Check out the new USENIX Web site.
9th USENIX Security Symposium, Aug. 14-17, 2000, Denver, Colorado
Home  | At a Glance  | Register/Hotel  | Tutorials  | Technical Sessions  | Exhibition  | Organizers  | Activities

Tutorial Descriptions    [Tutorial Overview]

MONDAY, AUGUST 14, 2000


M1 Intrusion Detection and Network Forensics
Marcus J. Ranum, Network Flight Recorder, Inc.

Who should attend: Network and system managers, security managers, and auditors. This tutorial assumes some knowledge of TCP/IP networking and client/server computing.

Intrusion detection systems are designed to alert network managers to unusual or possibly hostile events within the network. This tutorial provides a highly technical overview of the state of intrusion detection software and the types of products that are available, as well as basic principles to apply to building your own intrusion detection alarms. Methods of recording events during an intrusion are also covered.

Topics include:

  • What is IDS?
    • Principles
    • Prior art
  • Can IDS help?
    • What IDS can and can't do
    • IDS and the WWW
    • IDS and firewalls
    • IDS and VPNs
  • Types and trends in IDS design
    • Anomaly detection
    • Misuse detection
    • Traps
    • Future avenues of research
  • Concepts for building your IDS
    • What you need to know first
    • Performance issues
  • Tools for building your IDS
    • Sniffers and suckers
    • Host logging tools
    • Log recorders
  • Reporting and recording
    • Managing alerts
    • What to throw away
    • What to keep
  • Network forensics
    • So you've been hacked . . .
    • Forensic tools
    • Brief overview of evidence handling
    • Who can help you
  • Resources and references

Marcus J. Ranum ranum_marcusis CEO and founder of Network Flight Recorder, Inc. He is the principal author of several major Internet firewall products, including the DEC SEAL, the TIS Gauntlet, and the TIS Internet Firewall Toolkit. Marcus has been managing UNIX systems and network security for over 13 years, including configuring and managing whitehouse.gov. Marcus is a frequent lecturer and conference speaker.

M2 Windows 2000 Security
Phil Cox, SystemExperts; Paul B. Hill, MIT

Who should attend: System and network administrators who will need to implement or maintain Windows 2000—based systems and networks, and site managers charged with selecting and setting site security requirements.

The security implications of a large Windows 2000 (Win2K) deployment are not yet well understood. This tutorial presents the problems and solutions surrounding Win2K and the security of the networks it runs on. It will cover the design of Win2K from a security standpoint and outline what Win2K has "out of the box" for security, along with Win2K-related risks and appropriate countermeasures. It will conclude with specific recommendations on firewalling Win2K and offer pointers on how to "harden" the system.

Topics include:

  • Overview of Win2K
    • Domains/Active Directory
    • Authentication: Kerberos, NTLM, smart cards, certificates, PKI
    • Authorization: Group policies
    • Auditing: Event auditing, WEBM, WMI, SNMP
    • Network services
  • Security threats
    • What are the threats?
    • Who are the hackers?
    • Methods of attacks
    • Win2K—specific threats to watch for
  • What Win2K provides as countermeasures
    • Defining security
    • Authentication
    • Authorization
    • Auditing
    • Protective measures
    • Detecting and dealing with attacks
    • User and group security management
    • File system security and resource sharing
  • Firewalling Win2K
    • Defensive strategies
    • What you need to filter
  • Steps to hardening Win2K

Phil Cox cox_philis a consultant for SystemExperts Corporation, a consulting firm that specializes in system security and management. Phil is a featured columnist in ;login:, the magazine of USENIX & SAGE, and has served on numerous USENIX program committees. Phil holds a B.S. in computer science from the College of Charleston, South Carolina.

Paul B. Hill, a programmer/analyst at the Massachusetts Institute of Technology, has been involved with the development of MIT's Kerberos implementation since 1991. Paul is the senior programmer on MIT's Project Pismere, a project to provide an academic computing environment on Windows 2000 that is integrated into MIT's existing Athena computing environment. Paul also consults on system security.

M3  Security from the Inside Out: System Engineering for Security Systems
Char Sample, L-3 Network Security;
Ian Poynter, Jerboa Inc.

Who should attend: Consultants, systems architects, information security professionals, system administrators, and anyone responsible for planning, implementing, or evaluating security systems.

Firewalls, IDS, VPNs, authentication devices, and various servers all provide tactical point solutions that address various security issues. How do we pull them together to form a security system? How do we properly engineer this system and avoid the pitfalls of over-engineering?

You will learn how to quantify values in your networked environment, giving you the information to determine how much security is needed and where.

Topics include the following systems engineering areas as they relate to network security:

  • Needs
  • Operations, stated and unstated
  • Requirements: how to derive and quantify them
  • Architecture
  • Design
  • Implementation and integration
  • Testing and evaluation (or reevaluation) of the security system

We will discuss the vision of a security architecture and how to handle all phases of this process, how to engineer the multiple layers of security, and how to navigate politically and technically to create the best solution for your environment.

Char Sample, sample_chara senior systems engineer at L-3 Network Security, has over fourteen years of experience in the industry. One of the original five engineers on the Gauntlet project at Trusted Information Systems, Char has installed and integrated over 200 firewalls and has experience deploying e-commerce solutions. She has developed and delivered training for a number of organizations and has been an invited speaker for various industry security conferences.

Ian Poynter poynter_ianis president of Jerboa Inc., a strategic Internet security consultancy he founded in 1994. He has over 14 years in the technology industry, focusing on networking and human/computer interfaces. He has delivered firewall and Internet security training to key IS personnel and has appeared as an expert speaker at professional meetings and industry conferences. Mr. Poynter holds a B.Sc. First Class in computer science from University College, London.

M4 Cryptography: From the Basics Through PKI in 23,400 Seconds
Dan Geer, @Stake, Inc.; Avi Rubin, AT&T Labs--Research

Who should attend: Corporate security officers, Webmasters, IT planners, and all those who want to augment their self-taught knowledge of modern security technology with an up-to-date, sophisticated look at what they have to work with.

Topics include:

  • What is and isn't possible in network security
  • The trade-offs among security, cryptographic complexity, accountability, and cost
  • What security really is
  • How to buy only as much security as you need
  • What the alternatives are and how to evaluate them

We approach cryptography as a tool, not a calling and we see a Public Key Infrastructure as an investment you may or may not choose to make. If we do our job, you'll be in a position to buy with confidence.

Daniel E. Geer, Jr., geer_danSc.D., is Chief Technologist Officer for @stake, Inc., a privately held confidential security consulting firm. Current Treasurer of the USENIX Board of Directors, he is President-Elect of the Board. He currently serves as a member of the Federal Trade Commission's Advisory Committee on Access and Security. Dr. Geer, co-author of the Web Security Sourcebook, is the inventor of record on a number of security patents pending.

Avi Rubin rubin_aviis a Senior Technical Staff Member at AT&T Labs, Research, in the secure systems research department, and an Adjunct Professor of Computer Science at New York University, where he teaches cryptography and computer security. He is the co-author of the Web Security Sourcebook. Avi has served on several program committees for major security conferences and as the program chair of the USENIX Security '98, the USENIX Annual Technical '99, and the SOC NDSS 2000 conferences.

TUESDAY, AUGUST 15, 2000


T1 Network Security Profiles: A Collection (Hodgepodge) of Stuff Hackers Know About You
Phil Cox, SystemExperts Corporation

Who should attend: Network, system, and firewall administrators; security auditors and those who are audited; people involved with responding to intrusions or responsible for network-based applications or systems that might be targets for hackers. Participants should understand the basics of TCP/IP networking. Examples will use actual tools and will also include small amounts of HTML, JavaScript, and Tcl.

This course will be useful for anyone with any TCP/IP-based system--a UNIX, Windows NT, or mainframe operating system, or a router, firewall, or gateway network host.

Whether network-based host intrusions come from the Internet, an extranet, or an intranet, they typically follow a common methodology: reconnaissance, vulnerability research, and exploitation. This tutorial will review the tools and techniques hackers (determined intruders) use to perform these activities. You will learn what types of protocols and tools they use, and you will become familiar with a number of current methods and exploits. The course will show how you can generate vulnerability profiles of your own systems. Additionally, it will review some of the important management policies and issues related to these network-based probes.

The course will focus primarily on tools that exploit many of the common TCP/IP— based protocols, such as WWW, SSL, DNS, ICMP, and SNMP, that underlie virtually all Internet applications, including Web technologies, network management, and remote file systems. Some topics will be addressed at a detailed technical level. This course will concentrate on examples drawn from public domain tools, because these tools are widely available and commonly used by hackers (and are free for you to use).

Topics include:

  • Profiles: what can an intruder determine about your site remotely?
  • Review of profiling methodologies: different "viewpoints" generate different types of profiling information
  • Techniques: scanning, on-line research, TCP/IP protocol "mis"uses, denial of service, hacking clubs
  • Important intrusion areas: discovery techniques, SSL, SNMP, WWW, DNS
  • Tools: scotty, strobe, netcat, SATAN, SAINT, ISS, mscan, sscan, queso, curl, Nmap, SSLeay/upget
  • Management issues: defining policies and requirements to minimize intrusion risk

Topics not covered:

  • Social engineering
  • Buffer overflow exploits
  • Browser (frame) exploits
  • Shell privilege escalation

Phil Cox cox_philis a consultant for SystemExperts Corporation, a consulting firm that specializes in system security and management. Phil frequently writes and lectures on issues bridging the gap between UNIX and Windows NT. He is a featured columnist in ;login:, the magazine of USENIX & SAGE, and has served on numerous USENIX program committees. Phil holds a B.S. in computer science from the College of Charleston, South Carolina.

T2  Handling Computer and Network Security Incidents
Jim Duncan, Cisco Systems; Rik Farrow, Consultant

Who should attend: System and network administrators, information system security officers, and managers who have responsibility for the security of networks and computing systems. Basic knowledge of modern operating systems and networking is recommended because it will help in understanding the incidents, procedures, and countermeasures given as examples.

Are you prepared to handle a security incident at your company or organization? The recent spate of distributed denial of service (DDoS) attacks was resolved most effectively by sites that could field coordinated incident handling capabilities. The ability to respond to computer security incidents is a requirement of rapidly increasing importance for any organization in which computers and networks are an essential part of the infrastructure. This course provides the knowledge necessary to prepare for and handle computer and network security incidents with step-by-step information and examples from real-world incidents.

Topics include:

  • The need for comprehensive incident handling capability
  • How to communicate that need to management and the user community
  • How to build and maintain that capability
  • How to investigate an incident (as a handler, not as law enforcement)
  • How to adapt policy to incident handling capability, and vice versa
  • How to staff an incident response team
  • How to communicate with other teams and with law enforcement agencies
  • How to evaluate the impact of a security advisory
  • How to rewrite advisories to reach your own community

Jim Duncan duncan_jimis the Lead Product Security Incident Manager for the Product Security Incident Response Team (PSIRT) at Cisco Systems, Inc., where he is responsible for assisting customers with computer and network security incidents. Jim was a card-carrying member of the Penn State CERT. He is a contributor to the original Site Security Policy Handbook (RFC 1244), and he has composed or rewritten many security advisories, policies, and guidelines on systems and network administration, computer security, incident handling, and ethics.

Rik Farrow farrow_ rikprovides UNIX and Internet security consulting and training. He has been working with UNIX system security since 1984 and with TCP/IP networks since 1988. He has taught at the IRS, Department of Justice, NSA, US West, Canadian RCMP, Swedish Navy, and for many U.S. and European user groups. Farrow recently licensed his Survey of Intrusion Techniques and Defense Measures five-day class to the NSA for internal use. He is the author of UNIX System Security and System Administrator's Guide to System V. Farrow writes columns for ;login: and Network Magazine.

T3  Cryptographic Algorithms Revealed
Greg Rose, QUALCOMM Australia

Who should attend: Anyone interested in a fairly detailed overview of what makes cryptographic algorithms work, and, when they don't work, how they are broken. The tutorial will be as up-to-the-minute as possible with respect to the development of the Advanced Encryption Standard.

Some mathematical background is required--at the very least, familiarity with common mathematical notation and polynomials, and some elementary statistical knowledge. You've been warned.

Topics include (unless time runs out):

  • Brief history
    • substitution and transposition
    • development of DES
    • public-key cryptography
  • Symmetric block ciphers
    • Feistel ciphers in general
    • DES
    • SKIPJACK
    • Current AES candidates (Rijndael, Twofish, MARS, RC6, Serpent)
    • Block-cipher modes of operation
  • Symmetric stream ciphers
    • Panama
    • A5, SOBER and other LFSR-based constructions
  • Cryptanalysis
    • Differential & linear cryptanalysis
    • Attack assumptions and threat models
    • Attacks on stream ciphers
  • Public-key systems
    • Group and finite field theory
    • Discrete log systems (El Gamal, Diffie-Hellman, DSS)
    • RSA
    • Elliptic curves
  • Other stuff
    • Hash functions, SHA-1

Greg Rose rose_greggraduated from the University of New South Wales with a B.Sc. (honours) in computer science and was awarded the University Medal in 1977. A member of the Board of Directors of the USENIX Association, he served as program chair of the 1996 USENIX Security Symposium. As Principal Engineer at QUALCOMM, he focuses on cryptographic security and authentication for wireless communications, and on setting up the office of QUALCOMM Australia. He has written a number of public tools using cryptography, and he holds generic cryptographic export licenses for two countries.

T4 Secure Networking: An Introduction to VPN Architecture and Implementation
Tina Bird, Counterpane Internet Security

Who should attend: System administrators and network managers responsible for remote access and wide-area networks within their organization. Participants should be familiar with TCP/IP networking and fundamental network security, although some review is provided. The purpose of this tutorial is to provide a step-by-step guide to evaluating an organization's VPN requirements, selecting the appropriate VPN architecture, and implementing it within a preexisting security infrastructure.

Virtual private networking technology provides a flexible mechanism for addressing connectivity needs within many organizations. This class focuses on assessing business and technical requirements for remote access and extranet connections; evaluating VPN technology; integrating VPNs within an existing network infrastructure; common implementation difficulties; and VPN security issues.

Topics include:

  • VPN security features (encryption, access control, NAT) and how they protect against common Internet threats
  • Assessing your organization's needs for remote access
  • IPSec, PPTP, application-layer VPNs, and where they fit
  • A brief review of commercial VPN products
  • Implementing VPN technology within your organization's network
  • Common VPN difficulties
  • VPN security issues

After completing this course, attendees should be ready to evaluate their requirements for remote access and begin testing commercial VPN implementations.

Tina Bird bird_tinais a senior security analyst at Counterpane Internet Security. She has implemented and managed a variety of wide-area-network security technologies and has developed, implemented, and enforced corporate IS security policies. She is the moderator of the VPN mailing list and the owner of "VPN Resources on the World Wide Web," a vendor-neutral source of information about VPN technology. Tina has a B.S. in physics from Notre Dame and an M.S. and Ph.D. in astrophysics from the University of Minnesota.


?Need help? Use our Contacts page.
Last changed: 24 April 2000 jr
Security 2000 home
Events calendar
USENIX home