VMware Workstation Floppy Image Howto

I’m taking the RedHat RHA030 and 130 right now at ECU. The really cool thing about the class is that it’s all online. We use VMware Workstation 6 and connect to the classroom servers through a VPN connection. The biggest drawback to the class is that it’s all online. Weird how that works.

Any-who, one of our labs has us using mount and umount (did I mention that RHA030 is a basic GNU/Linux skills class with a RedHat flavor?) with a floppy drive. There are a couple of problems with this, however. One, there’s no virtual floppy disk on the virtual machine that’s been configured for class. Two, VMware Workstation 6 has this weird quirk (at least the version we have) that won’t allow you to create floppy images in the img format. It adds “.flp” to the end of whatever you want to name your file, and then gives this error that the file already exists, which doesn’t make a lot of sense since Workstation just created the file and should know that.

So, here’s a (mostly) graphical tutorial that allows you to create your own floppy image and use it with VMware Workstation 6.

Step 1. Open VMware Workstation and select the virtual machine you want to add a virtual floppy drive to.

Step 2. Select “Edit Virtual Machine Settings” from that virtual machine’s “Commands” menu.

Step 3. From the “Virtual Machine Settings” dialog’s “Hardware” tab, click the “Add…” button.

Step 4. On the “Hardware Wizard” dialog, select the “Floppy Drive” hardware type and then click the “Next” button.

Step 5. On the “Hardware Wizard” dialog, choose the “Create a blank floppy image” radio button and then click the “Next” button.

Step 6. On the “Hardware Wizard” dialog, click the “Browse” button to choose a location for your floppy image.

Step 7. Type in the name of the image file you want to create. Notice I tried to input an “.img” extension which is one of the types listed in the file type select box. Don’t bother trying that because Workstation will automatically tack on a “.flp” extension regardless of what you input.

Step 8. Check your file’s path and then click “Finish”. What’s supposed to happen is that Workstation creates an image file with the name in the text box.

Step 9. What actually happens is that Workstation adds the “.flp” extension, creates the image file, and then gives you this Alert box stating: “Unable to create floppy image. File exists.” Idiotic, really. Just click the “OK” button and proceed as follows.

Step 10. You’ll now see that your file name has had the “.flp” extension appended, and that any further clicking of “Finish” will merely give you the opportunity to view the Alert box again. But don’t worry, because even though you’re getting an error, a strange and magical thing has happened. Click “Cancel” to proceed to the next step.

Step 11. Click “OK” on the “Virtual Machine Settings” dialog.

Step 12. Ok, this is less of a step than just a view of the results. Remember that “strange and magical” thing I mentioned? Well, as it turns out, Workstation has added the floppy drive to your virtual hardware, created the floppy image, and attached it to your floppy drive just fine despite those errors. Weird, weird, weird, but I’m not really complaining: now I can do my lab!

Hope this helps anyone still having problems with this.

Dropping Eaves on Optical Fiber

There’s a short article on optical fiber eavesdropping over at TechRepublic. While not impossible (as the article clearly points out), it is a very difficult feat to accomplish for a number of reasons.

Accessibility

First, most installations use fiber in a cabling plant’s backbone (cables between floors or buildings). These cables are multi-fiber affairs, usually consisting of at least six, but sometimes up to one hundred forty-four (or more) fibers. The bigger the user base of the network, the more fibers you’ll find in the backbone. On these types of networks, you’d have to know exactly which fiber(s) you’re looking for in order to tap them. As the article states, the average cost of the tap device is under $1000, but I doubt you’d want to install over a hundred of them to get to one particular fiber.

As I stated earlier, the fiber backbone runs between buildings or floors. When run between buildings, the optical fiber cables are usually strung through underground conduits (usually between one and six inches in diameter) or hung on building-to-building aerial messenger strands (a fancy way to say metal lines or cables). Conduits between buildings can sometimes be pressurized to prevent moisture from entering and degrading the cable jacketing. Aerial fiber runs are sometimes reinforced by interlocking armor built into the jacketing of the bundled fiber cable. When installing the tapping device, these would be the areas in which you would want to focus your efforts. Due to the difficulty of accessing these areas, your best alternative would be to install the device close to the entry or exit points for these locations.

There are some cabling installations where fiber is run all the way from the backbone to the workstation or network host. These installations are usually termed Fiber to the Desk (FttD). In such cases an attacker would find it much easier to install the device in a location where visual detection would be difficult.

Detection

While visual detection is one way of finding these devices, it certainly isn’t the only way. As the article alludes, “intrusion detection devices” can detect tap devices. What I believe they may be referring to here is a set of devices which measures a fiber’s signal characteristics by transmitting a signal in one end of the fiber and measuring it at the other. This is not too far removed from an initial certification test.

When any network transmission medium is installed, whether it be twisted-pair cable, optical fiber cable or even wireless devices, a certification test is performed on the medium to verify that signals will travel across it with no problems and in a manner which is consistent with the applicable standards. This is another way, however, that the tap devices can be detected.

Regular network certification is a way to detect these types of devices on not only optical fiber cables, but twisted-pair as well. NOTE: This is an effective method to use on twisted-pair cables, unless they are being tapped with an induction device. However, this too can be guarded against by using shielded or foiled cable.

One of the tools used to certify a fiber network is called an OTDR, or Optical Time Domain Reflectometer (there are versions available for copper/twisted-pair cables as well, called simply TDRs; these are what the cable company can use to make sure there are no more TVs hooked up in your home than you say there are - wow, when did I get that paranoid?). OTDRs use lasers of different frequencies to create detectable reflections. These reflections only occur at points in the cable where bends, twists or breaks exist. Since tapping a fiber requires introducing a bend, and that bend is detectable, a tap would be easy to detect on a cable which had no bends before. The only drawback to regular testing is the cost of equipment, but this cost can be defrayed by hiring contractors to do the testing.

Encryption?

Another point is that of data encryption. While this is always an option, encryption used internally on a network, as opposed to at the entry and exit points of a network, should be considered overkill, mainly because of the logistics and systems involved in getting such a system to operate (won’t someone think of the overhead!).

A better option in this case would be to check for a high occurrence of data errors. Any time you introduce a bend into a fiber great enough to allow light through the cladding of the fiber, as a fiber tap does, you also introduce data errors. This is because the light reflected back toward the source of the signal means that less light is available to travel to the receiving end of the fiber. These data errors will only increase with distance, so for longer cable runs you may also completely lose your signal.
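To make the two detection signals above concrete (new OTDR reflections where the certified cable had none, and an error ratio that has climbed above the one recorded at certification), here is an added example that is not from the original post or the TechRepublic article. The group index of 1.468, the 5 m matching tolerance, the 10x error factor and both event lists are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

C_VACUUM = 299_792_458.0   # speed of light in vacuum, m/s
GROUP_INDEX = 1.468        # assumed group index for silica fiber (not from the post)


@dataclass(frozen=True)
class OtdrEvent:
    round_trip_s: float    # time from launch pulse to returned reflection
    loss_db: float         # loss measured at the event


def distance_m(round_trip_s: float, n: float = GROUP_INDEX) -> float:
    """Locate a reflection: the pulse travels out and back, so halve the path,
    and light moves at c/n in glass rather than at c."""
    return C_VACUUM * round_trip_s / (2.0 * n)


def new_events(baseline: List[OtdrEvent], current: List[OtdrEvent],
               tolerance_m: float = 5.0) -> List[Tuple[float, float]]:
    """Return (distance_m, loss_db) for current events with no baseline event
    within tolerance_m: a reflection where the certified cable had none means a
    new bend, splice, break or tap that warrants a physical inspection."""
    known = [distance_m(e.round_trip_s) for e in baseline]
    flagged = []
    for e in current:
        d = distance_m(e.round_trip_s)
        if not any(abs(d - k) <= tolerance_m for k in known):
            flagged.append((round(d, 1), e.loss_db))
    return flagged


def error_ratio_exceeded(base_errors: int, base_frames: int,
                         cur_errors: int, cur_frames: int,
                         factor: float = 10.0) -> bool:
    """Flag a link whose receive-error ratio grew by `factor` over the ratio
    recorded at certification (a bend that leaks light raises errors)."""
    base_ratio = base_errors / max(base_frames, 1)
    cur_ratio = cur_errors / max(cur_frames, 1)
    return cur_ratio > factor * max(base_ratio, 1e-12)


# Constructed traces: the certified run has connector events near 511 m and
# 1225 m; the current run shows an extra reflection near 817 m.
BASELINE = [OtdrEvent(5.0e-6, 0.3), OtdrEvent(1.2e-5, 0.4)]
CURRENT = [OtdrEvent(5.01e-6, 0.3), OtdrEvent(8.0e-6, 0.9), OtdrEvent(1.2e-5, 0.4)]

if __name__ == "__main__":
    for d, loss in new_events(BASELINE, CURRENT):
        print(f"new reflective event at {d} m, loss {loss} dB")
    print("error ratio exceeded:", error_ratio_exceeded(3, 10**9, 4000, 10**9))
```

Feed it the event table exported from your OTDR at certification and at each re-test; the distance tells the technician where along the run to look.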

Costs

Finally, when you use a fiber tap, you also have to know what type of network application is being used. Some applications use multiple frequencies of light, not just a single frequency, to transmit more data over a single fiber. These types of multi-frequency transmissions are used for applications like Ten Gigabit Ethernet. Ten Gigabit Ethernet equipment is more complex than Gigabit Ethernet equipment and therefore more costly. I’m not sure I believe that $1000 quote for the fiber tap, unless it’s the total for the tap only, not the actual fiber equipment used to decode the signals.

Conclusions

While the article brings up good points about no transmission medium being a silver bullet against eavesdropping, it also has many weak points on ease of implementation, and seems to exaggerate these. As I tend to tell those people who are new to the web, you have to take everything with a grain of salt. The technology described in the article is really cool, so it’s worth a look - but keep in mind that not everything you read can be taken at face value.

Links:
Article: Protect your network against fiber hack
Via: Schneier on Security