802.11

Reference:
http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/WirelessHacks/Mateti-WirelessHacks.htm
http://en.wikipedia.org/wiki/IEEE_802.11
http://www.informit.com/articles/article.aspx?p=413459
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm
http://xirrus.gcsmarket.com/posters/pdfs.asp

Secure Network Access

NAC stands for Network Access Control.
802.1X is the IEEE standard for port-based network access control.

NAC provides Endpoint security. The end point device can be a Laptop connected to a corporate network or a VPN client.
Depending on the security policy NAC will do user authentication, periodic health checks and policy enforcement.

-> User authentication can be by portal login, 802.1x etc.
-> Health check is done by a custom made Java applet, which runs on client, collect useful device information. Microsoft’s built-in NAP client also does the same job.
-> Policy enforcement, the most important part in a NAC, is done by SSCP, SSCPLite (Nortel proprietary), 802.1x etc.

=> NAC creates database with the information forwarded by NAC client. The policy decision is made based on corporate policy and database information. NAC server is also known as Policy Decision Point.

=> Policy enforcement point can be Switch, router, VPN gateway or firewall. Most commonly used access control techniques are VLAN segregation and packet filtering ACLs.

Future of NAC:
Some NAC policy servers are:
1. Cisco's Access Control Server (ACS)
2. Juniper's Unified Access Controller (UAC)
3. Microsoft's Network Policy Server (NPS)
4. Nortel's Secure Network Access (NSNA)
5. Trusted Computing Group's Trusted Network Connect (TNC)

IF-MAP is a standard client/server, XML-based SOAP, protocol for accessing a Metadata Access Point. The IF-MAP server has a database for storing information about network security events and objects (users, devices, etc.). The IF-MAP protocol defines a powerful publish/subscribe/search mechanism and an extensible set of identifiers, and data types.





=> Integrity measurements are carried between the TNC Client and TNC Server on a protocol called IF-TNCCS (Trusted Network Connect Client-Server).
=> For communication with NAP Client and NAP Server Microsoft used protocol called System of Health (SoH). Later donated to TCG as IF-TNCCS-SOH.

=> Consolidated IF-TNCCS enables Client-Server interoperability between NAP and TNC.
=> industry has agreed on TNC standard for NAC, except Cisco.

Reference:
White Paper - 1
http://features.techworld.com/networking/4073/microsoft-gets-nac-act-together
http://www.isp-planet.com/technology/2007/nac_3c.html
http://www.trustedcomputinggroup.org/developers/trusted_network_connect

802.1x

PPP is a data link protocol commonly used to establish a direct connection between two networking nodes.
PPP can provide connection authentication, transmission encryption privacy, and compression.

PPP -> alone provides username/password authentication (CHAP, PAP)
PPP + EAP -> Any type of authentication (EAP-MD5, PEAP)
PPP + EAP + RAS -> works fine
PPP + EAP + RAS + AAA -> RADIUS protocol takes care of the authentication
EAPOL + RAS + AAA -> 802.1x

L2TP and Microsoft’s secure RAS made PPP popular.
EAP is a universal authentication framework.
EAPOL is a standard for passing EAP over LAN.


802.1x is an IEEE standard for Port-Based Network Access Control.
802.1x works at Layer 2 to authentication and authorize devices on LAN switches and wireless APs.
It won’t work with multiple PC's connecting to a switch via a hub.

-> The user/client that wants to be authenticated is called a supplicant.
-> The actual server doing the authentication, typically a RADIUS server, is called the authentication server.
-> And the device in between, such as a wireless access point, is called the authenticator.



Benefits of IEEE 802.1X
1. Leverages existing standards EAP and RADIUS
2. Authentication based on Network Access Identifier and credentials
3. Centralized authentication, authorization, and accounting
4. Scalable through EAP types
5. Supports password authentication and One-Time Passwords (OTP)

Configure Freeradius:
/etc/raddb/clients.conf -> "client localhost { secret = testing }"
/etc/raddb/users -> "user1 User-Password := "pass1""
/sbin/radiusd -X
/bin/radtest user1 pass1 localhost 0 testing

Configure Switch (Nortel ERS 4550):
vlan members remove 1 1-11
vlan members add 16 1-11
vlan ports 12 tagging enable

radius-server host 192.168.10.254
radius-server key "testing"
radius-server port 1812

eapol enable
##EAPOL Administrative Status #> ENABLE
##EAPOL Administrative Status for ports #> Auto

Configure PC:
enable the following windows services:
-> Extensible Authentication Protocol Service
-> Wired AutoConfig / Wireless Zero Configuration

Local Area Connection properties -> Authentication -> Enable IEEE 802.1x authentication
Local Area Connection properties -> Authentication -> network auth method -> Protected EAP
Local Area Connection properties -> Authentication -> settings -> Authentication method -> EAP-MSCHAP v2


Reference:
http://www.javvin.com/protocol8021X.html
http://www.netcraftsmen.net/welcher/papers/dot1x.html
http://www.ipv6.com/articles/wireless/8021x-Wireless.htm
http://www.zyxeltech.de/SNotep335wt/app/8021x.htm
http://en.opensuse.org/RadiusServerHOWTO
http://www.ibm.com/developerworks/library/l-radius/

Brain Teaser

Try to get 56 in all the blue boxes, using the pull-down lists!

	=	=	=	=	=	=
	=	3 7 15 31	3 7 15 31	3 7 15 31	3 7 15 31	=
	=	3 7 15 31	3 7 15 31	3 7 15 31	3 7 15 31	=
	=	3 7 15 31	3 7 15 31	3 7 15 31	3 7 15 31	=
	=	3 7 15 31	3 7 15 31	3 7 15 31	3 7 15 31	=
	=	=	=	=	=	=

a SOAP message using SAAJ

--> doGoogleSearch WebService with JAVA

----------------------Client.java----------------------
import javax.xml.soap.SOAPConnectionFactory;
import javax.xml.soap.SOAPConnection;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPMessage;
import javax.xml.soap.SOAPPart;
import javax.xml.soap.SOAPEnvelope;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.MimeHeaders;

import javax.xml.transform.TransformerFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.Source;

import javax.xml.transform.stream.StreamResult;

public class Client {

  public static void main(String[] args) {

    try {
        // Create the connection
        SOAPConnectionFactory scf = SOAPConnectionFactory.newInstance();
        SOAPConnection conn = scf.createConnection();

        // Create message
        MessageFactory mf = MessageFactory.newInstance();
        SOAPMessage msg = mf.createMessage();

        // Add eventually a SoapAction header if necessary
        MimeHeaders hd = msg.getMimeHeaders();
        hd.addHeader("SOAPAction", "\"urn:GoogleSearchAction\"");

        // Object for message parts
        SOAPPart sp = msg.getSOAPPart();

        SOAPEnvelope env = sp.getEnvelope();
        env.addNamespaceDeclaration("xsd","http://www.w3.org/2001/XMLSchema");
        env.addNamespaceDeclaration("xsi","http://www.w3.org/2001/XMLSchema-instance");
        env.addNamespaceDeclaration("enc","http://schemas.xmlsoap.org/soap/encoding/");
        env.addNamespaceDeclaration("env","http://schemas.xmlsoap.org/soap/envelop/");
        env.setEncodingStyle("http://schemas.xmlsoap.org/soap/encoding/");

        SOAPBody bd = env.getBody();

        // Populate body
        // Main element and namespace
        SOAPElement be = bd.addChildElement(env.createName("doGoogleSearch",
                "namesp1",
                "urn:GoogleSearch"));
        be.addChildElement("key").addTextNode("OS7mOjxQFHIztxIYU9yb8y3ibYgY4w2o").setAttribute("xsi:type","xsd:string");
        be.addChildElement("q").addTextNode("ls").setAttribute("xsi:type","xsd:string");
        be.addChildElement("start").addTextNode("0").setAttribute("xsi:type","xsd:int");
        be.addChildElement("maxResults").addTextNode("5").setAttribute("xsi:type","xsd:int");
        be.addChildElement("filter").addTextNode("0").setAttribute("xsi:type","xsd:boolean");
        be.addChildElement("restrict").setAttribute("xsi:type","xsd:string");
        be.addChildElement("safeSearch").addTextNode("0").setAttribute("xsi:type","xsd:boolean");
        be.addChildElement("lr").setAttribute("xsi:type","xsd:string");
        be.addChildElement("ie").addTextNode("latin1").setAttribute("xsi:type","xsd:string");
        be.addChildElement("oe").addTextNode("latin1").setAttribute("xsi:type","xsd:string");

        // Save message
        msg.saveChanges();

        // View input
        System.out.println("\n Soap request:\n");
        msg.writeTo(System.out);
        System.out.println();

        // Send
        String urlval = "http://api.google.com/search/beta2";
        SOAPMessage rp = conn.call(msg, urlval);

        // View the output
        System.out.println("\nXML response\n");

        // Create transformer
        TransformerFactory tff = TransformerFactory.newInstance();
        Transformer tf = tff.newTransformer();

        // Get reply content
        Source sc = rp.getSOAPPart().getContent();

        // Set output transformation
        StreamResult result = new StreamResult(System.out);
        tf.transform(sc, result);
        System.out.println();

        // Close connection
        conn.close();

      }
      catch (Exception e){
        System.out.println(e.getMessage());
      }
   }
}
-------------------------------------------------------

1. get the latest java sdk (1.6.0_16)
2. javac Client.java
3. java Client

Reference:
http://www.pascalbotte.be
http://users.skynet.be/pascalbotte/rcx-ws-doc/present.htm
http://users.skynet.be/pascalbotte/rcx-ws-doc/saajpost.htm

GoogleSearch with SOAP - perl

------------------google.pl------------------
#!/usr/bin/perl

use SOAP::Lite;
use strict;
use warnings;

@ARGV == 2 or die "Usage: google <query> <number of results 1-10>\n";

my $key='OS7mOjxQFHIztxIYU9yb8y3ibYgY4w2o';

my($query, $maxResults) = @ARGV;

my @params = ($key, $query, 0, $maxResults, 0, '', 0, '', 'latin1', 'latin1');

my $result = SOAP::Lite->service("http://api.google.com/GoogleSearch.wsdl")->doGoogleSearch(@params);

print "Result: \n";

print join "\n", map( { qq{$_->{URL}} } @{$result->{resultElements}} ), "";
---------------------------------------------

1. Download SOAP for Perl from here.
2. tar xzvf SOAP-Lite-0.60a.tar.gz
3. cd SOAP-Lite-0.60/lib
4. chmod 755 google.pl
5. ./google.pl ls 10

Reference:
perl-google-soap-example
http://search.cpan.org/~byrne/SOAP-Lite/lib/SOAP/Lite

Learn to speak chess

You can learn speek chess from here.

Download Filemate tool from here.

1. File >> New Game
2. Options >> Setup Position...
3. clear, and start adding blank and white coins

This will be the best game to start with
1. e4 e5
2. Nf3 d6
3. d4 Bg4
4. dxe5 Bxf3
5. Qxf3 dxe5
6. Bc4 Nf6
7. Qb3 Qe7
8. Nc3 c6
9. Bg5 b5
10. Nxb5 cxb5
11. Bxb5+ Nbd7
12. O-O-O Rd8
13. Rxd7 Rxd7
14. Rd1 Qe6
15. Bxd7+ Nxd7
16. Qb8+!! Nxb8
17. Rd8#

enjoy!!!

Reference:
http://www.enpassant.dk/chess/softeng.htm

Enable call option in Yahoo! Messensger

Y!M supports PC to PC calling option.

It is supported in Yahoo! Messenger USA and it is not supported in Yahoo! Messenger India.

Upgrade to latest Y!M USA version :-)
Enjoy!!!

Reference:
http://in.answers.yahoo.com/question/index?qid=20090814230433AAUOAnF

How to add category in the blog

Please refer this link.

1. Layout >> Page Element >> Add a Gadget >> Labels (Show all the labels of posts in your blog).

2. Layout >> Edit HTML >> Add "Label Cloud User Variables", "Label Cloud Styles" and "Widget Label code" at the specified location.

3. Add "Lables for this post" for at least one post.

Happy Blogging...
Enjoy!!!!

Reference:
http://phy3blog.googlepages.com/Beta-Blogger-Label-Cloud.html
http://ialja.blogspot.com/2007/04/view-blogger-labels-in-label-cloud.html

openssl and certificates

Download the latest openssl source from here (0.9.8k).

1.3.6.1.4.1.311.20.2.2 - Smart Card Logon
1.3.6.1.4.1.311.20.2.3 - UPN (User Principal Name)

Certificate extentions:

.pem - (Privacy Enhanced Mail) Base64 encoded DER certificate, 
       enclosed between "-----BEGIN CERTIFICATE-----" 
       and "-----END CERTIFICATE-----"

.cer, .crt, .der - usually in binary DER form, 
       but Base64-encoded certificates are common too

.p7b, .p7c - PKCS#7 SignedData structure without data, 
       just certificate(s) or CRL(s)

.p12 - PKCS#12, may contain certificate(s) (public)
       and private keys (password protected) 
       (Personnal Information Exchange)

Generate CA key and Certificate:

openssl genrsa -out ca.key 1024

openssl req -new -x509 -days 365 \
-subj '/C=IN/ST=KA/L=BL/O=Nortel/OU=Eng/CN=localhost ca' \
-key ca.key -out ca.crt

Generate server key and certificate:

openssl genrsa -out server.key 1024

openssl req -new \
-subj '/C=IN/ST=KA/L=BL/O=Nortel/OU=Eng/CN=localhost' \
-key server.key -out server.csr

cat > server.cnf << EOF
[dir_sect]
keyUsage=digitalSignature,keyEncipherment
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:humble@yahoo.com
EOF

openssl x509 -req -days 365 -in server.csr \
-CA ca.crt -CAkey ca.key \
-extfile server.cnf -extensions dir_sect -set_serial 01 -out server.crt

Verify and show the server generated certificate:

# openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
# openssl req -in server.csr -noout -verify -key server.key
# openssl x509 -noout -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=KA, L=BL, O=Nortel, OU=Eng, CN=localhost ca
        Validity
            Not Before: Jul 27 09:23:44 2010 GMT
            Not After : Jul 27 09:23:44 2011 GMT
        Subject: C=IN, ST=KA, L=BL, O=Nortel, OU=Eng, CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d3:d4:a6:31:55:20:94:38:a8:72:16:eb:b8:2a:
                    9a:7c:07:98:36:63:7c:3c:f7:ad:ff:ad:27:4b:9b:
                    38:85:92:e5:44:07:12:1e:e3:b7:e9:09:d2:67:01:
                    71:51:50:fc:a7:7f:ec:72:2c:30:f4:24:0b:68:fa:
                    c4:7e:56:7b:70:dd:c4:50:7a:8c:51:d5:7f:46:a1:
                    02:7f:76:d8:6f:2c:79:48:57:9b:6f:fa:06:2d:dd:
                    5c:e6:f0:74:57:0a:85:85:39:a0:ce:36:64:2a:b1:
                    7b:1e:26:aa:df:c5:8f:93:6b:e6:02:cb:8d:f8:44:
                    89:37:58:31:cd:83:68:3a:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                CF:36:42:69:6D:85:D4:D6:22:F8:6F:45:DD:EC:74:...
            X509v3 Authority Key Identifier:
                keyid:55:B0:22:DC:4F:4C:21:AA:69:EA:47:31:A2:...

            X509v3 Subject Alternative Name:
                othername:
    Signature Algorithm: sha1WithRSAEncryption
        de:ff:04:5c:82:e5:74:3c:75:d0:80:21:c7:5b:74:21:91:5b:
        07:cb:5a:9e:6d:46:ae:5d:1d:69:26:5a:44:ec:b5:ad:25:72:
        a5:5d:f1:e9:b5:45:14:2c:98:b6:40:5f:b8:e8:92:ba:a5:0c:
        34:86:0e:20:51:25:64:6a:f7:cf:33:ec:50:f8:eb:9f:59:de:
        99:b5:c1:75:cd:d2:ff:00:c0:ed:b2:30:44:f2:1e:13:75:dd:
        21:da:f7:7f:bd:3c:60:7a:f6:66:44:c1:c9:b4:b6:75:ac:59:
        07:c3:e5:06:eb:97:b2:64:0c:f2:2c:2c:39:b1:35:a6:19:b6:
        a6:50

The certificate "server.crt" in windows:


Reference:
make-certs.sh
http://www.madboa.com/geek/openssl
http://en.wikipedia.org/wiki/X.509