Written by zuzamodbal Friday, 04 February 2011 10:46
The traditional approach to implementing an intranet is to purchase a software package, modify it for your needs, and install it on your system.
Over the past few years, another option has grown in popularity – the implementation of a web-based solution.
As you consider the choice between installed software and a web-based intranet, here are some considerations:
1. The most important requirement of any intranet is that everyone uses it.
To assure broad-based participation, the intranet must be easy to implement, simple to use, cost-effective to maintain, and offer each individual user the power to post, access and use content in a way that serves their specific needs. In short, the intranet must have value to everyone.
Web-based intranets are designed around this concept. The interface and navigation are consistent with their use of the web – an environment in which they feel in control, using familiar tools.
In contrast, the business world is littered with countless elegant and feature-rich software-based intranets that have failed. Why? Because they represented an alien environment into which the user was expected to venture. Few employees had the time or the interest (or courage) to enter, rendering the intranet impotent, with its powerful tools unused.
This is the plight of traditional, out-of-the-box software solutions. Unlike web-based intranets, they force users into a constrained environment requiring in-depth training, built around rules designed for the group, rather than the individual.
2. Software intranets have unpredictable costs: in time, attention and money.
Software based solutions require extensive internal support. The ongoing expense in both staff time and money takes the focus of your IT group away from mission-critical tasks.
System integration, implementation, maintenance, technology upgrades, training and user support are all ongoing tasks that represent a significant, recurring investment. The cost can be substantial, far exceeding your initial license cost and monthly fee.
3. Web-based intranets offer a predictable cost and cutting-edge technology.
Most web-based solutions offer a fixed monthly fee that covers all maintenance, technology upgrades, training and user support. The costs are predictable, the technology evolutionary, and it's all done with minimal involvement of your IT staff.
It's for these reasons that companies needing broad-based participation in a changing environment are choosing web-based intranets over traditional software solutions.
Scenario: You work in a corporate environment in which you are, at least partially, responsible for network security. You have implemented a firewall, virus and spyware protection, and your computers are all up to date with patches and security fixes. You sit there and think about the lovely job you have done to make sure that you will not be hacked.
You have done what most people think are the major steps towards a secure network. This is partially correct. What about the other factors?
Have you thought about a social engineering attack? What about the users who use your network on a daily basis? Are you prepared to deal with attacks by these people?
Believe it or not, the weakest link in your security plan is the people who use your network. For the most part, users are uneducated on the procedures to identify and neutralize a social engineering attack. What’s going to stop a user from finding a CD or DVD in the lunch room and taking it to their workstation and opening the files? This disk could contain a spreadsheet or word processor document that has a malicious macro embedded in it. The next thing you know, your network is compromised.
This problem exists particularly in an environment where help desk staff reset passwords over the phone. There is nothing to stop a person intent on breaking into your network from calling the help desk, pretending to be an employee, and asking to have a password reset. Most organizations use a system to generate usernames, so it is not very difficult to figure them out.
Your organization should have strict policies in place to verify the identity of a user before a password reset can be done. One simple thing to do is to have the user go to the help desk in person. The other method, which works well if your offices are geographically far away, is to designate one contact in the office who can phone for a password reset. This way everyone who works on the help desk can recognize the voice of this person and know that he or she is who they say they are.
Why would an attacker go to your office or make a phone call to the help desk? Simple: it is usually the path of least resistance. There is no need to spend hours trying to break into an electronic system when the physical system is easier to exploit. The next time you see someone walk through the door behind you and do not recognize them, stop and ask who they are and what they are there for. If you do this, and it happens to be someone who is not supposed to be there, most of the time he will get out as fast as possible. If the person is supposed to be there, he will most likely be able to produce the name of the person he is there to see.
I know you are saying that I am crazy, right? Well think of Kevin Mitnick. He is one of the most decorated hackers of all time. The US government thought he could whistle tones into a telephone and launch a nuclear attack. Most of his hacking was done through social engineering. Whether he did it through physical visits to offices or by making a phone call, he accomplished some of the greatest hacks to date. If you want to know more about him Google his name or read the two books he has written.
It’s beyond me why people try to dismiss these types of attacks. I guess some network engineers are just too proud of their network to admit that it could be breached so easily. Or is it the fact that people don’t feel they should be responsible for educating their employees? Most organizations don’t give their IT departments the jurisdiction to promote physical security; this is usually a problem for the building manager or facilities management. Nonetheless, if you can educate your employees even slightly, you may be able to prevent a network breach from a physical or social engineering attack.
Imagine a future in which your every belonging is marked with a unique number identifiable with the swipe of a scanner, where the location of your car is always pinpoint-able and where signal-emitting microchips storing personal information are implanted beneath your skin or embedded in your inner organs.
This is the possible future of radio frequency identification (RFID), a technology whose application has so far been limited largely to supply-chain management (enabling companies, for example, to keep track of the quantity of a given product they have in stock) but is now being experimented with for passport tracking, among other things. RFID is set to be applied in a whole range of consumer settings. Already being tested in products as innocuous as shampoo, lip balm, razor blades, clothing and cream cheese, RFID-enabled items are promoted by retailers and marketers as the next revolution in customer convenience. Consumer advocates say this is paving the way for a nightmarish future where personal privacy is a quaint throwback.
How RFID works
There are two types of RFID tags: active and passive. When most people talk about RFID, they talk about passive tags, in which a radio frequency is sent from a transmitter to a chip or card which has no power cell per se, but uses the transmitted signal to power itself long enough to respond with a coded identifier. This numeric identifier really carries no information other than a unique number, but keyed against a database that associates that number with other data, the RFID tag's identifier can evoke all information in the database keyed to that number.
An active tag has its own internal power source and can store as well as send even more detailed information.
The RFID value chain involves three parts: the tags, the readers and the application software that powers these systems. From there, the data generated by the application software can interface with other systems used in an enterprise, or, conceivably, be obtained or collected by governments or more nefarious organizations.
Where it’s used today
Global companies such as Gillette, Philips, Procter & Gamble, Wal-Mart and others see huge savings to be made from the use of RFID, and there are numerous pilot projects underway which are indicating savings in supply chains as well as the ability to add value to product owner, product reseller and customer alike.
But they’re just pilots, mostly. RFID is a long way from being everywhere, so far. Pharmaceutical tracking has long been held out as one of the flagship applications of RFID in the short term, yet analysts predict that just some 10 medications are expected to be tagged using RFID technology on a large scale in the U.S. during 2006. Slow roll-outs contrast sharply with the optimism of a year ago, when evidence suggested a tripling or even quadrupling of RFID for consumer goods tracking. Why? Uncertainty over pending legislation. There is a complex mixture of federal and new state laws (in particular in Florida and California) intended to combat drug theft and counterfeiting that have implications for RFID. The details are still being worked out.
Where it’s likely to be used tomorrow
Depending on which analysts you believe, the market for RFID technology will represent between 1.5 and 30 billion USD by the year 2010. Analyst firm IDTechEx, which tracks the RFID industry, believes more than 585 billion tags will be delivered by 2016. Among the largest growth sectors, IDTechEx foresees the tagging of food, books, drugs, tires, tickets, secure documents (passports and visas), livestock, baggage and more.
Buses and subways in some parts of the world are being equipped with RFID readers, ready for multi-application e-tickets. These are expected to make things easier for the commuter, and help stem the fraud from the current paper-ticket system. However the biggest problem facing rollouts of RFID for commercial micropayment tracking is apparently not technical, but involves agreeing on the fees charged by the clearing house and how credit from lost and discarded tickets will be divided.
One of the highest profile uses of RFID will be passport tracking. Since the terrorist attacks of 2001, the U.S. Department of Homeland Security has wanted the world to agree on a standard for machine-readable passports. Countries whose citizens currently do not have visa requirements to enter the United States will have to issue passports that conform to the standard or risk losing their non-visa status.
American and other passports are being developed that include RFID-based chips which allow the storage of considerable amounts of data such as fingerprints and digitized photographs. In the U.S., these passports are due to start being issued in October of 2006. Early in the development of these passports there were gaping security holes, such as the capability of being read by any reader, not just the ones at passport control (the upshot of this was that travelers carrying RFID passports would have been openly broadcasting their identity, making it easy for wrongdoers to surreptitiously pick Americans or nationals of other participating countries out of a crowd).
Those security blunders were initially corrected by adding metal shielding to the passport cover to minimize its readability when closed, dialing back the range of the electronics and adding a special electronic protocol called Basic Access Control (or BAC). This scheme requires the passport to be opened and scanned before its data can be properly interpreted by an RFID receiver. Unfortunately, in early February 2006, Dutch security experts managed to “listen in” on the communications between a prototype BAC-protected passport and a receiver and cracked the protocol. This means the international authority developing this new global passport standard may need to go back to the drawing board as of this writing, because ‘bad guys’ could clearly stand in line at passport control and capture passport information. Details of the Dutch hack here.
Implications for privacy seekers
RFID has clear implications for those who are worried about their privacy and safety. Some of them are obvious, and some of them are not.
- Can be read without your knowledge – Since the tags can be read without being swiped or obviously scanned (as is the case with magnetic strips or barcodes), anyone with an RFID tag reader can read the tags embedded in your clothes and other consumer products without your knowledge. For example, you could be scanned before you enter the store, just to see what you are carrying. You might then be approached by a clerk who knows what you have in your backpack or purse, and can suggest accessories or other items.
- Can be read at greater distances with a high-gain antenna – For various technical reasons, RFID reader/tag systems are designed so that the distance between the tag and the reader is kept to a minimum. However, a high-gain antenna can actually read tags from much further away, leading to privacy problems. Governments or others could punch through privacy screens and keep tabs on people.
- Difficult to remove – RFID tags are hard for consumers to remove; some are very small (less than half a millimeter square, and as thin as a sheet of paper), and others may be hidden or embedded inside a product where consumers cannot see them. New technologies allow RFID tags to be printed right on a product and may not be removable at all.
- Disruptions if maliciously jammed – RF signals can be jammed, which could complicate everyday life if RFID tags became essential. Imagine a central bus or train station, maybe an airport, where suddenly everyone could neither be identified nor access their cash accounts. A single hour of jamming during the morning rush over a large area could cost a large city untold millions of dollars in delayed commerce and transport. It would be worse than a mass-transit strike, and easier to repeat.
- Could be linked to a credit card number – The Universal Product Code (UPC) implemented with barcodes allows each product sold in a store to have a unique number that identifies that product. Work is proceeding on a global system of product identification that would allow each individual item to have its own number. When the item is scanned for purchase and is paid for, the RFID tag number for a particular item can be associated with the credit card number it was purchased with.
- Potential for counterfeit – If an RFID tag is being used to authenticate someone, anyone with access to an RFID reader can easily capture and fake someone else’s unique numeric identifier, and therefore, in essence, their electronic 'signature'. If an RFID-tagged smartcard is used for shopping, for instance, anyone who intercepted and reverse-engineered your number, and programmed another card with it, could make charges on your account.
- Marking for crime – Even after you leave a store, any RFID devices in things you buy are still active. A thief could walk past you in the mall and know exactly what you have in your bags, marking you as a potential victim. Someone could even circle your house with an RFID scanner and pull up data on what you have in your house before robbing it. As a result, there are now discussions of “zombie” RFID tags that expire upon leaving the store and reanimate if the product is ever returned to the store and returned to the supply chain.
- Marking for violence – Military hardware and even clothing are beginning to make use of RFID tags to help track these items through supply chains. RFID is being used today by the U.S. military to track materials in Iraq and Afghanistan. Some analysts are concerned about particular items being associated with high-level officers that could trigger roadside bombs via an RFID scan of cars going by. (Thankfully, RFID tags retained close to the body can rarely be scanned. For instance, UHF tags, the kind being most widely deployed, are virtually unreadable near the body because of its high water content.)
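The “potential for counterfeit” point above rests on the tag answering every interrogation with the same fixed number. The following model, added here and not taken from the article or any real RFID product, puts a static-identifier tag beside a tag that answers a fresh reader challenge with a keyed MAC, and shows that a card programmed with one overheard reply is accepted by the first scheme and rejected by the second. Tag identifiers, keys and the reader database are constructed values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

UID_LEN = 8  # constructed: every tag identifier in this model is 8 bytes


class StaticTag:
    """Passive tag of the kind described above: answers every interrogation
    with the same fixed number, whatever the reader sends."""

    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, _challenge: bytes) -> bytes:
        return self.uid


class ChallengeResponseTag:
    """Tag holding a per-tag secret key: it proves it knows the key by MACing the
    reader's fresh challenge, so the bytes on the air change every time."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        mac = hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()
        return self.uid + mac


class CapturedReplyTag:
    """Models the card the article warns about: a blank programmed with one
    reply overheard from a genuine tag, which it repeats for every challenge."""

    def __init__(self, captured_reply: bytes):
        self.captured = captured_reply

    def respond(self, _challenge: bytes) -> bytes:
        return self.captured


class Reader:
    """Reader plus the back-end database keyed by tag number.  The value is
    the tag's secret key, or None for tags enrolled under the static scheme."""

    def __init__(self, db: Dict[bytes, Optional[bytes]]):
        self.db = db

    def authenticate(self, tag) -> bool:
        challenge = os.urandom(16)  # fresh random challenge per interrogation
        reply = tag.respond(challenge)
        uid = reply[:UID_LEN]
        if uid not in self.db:
            return False
        key = self.db[uid]
        if key is None:
            # Static scheme: the number itself is the credential.
            return reply == uid
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(reply[UID_LEN:], expected)


def demo() -> Dict[str, bool]:
    """Enrol one tag of each kind, let an eavesdropper capture one exchange with
    each, then present the genuine tags and the captured replies to the reader."""
    uid_static, uid_cr = b"TAG-0001", b"TAG-0002"  # constructed identifiers
    key_cr = os.urandom(32)
    reader = Reader({uid_static: None, uid_cr: key_cr})
    genuine_static = StaticTag(uid_static)
    genuine_cr = ChallengeResponseTag(uid_cr, key_cr)
    # One overheard exchange per tag (the eavesdropper's own challenge values).
    overheard_static = genuine_static.respond(os.urandom(16))
    overheard_cr = genuine_cr.respond(os.urandom(16))
    return {
        "static_genuine_accepted": reader.authenticate(genuine_static),
        "static_copy_accepted": reader.authenticate(CapturedReplyTag(overheard_static)),
        "cr_genuine_accepted": reader.authenticate(genuine_cr),
        "cr_copy_accepted": reader.authenticate(CapturedReplyTag(overheard_cr)),
    }
```

The copied static number is indistinguishable from the original, whereas the copied challenge-response reply was computed for a challenge the reader will never repeat.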
Some have suggested that mobile phones are already as great a threat to privacy as RFID. In the case of mobile phones, information about your whereabouts and calling patterns is regularly available to your service provider, a centralized and highly regulated source of information gathering. An adversary with special-purpose equipment would also have the capability of tracking your mobile phone, but this would require significant expertise and investment. See our separate article "Cell phone hazards".
What makes RFID a more significant privacy threat than mobile phones is the fact that readers will be readily available and ubiquitously deployed. In other words, RFID readers will soon be an accepted element of everyday life, while eavesdropping equipment for mobile phones is unlikely to be.
How to thwart RFID technology
There are a few approaches you can take to thwart RFID tags ... but before you take proactive steps, note that sometimes the very absence of a tag or its signal in places it’s expected could arouse suspicion. For instance, if you’re carrying what is expected to be an RFID-tagged passport and your tag isn’t working, say, you may invite unwanted scrutiny. Be careful which tags you choose to disrupt.
The simplest, most permanent approach to disable RFID tags is to destroy them. If you can detect them and wish to permanently render them useless, remove them and smash the small chip component with a hammer. If you’re not sure whether a product you own contains a tag, consider putting it in a microwave to destroy the tag if the object is otherwise safe to be microwaved. Be careful with some plastics. Note there have been reports of RFID materials catching fire in microwaves.
If removing the tag is not practical, there are four general ways to disrupt RFID tag detection.
- Blocking – Construct a conductive foil box (even tin foil is good) around the tag. If you are concerned about RFID emissions from work badges, school IDs, new generation drivers licenses, credit cards, and even cash in the future containing RFID tags, buy or make an RFID-proof wallet. RFID wallet project details are easy to find on the Internet.
- Jamming – Since RFID systems make use of the electromagnetic spectrum like wireless networks or cellphones, they are relatively easy to jam using a strong radio signal at the same frequency the tag operates on. Although this would only be an inconvenience for consumers in stores (longer waits at the checkout), it could be disastrous in other environments where RFID is increasingly being used, like hospitals, or in military combat situations. Such jamming devices, however, would in most cases violate government regulations on radio emissions. A group of researchers in Amsterdam has theorized that a personal RFID jammer is possible (their paper is linked to from the version of this article that lives at our web site, www.powerprivacy.com), but the device seems only theoretical at this time.
- Repeated interrogation – Active RFID tags that use a battery to increase the range of the system can be repeatedly interrogated to wear the battery down, disrupting the system.
- Popping – Generating a very strong pulse of radiation at the right frequency can cause RFID tags to resonate and break.
What strategy you should pursue depends on what RFID privacy threats you are trying to thwart and your technical expertise.
Unlike the ISO/OSI reference model, the TCP/IP architecture is divided into only 4 layers. Again, the exchange of information between the layers is precisely defined, and each layer uses the services of the layer below it and provides its services to the layer above it.
1. Network interface (data link) layer
2. Network layer
3. Transport layer
4. Application layer
Network interface layer
The lowest layer of the TCP/IP model. Its task is to provide access to the physical transmission medium, and it differs according to the implementation of the medium.
The network layer provides network addressing, routing and datagram transmission. The protocols used here that will be of further interest regarding DHCP are IP and ARP.
IP is the basic protocol of the network layer and, in general, of the internet as a whole. It sends datagrams, which are independent units that contain information about the destination, the source and the sequence number of the datagram. The sequence number is used for message reconstruction, since the delivery order of the datagrams might not be the same as their order in the message, and delivery reliability isn't guaranteed at all.
IP protocol versions:
- IPv4 - 32-bit addresses. Provides approximately 4 billion unique addresses, which are no longer sufficient at present.
- IPv6 - 128-bit addresses. The transition to v6 will bring (is bringing) higher security, QoS, packet segmentation and many more IP addresses. (The transition from IPv4 to IPv6 must be supported by the system provider.)
The abbreviation ARP stands for Address Resolution Protocol. This protocol is used to find the physical (MAC) address corresponding to a known IP address. When required, ARP broadcasts a request for the wanted address to all the stations in the network; the station concerned answers with a message containing its MAC. If the wanted device/station is outside the local node/segment, the appropriate router answers instead of it.
The transport layer is implemented only in end devices, and it adapts the behavior of the network to the requirements of the device/application.
The application layer is composed of programs that use net services to fulfill the needs of users. Examples of specific protocols are for instance FTP, DNS and DHCP.
Application protocols use TCP, UDP or both services at the same time. So-called ports are used to differentiate between application protocols; they act as a kind of label for the application. The port can be changed in the settings of a service, but each service has a default port that is left unchanged for most services and is used as an unwritten standard.
- FTP = 21
- DNS = 53
- DHCP = 67 + 68
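To make the layering above concrete, the following added example (not part of the original text) builds one IPv4 datagram carrying a UDP segment and then parses it back layer by layer: 32-bit addresses and the identification number from the network-layer header, ports from the transport-layer header, and the application protocol that the default port implies. The packet bytes and the "DHCPDISCOVER" payload are constructed labels, not captured traffic or a real DHCP message.

```python
import struct
from typing import Dict

# Default ports listed in the text, keyed by port number.
DEFAULT_PORTS = {21: "FTP", 53: "DNS", 67: "DHCP (server)", 68: "DHCP (client)"}

IPV4_HEADER = "!BBHHHBBH4s4s"  # 20 bytes, no options
UDP_HEADER = "!HHHH"           # 8 bytes


def _ip_to_bytes(ip: str) -> bytes:
    """Dotted-quad text -> 4 bytes, rejecting malformed addresses."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed IPv4 address: %r" % ip)
    return bytes(parts)


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   ident: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4+UDP datagram (checksums left zero for brevity)."""
    udp = struct.pack(UDP_HEADER, sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IPV4_HEADER,
                     0x45,              # version 4, header length 5 words
                     0,                 # type of service
                     20 + len(udp),     # total length
                     ident,             # identification number of this datagram
                     0,                 # flags / fragment offset
                     64,                # TTL
                     17,                # protocol 17 = UDP
                     0,                 # header checksum (not computed here)
                     _ip_to_bytes(src_ip), _ip_to_bytes(dst_ip))
    return ip + udp


def parse_datagram(raw: bytes) -> Dict[str, object]:
    """Peel the layers: IPv4 header -> UDP header -> application label."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    (ver_ihl, _tos, _total, ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HEADER, raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 datagram")
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("truncated IPv4 header")
    info: Dict[str, object] = {
        "version": version,
        "src": ".".join(str(b) for b in src),   # 32-bit source address
        "dst": ".".join(str(b) for b in dst),   # 32-bit destination address
        "identification": ident,
        "ttl": ttl,
        "protocol": proto,
    }
    if proto == 17:  # transport layer: UDP
        if len(raw) < ihl + 8:
            raise ValueError("truncated UDP header")
        sport, dport, udp_len, _ucsum = struct.unpack(UDP_HEADER, raw[ihl:ihl + 8])
        info.update({
            "src_port": sport,
            "dst_port": dport,
            # application layer: the service implied by the default port
            "application": DEFAULT_PORTS.get(dport, DEFAULT_PORTS.get(sport, "unknown")),
            "payload": raw[ihl + 8:ihl + udp_len],
        })
    return info


def demo() -> Dict[str, object]:
    """A DHCP client's broadcast (client port 68 -> server port 67), built then parsed."""
    pkt = build_ipv4_udp("0.0.0.0", "255.255.255.255", 68, 67, 4242, b"DHCPDISCOVER")
    return parse_datagram(pkt)
```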
Active Directory is a hierarchical representation of all the objects and their attributes available on the network. It enables administrators to manage the network resources, i.e., computers, users, printers, shared folders, etc., in an easy way. The logical structure represented by Active Directory consists of forests, trees, domains, organizational units, and individual objects. This structure is completely independent from the physical structure of the network, and allows administrators to manage domains according to the organizational needs without bothering about the physical network structure.
Following is the description of all logical components of the Active Directory structure:
Forest: A forest is the outermost boundary of an Active Directory structure. It is a group of multiple domain trees that share a common schema but do not form a contiguous namespace. It is created when the first Active Directory-based computer is installed on a network. There is at least one forest on a network. The first domain in a forest is called a root domain. It controls the schema and domain naming for the entire forest. It can be separately removed from the forest. Administrators can create multiple forests and then create trust relationships between specific domains in those forests, depending upon the organizational needs.
Trees: A hierarchical structure of multiple domains organized in the Active Directory forest is referred to as a tree. It consists of a root domain and several child domains. The first domain created in a tree becomes the root domain. Any domain added to the root domain becomes its child, and the root domain becomes its parent. The parent-child hierarchy continues until the terminal node is reached. All domains in a tree share a common schema, which is defined at the forest level. Depending upon the organizational needs, multiple domain trees can be included in a forest.
Domains: A domain is the basic organizational structure of a Windows Server 2003 networking model. It logically organizes the resources on a network and defines a security boundary in Active Directory. The directory may contain more than one domain, and each domain follows its own security policy and trust relationships with other domains. Almost all organizations with a large network use the domain networking model to enhance network security and enable administrators to efficiently manage the entire network.
Objects: Active Directory stores all network resources in the form of objects in a hierarchical structure of containers and subcontainers, thereby making them easily accessible and manageable. Each object class consists of several attributes. Whenever a new object is created for a particular class, it automatically inherits all attributes from its member class. Although the Windows Server 2003 Active Directory defines its default set of objects, administrators can modify it according to the organizational needs.
Organizational Unit (OU): It is the least abstract component of the Windows Server 2003 Active Directory. It works as a container into which resources of a domain can be placed. Its logical structure is similar to an organization's functional structure. It allows creating administrative boundaries in a domain by delegating separate administrative tasks to the administrators on the domain. Administrators can create multiple Organizational Units in the network. They can also nest OUs, which means that other OUs can be created within an OU.
In a large, complex network, the Active Directory service provides a single point of management for the administrators by placing all the network resources in a single place. It allows administrators to effectively delegate administrative tasks as well as facilitate fast searching of network resources. It is easily scalable, i.e., administrators can add a large number of resources to it without incurring additional administrative burden. This is accomplished by partitioning the directory database, distributing it across other domains, and establishing trust relationships, thereby providing users with the benefits of decentralization while, at the same time, maintaining centralized administration.
The physical network infrastructure of Active Directory is far simpler than its logical structure. The physical components are domain controllers and sites.
Domain Controller: A Windows 2003 server on which Active Directory services are installed and run is called a domain controller. A domain controller locally resolves queries for information about objects in its domain. A domain can have multiple domain controllers. Each domain controller in a domain follows the multimaster model by having a complete replica of the domain's directory partition. In this model, every domain controller holds a master copy of its directory partition. Administrators can use any of the domain controllers to modify the Active Directory database. The changes performed by the administrators are automatically replicated to other domain controllers in the domain.
However, there are some operations that do not follow the multimaster model. Active Directory handles these operations and assigns them to a single domain controller to be accomplished. Such a domain controller is referred to as operations master. The operations master performs several roles, which can be forest-wide as well as domain-wide.
Forest-wide roles: There are two types of forest-wide roles:
Schema Master and Domain Naming Master. The Schema Master is responsible for maintaining the schema and distributing it to the entire forest. The Domain Naming Master is responsible for maintaining the integrity of the forest by recording additions of domains to and deletions of domains from the forest. When new domains are to be added to a forest, the Domain Naming Master role is queried. In the absence of this role, new domains cannot be added.
Domain-wide roles: There are three types of domain-wide roles: RID Master, PDC Emulator, and Infrastructure Master.
RID Master: The RID Master is one of the operations master roles that exist in each domain in a forest. It controls the sequence numbers for the domain controllers within a domain by providing a unique sequence of RIDs to each domain controller. When a domain controller creates a new object, the object is assigned a unique security ID consisting of a combination of the domain SID and a RID. The domain SID is a constant ID, whereas the RID is assigned to each object by the domain controller. The domain controller receives its RIDs from the RID Master. When the domain controller has used all the RIDs provided by the RID Master, it requests the RID Master to issue more RIDs for creating additional objects within the domain. When a domain controller exhausts its pool of RIDs and the RID Master is unavailable, no new object in the domain can be created.
PDC Emulator: The PDC emulator is one of the five operations master roles in Active Directory. It is used in a domain containing non-Active Directory computers. It processes the password changes from both users and computers, replicates those updates to backup domain controllers, and runs the Domain Master browser. When a domain user requests authentication from a domain controller, and the domain controller is unable to authenticate the user due to a bad password, the request is forwarded to the PDC emulator. The PDC emulator then verifies the password, and if it finds the updated entry for the requested password, it authenticates the request.
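The RID pool mechanism above, simulated in code as an added illustration (this is a model of the behaviour described, not Windows code or any Microsoft API): a RID Master hands each domain controller a block of RIDs, each new object receives the constant domain SID joined to one RID from that block, and a controller whose block is exhausted while the RID Master is unreachable cannot create objects. The domain SID and pool size are constructed values; the well-known RIDs (500, 501, 512, 513, 519) are the standard ones.

```python
from typing import Dict, List, Optional, Tuple

# Standard well-known RIDs, useful when reading a SID found in a log.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}


class RidMasterUnavailable(Exception):
    """Raised when a DC needs a new block but cannot reach the RID Master."""


class RidMaster:
    """Issues non-overlapping RID blocks so two DCs never mint the same SID."""

    def __init__(self, pool_size: int = 500, first_rid: int = 1000):
        self.pool_size = pool_size   # constructed; real pool sizes may differ
        self._next = first_rid       # first RID not yet handed to any DC
        self.online = True

    def allocate_pool(self) -> Tuple[int, int]:
        if not self.online:
            raise RidMasterUnavailable("RID Master is unreachable")
        start, self._next = self._next, self._next + self.pool_size
        return start, self._next - 1  # inclusive range


class DomainController:
    """Creates objects from its local RID block; refills from the RID Master."""

    def __init__(self, name: str, domain_sid: str, rid_master: RidMaster):
        self.name = name
        self.domain_sid = domain_sid  # constant part of every SID in the domain
        self.rid_master = rid_master
        self._pool: Optional[List[int]] = None  # [next_free, last] or None
        self.created: Dict[str, str] = {}

    def _next_rid(self) -> int:
        if self._pool is None or self._pool[0] > self._pool[1]:
            self._pool = list(self.rid_master.allocate_pool())  # may raise
        rid = self._pool[0]
        self._pool[0] += 1
        return rid

    def create_object(self, sam_name: str) -> str:
        sid = "%s-%d" % (self.domain_sid, self._next_rid())
        self.created[sam_name] = sid
        return sid


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID)."""
    domain_part, _, rid = sid.rpartition("-")
    if not domain_part.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError("not a domain account SID: %r" % sid)
    return domain_part, int(rid)


def describe_rid(rid: int) -> str:
    return WELL_KNOWN_RIDS.get(rid, "ordinary account (RID >= 1000)")


def demo() -> Dict[str, object]:
    """Two DCs sharing one RID Master; the master then goes offline."""
    domain_sid = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
    master = RidMaster(pool_size=3)  # tiny blocks so exhaustion shows quickly
    dc1 = DomainController("DC1", domain_sid, master)
    dc2 = DomainController("DC2", domain_sid, master)
    sids = [dc1.create_object("user%d" % i) for i in range(3)]  # uses DC1's block
    sids += [dc2.create_object("svc%d" % i) for i in range(2)]  # part of DC2's block
    master.online = False
    sids.append(dc2.create_object("svc2"))  # still has one RID left locally
    try:
        dc1.create_object("user3")          # block exhausted, master down
        dc1_stalled = False
    except RidMasterUnavailable:
        dc1_stalled = True
    return {"sids": sids, "all_unique": len(set(sids)) == len(sids),
            "dc1_stalled": dc1_stalled}
```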
Infrastructure Master: The Infrastructure Master role is one of the Operations Master roles in Active Directory. It functions at the domain level and exists in each domain in the forest. It maintains all inter-domain object references by updating references from the objects in its domain to the objects in other domains. It performs a very important role in a multiple domain environment. It compares its data with that of a Global Catalog, which always has up-to-date information about the objects of all domains. When the Infrastructure Master finds data that is obsolete, it requests the global catalog for its updated version. If the updated data is available in the global catalog, the Infrastructure Master extracts and replicates the updated data to all the other domain controllers in the domain.
Domain controllers can also be assigned the role of a Global Catalog server. A Global Catalog is a special Active Directory database that stores a full replica of the directory for its host domain and a partial replica of the directories of the other domains in a forest. It is created by default on the initial domain controller in the forest. It performs the following primary functions regarding logon capabilities and queries within Active Directory:
- It enables network logon by providing universal group membership information to a domain controller when a logon request is initiated.
- It enables finding directory information about all the domains in an Active Directory forest.
A Global Catalog is required to log on to a network within a multidomain environment. By providing universal group membership information, it greatly improves the response time for queries. In its absence, a user will be allowed to log on only to his local domain if his user account is external to the local domain.
Site: A site is a group of domain controllers that exist on different IP subnets and are connected via a fast and reliable network connection. A network may contain multiple sites connected by a WAN link. Sites are used to control replication traffic, which may occur within a site or between sites. Replication within a site is referred to as intrasite replication, and that between sites is referred to as intersite replication. Since all domain controllers within a site are generally connected by a fast LAN connection, the intrasite replication is always in uncompressed form. Any changes made in the domain are quickly replicated to the other domain controllers. Since sites are connected to each other via a WAN connection, the intersite replication always occurs in compressed form. Therefore, it is slower than the intrasite replication.