TRAINING TRACK Overview | By Day (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday) | By Instructor | All in One File Locations: See the overview.

Wednesday, June 30, 2004

W1 Network Security Assessments Workshop—Hands-On (Day 2 of 2) David Rhoades, Maven Security Consulting, Inc. 10:30 a.m.–6:00 p.m. Who should attend: Anyone who needs to understand how to perform an effective and safe network assessment. How do you test a network for security vulnerabilities? Just plug some IP addresses into a network-scanning tool and click SCAN, right? If only it were that easy. Numerous commercial and freeware tools assist in locating network-level security vulnerabilities. However, these tools are fraught with dangers: accidental denial-of-service, false positives, false negatives, and long-winded reporting, to name but a few. Performing a security assessment (a.k.a. vulnerability assessment or penetration test) against a network environment requires preparation, the right tools, methodology, knowledge, and more. This hands-on workshop will cover the essential topics for performing an effective and safe network assessment. Class exercises will require that students have an x86-based laptop computer that can be booted from a KNOPPIX CD, along with a 10/100 Ethernet network card. Please download a copy of KNOPPIX-STD (https://www.knoppix-std.org), burn it to a CD-R, and try to boot your system on a network offering DHCP. Be sure your network card is recognized by Knoppix-STD, otherwise you will not be able to participate in most classroom exercises. Wireless access will not be supported during class. Topics include: Preparation: What you need before you even begin Safety measures: This often-overlooked topic will cover important practical steps to minimize or eliminate adverse effects on critical networks Architecture considerations: Where you scan from affects how you perform the assessment Inventory: Taking an accurate inventory of active systems and protocols on the target network Tools of the trade: Effective use of both freeware and commercial tools, with an emphasis on common pitfalls Automated scanning: Best-of-class tools, with tips (mostly vendor-neutral) on their proper use Research and development: What to do when existing tools don't suffice Documentation and audit trail: How to keep accurate records easily How to compile useful reports: Planning for corrective action and tracking your security measures Students will practice network assessment on a target network of Windows and UNIX-based servers and various routing components. Day 1 Lab setup and preparation Security assessment overview Types of assessments Choosing an assessment approach Assessment preparation Defining the purpose Rules of engagement Assessment logistics Open vs. closed testing Passive vs. active testing; depth of testing Denial of service (DoS) Enumeration of target information Permission Assessment safety Verification of tool authenticity Vetting tools Safety concepts The dangers of automated scanners Automated tool safety summary Documentation and audit trail Assessment phase 1: network inventory Ping scanning Discrete port scanning (host inventory only) DNS queries Traceroute ARP scanning Day 2 Assessment phase 2: target analysis TCP port scanning UDP port scanning SNMP Assessment phase 3: exploitation and confirmation Automated vulnerability scanning tools (Online) brute-force attacks (Offline) password cracking Manual testing Special consideration testing Firewalls and routers Auditing email servers Web servers Stealth technique summary Vulnerability scanning tools Automated scanning tools Commercial scanners Nessus Nessus Clients Using Nessus David Rhoades (T1, W1, R1, F1) is a principal consultant with Maven Security Consulting, Inc. Since 1996, David has provided information protection services for various FORTUNE 500 customers. His work has taken him across the US and abroad to Europe and Asia, where he has lectured and consulted in various areas of information security. David has a B.S. in computer engineering from the Pennsylvania State University and is an instructor for the SANS Institute, the MIS Training Institute, and Sensecurity (based in Singapore). W2 Making Your Code Run Faster Steve Johnson, Mathworks 10:30 a.m.–6:00 p.m. Who should attend: Developers and system programmers who have an interest in making applications run fast(er). Some programming knowledge (C/C++/Java) is desirable, as is an understanding of the primary tasks of an operating system and how it carries them out. The primary focus is on making big, hairy applications run faster, but some mid- and micro-level tuning will be discussed as well. We won't say much about real-time and embedded programs, although there is some relevant overlap with these areas. Although machines are getting faster, we still seem to spend a lot of time at our computers sitting around waiting for things to get done. It is easy for increased complexity, poor design, and scaling problems to eat up the increased capacity of new hardware. On the other hand, making an application an order of magnitude faster can open up whole new ways to use it. It is astonishingly difficult to collect data that is valid, repeatable, and also relevant to improving a program's performance. We have seen CPU benchmarks that really measured cache size, memory benchmarks that measured filesystem performance, and network benchmarks that measured the OS. Before tearing a working application to shreds, it is important to have confidence that your rework will really improve performance. A lot of the class will focus on measurement and analysis methods. For example, measurements with a commercial tool showed that one module in an application was responsible for 25% of the startup time. But when we bypassed that module, the application only got 2% faster. Making sense of observations like these will be one of the major takeaways from the class. Finally, we will talk about what it takes to engineer and achieve speed improvements, and the kinds of bit rot that can cause slowdowns. Topics include: What do we mean by performance? How do we measure it? What are the biases in these measurements? Identifying the bottleneck(s) How do bottlenecks arise? Scaling Coding to expose bottlenecks quickly Artificial benchmarks and resource restrictions Caches are ubiquitous: how they fog performance measurement The effect of compiler options, assertions, and debugging Commercial tools: GlowCode, VTune, Quantify, etc. CPU cycle counters: roll your own How to do performance modeling, not benchmarking Clusters and threading and parallelism, oh my! Performance as quality Performance and the development process Steve Johnson (W2) earned his Ph.D. in Mathematics, but has spent his entire career in computing. He spent nearly 20 years at Bell Labs and AT&T, where he worked on topics as diverse as computer music, psychometrics, and VLSI design, but he is best known for his work on UNIX: Yacc, Lint, the Portable C Compiler, and co-authoring (with Dennis Ritchie) the first AT&T UNIX port. He also ran the UNIX System V language development department for several years in the mid-1980s. In 1986 he went to Silicon Valley, where he was part of a half-dozen or so startup companies, most recently Transmeta. In 2002, he became Senior Fellow at The MathWorks in the Boston area, where he helps determine the evolution and technology of the MATLAB programming language. W3 Beyond Shell Scripts: 21st-Century Automation Tools and Techniques Aeleen Frisch, Exponential Consulting 10:30 a.m.–6:00 p.m. Who should attend: System administrators who want to explore new ways of automating administrative tasks. Shell scripts are appropriate for many jobs, but more complex operations will often benefit from sophisticated tools. Topics include: Automating installations Vendor-supplied tools Alternative approaches State-of-the-art package control Heterogeneous environments Mark Burgess's cfengine package Basic and advanced configurations Examples Installations and beyond "Self-healing" system configurations Data collection More Cfengine limitations: when not to use it Other tools Expect: automating interactive processes What to Expect . . . Using Expect with other tools Security issues Amanda, an enterprise backup management facility Prerequisites Configuration Getting the most from Amanda STEM, a new package for automating network operations Understanding the context and tool capabilities Examples Performance and security issues Nagios: monitoring network and device performance How it works Sample configurations Extending Nagios RRDTool: Examining retrospective system data Basic operation Advanced graphing Options for data collection Aeleen Frisch (T3, W3, R4) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).   W4 Advanced Technology in Sendmail Eric Allman, Sendmail, Inc. 10:30 a.m.–6:00 p.m. Who should attend: System administrators who want to learn more about the Sendmail program, particularly details of configuration and operational issues. This tutorial assumes that you are already familiar with Sendmail, including installation, configuration, and operation. In the past few years the face of email has changed dramatically. No longer is it sufficient to use the default configurations, even in single-user systems. Spam, regulation, high loads, and increased concerns about privacy and authentication have caused major changes in sendmail and in the options available to you. This tutorial is taught by the principal author of Sendmail. Expect a fast-paced tutorial from an instructor who will be able to answer any question you may have. Topics include: SMTP authentication TLS encryption The Milter (mail filter interface) New policy control interfaces Eric Allman (W4) is the original author of Sendmail, co-founder and CTO of Sendmail, Inc., and co-author of Sendmail, published by O'Reilly. At U.C. Berkeley, he was the chief programmer on the INGRES database management project, leader of the Mammoth project, and an early contributer to BSD, authoring syslog, tset, the -me troff macros, and trek. Eric designed database user and application interfaces at Britton Lee (later Sharebase) and contributed to the Ring Array Processor project for neural-network-based speech recognition at the International Computer Science Institute. Eric is on the Editorial Review Board of ACM Queue magazine and is a former member of the Board of Directors of the USENIX Association. W5 System and Network Monitoring: Tools in Depth John Sellens, Certainty Solutions 10:30 a.m.–6:00 p.m. Who should attend: Network and system administrators ready to implement comprehensive monitoring of their systems and networks using the best of the freely available tools. Participants should have an understanding of the fundamentals of networking, familiarity with computing and network components, UNIX system administration experience, and some understanding of UNIX programming and scripting languages. This tutorial will provide in-depth instruction in the installation and configuration of some of the most popular and effective system and network monitoring tools, including Nagios, Cricket, MRTG, and Orca. Participants should expect to leave the tutorial with the information needed to immediately implement, extend, and manage popular monitoring tools on their systems and networks. Topics include, for each of Nagios, Cricket, MRTG, and Orca: Installation—Basic steps, prerequisites, common problems, and solutions Configuration, setup options, and how to manage larger and non-trivial configurations Reporting and notifications—proactive and reactive Special cases—how to deal with interesting problems Extending the tools—how to write scripts or programs to extend the functionality of the basic package Dealing effectively with network boundaries and remote sites Security concerns and access control Ongoing operations John Sellens (W5) has been involved in system and network administration since 1986 and is the author of several related USENIX papers, a number of ;login: articles, and SAGE booklet #7, System and Network Administration for Higher Reliability. He holds an M.S. in computer science from the University of Waterloo and is a chartered accountant. He is currently the General Manager for Certainty Solutions (formerly known as GNAC) in Toronto. Prior to joining Certainty, John was the Director of Network Engineering at UUNET Canada and was a staff member in computing and information technology at the University of Waterloo for 11 years.