Archive >> December 2004
OPEN For Business! is all about how you can replace proprietary technologies with superior Open Source alternatives, slashing your costs, vastly improving speed and reliability and, perhaps even more important, allowing you to wrest back control of your IT infrastructure from the proprietary IT suppliers.
Let's make this month's OPEN For Business really topical - after all, they're in the news yet again, in the papers, on the TV.
Yep, we're talking about VIRUSES. And I'm going to show you how, with Open Source software, you can effectively eradicate the problem for your business, once and for all!
Think back. Have you ever had to reformat and reinstall your desktops because of the latest virus epidemic? Have you had your email service taken out, or your web site made unavailable, for days? Have you had inboxes filled with floods of messages like "I sent you this file in order to get your advice" and "Really cool screensaver"? Have you had management screaming at you to get the business back up and, at the same time, users phoning every few minutes complaining about yet another IT failure? Have you ever had those embarrassing interrogations as to why we got hit by viruses, again? And how much time, money and energy did you have to waste trying to fix it all?
Now, just imagine a world where this never happens.
I, and a rapidly increasing number of businesses, already live in that world. You can too. And, guess what, it's simple, very quick and easy to do, and it saves the business a fortune - not only from the cost of virus damage, but also in time, software licences and CALs. Now, won't the business like that!
What's the scale of the problem?:
I've seen many published estimates of the business cost of viruses. Regardless of which you believe, even the smallest estimate comes out at over £6 billion each year! So the damage to business is considerable, each epidemic is worse than the last, and every few weeks or so (like a London bus), along comes another one. Melissa, Sobig.F, Swen, Nimda, FunLove, Code Red, Bugbear, Klez, the list goes on and on and on.
The board, users, management, the IT team, everybody - we all hate them. But we've come to accept them, and expect them. After all, they're a part of computing life, aren't they?
Well, actually NO.
What's the reality of viruses?:
There is a set of widely held beliefs about the virus problem that, over time, seems to have become mainstream virus orthodoxy. They have been repeated over and over, mantra-like, by the vendors, the press and TV, the 'anti-virus' industry and 'technical experts' until they've been adopted by users, management, and perhaps, even by you. They are cherished like religious beliefs.
They are, however, untrue:
- You have been told that viruses are a computer problem. They are not. They are a Microsoft problem.
- You have been told that viruses are an email problem. They are not. They are a Microsoft Outlook problem.
- You have been told that viruses will be as common on Linux when it has Microsoft's market share. They will not. Its architecture makes epidemics effectively impossible.
- You have been told that expensive anti-virus software is the solution. It is not. You've bought it, but you still get them.
- You have been told that viruses are inevitable, part of the computing experience. They are not. They are a consequence of flawed software design.
You've been living in a dream world, Neo!
Time to take the red pill?:
The critical step is to realise that Microsoft software is almost entirely to blame. It is the problem, always has been the problem and, through the fundamental flaws in the underlying design and implementation of the software itself, will always be the problem. So the solution is simple, and blindingly obvious. Replace it!
And this is precisely where Open Source software comes in.
Open Source software doesn't have these problems, never has, and never will. It's simply better software. So you can eliminate your virus problems and, while you're doing that, gain loads of the other crucial business benefits and savings that Open Source delivers. Let's get started.
As usual the Pareto effect, the 80/20 rule, applies - certain areas give you the biggest returns for least effort. They can be tackled first, simply and very, very quickly. This way IT gets a clear, high profile, instant win. Now, there's a first!
Let me give you some examples.
Viruses wreak havoc with, and spread like wildfire around, Windows File and Print servers - so don't use them. Replace them with Samba. Samba does everything that Windows servers do, and then some, but does it far, far better. Samba 3 is now out and has been benchmarked at two and a half times faster than W3K and over four times as scalable. So, not only is it impervious to viruses, it is quicker, more reliable, and more scalable. It also saves your business an absolute fortune in licence fees and CALs.
Most viruses exploit Outlook right there on the user's desktop - so stop using it. Use Mozilla Messenger instead. It's full featured, faster and better and, for all you multi-platform businesses out there, it's available on all of them. You can tailor how it looks (your MD will love that) and, of course, it has shared calendaring as standard. Viruses can't pull the 'Outlook Address Book Trick'. And, guess what, it doesn't lose emails!
Most viruses enter your network via email and pass through your mail server. And Exchange is desperately vulnerable. You should replace it with the far better Open Source alternative. If you really want to save on licence fees and CALs big, big time, this is The One! And, of course, while you're at it, replace ISA (see last month's Open For Business for full details) and you'll gain even more!
Viruses just love IIS. So, whatever you do, don't use it. Deploy Apache instead. You'll gain unprecedented uptimes (years, not weeks) plus see an instant performance increase. It's great to see a server just sitting there, quietly in the corner, simply doing its job, and not needing continual nursing, patching, and maintenance.
Do all this and next time the latest Windows virus epidemic comes around, you'll be sitting, like us, wondering what all the fuss is about! Your users will thank you, your staff will thank you, and your board will thank you. OK. Maybe not. But we all like to dream, don't we!
So there you have it. You've eradicated a massive and costly IT and business problem. No more viruses. Plus you've delivered a far faster, far more reliable service from IT, and cash savings that any Finance Director in any business would die for. It was quick and it was easy - and all simply because it's better software.
Reality check
If you're connecting a couple of networks together, or connecting a network to the Internet, most people would instantly reach for a Cisco router (or, if you were really radical, maybe go for something from Juniper Networks). It's what you do, right?
Wrong!
Have you ever taken a router apart? I know I have. If you were expecting to see real cutting edge hardware for your money in that nice black plastic box, you've yet to find it, right? Hmmm, wonder what all my money's going on . . . I know. It must be the operating system that goes with it. After all, it's really complicated connecting a network to the Internet and running all those weird routing protocols, isn't it? And as for packet filtering, boy, I can see why they have to charge me loads extra to add that to my box. And if I change protocols, like from ISDN to ADSL or Frame Relay, it's obvious that I should need to buy all those special new modules and updates to my software . . . isn't it?
No it isn't! Let's get real. The simple truth is, it really isn't rocket science, and you can actually do everything one of those exclusive, very expensive proprietary boxes does on an old 486. And you can do it better and faster.
Here's what you do. Take a commodity PC or low-end server, install Debian GNU/Linux or your favourite Open Source OS, and then slot in a Sangoma Technologies WAN card. Bingo! Instant router! Not only that, but you've now got a router that can grow, shrink, do anything you want, and handle anything that is thrown at it. More than this, you have just saved your business a great deal of money. We think Sangoma cards are terrific. And that's why we're their UK reseller.
Getting off the treadmill
Let's take one of our clients as an example. They're a very rapidly growing business, naturally with a busy Internet connection. They'd done the Cisco thing and bought themselves a 1603 for the best part of a couple of thousand pounds, but within 6 very short months found themselves bumping up against its capacity. Guess what, they were told they should throw it away and buy themselves a mid-range 3600 series. This was going to set them back another £4-5 K just to get started (not a lot really - when the time comes for them to have their own E3 line they'll be asked a cool £6K just for the adapter module alone!). Then there was the additional training their staff needed, the management toolset the reseller felt they really should have, plus the extra . . . With Ciscos, it can very rapidly get very, very expensive.
That's when the realisation fully set in with our clients. They were on the proprietary suppliers' upgrade treadmill - they would have to do the same thing again, and again, and again, and again.
So we didn't let them do this. We got them a nice little 1U server from Dell and slotted in one of our Sangoma WAN cards - all for less money than they originally spent on that 'entry level' Cisco. Even with their growth rate it lasted over 2 years! When they did finally reach the limit and had to upgrade, we simply swapped the Sangoma card out and put it into another, bigger, box (this time from DNUK . . .). And, since the old 1U server was commodity hardware, we used it for something else! What they've got is a system that knocks spots off any Cisco equivalent and at a fraction of the cost. They love it, the FD in particular.
Open Source, simply better software
Kicking out the Ciscos means more than just up-front savings too. Updating your Linux box doesn't have to cost you anything. But updating your Cisco IOS most certainly will! And, if you want anything extra, other than bog-standard routing, with the proprietary suppliers you're going to have to pay for that as an extra too! That's why our clients don't go that way.
Once your Sangoma card equipped PC has Linux (or perhaps FreeBSD?) on it you can do anything you want. Packet filtering – no problem, just add IPtables. Cost of packet filtering - nothing! Proxying – no problem, just add Squid. Cost of proxying - nothing! Now just try doing that with a Cisco. They'll be laughing all the way to your bank! No wonder they power the Internet. I could on all that money!
But, they say, 'dedicated hardware' - it's bound to outperform a plain vanilla Intel/Linux box, isn't it? Actually, NO. We've seen it in practice, and figures from Sangoma prove it. The figures show the Sangoma card outperforms the Cisco under ALL measures (with small packet sizes, by over 50%!) right up until saturation of the line, when the Cisco eventually achieves parity!
By the way, there's another thing our clients like about doing routing this way. You stick a Cisco into your network and you've got another box, another set of cables, another hop on the way out, and yet another operating system to learn all about (and have you looked at IOS?). Why would anyone want all this complexity, hassle and cost? Stick one of these WAN cards in your Linux box and you simplify the whole thing. It's faster, it's cheaper, and it's a whole lot simpler to set up and administer.
Have a look at Sangoma's home page. It may not be as funny as routergod.com but, if you ever do need a good laugh, there's always Slashdot.
So there you have it. A couple of days' work and you have a router that's as powerful as anything on the market. And, believe me, it really is as easy as that. You've now got a more reliable, simpler and faster solution. You've eliminated another box in your server room, and replaced it with something far easier to administer. You've reduced your exposure to, and dependency on, proprietary technologies and the constant hardware/software upgrade treadmill they force you on. Even more than this, you've saved the business a great deal of money on hardware, support staff time, software licences and 'extra' modules.
This month's OPEN For Business! is the second in our LDAP mini-series. The series is about using directory services to make the administration of your network easier, and potentially, how to replace every bit of proprietary software you may have in the network with better Open Source software, plus how to tie it all together.
Last month we covered what a directory is, and hinted at what you could do with it. This month we will look at the creation of a single user account base and single sign-on initially across all of your non-Windows systems (Linux, Solaris, MacOSX, FreeBSD, HP-UX, etc).
But first you need your LDAP directory! The Open Source world is blessed with the simply fantastic OpenLDAP project. Led by Kurt Zeilenga, the author of most of the RFCs that actually define what LDAP is and how it works, the OpenLDAP server and related tools are one of our best-kept secrets. So it's about time we corrected that...
The OpenLDAP server is a full implementation of the LDAP definition, and has such a vast range of features that are soooo technically wonderful I could go on and on and on for ever. Let's just say it's lightning fast, superbly robust, and does simply everything you could ever need a directory server to do - but without the simply obscene price tag the proprietary vendors seem to enjoy attaching to these things. Of course it's Open Source too, which gives it transparency, extensibility, unlimited customisation potential, and it's guaranteed to never deviate from LDAP's defining standards - not like some other Directory products I could actively mention!
So we've got our OpenLDAP server. Let's get on with populating it! As I mentioned last month, an LDAP Directory enables information about objects to be held in a tree-like organisational structure (a quick tip at this point - the structure you create to hold your users can be anything you like, we recommend you create one that reflects your actual organisational structure). You can then associate key pieces of information with these objects.
Time to make this real. The objects that we are interested in creating are users. If I asked you what your users consist of in IT terms, you'd probably tell me the standard stuff - username, password, home directory, access to this, denied access to that, email account with an email address, etc (funny old view we have of people, right?). Take some time right now, and you'll see that you can soon write a list of stuff defining what a user is on your network. So if we create an object in our directory that represents a user from the IT perspective, the attributes this object must have are the ones that are meaningful in an IT sense - and you've just listed them. All this stuff is well understood, and well thought through.
A central notion in the LDAP world is that of 'schemas'. You've probably noticed by now that I like to explain complex stuff in simple terms. I'm aware that there's a million and one subtleties, and my descriptions are not 'precise' in absolute terms, but we'll leave that argument to the pedants; my descriptions are good enough for where we're going. A schema is a big batch of definitions of well understood attributes, things like telephone numbers, email addresses and passwords. By registering a schema with your LDAP server you can then associate its definitions with your objects. Simple, right? So we start by adding some schemas that represent people (our somewhat odd IT notion of what people look like, that is!) and also that represent an account on a UNIX box. You now have a basic directory service, and you're ready to actually do something with it.
Now we need to move on to the boxes you want to authenticate to your shiny new Directory server. As mentioned, we're going to start with your UNIX, GNU/Linux and BSD machines. By default, these machines have a local account database (/etc/passwd) - a legacy from the early days of UNIX. This database is sometimes exactly what you need, but the truth is, in most cases it's a nightmare to manage. Imagine a network of 500 servers, each with its own user database, each of which needs visiting every time a change happens in your user population. Yuck! Traditionally UNIX solved this with systems like NIS, but this is not truly cross-platform in any trivial-to-implement way, and we want to do waaay better than that, especially when we bring our Macs and Windows boxes online!
The answer is Pluggable Authentication Modules, affectionately known as PAM. The notion is simple... Abstract the authentication layer so that your UNIX system can be authenticated by any method which has a PAM module. PAM makes the method look like traditional UNIX authentication. There are plenty of them, including MySQL, Radius, Kerberos and, for our purposes, LDAP.
Simply better software:
Once your LDAP PAM is plugged into your machine, you can authenticate the underlying operating system against your new Directory. One account base across all your UNIX and GNU/Linux servers - how cool is that? Not only that, but FreeBSD (the world's finest web server!) has had PAM capabilities since release 5, and since MacOSX is based on a BSD core, it can participate in this scheme too.
There's only one significant OS missing from your new account management paradise... It’s OK. Don't worry, we’re going to hit them next month! I'll show you how to extend your new Directory to enable logons to your Windows servers and desktops. These logons will be with exactly the same accounts you've just set up to enable logons to your UNIX, GNU/Linux and BSD machines. Single identity across all of your platforms - now won't that be nice? We'll do all this without you having to buy one of those ridiculously expensive directory solutions from one of the proprietary vendors. It'll do it better. And it's all because it's simply better software.
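To make the move from per-machine /etc/passwd files to directory entries concrete, here is an added example (not code from the original article or from the OpenLDAP project) that turns passwd lines into LDIF user entries. The base DN, the UID cut-off of 1000, the sample accounts and the choice of the inetOrgPerson and posixAccount object classes are assumptions made for illustration; system accounts such as root stay local, and password fields are never copied.

```python
import base64
import re

# Constructed sample in /etc/passwd format (not taken from the article).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Example,,,:/home/alice:/bin/bash
bob:x:1002:1002:Böb Builder:/home/bob:/bin/sh
ev il:x:1003:1003:Bad Name:/home/evil:/bin/sh
"""

BASE_DN = "ou=People,dc=example,dc=com"  # assumed directory suffix
MIN_UID = 1000                           # assumed start of human accounts
LOGIN = re.compile(r"[a-z_][a-z0-9_-]{0,31}")   # strict: safe inside a DN
NUMBER = re.compile(r"[0-9]{1,10}")
# RFC 2849 safe string: printable ASCII, not starting with space, ':' or '<'
SAFE = re.compile(r"[\x21-\x39\x3b\x3d-\x7e][\x20-\x7e]*")


def ldif_line(attr, value):
    """Return one LDIF line, base64-encoding values LDIF cannot hold raw."""
    if SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def passwd_to_ldif(passwd_text):
    """Convert passwd lines to LDIF; return (entries, skipped_logins)."""
    entries, skipped = [], []
    for raw in passwd_text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line
        login, _pw, uid, gid, gecos, home, shell = fields
        ok = LOGIN.fullmatch(login) and NUMBER.fullmatch(uid) and NUMBER.fullmatch(gid)
        if not ok or int(uid) < MIN_UID:
            skipped.append(login)  # system account or unsafe login name
            continue
        full_name = gecos.split(",")[0].strip() or login
        entries.append("\n".join([
            f"dn: uid={login},{BASE_DN}",
            "objectClass: inetOrgPerson",   # the "person" view of a user
            "objectClass: posixAccount",    # the UNIX account view
            ldif_line("uid", login),
            ldif_line("cn", full_name),
            ldif_line("sn", full_name.split()[-1]),
            ldif_line("uidNumber", uid),
            ldif_line("gidNumber", gid),
            ldif_line("homeDirectory", home),
            ldif_line("loginShell", shell),
            # userPassword is deliberately not migrated from passwd/shadow
        ]))
    return entries, skipped


if __name__ == "__main__":
    ldif, left_local = passwd_to_ldif(SAMPLE_PASSWD)
    print("\n\n".join(ldif))
    print("# left in local /etc/passwd:", left_local)
```

Passwords would be set in the directory afterwards over an encrypted connection, and keeping root in the local file means a machine can still be administered when the directory is unreachable.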