NYI was established in 1996

NYI caters to small to medium-size enterprises

NYI is located in the heart of Wall Street area in New York

NYI owns and maintains its own Data Centers

All services can be priced and ordered on this site


WHAT'S UP ON WHATSDOWN?
NYI now offers an online diagnostic toolbox

ONE MORE TIME ON FIREWALL SOLUTIONS, PACKET SNIFFING, AND INTRUSION DETECTION

WEBMAIL: MORE FUNCTIONALITY, MORE OPTIONS
About the new interface and features for NYI's Webmail

NYI'S NEW PEERING ARRANGEMENT
NYI is now peering at NYIIX

CONTROL PANEL GETS A MAKEOVER

SECURE HELPDESK
NYI encrypts the Helpdesk system

SPAM SHIELD
Spam Assassin detects 92% of spam and tags it

WHAT'S AN IDS AND WHY DO YOU NEED IT
Get more security with IDS' help

NEW BANDWIDTH OPTION

BE YOUR FIREWALL'S GATE KEEPER

ULTIMATE GOAL: ACHIEVING BALANCE
On Load Balancing solution

NEW BACKUP SOLUTION FROM NYI

WE SNORT; SO SHOULD YOU
Snort detects the trouble early

SUNSCREEN FOR YOUR DATA
On NYI's firewall capabilities

OUT OF SITE, OUT OF MIND
About NYI's web accessed, environment monitoring tool

SECURITY LINK ANALYSIS
About NYI's network monitoring tool

LOCK AND LOAD
NYI's suggestions on how to make your machine more secure. (by A. Koralewski)

STARTING UNIX FOR STARTERS
Useful tips on unix system boot up (by A. Koralewski)

INFORMED CLIENT IS A SATISFIED CLIENT
NYI's Colocation and Dedicated Server clients can now view their servers' exact bandwidth usage.

CODE RED WORM TALK
Read about preventive maintenance against the current plague of the Red Worm.

NEW AND IMPROVED HELPDESK

A WORD ON QUOTE GENERATOR

UPGRADE CENTER



What's Up on Whatsdown?

When a system of yours has trouble, it may be difficult to objectively diagnose it unless you have the right tools. In an effort to help our clients have all the resources they need, we've set up a multi-use toolbox available at http://www.whatsdown.net/.

There you will be able to diagnose connectivity problems from multiple locations (not just from NYI's network), as well as port scan your system(s) for possibly insecure services. In addition, we have a mail server test to identify whether your mail server is an open relay, which would add to the Internet's already rampant unsolicited mail problem. Your system may get blacklisted if you do not clear such problems up.

We are accepting suggestions on how to further improve this toolbox for network/system diagnosis/troubleshooting so if you have any ideas on how to improve it, please drop us a line at support@nyi.net and we'll try to accommodate you as best we can.



One More Time on Firewall Solutions, Packet Sniffing, and Intrusion Detection

NYI is mostly a FreeBSD shop and we use its ipfw filtering software to do all of our filtering and bandwidth management. It allows us to pretty much control everything about all the packets entering and leaving our network at different locations.

We can filter packets based on a number of criteria, such as the subnet a packet is destined to or originated from. Other criteria include which network service is requested (based on port numbers for UDP/IP). ICMP hasn't been left out either: we can filter based on ICMP types, such as allowing ping requests and replies to pass through or blocking them, while controlling other ICMP functions such as destination unreachable messages. We can get more intimate with our packets by looking at the TCP flags (SYN, ACK, FIN, etc.) to determine whether the connection is initializing, ending, or transient. For even more flexibility with the firewall, we can examine IP options such as fragmentation characteristics.

Additionally, we have the facility to create virtual traffic pipes to control the flow of traffic based on any aforementioned criteria in order to emulate a more limited bandwidth connection (i.e. we physically use a 100BaseT port but emulate a 512Kbps link for a client who needs a half a meg pipe), as well as packet loss rate for testing purposes, etc.

This also allows us to give different traffic types different weights. For example, if you have a mail server and an FTP server on the same subnetwork, you do not want your more important email services being degraded by the bulk traffic of the FTP services. In such a case, we would assign a higher priority/weight to the mail services (e.g. by port numbers) than FTP so that mail would take precedence over other traffic (such as FTP). When there is no email passing through the subnetwork, other traffic would not be limited as no other traffic has been configured to take precedence.
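As an added illustration (not NYI's own rule set), here is a small ipfw(8) script in the style just described: a 512 Kbit/s pipe with a lossy variant for testing, weighted mail-over-FTP queues, and TCP-flag, ICMP-type and IP-option rules. The subnet, interface name, rule numbers and the one_pass sysctl handling are assumptions.

```shell
#!/bin/sh
# Added example in the style of the ipfw(8) setup the article describes; it is not
# NYI's configuration. The subnet, interface name and rule numbers are constructed,
# and the syntax assumed is FreeBSD's ipfw2/dummynet.
CLIENT_NET="192.0.2.0/24"   # constructed client subnet
OIF="fxp0"                  # assumed name of the Internet-facing interface

# Print the rule set, one ipfw argument list per line. Numbers 100-999 are left
# free so an IDS hook can insert per-host deny rules ahead of the allows.
build_rules() {
    # Bandwidth management: pipe 1 emulates a 512 Kbit/s link on a 100BaseT port;
    # pipe 2 is the same link with 5% packet loss for testing.
    echo "pipe 1 config bw 512Kbit/s"
    echo "pipe 2 config bw 512Kbit/s plr 0.05"
    # Weighted queues on pipe 1: mail outweighs bulk FTP 9:1, yet FTP still gets the
    # whole pipe when no mail is flowing, because weights only matter under contention.
    echo "queue 1 config pipe 1 weight 90"
    echo "queue 2 config pipe 1 weight 10"
    echo "add 1000 queue 1 tcp from any to $CLIENT_NET 25 in via $OIF"
    echo "add 1010 queue 2 tcp from any to $CLIENT_NET 20,21 in via $OIF"
    # TCP flags: packets of established connections pass; only selected services may
    # receive a SYN ("setup"); other connection attempts are logged and dropped.
    echo "add 2000 allow tcp from any to any established"
    echo "add 2010 allow tcp from any to $CLIENT_NET 22,25,80 setup in via $OIF"
    echo "add 2020 deny log tcp from any to $CLIENT_NET setup in via $OIF"
    # UDP service by port (DNS to the client's name server).
    echo "add 2100 allow udp from any to $CLIENT_NET 53 in via $OIF"
    # ICMP by type: echo reply (0), unreachable (3), echo request (8) and time
    # exceeded (11) pass; every other type is dropped.
    echo "add 3000 allow icmp from any to any icmptypes 0,3,8,11"
    echo "add 3010 deny icmp from any to any"
    # IP characteristics: non-initial fragments and source-routed packets are dropped
    # (the fragment rule also breaks large UDP datagrams such as NFS; use count if needed).
    echo "add 4000 deny log ip from any to any frag"
    echo "add 4010 deny log ip from any to any ipoptions ssrr,lsrr"
    # Default policy.
    echo "add 65000 deny log ip from any to any"
}

# Number of rules in the set (a sanity check before applying).
rule_count() { build_rules | wc -l | tr -d ' '; }

# Load the set. IPFW and SYSCTL default to the real binaries; set both to "echo"
# for a dry run that prints what would be executed.
apply_rules() {
    IPFW="${IPFW:-/sbin/ipfw}"
    SYSCTL="${SYSCTL:-/sbin/sysctl}"
    # Let packets re-enter the rule list after dummynet so the queue rules at
    # 1000/1010 shape traffic without bypassing the filtering rules below them.
    "$SYSCTL" net.inet.ip.fw.one_pass=0
    "$IPFW" -q flush
    "$IPFW" -q pipe flush
    build_rules | while read -r args; do
        "$IPFW" -q $args   # unquoted on purpose: each word is one argument
    done
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPFW=echo; SYSCTL=echo; apply_rules ;;
esac
```

Run it with `dry-run` to see the exact ipfw invocations before trusting it with `apply`.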

In terms of intrusion detection, we use a very mature and effective open source project called Snort (www.snort.org). A great number of closed source commercial solutions are either based upon this successful program or are compatible with it. Snort allows us to monitor suspicious activity in real time based on known patterns (i.e. rules) of network traffic (e.g. packet contents; traffic flow characteristics). We have developed an in-house program that lets us easily choose which rules we want to use. We have also tied Snort into the ipfw utility to dynamically block offending users from accessing hosts behind the firewall for a specific amount of time. We feel this is the best combination of power and flexibility in a managed firewall solution while maintaining control over what happens.



Webmail: More Functionality, More Options

Recently, NYI has introduced a new interface for Webmail to make it easier, more convenient and more functional for our clients. This new interface will keep you logged in longer, so if you have passed on Webmail for just this reason, give it another try.

The update also included adding many new useful features such as:
- Mail Filters, which will help you better organize your mail and dispose of unsolicited advertisements (spam)
- Notifications of new email messages
- Spell Checker
- Translator by way of Babelfish, InterTran and others
- Calendar

All of the aforementioned features can be easily configured by clicking on the "Options" link at the top of your browser's window. If you need a few pointers on the new features, here is a short guide to using some of them.



NYI's New Peering Arrangement

NYI is proud to announce that it will be peering at NYIIX, which will allow direct connections with dozens of networks, including but not limited to:

Demon, Nildram, Wirehub, Net Access, Abovenet, BBC, KDDI, Internet Solution, Tiscali, Globix, Stealth, Colt, Time Warner, TTSG, IIJ, Emirates Telecommunication, Akamai, Chello, Mobilcom CityLine, DSL.net, VillageWorld.com, Pacific Century CyberWorks, Hurricane Electric, Deutsche Telekom, Peer1, Sunrise, Blue Stream, Chunghwa Telecom (HiNet), NTL, Thorn Communications, DACOM, Group Telecom, Easynet, BT North America, Nexus Telecom, ISPrime, Finnet International, Accretive Networks, BigPipe, FLAG Telecom, Primustel Canada, Like Whoa, Logic Communications.

Why is peering important to ISPs?

Peering is an inexpensive means of exchanging Internet traffic. Without peering, ISPs must pay expensive fees (called "transit fees") to national (mostly Telco-based) network providers. Once a peering connection is installed, private peering enables ISPs to move traffic from the ISP's transit circuit to the ISP's peering circuit. The freed transit bandwidth can be used for additional customers and/or to save the ISP money by postponing the need to purchase additional transit bandwidth.

NYI looks forward to connecting with the regional, national, and international networks that comprise the NYIIX member list, and feels that this will bolster NYI's ability to serve our clients' data in the most efficient manner possible. We look forward to beginning peering sessions in Washington DC, Chicago, and San Jose in the near future.

Other well known peering points are: ATL-NAP Atlanta, BMPX - Boston Metropolitan Exchange Point, Bellsouth Multimedia eXchange, BNAP - Baltimore NAP, ipx - A New Jersey Activity, Louisville-nap.net, MAGPI - a Mid Atlantic Gigapop for Internet2, NNAP - Neutral NAP/ inactive link, Nashville Regional Exchange Point, Nap of the Americas, NY6iX - A New York IPv6 exchange, Philadelphia Internet Exchange, Pittsburgh Internet Exchange, Research Triangle Park, Sprint NAP (Pennsauken NJ), Vermont ISP Exchange, AMAP - Anchorage Metropolitan Access Point, COX - Central Oregon Internet Exchange, HIX - Hawaii Internet Exchange, LAIIX - Telehouse Los Angeles, LAP - A Los Angeles Exchange, includes MAE-LA, Northwest Access Exchange - Portland, OIX - Oregon Internet Exchange, Pacific Bell NAP Information, PACIFIC WAVE - Pacific Wave Exchange, SD-NAP - San Diego (Caida), SIX - Seattle Internet Exchange, New Mexico Internet Exchange, New Mexico Network Access Point, TTI - The Tucson Interconnect, Compaq's Houston NAP, The Middle American Exchange Points, Ameritech NAP info (Chicago NAP), CMH-IX - Columbus Internet Exchange, DIX - Denver Internet Exchange, IndyX - Indianapolis Data Exchange, Nashville CityNet, Ohio Exchange, RMIX Rocky Mountain Internet exchange, STAR TAP (12 GigaPOP), The Arch - St. Louis, Mo, Utah REP, BCIX - British Columbia Internet Exchange, CA/NAP Canada/Toronto Exchange, CANIX: Originally CA*net sponsored - No URL Supplied, Edmonton Internet Exchange, MIX - Montreal Internet Exchange, The Nova Scotia Internet exchange, Ottawa Internet exchange, Quebec Internet Exchange (French), Toronto Internet Exchange and more.



Control Panel Gets a Makeover

As many of our hosting clients have probably noticed, our virtual hosting control panel has finally been redesigned and some features have been added. While the adjustments may seem minor, this is part of a massive overhaul in our online control panel area that will eventually become an NYI Client Portal for managing all aspects of your NYI account(s), from adding email accounts to updating billing information to viewing open invoices on the account. This control panel will soon not only be for virtual hosting clients, but for all clients, and will incorporate all of the specific services involved with the particular account (i.e. email management, MRTG stats, firewall/IDS configuration, HelpDesk access, etc.). This is further evidence of NYI's unending quest to make sure our clients experience the best and most efficient service in the market today.



Secure Helpdesk

All of NYI's clients are familiar with our HelpDesk system. This powerful tool serves as a communication medium between our customers and technical staff, allowing for the best response times in case of any kind of technical issue. All a client needs to do is log on with a unique user ID and generate a trouble ticket that will immediately alert NYI's tech support staff, who will address the issue at once.

The HelpDesk system is relatively new and we work on improving it on a daily basis. The latest improvement was bringing the maximum level of security by ensuring that all the information entered in the system is encrypted. In other words, the HelpDesk has been made secure in case any sensitive information needs to be submitted by our clients. The HelpDesk's URL is now https://hd.nyi.net.



Spam Shield

If you have been online for a fair amount of time, chances are, you have received your share of spam -- unsolicited commercial bulk email. In other words, electronic junk mail, anything from financial services advertisements to adult material. And chances are that you have suffered from such unsolicited mailings, when your privacy was invaded by explicit images and vulgar language, or when you missed a legitimate email among the dozens of spam messages, or many other unpleasant scenarios.

Things are changing, however. New York Internet is pleased to announce its plan of instituting a number of filtering methods to combat spam. The software will combine a growing number of known signatures common to spam along with keen decision making to mark spam email as such. You will still receive every message intended for your address, but you will be able to easily set filters within your email program to either move the suspected spam message into a special folder, awaiting your scrutiny, or simply move it to the trash.

From our tests, we have found our filters to be very effective, recognizing over 92% of all incoming spam messages as such. Any higher a rating is exponentially more difficult to attain because of spammers' continued modification of their methods to stay abreast of anti-spam tools. This rating is still very high, and will be very effective in helping you manage your mailbox.



What's an IDS and Why Do You Need It?

We all have been witness to the increasing frequency of security incidents, ranging from intricate and involved hacks, to run-away Internet based worms like Code Red and Klez.

The costs involved in dealing with such incidents are staggering. A hacking attempt may begin with an attacker port scanning your server to see which ports, and thus which services, are open and accepting connections. Many tools even have the ability to guess which operating system you are running. Armed with this information, an attacker can simply search for easy-to-use software to exploit the server software you are running. An attacker might also scan an entire range of IP addresses, looking for a specific port. Case in point: the recent increase in scanning of port 1433 by the myriad of recent Windows-targeting worms looking to enter your system through Microsoft's SQL server.

In the past, such activity could largely go unnoticed. But as the Internet becomes less of a friendly community and more of a hostile battleground pitting systems administrators and security experts against hobbyist or malicious attackers, more tools are available to notify you of possible attacks, and even act to protect your systems. These tools fall under the category of Intrusion Detection Systems (IDS).

You might be wondering why you need such a system when you already have a firewall in place. The term "firewall" encompasses a wide variety of devices and may give a false sense of security. In its purest form, a firewall is only as good as the access rules it is configured with. Let's use an example to illustrate the point. Suppose you needed the database server to be available to clients outside of your network, making the server accessible to anyone. And suppose the Klez worm has just been released into the wild. Your risk of being infected would be great. You might be fortunate enough to hear of the worm in time and have your network specialist block off the port to the outside. But that would mean interrupted service and loss of productivity. And if you did get infected, it could spell disaster. Now imagine that you were protected by intelligent software that can recognize the signature of an attack and automatically block the IP address of the sender. The service is still available to your customers and the attacks never arrive at your server. Your clients are never denied service, your servers are never compromised and do not have to be reinstalled from scratch, and your server never has to use its resources to process the attacker's requests, and can instead process legitimate traffic.

The above example doesn't limit the use of IDS to just that situation. Among hundreds of various attack signatures, the IDS protects you against port scans, distributed scans of a specific port on many machines, web access to exe and ids programs common to Microsoft's IIS, CGI exploits and buffer overflows, and many more.
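To make the "recognize the signature and block the sender" idea concrete, here is an added script (not NYI's in-house Snort/ipfw hook, and not part of the original article) that reads Snort's fast alert format and inserts temporary ipfw(8) deny rules for high-priority sources. The protected subnet, sample alerts, rule-number range, state directory and timeout are constructed or assumed.

```shell
#!/bin/sh
# Added example, not NYI's in-house tool: read Snort "fast" alert lines and turn
# high-priority ones into ipfw(8) deny rules that expire after a set time. The
# protected subnet, sample alerts, rule-number range, state directory and timeout
# are all constructed or assumed.
PROTECTED_NET="192.0.2.0/24"                   # constructed: address space behind the firewall
IPFW="${IPFW:-/sbin/ipfw}"                     # set IPFW=echo for a dry run
STATE_DIR="${STATE_DIR:-/var/run/snortblock}"  # assumed: one file per blocked address
BLOCK_SECONDS="${BLOCK_SECONDS:-600}"          # assumed block duration
MAX_PRIORITY=2                                 # act on Snort priority 1 and 2 alerts only
# Deny rules must be numbered below the firewall's allow rules to take effect;
# numbers 100-999 are assumed to be reserved for them, giving 900 concurrent blocks.
RULE_MIN=100; RULE_MAX=999
next_rule=$RULE_MIN

# Constructed sample of Snort's fast alert format (signature ids in the local range).
SAMPLE_ALERTS='08/12-14:03:22.123456  [**] [1:1000001:1] WEB-IIS root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.7:3456 -> 192.0.2.10:80
08/12-14:03:23.000001  [**] [1:1000002:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10
08/12-14:03:24.500000  [**] [1:1000003:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.11:22
08/12-14:03:25.000000  [**] [1:1000004:1] INFO syslog traffic [**] [Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.44:514 -> 192.0.2.12:514'

# Source address of one alert (port stripped); prints nothing for non-alert lines.
alert_source_ip() {
    printf '%s\n' "$1" | sed -n 's/^.*} \([0-9.]*\)\(:[0-9]*\)* -> .*$/\1/p'
}

# Priority field of one alert, or nothing when absent.
alert_priority() {
    printf '%s\n' "$1" | sed -n 's/^.*\[Priority: \([0-9]*\)\].*$/\1/p'
}

# Print the address to block for this alert, or return 1 if nothing should happen:
# low priority, unparsable line, or an address whose block has not expired yet.
block_candidate() {
    ip=$(alert_source_ip "$1")
    prio=$(alert_priority "$1")
    [ -n "$ip" ] && [ -n "$prio" ] && [ "$prio" -le "$MAX_PRIORITY" ] || return 1
    [ -e "$STATE_DIR/$ip" ] && return 1
    printf '%s\n' "$ip"
}

# Insert a deny rule for one address and schedule its removal. Rule numbers are
# unique within the window, so "ipfw delete N" removes only this block.
block_ip() {
    rule=$next_rule
    next_rule=$((next_rule + 1))
    [ "$next_rule" -gt "$RULE_MAX" ] && next_rule=$RULE_MIN
    "$IPFW" -q add "$rule" deny ip from "$1" to "$PROTECTED_NET"
    printf '%s\n' "$rule" > "$STATE_DIR/$1"
    ( sleep "$BLOCK_SECONDS"; "$IPFW" -q delete "$rule"; rm -f "$STATE_DIR/$1" ) &
}

# Read alert lines from stdin (for example "tail -f" of Snort's alert file) and act.
process_alerts() {
    mkdir -p "$STATE_DIR"
    while read -r line; do
        if ip=$(block_candidate "$line"); then
            block_ip "$ip"
        fi
    done
}

case "${1:-}" in
    run)  process_alerts ;;
    demo) IPFW=echo; BLOCK_SECONDS=1; STATE_DIR=$(mktemp -d)
          printf '%s\n' "$SAMPLE_ALERTS" | process_alerts; wait; rm -rf "$STATE_DIR" ;;
esac
```

With the sample alerts, `demo` blocks 198.51.100.7 once (its second alert is ignored while the block is live), blocks 203.0.113.9, and leaves the priority 3 source alone.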



New Bandwidth Option

Here at NYI, we care about our clients. We research their needs and modify our services to match these needs. We want our offerings to be as flexible and as helpful as they can be. As many of you have probably noticed, our Quote Generators constantly get updated and improved. One of the options that we regularly update is bandwidth.

First, we offered a Fixed bandwidth option. This option allowed clients to have a constant bandwidth throughout the month. Soon after, we realized that this option wasn't flexible enough and did not suit all our customers. Thus, we added the Burstable bandwidth solution. This option allowed a dedicated or colocated server to have a constant bandwidth, but when necessary, stretch (or "burst") to a higher tier if traffic increased. This became a popular option, but we didn't want to stop there. To add more flexibility, we added the Data Transfer bandwidth option. This option allowed a client to specify the amount of data that his/her server would be sending per month. Yet, this option turned out to be insufficient, as it didn't specify the speed at all. After careful review, we have decided to improve this option by combining it with our Tiered Burstable option.

With this new Data Transfer option, our clients can specify the amount of data they wish to transfer per month and the line speed that they want to do it at. This option is the most efficient for clients whose speed needs fluctuate (as opposed to clients whose speed needs are consistent, in which case they are better off with NYI's Fixed solution). With this option, you kill two birds with one stone: you get the ability to transfer data at high speeds while not incurring the high cost of fixed bandwidth. (Example: 75 gigabytes of data transfer at 2 Mbps per month costs less than 50% of the cost of a fixed 2 Mbps line.) Another important advantage of this bandwidth option is that there won't be a cap once the selected data transfer amount is reached. Instead, the transfer will take place at an additional cost of $3.50 per gigabyte.

We invite you to generate quotes with our new bandwidth option and use our present 10% discount on monthly and setup charges.



Be Your Firewall's Gate Keeper

Wouldn't it be great to control the dedicated New York Internet firewalls that your servers are being protected by? Now you can! New York Internet's developers bring you yet another tool to make your life easier. The Firewall Control Panel will let you control any traffic to any of your IP addresses through an intuitive, web based application accessible from any browser. And if you sign up for our Network Intrusion Detection solution, you will be able to see in real time which IP addresses have been dynamically denied access to your address space.



Ultimate Goal: Achieving Balance

Uptime and availability are crucial to companies with an Internet presence. It's no secret that misfortunes do happen: hard disks crash, processors fry, power supplies explode, etc. These accidents, however, should not necessitate downtime for your company or your clients.

With New York Internet's load balancing solutions, you will have the ability to run multiple servers concurrently sharing the workload of serving your visitors. If you experience a spike in traffic, your web services will not be overwhelmed, but rather share the load. If one of your machines crashes terminally, your other server(s) will pick up the load, unbeknownst to your end users. This can be achieved by situating your server farm behind a dedicated UNIX-based load balancer and having assigned to it a private IP range.

This solution has a number of advantages. First, all requests would come to the same IP address that you have always used for your server, which means no turnaround time. Second, you would not have to use up any more of your NYI-assigned IP addresses. Third, the fact that all requests go through a central server means that you will have the ability to filter the traffic with firewall software and protect your web servers from worms or port scans with Intrusion Detection Software.



New Backup Solution from NYI

Whether you are a purely digital company, or simply one with a web presence, your digital resources are an integral part of your wealth. At the same time, they are a very fragile and volatile resource, subject to destruction due to accidental deletion, attacks, or severe hardware failures. We recognize your need for redundancy in the form of secure backup solutions. That is why we are pleased to offer to you the New York Internet Backup Server solution which will be fully operational starting July 1st.

The New York Internet Backup Server is a secure UNIX-based server that will allow you to store your important files in a central and secure location for safe keeping.

After being granted an account with a disk space quota of your choice, you will be able to transfer your files from your server here at NYI to the backup machine using ftp, scp, or sftp.

You will be allowed to log in with your user name and password to perform a limited number of administrative tasks, such as managing your files and checking your disk usage stats. You may type "?" (without the quotes) while logged in to receive some helpful hints.



We Snort; So Should You.

There are many reasons people use the Internet. Some like the possibilities, while others like the anonymity. Like in real life, some just like to cause trouble. Fortunately for everyone else, there are great utilities to detect when trouble is on the way.

One such utility is Snort. Snort is a network intrusion detection system. NYI makes extensive use of Snort to monitor our network usage and make sure that the rest of the Internet is getting along well with NYI. Snort is our network intrusion detection program of choice because of its flexibility and scalability. Snort is able to notify NYI's ever-vigilant staff of anything suspicious, so that we may take appropriate action, from keeping an eye on things, to blocking malicious traffic, or even contacting the responsible party. Snort is able to match traffic passing in or out to the Internet against many predefined rules, and if something looks fishy, you can be sure NYI will know about it and will keep it from becoming a problem later.



Sunscreen For Your Data

Recently New York Internet has integrated firewall capabilities into our colocation and dedicated server offerings. With recent attacks on the largest names in web space, firewall protection will surely benefit almost any installation on our network. New York Internet has chosen to partner with Netscreen Technologies after testing their equipment, as well as Cisco's PIX 520, the Sonic firewall, and the Checkpoint firewall. Features such as stateful inspection of every data packet coming across the ethernet connection at wire speed, a hardened and customized firewall-centric OS, and ASIC-based hardware components make Netscreen the fastest firewall we could find. Rated at 512,000 concurrent sessions, this firewall will be every client's dream come true. Firewall features include:

- Deny any or every packet from every or any IP address
- Deny any or every port from every or any IP address
- Deny any or every packet to every or any IP address
- Deny any or every port to every or any IP address
- Detect SYN attack
- Detect ICMP flood
- Detect UDP flood
- Detect ping of death attack
- Detect tear drop attack
- Detect WinNuke attack
- Filter IP Source route
- Detect port scan Attack
- Detect address sweep attack
- Detect land attack
- Optional blocking of Java/ActiveX/ZIP/EXE components
- Optional URL filtering

With this technology implemented, NYI can also execute VPN solutions for secure communication of your data. Whether you're setting up for LAN-to-LAN or Dialup-to-LAN communication, VPN will increase the level of security.

To create an Autokey IKE VPN: a VPN tunnel's encryption and authentication is actually a two-phase process. Phase 1 covers how the gateways securely negotiate and build the tunnel; the P1 (Phase 1) Proposal sets the terms of that negotiation. Phase 2 sets up how the data passing through the tunnel will be encrypted at one end and decrypted at the other; the P2 (Phase 2) Proposal sets the terms of that negotiation. The encryption method you choose needs to account for both phases, and this process is carried out on both sides of the tunnel.

The predefined Phase Proposals are listed below:

Phase 1 Proposals:
pre-g2-des-md5
pre-g2-des-sha
pre-g2-3des-md5
pre-g2-3des-sha
rsa-g2-des-md5
rsa-g2-des-sha
rsa-g2-3des-md5
rsa-g2-3des-sha
dsa-g2-des-md5
dsa-g2-des-sha
dsa-g2-3des-md5
dsa-g2-3des-sha

Phase 2 Proposals:
nopfs-esp-des-md5
nopfs-esp-des-sha
nopfs-esp-3des-md5
nopfs-esp-3des-sha
g2-esp-des-md5
g2-esp-des-sha
g2-esp-3des-md5
g2-esp-3des-sha




Out of Site, Out of Mind

Sometimes there is no substitute for "just being there". I am referring, of course, to NYI's colocation solution. Well, now you can leverage NYI's IP network and have a visual of your equipment at your fingertips! The Security ViewCam is a web-accessed, environment-monitoring appliance that checks the internal environment conditions of an equipment cabinet such as temperature, humidity, smoke, and airflow. Alarms providing you with advance warning of equipment failure are sent via email and pager when a connected device's condition is out of range. A built-in camera records individuals accessing the rack or cabinet and allows both the customer and technician to easily view the condition of equipment via an internally generated web page. User-defined alarms are sent via pager and email notification to designated personnel.



Security Link Analysis

NYI monitors its network accurately and thoroughly at all times. One of the tools we use for that is Security Link Analysis. This tool lets us monitor multiple network statistics variables concurrently and allows us to predict future network needs and plan for them accordingly. Alarms are generated whenever preset threshold parameters are exceeded, informing us about network exception conditions that may require immediate attention. When clients experience an attack or some strange activity on their IP, NYI can provide them with detailed statistics and graphs of their traffic. If you think there is an issue with your machine, IP, etc., please submit a ticket on our online Helpdesk requesting the Security Link Analysis.

This program monitors and displays a network segment's packet rate, utilization and error rate in real time. Statistical counters for all network detail parameters are maintained in memory, and may be exported to Excel format for tabulation or charting.

The host table maintains each network node's traffic statistics in real time. It keeps MAC, IP network, IP application, and IPX transport layer information in separate tables, all of which may be viewed in table, bar or pie chart formats. The host table can be sorted by any statistical variable of your choice, in either ascending or descending order.

The matrix table maintains network node pair conversation traffic statistics in real time. It keeps MAC, IP network, IP application, IPX network, and IPX transport layer information in separate tables, all of which may be viewed in table, bar or pie chart formats. The matrix table can be sorted by any statistical variable of your choice, in either ascending or descending order.

The traffic map provides a bird's-eye view of the network traffic patterns in real time. It gives a complete graphical presentation of the traffic pattern between network nodes.

The Security Link Analysis Protocol Distribution function allows the reporting of network usage based on the network layer, TCP/IP application layer, and IPX transport layer protocols. Network Layer protocols monitored are IPX/SPX, TCP/IP, NetBIOS, AppleTalk, DECnet, SNA, Banyan, and others. The "TCP/IP Application Distribution" function reports on the percentage or cumulated load of each TCP/IP application as part of TCP/IP traffic. This tool monitors popular applications, including NFS, FTP, Telnet, SMTP, POP2, POP3, HTTP (WWW), Gopher, NNTP, SNMP, X-Window, and others.

Security Link Analysis is capable of capturing all packets at near wire speed. When we use it with various address, protocol, and data pattern filters, it lets us pinpoint network trouble areas accurately and effectively. In particular, the IP address filter provides a powerful way to capture conversations between nodes that span across routers.



Lock and Load

Once you get your new machine, there are some things you might want to look into before you have your computer known to the rest of the Internet. Not everyone on the Internet behaves well, so there are some precautions you should take to secure your machine.

It's important that your machine only performs the services it's supposed to. Every extra thing it does can be looked at as an extra vulnerability. Most new unix installations install a service called portmap, which often is not necessary (unless you're running nfs or rpc services). It'd be wise to leave that turned off. We at NYI make sure to do this when we install a colocated machine for you but it may be overlooked if you do not have NYI install your machine.

Another common practice among Internet delinquents is traffic sniffing. While NYI does its part to minimize the possibility of listening in on network traffic, there isn't anything we can do about the rest of the Internet. One commonly sniffed protocol is telnet. As you may know, telnet allows you to log in remotely to another system. The problem with telnet, however, is that it sends everything, your commands, the system's responses, even your login/password, in plaintext. That means anyone who can see the traffic can see what is being typed. Ideally, this kind of information should be encrypted to keep it from prying eyes. This is where SSH comes in. The Secure SHell service allows you to do whatever you would using telnet, but keeps it secure. Furthermore, it allows you to tunnel other plaintext services through encrypted channels.

At NYI our goal is not only reliable operations but also secure ones. This is why we not only encourage, but recommend SSH usage as an alternative to telnet. Machines installed by NYI have telnet disabled by default, with SSH access available exclusively for your convenience. There are many SSH clients available for just about any operating system you use.

Additionally, once you have your machine running the absolute bare essentials, you can concentrate on the system's internal security. If an intruder does get access to your machine, you want to minimize the chances of them gaining administrative (root) access. The targets of such an attack are usually set-uid and set-gid programs. Such programs are set to run as the root user to do their task and then exit. However, if a malicious user knows how to manipulate poorly written programs, he may be able to get root access (because the program runs as the root user momentarily). What you will want to do is deinstall any insecure programs, especially ones you don't use, and if at all possible, replace them with a more secure version. One such example is sendmail. Sendmail is a well established mail daemon, but it has a history of security holes that are not only locally but also remotely exploitable. At NYI, we encourage the use of alternate mail daemons such as Qmail and Postfix. We do not run sendmail on any critical systems of our own. Any server program that provides a remote service and runs as root needs to be evaluated in your security model to make sure it is really necessary, and whether it can be made more secure by using an alternate version of the server program.



Starting UNIX for Starters

To someone who is new to the world of unix, seeing a unix system boot up for the first time can be a rather intimidating experience. It's a lot less friendly than a typical windows system. Instead, you're greeted with pages full of text that scrolls off the screen before you have a chance to read a sentence of it. Fortunately, what's actually happening isn't as complex as it looks.

The boot loader, usually located among the first few physical sectors of the media, is a small program whose job is to load and execute the kernel of the operating system. The kernel is a program like any other, but it is the heart of the operating system and is responsible for many incredibly critical, yet transparent-to-the-user, tasks: memory management, hardware access, network access, filesystem access, permission checking, and so on. A well-written operating system will make it seem as if there weren't even a kernel running, because everything is so seamless.

The kernel is so important that it's always running and always in memory. Once loaded, it begins execution, and this produces the first page or two of text messages you see when a unix system boots. The text is the kernel's output stating what hardware and drivers it recognizes as it loads. The kernel will then mount (make accessible) a root partition and continue to the next step of the boot process. The kernel itself typically has a special filename such as /unix or /genunix (for Solaris), /kernel (for FreeBSD), /vmlinuz (for Linux), etc.

Once the root partition is accessible, the program /sbin/init is called. Then there are two schools of thought on how the system should proceed to boot up, and different unix systems use one of these two ways. These two different methodologies' origins trace back to the beginning of unix itself.

The first philosophy is used on System V (SYSV) systems, such as Solaris and RedHat Linux. This method is organized around different 'run levels' that the system enters. Each run level is represented as a directory on the system, and each run level directory has a set of scripts (or links to scripts) that perform a function, such as starting one service or stopping another. The scripts themselves are usually in the directory /etc/init.d/ (or /etc/rc.d/init.d/) and are written so that one script can both start and stop a service. To determine which it does, the script's link name begins with S (start) or K (stop), followed by two digits (which determine its order of execution) and a short name. The order of execution is alphabetical/numerical order of the link names. An example is:

-rwxr--r-- 5 root sys 7317 Sep 1 1998 S69inet -> ../init.d/inetinit

The script itself is init.d/inetinit, but the link in the run level directory is called S69inet. This means it would call the script init.d/inetinit with the 'start' parameter and would execute after all K00-K99 and S00-S68 scripts but before any S70-S99 scripts. If the link name had begun with K instead of S, being K69inet, it would call the script init.d/inetinit with the 'stop' parameter, running after K00-K68 scripts, but before any K70-K99 and S00-S99 scripts.

Which run level is entered (and hence, which set of scripts is run) is determined by what needs to be accomplished. The levels are: 0 - run when the system is about to be powered down; 1 - administrative mode, also known as single user mode (level s or S is another name for it); 2 - multi-user mode; 3 - multi-user mode with remote file sharing; 4 - user definable, but not often used; and level 6 - which is used for shutting down and rebooting. The run level that the system normally boots up to is determined by the 'initdefault' line in the file /etc/inittab. The program telinit is called when the system's state (run level) changes.
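To make the K-then-S ordering concrete, here is an added example (not NYI's or any vendor's rc script) that walks a run-level directory the way a SYSV /sbin/rc<N> script does and prints, without executing anything, which script would be called with which parameter and in what order; the directory layout it is pointed at is whatever you give it.

```shell
#!/bin/sh
# Added example, not a vendor's rc script: reproduce how a System V style
# /sbin/rc<N> walks a run-level directory such as /etc/rc3.d. All K* links
# are called with 'stop' first, then all S* links with 'start'; within each
# group the shell's glob expansion yields the alphabetical/numerical order
# the article describes (K20 before K69, S10 before S69 before S85).

# Print one line per link in the order it would be invoked:
#   <link name> <link target> <start|stop>
# $1 is the run-level directory (e.g. /etc/rc3.d). Nothing is executed, so
# it is safe to point at a live system to review what boot would run.
rc_plan() {
    rcdir=$1
    for link in "$rcdir"/K*; do
        [ -e "$link" ] || continue       # unmatched glob or dangling link
        target=$(readlink "$link" 2>/dev/null || printf '%s' "$link")
        printf '%s %s stop\n' "$(basename "$link")" "$target"
    done
    for link in "$rcdir"/S*; do
        [ -e "$link" ] || continue
        target=$(readlink "$link" 2>/dev/null || printf '%s' "$link")
        printf '%s %s start\n' "$(basename "$link")" "$target"
    done
}

# 1-based position of link $2 in the sequence for directory $1, or empty
# if that link does not exist. Handy for checking that a service you
# disabled (removed or renamed its S link) is really gone from the plan.
rc_position() {
    rc_plan "$1" | awk -v name="$2" '$1 == name { print NR; exit }'
}

# Typical use: rc_plan /etc/rc3.d
```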

The other method of booting up is used by the Berkeley System Distribution (BSD) family, such as FreeBSD, and by Slackware Linux. It isn't as rigidly organized, so it's not as complex as the SYSV approach. Instead, init calls a script in /etc called 'rc'. This script, in turn, calls other scripts to handle functions such as bringing the network up (rc.network), checking filesystems, etc. The script rc.local usually runs last.

Once the last of the init scripts has finished running, the system is ready to accept connections and perform the services it has been set up for. If there are services that shouldn't be running (such as portmap), you need to configure your init scripts so they are not started.



Informed Client Is a Satisfied Client

There's a certain appeal to knowing vital statistics about your system(s). That appeal probably has something to do with the fact that you become an informed client and aren't left in the dark. We at NYI not only want you to be a satisfied client, but an informed one as well. For this reason, we worked hard to develop a way for you to view your exact bandwidth usage over four different time intervals (last few days, weeks, months or year) in a convenient and private way. We use an external program (for the curious, it is called MRTG, the Multi-Router Traffic Grapher, written by Tobias Oetiker among others) to collect the relevant numbers from our routers and graph them. Then our system makes your graph or set of graphs available to you using a secure method that ensures your privacy as well as convenience (see example below). Each of your relevant systems has its own graph, displayed neatly one below another with a textual summary for the current time interval, for a quick way to understand exactly what's going on at all times.



Code Red Worm Talk
In the past several weeks, NYI has dealt with a few servers infected by viruses, the most common being the Code Red Worm. We've all been hearing about this recent virus scare in the news; however, it seems that not everybody knows what it is and how to fight against it.

The Code Red Worm is a dangerous virus that can infect any Windows NT 4.0 or Windows 2000 system that doesn't have the latest patch from Microsoft. There are two versions of this worm, Code Red and Code Red II. Though both are serious threats, Code Red II is much more dangerous. It works by exploiting a vulnerability in unpatched systems through a buffer overflow. The first version of the worm would then attack what used to be the White House web site. The second version of the worm is much more harmful. It installs a back-door (a program which allows outsiders to take over your system) onto the system, allowing anyone to take advantage of the system and use it for whatever they intend. Then the program lies dormant until a certain date. Once the virus stops being dormant, it will try to find at least 300 other machines that are not patched and infect them, causing the virus to spread rapidly.

For example, assume one system was originally infected. That single infected system then tries to find 300 other unpatched systems which are not yet infected, and infects them. Once those systems are infected, they all try to infect 300 other systems each. After only the second round of infections, there would be 90,000 machines infected with this worm. These numbers show that every unpatched system either already is infected or soon will be.

Once we started monitoring for the Code Red worm, we realized that some of our clients' machines in our Data Center did not have the patch. Even though this virus has gotten so much media attention, some users have not taken the same measures to protect their machines as others have. The problem with monitoring for this virus is that we can only see that it is on a system when it is actually trying to compromise other machines. While it is in its dormant stage, it is impossible for us to see it on the machine.

The bottom line is: if you have a Windows NT 4.0 or Windows 2000 machine, make sure to get the latest patch. If your machine is not patched, the chances of it not getting infected are slim. The URL to the patch that will fix the vulnerability in Windows NT and 2000 systems is http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
Please note that this patch only ensures that you cannot be infected with the virus. In order to clean up the trojan that the worm leaves behind, it is advisable to update your virus scanner and scan the whole system.



New and Improved HelpDesk

In the ideal world, there would be no problems and everyone would have whatever they wanted when they wanted it. However, in reality things aren't so perfect. At NYI, we recognize this and have worked hard to address it by taking an old idea and giving it a new approach. Whenever you have a question, inquiry or request, it's not very efficient to call in to our headquarters, and if you have done so, you may have been referred to the HelpDesk. The HelpDesk is NYI's online support system, where we can communicate and work together with our clients more effectively to come up with a solution to our clients' changing needs.

At the beginning of August, you may have noticed a new look to this HelpDesk system that we've been using for a few months. This is because it's been entirely re-designed and re-written from scratch by NYI's talented programmers and designers. To make the transition easier, the process by which you open a Support Case (formerly known as a "ticket") is similar, but more powerful and flexible. We hope you will find this system a lot easier to use if ever the need arises to seek further help from NYI concerning your service. A lot of time, thought and effort has been put into re-designing the system to make it the best available. And like any great project, it might still be improved upon. If you have any suggestions as to how you believe the HelpDesk can be made even better, please email us, or live the experience and open up a case online.



A Word on Quote Generators

For the last year, NYI has offered customers what no other ISP has been able to offer effectively: the ability to generate customized quotes, with no obligation, for services such as Hosting, Colocation, and Dedicated Servers. Over the past year, we have added features and allowed for unique specifications that have made our Quote Generators some of the most widely used methods of pricing on the Internet today, with tens of thousands of quotes being generated daily.

Earlier this month, NYI released a redesigned and re-engineered version of its patented Quote Generators. The new design is even easier to use and allows users to follow the progress of the quote up to the time it becomes an order. This process of quote generation eliminates the need for intrusive sales people who have no idea what the customer is looking for. These new generators allow potential clients to become familiar with the various features of our services, which lets the sales process proceed much more efficiently and quickly. NYI will continue to maintain and upgrade our Quote Generators in an effort to provide the most comprehensive quote generating tools available on the Internet today.




Upgrade Center

NYI has created the Upgrade Center for its current clients. This tool is a twin of the Quote Generator except it's only for upgrading the already existing service. It works the same way as the Quote Generator: you choose the options you need, view the price online, and then proceed to order. Please note that the options you choose will be added on to whatever options you had prior to the upgrade.


© 2009 The New York Internet Company, Inc. All Rights Reserved