
* Tip of the month: Firewall States
* Mettle SE feature: RRD Graphs

* Editorial

Greetings!

We are at the closing of one more financial year. The year passing by was both exciting and troublesome for
many. But the year ahead seems very promising in the soaring economy. We wish all of our clients a prosperous
year ahead and hope to strengthen our relationships further!

This issue's Industry News examines how MIT succeeded in preparing Web sites can stand an attack.

Tip of the month this month features “Firewall States” in Mettle SE. Feature of the month column introduces
RRD Graphs in Mettle SE.

Once again all at Linuxense wish readers a prosperous year ahead!

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Websites that can take a punch!

The recent, well-publicised cyber attack on Google was just the latest skirmish in a long war. And like most
long wars, this one features an arms race, as hackers seek out new security holes, and web site administrators
try to close them.

When a web site is under attack, its only viable defence may be to take its servers offline, which in the
short term can cost them money in lost revenue and productivity and, in the long term, could hurt its
credibility. Indeed knocking a site offline may be an attackers’ sole intention.

MIT researchers have developed a system to keep web servers or any Internet-connected computers running even
when they’re under attack. The work was funded largely by the U.S. Defence Department. In a pair of tests
whose thoroughness is unusual in academia, DARPA hired a group of computer security professionals outside MIT
to try to bring down a test network protected by the new system. In both tests the system exceeded all the
performance criteria that DARPA set for it, says Martin Rinard the professor of electrical engineering and
computer science who led the research.

The MIT system during its operation, monitors the programs running on an Internet-connected computer to
determine their normal range of behaviour, and during an attack, it simply refuses to let them wander outside
that range. Suppose that a program running on a web server routinely stores data in one of two memory
locations - A and B. During an attack, malicious code tries to trick the program into storing data at location
C instead. The MIT system won't let that operation happen,it sends the data to either location A or location B.

Of course, the data may not be of a type that belongs at either of those locations. And the system will modify
behaviours that could be even more disruptive than data storage. At sites with large banks of servers the MIT
system gets several chances to find the best response to an attack. If storing at location A causes one server
in the bank to crash, the MIT system will tell the other servers to store it at location B, instead.

"The idea is that you've got hundreds of machines out there," Rinard says. "We're saying, 'Okay, fine, you can
take out six or 10 of my 200 machines.'" But, he adds, "by observing what happens with the executions of those
six or 10 machines, we'll be able to deploy patches out to protect the rest of the machines." The entire
process of recognizing an attack, testing a number of countermeasures and deploying the most effective ones
can take a matter of seconds.

Read the complete article at:
http://web.mit.edu/newsoffice/2010/web-attacks-0317.html

* Tip of the month: Firewall States

Mettle SE has a stateful firewall and uses one state to track each connection to and from the system. These
states may be viewed in the web interface.

To view the states go to Diagnostics --> States. Here you will see the protocol for each connection, its
Source, Router, Destination and its connection state. When viewing NAT entries the three entries in the center
column represent the system which made the connection, the IP address and port Mettle SE is using for NAT
connection and the remote system to which the connection has been made.

Individual states may be removed by clicking the 'X' button at the end of each row.

* Mettle SE Feature: RRD Graphs

RRD graphs are a useful set of data provided by Mettle SE. It keeps track of various sets of data and how the
system performs and stores this data in RRD files. To view RRD graphs go to: Status --> RRD Graphs.

Some graphs can be viewed in 'Inverse style' or 'Absolute style'. In the Inverse style the graph is split in
the middle horizontally, incoming traffic is shown as going up and outgoing traffic is shown as going down. In
the Absolute style graph is superimposed. Each graph is available in several time span and each of these is
averaged over a different period of time based on how much time is being covered in each graph. Each graph
will have a legend and summarisation of the data being shown.

There are six tabs on the RRD graphs page: System, Traffic, Packets, Quality, Queues and Settings.

a) System graph: This shows a general overview of the system utilisation, including CPU usage, total
throughput and firewall states.

b) Processor Graph: This shows the CPU usage for user and system processes, interrupts and the number of
running processes.

c) Throughput Graph: Shows the incoming and outgoing traffic totalled up for all interfaces.

d) States Graph: Shows the system states but breaks down the value in several ways. It shows the filter states
from firewall rules, NAT states from NAT rules and the count of unique active source and destination IP
addresses and the number of state changes per second.

e) Traffic Graphs: Shows the amount of bandwidth used on each available interface in bits per second. There is
an 'All graphs' choice which will show all of the graphs in a single page.

f) Packet Graphs: This works like traffic graphs but instead of reporting based on bandwidth used it reports
the number of packets per second (pps) passed.

g) Quality Graph: This graph tracks the quality of WAN interfaces with gateways specified. Response time from
the gateway in milliseconds and percentage of lost packets is reported in this graph. Any loss on graph
indicates connectivity issues or times of excessive bandwidth use.

h) Queue Graphs: If traffic shaping is enabled queue graphs will show a composite of each traffic shaper
queue. Each queue will be shown represented by a unique colour. You can view either the graph of all queues or
the graph representing the drops from all queues.

RRD Graph Settings:

RRD graphs can be customised to suit your preferences. Its possible to turn of RRD graphing is you prefer to
use third party external graphing solution. Remember to click on 'Save' when you're finished.

a) Enable Graphing: Check the box to turn ON RRD graphing. Uncheck the box to turn OFF RRD graphing.

b) Default Category: This option selects the tab to be displayed as default when you visit RRD Graphs page.

c) Default Style: This option selects which style of graph to be displayed by default, Inverse or Absolute.

d) Save the settings when finished.

KB Article: http://kb.mettle.in/entry/50/

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News February, 2010

2010-02-23T13:02:44Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

February 2010
Volume 3, Issue 2

In this issue:
* IT Industry news: Hacker attacks from China
* Tip of the month: Traffic Graph
* Mettle SE feature: Time-based Firewall Rules
* Case Study

Greetings,

Presenting you yet another edition of Mettle News with more tips, news and case studies.

To thank your patronage and to celebrate the completion of one year of Mettle News, we are giving out
Mettle(tm) goodies to Mettle News readers. To get yours, just send an email to goodies@mettle.in saying hello.

This edition presents you a Mettle SE tip that explains how to use the traffic graph facility to troubleshoot
and analyse WAN/Internet traffic in real time.

Time-based firewall rules are handy when it comes to transparent enforcement of organisational policies.
Feature of the month explains how to do this in Mettle SE.

Case study of the month explains how Mettle SE helped a premier University in the country to secure and manage
their fairly complex campus LAN using Mettle SE.

As usual, we expect your feed back and suggestions to improve Mettle News. Requests for HTML version of this
news letter is being considered. Soon you will have the option of opting HTML version if you like it.

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: Hacker Attacks from China *

Last month Google announced that it had been the target of a highly sophisticated hack attack against its
corporate infrastructure. Google said that hackers had stolen intellectual property and gained access to the
email accounts of human rights activists. This attack, according to Google, originated from China.

It has been reported that Google managed to gain access to a computer in Taiwan that was suspected of being
the source of the attacks. Probing inside that machine Google engineers found evidence of attacks not only at
Google but also at 33 other companies including Adobe Systems and Juniper Networks. Adobe acknowledged in a
blog post that it discovered on 2nd January that it had also been the target of a “sophisticated, coordinated
attack against corporate network systems managed by Adobe and other companies.”

The attackers used a dozen pieces of malware and several levels of encryption to burrow deep into the bowels
of corporate networks and obscure their activity. The encryption was supposedly highly successful in obscuring
the attack and avoiding common detection methods. Even though China has denied that it has anything to do with
the hacker attacks, experts believe that the attack might have been supported by Chinese Government agencies.

Once the attackers were in systems they siphoned off data to command-and-control servers in Illinois, Texas
and Taiwan. Alperovitch, VP of threat research at McAfee, wouldn’t identify the systems in the United States
that were involved in the attack but reports indicate that Rackspace, a hosting firm in Texas, was used by
hackers. Rackspace disclosed on their blog that they inadvertently played a very small part in the attack.

http://www.nytimes.com/2010/02/19/technology/19china.html?em
http://www.wired.com/threatlevel/2010/01/operation-aurora/#ixzz0frmLPVlU

* Tip Of The Month: Traffic Graphs *

Mettle SE provides you with a solution to view network traffic on any of the Interfaces in real time. Traffic
graphs in SVG (Scalable Vector Graphics) format is being rendered constantly live showing the traffic flow of
the selected network interface.

To view Traffic Graph go to: Status --> Traffic Graph

Choose which interface to view from the Interface drop down list. When you select an interface, the page will
automatically refresh and start displaying the graph. Traffic graph is a quick tool that helps to analyse the
network speed and find out if any link is showing unexpected traffic.

* Mettle SE feature: Time-based Firewall Rules *

Time-based rules allow to set up firewall rules that come into effect only on specified days and/or time
period. The schedule determines when to apply the rules specified.

To configure a Schedule go to:

1) Firewall --> Schedules --> Click on the '+' (Add) button
2) Enter a Schedule Name of your choice containing only letters and digits

Now specify schedule:

3) A schedule can apply to specific days of a month or days of the week
4) To select any given day within the year, choose month from the drop down list and click on specific days on
the calendar.
5) To select for any day regardless of the month click on Mon, Tue, Wed, Thu etc. This will make the schedule
active for Mondays, Tuesdays, Wednesdays etc.

Defining Time Range:

6) Select the Schedule start and end time in Hours and Minutes from the drop down box.
7) You may enter a Time Range Description for ease of understanding.
8) Click 'Add Time' once time range has been selected.
9) You can add more than one time ranges. You may use same time range for identical days and another time
range for each day with different times (For e.g. Working hours on Monday to Tuesday might be from 9Am to
5Pm and on Saturdays it might be from 9Am to 2Pm).
10) Save the changes once defining Schedule has been completed.

Using the Schedule in a Firewall Rule:

11) Create a Firewall Rule as you would normally create to allow or deny particular traffic.
12) Inside Firewall Rule editing page you can find the 'Schedule' heading and a drop down list box next to it.
13) Select the Schedule you have created from this drop box.
14) Configure the rest of the Firewall settings and Save the configuration.

The Firewall Rule you have now created would be active during the Schedule you have defined.

See the Mettle Knowledge article: http://kb.mettle.in/entry/49/

* Case Study *

Vertical: Education/Campus
Geography: Trivandrum, Kerala

Client Profile:

This client is the oldest University in the state of Kerala, established in the year of 1937 in the then
Travancore state. The University has sixteen faculties and 41 departments of teaching and research and there
are around 157 affiliated colleges under the wings of the university. The University Departments offer a wide
range of teaching and research at post-graduate and higher levels.

Problems to be solved:

Campus is connected to the Internet by multiple ISP links to satiate the demand for high bandwidth
necessitated by large number of computers requiring Internet connectivity. Unequal bandwidth ISP links are
deployed at the campus. Load balancing two ISP links is to be implemented taking care not to over saturate the
link with lower bandwidth. College campus network was not secured from Internet borne virus attacks and
threats since they do not have a gateway anti virus solution. To keep the campus network from offensive and
inappropriate content, content filtering is to be implemented. Students and faculties rely upon video feeds as
a part of their curriculum and such content has to be accessed from the campus network. Servers hosted in the
campus running public services have to be made accessible from the Internet.

Solutions built up with Mettle SE are classified into the following sections:

a. Terminating redundant ISP links with fail over and load balancing
b. Firewall, Gateway Anti-virus and Content Filtering
c. Port Forwarding

a. Redundant ISP links

Internet connection to the campus is provided by two ISP links. These two links are of unequal bandwidth, one a
higher bandwidth link and the other comparatively lower in bandwidth. Both links are terminated at Mettle SE
and configured in a load balanced set up. ISP links being of different bandwidth, Mettle SE has been
configured to pass proportionately more traffic through the broader link and direct less traffic through the
narrow bandwidth link. Load balancing is set at a ratio of 4:1. Such a set up has been implemented to ensure
the best possible utilisation of the links.

With load balancing enabled, automatic fail over mode is also active. If an ISP link goes down Internet
traffic is diverted over to the active link. Though browsing speed will be proportionately lower one of the
link goes down, Mettle SE will keep the campus connected without interruption. Once the ISP link is back up
Mettle SE adds it back into the load balancing pool.

b. Firewall, Gateway Anti-virus and Content Filtering

Campus network at the time of deployment did not have an effective gateway anti-virus system, firewall and
content filtering service. With Mettle SE the the aim was to provide maximum security for the campus network
with Mettle SE's inbuilt Firewall, Gateway Anti-virus system and Content Filtering services. Campus LAN is
divided into two different subnets based on the security and management requirements. Main network is the
campus LAN and the smaller network is the DMZ network.

Mettle SE's firewall secures the LAN from unauthorised access from other networks. Firewall rules combined
with Aliases feature in Mettle SE enables restricting unauthorised access to resources hosted in the LAN and
DMZ network with ease. Public servers are hosted behind Mettle SE's Firewall to protect them from Internet
borne threats and attacks.

Mettle SE has an inbuilt Gateway Anti virus engine which filters all viruses and worms coming from the Internet
before it reaches the local area network. The Gateway Anti-virus engine inside Mettle SE automatically
maintains an up-to-date virus definition without user intervention. This helps to identify and quarantine most
viruses propagating over the Internet. Thus Mettle SE Gateway Anti-virus goes a long way in keeping the campus
network safer from viruses and malicious codes.

University wished to implement an Acceptable Usage Policy (AUP) with the aim of enforcing effective Internet
usage in the campus. Best way to enforce such a policy is to enforce it at the point of presence of ISP links,
which helps to filter out content before it reaches the local network. With Mettle SE implementing AUP was
made easy. Mettle SE was configured to block certain types of web sites and web resources that goes against
University's general policies and websites which allow Internet users to circumvent usage policy. Mettle SE's
White List and Grey List feature allows complete exclusion and partial exclusions of web sites respectively.
If a particular website is white listed, it will not be scanned and thus the website access will be faster for
the user. If a website is Grey listed then the website will be scanned and if that website content falls
within the AUP it shall be allowed. Black listing a website is possible and doing so those websites will be
blocked.

c. Mettle SE for Port Forwarding

The institution hosts several servers in the local network which needs to be accessed from the Internet by
authorised users and general public. These servers are hosted behind Mettle SE and protected from hacker
attacks and viruses. To make these servers available on the Internet Mettle SE uses port forwarding which
translates the the local IP address assigned to the servers to a public IP address for a specific port or set
of ports.

Conclusion:

Mettle SE enabled the University to provide high quality Internet and Internet enabled services in the campus.
Mettle SE is the secure gateway for their connections to public networks and secures the servers and computers
in the local networks. Mettle SE does bandwidth aggregation of two unequal bandwidth WAN links with load
balancing providing the campus with high bandwidth and redundancy.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News January, 2010

2010-01-28T12:22:15Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

January 2010
Volume 3, Issue 1

In this issue:

* Editorial
* IT Industry news: Scraping the bottom of IPv4 barrel!
* Tip of the month: Configuration History
* Mettle SE feature: DHCP Server
* Case Study: e-Governance Kerala State Department

* Editorial *

Wish you a happy new year!

Hope you had a great year behind. Let us look forward to an exciting year ahead!

This new year begins with a warning on IPv4 address space run out. So regional NICs are going to be stringent
on terms to release new IP address blocks and in turn ISPs are going to put cap on free IP address pool they
provide. This months Industry News takes a look at this scenario and the proposed solution of IPv6.

Tip of the Month this issue shows a cool way to keep track the configuration changes in your Mettle SE. This
is handy when you want to revert a change that you made or want to do a forensic analysis.

In the Feature of the Month section, it is an in-depth view of the DHCP service that is available in Mettle SE.

As always, we appreciate your feedback, suggestions and brickbats. Enjoy!

Once again, wish you a Happy New Year!

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News – Scraping the bottom of IPv4 barrel *

We are facing an IP address crunch and at the rate we are using the current IPv4 addresses and we will soon
extinguish the available supply in a few more years! We used up 1370 million IPv4 addresses in this past
decade and we have only 722 million left!

Of the 3,706,650,624 IPv4 addresses, approximately 1615 million, 44 percent of the pool, were in use on
January 1 2000 and 2092 million were still available. Fast forward to the present 81 percent of the pool,
approximately around 2985 million, IPv4 addresses are in use and 722 million are available. So its only a
matter of time before you have to get into the IPv6 way of addressing.

IANA allocates blocks of 16,777,216 addresses called "/8s" to the five Regional Internet Registries - AfriNIC,
APNIC, ARIN, LACNIC and the RIPE NCC - which in turn supply address space to ISPs and end-user organizations.
At the end of 2008, IANA held 34 unused /8s and the RIRs together held 371.91 million unused addresses.

IANA global pool was only reduced by 8/8s, but the RIRs collectively reduced their working inventory by
another 5/8s, bringing total reduction of the free address space 13/8s, or 203.4 million IPv4 addresses, to be
exact. 2009 is the first year since 1992 that the number of IPv4 addresses given out has been more than 200
million.

If IANA goes back to giving out 12/8s to the RIRs per year, IANA will be giving out the fifth-to-last /8
somewhere in 2011 and then automatically also the other four. APNIC's Geoff Huston predicts September 14, 2011
as the day the IANA global pool runs out, and November 1, 2012, as the day we last scrape the bottom of the
IPv4 barrel.

Source: http://arstechnica.com/tech-policy/news/2010/01/dont-publish-the-decade-in-ipv4-addresses.ars

* Mettle SE tip of the month: Configuration History *

Backup/Restore screen allows you to easily take backup of your Mettle SE running configuration or allows you
to load a saved configuration and make it active. But for minor problems you may use Mettle SE internal
backups to revert to a previous configuration, sort of like an 'undo' feature. Previous 30 configurations are
stored along with current running configuration.

1. Diagnostics --> Backup/Restore
2. Select tab 'Config History'
3. Listed are the previous 30 configurations along with the current running configuration.
4. To make a previous config active click on the '+' button next to it.
5. To delete a stored config click on the 'x' button next to it.

Please note that Mettle SE will not automatically reboot if required. Minor changes may not need a reboot, but
recovering some major changes will need a reboot.

(Best practice is to always take the backup of the running configuration into an admin PC on the LAN before
you make any major changes to Mettle SE).

* Mettle SE feature: DHCP Server *

DHCP server assigns IP addresses and related configuration options to client PCs on your network. It is
enabled by default on the LAN interface with the default IP range of 192.168.1.10 through 192.168.1.199. In
its default configuration Mettle SE assigns its LAN IP as the gateway and DNS server if DNS forwarder is
enabled.

To configure DHCP server go to Services --> DHCP server. On the DHCP configuration page there is a tab for
each non-WAN interface and each interface has its own separate DHCP configuration and they may be enabled and
configured independently of each other.

1. Check 'Enable DHCP Server' to enable DHCP on an Interface.
2. Check 'Deny unknown clients' to deny DHCP lease to clients except for those which are defined with static
mapping.
3. Range - Enter the start IP address and the finish IP address for use as DHCP pool. DHCP range must be
contained within the subnet of the interface being configured.
4. WINS Servers - Enter the IP address of WINS servers if you use WINS servers. They need not be on the same
network but proper routing and firewall rules should be in place.
5. DNS Servers - Depending on your LAN setup you may or may not fill in the DNS servers. Leaving the fields
blank and if you enable DNS forwarder in Mettle SE, mettle SE will assign itself as the DNS forwarder for
client PCs. If the fields are left blank and if DNS forwarder is disabled Mettle SE will pass on the DNS
server assigned in System --> General Setup. If you wish to use your own DNS servers instead of automatic
choices, enter the IP addresses of the DNS servers here.
6. Gateway - If LAN is using Mettle SE as the default gateway, the field can be left blank. If not enter the
IP address of your gateway.
7. Default and Maximum Lease Time - Value to be entered in 'seconds'. It control the life of the DHCP lease.
Default lease time is supplied by Metle SE when the client does not request for a specific lease time.
Maximum lease time will control how long lease will last even if the client asks for a longer lease time.
8. Fail-over Peer IP - If Mettle SE is setup in a failover stack enter the IP address of the slave Mettle SE
here.
9. Static ARP - If enabled Mettle SE will deny DHCP lease to unknown MAC addresses and also restrict any
unknown client from communicate with Mettle SE. Before enabling static ARP make sure that clients which
need to communicate with Mettle SE are listed inside static mapping list, especially the machine you need
to access Mettle SE web interface from.
10. Dynamic DNS - Click on 'Advanced' button to go to Dynamic DNS settings. Check the check box to enable it.
If using Mettle SEs DNS forwarder you can leave this blank and configure it inside DNS forwarder setup.
11. NTP Servers - Click on the 'Advanced' button to enter NTP server IP addresses.
12. Enable Network Booting - Click 'Advanced' button to view or enable network booting settings. Check the box
to enable it. Enter the IP address of the 'Network boot server' and the 'File name of the boot image'.
13. After changes have been made click on 'Save' to save settings. This must be done before creating static
mappings.
14. Static Mappings - This allows you to provide specific IP addresses to specific clients inside the LAN.
To set static mapping click on '+' button and you will be forwarded to a new page. Here you will need to
enter the MAC address of the particular client PC in the 'MAC Address' field and enter the IP address in
the 'IP address' field. 'Host name' and 'Description' is not parsed so you may enter it or not. Please
note that IP addresses issued for static mapping must be outside of the DHCP pool. Save the changes before
navigating away from the page.

KB Article: http://kb.mettle.in/entry/4/

* Case Study *

Vertical: Government/e-Governance
Geography: Kerala, India

Client profile:

Department of the State of Kerala.

Requirements & Solution:

Their district head quarters are spread across the state and the Head Office (H.O) is stationed at
Thiruvananthapuram. Remote offices need to connect to the e-Governance application located at H.O,
Thiruvananthapuram. Also the servers which run the e-Governance applications at the H.O require protection from
unauthorised access from the Internet. Secondly Desktop computers at HO need to be protected from viruses,
Internet threats, malicious codes and offensive content.

Mettle SE was deployed at the H.O as the solution to satisfy all the connectivity and security requirements.
They can be categorised into:

a. VPN Solution
b. Port Forwarding
c. Firewall and Routing
d. Gateway Anti-virus and Content Scanning

a. VPN Solution.

Mettle SE made it possible to connect district offices and range offices spread across the 14 districts of
Kerala to the H.O through SSL-VPN. Remote VPN users on different operating systems seamlessly connect to the
H.O using and can reliably access servers according to their user privileges.

b. Port Forwarding

Certain servers hosted at the H.O to be accessible over the Internet. Mettle SE provided port address
translation service to the servers that has to be accessed from a public network. Mettle SE has made it
possible to map internal servers to public IP addresses and they can be accessed from the Internet for users
with valid credentials.

c. Firewall and Routing

For extended security, PCs and servers are deployed in two different local networks: User-LAN and Server-LAN.
Firewall rules specified in Mettle SE controls the access to the computers in the User-LAN, servers in
Server-LAN and secure publicly accessible servers. Remote users access to servers in the H.O is strictly
controlled based on their requirement. Mettle SE blocks all unspecified traffic from reaching the HO network.

There are two routable LAN segments in the network. Servers are placed in a secured Server LAN subnet to
separate them from User LAN traffic. Mettle SE routes users on User-LAN to the server network when they
access their servers.

b. Content Scanning and Gateway Antivirus

Mettle SE is the terminating point for the ISP link at the H.O. Mettle SE is the Gateway for desktop computers
and servers. Mettle SE protects the local network from viruses and worms from the Internet with its built-in
Gateway Antivirus service. Mettle SE updates virus signature database automatically with the latest anti-virus
definitions available so as to block any new virus.

Internet traffic is filtered by Mettle SE's proxy Server. Web sites and services that violate Internet usage
policy are blocked preventing users from accessing it. Mettle SE keeps a log of the Websites users visit on
the Internet; and the Web services they use like, instant messengers or download clients. Mettle SE keeps the
Internet content distribution in the H.O, clean and safe.

Conclusion:

Mettle SE has been serving the department for many years since its deployment. Mettle SE team is happy to
report that Mettle SE is working flawlessly ever since satisfying the requirement of the department.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News May 2009

2009-05-15T08:37:11Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

May 2009
Volume 2, Issue 5

In this issue:

* Editorial
* IT industry news: Mega Botnet Discovered *
* Mettle SE feature: Port Forwarding *
* Tip of the month: Package Updates *
* Case study: Mettle SE at a prestigious private engineering college *

* Editorial *

Greetings,

Welcome to another edition of Mettle News!

Bots are software robots, which are usually part of a large network of bots, which infect
a computer and lets the botnet controller to control the PC remotely. This month's
industry news is about a extensive botnet which has infected atleast 1.95 million PCs
around the world.

In this edition of Mettle News we will familiarise you with Mettle SE's Port Forwarding
feature. Port forwarding makes a specified port of a computer inside LAN accessible to a
user from a public network. Tip section explains the process of updating installed
packages in Mettle SE as and when updates are available.

This edition of Mettle News brings you the case study of the deployment of Mettle SE at a
famous private Engineering college at Kanjirapally, Kottayam. Mettle SE helped the college
streamline and manage their IT operations and computer lab facilities for engineering
students.

Shoot us your comments and feedback as usual!

Yours truly,

Editor, Mettle News
(mettlenews@mettle.in)

* Industry News: Mega botnet discovered *

At least 1.95 million computers world wide have come under undetected control of a newly
discovered mega botnet. The discovery was made by researchers at Finjan Internet Security
Company based in San Jose, CA. Finjan, noted on its blog that the number of infected
computers it detects is rising every year. Only four out of 39 antivirus products it
tested were able to detect the bots.

Botnet is a term for a collection of codes referred as software robots, or bots, which run
autonomously and automatically. The term is often associated with malicious software but
it can also refer to the network of computers using distributed computing software. While
the term "botnet" can be used to refer to any group of bots, this word is generally used
to refer to a collection of compromised computers (called Zombie computers), under a
common command-and-control center, running malicious software usually installed via worms,
Trojan horses, or backdoors. The largest known botnet, Conficker, has infected over 10
million computers.

The new botnet has infected machines from approximately 77 govt owned domains out of which
51 are US government domains. Finjan revealed that the Botnet is controlled by a 6 member
hacker group based out of Ukraine. Around 45 percent of the bots are in the U.S., and the
machines are Windows XP. Nearly 80 percent run Internet Explorer; 15 percent, Firefox; 3
percent, Opera; and 1 percent Safari. Finjan says the bots were found in banks, large
corporations and as well as consumer machines.

Aside from its massive size and scope, what is also striking about the botnet is what its
malware can do to an infected machine. The bot malware lets an attacker read the victim's
email, communicate via HTTP in the botnet, inject code into other processes, visit
Websites without the user knowing, and register as a background service on the infected
machine, for instance. The bots communicate with their command and control systems via
HTTP.

It appears that the botnet operators may be buying and selling bots or portions of their
botnet based on a communique Finjan discovered on an underground black-hat hacker forum in
Russia.

For further reading please check the link below:
http://www.finjan.com/MCRCblog.aspx?EntryId=2237

* A Mettle SE feature: Port Forwarding *

Port forwarding, sometimes referred to as port mapping, is the act of forwarding an
external network address and port to an internal network address and port. When you have
port forwarding rules set up, Mettle SE takes the data off of the external IP address:port
number and sends that data to an internal IP address:port number. This technique can allow
an external user to reach a port on a private IP address (inside a LAN) from the outside
via a NAT-enabled router.

Following instructions will help you set up a port forwarding rule in your Mettle SE.

1. Go to Firewall --> NAT
2. Select the tab 'Port Forwarding'
3. Interface --> Choose the interface to use. Normally the WAN interface.
4. External Address --> Choose the external address to use for Port Forwarding. Choosing
'Interface Address' will use the WAN IP address. To use a different public IP address
create a Virtual IP address.
5. Protocol --> Choose the protocol, TCP/UDP in most cases.
6. External Port Range --> Give the external port range to be used. Use Alias feature if
multiple ports are to be used.
7. NAT IP --> Enter the LAN IP address which is the target IP address for port forwarding.
8. Local Port --> Enter the port which is the port forwarding target port of the LAN
computer. Usually this is the same port as the external port.
9. Description --> Enter a description for this port forwarding rule.
10. Tick the check box which says 'Auto-add a firewall rule to permit traffic through this
NAT rule'.
11. Click on Save and Apply Changes.

If your ISP has allocated you with a block of IP addresses you can use a different public
IP address from that block instead of your WAN IP address for Port Forwarding. This way
you don't have to reveal the actual WAN IP address of Mettle SE to port forward users. For
doing that you need to define a virtual IP address in Mettle SE.

KB article for port forwarding: http://kb.mettle.in/entry/20/

* Tip of the month: Package Updates *

Updates are made available to packages running inside Mettle SE on a periodic basis. To
update the packages installed in Mettle SE follow the steps below.

1. Go to System --> Packages
2. To see the installed packages click the tab 'Installed Packages'.
3. There will be three buttons next to each installed package - 'x' to remove that
package, 'pkg' to re-install the package and 'xml' to re-install the GUI components of
the package.
4. In the column marked 'Package Version' you can see the version number of the latest
available package and the installed package.
5. To update a package click on the 'pkg' button.

KB article is here: http://kb.mettle.in/entry/45/

* Case Study: Mettle SE at a prestigious private engineering college *

Vertical: Education/Campus
Geography: Kottayam, Kerala

Client Profile:

Our client featured in this month's Mettle SE case study is one of the very prestigious
private engineering colleges in Kerala. Located at Kanjirapally, Kottayam is a large
complex with a built up area of around 6lac square feet on the Kanjirapally - Sabarimala
state highway. The engineering college has nine departments and provide higher education
in domains of Electrical, Electronics, Computer Science, Information Technology,
Mechanical and Civil. Students are provided with a large computer lab facility and is
allowed free Internet access inside the campus. The college is one of the first private
engineering colleges in Kerala to be accredited by AICTE.

Problems:

College LAN subnets are not secured from Virus attacks from the Internet as they don't
have Gateway Antivirus installed in their network. Content Filtering is to be implemented
to filter out offensive content as a part of the acceptable usage policy laid down by the
management. Students Internet access needs to be controlled and time wasting services
like Orkut and chat should be banned. Internet access log needs to be maintained for the
campus. College requires a WAN link management solution for implementing a failover link
for the Internet. Access to other subnets should be restricted for some users, whereas few
privileged users should be able to access hosts on other subnets.

Solution:

A Mettle SE 3700 was deployed at the campus to handle their total IT infrastructure.
Solutions built up with Mettle SE are classified into the following sections:

a. Redundant WAN link with failover
b. Firewalling & Routing
c. Content Scanning & Gateway Antivirus

a. Redundant WAN link with failover

College is served by two different ISP links so as to provide a stable Internet connection
with failover. Both WAN links are of different bandwidth, one is a very high bandwidth
link and the other is a relatively lower throughput link. Both links are terminated at
Mettle SE. Due to unequal bandwidth available for the campus Mettle SE has configured the
links to be in failover mode. The primary WAN uplink is the one with the higher bandwidth
and the secondary failover link duty is assigned to the link with lower bandwidth. Such a
setup has been implemented at the campus to provide best browsing speeds to web users
since all Internet traffic will be sent via the higher bandwidth link. If the high
bandwidth link goes down at the ISP's end, Mettle SE will switch over to the backup WAN
uplink. Browsing speed will be comparatively lower while the main link is down but still
Mettle SE keeps the campus connected to the Internet. Once the primary WAN link is up
Mettle SE will automatically switch over to it.

b. Firewalling & Routing

College campus LAN is divided into 4 different subnets based on their needs and
activities. The firewall engine in Mettle SE secure each local subnet from unauthorised
access from other subnets and from the Internet. Inter LAN routing enables authorised
users from other LAN subnets access to hosts in another subnets. One of the prime
requirements of our client was to prohibit students from using chat services in college
campus, to accomplish this the Firewall blocks access to the ports and IP addresses of the
most commonly used chat servers of the most popular chat services. It is implemented in a
manner that does not restrict the users from checking their webmail accounts but will
prohibit the chat service from working.

c. Content Scanning & Gateway Antivirus

As an educational institution responsible for the activities of it's students it was in
their agenda to block certain web services and web resources available on the Internet.
Such a policy decision has been taken by the management for the benefit and the betterment
of their students. It was decided by the management that certain groups of users should
have an unfiltered access to the Internet and while certain other user groups should have
limited filtered access to the Internet.

To help implement this access policy, different groups of users are created in Mettle SE
and users are added into these groups based on their IP addresses. Each group has a set of
filter rules associated with them. Internet content is served to the users in the
respective groups according to the filter rules set for each group. Students are put in
the filtered group where objectionable content is blocked. Mettle SE provides the system
administrator with a detailed web usage report containing the websites visited and amount
of data downloaded by a user, identified by the IP address, for each date in a neat
tabular form.

To further secure the campus LAN subnets from Internet borne threats and viruses, Mettle
SE with its in built antivirus engine actively monitors the content passing through
the gateway. Virus codes and other threats are identified and blocked from gaining access
to host machines inside campus LAN subnets. The virus definition database in Mettle SE is
always kept updated by Mettle SE automatically.

Mettle SE team is happy to report that the Mettle SE 3700 deployed at the campus has been
working flawlessly ever since meeting the needs of the college management and the system
administrators.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News April 2009

2009-04-15T14:36:41Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

April 2009
Volume 2, Issue 4

In this issue:

* Editorial
* IT industry news: Routers owned by Botnet *
* Mettle SE feature: Packet Capture *
* Tip of the month: Traceroute *
* Case study: Mettle SE at Kerala's leading share broking company *

* Editorial *

Greetings,

This is the first time Internet sees the break out of a worm that is targeted to routers
and DSL modems. This pose a very different type of security issues. This month's industry
news explains the story of "psyb0t".

Case study of the month explains how a stock broking company owned by Kerala-based
conglomerate built their IT infrastructure around Mettle SE. This is yet another success
story of Mettle SE in the Financial Services sector.

Regular "Tip of the month" and "Feature of the month" columns included with information
useful for day-to-day practice.

As usual, we request you to continue sending your feedback which help us to improve this
newsletter.

Enjoy!

Yours truly,
Editor, Mettle News
(mettlenews@mettle.in)

* Industry News: Routers Owned by Botnet *

Security researchers at DroneBL have spotted a stealthy router-based botnet worm targeting
Routers and DSL modems. The worm, called "psyb0t", has been circulating since at least
January this year, infecting vulnerable embedded Linux mipsel devices. Once the malware
takes hold, it locks legitimate users out of the device by blocking telnet, sshd, and web
access. It then makes the devices part of a botnet. The researchers said they first
learned of the worm while investigating DDoS attacks that hit DroneBL's infrastructure two
weeks ago.

The "psyb0t" worm is believed to be the first piece of malware to target home networking
gear. It has already infiltrated an estimated 100,000 hosts. According to DroneBL, the
worm can infect any Linux mipsel routing device (including openwrt/dd-wrt devices)
configured with a weak username/password and has a router administration interface or sshd
or telnetd in a DMZ. It has been used to carry out DDoS, or distributed denial of service,
attacks and is also believed to use deep-packet inspection to harvest user names and
passwords. The worm also helps to identify exploitable phpMyAdmin and MySQL servers.

DroneBL researchers in their blog says, "This technique is one to be extremely concerned
about because most end users will not know their network has been hacked, or that their
router is exploited,". "This means that in the future, this could be an attack vector for
the theft of personally identifying information. This technique is not going away."

Below listed are few peculiar characteristics of psyb0t worm:

* It is the first botnet worm to target routers and DSL modems
* It contains shellcode for many mipsel devices
* It is not targeting PCs or servers
* It uses multiple strategies for exploitation, including brute force username and
password combinations
* It can harvest user names and passwords through deep packet inspection
* It can scan for exploitable phpMyAdmin and MySQL servers

To disinfect the psyb0t worm, reset/power cycle your device, update to the latest
firmware, and use an unique admin user name with secure password to lock it down.

Read more about psyb0t here http://www.dronebl.org/blog/8

* A Mettle SE feature: Packet Capture *

Packet Capture is a tool bundled with Mettle SE which will help the administrator to
better diagnose networking problems. With packet Capture Mettle SE administrators will be
able to diagnose connection issues by analysing packets captured with this tool. Packets
passing through specific interface to/from a particular IP address and/or port can be
filtered and captured for analysis. Using Packet Capture is simple but should you need
help, instructions below will help you.

a) Go to Diagnostics --> Packet Capture
b) Interface --> From the drop down list you can choose the Interface on which the Packets
are to be captured.
c) Host Address --> This value is either Source or Destination IP address. This allows you
to capture packets addressed to or coming from a specific host.
d) Port --> The port can be either source or destination port. This allows you to capture
packets intended for a specific port. If it is left blank packets to all ports would be
captured.
e) Packet length --> The Packet length is the number of bytes packet capture will capture
for each payload. For most scenarios default value would suffice.
f) Count --> This is the number of packets the packet capture will grab. Enter 0 for no
count limit.
g) Level of Detail --> This is the level of detail that will be displayed after hitting
'Stop' when the packets have been captured. This option does not affect the level of
detail when downloading the packet capture. Choose from Normal, Medium, High or Full.
h) Reverse DNS Lookup --> This check box will cause the packet capture to perform a
reverse DNS lookup associated with all IP addresses. This will slow down the packet
capture because of DNS resolution time.
i) Start --> Click on Start Button to start Packet Capture process.
j) Download --> Captured packets will be downloaded into your computer as a "*.cap" file.

The KB article can be found here http://kb.mettle.in/entry/43/

* Tip of the month: Traceroute *

Traceroute is a network diagnostics utility used to determine the route taken by packets
across an IP network. By showing a list of routers traversed, it allows the user to
identify the path taken to reach a particular destination on the network. This can help
identify routing problems or firewalls that may be blocking access to a destination.

a) Go to Diagnostics --> Traceroute
b) Host --> Enter the IP address or the fully qualified domain name of the target.
c) Maximum Number of Hops --> Enter the maximum number of hops allowed before the packet
is dropped. Default is 18, maximum allowed is 64. If destination is not reached with in
default number of hops you may increase the hop number.
d) Use ICMP --> Check the box to do ICMP traceroute. Default is UDP. If default traceroute
doesn't take you to the destination, try with ICMP.
e) Traceroute --> Click on this button to begin traceroute.

The KB article can be found at http://kb.mettle.in/entry/44/

* Case study: Mettle SE at Kerala's leading share broking company *

Vertical: Financial, Shares
Geography: Pan India, HO at Cochin

Our client is a major business house with pan-India presence and diverse products with a
thrust in the financial sector and share market. With the client's sustained efforts to
emerge as a financial supermarket for its diverse customers, the group now makes its foray
into securities trading space making it a natural progression on the company's substantial
presence in Wealth Management Services.

The Group has emerged as one of the India's largest financial group of its kind with
business interests in Seventeen diverse fields, a network of over a thousand branches
nationwide, with more than Ten thousand employees serving millions of customers across the
country. The client with their pan-Indian presence and varied bouquet of products serves
over Forty thousand customers every day.

The client's Corporate Head Office is the hub of all activities and coordinating things
that go on at different parts of the country. To provide high availability to their
services, provide security to their IT operations and make available the resources to
authorised users across the world, the following solutions were proposed.

* Link load balancing
* Mettle SE active failover stack
* Firewall & DMZ
* Gateway Antivirus
* Routing
* VPN
* NAT & PAT

* Link Load Balancing

To run a high availability network system it is mandatory to have a minimum of two WAN
links at the least. The corporate office has two WAN links provided by two different ISPs
and Mettle SEs job is to aggregate the links and provide a load balanced WAN link with
failover. If for any reason a WAN link goes down, Mettle SE re-routes the traffic via the
active WAN link, to provide access to the Internet. Total bandwidth would be reduced when
a link goes down but still the servers would be accessible.

* Mettle SE active failover stack

The client's business is focussed on money management, shares and finance, since this is
an ever changing market the systems should be up and running all the time so as to keep up
with the developments. For such a high availability requirement the client have chosen to
go with a high availability setup using two Mettle SE 3700. These two Mettle SE devices
are configured in an active/standby failover mode where one is the Master device and the
other a Slave device. If in the unlikely event that the master Mettle SE fails the slave
Mettle SE will take over and take care of the network without affecting work done by
users. This ensures that the computer network is up and running all the time without fail
even if a device fails.

* Firewall & DMZ

To provide optimum security to the host machines at the corporate office Mettle SE
implements a security barricade. Firewalling the private network which has the host
computers are placed helps keep the machines safe and secured. A DMZ also has been created
where all of their public access servers are kept. This setup allows servers in the DMZ to
service both internal and external network, while keeping the LAN safe from possible
threats from the Internet. Traffic into LAN and DMZ is monitored by Mettle SE allowing
traffic that is implicitly allowed by the firewall rules. This keeps out suspect and
unauthorised traffic out of the LAN. In the unlikely situation that security of DMZ is
breached, Mettle SE would keep the LAN and critical machines secured.

* Gateway Antivirus

The most common entry point for viruses into a corporate LAN is through the Internet. To
curb the virus infection on a LAN with Internet access it is ideal to implement a gateway
antivirus system that will detect, disinfect or quarantine a threat before it enters the
LAN. Mettle SE has such a gateway antivirus system built in. Mettle SE's Gateway antivirus
engine filters all viruses and worms that come from the Internet before it reach the LAN
subnet. Mettle SE's antivirus engine automatically keeps its virus definitions updated to
identify and quarantine even the latest virus that is out on the Internet. A huge risk of
virus infections of the host machines are thus protected by Mettle SE.

* Routing

Corporate office of the client has two local networks the LAN subnet and the DMZ subnet.
Routing is implemented in Mettle SE which enables the host machines placed in the LAN to
access the servers kept in DMZ. Routing is enabled for the VPN clients which will enable
the remote clients to gain access to the resources available in the corporate local
network.

* VPN

The corporate office uses PPTP VPN service provided by Mettle SE to help connect the road
warriors to office base. Other VPN services provided by Mettle SE are IPsec VPN and
OpenVPN, but the administrator have chosen to use PPTP because of it's user friendliness
and tight integration with Windows operating systems. Executives while on the move can now
connect to the corporate network from anywhere in the world from his/her Laptop. As the
clients connect to Mettle SE they are routed to the right part of the corporate network
that they are allowed to access. Accessing resources other than which is authorised by the
administrator is blocked by the firewall which ensures that the security is not
compromised.

* 1to1 NAT and Port Forwarding

Our client has servers which are hosted in the DMZ and they need to be available on the
Internet with it's own public IP address. Such servers which are hosted in the DMZ are
assigned with a public IP addresses using 1:1 NAT. In this scheme, each private host has a
direct and fixed mapping to a public IP address. Port forwarding allow remote computers to
connect to a specific computer within a private LAN. In Mettle SE port forwarding (PAT) is
enabled to allow an authorised user from the Internet to connect to a specific computer
within the private LAN for administrative purposes or special requirements. Port
forwarding transfers IP packets between the private IP addresses of the computer on a
particular port and a public IP address with a specific port. This ensures that a service
in the host computer can be accessed from the Internet but is secured.

Mettle SE has proved its Mettle in demanding situations such as this; serving our client
reliably round the clock.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News March 2009

2009-03-14T08:46:16Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

March 2009
Volume 2, Issue 3

In this issue:
* Editorial
* IT Industry news: Long AS path causes pandemonium on the Internet *
* Mettle SE Feature: Mettle SE Active Failover Stack *
* Tip Of The Month: Changing Default Web GUI Administration Port *
* Case Study: Mettle SE at the Indian subsidiary of US based Asset Management Company *

* Editorial *

Greetings,

In this month's news letter we present the case study of a client that uses two Mettle SE
devices in two campuses a few kilometres apart.

Learn how to set up a failover stack using Mettle SE in this issue's Mettle SE fail
feature.

As usual we expect your feedback and suggestions which help to improve this newsletter and
the Mettle Range of products.

Thank you.

Yours truly,

Editor, Mettle News
(mettlenews@mettle.in)

* Industry News: Long AS path causes pandemonium on the Internet *

Internet routing is a cooperative effort, routers inform their neighbouring routers about
routing announcements and what they know; the information is relayed all over the world.
The information that is passed around to neighbouring routers are prefixes, which are
blocks of IP address that are routed in the same way. There is often more than one way to
reach a given prefix. Routing announcements relayed by routers include various attributes
so that everyone can choose a preferred path to each prefix; one such attribute is the
Autonomous System (AS) Path, which is the list of organisations (list is the Autonomous
System Number (ASN) of each organisation) that have to be traversed to reach the prefix.

If network administrators don't want routers to select a particular path they artificially
lengthen the path so that it is only chosen as a secondary route. They could effect this
by making the announced path artificially long. The average path length on the Internet is
only around 4 AS numbers. So if the path is made a little bit longer, by one or two AS
numbers, it generally will not get selected and will accomplish the objective of being the
path of last resort.

On Monday, Feb 16th a slight misconfiguration on a Czech company's router slowed down the
entire Internet. The small company briefly caused widespread router problems across the
globe which slowed down the Internet. The problem was caused when the company, SuproNet,
provided a crucial bit of information to other routers telling them how to reach
SuproNet's site or IP address from other locations. In this recent mishap, SuproNet
lengthened its path for its secondary route by several orders of magnitude greater than
was either needed on the Internet. As its routing announcements were propagated over the
Internet, the sheer length of SuproNet's path information caused routers to end their
sessions with the immediate source of that data.

What seems to have happened was a massive buffer overflow. While most core routers of
major ISPs were unaffected, older routers choked by processing the ridiculous path and
sending it on. This caused widespread network disruptions and slowdown around the globe.
While SuproNet's AS path length was unusually long, that alone should not have created the
cascading set of problems around the Internet. Instead the problem has to do with a bug in
Cisco routers that makes its Internetwork Operating System susceptible to problems when
they encounter such long AS paths. These Cisco routers were located all over the world
which made it a global event. The Cisco routers choked on the path and
assumed that the input was junk and broke down connections with the source.

The matter was resolved when SuproNet changed the AS-path information after apparently
being informed about the problems its routing update was causing around the Internet.

For more details:
http://www.renesys.com/blog/2009/02/longer-is-not-better.shtml

* Mettle SE Feature: Mettle SE Active Failover Stack *

Hardware redundancy is a de facto standard of a high availability installation. Hardware
redundancy provides immense reassurance and relief for businesses running mission critical
operations. Active hardware redundancy provides a very high level of reliability which
will keep the operations up and running seamlessly even if a core device fails. For an
active hardware redundancy to work, the participating core devices should support it.
Mettle SE has the support for such a configuration if need arises. Mettle SE implements
active hardware redundancy with the help of Common Address Redundancy Protocol (CARP).

The pre requisites for setting up an active Mettle SE failover stack are:-

1. Two Mettle SE devices, name them as, say, Master and Slave
2. Three IP addresses in local Network for using in LAN side. (One is a floating IP
address)
3. Three IP addresses in WAN Network for using in WAN side.(One is a floating IP address)
4. Two IP addresses from a /28 subnet to synchronise two Mettle SEs. (Sync Network)
5. One dedicated interface in each Mettle SEs for Synchronising (Sync)

The following steps will walk you through the configuration of CARP.

A) Create a SYNC Interface (In both Mettle SE devices):

1. Go to Interfaces --> Assign --> click on + Button. Assign a free interface and rename
it SYNC
2. Connect SYNC interfaces of each Mettle SE's together with a crossover Ethernet cable
3. Give SYNC interfaces two unique IP addresses from the /28 subnet not used anywhere
else.
4. Create a firewall rule in both Mettle SE devices to allow all traffic between SYNC
interfaces.

B) Configure Virtual IPs (In Master Mettle SE):

1. Go to Firewall --> Virtual IPs
2. Click '+' to add a new Virtual IP address
3. Type - select CARP
4. Interface - select WAN
5. IP Address(es) - enter floating IP address reserved for WAN with the correct CIDR
value
6. Virtual IP Password - enter a password
7. VHID Group - enter VHID group number set as 1, or 2 if this is the second CARP
VirtualIP.
8. Advertising Frequency - should be set to 0
9. Description - enter a description for this set of configuration.
10. Click on 'Save'
11. Repeat this same procedure for LAN also, incrementing 'VHID Group'
12. Apply Settings.

C) CARP configuration in Master Mettle SE:
1. Go to Firewall --> Virtual IPs --> CARP Settings
2. Check 'Synchronise Enabled'
3. Use SYNC as 'Synchronise Interface'
4. Check 'Synchronise Rules'
5. Check 'Synchronise Firewall Schedules'
6. Check 'Synchronise Aliases'
7. Check 'Synchronise NAT'
8. Check 'Synchronise IPsec'
9. Check 'Synchronise Wake on LAN'
10. Check 'Synchronise Static Routes'
11. Check 'Synchronise Load Balancer'
12. Check 'Synchronise Virtual IPs'
13. Check 'Synchronise Traffic Shaper'
14. Check 'Synchronise DNS Forwarder'
15. Synchronise to IP - Enter the IP address of the SYNC interface of slave Mettle SE
16. Enter the webGUI password of Slave Mettle SE in 'Remote System Password'
17. Click on 'Save'

D) CARP configuration in Slave Mettle SE:
1. Go to Firewall --> Virtual IPs --> CARP Settings
2. Check 'Synchronise Enabled'
3. Synchronise Interface - Select the SYNC interface created earlier.
4. Save.

E) Verify Settings:
1. Take Status -> CARP
2. Master should show both Virtual IP address as MASTER
3. Slave should show both Virtual IP address as BACKUP

F) Additional Settings:

NAT
1. NAT should use CARP VIP as outgoing IP instead of WAN IP
2. Edit NAT rule and change "Translation" to CARP address

DHCP

Master
1. DHCP should send LAN-CARP address as DNS and GATEWAY addresses.
2. "Failover peer IP" should be the real IP address of slave.

Slave
1. DHCP should send LAN-CARP address as DNS and GATEWAY addresses.
2. "Failover peer IP" should be the real IP address of master.

KB article:
http://kb.mettle.in/entry/18/

* Tip Of The Month: Changing Default Web GUI Administration Port *

In Mettle SE the default protocol the webGUI uses is HTTPS and the default port number is
443. When you use port forwarding using the same WAN IP as your Mettle SE's it will be
necessary for you to change the default webGUI port number from 443 to some other random
number. It's easy to change the default port number of webGUI, just follow the steps
below.

1) Go to System --> General
2) On the page, scroll down to "webGUI Protocol" - The default protocol selected will be
HTTPS. You can make it HTTP but for security reasons leave it as HTTPS.
3) Next item would be webGUI port - If using the default webGUI port 443 this would be
blank. To change the port enter a random port number of your choice.
4) Scroll down and click on Save.

When you try to access the webGUI after this over a WAN link or from LAN you will have to
append the port number after the link address. For example https://192.168.1.1:2222 if the
port number you gave was 2222. It is recommended to use a port number above 1024. Also
avoid well known ports.

KB article: http://kb.mettle.in/entry/42/

* Case Study: Mettle SE at the Indian Subsidiary of US based Asset Management Company *

Vertical: Financial Service
Geography: Trivandrum, India

Our client is the Indian subsidiary of a US-based asset management company, they have two
campuses in Trivandrum located couple of kilo metres apart.

Founded in 1999, the company began with an idea that would revolutionise the services that
financial advisers provide to their clients. Today their capabilities are unparalleled,
merging the expertise of top investment managers, a broad range of fee-based investment
products and an array of enhanced financial technology. Over the years, we have grown into
one of the largest providers of wealth management solutions to independent financial
advisers in the industry, with more than 400 employees in their Chicago headquarters and
offices spread across US and Trivandrum, India.

Both their Trivandrum offices have separate WAN links, Campus A has 2 WAN links and Campus
B has 1 WAN link. Both these campuses are connected together by three redundant fiber
optic links. Both sites needed securing the local network, they needed to provide
authenticated Internet access to employees, and Internet content has to be monitored. At
Campus A the two ISP links has to be aggregated and loadbalanced for better throughput.
Campus B has only one WAN link, so if the WAN link goes down an alternate method has to be
devised to keep the Internet connectivity alive.

Mettle SE was chosen by our client as the 'Silver Bullet' to solve all these challenges.
Mettle SE provides the following set of solutions. At Campus A, two Mettle SE devices are
deployed in active failover mode for very high availability, at Campus B a single Mettle
SE 2400 is deployed. Solutions are categorised into:

* Multiple ISP bandwidth aggregation
* Failover loadbalancing with routing
* Firewall
* Gateway antivirus
* Content scanning
* Authenticated Internet access and Active Directory Integration

1) Multiple ISP bandwidth aggregation

Two ISPs provide Internet connectivity to the company. Campus A has two Internet links
from two ISPs and campus B has only one ISP link. At campus A Mettle SE handles the
bandwidth aggregation and load balancing of the WAN links. Campus A has 2+2 Mbps of
aggregated bandwidth and Campus B has 2Mbps bandwidth. Approximately 200 users across the
two campuses share the 6mbps of total bandwidth across each campus.

2) Failover Loadbalancing with routing

At campus A the two ISP links are terminated at Mettle SE, both ISPs provide 2Mbps each.
The links are aggregated and loadbalanced to provide 4Mbps throughput to the users. If one
WAN link fails Internet traffic would be diverted over the active WAN link automatically.

Campus B is serviced by a single 2Mbps WAN link. Even with a single ISP an active failover
is implemented at campus B in a innovative way. When Mettle SE at campus B detects that
the WAN link is down, it automatically routes Internet traffic to the fiber optic link to
Mettle SE stationed at Campus A. Campus A Mettle SE routes all the Internet traffic from
Campus B through it's loadbalanced WAN links! Thus users in campus B continue to have
Internet access.

3) Mettle Secure: Firewall, Gateway Antivirus and Content Scanning

One of the prime reasons why the client chose our product was to secure their network. For
total security of the local network from the Internet Mettle SE provides impeccable level
of security to the host computers in the local network with the help of three security
services - Firewall, gateway Antivirus and Content Scanning.

At both campuses Mettle SE firewall secures the LAN by blocking unauthorised networks and
host machines from accessing the local network. Host computers in the local network are
also denied access to the Internet directly and they are made to use the proxy service.

The Gateway Antivirus engine within Mettle SE always keep the virus signatures updated.
The company's local networks are secured from worms, viruses and malicious codes
originating from the Internet. Updated virus definitions give no chance for a virus or
worm to sneak past Mettle SE and harm the host computers in the local network. A huge risk
of virus infections of the computers in LAN is thus solved by Mettle SE.

Routing all web traffic from the host machines to the Internet via a proxy service has its
advantages. An organisation would like their employees to use the Internet according to
the acceptable usage policy (AUP). Mettle SE helps the system administrator to enforce the
AUP with Mettle SE's Proxy and Content scanning engines. The Internet usage policy is
enforced at the point of presence of the WAN links, which ensures that unwanted content is
not passed on to the LAN. Content scanning along with authenticated Internet access, which
is explained in the next section, together is a powerful tool to keep a watch over the
Internet usage and to make sure AUP is adhered to by the users.

4) Authenticated Internet Access and Active Directory Integration

Authenticated Internet is a service provided by Mettle SE with the help of Active
Directory which ensures Internet access is given only to authorised users. Mettle SE at
each campus will contact Windows 2003 Domain controllers at each campus. When a user tries
to access a website, a window will pop up asking him to log in to proceed. Once the user
enter the credentials the information is passed to domain controllers and get it verified
by Mettle SE and access is granted in case if the user is authenticated by the Domain
Controller.

A group policy is implemented in Active Directory to force the Mettle SE IP address as the
proxy server to all desktop machines. Each desktop receives the proxy information via
TACACAS from Active Directory, and asks for the user credentials and sends the requests to
Mettle SE proxy server. Default gateway of all desktops is also set as Mettle SE, where it
controls the traffic to the Internet based on the policy.

Our client is completely satisfied with the Mettle SE based solution provided. We are
proud to quote the comment of Mr Jayagopan on Mettle SE.

"You don't need to add n number of modules, you don't need to buy and configure n number
of devices. You don't need to make your network more complex with cables and boxes. You
just get this , configure whatever you want in easy steps, you have everything you need in
the box right in front of you!"

Jayagopan Gopinathan
Technical Lead of Systems
Envestnet Asset Management India Pvt. Ltd.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News February 2009

2009-02-14T10:56:50Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

February 2009
Volume 2, Issue 2

In this issue:
* Editorial *
* IT Industry news: SQL Injection *
* Mettle SE feature: Virtual IP Address *
* Tip of the month: Blocking Yahoo Messenger & Gtalk *
* Case Study: Mettle SE at a Leading ISP *

* Editorial *

Greetings,

Presenting you the February edition of Mettle News.

SQL injection is not a new attack vector. But this technique is still being used by
attackers. This month's news column features such an attack and the victim is a security
company--this means that it can happen to anyone if applications are not carefully coded.

Virtual IP address is one of the popular features of Mettle SE and this is covered in the
"Feature you might have missed" column.

Admins always talk about blocking IM services such as Yahoo! chat and GTalk. "Tip of the
month" column of this issue discusses how to do this with Mettle SE.

Case study of the month covers an interesting story of how an enterprise with state-wide
operations deploys Mettle SE as their multi-technology VPN concentrator.

Enjoy!

Yours truly,

Editor, Mettle News
(mettlenews@mettle.in)

* IT Industry News: SQL Injection *

SQL Injection is not the latest exploit haunting the Internet, but very recently an
attacker, using this exploit, managed to gain access to the customer database of a leading
Anti Virus company (referred to as "company" in this article). SQL injection exploits the
security vulnerability, if present, in the database layer of an application by injecting
carefully crafted SQL statements. The vulnerability is a result of user input being
incorrectly filtered for string literal escape characters embedded in SQL statements or
when user input is blindly trusted and executed.

Using SQL injection an attacker gained access to the databases used by the usa.company.com
website, allowing him to gain access to users accounts, activation codes and possibly
personal data of company's customers. This type of critical flaw can probably be used to
usurp legitimate purchases and renewals of their products - which could include the
linking to malicious and backdoored versions of their software - thereby infecting those
very same customers that were seeking protection from malware in the first place.

To protect against SQL injection, user input must not directly be embedded in SQL
statements. Instead, parameterised statements must be used (preferred), or user input must
be carefully escaped or filtered. Moral of the story? Even people in the security business
have bad days and make mistakes, if they're not careful!

Read more about it here:
http://securityandthe.net/2009/02/08/kaspersky-database-exposed/

* Mettle SE Feature: Virtual IP Address *

One of the coolest features of Mettle SE is that it will allow the usage of Virtual IP
addresses (VIP). A virtual IP address is an IP address that is not connected to any
specific network interface on a computer. Incoming packets are sent to the VIP address,
but all packets travel through real network interfaces. In Mettle SE you can assign
Virtual IP addresses for Proxy ARP, for CARP and for other use (for example for 1:1 NAT).

To set up a Virtual IP address follow the instructions below.

1. Go to: Firewall --> Virtual IPs
2. Click on the '+' button
3. Type --> Choose Proxy ARP/CARP/Other.
3.a. For port forwarding choose Proxy ARP.
3.b. To set up an active failover Mettle SE cluster choose CARP.
3.c. For 1:1 outbound NAT use Other.
4. IP Address --> Enter the IP address.
5. VHID Password --> Enter VHID password (Only for CARP)
6. VHID Group --> Select VHID group (Only for CARP)
7. Advertising Frequency --> Select the advertising frequency (Only for CARP)
8. Description --> Enter the description (Not parsed)

After you have set up a Virtual IP address, you can use it as it is set up for in the
respective Mettle SE configuration page.

Read the KB article: http://kb.mettle.in/entry/32/

In the next issue of the newsletter we will look at setting up a Mettle SE active failover
stack using CARP.

* Tip Of the Month: Blocking Yahoo Messenger and Gtalk *

We have been asked many times by system administers to help them block the Yahoo and
Google chat services on their LANs for policy related reasons. Chat services, even though
very useful, in certain situations, can be counter productive in most environments. To
block the chat services using your Mettle SE follow the instructions below.

Blocking Yahoo Messenger

1. Configure the internal DNS to return 127.0.0.1 for webcs.msg.yahoo.com and
httpcs.msg.yahoo.com

2. Add the DNS names webcs.msg.yahoo.com and httpcs.msg.yahoo.com in the web proxy
server black list.

3. To make it more effective: We recommended to allow only known HTTPS web sites from your
LAN through the Web proxy server. This can be done by entering "**s" (without quotes) in
the web proxy server black list and then add the known "https" sites to the white list.

Blocking Google Chat

1. Configure your internal DNS to return 127.0.0.1 for talk.google.com,
talkx.l.google.com, chatenabled.mail.google.com

2. Also add the above DNS names in the Web proxy server black list.

3. To make it more effective:

Google chat uses the following ports and servers for it's chat service; Ports (80, 443,
5223, 5222), Servers (216.239.37.125, 72.14.253.125, 72.14.217.189, 209.85.137.125)

Create two Aliases and club all the ports together in one Alias and the IP addresses of
the servers in another Alias. Now create a rule in Mettle SE for the local networks where
in you block all the traffic from LAN to google chat servers on the mentioned ports. Use
the Alias you have created in the firewall rules. To block only Google chat file transfers
block the ports 20 & 21.

Read more here:
http://kb.mettle.in/entry/22/
http://kb.mettle.in/entry/23/

* Case Study: Mettle SE at a Leading ISP *

Vertical: Internet Service Provider
Geography: Headquartered at Trivandrum. Kerala

Client Profile:

This month's featured client is one of the leading ISP's in Kerala and one of the pioneers
in Internet through cable. They have more than thirty five thousand customers spread
across different cities and towns in Kerala. They are one of the largest private investors
in Kerala with over Rupees 350 crore in investments consisting of Earth stations, seven
hundred kilometre long optic-fibre backbone and forty thousand kilometre long hybrid
fibre-coaxial cable network spread over cities and towns in the state. They provide
services to corporations, educational institutions and residential customers. They have
set up their own international satellite gateways at Trivandrum and Kochi.

Problems to be solved:

They're a leading ISP providing service to more than thirty five thousand customers.
Handling such a large number of customers produces a huge Customer Relationship Management
(CRM) database that has to be stored at a central location which should be accessible from
area offices. Their existing VPN concentrator device was not keeping up with the high
throughput requirements in addition to that the database server at the central location
needs to be secured and firewalled in a De-Militarised Zone (DMZ). The local network at
the site also had to be firewalled and protected.

Solution:

Mettle SE 4300 was deployed at their administrative office to resolve their IT
infrastructure related issues. Solutions built up on Mettle SE are classified into the
following sections:

Mettle SE as a high throughput VPN Concentrator
Firewall & DMZ

Mettle SE as a VPN concentrator

The servers at the administrative office hold the huge CRM customer back end database used
for administrative purposes. The branch offices spread across the length and breadth of
Kerala need access to this database for billing and for resolving customer complaints.
Earlier the client had another VPN concentrator which couldn't deliver the high through
put required. There are around 75 area offices that connect to the CRM database server.
Mettle SE handles the VPN connections from all 75 area offices simultaneously and provides
high throughput required by the front-end CRM application to pull data from the back end
server. The client and its remote branches prefer to use IPsec and PPTP, provided by
Mettle SE, for their VPN connectivity.

Firewall & DMZ

Mettle SE provides two levels of protection at the administrative office, it secures the
LAN network and provides a secure DMZ. The purpose of a DMZ is to add an additional layer
of security to an organisation's LAN, an external attacker only has access to hosts in the
DMZ, rather than the whole of the network. The publicly accessible servers and database
back end servers are hosted in the DMZ. This allows hosts in the DMZ to provide services
to both the internal and external network, while Mettle SE controls the traffic between
the DMZ servers and the internal network clients. Mettle SE monitors the traffic into
servers hosted in DMZ. The remote users connecting from branch offices are provided
restricted access to the database back end servers for the services they require. Requests
from unspecified public addresses are blocked and any attempts to break into the DMZ is
foiled. In the unlikely situation that an attacker manages to get into the DMZ, hosts in
LAN would still be inaccessible to the attacker. LAN is again secured independently by
Mettle SE firewall and is separated from the DMZ. Mettle SE blocks all unspecified traffic
from reaching the corporate network.

Conclusion:

Mettle SE provides an efficient solution to link together the client's administrative
functions spread over various branches via high throughput VPN. Mettle SE helps to
streamline their customer handling and problem solving by giving quick access to the CRM
database. Mettle SE firewall secures their LAN network from unauthorised access from the
public domains. The firewalled DMZ built with Mettle SE provides an additional level of
security to the LAN. Mettle SE has provided with the best IT infrastructure solution at
their administrative office.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.

Mettle News January 2009

2009-01-16T07:51:45Z

METTLE NEWS
[News letter on Mettle(tm) brand of products; Industry updates, Tips and Case
studies]

January 2009
Volume 2, Issue 1

In this issue:
* Editorial
* IT Industry news: SSL Certificate Forging
* Mettle SE feature: Inbound Load balancing
* Tip of the month: Grey List
* Case Study: Mettle SE at Kerala's Home Grown ISP

* Editorial *

Greetings,

Happy New Year 2009!

New Year break is a good time to make new resolutions in general and it is a
good time to take network security resolutions too. Make sure that you take
adequate measures to protect your digital assets. Your Mettle SE will help
you achieve and maintain that.

Linuxense is committed to help you to maintain your network security. Towards
this, in this new year, Linuxense is offering a free Network scanning
free of cost for existing Mettle customers. Customers who have their Mettle
devices under warranty or AMC shall qualify. Get in touch with your support
contact at Linuxense for details.

***

In this issue of Mettle News we present an exciting case study of India's
leading cable ISP using Mettle SE as its core firewall. And still more interesting tips
and features of Mettle SE included. Enjoy.

Wish you a prosperous year ahead!

Yours truly,

Editor, Mettle News
(mettlenews@mettle.in)

* Recent News in IT Industry *

SSL Certificate Forging

A group of hackers in the U.S. and Europe have found a way to target a known weakness in
the MD5 algorithm to create a rogue Certification Authority (CA)--a breakthrough that
allows forging of certificates that are fully trusted by all modern web browsers. The
research presented by Alex Sotirov and Jacob Appelbaum, at the 25C3 conference in Germany,
effectively defeats the way modern web browsers trust secure web sites and provides a way
for attackers to conduct phishing attacks that are virtually undetectable.

The attack exploits a mathematical vulnerability in the MD5 algorithm, one of the standard
cryptographic functions used to check that SSL certificates (and thus the corresponding
Web sites) are valid. This function has been publicly known to be weak since 2004, but
until now no one had figured out how to turn this theoretical weakness into a practical
attack.

An SSL certificate is a small file which links a real-world entity to a website address
and a corresponding public encryption key. This is presented to a private certificate
authority firm, which is supposed to verify the link between entity and domain name and
then cryptographically "sign" the certificate to vouch for it. The problem arises when
someone else is able to forge the same signature.

Unlike most other security issues, this problem cannot be fixed with a software update.
Sotirov said that the bug is not in the software or the browser. The browser does exactly
what it's supposed to do but what it's told to do is wrong.

By combining this MD5 weakness with other known online vulnerabilities like Dan Kaminsky's
DNS attack, users can be redirected to malicious sites that appear exactly the same as the
trusted banking or e-commerce websites they believe to be visiting. User passwords and
other private data can fall into wrong hands.

The report also provided a list of CAs still offering MD5-based SSL certificates including
RapidSSL, FreeSSL, TC TrustCenter AG, RSA Data Security, Thawte and Verisign.co.jp

Read more of this news at the following pages:

http://news.cnet.com/8301-1009_3-10129693-83.html
http://www.thewhir.com/web-hosting-news/123008_Hackers_Forge_SSL_Certificate
http://blogs.zdnet.com/security/?p=2339
http://www.win.tue.nl/hashclash/rogue-ca/

* A Mettle SE Feature That You Might Have Missed: Inbound Load Balancer *

If you have multiple WAN links you must have been using the Outbound Load balancing
feature in Mettle SE to aggregate the available bandwidth of multiple WAN links. Like the
outbound load balancing, Mettle SE also provides a means for inbound load balancing.
Inbound load balancing is a feature that lets you keep multiple servers in your network
and distributes requests from the Internet across these servers.

Inbound load balancing can be set up in load balancing mode or in mere failover mode like
it is being done for outbound load balancing. To enable Inbound load balancing follow the
steps below.

1) Go to Services --> Load Balancer
2) In the tab "Pools" click on the "+" button

In the load balancer pool editing page:

3) Name -- Give a name to the pool
4) Description -- Enter a short description
5) Type -- Select "Server"
6) Behaviour -- Choose whether the server pool is to be in Load balancing or Failover mode.
7) Ports -- Enter the port number the server listens on
8) Monitor -- Here you select the protocol to monitor. Select TCP
9) Server IP address -- Enter the IP addresses of the servers, one by one, and click on
"Add to Pool"
10) List -- The IP addresses you have added would be listed here. To remove an IP address
select the IP address and click on "Remove from Pool"
11) Click on "Save" when you are finished.

Setup the virtual servers after you have created the pool:

1) Click on the "Virtual Servers" tab inside Load Balancer
2) Click on the "+" button to add virtual servers
3) Name -- Enter a descriptive name for the virtual server
4) Description -- Enter a short description
5) IP address -- Here you enter the IP address of you WAN Link
6) Port -- Enter the respective port
7) Virtual Server Pool -- Here you enter the load balancing pool you have created
8) Pool Down Server -- Enter the IP address of the server in case the pool is down
9) Click on "Submit" button

Before you have the inbound Load Balancer up and running you need to create an "Alias" and
specify the firewall rules.

Creating an Alias. Add the IP addresses of all the servers in the pool to this Alias as
given below:

1) Go to Firewall --> Aliases
2) Click on the "+" button
3) Name -- Enter a name for the Alias
4) Description -- Enter a description
5) Type -- Select Type as "Hosts"
6) IP -- Enter the IP address of the host
7) Click "+" to add another IP address
8) Click on "Save"

Create a Firewall rule to allow the traffic to the servers in the Load balancer pool:

1) Go to Firewall --> Rules
2) Select the correct WAN Interface if you have multiple WAN links.
3) Click on the "+" button to create a rule
4) Action -- Pass
5) Interface -- Make sure that the interface is correct
6) Protocol -- Choose the right protocol, TCP mostly
7) Source -- Define the source
8) Destination -- Select "Single host or Alias" and type the Alias name in the red box.
9) Destination port range -- Specify the port range you have given in the load balancer
pool
10) Description -- Give a description to identify the rule
11) Click on "Save" and apply the changes.

Now your inbound load balancer pool should be active and available from the Internet.

To know more, refer the following KB articles:
http://kb.mettle.in/entry/40/
http://kb.mettle.in/entry/30/
http://kb.mettle.in/entry/17/

* Tip Of The Month: Grey List *

This month we will tell you how you should use the "Grey List" in Mettle SE's Content
Scanner to fine tune the content scanning.

When you use the "Website Category Lists" to block certain type of Internet content on
your Local network you are in fact implementing a blanket block on many websites
suspicious of dishing out inappropriate content. Sometimes it happens that few harmless
websites could also get blocked in the process.

For example, if you block the category "Ads", a good website like "forexample.com" might
get blocked because of the advertisements and keywords found on that website. But if you
unblock "Ads" category it will let forexample.com in along with all other Ad related
website.

To counter this situation you can add "forexample.com" in the Grey List in the Content
Scanner. When you add a domain/URL in the Grey List, Mettle SE will parse the content from
that URL and if it is found to be safe and free from offensive content it will be send to
the requester.

If Black List and White List are two extreme ends of content filtering, the Grey List,
conceptually, takes a moderate middle path (black Listing a web resource will
unconditionally block that particular domain/URL. White Listing would unconditionally let
the domain/URL without parsing the content).

You can read more about Fine Tuning the content scanner here.
http://kb.mettle.in/entry/9/

* Case Study: Mettle SE at a Leading ISP *

Vertical: Internet Service Provider
Geography: Headquartered at Trivandrum, Kerala

Client Profile:

Our featured client in this edition of Mettle News is Kerala's own home-grown ISP. They
are one of the pioneers of Internet-through-cable which has brought always-on Internet
access across Kerala. They are one of the largest private investors in Kerala with
infrastructure consisting of 700km long optic-fibre backbone and 40000km of hybrid
fibre-coaxial cable network spread over cities and town in the state.

They provide services to corporates, educational institutions and residential customers.
They have also set up their own international satellite gateways at Trivandrum and
Ernakulam.

Problems to be solved:

As a leading ISP their customer base is huge. To comply with governmental regulations and
to implement security norms, the Internet traffic generated in their network has to be
filtered before it leaves the ISP and traffic from upstream networks has to be filtered as
it enters the ISP. At the same time there shouldn't be any latency added in the whole
procedure. And the device should be able to handle the vast number of sessions generated.
Being an ISP NOC (Network Operating Centre), downtime is not affordable.

Solution:

Two Mettle SE 5700 devices are deployed at ISP's Trivandrum and Ernakulam NOCs to work as
bridge-mode firewall to take care of their Internet traffic filtering requirements. The
Mettle SE installed at NOCs are of service provider-grade in terms of performance and
ruggedness. The devices can handle 1gbps of traffic on a 24/7 basis with near-wire speed
deterministic performance.

- Zero down time

Each NOC has two redundant power sources powering the devices. To ensure zero device
downtime Mettle SE 5700 comes with rugged redundant power supply units which allow it to
take power from two independent power sources at the same time. Power sources at NOC
undergoes preventive maintenance. It is done by taking down one power source at a time.
The redundant PSU configuration in Mettle SE continues functioning as it can take power
from the second source.

- Firewall

Mettle SE runs as a bridge-mode firewall at the NOCs. Mettle SE has been deployed in a way
that it is invisible to other network devices but at the same time traffic flowing through
it is filtered. Mettle SE devices, at each NOCs, has more than 1100 firewall rules
specified in it as of this writing. Latency is a concern for an ISP since it introduces
delay in processing network traffic which in turn leads to a slow Internet experience for
the subscribers. Mettle SE handles the traffic with minimal latency.

Conclusion:

Though Mettle SE is an integrated network services engine, at this ISP, it is deployed
just as a bridge-mode firewall. This installation is a clear case of how rugged, reliable
and powerful Mettle SE is in a 24x7 service provider environment. This installation is
three-year old and this period is enough to prove how good a device is.

--
We would like to receive feedback regarding the content of this newsletter and
request for articles. Please send in your valuable suggestions to
mettlenews@mettle.in.

--
Mettle and Linuxense are trademarks of Linuxense Information Systems Pvt. Ltd.
Other trademarks belong to respective owners. 2008 (C) Linuxense Information
Systems Pvt. Ltd. All rights reserved.