Sys Admin Magazine > Topics > Networking

Networking



Automating the Management of Network Devices through the Command-Line
Alan Holt
Holt describes how to automate the remote management of a domain of network devices using the Python programming language.

Automating Signature Updates for Cisco IPS/IDS Sensors
Lisa Hamet Bernard
Bernard developed a set of Perl scripts to automate the process of signature update discovery and retrieval. In this article, she describes the details of these processes, highlighting remote management of a Cisco IPS device via SSH.

Console Servers Product Survey
Steve Michnick
Michnick and the Sys Admin staff present the latest console server product information.

Conserver: An Update on the Open Source Console Management System
Bryan Stansell
Stansell updates his coverage of the Conserver project.

Console Server Design Considerations
Ron McCarty
McCarty provides an overview of console server issues to consider.

Navigating the System Virtualization Maze — Part 2
Peter Baer Galvin
In part 2 of this column, Galvin describes how to determine the best virtualization solution for your environment.

MLN — Taking Virtual Machines to the Next Level
Kyrre Begnum, John Sechrest
The authors describe MLN, which provides systems administrators with an easy and powerful tool for virtual machine management.

Xen Master is Yum
Faye Gibbins
Gibbins shows how to set up a self-managed Xen cluster.

Dynamic Patching via State and Run-time Control
James Hartley
Hartley shows how to use state to control the operation of scripts and gain high-level control of system operation by dynamically altering system files during the execution of patching scripts.

Monitoring Changes on Your Network over Time Using PBNJ
Joshua D. Abraham
Abraham provides an introduction to PBNJ, a suite of tools written in Perl that parses, correlates, and stores the information harvested from Nmap.

MySQL 5 Cluster with Solaris(TM) 10 Zones/ZFS/Resource Control
Derek Crudgington
Solaris 10 introduced several pieces of technology that can benefit systems administrators, particularly when used together. Zones can provide application isolation and assist in server consolidation efforts. Combining the Fair Share Scheduler (FSS) with zones gives the administrator control over the amount of system resources allocated to each zone. Running zones on top of the ZFS file system allows each zone to be set up in a matter of minutes and can also provide other benefits such as compression, snapshots, and self-healing.

Using DNSBLs to Monitor Network Security
Luis E. Munoz
Many email administrators are turning to DNSBLs -- DNS Block Lists -- as useful weapons in the arsenal against spam. There are DNSBLs covering many aspects of the security spectrum related to spam. A brief sample of the overall focus of the most common lists includes: open HTTP proxies, open SMTP proxies, zombies or trojaned machines, miscellaneous open proxies, and hosts that send spam to spamtrap addresses.
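A DNSBL is queried by reversing the octets of the client's IPv4 address, appending the list's zone, and looking up an A record: an answer (conventionally 127.0.0.x, with x encoding the reason) means "listed", NXDOMAIN means "not listed". The following is an added example, not code from the article, and it also shows the two checks a practitioner should run before trusting a list: RFC 5782's sanity test (127.0.0.2 must be listed, 127.0.0.1 must not), and refusing to query private or special-use addresses. The zone names, the return-code table and the canned answers are constructed for the example; a real deployment uses the system resolver shown and each list's own published code table.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Hypothetical zone names for illustration only (.invalid never resolves).
ZONES = ["bl.example.invalid", "proxies.example.invalid"]

# Assumed return-code meanings for the hypothetical zones. Real lists publish
# their own code tables; never reuse one list's table for another.
REASONS = {
    "127.0.0.2": "sends spam to spamtrap addresses",
    "127.0.0.3": "open HTTP proxy",
    "127.0.0.4": "open SMTP proxy / relay",
    "127.0.0.5": "zombie or trojaned host",
}

# A resolver maps a name to its A records; an empty list means NXDOMAIN.
Resolver = Callable[[str], List[str]]

_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reversed_octets(ip: str) -> str:
    """'203.0.113.5' -> '5.113.0.203'; raises ValueError on malformed input."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """The name actually sent to the DNS for this client and list."""
    return f"{reversed_octets(ip)}.{zone}"


def is_routable(ip: str) -> bool:
    """Reject addresses a DNSBL can never meaningfully list (and that would leak internal topology)."""
    addr = ipaddress.IPv4Address(ip)
    return not (addr.is_loopback or addr.is_link_local or addr.is_multicast
                or addr.is_unspecified or any(addr in n for n in _RFC1918))


def system_resolver(name: str) -> List[str]:
    """Resolver backed by the host's DNS; NXDOMAIN or lookup failure counts as 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip: str, resolver: Resolver = system_resolver, zones=ZONES) -> Dict[str, List[str]]:
    """Query every zone for one client address; returns zone -> list of reasons (empty = clean)."""
    if not is_routable(ip):
        raise ValueError(f"{ip} is private or special-use; DNSBLs list public addresses only")
    verdict: Dict[str, List[str]] = {}
    for zone in zones:
        reasons = []
        for answer in resolver(dnsbl_query_name(ip, zone)):
            if answer.startswith("127."):
                reasons.append(REASONS.get(answer, f"listed (code {answer})"))
            else:
                # A non-127 answer usually means a wildcarded or dead zone that now
                # "lists" everything; flag it instead of rejecting mail on it.
                reasons.append(f"unexpected answer {answer}; check the zone")
        verdict[zone] = reasons
    return verdict


def zone_is_sane(zone: str, resolver: Resolver = system_resolver) -> bool:
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    listed = resolver(dnsbl_query_name("127.0.0.2", zone))
    clean = resolver(dnsbl_query_name("127.0.0.1", zone))
    return bool(listed) and not clean


# Constructed answers standing in for the DNS so the example runs offline.
FAKE_ANSWERS = {
    "5.113.0.203.bl.example.invalid": ["127.0.0.2"],
    "5.113.0.203.proxies.example.invalid": ["127.0.0.3"],
    "2.0.0.127.bl.example.invalid": ["127.0.0.2"],
    "2.0.0.127.proxies.example.invalid": ["127.0.0.2"],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for zone in ZONES:
        print(zone, "sane" if zone_is_sane(zone, fake_resolver) else "BROKEN, do not use")
    print(check_ip("203.0.113.5", fake_resolver))   # listed in both zones
    print(check_ip("192.0.2.10", fake_resolver))    # clean
```

Run the sanity check periodically, not just at deployment: a list that shuts down and wildcards its zone will otherwise start rejecting all of your inbound mail.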

Accessing Windows Resources from a Linux Desktop
Marcel Gagné
You're one of the lucky ones. Despite incredible pressures, you've somehow managed to convince your boss to let you run Linux on your workstations instead of Windows. It could be that you've already saved your organization tens of thousands of dollars by convincing them to upgrade to OpenOffice.org instead of the latest Microsoft Office, and now the company is willing to explore other possibilities. However, you are still going to have to deal with the Windows workgroup or domain and the appropriate shared files and printers.

IBM/Rational ClearCase VOB Automounting
Victor Burns
In the June 2006 issue of Sys Admin magazine, I discussed some commonly used as well as a few more advanced features of the automounter. One of these advanced features is the "autofs" file system that makes the automounter possible. I illustrated the dynamic use of the "autofs" file system in conjunction with the -fstype mount option. This combination can support VOB automounting by using cascading indirect automount maps.

Network Device Configuration Management
Anshuman Kanwar
Your most elaborate disaster recovery plans are only as good as your backups. In the context of routers (and most firewalls), all configuration is normally stored as a plain-text file in flash memory or some sort of NVRAM. Creating a replica of a router in case of catastrophic failure is simply a matter of physically plugging in a cold standby and copying the configuration from some backup medium onto the new device.

Sendmail's New GreetPause Feature
Hal Pomeranz
In most cases, spammers are motivated to send their unsolicited emails as rapidly as possible. Slamming is a technique where the spammer simply fires all of the SMTP commands necessary to transmit an email message to another mail server without waiting for the normal SMTP responses from the remote machine. Typically, the remote mail server will end up accepting the message despite the fact that the slammer is actually disobeying the SMTP behavior mandated by various Internet RFCs.
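The countermeasure is cheap because SMTP is lock-step: until PIPELINING has been negotiated a client must wait for each reply, and nothing at all may be sent before the 220 greeting. A server that delays its banner and watches the socket during the pause can therefore tell a slammer from a legitimate MTA before any mail is exchanged. The following is an added example of that exchange, written for this page rather than taken from the article or from sendmail: a one-connection loopback server that applies the pause, and two clients, one polite and one slamming. The delay, the hostname and the exact reply texts are this example's choices; sendmail's GreetPause wording and configuration differ.

```python
import select
import socket
import threading
from typing import Dict, Tuple

# Seconds to sit silent before sending the 220 banner. Sendmail sets this per
# client or network through the GreetPause feature; the value here is for the demo.
GREET_DELAY = 1.0


def handle_client(conn: socket.socket, delay: float = GREET_DELAY) -> Tuple[str, bytes]:
    """Serve one SMTP session. Returns ('slammer' | 'ok', bytes received before the banner)."""
    conn.settimeout(5)
    # Anything that arrives during the pause was sent before the greeting, which a
    # conforming client never does, so the session is rejected outright.
    ready, _, _ = select.select([conn], [], [], delay)
    if ready:
        early = conn.recv(4096)
        # Reply code and text are this example's choice; sendmail's wording differs.
        conn.sendall(b"554 5.7.0 SMTP commands before greeting; session rejected\r\n")
        conn.close()
        return "slammer", early
    conn.sendall(b"220 mail.example.invalid ESMTP GreetPause demo\r\n")
    rfile = conn.makefile("rb")
    rfile.readline()                 # e.g. EHLO client.example.invalid
    conn.sendall(b"250 mail.example.invalid Hello\r\n")
    rfile.close()
    conn.close()
    return "ok", b""


def serve_one(delay: float):
    """Bind an ephemeral loopback port and serve exactly one client in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result: Dict[str, object] = {}

    def run():
        try:
            conn, _ = srv.accept()
            result["verdict"], result["early"] = handle_client(conn, delay)
        finally:
            srv.close()

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    return port, worker, result


def smtp_client(port: int, slam: bool) -> str:
    """A slammer sends EHLO immediately; a polite client waits for 220. Returns the first server line."""
    with socket.create_connection(("127.0.0.1", port), timeout=10) as c:
        rfile = c.makefile("rb")
        if slam:
            c.sendall(b"EHLO spammer.invalid\r\n")      # talks before being greeted
        first = rfile.readline().decode(errors="replace").rstrip("\r\n")
        if first.startswith("220"):
            c.sendall(b"EHLO client.example.invalid\r\n")
            rfile.readline()                             # 250 ...
        rfile.close()
        return first


def demo(delay: float = GREET_DELAY) -> Dict[str, Dict[str, object]]:
    """Run both client behaviours against a fresh server each and collect the verdicts."""
    out: Dict[str, Dict[str, object]] = {}
    for label, slam in (("polite", False), ("slammer", True)):
        port, worker, result = serve_one(delay)
        first = smtp_client(port, slam)
        worker.join(timeout=10)
        out[label] = {"verdict": result.get("verdict"), "first_reply": first,
                      "early": result.get("early", b"")}
    return out


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:8s} verdict={r['verdict']!s:8s} server said: {r['first_reply']}")
```

The pause costs every legitimate sender a little latency, which is why sendmail lets the delay be set per client class and why trusted relays and internal networks should get a delay of zero.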

Getting to Know Your Network -- Part IV
Luis E. Munoz
Previously in this series, I presented aconfig, a tool that allows the execution of configuration commands mixed with Perl in our network devices. I showed how to use this tool to extract information about the network topology and configuration and store it into a database for simplified querying and reporting. This, in itself, is a valuable addition to incident response and vulnerability management processes, which eases the task of determining the significance of daily threats to our network.

Getting to Know Your Network -- Part I
Luis E. Muñoz
If your job is like mine, you've heard the words "vulnerability management" a lot during the past couple of years. Generally speaking, "VM" comprises all the tasks we must do -- such as patching, device and machine inventories, and security audits -- to keep our networks working despite the various software flaws exploited by malware.

Routing and Alias Management with OpenLDAP and Sendmail
John D'Emic
LDAP and Sendmail offer sys admins considerable advantages for dynamic mail routing and centralized alias management. A common requirement, as an organization grows, is to support geographically dispersed mailservers. While this can be achieved by using subdomaining (i.e., bill@nyc.acme.com, jane@dublin.acme.com), it is generally preferable to route the mail dynamically from a single address (jane@acme.com). I'll explore how this can be accomplished using Sendmail in conjunction with OpenLDAP.

Trap Customization in an Enterprise OpenView Operations/NNM Environment
Andy Yuen
Many of the enterprise customers I've worked with manage a large number of servers and network devices using the scalability features of OpenView Operations (OVO) and Network Node Manager (NNM). They tend to end up with a configuration similar to that depicted in Figure 1. OVO is used as the manager of managers responsible for centralized event browsing and the management of servers with multiple NNM collection stations handling SNMP events from network devices.

Questions and Answers
Amy Rich

Creating Cross-Platform Solutions with Open Database Connectivity
D. Hageman
Systems administrators can often find themselves in a situation where they are forced to support a product lacking in adequate documentation, stability, and technical support. The stories vary, but the end result is generally the same. You can probably hear your boss right now, saying: "We can't get rid of this product, because it is essential to our business."

FreeTDS for Database Connectivity
Kevin M. Lyons
It has often been said that the world would be a nicer place for programmers and administrators if everyone used the same operating system, if only one database were needed, only one programming language... Let us pause for a moment while you stop laughing.

Remote Logging with SSH and Syslog-NG
Hal Pomeranz
One of the points I make repeatedly in my training classes is the value of centralized logging. Keeping an off-line copy of your site's logs on some central, secure log server not only gives you greater visibility from a systems management perspective but also can prove invaluable after a security incident when the local copies of the log files on the target system(s) have been compromised by the attacker.

Branded VPN Deployment and Seamless Remote Management
Adam Olson
Bridging the gap between production network systems and remote users has always posed challenges. Initial infrastructure design, access privileges, and client software needs all must be addressed to ensure that network capacity and maintenance issues remain manageable as the user base grows. Perhaps the most important consideration is ease of use for the end user. Software, in general, is becoming more and more intuitive and end users expect a certain level of usability and aesthetic quality.

Remote Site Setup within the Prison Environment
Lee Ratzan
In this article, I will discuss some issues encountered by systems and network administrators when a major health care provider network becomes responsible for integrating their services into a highly restrictive security-conscious prison environment. The job mandate involves information access and cooperation in a setting not necessarily known for either. Two large organizations concerned with different aspects of security must work together. These issues pose challenges to routine remote site setup.

Using NetReg to Check for Viruses and Patch Deficiencies
Ronald Nutter
Using DHCP to handle IP addresses frees administrators from manually assigning the settings for every workstation or network device and reduces the chances of error. In today's environment, you need to know that every device is authorized to be on the network, is free from viruses, and is devoid of any serious patch deficiency. The trick to using this type of solution is to implement it so that users can't opt out of being checked before accessing the network.

Portable Jumpstart Environment
Michael R. Sbailo Jr.
Automating system builds has greatly increased systems administrators' ability to build and recover environments in a more uniform manner. Each platform has its own method of accomplishing this, such as Jumpstart (Solaris), Autoyast (SUSE), Kickstart (Red Hat), etc. In this article, I'll focus on running Solaris's Jumpstart technology from a Linux-based laptop. Because of the need to support sites in the field that are scaled down and thus cannot support a full-blown boot environment, I wanted to combine all the components of Jumpstart into one.

Capacity Planning for Oracle Databases Using Legato NetWorker
John Ouellette
While planning for backups, I wanted to know how large our databases would be in a year. No one I asked could provide an answer, so I decided to figure it out for myself. In this article, I will explain my process.

Taking Back Your Mailbox with Greylisting
Sean Reifschneider
Unsolicited commercial email, a.k.a. spam, is an attack on the Internet. It's as simple as that. Until we start really treating it as such, the problem is only going to get worse. In the meantime, we've got greylisting.
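Greylisting works on the triplet (client address, envelope sender, envelope recipient): the first attempt gets a temporary 4xx failure, a real MTA retries after its queue interval and is then accepted, while spamware that fires once and never retries is dropped on the floor. The following is an added example of the decision logic, not code from the article or from any greylisting product; the timings (5-minute minimum, 4-hour and 36-day expiries), the /24 relaxation and the reply texts are this example's choices, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import ipaddress
import time
from typing import Callable, Dict, Optional, Tuple


class Greylist:
    """In-memory greylist keyed on (client network, envelope sender, envelope recipient)."""

    def __init__(self, min_delay: float = 300.0, unseen_expiry: float = 4 * 3600.0,
                 seen_expiry: float = 36 * 24 * 3600.0,
                 clock: Callable[[], float] = time.time):
        self.min_delay = min_delay          # a retry sooner than this is still refused
        self.unseen_expiry = unseen_expiry  # triplets that were never retried are forgotten after this
        self.seen_expiry = seen_expiry      # triplets that passed stay accepted this long
        self.clock = clock
        self._entries: Dict[Tuple[str, str, str], Dict[str, Optional[float]]] = {}

    @staticmethod
    def _key(ip: str, sender: str, rcpt: str) -> Tuple[str, str, str]:
        # Large senders often retry from a different host in the same pool, so key on
        # the /24 (or /64 for IPv6) rather than the exact address. This is a common
        # relaxation, at the cost of letting a whole netblock through once one host passed.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), sender.strip().lower(), rcpt.strip().lower())

    def _expire(self, now: float) -> None:
        for key, e in list(self._entries.items()):
            ttl = self.seen_expiry if e["passed"] is not None else self.unseen_expiry
            if now - e["last"] > ttl:
                del self._entries[key]

    def check(self, ip: str, sender: str, rcpt: str) -> Tuple[str, str]:
        """Return the SMTP reply (code, text) to give at RCPT TO time."""
        now = self.clock()
        self._expire(now)
        key = self._key(ip, sender, rcpt)
        entry = self._entries.get(key)
        if entry is None:
            self._entries[key] = {"first": now, "last": now, "passed": None}
            return ("450", "4.7.1 Greylisted, please try again later")
        entry["last"] = now
        if entry["passed"] is None:
            if now - entry["first"] < self.min_delay:
                return ("450", "4.7.1 Greylisted, retry too soon")
            entry["passed"] = now
        return ("250", "2.1.5 Recipient OK")

    def stats(self) -> Dict[str, int]:
        passed = sum(1 for e in self._entries.values() if e["passed"] is not None)
        return {"pending": len(self._entries) - passed, "passed": passed}


if __name__ == "__main__":
    # Constructed timeline driven by a fake clock instead of real waiting.
    now = [1_000_000.0]
    g = Greylist(clock=lambda: now[0])
    triplet = ("203.0.113.5", "alice@example.org", "bob@example.com")
    print("first attempt:  ", g.check(*triplet))
    now[0] += 60
    print("retry after 1m: ", g.check(*triplet))
    now[0] += 300
    print("retry after 6m: ", g.check(*triplet))
    print("same /24 host:  ", g.check("203.0.113.9", *triplet[1:]))
    print("spam one-shot:  ", g.check("198.51.100.7", "x@spam.invalid", "bob@example.com"))
    now[0] += 5 * 3600
    print("spam 5h later:  ", g.check("198.51.100.7", "x@spam.invalid", "bob@example.com"))
    print(g.stats())
```

The real cost is delivery delay on first contact with each new sender, so production deployments whitelist known-good relays and, for mail from large providers that rotate outbound hosts across more than a /24, fall back to a sender-domain key or an explicit exception list.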

More Tools for Network Security Monitoring
Richard Bejtlich
In the April 2004 issue of Sys Admin magazine (http://www.samag.com/documents/s=9102/sam0404d/), I introduced the Network Security Monitoring (NSM) model and several open source tools to collect full content, statistical, session, and alert data. These tools and techniques help analysts in the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. To identify and contain incidents, NSM focuses more on network audit and situational awareness, and less on recognizing malicious traffic patterns and alert-centric intrusion detection methods. Those practicing NSM believe it is helpful to collect as much network-based evidence as legally and technically possible. Such collection aids all aspects of the security process, especially those supporting incident response.

Contingency Planning: Lessons Learned from the 9/11 Tragedy
Lisa M. Jaworski
The terrorist attacks that occurred on September 11, 2001, resulted in terrible human loss. Additionally, many buildings were destroyed or damaged to the extent that they had to be condemned. From an Information Technology (IT) perspective, networks were brought down, equipment and cabling were obliterated, and on-site and local backup tapes were destroyed. Because of the lengthy, ensuing chaos in the local area, it was very difficult for businesses, whose key IT functions were disabled, to bring disaster recovery personnel into the area. An unknown number of users lost Internet connectivity because their Internet Service Providers (ISPs) had points of presence in the World Trade Center [14].

tSmoke: Automating Availability Measures with Smokeping
Dan McGinn-Combs
I manage a global network. Although I am on call all the time, it is not unusual for my colleagues in different time zones to refrain from calling me during my night. Even so, I like to know whether something is down on the network when I wake up in the morning. That way, I have some idea about how much of my day will be consumed with fighting fires and how much I can dedicate to my day job.

DNS Security Protocols I: Dynamic Updates
Kerry Thompson
Of all of the many network protocols used in computer networking, DNS is one of the most fundamental and important. The task of mapping domain names to IP addresses seems simple, and at first approach it is. However, issues arise when that protocol becomes extensively trusted by systems. DNS messages are sent in clear text, which means that they can easily be read and modified while in transit. DNS normally runs over UDP, which has no handshaking between clients and servers and is therefore quite susceptible to spoofing attacks. We no longer have a trusted Internet in which we can trust insecure services -- there are malicious attackers that will do their very best to make users go to spoofed banking sites, to swamp everyone with spam, and to generally wreak havoc.

Embedded Linux Router
Tom Erjavec
Embedding Linux to create a networking device has long been a desired project of mine. With the advent of many micro-Linux distributions, it has become an easy task that can be done by any Linux lover. My goal was a high-performance secure Internet gateway, so I built a PC/Linux device that could offer full speed on an Ethernet port and provide a firewalled connection to the Internet.

Keeping Data in Sync::rsync -- Part II
Chris Hare
Data management is an ongoing issue that plagues many companies. Regardless of the size of the enterprise, organizations are constantly trying to find ways to move data securely between systems in an automated fashion, keep file systems or data files synchronized, or simply ensure that a group of systems has common data.

Disruptions of Service: Types and Effects
Peter Salus
Because of its very nature, it is difficult to destroy a packet-switching network, much less the network of networks that is the Internet. However, a number of events have disrupted Internet service -- some large, some limited in extent. This article is an attempt at a typology and a spur to discussion.

RSVP: Signaling Quality of Service
Ron McCarty
The convergence of voice and data networks has created many efforts to guarantee adequate bandwidth with minimal delay for voice applications within IP networks.

QoS Through the Network
Gilbert Held
In this article, I will point out some of the limitations of DiffServ and then examine an alternative approach to QoS based on Integrated Services and the use of RSVP. I will briefly describe and discuss a few techniques that can facilitate obtaining a QoS capability under different networking environments. There are many aspects associated with QoS that make network managers and LAN administrators yearn for the good old days when the use of 64-Kbps time slots was the only way to obtain a Quality of Service.

Getting Out/Getting In
David Beecher
It's 3 a.m. and you have been paged by one of your monitoring systems that another service is down. Your employer requires extreme security. There is no modem pool behind your fireline with which you can get inside, and no one can justify the cost of a VPN to your CEO. Also, because your fireline is managed by another corporate entity, there is no access through the "front door" to allow you to tunnel in to do maintenance. That means it's time to drive down to the office and hope your keycard still works. Here's an alternative.

Replacing rdist and ftp with scp and Associated Utilities
Michael Watson
At some point, manually logging into every server to repetitively make changes gets rather tiresome. Therefore, my team decided to automate these procedures. With thirty-plus Solaris systems, we began by utilizing a set of simple ftp scripts (see the Listings at www.sysadminmag.com) to get, display (in the case of text files), or put files to some or all of our servers.

TCP -- Either Fast or Efficient
Noah Davids
TCP/IP can be a very inefficient protocol. The TCP and IP headers require a minimum of 40 bytes. Packets with only a few bytes of data, for example a telnet or rlogin session or a bank transaction, have extremely high overhead. A TCP acknowledgement packet may contain no data at all, making the entire packet overhead. Ethernet additionally imposes a 14-byte header and a 4-byte trailer for an increased overhead of 58 bytes. Because the minimum-sized Ethernet frame is 64 bytes, there can also be up to an additional 6 bytes of overhead. To add insult to injury, Ethernet also requires an 8-byte preamble and a gap between each frame that is equivalent to 12 bytes. Thus, sending 1 to 6 bytes of data effectively requires an 84-byte Ethernet frame.

Virtual Hosting, FTP, and LDAP
Tristan Greaves
Virtual hosting (serving more than one domain from a single server) is a prime area of development for many ISPs, with Apache generally being the Web server of choice. However, the Web hosting is just one side of the story -- customers must also be granted whatever access is appropriate to maintain their sites. Recently, we performed a move of all the domains that our ISP division (Argonet) hosts to a new architecture. We saw this as an opportunity to re-evaluate our approach to solving the problem.

Redundant NICs on Solaris
Tom Kranz
You have your resilient network in place. Dual switches, dual routers, HSRP, failover, redundant firewalls -- they're all there. Now, what about your Sun boxes? Having two network interface cards (NICs) on your Solaris server, with the primary NIC failing over to the secondary, seems like an obvious and easy task, yet there are many pitfalls that make it unnecessarily complicated. In this article, I'm going to explore how to provide redundant NICs simply and cheaply.

Proxy FTP without the Browser
Anthony Caruso, Robert Chuba
Consider a small unregarded little network, which is in protected RFC 1918 IP space sitting behind a firewall. Direct access to the Internet is not allowed. Instead, Web access is provided by an HTTP proxy server. While this meets most of the office needs, downloading files from an ftp site is only possible through the browser. Writing an ftp script to periodically download files, such as virus .dat files, is impossible. Instead of opening a port on the firewall for ftp and breaking the rules just for us, we decided to try something else.

Multi-Vendor LAN Troubleshooting
Tom Podnar
During an infrastructure planning session, our IT department realized that we were running out of IP addresses more quickly than anticipated. Given the current rate of expansion, we estimated that we would be out of usable IP addresses within 90 days. We decided a NAT (Network Address Translation) implementation would remedy the situation and selected a Cisco router-based solution as the foundation of our NAT LAN upgrade project.

Building a Secure Wireless Network Using FreeRADIUS
Markos Gogoulos, Konstantinos Lizos
Wireless networks have penetrated our daily lives in the most amazing and rapid way. The wireless capabilities, the ease of accessing network resources, and increasing bandwidth utilization have all led to the substitution of obsolete copper wire networks with new, cutting-edge wireless technologies such as Wi-Fi networks.

Pushing Corporate Email out to Wireless Devices
Pam Rissmann
For the most part, email is delivered to employees' desktop computers. However, what happens when important email is delivered and one of the key decision makers is out of the office? Or if a meeting at 2 P.M. is cancelled, but some of the attendees are offsite when the cancellation email is delivered? To address these issues, many companies extend email to wireless devices like pagers, cell phones, and PDAs, allowing urgent and timely email to reach recipients no matter where they are. This article will explain how Sendmail can be linked with wireless messaging software to push email out to wireless devices.

Network Operations Center On-line
Ron McCarty
Despite the tremendous advances in network management systems, many of us find ourselves in need of network monitoring tools that are not as complex as commercial network management systems, or tools that are not licensed based upon the number of nodes monitored. Sometimes we just need a monitoring system that can be put together in less than a day. Whatever the reason, if you need a network monitoring tool that supports both a CLI and Web interface, you should consider the Network Operations Center On-line (nocol). (Major future versions of nocol will be called System and Network Integrated Polling Software [SNIPS].)

Automating ftp with Expiring Passwords
Russ Hill
Most networks require passwords that have a finite lifetime. By limiting the life of the password, you limit the time in which a stolen password can be exploited by an intruder. One disadvantage of expiring passwords, however, is that they make some tasks more difficult to automate. An automated process that requires a client computer to use a password will not connect if the client's password for the server has expired.

Quality of Service
Gilbert Held
The new millennium represents a network-based millennium. When we shop, our purchases are automatically charged to our accounts, and then they are deleted from the inventory control system, which facilitates the reordering of merchandise. At home, we can purchase stocks and pay bills, as well as sign up for and take college courses using our computers. By installing a sound card and connecting a microphone to our computer, it becomes possible to use the computer as a telephone. The addition of a miniature camera can provide a videoconferencing capability, making the PC a ubiquitous device. However, while the number of potential network-based applications is only limited by our imaginations, the characteristics of each application can differ.

The World According to ARP
Ron McCarty
Address Resolution Protocol (ARP) happens millions of times a day on the networks we manage, usually without issues or problems. However, network design challenges and support issues with ARP do arise, and unfortunately, many administrators must attend the certification seminar school of hard knocks and quickly get up to speed on the protocol under poor circumstances. This month's column covers ARP fundamentals and design issues, and shows ARP requests with tcpdump. (Note: While writing this article, I discovered that version 3.4 of tcpdump distributed with Red Hat 6.1 incorrectly reported the Ethernet broadcast address as 00:00:00:00:00:00 instead of the correct FF:FF:FF:FF:FF:FF. An upgrade to tcpdump version 3.5, available at http://www.tcpdump.org/, fixed the problem.)

Scaring Crackers Away with TCP Wrapper
Adam Olson
Would it not be great if computers could be connected to a network without any regard for malicious users and other security threats? In this fairy tale world, you could focus solely on tuning your systems to function as smoothly as possible. You wouldn't have to worry about a thing while implementing that intricate backup system you conjured up in your head. It is too bad this isn't the case, but there are tools out there to increase the security of these networked computer systems.

Layer 2 Quality of Service
Gilbert Held
In the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) Reference Model, layer 2 is the Data Link Layer. That layer is responsible for the creation of frames to include applicable addressing and the computation of a cyclic redundancy check, as well as the transmission of such frames. Other functions performed at layer 2 include error detection and correction, as well as acknowledgments to indicate whether the destination received frames error free. One function omitted from the original OSI Reference Model for layer 2 operations is the topic of this article -- Quality of Service (QoS).

QoS into the Network: Router Queuing
Gilbert Held
In this third article of a series focused upon Quality of Service (QoS), I focus on the manner by which traffic can be differentiated as it flows into a wide area network. "Quality of Service", the first article in the series (Sys Admin, September 2000), focused on obtaining an overview of QoS and various methods that could be used to differentiate types of traffic. The second article, "Layer 2 Quality of Service" (Sys Admin, October 2000), examined QoS by focusing on the data link layer and discussing the role of the IEEE 802.1p standard in a switch-based LAN environment. In that article, I noted that eight levels of priority could be specified that enable switches to place frames into predefined queues based upon the priority tag inserted into the frame. I also noted that because 802.1p tagging occurs within an extended layer 2 frame, priority tagging is lost at router boundaries. Due to this, 802.1p is a LAN QoS mechanism, and the differentiation of traffic as data flows into and through a layer 3 network requires different traffic differentiation mechanisms. This third article primarily illustrates two methods used to provide a quality of service to traffic as it enters a wide area network. These methods include the configuration of router queues and the use of the Type of Service (ToS) byte within the IP header. A recent revision to the use of the ToS byte, which enables the byte to be used as the Differentiated Services (DiffServ) byte, will be the focus of a later article.

Virtual Router Redundancy Protocol
Ron McCarty
The Virtual Router Redundancy Protocol (VRRP) has been around since 1997, and although it has been formalized by the Internet Engineering Task Force, it is a little-known protocol outside the realm of full-time network design engineers. VRRP (version 2) is defined in RFC 2338, "Virtual Router Redundancy Protocol". This month's column will cover VRRP, VRRP design considerations, and an implementation using Linux and the vrrpd daemon.

Designing a Scalable NNTP Server Network
Chris Josephes
Five years ago, it was hard to find an Internet service provider that didn't maintain a news server on their network. Every site was expected to have one to provide Usenet access to its users. Usenet has changed considerably since then. With the increasing number of users on the Internet, Usenet traffic has grown by leaps and bounds. More articles are being posted, and the average article size has increased due to the popularity of the alt.binaries newsgroups. Most Usenet servers receive 100 GB of articles every day.

QoS Into the Network: Part 2
Gilbert Held
This article is a continuation of a series focused upon various methods and standards associated with Quality of Service (QoS). The first article provided an overview of QoS. The second article examined how the IEEE 802.1p standard provides a mechanism for traffic differentiation in a LAN switching environment. In the third article, I examined QoS through the WAN, covering egress from the LAN into the WAN and some of the methods that could be used to prioritize traffic. That article also represents the first of a two-part series (within a series) concerning the entry of data into a layer 3 network. In it, I examined four types of router queuing methods, as well as the use of the IPv4 Type of Service (ToS) byte. I mentioned in that article that the limited use of the ToS byte resulted in the IETF redefining its composition as a mechanism to differentiate service, resulting in the names "DiffServ byte" and "differentiated services" used to reference the revised composition of the byte and the use of the byte's contents. This article will cover DiffServ in more detail.

Questions and Answers
Amy Rich, Jim McKinstry

NetReg: An Automated DHCP Registration System
Todd K. Watson, Peter Valian
It's almost unfathomable how we ever lived without DHCP. We no longer need to visit each machine and assign it an available IP address, let alone deal with the roaming laptop users that hop around the network with an IP reserved for them on every subnet. DHCP took care of all of that -- machines want IP and network settings; the DHCP server wants to give IPs and network settings. It sounds almost too good to be true.

Perl Advisor: Monitoring Net Traffic with OpenBSD's Packet Filter
Randal L. Schwartz
The server for stonehenge.com lives somewhere in Texas, in a place I've never seen. I rent a box from Sprocket Data Systems, and they provide my remote eyes and ears, and hook me up to their networks and power grid. I'm limited to a certain bandwidth each month for the rate I pay, and to offset the costs, I also sublease the box to geekcruises.com and redcat.com.

Emulating Networks Using User-Mode Linux
Ralf Spenneberg
When evaluating a new product or planning your firewall or VPN, it is always handy to be able to emulate your network virtually. Many people use VMware for this task and, although VMware does a very good job, it is quite cost-intensive. In this article, I'll describe how to use User-Mode Linux (UML) to model a network. UML is a Linux kernel built to run as an ordinary user-space process on a Linux host. It offers networking, access to the host filesystem, jail, and honeypot features. Using virtual switches, you can combine several hosts to form a network. To use UML, you just need a Linux filesystem image that the UML kernel can boot. I will also show how to use UML to emulate a testbed for a VPN solution.

Managing Network IP Assignment with a Database and Web Interface
Jim McBride
The Garvan Institute of Medical Research is a growing organization with about 350 researchers and support staff, and roughly the same number of computers throughout the building. We recently ran out of IP addresses within the two subnets we operated, so we launched a project to remodel the IP address space and reconfigure each computer with a new IP address. This required a visit to each computer in the organization -- an arduous task that we prefer to avoid.

Advanced SNMP Monitoring with RRDTool
Adam Denenberg
In today's economy, monitoring devices via SNMP is crucial to determining where bottlenecks may exist, and where we may have placed too much capacity. Many network-monitoring tools have evolved to handle SNMP data, but these have all been based around the work of one tool -- MRTG. MRTG (Multi Router Traffic Grapher) allows you to visually graph and trend anything imaginable out of SNMP, no matter what the data represents. MRTG has been around for about a decade, and most systems or network engineers are probably graphing something with it. While MRTG is an important tool, RRDTool (another tool written by the author of MRTG), is going to be the main focus of this article.

Questions and Answers
Amy Rich
Questions and Answers

VOCP Command Shells -- Managing Your Systems through the Telephone
Patrick Deegan
Imagine you're out for a night on the town or just driving through the countryside, then your pager goes off or your cell phone rings telling you something's wrong at work. If you are responsible for one or more systems, this will eventually happen. But with a little forethought, VOCP, and a telephone, you can still solve the problem no matter where you are.

Build IPSec VPNs Using the Linux Kernel 2.6
Ralf Spenneberg
Virtual private networks (VPNs) have been around for quite some time. Several protocols are available to implement VPN solutions. The most prominent are the Point-to-Point Tunneling Protocol (PPTP) and IP Security (IPSec). I have played around with both protocols during the past 5 to 6 years building both small and worldwide implementations. Most often I used open source operating systems like Linux or OpenBSD to implement the VPN gateways. Until now, using Linux to build an IPSec VPN usually meant using the FreeS/WAN IPSec stack.

NFSv4 -- An Early Implementation
Mark Perino
When RFC 2624 was published in 1999, people running NFS began looking forward to a significant change in NFS that would address what some saw as its major deficiencies. RFC 3530 followed in April of 2003 and placed NFS version 4 on the protocol standards track.

Securing Wireless Campus Networks
Clark Gaylord, Steven Lee
While no Ethernet-based network can be considered a "secure" communications medium, network operators take some solace that the exposure of traffic for a LAN is limited to those stations that have "physical access" to it. With a wireless LAN (WLAN), there is not even this meager security, as physical access to radio waves is defined by nothing stronger than geographic proximity. Unfortunately, the standard method for addressing this proximity vulnerability, "Wired Equivalent Privacy" (WEP), is not suitable for large-scale networks due to its shared-key nature and deficiencies in the encryption algorithm. As a result, enterprises and service providers alike have struggled with how to control access to their WLAN infrastructures so that the network is both usable and no worse than wired Ethernet in terms of data privacy.
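The "deficiencies in the encryption algorithm" that the abstract refers to are easiest to see in code. The example below is added here and is not code from the Gaylord/Lee article: it implements RC4 from the cipher definition, wraps it in WEP-style framing (a 24-bit IV sent in the clear, prepended to the shared key to form the per-frame RC4 key), and then shows what happens when two frames are sent under the same shared key with the same IV. The key, IV and frame contents are constructed for the demonstration; real WEP also appends a CRC-32 ICV and is further weakened by the FMS weak-key attack, neither of which this example models.

```python
"""RC4 keystream reuse under WEP-style framing (added example, constructed inputs).

With a 24-bit IV there are only ~16.7 million per-frame keys for a given shared key,
so on a busy access point an IV repeats within hours. Two frames encrypted with the
same IV||key share a keystream, and XORing their ciphertexts cancels it.
"""

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Generate n bytes of RC4 keystream (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame: per-frame RC4 key is IV || shared key; the IV travels in the clear."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(frame_a: bytes, frame_b: bytes, known_plain_a: bytes):
    """Attacker knows frame A's plaintext (a predictable ARP or DHCP body will do) and
    observes frame B with the same IV: keystream = C_A xor P_A, then P_B = C_B xor keystream.
    Returns None when the IVs differ, because then the keystreams are unrelated."""
    iv_a, body_a = frame_a[:3], frame_a[3:]
    iv_b, body_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        return None
    keystream = xor_bytes(body_a, known_plain_a)
    return xor_bytes(body_b[:len(keystream)], keystream)


def demo_reuse() -> bytes:
    """Two same-length frames under one constructed 40-bit key and a repeated IV."""
    key = b"\x13\x37\xca\xfe\xba"          # constructed shared key
    iv = b"\x00\x00\x01"                   # constructed, repeated IV
    known = b"ARP request  from 192.0.2.17"  # what the attacker can guess
    secret = b"password=hunter2 (cleartext)"  # what the attacker wants (same length)
    frame_a = wep_encrypt(key, iv, known)
    frame_b = wep_encrypt(key, iv, secret)
    return recover_with_known_plaintext(frame_a, frame_b, known)


if __name__ == "__main__":
    print(demo_reuse())
```

Note that nothing in the recovery step touches the shared key: the attack works against any key length, which is why the article's conclusion that a shared-key WEP deployment cannot be fixed by choosing longer keys is the right one.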

Web-Based Printer Management
Brett Lymn
Some years ago, pundits predicted that there would soon be the paperless office -- an office where all communications and reporting would be performed electronically without consuming paper. At the time of this writing, I see little evidence of this happening, but I have seen the opposite -- more printers with more capabilities are being added to the office. The burgeoning printer population can be problematic for administrators when users want help removing print jobs from the printer queue.

Securing Public-Access Networks: Stopping the IP Thieves
Walt Jones
When I was a student at the University of Puget Sound in Tacoma, Washington, I worked in the ResNet office as a Senior ITT consultant. The ResNet office handles all aspects of student networked computing on campus. Particularly, the office is responsible for the pay-for-service Ethernet network that currently includes 9 subnets covering 9 dorms, 8 Greek houses, and 78 university-owned residential houses for a total of 1450 student connections. This IP-based network not only allows users to access university-only Intranet resources, but also the external Internet.

Another Way of Centralizing and Customizing Crontabs
YiHua Philip Sheng
The article "Centralizing Your Crontabs", by Richard Hellier (Sys Admin, November 2001), presented a useful tip for UNIX systems administrators. However, the technique was a bit complicated because it involved making an extra NIS map. In this article, I will introduce a simpler method to centralize the management of crontabs without losing customization ability, and I will also provide case examples of utilizing this method.

IP Space Monitoring System
ChokSheak Lau
Systems and network administrators typically deal with hundreds or thousands of computers, and it can be hard to track all the IP addresses that are actively in use. This article presents a concept for implementing IP address space monitoring software for statically assigned IP addresses, and describes how we currently use it to provide real-time network data online.

Writing an SNMP Agent
Damir Delija
A few years ago, during the summer of 2000, we faced serious overheating problems. Our Sun ULTRA 250 machines were in trouble, and we had an immediate need for monitoring. Our first try was with the prtdiag command and syslog report, but that turned out to be unusable and unreliable. The prtdiag output dump was too big and caused additional trouble to our log monitor. It was obvious that we needed something better.

Mail Routing Using LDAP
Enrique Flores R
In an effort to mitigate the spam and virus problems in our user community, the IT group at Cypress Semiconductor Corporation has implemented Brightmail Solution Suite, an anti-spam/anti-virus mailwall solution. Brightmail's product refers to spam and infected email as "graymail". For each user, the mailwall software creates individual graymail mailboxes where illegitimate email is sidelined. Through the use of a Web interface, users are given the option to delete or retrieve their graymail messages. Retrieved graymail, or email not filtered by the mailwall rule sets, is forwarded to our site mail hub, where it is either spooled for local users or relayed to the appropriate remote site. Figure 1 details the specifics of our mail flow. Figure 2 is a flowchart depicting the sidelining process.

Making Servers SNMP Aware with net-snmp
Brent Bice
You may have MRTG, RRDtool, and Cricket monitoring all your SNMP devices, and Scotty monitoring the real-time status and health of your SNMP devices and diagramming your networks. However, it would also be nice to be able to monitor all of your UNIX machines. You may already be running various SNMP agents that came with the operating systems on those UNIX machines, but it would even be better if the SNMP agent on the Sun, Linux, HP-UX, AIX, and other UNIX systems all had the same data available from the same MIB tree. It would also be great if you could add your own functionality (your own MIB OIDs) that would allow you to monitor things, such as the internal temperature of your APC UPS or the number of spam messages your SMTP gateway rejected, with your SNMP tools of choice. net-snmp (the tool previously known as ucd-snmp) makes all this possible with minimal effort.

Network Management with Overlapping IP Address Ranges
Scott Kirkwood
Every UNIX systems administrator has some knowledge of networks and routing, and most have basic experience with network devices. For example, configuring NFS, DNS, or NIS are all common network configuration tasks for a sys admin, but the network infrastructure does not typically require more than an Ethernet cable, an IP address, and an entry in the DNS server for each new Unix system. There are, however, certain implementations in which the network infrastructure must be designed as an integral component of the systems architecture. This article will detail just such a scenario, and will show how expanding your knowledge of network infrastructure configuration can make the difference between a dead project and a functional architecture.

TCP/IP Networking in Gawk 3.1.0
Mike Warner
In 1997, Jurgen Kahrs and Arnold Robbins added TCP/IP networking capability to "gawk", the Free Software Foundation's implementation of the awk programming language. The networking subsystem that Kahrs and Robbins added to gawk began as a set of patches that eventually migrated into the main source tree in time for Gawk 3.1.0. Just after Arnold Robbins announced the availability of Gawk 3.1.0 on comp.lang.awk, I began downloading the source archive and building Gawk 3.1.0 on various flavors of Linux and BSD. It has always built flawlessly, and the networking capability has worked just as advertised.

sockspy Knows TCP/IP
Cameron Laird
sockspy is a convenient tool for a range of networking diagnostic and programming problems. You probably already use a general-purpose "sniffer" such as tcpdump or ethereal; so do I. Although different from these, sockspy also has a place. It complements other networking tools by focusing specifically on the "dialogues" of typical TCP/IP protocols. sockspy's programmability means that it is also handy for prototyping proxy clients and servers for these protocols.

Visual Cron 2.1
Chip Castle
Systems administrators often need to schedule tasks for some later date or have some of those tasks recur at regular intervals. The best tools to accomplish these tasks are "cron", for scheduling recurring jobs, and "at" for scheduling one-time tasks. Both of these tools are extremely handy and have been around for quite some time, but when I use cron I often find myself trying to recall the correct time format to use. Recently, however, I came across the niftiest little utility I've found in quite a while, and it is great for handling job scheduling. It's called "Visual Cron" and is an open source utility (licensed under the GPL). Visual Cron was written by Daniel Roche and is an excellent GUI-based tool for managing cron or "at" jobs. System requirements for Visual Cron include Tcl/Tk 8.0 and the cron and "at" utilities.

Increasing Bandwidth with Wireless Devices
Henry Psenicka, Bob Pocius
Many organizations are faced with the challenge of increasing available WAN bandwidth while controlling costs. Ours is no exception. We work for a local government, serving a municipality of about 40,000 residents. Our network provides services to almost 200 staff members, one third of whom work from satellite offices connected via dedicated WAN links. By 2001, we were outgrowing the capacity of our ISDN-based 128-kbps links and were exploring options for upgrading our network infrastructure. Although we found a number of commercial options for increasing our bandwidth, including leasing 100-Mbps fiber-optic connections from a local utility company, we wanted a more cost-effective solution.

Dangerous ARPs
Noah Davids
The ARP protocol works quietly in the background, and most of the time it works flawlessly. Unfortunately, such reliability can lead to complacency; when TCP connection problems occur, no one ever thinks of the ARP protocol. In this article, I'll provide a quick review of the ARP protocol and describe some ways in which ARP can create problems. I'll also show how to diagnose these problems using a protocol analyzer like tcpdump.
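Two of the ways ARP "creates problems" are an address claimed by more than one station (a duplicate IP, or a deliberate spoof) and a reply that nobody asked for (the usual shape of cache poisoning). Both are visible in a tcpdump trace, and the example below is added here, not code from the Davids article, to show how to pull them out of one. It assumes the line format of a modern `tcpdump -n arp` capture (the older lowercase `arp reply ... is-at` form is accepted too); the capture itself is constructed for the demonstration, and the two-second "was this reply solicited?" window is a hypothetical choice.

```python
"""Flag duplicate ARP claims and unsolicited replies in tcpdump output (added example).

Constructed capture: 192.0.2.17 resolves the gateway, two different MACs answer, and
later a station announces itself as 192.0.2.17 without any request having been seen.
"""
import re
from collections import defaultdict

SAMPLE_CAPTURE = """\
10:00:00.000100 ARP, Request who-has 192.0.2.1 tell 192.0.2.17, length 28
10:00:00.000300 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:55, length 28
10:00:00.000450 ARP, Reply 192.0.2.1 is-at de:ad:be:ef:00:01, length 28
10:00:05.120000 ARP, Request who-has 192.0.2.20 tell 192.0.2.17, length 28
10:00:05.120200 ARP, Reply 192.0.2.20 is-at 00:11:22:33:44:66, length 28
10:00:09.000000 ARP, Reply 192.0.2.17 is-at de:ad:be:ef:00:01, length 28
"""

TS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d+)")
REQUEST_RE = re.compile(r"(?:ARP, Request who-has|arp who-has) ([\d.]+) tell ([\d.]+)")
REPLY_RE = re.compile(r"(?:ARP, Reply|arp reply) ([\d.]+) is-at ([0-9a-fA-F:]+)")


def parse_tcpdump_arp(text):
    """Return (seconds_since_midnight, kind, ip, extra) tuples; extra is the asker for
    requests and the claimed MAC for replies. Lines that are not ARP are skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        h, mi, s, frac = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
        r = REPLY_RE.search(line)
        if r:
            events.append((ts, "reply", r.group(1), r.group(2).lower()))
            continue
        q = REQUEST_RE.search(line)
        if q:
            events.append((ts, "request", q.group(1), q.group(2)))
    return events


def analyze(events, window=2.0):
    """conflicts: IPs claimed by more than one MAC.
    unsolicited: replies with no who-has for that IP within `window` seconds before."""
    last_request = {}                 # target ip -> time of the latest who-has
    claims = defaultdict(set)         # ip -> MACs that have said "is-at" for it
    unsolicited = []
    for ts, kind, ip, extra in events:
        if kind == "request":
            last_request[ip] = ts
            continue
        claims[ip].add(extra)
        asked = last_request.get(ip)
        if asked is None or ts - asked > window:
            unsolicited.append((ip, extra))
    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    return {"conflicts": conflicts, "unsolicited": unsolicited}


if __name__ == "__main__":
    report = analyze(parse_tcpdump_arp(SAMPLE_CAPTURE))
    for ip, macs in report["conflicts"].items():
        print(f"CONFLICT {ip} claimed by {', '.join(macs)}")
    for ip, mac in report["unsolicited"]:
        print(f"UNSOLICITED {ip} is-at {mac}")
```

The solicited second reply for 192.0.2.1 is the interesting case: it is a perfectly well-formed answer to a real request, so a per-packet filter would never see anything wrong; only keeping state across packets (which MACs have claimed which address) reveals that the gateway now has two owners. The same station later announcing itself as 192.0.2.17 with no request outstanding is the other half of a man-in-the-middle setup.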

Administering a Distributed Intrusion Detection System
Johannes B. Ullrich, Wayne Larmon
The authors describe Dshield.org's efforts to build a distributed intrusion detection system to gather and analyze logs from around the world. They address issues such as the scalability and agility of such a vast system.

Auditing Your Airspace
Tony Howlett
Howlett describes Kismet, an open source auditing program that can help you catalog and test the security of all the wireless LANs within your company's perimeter.

Maintaining DNS Sanity with Hawk
Greg Heim
Heim describes Hawk, GPL software that can help track which hosts in DNS are really on your network as well as which hosts are on your network but not in DNS.
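The IP Space Monitoring System abstract above and this Hawk entry describe the same underlying check from two directions: compare a register of what is supposed to be on the network (a static assignment table in one case, the DNS zone in the other) against what actually answers. The example below is added here and is not code from either article. It assumes the register is a simple address-to-name mapping and that the observation comes from sweeping the subnet and reading the ARP table in `arp -an` format (the way Linux prints it); both inputs are constructed.

```python
"""Reconcile an address register against an ARP sweep of the subnet (added example).

Three results matter to an administrator: registered and alive, registered but silent
(stale record, or a box that is down), and alive but not registered (an undocumented
host or someone helping themselves to a "free" address).
"""
import ipaddress

# Constructed register: address -> name (from DNS or a static assignment table).
REGISTER = {
    "192.0.2.1": "gw.example.net",
    "192.0.2.2": "ns1.example.net",
    "192.0.2.3": "mail.example.net",
    "192.0.2.10": "ws-lab1.example.net",
}

# Constructed `arp -an` output taken after pinging every address in 192.0.2.0/28.
ARP_SWEEP = """\
? (192.0.2.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.0.2.2) at 00:11:22:33:44:02 [ether] on eth0
? (192.0.2.3) at <incomplete> on eth0
? (192.0.2.7) at de:ad:be:ef:00:07 [ether] on eth0
? (192.0.2.10) at 00:11:22:33:44:10 [ether] on eth0
"""


def parse_arp_table(text):
    """Return {ip: mac} for entries that resolved; '<incomplete>' means no answer."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "?":
            continue
        ip = parts[1].strip("()")
        mac = parts[3].lower()
        if mac != "<incomplete>":
            seen[ip] = mac
    return seen


def reconcile(register, seen, subnet):
    """Split the subnet into alive/silent/unregistered/free relative to the register."""
    net = ipaddress.ip_network(subnet)
    alive = {ip: (register[ip], seen[ip]) for ip in register if ip in seen}
    silent = {ip: register[ip] for ip in register if ip not in seen}
    unregistered = {ip: mac for ip, mac in seen.items() if ip not in register}
    free = [str(h) for h in net.hosts()
            if str(h) not in register and str(h) not in seen]
    return {"alive": alive, "silent": silent, "unregistered": unregistered, "free": free}


def report(register=REGISTER, sweep=ARP_SWEEP, subnet="192.0.2.0/28"):
    return reconcile(register, parse_arp_table(sweep), subnet)


if __name__ == "__main__":
    r = report()
    for ip, (name, mac) in sorted(r["alive"].items()):
        print(f"OK       {ip:<12} {name:<24} {mac}")
    for ip, name in sorted(r["silent"].items()):
        print(f"SILENT   {ip:<12} {name}")
    for ip, mac in sorted(r["unregistered"].items()):
        print(f"ROGUE?   {ip:<12} (not in register) {mac}")
    print(f"{len(r['free'])} addresses free in {subnet}")
```

One caveat a practitioner will want: a single sweep says nothing about a host that is only on during office hours, so "silent" should be decided over several sweeps before a record is retired, and a MAC recorded alongside the name lets the same pass catch an address that is alive but has quietly changed hardware.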

Troubleshooting Solaris™ Network Performance
Alex Golomshtok
Golomshtok describes a simple yet powerful Perl extension called Solaris::MIB2. This module allows for easy access to most statistical and operational data maintained by Solaris stream modules, while imposing only a minimal load on a monitored system.

Centralize Your Crontabs
Richard Hellier
Hellier describes the use of NIS (Network Information Service) to centralize the administration of cron.

Open Shortest Path First Protocol
Ron McCarty


Network Diagramming and Monitoring with Scotty
Brent Bice
Like many open source tools, Scotty is actually a collection of tools that have grown together. It can be used as a network-diagramming tool in addition to an SNMP network console. After you use Scotty to draw a network diagram, you can then use it to monitor and troubleshoot the objects in your diagram.

Volume Management and File Systems Usage and Implementation
Henry Newman
Current file systems trace their roots from the UFS file system, which was proposed in 1965. By the early 1970s, the UNIX file system was up and running. Since then, not much has changed in file systems and there have only been incremental hardware changes. I think the file system and volume manager are the most critical components in achieving I/O performance from both the OS and underlying hardware. Even the best file system and volume manager can be configured so that the performance is poor. Therefore, my next couple of columns will cover file system and volume management, in addition to file system configuration and tuning.

SNAREing Intruders in Linux
Kristy Westphal
Westphal shows how to install SNARE, a host-based Linux Intrusion Detection System. She describes how to test it and suggests some practical uses for it.

Questions and Answers
Amy Rich
Let Sys Admin solve your problems!
Submit your technical systems administration questions to our contributing editor, Amy Rich, President of Oceanwave Consulting Inc. Each month, Amy will select several challenging questions to answer in her column. Or check out the Questions and Answers archives.

SNIPS
Ron McCarty
SNIPS, or System and Network Integrated Polling Software, is Netplex Technologies’ revamp of Network Operations Center On-line (nocol), which I wrote about in the August 2000 Net Admin column. SNIPS is a network-monitoring tool that provides both a command-line and Web interface to monitoring alarms. SNIPS provides alarm levels that provide an escalation of conditions based on the number of failures. This allows flexibility in reporting and prevents one-time anomalies (such as a network engineer resetting an Ethernet port) from creating alarms for network services that were temporarily unreachable while the Ethernet port was resetting.
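The escalation rule described above (a condition is only reported at a higher severity after it has failed a number of polls in a row) is small enough to show in full. The example below is added here and is not SNIPS code: it models the four SNIPS severity names with a consecutive-failure counter, and the threshold values are a hypothetical choice, not SNIPS defaults.

```python
"""Severity escalation by consecutive failures, in the style of SNIPS (added example).

A one-poll blip (the Ethernet port reset in the abstract) never gets past the lowest
level; a sustained outage climbs through the levels until someone is paged.
"""

LEVELS = ("Info", "Warning", "Error", "Critical")


class EscalatingMonitor:
    def __init__(self, name, thresholds=(1, 3, 5, 8)):
        """thresholds[i] is the number of consecutive failed polls needed to reach
        LEVELS[i]; the values here are hypothetical, tune them per service."""
        assert len(thresholds) == len(LEVELS) and list(thresholds) == sorted(thresholds)
        self.name = name
        self.thresholds = thresholds
        self.failures = 0
        self.level = None              # None: the monitored object is up

    def record(self, ok):
        """Feed one poll result; return the severity now in force (None when up)."""
        if ok:
            self.failures = 0
            self.level = None
            return None
        self.failures += 1
        self.level = None
        for level, needed in zip(LEVELS, self.thresholds):
            if self.failures >= needed:
                self.level = level
        return self.level

    def should_page(self):
        """Only the two highest levels wake somebody up."""
        return self.level in ("Error", "Critical")


def run_probe_history(results, thresholds=(1, 3, 5, 8)):
    """Replay a list of poll outcomes (True = ok) and return the level after each."""
    mon = EscalatingMonitor("demo", thresholds)
    return [mon.record(ok) for ok in results]


if __name__ == "__main__":
    blip = [False, True]                          # port reset, back next poll
    outage = [False] * 8                          # sustained failure
    print("blip:  ", run_probe_history(blip))
    print("outage:", run_probe_history(outage))
```

The scheme has one blind spot worth knowing about before relying on it: a link that flaps every other poll resets the counter each time and stays at Info forever, so a flapping interface needs a separate count of transitions per hour rather than consecutive failures.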

Compiling Palm™ Apps on Linux
Alex Lange
One of the latest waves in systems administration is to use handheld devices to administer systems remotely. As sys admins need to be everywhere at once, the convenience and ease of administering systems via a Palm™ Pilot (as one example) is becoming more and more apparent. Small programs called Palm Query Applications (PQAs) can be the front-end to systems administration tools, making them accessible to sys admins on the go. However, building a PQA is problematic for the Linux or UNIX systems administrator because Palm's development tools for PQAs run exclusively on Microsoft Windows.

Questions and Answers

Let Sys Admin solve your problems!
Submit your technical systems administration questions to our contributing editor, Amy Rich, President of Oceanwave Consulting Inc. Each month, Amy will select several challenging questions to answer in her column. Or check out the Questions and Answers archives.

RAM RAID: Improving Web Access
Bo Adler
Using a file cache, such as Squid, is a familiar strategy to increase the throughput to a Web site. It eliminates the overhead of disk access by keeping static HTML content in memory, but fails to address the issue of CGI scripts that need to write data back to disk. Given that written data is often small and infrequent (compared to reads), the OS file-buffering strategy is sufficient to accommodate this load. However, in the case where written data becomes a serious issue, the traditional solution is to implement some form of RAID array to increase the bandwidth of disk access.

Managing Bandwidth
Jonathan Kline
With the increasing interest in streaming and broadband content, systems administrators are faced with a dilemma — bandwidth. Sys admins dread the call complaining about the slowness of the Web and the inaccessibility of the email servers, only to discover that the culprit is streaming content and live video. How can you get the bandwidth under control? Do you deny and block this offending traffic at the perimeter firewall? Increase the amount of network bandwidth available? Control and filter this content? You may decide to manage this offending traffic, which will guarantee the availability of critical services, while still allowing non-critical functions and services, such as streaming video.

Name Services: Another View
Ron McCarty
In the November 1999 issue of Sys Admin, I covered “Domain Name System Design Considerations”. This month, I will cover several name server topologies as well as the BIND 9.2.0 new view feature that will add another tool to your name server tool chest.

Prior to BIND version 8, name servers were identified by their roles as either “primary” or “secondary”. The primary server contained the actual zone databases, and the secondary servers pulled the zones from the primary. With version 8 of BIND, the terminology changed to “master” and “slave”. Regardless of the terminology, it is important to realize that the client is not aware of a name server’s role within a particular domain.



Supporting Screened Hosts with BIND 9.x Views
Scott DeJong
Views is a powerful feature of the new version of BIND that can help solve complex DNS problems. DeJong describes a setup that can be implemented in a secure, redundant, highly available, and load-balanced manner using ten workstations.

Wireless (In)Security
Ido Dubrawsky
Dubrawsky provides an overview of the IEEE 802.11 standard governing wireless networks and describes some security concerns.

Configuring a FreeBSD Access Point for your Wireless Network
Michael S. DeGraw-Bertsch
The author describes how to configure a PC running FreeBSD to serve as an access point for your wireless network.

Administering Linux IPSec Virtual Private Networks
Duncan Napier
In a previous article, "Introducing FreeS/WAN and IPSec", Napier discussed the basics of setting up IPSec for Linux using the FreeS/WAN package. This article describes some of the more advanced features of FreeS/WAN that can be leveraged to implement flexible and reliable IPSec VPNs.

Integrating Macintosh Computers into Your Network

Haletky shows how to integrate legacy and new Macintosh equipment into an existing TCP/IP-based network.

WINE: The Open Source Way to Run Windows Applications

WINE, which stands for “WINE Is Not an Emulator”, allows you to run Microsoft Windows programs on your system, but does not require a copy of Microsoft Windows, thereby saving the cost of a license. Gagné explains how.

Little Known Cisco IOS Security Features

Sammut explains the use of Reflexive Access Control Lists, TCP Intercept, Unicast Reverse Path Forwarding, and other Cisco features that help increase network security.

Implementing IPsec in the Solaris 8 Environment

Wenchel provides a brief introduction to the architecture of the IPsec protocol, describes the tools used for managing IPSec on Solaris 8, and demonstrates a practical implementation.

Getting on the 6bone Quickly with Solaris™ 8

The authors describe some of the benefits of IPv6 and provide a step-by-step method to get a workstation on the 6bone, the IPv6 test bed.

Interoperating Linux with NetWare
A.J. Weinzettel
Passwords are a necessity in keeping information secure. The drawback is having so many of them -- one for email, one to access files, telnet/ssh sessions, etc. In this article, I will introduce an Apache module that allows users to use their Novell NDS password to access secure Web pages on a Linux Web server.

Reliable Network with Solaris™
Peter Baer Galvin
Until recently, it was very difficult to configure a Solaris machine to have redundant connections to a network, and to use them automatically in case of a failure. Because of the magic of Solaris 8, the task is now easy. If you are not IP Multipathing yet, you should be.

NFS: Part I, The Protocol
Ron McCarty
The Network File System (NFS) protocol provides an open standard for giving clients remote access to file systems. NFS allows administrators to create centralized file systems that ease management tasks such as backups and virus checking. Large, centralized drives are easier to maintain than many small, distributed ones.

Quick Network Redundancy Schemes

Simple bash scripting and IP aliasing can be used to implement quick and easy host redundancy schemes based either on host availability or service availability. In this article, I describe a very simple way to implement such a scheme.
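The two flavours of the scheme mentioned above (fail over on host availability, or on service availability) differ only in which probe the standby runs before it decides to bring up the floating address. The example below is added here and is not the article's own script: it is a polling round in Python rather than bash, and it assumes Linux `ifconfig` alias syntax, `ping -W` from iputils and `arping -U` for the gratuitous ARP announcement; the addresses and interface names are placeholders.

```python
"""One polling round of an IP-alias takeover scheme (added example, Linux assumptions).

The standby probes the primary, decides whether to take or release the floating
address, and builds the commands for that decision. Commands are only executed when
apply=True so the logic can be exercised without root.
"""
import socket
import subprocess


def host_alive(ip, timeout_s=1):
    """Host-availability check: one ICMP echo via the system ping (iputils -W)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), ip]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def service_alive(ip, port, timeout_s=1.0):
    """Service-availability check: a completed TCP handshake to the service port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def plan(primary_ok, holding_alias):
    """Decide the standby's action from the probe result and its current state."""
    if not primary_ok and not holding_alias:
        return "takeover"
    if primary_ok and holding_alias:
        return "release"          # primary is back: give the address up, avoid two owners
    return "noop"


def commands(action, iface, alias_ip, netmask):
    """Shell commands for an action. The gratuitous ARP after takeover is what makes
    neighbours forget the primary's MAC; without it they keep talking to a dead host."""
    if action == "takeover":
        return [f"ifconfig {iface}:1 {alias_ip} netmask {netmask} up",
                f"arping -U -I {iface} -c 3 {alias_ip}"]
    if action == "release":
        return [f"ifconfig {iface}:1 down"]
    return []


def one_round(primary_ip, port, iface, alias_ip, netmask, holding_alias,
              policy="service", gateway_ip=None, apply=False):
    """policy='service' probes the TCP port, policy='host' pings the primary.
    If gateway_ip is given, a standby that cannot reach its own gateway does nothing:
    otherwise a standby with a dead link 'takes over' and the address ends up on two
    hosts when the link returns."""
    if gateway_ip is not None and not host_alive(gateway_ip):
        return "noop", []
    ok = service_alive(primary_ip, port) if policy == "service" else host_alive(primary_ip)
    action = plan(ok, holding_alias)
    cmds = commands(action, iface, alias_ip, netmask)
    if apply:
        for c in cmds:
            subprocess.run(c.split(), check=True)
    return action, cmds


if __name__ == "__main__":
    # Placeholder values; run with apply=True from cron or a loop on the standby, as root.
    print(one_round("192.0.2.10", 80, "eth0", "192.0.2.100", "255.255.255.0",
                    holding_alias=False, policy="service", gateway_ip="192.0.2.1"))
```

Persisting `holding_alias` between rounds (a state file, or parsing the interface list) is the part most quick scripts get wrong; if the standby forgets it already holds the address it will keep re-announcing it every round.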

A Complete Network Information Center



A Look at ngrep



Communicating with Intermec and Zebra Bar Code Printers



R.I.P. RIP?

The Routing Information Protocol (RIP) is a recurring topic of discussion among network administrators, and whether the protocol still has a place in enterprise networking, especially in new deployments, is hotly debated. Most network administrators seem to love or hate the protocol, based on their previous experiences with it. Because of high-speed LAN connections and superior switching products, many networks are now flattened and include more nodes per logical (IP) network than in the past.

Introducing FreeS/WAN and IPsec

FreeS/WAN (Free Secure Wide Area Network) is a tool that permits the secure transmission of data over untrusted networks, such as the Internet. The central component of FreeS/WAN is the IETF's (Internet Engineering Task Force) IPsec (Internet Protocol SECurity) specification. Among other things, IPsec is designed to support Virtual Private Networks (VPNs). While FreeS/WAN is Linux-based, it conforms to the IETF's IPsec specification and is known to interoperate with many other vendors' implementations of IPsec. (Refer to the official Web site, http://www.freeswan.org, for the latest news.) The FreeS/WAN project was started by John Gilmore, is maintained by numerous energetic individuals, and is freely available in source code under the GNU General Public License.

Installing and Configuring OpenSSH

Thanks to the proliferation of packet sniffers and the escalating reasons for data security and integrity, it should no longer be acceptable to allow network logins to be sent in plain text. By discovering passwords sent over the wire or hijacking a connection via man-in-the-middle attacks, a malicious cracker could quickly commandeer your network for her own nefarious purposes. Luckily, a solution has been created, Secure Shell, which replaces plain-text communication protocols, such as telnet, rsh, and rlogin.

How to Make a Solaris 2.5.1 Workstation Support PPP Dial-Up from Windows



Skill-Based Training

Vendor Supplement

In the new e-business economy, today's enterprise IT systems must do more than just provide the traditional support mechanisms such as payroll, transaction processing, and so on. Now they must be Web-centric and customer-focused--the backbone of the enterprise's undertakings. Increasingly, IT systems are the initial, and often primary, customer contact. Yet IT departments are still staffed by people. The enterprise's human capital remains its foremost mission-critical asset, and it is increasingly understood that investments made in IT education help to increase productivity, decrease downtime, and utilize IT resources more efficiently.

IT Security Coming of Age

Many articles have been written about the latest and greatest tools for securing your machines and network from attack. Firewalls, security analysis tools, intrusion monitoring, and other topics have inundated the press for the past few years. Yet one topic that is rarely discussed, and in which systems administrators play a role, is security architecture. Information security is only one component, but a well-rounded and well-thought-out architecture, even one focused only on information security, plays a vital part in protecting your corporate information. This article suggests a sample model for the design of a security infrastructure, founded on published documentation and my experience as a systems administrator and information security specialist.

Questions and Answers

Questions and Answers

v09, i12: MPLS: Delivering Next-Generation Networking Services



A Perl Package for Monitoring Traffic

Systems and network administrators constantly struggle to know what is happening on their networks. This job is difficult at best, and at worst, it can be downright exasperating.

Securing SNMP on Solaris

The default SNMP configuration, while perhaps reasonably secure, can be made substantially more secure with a little effort. If you require SNMP services (e.g., to monitor a server in case of failover), you should configure it better.
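What "configure it better" amounts to for an SNMPv1/v2c agent is the same short list everywhere: no well-known community strings, no write community unless something really needs SNMP SET, and a restriction on which hosts may talk to the agent at all. The example below is added here and is not code from the article: it audits a configuration for those three points and shows a weak file beside a corrected one. The Sun-style keywords (`read-community`, `write-community`, `trap-community`, `managers`) and the net-snmp-style ones (`rocommunity`, `rwcommunity`) are assumptions about the file format; both sample files are constructed.

```python
"""Audit an snmpd.conf for well-known communities, write access and open source ranges
(added example). Findings are (severity, message) pairs; an empty list means clean.
"""

# Constructed weak file in the Sun agent style: defaults left in place, no manager list.
WEAK_CONF = """\
sysdescr        Sun SNMP Agent
read-community  public
write-community private
trap-community  public
"""

# Same file after hardening: random strings, no write community, explicit managers.
HARDENED_CONF = """\
sysdescr        Sun SNMP Agent
read-community  x7Qv-9pL2-tRw4-ba1K
trap-community  Mz3f-8cHn-2vYq-Lp0S
managers        nms1.example.net nms2.example.net
"""

# Constructed net-snmp-style line: 'rocommunity NAME [SOURCE]'; no SOURCE means any host.
NETSNMP_WEAK = "rocommunity public\n"

WELL_KNOWN = {"public", "private", "secret", "snmp", "community"}
MIN_LEN = 12


def _check_string(key, value, findings):
    if value.lower() in WELL_KNOWN:
        findings.append(("HIGH", f"{key} uses the well-known string '{value}'"))
    elif len(value) < MIN_LEN:
        findings.append(("MEDIUM", f"{key} string is only {len(value)} characters"))


def audit_snmp_conf(conf):
    findings = []
    sun_style = False
    managers_seen = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("read-community", "write-community", "trap-community"):
            sun_style = True
            _check_string(key, value, findings)
            if key == "write-community":
                findings.append(("HIGH", "write-community enables SNMP SET; remove it unless writes are required"))
        elif key == "managers":
            managers_seen = True
            hosts = value.split()
            if not hosts or any(h in ("*", "0.0.0.0", "any") for h in hosts):
                findings.append(("HIGH", "managers permits any source host"))
        elif key in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"):
            tokens = value.split()
            community = tokens[0] if tokens else ""
            source = tokens[1] if len(tokens) > 1 else "default"
            _check_string(key, community, findings)
            if source == "default":
                findings.append(("HIGH", f"{key} '{community}' has no source restriction"))
            if key.startswith("rw"):
                findings.append(("HIGH", f"{key} grants write access"))
    if sun_style and not managers_seen:
        findings.append(("HIGH", "no managers line: any host may query the agent"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("net-snmp", NETSNMP_WEAK)):
        print(f"== {label} ==")
        for sev, msg in audit_snmp_conf(conf) or [("OK", "no findings")]:
            print(f"  {sev:<6} {msg}")
```

A long community string only raises the bar against guessing; it still crosses the wire in clear text with every request, so where the agent and the management station both support SNMPv3 with authentication and privacy, that is the real fix and the community checks above become moot.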

Monitoring Usenet News

Running Usenet news on a large server has never been easy because the nature of Usenet has been to expand to fill all resources. In the days of dial-up modems when I started running news, the Telebit Trailblazer modem came out with 18-kbps connections. We thought the bandwidth problems were over, because we could handle several MB a day — now we handle several MB a second. To help run news on the least hardware available, I have generated some tools to help me see what the systems are doing.

An Introduction to IBM's Network Dispatcher

The Internet has brought us many new technologies as well as new requirements for the Web-based application. One urgent need is for high availability and rapid scalability of the infrastructure supporting our Web-based application. To meet this need, I am going to discuss "client spraying". In a basic setup, an HTTP client will connect to one HTTP server. However, if this server is down or is busy, there is no backup server for the client to connect to. Although there are other ways to correct this problem, the method used by IBM's Network Dispatcher is called "client spraying".
