Dr. I Doctor's Informational Juggernaut
One of the most interesting data points I took away from the recent 2005 North American IPv6 Technology Conference in San Jose is that IPv6 acceptance is growing rapidly in one unexpected "market segment:" the hacker community. Hackers are exploiting freely available IPv6 technology on Macintosh, Unix, and Windows systems to skirt around firewalls and other network security measures. There could be a hacker right now tunneled into your network over IPv6, and chances are your intrusion detection software isn't looking for them and thus can't see them.
In a correctly deployed IPv6 network, security is enhanced over the older IPv4 protocol, because address spoofing can be detected and tracked, and every IP session can be encrypted using IPSec. The operative phrase in the preceding sentence is correctly deployed. Many network administrators haven't given IPv6 a second thought, believing falsely that IPv6 will wait for them. But a slew of open-source programs and free services let hackers deploy IPv6 in your network without your permission, using the advanced protocol to sneak around IDS and IPS systems and to surreptitiously pump data to outside hacker lairs.
A hacker gains an IPv6 foothold using the standard virus and Trojan propagation techniques: contaminated e-mail, spyware, DNS poisoning, and phishing attacks. Once landed on a victim desktop computer, a hacker can enable IPv6 on that system and use IPv6's autoconfiguration facilities to acquire an IPv6 address on your network -- or simply make up an IPv6 address using the target machine's MAC address. If you don't currently have an IPv6 router on your network, the hacker can convert the victim host into one.
The vast majority of successfully penetrated desktop systems run Windows, and Windows 2003 and XP have IPv6 built in -- it only needs to be enabled using the netsh DOS command. Windows IPv6 supports a transition protocol called 6to4 tunneling, which encapsulates IPv6 packets in a special protocol envelope and routes them to a distant IPv6 gateway, where they're turned back into IPv6 packets. Most IDS systems don't recognize 6to4 packets, or don't report them as a security risk. 6to4 packets don't look like ordinary IP packets, because they use network protocol 41, rather than TCP (6) or UDP (17). Yet many networking components, and virtually all ISPs, will cheerfully route these packets without complaint. The only good news is that most NAT firewalls block everything except TCP and UDP, and thus filter out protocol 41.
Hackers have alternatives should they find 6to4 tunneling infeasible. Windows also supports another IPv6 transition mechanism, called Teredo, that encapsulates IPv6 packets in an IPv4 UDP envelope. These packets pass right through NAT firewalls without trouble, and can even be made to look like DNS queries, which virtually every firewall passes out unmolested. Teredo is also built into Windows XP, as well as being available in a number of open-source IPv6 migration tools.
IPv6 tunneling techniques give attackers a permanent, invisible conduit from the outside world directly to the heart of your network, just as if you ran a Cat-5 cable from some clerk's desk to the far side of your firewall. Worse, once a hacker awakens IPv6 in one workstation, server, or router, he can then enable IPv6 in dozens or hundreds of machines on the same LAN.
The only cure is to block both 6to4 and Teredo at your borders, and upgrade your IDS and IPS to watch for unauthorized IPv6 traffic on your LAN. Check with your security software vendor today for IPv6 sensing capabilities. The open-source Snort IDS has an experimental IPv6 decoder, and many commercial IDS systems use Snort under the covers, so you may be able to install IPv6 awareness yourself.
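The checks the last few paragraphs call for, written out as an added example that is not code from the original post: a small Python classifier that reads raw IPv4 packets and flags protocol 41 (6to4 and any other direct IPv6-in-IPv4 encapsulation) as well as IPv6 carried inside UDP, which is how Teredo looks on the wire. The sample packets are constructed inside the script; the Teredo UDP port 3544, the 6to4 prefix 2002::/16 and the 6to4 relay anycast address 192.88.99.1 are taken from the relevant RFCs, not from the post.

```python
"""Flag IPv4 packets that carry tunnelled IPv6: protocol 41 (6to4 and
other direct encapsulation) and IPv6-in-UDP (Teredo-style).

Added example for this page. Parses raw IPv4 packets with the standard
library only; the sample packets at the bottom are constructed here,
not captured traffic.
"""
import struct
from ipaddress import IPv4Address, IPv6Address

PROTO_UDP = 17
PROTO_IPV6 = 41          # IP protocol number for IPv6 encapsulated in IPv4
TEREDO_PORT = 3544       # Teredo's standard UDP port (RFC 4380)


def inner_ipv6_summary(data: bytes):
    """Return (src, dst, next_header) if data starts with a plausible IPv6 header, else None."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    payload_len, next_header = struct.unpack_from("!HB", data, 4)
    if 40 + payload_len != len(data):       # length field must match what we hold
        return None
    return str(IPv6Address(data[8:24])), str(IPv6Address(data[24:40])), next_header


def classify(packet: bytes):
    """Return a list of alert strings for one raw IPv4 packet (no link-layer header)."""
    alerts = []
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return alerts
    ihl = (packet[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", packet, 2)
    proto = packet[9]
    src, dst = IPv4Address(packet[12:16]), IPv4Address(packet[16:20])
    payload = packet[ihl:total_len]

    if proto == PROTO_IPV6:
        inner = inner_ipv6_summary(payload)
        detail = f" inner {inner[0]} -> {inner[1]}" if inner else ""
        alerts.append(f"PROTO41 {src} -> {dst}{detail}")
    elif proto == PROTO_UDP and len(payload) >= 8:
        sport, dport, ulen = struct.unpack_from("!HHH", payload, 0)
        udp_data = payload[8:ulen]
        if TEREDO_PORT in (sport, dport):
            alerts.append(f"TEREDO-PORT {src}:{sport} -> {dst}:{dport}")
        inner = inner_ipv6_summary(udp_data)
        if inner:
            # IPv6 header directly inside UDP on *any* port: catches relays that
            # do not use 3544. Teredo's optional origin/authentication headers
            # precede the IPv6 packet, so the port check above complements this.
            alerts.append(f"IPV6-IN-UDP {src}:{sport} -> {dst}:{dport} "
                          f"inner {inner[0]} -> {inner[1]}")
    return alerts


# --- constructed sample packets (not captured traffic) -----------------------
def build_ipv6(src, dst, next_header, payload=b""):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


# 2002:c000:204::1 is the 6to4 address derived from 192.0.2.4; 192.88.99.1 is the 6to4 relay anycast.
V6_PAYLOAD = build_ipv6("2002:c000:0204::1", "2001:db8::1", 58, b"\x80\x00" + b"\x00" * 6)
SAMPLES = {
    "6to4": build_ipv4("192.0.2.4", "192.88.99.1", PROTO_IPV6, V6_PAYLOAD),
    "teredo": build_ipv4("192.0.2.4", "198.51.100.9", PROTO_UDP,
                         build_udp(54321, TEREDO_PORT, V6_PAYLOAD)),
    "plain_dns": build_ipv4("192.0.2.4", "198.51.100.53", PROTO_UDP,
                            build_udp(40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
}


def scan(samples=SAMPLES):
    """Classify every sample packet; returns {name: alerts}."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, found in scan().items():
        print(name, found or ["no tunnel indicators"])
```

Feed it packets pulled from a capture (strip the Ethernet header first) to get the same verdicts an IDS sensor would produce. The protocol-41 test is the one a Snort rule expresses with the `ip_proto` option; the UDP payload check is what lets you see IPv6-in-UDP on the border even when the sender avoids the default port.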
But most importantly, become IPv6 savvy by giving yourself a short course in this new networking technology. I tell you how in the Dr. I. Doctor entry Take IPv6 Out for a Spin and my review of O'Reilly's book IPv6 Network Administration.
Posted by mbeckman on September 29, 2005 at 9:57 AM
In the mid 1960s, the U.S. Department of Defense Advanced Research Projects Agency (ARPA) began work on the network that ultimately grew into the Internet as we know it today. The very first stage of the ARPAnet connected mainframes at just four locations over blazingly fast (for the time) 56 Kbps leased telephone lines. Larry Green was one of the engineers involved in this development at the University of California Santa Barbara (UCSB).
Larry Green is a technologist with a long track record of founding successful computing enterprises: Communication Machinery Corporation, Efficient Networks, Wavefront Technologies, Web Power Authority, and Protocol Engines. But Larry is also an Internet pioneer, designing and deploying the Internet Message Processor (IMP) on the first node of the Internet at UCSB. While listening to this interview, be sure to browse the pictures and diagrams that Larry references as he describes those heady days of inventiveness.
Download the podcast here.
Posted by mbeckman on September 18, 2005 at 5:15 PM
Here's the first how-to article promised by the preceding item about the Mac mini. It explains how to set up a Mac mini as a world-class intrusion detection system (IDS) probe running Snort. The complete step-by-step instructions are included (in a link at the end of this item). But here are the highlights.
Intrusion detection is an essential network function, but many network admins never get around to deploying it because it's (a) expensive and (b) time consuming to learn. One of the most popular open-source intrusion detection programs is called Snort. Short for..., um, well, nothing, I guess. "Snort" must be an oblique reference to the vacuum-cleaner-like behavior of network sniffers, of which Snort is one.
In any event, Snort is software designed to run on a dedicated, low-end computer, which scans all your network traffic looking for anomalous behavior such as DOS attacks, unauthorized network scanning, virus traffic, etc. It's a rule-driven program, so you can readily enhance it without altering the Snort program itself. And in fact, it's already been highly enhanced, with thousands of user-contributed rules and plug-ins that can flag any of a zillion hacker attack methods.
Building a single Snort IDS probe is not all that exciting, and not even all that hard, although it's pretty tedious if you don't have help. The problem is that a single probe is often not enough -- you need a separate Snort probe device for every Ethernet LAN segment in your enterprise -- and building multiple probes can quickly eat all your available time. The Mac mini is so well configured by Apple that the total time to build a Snort probe drops from many hours to under one hour.
It's called a TruffleBox because certain species of swine are known for their ability to seek out elusive mushrooms called truffles. Snort = swine; Truffles = intrusions. Hence the term TruffleBox. Get it?
OK, well, it doesn't really matter.
I won't go into all the gory details here, since they're better described (with pictures) in the PDF document explaining the construction process step-by-step (see below). If you don't currently operate an IDS, then you owe it to yourself and your employer to go out right now and buy a Mac mini and build your own TruffleBox! Right now, on your lunch break!
What are you waiting for?
Truffle Box step-by-step setup instructions
Posted by mbeckman on September 15, 2005 at 1:03 AM
If you've been looking for a small, inexpensive, pre-configured Unix server to use as a workhorse for small network missions, look no further than Apple Computer. That's exactly what Apple has unwittingly delivered in its $499 Mac mini platform. Originally intended to woo Windows users to the Mac, the mini is a cunning combination of packaging and features made to order for networking chores. Whether it's DHCP and DNS, e-mail, Web hosting, or intrusion detection, the mini will meet your utility server needs faster than you can call Steve Jobs to make a lunch appointment.
Here's what you get for $499: A svelte 6" by 6" by 2" machine with 40GB disk, 512MB RAM, monitor, USB, FireWire and modem ports, all fully operational right out of the box. That alone is worth a lot, since installing your average Linux distribution and securely configuring it on the average generic CPU is easily a half-day project. Multiply your hourly value by four, and I'll wager you come awfully close to the mini's $500 cost, which means that Linux alternative costs twice the mini's price, assuming you can find bare hardware that small and cheap (I couldn't).
Did I mention the mini is small? It's way small. So small that you could put fifteen of them in the space occupied by a 1U rackmount server. This makes the mini perfect for out-of-space environments such as wiring closets, remote offices, and overfilled data centers. You can (and will) run the mini headless, administering it from afar with VNC, so the little slab that is the mini itself is all you need to make room for in deployment.
But wait, there's more. The mini isn't pre-loaded with some shaky Linux distribution supported by technomonks working out of a Helsinki moose lodge. No, the mini runs Apple's award-winning, open-source Mac OS X version of Unix, based on BSD Unix but cored by the Mach kernel. Mac OS X is a finely engineered, battle tested, school-kid hardened operating system with an extraordinary GUI interface that is both immensely easier to use than Linux and more reliable to boot.
And the mini is secure out of the box. Do not underestimate the importance of this aspect. Locking down Linux takes hours for experienced Linusites; ordinary mortals may never master the task. I won't even mention that the Mac (knock on chrome) has ZERO spyware and so few viruses that Mac users just toss off the need for anti-virus software. Unlike Windows XP and Linux, virtually no ports are left open on a mini fresh from its package. It's simply impenetrable by default, which is how all computers should be delivered.
But wait, there's more. This home computer box is really server-class hardware with built-in remote admin tools (SSH and VNC), IPSec VPN, hardware that can restart automatically from a power failure, and a sophisticated journaling file system. It will run perfectly well on the supplied 512MB RAM and 1.25 GHz processor. And that's RISC-CPU GHz, which puts it in the same class as a 2.5 GHz Intel CPU.
But wait, there's more. Secreted in the heart of every Mac, including the mini, is a dang useful suite of open-source server programs: Apache (Web), BIND (DNS), PHP, MySQL, miniSQL, all the BSD Unix tools, and very nice interfaces for them all. This is yet more pre-installed software that will save you time and trouble.
But wait, there's more. The MacOS X install DVD delivered with every Mac includes the celebrated Apple Development Tools, a self-contained package of compilers, editors, and other goodies. You won't be writing your own code, though (but you could). You'll be compiling other people's open-source software, which gives you access to a universe of open-source software.
But wait, there's more. Unlike Linux and its ilk, the mini has Apple's extraordinary software update service, which you can readily initiate remotely. This service, similar to Microsoft's Windows Update feature, but infinitely better done and much more reliable, lets your keep your mini up to date without taking it out of its mission.
But wait, there's more. But I must defer that to future items. Watch Dr. I Doctor for "how-to" articles on the Mac mini. Together we'll explore the outside of the envelope of this secret wonder. In fact, the first installment is posted right after this entry.
Posted by mbeckman on September 15, 2005 at 12:21 AM | Comments (5)
Every network admin has a toolkit, and SNMP tools are among the most numerous in mine. Although I use a slew of open-source SNMP gadgets for reading SNMP Management Information Base (MIB) tables, querying devices, and the like, it seems like no one tool works on all the platforms I use. So I end up with a patchwork of utilities, most text-based, that at times are very painful to use. Now MIB Views from Muonics, Inc. brings a truly cross-platform GUI SNMP query tool to the table. At $95 it's affordable. It's also very, very well written.
MIB Views provides an elegant graphical interface into the intricate world of SNMP, letting you query devices, extract entire MIBs, and even compile them. It can query multiple SNMP agents at once, search MIBs -- both the variable names and values -- and decode hex dumps of SNMP transactions. Supporting the whole spectrum of SNMP versions, v1, v2c, and v3, the tool provides HMAC-MD5-96 and HMAC-SHA-96 authentication as well as CBC-DES encryption. I know of no other tool that offers all these features -- at any price -- and does so with the ease of use of a Web browser.
The utility runs on five platforms, which covers all of the ones I use regularly: Windows, FreeBSD, Linux, Solaris, and MacOS X. The vendor says he is open to porting to additional platforms as the need arises, an attitude I really appreciate.
You start out with MIB View's tree view, which lets you drill down into a MIB's complexity as needed, without having to manhandle the entire MIB at one time. The SNMP Walk feature will retrieve an entire MIB from any SNMP agent, and the Table View tool lets you view table-oriented variables clearly. You can also monitor for traps with Trap Watch. The built-in MIB compiler reads and validates vendor-provided MIBs and then lets you use those MIBs to interpret SNMP queries and browse live MIB data.
My favorite use for SNMP analysis tools is to locate undocumented MIB variables in a device so that I can monitor them with an NMS, such as Dartware's Intermapper. MIB Views works very well for this, showing me the precise Object Identifier (OID) I am looking for, letting me easily create an NMS monitor for that variable.
http://www.muonics.com/Products/MIBViews/
Posted by mbeckman on September 6, 2005 at 8:32 AM
With the ever-increasing power and heat density of today's networking gear, IT pros need to keep close tabs on environmental conditions in equipment closets and data centers. We need a variety of sensors -- temperature, humidity, water, airflow, security -- and lots of them. One temperature sensor in a rack or closet is not enough, since one device buried in the rack could overheat, yet only slightly increase the total temperature of the whole stack. Yes, you could always build your own sensor systems out of networking components and clever programming, but that's tedious. Turn-key solutions have been available, but until recently, cost one arm and two legs. WeatherGoose from IT Watchdogs changes all that.
WeatherGoose is a 1-U five-inch-deep sensor array with embedded Web server and SNMP support. It has five sensors on board: temperature, humidity, airflow, light, and sound. The $400 Wx-Goos-1 model also sports three zero-to-five volt analog sensor connectors for bus-based sensors using the Maxim (formerly Dallas Semiconductor) OneWire network. OneWire lets you string dozens of individually-addressable sensors daisy-chain style along a single RJ-11 connector bus.
One very slick feature of this device is its internal data log and graphing capability. Unlike many other commercial sensors (costing three times as much), the WeatherGoose saves an archive of all its data internally, and provides its own graphs via a built-in Web server. You can extract this log as a CSV file using a single HTML request. This means you don't have to run an SNMP NMS to collect its data, although you can if you want, as the WeatherGoose has excellent SNMP support.
The Web interface also lets you configure e-mail notification for various alarm conditions, and this is about the only such device I've seen intelligently support POP-before-SMTP e-mail authentication -- essential if you want your e-mail notifications to get delivered to an offsite e-mail service. The Web interface also provides URL access for PDA- and WPA-form factor displays.
The Wx-Goos-2 SuperGoose version adds a back-lit LCD display, alarm horn, and support for a video camera for another $100. For $800 you can get the PowerGoose, a WeatherGoose with 10 individually controllable 5-20R A.C. receptacles built in and power state monitoring to boot.
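The point made above about one sensor per rack not being enough, worked through on a multi-sensor log as an added example (not the vendor's code): a per-probe threshold plus a rate-of-rise alarm catches a single overheating device that barely moves the rack's mean temperature. The CSV is constructed here with one column per probe; the WeatherGoose's real export columns are not shown on the page, so the column names are assumptions.

```python
"""Per-sensor alarming over an environmental CSV log.

Added example for this page. SAMPLE_CSV is constructed to look like a
multi-probe log (timestamp plus one column per sensor); it is not the
WeatherGoose's actual export format, and the column names are made up.
"""
import csv
import io
from datetime import datetime

SAMPLE_CSV = """time,rack_top_c,rack_mid_c,rack_bottom_c
2005-09-06 08:00,24.0,23.5,22.8
2005-09-06 08:05,24.2,23.6,22.9
2005-09-06 08:10,24.3,29.0,22.9
2005-09-06 08:15,24.4,34.5,23.0
"""

HIGH_C = 30.0          # absolute alarm threshold applied to each probe
RISE_C_PER_MIN = 0.5   # rate-of-rise alarm: flags a failing fan before HIGH_C is reached


def load(text: str):
    """Parse the log into [(datetime, {probe: celsius}), ...]."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        t = datetime.strptime(r.pop("time"), "%Y-%m-%d %H:%M")
        rows.append((t, {k: float(v) for k, v in r.items()}))
    return rows


def alarms(rows):
    """Per-probe alarms as (hh:mm, probe, kind, value) tuples."""
    out, prev = [], None
    for t, vals in rows:
        for name, c in vals.items():
            if c >= HIGH_C:
                out.append((t.strftime("%H:%M"), name, "high", c))
            if prev is not None:
                minutes = (t - prev[0]).total_seconds() / 60
                rate = (c - prev[1][name]) / minutes
                if rate >= RISE_C_PER_MIN:
                    out.append((t.strftime("%H:%M"), name, "rising", round(rate, 2)))
        prev = (t, vals)
    return out


def average_alarms(rows):
    """The same threshold applied to the rack mean: what a single averaged reading would report."""
    return [(t.strftime("%H:%M"), "mean", "high", round(sum(v.values()) / len(v), 2))
            for t, v in rows if sum(v.values()) / len(v) >= HIGH_C]


if __name__ == "__main__":
    log = load(SAMPLE_CSV)
    print("per-probe:", alarms(log))
    print("averaged:", average_alarms(log))
```

In the sample the middle probe climbs past 34 C while the rack mean never reaches 28 C, so the averaged view raises nothing and the per-probe view raises both a rising alarm and a high alarm.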
You can try one live at:
Full product details are on the vendor's Web page:
Posted by mbeckman on September 6, 2005 at 8:10 AM