Consulting: we specialise in deploying Open Source alternatives to ISA.
Training: we can train your staff to do it themselves.
Support: we're happy to offer support and advice for businesses keen to replace ISA themselves.
The Sirius Way - 8 Steps for Success
Ensure the deployment strategy matches business strategy. - Never deploy technology for technology's sake.
Get the business on board. - Achieve full buy-in and commitment, by targeting clear business benefits.
Plan the 'when'. - The when is crucial. - Know business cycles, windows, and people availability. - Ensure contingency is built-in, right from the start.
Be ready for the unexpected. - Have a clear, agreed, documented backout plan.
Never rely on enthusiastic amateurs. - Have access to proven, high quality, on demand, professional support.
Document the deployment. - Continually learn and improve. - Six months down the line, you'll know what you did!
Measure the results. - And publish them so they are open, visible, and seen by the business.
Celebrate success. - With your IT team and with the business.
Technologies
Squid
Squid is a caching proxy server. Most companies require some or all of their users to have web access, but do not wish to attach modems to every single user's machine. Users' web browsers are pointed at the proxy server, which downloads web pages on their behalf and serves them to their browser. A caching proxy server saves a copy of all web sites it has downloaded so that next time a user requests one, only files that have changed need to be downloaded again. Caching will, over time, save a company a huge amount of bandwidth, as most users view the same sites and certain sites are viewed again and again. Squid is:
a full-featured Web proxy cache
designed to run on Unix systems
free, open-source software
the result of many contributions by unpaid (and paid) volunteers
Squid supports...
proxying and caching of HTTP, FTP, and other URLs
proxying for SSL
cache hierarchies
ICP, HTCP, CARP, Cache Digests
transparent caching
WCCP (Squid v2.3 and above)
extensive access controls
HTTP server acceleration
SNMP
caching of DNS lookups
Iptables
Iptables does stateful packet filtering. Packet filtering is the process of inspecting incoming and outgoing network traffic to see whether it is allowed according to some security ruleset. Stateful packet filtering is an enhancement whereby packets can be accepted or denied depending on recent history (this helps protect against certain kinds of attack). The intention of this is to define which services (e.g. email, web access) are allowed to pass the packet filtering machine, and which services (e.g. network logins, access to files on the network, etc.) are denied. Packet filtering is perhaps the most important function of any product purporting to be a firewall. Iptables runs under the Linux operating system. The netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem. It delivers you the functionality of packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and packet mangling.
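As an added example (not code from this page or from the netfilter project), here is a minimal stateful ruleset in shell that does what the paragraph describes: replies to connections the host opened are accepted, new connections are accepted only for the named services, and everything else is dropped and logged. The single-interface layout, the port list in ALLOWED_TCP_PORTS (25 and 80 standing in for "email, web access") and the names IPT, apply_rules and APPLY are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the page or the netfilter project): a minimal
# stateful ruleset. Assumptions: one interface, SMTP and HTTP are the
# "allowed" services, everything else inbound is denied. The names IPT,
# ALLOWED_TCP_PORTS, APPLY and apply_rules are chosen for this example.
IPT="${IPT:-iptables}"
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-25 80}"

apply_rules() {
    # Start from a clean filter table with deny-by-default policies.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT

    # The stateful part: accept packets belonging to connections this host
    # already has in its connection table (and related ones, e.g. ICMP
    # errors or FTP data channels); drop packets that claim to belong to a
    # connection the kernel has never seen.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # New connections are only accepted for the explicitly allowed services.
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Rate-limited log of what the default policy is about to drop, so that
    # denied services (network logins, file-sharing probes) show up in syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Dry run by default: print the commands instead of executing them.
# Applying for real (APPLY=yes) needs root and a working iptables.
if [ "${APPLY:-no}" != yes ]; then
    IPT="echo $IPT"
fi
apply_rules
```

Run as-is the script only prints the iptables commands; `APPLY=yes sh fw.sh` as root applies them. The INVALID drop and the "fw-drop:" log prefix are the parts a defender keeps: the prefix is what you search for in syslog to see which denied services are being probed.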
SpamAssassin
SpamAssassin(tm) is a mail filter to identify spam. Using its rule base, it uses a wide range of heuristic tests on mail headers and body text to identify "spam", also known as unsolicited commercial email.
The spam-identification tactics used include:
header analysis: spammers use a number of tricks to mask their identities, fool you into thinking they've sent a valid mail, or fool you into thinking you must have subscribed at some stage. SpamAssassin tries to spot these.
text analysis: again, spam mails often have a characteristic style (to put it politely), and some characteristic disclaimers and CYA text. SpamAssassin can spot these, too.
blacklists: SpamAssassin supports many useful existing blacklists, such as mail-abuse.org, ordb.org or others.
Razor: Vipul's Razor is a collaborative spam-tracking database, which works by taking a signature of spam messages. Since spam typically operates by sending an identical message to hundreds of people, Razor short-circuits this by allowing the first person to receive a spam to add it to the database -- at which point everyone else will automatically block it. Once identified, the mail can then be optionally tagged as spam for later filtering using the user's own mail user-agent application.
SpamAssassin requires very little configuration; you do not need to continually update it with details of your mail accounts, mailing list memberships, etc. It accomplishes filtering without this knowledge, as much as possible. The distribution provides a command line tool to perform filtering, along with Mail::SpamAssassin, a set of perl modules which allow SpamAssassin to be used in a wide range of products.
SpamAssassin lives at spamassassin.org or in CPAN, and is distributed under Perl's Artistic license. ('SpamAssassin' is a trademark of Network Associates, Inc.)
Features
Wide-spectrum: SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
Free software: it is distributed under the same terms and conditions as Perl itself.
Easy to extend: Rules, weights and user-visible text are stored in text configuration files as much as possible, which the user (or sysadmin) can edit to modify or add new rules.
Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API. As a result, it's not limited to the traditional local-delivery-to-spool case; using the Mail::SpamAssassin classes, it can be used in a wide variety of setups. This means that SpamAssassin support is available for a variety of mail systems -- traditional procmail, a Mail::Audit plugin, qmail, MIMEDefang, Postfix, and many others.
Snort
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture.
Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.
Webmin
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can set up user accounts, Apache, DNS, file sharing and so on.
Links to Key Projects
All of the key Open Source technologies that enable you to replace ISA are linked to below:
Contents:
Setting Up An OpenLDAP Server
Install Master Server
Secure Master Server with SSL/TLS
Populate Master Server
Summary of User Object Classes and Attributes Table
Install Slave Servers
LDAP stands for Lightweight Directory Access Protocol. OpenLDAP is an Open Source project that uses LDAP to deliver a fast, free, distributed directory service to organisations without locking them into dependence upon a single software vendor.
For example, prior to the use of centralized directory services, separate directories were required for the domain itself, mailboxes, remote access, databases, and other applications. OpenLDAP enables a systems administrator to make a single entry in a directory which then gives a user account access to the network, their email, corporate CRM systems or other mission-critical applications. In short, by using OpenLDAP as a multi-purpose directory an organisation enables single sign-on for its users. Once a user is authenticated by the network using OpenLDAP, they automatically unlock all of the applications or services they have been enabled for.
Why use LDAP?:
Single source of authentication.
Simplifies administration.
Obviates need for baroque/homebrew user account replication.
Replacement for NIS, /etc/passwd, /etc/groups, /etc/shadow, NT users/groups, etc.
Platform agnostic.
Can be back-end for authenticating most services (email, ftp, proxy services, etc).
Can be used for much more than just authentication (HR, phone lists, address books, etc).
Basically, the process is:
Set up OpenLDAP server
Configure UNIX Hosts for LDAP Logins
LDAP enable Samba PDC For NT/2000 Workstations
Credits:
The following people were involved in the production of this HOWTO: Regan Burke
Setting Up An OpenLDAP Server
Install Master Server:
The latest stable version (currently 2.1.16) of OpenLDAP can be downloaded from here.
The Administrators Guide (essential reading) may be downloaded from here.
Source Install Under Solaris 8:
Solaris 8 is quite broken out of the box. We strongly suggest you immediately implement the sage advice found in fixsolaris8.txt before continuing.
Download the latest stable release, then:
./configure
make depend
make
make install
Source Install Under Debian GNU/Linux 3.0:
You will need the following packages installed prior to building the OpenLDAP server (apt-get is your friend!):
gcc
automake
autoconf
autotools-dev
m4
autoconf2.13
libtool
libtdl3
libtdl3-dev
You will also need to build the Berkeley DB software from source
Download latest stable release (currently 4.1.25) from here and un-gzip it into wherever you build your local software (say /usr/local/src)
cd to the 'build_unix' directory
../dist/configure
make
make install
Download the latest stable release and un-gzip it into wherever you build your local software (say /usr/local/src), then:
./configure
make depend
make
make install
Non-Source Install Under Linux:
Debian:
The required packages are:
libldap2
slapd
libiodbc2
ldap-utils
Install using apt-get or dselect. Configure according to the Debian-specific documentation. The slapd.conf file may require some further editing. Firstly you will need to decide which schemas to include. The core.schema must always be included. If you wish to support Solaris 8, you must include the cosine.schema, nis.schema, inetorgperson.schema and the solaris.schema. The nis.schema supplied with the distribution is borked; please contact us for a replacement. If you intend to support Solaris 8, please contact us. If you intend to use Samba, please contact us for the correct schema. They should be placed in /etc/ldap/schema along with the others. The latest Debian unstable also has migrationtools.
Secure Master Server with SSL/TLS:
This section has not been completed. please contact us for further details.
Populate Master Server:
How the server is populated depends on which operating systems you wish to support authentication on. Currently, this HOWTO covers Linux, FreeBSD, Solaris 8 and the various incarnations of Microsoft Windows. It is possible (and desirable) to keep non-authentication related information in your server, such as addresses, email details, and even staff photos(!) if you want to. You will also have to make decisions on the structure of your LDAP server in terms of groupings of entries.
Set up base dn with appropriate object classes and attributes.
Set up organisational units (e.g. People, Groups, Machines, etc.) with appropriate object classes and attributes.
Add individual entries for People, Groups, Machines, etc.
Please contact us for an example setup file to create the top level plus our suggested organisational units. Obviously, you will need to customise this file to match your own organisation. When you are happy with it, it can be installed to the ldap server by issuing the command
Where 'yourserver', the domain components (dc's), and p455w0rd are suitably adjusted for your site. yourserver may be a hostname or an ip address.
User Accounts:
The minimum object classes needed for UN*X clients to authenticate UN*X users against the LDAP server are top, posixAccount and shadowAccount. The definitive guide to these (and other) object classes is RFC 2307.
Suggested object classes to include for a user:
top person organizationalPerson inetOrgPerson account posixAccount shadowAccount sambaAccount
Change the value of the following parameters to 2147483647: logoffTime, kickoffTime, pwdMustChange.
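The HOWTO's own setup file is not included on this page, so the following is an added example rather than that file: a shell function that emits an LDIF for the base DN, the organisational units suggested above (People, Groups, Machines) and one user carrying the UN*X object classes from the list (top, person, organizationalPerson, inetOrgPerson, posixAccount, shadowAccount; sambaAccount is left out because it needs the Samba schema), and a second function that loads it with ldapadd. The values dc=example,dc=com, "Example Ltd", ldap://yourserver, cn=admin, the user jdoe and the names make_ldif and add_to_server are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the HOWTO's setup file. Builds an LDIF containing the base
# DN, the suggested organisational units and one user with the UN*X object
# classes, then loads it with ldapadd. All values below are constructed
# placeholders; adjust BASE_DN, ORG, LDAP_URI and ADMIN_DN for your site.
BASE_DN="${BASE_DN:-dc=example,dc=com}"
ORG="${ORG:-Example Ltd}"
LDAP_URI="${LDAP_URI:-ldap://yourserver}"
ADMIN_DN="${ADMIN_DN:-cn=admin,$BASE_DN}"

# make_ldif UID UIDNUMBER GIDNUMBER "COMMON NAME" SURNAME
# Writes the directory skeleton plus one user entry to stdout.
make_ldif() {
    uid="$1"; uidnum="$2"; gidnum="$3"; cn="$4"; sn="$5"
    # First domain component of the base DN, required by the dcObject class.
    dc=$(printf '%s' "$BASE_DN" | sed 's/^dc=\([^,]*\).*/\1/')
    cat <<EOF
dn: $BASE_DN
objectClass: top
objectClass: dcObject
objectClass: organization
dc: $dc
o: $ORG

dn: ou=People,$BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: ou=Machines,$BASE_DN
objectClass: top
objectClass: organizationalUnit
ou: Machines

dn: uid=$uid,ou=People,$BASE_DN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $cn
sn: $sn
uidNumber: $uidnum
gidNumber: $gidnum
homeDirectory: /home/$uid
loginShell: /bin/sh
# Replace the placeholder with a real hash, e.g. the output of: slappasswd -s 'the-password'
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
EOF
}

# add_to_server LDIF_FILE [SECRET_FILE]
# Simple bind as the admin DN, reading the password from a 0600 file rather
# than putting it on the command line where ps would show it to other users.
add_to_server() {
    ldapadd -x -H "$LDAP_URI" -D "$ADMIN_DN" -y "${2:-/etc/ldap.secret}" -f "$1"
}

# Stand-alone run: print the LDIF so it can be reviewed before loading.
# To load it:  make_ldif jdoe 10001 10000 "Jane Doe" Doe > base.ldif && add_to_server base.ldif
make_ldif jdoe 10001 10000 "Jane Doe" Doe
```

Two points worth noting. The `-y` option of OpenLDAP's ldapadd reads the bind password from a file; if your version lacks it, `-W` prompts for it interactively instead. And a simple bind over plain ldap:// sends the admin password in the clear, so once the SSL/TLS section above is in place add `-ZZ` to require StartTLS on the connection.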
The pam_ldap module enables the client operating system to authenticate against your LDAP server, whilst the nss_ldap module enables the client operating system to retrieve session information (GECOS field type information) from your LDAP server. Configuration is different under each client operating system, and depends upon whether you compile from source or use precompiled modules if available.
A basic intro to PAM may be downloaded (pdf format) from here.
Further detail on the Linux implementation of PAM may be found here.
Sun (who started it all) have a web page here.
The Linux-PAM System Administrators' Guide may be found here.
Source Install Under Solaris 8:
Make sure that the following programs from Sunfreeware are installed:
autoconf
automake
libtool
libiconv
m4
Download PADL Software's pam_ldap and nss_ldap modules source code. Put them in /usr/local/src, or wherever you keep stuff you compile locally. Back up your existing /usr/lib/nss_ldap.so.1 and /usr/lib/security/pam_ldap.so.1 files.
cd into the pam_ldap-152 directory.
Run "./configure"
Run "aclocal"
Edit the Makefile to remove "-llber" on line 115
Run "make"
Run "make install"
cd into the nss_ldap-201 directory.
Run "./configure"
Edit the Makefile to remove "-llber" on line 157
Run "make"
Run "chmod +x install-sh"
Run "make install"
Edit /etc/ldap.conf to suit your site, and add ldap.secret.
Edit /etc/nsswitch.conf.
Finally, the PAM configuration file must be modified. Modify /etc/pam.conf for each service you wish to LDAP-enable. The modifications are quite simple, generally involving adding lines of the form:
type sufficient pam_ldap.so
where type is one of account, auth, password, or session.
Restart nscd with /etc/init.d/nscd restart. The name service caching daemon (nscd) caches LDAP lookups locally to speed up authentication. There is a problem with synchronisation though.
Non-Source Install Under Linux:
Debian:
The required packages are:
libldap2
libpam0g
libpam-ldap
libnss-ldap
nscd
Install using apt-get or dselect.
Debconf will ask you a few questions:
Configuring Libnss-ldap - LDAP Server host - enter the ip address of your ldap server.
Edit /etc/pam_ldap.conf to suit your site. The admin password needs to be in the file /etc/ldap.secret; chmod this file to 0600.
Edit /etc/libnss-ldap.conf to suit your site.
Edit /etc/nsswitch.conf to suit your site.
Finally, the PAM configuration files must be modified. cd to /etc/pam.d/ and modify the configuration file for each service you wish to LDAP-enable. The modifications are quite simple, generally involving adding lines of the form:
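Both the Solaris and Debian sections describe adding "type sufficient pam_ldap.so" lines by hand. As an added example (not from the HOWTO or from PADL), this shell function does that idempotently for a Linux /etc/pam.d/<service> file, inserting each line ahead of that type's first existing module so the pam_unix entry stays behind it as the local fallback, and includes the permission check on /etc/ldap.secret that the chmod 0600 step calls for. The sample service file is constructed, and ldap_enable_service and check_secret_perms are names chosen for the example.

```shell
#!/bin/sh
# Added example, not from the HOWTO or from PADL. Inserts a
# "<type> sufficient pam_ldap.so" line into a Linux /etc/pam.d/<service>
# file, once per type, ahead of that type's first existing module line.
# The demo service file below is constructed for the example.

# ldap_enable_service /etc/pam.d/<service>
ldap_enable_service() {
    pamfile="$1"
    tmp="$pamfile.tmp.$$"
    # Pass 1 (NR==FNR) records which types already reference pam_ldap.so;
    # pass 2 inserts the line for each type that lacks it, so running the
    # function twice does not duplicate anything.
    awk '
        NR == FNR { if ($0 ~ /pam_ldap\.so/) has[$1] = 1; next }
        $1 ~ /^(auth|account|password|session)$/ && !($1 in has) && !($1 in done) {
            print $1 "\tsufficient\tpam_ldap.so"
            done[$1] = 1
        }
        { print }
    ' "$pamfile" "$pamfile" > "$tmp" \
        && cat "$tmp" > "$pamfile" \
        && rm -f "$tmp"        # copy back to keep the file's owner and mode
}

# check_secret_perms [/etc/ldap.secret]
# pam_ldap reads the directory admin password from this file; anything wider
# than 0600 hands that credential to every local user.
check_secret_perms() {
    f="${1:-/etc/ldap.secret}"
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# Demo on a constructed copy of a typical pre-LDAP 'login' service file.
demo=$(mktemp)
printf '%s\n' \
    'auth       required   pam_unix.so nullok' \
    'account    required   pam_unix.so' \
    'password   required   pam_unix.so' \
    'session    required   pam_unix.so' > "$demo"
ldap_enable_service "$demo"
ldap_enable_service "$demo"    # second run must not add duplicates
cat "$demo"
rm -f "$demo"
```

After enabling a service, `getent passwd <ldap-user>` is the quick check that nss_ldap and nscd are answering before you try a login. If users are prompted for their password twice, add `use_first_pass` to the pam_unix.so auth line so it reuses the password pam_ldap already collected.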
Becta cannot account for over £200m of taxpayer's money spent on software for schools according to data obtained under the Freedom of Information Act.
The scheme known as e-Learning Credits (eLCs) was set up to make funds available to schools to buy software from an approved list of titles and suppliers.
By April 2006 schools had received £300 million of funds to buy 'educational software' intended to enhance the curriculum. Operating systems and Office suites were specifically excluded from this scope.
Becta reported on eLCs in the CAB Report to The Secretary of State, Report Number 3 December 2005 and it was the source data for this report which forms the basis of our commentary.
The data is incomplete as a quote from the FOI return from Becta makes clear:
"Detailed analysis of eLC returns suggests that they continue to understate the actual level of expenditure in the market. In particular, we have found that eLC returns appear to underestimate the real level of sales of those who have provided returns by as much as 70% and that there is a significant number of suppliers, some relatively large, who do not submit eLC returns".
The Data
Over 14,500 software titles are listed by Becta:
27% is classified as "Drill and Practice" and are largely aimed at younger students (KS1);
11% of the titles relate to assessment software;
7% is for "exploration" software;
26% is for information resources;
the remaining 29% is not classified according to use or age group.
The eLC returns are for the period January to September 2005.
Commentary
Given the above limitations we have the following observations to make on the data supplied:
The lack of eLC returns means that, in effect, over two thirds of the expenditure with accredited suppliers is not accounted for.
Nearly one third of listed, approved titles are not classified by Becta making judgments as to their suitability hard to make.
70% of sales returned through accredited suppliers are to giant software vendors and to a single ICT hardware supplier to schools. The range of these companies' education portfolios, combined with a single eLC return, makes it impossible to audit which software titles are sold to schools.
In most cases the transparency of supplier status is difficult to ascertain. For example 'Education Bradford' is a wholly owned subsidiary of SERCO, and '3E's Enterprises (Trading) Ltd' whose sales make up one fifth of the total are a wholly owned subsidiary of the City Technology Trust - a DfES accredited supplier for the BSF bids.
Over 45% of eLC sales are to the dominant ICT hardware supplier who is also the QCA’s contractor for the National Curriculum on-line assessment project. This company exclusively supplies software for only one operating system.
A significant percentage of software is for administration purposes (contrary to the original remit). Examples include library management software; skills assessment and (ironically) many thousands of pounds were spent on software to administer proprietary licences.
Where active choices by schools can be audited, the great majority of software purchased divides into: design and technology related software (KS4/Tertiary); music and media related software (KS3-4); and literacy and numeracy software (KS1 and SEN).
Conclusions
The ineffectiveness of the checks and balances put in place to monitor government spending on software in schools has resulted in a huge waste of public money and a distortion of the ICT market in schools.
There is the suspicion, given the low eLC returns, that some companies are not adhering to the Becta guidelines. This assertion is supported by anecdotal evidence from schools, some of which have bought hardware through eLC funds.
Major incumbent suppliers have been the chief beneficiaries of the funds and the market has been unfairly distorted. Smaller companies and free software suppliers have been adversely affected and innovation has been stifled.
The strategy of software-title accreditation in tandem with supplier accreditation is inherently flawed. No data is available to evaluate the impact of eLC software in most areas of the curriculum.
In the absence of evidence to the contrary we regard the eLC project as the silent example of another failed, expensive Government ICT project adding to an already depressingly long list.