M1 — Monday, August 23 (M2, M3)

Intrusion Detection and Network Forensics

Marcus J. Ranum, Network Flight Recorder, Inc.

Who should attend:
Network and system managers, security managers, and auditors. This tutorial assumes some knowledge of TCP/IP networking and client/server computing. What can intrusion detection do for you? Intrusion detection systems are designed to alert network managers to the presence of unusual or possibly hostile events within the network. Once you've found traces of a hacker, what should you do? What kind of tools can you deploy to determine what happened, how they got in, and how to keep them out? This tutorial provides a highly technical overview of the state of intrusion detection software and the types of products that are available, as well as the basic principles for building your own intrusion detection alarms. Methods of recording events during an intrusion are also covered.

Topics include:

What is IDS?
• Principles
• Prior art

Can IDS help?
• What IDS can and can't do for you
• IDS and the WWW
• IDS and firewalls
• IDS and VPNs

Types and trends in IDS design
• Anomaly and misuse detection
• Traps
• Future avenues of research

Concepts for building your IDS
• What you need to begin
• Performance issues

Tools for building your IDS
• Sniffers and suckers
• Host logging tools
• Log recorders

Reporting and recording
• Managing alerts
• What to throw away and what to keep

Network forensics
• So you've been hacked
• Forensic tools
• Brief overview of evidence handling
• Who can help you

Resources and references

Marcus J. Ranum is CEO and founder of Network Flight Recorder, Inc. He is the principal author of several major Internet firewall products, including the DEC SEAL, the TIS Gauntlet, and the TIS Internet Firewall Toolkit. Marcus has been managing UNIX systems and network security for over 13 years, including configuring and managing whitehouse.gov. Marcus is a frequent lecturer and conference speaker on computer security topics, and is co-author with Daniel Geer and Aviel Rubin of The Web Security Sourcebook.

M2 — Monday, August 23

Advanced Topics in Windows NT Security

Phil Cox, Networking Technology Solutions

Who should attend:
Programmers, network and systems administrators, and individuals who need a better understanding of the "why's" of Windows NT security. Anyone interested in Windows NT network protocols, details on "what" registry settings actually do, and other advanced topics. An intermediate knowledge of Windows NT security and experience dealing with network security are prerequisites for this course.

Many Windows NT security issues require more than a basic understanding of security exposures and potential control measures. This course is designed for system and network administrators and system programmers who are already technically proficient with Windows NT security and want to learn more about advanced features.

Topics include:

Details of Windows NT related to security and their implications
• The internal functionality of Windows NT
• Windows networking: SMB and NetBIOS

Tradeoffs in designing and implementing suitable
solutions to address flaws

Practical exercise in defending NT using a firewall

Dealing with Windows NT authentication
• Passthrough authentication
• Derivation and protection of password hashes

Securing the Windows registry
• Advanced techniques
• Tradeoffs and pitfalls in each registry change

The Security Configuration Manager
• Default configurations
• Defining specialized templates

Phil Cox is a consultant for Networking Technology Solutions, and is a member of a government incident response team. Phil frequently writes and lectures on issues bridging the gap between UNIX and Windows NT. He is a featured columnist in ;login:, the USENIX Association magazine, and is on the upcoming USENIX LISA program committee. Phil has a B.S. in Computer Science from the College of Charleston, South Carolina.

M3 — Monday, August 23

Secure Networking — An Introduction to Virtual Private Networks

Tina Bird, Secure Netorking Group

Who should attend:
System administrators and network managers responsible for remote access and wide-area networks within their organization. Participants should be familiar with TCP/IP networking and fundamental network security, although some review is provided. The purpose of this tutorial is to provide a step-by-step guide to evaluating an organization's VPN requirements, selecting the appropriate technology, and implementing it within a pre-existing security infrastructure.

Virtual private networking technology provides a flexible mechanism for addressing connectivity needs within many organizations. This class focuses on assessing business and technical requirements for remote access and extranet connections, evaluating VPN technology, integrating VPNs within an existing network infrastructure, and common implementation difficulties.

Topics include:
• VPN security features (encryption, access control, NAT) and how they protect against common Internet threats
• Assessing your organization's needs for remote access n VPN architectures and where they fit
• A brief review of commercial VPN products
• Implementing VPN technology within your organization's network
• Common VPN difficulties

After completing this course, students will be ready to evaluate their requirements for remote access and begin testing commercial VPN implementations.

Tina Bird is a security analyst at Secure Network Group, a consulting firm in Lawrence, Kansas specializing in the installation and management of secure wide-area networks. She has implemented and managed a variety of wide-area-network security technologies, such as firewalls and VPN packages; built and supported extranet and intranet remote access packages; and developed, implemented, and enforced corporate IS security policies in a variety of environments. Her main focus in the last year has been on the evaluation and implemen-tation of virtual private networking solutions in small- to mid-sized networks (40 to 4000 hosts). Tina is the moderator of the Virtual Private Networks mailing list. She has a B.S. in physics from Notre Dame and an M.S. and Ph.D. in astrophysics from the University of Minnesota.