virtusertable based domain routing

Incoming E-mail messages can be sorted based on the recipient domain name with the virtusertable utility. Because user accounts are not directly associated with any specific domain names, a virtusertable must be used to differentiate between recipient domain names. For example, a virtusertable mapping will allow you to direct E-mail messages for webmaster@mydomain.name and webmaster@subhost.name to different users on your VPS v2.

Configuring Virtusertable mappings

In order to create virtusertable mappings, you must first create a text file in the /etc/mail/ directory of your server (there is a sample file in that directory named virtusertable.sample). This file will contain virtusertable mappings.

Each entry in a virtusertable should be on a single line. The original recipient address on the left hand side, with one or more spaces or tabs separating it from the right hand side, which contains the destination address. Using the example above, the virtusertable mapping would be as follows:

webmaster@mydomain.name     tom
webmaster@subhost.name      steve  

The original recipient is the E-mail address that people will send messages to, and can be either a full address (username@domain.name), or a catch all for all messages to the specified domain (@domain.name). If you want to create multiple virtusertable entries for a single domain, make sure that you put the catch all below any other entries for that same domain name. For example:

webmaster@mydomain.name    tom
support@mydomain.name      someuser@hotmail.com
 john@mydomain.name         john
@mydomain.name             john

The destination address should be a local user, an alias, or a remote E-mail address. You may also use a %1 to indicate that the original user should be prepended to a catch all.

Any time you make a change to the /etc/mail/virtusertable text file, you will need to create a db file that sendmail can read. The following command will create the /etc/mail/virtusertable.db file when run by root:

# makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable

Alternatively, a shorter version of this same command can be used:

# vnewvirtmaps

Example Virtusertable Entries

The following entry would deliver any message sent to floyd@example.com to the local account floydr.

floyd@example.com		floydr

The next entry will deliver a message sent to john@example.com to his personal E-mail account with his ISP.

john@example.com		jfranklin@my-isp.com

Any other E-mail sent to the super-host.com domain will go to Floyd's local account.

@super-host.com			floydr

Anything sent to a user at example.net will be sent to example.com, but will not change the username the message was originally sent to (only the domain is modified).

@example.net			%1@example.com

The following entry will reject mail addressed to any address at the example.net domain that is not defined in the virtusertable file. The sender will receive an appropriate error code plus the description, "User unknown."

@example.net			error:nouser User unknown

MySQL Replication

MySQL Master-Master Replication

1. Now we will set up MySQL with master-master replication. First, set the MySQL root user password on both machines where YOUR_PASSWORD_HERE is replaced with your MySQL root password: 
   

   mysqladmin -u root password YOUR_PASSWORD_HERE

2. Create a user replication and grant it privileges on the database. Replace 10.1.1. with the first three octets of your private IP range: 
   

    mysql -u root –p mysql> GRANT REPLICATION SLAVE ON *.* TO 'replicaton'@'10.1.1.%' IDENTIFIED BY 'slave'; mysql> GRANT REPLICATION CLIENT ON *.* TO 'replication'@'10.1.1.%'; mysql> GRANT SUPER ON *.* TO 'replication'@'10.1.1.%'; mysql> GRANT RELOAD ON *.* TO 'replication'@'10.1.1.%'; 

3. Create the Wordpress database and create a db user and password to access the db other than root, replacingmyblog_wordpress, wpadmin,abcd1234 and 10.1.1. with the appropriate values you previously set: 
   

   mysql> CREATE DATABASE myblog_wordpress; mysql> USE myblog_wordpress; mysql> GRANT ALL ON myblog_wordpress.* TO wpadmin@'10.1.1.%' IDENTIFIED BY 'abcd1234'; mysql> GRANT ALL ON myblog_wordpress.* TO wpadmin@localhost IDENTIFIED BY 'abcd1234'; mysql> FLUSH PRIVILEGES; mysql> quit 

Configuring db01

1. Now configure MySQL on db01 by editing my.cnf conf file: 
   

   vi /etc/my.cnf

2. Modify the file to look like this, replacing myblog_wordpress with the actual name of the database and10.1.1.12 with the private IP of db02. Pay extra attention to the lines with the #Different comments: 
   

   [mysqld] datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock user=mysql # Default to using old password format for compatibility with mysql 3.x # clients (those using the mysqlclient10 compatibility package). old_passwords=1  server-id=1 #Different than db02  log-bin log-bin=/var/log/mysqld/db01-bin #Different than db02 log-bin-index=/var/log/mysqld/db01-bin-log.index #Different than db02 binlog-do-db=myblog_wordpress binlog-ignore-db=mysql binlog-ignore-db=test  master-host=10.1.1.12 #Different than db02 master-user=replication master-password=slave  replicate-same-server-id=0 auto-increment-increment=2 auto-increment-offset=1 master-connect-retry=5  relay-log=/var/log/mysqld/db01-relay-bin #Different than db02 relay-log-index=/var/log/mysqld/db01-relay-log.index #Different than db02  expire_logs_days=10 max_binlog_size=500M  [mysqld_safe] log-error=/var/log/mysqld.log pid-file=/var/run/mysqld/mysqld.pid 

3. Create the log file directories for the new MySQL logging and then restart the service: 
   

   mkdir /var/log/mysqld chown mysql:mysql /var/log/mysqld service mysqld restart 

Configuring db02

1. Now configure MySQL on db02 by editing my.cnf conf file: 
   

   vi /etc/my.cnf

2. Modify the file to look like this, replacing myblog_wordpress with the actual name of the database and10.1.1.11 with the private IP of db01. Pay extra attention to the lines with the #different comments: 
   

   [mysqld] datadir=/var/lib/mysql socket=/var/lib/mysql/mysql.sock user=mysql # Default to using old password format for compatibility with mysql 3.x # clients (those using the mysqlclient10 compatibility package). old_passwords=1  server-id=2  log-bin log-bin=/var/log/mysqld/db02-bin #Different than db01 log-bin-index=/var/log/mysqld/db02-bin-log.index #Different than db01 binlog-do-db=myblog_wordpress binlog-ignore-db=mysql binlog-ignore-db=test  master-host=10.1.1.11 #Different than db01 master-user=replication master-password=slave  replicate-same-server-id=0 auto-increment-increment=2 auto-increment-offset=2 #Different than db01 master-connect-retry=5  relay-log=/var/log/mysqld/db02-relay-bin #Different than db01 relay-log-index=/var/log/mysqld/db02-relay-log.index #Different than db01  expire_logs_days=10 max_binlog_size=500M  [mysqld_safe] log-error=/var/log/mysqld.log pid-file=/var/run/mysqld/mysqld.pid 

3. Create the log file directories for the new MySQL logging and then restart the service: 
   

   mkdir /var/log/mysqld chown mysql:mysql /var/log/mysqld service mysqld restart 

Verify the MySQL Replication Status

1. To verify the MySQL replication, enter MySQL and run the following commands: 
   

   mysql -u root –p mysql> SHOW MASTER STATUS; mysql> SHOW SLAVE STATUS\G 

2. The most important lines to check are the following, which should read "Yes" on both DB servers: 
   

   Slave_IO_Running:  Yes Slave_SQL_Running:  Yes 

3. Also important is the following line from SHOW SLAVE STATUS\G which should match the Position value fromSHOW MASTER STATUS; on the other server. The number may differ from what you see below: 
   

   Read_Master_Log_Pos:  98 

4. MySQL replication usually works well and is extremely useful, but the databases can get out of sync under certain conditions. One thing to try is to issue the following commands on both servers: 
   

   mysql> stop slave; mysql> reset master; mysql> reset slave; mysql> start slave;

Runnig SunJava On Linux (CentOs/RedHat)

By far the most messy thing on CentOS 5.2 is adding Sun's Java.  I have never found great success from the different packages that are out there for installing java.  I prefer to simply use the packages from Sun.

Step (1) : Visit Sun's web site and download the latest version of Java (the *.bin file not the *-rpm.bin) (http://java.sun.com/javase/downloads/index.jsp)(pay close attention if you want the 32bit or 64bit version)

Step (2) :

[user@www]# cd /opt/
  [user@www]# wget "[GIANT_SUN_URL_TO_GET_THE_JAVA_BIN_FILE_x64_IN_THIS_CASE]"
  [user@www]# /bin/sh jdk-6u7-linux-x64.bin

Step (3) : Setup the alternatives correctly

[user@www]# alternatives --install /usr/bin/java java /opt/jdk1.6.0_07/bin/java 2
  [user@www]# alternatives --config java
   
There are 2 programs which provide 'java'.
 
  Selection    Command
  -----------------------------------------------
*+ 1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
     2           /opt/jdk1.6.0_07/bin/java
   
Enter to keep the current selection[+], or type selection number: 2
  [user@www]#

Step (4) : Check to make sure the install was a success

[user@www]# java -version
  java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06)
  Java HotSpot(TM) 64-Bit Server VM (build 10.0-b23, mixed mode)
  [user@www]#

NagiosQL3 Installation

Configure NagiosQL3

Requirements

•   Webserver e.g. Apache 1.x or above
•   PHP 4.3 or above
•   MySQL 4.1 or above
•   Nagios 2 or above
•   PEAR Module: HTML_Template_IT 1.1 or above
•   PHP Extension: gettext
•   PHP Extension: mysql
•   PHP Extension: ftp
•   Javascript enabled at your Webbrowser

Installation

HTML_Template_IT

Pear modules can be installed automatically by invoking the following command (requires Internet access): 

# pear install HTML_Template_IT   

Locales

The NagiosQL translation depends on gnu-gettext and this framework depends on your locale system settings. Make sure you have the appropriate locale installed on your system (e.g. en-GB.utf-8). Please verify that by executing "locale -a". 

NagiosQL

Download and extract

Download the latest NagiosQL Version from www.nagiosql.org and extract the nagiosql-*.tar.gz to a directory accessible by your webserver (e.g. /srv/www/htdocs). A subdirectory "nagiosql" will be created: 

# cd /srv/www/htdocs/ 

# wget http://downloads.sourceforge.net/project/nagiosql/nagiosql/NagiosQL%203.0.3/nagiosql303.zip?use_mirror=nchc

# cp nagiosql303.zip /srv/www/htdocs/ # unzip nagiosql303.zip

Configuration 

Directory Structure

It is recommend to have the following directory structure (you can change the directory names in your NagiosQL Domain Configuration): 

/etc/nagiosql/                  -> Common configuration files "            /hosts         -> Host configuration files "            /services   -> Service configuration files "            /backup/   -> Backups of the common configuration files "         "      /hosts  -> Backups of the host configuration files "         "      /services  -> Backups of the service configuration files 

Nagios

In order to find the configuration files generated by NagiosQL your Nagios configuration must be amended, too. You are free to change the directory names, but be sure to do that in both configuration files (Nagios: nagios.cfg, NagiosQL: Domain Administration). The directory structure (e.g. backup directories below main directories) should never be changed! 
The Nagios configuration file nagios.cfg should be amended to follow the above recommendation: 

cfg_file=/etc/nagiosql/contacttemplates.cfg cfg_file=/etc/nagiosql/contactgroups.cfg cfg_file=/etc/nagiosql/contacts.cfg cfg_file=/etc/nagiosql/timeperiods.cfg cfg_file=/etc/nagiosql/commands.cfg

cfg_file=/etc/nagiosql/hostgroups.cfg cfg_file=/etc/nagiosql/servicegroups.cfg  cfg_dir=/etc/nagiosql/hosts cfg_dir=/etc/nagiosql/services

And optional: 

cfg_file=/etc/nagiosql/hosttemplates.cfg cfg_file=/etc/nagiosql/servicetemplates.cfg cfg_file=/etc/nagiosql/servicedependencies.cfg cfg_file=/etc/nagiosql/serviceescalations.cfg cfg_file=/etc/nagiosql/hostdependencies.cfg cfg_file=/etc/nagiosql/hostescalations.cfg cfg_file=/etc/nagiosql/hostextinfo.cfg cfg_file=/etc/nagiosql/serviceextinfo.cfg  

Permissions

The following file permissions are required to let NagiosQL read and write the Nagios configuration files. In our example the Apache runs as user "www-data" and the group "www-data" as well as Nagios runs by the user "nagios" and the group "nagios". Instead of the below configuration, you could also add the Apache user to the Nagios group. The configuration files are located at /etc/nagiosql. Please amend if this differs from your installation. 

## Nagios Main Configuration Files  # chgrp www-data /etc/nagios # chgrp www-data /etc/nagios/nagios.cfg # chgrp www-data /etc/nagios/cgi.cfg # chmod 775 /etc/nagios # chmod 664 /etc/nagios/nagios.cfg # chmod 664 /etc/nagios/cgi.cfg  ## NagiosQL Configuration

# chmod 6755 /etc/nagiosql # chown www-data.nagios/etc/nagiosql # chmod 6755 /etc/nagiosql/hosts # chown www-data.nagios/etc/nagiosql/hosts # chmod 6755 /etc/nagiosql/services # chown www-data.nagios /etc/nagiosql/services     ## NagiosQL Backup Configuration   # chmod 6755 /etc/nagiosql/backup # chown www-data.nagios /etc/nagiosql/backup # chmod 6755 /etc/nagiosql/backup/hosts # chown www-data.nagios /etc/nagiosql/backup/hosts # chmod 6755 /etc/nagiosql/backup/services # chown www-data.nagios /etc/nagiosql/backup/services  ## Amend already existing files     # chmod 644 /etc/nagiosql/*.cfg # chown www-data.nagios /etc/nagiosql/*.cfg 

If these directories already have files, amend the permissions for them, too: 

# chmod 644 /etc/nagiosql/hosts/*.cfg # chown www-data.nagios /etc/nagiosql/hosts/*.cfg    # chmod 644 /etc/nagiosql/services/*.cfg # chown www-data.nagios /etc/nagiosql/services/*.cfg     

The Nagios binary must be executable by the Apache user: 

# chown nagios.www-data /usr/sbin/nagios # chmod 750 /usr/sbin/nagios 

Be sure the Apache user is able to write the Nagios commandfile. Please check your nagios.cfg for the correct path to the commandfile! 

# chown nagios.www.data /usr/local/nagios/var/rw/nagios.cmd # chmod 660 /usr/local/nagios/var/rw/nagios.cmd 

Verify Installation and Configuration

Please execute as the webserver user "nagios -v /etc/nagios/nagios.cfg" and check for additional permissions.

Running NagiosQL

Now you should be able start NagiosQL: http://www.domain.tld/nagiosql/index.php
The Installation Wizard will help you installing NagiosQL.

Configure Nagios Environment within NagiosQL

After the Installation Wizard succeeded, you should configure your Nagios Environment for NagiosQL. Please login to your fresh installation and navigate to "Administration" => "Domains". Setup your Nagios Environment and if you need help, try the integrated help system first.

LogMeIn Hamachi Installation in linux

LogMeIn Hamachi is a VPN service that easily sets up in 10 minutes, and enables secure remote access to your business network, anywhere there's an Internet connection.
 It works with your existing firewall, and requires no additional configuration. Hamachi is the first networking application to deliver an unprecedented level of direct peer-to-peer connectivity. It is simple, secure, and cost-effective.

Download latest hamachi version

# wget http://files.hamachi.cc/linux/hamachi-0.9.9.9-20-lnx.tar.gz

Unpack hamachi-0.9.9.9-20-lnx.tar.gz

# tar -zxvf hamachi-0.9.9.9-20-lnx.tar.gz

Installing Hamachi

# cd hamachi-0.9.9.9-20-lnx

# make install

Run tuncfg

# /sbin/tuncfg

After installation, issue the following commands

Create keys and set configuration directory

# hamachi-init -c /etc/hamachi

Start hamachi

# hamachi -c /etc/hamachi start

Login to hamachi network

# hamachi -c /etc/hamachi login

Create your personal network and password protect it

# hamachi -c /etc/hamachi create YOUR_NETWORK
Password:
Creating YOUR_NETWORK .. ok

Go-Online on your network

# hamachi -c /etc/hamachi go-online YOUR_NETWORK

Joining other networks

# hamachi -c /etc/hamachi join OTHER_NETWORK password

Leaving other networks

# hamachi -c /etc/hamachi leave OTHER_NETWORK

Changing nick name

# hamachi -c /etc/hamachi set-nick NEW_NICK

Getting a list of networks & members

# hamachi -c /etc/hamachi list

SHA1 Algorithm

SHA-1 is a cryptographic hash function designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA stands for Secure Hash Algorithm. The three SHA algorithms are structured differently and are distinguished asSHA-0, SHA-1, and SHA-2. SHA-1 is very similar to SHA-0, but corrects an error in the original SHA hash specification that led to significant weaknesses. The SHA-0 algorithm was not adopted by many applications. SHA-2 on the other hand significantly differs from the SHA-1 hash function.

SHA-1 is the most widely used of the existing SHA hash functions, and is employed in several widely-used security applications and protocols. In 2005, security flaws were identified in SHA-1, namely that a mathematical weakness might exist, indicating that a stronger hash function would be desirable.^[2]Although no successful attacks have yet been reported on the SHA-2 variants, they are algorithmically similar to SHA-1 and so efforts are underway to develop improved alternatives.^[3][4] A new hash standard, SHA-3, is currently under development — an ongoing NIST hash function competition is scheduled to end with the selection of a winning function in 2012.

SHA-1 produces a 160-bit digest from a message with a maximum length of (2⁶⁴ − 1) bits. SHA-1 is based on principles similar to those used by Ronald L. Rivest of MIT in the design of the MD4 and MD5 message digest algorithms, but has a more conservative design.

The original specification of the algorithm was published in 1993 as the Secure Hash Standard, FIPS PUB 180, by US government standards agency NIST (National Institute of Standards and Technology). This version is now often referred to as SHA-0. It was withdrawn by NSA shortly after publication and was superseded by the revised version, published in 1995 in FIPS PUB 180-1 and commonly referred to as SHA-1. SHA-1 differs from SHA-0 only by a single bitwise rotation in the message schedule of its compression function; this was done, according to NSA, to correct a flaw in the original algorithm which reduced its cryptographic security. However, NSA did not provide any further explanation or identify the flaw that was corrected. Weaknesses have subsequently been reported in both SHA-0 and SHA-1. SHA-1 appears to provide greater resistance to attacks, supporting the NSA’s assertion that the change increased the security.

Comparison of SHA functions

In the table below, internal state means the “internal hash sum” after each compression of a data block.

Further information: Merkle–Damgård construction

Algorithm and variant		Output size (bits)	Internal state size (bits)	Block size (bits)	Max message size (bits)	Word size (bits)	Rounds	Operations	Collisions found
SHA-0		160	160	512	264 − 1	32	80	+,and,or,xor,rot	Yes
SHA-1									None (263 attack)[5]
SHA-2	SHA-256/224	256/224	256	512	264 − 1	32	64	+,and,or,xor,shr,rot	None
	SHA-512/384	512/384	512	1024	2128 − 1	64	80	+,and,or,xor,shr,rot	None

-

SHA Algorithm

"SHA" redirects here. For other meanings, see Sha (disambiguation).

The Secure Hash Algorithm is one of a number of cryptographic hash functions published by the National Institute of Standards and Technology as a U.S. Federal Information Processing Standard. There are currently three generations of Secure Hash Algorithm:

• SHA-1 is the original 160-bit hash function. Resembling the earlier MD5 algorithm, this was designed by the National Security Agency (NSA) to be part of the Digital Signature Algorithm. Originally just called "SHA", it was withdrawn shortly after publication due to an undisclosed "significant flaw" and replaced by the slightly revised version SHA-1. The original withdrawn algorithm is now known by the retronym SHA-0.
• SHA-2 is a family of two similar hash functions, with different block sizes, known as SHA-256 and SHA-512. They differ in the word size; SHA-256 uses 32-bit words where SHA-512 uses 64-bit words. There are also truncated versions of each standardized, known as SHA-224 and SHA-384. These were also designed by the NSA.
• SHA-3 is a future hash function standard still in development. This is being chosen in a public review process from non-government designers. An ongoing NIST hash function competition is scheduled to end with the selection of a winning function, which will be given the name SHA-3, in 2012.

The corresponding standards have been FIPS PUB 180 (original SHA), FIPS PUB 180-1 (SHA-1), FIPS PUB 180-2 (SHA-1, SHA-256, SHA-384, and SHA-512), FIPS PUB 180-3 (SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512).

Difference Between Public and Private IP Addresses

A public IP address makes your equipment accessible to everyone on the internet and is needed for VoIP or if you want to give others to access to specific equipment on your network.  You must therefore be careful to protect your equipment from hackers and viruses and not to allow your equipment to be hi-jacked and used as an open email-relay, for example.  A private IP address is for private use within the network and allows many more PCs to be connected.  If a customer is using a private IP and later wants VOIP they would need to change to a public IP address. 

How many IP addresses can I use?
Link-Sat provides a set of 8 IP addresses at the time of site activation. Here is the example of how these IP addresses are used: 
1st IP is for network assignment (cannot be used)
2nd IP is for RCST IP Gateway
3rd, 4th, 5th, 6th and 7th for your router, PCs etc.
8th one is for broadcast (cannot be used)
A subnet mask and two DNS IP addresses are also provided for connected PCs.

A unique Internet Protocol (IP) address, known as a public IP address, is assigned to every computer that connects to the Internet. The IP addressing scheme makes it possible for computers to "find each other" online and exchange information. Within a private network, computers use addresses excluded by convention from use on the Internet. The difference between a private IP address and a public IP address then, is that privateIP addresses are reserved for private networks, and public IP addresses are reserved for the Internet.

The Internet Assigned Numbers Authority (IANA), a once-autonomous organization, now works within the purview of the Internet Corporation for Assigned Names and Numbers (ICANN). IANA is responsible for overseeing global allocation of IP numbers, among other related protocols. Within the range of publicly available IP addresses are specific, excluded ranges withheld for private network use. These private IP ranges are as follows:

• 10.0.0.0 … 10.255.255.255
• 172.16.0.0 … 172.31.255.255
• 192.168.0.0 … 192.168.255.255

Computers within a private network are each assigned a unique address in order to exchange files and share resources with one another. The network router, which routes information, will pass data back and forth among the connected computers, using the respective addresses. But how do computers on a private network connect to the Internet?

Assuming the network has Internet connectivity, the computer connected to the digital subscriber line (DSL) modem is assigned a public IP address by the Internet Service Provider (ISP). This single public IP address is used to identify the network on the Internet. Now the network's router acts as a gatekeeper between the private network and the public Internet. Using a built-in Network Address Translator (NAT), the router passes requests to the Internet using the assigned public IP address. Returning data is routed back to the public IP address, with the router determining which private IP address requested the information. In essence, the private IP address is daisy-chained to the public IP address through processes in the router.

A public IP address can be static or dynamic. A static public IP address does not change and is used primarily for hosting webpages or services on the Internet. Some gamers also prefer static IPs for interactive gaming. A dynamic public IP address is chosen from a pool of available addresses and changes each time one connects to the Internet. Most people have a dynamic public IP address, as it is the standard type of public IP address assigned when purchasing Internet connectivity.

Various freeware programs are available online that will display your computer's assigned public IP address for you. To see private IP addresses you can open your router's configuration dialogs, or if using Windows XP, type ipconfig at the command prompt. The command prompt is available through Start -> All Programs -> Accessories -> Command Prompt. To leave the command prompt window, type exit.

Intrusion Detection

IDS, called Intrusion Detection System (for Cisco) is an advanced form of traffic analysis for firewalls. It is also called Stateful Inspection. Depending on the amount of security needed, it may not be enough to restrict access by port, source and destination. What if I allow the WHOLE internet access to my company's public FTP server (maybe for a free download), someone might know of a FLAW for that particular FTP server that could give them some special and unwanted access. This is where Stateful Inspection comes in. Stateful Inspection is an amazing utility that knows all the valid commands to expect for your typical network services (SMTP, HTTP, FTP, DNS, etc). If you setup a Stateful Inspection firewall, it makes sure that only approved and correct commands are being used for each type of service. This is what you use to protect about know service vulnerabilities, such as buffer overruns. Stateful Inspection firewalls are CPU intensive and expensive. You can get equipment from vendors such as Cisco (PIX Firewall or IDS feature set), Symantec, and Checkpoint. Article last reviewed: 01/09/2006   del.icio.us  Created by: Digital Foundation, inc. Copyright © 2002-2005 Digital Foundation, inc.  www.networkclue.com All content of the NetworkClue website is copyrighted. Articles, notes, outlines, and all other materials may not be stored on the Internet or sold or placed by themselves or with other material in any electronic or printed format in whole or part. However materials may be referenced by links to the site.

Related Articles: NAT Firewall Packet Filter Firewall Audit Trails Cisco ACL Packet Filtering    Firewall

Symmetric vs. asymmetric algorithms

When using symmetric algorithms, both parties share the same key for en- and decryption. To provide privacy, this key needs to be kept secret. Once somebody else gets to know the key, it is not safe any more. Symmetric algorithms have the advantage of not consuming too much computing power. A few well-known examples are: DES, Triple-DES (3DES), IDEA, CAST5, BLOWFISH, TWOFISH.
Asymmetric algorithms use pairs of keys. One is used for encryption and the other one for decryption. The decryption key is typically kept secretly, therefore called ``private key'' or ``secret key'', while the encryption key is spread to all who might want to send encrypted messages, therefore called ``public key''. Everybody having the public key is able to send encrypted messages to the owner of the secret key. The secret key can't be reconstructed from the public key. The idea of asymmetric algorithms was first published 1976 by Diffie and Hellmann.
Asymmetric algorithms seem to be ideally suited for real-world use: As the secret key does not have to be shared, the risk of getting known is much smaller. Every user only needs to keep one secret key in secrecy and a collection of public keys, that only need to be protected against being changed. With symmetric keys, every pair of users would need to have an own shared secret key. Well-known asymmetric algorithms are RSA, DSA, ELGAMAL.
However, asymmetric algorithms are much slower than symmetric ones. Therefore, in many applications, a combination of both is being used. The asymmetric keys are used for authentication and after this has been successfully done, one or more symmetric keys are generated and exchanged using the asymmetric encryption. This way the advantages of both algorithms can be used. Typical examples of this procedure are the RSA/IDEA combination of PGP2 or the DSA/BLOWFISH used by GnuPG.

--
Rachit Seth