FIREWALLS, PERIMETER PROTECTION, AND VPNs (5 DAYS)
TRACK SUMMARY
Remember the good old days when you could install "a firewall" and deem your perimeter to be secure? Well, today's attackers are creating and launching attacks specifically designed to circumvent firewalls; payload-based, fragmentation, and cross-site scripting attacks are assaulting systems throughout the Internet constantly nowadays. Commercial networking companies are even releasing "helpful" software that lets your users tunnel all sorts of non-company-sanctioned applications right through your firewall via the HTTP port. Gone are the days when a single security solution is capable of locking down a network perimeter. In this course, students will learn about all the pieces required to really secure their network, and keep it secure, in today's incredibly hostile environment. Decoding IP packets, firewalls, intrusion detection, centralized logging and alerting, VPNs, auditing, and network design are all covered in depth, with real-world examples used to illustrate the practical knowledge.
Certification Information:
You have six months following the conference to complete GIAC certification requirements. Detailed information can be found at http://www.giac.org/steps.php.
A Sampling of Topics
- IP Stimulus/Response
- IP Fragmentation
- Complex IP Transports and Services
- tcpdump, windump, Ethereal, and Other Sniffers
- Business Needs vs. Security
- Static Packet Filtering
- Stateful Packet Filtering and Inspection
- Proxies
- In-Depth Coverage of Popular Firewall Products
- Implementing Security with a Cisco Router
- Intrusion Detection
- Centralized Logging
- Firewall Log File Analysis
- Log File Alerting
- IPSec
- SSL
- SSH
- Designing a Secure Perimeter
- "Cool Tools"
COURSES
2.1 TCP/IP for Firewalls
Chris Brenton, ALTeNet Solutions Inc.
Monday, October 7, 2002
9:00 AM - 5:00 PM
Every Internet-based attack is transported using Internet Protocol (IP), so an in-depth understanding of IP and how it works is paramount in defending your network. Why blindly trust a commercial analyzer when you can learn to "read between the lines" yourself? The focus of this course is to train the student on how IP transports and services work, as well as how to distinguish between normal and malicious traffic patterns. Common network attack techniques and the ways to thwart them are discussed in detail, and free tools such as tcpdump and windump are demonstrated in class so that the student will be capable of putting their new knowledge to work immediately once they return to the office.
NOTE: Due to the technical level and pace of this course, students should already be familiar with TCP/IP fundamentals such as IP addresses; ports; IP protocols such as TCP, UDP, and ICMP; and TCP basics such as flags, sequence numbers, the three-way handshake, and session establishment/teardown. Students can test their basic knowledge of TCP/IP by taking the online quiz at http://www.sans.org/giactc/TCPIP/quiz.htm. Students who are not comfortable with the prerequisite material should consider taking either the SANS Security Essentials or Information Systems Security Officer course, or doing additional preparatory work before enrolling in this course/track.
Topics Include:
TCP/IP Refresher
- tcpdump and How It Works
- tcpdump Output
- IP Headers and How to Read Them
- Link Layer Communications
- IP Communications
- TCP Communications
- UDP Communications
ICMP and Decoding ICMP Errors
Stimulus/Response
- Interpreting Packet Stimulus and Response
- Interpreting tcpdump Traces
- Complex IP Services
Fragmentation
- Normal Packet Fragmentation
- Malicious Packet Fragmentation
Microsoft Networking
- NetBIOS/IP Communications
- WINS and NetBIOS/IP Node Types
DNS
- DNS Communications
- DNS Query Tools
- DNS Enumeration and Cache Poisoning
Routing
- IP Routing
- IP Options: Source Routing and Record Route
- ARP Communication
- Malicious ARP Attacks
IPSec
- Authentication Header
- Encapsulating Security Payload
"Well written course with the right level of detail, taught at a good and entertaining pace."
-- Anthony J. Munns, Arthur Anderson LLP
"The best example of the practical use of TCP/IP I've ever seen."
-- Steve Barish, Ernst & Young
2.2 Firewalls 101: Perimeter Protection with Firewalls
Chris Brenton, ALTeNet Solutions Inc.
Tuesday, October 9, 2002
9:00 AM - 5:00 PM
We are all dependent on firewalls and other perimeter protection systems to protect our sites. It is virtually impossible to secure all the systems in a facility and keep them secured, so we turn to perimeter defenses. Considering how important this protection mechanism is, it is amazing that we treat firewalls as magic black boxes. There is a tendency to put them in and forget them. Do you have the right firewall? Has it been placed correctly? Is it configured correctly? Stephen Northcutt and Chris Brenton have completely rewritten this material to offer the most intensive single-day course on perimeter defense in the world. The result is a practical, from-the-trenches, step-by-step program.
Topics Include:
I. Perimeter Concepts
- Vulnerabilities and Threats
- Perimeter Security
- Security Policies
- Defense in Depth
- Where does a Firewall fit in?
- Perimeter Design
II. Static Packet Filtering
- How It Works
- tcpdump and windump
- Decoding Packets
- Using nmap to Assess Your Firewall Filters
- When to Use Static Packet Filtering
- Deficiencies of Static Filtering
- Ingress and Egress Filtering
III. Stateful Filtering and Inspection
- How It Works!
- Types of Stateful Packet Filters
- Stateful Inspection
- Network Address Translation (NAT)
IV. Proxy Gateways
- How They Work!
- When to Use a Proxy Firewall
- Pros and Cons of Proxy Firewalls
- Installing and Configuring a Squid Proxy Server
V. FW-1 and Cisco PIX
- FW-1 Features and Products
- FW-1 Management and Policy Editor
- Pros and Cons of FW-1
- PIX Feature Overview
- Advantages and Disadvantages of a Hardware Firewall
- PIX Management and Configuration
VI. NetFilter and Gauntlet
- NetFilter Features
- NetFilter Implementation and Management
- NetFilter - Rules and Chains
- Masquerading
- Gauntlet Features
- Gauntlet Rule Management
- Gauntlet VPN Support
"Excellent class for introduction to firewalls and perimeter protection."
-- Shakell Shaikh, Routers America
"This class provides a good introduction to an overview of firewall concepts and specific firewall products and their applications to the implementation of secure networks."
-- Shoshana Billik, CSC
2.3 Firewalls 102: Perimeter Protection and Defense In-Depth
Chris Brenton, ALTeNet Solutions Inc.
Wednesday, October 9, 2002
9:00 AM - 5:00 PM
Building on the foundational knowledge students gained in the Firewalls 101 course, this course takes that information and shows students how to put it to best use. Students learn how to build strong firewall rulebases, as well as how to apply them to devices such as Cisco routers, with the instructor leading the class through the building of an example rulebase. Log analysis is covered in detail, as a majority of the work involved with managing a perimeter is in reviewing firewall log entries. Students receive the benefit of many years of "in the trenches" experience, learning the most efficient and effective methods the experts use to expedite the potentially lengthy process of log review. Additionally, other perimeter security concepts such as intrusion detection and host armoring are covered so that the student may begin to understand how the various tools can be used in conjunction, layered, to construct a true defense in-depth environment.
Topics Include:
I. Cisco Routers and ACLs
- Role of Routers in Perimeter Defense
- Cisco Router Basics
- Standard and Extended ACLs
- Reflexive ACLs
- Router Armoring/Hardening
- "Best Practices" Router Configuration
II. Building a Rulebase
- Rules Every Firewall Should Have
- Do's and Don'ts of Design
- Implementing Firewall Rules
- Common Mistakes
- Troubleshooting a Rulebase
- Tuning Rulebase Performance
- Rules to Facilitate Log File Analysis
- Assessing the Security of Your Rulebase Design
III. Log Analysis
- What kinds of Logs Do You Have?
- Interpreting your Logs
- Common Traffic Patterns
- Searching and "Pruning" your Log Files
- Log Analysis Time Management
IV. Intrusion Detection Overview
- How Intrusion Detection fits into Perimeter Protection
- IDS Placement
- Reviewing IDS Detects
- Distinguishing Between Real Alerts and False Positives
- Static vs. Stateful IDS (Yes, it applies to IDS too!)
- IDS Product Review
- Installing and Configuring Snort
V. Locking Down Hosts
- Armoring a Host
- Identifying and Removing Unneeded Services
- Locking Down DNS
- Locking Down HTTP
- Locking Down SMTP
- Locking Down Windows
"This course was good because it provided both information on Cisco router-based access control lists, as well as information on securing end systems. It also emphasized the creation and establishment of a formal security policy for all aspects of the network including the firewalls, routers, and switches."
-- Shoshana Billik, CSC
"It is an excellent course for people dealing in security. Gives them an overall perspective of do's & don'ts which otherwise will take years of hit and trial on one's part to grasp and implement the security in a methodical and tested way."
-- Vijay Mishia, CNSI
2.4 VPNs and Remote Access
Chris Brenton, ALTeNet Solutions Inc.
Thursday, October 10, 2002
9:00 AM - 5:00 PM
This is a foundation-level course, designed to give students the technical capability to understand what a VPN is, where the technology is headed, and the key implementation issues. At the completion of the course, students will understand the fundamentals of tunneling with both IPSec- and PPTP-based approaches. Students build on the IPSec introduction taught in the TCP/IP course and proceed to the details of key exchange and architecture. Students will understand how VPN encryption and authentication work, and which key features to look for in products. The course closes with a live, in-depth look at several products. Whether you already have a VPN or are designing one from scratch, this course will help you make informed decisions.
Topics Include:
I. VPN Basics
- Why Use VPNs
- VPN Security Issues
- Encryption: Ciphers and Algorithms
- Public Key Cryptography
- Digital Certificates and PKI
II. VPN Options - SSH, SSL, and PPTP
- SSL Encryption Options and stunnel
- SSL Browser Configuration
- SSH Encryption
- SSH1 vs. SSH2
- History of PPTP
- PPTP Implementations
III. VPN Options II - IPSEC
- The Ins and Outs of Security Associations (SA)
- Internet Key Exchange (IKE)
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
- IPSec Packet Analysis
- Practical Applications
IV. VPN Case Studies I - Web Servers and Remote Users
- Creating Secure Communications Channels to Web Servers
- Digital Certificates
- Implementing VPN Options for Remote Access
- Configure your Firewall to Secure Your Network from Remote Users
V. VPN Case Studies II - Connecting Networks, IMAP-4, and Citrix
- Secure Remote Access to Mail Servers
- Installation and Configuration of SSH
- Tunnelling IMAP
- Citrix SecureICA Services and Implementation
- Troubleshooting Citrix SecureICA Services
VI. Market Overview and VPN Design
- SANS VPN Survey
- Trends in VPN Technology
- Choosing Your VPN Hardware
- Where Exactly Does Your VPN Hardware Go?
- Personal Firewalls
- Managing Security for Hundreds of VPN Users
- The Insecurities of Wireless Encryption
- How to Deploy a Secure Wireless Network
"This course presented good detail of VPNs and how to use them. The VPN design is excellent!"
-- Joe Adams, Fleet Libris
"Good overview of requirements and comparison of existing software options."
-- Judy Johnson, NASA/GSFC
2.5 Network Design and Performance
Chris Brenton, ALTeNet Solutions Inc.
Friday, October 11, 2002
9:00 AM - 5:00 PM
Setting up a secure perimeter is a critical task, but it is only the starting point, the foundation, of your defense in-depth security program. This course focuses on the long-term administration required to maintain a secure perimeter. Centralized logging and alerting are covered in detail, and an extensive, brand new section on network and host based auditing has just been created, available for the first time at SANS Beyond Firewalls. The class will also examine many of the publicly available free tools that can be of benefit, or detriment, to the security of your environment. The second half of the day is spent exploring the principles of good network design through lecture as well as in-class exercises that use case studies to help illustrate important concepts and get students thinking along the right lines. Network design auditing and troubleshooting are explored in depth.
Topics Include:
I. Pulling It All Together
- Setting Up a Time-Synchronized Environment
- Centralized Logging
- Centralized Alerting
- Identifying Attack Signatures
II. "Cool Tools"
- Network Monitoring
- Man-in-the-Middle Tools
- Packet Crafting Tools
- Firewall and IDS Evading Tools
- Worms, Viruses and Root Kits
III. Auditing
- Host Auditing
- Network Auditing
- Vulnerability Assessment
- Auditing with the Windows Resource Kit
IV. Network Design Case Studies
V. Assessing Secure Network Designs
"Great real-world examples! Provides the Big Picture approach to systems, security and networking, policy and procedures!"
-- Wil Bennett, USAA
"Again, real world examples and analysis brought out a lot of additional ideas that could be applied to my own network. Several of the discussions made it obvious how to tackle and better yet, fix problems I have currently been experiencing."
-- Tom Coulter, NovAtel, Inc.
"The fact that a firewall track includes a network design course demonstrates an excellent comprehensive view of network security that greatly increases my perceived value of SANS GIAC Certification. Good review, good discussions."
-- Alan Moe, ID Certify, Inc.