Letters to the Editor
In the article “Designing and Using DMZ Networks ...” [March 2001] Mick Bauer covered ways of securing DMZ hosts. In my opinion he missed a simple but very efficient tool to detect intruders at DMZ hosts or firewalls: Tripwire. It calculates checksums for all files on the system and stores these fingerprints in a database. Doing a compare run against this database in regular intervals (cron), it is easy to detect changes. If somebody modified /bin/login, /etc/passwd or installed other back doors, you will realize it at least after the next compare run. The key is to store Tripwire itself and the initial database on read-only media (e.g., CD-ROM) to prevent modifications. There is no way in doing the same with diff, as mentioned in the article.
Tripwire is commercial software now, but there is a GNU GPL edition for Linux available at www.tripwire.org and www.tripwire.com/. There is another GPL'd software dealing with the same subject, but I never tried it. It is at www.cs.tut.fi/~rammer/aide.html.
Another issue is the design of the DMZ shown in Figure 2. I wouldn't recommend having all hosts in a single DMZ. If you are using three different boxes for doing the job, you should use three DMZs as well . If one of the machines is compromised by an intruder, he has to cross the firewall again to attack the others. So fill up your firewall with additional NICs and use crossed cables—you won't need a switch either.
I enjoyed Robin Rowes' article, “Debian Multiboot Installation” LJ, March 2001, but have a couple of points to make about it. In the part about running rawrite2.exe, it is implied that you can't run this program from a FAT32 partition. This is wrong; the versions of DOS that come with Win98 (and Win95 OSR2) know about FAT32 (but not long filenames); otherwise, they wouldn't be able to boot Windows from a FAT32 partition either. Perhaps the author had FIPS (the DOS repartitioning tool) in mind at the time, the original versions of which cannot handle FAT32.
A discussion of the problems with WindowsME would have been useful. This is basically Windows98 with a flashier GUI and other useless features, except Microsoft tried as hard as possible to stop you from running its DOS in “real” (16-bit) mode, mainly by nobbling the FORMAT and SYS commands and removing the options for starting or restarting in DOS mode.
To boot to DOS in WindowsME, create a startup floppy from Control Panel --> Add/Remove Programs --> Startup Disk. If you reboot the PC from this floppy and select the Minimal Boot option, you will end up at a DOS prompt from which you can change to drive C: and run the rawrite2.exe program as instructed in the article. Alternatively, you could get your own back on Microsoft by nobbling the startup floppy to get CD support and a DOS prompt without any of that Windows recovery malarkey. (The easiest way is just to rename the AUTOEXEC.BAT file.)
Also, a lot of the pathnames in the article use forwardslashes instead of backslashes.
Rowe replies: You are correct that covering WinME would have been nice. The only reason I didn't was I don't have a copy and didn't want to buy one. Thanks for the nice notes on how to use it. Another interesting approach that I haven't tried is using WinImage to create the Debian floppies. I think you are right about being able to see a FAT32 partition when booting from a newer DOS. I haven't tried that in a long time, since I generally prefer FAT16 or NTFS partitions. I should have created a FAT32 partition to test that, but was in a rush to complete the article and didn't. Thanks for the correction. I've never used FIPS. Forwardslashes are correct in UNIX or Windows, although Windows persists in defaulting to backslashes. Using forwardslashes everywhere is a habit I picked up in writing portable code. Unfortunately, that only works with UNIX and Windows. The Mac doesn't like slashes (forward or back). Darwin will, I hope, change that. If you go to the file search box in Win2k, for instance, and use forwardslashes, that works fine. The one place it won't accept forwardslashes is at the DOS command prompt.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- ServersCheck's Thermal Imaging Camera Sensor
- The Italian Army Switches to LibreOffice
- Linux Mint 18
- Petros Koutoupis' RapidDisk
- Oracle vs. Google: Round 2
- The FBI and the Mozilla Foundation Lock Horns over Known Security Hole
- Privacy and the New Math
- Chris Birchall's Re-Engineering Legacy Software (Manning Publications)
Until recently, IBM’s Power Platform was looked upon as being the system that hosted IBM’s flavor of UNIX and proprietary operating system called IBM i. These servers often are found in medium-size businesses running ERP, CRM and financials for on-premise customers. By enabling the Power platform to run the Linux OS, IBM now has positioned Power to be the platform of choice for those already running Linux that are facing scalability issues, especially customers looking at analytics, big data or cloud computing.
￼Running Linux on IBM’s Power hardware offers some obvious benefits, including improved processing speed and memory bandwidth, inherent security, and simpler deployment and management. But if you look beyond the impressive architecture, you’ll also find an open ecosystem that has given rise to a strong, innovative community, as well as an inventory of system and network management applications that really help leverage the benefits offered by running Linux on Power.Get the Guide