Check out the new USENIX Web site.
USENIX Security Symposium, August 9-13, 2004, San Diego, CA, USA
USENIX '03 Home  | USENIX Home  | Events  | Publications  | Membership


Register Now!     TRAINING PROGRAM

Overview | By Day (Monday, Tuesday) | By Instructor | All in One File

Monday, August 9, 2004    
M1 Network Security Monitoring with Open Source Tools 
Richard Bejtlich, TaoSecurity

Who should attend: This tutorial is designed for engineers and analysts who detect and respond to security incidents. Participants should be familiar with TCP/IP. Command-line knowledge of FreeBSD is a plus, although any UNIX background should be sufficient. A general knowledge of offensive and defensive security principles is helpful.

This tutorial will equip participants with the theory and software to detect and respond to security incidents. NSM is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is an operational model partially inspired by the United States Air Forces signals intelligence collection methods. Signals intelligence, or SIGINT, is the collection of information on communications and the transformation of that information into intelligence products. Similarly, NSM is a method of collecting and analyzing network traffic for the purpose of identifying and validating intrusions. NSM relies upon alert data, session data, full content data, and statistical data to provide analysts with the information needed to make escalation decisions. Whereas intrusion detection cares more about identifying successful attacks, NSM is more concerned with providing evidence to scope the extent of an intrusion, assess its impact, and propose efficient, effective remediation steps.

NSM theory will help participants understand the different sorts of data that must be collected. The tutorial will bring theory to life by introducing the installation and use of numerous open source tools for each category of NSM data. FreeBSD will be the reference platform, and nearly every tool discussed will be in the FreeBSD ports tree.

Topics include:

  • Building and deploying NSM sensors, accessing wired and wireless traffic
  • Full-content tools like tcpdump, ethereal/tethereal, tcpflow, and snort as a packet logger
  • Alert data generators: e.g., bro, prelude-ids, and snort as network IDS
  • Session-based tools that work with NetFlow data, such as fprobe and flow-tools, argus and tcptrace
  • Statistical data tools like iftop, tcpdstat, and MRTG
  • Finally, sguil, an nearly-complete graphical NSM implementation for alert, full content, and session data
During the day I'll also integrate case studies on how various forms of NSM data was used to resolve incident response scenarios.

Richard Bejtlich (M1) is a security engineer at National Security Solutions, a ManTech group. He was previously a principal consultant at Richard Bejtlich Foundstone, performing incident response, emergency network security monitoring, and security research. Prior to joining Foundstone in 2002, Richard served as senior engineer for managed network security operations at Ball Aerospace & Technologies Corporation. From 1998 to 2001 Richard defended global American information assets as a captain in the Air Force Computer Emergency Response Team (AFCERT). He led the AFCERT's real time intrusion detection mission, supervising 60 civilian and military analysts.

Formally trained as a military intelligence officer, Richard holds degrees from Harvard University and the United States Air Force Academy. He wrote original material for Hacking Exposed, 4th Ed., and Incident Response, 2nd Ed., both published by Osborne McGraw-Hill. Richard is the co-author of Real Digital Forensics and the author of The Tao of Network Security Monitoring, separate books to be published in 2004. He acquired his CISSP certification in 2001. His home page is

M2 Intrusion Detection and Prevention Systems
Marcus Ranum, Trusecure Corp.

Who should attend: Network or security managers responsible for an IDS roll-out, security auditors interested in assessing IDS capabilities, security managers involved in IDS product selection.

Overview: This workshop covers the real-world issues you'll encounter as part of doing an intrusion detection roll-out or product selection. Attendees will learn the advantages and disadvantages of popular approaches to Intrusion Detection Systems (IDSes), how to deal with false positives and noise, where to deploy IDSes, how to test them, how to build out-of-band IDS management networks, and how they interact with switches, routers, and firewalls.

Topics include:

  • Technologies
    • IDS and IPS: what they are and how they work
    • Burglar alarms and honeypots—low-rent IDS
    • Misuse detection and anomaly detection
    • False positives, noise, and false alarms
    • Does freeware stack up to the commercial products?
  • Deployment issues
    • Where to place IDS within the network
    • Alert tuning: what it is and how it works
    • How to estimate the size of an IDS deployment
    • How to size and design a logging / management architecture
    • Tools and tricks for logging and event correlation
    • A typical IDS roll-out
    • How to test an IDS for correct function
    • IDS benchmarks: bogus and bogusest
  • Management issues
    • How to justify the expenditures on an IDS to management
    • Cyclical maintenance
    • Alert management procedures

Marcus Ranum (M2, T2) is senior scientist at Trusecure Corp. and a world-renowned expertMarcus Ranum on security system design and implementation. He is recognized as the inventor of the proxy firewall and the implementer of the first commercial firewall product. Since the late 1980s, he has designed a number of groundbreaking security products, including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC Clue award for service to the security community, and he holds the ISSA lifetime achievement award.

M3 Network Security Protocols: Theory and Current Standards
Radia Perlman, Sun Microsystems

Who should attend: Anyone who wants to understand the theory behind network security protocol design, with an overview of the alphabet soup of standards and cryptography. This tutorial is especially useful for anyone who needs to design or implement a network security solution, but it is also useful to anyone who needs to understand existing offerings in order to deploy and manage them. Although the tutorial is technically deep, no background other than intellectual curiosity and a good night's sleep in the recent past is required.

First, without worrying about the details of particular standards, we discuss the pieces out of which all these protocols are built.

We then cover subtle design issues, such as how secure email interacts with distribution lists, how designs maximize security in the face of export laws, and the kinds of mistakes people generally make when designing protocols.

Armed with this conceptual knowledge of the toolkit of tricks, we describe and critique current standards.

Topics include:

  • What problems are we trying to solve?
  • Cryptography
  • Key distribution
    • Trust hierarchies
    • Public key (PKI) vs. secret key solutions
  • Handshake issues
    • Diffie-Hellman
    • Man-in-middle defense
    • Perfect forward secrecy
    • Reflection attacks
  • PKI standards
    • X.509
    • PKIX
  • Real-time protocols
    • SSL/TLS
    • IPsec (including AH, ESP, and IKE)
  • Secure email
  • Web security
    • URLs
    • HTTP, HTTPs
    • Cookies

Radia Perlman (M3) is a Distinguished Engineer at Sun Microsystems. Radia Perlman She is known for her contributions to bridging (spanning tree algorithm) and routing (link state routing), as well as security (sabotage-proof networks). She is the author of Interconnections: Bridges, Routers, Switches, and Internetworking Protocols and co-author of Network Security: Private Communication in a Public World, two of the top ten networking reference books, according to Network Magazine. She is one of the twenty-five people whose work has most influenced the networking industry, according to Data Communications Magazine. She has about fifty issued patents, an S.B. and S.M. in mathematics and a Ph.D. in computer science from MIT, and an honorary doctorate from KTH, the Royal Institute of Technology in Sweden.

M4 Network Security Profiles: Protocol Threats, Intrusion Classes, and How Hackers Find Exploits 
Brad C. Johnson, SystemExperts Corporation

Who should attend: Administrators, managers, auditors, those being audited, those responsible for responding to intrusions or responsible for network resources that might be targets for crackers, hackers, or determined intruders.

Participants should understand the basics of TCP/IP networking. Examples will use actual tools and will include small amounts of HTML, JavaScript, and Tcl code and show command line arguments and GUI based applications.

This tutorial is focused on helping you understand how people profile your network to identify resources that might be vulnerable to attack. Simply, the more information that somebody can generate about your site (by profiling it), the more likely it is that they will be able to exploit something on it. This course will also help you recognize common protocol threats and intrusion classes.

The course consists of four segments: tools and methods used to profile your resources, examples of common intrusion areas, specific tools that are used to discover information about your environment, and vulnerabilities in pervasive protocols (such as DNS and the Web).

The following topics are expected to be covered in this full day tutorial. Approximately one quarter of the day will be used for each of the four major topic areas.

Topics include:

  • Profiling Your Network and System
    • Methods and Tools
    • An Example Profile
  • Intrusions
    • Awareness and Statistics
    • Example Intrusions
    • Common Intrusion Areas (Web Servers, Web Applications, Wireless Infrastructure, Modems)
  • Discovery/Profiling Tools
    • Tools such as sscan, typhoon, nessus, dsniff, whisker, Sam Spade, Satan/Saint/Sara, nmap, Paros, cain, and Websleuth
    • Understanding Protocol Tunneling
  • Protocol Profiling Threats
    • DNS (the name service)
    • SNMP (system and network management)
    • Handheld (PocketPC) Issues
    • Web Infrastructure

Brad C. Johnson (M4) is vice president of SystemExperts Corporation. Brad Johnson He has participated in seminal industry initiatives such as the Open Software Foundation, X/Open, and the IETF, and has been published often including in the Digital Technical Journal, IEEE Computer Society Press, Information Security Magazine, Boston Business Journal, Mass High Tech Journal, ISSA Password Magazine, and Wall Street & Technology. Brad is a regular tutorial instructor and conference speaker on topics related to practical network security, penetration analysis, middleware, and distributed systems. Brad holds a B.A. in computer science from Rutgers University and an M.S. in applied management from Lesley University.

?Need help? Use our Contacts page.

Last changed: 8 June 2004 jel