Network Security Essentials - Course Content

1. Introduction

Goals and targets
Machine setup
Tools summary
Surveillance
- Legal issues
- Policy necessities
- Surveillance procedures
Employee monitoring
- Privacy
- Communications ("wiretapping")
- Workplace surveillance laws
Defence
Configuration v Patching
- Defeating attack 'styles'
Why defensive configuration is vital
- Defeating unknown attacks
- Defeating post-patch exploits
Destroy defaults!

Lab Session (starting early, so we can start recording): all-in-one
install/configuration of Snort IDS, IDSCenter front end, Apache
web server, PHP, MySQL database, and ACID (Analysis Console for
Intrusion Databases)

2. Diagnosis and Detection

Port Scanning
Traffic Sniffing
- At the machine
- At the gateway
Port-to-process mapping
- Finding Suspect Processes
- Sniffing their traffic
Rootkit Detection
- Rootkit Revealer
- Tricks of the 'Trade'
Filesystem Activity
Registry Activity

Lab Session: Using nmap, Port Explorer, Packetyzer, various Rootkit
detectors and system monitors to diagnose and detect suspicious
activity

3. Vulnerability Scanning

Finding flaws
Surveillance
- Operating systems
- Network devices
- Protocols
Scanner choices
- Free tools
- Enterprise expensive
- Cheap and useful
Scanner installation
- Linux/Unix
- Windows
- "Cross-platform"
Initial configuration
DDoS (Disabling DoS!)
Producing reports
Understanding results
- Cross-checking
- Value-adding: interpretation
Applying the fixes
Lock down key systems

Lab Session: Perform a vulnerability scan of a complete "lab
network" with all Windows varieties, Linux systems, and a range of
patch and service-pack levels. Interpret the results and decide on
critical remediation

4. User Surveillance

Gateway monitoring
Content filtering
- Controlling recreational surfing
- Avoiding questionable sites
- Understanding user behaviour
Detailed analysis
- User internet activity
- Email
- Chat and Instant Messaging
Usage logging
- By protocol
- By volume
- By type
Browser Forensics
- Where has this machine been?

5. Network Surveillance

Stealth sniffing
- Password theft
- Secrets exposed
- Easy enumeration
Switch Tricks
- Man-in-the-middle
- ARP poisoning
Attacking the device
- Hardening switches?
- Other attack vectors

Lab Session: Using proprietary monitoring and analysis tools;
capturing and analysing syslog output and firewall logs; performing
a browser forensic analysis; advanced packet sniffing and
password/protocol capture; using ARP cache poisoning; capturing
secrets as man-in-the-middle

6. Administrative Challenges

Who owns "security"?
Getting the right support
The Deny-All philosophy
- When to still say yes
- Providing secure empowerment
OS Bugs and Patches
Patch monitoring and management
Automating system updates
- Do you really need them?
- How soon?

Lab Session: Using SUS (Software Update Server), WSUS (Windows
Server Update Services), SUS to WSUS migration, and using manual
monitoring and deployment tools

7. Host Surveillance and Defence

HIDS (Host Intrusion Detection)
File System monitors
Log and Event monitors
Network activity monitors
'Spy' software
Application 'firewalls'
OS 'firewalls'
Custom IDS techniques
- HoneyTokens
- Policy monitors

8. Network Surveillance

NIDS (Network Intrusion Detection)
Intrusion Detection or Intrusion Prevention?
Commercial IDS tools
Commercial and Free: Snort
Making Snort useable and effective
Easy sensor deployment
How to tune-out false alarms
- Database logging
- Aggregation and analysis
Customising IDS
- Rules
- Placement
- Analysis
Scaling IDS
- Multi-sensor strategies
- Aggregating sensor output
- How to analyse alerts

Lab Session: Analysing the information collected since the start of
the course by our IDS sensors using ACID (Analysis Console for
Intrusion Databases), determining the major causes of false alarms,
tuning the rules and configuration; pointing multiple sensors to a
single database and analysing aggregated alerts to detect attack
patterns; testing a range of surveillance and defence tools;
extended experimentation as time permits

Quick Links