M1 Hands-On Linux Security Class: Learn How to Defend Linux/UNIX Systems by Learning to Think Like a Hacker (Day 2 of 2)
Rik Farrow, Security Consultant
9:00 a.m.–5:00 p.m.
See Part 1, S1, for the description of the first day of this tutorial.
Day two of this class focuses on practical forensics, that is, how to analyze a possibly hacked Linux or UNIX system from a system administrator's perspective. As a system administrator, you will not be acting as law enforcement, trying to find the perpetrator, but instead will be working as quickly as possible with the goal of uncovering what went wrong. Finding rootkits and backdoors on a sample hacked system gives you an idea of what you might find on other similar systems. You can also get clues about the nature of the attack by discovering the tools left behind on a system by an attacker.
The final portion of this class focuses on patching, with a discussion of cfengine. As this is the second day of a two-day, hands-on course, we will not repeat material covered on the first day, including getting the CD working with your laptop. If you plan on attending the course only the second day, you might want to contact the instructor before the class and get a test CD to ensure that your laptop will work in the classroom environment.
- John the Ripper, password cracking
- Using and modifying KNOPPIX Linux boot CD
- Elevation of privilege and suid shells
- Rootkits, and finding rootkits (chkrootkit)
- Sleuth Kit (looking at intrusion timelines)
- iptables and netfilter
- cfengine configuration
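For the setuid-shell and backdoor hunting described above, here is an added example (written for this listing, not material from the tutorial or its instructor) of the kind of check a system administrator runs before and after an incident: record every setuid/setgid file on a known-good host, then report anything added, removed or replaced on the suspect one. The script name, the baseline file name and the sshd-style paths in the comments are assumptions; it needs only POSIX find(1), awk(1) and comm(1).

```shell
#!/bin/sh
# Added example, not from the tutorial: record the setuid/setgid files on a
# known-good host and later report anything an intruder added, removed or
# replaced. A setuid root copy of /bin/sh dropped in /tmp or under /usr/lib
# is a classic privilege-escalation backdoor, and it shows up here even when
# chkrootkit has no signature for it.
#
# Usage (names and paths are assumptions for this example):
#   sh suidcheck.sh baseline /  > suid.baseline   # on the known-good system
#   sh suidcheck.sh compare  /  suid.baseline     # on the suspect system
# Run it from a known-good toolset (a boot CD, for instance), since a rootkit
# may have replaced find(1) and ls(1) on the suspect system.

# List every setuid or setgid regular file under the directory $1, one record
# per line: path, mode, owner, group, size, inode. Size and inode make a
# replaced binary visible even when its path and mode are unchanged.
# -xdev keeps find on one filesystem, so /proc and network mounts are skipped.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null |
        awk '{ path = $11; for (i = 12; i <= NF; i++) path = path " " $i
               printf "%s %s %s %s %s %s\n", path, $3, $5, $6, $7, $1 }' |
        LC_ALL=C sort
}

# Compare the current listing for $1 against the baseline file $2.
# Prints "+ record" for files that are new or changed and "- record" for
# baseline records that are gone or changed; prints nothing when they match.
suid_compare() {
    current=$(mktemp) || return 1
    suid_list "$1" > "$current"
    LC_ALL=C comm -13 "$2" "$current" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$2" "$current" | sed 's/^/- /'
    rm -f "$current"
}

case "${1:-}" in
    baseline) suid_list "$2" ;;
    compare)  suid_compare "$2" "$3" ;;
esac
```

Keep the baseline off the host (on the boot CD or a write-once medium); a baseline stored on the compromised system is only as trustworthy as the rest of it.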
Rik Farrow (S1, M1) provides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, NASA, US West, Canadian RCMP, Swedish Navy, and for many US and European user groups. He is the author of UNIX System Security, published by Addison-Wesley in 1991, and System Administrator's Guide to System V (Prentice Hall, 1989). Farrow writes a column for ;login: and a network security column for Network magazine. Rik lives with his family in the high desert of northern Arizona and enjoys hiking and mountain biking when time permits.
M2 System and Network Monitoring: Tools in Depth
John Sellens, Certainty Solutions
9:00 a.m.–5:00 p.m.
Who should attend: Network and system administrators ready to
implement comprehensive monitoring of their systems and networks
using the best of the freely available tools. Participants should
have an understanding of the fundamentals of networking, familiarity
with computing and network components, UNIX system administration
experience, and some understanding of UNIX programming and scripting.
This tutorial will provide in-depth instruction in the installation
and configuration of some of the most popular and effective system
and network monitoring tools, including Nagios, Cricket, MRTG, and
Participants should expect to leave the tutorial with the information
needed to immediately implement, extend, and manage popular monitoring
tools on their systems and networks.
Topics include, for each of Nagios, Cricket, MRTG, and Orca:
- Installation: basic steps, prerequisites, common problems, and solutions
- Configuration, setup options, and how to manage larger and non-trivial configurations
- Reporting and notifications: proactive and reactive
- Special cases: how to deal with interesting problems
- Extending the tools: how to write scripts or programs to extend the functionality of the basic package
- Dealing effectively with network boundaries and remote sites
- Security concerns and access control
- Ongoing operation
John Sellens (S2, M2) has been involved in system and network administration since 1986 and is the author of several related USENIX papers, a number of ;login: articles, and the SAGE Short Topics in System Administration booklet #7, System and Network Administration for Higher Reliability. He holds an M.Math. in computer science from the University of Waterloo and is a chartered accountant. He is the proprietor of SYONEX, a systems and networks consultancy. From 1999 to 2004, he was the General Manager for Certainty Solutions in Toronto. Prior to joining Certainty, John was the Director of Network Engineering at UUNET Canada and was a staff member in computing and information technology at the University of Waterloo for 11 years.
M3 Advanced Solaris System Administration Topics
Peter Baer Galvin, Corporate Technologies, Inc.
9:00 a.m.–5:00 p.m.
Who should attend: UNIX administrators who need more knowledge of Solaris administration.
We will discuss the major new features of recent Solaris releases, including which to use (and how) and which to avoid. This in-depth course will provide the information you need to run a Solaris installation effectively. This tutorial has been updated to include Solaris 10 features and functions.
- Installing and upgrading
  - Architecting your facility
  - Choosing appropriate hardware
  - Planning your installation, filesystem layout, post-installation steps
  - Installing (and removing) patches and packages
  - Avoiding single points of failure
- Advanced features of Solaris 2
  - Filesystems and their uses
  - The /proc filesystem and commands
  - Useful tips and techniques
  - Networking and the kernel
  - Virtual IP: configuration and uses
  - Kernel and performance tuning: new features, adding devices, tuning, debugging commands
  - Devices: naming conventions, drivers, gotchas
- Enhancing Solaris
  - High availability essentials: disk failures and recovery, RAID levels, uses and performance, H/A technology and implementation
  - Performance: how to track down and resolve bottlenecks, Solaris Resource Manager
  - Tools: useful free tools, tool use strategies
  - Security: locking down Solaris, system modifications, tools, SunScreen
- Resources and references
Peter Baer Galvin (M3, T11, R4) is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles
for Byte and other magazines. He wrote the "Pete's Wicked World" and
"Pete's Super Systems" columns at SunWorld. He is currently
contributing editor for Sys Admin, where he manages the Solaris
Corner. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Peter has taught tutorials on security and system administration and has given talks at many conferences and institutions on such topics as Web
services, performance tuning, and high availability.
M4 System Log Aggregation, Statistics, and Analysis
Marcus Ranum, Trusecure Corp.
9:00 a.m.–5:00 p.m.
Who should attend: System and network administrators who are interested in
learning what's going on in their firewalls, servers, network,
and systems; anyone responsible for security and audit or
This tutorial covers techniques and software tools for
building your own log analysis system, from aggregating
all your data in a single place, through normalizing it,
searching, and summarizing, to generating statistics and
alerts and warehousing it. We will focus primarily on
open source tools for the UNIX environment, but will
also describe tools for dealing with Windows systems
and various devices such as routers and firewalls.
Marcus Ranum (M4, W2) is senior scientist at Trusecure Corp. and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.
- Estimating log quantities and log system requirements
- Syslog: mediocre but pervasive logging protocol
- Back-hauling your logs
- Building a central loghost
- Dealing with Windows logs
- Logging on Windows loghosts
- Parsing and normalizing
- Finding needles in haystacks: searching logs
- I'm dumb, but it works: artificial ignorance
- Bayesian spam filters for logging
- Storage and rotation
- Databases and logs
- Leveraging the human eyeball: graphing log data
- Legalities of logs as evidence
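The "parsing and normalizing" and "artificial ignorance" items above fit together in one pipeline, shown here as an added example in shell (written for this listing; it is not the tutorial's material or Marcus Ranum's own code). The idea: normalise each syslog line, throw away every pattern already on an ignore list, and count what is left, so the ignore list encodes what you have already decided is routine and anything still printed is new, rare, or a problem. The log lines and ignore patterns are constructed for the example, and the script name and the sshd/CRON message formats are assumptions about a typical Linux syslog.

```shell
#!/bin/sh
# Added example, not from the tutorial or from Marcus Ranum's own code:
# "artificial ignorance" over syslog lines. Rather than writing rules for
# what is interesting, normalise every message, discard every pattern you
# have already decided is noise, and read what is left. The ignore list
# grows with each pass; whatever still prints is new, rare, or a problem.
#
# Usage (file names are assumptions for this example):
#   sh artignore.sh ignore.txt < /var/log/messages
#   sh artignore.sh --demo        # runs the constructed sample below

# Normalise one syslog line per input line: drop the "Mon dd hh:mm:ss host"
# prefix, the "[pid]" after the program name, then collapse every digit run
# to "#", so that the same message from ten PIDs, ports or addresses
# becomes one pattern. The formats assumed are the usual Linux sshd/CRON ones.
normalize() {
    sed -e 's/^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]* [^ ]* //' \
        -e 's/\[[0-9]*\]//' \
        -e 's/[0-9][0-9]*/#/g'
}

# Read log lines on stdin, drop patterns matching any regex in the ignore
# file $1, and print the survivors as "count pattern", most frequent first.
artificial_ignorance() {
    normalize | grep -v -f "$1" | LC_ALL=C sort | uniq -c | sort -rn |
        sed 's/^ *//'
}

# Constructed sample log (not captured from a real host).
sample_log() {
    cat <<'EOF'
Mar  7 10:01:12 web1 sshd[2201]: Accepted publickey for alice from 10.1.2.3 port 51234 ssh2
Mar  7 10:01:12 web1 sshd[2201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  7 10:02:40 web1 sshd[2210]: Accepted publickey for bob from 10.1.2.9 port 51301 ssh2
Mar  7 10:02:40 web1 sshd[2210]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  7 10:05:03 web1 CRON[2230]: (root) CMD (run-parts /etc/cron.hourly)
Mar  7 10:07:55 web1 sshd[2241]: Failed password for invalid user admin from 203.0.113.77 port 40022 ssh2
Mar  7 10:07:58 web1 sshd[2241]: Failed password for invalid user admin from 203.0.113.77 port 40022 ssh2
Mar  7 10:09:14 web1 kernel: [  412.003] usb 1-1: new high-speed USB device number 4 using xhci_hcd
Mar  7 11:05:03 web1 CRON[2310]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Constructed ignore list: BRE patterns applied to the normalised lines.
# Each entry is a message you have looked at once and decided is routine.
ignore_list() {
    cat <<'EOF'
^sshd: Accepted publickey for
^sshd: pam_unix(sshd:session): session opened for user
^CRON: (root) CMD (run-parts /etc/cron\.
EOF
}

if [ "${1:-}" = "--demo" ]; then
    ign=$(mktemp); ignore_list > "$ign"
    sample_log | artificial_ignorance "$ign"
    rm -f "$ign"
elif [ -n "${1:-}" ]; then
    artificial_ignorance "$1"
fi
```

On the sample, the two successful logins and the two cron runs are swallowed by the ignore list, and the demo prints only the repeated password-guessing attempts (count 2) and the one kernel USB message. Note that the digit collapsing also hides which address the guesses came from; once a pattern is worth chasing, go back to the raw lines for the specifics.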
M5 Network Security Protocols: Theory and Current Standards
Radia Perlman, Sun Microsystems,
and Charlie Kaufman, Microsoft
9:00 a.m.–5:00 p.m.
Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.
First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.
We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.
Armed with this conceptual knowledge of the toolkit of tricks, we describe and
critique current standards.
- What problems are we trying to solve?
- Key distribution
  - Trust hierarchies
  - Public key (PKI) vs. secret key solutions
- Handshake issues
  - Man-in-the-middle defense
  - Perfect forward secrecy
  - Reflection attacks
- PKI standards
- Real-time protocols
  - IPsec (including AH, ESP, and IKE)
- Secure email
- Web security
Radia Perlman (S5, M5) is a Distinguished Engineer at Sun Microsystems. She is known
for her contributions to bridging (spanning tree algorithm) and routing (link
state routing), as well as security (sabotage-proof networks). She is the
author of Interconnections: Bridges, Routers, Switches, and Internetworking
Protocols and co-author of Network Security: Private Communication in a
Public World, two of the top ten networking reference books, according to
Network Magazine. She is one of the twenty-five people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about fifty issued patents, an S.B. and S.M. in mathematics and a Ph.D. in computer science from MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.
Charlie Kaufman (M5) is Security Architect for the Common Language Runtime group at
Microsoft. He is editor of the new Internet Key Exchange
(IKEv2) protocol for the IPsec working group of IETF. He has contributed
to a number of IETF standards efforts, including chairing the Web
Transaction Security WG and serving as a member of the Internet
Architecture Board (IAB). He served on the National Academy of Sciences
expert panel that wrote the book Trust in Cyberspace. He was previously a
Distinguished Engineer at IBM, where he was Chief Security Architect for
Lotus Notes and Domino, and before that Network Security Architect for
Digital. He holds over 25 patents in the fields of computer security and
computer networking. He is coauthor of Network Security: Private
Communication in a Public World (Prentice Hall, 2002).
M6 Six More Essential Topics in System Administration
Trent Hein and Ned McClain, Applied Trust Engineering
9:00 a.m.–5:00 p.m.
Who should attend: System and network administrators who are
interested in picking up several new technologies quickly.
- Practical Network Intrusion Detection
Network intrusion detection has recently matured enough to be useful at
some organizations. Before investing in a massive commercial NIDS
implementation, join us for a discussion of the latest in this field. We'll
evaluate the strengths and weaknesses of various technologies, and what
might work best for your organization. In addition, we will arm you with
enough practical information to deploy an open source NIDS in your
- Deploying Secure Linux Systems
What needs to be done to secure a new Linux system before you connect to
the network? We'll walk through the essentials of locking down a modern
Linux system and provide tricks to manage its long-term security. These
techniques will help you sleep at night and avoid security headaches down
- Effective Log Analysis with SEC
Server and network device logs are one of the most useful sources of
performance and security information. Unfortunately, organizations often
ignore system logs, either from lack of time to analyze the logs
or out of frustration with automated analysis tools. We discuss the Simple Event
Correlator, an open source tool for parsing log messages that is
particularly easy to use and configure.
- Stateful Firewalls
Keeping up with the latest security technology can be a challenge, but it
is essential if you are to prevent unwanted intrusions. We'll cover the latest in
basic firewall technology on both Cisco and Linux platforms. Specific
topics covered include context-based access control, reflexive access
lists, and stateful filtering on Linux systems using iptables.
- Security Incident Handling
You've been vigilant about your site's security, but the day still comes
when you detect an intruder. How do you handle the situation, analyze the
intrusion, and restore both security and confidence to your environment?
This crash course in incident handling will give you the skills you need to
assemble a plan at your site to deal with the unthinkable.
- Security Crisis Case Studies
Before your very eyes, we'll dissect a set of real-life security incident
case studies using many tools available on your system or downloadable from the Net.
We'll specifically describe how to avoid common security-incident pitfalls,
and we'll cover the basics of incident investigation.
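For the Stateful Firewalls topic above, the following is an added example (written for this listing, not the instructors' material) of stateful filtering on Linux with iptables and the conntrack match. The service ports, the ssh rate limit and the script name are assumptions; DRY_RUN=1 prints the commands instead of applying them, which is how you review a ruleset before it can lock you out of a remote box. Applying it needs root and a kernel with netfilter connection tracking.

```shell
#!/bin/sh
# Added example, not from the tutorial: a minimal stateful host firewall
# with iptables. The rule that matters is the conntrack one near the top:
# packets belonging to a connection this host initiated, or a related one
# (an FTP data channel, an ICMP error for our own traffic), are accepted
# without a per-service rule; everything else must match an explicit
# "new connection" rule or is logged and dropped.
#
# Review first:   DRY_RUN=1 sh stateful.sh apply
# Apply (root):   sh stateful.sh apply
# Apply from the console, or with an at(1) job that flushes the rules as a
# safety net, in case a typo drops your own ssh session.

IPT=${IPT:-iptables}   # binary to use; override to point at a test build

# Run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

stateful_ruleset() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Stateful core: replies to our own connections, and related ones.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot tie to any connection (bad TCP flag
    # combinations, stray RST/ACK scans) are dropped outright.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # New inbound connections: only the services we mean to offer. For ssh,
    # more than 5 new connections a minute from one source (assumed limit)
    # is password guessing, so drop the excess before the accept rule.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit \
        --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 5/min -j DROP
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Keep the host pingable; echo replies to our pings already match ESTABLISHED.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Everything else: log at a bounded rate (so a flood cannot fill the
    # disk with its own rejection records), then drop.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    ipt -A INPUT -j DROP
}

case "${1:-}" in
    apply) stateful_ruleset ;;
esac
```

The order matters: the ESTABLISHED,RELATED rule comes before every service rule so that the per-service rules only ever see connection openers, and the INVALID drop comes before them so that a crafted ACK-only probe is not mistaken for a new connection.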
Trent Hein (S6, M6) is co-founder of Applied Trust Engineering, a leader in
holistic infrastructure and security. Trent worked on the 4.4
BSD port to the MIPS architecture at Berkeley, is co-author of both
the UNIX Systems Administration Handbook and the Linux Administration
Handbook, and holds a B.S. in Computer Science from the University
Ned McClain (S6, M6), co-founder and CTO of Applied Trust Engineering, lectures
around the globe on applying cutting-edge technology in production computing
environments. Ned holds a B.S. in Computer Science from
Cornell University and is a contributing author of both
the UNIX Systems Administration Handbook and the Linux Administration
M7 Designing, Implementing and Using PKI to Provide Enterprise Security Services
Steve Acheson and Doug Dexter, Cisco Systems
9:00 a.m.–12:30 p.m.
Who should attend: Developers, technical implementers, and managers considering or already
involved with providing a security service based on digital certificates.
PKI has received a bad reputation as being too expensive,
too difficult, and short on payoff. This tutorial provides concrete examples
of working PKI solutions that solve critical business issues relating
to code-signing, device identification, application identity, and VPN
and wireless credential management.
- Public/private key pairs
- Other tools used to provide security services via a public key infrastructure
- PKI trust models
- Enterprise services a PKI can provide
Steve Acheson (M7, W4, W7, F2) is currently an Information Security Architect at Cisco
Systems, Inc., where he is a senior member of the Corporate Information
Security Department, responsible for network and system security,
including designing internal security architecture and external/firewall
access. Before working for Cisco, Steve managed security for NASA's
Numerical Aerospace Simulations facility at Ames Research Center. He
has worked in the field for over 15 years as a system administrator, network engineer, and
Doug Dexter (M7) has been an Information Security Architect with Cisco Systems Corporate Information Security Department for six years. He and
Steve are the architects for Cisco's internal PKI deployment, which
provides certificates and signs the production code for IP phones, call
managers, and cable modems. Prior to working at Cisco, Doug was in the
US Army for 11 years and is currently a Major in an Army Reserve
Information Warfare unit. He holds an M.B.A. from the University of Texas
at Austin with a concentration in Information Systems, Controls, and
Assurance, and is a CISSP and an MCSE.
M8 Security Standards and Why You Need to Understand Them
Brad C. Johnson and Richard E. Mackey, Jr., SystemExperts Corporation
9:00 a.m.–12:30 p.m.
Who should attend: Administrators, technicians, and managers at any
level who need to understand the gist of the key security standards
and the laws and industry trends that are making these standards
critical to doing business.
Organizations are turning
to security standards both to measure and to document the completeness
and adequacy of their security program. You may need to simply put
a check in the box that says you "substantially comply" with a
particular standard or you may need to prove to yourself, customers, and
partners that you follow acceptable security practices. Unfortunately, organizations do not have a
widely accepted method to prove they are secure. We look to security
standards to meet this need.
Computer security has seen a number of standards, compliance
specifications, and certification authorities. Today, a few are beginning
to gain acceptance by industry groups, but it is still difficult to tell
which of these will stand the test of time and practicality.
Consequently, it's important to understand, at least at a high
level, what the most popular initiatives are attempting to do, what
problems these standards address, and the value they provide.
- Why: The motivations
  - Laws: Sarbanes-Oxley, Gramm-Leach-Bliley
  - Internal audits
- What: The standards
- How: The mechanisms
  - ISO 17799 reviews and certifications
  - Security audits
  - Security assessments
  - Information criticality assessment (e.g., NSA IAM)
  - Penetration and application testing
Brad C. Johnson (S8, M8) is vice president of SystemExperts Corporation. He has
participated in seminal industry initiatives such as the Open Software
Foundation, X/Open, and the IETF, and has been published in such journals as
Digital Technical Journal, IEEE Computer Society Press, Information Security
Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password
Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics
related to practical network security, penetration analysis, middleware,
and distributed systems. He holds a B.A. in computer science from Rutgers University and an M.S. in
applied management from Lesley University.
Richard E. Mackey, Jr. (M8) is principal of SystemExperts Corporation.
Dick Mackey is regarded as one of the industry's foremost authorities on
distributed computing infrastructure and security. Before joining
SystemExperts, he worked in leading technical and director positions at The
Open Group, The Open Software Foundation (DCE), and BBN Corporation (Cronus
Distributed Computing Environment). He has been published often in security
magazines such as ISSA Password, .NET, Information Security, and SC Secure
Computing. He is a regular speaker on computer security topics at various
industry conferences. Dick has a B.S. and an M.S. in Electrical and Computer Engineering from the University of Massachusetts at Amherst.
M9 Revenge of the Three-Headed Dog
Gerald Carter, Samba Team/Hewlett-Packard
9:00 a.m.–12:30 p.m.
Who should attend: Administrators who want to
understand Kerberos 5 implementations on both UNIX/Linux and Windows clients
For many organizations, Kerberos is an old technology that has been
driven to the forefront by deployments of Microsoft Active Directory
domains. The introduction of a standard authentication protocol into
Windows domains has caused many network administrators to reexamine ways
to integrate UNIX/Linux and Windows clients in a single authentication
- Key concepts of the Kerberos 5 protocol
- Specific related authentication interfaces such as SASL and
- The specifics of implementing Krb5 realms
- Implementations of Krb5 cross-realm trusts
- Integration of Windows and UNIX/Linux clients into Krb5 realms
- Possible pitfalls of using popular Krb5 implementations such as MIT, Heimdal, and Windows 200x
Gerald Carter (M9, T2, R2) has been a member of the Samba Development Team
since 1998. He has published articles with various
Web-based magazines and teaches courses as a
consultant for several companies. Currently employed by
Hewlett-Packard as a Samba developer, Gerald has written
books for SAMS Publishing and is the author of the recent
LDAP System Administration for O'Reilly Publishing.
M10 Over the Edge System Administration, Volume 1
David N. Blank-Edelman, Northeastern University
1:30 p.m.–5:00 p.m.
Who should attend: Old-timers who think they've already seen it all, and those who
want to develop inventive thinking early in their career. Join us and be
prepared to be delighted, disgusted, and amazed. Most of all, be ready to
enrich your network and system administration by learning to be different.
It's time to learn how to break the rules, abuse the tools, and generally
turn your system administration knowledge inside out. This class is a
cornucopia of ideas for creative ways to take the standard (and sometimes
not-so-standard) system administration tools and techniques and use them in
ways no one would expect. We'll also cover some tools you may have missed.
- How to (ab)use perfectly good network transports by using them for purposes never dreamed of by their authors
- How to increase user satisfaction during downtimes with 6 lines of Perl
- How to improve your network services by intentionally throwing away data
- How to drive annoying Web-only applications that don't have a command line interface, without lifting a finger
- How to use ordinary objects you have lying around the house, such as Silly Putty, to make your life easier (seriously!)
David N. Blank-Edelman (M10, R3, R6) is the Director of Technology
at the Northeastern University College of Computer and Information Science
and the author of the O'Reilly book Perl for System Administration. He has
spent the last 19 years as a system/network administrator in large multi-platform environments, including Brandeis University, Cambridge Technology
Group, and the MIT Media Laboratory. He has given several successful
invited talks off the beaten path at LISA.
M11 Troubleshooting: A Basic Skill
Geoff Halprin, The SysAdmin Group
1:30 p.m.–5:00 p.m.
Who should attend: System administrators wishing to hone their ability to
troubleshoot a problem under pressure, on a system of which their knowledge may be limited.
One of the most basic skills a system administrator must be
able to call upon is that of problem diagnosis and resolution, that is,
troubleshooting. It doesn't matter what else you do; if the system
is broken, your priority is to fix it.
- A general process for troubleshooting
- Specific techniques that will help you get to the root of the problem
- Ways to identify candidate solutions with confidence
Geoff Halprin (M11) has spent over 25 years as a software developer, system administrator, consultant, and troubleshooter. He has written software from system management tools to mission-critical billing systems, has built and run networks for enterprises
of all sizes, and has been called upon to diagnose problems in every aspect of computing infrastructure and software. He has spent more years troubleshooting other
people's systems and programs than he cares to remember. Geoff was on the board
of the System Administrators Guild (SAGE) and is now a member of the
USENIX board of directors.
M12 Beyond Shell Scripts: 21st-Century Automation Tools and Techniques
Æleen Frisch, Exponential Consulting
1:30 p.m.–5:00 p.m.
Who should attend: System administrators who want to explore new
ways of automating administrative tasks. Shell scripts are
appropriate for many jobs, but more complex operations will
often benefit from sophisticated tools.
- Automating installations
  - Vendor-supplied tools
  - Alternative approaches
  - State-of-the-art package control
  - Heterogeneous environments
- Other tools
  - Expect: Automating interactive processes
    - What to Expect . . .
    - Using Expect with other tools
    - Security issues
  - Amanda, an enterprise backup management facility
    - Getting the most from Amanda
  - STEM, a new package for automating network operations
    - Understanding the context and tool capabilities
    - Sample applications
    - Performance and security issues
  - Nagios: Monitoring network and device performance
    - How it works
    - Sample configurations
    - Extending Nagios
  - RRDTool: Examining retrospective system data
    - Basic operation
    - Advanced graphing
    - Options for data collection
Æleen Frisch (M12, T3) has been a system administrator for over 20 years. She currently
looks after a pathologically heterogeneous network of UNIX and Windows
systems. She is the author of several books, including Essential
System Administration (now in its 3rd edition).