LISA '06: 20th Large Installation System Administration Conference
TRAINING TRACK

Sunday, December 3, 2006
Full-Day Tutorials
S1 SOLARIS 10 ADMINISTRATION WORKSHOP
Peter Baer Galvin, Corporate Technologies, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: Solaris system managers and administrators interested in learning the new administration features in Solaris 10 (and features in previous Solaris releases that they may not be using).

This tutorial covers a variety of topics concerning Solaris 10. Solaris 10 includes many new features, and there are new issues to consider when deploying, implementing, and managing Solaris 10. This will be a workshop featuring instruction and practice/exploration. Each student should have a laptop with wireless access for remote access into a provided Solaris 10 machine.

Note that, except for a few instances, Solaris 10 security is not covered in this workshop.

Topics include:

  • Overview
  • Solaris releases (official, Solaris Express, OpenSolaris, others)
  • Installing and upgrading to Solaris 10
    • Flash archives and live upgrade
  • Patching
  • Service Management Facility (lab)
  • The kernel
    • Update
    • /etc/system
  • Crash and core dumps
    • Management and analysis
  • Cool commands
  • ZFS (lab)
  • N1 Grid Containers (a.k.a. Zones) (lab)
    • Installation
    • Management
    • Resource management
  • Dtrace
  • FMA
  • Performance
    • Commands
    • Cachefs
  • Networking
    • IP multipathing
  • Sysadmin best practices

Peter Baer Galvin (S1, R1) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He wrote the "Pete's Wicked World" and "Pete's Super Systems" columns at SunWorld. He is currently contributing editor for Sys Admin, where he manages the Solaris Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web services, performance tuning, and high availability.

S2 TCP/IP WEAPONS SCHOOL (Day 1 of 2) NEW!
Richard Bejtlich, TaoSecurity
9:00 a.m.–5:00 p.m.

Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents.

TWS is the right way for junior and intermediate security personnel to learn the fundamentals of TCP/IP networking. Students learn how to interpret network traffic by analyzing packets generated by network security tools. Examples of normal, suspicious, and malicious traffic teach analysts how to identify security events on the wire. Students will analyze traffic using open source tools.

The point of the class is to teach TCP/IP by looking at nontraditional TCP/IP traffic. I will make comparisons to normal TCP/IP traffic for reference purposes. The name of the course is related to the US Air Force Weapons School, which is the "Top Gun" of the Air Force.

Course plan: The class will concentrate on the protocols and services most likely to be encountered when performing system administration and security work. Students will inspect traffic such as would be seen in various malicious security events.

Topics for Day 1 include:

  • Hardware and network design: Bridges, hubs, switches, routers, duplex and domains, layer-x switches, middleboxes, LANs, xANS, VPNs, WLANs, VLANs
  • Layer 1: What Layer 1 is; Ethernet; raw Ethernet (Nemesis); UTP and Ethernet over UTP; fiber optics and Ethernet over fiber optics; Ethernet emulation over FireWire, IP over FireWire, and IP over wireless
  • Layer 1 attack: Rogue access point
  • Layer 2: What Layer 2 is; Ethernet revisited; packet delivery on the LAN; Ethernet interfaces; ARP basics, ARP request/reply, ARP cache, Arping, Arpdig, and Arpwatch; Dynamic Trunking Protocol

Want to learn more from Richard Bejtlich? Check out his extra 2-day class after LISA, December 9–10, 2006. See the PDF flyer for details.

Richard Bejtlich (S2, M2, F1) is founder of TaoSecurity LLC (https://www.taosecurity.com), a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. Richard was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote the Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Ed., Incident Response, 2nd Ed., and Sys Admin Magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at https://taosecurity.blogspot.com.

S3 SYSTEM AND NETWORK MONITORING: TOOLS IN DEPTH
John Sellens, SYONEX
9:00 a.m.–5:00 p.m.

Who should attend: Network and system administrators ready to implement comprehensive monitoring of their systems and networks using the best of the freely available tools. Participants should have an understanding of the fundamentals of networking, familiarity with computing and network components, UNIX system administration experience, and some understanding of UNIX programming and scripting languages.

This tutorial will provide in-depth instruction in the installation and configuration of some of the most popular and effective system and network monitoring tools, including Nagios, Cricket, MRTG, and Orca.

Participants should expect to leave this tutorial with the information needed to immediately implement, extend, and manage popular monitoring tools on their systems and networks.

Topics include, for each of Nagios, Cricket, MRTG, and Orca:

  • Installation: Basic steps, prerequisites, common problems and solutions
  • Configuration, setup options, and how to manage larger and nontrivial configurations
  • Reporting and notifications, both proactive and reactive
  • Special cases: How to deal with interesting problems
  • Extending the tools: How to write scripts or programs to extend the functionality of the basic package
  • Dealing effectively with network boundaries and remote sites
  • Security concerns and access control
  • Ongoing operations

John Sellens (S3, M12) has been involved in system and network administration since 1986 and is the author of several related USENIX papers, a number of ;login: articles, and the SAGE Short Topics in System Administration booklet #7, System and Network Administration for Higher Reliability. He holds an M.Math. in computer science from the University of Waterloo and is a chartered accountant. He is the proprietor of SYONEX, a systems and networks consultancy. From 1999 to 2004, he was the General Manager for Certainty Solutions in Toronto. Prior to joining Certainty, John was the Director of Network Engineering at UUNET Canada and was a staff member in computing and information technology at the University of Waterloo for 11 years.

S4 ADMINISTERING LINUX IN PRODUCTION ENVIRONMENTS
Æleen Frisch, Exponential Consulting
9:00 a.m.–5:00 p.m.

Who should attend: Current Linux system administrators looking to learn about the latest developments and problem-solving techniques, as well as administrators from sites considering converting to Linux or adding Linux systems to their current computing resources.

This course will cover configuring and managing Linux computer systems in production environments. We will be focusing on the administrative issues that arise when Linux systems are deployed to address a variety of real-world tasks and problems arising from both commercial and research-and-development contexts.

Topics include:

  • Recent kernel developments
  • High-performance I/O
    • Advanced filesystems and logical volumes
    • Disk striping
    • Optimizing I/O performance
  • Advanced compute-server environments
    • Beowulf
    • Clustering
    • Parallelization environments/facilities
    • CPU performance optimization
  • High availability Linux: fault-tolerance options
  • Enterprise-wide authentication and other security features
  • Automating installations and other mass operations
  • Linux performance tuning

Æleen Frisch (S4, M8) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).

 

S5 LINUX SERVER SECURITY HANDS-ON NEW!
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.

Who should attend: Both Linux and UNIX system administrators. Some experience with command-line UNIX tools is required to get the most out of this class. Security analysts and managers can also take this class and learn what must be done to create secure Linux systems.

Learn how to secure Linux servers in this hands-on class. The good news is that recent Linux distros come with good default security. The bad news is that security of Linux servers can be reduced by mistakes in configuration, poor use of server features, enabling more services than are required, and use of insecure services. The security of all but the most hardened Linux servers can be increased through the application of the techniques you will learn in this course.

You will work with a Linux server running within a VMware product for Linux or Windows (Mac users: see https://www.vmware.com/macos to sign up to try a beta version for Macs). During the class, you can participate in hands-on exercises that will drive home the key points.

Topics include:

  • Checking for low-hanging fruit that can aid an attacker, such as bad file permissions, dangerous SUID files, and backdoors
  • Defending servers against network-based attacks via proper service configuration
  • Using local firewalls to both block potential attacks and blunt successful attacks
  • Running servers within a chrooted environment
  • Using secure remote administration
  • Running Apache securely through proper configuration and through checking CGI scripts or programs for exploitable features
  • Keeping your servers properly updated and vulnerability-free
  • Setting up effective logging

Rik Farrow (S5, T9) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many U.S. and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow is the editor of ;login:. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.

S6 ADVANCED PERL PROGRAMMING
Tom Christiansen, Consultant
9:00 a.m.–5:00 p.m.

Who should attend: Perl programmers with at least a journeyman-level working knowledge of Perl programming and a desire to hone their skills.

This class will cover a wide variety of advanced topics in Perl, including many insights and tricks for using these features effectively. After completing this class, attendees will have a much richer understanding of Perl and will be better able to make it part of their daily routine.

Topics include:

  • Symbol tables and typeglobs
    • Symbolic references
    • Useful typeglob tricks (aliasing)
  • Modules
    • Autoloading
    • Overriding built-ins
    • Mechanics of exporting
    • Function prototypes
  • References
    • Implications of reference counting
    • Using weak references for self-referential data structures
    • Autovivification
    • Data structure management, including serialization and persistence
    • Closures
  • Fancy object-oriented programming
    • Using closures and other peculiar referents as objects
    • Overloading of operators, literals, and more
    • Tied objects
  • Managing exceptions and warnings
    • When die and eval are too primitive for your taste
    • The use warnings pragma
    • Creating your own warnings classes for modules and objects
  • Regular expressions
    • Debugging regexes
    • qr// operator
    • Backtracking avoidance
    • Interpolation subtleties
    • Embedding code in regexes
  • Programming with multiple processes or threads
    • The thread model
    • The fork model
    • Shared memory controls
  • Unicode and I/O layers
    • Named Unicode characters
    • Accessing Unicode properties
    • Unicode combined characters
    • I/O layers for encoding translation
    • Upgrading legacy text files to Unicode
    • Unicode display tips

Tom Christiansen (S6) has been involved with Perl since day zero of its initial public release in 1987. Author of several books on Perl, including The Perl Cookbook and Programming Perl from O'Reilly, Tom is also a major contributor to Perl's online documentation. He holds undergraduate degrees in computer science and Spanish and a Master's in computer science. He now lives in Boulder, Colorado.

Sunday Morning Half-Day Tutorials
S7 INTRODUCTION TO DOMAIN NAME SYSTEM ADMINISTRATION
William LeFebvre, Consultant
9:00 a.m.–12:30 p.m.

Who should attend: System or network administrators who have been exposed to the Domain Name System only as users. A basic understanding of the IP protocols, TCP and UDP, data encapsulation, and the seven-layer model will be beneficial.

DNS, the primary method the Internet uses to name and number machines, is used to translate names like "www.usenix.org" into addresses like 131.106.3.253. Any site that is serious about joining the Internet community will need to understand how to configure and administer DNS.

This tutorial will describe the basic operation of DNS and will provide instructions and guidelines for the configuration and operation of DNS on UNIX platforms using the BIND software distribution. This class is designed for the beginner and is intended to provide a foundation for the tutorial on "Intermediate Topics in Domain Name System Administration."

Topics include:

  • DNS and BIND
  • The DNS name hierarchy
  • The four components of the DNS protocol
  • Iterative vs. recursive querying
  • Essential resource records: SOA, A, PTR, CNAME, NS
  • Zone transfers and secondaries
  • Vendor-specific differences

William LeFebvre (S7, S10) is an author, programmer, teacher, and sysadmin expert who has been using UNIX and Internet technologies since 1983. He wrote a monthly column for UNIX Review and has taught since 1989 for such organizations as USENIX, the Sun User Group (SUG), MIS Training Institute, IT Forum, and Great Circle Associates. He has contributed to several widely used UNIX packages, including Wietse Venema's logdaemon package. He is also the primary programmer for the popular UNIX utility top. William is currently an independent consultant. He received his bachelor's degree in 1983 and his master of science degree in 1988, both from Rice University.

S8 BZR, HG, AND GIT, OH MY! DISTRIBUTED SOURCE CODE MANAGEMENT SYSTEMS NEW!
Theodore Ts'o, IBM Linux Technology Center
9:00 a.m.–12:30 p.m.

Who should attend: Developers, project leaders, and system administrators dealing with source code management systems who want to take advantage of the newest distributed development tools.

Are you still using CVS or SVN? Find out what you've been missing! This tutorial will describe the basic concepts of distributed SCMs and provide gentle instructions on how these systems work and how to use them. It will also compare and contrast the strengths and weaknesses of these systems and will provide guidance and suggestions so that project leaders can choose the distributed SCM that is most appropriate for their project.

Bzr, hg, and git are new source code management systems which, unlike CVS and SVN, do not require a single centralized server. Instead, they are peer-to-peer systems, where no one repository has any more privilege than another, other than that obtained by usage and custom. These systems have many advantages. They are perfect for people who wish to commit changes while disconnected from the network (for example, while in an airplane). In addition, there is no need for "commit rights" before a new developer can become a first-class user of the SCM system. Instead, the developer simply clones a copy of the repository on his local machine, makes changes, and commits them to the repository. These changes are then pushed to the maintainer, who reviews them before merging them into his local repository. In larger projects, a hierarchical system can be used, where a changeset may be approved by a subsystem maintainer, who must then forward the changeset to a higher-level maintainer for approval for the changeset to enter the project master repository.

These attributes make distributed SCMs an ideal match for open source software projects. Indeed, hg and git were created specifically for the Linux kernel developers. Today, projects such as Solaris, Xen, moinmoin, Alsa, and e2fsprogs use Mercurial; Linux, Cairo, Wine, X.org, and XMMS2 use git; and Ubuntu and Drupal use bzr.

Theodore Ts'o (S8) has been a Linux kernel developer since almost the very beginnings of Linux: he implemented POSIX job control in the 0.10 Linux kernel. He is the maintainer and author of the Linux COM serial port driver and the Comtrol Rocketport driver, and he architected and implemented Linux's tty layer. Outside of the kernel, he is the maintainer of the e2fsck filesystem consistency checker. Ted is currently employed by IBM Linux Technology Center.

S9 SO YOU HAVE ACTIVE DIRECTORY: NOW WHAT? (A GUIDE TO AD INTEGRATION FOR UNIX SYSADMINS) NEW!
Gerald Carter, Centeris
9:00 a.m.–12:30 p.m.

Who should attend: System administrators who are tasked with integrating authentication, Web, and file/print services provided by UNIX hosts into an Active Directory domain.

Frequently, AD deployments are handled outside the UNIX infrastructure teams. This can leave UNIX/Linux sysadmins scratching their collective heads about how to make use of the new directory service and increase the amount of work duplicated by the UNIX server teams and the AD administrators. This tutorial will help reduce that workload for you.

Topics include:

  • AD domain membership using Samba
  • NTLM and Kerberos authentication for Apache
  • Using PAM for NTLM and Kerberos authentication
  • Searching Active Directory using LDAP clients

Gerald Carter (S9, S12, M9, T4, W2, R7) has been a member of the Samba Development Team since 1998. He has been developing, writing about, and teaching on open source since the late 1990s. Currently employed by Centeris as a Samba and open source developer, Gerald has written books for SAMS Publishing and for O'Reilly Publishing.
 

Sunday Afternoon Half-Day Tutorials
S10 INTERMEDIATE TOPICS IN DOMAIN NAME SYSTEM ADMINISTRATION
William LeFebvre, Consultant
1:30 p.m.–5:00 p.m.

Who should attend: Network administrators with a basic understanding of DNS and its configuration who need to learn how to create and delegate subdomains, and administrators planning to install BIND8. Attendees are expected either to have prior experience with DNS, including an understanding of basic operation and zone transfers, or to have attended the "Introduction to Domain Name System Administration" tutorial.

Attendees will move beyond the basics into a more thorough understanding of the overall design and implementation of DNS.

Topics include:

  • Subdomains and delegation
  • Resource records: NS, RP, MX, TXT, AAAA
  • BIND views
  • DNS management tools
  • DNS design
  • DNS and firewalls

William LeFebvre (S7, S10) is an author, programmer, teacher, and sysadmin expert who has been using UNIX and Internet technologies since 1983. He wrote a monthly column for UNIX Review and has taught since 1989 for such organizations as USENIX, the Sun User Group (SUG), MIS Training Institute, IT Forum, and Great Circle Associates. He has contributed to several widely used UNIX packages, including Wietse Venema's logdaemon package. He is also the primary programmer for the popular UNIX utility top. William is currently an independent consultant. He received his bachelor's degree in 1983 and his master of science degree in 1988, both from Rice University.

S12 KERBEROS 5: REVENGE OF THE THREE-HEADED DOG
Gerald Carter, Centeris
1:30 p.m.–5:00 p.m.

Who should attend: Administrators who want to understand Kerberos 5 implementations on both UNIX/Linux and Windows clients and servers.

For many organizations, Kerberos is an old technology that has been driven to the forefront by deployments of Microsoft Active Directory domains. The introduction of a standard authentication protocol into Windows domains has caused many network administrators to reexamine ways to integrate UNIX/Linux and Windows clients in a single authentication model.

Topics include:

  • Key concepts of the Kerberos 5 protocol
  • Related authentication interfaces such as SASL and GSSAPI
  • The specifics of implementing Krb5 realms
  • Implementations of Krb5 cross-realm trusts
  • Integration of Windows and UNIX/Linux clients into Krb5 realms
  • Possible pitfalls of using popular Krb5 implementations such as those of MIT and Windows 200x

Gerald Carter (S9, S12, M9, T4, W2, R7) has been a member of the Samba Development Team since 1998. He has been developing, writing about, and teaching on open source since the late 1990s. Currently employed by Centeris as a Samba and open source developer, Gerald has written books for SAMS Publishing and for O'Reilly Publishing.

Monday, December 4, 2006
Full-Day Tutorials
M1 SYSTEM AND NETWORK PERFORMANCE TUNING
Marc Staveley, Soma Networks
9:00 a.m.–5:00 p.m.

Who should attend: Novice and advanced UNIX system and network administrators, and UNIX developers concerned about network performance impacts. A basic understanding of UNIX system facilities and network environments is assumed.

We will explore procedures and techniques for tuning systems, networks, and application code. Starting from the single system view, we will examine how the virtual memory system, the I/O system, and the filesystem can be measured and optimized. We'll extend the single host view to include Network File System tuning and performance strategies. Detailed treatment of networking performance problems, including network design and media choices, will lead to examples of network capacity planning. Application issues, such as system call optimization, memory usage and monitoring, code profiling, real-time programming, and techniques for controlling response time will be addressed. Many examples will be given, along with guidelines for capacity planning and customized monitoring based on your workloads and traffic patterns. Question and analysis period for particular situations will be provided.

Topics include:

  • Performance tuning strategies
    • Practical goals
    • Monitoring intervals
    • Useful statistics
    • Tools, tools, tools
  • Server tuning
    • Filesystem and disk tuning
    • Memory consumption and swap space
    • System resource monitoring
  • NFS performance tuning
    • NFS server constraints
    • NFS client improvements
    • NFS over WANs
    • Automounter and other tricks
  • Network performance, design, and capacity planning
    • Locating bottlenecks
    • Demand management
    • Media choices and protocols
    • Network topologies: bridges, switches, and routers
    • Throughput and latency considerations
    • Modeling resource usage
  • Application tuning
    • System resource usage
    • Memory allocation
    • Code profiling
    • Job scheduling and queuing
    • Real-time issues
    • Managing response time

Marc Staveley (M1, R1) works with Soma Networks, where he is applying his many years of experience with UNIX development and administration in leading their IT group. Previously Marc had been an independent consultant and also held positions at Sun Microsystems, NCR, Princeton University, and the University of Waterloo. He is a frequent speaker on the topics of standards-based development, multi-threaded programming, system administration, and performance tuning.

M2 TCP/IP WEAPONS SCHOOL (Day 2 of 2) NEW!
Richard Bejtlich, TaoSecurity
9:00 a.m.–5:00 p.m.

See S2 for the description of the first day of this tutorial.

Who should attend: Junior and intermediate analysts and system administrators who detect and respond to security incidents.

TWS is the right way for junior and intermediate security personnel to learn the fundamentals of TCP/IP networking. Students learn how to interpret network traffic by analyzing packets generated by network security tools. Examples of normal, suspicious, and malicious traffic teach analysts how to identify security events on the wire. Students will analyze traffic using open source tools.

The point of the class is to teach TCP/IP by looking at nontraditional TCP/IP traffic. I will make comparisons to normal TCP/IP traffic for reference purposes. The name of the course is related to the US Air Force Weapons School, which is the "Top Gun" of the Air Force.

Course plan: The class will concentrate on the protocols and services most likely to be encountered when performing system administration and security work. Students will inspect traffic such as would be seen in various malicious security events.

Topics for Day 2 include:

  • Layer 2 attacks: Changing MAC addresses; MAC flooding (Macof); ARP denial of service (Arp-sk); port stealing (Ettercap); layer 2 man-in-the-middle (Ettercap); Dynamic Trunking Protocol attack (Yersinia)
  • Layer 3: What Layer 3 is; Internet Protocol, raw IP (Nemesis), IP options (Fragtest), and IP time-to-live (Traceroute); Internet Control Message Protocol (Sing) and ICMP error messages (Gnetcat)
  • Layer 3 attacks: IP spoofing; Gont ICMP attacks; ICMP Shell

Want to learn more from Richard Bejtlich? Check out his extra 2-day class after LISA, December 9–10, 2006. See the PDF flyer for details.

Richard Bejtlich (S2, M2, F1) is founder of TaoSecurity LLC (https://www.taosecurity.com), a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. Richard was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote the Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Ed., Incident Response, 2nd Ed., and Sys Admin Magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at https://taosecurity.blogspot.com.

M3 ISSUES IN UNIX INFRASTRUCTURE DESIGN
Lee Damon, University of Washington
9:00 a.m.–5:00 p.m.

Who should attend: Anyone who is designing, implementing, or maintaining a UNIX environment with 2 to 20,000+ hosts. System administrators, architects, and managers who need to maintain multiple hosts with few admins.

This intermediate class will examine many of the background issues that need to be considered during the design and implementation of a mixed-architecture or single-architecture UNIX environment. It will cover issues from authentication (single sign-on) to the Holy Grail of single system images.

This class won't implement a "perfect solution," as each site has different needs. It will try to raise all the questions you should ask (and answer) while designing the solution that will meet your needs. We will look at some freeware and some commercial solutions, as well as many of the tools that exist to make a workable environment possible.

Topics include:

  • Administrative domains: Who is responsible for what, and what can users do for themselves?
  • Desktop services vs. farming: Do you do serious computation on the desktop, or do you build a compute farm?
  • Disk layout: How do you plan for an upgrade? Where do things go?
  • Free vs. purchased solutions: Should you write your own, or hire a consultant or company?
  • Homogeneous vs. heterogeneous: Homogeneous is easier, but will it do what your users need?
  • The essential master database: How can you keep track of what you have?
  • Policies to make life easier
  • Push vs. pull
  • Getting the user back online in 5 minutes
  • Remote administration: Lights-out operation; remote user sites; keeping up with vendor patches, etc.
  • Scaling and sizing: How do you plan on scaling?
  • Security vs. sharing: Your users want access to everything. So do the crackers . . .
  • Single sign-on: How can you do it securely?
  • Single system images: Can users see just one environment, no matter how many OSes there are?
  • Tools: The free, the purchased, the homegrown

Lee Damon (M3, T3) has a B.S. in Speech Communication from Oregon State University. He has been a UNIX system administrator since 1985 and has been active in SAGE since its inception. He assisted in developing a mixed AIX/SunOS environment at IBM Watson Research and has developed mixed environments for Gulfstream Aerospace and QUALCOMM. He is currently leading the development effort for the Nikola project at the University of Washington Electrical Engineering department. Among other professional activities, he is a charter member of LOPSA and SAGE and past chair of the SAGE Ethics and Policies working groups, and he was the chair of LISA '04.

M4 AN INTRODUCTION TO OPENAFS AND ITS ADMINISTRATION
Esther Filderman, Pittsburgh Supercomputing Center, and Alf Wachsmann, Stanford Linear Accelerator Center
9:00 a.m.–5:00 p.m.

Who should attend: Anyone looking to learn more about OpenAFS and how to set up and administer an OpenAFS cell.

AFS is a global distributed file system which works on many different operating systems (UNIX, Windows, Mac OS). It is ideal for sharing data and software in a heterogeneous distributed computing environment. Now that AFS has become available through an open source license, it is available to sites and IT groups of all sizes. Although the use of AFS is simple, setting up your own AFS servers can be a rather daunting task.

Topics include:

  • Overview of AFS concepts and semantics
  • Setting up and managing the AFS client (even without your own servers)
  • A working outline of the AFS server processes and how they play together
  • How to set up a new AFS cell: design decisions, initial setup, planning for the future
  • Authentication issues: Native KAS vs. Kerberos5
  • Backups: How and what to choose to use
  • AFS tools to make everything from maintenance to monitoring easier

Esther Filderman (M4) has been working with AFS since its infancy at CMU, before it was called AFS, and is currently Senior Operations Specialist and AFS administrator for the Pittsburgh Supercomputing Center. She has been working to bring AFS content to LISA conferences since 1999. She is also coordinating documentation efforts for the OpenAFS project.
 

Alf Wachsmann (M4) is working at the Stanford Linear Accelerator Center (SLAC) in the Computing Services' High-Performance Computing Group, where he is an infrastructure designer and automation specialist. He has a doctor's degree in natural sciences obtained in Computer Science at the University of Paderborn (Germany). He worked as a post-doc in the computing center of DESY Zeuthen (Germany) before he came to SLAC in 1999.

M5 ADVANCED TOPICS IN DNS ADMINISTRATION
Matt Larson, VeriSign, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: DNS administrators who wish to extend their understanding of how to configure and manage name servers running BIND 9. Attendees should have some experience of running a name server and be familiar with DNS jargon, resource records, and the syntax of zone files and named.conf.

This tutorial will answer the question, "I've set up master (primary) and slave (secondary) name servers. What else can I do with the name server?"

Topics include:

  • The BIND 9 logging subsystem
    • Getting the most from the name server's logs
    • Running the name server in debugging mode
  • Managing the name server with rndc
  • Configuring split DNS: internal and external versions of a domain
    • Using the views mechanism of BIND 9 to implement split DNS
  • Securing the name server
    • Running it chroot()ed
    • Using access control lists
    • Preventing unwanted access
  • Security
    • DNS vulnerability overview
    • Using Transaction Signatures (TSIG) to protect messages: cases and tools
    • Using DNSSEC to protect DNS data: cases, tools, implications
  • Dynamic DNS (DDNS)
    • Secure dynamic updates with nsupdate: policies and usage models
  • IPv6
    • Resolving and answering queries over IPv6 transport
    • Setting up AAAA records to resolve IPv6 addresses

Matt Larson (M5) works in the Advanced Products and Research Group of VeriSign Information Services as a specialist in DNS protocol and operational issues. He is the co-author of the O'Reilly & Associates Nutshell Handbooks DNS on Windows Server 2003, DNS on Windows 2000, and DNS on Windows NT. Matt joined VeriSign in June 2000 from Acme Byte & Wire, a company he started in 1997 with co-author Cricket Liu. Acme Byte & Wire specialized in DNS consulting and training, and its customers included more than 10% of the Fortune 100. Prior to Acme Byte & Wire, Matt worked for five years at Hewlett-Packard, first in the Corporate Network Services group, where he ran hp.com, one of the largest corporate domains in the world. He later joined HP's professional services organization.

Monday Morning Half-Day Tutorials
M6 THE LATEST HACKING TOOLS AND DEFENSES
David Rhoades, Maven Security Consulting, Inc.
9:00 a.m.–12:30 p.m.

Who should attend: Anyone who is interested in how hackers work these days, and what system and network administrators can do to defend themselves.

This presentation will examine recent developments in hacker tools and techniques. Live demos of tools will be given as time permits, and defenses against the tools will be discussed. Bonus: A look at some recently headlined cybercrimes, with an emphasis on the techniques used.

Topics may include:

  • VoIP security
  • Phishing
  • Reverse engineering
  • Anti-forensics
  • Wi-Fi and Bluetooth
  • Web application attacks
  • Spyware and malware
  • Network tools
  • Denial of service attacks

David Rhoades (M6) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the U.S. and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and has taught for the SANS Institute, the MIS Training Institute, and ISACA.

M7 BLOGS AND SPAM: LEGAL ISSUES FOR THE SYSTEM ADMINISTRATOR NEW!
Daniel L. Appelman, Technology lawyer, USENIX attorney, and partner at Heller Ehrman LLC
9:00 a.m.–12:30 p.m.

Who should attend: System administrators at all levels of experience and seniority, and others who are facing legal and ethical issues about blogs and spam.

Blogs and spam have both proliferated tremendously in the past few years. Weak federal legislation has preempted much stronger state attempts to control spam. The Federal Trade Commission has enacted new rules that clarify some of the ambiguities in the CAN-SPAM Act. System administrators need to understand the requirements of the law and the new regulations.

Blogging raises many legal issues, including the scope of intellectual property rights, content regulation, and labor and employment issues. Several important recent cases highlight how existing laws are being applied to this new form of communication. Employees use company facilities and company time to post entries to their personal blogs and to read and comment on the blogs of others. These postings may include comments critical of their employers, or information their employers consider to be confidential and proprietary, or material created by others the use of which may not be authorized. Employers are increasingly using blogs to market and promote their company's products and services and also as a communications tool within the company. System administrators need to understand the legal issues that arise from blogging in the workplace.

This session will provide system administrators with a clear understanding of the new spam laws and the legal issues that need to be addressed when employees' right to free expression by blogging collides with employers' right to control the workplace. We will define the duties and responsibilities of system administrators when faced with spam campaigns and the use of their company's facilities for personal communication in the blogosphere. Finally, we will suggest guidelines for meeting the challenges presented by both of these popular technologies.

Topics include:

  • CAN-SPAM and what it means for the system administrator
  • New FTC rules implementing CAN-SPAM
  • Blogging issues for the system administrator
    • Use of company facilities for personal purposes: what are the limits?
    • Who owns the blog?
    • First Amendment rights and employer workplace rights: which prevail?
    • When intellectual property rights conflict with free expression
    • Blogging and trade secrets
    • The fair use doctrine and blogging
  • The role of company policies with respect to spam and blogging
  • Recommendations for the system administrator

Daniel L. Appelman (M7) is a lawyer in the Silicon Valley office of a major international law firm. He has been practicing in the areas of cyberspace and software law for many years. He was the lawyer for Berkeley Software Design in the BSDi/UNIX System Laboratories (AT&T) case. Dan is the attorney for the USENIX Association and for many tech companies. He is also founding chair of his firm's Information Technology practice group, is the former chair of the California Bar's Standing Committee on Cyberspace Law, and is a current member of the California Bar Business Law Section's Executive Committee, the Computer Law Association, and the American Bar Association's Cyberspace Committee.

M8 BEYOND SHELL SCRIPTS: 21ST-CENTURY AUTOMATION TOOLS AND TECHNIQUES NEW!
Æleen Frisch, Exponential Consulting
9:00 a.m.–12:30 p.m.

Who should attend: System administrators who want to explore new ways of automating administrative tasks. Shell scripts are appropriate for many jobs, but more complex operations will often benefit from sophisticated tools.

Topics include:

  • Cfengine
    • Basic and advanced configurations
    • Sample uses, including: installations and beyond; "self-healing" configs; data collection; and more
    • Cfengine limitations: when not to use it
  • Expect: Automating interactive processes
    • What to Expect . . .
    • Using Expect with other tools
    • Security issues
  • Bacula, an enterprise backup management facility
    • Prerequisites
    • Configuration
    • Getting the most from Bacula

Æleen Frisch (S4, M8) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).

 

M9 ETHEREAL AND THE ART OF DEBUGGING NETWORKS
Gerald Carter, Centeris
9:00 a.m.–12:30 p.m.

Who should attend: System and network administrators who are interested in learning more about the TCP/IP protocol and how network traffic monitoring and analysis can be used as a debugging, auditing, and security tool.

The focus of this course is using the Ethereal protocol analyzer as a debugging and auditing tool for TCP/IP networks. System logs can turn out to be incomplete or incorrect when you're trying to track down network application failures. Sometimes the quickest, or the only, way to find the cause is to look at the raw data on the wire. This course is designed to help you make sense of that data.

Topics include:

  • Introduction to Ethereal for local and remote network tracing
  • TCP/IP protocol basics
  • Analysis of popular application protocols such as DNS, DHCP, HTTP, NFS, CIFS, and LDAP
  • How some kinds of TCP/IP network attacks can be recognized

Gerald Carter (S9, S12, M9, T4, W2, R7) has been a member of the Samba Development Team since 1998. He has been developing, writing about, and teaching on open source since the late 1990s. Currently employed by Centeris as a Samba and open source developer, Gerald has written books for SAMS Publishing and for O'Reilly Publishing.
 

Monday Afternoon Half-Day Tutorials
M10 DOCUMENTATION TECHNIQUES FOR SYSADMINS
Mike Ciavarella, University of Melbourne
1:30 p.m.–5:00 p.m.

Who should attend: System administrators who need to produce documentation for the systems they manage or who want to improve their documentation skills.

Attendees should be able to make immediate, practical use of the techniques presented in this tutorial in their day-to-day tasks. Particular emphasis is placed on documentation as a time-saving tool rather than a workload imposition.

Topics include:

  • Why system administrators need to document
  • The document life cycle
  • Targeting your audience
  • An adaptable document framework
  • Common mistakes
  • Tools to assist the documentation process

Mike Ciavarella (M10, T3, W3) has been producing and editing technical documentation since he naively agreed to write application manuals for his first employer in the early 1980s. He has been a technical editor for MacMillan Press and has been teaching system administrators about documentation for the past eight years. Mike has an Honours Degree in Science from the University of Melbourne. After a number of years working as Senior Partner and head of the Security Practice for Cybersource Pty Ltd, Mike returned to his alma mater, the University of Melbourne. He now divides his time between teaching software engineering, providing expert testimony in computer security matters, and trying to complete a Doctorate. In his ever-diminishing spare time, Mike is a caffeine addict and photographer.

M11 HOW TO INTERVIEW A SYSTEM ADMINISTRATOR NEW!
Adam Moskowitz, Menlo Computing
1:30 p.m.–5:00 p.m.

Who should attend: System administrators of all levels of experience, as well as managers of system administrators. The course will focus on techniques for interviewers, but even sysadmins who are just starting out will learn some things to use as an interviewee. Managers of system administrators and junior sysadmins will learn, among other things, how to interview someone who knows more than you do. Junior administrators will also learn how to respond (as an interviewee) when asked a bad question—in particular, how to turn it into a better question.

Do you know how to interview a system administrator? Do the questions you ask elicit specific, narrowly focused information, or do they show you both the depth and breadth of a candidate's knowledge of a particular subject or technology? Do you know how to distinguish between a candidate who is just trying to bluff through the interview and one who has some knowledge of the field but hasn't yet become an expert? Are trick questions ever appropriate, and, if so, when and why? Some questions shouldn't be asked, and some would even land you in hot water with your company's HR or legal department: do you know what those questions are? Finally, have you figured out how to help a candidate do well in an interview while still getting an objective and fair assessment of their skills?

If you answered "no" or even "I'm not sure" to any of these questions, this course is for you.

Topics include:

  • Purposes of an interview
    • To assess the candidate's technical skills
    • To get a feel for the candidate's personality and interpersonal skills
    • To learn whether a candidate is likely to be a good fit with the company and with the IT group
    • To help the candidate figure out whether he wants this job and whether he is likely to do well in the position
    • Maybe even to teach the candidate something new about system administration
  • Basic questions to bear in mind
    • Is the candidate comfortable?
    • Does he need a drink or a bathroom break?
    • Does she know who you are and what your role in the company is?
  • Preparatory questions
    • What are you really trying to learn about the candidate's skills, and why?
    • What makes a good question good?
    • What makes a bad question bad?
    • How can you turn bad questions into good ones?
    • When is it appropriate to ask a trick question, and why?
    • What questions can't or shouldn't you ask?

Adam Moskowitz (M11), in his roles as IT manager and senior system administrator, and on behalf of several of his consulting clients, has interviewed more candidates for system administration positions than he can remember. By virtue of having worked for a lot of companies that are no longer in business, he has been a candidate for almost that many system administration positions. Over the years he's been asked good questions, bad questions, and horrible questions, and has seen candidates become flummoxed when asked what seemed like rather simple questions. All this plus his almost 30 years of experience in the field (not to mention a darned good ratio of interviews to job offers) have given Adam considerable field experience to draw on for this tutorial.

When he's not in an interview, Adam works as a system administrator—but only to support his hobby of judging barbecue contests and to keep food in his puppy's bowl.

M12 DATABASES: WHAT YOU NEED TO KNOW
John Sellens, SYONEX
1:30 p.m.–5:00 p.m.

Who should attend: System and application administrators who need to support databases and database-backed applications.

Databases used to run almost exclusively on dedicated database servers, with one or more database administrators (DBAs) dedicated to their care. These days, with the easy availability of database software such as MySQL and PostgreSQL, databases are popping up in many more places, and are used by many more applications.

As a system administrator you need to understand databases, their care and feeding.

Attendees will leave the tutorial with a better understanding of databases and their use and will be ready to deploy and support common database software and database-backed applications.

Topics include:

  • An introduction to database concepts
  • The basics of SQL (Structured Query Language)
  • Common applications of databases
  • Berkeley DB and its applications
  • MySQL installation, configuration, and management
  • PostgreSQL installation, configuration, and management
  • Security, user management, and access controls
  • Ad-hoc queries with standard interfaces
  • ODBC and other access methods
  • Database access from other tools (Perl, PHP, sqsh, etc.)

John Sellens (S3, M12) has been involved in system and network administration since 1986 and is the author of several related USENIX papers, a number of ;login: articles, and the SAGE Short Topics in System Administration booklet #7, System and Network Administration for Higher Reliability. He holds an M.Math. in computer science from the University of Waterloo and is a chartered accountant. He is the proprietor of SYONEX, a systems and networks consultancy. From 1999 to 2004, he was the General Manager for Certainty Solutions in Toronto. Prior to joining Certainty, John was the Director of Network Engineering at UUNET Canada and was a staff member in computing and information technology at the University of Waterloo for 11 years.

M13 PROJECT TROUBLESHOOTING
Strata Rose Chalup, Project Management Consultant
1:30 p.m.–5:00 p.m.

Who should attend: Anyone with an existing project that isn't going well, and they're not sure why, or with a big initiative at work that they'd like to turn into a project but can't seem to get beyond a certain point with it; anyone who's been getting involved with open source software development, and things have gotten complex now that more folks are on board. If you've been thinking, "Hey, if we had a little more structure, we could get a lot more accomplished," this tutorial is for you. It's likely, but not strictly required, that you've taken some kind of project management training or done some reading on your own.

As for me: I've been pulling clients' projects out of the fire for years. As a career consultant, I'm constantly running into the "When all else fails, hire a consultant" syndrome. I've seen projects without a plan, plans without a project, and just about everything in between—including a lot of busy people who don't seem to know what the common goal is, or even whether there is one!

So come on down, bring your laptop, your notes, and your questions, and get your project back on track.

Strata Rose Chalup (M13, W8, R4) began as a fledgling sysadmin in 1983 and has been leading and managing complex IT projects for many years, serving in roles ranging from Project Manager to Director of Network Operations. She has written a number of articles on management and working with teams and has applied her management skills on various volunteer boards, including BayLISA and SAGE. Strata has a keen interest in network information systems and new publishing technologies and built a successful consulting practice around being an avid early adopter of new tools, starting with ncsa_httpd and C-based CGI libraries in 1993 and moving on to wikis, RSS readers, and blogging. Another MIT dropout, Strata founded VirtualNet Consulting in 1993.

Tuesday, December 5, 2006
Full-Day Tutorials
T1 SOLARIS 10 PERFORMANCE, OBSERVABILITY, AND DEBUGGING
James Mauro and Richard McDougall, Sun Microsystems
9:00 a.m.–5:00 p.m.

Who should attend: Anyone who supports or may support Solaris 10 machines.

This one-day tutorial will cover the tools and utilities available in Solaris 10 for understanding system and application behavior. An overview of the various tools will be followed by a drill-down on the uses of and methodology for applying the tools to resolve performance issues and pathological behavior, or simply to understand the system and workload better.

Topics include:

  • Solaris 10 features overview
  • Solaris 10 tools and utilities
    • The conventional stat tools (mpstat, vmstat, etc.)
    • The procfs tools (ps, prstat, map, pfiles, etc.)
    • lockstat and plockstat
    • Using kstat
    • Dtrace, the Solaris dynamic tracing facility
    • Using mdb in a live system
  • Understanding memory use and performance
  • Understanding thread execution flow and profiling
  • Understanding I/O flow and performance
  • Looking at network traffic and performance
  • Application and kernel interaction
  • Putting it all together

James Mauro (T1) is a Senior Staff Engineer in the Performance and Availability Engineering group at Sun Microsystems. Jim's current interests and activities are centered on benchmarking Solaris 10 performance, workload analysis, and tool development. This work includes Sun's new Opteron-based systems and multicore performance on Sun's Chip Multithreading (CMT) Niagara processor. Jim resides in Green Brook, New Jersey, with his wife and two sons. He spent most of his spare time in the past year working on the second edition of Solaris Internals. Jim co-authored the first edition of Solaris Internals with Richard McDougall and has been writing about Solaris in various forums for the past eight years.

Richard McDougall (T1), had he lived 100 years ago, would have had the hood open on the first four-stroke internal combustion gasoline-powered vehicle, exploring new techniques for making improvements. He would be looking for simple ways to solve complex problems and helping pioneering owners understand how the technology works to get the most from their new experience. These days, McDougall uses technology to satisfy his curiosity. He is a Distinguished Engineer at Sun Microsystems, specializing in operating systems technology and system performance. He is co-author of Solaris Internals (Prentice Hall PTR, 2000) and Resource Management (Sun Microsystems Press, 1999).

T2 BUILDING A LOGGING INFRASTRUCTURE AND LOG ANALYSIS FOR SECURITY
Abe Singer, San Diego Supercomputer Center
9:00 a.m.–5:00 p.m.

Who should attend: System, network, and security administrators who want to be able to separate the wheat of warning information from the chaff of normal activity in their log files.

This tutorial will show the importance of log files for maintaining system security and general well-being, offer some strategies for building a centralized logging infrastructure, explain some of the types of information that can be obtained for both real-time monitoring and forensics, and teach techniques for analyzing log data to obtain useful information.

The devices on a medium-sized network can generate millions of lines of log messages a day. Although much of the information is normal activity, hidden within that data can be the first signs of an intrusion, denial of service, worms/viruses, and system failures. Why should you attend? Getting a handle on your log files can help you run your systems and networks more effectively and can provide forensic information for post-incident investigation.

Topics include:

  • Problems, issues, and scale of handling log information
  • Generating useful log information: improving the quality of your logs
  • Collecting log information
    • syslog and friends
    • Building a log host
    • Integrating MS Windows into a UNIX log architecture
  • Storing log information
    • Centralized log architectures
    • Log file archiving
  • Log analysis
    • Log file parsing tools
    • Data analysis of log files (e.g., baselining)
    • Attack signatures and other interesting things to look for in your logs
  • How to handle and preserve log files for HR and legal folks

Abe Singer (T2, W6) is a Computer Security Researcher in the Security Technologies Group at the San Diego Supercomputer Center. In his operational security responsibilities, he participates in incident response and forensics and in improving the SDSC logging infrastructure. His research is in pattern analysis of syslog data for data mining. He is co-author of the SAGE booklet Building a Logging Infrastructure and author of a forthcoming O'Reilly book on log analysis.

T3 SEVEN HABITS OF THE HIGHLY EFFECTIVE SYSTEM ADMINISTRATOR: HINTS, TRICKS, TECHNIQUES, & TOOLS OF THE TRADE
Mike Ciavarella, University of Melbourne, and Lee Damon, University of Washington
9:00 a.m.–5:00 p.m.

Who should attend: Junior system administrators with anywhere from little to 3+ years of experience in computer system administration. We will focus on enabling the junior system administrator to "do it right the first time." Some topics will use UNIX-specific tools as examples, but the class is applicable to any sysadmin and any OS. Most of the material covered is "the other 90%" of system administration—things every sysadmin needs to do and to know, but which aren't details of specific technical implementation.

We aim to accelerate the experience curve for junior system administrators by teaching them the time-honored tricks (and effective coping strategies) that experienced administrators take for granted and which are necessary for successful growth of both the administrator and the site.

The class covers many of the best practices that senior administrators have long incorporated in their work. We will touch on tools you should use, as well as tools you should try to avoid. We will touch on things that come up frequently, as well as those which happen only once or twice a year. We will look at a basic security approach.

We will talk about issues such as why your computers should all agree on what time it is, why root passwords should not be the same on every computer, why backing up every filesystem on every computer is not always a good idea, policies—where you want them and where you might want to avoid them—ethical issues, and growth and success as a solo-sysadmin as well as in small, medium, and large teams. We will discuss training, mentoring, and personal growth planning, as well as site planning, budgeting, and logistics. We will discuss books that can help you and your users.

Mike Ciavarella (M10, T3, W3) has been producing and editing technical documentation since he naively agreed to write application manuals for his first employer in the early 1980s. He has been a technical editor for MacMillan Press and has been teaching system administrators about documentation for the past eight years. Mike has an Honours Degree in Science from the University of Melbourne. After a number of years working as Senior Partner and head of the Security Practice for Cybersource Pty Ltd, Mike returned to his alma mater, the University of Melbourne. He now divides his time between teaching software engineering, providing expert testimony in computer security matters, and trying to complete a Doctorate. In his ever-diminishing spare time, Mike is a caffeine addict and photographer.

Lee Damon (M3, T3) has a B.S. in Speech Communication from Oregon State University. He has been a UNIX system administrator since 1985 and has been active in SAGE since its inception. He assisted in developing a mixed AIX/SunOS environment at IBM Watson Research and has developed mixed environments for Gulfstream Aerospace and QUALCOMM. He is currently leading the development effort for the Nikola project at the University of Washington Electrical Engineering department. Among other professional activities, he is a charter member of LOPSA and SAGE and past chair of the SAGE Ethics and Policies working groups, and he was the chair of LISA '04.

T4 MANAGING SAMBA 3.0
Gerald Carter, Centeris
9:00 a.m.–5:00 p.m.

Who should attend: System administrators who are currently managing Samba servers or are planning to deploy new servers this year. This course will outline the new features of Samba 3.0, including working demonstrations throughout the course session.

Topics include:

  • Providing basic file and print services
  • Centrally managing printer drivers for Windows clients
  • Configuring Samba's support for Access Control Lists and the Microsoft Distributed File System
  • Making use of Samba VFS modules for features such as virus scanning and a network recycle bin
  • Integrating with Windows NT 4.0 and Active Directory authentication services
  • Implementing a Samba primary domain controller along with Samba backup domain controllers
  • Migrating from a Windows NT 4.0 domain to a Samba domain
  • Utilizing account storage alternatives to smbpasswd such as LDAP

Gerald Carter (S9, S12, M9, T4, W2, R7) has been a member of the Samba Development Team since 1998. He has published articles with various Web-based magazines and teaches courses as a consultant for several companies. Currently employed by Hewlett-Packard as a Samba developer, Gerald has written books for SAMS Publishing and is the author of the recent LDAP System Administration for O'Reilly Publishing.

T5 INTRODUCTION TO VMWARE ESX SERVER
John Arrasjid and Stephen Sorota, VMware
9:00 a.m.–5:00 p.m.

Who should attend: System administrators and architects who are interested in deploying VMware ESX Server in a production environment. No prior experience with VMware products is required. Knowledge of Linux is helpful; basic knowledge of SANs is useful but not required.

VMware ESX Server is virtual infrastructure software for partitioning, consolidating, and managing systems in mission-critical Intel environments. In this tutorial, we will provide an overview of virtual machine technology as well as the features and functionality of ESX Server. Installation, configuration, and best practices will be the focus of the session.

Topics include:

  • Virtual infrastructure overview
  • ESX Server overview
  • Installation and configuration
  • Virtual Machine (VM) creation and operation
  • Operations and administration best practices
  • Advanced configuration (SAN and networking)

John Arrasjid (T5) has 20 years of experience in the computer science field. His experience includes work with companies such as AT&T, Amdahl, 3Dfx Interactive, Kubota Graphics, Roxio, and his own company, WebNexus Communications, where he developed consulting practices and built a cross-platform IT team. John is currently a senior member of the VMware Professional Services Organization as a Consulting Architect. John has developed a number of PSO engagements, including Performance, Security, and Disaster Recovery and Backup.

Tuesday Morning Half-Day Tutorials
T6 HITCHHIKER'S GUIDE TO EMAIL SENDER AUTHENTICATION NEW!
Murray Kucherawy, Sendmail, Inc.
9:00 a.m.–12:30 p.m.

Who should attend: System administrators familiar with email concepts who want to get their feet wet in the emerging area of email sender authentication.

Spam and phishing cost industry millions of dollars per year in lost productivity and fraud claims. Email sender authentication is a concerted, multi-fronted attempt to add technology to stem this tide of fraudulent and annoying email.

Some well-established methods, as well as some of the more nascent ones, will be covered. The components of each protocol, as well as the impact of bringing them into your environment, will be addressed. References will be provided to existing as well as upcoming implementations of several of these proposals (with an emphasis on the free ones, of course). We will discuss the technologies themselves while remaining as MTA-agnostic as possible, so that what you learn can be applied in whatever your home environment may be.

Topics include:

  • Introduction
    • Why sender authentication is necessary
    • Why not PGP or S/MIME?
  • Past
    • Simple client checks: RMX, MTAMark
  • Present
    • Path-based methods: SPF, Sender-ID
    • Crypto-based methods: DomainKeys, IIM, DKIM
    • Best common practices
  • Future
    • Reputation: Realtime Blackhole Lists (RBLs), Collaborative (Vipul's Razor)

Murray Kucherawy (T6, T10) has been actively involved in email system administration and software development since 1990 and has been awarded two related patents, with a third pending. He holds a Bachelor of Mathematics degree from the University of Waterloo and has been with Sendmail, Inc., for seven years as a senior software engineer. Prior to that he completed a six-year tour of duty in the Internet Service Provider industry in both Canada and the United States, and also worked for three terms as a staff member in computing and information technology at the University of Waterloo. He is currently working with the IETF to advance the progress of sender authentication issues through the standards process.

T7 DISK-TO-DISK BACKUP AND ELIMINATING BACKUP SYSTEM BOTTLENECKS
Jacob Farmer, Cambridge Computer
9:00 a.m.–12:30 p.m.

Who should attend: System administrators involved in the design and management of backup systems and policymakers responsible for protecting their organization's data. A general familiarity with server and storage hardware is assumed. The class focuses on architectures and core technologies and is relevant regardless of what backup hardware and software you currently use. Students will leave this lecture with immediate ideas for effective, inexpensive improvements to their backup systems.

The data protection industry is going through a mini-renaissance. In the past few years, the cost of disk media has dropped to the point where it is practical to use disk arrays in backup systems, thus minimizing and sometimes eliminating the need for tape. In the first incarnations of disk-to-disk backup—disk staging and virtual tape libraries—disk has been used as a direct replacement for tape media. While this compensates for the mechanical shortcomings of tape drives, it fails to address other critical bottlenecks in the backup system, and thus many disk-to-disk backup projects fall short of expectations. Meanwhile, many early adopters of disk-to-disk backup are discovering that the long-term costs of disk staging and virtual tape libraries are prohibitive.

The good news is that the next generation of disk-enabled data protection solutions have reached a level of maturity where they can assist—and sometimes even replace—conventional enterprise backup systems. These new D2D solutions leverage the random access properties of disk devices to use capacity much more efficiently and to obviate many of the hidden backup system bottlenecks that are not addressed by first-generation solutions. The challenge to the backup system architect is to cut through the industry hype, sort out all of these new technologies, and figure out how to integrate them into an existing backup system.

This tutorial identifies the major bottlenecks in conventional backup systems and explains how to address them. The emphasis is placed on the various roles for inexpensive disk in your data protection strategy; however, attention is given to SAN-enabled backup, the current state and future of tape drives, and iSCSI.

Topics include:

  • Identifying and eliminating backup system bottlenecks
  • Conventional disk staging
  • Virtual tape libraries
  • Removable disk media
  • Incremental forever and synthetic full backup strategies
  • Block- and object-level incremental backups
  • Information lifecycle management and nearline archiving
  • Data replication
  • CDP (Continuous Data Protection)
  • Snapshots
  • Current and future tape drives
  • Capacity Optimization (Single-Instance File Systems)
  • Minimizing and even eliminating tape drives
  • iSCSI

Jacob Farmer (T7, T11) is a well-known figure in the data storage industry. He has authored numerous papers and articles and is a regular speaker at trade shows and conferences. In addition to his regular expert advice column in the "Reader I/O" section of InfoStor Magazine, the leading trade magazine of the data storage industry, Jacob also serves as the publication's senior technical advisor. Jacob has over 18 years of experience with storage technologies and is the CTO of Cambridge Computer Services, a national integrator of data storage and data protection solutions.

T8 OVER THE EDGE SYSTEM ADMINISTRATION, VOLUME 1
David N. Blank-Edelman, Northeastern University
9:00 a.m.–12:30 p.m.

Who should attend: Old-timers who think they've already seen it all, and those who want to develop inventive thinking early in their career. Join us and be prepared to be delighted, disgusted, and amazed. Most of all, be ready to enrich your network and system administration by learning to be different.

It's time to learn how to break the rules, abuse the tools, and generally turn your system administration knowledge inside out. This class is a cornucopia of ideas for creative ways to take the standard (and sometimes not-so-standard) system administration tools and techniques and use them in ways no one would expect. We'll also cover some tools you may have missed.

Note: The teacher takes no responsibility should your head explode during this class.

Topics include:

  • How to (ab)use perfectly good network transports by using them for purposes never dreamed of by their authors
  • How to increase user satisfaction during downtimes with 6 lines of Perl
  • How to improve your network services by intentionally throwing away data
  • How to drive annoying Web-only applications that don't have a command line interface—without lifting a finger
  • How to use ordinary objects you have lying around the house, such as Silly Putty, to make your life easier (seriously!)

David N. Blank-Edelman (T8, T12, W5) is the Director of Technology at the Northeastern University College of Computer and Information Science and the author of the O'Reilly book Perl for System Administration. He has spent the past 20+ years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology Group, and the MIT Media Laboratory. He was the program chair of LISA '05 and is one of the LISA '06 Invited Talks co-chairs.

T9 FIREWALLS AND INTERNET SECURITY FOR MAC OS X NEW!
Rik Farrow, Security Consultant
9:00 a.m.–12:30 p.m.

Who should attend: Mac OS X users and administrators. Some experience with command-line UNIX tools is required to get the most out of this class. Security analysts and managers can also take this class and learn what must be done to create secure Mac OS X systems.

Mac OS X includes a firewall that you can enable with one click via a GUI interface. And if all you want to do is block most incoming network access, that's all you need to know. But if you need to know more, this class is for you.

Mac OS X uses ipfw, one of the firewalls available in FreeBSD. You can use the GUI to manage ipfw and do simple things such as allow SSH connections through. Under the covers, Mac OS X is storing your firewall configuration in two formats, both editable, and using the ipfw command-line tool. Ipfw provides a lot more flexibility than you can get from using the GUI tool, and a little knowledge permits you to install new rules on the fly or add rules that will be installed with every restart.

Bring your Apple laptop so that you can participate in class exercises. If you don't have a laptop, there should be enough people who do have one that you can comfortably shoulder surf.

Topics include:

  • Configuring ipfw using the GUI and understanding what this actually does
  • Understanding IP as it applies to firewalls and Internet security
  • Using ipfw firewalls to both block potential attacks and blunt successful attacks
  • Recognizing IP protocols that are peculiar to Mac OS X and may or may not be welcome in networks where you use just a few Macs
  • Using ipfw to control network access to your Mac OS X systems

Rik Farrow (S5, T9) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many U.S. and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow is the editor of ;login:. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.

Tuesday Afternoon Half-Day Tutorials
T10 WRITING FILTERS USING "MILTER" NEW!
Murray Kucherawy, Sendmail, Inc.
1:30 p.m.–5:00 p.m.

Who should attend: System administrators and software developers familiar with email concepts who want to write applications that can plug into the sendmail MTA to monitor and control the flow and content of email.

Email is critical infrastructure. In the past few years there have been huge changes: growth in mail volume, new regulations, sender authentication, and an increasing variety of filtering needs. Wouldn't it be great if you didn't need to be a full-blown MTA developer to write your own customized filters, or integrate your own local applications into your email stream?

Well, you can! A few years ago, Sendmail introduced a generic programming interface called milter that allows exactly this. After this course you will be able to write and debug your own mail filtering applications that plug directly into Sendmail, and understand how all the parts fit together. Examples in both C and Perl will be offered. Sample programs will also be shown.

If you've ever hacked your own database queries or other site-specific changes into Sendmail and then had to deal with carrying your patches forward from one version to the next, this could be the tutorial you've been waiting for.

Topics include:

  • Phases of SMTP and how they relate to your filter
  • The callbacks milter offers
  • How threads are used in milter
  • Writing a basic filter using the milter API
  • Registering the filter with Sendmail
  • Handling failures
  • Related known limitations in various environments
  • Examples of applications
  • Future development

Murray Kucherawy (T6, T10) has been actively involved in email system administration and software development since 1990 and has been awarded two related patents, with a third pending. He holds a Bachelor of Mathematics degree from the University of Waterloo and has been with Sendmail, Inc., for seven years as a senior software engineer. Prior to that he completed a six-year tour of duty in the Internet Service Provider industry in both Canada and the United States, and also worked for three terms as a staff member in computing and information technology at the University of Waterloo. He is currently working with the IETF to advance the progress of sender authentication issues through the standards process.

T11 NEXT GENERATION STORAGE NETWORKING
Jacob Farmer, Cambridge Computer
1:30 p.m.–5:00 p.m.

Who should attend: Sysadmins running day-to-day operations and those who set or enforce budgets. This tutorial is technical in nature, but it does not address command-line syntax or the operation of specific products or technologies. Rather, the focus is on general architectures and various approaches to scaling in both performance and capacity. Since storage networking technologies tend to be costly, there is some discussion of the relative cost of different technologies and of strategies for managing cost and achieving results on a limited budget.

There has been tremendous innovation in the data storage industry over the past few years. Proprietary, monolithic SAN and NAS solutions are beginning to give way to open-system solutions and distributed architectures. Traditional storage interfaces such as parallel SCSI and Fibre Channel are being challenged by iSCSI (SCSI over TCP/IP), SATA (serial ATA), SAS (serial attached SCSI), and even Infiniband. New filesystem designs and alternatives to NFS and CIFS are enabling high-performance filesharing measured in gigabytes (yes, "bytes," not "bits") per second. New spindle management techniques are enabling higher-performance and lower-cost disk storage. Meanwhile, a whole new set of efficiency technologies are allowing storage protocols to flow over the WAN with unprecedented performance. This tutorial is a survey of the latest storage networking technologies, with commentary on where and when these technologies are most suitably deployed.

Topics include:

  • Fundamentals of storage virtualization: the storage I/O path
  • Shortcomings of conventional SAN and NAS architectures
  • In-band and out-of-band virtualization architectures
  • The latest storage interfaces: SATA (serial ATA), SAS (serial attached SCSI), 4Gb Fibre Channel, Infiniband, iSCSI
  • Content-Addressable Storage (CAS)
  • Information Life Cycle Management (ILM) and Hierarchical Storage Management (HSM)
  • The convergence of SAN and NAS
  • High-performance file sharing
  • Parallel file systems
  • SAN-enabled file systems
  • Wide-area file systems (WAFS)

Jacob Farmer (T7, T11) is a well-known figure in the data storage industry. He has authored numerous papers and articles and is a regular speaker at trade shows and conferences. In addition to his regular expert advice column in the "Reader I/O" section of InfoStor Magazine, the leading trade magazine of the data storage industry, Jacob also serves as the publication's senior technical advisor. Jacob has over 18 years of experience with storage technologies and is the CTO of Cambridge Computer Services, a national integrator of data storage and data protection solutions.

T12 OVER THE EDGE SYSTEM ADMINISTRATION, VOLUME 2 NEW!
David N. Blank-Edelman, Northeastern University
1:30 p.m.–5:00 p.m.

Who should attend: Old-timers who think they've already seen it all, and those who want to develop inventive thinking early in their career. Join us and be prepared to be delighted, disgusted, and amazed. Most of all, be ready to enrich your network and system administration by learning to be different. Previous attendance at Volume 1 of the series is recommended but not required.

Join us for volume two of the wildly successful Over the Edge System Administration class series. Once again we'll learn how to break the rules, abuse the tools, and generally turn your system administration knowledge inside out with the help of a whole new set of examples. This class is a second cornucopia of ideas for creative ways to take the standard (and sometimes not-so-standard) system administration tools and techniques and use them in ways no one would expect. We'll also cover some tools you may have missed. This class will take some of the concepts from the first installment and develop them even further.

Once again, we feel it is important to remind you: The teacher takes no responsibility should your head explode during this class.

Topics include:

  • How to exploit side effects to your benefit
  • Applying the arts and crafts you learned in camp to system administration
  • Pressing Web apps from places like Google and Yahoo! into service as sysadmin tools
  • How to perform SQL queries on your network equipment
  • How to use even more ordinary objects you have lying around the house to make your life easier (seriously!)

David N. Blank-Edelman (T8, T12, W5) is the Director of Technology at the Northeastern University College of Computer and Information Science and the author of the O'Reilly book Perl for System Administration. He has spent the past 20+ years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology Group, and the MIT Media Laboratory. He was the program chair of LISA '05 and is one of the LISA '06 Invited Talks co-chairs.

T13 ENTERPRISE WIRELESS NETWORK SETUP NEW!
Rudi van Drunen, Competa IT/Xlexit
1:30 p.m.–5:00 p.m.

Who should attend: Network professionals and system administrators deploying and managing wireless networks in an enterprise setting who want to use the new encryption/authentication/authorization protocols.

Wireless networks are becoming ready for the enterprise. Serious flaws in the encryption are being solved with new protocols on top of 802.11. This tutorial describes setting up a wireless network in an enterprise environment using the latest protocols for authentication, authorization, and encryption, and it explains how to choose and set up your access points, antennas, and accompanying infrastructure.

After supplying some background in radio technology and antennas and showing ways to deploy your access points, we will describe the newer higher-level protocols. This tutorial will provide answers to key questions: What are the strong points? the weak points? How should you implement an enterprise structure using a RADIUS back end? Now you have it, how can you manage it?

Topics include:

  • Making a radio plan
  • Selecting and placing access points
  • Determining your cabling and antennae needs
  • Designing the authentication/authorization infrastructure
    • WPA
    • WPA2
    • LEAP
    • EAP
    • RADIUS
  • Setting up hardware and software (including clients)

Topics do not include:

  • Cryptanalysis of protocols
  • Details of vendor-specific software

Rudi van Drunen (T13) met UNIX about 25 years ago at the University of Groningen (NL). Nowadays he is employed as a senior infrastructure and UNIX consultant. Before that, he was head of IT for a medical lab in Leiden, The Netherlands, where he did A.O. UNIX system administration and applied research in image analysis and neural networks. He is one of the tech gurus and a board member of Wireless Leiden, the leading wireless community in the Netherlands. Rudi has his own small open source and hardware design company, Xlexit. He has taught a number of classes and given invited talks on wireless topics at SANE and for the Dutch UNIX community (NLUUG).

Wednesday, December 6, 2006
Full-Day Tutorials
W1 RESOURCE MANAGEMENT WITH SOLARIS CONTAINERS
Jeff Victor, Sun Microsystems
9:00 a.m.–5:00 p.m.

Who should attend: System administrators who want to improve resource utilization of their Solaris (SPARC, x64, x86) systems.

This tutorial covers the facilities available in Solaris for managing system resources. These facilities enable you to perform workload management and service-level management, leverage available capacity, and manage system utilization. Controls for CPUs, processes and threads, CPU affinity, scheduling classes, memory, partitioning facilities, and network bandwidth management are explained and demonstrated.

At the conclusion of this session, the student will have a solid understanding of the facilities and commands available for maximizing utilization of the Solaris systems in their data center.

Topics include:

  • What are resources?
  • Why would you want to manage them?
  • How do you use these Solaris features?
    • Projects and Tasks
    • Resource Controls
    • Dynamic Resource Pools, including processor sets
    • Physical Memory management with Resource Capping and Memory Sets
    • Network bandwidth management with IPQoS
    • Schedulers
    • Application isolation with Zones

Jeff Victor (W1) has been using UNIX systems since 1984. His two-decade career has included software design and development, network and telecomm administration, and nine years as a Systems Engineer at Sun Microsystems. Recently Jeff wrote the Sun BluePrint "Solaris Containers Technology Architecture Guide" and the "How to Move a Container" guide, both available at www.sun.com. He also maintains the Solaris Zones and Containers FAQ at opensolaris.org. Jeff holds a B.S. in Computer Science from Rensselaer Polytechnic Institute.

W2 IMPLEMENTING [OPEN]LDAP DIRECTORIES
Gerald Carter, Centeris
9:00 a.m.–5:00 p.m.

Who should attend: Both LDAP directory administrators and architects. The focus is on integrating standard network services with LDAP directories. The examples are based on UNIX hosts and the OpenLDAP directory server and will include actual working demonstrations throughout the course.

System administrators today run a variety of directory services, although these are referred to by names such as DNS and NIS. The Lightweight Directory Access Protocol (LDAP) is the successor to the X.500 directory and has the promise of allowing administrators to consolidate multiple existing directories into one.

Topics include:

  • Replacing NIS domains
  • Integration with Samba file and print servers
  • Integrating MTAs such as Sendmail and Postfix
  • Creating address books for mail clients
  • Managing user access to HTTP and FTP services
  • Integrating with DHCP and DNS servers
  • Scripting with the Net::LDAP Perl module
  • Defining custom attributes and object classes

Gerald Carter (S9, S12, M9, T4, W2, R7) has been a member of the Samba Development Team since 1998. He has been developing, writing about, and teaching on open source since the late 1990s. Currently employed by Centeris as a Samba and open source developer, Gerald has written books for SAMS Publishing and for O'Reilly Publishing.
 

Wednesday Morning Half-Day Tutorials
W3 ADVANCED SHELL PROGRAMMING
Mike Ciavarella, University of Melbourne
9:00 a.m.–12:30 p.m.

Who should attend: Junior or intermediate system administrators or anyone with a basic knowledge of programming, preferably with some experience in Bourne/Korn shells (or their derivatives).

The humble shell script is still a mainstay of UNIX/Linux system administration, despite the wide availability of other scripting languages. This tutorial details techniques that move beyond the quick-and-dirty shell script.

Topics include:

  • Common mistakes and unsafe practices
  • Modular shell script programming
  • Building blocks: awk, sed, etc.
  • Writing secure shell scripts
  • Performance tuning
  • Choosing the right utilities for the job
  • Addressing portability at the design stage
  • When not to use shell scripts

Mike Ciavarella (M10, T3, W3) has been producing and editing technical documentation since he naively agreed to write application manuals for his first employer in the early 1980s. He has been a technical editor for MacMillan Press and has been teaching system administrators about documentation for the past eight years. Mike has an Honours Degree in Science from the University of Melbourne. After a number of years working as Senior Partner and head of the Security Practice for Cybersource Pty Ltd, Mike returned to his alma mater, the University of Melbourne. He now divides his time between teaching software engineering, providing expert testimony in computer security matters, and trying to complete a Doctorate. In his ever-diminishing spare time, Mike is a caffeine addict and photographer.

W4 INTERNET SECURITY FOR UNIX SYSTEM ADMINISTRATORS
Ed DeHart, aspStation, Inc.
9:00 a.m.–12:30 p.m.

Who should attend: UNIX system administrators and operations/support staff. Attendees should have a good working knowledge of UNIX system administration and be experienced Internet users.

After completing this tutorial, attendees will be able to establish and maintain a secure Internet site that offers the benefits of Internet connectivity while protecting their organization's information.

At this half-day tutorial you will learn strategies and techniques to help eliminate the threat of Internet intrusions and to improve the security of UNIX systems connected to the Internet. It will also help you understand, set up, and manage a number of Internet services appropriate for your site's mission.

Topics include:

  • Latest information on security problems
  • UNIX system security
  • Security policies

Ed DeHart (W4, W7) is a former member of the CERT Coordination Center, which he helped found in 1988. The CERT was formed by the Defense Advanced Research Projects Agency (DARPA) to serve as a focal point for the computer security concerns of Internet users. Ed is currently the president of aspStation, Inc., a data center for server co-location.
 

W5 HACKING PERL NEW!
David N. Blank-Edelman, Northeastern University
9:00 a.m.–12:30 p.m.

Who should attend: Anyone who has ever had a nagging feeling that there might be ways to make hacking Perl easier and more efficient. A basic knowledge of Perl will help attendees gain more from this class.

There are many ways to learn the Perl language itself, but you usually have to learn how to get better at hacking Perl through years of trial and error. This class will help you improve the actual process of creating and debugging Perl code without all of that trouble.

Topics include:

  • The best development environments for Perl (editors, IDEs, etc.)
  • How to find code that already does what you need (and the potential hazards of using that code)
  • Tools that can help make coding Perl easier
  • Ways to make debugging Perl code (your own or someone else's) easier
  • Coding techniques that lead to less debugging

David N. Blank-Edelman (T8, T12, W5) is the Director of Technology at the Northeastern University College of Computer and Information Science and the author of the O'Reilly book Perl for System Administration. He has spent the past 20+ years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology Group, and the MIT Media Laboratory. He was the program chair of LISA '05 and is one of the LISA '06 Invited Talks co-chairs.

Wednesday Afternoon Half-Day Tutorials
W6 SECURITY WITHOUT FIREWALLS
Abe Singer, San Diego Supercomputer Center
1:30 p.m.–5:00 p.m.

Who should attend: Administrators who want or need to explore strong, low-cost, scalable security without firewalls.

Good, possibly better, network security can be achieved without relying on firewalls. The San Diego Supercomputer Center does not use firewalls, yet managed to go almost 4 years without an intrusion. Our approach defies some common beliefs, but it seems to work, and it scales well.

"Use a firewall" is the common mantra of much security documentation, and firewalls are the primary security "solution" in most networks. However, firewalls don't protect against activity by insiders, nor do firewalls provide protection against any activity that is allowed through the firewall. And, as is true for many academic institutions, firewalls just don't make sense in our environment. Weighting internal threats equally with external threats, SDSC has built an effective, scalable, host-based security model. The key parts of our model are: centralized configuration management; regular and frequent patching; and strong authentication (no plaintext passwords). This model extends well to many environments beyond the academic.

Of course, we're not perfect, and last year we had a compromise as part of a security incident that spanned numerous institutions. However, firewalls would have done little if anything to have mitigated that attack, and we believe our approach to security reduced the scope of compromise and helped us to recover faster than some of our peers.

In addition, our system administration costs scale well. The incremental cost of adding a host to our network (beyond the cost of the hardware) is negligible, as is the cost of reinstalling a host.

Topics include:

  • The threat perspective from a data-centric point of view
  • How to implement and maintain centralized configuration management using cfengine, and how to build reference systems for fast and consistent (re)installation of hosts
  • Secure configuration and management of core network services such as NFS, DNS, and SSH
  • Good system administration practices
  • Implementing strong authentication and eliminating use of plaintext passwords for services such as POP/IMAP
  • A sound patching strategy
  • An overview of last year's compromise, how we recovered, and what we learned

Abe Singer (T2, W6) is a Computer Security Researcher in the Security Technologies Group at the San Diego Supercomputer Center. In his operational security responsibilities, he participates in incident response and forensics and in improving the SDSC logging infrastructure. His research is in pattern analysis of syslog data for data mining. He is co-author of the SAGE booklet Building a Logging Infrastructure and author of a forthcoming O'Reilly book on log analysis.

W7 SETTING UP A DATA CENTER (OR DATA CLOSET) NEW!
Ed DeHart, aspStation, Inc.
1:30 p.m.–5:00 p.m.

Who should attend: System administrators in charge of multiple servers, whether currently or planned to be located in one room, who are interested in learning more about how to build a server environment.

It is not unusual for system administrators to find the number of servers under their control increasing. Often the servers are located in one room or, if space is an issue, in one closet. Placement of the servers is usually based not on a long-term plan but on available space. This tutorial is for those for whom the time has come to build a server room or to move the servers into a data center. This tutorial is also well suited to the sysadmin who has inherited a server room and wants to know how best to manage it and plan for future growth.

Topics include:

  • Wiring best practices
  • Ethernet: Switches, ConServers, etc.
  • Remote access and control
  • Active and standby power
  • Cooling and ventilation
  • Budget realities, including free-standing vs. rack-mounted servers

Ed DeHart (W4, W7) is a former member of the CERT Coordination Center, which he helped found in 1988. The CERT was formed by the Defense Advanced Research Projects Agency (DARPA) to serve as a focal point for the computer security concerns of Internet users. Ed is currently the president of aspStation, Inc., a data center for server co-location.
 

W8 PROBLEM-SOLVING FOR IT PROFESSIONALS NEW!
Strata Rose Chalup, Project Management Consultant
1:30 p.m.–5:00 p.m.

Who should attend: IT support people who would like to have a better grasp of the domain of problem-solving as a discipline.

In the world of IT support, you build up a lot of specialized domains of knowledge that may or may not interact. We're going to trace out common patterns of interaction here and show you how you can apply basic principles to isolate symptoms and interactions between subsystems. As you will see, most types of troubleshooting rely on what you might call "guided intuition"—focusing your attention down a probable path of diagnosis and then making an intuitive leap.

If you haven't practiced your intuitive pole vaulting lately, don't worry. By using checklists and patterns to do brute-force style troubleshooting, you will gradually build up a reservoir of understanding that will eventually have you shouting "Aha!" while other folks are still scratching their heads in puzzlement.

What this class will do for you:

  • Give you a solid grounding in the process of solving problems
  • Provide a framework on which to build specialized troubleshooting techniques that are specific to your environment
  • Build your confidence in your ability to apply logic and common sense to debug problems in complex interacting systems

What this class does not provide:

  • Detailed instruction in specific problem-solving situations, such as "what to do when the mouse stops moving"
  • Information on custom environments that are unique to your employer or organization
  • Intro or remedial tutoring on IT basics such as how DNS lookups occur or what TCP steps happen when a request to a Web server comes in

Rather than cover ground many of you already know, we have chosen to focus exclusively on problem-solving as a discipline, rather than solving specific problems common in IT situations.

Strata Rose Chalup (M13, W8, R4) began as a fledgling sysadmin in 1983 and has been leading and managing complex IT projects for many years, serving in roles ranging from Project Manager to Director of Network Operations. She has written a number of articles on management and working with teams and has applied her management skills on various volunteer boards, including BayLISA and SAGE. Strata has a keen interest in network information systems and new publishing technologies and built a successful consulting practice around being an avid early adopter of new tools, starting with ncsa_httpd and C-based CGI libraries in 1993 and moving on to wikis, RSS readers, and blogging. Another MIT dropout, Strata founded VirtualNet Consulting in 1993.

Thursday, December 7, 2006
Full-Day Tutorials
R1 SOLARIS 10 SECURITY FEATURES WORKSHOP
Peter Baer Galvin, Corporate Technologies, Inc., and Marc Staveley, Soma Networks
9:00 a.m.–5:00 p.m.

Who should attend: Solaris systems managers and administrators interested in the new security features in Solaris 10 (and features in previous Solaris releases that they may not be using).

This course covers a variety of topics surrounding Solaris 10 and security. Solaris 10 includes many new features, and there are new issues to consider when deploying, implementing, and managing Solaris 10. This will be a workshop featuring instruction and practice/exploration. Each student should have a laptop with wireless access for remote access into a Solaris 10 machine.

Topics include:

  • N1 Grid Containers (a.k.a. Zones) (lab)
  • RBAC (lab)
  • Privileges (lab)
  • NFSv4
  • Flash archives and live upgrade
  • Moving from NIS to LDAP
  • DTrace
  • FTP client and server enhancements
  • PAM enhancements
  • Auditing enhancements
  • BSM
  • Service Management Facility (lab)
  • Solaris Cryptographic Framework
  • Smartcard interfaces and APIs
  • Kerberos enhancements
  • Packet filtering
  • BART

Peter Baer Galvin (S1, R1) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He wrote the "Pete's Wicked World" and "Pete's Super Systems" columns at SunWorld. He is currently contributing editor for Sys Admin, where he manages the Solaris Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web services, performance tuning, and high availability.

Marc Staveley (M1, R1) works with Soma Networks, where he is applying his many years of experience with UNIX development and administration in leading their IT group. Previously Marc had been an independent consultant and also held positions at Sun Microsystems, NCR, Princeton University, and the University of Waterloo. He is a frequent speaker on the topics of standards-based development, multi-threaded programming, system administration, and performance tuning.

R2 LINUX SYSTEM ADMINISTRATION
Joshua Jensen, Cisco Systems Inc.
9:00 a.m.–5:00 p.m.

Who should attend: System administrators who plan to implement Linux in a production environment. Attendees should understand the basics of system administration in a UNIX/Linux environment, i.e., user-level commands and TCP/IP networking. Both novice admins and gurus should leave the tutorial having learned something.

From a single server to a network of workstations, maintaining a Linux environment can be a daunting task for administrators knowledgeable in other platforms. Starting with a single server and ending with a multi-server, 1000+-user environment, this tutorial will provide practical information on how to use Linux in the real world. Attendees should leave the tutorial confident in their ability to set up and manage a secure Linux server and services. The tutorial will be conducted in an open manner that allows for question-and-answer interruptions.

Topics include (with an emphasis on security):

  • Installation issues
  • Boot loaders and system startup
  • Disk partitioning and LVM
  • Software RAID
  • The RPM package system
  • Networking
  • User management
  • Automated system installation
  • Network-based authentication
  • User accounts and management
  • Network services and xinetd
  • SSH: port tunneling, keys, tricks
  • New developments

Joshua Jensen (R2) has worked for IBM and Cisco Systems, and was Red Hat's first instructor, examiner, and RHCE. He worked with Red Hat for four and a half years, during which he wrote and maintained large parts of the Red Hat curriculum: Networking Services and Security, System Administration, Apache and Secure Web Server Administration, and the Red Hat Certified Engineer course and exam. Joshua has been working with Linux since 1996 and finds himself having come full circle: he recently left IBM to work with Red Hat Linux for Cisco Systems. In his spare time he dabbles in cats, fish, boats, and frequent flyer miles.

Thursday Morning Half-Day Tutorials
R3 TIME MANAGEMENT: GETTING IT ALL DONE AND NOT GOING (MORE) CRAZY!
Tom Limoncelli, Google
9:00 a.m.–12:30 p.m.

Who should attend: Sysadmins who want to improve their time-management skills, who want to have more control over their time and better follow-through on assignments. If you feel overloaded, miss appointments, and forget deadlines and tasks, this class is for you.

Do any of these statements sound like you?

  • I don't have enough time to get all my work done.
  • I don't have control over my schedule.
  • I'm spending all my time mopping the floor; I don't have time to fix the leaking pipe.
  • My boss says I don't work hard enough, but I'm always working my —— off!

Based on a new book from O'Reilly, this tutorial will help you get more done in less time. You'll miss fewer deadlines, be more relaxed at work, and have more fun in your social life. If you think you don't have time to take this tutorial, you really need to take this tutorial!

Topics include:

  • Why typical "time management" books don't work for sysadmins
  • How to delegate tasks effectively
  • A way to keep from ever forgetting a user's request
  • Why "to do" lists fail and how to make them work
  • Prioritizing tasks so that users think you're a genius
  • Getting more out of your Palm Pilot
  • Having more time for fun (for people with a social life)
  • How to leave the office every day with a smile on your face

Tom Limoncelli (R3), author of O'Reilly's The Art of Time Management for System Administrators and co-author of The Practice of System and Network Administration from Addison-Wesley (second edition to be premiered at this conference), is a system administrator at Google in NYC. He received the SAGE 2005 Outstanding Achievement award. A sysadmin and network wonk since 1987, he has worked at Cibernet, Dean for America, Lumeta, Bell Labs/Lucent, AT&T, Mentor Graphics, and Drew University. He is a frequent presenter at LISA conferences.

R4 PRACTICAL PROJECT MANAGEMENT FOR SYSADMINS AND IT PROFESSIONALS
Strata Rose Chalup, Project Management Consultant
9:00 a.m.–12:30 p.m.

Who should attend: System administrators who want to stay hands-on as team leads or system architects and need a new set of skills with which to tackle bigger, more complex challenges. No previous experience with project management is required. Participants will get a no-nonsense grounding in methods that work without adding significantly to one's workload. After completing this tutorial, participants will be able to take an arbitrarily daunting task and reduce it to a plan of attack that will be realistic, lend itself to tracking, and have functional, documented goals. They will be able to give succinct and useful feedback to management on overall project viability and timelines and easily deliver regular progress reports.

People who have been through traditional multi-day project management courses will be shocked, yet refreshed, by the practicality of our approach. To get the most out of this tutorial, participants should have some real-world project or complex task in mind for the lab sections.

This tutorial focuses on complementing your own organizational style (or lack thereof) with a toolbox of ways to organize and manage complex tasks without drowning in paperwork or clumsy, meeting-intensive methodologies. Also emphasized is how to bridge the gap between ad-hoc methods and the kinds of tracking and reporting traditionally trained managers will understand.

Topics include:

  • Quick basics of project management
    • The essentials you need to know
    • How to map the essentials onto real-world projects
  • Skill sets
    • Defining success
    • Chunking and milestoning
    • Delegating
    • Tracking
    • Reporting
  • Problem areas
    • Teams, interactions among people
    • The albatross project
    • When to go deep and when to get "pointy-haired"
    • When disaster strikes, should you scrap, or salvage?
  • Project management tools
    • What tools should do for you
    • Leveraging the command line: UNIX PM
    • Freeware PM tool options
    • The only 15 minutes of MS Project you'll ever need

Strata Rose Chalup (M13, W8, R4) began as a fledgling sysadmin in 1983 and has been leading and managing complex IT projects for many years, serving in roles ranging from Project Manager to Director of Network Operations. She has written a number of articles on management and working with teams and has applied her management skills on various volunteer boards, including BayLISA and SAGE. Strata has a keen interest in network information systems and new publishing technologies and built a successful consulting practice around being an avid early adopter of new tools, starting with ncsa_httpd and C-based CGI libraries in 1993 and moving on to wikis, RSS readers, and blogging. Another MIT dropout, Strata founded VirtualNet Consulting in 1993.

R5 REGULAR EXPRESSION MASTERY
Chip Salzenberg, Cloudmark
9:00 a.m.–12:30 p.m.

Who should attend: System administrators and users who use Perl, grep, sed, awk, procmail, vi, or emacs.

Almost everyone has written a regex that produced unexpected results. Sometimes regexes appear to hang forever, and it's not clear what has gone wrong. Sometimes they behave differently in different utilities, and you can't tell why. This class will fix all these problems.

The first section of the class will explore the matching algorithms used internally by common utilities such as grep and Perl. Understanding these algorithms will allow us to predict whether a regex will match, which of several matches will be found, and which regexes are likely to be faster than others, and to understand why all of these behaviors occur. We'll learn why commonly used regex symbols such as ".", "$", and "\1" may not mean what you thought they did.

In the second section, we'll look at common matching disasters, a few practical parsing applications, and some advanced Perl features. We'll finish with a discussion of optimizations that were added to Perl 5.6, and why you should avoid using "/i".

Topics include:

  • Inside the regex engine
    • Regular expressions are programs
    • Backtracking
    • NFA vs. DFA
    • POSIX and Perl
    • Quantifiers
    • Greed and anti-greed
    • Anchors and assertions
    • Backreferences
  • Disasters and optimizations
    • Where machines come from
    • Disaster examples
    • Tokenizing
    • New optimizations
    • Matching strings with balanced parentheses

Chip Salzenberg (R5, R8, F5) is Principal Engineer at Cloudmark, where he fights spam with flair and aplomb. Chip is also chief coder ("pumpking") of the Parrot virtual machine (https://parrotcode.org), with which Chip plans to bring all dynamic languages together and, in the darkness, dynamically bind them.

Chip is a well-known figure in the Perl and free and open source communities, having worked on free and open source software for over 20 years, Perl for 18 years, and Linux for 13 years. Chip was pumpking for Perl release 5.4. He created the automated Linux install-and-test system for VA Linux Systems and was VA's Kernel Coordinator. Chip is a perennial presenter at the O'Reilly Open Source Conference and YAPC (Yet Another Perl Conference), teaches Perl and C++ commercially, and has been published by O'Reilly and Prentice Hall on Perl and other topics.

When away from his keyboard, Chip plays with (live) parrots and trains in Krav Maga. Chip's journal is at https://pobox.com/~chip/journal/.

Thursday Afternoon Half-Day Tutorials
R6 BLUEPRINTS FOR HIGH AVAILABILITY
Evan Marcus, Aardvark Technologies, Ltd
1:30 p.m.–5:00 p.m.

Who should attend: System administrators and data center managers, developers, IT managers.

High availability: Every systems vendor, every OS vendor, every storage vendor, every networking vendor has his own definition of this very generic term—and all the definitions are different! Do any of these definitions apply to you and your systems? Probably not.

What does high availability really mean? Do you need it? Do you already have it? How high is up? How up is high? Whom can you trust to give you a practical and useful answer, an answer you can apply to your data center and your systems? How can you sort through all of the marketing noise and really put high availability into place on your systems?

In this lively and upbeat tutorial, we'll give you some practical and useful information about high availability. We'll show you the relationship between cost and availability. We'll show you our list of 20 key high availability design principles—the foundation for any critical system—and how you can get started down the path toward high availability without spending boatloads of money. You'll take home simple and practical tools you can use right away to persuade the bean counters in your organization of the value of putting high availability techniques and practices into place.

Evan Marcus (R6, F3) founded Aardvark Technologies in 1994 as a systems consulting company. Evan and Aardvark have produced many books, papers (white and other colors), and tutorials. Along the way, Evan acquired more than 15 years of experience in UNIX systems, through (among other things) 8 years at VERITAS Software as a systems engineer, speaker, and author. He also spent 5 years at Sun Microsystems, and 2 years at Fusion Systems, where he worked to bring the first high availability clustering software applications for SunOS and Solaris to market. He also spent 2 years as a system administrator on the equities trading floor of a multinational trading institution. He is the lead author of Blueprints for High Availability from John Wiley & Sons and co-author and co-editor of The Resilient Enterprise from VERITAS Publications. He is a well-regarded and popular speaker on the design of highly available and disaster-resilient systems, and on fixed-content storage archives.

R7 HOT SWAP FILE/PRINT SERVICES FROM WINDOWS TO SAMBA NEW!
Gerald Carter, Centeris
1:30 p.m.–5:00 p.m.

Who should attend: Administrators who are interested in transparently replacing Windows file/print servers with Samba running on UNIX/Linux servers.

Samba is the interoperability tool for mixed networks. Consolidating servers to a single OS can be a huge help when solving basic issues such as backups, remote administration, and monitoring. This course will help you to identify and solve the issues surrounding migrating existing Windows file and print servers to UNIX/Linux hosts. The process can be done after hours and in such a way that users are unaware of any changes when arriving the next day.

Topics include:

  • Understanding Samba's use of POSIX Access Control Lists and Extended Attributes
  • Maintaining Windows ACLs while moving files and directories
  • Migrating printer queues, drivers, and settings
  • Migrating users and groups from an NT4 domain controller

Gerald Carter (S9, S12, M9, T4, W2, R7) has been a member of the Samba Development Team since 1998. He has been developing, writing about, and teaching on open source since the late 1990s. Currently employed by Centeris as a Samba and open source developer, Gerald has written books for SAMS Publishing and for O'Reilly Publishing.

 

R8 HIGHER-ORDER PERL NEW!
Chip Salzenberg, Cloudmark
1:30 p.m.–5:00 p.m.

Who should attend: Programmers involved in the development and maintenance of large systems written partly or mostly in Perl.

One of the most powerful techniques available to Perl programmers is writing functions that can manufacture or modify other functions. Instead of writing ten similar functions that must be maintained separately, you can write a single function that will create the others as needed. This class will teach you how.

The first section concerns the technique of dynamically replacing functions with facades. Without changing a function's code, we can add caching behavior to it, or have it enforce an interface contract, or automatically track its own performance.

The second section concerns iterators, that is, functions for generating data a little bit at a time. For files, Perl provides filehandles, but the technique is more generally applicable. As with filehandles, the technique is suitable when the total amount of data is too large to use all at once. This section ends by implementing an improved version of Perl's standard File::Find module. Unlike the usual implementation, the improved version can be stopped in the middle and resumed later as often as desired. Multiple searches can be active simultaneously, making it possible to recursively compare two separate directory structures.

The final section concerns parsing. Perl's built-in utilities make it easy to parse simple inputs, but for more complex data a modular approach is more effective. A basic parser is a trivial function that transforms a simple input into a value. By writing functions that build more complex parsers from simple, interchangeable parts, we can easily build up a parser for any kind of input.

Chip Salzenberg (R5, R8, F5) is Principal Engineer at Cloudmark, where he fights spam with flair and aplomb. Chip is also chief coder ("pumpking") of the Parrot virtual machine (https://parrotcode.org), with which Chip plans to bring all dynamic languages together and, in the darkness, dynamically bind them.

Chip is a well-known figure in the Perl and free and open source communities, having worked on free and open source software for over 20 years, Perl for 18 years, and Linux for 13 years. Chip was pumpking for Perl release 5.4. He created the automated Linux install-and-test system for VA Linux Systems and was VA's Kernel Coordinator. Chip is a perennial presenter at the O'Reilly Open Source Conference and YAPC (Yet Another Perl Conference), teaches Perl and C++ commercially, and has been published by O'Reilly and Prentice Hall on Perl and other topics.

When away from his keyboard, Chip plays with (live) parrots and trains in Krav Maga. Chip's journal is at https://pobox.com/~chip/journal/.

Friday, December 8, 2006
Tutorials
F1 NETWORK SECURITY MONITORING WITH OPEN SOURCE TOOLS
Richard Bejtlich, TaoSecurity
9:00 a.m.–5:00 p.m.

Who should attend: Anyone who wants to know what is happening on their network. I assume command-line knowledge of UNIX and familiarity with TCP/IP. Anyone with duties involving intrusion detection, security analysis, incident response, or network forensics will profit from this course.

This course will show there is more to network security monitoring (NSM) than Snort and Ethereal. In fact, we won't talk about either, unless it's to mention something you might not have seen before! NSM involves collecting the statistical, session, full content, and alert data you need to discover normal, malicious, and suspicious network events. You will leave this course immediately able to implement numerous new techniques and tools. Past participants have discovered intrusions during the class, using concepts learned in a few hours. The instructor bases his teaching on his books, professional consulting experience, and latest security research.

From the start of the course to the first break I will present NSM theory and the problems with performing intrusion detection with Web-based alert browsers such as BASE and ACID. From the first break until lunch I will describe Sguil, a free, open source NSM suite that compensates for the deficiencies of Web-based alert browsers. After lunch I will discuss a reference intrusion model which provides context for the sorts of intrusions one detects with NSM principles and will cover deployment considerations for network sensors, a topic ignored by most books and briefings. I will then turn to the tools and techniques of collecting full content data. After the final break I plan to describe the tools and techniques of collecting and analyzing sessions and statistical data.

Students with VMware Player installed will be able to follow along with the technique and tool demonstrations, using an NSM VMware image provided by the instructor.

Topics include:

  • NSM theory
  • Building and deploying NSM sensors
  • Accessing wired and wireless traffic
  • Full content tools: Tcpdump, Ethereal/Tethereal, Snort as packet logger
  • Additional data analysis tools: Tcpreplay, Tcpflow, Ngrep, Netdude
  • Session data tools: Cisco NetFlow, Fprobe, Flow-tools, Argus, SANCP
  • Statistical data tools: Ipcad, Trafshow, Tcpdstat, Cisco accounting records
  • Sguil (sguil.sf.net)
  • Case studies, personal war stories, and attendee participation

Want to learn more from Richard Bejtlich? Check out his extra 2-day class after LISA, December 9–10, 2006. See the PDF flyer for details.

Richard Bejtlich (S2, M2, F1) is founder of TaoSecurity LLC (https://www.taosecurity.com), a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles. Richard was previously a principal consultant at Foundstone, performing incident response, emergency NSM, and security research and training. He has created NSM operations for ManTech International Corporation and Ball Aerospace & Technologies Corporation. From 1998 to 2001, Richard defended global American information assets in the Air Force Computer Emergency Response Team (AFCERT), performing and supervising the real-time intrusion detection mission. Formally trained as an intelligence officer, he holds degrees from Harvard University and the United States Air Force Academy. Richard wrote the Tao of Network Security Monitoring: Beyond Intrusion Detection and the forthcoming Extrusion Detection: Security Monitoring for Internal Intrusions and Real Digital Forensics. He also wrote original material for Hacking Exposed, 4th Ed., Incident Response, 2nd Ed., and Sys Admin Magazine. Richard holds the CISSP, CIFI, and CCNA certifications. His popular Web log resides at https://taosecurity.blogspot.com.

F2 WI-FI, WIMAX, RFID, UWB, ZIGBEE, BLUETOOTH, ET AL. FOR DUMMIES . . . AND YOU
Don Bailey, Computer Security Engineer
9:00 a.m.–5:00 p.m.

Who should attend: IT professionals involved or interested in anything wireless, particularly those interested in catching up on recently developed wireless technologies and their applicability to their work and leisure. Participants should already be familiar with basic computer/network technology, the Internet, and personal electronic devices such as PDAs and cell phones, but expertise is not required. This tutorial will assist, inform, and enlighten many, including individuals with wireless networks at home and work, individuals who have deployed wireless networks or are planning to, and professionals too busy to learn the ins and outs of every new wireless revolution on their own.

Three years ago, the tech industry said Bluetooth was dead, but those Blueteeth are everywhere now! Yet another wireless revolution. Did you miss it? What about RFID? WiMAX? Zigbee? Ultra-Wideband? UMA? Yikes. Which wireless goes where?

This entertaining course is a one-stop wireless workshop, introducing you to a broad range of wireless technology for home and work use. From Wi-Fi's varied forms to the crazy A/V and PAN technologies that will ride on UWB, you learn about it all. Best of all, the ins and outs of each technology are covered: how they are supposed to work, how they actually work, and how they sometimes don't work. Particular attention is given to pushing high-rate data over various wireless technologies, including cellular and satellite.

Topics include:

  • The 802.11 family and where it stands today
  • Bluetooth device attractions and security distractions, and the future of Bluetooth
  • RFID basics and how to lock yourself out of your apartment
  • Ultra-Wideband and how it will put A/V pros out of business
  • What Zigbee is and why it has a silly name
  • Cellular data advances such as EVDO, GPRS/EDGE/HSDPA . . . 30 Mbps?
  • Satellite offerings and how bandwidth might get worse

Don Bailey (F2) is a D.C.-area computer security engineer with nearly seven years of professional experience in the computer security industry. He holds a B.S. in computer science from James Madison University. He has performed numerous vulnerability assessments and penetration tests, as well as exploit and virus evaluation, and has developed new secure laboratory technologies and architectures to support computer network attack–related experimentation and training. In recent years, Mr. Bailey has tested and evaluated a wide range of commercial and consumer wireless technology. His war-driving setup and wireless adventures have been covered by NBC, NPR, the Washington Times, and the Baltimore Sun. Commonly referred to as "Beetle," Mr. Bailey has presented on the topic of wireless security at a variety of security/hacker conferences, including Black Hat, DefCon, ToorCon, LayerOne, and DallasCon.

Friday Morning Half-Day Tutorials
F3 DISASTER PLANNING (AND RECOVERY): HOW TO KEEP YOUR COMPANY (AND YOUR JOB) ALIVE
Evan Marcus, Aardvark Technologies, Ltd
9:00 a.m.–12:30 p.m.

Who should attend: System administrators and managers who want to know what they need to think about, what they need to plan for (and what they can safely avoid considering), and how to carry out the plan if (God forbid!) disaster ever strikes.

Disaster planning is like insurance: nobody wants to talk about it and everyone runs from the salesmen. But when you need it, you are very glad to have it! And if you don't have it when you need it, it is too late to do anything about it. Have you ever been robbed or had an accident or a medical emergency? If you had insurance, you had done personal disaster planning.

We will explore the key aspects of developing a disaster recovery plan, including identifying the key components, testing the plan, and some of the technology that can speed recovery, with an eye toward balancing costs and benefits. We will also take a close look at one organization that completely recovered very quickly after 9/11.

Topics include:

  • What a DR plan should contain, with real-world examples
    • The costs of developing a plan
    • Why do you need a plan?
    • Legal and civil liabilities of not having a plan
  • Four methods for testing your plan
  • Downtime and data loss: two sides of the same coin
    • DR as a subset of high availability
  • Methods and technologies for protecting data through a disaster
  • How a disaster may affect the people responsible for recovery
    • Building and staffing a DR team
    • The role of senior management in DR
    • Convincing management that a DR plan is necessary
  • Case study of a company that survived 9/11

Evan Marcus (R6, F3) founded Aardvark Technologies in 1994 as a systems consulting company. Evan and Aardvark have produced many books, papers (white and other colors), and tutorials. Along the way, Evan acquired more than 15 years of experience in UNIX systems, through (among other things) 8 years at VERITAS Software as a systems engineer, speaker, and author. He also spent 5 years at Sun Microsystems, and 2 years at Fusion Systems, where he worked to bring the first high availability clustering software applications for SunOS and Solaris to market. He also spent 2 years as a system administrator on the equities trading floor of a multinational trading institution. He is the lead author of Blueprints for High Availability from John Wiley & Sons and co-author and co-editor of The Resilient Enterprise from VERITAS Publications. He is a well-regarded and popular speaker on the design of highly available and disaster-resilient systems, and on fixed-content storage archives.

F4 WIDE AREA STORAGE NETWORKING: SERVER CONSOLIDATION AND DATA PROTECTION OVER THE WAN
Michael Cucchi, Cambridge Computer
9:00 a.m.–12:30 p.m.

Who should attend: System administrators, IT managers, and enterprise architects who are concerned with disaster recovery, data protection, server consolidation, and resource sharing over a WAN. This tutorial is a survey of the types of solutions on the market today, with examples of when to choose one approach over another.

Storage networking over the WAN? Impossible, right? Bandwidth is too expensive. WAN latency kills the applications. SAN replication and remote backup are too expensive.

That was yesterday. This is today. New technologies have emerged to address all of these challenges, and the results are much better than you might think. This tutorial is a survey of the various technologies available for moving and accessing storage over the WAN. It is divided into three sections. The first section focuses on backup and restore over the WAN and describes solutions for sending backups off-site over the WAN and for managing backups of branch offices. The second section focuses on the various technologies for replicating live data between sites. The third section focuses on accessing live storage over the WAN, covering technologies such as Wide Area File Services (WAFS) and WAN accelerators.

Topics include:

  • Remote site backup techniques
  • Continuous Data Protection (CDP)
  • Storage encryption
  • Capacity optimized storage devices and WAN accelerators
  • Host-based vs. SAN-based vs. fabric-based replication
  • Filesystem vs. volume-level vs. application-level replication
  • Application fail-over
  • The impact of latency on storage-intensive applications
  • Compensating for WAN latencies
  • WAN accelerators
  • Wide Area File Services (WAFS)
  • Email server consolidation

Michael Cucchi (F4) has over 13 years of IT experience. He spent seven of those years as a lead Linux/UNIX/Windows senior system admin and lead system administrator for a major data center for the Federal Department of Transportation. Michael did a two-year stint as a solution engineer for Ammasso, where he helped launch the first RDMA Ethernet NIC. Mike is currently a consultant for Cambridge Computer, a national integrator of data protection and storage networking technologies.

F5 PERL PROGRAM REPAIR SHOP AND RED FLAGS
Chip Salzenberg, Cloudmark
9:00 a.m.–12:30 p.m.

Who should attend: Anyone who writes Perl programs regularly. Participants should have at least three months' experience programming in Perl.

You've probably been working too hard when you program, writing twenty lines of code when you only needed ten. But there is a better way, and I will show it to you. You'll learn how to improve your own code and the code of others, making it cleaner, more readable, more reusable, and more efficient, while at the same time making it 30–50% smaller. Smaller code contains fewer bugs and takes less time to maintain.

We will examine several real code examples in detail and see how to improve them. We'll focus on red flags—warning signs in your code that are plainly visible once you know what to look for—and on techniques that require little complex thought or ingenuity. All the bad code in this class is guaranteed 100% genuine and typical.

Class content varies depending on submissions, but is sure to include some of the topics listed below.

Topics may include:

  • Families of variables
  • Making relationships explicit
  • Refactoring
  • Programming by convention
  • The Flesh Blanket
  • Conciseness
  • Why you should avoid the "." operator
  • Elimination of global variables
  • Superstition
  • The "use strict" zombies
  • Repressed subconscious urges
  • The cardinal rule of computer programming
  • The psychology of repeated code
  • Techniques for eliminating repeated code
  • What can go wrong with "if" and "else"
  • The Condition That Ate Michigan
  • Resisting "Holy Doctrine"
  • Trying it both ways
  • Structural vs. functional code
  • Elimination of structure
  • Boolean values
  • Programs that take two steps forward and one step back
  • Programs that are 10% backslashes
  • 'print print print print print '
  • C-style "for" loops
  • Loop counter variables
  • Array length variables
  • Unnecessary shell calls
  • How (and why) to let "undef" be the special value
  • Confusion of internal and external representations of data
  • Tool use
  • Elimination of repeated code with higher-order functions
  • Learning to use a hammer
  • The "swswsw" problem
  • Avoiding special cases
  • Using uniform data representations

Chip Salzenberg (R5, R8, F5) is Principal Engineer at Cloudmark, where he fights spam with flair and aplomb. Chip is also chief coder ("pumpking") of the Parrot virtual machine (https://parrotcode.org), with which Chip plans to bring all dynamic languages together and, in the darkness, dynamically bind them.

Chip is a well-known figure in the Perl and free and open source communities, having worked on free and open source software for over 20 years, Perl for 18 years, and Linux for 13 years. Chip was pumpking for Perl release 5.4. He created the automated Linux install-and-test system for VA Linux Systems and was VA's Kernel Coordinator. Chip is a perennial presenter at the O'Reilly Open Source Conference and YAPC (Yet Another Perl Conference), teaches Perl and C++ commercially, and has been published by O'Reilly and Prentice Hall on Perl and other topics.

When away from his keyboard, Chip plays with (live) parrots and trains in Krav Maga. Chip's journal is at https://pobox.com/~chip/journal/.

There are no Friday afternoon half-day tutorials.

Last changed: 22 Nov. 2006 ch