August 2005


My work with INN 2.3.5 as an internal news server is progressing, and I must admit that the configuration of authentication and SSL is going well.  Authentication works like a champ, leveraging PAM and therefore automatically leveraging the Kerberos/LDAP integration with Active Directory I implemented a short while ago.  The SSL stuff is just a bit trickier; I initially tried the old faithful Stunnel, but found that INN thought the connection was coming from itself and not a reader.  That caused INN to respond differently.  I’ll start looking at native SSL support within INN next, but that can wait until tomorrow.


I finally managed to get an internal news server running INN 2.3.5 up, and it is now transferring data from the proprietary platform that is currently hosting some internal newsgroups.  I decided to use my first real installation of CentOS for the internal news server, and so far it has worked out well.

I have a newsfeed to transfer new postings from the proprietary application over to INN, and I’m using pullnews right now as I write this to transfer the old articles over.  Aside from some limitations and failures which I believe to be the result of the proprietary application’s specific implementation of NNTP (which I, personally, feel is another nonstandard implementation), everything seems to be transferring over rather well.  The next step will be to add authentication to the INN installation, and then add SSL support.

One more nail in the coffin of a certain proprietary groupware application…


Brief Impressions of CentOS 4.1

As I mentioned in an earlier entry, I’m trying out the CentOS distribution, a “clone” of Red Hat Enterprise Linux.  So far, I’ve been pretty impressed with it.  Granted, I was coming from Red Hat Linux 9.0 (RH9), a (now) old distribution using the 2.4 kernel.  So, many of the changes I’m seeing with CentOS 4.1 may be more due to the fact that it is running the 2.6.x kernel, has SELinux installed, etc., rather than anything else.  It seems to boot more slowly than RH9, but is otherwise reasonably equivalent with regards to performance and memory utilization.  I’m already using a mix of RH9 and Fedora Core packages on the existing servers, so there isn’t that much new (with regards to packages) with CentOS 4.1 that I don’t already use.

Barring some unforeseen problem that I have not yet encountered, I will probably migrate the majority of the Linux servers I currently maintain over to CentOS 4.1 over the next few months.

By the way, it doesn’t hurt that Asterisk@Home (the “pre-packaged” VoIP PBX installation) also runs on CentOS.


Among many other online appearances, the article First Windows Vista viruses unleashed from ComputerWorld describes the first family of viruses (virii?) that appear to be targeted specifically at the new Windows Vista operating system.

It would be ridiculously easy to make a joke here, but let me take a different tack.  First, this is beta (some would say pre-beta) code, so of course there are going to be “security holes” (I use this term loosely) that have not yet been closed.  Microsoft, take this as a signal that you need to continue to focus on security and making sure that any new functionality you add to Windows Vista gets properly secured.

Second, the target of this virus is not Windows Vista per se, but rather the “Monad” object-oriented scripting environment.  According to what I’ve seen, this environment is not slated to be included by default with Windows Vista.  Included by default or not, Microsoft, let’s make sure that you don’t turn “Monad” into a virus-writer’s delight.  Make it work, make it work well, and make it secure.


I was thinking about getting a car with built-in Bluetooth at some point in the future (like when I win the lottery), but now I’m not so sure. Here’s why:  ‘Car Whisperer’ puts hackers in the driver’s seat.


For quite some time now, a minor task I’ve been experimenting with is establishing transport mode IPSec security associations between Mac OS X and Windows Server 2003.  I’ve been using a freeware IPSec client called IPSecuritas.  Up until just a few days ago, I could never get anything to work.  After working on getting a PPTP-based VPN working from my PowerBook, I realized that just as I had to modify my ipfw rules (using BrickHouse) to allow the PPTP traffic, I’d have to modify the rules to allow IPSec traffic as well.  Duh!

After making the changes to allow ISAKMP (UDP port 500), ESP (IP protocol 50), and AH (IP protocol 51), I created a quick-and-dirty IP Security policy on the Windows box.  Lo and behold, it looked as if an SA was established.  However, within just a few seconds after IPSecuritas’ log showed the SA established, it appeared as if racoon (the back-end for IPSec on Mac OS X) crashed.  I have not yet figured out why.

Even with the apparent racoon crash, it looked like the SA was still valid.  I was not able to verify encryption by sniffing the traffic, but it certainly seemed like everything was working.

Despite the problems thus far, this is still good news to me.  Here’s hoping I can figure the rest of the problem out.
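As an added illustration (this is not code from the original post or from IPSecuritas, BrickHouse or ipfw), the following Python models the three firewall rules the post describes and shows why each one is needed: IKE/ISAKMP is matched by a UDP port, while ESP and AH are matched by the IP protocol number in the IPv4 header, so a rule that only opens UDP 500 lets the SA negotiate and then drops every protected packet.  The packets are constructed inline, the addresses and SPIs are arbitrary, and the `first_match` rule evaluator is a simplified first-match, default-deny model of ipfw rather than the real thing.  It also goes one step beyond the post by classifying UDP 4500 (NAT-T, UDP-encapsulated ESP), which the post's rule set would not allow.

```python
import struct
from typing import List, Optional, Tuple

# IP protocol numbers and ports; ISAKMP/UDP 500, ESP/50 and AH/51 are the
# three the post opens in ipfw.  UDP 4500 (NAT-T) is an addition for completeness.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
ISAKMP_PORT = 500
NAT_T_PORT = 4500


def parse_ipv4(packet: bytes) -> Tuple[int, Optional[int], Optional[int]]:
    """Return (ip_protocol, src_port, dst_port); ports are None unless TCP or UDP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = packet[9]                      # the protocol field ESP/AH rules key on
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        if len(packet) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return proto, sport, dport
    return proto, None, None


def classify(packet: bytes) -> str:
    """Label a packet as isakmp, nat-t, esp, ah or other."""
    proto, sport, dport = parse_ipv4(packet)
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_AH:
        return "ah"
    if proto == IPPROTO_UDP:
        if ISAKMP_PORT in (sport, dport):
            return "isakmp"
        if NAT_T_PORT in (sport, dport):
            return "nat-t"
    return "other"


# A rule is (action, protocol keyword, port or None).  Like ipfw, the first
# matching rule wins and the trailing "deny ip" is the default.  Hypothetical model.
Rule = Tuple[str, str, Optional[int]]
IPSEC_RULES: List[Rule] = [
    ("allow", "udp", ISAKMP_PORT),   # IKE negotiation
    ("allow", "esp", None),          # the protected data itself
    ("allow", "ah", None),
    ("deny", "ip", None),
]
PROTO_KEYWORDS = {"udp": IPPROTO_UDP, "tcp": IPPROTO_TCP,
                  "esp": IPPROTO_ESP, "ah": IPPROTO_AH}


def first_match(rules: List[Rule], packet: bytes) -> str:
    proto, sport, dport = parse_ipv4(packet)
    for action, keyword, port in rules:
        if keyword == "ip":
            return action
        if PROTO_KEYWORDS[keyword] != proto:
            continue
        if port is None or port in (sport, dport):
            return action
    return "deny"


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, zero checksum) around a payload. Addresses are made up."""
    src, dst = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src, dst)
    return header + payload


def udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Constructed sample packets (SPIs and payload bytes are placeholders).
ISAKMP_PKT = build_ipv4(IPPROTO_UDP, udp(500, 500, b"\x00" * 28))
NAT_T_PKT = build_ipv4(IPPROTO_UDP, udp(4500, 4500, b"\x00" * 16))
ESP_PKT = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 16)
AH_PKT = build_ipv4(IPPROTO_AH, struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x2000, 1) + b"\x00" * 12)
HTTP_PKT = build_ipv4(IPPROTO_TCP, struct.pack("!HH", 50000, 80) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("isakmp", ISAKMP_PKT), ("nat-t", NAT_T_PKT), ("esp", ESP_PKT),
                      ("ah", AH_PKT), ("http", HTTP_PKT)]:
        print(f"{name:7s} classified={classify(pkt):7s} ipfw={first_match(IPSEC_RULES, pkt)}")
```

Running it shows the ISAKMP, ESP and AH packets allowed and the plain TCP packet denied, as the post's rules intend; it also shows the NAT-T packet denied, which is what a peer behind NAT would run into with this rule set.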


Very Handy Add-On

I just found a very handy add-on for Mac OS X.  It’s called RDC Menu and it is a tool that provides an easy way of launching multiple instances of Microsoft’s Remote Desktop Connection application for the Mac.  If you manage Windows-based networks, you already know how useful Remote Desktop Connection (RDC) is, but the one key flaw in RDC was that you couldn’t launch multiple instances and thus couldn’t be connected to more than one Windows computer at a time.  With RDC Menu, all that changes.  Working as either a Dock item or as a Menu Extra, it allows you to easily launch multiple instances of RDC to connect to multiple Windows-based systems.  I run RDC Menu as a Dock item (I don’t like too many Menu Extras).


Novell to Broaden SuSE’s Reach

I’ve always heard good things about SuSE, but have never had the opportunity to work with it in greater depth.  Now, Novell has detailed its plans to open SuSE to community development in a manner similar to the approach used by Red Hat with its Fedora Project.

I think it’s a good thing.  Anything that Novell can do to broaden the reach and influence of SuSE will certainly help both Novell and the SuSE Linux distribution itself.  As it gains more attention, people will be more likely to develop on and for SuSE.


I have been searching for the last few days on some techniques to integrate a Squid web cache with a PIX firewall in a transparent fashion.  Most of the information I am finding involves using the Squid web cache as the default gateway along with an iptables firewall that transparently redirects outbound TCP port 80 traffic to port 3128 (the Squid web cache port).  The web cache then talks to the PIX, which takes it from there.  Certainly, this works, but it is not what I was hoping to find.  I’d really like a way to have the PIX redirect the traffic, but it appears that the PIX OS does not support that functionality.  How can this be?  The pf firewall in OpenBSD supports redirection, if I’m not mistaken.  The iptables firewall in Linux supports redirection.  But not Cisco’s PIX OS?  Is it just me, or does anyone else see a problem with this?


This Will Be Something to Watch

Phil Zimmermann, the creator of PGP (Pretty Good Privacy), is back, this time working to provide secure VoIP.  Apparently, Phil resurrected PGPfone, updated it with modern protocols, and has created Zfone, a prototype application that will provide encryption for voice-over-IP calls.

This will be something to watch.  I agree with Phil that nobody is really paying any attention to the security of VoIP traffic moving across the Internet, and it’s about time somebody thought about it.

