VOIP and Traffic Priority

Some time ago my employer asked if I would like to participate in a pilot of AT&T CallVantage from my office. This service is a competitive offering to Vonage’s VOIP service. With CallVantage, you get to pick a phone number in an area code of your preference, they send you a telephone adapter in the mail and off you go. The telephone adapter connects over the Internet to the phone company, bypassing the local carrier’s wires. Within the week I had the telephone adapter. Getting the CallVantage service up and running was no trouble at all. There is a web portal to customize the service, like recording voice mail greetings and setting up a do-not-disturb schedule. You can review call history through the portal and place numbers into a phone book. You can also initiate calls from the web site. The service will ring your phone, wait for you to answer and then ring the other party’s phone.

The telephone adapter I received in the mail was manufactured by D-Link. It is actually a combination telephone adapter and firewall, if you choose to use it that way. The network here was already equipped with a firewall, so I decided to use up one of my static IP addresses and place the adapter outside the firewall. The first time the adapter connected over the Internet with AT&T, it spent a few minutes downloading new code and rebooted a couple of times, and when it was ready for service the phone connected to it rang once. The status lights on the adapter showed all green.

I had been using CallVantage for a few days and everything was working great until … one day I was on a VOIP call and hosting a screen sharing session with some of my co-workers around the country. I was doing a code review, paging through an editor, showing some diagrams and talking about the design. From the network point of view there was a large amount of constant outbound traffic, some consisting of the screen data and some consisting of my VOIP data. Every couple of minutes someone would ask me to repeat something I said, because my voice had broken up for a brief moment. They described it as sounding similar to a cell phone breaking up, and other times they said I just went to dead air for a few seconds. I knew exactly what was happening: there was competition between VOIP and non-VOIP traffic and there was no control over which would leave my network first at any given time. It was time to seriously consider a solution to prioritize network traffic.

The D-Link adapter has the ability to prioritize traffic if you use it as a pass-through device. You can configure the D-Link as a NAT router or a bridge, placing it between your ISP’s router and your private network or existing firewall. The D-Link adapter will give priority to packets for VOIP and slow down or drop packets from your network devices to accomplish a poor man’s QoS. I call it a poor man’s approach because I don’t actually think D-Link put a lot of thought and effort into it. I was always suspicious that the telephone adapter had a 10 Mbit network port on the WAN side. They put 100 Mbit ports on the LAN side. The WAN port speed was just a little too close to the upper bandwidth of the Internet connection here. There are days we get well over 10 Mbit on the inbound side of our connection, so this just seemed like a bad idea. In fact, it was a bad idea after I tried it. There was no improvement in the number of voice drop-outs. The next strategy was to move the D-Link adapter behind the firewall, reconfigure it for DHCP and use a more robust approach for traffic shaping and prioritization. The D-Link adapter would only be the source and destination for VOIP traffic. No other traffic would move through it. The solution I eventually adopted is open source. I will talk more on the actual implementation in a future post.

The first thing to understand about VOIP audio quality is that you can only effectively prioritize and shape outbound traffic. This is traffic leaving your network heading for your VOIP provider. I mean, you can prioritize inbound traffic on the receiving side, but by the time this happens, the traffic has already traversed your connection and has used up some portion of bandwidth. Prioritizing inbound traffic on the receiving side will rarely improve the audio quality you hear. There are reasons beyond VOIP to prioritize and shape inbound traffic on the receiving side, like slowing down the person downloading ISO files all day on Friday. A good example from the real world is highway traffic control. Traffic signals are placed at the on-ramps to the highway, not the off-ramps. Your Internet connection is like a point-to-point highway between your ISP and your site. If you want to prioritize inbound traffic for the purposes of VOIP audio quality, talk to your ISP (the on-ramp for the traffic coming to you) so they prioritize packets before sending them to your place. What about packets traveling between the VOIP provider and your ISP? Anything can happen there and it’s out of your control. Usually these interconnections are so fast that they are not a significant factor in quality.

The next bit of knowledge about prioritizing network traffic is to have only one device at your end making the determination about which packets go out first. This means you don’t want to flood your DSL or cable router with packets, because its queuing strategy might undo the order of packets you send to it. The only way to be sure the packet order is maintained is to reduce your outbound bandwidth slightly to make sure only one device on your end is queuing packets in the order you specify. You want to send packets just a little slower than your connection’s upper limit, to keep all the other device queues empty. If your ISP router gets a packet and its queue is empty, it can send that packet right out.

We will use my office setup as an example. The outbound connection speed at my office is about 1.5 Mbit. We specify to our traffic shaping device to limit outbound speeds to about 1.4 Mbit. If you don’t do some amount of reduction and just blast packets to your ISP router at full speed, it may reorder them based on its internal rules, or it may just start dropping packets because the manufacturer designed it with a shallow queue. Because these are usually closed, proprietary devices, you just have to accept that you don’t know what it will do as packets queue up. For our case we have the traffic shaping device reduce our outbound speed by about 6.5%. You might need more or less of a reduction, and experimentation and tuning is a required step. Re-tuning should be done once or twice a year.

Next, you need a way to identify traffic from specific devices on your network and determine what the classes of priority should be. In our network we have three classes of priority for outbound traffic. The highest priority traffic comes from the VOIP devices. Medium priority traffic comes from workstations. Lowest priority traffic comes from servers. Remember these priorities are only for traffic leaving the network for the Internet. Our internal network is 100 Mbit wired or 54 Mbit wireless, so workstations connecting to the local SMTP server don’t feel any of this prioritization. The reason servers are at the lowest priority is because there are a few non-essential web sites hosted here and an SMTP server that relays outbound mail. We really don’t care if it takes 5 seconds or 20 seconds to relay an outbound email, because it is all done as background work. The VOIP devices and servers are given internal, static addresses by the DHCP server, so we can determine a packet’s priority by source IP address.

The device or software you choose to prioritize your traffic may have constraints on how traffic can be identified. For example, it may only be able to identify traffic based on source and destination IP port numbers, or protocol. A simple hardware device may prioritize traffic based on physical network port connections. I have a small consumer firewall that has five 100 Mbit LAN ports, and each port can be assigned a low, medium, or high priority. Do your research and work out your strategy before committing to a solution.

I decided on an open source solution called m0n0wall and a basic Dell PC with multiple network adapters. I stripped out the hard disk and floppy disk, kept the CD-ROM, added an IDE compact flash reader and a couple of extra fans just in case. I will go into details about my m0n0wall firewall and shaper settings in the next post. ...

February 17, 2008 · 7 min · 1486 words · Jim Thario

How I use m0n0wall

It really has been about 1.5 years since my last post. I have been busy and now have plenty to write about. A few months ago I deployed a dedicated system running m0n0wall at the edge of my network. I needed to find a firewall and router that could do the usual firewally things. I needed support for inbound and outbound NAT, DHCP and DNS for LAN clients, and inbound VPN when I am away. I did not want the firewall to rely on any other system in the network aside from the ISP’s router. Last year a new requirement surfaced in that the office needed shaping and prioritizing of traffic to and from the Internet. There is a VOIP adapter here for AT&T CallVantage. Skype is also used periodically. Real time traffic needs priority over everything else. Traffic related to the web and email servers needs to run at the lowest priority. Services like SMTP don’t need the full bandwidth of my connection here in either direction. I often find bursts of incoming SMTP can cause drop-outs on the VOIP calls. The several workstations on the network here need reasonable connectivity: higher priority than the servers but less than the VOIP traffic. Finally, if a class of service is not competing with any other, that service should get the bulk of available bandwidth regardless of priority. Here is a high-level diagram of my network. With the next few postings, I will go into detail of how I successfully deployed m0n0wall on this network to satisfy these requirements. ...
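The outbound shaper that this post and the VOIP and Traffic Priority post above describe, written out as an added example on a Linux router using tc with the HTB qdisc. This is not the author's m0n0wall configuration (m0n0wall uses FreeBSD's shaper behind a web GUI), just the same design expressed in a tool that can be shown as text. The interface name, the 1.5 Mbit uplink, the addresses and the 20/50/30 split of guaranteed rates are assumptions for illustration. Two points from the posts are the whole of it: the root ceiling sits a few percent below the link speed so this box is the only device on your end that ever queues, and the three classes are picked by source IP with a per-class ceiling equal to the root, so a class that is not competing with anything borrows the bulk of the link.

```shell
#!/bin/sh
# Added example, not code from the original posts: a Linux tc/HTB outbound
# shaper with the three classes the posts describe (VOIP, workstations,
# servers). Interface, link speed and addresses below are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"                # assumed WAN-facing interface
LINK_KBIT="${LINK_KBIT:-1500}"          # uplink speed; the office is ~1.5 Mbit
VOIP_IP="192.168.1.10"                  # assumed static DHCP lease, VOIP adapter
SERVER_IPS="192.168.1.20 192.168.1.21"  # assumed static DHCP leases, servers

# Root ceiling a little below the link: if we send slower than the ISP router
# can forward, its queue stays empty and it cannot reorder or drop our packets.
shaped_rate_kbit() {   # $1 = link kbit, $2 = reduction in tenths of a percent
    echo $(( $1 - $1 * $2 / 1000 ))
}

# With DRY_RUN=1 the tc commands are printed instead of executed, so the rule
# set can be reviewed on a machine that does not have the interface.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "tc $*"; else tc "$@"; fi
}

build_shaper() {
    ceil=$(shaped_rate_kbit "$LINK_KBIT" 65)      # about 6.5% below the link
    run qdisc del dev "$WAN_IF" root 2>/dev/null || true
    # Unclassified traffic (the workstations) lands in class 1:20.
    run qdisc add dev "$WAN_IF" root handle 1: htb default 20
    run class add dev "$WAN_IF" parent 1: classid 1:1 htb rate "${ceil}kbit" ceil "${ceil}kbit"
    # Guaranteed rates split 20/50/30 and sum to at most the root rate, which
    # HTB requires; every class may borrow up to the full ceiling when the
    # others are idle. Lower prio wins when classes compete for borrowed bandwidth.
    run class add dev "$WAN_IF" parent 1:1 classid 1:10 htb rate "$(( ceil * 2 / 10 ))kbit" ceil "${ceil}kbit" prio 0
    run class add dev "$WAN_IF" parent 1:1 classid 1:20 htb rate "$(( ceil * 5 / 10 ))kbit" ceil "${ceil}kbit" prio 1
    run class add dev "$WAN_IF" parent 1:1 classid 1:30 htb rate "$(( ceil * 3 / 10 ))kbit" ceil "${ceil}kbit" prio 2
    # Fair queuing inside each class so one busy host cannot starve its peers.
    for c in 10 20 30; do
        run qdisc add dev "$WAN_IF" parent "1:$c" handle "$c:" sfq perturb 10
    done
    # Classify by source IP, which works because the VOIP adapter and the
    # servers hold static leases. Everything else falls to the default class.
    run filter add dev "$WAN_IF" parent 1: protocol ip prio 1 u32 match ip src "$VOIP_IP"/32 flowid 1:10
    for ip in $SERVER_IPS; do
        run filter add dev "$WAN_IF" parent 1: protocol ip prio 2 u32 match ip src "$ip"/32 flowid 1:30
    done
}

# Applies the rules when saved and run as shaper.sh (DRY_RUN=1 ./shaper.sh to
# preview); when sourced under another name it only defines the functions.
case "${0##*/}" in shaper.sh) build_shaper ;; esac
```

This shapes egress on the WAN interface only, which is the half of the problem you control; as the earlier post says, inbound prioritization has to happen at the ISP. The 6.5% reduction is the office's tuned value and is the knob to revisit once or twice a year, as the post recommends.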

February 10, 2008 · 2 min · 261 words · Jim Thario

What are the security risks associated with business-to-business e-commerce?

Risks associated with B2B e-commerce include the technical problems of creating an Internet-facing business system that enables you and your partners to save money and react quickly by doing all transactions electronically. Additionally, I found there is some concern about the antitrust risks of business-to-business exchanges. I initially started searching for technical risks, and came across this document about the business risks of competitors working closely in collaboration to negotiate prices. http://mipr.umn.edu/archive/v2n2/gotfredson.pdf Certain models of B2B exchanges would have the competitors in an open auction against each other to win the bid for some product or service. “In spite of the promises inherent in this new business model, B2B exchanges necessarily involve collaboration between competitors in a market, and thus raise potential antitrust concerns.” There is actually nothing new here about the types of antitrust activities a company might undertake with B2B. I think the point of the paper is that the Internet potentially makes this easier to take place. Connectivity between competitors and collaborators over the Internet and the growing sophistication of software provide an atmosphere where antitrust activities can occur without immediate notice. “A second antitrust risk associated with B2B exchanges stems from the fact that the Internet allows for the aggregation and analysis of copious information concerning the exchange’s participants.” I was not able to determine if any company has had legal action taken against them for B2B-related antitrust activities. The technical risks involved with B2B are typical for Internet-facing servers of e-commerce applications. For instance, Amazon uses a web front end to interface with their customers. The front-end of an application is one place vulnerabilities can be exploited to someone’s gain. 
Even though B2B exchanges may use a different kind of communication protocol, like a web-service or EDI communication, if there are weaknesses in the protocol, there is a possibility someone could use it to their advantage without immediate notice. An act as simple as transmitting illegal values for valid operations could allow unauthorized access because of a lack of sufficient defensive programming on the server-side. I found a PowerPoint presentation (link below) that listed some areas of potential loss from poorly designed e-commerce systems: theft of intellectual property, theft of proprietary information, sabotage of data networks, system penetration, insider abuse, financial fraud, denial of service, and viruses. http://www.business.duq.edu/BusinessSecurity/docs/mootcourt.ppt ...

October 31, 2005 · 2 min · 384 words · Jim Thario

What would the Web be like if there were no limit to bandwidth?

No limit to bandwidth means that it would be possible to send any amount of information across a network with no latency. Such an achievement would change more things than just the web. For instance, with the capability of limitless bandwidth, data storage and processing power would no doubt have made equivalent leaps as well. These are components of networking infrastructure as well as general purpose computers. So, networking equipment that provided limitless bandwidth would also include processing power to handle the load: processing power with no limits. Moving any amount of information with no latency also means you need some place to put it: data storage with no limits. With these limits removed, there might be no need for a web at all. The ability to move any amount of information instantly might mean we keep a copy for ourselves of everything we interact with, continually accumulating and indexing data at a constant rate from other information providers for the rest of our lives. From this I can imagine having my own reference database of accumulated information that becomes my private web, or life encyclopedia. ...

October 9, 2005 · 1 min · 188 words · Jim Thario

What are the distinctions between Internet, Intranet, and Extranet?

The Internet is the worldwide network of networks, which is available to business, government, education, and individuals. Many different services are provided over the Internet, including electronic mail, instant messaging and web applications. Single devices and entire local networks can join the Internet and become connected worldwide at a variety of speeds. Many large telecommunications companies carry the backbone of the Internet. The Internet “provides, uses or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein.” [1] An “intranet is a private network inside a company or organization that uses the same kinds of software that you would find on the public Internet, but that is only for internal use. An intranet may be on the Internet or may simply be a network.” [2] I have found that Intranet and internal web are often interchanged, as well as Intranet and internal network. I think in general it is safe to use Intranet to refer to all services available within the private networking domain of the organization. The Intranet of a company is often available by plugging into the network at a business office or virtually plugging in to it through remote Virtual Private Network access. I have found several overlapping definitions of Extranet, but in general they all refer to the same concepts. An Extranet is a company provided extension of its Intranet services to customers and business partners. [3] Using Amazon as an example, they do business over the Internet with most people through a web application. They also have business partners that receive orders and provide special services to Amazon’s customers. Business partners have access to Amazon’s Extranet, which allows them to interact with the private portion of the business’ network services, but only those services Amazon allows. 
[1] http://www.cs.columbia.edu/~hgs/internet/definition.html
[2] http://www.lib.berkeley.edu/TeachingLib/Guides/Internet/Glossary.html
[3] http://elab.vanderbilt.edu/research/studentprojects/extranet/execsumm.html
[4] http://elab.vanderbilt.edu/research/studentprojects/extranet/extranet.html
...

October 6, 2005 · 2 min · 307 words · Jim Thario

Explain the difference between logical design and physical design of a network

Logical design is, “The part of the design phase of the SDLC in which all functional features of the system chosen for development in analysis are described independently of any computer platform.” [1] A logical design for a network is an abstract functional specification for a telecommunications solution. A logical design lacks specific details such as technologies and standards and focuses on the needs at a general level. A logical network design can be a view of any part of a network. An entire enterprise educational network can be a composition of many logical designs. The lower level designs can be a university campus network that connects each building to the Internet, or it could be a view of the standard office telecommunications setup. The important quality of a logical design is that it communicates all needs in general terms.

Logical designs communicate with abstract concepts, such as a network, router or workstation, without specifying concrete details. A definition of abstraction that I like is, “the process of formulating general concepts by abstracting common properties of instances.” [3] Another is a “general concept formed by extracting common features from specific examples.” [3] Abstractions for complex systems, such as network designs, are important because they simplify the problem space so humans can manage it. An example of a network abstraction is a WAN. A wide-area-network carries data between remote locations. To understand a WAN, you do not need to understand the physics behind fiber optic data communication, although WAN traffic may be carried over optical fiber, satellite, or copper wire. Someone specifying the need for a WAN connection on a logical network diagram can understand the concept of a WAN connection without understanding the detailed technical specifics behind it.

Logical designs are often described using terms from the customer’s business vocabulary. Locations, processes, and roles from the business domain can show up in the logical design. An important aspect of a logical network design is that it is part of the requirements set for a solution to a customer problem. The basic idea of physical design is that it communicates “decisions about the hardware used to deliver a system.” [2] A physical network design is created from a logical network design. A physical design will often expand elements found in a logical design. For instance, a WAN connection on a logical design diagram can be shown as a line between two buildings. When transformed into a physical design, that single line could expand into the connection, routers and other equipment at each end of the connection. The actual connection media might be shown on a physical design, as well as manufacturers and other qualities of the network implementation. The primary difference between logical network design and physical network design lies in the iterative production of a solution from the identification of a problem. For example, when a business needs to share information in real time with remote offices, they are thinking in terms of business first and technology second. This is where identification of a problem begins, and as the problem is documented, it can be iteratively evolved from a logical solution into many possible physical designs. The logical design of a network can be re-implemented with new technology, and yet the logical design remains the same. Logical designs can span generations of technology, while a physical design is one realization of a logical design.

References
[1] http://myphliputil.pearsoncmg.com/student/bp_hoffer_modernsad_3/glossary.html
[2] http://lms.thomsonelearning.com/hbcp/glossary/glossary.taf?gid=21&start=p
[3] http://www.cogsci.princeton.edu/cgi-bin/webwn2.0?stage=1&word=abstraction
...

September 3, 2005 · 3 min · 565 words · Jim Thario

Self destructing servers

I had an idea today about how to make servers self destruct in case of some type of security breach. I guess this might be influenced by the Star Trek movie I saw the other night. They seem to blow up more Enterprises in the recent stories. My idea is to keep a blank CD-R in the drive of the server at all times. On hard disk there is an ISO file that is written to the CD-R on demand and then the server is rebooted. The server will ignore the blank CD-R during reboots until it is written with a valid image. The contents of the ISO need to be a boot loader and kernel, like Grub and Linux, plus a file system with a wipe program. The wipe program is started once the kernel is booted and it iterates through the collection of hard drives, which the kernel found during the boot process, and writes over them with a pattern.

This kind of self destruct sequence can be automated with a script and invoked through a terminal on the local network or through a VPN. It could also be loaded into cron, set to go off unless someone deactivates it on a regular basis.

So, if your servers are under heavy attack, and you have no other choice, start the count down. :-) ...

June 9, 2005 · 2 min · 221 words · Jim Thario

School work

I graduate in November and then I can grow up and get a job.

I have been attending a UNIX course in school the past few weeks. This week we have been studying some cost configurations in running UNIX and Linux for various network serving roles. A topic that came up was the benefit of using the free Linux distributions and related software for low cost server operations. I have a home network, and I think I count as a low cost operation. I will not spend excessive money on my network, and I have never felt compelled to spend money because software I need could be obtained for free.

For example, my primary server at home routes email, serves several web sites, and acts as a router between the public Internet and my home network. It is a big server. I run Fedora Core 3 as my operating system.

The email routing incorporates dovecot, sendmail, amavisd-new, SpamAssassin, and ClamAV. The last three of these programs working in tandem keep dangerous email from passing through my server. The spam analyzer learns the difference between wanted and unwanted email, while the open source ClamAV scanner automatically checks for updated virus signatures every hour. The amavisd program acts as the mediator between the spam and virus services and my email server. The best part is that tainted email is rejected in real time while the sender is trying to move it to my server.

As a network router, my giant egg basket of a server watches both incoming and outgoing connections for suspicious activity on all network adapters using Snort.

What would I pay to recreate this configuration with commercial software? ...

June 4, 2005 · 2 min · 274 words · Jim Thario