    Online Tutorials

    USENIX is pleased to announce the second installment of our online tutorial pilot program. Based on the positive response to our first online tutorial offering, we are launching this second phase of the pilot program to test the viability of offering our outstanding tutorials, live over the Web, on a regular basis.

    This second installment allows you to participate in complete, full-day tutorials which, up to now, have only been offered at USENIX conferences. Each course is designed to last two hours a week for three successive weeks.

    Space is limited, so we encourage you to register as soon as possible. Please read What You Need To Participate before registering.

    Online Registration Form

    Table of Contents
    P1: Network Security Profiles - Brad Johnson
    P3: Syslogs and Network Security - Tina Bird
    How To Register
    What You Need To Participate
    A Note on the Centra Technology Used for the Pilots

    Course P1

    Network Security Profiles: A Collection (Hodgepodge) of Stuff Hackers Know About You
    Brad Johnson, SystemExperts Corporation
    Tuesdays, February 26, March 5, and March 12
    11am Eastern, 8am Pacific

    Who should attend: Network, system, and firewall administrators; security auditors and those who are audited; people involved with responding to intrusions or responsible for network-based applications or systems that might be targets for crackers (determined intruders). Participants should understand the basics of TCP/IP networking. Examples will use actual tools and will also include small amounts of HTML, JavaScript, and Tcl.

    Course Description: Network-based host intrusions, whether they come from the Internet, an extranet, or an intranet, typically follow a common methodology: reconnaissance, vulnerability research, and exploitation. This tutorial will review the ways crackers perform these activities, what protocols and tools they use, and a number of current methods and exploits. You'll learn how to generate vulnerability profiles of your systems. Additionally, we'll review some important management policies and issues.

    We'll focus primarily on tools that exploit many of the common TCP/IP-based protocols that underlie virtually all Internet applications, including Web technologies, network management, and remote file systems. Some topics will be addressed at a detailed technical level. We'll concentrate on examples drawn from public-domain tools that are widely available and commonly used by crackers.

    Topics include:

    • Profiles: what can an intruder determine about your site remotely?
    • Review of profiling methodologies: different "viewpoints" generate different types of profiling information
    • Techniques: scanning, online research, TCP/IP protocol "mis"uses, denial of service, cracking clubs
    • Important intrusion areas: discovery techniques, SSL, SNMP, WWW, DNS
    • Tools: scotty, strobe, netcat, SATAN, SAINT, ISS, mscan, sscan, queso, curl, Nmap, SSLeay/upget
    • Defining management policies to minimize intrusion risk

    Topics not covered:
    • Social engineering
    • Buffer overflow exploits
    • Browser (frame) exploits
    • Shell privilege escalation

    Course P3

    Finding the Forest From the Trees: What System Logs Tell You About Your Network Security
    Taught By Tina Bird, Counterpane Internet Security
    Thursdays, February 28, March 7, and March 14
    2pm Eastern, 11am Pacific

    Who should attend: The class is designed for the sysadmin who has lots and lots of audit data from their network but isn't sure how to interpret it. It is also for system administrators and network managers responsible for monitoring and maintaining the health and well-being of computers and network devices in an enterprise environment. Participants should be familiar with the UNIX operating system and basic network security, although some review is provided.

    Course Description: The purpose of this tutorial is to illustrate the importance of a network-wide centralized logging infrastructure, to introduce several approaches to monitoring audit logs, and to explain the types of information and forensics that can be obtained with well-managed logging systems. Every device on your network--routers, servers, firewalls, and application software--spits out millions of lines of audit information each day. Hidden within the data that indicates normal day-to-day operation (and known problems) are the first clues that an attacker is starting to probe and penetrate your network. If you can sift through the audit data and find those clues, you can learn a lot about your present state of security and maybe even catch attackers in the act.

    During this session Tina will present attack signatures from host operating systems (UNIX and Windows), applications, and intrusion detection systems to help provide guidance in reading and interpreting log data. These signatures are taken from a variety of sources, including systems compromised in the last several waves of Internet activity. We'll also cover system events that may indicate hostile activity, and what sort of log data they do (or don't) produce.

    Students are expected to be familiar with UNIX syslog and Windows Event Log data formats.

    Topics include:

    • The extent of the audit problem: how much data are you generating every day, and how useful is it?
    • Logfile content
    • Logfile generation: syslog and its relatives
    • Log management: centralization, parsing, and storage
    • Log analysis: methods for reconstruction of an attack
    • Kinds of data in syslog (with samples):
      • Normal status messages
      • Software misconfigurations
      • Hardware errors
      • Attack signatures
    • Network systems, and the kinds of data they produce:
      • Operating systems and applications
      • Firewalls, VPN servers, authentication systems
      • Alarms: network IDS, host-based IDS
    • Signatures of common attacks:
      • Code Red and Nimda
      • IIS/sadmind
      • Other buffer overflows (with obvious signature)
      • telnetd buffer with ambiguous signature
      • Multi-line signatures
    • [If there's time, which seems unlikely] How to find these:
      • swatch
      • logsurfer
      • checksyslog

    This class won't teach you how to write Perl scripts to simplify your logfiles. It will teach you how to build a log management infrastructure, how to figure out what your log data means, and what in the world you do with it once you've acquired it.

    Instructor Bio
    Tina Bird is a Network Security Architect at Counterpane Internet Security, which provides a commercial log monitoring service. She has implemented and managed a variety of wide-area-network security technologies, such as firewalls, VPN packages, and authentication systems, and has developed, implemented, and enforced corporate IS security policies in a variety of environments. Tina is moderator of the Virtual Private Networks mailing list and the owner of "VPN Resources on the World Wide Web," a highly regarded vendor-neutral source of information about VPN technology. Tina has a BS in Physics from Notre Dame and an MS and PhD in Astrophysics.

    HOW TO REGISTER

    Please use our online registration form. You must pay by credit card (Visa, Mastercard, American Express, or Discover).

    Fee per tutorial: $395
    If you register on or before February 8, 2002, you save $50 off the above rate.

    Cancellation Policy: The fee is fully refundable if cancellation notice is received in writing ten business days before the start of the tutorial.

    USENIX Association
    Online Tutorial Registration
    2560 Ninth Street, Ste 215
    Berkeley, CA 94710
    Phone 510-528-8649
    Fax 510-548-5738

    WHAT YOU NEED TO PARTICIPATE

    To participate in these tutorials you will need a PC running Windows. It is also suggested that you use a monaural headset to be able to listen and participate in class discussions. Headsets are inexpensive and can be purchased at your local electronics store.

    Centra requires two ports in order to function properly: ports 80 and 1709. Port 80 is needed for the front-end portion (login, registration, etc.). Port 1709 carries Centra's proprietary protocol, delivered via TCP; this port is registered to Centra. For those behind a firewall or proxy, only outbound connections to port 1709 need to be allowed.

    To ensure that your firewall or other network restrictions will not prevent you from participating in the class, you can check as follows:

    1. Connect to the URL https://209.202.130.210/usenix/index.jhtml
    2. Click the System Check link on the upper right corner of the page.
    3. The System Check tests your Web browser, network connection, and audio settings.

    A NOTE ON THE CENTRA TECHNOLOGY USED FOR THE PILOTS

    This is a pilot program to test the viability of running interactive online tutorials. We are using Centra Software Virtual Classroom Technology to deliver the pilots. It is a technology that requires a PC running Windows.

    We are continuing to look for an interactive classroom application that will run on a browser or under UNIX or another open systems platform. Unfortunately, the interactive virtual classroom programs currently commercially available with the reliability necessary to run a seamless classroom environment all require Windows. There are conference programs that run on a browser, but they lack the interactive elements and most require multiple phone lines.

    This said, USENIX recognizes what a sensitive area this is for our community. If USENIX implements a program like this in the future, we will try to accommodate those who run UNIX only with programs that are designed to be delivered for them.

    Last changed: 22 Feb. 2002 jr