March 2001
After being introduced to the FreeBSD operating system back in March of 2000, I was so amazed with it that I wanted to find a way to use it in the office where I work.
Two years before that, I had gotten my feet wet with Linux, mostly tinkering with Caldera and Red Hat. I was impressed with Linux as well. So much so, that I joined a local Linux Users Group, <www.sllug.org>. It was during one of our user group meetings that I was introduced to FreeBSD. During the meeting, CDROM sets of FreeBSD 3.4 were handed out and I was lucky enough to get one!
The very next day, I installed FreeBSD on an old PC at home and was immediately amazed. The overall configuration and layout of FreeBSD, from the installation choices to the directory and file structure, were in a really logical order. Everything about it just seemed to make more sense.
One of the things I was most impressed with was how easy it was to install applications from the vast ports collection. I also liked how FreeBSD gives you the choice of which applications you want as part of the base install. Some OSes seem to include a lot of applications during the install process that you may or may not have interest in using. This can be especially troublesome if you have an old pc with a small hard drive. I like the idea of installing just the core operating system and then having the choice of going back and installing what I want. I mean, who really needs fifteen different text editors, when two or three will do?
After tinkering with FreeBSD at home for a while, amidst all the noise and distractions that go with a family setting, I decided to see if I could install it on an unused PC at work. The logic being that I would have the chance to learn more about BSD/UNIX at work, since, like most of us in this day and age, this is where I spend the bulk of my time.
As luck would have it, I was able to locate an older Compaq Deskpro PC that wasn't being used. It was a 200 MHz machine with 64 MB of RAM and a 4 GB hard drive. It turned out to be the perfect choice. FreeBSD 3.4 installed easily on it, using the entire hard disk. During the install process, I was given the choice of either manually creating the necessary partitions or selecting 'A' and letting FreeBSD do it automatically. Since I had only installed FreeBSD once before, I decided to let FreeBSD do the dirty work. Before I knew it, I had a powerful, stable and functional operating system at my fingertips!
After spending a week or two in exploration, I discovered that the famous and powerful Apache web server was already running! I stumbled into this when I pointed the web browser on another workstation to the IP address I had given my FreeBSD system. I was immediately overwhelmed with excitement and fascination when I saw the Apache welcome screen. This discovery spawned a great idea. Previously, our office had never implemented a local intranet. I knew that the use of corporate intranets was widespread and anticipated the need for such a useful source of help and information in our office.
I immediately set to work, creating web pages with Netscape Composer that contained helpful information our users could draw upon when they needed it. I was amazed at how fast it was to access these pages through a web browser, rather than accessing the same information locally, from a file server or email database. This was especially apparent while dialed into our network remotely.
A few months after I put FreeBSD/Apache to work, news came from upper management that there was an interest in employing the use of intranets at all the remote field offices. Other web servers and content soon sprang forth and now we have a fully functioning intranet in place and more and more of our employees are showing interest and becoming involved. We have more than a few employees now who are acting as content publishers and are creating and maintaining sections of our intranet themselves. There are also more than a few employees and co-workers who are now interested in the BSDs and wish to learn more.
The Apache web server (http://www.apache.org) was a great find, but it was hardly the end of many discoveries I would make and ideas I would come up with. After more reading, research and tinkering, I had an FTP server running and after a few days, had a Samba server (http://www.samba.org) running as well. This proved to be invaluable, since now, I can create web pages from any workstation on our network and copy them directly to the web directory on my FreeBSD system!
Acceptance and interest in the various BSD Operating Systems, and what they are capable of, was growing. Not only were co-workers in my department taking notice, but my managers as well. Just the cost saving factors alone that come with the use of BSD, and other Open Source operating systems and applications, are hard not to take notice of.
Our division had recently moved to a brand new building in an industrial section of our city. The building was constructed from the ground up with our business needs in mind. Everything in the building has a spacious and contemporary look and feel, including a state of the art data center that can be seen through large glass windows from one of the main hallways. Our network is fast, at 100 megabits.
A few months after we moved into our new building, one of my managers voiced the need for some kind of network monitoring software or tool that we could employ to monitor the health of our network and identify problems. He was considering the purchase of an expensive, hand held monitoring tool that would cost thousands of dollars. I told him that I probably already had some kind of network analysis software on my FreeBSD machine and asked him to give me a little time to find out. I also told him that if I was able to find something that would do what we wanted, we could save our office and the company a lot of money. He agreed and I was soon searching the ports collection on my FreeBSD machine for just such a utility.
It didn't take me long to discover that I already had access to powerful network analysis utilities like The Ethereal Network Analyzer and Snort. (See http://www.ethereal.com/ and http://www.snort.org or the "man" page equivalents.)
I decided to go with The Ethereal Network Analyzer because it was the most GUI-oriented of the utilities that I found and was a more tangible and suitable way for me to present network analysis information. (To see screen shots of Ethereal, go to http://www.ethereal.com/introduction.html#screens.) Most of my managers and co-workers use Windows NT and have never had exposure to UNIX terminal screens or UNIX shell access, much less the BSDs or even Linux.
After installing Ethereal by going into /usr/ports/net/ethereal and typing "make install clean", I did as much research on the use of Ethereal as I could by reading the accompanying documentation (the ethereal(1) man page) and by visiting the main web site at http://www.ethereal.com.
During my first attempt at using Ethereal to monitor our network, I was able to immediately identify a problem and report it so that corrective action could be taken. Since Ethereal must be run from "root", I "su'd" over to my root account and launched Ethereal by typing "ethereal" at the command prompt. From the top menu, I chose "Capture" and "Start". Since I didn't yet know how to supply a filter for the session, I just made sure that "Update list of packets in real time" and "Enable name resolution" were selected. The default interface to collect from was "xl0" and "Count" was "0 (infinite)".
I noticed that one of our Lotus Notes Domino Servers, running on the IBM iSeries platform, was sending out a barrage of network announcements. I immediately went to our Lotus Notes Administrator and asked if he was aware of any problems. He said he hadn't heard of any and just when I was about to leave, one of our employees that was engaged in development on the server, came in and said that she was unable to log on. It turned out that the problem was with the TCP/IP configuration and was soon corrected.
Right away, my managers could see that this was a useful and powerful utility to have in place and I still receive requests all the time to identify possible problems and collect information on individual nodes on our network.
Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. (see http://www.ethereal.com/ and http://www.snort.org/what_is_snort.htm).
I use Ethereal for general network analysis and Snort to collect information from a specific node on our network. However, both Ethereal and Snort can collect information from specific nodes or IP addresses on a network.
With Ethereal, you need to create a filter by selecting "Capture", "Start" and click the "Filter" button. Next, give your filter a name in the "Filter name" box and then supply a string in the "Filter String" box.
To collect information on a specific IP address, I typically use "net" followed by the target IP address. For example: "net 10.1.999.999". After supplying all the correct information, click the "New" button, the "Save" button and then "OK". Your new filter will then show up in the "Filter" box under "Count" in "Capture Preferences". Make sure that "Update list of packets in real time" is selected and click "OK" to start collecting information. More detailed information on how to collect network information can be found at http://www.ethereal.com/ and by reading the ethereal(1) man page.
Recently, I and other members of our department had reason to believe that an intruder was trying to gain direct access to one of the nodes on our network via telnet or by using a port sniffer. I used Snort to effectively capture packet information from this node by changing to root and typing "snort -eadv IP_ADDRESS", where "IP_ADDRESS" is the IP address of the specific node you want to capture information on. Snort hands whatever follows its options to libpcap as a capture filter, so in the filter grammar the address is normally introduced by a keyword such as "host". Snort's options are case sensitive. Option "e" displays the packet Ethernet (link-layer) addresses. Option "a" displays ARP packets. Option "d" dumps the application-layer payload of each packet, which is where the hex and text columns in Figure 1 come from. Option "v" tells Snort to be verbose. The upper-case forms do something different: "-A" sets the alert mode to fast, full, or none (alert file alerts only) and "-D" runs Snort in the background (daemon) mode, where nothing is displayed on the terminal. For the full list of Snort options, log in as root and use "snort -?".
Figure 1 below is an example of what Snort will display when someone tries to access a specific node with telnet.
Figure 1 - Typical Snort telnet packet display:
--------------------------------------------------------------------------
20:59:49.153313 0:10:4B:D:A9:66 -> 0:60:97:7:C2:8E type:0x800 len:0x7D
192.168.1.3:23 -> 192.168.1.4:1031 TCP TTL:64 TOS:0x10 DF
***PA* Seq: 0xDF4A6536   Ack: 0xB3A6FD01   Win: 0x446A
FF FA 22 03 03 E2 03 04 82 0F 07 E2 1C 08 82 04  .."..............
09 C2 1A 0A 82 7F 0B 82 15 0F 82 11 10 82 13 FF  ................
F0 0D 0A 46 72 65 65 42 53 44 20 28 65 6C 72 69  ...FreeBSD (elri
63 2E 68 6F 6D 65 2E 6E 65 74 29 20 28 74 74 79  c.home.net) (tty
70 30 29 0D 0A 0D 0A                             p0)....
---------------------------------------------------------------------------
In Figure 1, telnet access is identified in the line "192.168.1.3:23 -> 192.168.1.4:1031". 192.168.1.3 is the "from" address and 192.168.1.4 is the "to" address, i.e. the address of the node that is being monitored by Snort. Port number "23" at the end of the "from" address signifies telnet access: 23 is the telnet server's well-known port, so this packet is the server side of the session talking to the monitored node.
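As an added example (not part of the original article), here is a small Python parser for the text record that Snort prints with "-e", "-d" and "-v", using the Figure 1 record re-typed as constructed input. It pulls out the addresses and ports, flags the record as telnet when port 23 appears on either side, strips the telnet option negotiation (the IAC bytes, 0xFF, at the start of the payload) and recovers the cleartext banner, which is exactly why telnet traffic on a network is worth flagging.

```python
import re
# Constructed sample: the Snort "-eadv" text record from Figure 1, re-typed as test input.
SNORT_RECORD = """\
20:59:49.153313 0:10:4B:D:A9:66 -> 0:60:97:7:C2:8E type:0x800 len:0x7D
192.168.1.3:23 -> 192.168.1.4:1031 TCP TTL:64 TOS:0x10 DF
***PA* Seq: 0xDF4A6536   Ack: 0xB3A6FD01   Win: 0x446A
FF FA 22 03 03 E2 03 04 82 0F 07 E2 1C 08 82 04  .."..............
09 C2 1A 0A 82 7F 0B 82 15 0F 82 11 10 82 13 FF  ................
F0 0D 0A 46 72 65 65 42 53 44 20 28 65 6C 72 69  ...FreeBSD (elri
63 2E 68 6F 6D 65 2E 6E 65 74 29 20 28 74 74 79  c.home.net) (tty
70 30 29 0D 0A 0D 0A                             p0)....
"""
IP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)")
HEX_LINE = re.compile(r"^(?:[0-9A-F]{2} )*[0-9A-F]{2}(?=\s\s|\s*$)")  # hex column only
IAC, SE, SB, WILL, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFE  # telnet command bytes (RFC 854)

def parse_record(text):
    # Returns src/dst addresses, ports, protocol and raw payload for one record, or None.
    pkt = None
    for line in text.splitlines():
        m = IP_LINE.match(line)
        if m:
            pkt = {"src": m[1], "sport": int(m[2]), "dst": m[3], "dport": int(m[4]),
                   "proto": m[5], "payload": b""}
        elif pkt and (h := HEX_LINE.match(line)):
            pkt["payload"] += bytes.fromhex(h.group(0))   # hex pairs only, ASCII column ignored
    return pkt

def strip_telnet_negotiation(data):
    # Remove IAC command and subnegotiation sequences, keeping only application text.
    out, i = bytearray(), 0
    while i < len(data):
        cmd = data[i + 1] if data[i] == IAC and i + 1 < len(data) else None
        if cmd is None:                                  # ordinary data byte
            out.append(data[i]); i += 1
        elif cmd == IAC:                                 # IAC IAC escapes a literal 0xFF
            out.append(IAC); i += 2
        elif cmd == SB:                                  # IAC SB ... IAC SE subnegotiation
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                            # WILL/WONT/DO/DONT carry an option byte
            i += 3 if WILL <= cmd <= DONT else 2
    return bytes(out)

def analyse(text):
    # Flag a cleartext telnet record and recover the text the server sent.
    pkt = parse_record(text)
    if not pkt or pkt["proto"] != "TCP" or 23 not in (pkt["sport"], pkt["dport"]):
        return None
    banner = " ".join(strip_telnet_negotiation(pkt["payload"]).decode("ascii", "replace").split())
    return {"service": "telnet", "src": pkt["src"], "dst": pkt["dst"], "banner": banner,
            "direction": "server->client" if pkt["sport"] == 23 else "client->server"}
```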
After monitoring the suspicious activity for a couple of weeks, it was determined that the attempts were coming from a node with an invalid IP configuration and not an intruder.
For more information on using Snort, visit the main web site at http://www.snort.org. The site contains tons of documentation, a downloads section, a port search/identification database, a FAQ, mailing lists and much much more.
When I first had the idea of finding ways to use Open Source operating systems and software at work, I thought I'd have a very difficult time doing this, since our office has been a Microsoft/IBM shop for years and these platforms and associated software are what our employees are used to using. I never intended to recommend the replacement of these platforms in favor of the BSDs or Linux but rather to employ and integrate the use of these platforms in a more cost effective and productive way.
Today's corporate networks consist of many different platforms and applications and the companies that take advantage of all these tools are the ones that come out ahead. IBM is one such company with its recent dedication and development efforts with Linux and the Open Source community as a whole. Apple is another, with its recent release of the OS X operating system that has a BSD layer at its core. Companies are realizing that it's no longer beneficial to rely on one single platform or vendor to fulfill their computing needs, but rather a combination of platforms and applications to draw upon. However, it can be tricky and expensive to get everything working in unison, but the times are changing and more and more platforms and applications are being developed with an emphasis on cross platform design. More and more software and hardware companies are contributing their resources and development efforts to the Open Source movement and community as a way to give their customers a better product and more alternatives. This in turn, translates to a higher profit margin for the software company and for their customers. Everybody wins!
For those of you who are considering employing the use of FreeBSD, NetBSD, OpenBSD or BSD/OS in your office or company, I would recommend that you install it on an available PC. Explore the huge number of applications (currently over 4,500) in the ports collection and the many uses these powerful and unique operating systems have to offer. Start with the Apache web server as I did and then gradually display the cards in your networking hand. Start with things that are tangible and easy to see the benefits of and understand.
When I first started using FreeBSD, I was so amazed and taken with it that I could be heard preaching the BSD gospel almost every day. Keep in mind that most people will continue to use whichever operating system or application they are comfortable with. Don't be such an advocate that people become afraid to even mention the words "FreeBSD", "NetBSD", "OpenBSD" or "BSD" around you. Remember, the louder you are, the harder it can be to hear you. The phrase, "Actions speak louder than words", certainly applies here. Quietly learn about the BSDs, how to use them, and offer the amazing demonstration when the opportunity presents itself. Soon, that old PC running one of the BSDs will be the honey that attracts the bees!
Joe Warner is an Operations Technical Analyst employed by the Siemens Medical Solutions Health Services Corporation. He is an enthusiastic advocate of the FreeBSD operating system and continues to be an involved member of the BSD and Open Source communities. He also works as a Marketing Coordinator for The Daemon News in his spare time. Forever the student!