Network Security Monitoring with Open Source Tools
Richard Bejtlich, TaoSecurity
Who should attend: This tutorial is designed for engineers and
analysts who detect and respond to security incidents. Participants
should be familiar with TCP/IP. Command-line knowledge of FreeBSD
is a plus, although any UNIX background should be sufficient. A
general knowledge of offensive and defensive security principles
This tutorial will equip participants with the theory and software
to detect and respond to security incidents. NSM is the collection,
analysis, and escalation of indications and warnings to detect and
respond to intrusions. NSM is an operational model partially
inspired by the United States Air Force's signals intelligence
collection methods. Signals intelligence, or SIGINT, is the
collection of information on communications and the transformation
of that information into intelligence products. Similarly, NSM
is a method of collecting and analyzing network traffic for the
purpose of identifying and validating intrusions. NSM relies upon
alert data, session data, full content data, and statistical data
to provide analysts with the information needed to make escalation
decisions. Whereas intrusion detection cares more about identifying
successful attacks, NSM is more concerned with providing evidence
to scope the extent of an intrusion, assess its impact, and propose
efficient, effective remediation steps.
NSM theory will help participants understand the different sorts
of data that must be collected. The tutorial will bring theory to
life by introducing the installation and use of numerous open source
tools for each category of NSM data. FreeBSD will be the reference
platform, and nearly every tool discussed will be in the FreeBSD
During the day I'll also integrate case studies on how various forms of NSM
data were used to resolve incident response scenarios.
- Building and deploying NSM sensors, accessing wired and wireless traffic
- Full-content tools like tcpdump, ethereal/tethereal, tcpflow, and snort as a packet logger
- Alert data generators: e.g., bro, prelude-ids, and snort as network IDS
- Session-based tools that work with NetFlow data, such as fprobe and flow-tools, argus and tcptrace
- Statistical data tools like iftop, tcpdstat, and MRTG
- Finally, sguil, a nearly complete graphical NSM implementation for alert, full content, and session data
Richard Bejtlich (M1) is a security engineer at National Security Solutions,
a ManTech group. He was previously a principal consultant at
Foundstone, performing incident response, emergency network security
monitoring, and security research. Prior to joining Foundstone in 2002,
Richard served as senior engineer for managed network security
operations at Ball Aerospace & Technologies Corporation. From 1998 to
2001 Richard defended global American information assets as a captain in
the Air Force Computer Emergency Response Team (AFCERT). He led the
AFCERT's real time intrusion detection mission, supervising 60 civilian
and military analysts.
Formally trained as a military intelligence officer, Richard holds
degrees from Harvard University and the United States Air Force Academy.
He wrote original material for Hacking Exposed, 4th Ed., and Incident
Response, 2nd Ed., both published by Osborne McGraw-Hill. Richard is the
co-author of Real Digital Forensics and the author of The Tao of Network
Security Monitoring, separate books to be published in 2004. He acquired
his CISSP certification in 2001. His home page is www.taosecurity.com.
Intrusion Detection and Prevention Systems
Marcus Ranum, Trusecure Corp.
Who should attend: Network or security managers responsible for
an IDS roll-out, security auditors interested in assessing IDS
capabilities, security managers involved in IDS product selection.
Overview: This workshop covers the real-world issues you'll encounter as part
of doing an intrusion detection roll-out or product selection.
Attendees will learn the advantages and disadvantages
of popular approaches to Intrusion Detection Systems (IDSes), how to
deal with false positives and noise, where to deploy IDSes, how to test
them, how to build out-of-band IDS management networks, and how they
interact with switches, routers, and firewalls.
- IDS and IPS: what they are and how they work
- Burglar alarms and honeypots: low-rent IDS
- Misuse detection and anomaly detection
- False positives, noise, and false alarms
- Does freeware stack up to the commercial products?
- Deployment issues
- Where to place IDS within the network
- Alert tuning: what it is and how it works
- How to estimate the size of an IDS deployment
- How to size and design a logging / management architecture
- Tools and tricks for logging and event correlation
- A typical IDS roll-out
- How to test an IDS for correct function
- IDS benchmarks: bogus and bogusest
- Management issues
- How to justify the expenditures on an IDS to management
- Cyclical maintenance
- Alert management procedures
Marcus Ranum (M2, T2) is senior scientist at Trusecure Corp. and a world-renowned expert
on security system design and implementation.
He is recognized as the inventor of the proxy firewall and the
implementer of the first commercial firewall product. Since the
late 1980s, he has designed a number of groundbreaking security
products, including the DEC SEAL, the TIS firewall toolkit, the
Gauntlet firewall, and NFR's Network Flight Recorder intrusion
detection system. He has been involved in every level of operations
of a security product business, from developer, to founder and CEO
of NFR. Marcus has served as a consultant to many FORTUNE 500 firms
and national governments, as well as serving as a guest lecturer
and instructor at numerous high-tech conferences. In 2001, he was
awarded the TISC Clue award for service to the security community,
and he holds the ISSA lifetime achievement award.
Network Security Protocols: Theory and Current Standards
Radia Perlman, Sun Microsystems
Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.
First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.
We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.
Armed with this conceptual knowledge of the toolkit of tricks, we describe and
critique current standards.
- What problems are we trying to solve?
- Key distribution
- Trust hierarchies
- Public key (PKI) vs. secret key solutions
- Handshake issues
- Man-in-the-middle defense
- Perfect forward secrecy
- Reflection attacks
- PKI standards
- Real-time protocols
- IPsec (including AH, ESP, and IKE)
- Secure email
- Web security
Radia Perlman (M3) is a Distinguished Engineer at Sun Microsystems. She is known
for her contributions to bridging (spanning tree algorithm) and routing (link
state routing), as well as security (sabotage-proof networks). She is the
author of Interconnections: Bridges, Routers, Switches, and Internetworking
Protocols and co-author of Network Security: Private Communication in a
Public World, two of the top ten networking reference books, according to
Network Magazine. She is one of the twenty-five people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about fifty issued patents, an S.B. and S.M. in mathematics and a Ph.D. in computer science from MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.
Network Security Profiles: Protocol Threats, Intrusion Classes, and How Hackers Find Exploits
Brad C. Johnson, SystemExperts Corporation
Who should attend: Administrators, managers, auditors, those being audited,
those responsible for responding to intrusions or responsible for network
resources that might be targets for crackers, hackers, or determined
Participants should understand the basics of TCP/IP networking. Examples will
code and show command-line arguments and GUI-based applications.
This tutorial is focused on helping you understand how people profile your
network to identify resources that might be vulnerable to attack. Simply, the
more information that somebody can generate about your site (by profiling it),
the more likely it is that they will be able to exploit something on it. This
course will also help you recognize common protocol threats and intrusion
The course consists of four segments: tools and methods used to profile your
resources, examples of common intrusion areas, specific tools that are used to
discover information about your environment, and vulnerabilities in pervasive
protocols (such as DNS and the Web).
The following topics are expected to be covered in this full-day tutorial.
Approximately one quarter of the day will be used for each of the four major
- Profiling Your Network and System
- Methods and Tools
- An Example Profile
- Awareness and Statistics
- Example Intrusions
- Common Intrusion Areas (Web Servers, Web Applications, Wireless Infrastructure, Modems)
- Discovery/Profiling Tools
- Tools such as sscan, typhoon, nessus, dsniff, whisker, Sam Spade, Satan/Saint/Sara, nmap, Paros, cain, and Websleuth
- Understanding Protocol Tunneling
- Protocol Profiling Threats
- DNS (the name service)
- SNMP (system and network management)
- Handheld (PocketPC) Issues
- Web Infrastructure
Brad C. Johnson (M4) is vice president of SystemExperts Corporation.
He has participated in seminal industry initiatives such as the Open Software
Foundation, X/Open, and the IETF, and has been published often, including in the
Digital Technical Journal, IEEE Computer Society Press, Information Security
Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password
Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics
related to practical network security, penetration analysis, middleware,
and distributed systems. Brad holds a B.A. in computer science from Rutgers University and an M.S. in
applied management from Lesley University.