A Network Security Class?
eap asks: "Some friends of mine and I are creating a Network Security course to take this summer. We have discussed the idea, but so far haven't decided what the class should entail. We were thinking of running exploits against several OSes, and then trying to plug the holes. Could anyone recommend a 'syllabus' for how such a class might go?" This is a good idea, but they need to flesh out that syllabus a bit more. Running exploits and plugging the holes is one thing, but that's not all there is to securing your LAN, is there? For one thing, it leaves out -internal- network security. Not all threats to a network exist on the outside.
internal hardware configuration (Score:1)
just a thought
Monitor (Score:2)
Theory vs. Practice (Score:1)
In studying security, it may be beneficial to the administrator to move past the practices that are current at the time and examine the underlying theory that the practices are based upon. For example, to determine what Network Intrusion system would be best suited for a particular environment it is useful to have some understanding of the various types of NIDS systems. I offer the following reading list as a suggestion of items which may fit within the scope of the course:
Secure Computers and Networks, by Fisch and White
One of the better introductions to security analysis and design I have seen. The book is written to be a textbook for a security class. Of particular note is the chapter on Risk Assessment. It does a good job at demystifying this nebulous subject and offers some simple metrics by which one can assess their current risk.
Security in Computing, by Charles Pfleeger.
Another good textbook introducing security. I would suggest skipping chapter 2 for last; the encryption sections would have fit the end of the book better. There is an updated version out as of April; my reading was of the 1996 version. Dr. Pfleeger presents the various security models used in host, database, and network security in a clear manner. Of interest to network administrators and sysadmins would be his discussion of covert channels.
Intrusion Detection, Macmillan Technology Series
This one presents a thorough introduction into the topic of Intrusion Detection systems (both host and network). The history part is a bit dry, IMHO, but if you are going to be tasked with deploying or selecting a Network IDS system, this book will allow you to go beyond the glossy paper and understand what that IDS system will really mean for you -- both good and bad.
Network Intrusion Detection: An Analyst's Handbook by Stephen Northcutt.
Topics covered by Northcutt include recognizing attacks, weaknesses, and responding to incidents both as and after they occur. No matter how good your security, they will occur.
Information Warfare: Principles and Operations by Edward Waltz.
Not a network security book, but the new buzz word is Information Warfare. While Dr. Denning has written extensively on this subject, Dr. Waltz takes the military perspective on this topic, and covers the entire spectrum of information warfare in a lively manner. Increasingly our systems and networks will be targeted not by teenagers, but by organized groups. This book will help you separate the information on IW from the hype.
Hole range of areas to cover (Score:3)
I would take a look over at Security Focus [securityfocus.com] for further ideas on what to include. I also maintain a listing of security sites [visi.com] I feel are worthwhile.
Security Course Offerings and Resources (Score:1)
http://www.isc2.org/ [isc2.org]
http://www.brainbench.com/ [brainbench.com]
http://www.robertgraham.com/ [robertgraham.com]
http://www.r00tabega.com/ [r00tabega.com]
http://www.sans.org/ [sans.org]
http://www.csc.com/ [csc.com]
http://www.ey.com [ey.com]
http://www.securityfocus.com/ [securityfocus.com]
http://astalavista.box.sk/ [astalavista.box.sk]
http://neworder.box.sk/ [neworder.box.sk]
http://blacksun.box.sk/tutorials.html [blacksun.box.sk]
http://www.prosofttraining.com/ [prosofttraining.com]
Don Head
Linux Mentor
Topics (Score:3)
These are all commonsense and obvious, but need to be stressed all the more. Security is not merely a technical problem. Planning, procedures, and psychology are weapons in this warfare -- on both sides, no doubt.
Re:Security Course Offerings and Resources (Score:1)
"There was a recent post on ms-focus@securityfocus.com regarding security courses."
Don Head
Linux Mentor
Points to Consider (Score:2)
It is also important to remember that new versions of software fix old holes and create new ones, and that admins should look out for fixes and new dangers when installing software.
rootprompt.org has a lot of security stuff. I find two series particularly interesting [rootprompt.org]: Watching and Waiting [rootprompt.org], about what happens when a system gets cracked, and Know your Enemy [rootprompt.org], about how a typical cracker works.
Sorry about That (Score:1)
MIT Class (Score:2)
This may not be what you're looking for; I find the questions interesting, and plan on taking the class sometime in the next couple years.
Practical Security (Score:3)
1. COVER FAILED PROTOCOLS.
The field is littered with broken protocols and algorithms. Some of them are broken because they're stupid (so study why so many people thought they were smart). Some are broken because they got overtaken by technology (so cover how the protocol left itself vulnerable to technology [1]). Some are broken because the assumptions underlying the protocol are incorrect [2]. Some are... etc. Study the failed ones closely, and learn why so many people thought for so long that they were good.
2. STUDY PRACTICAL AND THEORETICAL DIFFERENCES.
IPsec is a very good protocol in theory; in practice, it's painfully mediocre. IPsec works well as a lesson for how "the best-laid plans of mice and men gang aft agley"; somewhere inside of it there's a beautiful, small protocol screaming to get out, but it gets bogged down in elephantine bulk.
Theoreticians tend to create complex protocols which are damnably difficult to implement well (but when they are, they tend to be nice). Those who take a more practical approach create simple algorithms which can be implemented well, but don't address subtleties.
For examples, see [3] and [4].
3. STUDY THE MISTAKES PEOPLE KEEP ON MAKING.
There are very few really new protocols; people just keep on re-inventing old ones. They also make the same mistakes over and over again. We've known ever since WW2 that poor passwords lead to compromised ciphers. We've known that re-using one-time pads makes it trivial to cryptanalyze data. Yet, certain nameless day-trading firms limit user passwords to six alphanumerics, case-insensitive--that's a weak password. Yet, we sometimes see KAK ciphers (OFB ciphers) being used with a repeated IV--that's the same as repeating a one-time pad.
Programming errors are even more common than protocol errors, and can be just as damning [5].
[1] DSA, for instance, originally used a 512-bit modulus. This was way too short for long-term security, and they had to revise it to 1,024 bits almost immediately. It is likely that in the not-too-distant-future, DSA will have to be changed yet again.
[2] Ajtai-Dwork and Cramer-Shoup are good examples here.
[3] Kerberos is an example of a theoretically sound protocol which is difficult to implement well in practice. Check the modifications which have been done to Kerberos--for instance, why PCBC mode was used for crypto and why it was changed to CBC mode.
[4] Schneier has some good examples of digital-cash and digital-voting schemes which are practical, but fail to address subtleties.
[5] Check out PGP's latest exploit.
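The repeated-IV point in item 3 above, as an added illustration that is not part of the original post: OFB turns a block cipher into a keystream that depends only on the key and the IV, so two messages encrypted under the same key and IV XOR to the XOR of their plaintexts, exactly like a reused one-time pad. The block cipher here is a stand-in (HMAC-SHA256 as a keyed PRF, an assumption made so the code runs on the standard library), and the key, IV and messages are constructed sample values; `find_reused_ivs` is the kind of check a defender would run over stored records.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

BLOCK = 32  # output width of the stand-in block function (HMAC-SHA256)

# Constructed sample values for the demonstration; not from any real system.
SAMPLE_KEY = b"example-key-that-must-stay-secret"
SAMPLE_IV = b"\x00" * BLOCK
MSG_A = b"attack at dawn"
MSG_B = b"retreat at dusk"


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher: HMAC-SHA256 as a keyed PRF (assumption, not AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB: O_0 = IV, O_i = E_k(O_{i-1}). The keystream never touches the plaintext."""
    out, prev = bytearray(), iv
    while len(out) < length:
        prev = block_encrypt(key, prev)
        out.extend(prev)
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR against the keystream."""
    return xor_bytes(data, ofb_keystream(key, iv, len(data)))


def fresh_iv() -> bytes:
    """The fix: a new random IV per message, transmitted alongside the ciphertext."""
    return os.urandom(BLOCK)


def keystream_cancels(key: bytes, iv1: bytes, iv2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2, i.e. the keystream dropped out (iv1 == iv2)."""
    c1, c2 = ofb_encrypt(key, iv1, p1), ofb_encrypt(key, iv2, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


def find_reused_ivs(records: List[Tuple[bytes, bytes]]) -> List[bytes]:
    """Defender check over stored (iv, ciphertext) pairs: IVs seen more than once."""
    counts: Dict[bytes, int] = {}
    for iv, _ in records:
        counts[iv] = counts.get(iv, 0) + 1
    return [iv for iv, c in counts.items() if c > 1]
```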