Welcome to SANS/NISER Asia Pacific Conference 2002
October 7 - 12, 2002
Kuala Lumpur, Malaysia

FIREWALLS PERIMETER PROTECTION, AND VPNs (5 DAYS)
10/7 Mon. 2.1 TCP/IP for Firewalls Chris Brenton
10/8 Tue. 2.2 Firewalls 101: Perimeter Protection with Firewalls Chris Brenton
10/9 Wed. 2.3 Firewalls 102: Perimeter Protection and Defense In-Depth Chris Brenton
10/10 Thu. 2.4 VPNs and Remote Access Chris Brenton
10/11 Fri. 2.5 Network Design and Performance Chris Brenton
Pricing: RM $7,961 (US $2,095) with certification exam(s) for GIAC certification
Rate includes lunches and breaks.
Go to the Registration page to enrol in this conference and to find out how to make payment.

Venue: HOTEL NIKKO KUALA LUMPUR
165, Jalan Ampang,
50450 Kuala Lumpur, Malaysia
TRACK SUMMARY

Remember the good old days when you could install "a firewall" and deem your perimeter to be secure? Well, today's attackers are creating and launching attacks specifically designed to circumvent firewalls; payload-based, fragmentation, and cross-site scripting attacks are assaulting systems throughout the Internet constantly nowadays. Commercial networking companies are even releasing "helpful" software that lets your users tunnel all sorts of non-company-sanctioned applications right through your firewall via the HTTP port. Gone are the days when a single security solution is capable of locking down a network perimeter. In this course, students will learn about all the pieces required to really secure their network, and keep it secure, in today's incredibly hostile environment. Decoding IP packets, firewalls, intrusion detection, centralized logging and alerting, VPNs, auditing, and network design are all covered in depth, with real-world examples used to illustrate the practical knowledge.

Certification Information:
You have six months following the conference to complete GIAC certification requirements. Detailed information can be found at http://www.giac.org/steps.php.

A Sampling of Topics

  • IP Stimulus/Response
  • IP Fragmentation
  • Complex IP transports and Services
  • tcpdump, windump, Ethereal, and Other Sniffers
  • Business Needs VS Security
  • Static Packet Filtering
  • Stateful Packet Filtering and Inspection
  • Proxies
  • In-Depth Coverage of Popular Firewall Products
  • Implementing Security with a Cisco Router
  • Intrusion Detection
  • Centralized Logging
  • Firewall Log File Analysis
  • Log File Alerting
  • IPSec
  • SSL
  • SSH
  • Designing a Secure Perimeter
  • "Cool Tools"

COURSES
2.1 TCP/IP for Firewalls
Chris Brenton, ALTeNet Solutions Inc.
Monday, October 7, 2002
9:00 AM - 5:00 PM

Every Internet-based attack is transported using Internet Protocol (IP), so an in-depth understanding of IP and how it works is paramount in defending your network. Why blindly trust a commercial analyzer when you can learn to "read between the lines" yourself? The focus of this course is to train the student on how IP transports and services work, as well as how to distinguish between normal and malicious traffic patterns. Common network attack techniques and the ways to thwart them are discussed in detail, and free tools such as tcpdump and windump are demonstrated in class so that the student will be capable of putting their new knowledge to work immediately once they return to the office.

NOTE: Due to the technical level and pace of this course, students should already be familiar with TCP/IP fundamentals such as IP addresses; ports; IP protocols such as TCP, UDP, and ICMP; and TCP basics such as flags, sequence numbers, the three-way handshake, and session establishment/teardown. Students can test their basic knowledge of TCP/IP by taking the online quiz at http://www.sans.org/giactc/TCPIP/quiz.htm. Students who are not comfortable with the prerequisite material should consider taking either the SANS Security Essentials or Information Systems Security Officer course, or doing additional preparatory work before enrolling in this course/track.


Topics Include:

TCP/IP Refresher

  • tcpdump and How It Works
  • tcpdump Output
  • IP Headers and How to Read Them
  • Link Layer Communications
  • IP Communications
  • TCP Communications
  • UDP Communications

ICMP and Decoding ICMP Errors

Stimulus/Response

  • Interpreting Packet Stimulus and Response
  • Interpreting tcpdump Traces
  • Complex IP Services

Fragmentation

  • Normal Packet Fragmentation
  • Malicious Packet Fragmentation

Microsoft Networking

  • NetBIOS/IP Communications
  • WINS and NetBIOS/IP Node Types

DNS

  • DNS Communications
  • DNS Query Tools
  • DNS Enumeration and Cache Poisoning
Routing

  • IP Routing
  • IP Options: Source Routing and Record Route
  • ARP Communication
  • Malicious ARP Attacks

IPSec

  • Authentication Header
  • Encapsulating Security Payload

"Well written course with the right level of detail, taught at a good and entertaining pace."
-- Anthony J. Munns, Arthur Anderson LLP
"The best example of the practical use of TCP/IP I've ever seen."
-- Steve Barish, Ernst & Young

2.2 Firewalls 101: Perimeter Protection with Firewalls
Chris Brenton, ALTeNet Solutions Inc.
Tuesday, October 8, 2002
9:00 AM - 5:00 PM

We are all dependent on firewalls and other perimeter protection systems to protect our sites. It is virtually impossible to secure all the systems in a facility and keep them secured, so we turn to perimeter defenses. Considering how important this protection mechanism is, it is amazing that we treat firewalls as magic black boxes. There is a tendency to put them in and forget them. Do you have the right firewall? Has it been placed correctly? Is it configured correctly? Stephen Northcutt and Chris Brenton have completely rewritten this material to offer the most intensive single-day course on perimeter defense in the world. The result is a practical, from-the-trenches, step-by-step program.


Topics Include:

I. Perimeter Concepts

  • Vulnerabilities and Threats
  • Perimeter Security
  • Security Policies
  • Defense in Depth
  • Where does a Firewall fit in?
  • Perimeter Design

II. Static Packet Filtering

  • How It Works
  • tcpdump and windump
  • Decoding Packets
  • Using nmap to Assess Your Firewall Filters
  • When to Use Static Packet Filtering
  • Deficiencies of Static Filtering
  • Ingress and Egress Filtering

III. Stateful Filtering and Inspection

  • How It Works!
  • Types of Stateful Packet Filters
  • Stateful Inspection
  • Network Address Translation (NAT)


IV. Proxy Gateways

  • How They Work!
  • When to Use a Proxy Firewall
  • Pros and Cons of Proxy Firewalls
  • Installing and Configuring a Squid Proxy Server

V. FW-1 and Cisco PIX

  • FW-1 Features and Products
  • FW-1 Management and Policy Editor
  • Pros and Cons of FW-1
  • PIX Feature Overview
  • Advantages and Disadvantages of a Hardware Firewall
  • PIX Management and Configuration

VI. NetFilter and Gauntlet

  • NetFilter Features
  • NetFilter Implementation and Management
  • NetFilter - Rules and Chains
  • Masquerading
  • Gauntlet Features
  • Gauntlet Rule Management
  • Gauntlet VPN Support


"Excellent class for introduction to firewalls and perimeter protection."
-- Shakell Shaikh, Routers America
"This class provides a good introduction to an overview of firewall concepts and specific firewall products and their applications to the implementation of secure networks."
-- Shoshana Billik, CSC

2.3 Firewalls 102: Perimeter Protection and Defense In-Depth
Chris Brenton, ALTeNet Solutions Inc.
Wednesday, October 9, 2002
9:00 AM - 5:00 PM

Building on the foundational knowledge students gained in the Firewalls 101 course, this course takes that information and shows students how to put it to best use. Students learn how to build strong firewall rulebases, as well as how to apply them to devices such as Cisco routers, with the instructor leading the class through the building of an example rulebase. Log analysis is covered in detail, as a majority of the work involved with managing a perimeter is in reviewing firewall log entries. Students receive the benefit of many years of "in the trenches" experience, learning the most efficient and effective methods the experts use to expedite the potentially lengthy process of log review. Additionally, other perimeter security concepts such as intrusion detection and host armoring are covered so that the student may begin to understand how the various tools can be used in conjunction, layered, to construct a true defense in-depth environment.


Topics Include:

I. Cisco Routers and ACLs

  • Role of Routers in Perimeter Defense
  • Cisco Router Basics
  • Standard and Extended ACLs
  • Reflexive ACLs
  • Router Armoring/Hardening
  • "Best Practices" Router Configuration

II. Building a Rulebase

  • Rules Every Firewall Should Have
  • Dos and Don'ts of Design
  • Implementing Firewall Rules
  • Common Mistakes
  • Troubleshooting a Rulebase
  • Tuning Rulebase Performance
  • Rules to Facilitate Log File Analysis
  • Assessing the Security of Your Rulebase Design


III. Log Analysis

  • What Kinds of Logs Do You Have?
  • Interpreting your Logs
  • Common Traffic Patterns
  • Searching and "Pruning" your Log Files
  • Log Analysis Time Management

IV. Intrusion Detection Overview

  • How Intrusion Detection fits into Perimeter Protection
  • IDS Placement
  • Reviewing IDS Detects
  • Distinguishing Between Real Alerts and False Positives
  • Static VS. Stateful IDS (Yes, it applies to IDS too!)
  • IDS Product Review
  • Installing and Configuring Snort

V. Locking Down Hosts

  • Armoring a Host
  • Identifying and Removing Unneeded Services
  • Locking Down DNS
  • Locking Down HTTP
  • Locking Down SMTP
  • Locking Down Windows

"This course was good because it provided both information on Cisco router-based access control lists, as well as information on securing end systems. It also emphasized the creation and establishment of a formal security policy for all aspects of the network including the firewalls, routers, and switches."
-- Shoshana Billik, CSC
"It is an excellent course for people dealing in security. Gives them an overall perspective of dos & don'ts which otherwise will take years of hit and trial on one's part to grasp and implement the security in a methodical and tested way."
-- Vijay Mishia, CNSI

2.4 VPNs and Remote Access
Chris Brenton, ALTeNet Solutions Inc.
Thursday, October 10, 2002
9:00 AM - 5:00 PM

This is a foundation-level course, designed to give students the technical capability to understand what a VPN is, where the technology is headed, and the key implementation issues. At the completion of the course, students will understand the fundamentals of tunneling with both IPSec and PPTP based approaches. Students will build on the IPSec introduction from the TCP/IP course, going into the details of key exchange and architecture. Students will understand how VPN encryption and authentication work, and which key features to look for in products. The course closes with a live, in-depth look at several products. Whether you already have a VPN, or are designing one from scratch, this course will help you make informed decisions.


Topics Include:

I. VPN Basics

  • Why Use VPNs
  • VPN Security Issues
  • Encryption: Ciphers and algorithms
  • Public Key Cryptography
  • Digital Certificates and PKI

II. VPN Options - SSH, SSL, and PPTP

  • SSL Encryption Options and stunnel
  • SSL Browser Configuration
  • SSH Encryption
  • SSH1 vs. SSH2
  • History of PPTP
  • PPTP Implementations

III. VPN Options II - IPSEC

  • The Ins and Outs of Security Associations (SA)
  • Internet Key Exchange (IKE)
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
  • IPSec Packet Analysis
  • Practical Applications


IV. VPN Case Studies I - Web Servers and Remote Users

  • Creating Secure Communications Channels to Web Servers
  • Digital Certificates
  • Implementing VPN Options for Remote Access
  • Configure your Firewall to Secure Your Network from Remote Users

V. VPN Case Studies II - Connecting Networks, IMAP-4, and Citrix

  • Secure Remote Access to Mail Servers
  • Installation and Configuration of SSH
  • Tunnelling IMAP
  • Citrix SecureICA Services and Implementation
  • Troubleshooting Citrix SecureICA Services

VI. Market Overview and VPN Design

  • SANS VPN Survey
  • Trends in VPN Technology
  • Choosing Your VPN Hardware
  • Where Exactly Does Your VPN Hardware Go?
  • Personal Firewalls
  • Managing Security for Hundreds of VPN Users
  • The Insecurities of Wireless Encryption
  • How to Deploy a Secure Wireless Network

"This course presented good detail of VPNs and how to use them. The VPN design is excellent!"
-- Joe Adams, Fleet Libris
"Good overview of requirements and comparison of existing software options."
-- Judy Johnson, NASA/GSFC

2.5 Network Design and Performance
Chris Brenton, ALTeNet Solutions Inc.
Friday, October 11, 2002
9:00 AM - 5:00 PM

Setting up a secure perimeter is a critical task, but it is only the starting point, the foundation, of your defense in-depth security program. This course focuses on the long-term administration required to maintain a secure perimeter. Centralized logging and alerting are covered in detail, and an extensive, brand new section on network and host based auditing has just been created, available for the first time at SANS Beyond Firewalls. The class will also examine many of the publicly available free tools that can be of benefit, or detriment, to the security of your environment. The second half of the day is spent exploring the principles of good network design through lecture as well as in-class exercises that use case studies to help illustrate important concepts and get students thinking along the right lines. Network design auditing and troubleshooting are explored in depth.


Topics Include:

I. Pulling It All Together

  • Setting Up a Time-Synchronized Environment
  • Centralized Logging
  • Centralized Alerting
  • Identifying Attack Signatures

II. "Cool Tools"

  • Network Monitoring
  • Man-in-the-Middle Tools
  • Packet Crafting Tools
  • Firewall and IDS Evading Tools
  • Worms, Viruses and Root Kits

III. Auditing

  • Host Auditing
  • Network Auditing
  • Vulnerability Assessment
  • Auditing with the Windows Resource Kit

IV. Network Design Case Studies

V. Assessing Secure Network Designs

"Great real-world examples! Provides the Big Picture approach to systems, security and networking, policy and procedures!"
-- Wil Bennett, USAA
"Again, real world examples and analysis brought out a lot of additional ideas that could be applied to my own network. Several of the discussions made it obvious how to tackle and better yet, fix problems I have currently been experiencing."
-- Tom Coulter, NovAtel, Inc.
"The fact that a firewall track includes a network design course demonstrates an excellent comprehensive view of network security that greatly increases my perceived value of SANS GIAC Certification. Good review, good discussions."
-- Alan Moe, ID Certify, Inc.
Last Update March 3, 2002