Dr. I Doctor's Informational Juggernaut
There are two sets of passwords I must deal with in my life: my own and everyone else's. Users constantly forget their passwords, or mistype them because they're so CoNv0Lut3d, and only a technologist can resolve the problem for them. My own problem isn't forgetting my passwords, but being confident in them. I just don't think there is enough variation in the passwords I use to prevent massive data exposure should one of my passwords be compromised. I need something to educate my users -- and myself -- about the best means of password construction. Mark Burnett's book Perfect Passwords: Selection, Protection, and Authentication (Syngress, 2005) aims to do just that.
Burnett knows a lot about passwords, because he's analyzed over a million of them. His research shows that most passwords are much less secure than their users believe. We all know people who choose passwords like "LetMeIn" with the misplaced expectation that they've hit on the perfect code. We're not so naive.
More sophisticated users employ password "strategies" -- little systems for creating passwords that presumably nobody will figure out. For example, a character substitution strategy that replaces certain letters with similar-looking digits (e.g., "s3cr3t5" mutated from "secrets") seems like it should be a vast improvement over ordinary dictionary words as passwords. Burnett shows how far wrong that intuition can be, by demonstrating the vulnerability of that and myriad other supposedly safe password strategies.
Sometimes users have random-character-string passwords forced upon them by well-meaning systems, but users can rarely commit such strings to memory and thus resort to writing them down, which leaves even complex passwords open to sudden compromise. Or a system can try to demand complexity by insisting that passwords contain a mix of letters and numbers -- a requirement most users readily circumvent by tacking a digit or two onto an ordinary word. Even the common practice of frequently changing passwords is foiled by users making minor, but predictable, modifications to their previous password.
The solution to the password problem, Burnett points out, is understanding the ways hackers crack passwords, and knowing how to predict the vulnerabilities of a given password strategy. Armed with this information, and the handy tips the author provides, you can create passwords that are secure, compliant with strict password policies, and still memorable. And you'll be well equipped to train users in safer password strategies to boot.
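To make the cracking side of this concrete, here is an added example (my own illustration, not code from Burnett's book or from the post above) of the rule-based guessing that password crackers apply to a wordlist. It recovers a leet-substituted word ("s3cr3t5"), a word with a policy-satisfying suffix, and a "changed" password derived from its predecessor ("Summer05" to "Summer06"). The wordlist, the target passwords and the hash are all constructed here: unsalted SHA-256 stands in for whatever hash a real system would use, since a slow, salted hash raises the cost of each guess but does not change how few guesses these strategies require.

```python
"""Why 'clever' password strategies barely slow down a dictionary attack.

Added example for this post, not code from Burnett's book.  A small
rule-based candidate generator of the kind password crackers use: it
recovers passwords built by leet substitution ("s3cr3t5"), by appending
digits or years, and by predictable edits to a previous password
("Summer05" -> "Summer06").  Wordlist and target hashes are constructed.
"""
import hashlib
import itertools
import re
from typing import Iterable, Iterator

# Substitutions users think of as "obscuring" a word.  Real rule sets are
# larger, but even this subset multiplies guesses by only a few per letter,
# not by a full 95-character alphabet.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

# Suffixes people append to satisfy "letters and numbers" policies.
SUFFIXES = ([""] + [str(n) for n in range(100)] + ["!"]
            + [str(y) for y in range(1990, 2010)])


def sha256_hex(s: str) -> str:
    """Stand-in for the system's password hash (constructed, unsalted)."""
    return hashlib.sha256(s.encode()).hexdigest()


def leet_variants(word: str) -> Iterator[str]:
    """Every spelling of `word` with any subset of LEET substitutions applied."""
    options = [[c] + list(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word: str) -> Iterator[str]:
    """The three capitalisations people actually use."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(word: str) -> Iterator[str]:
    """All guesses derived from one base word, each yielded once."""
    seen = set()
    for leet in leet_variants(word):
        for cased in case_variants(leet):
            for suffix in SUFFIXES:
                cand = cased + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def predictable_changes(old: str) -> Iterator[str]:
    """Guesses for a password the user was forced to change from `old`."""
    m = re.fullmatch(r"(.*?)(\d+)(\W*)", old)
    if m:  # increment the trailing number, keeping its width: Summer05 -> Summer06
        stem, digits, tail = m.groups()
        yield f"{stem}{int(digits) + 1:0{len(digits)}d}{tail}"
    yield old + "1"
    yield old + "!"
    yield old.capitalize()
    yield old.swapcase()


def crack(target_hashes: set[str], wordlist: Iterable[str],
          previous: Iterable[str] = ()) -> dict[str, str]:
    """Map each recovered hash to its plaintext, trying the cheapest rules first."""
    found: dict[str, str] = {}

    def check(cand: str) -> None:
        h = sha256_hex(cand)
        if h in target_hashes:
            found.setdefault(h, cand)

    for old in previous:                 # known old passwords from an earlier leak
        for cand in predictable_changes(old):
            check(cand)
    for word in wordlist:                # then the wordlist with all rules applied
        for cand in candidates(word):
            check(cand)
    return found


def guesses_per_word(word: str) -> int:
    """How many guesses the rules above generate from a single base word."""
    return sum(1 for _ in candidates(word))


def brute_force_space(length: int, alphabet_size: int = 95) -> int:
    """Guesses an attacker would face if the password were truly random."""
    return alphabet_size ** length


if __name__ == "__main__":
    wordlist = ["secrets", "summer", "letmein"]                        # constructed
    leaked = {sha256_hex(p): p for p in ["s3cr3t5", "L3tm31n!", "Summer06"]}
    hits = crack(set(leaked), wordlist, previous=["Summer05"])
    for h, plain in hits.items():
        print(f"{h[:12]}...  {plain}")
    print(f"guesses for 'secrets' with rules: {guesses_per_word('secrets'):,}")
    print(f"random 7-character space:         {brute_force_space(7):,}")
```

The comparison printed at the end is the whole point: the rules turn one seven-letter base word into a few tens of thousands of guesses, while a genuinely random seven-character password from a 95-symbol alphabet sits in a space of 95^7 possibilities. Note also that "Summer06" is never produced from the wordlist (no rule appends a zero-padded "06"); it falls only because the attacker tried the obvious edits of the previous password first.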
http://www.syngress.com/catalog/?pid=3420
Posted by mbeckman on October 28, 2005 at 8:39 AM | Comments (3)
A recent report by Cisco networking guru Tony Hain predicts the end of IPv4 address space in about 2010, just five years from now. This is in contrast to the prior prediction of 2022 made by the Asian Pacific Network Information Center (APNIC). Why the suddenly sooner deadline? According to A Pragmatic Report on IPv4 Address Space Consumption, the APNIC report does not take into account the temporary growth slowdown of IP address allocations from 2000 to 2003 due to the dot-com crash. Since 2003, IP address allocations have accelerated dramatically.
Today a new /24 (formerly termed a Class C) block of 256 addresses is allocated to somebody every 30 seconds. At that rate, the Internet loses an entire /16 block (a Class B, 65,536 addresses, or 256 such /24s) roughly every two hours. That's 24/7, friends, and the rate is accelerating. Based on the current rate of growth, which Hain documents extensively in his report, we'll have allocated all IPv4 address space in just half a decade.
This prediction adds a new sense of urgency to the IPv6 migration debate. IPv6, which uses 128-bit rather than 32-bit addresses, provides essentially unlimited IP space. But switching the entire Internet over to IPv6 is an expensive undertaking, and many IPv6 opponents have argued that the original 2022 prediction meant that IPv6 is still far off. Some (whose initials are NSF) even say IPv6 is no longer necessary, proposing that we go back to the drawing board and design yet another IP addressing scheme, given that the IPv6 design is already 10 years old.
Hain says we don't have time for that, and his argument is persuasive. He uses the actual IP address allocation history from the Internet Assigned Numbers Authority (IANA) in his analysis, points out the reasons for the APNIC's previous rosy outlook, and explains why those reasons are no longer valid.
I'm often leery of statistical predictions because there are so many ways to lie with statistics. However, Hain bends over backward to be fair and transparent in his reasoning, and even gives the author of APNIC's report, Geoff Huston, a chance to respond in the same document. Huston's answer boils down to the two predictions being within the margins of statistical error. However, the difference between the two dates is significant: moving to IPv6 within five years means everyone needs to begin planning their migration strategy now.
Both authors agree that market forces will automatically curtail IPv4 growth at some point, by making IP addresses more and more expensive as the end approaches. Both also agree that this effect will not be good for business, and in the long run will be more expensive than the cost of moving to IPv6.
Both writers also point out that the predictions presume that growth conditions remain as they are, which is almost certainly not going to hold for the remainder of IPv4's lifetime. Already new network applications, such as mobile computing, are hungrily chewing through IP addresses. And many third-world countries have yet to get much of their populace on the Internet. Either of those foreseeable demands could exhaust IPv4 space even sooner than five years.
Conversely, there could be a growth-slowing technology collapse like the dot-com crash, but given the business lessons learned since 2000 that seems a foolish bet.
The report includes a lively and fascinating roundtable discussion between Hain, Huston, and Internet gurus John Klensin and Fred Baker. All participants concur that IPv4 has entered its end game, and the time has come to get serious about IPv6 migration.
Tony Hain's report A Pragmatic Report on IPv4 Address Space Consumption:
http://www.cisco.com/en/US/about/ac123/ac147/archived_issues/ipj_8-3/ipv4.html
Geoff Huston's APNIC IPv4 Address Space Report:
http://bgp.potaroo.net/ipv4/
Here's a bonus goody. APNIC produced a movie showing the actual consumption of IP addresses over time, based on Internet routing table data. It's a fun, and frightening, look at the rate of IPv4 address consumption:
http://www.potaroo.net/avi/comp.m1v
Posted by mbeckman on October 17, 2005 at 11:40 PM
Voice over IP has been around for years, and many were wondering when it would grow up. It just did. VoIP slammed through adolescence over the last year or so and is now a "newly mature" technology with many benefits and rapidly dropping deployment costs. But if you're new to the technology, it can be hard to get your arms around. That's where O'Reilly's new book "Switching to VoIP" fills a void. This gem of a techno primer by Theodore Wallingford explains VoIP better than any other book I've seen to date.
The book starts out with an essential introduction to the differences between legacy business phone systems, such as Key systems and PBXs, and VoIP switching. If you aren't familiar with such terms as POTS, trunk, T1, TDM, Dial Plan, ACH, and the like, Wallingford's first five chapters will give you a thorough grounding in telco talk. He also introduces the idea of running a Linux computer as an enterprise PBX, which will be shocking to some, but turns out to be very doable using the open-source VoIP software called Asterisk.
The book then dives into the details of VoIP signaling and transport, various sound encoding algorithms, and a checklist of issues you should address before rolling out a new VoIP implementation. For example, are your users ready to accept a major paradigm shift in their voice communications? Is your network beefy enough to accommodate the increased traffic of VoIP, and can you give VoIP packets the priority they need to maintain call quality and reliability? Do you have special security or regulatory compliance needs?
All these factors affect the cost and time to deploy VoIP. Wallingford helps you make a business case for (or against) VoIP, and if VoIP is in your future, explains how to construct a competent implementation plan, including vendor RFPs for equipment and software acquisition.
Once you begin rolling out a VoIP system, you'll encounter technical problems. Wallingford addresses these with seven chapters on operational topics: QoS, security and monitoring, troubleshooting tools, PSTN trunk issues, network infrastructure, legacy applications, and common problems. These chapters concentrate valuable old-hand VoIP deployment experience that you'd have to spend years accumulating on your own.
The book ends with chapters summarizing VoIP vendors and services, and the Asterisk open-source product. Three appendices provide handy references to SIP transactions, AGI commands, and Asterisk management APIs.
If you're seriously considering VoIP in your enterprise, this is the go-to book. It's available both in print and through O'Reilly's excellent Safari online book reading service.
http://www.oreilly.com/catalog/switchingvoip
Posted by mbeckman on October 13, 2005 at 8:47 AM