When doing I/O intensive processing on Linux systems, I’ve found that creating a RAM based filesystem can substantially improve processing times. Of course nothing but the transitory processing data should be written to the fake filesystem to avoid data loss in the case of unintended dismount or system crash.

mount -t ramfs ramfs /tmp/ramfs -o size=4m

Start of my InfoSec article journal and book list

Not really blog worthy, but I decided to start a journal of interesting information security articles or books that I’ve found to be particularly valuable. Not all of them are publicly available, but where I can, I’ll add some links. Really this is just a list of my dog-eared books in no particular order. (-:

Articles

Security Controls That Work; Information Systems Control Journal; Volume 4, 2007

Information Security Standards Foucs on the Existence of Process, Not Its Content; Communications of the ACM; August 2006, Volume 49, Number 8

FrankenSOA; Network Computing; 06/25/07; Page 41

Books

Chris McNab, Network Security Assessment, Sebastapol, CA: O’Reilly Media, Inc., 2004 – Describes a technical assessment methodology which can be used to understand the “threats, vulnerabilities, and exposures modern public networks face.”

Andrew Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt, Upper Saddle River, NJ: Addison-Wesley, 2007 – Information security has been largely justified by fear over the last many years. This book is the single best book I have seen yet which provides a pragmatic guide to using effective metrics in infosec programs and communication with stakeholders. I think that organizations which adopt this type of approach will fare well when infosec spending starts to level off or dry up.

Stephen Northcut, Lenny Zeltser, Scott Winters, Karen Kent & Ronald Ritchey, Inside Network Perimeter Security, Indianapolis, Indiana: Sams Publishing, 2005 – excellent multi-layer book which describes appropriate techniques to layer differing strategies together to provide stronger perimeter defense
.  “Defense in depth is a primary focus of this book, and the concept is quite
simple: Make it harder to attack at chokepoint after chokepoint.”

One can now inexpensively build a fault tolerant firewall cluster that removes any single point of failure in the security policy enforcement points at your security zone boundaries. Synchronous firewall state table updates and an open source version of virtual router redundancy protocol (CARP) gives the ability to seamlessly insert or remove firewalls from a cluster. No more patching firewalls at 2am hoping for the best (or not patching because it’s too hard).

PDF

Soekris Engineering net5501 SBC setup with Linux

2008/09/03

net5501 is a x86 SBC that I ordered with 4 10/100 ethernet ports, 512MB memory, 500MHz Geode LX CPU

Serial console is used for setup of net5501 – BIOS writes to serial port since there is no xVGA port. <ctrl-p> to enter BIOS setup. DB9 pinout:

2 — 3

3 — 2

5 — 5

Use 19,200 bps 8 data bits, no parity, 1 stop

With the Macbook Pro, I use a Keyspan USA-19HS USB <–> DB9 RS232 serial converter (and DB9-RJ45 adapters to implement the null modem configuration and allow me to use an ethernet cable for the serial console <–> Keyspan device.

On OS X (10.5) I use “screen” to provide the serial terminal interface:

$ screen /dev/tty.USA19H1a2P1.1 19200,8

<ctrl-a><ctrl-\> to exit

On the net5501 BIOS, PXEBoot is disabled:

set PXEBoot=Disabled

I setup voyage-0.5.0 on a compact flash card then installed the card into the net5501 – works great the first boot

Default root info: root / voyage

OpenBSD setup info:

http://techblagh.blogspot.com/2008/08/installing-openbsd-43-on-soekris-5501.html

So setting up my shiny new iPhone 3G for IMAPS email was not entirely straight forward.  (-:  There are two complicating factors that I ran into.  For IMAP over SSL (IMAPS) connections to a mail server that is using a digital certificate that is signed by a well known certificate authority AND running on the default TCP port 993, no problems.  You may have a be a bit patient as the mail app on the iPhone accepts the certificate.  For less standard mail server implementations, read on …

I am using a server certificate that is in essence a self-signed certificate – it is signed by CAcert.org, however very few (if any) browsers and mobile devices trust or even know of CAcert.org.  In this case, you will need to be patient while the iPhone mail app finally rejects the server certificate as untrusted.  The dialogue box will acknowledge the mail server certificate is invalid and will ask if you want to continue.  Accept the continue option and eventually (took about 5 minutes for my iPhone) the iPhone will accept the ‘invalid’ certificate.

Now, if you are using a mail server that has IMAPS running on a non-standard port (anything other than TCP 993), you must first establish the connection and have the iPhone accept the certificate over port 993.  Once the mail account is setup initially, then you can go change the port to something non-standard.

Once I get a chance I’ll post some screen shots.