This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Enterprise Linux Security Administration course. After a detailed discussion of the TCP/IP suite component protocols and Ethernet operation, the student practices using various tools to capture, analyze, and generate IP traffic. Students then explore the tools and techniques used to exploit protocol weaknesses and perform more advanced network attacks. After building a thorough understanding of network based attacks, course focus shifts to the defensive solutions available. Students install, configure, and test one of the most popular and powerful NIDS solutions available. Finally, students create a Linux based router / firewall solution, including advanced functionality such as NAT, policy routing, and traffic shaping.
Prerequisites: Since the tools used in class are compiled and run on a Linux system, Linux or UNIX system experience is helpful, but not necessary. A solid background in networking concepts will greatly aid incomprehension. This is an intense class that covers many topics.
This course is currently taught using Fedora Core 3.
Express Interest in this Course
Detailed Course Outline
Section 1 Ethernet and IP OperationOSI Network Model
Application Layers
Network Services Layers
Moving Data Through The Stack
Data Link Layer Format
Ethernet Operation
Hub and Switch Operation
Ethernet Security Issues
Detecting Promiscuous NICs
Network Packet Capture
tcpdump
Ethereal
IPv4
IP Addressing
Differentiated Services
IP Fragmentation
Path MTU Discovery
ARP
ICMP
ICMP Redirects
Important ICMP Messages
ICMP Security Issues
Protecting Against ICMP Abuse
Lab 1 - Basic Traffic Generation, Capture, and AnalysisApplication Layers
Network Services Layers
Moving Data Through The Stack
Data Link Layer Format
Ethernet Operation
Hub and Switch Operation
Ethernet Security Issues
Detecting Promiscuous NICs
Network Packet Capture
tcpdump
Ethereal
IPv4
IP Addressing
Differentiated Services
IP Fragmentation
Path MTU Discovery
ARP
ICMP
ICMP Redirects
Important ICMP Messages
ICMP Security Issues
Protecting Against ICMP Abuse
Capture and analyze ARP traffic with a variety of tools
Capture and analyze ICMP echo, unreachable, and redirect messages
Explore the differences between a variety of traffic capture utilities and their interfaces and options
Section 2 IP and ARP Vulnerability AnalysisCapture and analyze ICMP echo, unreachable, and redirect messages
Explore the differences between a variety of traffic capture utilities and their interfaces and options
IP Security Issues
IP Routing
Routing Protocol Security
Protecting Against IP Abuse
ARP Security Issues
Cache Poisoning with ARP Replies
Cache Poisoning with ARP Requests
ARP Cache Poisoning Defense
Lab 2 - Advanced Traffic Generation, and CaptureIP Routing
Routing Protocol Security
Protecting Against IP Abuse
ARP Security Issues
Cache Poisoning with ARP Replies
Cache Poisoning with ARP Requests
ARP Cache Poisoning Defense
Learn to use a variety of tools to generate traffic, including forged headers.
Use ARP cache "poisoning" to capture traffic on a switched LAN
Use various techniques to discover if a NIC is in promiscuous mode
Section 3 UDP/TCP Protocol and TELNET Vulnerability AnalysisUse ARP cache "poisoning" to capture traffic on a switched LAN
Use various techniques to discover if a NIC is in promiscuous mode
User Datagram Protocol
UDP Segment Format
Transmission Control Protocol
TCP Segment Format
TCP Port Numbers
TCP Sequence / Acknowledgment #’s
TCP Three-way Handshake
TCP Window Size
The TCP State Machine
The TCP State Transitions
TCP Connection Termination
TCP SYN Attack
TCP Sequence Guessing
TCP Connection Hijacking
Telnet
Telnet Concepts - Options
Telnet Concepts - Commands
Telnet Security Concerns
Lab 3 - Attacks on TCPUDP Segment Format
Transmission Control Protocol
TCP Segment Format
TCP Port Numbers
TCP Sequence / Acknowledgment #’s
TCP Three-way Handshake
TCP Window Size
The TCP State Machine
The TCP State Transitions
TCP Connection Termination
TCP SYN Attack
TCP Sequence Guessing
TCP Connection Hijacking
Telnet
Telnet Concepts - Options
Telnet Concepts - Commands
Telnet Security Concerns
Use forged packets to slow and kill TCP sessions.
Monitor and hijack a telnet session
Section 4 FTP and HTTP Vulnerability AnalysisMonitor and hijack a telnet session
FTP
Modes
Transfer Methods
Security Concerns
The Bounce Attack
Minimizing Risk
FTP - Port Stealing
Brute-force Attacks
Access Restriction
Privacy
HTTPv1.1
HTTP Protocol Parameters
HTTP Message
HTTP Request/Method Definitions
Response/Status Codes
Proxies
Authentication
Security Concerns
Personal Information
Attacks On File and Path Names
Header Spoofing
Auth Credentials and Idle Clients
Proxy Servers
Lab 4 - Attacks on FTP and HTTPModes
Transfer Methods
Security Concerns
The Bounce Attack
Minimizing Risk
FTP - Port Stealing
Brute-force Attacks
Access Restriction
Privacy
HTTPv1.1
HTTP Protocol Parameters
HTTP Message
HTTP Request/Method Definitions
Response/Status Codes
Proxies
Authentication
Security Concerns
Personal Information
Attacks On File and Path Names
Header Spoofing
Auth Credentials and Idle Clients
Proxy Servers
Use dsniff to capture FTP and HTTP passwords
Bonus exercise: Use urlsnarf and webspy to monitor a web browser
Section 5 DNS Protocol Vulnerability AnalysisBonus exercise: Use urlsnarf and webspy to monitor a web browser
DNS
DNS Basic Concepts and Terms
DNS Resolution
DNS Zone Transfers
DNS Spoofing
DNS Cache Poisoning
DNS Security Improvements
Lab 5 - Attacks on DNSDNS Basic Concepts and Terms
DNS Resolution
DNS Zone Transfers
DNS Spoofing
DNS Cache Poisoning
DNS Security Improvements
Use dnsspoof to forge DNS responses to redirect web traffic
Use forged DNS responses to circumvent host based access security
Section 6 SSH and HTTPS Protocol Vulnerability AnalysisUse forged DNS responses to circumvent host based access security
SSH Concepts
Initial Connection
Protocols
SSH1
SSH2
Encryption Vulnerabilities
SSH Vulnerabilities
SSH1 Insertion Attack
SSH Brute Force Attack
SSH1 CRC Compensation Attack
Bleichenbacher Oracle
SSH1 Session Key Recovery
Client Authentication Forwarding
Host Authentication Bypass
X Session Forwarding
HTTPS Protocol Analysis
SSL Enabled Protocols
SSL protocol
SSL Layers
The SSL Handshake
SSL Vulnerabilities
Intercepted Change Cipher Spec
Intercepted Key Exchange
Version Rollback Attack
Lab 6 - HTTPS and SSHInitial Connection
Protocols
SSH1
SSH2
Encryption Vulnerabilities
SSH Vulnerabilities
SSH1 Insertion Attack
SSH Brute Force Attack
SSH1 CRC Compensation Attack
Bleichenbacher Oracle
SSH1 Session Key Recovery
Client Authentication Forwarding
Host Authentication Bypass
X Session Forwarding
HTTPS Protocol Analysis
SSL Enabled Protocols
SSL protocol
SSL Layers
The SSL Handshake
SSL Vulnerabilities
Intercepted Change Cipher Spec
Intercepted Key Exchange
Version Rollback Attack
Perform a man-in-the-middle attack on secure web connections.
Perform a man-in-the-middle attack on SSH v1 connections.
Perform a timing and packet length attack on SSH v1 and SSH v2 connections.
Section 7 Remote Operating System DetectionPerform a man-in-the-middle attack on SSH v1 connections.
Perform a timing and packet length attack on SSH v1 and SSH v2 connections.
OS Detection
Banners
Commands
Less-direct Approaches
TCP/IP Stack Fingerprinting
Remote Fingerprinting Apps
nmap
Lab 7 - Using nmapBanners
Commands
Less-direct Approaches
TCP/IP Stack Fingerprinting
Remote Fingerprinting Apps
nmap
Use the Nmap utility to perform general network sweep scans.
Use Nmap to perform a wide variety of scans on a host.
Use Nmap to perform TCP/IP fingerprinting for remote OS detection.
Section 8 Attacks and Basic Attack DetectionUse Nmap to perform a wide variety of scans on a host.
Use Nmap to perform TCP/IP fingerprinting for remote OS detection.
Sources of Attack
Denial-of-Service Attacks
Methods of Intrusion
Exploit Software Bugs
Exploit System Confiuration
Exploit Design Flaws
Password cracking
Typical Intrusion Scenario
Intrusion Detection
IDS Considerations
Attack Detection Tools
Klaxon
PortSentry
PortSentry Design
Snort
Lab 8 - Basic Scan DetectionDenial-of-Service Attacks
Methods of Intrusion
Exploit Software Bugs
Exploit System Confiuration
Exploit Design Flaws
Password cracking
Typical Intrusion Scenario
Intrusion Detection
IDS Considerations
Attack Detection Tools
Klaxon
PortSentry
PortSentry Design
Snort
Examine standard system logs and statistics for signs of attack
Configure portsentry to log port scans from nmap
Configure portsentry for active response to port scans
Section 9 Intrusion Detection TechnologiesConfigure portsentry to log port scans from nmap
Configure portsentry for active response to port scans
Intrusion Detection Systems
Host Based IDS
Network Based IDS
Network Node IDS
File Integrity Checkers
Hybrid NIDS
Honeypots
Focused Monitors
Snort Architecture
Snort Detection Rules
Snort Logs and Alerts
Snort Rules
Lab 9 - Exploring SnortHost Based IDS
Network Based IDS
Network Node IDS
File Integrity Checkers
Hybrid NIDS
Honeypots
Focused Monitors
Snort Architecture
Snort Detection Rules
Snort Logs and Alerts
Snort Rules
Install snort
Test Snort to see if it detects Nmap scans
Use Snort to examine network traffic in decoded text format
Use Snort to capture all network packets in tcpdump-style binary logs
Use tethereal to analyze captured packets
Setup Snort to log to SYSLOG
Section 10 Advanced Snort ConfigurationTest Snort to see if it detects Nmap scans
Use Snort to examine network traffic in decoded text format
Use Snort to capture all network packets in tcpdump-style binary logs
Use tethereal to analyze captured packets
Setup Snort to log to SYSLOG
Advanced snort Features
snort Add-ons
ACID Web Console
The ACID Interface
SnortCenter Management
Lab 10 - Snort Toolssnort Add-ons
ACID Web Console
The ACID Interface
SnortCenter Management
Set up a new MySQL database for use with snort
Configure snort to log to the new database
Set up and test the ACID analysis tool
Setup and configure SnortCenter
Install and configure the Linux SnortCenter Sensor Agent
Observe how snort and ACID respond to attacks.
Section 11 Snort RulesConfigure snort to log to the new database
Set up and test the ACID analysis tool
Setup and configure SnortCenter
Install and configure the Linux SnortCenter Sensor Agent
Observe how snort and ACID respond to attacks.
Snort Rules Format
Snort Rules Options
Writing Snort Rules
Example Rules
Lab 11 - Custom Snort RulesSnort Rules Options
Writing Snort Rules
Example Rules
Capture packet from exploit that Snort does not currently detect
Write a custom rule for snort to detect the exploit
Verify exploit detection
Section 12 Linux and Static RoutingWrite a custom rule for snort to detect the exploit
Verify exploit detection
Linux As a Router
Linux Router Minimum Requirements
Router Focused Distributions
Router Specific Settings
Lab 12 - Static RoutingLinux Router Minimum Requirements
Router Focused Distributions
Router Specific Settings
Configure your host to act as a router
Configure and test "automatic" anti-spoofing protection
Configure the system to implement the above automatically on reboot
Section 13 Linux FirewallsConfigure and test "automatic" anti-spoofing protection
Configure the system to implement the above automatically on reboot
Types of Firewalls
Application Firewalls:TCP Wrappers
Application Firewalls: Squid
Packet Filter: ipchains
Stateful Packet Filter: iptables
Firewall Topology
Recommended Firewall Rules
Firewall Limitations
iptables Concepts
Using iptables
Advanced iptables Actions
iptables: A More Secure Approach
Lab 13 - IPtablesApplication Firewalls:TCP Wrappers
Application Firewalls: Squid
Packet Filter: ipchains
Stateful Packet Filter: iptables
Firewall Topology
Recommended Firewall Rules
Firewall Limitations
iptables Concepts
Using iptables
Advanced iptables Actions
iptables: A More Secure Approach
Use iptables to filter traffic destined to your host
Use iptables to log traffic destined to a specific port on your host
Section 14 Network and Port Address TranslationUse iptables to log traffic destined to a specific port on your host
Address Translation
Configuring NAT and PAT
NAT Limitations
Configuring NAT and PAT
NAT Limitations