Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application.

Is your Web application secure? CD Universe, CreditCard.com, and others have found out the hard way: encryption and firewalls are not enough. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are incapable of locating security issues for Web-based applications.

With numerous real-world examples from the instructor's years of experience with security assessments, this informative and entertaining course is based on fact, not theory. The course material is presented in a step-by-step approach, and will apply to Web portals, e-commerce (B2B or B2C), online banking, shopping, subscription-based services, or any Web-enabled application.

Class exercises will require that students have an x86-based laptop computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD (https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system on a network offering DHCP. Be sure your network card is recognized by Knoppix-STD, otherwise you will not be able to participate in most classroom exercises. Wireless access will not be supported during class.

Topics include:

• The primary risks facing Web applications
• Exposures and vulnerabilities in HTML and JavaScript, authentication, and session tracking
• Tools, techniques, and methodologies required to locate weaknesses
• Recommendations for mitigating exposures found
• Best practices for Web application security

Day 1

• Introduction
• The problem and root causes
• Web primer: HTTP and HTML
• Foundational security
• OS vulnerabilities
• Web server security highlights
• Web server and Web application output
• HTTP headers
• HTML and JavaScript
• Encryption ciphers
• Error messages
• Caching
• Authentication
• Authentication: digital certificates; form-based; HTTP basic
• Threats to authentication
• Sign-on
• User name harvesting
• Brute-force password guessing
• Password harvesting
• Resource exhaustion

• Session issues
• Session tracking mechanisms
• Session ID best practices
• Session cloning
• Transaction issues
• Malicious user input
• Hidden form elements
• GET vs. POST
• JavaScript filters
• Improper application logic
• Cross-site scripting (XSS)
• Third-party products
• Testing procedures
• Methodology and safety

David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and has taught for the SANS Institute, the MIS Training Institute, and ISACA.

F2 Cisco Security Features
Steve Acheson and Laura Kuiper, Cisco Systems
9:00 a.m.–5:00 p.m.

Who should attend: Network and system engineers looking to improve their familiarity with Cisco's security capabilities; security professionals interested in the technical details of securing enterprise-class networks.

As security concerns become more pervasive throughout the enterprise market, pressure on network engineers to be more security-conscious continues to grow. In tandem, as smaller enterprises increase their reliance on networked systems, they need network engineers to keep these systems secure. This session provides network engineers with a detailed overview of enterprise networking security and explores how Cisco security features can help the enterprise network.

Topics include:

• Infrastructure
• Device configurations
• Device access and user administration
• Routing protocol security
• Layer 2/switches
• Access control
• Access Control Lists (ACLs)
  • Standard vs. extended
  • Dynamic
  • Time-based
• Firewalls
  • CBAC
  • PIX
  • Authentication services
• Netword Admission Control (NAC)
• IP telephony
• Wireless LANs
• 802.1x
• Intrusion prevention
• VPNs
• Monitoring

Steve Acheson (M7, W4, W7, F2) is currently an Information Security Architect at Cisco Systems, Inc., where he is a senior member of the Corporate Information Security Department, responsible for network and system security, including designing internal security architecture and external/firewall access. Before working for Cisco, Steve managed security for NASA's Numerical Aerospace Simulations facility at Ames Research Center. He has worked in the field for over 15 years as a system administrator, network engineer, and security analyst.

Laura Kuiper (W4, W7, F2) is currently a Computer Security Architect at Cisco Systems, Inc., where she is a senior member of the Computer Information Security Department, responsible for network and system security, including designing internal security architecture and external/firewall access. Before working for Cisco, Laura managed the network at SAIC. She has worked in the field as a network engineer and security analyst for over 9 years.

F3 Time Management for System Administrators: Getting It All Done and Not Going (More) Crazy!
Tom Limoncelli, Cibernet
9:00 a.m.–12:30 p.m.

Who should attend: Sysadmins who want to improve their time-management skills, who want to have more control over their time and better follow-through on assignments. If you feel overloaded, miss appointments, and forget deadlines and tasks, this class is for you.

Do any of these statements sound like you?

• I don't have enough time to get all my work done.
• I don't have control over my schedule
• I'm spending all my time mopping the floor; I don't have time to fix the leaking pipe.
• My boss says I don't work hard enough, but I'm always working my —— off!

Tom Limoncelli used to be a time-management disaster. He reformed himself and offers his insights in this tutorial. Tom currently has two job functions at a financial services company, chairs conferences, writes books, maintains four personal Web sites, serves on the boards of two nonprofits, and has a very full social life. Yet he keeps it all together and has time for himself. If you think you don't have time to take this tutorial, you really need to take this tutorial!

Topics include:

• Why typical "time management" books don't work for sysadmins
• How to delegate tasks effectively
• How to use RT and other request tracking tools
• A way to keep from ever forgetting a user's request
• Why "to do" lists fail and how to make them work
• Managing your boss
• Managing email more effectively with procmail
• Prioritizing tasks so that users think you're a genius
• Getting more out of your Palm Pilot
• Having more time for fun (for people with a social life)
• Tips on automating sysadmin processes
• Efficient phone calls: how to avoid major time wasters
• How to leave the office every day with a smile on your face

Tom Limoncelli (R8, F3), co-author of The Practice of System and Network Administration (Addison-Wesley), is Director of IT Services at Cibernet Corp. A sysadmin and network wonk since 1987, he has worked at Dean for America, Lumeta, Bell Labs/Lucent, Mentor Graphics, and Drew University. He is a frequent presenter at LISA conferences.

F4 Advanced Topics in Host Configuration and Maintenance with Cfengine
Mark Burgess, Oslo University College
9:00 a.m.–12:30 p.m.

Who should attend: System administrators with a working knowledge of cfengine (or who have attended the introductory course) and who wish to extend their understanding of cfengine with examples and usage patterns. UNIX and Mac OS X administrators will be most at home in this tutorial, but cfengine can also be used on Windows 2000 and above.

Cfengine contains many features and facilities that make it a powerful tool for system administration, but it has a large manual that is difficult to absorb without training. In this tutorial we assume that attendees have a basic understanding of how cfengine works and would like to develop a number of "best practices" and examples to maximize their returns.

Topics include:

• Review of some basics
• Automating deployment of software throughout your infrastructure
  • UNIX/Mac/Windows
  • update.conf
  • cron and cfexecd
  • When to run
  • Integrating data from information sources
• Structure and organization of config
  • The overlapping-set model
  • Import
  • Modules
  • Methods
  • When to use these tools
• Special functions and variables
  • Variables, scalars, arrays
  • Associative arrays and their limitations
  • ExecResult, ReturnsZero, etc.
  • ReadArray, ReadList, etc.
  • IsNewerThan, IsDir, etc.
• Searching, matching, and wildcards
  • Search filters
  • Regular expressions
  • Wildcard expansions
• How does cfagent evaluate things?
  • Thinking declaratively
  • Ordering: When does it matter?
  • Locks; What are they, and why are they there?
  • Iteration over lists
  • Control, actionsequence, alerts
• Services and security
  • PP keys and exchange (trust model)
  • Authentication stages
  • Rule orderings
  • IPv6 issues
  • Peer-to-peer services
  • Example: Backing up laptops
• Host monitoring
  • cfenvd
  • Interfacing to tcpdump
  • Understanding cfenvgraph output
  • PeerCheck neighborhood watch
  • FriendStatus function
• Future developments and discussion

Mark Burgess (W8, F4) is a professor at Oslo University College and is the author of cfengine. He has been researching the principles of network and system administration for over ten years and is the author of Principles of Network and System Administration (John Wiley & Sons). He is frequently invited to speak at conferences.

F5 Intermediate Topics in Domain Name System Administration
William LeFebvre, CNN Internet Technologies
9:00 a.m.–12:30 p.m.

Who should attend: Network administrators with a basic understanding of DNS and its configuration who need to learn how to create and delegate subdomains, and administrators planning to install BIND8. Attendees are expected either to have prior experience with DNS, including an understanding of basic operation and zone transfers, or to have attended the "Introduction to Domain Name System Administration" tutorial.

Attendees will move beyond the basics into a more thorough understanding of the overall design and implementation of DNS.

Topics include:

• Subdomains and delegation
• Resource records: NS, RP, MX, TXT, AAAA
• Migration to BIND8
• DNS management tools
• DNS design
• DNS and firewalls

William LeFebvre (R5, F5) is an author, programmer, teacher, and sysadmin expert who has been using UNIX and Internet technologies since 1983. He writes a monthly column for UNIX Review and has taught since 1989 for such organizations as USENIX, the Sun User Group (SUG), MIS Training Institute, IT Forum, and Great Circle Associates. He has contributed to several widely used UNIX packages, including Wietse Venema's logdaemon package. He is also the primary programmer for the popular UNIX utility top. William is currently a technology fellow at CNN Internet Technologies, exploring the applicability of new technology to one of the busiest Web farms on the Internet. He received his bachelor's degree in 1983 and his master of science degree in 1988, both from Rice University.