Check out the new USENIX Web site.
18th Large Installation System Administration Conference, November 14-19, Atlanta, GA



TRAINING TRACK


Monday, November 15, 2004
M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2) NEW!
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.

See Part 1, S1, for the description of the first day of this tutorial.

Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.

The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending the course only the second day, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.

Exercises include:

  • John the Ripper, password cracking
  • Using and modifying KNOPPIX Linux boot CD
  • Elevation of privilege and suid shells
  • Rootkits, and finding rootkits (chkrootkit)
  • Sleuth Kit (looking at intrusion timelines)
  • iptables and netfilter
  • cfengine configuration

Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.

M2 System and Network Monitoring: Tools in Depth
John Sellens, Certainty Solutions
9:00 a.m.–5:00 p.m.

Who should attend: Network and system administrators ready to implement comprehensive monitoring of their systems and networks using the best of the freely available tools. Participants should have an understanding of the fundamentals of networking, familiarity with computing and network components, UNIX system administration experience, and some understanding of UNIX programming and scripting languages.

This tutorial will provide in-depth instruction in the installation and configuration of some of the most popular and effective system and network monitoring tools, including Nagios, Cricket, MRTG, and Orca.

Participants should expect to leave the tutorial with the information needed to immediately implement, extend, and manage popular monitoring tools on their systems and networks.

Topics include, for each of Nagios, Cricket, MRTG, and Orca:

  • Installation—Basic steps, prerequisites, common problems, and solutions
  • Configuration, setup options, and how to manage larger and non-trivial configurations
  • Reporting and notifications—proactive and reactive
  • Special cases—how to deal with interesting problems
  • Extending the tools—how to write scripts or programs to extend the functionality of the basic package
  • Dealing effectively with network boundaries and remote sites
  • Security concerns and access control
  • Ongoing operation

John Sellens (S2, M2) has been involved in system and network administration since 1986 and is the author of several related USENIX papers, a number of ;login: articles, and the SAGE Short Topics in System Administration booklet #7, System and Network Administration for Higher Reliability. He holds an M.Math. in computer science from the University of Waterloo and is a chartered accountant. He is the proprietor of SYONEX, a systems and networks consultancy. From 1999 to 2004, he was the General Manager for Certainty Solutions in Toronto. Prior to joining Certainty, John was the Director of Network Engineering at UUNET Canada and was a staff member in computing and information technology at the University of Waterloo for 11 years.

M3 Advanced Solaris System Administration Topics UPDATED!
Peter Baer Galvin, Corporate Technologies, Inc.
9:00 a.m.–5:00 p.m.

Who should attend: UNIX administrators who need more knowledge of Solaris administration.

We will discuss the major new features of recent Solaris releases, including which to use (and how) and which to avoid. This in-depth course will provide the information you need to run a Solaris installation effectively. This tutorial has been updated to include Solaris 10 features and functions.

Topics include:

  • Installing and upgrading
    • Architecting your facility
    • Choosing appropriate hardware
    • Planning your installation, filesystem layout, post-installation steps
    • Installing (and removing) patches and packages
    • Avoiding single points of failure
  • Advanced features of Solaris 2
    • Filesystems and their uses
    • The /proc filesystem and commands
    • Useful tips and techniques
  • Networking and the kernel
    • Virtual IP: configuration and uses
    • Kernel and performance tuning: new features, adding devices, tuning, debugging commands
    • Devices: naming conventions, drivers, gotchas
  • Enhancing Solaris
    • High availability essentials: disk failures and recovery, RAID levels, uses and performance, H/A technology and implementation
    • Performance: how to track down and resolve bottlenecks, Solaris Resource Manager
    • Tools: useful free tools, tool use strategies
    • Security: locking down Solaris, system modifications, tools, SunScreen
    • Resources and references

Peter Baer Galvin (M3, T11, R4) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He wrote the "Pete's Wicked World" and "Pete's Super Systems" columns at SunWorld. He is currently contributing editor for Sys Admin, where he manages the Solaris Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web services, performance tuning, and high availability.

M4 System Log Aggregation, Statistics, and Analysis NEW!
Marcus Ranum, Trusecure Corp.
9:00 a.m.–5:00 p.m.

Who should attend: System and network administrators who are interested in learning what's going on in their firewalls, servers, network, and systems; anyone responsible for security and audit or forensic analysis.

This tutorial covers techniques and software tools for building your own log analysis system, from aggregating all your data in a single place, through normalizing it, searching, and summarizing, to generating statistics and alerts and warehousing it. We will focus primarily on open source tools for the UNIX environment, but will also describe tools for dealing with Windows systems and various devices such as routers and firewalls.

Topics include:

  • Estimating log quantities and log system requirements
  • Syslog: mediocre but pervasive logging protocol
  • Back-hauling your logs
  • Building a central loghost
  • Dealing with Windows logs
  • Logging on Windows loghosts
  • Parsing and normalizing
  • Finding needles in haystacks: searching logs
  • I'm dumb, but it works: artificial ignorance
  • Bayesian spam filters for logging
  • Storage and rotation
  • Databases and logs
  • Leveraging the human eyeball: graphing log data
  • Alerting
  • Legalities of logs as evidence
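The pipeline sketched above (aggregate, parse and normalize, then filter down to what is new and summarize the rest) can be shown in a few dozen lines. The following Python is an added example, not material from the tutorial or from Marcus Ranum: it parses traditional BSD-style syslog lines, collapses variable fields into placeholders so that repeated messages share one template, and applies an "artificial ignorance" list, that is, patterns for messages the administrator has already looked at and decided to ignore, so that only unexplained lines remain. The sample log lines and the two ignore patterns are constructed for the example; lines that fail to parse are reported rather than dropped, since a malformed line can be a broken log source or an attacker's doing.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original page): routine noise
# plus a few lines an administrator would want to see.
SAMPLE_LOGS = [
    "Nov 15 09:01:02 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2",
    "Nov 15 09:01:07 web1 cron[1240]: (root) CMD (/usr/lib/sa/sa1 1 1)",
    "Nov 15 09:02:11 web1 sshd[1251]: Failed password for root from 192.0.2.44 port 40022 ssh2",
    "Nov 15 09:02:13 web1 sshd[1251]: Failed password for root from 192.0.2.44 port 40023 ssh2",
    "Nov 15 09:03:00 db1 cron[877]: (root) CMD (/usr/lib/sa/sa1 1 1)",
    "Nov 15 09:04:30 web1 su[1270]: FAILED su for root by www",
    "Nov 15 09:05:00 web1 sshd[1281]: Accepted publickey for bob from 10.0.0.6 port 51123 ssh2",
    "garbage line that does not look like syslog at all",
]

# Traditional BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Return the fields of one syslog line as a dict, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def normalize(msg):
    """Collapse variable fields (IPv4 addresses, then bare numbers) into
    placeholders so that lines differing only in those fields share a template."""
    msg = re.sub(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", "<IP>", msg)
    msg = re.sub(r"\b\d+\b", "<N>", msg)
    return msg


# The "artificial ignorance" list. These two patterns are assumed for the
# example; in practice the administrator writes them one at a time, each time
# a reported line turns out to be understood and uninteresting. Anything
# matching none of them is shown.
IGNORE_PATTERNS = [
    re.compile(r"^cron: \(root\) CMD \(/usr/lib/sa/sa1 "),
    re.compile(r"^sshd: Accepted publickey for \w+ from 10\.0\.0\.\d+ port \d+ ssh2$"),
]


def artificial_ignorance(lines, patterns=IGNORE_PATTERNS):
    """Return (novel, unparsed): parsed records matched by no ignore pattern,
    and raw lines that did not parse at all (reported, never silently dropped)."""
    novel, unparsed = [], []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed.append(line)
            continue
        key = f"{rec['prog']}: {rec['msg']}"
        if not any(p.search(key) for p in patterns):
            novel.append(rec)
    return novel, unparsed


def summarize(records):
    """Count records by (host, program, normalized message template)."""
    return Counter((r["host"], r["prog"], normalize(r["msg"])) for r in records)


if __name__ == "__main__":
    novel, unparsed = artificial_ignorance(SAMPLE_LOGS)
    for (host, prog, tmpl), n in summarize(novel).most_common():
        print(f"{n:4d}  {host:6s} {prog:6s} {tmpl}")
    for line in unparsed:
        print("UNPARSED:", line)
```

Run against the constructed input, the ignore list removes the cron and the two successful logins from the trusted 10.0.0.0/24 range, and the summary collapses the two password failures from 192.0.2.44 into one template with a count of 2, followed by the single failed su and the one unparsed line. The point of normalizing before counting is that the summary stays readable as volume grows; the point of keeping the ignore list as explicit patterns is that every line you stop seeing is one you have consciously decided about.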

Marcus Ranum (M4, W2) is senior scientist at Trusecure Corp. and a world-renowned expert on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.

M5 Network Security Protocols: Theory and Current Standards
Radia Perlman, Sun Microsystems, and Charlie Kaufman, Microsoft
9:00 a.m.–5:00 p.m.

Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.

First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.

We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.

Armed with this conceptual knowledge of the toolkit of tricks, we describe and critique current standards.

Topics include:

  • What problems are we trying to solve?
  • Cryptography
  • Key distribution
    • Trust hierarchies
    • Public key (PKI) vs. secret key solutions
  • Handshake issues
    • Diffie-Hellman
    • Man-in-middle defense
    • Perfect forward secrecy
    • Reflection attacks
  • PKI standards
    • X.509
    • PKIX
  • Real-time protocols
    • SSL/TLS
    • IPsec (including AH, ESP, and IKE)
  • Secure email
  • Web security
    • URLs
    • HTTP, HTTPs
    • Cookies

Radia Perlman (S5, M5) is a Distinguished Engineer at Sun Microsystems. She is known for her contributions to bridging (spanning tree algorithm) and routing (link state routing), as well as security (sabotage-proof networks). She is the author of Interconnections: Bridges, Routers, Switches, and Internetworking Protocols and co-author of Network Security: Private Communication in a Public World, two of the top ten networking reference books, according to Network Magazine. She is one of the twenty-five people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about fifty issued patents, an S.B. and S.M. in mathematics and a Ph.D. in computer science from MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

Charlie Kaufman (M5) is Security Architect for the Common Language Runtime group at Microsoft. He is editor of the new Internet Key Exchange (IKEv2) protocol for the IPsec working group of IETF. He has contributed to a number of IETF standards efforts, including chairing the Web Transaction Security WG and serving as a member of the Internet Architecture Board (IAB). He served on the National Academy of Sciences expert panel that wrote the book Trust in Cyberspace. He was previously a Distinguished Engineer at IBM, where he was Chief Security Architect for Lotus Notes and Domino, and before that Network Security Architect for Digital. He holds over 25 patents in the fields of computer security and computer networking. He is coauthor of Network Security: Private Communication in a Public World (Prentice Hall, 2002).

M6 Six More Essential Topics in System Administration NEW!
Trent Hein and Ned McClain, Applied Trust Engineering
9:00 a.m.–5:00 p.m.

Who should attend: System and network administrators who are interested in picking up several new technologies quickly.

Topics include:

  • Practical Network Intrusion Detection
    Network intrusion detection has recently matured enough to be useful at some organizations. Before investing in a massive commercial NIDS implementation, join us for a discussion of the latest in this field. We'll evaluate the strengths and weaknesses of various technologies, and what might work best for your organization. In addition, we will arm you with enough practical information to deploy an open source NIDS in your environment.
  • Deploying Secure Linux Systems
    What needs to be done to secure a new Linux system before you connect to the network? We'll walk through the essentials of locking down a modern Linux system and provide tricks to manage its long-term security. These techniques will help you sleep at night and avoid security headaches down the road.
  • Effective Log Analysis with SEC
    Server and network device logs are one of the most useful sources of performance and security information. Unfortunately, organizations often ignore system logs, either from lack of time to analyze the logs or out of frustration with automated analysis tools. We discuss the Simple Event Correlator, an open source tool for parsing log messages that is particularly easy to use and configure.
  • Stateful Firewalls
    Keeping up with the latest security technology can be a challenge, but it is essential if you are to prevent unwanted intrusions. We'll cover the latest in basic firewall technology on both Cisco and Linux platforms. Specific topics covered include context-based access control, reflexive access lists, and stateful filtering on Linux systems using iptables.
  • Security Incident Handling
    You've been vigilant about your site's security, but the day still comes when you detect an intruder. How do you handle the situation, analyze the intrusion, and restore both security and confidence to your environment? This crash course in incident handling will give you the skills you need to assemble a plan at your site to deal with the unthinkable.
  • Security Crisis Case Studies
    Before your very eyes, we'll dissect a set of real-life security incident case studies using many tools available on your system or downloadable from the Net. We'll specifically describe how to avoid common security-incident pitfalls, and we'll cover the basics of incident investigation.

Trent Hein (S6, M6) is co-founder of Applied Trust Engineering, a leader in holistic infrastructure and security. Trent worked on the 4.4 BSD port to the MIPS architecture at Berkeley, is co-author of both the UNIX Systems Administration Handbook and the Linux Administration Handbook, and holds a B.S. in Computer Science from the University of Colorado.

Ned McClain (S6, M6) is co-founder and CTO of Applied Trust Engineering and lectures around the globe on applying cutting-edge technology in production computing environments. Ned holds a B.S. in Computer Science from Cornell University and is a contributing author of both the UNIX Systems Administration Handbook and the Linux Administration Handbook.

M7 Designing, Implementing and Using PKI to Provide Enterprise Security Services NEW!
Steve Acheson and Doug Dexter, Cisco Systems
9:00 a.m.–12:30 p.m.

Who should attend: Developers, technical implementers, and managers considering or already involved with providing a security service based on digital certificates.

PKI has received a bad reputation as being too expensive, too difficult, and short on payoff. This tutorial provides concrete examples of working PKI solutions that solve critical business issues relating to code-signing, device identification, application identity, and VPN and wireless credential management.

Topics include:

  • Public/private key pairs
  • Certificates
  • Other tools used to provide security services via a public key infrastructure
  • PKI trust models
  • Enterprise services a PKI can provide

Steve Acheson (M7, W4, W7, F2) is currently an Information Security Architect at Cisco Systems, Inc., where he is a senior member of the Corporate Information Security Department, responsible for network and system security, including designing internal security architecture and external/firewall access. Before working for Cisco, Steve managed security for NASA's Numerical Aerospace Simulations facility at Ames Research Center. He has worked in the field for over 15 years as a system administrator, network engineer, and security analyst.

Doug Dexter (M7) has been an Information Security Architect with Cisco Systems Corporate Information Security Department for six years. He and Steve are the architects for Cisco's internal PKI deployment, which provides certificates and signs the production code for IP phones, call managers, and cable modems. Prior to working at Cisco, Doug was in the US Army for 11 years and is currently a Major in an Army Reserve Information Warfare unit. He holds an M.B.A. from the University of Texas at Austin with a concentration in Information Systems, Controls, and Assurance, and is a CISSP and an MCSE.

M8 Security Standards and Why You Need to Understand Them NEW!
Brad C. Johnson and Richard E. Mackey, Jr., SystemExperts Corporation
9:00 a.m.–12:30 p.m.

Who should attend: Administrators, technicians, and managers at any level who need to understand the gist of the key security standards and the laws and industry trends that are making these standards critical to doing business.

Organizations are turning to security standards both to measure and to document the completeness and adequacy of their security program. You may need to simply put a check in the box that says you "substantially comply" with a particular standard or you may need to prove to yourself, customers, and partners that you follow acceptable security practices. Unfortunately, organizations do not have a widely accepted method to prove they are secure. We look to security standards to meet this need.

Computer security has seen a number of standards, compliance specifications, and certification authorities. Today, a few are beginning to gain acceptance by industry groups, but it is still difficult to tell which of these will stand the test of time and practicality. Consequently, it's important to understand, at least at a high level, what the most popular initiatives are attempting to do, what problems these standards address, and the value they provide.

Topics include:

  • Why: The motivations
    • Laws: Sarbanes-Oxley, Gramm-Leach-Bliley
    • Partnerships
    • Internal audits
  • What: The standards
    • ISO 17799
    • SAS
  • How: The mechanisms
    • ISO 17799 reviews and certifications
    • Security audits
    • Security assessments
    • Information criticality assessment (e.g., NSA IAM)
    • Penetration and application testing

Brad C. Johnson (S8, M8) is vice president of SystemExperts Corporation. He has participated in seminal industry initiatives such as the Open Software Foundation, X/Open, and the IETF, and has been published in such journals as Digital Technical Journal, IEEE Computer Society Press, Information Security Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics related to practical network security, penetration analysis, middleware, and distributed systems. He holds a B.A. in computer science from Rutgers University and an M.S. in applied management from Lesley University.

Richard E. Mackey, Jr. (M8) is principal of SystemExperts Corporation. Dick Mackey is regarded as one of the industry's foremost authorities on distributed computing infrastructure and security. Before joining SystemExperts, he worked in leading technical and director positions at The Open Group, The Open Software Foundation (DCE), and BBN Corporation (Cronus Distributed Computing Environment). He has been published often in security magazines such as ISSA Password, .NET, Information Security, and SC Secure Computing. He is a regular speaker on computer security topics at various industry conferences. Dick has a B.S. and an M.S. in Electrical and Computer Engineering from the University of Massachusetts at Amherst.

M9 Revenge of the Three-Headed Dog NEW!
Gerald Carter, Samba Team/Hewlett-Packard
9:00 a.m.–12:30 p.m.

Who should attend: Administrators who want to understand Kerberos 5 implementations on both UNIX/Linux and Windows clients and servers.

For many organizations, Kerberos is an old technology that has been driven to the forefront by deployments of Microsoft Active Directory domains. The introduction of a standard authentication protocol into Windows domains has caused many network administrators to reexamine ways to integrate UNIX/Linux and Windows clients in a single authentication model.

Topics include:

  • Key concepts of the Kerberos 5 protocol
  • Specific related authentication interfaces such as SASL and GSSAPI
  • The specifics of implementing Krb5 realms
  • Implementations of Krb5 cross-realm trusts
  • Integration of Windows and UNIX/Linux clients into Krb5 realms
  • Possible pitfalls of using popular Krb5 implementations such as MIT, Heimdal, and Windows 200x

Gerald Carter (M9, T2, R2) has been a member of the Samba Development Team since 1998. He has published articles with various Web-based magazines and teaches courses as a consultant for several companies. Currently employed by Hewlett-Packard as a Samba developer, Gerald has written books for SAMS Publishing and is the author of the recent LDAP System Administration for O'Reilly Publishing.

M10 Over the Edge System Administration, Volume 1 NEW!
David N. Blank-Edelman, Northeastern University
1:30 p.m.–5:00 p.m.

Who should attend: Old-timers who think they've already seen it all, and those who want to develop inventive thinking early in their career. Join us and be prepared to be delighted, disgusted, and amazed. Most of all, be ready to enrich your network and system administration by learning to be different.

It's time to learn how to break the rules, abuse the tools, and generally turn your system administration knowledge inside out. This class is a cornucopia of ideas for creative ways to take the standard (and sometimes not-so-standard) system administration tools and techniques and use them in ways no one would expect. We'll also cover some tools you may have missed.

Topics include:

  • How to (ab)use perfectly good network transports by using them for purposes never dreamed of by their authors
  • How to increase user satisfaction during downtimes with 6 lines of Perl
  • How to improve your network services by intentionally throwing away data
  • How to drive annoying Web-only applications that don't have a command line interface—without lifting a finger
  • How to use ordinary objects you have lying around the house, such as Silly Putty, to make your life easier (seriously!)

David N. Blank-Edelman (M10, R3, R6) is the Director of Technology at the Northeastern University College of Computer and Information Science and the author of the O'Reilly book Perl for System Administration. He has spent the last 19 years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology Group, and the MIT Media Laboratory. He has given several successful invited talks off the beaten path at LISA.

M11 Troubleshooting: A Basic Skill NEW!
Geoff Halprin, The SysAdmin Group
1:30 p.m.–5:00 p.m.

Who should attend: System administrators wishing to hone their ability to troubleshoot a problem under pressure, on a system of which their knowledge may be limited.

One of the most basic skills a system administrator must be able to call upon is that of problem diagnosis and resolution, that is, troubleshooting. It doesn't matter what else you do; if the system is broken, your priority is to fix it.

Topics include:

  • A general process for troubleshooting
  • Specific techniques that will help you get to the root of the problem
  • Ways to identify candidate solutions with confidence

Geoff Halprin (M11) has spent over 25 years as a software developer, system administrator, consultant, and troubleshooter. He has written software from system management tools to mission-critical billing systems, has built and run networks for enterprises of all sizes, and has been called upon to diagnose problems in every aspect of computing infrastructure and software. He has spent more years troubleshooting other people's systems and programs than he cares to remember. Geoff was on the board of the System Administrators Guild (SAGE) and is now a member of the USENIX board of directors.

M12 Beyond Shell Scripts: 21st-Century Automation Tools and Techniques
Æleen Frisch, Exponential Consulting
1:30 p.m.–5:00 p.m.

Who should attend: System administrators who want to explore new ways of automating administrative tasks. Shell scripts are appropriate for many jobs, but more complex operations will often benefit from sophisticated tools.

Topics include:

  • Automating installations
    • Vendor-supplied tools
    • Alternative approaches
    • State-of-the-art package control
    • Heterogeneous environments
  • Other Tools
    • Expect: Automating interactive processes
      • What to Expect . . .
      • Using Expect with other tools
      • Security issues
    • Amanda, an enterprise backup management facility
      • Prerequisites
      • Configuration
      • Getting the most from Amanda
    • STEM, a new package for automating network operations
      • Understanding the context and tool capabilities
      • Sample applications
      • Performance and security issues
    • Nagios: Monitoring network and device performance
      • How it works
      • Sample configurations
      • Extending Nagios
    • RRDTool: Examining retrospective system data
      • Basic operation
      • Advanced graphing
      • Options for data collection

Æleen Frisch (M12, T3) has been a system administrator for over 20 years. She currently looks after a pathologically heterogeneous network of UNIX and Windows systems. She is the author of several books, including Essential System Administration (now in its 3rd edition).


Last changed: 17 Aug. 2004 jel