Dr. I Doctor's Informational Juggernaut
If you've been looking for a small, inexpensive, pre-configured Unix server to use as a workhorse for small network missions, look no further than Apple Computer. That's exactly what Apple has unwittingly delivered in its $499 Mac mini platform. Originally intended to woo Windows users to the Mac, the mini is a cunning combination of packaging and features made to order for networking chores. Whether it's DHCP and DNS, e-mail, Web hosting, or intrusion detection, the mini will meet your utility server needs faster than you can call Steve Jobs to make a lunch appointment.
Here's what you get for $499: A svelte 6" by 6" by 2" machine with 40GB disk, 512MB RAM, monitor, USB, FireWire and modem ports, all fully operational right out of the box. That alone is worth a lot, since installing your average Linux distribution and securely configuring it on the average generic CPU is easily a half-day project. Multiply your hourly value by four, and I'll wager you come awfully close to the mini's $500 cost, which means that Linux alternative costs twice the mini's price, assuming you can find bare hardware that small and cheap (I couldn't).
Did I mention the mini is small? It's way small. So small that you could put fifteen of them in the space occupied by a 1U rackmount server. This makes the mini perfect for out-of-space environments such as wiring closets, remote offices, and overfilled data centers. You can (and will) run the mini headless, administering it from afar with VNC, so the little slab that is the mini itself is all you need to make room for in deployment.
But wait, there's more. The mini isn't pre-loaded with some shaky Linux distribution supported by technomonks working out of a Helsinki moose lodge. No, the mini runs Apple's award-winning, open-source Mac OS X version of Unix, based on BSD Unix but cored by the Mach kernel. Mac OS X is a finely engineered, battle tested, school-kid hardened operating system with an extraordinary GUI interface that is both immensely easier to use than Linux and more reliable to boot.
And the mini is secure out of the box. Do not underestimate the importance of this aspect. Locking down Linux takes hours for experienced Linusites; ordinary mortals may never master the task. I won't even mention that the Mac (knock on chrome) has ZERO spyware and so few viruses that Mac users just toss off the need for anti-virus software. Unlike Windows XP and Linux, virtually no ports are left open on a mini fresh from its package. It's simply impenetrable by default, which is how all computers should be delivered.
But wait, there's more. This home computer box is really server-class hardware with built-in remote admin tools (SSH and VNC), IPSec VPN, hardware that can restart automatically from a power failure, and a sophisticated journaling file system. It will run perfectly well on the supplied 512MB RAM and 1.25 GHz processor. And that's RISC-CPU GHz, which puts it in the same class as a 2.5 GHz Intel CPU.
But wait, there's more. Secreted in the heart of every Mac, including the mini, is a dang useful suite of open-source server programs: Apache (Web), BIND (DNS), PHP, MySQL, miniSQL, all the BSD Unix tools, and very nice interfaces for them all. This is yet more pre-installed software that will save you time and trouble.
But wait, there's more. The MacOS X install DVD delivered with every Mac includes the celebrated Apple Development Tools, a self-contained package of compilers, editors, and other goodies. You won't be writing your own code, though (but you could). You'll be compiling other people's open-source software, which gives you access to a universe of open-source software.
But wait, there's more. Unlike Linux and its ilk, the mini has Apple's extraordinary software update service, which you can readily initiate remotely. This service, similar to Microsoft's Windows Update feature, but infinitely better done and much more reliable, lets your keep your mini up to date without taking it out of its mission.
But wait, there's more. But I must defer that to future items. Watch Dr. I Doctor for "how-to" articles on the Mac mini. Together we'll explore the outside of the envelope of this secret wonder. In fact, the first installment is posted right after this entry.
Posted by mbeckman on September 15, 2005 at 12:21 AM | Comments (5)
Every network admin has a toolkit, and SNMP tools are among the most numerous in mine. Although I use a slew of open-source SNMP gadgets for reading SNMP Management Information Base (MIB) tables, querying devices, and the like, it seems like no one tool works on all the platforms I use. So I end up with a patchwork of utilities, most text-based, that at times are very painful to use. Now MIB Views from Muonics, Inc. brings a truly cross-platform GUI SNMP query tool to the table. At $95 it's affordable. It's also very, very well written.
MIB Views provides an elegant graphical interface into the intricate world of SNMP, letting you query devices, extract entire MIBs, and even compile them. It can query multiple SNMP agents at once, search MIBs -- both the variable names and values -- and decode hex dumps of SNMP transactions. Supporting the whole spectrum of SNMP versions, v1, v2c, and v3, the tool provides HMAC MD5-96 and SHA-96 encryption, as well as CBC-DES. I know of no other tool that offers all these features -- at any price -- and does so with the ease of use of a Web browser.
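The SNMPv3 pieces named above (HMAC-MD5-96 and HMAC-SHA-96) rest on one piece of key handling that is worth seeing in code, because it explains why a v3 user has to be re-keyed for every agent. The Python below is an added example, not MIB Views code: it derives the user's master key from a password (RFC 3414 A.2), localizes it to an agent's engine ID, and produces the 96-bit truncated HMAC that travels in a message. The password and engine ID are the RFC's own worked example; the message bytes are constructed.

```python
import hashlib
import hmac

# Inputs from RFC 3414 appendix A.3 (the RFC's worked example, not values from
# MIB Views or from any device discussed on this page).
TEST_PASSWORD = "maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password, hash_name):
    """RFC 3414 A.2: repeat the password to fill 1 MiB, hash once -> Ku (the user's master key)."""
    pw = password.encode("utf-8")
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku, engine_id, hash_name):
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).

    An agent stores only Kul, so a key copied off one agent does not
    authenticate the same user to another agent with a different engine ID.
    """
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_parameters(kul, whole_message, hash_name):
    """HMAC-MD5-96 / HMAC-SHA-96: full HMAC over the message, truncated to 96 bits (12 octets).

    The sender zero-fills msgAuthenticationParameters, computes this tag and writes it in;
    the receiver recomputes it with its own stored Kul and compares.
    """
    return hmac.new(kul, whole_message, hash_name).digest()[:12]


def derive_localized_key(password, engine_id, hash_name="md5"):
    """Convenience wrapper: password -> Ku -> Kul for one engine."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, derive_localized_key(TEST_PASSWORD, TEST_ENGINE_ID, name).hex())
```

The localization step is the reason a tool like this needs the agent's engine ID (usually discovered with an unauthenticated request) before it can talk v3 at all, and it is also why reading one agent's key table does not hand an attacker the rest of the network.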
The utility runs on five platforms, which covers all of the ones I use regularly: Windows, FreeBSD, Linux, Solaris, and MacOS X. The vendor says he is open to porting to additional platforms as the need arises, an attitude I really appreciate.
You start out with MIB Views' tree view, which lets you drill down into a MIB's complexity as needed, without having to manhandle the entire MIB at one time. The SNMP Walk feature will retrieve an entire MIB from any SNMP agent, and the Table View tool lets you view table-oriented variables clearly. You can also monitor for traps with Trap Watch. The built-in MIB compiler reads and validates vendor-provided MIBs and then lets you use those MIBs to interpret SNMP queries and browse live MIB data.
My favorite use for SNMP analysis tools is to locate undocumented MIB variables in a device so that I can monitor them with an NMS, such as Dartware's Intermapper. MIB Views works very well for this, showing me the precise Object Identifier (OID) I am looking for, letting me easily create an NMS monitor for that variable.
http://www.muonics.com/Products/MIBViews/
Posted by mbeckman on September 6, 2005 at 8:32 AM
With the ever-increasing power and heat density of today's networking gear, IT pros need to keep close tabs on environmental conditions in equipment closets and data centers. We need a variety of sensors -- temperature, humidity, water, airflow, security -- and lots of them. One temperature sensor in a rack or closet is not enough, since one device buried in the rack could overheat, yet only slightly increase the total temperature of the whole stack. Yes, you could always build your own sensor systems out of networking components and clever programming, but that's tedious. Turn-key solutions have been available, but until recently, cost one arm and two legs. WeatherGoose from IT Watchdogs changes all that.
WeatherGoose is a 1-U five-inch-deep sensor array with embedded Web server and SNMP support. It has five sensors on board: temperature, humidity, airflow, light, and sound. The $400 Wx-Goos-1 model also sports three zero-to-five volt analog sensor connectors for bus-based sensors using the Maxim (formerly Dallas Semiconductor) OneWire network. OneWire lets you string dozens of individually-addressable sensors daisy-chain style along a single RJ-11 connector bus.
One very slick feature of this device is its internal data log and graphing capability. Unlike many other commercial sensors (costing three times as much), the WeatherGoose saves an archive of all its data internally, and provides its own graphs via a built-in Web server. You can extract this log as a CSV file using a single HTML request. This means you don't have to run an SNMP NMS to collect its data, although you can if you want, as the WeatherGoose has excellent SNMP support.
The Web interface also lets you configure e-mail notification for various alarm conditions, and this is about the only such device I've seen intelligently support POP-before-SMTP e-mail authentication -- essential if you want your e-mail notifications to get delivered to an offsite e-mail service. The Web interface also provides URL access for PDA- and WPA-form factor displays.
The Wx-Goos-2 SuperGoose version adds a back-lit LCD display, alarm horn, and support for a video camera for another $100. For $800 you can get the PowerGoose, a WeatherGoose with 10 individually controllable 5-20R A.C. receptacles built in and power state monitoring to boot.
You can try one live at:
Full product details are on the vendor's Web page:
Posted by mbeckman on September 6, 2005 at 8:10 AM
The world is getting flatter every day according to Thomas L. Friedman, author of The World is Flat: A Brief History of the Twenty-first Century. And nowhere is that more apparent than in e-commerce, where you can purchase stuff online, pay for it in whatever coin of the realm you choose, and still get it delivered with instant-gratification speed. Such is the case with M-Tech's very inexpensive, and thus novel, Network Time Protocol (NTP) server, which at $500 is one third the price of the nearest competitor.
You probably already know what an NTP server is, but just to refresh your memory, it provides an accurate time source for the clock/calendar chips built into all your network devices: routers, switches, servers, even desktop systems. The NTP server gets its time from some authoritative source -- ultimately one of the atomic time standards available from various governments -- and then passes it on to end-user devices. To prevent any one NTP server from being saturated, the entire galaxy of NTP servers is organized in a hierarchy, with each server occupying a particular level in that hierarchy, called a Stratum, which represents its distance from the atomic standard. Stratum-0 servers are the atomic sources themselves, with Stratum-1 servers being once removed, Stratum-2 twice removed, and so on. The farther removed a server is from Stratum-0, the less accurate and reliable it is.
Most network admins get their NTP service from an NTP server on the Internet, and are lucky if they can find a usable Stratum-3 server. That makes their own network server of Stratum-4 quality, which is none too good, let me tell you. If your Internet connection goes down, your devices depending on the Internet-resident NTP server may simply revert their clocks to some ancient date and time.
Network time synchronization is important to network administrators. First, tracing events through the time-stamped logs of various devices requires those devices to agree on the time to make sense of their logs. Second, some protocols, such as SSL and VPN, are very time-dependent, and may fail if clocks get too far out of synch. Third, many applications are ill-equipped to handle a sudden blast-to-the-past and will explode spectacularly when such timequakes occur. A possibly apocryphal incident had one employee getting 60 years of back pay when the clock reset on a computer running his company's payroll.
It turns out that there is one spectacularly wonderful Stratum-0 time standard whirling constantly above our heads: the Global Positioning System. With the right equipment you can suck the Stratum-0 time right out of the air, making your local network a Stratum-1 time standard. And so far the GPS system has not crashed once (knock on wood), so you can pretty much be assured of 100% reliability. Alas, until recently, the "right equipment" cost at least $1,500, took up a whole rack space, and was designed to be painfully difficult to configure and deploy. I suspect mostly phone companies buy these things ("At the tone, the time will be...").
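Here is the stratum and reference-ID business above reduced to code, as an added example that is not from this post or from any NTP vendor: a small Python client-side check that builds a mode-3 request, parses a mode-4 reply, reads the stratum and reference ID, computes the clock offset and round-trip delay from the four timestamps, and refuses to apply the kind of 60-year "timequake" described above. The reply bytes are constructed in the code rather than received from a server, and MAX_SANE_STEP is an assumed limit.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
MAX_SANE_STEP = 1000.0          # assumption: largest correction (seconds) applied without a human looking first


def to_ntp(unix_seconds):
    """Unix timestamp (float) -> (whole seconds since 1900, 32-bit binary fraction)."""
    secs = int(unix_seconds)
    frac = int(round((unix_seconds - secs) * (1 << 32)))
    return secs + NTP_EPOCH_OFFSET, frac


def from_ntp(secs, frac):
    """Inverse of to_ntp."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)


def build_request(t1):
    """Client packet: LI=0, version 3, mode 3; transmit timestamp = T1 (our send time)."""
    words = [0] * 9 + list(to_ntp(t1))
    return struct.pack("!BBBb11I", (3 << 3) | 3, 0, 6, -20, *words)


def make_reply(stratum, ref_id, t1, t2, t3, leap=0):
    """Constructed server reply (mode 4) for the demo: T1 echoed as originate, T2 receive, T3 transmit."""
    words = [0, 0, int.from_bytes(ref_id[:4].ljust(4, b"\0"), "big")]
    for t in (t2, t1, t2, t3):          # reference, originate, receive, transmit timestamps
        words.extend(to_ntp(t))
    return struct.pack("!BBBb11I", (leap << 6) | (3 << 3) | 4, stratum, 6, -20, *words)


def evaluate(reply, t1, t4):
    """Parse a reply received at T4 and decide whether its time is safe to apply."""
    if len(reply) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    hdr = struct.unpack("!BBBb11I", reply[:48])
    li_vn_mode, stratum = hdr[0], hdr[1]
    w = hdr[4:]
    leap, mode = li_vn_mode >> 6, li_vn_mode & 7
    raw_ref = w[2].to_bytes(4, "big")
    if 2 <= stratum <= 15:                      # reference ID is the upstream server's IPv4 address
        ref_id = ".".join(str(b) for b in raw_ref)
    else:                                       # stratum 1: clock source code (GPS, PPS, ...); 0: kiss code
        ref_id = raw_ref.decode("ascii", "replace").rstrip("\0")
    t2, t3 = from_ntp(w[7], w[8]), from_ntp(w[9], w[10])
    offset = ((t2 - t1) + (t3 - t4)) / 2        # how far our clock is behind (+) or ahead (-)
    delay = (t4 - t1) - (t3 - t2)               # round-trip network delay
    reasons = []
    if mode != 4:
        reasons.append("not a server reply")
    if (w[5], w[6]) != to_ntp(t1):
        reasons.append("originate timestamp does not match our request (bogus or replayed reply)")
    if leap == 3:
        reasons.append("server reports its clock is unsynchronized")
    if not 1 <= stratum <= 15:
        reasons.append("stratum %d: no usable reference clock" % stratum)
    if abs(offset) > MAX_SANE_STEP:
        reasons.append("offset of %.0f s exceeds sane step; refusing the time jump" % offset)
    return {"stratum": stratum, "ref_id": ref_id, "offset": offset, "delay": delay,
            "accept": not reasons, "reasons": reasons}


if __name__ == "__main__":
    T1, T2, T3, T4 = 1000000000.0, 1000000002.0, 1000000002.5, 1000000001.0
    print(evaluate(make_reply(1, b"GPS", T1, T2, T3), T1, T4))
```

In real use you send build_request() over UDP port 123, note T4 when the reply arrives, and hand both to evaluate(); a GPS-disciplined box like the one described next answers with stratum 1 and a reference ID of "GPS". The originate-timestamp check is what stops a stray or replayed packet from being accepted, and the step limit is the same idea as the panic threshold in ntpd: a huge correction is logged for a human rather than applied.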
Enter the Slovakian company M-Tech, who sells a very nice-looking, Web-administered GPS NTP server the size of a compact modem. You plug Ethernet in one side, hand the supplied GPS antenna out the window, and you're a Stratum-1 NTP site! As a bonus, the thing supports SNMP traps to let you know if all the GPS satellites disappear (a grim prospect), and NMEA-standard GPS output that you can use for other things GPS, such as tracking the location of your building. Out here in California that's a useful function.
I know what you're asking. "Slovakia? Where the heck is that? Is it near Outer Mongolia? [It isn't.] Do they have FedEx? I don't want to wait six months to get this thing!" My answer is that it doesn't really matter where Slovakia is. You pay with a credit card in U.S. dollars and if they don't deliver you reverse the charge. Except by all accounts they do deliver, so it's really no different than buying a book from Amazon. Maybe even faster.
OKAY, okay, if you insist. Here's what the capital of Slovakia looks like:
[Click here to see Bratislava] I don't know if M-Tech is in Bratislava or some other corner of Slovakia, because I can't read Slovensky, but it doesn't matter, does it, because they have an English catalog page and online ordering:
http://www.mtechba.sk/gpsntp/gpsntp_selection.html
I love it. I've just made the world a little flatter.
Posted by mbeckman on June 30, 2005 at 12:31 PM
Keeping track of passwords and user IDs is tedious; doing so securely seems almost impossible. Numerous commercial products have pretended to solve the problem, but all that I've seen have fallen short in security, convenience, or both. Bruce Schneier -- a well-known security consultant, author of the classic security tome Applied Cryptography, and the creator of the Blowfish encryption algorithm -- has released to the open-source community his own personal password management tool called Password Safe.
Password Safe runs on both Windows and Pocket PC operating systems from either the local hard drive or a removable USB thumb drive. Schneier's company, Counterpane Labs, verified the program's security, and the source code is available for public scrutiny on SourceForge. The program is easy to use -- interacting with the Windows copy/paste buffer. After gaining access to Password Safe through your master password, you click on the password entry you want to copy and then paste the associated user ID and password into the log-in screen or other authentication interface. This has the benefit of being both simple and secure from shoulder-surfing attacks.
The utility also sports an auto-type feature that generates the actual keystrokes required to fill a user ID and password field, letting you avoid the copy/paste step altogether. And for creating secure passwords on the spot, Password Safe incorporates a policy-driven password generator that produces secure passwords resistant to dictionary and other brute-force attacks.
Password Safe includes a thorough, HTML-based user guide that you can view readily in any Web browser.
http://passwordsafe.sourceforge.net/
Posted by mbeckman on June 17, 2005 at 9:50 AM
E-commerce authentication is a bugaboo. Users typically log in with just a user ID and password, and these are easily compromised with phishing attacks and password guessers. The result is the current flood of e-commerce fraud and identity theft, which dampens users' enthusiasm for e-commerce and represents a huge liability for e-vendors. One fix to the problem is to use two-factor authentication -- a second credential that a user must supply in order to log into his or her e-commerce account. The second factor could be biometric or some sort of token, such as a smartcard or one-time-password generator. Alas, biometric readers are not commonplace, and distributing tokens is too cumbersome and expensive.
Anakam LLC has a clever solution to the problem in its Whisper product: Employ a token nearly everyone has already, the ordinary cell phone.
When a user logs into a Whisper-enabled Web site, Whisper generates a unique one-time access key and transmits it to the user's registered cell phone address via an e-mail or SMS message. The user then completes the e-commerce login by entering this key into the logon page, which permanently authorizes that particular computer to the site for a pre-determined time interval.
This approach blocks phishing attacks, because the phisher does not know the victim's registered cell phone number. It thwarts password guessers by changing the effective password with every login, guaranteeing that the password can't be brute-forced by systematic guessing.
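To make the flow above concrete, here is the server side of an out-of-band one-time key as an added example; it is not Anakam's code and assumes nothing about how Whisper is built. The key is generated fresh per login, delivered through a hypothetical send_message hook (an SMS or e-mail gateway in a real deployment), kept server-side only as a keyed digest, accepted once within a short window with a cap on wrong guesses, and on success the computer is issued a token that remains valid for a fixed interval. The TTLs and attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

KEY_TTL = 300            # assumption: a one-time key is good for five minutes
DEVICE_TTL = 30 * 86400  # assumption: a verified computer stays authorized for 30 days
MAX_ATTEMPTS = 5         # assumption: wrong guesses allowed before the key is voided


class OneTimeKeyAuth:
    """Second-factor step: key sent out of band to the registered phone, entered on the
    login page, then the computer is remembered for a fixed interval."""

    def __init__(self, server_secret, send_message, clock=time.time):
        self._secret = server_secret      # keyed digests: a leaked table is useless offline
        self._send = send_message         # callable(phone, text): hypothetical SMS/e-mail gateway hook
        self._now = clock                 # injectable for testing
        self._pending = {}                # username -> [key digest, expiry, wrong attempts]
        self._devices = {}                # device-token digest -> (username, expiry)

    def _digest(self, value):
        return hmac.new(self._secret, value.encode("utf-8"), hashlib.sha256).digest()

    def begin_login(self, username, phone):
        """After the password checks out: mint a fresh 8-digit key and send it to the phone."""
        key = "".join(secrets.choice("0123456789") for _ in range(8))
        self._pending[username] = [self._digest(key), self._now() + KEY_TTL, 0]
        self._send(phone, "Your one-time login key is %s" % key)   # only the digest is kept server-side

    def complete_login(self, username, submitted_key):
        """Return a device token on success, None on failure; each key works at most once."""
        entry = self._pending.get(username)
        if entry is None:
            return None
        digest, expiry, attempts = entry
        if self._now() > expiry or attempts >= MAX_ATTEMPTS:
            del self._pending[username]             # stale or hammered: void it, user must start over
            return None
        if not hmac.compare_digest(digest, self._digest(submitted_key)):
            entry[2] += 1
            return None
        del self._pending[username]                 # single use: a replayed key fails
        token = secrets.token_urlsafe(32)
        self._devices[self._digest(token)] = (username, self._now() + DEVICE_TTL)
        return token

    def device_authorized(self, username, token):
        """True while the remembered computer's authorization has not expired."""
        rec = self._devices.get(self._digest(token))
        return rec is not None and rec[0] == username and self._now() <= rec[1]


if __name__ == "__main__":
    outbox = []
    auth = OneTimeKeyAuth(b"constructed-server-secret", lambda phone, text: outbox.append(text))
    auth.begin_login("alice", "+1-555-0100")       # constructed phone number
    key = outbox[-1].split()[-1]
    token = auth.complete_login("alice", key)
    print("device authorized:", auth.device_authorized("alice", token))
```

Two details carry the security properties the post claims: the key is single-use and short-lived, so a phished or guessed value is worthless after the window; and the device token lives in a cookie the browser presents later, which is what "permanently authorizes that particular computer" for the interval. Rate-limiting begin_login per user is the remaining piece, so an attacker cannot use the site to flood a victim's phone.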
Whisper isn't expensive either -- it can be deployed at the cost of just pennies per user in large applications like online banking, but costs only a few dollars per user in smaller deployments, making it practical for even specialized e-commerce applications.
Posted by mbeckman on June 2, 2005 at 9:26 AM
An interesting new product niche for network managers is log management. All of our network devices spew reams of log information, in multiple formats and stored on multiple ancillary systems. These logs must be tended regularly to be useful -- both to detect significant events and to prevent the logs from overflowing available storage. New regulatory requirements -- such as Sarbanes-Oxley and HIPAA -- will likely mandate that we keep these logs on hand for a long time and protect them from tampering. A log management appliance does all that for you by providing log post-processing and analysis, data compression and storage, and digital signatures to detect alterations.
LogLogic is one of the first vendors of a drop-in log management appliance, and an Interop Best-of-Show winner. Offered in two flavors -- ST for long-term archival storage and LX for short-term storage, analysis, and alerting -- these devices are one-U boxes that set up in minutes. You configure them to accept SYSLOG records from routers, switches, servers, firewalls, and the like, and they then automatically manage these logs without further attention.
A LogLogic appliance processes entries in realtime, adding digital signatures and compressing them, then spooling the entries into an indexed store. LogLogic units can have their own 2.5 terabyte storage, or they can work with a third-party network attached storage (NAS) device. LogLogic claims compression ratios as high as 12:1, which is believable since log files often contain a great deal of repetitive data. You have the option of rolling the oldest log entries to DVD or tape, making this a virtually inexhaustible data sink.
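The two things the appliance is doing to each record, sealing it against alteration and compressing it, are easy to see in miniature. The Python below is an added example, not LogLogic's code: it takes a handful of constructed SYSLOG lines, chains them with an HMAC (a keyed MAC stands in here for the appliance's digital signature), compresses the sealed store, and shows that editing, deleting, or appending an entry is caught on verification. The key and log lines are constructed.

```python
import hashlib
import hmac
import json
import zlib

# Constructed syslog lines (not from any real device discussed on this page)
SAMPLE_SYSLOG = [
    "Jun  2 08:45:01 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=23",
    "Jun  2 08:45:02 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=445",
    "Jun  2 08:45:07 sw3 sshd[2214]: Failed password for admin from 192.0.2.10 port 40122 ssh2",
    "Jun  2 08:45:09 sw3 sshd[2214]: Failed password for admin from 192.0.2.10 port 40123 ssh2",
    "Jun  2 08:45:15 rtr2 %SYS-5-CONFIG_I: Configured from console by operator on vty0 (10.0.0.7)",
    "Jun  2 08:45:20 fw1 kernel: DROP IN=eth0 SRC=192.0.2.11 DST=203.0.113.5 PROTO=UDP DPT=161",
    "Jun  2 08:45:31 sw3 sshd[2231]: Accepted publickey for operator from 10.0.0.7 port 50110 ssh2",
    "Jun  2 08:45:40 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=22",
]

CHAIN_SEED = b"\0" * 32   # tag "before" the first record


def seal_entries(lines, key):
    """Chain the entries: each tag is HMAC(key, previous tag || line), so every tag
    depends on everything before it and a record cannot be altered or removed silently."""
    records, prev = [], CHAIN_SEED
    for seq, line in enumerate(lines):
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        records.append({"seq": seq, "line": line, "tag": tag.hex()})
        prev = tag
    return records


def verify_entries(records, key):
    """Return -1 if every record checks out, else the index of the first bad record."""
    prev = CHAIN_SEED
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            return i
        expect = hmac.new(key, prev + rec["line"].encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(rec["tag"])):
            return i
        prev = expect
    return -1


def archive(records):
    """Serialize the sealed records and compress them; returns (blob, uncompressed size)."""
    raw = json.dumps(records, separators=(",", ":")).encode("utf-8")
    return zlib.compress(raw, 9), len(raw)


def restore(blob):
    return json.loads(zlib.decompress(blob).decode("utf-8"))


def compression_ratio(lines, key):
    blob, raw_len = archive(seal_entries(lines, key))
    return raw_len / len(blob)


if __name__ == "__main__":
    key = b"constructed-appliance-key"
    sealed = seal_entries(SAMPLE_SYSLOG, key)
    print("chain verifies:", verify_entries(sealed, key) == -1)
    print("compression ratio: %.1f:1" % compression_ratio(SAMPLE_SYSLOG, key))
```

One caveat a chain alone does not cover: silently dropping the newest records leaves a perfectly valid shorter chain, so the latest tag (or a count) has to be written somewhere the log store cannot rewrite, which is the role an external signing key or a write-once medium such as the DVD roll-off plays. The compression figure here comes from a few repetitive lines; real firewall logs compress far better than the random-looking tags do, which is why the vendor's 12:1 is plausible.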
The ST version lets you archive prodigious amounts of log data while retaining the ability to search and retrieve entries via a Web browser interface. The LX version lacks the vast storage abilities of the ST, but provides realtime log analysis, alerting for pre-selected conditions, and extensive reporting capabilities. As with the ST, you can view entries with a Web browser; but the LX also supports a live viewer application to let you watch log entries stream by as they occur.
The LX only holds 90 days of data, but you can team an LX box with an ST for long-term storage. In fact, you can mix and match versions to extend logging capabilities to everywhere in your enterprise, making this solution very scalable.
The products have list prices starting at about $20,000, so they're aimed at enterprises rather than small shops. But if you're in a mid-sized enterprise facing serious labor costs to comply with data retention mandates, a log management appliance may well be the cheapest solution available.
Posted by mbeckman on June 2, 2005 at 8:45 AM
Voice-over-IP services are all the rage for home users wanting to cut the cord to their local exchange carrier. But these services have a sleeper application that network administrators should carefully investigate: the voice-processing core of your enterprise help desk system. I tested several VoIP products and found one, AT&T's CallVantage, whose combination of features make it near-perfect as the call nexus for an in-house help desk.
Setting up the phone system for a help desk in the average corporate environment is problematic, because you must live within the limitations of the organization's existing phone switch. Few of these support such useful features as e-mail-delivered voice mail, n-way conference calling, and hunt-me-down call blasting. Using the enterprise phone system for your call center may also make it difficult for telecommuters and other outside users to call into the system.
VoIP providers like AT&T, Lingo, and Vonage, however, offer all of these features and have the advantage of giving offsite users ready access. In fact, I argue that severing the help desk from the in-house phone system is a valuable reliability enhancement. I tested the three listed commercial VoIP offerings, along with the open-source Skype, and found compelling reasons to choose AT&T over the others. More about that in a moment, but first take a look at how a VoIP package can give you a help desk-in-a-box for about $50/month.
The three big features of VoIP that help desk managers will love are Web-based message management, inbound call redirecting, and n-way conference calling. Web-based message management gives you browser access to incoming calls and voicemail messages stored as audio files. You can easily forward those messages to anyone via e-mail, or store them as attachments in a trouble ticket archive. You can also automatically forward incoming voice messages for re-broadcast to your entire support staff. This gives you a permanent, pervasive record of what help desk callers said when they called in.
Inbound call redirecting lets you instantly change where callers land. You can forward all calls to an on-duty staffer's cellphone, or send them all straight to voicemail while the help desk staff is in a meeting. You also can forward incoming calls to more than one destination simultaneously, a feature called call blasting, which helps your callers get through to an available staffer quickly.
N-way conference calling lets you bridge four or more people into a call during the problem-solving process. Most corporate phone systems support three-way conference calling, but that's rarely enough to untangle problems that might involve several consulting parties. If the VoIP conferencing feature is also Web-enabled, VoIP solves the problem of dropping only the party you want to drop, by letting you simply click on that party in the Web-displayed list of people on the call.
There are lots of other features in VoIP systems that add additional value to the help desk application, but these are the big three. Of the four systems I tested -- AT&T, Lingo, Skype, and Vonage -- I found AT&T's CallVantage the best for the help desk. Lingo and Vonage both lacked features found in CallVantage, and voice quality was sometimes lacking as well. AT&T had consistently great sound. Skype, the open-source solution, is very interesting, but lacks the off-the-shelf packaging of commercial VoIP. Even though it can cost much less per month, since you only pay for calls that leave the Skype network to or from a landline, the hidden cost of staff labor overwhelms this advantage.
CallVantage's best features include a 10-way Web-enabled conference calling bridge that lets you initiate calls from your browser and easily drop just the callers you want during the course of a conference; LocateMe, a call blaster that can either sequentially or simultaneously call five destination numbers to get a help desk staffer on the phone; fax e-mail forwarding; caller-ID name and number in pager notifications, and call filtering, which lets you direct calls to voicemail based on the caller-ID information. AT&T's $50 small-business package includes two VoIP phone lines and all the necessary hardware. I found that with only minor e-mail-server scripting I was able to tie voicemail attachments into my existing trouble ticket system.
The best feature of all of these systems is that they're inexpensive to try out. All offer a trial plan that you can buy without making a long contract commitment.
Posted by mbeckman on May 2, 2005 at 7:46 AM
Many successful network penetrations use attacks against Web-based applications: SQL server injection, HTTP path evasion, embedded argument manipulation, and cross-site scripting -- to name just a few. The problem is that ordinary network firewalls don't inspect application-layer data, and so can't protect against these attacks. ModSecurity is a nifty open-source application firewall that anyone can deploy at low cost to help protect Apache-based Web servers against common application vulnerabilities.
ModSecurity is a rule-driven security scanner that runs as a plug-in module to Apache. You can run the plug-in directly on your Web server, or set up a separate server running Apache with ModSecurity in reverse-proxy mode. In either case, ModSecurity receives all HTTP requests, filters them, and passes the safety-checked requests on to your application server. ModSecurity also looks at your application server's response to detect possibly successful intrusions. Configured correctly, ModSecurity adds very little overhead to application Web serving.
The rules database lets it detect various attacks, and you configure the actions you want from ModSecurity for each detected violation: report, repair, or reject. The rule syntax is based on the open source Snort IDS; you can enhance the base rule library with custom detection rules of your own devising.
Rules come in two varieties: input and output. Input rules guard against malformed requests and other attacks from the Internet; output rules check HTTP responses to make sure they don't contain sensitive information. The rule set to protect against the most common Web application attacks is surprisingly short: just 15 lines. You'll customize this base set for your specific application language. Currently Java, PHP, and Web Services are supported.
Output rules guard against information leaks by watching for telltale strings such as "Command Completed", "Index of /cgi-bin", and "file(s) copied". Such strings indicate an attack, such as remote command execution, has partially succeeded; output filtering prevents the attacker from reaping the fruits of his attack.
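The input/output split and the report-or-reject actions above are the whole shape of the thing, so here is a toy version in Python as an added example; it is not ModSecurity code and does not use its rule syntax. Requests are normalized (URL-decoded twice, null bytes dropped) before the input rules run, the output rules look for the three telltale strings quoted above in the application's reply, and a proxy() wrapper shows the reverse-proxy order of operations. The rules and the sample requests are constructed, and backend is a hypothetical callable.

```python
import re
from urllib.parse import unquote_plus

# Input rules: (name, pattern applied to the normalized request, action)
INPUT_RULES = [
    ("path-traversal", re.compile(r"\.\./"), "reject"),
    ("sql-injection", re.compile(r"(?i)(union\s+select|\bor\s+\d+\s*=\s*\d+)"), "reject"),
    ("cross-site-scripting", re.compile(r"(?i)<\s*script"), "reject"),
    ("oversize-parameter", re.compile(r"[^&=]{256,}"), "report"),   # logged, but let through
]

# Output rules: strings in a response that mean something on the server already went wrong
OUTPUT_RULES = [
    ("info-leak", re.compile(re.escape(s)), "reject")
    for s in ("Command Completed", "Index of /cgi-bin", "file(s) copied")
]


def normalize(text):
    """Undo the encodings used to slip past a naive string match."""
    decoded = unquote_plus(text)
    decoded = unquote_plus(decoded)           # double-encoded payloads
    return decoded.replace("\0", "")


def _apply(rules, location, text):
    events, allowed = [], True
    for name, pattern, action in rules:
        if pattern.search(text):
            events.append((name, action, location))
            if action == "reject":
                allowed = False
    return allowed, events


def check_request(method, path, query, body):
    """Input rules over path, query string and body; returns (allowed, events)."""
    allowed, events = True, []
    for location, text in (("path", path), ("query", query), ("body", body)):
        ok, ev = _apply(INPUT_RULES, location, normalize(text))
        allowed, events = allowed and ok, events + ev
    return allowed, events


def check_response(body):
    """Output rules over the application's reply; a hit means the request should have been stopped."""
    return _apply(OUTPUT_RULES, "response", body)


def proxy(request, backend):
    """Reverse-proxy flow: filter request, call the (hypothetical) backend, filter its response."""
    ok, events = check_request(*request)
    if not ok:
        return 403, "Request blocked", events
    status, body = backend(*request)
    ok, out_events = check_response(body)
    if not ok:
        return 500, "Response withheld", events + out_events
    return status, body, events + out_events


if __name__ == "__main__":
    print(check_request("GET", "/app/item", "id=42", ""))
    print(check_response("<html><body>Command Completed</body></html>"))
```

Worth noting from the example: the output rule fires on a response that the input rules never saw a problem with, which is exactly the "partially succeeded" case in the post, and the "report" action is what you run new rules under for a while before promoting them to "reject", since a false positive on a reject rule is a self-inflicted outage.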
Download ModSecurity today from:
http://www.modsecurity.org
Posted by mbeckman on March 11, 2005 at 10:08 AM
Conducting a network security audit isn't very easy the first time you do it. You've got to either purchase a commercial audit package and learn how it works or assemble your own ad hoc toolkit from open source offerings. Either way, you're looking at hours of effort to get even a quick look at the security condition of your network.
Now you can conduct an initial audit in just minutes, with a total cash investment of only $37, thanks to Nsasoft's Nsauditor.
Nsauditor is a suite of 34 ready-to-run security scanners that will probe your network for common vulnerabilities and give you a quick heads up of any glaring exposures. It includes probes for MS and Sun RPC ports, MSSQL Server, NetBIOS, SNMP, SMTP, Web proxy, CGI, and LM/NTLM password vulnerabilities. It also includes a reasonably capable Security Events monitor, an IP ARP watcher, a routing monitor, a local connection analyzer, and a bevy of tools for performing various common network assessment tasks, such as validating DNS servers, verifying routing, and capturing and decoding Ethernet packets.
A built-in discovery scanner detects all live hosts on your network and executes more detailed scans on each automatically. A report generator creates XML-formatted reports detailing the results of each audit run.
Is this as complete a tool as heavy-weight vulnerability assessment packages sold by the likes of eEye, Foundstone, and ReddShell? No, but it's definitely way more than $37 worth of securityware. The package is a little rough around the edges, and documentation could be more complete, but any network professional with basic mouse-clicking skills can drive this program through its paces. If you're new to VA, this tool will let you get some basic hands-on experience at low cost. If you're an experienced network security auditor, Nsauditor can still give you a quick initial assessment to help you see where to best concentrate more detailed analysis.
Posted by mbeckman on February 27, 2005 at 7:51 PM
If you're building a community wireless project, or setting up guest wireless access for your enterprise, you face several difficult problems that make rollout a little more complicated than just plugging in a cheap WiFi access point. The first problem is user authentication: assigning user IDs and passwords, and keeping track of usage. The second is keeping network usage fair, by preventing bandwidth hogs and one or two malicious users from spoiling the party for everyone else.
While it's always been possible to cobble together the pieces you need to pull this off -- one or more APs, a managed Ethernet switch, and a Linux box running security and rate-limiting software -- now you can get the whole package in a single box for under $600. The D-Link DSA-3200 Wireless G Public/Private Hot Spot Gateway combines an 802.11g access point with an authentication server supporting 250 user accounts in an internal non-volatile database. The unit also sports URL redirection, bandwidth control, network policy enforcement, timed sessions, traffic monitoring, and denial-of-service attack prevention.
The URL redirection feature captures users in their browsers, displaying a customized, branded Web page unique to your hotspot network no matter what URL a user initially surfs to. This page provides user log-in fields, as well as any pricing, policy, or usage disclaimers you wish to post. No user can fully access the WiFi network without passing through this page.
Bandwidth control and network policy enforcement let you prevent one or two users from hogging all the bandwidth, by organizing users into one of several usage groups. You can, for example, configure a limited free user group at low speeds useful for email and light browsing, reserving higher speed access for paying users. Network policy enforcement lets you limit how certain protocols are used, such as outgoing SMTP mail, to prevent network abuse by spammers and other evildoers.
Timed sessions help you provide fair access when more users compete to get online than you have resources to support; once someone's limited session time has expired, another user gets a chance to go online. Traffic monitoring and DoS attack detection and prevention let you monitor the network to make sure it's healthy and detect problem users, such as those with viruses that might otherwise shut down the network.
The DSA-3200 is perfect for a single-AP hotspot, providing a working radius of 300 feet or so in open space. If your hotspot network expands, you can extend the network with generic APs, making the DSA-3200 the hub of your WiFi network.
The box provides dual diversity antennas, three Ethernet ports -- LAN, WAN, and DMZ -- and supports SNMP, SSH, and HTTPS (SSL/TLS) management protocols. Authentication can use a built-in RADIUS server, or an external RADIUS authentication service.
Find out more about the DSA-3200 online at:
http://www.dlink.com/products/?pid=402
Posted by mbeckman on January 31, 2005 at 8:02 AM | Comments (1)
Environmental monitoring is an important aspect of network administration, but it's always been kind of pricey to do remotely. Most environmental monitoring platforms cost several hundred to several thousand dollars, support only a few expensive, proprietary sensors, and aren't readily automated through web interactions. As a result, we network administrators tend to monitor one or two environmental variables -- temperature, and perhaps humidity -- per data center or rack, even though we'd like to measure many more things.
The HA7Net from Embedded Data Systems is a palm-sized Ethernet-equipped Web-enabled environmental monitoring platform that costs only $150.
It supports a huge array of standard off-the-shelf sensors based on the famous Maxim (formerly Dallas Semiconductor) OneWire interface. If you're not familiar with it, the OneWire interface is a simple single-wire daisy-chain network for slow speed communication with tiny, cheap remote sensing and control devices. These devices include temperature, humidity, and contact closure sensors, remote relays, analog-to-digital and digital-to-analog converters, digital displays, digital key readers, and audible alarms. The operative word here is "cheap." Unlike competing sensors costing $100 each or more, these typically cost under $20 in single quantities, and you can buy the OneWire components themselves for two or three dollars each and make your own sensors.
Every OneWire device has a unique 64-bit serial number programmed into it, and you can individually address, read, and write to as many as 100 devices on the OneWire network through the HA7Net. In OneWire lingo, the HA7Net is a "Bus Master". But because it's both Ethernet and Web enabled, it's an eminently programmable Bus Master that you can easily integrate into your existing network management system.
You interact with the HA7Net using a web browser, over either http or https (SSL) connections. The box has a reasonably friendly Web GUI, but actually manipulating OneWire devices requires a bit of study to understand how the OneWire protocol works. In a nutshell, every OneWire interaction consists of two steps: selecting a device, and then communicating with it. You perform these steps using two HTML transactions, which you can enter by hand using any Web browser or automate using a Web scripting engine such as Wget or Lynx.
One of the HA7Net's HTML commands returns an inventory of all the devices connected to the OneWire network, which lets you quickly verify in a single operation that all your sensors and controls are online and available. You can then communicate with devices individually using additional HTML commands.
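As an added example (not code from the HA7Net or Embedded Data Systems), here is a small Python check a monitoring script can run over the inventory the bus master returns: it verifies the CRC-8 that closes every 64-bit ROM ID before trusting the value, names the device family, and reports any expected sensor that did not answer. It assumes the bus master prints ROM IDs MSB first (CRC byte first, family code last), which is Maxim's conventional notation; the family-code table, the sample inventory and the baseline set are constructed for the example.

```python
from __future__ import annotations

# Well-known Maxim/Dallas family codes; anything else is reported as unknown.
FAMILY_NAMES = {0x10: "DS18S20 temperature", 0x28: "DS18B20 temperature",
                0x12: "DS2406 switch", 0x26: "DS2438 battery/humidity"}

def crc8_onewire(data: bytes) -> int:
    """Dallas/Maxim CRC-8: poly x^8+x^5+x^4+1, bits fed LSB first, init 0."""
    crc = 0
    for byte in data:
        for _ in range(8):
            mix = (crc ^ byte) & 1
            crc >>= 1
            if mix:
                crc ^= 0x8C
            byte >>= 1
    return crc

def make_rom(family: int, serial: bytes) -> str:
    """Build a 16-hex ROM ID (CRC, 48-bit serial, family; MSB first) for test data."""
    body = bytes([family]) + serial[::-1]      # CRC input: family, then serial LSB..MSB
    return f"{crc8_onewire(body):02X}{serial.hex().upper()}{family:02X}"

def parse_rom(addr: str) -> dict:
    """Split a ROM ID into CRC, serial and family code and verify the CRC."""
    raw = bytes.fromhex(addr)
    if len(raw) != 8:
        raise ValueError(f"ROM ID must be 8 bytes: {addr!r}")
    crc, serial, family = raw[0], raw[1:7], raw[7]
    ok = crc8_onewire(bytes(reversed(raw[1:]))) == crc   # family first, serial LSB first
    return {"addr": addr.upper(), "family": family, "serial": serial.hex().upper(),
            "name": FAMILY_NAMES.get(family, f"unknown family 0x{family:02X}"),
            "crc_ok": ok}

def check_inventory(seen: list[str], expected: set[str]) -> dict:
    """Drop corrupted IDs and list expected devices that are not on the bus."""
    parsed = [parse_rom(a) for a in seen]
    good = [p for p in parsed if p["crc_ok"]]
    return {"devices": good,
            "bad_crc": [p["addr"] for p in parsed if not p["crc_ok"]],
            "missing": sorted(expected - {p["addr"] for p in good})}

# Constructed inventory: Maxim's documented CRC example (family 02, serial 01B81C),
# a DS18B20 ID built with make_rom, and a copy of the first ID with one byte damaged.
DS18B20 = make_rom(0x28, bytes.fromhex("000004A1B2C3"))
DS18S20 = make_rom(0x10, bytes.fromhex("0000000000FF"))   # in the baseline, not seen
SAMPLE = ["A200000001B81C02", DS18B20, "A200000001B81D02"]
BASELINE = {"A200000001B81C02", DS18B20, DS18S20}

if __name__ == "__main__":
    print(check_inventory(SAMPLE, BASELINE))
```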
Internally the HA7Net sports a multi-user Web server, a battery-backed, SNTP-capable real time clock, a DHCP client, and a three-port OneWire hub that lets you quickly connect off-the-shelf sensors using ordinary modular phone cable. The HA7Net is purely a Web device (it does not support FTP or SNMP), but it does include telnet terminal access for debugging purposes.
The basic package doesn't include any sensors, but you can buy plug-and-play units from Embedded Data Systems for $15 or so each, or go right to the source at Maxim and buy raw devices for $2 or $3 each and wire them up yourself. The HA7Net includes a thorough manual that teaches you everything you need to know about OneWire programming, and a number of ready-to-run examples.
In just a few minutes I was able to hook the HA7Net into my Intermapper network management system using a custom script.
Find out more about the HA7Net online at:
http://embeddeddatasystems.com/page/EDS/PROD/HA/HA7Net
You can purchase OneWire devices directly from Maxim at:
http://www.maxim-ic.com/1-Wire.cfm
To find out more about Intermapper, Dr. I. Doctor's network monitoring tool of choice, visit:
http://www.intermapper.com
Posted by mbeckman on December 15, 2004 at 10:46 AM | Comments (3)