2001 USENIX Annual Technical Conference, June 25-30, 2001, Boston, MA

Wednesday, June 27, 2001

W1 Running Web Servers Securely  NEW
Rik Farrow, Consultant

W2 Hacking Exposed: LIVE!
George Kurtz and Stuart McClure, Foundstone, Inc.

W3 Inside the Linux Kernel
Ted Ts'o, VA Linux Systems

W4 Network Programming with Perl  NEW
Lincoln Stein, Perl hacker

W5 Cryptographic Algorithms Revealed
Greg Rose, Qualcomm

W6 System and Network Performance Tuning
Marc Staveley, Soma Networks

W7 Configuring and Administering Samba Servers
Gerald Carter, VA Linux Systems

W8 Computer Crime: Investigating Computer-Based Evidence  NEW
Steve Romig, Ohio State University

W9 Solaris Internals: Architecture, Tips, and Tidbits
Richard McDougall and James Mauro, Sun Microsystems, Inc.

W10 Panning for Gold: What System Logs Tell You About Your Network Security  NEW
Tina Bird, Counterpane Internet Security


W1 Running Web Servers Securely NEW
Rik Farrow, Consultant

Who should attend: Web server administrators, managers, and security consultants who manage or audit Web servers. We will examine every aspect of Web server security, from configuration and file permissions to scripting. At the end of this class, you will have learned how to harden a UNIX system for use as a Web server, configure Apache correctly for tightest security, write and audit Perl scripts for common weaknesses, and use the safest techniques for remote administration of Web servers.

Web servers are among the favorite targets of attackers: they must be exposed to be useful, and once breached they often provide a path to internal servers. While misconfiguration of the Web server can provide a way in, CGI programming has been exploited so often that there are tools designed specifically to look for weaknesses in CGI scripts.

You will learn about securing Web servers through the examples of others who were not so careful. The class begins with an in-depth description of a famous hack of a Linux server running Apache. We will look at tools for scanning Web servers, such as Whisker, that look for common mistakes, and we'll take a look at other legendary mistakes in CGI scripts. You will learn the role of Perl's taint mechanism in uncovering flaws in script design. We will explore Java's servlet mechanism and see how Java's security mechanisms can provide an additional layer of security.

Topics include:

  • HTTP protocol
  • The difference between GET and POST
  • Hidden and browser variables
  • How attackers fake requests
  • Hardening the base operating system
  • Use of firewalls to control access
  • Secure configuration of Apache
  • Safe use of modules
  • Auditing Perl CGI scripts
  • Use of Java servlets
  • Scanning tools
  • Monitoring logs for security
  • Remote administration technique
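The first four topics above (the protocol, GET versus POST, hidden variables, and faked requests) can be shown in one added example. This is editorial illustration code, not material from the tutorial. It assembles a raw POST exactly as a browser would send it from a form carrying a hidden `price` field, then assembles the same request with the value changed, which is all an attacker needs to do. The catalogue, SKU names and prices are constructed. The vulnerable handler believes the hidden field; the hardened handler treats every submitted field as untrusted until it matches a whitelist, which is the discipline Perl's taint mode enforces, and takes the price only from server-side data.

```python
import re
from urllib.parse import parse_qs

# Constructed catalogue: the server's own data is the only trustworthy source of a price.
CATALOGUE = {"sku-1001": 4999, "sku-1002": 12500}      # prices in cents


def build_post(path, body):
    """Assemble a raw HTTP/1.0 POST. An attacker needs nothing more than this
    (or netcat) to send whatever 'hidden' values they like."""
    return (f"POST {path} HTTP/1.0\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n"
            f"{body}")


def parse_request(raw):
    """Split a raw request into (method, path, headers, form), as a CGI front end would."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    form = {k: v[0] for k, v in parse_qs(body[:length]).items()}
    return method, path, headers, form


def vulnerable_order(form):
    """The classic CGI mistake: the hidden 'price' field is believed as sent."""
    return int(form["price"]) * int(form["qty"])


# Whitelists: a field stays 'tainted' until it matches one of these, the same idiom
# Perl's taint mode forces on you before tainted data may reach anything sensitive.
SKU_RE = re.compile(r"^[a-z]+-[0-9]{4}$")
QTY_RE = re.compile(r"^[1-9][0-9]{0,2}$")


def hardened_order(form):
    """Validate every submitted field; the price is looked up, never read from the client."""
    sku = form.get("sku", "")
    qty = form.get("qty", "")
    if not SKU_RE.match(sku) or not QTY_RE.match(qty):
        raise ValueError("rejected tainted input")
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    return CATALOGUE[sku] * int(qty)     # whatever 'price' the client sent is ignored


if __name__ == "__main__":
    honest = build_post("/cgi-bin/order", "sku=sku-1001&qty=1&price=4999")
    forged = build_post("/cgi-bin/order", "sku=sku-1001&qty=1&price=1")
    for raw in (honest, forged):
        _, _, _, form = parse_request(raw)
        print(form, "vulnerable:", vulnerable_order(form), "hardened:", hardened_order(form))
```

Run stand-alone, the forged request charges one cent in the vulnerable handler and the real price in the hardened one; the same point holds for cookies, Referer headers and any other "browser variable", since all of them arrive in the request the client wrote.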

Rik Farrow (W1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, US West, Canadian RCMP, Swedish Navy, and for U.S. and European user groups. He is the author of UNIX System Security (Addison-Wesley) and System Administrator's Guide to System V (Prentice Hall). He writes columns for ;login: and for Network.


W2 Hacking Exposed: LIVE!
George Kurtz and Stuart McClure, Foundstone, Inc.

Who should attend: Network and system administrators, security administrators, and technical auditors who want to secure their UNIX/NT-based networks.

Is your UNIX/NT-based network infrastructure up to meeting the challenge of malicious marauders? In this tutorial we'll present the methodologies used by today's hackers to gain access to your networks and critical data. We'll demonstrate a typical attack exploiting both well-known and little-known NT-based vulnerabilities. We'll show how NT attackers can leverage UNIX vulnerabilities to circumvent traditional security mechanisms. And we'll identify opportunities to better secure the host and networks against more esoteric attacks. All examples will be demonstrated on a live network of machines.

Topics include:

  • Footprinting your e-commerce site
    • Port scanning
    • Banner grabbing
  • Exploiting common configuration and design weaknesses in NT networks
    • Enumerating user and system information from NT 4 and Windows 2000 hosts
    • Exploiting Web services
    • Logging on to NT using only the password hash
    • Routing through IPX and NetBEUI networks
    • Grabbing remote shells on NT
    • Hijacking the GUI
    • Hidden trojans: executing streamed files
  • Bypassing routers and firewall filtering
    • Using source ports
    • Leveraging port redirection
    • 101 uses for Netcat
  • Linking NT and UNIX vulnerabilities for maximum exploitation
  • Securing NT systems to prevent attacks

George Kurtz (W2) has performed hundreds of firewall, network, and e-commerce-related security assessments throughout his security consulting career. He is a regular speaker at many security conferences and is frequently quoted in The Wall Street Journal, InfoWorld, USA Today, and the Associated Press and is a co-author of the widely acclaimed Hacking Exposed: Network Security Secrets & Solutions.
Stuart McClure (W2) specializes in security assessments, firewall reviews, e-commerce application testing, hosts reviews, PKI technologies, intrusion detection, and incident response. For the past two years Stuart has co-authored a weekly column on security for InfoWorld magazine. For the past four years, he has worked both with Big 5 security consulting and the InfoWorld Test Center. Before InfoWorld, Mr. McClure has managed and secured a wide variety of corporate, academic, and government networks and systems.


W3 Inside the Linux Kernel
Ted Ts'o, VA Linux Systems

Who should attend: Application programmers and kernel developers. You should be reasonably familiar with C programming in the UNIX environment, but no prior experience with the UNIX or Linux kernel code is assumed.

This tutorial will give you an introduction to the structure of the Linux kernel, the basic features it provides, and the most important algorithms it employs.

The Linux kernel aims to achieve conformance with existing standards and compatibility with existing operating systems; however, it is not a reworking of existing UNIX kernel code. The Linux kernel was written from scratch to provide both standard and novel features, and takes advantage of the best practices of existing UNIX kernel designs.

Although the material will focus on the release version of the Linux kernel, it will also address aspects of the development kernel codebase where its substance differs. It will not contain any detailed examination of the source code but will rather offer an overview and roadmap of the kernel's design and functionality.

Topics include:

  • How the Linux kernel is organized: scheduler, virtual memory system, filesystem layers, device driver layers, and networking stacks
    • The interface between each module and the rest of the kernel, and the functionality provided by that interface
    • The common kernel support functions and algorithms used by that module
    • How modules provide for multiple implementations of similar functionality (network protocols, filesystem types, device drivers, and architecture-specific machine interfaces)
  • Basic ground rules of kernel programming (dealing with issues such as races and deadlock conditions)
  • Implementation of the most important kernel algorithms and their general properties (aspects of portability, performance, and functionality)
  • The main similarities and differences between Linux and traditional UNIX kernels, with attention to places where Linux implements significantly different algorithms
  • Details of the Linux scheduler, its VM system, and the ext2fs file system.
  • The strict requirements for ensuring that kernel code is portable

Theodore Ts'o (W3) has been a Linux kernel developer since almost the very beginnings of Linux--he implemented POSIX job control in the 0.10 Linux kernel. He is the maintainer and author for the Linux COM serial port driver and the Comtrol Rocketport driver. He architected and implemented Linux's tty layer. Outside of the kernel, he is the maintainer of the e2fsck filesystem consistency checker. Ted is currently employed by VA Linux Systems.


W4 Network Programming with Perl NEW
Lincoln Stein, Perl hacker

Who should attend: Novice to intermediate Perl programmers who understand the basics of input and output, loops, regular expression matches, and the array and hash data types. A working familiarity with Perl5's object-oriented syntax is also recommended. You should understand the basics of networking, including the concepts of IP addresses, DNS names, and servers.

This tutorial will show you how to write robust client/server applications in Perl. We will begin with simple TCP-based clients that you can use to talk to such standard services as ftp, http, mail, and news. We will then turn to writing client/server applications from scratch, using as our examples applications that range from toys (a TCP-based psychotherapist server) to full-scale applications (an Internet chat system based on multicasting).

Topics include:

  • Perl's low-level socket interface.
  • The high-level IO::Socket, IO::Select and IO::Poll modules.
  • Forward and reverse name resolution.
  • The Net::FTP, Net::Telnet, Net::SMTP, LWP and MIME modules
  • Choosing between TCP and UDP services.
  • Choosing the right server architecture:
    • Fork-and-select
    • Multiplexed
    • Multithreaded
    • Preforked
  • Advanced networking topics
    • Broadcasting
    • Multicasting
    • Non-blocking I/O

Lincoln Stein (W4) is a researcher at Cold Spring Harbor Laboratory, where he works on information architecture related to the Human Genome Project. He is the author of How to Set Up and Maintain a Web Site, Web Security: A Step-by-Step Reference Guide, The Official Guide to Programming with CGI.pm, and, most recently, Network Programming with Perl.


W5 Cryptographic Algorithms Revealed
Greg Rose, Qualcomm

Who should attend: Anyone interested in a fairly detailed overview of what makes cryptographic algorithms work, and, when they don't work, how they are broken. Some of the Advanced Encryption Standard finalists are covered to provide lessons in block ciphers, with the winner, Rijndael, treated in depth.

Some mathematical background is required--at the very least, familiarity with common mathematical notation and polynomials, and some elementary statistical knowledge. You've been warned.

Topics include (unless time runs out):

  • Brief history
    • substitution and transposition
    • development of DES
    • public-key cryptography
  • Symmetric block ciphers
    • Feistel ciphers in general
    • DES
    • Other AES candidates (Twofish, RC6, Serpent)
    • Rijndael (AES) in depth
    • Block-cipher modes of operation
  • Symmetric stream ciphers
    • Linear feedback shift registers
    • A5, SOBER, and other LFSR-based constructions
  • Cryptanalysis
    • Differential & linear cryptanalysis
    • Attack assumptions and threat models
    • Attacks on stream ciphers
  • Public-key systems
    • Group and finite field theory
    • Discrete log systems (El Gamal, Diffie-Hellman, DSS)
    • RSA
    • Elliptic curves
  • Other stuff
    • Hash functions, SHA-1, SHA-256
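The stream-cipher and cryptanalysis items above can be shown together in one added example; this is editorial code, not material from the tutorial. A raw linear feedback shift register is a fine pseudo-random generator but a useless cipher on its own, because every output bit is a linear function of the initial state. The Python below builds a 16-bit Fibonacci LFSR with an assumed tap set, uses it as a keystream, and then recovers the secret initial state from a known-plaintext crib sitting in the middle of the message by solving the resulting linear system over GF(2). The key, tap positions, message and crib are all constructed for the example.

```python
# Linear feedback shift register as a stream cipher, and why that alone is not enough.

LENGTH = 16
TAPS = [0, 2, 3, 5]        # assumed feedback taps (cell 0 must be tapped so the update is invertible)
KEY = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]   # constructed secret initial state
PLAINTEXT = b"id=7731;Subject: Q2 numbers; body=The merger closes Friday."
CRIB, CRIB_OFFSET = b"Subject:", 8      # a header the attacker can guess, 8 bytes into the message


def lfsr(state, taps):
    """Fibonacci LFSR over GF(2). Cells may hold bits or, for the attack below,
    bitmasks saying which initial cells they depend on; XOR works for both."""
    s = list(state)
    while True:
        yield s[0]
        feedback = 0
        for t in taps:
            feedback ^= s[t]
        s = s[1:] + [feedback]


def keystream(state, taps, n):
    gen = lfsr(state, taps)
    return [next(gen) for _ in range(n)]


def bytes_to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def stream_xor(data, state, taps):
    """Encrypt or decrypt: XOR the message with the LFSR keystream."""
    ks = bits_to_bytes(keystream(state, taps, 8 * len(data)))
    return bytes(a ^ b for a, b in zip(data, ks))


def output_forms(length, taps, n):
    """Run the LFSR on symbols: bit i of output mask t means 'initial cell i is XORed in'."""
    return keystream([1 << i for i in range(length)], taps, n)


def solve_gf2(equations, n):
    """Gauss-Jordan elimination over GF(2). equations: list of (mask, rhs_bit).
    Returns the n-bit solution, or None if the system is underdetermined or inconsistent."""
    rows = list(equations)
    pivots = []                                   # (column, mask, rhs), kept fully reduced
    for col in range(n):
        idx = next((i for i, (m, _) in enumerate(rows) if (m >> col) & 1), None)
        if idx is None:
            return None
        pm, pr = rows.pop(idx)
        rows = [(m ^ pm, r ^ pr) if (m >> col) & 1 else (m, r) for m, r in rows]
        pivots = [(c, m ^ pm, r ^ pr) if (m >> col) & 1 else (c, m, r) for c, m, r in pivots]
        pivots.append((col, pm, pr))
    if any(m == 0 and r for m, r in rows):
        return None
    solution = [0] * n
    for col, _, rhs in pivots:
        solution[col] = rhs
    return solution


def break_lfsr_cipher(ciphertext, crib, offset, length, taps):
    """Known plaintext at any offset leaks the keystream bits there; linearity turns
    those bits into equations in the initial state, which is the key."""
    leaked = bytes(c ^ p for c, p in zip(ciphertext[offset:offset + len(crib)], crib))
    forms = output_forms(length, taps, 8 * (offset + len(crib)))
    equations = [(forms[8 * offset + i], bit) for i, bit in enumerate(bytes_to_bits(leaked))]
    state = solve_gf2(equations, length)
    if state is None:
        return None, None
    return state, stream_xor(ciphertext, state, taps)


if __name__ == "__main__":
    ct = stream_xor(PLAINTEXT, KEY, TAPS)
    recovered, pt = break_lfsr_cipher(ct, CRIB, CRIB_OFFSET, LENGTH, TAPS)
    print("recovered key == KEY:", recovered == KEY)
    print("decrypted:", pt)
```

Sixteen consecutive keystream bits are enough in principle, because with the oldest cell tapped the state update is invertible and any sixteen consecutive outputs are simply the register contents at that moment; the eight-byte crib supplies 64 equations, so the system is overdetermined but consistent. This is why the LFSR-based designs in the list above add irregular clocking or a non-linear filter on top of the registers, and why their cryptanalysis consists of finding ways to get the linearity back.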

Greg Rose (W5) is a Principal Engineer for QUALCOMM International, based in Australia, where he works on cryptographic security and authentication for third-generation mobile phones and other technologies. He holds a number of patents for cryptographic methods and has successfully cryptanalyzed widely deployed ciphers.


W6 System and Network Performance Tuning
Marc Staveley, Soma Networks

Who should attend: Novice and advanced UNIX system and network administrators, and UNIX developers concerned about network performance impacts. A basic understanding of UNIX system facilities and network environments is assumed.

We will explore techniques for tuning systems, networks, and application code. Starting from a single-system view, we'll examine how the virtual memory system, the I/O system, and the file system can be measured and optimized. We'll move on to Network File System tuning and performance strategies. Detailed treatment of network performance problems, including network design and media choices, will lead to examples of network capacity planning. Application issues, such as system call optimization, memory usage and monitoring, code profiling, real-time programming, and controlling response time will be covered. Many examples will be given, along with guidelines for capacity planning and customized monitoring based on your workloads and traffic patterns. Analysis periods for particular situations will be provided.

Topics include:

  • Performance tuning strategies
    • Practical goals
    • Monitoring intervals
    • Useful statistics
    • Tools, tools, tools
  • Server tuning
    • Filesystem and disk tuning
    • Memory consumption and swap space
    • System resource monitoring
  • NFS performance tuning
    • NFS server constraints
    • NFS client improvements
    • NFS over WANs
    • Automounter and other tricks
  • Network performance, design, and capacity planning
    • Locating bottlenecks
    • Demand management
    • Media choices and protocols
    • Network topologies: bridges, switches, routers
    • Throughput and latency
    • Modeling resource usage
  • Application tuning
    • System resource usage
    • Memory allocation
    • Code profiling
    • Job scheduling and queuing
    • Real-time issues
    • Managing response time

Marc Staveley (W6) recently took a position with Soma Networks, where he is applying his 18 years of experience with UNIX development and administration in leading their IT group. Previously Marc was an independent consultant and has also held positions at Sun Microsystems, NCR, Princeton University, and the University of Waterloo. He is a frequent speaker on the topics of standards-based development, multi-threaded programming, systems administration, and performance tuning.


W7 Configuring and Administering Samba Servers
Gerald Carter, VA Linux Systems

Who should attend: System and network administrators who wish to integrate Samba running on a UNIX-based machine with Microsoft Windows clients. No familiarity with Windows networking concepts will be assumed.

Samba is a freely available suite of programs that allows UNIX-based machines to provide file and print services to Microsoft Windows PCs without installing any third-party software on the clients. This allows users to access necessary resources from both PCs and UNIX workstations. As Samba makes its way into more and more network shops all over the world, it is common to see "configuring Samba servers" listed as a desired skill on many job descriptions for network administrators.

This tutorial will use real-world examples taken from daily administrative tasks.

Topics include:

  • Installing Samba from the ground up
  • The basic Microsoft networking protocols and concepts, such as NetBIOS, CIFS, and Windows NT domains (including Windows 2000)
  • Configuring a UNIX box to provide remote access to local files and printers from Microsoft Windows clients
  • Utilizing client tools to access files on Windows servers from a UNIX host
  • Configuring Samba as a member of a Windows NT domain in order to utilize the domain's PDC for user authentication
  • Using Samba as a domain controller
  • Configuring Samba to participate in network browsing
  • Automating daily management tasks

Gerald Carter (M7, W7), a member of the Samba Team since 1998, is employed by VA Linux Systems. He is working with O'Reilly Publishing on a guide to LDAP for system administrators. He holds an M.S. in computer science from Auburn University, where he also served as a network and systems administrator. Gerald has published articles with Web-based magazines such as Linuxworld and has authored courses for companies such as Linuxcare. He is the lead author of Teach Yourself Samba in 24 Hours (Sams Publishing).


W8 Computer Crime: Investigating Computer-Based Evidence NEW
Steve Romig, Ohio State University

Who should attend: People who investigate computer crimes and who have some familiarity with systems or network administration and a basic understanding of what the Internet is and what people commonly use it for. This tutorial picks up where Tutorial T8, "Forensic Computer Investigations: Principles and Procedures," leaves off.

We will see where to find evidence in a wide variety of sources, including various flavors of UNIX, Windows, NT, and such network devices as routers and switches. Specific and detailed case studies will show how to safely recover and preserve this evidence. Real-life examples will be used to illustrate the application of the principles and suggested procedures from the introductory tutorial.

Finally, we will demonstrate how to correlate evidence from different sources to build a coherent and robust reconstruction of events that comprises the "crime scene."

Topics include:

  • Review of basic issues, procedures
  • Big picture: where the evidence is
  • Host-based investigations
    • Memory, swap
    • Processes
    • Network activity
    • Files and file systems
  • UNIX- and NT-specific examples
  • Network-based investigations
    • Host-based network service logs
    • Network activity logs
    • Authentication logs
    • Telco logs, including pen registers, phone traces, and caller ID
  • Specific examples from a variety of network devices
  • Tool demonstrations (may be interleaved with previous material)
  • Tying it all together

Steve Romig (T8, W8) is in charge of the Ohio State University Incident Response Team and is working with a group of Central Ohio businesses to improve Internet security practices. Steve has also worked as lead UNIX system administrator at one site with 40,000 users and 12 hosts and another with 3,000 users and over 500 hosts. Steve received his B.S. in mathematics (computer science track) from Carnegie Mellon University.


W9 Solaris Internals: Architecture, Tips, and Tidbits
Richard McDougall and James Mauro, Sun Microsystems, Inc.

Who should attend: Software engineers, application architects and developers, kernel developers, device driver writers, system administrators, performance analysts, capacity planners, Solaris users who wish to know more about the system they're using and the information available from bundled and unbundled tools, and anyone interested in operating system internals.

The installed base of Solaris systems being used for various commercial data-processing applications across all market segments and scientific computing applications has grown dramatically over the last several years, and it continues to grow. As an operating system, Solaris has evolved considerably, with some significant changes made to the UNIX SVR4 source base on which the early system was built. An understanding of how the system works is required in order to design and develop applications that take maximum advantage of the various features of the operating system, to understand the data made available via bundled system utilities, and to optimally configure and tune a Solaris system for a particular application or load.

Topics include the major components of the Solaris 8 kernel. We discuss significant differences between Solaris 8 and the previous volume release (Solaris 2.6). We discuss in detail the kernel system services facilities, such as system calls, traps and interrupts, system clocks and synchronization primitives. We discuss the 64-bit kernel, loadable kernel modules, and the runtime linker. We examine the multi-threaded process model, the threads implementation, and thread scheduling at the library and kernel level. Interprocess communication, including Solaris Doors, is also covered. The kernel's virtual memory implementation, file system, and file support are also covered. Along the way, we use examples from bundled Solaris utilities (mpstat, vmstat, cpustat, etc.) and the kernel debugger (mdb) to illustrate points and provide examples.

After completing this course, participants will have a solid understanding of the internals of the major areas of the Solaris kernel that they will be able to apply to systems performance analysis, tuning, load/behavior analysis, and application development.

Richard McDougall (W9), an Established Engineer in the Performance Application Engineering Group at Sun Microsystems, focuses on large systems performance and architecture. He has over twelve years of experience in UNIX performance tuning, application/kernel development, and capacity planning. Richard is the author of many papers and tools for measurement, monitoring, tracing and sizing UNIX systems, including the memory-sizing methodology for Sun, the MemTool set for Solaris, the recent Priority Paging memory algorithms in Solaris, and many unbundled tools for Solaris, and is co-author of Solaris Internals: Architecture Tips and Techniques (Sun Microsystems Press/Prentice Hall, 2000).
James Mauro (W9) is a Senior Staff Engineer in the Performance and Availability Engineering group at Sun Microsystems. His current projects are focused on quantifying and improving enterprise platform availability, including minimizing recovery times for data services and Solaris. Jim co-authored Solaris Internals: Architecture Tips and Techniques (Sun Microsystems Press/Prentice Hall, 2000) and writes the monthly "Inside Solaris" column for UNIX Insider.


W10 Panning for Gold: What System Logs Tell You About Your Network Security NEW
Tina Bird, Counterpane Internet Security

Who should attend: System administrators and network managers responsible for monitoring and maintaining the health and well-being of computers and network devices in an enterprise environment. Participants should be familiar with the UNIX operating system and basic network security, although some review is provided.

The purpose of this tutorial is to illustrate the importance of a network-wide centralized logging infrastructure, to introduce several approaches to monitoring audit logs, and to explain the types of information and forensics that can be obtained with well-managed logging systems.

Every device on your network--routers, servers, firewalls, application software--spits out millions of lines of audit information a day. Hidden within the data that indicates normal day-to-day operation (and known problems) are the first clues that an attacker is starting to probe and penetrate your network. If you can sift through the audit data and find those clues, you can learn a lot about your present state of security and maybe even catch attackers in the act.

Topics include:

  • The extent of the audit problem: how much data are you generating every day, and how useful is it?
  • Logfile content
  • Logfile generation: syslog and its relatives
  • Log management: centralization, parsing, and storage
  • Log analysis: methods for reconstruction of an attack

This class won't teach you how to write Perl scripts to simplify your logfiles. It will teach you how to build a log management infrastructure, how to figure out what your log data means, and what in the world you do with it once you've acquired it.
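The log-analysis item in the list above, and the evidence-correlation goal stated for W8, can be illustrated with one added example; this is editorial code, not material from either tutorial. The Python below parses a constructed sample of what a central loghost might collect from a packet filter and two servers (the line formats imitate ipchains, sshd and su messages of the period, but every line is made up), normalizes each line into an event, and reconstructs an attack timeline per source address: filtered probes, password failures, the first successful login after them, and any privilege escalation by that account on that host shortly afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a central loghost might receive from a packet filter
# and two servers. Formats imitate ipchains, sshd and su messages of the period.
LOG_LINES = """\
Jun 26 03:14:02 fw1 kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40100 192.168.1.10:23 L=60 S=0x00 I=21 F=0x4000 T=50 SYN
Jun 26 03:14:02 fw1 kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:40101 192.168.1.10:110 L=60 S=0x00 I=22 F=0x4000 T=50 SYN
Jun 26 03:14:07 web1 sshd[1234]: Failed password for root from 10.0.0.5 port 40121 ssh2
Jun 26 03:14:09 web1 sshd[1235]: Failed password for root from 10.0.0.5 port 40122 ssh2
Jun 26 03:14:12 web1 sshd[1236]: Failed password for bob from 10.0.0.5 port 40123 ssh2
Jun 26 03:14:15 web1 sshd[1237]: Accepted password for bob from 10.0.0.5 port 40124 ssh2
Jun 26 03:15:40 web1 su: bob to root on /dev/pts/2
Jun 26 03:20:01 web1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Jun 26 03:21:03 mail1 sshd[877]: Accepted publickey for alice from 192.168.1.50 port 2201 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
DENY_RE = re.compile(r"DENY \S+ PROTO=\d+ (?P<ip>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<port>\d+)")
SU_RE = re.compile(r"^(?P<user>\S+) to (?P<target>\S+) on")


def parse_line(line, year=2001):
    """Normalize one syslog line into an event dict; syslog carries no year, so one is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
          "host": m["host"], "prog": m["prog"], "msg": m["msg"], "kind": "other"}
    if m["prog"] == "sshd" and (s := SSH_RE.match(m["msg"])):
        ev.update(kind="ssh_" + s["result"].lower(), ip=s["ip"], user=s["user"])
    elif m["prog"] == "kernel" and (d := DENY_RE.search(m["msg"])):
        ev.update(kind="fw_deny", ip=d["ip"], port=int(d["port"]))
    elif m["prog"] == "su" and (u := SU_RE.match(m["msg"])):
        ev.update(kind="su", user=u["user"], target=u["target"])
    return ev


def reconstruct(events, min_failures=2, max_gap_seconds=600):
    """Per source address, in time order: probes, password failures, the first
    success after them, then any su by that account on that host soon after."""
    by_ip = defaultdict(list)
    for ev in events:
        if "ip" in ev:
            by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        probes = sum(e["kind"] == "fw_deny" for e in evs)
        failures = 0
        for e in evs:
            if e["kind"] == "ssh_failed":
                failures += 1
            elif e["kind"] == "ssh_accepted":
                if failures >= min_failures:
                    escalations = [x["target"] for x in events
                                   if x["kind"] == "su" and x["host"] == e["host"]
                                   and x["user"] == e["user"]
                                   and 0 <= (x["time"] - e["time"]).total_seconds() <= max_gap_seconds]
                    findings.append({"ip": ip, "probes": probes, "failures": failures,
                                     "host": e["host"], "account": e["user"], "at": e["time"],
                                     "escalated_to": escalations})
                failures = 0
    return findings


def analyze(text):
    events = [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]
    return reconstruct(events)


if __name__ == "__main__":
    for f in analyze(LOG_LINES):
        print(f"{f['ip']}: {f['probes']} filtered probes, {f['failures']} failed logins, "
              f"then '{f['account']}' accepted on {f['host']} at {f['at']:%H:%M:%S}; "
              f"su to {f['escalated_to'] or 'nobody'} within 10 minutes")
```

None of the individual lines is alarming on its own: a denied packet, a mistyped password and a su to root all happen every day. The finding only appears once the firewall and the server log sit in one place with comparable timestamps, which is the argument for the centralized infrastructure the tutorial describes. Alice's login from the inside, with no failures before it, produces nothing.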

Tina Bird (W10) is a network security architect at Counterpane Internet Security. She has implemented and managed a variety of wide-area-network security technologies and has developed, implemented, and enforced corporate IS security policies. She is the moderator of the VPN mailing list and the owner of "VPN Resources on the World Wide Web." Tina has a B.S. in physics from Notre Dame and an M.S. and Ph.D. in astrophysics from the University of Minnesota.


Last changed: 16 Mar 2001 becca