This course is not scheduled. Inquire about on-site training at your facility.
Overview
| Course code | QLG51 | Skill level | Intermediate |
|---|---|---|---|
| Duration | 5.0 days | Delivery type | Classroom (hands-on labs) |
| Course type | Public or private on-site | | |
| Public price | USD $2,750.00 plus tax | | |
This course focuses on network security and makes an excellent companion to:
- Enterprise Linux Security Administration (QLG55)
After a detailed discussion of the TCP/IP suite component protocols and Ethernet operation, practice using various tools to capture, analyze, and generate Internet Protocol (IP) traffic.
Then explore the tools and techniques used to exploit protocol weaknesses and perform more advanced network attacks.
After building a thorough understanding of network-based attacks, shift focus to the defensive solutions available.
Install, configure, and test one of the most popular and powerful Network Intrusion Detection System (NIDS) solutions available.
Finally, create a Linux-based router/firewall solution, including advanced functionality such as Network Address Translation (NAT), policy routing, and traffic shaping.
This course supports the latest versions of Red Hat Enterprise Linux, Fedora Core, SUSE Linux Professional, and SUSE Linux Enterprise Server.
Audience
This is an intermediate course for:
- Network administrators needing to improve security skills
- Linux system administrators needing network security skills
- Individuals needing network and ethical hacking skills
Prerequisites
Linux or UNIX system experience is helpful but not required; the tools used in class are compiled and run on a Linux system.
A solid background in networking concepts will greatly aid in comprehension. This is an intense class that covers many topics.
Skills taught
- Analyze the TCP/IP suite component protocols, exploring exploitable protocol design flaws
- Use various tools to capture, analyze, and generate IP traffic
- Explore IP and Address Resolution Protocol (ARP) vulnerabilities, including packet spoofing and traffic redirection
- Explore Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) vulnerabilities, including session hijacking
- Explore File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Domain Name System (DNS), Secure Shell (SSH), and Hypertext Transfer Protocol Secure (HTTPS) vulnerabilities, including DNS spoofing and man-in-the-middle attacks against encrypted sessions
- Use nmap and other tools to identify remote hosts and services
- Perform and detect attacks on remote and local systems
- Deploy intrusion detection systems using Snort
- Implement and configure a stateful firewall using the kernel's Netfilter system
- Configure network and port address translation
Course outline
Section 1 - Ethernet and IP operation
- Open Systems Interconnection (OSI) network model
- application layers
- network services layers
- moving data through the stack
- data link layer format
- Ethernet operation
- hub and switch operation
- Ethernet security issues
- detecting promiscuous network interface controllers (NICs)
- network packet capture
- tcpdump
- Ethereal
- Internet Protocol version 4 (IPv4)
- IP addressing
- differentiated services
- IP fragmentation
- path Maximum Transmission Unit (MTU) discovery
- Address Resolution Protocol (ARP)
- Internet Control Message Protocol (ICMP)
- ICMP redirects
- important ICMP messages
- ICMP security issues
- protecting against ICMP abuse
Lab 1 - basic traffic generation, capture, and analysis
- capture and analyze ARP traffic with a variety of tools
- capture and analyze ICMP echo, unreachable, and redirect messages
- explore the differences between a variety of traffic capture utilities and their interfaces and options
Section 2 - IP and ARP vulnerability analysis
- IP security issues
- IP routing
- routing protocol security
- protecting against IP abuse
- ARP security issues
- cache poisoning with ARP replies
- cache poisoning with ARP requests
- ARP cache poisoning defense
Lab 2 - advanced traffic generation and capture
- learn to use a variety of tools to generate traffic, including forged headers
- use ARP cache poisoning to capture traffic on a switched local area network (LAN)
- use various techniques to discover if a NIC is in promiscuous mode
Section 3 - User Datagram Protocol (UDP) / TCP and Telnet vulnerability analysis
- UDP
- UDP segment format
- TCP
- TCP segment format
- TCP port numbers
- TCP sequence / acknowledgment numbers
- TCP three-way handshake
- TCP window size
- the TCP state machine
- the TCP state transitions
- TCP connection termination
- TCP SYN attack
- TCP sequence guessing
- TCP connection hijacking
- Telnet
- Telnet concepts - options
- Telnet concepts - commands
- Telnet security concerns
Lab 3 - attacks on TCP
- use forged packets to slow and kill TCP sessions
- monitor and hijack a telnet session
Section 4 - FTP and HTTP vulnerability analysis
- FTP
- modes
- transfer methods
- security concerns
- the bounce attack
- minimizing risk
- FTP port stealing
- brute-force attacks
- access restriction
- privacy
- HTTP/1.1
- HTTP parameters
- HTTP message
- HTTP request/method definitions
- response/status codes
- proxies
- authentication
- security concerns
- personal information
- attacks on file and path names
- header spoofing
- auth credentials and idle clients
- proxy servers
Lab 4 - attacks on FTP and HTTP
- use dsniff to capture FTP and HTTP passwords
- bonus exercise: use urlsnarf and webspy to monitor a Web browser
Section 5 - DNS protocol vulnerability analysis
- DNS
- DNS basic concepts and terms
- DNS resolution
- DNS zone transfers
- DNS spoofing
- DNS cache poisoning
- DNS security improvements
Lab 5 - attacks on DNS
- use dnsspoof to forge DNS responses to redirect Web traffic
- use forged DNS responses to circumvent host based access security
Section 6 - SSH and HTTPS protocol vulnerability analysis
- SSH concepts
- initial connection
- protocols
- SSH1
- SSH2
- encryption vulnerabilities
- SSH vulnerabilities
- SSH1 insertion attack
- SSH brute force attack
- SSH1 CRC compensation attack
- Bleichenbacher oracle
- SSH1 session key recovery
- client authentication forwarding
- host authentication bypass
- X session forwarding
- HTTPS protocol analysis
- Secure Sockets Layer (SSL)-enabled protocols
- SSL protocol
- SSL layers
- the SSL handshake
- SSL vulnerabilities
- intercepted change cipher spec
- intercepted key exchange
- version rollback attack
Lab 6 - HTTPS and SSH
- perform a man-in-the-middle attack on secure Web connections
- perform a man-in-the-middle attack on SSH v1 connections
- perform a timing and packet length attack on SSH v1 and SSH v2 connections
Section 7 - remote operating system (OS) detection
- OS detection
- banners
- commands
- less-direct approaches
- TCP/IP stack fingerprinting
- remote fingerprinting apps
- nmap
Lab 7 - using nmap
- use the nmap utility to perform general network sweep scans
- use nmap to perform a wide variety of scans on a host
- use nmap to perform TCP/IP fingerprinting for remote OS detection
Section 8 - attacks and basic attack detection
- sources of attack
- denial-of-service attacks
- methods of intrusion
- exploit software bugs
- exploit system configuration
- exploit design flaws
- password cracking
- typical intrusion scenario
- intrusion detection
- Intrusion Detection System (IDS) considerations
- attack detection tools
- Klaxon
- PortSentry
- PortSentry design
- Snort
Lab 8 - basic scan detection
- examine standard system logs and statistics for signs of attack
- configure portsentry to log port scans from nmap
- configure portsentry for active response to port scans
Section 9 - intrusion detection technologies
- intrusion detection systems
- host based IDS
- network based IDS
- network node IDS
- file integrity checkers
- hybrid NIDS
- honeypots
- focused monitors
- Snort architecture
- Snort detection rules
- Snort logs and alerts
- Snort rules
Lab 9 - exploring Snort
- install Snort
- test Snort to see if it detects nmap scans
- use Snort to examine network traffic in decoded text format
- use Snort to capture all network packets in tcpdump-style binary logs
- use tethereal to analyze captured packets
- set up Snort to log to SYSLOG
Section 10 - advanced Snort configuration
- advanced Snort features
- Snort add-ons
- Analysis Console for Intrusion Databases (ACID) Web console
- the ACID interface
- SnortCenter management
Lab 10 - Snort tools
- set up a new MySQL database for use with Snort
- configure Snort to log to the new database
- set up and test the ACID analysis tool
- set up and configure SnortCenter
- install and configure the Linux SnortCenter sensor agent
- observe how Snort and ACID respond to attacks
Section 11 - Snort rules
- Snort rules format
- Snort rules options
- writing Snort rules
- example rules
Lab 11 - custom Snort rules
- capture packet from exploit that Snort does not currently detect
- write a custom rule for Snort to detect the exploit
- verify exploit detection
Section 12 - Linux and static routing
- Linux as a router
- Linux router minimum requirements
- router focused distributions
- router specific settings
Lab 12 - static routing
- configure your host to act as a router
- configure and test automatic anti-spoofing protection
- configure the system to implement the above automatically on reboot
Section 13 - Linux firewalls
- types of firewalls
- application firewalls: TCP Wrappers
- application firewalls: Squid
- packet filter: ipchains
- stateful packet filter: iptables
- firewall topology
- recommended firewall rules
- firewall limitations
- iptables concepts
- using iptables
- advanced iptables actions
- iptables: a more secure approach
Lab 13 - iptables
- use iptables to filter traffic destined to your host
- use iptables to log traffic destined to a specific port on your host
Section 14 - network and port address translation
- address translation
- configuring NAT and Port Address Translation (PAT)
- NAT limitations
