To ensure the security of application data, you are advised to divide the openGauss typical network into two independent networks: front-end service network and data management and storage network.
Figure 1 Typical networking
Table 1 describes the network division.
Table 1 Network division
Type
Description
Database management and storage network
The database administrator uses this network to invoke OM scripts to manage and maintain openGauss instances. It is also used for openGauss primary/standby communication networking. The database management and storage network are also used for applications to execute system monitoring.
Front-end service network
External clients access openGauss through this network.
The typical networking has the following advantages:
The service network is isolated from the database management and storage network, effectively protecting the security of back-end storage data.
The isolation between the service network and database management and storage network prevents attackers from managing database servers through the Internet, improving system security.
Network exclusiveness and 1:1 bandwidth convergence ratio are the basic requirements for openGauss network performance. Therefore, in the production system, the back-end storage network shown in Figure 1 must meet the requirements of exclusiveness and 1:1 bandwidth convergence ratio. For example, in Figure 2, the Fat-tree networking is used. To achieve a convergence ratio of 1:1, the bandwidth doubles each time the switching network layer is increased by one layer. In the figure, each bold line indicates the 80GE bandwidth, that is, the sum of the bandwidth upper limits of eight physical machines. At the access layer, each switch provides 160GE downlink bandwidth and 160GE uplink bandwidth. The convergence ratio is 1:1. The access bandwidth of each switch at the aggregation layer is 320GE.
For the test system, the preceding requirements can be lowered.
His Personal Trajectory and Views in Art: An Interview with Alejandro Duque
By Claire Leggett
On October 10th, 2015 we had an incredible opportunity of interviewing Alejandro Duque, an artist from Columbia who recently finished his PHD dissertation in Switzerland at the European Graduate School. We sought to discuss four topics through our interview: how he arrived at the development of his current work/research, the topic of his drone projects, his interest in exploring sound as a medium, and his views on low tech/open source.
—
Alejandro attended the European Graduate School located in Leuk, Switzerand for a PHD developing in his arts practice. His undergraduate degree was done in Columbia. He then did a masters in Spain on media and net based art. His masters work sought to show artworks seen only on a computer from home. He states that the goal was to “deny authorship” as an artist and get away from the “me” mentality that was happening as a trend within artist circles at the end of the 90s. He returned to Columbia after he received his masters, and was a professor at his old university in visual arts for a year and a half. He decided to return to school to do his PHD so he could develop and learn more about the computer as his chosen medium in his artwork, for him, “as a painter would like to learn more about his pencils or his brushes,” he says. He felt he could go a tech route, or he could explore this medium in its history and philosophy, then out of that knowledge, develop in it as a vehicle for ideas. He decided to go with the latter.
He states that his works and research are thus a cross-section between social critique, philosophy and technology: he is processing/presenting the works as a fusion of these. In his drone works he is playing with the ideas of flying being at the surface fun, while presenting the socio-political controversy of drones used as military technology. He films kids throwing stones at drones with several statements including neutrally presenting that it is a time of accessibility of hobby-ing to create one’s own weapons. (The stones, although they seem real in the videos, for safety, they are in fact made of foam to ensure in the filming process no one would be hurt).
For Alejandro, from filming drones to addressing just what the ear captures, his movement to bring sound investigations into his work started from a desire to implement/present sounds that would not easily be heard. This area of investigation has an extremely high allurement for him especially from exploring radio as a medium. He started recording space shuttles going by. Sound defined as ‘in noise’ informs his philosophically approached dissertation. For him, sound is a path to get into another realm, approached through experimentation.
His doctorate took seven to eight years and his most influential professor came from approaches which encourages experimentation in artworks. Through his masters and PHD, he states he learned to emphasize discoveries achieved in the process and collaboration of executing the concept at hand vs. striving just for an end result. Even though the end result is still important, the process guides you to this point not visa versa. He states that his task is to decolonize with art. To achieve this in a healthy work-life balance, he shares that “[he] fights [his] own fight to secure that space” to create the work that is needed, to have free time and to experiment.
We concluded with Alejandro’s views on the use of open source in art today. He says in terms of artists even approaching writing about their work that we live in a time of “how to” and not a time of manifestos. As for ideologies: he esteems a value of open source materials, as they are resources that people create in their free time curtailed out of their passions. As an example, open source code he says, is actually artistic in nature. He states that additionally with these resources that there is immediate collaborative potential. The artist can re-purpose or integrate the open source code into their work. For him, artists have an ethical call to make in protecting the rights to their work or not/in making decisions if people pay to use the artist’s ideas or not. He uses the example of the book Do lt (curated by Hans Ulrich Obrist), which walks you through principles on curatorial methods, but, if used, you have to pay for the rights to follow the curatorial instructional steps. He finds this extremely ironic and harkens that using creative commons and copy left, for example, instead are excellent principles to follow to further Art.
To further gain access to his writings on these topics and more, Alejandro states that he aims to have his dissertation accessible online in the form of a free-download in the next year.
To hear the full interview: Conversations on Low Tech with Artist Alejandro Duque
Verifying CRIME, SSLv2 and Plain Text TLS Injection with OpenSSL
So this is a tutorial on how to install Openssl from source on a Debain system with a few easy modifications so that you will be able to test for CRIME, SSL version 2 and TLS plain text injection.
First, you’ll need to make sure you have these programs installed:
Next, you’ll need the source code to OpenSSL. After this is downloaded, you’ll need to move into the openssl directory:
$ apt-get source openssl
$ cd openssl-*/
SSLv2
SSL version two is an outdated SSL protocol that is filled with problems. For this reason, Debian and other Linux distributions disable SSLv2 in openssl by default. While this is a nice gesture to prevent users from making insecure ciphers, there are those of us that need to be able to check for said ciphers. So we’ll be adding the support back in.
First, from the openssl directory, remove all patches:
$ quilt pop -a
Now we need to remove where the no-sslv2 patch is mentioned inside of the files debian/patches/series and debian/rules.
In debian/patches/series, just take out the entire line where no-sslv2 is mentioned. In my case the file originally looked like:
default_bits.patch
ssltest_no_sslv2.patch
cpuid.patch
and after the change it became:
default_bits.patch
cpuid.patch
aesni-mac.patch
Also remove just the no-ssl2 from one line in debian/rules:
Now that all instances of the no-sslv2 patch have been removed, we can put the remaining patches back into place:
$ quilt push -a
If you were to stop at this point in the tutorial, upon installing you would be able to successfully issue the command:
$ openssl s_client -ssl2 -connect
If the connection is made, the server is configured to use SSL version 2.
TLS Plain Text Injection
TLS plain text injection is a vulnerability where if a command is injected in plain text before an encrypted authenticated session begins, the command is run after the encrypted session has started. Wietse Venema,describes it in detail here: http://www.postfix.org/CVE-2011-0411.html and gives a quick way to modify the openssl source to check for this issue. At this link, you can find out how to replace the -starttls smtp flag to test for TLS plain text injection. However by following that guide, you’ll be losing the previous functionality. So instead, I’ll be showing you how to add a few new commands: -starttls smtpi and -starttls ftpi that will add the a TLS injection check without losing any of the old openssl functionality.
Open apps/s_client.c in your favorite text editor (I’m rather partial to VIM). We are pretty much going to change the source of this file anywhere PROTO_FTP or PROTO_SMTP are used. So in vim I searched for PROTO_SMTP\|PROTO_FTP to highlight those areas and make them easy to find.
We need to add in the variables PROTO_SMTPI and PROTO_FTPI, just yank and put (copy / paste) the PROTO_SMTP and PROTO_FTP lines, stealing their format, and add the “I” to the end of them. Here is what it looks like on my screen (lines 550 and 554). The top part of the split screen is the original, the bottom is after the modification.
The next occurrence of our search term is where it checks what command line argument you passed to -starttls. We just need to copy the same format again and add options for smtpi and ftpi. Make sure to make the smtpi an else if, since there can only be one if. The following is what it should look like after you are done (new lines: 911, 912, 919, 920 )
Next up is a list of if statements to check which protocol you are using for -starttls so we can send the appropriate message to the server. This section is a bit more complicated, so play close attention to the code. For smtp the code looks like:
This means the same code will execute for smtp or smtpi. Now we just need to change the way the code in this if statement works:
So now, if starttls_proto==PROTO_SMTPI is given, it will append the harmless plain text command RSET to the STARTTLS command. By adding this, we will not lose our normal -starttls smtp functionality.
Nearly the same thing is done for the PROTO_FTP else if section, only instead of RSET you will use a NOOP command for no-operation.
and
Go ahead and save the file. If you were to stop at this point in the tutorial, upon installing you would be able to successfully issue the command:
$openssl s_client -starttls ftpi -connect
Upon making the connection, openssl will print out information on the cipher. There will be a line that is just two dashes (“–”) and then a 220 response. The 220 response is saying the server connected to you and is happy. Now if there is another line that says “220 Command okay.” that means it also revived and executed your NOOP command which was sent in plain text, and thus the server is vulnerable.
CRIME
CRIME is a vulnerability in SSL compression. If a web server supports SSL compression then it is vulnerable to the CRIME attack. If you just do an apt-get install openssl you probably don’t have zlib enabled, so openssl will not try to use compression while connecting to a server. To make sure you have zlib, just configure with the the parameter “zlib” and “zlib-dynamic” as so:
$ ./config zlib zlib-dynamic
Now if you were to install at this point, whenever you use s_client to connect to a server, openssl will automatically try to use compression. If you see “Compression: gzip” then the server supports SSL compression and is vulnerable to CRIME. However, if you see “Compression: None” it is not vulnerable. Installing
Run the following commands to install your changes. From the openssl directory do the following.
Update the source:
$ dch -n 'sslv2, tls injection and zilb'
Record the changes in the source tree: $ dpkg-source –commit
Build the package: $ debuild -uc -us
Install: $ cd ../ $ sudo dpkg -i *ssl*.deb
That’s it! Now openssl can test for SSLv2, CRIME, SMTP TLS plain text injection, and FTP TLS plain text injection, all without breaking the other wonderful things we love about openssl (such as testing expired certificates, self-signed certificates, weak ciphers and more). One tool to rule them all.
Open source framework with an awesome feature set; push notifications, data synchronization, track and verify in-app purchases, Passbook, and logging and analytics.
Кое-что в работе программиста повторяется. Например, куски кода. Или сложные запросы к базам данных. Кое-что из этого программист держит в голове. Но большую часть приходится искать либо в поисковике, либо в своем старом коде. На эти операции тратится приличное количество времени.
А если заготовить все эти куски кода, команды и лучшие практики заранее? Если всегда держать их под рукой в удобном виде? Тогда программист сможет сэкономить на поисках кучу времени.
В этом репозитории лежат сниппеты для типичного веб-разработчика. Предполагается, что разработчик имеет дело с front-end и back-end кодом приложений и Debian-based Linux дистрибутивами.