Tuesday, October 26, 2004

Triangle NUG meeting about server colocation 

This evening I went to the Triangle Novell Users' Group meeting, which for a change was held at Inflow's Data Center in RTP instead of our usual meeting place at Alphanumeric Systems Inc.'s headquarters.

Inflow provides colocation and managed services, server space and engineering to support those servers, data backup services, hosting and business continuity. They do not yet provide Novell services, but plan to in the near future.

They have multiple redundant SONET OC3s coming into the building. They have been in this location since 1999. They have 14 data centers in "Tier 2" cities.

Servers are now smaller and produce a LOT more heat than they did a few years ago. They are adding more HVAC capacity to their facilities. IBM "Blade Centers" use an amazing amount of power. A lot of buildings don't have the power capabilities to handle these kinds of machines.

Inflow offers predefined and custom SLAs.

After the presentation we got an extensive tour of the data center.

Friday, October 15, 2004

TriLUG meeting about DNS 

I attended the monthly Triangle Linux Users' Group meeting on 10/14/04, at which Aaron Joyner gave a presentation entitled "DNS: How it works. Why it works. How you can work with it."

My notes from this meeting are as follows:

Introductory overview of DNS...

DNS Server Software:
BIND
DJBDNS
MS DNS Server

History of the servers:
BIND, originally written at UCB, funded by ARPA through v4.8.3
Picked up by DEC (now Compaq)
After 4.9.1 picked up by Paul Vixie and Bob Halley
v.8 was released in 1997
Current version is 9.12
If anything older than BIND 9 is in use, an upgrade is recommended

History of DJBDNS
written by Dan Bernstein, author of qmail
Written because Dan was unhappy with the status quo
Considered by some to be easier to config

History of MS-DNS
Has a somewhat bad rep, but runs largely on DynDNS

DNS Client/Tools
Resolver Library
nslookup: about to go away
host: preferred alternative to nslookup for simple queries
dig: if you want to know it all. Very verbose. Originally a debugging tool. Output is in config file format.

host
command outputs the name or IP address

dig
does recursion
very recursive

Recursive DNS query
All queries start with a cache (sometimes ".") The "." is called the DNS root. The root can be a security concern.
The hints file contains all of the names and addresses of root servers.
DNS queries proceed right to left through the name.
The pattern can be followed with dig using the +norec option, which forces you to walk step by step.
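The walk described above, from the root hints down through each delegation, as an added example (not from Aaron's talk). It simulates what `dig +norec` makes you do by hand: ask a server with recursion off, take the NS referral and its glue, and ask the next server. The server table and the 192.0.2.0/24 addresses are constructed stand-ins, not real root or TLD servers; the bailiwick check is the part worth noticing, since accepting glue for names a server has no business answering for is the classic cache-poisoning hole the notes allude to with "the root can be a security concern".

```python
"""Iterative DNS resolution walked by hand, the way `dig +norec` does it.

Added example, not from the talk. SERVERS is a constructed in-memory
stand-in for the root, com. and example.com. name servers; the addresses
come from the 192.0.2.0/24 documentation range, not real servers.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    """What one server hands back to an RD=0 query: a final answer, or a
    referral (NS records in AUTHORITY plus glue A records in ADDITIONAL)."""
    answer: list = field(default_factory=list)      # (name, type, data)
    authority: list = field(default_factory=list)   # (zone, "NS", nsname)
    additional: list = field(default_factory=list)  # (nsname, "A", ip) glue


# Stand-in for the hints file: where to start when the cache is empty.
ROOT_HINTS = {"a.root-servers.example.": "192.0.2.1"}

# Each server knows only its own zone, so resolving www.example.com takes
# three round trips: root -> com. -> example.com.
SERVERS = {
    "192.0.2.1": {  # root: only the delegation for com.
        "com.": Response(
            authority=[("com.", "NS", "a.gtld.example.")],
            additional=[("a.gtld.example.", "A", "192.0.2.2")]),
    },
    "192.0.2.2": {  # com.: only the delegation for example.com.
        "example.com.": Response(
            authority=[("example.com.", "NS", "ns1.example.com.")],
            additional=[("ns1.example.com.", "A", "192.0.2.3"),
                        # out-of-bailiwick glue a hostile server might slip in
                        ("www.bank.example.", "A", "192.0.2.99")]),
    },
    "192.0.2.3": {  # example.com.: authoritative data
        "www.example.com.": Response(answer=[("www.example.com.", "A", "192.0.2.10")]),
    },
}


def closest_zone(server_ip, qname):
    """Longest suffix of qname this server has data for. Labels are tried
    right to left (com., then example.com., ...), the order DNS walks a name."""
    labels = qname.rstrip(".").split(".")
    best = None
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in SERVERS[server_ip]:
            best = candidate            # keep the most specific match
    return best


def query(server_ip, qname):
    """One non-recursive query (RD=0) to one server; returns what it has."""
    zone = closest_zone(server_ip, qname)
    if zone is None:
        raise LookupError(f"{server_ip} has no data for {qname}")
    return SERVERS[server_ip][zone]


def resolve(qname, max_hops=8):
    """Follow referrals from the root until a server answers with an A record.
    Returns (ip, path) where path lists the servers asked, in order."""
    if not qname.endswith("."):
        qname += "."
    server, zone = next(iter(ROOT_HINTS.values())), "."
    path = []
    for _ in range(max_hops):
        path.append(server)
        resp = query(server, qname)
        for name, rtype, data in resp.answer:
            if name == qname and rtype == "A":
                return data, path
        glue = {n: ip for n, t, ip in resp.additional if t == "A"}
        referred = False
        for child, _, nsname in resp.authority:
            # Bailiwick check: only use glue for names inside the zone the
            # responding server is delegated; anything else could be poison.
            if nsname in glue and nsname.endswith(zone):
                server, zone, referred = glue[nsname], child, True
                break
        if not referred:
            raise LookupError(f"no usable referral for {qname} from {path[-1]}")
    raise LookupError("too many referrals")


if __name__ == "__main__":
    print(resolve("www.example.com"))
```

Each hop prints as one step of a `dig +norec` session would: the root hands back only the com. delegation, com. hands back only example.com., and the authoritative server finally answers. The stray glue for `www.bank.example.` is never consulted because no NS record in the referral names it.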

The domain example.com is reserved by IANA to be used for example purposes only.

DNS is usually sent out over UDP. If you have a DNS server, it should really be on a high bandwidth connection. If there is a bottleneck in your WAN, using a local caching server is a really good idea, although it is not the answer to everything.

Alternate Record Types:
MX records
mail exchange. If there is no MX record, the query will talk to the A record. How well it works depends on the mail server type used. Unlike most record types, MX records have a priority assigned to them. An MX record should not point to an address or a CNAME but rather to a host name (A record).
PTR records
pointer record. What you get when you ask for an inverse query. Getting increasingly important to have these right, for example if you are sending mail to AOL, since they do reverse lookups to see if the DNS record is right to help in the fight against spam.
CNAME
canonical name. It is a reference. For example, if www and ftp use the same record, ftp can be associated with a CNAME.
SRV records
server record.
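The MX, PTR and CNAME rules from the list above, worked through in code as an added example (not from the talk): MX targets sorted by priority, the fall-back to the A record when a domain has no MX, rejection of MX records that point at an address or a CNAME, and the forward-confirmed reverse lookup that a receiving server such as AOL's performs on the sending IP. The record set is constructed and uses documentation addresses.

```python
"""MX, PTR and CNAME handling over a constructed record set.

Added example, not from the talk. RECORDS stands in for zone data; the
names and 192.0.2.0/24 addresses are constructed for illustration.
"""
import ipaddress

# (owner, type, data); MX data is (priority, target).
RECORDS = [
    ("example.com.", "MX", (20, "mail2.example.com.")),
    ("example.com.", "MX", (10, "mail1.example.com.")),
    ("mail1.example.com.", "A", "192.0.2.25"),
    ("mail2.example.com.", "A", "192.0.2.26"),
    ("www.example.com.", "A", "192.0.2.10"),
    ("ftp.example.com.", "CNAME", "www.example.com."),      # alias, per the notes
    ("bad.example.com.", "MX", (10, "ftp.example.com.")),   # MX -> CNAME: invalid
    ("worse.example.com.", "MX", (10, "192.0.2.31")),       # MX -> address: invalid
    ("25.2.0.192.in-addr.arpa.", "PTR", "mail1.example.com."),
    # mail2 deliberately has no PTR, so a reverse check on it fails
]


def lookup(name, rtype):
    return [d for o, t, d in RECORDS if o == name and t == rtype]


def canonical(name, max_chain=8):
    """Follow CNAMEs to the canonical name, refusing loops and long chains."""
    seen = []
    while name not in seen and len(seen) < max_chain:
        seen.append(name)
        targets = lookup(name, "CNAME")
        if not targets:
            return name
        name = targets[0]
    raise ValueError(f"CNAME loop or chain too long at {name}")


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s.rstrip("."))
        return True
    except ValueError:
        return False


def mail_hosts(domain):
    """Hosts to try for mail to `domain`, best (lowest) priority first.
    No MX at all -> the domain's own A record is used, as the notes say.
    MX targets must be host names with an A record, not CNAMEs or addresses."""
    mx = lookup(domain, "MX")
    if not mx:
        return [domain] if lookup(domain, "A") else []
    hosts = []
    for _prio, target in sorted(mx):
        if is_ip_literal(target):
            raise ValueError(f"MX for {domain} points at an address: {target}")
        if lookup(target, "CNAME"):
            raise ValueError(f"MX for {domain} points at a CNAME: {target}")
        if not lookup(target, "A"):
            raise ValueError(f"MX target {target} has no A record")
        hosts.append(target)
    return hosts


def reverse_name(ip):
    """The in-addr.arpa name a PTR query for `ip` asks about."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def forward_confirmed(ip):
    """The check a receiving mail server makes on the sender: does the PTR
    for the connecting IP name a host whose A record points back at that IP?"""
    names = lookup(reverse_name(ip), "PTR")
    return any(ip in lookup(name, "A") for name in names)


if __name__ == "__main__":
    print(mail_hosts("example.com."), reverse_name("192.0.2.25"),
          forward_confirmed("192.0.2.25"), forward_confirmed("192.0.2.26"))
```

The two invalid MX entries are there on purpose: a real mail server may or may not tolerate them, which is the "depends on the mail server type used" in the notes, but a zone check should reject them outright.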


How to set up a domain in BIND
/etc/named.conf - all the major options, such as the hints file, are located here
/var/named
/var/named/domain.zone
Various locations for config files, varies by distro

type hint contains the cache of all of the root servers.

rndc

rndc reload: common way to reload a server, however it throws away the cache
rndc reconfig: great way to reload the information in named.conf
rndc reload - won't throw away the cache


Views
Allows you to define different "views" of the DNS, based on IP/Subnet matching
Extremely simple
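A named.conf putting the three pieces above together (hints zone, rndc control channel, and two views matched by subnet), as an added example and not a config from the talk. The file layout follows the /etc/named.conf and /var/named locations in the notes; the zone file names, the 192.0.2.0/24 addresses and the rndc key are assumed placeholders.

```conf
// Added example of a split-horizon named.conf; not from the talk.
// Paths follow the /etc/named.conf + /var/named layout in the notes.

options {
    directory "/var/named";
    // Only recurse for our own networks: an open recursive resolver is an
    // amplification source and a poisoning target for the whole Internet.
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
    allow-transfer { none; };      // zones below re-enable this selectively
};

// rndc authenticates with a shared key; `rndc-confgen` generates one and a
// matching rndc.conf. hmac-md5 was the only choice in 2004-era BIND 9;
// use hmac-sha256 on any current release.
key "rndc-key" { algorithm hmac-md5; secret "<paste the key from rndc-confgen>"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };

// Inside hosts see the full zone; everybody else sees a trimmed copy.
// With views in use, every zone (the hints zone included) must sit inside one.
view "internal" {
    match-clients { 127.0.0.1; 192.0.2.0/24; };
    recursion yes;
    zone "." IN { type hint; file "named.ca"; };   // root server hints (assumed file name)
    zone "example.com" IN {
        type master;
        file "example.com.internal.zone";          // internal names included
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" IN {
        type master;
        file "example.com.external.zone";          // public names only
        allow-transfer { 192.0.2.53; };            // the secondary, nothing else
    };
};
```

Order matters: named uses the first view whose match-clients matches, so the restrictive "external" view goes last. On the rndc commands in the notes: `rndc reconfig` re-reads named.conf and loads only zones that are new, `rndc reload` re-reads named.conf and reloads every zone, and the command that actually empties the cache is `rndc flush`.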

Dynamic DNS
documentation on the web. Look it up there, since we're out of time here.


For the presentation Aaron used his Bluetooth phone to control his slides on the projector. A few jokers in the audience tried to throw him off-balance by sending heckles via SMS to his phone during the presentation.

Annual CTC retreat 

The annual Carolina Technology Consultants Retreat was held on 10/14/04 in Murphy Hall on UNC's campus.

The Keynote Speaker was Dan Reed, the new Chief Information Officer of UNC. My notes from his speech are as follows:

IT: An Intellectual Lever

IT has become an intellectual lever for human endeavor
It's intended to be an intelligence amplifier
Most successful when invisible

Presentation outline:
Lessons from experience
Consilience examples
Technology enablers
Sociological lessons
ITS reorganization

Information consumes the attention of its recipients.

"Crackberry"

ITS Organizational Change

Principles:
customer focused
opportunity and need driven
nimble, adaptive practices and structures
open to engagement and possibilities

Implications:
organizational flexibility
rapid restructuring
strategic planning and response
empowering and valuing people


CIO's office:
Integrated financial management/budgets
Personnel and human resources
Public relations and communications
Campus and State coordination
Security and regulatory compliance
Strategic planning


Deputy CIO Search Status:
finalists selected; campus interviews are now being scheduled


Four high level components:
Deputy CIO/Associate Vice Chancellor
Associate Vice Chancellor for Planning/Special Projects
area advisory committees
Assistant Vice Chancellor

All slides are on the ITS web site (under Dan Reed's homepage).

Our campus is 3-5 years behind the state of the art


Next, of the two morning breakout sessions, I attended the presentation on Wireless Connectivity, which was presented by Chris Colomb, Todd Meath, Mark Ingram and David Rankin.

Mark Ingram from Development Office started with a presentation on Blackberries

Uses Exchange and for a few years has had a Blackberry Enterprise server. Integrates with calendar. Blackberry synchs with Blackberry Desktop Manager. For future wants Advise interface for Blackberry. Enterprise server provides encryption and security. Integrates easily with Exchange. Device can be disabled from the management console if it is ever lost (left in a cab, etc.). Ease of use makes it best choice for his department. Wants to see a broader, campus-wide deployment of Blackberry Enterprise Server so he won't need to run his own email server.

Uses Virtual Office in NetWare 6.5. Can do file sharing. File sharing added to Intranet. Demoed Virtual Office. Ties in with Net Storage. This allows distributed access to avoid need for large email attachments. Touts ease of use. No need for VPN client.

According to Chris Colomb the Outlook Connector is a rapidly evolving application and new versions are put up on Shareware frequently. Current version is barely three weeks old.

Mark has several remote users who can get in just fine through an ISP and a VPN and can synch their Blackberries.

Todd Meath

Talked about push/pull data with Palm Pilots in Family Medicine. For push still uses AvantGo, the Epocrates drug database, and Campus Calendar. For pull uses IR beaming. And uses Pendragon for interactive data. Avantgo.com is still a free service. It's used to retrieve HTML data from any web server. Uses it for both static and highly dynamic data. Uses it to replace several printed documents. Cost savings for printing and lamination of pager numbers alone was $1200 annually. Printing savings of $9000 since 1999. Uses selected calendars from the Campus calendar server. Uses groups, resources and other users. Enabled via web access to Campus calendar. Under Security set "Allow Global Agenda Viewing". All entries must be set to Access=Public. "Email Agenda to a friend" creates a URL that is used to create an AvantGo channel. It's not an active synchronization.

Uses IR Beaming to pull in speaker notes, presentations, applications, handouts, etc. Uses "Documents to Go" as reader/editor.

For future wants to see synching independent of PC.

Pendragon Internet Forms. It's web based; uses it to easily create and edit forms. It's Pull controlled. Easy to create interactive forms, no coding required. Can be synchronized via PC, IR, 802.11, cell modem. Data is encrypted and inserted into database. Uses a large scale version of the software. Pricey - $5000 (with educational discount). There is also a small scale version for a dedicated, standalone PC which costs $400.
Trouble spots: understanding which methods are available for the device/needs. Understanding what "wireless" means: cellular, infrastructure (802.11), Bluetooth, IR. Understanding the limitations. Not all applications support non-PC-based sync methods. Applications must be synched sequentially; can't synch all applications in a batch. Conduits installed onto users' systems work well in supported environments. Outcomes diminished as user involvement increased. To solve this, IR is an inexpensive solution: it removes the standalone PC from the synching equation.


David Rankin was up next with a presentation about handheld computer security.
Presentation is a brief summary of findings on research he did this summer.
The facts: Use of handheld computers (PDAs) is increasing. Useful software on PDA platform increasingly available. PDAs are much more powerful - more memory, more storage, wireless communications.
The challenge: No organizational policies on support of PDAs. No organizations policies on PDA security. Unchecked and unsupported PDAs can be a security problem. A mobile threat vector; can easily bypass perimeter security defenses.
PDA vulnerabilities: Loss of PDA, Virus infection and transmission. Unencrypted corporate/university data. Unsecured wireless technologies. Physical loss of device is #1 security risk. Hardware is trivial, however data on it can be priceless. Research shows that 40% of lost PDAs are lost in taxicabs!! 20% are left in restaurants. Viruses are #2 threat. Majority of PDAs now run a slimmed down version of Microsoft software. Pocket Word & Excel are vulnerable to the same macro viruses as desktop versions of the software.
So, what's on a lost PDA? 85% meeting notes, 80% business names, addresses & email addresses 32% Organizational email and attachments 33% PIN numbers and passwords. ALL UNENCRYPTED!
What can YOU do about it? Establish support, management and security policies. Control PDA purchases. Control loss of PDAs. Password protection (require a power-on password as a minimum; if possible, incorporate biometrics; include a routine to delete content after a certain number, for example 15, of unsuccessful login attempts). Encrypt PDA data (not only the integrated memory but also removable storage cards). Anti-virus software.
What more can you do? VPN for wireless communication, etc.

Next up was Chris Colomb, who gave a talk on the devices supported. Does not want to enforce a proprietary device. Supports standards. The life of wireless devices is usually shorter than even laptops and other devices. Phones are getting smarter. PDAs as they are now may not be around much longer. Mentioned the Cingular Xpress Mail pilot program. Currently only available for the Treo 600. Future is here today with the CWI program. Mentioned the calendar synchronization program, after which the wireless capabilities already in the student calendar will be available for the faculty/staff calendar as well.

Palm encryption software: Teal Lock, Splash ID, PDA Defense.



After lunch I attended the breakout session about Teleworking, which was moderated by Ken Yow and featured several panelists. My notes from this session are as follows:

Teleworking training: Carol Vandenboom, Training Coordinator, Enterprise Applications

Teleworking Training Plan:
Pre-training activities
Introduction memos with links to websites, policy draft, FAQ, etc. to present information about what teleworking is and how it works/what works and what doesn't
Actual training

Teleworker's Curriculum
Understand policies and guidelines
Explore communications
Plan workloads & schedules
Address telework issues
distractions, such as children, family that makes noise with TV, chatty neighbors, etc.
Career opportunities: "outta sight outta mind"
what if you hate it?
insurance, taxes, who pays for what?
Plan for success

Manager's Curriculum
Create a concerns list
Manage teleworkers
Manage workloads
how to supervise work and productivity
Explore communication
Build a telework team
How to schedule and plan meetings. What about impromptu meetings?
Address telework issues
Plan for success

Combined Group Curriculum
Answer questions concerning the Telework Policy - Lisa Lipscomb
Identify HR Deliverables - Lisa
Discuss security issues - Andrew Lee
Review the concerns list

Non-Teleworking curriculum
Create a concerns list
Jealousy?
Explore communication
Plan for success
Post training
Teleworking tips for managers & teleworkers
Teleworking websites
Teleworking articles


Manager's Perspective, presented by Ken Yow, Manager, ITS On-Site Support, User Services and Engagement (USE)

There is a written telework policy!

Positives:
improvement in morale (no-cost benefit)
seemingly getting 8+ hours per day
Happy employees work harder
Flexible hours no set work schedule
Varies by manager
No problems, so far, with deadlines being missed
Truly using results oriented evaluation techniques (it's done on time or it's not)

The managers need to get comfortable with the concept of telework before it will happen. The managers won't be able to 'watch' the employee.

Negatives:
Scheduling meetings can be difficult
Getting full picture of problems can become difficult


Teleworker's Perspective
Sharon P. Glover, Systems Accountant, Enterprise Applications, Coesus Team

Office setup
Space. Do you have space? Is it converted to office use?
Equipment? Bring machine from office or use own? Tech Support?
Completed off-campus use agreement
Family Impact
Family needs to understand that work time is work time and shouldn't be interrupted
Encountered more problems with in-laws than immediate family. Treated her as 'errand runner,' so had to set boundaries and learn how to say "No" to family and in-laws.
Communication
Had seven team members, 6 of whom telework. Decided that all come in to office on Wednesdays to take care of meetings and other stuff that requires physical interaction.
Used same phone greeting as in the office so that teleworking appears transparent to customers
Organizing for Productivity
Organize tasks that require uninterrupted concentration to do at home and tasks that require interaction or don't require so much focus for office day
Efficient Use of Resources


Telework Statistics
presented by Ken Yow

Total number of original participants: 61
Current number of teleworkers - about 30 (based on ISP reimbursements; may be a bit higher)
Number that started after the original group - 4
Average % of hours per week teleworked - 30%



The final session of the day was a presentation about spam management, and it too featured several panelists.

Doug Douillard: Dental School

Using GFI Spam management on top of Exchange 2003
Uses blacklisting, whitelisting, keyword matching, header checking to identify spam.
Searches headers for malformed MIME, multinumber email address, etc. to identify spam. Searches also in body of message.
Uses Bayesian filter to learn as it goes
Has public folders available to which users can drag and drop messages to identify messages to blacklist, whitelist, etc. They don't use this feature at Dental school to avoid misuse.
Has a spamblock list so that admins can review messages to add to filter.
Admin tools lets you view messages, traffic for one day, and more. Keeps info in a SQL database.
Has options for listservs, footers with disclaimers, web interface, etc.
Users in Dental school have given positive feedback.
Costs $1500/year.
Has been running it for the last six months. Has approx. 760 Exchange accounts.
The setup that they have didn't require any user training


Larry Fritsche - Business School

Pharmaceuticals and health care are currently the most prolific spammers, surpassing even porn. Mortgages and gambling are way off as well. Spam is so prevalent because it works.
The CAN-SPAM Act is ineffective. Only about 4% of spam is actually compliant. Don't rely on government to take care of this situation.
Has about 2500 full time active Exchange accounts, as well as grad student accounts.
Spam filtering process: IIS, banned subnets and IPs. Next, goes through GFI MailEssentials and Antigen. Then goes through the Exchange 2003 Intelligent Message Filter.
In GFI a suite of filters is applied, such as Spamhaus, Subject content, blacklist, message content, embedded only, Bayesian, etc.
Antigen is an antivirus product that contains a spam component, but that is only an added feature and shouldn't be relied on exclusively.


Customer service:
You must know your customers
Are your med students studying Viagra and Cialis?
Is someone researching marketing and pornography?
Did your Korean student expect a valid email from a family member or employer?
Privacy - How sensitive are your customers to inspection?
Regulations? HIPAA, SarbOx, etc.
Pilot your solutions
Communicate


Primary Decisions
Delete, Quarantine or Deliver? - Products that rate spam are the most flexible
How much admin control do you need? - Antigen vs GFI vs Exchange/Brightmail
Initial cost vs. ongoing? - Brightmail vs. GFI
Outsource? - Valid option but NOT recommended

Best Practices/Tips
Eliminate or greatly reduce the risk of false positives
Costs - Prepare your customers and IT staff for the labor involved. Spam has a labor cost no matter what options you choose
Evaluate the vendor AND the product - Check their business and technical status
Monitor your systems and stay in touch with your customers


Chris Colomb - ITS Messaging

Evolution of Spam
Canter & Siegel "How to Make a Fortune on the Information Superhighway" - and spammed 6000 newsgroups
Open relays
Open proxies
Trojan/zombie PCs - when viruses and spam collide
current estimate: 50 - 100 million of these compromised hosts
ROKSO - Registry of Known Spam Operations
200 known spam operations responsible for 90% of spam


How does UNC handle Spam
spam@unc.edu & spam reporting
Source based blocking
Spam blocking: our dynamic block list
updated four times a day (now every hour)
several hundred entries per update
from 7800 entries in May 2003 to 1.6 million entries today
proactive additions based on traffic analysis
Content based blocking
Heuristic spam filtering - At 99% effective spam filtering about 5000 spams would go through at UNC
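The Bayesian filter that both the GFI setups described earlier and the SpamAssassin-based campus filter rely on, reduced to its core as an added example (not any vendor's code). It learns per-token spam/ham counts "as it goes", scores a message by summed log-odds with add-one smoothing so unseen words stay neutral, and exposes the threshold that trades false positives against misses, which is the tuning decision the panel kept coming back to. The training corpus is constructed and far too small for real use; it only shows the mechanism.

```python
"""A minimal Bayesian spam filter of the kind the products in these notes
include. Added example, not vendor code; the training messages below are
constructed and deliberately tiny.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$%]+")

# Constructed training data.
SPAM_SAMPLES = [
    "cheap viagra cialis online pharmacy no prescription",
    "lowest mortgage rates refinance now apply online",
    "win big casino gambling bonus click now",
    "cheap pharmacy pills prescription discount online now",
]
HAM_SAMPLES = [
    "meeting notes from the dns talk at trilug on thursday",
    "can you review the named.conf change before the reload",
    "lunch on thursday to go over the telework policy",
    "the bind upgrade to version 9 is scheduled for friday",
]


def tokens(text):
    """Lowercased word tokens. A token counts once per message so a single
    repeated word cannot dominate the score."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # token -> number of spam messages containing it
        self.ham_tokens = Counter()    # token -> number of ham messages containing it

    def train(self, text, is_spam):
        """'Learns as it goes': every classified message updates the counts."""
        counter = self.spam_tokens if is_spam else self.ham_tokens
        for tok in tokens(text):
            counter[tok] += 1
        if is_spam:
            self.spam_docs += 1
        else:
            self.ham_docs += 1

    def token_log_odds(self, tok):
        """log( P(tok|spam) / P(tok|ham) ) with add-one smoothing, so a token
        never seen in either class contributes exactly zero."""
        p_spam = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
        p_ham = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
        return math.log(p_spam / p_ham)

    def score(self, text):
        """Class prior plus summed token log-odds; positive leans spam."""
        prior = math.log((self.spam_docs + 1) / (self.ham_docs + 1))
        return prior + sum(self.token_log_odds(t) for t in tokens(text))

    def is_spam(self, text, threshold=0.0):
        # Raising the threshold buys fewer false positives at the cost of more
        # spam getting through; the panel's advice is to err on that side.
        return self.score(text) > threshold


def build_filter():
    """Train a filter on the constructed corpus."""
    f = BayesFilter()
    for text in SPAM_SAMPLES:
        f.train(text, True)
    for text in HAM_SAMPLES:
        f.train(text, False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("discount pharmacy cheap pills online",
                "notes from the bind talk on thursday"):
        print(round(f.score(msg), 2), f.is_spam(msg), msg)
```

In production the same structure is fed by user feedback (the drag-to-folder public folders and the whitelist-sender feature in the notes are exactly that training signal), and the threshold is what a "rate, then quarantine or deliver" product exposes as its sensitivity setting.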


Internal Challenges
http://mail.unc.edu/spam - Spam filter. Uses SpamAssassin. Marcus Cox is the principal implementer of this product.
New feature: Whitelist sender: way to deal with false positives
Hope to roll this out to general users soon. Main holdup has been a lack of hardware.
New, revised webmail coming soon. http://webmail2.isis.unc.edu


Ken Bradley - ITS Security

You get spam because you are on some sort of list
signed up for promotions or email lists.
downloading applications and registering them
try using a different email account for this kind of thing
'strafing' web pages. Harvesting web pages for email addresses.
Has been used by 12 year old script kiddies.
Avoid this by not putting your email address in web pages, or by reformatting it, for example as 'name at x dot y'
Impossible to avoid all of it. Spam will happen!
Spam can be minimized by using rule sets and filters available in email clients.


Wednesday, October 13, 2004

Triangle NT User's Group meeting 

Yesterday I attended the monthly Triangle NT User's Group meeting. Even though the email advertising the meeting made it sound like we would be treated to an interesting presentation, the presenter once again failed to show up. The pizza was delivered and the few people in attendance got to eat. Afterwards we waited until one hour after the supposed starting time and since the presenter still had not shown up we all went home. This meeting was just sad!

NCSA meeting about Securing your Infrastructure 

The other day I attended the monthly North Carolina System Administrators' meeting, at which Tim Crofton, Manager for Security Consulting from NEC Unified Solutions, Inc. gave a presentation entitled "Crossing the Bridge Before you come to it. Securing Your Infrastructure."

According to the speaker, NEC Unified Solutions is a subsidiary of NEC America and was formed in Jan 04. It is a business and professional consulting organization. On 10/28 they are going to hold an open house at their Blue Ridge Road offices.

Following are the notes that I took during this meeting:

Overview:
Network risk basics
Risk and Vulnerabilities
Risk Assessment


- Over the years, hacker tools have become more sophisticated and the technical knowledge required has decreased drastically.

- No business is without risk.

Loss factors
- Most organizations don't know they're being hacked.
- 55% of respondents report unauthorized access by insiders
- 26% reported theft of proprietary information.
- 80% of all illegal access occurs within the organization by an employee.
(Source: CSI/FBI Computer Crime and Security Survey)

- This happens when employees are fired and access is not removed.

- Convergence between different systems is taking place - becomes issue for security.


Asset protection considerations:
- Paranoid is good
- Technology alone will not make you safe
- Identify your weakness
- Know your enemy
- Always be ready for the worst case scenario


Before staging your strategy:
- Define what is important to protect
- Categorize threats
- Identify vulnerabilities
- vulnerabilities are not just technical. Social engineering, etc.
- Identify the risk
- Build a roadmap


Issues to keep in mind:
- Recognize that traditional TCP/IP risk management principles apply.
- Establish acceptable levels of risk for the environment.
- Don't forget that you are living in a common and open environment.
- Recognize that enterprise infrastructure risk exposes the environment.
- Identify pre-existing environment vulnerabilities.


Where do you start?
- Design a plan!! around pre-existing industry recognized standards for managing technology risk, related to your business...
ISO 17799
BS 7799
GLB
Sarbanes-Oxley
HIPAA
EHNAC
Common Sense!!!

- Adopt a risk management model
-- Monitor -> Validate & Test -> Implement -> Monitor, etc.

- Identify vulnerabilities:
- Perform a network security assessment to canvass the entire enterprise
- includes social engineering, war driving, information security policies and procedures, security architecture and infrastructure, authentication, etc.
- People, process, systems, networks, applications, physical protections

- Presenter thinks that grinding hard disks is more cost effective and preferable to data wiping (!!)

- Often it's the low tech and not the high tech systems that are the most exploitable.

- Most important part of designing plan is to provide for security awareness.


Assessment approach
- Look at the enterprise as a "system"
- Remember that security is a "process"
- Don't overlook business culture weakness
- Don't forget that you can control system configuration...but you cannot control people.
- Don't focus only on technology alone.
- Don't cross the bridge until you come to it.


- Review all policies, templates and procedures
- Review all system management practice
- Check all configuration settings based on policies
- Port scan all TCP/IP devices
- Discover vulnerabilities
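The "port scan all TCP/IP devices" step from the list above, as an added example (not the speaker's tool): a TCP connect scanner that distinguishes open, closed and filtered ports and grabs whatever banner a service volunteers, which is where "discover vulnerabilities" usually starts. So that it runs offline it starts its own loopback listener with a constructed banner and scans that; pointing `scan()` at anything else needs the written, management-signed authorization the talk insists on.

```python
"""Small TCP connect scanner with banner grab. Added example, not from the
talk. start_test_listener() stands in for a real service so the scan can
be demonstrated against 127.0.0.1; its banner text is constructed.
"""
import socket
import threading


def start_test_listener(banner=b"220 constructed-smtp ready\r\n"):
    """Listener on an OS-assigned loopback port that greets each client with
    a fake banner and hangs up. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # server socket closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(host, port, timeout=0.5):
    """Return (state, banner). state is 'open', 'closed', 'filtered' or 'error'.
    A RST (connection refused) means nothing is listening; no reply at all
    usually means a firewall is dropping the SYN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""
    except socket.timeout:
        s.close()
        return "filtered", b""
    except OSError:
        s.close()
        return "error", b""
    try:
        banner = s.recv(128)         # many services announce themselves first
    except socket.timeout:
        banner = b""                 # open but silent (HTTP waits for us to talk)
    finally:
        s.close()
    return "open", banner


def scan(host, ports):
    """Map port -> (state, banner) for every port that is not plainly closed."""
    results = {}
    for p in ports:
        state, banner = probe(host, p)
        if state != "closed":
            results[p] = (state, banner)
    return results


if __name__ == "__main__":
    srv, port = start_test_listener()
    print(scan("127.0.0.1", range(port - 2, port + 3)))
    srv.close()
```

A connect scan completes the three-way handshake, so it shows up in the target's logs and in firewall logs, which is fine for an authorized assessment and is one reason the "configure firewall logging" item later in these notes matters: the same logs that record the assessment record the real thing.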


Assessment tools
- use a combination of:
commercial tools
freeware
manual processes


Do it yourself or hire someone?
Hire someone:
advantage: experience, better toolkit, assessment will most likely be more comprehensive and timely
disadvantage: Cost

DIY:
advantage: you gain some experience and insight
disadvantage: Cost; you may need to hire someone anyway due to regulatory compliance directives.

- If you do it yourself, make sure to have written buy-in from management all the way up the food-chain. Otherwise you leave yourself vulnerable to criminal prosecution.


What you should get when it's all said and done:
- Make sure deliverables include a vulnerability reduction plan.

-Security gap analysis
- vulnerability reports
- recommendations
--turn this into a vulnerability reduction plan.


VoIP phones (soft phones) are **just as vulnerable** as other TCP/IP devices

Integrate a "holistic" plan approach

- Configure firewall logging
- Device security
- practice robust log management
- monitor voice server integrity (in case of VoIP)
- exercise control over eavesdropping, if possible.

If all fails: find out what went wrong:
- Do forensics

Vulnerability reduction strategy


Remember: Nothing is more expensive than an incident!!


