GL510 Linux Network Security Course Outline

Section 1 Ethernet and IP Operation
  • OSI Network Model
  • Application Layers
  • Network Services Layers
  • Moving Data Through The Stack
  • Data Link Layer Format
  • Ethernet Operation
  • Hub and Switch Operation
  • Ethernet Security Issues
  • Detecting Promiscuous NICs
  • Network Packet Capture
  • tcpdump
  • Ethereal
  • IPv4
  • IP Addressing
  • Differentiated Services
  • IP Fragmentation
  • Path MTU Discovery
  • ARP
  • ICMP
  • ICMP Redirects
  • Important ICMP Messages
  • ICMP Security Issues
  • Protecting Against ICMP Abuse
  • Lab 1 - Basic Traffic Generation, Capture, and Analysis
    • Capture and analyze ARP traffic with a variety of tools
    • Capture and analyze ICMP echo, unreachable, and redirect messages
    • Explore the differences between a variety of traffic capture utilities and their interfaces and options
Section 2 IP and ARP Vulnerability Analysis
  • IP Security Issues
  • IP Routing
  • Routing Protocol Security
  • Protecting Against IP Abuse
  • ARP Security Issues
  • Cache Poisoning with ARP Replies
  • Cache Poisoning with ARP Requests
  • ARP Cache Poisoning Defense
  • Lab 2 - Advanced Traffic Generation and Capture
    • Learn to use a variety of tools to generate traffic, including forged headers.
    • Use ARP cache "poisoning" to capture traffic on a switched LAN
    • Use various techniques to discover if a NIC is in promiscuous mode
Section 3 UDP/TCP Protocol and TELNET Vulnerability Analysis
  • User Datagram Protocol
  • UDP Segment Format
  • Transmission Control Protocol
  • TCP Segment Format
  • TCP Port Numbers
  • TCP Sequence / Acknowledgment Numbers
  • TCP Three-way Handshake
  • TCP Window Size
  • The TCP State Machine
  • The TCP State Transitions
  • TCP Connection Termination
  • TCP SYN Attack
  • TCP Sequence Guessing
  • TCP Connection Hijacking
  • Telnet
  • Telnet Concepts - Options
  • Telnet Concepts - Commands
  • Telnet Security Concerns
  • Lab 3 - Attacks on TCP
    • Use forged packets to slow and kill TCP sessions.
    • Monitor and hijack a telnet session
Section 4 FTP and HTTP Vulnerability Analysis
  • FTP
  • Modes
  • Transfer Methods
  • Security Concerns
  • The Bounce Attack
  • Minimizing Risk
  • FTP - Port Stealing
  • Brute-force Attacks
  • Access Restriction
  • Privacy
  • HTTP/1.1
  • HTTP Protocol Parameters
  • HTTP Message
  • HTTP Request/Method Definitions
  • Response/Status Codes
  • Proxies
  • Authentication
  • Security Concerns
  • Personal Information
  • Attacks On File and Path Names
  • Header Spoofing
  • Auth Credentials and Idle Clients
  • Proxy Servers
  • Lab 4 - Attacks on FTP and HTTP
    • Use dsniff to capture FTP and HTTP passwords
    • Bonus exercise: Use urlsnarf and webspy to monitor a web browser
Section 5 DNS Protocol Vulnerability Analysis
  • DNS
  • DNS Basic Concepts and Terms
  • DNS Resolution
  • DNS Zone Transfers
  • DNS Spoofing
  • DNS Cache Poisoning
  • DNS Security Improvements
  • Lab 5 - Attacks on DNS
    • Use dnsspoof to forge DNS responses to redirect web traffic
    • Use forged DNS responses to circumvent host based access security
Section 6 SSH and HTTPS Protocol Vulnerability Analysis
  • SSH Concepts
  • Initial Connection
  • Protocols
  • SSH1
  • SSH2
  • Encryption Vulnerabilities
  • SSH Vulnerabilities
  • SSH1 Insertion Attack
  • SSH Brute Force Attack
  • SSH1 CRC Compensation Attack
  • Bleichenbacher Oracle
  • SSH1 Session Key Recovery
  • Client Authentication Forwarding
  • Host Authentication Bypass
  • X Session Forwarding
  • HTTPS Protocol Analysis
  • SSL Enabled Protocols
  • SSL protocol
  • SSL Layers
  • The SSL Handshake
  • SSL Vulnerabilities
  • Intercepted Change Cipher Spec
  • Intercepted Key Exchange
  • Version Rollback Attack
  • Lab 6 - HTTPS and SSH
    • Perform a man-in-the-middle attack on secure web connections.
    • Perform a man-in-the-middle attack on SSH v1 connections.
    • Perform a timing and packet length attack on SSH v1 and SSH v2 connections.
Section 7 Remote Operating System Detection
  • OS Detection
  • Banners
  • Commands
  • Less-direct Approaches
  • TCP/IP Stack Fingerprinting
  • Remote Fingerprinting Apps
  • nmap
  • Lab 7 - Using nmap
    • Use the Nmap utility to perform general network sweep scans.
    • Use Nmap to perform a wide variety of scans on a host.
    • Use Nmap to perform TCP/IP fingerprinting for remote OS detection.
Section 8 Attacks and Basic Attack Detection
  • Sources of Attack
  • Denial-of-Service Attacks
  • Methods of Intrusion
  • Exploit Software Bugs
  • Exploit System Configuration
  • Exploit Design Flaws
  • Password cracking
  • Typical Intrusion Scenario
  • Intrusion Detection
  • IDS Considerations
  • Attack Detection Tools
  • Klaxon
  • PortSentry
  • PortSentry Design
  • Snort
  • Lab 8 - Basic Scan Detection
    • Examine standard system logs and statistics for signs of attack
    • Configure portsentry to log port scans from nmap
    • Configure portsentry for active response to port scans
Section 9 Intrusion Detection Technologies
  • Intrusion Detection Systems
  • Host Based IDS
  • Network Based IDS
  • Network Node IDS
  • File Integrity Checkers
  • Hybrid NIDS
  • Honeypots
  • Focused Monitors
  • Snort Architecture
  • Snort Detection Rules
  • Snort Logs and Alerts
  • Snort Rules
  • Lab 9 - Exploring Snort
    • Install snort
    • Test Snort to see if it detects Nmap scans
    • Use Snort to examine network traffic in decoded text format
    • Use Snort to capture all network packets in tcpdump-style binary logs
    • Use tethereal to analyze captured packets
    • Set up Snort to log to SYSLOG
Section 10 Advanced Snort Configuration
  • Advanced snort Features
  • snort Add-ons
  • ACID Web Console
  • The ACID Interface
  • SnortCenter Management
  • Lab 10 - Snort Tools
    • Set up a new MySQL database for use with snort
    • Configure snort to log to the new database
    • Set up and test the ACID analysis tool
    • Set up and configure SnortCenter
    • Install and configure the Linux SnortCenter Sensor Agent
    • Observe how snort and ACID respond to attacks.
Section 11 Snort Rules
  • Snort Rules Format
  • Snort Rules Options
  • Writing Snort Rules
  • Example Rules
  • Lab 11 - Custom Snort Rules
    • Capture a packet from an exploit that Snort does not currently detect
    • Write a custom rule for snort to detect the exploit
    • Verify exploit detection
Section 12 Linux and Static Routing
  • Linux As a Router
  • Linux Router Minimum Requirements
  • Router Focused Distributions
  • Router Specific Settings
  • Lab 12 - Static Routing
    • Configure your host to act as a router
    • Configure and test "automatic" anti-spoofing protection
    • Configure the system to implement the above automatically on reboot
Section 13 Linux Firewalls
  • Types of Firewalls
  • Application Firewalls: TCP Wrappers
  • Application Firewalls: Squid
  • Packet Filter: ipchains
  • Stateful Packet Filter: iptables
  • Firewall Topology
  • Recommended Firewall Rules
  • Firewall Limitations
  • iptables Concepts
  • Using iptables
  • Advanced iptables Actions
  • iptables: A More Secure Approach
  • Lab 13 - iptables
    • Use iptables to filter traffic destined to your host
    • Use iptables to log traffic destined to a specific port on your host
Section 14 Network and Port Address Translation
  • Address Translation
  • Configuring NAT and PAT
  • NAT Limitations