Nominum is hoping that the second time is the charm in the outsourced DNS market, as the maker of high-end DNS software announces a hosted service on Tuesday. On Tuesday, Nominum will reenter the outsourced DNS market with the announcement of SKYE, a separate business unit that will offer its software as a cloud-based service to smaller ISPs and enterprises. Nominum had a managed DNS services operation earlier this decade but sold it to rival UltraDNS in 2002. Nominum has since focused on its DNS and Dynamic Host Configuration Protocol (DHCP) server software, counting among its customers many of the world's largest carriers, including Verizon, Sprint and NTT Communications.

Jon Shalowitz, vice president and general manager of SKYE, says the new venture's biggest differentiator is the underlying Nominum software, which he describes as higher performing and more reliable than open source alternatives such as Berkeley Internet Name Domain (BIND). "This is the same software running in the top 100 ISPs around the world," Shalowitz says. "It handles two to three trillion transactions or queries per day. We're leveraging that same technology in a cloud model."

Nominum has set up SKYE as a separate organization, with 30 full-time employees and five data centers to run Nominum's software. SKYE is offering four hosted services: SKYE Core, a recursive DNS service; SKYE Secure, an authoritative (or external) DNS service; SKYE Search, a redirection service; and SKYE Trust, a blacklist service for malicious Web sites.

"Our target customer is anyone who has a strong Web presence: E-commerce companies, banks, anyone that has regulations for protecting data such as hospitals and healthcare companies; and any other company where breaches of personal information could be catastrophic such as credit card companies," Shalowitz says. "Enterprises need to wake up to the risks associated with ignoring their DNS and assuming that if it's not breaking all the time [they] can ignore it. There are still a lot of organizations running legacy DNS and open source DNS that are fraught with vulnerabilities."

SKYE's main competitor will be UltraDNS, now owned by Neustar. Rodney Joffe, senior vice president and senior technologist at Neustar, says hosted DNS is a big enough market to support multiple vendors. "Despite the fact that it's been a pretty awful recession, we've continued to grow very effectively in our area of managed DNS for enterprises," Joffe says. "There is definitely a market, and we're nowhere near saturation."

Nominum says the time is right for hosted DNS services because of a broader push by corporate IT departments toward cloud-based services. "Part of the reason why cloud is becoming the rage is because of its operational benefits," Shalowitz says. "When companies look at the cost/benefit analysis, they'd much rather have [DNS] being done by experts and run in the cloud."

Abner Germanow, director of enterprise communications at IDC, says enterprises are realizing that DNS is a critical service and are paying more attention to it. Most of them are buying DNS appliances from vendors such as Infoblox or hosted DNS services such as the ones being offered by SKYE. "We've seen a fair amount of growth in hosted DNS services," Germanow says. "There are a whole slew of companies offering a variety of DNS services both for internal, recursive DNS services and external, authoritative services ... This is something that's clearly rising in popularity."

Joffe said new entrants into the enterprise DNS space such as SKYE and OpenDNS, which announced an enterprise offering earlier in the month, will face difficulties if they can't deliver top-notch service level agreements. "Companies that have tried to get into this market have been burned not because having DNS servers and networks is that hard but because making them work in a carrier-like way is not easy," Joffe said, adding that UltraDNS also runs its own DNS software rather than BIND. "The ability to do DNS in a really reliable way turns out to be hard."

Researchers and hackers are developing tools to execute a new data-leak threat: sneaking proprietary information out of networks by hiding it within VoIP traffic. Techniques that fall under the category of VoIP steganography have been discussed in academic circles for a few years, but now more chatter is coming from the hacker community about creating easy-to-use tools, says Chet Hosmer, co-founder and Chief Scientist at WetStone Technologies, which researches cybercrime technology and trains security professionals investigating cybercrimes. "There are no mass-market programs yet, but it's on our radar, and we are concerned about it given the ubiquitous nature of VoIP," he says. Steganography in general is hiding messages so no one even suspects they are there, and when done digitally, it calls for hiding messages within apparently legitimate traffic. VoIP steganography conceals secret messages within VoIP streams without severely degrading the quality of calls.

There are more than 1,000 steganographic programs available for download online that can place secret data within image, sound and text files, Hosmer says, and then extract it. For example, secret data can be transferred within .jpg files by using the least significant bits to carry it. Because only the least significant bits are used, the hidden messages have little impact on the appearance of the images the files contain. There are none for VoIP steganography yet, but in the labs, researchers have come up with three basic ways to carry it out. The first calls for using unused bits within the UDP or RTP protocols, both used for VoIP, to carry the secret message. The second is hiding data inside each voice payload packet, but not so much that it degrades the quality of the sound.

The third method calls for inserting extra and deliberately malformed packets within the VoIP flow. A variation calls for dropping in packets that are so out of sequence that the receiving device drops them. They will be dropped by the receiving phone, but can be picked up by other devices on the network that have access to the entire VoIP stream. These techniques require compromised devices or conspirators on both ends of calls or a man-in-the-middle to inject extra packets. "It's much more difficult to do and much more difficult to detect" than hiding data within other files, Hosmer says.

The medium used to carry secret messages is called the carrier, and just about anything can be a carrier. For example, x86 executables can carry secret messages, according to Christian Collberg, an associate professor of computer science at the University of Arizona and co-author of the book Surreptitious Software. By manipulating the compiler, it can be made to choose one addition operation over another, and that choice can represent a bit in the secret message, Collberg says. "There are lots of choices a compiler makes, and whenever you have a choice, that could represent a bit of information," he says.

Even something as broadly used as TCP/IP can be host to steganographic messages. One of the newest methods takes advantage of TCP retransmission, known as retransmission steganography (RSTEG), in which sending machines resend packets for which they fail to receive acknowledgements. The sending and receiving machines must both be in on the steganography, according to a paper written by a group of Polish researchers headed up by Wojciech Mazurczyk at the Warsaw University of Technology. At some point during the transmission of a file, the receiving machine fails to send an acknowledgement for a packet and it is resent. The resent packet is actually different from the initial packet and contains a steganographic message as the payload. The receiving machine can distinguish such resent packets and opens up the message, the researchers say. Mazurczyk and his colleagues have spent a lot of time figuring out new carriers for secret messages, publishing research on embedding them in VoIP and wireless LAN traffic.

In general, defending against steganography is tough to do because traditional security devices such as firewalls and application firewalls don't detect this type of illicit transfer; a file containing a secret message looks just like a legitimate file. In his Crypto-Gram Newsletter blog, security expert Bruce Schneier dismisses the threat from RSTEG. "I don't think these sorts of things have any large-scale applications," he says, "but they are clever."

The best way to combat suspected use of steganography to leak corporate data is to look for the telltale signs, namely known steganography programs on company computers, says Hosmer. On systems where such a program is found, forensic analysis may reveal files that contained messages and an indication of what data might have been leaked. When the steganography program is known, it can be applied to the carrier to reveal the secret message. That message may be in code and have to be decrypted, he says. In many cases, just knowing that steganography is going on and who is responsible is enough for a business. They can confront the person and take steps to prevent further leaks, Collberg says.

But businesses can take more active steps such as destroying the secret messages by altering the carrier file. Free programs such as Stirmark for scrambling files enough to destroy steganographic messages are available online. For instance, if the carrier is an image file, setting all the least significant bits to zero would destroy any messages contained there without significantly changing the appearance of the image, he says. Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., has developed double stegging, inserting steganographic messages within files with the intent of disrupting other steganographic messages that might also be in the files. He is waiting to find out if he gets a Small Business Innovation Research (SBIR) grant from the government to pursue turning his steganography jamming technology into a commercial product. According to Hosmer, a look at evidence in closed cases of electronic crime found that in 3% of those cases, criminals had steganographic programs installed on their computers. "The fact that these criminals were even aware [of steganography] was a startling surprise to law enforcement agencies," he says.
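The least-significant-bit carrier described earlier and the zero-the-LSBs countermeasure described here, as an added example that is not from the article or from any vendor tool: the "image" is a constructed 8-bit grayscale buffer rather than a real JPEG, so the block runs offline, and the function names are my own. It shows that the embedding changes no pixel by more than 1, and that scrubbing the LSB plane (also a change of at most 1 per pixel) leaves nothing to extract.

```python
"""LSB steganography on a constructed grayscale buffer, plus the scrub mitigation.
Added example; carrier, message and helper names are constructed for the demo."""


def embed_lsb(pixels: bytes, message: bytes) -> bytearray:
    """Write a 16-bit length prefix and the message, one bit per pixel LSB."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for message")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # only the LSB of each pixel changes
    return out


def extract_lsb(pixels: bytes) -> bytes:
    """Read the 16-bit length prefix, then that many bytes, from the LSB plane."""
    def read(n_bytes: int, start: int) -> bytes:
        vals = []
        for k in range(n_bytes):
            v = 0
            for i in range(8):
                v = (v << 1) | (pixels[start + k * 8 + i] & 1)
            vals.append(v)
        return bytes(vals)
    length = int.from_bytes(read(2, 0), "big")
    return read(length, 16)


def scrub_lsb(pixels: bytes) -> bytearray:
    """Defender's countermeasure: zero every LSB; each pixel moves by at most 1."""
    return bytearray(p & 0xFE for p in pixels)


def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-pixel difference between two buffers of equal length."""
    return max(abs(x - y) for x, y in zip(a, b))


def demo() -> dict:
    # Constructed 64x64 carrier: a smooth diagonal gradient, no real image data.
    carrier = bytes((x + y) % 256 for y in range(64) for x in range(64))
    secret = b"payroll export 2009"  # constructed sample message
    stego = embed_lsb(carrier, secret)
    scrubbed = scrub_lsb(stego)
    return {
        "recovered": extract_lsb(stego),      # message survives embedding
        "after_scrub": extract_lsb(scrubbed),  # length prefix reads 0 -> b""
        "embed_delta": max_pixel_change(carrier, stego),
        "scrub_delta": max_pixel_change(stego, scrubbed),
    }
```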

Interest in steganography is growing, according to WetStone Technologies' monitoring of six popular steganography applications. In 2008, the six combined logged 30,000 downloads per month, up from 8,000 to 10,000 per month about three years ago, Hosmer says. That's not a dramatic increase given that the use of Internet-connected computers has gone up in the meantime, but it is still noteworthy, he says.

Steganography is not always bad. Technically, steganography is just the same as digital watermarking, but with different intent, Collberg says. The watermark is a secret message embedded, for instance, in an image file so that if the image is used online, a Web crawler can find it. Then the creator of the image can check whether the site displaying the image has paid for it or is violating copyright, he says.

The European Union is not the only one antsy about Oracle taking possession of the open source MySQL database should the commercial database giant's merger with Sun Microsystems get final approval. So are MySQL users. (The E.U.'s executive arm has held up approval of the merger, fearing that Oracle's acquisition of MySQL could reduce competition in the database market, as well as harm the open source nature of MySQL. Sun's stockholders and the U.S. Justice Department have approved Oracle's $7.4 billion acquisition of Sun.)

Thus far, Oracle has said little about its intentions for MySQL and declined to discuss the issue with InfoWorld. On its Web site, Oracle merely notes that "MySQL will be an addition to Oracle's existing suite of database products." "I wish that Oracle would broadcast its intentions a little bit more" on the Sun acquisition, says Duane Kimble, a Linux technologist who works in the banking industry.

"We've got a fair number of databases and Web applications that use those databases in MySQL. If Oracle does something that sort of makes it look like MySQL's days are numbered or something is going to change that we don't like, we'll probably look at alternatives," says Ernest Joynt, a contractor for the National Oceanic and Atmospheric Administration.

MySQL users start looking at alternatives

A key issue is that Oracle is a main competitor to MySQL, notes Timothy Dion, CTO of mobile and Web apps builder Sensei. "I'm very concerned about what that means," he says.

Anand Babu Periasamy, CTO of clustered storage technology company Gluster, expresses doubts that Oracle would add enterprise capabilities to MySQL. "I hope that they will retain MySQL. [But] I am doubtful [that] they will ever improve MySQL to take it mid-enterprise level, but at least it will help them compete with Microsoft SQL Server on the low end," he says. (Gluster uses MySQL for its Web site operations.) For him, Oracle's ownership of MySQL is a specific cause for caution. His firm has begun looking at other enterprise-scale open source databases such as EnterpriseDB's Postgres database in case it has to replace MySQL.

Standing to reap a harvest from unease about the Oracle-MySQL pairing are open source database vendors EnterpriseDB and Ingres. EnterpriseDB, which builds its products on the PostgreSQL open source database, has been hearing from concerned MySQL users, says Larry Alston, EnterpriseDB's vice president of product management and marketing. "They're telling us that they're nervous" about the future of MySQL, he says. Ingres also sees opportunities. "The phones ring a lot," says Ingres CEO Roger Burkhardt.

Doubts remain over the fate of other Sun technologies

Users remain concerned over the fate of other Sun technologies such as Java and Solaris, not just of MySQL. "We are rethinking our Solaris deployments," says Linux technologist Kimble. "We are moving swiftly toward more of an AIX and Linux environment, depending on the size or the scale of the project." Although Kimble notes it is "too early to say whether we'll move off [Solaris] or not," he does say his employer is rethinking its Solaris commitment: "Certainly, we're not going full-bore with Solaris as we were before the merger." Kimble does see a positive side to the Sun acquisition: "I think it kind of simplifies the platform offering somewhat. Oracle is a strong company and if they keep Sun Java, which I'm sure is what they bought [Sun] for, I think it will make Java a better product."

But Bryce Pier is not so sure. "I'm not really certain that it's going to be good for anybody. Another large company buying another large company reduces competition," he says. The senior systems engineer at Target sees no benefits of the buyout, at least not yet. Pier expects the acquisition to cause Target to move away from Solaris to Red Hat's Linux over time. One reason is the uncertainty: "We're just not sure what Oracle's commitment is going to be to the Java stack and to maintaining it as an open source project." Another is Oracle's reputation for extracting revenues from customers: "We certainly fear that all of the subscription fees are going to change for everything from Sun."

At its recent conference, Red Hat sought to reassure customers about the continued openness of Java-based JBoss technology, which Red Hat owns, now that Oracle is buying Java founder Sun. Oracle, said Craig Muzilla, Red Hat's vice president for middleware, was very active in the Java Community Process for updating Java and has strived for openness in Java. "We don't see anything from Oracle that [would indicate that] they would do anything" that would differ with the past, he said.

Cisco and VMware created some buzz at the VMworld show in San Francisco on Tuesday by announcing a method for using VMware's VMotion across data centers that are located as far apart as 125 miles, or 200 kilometers.


Users have been pushing VMware to offer a method of allowing VMotion to be used between data centers, and this reference architecture is a step in the right direction. But it is only a step and not a true failover technology. It does not replace VMware's disaster recovery product, Site Recovery Manager.

The long-range VMotion technique was originally demonstrated at Cisco Live!, but VMware has now formally announced support for it. It can be used with Cisco switches that support VLANs, namely the Catalyst 6500 as well as the Nexus 7000. It requires that users implement VMware's latest product, vSphere.

Today's announced reference design provides only what its makers refer to as "disaster avoidance," not "disaster recovery." Long-range movement of a virtual machine using VMotion must be performed manually (although users could write scripts to move VMs).

Technical issues with the network and storage have yet to be solved to allow VMotion to support more automated long-distance failover. These include an inability to maintain an IP address if a VM is moved from one ISP to another, for instance from a data center in New York to another in San Jose. Likewise, storage is a problem. Until storage vendors come up with a way to support active/active SANs for the same VM moved between two physically far locations, no-latency failovers won't be possible between data centers.

Finally, this technique is not recommended, and not supported by VMware, when users have Disk Raw Mapping (DRM) turned on and used with clustered servers on either side.

All that said, for Cisco users wanting to deploy vSphere, this design can be practical in helping them manage VMs between data centers. It can be used for disaster situations where users have warning (tornadoes, hurricanes). It can be helpful for load balancing applications between data centers to offset an expected traffic spike. It also represents major progress on the network portion of the long-range VMotion problem.

The reference architecture is available for free download from Cisco.