Archive for December, 2007


The OSI Model

December 24, 2007

Okay, so I lied… Here’s yet another topic: The seven-layer OSI model.

The OSI (Open Systems Interconnect) model consists of seven distinct layers and was developed by the standards organization ISO, whose name is derived from the Greek word for equal.

Each layer, described below, represents a particular aspect of network functionality:

Layer 1: Physical Layer – This layer is responsible for defining the network standards relating to electrical signals, connectors and media types and the way that data is placed on the network media.

Layer 2: Data Link Layer – This layer is responsible for gathering all of the elements that make up a data packet and assembling them into a complete frame that can be passed to a Physical layer device and onto the network. This layer assembles outgoing packets and generates the CRC. For incoming packets, it checks data validity by comparing its locally generated CRC value with the one sent in the packet. This layer also determines whether it is possible or permissible at any given instant to try to send data onto the network.

Layer 3: Network Layer – This layer understands addressing – how to find the ultimate destination address for a data packet – and routing, to make sure the packet ends up in the right place.

Layer 4: Transport Layer – This layer breaks the data into smaller, manageable chunks that will fit inside two or more packets. This is known as fragmentation. The Transport layer is also responsible for confirming whether transmitted packets have reached their destination intact and retransmitting them if they haven’t. For incoming packets, the Transport layer reassembles the fragmented data (called defragmentation), ensuring that received packets are processed in the correct order. The layer also manages the flow of the data, so that packets are sent at a pace that is suitable for the receiving device and general network conditions.

Layer 5: Session Layer – This layer sets up, manages and terminates the data connections (called sessions) between networked devices.

Layer 6: Presentation Layer – This layer is responsible for managing and translating information by catering to differences in the ways some systems store and manage their data. Protocols in this layer are responsible for data encryption.

Layer 7: Application Layer – This layer represents the network-related program code and functions running on a computer system. Some application layer functions do exist as user-executable programs – for example, some file transfer and e-mail applications reside entirely on this layer.
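To make the layering concrete, here is an added example (not from the original post) that builds a constructed Ethernet/IPv4/TCP frame and then peels it apart one layer at a time, performing the checks the text assigns to each layer: the Layer 2 CRC comparison, the Layer 3 addressing and fragmentation bits with the header checksum, and the Layer 4 port numbers. The MAC and IP addresses and the HTTP payload are made-up sample values.

```python
import struct
import zlib

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (the IPv4 header checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + TCP SYN + payload, with the FCS appended."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip_no_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                            0x4000, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    ip = ip_no_sum[:10] + struct.pack("!H", ip_checksum(ip_no_sum)) + ip_no_sum[12:]
    eth = bytes.fromhex("001122334455" "0a0b0c0d0e0f") + struct.pack("!H", 0x0800)
    body = eth + ip + tcp + payload
    return body + struct.pack("<I", zlib.crc32(body))  # FCS: CRC-32, sent least-significant byte first

def dissect(frame: bytes) -> dict:
    """Peel the frame one layer at a time, checking each layer's own integrity field on the way in."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    out = {"L2_fcs_ok": zlib.crc32(body) == fcs}            # layer 2: recompute the CRC and compare
    ethertype = struct.unpack("!H", body[12:14])[0]
    out["L2"] = {"dst": body[:6].hex(":"), "src": body[6:12].hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out
    ip = body[14:]
    ihl = (ip[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    out["L3"] = {                                            # layer 3: addressing and fragmentation bits
        "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
        "protocol": ip[9], "ttl": ip[8],
        "dont_fragment": bool(flags_frag & 0x4000), "more_fragments": bool(flags_frag & 0x2000),
        "checksum_ok": ip_checksum(ip[:ihl]) == 0,           # a valid header sums to zero
    }
    if ip[9] != 6:
        return out
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    out["L4"] = {"sport": sport, "dport": dport, "seq": seq, "syn": bool(off_flags & 0x02)}
    out["L7"] = tcp[(off_flags >> 12) * 4:]                  # what the application layer handed down
    return out
```

Flipping a single bit anywhere in the frame makes the Layer 2 check fail; flipping a bit inside the IP header additionally makes the Layer 3 checksum fail, which is exactly the division of labour the layer descriptions above describe.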



December 23, 2007

Last post for today will talk a bit about honeypots…

A honeypot is the name given to a device or server used to attract and entice attackers into trying to access it, thereby drawing attention away from the actual critical systems. The name refers to using a pot of honey to attract bees who are, in this case, hackers. The honeypot server is usually situated in the network’s DMZ and runs popular Internet services that are vulnerable to attack, such as Web or FTP services. The server doesn’t have any basic protections and it freely advertises open Internet ports that can be picked up by hackers’ port scanners.

A slight danger exists if the honeypot isn’t configured correctly: an unauthorized user who hacks into the server might be able to use it to attack other systems on the DMZ. To prevent this scenario, some honeypot systems can emulate services instead of running them.

Honeypots can simply be used as a decoy device, distracting attention from the real production servers, or they can be used by a network administrator to find out the identity of the hackers through logging and auditing. By keeping accurate logs of the IP addresses being used by the attacker, the administrator might be able to either track them down or pass the information on to legal authorities. From a legal standpoint, however, this can be tricky, especially if the server advertises files for downloading or viewing, because this is considered entrapment, which is illegal.

Honeypot systems are best suited for understanding the different types of attacks that can happen to your network. You can log when and what types of attacks are occurring, and then use that information to secure your network even further by including protection against attacks that weren’t included in the original security plan.
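The logging-and-auditing side of this is where a honeypot earns its keep. Below is an added example (not from the original post) that reads a constructed honeypot connection log, groups the attempts by source IP, and labels each source by the pattern it shows: a port scan (several distinct ports touched), a brute-force login attempt, or a single touch. The log format and the addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample honeypot log, one connection attempt per line (not a real capture).
SAMPLE_LOG = """\
2007-12-23 10:01:02 src=203.0.113.7 dport=21 service=ftp event=banner-grab
2007-12-23 10:01:03 src=203.0.113.7 dport=80 service=http event=connect
2007-12-23 10:01:03 src=203.0.113.7 dport=23 service=telnet event=connect
2007-12-23 10:01:04 src=203.0.113.7 dport=445 service=smb event=connect
2007-12-23 10:05:40 src=198.51.100.9 dport=21 service=ftp event=login-fail user=anonymous
2007-12-23 10:05:41 src=198.51.100.9 dport=21 service=ftp event=login-fail user=admin
2007-12-23 10:05:42 src=198.51.100.9 dport=21 service=ftp event=login-fail user=root
this line is garbage and must not break the report
2007-12-23 10:09:00 src=192.0.2.55 dport=80 service=http event=connect
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
                     r"service=(?P<service>\S+) event=(?P<event>\S+)")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped rather than aborting the report."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def summarize(text, scan_threshold=3, brute_threshold=3):
    """Per source IP: ports touched, login failures, first/last seen, and a label for the pattern."""
    per_ip = defaultdict(lambda: {"ports": set(), "login_fail": 0, "first": None, "last": None})
    for rec in parse_log(text):
        e = per_ip[rec["src"]]
        e["ports"].add(rec["dport"])
        e["login_fail"] += int(rec["event"] == "login-fail")
        e["first"] = e["first"] or rec["ts"]
        e["last"] = rec["ts"]
    report = {}
    for ip, e in per_ip.items():
        if len(e["ports"]) >= scan_threshold:
            label = "port-scan"          # many ports from one source: reconnaissance
        elif e["login_fail"] >= brute_threshold:
            label = "brute-force"        # repeated failed logins against one service
        else:
            label = "single-touch"
        report[ip] = {"label": label, "ports": sorted(e["ports"]), "login_fail": e["login_fail"],
                      "first": e["first"], "last": e["last"]}
    return report

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry)
```

The per-IP report is the raw material for the follow-up the post describes: the timestamps and ports are what you would hand over if you escalate, and the labels tell you which attack types your security plan did not anticipate.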


The Ping Command

December 23, 2007

The Ping command is a good place to begin your network troubleshooting. The utility is used to test connectivity between two systems on the network. Ping uses the ICMP protocol to exchange packets with the remote system. It uses the ICMP protocol to send UDP messages to an address (ECHO REQUEST) and waits for a reply (ECHO REPLY). The remote system sends the reply packets back to their source, and the round-trip time is determined.

The Ping command has a much different syntax when used with the Windows operating system (both servers and clients). The options include the following:

-t: Continues pinging until explicitly halted by using CTRL+C. Statistics are displayed after you halt the command.

-a: Resolves addresses to hostnames.

-n count: Specifies the number of ICMP ECHO REQUEST packets to send.

-l size: Size of the send buffer.

-f: Sets the don’t fragment flag in the packet. This is useful for determining whether a device is changing the packet size between nodes.

-i TTL: Time to Live value.

-v TOS: Type of Service.

-r count: Records the route for count hops.

-s count: Records a timestamp for count hops.

-j host-list: Loose source route along host-list.

-k host-list: Strict source route along host-list.

-w timeout: Timeout value to wait for each reply (in milliseconds).

Using Ping on Linux systems, the basic syntax is defined as follows:

-q: Quiet output; nothing is displayed except summary lines at startup and completion.

-v: Verbose output; lists ICMP packets that are received in addition to echo responses.

-R: Record route option; includes the RECORD_ROUTE option in the ECHO REQUEST packet and displays the route buffer on returned packets.

-c Count: Specifies the number of ECHO REQUESTs to be sent before concluding the test (the default is to run until interrupted with CTRL+C).

-i Wait: Indicates the number of seconds to wait between sending each packet (default=1).

-s PacketSize: Specifies the number of data bytes to be sent; the total ICMP packet size will be PacketSize + 8 bytes because of the ICMP header (default=56, giving a 64-byte packet).

Host: Host IP address or hostname of a target system.

The syntax for using Ping on a Unix system is as follows:

-c number: Specifies the number of ICMP ECHO_REQUESTs that are sent out.

-d: Causes ping to send packets as fast as they are echoed back from the remote system, or up to 100 times per second. Exercise caution when using this option regularly, to avoid generating high volumes of traffic on a busy network.

-I seconds: Enables you to specify the number of seconds between each packet sent; the default is 1 second. This option cannot be used with the -R option.

-R: Records the route taken by the packet.

Troubleshooting a Network Connection Using the Ping Command:

1. Ping the local system’s own numeric IP address.
2. Ping the system’s hostname.
3. Ping another system that you know is on the local subnet.
4. Ping the default gateway (also called the default route).
5. Ping a system on a remote subnet.
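The five steps form a ladder: each rung adds one more piece of the path, so the first rung that fails tells you which piece is broken. The script below is an added example (not from the original post) that walks the ladder with the OS ping command and stops at the first failure. The target addresses are constructed placeholders; the count flag follows the Windows (-n) and Linux/Unix (-c) syntax listed above.

```python
import platform
import subprocess

# Constructed placeholder targets; replace them with your own network's values.
LADDER = [
    ("1. own numeric IP address", "127.0.0.1"),
    ("2. own hostname", platform.node() or "localhost"),
    ("3. another host on the local subnet", "192.0.2.10"),
    ("4. default gateway", "192.0.2.1"),
    ("5. host on a remote subnet", "198.51.100.20"),
]

# First failing rung -> what that rung isolates (0 means every rung passed).
DIAGNOSIS = {
    0: "all rungs passed: basic IP connectivity is fine",
    1: "local TCP/IP stack or loopback interface is broken",
    2: "local name resolution (hosts file / DNS) is misconfigured",
    3: "NIC, cabling, switch port or local subnet addressing",
    4: "default gateway unreachable, or the wrong gateway address is configured",
    5: "routing beyond the gateway, the remote host itself, or firewall filtering",
}

def ping_once(target: str, count: int = 2) -> bool:
    """Send `count` echo requests with the OS ping; True when it exits 0, i.e. a reply came back.
    Caveat: Windows ping also exits 0 on 'Destination host unreachable', so inspect its output there."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    proc = subprocess.run(["ping", count_flag, str(count), target],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0

def first_failure(results) -> int:
    """1-based index of the first failed rung in ladder order, or 0 if every rung passed."""
    for i, ok in enumerate(results, start=1):
        if not ok:
            return i
    return 0

def run_ladder(prober=ping_once):
    """Walk the ladder top to bottom and stop at the first rung that fails; returns the per-rung results."""
    results = []
    for label, target in LADDER:
        ok = prober(target)
        results.append(ok)
        print(f"{label}: ping {target} -> {'ok' if ok else 'FAILED'}")
        if not ok:
            break
    print(DIAGNOSIS[first_failure(results)])
    return results

if __name__ == "__main__":
    run_ladder()
```

The `prober` argument exists so the ladder logic can be exercised with a fake probe (for instance in a test) without sending any packets.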


Server Operating Systems

December 23, 2007

As many of you already know, there are several different operating systems. Some of the more popular ones include:

Microsoft Windows Server 2003
Microsoft Windows Server 2000
Microsoft Windows NT Server
Novell NetWare 6.5
Sun Solaris

Most people use Windows Server 2003, Novell NetWare, Solaris or a Linux distro, so those are the ones I will focus on.

Microsoft Windows Server 2003

Windows Server 2003 is available in several different editions, including the Standard Edition, which costs $995 with five client access licenses. The Web Edition sells for less than $400 and is a Web hosting and Web application platform. The Enterprise Edition supports up to 8 processors, supports eight node clusters with failover, and has 32GB of memory. There is a 64-bit version as well for Itanium systems. The Datacenter Edition offers support for up to 32 processors and 64GB of memory in the 32-bit version. This edition is available for OEMs and VARs who qualify for Microsoft’s certification program. The 64-bit version can scale up to 128-way SMP systems and 512GB of RAM. It can be configured for up to 8 node clusters. Included in this version are load balancing and a system management utility called the Windows System Resource Manager.

The Small Business Server 2003 Edition supports a single domain with no trust relationships, supports up to 75 connected users (provided you purchase the client access licenses), and comes with a suite of applications, including Exchange, SharePoint and a basic firewall. The Premium version adds both SQL Server and Internet Security and Acceleration (ISA) Server, which is a proxy, firewall and caching server. Because of the trust limitations, this edition isn’t viable for a workgroup in a larger system. The Windows Storage Server 2003 edition is a highly tuned version of a file and print server. You cannot buy this version of the O/S alone: you may only purchase it from a certified VAR or OEM as a hardware/software bundle. The pricing for this edition is aggressive, and it does not require connected clients to obtain client access licenses.

Novell NetWare 6.5

NetWare was one of the last major enterprise networking platforms to accept TCP/IP as its native protocol. The current version is 6.5, and Novell advertises it as “the most reliable foundation for deploying business-critical, open-source enabled solutions.” Novell bundles the Novell Cluster Services Solution into 6.5, which allows you to create two-node server clusters, both locally and as a failover to a remote location. Other new features include native support for iSCSI, a server migration wizard, a server consolidation utility, and the NOS’s built-in snapshot backup tool. NetWare also comes bundled with a browser-based network management tool that Novell calls iManager, which can inventory your network clients and servers.

Sun Solaris

Solaris is arguably the best-supported version of UNIX in the PC server marketplace. What makes Solaris special is that there are more applications running on Solaris than on all other UNIX versions combined – about 10,000 or more. Solaris comes in two versions: one that runs on the SPARC and UltraSPARC processors, and one that runs on the Intel x86 processor platform. Solaris 10 began to incorporate Linux APIs and can also natively run Linux binaries on the x86 platform. The Sun O/S is released under what is called the Common Development and Distribution License (CDDL), based on the Open Source Initiative (OSI) license model. Solaris 10 concentrated on adding a number of new networking features, including an improved dual IP stack, better IPv6 support, Layer 3 multipathing (featuring better network redundancy), better streaming and session support, an improved Solaris Network Cache Accelerator (NCA), and a new technology called Solaris Containers (previously known as N1 Grid Containers). IPv6 support also means that there is better support for the IPSec secure communications protocol and for the Internet Key Exchange (IKE) infrastructure. Solutions on Sun tend to be more expensive than those on other platforms, and because you are buying proprietary hardware, the choice of hardware is narrower.


Linux is an interesting proposition as a server NOS platform because it has been embraced by almost all major server hardware vendors, including IBM, Hewlett-Packard, Novell and others. The Linux O/S is an open source project and is loosely based on UNIX, but it has its own kernel, which is what the name Linux actually refers to. Linux runs on a variety of processor platforms, but most often appears on the Intel x86 processor platform. Linux’s low cost has given the O/S a position in small, embedded systems such as set-top boxes, PDAs such as the Symbian O/S, phones, routers and firewalls from companies such as Linksys and even the TiVo personal video recorder (PVR). There are, perhaps, as many as 300 distributions of Linux, ranging from packages such as Mandriva (formerly Mandrake) that are meant for desktop users to Novell’s SUSE Linux Enterprise Server 9, which is sold as a server platform. The Red Hat version of Linux dominates the sales of this platform for server applications. Most organizations adopt Linux servers for two reasons: the lower cost of licensing the O/S and the modest equipment demands of Linux.


Teaming and Failover

December 23, 2007

On this blog posting, I thought I’d describe teaming and failover.

Teaming is the process of installing multiple NICs into a server or router and configuring them to work together. Teaming is controlled by the software on the network device that is using the teaming service. A team can include up to eight network ports in a server. This can be up to eight single-port network adapters (card-based or integrated) or a smaller number of multi-port adapters. Remember, however, that because teaming can serve a variety of purposes, you must be familiar with the process of configuring a team.

Failover is when you want to make sure that a server or other network device is constantly available. Failover can play an important role in your server network. A failover, which is automatic and transparent to the user, switches you to a backup device in the event of the failure of a server, database, router, or other network device. You can use failover for emergency situations when you have a device failure or when you need to take a device down for routine maintenance. Failover requires that you have a duplicate device that is connected and ready to be switched to in the event that the original hardware fails. This option can be expensive to implement, but if your cost of being down is more than the cost of the redundant hardware, it is well worth it. You can implement many levels of failover, ranging from support for very minor components, such as a network card, to the extreme of having a backup device to everything on your network. If you use routers that support the Virtual Router Redundancy Protocol (VRRP), you can configure two or more routers to provide redundancy and failover services. However, failover should not be limited to NIC and router installations.


Run Your Own Server

December 6, 2007

Ever since getting a 30GB Video iPod as a combination birthday/Christmas gift last year from my wife, I’ve been listening to the Run Your Own Server podcast via iTunes.

The podcast is run by three guys (Thud, Seg and Gek) who all work full-time as system administrators. The topics they cover are things of particular interest to those who either work as system admins, or those who want to work as system admins.

Things ranging from databases to DNS to file servers to L.A.M.P. (which will receive its own lone blog in the future) to different operating systems (FreeBSD, OpenBSD, Ubuntu Linux, Fedora Linux, and more) to how to land a job as a system admin and more really show the depth and innate skill that the three of them have.

If you have ANY interest in system administration, either as a career or just for fun, this is a podcast you CANNOT miss.


Top Five Favorite Networking Websites

December 1, 2007

Okay, I know it’s not much, but this is just to get things started… Kick the party off, so to speak.

My top 5 favorite networking-related Web links:

5. Bruce Schneier on Security –

4. SysAdmin Talk Forums –

3. –

2. Server Watch –

1. The League of Professional System Administrators –