
NEWS YOU CAN USE FROM VANDYKE SOFTWARE®

A Monthly Newsletter - November 2003

First, some highlights from the recent LISA 2003 conference, with a focus on time management for sysadmins. Then, in case you stay awake at night thinking of ways to secure file sharing, this month's tip covers securing SMB shares on Windows. Finally, just as you finish your holiday wish list, Marc Orchant reviews the newest book on Secure Shell by Himanshu Dwivedi of @Stake, with a bonus online interview with the author.


-------------
Contents
-------------

1. Feature - LISA Conference Report
2. Tip - Tunneling Samba (SMB) with SecureCRT(R)
3. Recommended Reading - "Implementing SSH"
4. New Releases
5. Current Releases


-----------------------------------------------------------------------------------------
1. Feature - LISA Conference Report: Time Management A Big Hit
-----------------------------------------------------------------------------------------


The annual Usenix Large Installation System Administration (LISA) conference, held October 26-31 in San Diego, covered its typical wide range of topics and issues, from combating spam and biometrics to Howard Dean and a GLBTF BOF. If you have never attended, consider a future field trip to gain knowledge and expand your professional network. You can find information on upcoming meetings at www.usenix.org/events, and conference proceedings are available as well to Usenix members.

Some LISA tutorials covered hardening common operating systems like FreeBSD and Mac OS X. In one popular session, Steve Acheson and Laura Kapur presented on "Architecting a Secure Environment." They laid out the political and financial layers that network administrators need to add to the OSI model to successfully implement a secure network.

One of the most jammed sessions addressed a softer topic than authentication or security architecture: time management for system engineers. Working system administrator Tom Limoncelli spoke to a packed auditorium of 150 people, and received a standing ovation. He addressed why standard approaches don't work for sysadmins (they get interrupted constantly, have lots of short-term projects, and don't like being told how to do their work), the importance of having a system for time management, the advantages of PDAs and paper planners, and the value of help desk software, among many other points.

You can find more of Tom's ideas in his book "The Practice of System and Network Administration," Addison Wesley 2003, ISBN: 0201702711, www.everythingsysadmin.com.

Just in case you are one of those people who does like to absorb new ideas on managing your time, we compiled a list of our favorite books on managing your time and focus for projects great and small.

  • "Getting Things Done: The Art of Stress-Free Productivity", by David Allen, (Penguin 2003, ISBN: 0142000280). Allen is a charismatic, unconventional thinker who has trained thousands at Goldman Sachs, VanDyke Software, and other companies. Find information on seminars at www.davidco.com. Highly recommended.

  • "To Do, Doing, Done", by Snead, Wycoff, and Snead, (Fireside 1997, ISBN: 0684818876). Basic tools and techniques from the Franklin Quest "Planning for Results" seminar.

  • "Extreme Programming Explained", by Kent Beck, (Addison-Wesley 2000, ISBN: 0201616416). An introduction to eXtreme Programming, an agile development methodology that has revolutionized how software can be developed. Many of the practices in XP can be adapted to "agile system administration" and help improve responsiveness as well as save time.

  • "Who Moved My Cheese?", by Johnson and Blanchard, (Putnam 1998, ISBN: 0399144463). Not directly related, but valuable insight on our reaction to change at work and how not to waste time on it, from the authors of the "One-Minute Manager" series.

Finally, for any cynics out there, an amusing title:

  • "Who Cut The Cheese? - An A-Mazing Parody about Change (and How We Can Get Our Hands on Yours)", by Stilton Jarlsberg, Kenneth Bleucheese, (Crown 2000, ISBN: 0609608916).


-----------------------------------------------------------------
2. Tip - Tunneling Samba (SMB) with SecureCRT
-----------------------------------------------------------------

Do you use Samba (SMB) to provide file services to your users? You might have worried about security for these mounts. Never fear: SMB services can be accessed securely through Windows Explorer using a Secure Shell tunnel provided by SecureCRT® or Entunnel™. There is a significant tradeoff involved, since SMB support is mutually exclusive with Windows File and Print Services, but the added security may be worth it to your organization.

Setting up a Secure Shell tunnel for SMB involves a choice between two approaches and significant configuration changes. You can provide a tunnel for SMB to only the machine running SecureCRT or Entunnel, or use a "gateway" machine to allow access from multiple clients. The sections below describe the two approaches. For complete step-by-step instructions, visit the following page on the VanDyke Support web site:

http://www.vandyke.com/support/tips/tunnel_smb.html

In both cases, the Windows client machine will not be able to share any local files or printers, as File and Printer Sharing must be uninstalled in order to allow Entunnel or SecureCRT to bind to the required port (139) to accept incoming connections.

Secure Single-PC Access To An SMB Share
-----------------------------------------------------------

If you have only one machine, remote or on a LAN, that needs a secure tunnel to an SMB share, you will probably want to follow the first set of steps. This allows access to the share from only the machine running Entunnel or SecureCRT.

  • Configure the local network interface so that NetBIOS over TCP/IP is enabled.
  • Remove the File and Printer Sharing component from the PC.
  • Create a session in SecureCRT or Entunnel that connects to the remote Secure Shell server, forwarding from 127.0.0.1 port 139 to the remote SMB server.
  • Edit the .ini file of the newly-created session to allow requests from all addresses. This step is necessary because Windows uses the external IP address of the machine as the source address when making the connection.
  • Start Entunnel or SecureCRT and connect to the SMB-forwarding session.

You can now use Windows Explorer to browse the shares on the remote SMB server, and can also map a network drive with the path:

\\127.0.0.1\SHARE_NAME


Secure "Gateway" Access For Multiple PCs To An SMB Share
-----------------------------------------------------------------------------------

To set up a secure tunnel to an SMB share that is accessible to multiple users within a local network, follow the second set of steps. The "gateway" machine running SecureCRT or Entunnel will not be able to map any network shares itself.

  • Configure the local network interface so that NetBIOS over TCP/IP is disabled.
  • Remove the File and Printer Sharing component from the "gateway" PC.
  • Create a session in SecureCRT or Entunnel to connect to the remote Secure Shell server and forward port 139 to the remote SMB server.
  • Edit the .ini file of the newly-created session to allow requests from all addresses. This step is necessary because Windows uses the external IP address of the machine as the source address when making the connection.
  • Start SecureCRT or Entunnel and connect to the SMB-forwarding session.

You can now use Windows Explorer on a separate machine to browse the shares on the remote SMB server, and can also map a network drive with the path:

\\IP_ADDRESS_OF_TUNNEL_GATEWAY_MACHINE\SHARE_NAME
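
A check to run after either set of steps, added here as an example and not part of the original newsletter or VanDyke's own code: it parses Windows `netstat -ano` output to report which address the port 139 forward is listening on and which process ID owns it. The sample output is constructed and the function names are illustrative.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING       2136
  TCP    192.168.1.20:1045      10.0.0.5:22            ESTABLISHED     2136
  UDP    192.168.1.20:137       *:*                                    4
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def find_listeners(netstat_text, port=139):
    """Return [(local_addr, pid)] for TCP sockets LISTENING on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns; headers and UDP rows are skipped.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, local_port = split_endpoint(fields[1])
        if local_port == port:
            found.append((addr, int(fields[4])))
    return found

def classify(addr):
    """Describe who can reach a listener bound to `addr`."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback-only"     # expected for the single-PC setup
    if ip.is_unspecified:
        return "all-interfaces"    # gateway setup: any host that can reach it
    return "single-interface"

def audit(netstat_text, port=139):
    """Return [(local_addr, pid, scope)] for every listener on `port`."""
    return [(a, pid, classify(a)) for a, pid in find_listeners(netstat_text, port)]

if __name__ == "__main__":
    for addr, pid, scope in audit(SAMPLE_NETSTAT):
        print(f"{addr}:139 pid={pid} -> {scope}")
```

Compare the reported PID with the SecureCRT or Entunnel process to confirm the tunnel, rather than Windows file sharing, owns the port. In the gateway setup only the leg from the gateway to the Secure Shell server is encrypted; the hop from each client PC to the gateway is ordinary SMB on the local network.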


----------------------------------------------------------------
3. Recommended Reading - Implementing SSH
----------------------------------------------------------------

"Implementing SSH: Strategies for Optimizing the Secure Shell," by Himanshu Dwivedi, (John Wiley & Sons 2003, ISBN: 0471458805) is a tactical guide to installing, implementing, optimizing, and supporting Secure Shell in order to secure your network.

Himanshu Dwivedi, Security Architect for @Stake, explains how Secure Shell provides the core requirements for better network security: authentication, authorization, encryption, integrity, and auditing. He also lays out ways to optimize the protocol for security and functionality on Unix, Windows, and network architecture environments. Dwivedi explores implementations by VanDyke Software, SSH Communications, and OpenSSH.

Incorporating architectural examples and case studies, the book focuses on acquiring the necessary skills to:

  • Replace nonsecure protocols such as Telnet, rlogin, and FTP.
  • Use Secure Shell on network devices otherwise managed by Telnet.
  • Explore remote access solutions, including the concept, setup, and configuration of port forwarding.
  • Take advantage of features such as secure e-mail, proxy, and dynamic port forwarding.
  • Employ Secure Shell as a lightweight alternative to VPNs.
  • Use Secure Shell to secure Web browsing and as a secure wireless (802.11) solution.

Recently we sat down with Himanshu Dwivedi to discuss why he felt the book was needed and what he'd like to see improved in the protocol and its implementations. Read the complete interview here:

http://www.vandyke.com/aboutus/news/newsletters/resources/implement_ssh.html


-----------------------
4. New Releases
-----------------------

Beta releases are available for SecureCRT 4.1, SecureFX® 2.2, CRT™ 4.1, and AbsoluteFTP® 2.2.

The beta 5 releases of SecureCRT 4.1 and SecureFX 2.2, when used with VShell™ 2.2, provide support for Kerberos v5 authentication.

New maintenance releases are also available for VShell 2.2.3, SecureCRT 4.0.9, Entunnel 1.0.8 and CRT 4.0.9.

You can download new releases at:

http://www.vandyke.com/download/index.html

For quick access to previous official releases, go to:

http://www.vandyke.com/download/prevreleases.html


---------------------------
5. Current Releases
---------------------------

The following lists our latest official product releases:

SecureCRT 4.0.9
SecureFX 2.1.8
Entunnel 1.0.8
CRT 4.0.9
AbsoluteFTP 2.0.5
VShell 2.2.3 Server for Windows
VShell 2.2.3 Server for UNIX
    Red Hat Linux 7
    Red Hat Linux 8
    Red Hat Linux 9
    Solaris 8
    FreeBSD 4.8
    HP-UX 11
    Mac OS X

To download any of our current releases, go to:

http://www.vandyke.com/download/index.html


To download an extended version of OpenSSH 3.7.2 p2 that supports the public-key subsystem, visit:

http://www.vandyke.com/download/os/pks_ossh.html


All VanDyke Software products may be downloaded and evaluated at no cost for 30 days. Licenses include one year of free upgrades and unlimited access to our expert technical support.


Pass it along! If you find this monthly newsletter helpful and informative, forward it to co-workers or friends, or tell them where to sign up.

http://www.vandyke.com/support/newreleasemailinglist.html


--------------------------
What do you think?
--------------------------

Let us know what you think about this issue. Was the tip useful? Did you like the feature? Is there a topic you'd like to see us write about? Send us an e-mail at:

  


----------------------------------
Subscription Information
----------------------------------

VanDyke Company News is an opt-in mailing list. If you prefer not to receive e-mail like this from us, or need to change your e-mail address, go to:

http://www.vandyke.com/support/newreleasemailinglist.html


---

VanDyke Software, AbsoluteFTP, CRT, Entunnel, SecureCRT, SecureFX, and VShell are trademarks or registered trademarks of VanDyke Software, Inc.

All other products and services mentioned are trademarks or registered trademarks of their respective companies.
