Matt-J.co.uk : Ramblings

So today I stumbled accross this: IBM’s new eX5 architechture/server range.

The main advantage is they seem to have decoupled memory from the Xeon X86 processors, allowing for extra rackmount modules of RAM without needing extra processors or more servers.

It’s all well and good and i’d like to be able to say, this this the birth of MAN’s (Memory Area Networks) to accompany existing SAN and LAN technology, however; I can’t answer that, as there does not seem to be much technical information available!

For example, is the architechture addressable? can a memory module be connected to multiple server nodes and memory used as needed (like a Dynamic SAN environment can for secondary storage). This would allow the system ideally to scale to a full MAN type scenario, with virtualisation provisioning technologies reserving X amount of memory for new VM’s, could even allow memory sharing between server nodes at memory speeds for clustered applications and failover scenario’s.

-or-

is it, as I expect, some silicon that extends QPI onto some custom IBM external interface, allowing point to point or limited point to multipoint connection to another tray of ram. I get the feeling this is probably more the case.

I cannot confirm from what I have read so far that it’s either of these, but if it was the former I should imagine there would be more of a fuss…

I guess i’ll have to wait a while for a distributed network technology that is still DDR3-Quick even after additional network addressing overheads.

Still, good to see movement from the norm, if for no other reason than to spark technical discussion.

Matt

Further Reading:

http://www-03.ibm.com/press/us/en/pressrelease/29570.wss

http://www.redbooks.ibm.com/abstracts/redp4650.html

ftp://public.dhe.ibm.com/common/ssi/pm/br/n/xsb03013usen/XSB03013USEN.PDF
ftp://public.dhe.ibm.com/common/ssi/pm/rg/n/xso03099usen/XSO03099USEN.PDF

Recently had to try and explain why a FTPS configuration was not working over an otherwise open private WAN. Issue was the two stateful firewalls at each end. Since writing this post I have shown it / e-mailed it to three other people to try and help them understand their own encrypted FTP issues.

So because it seems helpful I’ll add it here (IP Guru’s will get annoyed by the very simplistic language used, but it could save you time if you get asked in future!)

FTP connections require more than one channel of information, there is the control channel, TCP Port 21 and then single / multiple data transfer channels for PUT/GET/DIR commands for sending/receiving/listing data etc. The TCP or UDP ports that the data transfer channels use are negotiated between the server and client via the control channel once the user has logged in successfully.

A modern firewall works by looking at outbound connections from an internal network and ‘tracking’ them, that is, it keeps a record of internal host A trying to contact internet webserver W1 on port 21, then only allows traffic from the internet if it is from Webserver W1 on port 21 sending data to internal host A. In this way, any communication channel that has not originated inside the customers network will not be allowed into the network from the internet (or <NETWORK NAME REMOVED> in this case). Clearly this posed a problem for the FTP protocol, as the original FTP specification mandated that the FTP SERVER would decide on the data transfer channel ports and try connecting BACK to the client on these new ports, of course that did not work, as the firewall at the client end has no record of the client connecting outbound on these data transfer channel ports and so drops the connection.

To get around this issue (when security became important on the internet and people started deploying firewalls) the FTP standards created a new ‘PASSIVE’ mode, this mode just allows the data transfer channels to be created FROM the client to the server, allowing the firewall to see the outbound connection and therefore allow return data traffic from the server. This works fine, unless BOTH server AND client are behind firewalls, at this point, neither ACTIVE or PASSIVE mode solves the problem, there will always be one firewall that drops the connection because it hasn’t seen the computer behind it initiate the connection first.

To solve this, most firewalls (including ours here and the one at <SITE NAME REMOVED>) have ‘FTP Helpers’ built in, these pieces of code inspect the data passed between server and client in the FTP control channel (Port 21) and therefore see the negotiation between the systems over what data channels to use, because they see which ports the systems are getting ready to use for FTP data channels, the firewalls can dynamically open the needed ports, expectantly waiting for the connection and then close the ports again when the control channel disconnects (because if there is no control channel there is no user).

This works perfectly, however if you need ENCRYPTION on your FTP transfer, due to the nature of the data you are transferring, then, both control and data channels are encrypted from client to server and back again with TLS or SSL encryption.The firewall becomes blind to the data it needs to ‘help’ the FTP connection, as the control channel appears to the firewall as nothing but encrypted jibberish, therefore the FTP helper in the firewalls cannot work out what ports are being negotiated.

This is why you can log in successfully, but anything that requires listing, sending or retrieving data fails, as the data channel cannot be set up because the firewalls are not expecting the connections. The only resolution to this is FTP Clear Control Channel mode, this (as the name suggests) only uses encryption for the transfer channels and leaves the control channel in plain text so that firewalls along the path can deal with the connection correctly.

It is support for FTP Clear Control Channel mode that I wanted to log onto the server and check for, but after some reading into FileZilla server, it appears this is not supported.

It is for this reason that both our site AND <SITE NAME REMOVED> are to blame, purely because they both operate firewalls.

This is not an issue that can be resolved without doing one of the following:

- Running a FTP server that supports CCC

- Removing one of the Firewalls

- Removing encryption

- Permanently opening up a range of ports from/to both machines and then configuring both server and client to always use these ports for data channels. This would also mean only that pair of systems specifically configured for this server could successfully use FTP in this manner.

Hi All,
Just a quick update, looking for a house and work is still taking up most of my time, but starting to look into IPv6/MPLS and BGP together, it’s all a little crazy, there’s going to be a lot of wireshark involved and if GNS3 hadn’t just lost configs on 6 routers I’d be a lot further on than I now am ;P

Anyway, putting this here should make me carry on and write something more about it!

Everyone has a little niggleing topic in their chosen profession, a tiny little thing that relates to a lot of the stuff you do everyday, but that you just don’t ‘get’…

With computing/networking, this happens a lot, but occasionally even reading and extensive googleing doesen’t help. It’s at this point you ask other people you know, and when they don’t know either, you’re fully foobared.

It’s a feeling second only to the horrible lack of answers created by googleing an issue and getting your own blog back as the only result!

Anyway, rambling hills of pretext over, for me, locking down terminal servers has always been one of these sore points. I have used AD a lot, through server 2000,2003,2008 and all the R2’s inbetween, happy with cli tools for complex replication debugging and delving into the LDAP bowls or crawling through kerberos/NTLM wireshark dumps, however;

Locking down terminal servers;
-User GPO’s apply to users, pretty much everywhere! no matter which machine they log on to, this is no good for locking down single machines!
-Computer GPO’s are much better, but lack a whole shed of useful tools for restricting or controlling user actions

So how to do it? I have come up with lots of bastardized ways in the past to achieve this kind of lock down, usually at the expense of ease of administration.

Until last week, a colleague found this:

http://support.microsoft.com/kb/231287

Loopback policy mode! It’s been there since Windows Server 2000!
Basically, this option within the computer policy section of a GPO was designed to tackle this exact problem, any computers that this policy get’s applied too, will also apply the (usually discarded) user policy section of that GPO to any users logging onto the machine!

Bloody brilliant! Why I have never found this is Google searches before is beyond me!

Anyway, the term ‘you learn something new every day’ had real significance because of this, hope it helps someone else out too!

Wow, over a year sice my last post. The blog took a backseat through final year uni work and I guess it never really picked up again! Have considered shutting this down a couple of times, but now i’m finding time to look into new tech I guess it makes sense to start updating again, if for no other reason that my own memory!

Lots has changed since my last post (as you’d expect!), moved home for a month towards the end of my degree to focus on my dissertation, outstanding coursework and revision.

Good Job I did too, graduated with a 1st with honours in BSc Computer Networks, averaged over 90% in my last summester! Quite proud of myself!

After graduation I went fulltime at IT Start in Manchester and moved home to get some funds together before beginning the flat/house hunt that is now my number one priority.

Christmas/New years was good, predrinks with sam and Joejoe in manchester newyears eve eve then a bit of a family do new years.

Sam bagged himself a nifty job doing hardcore tech support for high speed storage solutions in reading, and so quickly dissapeared down there, nearly followed him when a position opened up at the same company, however on putting things on paper the financials (of my debt at that point and owning a car mainly) just wouldnt have worked, mixed with some other issues which I won’t go into here :).

Which brings us to now (with lots missed out, but youre not hear for a 12 month blow by blow account!)
Enjoying still being in manchester, looking for my own place (however the house rental market seems to suck at the moment if you want to be anywhere near manchester bar salford… and to be honest four years is enough :) ) and getting stuck into new tech partly for the job and partly for my own interest.

So currently sat here, on this joyous 4 day weekend, finding myself just able to look at a PC screen after last nights drinkage and wondering what can be done to get me fit to head out again tonight!

Hope everyone is well, doing whatever they are doing!.. (wonder how many RSS readers this url is still in)

More soon, definatley won’t be a year this time! ;)

Matt

PS. As it’s been so long since all my previous posts, have deleted the old tag cloud and moved all old posts to an ‘old blog’ catagory, should make things a little easier to filter :)

A month since my last post!
Poor I know but I have been more snowed under with exams, coursework and final year project work than.. well, london :)

Now into the second semmester of my final year, timetable changes have meant my job work hours/days have changed, however this may not be such a bad thing. Last semester I worked Monday Tuesday part time for an IT company, then did uni and project work wed-fri. Now I have lectures Tuesday morning and every other day at some point except Monday, so I’m working Monday, then wed afternoon and Thursday morning.

Have done this for one week now and I actually like it, I feel that due to the break between the days I am going to get much more done on the long running projects that work has assigned me, as that break between wed/thurs allows your brain to reflect and carry on pondering, allowing touch ups and changes the next day.
It also breaks the work up, never a bad thing.

Had exams throughout January for last semesters modules, some pretty deep questions on low level bluetooth, UWB (Ultra wideband) and wimax (IEEE802.16d/e) were asked in our advanced network technologies exam however I think I answered them OK.

Also pondering next year quite a lot at the moment, with friends rushing round applying for jobs left right and center, I really need to consider exactly what I plan to do and where I want to be come next September.
Obviously somewhere in network security / advanced network tech, just where would best suit my knowledge and allow me to keep learning what I enjoy… Answers on a postcard :)

Anyway, enough of a catchup, I have stuff to ramble about like more IPtables stuff, opensolaris and my uni project, but I’ll save those for another post.

//Matt

A proof of concept attack has been presented at 25C3 (http://events.ccc.de/congress/2008/) showing that it is possible to use the well known MD5 hash collision insecurity to create your own ‘Certificate Authority’ (CA) signing certificate which is already accepted as trusted by most of the major browsers.

This allows an attacker with this root CA key to sign any other certificates he wishes, and all of these will be trusted by client browsers.

Scenario: In the past, if you went to your online banking website and a certificate error appeared, you would suspect something was up, possably you were being Man-in-the-middled and you were being proxied through a malicious machine, or alternativley your DNS had been poisoned and the site you were looking at was not the real bank’s site. You knew this BECAUSE of the certificate error and the attacker could do nothing about it because he was not able to get the private key of the bank’s certificate, or have his own bank certificate pair signed by a signing authority. The attacker just had to hope the user just clicked ‘Continue anyway’ etc.

However now, the attacker basically has the public and private key for a root CA certificate installed in your browser, he can sign any certificate pair he wants, and it will be trusted. How do you differentiate now? when both the real bank and attacker bank site come up with a rosy green SSL bill of health?

Creation of such a certificate only works against certificate authorities that still use MD5 (RapidSSL was used in this particular exploit) and with the release of this information, I should hope that the number of CA’s using this == 0 in a very short while :)

This has been a very crude and technically lacking explanation, however I suggest you read the following link for a much more indepth step by step process on how this was carried out;

http://www.win.tue.nl/hashclash/rogue-ca/

//Matt

Hi all, Just a quick update.

I’m sure we are all farmilliar with the Windows NT Password offline editor? (if not http://home.eunet.no/pnordahl/ntpasswd/ )
It provides a bootable environment based on chntpw to change or blank any 2000/XP/2003/Vista local users password, very useful for lost accounts.
However, while playing around I was wondering how easy it would be to get a copy of the users original hash first, so it can be put back in place after you have reset the password, allowing you to cover your tracks (Not having to hastle users to set a new password is always a good thing!)..

Turns out windows does no checks on the file properties of the ‘SAM’ account manager registry hive, so;

• boot into some form of linux with NTFS-3G (NTFS Read/Write support), copy SYSDRIVE:/Windows/System32/Config/SAM to SAM.Bak.

• Go ahead with your chntpw based password reset (may as well use the raw chntpw tool since you are already in linux, however nothing wrong with shutting down and booting into the NTPWRS bootable cd (as the SAM.Bak file was saved on the actual drive).

• Reset the users password of your choice and do whatever needs to be done…

• When finished, boot back into Linux with NTFS R/W support and move SAM.Bak back to SAM, overwriting the current ‘SAM’ file.

Thats it, passwords for all users back to what they were.

This isn’t anything new, or actually that exciting, but it’s something not really mentioned around the NTPWRS/chntpw pages and I thaught it could come in useful to know it works :)

Right, onto the real point of my messing around, I want to be able to do the same for active directory;
So far it looks like I have hit a deadend trying to access the AD DB itself while the system is live, user passwords are stored in a ‘UnicodePWD’ class inside the users object which is a ‘write only’ field. I have a few more idea’s on how to get this, and then putting the hash back whenever required is very easy indeed :)

More later.

//Matt

The other day I cleared up something that has been confusing my brain for ages! (whether anyone else cares is another matter but anyway :P)

I could not understand why WIFI sniffing tools such as kismet were able to collect all data from clients on a given channel when the underlying multiplexing technology was direct sequence spread spectrum. DSSS (Basic overview: http://en.wikipedia.org/wiki/Direct-sequence_spread_spectrum) allows multiple clients to transmit simultaneously on the same frequency by multiplying a pseudorandom ‘chipping code’ of 1’s 0’s and -1’s to the data before transmission. The receiver can then use the code for that client to pick out the clients data from the other noise on that frequency range. The data can even be received if the clients signal is at a lower power than the noise floor.

It is this technology that is used in 3G UMTS systems to allow multiple mobile phones within the same cell area to all upload data (and download, because downloads still require ACK’s) at much faster speeds to GSM (GSM uses traditional frequency and time division multiplexing techniques to ’slice’ up the available bandwidth and hand it out to clients (as without DSSS only one client can transmit on a certain frequency at a certain time))

So that’s the overview, this was my puzzle, if DSSS is being used on a wireless network, each client has a chipping code in line with how DSSS works. This would mean that traffic from laptop A would be sent to the access point multiplied by a pseudo-random number that only itself and the access point knew. Making it impossible for me, laptop B to sniff laptop A’s data, as I do not have the same chipping code and would therefore not decode laptop A’s transmission properly, therefore, DSSS would provide some rudimentary encryption just because of how it operates.

However, from sniffing wireless LAN’s with kismet, I KNOW this not to be the case, I can recover another wireless clients data very easily and from the collected data I can resemble full TCP streams, so I am definitely receiving all the traffic to/from that client.

The reason?
The IEEE’s use of DSSS for 802.11b/g is not how DSSS is ‘usually’ used. They have used DSSS for some of it’s other properties and not for it’s simultaneous client transmit ability (probably due to power/cost issues in full on DSSS decoding requirements and that broadcast traffic would have to be encoded with each clients chipping code).
Therefore, the 802.11b standard (I believe, I am trying to find it) actually specifies the chipping code to be used by all 802.11b compatible kit. This standard means that WIFI is still a ‘One person transmitting at a time’ medium (as everyone is using the same code so it offers no way to differentiate between simultaneous transmissions) and because of this CSMA/CA (carrier sense multiple access with collision avoidance) is used along with RTS/CTS (request to send/clear to send) management frames to ensure that only one client is transmitting at a time.
This single hardcoded chipping code also explains why kismet is able to sniff all traffic on a WIFI network, even though DSSS is in use!

Hope this helps someone else’s brain take a few hours off too :) or at least got someone interested in low level network tech :)

//Matt