Tuesday, November 18, 2008

ICND1 Networking Summarization Cont'd

A sudden burst of serenity, I believe life is but what you make it to be. We live in the millennium now, any thing is possible, creation is but at the tip of our fingers....

Now who do you know that dual screens with a blog on a 37" and a dictionary on a 21"? hmmmmm, well, you're reading his notes.

Now to stray from my digression and soak our heads back into the networking world, as I left off:

Ping is an important part of survival with a device: no answer to your request means a diagnosis is required. We just about have every detail and step-by-step instructions on how to set up any service on a machine. The real hard problem is getting it to work interactively with other machines. Imagine a group of people playing a friendly game of soccer, 5 to be exact; they are playing for 2 hours straight, and boom, one of them hurts his leg and is unable to join. Our soccer players are actually nice people who figure out that the only way to include their hurt friend is to play catch in a circle with the ball. Now that is how networking works: you add something new and you use the machine to adapt to the new service, or something is wrong with the machine and you configure it to run the services. Some common mistakes when creating a universal deploy of any application: machines are not reaching each other, which is caused by interference from a machine (shutdown of a machine, user logged off), or another machine doing its job that won't let you do yours. A little advice when handling new installations, setups or whatever... know your network and know it well.

I will be attacking the Datalink Layer:

Another hard part of the puzzle of connection: the MAC address. It's a 48-bit (6-byte) address that has precedence within our networking world. MAC is derived from Ethernet; Ethernet is the standard low bit encapsulation package that has become renowned in the world of networking, screw token ring.

Why is MAC so important? MAC is burned into your network card; each MAC address contains specifics of your NIC. Part of your MAC is learned by our lovely powerful devices called switches, therefore in order to understand a switch clearly you must understand MAC.

Starting from the inside out, I would like you yet again to imagine a picture that I have been looking at for the last 2 years, one that should be so familiar to you that every time it is mentioned you gasp in AH!!, meaning you do understand.

4 PCS attached to 1 SWITCH


SWITCH
------------|-----------
| | | |
PC1 PC2 PC3 PC4

Each is connected to a switch port. What do you know about a SWITCH? Each RJ-45 port is a separate collision domain. The other half of the Data Link Layer is the LLC sublayer; this layer tells the PC, when passing the packet to the physical layer, what lucky protocol will get the job of delivering the packet.

Stick with me here this is important, and I'm not showing you any history to learn, I'm showing modern day logic and fact.

Each PC is on a separate line, and because each has a separate collision domain no (internal) interference will occur. Embedded within MAC/LLC is CSMA/CD, which stands for, and acts exactly as, it sounds:

Carrier : the signal
Sense : detect it
Multiple : equals access (more than one device on the medium)
Collision : two devices at once
Detection : how to handle the collision

to send the signal containing the 1's and 0's to the switch for it to be compiled and understood and sent to the right interpreter to be received.

Damn how I've strayed away from my original question...if you don't remember.... Why do we need MAC.

Well, we'll get there real soon. As for signals a device can send out, there are three:

UNICAST - 1 to 1
Multicast - 1 to many
Broadcast - 1 to every 1

to send to multiple clients, servers, whatever you may be doing within your network. The whole point of this is that MAC traces your PC in a table in order to identify where you are in the network; no, not to spy on you, but to make it easier for the other users to send stuff to your PC. MAC addresses are stored in ARP; ARP is backward compatible with IP and makes a great data link layer protocol in order to send data fast to the recipient.

And to be VERY clear on it: ARP saves time. MAC is saved within your NIC's ARP table, and MAC is saved in the CAM table within switches; this makes the switch intelligent and your PC even more intelligent.

This function of ARP is called gratuitous ARP: sending a broadcast (to 0xFFFFFFFFFFFF) to let every machine on its segment know that it is connected. Most likely the router is notified. ARP (EtherType 0x0806) is encapsulated in the Ethernet frame.
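To make the two facts above concrete (the ARP body rides in an Ethernet frame with EtherType 0x0806, and a gratuitous ARP is broadcast to ff:ff:ff:ff:ff:ff), here is an added example of building and decoding such a frame, plus the table-learning step a host or switch performs. This is my own illustration, not code from the post or the ICND1 course; the MAC and IP values are constructed, and the "MAC changed for a known IP" flag is an assumption about what a defender would want to log.

```python
import struct

# Values named in the post: the ARP EtherType and the all-ones broadcast MAC
ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ip_str(b):
    return ".".join(str(o) for o in b)


def build_arp_frame(src_mac, src_ip, target_ip, opcode=1,
                    dst_mac=BROADCAST_MAC, target_mac=bytes(6)):
    """Ethernet II header (dst, src, type) followed by an RFC 826 ARP body."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op 1=request 2=reply
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += src_mac + ip_bytes(src_ip) + target_mac + ip_bytes(target_ip)
    return eth + arp


def parse_frame(frame):
    """Split off the Ethernet header; decode the ARP body if the EtherType says so."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype,
            "broadcast": dst == BROADCAST_MAC, "arp": None}
    if ethertype != ETHERTYPE_ARP or len(frame) < 22:
        return info
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    off = 22
    sha, off = frame[off:off + hlen], off + hlen
    spa, off = frame[off:off + plen], off + plen
    tha, off = frame[off:off + hlen], off + hlen
    tpa = frame[off:off + plen]
    info["arp"] = {
        "opcode": op,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
        # gratuitous ARP: a host announcing its own address (sender IP == target IP)
        "gratuitous": spa == tpa,
    }
    return info


def learn(arp_table, info):
    """Update an ARP table from the sender fields, the way a host or switch learns.
    Returns True when a known IP suddenly maps to a different MAC (worth logging),
    False otherwise, and None when the frame carried no ARP at all."""
    arp = info["arp"]
    if arp is None:
        return None
    ip, mac = arp["sender_ip"], arp["sender_mac"]
    changed = ip in arp_table and arp_table[ip] != mac
    arp_table[ip] = mac
    return changed


if __name__ == "__main__":
    pc1 = bytes.fromhex("001122334455")          # constructed MAC for PC1
    frame = build_arp_frame(pc1, "192.168.1.10", "192.168.1.10")
    print(parse_frame(frame))
```

A gratuitous announcement is 42 bytes here (14 of Ethernet header plus 28 of ARP); on the wire it would be padded to the 60-byte Ethernet minimum, which `parse_frame` tolerates because it only reads the lengths the ARP header declares.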

----------------------------------
As I could ramble on about the ARP protocol for years, I think this is a sufficient enough post to have you up to par with the common ground of networking....boy is there a lot more to come.......


---All we have is time

Saturday, November 15, 2008

ICND1 Networking Summarization

The studying for my ICND1 has been going rather well; despite some minor setbacks from last week I should be done all my ICND1 videos for my CCENT certification. This blog entry will summarize all 14 videos I have viewed. Where I have skipped any critical information in the course, I will be using my notes and this entry as a reference when reviewing the videos before the exam.

Brace yourself here is what I've got out of 14 videos:


The common question that anyone should ask a network engineer is WHAT IS A NETWORK?

Now before reading on please ask yourself the question and consider.

Okay since you have the answer I will share what I have come up with:

Through civilization we have always striven to come together, build as one, and most of the trying actually got done. Sometimes what got done was by force, but now it is usually compensated with mula, the bucks. As I envision it, like we use cement to build roads and highways, we use wire (copper, coaxial, (air) frequencies) to build roads for information sharing. When we shared information before computing we used the post office, and networking is similar to sending a letter in the mail: the envelope (packet) gets tossed (transmitted) in a bin (NIC card), then carried to the post office (wire) where it's sorted out (by a digital device like a router) and sent to the right destination, and sometimes it must hit multiple destinations before it arrives.

So for a more simple answer a Network is the fabric that ties, through multiple digital devices, information to reach its destination.

Some key attributes in networking:

Switch - Central meeting place for all packets, has separate collision domains

Router - Relays information to the WAN (Internet)

Internet - Multiple routers connected together

WAN - fast link ---AT&T


In order to use a network efficiently, companies and people have needs in order for them to cooperate and operate effectively in today's modern, fast-changing world. The dire commonality is the communication between services within high-end servers. Like humans, computers now have a set of tools with a commonality of standards, which are called ports.

Some well known PORT numbers:

    TCP                 UDP
    21   FTP            53   DNS
    22   SSH            69   TFTP
    23   Telnet
    25   SMTP
    53   DNS
    80   HTTP
    110  POP3
    443  HTTPS

Each port has its function, which should already be known at this stage of the game by the reader, due to the practice of hard school work.

In order to test that things are working properly and things are 'alive', as I like to call it, a ping request is sent to the ports; alive will signal back !!!!!!!.



--------------------
Yes it has to end now I seem to have gone into a mind flux which needs a bit of entertainment.

Stay tuned to next post it will be more dynamic and lengthier.

Wednesday, July 2, 2008

SEC703 1st Lecture

Core Distribution and Access Layers



Router, firewall, DMZ, then another firewall.

The first router does basic access control lists. Standard things to block at the router level: telnet traffic, and secure shell traffic except for specific devices.

Then the firewall gets specific.

Then the DMZ: any device that needs to be accessed from the internet, e.g. web servers and (sales) databases; the web server accesses the database server.

You put your e-mail transfer agent in the DMZ, then the transfer goes inside.

A DNS server in the DMZ, broadcasting the name resolution on the DMZ, receiving info from the internal organization. Look up by name instead of IP; nothing is transferred out. Another firewall behind the DMZ.

Realistically another firewall at the entrance to the data center.

Separate them through blades: firewall blade, different ports for different functions.

VPN blade terminates inside the firewall; VPN access is a secure encrypted tunnel between point A and point B.

-adds a second address header; it will have ENCRYPTED[Application Presentation Session Transport Network] Network Data link and Physical

IDS - specific blade, watches specific traffic at all times, shows you what's going on; you must write the list and implement it.

IPS - writes information to block new traffic, does it automagically.

Honeypots, put in the DMZ to attract hackers.

-------------------------

Traffic shaping aka QoS guards throughput, throttles back specific types of traffic; organizations use this all the time.

Mission critical and non-mission critical data: if info is going slow there's something wrong.

Info that must flow: voice and video, priority.

Internet Proxy - (specific HTTP and HTTPS traffic) a single device buffering and monitoring device; everyone goes through the proxy, all HTTP/HTTPS traffic through the firewall is the proxy device; it will collect the info and send it in to you; 1 line in the ACL; you can put web monitoring tools into the proxy, block stuff.

Networking Devices - talking about controlling traffic

Friday, June 27, 2008

Mitnick - Communications Technology

Mail Drop - The social engineer's term for a rental mailbox, typically rented under an assumed name, which is used to deliver documents or packages the victim has been duped into sending.

Data Classification Policy - the differentiation of securing public and private information

Innocuous - not harmful or injurious, harmless

Information Security Department - ISD
Conducts:
-awareness training
-detail methods

Explanation: Social Engineer Employees

-Lingo| "Use None Sensitive things" [Poker Chip]

Types of Security Violations

Here are some basic component violations in security, from the perspective of the malicious code:

Virus: Typical piece of code that copies itself into a program and executes when the program runs

-modifies other programs
-loss or contamination of data or programs

Worm: Reproduces itself until it slows down or shuts down a computer system or network; does not modify other programs

Clogging or Flooding: Form of a worm
- sending large amounts of bogus traffic to a node until it is clogged and unable to serve a legitimate user. AKA DoS attack (Denial of Service)

Trojan Horse: piece of code that hides itself in another piece of a program

"Think" a simple login screen
Login Code
Hidden Code <--------interlopes exits with no trace (steals info)
Login Code

BOMB: Same as a Trojan
signature: time or logic trigger

Trigger: software routine that, upon detecting the absence of the rogue program's records, initiates actions to damage the system

Trap Door: Allows penetration into the system; can be programmed in code by the programmer. Usually used in case you must get back into the program to fix something. Usually guarded by an authentication process.

Salami: Small alterations of numbers in files full of numbers, distorting the system.

Replay violation: Active attack on a resource.
Entails capturing data, perhaps modifying it, and resending it.

Monday, June 23, 2008

John Searle, The Chinese Room

Philosophy professor at Berkeley, On Intelligence

The Chinese Room:

Suppose you have a room with a slot in one wall, and inside is an English-speaking person sitting at a desk. He has a big book of instructions and all the pencils and scratch paper he could ever need. Flipping through the book, he sees that the instructions, written in English, dictate ways to manipulate, sort and compare Chinese characters. Mind you, the directions say nothing about the meanings of the Chinese characters; they only deal with how the characters are to be copied, erased, reordered, transcribed and so forth.

Someone outside the room slips a piece of paper through the slot. On it is written a story and questions about the story, all in Chinese. The man inside doesn't speak or read a word of Chinese, but he picks up the paper and goes to work with the rulebook. He toils and toils, rotely following instructions in the book. At times the instructions tell him to write characters on scrap paper, and at other times to move and erase characters. Applying rule after rule, writing and erasing characters, the man works until the book's instructions tell him he is done. When he is finished at last he has written a new page of characters, which unbeknownst to him are the answers to the questions. The book tells him to pass his paper back through the slot. He does it, and wonders what this whole tedious exercise has been about.

Outside, a Chinese speaker reads the page. The answers are all correct, she notes--even insightful. If she is asked whether those answers came from an intelligent mind that had understood the story, she will definitely say yes. But can she be right? Who understood the story? It wasn't the fellow inside, certainly; he is ignorant of Chinese and has no idea what the story was about. It wasn't the book, which is just, well, a book, sitting inertly on the writing desk amid piles of paper. So where did the understanding occur? Searle's answer is that no understanding did occur; it was just a bunch of mindless page flipping and pencil scratching. And now the bait-and-switch: the Chinese Room is exactly analogous to a digital computer. The person is the CPU, mindlessly executing instructions, the book is the software program feeding instructions to the CPU, and the scratch paper is the memory. Thus, no matter how cleverly a computer is designed to simulate intelligence by producing the same behavior as a human, it has no understanding and it is not intelligent. (Searle made it clear he didn't know what intelligence is; he was only saying that whatever it is, computers don't have it.)

--Jeff Hawkins, On Intelligence

Saturday, June 14, 2008

SEC520: 10 More

Here are 10 more Security Log Management functions, at both the infrastructure and system levels:

Log parsing: extracting data from a log so it can be used in another part of the logging process

Event filtering: suppress data that is not needed, like the duplication of a record.

Event aggregation: logging identical events as one and counting each occurrence.
Log rotation: rotate logs to make them manageable, e.g. examine archived logs to perform filtering.

Log archival: keeping logs for an extended period of time on a SAN; two types: log retention (archiving on a regular basis), or log preservation (keeping logs that would otherwise be discarded because they contain records of activity of particular interest).
--------------------------
Log compression: reduce the amount of storage space needed (filter)

Log reduction: remove entries of no importance to make the log smaller

Log conversion: convert logs to different formats, e.g. XML or a database

Log normalization: ordered in a particular data representation and categorized consistently; DATES and TIMES in a single format

Log file integrity checking: having a message digest (MD5 or SHA-1) for each file
-------------------------------------
Event correlation: finding relationships between two or more entries

Log viewing: display log entries in a human-readable format

Log reporting: displays the results of log analysis
-------------------------------------
Log clearing: removing all entries from the log that precede a certain date and time. Remove old logged data because what is important has been archived.
-------------------------------------
Syslog is a central framework for log entry generation, storage and transfer; the syslog format classifies messages by importance. Two attributes to consider are the message type, known as the facility (kernel messages, mail system messages, authorization messages, printer messages, and audit messages), and the severity, a value assigned from 0 (emergency) to 7 (debug).
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
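The functions listed above (parsing, filtering, aggregation, normalization of dates, integrity checking) and the facility/severity scheme are easiest to see applied to the three sshd lines just quoted. The following is an added example of mine, not part of the post or the SEC520 course: it decodes a syslog PRI value, parses the sample lines into normalized records, counts them by kind, and produces a SHA-1 digest for the file. The year 2008 is an assumption, since this syslog format carries no year, and the event labels are my own.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime

# The three sample lines quoted in the post (no year is present in this syslog format)
SAMPLE_LOG = """\
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
"""

# Facility and severity codes: PRI = facility * 8 + severity (RFC 3164 numbering)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def decode_pri(pri):
    """Split a PRI value into (facility, severity) numbers; e.g. 38 -> (4, 6) = auth.info."""
    facility, severity = divmod(pri, 8)
    return facility, severity


def parse_line(line, year):
    """Log parsing + normalization: one BSD-syslog line -> record with an ISO 8601 timestamp.
    The caller supplies the year because the format omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s)
    return {"ts": ts.isoformat(), "host": m["host"], "prog": m["prog"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}


def classify(record):
    """Event filtering: label the kinds of sshd message seen in the sample."""
    msg = record["msg"]
    if "POSSIBLE BREAKIN ATTEMPT" in msg:
        return "suspicious"
    if msg.startswith("Accepted publickey"):
        return "auth_success_key"
    if msg.startswith("Accepted password"):
        return "auth_success_password"
    return "other"


def aggregate(text, year=2008):
    """Event aggregation: parse every line, count occurrences per label."""
    records = [r for r in (parse_line(l, year) for l in text.splitlines()) if r]
    return Counter(classify(r) for r in records), records


def digest(text, algo="sha1"):
    """Log file integrity checking: message digest of the file content."""
    return hashlib.new(algo, text.encode()).hexdigest()


def verify_digest(text, expected, algo="sha1"):
    return digest(text, algo) == expected


if __name__ == "__main__":
    counts, records = aggregate(SAMPLE_LOG, year=2008)   # 2008 is an assumed year
    for r in records:
        print(r["ts"], r["host"], r["prog"], classify(r))
    print(dict(counts), "sha1:", digest(SAMPLE_LOG))
```

The digest is only useful if it is stored somewhere the log writer cannot reach (a separate host, or write-once media), which is the same point the syslog weaknesses below make about keeping log servers out of the attacker's hands.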
----------------------------
Syslog security does not conform to the use of basic security controls that would give the logs confidentiality, integrity and availability. Weaknesses the syslog protocol encounters are the UDP transfer of data (anyone can send information to the syslog server: DoS attacks), MITM on the syslog stream, and analysis of the syslog for a vector.
----------------------------
Reliable Log Delivery, TCP
Transmission Confidentiality Protection, SSH TLS
Transmission Integrity Protection and Authentication,MD5 SHA-1
----------------------------
Robust Filtering –handles messages based on programs or hosts that generate a message or RE matching content in the body.

Log Analysis –Use separate add on programs to analysis data

Event Response – Alert admins through pages or e-mails

Database storage logs, log file encryption,

----------------------------
Security Information and Event Management software is centralized logging software; SIEM does its job in one of two ways.
Agentless, which means it pulls logs from the hosts by authenticating to each host and retrieving the logs, or the hosts push log files to the server; this server will then perform event filtering, aggregation, log normalization and analysis on the collected logs.

Advantage: no installation on hosts. Disadvantage: large amounts of data transferred; some need credentials, so you have to install an agent on the host.

Agent-based: all the filtering, aggregation and log normalization is done at the host, then transmitted.

Advantage: all filtering and aggregation done on the host, small load going over the network. Disadvantage: installing agents on every host.

Thursday, June 12, 2008

SEC520: Whizzing About - Senecan

Since I've been too busy \n I haven't been posting ANYTHING OH NO! \t Well I decided I'm just going to go on a snippet| \ spree->(enjoy) since this semester has taught me well...these condensed courses have put me in the mind_frame of shaving the bits off everything and putting it to light,_\ I'm going to share my mini definitions.

10 - Question Answers SEC520:

Services such as firewalls, routers, authentication servers, and intrusion detection and intrusion prevention systems provide logs with useful information for security purposes.

System Events - ex: LDAP/Kerberos authentication responses for services, error codes; user accounts and system accounts with an event are logged and checked for any suspicious activity.

Audit Records - pertain to more administrative tasks that are generated and logged, ex: security policy changes, policy folder/file access, account changes

Client requests and server responses are logged in order to check on a person's transactions between systems when accessing/using certain resources or networked resources, ex: e-mail, web browsers, business applications.

Account Information: checks the failed authentication attempts, account changes, and use of privileges. This also identifies any malicious attacks toward the account and the use of what applications used by the client.

Usage information: checks the number of transactions occurred in the case that any malware threat or anything abnormal in size might indicate suspicious activity such as the transfer of company internal information.

Significant operational actions: checks application startup and shutdowns, application failures and major application configurations changes

Log management is necessary to provide sufficient detail of processes for an appropriate period of time. This will enable revision of logs in order to identify any security incidents, policy violations, fraudulent activity, and operational problems shortly after the initial occurrence.

Log Generation: Hosts generate log data; they are retrieved by logging client applications, services that are automated retrieving processes either by authentication or networked log servers.

Log Analysis and Storage: receive the log data from the hosts, gathered in real time, near real time, or batches; the servers are often called collectors or aggregators. (Multiple: 1 analysis, 1 storage)

Log Monitoring: Analysis of the data and generation of automated reports.

Monday, May 26, 2008

SEC520W2L2

PAM Today

AAA Friday,

Next week hardening Linux, he will rejig Lab5 and Lab5b


Tuesday next week is a lab day

He moved the test from this week to the 27th; till the end of week 3 the test is up to


Chapter 5 and the intrusion discovery, and Hardening Linux

Put off the take home tank lab,

Finish up to lab 4 by Friday,


When he says it's due, he is going to take the open boodle, PDF file report and upload it to open

And he will mark it online, and you must upload it by the due date


NO disaster recovery,

Test is on exploits and the text, the stuff we do in labs,



A lot of the labs are about PAM.

This week: Access Control.

Linux comes with a lot of services working independently.

Till PAM came along, in terms of authorization and authentication you would have to do everything independently.

PAM is basically a system where you can set all the authentication parameters through one program and have it affect all the services.


There's a directory pam.d; there used to be pam.conf, one file with the services. PAM is the same idea as xinetd.d: whatever you want to control with PAM, you put the config in the directory. There's another file called "other" that is the default that will handle the services. It comes in modules. Modules use permissions and passwords.

Is the password strong enough? You can determine whether the auth is going to fail or give a warning: you might say they have a weak password and let them in, or "password weak, you cannot go through". You can do this all through PAM.


If you look at PAM it carries a lot of files, and you can also see all the services that have configuration files; the default is "other".

Looking at the files (e.g. the login one) we can see four interface types; there's AUTH. This is called stacking modules: the login process uses 11 modules, and the modules are executed one at a time. The first thing is authentication (auth). After that: "required" means this must succeed or the login fails, but the rest of the stack still runs, so if a required module fails the login fails in the end; "requisite" means if this fails the login fails and it stops right there.

Optional will give a warning.


Sufficient means that if this one succeeds, that is enough and the login passes.

So you have the interface, the parameter for how it will work, then the module. To find out how they work you gotta do research on the module; some are commonly used and some aren't.

system-auth is used often; after the module there are parameters that are sent to the module.

You can find out on the net how these work; if you look at the links in the course notes you can look at everything and see what it says.

Going through the lab, do backup reading and see what it does; no ignorance!

We will look at password checking and setting criteria for authentication for the needs at the time. We are looking at the basics of using one thing you always do: make sure ssh does not allow root login. People will try to brute force the password for root login; never log in as root through ssh, or log in at all if exposed to the net.

PAM solves the previous problem.
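The control flags (required, requisite, sufficient, optional) are the part of a pam.d file that trips people up, because the outcome depends on the order of the stack and on which flag short-circuits. The following is an added example of mine, not code or a config file from the lecture: a small Python model of how Linux-PAM walks an auth stack, applied to a constructed stack that refuses root over ssh (the lecturer's "one thing you always do") and otherwise accepts a correct Unix password. The module names and the `ctx` dictionary are my own; real PAM modules are shared objects, not Python lambdas.

```python
def evaluate_stack(stack, ctx):
    """Run a PAM-style stack top to bottom. Each entry is (control, name, check);
    check(ctx) returns True when that module succeeds. Returns (ok, executed).
    Modelled on Linux-PAM's rules: required failures are remembered but the
    stack keeps running; requisite failures stop it; sufficient successes end it
    early unless a required module already failed; optional only counts when
    nothing else has decided the result."""
    executed = []
    impression = None   # None: undecided, True: positive, False: a required module failed
    for control, name, check in stack:
        ok = bool(check(ctx))
        executed.append(name)
        if control == "required":
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False            # remember the failure, keep going
        elif control == "requisite":
            if not ok:
                return False, executed        # fail and stop right here
            if impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True, executed         # enough: skip the rest of the stack
        elif control == "optional":
            if ok and impression is None:
                impression = True
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return impression is True, executed


# Constructed auth stack (not a file from the lecture): refuse root over ssh,
# accept a correct Unix password, otherwise fall through to an explicit deny.
AUTH_STACK = [
    ("requisite", "deny_root_over_ssh",
     lambda c: not (c["user"] == "root" and c["service"] == "sshd")),
    ("sufficient", "unix_password", lambda c: c["password_ok"]),
    ("required", "deny", lambda c: False),
]


def login(user, service, password_ok):
    """Evaluate AUTH_STACK for one login attempt; returns (allowed, modules_run)."""
    return evaluate_stack(AUTH_STACK, {"user": user, "service": service,
                                       "password_ok": password_ok})


if __name__ == "__main__":
    for args in [("alice", "sshd", True), ("alice", "sshd", False),
                 ("root", "sshd", True), ("root", "login", True)]:
        print(args, "->", login(*args))
```

The trailing `required deny` is the idiom that makes "sufficient" safe: if `unix_password` fails, nothing earlier has produced a positive result, and the stack must not end in an undecided state that a permissive default would turn into access.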

Wednesday, May 21, 2008

SEC520 Types To Regard As Security Personnel

You always need to access something. Say you want to print: you must switch to partial system administration, your software uses the network; it's controlled, but parts are making use of kernel states that have admin control.

Hackers will break the software right when that's happening; if they do that they can break the shell and have access control of that process, and that's one way of escalating privileges, and that's where the loopholes are. It's like the CGI programs: it does things that a user cannot do, and that's an escalation of privileges. Implementing this is really hard; because it's so hard it's always going to be flawed. The trick is not to have it perfect but not to be the low hanging fruit; the bigger the value of the prize the more stringent you have to be: if they can make 10 million they will spend 1 million.

You come up with policy rationale three things to think of ,


One thing is

1. Due Diligence - your legal obligations, protect it

2. Risk Analysis - cost of benefit: "How much will it cost and how much am I going to lose"; intelligent guessing

3. Exceed the Standards - Why? Bear chase phenomenon: if you're in a party of campers you try to be faster than the other people,

History:

In the beginning of computers there were no passwords; it wasn't an issue originally. The first computers were batch operated: they do one job at a time. A computer center would be in a basement with banks of memory the size of a huge cabinet, and you would submit your punch cards, so one job at a time controlled by an operator; with one job at a time you couldn't cross boundaries. "Think": MIT came up with the concept of time sharing: not every process is busy all the time (there's I/O), so time is split into chunks and everyone had a dumb terminal connected to a big centralized machine. What happened was that some people were getting access to things they weren't supposed to, and there were errors where data would get overwritten, because there was no access control; in the early days they didn't know, so they came up with access control and passwords. People didn't like the idea of the machine controlling what they could do; suddenly the system would dictate to them, and it was a huge loss of freedom (Richard Stallman). There was quite a resistance against passwords; then they broke into the password file and tried to live in access. One famous incident: someone was setting the login procedure, and when he looked at the login, a password file would come up.

Somewhere there is a password file, like /etc/passwd in Linux; when you log in, the login program must have access to the file to see if you're there. It used to be user name and password; what they came up with is a one-way hash (cryptographic technique): the user puts in a password and it is given to a hashing algorithm (MD5); if you give this the same input it will come out with the same output, so they store the hash of the password instead of the password itself. What's stored is not the same as what is put in.
2 characteristics:

1. It cannot be reversed:
if I have this (the hash) I can't figure out this (the password).

2. A given input always produces the same output.
2a. Any change to the input, however small, produces a completely different output.

If I change 1 letter the output will be completely different.
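Those two characteristics, and the logging rule that follows in the notes, are easy to check in code. The following is an added example of mine, not from the lecture: it shows the same-input-same-output and avalanche properties on digests, a password record that stores a salted hash rather than the password, a verification routine, and an audit line that never contains what the user typed. The per-user random salt and the constant-time comparison are additions beyond what the lecturer described; the lecture names MD5, which is why `digest_hex` defaults to it for the property demonstration, while the stored record uses SHA-256.

```python
import hashlib
import hmac
import os


def digest_hex(text, algo="md5"):
    """One-way hash of the input. The lecture names MD5; any hashlib algorithm works."""
    return hashlib.new(algo, text.encode()).hexdigest()


def bit_difference(hex_a, hex_b):
    """Number of differing output bits between two digests of the same algorithm,
    to show that a one-letter change scrambles the whole output (characteristic 2a)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def make_record(password, salt=None, algo="sha256"):
    """Store salt + hash, never the password. The random per-user salt is an addition
    beyond the lecture: it stops two users with the same password sharing one hash."""
    salt = os.urandom(16) if salt is None else salt
    h = hashlib.new(algo, salt + password.encode()).hexdigest()
    return {"algo": algo, "salt": salt.hex(), "hash": h}


def verify_password(record, attempt):
    """Re-hash the attempt with the stored salt and compare in constant time
    (characteristic 2: same input, same output, so the hashes match)."""
    h = hashlib.new(record["algo"],
                    bytes.fromhex(record["salt"]) + attempt.encode()).hexdigest()
    return hmac.compare_digest(h, record["hash"])


def audit_line(username, success, source_ip):
    """Log who and where from on success; on failure withhold the username as well,
    since a password typed into the username field would otherwise land in the log."""
    if success:
        return f"login success user={username} from={source_ip}"
    return f"login failure user=<withheld> from={source_ip}"


if __name__ == "__main__":
    a, b = digest_hex("secret"), digest_hex("secreT")
    print(a, b, bit_difference(a, b), "bits differ")
    rec = make_record("correct horse")
    print(rec, verify_password(rec, "correct horse"), verify_password(rec, "wrong"))
```

For real password storage a deliberately slow construction (bcrypt, scrypt, PBKDF2 or Argon2) replaces the plain salted hash, because a fast hash is exactly what a brute-force attempt wants; the properties the lecture lists are necessary but not sufficient.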

Have a good logging system; everything being keyed is cached in the buffer and waiting to be given to the hash.

The other thing to realize is that in login you shouldn't log the password, which also means not logging user names with failed attempts.

You want to store them from successful ones: you want to know who they were and where they came from. Something simple becomes complex.

You remember the CIA: if you kick your users off the system because they're making mistakes you are failing accessibility. Once they solved that stuff, what's the weakest link? The first element, the employee: social engineering. They will use passwords that are easy, or attackers can use social engineering. Have education and a user-friendly policy that is easy to understand, and educate the user on why the policy is important; you can do this well. SEC625 is the human side of security.

Issue of sniffing:

Don't use telnet, use ssh; make sure you have SSL happening; any password on the wire should be encrypted before going on the wire.

Shoulder surfing: someone watching you type.
The asterisks can be greyed out.

Other types of sniffing: one of the links, Think Geek, is a key sniffer; if it goes on a PC keyboard it's a key logger.

Monitor Radiation, Vantek, if you invest something monitoring e


Keyboard timing attacks - you can decrypt them.

Cost benefit analysis.

The Trojan login: think of when you log in, you see a prompt for user name and password; it's not hard to duplicate that. Here's what you can do if you have access: you leave the screen on, so write a program so your program runs in place of the login, then you present an error, then it passes it to the system.

Ettercap is an evil program; it makes it easy for man in the middle attacks, inserting yourself between the browser and the server; it makes ARP poisoning easy. Knowing this, if you're on a LAN with strangers you should not do anything that's private.

Authentication factors, three factors of authentication,
1. Something you know the most common example is a password
2. Something you have – token key
3. Something you are – bio metrics

First, passwords: they are easy to implement, no need to buy hardware or software. Weakness: people choose weak passwords, we all know this.

Second, tokens. Strength: only someone who has it can log in.

Weakness: it can be forgotten (come to work without your token and you cannot log in), stolen, requires extra hardware (you have to install a token reader on every machine), and if you use a special card or device it can be expensive.

3. Biometrics - easy to fool; you can't get 100 percent, and the higher the percent the more it costs. If it's easy, it can be interfered with. You need a huge database; something the general public is using needs a huge database. If they're checking your finger at the border, what kind of pipeline would you need? So you need to think about things like this; they can take photos of your eyes.

ATM strategy

Well, in today's world everything is moving fast; we are all learning and re-learning new things over and over. Before I start I wanted to ask the class why they think emerging communication technologies are here. Basically, why do we need them?

Well, Uyless Black, a lecturer on communications technologies, says:

Today emerging technologies are here to overcome the deficiencies of the current technologies. Each new technology must meet the needs of applications

What he's basically saying is we don't need faster computers, we don't need faster applications, WE HAVE THEM and they are advancing at a millisecond rate; we need better communications between systems to be more accurate between wide and local area networks.

We chose Asynchronous Transfer Mode not because it's just any protocol: it's the mother of all protocols, and you will learn why in just a few minutes.

Just to define how some of the information is handled before it actually transmits data: PMD synchronizes the transmission and reception of the connection and maintains a continuous flow, and TC allows devices to locate cells within a stream of bits.

Now I know what you guys are all thinking: how then is this information directed? Well, first, in front of the information you want to send there is a header which contains all the specifications about the load that will come after it. This is similar to an envelope. What do you need for an envelope? A stamp, a mail address and an optional return address; you might even need two stamps!

So when you're first going to send out your letter you put the right information on the top, then drop it off at the closest mail box. After the header there is the payload, and we can see this as similar to the mail carrier that carries all your letters and delivers them to the right destination; and like your envelope, when they reach their destination the name on the envelope is the person you want to be reading your message. That is similar to what the payload incorporates.

Now you're thinking: I've got the envelope, I wrote the letter, but then who's going to carry my letter to my friend? Well, actually you don't care, but for ATM, and as a technician, you must know which device you're going to hook up.

You basically use switches/bridges; they are two devices but are usually now embedded into one, and perform functions based on what is inside the header and payload. Now we know how it's directed and how it's carried; now how is it handled?

Well, inside each header there are bits called the VC and VP; each of these is similar to a telephone number, but only regarded by each switch/bridge/router locally, with no significance when transmitted except during the process in the switch where it translates that number to the right path in the opposing network.

Sunday, May 18, 2008

INT525 Compile Process

Just some stuff I've been working on... you know, this one actually is good instructions... Apache installation.

Creating symbolic links to start up Apache: S__ (start) and K__ (kill) links in the init rc directories.

We download the source tarball.

Untar it with tar -xzvf.

Make sure no one can log in to a service account: set its login shell to /bin/false.

7 fields per user in /etc/passwd.

Every daemon account gets /bin/false.

When installing we use an unprivileged user.

Do not do this as root.

make
make test

Make a dedicated directory to deal with your source code:

/exp/src

Your configuration needs:

Document root
Server root
Where to extract the binaries
The executable directory (change it from the default)
Configuration files
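As an added example, not part of the original notes, here is a small POSIX shell script covering two of the post-install steps from the list above: creating the S__/K__ rc links for the Apache init script, and auditing /etc/passwd for the 7-field rule and for daemon accounts that still have a login shell. The service name apache2, the run levels, the S85/K15 numbers, the uid range 1..999 and the passwd sample are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): two post-install checks for the
# Apache build described above. Paths, run levels and the uid range are assumptions.

# install_rc_links ROOT SERVICE LEVEL...: create SysV-style start/kill links.
# Run levels 2, 3 and 5 get an S85 (start) link; the others get a K15 (kill)
# link. ROOT is the directory holding init.d and rcN.d (normally /etc).
install_rc_links() {
    root=$1; svc=$2; shift 2
    for lvl in "$@"; do
        mkdir -p "$root/rc$lvl.d" || return 1
        case $lvl in
            2|3|5) ln -sf "../init.d/$svc" "$root/rc$lvl.d/S85$svc" ;;
            *)     ln -sf "../init.d/$svc" "$root/rc$lvl.d/K15$svc" ;;
        esac
    done
}

# Constructed /etc/passwd sample (not from a real host): a correct root entry,
# a locked daemon, a service account that can still log in, a normal user,
# and a malformed line with only six fields.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www:x:33:33:www-data:/var/www:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/bash
broken:x:1001:1001:missing field:/home/broken'

# check_passwd TEXT: print one line per problem and return 1 if any was found.
# Every entry must have exactly 7 colon-separated fields, and every system
# account (uid 1..999, an assumed convention) must have a non-login shell.
check_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7 { printf "line %d: expected 7 fields, got %d\n", NR, NF; bad = 1; next }
        $3 + 0 > 0 && $3 + 0 < 1000 &&
        $7 != "/bin/false" && $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" {
            printf "line %d: system account %s has login shell %s\n", NR, $1, $7; bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: build the links in a scratch tree, then audit the sample.
scratch=$(mktemp -d)
install_rc_links "$scratch" apache2 0 2 3 5 6
find "$scratch" -type l
rm -rf "$scratch"
if check_passwd "$SAMPLE_PASSWD"; then echo "passwd: clean"; else echo "passwd: problems found"; fi
```

The awk audit is the same check you would run against the real file with `check_passwd "$(cat /etc/passwd)"`; the uid cut-off is a distribution convention, so adjust it to the one your login.defs uses.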
All of these can be given as command-line switches to configure, but it is easier and quicker with config.layout. The entry below is a SuSE 6.x layout; in config.layout each layout is wrapped in a <Layout NAME> container so that configure can select it by name:

# SuSE 6.x layout
<Layout SuSE>
    prefix: /usr
    exec_prefix: ${prefix}
    bindir: ${prefix}/bin
    sbindir: ${prefix}/sbin
    libdir: ${prefix}/lib
    libexecdir: ${prefix}/lib/apr
    mandir: ${prefix}/share/man
    sysconfdir: /etc/httpd
    datadir: /usr/local/httpd
    installbuilddir: ${datadir}/build
    includedir: ${prefix}/include/apr
    localstatedir: /var/lib/httpd
    runtimedir: /var/run
</Layout>


buildconf (first time only: inspects the system and adjusts the source tree appropriately)
./configure (command-line switches; select the layout with --enable-layout=SuSE in httpd 2.x, --with-layout in the older 1.3 tree)
make
make test
make install (don't do this here)
make clean

We are done, unless we want to compile some modules statically or change the DSO build: to load modules dynamically we must compile in mod_so.

Run a shell script to automate this; make your modifications to it and run it.

Tuesday, May 13, 2008

INT525W2L2

Modules: you can add them dynamically or statically.

Statically: part of the httpd binary.

mod_so is required if you want the rest of the modules linked dynamically (as DSOs).

DSO vs static


mod_speling (spelled with one l) is a simple module that forgives one typographical mistake in the resource you are requesting: cgi-bin without the hyphen would be an error, and mod_speling will correct it.

mod_alias gives you the ability to alias a directory.

ScriptAlias is like Alias with executable power: everything under the target runs as a CGI script. The advice here is not to use it, because it does not give you the control and flexibility that Alias plus a Directory container does.

Talk about the basic directives in Apache we know, and some of the modules that supply them.

When a request comes to a website you are virtually hosting, the main thing that must be set is a principal host, which you might call default or main.

If a request asks for an IP the server does not know, or a name (Host: header) that none of the name-based virtual hosts know, there has to be a default way to handle the request. One of the metrics is that the server must be robust and must be forgiving of errant behaviour.

When it does not know the name, the default behaviour hands the request to the main server (the first VirtualHost listed for that address and port).

We need to learn this simple procedure: this is the default place to go when a request comes in for a name we are not serving, and this is the place to go if we are not servicing that IP.

What needs to go into the virtual host container for the main or default server:

ServerRoot: the parent of the Apache binary tree.




LockFile /var/log/apache2/accept.lock



IfModule: directives are all supplied by modules, and IfModule containers form a nested tree, a fork in the config. Where the same directive is set twice, the later one holds true: the last declaration has more authority, higher precedence.

Which one has higher precedence? The example is not particularly authoritative, but the IfModule containers really do fork the decision tree, not at run time while the service is running but once, when the configuration is read at startup: we either go around the block or go through it.

So the binary is the httpd executable.

The name inside <IfModule worker.c> is the module's source file name (worker.c, prefork.c, mod_ssl.c), not a statically linked component of the kernel; the condition is true when that module is compiled in statically or has been loaded with LoadModule.

This is what IfModule buys you: if you move the config to another machine and recompile without that module, the server won't blow up simply trying to start; it will just not do those things.



This is the global configuration file, httpd.conf.

The parent process reaps the child processes.

MaxSpareServers / MaxSpareThreads initiates the reaping of idle children.

MaxClients = maximum simultaneous requests.

worker.c

443 is SSL (https).

<Directory "/export/srv/www/vhosts/main/htdocs">
    AllowOverride None
</Directory>

Main => all FQDNs not matched by another virtual host
Perl


worker.c
A typical configuration of the process-thread controls in the worker MPM could look as follows:
ServerLimit 16
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25

StartServers is how many child processes are launched when the server starts. ServerLimit is the hard upper bound on the number of child processes for the life of the server, so it must be greater than or equal to MaxClients / ThreadsPerChild (if it is lower, Apache lowers MaxClients to ServerLimit x ThreadsPerChild and logs a warning).

MinSpareThreads and MaxSpareThreads bound the number of idle threads across all processes; the server forks or kills child processes to keep the idle count within that range.

MaxClients is the maximum total number of worker threads in all processes, i.e. the maximum number of simultaneous requests.

MaxClients / ThreadsPerChild = child processes needed at full load

150 / 25 = 6

ThreadLimit must be greater than or equal to ThreadsPerChild.

On Unix the parent process is started as root so that it can bind to port 80 (a privileged port, below 1024); the child processes and threads that actually serve requests run as the less-privileged User and Group.
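The following is an added example (not from the lecture) that turns the rules above into a check: a shell script that reads the worker MPM directives out of a constructed httpd.conf fragment and flags a ServerLimit, ThreadLimit or spare-thread setting that would make Apache quietly cut the numbers you asked for. The sample values are the configuration above; the defaults are the ones documented for the 2.2 worker MPM.

```shell
#!/bin/sh
# Added example, not from the lecture: a sanity check for the worker MPM
# process/thread directives. It reads an httpd.conf fragment and applies the
# rules in the notes: ServerLimit >= MaxClients / ThreadsPerChild,
# ThreadLimit >= ThreadsPerChild, MinSpareThreads <= MaxSpareThreads, and
# MaxClients a multiple of ThreadsPerChild.

# mpm_get FILE DIRECTIVE DEFAULT: last value of DIRECTIVE in FILE, else DEFAULT.
# Apache directive names are case-insensitive, so compare in lower case.
mpm_get() {
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { v = $2; found = 1 }
        END { print (found ? v : d) + 0 }' "$1"
}

# check_worker_mpm FILE: print each violation, return 1 if there was any.
# Defaults are the 2.2 worker MPM defaults.
check_worker_mpm() {
    cf=$1; bad=0
    sl=$(mpm_get "$cf" ServerLimit 16)
    tl=$(mpm_get "$cf" ThreadLimit 64)
    mc=$(mpm_get "$cf" MaxClients 400)
    tpc=$(mpm_get "$cf" ThreadsPerChild 25)
    minst=$(mpm_get "$cf" MinSpareThreads 75)
    maxst=$(mpm_get "$cf" MaxSpareThreads 250)
    [ "$tpc" -gt 0 ] || { echo "ThreadsPerChild must be positive"; return 1; }
    children=$(( (mc + tpc - 1) / tpc ))     # processes needed to reach MaxClients
    if [ "$sl" -lt "$children" ]; then
        echo "ServerLimit $sl < MaxClients/ThreadsPerChild = $children: MaxClients will be cut to $(( sl * tpc ))"
        bad=1
    fi
    if [ "$tl" -lt "$tpc" ]; then
        echo "ThreadLimit $tl < ThreadsPerChild $tpc: threads per child will be cut to $tl"
        bad=1
    fi
    if [ "$minst" -gt "$maxst" ]; then
        echo "MinSpareThreads $minst > MaxSpareThreads $maxst"
        bad=1
    fi
    if [ $(( mc % tpc )) -ne 0 ]; then
        echo "MaxClients $mc is not a multiple of ThreadsPerChild $tpc: lowered to $(( mc / tpc * tpc ))"
        bad=1
    fi
    return $bad
}

# write_sample_conf FILE: constructed httpd.conf fragment with the lecture's values.
write_sample_conf() {
    cat > "$1" <<'EOF'
<IfModule worker.c>
    ServerLimit         16
    StartServers         2
    MaxClients         150
    MinSpareThreads     25
    MaxSpareThreads     75
    ThreadsPerChild     25
</IfModule>
EOF
}

# Stand-alone run against the sample.
sample=$(mktemp)
write_sample_conf "$sample"
if check_worker_mpm "$sample"; then echo "worker MPM settings: ok"; fi
rm -f "$sample"
```

Point it at the real file with `check_worker_mpm /etc/httpd/httpd.conf`; a non-zero exit means Apache would start, but not with the capacity you thought you configured.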



#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User daemon
Group daemon



MaxRequestsPerChild controls how frequently the server recycles processes, by killing old ones and launching new ones.

worker.c
Description: Multi-Processing Module implementing a hybrid multi-threaded, multi-process web server. It retains much of the stability of a process-based server by keeping multiple processes available, each with many threads.

Or

prefork.c
A non-threaded, pre-forking server: one process per request. It is also the best MPM for isolating each request, so that a problem with a single request will not affect any other.

Directives and declarations

Declaration = ServerName

Directive = alias this directory there

Directives that configure the relation between parent and child:

ONE PARENT


worker.c has a different parent/child model than prefork.c.
worker.c uses ThreadsPerChild, which controls the number of threads deployed by each child process, together with MaxClients;
prefork.c uses MinSpareServers and MaxSpareServers, which spawn single-threaded child processes that are independent of each other.
Threads in worker share one process and work as a stream; each prefork child is a separate entity handling one request at a time.


The first thing you will run out of with worker.c is CPU; with prefork.c it is memory.

Remember to check
http://httpd.apache.org/docs/2.2/mod/prefork.html
http://httpd.apache.org/docs/2.2/mod/worker.html

SEC520W2L1

Exploits: things that can go wrong.


Five years ago it was script kiddies; now it is criminal activity and it has really changed. Over the next few years it is going to change again.


The change from operating-system attacks to application attacks: when you have applications you have a lot more variables than when dealing with the OS, many more applications and all doing different things. The OS is straightforward; applications are dynamic.


You still have the same things the attackers will do.

What is a DoS?

CIA

Confidentiality

Keep it secret.

Integrity

The information in the data is what it should be; for instance, you look at your bank account and you want to know the numbers are really there.

What it should be, when it should be.

A lot of it has to do with who changed it and who can change it.

Identity: how do you prove someone is who they say they are?

Accessibility (availability)


Available when it is needed, in a timely fashion.

DoS denies accessibility.

DDoS: Distributed Denial of Service.

One way is to break the software; another common one is not breaking the software but overloading or clogging the pipe to it.

This is where DDoS and botnets come in: one central system controls many computers, so that no one can access the service.

Basic DoS has mostly been performed by kids in basements or unhappy employees. DDoS has been used for extortion: if your site is shut down it can cost you $30,000, so it can be a real problem, and it has been in some places.


Why is the web so vulnerable to risk?

When it first came out everything was open, a kind of utopian world.

Robert Morris, the son of an internet pioneer, wrote a program (the 1988 Morris worm) to find out how many machines were on the internet; there were thousands of them. It used the finger daemon to move itself onto a machine and do finger searches from there. He did not make it check properly whether it was already present, so machines were infected over and over. It was a naive thing: he wrote a program that invaded other people's computers.

Firewalls control what gets in and out. The first basic firewalls did packet filtering: look at each packet and at the port it is asking for. Suppose you have telnet inside on port 23, ssh on 22, http on 80 and so on. Suppose you want telnet internally but not externally: let's say it gets stopped at the firewall. If you want the public to have access to your web server you make them go through that one port only; maybe port 25 for mail as well, but you restrict it to the ports you want to get through.


What happened once firewalls were in place: everyone started running a web server. Web servers would give you some documents, and then the people who wrote web servers asked, what if it could serve dynamic content or video? They made more expansive web servers that create dynamic content.

Dynamic content is more accessible to the public. Then they expanded what goes through the firewall: web services that go through MySQL, and so on, more and more complex, and powerful, complex software has holes. The attacks changed what they do and started aiming at the dynamic attributes of the server, not just HTTP; but HTTP servers are common targets because they do so many things, and because they are complex they are perfect targets for running exploits. The exploits have moved more and more toward web browsers.


Embedded macros: a program inside a program. Web applications become a good target.

Email is a great target because of spam.

Media players: complexity. YouTube.com is a vector to get into the system past the firewall.


On the server side the OS, security software, file management servers and database software become targets for attackers: get a corrupted version in.


Also things aimed at people: user rights, unauthorized devices.

Phishing: "your account is overdue, give us your password", with all the right graphics, but it is false.

Spear phishing is when you target specific people. Or your laptop or USB keys; wireless is a great vector.

Instant messaging: easy pickings for the careless.



Zero-day attack: an attack the attackers know about and can mount before the vendor knows the weakness is there. The usual cycle is that someone finds a weakness and posts it, then the software vendor patches it; a zero-day is exploited before that happens.

Because we have sophisticated criminals, before they use


Storm Worm


Recognize trends.

Talking about DoS.

Another: privilege escalation. It is like a user getting root access: some user on a system who wants to get higher.


Trying to get from out in the cloud through a couple of servers: if the target sees outside traffic going into the system, they have logs or an IDS, they can call your service provider, or the police come knocking.

So attackers break in somewhere further away to get closer to the machine, trying to get other machines to do the work for them. This is slow, but it is how they get privilege escalation on the way in.

Common things; two things you will see a lot of:

XSS - Cross Site Scripting

SQL Injection



Everyone is blogging, and websites allow users to put stuff in. Cross-site scripting is when you put data into a blog (or any page) that changes the behaviour of that page for everyone who views it. Think about it like this: someone goes to a site and looks at someone's blog. The big thing now is JavaScript: it embeds code in your web page, and when the browser gets the page it runs that code on the client's machine. Evil stuff can get into it: with cross-site scripting, when you look at a wiki page or a blog, the injected script is not visible to you, but it is executed by your browser.


A lot of sites and wikis check for this, but if it is sophisticated it can still get through.


SQL injection: a web server sends queries to a database. Databases by nature hold a lot of data, so it is in an attacker's interest to get access to it.

If your web server interacts with a database server and someone slips SQL code into the data that gets sent to the database server, they can do bad things: get access, break integrity, read unauthorized data, find credit card numbers. If you design it right (in Perl, run with -T so tainted input cannot reach the query unchecked) the input is validated first.


DNS poisoning: put false entries into a resolver so traffic goes to the attacker, collecting data.

Identity theft.

New devices for passwords: MLS, and e-mailed one-time passwords good for only 30 seconds.


Assignment 1


WHOIS
Google
DNS tools


CanadianISP.com

Take it, generate a report as a .pdf file, and upload it.

Tuesday, April 15, 2008

INT420 SSL Encryption and Certification

Allow for hyphens; make sure your regular expressions are correct.
Display the format you want inside your text boxes.

When you make the user registration, validate all the data being entered: is it a valid e-mail address, phone number, name? Come up with the regular expressions for this.

A common security hole is CGI scripts.

Understand the dangers and what we can use in Perl to prevent them:
it's called taint mode.

When you get data from a script (a form) you have to be careful what they
enter.


Run your Perl scripts in taint mode; all you have to do is add -T. Anything supplied by the user cannot be used in an OS system call; it will not be allowed.


If you need to use the data you need to figure out how to untaint it: make it so the value is not supplied by the form but produced by the script itself, by extracting the part that matches a regular expression you wrote. The dangerous things you can do with data are system calls: with the system function you are executing an OS command.

Backquotes, that's dangerous too; opening a file through a pipe, that's OS interaction; anything we do opening, deleting or renaming files, anything like that, you must untaint that data first.

Example: a form where we collect an e-mail address, and we want to use the address to e-mail the user. It will not work in taint mode, because it is possible they wrote in a command, like deleting files or whatever else they can do to the system.

Encryption on the exam.
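Added example, not from the lecture: Perl's -T flag is specific to Perl, but the discipline it enforces is the same in any CGI language, so here it is in POSIX shell. The untaint_* functions are the "produced by the script itself" step from the registration-form validation above (a value is only used if it matched an explicit pattern), notify_vulnerable shows what the e-mail example does wrong, and notify_safe shows the fix. The field formats, the example addresses and the stub mail function are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the lecture: the taint-mode idea in POSIX sh. Form
# fields are untrusted until they have matched an explicit pattern, and only
# the matched value ever reaches a command. Field formats are assumptions.

NL='
'
# one_line VALUE: reject embedded newlines, since grep matches line by line and
# would happily accept "good@example.com<newline>rm -rf /".
one_line() { case $1 in *"$NL"*) return 1 ;; esac; }

# Each untaint_* function echoes the value and returns 0 only when it has the
# expected shape; anything else is rejected and nothing is echoed.
# The first character of the address is forced alphanumeric so the result can
# never look like a command-line option to mail.
untaint_email() {
    one_line "$1" || return 1
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9][A-Za-z0-9-]*(\.[A-Za-z0-9][A-Za-z0-9-]*)+$' || return 1
    printf '%s\n' "$1"
}
untaint_phone() {       # 416-555-0199 or 4165550199: hyphens allowed, nothing else
    one_line "$1" || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9]{3}-?[0-9]{3}-?[0-9]{4}$' || return 1
    printf '%s\n' "$1"
}
untaint_name() {        # letters, spaces, hyphens and apostrophes, 1..64 chars
    one_line "$1" || return 1
    printf '%s\n' "$1" | grep -Eq "^[A-Za-z][A-Za-z' -]{0,63}\$" || return 1
    printf '%s\n' "$1"
}

# Stand-in for /usr/bin/mail so the demo cannot send anything.
mail() { printf 'stub mail to: %s\n' "$*"; }

# The CGI mistake: the raw form field is spliced into a command line. The shell
# parses it, so a ';' in the address runs whatever follows it.
notify_vulnerable() {
    eval "echo 'Thanks for registering' | mail $1"
}

# The taint-mode discipline: the value is only used after it matched the
# e-mail pattern, and it is passed as one argument, never re-parsed.
notify_safe() {
    addr=$(untaint_email "$1") || { echo "rejected address: $1" >&2; return 1; }
    echo 'Thanks for registering' | mail "$addr"
}

# Constructed form input: an honest address and one with a command appended.
notify_vulnerable 'bob@example.com; echo INJECTED'
notify_safe 'bob@example.com; echo INJECTED' || echo "(safe path refused it)"
notify_safe 'bob@example.com'
```

The vulnerable call prints INJECTED as its last line because the shell ran the appended command; the safe call refuses the same input and only ever passes a matched address to mail.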

When we want to send and encrypt data securely, the basic process:
take the original data and an encryption key, a random string of
characters, a random very large number.

Take the data and the encryption key and put them into an encryption algorithm or program;
what you get out of that is encrypted data. In order to read that data

you take the encrypted data and a decryption key, put it through the same algorithm/program,
and you end up with the original data.

Two basic models

Symmetric encryption - a shared secret

With symmetric encryption you have a single key, and you use the same key to encrypt and decrypt the data.

Asymmetric encryption - public/private key pairs

Two keys that are designed to work together, a public and a private key. In this encryption you encrypt with one and decrypt with the other; you must use the other part of the pair (encrypt with the private key, decrypt with the public key, or the reverse).



Client machine Alice
  AB-----
          Connected to the Net
                    -----AB
                  Client machine Bob

Using symmetric encryption, Alice would need a copy of the key and Bob would need a copy of the same key.

It's good because it's fast,
and you can generate a new key for every session.
---_FAST SECURE__----
Problem: how do they both get a copy of the same key, especially over a line? That is the session key problem: how do you get the key to both sides?


In the past you generated it in one place, carried it to the other and installed it, but again that is a one-time kind of operation. Asymmetric: Alice wants an encrypted connection to Bob; he has public key B and private key B, and the private key never leaves Bob.

Bob takes his public key and gives it to Alice; she encrypts the data with the public key and Bob decrypts it with the private key.

Communications going back to Alice the same way are not secure: when we encrypt with the private key, anyone with the public key can read it.

So it's no good for confidentiality in the opposite direction, but it does have a purpose.

When Bob sends something encrypted with his private key, what does this prove to us? Anyone can read what Bob is sending, but it can only have come from Bob, because only Bob has the private key. This is called a digital signature: anyone with the public key can read it, but it must have come from that source.

Its use is for authentication, as a signature.
Alice can generate her own public/private pair, send Bob the public key, and use it the same way. Here's the problem: it's slow and a lot of work, and somewhat more complicated than it needs to be. On the internet, when we want to secure traffic over the web we use

SSL ---- Secure Sockets Layer, you know this from https


SSL uses all the things discussed above; this is how it essentially works.


Bob is the server, Alice the client.

In order to facilitate encrypted communication, Bob needs a public and a private key. Now

the admin of Bob needs a third-party company to create a certificate that says this is the company. They take the public key

and send it to a CERTIFICATE AUTHORITY; dozens of companies do this.
CERTIFICATE REQUEST: the server name, e-mail, the FQDN, all the info about the organization and the computer, along with the public key.
The certificate authority performs some authentication, then creates a certificate that contains all the info from the certificate request plus Bob's public key, and the CA signs it with the CA's private key, so it is digitally signed by the CA.
SSL connection
Alice sends an https connection request to Bob; he says OK and sends the certificate, which contains his public key and the digital signature of the CA. Alice receives the certificate. Alice's browser already ships with the public keys of all the trusted CAs, so it can check the CA's signature; now we accept that public key as coming from Bob.
Bob has his private key and Alice has his public key. Now Alice generates a symmetric key that is only good for this session and encrypts it using Bob's public key; Bob is the only one who can use it, because only he has the private key.



Connecting to his web server or his e-mail server puts up the https yellow bar and the padlock.
If you go to Tools > Page Info

and look at the Security tab, it tells you the identity has been verified by Equifax.

View the certificate.


In the LAB
Re-install Apache to include SSL. You need to install it into a different directory, and you will install OpenSSL, which lets you generate public and private keys, certificate requests and your own certificate authority. Install Apache fresh.
Summary: we use certificates for trust, the public-key mechanism to establish a session key, and then they use that session key for the data.
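Added example, not from the lecture: the certificate process above carried out with the openssl command line that the lab installs. A lab CA stands in for the commercial certificate authority; Bob's key pair, request and certificate are generated, the CA signs, and then the two checks Alice's browser makes (the signature chains to a trusted CA, and the certificate carries Bob's public key) are run, plus a negative check with a second, untrusted CA. The names (Lab CA, bob.example.com) and the 30-day lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the lecture: the CSR -> CA -> certificate -> verify
# cycle with openssl. Names and lifetimes are assumptions for the lab.

# build_lab_pki DIR: create ca.key/ca.crt and server.key/server.csr/server.crt
# in DIR and return 0 only if every verification step agrees. Runs in a
# subshell with set -e, so any failing step makes the function return non-zero.
build_lab_pki() (
    set -e
    mkdir -p "$1" && cd "$1"

    # The CA: its own key pair and a self-signed root certificate. A browser
    # ships with roots like this already installed.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -key ca.key -subj "/CN=Lab CA" -days 30 -out ca.crt 2>/dev/null

    # Bob: a key pair. server.key never leaves this directory.
    openssl genrsa -out server.key 2048 2>/dev/null

    # The certificate request carries Bob's identity (FQDN) and public key and
    # is signed with Bob's private key, so the CA can tell the requester holds it.
    openssl req -new -key server.key -subj "/CN=bob.example.com" -out server.csr 2>/dev/null
    openssl req -in server.csr -noout -verify >/dev/null 2>&1

    # The CA signs a certificate (request contents + Bob's public key) with ca.key.
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out server.crt 2>/dev/null

    # Alice's side: the CA signature must chain to a root she trusts ...
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1
    # ... and the public key inside the certificate must be Bob's.
    [ "$(openssl x509 -in server.crt -noout -pubkey)" = "$(openssl pkey -in server.key -pubout)" ]

    # Negative check: the same request signed by some other CA must not pass
    # against the lab root, otherwise the "verified by" claim means nothing.
    openssl genrsa -out rogue.key 2048 2>/dev/null
    openssl req -x509 -new -key rogue.key -subj "/CN=Rogue CA" -days 30 -out rogue.crt 2>/dev/null
    openssl x509 -req -in server.csr -CA rogue.crt -CAkey rogue.key -CAcreateserial \
        -days 30 -out rogue-server.crt 2>/dev/null
    if openssl verify -CAfile ca.crt rogue-server.crt >/dev/null 2>&1; then
        echo "rogue certificate was accepted" >&2
        exit 1
    fi
    echo "chain ok: $(openssl x509 -in server.crt -noout -subject) signed by $(openssl x509 -in server.crt -noout -issuer)"
)

# Stand-alone run, only where openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    build_lab_pki "$d" || echo "PKI check failed"
    rm -rf "$d"
fi
```

The files server.key and server.crt are what the SSL-enabled Apache from the lab points its SSLCertificateKeyFile and SSLCertificateFile at; ca.crt is what a client would have to import to get the padlock, since nothing ships with a lab root.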

Wednesday, April 2, 2008

Building a Fast Internet

http://www.newsweek.com/id/129639

I don't really get the tech side of it... it doesn't explain very much, but at least they're trying to steer away from packet-switched networks (too slow).

I haven't been updating, TOO MUCH WORK! During my break I will be finishing Uyless Black's Emerging Communications Technologies, and while taking school in the summer I will be discussing many of the professional classes here on this blog.

Saturday, March 22, 2008

Chapter 1 - Introduction - ECT - Uyless Black

When examining the communications infrastructure and the major problems associated with using current technologies, we see that the point of new technology is to overcome the deficiencies of current technologies.

The world is moving at a fast pace; processors and applications just keep getting faster and faster, so we look at data communications and how it can improve the movement of information within a networked environment.

This chapter gives a general overview of the emerging technologies meant to meet the needs of applications.

Needs for Services
The Past
Development of high-speed, inexpensive computers to meet the needs of the average person. This opened a vista to powerful new applications. Examples of the applications that may be used are interactive real-time simulations, three-dimensional modeling and colour images.

The T1/E1 Legacies
1970s & 1980s = 1.544 (T1) to 2.048 (E1) Mbit/s
- T1/E1 met the needs of most user applications

VPN - share communications channels with other users

Switches - relay traffic from multiple users

Frame Relay: fast packet service
- error recovery is left to the user's end systems
- bandwidth-on-demand services
- data applications and some voice applications
- supposed to solve the WAN bottleneck

MAN IEEE Standard 802.6
- distributed queue dual bus (DQDB) protocol to support integrated networks for multimedia applications
- interconnects LANs across WANs

Switched Multimegabit Data Service (SMDS)
- relies on the MAN technologies
- provides a public high-speed transport service in the US and Europe
- services: high-speed data applications that require bursts of high-bandwidth transmission,
such as file transfer, CAD/CAM, and imaging.

Asynchronous Transfer Mode
- part of the B-ISDN solution
- cell relay technology
- includes high speed
- multiplexing and switching services for voice, data and video applications

Cells in ATM and IEEE 802.6 (MAN)
802.6 = basis of SMDS

CELL vs FR

At the CPE (a computer or PBX) the user's data,
which can be variable in length,
is segmented into smaller fixed-length units called cells:
5-byte header, 48-byte payload (53 bytes per cell).

Supports transmission and reception of voice, video, data and other applications.

Interest = large companies that have developed multiple networks to handle different transmission schemes.

Why do we prefer cells?

Cells are better than variable-length frames because with fixed-length cells the delay through the network is predictable, which gives better performance than variable-length frames.

- ATM queuing is done inside the switch.
- Fixed-length buffers are easier to manage than variable ones.
- Cell relay has superior Quality of Service.
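As an added example (not from the book or the lecture), the shell script below decodes the 5-byte cell header described here and in the ATM presentation notes at the top of this page: it pulls out the GFC, VPI, VCI, PT and CLP fields and recomputes the HEC byte that the TC sublayer uses to find cell boundaries and to reject corrupted headers. The HEC algorithm is the one in ITU-T I.432 (CRC-8, polynomial x^8+x^2+x+1, XOR 0x55); the UNI header layout (4-bit GFC, 8-bit VPI) and the sample headers are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the book or the lecture: decode a 5-byte ATM cell
# header (UNI layout assumed: GFC 4 bits, VPI 8, VCI 16, PT 3, CLP 1, HEC 8)
# and check the HEC: CRC-8 with polynomial x^8+x^2+x+1 (0x07) over the first
# four bytes, XOR 0x55, per ITU-T I.432.

# atm_hec HEX8: expected HEC for the first four header bytes given as 8 hex digits.
atm_hec() {
    crc=0
    for i in 0 2 4 6; do
        byte=$(( 0x$(printf '%s' "$1" | cut -c$((i + 1))-$((i + 2))) ))
        crc=$(( crc ^ byte ))
        n=0
        while [ $n -lt 8 ]; do
            if [ $(( crc & 0x80 )) -ne 0 ]; then
                crc=$(( ((crc << 1) ^ 0x07) & 0xFF ))
            else
                crc=$(( (crc << 1) & 0xFF ))
            fi
            n=$(( n + 1 ))
        done
    done
    printf '%02X\n' $(( crc ^ 0x55 ))
}

# atm_header_decode HEX10: print GFC VPI VCI PT CLP and whether the HEC checks;
# return 1 when it does not (a corrupted header the TC sublayer would drop).
atm_header_decode() {
    hdr=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ ${#hdr} -eq 10 ] || { echo "header must be 10 hex digits"; return 1; }
    w=$(( 0x${hdr%??} ))                 # first 32 bits as one number
    hec=${hdr#????????}                  # HEC byte as received
    gfc=$(( (w >> 28) & 0xF ))
    vpi=$(( (w >> 20) & 0xFF ))
    vci=$(( (w >> 4) & 0xFFFF ))
    pt=$(( (w >> 1) & 0x7 ))
    clp=$(( w & 1 ))
    want=$(atm_hec "${hdr%??}")
    if [ "$hec" = "$want" ]; then
        echo "GFC=$gfc VPI=$vpi VCI=$vci PT=$pt CLP=$clp HEC=$hec ok"
    else
        echo "GFC=$gfc VPI=$vpi VCI=$vci PT=$pt CLP=$clp HEC=$hec bad (expected $want)"
        return 1
    fi
}

# Constructed headers: the signalling channel VPI 0 / VCI 5 with a correct HEC,
# and the same header with one bit flipped in the VCI (HEC no longer matches).
atm_header_decode 00000050E2
atm_header_decode 00000040E2 || echo "(dropped)"
```

Two values worth knowing when checking your own cells: an all-zero first four bytes gives HEC 55, and the idle-cell header 00 00 00 01 gives HEC 52, which is why idle cells on a SONET link look like 0000000152 in a trace.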

Widespread commercial inception of computer and communications networks in the 1960s.

1970s - communications architecture was all software.
Typically:

Physical layer = hardware
Data link layer = software
Late 1970s / early 1980s:
some of the data link functions implemented in hardware.

This fostered HDLC, which would
lead to - Link Access Procedure Balanced (LAPB)
- Link Access Procedure for the D channel (LAPD)
- chip sets and firmware

That's all I am going to introduce for now; the next post will continue Chapter 1. In later chapters Uyless Black goes into detail on every protocol mentioned here, and that will be in the next post. So don't be too overwhelmed; I know I was the first time I read half the book.

Little note to me: Ch1 Pg5

Friday, March 21, 2008

About New Postings

Due to the hands-on work in my program I will only be posting the relevant information from every lecture for my courses.

I will be focusing on Data Communications.

Book:

Emerging Communications Technologies by Uyless Black

that will gradually move to

IP Routing Protocols by Uyless Black.

Any relevant information for courses within the Computer Systems Technology Diploma will be posted with the title of the course code and topic, mostly theory.

Note: Future online posting will change.
