W1 Network Security Assessments Workshop: Hands-On (Day 2 of 2)
David Rhoades, Maven Security Consulting, Inc.
9:00 a.m.–5:00 p.m.
Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment.
How do you test a network for security vulnerabilities? Just plug
some IP addresses into a network-scanning tool and click SCAN,
right? If only it were that easy. Numerous commercial and freeware tools assist
in locating network-level security vulnerabilities. However, these
tools are fraught with dangers: accidental denial-of-service,
false positives, false negatives, and long-winded reporting, to name but
a few. Performing a security assessment (a.k.a. vulnerability assessment
or penetration test) against a network environment requires
preparation, the right tools, methodology, knowledge, and more.
This hands-on workshop will cover the essential topics for performing
an effective and safe network assessment.
Class exercises will require that students have an x86-based laptop
computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet
network card. Please download a copy of KNOPPIX-STD
(https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system
on a network offering DHCP. Be sure your network card is recognized by
Knoppix-STD, otherwise you will not be able to participate in most classroom
exercises. Wireless access will not be supported during class.
Topics include:
- Preparation: What you need before you even begin
- Safety measures: This often-overlooked topic will cover important
practical steps to minimize or eliminate adverse effects on critical networks
- Architecture considerations: Where you scan from affects how you perform the assessment
- Inventory: Taking an accurate inventory of active systems and protocols
on the target network
- Tools of the trade: Effective use of both freeware and commercial tools, with an emphasis on common pitfalls
- Automated scanning: Best-of-class tools, with tips (mostly vendor-neutral) on their proper use
- Research and development: What to do when existing tools don't suffice
- Documentation and audit trail: How to keep accurate records easily
- How to compile useful reports: Planning for corrective action and tracking your security measures
Students will practice network assessment on a target network of Windows and UNIX-based servers and various routing components.
Day 1
- Lab setup and preparation
- Security assessment overview
- Types of assessments
- Choosing an assessment approach
- Assessment preparation
- Defining the purpose
- Rules of engagement
- Assessment logistics
- Open vs. closed testing
- Passive vs. active testing; depth of testing
- Denial of service (DoS)
- Enumeration of target information
- Permission
- Assessment safety
- Verification of tool authenticity
- Vetting tools
- Safety concepts
- The dangers of automated scanners
- Automated tool safety summary
- Documentation and audit trail
- Assessment phase 1: network inventory
- Ping scanning
- Discrete port scanning (host inventory only)
- DNS queries
- Traceroute
- ARP scanning
Day 2
- Assessment phase 2: target analysis
- TCP port scanning
- UDP port scanning
- SNMP
- Assessment phase 3: exploitation and confirmation
- Automated vulnerability scanning tools
- (Online) brute-force attacks
- (Offline) password cracking
- Manual testing
- Special consideration testing
- Firewalls and routers
- Auditing email servers
- Web servers
- Stealth technique summary
- Vulnerability scanning tools
- Automated scanning tools
- Commercial scanners
- Nessus
- Nessus Clients
- Using Nessus
David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security
Consulting, Inc. Since 1996, David has provided information protection services
for various FORTUNE 500 customers. His work has taken him across the US
and abroad to Europe and Asia, where he has lectured and consulted in
various areas of information security. David has a B.S. in computer
engineering from the Pennsylvania State University and has taught
for the SANS Institute, the MIS Training Institute, and ISACA.
W2 Defeating Junk/Spam Email
Marcus Ranum, Trusecure Corp.
9:00 a.m.–5:00 p.m.
Who should attend: Network and system administrators
responsible for email systems; people who are annoyed by junk email;
mail server administrators; senior managers who want to understand the
technologies for blocking junk email. Some familiarity with Internet email systems is recommended. Familiarity with
UNIX system administration is a must.
Is unplugging from the network the only way to avoid junk email? Many
organizations are finding that junk email is a major time-waster and
performance hog. Some individuals are finding that, every morning, 95% of their inbox is
garbage.
This workshop covers real-world issues in dealing with junk email, and how
to block a significant percentage of it from your personal or corporate
network. Attendees will learn the various techniques of junk email blocking,
the tools that are available, and the advantages and disadvantages of various
approaches. We will also examine a number of popular tools in detail, and
discuss configuration and tuning issues.
Topics include:
- Junk email: you know what it is when you get it
- Whitelisting, blacklisting, and blackholing
- Early attempts at junk email blocking
- The state of the art in junk email blocking
- Tools and techniques
- Setting up a centralized junk email blocking system
- Integrating junk email blocking into various mail clients
- Integrating junk email blocking into various servers
- Legalities and legal initiatives
Marcus Ranum (M4, W2) is senior scientist at Trusecure Corp. and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.
W3 Regular Expression Mastery
Mark-Jason Dominus, Consultant and Author
9:00 a.m.–12:30 p.m.
Who should attend: System administrators and users who use Perl, grep, sed, awk, procmail, vi, or emacs.
Almost everyone has written a regex that produced unexpected results. Sometimes regexes appear to hang forever, and it's not clear what has gone wrong. Sometimes they behave differently in different utilities, and you can't tell why. This class will fix all these problems.
The first section of the class will explore the matching algorithms used internally by common utilities such as grep and Perl. Understanding these algorithms will allow us to predict whether a regex will match, which of several matches will be found, and which regexes are likely to be faster than others, and to understand why all of these behaviors occur. We'll learn why commonly used regex symbols such as ".", "$", and "\1" may not mean what you thought they did.
In the second section, we'll look at common matching disasters, a few practical parsing applications, and some advanced Perl features. We'll finish with a discussion of optimizations that were added to Perl 5.6, and why you should avoid using "/i".
Topics include:
- Inside the regex engine
- Regular expressions are programs
- Backtracking
- NFA vs. DFA
- POSIX and Perl
- Quantifiers
- Greed and anti-greed
- Anchors and assertions
- Backreferences
- Disasters and optimizations
- Where machines come from
- Disaster examples
- Tokenizing
- New optimizations
- Matching strings with balanced parentheses
Mark-Jason Dominus (W3, W6) has been programming in Perl since 1992. He is a moderator of the comp.lang.perl.moderated newsgroup, the author of the Text::Template, Tie::File, and Memoize modules, a contributor to the Perl core, and author of the perlreftut man page. His work on the Rx regular expression debugger won the 2001 Larry Wall Award for Practical Utility. He lives in Philadelphia with his wife and several plush octopuses.
W4 Cisco Device Configuration Basics, Part 1
Steve Acheson and Laura Kuiper, Cisco Systems
9:00 a.m.–12:30 p.m.
Who should attend: Anyone who bought a Cisco router or switch on eBay and wants to know how to configure it.
This class will go through the steps you need to take to configure your
router or switch from the day you receive it to actually using it.
Topics include:
- Introduction to IOS and its naming
- Cabling your device(s)
- Loading a new image
- Stepping through the configuration basics
- Using the "Setup" script
- Using the Cisco command line interface
- Setting up a hostname, DNS, etc.
- Setting up Network Time Protocol (NTP)
- Router Specifics
- Configuring the interfaces and IP addresses
- Forwarding packets (basic routing)
- Switch specifics
- Configuring ports
- Setting up VLANs
- Security: Access Control List basics
- Troubleshooting
- "show" commands
- "debug" commands
- CDP (Cisco Discovery Protocol)
Steve Acheson (M7, W4, W7, F2) is currently an Information Security Architect at Cisco
Systems, Inc., where he is a senior member of the Corporate Information
Security Department, responsible for network and system security,
including designing internal security architecture and external/firewall
access. Before working for Cisco, Steve managed security for NASA's
Numerical Aerospace Simulations facility at Ames Research Center. He
has worked in the field for over 15 years as a system administrator, network engineer, and
security analyst.
Laura Kuiper (W4, W7, F2) is currently a Computer Security Architect at Cisco
Systems, Inc., where she is a senior member of the Computer Information
Security Department, responsible for network and system security,
including designing internal security architecture and external/firewall
access. Before working for Cisco, Laura managed the network at SAIC.
She has worked in the field as a network engineer and security analyst
for over 9 years.
W5 Oracle Backup and Recovery
W. Curtis Preston, Glasshouse Technologies
9:00 a.m.–12:30 p.m.
Who should attend: System administrators with Oracle in their environment.
Oracle is one of the most popular databases in today's datacenter,
and yet its backup and recovery are often misunderstood and
misconfigured. Learn everything you need to know about
Oracle and its backups in this half-day tutorial. We'll start
with an explanation of Oracle architecture, designed especially for
the non-DBA. We'll debunk a few myths along the way, such as the one
that says Oracle datafiles don't change while Oracle is in
backup mode. (You'd be surprised how many people believe that
myth.) Other myths we'll debunk include "You can't do hot
backups without RMAN" and "You can't use RMAN without buying
expensive backup software." Having explained all the pieces that
go into Oracle backup and recovery, the instructor will demonstrate
various Oracle backup and recovery scenarios live.
Topics include:
- Oracle architecture
- Data files
- Tablespaces
- Redo logs
- Control files
- Rollback segment
- Physical backups without a storage manager
- Scripting backups without RMAN
- Using RMAN without a storage manager
- Physical backups with a storage manager
- Managing the archived redo logs
- Recovering Oracle
- Logical backups
W. Curtis Preston (T12, W5) is Vice President of Service Development for Glasshouse
Technologies, the global leader in independent storage services. Curtis has ten years' experience designing storage systems for
many environments, both large and small. As a recognized expert in the
field, Curtis has advised the major product vendors regarding product
features and implementation methods. Curtis is the administrator of the
NetBackup and NetWorker FAQs and answers the "Ask The Experts" backup
forum on SearchStorage.com. He is also the author of O'Reilly's UNIX
Backup & Recovery and Using SANs & NAS, as well as a monthly column in
Storage Magazine.
W6 Perl Program Repair Shop and Red Flags
Mark-Jason Dominus, Consultant and Author
1:30 p.m.–5:00 p.m.
Who should attend: Anyone who writes Perl programs regularly. Participants should have at least three months'
experience programming in Perl.
You've probably been working too hard when you program,
writing twenty lines of code when you only needed ten. But there is a
better way, and I will show it to you. You'll learn how to improve
your own code and the code of others, making it cleaner, more
readable, more reusable, and more efficient, while at the same time
making it 30-50% smaller. Smaller code contains fewer bugs and takes
less time to maintain.
We will examine several real code examples in detail and see how to
improve them. We'll focus on red flags--warning
signs in your code that are plainly visible once you know what to look
for--and on techniques that require little complex thought or
ingenuity. All the bad code in this class is guaranteed 100% genuine
and typical.
Participants are encouraged to submit their own code for anonymous
review in the class. (Send it to
mjd-lisa-2003+@plover.com.) Class
content varies depending on submissions, but is sure to include some
of the topics listed below.
Topics include:
- Families of variables
- Making relationships explicit
- Refactoring
- Programming by convention
- The Flesh Blanket
- Conciseness
- Why you should avoid the "." operator
- Elimination of global variables
- Superstition
- The "use strict" zombies
- Repressed subconscious urges
- The cardinal rule of computer programming
- The psychology of repeated code
- Techniques for eliminating repeated code
- What can go wrong with "if" and "else"
- The Condition That Ate Michigan
- Resisting "Holy Doctrine"
- Trying it both ways
- Structural vs. functional code
- Elimination of structure
- Boolean values
- Programs that take two steps forward and one step back
- Programs that are 10% backslashes
- 'print print print print print '
- C-style "for" loops
- Loop counter variables
- Array length variables
- Unnecessary shell calls
- How (and why) to let "undef" be the special value
- Confusion of internal and external representations of data
- Tool use
- Elimination of repeated code with higher-order functions
- Learning to use a hammer
- The "swswsw" problem
- Avoiding special cases
- Using uniform data representations
Mark-Jason Dominus (W3, W6) has been programming in Perl since 1992. He is a moderator of the comp.lang.perl.moderated newsgroup, the author of the Text::Template, Tie::File, and Memoize modules, a contributor to the Perl core, and author of the perlreftut man page. His work on the Rx regular expression debugger won the 2001 Larry Wall Award for Practical Utility. He lives in Philadelphia with his wife and several plush octopuses.
W7 Cisco Device Configuration Basics, Part 2
Steve Acheson and Laura Kuiper, Cisco Systems
1:30 p.m.–5:00 p.m.
Who should attend: Anyone who bought a Cisco router or switch on eBay and wants to know how to configure it.
This class will build on the morning class, W4, to help you get the most out of your Cisco equipment.
Topics include:
- Review of IOS capabilities and image features
- Setting up SNMP monitoring
- SSH (secure access)
- Switch specifics
- Spanning tree
- Trunking
- Differences between CatOS- and IOS-based switches
- Router Specifics
- Making your router a DHCP server
- Doing NAT/PAT with your router
- Using the GUI SDM (Security Device Manager) to configure your router
- More security
- PVLAN edge (protected port)
- Local authentication
- RADIUS authentication
- Advanced ACLs
- Using your router as a VPN gateway
- Additional capabilities your router offers
Steve Acheson (M7, W4, W7, F2) is currently an Information Security Architect at Cisco
Systems, Inc., where he is a senior member of the Corporate Information
Security Department, responsible for network and system security,
including designing internal security architecture and external/firewall
access. Before working for Cisco, Steve managed security for NASA's
Numerical Aerospace Simulations facility at Ames Research Center. He
has worked in the field for over 15 years as a system administrator, network engineer, and
security analyst.
Laura Kuiper (W4, W7, F2) is currently a Computer Security Architect at Cisco
Systems, Inc., where she is a senior member of the Computer Information
Security Department, responsible for network and system security,
including designing internal security architecture and external/firewall
access. Before working for Cisco, Laura managed the network at SAIC.
She has worked in the field as a network engineer and security analyst
for over 9 years.
W8 Introduction to Host Configuration and Maintenance with Cfengine
Mark Burgess, Oslo University College
1:30 p.m.–5:00 p.m.
Who should attend: System administrators with a minimal
knowledge of a scripting language who wish to start using cfengine to
automate the maintenance and security of their systems. UNIX
administrators will be most at home in this tutorial, but cfengine can
also be used on Windows 2000 and above.
Cfengine is a tool for setting up and maintaining a configuration
across a network of hosts. It is sometimes called a tool for "Computer
Immunology"--your computer's own immune system. You can think of
cfengine as a very high level language, much higher-level than Perl
or shell, together with a smart agent. The idea behind cfengine is to
create a single "policy" or set of configuration files that describes
the setup of every host on your network, without sacrificing their
autonomy.
Cfengine runs on every host and makes sure that it is in a
policy-conformant state; if necessary, any deviations from policy
rules are fixed automatically. Unlike tools such as rdist, cfengine does
not require hosts to open themselves to any central authority, nor to
subscribe to a fixed image of files. It is a modern tool, supporting
state-of-the-art encryption and IPv6 transport, that can handle
distribution and customization of system resources in huge networks
(tens of thousands of hosts). Cfengine runs on hundreds of thousands
of computers all over the world.
Topics include:
- The components of cfengine and how they are used
- How to get the system running
- How to develop a suitable policy, step by step
- Security
- Examples
- How to customize cfengine for special tasks
Mark Burgess (W8, F4) is a professor at Oslo University College and is the author of cfengine. He has been researching the principles of network and system administration for over ten years and is the author of Principles of Network and System Administration (John Wiley & Sons). He is frequently invited to speak at conferences.