
News & Analysis

Server 'biggies' take a little plunge in US
According to IDC, the US server market fell 30 percent year on year in the third quarter of 2001, with IBM the least damaged and HP edging to within a fraction of Sun's lead in the key Unix server segment. Total server revenue dropped from $15.2 billion in the third quarter of 2000 to $10.7 billion in the third quarter of 2001.

In the overall market, IBM's sales dropped 6.1 percent to $2.8 billion, but its market share rose 6.5 percentage points. Much of that gain came at the expense of rival Sun Microsystems, which lost 6.3 percentage points of share and saw revenue plunge 53 percent to $1.3 billion.

Sun, which specializes in the Unix servers that make up the largest part of the overall market, had been ascendant in 2000, but IBM has mustered a response and is now winning sales back from Sun. Meanwhile HP, once the top Unix server seller, is fighting back as well; IDC said the company is within a hair's breadth of reclaiming the lead.

In the Unix market, Sun had 28.8 percent of the market in the third quarter, with sales of $1.33 billion. HP had 28.5 percent with sales of $1.31 billion, IDC said. IBM, in third place, had $960 million in sales for 20.9 percent of the market.

In the overall market, Compaq Computer was in second place with 16.3 percent of the market and a revenue drop of 34.7 percent to $1.75 billion. HP was in third place with 15.2 percent and revenue that dropped 29.7 percent to $1.64 billion. Dell, in fifth place with 7.9 percent of the market, had a revenue drop of 5.8 percent--the smallest of the top companies--with revenue of $847 million.

JSP hole ignored by many
A new survey by Web server information firm Netcraft reports that the administrators of many e-commerce websites have yet to plug a year-old security hole that allows malicious users to hijack other users' sessions, and with them their identities.

According to the report, all vulnerable systems run Java application servers based on Sun Microsystems' reference implementation of the Java Servlet Development Kit (JSDK) 2.0. The affected products are Java Web Server version 1.1 and later, IBM's WebSphere, and various versions of the Dynamo e-Business Platform from Cambridge, Mass.-based Art Technology Group Inc.

The vulnerability exposes users because it gives an attacker access to other people's session IDs. In its monthly survey Netcraft found that more than 1,000 transactional websites, many of them high-profile, still issue predictable session IDs. A session ID is issued to a user when a session begins and is sent back with every page request to identify it; it is carried either in the URL, where it is visible in the browser's address bar, or in a cookie on the user's hard disk. On the affected servers the IDs are generated by a simple rule, so the IDs issued just before or after one's own are easy to predict. A malicious user need only edit the URL or cookie on his own machine to take over somebody else's session, without ever knowing that user's password.

JSP (JavaServer Pages) is not widely deployed by rank-and-file sites, but professional e-commerce sites offering services such as stock trading, banking and ticketing often use it, Netcraft said. Most vendors, however, have fixes available for the problem.
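The point of the Netcraft finding is that an ID built by a simple rule lets one user enumerate the IDs of others. The following is an added example, not code from the page or from any of the vendors named above: it pairs a hypothetical weak generator (a timestamp plus a per-server counter, base-36 encoded; this is an illustration, not the JSDK 2.0 algorithm) with the attacker's guessing routine, the hardened replacement (128 random bits from the OS), and a crude sequencer-style check a tester can run over a sample of IDs. All names and the fixed clock are assumptions of the example.

```python
import math
import secrets
import time
from collections import Counter

# Constructed example: a weak "simple rule" session-ID scheme beside a
# hardened one, plus the check a tester would run against a sample of IDs.
# The weak scheme is an illustration, not the JSDK 2.0 algorithm.

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"
TS_WIDTH, CTR_WIDTH = 7, 6   # fixed widths, so an attacker can split the ID


def to_base36(n: int, width: int) -> str:
    """Zero-padded, fixed-width base-36 encoding."""
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(ALPHABET[r])
    return ("".join(reversed(digits)) or "0").rjust(width, "0")


class PredictableSessionIds:
    """Hypothetical weak generator: <seconds since epoch><per-server counter>.
    Two users who start sessions within the same second get adjacent counters."""

    def __init__(self, start_counter: int = 1000, clock=time.time):
        self._counter = start_counter
        self._clock = clock

    def issue(self) -> str:
        self._counter += 1
        return to_base36(int(self._clock()), TS_WIDTH) + to_base36(self._counter, CTR_WIDTH)


def guess_neighbours(observed: str, ctr_span: int = 5, ts_span: int = 2) -> list[str]:
    """Attacker's view: from one ID issued to *us*, enumerate the IDs most
    likely issued to other users: nearby counters within a few seconds."""
    ts = int(observed[:TS_WIDTH], 36)
    ctr = int(observed[TS_WIDTH:], 36)
    guesses = []
    for t in range(ts - ts_span, ts + ts_span + 1):
        for c in range(ctr - ctr_span, ctr + ctr_span + 1):
            if c != ctr:
                guesses.append(to_base36(t, TS_WIDTH) + to_base36(c, CTR_WIDTH))
    return guesses


def random_session_id(nbytes: int = 16) -> str:
    """Hardened replacement: 128 bits from the OS CSPRNG, no structure to predict."""
    return secrets.token_urlsafe(nbytes)


def positional_entropy_bits(ids: list[str]) -> float:
    """Crude sequencer-style check: Shannon entropy of the character at each
    position, summed over the ID. Structured IDs score low, random ones high."""
    n = len(ids)
    width = min(len(i) for i in ids)
    total = 0.0
    for pos in range(width):
        counts = Counter(i[pos] for i in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total


if __name__ == "__main__":
    clock = lambda: 1_005_000_000.0          # frozen clock so the demo is repeatable
    server = PredictableSessionIds(clock=clock)
    mine, victim = server.issue(), server.issue()
    print("victim's ID in attacker's guess list:", victim in guess_neighbours(mine))
    weak = [server.issue() for _ in range(200)]
    strong = [random_session_id() for _ in range(200)]
    print(f"weak ids: {positional_entropy_bits(weak):.1f} bits, "
          f"random ids: {positional_entropy_bits(strong):.1f} bits")
```

The entropy check is deliberately simple: it only measures per-position variety in a sample, so it flags the timestamp-plus-counter scheme (most positions never change) but would not catch a generator seeded from a predictable value. For production use, the fix is the `secrets`-based generator and nothing else; the weak class exists only to show what the attacker exploits.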

New replication technology
A replication approach marketed as asynchronous replication is the latest way of providing fault tolerance for server and network storage. Unlike the replication technologies that preceded it, it works by capturing changes to files at the operating-system level.

Earlier replication technologies, such as SQL Server transaction replication, work either inside an application or at the hardware layer. In the former case the protection is limited to a single application engine and typically adds overhead on the network; in the latter case it often adds latency to the production disk or requires significant, cost-prohibitive WAN (wide area network) bandwidth.

Instead of replicating transactions within an application, or disk blocks, this technology captures changes to any file managed by the server OS at the byte level. This is done by installing a file-system filter driver, which sees every write sent to the file system. Using a few simple rules, the filter driver captures a copy of each write and hands it to a system service or daemon, which transmits it over TCP/IP to the target server.

Whatever application creates the change, be it SQL Server, Exchange, a Web service or a file share, the disk write looks the same by the time the OS sees it: an instruction to modify a range of logical bytes in a given file.

From the OS viewpoint there is no difference between an update from Exchange and an update to a text file from Notepad.exe, so the replication is completely independent of the application. It is also hardware-independent: it does not matter whether a Windows 2000 system stores its data on a storage-area network or on its own disks.

A common misunderstanding about asynchronous replication is that the replicated data lags well behind the production data. In practice the replica falls measurably behind only when there is a sustained flow of writes whose byte volume exceeds the bandwidth of the connecting link. The caveat that always applies is the one implied by the name: writes are acknowledged to the application before they reach the target, so whatever is still in transit when the production server fails is lost.

However, in environments with large databases the I/O load on production disks is dominated by reads, so the comparatively small volume of write I/O is replicated to the target with negligible latency.

As for data delivery, almost all replication technologies use standard network protocols; the differentiator is whether they require a dedicated crossover cable or run over standard IP. Crossover connections require the servers to be in close proximity, which rules them out for disaster recovery. Standard IP networking with asynchronous replication makes for a very economical disaster recovery solution because target servers can be deployed across the Internet or a corporate WAN. Note that the replication stream carries raw file contents, so when it crosses the Internet it should run inside an encrypted and authenticated tunnel such as a VPN.

In regard to data integrity, it is important to preserve the sequence of the changes. TCP guarantees ordering within a single connection, but packets can be lost and connections dropped across a wide-area link, so the replication service must number each change and the target must apply changes in exactly the order in which the filter driver captured them, never in the order in which they happen to arrive.

The OS receives logical changes from applications and converts them into file-write instructions. Asynchronous replication captures these file-change commands and sends them to another server over IP; the second server simply applies the same file-change commands, in the same order.
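The capture, transmit and apply pipeline above, together with the ordering requirement, is small enough to show end to end. The following is an added example and not any vendor's replication code: the filter driver, daemon and target service are stand-ins with hypothetical names, the "network" is a list we deliver from in a deliberately wrong order, and the files are in-memory byte arrays. Two different "applications" write to the store, and at the OS level both writes are the same kind of record. Encryption and authentication of the link, needed whenever the stream leaves the data centre, are out of scope here.

```python
from dataclasses import dataclass

# Constructed example of the capture / transmit / apply pipeline with the
# in-order guarantee the target needs. Hypothetical names; this is not any
# vendor's replication code. The "network" is a list we deliver from in
# whatever order we like, to simulate reordering, duplication and loss.


@dataclass(frozen=True)
class ChangeRecord:
    seq: int        # assigned by the capture layer, strictly increasing
    path: str
    offset: int     # byte offset within the file
    data: bytes


def _apply(files: dict, rec: ChangeRecord) -> None:
    """The OS-level view of any write: modify a byte range of a logical file."""
    buf = files.setdefault(rec.path, bytearray())
    end = rec.offset + len(rec.data)
    if len(buf) < end:
        buf.extend(b"\0" * (end - len(buf)))
    buf[rec.offset:end] = rec.data


class CaptureFilter:
    """Stand-in for the file-system filter driver on the production server:
    every write is applied locally and a numbered copy is queued for the daemon."""

    def __init__(self):
        self.files: dict[str, bytearray] = {}
        self.outbound: list[ChangeRecord] = []
        self._seq = 0

    def write(self, path: str, offset: int, data: bytes) -> ChangeRecord:
        self._seq += 1
        rec = ChangeRecord(self._seq, path, offset, bytes(data))
        _apply(self.files, rec)
        self.outbound.append(rec)
        return rec


class ReplicaTarget:
    """Target-side service: applies changes strictly in sequence, holds early
    arrivals until the gap closes, ignores duplicates, and can report gaps."""

    def __init__(self):
        self.files: dict[str, bytearray] = {}
        self.next_seq = 1
        self._pending: dict[int, ChangeRecord] = {}

    def receive(self, rec: ChangeRecord) -> None:
        if rec.seq < self.next_seq or rec.seq in self._pending:
            return                       # retransmission of something we already have
        self._pending[rec.seq] = rec
        while self.next_seq in self._pending:
            _apply(self.files, self._pending.pop(self.next_seq))
            self.next_seq += 1

    def missing(self) -> list[int]:
        """Sequence numbers the source must retransmit before we can proceed."""
        if not self._pending:
            return []
        return [s for s in range(self.next_seq, max(self._pending)) if s not in self._pending]


def apply_in_arrival_order(recs: list[ChangeRecord]) -> dict:
    """What a naive target that ignores seq would end up with."""
    files: dict[str, bytearray] = {}
    for rec in recs:
        _apply(files, rec)
    return files


if __name__ == "__main__":
    src = CaptureFilter()
    src.write("db/pages.dat", 0, b"AAAA")      # "database engine" write
    src.write("db/pages.dat", 0, b"BB")        # overwrites the first two bytes
    src.write("notes.txt", 0, b"hello")        # "Notepad" write: same record shape
    src.write("notes.txt", 5, b" world")
    r = src.outbound                            # seq 1..4

    tgt = ReplicaTarget()
    for rec in (r[3], r[0], r[0], r[1]):        # reordered, duplicated, seq 3 lost
        tgt.receive(rec)
    print("target waiting for:", tgt.missing())            # [3]
    tgt.receive(r[2])                                      # retransmission arrives
    print("replica identical:", tgt.files == src.files)   # True
    print("naive target:", bytes(apply_in_arrival_order([r[1], r[0]])["db/pages.dat"]))  # b'AAAA'
```

The two overlapping writes to `db/pages.dat` are the whole argument for sequencing: applied in capture order the file reads `BBAA`, applied in arrival order it reads `AAAA`, and a replica in the second state is silently corrupt. A real daemon would persist `next_seq` on the target and the outbound queue on the source so that the gap report survives a reconnect.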

Unix login vulnerabilities
Experts at Internet Security Systems Inc. (ISS) and the CERT Coordination Center (CERT/CC) said in separate statements that attackers could gain full access to servers running the Unix versions supplied by Sun and IBM, because of a security hole in the operating system's login program.

The login program authenticates access to the system by username and password, and it contains a buffer overflow flaw. Because login is also invoked by the telnet and rlogin (remote login) services, the flaw can be exploited by attackers who have no local access to the system at all. Systems are vulnerable only if telnet, rlogin or other terminal connection services that use login for authentication are enabled, which they usually are by default.

Attackers can exploit the vulnerability to gain superuser (root) privileges, the highest privilege level on a Unix system, and thereby execute arbitrary commands. An exploit tool for compromising systems running the affected OSs has been made public.

ISS and CERT/CC advise system administrators to install SSH (Secure Shell), a secure alternative to telnet and rlogin, and to disable the default terminal connection services until the software can be patched. SSH only helps if the daemon does not itself hand sessions to login (OpenSSH's UseLogin option does exactly that). Sun and IBM have fixes available, according to CERT/CC.

Sun's Solaris 8 and earlier versions, and IBM's AIX versions 4.3 and 5.1, are affected. Other systems derived from the same code base, Unix System V, could also be vulnerable, CERT/CC said.
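The interim mitigation is a configuration edit, and it is worth being able to audit it. The following is an added example, not part of the advisories or of this article: a small checker that reads an inetd.conf, reports which enabled services hand authentication to login (telnet, and rlogin, which inetd lists under the service name `login`, the two the advisories name), and produces the file with those entries commented out. The sample configuration is constructed in the Solaris 8 layout and is not copied from any real host; the function names and the service set are assumptions of the example.

```python
# Constructed example of the interim mitigation: find the inetd services that
# hand authentication to login (telnet and rlogin, which inetd lists as
# "login") and comment them out until the vendor patch is applied. Hypothetical
# helper names; the sample file below is made up in the Solaris 8 layout.

SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}
LOGIN_BASED_SERVICES = {"telnet", "login"}   # the two the advisories name

SAMPLE_INETD_CONF = """\
# Constructed sample in /etc/inetd.conf layout; not copied from any real host
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#
# Shell, login, exec, comsat and talk are BSD protocols.
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
"""


def parse_inetd(conf: str):
    """Yield (lineno, service, enabled) for every service entry, including
    ones that are commented out. Plain comment text is skipped because a
    service line always has a socket type in its second field."""
    for lineno, line in enumerate(conf.splitlines(), 1):
        body = line.strip()
        enabled = not body.startswith("#")
        fields = body.lstrip("#").split()
        if len(fields) >= 6 and fields[1] in SOCKET_TYPES:
            yield lineno, fields[0], enabled


def exposed_login_services(conf: str) -> list[str]:
    """Enabled services that authenticate through login: the remote attack surface."""
    return sorted({svc for _, svc, enabled in parse_inetd(conf)
                   if enabled and svc in LOGIN_BASED_SERVICES})


def disable_login_services(conf: str) -> str:
    """Return the file with those services commented out; inetd re-reads the
    file on SIGHUP. Everything else is left exactly as it was, and running
    this on an already-hardened file changes nothing."""
    out = []
    for line in conf.splitlines():
        fields = line.split()
        if (len(fields) >= 6 and fields[0] in LOGIN_BASED_SERVICES
                and fields[1] in SOCKET_TYPES):
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("exposed:", exposed_login_services(SAMPLE_INETD_CONF))   # ['login', 'telnet']
    hardened = disable_login_services(SAMPLE_INETD_CONF)
    print("after:", exposed_login_services(hardened))              # []
```

On a live host the edited file replaces /etc/inetd.conf and inetd is sent SIGHUP to reload it; the checker should then report an empty list. Re-enable the services only after the vendor patch is installed and verified.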

The ISS security advisory can be found at advise105.php

The CERT/CC advisory can be found at

Large companies more keen to outsource security
Preliminary findings by IDC indicate that larger organizations are more comfortable outsourcing the management of their security functions than their small and medium-sized counterparts are. Ironically, the key reason is that big enterprises typically have dedicated IT staff managing security in-house, and therefore have clearly defined security policies and procedures. Small companies, by contrast, lack both the manpower and the resources: one person does everything and may not have the time to document the processes properly.

With proper security processes and clear documentation, an enterprise can not only mitigate the risks of handing work to an external party but also identify the critical security functions that must stay in-house.

IDC's early findings highlight an important point: security outsourcing is an option that more companies are willing to consider, even conservative ones. High-profile security breaches, increased Internet usage, the growing number of e-commerce initiatives, and the spread of mobile and collaborative computing are the business factors driving the change in attitude and the erosion of the old bias.

9i upgrade adds Java and SOAP support
Release 2, the latest release of Oracle's 9i Application Server, supports Java 2 Enterprise Edition and Web services technologies such as SOAP (Simple Object Access Protocol) and UDDI (Universal Description, Discovery and Integration), the directory of business-to-business services. A free developers' edition of the upgrade can be downloaded from Oracle's website; standard and enterprise editions are scheduled to ship in the first quarter.

Current Oracle users say the Java support in Release 2 can help reduce the cost of tying together different enterprise applications: by providing a single platform for connecting applications, the upgrade both lowers cost and eases integration complexity.


Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD