W1 Network Security Assessments WorkshopHands-On (Day 2 of 2)
Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment.
David Rhoades, Maven Security Consulting, Inc.
10:30 a.m.6:00 p.m.
How do you test a network for security vulnerabilities? Just plug
some IP addresses into a network-scanning tool and click SCAN,
right? If only it were that easy. Numerous commercial and freeware tools assist
in locating network-level security vulnerabilities. However, these
tools are fraught with dangers: accidental denial-of-service,
false positives, false negatives, and long-winded reporting, to name but
a few. Performing a security assessment (a.k.a. vulnerability assessment
or penetration test) against a network environment requires
preparation, the right tools, methodology, knowledge, and more.
This hands-on workshop will cover the essential topics for performing
an effective and safe network assessment.
Class exercises will require that students have an x86-based laptop
computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet
network card. Please download a copy of KNOPPIX-STD
(http://www.knoppix-std.org), burn it to a CD-R, and try to boot your system
on a network offering DHCP. Be sure your network card is recognized by
Knoppix-STD, otherwise you will not be able to participate in most classroom
exercises. Wireless access will not be supported during class.
Students will practice network assessment on a target network of Windows and UNIX-based servers and various routing components.
- Preparation: What you need before you even begin
- Safety measures: This often-overlooked topic will cover important
practical steps to minimize or eliminate adverse effects on critical networks
- Architecture considerations: Where you scan from affects how you perform the assessment
- Inventory: Taking an accurate inventory of active systems and protocols
on the target network
- Tools of the trade: Effective use of both freeware and commercial tools, with an emphasis on common pitfalls
- Automated scanning: Best-of-class tools, with tips (mostly vendor-neutral) on their proper use
- Research and development: What to do when existing tools don't suffice
- Documentation and audit trail: How to keep accurate records easily
- How to compile useful reports: Planning for corrective action and tracking your security measures
- Lab setup and preparation
- Security assessment overview
- Types of assessments
- Choosing an assessment approach
- Assessment preparation
- Defining the purpose
- Rules of engagement
- Assessment logistics
- Open vs. closed testing
- Passive vs. active testing; depth of testing
- Denial of service (DoS)
- Enumeration of target information
- Assessment safety
- Verification of tool authenticity
- Vetting tools
- Safety concepts
- The dangers of automated scanners
- Automated tool safety summary
- Documentation and audit trail
- Assessment phase 1: network inventory
- Ping scanning
- Discrete port scanning (host inventory only)
- DNS queries
- ARP scanning
David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security
Consulting, Inc. Since 1996, David has provided information protection services
for various FORTUNE 500 customers. His work has taken him across the US
and abroad to Europe and Asia, where he has lectured and consulted in
various areas of information security. David has a B.S. in computer
engineering from the Pennsylvania State University and is an instructor
for the SANS Institute, the MIS Training Institute, and Sensecurity
(based in Singapore).
- Assessment phase 2: target analysis
- TCP port scanning
- UDP port scanning
- Assessment phase 3: exploitation and confirmation
- Automated vulnerability scanning tools
- (Online) brute-force attacks
- (Offline) password cracking
- Manual testing
- Special consideration testing
- Firewalls and routers
- Auditing email servers
- Web servers
- Stealth technique summary
- Vulnerability scanning tools
- Automated scanning tools
- Commercial scanners
- Nessus Clients
- Using Nessus
W2 Making Your Code Run Faster
Who should attend: Developers and system
programmers who have an interest in making applications run fast(er).
Some programming knowledge (C/C++/Java) is desirable, as is an understanding
of the primary tasks of an operating system and how it carries them out. The primary focus is on making big,
hairy applications run faster, but some mid- and micro-level tuning will be
discussed as well. We won't say much about real-time and embedded
programs, although there is some relevant overlap with these areas.
Steve Johnson, Mathworks
10:30 a.m.6:00 p.m.
Although machines are getting faster, we still seem to spend a lot
of time at our computers sitting around waiting for things to get
done. It is easy for increased complexity, poor design, and scaling
problems to eat up the increased capacity of new hardware. On the
other hand, making an application an order of magnitude faster can
open up whole new ways to use it.
It is astonishingly difficult to collect data that is valid,
repeatable, and also relevant to improving a program's
performance. We have seen CPU benchmarks that really measured
cache size, memory benchmarks that measured filesystem
performance, and network benchmarks that measured the OS. Before
tearing a working application to shreds, it is important to have
confidence that your rework will really improve performance.
A lot of the class will focus on measurement and analysis methods.
For example, measurements with a commercial tool showed that one
module in an application was responsible for 25% of the startup
time. But when we bypassed that module, the application only got
2% faster. Making sense of observations like these will be one of
the major takeaways from the class.
Finally, we will talk about what it takes to engineer and achieve
speed improvements, and the kinds of bit rot that can cause slowdowns.
Steve Johnson (W2) earned his Ph.D. in Mathematics, but has spent his entire career in computing. He spent nearly 20 years at Bell Labs and AT&T, where he
worked on topics as diverse as computer music, psychometrics, and VLSI
design, but he is best known for his work on UNIX: Yacc, Lint, the Portable C
Compiler, and co-authoring (with Dennis Ritchie) the first AT&T UNIX port.
He also ran the UNIX System V language development department for several
years in the mid-1980s. In 1986 he went to Silicon Valley, where he was part of a half-dozen or so
startup companies, most recently Transmeta. In 2002, he became Senior
Fellow at The MathWorks in the Boston area, where he helps determine the
evolution and technology of the MATLAB programming language.
- What do we mean by performance?
- How do we measure it?
- What are the biases in these measurements?
- Identifying the bottleneck(s)
- How do bottlenecks arise? Scaling
- Coding to expose bottlenecks quickly
- Artificial benchmarks and resource restrictions
- Caches are ubiquitous: how they fog performance measurement
- The effect of compiler options, assertions, and debugging
- Commercial tools: GlowCode, VTune, Quantify, etc.
- CPU cycle counters: roll your own
- How to do performance modeling, not benchmarking
- Clusters and threading and parallelism, oh my!
- Performance as quality
- Performance and the development process
W3 Beyond Shell Scripts: 21st-Century Automation Tools and Techniques
Who should attend: System administrators who want to explore new
ways of automating administrative tasks. Shell scripts are
appropriate for many jobs, but more complex operations will
often benefit from sophisticated tools.
Aeleen Frisch, Exponential Consulting
10:30 a.m.6:00 p.m.
Aeleen Frisch (T3, W3, R4) has been a system administrator for over 20 years. She currently
looks after a pathologically heterogeneous network of UNIX and Windows
systems. She is the author of several books, including Essential
System Administration (now in its 3rd edition).
- Automating installations
- Vendor-supplied tools
- Alternative approaches
- State-of-the-art package control
- Heterogeneous environments
- Mark Burgess's cfengine package
- Basic and advanced configurations
- Installations and beyond
- "Self-healing" system configurations
- Data collection
- Cfengine limitations: when not to use it
- Other tools
- Expect: automating interactive processes
- What to Expect . . .
- Using Expect with other tools
- Security issues
- Amanda, an enterprise backup management facility
- Getting the most from Amanda
- STEM, a new package for automating network operations
- Understanding the context and tool capabilities
- Performance and security issues
- Nagios: monitoring network and device performance
- How it works
- Sample configurations
- Extending Nagios
- RRDTool: Examining retrospective system data
- Basic operation
- Advanced graphing
- Options for data collection
W4 Advanced Technology in Sendmail
Who should attend: System administrators who want to learn more about the
Sendmail program, particularly details of configuration and operational
issues. This tutorial assumes that you are already familiar with Sendmail,
including installation, configuration, and operation.
Eric Allman, Sendmail, Inc.
10:30 a.m.6:00 p.m.
In the past few years the face of email has changed dramatically. No
longer is it sufficient to use the default configurations, even in
single-user systems. Spam, regulation, high loads, and increased concerns
about privacy and authentication have caused major changes in sendmail and
in the options available to you.
This tutorial is taught by the principal author of Sendmail. Expect a
fast-paced tutorial from an instructor who will be able to answer any question
you may have.
Eric Allman (W4) is the original author of Sendmail, co-founder and CTO of
Sendmail, Inc., and co-author of Sendmail, published by O'Reilly. At
U.C. Berkeley, he was the chief programmer on the INGRES database
management project, leader of the Mammoth project, and an early
contributer to BSD, authoring syslog, tset, the -me troff macros, and
trek. Eric designed database user and application interfaces at
Britton Lee (later Sharebase) and contributed to the Ring Array
Processor project for neural-network-based speech recognition at the
International Computer Science Institute. Eric is on the Editorial
Review Board of ACM Queue magazine and is a former member of the Board
of Directors of the USENIX Association.
- SMTP authentication
- TLS encryption
- The Milter (mail filter interface)
- New policy control interfaces
W5 System and Network Monitoring: Tools in Depth
Who should attend: Network and system administrators ready to
implement comprehensive monitoring of their systems and networks
using the best of the freely available tools. Participants should
have an understanding of the fundamentals of networking, familiarity
with computing and network components, UNIX system administration
experience, and some understanding of UNIX programming and scripting
John Sellens, Certainty Solutions
10:30 a.m.6:00 p.m.
This tutorial will provide in-depth instruction in the installation
and configuration of some of the most popular and effective system
and network monitoring tools, including Nagios, Cricket, MRTG, and
Participants should expect to leave the tutorial with the information
needed to immediately implement, extend, and manage popular monitoring
tools on their systems and networks.
Topics include, for each of Nagios, Cricket, MRTG, and Orca:
John Sellens (W5) has been involved in system and network administration
since 1986 and is the author of several related USENIX papers, a
number of ;login: articles, and SAGE booklet #7, System and Network
Administration for Higher Reliability. He holds an M.S. in computer
science from the University of Waterloo and is a chartered accountant.
He is currently the General Manager for Certainty Solutions (formerly
known as GNAC) in Toronto. Prior to joining Certainty, John was
the Director of Network Engineering at UUNET Canada and was a staff
member in computing and information technology at the University
of Waterloo for 11 years.
- InstallationBasic steps, prerequisites, common problems, and solutions
- Configuration, setup options, and how to manage larger and non-trivial configurations
- Reporting and notificationsproactive and reactive
- Special caseshow to deal with interesting problems
- Extending the toolshow to write scripts or programs to extend the functionality of the basic package
- Dealing effectively with network boundaries and remote sites
- Security concerns and access control
- Ongoing operations