Channel: Brain Book

VIPER IT PRODUCTS

http://viper.pk/viperpk/?page_id=1027

GOOD TO SEE COMPACT IT PRODUCTS FROM VIPER....!

Big performance in a small package
General Specifications:

  • CPU: Intel® Core i3/Celeron
  • Graphics: Intel® HD 4000, dual display support
  • Memory: 2GB DDR3 or more
  • Storage: 30GB SSD or more
  • Size: 4×4 inch
  • Connectivity: 802.11 Wi-Fi
  • Video: HDMI 1.4a, Full HD 1080p
  • Audio Out: HDMI
  • OS: Windows 7 (Windows 8 compatible), Office 2010

Powered by Visibly Smart 3rd generation Intel® Core™ processors (Celeron, Core i3 and Core i5) on a 4 inch x 4 inch motherboard, enclosed in a tiny case. Available in N1, N2 and N3 modules.

    ISO/IEC 27001 DOMAINS

    ISO 27001 DOMAINS CATEGORIZATION

    IBM Security QRadar SIEM

    Security intelligence for protecting assets and information from advanced threats
    IBM® Security QRadar® SIEM consolidates log source event data from thousands of devices, endpoints and applications distributed throughout a network. It performs immediate normalization and correlation on the raw data to distinguish real threats from false positives. As an option, the software incorporates IBM Security X-Force® Threat Intelligence, which supplies a list of potentially malicious IP addresses, including malware hosts, spam sources and other threats. IBM Security QRadar SIEM can also correlate system vulnerabilities with event and network data, helping to prioritize security incidents.

    IBM Security QRadar SIEM:
    Provides near real-time visibility for threat detection and prioritization, delivering surveillance throughout the entire IT infrastructure.
    Reduces and prioritizes alerts to focus investigations on an actionable list of suspected incidents.
    Enables more effective threat management while producing detailed data access and user activity reports to help manage compliance.
    Supports easier, faster installation and includes time-saving tools and features.

    Other IBM security products:
    IBM QRadar Security Intelligence Platform
    IBM Security zSecure Compliance and Auditing
    Tivoli Security Information and Event Manager

    SNORT - IDS

    What is Intrusion Detection?
    Intrusion detection is a set of techniques and methods that are used to detect suspicious activity both at the network and host level.

    Intrusion detection systems fall into two basic categories: signature-based intrusion detection systems and anomaly detection systems. Intrusions have signatures, like computer viruses, that can be detected using software. You try to find data packets that contain known intrusion-related signatures or anomalies in Internet protocols. Based upon a set of signatures and rules, the detection system is able to find and log suspicious activity and generate alerts.

    Anomaly-based intrusion detection usually depends on packet anomalies present in protocol header parts. In some cases these methods produce better results compared to signature-based IDS. Usually an intrusion detection system captures data from the network and applies its rules to that data or detects anomalies in it. Snort is primarily a rule-based IDS, however input plug-ins are present to detect anomalies in protocol headers.

    Snort uses rules stored in text files that can be modified with a text editor. Rules are grouped in categories, and the rules belonging to each category are stored in a separate file. These files are then included in the main configuration file, snort.conf. Snort reads the rules at start-up and builds internal data structures, or chains, to apply them to captured data. Finding signatures and using them in rules is a tricky job, since the more rules you use, the more processing power is required to process captured data in real time. It is important to implement as many signatures as you can using as few rules as possible. Snort comes with a rich set of pre-defined rules to detect intrusion activity, and you are free to add your own rules at will. You can also remove some of the built-in rules to avoid false alarms.

    Some Definitions
    Before we go into details of intrusion detection and Snort, you need to learn some definitions related to security. These definitions will be used in this book repeatedly in the coming chapters. A basic understanding of these terms is necessary to digest other complicated security concepts.

    IDS
    An Intrusion Detection System or IDS is software, hardware or a combination of both used to detect intruder activity. Snort is an open source IDS available to the general public. An IDS may have different capabilities depending upon how complex and sophisticated its components are. IDS appliances that are a combination of hardware and software are available from many companies. As mentioned earlier, an IDS may use signatures, anomaly-based techniques or both.

    Network IDS or NIDS
    NIDS are intrusion detection systems that capture data packets traveling on the network media (cables, wireless) and match them to a database of signatures. Depending upon whether a packet matches an intruder signature, an alert is generated or the packet is logged to a file or database. One major use of Snort is as a NIDS.

    Host IDS or HIDS
    Host-based intrusion detection systems or HIDS are installed as agents on a host. These intrusion detection systems can look into system and application log files to detect any intruder activity. Some of these systems are reactive, meaning that they inform you only when something has happened. Some HIDS are proactive; they can sniff the network traffic coming to a particular host on which the HIDS is installed and alert you in real time.

    Signatures
    A signature is the pattern that you look for inside a data packet. A signature is used to detect one or multiple types of attacks. For example, the presence of “scripts/iisadmin” in a packet going to your web server may indicate intruder activity. Signatures may be present in different parts of a data packet depending upon the nature of the attack. For example, you can find signatures in the IP header, transport layer header (TCP or UDP header) and/or application layer header or payload. You will learn more about signatures later in this book. Usually an IDS depends upon signatures to find out about intruder activity. Some vendor-specific IDS need updates from the vendor to add new signatures when a new type of attack is discovered. In other IDS, like Snort, you can update signatures yourself.
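The rule-and-signature idea described above, as an added example that is not part of the book text or of Snort itself: a minimal Python matcher that parses a subset of Snort rule syntax (header fields, msg, content, nocase, sid) and applies it to constructed packets, one of which carries the scripts/iisadmin string in mixed case so that only a nocase rule catches it. The $HOME_NET value, the sids and the packets are assumptions made for the illustration; real Snort adds preprocessors, fast-pattern matching and flow state on top of this basic idea.

```python
"""Minimal Snort-style signature matcher.

Added illustration, not code from Snort or from the book excerpted above. It
parses a small subset of the Snort rule language:

  action proto src_ip src_port -> dst_ip dst_port (msg:"..."; content:"..."; nocase; sid:N;)

and applies the rules to packets represented as plain dicts, showing how a
payload signature such as "scripts/iisadmin" becomes an alert.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Stand-ins for snort.conf variables ("var HOME_NET 192.168.1.0/24"); hypothetical
# values, matched here by simple string prefix instead of real CIDR arithmetic.
VARS = {"$HOME_NET": "192.168.1.", "$EXTERNAL_NET": "any"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    contents: List[str] = field(default_factory=list)
    nocase: bool = False


RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_rule(text: str) -> Rule:
    """Split a rule into its header fields and its (key:value;) option list."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    action, proto, src, sport, dst, dport, body = m.groups()
    opts: Dict[str, List[str]] = {}
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    return Rule(action, proto.lower(), src, sport, dst, dport,
                msg=opts.get("msg", ["?"])[0], sid=int(opts["sid"][0]),
                contents=opts.get("content", []), nocase="nocase" in opts)


def _addr_ok(pattern: str, addr: str) -> bool:
    pattern = VARS.get(pattern, pattern)
    return pattern == "any" or addr.startswith(pattern)


def _port_ok(pattern: str, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


def match(rule: Rule, pkt: dict) -> bool:
    """True when the header fields and every content: option match the packet."""
    if rule.proto != pkt["proto"]:
        return False
    if not (_addr_ok(rule.src, pkt["src"]) and _port_ok(rule.sport, pkt["sport"])
            and _addr_ok(rule.dst, pkt["dst"]) and _port_ok(rule.dport, pkt["dport"])):
        return False
    payload = pkt["payload"].lower() if rule.nocase else pkt["payload"]
    return all((c.lower() if rule.nocase else c).encode() in payload for c in rule.contents)


def run(rules: List[Rule], packets: List[dict]) -> List[str]:
    """Apply every rule to every packet and return the alerts as text lines."""
    alerts = []
    for pkt in packets:
        for r in rules:
            if match(r, pkt):
                alerts.append(f"[{r.sid}] {r.msg} {pkt['src']}:{pkt['sport']} -> "
                              f"{pkt['dst']}:{pkt['dport']}")
    return alerts


# Constructed rules in Snort syntax; the sids are illustrative, not from the official rule set.
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS iisadmin access"; '
    'content:"scripts/iisadmin"; nocase; sid:1000001;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP anonymous login"; '
    'content:"USER anonymous"; sid:1000002;)',
]]

# Constructed packets: a benign request, one hitting the iisadmin signature (mixed case,
# so only a nocase rule catches it), and an anonymous FTP login.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40001, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40002, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /Scripts/IISADMIN/ism.dll HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.9", "sport": 40003, "dst": "192.168.1.20", "dport": 21,
     "payload": b"USER anonymous\r\n"},
]

if __name__ == "__main__":
    for line in run(RULES, PACKETS):
        print(line)
```

Running the block prints two alerts: the benign GET matches nothing, the mixed-case IISADMIN request matches only because the rule carries nocase, and the FTP packet misses the port-80 rule on its header before the payload is ever inspected, which is the ordering Snort relies on to keep rule processing cheap.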

    Alerts
    Alerts are any sort of user notification of intruder activity. When an IDS detects an intruder, it has to inform the security administrator using alerts. Alerts may be in the form of pop-up windows, logging to a console, sending e-mail and so on. Alerts are also stored in log files or databases where they can be viewed later on by security experts. You will find detailed information about alerts later in this book. Snort can generate alerts in many forms, controlled by output plug-ins. Snort can also send the same alert to multiple destinations. For example, it is possible to log alerts into a database and generate SNMP traps simultaneously. Some plug-ins can also modify the firewall configuration so that offending hosts are blocked at the firewall or router level.

    Logs
    The log messages are usually saved in file. By default Snort saves these messages under /var/log/snort directory. However, the location of log messages can be changed using the command line switch when starting Snort. Log messages can be saved either in text or binary format. The binary files can be viewed later on using Snort or tcpdump program. A new tool called Barnyard is also available now to analyze binary log files generated by Snort. Logging in binary format is faster because it saves some formatting overhead. In high-speed Snort implementations, logging in binary mode is necessary.

    False Alarms
    False alarms are alerts generated due to an indication that is not an intruder activity. For example, misconfigured internal hosts may sometimes broadcast messages that trigger a rule resulting in generation of a false alert. Some routers, like Linksys home routers, generate lots of UPnP related alerts. To avoid false alarms, you have to modify and tune different default rules. In some cases you may need to disable some of the rules to avoid false alarms.

    Sensor
    The machine on which an intrusion detection system is running is also called the sensor in the literature, because it is used to “sense” the network. Later in this book, if the word sensor is used, it refers to a computer or other device where Snort is running.

    Where IDS Should be Placed in Network Topology
    Depending upon your network topology, you may want to position intrusion detection systems at one or more places. It also depends upon what type of intrusion activities you want to detect: internal, external or both. For example, if you want to detect only external intrusion activities, and you have only one router connecting to the Internet, the best place for an intrusion detection system may be just inside the router or firewall. If you have multiple paths to the Internet, you may want to place one IDS box at every entry point. However, if you want to detect internal threats as well, you may want to place a box in every network segment. In many cases you don’t need intrusion detection in all network segments and may want to limit it to sensitive network areas. Note that more intrusion detection systems mean more work and more maintenance costs. Your decision really depends upon your security policy, which defines what you really want to protect from hackers. The figure below shows typical locations where you can place an intrusion detection system.

    Typical locations for an intrusion detection system.

    Honey Pots
    Honey pots are systems used to lure hackers by deliberately exposing known vulnerabilities. Once a hacker finds a honey pot, it is more likely that the hacker will stick around for some time. During this time you can log hacker activities to find out his/her actions and techniques. Once you know these techniques, you can use this information later on to harden security on your actual servers.

    There are different ways to build and place honey pots. The honey pot should have common services running on it, such as a Telnet server (port 23), a Hyper Text Transfer Protocol (HTTP) server (port 80), a File Transfer Protocol (FTP) server (port 21) and so on. You should place the honey pot somewhere close to your production servers so that hackers can easily take it for a real server. For example, if your production servers have Internet Protocol (IP) addresses 192.168.10.21 and 192.168.10.23, you can assign the IP address 192.168.10.22 to the honey pot. You can also configure your firewall and/or router to redirect traffic on some ports to a honey pot, where the intruder thinks that he/she is connecting to a real server. You should be careful in creating an alert mechanism so that when your honey pot is compromised, you are notified immediately. It is a good idea to keep log files on some other machine so that when the honey pot is compromised, the hacker does not have the ability to delete these files.

    APACHE HADOOP

    Apache™ Hadoop® project develops open-source software for reliable, scalable, distributed computing.

    The Apache Hadoop software library is a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage. Rather than rely on hardware to deliver high-availability, the library itself is designed to detect and handle failures at the application layer, so delivering a highly-available service on top of a cluster of computers, each of which may be prone to failures.
    The project includes these modules:
    • Hadoop Common: The common utilities that support the other Hadoop modules.
    • Hadoop Distributed File System (HDFS™): A distributed file system that provides high-throughput access to application data.
    • Hadoop YARN: A framework for job scheduling and cluster resource management.
    • Hadoop MapReduce: A YARN-based system for parallel processing of large data sets.
    Other Hadoop-related projects at Apache include:
    • Ambari™: A web-based tool for provisioning, managing and monitoring Apache Hadoop clusters, with support for Hadoop HDFS, Hadoop MapReduce, Hive, HCatalog, HBase, ZooKeeper, Oozie, Pig and Sqoop. Ambari also provides a dashboard for viewing cluster health (such as heatmaps) and the ability to view MapReduce, Pig and Hive applications visually, along with features to diagnose their performance characteristics in a user-friendly manner.
    • Avro™: A data serialization system.
    • Cassandra™: A scalable multi-master database with no single points of failure.
    • Chukwa™: A data collection system for managing large distributed systems.
    • HBase™: A scalable, distributed database that supports structured data storage for large tables.
    • Hive™: A data warehouse infrastructure that provides data summarization and ad hoc querying.
    • Mahout™: A scalable machine learning and data mining library.
    • Pig™: A high-level data-flow language and execution framework for parallel computation.
    • ZooKeeper™: A high-performance coordination service for distributed applications. 

    EVENTUM - INSTALLATION AND CONFIGURATION

    Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs. 

    System Requirements:
    1. A web server capable of running PHP scripts (e.g. Apache HTTP Server)
    2. PHP 5.1.0 or newer with the following extensions:
       • PCRE
       • Session handling enabled
       • MySQL
       • GD
       • IMAP (c-client imap library)
       • gettext support, if you want to use localization
    3. An SMTP and POP server for email support
    4. MySQL Database Server (available from the MySQL download page)
    Download Eventum from below Link
    http://dev.mysql.com/downloads/other/eventum/


    All you should have to do is place the Eventum files in a directory that is viewable from the web and open it in your browser, for example:

    http://yourserver.com/eventum/

    Eventum should redirect you to the installation screen and will try to guess some of the required parameters, such as the path on the server.

    If Eventum's installation script finds that it needs a few directories or permissions changed, it will print the warnings before actually displaying the installation screen. Just fix what it says is wrong/missing and everything should go well.

    After the installation is done, remove all web-accessible permissions from the 'setup' directory (or remove the directory altogether), so other people are not able to go in there and alter your configuration.

    IMPORTANT: By default, the admin user login is set to admin@example.com during installation. Be sure to change this to a valid email address with a new password immediately. Note that Eventum will attempt to send the new password to the specified address, which must be valid so that the password is not exposed if the email bounces.

    HYPER-V - FREE CERTIFICATION

    MICROSOFT HYPER-V CERTIFICATION IS FREE (WITH VOUCHER) TILL JUNE 2014

    Follow the link below:
    http://www.virtualizationsquared.com/#section-intro

    Create your account and complete the Hyper-V training; you can then get a voucher from that account.

    Once you are prepared for Hyper-V, register with Prometric and book your exam with the voucher.

    SE-TOOLKIT CAN'T UPGRADE

    Upgrading se-toolkit fails with:
    social engineering svn 'http://svn.trustedesec.com/social_engineering_toolkit' path not found
    error processing se-toolkit

    se-toolkit was moved from svn to git.

    Edit /var/lib/dpkg/info/se-toolkit.postinst (for example with vi), comment out the svn line and add:
    git clone https://github.com/trustedsec/social-engineer-toolkit/ set/

    Now you can upgrade.

    IDENTIFY PHISHING EMAIL

    SECURE YOUR DEVICE

    NTP DDos ATTACK


    Overview

    UDP protocols such as NTP can be abused to amplify denial-of-service attack traffic. Servers running the network time protocol (NTP) based on implementations of ntpd prior to version 4.2.7p26 that use the default unrestricted query configuration are susceptible to a reflected denial-of-service (DRDoS) attack. Other proprietary NTP implementations may also be affected.

    Description

    This attack is similar in scope to DNS amplification attacks. In a reflected denial-of-service attack, the attacker spoofs the source address of the attack traffic, replacing it with the target's address, so that the server's replies are delivered to the target. Certain NTP control messages provide significant bandwidth amplification factors (BAF).

    NTP is designed for time synchronization, and may also implement other features such as server administration, maintenance and monitoring. NTP relies on the user datagram protocol (UDP) to send and receive messages, and UDP does not validate the source IP address of the sender. The NTP DRDoS attack is similar to the reflective DoS attacks used against open DNS resolvers. The attacker sends a request with the victim's IP as the source address. The NTP server replies to this request, but the response is many times larger than the request, resulting in a denial of service on the victim. The two message types with the largest factors, REQ_MON_GETLIST and REQ_MON_GETLIST_1 (the mode 7 private-mode requests behind ntpdc's monlist command), amplify the original request by up to 3660 and 5500 respectively. This bandwidth amplification factor (BAF) is the ratio of UDP payload bytes sent by the server to the UDP payload bytes of the request. Other message types can also be used in this attack, but REQ_MON_GETLIST and REQ_MON_GETLIST_1 create the biggest impact.
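The REQ_MON_GETLIST_1 exchange and the BAF arithmetic, as an added example that is not part of the advisory or of the NTP project's code: it builds the 8-byte mode 7 request, decodes the mode 7 header that ntpdc receives back, and computes the amplification factor over a constructed reply stream. With the monitor list full (600 entries, six per 440-byte datagram) the 100 replies total 44,000 bytes, which is the factor of 5500 quoted above. The datagram layout follows ntpd's mode 7 header format; the 600-entry list size is an assumption chosen to reproduce that figure. Nothing here sends traffic.

```python
"""Mode 7 (ntpd "private") request construction and amplification accounting.

Added illustration; not code from the NTP project or the advisory, and it
sends no traffic. The reply stream is constructed to mirror what a
pre-4.2.7p26 ntpd with a full monitor list returns to an 8-byte
REQ_MON_GETLIST_1 request: 100 datagrams of 440 bytes each.
"""
import struct
from typing import List, Tuple

NTP_VERSION = 2            # version field ntpdc puts in private-mode requests
MODE_PRIVATE = 7
IMPL_XNTPD = 3             # implementation number used by ntpd
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
MON_ENTRY_SIZE = 72        # one monlist entry in a REQ_MON_GETLIST_1 reply
ENTRIES_PER_DGRAM = 6      # 8-byte header + 6 * 72 = 440 bytes per reply datagram
MAX_ENTRIES = 600          # assumed size of a full monitor list (gives the 5500x figure)
# Header: flags/version/mode, auth/sequence, implementation, request code,
# err(4 bits)+nitems(12 bits), mbz(4 bits)+item size(12 bits)
HDR = struct.Struct("!BBBBHH")


def build_request(req_code: int = REQ_MON_GETLIST_1) -> bytes:
    """The 8-byte request an attacker spoofs toward a vulnerable server."""
    byte0 = (NTP_VERSION << 3) | MODE_PRIVATE      # response=0, more=0
    return HDR.pack(byte0, 0, IMPL_XNTPD, req_code, 0, 0)


def parse_header(dgram: bytes) -> dict:
    """Decode a mode 7 header; raises if the datagram is some other NTP mode."""
    b0, b1, impl, req, err_nitems, mbz_size = HDR.unpack_from(dgram)
    if b0 & 0x07 != MODE_PRIVATE:
        raise ValueError("not a mode 7 datagram")
    return {
        "response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
        "version": (b0 >> 3) & 0x07, "sequence": b1 & 0x7F,
        "implementation": impl, "request_code": req,
        "error": err_nitems >> 12, "nitems": err_nitems & 0x0FFF,
        "item_size": mbz_size & 0x0FFF,
    }


def build_response_stream(n_entries: int) -> List[bytes]:
    """Constructed reply stream from a server with monitoring enabled."""
    out, seq, left = [], 0, min(n_entries, MAX_ENTRIES)
    while left > 0:
        n = min(ENTRIES_PER_DGRAM, left)
        left -= n
        # response bit always set; "more" bit set on every datagram but the last
        byte0 = 0x80 | (0x40 if left else 0) | (NTP_VERSION << 3) | MODE_PRIVATE
        hdr = HDR.pack(byte0, seq, IMPL_XNTPD, REQ_MON_GETLIST_1, n, MON_ENTRY_SIZE)
        out.append(hdr + b"\x00" * (n * MON_ENTRY_SIZE))  # entry bodies zero-filled here
        seq += 1
    return out


def monlist_enabled(first_reply: bytes) -> bool:
    """A vulnerable server answers with the response bit set, no error and >0 entries."""
    h = parse_header(first_reply)
    return (h["response"] and h["request_code"] == REQ_MON_GETLIST_1
            and h["error"] == 0 and h["nitems"] > 0)


def amplification(request: bytes, responses: List[bytes]) -> Tuple[int, float]:
    """(total reply payload bytes, BAF): UDP payload bytes sent by the server
    divided by UDP payload bytes of the request, as the advisory defines it."""
    total = sum(len(r) for r in responses)
    return total, total / len(request)


if __name__ == "__main__":
    req = build_request()
    replies = build_response_stream(MAX_ENTRIES)
    total, baf = amplification(req, replies)
    print(f"request {len(req)} bytes -> {len(replies)} replies, {total} bytes, BAF {baf:.0f}")
```

The same header decoder is what you would apply to a real reply when checking your own servers: a response with error 0 and a non-zero item count means monlist is still answering, which is the condition the ntpdc checks further down test for.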

    Impact

    An unauthenticated remote attacker may leverage the vulnerable NTP server to conduct a distributed reflective denial-of-service (DRDoS) attack on another user.

    Solution

    Apply an Update
    Affected users are advised to update to ntpd versions 4.2.7p26 and greater.

    ntpd version 4.2.7p26 disables REQ_MON_GETLIST and REQ_MON_GETLIST_1, removing the two most significant BAF control messages.

    The 4.2.6.x and earlier production branches are still vulnerable to this attack, however.

    If an update is not possible, please consider one or more of the following workarounds.

    Check if the amplified responses are enabled
    Entering the following commands can help users verify whether the REQ_MON_GETLIST and REQ_MON_GETLIST_1 responses of NTP are currently enabled:

    ntpq -c rv
    ntpdc -c sysinfo
    ntpdc -n -c monlist

    These commands only verify if the specified functions are enabled. If they are enabled, implement at least one of the following:

    Perform Egress Filtering
    Configure your router/firewall to perform egress filtering, which may help to mitigate attacks that utilize source IP spoofing. Please refer to your product's documentation for instructions on how to perform egress filtering.

    Disable status queries or restrict access
    The ntpd status query features provided by ntpq/ntpdc reveal some information about the system running ntpd (e.g. OS version, ntpd version) that you may not want others to know. Disabling them also reduces the likelihood of this vulnerability being exploited. If the NTP implementation is vulnerable, adding the following lines to your ntp.conf file restricts informational queries to authorized recipients only:
      IPv4: restrict default kod nomodify notrap nopeer noquery
      IPv6: restrict -6 default kod nomodify notrap nopeer noquery
    Please note that a restart of the ntpd service is required for changes to take effect.

    It is also possible to restrict access per network segment (be sure to modify line 3 to match your LAN settings) and per host (line 4):
      restrict default noquery
      restrict localhost
      restrict 192.168.0.0 netmask 255.255.0.0
      restrict 192.168.1.27
    Please note that a restart of the ntpd service is required for changes to take effect. Please also note that the ntpq/ntpdc query capabilities provide useful QA and debugging information; disabling these queries comes with a cost.

    VMWARE PLAYER ERROR

    ERROR WHILE POWERING ON: INTERNAL ERROR

    Open Control Panel --> Administrative Tools --> Services
    Start the "VMware Authorization Service" and set its startup type to "Automatic"


    QRadar SIEM ARCHITECTURE

    QRADAR QLABS SIEM ARCHITECTURE
    QRADAR SIEM APPLIANCES ARCHITECTURE

    QRadar SIEM (Security Information & Event Management) collects information that includes:

    1. Security events: Events from firewalls, virtual private networks, intrusion detection systems, intrusion prevention systems and more
    2. Network events: Events from switches, routers, servers, hosts and more
    3. Network activity context: Layer 7 application context from network and application traffic
    4. User or asset context: Contextual data from identity and access-management products and vulnerability scanners
    5. Operating system information: Vendor name and version number specifics for network assets
    6. Application logs: Enterprise resource planning (ERP), workflow, application databases, management platforms and more

    QRadar 2000 Series Appliance
    All in One
    Small/Medium Business/Enterprises
    Sold Only Through Channel

    Features:
    15,000 Flows
    200 EPS
    250 Log Sources
    Built in QFlow Collector for low utilized links
    Supports SPAN Connection and Accepts 3rd Party Flows
    QRadar 2100 Appliance
    All in One
    Small/Medium Enterprises 

    Features:
    25,000 Flows Base (Option for 50K)
    1000 EPS
    750 Log Sources
    Onboard QFlow for SPAN or Tap
    Supports distributed QFlow Collectors
    2 TB of Storage

    QRadar 31xx Series Appliance
    QRadar server
    Medium/Large enterprises

    Features:
    Base: 1K EPS and 25K flows
    Upgrade options up to 5K EPS and 200K flows
    750 Log Sources
    Embedded support for NetFlow and JFlow
    For Layer 7 requires external QFlow collectors
    Upgradable to 3100 Console through use of 1601 or 1701 Processors and upgrade processor appliance
    Dedicated Storage for All Data
    3100: 3TB
    3105: 6TB
    3124: 16TB


    QRadar 31xx Appliance (dedicated console)
    Large enterprise environment 
    Scales above 5K EPS and supports distributed processors 

    Features: 
    Console dedicated to managing distributed or large QRadar deployments. 
    Processing and analysis of offenses
    Report and view generation
    Requires 16XX or 17XX
    Dedicated Storage for offenses, reporting, saved searches
    3100 Console: 3TB
    3105 Console: 6TB
    3124 Console: 16TB



    QRadar Distributed Architecture


    QRadar 16xx Event Processor 
    Scalable or Distributed Log Collection for large enterprises
    Sold with 31XX Console

    Features:
    2500 EPS base
    Upgrade options up to 10K EPS (20K for 1605/1624)
    Dedicated Storage
    1601-3TB
    1605-6TB
    1624-16TB

    QRadar 1701 Flow Processor
    Sold with 3100 Distributed Console
    Distributed Environments
    Supports NetFlow directly
    Supports QFlow Collectors

    Features:
    100K flows base
    Upgrade options up to 600K flows
    Dedicated Storage
    1701: 3TB
    1724: 16TB


    QRadar 1801 Event & Flow Processor
    Scalable or Distributed Log  and Flow Collection for enterprises
    Supports NetFlow directly
    Supports QFlow Collectors
    Sold with 3100 Console

    Features:
    1000 EPS
    25,000 Flows per minute
    Optional upgrade to 50,000 flows
    2 TB of onboard storage

    SSD Vs HDD Comparison

    Power Draw / Battery Life
      SSD: Less power draw, averaging 2 – 3 watts, giving a battery boost of 30+ minutes
      HDD: More power draw, averaging 6 – 7 watts, so it uses more battery
    Cost
      SSD: Expensive, about $1.00 per gigabyte (based on buying a 240GB drive)
      HDD: Only around $0.075 per gigabyte, very cheap (buying a 4TB model)
    Capacity
      SSD: Typically not larger than 512GB for notebook-size drives
      HDD: Typically 500GB – 2TB for notebook-size drives
    Operating System Boot Time
      SSD: Around 22 seconds average
      HDD: Around 40 seconds average
    Noise
      SSD: No moving parts and therefore no sound
      HDD: Audible clicks and spinning can be heard
    Vibration
      SSD: No vibration, as there are no moving parts
      HDD: The spinning platters can sometimes cause vibration
    Heat Produced
      SSD: Lower power draw and no moving parts, so little heat is produced
      HDD: Does not produce much heat, but measurably more than an SSD because of moving parts and higher power draw
    Failure Rate
      SSD: Mean time between failures of 2.0 million hours
      HDD: Mean time between failures of 1.5 million hours
    File Copy / Write Speed
      SSD: Generally above 200 MB/s and up to 500 MB/s for cutting-edge drives
      HDD: Anywhere from 50 – 120 MB/s
    Encryption
      SSD: Full Disk Encryption (FDE) supported on some models
      HDD: Full Disk Encryption (FDE) supported on some models
    File Opening Speed
      SSD: Up to 30% faster than HDD
      HDD: Slower than SSD
    Magnetism Affected?
      SSD: Safe from any effects of magnetism (which also means degaussing is not a usable sanitization method for SSDs)
      HDD: Magnets can erase data

    SAN Vs NAS Comparison

    The primary difference between NAS and SAN solutions is the type of access protocol. NAS protocols such as NFS and CIFS provide shared file-level access to storage resources, and the file system is managed by the NAS device. SAN protocols such as iSCSI and Fibre Channel provide block-level access to storage resources; block devices are accessed by servers via the SAN, and the servers manage the file system.

    Connectivity
      NAS: Almost any machine that can connect to the LAN (or reaches it through a WAN) can use NFS, CIFS or HTTP to connect to a NAS and share files.
      SAN: Only server-class devices with SCSI or Fibre Channel can connect to the SAN. Fibre Channel has a distance limit of around 10km at best.
    Addressing
      NAS: Identifies data by file name and byte offsets, transfers file data or file metadata (owner, permissions, creation date, etc.), and handles security, user authentication and file locking.
      SAN: Addresses data by disk block number and transfers raw disk blocks.
    Sharing
      NAS: Allows greater sharing of information, especially between disparate operating systems such as Unix and NT.
      SAN: File sharing is operating-system dependent and does not exist in many operating systems.
    File system
      NAS: Managed by the NAS head unit.
      SAN: Managed by the servers.
    Backups and mirrors
      NAS: Done on files, not blocks (using features like NetApp's Snapshots), saving bandwidth and time. A Snapshot can be tiny compared to its source volume.
      SAN: Require a block-by-block copy, even if blocks are empty. A mirror machine must be equal to or greater in capacity than the source volume.

    PCoIP (PC over IP)

    PCoIP
    PCoIP is a high-performance display protocol purpose-built to deliver virtual desktops and to give end users a rich desktop experience regardless of task or location. With PCoIP, the entire computing experience is compressed, encrypted and encoded in the datacenter before being transmitted across a standard IP network to PCoIP-enabled endpoint devices.

    The software implementation of PCoIP uses TCP and UDP on port 50002. The TCP port is used for session establishment and control, while the UDP port carries the display, media and streaming content for optimal performance. The PCoIP protocol can tolerate high latency and low bandwidth and still deliver a responsive desktop experience. The adaptive network management functions within the protocol handle quality-of-service controls and configuration. The display stream is encrypted with 128-bit AES; the hardware implementation can use AES or Salsa20.

    Essential features of PCoIP:
    Host rendering
    Host rendering preserves the PC environment, so that applications perform as they should. Once the image is rendered on the host, the PCoIP protocol broadcasts just the encrypted pixels (not the data) across the network to the client which makes it possible to have stateless, decode-only client devices - true zero clients - with all the benefits they bring such as low maintenance, increased security, and cost savings.

    Multi-codec display processing
    Intelligent image decomposition and optimized image encoding using multiple codecs enables efficient transmission and decoding, and saves bandwidth. PCoIP codecs also build every pixel to a lossless state once it stops changing, to ensure a pixel-perfect image regardless of network limitations.

    Dynamically adapting to network conditions
    Because PCoIP protocol doesn’t transfer data files, just the pixels themselves, it makes sense to use a real-time protocol to ensure a responsive, interactive remote user experience. For that reason the PCoIP technology uses UDP, the same protocol as Voice over IP and IPTV, to reduce bandwidth requirements and deliver the best interactive user experience for the network bandwidth that’s available.

    ZERO CLIENT (UTC-ULTRA THIN CLIENT)

    ZERO CLIENT (UTC - Ultra Thin Client)
    A zero-client is an I/O redirector device that allows peripheral devices to be deployed at the desired point of service without a dedicated PC or thin client at that same location. 


    Zero-clients are network-based and contain interfaces for a variety of peripheral device types including VGA and other video monitor interfaces, serial, USB and optionally others such as audio or PS/2. The zero-client contains network protocols, allowing each of these interface types to be supported over a wired or wireless IP network without a local PC or thin client. They are connected over the network to applications running on a PC or server elsewhere on the IP network.

    Zero-clients may run in two modes: standard remote device mode or terminal emulation mode. Remote device mode allows remote peripherals to connect to applications running on PCs elsewhere on the network.

    Terminal emulation mode allows the zero-client and standard devices such as printers and keyboards to replace legacy terminals.

    NIKTO2 INSTALLATION & USAGE

    NIKTO2
    Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. 


    Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

    NOTE:
    Perl must be installed on the system to run Nikto.

    ## Download Nikto2 from the link below
    http://www.cirt.net/Nikto2

    ## Extract the archive and change into the Nikto directory
    tar -xzvf nikto-2.1.5.tar.gz
    cd nikto-2.1.5

    ## Scan a host on the default web port (80)
    perl nikto.pl -h 172.16.10.10

    ## Scan a host on an alternative port (8080)
    perl nikto.pl -h 172.16.10.10:8080


    Features:
    Here are some of the major features of Nikto.

    • SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's
      Perl/NetSSL)
    • Full HTTP proxy support
    • Checks for outdated server components
    • Save reports in plain text, XML, HTML, NBE or CSV
    • Template engine to easily customize reports
    • Scan multiple ports on a server, or multiple servers via input file (including nmap output)
    • LibWhisker's IDS encoding techniques
    • Easily updated via command line
    • Identifies installed software via headers, favicons and files
    • Host authentication with Basic and NTLM
    • Subdomain guessing
    • Apache and cgiwrap username enumeration
    • Mutation techniques to "fish" for content on web servers
    • Scan tuning to include or exclude entire classes of vulnerability
      checks
    • Guess credentials for authorization realms (including many default id/pw combos)
    • Authorization guessing handles any directory, not just the root
      directory
    • Enhanced false positive reduction via multiple methods: headers,
      page content, and content hashing
    • Reports "unusual" headers seen
    • Interactive status, pause and changes to verbosity settings
    • Save full request/response for positive tests
    • Replay saved positive requests
    • Maximum execution time per target
    • Auto-pause at a specified time
    • Checks for common "parking" sites
    • Logging to Metasploit

    EMAIL SYSTEM ARCHITECTURE WITH ACTIVE DIRECTORY

    EMAIL SYSTEM ARCHITECTURE WITH AD & CYRUS-IMAP
    The Cyrus-IMAP package has proven robust and suitable for large deployments. It differs from other Maildir or mbox IMAP servers in that it is intended to run as a “sealed” mailbox server—the Cyrus mailbox database is stored in parts of the filesystem that are private to the Cyrus-IMAP system. More importantly, a multiple-server setup using Cyrus Murder aggregation is supported. It scales out the system load by using multiple front-end IMAP proxies to direct IMAP/POP3 traffic to multiple back-end mail store nodes.
    • Instead of using a separate directory service (such as OpenLDAP) for user authentication, this design integrates user identities with Windows Active Directory (AD).
    • Rather than using an LDAP server to store user e-mail routing settings, this design uses a relational database to store them.
    • In the mail store setup, instead of an active-passive high-availability cluster, this design deploys the Cyrus Murder aggregator. Both the MTA and the Cyrus proxy functions run on the front-end mail hub nodes.
    The design principle of the new e-mail system is to scale out from a single, monolithic architecture to multiple nodes sharing the same processing load. In a large e-mail environment, scaling out the front-end MTA system is considerably easier compared with scaling out the back-end mail store. As the front-end nodes are essentially data-less, using DNS or IP-based load balancing on multiple front-end servers is a typical practice. However, the same technique cannot be applied to design the back-end mail store where the user data resides. Without clustering, shared storage or additional software components (such as a proxy server), multiple mail store servers cannot share the same IMAP/POP3 process load under a unified service namespace. Because of this, using a single mail store server tends to be an obvious solution. However, one node usually implies elevated server hardware expenses when more powerful server hardware needs to be purchased to accommodate the ever-increasing system load. The price of a mid-range server with four CPUs is usually much higher than the total price of three or more entry-class servers. Furthermore, a single-node architecture reduces system scalability and creates a single point of failure.

    EMAIL SYSTEM ARCHITECTURE WITH CYRUS-PROXY
    Two Cyrus back-end servers are set up, each handling half the user population. Two Postfix MTA front-end nodes are designated to serve the proxy functions. When e-mail clients connect through SMTP/IMAP/POP3 to the front-end servers, the Cyrus proxy service communicates with the Cyrus master node using the MUPDATE protocol to learn which Cyrus back-end node stores e-mail for the current client. Furthermore, the back-end Cyrus nodes notify the master node about mailbox changes (creating, deleting and renaming mailboxes or IMAP folders) so that the master always holds the most current mailbox location information. The master node replicates these changes to the front-end proxy nodes, which direct the incoming IMAP/POP3/LMTP traffic accordingly; the MUPDATE protocol carries these mailbox location changes as well.

    Although it is not a fully redundant solution (the master node is still a single point of failure), and half of the users will suffer an outage if either back-end node is down, the aggregator setup divides the IMAP processing load across multiple servers, each taking 50% of the load. As a result of this division of labor, the mail store is now scalable to multiple servers and can handle a growing user population and increasing disk usage. More back-end Cyrus nodes can join the aggregator to scale the system further.
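    The mailbox-location exchange described above (back-ends report changes to the master, the master pushes them to the front-end proxies, the proxies route clients) is easier to reason about with a small model. The Python below is an added illustration written for this page; it is not Cyrus code and not a MUPDATE implementation. The push messages are shaped after MUPDATE's "* MAILBOX name server" and "* DELETE name" notifications but carry no ACL field, and the node names (mailhub1, store1, user.alice and so on) are constructed. The `online` flag on the master is a hypothetical switch used only to show the single-point-of-failure property the paragraph above mentions: when the master is down the proxies keep routing from their replicated copy, but no mailbox change can be recorded.

```python
from __future__ import annotations


class MasterUnavailable(RuntimeError):
    """Raised when a mailbox change is attempted while the MUPDATE master is down."""


class MupdateMaster:
    """The single authoritative mailbox-location database (hypothetical model)."""

    def __init__(self) -> None:
        self.locations: dict[str, str] = {}   # mailbox name -> back-end node
        self.subscribers: list[FrontendProxy] = []
        self.online = True                    # hypothetical switch for the demo

    def subscribe(self, proxy: FrontendProxy) -> None:
        # A front-end that connects receives the full current map (like MUPDATE LIST).
        self.subscribers.append(proxy)
        for mailbox, backend in self.locations.items():
            proxy.receive(f"* MAILBOX {mailbox} {backend}")

    def activate(self, mailbox: str, backend: str) -> None:
        self._require_online()
        self.locations[mailbox] = backend
        self._push(f"* MAILBOX {mailbox} {backend}")

    def delete(self, mailbox: str) -> None:
        self._require_online()
        self.locations.pop(mailbox, None)
        self._push(f"* DELETE {mailbox}")

    def _require_online(self) -> None:
        if not self.online:
            raise MasterUnavailable("MUPDATE master is down; mailbox change cannot be recorded")

    def _push(self, message: str) -> None:
        for proxy in self.subscribers:        # replicate to every front-end
            proxy.receive(message)


class Backend:
    """A Cyrus mail store node; it reports every mailbox change to the master."""

    def __init__(self, name: str, master: MupdateMaster) -> None:
        self.name, self.master = name, master
        self.mailboxes: set[str] = set()

    def create_mailbox(self, mailbox: str) -> None:
        self.master.activate(mailbox, self.name)   # fails first if the master is down
        self.mailboxes.add(mailbox)

    def rename_mailbox(self, old: str, new: str) -> None:
        self.master.delete(old)
        self.master.activate(new, self.name)
        self.mailboxes.remove(old)
        self.mailboxes.add(new)


class FrontendProxy:
    """A front-end mail hub; routes IMAP/POP3/LMTP from its replicated copy of the map."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.cache: dict[str, str] = {}
        self.log: list[str] = []     # every push received, kept for inspection

    def receive(self, message: str) -> None:
        self.log.append(message)
        parts = message.split()
        if parts[1] == "MAILBOX":
            self.cache[parts[2]] = parts[3]
        elif parts[1] == "DELETE":
            self.cache.pop(parts[2], None)

    def route(self, mailbox: str) -> str | None:
        """Back-end the client is forwarded to, or None if the mailbox is unknown."""
        return self.cache.get(mailbox)


def build_topology():
    """Two hubs, one master, two back-ends each holding half the users (constructed names)."""
    master = MupdateMaster()
    hubs = (FrontendProxy("mailhub1"), FrontendProxy("mailhub2"))
    for hub in hubs:
        master.subscribe(hub)
    stores = (Backend("store1", master), Backend("store2", master))
    stores[0].create_mailbox("user.alice")
    stores[1].create_mailbox("user.bob")
    return master, hubs, stores


if __name__ == "__main__":
    master, (hub1, hub2), (store1, store2) = build_topology()
    print("alice ->", hub1.route("user.alice"), "| bob ->", hub2.route("user.bob"))
    store1.rename_mailbox("user.alice", "user.alice.archive")
    print("after rename:", hub2.route("user.alice"), hub2.route("user.alice.archive"))
    master.online = False
    print("master down, bob still routed ->", hub1.route("user.bob"))
```

    Running the script shows both hubs learning the same map from the master, a rename on one back-end propagating to a hub that never spoke to that back-end, and routing continuing from the cached map once the master is marked offline.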

    WEB SECURITY SCANNING TOOLS

    Scanning websites is an entirely different ballgame from network scans. In the case of websites, the scope of the scan ranges from Layer 2 to 7, considering the intrusiveness of the latest vulnerabilities. The correct approach for scanning websites starts from Web-level access, right up to scanning all backend components such as databases. While most Web security scanners are automated, there could be a need for manual scripting, based on the situation.

    Nikto (http://www.cirt.net/Nikto2)
    Let’s start with this tool because of its feature set. This open source tool is widely used to scan websites, mainly because it supports HTTP and HTTPS, and also provides findings in an interactive fashion. Nikto can crawl a website just the way a human would, and that too in the least amount of time. It uses a technique called mutation, whereby it creates combinations of various HTTP tests together to form an attack, based on the Web server configuration and the hosted code.

    Thus, it finds critical loopholes such as file upload misconfiguration, improper cookie handling, cross-site scripting errors, etc. Nikto dumps all findings in a verbose mode, which helps in understanding the Web vulnerabilities in detail. However, it can also report too many things, some of which may be false alarms. Hence, care should be taken while interpreting Nikto logs.
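    Both the NIKTO2 section above and the caution here about false alarms come down to the same task: triaging the scanner's report rather than reading it line by line. The Python script below is an added example for this page, not part of Nikto or of the original article. It parses a Nikto CSV report (saved with -Format csv -output report.csv); the seven-column layout host, ip, port, id, method, uri, message is assumed here, the rows are constructed sample data rather than real scan output, and the 999xx identifiers are placeholders. It drops exact duplicate lines, separates server banners and missing-header notices (id 0, informational) from identified checks, and sets aside generic "this might be interesting" hits, which are the ones most often found to be false positives and should be confirmed by hand before they go into a report.

```python
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Assumed column layout of a Nikto CSV report:
#   host, ip, port, vulnerability-id, http-method, uri, message
# Constructed sample data; "0" is Nikto's value for an informational line
# with no identifier, and the 999xx ids are placeholders, not real references.
SAMPLE_REPORT = '''\
"172.16.10.10","172.16.10.10","80","0","GET","/","Server: Apache/2.2.22 (Ubuntu)"
"172.16.10.10","172.16.10.10","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"172.16.10.10","172.16.10.10","80","0","GET","/","The X-XSS-Protection header is not defined."
"172.16.10.10","172.16.10.10","80","0","GET","/","The anti-clickjacking X-Frame-Options header is not present."
"172.16.10.10","172.16.10.10","80","99901","GET","/backup/","Directory indexing found."
"172.16.10.10","172.16.10.10","80","99902","GET","/test.php","This might be interesting."
"172.16.10.10","172.16.10.10","8080","99903","GET","/admin/","Admin login page/section found."
'''


@dataclass(frozen=True)
class Finding:
    host: str
    port: str
    vuln_id: str
    method: str
    uri: str
    message: str


def parse_report(text: str) -> list[Finding]:
    """Parse CSV rows into Findings, dropping exact duplicates but keeping report order."""
    seen: dict[Finding, None] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7:
            continue  # blank or malformed line: skip rather than abort the triage
        host, _ip, port, vuln_id, method, uri, message = row
        seen.setdefault(Finding(host, port, vuln_id, method, uri, message.strip()), None)
    return list(seen)


def classify(f: Finding) -> str:
    """Bucket a finding: verify / banner / header / info / finding."""
    msg = f.message.lower()
    if "might be interesting" in msg:
        return "verify"          # generic hit on a guessed path: confirm manually
    if f.vuln_id == "0":         # informational lines carry no identifier
        if msg.startswith("server:"):
            return "banner"
        if "header" in msg:
            return "header"      # hardening header missing: fix in server config
        return "info"
    return "finding"             # identified check: review and prioritise


def triage(text: str) -> dict:
    """Summarise a report: counts per bucket plus the lists worth acting on."""
    findings = parse_report(text)
    buckets = {f: classify(f) for f in findings}
    return {
        "total": len(findings),
        "counts": dict(Counter(buckets.values())),
        "actionable": [f"{f.port} {f.uri}" for f, b in buckets.items() if b == "finding"],
        "verify": [f"{f.port} {f.uri}" for f, b in buckets.items() if b == "verify"],
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"{summary['total']} unique lines:", summary["counts"])
    print("act on:", summary["actionable"])
    print("confirm by hand:", summary["verify"])
```

    On the sample data the duplicate X-Frame-Options line is collapsed, the two identified checks (the indexable /backup/ directory and the admin section on port 8080) land in the actionable list, and the generic /test.php hit is queued for manual confirmation instead of being reported as a vulnerability.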

    Samurai framework (http://samurai.inguardians.com)
    Once a baseline check is performed by Nikto, the next step is to take the “deep-dive” approach. Samurai is a framework — a bunch of powerful utilities, each one targeted for a specific set of vulnerabilities.

    It comes as a Linux distribution, purely focusing on penetration-testing tools such as WebScarab for HTTP mapping, W3AF plugins for application-based attacks, and it also has tools to test browser-based exploits. It is amazing to note that the most recent version can find vulnerabilities that are usually not detected even by a few commercial software products.

    Safe3 scanner (http://sourceforge.net/projects/safe3wvs)
    While the first two tools are good for static websites, portals that need a user ID and password call for something that can deal with HTTP sessions and cookies. Safe3 scanner is a fantastic open source project, which has gained momentum and fame because it can handle almost all types of authentication, including NTLM.
    It contains a Web crawler (a spider like those of search engines) capable of ignoring duplicate page scans while still detecting client-side JavaScript vulnerabilities. Safe3 scans also detect the possibility of the latest AJAX-based attacks and even report vulnerable script libraries. It comes with a user-friendly GUI and is capable of creating nice management reports.

    Websecurify (http://www.websecurify.com)
    Though very similar to Samurai, Websecurify also brings application-level assessment into play. In the case of a large Web farm where code is maintained by a team of developers, following standards can still yield insecure code, such as passwords mentioned in code, physical file paths in libraries, etc. Websecurify can traverse code and find such loopholes swiftly.

    A nice feature is that it allows you to create screenshots of the problem areas automatically, which helps in preparing audit reports. It is one of the very few platform-independent tools and also supports mobile coding, which is helping it get more popular in the cyber-security assessment world.

    SQLmap (http://sqlmap.org)
    Unless I mention a tool to detect SQL-injection attacks, this article would not be complete. Though this is a very old “first-generation” type of attack, many public websites still fail to fix it. SQLmap is capable of not just exploiting SQL-injection faults, but can also take over the database server. Since it focuses on a specific task, it works at great speed to fingerprint databases, find out the underlying file system and OS, and eventually fetch data from the server. It supports almost all well-known database engines, and can also perform password-guessing attacks. This tool can be combined with the other four tools mentioned above to scan a website aggressively.

    A vulnerability assessment tool should include network scanning as well as website vulnerability exploitation. Open source software is prone to attacks too; hence, network administrators must know about the reputed scanners and use them in their daily tasks to make their infrastructure secure and stable.