Doug Vitale Tech Blog

OSSEC, the free and open source IDS

Intrusion detection software monitors network traffic or host activity for malicious actions such as successful or unsuccessful intrusion attempts, hostile traffic (e.g., malicious scans and denial-of-service attacks), unauthorized configuration changes, malware symptoms, and user policy violations. An intrusion detection system (IDS) typically produces reports describing the details of the potentially hazardous activity that generated its alerts. OSSEC is particularly useful in this context for several reasons. First, it is an established, reputable product with a proven track record (OSSEC was first released in 2004 and has been owned by Trend Micro since 2009). Second, it is free and open source. Third, it runs on most modern operating systems: Linux, Windows (Server 2008, Server 2003, 7, Vista, XP, 2000), BSD (FreeBSD, OpenBSD, NetBSD), Unix (Solaris, HP-UX, AIX), and Mac OS X.

One of the key tenets of IT security is to keep intruders from gaining access to your organization’s network. Not only must the network’s edge be hardened to resist a myriad of attacks, but measures must also be in place to detect attackers who have already breached the perimeter. Together these two measures are important steps toward a “defense in depth” security posture, and OSSEC is an effective and affordable option for the detection role.


Intrusion detection systems (IDS) are generally classified as either network-based or host-based. A network-based IDS (NIDS) attempts to discover unauthorized access to a network by analyzing traffic as it flows between nodes for signs of malicious activity. A host-based IDS (HIDS), on the other hand, is designed to detect threats on the hosts where it is installed (on servers, for example). A HIDS monitors local activity (system and application logs, file and registry changes, running processes) and attempts to identify anything hazardous. OSSEC is a HIDS of this kind: it performs log analysis, file integrity checking, rootkit detection and, optionally, active response (for example, blocking an offending IP address). In this respect a HIDS resembles antivirus software, which recognizes certain attack patterns and raises alarms for users and administrators; the difference is that a HIDS works mainly from logs and system state rather than from file signatures.
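To make the log-analysis side of a HIDS concrete, here is an added example (plain Python, not OSSEC’s own rules or code) that runs the classic SSH brute-force correlation over a few constructed auth.log lines: a source IP that fails authentication a threshold number of times inside a sliding time window raises one alert. The log lines, the regular expression, the year assumed for the syslog timestamps and the threshold/window values are all assumptions made for the example.

```python
"""Host-based detection over log lines: flag a source IP that fails SSH
authentication N times inside a sliding time window, the kind of
frequency/timeframe correlation a HIDS applies to auth logs.
Added example in plain Python; the log lines, regex and thresholds are
constructed here and are not OSSEC's own rules or code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log-style lines (syslog timestamps carry no year, so the
# parser assumes one). 203.0.113.9 hammers root; 198.51.100.4 is a normal user.
SAMPLE_LOG = """\
Feb 26 10:00:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Feb 26 10:00:03 host1 sshd[2103]: Failed password for root from 203.0.113.9 port 51130 ssh2
Feb 26 10:00:04 host1 sshd[2105]: Failed password for root from 203.0.113.9 port 51131 ssh2
Feb 26 10:00:05 host1 sshd[2107]: Failed password for root from 203.0.113.9 port 51132 ssh2
Feb 26 10:00:06 host1 sshd[2109]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Feb 26 10:00:07 host1 sshd[2111]: Failed password for root from 203.0.113.9 port 51133 ssh2
Feb 26 10:00:09 host1 sshd[2113]: Failed password for root from 203.0.113.9 port 51134 ssh2
Feb 26 10:00:15 host1 sshd[2115]: Failed password for bob from 198.51.100.4 port 40030 ssh2
Feb 26 10:20:00 host1 sshd[2117]: Failed password for root from 203.0.113.9 port 51140 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+"
)


def parse_failed_login(line, year=2014):
    """Return (timestamp, source_ip, username) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


def detect_bruteforce(lines, threshold=5, window_seconds=120):
    """Sliding-window correlation: one alert per source IP each time it reaches
    `threshold` failures within `window_seconds`. The window is keyed on the
    source address, not the username, so password spraying across many
    accounts from one host still trips the rule."""
    recent = defaultdict(deque)  # src -> (timestamp, user) of failures still inside the window
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # not a failed login (successes, other daemons): ignore
        ts, src, user = parsed
        window = recent[src]
        window.append((ts, user))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()  # age out failures older than the window
        if len(window) >= threshold:
            alerts.append({
                "src": src,
                "count": len(window),
                "users": sorted({u for _, u in window}),
                "first": window[0][0],
                "last": ts,
            })
            window.clear()  # start counting the next burst from zero
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT brute force from {alert['src']}: {alert['count']} failures "
              f"for {alert['users']} between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

Run it and the single alert names 203.0.113.9 with five failures in six seconds; the lone failure from 198.51.100.4 and the stray attempt twenty minutes later never reach the threshold, which is exactly why a timeframe belongs in the rule and not just a raw count.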


Written by Doug Vitale

February 26, 2014 at 4:04 PM

Perform Web-based network queries with these sites

When you want to perform network queries for troubleshooting or data collecting purposes, the standard approach has been to launch a non-graphical command line interface (CLI) in Windows or a shell prompt (such as Bash) in Linux to display the input and output of the commands you use. While this practice is undoubtedly quick and lightweight, the functionality of many networking commands has been replicated on dozens of websites which allow network administrators the same capabilities in graphical, web-based environments.

Nearly all of the networking-related command utilities have been listed and described in this blog. Some of these commands include netstat, nslookup, ping, traceroute, and whois among others. This post will show you the best and most popular websites for using these types of commands in browser-based graphical user interfaces (GUIs). These websites will be listed in alphabetical order based on domain name.

Can You See Me (canyouseeme.org) attempts a connection from the outside to a port on your external (public) IP address and reports whether anything answered. This is the quickest way to confirm that a port-forwarding or firewall rule really exposes a service to the Internet; a probe run from inside your own LAN cannot tell you that, because it never crosses the NAT or the perimeter firewall.
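The check such a site performs is a plain TCP connect with a timeout, classified by how the target responds. The following is an added example in Python (not code from canyouseeme.org or any other site listed here) that implements that probe and demonstrates it offline against a throwaway loopback listener; the state names and the one-second timeout are choices made for the example.

```python
"""TCP port reachability probe, the check that external "can you see me"
services run against your public address. Added example, not code from any
of the sites listed; it uses only the Python standard library."""
import socket


def probe_port(host, port, timeout=3.0):
    """Full TCP connect to host:port and classify the outcome:
    'open'        the handshake completed (something is listening and reachable)
    'closed'      the target answered with a reset (reachable, nothing listening)
    'filtered'    no answer before the timeout (typically a firewall dropping SYNs)
    'unreachable' the local stack could not route to the host at all"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def probe_ports(host, ports, timeout=3.0):
    """Probe several ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def loopback_demo():
    """Offline demonstration: open a throwaway listener on an ephemeral loopback
    port, probe it while it is up, close it, and probe the same port again.
    Returns (port, state_while_listening, state_after_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0 lets the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        while_up = probe_port("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()
    after_close = probe_port("127.0.0.1", port, timeout=1.0)
    return port, while_up, after_close


if __name__ == "__main__":
    port, up, down = loopback_demo()
    print(f"127.0.0.1:{port} while listening: {up}; after close: {down}")
```

The loopback demo only shows the mechanics. A result of 'open' on 127.0.0.1 or on a LAN address says nothing about what the Internet sees, which is the whole reason to run the probe from a host outside your network (or to let a site like Can You See Me run it for you). 'filtered' cannot be shown offline; you get it when a firewall silently drops the SYN instead of answering with a reset.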



Written by Doug Vitale

November 21, 2013 at 2:55 PM

Posted in Useful Web-Based Tools


Using TrueCrypt on Linux and Windows

After numerous revelations this year of the National Security Agency’s (NSA) frightening capabilities of mass spying on phone calls and Internet traffic (see, for example, PRISM), there has been a renewed interest in online privacy and the securing of our electronic data communications, such as Web and email activity. More and more Internet users are looking for solutions to keep their files, emails, and Web searches private. Help is not far off: one of the most effective ways to foil surveillance is by using encryption to make your data unreadable by other parties.

Data can be encrypted in two states: when it is in transit through a communications network, or when it is at rest (i.e., stored on some sort of storage medium, such as the internal hard drive of your PC or an external USB flash drive). This blog has already covered SSH, RetroShare, and the Tor network as options for securing data in transit. Now we will look at TrueCrypt, which at the time of writing was perhaps the most popular solution for encrypting data at rest (its anonymous developers abruptly ended the project in May 2014 with a warning that it may contain unfixed security issues; the VeraCrypt fork continues its development). This article will explain how TrueCrypt works and how you can use it on the two most popular operating systems, Microsoft Windows and Linux.



Written by Doug Vitale

November 18, 2013 at 4:50 PM

Increase online privacy with RetroShare

In a previous article I described how to significantly increase your online privacy with the Tor service. RetroShare is another option for Internet users who want their communications kept private. RetroShare is an application that lets you create private, authenticated connections with trusted individuals of your choice (a peer-to-peer network known as “Friend-2-Friend”, or F2F). Each connection is an SSL/TLS tunnel whose certificate is tied to the peer’s 2048-bit RSA PGP key: the RSA key authenticates the peer, and the bulk traffic is protected by the symmetric cipher the TLS session negotiates. Unlike other P2P file sharing services like BitTorrent and Limewire/Frostwire, which do not let you selectively share your files with certain users, RetroShare’s F2F model allows you to transfer files only with those users to whom you have given your explicit approval.

Once your computer establishes the decentralized F2F connections with your contacts, you can share files, send messages and chat, talk over VoIP, post and read messages in forums, etc. RetroShare encrypts all communications and, because every contact is identified by a PGP key that you have verified and accepted, you can be reasonably sure that the other participants in the F2F network are who they claim to be. RetroShare has the potential to be a completely independent social media venue where users’ private data and files are safe from advertisers, marketers, and other entities (e.g., Facebook, Google) looking to harvest personal information for profit, as well as from entities engaging in surveillance and censorship. Two caveats apply: F2F is private, not anonymous, since your friends (and your ISP) can see the IP addresses you connect to, and the protection only holds if you verify each friend’s key fingerprint out of band before accepting it. How safe is your online activity using RetroShare? As stated before, it uses SSL tunnels authenticated with 2048-bit RSA keys. To get an idea of how hard it would be to crack, this YouTube video should explain it.

Using RetroShare

Luckily, RetroShare is available for many different operating systems (Windows, Mac OS X, Linux, etc.). It is built on top of some very reputable and robust software libraries: GNU Privacy Guard (via GPGME) for the PGP identities and OpenSSL for the encrypted tunnels.

After you download, install, and launch RetroShare you will first be prompted to create your RetroShare identity.


Then you will see the main graphical user interface (GUI) as shown below.


Written by Doug Vitale

July 29, 2013 at 2:49 PM

Important tech organizations IT pros should be familiar with

The technical standards that govern how the Internet and modern computer networks operate are debated and approved by a number of organizations. These organizations exist to ensure the proper functionality and long term feasibility of network transmission methods. IT professionals should be familiar with these organizations, how they operate, and what their specific roles and responsibilities are. After all, it is clearly within our professional purviews to intimately know the standards which dictate how the Internet’s core technologies work. For example, detailed knowledge of IPv4 (and very soon, IPv6) is a must for today’s system and network administrators. But who determines how the IP protocol operates? Who sets the standards regarding networking technologies? Read on to find out.



Written by Doug Vitale

June 3, 2013 at 2:26 PM

Posted in Commentary


IPv6: how and why it enables Internet evolution

Internet Protocol version 6 (IPv6) is the next generation networking protocol that is slated to replace Internet Protocol version 4 (IPv4) as the dominant protocol powering modern computer networks and the global Internet.

The problem with IPv4 is that it was designed and first deployed in the 1970s and 80s, long before anyone had any idea of what the Internet would become (IPv4 is defined in RFC 791, published in 1981). Simply put, IPv4’s ability to support modern Internet traffic is decreasing steadily. The Internet Engineering Task Force (IETF) recognized the potential for a crisis and began work on a successor (then called “IPng”) in the early 1990s; the first IPv6 specification, RFC 1883, was published in December 1995 and was later superseded by RFC 2460 and then RFC 8200.

The rest of this article will assume that you know why the Internet needs to evolve from IPv4 to IPv6. If you do not understand this, please stop reading and view this Youtube video of Vinton Cerf explaining the rationale behind the protocol migration (Cerf is considered one of the “fathers of the Internet”).

The death of IPv4 as a relevant networking protocol was delayed considerably by two addressing-related measures: Network Address Translation (NAT) and Classless Inter-Domain Routing (CIDR). However, given the current and projected growth in human population and the ever expanding number of devices connecting to the Internet, IPv6 is required to accommodate and sustain the necessary expansion of Internet availability and services. For example, two well-known technology growth sectors, mobile devices (e.g., smartphones) and cloud computing, consume public IPv4 addresses at a rate that NAT can only partly offset, and they are therefore major contributors to the exhaustion of the public IPv4 address space.

IPv6 evolution (image source: Wikimedia Commons)

Despite their differences in age, IPv4 and IPv6 do share some characteristics. Both protocols were designed to allow for host identification, host discovery, and optimal routing. They both work at Layer 3 of the OSI networking model and at the internet layer of the TCP/IP networking model. In order for hosts to communicate using IPv4 or IPv6, each must be assigned a unique IP address. IPv6 hosts need the same information as IPv4 hosts to network properly, e.g., they need to know the IP addresses of DNS servers (to translate host names to IP addresses) and default gateways (to reach remote destinations). As in IPv4, IPv6 hosts send packets directly to destinations on the same link (within their own prefix) and hand everything else to the default gateway.

However, as IPv6 was developed from the ground up to be a future-oriented redesign and modernization of the IP structure, IT professionals will notice that it offers many distinct advantages over its aging cousin. Some noteworthy differences are:

  • IP addressing – as described below, IPv6 addresses use a different format and can provide an astonishingly huge address space for network hosts, far larger than what IPv4 can offer.
  • Multicast and broadcast – IPv6 utilizes more multicast traffic while dropping broadcast functionality altogether.
  • Multi-address interfaces – In IPv6, interfaces (such as network interface cards, or NICs) can natively operate using several IP addresses. IPv6 offers improved support for multiple addresses sharing one interface.
  • Automatic IP address assignment – While IPv4 clients can receive address assignments via DHCP, IPv6 hosts are capable of autoconfiguration with stateless address autoconfiguration (SLAAC) via Neighbor Discovery Protocol (NDP). Alternatively, IPv6 hosts can utilize the new DHCPv6 in a manner similar to traditional DHCP.
  • Packet fragmentation – IPv6 routers never fragment packets. Fragmentation is the job of the originating host, which learns the path MTU from the ICMPv6 Packet Too Big messages that routers send back (every IPv6 link must support an MTU of at least 1280 bytes). Blocking all ICMPv6 at a firewall, a habit carried over from IPv4, therefore breaks path MTU discovery and with it large transfers.
  • Checksum – the IPv6 header has no checksum, whereas the IPv4 header does. Every IPv4 router must recompute the header checksum after decrementing the TTL, so dropping it from Layer 3 saves work at each hop; integrity is left to the link-layer CRC and to the transport checksum, which IPv6 makes mandatory even for UDP.
  • Layer 2 (data link) address discovery – while IPv4 uses Address Resolution Protocol (ARP), IPv6 uses ICMPv6-based Neighbor Discovery Protocol (NDP).
  • IPsec – IPsec support is optional in IPv4. The original IPv6 node requirements (RFC 4294) made it mandatory, which is the origin of the often repeated claim that IPv6 “requires” IPsec; RFC 6434 (2011) relaxed this to a SHOULD, and in any case an implemented IPsec stack protects nothing until it is actually configured.
  • IGMP – IPv6 replaces Internet Group Management Protocol (IGMP) with Multicast Listener Discovery (MLD).
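Several of the differences above come down to how an IPv6 host derives addresses on its own. The following added example (written for this page, not taken from any IPv6 implementation) works through the modified EUI-64 interface identifier that classic SLAAC builds from a MAC address, the resulting link-local and global addresses, and the solicited-node multicast group that Neighbor Discovery uses in place of an ARP broadcast. It cross-checks the hand arithmetic against Python’s ipaddress module; the MAC address and the 2001:db8::/32 documentation prefix are made up.

```python
"""IPv6 address derivations behind SLAAC and Neighbor Discovery, done by hand
and cross-checked with the standard library. Added example; the MAC address
and prefix are made up."""
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64: insert ff:fe in the middle of the 48-bit MAC and flip the
    universal/local bit (0x02 of the first octet). Returns a 64-bit integer."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Stateless autoconfiguration: a /64 prefix (from a Router Advertisement or
    fe80::/64 for link-local) combined with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac):
    """Every IPv6 interface configures fe80::/64 + interface ID with no router at all."""
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX with the low 24 bits of the unicast address: the group a
    node joins so that neighbours can resolve its link-layer address with an
    ND Neighbor Solicitation instead of an ARP-style broadcast."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def is_eui64_derived(addr):
    """True when the interface ID carries the ff:fe marker, i.e. the address embeds
    the MAC. Such an address follows the device across networks, which is what the
    RFC 4941 privacy extensions (randomised interface IDs) were introduced to avoid."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed MAC for the demonstration
    ll = link_local_address(mac)
    ga = slaac_address("2001:db8:1:2::/64", mac)
    print("interface ID      :", hex(eui64_interface_id(mac)))
    print("link-local        :", ll)
    print("global (SLAAC)    :", ga)
    print("solicited-node    :", solicited_node_multicast(ll))
    print("embeds MAC?       :", is_eui64_derived(ga))
```

Two things worth noticing when you run it: the same MAC yields the same interface identifier in every prefix, which is the tracking problem that privacy extensions address, and the solicited-node group depends only on the last 24 bits, so neighbours resolving fe80::21a:2bff:fe3c:4d5e and 2001:db8:1:2:21a:2bff:fe3c:4d5e both knock on ff02::1:ff3c:4d5e.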


Written by Doug Vitale

March 28, 2013 at 12:27 AM

Understanding and performing IPv4 subnetting

Subnetting – it’s the subject that IT professionals love to hate. Believe it or not, the frustration that it caused me as a student years ago made me question whether I wanted to go into the information technology (IT) field. Furthermore, with the availability of many subnet calculator programs and subnetting websites, the ability to manually perform subnet calculations may seem superfluous at first. However, a solid understanding of IP subnetting will not only allow IT pros to create appropriately-sized networks in the absence of specialized software and web applications (on paper, for example), but given IP’s foundational role in modern computer networks and the global Internet, it behooves us to keep our comprehension of this protocol sharp. Lastly, if you plan on obtaining a networking certification like the Cisco CCNA, you are just going to have to master the material below.

The purpose of this article will be to thoroughly explain how IP subnetting works and to provide some relevant examples. Therefore a detailed analysis of all the workings of IP, such as packet structures, packet switching, and routing will not be provided. However, we will review what the Internet Protocol (IP) is, how it works, and what purpose it serves on networks. We will focus solely on Internet Protocol version 4 (IPv4) which is the version of IP that has powered the Internet revolution and remains the most widely utilized networking protocol today.

A subnetted network using variously sized subnet masks

Computers must share a common protocol to communicate, and nowadays IP is ubiquitous on nearly all operating systems. So what does IP do? Simply put, IP allows a computer to address and communicate with other hosts that are either on the same logical network or on separate, distinct networks (for instance, networks owned by different organizations such as businesses, universities, and Internet service providers). IP provides for this communication by enabling the routing of data packets between sources and destinations, often through multiple intermediary hosts.
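As a worked companion to the subnetting that follows, here is an added example (written for this page, not from the post) that does the arithmetic the way you would on paper, with 32-bit integers rather than the ipaddress module: AND the address with the mask for the network address, OR it with the inverted mask for the broadcast, and count hosts from the prefix length. It also carves a parent block into variably sized subnets (VLSM, the “variously sized subnet masks” of the figure above) by allocating the largest requirement first. The addresses and host counts are made up.

```python
"""IPv4 subnet arithmetic with plain integers (no ipaddress module), so each step
is the one you would do by hand. Added example; addresses and host counts are
made up."""


def ip_to_int(ip):
    """'192.168.10.77' -> 0xC0A80A4D, validating each octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """/26 -> 0xFFFFFFC0 (255.255.255.192): `prefix` one-bits followed by zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr):
    """Network, broadcast, mask, usable host range and host count for a CIDR block."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip_str) & mask            # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)    # host bits set
    total = 1 << (32 - prefix)
    if prefix <= 30:
        usable = total - 2                        # network and broadcast are not assignable
        first, last = network + 1, broadcast - 1
    else:
        usable = total                            # /31 point-to-point (RFC 3021) and /32 host routes
        first, last = network, broadcast
    return {
        "network": int_to_ip(network),
        "mask": int_to_ip(mask),
        "prefix": prefix,
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
        "usable_hosts": usable,
    }


def vlsm_allocate(parent_cidr, host_counts):
    """Carve variably sized subnets out of `parent_cidr`, largest requirement first
    so each block naturally starts on a multiple of its own size.
    Returns [(hosts_requested, cidr), ...] in allocation order."""
    parent = subnet_info(parent_cidr)
    cursor = ip_to_int(parent["network"])
    end = ip_to_int(parent["broadcast"]) + 1
    allocations = []
    for hosts in sorted(host_counts, reverse=True):
        needed = hosts + 2                        # plus network and broadcast addresses
        bits = (needed - 1).bit_length()          # smallest n with 2**n >= needed
        size = 1 << bits
        if cursor % size:                         # re-align if a smaller block preceded a larger one
            cursor = (cursor // size + 1) * size
        if cursor + size > end:
            raise ValueError(f"{parent_cidr} cannot fit a subnet for {hosts} more hosts")
        allocations.append((hosts, f"{int_to_ip(cursor)}/{32 - bits}"))
        cursor += size
    return allocations


if __name__ == "__main__":
    for key, value in subnet_info("192.168.10.77/26").items():
        print(f"{key:>12}: {value}")
    for hosts, cidr in vlsm_allocate("192.168.10.0/24", [100, 50, 20, 2]):
        print(f"{hosts:>4} hosts -> {cidr}")
```

For 192.168.10.77/26 the script reports network 192.168.10.64, broadcast 192.168.10.127 and 62 usable hosts (.65 through .126); the VLSM call splits 192.168.10.0/24 into a /25, a /26, a /27 and a /30 and refuses requests that do not fit, which is the check a hand calculation most often forgets.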


Written by Doug Vitale

March 5, 2013 at 3:50 PM
