February 27, 2008

On March 4th, Life On The Network Will Be Better For Everyone

On March 4th, Cisco will hold an interactive online event, where Cisco will unveil an important new innovation. The event features Cisco chairman and CEO John Chambers and other leading Cisco executives, who will share an exciting new solution for enterprise and service provider companies. It will feature live, moderated chat and will be available in multiple time zones so that you can participate from your location. As a network über-user [1], you won't want to miss it.

[1] - What is in an über-user?
One who uses the human network to perform ultra-interactive feats (in real and virtual worlds) anytime, anywhere using any device.

For more info go to www.cisco.com/uberusers

February 24, 2008

The Italian Man Who Went to Malta

It's a bit older, but for those of you who haven't heard it yet, here you go: http://www.jozjan.net/x/italian_english.mp3

Do we really need to know this binary thing?

During the last two weeks I was teaching a basic networking course (CCNA Exploration 1) for T-Systems Slovakia, and when we got to binary numbers, the students were a bit confused about why they have to learn all those binary things. To make the importance of the binary system clear, I used a picture of a fancy T-shirt from thinkgeek.com, which is a pretty good example of why it is better to count on your fingers in binary than in decimal. Using the decimal system you can count on your 10 fingers only to 10 (ten). But using the binary system, you can count on your 10 fingers to 1023 (2^10-1) ;-)

Although, to be honest, it could be a bit confusing (if not dangerous) to order 4 beers by showing the number on your fingers in binary ...

Wikipedia article about Binary Fingers.

Packet Tracer 5.0 - New Features

As Cisco has published an official announcement for Packet Tracer 5.0, I think it should now be OK to republish my previous post about PT5.0:

At the request of Cisco, I am temporarily retracting this blog post.

I have been selected as a beta tester for the new Cisco Packet Tracer 5.0 for the Cisco Networking Academy. During the last week we had a MeetingPlace conference call with the PT project manager, who showed some of the new features in his presentation. Conclusion? WOW! Packet Tracer 5.0 will bring many brilliant new features. Just to mention some of them:

WOW feature #1:

PT5.0 will be multi-user. It means you will be able to run multiple instances of PT5.0 on one or more computers and then connect them together through IP sockets. With this feature you will be able to create one big topology distributed across the computers in your classroom, and each student will work on his small part of the big picture. It can lead to network games, challenge labs, etc. Great job guys!

WOW feature #2:

Native PT5.0 Linux release! Finally Linux users will be able to run PT natively, although they were already able to run it with Wine.

WOW feature #3:

Open Devel API – PT5.0 will offer an open development API for Flash ActionScript and C++. You will be able to write your own PT add-ons, features, etc. One great add-on could be a plugin which connects the virtual PT5.0 devices to real devices!

WOW feature #4:

PT portal – There will be a PT web portal which will collect information about PT: labs for PT, manuals, applications, plugins (add-ons), etc. It will be available at http://pt.netacad.net

And last, but not least, some new protocol and feature support:

  • IPv6
  • Multi-Area OSPF
  • Route Redistribution
  • Multilayer Switch (3560)
  • SSH
  • RSTP
  • Frame Relay update
  • Interface range
  • Different grades for different commands in labs
  • Possibility for locking PT to the student's name

A release for the beta testers will probably come out on 28 February 2008, and the final public release is planned for the beginning of this summer.

.htaccess - Authentication from File and LDAP or other sources at the same time

Sometimes you may need to authenticate a user against different credential stores, like standard files (.htpasswd), databases, LDAP, ...
With Apache, you can use multiple authentication sources by listing them, in order, in the AuthBasicProvider directive.

The configuration below will authenticate a user first against a file (.htpasswd) and then against LDAP accounts.

AuthName 'Enter your Username and Password:'
AuthType Basic

# Authenticate against file and then against ldap
AuthBasicProvider file ldap

# auth file
AuthUserFile /var/www/.htpasswd

# LDAP auth fallback to other auth mechanisms
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://10.0.0.1:6361/ou=web,dc=top?cn?sub?(objectClass=*)

# File auth
Require valid-user
# LDAP auth
Require ldap-attribute objectClass=simpleSecurityObject

You can use it in your Apache's configuration and in the .htaccess as well.
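To make the provider ordering concrete, here is an added Python model of how Apache's mod_auth_basic walks the AuthBasicProvider list. It is example code written for this post, not part of the original post and not Apache's own code: the .htpasswd contents and the "directory" are constructed inline, the LDAP provider is a dictionary standing in for a simple bind, and only the {SHA} password scheme (htpasswd -s) is implemented. The point it shows is that only "user not found" falls through to the next provider: a wrong password against an entry in .htpasswd is a final denial, so an LDAP account with the same username is never consulted.

```python
import base64
import hashlib
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# The three outcomes Apache's mod_auth_basic distinguishes while walking
# the AuthBasicProvider list (names are this example's own).
AUTH_GRANTED = "granted"
AUTH_DENIED = "denied"
AUTH_USER_NOT_FOUND = "user_not_found"

Provider = Callable[[str, str], str]


def sha_entry(user: str, password: str) -> str:
    """Build one {SHA} line the way `htpasswd -s` does: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


# Constructed sample .htpasswd contents (not a real file from the post).
SAMPLE_HTPASSWD = "\n".join([
    "# comment lines and blank lines are ignored",
    "",
    sha_entry("alice", "correct horse"),
    sha_entry("bob", "battery staple"),
])

# Constructed stand-in for the LDAP directory: user -> password a simple bind
# would accept. Note that alice exists here too, with a different password.
SAMPLE_DIRECTORY = {"alice": "ldap-pass", "carol": "carol-pass"}


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Return user -> stored hash, skipping comments and blank lines."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def file_provider(entries: Dict[str, str]) -> Provider:
    """Behaves like mod_authn_file: unknown user -> NOT_FOUND, bad password -> DENIED."""
    def check(user: str, password: str) -> str:
        stored = entries.get(user)
        if stored is None:
            return AUTH_USER_NOT_FOUND
        if not stored.startswith("{SHA}"):
            return AUTH_DENIED  # only the {SHA} scheme is implemented in this example
        expected = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        # constant-time comparison so the check leaks nothing about the stored hash
        return AUTH_GRANTED if secrets.compare_digest(expected, stored[5:]) else AUTH_DENIED
    return check


def ldap_provider(directory: Dict[str, str]) -> Provider:
    """Stand-in for mod_authnz_ldap: a real provider would look up the user's DN
    and attempt a simple bind with the supplied password."""
    def check(user: str, password: str) -> str:
        if user not in directory:
            return AUTH_USER_NOT_FOUND
        return AUTH_GRANTED if secrets.compare_digest(directory[user], password) else AUTH_DENIED
    return check


def authenticate(providers: List[Tuple[str, Provider]], user: str,
                 password: str) -> Tuple[Optional[str], str]:
    """Walk the providers in AuthBasicProvider order.

    Only AUTH_USER_NOT_FOUND falls through to the next provider; the first
    provider that knows the user decides, as mod_auth_basic does.
    Returns (name of the deciding provider or None, result)."""
    result = AUTH_USER_NOT_FOUND
    for name, check in providers:
        result = check(user, password)
        if result != AUTH_USER_NOT_FOUND:
            return name, result
    return None, result


# Equivalent of "AuthBasicProvider file ldap"
PROVIDERS: List[Tuple[str, Provider]] = [
    ("file", file_provider(parse_htpasswd(SAMPLE_HTPASSWD))),
    ("ldap", ldap_provider(SAMPLE_DIRECTORY)),
]


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "ldap-pass"),
                     ("carol", "carol-pass"), ("dave", "whatever")]:
        print(user, pw, "->", authenticate(PROVIDERS, user, pw))
```

The practical consequence for the configuration above: a stale or forgotten entry in .htpasswd shadows the LDAP account of the same name, so the file should only contain users that are meant to be decided by the file.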

.htaccess - Redirect to SSL (HTTPS) before Basic Authentication

I prefer running a site in HTTP-only mode when no confidential information (usernames, passwords, credit card numbers, etc.) is transferred. It saves some CPU time because there is no need to encrypt the data. But I strongly recommend using HTTPS for any exchange of confidential information between a web browser and a web server.

I was facing a situation where I had to authenticate a user on an Apache web server which provided both HTTP and HTTPS connections. By default, a web application running on that server was accessed only over HTTP. I had no access to Apache's configuration (no root access), which would not be a problem if I only wanted a .htaccess and .htpasswd based basic HTTP authentication without anything else. It's pretty easy then. Just create a .htaccess file with contents like this:

AuthName 'Enter your Username and Password:'
AuthType Basic
AuthUserFile /var/www/myweb/.htpasswd
Require valid-user

and a .htpasswd file (see man htpasswd) which will contain the usernames and their (hashed) passwords.

Then put the .htaccess file into the directory which you want to protect with a username/password.

You can even customize it by adding a FilesMatch section to require credential validation only when accessing some files:

AuthName 'Enter your Username and Password:'
AuthType Basic
AuthUserFile /var/www/myweb/.htpasswd
# Require is placed only inside FilesMatch, so files not matching the pattern stay public
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
      Require valid-user
</FilesMatch>

As I said above, I prefer an HTTPS connection when confidential information is transferred over an IP network (in this case a username and password). So the thing I wanted to do was first to redirect the web browser to the HTTPS site and only then request the credentials. This was the point where I ran into a bottleneck. If an authentication procedure is defined for a directory or a file, the authentication has higher priority than a redirect command (mod_rewrite - redir). So the user is first authenticated, then moved to the HTTPS site and then authenticated once again. The problem is that the first authentication is transferred in HTTP cleartext, which is definitely not secure.

AuthName 'Enter your Username and Password:'
AuthType Basic
AuthUserFile /var/www/myweb/.htpasswd
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
      RewriteEngine on
      # If the connection is not HTTPS then apply the next Rewrite rule
      RewriteCond %{HTTPS} !=on
      RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI}  [R,L]
      Require valid-user
</FilesMatch>

After some hours spent with the configuration and RTFM, I found a hack which is maybe not the ideal solution, but it's pretty good and it works.

There is an Apache configuration directive which can be used in .htaccess as well. If the "SSLRequireSSL" directive is specified for a directory or a file and it is accessed over a connection which is not SSL secured (HTTPS), Apache will return a 403 error code and send an error message to the web browser. The "SSLRequireSSL" directive has higher priority than the authentication itself, so it will return this error code whenever the connection is not SSL secured.
So far so good, but the problem is that the user will just see an error page and is still not automatically redirected to the HTTPS connection. The workaround is a bit tricky. You can define your own custom error documents, which are displayed when an error code is thrown. You have definitely seen these fancy custom error documents for the 404 - Page Not Found error code.

So the workaround was to use the ErrorDocument directive in the .htaccess file. The custom page defined in ErrorDocument is called when the error code is thrown. The page itself gets information about the original request, so you can write a custom error page in some server-side scripting language and generate some "special" events. I created a Perl CGI script (there was no PHP support on that site) which redirects the browser to the HTTPS site, which is exactly what I wanted in the beginning. So here is the .htaccess file:

AuthName 'Enter your Username and Password:'
AuthType Basic
AuthUserFile /var/www/myweb/.htpasswd
# Require is placed only inside FilesMatch, so files not matching the pattern stay public
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
      SSLRequireSSL
      ErrorDocument 403 /bin/move.pl
      Require valid-user
</FilesMatch>

and the move.pl file goes here:

#!/usr/bin/perl -T
use strict;
use warnings;
use CGI qw(:standard);

# Rebuild the URL of the original request with the https scheme. Apache passes
# the original request's SERVER_NAME and REQUEST_URI to an ErrorDocument CGI.
my $path = "https://$ENV{'SERVER_NAME'}$ENV{'REQUEST_URI'}";

# Plain HTTP on port 80: answer with a redirect instead of the 403 error page.
# The Status header overrides the 403 that SSLRequireSSL generated.
if ( $ENV{'SERVER_PORT'} == 80 ) {
    print "Status: 302 Moved\n";
    print "Location: $path\n\n";
}
else {
    # Reached over HTTPS, so the 403 was not caused by SSLRequireSSL.
    print "Content-type: text/html\n\n";
    print "How did you get here???";
}

With this combination, if the files defined in the FilesMatch directive are accessed over an HTTP-only connection, a 403 error code is thrown by SSLRequireSSL, which is handled by the ErrorDocument directive. The /bin/move.pl CGI Perl script is called, which then redirects the web browser to the HTTPS site. Furthermore, if the files defined in the FilesMatch directive are accessed over HTTPS, the user is asked to authenticate with his username/password.
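The ordering described above (FilesMatch, then SSLRequireSSL, then the ErrorDocument redirect, and only then Basic authentication) is what keeps the credentials off the cleartext connection. The following Python model is an added example for this post, not Apache's code and not from the original post: it takes the FilesMatch pattern from the .htaccess above, assumes Require valid-user lives only inside the FilesMatch block (so non-matching files are public), and uses a constructed plaintext user table in place of the .htpasswd hashes. It returns the status and headers a browser would see for each kind of request.

```python
import base64
import re
import secrets
from typing import Dict, Optional, Tuple

# Pattern copied from the FilesMatch directive in the .htaccess above.
PROTECTED = re.compile(r"(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*")

# Constructed stand-in for the .htpasswd contents (plain text for brevity;
# a real file holds password hashes).
USERS: Dict[str, str] = {"alice": "correct horse"}

REALM = "Enter your Username and Password:"


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse an Authorization: Basic header; None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle(host: str, path: str, https: bool,
           authorization: Optional[str] = None) -> Tuple[int, Dict[str, str]]:
    """Decide a request the way the final .htaccess does, in Apache's order:
    1. FilesMatch: is this one of the protected files? If not, serve it.
    2. SSLRequireSSL: not HTTPS -> 403, which ErrorDocument hands to move.pl -> 302.
    3. Require valid-user: demand Basic credentials, now only over HTTPS.
    Returns (status, response headers)."""
    filename = path.rsplit("/", 1)[-1]
    if not PROTECTED.search(filename):
        return 200, {}  # unmatched file: no SSL requirement and no auth
    if not https:
        # The 403 never reaches the browser: move.pl answers with a redirect,
        # and no Authorization header was ever requested over plain HTTP.
        return 302, {"Location": f"https://{host}{path}"}
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = decode_basic(authorization)
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not secrets.compare_digest(expected, password):
        return 401, challenge
    return 200, {}


if __name__ == "__main__":
    print(handle("www.example.org", "/wiki/edit.cgi", https=False))
    print(handle("www.example.org", "/wiki/edit.cgi", https=True))
    print(handle("www.example.org", "/wiki/edit.cgi", https=True,
                 authorization=basic_header("alice", "correct horse")))
```

Compare this with the mod_rewrite attempt earlier in the post: there the Require step ran before the redirect, so the first 401 challenge (and the browser's reply carrying the password) travelled over plain HTTP. Here the HTTP branch returns before any challenge is issued.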

It's maybe not the best solution, but it works, and it's enough to have .htaccess definitions enabled.

Enjoy!