0blivion5 (0blivion5.txt) - 16/07/2000

[ ASCII art logo: Oblivion Magazine ]

-=[ Oblivion Magazine ]=-
-=[ http://www.0blivion.org ]=-

Feer Us Fools, Because We Are Gaining R00t On You

-=[ Editor: Cyber0ptix ]=-
-=[ cyberoptix@0blivion.org ]=-
-=[ Assistant Editor: Slider ]=-
-=[ Slider@0blivion.org ]=-

Life Is A Bitch Then You Meet Us

-=[ IRC: #OBLIVIONMAG on EFnet ]=-
Join Us And Be A Bitch

-----------------------------
Designed On 800x600 Resolution

-=[ Issue 5 - 15/07/2000 ]=-
The Fifth Element

-=[ Contents ]=-

  [ Articles ]                             [ Author ]
  +-------------------------------------+  +---------------+
  [ Contents ]                             [ Slider ]
  [ Introduction To Issue 5 ]              [ Slider ]
  [ Editor Comments/Rant ]                 [ Cyber0ptix ]
  [ News - http://net-security.org ]       [ Slider ]
  [ Creating A ISP ]                       [ Slider ]
  [ The Net Effect ]                       [ Spyderco ]
  [ Linux on OS/390 ]                      [ Slider&0mega1 ]
  [ Introduction To Wireless Technology ]  [ Slider ]
  [ DoD Classes "Orange Book" ]            [ Slider ]
  [ End Credits ]                          [ 0blivion.org ]
  ---------------------------------------  -----------------

Experience should teach us to be most on our guard to protect liberty when the government's purposes are beneficent. Men born to freedom are naturally alert to repel invasion of their liberty by evil-minded rulers. The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.
-- Louis D. Brandeis, US Supreme Court Justice (1928)

----------------------------------------------
**********************************************
Introduction to Issue 5 - Slider
**********************************************
Welcome to issue 5, this month we have dealings with information ranging from wireless communication to making your own ISP and the effect of the internet, and even running Linux on an OS/390 system. So what else can you expect, of course the Oblivion tekniq of producing documents that are worth reading and absorbing. We may not be covering stuff like 0-day hacking tekniqs, but instead we are covering stuff that should be known and absorbed and then used to make the internet a better place. We are here to be an instrument for learning and producing the next generation of internet users, and maybe even entertain and maybe even teach the original members of the internet, that make it a better place even for us. Big up to Elias Levy, Rhino9 and R.F.P and many others that i look up to and follow to the greatest degree of my learning. I have these members and many others to thank for being where i am today.

Hey! drop us an email or visit us on EFNet on #oblivionmag one day and tell us what you think of Oblivion caus i'm sure as hell interested in what you think... and maybe, if you're lucky we might publish one of your articles!

So what has the oblivion team been up to for the last month. Well, i have only spoken to cybr about 5 times this month caus he has been unfortunately working, and pubbing/clubbing and moving house like any normal happy go-lucky student. And i wonder if that's the reason why i have applied to uni... So i have been working by myself to both compile this month's edition and articles. Also, after some minor hiccups with Project Omega, for example the host of http://www.slidersecurity.co.uk decided to kill my RAS connection so i couldn't upload the files. But, apart from that Project Omega has gone into "Active" status. If you are interested in being tested then drop us an email, the page should now be up and running and details can be found on there, on how to contact us. We already have 4 happy clients which we supplied "free" solutions to.

Anyways, many thanks to people that helped me out at the start of the month with my little problem. But, that is between me and them, and not you :] We have had a lot of feedback from readers congratulating us on another issue, and how they have *finally* learned something from an Ezine! We unfortunately would like some more feedback from you the readers, and some articles! Many thanks to the people that already have.

What has been happening in the scenes this month, well apart from a v. interesting article/whitepaper published by http://www.securityfocus.com this was a very good look at what happens in the underground scene dealing with some *average* script kiddie type crackers, it goes into very good depth on how someone cracks into a Solaris out-of-box install and then sets it up to do things it is not meant to do. I must say i had a laugh at the IRC logs, like i said an average bunch of crackers. But, i may add that the scene is not like this... Most crackers don't just crack machines to setup IRC Bots and DoS clients, most people crack into them to inform an admin, repair the server, and then bugger off out, or use it to compile programs, or use it as storage space. But, there are some tossers that deface pages, and delete a lot of ppl's hard work... unless it's a paedophile site, then good luck to them!

Also there's been some interesting news within the development of Microdrives. IBM claim that they have created a micro-drive capable of holding 1gig of data but we have yet to see if anyone breaks that mark... Also, it has been reported that the 1gigahertz processor mark has been done. Also we have seen some interesting cracks/hacks using DNS (if u call it hacking/cracking) where Nike.com was re-routed to a site which is against third world labour... after reading that site, and seeing that they might only make 5 quid a week from doing a 12 hour day, 7 days a week, it kinda makes me think about them every time i put on my 160 quid Nike Airs... And grab my Nike Sports bag to go down the gym... Anyways, to find out how it was done check out http://www.shameonnike.com (that's if it's still up, after the legal battle...).

Also congrats go out to everyone that has completed their exams. On a minor note, i will not be around for a while, well for one issue, this is due to starting a new job :] I won't know how long it will be until i have net access, or have the time to come online or write articles. So don't think WTF is going on when you open next month's issue and there's not many texts from me ;] So on with issue 5. But actually, that can wait until tomorrow... caus i is off out clubbing...! back @ 8:00 Am to goto bed and then up @ 2 - 3 to carry on...!!!

Slider.

You can suck my dick, if you dont like my shit, caus i was high when i wrote this, so suck my dick, caus i dont give a fuck if you dont like my shit, caus i was high when i wrote this, so suck my dick... hah.. hehe... suck my mother fucking dick!
-- Eminem, Under The Influence, The Marshall Mathers LP

----------------------------------------------
**********************************************
Editor Comments/Rant - Cyber0ptix
**********************************************

This month has been a very busy one for me, although not much time to do anything to do with 0blivion.org unfortunately. Firstly I finished uni for the year and started to work full time, although this may have been last month but I can't remember ;o). Also my contract ran out at my house so I am currently crashing at a mate's till the end of the month. No computer or internet access except at work! Can't wait to get into my new house and get it all set back up again ;o)

Well unfortunately caffeine appears to have a few corrupted disks ;o( SSI on the site isn't working and neither are cgi scripts. I have mailed Vortex about this but so far haven't had a reply. Damn shame cos it was a damn kewl home for the web site and a nice shell for me and Slider.
Apparently BT are threatening to cut the line to the company that hosts the box ;o( always the killjoys aren't they. Ohh well keep your eyes peeled at 0blivion as I may be able to get a box hosted with shell account access.

So Slider's been busy this month, I didn't hear from him for ages then out of the blue an email saying he had nearly finished issue 5. Well what can I say, Slider keep up the great work, I don't know what would happen to 0blivion without you.

On that note, I'd just like to let everyone know that we are currently looking for some permanent staff to join 0blivion and help in the writing, editing, website design and any other projects that we can come up with. Anyone that is interested should email me or Slider at cyberoptix@0blivion.org or slider@0blivion.org. Just let us know what you want to help out with and I'm sure there is something that you could do! If you don't want to join the team but have a few articles you want publishing then mail them in and we'll get them in an issue as soon as possible. Also looking for a few projects to set up, so if anyone has any ideas but needs some people to help then get the ideas in and we'll get some sort of project team set up so we can get some projects underway.

I have a great idea for a .com business that I am currently working on getting a business plan together for ;o) yeah I think I may even go and see the bank manager! If this goes to plan I will be looking for people fluent in PHP, CGI, HTML, Security and online debiting etc. Anyone think they can help drop me a mail and I'll keep your name on file for future reference if I think the idea could be viable.

Well who heard about the awesome supping power of Ewan Blair.... made me proud to be British, the Prime Minister's son laid in the gutter covered in sick.... reminded me of when I was 16 ;o) [ And me, and the same again please bar tender! - Slider]

Anyways that's my little bit of info out of the way for the month.... hopefully I will be back online next month and contributing a lot more to 0blivion and get some things sorted out. Anyways catch ya'll later.... remember #oblivionmag on Efnet

Werd to all I know, Slider, trode, wie, micron, pentium, logistix

later cyber0ptix.

Get with the program, dick head
- Keith Flint, Prodigy, 1998

----------------------------------------------
**********************************************
This Months News Links - Slider
**********************************************

Oblivion Mag's news section is now sponsored by Help-Net Security.
http://net-security.org
All information is taken from the Net-Sec mini letter.

----------------------------------------------------------------------------
26.06.2000
----------------------------------------------------------------------------

PLAYING WITH FIRE
Nato scientists have created a computer virus "by mistake", causing military secrets to find their way onto the internet. The virus, called Anti-Smyser 1, was created by scientists at Nato's Kfor peacekeeping force headquarters in Pristina, Kosovo.
Link: http://www.the-times.co.uk/news/pages/sti/2000/06/18/stinwenws01024.html

----------------------------------------------------------------------------

FEARS OF CYBERCRIMINALS
More than two-thirds of Americans are concerned about the threat of hackers and cybercriminals, says a poll released Monday at a conference of technology executives and law enforcement officials.
Link: http://www.mercurycenter.com/svtech/news/breaking/merc/docs/016033.htm

----------------------------------------------------------------------------

PROBLEMS WITH IT MANAGERS
According to ZDNet's editorial, the problem with the latest outbreaks of Outlook spreading worms isn't in Microsoft, but the "real problem lies with IT and line-of-business managers who are still in denial about their need to take responsibility for the security of their enterprises' IT architectures".
Link: http://www.zdnet.com/eweek/stories/general/0,11011,2587070,00.html

----------------------------------------------------------------------------

MORE FROM JANET RENO
U.S. Attorney General Janet Reno urged high-tech companies Monday to step up cooperation with law-enforcement officials battling cyber crime.
Link: http://partners.nytimes.com/library/tech/00/06/biztech/articles/20renocrime.html

----------------------------------------------------------------------------

PIRACY SITUATION IN CROATIA
Croatian security web site Active Security published an interview with Business Software Alliance Croatia, where BSA points out the piracy ratio in this European country. In 1997, the ratio was 94% and later it fell to 84%.
Link: http://active-security.org/bsa.html

----------------------------------------------------------------------------

UPDATE ON STAGES WORM
"It has spread to many big companies, dozens of Fortune 500 [firms], several Fortune 100, including top companies in aerospace, media, software, communications and securities." - David Perry from Trend Micro said. He declined to identify the companies, but CNN reported that its system was among those infected.
Link: http://www.ecommercetimes.com/news/articles2000/000621-nb1.shtml

----------------------------------------------------------------------------

SECURITY GUIDELINES FOR WEB APPLICATIONS
"After doing some tests with some of my domain names, I found out that I was able to change anything from contact info to dns settings without having to authenticate. I asked a friend of mine to do the same thing with his domains hosted by register.com, and he was able to do the same thing."
Link: http://www.rootprompt.org/article.php3?article=569

----------------------------------------------------------------------------

BUFFER OVERFLOWS AND THE POWERPC
Christopher Shepherd gives an introduction to standard buffer-overflow exploits on the PowerPC in a three-part series, to encourage further full-disclosure review of the vulnerabilities of PowerPC operating systems.
Part One - discusses the logistics of buffer overflows and offers a quick introduction to PowerPC assembly on Linux.
http://bpc.net/belgo.org/propeller/ppc-stack-1.html
Part Two - covers actually writing buffer overflow code in PowerPC assembly.
http://bpc.net/belgo.org/propeller/ppc-stack-2.html
Part Three - actually shows some PowerPC buffer overflows for LinuxPPC and Mac OS X Server.
http://bpc.net/belgo.org/propeller/ppc-stack-3.html

----------------------------------------------------------------------------

FIX TOOL FOR STAGES WORM
Symantec Corporation has developed a tool to remove the changes to a computer system caused by VBS.STAGES.A, a polymorphic computer worm.
Link: http://www.net-security.org/cgi-bin/download.cgi?fixlife.exe

----------------------------------------------------------------------------

"ZULU" IS THE CREATOR OF SEVERAL WORMS
According to Bruce Hughes, a manager at ICSA, the creator of the Stages worm is connected with several other worms that hit Internet users in the past months - Bubbleboy, Monopoly and Freelink. The Reuters article says that the person with the handle "Zulu" didn't unleash his creations directly, but he posted them on several VX related boards, where others picked them up and started the rampage.
Link: http://www.techweb.com/wire/story/reuters/REU20000620S0009

----------------------------------------------------------------------------

U.S. BACKS NET PRIVACY METHOD
by LogError, Thursday 22 June 2000 on 1:38 PM
The White House has endorsed a major Internet industry initiative aimed at boosting online privacy by redesigning the way browsing software handles personal data. After years in development, on Wednesday in New York the new standard underwent its first public test of how similarly engineered software applications would work together.
Link: http://www.wired.com/news/politics/0,1283,37142,00.html

----------------------------------------------------------------------------

NIKE.COM TAKEN OVER
The on-line home of Nike (www.nike.com) was hijacked and pointed to the Australia-based "S11 alliance", an organization that is preparing protests against the ill effects of globalization at the World Economic Forum. It looks like it is once again a "classical" domain hijack from Network Solutions. Security Watch has an in depth article on this issue.
Link: http://www.securitywatch.com/newsforward/default.asp?AID=3137

----------------------------------------------------------------------------

INTEL ADMITS WIRELESS SECURITY CONCERNS
The head of Intel's Wireless Competency Centre admits that security is a serious concern in the company's future vision of wireless technology and mobile Internet. Speaking at Intel's Wireless Competency Centre in Stockholm this week, managing director Leif Persson acknowledged hugely complicated wireless environments are causing them serious anxiety.
Link: http://www.zdnet.co.uk/news/2000/24/ns-16164.html

----------------------------------------------------------------------------

INTERVIEW WITH CHRIS ROULAND
Chris Rouland is the director of X-Force at Internet Security Systems (ISS), a group dedicated to understanding, documenting and coding new vulnerability checks and tests, attack signatures and solutions to global security problems.
Link: http://linuxtoday.com/news_story.php3?ltsn=2000-06-24-005-06-PS

----------------------------------------------------------------------------

INTERVIEW WITH WORM CREATOR
Bruno Gerondi from ZDNet Latin America interviewed Zulu, creator of the Stages and Bubbleboy worms. Zulu says that he is neither a veteran nor a hacker, that he didn't do anything wrong and that he writes worms as a hobby in his spare time.
Link: http://www.zdnet.com/zdnn/stories/news/0,4586,2592429,00.html

----------------------------------------------------------------------------

VULNERABILITIES EXPOSED BY JRUN 2.3.X CODE SAMPLE
JRun 2.3.x includes a number of example applications and sample code that expose security issues. JRun 3.0 addresses the viewsource.jsp issue. Allaire strongly recommends that customers follow the best practice of not installing sample code and documentation on production servers, and removing the sample code and documentation files from production servers and restricting access to those directories where they are installed on workstations.
Link: http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid961723753,31498,

----------------------------------------------------------------------------

BLACKICE BY NETWORK ICE CORP VULNERABILITY
At security level NERVOUS or lower, BlackICE and the host protected by BlackICE are vulnerable to Back Orifice (BO) 1.2. Recall that BO 1.2 uses UDP as a client-server transport protocol, and the BO server uses a high UDP port, by default, to run its service. BlackICE configured at NERVOUS security level or below does not block the high UDP ports.
Link: http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid961589955,90856,

----------------------------------------------------------------------------

NET TOOLS PKI SERVER EXPLOITS
There is a vulnerability in an OEM version of software incorporated within the Net Tools PKI Server product. An attacker can, under rare circumstances, gain unauthorized access to the computer hosting the Enrollment and/or Administrative Web servers of the Net Tools PKI. The vulnerability revolves around an issue with the XUDA template files included with the product, where these files do not reference absolute pathnames to other files.
Link: http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid961505593,92660,

----------------------------------------------------------------------------

PROBLEM WITH PANDA ANTIVIRUS NETWARE SERVERS
Customers of Panda Antivirus may have a Panda Antivirus console open on port 2001. This Panda console is open to everyone who has access to this port. You are not prompted for authentication.
Link: http://net-security.org/cgi-bin/bugs/fullnews.cgi?newsid961432406,52174,

----------------------------------------------------------------------------

ANTI VIRUS SUPPORT
Central Command announced PerfectSupport, a new support service that provides mission critical antivirus support and services. This subscription service provides maximum virus protection to all organizations where virus prevention and malicious application recovery are critical to their operation.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid962040421,209,

----------------------------------------------------------------------------

MAXON SERVICES BROADENS MANAGED SECURITY OFFERING - [20.06.2000]
Maxon Services, a leading Canadian provider of Check Point Software Technologies managed VPN-1/FireWall-1 services, and Check Point Software Technologies, the worldwide leader in securing the Internet, today announced that Maxon Services has extended its managed security offerings to include Check Point SiteManager-1 to address the needs of small-to-medium size businesses, and Check Point Provider-1 to manage the Internet security for the large enterprise.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid961510464,90158,

----------------------------------------------------------------------------

RSA SECURITY TO SECURE WIRELESS E-BUSINESS - [20.06.2000]
RSA Security Inc., the most trusted name in e-security, today announced it has begun shipping RSA BSAFE(R) WTLS-C software, a complete WTLS protocol-compliant security component that is designed to make it easier for developers of WAP-enabled (Wireless Application Protocol) wireless devices, gateways and other applications to quickly build secure, interoperable products for wireless e-commerce. Tested to interoperate with the leading WAP gateways, the RSA BSAFE WTLS-C security component provides critical authentication, data privacy and data integrity security features for both clients and servers.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid961514888,38294,

----------------------------------------------------------------------------

BIOMETRICS TO PREVENT E-MAIL WORMS? - [21.06.2000]
This week, Congress passed a bill that will make electronic signatures as legally binding as a written signature. What is an electronic signature? How does this impact the life of a virus? As one type of electronic signature, biometric technology can be used to prevent computer viruses. Please put your thumbprint on the dotted line.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid961588281,95647,

----------------------------------------------------------------------------

F-SECURE PRAISES PASSAGE OF DIGITAL SIGNATURES - [21.06.2000]
Chris Vargas, President of Leading Enterprise Security Company, said that the proper use of digital signatures will remove one barrier to widespread adoption of electronic purchasing among consumers and business customers.
He cautioned, however, that while digital IDs are the legal equivalent to written signatures, they are not an alternative to vigilance against the various security threats that challenge the safety and validity of an electronic transaction.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid961588703,14259,

----------------------------------------------------------------------------

FIREWALL TO BENEFIT ANTARES CUSTOMERS - [22.06.2000]
Antares Management Solutions has introduced a high-performance firewall that will allow companies in the healthcare field to conduct e-business with the highest level of security. The firewall, which has been praised by industry-leading consultants, is now available to companies doing business with Antares, a company that provides state-of-the-art computer systems and administrative services to businesses in the health insurance industry and other companies in the medical field.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid961695677,19521,

----------------------------------------------------------------------------

SYMANTEC'S STRATEGY TO SECURE ENTERPRISE ASSETS - [22.06.2000]
Symantec Corporation today announced Symantec Enterprise Security, a comprehensive and modular Internet security solution for enterprise computing environments. The solution allows a corporation to manage the complete security lifecycle of their computing environment from assessment and planning to implementation and monitoring.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid961695789,63262,

----------------------------------------------------------------------------

SECURING B2B WITH DIGITAL SIGNATURE VALIDATION - [22.06.2000]
As President Clinton prepares to sign electronic signature legislation, PenOp, a global provider of eSignature software, and ValiCert, a leading provider of end-to-end secure infrastructure solutions for e-Transactions, today announced a Strategic Alliance Agreement to add digital certificate validation and digital receipt capabilities to PenOp's recently announced Ceremony(TM) software.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid961695886,16923,

----------------------------------------------------------------------------

COVALENT TECH. SHIPS RAVEN SSL 1.5 FOR APACHE - [22.06.2000]
Covalent Technologies, Inc., the leading provider of Apache Web server e-commerce solutions, announced the availability today of the newest version of its security add-on for Apache, Raven SSL 1.5. Because Apache is the world's most popular Web server with 60% of the market share in the Web server arena, Raven SSL 1.5 will benefit e-businesses throughout the world. New features in Raven SSL 1.5 simplify the installation of the software and make it easier to administer. With added support for third party products such as hardware accelerators from nCipher and Rainbow Technologies, Raven guarantees fast and secure e-commerce transactions.
Press release: http://www.net-security.org/cgi-bin/press/fullnews.cgi?newsid961695977,16821,

----------------------------------------------------------------------------
Net-Sec newsletter 03.07.2000
http://net-security.org
----------------------------------------------------------------------------

SECURITY CHECKS CRASH ROUTERS
Red-faced networking giant Cisco has been forced to warn customers that its routers can crash when tested for security vulnerabilities by security scanning software programs.
Link: http://www.vnunet.com/News/1104718

----------------------------------------------------------------------------

SECURE MESSAGING
Critical Path detailed a suite of secure messaging services designed to help enterprises protect information assets such as engineering drawings, financial documents, and legal agreements transferred over the Internet.
Link: http://www.infoworld.com/articles/hn/xml/00/06/26/000626hncritical.xml

----------------------------------------------------------------------------

UK BACKS AWAY FROM RIP BILL
CNN reports that the U.K. government is backing away from some of the more controversial aspects of its e-mail surveillance bill (Regulation of Investigatory Powers - RIP) currently under consideration in the House of Lords.
Link: http://www.cnn.com/2000/TECH/computing/06/26/cybersnoop.idg/index.html

----------------------------------------------------------------------------

CRACKED! PART 6: TALKING WITH THE ENEMY
"Soon after rebuilding the system I started talking to someone on IRC that identified themselves as the person that had cracked our system. He was connecting from the same places that the cracker had been coming from and seemed to know things that only the cracker would have known, so I decided to take him at face value. Over the first couple of weeks we talked about a variety of subjects. I have selected some of the most interesting bits and grouped them together to give an idea of the flavor of the conversations.
It was an interesting window into the mind of someone living a very different life."
Link: http://www.rootprompt.org/article.php3?article=588

----------------------------------------------------------------------------

SCENES FROM THE "HACKERS" HOOD
"The impression that most people fail to get from regular attacks is how trivial they are," said Elias Levy, chief technology officer of SecurityFocus.com. "These people tend to choose their targets pretty much at random - or whoever bothers them that day, or pisses them off."
Link: http://www.wired.com/news/culture/0,1284,37238,00.html

----------------------------------------------------------------------------

VIRUS SCAN FOR HANDHELDS
It looks like McAfee is now offering virus scanning software for handheld computers. Although there are no viruses for handhelds, there is an option to infect when you sync your handheld and your PC. Contributed by Brian.
Link: http://www.mcafee.com/wireless/handscan/default.asp?

----------------------------------------------------------------------------

MATTEL AND PRIVACY
In response to public complaints about privacy, Mattel Interactive announced that the company would provide a tool that removes software that was surreptitiously placed on customers' computers and is designed to transmit and receive information to Mattel.
Link: http://abcnews.go.com/sections/business/DailyNews/mattel000624.html

----------------------------------------------------------------------------

BANK DETAILS SNATCHED
A man calling himself 'Kelly' rang ABC radio station 2BL claiming he had accessed company details from the GST information site www.gstassist.gov.au, which contains the details of about 27,000 businesses. According to ZDnet AU, he said that he simply inserted numbers between 1 and 27,000 into a CGI output and it retrieved records. Contributed by Apocalyse Dow.
Link: http://www.zdnet.com.au/zdnn/stories/zdnn_display/au0003700.html

----------------------------------------------------------------------------

NIKE HIJACKING, PART II
The Nike.com hijacking received a sequel - when Nike's website was hijacked last week, traffic was redirected through one man's Web servers in the U.K., bogging them down and costing his Web hosting company time and money (at least he says so). Now he is suing Nike and he created the "Shame on Nike" web site.
Link: http://www.wired.com/news/politics/0,1283,37286,00.html
Link: http://www.shameonnike.com/

----------------------------------------------------------------------------

LOVE LETTER CREATOR CHARGED
Onel de Guzman is charged for writing the Love Letter worm. The National Bureau of Investigation will charge de Guzman with "traditional" crimes such as theft and violation of a law that normally covers credit card fraud. If charged, the maximum penalty is 20 years in prison.

----------------------------------------------------------------------------

COMPUTER ASSOCIATES REBUFFS SOPHOS ALLEGATIONS
Simon Perry, Computer Associates' vice president, told Newsbytes that he viewed Sophos' comments as irrelevant, adding that the approach his firm takes with warning customers about viruses is to warn them of any potential problems, for whatever reason. "Our reporting of viruses to our customers has drawn kudos, both from customers and the industry at large," he said, adding that the company aims to quickly let people know what the latest virus is and what the associated dangers are.
Link: http://www.computeruser.com/news/00/06/30/news19.html

----------------------------------------------------------------------------

STUDENT ADMITS GOVERNMENT ATTACKS
A university student admitted in Boston federal court to breaking into U.S. government computers including Defense Department and NASA systems. Ikenna Iffih, a student at Northeastern University's College of Computer Science, pleaded guilty to a series of coast-to-coast cyber attacks before U.S. District Judge Robert Keeton late on Thursday.
Link: http://www.wired.com/news/politics/0,1283,37352,00.html

----------------------------------------------------------------------------

SEGA DREAMCAST COPYRIGHT PROTECTION BROKEN
The Dreamcast game system has been viewed as one of the most secure digital entertainment systems on the market. It looks like it is not so secure. A group called Utopia has broken through the copyright protections of the system.
Link: http://news.cnet.com/news/0-1005-200-2181596.html?tag=st.ne.1005.sndstry.ni

----------------------------------------------------------------------------

LEE ASHURST'S POINT OF VIEW
Lee Ashurst, accused of hacking into and sabotaging the Internet service Etisalat, has filed a defamation suit in Dubai against them. He has also set up a site with his opinion on the whole situation.
Link: http://www.supportlee.4mg.com/

----------------------------------------------------------------------------

ISSUE DISCLOSURE POLICY
Lewis Z. Koch did an article on Rain Forest Puppy's "issue disclosure policy", a text dealing with reporting vulnerabilities to vendors. The first version of this text file was sent to Bugtraq approximately 3 weeks ago.
Link: http://mcafee.snap.com/main/page/pcp/cd/0,85,-1716-1431464-397786,00.html

----------------------------------------------------------------------------

IE 5 AND EXCEL 2000, POWERPOINT 2000 VULNERABILITY
Internet Explorer 5.01, Excel 2000 and PowerPoint under Windows 98 (suppose other versions are also vulnerable, have not tested) allow executing programs when viewing a web page or HTML email message - in the latter case at least with IFRAME. This allows taking full control over the user's computer.
Link: http://www.net-security.org/text/bugs/962198313,44285,.shtml
----------------------------------------------------------------------------
IE 5 AND ACCESS 2000 VULNERABILITY
Internet Explorer 5.01 and Access 2000 under Windows 98 (other versions are presumably also vulnerable) allow executing programs when viewing a web page or HTML email message (in the latter case with IFRAME). This allows taking full control over the user's computer.
Link: http://www.net-security.org/text/bugs/962198423,71032,.shtml
----------------------------------------------------------------------------
PATCH FOR "ACTIVE SETUP DOWNLOAD" PROBLEM
Microsoft has released a patch that eliminates a security vulnerability in an ActiveX control that ships with Microsoft Internet Explorer. The vulnerability could be used to overwrite files on the computer of a user who visited a malicious web site operator's site.
Link: http://www.net-security.org/text/bugs/962463758,19962,.shtml
----------------------------------------------------------------------------
DOS IN MICROSOFT WINDOWS 2000 SERVER
Multiple ports and protocols on Microsoft Windows 2000 Server are susceptible to a simple network attack which raises CPU utilization on Windows 2000 Server to 100%.
Link: http://www.net-security.org/text/bugs/962540960,71332,.shtml
----------------------------------------------------------------------------
DOS IN CHECK POINT FIREWALL-1 ON WINDOWS NT
The SMTP Security Server component of Check Point Firewall-1 4.0 and 4.1 is vulnerable to a simple network-based attack which raises the firewall load to 100%.
Link: http://www.net-security.org/text/bugs/962541047,22517,.shtml
----------------------------------------------------------------------------
DOS IN MICROSOFT WINDOWS 2000 TELNET SERVER
Microsoft Windows 2000 Server is supplied with a Telnet server for remote console access. A Denial of Service vulnerability exists in this server which may be exploited by a local or remote attacker.
Link: http://www.net-security.org/text/bugs/962541114,23868,.shtml
----------------------------------------------------------------------------
BOA WEBSERVER LOCAL PATH PROBLEM
BOA Webserver is a small, fast webserver that supports only basic functions. It beats the pants off Apache for speed; the only problem is that it does not do any URL parsing. It admits this (somewhere on the page it says you had better lock down your file system real good), but the problem still remains. Basically you can specify the full local path to any file on a Boa webserver and out it spits the contents. i.e.
Link: http://www.net-security.org/text/bugs/962541273,5729,.shtml
----------------------------------------------------------------------------
[MANDRAKE] WU-FTPD UPDATE
Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC implementation. Because user input goes directly into the format string of a *printf function, it is possible to overwrite important data, such as a return address, on the stack.
Link: http://www.net-security.org/text/bugs/962578199,96510,.shtml
----------------------------------------------------------------------------
[MANDRAKE] DHCP UPDATE
The OpenBSD team discovered a vulnerability in the dhcp client that allows for remote exploitation by a corrupt dhcp server (or an attacker pretending to be a dhcp server). If this vulnerability is exploited, root access can be gained remotely on the host running the dhcp client. The problem is that input is not checked and, as a result, it is possible to execute commands remotely when the network config files are being written on the dhcp client.
Link: http://www.net-security.org/text/bugs/962578323,92268,.shtml
----------------------------------------------------------------------------
CENTRAL COMMAND ANNOUNCES PERFECTSUPPORT - [26.06.2000]
Today Central Command announced PerfectSupport, a new support service that provides mission critical antivirus support and services.
This subscription service provides maximum virus protection to all organizations where virus prevention and malicious application recovery are critical to their operation. This premium service includes unlimited toll-free phone support at any time and priority access to Central Command's Emergency Virus Response Team during virus outbreaks.
Press release: < http://www.net-security.org/text/press/962040421,209,.shtml >
----------------------------------------------------------------------------
eWEEK CHALLENGES PUBLIC TO HACK THEM - [27.06.2000]
In its second major test of Web enterprise security, Labs Interactive, by the editors of eWEEK, in conjunction with digital security services firm Guardent, has created an e-commerce site and is challenging the public to hack the site at openhack.com. Prize money of up to $2,500 will be awarded to the first hacker to crack the site, which mimics a true corporate e-commerce network, including e-mail, Web server, a database application, remote access and five different operating systems. The challenge goes live on June 26 and runs through the first two weeks of July.
Press release: < http://www.net-security.org/text/press/962098245,92659,.shtml >
----------------------------------------------------------------------------
GENUITY ANNOUNCES ENHANCED FIREWALL SERVICES - [27.06.2000]
Genuity Inc., formerly GTE Internetworking, today announced significant new enhancements to the Site Patrol for FireWall-1 family of managed Internet security services. Designed to secure high-volume enterprise intranets and e-business extranets, new leading-edge features include the industry's first High Availability managed firewall service. Site Patrol uses StoneSoft Corporation's award-winning StoneBeat clustering technology with dynamic load balancing to ensure maximum availability, scalability and performance. In addition, a hot standby High Availability option is also available for organizations with fixed throughput requirements.
Press release: < http://www.net-security.org/text/press/962098361,38122,.shtml >
----------------------------------------------------------------------------
SECOND ANNUAL GLOBAL E-SECURITY CONVENTION - [28.06.2000]
Baltimore Technologies, a global leader in e-security solutions, today announced the company's second annual Global e-Security Convention, focusing on the use of e-security to deliver secure, trusted business models and applications. Global e-Security 2000 is the most authoritative convention set up to educate delegates on the business and technology benefits of e-security. This convention will highlight PKI technology as an integral component of secure e-business with the ability to unleash endless opportunities for companies worldwide.
Press release: < http://www.net-security.org/text/press/962198599,45835,.shtml >
----------------------------------------------------------------------------
CA ANNOUNCES ETRUST SINGLE SIGN-ON 6.5 - [28.06.2000]
Computer Associates International, Inc., the world's leading eBusiness solutions provider, today announced the general availability (GA) of eTrust Single Sign-On (SSO) 6.5, the industry-leading secured access solution. The latest version of eTrust SSO provides a comprehensive solution for eBusinesses desiring integrated SSO and access control capabilities for existing client/server and Web-based applications from a single product.
Press release: < http://www.net-security.org/text/press/962198695,70218,.shtml >
----------------------------------------------------------------------------
CYLINK ANNOUNCES GENERAL RELEASE OF NETHAWK - [29.06.2000]
On June 23, Cylink Corporation began customer shipments of its NetHawk, the company's new high-speed virtual private network (VPN) appliance for secure, site-to-site Internet communications. NetHawk is an Internet Protocol Security (IPSec) solution that transparently integrates into the network, providing an enterprise-strength combination of performance and manageability.
Press release: < http://www.net-security.org/text/press/962275562,59227,.shtml >
----------------------------------------------------------------------------
FREE LINUX FIREWALL RELEASED TO PUBLIC - [01.07.2000]
NetMaster Networking Solutions, Inc. of Chilliwack, B.C., announced today they are making their Gateway Guardian Personal Edition firewall software available FREE for personal and non-profit use. It can be downloaded off their web site, www.GatewayGuardian.com, and also from over 100 download sites across the Internet. "We have done this to meet the increasing demand for firewall protection from families adopting high-speed cable, and DSL internet connections across Canada and the U.S.," said Steve Hemenway, NetMaster's Vice President of Sales and Marketing.
Press release: < http://www.net-security.org/text/press/962464441,94200,.shtml >
----------------------------------------------------------------------------
INTERPOL AND ATOMICTANGERINE ANNOUNCE ALLIANCE - [01.07.2000]
Companies worldwide will have new access to superior intelligence in their war against global cyber crime as a result of an innovative alliance between the private and public sector. Working directly with Menlo Park-based venture consulting powerhouse AtomicTangerine, famous Lyon, France-based Interpol has initiated a special relationship designed to deliver advanced intelligence collected by the law enforcement organization to corporations worldwide. Interpol is the world's pre-eminent organization supporting the prevention and detection of international crime.
Press release: < http://www.net-security.org/text/press/962550257,75895,.shtml >
----------------------------------------------------------------------------
******* 10.07.2000 http://net-security.org
----------------------------------------------------------------------------
Subscribe to this weekly digest on: http://www.net-security.org/text/newsletter
----------------------------------------------------------------------------
KAIST CONTEST FINISHED
The Information Security Education Research Center of the Korean Advanced Institute of Science and Technology said Sunday that no hackers among the 3,664 teams worldwide managed to conquer its third level server. KAIST paid two teams $30,000 for entering the second level.
Link: http://www.chosun.com/w21data/html/news/200007/200007020212.html
----------------------------------------------------------------------------
WEB SITE WORM
Kaspersky Lab announced today the discovery of a new Internet worm (called "Jer"), which has the ability to penetrate computers at the moment users visit "infected" web pages. While surfing to a web site containing the worm, a security box opens, and if you click on Yes you get infected.
Link: http://www.kasperskylab.ru/eng/news/press/20000702-1.asp
----------------------------------------------------------------------------
SECURING PALM PILOTS
"In order to add satisfactory security to your PalmPilot, you must search out 3rd party software to add the necessary components" - Jim Reavis from Security Portal writes.
Link: http://www.securityportal.com/
----------------------------------------------------------------------------
HACKERS AS CRIMINALS
"Stop blaming Microsoft - it's the hackers who are the guilty ones" - is the final comment from Andrew Tomas, journalist from The Register UK. The writer blames hackers and calls them criminals; in the article, the big companies out there are just out to make money and not ready to protect their customers. Contributed by Apocalyse Dow.
Link: http://www.theregister.co.uk/content/1/11763.html
----------------------------------------------------------------------------
SOPHOS ANTI-VIRUS FOR EXCHANGE
Sophos has made available a beta version of Sophos Anti-Virus for Exchange for download. New features include scanning inside compressed and archived files, and detection of Apple Macintosh viruses.
Link: http://www.sophos.com/downloads/beta/
----------------------------------------------------------------------------
NSI AUTHENTICATION FAQ
With all these domain hijackings, the following FAQ on Network Solutions' web site comes in very useful. It deals with all questions regarding authentication at NSI.
Link: http://www.networksolutions.com/help/guardian.html
----------------------------------------------------------------------------
OPENHACK.COM DEFACED
"Web site successfully defaced, details upcoming" - there is some news from the eWEEK hacking contest. According to the rules, this was not a successful compromise, but Attrition has the mirror.
Link: http://www.attrition.org/mirror/attrition/2000/07/03/www.openhack.com/
----------------------------------------------------------------------------
SPECIAL FEATURE: ECHELON
ZDNet United Kingdom has a special feature on their site, and the topic is Echelon. It has a variety of articles, comments and multimedia files on the worldwide privacy risk.
Link: http://www.zdnet.co.uk/news/specials/2000/06/echelon/
----------------------------------------------------------------------------
LEGAL FACTS
Wired also did a report on Lee Ashurst, who is accused of penetrating the systems of an Arab ISP named "Emirates Internet and Multimedia". The article focuses mostly on the legal facts of computer crime law in the UAE.
Link: http://www.wired.com/news/politics/0,1283,37401,00.html
----------------------------------------------------------------------------
ACCESS DENIED TO FBI WEB SITE
"You can't access fbi.gov if you have a Freedom 'nym' running," confirmed Dov Smith, spokesman for Zero-Knowledge Systems, who created software called Freedom, which lets you use the Internet anonymously.
Link: http://www.wired.com/news/technology/0,1282,37425,00.html
----------------------------------------------------------------------------
E-COMMERCE SECURITY REPORT
Deloitte Touche Tohmatsu and the Information Systems Audit and Control Foundation have published a report entitled "E-commerce Security Enterprise Best Practices." The report is the result of a worldwide survey of professionals in 46 locations, including Hong Kong, over a period of six months. The report is an effort to address the security, control and audit issues involved in e-commerce.
Link: http://www.computeruser.com/news/00/07/07/news5.html
----------------------------------------------------------------------------
SECURITY IS NOT A LUXURY ANYMORE
This article by Andrew Kaufman talks about the shortsighted thinking that is prevalent in many companies that do not put effective security measures in place.
Link: http://linuxsecurity.com/feature_stories/feature_story-58.html
----------------------------------------------------------------------------
CELLULARS, FRAUDS AND PROBLEMS
"With the GSM standard, fraud cannot be easily detected and when back-end infrastructure/logistics are not completely in place networks are especially vulnerable" - said Gary Bernstein, managing partner of UK-based fraud management consultancy Praesidium Services Ltd.
Link: http://www.financialexpress.com/fe/daily/20000707/fco07003.html
----------------------------------------------------------------------------
"HACKER" INSURANCE
Lloyd's of London will offer up to $100 million in insurance coverage to clients of computer security management firm Counterpane Security against hacker losses to their business or their customers.
Link: http://news.cnet.com/news/0-1005-200-2232221.html?tag=st.ne.1430735..ni
----------------------------------------------------------------------------
OPENHACK.COM DEFACED, PART DEUX
OpenHack.com was defaced for the second time. After "al and mei" penetrated the server and changed its index page, Jfs did it also. BTW, if you remember, Jfs also hacked into last year's PC Week hacking contest server.
OpenHack defaced again: https://www.openhack.com/index_cracked_2.html
Info on last year's PC Week hack: http://hispahack.ccc.de/en/mi019en.htm
----------------------------------------------------------------------------
REMOTE DOS ATTACK IN REAL NETWORKS REAL SERVER
The Ussr Labs team has recently discovered a memory problem in the RealServer 7 Server (patched and non-patched). What happens is, by performing an attack sending specially malformed information to the RealServer HTTP port (default is 8080), the process containing the services will stop responding.
Link: http://www.net-security.org/text/bugs/962751695,46694,.shtml
----------------------------------------------------------------------------
ORACLE WEB LISTENER FOR AIX DOS
By issuing a malformed URL (variations on "..") it is possible to cause a Denial of Service situation where the Oracle_Web_Listener will no longer accept HTTP requests and the service needs to be restarted.
Link: http://www.net-security.org/text/bugs/962846668,98024,.shtml
----------------------------------------------------------------------------
VULNERABILITY IN POLL_IT CGI V2.0
Because the CGI initializes its internal variables before parsing any form data, and the method it uses to parse form data overwrites internal variables (in this case, $data_dir), it is possible to retrieve any files readable by the webserver.
Link: http://www.net-security.org/text/bugs/962976911,43476,.shtml
----------------------------------------------------------------------------
PATCHING "STORED PROCEDURE PERMISSIONS" VULNERABILITY
Microsoft has released a patch that eliminates a security vulnerability in Microsoft SQL Server 7.0. The vulnerability could allow a malicious user to run a database stored procedure without proper permissions.
Link: http://www.net-security.org/text/bugs/963135822,65666,.shtml
----------------------------------------------------------------------------
COBALT LINUX PROBLEMS
There are two major problems with Cobalt Linux, used to drive the Cobalt RaQ series of hardware (used by thousands of ISPs). Both problems were tested against a Cobalt RaQ 3 with OS Update 3.0, which was released on the 15th of June. No updates have been released.
Link: http://www.net-security.org/text/bugs/963135955,96589,.shtml
----------------------------------------------------------------------------
FLOWERFIRE SAWMILL VULNERABILITIES PATCH
"We have just shipped a new version of Flowerfire Sawmill (5.0.22) which corrects both of the vulnerabilities mentioned on your web site (Flowerfire Sawmill File Access Vulnerability and Flowerfire Sawmill Weak Password Encryption Vulnerability). The update is free.
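The Boa item earlier in this digest and the Poll_it item above come down to the same defect: a server builds a file path from client input it never checks. The following Python is an added illustration, not Poll_it's or Boa's own code; it reproduces the Poll_it pattern (a form parser that dumps every field into the global namespace and so overwrites the pre-initialised data directory) next to a hardened parser that keeps form fields in a dict and confines the resolved path to the data directory. The directory /srv/poll_data and the field name poll are assumptions.

```python
"""Added illustration of the Poll_it / Boa bug class; not the projects' own code.

A CGI-style parser that writes every form field into the module namespace
lets a client replace the `data_dir` the script initialised earlier, and a
file lookup that joins paths without checking them hands out any file the
server can read. The hardened versions keep form data in a dict and confine
the resolved path to the data directory. Directory and field names are
hypothetical."""
import os
from urllib.parse import parse_qsl

# Internal setting "initialised before parsing any form data" (hypothetical).
data_dir = "/srv/poll_data"


def parse_form_into_globals(query: str) -> None:
    """Vulnerable: mirrors the `$$name = $value` style of parsing.

    Every submitted field becomes a global, so a field named data_dir
    silently overwrites the value set above."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        globals()[name] = value


def vulnerable_lookup(query: str) -> str:
    """The bug class in one place: the directory is read from globals the
    parser may have just overwritten, and the path is never checked.
    os.path.join also discards data_dir entirely when the field is an
    absolute path, which is the Boa "full local path" case."""
    parse_form_into_globals(query)
    return os.path.join(data_dir, globals().get("poll", ""))


def parse_form_into_dict(query: str, allowed: frozenset) -> dict:
    """Hardened: fields live in their own dict; names not in `allowed`
    are dropped, so internal settings cannot be reached at all."""
    return {name: value
            for name, value in parse_qsl(query, keep_blank_values=True)
            if name in allowed}


def resolve_in_dir(base_dir: str, name: str) -> str:
    """Return the absolute path for `name` only if it stays inside base_dir.

    realpath() collapses '..' and symlinks before the containment check, so
    'x/../../etc/passwd' and absolute paths are both rejected."""
    if not name:
        raise ValueError("empty file name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes data directory: {name!r}")
    return target


def hardened_lookup(query: str, base_dir: str = "/srv/poll_data") -> str:
    """Same lookup with both fixes applied."""
    form = parse_form_into_dict(query, allowed=frozenset({"poll"}))
    return resolve_in_dir(base_dir, form.get("poll", ""))


if __name__ == "__main__":
    print(vulnerable_lookup("data_dir=/etc&poll=passwd"))  # /etc/passwd
    print(hardened_lookup("data_dir=/etc&poll=passwd"))    # /srv/poll_data/passwd
    for q in ("poll=../../etc/passwd", "poll=/etc/passwd"):
        try:
            hardened_lookup(q)
        except ValueError as err:
            print("rejected:", err)
```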
"
Link: http://www.net-security.org/text/bugs/963136068,19952,.shtml
----------------------------------------------------------------------------
NOVELL BORDERMANAGER PROBLEM
To provide SSO-like capabilities for customers using the BorderManager proxy server and the NetWare client, Novell uses a small program, ClientTrust, typically run from the user's login script. Once run, ClientTrust listens indefinitely on port 3024 for requests. Upon a user's initial attempt to access the web through BorderManager, BorderManager sends a "request" to the user's box in the form of UDP packets on port 3024.
Link: http://www.net-security.org/text/bugs/963136348,87288,.shtml
----------------------------------------------------------------------------
[MANDRAKE] BITCHX UPDATE
A denial of service vulnerability exists in BitchX. Improper handling of incoming invitation messages can crash the client. Any user on IRC can send the client an invitation message that causes BitchX to segfault.
Link: http://www.net-security.org/text/bugs/963228702,20509,.shtml
----------------------------------------------------------------------------
SECURECRT OPENS UP SSH TO OPEN-SOURCE SERVERS - [04.07.2000]
The OpenSSH server, currently version 2.1.1, implements both the SSH1 and SSH2 protocols on BSD and Linux, as well as several commercial UNIX platforms. OpenSSH was developed by a group of programmers under the OpenBSD project. The server supports SSH2 features such as multiple authentication methods, including public key authentication with up to 1024-bit DSA security.
Press release: < http://www.net-security.org/text/press/962675746,58806,.shtml >
----------------------------------------------------------------------------
SOPHOS TOP TEN LIST FOR JUNE - [04.07.2000]
Top ten viruses reported to Sophos Anti-Virus in June 2000. This is the latest in a series of monthly charts counting down the ten most frequently occurring viruses as compiled by Sophos, worldwide leaders in anti-virus protection.
Press release: < http://www.net-security.org/text/press/962676094,48520,.shtml >
----------------------------------------------------------------------------
INTRUSION.COM ACQUIRES MIMESTAR - [05.07.2000]
Intrusion.com, a global provider of enterprise security solutions, today announced the acquisition of MimeStar, Inc., developer of the advanced network intrusion detection software SecureNet Pro.
Press release: < http://www.net-security.org/text/press/962804485,13519,.shtml >
----------------------------------------------------------------------------
VERISIGN PROVIDING INTERNET TRUST SERVICES FOR E-DOCS - [06.07.2000]
e-DOCS.net, the medical e-document company, announced today that VeriSign has been selected to provide Internet trust services for e-DOCS.net's new professional portal, the e-DOCS Physician Network. VeriSign's Web site digital certificate services are used by all of the Fortune 500 companies with a Web presence.
Press release: < http://www.net-security.org/text/press/962879584,17494,.shtml >
----------------------------------------------------------------------------
COSTAR SELECTS RSA SECURITY AS ITS SECURITY PROVIDER - [06.07.2000]
CoStar Group, Inc., the leading provider of information services to the U.S. commercial real estate industry, announced it has integrated premium high-tech security features from RSA Security Inc., the most trusted name in e-security, into CoStar Exchange, a Web-based interactive marketplace for commercial properties for sale.
Press release: < http://www.net-security.org/text/press/962879876,52670,.shtml >
----------------------------------------------------------------------------
FREE SECURITY LINUX MANAGEMENT SOLUTION FROM SOLSOFT - [06.07.2000]
Solsoft, Inc., the leading provider of policy management for e-Business security, today announced a free security management solution for the Linux community.
To facilitate distribution the company has entered into a worldwide partnership with MandrakeSoft, one of the world's leading Linux publishers. Called Solsoft NP-Lite, the software is included with the Linux-Mandrake PowerPack or Deluxe 7.1 operating system released last month.
Press release: < http://www.net-security.org/text/press/962908184,62401,.shtml >
----------------------------------------------------------------------------
MAIL.COM ANTI-VIRUS INTERCEPTIONS INCREASE 580% - [06.07.2000]
Mail.com, Inc., a leading global provider of Internet Messaging services for businesses, announced today that its leading anti-virus service, MailWatch, formerly MailZone, intercepted 51,510 viruses in the second quarter. That figure represents a 580 percent increase over the first quarter's virus interception activity, and is due largely to the "I Love You" (AKA "Love Letter") virus in May, the "Stages" virus in June, and an increase in corporate customers using the MailWatch service.
Press release: < http://www.net-security.org/text/press/962908037,90908,.shtml >
----------------------------------------------------------------------------
AUTHORIZOR INC. ANNOUNCES AUTHORIZOR 2000 - [09.07.2000]
Authorizor Inc., an internet security software provider, announced today that its new Authorizor 2000 software product, which is designed to provide fail-safe website security, is now available. This new version enhances ease-of-use for customers and offers increased Internet security and access management functionality.
Press release: < http://www.net-security.org/text/press/963137242,35553,.shtml >
----------------------------------------------------------------------------
NETSCREEN ADDS RSA SECURITY SOFTWARE TO IA OS - [09.07.2000]
RSA Security Inc. today announced that NetScreen Technologies Inc., a leading developer of ASIC-based Internet security appliances and systems, has licensed RSA BSAFE® Crypto-C software.
NetScreen has added the RSA Security product to NetScreen ScreenOS 2.0, the operating system that powers the company's line of integrated security appliances. By adopting RSA Security software, NetScreen has been able to add encryption and authentication functions enabled by RSA BSAFE Crypto-C software - one of the world's best selling cryptography engines - to the NetScreen operating system.
Press release: < http://www.net-security.org/text/press/963142839,13266,.shtml >
----------------------------------------------------------------------------
CLICKNET FORGES ALLIANCE WITH CISCO SYSTEMS - [10.07.2000]
ClickNet and Cisco to Develop Intrusion Detection Solution for Securing E-Business Operations Throughout the Corporate Network
ClickNet Software Corp., the premier provider of anti-hacking e-server security solutions, today announced an alliance with networking giant Cisco Systems, Inc. to develop a complete intrusion detection solution for securing vulnerable e-business environments.
Press release: < http://www.net-security.org/text/press/963228079,34377,.shtml >
----------------------------------------------------------------------------
COMMON SYSTEM INTRUSION METHODS - by Craig H. Rowland
"I've done a large amount of system auditing and network attack tool programming in the past and here is what I consider the most common methods for gaining access to a target host."
Article: < http://www.net-security.org/text/articles/common.shtml >
----------------------------------------------------------------------------
TECHNIQUES ADOPTED BY 'SYSTEM CRACKERS' WHEN ATTEMPTING TO BREAK INTO CORPORATE OR SENSITIVE PRIVATE NETWORKS - by the consultants of the Network Security Solutions Ltd. Front-line Information Security Team
This white paper was written to help give systems administrators and network operations staff an insight into the tactics and methodologies adopted by typical system crackers when targeting large networks.
Article: < http://www.net-security.org/text/articles/techniques.shtml >
----------------------------------------------------------------------------
STRUCTURAL VERSUS OPERATIONAL INTRUSION DETECTION - by John Kozubik
"Structural IDS will be defined as identifying and monitoring unusual actions and objects in the network and computers participating on the network."
Article: < http://www.net-security.org/text/articles/ids.shtml >
----------------------------------------------------------------------------
SECURITY FOR THE HOME NETWORK - by JC Pollman and Bill Mote
"Security for the home network is your responsibility. With all the tools available to the crackers and script kiddies, it is not a matter of IF but rather WHEN you will be probed and possibly attacked. I have personally been connected via modem for less than 5 minutes and been port scanned! Your ISP really does not care if you are being attacked by "x" because if they shut down "x", tomorrow it will be "y" attacking you. Fortunately there are several things you can do to greatly increase the security of your network."
Article: < http://www.net-security.org/text/articles/homenetwork.shtml >
----------------------------------------------
**********************************************
Creating An Internet Service Provider (ISP) - Slider
**********************************************

An Internet Service Provider (ISP) is a company that has access to the Internet and sells this ability to connect to the Internet to members of the general public. There are various ways that a provider can be connected to the Internet; normally a provider will be connected with some type of telecommunication line that provides a much higher throughput than any one individual would need or could afford. This throughput and its cost are then shared by all subscribers.

An Internet Service Provider is not the same as an Information Service.
At one time it was easy to distinguish between an Internet Service Provider and an information service, such as Compuserve or America On-Line (AOL). These services provided access to their own network, and sometimes even allowed e-mail to be sent to other networks. However, these types of information services are becoming more and more entwined with the Internet, and almost all now provide the ability to directly access the Internet. They advertise as being Internet Service Providers and provide services such as News, WWW and even Chat. These information services have seen the increased opportunities available in being an Internet Service Provider.

The first and most popular service provided by Internet Service Providers is e-mail. Initially it was considered sufficient to just provide e-mail access. Nowadays, e-mail is considered to be the absolute minimum service that an ISP should provide. The services that are now available range from basic e-mail to a full-fledged company presence on the Internet, including a home page, product catalogs and secure online ordering, as well as customer support with real-time audio and video.

As the Internet was beginning to become popular, relatively few people had the necessary hardware to access these services. To access the services properly you need a Transmission Control Protocol/Internet Protocol (TCP/IP) network connection. Initially this type of connection was only available on platforms running UNIX. In the meantime, however, this type of connection has become available on almost all major operating systems, from Microsoft Windows to IBM's OS/390.

- Sample Network Design for an ISP

Below is a crude example of a network design for an ISP. Basically this design consists of servers running software that provide various services. It also includes routers that provide connectivity to the Internet and dial-in access for remote users.
          SERVER#1        SERVER#N
                 \        /
                  \      /
               ISP NETWORK ------------ DIAL UP ------ USER
                  /      \
                 /        \
            ROUTER      SERVER ADMIN
              |
              |
           INTERNET

Implementing a network such as this for an ISP requires many decisions among the various platforms, hardware, software and connectivity options. This text attempts to cover some of that. It does not provide all the information that you need in every instance, but addresses all important topics and provides assistance in obtaining further information.

A decision to establish an ISP is usually a financial decision; either it is seen as an opportunity to make money or to save money that is currently being paid to another ISP. To protect your investment and ensure that an ISP continues to meet its financial expectations, it must be properly managed.

- Connectivity

I begin by examining the Internet topology to show the way an ISP is located within this network.

-- Internet Topology

The Internet consists of high-speed circuits connecting routers that transmit data through Transmission Control Protocol/Internet Protocol (TCP/IP). It doesn't belong to only one group, company or country. All the different parts belong to several organizations, but the Net itself doesn't belong to anyone. The circuits are maintained by large telecommunications companies in each country, such as MCI, Sprint and Worldcomm in the USA and Embratel in Brazil. The national ISPs, such as IGN, lease high-speed circuits from the telecommunications companies to be connected in their Points Of Presence (POPs - not to be confused with the POP mail protocol) through routers. In this way they have access to the Network Access Points (NAPs), where they can exchange routes and traffic, shuffling information from one machine to another. The largest NAPs are connected by very high-speed data circuits, often between 45 and 144 Mbps. Regional and local ISPs purchase connections from these national ISPs or, in some cases, directly from the large telecommunications companies.
Consequently they can offer Internet access and services to their customers. Therefore, as the Internet backbone is really made up of several complex backbones that are joined at the various NAPs, you won't be able to be connected directly to the Internet. This is not the way it works. You will need a TCP/IP network connection to another Internet provider that is already connected to the Internet. It can be a national ISP or another ISP. The ISPs who offer this type of service are usually called Internet backbone providers or upstream providers. This upstream connection gives the ISP and its customers access to the Internet backbone. The customers' links to the ISP, however, are called downstream connections. The terms upstream and downstream are used when discussing connections from an ISP to other sites, where upstream circuits route data closer to the Internet core while downstream connections refer to those that route information further away from it. Another way of looking at it is that an ISP pays for upstream links and charges for downstream links.

--- Internet Backbone Connection

Connecting an ISP to the Internet backbone requires several steps, including identifying the organization that is going to provide the Internet access, choosing the technology and network hardware that will be used in the connection, and getting the domain and IP address.

* Upstream Provider

Choosing an upstream provider is one of your most critical decisions. You have to choose circuits that are going to connect you and your customers to the Internet. The capability, performance and reliability of these circuits are important. However, as they represent a major expense, they must be chosen carefully. Buying an Internet connection is a lot like buying a computer. Just as when you are buying a computer, your choice of an Internet service provider should be driven by your intended use.
If you are looking for minimum cost, you might seek out the lowest-priced system in the back of a magazine or even assemble something yourself from parts bought at a flea market. There are some low-cost IP service suppliers who claim to be just as good as the others, but may not be in business next year to prove it. Since you are buying something your business will depend on, this is not the wisest choice. If you make the arrangements with a backbone provider whose connections are small or bad, your customer base will know it. They will feel it when using your service. It also doesn't mean that buying the most expensive solution is going to be the best choice, supporting the theory that you get what you pay for. You should analyze the options you have carefully, paying attention to the different services, price structures, peak bandwidth limitations, personal service quality and geographical constraints. Some topics you need to think about when evaluating upstream providers are:

· Network Topology

This is one of the most important criteria to consider when choosing a provider. Looking at the network topology can help you understand how vulnerable the network is to outages, how much capacity is available when the network is loaded more heavily than usual and, most important of all, how well the provider understands network engineering.

· Network Link Speeds

It is important to look closely at the speeds of the backbone links. To be able to do that, you should consider what kind of link services you are going to provide to your customers in order to size your needs. Do you intend to be an upstream provider to other ISPs, or to just have dial-up customers? Another point to understand is that your network connection can only be as fast as the slowest link in the path. It doesn't matter if the node you will be connected to is a T3 if the link between you and it will be only 56 kbps. The limit will be the 56 kbps link, not how much capacity the T3 node has.
On the other hand, if the provider only has 256 kbps to its upstream connection, there is no sense buying a T1 from it. Don't forget to ask if the topology you are being shown is operational now. Some providers like to show links that are not operational as part of their backbone infrastructure. It is also important not to confuse the press release about a new high-speed network link with that link actually being operational.

· External Network Links

Take a look at the external links of each provider's backbone. Do they have a single connection to the rest of the world? This is a potential single point of failure. Look for multiple, direct connections to other network providers. The more of these connections, the better. This shows that the provider is concerned about external connectivity and does not want to be dependent on some third party for interconnection. If they have a single connection to the outside world, ask them how often it fails and how long they usually are isolated. If they can't give you these statistics, are they managing their own network well enough to manage yours?

One extremely important point is how far the provider is from the high-speed data circuits. The performance and throughput for your customers will be related to how close you are to the major NAP circuits. Upgrades can also be difficult if you are far from the backbone circuits. Even if you start small, you'll eventually want to increase your bandwidth. And changing your provider incurs considerable costs, both in changing IP addresses (in most cases) and the work time to complete the task.

· Location

You must consider if you can connect to high-speed backbones for a reasonable cost. The POP locations the upstream provider offers to you are extremely relevant. The distance from your office location to the nearest POP can make or break your business, due to the varying level of circuit availability and bandwidth costs.
In the former case, there are some areas where there are very long lead times for a new specific circuit. In the latter, the provider requires that you buy the local loop segment that is going to make the connection between your company office and its closest POP. You will have to buy this directly or indirectly from one of the telephone companies serving your local area. The local loop charges are often the highest costs in the communications chain. So pay attention to the whole solution cost, which must include the local loop and the service provider fee.

· Technology

The technology being used to operate the network is also critically important. Today, there is a great deal of commercial quality router, switch and modem technology available from companies whose business it is to make that equipment. Sometimes a provider can have a bad case of the "not invented here" syndrome. This is a sure sign of long-term problems. Any provider still relying on their own internally developed equipment is doing you a disservice. You deserve the benefits of leading-edge production technology, not aging hardware that has been contorted into a use never intended by its designers. Remember, you are buying a service. The provider of this service should be using the best available technology to deliver this service.

· Technical Staff

Another aspect to consider when choosing a provider is the quality of its technical staff. They are the ones who will get your connection running to begin with and then keep it and the network running in the future. They have to be experienced in TCP/IP data networking. Make sure the provider has adequate staffing to cover the usual situations. If they send people to trade shows for a week, how many people are back at the office running things and how skilled are they? Find out what their technical staff turnover is. If people are leaving, find out why and who is left to keep your connection operational.
Many suppliers of service have single points of failure in their staff capacity as well.

· Help Desk Infrastructure

Check out their help desk infrastructure. It should be 24x7 (24 hours a day, 7 days a week), staffed by at least one person, including nights, weekends and holidays. Make sure that they will have someone capable of dealing with your problem and not someone who will just answer the phone all the time.

· Organization

Find out how long the company has been in the IP business. Try to determine if they are going to be in business for the long run. Quality networks are not built on a small budget. The pricing may look attractive now, but the passage of time often reveals hidden costs and price increases, the greatest of which can be having to switch providers. Another way of getting good information is by talking to other ISPs. You can try looking up their information in some Internet forums. If you don't find anything about whose backbone providers to use, at least you will find whose you should not.

· Full Range of Services

Does your provider have a full range of services or is it just filling a niche? If you need to increase or decrease your service level, will you need to switch providers?

- Access Technologies

There is a wide variety of data circuit technology choices to connect an ISP to an upstream provider. They vary from dial-up to leased lines, ISDN, frame relay, ATM, satellite and cable modem, as well as many others. Because there are so many options, we describe the access technologies most commonly used. Most ISPs use two types of available circuits: point-to-point and shared physical networks. In the point-to-point connection we can find two distinct physical terminations for the link, meaning it's physically connected through wires. The most often used links are leased lines, from 56 kbps to T3 circuits. In the shared network, the connection is divided among several customers and the circuit disappears into a cloud.
In this topic we discuss the frame relay technology.

- Leased Lines

Leased lines (also called dedicated lines) are the most common way to connect an ISP environment to the upstream provider. Here you have a private network between you and your provider, available through twisted-pair copper wires between the two points. Dedicated lines are stable and reliable, and in some countries you can get very cheap high-speed channels. However, as the connection is always open and available for you, you will have to pay for the full utilization of the circuit. The cost of the connection depends on the distance between the two linked points as well. Although this may not make much difference when the connection stays in the same city, large increases can occur if your connection travels through other exchanges. Despite the differences between the providers, the nearer the POP, the better.

The bandwidth rates vary with the type of connection you will need, from low-speed to high-speed circuits. Although there are many different kinds of leased connections and they can vary depending on the country, the most popular speeds and standards are as follows:

· 56 kbps

This is an entry point for dedicated circuits and is called Dataphone Digital Service (DDS). It is a digital phone-line connection capable of carrying 56,000 bps. At this speed, a megabyte will take about three minutes to transfer. This is 3.7 times as fast as a 14,400 bps modem.

· 64 kbps

This is also a digital phone-line connection, capable of carrying 64,000 bps. At this basic speed rate a megabyte will take about two minutes to transfer. This is 4.4 times as fast as a 14,400 bps modem. It is also called DS0 (that means Data Speed 0, Digital Service 0 or Digital Signal 0, depending on the reference book).

· Fractional T1

A fractional T1 (FT1 or FracT1) is a subchannel of a full T1 channel, which is a percentage use of the available data channel.
A full 1.5 Mbps T1 circuit contains 24 fractional T1 lines, each with a bandwidth of 56 or 64 kbps. The purchase of the circuit can be one or more fractional lines. For example, a 256-kbps link can be accomplished with four of the above channels. For 512 kbps, we will need eight channels, and so on. Upgrades can also be done just by adding the extra fractional T1 lines needed to the current leased channel. Although you don't need to purchase a complete T1 line, you may be surprised by the cost of the lower-speed connections. This is because fractional T1 and full T1 services are not functions of the physical connection speed, but have to do with choices programmed into the data communications equipment. In this way, although FracT1 uses only some of the available channels, you will need to purchase a full T1 circuit anyway. For this reason the money you pay for an initial 256-kbps connection is not proportional to the cost of an upgrade to 512 kbps or a full T1.

· T1

T1, also called DS1, is a leased-line connection at 1.5 Mbps, that is 1,544,000 bps. This term is used in the USA, Australia and in some other countries. A T1 circuit has 24 channels; depending on the line encoding, each channel carries 64 kbps or 56 kbps, for a total bandwidth of 1.536 Mbps or 1.344 Mbps. At maximum theoretical capacity, a T1 line could move a megabyte in less than 10 seconds.

· E1

Similar to a T1 link, this standard is used in Europe, South America and in other parts of the world. In an E1, each circuit is composed of 32 64-kbps channels that provide a total bandwidth of 2,048,000 bps. It is also called a 2-Mbps link.

· E3

In an E3 line there are 480 channels for a total bandwidth of 34,368,000 bps. It is also used in Europe and other countries.

· T3

A T3 circuit, also known as DS3, is a high-speed leased-line connection capable of providing 44,736,000 bps. It is equivalent to 28 T1 circuits.
As a T1 circuit is constructed from lower bandwidth slices, a T3 link carries 672 channels of 64 kbps. It is usually available over high-speed fiber-optic cable, generally in large Internet backbones. Fractional T3 lines are also available in the same way as in T1.

The previous circuits are the ones most often used by ISPs. However, there are two other T-carrier service standards: T2 and T4. T2 provides up to 4 T1 channels, but is not available commercially. T4 carries 168 T1 channels for a total bandwidth of 274.176 bps.

- Frame Relay

Frame relay is a data communication interface originating from ISDN, designed to provide high-speed frame or packet transmission with minimum delay and efficient use of bandwidth. It is a variation on the X.25 interface and a form of fast packet switching. It derives its name from using the data link or frame layer (OSI layer 2) to route or relay a packet directly to its destination instead of terminating the packet at each switching node. This eliminates processing overheads and increases throughput speed. It's based on the ITU-TS LAP-D standard and uses variable-length packets. Like Ethernet or token-ring, frame relay assumes that connections are reliable. It does not have error detection and error control within the network, which helps to speed up the protocol. When errors occur, frame relay relies on higher level protocols for error control.

We can also think of frame relay as a point-to-point connection, but in this case we are referring to the virtual connection between two sites. They appear to have a dedicated connection but they are actually sharing networking hardware with many others. Frame relay is offered by most large telecommunications companies and Regional Bell Operating Companies (RBOCs) with a bandwidth range from 56 kbps to 2 Mbps. Although voice transport over frame relay is possible, it's considered to be restricted to data transport because of the constant transmission that voice requires.
Using frame relay you will probably get a lower cost connection service. This is because it works with a common cloud, where its total bandwidth is divided among all the other customers. However, there's a standard, Committed Information Rate (CIR), that guarantees some amount of bandwidth. For example, you can purchase a 512-kbps link from a frame relay provider and set the CIR to 128 kbps. In this way, you will not always have 512 kbps, but you will have at least 128 kbps guaranteed. When the traffic on the frame relay cloud is low, you can have up to the full 512 kbps. You pay for the CIR you choose, of course.

- ATM

Asynchronous Transfer Mode (ATM) is a relatively new, very high speed digital data transmission circuit capable of data transfer rates up to 2.488 Gbps under experimental circumstances. However, initial implementations are around 155 Mbps or 622 Mbps. ATM is a cell-based data transfer technique in which channel demand determines packet allocation. It offers fast packet technology and real-time, demand-led switching for efficient use of network resources. It can deal with all kinds of traffic: data, voice and video.

All information is transported through the network in very short blocks called cells. In contrast to frame relay, which allows variable frame sizes, each cell is always 53 bytes long: 48 bytes of data plus 5 bytes of header. Information flow is along paths (called virtual channels) set up as a series of pointers through the network. The cell header contains an identifier that links the cell to the correct path to take towards its destination. Cells on a particular virtual channel always flow on the same path through the network and are delivered to the destination in the same order in which they were received. ATM is designed so that simple hardware-based logic elements may be employed at each node to perform the switching. For example, on a link of 1 Gbps, a new cell arrives and a cell is transmitted every .43 msec.
There is not a lot of time to decide what to do with an arriving packet. ATM can be used in two distinct environments: carrier, provided as a service to the end user, and private network, where a large organization purchases lines from a carrier (or installs them itself) and builds a private ATM network. Although ATM will be the high-bandwidth networking standard of the decade, it is a technology that is maturing slowly in wide area networks. One of the major problems is government regulation. In most countries, governments regulate the detailed technical characteristics of everything that connects to a public communications network. This is often called homologation, and part of its process requires protocol testing, which is an extremely expensive and very slow task. At the moment, ATM is starting to appear only at the NAP level or in connections between the NAPs. It's a very expensive option, but something that could be considered in cases where T-carrier is not enough anymore.

- Other Technologies

There are some other trends for obtaining bandwidth into the Internet network. We discuss three of them.

Optical Cabling: In the most commonly used method of connection, through the leased lines, the communications infrastructure is almost completely based on copper lines, which increases the local loop charges. As optical cabling becomes cheaper to install and maintain than traditional copper wires, the telephone and cable companies are replacing aging infrastructures with this type of cabling. With this upgraded infrastructure, the ability to transmit data in the local loop will be increased, and bandwidth cost will tend to climb. Some research results show that this physical link, about the size of a human hair, is able to deliver 1000 billion bps, roughly 2000 times faster than the theoretical maximum of twisted pair.

Cable TV and Satellite: Other growing options for Internet access are the use of cable TV and satellite.
Cable Internet access has been tested in some countries, while some satellite companies have been using solutions in the style of Direct TV dishes. Although there are still many restrictions for an ISP upstream connection, these emerging technologies may be used on a large scale in the future. But before explaining the restrictions, you need to understand some concepts: cable technology, and the one-way and two-way communications methods of a cable system.

The cable system technology has a starting point in each community that is responsible for the origin of the community's signals and the reception of signals that come from satellites through the air. From this point, the signals are carried in a coaxial cable throughout the community. The transmission method called Frequency Division Multiplexing (FDM) allocates 6 MHz of bandwidth on the coaxial cable for each signal, which allows multiple channels to be carried over the same coaxial cable. In order to cover all the community, the cable is split and the entire signal is reproduced on each cable after each split. This results in a tree topology. In some ways, the cable architecture is similar to Ethernet LANs, which send all the information to all hosts on the network, but only the correct host gets all of the Ethernet packets addressed to it.

Although the cable system has been used by the cable companies for many years, it has been modified due to the advances in fiber-optic transmission technology. They are changing this tree topology to a new hybrid fiber-and-coaxial (HFC) system. In this system fiber is used in the neighborhoods and coaxial cable is used for the connection to each door. This technology can transmit more information than coaxial cable because it has more frequency ranges. Also, as it uses light instead of electricity, it can carry the signal for longer distances without amplification. Despite all these improvements, the cost of optic fiber prevents the telephone companies from installing it.
So there's a new configuration called Fiber-to-Fiber-Neighborhood (FTTN) that takes optic fiber into a group of houses. As a consequence, many coaxial cables are replaced by fiber while small connections remain coaxial. In addition, the signal quality is improved and the number of amplifiers is reduced. This FTTN infrastructure permits the use of two-way communications, but it depends on the geographical implementation. To bypass this situation, there's a temporary solution called one-way communication.

In the one-way concept, the cable company only provides the path responsible for receiving data, which is called downstream bandwidth (not to be confused with a downstream connection related to ISP customers). An example of this downstream bandwidth usage is the Web page information that comes into a Web browser after it has been requested. The path that sends data the other way is called upstream bandwidth. It is used, for example, when you request a site page within the Web browser address field. This path has to be provided by a different connection (such as a dial-up line) with an ISP. As a result, the upstream connection is slower than the downstream one.

In a two-way connection, we can have both paths on the same link, but it requires HFC technology. Also it will need some changes. First of all, adequate spectrum has to be allocated for the upstream data, followed by the replacement of the amplifiers to divide upstream and downstream data into the correct frequency. Finally, the cable company must implement a method to multiplex all the upstream data from multiple users onto the coaxial cable.

The satellite technology for Internet access is very similar to cable connectivity. In one-way satellite communication the satellite's upstream bandwidth is zero, so another link is needed to perform the upstream transmission. This method has only been available recently. On the other hand, two-way transmission is well established, but only very few ISPs offer this type of connection.
As you can see, the use of cable or satellite technologies to connect an ISP to its upstream provider has a lot of limitations. In one-way solutions, there is no upstream bandwidth and it is necessary to have a complementary upstream link. Two-way cable technology depends on the cable company offerings, and in two-way satellite communication there are very few ISP providers. You should consider a satellite link if you are in a remote area, where stretching a T1 circuit across several hundred miles can be very expensive, or if you want to transmit a very large amount of data.

- Networking Hardware

In this part of the text we explain the networking hardware needed to connect an ISP to its upstream provider in the two most common methods: leased lines and frame relay. We are going to use the IBM set of products below because this is what I am most experienced with in networking architecture.

-- Hardware Components

The basic networking hardware components for an upstream connection are discussed in the following sections.

Router: This is the crucial equipment required in an Internet upstream connection. It's responsible for the IP datagram flow between the ISP and the Internet core in both directions. As the principal function is to examine the IP headers and decide where they should be sent, it can be accomplished by a UNIX machine or a stand-alone router. However, as this simple-seeming function has to be done at extremely high speeds (or the consequences of errors can be disastrous), the stand-alone router is recommended because it has considerably faster routing than the UNIX machine. For an initial ISP, the router must have at least two interfaces: one for the backbone provider and the other to the ISP local network. However, depending on the type of bandwidth coming to the ISP, the router may support other interfaces, one for each dedicated data circuit.
Some important characteristics that you should observe in a router are:

· Performance: A router has performance characteristics measured in packets per second (pps). Consequently, the more connections and bandwidth, the more pps is required from the router.

· Management: The management tools should indicate what is happening and allow easy adjustment and restoration of parameters.

· Routing protocols: The routing protocol must be compatible with the one used on the other end of the data circuit. The most common routing protocols used on the Internet are RIP, OSPF and BGP-4.

· Filters: The router should include basic filter capabilities in order to permit or deny a specific packet flow, if you need basic firewall capabilities in the future.

CSU/DSU: This equipment provides the interface between the telephone company's network and the ISP network. Although it's often referred to as one piece of equipment, it has two distinct functions. The Channel Service Unit (CSU) is a simple device that interfaces with the telecommunication network. The Data Service Unit (DSU) is the data unit that speaks to the data terminal equipment (the router) and is responsible for filtering the digital signal, synchronizing the signal with the network clock and providing networking control codes; it is similar to an analog modem. This CSU/DSU device depends on the connection speed. In general, it's a V.35 interface and is already provided in the routers with DSU functionality.

Hub: This equipment, although not directly related to the upstream connection, will be present in the ISP network. It connects the equipment in the network, such as routers and servers, in a star cabling topology. This helps in management due to the fact that a defect is isolated in its segment. The hubs can support several LAN types such as Ethernet, 100Base-T, token-ring, FDDI and ATM. The most commonly used hubs are Ethernet with RJ45 connectors.
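The permit-or-deny filtering that the Filters bullet describes, as an added example that is not part of the original article or of any IBM product: a small first-match packet filter for the upstream router, evaluated against constructed sample packets. The ISP block 192.0.2.0/24, the web server address, the Packet and Rule types and the rule set are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the example: the class C block the upstream provider
# assigned to the ISP, and the ISP's own web server inside it
# (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
ISP_BLOCK = "192.0.2.0/24"
WEB_SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "upstream" (backbone) or "lan"
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    iface: str   # interface the rule applies to, or "any"
    src: str     # CIDR the source must fall in, or "any"
    dst: str     # CIDR the destination must fall in, or "any"
    proto: str   # protocol, or "any"
    dport: int = 0   # destination port; 0 matches any port


def in_net(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("any", pkt.iface)
            and in_net(rule.src, pkt.src)
            and in_net(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (0, pkt.dport))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# A hypothetical starting rule set for the ISP's upstream router.
RULES = [
    # A packet arriving from the backbone but carrying one of the ISP's own
    # addresses as its source cannot be genuine, so it is dropped first.
    Rule("deny", "upstream", ISP_BLOCK, "any", "any"),
    # Inbound: only the public web service is reachable from the Internet.
    Rule("permit", "upstream", "any", WEB_SERVER, "tcp", 80),
    # Outbound: traffic may leave only if it is sourced from the ISP's block,
    # so a misconfigured host on the LAN never leaks a foreign source address.
    Rule("permit", "lan", ISP_BLOCK, "any", "any"),
]

# Constructed sample traffic, as it would be seen at the router.
SAMPLE_PACKETS = [
    Packet("upstream", "198.51.100.7", WEB_SERVER, "tcp", 80),  # legitimate web hit
    Packet("upstream", "192.0.2.200", WEB_SERVER, "tcp", 80),   # our own address from outside
    Packet("upstream", "198.51.100.7", WEB_SERVER, "tcp", 23),  # telnet to the web server
    Packet("lan", "192.0.2.55", "203.0.113.9", "udp", 53),      # customer DNS query going out
    Packet("lan", "10.0.0.5", "203.0.113.9", "udp", 53),        # private source leaking out
]


def filter_traffic(rules, packets):
    """Return the verdict for each packet, in order."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_traffic(RULES, SAMPLE_PACKETS)):
        print(f"{verdict:6} {pkt.iface:8} {pkt.src:>14} -> {pkt.dst}:{pkt.dport}/{pkt.proto}")
```

Rule order matters: the anti-spoofing deny sits before the web permit so that a forged packet aimed at port 80 is still dropped.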
-- Upstream Hardware Connections

A DDS or T1 connection will need the following prerequisites:

· A communication line
· A CSU/DSU
· A router

The router will be connected both to the ISP LAN (through a hub) and to the CSU/DSU (if not already integrated in the router). From the CSU/DSU device, the telephone line will connect to the telephone company's network termination unit (NTU), and then to the upstream provider. Normally, it is the ISP's responsibility to get the equipment from the NTU up to its network, but depending on the arrangement, the line can also be rented from the upstream provider or from the telephone company.

In a T3 link, the connection will depend on the media purchased. If it is delivered on two coaxial cables, you will connect them directly onto the DSU. (A CSU is not required.) But if it comes in optic fiber or microwave, you will connect them to a terminal first. The link between the DSU and the router can be V.35, High-Speed Serial Interface (HSSI) or SCSI.

A typical frame relay connection has similar prerequisites to a T1, but the equipment must be able to use frame relay to send data to the WAN. Usually the ISP is connected to the nearest frame relay POP through normal wire. The POP is responsible for the physical connection into the cloud.

- Domain and IP Address

Finally, we see the essential requisites for an ISP's Internet backbone connection: the domain and IP addresses. All equipment on the Internet needs an IP address. It has to be a globally routable IP address that is allocated to you by someone and is routed by your upstream provider to the rest of the Internet. But how do people get IP addresses and domains? Before answering this question, we have an overview of Internet domains and IP addresses, and also the organizations responsible for them.

-- Internet Domains

We usually refer to the equipment on the Internet by symbolic names, which are associated with IP addresses.
This mapping between IP addresses and host names is made through a group of servers called the Domain Name System (DNS). The DNS is a distributed database, because no single site on the Internet knows all the information. The domain allocation in the Internet has the objective of avoiding the use of the same name in more than one system and of decentralizing the registration. Therefore, the Internet was divided into distinct administrative domains in which equipment or subdomains can't have duplicate names. Recursively, this guarantees that there is only one name for each piece of Internet equipment.

This name space is built as a hierarchical tree structure with a root on top. Therefore, the symbolic name of Internet equipment is made up of a local name and its domain hierarchy, called a Fully Qualified Domain Name (FQDN). This name is separated by dots and is read from left to right, from the most specific name to the highest hierarchical level. The Internet domains can be either institutional or geographical types. In the USA, the institutional domains are most often used. For example, we could have:

www.microsoft.com
www.nasa.gov

The other countries adopted a geographical domain in the top-level domain (TLD) by using the two-letter country code taken from the ISO standard 3166. The second-level structure varies from country to country, but often also takes the form of co or com for commercial companies, re for research groups, etc. In some countries, such as Canada and France, the organizations are even put directly below the country TLD. Here are some examples:

www.whitchurch.cardiff.sch.uk
www.dtag.de
www.embratel.net.br

However, it should be noticed that some of the TLDs are international and can be used in other countries without including the country code, for example com, org and net.

- The Registries

The Internet Assigned Numbers Authority (IANA) is responsible for the overall coordination and management of the Internet Domain Name System.
It is the central coordinator for the assignment of unique parameter values for Internet protocols and especially the delegation of portions of TLDs, most of them the two-letter country codes. The IANA is chartered by the Internet Society (ISOC) and the Federal Network Council (FNC). Furthermore, a central Internet Registry (IR) has been selected and designated to handle most of the day-to-day administration of the DNS. Applications for new top-level domains are handled by the IR in consultation with the IANA. The current IR is InterNIC. However, the growth of Internet activity has led to a further delegation of authority for the domain name space to some other regional/national registries. The InterNIC takes care of registry for the Americas, which includes (but is not limited to) North America, South America, South Africa and the Caribbean. Other registration requests should be directed to the appropriate regional/national registry.

- IP Address

Each computer needs to have an IP address. The routing decisions made by the routers on the Internet rely on addressing alone. An ISP needs to allocate a set of addresses according to its dedicated business customers, dial-in users, remote POPs, ISP-related servers and networking equipment. The technique used to allocate addresses is called subnetting. The routers on the Internet deal with the subnetwork part of the address; their tables are updated to determine to which data circuit the packet should be forwarded. The challenge to the Internet is to keep the routing tables as small as possible on the very high-speed backbones and NAPs, and allow the routers in the ISPs to handle the routing to individual business and dial-in users. Theoretically, an ISP could get one of the three IP address classes (A, B or C) that fits its needs. However, as there are no class A addresses anymore, and few class B, most ISP networks are assigned multiple class C address blocks.
A class C network block uses the network mask 255.255.255.0, meaning that there are 255 addresses available. An ISP may assign an entire class C block of addresses to a business, or may further subnet the block of addresses to serve multiple businesses. For example, if the network mask is changed to 255.255.255.248, then eight addresses are available to that particular customer. From the Internet's point of view, any class C address that is within the ISP's range gets routed to the ISP.

- How to Get IP Addresses

You can get your IP address range directly from your upstream provider or through the regional registry. However, the best (and easiest) way of getting your IP address space is to get it from the upstream provider, who in turn got its address space from its own upstream provider or directly from a registry. The provider will give you IP addresses that come from the IP address space allocated to its backbone. It can use subnetting or CIDR techniques. These globally unique addresses owned by the upstream provider are called Provider Access (PA) IP addresses. When a customer terminates the contract with the provider, any assigned PA addresses must be relinquished. The advantage is that these addresses keep the network routing tables small, resulting in better performance. This is the policy the IANA recommends. If you do not want to get the IP range from a service provider, you must apply directly to the regional registry responsible for your country. You will then receive Provider Independent (PI) IP addresses. They are also globally unique addresses, but are owned by the customer and can be transferred from one provider to another. Their use is mandatory if you have upstream connections with different providers. Unlike PA addresses, the routing of PI addresses through the Internet is not guaranteed; if the size of the network routing tables gets too large, ISPs may remove PI addresses from their tables.
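As an added example (not from the article), here is a small Python allocator for the subnetting just described: it carves customer subnets of the needed size out of one class C block, so that from the Internet the whole block is still a single route to the ISP while each customer gets its own piece, including the 255.255.255.248 (eight address) case from the text. The block 192.0.2.0/24 and the customer list are constructed sample input.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample input: a class C block standing in for the ISP's
# assignment (192.0.2.0/24 is a documentation range, RFC 5737), and the
# customers that need address space, with the number of hosts each wants.
ISP_BLOCK = ipaddress.ip_network("192.0.2.0/24")
CUSTOMER_REQUESTS: List[Tuple[str, int]] = [
    ("acme-ltd", 6),       # fits a /29, the 255.255.255.248 case from the text
    ("corner-shop", 2),    # a two-host office or a router link: /30
    ("web-farm", 30),      # /27
    ("dialin-pool", 100),  # addresses the RAS hands out to dial-up users: /25
]


def prefix_for_hosts(hosts_needed: int) -> int:
    """Smallest prefix length whose subnet has room for hosts_needed hosts.

    The first address of a subnet (network) and the last (broadcast) are not
    assignable to hosts, so a /29 (eight addresses) serves six hosts.
    """
    size = 4
    while size - 2 < hosts_needed:
        size *= 2
    return 32 - (size.bit_length() - 1)


def allocate(block: ipaddress.IPv4Network,
             requests: List[Tuple[str, int]]) -> Dict[str, ipaddress.IPv4Network]:
    """First-fit allocation of one subnet per customer out of the ISP block.

    Larger requests are placed first so that every subnet lands on a boundary
    aligned to its own size; the free pieces left over stay usable for later
    customers instead of being fragmented.
    """
    free: List[ipaddress.IPv4Network] = [block]
    plan: Dict[str, ipaddress.IPv4Network] = {}
    for name, hosts in sorted(requests, key=lambda r: -r[1]):
        want = prefix_for_hosts(hosts)
        for i, candidate in enumerate(free):
            if candidate.prefixlen > want:
                continue  # this free piece is too small for the request
            free.pop(i)
            # Split the free piece in halves until one half has the wanted
            # size; the unused halves go back on the free list.
            while candidate.prefixlen < want:
                lower, upper = candidate.subnets(prefixlen_diff=1)
                free.append(upper)
                candidate = lower
            plan[name] = candidate
            free.sort(key=lambda n: int(n.network_address))
            break
        else:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {block}")
    return plan


def describe(plan: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str, str, int]]:
    """Rows of (customer, network, netmask, usable hosts), lowest address first."""
    return [(name, str(net.network_address), str(net.netmask), net.num_addresses - 2)
            for name, net in sorted(plan.items(),
                                    key=lambda kv: int(kv[1].network_address))]


if __name__ == "__main__":
    for row in describe(allocate(ISP_BLOCK, CUSTOMER_REQUESTS)):
        print("%-12s %-15s %-17s %3d hosts" % row)
```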
Because their routing is not guaranteed, the use of PI addresses is not recommended, and the use of PA addresses is encouraged. Finally, as address allocation is very important for the ISP (from what is actually being used to what is available), the ISP should carefully map out its addressing strategy before getting the addresses. In fact, when an ISP contacts any provider to get an IP subnet, the provider will require a network topology diagram and engineering plans. And to get more than one you will probably have to prove the need and guarantee that most of the addresses will be used immediately.

- How to Obtain a Domain Name

As discussed before, to use domain names we need to resolve host names into their corresponding IP addresses. These functions rely on machines called name servers. In a typical Internet dial-up connection, the name server is located at the provider. That's because the customer uses his or her provider's domain name, and normally only for e-mail. However, as you will be the provider, you will probably want to have your own domain name server so you have more flexibility to provide services to your customers. For example, if you offer Web hosting services to a set of businesses, each one will want a unique home page for its customers. To do that, you need a primary DNS that also refers to other alternate addresses and aliases. Finally, for a domain name registration it's necessary to contact the regional registry. This task can be accomplished directly (by you) or indirectly (by your provider).

- Downstream Connections

The principal objective of an ISP is to offer services to users so that they are able to access the Internet and its resources. That's where the ISP earns money. Therefore, the downstream connections are the second fundamental item of Internet connectivity.

- Types of Users

The following are the different types of customers an ISP could have:

• Home Users

These are the individual users, commonly called small office/home office (SOHO) users.
They usually get connected to the Internet to access Web pages and e-mail services. As a rule, this kind of user accesses the Internet during non-working hours and weekends. These are the most typical customers of an ISP.

• Corporate Users

These are business customers who connect their networks to the Internet. Typically they use the Internet to provide a Web site, to communicate with their other locations and customers, and to provide Internet access to their employees. Their heaviest traffic is during business hours.

• ISP Customers

These are other ISPs that will also resell Internet access and services to their customers. This is a smaller market, so you will need to have enough resources to be able to offer these services.

- Access Issues

For customers to be able to access the Internet and its resources, they will need to access their ISP's LAN servers first. There are two ways of providing this remote connection: through dial-up or dedicated circuits, depending on the customer type and needs. They are available through the SLIP or PPP protocols.

- Dial-Up Connection

This is the simplest kind of connection, commonly made available through conventional telephone lines and modems, in which the connection speed may vary from 9.600 bps to 33.600 bps. These physical devices are used with link-layer protocols that make the user's equipment able to run TCP/IP applications. The analog modem is most typical, but digital systems (ISDN) have also been used. The digital system connection carries 128 kbps. This is the most common access type used by SOHO users, or even by business employees whose companies don't have a network connection. Normally, these users have access to the following ISP services:

• TCP/IP tools such as WWW, ftp and telnet
• E-mail server
• News
• Their own Web home pages

- Dedicated Connection

Here there's a permanent link available, usually through a private line, where both the ISP's and the customer's LANs are connected through routers.
Switched packet networks, such as frame relay, can also be used. The corporate and the ISP customers are the ones who utilize this kind of link. Despite the issues for an ISP customer, the typical services offered in this category are:

• IP and DNS negotiation with the responsible registry
• Secondary DNS server
• Primary DNS server (optional)
• News feed
• Web hosting

- Integrated Services Digital Network (ISDN)

ISDN is an acronym for Integrated Services Digital Network, in which it is possible to gain the benefits of digital speeds or connectivity without using dedicated lines. From voice and data to complex images, full-color video and stereo quality sound, all are transmitted with digital speed and accuracy through what is now a totally digital network. ISDN replaces today's slow modem technology with speeds of up to 128 kbps (kilobits per second) before compression. With compression, users in many applications today can achieve throughput speeds from 256 kbps to more than 1,024 kbps, more than a megabit per second. Digital lines are almost totally error free, which means that the slowdowns and errors typically encountered in today's modem transmissions are no longer a problem.

A single ISDN line can serve as many as eight devices: digital telephones, facsimiles, desktop computers, video units and much more. Each device, in turn, can be assigned its own telephone number, so that incoming calls can be routed directly to the appropriate device. Any two of these devices can be in use at the same time for voice or data transmissions, and the lines can also be combined for higher data speeds. In addition, an almost unlimited number of lower-speed data transmissions (for e-mail, credit card authorization, etc.) can go on at the same time. In most cases, the same copper wires used today for what is typically called plain old telephone service can be used successfully for ISDN. This means most homes and offices are ISDN-ready today.
There are three types of ISDN services:

• Basic Rate ISDN (BRI)

The BRI service has three data channels: two 64-kbps B (bearer) channels and one 16-kbps D (delta) channel. The B channels carry voice and data, and the D channel is responsible for the control or signaling information. It's also possible to use both B channels together and get 128 kbps. The BRI interface uses two twisted pairs of copper wires.

• Primary Rate ISDN (PRI)

In the PRI service there are 23 64-kbps B channels and 1 64-kbps D channel, which provides a total bandwidth of 1.544 Mbps. In some countries the number of B channels is 30 or 31, which gives a bandwidth of 2.048 Mbps. The B channels are combined to be used according to the needs: data transmission, phone lines, etc. This service is used on the ISP side to connect the BRI customers.

• Broadband-ISDN (B-ISDN)

This is the proposed advanced version of ISDN for providing speeds of 155.52 Mbps and higher. However, the standards and switching technology that will work this fast are under development. B-ISDN promises universal coverage based on ATM/SDH technologies and optical fiber.

Although ISDN has been available for many years, it has only just begun to become popular with users. In some countries it may not even be supported.

- SLIP and PPP

Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) are always associated with dial-up connection protocols. Although they are actually widely used in part-time Internet connections over analog modems, they can be used for full-time connections as well. These protocols are solutions that have two requirements: there must be exactly two connection points and the link must be full-duplex. So they are used in dial-up connections over analog modems, in leased-line connections with routers and even with ISDN. Frame relay and X.25 are also possible. SLIP is just a very simple protocol designed quite a long time ago and is merely a packet framing protocol.
It defines a sequence of characters that frame IP packets on a serial line, and nothing more. SLIP has been replaced by PPP because of these drawbacks:

• It cannot support multiple protocols across a single link; all packets must be IP datagrams.
• It does no form of frame error detection, which forces retransmission by higher level protocols in the case of errors on noisy lines.
• It provides no mechanism for compressing frequently used IP header fields. Many applications over slow serial links tend to be single-user interactive TCP traffic such as TELNET. This frequently involves small packet sizes and therefore a relatively large overhead in TCP and IP headers, which do not change much between datagrams but which can have a noticeably detrimental effect on interactive response times. However, many SLIP implementations now use Van Jacobson Header Compression. This is used to reduce the size of the combined IP and TCP headers from 40 bytes to 8 bytes by recording the states of a set of TCP connections at each end of the link and replacing the full headers with encoded updates for the normal case where many of the fields are unchanged or are incremented by small amounts between successive IP datagrams for a session. This compression is described in RFC 1144.

PPP addresses these problems. It has three main components:

1. A method for encapsulating datagrams over serial links.
2. A Link Control Protocol (LCP) for establishing, configuring, and testing the data link connection.
3. A family of Network Control Protocols (NCPs) for establishing and configuring different network layer protocols.

PPP is designed to allow the simultaneous use of multiple network layer protocols such as IP, OSI, IPX, etc. Before a link is considered to be ready for use by network layer protocols, a specific sequence of events must happen. The LCP provides a method of establishing, configuring, maintaining and terminating the connection. LCP goes through the following phases:

1. Link establishment and configuration negotiation: In this phase, link control packets are exchanged and link configuration options are negotiated. Once options are agreed upon, the link is open, but not necessarily ready for network layer protocols to be started.
2. Link quality determination: This phase is optional. PPP does not specify the policy for determining quality, but does provide low-level tools, such as echo request and reply.
3. Authentication: This phase is optional. Each end of the link authenticates itself with the remote end using authentication methods agreed to during phase 1.
4. Network layer protocol configuration negotiation: Once LCP has finished the previous phase, network layer protocols may be separately configured by the appropriate NCP.
5. Link termination: LCP may terminate the link at any time. This will usually be done at the request of a human user, but may happen because of a physical event.

The IP Control Protocol (IPCP) is the NCP for IP and is responsible for configuring, enabling and disabling the IP protocol on both ends of the point-to-point link. The IPCP option negotiation sequence is the same as for LCP, thus allowing the possibility of reusing the code. One important option used with IPCP is Van Jacobson Header Compression, which is used to reduce the size of the combined IP and TCP headers from 40 bytes to approximately 4 by recording the states of a set of TCP connections at each end of the link and replacing the full headers with encoded updates for the normal case where many of the fields are unchanged or are incremented by small amounts between successive IP datagrams for a session. This compression is described in RFC 1144.

- Other Technologies

There are new technologies that have only just started to be used by SOHO users. We discuss some of them: wireless, cable and satellite.

Wireless

When we talk about wireless access, there's always confusion between wireless WANs and wireless LANs.
The wireless LANs are local area networks that allow devices with radios to connect to local servers. These radios use direct sequence spread spectrum technology. The wireless link is between a PC and an access point wired to a wired LAN connected to a server. The user with a PC or terminal with one of these radios must be in the local vicinity of a wireless access point for his wireless LAN adapter to work.

The WAN radios required to connect to servers that are located far away from where the user machine actually is are very different from the LAN radios described previously. The WAN radios act the same as the wired modems that you may be familiar with. When you use a WAN radio, you connect to a service provider (not an ISP, but one that provides wireless connectivity to its customers) such as AT&T, RAM Mobitex or ARDIS. These providers offer their customers the ability to use a radio that wirelessly connects to their services, from which they can connect to the existing worldwide telephone service. For example, a ThinkPad with a wireless WAN radio would dial out on a special number and get connected to its ISP via a TCP/IP link, the same as if it had plugged a modem into a phone line. The main difference is that its *phone line* is actually a wireless connection to a wireless service provider. The key components in wireless WANs are PCMCIA adapters that represent the latest in wireless communication.

Cellular Digital Packet Data (CDPD) is unique to the Advanced Mobile Phone Service (AMPS) cellular network, the largest in the United States. Advanced Radio Data Information Service (ARDIS) provides interactive, real-time data communications throughout the U.S. and Canada. The IBM 2489-600 with integrated Wireless Modem for ARDIS supports automatic nationwide roaming, which means users can move seamlessly from one city to another and still communicate. The use of this radio modem requires the purchase of ARDIS services from a service provider.
Mobitex runs on the RAM Mobile Data network, which serves some European countries and about 8,000 cities across the United States with fax, e-mail, two-way messaging and server applications. The IBM 2489-600 with integrated Wireless Modem for Mobitex consists of an integrated PCMCIA adapter (not yet available in EMEA) with an integrated antenna. Due to distinct country differences in communications standards, it is currently impossible to say that any one network provides wireless WAN services in EMEA. In most cases, analog data is transmitted using a cellular-enabled modem with a handheld phone. GSM/DCS 1800 data wireless networks are further made up of GSM, the digital equivalent of AMPS, and DCS 1800, an 1800 MHz system with similar protocols to GSM and a data adapter. CT2 (Cellular Telephone) is a short-range campus and public network. It requires an integrated adapter/transceiver connected to a local base station for campus work, which is connected to a PSTN for WAN communications.

- ISP Networking Hardware

Downstream Hardware Components

The basic networking hardware used in the connections between the ISP and its customers is:

• Remote Access Server

The Remote Access Server (RAS) is the device used to connect the remote PCs of the users through dial-in connections. It is also called a terminal server because historically it was used to connect character-based terminals to interactive hosts. Usually it contains one LAN interface that is attached to the hub, and many serial ports where the modems are connected. The first function of a RAS is to capture the authentication information from the client and then ask the authentication server for approval. Once the authorization is approved, the protocol switches to PPP, and the RAS gives an IP address to the client. The IP address given is based on a user name, a port or a pool of addresses. In this way, the client is in the ISP LAN and therefore can have its IP packets forwarded to the Internet.
RASs are available in two different kinds of solution: as a server with multiserial adapters, or as distinct hardware that may or may not be integrated within a router. The server-based solution has the advantage of being cheaper. However, the second one has some important features. It's not tied to the server, and in a LAN there's usually more than one RAS, so in case of failure only one RAS goes down and the other users still have access to the LAN, while with the server solution everybody loses contact. It is also highly scalable and manageable. Another point is that it relieves the server load.

• Modem

This device is used between the RAS and the telephone lines. Its function is to modulate an outgoing binary bit stream onto an analog carrier, and demodulate an incoming binary bit stream from an analog carrier. The standards defined by the International Telecommunications Union (ITU) are:

- V.32: Up to 9.600 bps for use over dial-up or leased lines.
- V.32 bis: Up to 14.400 bps for use over dial-up or leased lines.
- V.42: Not a modulation standard, but error control procedures for modems.
- V.42 bis: Data compression technique for use with V.42.
- V.34: 28.800 bps for use over dial-up lines with V.42. With the addition of V.42 bis compression, in theory it can reach up to 115.200 bps.
- V.34-1996: Provides two additional, optional data transmission speeds of 31.2 and 33.6 kbps. Further enhancements to supporting protocols allow devices implementing V.34-1996 to deliver more robust and more frequent 26.4 and 28.8 kbps connections. With the additional, optional speeds of 31.2 and 33.6 kbps, modems implementing the V.34-1996 standard can communicate at speeds up to 16.6 percent faster than existing V.34 modems.
Although several different names were used to describe this new revision of the V.34 standard (for example, Rockwell suggested V.34+ or V.34 Plus, and Lucent Technologies "extended rate V.34"), in October 1996 Study Group 14 of the ITU-T standards committee finalized the naming of the new standard as V.34-1996. There are four areas of improvement that distinguish devices implementing V.34-1996 from those using the initial version of the standard:

- Higher Data Rates

The potential for increased communication speed and faster data throughput always attracts the most excitement in a new or revised standard. In many instances, using modems that support the optional connection speeds of 31.2 and 33.6 kbps in the V.34-1996 standard should provide attractive performance gains in real-world operation. Faster file downloads and reduced online connection charges are key potential benefits to the end user.

- More Frequent High-Speed Connections

Testing by Xircom and its modem ASIC partners indicates that on about 60 percent of networks currently supporting 26.4-kbps data transmission, the enhancements in V.34-1996 offer a 2.4 to 4.8 kbps improvement in connection speeds.

- V.8bis

The original V.34 standard includes a component protocol known as V.8. This protocol specifies the negotiation startup or handshaking procedures used between modems before a data exchange. The V.34-1996 proposal includes an updated startup protocol, V.8bis, providing quicker connection initialization. Additionally, while certain types of echo canceling equipment previously caused V.8 to fall back to V.32bis automode negotiation (limiting speed to a 14.4 kbps maximum), V.8bis delivers a true V.34-protocol connection. V.8bis also improves faxing, reduces connection delays and provides more reliable support when switching between fax and telephone operation.
- Signaling System 5 Problem Resolved

Most modern telephone networks in the United States use Signaling System 7 (SS7) protocols to manage data transmission between central office (CO) switches. However, some older COs still use an earlier version known as Signaling System 5 (SS5). Two first-generation V.34 modems communicating between COs using SS5 occasionally experience connection failures. In V.34-1996, the startup algorithms are modified, allowing successful operation on older networks using SS5.

The ISP must be concerned about the quality of its modems. As some give more reliable calls than others, choosing well can avoid unanswered calls, downgrades to a lower speed, disconnections in the middle of a call and the inability to reset after disconnection.

At the moment there's a new 56 kbps modem technology that has been revolutionary in Internet communications. It's an asymmetrical modem modulation scheme that provides data transmission speeds of up to 56 kbps downstream over the Public Switched Telephone Network (PSTN). It takes advantage of today's Internet access, where a customer's analog modem connects to a site that is linked to a digital telephone network. In a connection between two analog V.34 modems, the telephone network converts the analog signal transmitted from the first modem to a digital signal. It is then transmitted to the second point, where it's converted back to an analog signal. The analog information must be transformed to binary digits in order to be sent over the PSTN. The incoming analog waveform is sampled 8,000 times per second, and each time its amplitude is recorded as a pulse code modulation (PCM) code. The sampling system uses 256 discrete 8-bit PCM codes. Because analog waveforms are continuous and binary numbers are discrete, the digits that are sent across the PSTN and reconstructed at the other end only approximate the original analog waveform.
The difference between the original waveform and the reconstructed quantized waveform in this analog-to-digital conversion is called quantization noise, which limits the communications channel to about 35 kbps. However, quantization noise affects only analog-to-digital conversion, not digital-to-analog. This is the fundamental point of this technology: taking advantage of having direct access to the digital telephone network on one side of the connection instead of the analog loop. In this way, in a communication between a home user and an ISP with a digital link to the PSTN, there's no analog-to-digital conversion in the server-to-client data path. This eliminates the quantization noise and makes a higher transmission rate possible. The upstream data flow remains slower because the analog-to-digital conversion must still be made at the client side.

This technique is especially suited to Internet access. The requirement of having digital access to the PSTN on one side is satisfied, since most ISPs have a T1, for example. And the other end connects through an analog line, which is typically the case for the ISP's customers. Internet access is also the best application: nowadays the customer downloads files, graphics and games (which always require more and more bandwidth) and usually sends only mouse clicks in the upstream direction. To take advantage of this technology it's necessary to have a pair of devices: a server modem at the ISP and a modem at the customer's house. No special lines are required, but both modems must be from the same supplier. This is because the basic concepts are similar, but the protocols are not the same. More importantly, the 56-kbps technology is not a standard. In October 1996, the ITU-T formed an initial working group to begin the lengthy standardization process. It is expected that this process will take at least 18 months and likely longer.
Additionally, several companies have received patents on proprietary algorithms that are core to the 56-kbps technologies. For example, we have 56flex (from Rockwell and used by Motorola) and x2 (from 3Com and used by USRobotics). It is likely that an extended period of licensing battles will need to be resolved before the widespread acceptance of 56 kbps is a reality.

- Downstream Hardware Connections

Finally, we have the typical networking environments for the ISP downstream connections. For the most often offered connection, analog dial-up with modems, the ISP will need:

• RAS
• Modems
• Telephone lines

The RAS will be connected to the ISP LAN hub and to the modems through its serial ports. Depending on the number of RAS ports, it will be necessary to have more than one to serve the whole number of users. The customers will then call the ISP's telephone numbers to get their connections into the LAN. They will need a PC and a modem (integrated or not) and PPP or SLIP to be able to do that.

On the other hand, if the connections will be made by ISDN, the RAS must have PRI support, and the modems will be replaced by CSU/DSUs. The ISDN service will connect from the telephone company switch to the home user through a two-wire cable. Then it will connect to a Terminal Adapter (TA), a kind of ISDN modem, that can be either a stand-alone unit or an interface card within the PC. In North America, a Network Termination 1 (NT1) will be required between the telephone company and the TA. If the customer has a LAN, it will be necessary to include an NT2, which is usually a router or bridge with a LAN adapter.

For the corporate customers that require dedicated connections, the usual way of establishing these links is through routers on both sides. The RAS is not used in this case.

I'm not going into detail about downstream user connections. If you do want details about it, then email me, and if I have the time I will put something together for you!
- Internet Services

There are several services you should consider supporting for your user base. It is important to note that you won't be expected to run a server for every single service discussed here. You should treat this list as food for thought. You may also find that some, or all, of these services may be provided either free (included in the cost of your link), or at an additional cost, by your upstream provider. Throughout this chapter, server refers to the program running on one of your machines providing the service being discussed. You will be able to run more than one server on each machine in most cases.

- Domain Name Service

The Domain Name Service (DNS) has become the glue that binds the Internet together. It provides a mechanism for converting easy-to-remember names such as www.0blivion.org into the less easy to remember IP addresses that are used in the underlying protocols. It is also used for other services; for example, using a special record in the DNS you can make use of your upstream provider's mail backup servers (if they provide that service). DNS issues are discussed in the comp.protocols.tcp-ip.domains news group.

- Berkeley Internet Name Daemon

Before you can register any domains you need to have the domains configured on a name server. If you choose to run your own name server, the most commonly used server is the Berkeley Internet Name Daemon (BIND), which is now maintained by the Internet Software Consortium (ISC). Other DNS implementations have been made available, but the majority of name servers in the field are either running BIND, or a product that is based on BIND. BIND is released in source code format for free by the ISC, and a lot of effort has been made to support as many operating systems as possible. If you are running UNIX as your server platform, the chances are that the provided DNS daemon is an (albeit out of date) implementation of BIND.
The support Web page for BIND can be found at http://www.isc.org/bind.html and it includes lots of links to other DNS-related sites. BIND has its own support newsgroup: comp.protocols.dns.bind.

- Mail Service

It used to be the case that if you provided an e-mail address for your users, then you were classed as an ISP. Although this perception has changed, e-mail is still a critical service to provide. Your users will expect at least one e-mail address from you; most ISPs now provide around three e-mail addresses per account. You will need two mail servers: one for your users to collect their own mail (POP server), and one to receive the incoming mail, place it on the POP server and allow your users to send mail (SMTP server or relay).

- POP Server

Because your dial-up users won't be connected to the Internet 24 hours a day, they won't always be connected when somebody sends them mail, so you will have to hold their mail for them until they pick it up. The most common method of mail retrieval by clients is via POP3 (Post Office Protocol Version 3). The user's e-mail software connects to the POP server, logs on with a user ID and password, downloads any waiting mail, deletes the mail from your server and disconnects. Most UNIX operating systems come with a POP server supplied, but there are several alternatives available on the Internet.

- Internet Mail Application Protocol

Internet Mail Application Protocol, currently at Version 4 (IMAP4), is less common than POP3, but is gaining popularity all the time. The most significant difference between POP and IMAP is that IMAP clients leave the mail on the server, rather than downloading the messages and removing them from the server as POP clients do. IMAP provides folders on the server to provide a remote mailbox which can be manipulated in the same way as local mailboxes.

- SMTP Server

The way that e-mail is sent from source to destination has changed very slightly since it was first used.
It used to be the case that the source machine connected directly to the target machine, transferred the note and disconnected. If the target machine was down, then the source machine would try again later, and keep trying until either the mail was delivered or some time-out limit was reached. However, some machines wanted to receive e-mail but weren't directly connected to the Internet. This was accomplished by placing mail relays on the Internet that knew how to contact these non-Internet-connected machines. These principles still hold, but the mail relays now have an extra role to perform: as some, or all, of your customers won't be connected to the Internet 24 hours a day, if the destination is down their machines may not be able to retry. The solution to this is for you to provide a mail relay for them. In this case, the user's e-mail software sends the mail to your mail relay, which then attempts to send it on to the destination on behalf of the user. Every single UNIX implementation comes with a mail server. The most popular one is Sendmail, which is supported by its author, Eric Allman (http://www.sendmail.org/). Sendmail is not without some very subtle bugs though. It is highly recommended that if you choose Sendmail, you keep updated with any fixes or new releases.

- Web Service

In today's Internet, you are nobody without a Web site. Your users will also expect some space on your Web server to put up some pages of their own. This could be accomplished either by asking your users to e-mail you their Web pages and graphics for you to upload onto the Web server, or by giving each user FTP access to their own area on the Web server.

- FTP Service

FTP, or File Transfer Protocol, is a simple protocol that is supported by all Internet server and client platforms. An FTP server can be used to distribute updates to client programs to your users, and your users may want to share data with other people via FTP.
* Management

Though the planning and setup of your ISP will initially require all your attention, once your ISP has been established you will be spending most of your time managing your ISP resources. The manner in which you manage these resources is a critical factor in the success of your ISP. Success means being able to provide customers with high levels of service and performance. This is essential to ensure your customers' satisfaction. Proper management will allow you to react to network outages or increased customer demand. You will need to manage the users that have access to your system, the amount of time they spend on your system, the amount of time others spend looking at their offerings, as well as your own connection to the Internet.

- Authentication

Any time a modem is added to a network, the network becomes more vulnerable to security breaches. An ISP, of course, wants to guard against such break-ins. However, valid users must be permitted to access the services that you provide. The security system that an ISP puts in place must not be so cumbersome as to cause valid users difficulty in accessing the system. All popular authentication solutions keep track of users and their authorizations. When a user attempts to access your services, a sequence of identification is performed. The typical identification sequence consists of obtaining a user name and password from the user and then verifying this through the authorization system. If the user name and password are correct, the user is granted access to specific resources on the network. If the conditions of the log-in process are not met, the user is denied access to the network. There are many different ways of authenticating a connection to a network; below are a few.

- Challenge Handshake Authentication Protocol/Password Authentication Protocol (CHAP/PAP)

The Point-to-Point Protocol (PPP) provides a standard method of encapsulating Network Layer protocol information over point-to-point links.
PPP also defines an extensible Link Control Protocol, which allows negotiation of an Authentication Protocol for authenticating its peer before allowing Network Layer protocols to transmit over the link. After a PPP link has been established, PPP provides for an optional Authentication phase before proceeding to the Network Layer Protocol phase. By default, authentication is not mandatory. If authentication is desired, the Authentication Protocol Configuration Option must be specified during the link establishment phase. These authentication protocols are intended for use primarily by hosts and routers that connect to a PPP network server via switched circuits or dial-up lines, but might be applied to dedicated links as well. The server can use the identification of the connecting host or router in the selection of options for network layer negotiations. CHAP and PAP are two authentication protocols for PPP links.

-- PAP

The Password Authentication Protocol (PAP) provides a simple method for the peer to establish its identity using a 2-way handshake. This is done only upon initial link establishment. After the link establishment phase is complete, an ID/password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated. PAP is not a strong authentication method. Passwords are sent over the circuit *in the clear*, and there is no protection from playback or repeated trial-and-error attacks. The peer is in control of the frequency and timing of the attempts. Any implementation which includes a stronger authentication method (such as CHAP, described below) must offer to negotiate that method prior to PAP. This authentication method is most appropriately used where a plain-text password must be available to simulate a login at a remote host. In such use, this method provides a similar level of security to the usual user login at the remote host.
-- CHAP

CHAP basically uses a random challenge, with a cryptographically hashed Response which depends upon the challenge and a secret key. CHAP is used to periodically verify the identity of the peer using a three-way handshake. This is always done upon initial link establishment and may be repeated any time after the link has been established. A typical protocol sequence is as follows:

1. After the link establishment phase is complete, the authenticator sends a challenge message to the peer.
2. The peer responds with a value calculated using a one-way hash function.
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection should be terminated.
4. At random intervals, the authenticator sends a new challenge to the peer, and repeats steps 1 to 3.

CHAP provides protection against a playback attack by another peer through the use of changing identifiers and variable challenge values. The authenticator is in control of the frequency and timing of challenges. This authentication method depends upon a secret known only to the authenticator and that peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication. Since CHAP may be used to authenticate many different systems, name fields may be used as an index to locate the proper secret in a large table of secrets. This also makes it possible to support more than one name/secret pair per system, and to change the secret in use at any time during the session. CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used. It is not as useful for large installations, since every possible secret is maintained at both ends of the link.
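To make the PAP and CHAP sections above concrete, here is an added example in Python (not code from the article) that models both handshakes side by side and shows why a captured PAP frame keeps working while a captured CHAP response does not. The CHAP response uses the MD5(identifier || secret || challenge) layout of RFC 1994; the password table, the shared secret and the user name are constructed sample values.

```python
# Added example (not code from the article): PAP and CHAP modelled in Python.
# The CHAP response follows the RFC 1994 layout, MD5(identifier || secret || challenge).
# The password, secret and user name below are constructed sample values.
import hashlib
import hmac
import os

# --- PAP: 2-way handshake. The credentials are the frame. ---------------------
PAP_DB = {"dialup-user": "s3cret-pw"}   # constructed: authenticator's cleartext password table

def pap_request(peer_id, password):
    """What the peer puts on the wire. Nothing here is hashed or encrypted,
    so anyone who records the frame can replay it later."""
    return {"peer_id": peer_id, "password": password}

def pap_authenticate(request, db=PAP_DB):
    """Authenticator side: compare the received pair with the table."""
    expected = db.get(request["peer_id"])
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), request["password"].encode())

# --- CHAP: 3-way handshake. The secret never crosses the link. ---------------
CHAP_SECRETS = {"dialup-user": b"shared-chap-secret"}   # constructed: both ends hold this in plaintext

def chap_challenge():
    """Authenticator, step 1: a fresh random challenge plus an 8-bit identifier."""
    return os.urandom(1)[0], os.urandom(16)

def chap_response(identifier, secret, challenge):
    """Peer, step 2: one-way hash over identifier, secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(name, identifier, challenge, response, secrets=CHAP_SECRETS):
    """Authenticator, step 3: look the secret up by name, recompute, compare
    in constant time."""
    secret = secrets.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def replay_check():
    """Returns (pap_frame_reusable, chap_first_ok, chap_reused_ok)."""
    pap_frame = pap_request("dialup-user", "s3cret-pw")
    pap_again = pap_authenticate(pap_frame) and pap_authenticate(pap_frame)   # same frame, twice

    ident1, chal1 = chap_challenge()
    resp1 = chap_response(ident1, CHAP_SECRETS["dialup-user"], chal1)
    chap_first = chap_verify("dialup-user", ident1, chal1, resp1)
    ident2, chal2 = chap_challenge()                                  # step 4: authenticator re-challenges
    chap_again = chap_verify("dialup-user", ident2, chal2, resp1)     # old response offered to the new challenge
    return pap_again, chap_first, chap_again

if __name__ == "__main__":
    reusable, first, reused = replay_check()
    print("PAP frame accepted a second time:", reusable)
    print("CHAP response accepted first time:", first, "| accepted after re-challenge:", reused)
```

Note the cost the article mentions: `chap_verify` has to read the secret in plaintext to recompute the hash, which is exactly why a hashed password file cannot back a CHAP authenticator, while `pap_authenticate` could in principle compare against a stored hash (the example keeps a cleartext table only to keep the two sides symmetrical).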
-- Kerberos

The Kerberos Authentication and Authorization System is an encryption-based security system that provides mutual authentication between the users and the servers in a network environment. Kerberos performs the following functions for a system:

· Authentication, to prevent fraudulent requests/responses between users and servers that must be confidential, on groups of at least one user and one service.
· Authorization can be implemented independently from the authentication by each service that wants to provide its own authorization system. The authorization system can assume that the authentication of a user/client is reliable.
· It permits the implementation of an accounting system that is integrated, secure and reliable, with modular attachment and support for charge-backs or billing purposes.

The Kerberos system is primarily used for authentication purposes, but it also provides the flexibility to add authorization information. In the Kerberos system, a client that wants to contact a server for its service first has to ask for a ticket from a mutually trusted third party, the Kerberos Authentication Server (KAS). This ticket is obtained as a function where one of the components is a private key known only by the service and the Kerberos Authentication Server, so that the service can be confident that the information on the ticket originates from Kerberos. The Kerberos Authentication Model permits only the service to verify the identity of the requester and gives no information on whether the requester can use the service or not. The Kerberos Authorization Model is based on the principle that each service knows the user, so that each one can maintain its own authorization information. However, the Kerberos Authorization System could be extended and used for authorization purposes. Kerberos could then check if a user/client is allowed to use a particular service.
- Remote Authentication Dial-In User Service (RADIUS)

Remote Authentication Dial-In User Service (RADIUS) is a good example of an open and easily integrated authentication protocol. The RADIUS server allows or denies access to the network. It allows all security information to be located in a single, central database, instead of scattered around the network on several different devices. It creates a single, centrally located database of users and services. It also performs extensive tracking and logging of user activities.

-- Terminal Access Controller Access System (TACACS)

Originally, TACACS allowed a router that accepted dial-up access to accept a user name and password and send a query to a TACACS authentication server, sometimes called a TACACS daemon or simply TACACSD. This server was normally a program running on a host. The host would determine whether to accept or deny the request and send a response back. The router then allowed access or not, based upon the response. While routers accepting dial-in access are no longer a major presence on the Internet, terminal servers are. Cisco Systems terminal servers implement an extended version of this TACACS protocol. Thus, the access control decision is delegated to a host. In this way, the process of making the decision is opened up, and the algorithms and data used to make the decision are under the complete control of whoever is running the TACACS daemon. For example: anyone with a first name of Joe can only log in after 10:00 p.m. Monday to Friday, unless his last name is Smith or there is a Susan already logged in. The extensions to the protocol provide for more types of authentication requests and more types of response codes than were in the original specification. The original TACACS protocol specification does exist. However, due to copyright issues, it is not publicly available. RFC 1492, "An Access Protocol, Sometimes Called TACACS", was written to alleviate this lack of access.
This version of the specification was developed with the assistance of Cisco Systems, who have an implementation of the TACACS protocol that is believed to be compatible with the original specification. To be precise, the Cisco Systems implementation supports both the simple (non-extended) and extended versions. It is the simple version that would be compatible with the original. In this protocol a request/response pair is the basic unit of interaction. In this pair, the client sends a request and the server replies with a response. All requests must be acknowledged with a response. This requirement implies that all requests can be denied, although it is probably futile to attempt to deny a logout request.

- Network Management

If an ISP is to remain competitive, then it will have to manage its network effectively. It will be necessary to determine if the connection to the Internet is operational and what the actual throughput of the network has been. Network Management consists of all the activities and products that are used to plan, configure, control, monitor, tune and administer your computer network. This can be extremely complex, dependent upon:

· The number and variety of network components, for example servers, modems, routers and gateways
· System mix: for example, operating systems, protocols and versions
· Geographic location of components
· Number of companies involved
· Number of services provided

Unfortunately, managing all these different aspects has been characterized by individual management tools. Each vendor offers its own interfaces for the same management task, requiring knowledge of each management tool. Fortunately, tools are appearing that help to provide a global view of the system. Management via a global view of the system is accomplished through integrated network management.
Essential to integrated network management is that the managed components deliver information in a format that can be interpreted independently of the product originating the information. This requires standardization of interfaces and protocols.

- Standards

The current network management framework for TCP/IP-based Internets consists of:

1. SMI (RFC 1155) - Describes how managed objects contained in the Management Information Base (MIB) are defined.
2. MIB-II (RFC 1213) - Describes the managed objects contained in the MIB.
3. SNMP (RFC 1098) - Defines the protocol used to manage these objects.

The Internet Architecture Board (IAB) issued an RFC detailing its recommendation, which adopted two different approaches:

· In the short term, SNMP should be used. The IAB recommends that all IP and TCP implementations be network-manageable. At the current time, this implies implementation of the Internet MIB-II (RFC 1213), and at least the recommended management protocol SNMP (RFC 1157). Note that the historic protocols Simple Gateway Monitoring Protocol (SGMP, RFC 1028) and MIB-I (RFC 1156) are not recommended for use.
· In the long term, use of the emerging OSI network management protocol (CMIP) would be investigated. This is known as CMIP over TCP/IP (CMOT).

Both SNMP and CMOT use the same basic concepts in describing and defining management information, called Structure and Identification of Management Information (SMI), described in RFC 1155, and Management Information Base (MIB), described in RFC 1156.

Simple Network Management Protocol (SNMP) is an Internet standard protocol. Its status is recommended. Its current specification can be found in RFC 1157 - Simple Network Management Protocol (SNMP). MIB-II is an Internet standard protocol. Its status is recommended. Its current specification can be found in RFC 1213 - Management Information Base for Network Management of TCP/IP-based Internets: MIB-II.
Common Management Information Protocol (CMIP) and Common Management Information Services (CMIS) are defined by the ISO/IEC 9595 and 9596 standards. CMIS/CMIP over TCP/IP (CMOT) is an Internet proposed standard protocol. Its status is elective. Its current specification can be found in RFC 1189 - Common Management Information Services and Protocols for the Internet (CMOT) and (CMIP). OIM-MIB-II is an Internet proposed standard protocol. Its status is elective. Its current specification can be found in RFC 1214 - OSI Internet Management: Management Information Base.

Other RFCs issued by the Internet Architecture Board (IAB) on this subject are:

· RFC 1052 - IAB Recommendations for the Development of Internet Network Management Standards
· RFC 1085 - ISO Presentation Services on Top of TCP/IP-based Internets
· RFC 1155 - Structure and Identification of Management Information for TCP/IP-based Internets
· RFC 1156 - Management Information Base for Network Management of TCP/IP-based Internets
· RFC 1215 - Convention for Defining Traps for Use with the SNMP
· RFC 1227 - SNMP MUX Protocol and MIB
· RFC 1228 - SNMP-DPI: Simple Network Management Protocol Distributed Programming Interface
· RFC 1230 - IEEE 802.4 Token Bus MIB
· RFC 1231 - IEEE 802.5 Token-Ring MIB
· RFC 1239 - Reassignment of Experimental MIBs to Standard MIBs
· RFC 1351 - SNMP Administrative Model
· RFC 1352 - SNMP Security Protocols

- Structure and Identification of Management Information (SMI)

The SMI defines the rules for how managed objects are described and how management protocols may access these objects. The description of managed objects is made using a subset of ASN.1 (Abstract Syntax Notation 1, ISO standard 8824), a data description language.

- Management Information Base (MIB)

The MIB defines the objects that may be managed for each layer in the TCP/IP protocol. There are two versions, MIB-I and MIB-II.
MIB-I was defined in RFC 1156, and is now classified as an historic protocol with a status of not recommended. The list of managed objects defined has been derived from those elements considered essential. This approach of taking only the essential objects is not restrictive, since the SMI provides extensibility mechanisms such as the definition of a new version of the MIB and the definition of private or non-standard objects.

- Simple Network Management Protocol (SNMP)

SNMP added the improvement of many years of experience in SGMP and allowed it to work with the objects defined in the MIB with the representation defined in the SMI. RFC 1157 defines the Network Management Station (NMS) as the one that executes network management applications (NMA) that monitor and control network elements (NE) such as hosts, gateways and terminal servers. These network elements use a management agent (MA) to perform the network management functions requested by the network management stations. The Simple Network Management Protocol (SNMP) is used to communicate management information between the network management stations and the agents in the network elements.

I'm not going to go into details on this one, due to the fact that I could fill an entire article just on this subject. Maybe later in another issue.

- Common Management Information Protocol over TCP/IP (CMOT)

CMOT is the network management architecture that has been developed to move towards a closer relationship with the Open Systems Interconnection (OSI) network management standard named Common Management Information Protocol (CMIP). With these premises CMOT, as in the OSI model, can be divided into an organizational model, a functional model and an informational model. In the organizational and informational models the same OSI concept is used in CMOT and in SNMP. The object identification is formed using the subtree related to the DoD, with subdivisions in management, directory, experimental and private.
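The SMI, MIB and SNMP sections above describe three layers of the same thing: the SMI says objects are named by OIDs and described in a subset of ASN.1, the MIB lists the objects, and SNMP carries requests for them. The following added Python example (not code from the article, and not a real SNMP library) shows what that looks like on the wire by encoding an SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0, from MIB-II) in BER, the transfer syntax ASN.1 uses, and then reading the community string straight back out of the packet bytes. The community string value is a constructed sample.

```python
# Added example (not code from the article): hand-built BER encoding of an
# SNMPv1 GetRequest, plus a minimal reader that pulls the community string
# back out of the packet. The community value is a constructed sample.

def ber_length(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value triple."""
    return bytes([tag]) + ber_length(len(content)) + content

def encode_integer(value):
    """ASN.1 INTEGER: minimal two's-complement encoding."""
    if value == 0:
        return tlv(0x02, b"\x00")
    nbytes = (value.bit_length() + 8) // 8      # +8 keeps a sign bit for positive values
    return tlv(0x02, value.to_bytes(nbytes, "big", signed=True))

def encode_oid(dotted):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                              # higher groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(content):
    """Inverse of encode_oid over the OID content bytes (tag and length stripped).
    Handles the iso(1)/ccitt(0) subtrees used by the Internet MIB."""
    first = content[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def snmpv1_get(community, oid, request_id=1):
    """SNMPv1 Message ::= SEQUENCE { version 0, community OCTET STRING, GetRequest-PDU }."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))          # { name, NULL } for a Get
    pdu = tlv(0xA0, encode_integer(request_id)                      # GetRequest-PDU is [0] IMPLICIT
                    + encode_integer(0)                             # error-status noError
                    + encode_integer(0)                             # error-index
                    + tlv(0x30, varbind))                           # VarBindList
    return tlv(0x30, encode_integer(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def community_string(message):
    """The credential SNMPv1 relies on is an OCTET STRING sitting in plain view
    right after the version field; anyone who captures the datagram has it."""
    _, body, _ = read_tlv(message, 0)           # outer SEQUENCE
    _, _, after_version = read_tlv(body, 0)     # version INTEGER
    tag, comm, _ = read_tlv(body, after_version)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return comm.decode()

if __name__ == "__main__":
    msg = snmpv1_get("public", "1.3.6.1.2.1.1.1.0")
    print(msg.hex())
    print("community visible in packet:", community_string(msg))
```

The last function is the practical point for an ISP: SNMPv1 has no authentication beyond this string, so it deserves the same handling the article gives Telnet and POP passwords, and RFC 1352 in the list above is where the protocol's own answer to that starts.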
All the management objects are defined in the Management Information Base (MIB), being represented by the Structure and Identification of Management Information (SMI), a subset of ASN.1 (OSI Abstract Syntax Notation 1). In the functional model CMOT adopted the OSI model that divides the management components into managers and agents. The agent collects information, performs commands and executes tests, and the manager receives data, generates commands and sends instructions to the agents. This manager and agent are formed by a set of specific management information per communication layer named the Layer Management Entities (LME). All the LMEs are coordinated by a System Management Application Process (SMAP) that can communicate between different systems over the Common Management Information Protocol (CMIP). In the OSI approach the management can occur only over fully established connections between the managers and the agents. CMOT allows management information exchange over connectionless services (datagram).

And yet again, we can fill another article on this; check it out in the future. Seeing as we have the defaults laid down on an ISP, it's now the subject you have been waiting for. Security!!!

- Internet Security

Many companies are thinking of connecting their internal corporate networks to the Internet, and for good reasons. There are many rewards associated with both increased visibility and the opportunity to run new types of applications. At the same time, companies are concerned with the security of their systems. The Internet is a collection of connected networks, but nobody really knows the structure of the Internet. The Internet keeps changing all of the time. There is no centralized network management and no single authority is in charge. All data crossing the Internet is passed *in the clear*, such as user names, passwords, and e-mail messages. The entire company is exposed to the outside world.
In this text, we take a layered approach to securing your ISP when attaching it to the Internet. We strongly recommend not connecting your ISP to the Internet until you are 100% sure that you have thoroughly reviewed security and that the TCP/IP applications you have chosen to use across the Internet are properly and securely configured. Network security is a key component of Internet security, and in this chapter we provide some elements that will help you to evaluate whether or not you need a firewall.

- The Costs of Security Breaches

Let's take a quick look at how much poor security costs both business and the U.S. government each year. The size of the figures involved should help you concentrate on implementing the appropriate security measures at your own site. According to information released by the U.S. Senate's Permanent Investigations Subcommittee, intruders cost big business more than US $800 million last year. In most cases, the attacks on their systems and the resulting losses were not reported to law-enforcement agencies for fear that an extended investigation with its attendant publicity would harm the corporation. The report indicates that the problem is worse in private industry than in government computer systems, with intruders concentrating on banks (always a popular target) and hospitals, where cases of record-altering are on the rise. Of the US $800 million losses, about half, or US $400 million, were incurred by U.S. companies and the rest by companies operating in other countries.

According to this same report, there were an estimated 250,000 attacks on the U.S. Department of Defense computers last year, and the rate of attack is doubling every year. And these are the attacks that were detected. Who knows how many were either undetected or went unreported for other reasons. Recent attacks on unclassified U.S. Department of Defense computers are reportedly successful 65 percent of the time.
Some of these attacks were considered of nuisance value only, but some were a serious threat to national security. One of the best documented took place during spring 1994 at an Air Force laboratory in Rome, NY. Two intruders made more than 150 trips into the lab's computer systems, collecting passwords from outside users and then using these passwords to invade more than 100 other computers attached to the Internet. An investigation led to the arrest of one of the intruders, a 16-year-old boy living in London, England. The other intruder was never identified and never apprehended. The problem is certainly considered serious because more than 90 percent of the Pentagon's daily traffic is carried by unclassified computer systems connected to the Internet, and anyone tampering with logistical information or shipping information could cause chaos to military operations.

When intruders gain access to your Web site, they may do one of several things. They may deface your Web pages with a message such as "The system has been Cracked!" or they may erase your Web site pages and replace them with their own. Sites as diverse as the British government, the American Psychoanalytic Association, and the Nation of Islam have suffered from such attacks in the recent past.

- The Internet and Security

A few years ago, security wasn't a major concern for most sites connected to the Internet. As far as the universities participating in the Internet were concerned, the basic premise was to provide free access to everything, and if a few people took advantage, that was the price you had to pay. Many universities on the Internet still follow this philosophy and impose few restrictions of any kind. Most control access with only a user ID and a password, and many still allow anonymous use of their systems; anyone can log on without a valid user ID and a password.
The huge potential for commerce on the Internet has changed much of this thinking, and many system and network administrators now feel that any user of their site is a potential intruder. This is actually true. Therefore, they usually begin with the premise of *don't trust anyone*. Today, this is definitely the best policy.

- Defining Security Threats

The most common security threats range from complete network infiltration to simple virus contamination. Some threats are accidental, and others are malicious; some affect hardware, and others affect software.

- Internal Threats

Internal security problems are probably the most common. Users entrusted with certain levels of access to systems and hardware can be a major threat if not controlled and monitored carefully. Put simply, you never know what someone is going to do. Even the most loyal employees or workers can change their tune and get into a malicious mode, wreaking havoc on your computing environment. Check your workers' backgrounds, references, and previous employers carefully, and routinely change and audit your security methods.

- External Threats

External security threats are the most problematic. You never know when an outsider will attempt to breach your systems or who the perpetrator may be. Some people go to great extremes to gain access to your systems and information. There are many documented cases of outsiders easily gaining access to systems that were assumed to be protected. Even the Department of Defense admits that its computer systems were attacked more than 250,000 times in 1995. That statistic alone should stop you in your tracks and make you think a bit. It has been recently theorized that a well-funded group of computer hackers could bring the entire country to a screeching halt within 90 days with almost no trouble at all.

- Intruders Are People

Intruders may use your own policies and routines against you.
Any intruder could pose as a person from one of your departments or come in as a worker representing another firm that would normally be considered non-intrusive. Someone posing as part of the cleaning crew, as a utility worker, as a building inspector, as an insurance official, and so on could have only one purpose: gaining the knowledge needed to infiltrate your network. You can even assume that people are digging through your trash looking for keys to assist them in breaching your systems. You need to understand that anything is possible and that people will do anything to get what they want. Beware of strangers asking questions about how the system works, and never give anyone your password. The notorious Kevin Mitnick used very subtle persuasion techniques that came to be known as social engineering to first gain people's confidence and then their passwords.

- How Intruders Break In To Your System

Intruders break in to your system in any number of ways. With the advent of the Internet, lots of UNIX software is being ported to Windows NT and other operating systems, and so are a lot of the security holes in that UNIX software. This means that your seemingly harmless and brand new software may in fact be a new generation of an age-old problem.

- Sendmail

Intruders have traditionally used services that run on computers to gain access to them. One of the most widely used holes is in Sendmail and its many derivatives. Sendmail can actually assist a potential intruder in creating files, altering files, and even mailing sensitive files to the intruder. Go over your mail server software carefully, and find out its origins. If it turns out to be a Sendmail port from UNIX, check it against the known UNIX hacking techniques as well.

- Checking CGI Scripts

Web servers by themselves pose only moderate security risks, particularly when protected by a firewall or a proxy server. But the one concern is how your system uses CGI scripts.
Your Web server may be configured to create HTML pages on the fly using a script written in Perl or in some other scripting language. When considering these external programs, ask these questions:

· Can a knowledgeable attacker trick the external program into doing something that you don't want it to do?
· Can a knowledgeable attacker upload an external program and have that program execute on your system?

You can minimize the threat from both these sources by using some of the techniques that will be discussed later in this chapter and by ensuring that your Web server does not contain anything that you don't want revealed to the outside world. Do not take it for granted that someone's really nifty Web enhancement software is completely safe and harmless. Writing CGI scripts is not particularly easy, and writing secure scripts can be a job for the experts. You cannot simply assume that some programmer is writing a nice little CGI script to complement your Web site; it may be one that you won't be able to resist trying out and that will invariably put in place the holes that others need to infiltrate your systems and networks. Lots of programmers hide backdoors, tricks, and traps in their seemingly harmless software for their own convenience in testing and debugging and then forget to remove these elements when they release the package. You may think you have just downloaded and installed the world's greatest page counter, whereas in reality you have just installed an open door on your system. Always test shareware and freeware thoroughly on a stand-alone system, and ask others for their reviews of the software, before you place it on one of your production servers. Otherwise, you may lose everything.

- FTP Problems

FTP can be a real problem, and you should take great care when configuring your FTP server. Double- and triple-check your file permissions for every FTP user account. Log on as that user, and ensure that the access is restricted in the way you want it.
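The first of the two CGI questions above ("can an attacker trick the external program") most often comes down to how a request parameter reaches a command line. Here is an added Python example, not code from the article, that puts the risky construction next to an allow-listed, argv-based version of the same script. The query strings are constructed, and `finger` stands in for whatever external program a CGI script might call; the point is how its argument is built, not the program itself.

```python
# Added example, not code from the article. Compares the input handling the
# article warns about with an allow-listed, argv-based version. The request
# query strings are constructed; "finger" is only an illustrative external
# program, the point is how its argument is built.
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list: must start with a letter or digit (so it can never look like an
# option), then at most 31 more characters from a small safe set.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,31}")

def finger_command_unsafe(query_string):
    """The pattern to avoid: a parameter spliced into one shell command string
    (the os.system() / Perl backtick style). Whatever the user sends becomes
    part of a line that a shell will parse."""
    user = parse_qs(query_string).get("user", [""])[0]
    return "finger " + user

def finger_command_safe(query_string):
    """Validate first, then build an argv list so no shell ever parses the value.
    Returns the argv list, or None when the request is refused."""
    user = parse_qs(query_string).get("user", [""])[0]
    if not USERNAME_RE.fullmatch(user):
        return None
    return ["finger", user]

def shell_metacharacters(text):
    """Which shell-special characters an input contained; handy for the log
    line you write when a request is refused."""
    return sorted(set(text) & set(";|&$`<>()\n\"'\\ "))

def run_safe(query_string, runner=subprocess.run):
    """CGI handler core: returns (status, body). The external program is run
    with shell=False; `runner` is a parameter so the function can be tested
    without actually executing anything."""
    argv = finger_command_safe(query_string)
    if argv is None:
        bad = parse_qs(query_string).get("user", [""])[0]
        return 400, "Bad Request: refused user value containing %r" % shell_metacharacters(bad)
    result = runner(argv, capture_output=True, text=True, check=False)
    return 200, result.stdout

if __name__ == "__main__":
    for q in ("user=alice", "user=alice%3Bls", "user=-l", ""):
        print(q, "->", finger_command_unsafe(q), "|", finger_command_safe(q))
```

Two design choices worth noting: the allow-list is tested with `fullmatch`, so a value that is valid up to some point and then turns into metacharacters is still refused whole; and the refused value is reported only in terms of which special characters it contained, which is enough for an administrator to spot probing without echoing the raw input back into a page.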
Additionally, many intruders use anonymous FTP servers to upload and stash pirated software, cracking tools, and other illegal material that you do not want on your FTP server. One easy way to protect your site is not to allow users to upload files to your FTP site; just let them download the material you originally established the FTP server to manage and distribute. If it is important that you allow uploads, set the directory permissions so that you have to explicitly specify who can upload files.

- Telnet Problems

You need to be aware of the potential exposures you can have when you enable a Telnet server:

· The Telnet server cannot restrict a user from getting a sign-on display if the Telnet server is already started. There is no anonymous Telnet support.
· When you type your user ID and password, both flow *in the clear* across your network. Hackers on the Internet or on your intranet can use sniffers (line-tracing equipment) to access your logon passwords.
· The number of sign-on attempts is equal to the number of system sign-on attempts allowed multiplied by the number of virtual devices that can be created. This increases the number of attempts a hacker can make to log on to your system. Because of this, attacks can turn into denial of service.
· The Telnet server application does not provide good logging procedures.

- E-Mail Problems

There are a few risks associated with electronic mail; some examples are forging mail or snooping mail that might contain confidential or private information. But accepting e-mail opens the door to three major exposures that we cover in more detail in this section:

· Denial-of-service attacks: incoming mail, if it takes the form of mail bombing, can tie up your computer resources (disk space and processor) to the point where your server is put out of commission.
Although we worry about this type of attack, in practice you can probably see similar effects from an accident such as a chain letter or a few huge images (MIME attachments) sent to your users.
· Downloading viruses: attachments sent in e-mail can be stored in a shared folder or in the integrated file system of the POP3 server, and from there they can be downloaded to other users' PCs or POP3 clients.
· Snooping on POP3 user ID or password: standard POP clients send the user's ID and password in the clear; therefore, anyone snooping on the connection can see them. On the AS/400 system, for example, each POP user needs a user profile and directory entry, so if someone is able to capture the POP user's ID and password, they also get the user ID and password of an AS/400 user. If the intruder manages to get hold of a powerful user profile (for example, one with *ALLOBJ special authority), the intruder can cause much damage to your system.
· Snooping on sensitive e-mail: you need to think about the exposure of sending sensitive or confidential information over the Internet. Depending on your own environment, you might need to use alternative methods to exchange sensitive information.

- Spoofing Your System

Some intruders may attempt to use spoofing to gain access to your systems. Spoofing is the process of replacing parts of the TCP/IP header with bogus information in an effort to fool your firewall or proxy into thinking that the network traffic came from an allowed and trusted origin. Be sure your firewall can prevent this sort of trickery, and implement its prevention fiercely.

-- What Should You Secure?

When you devise your security measures, you should think of a layered approach to security. When you connect an ISP to the Internet, there are many points where security can be compromised and that you should therefore protect. You should think of this layered approach as a system with multiple locks; if a hacker manages to break one of them, you have others to protect you.
- Network Security

Network security controls access to your ISP. Who is allowed to enter your corporation's network to access your Internet server? Probably you do not want to limit access in general, but it is a major issue to protect your internal network and the production systems within your company's internal network. Network security can be achieved in various ways:

· Isolating the Internet servers
· Multiprotocol router blocking of unwanted TCP/IP traffic
· Securing the network gateway (usually called a firewall) to protect the company-internal network

Internet network security also determines how your own users may access the Internet.

- Application Security

Each application that you can use on your ISP connected to the Internet, such as HTTP, FTP, Telnet, and so on, offers different alternatives to limit access and make it safe to use.

- Transaction Security

Commercial transactions through the Internet require safe communications. The parties need to be identified and the exchanged data has to be protected. In this case:

· How can you perform authentication without sending a user ID and password in the clear?
· How can you protect the privacy of your data to ensure that only authorized persons may read it?
· How can you assure that messages have not been altered between the sender and the recipient?

There is a single technology that provides the foundation for solving all of these challenges: cryptography. Secure Sockets Layer (SSL) is an industry standard that provides cryptography for these transactions.

- System Security

Depending on the operating system (OS/400, for example), you may have a strong set of security tools, but you must take the time to learn about the tools and apply them. There are various areas of the system's security to be considered before attaching your system to the Internet:

· System-wide security values
· User profile and password management
· Resource security
· General TCP/IP definitions

I'm not gonna go into them, cos I haven't got any more time.
I may stick this in as a later text cos I want to get this into Oblivion this month.

Slider.

#f41th
<dynamics> "Do you want to be in my gang and RAPE A LITTLE GIRL... Paedo paedo! Paedo paedo! Paedo paedo paedo!"
<dynamics> Garry Glitter looks like a paedo too
<dynamics> i wonder how he gets them he bed, he must sing them into submission or something
<dynamics> "No please... not more of your tunes... I'll shag you if you shut up!!"
<dynamics> but then he finds out he's not as fit as he used to be and has run out of viagra
<dynamics> "Come on Come on! Come on come on!"
<dynamics> but mister wee wee wont stand up..
<zomba> ur twisted
<dynamics> life is twisted
<Slider_> Ur fucked up man.. where the fuck do u get this sick shizz?

----------------------------------------------
**********************************************
The Net Effect - Spyderco Psyops
**********************************************

Ars ipsi secreta magistro, Jean Robert du Carlet, 1644.

THE Internet has dramatically altered the way many people perform numerous tasks: communicating with one another, shopping, banking, making travel arrangements, keeping abreast of the news. Now add to the list political and human-rights reform. Proponents in those fields assert that the Internet and the World Wide Web have become essential tools for effecting change. But critics contend that the medium is often least available where it is most needed.

The ongoing struggle for democracy in Indonesia underscores the power of the Internet. Last spring protesters bypassed the state-controlled media there by posting a Web site containing a database that kept track of the corruption of then president Suharto. People across the country were continually adding information about the accumulated wealth of the president and his children, knowledge of which fuelled an already inflammatory situation. Students also relied on the Internet to co-ordinate their demonstrations, which eventually led to Suharto's resignation.
Indeed, political dissenters and human-rights organizations around the world have taken advantage of the Internet's capabilities. The Zapatista rebels have exploited it to garner support among international journalists and sympathizers against the Mexican government. The Free Burma Coalition uses its Web site to encourage consumers to boycott companies doing business in Myanmar. And the Digital Freedom Network routinely posts on the Web the writings of political dissidents, such as Raúl Rivero of Cuba, who are censored in their homelands.

"To build up on-line communities with such limited resources is amazing," notes Xiao Qiang of Human Rights in China, a group based in New York City, which uses the Internet to organize letter-writing campaigns. Adds William F. Schulz, New York executive director of Amnesty International USA, "the Web is a critical new tool that we now have. It has increased our ability to funnel information."

For their part, governments face a quandary: How do they cobble together restrictive policies that will help them maintain the status quo 'without' stifling the Web's many business benefits? Because of Indonesia's solid economic growth before the recent downturn, the country had a hands-off policy toward the Internet, which many companies had used to communicate with suppliers and customers across the sprawling archipelago nation. But the same medium that enabled firms there to monitor the status of their factories and inventories also allowed dissidents to mobilize.

Meanwhile the Internet's role in political and human-rights reform has been evolving beyond mere information dissemination and calls for action. On Mexican Independence Day, thousands of people staged a "virtual sit-in" to protest the government's treatment of Zapatista rebels in Chiapas.
The digital demonstrators tried to overwhelm targeted Web sites, including those of Mexican president Ernesto Zedillo, reportedly by using an automated software program to issue repeated phony requests to download information. Other groups have gone further, breaking into systems and defacing web sites. Last October, soon after the Chinese government had launched a new Web site to proclaim its efforts in human rights, hackers replaced the home page with one containing a diatribe: "China's people have no rights at all, never mind Human Rights." Other "hacktivists" have plied their craft to protest conditions in various areas--among them East Timor, Indonesia; Kashmir, India; and Kosovo, Serbia--knowing all too well that attacking a government is usually much easier electronically than physically. And often the main reason for such electronic rabble-rousing is not the actual acts themselves but the follow-up media attention that can garner quick, worldwide publicity for a cause.

John Vranesevich, considered a media whore by some people (including myself) and founder of AntiOnline, a Web site that tracks hacker activities, predicts that the number of such electronic exploits will escalate in the future as the first generation of young hackers matures. "These hackers are becoming politically minded," Vranesevich says. "They are starting to vote, and they are starting to take a look at the world around them. Now they are using the skills they've honed to make their opinion heard."

Bronc Buster, a pseudonym for the 26-year-old who led the attack on the Chinese human-rights server, recalls that when he first saw that Web site he was outraged. "Two years ago, when I was a freshman, I had to do a huge paper on China for one of my political science classes, so I knew what was happening over there," he says. "When I went to that site and read what was on it, I got extremely mad. It reminded me of the Nazis saying the Holocaust never happened."
Yet while some people have proclaimed the dawning of a new age in electronic activism, others caution that the Internet's effect may be grossly exaggerated. Of a total worldwide population of about six billion people, only a tiny fraction is wired, and most of that is in North America, Europe and Japan, geographic areas not particularly known for political tyranny or egregious human-rights violations. For this reason, critics say the view of the Internet as a juggernaut for implementing sweeping reforms is an overblown, North-centric perspective. "How many people in the world have never even made a phone call? Maybe a third to a half. And how much impact do you think the Web's having on them?" asks Patrick Ball, senior program associate for the Science and Human Rights Program of the American Association for the Advancement of Science.

The North-South dichotomy could worsen as the experiences of countries such as Indonesia and China make other nations wary of going on-line. In Saudi Arabia, for example, Internet service providers must apply for a license through the government, which requires that Web traffic be filtered through state-controlled proxy servers. And a host of governments have stepped up their efforts to make certain activities illegal, if for no other reason than to instill a chilling effect among the general populace. Last spring a Shanghai software engineer was arrested for allegedly sending a list of the e-mail addresses of thousands of Chinese to a U.S.-based dissident publication. Such acts notwithstanding, countries have also been loath to pull the plug on the Internet, fearing that the medium will be essential for their future economic success.

But the greatest value of the Internet certainly goes far beyond the actual numbers of people on-line, asserts Jagdish Parikh of Human Rights Watch in New York City. "How many people in China have Internet access? Not many," he notes. "But then why is the government there rushing to make laws restricting access?
It's because the Internet makes people realize that they should have the legal, codified right to information."

Spyderco Psyops.

----------------------------------------------
**********************************************
Linux on OS/390 - Slider & 0mega1
**********************************************

<MuFtAk> s/390 sucks
<Slider> Another happy user then?

I wrote this shit caus there are so many retards out there that think they're cool when they bitch about S/390 and Linux, Y00 no nothing biatchs :]

"HerE We G0 AgaIn, He'S gOnnA Say sOmeThiNg BrIGht..."

The strengths of S/390 are well known. Rock-solid reliability, the ability to run multiple diverse workloads and highly scalable technology make S/390 an ideal choice for hosting key e-business applications. Now Linux has joined the S/390 family of operating systems, bringing a wealth of open source applications, middleware and trained, talented developers to help you respond to your business challenges quicker than ever before.

"SouNdS Gr00veY, Can iT HavE My BaBys?"

It doesn't matter if you are a dot-com company or a bricky; the Internet and e-business are now changing everything: the way we interact with and reach customers; how we work with our partners, our suppliers, their suppliers, our contractors and sub-contractors; in fact the products, processes and procedures that make up our very organizations. Through these changes, we face an era of business innovation, an era in which opportunity and complexity may go hand in hand. However, it doesn't have to be that way. Through the adoption of truly open industry standards we can reduce and eliminate much of the complexity and allow business innovation to flourish.

Yet we are witnessing only the emergence of e-business! The initial solutions and approaches resemble the initial steps of a child: random, somewhat uncoordinated, many taken very quickly, with occasional stumbles.
Yet, as with a small child, this is also an essential part of the growth and maturity of e-business, and of the next generation of e-business solutions. Some people feel that, like a child, e-business will take 20 years to become fully mature, fully useful and able to fulfil its destiny. It is not important whether you agree with this or not; what is important is that you recognize and accept that we are at the crossroads of a number of interdependent generations of technologies. Web browser and web server technologies, wireless and mobile devices, and web application programming all serve the Internet/e-business arena. Yet all face a rapid succession of changes and progression, as the new business requirements of the Internet and new technology force a never-ending succession of revisions, extensions and re-examination of what is used, how it is used and what we can do with it. In this environment there appear to be a number of established and emerging technologies that will continue to evolve at a rate and in a way that can benefit users, developers and suppliers alike, and which seem to offer the biggest and best opportunity to support the rapid progression and evolution of the Internet and e-business towards maturity.

"WhaT Th3 FuCK haS MatUritY g0t tO Do wIth ThIs ShIt ???"

- Native S/390 installation and operation of Linux

-- In a native LPAR on S/390

Linux can be installed on S/390 hardware under VM, under VSE and in a native LPAR. The intent of this bit is to step you through the process of building an IPLable Linux for S/390 tape, IPLing from it, customizing a new file system and IPLing once more, this time from DASD.

--- Assumptions

* It is assumed that the installer has access, or can work with an individual who does have access, to an OS/390 operating system in order to do the following:
  - ftp files from a workstation to OS/390
  - use a userid capable of submitting JCL to copy code and create 3490 IPL tapes
  - authorization to vary devices online and offline
* Access to a tape drive such as a 3490 and, of course, a 3490 (or equivalent) tape. Make sure you know the unit address/device number of the tape drive.
* Access to a Hardware Management Console (HMC)
* All downloaded code mentioned in this chapter came off the version 2.2.15 Marist distribution dated 05/19/00.

--- Skills and resources required

"SkilLs, WoT ThE fUck aRe SkiLLs BiatCh?"

You may be saying, "I'm a Linux 'GuRu' programmer. Why should I be worried about where, what and how Linux is installed as far as hardware is concerned?". He/she is correct, once Linux is activated. But before that is true, some planning and prior knowledge like the following is required:

* Either doing it yourself or having a "system programmer"-type carve out a partition for Linux out of an OS/390 Central Electronics Complex (CEC). I doubt you will have a whole dedicated machine for this. We have seen that a mixture of both Linux/Unix skills and OS/390 skills is required for the Linux for S/390 install.
* At least read access to the system IOCDS to see the channel path id (chpid) layout of the Linux partition.
* Direct access storage device (DASD) and the layout that will be used by Linux for S/390. How much DASD is required? Note that Linux will only be able to access 64 DASD devices. If you only expect to IPL from tape to satisfy your curiosity then DASD will not be needed.
* Limited knowledge of the text editor vi.
* If connectivity through a network is desired then knowledge of the network is required. The following information should be obtained before attempting a Linux for S/390 network-enabled install:
  *- Type of network device (OSA2 token ring or ethernet, CTC, or ESCON)
  *- Host name of the Linux for S/390
  *- IP address of the Linux for S/390
  *- Peer IP address (for CTC or ESCON), or
  *- Broadcast IP address (for OSA2, typically x.y.z.255)
  *- Gateway IP address (for OSA2)
  *- Domain name server IP address
  *- Subnet mask
  *- Network address (typically x.y.z.0)
  *- DNS search domain (e.g. www.slidersecurity.co.uk)

- Hardware preparation

"nOw whErE tHe FucK dId I pUt It?"

Linux for S/390 runs in a separate partition. It does not run on top of the OS/390 operating system, as you might think, the way Unix System Services does.

* A minimum of 1 CPU is required. It need not be dedicated. However, in order to better monitor the partition and debug problems, we would recommend that you first install and test on one dedicated processor and then change that when the system goes into production.
* Linux for S/390 has a maximum RAM size of 2Gb. Therefore it would be unnecessary to allocate more than 2 Gb of central storage for your Linux partition. The absolute minimum amount of storage required for Linux for S/390 is approximately 12MB, but your possibilities are limited with such a system. Of course this will vary from installation to installation, since we do not know what the reader of this book intends to do with the Linux for S/390 system. We do recommend a minimum system of 64MB. This should be enough to do daily Linux work for 1-5 users and have a web server running.
* At the time of writing this book, kernel version 2.2.14 contained a maximum-number-of-devices limitation. That is, if more than 1000 devices were configured online to the Linux for S/390 partition, the kernel would get confused on IPL and hang. No error messages would be displayed, and no disabled wait state either. This limitation was lifted with kernel version 2.2.15. This version of the kernel was IPLed and run by us, but on an LPAR that did not have over 1000 devices online to it.
Therefore, that aspect of 2.2.15 has not been tested. As a minimum we recommend that only the required device chpids be online for the Linux for S/390 partition during its first installation. They are:
  *- DASD (if more than a tape IPL is expected)
  *- 3490 tape drive
  *- OSA card or communication equivalent

--- Hardware used

The following are the specifications of the system used to install and customize Linux for S/390 during the writing of this text. This does not mean that the system you use must adhere to the same specifications.

System:           9672-X77
Central storage:  768Mb
Expanded storage: 64Mb (not accessible)
Cpus:             2 (shared)
Chpids:           3 online (DASD, tape drive and OSA card)
OSA card:         OSA-2 Token Ring/Ethernet (10Mbit)

-- Activating Linux for S/390

To install Linux for S/390 on a native LPAR you will:

1. Build an IPLable tape from downloaded code
2. Activate your Linux for S/390 partition via tape
3. Format direct access storage device (DASD) and create file systems if a DASD IPL is desired
4. Uncompress a file system on the formatted DASD
5. Customize files on the file system
6. Create and activate swap space
7. Re-IPL from DASD

And that is the quick way. At the time of writing this text the installation part written by 0mega1 had not been completed :[ So if anyone really, really, really wants it then I might be able to bug him until he gives it to me to send out... But no promises :[

  - Slider

- Linux for S/390 bootup and shutdown

At this point we assume you have a Linux for S/390 system up and running and have seen many messages during the initial load of Linux for S/390. Let's have a closer look at what happens at system startup and shutdown time.

"ThIs bIt GeTs Fun BiaTch's"

-- Kernel initialization

To boot the system, the Linux for S/390 kernel is loaded into memory either from the initrd image (RAM disk) or from the hard disk (DASD) you created with the silo command. At initialization time the kernel prints messages to the system console, logging the process.
Most of the messages are saved in the system log files.

Linux version 2.2.15 (root@0wned)(gcc version 2.95.2 19991024 (release)) #4 SMP Tue May 17 19:45:19 EDT 2000
Command line is: mdisk=400 dasd=190,19e,19f,19d,191,200,300,400,192 root=/dev/dasdf1 ro noinitrd   (1)
We are running under VM                                                                             (2)
This machine has no IEEE fpu
Initial ramdisk at: 0x00800000 (8388608 bytes)
Detected device 0009 on subchannel 0000 - PIM = 80, PAM = 80, POM = FF                              (3)
......
Detected device 080A on subchannel 000E - PIM = 80, PAM = 80, POM = FF
Detected device 080B on subchannel 000F - PIM = 80, PAM = 80, POM = FF
Highest subchannel number detected: 16
SenseID :Device 0009 reports: Dev Type/Mod = 3215/00
SenseID :Device 000C reports: Dev Type/Mod = 3505/00
SenseID :Device 0190 reports: CU Type/Mod = 3990/E9, Dev Type/Mod = 3390/0A
.......
SenseID :Device 0191 reports: CU Type/Mod = 3990/E9, Dev Type/Mod = 3390/0A
SenseID :Device 0200 reports: CU Type/Mod = 3990/E9, Dev Type/Mod = 3390/0A
SenseID :Device 0300 reports: CU Type/Mod = 3990/E9, Dev Type/Mod = 3390/0A
SenseID :Device 0400 reports: CU Type/Mod = 3990/E9, Dev Type/Mod = 3390/0A
SenseID :Device 0192 reports: CU Type/Mod = 3990/E9, Dev Type/Mod = 3390/0A
SenseID :Device 080A reports: Dev Type/Mod = 3088/08
SenseID :Device 080B reports: Dev Type/Mod = 3088/08
dasd: added dasd range from .....                                                                   (4)
Calibrating delay loop... 147.05 BogoMIPS                                                           (5)
Memory: 119424k/131072k available (1052k kernel code, 4k reserved, 2400k data, 0k init)
Dentry hash table entries: 16384 (order 5, 128k)
Buffer cache hash table entries: 131072 (order 7, 512k)
Page cache hash table entries: 32768 (order 5, 128k)
POSIX conformance testing by UNIFIX
Detected 1 CPU's
Boot cpu address 0
cpu 0 phys_idx=0 vers=FF ident=0D0822 machine=9672 unused=0000
Linux NET4.0 for Linux 2.2
Based upon Swansea University Computer Society NET3.039
NET4: Unix domain sockets 1.0 for Linux NET4.0.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP
TCP: Hash tables configured (ehash 131072 bhash 65536)
Starting kswapd v 1.5
RAM disk driver initialized: 16 RAM disks of 8192K size
mnda: register device at major 5F with 179803 blocks 4096 blksize   (6)
mndb: register device at major 5F with 179803 blocks 4096 blksize
loop: registered device at major 7
dasd:initializing...
dasd(eckd):3390/a (3990/1) Cyl: 107 Head: 15 Sec: 224
dasd(eckd):Estimate: 58786 Byte/trk 2074 byte/kByte 33 kByte/trk
dasd(eckd):Verified: 58786 B/trk 5202 B/Blk(4096 B) 12 Blks/trk 48 kB/trk
dasd:77040 kB <- 'soft'-block: 4096, hardsect 4096 Bytes
dasd:devno 190 added as minor 0 (ECKD)
..........
Partition check:                                                    (7)
 dasda:(nonl)/      : dasda1
 dasdb:(nonl)/      : dasdb1
 dasdc:(CMS1)/Z-DISK: dasdc1(CMS)
 dasdd:(CMS1)/HELP! : dasdd1(CMS)
 dasde:(CMS1)/LIN191: dasde1(CMS)
 dasdf:(nonl)/      : dasdf1
xpraminfo:initializing:
xpraminfo: number of devices (partitions): 1
xpraminfo: size of partition 0 to be set automatically
xpraminfo: hardsector size: 4096B
xpraminfo: 20480 kB expanded memory found.
xpraminfo: automatically determined partition size: 20480 kB
channel: 2 Parallel channel found - 0 ESCON channel found
ctc0: read dev: 080a irq: 000e - write dev: 080b irq: 000f          (8)
VFS: Mounted root (ext2 filesystem) readonly.                       (9)
Freeing unused kernel memory: 0k freed
INIT: version 2.74 booting                                          (10)

"ThaTs SoMe KinKy ShiT Y00 goT TheRe"

(1) Display of the currently active kernel parameters from the parameter file. These parameters are:

    root=   device corresponding to the root filesystem. The parameter ro (read-only) says that the root filesystem should be mounted read-only for the filesystem check; later during the system startup it is remounted read-write. noinitrd has to be specified when the kernel is compiled with ramdisk support but there is no ramdisk.
            Here are two examples:
            /dev/ram0 ro            points to the ramdisk
            /dev/dasda ro noinitrd  points to a disk
    mdisk=  mini disks that are associated to the system, in the order of device node assignment.
    dasd=   DASD devices that are associated to the system, in the order of device node assignment.

(2) Detection of the environment Linux for S/390 is running in, which can be VM, native or LPAR.
(3) Detection of devices and device characteristics by subchannel.
(4) Honoring the dasd= specifications from the kernel parameters.
(5) Measurement of processor speed, which is used to calculate delay loops for several device drivers; in a shared environment like S/390 you will see different BogoMIPS values depending on the workload within the S/390 complex.
(6) Association of Linux device node, major number and minor number with the block devices; mnd = mini disk, dasd = DASD devices.
(7) Display of all devices specified by the dasd= kernel parameter. If these devices are formatted and reserved by VM/CMS, the type and volume information is displayed. Devices formatted and reserved by CMS are displayed as:
        dasd<letter>:(CMS1)/<volid> : dasd<letter>1 (MDSK)
    Devices formatted by CMS but not reserved are displayed as:
        dasd<letter>:(CMS1)/<volid> : dasd<letter>1 (CMS)
    The xpram* messages show information about expanded storage used with the xpram device driver.
(8) Initialization of the network devices like ctc, tr or eth.
(9) Mount of / (the root file system) as specified by the kernel parameter root=, and freeing of the memory used by the memory-loaded kernel until now.
(10) Entry into the init process basic startup.

-- Init process and runlevel
The following messages appear after entering the init process at boot time:

INIT: version 2.74 booting                                              (1)
Starting lcs module                                                     (2)
No lcs capible cards found
/lib/modules/2.2.14/net/lcs.o: init_module: Device or resource busy
Mounting proc filesystem                                    [ OK ]      (3)
/etc/rc.d/rc.sysinit: /proc/sys/kernel/sysrq: No such file or directory
unrecognized option `-S'
Setting clock (srm): Thu May 12 18:42:04 EDT 2000           [ OK ]
Activating swap partitions
swapon: warning: /dev/dasdi1 has insecure permissions 0644, 0600 suggested
swapon: cannot stat /mnt/swap/swapfs1: No such file or directory        (4)
swapon: cannot stat /mnt/swap/swapfs2: No such file or directory
                                                            [FAILED]
Setting hostname linux6                                     [ OK ]
Checking root filesystem
/dev/dasdf1: clean, 31367/225344 files, 163545/449997 blocks
                                                            [ OK ]
Remounting root filesystem in read-write mode               [ OK ]
Finding module dependencies                                 [ OK ]
Checking filesystems
/dev/dasdg1: clean, 13/27008 files, 23918/26997 blocks
                                                            [ OK ]
Mounting local filesystems                                  [ OK ]
Enabling swap space                                         [ OK ]
INIT: Entering runlevel: 3                                              (5)
Entering non-interactive startup
Bringing up interface lo                                    [ OK ]
Bringing up interface ctc0                                  [ OK ]
Starting portmapper:                                        [ OK ]
Initializing random number generator                        [ OK ]
Mounting other filesystems                                  [ OK ]
Starting system logger:                                     [ OK ]
Starting kernel logger:                                     [ OK ]
Starting INET services:                                     [ OK ]
Starting httpd:                                             [ OK ]
Starting X Font Server:                                     [ OK ]
Give root password for maintenance
(or type Control-D for normal startup):

"ThiS ShIt Is gEttIng ScarY Man"

(1) Start of the init process, which runs rc.sysinit; at this point the boot process switches to the customizable part.
(2) Loading of the lcs (LAN channel station) driver module for OSA card enablement; this is done with the insmod or modprobe command.
(3) More basic settings are made as defined in the shell script rc.sysinit, which executes tasks like clock setting and filesystem checking and mounting.
(4) Startup of swap devices (swap files and swap devices as listed in /etc/fstab).
(5) Entry into runlevel 3.
-- System init and inittab

The kernel starts the init process (which always has process id 1), which first reads /etc/inittab. This file describes which processes are started at bootup and which processes should be started and/or restarted after termination in a running Linux environment. Inittab syntax is specified in a fixed format:

    code:runlevel:action:command

    code      2-4 character identifier (usually only 2)
    runlevel  specifies by runlevel number where this command is executed
    action    determines what to do; possible actions are:
                initdefault  sets the default runlevel
                sysinit      basic system init that runs only once at boot time
                respawn      restart the command if it terminates
                wait         wait for completion before doing anything else
    command   the command to execute

-- Basic system initialization

For basic system initialization, init calls rc.sysinit (/sbin/init.d/boot for SuSE) as specified in the sysinit row of /etc/inittab. This shell script activates the necessary modules like the lcs device driver, synchronizes the system clock with the underlying layer (TOD or simulated by VM) and checks and mounts the filesystems. Our rc.sysinit looked like this (abbreviated):

[root@0wned init.d]# cat rc.sysinit
. /etc/sysconfig/network

# Source functions.
. /etc/rc.d/init.d/functions

insmod /lib/modules/2.2.14/net/lcs.o

# Print a banner. ;)

action "Mounting proc filesystem" mount -n -t proc /proc /proc

. /etc/sysconfig/clock

action "Activating swap partitions" swapon -a

action "Setting hostname ${HOSTNAME}" hostname ${HOSTNAME}

# Set the NIS domain name
if [ -n "$NISDOMAIN" ]; then
    action "Setting NIS domain name $NISDOMAIN" domainname $NISDOMAIN
fi

if [ -f /fsckoptions ]; then
    fsckoptions=`cat /fsckoptions`
fi

STRING="Checking root filesystem"
initlog -c "fsck -T -a $fsckoptions /"

# Add /proc to /etc/mtab
mount -f -t proc /proc /proc

# Enter root and /proc into mtab.
mount -f /
mount -f /proc

# Mount all other filesystems (except for NFS and /proc, which is already
# mounted).
action "Mounting local filesystems" mount -a -t nonfs,smbfs,ncpfs,proc

# Configure machine if necessary.
if [ -x /usr/bin/passwd ]; then
    /usr/bin/passwd root
fi
if [ -x /usr/sbin/netconfig ]; then
    /usr/sbin/netconfig
fi
if [ -x /usr/sbin/timeconfig ]; then
    /usr/sbin/timeconfig
fi
if [ -x /usr/sbin/authconfig ]; then
    /usr/sbin/authconfig --nostart
fi
if [ -x /usr/sbin/ntsysv ]; then
    /usr/sbin/ntsysv --level 35
fi

# Reread in network configuration data.
. /etc/sysconfig/network

# Reset the hostname.
action "Resetting hostname ${HOSTNAME}" hostname ${HOSTNAME}

# Reset the NIS domain name.
action "Resetting NIS domain name $NISDOMAIN" domainname $NISDOMAIN

# Delete X locks
rm -f /tmp/.X*-lock

# Right, now turn on swap in case we swap to files.
swapon -a >/dev/null 2>&1

# Make kernel headers (the body of the here-document is omitted from this listing)
cat > /boot/kernel.h << EOF
EOF

# Now that we have all of our basic modules loaded and the kernel going,
# let's dump the syslog ring somewhere so we can find it later
dmesg > /var/log/dmesg

"Wow tHaT iS KinDa FuNky bAbY"

-- Linux runlevel

After basic initialization the system switches to a so-called runlevel, which means that a certain set of processes is started. Several different runlevels are available: runlevels 0 and 6 are reserved for system usage, and runlevel 1 should be kept unchanged for emergency assistance. Runlevels 2-5 have a predefined behaviour but are open for modification by the system administrator.

+-----------+----------------------------------------------+
| run level | description                                  |
+-----------+----------------------------------------------+
| 0         | Halt the system                              |
| 1         | Single user mode                             |
| 2         | Multiuser mode without NFS                   |
| 3         | Multiuser mode                               |
| 4         | Unused                                       |
| 5         | Multiuser mode with graphical login (X11)    |
| 6         | Reboot the system                            |
+-----------+----------------------------------------------+

You can find the scripts executed by the rc script in the directory /etc/rc.d/init.d/ (/sbin/init.d/ for SuSE).
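As an added example (not code from the article or from any distribution), the following POSIX shell script ties the two mechanisms of this section together: it parses a constructed inittab in the code:runlevel:action:command format described above to find what init acts on for a runlevel, and it rebuilds the rc3.d directory from the ls -l listing further down this section as throw-away symlinks, so the Snn/Knn start and stop order the rc script follows can be derived and checked. All file contents, directory names and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the article: parse an inittab and derive the
# rc<runlevel>.d start/stop order. All inputs below are constructed.

SAMPLE_INITTAB='# constructed sample inittab (not a real system file)
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l6:6:wait:/etc/rc.d/rc 6
1:2345:respawn:/sbin/mingetty tty1
this line is malformed
ca::ctrlaltdel:/sbin/shutdown -t3 -r now'

# Print the default runlevel (the runlevel field of the initdefault entry).
inittab_default_runlevel() {
    printf '%s\n' "$1" | awk -F: '$3 == "initdefault" { print $2; exit }'
}

# Print "code action command" for each entry init acts on at runlevel $2.
# An entry applies when its runlevel field is empty (sysinit, ctrlaltdel)
# or contains the runlevel digit; initdefault is not a command and is skipped.
# Malformed lines (fewer than four fields) are reported on stderr.
inittab_entries_for_runlevel() {
    printf '%s\n' "$1" | awk -F: -v rl="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF < 4 { print "MALFORMED: " $0 > "/dev/stderr"; next }
        $3 == "initdefault" { next }
        $2 == "" || index($2, rl) > 0 {
            cmd = substr($0, length($1) + length($2) + length($3) + 4)
            print $1, $3, cmd
        }'
}

# Build a throw-away rc3.d mirroring the article listing; prints its path.
make_sample_rc3d() {
    base=$(mktemp -d)
    mkdir -p "$base/init.d" "$base/rc3.d"
    : > "$base/rc.local"
    for link in K55routed K80nscd S00netsetup S10network S11portmap S20random \
                S25netfs S30syslog S50inet S85httpd S90xfs; do
        svc=${link#???}                  # drop the S/K letter and two digits
        : > "$base/init.d/$svc"
        ln -s "../init.d/$svc" "$base/rc3.d/$link"
    done
    ln -s ../rc.local "$base/rc3.d/S99local"
    echo "$base/rc3.d"
}

# Print "nn service" for the $2 (S or K) links in directory $1, in the
# order the rc script runs them (K links get "stop", S links get "start").
rc_sequence() {
    for link in "$1"/"$2"[0-9][0-9]*; do
        [ -L "$link" ] || continue
        name=${link##*/}
        printf '%s %s\n' "$(printf '%s' "$name" | cut -c2-3)" "${name#???}"
    done | sort -n
}
rc_start_sequence() { rc_sequence "$1" S; }
rc_stop_sequence()  { rc_sequence "$1" K; }

# Succeed only if service $2 is started after service $3 in runlevel dir $1,
# e.g. httpd after network; fail if either link is missing.
rc_starts_after() {
    a=$(rc_start_sequence "$1" | awk -v s="$2" '$2 == s { print $1; exit }')
    b=$(rc_start_sequence "$1" | awk -v s="$3" '$2 == s { print $1; exit }')
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -gt "$b" ]
}

# Add a start link the way the article does (ln -s ... S95myscript), but
# refuse names that do not follow the Snn<script> convention.
rc_add_start_link() {
    case "$3" in
        S[0-9][0-9]?*) ln -s "$2" "$1/$3" ;;
        *) echo "bad link name: $3 (want Snn<script>)" >&2; return 1 ;;
    esac
}

# Stand-alone run: what init does when entering the default runlevel.
demo_dir=$(make_sample_rc3d)
echo "default runlevel: $(inittab_default_runlevel "$SAMPLE_INITTAB")"
inittab_entries_for_runlevel "$SAMPLE_INITTAB" 3
echo "rc stop order:";  rc_stop_sequence "$demo_dir"
echo "rc start order:"; rc_start_sequence "$demo_dir"
rm -rf "${demo_dir%/rc3.d}"
```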
One example is the netsetup script, started at the first Linux boot to create the network parameter files like /etc/HOSTNAME, /sysconfig/network and /sysconfig/network-scripts/ifcfg-<ip-dev>. These scripts, which manage startup and stop of certain services (typically daemons), have a common structure that defines a set of possible actions like start, stop, status, restart and reload. The syslog script that starts the syslog daemon may serve as an example:

[root@0wned init.d]# cat syslog
#!/bin/sh
#
# syslog        Starts syslogd/klogd.
#
#
# chkconfig: 2345 30 99
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run syslog.

# Source function library.
. /etc/rc.d/init.d/functions

[ -f /sbin/syslogd ] || exit 0
[ -f /sbin/klogd ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting system logger: "
        # we don't want the MARK ticks
        daemon syslogd -m 0
        RETVAL=$?
        echo
        echo -n "Starting kernel logger: "
        daemon klogd
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
        ;;
  stop)
        echo -n "Shutting down kernel logger: "
        killproc klogd
        echo
        echo -n "Shutting down system logger: "
        killproc syslogd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/syslog
        ;;
  status)
        status syslogd
        status klogd
        RETVAL=$?
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  *)
        echo "Usage: syslog {start|stop|status|restart}"
        exit 1
esac

exit $RETVAL

"kAmakAzI bUlL sHiT bIatCh!"

To get the status of the syslog service, call the script with the entrypoint status:

/etc/rc.d/init.d/syslog status

The following messages indicate the status:

syslogd (pid 308) is running...
klogd (pid 319) is running...

The entrypoints start, stop and restart can be used similarly. Symbolic links to scripts like this determine which services are started (and in which order) in a certain runlevel. The separate runlevels correspond to the links in the directories /etc/rc.d/rc<runlevel>.d.
The name Snn<script> refers to the script called with the start (S = start) parameter, Knn<script> to the script called with the stop (K = kill) parameter. The sequence in which the scripts are run is determined by the nn number in the name of the link. On our system the links for runlevel 3 were these:

[root@0wned rc3.d]# ls -l /etc/rc.d/rc3.d
total 0
lrwxrwxrwx   1 root     root           16 May  2 10:57 K55routed -> ../init.d/routed
lrwxrwxrwx   1 root     root           14 May  2 10:57 K80nscd -> ../init.d/nscd
lrwxrwxrwx   1 root     root           17 May  2 10:57 S00netsetup -> ../init.d/netsetup
lrwxrwxrwx   1 root     root           17 May  2 10:57 S10network -> ../init.d/network
lrwxrwxrwx   1 root     root           17 May  2 10:57 S11portmap -> ../init.d/portmap
lrwxrwxrwx   1 root     root           16 May  2 10:57 S20random -> ../init.d/random
lrwxrwxrwx   1 root     root           15 May  2 10:57 S25netfs -> ../init.d/netfs
lrwxrwxrwx   1 root     root           16 May  2 10:57 S30syslog -> ../init.d/syslog
lrwxrwxrwx   1 root     root           14 May  2 10:57 S50inet -> ../init.d/inet
lrwxrwxrwx   1 root     root           15 May  2 10:57 S85httpd -> ../init.d/httpd
lrwxrwxrwx   1 root     root           13 May  2 10:57 S90xfs -> ../init.d/xfs
lrwxrwxrwx   1 root     root           11 May  2 10:57 S99local -> ../rc.local

The script netsetup is called first (S00*), followed by network (S10*); the last to be executed is rc.local (S99*). One can add script calls by adding a symbolic link, e.g. to add a service (started by myscript) that should be started as the last one in this runlevel:

ln -s /etc/rc.d/init.d/myscript /etc/rc.d/rc3.d/S95myscript

S99local points to a special script where the system administrator can specify all actions that do not belong elsewhere. (Not all distributions use S99local. SuSE, for example, uses the script boot.local, which is called before the first runlevel is entered.)

-- shutdown

To bring the system down properly you issue the shutdown command:

shutdown -h <time>

Stops the system (by entering runlevel 0).
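To see which services a runlevel will start, and in which order, here is a small shell helper added for this article (it is not part of the original text or of any distribution's tools). It works on any directory laid out like /etc/rc.d/rc<N>.d; the make_demo_rc3 function builds a throwaway copy of part of the rc3.d listing above under a temporary directory, so the helper can be tried without root and without touching the real runlevel directories.

```shell
# Added example, not from the article: inspect an rc<N>.d directory the
# way init does and answer "what starts, in which order?"

# rc_order DIR S|K -> "<nn> <service>" lines in execution order
rc_order() {
    dir=$1
    kind=$2
    for link in "$dir"/"$kind"[0-9][0-9]*; do
        # an unmatched glob leaves the pattern itself behind; skip it
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=$(basename "$link")
        nn=$(printf '%s' "$name" | cut -c2-3)      # the sequence number
        svc=$(printf '%s' "$name" | cut -c4-)      # the script name
        printf '%s %s\n' "$nn" "$svc"
    done | sort -n
}

# rc_enabled DIR SERVICE -> exit status 0 if an S link for SERVICE exists
rc_enabled() {
    rc_order "$1" S | grep -q " $2\$"
}

# make_demo_rc3 -> path of a constructed rc3.d mirroring the listing above
make_demo_rc3() {
    d=$(mktemp -d)
    mkdir -p "$d/init.d" "$d/rc3.d"
    for s in routed nscd netsetup network syslog httpd; do
        : > "$d/init.d/$s"
    done
    ln -s ../init.d/routed   "$d/rc3.d/K55routed"
    ln -s ../init.d/nscd     "$d/rc3.d/K80nscd"
    ln -s ../init.d/netsetup "$d/rc3.d/S00netsetup"
    ln -s ../init.d/network  "$d/rc3.d/S10network"
    ln -s ../init.d/syslog   "$d/rc3.d/S30syslog"
    ln -s ../init.d/httpd    "$d/rc3.d/S85httpd"
    printf '%s\n' "$d/rc3.d"
}

# usage: list the start order of the constructed runlevel, then clean up
demo=$(make_demo_rc3)
rc_order "$demo" S
rm -rf "$(dirname "$demo")"
```

On a real system `rc_order /etc/rc.d/rc3.d S` lists what runlevel 3 starts; comparing that list against what you expect to be running is a quick way to notice a service that was enabled without your knowledge.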
During shutdown the filesystem buffers are written to the physical devices (disks), the filesystems are marked as clean and finally unmounted. An improper shutdown (like simply deactivating the system via the HMC) would leave the filesystems marked as not clean and cause a filesystem check at the next reboot.

shutdown -r <time>

or reboot enters runlevel 6 to halt and restart the system. With the shutdown command one must always specify the time (now, +mm, time of day) to halt the system:

shutdown -h now       halt the system immediately
shutdown -h +10       halt the system in 10 minutes
shutdown -h 13:00     halt the system at 1:00 pm

If you want to cancel the shutdown you issue a shutdown -c command. Shutdown messages are printed on the console:

[root@0wned /root]# shutdown -h now
INIT: Switching to runlevel: 0                           (1)
INIT: Sending processes the TERM signal
INIT: Sending processes the KILL signal                  (2)
Shutting down X Font Server:                    [  OK  ]
Shutting down http:                             [  OK  ]
Stopping INET services:                         [  OK  ]
Saving random seed                              [  OK  ]
Stopping portmap services:                      [  OK  ]
Shutting down interface ctc0                    [  OK  ]  (3)
Disabling IPv4 automatic defragmentation        [  OK  ]
Shutting down kernel logger:                    [  OK  ]
Shutting down system logger:                    [  OK  ]
Starting killall                                [  OK  ]
Sending all processes the TERM signal...
Turning off swap                                          (4)
Unmounting filesystems
Unmounting proc filesystem

(1) The init process switches to runlevel 0. The processes receive a TERM signal and have some time to shut down gracefully.
(2) The processes that are still alive are simply killed.
(3) The network devices and kernel modules are deactivated.
(4) The swap spaces are deactivated and the filesystems are unmounted.

"Wow ThaT wAs ReALly FunKy bAbY"

- Linux for S/390 Administration

The first part of this bit describes tasks to perform for accessing devices in Linux for S/390. The second part lists tasks to administer the usage of the system, i.e. user administration, shells and the basic security settings.

-- Devices

For Unix everything is a file.
The hardware (such as disks and printers) attached to the system and many software mechanisms (e.g. the virtual garbage can, /dev/null) are represented as so called devices within Linux. The devices correspond to special files (device files or device nodes) usually found in the directory /dev/. With this layer of abstraction it is possible to operate on *everything* using file operations. As an example, one does not need special commands to fill the entire disk represented by /dev/dasdf with zeros; a simple

dd if=/dev/zero of=/dev/dasdf

does it (the device /dev/zero is the Linux source of zero bytes). The above rather destructive command may seem pretty useless, as it does not leave anything useful on the whole disk; however, in situations where data has to be physically erased (for security reasons) this is the way (removing a file only unlinks it from its inode, the contents are still somewhere on the disk surface).

There are two types of devices, block devices (block oriented operation) and character devices (character oriented operation). With block devices (most notably disks) the data transfer happens in multiples of their blocksize. Character devices transfer data in units of bytes.

To work with anything via its device three conditions must be met:

0) (If a piece of hardware) it must be attached.
1) The Linux kernel must support it. With Linux the kernel device drivers can be compiled either into the kernel binary itself or compiled as modules that can be loaded after boot.
2) The appropriate device file must be present. The type of the device is determined by its major number. The minor number typically selects one particular device of several identical devices or a certain part of one device (like a partition on a disk). The major and minor numbers are listed in the file /usr/src/linux/Documentation/devices.txt.
The major and minor numbers of the device files are listed by simply using the ls -l command:

brw-r--r--   1 root     root      94,   0 Feb 20 09:14 dasda
brw-r--r--   1 root     root      94,   1 Feb 20 09:14 dasda1
brw-r--r--   1 root     root      94,   4 Feb 20 09:14 dasdb
brw-r--r--   1 root     root      94,   5 Feb 20 09:14 dasdb1
brw-r--r--   1 root     root      94,   8 Feb 20 09:14 dasdc
brw-r--r--   1 root     root      94,   9 Feb 20 09:15 dasdc1

The file /proc/devices can be used to get a list of device types supported by the kernel; the output is a list of major numbers followed by the base name of the appropriate device file:

[root@0wned /proc]# cat /proc/devices
Character devices:
  1 mem
  2 pty
  3 ttyp
  4 ttyS
  5 ptmx
 10 misc
128 ptm
136 pts

Block devices:
  1 ramdisk
  7 loop
 35 xpram
 94 dasd
 95 mnd

The last line tells us that the device files for the minidisks are named (/dev/)mnda, mndb, mndc and so on. The partitions on mnda will correspond to mnda1, mnda2, mnda3 etc.

-- Creating a device node: mknod

Device nodes associate a major number, which identifies the device type, with a minor number, which identifies the unit of a device. They allow programs to access hardware devices through the kernel device drivers. All device nodes are located in the directory /dev. Use the mknod command (as superuser) to create a new device node:

mknod [-m permissions] name type major minor

where type is c for a character device or b for a block device. The permission option -m is optional, but consider what permissions are really needed on the device. Wrongly set permissions may give unwanted access to a device (through raw reads on the device node), bypassing file security. Write access to the device node even allows formatting or the creation of a partition or filesystem. To create a device node for the ninth dasd device issue the command:

mknod /dev/dasdi b 94 32

-- Linux for S/390 device node assignment

The kernel parameters influence the association of device nodes. This could be important as your file systems including the root file system are accessed through a device node mapping, e.g.
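As a check for the permission caveat just described, here is a small audit helper added for this article (it is not from the original text). It reads ls -l output of a device directory on standard input and reports every block device node that users other than the owner can read or write, since a readable disk node lets any local user read raw filesystem contents and a writable one lets them overwrite them. sample_dev_listing supplies a constructed listing (modelled on the dasd lines above plus a few pseudo devices) so the helper runs without access to /dev.

```shell
# Added example, not from the article: audit block device nodes for
# group/other access. Feed it "ls -l /dev" output on stdin.

# dev_audit -> "<node> <mode> readable|writable|readable+writable" for each
# block device that group or other can read or write
dev_audit() {
    awk '
        $1 ~ /^b/ {
            perm = substr($1, 1, 10)   # drop a trailing ACL or SELinux marker
            flag = ""
            # positions 5/8 are group/other read, 6/9 are group/other write
            if (substr(perm, 5, 1) == "r" || substr(perm, 8, 1) == "r")
                flag = "readable"
            if (substr(perm, 6, 1) == "w" || substr(perm, 9, 1) == "w") {
                if (flag == "") flag = "writable"; else flag = flag "+writable"
            }
            if (flag != "") print $NF, perm, flag
        }'
}

# sample_dev_listing -> constructed ls -l lines in the style of the article
sample_dev_listing() {
    cat <<'EOF'
brw-r--r--   1 root     root      94,   0 Feb 20 09:14 dasda
brw-r--r--   1 root     root      94,   1 Feb 20 09:14 dasda1
brw-rw-rw-   1 root     disk      94,   4 Feb 20 09:14 dasdb
brw-rw----   1 root     disk      94,   8 Feb 20 09:14 dasdc
crw-rw-rw-   1 root     root       1,   3 Feb 20 09:14 null
crw-------   1 root     root       1,   1 Feb 20 09:14 mem
-rw-r--r--   1 root     root            0 Feb 20 09:14 notadevice
EOF
}

# usage: sample_dev_listing | dev_audit
# on a real system:  ls -l /dev | dev_audit
sample_dev_listing | dev_audit
```

Note that the listing in the article itself (mode brw-r--r--) would be reported: those disk nodes are world-readable. Creating them with `mknod -m 640 /dev/dasdi b 94 32`, or fixing existing ones with chmod, closes that.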
root=/dev/dasda1. When no DASD kernel parameters are specified, the system will auto detect the DASD devices. The order is determined by subchannel; see the extract of the boot messages:

Detected device 0190 on subchannel 0004 - PIM = F0, PAM = F0, POM = FF
Detected device 0191 on subchannel 0008 - PIM = F0, PAM = F0, POM = FF
Detected device 0200 on subchannel 0009 - PIM = F0, PAM = F0, POM = FF
Detected device 0300 on subchannel 0009 - PIM = F0, PAM = F0, POM = FF
Detected device 0400 on subchannel 0009 - PIM = F0, PAM = F0, POM = FF
Detected device 0192 on subchannel 000C - PIM = F0, PAM = F0, POM = FF

+--------------+--------------------------------+-----------------------------+
| unit address | expected device node           | device node assigned by     |
|              | (device ADR sequence)          | auto detect                 |
+--------------+--------------------------------+-----------------------------+
| 190          | /dev/dasda (minor 0)           | /dev/dasda (minor 0)        |
| 191          | /dev/dasdb (minor 4)           | /dev/dasdb (minor 4)        |
| 192          | /dev/dasdc (minor 8)           | /dev/dasdf (minor 20)       |
| 200          | /dev/dasdd (minor 12)          | /dev/dasdc (minor 8)        |
| 300          | /dev/dasde (minor 16)          | /dev/dasdd (minor 12)       |
| 400          | /dev/dasdf (minor 20)          | /dev/dasde (minor 16)       |
+--------------+--------------------------------+-----------------------------+

In this example, based on the unit addresses one would conclude that the device node association will look like the column *expected* in the table above. As you can see from the boot messages, the system uses a different method when auto detecting the devices, assigning device nodes based on the subchannel number; see the column *auto detect* for the result.
The file /proc/dasd/devices reports the dasd device numbers with their associated major and minor numbers:

# cat /proc/dasd/devices
dev#  MAJ minor  node        Format
0190   94     0  /dev/dasda  n/a
0191   94     4  /dev/dasdb  n/a
0192   94     8  /dev/dasdc  4096
0200   94    12  /dev/dasdd  4096
0300   94    16  /dev/dasde  4096
0400   94    20  /dev/dasdf  4096

Imagine you want to format the device with unit address 192 without first looking in the /proc/dasd/devices file. You would specify the device node /dev/dasdc, as the device is the third dasd in the device number sequence, but this will format the device 200 instead! To avoid this and have the DASD ordered at your convenience you can specify the kernel parameter dasd=. The order of appearance in the dasd= parameter line(s) determines the assignment of the device nodes.

dasd=190-192,200,300,400

This parameter line example will result in a device node assignment as shown in the column *expected device node depending on the device ADR sequence* in the table above.

-- Filesystem types

Linux supports various kinds of filesystems, among them are:

ext2      second extended filesystem, mainly developed for Linux, the de-facto standard Linux filesystem.
reiserfs  a journaled filesystem
nfs       network filesystem, used to access remote filesystems over the net
swap      swap *filesystem*, used to page out currently unused memory pages. Not mounted.
procfs    a virtual filesystem where the kernel provides system information accessible with file operations
smbfs     samba filesystem, allows file sharing with Windows clients

With Linux for S/390 you will most likely use the ext2 or the reiser filesystem.

"diD thAt TuRn Y00 On, oR jUsT mE?"

- Users and Groups

While a human Unix user enters his username (or login) and password to log on to the system, his identity is represented by a (unique, positive) integer for the Unix operating system. This number is called the user identifier (UID). By convention a lower UID range (e.g. 0..499) is reserved for accounts that exist for system level services.
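To make the dasd= ordering rule concrete before touching a disk, here is a helper added for this article (it is not from the original text or from the kernel) that computes the device node and minor number each unit address will get from a dasd= list. It assumes the layout shown in the tables above: four minor numbers per DASD (the whole device plus three partitions) and nodes lettered dasda, dasdb, ... in order of appearance. Compare its output with /proc/dasd/devices on the running system before formatting anything.

```shell
# Added example, not from the article: predict the device node that a
# dasd= kernel parameter assigns to each unit address.
# Assumption (matches the tables above): every DASD takes 4 minor numbers
# and nodes are lettered dasda, dasdb, ... in order of appearance.

# dasd_map "190-192,200,300,400" -> "<unit> <node> <minor>" per device
dasd_map() {
    letters=abcdefghijklmnopqrstuvwxyz
    idx=0
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;   # a range like 190-192
            *)   lo=$item;      hi=$item ;;        # a single unit address
        esac
        n=$(printf '%d' "0x$lo")                  # unit addresses are hex
        last=$(printf '%d' "0x$hi")
        while [ "$n" -le "$last" ]; do
            letter=$(printf '%s' "$letters" | cut -c$((idx + 1)))
            printf '%04X /dev/dasd%s %d\n' "$n" "$letter" $((idx * 4))
            n=$((n + 1))
            idx=$((idx + 1))
        done
    done
}

# dasd_node LIST UNIT -> the node UNIT gets under LIST, e.g.
# dasd_node "190-192,200,300,400" 192 -> /dev/dasdc
dasd_node() {
    unit=$(printf '%04X' "0x$2")
    dasd_map "$1" | awk -v u="$unit" '$1 == u { print $2 }'
}

# usage: the parameter line from the article
dasd_map "190-192,200,300,400"
```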
The user id zero is reserved for the so called super user or *root*. The super user can do anything (that can be done in user space) on the system. One should log on as root solely for administrative tasks, because any error while having root permissions can have disastrous results. Daemon users (with UIDs typically in the range 1..99) are accounts for programs running in the background which offer certain services. Examples are named (name service), wwwrun (http server script execution) and database backends like postfix. Which daemon users are actually present on a particular system depends on which services have been installed. Some daemons also run with root privileges. The user nobody (usually UID 65534) exists for certain tasks where no special rights are required (or wanted), like the automatic update of the file database.

Every user belongs to an (initial or login) group. Groups, similar to users, consist of a cleartext name and an integer identifier, the GID. One group can contain more than one user and one user can belong to more than one group (not only his login group). Groups are a means of granting certain rights to users. As an example, some users might be added to a group which grants the right to access a common working directory. Similarly, a user might make some files readable for the members of his login group. The command su allows one to run a shell with another UID (and GID). Authentication (entering the password of the account that one switches to) is required except for root.

-- Creating a user account: useradd

Use the useradd command to create a new user. The most important options are described below.

useradd [-c <comment>] [-d <home>] [-g <group>] [-G <additional groups>] [-m] [-s <shell>] [-u <uid>] [-p <passwd>] <username>

The options are

c   comment (usually the full name of the user)
d   the home directory to be created
g   the default group for the user, by name or by GID.
If you do not specify a group, Linux will create a group with the same name as the user and the next free group id >= 500. The user is then the only member of this new group.
G   additional groups the user should belong to
m   create the home directory specified by the -d option if it does not exist
s   basic shell, i.e. the program to run at login time
u   numeric user id associated with the user name. If this value is not specified, the system will assign the next free user id >= 500.
p   set the initial password

To add a user named user1 issue:

useradd -m -d /home/user1 -p dummypw -c 'Sam Adams' user1

This user will have the password dummypw, which he can change using the passwd command, cf. man passwd. New users are entered in the file /etc/passwd:

[root@0wned /etc]# tail -1 /etc/passwd
user1:!tyj61STZId5Iw!:501:501:Sam Adams:/home/user1:/bin/bash

The format of the passwd entries is

user:password:uid:gid:description:home:login_shell

The defaults used when creating a user are defined by settings in /etc/default/useradd. To display or change the defaults use useradd with the -D option. useradd -D may give

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel

To change the default password expiration time frame to 60 days use

useradd -D -e60

For further options valid with the -D option see the useradd man page.

-- Modifying a user account: usermod

To change the characteristics of a user use the usermod command. Its options are

c   new comment
g   new initial group id or group name for the user
G   comma separated list of supplementary groups the user should be in. The user will be removed from groups not listed here.
s   change the login shell
u   specify the user id for which to change any values
l   change the login name of the user

Some attributes can only be changed when the user is not currently logged in. usermod changes the file ownership of the user's home directory when changing any relevant data like the group id.
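Because UID 0 is what makes an account the super user, a defender checks /etc/passwd for accounts that share it, for duplicate UIDs in general and for empty password fields. The following helper is added for this article (it is not from the original text). It parses lines in the passwd format just shown, i.e. the classic format with the password hash in the second field as on the article's system rather than a separate shadow file, and sample_passwd supplies a constructed file with one of each problem.

```shell
# Added example, not from the article: audit /etc/passwd-format lines.
# Reports:  uid0 <name>    an account other than root with UID 0
#           dupuid <uid>   a UID shared by several accounts
#           nopass <name>  an empty password field (login without a password)

passwd_audit() {
    awk -F: '
        NF >= 7 {
            if ($3 == 0 && $1 != "root") print "uid0", $1
            if ($2 == "") print "nopass", $1
            seen[$3]++
        }
        END { for (u in seen) if (seen[u] > 1) print "dupuid", u }
    ' | sort
}

# sample_passwd -> constructed passwd file in the format shown above
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
user1:!tyj61STZId5Iw!:501:501:Sam Adams:/home/user1:/bin/bash
user2::502:502:Empty password field:/home/user2:/bin/bash
toor:x:0:0:Second super user:/root:/bin/bash
user3:x:501:501:Shares UID with user1:/home/user3:/bin/bash
EOF
}

# usage: sample_passwd | passwd_audit      (or: passwd_audit < /etc/passwd)
sample_passwd | passwd_audit
```

Two accounts with the same UID are the same identity to the kernel, so "dupuid 0" is reported as well as "uid0 toor": file ownership, process ownership and su all go by the number, not the name.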
usermod -u 500 -l name2

will assign a new name to the user with uid 500.

-- Deleting a user account: userdel

In order to delete a user account use

userdel -r user2

The option -r causes the home directory of the user to be deleted. userdel does not delete any files owned by the user that are not stored in the user's home directory. Files owned by the user can be found (before deleting the user) with:

find / -user user2

Automatic deletion of all those files can be achieved with

find / -user user2 -exec rm -f {} \;

Utmost care with the find/rm command is strongly advised; you might want to replace *-f* by *-i* in the above command line. The group(s) the user belongs to will not be deleted even if the user was the last user of that group.

-- Creating a new group: groupadd

To create a group use the groupadd command

groupadd [-g <groupid>] [-f] <groupname>

g   specifies the group id; group ids 0 - 499 are reserved for system usage
f   abort with an error if the group already exists

groupadd group1

creates a group named group1 with the next free gid >= 500.

groupadd -g 610 group2

creates a group named group2 with gid 610. The groups are listed in the file /etc/group:

[root@0wned /etc]# cat /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root
lp::7:daemon,lp
mem::8:
kmem::9:
wheel::10:root
mail::12:mail
news::13:news
uucp::14:uucp
man::15:
games::20:
gopher::30:
dip::40:
ftp::50:
nobody::99:
users::100:
utmp:x:22:
xfs:x:101:
group1:x:500:
group2:x:610:

This file has the following format

name:password_of_group:gid:list_of_users

-- Modifying a group: groupmod

To change a group use the groupmod command

groupmod [-g <gid>] [-n <newname>] <groupname>

g   change the group id
n   change the name of the group

The following example changes the GID of group1 to 603:

groupmod -g 603 group1

Beware that if you change the gid of a group, groupmod does not change the gid of the users and files.
This can result in problems accessing files.

-- Deleting a group: groupdel

Delete the group named group2 with

groupdel group2

The initial or primary group of any user cannot be deleted with groupdel. With the groups command you can determine to which groups a user belongs:

groups user1

-- File ownership and access permissions

Files created by some user belong to him and his login group. File ownership can only be changed by the super user. The group can also be changed by the owner of the file, but only to a group that he is a member of.

chown jj.math /somewhere/fft.c

makes jj the new owner of the named file and math its group.

chown -R fbi /elsewhere/xfiles/

makes fbi the new owner of the directory /elsewhere/xfiles/ and all the files and directories in it.

The access permissions (write, read, execute) for different domains of users (owner, initial group of owner, everybody) can be granted by the owner of the file.

chmod ug+x progfile

adds the permission to execute the file progfile for the owner (*u*, for user) and the members of the file's group (*g*).

chmod a+r message.txt

allows everybody (*a* for all) to read the file message.txt.

chmod -R go-rwx mysecrets/

withdraws the rights to read, write or execute (or enter directories) for mysecrets and any file or directory within it (option *-R*) from everybody except the file owner. The calling syntax for chmod is given in the chmod man page.

Listing files with ls -lF gives an output like

drwxr-xr-x   2 jj       users       12318 May  8 10:21 somedir/
-rw-------   1 jj       users       12318 May  8 23:21 secret.txt
-rwxr-x---   1 jj       users       11347 May  3 20:59 myprog*
-rw-r--r--   1 jj       users         103 May  2 15:47 myprog.c

The left column consists of 10 characters, the leftmost of these indicates the type (*d* for directory, *-* for regular files). The remaining nine characters are three fields each of the form *rwx* (read, write, execute) corresponding to user (the owner of the file), group and others.
The file secret.txt has read and write permissions for the owner but for nobody else. myprog can be executed by the owner and the members of his group; the owner also has write permissions. The file myprog.c can be edited by its owner and read by everybody. The directory somedir allows everybody to cd into it (*x* field set) but only the owner can create or delete files in it.

An often useful option for chmod is the *-c* switch: if actual changes in the file permissions took place, the resulting permissions are printed in the *rwx* format just described. The nine bits defining the access permissions can also be given in octal format with the chmod command:

chmod 750 myprog

is equivalent to

chmod u=rwx,g=rx,o= myprog

and results in the access permissions shown in the listing above. A so called umask controls the access rights of newly created files. The umask contains the permission bits that are unset for new files. The typical setting is 022, removing write permissions for everybody except the file owner. The paranoia setting would be 077, removing all access permissions for all but the file owner.

-- Changing passwords

The passwd command allows a user to change his password interactively by simply entering passwd without arguments. The old password must be entered first, then the new password has to be entered twice (to avoid problems caused by typos). The superuser can change the password of any user (without having to know the current password) by using the passwd command followed by the username. In order to enforce system security a regular (mandatory) change of user passwords can be obtained with the expire mechanism. The respective default parameter (PASS_MAX_DAYS, cf. man login.defs) can be set in the file /etc/login.defs. For an existing account an expiry date can be set by the usermod command:

usermod -e 2001-12-24 jj

will set the expiry date for the user jj to the 24 December 2001 (usermod expects the date in the form YYYY-MM-DD).
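The umask rule and the octal notation are easiest to believe when you watch them act on a real file. The following helper is added for this article (it is not from the original text): file_mode_under_umask creates a file and a directory under a given umask in a throwaway temporary directory and returns their ls -l mode strings, and octal_to_symbolic converts a mode such as 750 into the rwx form of the listing above.

```shell
# Added example, not from the article: see what a umask does to new files
# and translate octal modes into the rwx notation used by ls -l.

# mode_of PATH -> the 10-character type/permission field of ls -l
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# file_mode_under_umask MASK -> "<file mode> <dir mode>" for a fresh file
# (requested mode 666) and directory (requested mode 777) created under MASK
file_mode_under_umask() {
    dir=$(mktemp -d)
    (
        umask "$1"           # only affects this subshell
        : > "$dir/f"
        mkdir "$dir/d"
    )
    printf '%s %s\n' "$(mode_of "$dir/f")" "$(mode_of "$dir/d")"
    rm -rf "$dir"
}

# octal_to_symbolic 750 -> rwxr-x---
octal_to_symbolic() {
    out=""
    for i in 1 2 3; do
        digit=$(printf '%s' "$1" | cut -c"$i")
        case $digit in
            7) out="${out}rwx" ;;  6) out="${out}rw-" ;;
            5) out="${out}r-x" ;;  4) out="${out}r--" ;;
            3) out="${out}-wx" ;;  2) out="${out}-w-" ;;
            1) out="${out}--x" ;;  *) out="${out}---" ;;
        esac
    done
    printf '%s\n' "$out"
}

# usage
echo "umask 022: $(file_mode_under_umask 022)"
echo "umask 077: $(file_mode_under_umask 077)"
echo "chmod 750: $(octal_to_symbolic 750)"
```

A umask is subtracted bit by bit from the mode a program asks for, so 022 turns a requested 666 into 644 and a requested 777 into 755, while 077 leaves 600 and 700.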
-- Shells

A shell is an interactive interface that allows the user to work with the operating system. Several different shells are available within Linux; some of the more important are

/bin/sh     Bourne shell (now a link to bash)
/bin/bash   Bourne Again Shell. It is the default shell of almost all existing Linux installations.
/bin/csh    C shell (now a link to tcsh); its syntax is somewhat similar to C
/bin/tcsh   enhanced C shell.
/bin/ksh    Korn shell; compatible with the Bourne shell. It combines the characteristics of the Bourne and C shells.
/bin/zsh    Z shell; enhanced version of the Korn shell.

To determine which shell one is currently using enter

[root@0wned /root]# echo $SHELL
/bin/bash

During login the system calls the shell that is set in the /etc/passwd file for this user. The login shell can be changed interactively using the chsh command. On entering the shell the file /etc/profile and files in the user's home directory (like .profile, cf. the man page of your shell for details) are executed. These startup files allow system (/etc/profile) and user specific (files in the home directory) settings like customizing the prompt. Temporarily changing to an alternative shell can be achieved by simply starting the binary of the wanted shell:

tcsh

Leaving it with the logout command gets you back into the original shell. To permanently change the login shell use the chsh (CHange SHell) command, cf. man chsh.

-- System logs

The syslog daemon syslogd logs various kinds of system activity. It is started during runlevel processing at boot time (rc<N>.d/S30syslog). The /etc/syslog.conf file contains the configuration of syslogd. It describes which kind and level of information is logged into which file. The configuration file on our system looks like this:

[root@0wned /etc]# cat syslog.conf
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none          /var/log/messages

authpriv.*                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                  /var/log/maillog

*.emerg                                 *

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit                          /var/log/spooler

# Save boot messages also to boot.log
local7.*

The first field of a configuration line selects the kind of messages in the form systemapplication.level. It can be repeated several times, separated by semicolons. Possible system applications (facilities) are:

auth           used by user authentication (login) programs.
cron           used by the cron daemon.
daemon         used by miscellaneous daemons.
kern           used by the Linux kernel itself.
lpr            used by the printer daemon.
mail           used by the mail daemon.
news           used by the news daemon.
syslog         used by syslog itself.
uucp           used by the UUCP daemon.
local0-local7  used by miscellaneous daemons and applications, for example the application chat writes its messages to facility local2.

The level determines the severity of the message and can be one of

none     do not write messages
debug    debugging messages.
info     miscellaneous information messages.
notice   something may be wrong, maybe.
warning  a condition that may cause trouble if not checked.
err      an error condition.
crit     a critical error.
alert    a severe error.
emerg    an irrecoverable error has occurred within the kernel, often followed by a kernel panic on your screen! :]

The second field contains the location where to store the messages. This can be any filename, or * for the current virtual console or terminal (xterm) started with the -C option. You can change the syslogd configuration by editing the configuration file. To tell syslogd to reread the file after changes send it the HUP signal:

kill -HUP `cat /var/run/syslogd.pid`

The cat /var/run/syslogd.pid gives the current process id of the syslog daemon. You can also determine the process id with the ps -ef or ps auxww command.
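To turn the selector rules above into something checkable, here is a small resolver added for this article (it is not part of the original text or of syslogd). Given a facility and a level it prints the action of every rule in a syslog.conf read on standard input that would receive such a message, honouring *, comma-separated facilities, the "this level or higher" rule and the none exclusion; it does not implement the = and ! selector prefixes. sample_syslog_conf is a constructed configuration mirroring the one above, plus one rule forwarding to a remote host in the @host form that man syslog.conf documents; the host name loghost is an assumption.

```shell
# Added example, not from the article: resolve which syslog.conf actions
# receive a message of a given facility and level.

# syslog_targets FACILITY LEVEL  (config on stdin) -> one action per line
syslog_targets() {
    awk -v fac="$1" -v lvl="$2" '
        BEGIN {
            # priorities in ascending order; a selector level means "this or higher"
            n = split("debug info notice warning err crit alert emerg", p, " ")
            for (i = 1; i <= n; i++) prio[p[i]] = i
        }
        NF == 0 || $1 ~ /^#/ { next }
        {
            action = $2
            use = 0
            nsel = split($1, sel, ";")
            for (i = 1; i <= nsel; i++) {
                split(sel[i], part, ".")           # part[1] facilities, part[2] level
                nf = split(part[1], facs, ",")
                hit = 0
                for (j = 1; j <= nf; j++)
                    if (facs[j] == "*" || facs[j] == fac) hit = 1
                if (!hit) continue
                # later selectors on the same line override earlier ones
                if (part[2] == "none") use = 0
                else if (part[2] == "*" || prio[lvl] >= prio[part[2]]) use = 1
            }
            if (use) print action
        }'
}

# sample_syslog_conf -> constructed config in the format shown above
sample_syslog_conf() {
    cat <<'EOF'
# constructed sample, modelled on the article's syslog.conf
*.info;mail.none;authpriv.none          /var/log/messages
authpriv.*                              /var/log/secure
mail.*                                  /var/log/maillog
*.emerg                                 *
uucp,news.crit                          /var/log/spooler
local7.*                                /var/log/boot.log
# copy of everything at info or higher to a remote log host (host name assumed)
*.info                                  @loghost
EOF
}

# usage: which actions see a failed-login message (authpriv, level info)?
sample_syslog_conf | syslog_targets authpriv info
```

Running the resolver for authpriv shows why the mail.none and authpriv.none exclusions matter: without them every login message would also land in the world-readable /var/log/messages.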
"hoW abOuT GivInG mE a SHell BiAtcH"

- Linux TCP/IP connectivity

-- Introduction

I will begin with a short explanation of the most common TCP/IP protocols used in Linux and continue with a discussion of IP addressing. I move on with short descriptions of the diverse configuration files, scripts, and daemons. These will be followed by a description of a few of the troubleshooting tools that will be available to you on your Linux machine. Finally, we close with how you can connect to your data and applications.

-- Assumptions

We are assuming that you are running the Marist Linux big file system. Further you should have the following files on your Linux system:

*- /etc/hosts
*- /etc/services
*- /etc/protocols
*- /etc/HOSTNAME
*- /etc/inetd.conf
*- /etc/rc.d/init.d/network

We also assume that your network is up and running with such programs as ping, netstat, ifconfig, route, telnet, and ftp available for your use. We will be giving you a guided tour through some of the more important corners of your Linux networking environment.

-- Skills

"MorE FecKInG skIllS? jeSuS!"

You will need to be able to edit a text file, download from the internet and have a sense of adventure. We also assume that you have a basic knowledge of how to navigate through the Linux filesystem.

-- TCP/IP protocols

We will give you a list and brief description of the standard protocols used within IP networking. These protocols are from the Transport Layer, which rests on top of the Network Layer in which IP operates. IP is a connectionless and unreliable protocol that just sends the datagrams it is given over the net. The following Transport Layer protocols add reliability to the Network Layer (IP). To give you a reference point as to where we are in the OSI Networking Model, we added the lower four layers in the form of the OSI Model table below. Please note that we give but a few examples of what belongs in which layer; there are more.
+----+------------------+------------------------------+
| OSI Model                                            |
+----+------------------+------------------------------+
| 4. | Transport Layer  | (TCP, UDP, ICMP)             |
| 3. | Network Layer    | (IP)                         |
| 2. | Datalink Layer   | (TokenRing, Ethernet)        |
| 1. | Physical Layer   | (Twisted Pair, Coax)         |
+----+------------------+------------------------------+

--- TCP

Transmission Control Protocol was developed on top of IP to provide the reliability mechanism that is missing. It manages the disassembly of a mass of data into a stream of datagrams and passes them to the Network Layer, which uses IP to send them to the receiving machine. On the receiving machine TCP receives the datagrams from the Network Layer and reassembles them into a stream of data. This is a connection oriented protocol that uses acknowledgments to ensure that each of the sent datagrams has arrived. If a datagram is missing from the delivered stream, TCP will ensure that it is resent.

--- UDP

User Datagram Protocol uses a single datagram to send a message from one machine to another. This protocol is usually used for network housekeeping tasks. This is a connectionless protocol that sends its datagrams out onto the net and does not check if they are delivered to the given address.

--- ICMP

Internet Control Message Protocol is used to carry control messages across the internet. These messages are how internet hosts communicate with each other, and in most cases applications will not use this protocol.

-- IP address types

There are two ways of getting a machine connected to the network using IP addresses, either with a static address or by obtaining it dynamically.

--- Static IP addresses

Static IP addressing is done by your network administrator assigning TCP/IP addresses to identify the clients within your network. These static TCP/IP addresses were defined as part of the installation of your Linux system.
For the rest you just do nothing; you have a permanent address that will only change if your network administrator assigns your Linux machine a new one. This should not happen very often.

--- Dynamic IP addresses

Dynamic IP addressing differs from static IP addressing in that your addresses are obtained from a DHCP (Dynamic Host Control Protocol) server. This server is responsible for answering any DHCP requests from clients who want an address on the network. A DHCP client would request (for example, at boot time) an IP address from a DHCP server, which returns an IP address. If the server name is not known beforehand, then the client broadcasts its request out onto the net. The address comes with a lease, which basically gives the client a time limit for which the address is valid.

When a client using DHCP logs on again it will first check its DHCP lease database. If the client is in possession of a valid lease, the client will try to log onto the network with the IP address that is associated with that lease. If that fails then the DHCP server will be asked once again to provide a new IP address, which in turn will have a new lease. If the lease database no longer contains a lease that is valid then the client will just ask the DHCP server for another IP address and the process starts at the beginning. We do not see this form of addressing being used within the mainframe environment, as all network adjustments are planned and the IP addresses are given statically to the individual machines.

"oO0Oo oO0Oo y00 sO tUrN mE on!"

-- Configuration files

The files we will describe here hold information that networking programs use as they run. They can all be found in the /etc/ directory.

--- Hosts

This file holds a text database consisting of the host names and IP addresses of the hosts your Linux system will need before being able to contact its DNS server. It is read to resolve these host names into their IP addresses.
The lines have the following syntax, with one line for each host entry:

numerical.IP.address    internet.hostname    [nickname]

For example the entry in hosts for the mailhost machine on an example network could be:

9.9.9.9    mailhost.example.com    mailhost

One thing to note is that it is possible to give one host more than one nickname. This form of host resolving is not very scalable and will only remain useful for small intranets; after more than four hosts in a network the administration overhead gets out of hand. The solution to this is moving to DNS.

--- Services

This file names the networking services that your Linux machine provides to other hosts on the internet, identifying the port and host-to-host protocol that the service uses. The entries in this file have the following syntax, with one service entry for each service offered:

service_name    IP_port/udp|tcp

For example the entry in services for the telnet service could be:

telnet    23/tcp
telnet    23/udp

This shows that telnet uses port 23 and can use either TCP or UDP as the transport protocol.

--- Protocols

This file names the TCP/IP protocols that your Linux system recognizes and assigns a number to each of them. You will most likely never need to edit this file. An example of what we found on our version of the Marist Linux big file system:

# /etc/protocols:
# $Id: protocols,v 1.1 1995/02/24 01:09:41 imurdock Exp $
#
# Internet (IP) protocols
#
#       from: @(#)protocols     5.1 (Berkeley) 4/17/89
#
# Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
ip        0   IP          # internet protocol, pseudo protocol number
icmp      1   ICMP        # internet control message protocol
igmp      2   IGMP        # Internet Group Management
ggp       3   GGP         # gateway-gateway protocol
ipencap   4   IP-ENCAP    # IP encapsulated in IP (officially ``IP'')
st        5   ST          # ST datagram mode
tcp       6   TCP         # transmission control protocol
egp       8   EGP         # exterior gateway protocol
pup       12  PUP         # PARC universal packet protocol
udp       17  UDP         # user datagram protocol
hmp       20  HMP         # host monitoring protocol
xns-idp   22  XNS-IDP     # Xerox NS IDP
rdp       27  RDP         # "reliable datagram" protocol
iso-tp4   29  ISO-TP4     # ISO Transport Protocol class 4
xtp       36  XTP         # Xpress Tranfer Protocol
ddp       37  DDP         # Datagram Delivery Protocol
idpr-cmtp 39  IDPR-CMTP   # IDPR Control Message Transport
rspf      73  RSPF        # Radio Shortest Path First.
vmtp      81  VMTP        # Versatile Message Transport
ospf      89  OSPFIGP     # Open Shortest Path First IGP
ipip      94  IPIP        # Yet Another IP encapsulation
encap     98  ENCAP       # Yet Another IP encapsulation

--- HOSTNAME

This file holds your Linux machine's name. For example, if you named your machine 0wned.linux.com, then the contents of your HOSTNAME will read:

0wned

You will have done this during the installation of your Linux machine, and if you want to rename your Linux machine then you would have to, among other things, edit this file. This can be done by hand or with the hostname command; please refer to its manpage for further details.

--- Inetd.conf

This configuration file is read by inetd, the TCP/IP super server. Each line in this file describes how inetd handles one service, and the syntax is as follows, with the entry fields separated by a tab or a space:

service_name socket_type protocol wait/nowait[.max] user[.group] server_program server_program_arguments

Put very simply, each line gives inetd the ports to which it should listen and the server that it should activate to handle traffic on a given port.
For example, to specify the standard telnet service, the entry could look like the following line taken from our Linux machine:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

This tells inetd that when a connection request occurs on the telnet port it should activate telnetd by running /usr/sbin/tcpd with the argument listed. For more information see the inetd.conf and tcpd manpages.

[ Everything else is covered in a previous text in Issue 4 by spyderco - Slider]

"thAt KindA SuCks SliDeR, Y00 LikE JuSt blAgGed iT"

- Linux Security issues

In this bit we merely scratch the surface of a few security related issues; the URLs given in the last section point to more and deeper information. One should be aware that millions of Linux installations exist which are connected to the internet, and among their operators there are inevitably some that have the knowledge and intention to exploit security holes on remote systems.

"dO y00 mEaN Me BiaTch?"

Security by obscurity is therefore no longer an option. Some Linux distributions offer a selection of security profiles for certain situations like *in trusted environment*, *DMZ (DeMilitarized Zone)* or *paranoia setting*. Starting from the most appropriate of those, the required level of security can be achieved with only a few additional steps specific to the actual environment. Note that the Marist distribution offers virtually no security, as it is intended to make experimenting with and exploring the system as easy as possible.

-- Consider remote logging

Important system messages and warnings are usually logged to the files /var/log/messages and /var/log/warn, respectively. An attacker who has managed to gain unauthorized access to the system is likely to be able to remove his traces from these (and other) files. The ability to send the messages to be logged to another machine helps with this problem. The man page

man syslog.conf

gives instructions and examples for the configuration of syslogd for remote logging.
-- Disable unnecessary services

Flaws in the code of programs that run with root privileges (like several daemons for networked services) have repeatedly given attackers the possibility of gaining unauthorized access to unix systems. Though the number of such incidents may decrease, it is certain that such things will happen as long as computers offer networked services. The system administrator should therefore follow the online forums that inform about known software weaknesses and possible fixes.

The more services are running on a system, the greater the probability that some program failure produces a security danger. The simple consequence is to disable all services that are not necessary for the operation of the system. Many daemons are started by the *super daemon* inetd: commenting out the respective entries in /etc/inetd.conf by putting a "#" in front of the line and restarting inetd by

killall -HUP inetd

does it. Other daemons are running all the time (listening on their port); simply do not start unnecessary ones.

-- Disable remote login for root

If remote login for root is not allowed, the only way to become the super user is by logging on with a personal account and then switching to root by using the "su" command. Even if the root password should become known to some attacker, he would still have to get hold of another account with which he can log in remotely. The device names of the ttys from which root can log in are listed in the file /etc/securetty. TODO: ??? doesn't work for Marist at the time of writing.

In case an ftp server is running on your system: the file /etc/ftpusers lists users which are not allowed to connect via ftp. Root and some other users should definitely be in this file, cf. man ftpusers.

If you are running Linux for S/390 in a virtual machine you may decide to limit root logons to the Linux console. In other words, only by logging onto the Linux virtual machine or by being an authorized secondary user could you attempt to log on to Linux as root.
-- Use encrypted connections

If an attacker has access to the physical network segment (e.g. by having a login account on a computer directly attached to the network) he can access all information(!) that is transmitted on the segment. Using simple scripts on top of a *network sniffer* program (like tcpdump) he can filter out login/password pairs transferred in cleartext. The only protection against this is not to transfer any unencrypted data: disable telnet and rlogin (/etc/inetd.conf); allow remote login only via ssh. Transfer files only with the scp command.

-- Use scp instead of ftp

As data transferred by ftp is not encrypted, and implementations of the ftp service have shown vulnerabilities in the past, one might ask for an alternative possibility for file transfer. Luckily there is scp (secure copy). scp allows you to copy files between machines and uses the authentication mechanism of the secure shell. The data is encrypted during transfer by scp. scp understands a syntax very similar to that of the usual cp command:

scp myfile.txt joe@host.mydomain.com:somedir/

copies myfile.txt into joe's home directory under the directory somedir/.

-- Use a tcp wrapper (tcpd)

tcpd monitors, logs and controls the startup of daemons normally started directly by inetd. It does some checks for apparent attempts at an attack (like a host pretending to have the name of another host) and, if nothing suspicious was detected, starts the service. Linux distributions will likely install tcpd by default. If your system doesn't have tcpd installed: install it. The configuration of tcpd is nicely explained in man tcpd. Most likely you want to make entries in the files /etc/hosts.allow and /etc/hosts.deny, where access for hosts can explicitly be allowed or denied, cf. man 5 hosts_access.

-- Use shadow passwords

The user (and group) passwords are not stored as clear text anywhere in the system.
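The "disable unnecessary services", "use encrypted connections" and "use a tcp wrapper" advice above can be checked mechanically. The following is an added example written for this article, not code from the magazine or from the tcpd package: one function comments out the inetd.conf entries that carry cleartext logins, the other evaluates a hosts.allow/hosts.deny pair the way tcpd does (first matching allow rule wins, then first matching deny rule, then allow). The access matcher is a deliberately simplified reimplementation of the hosts_access(5) rules (ALL, exact names or addresses, ".domain" suffixes, "net." prefixes, and nothing else); the inetd.conf fragment and the policy are constructed, and sshd is assumed to be a daemon built with tcp-wrapper support.

```python
"""Two defensive checks for the inetd and tcpd advice above: rewrite inetd.conf so
that the services carrying cleartext logins are commented out, and evaluate the
hosts.allow / hosts.deny rules that tcpd consults for a connection.

Added example, not code from the magazine. The matcher is a deliberately simplified
reimplementation of the hosts_access(5) rules: it handles ALL, exact host names or
addresses, '.domain' suffixes and 'net.' prefixes, and nothing else (no KNOWN,
UNKNOWN, EXCEPT or netmasks); see man 5 hosts_access for the real thing.
"""

# Services the text says to switch off: telnet and rlogin (plus the other r-services
# and ftp, which send passwords in the clear just the same).
CLEARTEXT_LOGIN_SERVICES = {"telnet", "login", "shell", "exec", "ftp"}

# Constructed inetd.conf fragment.
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd    in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd    in.telnetd
login   stream  tcp  nowait  root    /usr/sbin/tcpd    in.rlogind
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd    in.fingerd
ident   stream  tcp  nowait  nobody  /usr/sbin/identd  identd
"""


def harden_inetd(text, disable=CLEARTEXT_LOGIN_SERVICES):
    """Return (new_text, disabled_services). Active lines whose service is in
    `disable` get a leading '#', exactly what the text tells you to do by hand;
    every other line, including existing comments, is preserved unchanged.
    Remember that inetd only notices the change after `killall -HUP inetd`."""
    out, disabled = [], []
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped and not stripped.startswith("#") and stripped.split()[0] in disable:
            out.append("#" + line)
            disabled.append(stripped.split()[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def _parse_access_file(text):
    """'daemon_list : client_list' lines -> [(daemons, clients)], lists of tokens."""
    rules = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if ":" not in body:
            continue
        daemons, clients = body.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def _client_matches(pattern, hostname, address):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):             # '.corp.example.com': hosts in that domain
        return hostname.endswith(pattern)
    if pattern.endswith("."):               # '192.168.1.': addresses with that prefix
        return address.startswith(pattern)
    return pattern in (hostname, address)   # exact host name or address


def _rule_matches(rule, daemon, hostname, address):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(_client_matches(c, hostname, address) for c in clients))


def tcpd_allows(daemon, hostname, address, allow_text, deny_text):
    """tcpd's decision order: the first matching rule in hosts.allow grants access;
    otherwise the first matching rule in hosts.deny refuses it; otherwise the
    connection is allowed (so an empty hosts.deny means the wrapper blocks nothing)."""
    if any(_rule_matches(r, daemon, hostname, address) for r in _parse_access_file(allow_text)):
        return True
    if any(_rule_matches(r, daemon, hostname, address) for r in _parse_access_file(deny_text)):
        return False
    return True


# Constructed policy: sshd reachable from the office network only, everything
# wrapped by tcpd refused otherwise. Daemon names are the server process names.
SAMPLE_HOSTS_ALLOW = "sshd: 192.168.1., .corp.example.com\n"
SAMPLE_HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    text, gone = harden_inetd(SAMPLE_INETD)
    print(gone)                                                  # ['ftp', 'telnet', 'login']
    print(tcpd_allows("sshd", "laptop.corp.example.com", "10.1.1.5",
                      SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY))   # True
    print(tcpd_allows("sshd", "host.example.net", "203.0.113.9",
                      SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY))   # False
```

The last line of tcpd_allows is the point to remember: the wrapper is permissive by default, so without an "ALL: ALL" line in hosts.deny the allow file only documents who is welcome, it does not keep anyone else out.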
Instead the passwords are encrypted and authentication is done by encrypting the entered password and comparing it with the stored encrypted password. The encrypted passwords used to be stored in the file /etc/passwd, which is (and has to be) world readable. In this situation any user can obtain the list of all logins and encrypted passwords on the system. By using certain programs (like cracklib) that use a dictionary of frequently used passwords (and variations of the login sometimes used as password by users not aware of the risks) it is feasible to obtain passwords and thereby unauthorized access. With the shadow password suite installed the passwords are stored in a file (/etc/shadow) readable only by root, thereby eliminating the possibility that ordinary users could perform the cracklib or other dictionary attacks.

-- Consult the security related internet sites regularly

Formerly unknown security problems are first described on the internet. Often an appropriate fix is published at the same time. If you have to care about security then do visit the security sites regularly and/or subscribe to the mailing lists run by them. The following list gives some good starting points:

http://www.securityfocus.com/
http://rootshell.com/
http://www.insecure.org/
http://www.slidersecurity.co.uk
http://packetstorm.securify.com
http://www.cert.org/
http://lsap.org/

"y00 juSt Had tO gEt uR SiTe iN tHaR slIdEr"

Linux distributors often have websites with information specific to the software as packaged for their distribution:

http://www.suse.de/de/support/security/

- Intel architecture, S/390 architecture and VM/ESA

Linux is usually considered a PC operating system. Linux was first developed for an Intel 80386 and the Intel architecture remains the most common platform for Linux. In this bit, we describe the fundamentals of the Intel architecture and that of S/390.
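Before moving on to the architectures: the shadow-password passage above is easy to turn into a check, since a hash left in the world-readable /etc/passwd is precisely the condition the shadow suite removes. The following is an added example written for this article, not code from the magazine or the shadow suite; SAMPLE_PASSWD is constructed and the hash field of "oldacct" is a placeholder string, not a real password hash.

```python
"""Audit of a passwd file for the conditions the shadow-password section describes:
hashes left in the world-readable file, empty password fields and extra uid 0 logins.

Added example, not code from the magazine. SAMPLE_PASSWD is constructed and the
hash field of 'oldacct' is a placeholder string, not a real password hash.
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/false
joe:x:1000:1000:Joe User:/home/joe:/bin/bash
oldacct:HASH_PLACEHOLDER:1001:1001:pre-shadow account:/home/oldacct:/bin/bash
guest::1002:1002:no password at all:/home/guest:/bin/bash
toor:x:0:0:second superuser:/root:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (login, finding) pairs for the 7-field passwd lines in `text`."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        login, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((login, "empty password field: anyone can log in"))
        elif not (pw in ("x", "*") or pw.startswith("!")):
            # 'x' means "look in /etc/shadow"; '*' and '!...' are locked. Anything
            # else is a hash readable by every user, the situation shadow passwords fix.
            findings.append((login, "password hash stored in world-readable passwd"))
        if uid == "0" and login != "root":
            findings.append((login, "additional uid 0 account"))
    return findings


if __name__ == "__main__":
    for login, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{login}: {problem}")
```

The uid 0 check is not from the shadow discussion but belongs in the same pass: the "su" route the text recommends only helps if root is the single superuser account.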
The Intel symmetric multiprocessor (SMP) architecture is compared with S/390, with particular attention to reliability, availability and serviceability. We also give a brief introduction to S/390 virtual machines and VM/ESA. Using VM/ESA, you can potentially run hundreds or even thousands of Linux virtual servers on a single S/390 system.

-- Architecture description

This section is intended as a brief introduction to the basic architecture of IBM S/390 and the Intel 32-bit (IA32) processors.

--- IA32

An IA32 processor offers different modes of operation, but some of them are provided only for compatibility reasons and today are not used very often. The so-called *protected mode* is the one used by today's operating systems, in that it allows the memory to be divided into different segments, isolated from one another so as to obtain higher protection, and supports paging to obtain a virtual memory larger than the physical one.

The IA32 processors contain different sets of registers:

- General purpose registers: these 8 registers can be used to hold operands and main memory pointers. Some of them are reserved for particular purposes: for example the ESP register is used as a pointer to the stack.
- Segment registers: are used to hold the descriptors of segments used while accessing code, data, or the stack.
- Status registers: are used to encode the processor status and to specify its mode of operation.

Also, a set of floating point registers is provided to support floating point operations. These registers are organized as a stack and are 80 bits each.

The memory on an IA32 processor operating in protected mode is divided into segments. Each segment has a maximum size of 4GB (which has been increased to 64 GB on the latest Pentium processors). A segment is accessed by means of a segment selector contained in one of the segment registers. A segment selector is composed of three parts:

- A segment descriptor index.
- A table indicator that establishes whether the index refers to the global descriptor table (GDT) or the local descriptor table (LDT).
- A requested privilege level, that is used for segment protection reasons.

The LDT is local to each thread and is saved during a thread switch. The GDT is global to the entire system. The GDT and LDT contain the segment descriptors, that are used to hold information about:

- The size of the segment.
- Its base address in the virtual storage.
- The type of the segment and its associated privilege level.

The segment type is used to distinguish between segments containing data or code and segments containing system structures, such as task related information, the LDT and so on.

When accessing memory, a segment register and an offset register are used: the address of the data in memory is obtained by adding the base address of the segment referenced by the segment register to the offset contained in the offset register. This linear address can be equal to the physical address of the data in memory in case paging is not active. Otherwise another translation step is required to translate the linear address into the physical one. The pages most commonly used by IA32 processors have a fixed size of 4KB, but pages as large as 2MB or 4MB are supported. The information that the processor uses during the page translation process is contained in some data structures:

- Page directory: contains up to 1024 32-bit page-directory entries. Each of them contains the base address of a page table and information about the status of the page (for example whether it is valid, whether it is in main memory or swapped out to secondary storage, and so on).
- Page table: each entry contains the address of a page and some bits used to hold information about the state of the page and the privileges needed to access it.
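The selector, segment and page-table description above is worth working through in numbers. The following is an added example written for this article, not code from the magazine: it decodes a 16-bit selector into its three parts, adds a segment base to an offset with the limit check that produces a general protection fault, and walks a constructed page directory and page table for a 4KB-paged linear address. The GDT, LDT and page-table contents are constructed; the bit widths (13-bit index, table indicator, 2-bit RPL; 10/10/12 split of the linear address, 10/22 with 4MB pages) are those of the IA32 architecture.

```python
"""Worked arithmetic for the IA32 segmentation and paging description above.

Added example, not code from the magazine. The descriptor and page-table contents
are constructed; the bit layouts (16-bit selector = 13-bit index, table indicator,
2-bit RPL; 32-bit linear address = 10-bit directory index, 10-bit table index,
12-bit offset for 4 KB pages) are those of the IA32 architecture.
"""

GDT, LDT = 0, 1   # values of the table indicator bit


def decode_selector(selector):
    """Split a segment selector into (descriptor index, table indicator, RPL)."""
    return selector >> 3, (selector >> 2) & 1, selector & 3


def logical_to_linear(selector, offset, gdt, ldt):
    """Look the selector up in the GDT or LDT and add the segment base to the offset.
    Descriptors are constructed dicts {'base': ..., 'limit': last valid offset}."""
    index, table, _rpl = decode_selector(selector)
    descriptor = (ldt if table == LDT else gdt)[index]
    if offset > descriptor["limit"]:
        raise MemoryError("general protection fault: offset beyond the segment limit")
    return (descriptor["base"] + offset) & 0xFFFFFFFF


def split_linear(linear, large_page=False):
    """Indices the MMU derives from a linear address: (directory, table, offset).
    For a 4 MB page the table index is absent and the offset is 22 bits wide."""
    directory = linear >> 22
    if large_page:
        return directory, None, linear & 0x3FFFFF
    return directory, (linear >> 12) & 0x3FF, linear & 0xFFF


def linear_to_physical(linear, page_directory):
    """Two-level walk over constructed tables: page_directory[dir] is a dict with
    'present' and 'table' (table index -> 4 KB-aligned frame base)."""
    directory, table, offset = split_linear(linear)
    pde = page_directory.get(directory)
    if pde is None or not pde["present"]:
        raise MemoryError("page fault: directory entry not present")
    frame = pde["table"].get(table)
    if frame is None:
        raise MemoryError("page fault: page not present")
    return frame + offset


# Constructed tables: a flat segment in the GDT, a 64 KB segment in the LDT, and a
# single mapped page at linear 0xC0123000.
SAMPLE_GDT = {1: {"base": 0x00000000, "limit": 0xFFFFFFFF}}
SAMPLE_LDT = {2: {"base": 0x10000000, "limit": 0x0000FFFF}}
SAMPLE_PAGE_DIRECTORY = {0x300: {"present": True, "table": {0x123: 0x00345000}}}

if __name__ == "__main__":
    print(decode_selector(0x0023))                                         # (4, 0, 3)
    print(hex(logical_to_linear(0x0017, 0x0100, SAMPLE_GDT, SAMPLE_LDT)))  # 0x10000100
    print(hex(linear_to_physical(0xC0123456, SAMPLE_PAGE_DIRECTORY)))      # 0x345456
```

Selector 0x0017 is index 2 with the table indicator set, so it reads the LDT; the same index with the bit clear (0x0013) would pick a different descriptor from the GDT, which is why the text calls the indicator part of the selector rather than of the descriptor.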
-- S/390

An S/390 system is usually composed of one or more central processing units, a main storage, an expanded storage, and a channel subsystem that is connected to the I/O devices.

"CenTrAl pRoCeSsInG? i fAntAzIe aBouT tHaT sHit"

The main storage contains code and data used by the CPUs and is divided into blocks of 4KB each. On the other hand, expanded storage cannot be used to hold data currently used by the CPUs and is usually reserved for paging purposes, in that it allows memory blocks to be transferred faster than mass storage. It is divided into pages of 4KB, each addressed by a 32-bit identifier, thus allowing up to 2^32 pages. Only complete pages can be transferred between expanded storage and main memory. The expanded storage is a unique feature of the S/390 architecture and there is nothing similar in IA32.

Each CPU contains a set of registers that can be used by programs. They can be divided into the following:

* Program status word: used to hold information related to the status of the CPU and to instruction sequencing.
* General registers: 16 32-bit registers used for integer arithmetic and for addressing.
* Floating-point registers: depending on the configuration, 4 or 16 registers are available and can be used both for hexadecimal and floating point computations.
* Control registers: 16 registers are available and are used to control various hardware facilities.
* Access registers: contain segment-table designators used to access address spaces.

Depending on the mode of operation, the addresses generated by a program can be interpreted in three different ways:

* Absolute addresses: are addresses given to the main storage locations.
* Real addresses: are translated to absolute addresses by prefixing.
* Virtual addresses: are translated to real addresses by means of dynamic address translation.

The S/390 absolute address is like the IA32 real address; both are used to designate a given location in the main storage.
The virtual address can be compared to the IA32 linear address because both are used to support paging and to provide a virtual address space larger than the real main memory.

Prefixing is used to allow different CPUs sharing main storage to work independently. Prefixing remaps the first 4KB of storage using the value contained in the prefix register of each CPU: if a memory reference is within the first 4KB, the address is added to the prefix to obtain the new address.

For translating a virtual address to a real one, each CPU uses some translation tables. The translation table used depends on the address space in use. The control program associates with each address space a unique 16-bit number known as the address-space number (ASN). The ASN is maintained by the CPU in one of its registers and is used as a key to retrieve the address space control information, through a process known as address space number translation (ASNT). The ASNT consists of a two-table lookup process. The first 10 bits of the ASN are used as a key in the first table to obtain the address of the second table. Then the remaining 6 bits of the ASN are used as an index in the second table, which contains the address space control information that, among other things, includes the address of the authority table and the address of the segment table. The authority table is used to establish whether the current process can use the address space, thus allowing the use of a given address space only by authorized processes; 2^16 authorization levels are possible, so this table contains up to 2^16 entries.

-- I/O subsystem

The S/390 I/O subsystem is different from the ones of other architectures. In fact S/390 defines a unified way to access all kinds of devices through so called channels. All the I/O activity is managed by the channel subsystem, which is responsible for controlling the flow of information between the I/O devices and the main storage.
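The prefixing and ASN translation described above, worked through in numbers. This is an added example written for this article, not code from the magazine or from IBM: the table contents are constructed, the 16-bit ASN split (10 bits selecting the first table entry, 6 bits indexing the second table) and the 4KB prefix block follow the text, and the authority table is reduced to a constructed set of permitted authorization levels. The reverse prefix mapping (a reference into the prefix block landing in block 0) is part of the architecture but not mentioned in the text; it is flagged in the code.

```python
"""Worked arithmetic for the S/390 prefixing and ASN translation described above.

Added example, not code from the magazine. The table contents are constructed; the
16-bit ASN split (10 bits indexing the first table, 6 bits indexing the second)
and the 4 KB prefix block follow the text.
"""

BLOCK = 4096                    # size of the storage block remapped by prefixing


def apply_prefix(real_address, prefix):
    """Prefixing as the text describes it: a reference into the first 4 KB block
    is redirected to the block starting at `prefix`. The reverse mapping (a
    reference into the prefix block lands in block 0) is part of the architecture
    but not mentioned in the text; it is what keeps every block addressable."""
    block, offset = real_address & ~(BLOCK - 1), real_address & (BLOCK - 1)
    if block == 0:
        return prefix + offset
    if block == prefix:
        return offset
    return real_address


def split_asn(asn):
    """16-bit ASN -> (index into the first table, index into the second table)."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("ASN must fit in 16 bits")
    return asn >> 6, asn & 0x3F


def translate_asn(asn, first_table):
    """Two-table lookup yielding the address-space control information, here a
    constructed dict with 'authority_table' and 'segment_table' entries."""
    first_index, second_index = split_asn(asn)
    second_table = first_table.get(first_index)
    if second_table is None:
        raise LookupError("ASN translation exception: no second table for index %d" % first_index)
    info = second_table.get(second_index)
    if info is None:
        raise LookupError("ASN translation exception: no entry for index %d" % second_index)
    return info


def can_use_address_space(asn, first_table, authorization_level):
    """Consult the authority table of the address space: the text says only
    authorized processes may use it. Here the authority table is a constructed
    set of permitted authorization levels (the architecture allows up to 2**16)."""
    info = translate_asn(asn, first_table)
    return authorization_level in info["authority_table"]


# Constructed tables: ASN 0x0281 -> first index 10, second index 1.
SAMPLE_FIRST_TABLE = {
    10: {1: {"authority_table": {0, 7, 42}, "segment_table": 0x00A00000}},
}

if __name__ == "__main__":
    print(hex(apply_prefix(0x0100, 0x2000)))                       # 0x2100
    print(split_asn(0x0281))                                       # (10, 1)
    print(can_use_address_space(0x0281, SAMPLE_FIRST_TABLE, 7))    # True
```

The two lookups are the isolation mechanism the text is pointing at: a program never names a segment table directly, it names an ASN, and the control program decides through the authority table whether that ASN may be used at all before any page of the address space becomes reachable.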
The communication between the channel subsystem and the devices happens through channel paths. Different kinds of channel paths are available, and each supports different data-transfer speeds. An S/390 box can support, depending on the configuration, up to 256 channel paths. Channel paths and devices are connected through control units. Control units are needed to adapt the standard form of control used by the channel subsystem to the particular needs of each kind of device.

Each I/O device is associated with a subchannel. Subchannels provide information about the device they are connected to and are the only means by which the channel subsystem can access the device. Each subchannel has a system-wide unique 16-bit ID associated with it, which is used when requesting an I/O operation to indicate the device it is directed to. Given the size of a subchannel ID, a maximum of 65,536 subchannels (and I/O devices) can be connected to a channel subsystem.

While the subchannel associated with each device is unique, a device can be reached through different channel paths. In fact a device can be connected to more than one control unit and a control unit can be connected to more than one channel path. While communication happens only through one of them, the presence of multiple paths allows for better performance and higher reliability and availability. In fact, when starting an I/O operation, the channel subsystem has the ability to perform a path selection, choosing between all the available paths and using a different path if one is busy.

Beyond the ability to connect a large number of devices, another advantage of this I/O architecture is its high efficiency while performing data transfers. In fact, the CPU is busy only during the first phase of the I/O operation, that is passing the needed information and commands to the subchannel. After that the CPU can continue its activity while the work of moving data is performed by the channel subsystem.
When the I/O operation has ended, the CPU receives a notification through an asynchronous interrupt. If interrupts have been disabled, the pending interrupt is stored with information about its source; this way the CPU can interrogate the channel subsystem to know if a given channel has ended its activity without being interrupted asynchronously during its work.

-- Symmetric multiprocessing

In a symmetric multiprocessor (SMP), multiple processors share the same resources, such as the main memory, the communication buses, the I/O subsystem and so on, allowing the workload to be distributed better and allowing simple and fast data sharing between processors.

"oOoOoOoOoOoOo thIs iS rEaLly FunKy sHitE"

--- Intel SMP

With the introduction of the Profusion chip-set, Intel pushed the limit of its multiprocessing technology up to 8-way. In fact, the Profusion chip-set supports up to 8 Pentium Xeon processors. The Xeon version is used because of its large on-chip second level cache, needed to reduce the memory traffic, which is quite high due to the large number of processors.

The 8 processors are divided into two groups of 4 each; the processors in each group share a common bus that connects them to the Profusion chip-set. The Profusion chip-set creates a *fusion* of three Pentium III processor buses and two main memory subsystems. Two of the three processor buses are actually used to connect processors, while the other is used to connect I/O devices. The Pentium Xeon processors have integrated L1 data and instruction caches of 16KB each. The second level cache is integrated in the same package and works at the same frequency as the core.

The Profusion chip-set coordinates the activity of the buses and connects them with the main memory; also, it allows for reduced coherency traffic thanks to the coherency filters. The chip-set is divided into two chips, the Memory Access Controller (MAC) and the Data Interface Buffer (DIB).
The MAC contains the control functions needed to control the system. It manages the memory contained in the coherency filters and controls coherency notifications, preventing unneeded coherency traffic from reaching the processor buses. This is accomplished using the coherency filters, each containing information about a superset of the data cached by the processors on the related bus. Before propagating coherency information on a bus, the MAC verifies whether it is needed by checking the information contained in the coherency filter.

The DIB contains the data paths needed to connect the buses and the main memory. It is controlled by the MAC and moves data between the processor buses and the system memory. Also, the DIB generates the error correcting codes (ECC) needed to recover from errors.

To improve performance, the memory is divided into two interleaved banks and each bank is connected to the Profusion chip-set through a dedicated port. This way it is possible to double the maximum data transfer speed, which reaches 1.6 GB/sec.

--- IBM SMP

The latest generations of the S/390 multiprocessor (G5 and G6) are based on a design different from the one used for the previous generations (G3 and G4), which offers higher performance and supports the load of a larger number of CPUs. The new design is based on the so called binodal cache: the processors and cache memories are divided into two nodes connected to one another and to the memory cards. Each node is composed of up to 6 processors (7 in the G6) with integrated L1 cache, an L2 cache, a system controller (SC), the memory cards and the buses needed to connect them.

The L1 cache is unified (it contains both instructions and data) and has a size of 256 KB. It is of the write-through type: if data are written to locations that are not in cache, those data are not transferred into the cache. Instead the data are immediately transferred to the L2 cache to be written to memory.
The L2 caches have a size of 4MB each and operate at half the frequency of the processors, like all the other chips in the node. They contain all the data contained in the L1 caches of the node, thus simplifying the management of coherency. Also, the L2 cache is store-in, meaning that if a store is made to a memory location that is not cached, the content of this memory location is first transferred to the cache and then updated. This way the next reference to this location will hit in cache.

The SC maintains information about the L2 cache, manages coherency of the caches, controls the binodal architecture, and provides for communication with main memory. It is split into two chips to obtain more pins and to allow for larger L2 caches; each chip is part of one node. The SC is responsible for maintaining cache coherence; this is done using a modified MESI (modified/exclusive/shared/invalid) protocol. The modification is needed to account for the possibility of sharing inside the node (locally) or outside, between the two nodes (globally). This distinction allows faster operations when a processor requires exclusive access to some data and the data are shared only locally. Also, if an access to a node's L2 cache misses, the SC tries to search for the data in the L2 cache of the other node. This way it is possible to improve performance, because retrieving data from the other node's cache is faster than retrieving them from memory.

The memory is organized into 4 cards each containing 4 banks. This way 16 banks are available and up to 16 fetch and store operations to main memory can be served simultaneously. Also, the design of the G5 and G6 has been optimized to efficiently perform the rich set of data movement operations. A series of hardware devices have been added to require only minimal processor involvement during the movement of data.
For example the hardware-assisted move engine allows blocks of data to be moved from one area of the main memory to another, optimizing the movement to avoid conflicts with the read and store operations that are required by the processors. The design of the S/390 server allows it to obtain the high efficiency in memory access and data transfer that is needed to support the large number of processors and the large amount of data managed by an enterprise server, which requires a good balance between computational power and I/O capabilities.

-- RAS considerations

Important factors in evaluating high-end servers are reliability, availability and serviceability.

--- Intel Profusion chip set RAS considerations

The Intel chip-set implements a number of techniques to obtain high RAS. The system, memory and I/O buses are all protected by error correcting codes (ECC) to allow the discovery of transmission errors and eventually their recovery.

"So WhaT u ArE TryInG to sAy, iS ThaT iT is lIkE ReLiaBlE?"

Also, the system is able to continue to work even if some hardware failures occur:

* If a processor or processor bus fails, the system continues to work using only the other bus.
* If one of the memory ports fails, the system can work using only one port.
* If any of the coherency filters fails, it is disabled and the system remains operational, but with lower performance.
* If an I/O device fails, it is possible to isolate and disable it. Also, I/O devices are hot-pluggable, meaning that you can change them without interrupting server activity.

To allow for better serviceability, the chip set is able to perform error logging. This way it is possible to identify error sources in less time and promptly correct the system behavior.

--- S/390 RAS considerations

The S/390 system offers a very rich set of RAS capabilities and was designed from the start with RAS in mind.
The processors contain duplicated instruction units (IU), fixed-point units (FXU) and floating-point units (FPU), and on every operation the results of the two copies are compared to discover possible errors. The check is performed by the register unit (RU) before committing the result of each operation. When the check succeeds, the current state is saved as a checkpoint to allow the restart of the next operation in case of failure. The RU, like the L1 cache, is not duplicated, but is protected using ECC in general and parity checking when the information is replicated elsewhere in the processor. This way the processor is able to discover and eventually recover from a large range of possible faults.

When a processor fails due to some permanent internal fault, it is isolated and removed from operation, while system operation continues unaffected on the other processors, thus maintaining a high degree of availability. Also, if a spare processor is configured, it is automatically activated and the state of the failing processor is transferred to it, allowing normal activity to resume without user intervention and without any impact on the application or on the operating system. In some cases, depending on the type of fault, it is not necessary to completely stop the processor: by simply disabling the faulty device, operation can continue, although with reduced performance.

"wOh tHaT iS fUnkY!"

The L2 cache and the buses connecting it with main memory and with the processors are protected using ECC. When erroneous data are detected by an ECC station, the data propagation is blocked to avoid their propagation inside the system. Also, when an L2 cache line is discovered to be invalid, it is purged to avoid use of the invalid data by any of the processors. The next time the data are referenced, they will be reloaded from the main memory. Obviously, because of the low failure rates, the purging of cache lines does not have a bad impact on system performance.
Also, the L2 cache contains spare cache lines that are automatically used to substitute failing lines. This way it is possible to recover from errors in a cache chip without the need to mark the whole chip as faulty.

The main memory is organized so that each DRAM module contributes only one bit to a given ECC check word. This way, because ECC is able to correct single bit errors, it is possible to recover from all partial module and all complete module failures. Also, to avoid the accumulation of errors that can result in the inability to correct them, memory is continuously analyzed and errors are recovered as soon as they are discovered. When the number of errors discovered (and recovered) on a given memory module becomes greater than a given threshold, the module is substituted with a spare one. All the content of the failing module is copied into the new one while all the intervening stores are propagated to both modules. This way, when the copy is finished the old module is completely replaced by the new one. The usage of spare DRAM memory modules allows a failing module to be substituted without stopping the machine, increasing the total availability of the S/390.

The S/390 provides quite a large number of mechanisms that are used to grant very high availability and integrity of data. In a large number of cases, if an error is discovered, the hardware is able to recover from the error condition, isolating the faulty device and activating spare ones. Also, only the hardware that presents failures is isolated from the system, keeping the largest possible number of working devices operative so as to impact the performance of the system as little as possible.

-- Conclusion of the two architectures

"aRchiTecTurEs Are LikE bUilDinGs, InNiT?"

Both the IA32 and the S/390 are so called Complex Instruction Set Computer (CISC) architectures, meaning that they offer a very rich set of instructions.
From the micro-architectural point of view, the IA32 and the S/390 CPUs are very different. The IA32 transforms complex instructions into simpler ones that are executed in parallel and out of order, using a complex scheduling mechanism. So the IA32 core is optimized to execute simple instructions in parallel. On the other hand, the S/390 G5 and G6 CPUs are able to execute only one operation per cycle but are optimized to reduce the time needed to complete the execution of the complex, long running instructions that are often used in programs. Also, only one integer operation is executed per cycle even if, for example, two integer pipelines are available, because both of them execute the same operation to allow checking of the result. This way the reliability of the processor is preferred to raw speed. In general, the S/390 CPU offers higher RAS and is able to discover and recover from a large number of errors, usually disabling only the faulty devices.

Also, the S/390 instruction set offers quite a rich set of instructions to move memory blocks, supported by specialized hardware so as to obtain higher performance. For example, the move engine can be used to quickly move pages from main storage to expanded storage, thus speeding up the swapping process. The expanded storage is a unique feature of the S/390. It provides a large and fast memory that can be used to swap out unused memory pages faster than is possible using mass storage. Also, the expanded storage can be used as a cache for minidisks, improving the I/O performance of applications.

Both the IA32 and the S/390 support paging, but they offer slightly different mechanisms. The IA32 allows each task to maintain information about its mapping of virtual addresses to real ones; usually, each thread is mapped on a different task and all the threads of a single process share the same page mapping.
The S/390 implements a different page mapping for each address space and allows up to 16 address spaces to be accessed at the same time. Also, the S/390 uses the concept of a segment to group pages: during the address translation process, the first part of the virtual address is used to index the segment table, which yields the address of a page table. The IA32, instead, uses segments to protect storage areas. There is no direct relation between pages and segments; a segment is used to define the access rights on a given virtual memory region. In this way, when accessing virtual memory, each process can only read or write what is contained in the segment defined by the descriptor it is using.

From an SMP architecture point of view, the S/390 supports a higher number of CPUs while maintaining a quite linear performance increase. While the Intel multiprocessor allows up to 8 CPUs, the G6 supports 12 processors plus two other processors configured for I/O or as spare processors. Also, the availability of spare processors allows the substitution of a faulty processor on the fly, without stopping the system and without intervention by the operating system or application. Also, the design of the binodal cache allows only the single faulty processor to be disabled, while, for example, the Intel multiprocessor needs to disable 4 processors if its bus fails. The use of spare devices is not limited to processors. For example, the availability of spare memory modules allows faulty ones to be substituted automatically while the system continues to work, thus obtaining very high availability and avoiding user intervention.

While the IA32 offers higher computational power with faster processors that are able to execute more than one simple instruction per clock cycle, the S/390 offers a higher degree of reliability and a better balance between raw computational power and I/O bandwidth, supporting a large number of devices and a very optimized I/O mechanism.
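The two translation schemes just contrasted, as an added example that is not the page's or either vendor's code: an S/390-style walk, where each address space has its own segment table whose entries point at page tables and a machine keeps several spaces attached at once, beside an IA32-style segment descriptor that only bounds and rights-checks a linear region. The 16-space limit follows the text; the 4 KB page and 256-page segment sizes, the fault wording and all mapped addresses are assumptions of the example.

```python
"""Two-level S/390-style translation across several address spaces, beside an
IA32-style segment descriptor check. Illustrative model, not either vendor's code."""

PAGE_BITS = 12                              # 4 KB pages (assumed size)
PAGE_INDEX_BITS = 8                         # 256 pages per segment, i.e. 1 MB segments (assumed)
SEG_SHIFT = PAGE_BITS + PAGE_INDEX_BITS
PAGE_MASK = (1 << PAGE_BITS) - 1
MAX_SPACES = 16                             # the text: up to 16 address spaces accessible at once


class TranslationFault(Exception):
    """Raised where real hardware would present a translation or protection exception."""


class AddressSpace:
    """One address space: a segment table whose valid entries point at page tables."""

    def __init__(self, name):
        self.name = name
        self.segment_table = {}             # segment index -> {page index: (frame, read_only)}

    def map_page(self, vaddr, frame, read_only=False):
        seg = vaddr >> SEG_SHIFT
        page = (vaddr >> PAGE_BITS) & ((1 << PAGE_INDEX_BITS) - 1)
        self.segment_table.setdefault(seg, {})[page] = (frame, read_only)

    def translate(self, vaddr, write=False):
        """Virtual -> real: the segment index picks the page table, the page index the frame."""
        seg = vaddr >> SEG_SHIFT
        page = (vaddr >> PAGE_BITS) & ((1 << PAGE_INDEX_BITS) - 1)
        page_table = self.segment_table.get(seg)
        if page_table is None:
            raise TranslationFault(f"{self.name}: segment {seg:#x} has no page table")
        entry = page_table.get(page)
        if entry is None:
            raise TranslationFault(f"{self.name}: page {page:#x} of segment {seg:#x} not mapped")
        frame, read_only = entry
        if write and read_only:
            raise TranslationFault(f"{self.name}: store to read-only page {page:#x}")
        return (frame << PAGE_BITS) | (vaddr & PAGE_MASK)


class Machine:
    """Holds the address spaces a program may address at the same time."""

    def __init__(self):
        self.spaces = {}

    def attach(self, asn, space):
        if len(self.spaces) >= MAX_SPACES and asn not in self.spaces:
            raise TranslationFault("no free address-space slot")
        self.spaces[asn] = space

    def access(self, asn, vaddr, write=False):
        return self.spaces[asn].translate(vaddr, write)


class SegmentDescriptor:
    """IA32-style descriptor: a base/limit window with access rights, unrelated to pages."""

    def __init__(self, base, limit, writable):
        self.base, self.limit, self.writable = base, limit, writable

    def linear(self, offset, write=False):
        if offset > self.limit:
            raise TranslationFault(f"offset {offset:#x} beyond segment limit {self.limit:#x}")
        if write and not self.writable:
            raise TranslationFault("write to a read-only segment")
        return self.base + offset


def faults(fn, *args, **kwargs):
    """True if the access raises a TranslationFault."""
    try:
        fn(*args, **kwargs)
        return False
    except TranslationFault:
        return True


def demo():
    """Constructed mappings: the same virtual address in two spaces, plus descriptor checks."""
    machine = Machine()
    user, shared = AddressSpace("user"), AddressSpace("shared")
    user.map_page(0x00123000, frame=0x400)                # virtual 0x00123xxx -> real 0x400xxx
    shared.map_page(0x00123000, frame=0x777, read_only=True)
    machine.attach(1, user)
    machine.attach(2, shared)
    code_seg = SegmentDescriptor(base=0x10000, limit=0x0FFF, writable=False)
    return {
        "user_real": machine.access(1, 0x00123ABC),
        "shared_real": machine.access(2, 0x00123ABC),
        "shared_store_faults": faults(machine.access, 2, 0x00123ABC, write=True),
        "unmapped_segment_faults": faults(machine.access, 1, 0x00500000),
        "unmapped_page_faults": faults(machine.access, 1, 0x00124000),
        "descriptor_linear": code_seg.linear(0x0ABC),
        "descriptor_limit_faults": faults(code_seg.linear, 0x1000),
        "descriptor_write_faults": faults(code_seg.linear, 0x10, write=True),
    }
```

The same virtual address resolves to different real addresses in the two spaces because each space carries its own segment table; the descriptor, by contrast, knows nothing about pages and only decides whether an offset and an access type are allowed inside its window.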
Also the S/390 offers higher RAS, which is a very important factor when evaluating high-end servers.

And that my friends is Linux On OS/390!

"aNd 2 aLl u wH0rEs oUt tHar, gEt iT rIghT fuCkeRs!"

Slider & 0mega1 clocking off.

- EOF -

Werd : MuFtAk, Zomba, Hybrid, Nynex, Spaceman, Abattis (where the fuck r u), [TNC], greedyfly, redmangy, #linux, dc_`, Is-, Lilo-x, JonP, Gossi, DERA, Uk.gov.
FuqU : ...
TUVM : 0mega1 for sorting out the installation shit and giving me a OS/390 enabled box.

"Live as if you were to die tomorrow. Learn as if you were to live forever." -Gandhi

----------------------------------------------
**********************************************
An Introduction to Wireless Technology
**********************************************

- Introduction

It may come as a surprise, but the earliest forms of communication were made by using wireless data technology. Long before the telephone was invented by Alexander Graham Bell in 1876, people were using wireless data communications. American Indians used smoke signals to communicate over long distances, and messages could be passed along between a number of people spread over a considerable distance. Sailors were using semaphore with flags, or Morse code with signalling lanterns, to communicate between ships or to the shore. Long distance communications were accomplished by using carrier pigeons to deliver written messages. You can probably think of several other examples of wireless data which have been used in the past.

Communication using coded signals rather than voice was still the only method of sending information over long distance telegraph wires prior to the invention of the telephone. Morse code allowed normally written characters and symbols to be transmitted over copper wires for the first time. The first practical radio communication was demonstrated by Guglielmo Marconi when he made the first transatlantic wireless communication in 1901, using Morse code to transmit messages.
Voice communication over wires had been around for many years, but Morse code was the only radio communication method until 1904, when a demonstration of voice broadcasting was made at the St. Louis World's Fair. Morse code is still used occasionally for long-distance communications to ships at sea and by amateur radio enthusiasts.

For the purposes of this text, we can define wireless communication as any form of communication without using wires (or fiber optic cable). Data communication means transmitting information that is not in the form of speech. Radio (or radio frequency) is the part of the electromagnetic spectrum that has a frequency lower than that of infrared light.

The advent of computer communications has changed our perception of data communications from Morse code operating at one character per second over relatively short distances to very high-speed data links of thousands or millions of bits of information per second over tremendous spans of geography. The data transmitted can represent many different types of information, including multiple voice channels, full-motion video and computer data. The most common use of radio data communication today is the microwave link, which provides high-speed communications without underground or overhead cables and is a primary mechanism for carrying long-distance voice traffic.

Voice communications over radio have moved into the public domain with the rapid spread of cellular telephone technology in many countries of the world. Anyone with a cellular phone can now stay in touch with people while traveling, or even just while away from their normal telephone.

Parallel to these developments in wireless technology, the power of personal computing has brought high-speed data processing ability to the desktop. New applications have made PC users more productive; new lightweight and inexpensive portable PCs allow users to take their information and tools with them.
The need to share information and resources among personal computer users has spawned the spread of local area networks (LANs), which in turn have required wire-based connections. The use of copper wires limits users' flexibility to move freely within the office environment. Growth in client/server applications has made unfettered connectivity between workstations and other network resources very attractive.

The marriage of wireless communications and mobile computing will transform the way we do business. The convergence of hardware, software, communications and wireless technologies will ensure that information and services are available to computer users at all times, in all places.

Many different wireless communication technologies currently support hundreds of services. Cellular and cordless phones, pagers, portable computers, mobile radio units, and vehicle tracking units all use a wide range of protocols and transport options. Future portable products such as Personal Digital Assistants (PDAs) or Personal Intelligent Communicators (PICs) will combine separate voice and data functions in compact portable packages. The communications technologies will provide a choice of communications methods, with several wired and wireless options available in a single device, automatically selecting the most appropriate method according to the kind of information transfer required, the physical location of the device, and the needs of the user.

- Why Is Wireless Technology Important?

Wireless communication is growing at an explosive rate around the world. In the United States alone, the number of cellular telephones grew ten-fold from one million in mid-1987 to 10 million in 1993; 180,000 cellular phones are being sold each month. The number of cellular subscribers worldwide in 1994 was 52 million. In Europe, the highest penetration of cellular phones is in Sweden: with a population of only 8 million people, more than one person in ten has a cellular phone.
There are some 50 million cordless telephones in use; satellite paging systems (a small fraction of all paging systems) are projected to grow from $90 million in 1992 revenue to $500 million in 1995. Cellular phones have changed from heavy automobile-mounted devices to shirt-pocket portables weighing the same as a pocket diary. The many emerging mobile end-user devices will become *information appliances*.

Wireless products and services in the 1990s are forecast to be an even bigger revolution than the personal computer (PC) and local area network (LAN) were in the 1980s. The mobility offered by wireless technology will be used to allow businesses to optimize their use of employee time, become more competitive, make better business decisions and provide better customer service. As a result, many businesses will dramatically restructure their operations to take advantage of wireless benefits more effectively. Therefore, industry will truly be looking to install wireless solutions as a major step towards running businesses profitably.

Cutting-edge companies today are capitalizing on time as a critical component of competitive advantage. The way leading companies manage time in new product development, product introduction and production, as well as in sales, distribution and service, represents the most powerful new source of competitive advantage. By reducing the consumption of time in every aspect of business, companies reduce costs, improve quality and stay closer to their customers. Some driving forces behind the interest in utilizing time as a source of competitive advantage are as follows:

· Quicker response time - through the use of remote input and access of data, fax or voice information.
· Increased customer contact and satisfaction - by contacting customers early, before they contact someone else.
· *Just In Time* manufacturing practices - maintaining leaner inventories.
· Accuracy of information - direct input of data without transcribing.
· Faster management information systems - information *as it happens*.

We are truly witnessing one of the most dramatic opportunities of our time. Wireless communications will emerge as the major technology of the 21st century. With wireless communications access any time and any place, you will expect and get the delivery of information and services no matter where you are. Wireless technologies make it possible to be logically present through remote connections: an increased level of responsiveness can be achieved from remote locations.

New wireless technologies offer convenience, providing value to general business and everyday use. Un-tethered operations are required for immediacy when moving about (for example, to contact a public safety officer on patrol, or a medical professional in case of a problem), to avoid wiring expenses for temporary communications or in an environment where wiring is impractical (for example, a national landmark building or a staging area where emergency response teams are mobilized), when wire lines are down (for example, in a natural disaster), or where an inadequate, unreliable, or obsolete wired infrastructure exists (for example, underdeveloped areas).

Why now? Technology has advanced and it is now possible to communicate with small, reliable, energy-constrained mobile devices that are cheap enough for widespread use. These radical changes occurred at a surprisingly rapid pace, creating in a short time mobile telephony systems used by millions. In the 1990s, other forms of information are being merged into more advanced digital wireless systems, a trend driven by portable computers and digital hand-held data devices. Metropolitan, national, and even international public and private networks with wireless capability are emerging today. All of these wireless *enablers* can be the basis of new devices and applications.
The most important issue for wireless communications in the 1990s is usage: who will use the technology, when, and how will they use it? Cost of service will also be a critical issue: how much will a user be willing to pay every month to connect a personal communicator to a network? What value will be perceived from such services?

Cellular phone service has only been available for a few years, and at first it was considered to be too expensive for general use; only a few of the most senior people in large companies were able to justify the cost of ownership. In a few short years cellular phones became an affordable and sometimes essential device for all kinds of people in their working day. Today, cellular phones are becoming common in the domestic environment, and very soon a mobile phone will be as essential as a TV receiver or VCR to an ordinary family. New technology drives new uses and applications for the technology, which in turn creates demand for further technological advances. As more users purchase equipment and services, the price becomes more affordable and the amount and diversity of uses increase.

Governmental regulation of the frequency spectrum is, and will continue to be, another key question, the answer to which will dictate technical strategy and tactical plans. Inconsistent worldwide frequency allocations and licensing will remain an issue and inhibit international roaming. It will take a very long time for all countries in the world to agree on and implement a worldwide allocation of radio frequencies. Governments and commercial enterprises have invested very large sums of money in existing radio communication infrastructures, and the frequencies allocated to these applications will only be freed up once new technology has been established and the very last user of the old service has agreed to change to the new service.
Wireless communication solutions that provide logical presence through physical roaming, or the ability to stay in touch on one's own terms, will continue to be in great demand. Today, these requirements are requested by mobile professionals and other workers who want to download E-mail, update their calendars, send or receive a fax, check inventory, place an order, record route status, call a customer, talk to a peer; in short, a virtual office - anywhere, anytime. The Electronic Mail Association predicts a tripling of electronic mail users, to 27 million sending more than 14 billion messages annually in 1995 alone.

Advances in semiconductor technologies enable the use of higher frequencies and will achieve better reliability of wireless connections. This will accelerate wireless product development. Continued miniaturization of circuitry, of displays and of user interfaces (for example, gallium arsenide, flash memory), the *building blocks* of portable devices, along with advances in low-power electronics, battery (life, weight) and solar cell technologies, will also help the mobile product user achieve higher levels of efficiency. Affordable application solutions will be the key ingredient in the rapid acceptance of wireless technologies.

Traditional methods of interaction with computing devices will have to change when they become highly miniaturized and portable. For example, the technology exists to build a computing device that may be worn on the wrist, but it would be very difficult to interact with such a device using traditional methods. It would be impossible to produce an alphanumeric computer keyboard that could be used successfully, and a screen could only display a few characters if it were to be used by a person with average eyesight.
- Characteristics of the World of Wireless in the 1990s

In this changing world, technological leaders such as IBM will package mobile/wireless devices and other products in individualized ways, implementing seamless connectivity for vertical industry solutions to common business problems. IBM will be a wireless vendor and service provider due to a continued wireless communications focus that will be characterized by an environment of:

1. Ubiquity: People will want to be in touch from anywhere, at any time. This will force standards to emerge between carriers and between vendors for common devices and seamless roaming.
2. Spectrum Availability: Current frequency allocations are not sufficient for the wireless public world of the 1990s. Constrained frequency allocations are a critical asset for competition, requiring competence in working through regulatory agencies and licensing bodies.
3. Mass Customization: Wireless devices must be easily tailored (that is, programmable) to individual roles and preferences.
4. Price discontinuities: A price threshold will be found which ignites explosive usage of cellular and RF data, fax, and voice usage.
5. Social/human/usability issues: The social acceptability of wireless devices will affect demand. For example, wireless technologies could enable people to have their personal whereabouts recorded, resulting in an undesirable invasion of privacy. People may not want to be reachable in circumstances where they are used to unwinding and being out of touch. Human-centric solutions will be required.
6. Key applications, total systems solutions: Critical vertical and cross-industry applications will propel wireless technologies. Simply put, wireless applications are crucial and product vendors will have to align with application developers.
7. Merging industries: The computer, communications, networking, consumer electronics, and entertainment industries of the next five years will be much more integrated than they are today.
8. Wireless communities are emerging, especially in sparsely populated areas (for example, the telephone connections in the Australian outback are mostly wireless). The high cost of long cable runs in rural areas makes wireless communication a more cost-effective solution. Wireless technologies will be a credible and cost-effective alternative to upgrading some existing wired infrastructures or to creating a spontaneous communication capability, such as in a disaster area.
9. Technological advances in batteries (life, weight), solar power, and circuit miniaturization will increasingly enable attractive, functional, affordable, and practical devices which will use wireless communications.
10. Incorporated intelligence will become more pervasive. Appliances, automobiles, or remote equipment will use wireless devices to alert central maintenance facilities when service is required. Intelligent vending machines will automatically place just-in-time wireless calls for restocking, cash removal, and service, allowing vendors to operate at enormously improved levels of efficiency.
11. Wireless networks will provide value-added services both directly and by means of links into other services. Delivery of timely, accurate and relevant information such as weather warnings, traffic delays and emergency messages will become an essential part of any wireless network service.

- Wireless Applications

The main driving force behind wireless and remote computing devices is the applications. The successful introduction of a new technology depends on the wide acceptance of those applications which use that technology. The applications must meet a real need.

-- Voice Communication

Early wireless communications used Morse code, followed by simple voice communications.
In the 1930s, radio equipment used valves (tubes) which needed high-wattage power supplies. Radio receivers were either operated from the electric mains or needed large batteries for the high voltages required. Police mobile radio allowed one-way communication from central dispatch to cars, which listened in on dedicated frequency bands; the police officer then called back from a pay phone. Amplitude Modulation (AM) was employed but was not very efficient in using the available bandwidth. In 1935 Frequency Modulation (FM) was invented. It was further developed by the military during World War II, and in the 1940s all police radio systems were moved to FM.

The need for two-way communications led to the establishment of the first Mobile Telephone Service in 1946 in St. Louis. This was based on one FM transmitter with a coverage area of 50 miles (80 km) diameter. Within a year this service was available in 25 US states. The system used a number of base stations, each with an FM transmitter. Each base station was connected into the wired telephone network using a controller.

A new and improved wireless system was introduced in the mid 1960s. This system was known as the Improved Mobile Telephone Service (IMTS) and was the forerunner of the present cellular service. The new features included:

· Automatic trunking (all users can access all channels - no dedicated channels)
· Direct dialing (no operator at the mobile network controller)
· Full-duplex (no *push to talk* required)
· FM channel of 25-30 kHz
· Each phone searches for a free channel (special tone used)

As the number of subscribers increased there were not enough channels available to allow access for everyone who wanted a connection. This led to the development of cellular radio. By reducing the area covered, the bandwidth could be reused and hence more users could be supported. Cities and rural districts were carved up into *cells* or areas, each with their own base transmitter.
The same frequencies were used as before but with much lower transmitter power. Since the power is low, the signals remain within the cell, which has a diameter of between 1 mile (1.6 km) and 20 miles (32 km), with little chance of interference in nearby cells. To further reduce the probability of interference between mobile stations on the same channel in adjacent cells, channel re-use was not allowed until a cell was skipped.

The first cellular systems were developed by Bell Laboratories in the 1970s, and experimental operation of the Advanced Mobile Telephone System (AMPS) began in 1979 in Chicago. Other countries followed with their own versions of cellular telephone systems, notably the Scandinavian countries in 1981 with the Nordic Mobile Telephone on 450 MHz (NMT450), and the UK in 1985 with the Total Access Control System (TACS). Japan has its own unique analog cellular system developed by NTT, and Germany and France both have unique systems that are incompatible with other countries.

-- Cellular Systems

        __    __    __    __    __
     __/  \__/  \__/  \__/  \__/  \__
    /  \__/  \__/  \__/  \__/  \__/  \
    \__/  \__/  \__/  \__/  \__/  \__/
    /  \__/  \__/  \__/  \__/  \__/  \
    \__/  \__/  \__/  \__/  \__/  \__/
       \__/  \__/  \__/  \__/  \__/

Hexagon shapes are a convenient way of illustrating the network, but in real life the cells can be very irregular shapes. The center cell of each group of seven cells has a range of frequencies. Other cells have different frequencies assigned to them, and so on. No two adjacent cells have the same set of frequencies; there are always at least two intervening cells before the frequencies are re-used.

At first, only the major cities were covered with cellular transmitters. It was not always economical to cover less populated areas, as the initial costs were high (prices ranged upwards to tens of millions of dollars).
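The seven-cell reuse pattern shown above, as an added example that is not from the page: hex cells in axial coordinates, each given one of seven frequency groups, a check that no two neighbours share a group, and a measurement of how many cells lie between co-channel cells. The labelling rule (q + 3r) mod 7 is this example's own choice; the comparison with a poorer rule and the split of the 832 AMPS channels across a seven-cell cluster go slightly beyond the text.

```python
"""Frequency reuse on a hexagonal cell grid. Constructed example written for this article."""

# axial coordinates (q, r): the six neighbours of a hex cell
NEIGHBOURS = [(1, 0), (-1, 0), (0, 1), (0, -1), (1, -1), (-1, 1)]


def hex_distance(a, b):
    """Number of cell hops between two cells in axial coordinates."""
    dq, dr = a[0] - b[0], a[1] - b[1]
    return max(abs(dq), abs(dr), abs(dq + dr))


def frequency_group(q, r, multiplier=3, cluster=7):
    """Assign cell (q, r) one of `cluster` frequency groups.

    A linear rule (q + k*r) mod N repeats each group along a lattice; the choice
    of k decides how far apart co-channel cells end up. k=3, N=7 reproduces the
    seven-cell pattern of the figure above."""
    return (q + multiplier * r) % cluster


def cells_within(radius):
    return [(q, r) for q in range(-radius, radius + 1)
            for r in range(-radius, radius + 1)
            if hex_distance((q, r), (0, 0)) <= radius]


def no_adjacent_share(label, radius=6):
    """True if no two neighbouring cells carry the same frequency group."""
    return all(label(q, r) != label(q + dq, r + dr)
               for q, r in cells_within(radius) for dq, dr in NEIGHBOURS)


def min_reuse_distance(label, radius=6):
    """Smallest hop distance between two cells sharing a group (intervening cells = distance - 1)."""
    cells = cells_within(radius)
    best = None
    for i, a in enumerate(cells):
        for b in cells[i + 1:]:
            if label(*a) == label(*b):
                d = hex_distance(a, b)
                best = d if best is None else min(best, d)
    return best


def channels_per_cell(total_channels, cluster=7):
    """Channels each cell can use when the spectrum is split among a cluster."""
    return total_channels // cluster


def render(radius=3, multiplier=3):
    """Rough text picture of the groups around the origin, one row per r."""
    rows = []
    for r in range(-radius, radius + 1):
        row = [(q, r) for q in range(-radius, radius + 1) if hex_distance((q, r), (0, 0)) <= radius]
        rows.append(" " * (r + radius) + " ".join(str(frequency_group(q, rr, multiplier)) for q, rr in row))
    return "\n".join(rows)


def demo():
    """Compare the figure's rule with a poorer choice of multiplier."""
    good = lambda q, r: frequency_group(q, r, multiplier=3)
    poor = lambda q, r: frequency_group(q, r, multiplier=2)
    return {
        "good_no_adjacent_share": no_adjacent_share(good),
        "good_reuse_distance": min_reuse_distance(good),    # 3 hops: two intervening cells
        "poor_no_adjacent_share": no_adjacent_share(poor),
        "poor_reuse_distance": min_reuse_distance(poor),    # 2 hops: only one intervening cell
        "amps_channels_per_cell": channels_per_cell(832),
    }
```

Both rules keep adjacent cells on different groups, which is the condition most people check; only the hop-distance measurement shows that the second rule reuses a channel one cell sooner than the pattern in the figure.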
In the early 1980s the capacity of urban cells reached its limits, and they were divided up into smaller and smaller cells with lower-power transmitters. Since a mobile cellular telephone (for example, in a car) can receive signals from different cell transmitters (known as base stations) near cell boundaries, a mobile switching center (MSC) was created to coordinate the frequencies used by the different mobile users and cell transmitters. As the mobile user moves out of a cell, the MSC must decide which is the proper cell to take over the call.

The MSC can communicate with all mobile phones in the area of the base stations which it controls by means of a special radio channel called a control channel. This channel is not used for voice communications but allows the MSC to send instructions to the mobile phone. The MSC contacts each adjacent cell and instructs it to measure the signal strength of the mobile unit. The results are transmitted back to the MSC and the strongest signal and cell are determined. A new channel is allocated in the destination cell and the current cell is instructed to relay this information to the mobile station. This is known as a *handoff*.

Cellular handoffs today can take several seconds. This is fine if cells are large and not many cell boundaries are crossed, but mobile cellular units in a car can cross cell boundaries often in urban locations. For this reason, in 1984 an additional 10 MHz of bandwidth was allocated by the FCC in the USA to bring the total to 50 MHz in the 800 MHz band for the Advanced Mobile Phone Service (AMPS). This allows 832 channels (full duplex) to be used.

Handoffs can also occur even when the mobile station is not moving. The MSC can balance the load of users between base stations by switching some of the users from a base station which is heavily loaded to an adjacent base station which has some spare capacity.
This is, of course, only possible if some of the users are in an area where they can communicate with both base stations. The reason for doing this is to ensure that there is always some spare capacity for new callers to access the base station, or for callers in vehicles that are passing through the area.

When a cellular phone is first switched on, it will scan a predetermined set of radio channels. These channels are the control channels that have been allocated to the particular cellular network on which the phone is registered as a valid subscriber. A different network in the same geographical location will have a different set of control channels allocated to it. The phone may have the ability to be registered with more than one network, but the user must decide which network the phone will register with at any one time. This is normally accomplished using a menu-driven selection from the keypad of the phone.

Once the phone has scanned all the control channels for the network, it will build a table of the frequencies of the strongest signals. Not all of the control channels available for a network will be within range, and the phone will try to use the channel with the strongest signal first. It will initiate a registration with the base station whose signal is strongest. If it fails to do this, then it will try the next strongest signal, and so on. If the phone cannot, for some reason, register with any base station, it will indicate the fact to the user by means of an *out of service* indicator. The most common reasons for not being able to register are:

· The phone is not in an area of cellular coverage
· The phone is in a *blackspot* (radio coverage hole)
· The base station is busy with other callers
· The phone is not registered as a valid subscriber to the network

Cellular phones have a physical identifier encoded in them as well as their mobile phone number.
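The registration scan, the busy and not-a-valid-subscriber rejections, and the handoff decision described above, as an added example written for this article (not the page's own code and not any real network's logic): a toy MSC with constructed subscribers and cells. The phone tries the control channels it can hear strongest first; the MSC accepts a registration only when the phone number and the physical identifier it presents match the operator's record and the cell has capacity; a handoff moves a call to the strongest neighbouring cell that still has a free voice channel, so load balancing falls out of the same rule. All numbers, identifiers and signal values are constructed.

```python
"""Toy mobile switching center: registration, subscriber check, call set-up and
handoff. Written for this article; constructed data, not a real network protocol."""


class BaseStation:
    def __init__(self, cell_id, control_channel, capacity):
        self.cell_id = cell_id
        self.control_channel = control_channel      # channel the phone listens to for instructions
        self.capacity = capacity                    # voice channels this cell can hand out
        self.in_use = {}                            # voice channel -> subscriber number

    def free_channels(self):
        return self.capacity - len(self.in_use)

    def allocate(self, number):
        for ch in range(1, self.capacity + 1):
            if ch not in self.in_use:
                self.in_use[ch] = number
                return f"{self.cell_id}-v{ch}"
        return None

    def release(self, number):
        self.in_use = {ch: n for ch, n in self.in_use.items() if n != number}


class MSC:
    def __init__(self, subscribers):
        self.subscribers = dict(subscribers)        # operator's record: number -> physical identifier
        self.cells = {}                             # cell_id -> BaseStation
        self.registered = {}                        # number -> cell_id
        self.calls = {}                             # number -> (cell_id, voice channel)

    def add_cell(self, cell):
        self.cells[cell.cell_id] = cell

    def control_channels(self):
        return {c.control_channel: c.cell_id for c in self.cells.values()}

    def register(self, number, identifier, cell_id):
        """Refused for an unknown number/identifier pair or a cell with no capacity left."""
        if self.subscribers.get(number) != identifier:
            return "rejected: not a valid subscriber"
        if self.cells[cell_id].free_channels() == 0:
            return "rejected: base station busy"
        self.registered[number] = cell_id
        return "ok"

    def setup_call(self, number):
        """Dialled digits arrive over the control channel; a voice channel is assigned."""
        cell_id = self.registered.get(number)
        if cell_id is None:
            return None
        channel = self.cells[cell_id].allocate(number)
        if channel:
            self.calls[number] = (cell_id, channel)
        return channel

    def handoff(self, number, measurements):
        """measurements: {cell_id: signal strength reported by neighbouring cells} (constructed).
        Move the call to the strongest neighbour with a free voice channel, else stay put."""
        if number not in self.calls:
            return None
        current_cell, _ = self.calls[number]
        for cell_id, _strength in sorted(measurements.items(), key=lambda kv: kv[1], reverse=True):
            cell = self.cells.get(cell_id)
            if cell is None or cell_id == current_cell or cell.free_channels() == 0:
                continue
            new_channel = cell.allocate(number)
            self.cells[current_cell].release(number)   # old cell is told the call has moved
            self.calls[number] = (cell_id, new_channel)
            self.registered[number] = cell_id
            return cell_id
        return current_cell


def scan_and_register(msc, number, identifier, heard):
    """Phone side: heard = {control channel: strength}. Try strongest first, then the next."""
    channels = msc.control_channels()
    candidates = sorted(((s, 'ch') for ch, s in heard.items() if ch in channels), reverse=True)
    candidates = sorted(((s, ch) for ch, s in heard.items() if ch in channels), reverse=True)
    for _strength, ch in candidates:
        if msc.register(number, identifier, channels[ch]) == "ok":
            return channels[ch]
    return "out of service"


def demo():
    msc = MSC({"5551234": "ID-CONSTRUCTED-01", "5559876": "ID-CONSTRUCTED-02"})
    msc.add_cell(BaseStation("cellA", control_channel=333, capacity=1))
    msc.add_cell(BaseStation("cellB", control_channel=334, capacity=1))
    msc.add_cell(BaseStation("cellC", control_channel=335, capacity=2))
    out = {}
    # channel 999 belongs to another operator and is ignored; B is the strongest of ours
    out["registered_in"] = scan_and_register(msc, "5551234", "ID-CONSTRUCTED-01",
                                             {999: -50, 334: -60, 333: -70})
    # right number, wrong identifier: every base station refuses it
    out["wrong_identifier"] = scan_and_register(msc, "5551234", "ID-OTHER", {334: -60, 333: -70})
    out["channel"] = msc.setup_call("5551234")
    # a second subscriber's call fills cell A completely
    msc.register("5559876", "ID-CONSTRUCTED-02", "cellA")
    msc.setup_call("5559876")
    # neighbours measure the moving phone: A is strongest but full, so the call goes to C
    out["handoff_to"] = msc.handoff("5551234", {"cellA": -55, "cellC": -80})
    out["cellB_free_after"] = msc.cells["cellB"].free_channels()
    return out
```

Checking the number and identifier as a pair, rather than either alone, is what the text calls comparing the two to ensure the combination is valid; a phone presenting a valid number with the wrong identifier never gets past `register`, whichever cell it tries.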
The physical identifier is known as the electronic serial number, or ESN, and is assigned to the phone at the time of manufacture. The ESN is used to ensure that there is no fraudulent use of the phone network. The ESN and the subscriber's mobile phone number are held by the network operator, and each time a phone tries to register with the network, the subscriber number and the ESN are compared to ensure that the combination of the two is valid. In the early days of cellular telephones, the ESN was sufficient to prevent fraud, but today ways have been found to re-write ESNs and fraudulently register stolen phones. Fraudulent use of cellular phones is a major problem in the US and is reaching other parts of the world very rapidly. The new digital phone technologies will have more sophisticated methods of fraud prevention.

Different cellular technologies (AMPS, ETACS, NMT) will have slightly different detailed implementations of the calling process, but the overall sequence is similar for all technologies. When a subscriber with a cellular phone wishes to make a call, the phone number is entered on the keypad of the phone and the SEND button is pressed. This causes the phone to send the dialled digits to the network via the control channel, assuming that the phone is still registered with a base station. The cellular network will then assign a voice channel for the connection once the called party's phone starts to ring.

While the call is in progress, the network can detect if a mobile phone is moving out of range of a particular base station. The network can then request that the phone switch channels to a closer base station to continue the call. This is achieved by the transmission of a short burst of data on the voice channel which is not passed to the audio circuits of the phone, and thus is not heard by the subscriber.

When a call is placed to a mobile phone, the call is first routed to the MSC closest to the origin of the call.
If there is more than one MSC in the network, the call will be routed to the MSC in which the phone was last registered. The MSC will then transmit a paging message to all mobile phones in its area. If the mobile phone responds, the MSC will assign a voice channel and route the call to it. If the mobile phone does not respond, the other MSCs will try paging mobile phones in their areas.

-- The Move to Digital

Analog mobile telephony served well as a first-generation technology; however, analog services are now straining to keep up with user demand. Analog transmissions are less efficient than digital transmissions when it comes to spectrum utilization. Most analog standards allow low-speed (up to 4.8 Kbps) data transmission such as fax or file transfer, but interface equipment is expensive compared to the cost of mobile phones, and performance can be unreliable (for example, fax only works well when sent from a stationary terminal). Roaming across national boundaries is only possible where neighboring countries implement the same standards. For these reasons, efforts to develop next-generation mobile telephony networks focus on digital technologies in general and on GSM (Global System for Mobile Communications, formerly called Groupe Spécial Mobile), a digital transmission standard accepted by all European countries and many other countries.

Analog cellular phone systems such as AMPS, TACS and NMT use the analog signal from the microphone to modulate the frequency of the radio carrier wave directly, using frequency modulation. A digital cellular phone converts the analog signal from the microphone into digital data, which is then used to modulate the carrier; this would normally use phase modulation. The analog signal is converted using a device called a vocoder, which samples the level of the analog signal many times during a single cycle of the signal.
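The sampling step just introduced, and the encoding, stringing-together and reconstruction of samples that the text describes next, as an added example written for this article (not the page's own code and not any real vocoder): a sine tone is sampled, each sample is quantized to a fixed number of bits, the codes are packed into one bit stream and unpacked again, and frames whose level stays below a threshold are sent as a single flag byte, the simplest form of the silence-based compression the text mentions. The 8 kHz rate, 20 ms frames and the silence threshold are this example's assumptions.

```python
"""Sample, quantize, pack and rebuild a waveform, with silent frames suppressed.
A constructed illustration for this article, not a real speech codec."""
import math

SAMPLE_RATE = 8000          # samples per second (assumed telephony rate)
FRAME = 160                 # 20 ms of samples per frame (assumed)
SILENCE = 0.02              # peak level below which a frame counts as silent (assumed)


def sample_signal(seconds, freq=1000.0, amplitude=0.8, silent_after=0.5):
    """Constructed input: a tone that stops at silent_after seconds."""
    out = []
    for i in range(int(seconds * SAMPLE_RATE)):
        t = i / SAMPLE_RATE
        out.append(0.0 if t >= silent_after else amplitude * math.sin(2 * math.pi * freq * t))
    return out


def quantize(x, bits):
    """Map a level in [-1, 1] to an integer code of `bits` bits."""
    levels = (1 << bits) - 1
    return max(0, min(levels, int(round((x + 1.0) / 2.0 * levels))))


def dequantize(code, bits):
    return code / ((1 << bits) - 1) * 2.0 - 1.0


def pack(codes, bits):
    """String the sample codes together MSB-first into a byte stream."""
    acc, nbits, out = 0, 0, bytearray()
    for code in codes:
        acc = (acc << bits) | code
        nbits += bits
        while nbits >= 8:
            out.append((acc >> (nbits - 8)) & 0xFF)
            nbits -= 8
            acc &= (1 << nbits) - 1
    if nbits:
        out.append((acc << (8 - nbits)) & 0xFF)
    return bytes(out)


def unpack(data, count, bits):
    """Break the byte stream back into `count` sample codes."""
    acc, nbits, codes = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= bits and len(codes) < count:
            codes.append((acc >> (nbits - bits)) & ((1 << bits) - 1))
            nbits -= bits
            acc &= (1 << nbits) - 1
    return codes


def encode_stream(samples, bits=8):
    """Per frame: 0x00 for silence, else 0x01 followed by the packed samples."""
    out = bytearray()
    padded = samples + [0.0] * (-len(samples) % FRAME)
    for i in range(0, len(padded), FRAME):
        frame = padded[i:i + FRAME]
        if max(abs(x) for x in frame) < SILENCE:
            out.append(0x00)
        else:
            out.append(0x01)
            out += pack([quantize(x, bits) for x in frame], bits)
    return bytes(out)


def decode_stream(data, bits=8):
    payload = (FRAME * bits + 7) // 8
    samples, i = [], 0
    while i < len(data):
        flag = data[i]
        i += 1
        if flag == 0x00:
            samples += [0.0] * FRAME
        else:
            samples += [dequantize(c, bits) for c in unpack(data[i:i + payload], FRAME, bits)]
            i += payload
    return samples


def demo(bits=8):
    """One second of tone, silent for the second half; compare stream size and error."""
    signal = sample_signal(1.0)
    stream = encode_stream(signal, bits)
    rebuilt = decode_stream(stream, bits)
    return {
        "raw_bytes": len(signal) * bits // 8,
        "stream_bytes": len(stream),
        "max_error": max(abs(a - b) for a, b in zip(signal, rebuilt)),
        "length_ok": len(rebuilt) == len(signal),
    }
```

The reconstruction error is bounded by half a quantization step, so fewer bits per sample shrink the stream at the cost of a coarser rebuilt waveform; the silent half of the constructed signal costs one byte per frame instead of 160.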
A single level sample is encoded as a binary value and strung together with other sample values to form a continuous data stream. At the receiving end, the data stream is broken up into individual samples, which are used to reconstruct the original signal. In order to keep the amount of data to a manageable level, the data is compressed at the transmitting end and decompressed at the receiving end. These compression techniques take advantage of the characteristics of human speech and the silent periods between words. Most digital cellular systems use this basic technology for transmission of speech, but vary in the way they modulate the radio carrier and in the structure of the network.

GSM will serve as the basis for forthcoming mobile telephony services. Compared with analog services, GSM, which operates in the 900 MHz band, offers greater signal quality and hence fewer transmission errors, better security through encryption and encoding, and more efficient use of the spectrum, giving higher network capacity. The GSM networks now in place handle voice traffic, and data services are just starting in a few countries, notably the UK and Germany. Other countries plan to implement data in the near future. The data services offer data transmission rates up to 9.6 Kbps for circuit-switched connections and a Short Message Service (SMS) which provides the ability to do two-way paging using a GSM phone. In addition, fax services will be provided, and a later implementation will include packet data services.

Digital mobile telephony services can also be provided via the Digital Communications System (DCS) 1800 standard, developed by the European Telecommunications Standards Institute (ETSI) as an extension of GSM. DCS1800 services, known as Personal Communications Networks (PCNs), operate in the 1800 MHz band in Europe. PCN and GSM are functionally similar in terms of voice quality, data facilities, and call handling.
One difference between the two is that PCN is available only on hand-portable terminals, while GSM is available on hand-portable and higher-powered car-mounted terminals. Because PCNs use a higher radio frequency, they require more base stations than GSM networks, which means they will be more expensive to install and operate. For this reason, PCN service providers are expected to focus their attention on urban areas, which means users looking for wider geographic coverage probably will tend towards GSM networks. PCN is often referred to as Microcellular, since the cells are smaller than regular cells allowing phones to be smaller using less power. GSM technology in the form of DCS1900 will be seen in North America as the first systems using Personal Communications Services (PCS) licenses are implemented. DCS1900 is the same as DCS1800 except that the operating frequency is 1900 MHz. AMPS is based on analog technology and is available in North and South America as well as some Asian and African countries. D-AMPS is a digital cellular radio system now being implemented in North America. An alternative digital cellular phone technology, CDMA, is being implemented by Qualcomm and may result in differing digital cellular services in different parts of North America.

-- Cordless Telephones

In addition to the requirement for telephone equipment to be mobile across large distances, the desire to have mobile telephone access within a limited space, typically within 50 to 100 meters of a base station (such as the home or an office) led to the development of the cordless telephone. This does not offer mobile access as with the cellular systems. It is really an access technology into a business PBX system or a domestic telephone connection. The cost is low and it offers less function than cellular phones. Early cordless phones suffered from a number of problems.
Not all countries had standards for cordless phones and interference to essential services was caused by imported devices that operated in parts of the spectrum allocated for other services. Cordless phones had a very limited number of radio channels and users could eavesdrop on their neighbors' conversations. In addition, fraudulent use of cordless phones could result in a third party making calls from a cordless handset by accessing a cordless base station that did not belong to them, thus avoiding paying for the call. These problems were overcome when standards for cordless phones were implemented. Several cordless communications standards are now in use, including the analog Cordless Telephony 0 (CT-0) and CT-1 standards and the CT-2 digital standard. CT-2 has been adopted by ETSI as an interim European standard for domestic and business applications. CT-2 is likely to be superseded by Digital European Cordless Telecommunications (DECT), a digital standard which can be used for wireless LANs. Both CT-2 and DECT can support voice and data, but DECT has a wider range (up to 200 meters) and greater data capacity (up to 384 Kbps, compared with CT-2's 32 Kbps). The actual throughput of data using DECT is closer to 320 Kbps because some channels are reserved for supervisory and control functions, which use part of the capacity. Other DECT advantages are that connections can be handed off between base stations, a feature that CT-2 cannot provide, and that the mobile station can receive calls as well as initiate them. DECT will use very similar technology to GSM/DCS1800, which should provide low-cost implementations and the ability to use common designs which could have the ability to access different networks in the future. Telepoint is another cordless system that requires users to be within close range (100 to 200 meters) of a base station.
Telepoint is being deployed as a wide-area service, with base stations typically located in public-access areas such as shopping centers, airports, and train stations. As in mobile telephony services, Telepoint users can place calls over the public dial-up network. A key difference, however, is that the CT-2 standard used for Telepoint services allows users only to place calls; CT-2-based systems do not handle incoming calls. Some service operators work around this limitation by providing pagers to notify users that someone is trying to contact them, while others allow incoming calls to users logged in to their nearest base station. Telepoint services are intended primarily for voice communications. France Telecom is developing an interface between Bi-Bop, its Telepoint service, and Personal Digital Assistants (PDAs). The Telepoint services in both the UK and Germany have been discontinued due to the limited functionality available, and the ubiquity and low cost of full cellular and PCN networks. Telepoint may be revived in these countries once DECT technology is implemented.

-- Private Mobile Radio

Unlike mobile telephony services, which are linked to the public network, private mobile radio (PMR) and private access mobile radio (PAMR) services handle closed user groups only. In a typical PMR/PAMR application, mobile workers use the system to communicate both with a central control point and with one another. Primary users include providers of emergency services, public utilities and taxi companies. PMR networks are generally owned and operated by the organizations that use them, while PAMR (or trunked) networks are run by third-party providers that offer services on a subscription basis. One of the main benefits of using a third-party service is geographic coverage: PAMR operators have more resources to build widespread networks than most individual organizations.
PMR services currently are based on a wide variety of proprietary analog transmission standards, while many PAMR services have adopted the UK MPT standard. Like mobile telephony services, PMR/PAMR services are optimized for voice, although some network operators such as National Band III in the UK are now offering data services. Some examples of the use of PMR/PAMR are as follows:

· Most police forces use their own PMR systems to communicate with officers in vehicles and on foot patrol.
· Utility companies use PMR systems to direct their engineers for maintenance or repairs.
· Ambulance services use PMR to direct vehicles to accident sites.
· Trucking companies will use PMR to stay in touch with drivers.
· In the UK, the Automobile Association uses mobile radio networks to send information about disabled cars to repair personnel.

A number of factors, including differences in frequency allocations, now prevent PMR/PAMR networks from handling communications outside national borders. Some of the trunked PMR networks make use of the older VHF TV frequencies which may be different in various countries. This limitation on roaming may be lifted in Europe in the future, thanks to a digital mobile radio standard now being developed by ETSI. That standard, known as TETRA (Trans European Trunked Radio), will provide improved voice quality, faster data rates, better security (through encryption), and more efficient spectrum use for PMR, PAMR and mobile data services (see below). However, specific decisions on frequency allocation and supported data rates have not yet been agreed upon. Although PMR/PAMR networks tend to be less expensive than mobile telephony services, the fact that they accommodate only closed user groups limits their use. However, once an organization has been allocated a frequency to use for PMR communications, it would be very reluctant to give it up as there would be very little chance of getting another allocation.
This situation is limiting the opportunity to move to Private Access Mobile Radio. Organizations that require mobile communications with third parties are obliged to use mobile telephony services or mobile data services.

-- Mobile Data Services

The cellular telephone networks of the 1980s could be used to transmit data in much the same way as it is done over the public-switched telephone network (PSTN). However, this technology was slow, unreliable, and expensive and it was recognized that a dedicated wireless data network could solve these problems. In 1983, IBM developed a private packet radio data network called DCS (Data Communication System) for the use of its field engineers. This was used for call dispatch and call reporting and some other data applications. The terminal device consisted of a hand held data terminal about the size and shape of a house brick, by which name it was consequently known. The radio infrastructure was provided by Motorola and operated at 4.8 Kbps on a carrier frequency of 800 MHz. The network covered the major cities of the United States but the FCC licence did not allow the service to be sold to other users. At the same time, Motorola was building a network using the same technology for public access. In 1990, the IBM and Motorola networks were joined to form a public access network known as ARDIS (Advanced Radio Data Information System). The original implementation of ARDIS used a protocol known as MDC4800, but a new protocol called RD-LAP is being introduced alongside with the advantage of operating at 19.2 Kbps. In 1984 a similar technology was being developed in Sweden by Swedish Telecom (now called Telia Mobitel) and Eritel AB. The technology was known as Mobitex and was supplied by Ericsson Mobile Communications AB. The first commercial operation started in Sweden in 1986. The first systems operated in Scandinavia were in various parts of the VHF band (dependent on country), and had a data rate of 1200 bps.
The Mobitex system spread to other parts of Europe and was developed to operate at 8 Kbps in the 400 - 450 MHz band. In North America the same system is used but in the 800 MHz band. Mobitex has now become the de facto standard in Europe with only Germany having an active RD-LAP network (Modacom). Both Mobitex and the ARDIS MDC4800/RD-LAP systems are available in North America. Both systems are used in other parts of the world, notably Southeast Asia and the Pacific Rim where the Motorola technology is known as Datatac. There are other radio packet data network technologies, but these tend to be unique to individual environments or countries. For example, in the UK there are two other radio packet data networks:

· Paknet - a wireless extension of the X.25 PSS network operated by Vodafone on VHF frequencies and using some of the Vodafone cellular telephone infrastructure.
· Cognito - a VHF two-way radio messaging system using hand held integrated data terminals.

At the moment there are no internationally recognized standards for mobile data networks, and no common frequencies available in all countries. There is only limited roaming capability between countries which have common frequency allocations. Mobile data services also use radio-spectrum more efficiently than other mobile services, which means they tend to cost less. One problem with the use of packet switching in mobile data networks is that there usually is some delay in getting data to the intended receiver. With circuit-switched services like mobile telephony and PMR/PAMR networks, end-to-end circuits guarantee immediate delivery. Mobile data networks are like conventional X.25 networks in that packets are sent to a central network point which then forwards those packets to the receiver. Mobile data services are ideal for organizations that require regular data transmissions between mobile terminals, such as those located in delivery vehicles.
Where regulations permit, some companies are deploying mobile data services for stationary terminals, such as point-of-sale terminals in retail stores. Although mobile radio networks can accommodate transmissions of larger files, such as fax documents, the nature of most applications makes such file transfers impractical. Most packet radio applications are built to handle large numbers of very short transactions. A fax document or large file transfer could tie up an entire 9.6 Kbps channel for several minutes, disrupting the network's main purpose. The fact that mobile data networks require more customization has limited their appeal to larger organizations. But the arrival of some generic, off-the-shelf applications such as electronic mail transfer could make mobile data services more attractive to small organizations.

-- Satellite Applications

Satellite navigation systems can be used to show the position of a vehicle anywhere on the Earth's surface.

--- Global Positioning System

The Global Positioning System (GPS) was developed for the US Military, but can be used to provide positional information for commercial and even leisure applications. The GPS system consists of a bracelet of satellites transmitting information about their position relative to the Earth, and very accurate timing information. A small receiver in a vehicle can determine its position on the surface of the earth by receiving signals from at least three satellites. With three satellites the position can be determined in two dimensions, but with four or more signals received the altitude can be measured as well. In open country, a receiver can normally receive information from five satellites. The positional information can be calculated by the receiver knowing how long the radio signal takes to reach it from each satellite (and thus its distance from it) and the position of each satellite in space.
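To make the "time of flight, then distance, then position" step concrete, here is an added two-dimensional worked example. It was written for this edit and is not taken from the article or from any GPS receiver; the satellite coordinates, the receiver position and the 1 microsecond timing error are constructed, and the geometry is flattened to a plane with ranges in kilometres. It converts three propagation delays into ranges using the text's 299,790 km/s and solves the three range circles for the receiver's position:

```python
import math

C_KM_PER_S = 299790.0   # speed of light as quoted in the text, in km/s


def range_from_delay(delay_s):
    """Distance to a satellite from the time its signal took to arrive."""
    return C_KM_PER_S * delay_s


def trilaterate_2d(sats, ranges):
    """Solve for (x, y) given three known satellite positions and the ranges to them.

    Subtracting the first range-circle equation from the other two removes the
    x^2 and y^2 terms and leaves two linear equations, solved here by Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = sats
    r1, r2, r3 = ranges
    a = 2 * (x2 - x1)
    b = 2 * (y2 - y1)
    c = r1 ** 2 - r2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d = 2 * (x3 - x1)
    e = 2 * (y3 - y1)
    f = r1 ** 2 - r3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a * e - b * d
    if abs(det) < 1e-12:
        # Three satellites on one line cannot fix a position: the two circles
        # intersect symmetrically on either side of that line.
        raise ValueError("satellites are collinear: position is ambiguous")
    return ((c * e - b * f) / det, (a * f - c * d) / det)


def position_from_delays(sats, delays_s):
    """Full receiver step: delays -> ranges -> position."""
    return trilaterate_2d(sats, [range_from_delay(t) for t in delays_s])


def distance(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


# Constructed scenario: three satellites (flattened to a plane, km) and a receiver at (3, 4).
SATS = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0)]
TRUE_POSITION = (3.0, 4.0)
DELAYS = [distance(TRUE_POSITION, s) / C_KM_PER_S for s in SATS]


def position_error_with_timing_error(error_s, index=0):
    """Re-solve with one delay perturbed: how far a small timing error moves the fix."""
    delays = list(DELAYS)
    delays[index] += error_s
    return distance(position_from_delays(SATS, delays), TRUE_POSITION)


if __name__ == "__main__":
    print("fix:", position_from_delays(SATS, DELAYS))
    print("error from a 1 us timing error: %.3f km" % position_error_with_timing_error(1e-6))
```

The last function shows why the timing information matters so much: a one microsecond error on a single delay, which is 0.3 km of range at the speed of light, moves the computed fix by a couple of hundred metres in this geometry.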
The US Military has built in a random error mechanism so that other users cannot achieve the same accuracy as official users, who access the GPS information on a separate encrypted radio channel. GPS equipment has now been developed that is highly miniaturized and ruggedized, and may be carried by people who are walking in remote areas or by small boat sailors. The cost of these devices has reduced to the point where they are no more expensive than a good quality VCR.

--- Direct Broadcast Satellites

The satellite systems that are most familiar to us are the Direct Broadcast Satellite (DBS) systems. These can carry hundreds of TV channels in addition to other services. DBS satellites are normally in geostationary orbit, which means they appear to be in one position in the sky at all times. This is achieved by placing them in an orbit whose period is identical to that of the Earth's rotation. The altitude required for a geostationary circular orbit is 35,803 km.

--- Communication Satellites

Communication satellite systems are used to access remote parts of the world, as well as providing intercontinental telephone, TV and data links. The intercontinental services are provided by fixed groundstations in each continent and form part of the international telecommunications network. Private satellite service operators such as Inmarsat and Eutelsat provide communication services to mobile groundstations. The mobile groundstations tend to be bulky and have to have their antennae accurately positioned to establish communications. These services include TV and voice reporting from remote locations as well as data services. Companies such as IBM can offer communication satellite uplink and downlink services, providing communication satellite access without the need for the customer to invest in their own groundstations.
--- Satellite Phone Systems

Over the next few years we expect to see a number of global phone satellite networks which will supplement existing cellular and other wireless networks. Satellite phone networks will provide global coverage to hand portable wireless phones and to fixed stations in remote parts of the world. This will allow communities in isolated locations to access the switched network of the rest of the world. At present, there are many locations where it is either physically impossible or too expensive to provide land line communications and satellite phones will be able to bring normal telephone communications to these people. There are four systems proposed at the time of writing as follows:

· Odyssey - 12 satellites - Medium Earth Orbit (MEO) - Eight Earth Stations - Planned for year 2000
· Globalstar - 48 satellites - Low Earth Orbit (LEO) - 200 Earth Stations - Planned for year 1998
· Iridium - 66 satellites - Low Earth Orbit (LEO) - Planned for year 1998
· Inmarsat-P - 10 satellites - Medium Earth Orbit (MEO) - Planned for year 2000

Low Earth Orbiting systems typically orbit at around 750 km altitude and require around 50 satellites to provide global coverage. Medium Earth Orbiting systems have an altitude of 10,000 km and only need about a quarter of the number of satellites. The LEO satellite systems discussed above are generally known as *Big LEOs* to distinguish them from another class of satellite called *Little LEOs*. Little LEOs are primarily for low bandwidth applications such as locator service, two-way messaging and spot coverage for cellular carriers. They may use UHF or even VHF for communications.

- Wireless Methodologies

This bit discusses some of the basic physics associated with wireless transmission techniques and goes on to describe how the technology is implemented in various applications.
-- Radio Frequency Characteristics

The characteristics of radio waves in any frequency band determine how useful those frequencies are for the service required. The main characteristic of interest is how signals are changed or distorted, by absorption and reflection, by the air and other physical media before reaching the receiver. Since a radio signal is a particular form of energy, it is useful to consider the different forms of energy and how they can be converted and transmitted.

--- General Aspects

In order to understand some of the properties of radio and infrared propagation it is important that the underlying principles or the physics of electromagnetic waves be defined. A good starting point is a discussion of energy and the ways it can be transmitted. Energy is defined in physics as the result of multiplying power by time and may take a number of different forms (such as sound, electrical, kinetic, potential, chemical, heat, and nuclear energy). A fundamental principle of physics is that of the conservation of energy - energy can be neither gained nor lost, only converted from one form to another. When we talk about generating a particular form of energy, say electricity, what we are really doing is changing one form of energy (heat to electricity) in a power generating station. Some forms of energy are mechanical in nature, for example, kinetic energy. An object is said to have kinetic energy by virtue of its motion. A moving vehicle has kinetic energy and this has been converted from chemical energy in the gasoline and air used to power the engine. If the vehicle is driven to the top of a hill, it is said to have gained potential energy. The energy is stored in the vehicle and can be released by coasting down the other side of the hill thus becoming kinetic energy again. If the vehicle is brought to a halt, it will lose its kinetic energy, which will be converted to heat by raising the temperature of the brakes.
Whenever one form of energy is converted to another, the process may not be very efficient in changing the energy into the form desired. The internal combustion engine moving our vehicle will convert some of the chemical energy into kinetic energy, but quite a lot will be converted to heat. This energy is not lost, it is just not in a form which is useful in moving the vehicle. Even this wasted heat is welcome on a cold day! A special form of potential energy is called elastic potential energy. An example of this is a clock spring which can store the kinetic energy used to wind it and release it again as kinetic energy to drive the clock. A special form of kinetic energy is heat. The temperature of an object is due to minute vibrations of its molecules. As an object cools, it will transmit its heat energy to its surroundings, air and other objects, by means of infrared radiation and conduction. Eventually the object and its surroundings will all have the same temperature and no energy will be transferred. This is known as entropy, which is the tendency for all energy to have the same potential, and thus no useful work can be done. Sound can also be looked upon as a form of kinetic energy, but in the form of pressure waves or vibrations in a fluid or solid. Because sound requires a medium, it cannot traverse the vacuum of space. Chemical energy is energy that is released in a chemical reaction such as combustion. It is normally converted into light or heat, or even directly into electrical energy as in a battery. Nuclear energy is released by nuclear fission (splitting an atomic nucleus), or nuclear fusion (joining of subatomic particles). Electrical energy is transferred either by conduction or radiation. When an electric current flows in a wire, energy is transferred by conduction. Electrical energy is also radiated by a radio transmitter. An electric current will flow in a conductor such as a copper wire, if there is a potential difference between the two ends.
A potential difference can be considered as an excess of electrons at one end and a shortage of electrons at the other end. As the current flows, an electromagnetic field is generated and if the wire has resistance, some of the energy will be converted to heat, thus warming the wire. The relationship between the potential difference (voltage), the electrical resistance of the wire, and the current flowing through the wire was first described by Ohm for direct current in his well-known law:

E = I x R

where
E = Potential difference in volts
I = Current in amps
R = Resistance in ohms

In other words, the greater the resistance (which is proportional to the length) of the wire, the less current will flow through the wire for a given voltage level. This law forms the basis for much of electrical theory and is valid for direct current (an electric current that does not vary in time). An electric current that varies in time is known as an alternating current, which is the normal method for distributing electricity for domestic and commercial use. When dealing with alternating current, the R (representing resistance) is replaced by a Z representing impedance:

E = I x Z

where
E = Potential difference in volts
I = Current in amps
Z = Impedance in ohms

Impedance is made up of two components:

1. R - the resistance of the wire.
2. X - the reactive or frequency dependent part of the impedance, 90° phase shifted with respect to R.

The following equation describes the relationship between them:

Z = R + iX

The *i* simply means 90° phase shifted. This shows how impedance, or the characteristics of a wire or other material, changes with the frequency of the signal passing through it. A high frequency alternating current will generate a radio frequency signal as it passes through a conducting wire, creating the simplest form of radio transmitter.
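An added numerical illustration of E = I x Z with Z = R + iX (example code written for this edit, not from the article; the series resistor-inductor-capacitor circuit and its component values are constructed). Python's complex type carries the 90° phase shift that the text's i denotes, so the same Ohm's law expression yields both the magnitude and the phase of the current, and sweeping the frequency shows how the impedance of one and the same circuit changes with it:

```python
import cmath
import math


def series_impedance(r_ohms, l_henry=0.0, c_farad=None, f_hz=0.0):
    """Z = R + iX for a resistor, inductor and (optional) capacitor in series.

    X = 2*pi*f*L - 1/(2*pi*f*C): the inductive part grows with frequency and the
    capacitive part shrinks, so the reactance is frequency dependent.
    f_hz must be > 0 when a capacitor is present (its reactance is infinite at DC).
    """
    omega = 2 * math.pi * f_hz
    x = omega * l_henry
    if c_farad is not None:
        x -= 1.0 / (omega * c_farad)
    return complex(r_ohms, x)


def current(e_volts, z):
    """AC Ohm's law: I = E / Z, as a complex number carrying magnitude and phase."""
    return e_volts / z


def phase_degrees(value):
    """Phase angle of a complex voltage or current relative to the reference."""
    return math.degrees(cmath.phase(value))


def resonant_frequency_hz(l_henry, c_farad):
    """Frequency at which the inductive and capacitive reactances cancel (X = 0)."""
    return 1.0 / (2 * math.pi * math.sqrt(l_henry * c_farad))


# Constructed circuit: 10 ohm, 1 mH and 1 uF in series, driven by 1 V.
R, L, C, E = 10.0, 1e-3, 1e-6, 1.0


def sweep(frequencies):
    """|Z| and current phase at each frequency, to expose the frequency dependence."""
    rows = []
    for f in frequencies:
        z = series_impedance(R, L, C, f)
        rows.append((f, abs(z), phase_degrees(current(E, z))))
    return rows


if __name__ == "__main__":
    for f, mag, ph in sweep([100.0, 1000.0, resonant_frequency_hz(L, C), 20000.0, 100000.0]):
        print("%10.1f Hz  |Z| = %10.2f ohm  current phase = %7.2f deg" % (f, mag, ph))
```

Below the resonant frequency the capacitor dominates and the current leads the voltage (positive phase); above it the inductor dominates and the current lags; at resonance the two reactances cancel and only R is left, exactly the DC case of E = I x R.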
The different forms of electromagnetic radiation are defined by their frequencies and include radio waves, infrared radiation (heat), visible light, ultra violet light, X-rays and gamma rays. All these different frequencies of electromagnetic radiation form the electromagnetic spectrum. For the purposes of this theory we will consider radiant energy as an electromagnetic wave, but it can also be viewed as a series of particles or quanta, which is sometimes more convenient when explaining certain properties. Electromagnetic radiation can travel through free space and can also travel through various solids and fluids to varying degrees dependent on the frequency and the kind of solid or fluid. For example, light can travel through air, water and glass, but not other solid material. Radio frequency waves can travel through some solids, but not through metal, while metal can be transparent to X-rays and gamma rays. You can see that the higher frequency waves have more ability to penetrate solids than those with lower frequencies. Although radio frequency waves may be able to penetrate the material of a building, the construction of modern buildings may prevent radio transmissions from reaching the inside of an office block. Most modern buildings are constructed using a steel frame to provide the main structural integrity. The external cladding is fixed to the frame to enclose the space and provide an aesthetically pleasing appearance. Internal subdivisions for offices are constructed using steel or wooden frames to support partition walls. Radio waves are able to penetrate the cladding of the building but the steel frame acts as a *Faraday Cage* to effectively screen the interior of the building to radio waves of some wavelengths. This effect was named after Michael Faraday who was the first to demonstrate and explain it. 
If the construction of the frame or *cage* is such that the spaces between the steel girders equate to, or are smaller than, the wavelength of a radio signal then the signal is drastically attenuated. Radio frequencies for use in buildings must be carefully selected to ensure that the best compromise is made between the Faraday Cage effect and the material penetration capability of radio waves. The Faraday Cage effect is used in electronic devices to provide screening of unwanted radio frequency signals without the need to use solid metal enclosures. In a vacuum, all electromagnetic radiation will travel at the same velocity, that is, 186,321 miles/s or 299,790 km/s. This is commonly termed *the speed of light*. The velocity in fluids and solids will vary according to the type of material and the frequency of the radiation. This can be easily demonstrated when white light is passed through a prism. White light is made up of a number of different frequencies corresponding to the different colors of the visible spectrum. The shorter wavelengths (higher frequencies) will travel more slowly through the glass of the prism and be refracted more than the longer wavelengths. Thus the violet light will be bent by the glass of the prism more than the red light and this will result in the white light being spread into a spectrum of all the colors. Some radio waves have similar properties to light and similar techniques may be used to control them. Electromagnetic radiation is normally considered to consist of a sine wave which has the properties of wavelength, frequency and amplitude. The relationship between frequency and wavelength is given by the following equation:

λ = (300 x 10^6) / f

where
f = frequency in Hz
λ = wavelength in meters
(300 x 10^6 m/s is the speed of light)

Electromagnetic radiation can be generated in various ways according to the frequency of the radiation required.
Light and heat can be generated by simply raising the temperature of an object, while radio waves and X-rays need more sophisticated methods. Note: Objects which are raised to very high temperatures will radiate energy over a very wide range of the electromagnetic spectrum. For example, the sun radiates radio frequency, heat, visible light, ultra violet light, X-rays and gamma rays. However, it is not practical to use this method to generate and control anything other than heat or light. An alternating electric current will generate electromagnetic radiation. This is probably the most common method for producing most kinds of electromagnetic radiation in use today. Electrical energy is transmitted in the form of electrical impulses or waves, regardless of whether the energy is conveyed across wires, air or water. The frequency is expressed in hertz (Hz), which represent impulses or cycles per second. The electrical energy, or signal, is changed by the medium that it passes through. It can be attenuated (absorbed) or reflected resulting in a signal that is distorted in some way. Waves are changed in size or amplitude (attenuated), direction (reflected), or shape (distorted), depending on the frequency of the signal and the characteristics of the medium that they pass through. By choosing the correct medium, a signal can be changed or controlled. An electrical signal will be attenuated when it passes through a wire. High frequency light signals can travel through air, are reflected by mirrored surfaces, and are absorbed by most solid objects. For example, light signals can pass through the atmosphere but are blocked by solid walls, unless made of glass or transparent material. Low-frequency signals are not propagated well by air but can travel well through some solid objects depending on conductivity. 
For example, the electric power generated by public utility systems will remain mostly within the copper transmission wires which are a very suitable medium for electric current. (Some of the energy will be radiated in the form of electrical and magnetic fields around the wire.) On the other hand, plastic cladding for the wires is a good insulator for low-frequency electric utility power, effectively blocking current flow. Submarine communication is generally made at low frequencies since water attenuates high-frequency signals. Frequencies below 900 MHz can, in general, propagate well through walls and other barriers. As radio frequencies increase and approach the frequency of light, they take on more of the propagation characteristics of light. Signals between 900 MHz and 18 GHz, typically used by wireless LANs, are not as limited as light but still do not pass through physical barriers as easily as typical radio broadcast band signals (1600 kHz, 100 MHz). Signals of 300 MHz or higher can be reflected, focused, and controlled similarly to a beam of light. Parabolic transmitting antennae use the properties of UHF and higher frequency signals to allow a relatively low-power signal to be focussed directly towards its destination. Still closer to light signals, infrared signals have properties similar to light. Experimenting with a remote TV controller at home can help you understand which surfaces reflect infrared signals and how directional they are. By choosing the most suitable frequency, you can achieve the best propagation or transmission characteristics. The fact that only radio signals of certain frequencies are reflected by certain surfaces can be utilized to advantage. For example, the ability of high frequency microwave signals to penetrate the earth's atmosphere without being reflected is useful for satellite communications.
Lower frequency signals (200 kHz to 30 MHz) are reflected back from the ionosphere (upper layer of the atmosphere), depending on time of day, season, and sunspot activity. This characteristic enables radio signals to be bounced off the ionosphere for long-distance communications beyond the horizon. When higher frequency carrier waves are used, there is normally more bandwidth available to transmit information. By increasing the bandwidth of a communications channel, more data may be transmitted in a given period of time since the information is directly proportional to the bandwidth of the signal. For example, a 100 kHz bandwidth channel can pass 100 times the amount of information per second that a 1 kHz channel can. The frequencies of most interest to wireless transmission range from near the 200 kHz mark, where long wave radio transmissions are situated, up to infrared light in the Terahertz range. There are some drawbacks in using higher frequencies. The technology to build radio transmitters and receivers at higher frequencies is more complex. At higher frequencies, the wavelength of the radio signal approaches the physical length of the connections in the radio itself. Since a wire of length λ/4, or a multiple of it, is a good antenna, the actual connections within the radio itself must be kept short and become part of the circuit design because of problems with signal leakage. The individual radio components must also be capable of very fast switching rates. The path loss between transmitter and receiver is also a function of the wavelength:

Path loss in dB = 20 log10(λ / (4πR))

where
R = range in meters
λ = wavelength in meters

Another property of electromagnetic radiation is that it can be polarized. The concept of polarization is most familiar to us in the use of polarized sunglasses to eliminate reflections off shiny surfaces such as water.
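The wavelength equation, the Faraday cage rule of thumb from the building discussion, and the path loss expression above can all be put to work in a few lines. This is an added example written for this edit, not code from the article; it uses the text's rounded speed of light (300 x 10^6 m/s) and the text's sign convention for path loss (a negative number of dB), and the 1 m girder spacing, the 100 m link and the list of frequencies are constructed values:

```python
import math

C_M_PER_S = 300e6   # the text's rounded speed of light, 300 x 10^6 m/s


def wavelength_m(f_hz):
    """lambda = c / f."""
    return C_M_PER_S / f_hz


def quarter_wave_m(f_hz):
    """Length of a lambda/4 wire, which the text notes acts as an antenna."""
    return wavelength_m(f_hz) / 4.0


def faraday_cage_screens(f_hz, opening_m):
    """Rule of thumb from the text: an opening at or below the wavelength drastically attenuates the signal."""
    return opening_m <= wavelength_m(f_hz)


def path_loss_db(f_hz, range_m):
    """20 log10(lambda / (4 pi R)), exactly as stated in the text; negative values are losses."""
    return 20.0 * math.log10(wavelength_m(f_hz) / (4.0 * math.pi * range_m))


def survey(frequencies_hz, opening_m, range_m):
    """One row per frequency: wavelength, whether a frame with `opening_m` gaps screens it, path loss at `range_m`."""
    return [(f, wavelength_m(f), faraday_cage_screens(f, opening_m), path_loss_db(f, range_m))
            for f in frequencies_hz]


if __name__ == "__main__":
    # Constructed: a steel frame with 1 m gaps and a 100 m link, at broadcast and wireless LAN frequencies.
    for f, lam, screened, loss in survey([1.6e6, 100e6, 900e6, 2.4e9, 18e9], 1.0, 100.0):
        print("%8.1f MHz  lambda = %8.4f m  screened by 1 m frame: %-5s  path loss at 100 m = %7.2f dB"
              % (f / 1e6, lam, screened, loss))
```

The survey makes the two trade-offs in the text visible side by side: the broadcast-band signals with multi-metre wavelengths are the ones a steel frame screens, while the wireless LAN bands slip through the gaps but pay about 6 dB more path loss for every doubling of range or of frequency. Many references quote free-space path loss as the positive quantity 20 log10(4πR/λ); it is the same number with the opposite sign.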
Polarized sunglasses allow light of only one polarization to pass through them and so cut out much of the light reflected from the surface: light reflected at a shallow angle from a horizontal surface such as water is predominantly horizontally polarized, and the lenses pass only the vertical component. Radio waves can be polarized in the same way, and the polarization of a transmitted signal may be selected by mounting the transmitting elements in a horizontal or vertical attitude. This property can be used to reject unwanted or spurious signals which arrive at the receiving antenna with a different polarization from that of the wanted signal.

--- Wireless LAN Frequencies

The two most widely used transmission media for wireless LANs are infrared (IR) and radio frequency (RF) channels. Because most IR receivers detect the power (amplitude) of optical signals, not their frequency or phase, the systems that use them are simple in design, have no frequency conversions or precision components, and are readily available. It is possible to use phase or frequency modulation and some such products exist, but they are not in common use. The cost efficiency of an infrared design can be enhanced if it can share components or subsystems with mass-produced devices such as television remote controls. Because infrared systems are not regulated (other than by limits on the permissible optical power densities), there are no regulatory constraints on a design. In comparison with radio systems, this freedom from regulation helps to keep costs down.

The worldwide demand for applications of RF technology has created intense competition for frequency spectrum, causing regulatory agencies to place tight specifications on the use of an allocated band. The transmitted signal must be kept within the permitted frequency band to tight tolerances, adding significantly to the cost of the transmitter.
For some applications the receiver must be able to select bands in order to operate with transmitters at different frequencies, which also adds to the cost. Selectivity is a measure of the ability of a radio to detect and receive a signal while rejecting signals at adjacent frequencies. High selectivity becomes more important in busy frequency bands with many transmitters. For a receiver to exhibit high selectivity, the individual components in the tuning section of the radio must be manufactured to very close tolerances. Complex filters are often used to eliminate unwanted signals. Active filters are a common type of complex filter in which the characteristics of active components, such as transistors or integrated circuits, are precisely controlled by electrical signals. These filters can be accurately tuned to accept a predetermined frequency and reject other, unwanted signals. Filters built from resistors, capacitors, and inductors without active components are known as passive filters.

Drift is the tendency of a transmitter or receiver frequency to change with time. It can be caused by the temperature tolerance of radio components or by slight changes in the supply voltage. Digital tuning circuits and phase-locked loops can be used to lock accurately onto a signal and eliminate this effect. Tighter tolerances and greater receiver complexity also add to cost.

Sensitivity determines how well a receiver can detect a weak signal. In order to reduce interference with transmitters at adjacent frequencies and in adjacent areas, transmitter power is kept as low as possible. This places the burden on the receiver of picking a low-power signal out of a noisy frequency band. Noise can come from a variety of sources. Man-made noise consists of spurious signals radiated by electrical equipment such as electric motors; this is especially critical in industrial environments.
Background noise can come from many natural sources such as lightning, sunspot activity or other extra-terrestrial sources. This becomes more significant in less populated areas, where man-made noise is lower. To prevent an already low signal-to-noise ratio from being further degraded by noise generated inside the receiver, the signal level is raised first by a high-gain, low-noise amplifier. Gain is a measure of amplification, is measured in decibels (dB), and is expressed as

Gain (dB) = 10 log10(Pout / Pin)

The need for selectivity and high gain leads to complex receiver structures involving amplification at the carrier frequency, frequency conversion using precision local oscillators, and precision selective components. The need to coexist in the crowded RF spectrum places a cost burden on radio systems that does not exist for infrared systems. In the US, radio systems operating in the license-free ISM bands (Industrial, Scientific, and Medical: 902-928 MHz, 2400-2483.5 MHz and 5725-5850 MHz) bear an additional cost burden because of the need to implement spread-spectrum techniques to prevent interference to or from other appliances and systems. These bands have been set aside for unlicensed operation provided that the transmitter and receiver comply with a set of regulations specified by the FCC (Federal Communications Commission). Typical applications now operating within these bands are cordless telephones, door openers, security motion detectors, remote controls and meter-reading devices. Parts of these bands were auctioned off to commercial carriers in December 1994. Low-cost radio systems can still be achieved, however, with volume production of components and systems. An example of this is the widespread use of cordless telephones.
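To put the path loss formula and the decibel gain definition above to work, here is a small link-budget calculator. It is an added example, not code from the article or from any of the systems it describes. The figures it is fed are constructed: a 4 W car unit at 900 MHz, unity-gain antennas, and a receiver that can still demodulate at -100 dBm; that sensitivity in particular is an assumed value, not one the article gives. Free-space loss is a lower bound, since walls, foliage and the ground reflection described above all add to it, but it is the figure that bounds how far away a listener with a given receiver could still pick a signal up.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def wavelength_m(freq_hz: float) -> float:
    """lambda = c / f"""
    return C / freq_hz


def free_space_path_loss_db(range_m: float, freq_hz: float) -> float:
    """Path loss (dB) = 20 log10(4 pi R / lambda); positive dB is attenuation."""
    return 20 * math.log10(4 * math.pi * range_m / wavelength_m(freq_hz))


def gain_db(power_out_w: float, power_in_w: float) -> float:
    """Gain (dB) = 10 log10(Pout / Pin), as defined in the text."""
    return 10 * math.log10(power_out_w / power_in_w)


def watts_to_dbm(power_w: float) -> float:
    """Power relative to 1 mW, in dB; the usual unit for link budgets."""
    return 10 * math.log10(power_w / 1e-3)


def received_power_dbm(tx_power_w, tx_antenna_gain_db, rx_antenna_gain_db,
                       range_m, freq_hz) -> float:
    """Link budget: transmitter power plus antenna gains minus free-space loss."""
    return (watts_to_dbm(tx_power_w) + tx_antenna_gain_db + rx_antenna_gain_db
            - free_space_path_loss_db(range_m, freq_hz))


def max_range_m(tx_power_w, tx_antenna_gain_db, rx_antenna_gain_db,
                freq_hz, rx_sensitivity_dbm) -> float:
    """Invert the budget: the range at which received power falls to the
    receiver's sensitivity.  Solves 20 log10(4 pi R / lambda) = allowed loss."""
    allowed_loss_db = (watts_to_dbm(tx_power_w) + tx_antenna_gain_db
                       + rx_antenna_gain_db - rx_sensitivity_dbm)
    return wavelength_m(freq_hz) / (4 * math.pi) * 10 ** (allowed_loss_db / 20)


if __name__ == "__main__":
    # Constructed figures: a 4 W AMPS car unit (see the text) at 900 MHz,
    # unity-gain antennas, and an assumed receiver sensitivity of -100 dBm.
    f = 900e6
    for r in (1_000, 10_000, 50_000):
        print(f"{r:>6} m: loss {free_space_path_loss_db(r, f):6.1f} dB, "
              f"received {received_power_dbm(4.0, 0, 0, r, f):7.1f} dBm")
    print(f"free-space range at -100 dBm: "
          f"{max_range_m(4.0, 0, 0, f, -100) / 1000:.0f} km")
```

Everything is kept in decibels so that the budget is a sum: each 6 dB of extra loss (a doubling of range or of frequency) costs the same whether it comes from distance, a poorer antenna or a wall. For real planning, replace the free-space term with a measured or empirical loss model; the rest of the arithmetic is unchanged.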
Wireless LAN implementations have benefited from the component volumes of cellular telephone production; when digital cordless telephones, wireless PBXs, and PCS/PCN telephone systems stimulate high-volume component production, wireless LAN systems will benefit further. Advances in the fabrication of components promise higher levels of integration, more accurate passive filters in place of expensive active filters, and smaller, less expensive systems.

--- Analog Cellular Telephony

The development of mobile telephony systems has led to the cellular telephone systems in existence today. In this narrow-band FDMA-based system, voice is transmitted using Frequency Modulation (FM); channel spacing is 30 kHz for the Advanced Mobile Phone System (AMPS) in the USA, 25 kHz in Europe, or 6.25 kHz in Japan. In the USA and Canada AMPS is the most widely available cellular system and is provided by two carriers in each service area to ensure competition. More than 25 carriers serve more than 734 service areas using base stations with 100 W power in the 800 MHz frequency band (see A.4). Portable units transmit with 0.6 W, transportable units with 1.6 W and car units with 4 W. The 50 MHz of available bandwidth is split into 25 MHz for base stations and 25 MHz for mobile stations. Each of these 25 MHz ranges is divided between the two carriers for that service area.

In Europe, mobile telephony services based on analog transmission standards operate in the 450 MHz and 900 MHz frequency bands. The primary analog standards are TACS (Total Access Communication System) and NMT (Nordic Mobile Telephone). France, Germany, and Italy each also use a different national standard:

· Nordic Mobile Telephone 450 MHz (NMT-450) is used in Austria, Belgium, Czech Republic, Denmark, Finland, Iceland, Luxembourg, the Netherlands, Norway, Poland, Slovakia, Spain, Sweden and Turkey.
· Nordic Mobile Telephone 900 MHz (NMT-900) is used in Denmark, Finland, the Netherlands, Norway, Sweden and Switzerland.
· Extended Total Access Communication System 900 MHz (E-TACS) is used in Austria, Ireland, Italy, Spain, and the UK.
· Netz-C 450 MHz is used in Germany, Portugal, and South Africa.
· Radiocomm 2000 (450 and 900 MHz) and Ligne SFR/NMT-450 are used in France.
· NTT System 900 MHz and Japanese TACS 900 MHz are used in Japan.

It is possible to transmit digital signals using Public Switched Telephone Network (PSTN) modems over analog cellular phones. For example, V.32 modems operating at 4800 bps have been used successfully. However, the radio link introduces conditions which PSTN modems find difficult to handle. During signal fades the modems try to adapt to the noisy conditions by changing speed, and may have lost the connection by the time the signal returns. Channel switching by the cellular phone to a less noisy channel may also be enough for the modem to drop the connection. Differences in bandwidth between analog channels can also lead to problems. Since there are no industry standards for the operation of PSTN modems connected to a cellular telephone through an interface adapter, proprietary error-control protocols have been developed by some manufacturers (for example, Microcom Network Protocol 10 or MNP 10).

A special adapter is required to connect a PSTN modem to a cellular phone. Some manufacturers tap into the handset-transceiver connection (for example, CelJack from Telular) and others provide connections for their own cellular phones (Motorola). In the US, Spectrum Cellular offers a range of equipment for connection to the cellular phone network, including fax machines and special modems. It can be difficult to obtain type approval for this kind of solution in some countries, as the requirements for a data connection can differ from those for a voice-only system. There are no standards for data over cellular, and the national approval authorities may not even allow these solutions in some countries.
--- Digital Cellular Telephony

Digital cellular telephony is based on the same network concept as analog cellular telephony, with base stations and mobile stations. The move to digital led to the development of different systems in Europe, Japan, and the US. It had been recognized for some time that the analog cellular telephone systems did not make efficient use of the available radio spectrum. In any voice conversation on an analog network, the whole channel has to be dedicated to the end-to-end connection for the whole call. A digital system can instead divide the channel into short, repeating time slots and give each call one slot in turn, so that several conversations share the same radio channel; this is called Time Division Multiple Access (TDMA). Most conversations also consist of a small amount of time when information is actually being transmitted, with the rest silence - between words, waiting for the other party to respond, pauses for breath, and thinking time - and a digital system can stop transmitting during this *dead time*, which reduces interference and saves battery power. Using digital technology it is also possible to compress speech by making some assumptions about speech waveforms, so that even more users can share the same channel. GSM in Europe can have up to eight two-way calls in the same pair of radio channels, and future developments should be able to double this within the next few years. With analog cellular network capacity quickly becoming saturated, it is not surprising that a great deal of development effort has gone into digital cellular.

Another major advantage of digital cellular is the quality of the voice call. Because the digital data stream has error correction built in, interference and other short breaks in transmission do not result in any loss of quality. If the error correction mechanism cannot recover the lost data, a short period of silence ensues. Listening to a digital cellular conversation compared with an analog one can be likened to the difference between a compact disc and a vinyl record.
In fact, many of the same techniques are used in digital cellular as are used in the production of CDs. The last significant advantage of digital cellular is the inherent security against casual eavesdropping. With analog cellular, a standard FM radio receiver capable of covering the cellular channels can be tuned to receive an analog cellular phone conversation. No special equipment is needed and a radio *scanner* can be readily purchased at an affordable price. The scanner may only be able to receive the channel being transmitted by the cellular base station, but both halves of the conversation can usually be heard due to the fact that they both share the same pair of wires in the land-based telephone network. If the cellular phone user is moving, then the conversation may only be heard for a short time until the phone moves into the next cell. With more sophisticated computer controlled scanning equipment installed in a vehicle, it is possible to follow a moving cellular phone and switch to new channels in each cell automatically. A digital cellular phone conversation is much harder to decode. Special equipment is needed to select the required time slot for the particular voice conversation to be followed. Most digital systems encrypt the data representing the speech information, and may enable frequency hopping, thus making it even more difficult to eavesdrop. This does not make it impossible to eavesdrop, but it does increase the cost of the listening equipment to a point where it is unlikely that it would be worth doing. It must be remembered that the cost of breaking into a secure system must be less than the value of the information obtained if it is to be attempted. A digital cellular system will ultimately have far greater potential for miniaturization and cost reduction of both the base station equipment and the mobile equipment. 
This will be helped by the move towards international standards using common systems, architectures and components, thus spreading development costs over a much larger customer base. Already the GSM architecture is becoming the accepted standard and the service is reaping these benefits. The introduction of GSM provided a unique opportunity to define and develop a range of significant value added services such as data transmission, fax, and messaging. --- Global System for Mobile Communications (GSM) The GSM standard was proposed by CEPT in 1982 and completed by ETSI in 1990; the first networks were deployed in 1991. It is similar to the terrestrial ISDN network with its definitions of voice and data channels, and is designed to be compatible with it. However, the data rates are much lower due to the limitations of radio bandwidth. The main driving force behind the introduction of GSM in Europe was to provide a common standard for European Cellular Communications which allowed subscribers to roam throughout Europe and access cellular networks in each country with the same equipment. It also allows the equipment manufacturers to sell identical mobile and fixed equipment in all countries. A digital system was chosen for all the reasons described above. GSM operates in the 900 MHz band, the same as existing European analog cellular systems and more channels will be allocated to GSM from analog as the networks grow. The system uses Time Division Multiple Access to enable multiple voice calls to use a single radio channel. For GSM there are eight time slots on each radio channel called burst periods (BPs) which together make up a TDMA frame of duration 4.615 ms. Each burst period has a duration of 0.577 ms. The radio channel has a bandwidth of 200 kHz compared to 25 kHz of the analog systems. The voice or data information is transmitted in a string of burst periods in consecutive frames, thus creating a logical channel. 
In order to provide some immunity to interference, the digital data is interleaved. This means that each piece of information is spread over time and mixed with other discrete pieces of information. If an interfering signal causes a burst of data errors, the errors are spread over a number of separate pieces of information, so that each piece suffers only a few errors and the error correction mechanism can recover the lost data.

GSM provides full-duplex operation (transmitting information in both directions at the same time) and uses separate transmit and receive radio channels. The radio channel carrying information from the mobile station is called the uplink and is separated by 45 MHz from the downlink radio channel, which carries information from the base station to the mobile. The mobile station is instructed by the base station to operate on a particular radio frequency, and this will always consist of a transmit and receive pair separated by 45 MHz. The GSM specification allows for the use of slow frequency hopping at 217 hops per second, so that a complete TDMA frame is sent on one frequency before a hop takes place.

In order to transmit analog speech over a digital network, the analog signal first has to be converted to digital information. The speech encoder takes 20 ms of the analog speech signal at a time and encodes it as 260 bits of digital data, a data rate of 13 Kbps. The data is then passed through a convolutional encoder, which adds redundant bits derived from the information bits; this builds an error correction capability into the transmitted stream. The data is delivered to the transmitter as blocks of 456 bits every 20 ms, a 22.8 Kbps data stream.
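The interleaving argument above is easiest to see by running it. The following is an added example, not part of the article and not GSM's own code: GSM uses a convolutional code and a diagonal interleaver across eight bursts, whereas this uses a Hamming(7,4) block code, which corrects exactly one error per seven-bit codeword, and a plain block interleaver of depth eight. The data bits and the burst position are constructed. The point it demonstrates is the one the text makes: the same burst of eight corrupted bits wrecks two codewords when the stream is sent in order, and is spread to one error per codeword, all of them correctable, when it is interleaved first.

```python
# Hamming(7,4): codeword layout p1 p2 d1 p3 d2 d3 d4 (parity bits at
# positions 1, 2, 4); any single-bit error is located by the syndrome.
def hamming_encode(d):
    d1, d2, d3, d4 = d
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]


def hamming_decode(c):
    c = list(c)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    pos = s1 + 2 * s2 + 4 * s3        # 0 = no error, else 1-based bit position
    if pos:
        c[pos - 1] ^= 1
    return [c[2], c[4], c[5], c[6]]


def encode_bits(bits):
    return [b for i in range(0, len(bits), 4) for b in hamming_encode(bits[i:i + 4])]


def decode_bits(coded):
    return [b for i in range(0, len(coded), 7) for b in hamming_decode(coded[i:i + 7])]


def interleave(coded, depth, n=7):
    """Block interleaver: write `depth` codewords as rows, read column by column,
    so consecutive transmitted bits come from different codewords."""
    rows = [coded[r * n:(r + 1) * n] for r in range(depth)]
    return [rows[r][col] for col in range(n) for r in range(depth)]


def deinterleave(stream, depth, n=7):
    rows = [[0] * n for _ in range(depth)]
    for k, bit in enumerate(stream):
        rows[k % depth][k // depth] = bit
    return [b for row in rows for b in row]


def burst_error(stream, start, length):
    """Flip `length` consecutive bits: an interfering signal hitting the channel."""
    s = list(stream)
    for i in range(start, start + length):
        s[i] ^= 1
    return s


def transmit(data_bits, depth, burst_start, burst_len, use_interleaving):
    """Encode, optionally interleave, corrupt, de-interleave, decode."""
    coded = encode_bits(data_bits)
    tx = interleave(coded, depth) if use_interleaving else coded
    rx = burst_error(tx, burst_start, burst_len)
    if use_interleaving:
        rx = deinterleave(rx, depth)
    return decode_bits(rx)


# Constructed payload: eight 4-bit data words, i.e. eight codewords, depth 8.
DATA = [int(b) for b in "10110010011100011010110110010101"]

if __name__ == "__main__":
    for interleaved in (False, True):
        out = transmit(DATA, 8, 3, 8, interleaved)
        print(f"interleaving={interleaved!s:5}  recovered={out == DATA}")
```

The interleaver adds no redundancy of its own; it only changes which codeword each transmitted bit belongs to, so that a burst shorter than the interleaving depth can never put two errors into the same codeword. The price is delay: nothing can be decoded until all eight codewords have arrived, which is why GSM's interleaving depth is kept to a few frames.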
As each radio channel carries data at a gross rate of about 270 Kbps, eight logical channels can be used in one radio frequency channel with 87.6 Kbps spare for control signalling and other overhead. The data is transmitted by modulating the radio frequency carrier using Gaussian Minimum Shift Keying (GMSK). If there is no voice signal (silence), then no data is transmitted.

Although the network structure of GSM seems very similar to analog cellular networks like AMPS and TACS at first glance, the underlying structure is much more complex. One of the main reasons for this is that the architecture is designed for international roaming and for the customer billing processes that ensure a mobile phone can be used in different GSM networks. The main GSM network components are:

· Base Transceiver Station (BTS) - The BTS transmits to and receives from all GSM phones in its cell.
· Base Station Controller (BSC) - The BSC controls several base stations and ensures that a mobile phone can move from one cell to another and switch to the new radio channel without a break in communication.
· Mobile Switching Center (MSC) - The MSC connects the GSM network to other networks such as the PSTN, ISDN or other mobile networks. It also controls call setup and disconnect, call routing, and switching to other MSCs, and generates data for customer billing systems.
· Home Location Register (HLR) - The HLR contains information about the subscriber, including the level of service allowed and location information.
· Visitor Location Register (VLR) - The VLR obtains subscriber information from the subscriber's HLR when the GSM phone is being used on a different network.
· Equipment Identity Register (EIR) - The EIR is a database which contains information about the validity of GSM telephones being used on the network. Each phone has an International Mobile Equipment Identity number (IMEI) which is independent of the subscriber number.
· Authentication Center (AUC) - The AUC provides the security function that ensures a call is being made by an authorized subscriber.
· Operations Management Center (OMC) - The OMC manages the network on a regional and day-to-day basis.
· Network Management Centre (NMC) - The NMC manages the entire network on a global basis and is used for long-term planning.

The subscriber service on a GSM network is separate from the GSM phone itself. This means that the subscriber's identity (or phone number) can be transferred from one physical phone to another without reprogramming the phone. This is accomplished by means of a Subscriber Identity Module (SIM), in the form of a credit card-sized smart card as shown below. The SIM has a small microprocessor with read-only and read/write memory. It is used as the subscriber's *identity* and has security functions, together with the ability to store the subscriber's personal information (phone book) and short messages (SMS). When the SIM is inserted into a GSM phone, the phone takes on the identity of the subscriber's GSM phone. Some hand-held phones have only a very small aperture for the SIM, and for this reason the SIM card has a thumbnail-sized break-out section containing the electronics. The SIM allows subscribers to use a different phone (for example, in a rental car) and still retain their normal GSM phone number and be billed as usual for calls.

When a SIM is inserted in a GSM phone and the phone is switched on, the phone listens on a number of predefined common control channels. These control channels carry information about the network and the current location. The mobile station can then inform the network of its location, and its home location register (HLR) is updated with this information. When the subscriber wishes to make a call, the number is keyed in and the SND button pressed.
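How the AUC and the SIM together establish that a call comes from an authorized subscriber is worth seeing as an exchange. The following is an added illustration, not code from the article or from any GSM implementation. The shape of the real procedure (a 128-bit random challenge RAND sent to the phone, a 32-bit signed response SRES computed inside the SIM from RAND and the subscriber's secret key Ki, and a 64-bit ciphering key Kc derived the same way and kept for encrypting the call) comes from the GSM specifications rather than from this article, and the operator-chosen A3/A8 algorithms are replaced here by HMAC-SHA256 as a stand-in. The IMSI, the keys and the class and method names are constructed.

```python
import hashlib
import hmac
import secrets


# Stand-ins for the operator-specific A3 (response) and A8 (ciphering key)
# algorithms: HMAC-SHA256 truncated to the GSM field sizes.  This is an
# assumption for the example, not how any operator computes them.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # 32-bit SRES


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # 64-bit Kc


class SIM:
    """The subscriber's smart card.  Ki never leaves it: the phone only ever
    hands it a RAND and gets back SRES and Kc."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class AuthenticationCentre:
    """AUC: the network-side copy of each subscriber's Ki, indexed by IMSI."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str):
        """A fresh (RAND, expected SRES, Kc) for one authentication attempt."""
        rand = secrets.token_bytes(16)                     # 128-bit challenge
        ki = self._ki_by_imsi[imsi]
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


class MSC:
    """MSC/VLR: challenges the mobile, compares SRES, keeps Kc for ciphering and
    issues a TMSI so the IMSI need not be sent over the air again."""

    def __init__(self, auc: AuthenticationCentre):
        self._auc = auc
        self._next_tmsi = 0x1000
        self.sessions = {}   # TMSI -> (IMSI, Kc)

    def authenticate(self, sim: SIM):
        """Returns the allocated TMSI, or None if the response is wrong."""
        rand, expected_sres, kc = self._auc.triplet(sim.imsi)
        sres, _ = sim.run_gsm_algorithm(rand)        # over the air: RAND out, SRES back
        return self._accept(sim.imsi, sres, expected_sres, kc)

    def verify_replayed_response(self, imsi: str, captured_sres: bytes):
        """An eavesdropper replays an SRES recorded earlier.  The network issues a
        new RAND for every attempt, so the old SRES does not match."""
        _, expected_sres, kc = self._auc.triplet(imsi)
        return self._accept(imsi, captured_sres, expected_sres, kc)

    def _accept(self, imsi, sres, expected_sres, kc):
        if not hmac.compare_digest(sres, expected_sres):
            return None
        tmsi = self._next_tmsi
        self._next_tmsi += 1
        self.sessions[tmsi] = (imsi, kc)
        return tmsi


TEST_IMSI = "001010000000001"   # constructed; MCC 001 is the ITU test network code


def demo():
    auc = AuthenticationCentre()
    ki = secrets.token_bytes(16)                           # 128-bit Ki
    auc.provision(TEST_IMSI, ki)
    msc = MSC(auc)
    genuine = SIM(TEST_IMSI, ki)
    forged = SIM(TEST_IMSI, secrets.token_bytes(16))       # right IMSI, wrong Ki
    return msc.authenticate(genuine), msc.authenticate(forged)


if __name__ == "__main__":
    ok, bad = demo()
    print(f"genuine SIM -> TMSI {ok:#x}; forged SIM -> {bad}")
```

Two things to notice: Ki is only ever used inside the SIM and inside the AUC, so nothing that crosses the air interface (RAND, SRES) or the network (the triplet handed to the visited MSC) lets a listener reconstruct it; and because each attempt gets a fresh RAND, a recorded SRES is useless later. Note also that the phone does not authenticate the network in this exchange; only the subscriber is checked.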
The network checks that the subscriber is authorized to make the call, and the MSC routes the call to the appropriate number, usually via the PSTN. The MSC also generates billing data and sends it to the network billing system.

To make a call to a GSM phone from a fixed PSTN phone, the process is more complex. The PSTN routes the call to the MSC closest to the calling PSTN phone. This MSC looks in the Home Location Register for the mobile phone and determines its location. If the mobile phone is in the same region as the MSC, it sends out a paging message on a control channel. Assuming that the mobile is switched on and in range, the mobile responds and the MSC authenticates its response. If it is a valid subscriber and device, the MSC routes the call to the mobile and the phone rings. If the phone is in the region covered by another MSC but still in the same network, the first MSC routes the call via the MSC local to the mobile phone.

The most complex process is where the mobile user is roaming in another network area (which may be another country). In order to understand how calls are routed to a roaming subscriber, we must first look at the telephone numbering schemes involved. A fixed PSTN number is divided into three parts:

· Country code - 1 for the USA, 44 for the UK and so on
· Area or region code - this defines local areas for billing purposes
· Subscriber number - this may define groups as well as individuals

For calls within a local area it is only necessary to dial the subscriber number. For calls outside a local area but still within the same country, it is only necessary to dial the area code and subscriber number. With a cellular phone, the area code is replaced by a number which identifies the network operator. A particular operator may have more than one such number depending on the size of the network. Cellular phone numbers have the same structure as PSTN numbers.
The PSTN numbering scheme is the ISDN (Integrated Services Digital Network) numbering plan, and the GSM cellular phone number is called the Mobile Station International ISDN number (MSISDN). Over the air interface the GSM subscriber is identified by a different numbering scheme, the International Mobile Subscriber Identity (IMSI) or a Temporary Mobile Subscriber Identity (TMSI) allocated by the network the phone is currently in. This allows the subscriber to be identified regardless of which network they are in.

When a call is made to a phone roaming outside its home location, the call is routed to a gateway MSC (GMSC) in its home network. The GMSC interrogates the Home Location Register (HLR), which contains information about where the mobile phone is currently located. This information is obtained from the Visitor Location Register (VLR) of the network where the phone is located and includes a Mobile Station Roaming Number (MSRN) assigned to the mobile phone. Using this information, the GMSC routes the call to the visited network's MSC (possibly via an international link). The host MSC pages the mobile phone and the call is connected after validation.

A call directed to a phone roaming outside its home network will always be routed via a gateway MSC in its home network. One problem that arises from this is that if a call is made from one GSM phone to another, both roaming outside their home networks, they may be charged for a double international call even if they are next to each other in the same room. This is because the phone making the call is charged for a call back to its home network GMSC and the phone receiving the call is charged for a call from its home GMSC to its current location. There is no way of avoiding this without an unacceptable increase in billing complexity for average calls.

One of the main reasons for implementing GSM is the new services that can be offered. One of the first of these is the Short Message Service (SMS).
SMS allows the GSM phone to send and receive short messages using the network's control channel to transfer the information. This means that no circuit-switched connection is established, and the message can be stored and forwarded when the phone is able to accept it. The GSM Short Message Service allows the phone to act like a two-way alphanumeric pager. Up to 160 characters can be transmitted in one message. One implementation of the service provides access via a normal paging bureau, or directly from a customer's host system. The mobile phone subscriber can respond by entering a message on the phone's keypad, used to emulate an alphanumeric keyboard. This can be quite laborious for longer messages but useful for short acknowledgements. One way to simplify this is to store a number of predefined messages in the phone's memory and modify them as necessary before sending. An alternative is to connect the phone to a notebook computer or PDA and use that device's keyboard.

SMS messages can be sent from host to mobile, mobile to mobile, or mobile to host. In the last case it depends on the network operator's implementation of the service: if a standard one-way paging bureau is used for SMS access, a direct connection back to a customer's host system may not be possible. SMS messages can be stored in the phone's own memory or in the subscriber's SIM memory. This is especially useful if the subscriber is using a different phone from his own, but with his SIM inserted.

SMS messages can also be broadcast to a number of subscribers at the same time. This is known as *cell broadcast*. All mobiles within a defined area that are equipped with this feature will receive the broadcast, and no special subscription is needed. This can be used for things such as traffic information and weather warnings. A cell broadcast message is limited to 93 characters.
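Why the limits are 160 characters for a message and 93 for a cell broadcast is a matter of how the characters are packed, which the article does not spell out. The following is an added example, not code from the article or from any phone or SMS centre: it packs text in the GSM 7-bit default alphabet, seven bits per character, into octets, which is how 160 characters fit in the 140-octet user data field of an SMS and 93 in the 82-octet cell broadcast page. The character mapping here is restricted to the ASCII letters, digits and punctuation whose codes the GSM default alphabet shares with ASCII; `$`, `@`, `_` and the accented characters have different codes and are rejected rather than mis-encoded. The message text is constructed; `hellohello` is a standard test vector for this packing.

```python
# Characters whose code in the GSM 03.38 default alphabet equals their ASCII
# code.  '$', '@', '_', '[', ']', '{', '}', '\\', '^', '|', '~', '`' do NOT
# (they are national characters or need the escape table) and are rejected.
GSM_ASCII_COMPATIBLE = set(
    " !\"#%&'()*+,-./0123456789:;<=>?"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
)

SMS_USER_DATA_OCTETS = 140     # user data field of one SMS
CELL_BROADCAST_OCTETS = 82     # one cell broadcast page


def to_septets(text: str) -> list:
    """Map each character to its 7-bit GSM code (ASCII-compatible subset only)."""
    bad = [ch for ch in text if ch not in GSM_ASCII_COMPATIBLE]
    if bad:
        raise ValueError(f"not representable in the ASCII-compatible subset: {bad!r}")
    return [ord(ch) for ch in text]


def pack_septets(septets: list) -> bytes:
    """Pack 7-bit values into octets, least significant bit first (GSM 03.38)."""
    out = bytearray()
    acc, nbits = 0, 0
    for s in septets:
        acc |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:                      # trailing partial octet, zero-padded
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_septets(data: bytes, count: int) -> list:
    """Inverse of pack_septets; `count` is needed because padding is ambiguous."""
    septets = []
    acc, nbits = 0, 0
    for byte in data:
        acc |= byte << nbits
        nbits += 8
        while nbits >= 7 and len(septets) < count:
            septets.append(acc & 0x7F)
            acc >>= 7
            nbits -= 7
    return septets


def chars_in_octets(octets: int) -> int:
    """How many 7-bit characters fit in a field of the given size."""
    return octets * 8 // 7


def encode_sms_user_data(text: str) -> bytes:
    """User data for one single-part SMS; refuses text that would not fit."""
    limit = chars_in_octets(SMS_USER_DATA_OCTETS)
    if len(text) > limit:
        raise ValueError(f"{len(text)} characters; a single SMS carries at most {limit}")
    return pack_septets(to_septets(text))


def decode_sms_user_data(data: bytes, length: int) -> str:
    return "".join(chr(s) for s in unpack_septets(data, length))


if __name__ == "__main__":
    msg = "Meet at the usual place at 9. Bring the disk."   # constructed
    packed = encode_sms_user_data(msg)
    print(f"{len(msg)} chars -> {len(packed)} octets: {packed.hex()}")
    print("single SMS:", chars_in_octets(SMS_USER_DATA_OCTETS), "chars;",
          "cell broadcast page:", chars_in_octets(CELL_BROADCAST_OCTETS), "chars")
```

The character count has to travel separately (the SMS PDU carries it in its user data length field) because the zero bits used to pad the last octet are indistinguishable from the code 0x00, which is `@` in this alphabet. Anything that parses SMS on the receiving side, a gateway or a forensic tool, should take the length from that field and not from the number of octets.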
Apart from private messaging services, SMS can be used by network operators to communicate with subscribers and even to download new phone configurations to enable other services. Other applications will be developed as networks grow.

In order to send circuit-switched data over a GSM network, it is important to understand that the air link is digital and that the encoding and compression algorithms are designed to expect speech. It is therefore impossible to use ordinary PSTN-compatible modems to send data over a GSM network. The GSM specification includes data services for fax, circuit-switched data and packet-switched data; the first implementation of GSM does not include packet-switched data. In order to send circuit-switched data, the network operator must provide a mechanism that allows digital information sent from a host computer to be encoded directly in the GSM air protocol. In addition, if the data is to be carried over the PSTN, the network operator must provide modems to match the end-user's requirements. In the mobile phone itself, the data connection bypasses the analog/digital conversion and the voice compression circuits. There is no need for a modem at the mobile end; the connections are all digital. At the fixed station (MSC), voice and data calls are separated. The data path bypasses the decompression function and is sent directly to banks of modems which convert to a modem protocol matching the user's requirements. As the GSM air link runs at 9.6 Kbps, the highest-speed modem required is only V.32. Separate digital interfaces connect to ISDN or PSPDN (X.25). Not all GSM networks will offer these data services to start with, but all GSM equipment is designed to support them.

GSM circuit-switched data can operate in two modes, Transparent (T) and Non-Transparent (NT).
Transparent mode relies on the forward error correction of the air link alone and delivers data at a constant rate, residual errors included; Non-Transparent mode adds a Radio Link Protocol that retransmits data received with errors, using Automatic Repeat Request (ARQ), so the link is error-free but its throughput varies with radio conditions. Group 3 fax services are handled in a similar way, with the network operator providing fax modems to convert from the digital data stream to analog signals that can be sent over the PSTN.

All the above considerations apply equally to DCS1800 and DCS1900, the Personal Communications Network (PCN) technology. The key differences with PCN are in the implementation of the network. PCN networks are designed to work with hand-held phones; vehicle installations with higher-power transmitters are not allowed. The network structure is designed around microcells, to provide good coverage in metropolitan areas, both outdoors and within buildings. Coverage of rural areas will be limited.

- Packet Network Methodologies

With the exception of CDPD, the cellular networks discussed so far have been designed primarily for speech. Radio packet data networks are designed for data only.

-- Mobitex

The description which follows applies to the newer UHF Mobitex systems in North America and Europe. The original VHF systems which operated in Scandinavia are being replaced by UHF systems with much higher data rates. Mobitex in the US transmits from the base station on channels in the 935-940 MHz range and receives in the 896-901 MHz range. The transmit and receive frequencies for any channel are always 39 MHz apart. Mobitex in Europe has different frequency allocations for each country, but they are all in the range 410-459 MHz. Apart from this difference in radio carrier frequency, the European and North American systems are the same. The radio channels are 12.5 kHz wide and each Base Radio Station (BRS) can have up to sixteen different channel frequencies.
The physical BRS can be used as a number of logical base stations using directional antennae. The radio channel is modulated using a modified form of Gaussian Minimum Shift Keying (GMSK). The Mobitex network is cellular in structure, but because the system uses packets of data instead of a continuous connection, there is no requirement for dynamic handoff as in a cellular telephone network. The data rate of the Mobitex network is 9.6 Kbps, which gives a maximum end-to-end throughput of 8.0 Kbps.

One of the key factors when dealing with a packet data network is the network delay. The delay varies with the load on the network and may be a few seconds. Network operators are careful to ensure that no single application loads the network in such a way that other users are affected. Legacy host applications may need to be modified to work properly with packet networks, which may be a key factor in choosing a suitable network. Access to the Mobitex network from external host systems is provided by a number of different gateways. The availability and definition of these gateways varies from network to network, but will normally include:

· X.25 - MTP/1 transport layer is optional
· TCP/IP - host connection via X.25 or SLIP (Serial Line Internet Protocol)
· SNA/3270 - MTP/1 transport layer is required

Mobile units on the network can take the form of vehicle-based installations with application-dependent displays and data entry functions. A simple two-line display with a number of predefined data entry keys may be used for a taxi application, while a notebook computer may be attached to a Mobitex radio/modem for a full-screen data application. A recent development from IBM is a PCMCIA card which contains a complete Mobitex radio/modem. This allows a notebook computer to communicate over the Mobitex network without attaching to any external device.
Applications using the Mobitex network can also be fixed-station telemetry, where the difficulty or cost of installing a fixed wire connection would not be economical. A packet radio data network is ideal for sending small amounts of data at irregular intervals.

-- MDC4800 and RD-LAP

The second major radio packet data network type is a Motorola technology known as ARDIS in the US. The same technology is used in other countries, notably Germany, where it is known as Modacom, and Southeast Asia and the Pacific Rim, where it is known as Datatac. The following description will use ARDIS as an example of a network implemented using this technology.

The ARDIS network uses two different protocols. The original protocol is called MDC4800 (Mobile Data Communication 4800) and, as its name suggests, operates at 4.8 Kbps. The newer services use a protocol called RD-LAP (Radio Data-Link Access Procedure), which provides a data rate over the air link of 19.2 Kbps. Whatever air link protocol is used, the underlying network is the same.

In North America, ARDIS uses radio frequency channels in the 806-824 MHz band for base station receiving, and 851-869 MHz for base station transmitting. ARDIS provides a number of protocols to access the network, including:

· SNA LU 6.2
· X.25
· SNA 3270 terminal emulation and bisynchronous 3270
· Bisynchronous point-to-point
· Asynchronous

These protocols are used over a leased line connection with dial backup at either 9.6 Kbps or 19.2 Kbps. The topology of the network is similar to that of Mobitex networks. A number of base stations are connected to a switching center known as an RF/NCP. These in turn are connected to a message switching center. The connections to customer host systems or Value Added Networks (VANs) are made at the RF/NCP level, while the message switches control routing between regions.
- Radio Technology

The electromagnetic spectrum is a limited natural resource, the use of which is governed by physical laws as well as national legislation. It has been estimated that as much as 75% of the usable radio spectrum is reserved for use by various national governments and military applications. The amount of bandwidth available for commercial, private and public use is severely constrained, and use of particular frequency bands is limited to individual countries or groups of countries. Although there are moves to define internationally recognized frequency allocations (notably the World Administrative Radio Conference (WARC)), it will take many years for different countries to free up radio spectrum for international commercial use.

This situation not only makes it more difficult and costly to provide radio devices for use in all countries, it provides a major incentive to develop techniques to make the very best use of any available spectrum. There are two complementary strategies for achieving this:

· Modulation techniques - maximizing the throughput for a given bandwidth
· Multiplexing techniques - enabling many users to share the same bandwidth

Many of the current techniques were originally developed for the land-based telecommunications market and thus have a firm foundation in the telephony arena. Some of the technologies in use include:

· Modulation techniques
· Access methods
· Detection methods
· Synchronization methods
· Equalization techniques

Both analog and digital modulation techniques are described in this chapter. Although analog techniques are well suited to voice communications, data communications are more suited to digital technology. Analog systems can be used successfully for data, but can experience more problems; digital systems have a number of advantages over them. These advantages include improved performance, lower costs, better security, error detection and error correction.
-- Transmitting Information by Modulating a Carrier

Voice signals can be transmitted over copper wires directly at their original frequency, as was the case for the first telephone systems. This is known as baseband transmission. In order to send several channels across the same wire simultaneously without interference, the voice signals can be superimposed, or modulated, onto higher frequency signals. These higher frequency signals can then be combined with other signals and transmitted across long distances.

In many situations information cannot be sent directly but must be carried as variations in another signal, as is the case with radio broadcasting. Radio communication is perhaps the most common example of using a modulated carrier to convey information, but the use of modems to carry digital information through the analog telephone network is also very common. This is often called *wideband*, *broadband*, or *passband* modulation (these terms mean roughly the same thing).

A carrier signal is almost always a sinusoidal wave of a particular frequency. Information is carried by introducing variations in this carrier signal. There are many variations on how a modulated signal is created and how it is received. In outline, the steps are:

1. A baseband binary data stream is created representing the bits to be sent.
2. A sinusoidal carrier signal is generated (for RF this is usually a crystal-controlled oscillator).
3. The digital signal is then used to modulate the carrier signal and the resultant signal is sent to the antenna.
4. In the receiver, the signal is first filtered (to separate it from all the other radio signals around) and then the carrier is removed.
5. The result is a baseband signal containing distortion and noise, which then has to be processed by a detector in order to recover the original bit stream.

---- Amplitude Modulation (AM)

This is the simplest form of modulation and was the first to be put into practice.
The strength of the signal (loudness or amplitude) is systematically changed according to the information to be transmitted; that is, the amplitude of the carrier signal varies with the amplitude of the signal to be transmitted. The bandwidth required by the sidebands using AM is large, so that effective use of the frequency spectrum is not made. AM is used by radio broadcast stations in the Long Wave, Medium Wave, and Short Wave radio bands.

---- Frequency Modulation (FM)

In Frequency Modulation, the frequency of the carrier is varied by the signal to be transmitted. The maximum frequency deviation from the carrier frequency is proportional to the modulating signal. An advantage of FM is that the width of the sidebands is limited and more efficient use is made of the frequency band. FM is used extensively by radio broadcast stations in the VHF band.

---- Phase Modulation (PM)

In Phase Modulation, systematic changes in the phase of the carrier are used. The frequency of the carrier remains constant while the phase is shifted in proportion to the modulating signal. PM requires more sophisticated receivers than FM or AM and is sensitive to multi-path errors.

---- Pulse Code Modulation (PCM)

Analog signals are subject to distortion and noise along their transmission path. With each link and amplifier along the path, the signal-to-noise ratio deteriorates, and there is no easy method of signal regeneration since the shape of the signal cannot be predicted. On the other hand, digital signals can easily be regenerated by pulse-shaping circuits in the receiver, so that distortion and noise are much reduced. PCM is a method of sampling a signal at a higher frequency to produce a digital signal, which can then be multiplexed with many other digital signals and transmitted error-free to the receiver. It is widely used in telephone equipment to ensure quality of service on multi-channel links.
--- Sidebands

When a sinusoidal carrier signal is generated it varies by only a very small amount. That is, the range of frequencies over which the carrier is spread is very narrow. When such a signal is modulated, it seems reasonable that the frequency spread (at least for AM and PM techniques) should remain unchanged. Sadly, it doesn't work quite this way. You get a spread of frequencies equal to twice the maximum frequency of the modulating signal. What you get is a carrier signal (carrying no information) surrounded by two *sidebands* (above and below). Each sideband uses a frequency spread of exactly the maximum modulating frequency.

All of the modulation information is carried in the sidebands - the carrier contains no information (it is nevertheless quite useful to have in some systems). Some transmission systems suppress transmission of the carrier (it is pointless to waste power sending something that contains no information) and others suppress both the carrier and one sideband (Single Sideband - SSB transmission). It is important to note that sidebands are generated for all three modulation schemes. They differ in the sense that the precise form of the sidebands is different for each modulating technique.

--- Bandwidth

The above leads us to the concept of bandwidth. A signal doesn't use just one frequency. It uses a band of frequencies equal in width (from lowest to highest) to twice the maximum frequency of the modulating signal. (If SSB transmission is used, the bandwidth occupied is just the maximum frequency of the modulating signal.)

-- Carrier Sense Multiple Access (CSMA)

CSMA is a contention-based access method. The CSMA access method is to wireless LANs what Ethernet is to wired LANs. CSMA is also used on PMR networks, where a station listens to the control channel to ensure that it is free before transmitting. With CSMA all stations access the network randomly, without coordination or synchronization.
Each station wishing to transmit first listens to see if anyone else is transmitting on the frequency it intends to use. If the frequency is free, then that station transmits. One difference between CSMA in the wireless environment and Ethernet in the wired environment is that the wireless CSMA station cannot detect any other station starting to transmit at the same time. The reason is that a transmitting station cannot *listen* at the same time as it transmits: its own signal effectively drowns out all other signals on that frequency at that time.

As for Ethernet, CSMA works fine at lower utilization rates. When the utilization of the radio link capacity increases, the number of collisions also increases and the effective data throughput can fall dramatically. This can lead to ineffective use of the bandwidth. A CSMA system is also vulnerable to interference.

Implementation can be based on relatively inexpensive Ethernet chip-sets, which are based on Carrier Sense Multiple Access / Collision Detect (CSMA/CD). The CD part of the system is simply replaced by Collision Avoidance (CA) to give a CSMA/CA system. The reliability and robustness of this method are limited, and it does not lend itself to integrating voice and data since there are only limited prioritizing possibilities. There are limited power-saving possibilities for battery-operated stations, since the receiver is always listening. The CSMA method lends itself to a peer-to-peer network topology.

-- Time Division Multiple Access (TDMA)

TDMA is a deterministic access method. The TDMA access method is to wireless what token-ring is to wired LANs. It is effectively a system of polling. One station asks each of the other stations in turn whether they have any information to transmit. Each station is allocated a timeslot in which it can respond. If a station indicates that it has data to transmit, then it is allocated a time interval in which to send its data.
The number of time intervals allocated depends on the amount of data being sent. One advantage of the TDMA method is that priorities can be allocated to chosen stations or certain types of data. This could be used to allow voice and data to be carried on the same wireless LAN, with higher priority being allocated to the voice traffic. The ability to mix isochronous and asynchronous traffic is required for multimedia applications. The effective data rate can be determined fairly accurately since there are no collisions between stations in the same LAN.

TDMA divides each communication channel into time segments so that a transceiver or radio can support multiple channels or time slots, with reduced power consumption. The TDMA access method lends itself to a base-to-remote network topology, since communication between stations is synchronized and time slots are allocated to remote stations by a scheduling function in the wireless base station. This also leads to more efficient use of the bandwidth. There are also power-saving possibilities for battery-operated stations using TDMA: the receiver needs only to listen at its assigned time intervals.

TDMA base stations are more complex than CSMA ones, since the synchronization is carried out by the base station. They may be more expensive since a microprocessor will be required. On the other hand, the remote stations will be less complex.

TDMA is relatively new to wireless LANs. Many of the existing wireless LANs are based on CSMA methods, but TDMA methods are used in many other wireless environments. Most high-speed satellite communications, GSM and the standards being worked on in Europe, as well as the CDPD networks, are based on the TDMA method.

- Radio LAN Systems Considerations

There are special considerations to be taken into account when implementing a radio LAN.
The main problems are set out below, together with some solutions.

-- Collocated but Unrelated Radio LANs

One important requirement for a radio LAN system is the need to allow multiple unrelated LANs (of the same type) to be located in the same area. This requires a system for channel sharing and LAN administration that allows each independent LAN to be set up and operated without the need to consider other (similar) LANs in the same space. As radio LANs operate in the ISM bands, no license is required, and other organizations may install a radio LAN whose coverage area overlaps with one already installed. The new LAN may or may not be compatible with the existing LAN. For this reason, radio LAN systems must be capable of avoiding interfering with, or being interfered with by, another LAN. The use of spread spectrum technology ensures that radio LANs may coexist.

-- Countering Multi-Path Effects

As mentioned above, multi-path effects are the most serious problem for the indoor radio environment. The following are some of the general approaches used to counter them.

Antenna Diversity

Antenna diversity can mitigate both ISI and Rayleigh fading effects. There are many different ways of approaching this:

1. Multiple Directional Antennas

An example of this is the Motorola *Altair* radio LAN system, which uses a six-segment antenna. Antenna segments are arranged in a circle at an angle of 60 degrees from each other. Each antenna segment is highly directional; thus, signals coming from different directions (reflections, etc.) are received on different antenna segments. As signals are received, the system selects the antenna segment receiving the strongest signal and uses that signal alone. This severely limits the number of possible paths. Moreover, surviving paths will have lengths that are not too different from one another. This provides an excellent solution to the ISI problem but does not do a lot for fading.
Notice, however, that with a narrowband microwave system (1.6 cm wavelength) Rayleigh fading is not as significant as it is at longer wavelengths.

2. Multiple Antennas

Other systems use multiple dipole antennas separated from one another by more than half a wavelength. Signals are added together before detection, and this does provide a measure of protection against fading (but not against ISI).

3. Multiple Coordinated Receivers

Two antennas are situated exactly 1/4 of a wavelength apart. Each antenna services a different receiver circuit. The signals are then combined in such a way as to minimize multi-path effects.

4. Polarization Diversity

Because the signal polarization changes as reflections occur, a good counter to fading is to provide both horizontally and vertically polarized antennas acting together. The signal is transmitted and received in both polarizations.

Data Rate

The ISI problem is most severe when the delay spread covers more than one data bit time. The easy way to avoid this is to limit the data rate to less than the inverse of the delay spread. However, if the objective is to operate at LAN speeds (above 1 Mbps) then this will not always be practical.

Spread Spectrum Techniques

As discussed above, spread spectrum techniques provide a good measure of protection against ISI and fading. Spread spectrum is mandatory in the ISM bands. Thus, in the indoor radio situation, spread spectrum is a preferred method of controlling the multi-path effects.

Frequency Diversity

Fading in a narrowband system can be combatted by transmitting the signal on two different frequencies with sufficient separation for the channels to have different fading characteristics. When the signals are received, the station just picks the strongest. You could call this *half-baked spread spectrum*, since all it is doing is spreading the spectrum through an ad hoc method.

Adaptive Equalization

Adaptive equalization is a very good way of countering the ISI form of multi-path interference.
It is, however, relatively expensive to implement at high speeds. There is some disagreement among specialists as to under which circumstances (if any) adaptive equalization is needed. However, to the knowledge of the author, no current radio LAN system uses adaptive equalization.

-- Summary

We have seen in this part some of the techniques used to make the best use of the available electromagnetic spectrum. These techniques include improving the throughput by sophisticated methods of modulation, and enabling several users to share the same part of the spectrum by means of multiplexing. Many of the technologies are analogous to those used in wireline communications, but are adapted to meet the different requirements of wireless technology.

- Radio Communication in LANs

The task of a radio LAN is the same as that of any LAN: to provide peer-to-peer or terminal-to-host communication in a local area. Ideally, it should appear to the user to be exactly the same as a wired LAN in all respects (including performance). The radio medium is different in many ways from wired media, and these differences give rise to unique problems and solutions. This section will concentrate on the aspects unique to the radio medium and will only briefly discuss aspects that are held in common with wired media.

-- Radio LAN Technology

--- Characteristics of the Indoor Radio Medium

---- Multi-Path Effects

At the extremely high frequencies involved, radio waves will reflect off solid objects, which means that there are many possible paths for a signal to take from transmitter to receiver. Consider the case where both transmitter and receiver are in the same room. Part of the signal will take the obvious direct path, but there are many other paths and some of the signal will follow each of these. (Reflection from the floor is especially significant.) The signal travels from transmitter to receiver on multiple paths and is reflected from room walls and solid objects. This has a number of consequences:

1.
To some extent the signal will travel around solid objects (and can penetrate others that are *radio transparent*). This is what gives radio its biggest advantage over infrared transmission in the indoor environment.

2. A signal arriving on many paths will spread out in time (because some paths are shorter than others). More accurately, many copies of the signal will arrive at the receiver slightly shifted in time. Studies have shown that in office and factory environments the delay spread is typically from 30 ns to 250 ns, depending on the geometry of the area in question. (In an outdoor, suburban environment, delay spread is typically between 0.5 µs and 3 µs.) Delay spread has two quite different effects which must be countered.

---- Rayleigh Fading

After traveling different distances, two signal components are added together in the receiver. If the difference in the length of the paths they traveled is an odd multiple of half the wavelength of the carrier signal, then they will cancel one another out (if it is an even multiple they will strengthen one another). At 2.4 GHz the wavelength is 125 mm. In a room there can be dozens or even hundreds of possible paths, and all the signals will be added in quite complex ways. The result is that in any room there will be places where little or no signal is detectable and other places, a few meters away, where the signal could be very strong. If the receiver is mobile, rapid variations in signal strength are usually observed.

---- Inter-Symbol Interference

When we are digitally modulating a carrier, another important consideration is the length of the symbol (the transmission state representing a bit or group of bits). If we are sending one bit per symbol and the bit rate is 1 Mbps, then the *length* of a bit will be slightly less than 300 meters. In time, at 1 Mbps a bit will be 1 µs long.
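The Rayleigh cancellation and the bit-length figures just given, carried through numerically as an added example (my code, not part of the original article). Signal copies arriving over paths of different length are summed as phasors, a two-ray model (direct path plus an inverted floor reflection, each attenuated as 1/distance, which is an assumption of this model) shows how the level varies across a room, and the delay-spread functions give the ISI overlap and the data-rate limit; room geometry and path lengths are constructed values.

```python
"""Multi-path arithmetic for an indoor radio link (added example)."""
import cmath
import math

C = 299_792_458.0   # speed of light in m/s


def wavelength_m(freq_hz):
    return C / freq_hz


def received_amplitude(path_lengths_m, freq_hz, gains=None):
    """Add the copies of the carrier arriving over each path as phasors.
    A path of length d contributes amplitude g at phase -2*pi*d/lambda, so
    two equal copies whose lengths differ by an odd multiple of lambda/2
    cancel and ones differing by a whole wavelength reinforce."""
    lam = wavelength_m(freq_hz)
    if gains is None:
        gains = [1.0] * len(path_lengths_m)
    total = sum(g * cmath.exp(-2j * math.pi * d / lam)
                for g, d in zip(gains, path_lengths_m))
    return abs(total)


def two_ray_profile(tx_height_m, rx_height_m, distances_m, freq_hz):
    """Received level along a line of receiver positions when the direct
    path and the floor reflection combine. Model assumptions (constructed
    for this example): the reflection is inverted (gain -1) and each path
    is attenuated as 1/distance, i.e. free-space field strength."""
    profile = []
    for x in distances_m:
        direct = math.hypot(x, tx_height_m - rx_height_m)
        # The reflected path is as long as the path from the transmitter's
        # mirror image below the floor.
        reflected = math.hypot(x, tx_height_m + rx_height_m)
        profile.append(received_amplitude(
            [direct, reflected], freq_hz,
            gains=[1.0 / direct, -1.0 / reflected]))
    return profile


def delay_spread_s(path_lengths_m):
    """Time between the first and the last copy of the signal to arrive."""
    return (max(path_lengths_m) - min(path_lengths_m)) / C


def bit_length_m(bit_rate_bps):
    """Distance one bit occupies in space (a little under 300 m at 1 Mbps)."""
    return C / bit_rate_bps


def isi_overlap_fraction(delay_spread_s, bit_rate_bps):
    """Fraction of a bit period smeared into the following bit."""
    return delay_spread_s * bit_rate_bps


def max_bit_rate_bps(delay_spread_s):
    """The 'Data Rate' countermeasure: keep the rate below 1/delay spread."""
    return 1.0 / delay_spread_s


if __name__ == "__main__":
    f = 2.4e9
    lam = wavelength_m(f)
    print("wavelength at 2.4 GHz: %.1f mm" % (lam * 1000))
    print("half-wavelength path difference:",
          received_amplitude([10.0, 10.0 + lam / 2], f))
    print("whole-wavelength path difference:",
          received_amplitude([10.0, 10.0 + lam], f))
    print("bit length at 1 Mbps: %.1f m" % bit_length_m(1e6))
    print("ISI overlap, 250 ns spread at 1 Mbps:",
          isi_overlap_fraction(250e-9, 1e6))
    print("max bit rate for 250 ns spread: %.0f bps" % max_bit_rate_bps(250e-9))
    # Constructed room: antennas 1.5 m high, receiver walked from 1 m to 6 m.
    p = two_ray_profile(1.5, 1.5, [1.0 + 0.05 * i for i in range(101)], f)
    print("two-ray level min/max: %.3f / %.3f" % (min(p), max(p)))
```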
If the delay spread is 250 ns then each bit will be spread out to a length of 1.25 µs and will overlap with the following bit by a quarter of its length. This is called Inter-Symbol Interference (ISI) and has the effect of limiting the maximum data rate possible. ISI is present in most communications channels and there are good techniques for combating it (such as Adaptive Equalization). It is most severe in the radio environment. Most people are familiar with this effect since it is the cause of *ghosts* in television reception - especially with indoor antennae.

3. When people move about the room, the characteristics of the room (as far as radio propagation is concerned) change.

Overcoming multi-path effects is the most significant challenge in the design of indoor radio systems.

· Intermittent Operation

In an office or factory environment people move about the area and occasionally move large objects about. This can cause intermittent interruption to the signal, rapid fading, and the like.

· Security

Because there are no boundaries for a radio signal, it is possible for unauthorized people to receive it. This is not as serious a problem as would first appear, since the signal strength decreases with the fourth power of the distance from the transmitter (for systems where the antenna is close to the ground, such as indoor systems), compared with the inverse square law that applies in free space. Nevertheless, security is a problem which must be addressed by any radio LAN proposal.

· Bandwidth

Radio waves at frequencies above a few GHz do not bend much in the atmosphere (they travel in straight lines) and are reflected from most solid objects. Thus, radio signals at these frequencies will not normally penetrate a building. Inside the building this means there is a wide range of frequencies available which may be used for local applications with very few restrictions.

· Direction

In general radio waves will radiate from a transmitting antenna in all directions.
With a smart antenna design it is possible to direct the signal into specific directions or even into beams. In the indoor environment, however, this doesn't make a lot of difference, due to the signal reflections at the wavelengths commonly used.

· Polarization

Radio signals are naturally polarized and in free space will maintain their polarization over long distances. However, polarization changes when a signal is reflected. Side-effects that flow from this must be taken into consideration in the design of an indoor radio system.

· Interference

Depending on which frequency band is in use there are many sources of possible interference with the signal. Some of these are other transmitters in the same band (such as radar sets and microwave installations nearby). The most likely source of interference within the 2.4 GHz frequency band is the microwave oven. Potential leakage can be as high as 200 mW, which is twice the IBM Wireless LAN's transmit power. Electric motors, switches, and stray radiation from electronic devices are other sources of interference.

-- Sharing the Bandwidth

With many workstations in the same area wanting to communicate, a method is needed to share the bandwidth. Different LAN designs use quite different methods of operation and of bandwidth sharing. However, most use a combination of the methods below:

· Frequency Division Multiplexing (FDM)
· Time Division Multiplexing (TDM)
· Polarization Division Multiplexing (PDM)
· Space Division Multiplexing (SDM)
· Code Division Multiplexing (CDMA)

-- Security Aspects

One of the main concerns often expressed when installing wireless LANs is the question of data security. These concerns are valid and may be addressed as follows. There are three types of security risk:

· Attack by casual listener
· Attack by professional hacker
· Attack by insiders

--- Attack by Casual Listener

A casual listener might be someone in a neighboring building using the same type of equipment.
Each WLAN system must be capable of identifying those workstations authorized to participate in that LAN, and of denying unauthorized workstations access to the WLAN. It should not be possible for unauthorized workstations to overhear and interpret data traffic on a WLAN.

--- Attack by Professional Hacker

A passive attack could come from someone receiving the WLAN radio signal and using sophisticated tools to try to interpret the data content of the radio signal heard. An active attack could originate within transmission range of the WLAN but outside the facility. Eavesdropping by attempting to insert an unauthorized wireless workstation into an existing WLAN is one example.

--- Attack by Insiders

Insider attacks are attempts by employees, who are authorized for limited data access, to access data for which they are not authorized. One form of this is attempting to log on to a server or a WLAN in a different department.

One method successfully used to combat both casual listener and professional hacker attacks is data encryption. Data is passed to software or hardware encryption systems before transmission. Encrypting data online using software algorithms during transmission can significantly reduce the effective data capacity of a link, since processing resources are spent on behalf of the encryption program. Using a hardware chip to encrypt data on the WLAN adapter is more efficient, since the workstation processor is not being put under any load.

Wireless station registration is a method used to prevent unauthorized workstations from connecting to a WLAN. Each WLAN workstation is registered by a unique address or name to the base station. Only registered workstations are permitted to log on to the WLAN base station. This method is used to combat many different kinds of attacks.

A third method to prevent unauthorized access to a wireless LAN is that of authentication.
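Station registration and the coded-response authentication this section describes, as an added example of how a base station can enforce them together (my code, not the article's or any vendor's). The `BaseStation` class, the station addresses and the shared secrets are constructed for the demonstration, HMAC-SHA256 is my choice of coded response, and the audit log records every decision so the exchange is also accountable.

```python
"""Toy WLAN base station: registration allow-list plus challenge-response
authentication, with an audit log of every decision (added example)."""
import hashlib
import hmac
import secrets


class BaseStation:
    def __init__(self):
        self._registered = {}   # station address -> shared secret (registration)
        self._pending = {}      # station address -> challenge awaiting a response
        self.audit_log = []     # (decision, station address), one entry per attempt

    def register(self, address, shared_secret):
        """The operator registers a workstation by its unique address."""
        self._registered[address] = shared_secret

    def challenge(self, address):
        """Step 1: the base station queries a station that asks to join.
        Unregistered addresses are refused before any challenge is issued."""
        if address not in self._registered:
            self.audit_log.append(("deny-unregistered", address))
            return None
        nonce = secrets.token_bytes(16)     # fresh for every attempt, never reused
        self._pending[address] = nonce
        return nonce

    @staticmethod
    def coded_response(shared_secret, address, nonce):
        """The station's coded response: an HMAC over its address and the nonce.
        A listener who captures it learns nothing about the secret, and the
        value is useless for another station or for a later challenge."""
        return hmac.new(shared_secret, address.encode() + nonce,
                        hashlib.sha256).digest()

    def verify(self, address, response):
        """Step 2: check the response against the outstanding challenge.
        The challenge is consumed whether or not the check passes."""
        nonce = self._pending.pop(address, None)
        secret = self._registered.get(address)
        if nonce is None or secret is None:
            self.audit_log.append(("deny-no-challenge", address))
            return False
        expected = self.coded_response(secret, address, nonce)
        if not hmac.compare_digest(expected, response):
            self.audit_log.append(("deny-bad-response", address))
            return False
        self.audit_log.append(("accept", address))
        return True


def run_scenarios():
    """Exercise the attack types the section lists and return the outcomes."""
    bs = BaseStation()
    good_addr, good_key = "station-01", b"constructed-shared-secret-01"
    bs.register(good_addr, good_key)

    # An authorized, registered station completes the exchange.
    nonce = bs.challenge(good_addr)
    response = BaseStation.coded_response(good_key, good_addr, nonce)
    legit = bs.verify(good_addr, response)

    # A casual listener replays the overheard response against a new
    # challenge for the same address: the nonce has changed, so it fails.
    bs.challenge(good_addr)
    replay = bs.verify(good_addr, response)

    # An inserted workstation with an unregistered address gets no challenge.
    unregistered = bs.challenge("station-99") is None

    # A station that spoofs a registered address but lacks the shared secret.
    bs.challenge(good_addr)
    wrong_key = bs.verify(good_addr, BaseStation.coded_response(
        b"wrong-secret", good_addr, b"\x00" * 16))

    return {"legit": legit, "replay": replay,
            "unregistered": unregistered, "wrong_key": wrong_key,
            "log": bs.audit_log}


if __name__ == "__main__":
    for decision, addr in run_scenarios()["log"]:
        print("%-20s %s" % (decision, addr))
```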
Authentication can be a simple coded response from a workstation to a query from the base station or access point. Other methods could include sophisticated dynamic profiles of individual users, such as keyboard techniques and response times. Authentication need not be a single process at registration time but may be a continuous check on both workstation and user.

Both spread spectrum techniques (DSSS and FHSS) make it extremely difficult for unauthorized stations to determine the content of WLAN traffic. DSSS signal power levels are frequently below the general level of background noise, which makes them very difficult to detect. FHSS signals change frequency so often that it is almost impossible for a receiver to follow the sequence if the hopping pattern is not known. Spread spectrum is one of the preferred techniques used by military organizations for these reasons. Military versions are credited with key roles in many battlefield successes by providing secure communication channels.

Additional security is often provided by the Network Operating System (NOS) used in the LAN. Usually, the LAN server requires user identification and passwords during the logon procedure. This prevents unauthorized users, who may have access to an authorized workstation, from accessing sensitive data.

-- Scalability

The ability to expand an installed WLAN network to meet business needs is a vital factor in designing a WLAN system. When the number of workstations connected to a base station approaches the maximum for that cell, another base station can be installed to reduce the load on the first base station. Base stations are typically connected to an Ethernet or token-ring backbone network. When multiple overlapping cells are installed, interference can affect performance. DSSS cells can be sensitive to interference from adjacent cells, since all frequencies are used simultaneously.
FHSS systems tend to be less sensitive to interference, since each cell uses a different hopping sequence and a large number of frequencies are used sequentially.

The integration of a WLAN into an existing network is an important factor in providing seamless connectivity. Typically a WLAN is connected to a wired Ethernet or token-ring network by a bridge or router. Many WLANs support protocols commonly used in the wired LAN environment (typically 802.2, NetBIOS, TCP/IP and IPX). This allows existing applications to be used without modification in a wireless environment.

-- Interoperability

The current state of standards for WLANs will make direct interoperability between WLAN stations from different manufacturers difficult. Connectivity is generally enabled by joining different base stations together through a backbone Ethernet or token ring. Publication of the final 802.11 standard and its implementation in available WLAN products should improve the ability to interconnect WLAN products. However, adherence to 802.11 standards will only ensure interoperability when the same PHY and MAC layer models are used by each product.

-- Health Issues

The power levels used in wireless LANs must be low enough not to affect user health. There have been conflicting expert reports on the effects of various levels of exposure to different parts of the frequency spectrum on the human body. Occasionally reports have been misused or quoted out of context, which has led to misunderstanding and public apprehension in some instances. Some high-frequency sources which have come under scrutiny include high-tension power lines, radio telephones and cellular telephones. While there have been reports of higher cancer rates among people exposed to high-tension power lines, these reports have been rebutted by other experts, who claim that this has not been statistically proven.
There was considerable controversy over the safety of cellular telephones after a consumer in Florida claimed that his wife had died of a brain tumor caused by a cellular phone. He brought a legal suit against the manufacturer of the phone, but the lawsuit was dismissed. A recent study sponsored by the National Institutes of Health measured how much radiation a user's shoulders, head, neck and upper torso absorbed. The study found that the level of radiation absorbed by the body is four to five times lower than levels generally accepted by scientists as safe. The IEEE is also working on health-related aspects of wireless LANs and has published the IEEE standard C95.1-1991. The findings are that eight hours of exposure to WLANs is equivalent to three seconds of cordless phone operation. The National Cancer Institute is investigating the effects of radiation on the human body.

As a result of these different investigations, it is possible that the regulations on transmission power may be tightened in some areas. In the ISM bands, there is a U.S. limitation of 1 W transmitted power when using spread spectrum techniques. The IBM Wireless LAN transmits at less than 100 mW of power in this band. This compares favorably with the 0.6 W transmitted by handheld or 3 W by mobile cellular phones, which have been agreed on as safe power levels. Microwave ovens also operate in the 2.4 GHz ISM band and are not seen as a health hazard.

- Summary

In this text we have seen some of the main radio communication network setups and their uses in today's environment, and we have also seen the problems associated with designing and setting up a radio LAN or telecommunications network. If you have any questions don't hesitate to email me, or drop in on us on EFNet on #oblivionmag.

Slider.

----------------------------------------------
**********************************************
DoD Classes - Slider
**********************************************

Now everyone has heard about the Rainbow books.
A supposed selection of manuals produced by the US Department of Defense detailing security and suchlike. Below is a low-down on the Orange Book criteria.

The Orange Book criteria came from a task force of the Defense Science Board started in 1967. The original report, Security Controls for Computer Systems, was published in 1970. The current document is Trusted Computer System Evaluation Criteria (DoD85). This material is important for many installations, but it is often misunderstood and misused.

There are two quite distinct sets of criteria. One set defines a number of security features. The other set defines the tools, information, and some of the processes required to verify the correctness (in design and operation) of those features. The first set is the Security Policy and the second set is the Assurance criteria.

Seven security levels are defined. These levels are:

· D  - Minimal Protection
· C1 - Discretionary Security Protection
· C2 - Controlled Access Protection
· B1 - Labeled Security Protection, Mandatory Access Control
· B2 - Structured Protection
· B3 - Security Domains
· A1 - Verified Design

The following terms have specific meanings:

· Security Policy. These are the rules that the security features enforce. For example: every user must have a password, or only a file owner can change the access list for the file. The specific rules will vary in different security levels and in local installation standards. The total set of rules enforced by the system forms the security policy of the system.
· Identification and Authentication (I&A). Subjects must be uniquely identified. A subject is a user or a process.
· Marking or Labeling. Objects (usually files) must be associated with a security label that contains a security level and a security category. For example, *Secret* is a level and Research might be a category.
· Accountability. This refers to complete and secure records of actions that affect security.
  Such actions include user setup, assignment or change of security levels, and denied access attempts.
· Assurance. This refers to the system mechanisms that enforce security; it must be possible to measure the effectiveness of these mechanisms.
· Continuous Protection. The hardware and software mechanisms that implement security must be protected against unauthorized change.
· Object Reuse. This refers to memory blocks or disk blocks, for example. A program should not find *left over* data from another process or file when it acquires a memory or disk block.
· Covert Channels. This refers to indirect means of delivering information to an unauthorized user. For example, a program might make subtle changes to unclassified messages to convey classified information, or leave data in a shared memory location.

The following table (taken from DoD85) contains the requirements for the various security classes.

Criteria                               Classes
                                       D   C1  C2  B1  B2  B3  A1
SECURITY POLICY:
  Discretionary Access Control         x   R   R   -   -   R   -
  Object Reuse                         x   x   R   -   -   -   -
  Labels                               x   x   x   R   R   -   -
  Label Integrity                      x   x   x   R   -   -   -
  Exportation of Labeled Information   x   x   x   R   -   -   -
  Labeling Human-Readable Output       x   x   x   R   -   -   -
  Mandatory Access Control             x   x   x   R   R   -   -
  Subject Sensitivity Labels           x   x   x   x   R   -   -
  Device Labels                        x   x   x   x   R   -   -
ACCOUNTABILITY:
  Identification and Authentication    x   R   R   R   -   -   -
  Audit                                x   x   R   R   R   R   -
  Trusted Path                         x   x   x   x   R   R   -
ASSURANCE:
  System Architecture                  x   R   R   R   R   R   -
  System Integrity                     x   R   -   -   -   -   -
  Security Testing                     x   R   R   R   R   R   R
  Design Specification / Verification  x   x   x   R   R   R   R
  Covert Channel Analysis              x   x   x   x   R   R   R
  Trusted Facility Management          x   x   x   x   R   R   -
  Trusted Recovery                     x   x   x   x   x   R   -
  Trusted Distribution                 x   x   x   x   x   x   R
DOCUMENTATION:
  Security Features User's Guide       x   R   -   -   -   -   -
  Trusted Facility Manual              x   R   R   R   R   R   -
  Test Documentation                   x   R   -   -   R   -   R
  Design Documentation                 x   R   -   R   R   R   R

An *x* means no requirement. An *R* means this class has additional requirements over the lower classes.
A *-* means this class has the same requirements as the next lower class.

As can be seen, the requirements listed in this table are very general. Many systems can claim to cover various levels of these requirements. To have any real meaning, a system must be certified for a particular level. This means that the system was examined (in great detail) by a U.S. government agency and certified to operate at a certain security level. This certification is a long process and can be expensive for the system developer. The specific tests and criteria are designed for national security installations and may not be completely appropriate for commercial users. Level *D* is sometimes applied to a system that failed the tests for a higher level. Certification does not provide a guarantee or warranty that the security system is perfect. It merely says that it satisfied the agency performing the tests. However, these tests are generally accepted to be rigorous.

Discretionary Access Control (DAC) and Mandatory Access Control (MAC) are very important concepts. DAC allows the owner of a file to set the security parameters for the file. In AIX this is the owner setting the permission bits or ACL controls. MAC means that the system (through control parameters set by the security officer) automatically controls the security parameters of a file; the owner of the file cannot change these. AIX does not support MAC. A system can have both MAC and DAC. The security officer (using various control lists) decides which files (or categories of files) are controlled through MAC and which are allowed for DAC. The DoD standard does not specify any particular implementation for these facilities, and different systems use very different mechanisms to implement these controls.

Human-readable output labels, specified in the DoD table, mean that the system must automatically print security labels on output. This is independent of any particular application program.
This can be a difficult requirement, because the operating system does not understand what an application program is printing on any particular page. If the system overprints *TOP SECRET* at some page location it may overlay important application output. (The MVS/RACF solution uses only laser page printers, and prints the security label in a nondestructive manner.)

- Levels for Commercial Users

Class C is the most important security level for most commercial installations. (Almost all systems at this level control Object Reuse and provide an Audit facility, although these are C2 requirements only.) Class C is important for two key reasons, neither of which is directly related to the specific security features of C1 or C2:

1. A reasonable set of security features is included. This set is sufficient to provide reasonable control for most installations without creating a major administrative burden.
2. The system has been independently tested and certified to perform these functions correctly.

Unless there is a specific need for higher security, C1 or C2 should meet generally accepted security practice requirements ---- if used intelligently. From the user's point of view, there is little difference between C1 and C2. The assurance and testing requirements for C2 are more rigorous and, in this sense, a C2 system is better than a C1 system.

From a normal commercial viewpoint, class B introduces two major changes: mandatory access control (MAC) and security labels. Security labels include both a security level (secret, ...) and a category (research, payroll, ...). A user might have access to secret data in research, but only unclassified data in payroll. The implementation of security labels requires substantial changes to most systems. Both security labels and MAC may require considerable administrative effort to implement and maintain. The B2 and B3 classes become very rigorous and are difficult to certify.
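The following Python example is added here to make the DAC/MAC distinction and the level-plus-category labels concrete; it is not code from the article, from AIX or from RACF. A label carries a level and a set of categories; a subject may read an object only when its clearance dominates the object's label (level at least as high and categories a superset), which is the usual lattice rule and an assumption beyond the article's sketch. The file owner may edit the read ACL (DAC) but only the security officer may change a label (MAC), and a read is granted only when both checks pass. The level names, the `secoff` security-officer account, the users and the file names are constructed for the example, and the unclassified payroll notice is modelled as carrying no category.

```python
"""Combined DAC + MAC read-access decision (added example, not from the article).

MAC: subjects and objects carry a label (level, categories).  A subject may
read an object only if its clearance dominates the object's label: its level
is at least as high and its category set is a superset.  Labels are set by
the security officer; the file owner cannot touch them.
DAC: the file owner keeps a read ACL and may change it at will.
A read is granted only when both checks pass.
"""
from dataclasses import dataclass, field

# Ordered sensitivity levels (names constructed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

SECURITY_OFFICER = "secoff"  # hypothetical account that owns the MAC policy


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice dominance: level is >= and categories are a superset."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class FileObject:
    name: str
    owner: str
    label: Label                                 # MAC: security officer only
    acl_read: set = field(default_factory=set)   # DAC: maintained by the owner


@dataclass
class Subject:
    user: str
    clearance: Label


class PermissionDenied(Exception):
    pass


def set_read_acl(actor, obj, readers):
    """DAC: only the owner may change who can read the file."""
    if actor != obj.owner:
        raise PermissionDenied(f"{actor} is not the owner of {obj.name}")
    obj.acl_read = set(readers)


def relabel(actor, obj, label):
    """MAC: only the security officer may change a file's label."""
    if actor != SECURITY_OFFICER:
        raise PermissionDenied(f"{actor} may not relabel {obj.name}")
    obj.label = label


def may_read(subject, obj):
    """Return (allowed, reason).  MAC is checked first, then DAC."""
    if not subject.clearance.dominates(obj.label):
        return False, "MAC: clearance does not dominate object label"
    if subject.user != obj.owner and subject.user not in obj.acl_read:
        return False, "DAC: not owner and not on read ACL"
    return True, "allowed"


def demo():
    """Constructed scenario: alice is cleared Secret in the Research category only."""
    alice = Subject("alice", Label("secret", frozenset({"research"})))
    plan = FileObject("research_plan", "bob",
                      Label("secret", frozenset({"research"})), {"alice"})
    ledger = FileObject("payroll_ledger", "bob",
                        Label("secret", frozenset({"payroll"})), {"alice"})
    notice = FileObject("payroll_notice", "bob", Label("unclassified"))

    results = {
        "plan": may_read(alice, plan),                 # both checks pass
        "ledger": may_read(alice, ledger),             # MAC blocks: wrong category
        "notice_before_acl": may_read(alice, notice),  # DAC blocks: not on the ACL
    }
    set_read_acl("bob", notice, {"alice"})             # the owner opens it up
    results["notice_after_acl"] = may_read(alice, notice)
    try:                                               # the owner cannot weaken MAC
        relabel("bob", ledger, Label("unclassified"))
        results["owner_relabel"] = "allowed"
    except PermissionDenied:
        results["owner_relabel"] = "denied"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

The order of the checks matters for the administrative point the article makes: no ACL change by the owner can ever grant a read that MAC forbids, which is exactly why B-level systems need a security officer role separate from file ownership.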
Class A security would be very unusual for a commercial installation.

- Comments

System owners often assume the following:

· A higher security class is better.
· A higher class will take care of security needs with less effort.
· Certain applications need a higher security class.

These assumptions are all false and lead to misuse and misunderstanding of the security classes.

One key factor is the sharing of systems. For example, consider a customer-account system in a bank. This appears to be a good candidate for a very high security level. However, if this system is implemented as a totally unshared system (that is, there are no users other than this application), and there are no *timesharing* terminals attached to the system, and physical security is sufficient, and so forth, then a formal security class is pointless. Likewise a small departmental system shared by users of the same *security level* (whatever this may mean in a given organization) is unlikely to need as much protection as a large system shared by many varied users of different security levels and categories.

More security functions usually require more administrative effort. A higher class does not automatically provide more security. It is capable of providing more security, with proper administration. Conversely, a higher class system may work very poorly and eventually become unusable if the security functions are not properly administered. Do not buy or install more security than you are prepared to administer.

The Orange Book specifications skip two especially important areas:

· Networking
· System updates

Most systems are attached to local area networks, and it is sometimes difficult to clearly separate network security from individual system security.
An individual system administrator has little control over general network security and must accept some network functions *on faith*. It is foolish, for example, to demand a B1 system and then connect it (with default, standard facilities) to an *open* TCP/IP network.

Most commercially available operating systems have updates. The DoD specifications seem to ignore these. It is not practical to re-certify a system for every update or *fix*. Thus, in principle, a system is uncertified after any update/fix is installed. The same concept applies when third-party software products containing *authorized* modules are installed. In practice these upgrades and products are accepted on faith.

- Slider.

----------------------------------------------

0wning The World Is A Slow Process, So Give Up And Let Us Gain R00t On You

#OblivionMag EFNet
Copyright 0blivion.org 2000
B0w Down And Feer The Revolution Of Oblivion
Designed On 800x600 Resolution

The Bitch Man : +44 (0)800 891486 - Ask for a bridge

Sponsors : http://www.slidersecurity.co.uk
           http://net-security.org
           http://www.hackernews.com
           http://www.caffeine.org.uk
           http://www.slidersecurity.co.uk/omega

Music    : Glastonbury, Live BBC2
           Eminem - The Marshall Mathers LP
           Orbital - For their elite shizz

Drink    : Stella Artois - caus it was free!
           Red Bull - Late nite shizz

Thanks   : Vortex, for hosting 0blivion.org
           Spammy for his bots on #oblivionmag
           0mega1 for doing his shizz, finally!
           Fudge for saving me from a kicking
           Barry for letting me try my shizz out on his decks
           EchoTango for letting me have a drive in his Lotus Elise :]
           Aleph1, R.F.P and all the h0es that make my life worth living online
           And Akt0r, DC_`, d0tslash, Cl0wn, redmang and a few others that I forget
           #Darkcyde, #bellcrew, #2600-uk, #bifemunix, #hax0r, #b10z, #is, #beyond

G' Luck  : All that took their exams this month

Funny    : The Dairylea advert people "caus they are cool, innit"!