QAUUG AUUG Security Symposium

Tutorial Programme

Monday 19 November

Time, Tut No., Tutorial Title and Outline
Half Day Morning Tutorial 9am - 12:30pm M1 Firewalls, by Lawrie Brown

With the ever-increasing growth and pervasiveness of the Internet, more and more organisations find that they need to connect to the Internet in order to fulfil their goals. However, there are persistent security concerns with such a connection. The usual approach to reducing these concerns is to install a firewall to provide perimeter defence around private networks, supplying a single controlled and monitored point of connection. The design, installation and ongoing management of a firewall, though, is a non-trivial task. This workshop will provide an overview of this process. It starts with the determination of an appropriate security policy, and then the specification of the services to be supported and the policy applied. From this, a suitable firewall architecture can be selected from the range available, and specific equipment chosen and configured. Then there is the ongoing management of the firewall: maintaining its safe configuration, responding to security events, and monitoring its ongoing use. The workshop will not discuss particular products; rather, it is aimed at assisting those who need to manage this process.

Contents 
 
  • Introduction
  • What is a Firewall
  • Acquiring a Firewall
  • Risk Assessment
  • Gateway Policy
  • Gateway Design
  • Installation and Configuration
  • Gateway Management
  • Summary
  • More Resources
  • Appendices

Half Day Morning Tutorial 9am - 12:30pm M2 Practical IPSec, by Adrian Close

Networks on the Internet are increasingly turning to firewalls as a means of protecting themselves against external network-based attacks, creating their own small islands of trust. 

However, the increasing need for secure, inter-network communications requires extending that trust across the Internet itself - a risky proposition in an increasingly hostile network environment. 

Implementing IPSEC is one plausible solution and this tutorial will cover the fundamentals of doing this in the real world. 

Practical demonstrations of the technology involved will be given throughout the tutorial, which will include debugging techniques useful for successful deployment and interoperability of various IPSEC implementations. 

Topics: 
 
  • Why IPSEC?
  • Basic IPSEC - ESP, AH, SAs and SPIs.
  • Encryption algorithms - choices and availability.
  • The problem of key exchange.
  • ISAKMP overview.
  • ISAKMP authentication using shared secrets and certificates.
  • PKI - myths and realities.
  • Alternatives to ISAKMP.
  • IPSEC implementations and interoperability issues.
  • IPSEC and IPV6 - a vision of the future.

Half Day Morning Tutorial 9am - 12:30pm M3 Securing Solaris, by Pauline van Winsen

Solaris is currently the most widely implemented proprietary UNIX on the Internet. Like all systems, the standard installation can have security issues - from out-of-date applications to insecure defaults.

This tutorial will give the student an overview of the tasks required to secure a Solaris system in a number of environments - from workstation and server to firewall and web server.

Main topics discussed will be:

  • Base Operating System Installation
  • Operating System Hardening
  • Securing the Network Connection
  • Intrusion Detection
  • System Specifics:
    • Workstation
    • Server
    • Firewall
    • Web Server

Half Day Afternoon Tutorial 1:30pm - 5pm M4 A Cryptography Primer, by Lawrie Brown

Data encryption algorithms form an important technical component in providing secure and authenticated electronic security and communications. This workshop is designed to provide attendees with a brief overview of the field of cryptography, the terms, techniques, and algorithms. It starts by introducing the classical cryptographic techniques which form the foundations of the field. We then survey modern private key ciphers, widely used for bulk and link data encryption, from DES to the new AES encryption algorithm Rijndael. Next we consider public key encryption algorithms and signature schemes, essential for the use of cryptography in large scale, wide area communications. We conclude with a brief look at a couple of cryptographic applications, illustrating the different ways these components are combined to build a security solution.

Contents

  • Introduction
  • Classical Cryptographic Techniques
  • Modern Cryptographic Algorithms
  • Private-Key Encryption Algorithms
  • Block Ciphers
  • Stream Ciphers and the Vernam cipher
  • Public-Key Encryption Algorithms
  • Digital Signature Algorithms
  • Hashing Functions
  • Key Management
  • Security in Practice - Secure Email
  • Security in Practice - SNMP
  • Security in Practice - One Time Passwords
  • Review
  • Terminology

Half Day Afternoon 1:30pm - 5pm M5 Building an open source firewall, by Michael Paddon

Most network administrators today recognise the need for firewalls to enforce policy on inter-network traffic. While there are many commercial products addressing this need, many organisations are turning to open source solutions for reasons of performance, strength, robustness, transparency and price.

One popular and mature open source firewall package is Darren Reed's ipfilter, which is available for a wide range of Unix-like systems, both open source and commercial. Attendees will learn, in detail, how to configure ipfilter for a wide range of real-world situations and protocols. Topics covered include:

  • introduction to the ipfilter processing model
  • filtering raw IP packets
  • filtering UDP and TCP packets
  • stateful packet filtering
  • effective ruleset structures
  • packet logging
  • customising icmp returns
  • tuning for performance
  • rule groups
  • complex protocols
  • authorisation
  • network address translation
  • general firewall configuration tips

Attendees are expected to be familiar with the IP, UDP and TCP protocols and should have some systems/network administration experience.

Half Day Afternoon 1:30pm - 5pm M6 Secure Router Configuration, by Philip Smith, Cisco Systems

The integrity of the Internet depends on the security practices of the service providers whose networks are its constituent parts. Many organisations pay detailed attention to protecting end sites and their servers, but often overlook the critical components which actually make up the Internet - the routers.

This tutorial covers many of the concepts and techniques necessary to protect routers, and gives an overview of some of the facilities available on routers to deal with network incidents directed at the core infrastructure. Topics will include:

  • minimum and essential configuration requirements
  • inbound and outbound filtering
  • routing protocol security
  • administrative and operational practices
  • unicast reverse path forwarding checks
  • facilities to deal with attacks on routers and networks

Half Day Afternoon 1:30pm - 5pm M7 Securing BIND, by Pauline van Winsen

The Domain Name System, DNS, is used to resolve names to IP addresses and vice versa, and thus is one of the fundamental infrastructure protocols in use on the Internet and within organisations. Unfortunately, a number of security exploits have been revealed in specific versions of BIND and many default installations of BIND are exploitable.

This tutorial will give the student an overview of the tasks required to secure a BIND name server and steps which can be taken to minimize the impact of any future vulnerabilities which may be found in BIND. Example configurations will be given for versions 8 and 9 of BIND.

The main topics discussed will be:

  • Obtaining and installing the latest BIND software
  • Improving BIND security through configuration options
  • Implementing BIND in a chroot environment
  • Running multiple versions of BIND on a single server to implement split-DNS
  • Future BIND security directions with zone and request authentication
  • Extending principles used to secure BIND to other crucial services
  • Alternative DNS implementations


Last modified 14th November 2001
security2001@auug.org.au