2004 USENIX Annual Technical Conference, June 27-July 2, 2004, Boston Marriott Copley Place, Boston, MA
  TRAINING TRACK

Sunday, June 27, 2004
S1 Hands-on Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 1 of 2) NEW!
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.
Linux/Open Source Networking Security
Who should attend: System administrators of Linux and other UNIX systems; anyone who runs a public UNIX server.

Few people enjoy learning how to swim by being tossed into the ocean, but that's what happens if a system you manage gets hacked. You often have little choice other than to reload that system, patch it, and get it running again. This two-day class gives you a chance to work with systems that have been "hacked," letting you search for hidden files or services or other evidence of the intrusion. Examples are taken from real, recent attacks on Linux systems. You will perform hands-on exercises with dual-use tools to replicate what intruders do as well as with tools dedicated to security. The tools vary from the ordinary, such as find and strings, to less familiar but very important ones, such as lsof, scanners, sniffers, and the Sleuth Kit.

The lecture portion of this class covers the background you need to understand UNIX security principles, TCP/IP, scanning, and popular attack strategies.

Day Two will explore the defenses for networks and individual systems. The class will end with a discussion of the use of patching tools for Linux, including cfengine.

Class exercises will require that you have an x86-based laptop computer that can be booted from a KNOPPIX CD. Macintosh owners interested in taking this class should contact the instructor, as a bootable KNOPPIX CD for the PPC may be provided as well if there is sufficient interest. Students will receive a version of Linux on CD that includes the tools, files, and exercises used in the course. If you have a laptop but don't know whether it can run a bootable Linux CD (that will not have an impact on your installed hard drive or operating systems), please download a copy of KNOPPIX (https://www.knoppix.org), burn it, and try it out. KNOPPIX support for wireless is the same as common Linux kernels (not exciting), but KNOPPIX does a superb job of handling most other hardware found in laptops.

Topics include:

DAY ONE:

  • Finding hidden files and evidence of intrusion
  • TCP/IP and its abuses
  • hping2 probes, or xprobe with ethereal again
  • nmap while watching with ethereal or tcpdump (connect and SYN scans)
  • Working with buffer-overflow exploit examples
  • Apache servers and finding bugs in scripts
  • John the Ripper, password cracking

DAY TWO:

  • Using and modifying KNOPPIX Linux boot CD
  • Elevation of privilege and suid shells
  • Rootkits, and finding rootkits (chkrootkit)
  • Sleuth Kit (looking at intrusion timelines)
  • iptables and netfilter
  • cfengine configuration
  • Vulnerability scanning with nessus

Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.

S2 Next Generation Storage Networking and Data Protection NEW!
Jacob Farmer, Cambridge Computer Services
9:00 a.m.–5:00 p.m.
Networking Sysadmin
Who should attend: Sysadmins running day-to-day operations and those who set or enforce budgets. This lecture is technical in nature, but it does not address command-line syntax or the operation of specific products or technologies. Rather, the focus is on general architectures and various approaches to scaling in both performance and capacity. Since storage technologies tend to be expensive, there is some discussion of the relative cost of different technologies and of strategies for managing cost and achieving results on a limited budget.

There has been tremendous innovation in the data storage industry in the past few years, and this year the pace has quickened. Proprietary monolithic SAN and NAS subsystems are giving way to open-system and distributed architectures. Data-transfer protocols such as SCSI, NFS, and CIFS are facing competition from VI and DAFS. Fibre-channel and parallel SCSI interfaces are challenged by Gigabit Ethernet, iSCSI, and serial ATA. Bottlenecks imposed by I/O buses and stacks stand to be eliminated by Infiniband and RDMA. Finally, traditional file-based tape backup systems are being challenged by disk-to-disk backup and block-level backup technologies, which promise to eliminate backup windows while minimizing the chance of data loss.

This tutorial describes the latest technologies to hit the market for storage networking and data protection and offers advice on how to integrate these technologies into existing environments as well as how to set up whole new systems. The first half of the lecture covers the latest technologies for primary storage: SAN and NAS architectures, virtual storage, parallel file systems, storage interfaces, etc. The second half of the lecture focuses on secondary storage: backup systems, data replication, archiving, etc.

Topics include:

  • Storage networking
    • Fundamentals of storage networking
    • Shortcomings of conventional SAN and NAS architectures
    • Comparison of storage interfaces: fibre channel, SCSI, serial ATA, Infiniband, Ethernet
    • Comparison of storage protocols: CIFS, NFS, SCSI, VI, DAFS
    • Open systems storage virtualization
    • The convergence of SAN and NAS
    • High-performance file sharing (NAS on steroids)
    • SAN-enabled file systems
    • Wide-area file systems
    • Parallel file systems
    • Content-addressable storage
  • Backup systems
    • SAN-enabled backup systems
    • Disk-to-disk backup
    • Virtual tape libraries
    • Continuous backup
    • Data replication
    • Integrating snapshots into the backup strategy
    • The latest tape technologies (LTO-2, SDLT-600, SAIT, AIT-4)
    • Backup system reporting and diagnostics
    • Secondary storage SANs

Jacob Farmer (S2) is the CTO of Cambridge Computer Services, a specialized integrator of backup systems and storage networks. He has over 15 years' experience with storage technologies and writes an expert advice column for InfoStor magazine. He is currently writing a book on storage networking.

S3 Linux Network Service Administration
Joshua Jensen, IBM
9:00 a.m.–5:00 p.m.
Linux/Open Source Networking Sysadmin
Who should attend: This tutorial is directed at system administrators who are implementing network services and are looking for a background in the configuration of those services, as well as basics of the protocols. Attendees should have some network client/server experience and have a basic knowledge of UNIX administration, but do not need to be experienced network administrators. Both new and intermediate network administrators will leave the tutorial having learned something.

From a stand-alone client attached to the Internet to a distributed network of Web servers, systems administrators are being tasked with bringing their office environments online. The network services that need to be configured in order to do this can be daunting to administrators who aren't familiar with the required applications. Configuration examples as well as overviews of the underlying protocols will give attendees the tools to implement services on their own systems. The following areas will be covered (with a special emphasis on security):

  • Overview
  • Network services
    • SSH—Secure Shell with OpenSSH
    • FTP—Explore vsftpd
    • HTTP—Apache and Tux and Squid
    • SMTP—Postfix MTA
    • NFS—Network File Systems
    • LDAP—Global authentication with OpenLDAP
    • DHCP—DHCPD and PXE
    • DNS—ISC's BIND
    • NTP—Network Time
    • LPD—Printing with cups
  • Host-based security with TCP wrappers and Xinetd
  • Linux packet filtering
  • Network monitoring and logging
  • Network utilities you should be using

At the completion of the course, attendees should feel confident in their ability to set up and maintain secure network services. The tutorial will be conducted in an open manner that encourages question-and-answer interruption.

Joshua Jensen (S3, M3) has worked for IBM and Cisco Systems and was Red Hat's first instructor, examiner, and RHCE. He worked with Red Hat for 4 1/2 years, during which time he wrote and maintained large parts of the Red Hat curriculum: Networking Services and Security, System Administration, Apache and Secure Web Server Administration, and the Red Hat Certified Engineer course and exam. Having worked with Linux since 1996, Joshua has now come full circle: he is employed by IBM while working with Red Hat Linux onsite at Cisco Systems. In his spare time he dabbles in cats, fish, boats, and frequent flyer miles.

S4 Network Security Protocols: Theory and Current Standards
Radia Perlman, Sun Microsystems
9:00 a.m.–5:00 p.m.
Networking Security Sysadmin
Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.

First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.

We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.

Armed with this conceptual knowledge of the toolkit of tricks, we describe and critique current standards.

Topics include:

  • What problems are we trying to solve?
  • Cryptography
  • Key distribution
    • Trust hierarchies
    • Public key (PKI) vs. secret key solutions
  • Handshake issues
    • Diffie-Hellman
    • Man-in-middle defense
    • Perfect forward secrecy
    • Reflection attacks
  • PKI standards
    • X.509
    • PKIX
  • Real-time protocols
    • SSL/TLS
    • IPsec (including AH, ESP, and IKE)
  • Secure email
  • Web security
    • URLs
    • HTTP, HTTPs
    • Cookies

Radia Perlman (S4) is a Distinguished Engineer at Sun Microsystems. She is known for her contributions to bridging (spanning tree algorithm) and routing (link state routing), as well as security (sabotage-proof networks). She is the author of Interconnections: Bridges, Routers, Switches, and Internetworking Protocols and co-author of Network Security: Private Communication in a Public World, two of the top ten networking reference books, according to Network Magazine. She is one of the twenty-five people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about fifty issued patents, an S.B. and S.M. in mathematics and a Ph.D. in computer science from MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

S5 Advanced Solaris System Administration Topics
Peter Baer Galvin, Corporate Technologies, Inc.
9:00 a.m.–5:00 p.m.
Networking Sysadmin
Who should attend: UNIX administrators who need more knowledge of Solaris administration.

We will discuss the major new features of recent Solaris releases, including which to use (and how) and which to avoid. This in-depth course will provide the information you need to run a Solaris installation effectively. This tutorial has been updated to include Solaris 9 features and functions.

Topics include:

  • Installing and upgrading
    • Architecting your facility
    • Choosing appropriate hardware
    • Planning your installation, filesystem layout, post-installation steps
    • Installing (and removing) patches and packages
    • Avoiding single points of failure
  • Advanced features of Solaris 2
    • Filesystems and their uses
    • The /proc filesystem and commands
    • Useful tips and techniques
  • Networking and the kernel
    • Virtual IP: configuration and uses
    • Kernel and performance tuning: new features, adding devices, tuning, debugging commands
    • Devices: naming conventions, drivers, gotchas
  • Enhancing Solaris
    • High availability essentials: disk failures and recovery, RAID levels, uses and performance, H/A technology and implementation
    • Performance: how to track down and resolve bottlenecks, Solaris Resource Manager
    • Tools: useful free tools, tool use strategies
    • Security: locking down Solaris, system modifications, tools, SunScreen
    • Resources and references

Peter Baer Galvin (S5) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He wrote the "Pete's Wicked World" and "Pete's Super Systems" columns at SunWorld. He is currently contributing editor for Sys Admin, where he manages the Solaris Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web services, performance tuning, and high availability.

S6 How to Protect Your Intellectual Property: Current Developments, Issues, and Controversies
Dan Appelman, HellerEhrman
9:00 a.m.–5:00 p.m.
BSD coding Linux/Open Source
Who should attend: Computer programmers, system administrators, and executives who create, maintain, or commercially exploit software code or other innovations constituting intellectual property. No previous knowledge of intellectual property law is required. Protection options and issues vary depending on the kind of intellectual property, the innovations that incorporate them, and the goals of the companies or individuals who own them. We will address these variations as they become relevant during the tutorial.

This tutorial presents an overview of intellectual property protection, followed by a discussion of current issues and some practical advice about developing an intellectual property strategy. The format is a presentation by the instructor with plenty of time to ask questions. The goal is to provide attendees with a better understanding of how the law views intellectual property, of the sensitive legal issues and potential liabilities that developers face, and of the concrete steps they can take to maximize their protection while minimizing the cost of doing so.

Topics include:

  • Overview of U.S. intellectual property law
  • How to identify, protect, and enforce your intellectual property rights
  • Employer vs. employee issues
  • Cost vs. benefit with various intellectual property options
  • Reconciling open source development with intellectual property rights
  • Derivative works: Who owns them? Leveraging off someone else's inventions
  • Combining your work with work done by others: What happens to IP rights?
  • SCO and intellectual property: Fact vs. fiction
  • Intellectual property rights in cyberspace
  • Rights in data
  • Submarine patents and copyrights: Strategy, or recipe for disaster?
  • Acacia Media Technologies: Prior art and the power of a patent—the streaming media case
  • How U.S. intellectual property law differs from IP law of other countries
  • Enforcing your IP rights abroad: Should you bother?
  • How to develop an intellectual property strategy

Dan Appelman (S6) is a lawyer in the Silicon Valley office of a major international law firm. He has been practicing in the areas of cyberspace and software law for many years. He was the lawyer for Berkeley Software Design in the BSDI/UNIX System Laboratories (AT&T) case. Dan is the attorney for the USENIX Association and for many tech companies. He is also founding chair of his firm's Information Technology practice group, is the current chair of the California Bar's Standing Committee on Cyberspace Law, and is a member of the American Bar Association Cyberspace Committee.

Monday, June 28, 2004
M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2) NEW!
Rik Farrow, Security Consultant
10:30 a.m.–6:00 p.m.
Linux/Open Source Security
See Part 1, S1, for the description of the first day of this tutorial.

Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.

The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending the course only the second day, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.

Exercises:

  • Buffer overflows in example C programs
  • Finding hidden files and suid shells
  • Sleuth Kit (looking at intrusion timelines)
  • iptables
  • cfengine configuration

M2 Solaris Internals & Architecture: Performance and Resource Management NEW!
James Mauro and Richard McDougall, Sun Microsystems, Inc.
10:30 a.m.–6:00 p.m.
Coding Sysadmin
Who should attend: System administrators, performance analysts, application architects, database administrators, software developers, and capacity planners. Anyone interested in the overall organization and structure of the Solaris kernel and in discovering how to apply that knowledge to performance tools and resource controls. The course is based on the Solaris 8 and 9 releases, but has applicability to earlier releases. Networking (TCP/IP, STREAMS) facilities and performance are not covered.

As an operating system, Solaris has evolved considerably, with some significant changes made to the UNIX SVR4 source base on which the early system was built. An understanding of how the system is organized is required in order to design and develop applications that take maximum advantage of the various features of the operating system, understand the data made available via bundled system utilities, and optimally configure and tune a Solaris system for a particular application or load.

Topics include:

  • Virtual memory system
  • Virtual file system
  • The multi-threaded process model
  • The kernel dispatcher
  • Scheduling classes
  • Filesystem implementation
  • Resource control facilities
  • Resource management facilities

For each topic, we cover the performance and observability aspects, including relevant bundled commands and utilities and the interpretation of the data they present.

James Mauro (M2) is a Senior Staff Engineer in the Performance and Availability Engineering group at Sun Microsystems. Jim is currently focused on quantifying and improving enterprise platform availability, including minimizing recovery times for data services and Solaris. Jim co-developed a framework for system availability measurement and benchmarking and is working on implementing this framework within Sun.

Richard McDougall (M2) is an established engineer in the Performance Application Engineering group at Sun Microsystems, where he focuses on large systems performance and architecture. He has over twelve years of performance tuning, application/kernel development, and capacity planning experience on many different flavors of UNIX. Richard has written a wide range of papers and tools to measure, monitor, trace, and size UNIX systems, including the memory sizing methodology for Sun, the set of tools known as MemTool to allow fine-grained instrumentation of memory for Solaris, the recent Priority Paging memory algorithms in Solaris, and many of the unbundled tools for Solaris.

M3 Linux Systems Administration
Joshua Jensen, IBM
10:30 a.m.–6:00 p.m.
Linux/Open Source Sysadmin
Who should attend: System administrators who plan to implement a Linux solution in a production environment. Attendees should be familiar with the basics of system administration in a UNIX/Linux environment: user-level commands, administration commands, and TCP/IP networking. Both novices and gurus should leave the tutorial having learned something.

From a single server to a network of workstations, the Linux environment can be daunting for administrators who are knowledgeable on other platforms. Starting with a single server and finishing with a multi-server, 1,000+ user environment, case studies will provide practical information for using Linux in the real world.

Topics include (with an emphasis on security):

  • Installation features
  • Disk partitioning and RAID
  • Networking
  • User accounts
  • Services
  • NFS and NIS
  • Security through packet filtering and SSH
  • New developments (journaling file systems, VPNs, and more)

At the completion of the tutorial, attendees should feel confident in their ability to set up and maintain a secure and useful Linux network. The instructor invites questions during the presentation.

M4 Network Security Profiles: Protocol Threats, Intrusion Classes, and How Hackers Find Exploits NEW!
Brad C. Johnson, SystemExperts Corporation
10:30 a.m.–6:00 p.m.
Networking Security Sysadmin
Who should attend: Administrators, managers, auditors, those being audited, those responsible for responding to intrusions or responsible for network resources that might be targets for crackers, hackers, or determined intruders.

Participants should understand the basics of TCP/IP networking. Examples will use actual tools and will include small amounts of HTML, JavaScript, and Tcl code and show command-line arguments and GUI-based applications.

This tutorial is focused on helping you understand how people profile your network to identify resources that might be vulnerable to attack. Simply put, the more information somebody can generate about your site (by profiling it), the more likely it is that they will be able to exploit something on it. This course will also help you recognize common protocol threats and intrusion classes.

Topics include:

  • Profiling your network and system
    • Methods and tools
    • An example of a profile
  • Intrusions
    • Awareness and statistics
    • Examples of intrusions
    • Common intrusion areas
      • Web servers
      • Web applications
      • Wireless infrastructure
      • Modems
  • Discovery/profiling tools
    • Tools: sscan, typhoon, nessus, dsniff, whisker, Sam Spade, Satan/Saint/Sara, nmap, Paros, cain, Websleuth
    • Understanding protocol tunneling
  • Protocol profiling threats
    • DNS
    • SNMP
    • Issues with handhelds
    • Web infrastructure

Brad C. Johnson (M4) is vice president of SystemExperts Corporation. He has participated in seminal industry initiatives such as the Open Software Foundation, X/Open, and the IETF, and has been published in such journals as Digital Technical Journal, IEEE Computer Society Press, Information Security Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics related to practical network security, penetration analysis, middleware, and distributed systems. He holds a B.A. in computer science from Rutgers University and an M.S. in applied management from Lesley University.

M5 Advanced Perl Programming NEW!
Tom Christiansen, Consultant
10:30 a.m.–6:00 p.m.
Coding Sysadmin
Who should attend: Anyone with a journeyman-level knowledge of Perl programming who wants to hone Perl skills. This class will cover a wide variety of advanced topics in Perl, including many insights and tricks for using these features effectively. After completing this class, attendees will have a much richer understanding of Perl and will be better able to make it part of their daily routine.

Topics include:

  • Symbol tables and typeglobs
    • Symbolic references
    • Useful typeglob tricks (aliasing)
  • Modules
    • Autoloading
    • Overriding built-ins
    • Mechanics of exporting
    • Function prototypes
  • References
    • Implications of reference counting
    • Using weak references for self-referential data structures
    • Autovivification
    • Data structure management, including serialization and persistence
    • Closures
  • Fancy object-oriented programming
    • Using closures and other peculiar referents as objects
    • Overloading of operators, literals, and more
    • Tied objects
  • Managing exceptions and warnings
    • When die and eval are too primitive for your taste
    • The use warnings pragma
    • Creating your own warnings classes for modules and objects
  • Regular expressions
    • Debugging regexes
    • qr// operator
    • Backtracking avoidance
    • Interpolation subtleties
    • Embedding code in regexes
  • Programming with multiple processes or threads
    • The thread model
    • The fork model
    • Shared memory controls
  • Unicode and I/O layers
    • Named Unicode characters
    • Accessing Unicode properties
    • Unicode combined characters
    • I/O layers for encoding translation
    • Upgrading legacy text files to Unicode
    • Unicode display tips
  • What's new in Perl lately
    • Switch statement
    • Defined-or operators
    • Pre-compiled modules
    • Dynamic handles
    • Virtual I/O through strings

Tom Christiansen (M5) has been involved with Perl since day zero of its initial public release in 1987. Author of several books on Perl, including The Perl Cookbook and Programming Perl from O'Reilly, Tom is also a major contributor to Perl's online documentation. He holds undergraduate degrees in computer science and Spanish and a Master's in computer science. He now lives in Boulder, Colorado.

Tuesday, June 29, 2004
T1 Network Security Assessments Workshop—Hands-On (Day 1 of 2) NEW!
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m.–6:00 p.m.
Networking Security Sysadmin
Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment.

How do you test a network for security vulnerabilities? Just plug some IP addresses into a network-scanning tool and click SCAN, right? If only it were that easy. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are fraught with dangers: accidental denial-of-service, false positives, false negatives, and long-winded reporting, to name but a few. Performing a security assessment (a.k.a. vulnerability assessment or penetration test) against a network environment requires preparation, the right tools, methodology, knowledge, and more. This hands-on workshop will cover the essential topics for performing an effective and safe network assessment.

Class exercises will require that students have an x86-based laptop computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD (https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system on a network offering DHCP. Be sure your network card is recognized by KNOPPIX-STD; otherwise you will not be able to participate in most classroom exercises. Wireless access will not be supported during class.

Topics include:

  • Preparation: What you need before you even begin
  • Safety measures: This often-overlooked topic will cover important practical steps to minimize or eliminate adverse effects on critical networks
  • Architecture considerations: Where you scan from affects how you perform the assessment
  • Inventory: Taking an accurate inventory of active systems and protocols on the target network
  • Tools of the trade: Effective use of both freeware and commercial tools, with an emphasis on common pitfalls
  • Automated scanning: Best-of-class tools, with tips (mostly vendor-neutral) on their proper use
  • Research and development: What to do when existing tools don't suffice
  • Documentation and audit trail: How to keep accurate records easily
  • How to compile useful reports: Planning for corrective action and tracking your security measures

Students will practice network assessment on a target network of Windows and UNIX-based servers and various routing components.

Day 1

  • Lab setup and preparation
  • Security assessment overview
    • Types of assessments
    • Choosing an assessment approach
  • Assessment preparation
    • Defining the purpose
    • Rules of engagement
    • Assessment logistics
    • Open vs. closed testing
    • Passive vs. active testing; depth of testing
    • Denial of service (DoS)
    • Enumeration of target information
    • Permission
  • Assessment safety
    • Verification of tool authenticity
    • Vetting tools
    • Safety concepts
    • The dangers of automated scanners
    • Automated tool safety summary
  • Documentation and audit trail
  • Assessment phase 1: network inventory
    • Ping scanning
    • Discrete port scanning (host inventory only)
    • DNS queries
    • Traceroute
    • ARP scanning

Day 2

  • Assessment phase 2: target analysis
    • TCP port scanning
    • UDP port scanning
    • SNMP
  • Assessment phase 3: exploitation and confirmation
    • Automated vulnerability scanning tools
    • (Online) brute-force attacks
    • (Offline) password cracking
    • Manual testing
  • Special consideration testing
    • Firewalls and routers
    • Auditing email servers
    • Web servers
    • Stealth technique summary
  • Vulnerability scanning tools
    • Automated scanning tools
    • Commercial scanners
  • Nessus
    • Nessus Clients
    • Using Nessus

David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore).

T2 Inside the Linux Kernel (Updated for Version 2.6)
Theodore Ts'o, IBM
10:30 a.m.–6:00 p.m.
Coding Linux/Open Source
Who should attend: Application programmers and kernel developers. You should be reasonably familiar with C programming in the UNIX environment, but no prior experience with the UNIX or Linux kernel code is assumed.

This tutorial will give you an introduction to the structure of the Linux kernel, the basic features it provides, and the most important algorithms it employs.

The Linux kernel aims to achieve conformance with existing standards and compatibility with existing operating systems; however, it is not a reworking of existing UNIX kernel code. The Linux kernel was written from scratch to provide both standard and novel features, and it takes advantage of the best practice of existing UNIX kernel designs.

Although the material will focus on the latest release version of the Linux kernel (v. 2.6), it will also address aspects of the development kernel codebase (v. 2.7) where its substance differs from 2.6. It will not contain any detailed examination of the source code but will, rather, offer an overview and roadmap of the kernel's design and functionality.

Topics include:

  • How the kernel is organized (scheduler, virtual memory system, filesystem layers, device driver layers, networking stacks)
    • The interface between each module and the rest of the kernel
    • Kernel support functions and algorithms used by each module
    • How modules provide for multiple implementations of similar functionality
  • Ground rules of kernel programming (races, deadlock conditions)
  • Implementation and properties of the most important algorithms
    • Portability
    • Performance
    • Functionality
  • Comparison between Linux and UNIX kernels, with emphasis on differences in algorithms
  • Details of the Linux scheduler
    • Its VM system
    • The ext2fs filesystem
  • The requirements for portability between architectures

Theodore Ts'o (T2) has been a Linux kernel developer since almost the very beginnings of Linux—he implemented POSIX job control in the 0.10 Linux kernel. He is the maintainer and author for the Linux COM serial port driver and the Comtrol Rocketport driver. He architected and implemented Linux's tty layer. Outside of the kernel, he is also the maintainer of the e2fsck filesystem consistency checker. Ted is a Senior Technical Staff Member of IBM's Linux Technology Center.

T3 Administering Linux in Production Environments
Aeleen Frisch, Exponential Consulting
10:30 a.m.–6:00 p.m.
Linux/Open Source Sysadmin
Who should attend: Both current Linux system administrators and administrators from sites considering converting to Linux or adding Linux systems to their current computing resources. We will be focusing on the administrative issues that arise when Linux systems are deployed to address a variety of real-world tasks and problems arising from both commercial and research and development contexts.

Topics include:

  • Recent kernel developments
  • High-performance I/O
    • Advanced filesystems and logical volumes
    • Disk striping
    • Optimizing I/O performance
  • Advanced compute-server environments
    • Beowulf
    • Clustering
    • Parallelization environments/facilities
    • CPU performance optimization
  • High availability Linux: fault tolerance options
  • Enterprise-wide authentication
  • Fixing the security problems you didn't know you had (or, what's good enough for the researcher/hobbyist won't do for you)
  • Automating installations and other mass operations
  • Linux in the office environment

Aeleen Frisch (T3, W3, R4) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).

T4 Building a Software Security Capability: How to Foster Best Practices in Software Security NEW!
Gary McGraw, Cigital
10:30 a.m.–6:00 p.m.
Coding Security
Who should attend: Software developers who want to improve the security—and salability—of their products. You will learn current best practices and come away with a clear action plan for attacking the software security problem in your organization.

This tutorial explains why the key to proactive computer security is making software behave, and then goes on to tell you how to do it. Microsoft's Trustworthy Computing Initiative, begun in January 2002, has changed the way Microsoft builds software. To date, Microsoft has spent over $500 million (2000 worker years) on their software security push. Given the emerging importance of software security and reliability to high-profile software vendors, you need to figure out what to do about the software you develop.

Topics include:

  • The role of awareness and training (for development staff)
  • The importance of technology choices (language, OS, development tools, testing tools)
  • How to weave security analysis throughout the software development lifecycle
  • Building abuse and misuse cases
  • The role of architectural risk analysis: who, how, and when
  • The role of code review: use of advanced tools
  • Security testing (and how it differs from functional testing)
  • Post facto application security (deployment issues)
  • Measuring return on investment

Gary McGraw (T4), Cigital, Inc.'s CTO, researches software security and sets technical vision in the area of Software Quality Management. Dr. McGraw is co-author of four popular books: Java Security (Wiley, 1996), Securing Java (Wiley, 1999), Software Fault Injection (Wiley, 1998), and Building Secure Software (Addison-Wesley, 2001). His fifth book, Exploiting Software (Addison-Wesley), was released in February 2004. A noted authority on software and application security, Dr. McGraw consults with major software producers and consumers. Dr. McGraw has written over sixty peer-reviewed technical publications and functions as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, Fortify Software, and Indigo Security as well as advising the CS Department at UC Davis. Dr. McGraw holds a dual Ph.D. in Cognitive Science and Computer Science from Indiana University and a B.A. in Philosophy from UVa. He regularly contributes to popular trade publications and is often quoted in national press articles.

T5 System Log Aggregation, Statistics, and Analysis NEW!
Marcus Ranum, Trusecure Corp.
10:30 a.m.–6:00 p.m.
Coding Security Sysadmin
Who should attend: System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems; anyone responsible for security and audit or forensic analysis.

This tutorial covers techniques and software tools for building your own log analysis system, from aggregating all your data in a single place, through normalizing it, searching, and summarizing, to generating statistics and alerts and warehousing it. We will focus primarily on open source tools for the UNIX environment, but will also describe tools for dealing with Windows systems and various devices such as routers and firewalls.

Topics include:

  • Estimating log quantities and log system requirements
  • Syslog: mediocre but pervasive logging protocol
  • Back-hauling your logs
  • Building a central loghost
  • Dealing with Windows logs
  • Logging on Windows loghosts
  • Parsing and normalizing
  • Finding needles in haystacks: searching logs
  • I'm dumb, but it works: artificial ignorance
  • Bayesian spam filters for logging
  • Storage and rotation
  • Databases and logs
  • Leveraging the human eyeball: graphing log data
  • Alerting
  • Legalities of logs as evidence

Marcus Ranum (T5, R5, F5) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.

Wednesday, June 30, 2004
W1 Network Security Assessments Workshop—Hands-On (Day 2 of 2) NEW!
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m.–6:00 p.m.
Networking Security Sysadmin
Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment.

How do you test a network for security vulnerabilities? Just plug some IP addresses into a network-scanning tool and click SCAN, right? If only it were that easy. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are fraught with dangers: accidental denial-of-service, false positives, false negatives, and long-winded reporting, to name but a few. Performing a security assessment (a.k.a. vulnerability assessment or penetration test) against a network environment requires preparation, the right tools, methodology, knowledge, and more. This hands-on workshop will cover the essential topics for performing an effective and safe network assessment.

Class exercises will require that students have an x86-based laptop computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD (https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system on a network offering DHCP. Be sure your network card is recognized by Knoppix-STD; otherwise, you will not be able to participate in most classroom exercises. Wireless access will not be supported during class.

Topics include:

  • Preparation: What you need before you even begin
  • Safety measures: This often-overlooked topic will cover important practical steps to minimize or eliminate adverse effects on critical networks
  • Architecture considerations: Where you scan from affects how you perform the assessment
  • Inventory: Taking an accurate inventory of active systems and protocols on the target network
  • Tools of the trade: Effective use of both freeware and commercial tools, with an emphasis on common pitfalls
  • Automated scanning: Best-of-class tools, with tips (mostly vendor-neutral) on their proper use
  • Research and development: What to do when existing tools don't suffice
  • Documentation and audit trail: How to keep accurate records easily
  • How to compile useful reports: Planning for corrective action and tracking your security measures
Students will practice network assessment on a target network of Windows and UNIX-based servers and various routing components.

Day 1

  • Lab setup and preparation
  • Security assessment overview
    • Types of assessments
    • Choosing an assessment approach
  • Assessment preparation
    • Defining the purpose
    • Rules of engagement
    • Assessment logistics
    • Open vs. closed testing
    • Passive vs. active testing; depth of testing
    • Denial of service (DoS)
    • Enumeration of target information
    • Permission
  • Assessment safety
    • Verification of tool authenticity
    • Vetting tools
    • Safety concepts
    • The dangers of automated scanners
    • Automated tool safety summary
  • Documentation and audit trail
  • Assessment phase 1: network inventory
    • Ping scanning
    • Discrete port scanning (host inventory only)
    • DNS queries
    • Traceroute
    • ARP scanning

Day 2

  • Assessment phase 2: target analysis
    • TCP port scanning
    • UDP port scanning
    • SNMP
  • Assessment phase 3: exploitation and confirmation
    • Automated vulnerability scanning tools
    • (Online) brute-force attacks
    • (Offline) password cracking
    • Manual testing
  • Special consideration testing
    • Firewalls and routers
    • Auditing email servers
    • Web servers
    • Stealth technique summary
  • Vulnerability scanning tools
    • Automated scanning tools
    • Commercial scanners
  • Nessus
    • Nessus Clients
    • Using Nessus

David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore).

W2 Making Your Code Run Faster NEW!
Steve Johnson, Mathworks
10:30 a.m.–6:00 p.m.
Coding
Who should attend: Developers and system programmers who have an interest in making applications run fast(er). Some programming knowledge (C/C++/Java) is desirable, as is an understanding of the primary tasks of an operating system and how it carries them out. The primary focus is on making big, hairy applications run faster, but some mid- and micro-level tuning will be discussed as well. We won't say much about real-time and embedded programs, although there is some relevant overlap with these areas.

Although machines are getting faster, we still seem to spend a lot of time at our computers sitting around waiting for things to get done. It is easy for increased complexity, poor design, and scaling problems to eat up the increased capacity of new hardware. On the other hand, making an application an order of magnitude faster can open up whole new ways to use it.

It is astonishingly difficult to collect data that is valid, repeatable, and also relevant to improving a program's performance. We have seen CPU benchmarks that really measured cache size, memory benchmarks that measured filesystem performance, and network benchmarks that measured the OS. Before tearing a working application to shreds, it is important to have confidence that your rework will really improve performance.

A lot of the class will focus on measurement and analysis methods. For example, measurements with a commercial tool showed that one module in an application was responsible for 25% of the startup time. But when we bypassed that module, the application only got 2% faster. Making sense of observations like these will be one of the major takeaways from the class.

Finally, we will talk about what it takes to engineer and achieve speed improvements, and the kinds of bit rot that can cause slowdowns.

Topics include:

  • What do we mean by performance?
  • How do we measure it?
  • What are the biases in these measurements?
  • Identifying the bottleneck(s)
  • How do bottlenecks arise? Scaling
  • Coding to expose bottlenecks quickly
  • Artificial benchmarks and resource restrictions
  • Caches are ubiquitous: how they fog performance measurement
  • The effect of compiler options, assertions, and debugging
  • Commercial tools: GlowCode, VTune, Quantify, etc.
  • CPU cycle counters: roll your own
  • How to do performance modeling, not benchmarking
  • Clusters and threading and parallelism, oh my!
  • Performance as quality
  • Performance and the development process

Steve Johnson (W2) earned his Ph.D. in Mathematics, but has spent his entire career in computing. He spent nearly 20 years at Bell Labs and AT&T, where he worked on topics as diverse as computer music, psychometrics, and VLSI design, but he is best known for his work on UNIX: Yacc, Lint, the Portable C Compiler, and co-authoring (with Dennis Ritchie) the first AT&T UNIX port. He also ran the UNIX System V language development department for several years in the mid-1980s. In 1986 he went to Silicon Valley, where he was part of a half-dozen or so startup companies, most recently Transmeta. In 2002, he became Senior Fellow at The MathWorks in the Boston area, where he helps determine the evolution and technology of the MATLAB programming language.

W3 Beyond Shell Scripts: 21st-Century Automation Tools and Techniques
Aeleen Frisch, Exponential Consulting
10:30 a.m.–6:00 p.m.
Coding Sysadmin
Who should attend: System administrators who want to explore new ways of automating administrative tasks. Shell scripts are appropriate for many jobs, but more complex operations will often benefit from sophisticated tools.

Topics include:

  • Automating installations
    • Vendor-supplied tools
    • Alternative approaches
    • State-of-the-art package control
    • Heterogeneous environments
  • Mark Burgess's cfengine package
    • Basic and advanced configurations
    • Examples
      • Installations and beyond
      • "Self-healing" system configurations
      • Data collection
      • More
    • Cfengine limitations: when not to use it
  • Other tools
    • Expect: automating interactive processes
      • What to Expect . . .
      • Using Expect with other tools
      • Security issues
    • Amanda, an enterprise backup management facility
      • Prerequisites
      • Configuration
      • Getting the most from Amanda
    • STEM, a new package for automating network operations
      • Understanding the context and tool capabilities
      • Examples
      • Performance and security issues
    • Nagios: monitoring network and device performance
      • How it works
      • Sample configurations
      • Extending Nagios
    • RRDTool: Examining retrospective system data
      • Basic operation
      • Advanced graphing
      • Options for data collection

Aeleen Frisch (T3, W3, R4) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).

W4 Advanced Technology in Sendmail NEW!
Eric Allman, Sendmail, Inc.
10:30 a.m.–6:00 p.m.
Sysadmin
Who should attend: System administrators who want to learn more about the Sendmail program, particularly details of configuration and operational issues. This tutorial assumes that you are already familiar with Sendmail, including installation, configuration, and operation.

In the past few years the face of email has changed dramatically. No longer is it sufficient to use the default configurations, even in single-user systems. Spam, regulation, high loads, and increased concerns about privacy and authentication have caused major changes in sendmail and in the options available to you.

This tutorial is taught by the principal author of Sendmail. Expect a fast-paced tutorial from an instructor who will be able to answer any question you may have.

Topics include:

  • SMTP authentication
  • TLS encryption
  • The Milter (mail filter interface)
  • New policy control interfaces

Eric Allman (W4) is the original author of Sendmail, co-founder and CTO of Sendmail, Inc., and co-author of Sendmail, published by O'Reilly. At U.C. Berkeley, he was the chief programmer on the INGRES database management project, leader of the Mammoth project, and an early contributor to BSD, authoring syslog, tset, the -me troff macros, and trek. Eric designed database user and application interfaces at Britton Lee (later Sharebase) and contributed to the Ring Array Processor project for neural-network-based speech recognition at the International Computer Science Institute. Eric is on the Editorial Review Board of ACM Queue magazine and is a former member of the Board of Directors of the USENIX Association.

W5 System and Network Monitoring: Tools in Depth
John Sellens, Certainty Solutions
10:30 a.m.–6:00 p.m.
Networking Sysadmin
Who should attend: Network and system administrators ready to implement comprehensive monitoring of their systems and networks using the best of the freely available tools. Participants should have an understanding of the fundamentals of networking, familiarity with computing and network components, UNIX system administration experience, and some understanding of UNIX programming and scripting languages.

This tutorial will provide in-depth instruction in the installation and configuration of some of the most popular and effective system and network monitoring tools, including Nagios, Cricket, MRTG, and Orca.

Participants should expect to leave the tutorial with the information needed to immediately implement, extend, and manage popular monitoring tools on their systems and networks.

Topics include, for each of Nagios, Cricket, MRTG, and Orca:

  • Installation—Basic steps, prerequisites, common problems, and solutions
  • Configuration, setup options, and how to manage larger and non-trivial configurations
  • Reporting and notifications—proactive and reactive
  • Special cases—how to deal with interesting problems
  • Extending the tools—how to write scripts or programs to extend the functionality of the basic package
  • Dealing effectively with network boundaries and remote sites
  • Security concerns and access control
  • Ongoing operations

John Sellens (W5) has been involved in system and network administration since 1986 and is the author of several related USENIX papers, a number of ;login: articles, and SAGE booklet #7, System and Network Administration for Higher Reliability. He holds an M.S. in computer science from the University of Waterloo and is a chartered accountant. He is currently the General Manager for Certainty Solutions (formerly known as GNAC) in Toronto. Prior to joining Certainty, John was the Director of Network Engineering at UUNET Canada and was a staff member in computing and information technology at the University of Waterloo for 11 years.

Thursday, July 1, 2004
R1 Hacking & Securing Web-based Applications—Hands-On (Day 1 of 2) NEW!
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m.–6:00 p.m.
Coding Security
Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application.

Is your Web application secure? CD Universe, CreditCard.com, and others have found out the hard way: encryption and firewalls are not enough. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are incapable of locating security issues for Web-based applications.

With numerous real-world examples from the instructor's years of experience with security assessments, this informative and entertaining course is based on fact, not theory. The course material is presented in a step-by-step approach, and will apply to Web portals, e-commerce (B2B or B2C), online banking, shopping, subscription-based services, or any Web-enabled application.

Class exercises will require that students have an x86-based laptop computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD (https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system on a network offering DHCP. Be sure your network card is recognized by Knoppix-STD; otherwise, you will not be able to participate in most classroom exercises. Wireless access will not be supported during class.

Topics include:

  • The primary risks facing Web applications
  • Exposures and vulnerabilities in HTML and JavaScript, authentication, and session tracking
  • Tools, techniques, and methodologies required to locate weaknesses
  • Recommendations for mitigating exposures found
  • Best practices for Web application security
Students will be provided access to several target Web applications. Some of these applications are real applications with known security issues. Others are mock applications designed by Maven Security to simulate real security issues. At each step, the instructor will supply the tools needed and demonstrate the required techniques. All software provided will be publicly available freeware.

Day 1

  • Introduction
    • The problem and root causes
    • Web primer: HTTP and HTML
  • Foundational security
    • OS vulnerabilities
    • Web server security highlights
  • Web server and Web application output
    • HTTP headers
    • HTML and JavaScript
    • Encryption ciphers
    • Error messages
    • Caching
  • Authentication
    • Authentication: digital certificates; form-based; HTTP basic
    • Threats to authentication
  • Sign-on
    • User name harvesting
    • Brute-force password guessing
    • Password harvesting
    • Resource exhaustion

Day 2

  • Session issues
    • Session tracking mechanisms
    • Session ID best practices
    • Session cloning
  • Transaction issues
    • Malicious user input
    • Hidden form elements
    • GET vs. POST
    • JavaScript filters
    • Improper application logic
    • Cross-site scripting (XSS)
  • Third-party products
  • Testing procedures
  • Methodology and safety

David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore).

R2 Implementing LDAP Directories
Gerald Carter, Samba Team/Hewlett-Packard
10:30 a.m.–6:00 p.m.
Sysadmin
Who should attend: Both LDAP directory administrators and architects. The focus is on integrating standard network services with LDAP directories. The examples are based on UNIX hosts and the OpenLDAP directory server and will include actual working demonstrations throughout the course.

System administrators today run a variety of directory services, although these are referred to by names such as DNS and NIS. The Lightweight Directory Access Protocol (LDAP) is the up-and-coming successor to the X.500 directory and has the promise of allowing administrators to consolidate multiple existing directories into one.

Topics include:

  • Replacing NIS domains
  • Integrating Samba user accounts
  • Authenticating RADIUS clients
  • Integrating MTAs such as Sendmail, Qmail, or Postfix
  • Creating address books for mail clients
  • Managing user access to HTTP and FTP services
  • Storing DNS zone information
  • Managing printer information

Gerald Carter (R2, F2) has been a member of the Samba Team since 1998. He has published articles in various Web-based magazines and gives instructional courses as a consultant for several companies. Currently employed by Hewlett-Packard as a Samba developer, Gerald has written books for SAMS Publishing and is the author of the recent LDAP System Administration (O'Reilly & Associates).

R4 But Is It UNIX? A Mac OS X Administrator's Survival Guide NEW!
Aeleen Frisch, Exponential Consulting
10:30 a.m.–6:00 p.m.
BSD Sysadmin
Who should attend: UNIX system administrators who want or need to administer Macintosh systems running Mac OS X and/or Mac OS X Server. Familiarity with standard UNIX system administration concepts and tasks is assumed. No previous Macintosh experience is necessary. Experienced Macintosh users who want to learn about system administration tasks in the Mac OS X environment will also benefit from this course. People very familiar with Mac OS X or with the NeXTSTEP environment will find much of this material to be a review. Note that comparisons with NeXTSTEP will not be made.

Topics include:

  • What is this beast and what's Darwin (and why should I care)?
    • System architecture
  • Basic tasks
    • Installation hints and pitfalls
    • Software packages
    • Startup and shutdown
  • File and file systems
    • File system layout
    • File types: resource forks, applications, etc.
  • User management
    • Users and groups
    • Mac OS X shared domains
    • Managed preferences
  • Networking
    • Client configuration
    • Managing standard TCP/IP daemons: DNS, DHCP, NTP, and so on
    • The Mac OS X multiprotocol environment
    • Rendezvous and its implications
  • Process management and performance
  • Managing funky Mac peripherals and user expectations
  • Mac OS X security architecture and implementation
We will note interactions between the UNIX implementation and the Mac graphical user/administrative environment.

Aeleen Frisch (T3, W3, R4) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).

R5 Intrusion Detection and Prevention Systems
Marcus Ranum, Trusecure Corp.
10:30 a.m.–6:00 p.m.
Security
Who should attend: Network or security managers responsible for an IDS roll-out, security auditors interested in assessing IDS capabilities, security managers involved in IDS product selection.

Overview: This workshop covers the real-world issues you'll encounter as part of doing an intrusion detection roll-out or product selection. Attendees will learn the advantages and disadvantages of popular approaches to Intrusion Detection Systems (IDSes), how to deal with false positives and noise, where to deploy IDSes, how to test them, how to build out-of-band IDS management networks, and how they interact with switches, routers, and firewalls.

Topics include:

  • Technologies
    • IDS and IPS: what they are and how they work
    • Burglar alarms and honeypots—low-rent IDS
    • Misuse detection and anomaly detection
    • False positives, noise, and false alarms
    • Does freeware stack up to the commercial products?
  • Deployment issues
    • Where to place IDS within the network
    • Alert tuning: what it is and how it works
    • How to estimate the size of an IDS deployment
    • How to size and design a logging / management architecture
    • Tools and tricks for logging and event correlation
    • A typical IDS roll-out
    • How to test an IDS for correct function
    • IDS benchmarks: bogus and bogusest
  • Management issues
    • How to justify the expenditures on an IDS to management
    • Cyclical maintenance
    • Alert management procedures
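The two detection approaches and the "alert tuning" step in the outline above can be seen side by side in a few lines of code. This is an added example, not course material; the log lines are constructed, the two signatures and the idea of an in-house scanner at 10.0.0.9 are assumptions for illustration, and the anomaly detector is deliberately the simplest possible baseline (the set of URL paths seen during a quiet training window) so that its false positive on a newly published page is visible.

```python
"""Misuse (signature) detection vs. anomaly detection, plus alert tuning.

Added example. Log lines are constructed in Apache common-log style;
no real host, signature database or IDS product is represented.
"""
import re

# Constructed training window: the site as it looked before the test window.
TRAINING_LINES = [
    '10.0.0.5 - - [01/Jul/2004:09:00:01 -0400] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Jul/2004:09:00:02 -0400] "GET /images/logo.gif HTTP/1.0" 200 2048',
    '10.0.0.8 - - [01/Jul/2004:09:00:03 -0400] "GET /about.html HTTP/1.0" 200 700',
]

# Constructed test window: two attacks, one new legitimate page, normal traffic.
TEST_LINES = [
    '10.0.0.5 - - [01/Jul/2004:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 512',
    '198.51.100.23 - - [01/Jul/2004:10:00:02 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 300',
    '10.0.0.9 - - [01/Jul/2004:10:00:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '10.0.0.5 - - [01/Jul/2004:10:00:04 -0400] "GET /news.html HTTP/1.0" 200 900',
    '10.0.0.5 - - [01/Jul/2004:10:00:05 -0400] "GET /about.html HTTP/1.0" 200 700',
]

# Assumed signatures: a pattern that means "attack" regardless of context.
SIGNATURES = [
    ("unix-passwd-file", re.compile(r"/etc/passwd")),
    ("iis-unicode-traversal", re.compile(r"%c1%1c|%c0%af", re.IGNORECASE)),
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse(line):
    """Return {src, method, path, status} for one common-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m.group(1), "method": m.group(2),
            "path": m.group(3), "status": int(m.group(4))}


def misuse_alerts(lines):
    """Misuse detection: alert on every line that matches a known signature."""
    alerts = []
    for rec in map(parse, lines):
        if rec is None:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append((rec["src"], name))
    return alerts


def anomaly_alerts(training, lines):
    """Anomaly detection: alert on any path not seen in the training window.

    Catches attacks no signature knows about, but also fires on the first
    request for a newly published page (a false positive that tuning must
    absorb or that the baseline must be retrained to include).
    """
    baseline = {rec["path"] for rec in map(parse, training) if rec}
    return [(rec["src"], rec["path"])
            for rec in map(parse, lines) if rec and rec["path"] not in baseline]


def tune(alerts, suppressed_sources):
    """Alert tuning: drop alerts from sources you already know about.

    Here 10.0.0.9 is assumed to be the in-house vulnerability scanner, so its
    noise is suppressed; the external source at 198.51.100.23 is kept.
    """
    return [a for a in alerts if a[0] not in suppressed_sources]


if __name__ == "__main__":
    known_noise = {"10.0.0.9"}
    print("misuse  :", tune(misuse_alerts(TEST_LINES), known_noise))
    print("anomaly :", tune(anomaly_alerts(TRAINING_LINES, TEST_LINES), known_noise))
```

Running it shows the trade-off the outline names: the signature detector produces exactly one alert after tuning and misses nothing it has a rule for, while the anomaly detector also flags the phf request without a rule but additionally reports /news.html, which is simply new content. Both paths hand their output to the same tuning step, which is why the suppression list, not the sensor, is usually where an IDS roll-out succeeds or fails.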

Marcus Ranum (T5, R5, F5) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.

Friday, July 2, 2004
F1 Hacking & Securing Web-based Applications—Hands-On (Day 2 of 2) NEW!
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m.–6:00 p.m.
Coding Security
Who should attend: People who are auditing Web application security, developing Web applications, or managing the development of a Web application.

Is your Web application secure? CD Universe, CreditCard.com, and others have found out the hard way: encryption and firewalls are not enough. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools were not built to find flaws in the application itself, in its authentication, session handling, input validation, or business logic, and those are the flaws this course is about.

With numerous real-world examples from the instructor's years of experience with security assessments, this informative and entertaining course is based on fact, not theory. The course material is presented in a step-by-step approach, and will apply to Web portals, e-commerce (B2B or B2C), online banking, shopping, subscription-based services, or any Web-enabled application.

Class exercises will require that students have an x86-based laptop computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD (https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system on a network offering DHCP. Be sure your network card is recognized by KNOPPIX-STD; otherwise you will not be able to participate in most classroom exercises. Wireless access will not be supported during class.

Topics include:

  • The primary risks facing Web applications
  • Exposures and vulnerabilities in HTML and JavaScript, authentication, and session tracking
  • Tools, techniques, and methodologies required to locate weaknesses
  • Recommendations for mitigating exposures found
  • Best practices for Web application security
Students will be provided access to several target Web applications. Some of these applications are real applications with known security issues. Others are mock applications designed by Maven Security to simulate real security issues. At each step, the instructor will supply the tools needed and demonstrate the required techniques. All software provided will be publicly available freeware.

Day 1

  • Introduction
    • The problem and root causes
    • Web primer: HTTP and HTML
  • Foundational security
    • OS vulnerabilities
    • Web server security highlights
  • Web server and Web application output
    • HTTP headers
    • HTML and JavaScript
    • Encryption ciphers
    • Error messages
    • Caching
  • Authentication
    • Authentication: digital certificates; form-based; HTTP basic
    • Threats to authentication
  • Sign-on
    • User name harvesting
    • Brute-force password guessing
    • Password harvesting
    • Resource exhaustion
Day 2
  • Session issues
    • Session tracking mechanisms
    • Session ID best practices
    • Session cloning
  • Transaction issues
    • Malicious user input
    • Hidden form elements
    • GET vs. POST
    • JavaScript filters
    • Improper application logic
    • Cross-site scripting (XSS)
  • Third-party products
  • Testing procedures
  • Methodology and safety
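Three of the Day 2 items (session ID best practices, session cloning, and hidden form elements under transaction issues) reduce to one rule: never let the client supply anything the server can generate or look up itself. The following is an added example, not course material from Maven Security; the catalog, the server secret, and the two toy session stores are assumptions, and the "attacker" is just a function that tries the neighbours of a numeric session ID, which is all session cloning needs when IDs are sequential.

```python
"""Session ID quality and hidden-form-field tampering (added example).

Nothing here is from the course; the SKU catalog, SECRET and the form
bodies are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs


class WeakSessionStore:
    """Sequential IDs: holding one session lets an attacker enumerate the rest."""

    def __init__(self):
        self._next = 1000
        self.sessions = {}

    def create(self, user):
        sid = str(self._next)
        self._next += 1
        self.sessions[sid] = user
        return sid


class StrongSessionStore:
    """IDs drawn from the OS CSPRNG: 256 bits, so neighbours mean nothing."""

    def __init__(self):
        self.sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid


def guess_neighbours(sid, width=3):
    """What a session-cloning attacker tries against a numeric-looking ID."""
    try:
        n = int(sid)
    except ValueError:
        return []            # nothing to enumerate from a random token
    return [str(n + d) for d in range(-width, width + 1) if d]


def cloned_sessions(store, sid):
    """Other users' live sessions reachable by guessing around `sid`."""
    return [g for g in guess_neighbours(sid) if g in store.sessions]


# Assumed server-side price list, in cents.
CATALOG = {"sku-100": 4999}


def checkout_trusting_client(form_body):
    """Vulnerable: the price comes from a hidden <input name="price">."""
    f = parse_qs(form_body)
    return {"sku": f["sku"][0], "charged": int(f["price"][0])}


def checkout_server_side(form_body):
    """Fixed: only the SKU is taken from the form; the price is looked up."""
    f = parse_qs(form_body)
    sku = f["sku"][0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    return {"sku": sku, "charged": CATALOG[sku]}


# When state genuinely must round-trip through the client, authenticate it.
SECRET = b"assumed-server-side-secret"   # assumption; keep out of source in practice


def sign_field(value):
    mac = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify_field(signed):
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("tampered hidden field")
    return value


if __name__ == "__main__":
    weak = WeakSessionStore()
    ids = [weak.create(u) for u in ("alice", "bob", "carol")]
    print("cloned from bob's weak id:", cloned_sessions(weak, ids[1]))
    strong = StrongSessionStore()
    sid = strong.create("alice")
    strong.create("bob")
    print("cloned from alice's strong id:", cloned_sessions(strong, sid))
    tampered = "sku=sku-100&price=1"
    print("trusting client:", checkout_trusting_client(tampered))
    print("server side    :", checkout_server_side(tampered))
```

The HMAC helper is the compromise for cases such as multi-step forms where the server has no session storage for intermediate values: the field still travels through the browser, but any edit (price, quantity, user ID) is rejected on return. Note that it does not hide the value; if confidentiality matters as well, the value belongs in the session, not in the page.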
David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore).

F2 Managing Samba 2.2 & 3.0
Gerald Carter, Samba Team/Hewlett-Packard
10:30 a.m.–6:00 p.m.
Networking Sysadmin
Who should attend: System administrators who are currently managing Samba servers or are planning to deploy new servers this year. This course will outline the new features of Samba 3.0, including working demonstrations throughout the course session.

Topics include:

  • Providing basic file and print services
  • Upgrading a Samba server from version 2.2 to 3.0
  • Integrating with Windows NT 4.0 and Active Directory authentication services
  • Centrally managing printer drivers for Windows clients
  • Managing NetBIOS network browsing
  • Implementing a Samba primary domain controller along with Samba backup domain controllers
  • Migrating from a Windows NT 4.0 domain to a Samba domain
  • Utilizing account storage alternatives to smbpasswd such as LDAP
  • Making use of Samba VFS modules for features such as virus scanning and a network recycle bin
Gerald Carter (R2, F2) has been a member of the Samba Team since 1998. He has published articles in various Web-based magazines and gives instructional courses as a consultant for several companies. Currently employed by Hewlett-Packard as a Samba developer, Gerald has written books for SAMS Publishing and is the author of the recent LDAP System Administration (O'Reilly & Associates).

F4 System and Network Performance Tuning
Marc Staveley, Soma Networks
10:30 a.m.–6:00 p.m.
Networking Sysadmin
Who should attend: Novice and advanced UNIX system and network administrators, and UNIX developers concerned about network performance impacts. A basic understanding of UNIX system facilities and network environments is assumed.

We'll examine the virtual memory system, the I/O system and the file system, NFS tuning and performance strategies, common network performance problems, examples of network capacity planning, and application issues. We'll also cover guidelines for capacity planning and customized monitoring based on your workloads and traffic patterns. Analysis periods for particular situations will be provided.

Topics include:

  • Performance tuning strategies
  • Server tuning
    • Filesystem and disk tuning
    • Memory consumption and swap space
    • System resource monitoring
    • NFS issues
    • Automounter and other tricks
  • Network performance, design, and capacity planning
  • Application tuning
    • System resource usage
    • Memory allocation
    • Code profiling
    • Job scheduling and queuing
    • Real-time issues
    • Managing response time
Marc Staveley (F4) works with Soma Networks, where he is applying his many years of experience with UNIX development and administration in leading their IT group. Previously Marc had been an independent consultant and also held positions at Sun Microsystems, NCR, Princeton University, and the University of Waterloo. He is a frequent speaker on the topics of standards-based development, multi-threaded programming, system administration, and performance tuning.

F5 Defeating Junk/Spam Email NEW!
Marcus Ranum, Trusecure Corp.
10:30 a.m.–6:00 p.m.
Sysadmin
Who should attend: Network and system administrators responsible for email systems; people who are annoyed by junk email; mail server administrators; senior managers who want to understand the technologies for blocking junk email. Some familiarity with Internet email systems is recommended. Familiarity with UNIX system administration is a must.

Is unplugging from the network the only way to avoid junk email? Many organizations are finding that junk email is a major time-waster and performance hog. Some individuals are finding that, every morning, 95% of their inbox is garbage.

This workshop covers real-world issues in dealing with junk email, and how to block a significant percentage of it from your personal or corporate network. Attendees will learn the various techniques of junk email blocking, the tools that are available, and the advantages and disadvantages of various approaches. We will also examine a number of popular tools in detail, and discuss configuration and tuning issues.

Topics include:

  • Junk email: you know what it is when you get it
  • Whitelisting, blacklisting, and blackholing
    • Early attempts at junk email blocking
    • The state of the art in junk email blocking
  • Tools and techniques
    • Setting up a centralized junk email blocking system
    • Integrating junk email blocking into various mail clients
    • Integrating junk email blocking into various servers
    • Legalities and legal initiatives
Marcus Ranum (T5, R5, F5) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.


Last changed: 17 June 2004 ch