Google has gotten a lot of press lately, and it seems to be using that to launch a series of new services. These services will break Google out of the 'just a search engine' niche market it currently enjoys.

One of these new services is called gmail. Google will be offering free web email services, much like yahoo and hotmail, only with vastly more mail box space available. Linked with this, will be googles own search capability, allowing you to store all your email, and make it searchable when you need to find something in your crowded inbox.

The gotcha to all this - Google will have small ads associated with your emails as you read them. These ads will be linked to your email content, where possible.  This is the issue that has privacy groups worried. It means Google will be scanning your emails, and looking for content that it can link to one of its advertisers.

Of course the reality is that your emails are scanned on a regular basis, by your ISP, by your local provider, and by your firewall or virus protection software.  All these places are searching email content to detect and eliminate viruses, spam and worms.

Another privacy issue involved in this gmail offering is the vast quantity of emails you could be storing on Googles servers. For many of us, this isn't just the private chats we have with friends and family. This is email notifications of online banking, mutual fund accounts, medical insurance information, and even updated passwords sent in email.  Combine this detailed set of personal information with a search engine powerhouse, and you have to wonder - will they resist the urge to compile complete profiles of their gmail customers and sell that to marketeers? Or worse, will they have a security hole such that hackers can gain access to your mail boxes and search across them for private account numbers?

Like anything on the Internet, it all has to be understood, both the benefits and the risks involved.

Email has long been known to be the top avenue for hackers and spammers to attack vulnerable machines. The realities of social engineering mean this will remain the top security hole in any company or home computer use.  People will open emails, even if they know viruses spread that way. It's human nature.

To add to the paranoia, a recent report from NetworkWorldFusion ezine tells of a new security hole in Yahoo and Hotmail online email accounts.  According to this report, it may be possible for a hacker to gain access to your pc by simply opening an email.  Most viruses require you to not only open the email, but click on some other link that downloads the virus.

This is no longer true. Due to extensions to HTML to make online multimedia improvements, it is now possible to embed the virus into the email itself, triggering hacker scripts to download onto your pc the moment you open the email. It is now more important than ever to filter your emails based on known and trusted senders.  Once this security hole is exploited by some spammer or hacker, it won't take long for them to combine common spamming techniques with this new exploit, making it unsafe to even open emails from your friends list, for fear your friend has gotten the virus and is transmitting to their friends list.

It also brings up the possibility of hackers gaining access to your online email account.  Time to clean up  those old emails, and re-consider all those paperless account emails from your bank or brokerage accounts. They all become readable via this new security hole.

RADIUS is a protocol defined by IETF RFC2865 and RFC2866, with some extention RFCs involved. These documents detail the messages that pass between a RADIUS client, or Network Access Server (NAS) and a RADIUS server.  The main purposes for these messages are for Authentication, Authorization, and Accounting (AAA).

RADIUS is used frequently for remote access authentication and tracking. This is true for Virtual Private Networks (VPNs), remote logins (ssh), and now Wirless LAN access (WLANs). RADIUS servers are typically software that you get from a company like Funk, or as open source from gnu RADIUS.  You install this software on an appropriate (UNIX, WINDOWS) platform and configure it to work with your NAS.

Funk and Infoblox also sell RADIUS server appliances, that is, the RADIUS software is bundled with a dedicated (rack mountable) hardware platform. This saves you the step of integrating the software, and also should give you improved performance based on the dedicated hardware.

Authentication
RADIUS authentication happens at logon time for a remote user. The user and NAS communicate to establish connectivity parameters and the username/password pair (preferably not in clear text). The NAS then passes this username/password pair to the RADIUS server. The RADIUS server can either authenticate the user locally, or pass on the information to an LDAP or SQL backend database, or proxy it to another RADIUS Server.

Based on the RADIUS response, the user is either authenticated, rejected, or an ACCESS-CHALLENGE is issued, meaning the user and/or NAS must provide further information before the user can be authenticated.

Authorization
Once a user is authenticated by the RADIUS server, the server can optionally pass back attribute information to the NAS which includes authorization information. This could be a group parameter which associates the user with a particular set of access rights.

Accounting
Accounting information can be gathered, based on the support for accounting present in both the NAS and the RADIUS server. After authentication, the NAS sends an accounting-start message to the RADIUS server, listing the user and time of access. Then, periodically, the NAS can update accounting information with an interim message. Finally, when the NAS detects the client has logged off or otherwise left its domain, the NAS sends and accounting-stop message, with the duration of the user's time on the network, and a total of the bytes that user sent and received during that time.

This information can be used for tracking and billing purposes.

RADIUS Servers typically support a number of encryption methods to hide sensitive password and accounting information. These menthods include EAP, PAP, MSCHAP (version 1 and version 2).

Domain Name Services(DNS) are a crucial part of the Internet. Without DNS, we would all have to remember the specific Internet Protocol (IP) address for whichever website we were surfing. Imagine haveing to remember 66.218.71.88 (www.yahoo.com) or 207.171.182.16 (www.amazon.com).

DNS provides a lookup service for all our Internet access. In a nutshell, the URL you input to your web browser triggers a query to a DNS server. This server either caches (remembers) the URL, or it queries a root DNS server (a master server) for the IP address you wish to contact.

So for www.yahoo.com, your PC connects to your ISP (broadband or dialup) DNS server. If that DNS server knows 66.218.71.88, it passes back that information to your PC and your connection to Yahoo is made. If it doesn't know the IP address, it sends a query to the root DNS server for the .com domain space. This server responds with the IP address, the ISP DNS server caches (remembers) this address and passes it back to your pc.

DNS servers are the target of multiple security attacks. Imagine if I could take over the DNS server at your ISP. Now when you want to buy something at amazon.com, your PC tries to get their via an IP address from a poisoned DNS server. Instead of sending you to amazon.com, I send you to my own version of Amazon.com. It is easy enough to make the pages look the same in your browser, and because I've poisoned the DNS cache, your browser goto bar will have www.amazon.com written in it, even though you are not talking to amazon.com.

Now if you enter your credit card information for a book purchase, I have all I need to steal your identity. 

Other forms of DNS attacks will attempt to block websites entirely. This is a common attack against anti-spam sites.

The Internet has a plethora of information available on any topic imaginable. A search on network security or information security will bring up thousands of hits. So how to find sites that are useful? Well supplementing my favorites listed on the right, here are a few others.

Network Security News

• Infosyssec
• SearchSecurity

Network Security Tutorials
These sites also contain tutorials on security topics, recommended reading, and email lists for beginners.

• Security Focus
• WindowSecurity.com

I recommend Security Focus newsletters. A weekly synopsis of what the website covered over the past week, including security vunerabilties found. It contains links back to the site for the full article. A nice way to summarize what's been happening.

Spam has become the plague of everyone's email inbox. It is estimated that more than a third of all email traffic is spam, and this percentage is growing. To combat this scurge, vendors of email systems (Mail Transfer Agents - MTAs) and others have been developing complex anti-spam techniques. Before covering anti-spam technology, a brief introduction to Simple Mail Transfer Protocol (SMTP) might help.

SMTP is  IETF standard RFC821. This protocol standardized the sending and recieving of email across various MTAs, to and from Mail User Agents (MUAs) which basically means from your Eudora mailbox to my yahoo mailbox. The protocol contains headers and message syntax which allows the MTAs and MUAs to determine the incoming request (sending, recieving), the originator of the message, type of message and body of the message.

The first interesting parameter in the SMTP protocol is part of the HELO message. This contains the host name of the originator of the message. A first level of defense against spam is to use this host domain name in a DNS (Domain Name Server) lookup. Since the message is carried over IP, a DNS lookup for that IP address will return a domain name that should match the contents of the HELO message. If it does not, there is a good chance the email is spam. Early anti-spam techniques would use this DNS lookup and drop or filter the email based on a mismatch.

Unfortunately, DNS lookups are timeconsuming. With the ubiquitous nature of email communication, this approach did not scale.  The next level of defense came as blacklists. Blacklisting an email sender will effectively block or filter all emails from that source. Spammers adapted quickly to this, varying the source and making these blacklists less useful over time.

Another defense measure, the opposite of blacklists, are whitelists. Whitelists are a list of trusted email senders that will bypass your anti-spam filters. These lists can be as simple as what you can add to your own email client software via filters, or as advanced as BondedSender, which requires listed senders to put up a bond in guarantee of their good behavior. (Any legitimate complaints against the sender would result in a fine against that bond).

These techniques are helpful, but not enough. Dedicated spammers have been altering email addresses, spoofing domains, and randomly modifying email content such that direct phrase-based filtering can be bypassed. (i.e. instead of getting "GET RICH QUICK" emails, we now get "GET$$ R$ICH Q$UICK" which is harder to filter against). To combat this, anti-spam vendors are using complext heuristics against email headers and body contents. These heuristics can apply a spam "score" to the email, indicating the likelihood that the email is spam. Your email client software can then filter based on a threshold level you set for this spam score. BrightMail supplies an anti-spam product based on these heuristics.

Many of these techniques are best applied at the Internet Service Provider (ISP) level. If spam can be blocked there, then our inboxes may once again be safe and unclogged. And Internet traffic can be cleaned up before spam becomes half or more of all traffic generated.

The future of anti-spam may rely on advancements on the SMTP protocol itself, to add email identity markers (making email directly traceable to a source host) and other protocol adjustments. Until then, we need to adjust our own behavior to ignore and delete unsolicited emails.

TechRepublic recently had an article about the misconceptions of who is writing and unleasing the viruses, worms and trojans on the Internet.   While people may think the virus writers are disgruntled teenagers or long-haired dysfunctional computer programmers, a number of recent attacks (some of the Phishing scams posing as legitimate paypal or Citicorp sites) have been deliberate attacks from what seems to be Eastern European or Russsian organizations. 

An older article describes a comparison in punishments for virus writers (script kiddies) vs the cost their virus incurred on the Internet community. While we may fuss and fume that these other countries need to do more toward stemming internet crime, we aren't doing much with our own captured criminals in this area.

Storage Area Networks (SAN) and Network Area Storage (NAS) are the latest in providing high-speed access between a server and its associated data. SANs have a number of benefits over localized storage, including - single source of data across multiple servers, high-speed access (using Fibre Channel) ease of backup/redundancy, centralized management, and unified security.

SANs are built out of the interconnection of servers and data storage devices through a Fibre Channel switch.  These fibre optic (or copper wire) switches can connect in a number of topologies, including star, mesh, ring, or one-to-one, depending on the data access needs of the network. The interconnected switches, servers, and storage devices are collectively referred to as the Fibre Channel fabric, or switch fabric. Fibre Channel is a data level transport protocol which can achieve speeds upwards of 1Gigabit/sec.  The protocol itself is independent of data type, cable media, and can handle up to 1km distances between nodes. Multiple higher level protocols have been mapped to Fibre Channel, includding HIPPI, IP, and ATM. This makes it extremely flexible for SAN topologies.

Securing the switch fabric is critical to most SAN environments. This security need has been addressed by a combination of access control, and logical subdivision of the switch fabric. Access control limits which server can communicate with which storage device by controling the port to port data transmissions across the SAN switch (Zoning). Finer grain security can be provided by Logical Unit Number (LUN) Masking.  This approach limits which set of storage devices a server can communicate with based on port or World Wide Names (WWNs).

The future of SAN security will provide more role-based access control, with the addition of data encryption over the fibre channel, or via IPSec. In the future, the storage devices themselves may add encryption to the static data stored. Both HP and others are moving in this direction to address the security requirements for HIPAA and other government regulations.

I finally updated my laptop for Norton's latest security product - Norton Security 2004.  This version has Norton's personal firewall and anti-virus programs in one package. I upgraded my 2002 version in what took a few hours of scanning and loading and updating virus protection.

When it finished, I ran some tests against it. Surprisingly, it did well against Securityspace's basic and no risk free audits (tcp port scans), and Gibson Research's series of firewall tests - Shields UP and Leaktest. These are simpler tests than the tcp port scans, but also test a number of other typical firewall problem areas.

Norton passed them all. This edition puts all ports in stealth mode, which hides the system from online hackers. 

While at Gibson research's site, I also ran the dcombobulator program to turn off dcom, a common source of Microsoft security flaws. This is the same site that has the "shoot the messenger" program to turn of Microsoft Messenger, another security hole.