Check out the new USENIX Web site.
FedWeek '11 Banner

Tuesday, June 14

Wednesday, June 15

Thursday, June 16

Friday, June 17

TRAINING PROGRAM

Overview | Tuesday | Wednesday | Thursday | Friday

Attendees, please note: If you join the tutorial late, we ask that you refrain from asking the instructor to review the material that you missed.

  Tuesday, June 14, 2011

SECURING LINUX SERVERS Farrow
Salon A

Rik Farrow, Security Consultant

Who should attend: Linux system administrators and security managers familiar with Linux sysem administration, whether you manage a handful or clusters of Linux systems.

Linux servers start out very secure—it's what you do with them when you use them that can create insecurities. A straight Linux server install runs minimal services, has few users, and has a firewall that is very restrictive, which is a great security posture but is rather useless for most purposes. As users are added, services enabled, and holes punched through the firewall, the security can quickly deteriorate.

This class shows you how to maintain a strong security posture by minimizing risks through careful configuration and proper use of Linux tools and services. Linux contains tools and software that can be enabled to slow brute-force attacks against user accounts, can notice when your accounts have weak passwords or are under attack, can keep services and software up-to-date, and can sandbox applications to prevent even zero-day attacks. The class will cover what you need to know to secure new and existing Linux servers, with a particular focus on attacks most recently seen, including attacks on mail and Web servers.

This class includes exercises that will be performed using a provided VM.

Take back to work: Techniques for securing and maintaining Linux servers.

Topics include:

  • Minimizing risk
  • User accounts
    • Controlling remote access
    • Passwords
    • Cracking
  • File permissions
    • SELinux
  • Minimizing services
    • Identifying services
  • Firewall
  • Monitoring logfiles
  • Checking public services
  • Updates and configuration management

Rik Farrow began working with UNIX system security in 1984 and with TCP/IP networks in 1988. He taught his first security class in 1987 and started teaching internationally the following year. He has been a consultant since 1980 and has advised both firewall and intrusion detection companies in the design of their products. Rik has published two books, one on UNIX security and the other on system administration. He designed a five-day, hands-on class in Internet security for internal use by the Department of Defense. He wrote the "Network Defense" column for Network magazine for over six years and is currently the editor of ;login:, the USENIX magazine. Rik lives with his wife in the high desert of northern Arizona, where he continues to work and research, and still ventures out to teach.

  Wednesday, June 15, 2011

SELINUX (SECURITY-ENHANCED LINUX) Farrow
Salon C

Rik Farrow, Security Consultant

Who should attend: Linux system administrators and security managers who want or are required to use SELinux. Participants must be familiar with Linux system administration; previous frustration with SELinux is expected but not required.

SELinux provides an extra layer of security for most Linux systems—if you leave it enabled. Most commonly, SELinux gets disabled as the first step when debugging system problems, even when it is not the problem. SELinux can stop many attacks, even previously unknown (zero-day) attacks, as it confines applications' access to files, directories, commands, and network sockets.

This class will show you how to work with SELinux: how to determine if SELinux is blocking an application and how to adjust policy to move beyond problems. SELinux includes many tools for viewing audit logs, file and process contexts, modifying policy, and even interpreting log messages, and you will learn how to use these tools. You will learn how to modify file contexts, add new policy, monitor logs both graphically and in text-only mode, and, most importantly, how to recover full SELinux coverage on systems where it has been disabled. The class will cover reading and modifying existing policy where necessary, so that changes to services, such as non-standard directory locations, are accommodated. The class will also investigate adding new, custom services to SELinux policy.

This class includes exercises that will be performed using a provided VM.

Take back to work: The ability to run Linux servers and desktops with SELinux enabled and to modify policy to handle configurations not supported by the default policy.

Topics include:

  • SELinux uncloaked
    • Types, contexts, and roles
    • Context-based policy
    • Extensions to familiar commands
    • Using the sandbox command
  • Using the audit file
    • Tools for deciphering audit messages
    • Searching audit messages
    • Using setroubleshoot
  • Adjusting file/directory context
    • Fixing common access problems
  • Using Booleans to adjust policy
  • Extending policy
    • Using audit2allow to correct policy
    • Using sepolgen to create new policies
    • SELinux rule syntax
    • Understanding and using interfaces

Rik Farrow began working with UNIX system security in 1984 and with TCP/IP networks in 1988. He taught his first security class in 1987 and started teaching internationally the following year. He has been a consultant since 1980 and has advised both firewall and intrusion detection companies in the design of their products. Rik has published two books, one on UNIX security and the other on system administration. He designed a five-day, hands-on class in Internet security for internal use by the Department of Defense. He wrote the "Network Defense" column for Network magazine for over six years and is currently the editor of ;login:, the USENIX magazine. Rik lives with his wife in the high desert of northern Arizona, where he continues to work and research, and still ventures out to teach.


VMWARE VCLOUD OVERVIEW AND DESIGN CONSIDERATIONS Lin Arrasjid
Salon D

John Arrasjid and Ben Lin, VMware

Who should attend: System administrators and architects who are interested in deploying a VMware vCloud. Experience with VMware vSphere, VMware Chargeback, and Distributed Virtual Switches is a preferred prerequisite to this class.

VMware vCloud is a suite of VMware technologies used to stand up cloud computing environments (public/private/hybrid and on/off premises). VMware vCloud provides multi-tenancy, resource elasticity, segmentation of resources, and provisioning mechanisms through the use of VMware vCloud Director, vShield, vCenter Chargeback, vCloud Connector, and other technologies. This is a vendor-specific tutorial.

An overview of the technology, design, and implementation and management will be covered in a concise manner. Demonstrations of various aspects will be included throughout the session.

Take back to work: The knowledge needed to deploy a VMware Cloud for use as an enterprise private cloud.

Topics include:

  • VMware vCloud core concepts and features
  • VMware vCloud design considerations
  • VMware vCloud design patterns and best practices
  • Demonstration of features
  • Example low-cost solutions for standing up a vCloud environment (time permitting)

John Y. Arrasjid is a Principal Architect at VMware, specializing in cloud computing, virtualization, business continuity, and disaster recovery. John has written Cloud Computing with VMware vCloud Director, Foundation for Cloud Computing with VMware vSphere 4, and Deploying the VMware Infrastructure, all published by the USENIX Association, where he currently is a Board of Directors member at large. John regularly presents at VMworld, VMware Partner Exchange, and USENIX conferences. He is a VMware Certified Professional and one of the first VMware Certified Design Experts (VCDX 001). John holds a Bachelor of Science in Computer Science from SUNY at Buffalo, NY. He can be followed on Twitter at http://twitter.com/vcdx001.

Ben Lin is a Senior Consultant in the VMware Cloud Services Group. He has been closely involved with VMware vCloud Director (vCD) cloud solutions and services ever since the early implementations of vCD. Ben is a co-author of the USENIX Short Topics Series book Cloud Computing with VMware vCloud Director. He has been with VMware for 3 years, has been a developer and active participant in VMworld sessions and labs, and has presented at USENIX LISA. He is VCDX and VCP4 certified.

  Thursday, June 16, 2011

LINUX PERFORMANCE TUNING Ts'o
Salon C

Theodore Ts'o, Google

Who should attend: Intermediate and advanced Linux system administrators who want to understand their systems better and get the most out of them.

The Linux operating system is commonly used in both the data center and for scientific computing applications; it is used in embedded systems as small as a wristwatch, as well as in large mainframes. As a result, the Linux system has many tuning knobs, so that it can be optimized for a wide variety of workloads. Some tuning of the Linux operating system has been done "out of the box" by enterprised-optimized distributions, but there are still many opportunities for a system administrator to improve the performance of his or her workloads on a Linux system.

This class will cover the tools that can be used to monitor and analyze a Linux system, and key tuning parameters to optimize Linux for specific server applications, covering the gamut from memory usage to filesystem and storage stacks, networking, and application tuning.

Take back to work: The ability to hone your Linux systems for the specific tasks they need to perform.

Topics include:

  • Strategies for performance tuning
    • Characterizing your workload's requirements
    • Finding bottlenecks
    • Tools for measuring system performance
  • Memory usage tuning
  • Filesystem and storage tuning
  • NFS performance tuning
  • Network tuning
    • Latency vs. throughput
    • Capacity planning
  • Profiling
  • Memory cache and TLB tuning
  • Application tuning strategies

Theodore Ts'o has been a Linux kernel developer since almost the very beginnings of Linux: he implemented POSIX job control in the 0.10 Linux kernel. He is the maintainer and author of the Linux COM serial port driver and the Comtrol Rocketport driver, and he architected and implemented Linux's tty layer. Outside of the kernel, he is the maintainer of the e2fsck filesystem consistency checker. Ted is currently employed by Google.


SANS SECURITY 464: HACKER DETECTION FOR SYSTEMS ADMINISTRATORS Shewmaker
Salon G

James Shewmaker, SANS

Who should attend: System administrators and the security teams that lead them.

System administrators are at the front line of any security architecture. They also know the systems that they manage on a daily basis better than anyone else. However, most system administrators are not security professionals. Making the assumption that they are often leads to many of the security-related issues organizations face today.

This course is not designed to make a system administrator into a security geek. Rather, it will help them better understand what is required by security teams and auditors and to turn into the human sensors for malicious activity. The course also focuses strongly on developing skills with the tools and techniques that a system administrator would need to meet audit and security requirements in as efficient a manner as possible.

This class provides the tools and techniques to bridge the gap and help system administrator teams meet the needs of security and audit teams—and still do their day jobs.

Take back to work: The knowldege of how to detect intrusions using open-source tools and human discriminators.

Topics include:

  • Why bad things happen to good system administrators: 5 common misconfigurations and mistakes that lead to a system being compromised
  • Security methodology and thought process in daily system administration activities
  • A sysadmin's view of what matters in systems architectures
  • Security monitoring: Not knowing makes the auditors and hackers happy
  • The hard part: Knowing what is normal for Windows and UNIX systems
  • The harder part: Knowing what is abnormal for Windows and UNIX systems
  • Hardening Windows and UNIX systems is easier than you thought
  • Command-line kung fu for UNIX and Windows
  • Understanding network traffic for system administrators
  • Malware: Why it is still effective in your environment

James Shewmaker has over 15 years experience in IT, primarily developing appliances for automation and security for broadcast radio, Internet, and satellite devices. He is one of the first GIAC Platinum certified Malware (GSM) experts. James is a founder and active consultant for Bluenotch Corporation, which focuses on investigations, assessments, penetration testing, and analysis. He has contributed to the courseware in various SANS courses including "Security Essentials" and "Reverse Engineering Malware: Advanced Techniques." James started the Netwars project in 2009, a capture the flag challenge for the US Cyber Challenge, and continues to design, build, and operate custom attack and defense scenarios.

  Friday, June 17, 2011

INTRODUCTION TO AUTOMATING SYSTEM ADMINISTRATION WITH CFENGINE 3 Tsalolikhin
Salon C

Aleksey Tsalolikhin, Cfengine Enthusiast

Who should attend: Anyone with a basic knowledge of system administration who is interested in increasing efficiency by automating system configuration, change management, and knowledge management; anyone who knows Cfengine 2 and wants a jumpstart on Cfengine 3.

Cfengine is the granddaddy of policy-based configuration management systems, and Cfengine version 3 increases the power and flexibility of managing network-attached computers.

Take back to work: A thorough grounding in automated system administration and configuration using Cfengine v3, and the ability to implement configuration policies on your systems.

Topics include:

  • History, design principles, and philosophy of Cfengine
    • Convergence
    • The Promise model
  • Basic Cfengine grammar
    • Promise bundles
    • Promise bodies
  • Cfengine 3 data types
    • Strings, integers, and reals
    • Lists of strings, integers, and reals
  • Cfengine 3 patterns
    • Classes
    • Regexes
    • Lists
  • The importance of abstraction for knowledge management
  • Demonstration: deployment, configuration, and integration of a multi-tier Web app in the Amazon EC2 cloud

Aleksey Tsalolikhin has been administering UNIX systems for over 12 years, including 7 years at EarthLink during its growth from 1,000 to 5,000,000 users. Wrangling EarthLink's server farms by hand, Aleksey developed an abiding interest in configuration management. He has been using Cfengine for 5 years. Aleksey was born in a country that does not exist anymore.


SANS SECURITY 464: HACKER DETECTION FOR SYSTEMS ADMINISTRATORS Shewmaker
Salon G

James Shewmaker, SANS

Who should attend: System administrators and the security teams that lead them.

System administrators are at the front line of any security architecture. They also know the systems that they manage on a daily basis better than anyone else. However, most system administrators are not security professionals. Making the assumption that they are often leads to many of the security-related issues organizations face today.

This course is not designed to make a system administrator into a security geek. Rather, it will help them better understand what is required by security teams and auditors and to turn into the human sensors for malicious activity. The course also focuses strongly on developing skills with the tools and techniques that a system administrator would need to meet audit and security requirements in as efficient a manner as possible.

This class provides the tools and techniques to bridge the gap and help system administrator teams meet the needs of security and audit teams—and still do their day jobs.

Take back to work: The knowldege of how to detect intrusions using open-source tools and human discriminators.

Topics include:

  • Why bad things happen to good system administrators: 5 common misconfigurations and mistakes that lead to a system being compromised
  • Security methodology and thought process in daily system administration activities
  • A sysadmin's view of what matters in systems architectures
  • Security monitoring: Not knowing makes the auditors and hackers happy
  • The hard part: Knowing what is normal for Windows and UNIX systems
  • The harder part: Knowing what is abnormal for Windows and UNIX systems
  • Hardening Windows and UNIX systems is easier than you thought
  • Command-line kung fu for UNIX and Windows
  • Understanding network traffic for system administrators
  • Malware: Why it is still effective in your environment

James Shewmaker has over 15 years experience in IT, primarily developing appliances for automation and security for broadcast radio, Internet, and satellite devices. He is one of the first GIAC Platinum certified Malware (GSM) experts. James is a founder and active consultant for Bluenotch Corporation, which focuses on investigations, assessments, penetration testing, and analysis. He has contributed to the courseware in various SANS courses including "Security Essentials" and "Reverse Engineering Malware: Advanced Techniques." James started the Netwars project in 2009, a capture the flag challenge for the US Cyber Challenge, and continues to design, build, and operate custom attack and defense scenarios.

?Need help? Use our Contacts page.

Last changed: 7 June 2011 jp