Fusion Authority
The House of Fusion Technical Magazine
Issue: 15

March 20, 2000
March 26, 2000
This is an opt-in magazine. To join, leave or change subscription mode, please visit the signup page. All content of this magazine is copyright Fusion Authority, Inc. It may not be reproduced without permission.

Community
FA Profile: Rain Forest Puppy, Security Specialist, Part II
Marc Funaro's New CFClustering Article
CFUG Announcements
 
News
New Generation Web Architecture for Media Manager Is Based On ColdFusion
New Payment Pipeline Software Supports ColdFusion
REPEAT/Chronicle Communications, Inc. Acquisition of ETA Internet Solutions, Inc. Gives It an Infusion of ColdFusion Expertise
Eye Media, Inc.'s Virtual Auctioneer Software 2.5 to Debut at 'Internet World 2000'
NuMega DevPartner 2.0 Java Edition Supports JRun
Personalization Summit 2000 Nearly Sold Out
 
Tech and Tags
What's New in the Tag Gallery
Windows 2000 Compatibility
HomeSite/Studio 4.5 'Allaire FTP and RDS' is Not Showing Up in File Dialogs
Testing an LDAP Connection
Starting ColdFusion After Setting the Server Java Settings Causes ERROR 2140
Looking At ColdFusion Memory Usage
 
Reviews
When You Can't Afford a Second Chance...
 

Community

FA Profile: Rain Forest Puppy, Security Specialist, Part II

by J. Dinowitz and S.M. Cohen

Most developers who are diligent about the security of their sites have come across the pseudonym "Rain Forest Puppy" (known affectionately as "RFP" in many circles) at one point or another. Among his past exploits was the uncovering, analysis and publication of information on important security holes in ColdFusion. Last week, we presented the first part of this two-part profile.

Playing the Security Game

We asked RFP for his advice on how to approach security issues: "If you're in charge of security, you have to realize that it's not an afterthought. You can't say, 'OK, I've done all the apps, now I'll see if everything's secure.' It has to be consistent, ongoing. Set aside time to check out the forums, BugTraq and NTBugTraq, looking for problems that could affect you. Granted, there's a lot to wade through. Say every Friday, or even twice a week -- just go to the archives and scan the topics to see if there's anything ColdFusion- or Microsoft- or ODBC- or IIS-related."

He also recommends a free service from SANS, at www.sans.org, called Security Alert Consensus. This is a weekly scan of all the archives on BugTraq and the other sites to pull together the applicable data and regurgitate it into usable "solution-centric" chunks: Here's a problem and here's the solution. If there's no known solution, at least the problem is aired so that the user KNOWS that there IS a problem. Subscribers can pick the server and OS platforms needed and what applications to
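The weekly scan RFP describes (go to the list archives, look only for the ColdFusion-, Microsoft-, ODBC- or IIS-related topics) is easy to turn into a repeatable triage pass. The following is an added example, not code from the article, from RFP, or from SANS; the watch-list regexes, the thread-prefix handling and the sample subject lines are all constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the article or from RFP): a weekly triage pass over
# mailing-list subject lines, keeping only those that mention platforms in a
# watch list. The product names mirror the platforms RFP names (ColdFusion,
# Microsoft, ODBC, IIS); the regexes under each are this example's own choices.
WATCHLIST: Dict[str, List[str]] = {
    "ColdFusion": [r"cold\s*fusion", r"\bcfml\b", r"\ballaire\b", r"\brds\b"],
    "Microsoft": [r"\bmicrosoft\b", r"\bwindows\s*(?:nt|2000)\b", r"\bsite\s*server\b"],
    "ODBC": [r"\bodbc\b", r"\bsql\s*server\b"],
    "IIS": [r"\biis\b", r"internet information server"],
}

# Compile once; matching is case-insensitive because subject lines are not
# consistent about capitalisation.
_COMPILED = {
    product: [re.compile(p, re.IGNORECASE) for p in patterns]
    for product, patterns in WATCHLIST.items()
}

# Constructed sample subjects (not real list traffic). Two are replies to the
# same thread and should collapse to one topic.
SAMPLE_SUBJECTS = [
    "[NTBugTraq] ColdFusion RDS admin authentication issue",
    "Re: sendmail 8.9 local root",
    "IIS 4.0 sample application leaks server paths",
    "Re: IIS 4.0 sample application leaks server paths",
    "ODBC driver buffer overflow under Windows NT",
    "Linux kernel 2.2 ptrace race",
    "Microsoft Site Server cross-site scripting",
    "Re: Re: OpenBSD 2.6 install question",
]

# Leading "Re:", "Fwd:" and "[listname]" tags, repeated any number of times.
_PREFIX = re.compile(r"^\s*(?:(?:re|fwd?|aw)\s*:\s*|\[[^\]]*\]\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Strip reply/forward prefixes and [list] tags so replies fold into their thread."""
    return _PREFIX.sub("", subject).strip()


def products_mentioned(subject: str) -> List[str]:
    """Return the watch-list products named in one subject, in watch-list order."""
    return [
        product
        for product, regexes in _COMPILED.items()
        if any(r.search(subject) for r in regexes)
    ]


def triage(subjects: List[str]) -> List[Tuple[str, List[str]]]:
    """Deduplicate threads, then keep only the topics that touch a watched platform."""
    seen = set()
    hits: List[Tuple[str, List[str]]] = []
    for raw in subjects:
        topic = normalize_subject(raw)
        key = topic.lower()
        if key in seen:
            continue
        seen.add(key)
        products = products_mentioned(topic)
        if products:
            hits.append((topic, products))
    return hits


def summary(hits: List[Tuple[str, List[str]]]) -> Dict[str, int]:
    """Count how many watched topics mention each product, for a quick weekly digest."""
    counts = {product: 0 for product in WATCHLIST}
    for _, products in hits:
        for product in products:
            counts[product] += 1
    return counts


if __name__ == "__main__":
    for topic, products in triage(SAMPLE_SUBJECTS):
        print(f"{', '.join(products):<20} {topic}")
    print(summary(triage(SAMPLE_SUBJECTS)))
```

Folding replies into their thread matters more than it looks: a busy thread can produce a dozen "Re:" lines, and the point of the pass is to decide which topics to read in full, not to count messages. The watch list is deliberately short; a term such as a bare "NT" is left out because it matches too much and the digest quickly stops being read.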

How Quick IS "Quick Enough?"

RFP is firm in saying that "You cannot afford ANY time on a security issue. By the time it hits BugTraq or NTBugTraq, it's likely that someone has known about it for months."

RFP also notes that not everyone in the industry reads Phrack: "Some people in the corporate security IT world do, and so does most of the hacker underground. That's why I was surprised when my first Phrack article on ColdFusion was picked up on by someone in the ColdFusion community and [he] contacted me."

Many ColdFusion people come from a corporate, rather than a technical, background and may not know where to go for the resources. For instance, when the CF-Talk list was told about the source code posted to BugTraq, RFP was rather dismayed to get e-mails asking "What's BugTraq? Is there an Allaire BugTraq, a CFBugTraq?" [The BugTraq and NTBugTraq mailing lists were created in 1993 and are considered by many to be THE prime source for security problems on the Internet.]

Getting a Security Education

Many ColdFusion programmers were not programmers to begin with but were drawn from other departments in the company. They've never been involved in programming before. "If you're not involved in programming BEFORE you get into ColdFusion, you may not know anything about the programming community. Where would you go to find out?"

On the other hand, RFP feels that there SHOULD be a division between those who make the Web pages and code the applications and those who maintain the servers, and that it is the server team that should be maintaining server security.

However, learning secure coding concepts (the proper and secure way to make an application) is a matter of education, and, at the moment, there is no clear, viable source for such learning.

"Programmers in general need to learn secure or good programming concepts. Most people think, 'I'm making a Web page, I don't need to think about security.' Or 'We need a ColdFusion template to list files on the web server. No big deal,' and just code it, not thinking about, 'OK, can it be used to gain server access or look up and grab files that they don't need to see?'

"So many people take shortcuts. [But] that shortcut may cause security problems. So you may have to be more formal in it.

"Combine that with the ease of learning ColdFusion. It doesn't take much to start doing development. It's so simple that people can start doing stuff right away, without spending years in programming research. They jump in unaware of programming concepts, as it is, and how to do things securely. They can follow sample apps, rig stuff up, take someone else's stuff, see if it works for them and say, 'Here you go.'

"That's not a bad thing, but at the same time, say, an accountant can learn to do programming simply because we made it so simple to do, and he's just interested in getting things done and out there fast. What are the odds that he's going to have in mind security issues and implications and actually do it right?"

We asked him what he recommends to minimize security problems. "Unfortunately, that's a very hard question. It's going to be very hard to fix, because of the big surge in Internet and computers in commerce. There are people who can do the job, ... but really don't know technically about security concerns.

"It's a matter of research and learning thoroughly what you're doing. There are no classes or institutes that teach computer security. They're starting to show up, but they're not in the mainstream. Wading through something like BugTraq and NTBugTraq is likely to leave someone lost, saying 'OK, here's obviously security problems, holes and solutions,' but it doesn't teach them anything about the PROCESS of finding these problems or WHY they're bad or WHY that's a hole.

"There is nowhere to go, unless you want to sit down and dig through yourself, which is the kind of stuff I'm doing. That's why, in my RDS advisory, I didn't make it into a two-page, 'Here's a hole, created by this script, and here's the solution.' I sat down and detailed out what I tried first, next, etc. It shows the process. Not just the problem, but how I went about finding it."

Traditionally, in many industries, there is some kind of apprenticeship program to learn from other, more experienced workers, but that's just not out there. RFP feels that there's a need for such a thing, but that there's no demand yet. He noted that "A lot of corporations have the attitude or presumption that 'no one will want to hack us.' When I tell them, 'Your web server is insecure; it has a hole in it,' they say, 'Well, we don't think that's a priority because we don't have anything they'd want.'

"But doing security is tricky, because defending is a lot harder than attacking. To attack, all you need is to find one hole. To defend, you have to patch ALL of them, even the ones you maybe don't know about!" Doing it needs both education and experience. "A lot of it is experience, and it's a long term education. You need to know what you're doing so well, knowing how the web server works, knowing the HTTP protocol, getting down to that level, that you get down to where the problems are. If you DO know it well, you kind of KNOW where the security problems are going to creep up, so you're well on your way."

Is Easier Better?

Microsoft in particular has put on a big push for ease of administration. NT 5.0 will feature a bevy of wizards to automate many administrative tasks. RFP believes that that's going to lead to even lesser-experienced administrators. It makes it easier, fine; but is easier necessarily better? "But," he says, "I don't see that there's much we can do about that."

He points out that Allaire's Spectra is similarly point-and-click simple. Is so much delegation of administrative tasks going to lead to longer-term problems?

"It's nice to make things easier, but by making it easier, we're also requiring less experience to operate. Is less experience necessarily a good thing? There's a huge demand in staffing issues. With a little experience and products so easy to use, your people can go off and do better things. That's good for corporations, because they can hire people with less experience, for less money, who can do more things. In the long run, it's kind of scary."

RFP noted that Microsoft has in the past granted its special title of MCSE (Microsoft Certified System Engineer) to a 12-year-old. A junior high school student sat down, read the MCSE texts, and took the six tests, one of which he failed four times before passing it. The MCSE certification is supposed to assure the user that the holder is an experienced IT administrator. Does this child KNOW system administration, infrastructure, corporate IT?

RFP saw something similar while working in the computer repair shop: People would bring in a computer and ask them to install NT. Then, during the course of conversation, he would learn that they were studying for the MCSE.

"I'd think, 'You want to be an NT administrator, but don't know how to install it? You're paying someone else to do it?' And then what happens when they need repairs or upgrades on a holiday when the repair shop isn't open?"

A lot of corporations are hiring the lowest denominator system administrator, who just got his certification, like that 12-year-old to do the job, then they hire a security person with a little more experience. RFP suggests that this may be the best approach, as long as the corporation asks key questions about how that person got his security experience and how thorough it is.

"If you have a staffing issue, where you need to hire a dozen security administrators or a dozen system administrators to maintain your servers, realize that maybe not EVERYONE knows the security end. Try to go the extra step and find someone who DOES know about it and hire him or her." That raises an interesting question. Who are the people who probably KNOW about security and can fit that need? There is a big pool of them, obviously: the hacker community.

The hacker community is not looked upon so favorably, or even understood, yet notable hackers have been hired by IT departments into lead IT positions. Corporations are realizing these are the people who know what they're doing. They are very viable employees and more experienced than half the MCSEs that are being cranked out right now.

Advice from the Expert

We asked RFP to give our readers the benefit of his advice: "The biggest advice I can give anyone is just QUESTION WHAT YOU'RE DOING. Question everything. You're administering a web server; what exactly does that mean? Look at every little detail. Under IIS, there's lots of extra sample apps in virtual directories. What are they? Why are they there? Do you really need them? Question everything.

"My second piece of advice is THE LESS, THE BETTER. Be minimal. If you don't need it, get rid of it. It may or may not be a security problem in and of itself, but if you don't need it, delete it and don't worry about it.

"If you keep those two ideas in mind, you'll be well on your way." He also recommends staying current with as many of the public resources as you can. However, he has a problem with some of even the best of them. For instance, NTBugTraq has published their policy, which is not just to announce ALL security problems, but to put the better-researched security problems and solutions out there.

"My position is that ANY security problems should be out there immediately. Let people know. Even the smallest of problems should be known. If there's any potential of your server being hacked by it, causing potential downtime, people should know about it, not someone deciding, 'Well, it's not a real big one; we'll just let that slide.' Even if only one person has that hole, and that site is hacked and causes two weeks downtime, costing the corporation $2,000 in clean-up costs, recreating content, etc., obviously it's a problem! Withholding security information is detrimental, end of story."

RFP also recommends remembering the old cliche of "You're only as strong as your weakest link." The problem could technically be in a Microsoft database, but if it runs on YOUR NT server, through YOUR ColdFusion program to YOUR site, it's YOUR problem.

You can find out more about RFP at his site, http://www.wiretrip.net/rfp/.


Marc Funaro's New CFClustering Article

Thanks to Marc Funaro, for contributing yet another good resource to the CF community's growing list of resources. His new article, outlining the details of preparing a ColdFusion application to run in a clustered environment, should be of definite help for developers trying to do ClusterCATS. In Marc's own words, "I consider this document a 'work in progress', and welcome your comments." Look for the article at http://www.advantex.net/ColdFusion/CFClustering.htm.


CFUG Announcements

New meetings have been announced at the following CFUGs: New York CFUG (meeting April 11), Northern Colorado CFUG (meeting March 28). See the CFUG page here at Fusion Authority for details.



News

New Generation Web Architecture for Media Manager Is Based On ColdFusion

OAKDALE, Minn.--(BUSINESS WIRE)--March 13, 2000--Imation Corp. has announced a new generation Web-based architecture for Imation Media Manager, the company's media asset management software, based on Allaire's ColdFusion. The company believes that this will dramatically advance Imation Media Manager as a web-based digital asset management system and enable rapid customization and deployment. Scheduled for release in May.

Yahoo Article


New Payment Pipeline Software Supports ColdFusion

ALPHARETTA, Ga.--(BUSINESS WIRE)--March 20, 2000--Atomic Software has announced the availability of a payment pipeline designed to provide seamless integration between Microsoft's Site Server Commerce Edition and Atomic's iAuthorizer payment service. E-commerce sites developed using Site Server can add real time transaction processing by linking the site's order form to Atomic's iAuthorizer payment portal. The pipeline component formats the information needed by payment processors to complete a credit card transaction, is certified on all major payment networks for credit card transactions and supports ColdFusion.

Business Wire Site


REPEAT/Chronicle Communications, Inc. Acquisition of ETA Internet Solutions, Inc. Gives It an Infusion of ColdFusion Expertise

TAMPA, Fla.--(BUSINESS WIRE)--March 20, 2000--Chronicle Communications Inc. has announced that it has acquired, through a newly formed subsidiary, the assets and business of ETA Internet Solutions, Inc., which includes 10 new employees, among them some high-end ColdFusion developers and programmers. Take note, people: It looks like the best way to get experienced ColdFusion programmers is to buy a company!

Business Wire Site


Eye Media, Inc.'s Virtual Auctioneer Software 2.5 to Debut at 'Internet World 2000'

DALLAS, March 21 /PRNewswire/ -- eye media, inc. has announced that it will release Version 2.5 of its Virtual Auctioneer(TM) software at Internet World 2000, April 3-7 in Los Angeles, California. Virtual Auctioneer, built around a proprietary bidding engine created with the Allaire ColdFusion(TM) development environment, offers middle-market companies a powerful and cost-effective packaged solution to support a variety of eCommerce transactions, including Internet auctions, exchanges and online stores.

PR Newswire


NuMega DevPartner 2.0 Java Edition Supports JRun

SAN JOSE, Calif., March 22 /PRNewswire/ -- Compuware Corporation has announced the introduction of NuMega DevPartner 2.0 Java Edition, a suite of software development productivity tools designed to help developers build reliable, high-performance applications with Java technology, including JRun.

PR Newswire


Personalization Summit 2000 Nearly Sold Out

MINNEAPOLIS, March 23 /PRNewswire/ -- Net Perceptions, Inc. is reporting unprecedented industry interest in Personalization Summit 2000, to be held in Boston, April 9-11 at the Marriott Copley Place Hotel. All major sponsorships and exhibit space sold out almost immediately, and registration is nearly maxed out. Virtually every leading company in the personalization space will be represented, as speaker, exhibitor or attendee or, in some cases, all three. Allaire is a Gold Sponsor of this event.

PR Newswire



Tech and Tags

What's New in the Tag Gallery

CF_DealerLocator
Allows you to find dealers in the end-user locality based on zipcodes. Returns all zip code(s) within a specified radius along with relative distance from the originating zip code. The code is available from here BUT the accompanying database MUST be downloaded from http://www.webcaterers.com/dealerlocator.
Random Quote Generator
Really simple way to add random quotes to your site. You can also allow visitors to add quotes. Easy to install just add a datasource and place the CFINCLUDE tag wherever you want the random quotes to appear.
Eazyad
Eazyad is a banner/image rotator that doesn't use a database but an array instead. Eazyad is very quick and easy to set up and maintain.
cf_schedule
Adds or removes objects to/from a known container, using the default scheduling rule.
BannerManager
About as simple as it gets to add, edit or remove banners from rotation within your site. Access database driven, consists of a simple form area where you fill in your account username, password, banner html code and frequency of display. When you have set all the parameters, simply use the CFINCLUDE tag wherever you want banner rotation to take place. Couldn't get any easier.
Rebol color coding scheme
TSyntaxMemo color coding scheme for Rebol scripting language (more info: http://www.rebol.com).
GetPvP
Just like GetDilbert, GetPVP goes to the PVPOnline site and grabs the latest PVP Comic Strip.
GetPennyArcade
A'la GetDilbert, this easy-to-use tag goes out to the Penny Arcade site, and grabs that day's strip.
SQL ProcParam Generator
Cut and paste input parameters declared in a T-SQL procedure into ColdFusion Studio, highlight them and run this script. CFPROCPARAM tags will be generated with the variable names and datatypes already inserted.
ClientDump
Dump your clients! Variables that is. This utility tag is similar to ObjectDump. It displays the current contents of a client's variable scope in a table. Allows you to see any CLIENT scoped variable you have created. The "ALL" option lets you see the Read-Only client variables created by CFAS.
CF_RSS2CF
Converts RDF/RSS files to a handful of CF Structures and a Query to store the actual news items.
Call Logger
Easy to use online call tracking and management system.
DebugMaster
This tag will display all variables that have been created. All levels are supported (like array of struct of array of queries... whatever...)
CF_CONSTANT_WIDTH_SELECT
Builds a cross-browser SELECT box with an absolute pixel width, regardless of content. Corrects for an annoying Netscape shortcoming.
CF_Mod10a
Updated version of original CF_Mod10 tag by Jeff Tapper. Eliminates problems with date interpretation for years after 2000.
AuctionBuilder
AuctionBuilder, a browser-based application that allows users to quickly create, customize, and administer auction sites. AuctionBuilder can simultaneously facilitate multiple auction types, but it also enables multiple auction models as well, from a consumer-to-consumer (C2C) model such as E-Bay, to a business-to-consumer (B2C) model such as OnSale, to any model in between. With source code access, AuctionBuilder can be easily extended to enable enterprise builders to enter the largest of e-commerce markets, the business-to-business (B2B) sector. To evaluate AuctionBuilder, please download the free 30-day demo from our site.
CFX_Excel v2.0
Sends the results of a query to an Excel worksheet. Can be used to send query results to a preformatted Excel file which can be downloaded using CFCONTENT.
CFA_TypeIndexAllKeyUpdate
Updates the all types collection with new content.


Windows 2000 Compatibility

This alert on the Allaire site reminds developers that, if their needs include Windows 2000 compatibility, they will need version 4.5.1 of ColdFusion Studio or HomeSite, both available early Q2, 2000.

Allaire Article 14801

Allaire Article 14800


HomeSite/Studio 4.5 'Allaire FTP and RDS' is Not Showing Up in File Dialogs

If the "Allaire FTP and RDS" can't be seen in the file dialogs in your HomeSite or Studio 4.5, this article will tell you how to fix it.

HomeSite/Studio 4.5 'Allaire FTP and RDS' is Not Showing Up in File Dialogs


Testing an LDAP Connection

This article tells you how to test your LDAP connection for use with ColdFusion.

Testing an LDAP Connection


Starting ColdFusion After Setting the Server Java Settings Causes ERROR 2140

Problem: If you've chosen the option "Load JVM when starting ColdFusion," and your Java Virtual Machine Path setting is wrong, ColdFusion will not start and gives the following message: "ERROR 2140: An internal Windows NT error occurred".

Instructions for correcting this problem at the URL below.

Starting ColdFusion After Setting the Server Java Settings Causes ERROR 2140


Looking At ColdFusion Memory Usage

Let's put this in English: When you've got a problem, and you don't know why, one of the first places to look is at ColdFusion's use of memory. This article goes over what to look for and why.

Looking At ColdFusion Memory Usage



Reviews

When You Can't Afford a Second Chance...

'A Review of NSI Software's Double-Take Mirror/Replication/Failover Software'

Part I

by John Cesta

What is the best way to create a load-balanced webserver?

Which product has the functionality I need to provide my client with clustering and webserver failover?

Where can I find a webserver failover solution that is simple to configure and administer?

These questions and more are popping up with increasing frequency in the discussion forums, mailing lists, and newsgroups that I visit on a regular basis.

A few years ago, our company asked the same questions. So we began our search. We quickly learned that there is no black and white solution and not every product works in any and every situation.

While we didn't know exactly what we wanted, we knew what we didn't want.

Finally, we found Double-Take. While not a total solution (it does not provide load balancing), we found Double-Take's mirroring, replication, monitoring and failover modules to be top notch. And, after our evaluation of Double-Take, we found it to be a very easy-to-install, non-intrusive, software-based solution.

Installation...

Our first and most important question was, "Does Double-Take install any NT system-level components which would require a re-install of our latest service pack?" The answer is a resounding NO. Double-Take installs its own drivers, the key one being dblhook.sys. (Dblhook is the main DT driver. Dblhook allows DT's replication process to operate at the file system level. This lets DT track file changes independently from the file's related application.) Double-Take consists of two fundamental modules -- a source and a target -- each of which runs as an NT service. You may install both on each server. We let Double-Take perform its default installation, which installs both the source and target modules. The installation is quick and easy, almost boring. After installing it two or three times on three or four different servers, I was convinced that its easy, uneventful installation process was not just a fluke.

During the installation, you may elect to start Double-Take's services automatically or manually, and you may set up Double-Take's monitoring and failover capabilities. Double-Take runs three NT services: (1) Double-Take itself (2) Double-Take Logger (3) Double-Take Server Monitor. I've been told by Double-Take tech support that the new 3.1 version only runs 2 services.

As an interface to Double-Take, you are offered a GUI Management Console or a DOS-based text client. Upon launching the GUI console, each server found on the network is represented by a small computer icon sitting quietly in the left window pane. In order to work with each server, you must logon by right-clicking each icon and entering the admin's password.

By using the Properties sheet of the icon, you are able to administer each server's Double-Take properties. Here you can set the Double-Take Startup options: (1) Load source module automatically (2) Load target module automatically (3) Log Statistics. You may also set the source module startup options to: (1) Automatically reconnect during a reboot (2) Perform remirror after auto-reconnect (on reboot).

Most other software failover products we evaluated required two NIC cards (one for regular network traffic and one for the product's proprietary communications) and several hard drives. By default, Double-Take requires only one NIC card in each server. Important NOTE: Should you experience a bottleneck, Double-Take will support two NIC cards per server -- one for regular network traffic and one for Double-Take's mirroring, data replication and failover processes.

Double-Take uses TCP port 1100 to communicate with other Double-Take servers and UDP port 1100 as a heartbeat port (heartbeats allow Double-Take machines to locate each other on the network). TCP port 1105 is used as the failover target communications port. The ports may be changed to suit your particular configuration.

Key features...

Double-Take's key features are its ability to synchronize real-time data -- on two or more servers -- and its monitoring and failover capability. Let's go through each feature. We'll use our company's setup as an example.

The configuration our company uses is quite simple. Our primary Double-Take function is to failover our Web servers. Each set of servers (we maintain a few webserver clusters) contains a source and a target. The source data -- Web pages, FTP data, DNS zone files, and some proprietary programs -- are replicated real-time, and the target runs in a monitor/failover mode. In the event the primary server goes down, the target senses this and takes over its duties -- assuming all IP addresses along the way. Here's how it works:
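Before the walk-through continues, here is the target-side decision the paragraph above describes (the source stops sending heartbeats on the UDP heartbeat port, the target notices and takes over) modelled as a small failure detector. This is an added example for the reader, not Double-Take's code, which the review does not show; the five-second heartbeat interval, the three-miss threshold and the timings in the simulation are assumed values chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FailoverMonitor:
    """Decides whether a source server should be declared down and failover started.

    interval:   expected seconds between heartbeats (assumed; the review gives no figure)
    max_missed: consecutive heartbeat intervals that may pass silently before failover
    """
    interval: float = 5.0
    max_missed: int = 3
    last_heartbeat: Optional[float] = None
    failed_over: bool = False
    events: List[str] = field(default_factory=list)

    def record_heartbeat(self, now: float) -> None:
        """Called whenever a heartbeat from the source arrives."""
        # A heartbeat arriving after failover means the old source is back on
        # the network while the target already holds its addresses. That is
        # flagged for a human rather than silently "un-failing over".
        if self.failed_over:
            self.events.append(
                f"{now:.1f}: heartbeat from source after failover; manual check needed"
            )
        self.last_heartbeat = now

    def missed(self, now: float) -> int:
        """Whole heartbeat intervals elapsed since the last heartbeat (0 if none seen yet)."""
        if self.last_heartbeat is None:
            return 0
        return int((now - self.last_heartbeat) // self.interval)

    def check(self, now: float) -> bool:
        """Called by the target on a timer; returns True when it should take over."""
        if self.failed_over:
            return True
        if self.missed(now) >= self.max_missed:
            self.failed_over = True
            self.events.append(
                f"{now:.1f}: source silent for {self.missed(now)} intervals, taking over"
            )
            return True
        return False


def simulate(
    heartbeat_times: List[float],
    check_times: List[float],
    interval: float = 5.0,
    max_missed: int = 3,
) -> Tuple[Optional[float], List[str]]:
    """Replay constructed heartbeat and timer events in time order.

    Returns (time at which failover was first decided, or None; event log).
    """
    mon = FailoverMonitor(interval=interval, max_missed=max_missed)
    timeline = sorted(
        [(t, "check") for t in check_times] + [(t, "hb") for t in heartbeat_times]
    )
    failover_at: Optional[float] = None
    for t, kind in timeline:
        if kind == "hb":
            mon.record_heartbeat(t)
        elif mon.check(t) and failover_at is None:
            failover_at = t
    return failover_at, mon.events


if __name__ == "__main__":
    # Constructed scenario: the source heartbeats at 0, 5 and 10 seconds, then
    # goes quiet; the target checks every 5 seconds.
    when, log = simulate([0, 5, 10], [5, 10, 15, 20, 25, 30])
    print("failover at", when)
    for line in log:
        print(line)
```

The threshold is the whole design decision: a single missed heartbeat is usually a dropped UDP packet or a busy source, so failing over on it would bounce addresses between servers for no reason, while a very long wait turns a real outage into visible downtime. The detector also refuses to undo a failover on its own when the source reappears, because two servers answering the same IP addresses is harder to clean up than the outage was.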

To Be Continued ... Take a Walk Through Double-Take's Features, in the next Fusion Authority Weekly News Alert


