LinuxCBT Security Edition encompasses 9 pivotal security modules:

1. Security Basics (fundamentals)
2. Proxy Security featuring Squid
3. Firewall Security featuring IPTables
4. SELinux Security - MAC-based Security Controls
5. Network Intrusion Detection System (NIDS) Security featuring Snort® NIDS
6. Packet | Capture | Analysis Security featuring Ethereal®
7. Pluggable Authentication Modules (PAM) Security
8. Open Secure Shell version 2 (OpenSSHv2) Security
9. OpenPGP with Gnu Privacy Guard (GPG) Security

LinuxCBT Security Edition is unparalleled in content, depth and expertise. It entails 89 hours, or roughly 2 weeks, of classroom training. LinuxCBT Security Edition prepares you or your organization to successfully secure GNU/Linux & Open Source-based solutions. As a by-product, many of the covered concepts, utilities and tricks are applicable to heterogeneous computing environments, ensuring your coverage of the fundamentals of securing corporate infrastructures.

Recommended Prerequisites for Any LinuxCBT Course (Classic/EL-4/SUSE/Debian Editions):
• Open mind & determination to master Linux and related open-source applications
• Basic understanding of networking concepts
• Access to a PC to follow the exercises

Basic Security - Module 1

• Boot Security
○ Explore Dell PowerEdge BIOS Security-related features
○ Discuss concepts & improve Dell PowerEdge BIOS security
○ Explain run-time boot loader vulnerabilities
○ Explore single-user mode (root shell) and its inherent problems
○ Modify default GRUB startup options & examine results
○ Secure boot loader using MD5 hash
○ Identify key startup-related configuration files & define boot security measures
○ Identify key boot-related utilities
○ Confirm expected hardware configuration
○ Discuss INIT process, runlevel configuration & concepts
○ Explore & tighten the security of the INIT configuration

• Shell Security
○ Confirm expected applications
○ Discuss Teletype Terminals (TTYs) and Pseudo Terminals (PTS)
○ Identify common TTYs and PTSs
○ Track current TTYs and PTSs - character devices
○ Discuss concepts related to privileged and non-privileged use
○ Restrict privileged login
○ Use SSH and discuss TTYs
○ Discuss the importance of consistent system-wide banners &
○ Define and configure system banners for pre and post-system-access
○ Identify user-logon history and correlate to TTYs
○ Identify current user-connections - console-based and network-based
○ Use lsof to identify open files and sockets

• Syslog Security
○ Discuss Syslog concepts and applications
○ Explain Syslog semantics - facilities & levels - message handling & routing
○ Focus on security-related Syslog facilities
○ Examine security logs managed by Syslog
○ Configure Network Time Protocol (NTP) on interesting hosts
○ Secure NTP configuration
○ Ensure time consistency to preserve log integrity
○ Configure Syslog replication to preserve log integrity
○ Identify log discrepancies between Syslog hosts

• Reconnaissance & Vulnerability Assessment Tools
○ Discuss Stage-1 host/network attack concepts
○ Upgrade NMAP reconnaissance tool to increase effectiveness
○ Identify NMAP files
○ Discuss TCP handshake procedure
○ Discuss half-open/SYN connections
○ Perform connect and SYN-based host/network reconnaissance
○ Identify potential vulnerabilities on interesting hosts derived from reconnaissance
○ Examine NMAP logging capabilities
○ Perform port sweeps to identify common vulnerabilities across exposed systems
○ Secure exposed daemons/services
○ Perform follow-up audit to ensure security policy compliance
○ Discuss vulnerability scanner capabilities and applications
○ Prepare system for Nessus vulnerability scanner installation - identify/install dependencies
○ Generate self-signed SSL/TLS certificates for secure client/server communications
○ Activate Nessus subscription, server and client components
○ Explore vulnerability scanner interface and features
○ Perform network-based reconnaissance attack to determine vulnerabilities
○ Examine results of the reconnaissance attack and archive results
○ Secure exposed vulnerabilities

• XINETD - TCPWrappers - Chattr - Lsattr - TCPDump - Clear Text Daemons
○ Install Telnet Daemon
○ Install Very Secure FTP Daemon (VSFTPD)
○ Explore XINETD configuration and explain directives
○ Configure XINETD to restrict communications at layer-3 and layer-4
○ Restrict access to XINETD-protected daemons/services based on time range
○ Examine XINETD logging via Syslog
○ Discuss TCPWrappers security concepts & applications
○ Enhance Telnetd security with TCPWrappers
○ Confirm XINETD & TCPWrappers security
○ Discuss chattr applications & usage
○ Identify & flag key files as immutable to deter modification
○ Confirm extended attributes (XATTRs)
○ Discuss TCPDump applications & usage
○ Configure TCPDump to intercept Telnet & FTP - clear-text traffic
○ Use Ethereal to examine & reconstruct captured clear-text traffic

• Secure Shell (SSH) & MD5SUM Applications
○ Use Ethereal to examine SSH streams
○ Generate RSA/DSA PKI usage keys
○ Configure Public Key Infrastructure (PKI) based authentication
○ Secure PKI authentication files
○ Use SCP to transfer files securely in non-interactive mode
○ Use SFTP to transfer files securely in interactive mode
○ Configure SSH to support a pseudo-VPN using SSH tunnelling
○ Discuss MD5SUM concepts and applications
○ Compare & contrast modified files using MD5SUM
○ Use MD5SUM to verify the integrity of downloaded files

• GNU Privacy Guard (GPG) - (PGP) Compatible - PKI
○ Discuss GPG concepts & applications - symmetric/asymmetric encryption
○ Generate asymmetric RSA/DSA GPG/PGP usage keys - for multiple users
○ Create a local
○ Perform encrypts/decrypts and test data exchanges
○ Sign encrypted content and verify signatures @ recipient
○ Import & export public keys for usage
○ Use GPG/PGP with Mail User Agent (MUA)

• AIDE File Integrity Implementation
○ Discuss file-integrity checker concepts & applications
○ Identify online repository & download AIDE
○ Install AIDE on interesting hosts
○ Configure AIDE to protect key files & directories
○ Alter objects and confirm modifications using AIDE
○ Audit the file system using AIDE

• Rootkits
○ Discuss rootkit concepts & applications
○ Describe privilege elevation techniques
○ Obtain & install T0rnkit - rootkit
○ Identify system changes due to the rootkit
○ Implement T0rnkit with AIDE to identify compromised system objects
○ Implement T0rnkit with chkrootkit to identify rootkits
○ T0rnkit - rootkit - cleanup
○ Implement N-DU rootkit
○ Evaluate system changes

• Bastille Linux - OS-Hardening
○ Discuss Bastille Linux system hardening capabilities
○ Obtain Bastille Linux & perform a system assessment
○ Install Bastille Linux
○ Evaluate hardened system components

Proxy Security - Module 2

• Squid Proxy Initialization
○ Discuss Squid concepts & applications
○ Discuss DNS application
○ Configure DNS on primary SuSE Linux server for the Squid Proxy environment
○ Confirm DNS environment
○ Start Squid and evaluate default configuration
○ Install Squid Proxy server

• General Proxy Usage
○ Configure web browser to utilize proxy services
○ Grant permissions to permit local hosts to utilize proxy services
○ Discuss ideal file system layout - partitioning
○ Explore key configuration files
○ Use client to test the performance of proxy services
○ Discuss HIT/MISS logic for serving content
○ Configure proxy support for text-based (lftp/lynx) HTTP clients

• Squid Proxy Logs
○ Discuss Squid Proxy logging mechanism
○ Identify key log files
○ Discuss & explore the Access log to identify HITs and/or MISSes
○ Discuss & explore the Store log to identify cached content
○ Convert Squid logs to the Common Log Format (CLF) for easy processing
○ Discuss key CLF fields
○ Configure Webalizer to process Squid-CLF logs
○ Revert to Squid Native logs
○ Discuss key Native log fields
○ Configure Webalizer to process Squid Native logs

• Squid Network Configuration & System Stats
○ Discuss cachemgr.cgi Common Gateway Interface (CGI) script
○ Explore the available metrics provided by cachemgr.cgi
○ Change default Squid Proxy port
○ Modify text/graphical clients and test communications
○ Discuss Safe Ports - usage & applications

• Squid Access Control Lists (ACLs)
○ Intro to Access Control Lists (ACLs) - syntax
○ Define & test multiple HTTP-based ACLs
○ Define & test ACL lists - to support multiple hosts/subnets
○ Define & test time-based ACLs
○ Nest ACLs to tighten security
○ Implement destination domain based ACLs
○ Exempt destination domains from being cached to ensure content freshness
○ Define & test ANDed ACLs
○ Discuss the benefits of Regular Expressions (Regexes)
○ Implement Regular Expression ACLs to match URL patterns
○ Exempt hosts/subnets from being cached or using the Squid cache
○ Force cache usage
○ Configure enterprise-class Cisco PIX firewall to deny outbound traffic
○ Configure DNS round-robin with multiple Squid Proxy caches for load-balancing
○ Discuss delay pool concepts & applications - bandwidth management
○ Configure delay pools - to support rate-limiting
○ Examine results of various delay pool classes
○ Enforce maximum connections to deter Denial of Service (DoS) attacks
○ Verify maximum connections comply with security policy

• Squid Proxy Hierarchies
○ Discuss Squid cache hierarchy concepts & applications
○ Ensure communications through a primary cache server - double-auditing
○ Discuss and configure parent-child bypass based on ACLs
○ Configure Intranet ACLs for peer-cache bypass
○ Discuss & implement Squid cache hierarchy siblings
○ Configure transparent proxy services

Firewall Security - Module 3

• Intro IPTables
○ Discuss key IPTables concepts
○ OSI Model discussion
○ Determine if IPTables support is available in the current kernel
○ Identify key IPTables modules and supporting files
○ Explore and examine the default tables
○ Learn IPTables Access Control List (ACL) syntax
○ Discuss ACL management
○ Learn to Save & Restore IPTables ACLs

• IPTables - Chain Management
○ Explore the various chains in the default tables
○ Discuss the purpose of each chain
○ Examine packet counts & bytes traversing the various chains
○ Focus on appending and inserting new ACLs into pre-defined chains
○ Write rules to permit common traffic flows
○ Delete & Replace ACLs to alter security policy
○ Flush ACLs - reset the security policy to defaults
○ Zero packet counts & bytes - bandwidth usage monitoring
○ Create user-defined chains to perform additional packet handling
○ Rename chains to suit the security policy/nomenclature
○ Discuss & explore chain policy

• IPTables - Packet Matching & Handling
○ Explain the basics of packet matching
○ Identify key layer-3/4 match objects - (Source/Dest IPs, Source/Dest Ports, etc.)
○ Explore the multi-homed configuration
○ Block traffic based on untrusted (Internet-facing) interface
○ Perform packet matching/handling based on common TCP streams
○ Perform packet matching/handling based on common UDP datagrams
○ Perform packet matching/handling based on common ICMP traffic
○ Write fewer rules (ACLs) by specifying lists of interesting layer-4 ports
○ Discuss layer-3/4 IPTables default packet matching
○ Discuss default layer-2 behavior
○ Increase security by writing rules to match packets based on layer-2 addresses

• IPTables - State Maintenance - Stateful Firewall
○ Discuss the capabilities of traditional packet-filtering firewalls
○ Explain the advantages of stateful firewalls
○ Examine the supported connection states
○ Identify key kernel modules to support the stateful firewall
○ Implement stateful ACLs & examine traffic flows

• IPTables - Targets - Match Handling
○ Discuss the purpose of IPTables targets for packet handling
○ Write rules with the ACCEPT target
○ Write rules with the DROP target
○ Write rules with the REJECT target
○ Write rules with the REDIRECT target
○ Confirm expected behavior for all targets

• IPTables - Logging
○ Explore Syslog kernel logging configuration
○ Define Access Control Entries (ACEs) to perform logging
○ Explain the key fields captured by IPTables
○ Log using user-defined chain for enhanced packet handling
○ Log traffic based on security policy
○ Define a catch-all ACE
○ Use ACE negation to control logged packets
○ Label log entries for enhanced parsing

• IPTables - Packet Routing
○ Describe subnet layout
○ Enable IP routing in the kernel - commit changes to disk
○ Update routing tables on the other Linux Hosts on the network
○ Update the Cisco PIX Firewall's routing tables
○ Test routing through the Linux router, from a remote Windows 2003 Host
○ Focus on the forward chain
○ Write ACEs to permit routing
○ Test connectivity

• IPTables - Network Address Translation (NAT)
○ Discuss NAT features & concepts
○ Discuss & implement IP masquerading
○ Define Source NAT (SNAT) ACEs & test translations
○ Create SNAT multiples
○ Implement Destination NAT (DNAT) ACEs & test translations
○ Define DNAT multiples
○ Create NETMAP subnet mappings - one-to-one NATs

• IPTables - Demilitarized Zone (DMZ) Configuration
○ Describe DMZ configuration
○ Write Port Address Translation (PAT) rules to permit inbound traffic
○ Test connectivity from connected subnets
○ Configure DMZ forwarding (Routing)
○ Implement Dual-DMZs - ideal for n-tiered web applications

SELinux Security - Module 4

• Access Control Models
○ Describe Access Control Model (ACM) theories (DAC/MAC/nDAC)
○ Explain features & shortcomings of Discretionary Access Control (DAC) models
○ Identify key DAC-based utilities
○ Discuss the advantages & caveats of Mandatory Access Control (MAC) models
○ Explore DAC-based programs

• SELinux - Basics
○ Discuss subjects & objects
○ Explain how SELinux is implemented in 2.6.x-based kernels
○ Confirm SELinux support in the kernel
○ Identify key SELinux packages
○ Use sestatus to obtain the current SELinux mode
○ Discuss subject & object labeling
○ Describe the 3 SELinux operating modes
○ Identify key utilities & files, which dictate the current SELinux operating mode
○ Focus on the features of SELinux permissive mode
○ Explore the boot process as it relates to SELinux

• SELinux - Object Labeling
○ Discuss subject & object labeling
○ Discuss the role of extended attributes (XATTRs)
○ Expose the labels of specific objects
○ Alter the labels of specific objects
○ Configure SELinux to automatically label objects per security policy
○ Reset the system and confirm labels on altered objects
○ Explain security tuples
○ Use fixfiles to restore object labels on running system per security policy

• SELinux - Type Contexts - Security Labels Applied to Objects
○ Intro to object security tuples - security labels
○ Attempt to serve HTML content using Apache in SELinux enforcing mode
○ Identify problematic object security labels
○ Serve HTML content in SELinux permissive mode
○ Use chcon to alter object security labels
○ Switch to enforcing mode & confirm the ability to serve HTML content
○ Use restorecon to restore object security context (labels)

• SELinux - Basic Commands - Type & Domain Exposition
○ ps - reveal subjects' security context (security label) - Domains
○ ls - reveal objects' security label - Types
○ cp - preserve/inherit security labels
○ mv - preserve security labels
○ id - expose subject security label

• SELinux - Targeted Policy - Binary
○ Explain the Targeted Policy's features
○ Discuss policy transitions for domains
○ Compare & contrast confined & unconfined states
○ Exempt Apache daemon from the auspices of the targeted policy's confined state
○ Evaluate results after exemption
○ Explain the security contexts applied to subjects & objects
○ Peruse key targeted binary policy files
○ Identify the daemons protected by the targeted policy
○ Discuss the unconfined_t domain - subject label

• SELinux - Targeted Policy - Source
○ Install the targeted policy source files
○ Identify & discuss TE and FC files
○ Explore file_contexts - context definition for objects
○ Discuss the file context syntax
○ Explain the purpose of using run_init to initiate SELinux-protected daemons
○ Switch between permissive & enforcing modes and evaluate behavior
○ Peruse the key files in the targeted source policy

• SELinux - Miscellaneous Utilities - Logging
○ Use tar to archive SELinux-protected objects
○ Confirm security labels on tar-archived objects
○ Use the tar substitute 'star' to archive extended attributes (XATTRs)
○ Confirm security labels on star-archived objects
○ Discuss the role of the AVC
○ Examine SELinux logs - /var/log/messages
○ Alter Syslog configuration to route SELinux messages to an ideal location
○ Use SETools, shell-based programs to output real-time statistics
○ Install & use SEAudit graphical SELinux log-management tool

Network Intrusion Detection System (NIDS) Security - Module 5

• Snort NIDS - Installation
○ Peruse the LinuxCBT Security Edition classroom network topology
○ Download Snort
○ Import G/PGP public key and verify package integrity
○ Identify & download key Snort dependencies
○ Install current libpcap - Packet Capture Library
○ Establish security configuration baseline

• Snort NIDS - Sniffer Mode
○ Discuss sniffer mode concepts & applications
○ Sniff IP packet headers - layer-3/4
○ Sniff data-link headers - layer-2
○ Sniff application payload - layer-7
○ Sniff application/IP packet headers/data-link headers - all layers except physical
○ Examine packets & packet loss
○ Sniff traffic traversing interesting interfaces
○ Sniff clear-text traffic
○ Sniff encrypted streams

• Snort NIDS - Logging Mode
○ Discuss logging mode concepts & applications
○ Log traffic using default PCAP/TCPDump format
○ Log traffic using ASCII mode & examine output
○ Discuss directory structure created by ASCII logging mode
○ Control verbosity of ASCII logging mode & examine output
○ Enhance packet logging analysis by defaulting to binary logging
○ Discuss default nomenclature for binary/TCPDump files
○ Alter binary output options
○ Use Snort NIDS to read binary/TCPDump files

• Snort NIDS - Berkeley Packet Filters (BPFs)
○ Explain the advantages of utilizing BPFs
○ Discuss BPF directional, type, and protocol qualifiers
○ Identify clear-text based network applications and define appropriate BPFs
○ Execute Snort NIDS in sniffer mode with BPFs enabled to match interesting traffic
○ Log to the active pseudo-terminal console and examine the packet flows
○ Combine BPF qualifiers to increase packet-matching capabilities
○ Use logical operators to define more flexible BPFs
○ Read binary TCPDump files using Snort & BPFs
○ Execute Snort NIDS in logging/daemon mode

• Snort NIDS - Cisco Switch Configuration
○ Examine the current network configuration
○ Identify Snort NIDS sensors and centralized DBMS Server
○ Create multiple VLANs on the Cisco Switch
○ Secure the Cisco Switch configuration
○ Isolate internal and external hosts, sensors and DBMS systems
○ Configure SPAN - Port Mirroring for internal and external Snort NIDS Sensors
○ Examine internal and external packet flows

• Snort NIDS - Network Intrusion Detection System (NIDS) Mode
○ Discuss NIDS concepts & applications
○ Prepare /etc/snort - configuration directory for NIDS operation
○ Explore the snort.conf NIDS configuration file
○ Discuss all snort.conf sections
○ Download & install community rules
○ Execute Snort in NIDS mode with TCPDump compliant output plugin
○ Download & install Snort Vulnerability Research Team (VRT) rules
○ Compare & contrast community rules to VRT rules

• Snort NIDS - Output Plugin - Barnyard Configuration
○ Discuss features & benefits
○ Configure Syslog based logging and examine results
○ Configure Snort to log sequentially to multiple output locations
○ Implement unified binary output logging to enhance performance
○ Discuss concepts & features associated with post-processing Snort logs
○ Download and install current barnyard post-processor
○ Use barnyard to post-process logs to multiple output destinations

• Snort NIDS - BASE - MySQL® Implementation
○ Discuss benefits of centralized console reporting for 1 or more Snort sensors
○ Re-compile Snort on both sensors to support MySQL logging
○ Configure MySQL on Database Management System (DBMS) Host
○ Implement Snort database schema on DBMS Host
○ Configure Snort to log output to MySQL DBMS Host
○ Confirm output logging to the MySQL DBMS Host
○ Prepare DBMS Host for BASE console installation
○ Install BASE and complete schema extension
○ Peruse BASE interface

• Snort® NIDS - Rules Configuration & Updates
○ Discuss the concept of rules as related to Snort NIDS
○ Examine Snort rule syntax
○ Peruse pre-defined Snort rules
○ Download & configure oinkmaster to automatically update Snort rules
○ Confirm oinkmaster operation

Packet Capture Analysis Security feat. Ethereal® - Module 6

• Introduction - Topology - Features
○ Discuss course outline
○ Explore system configuration
○ Identify key network interfaces to be used for captures
○ Identify connected interfaces on Cisco Switch
○ Explore network topology - IPv4 & IPv6
○ Identify Ethereal installation
○ Enumerate and discuss key Ethereal features

• Ethereal® (GUI)
○ Identify installation footprint
○ Differentiate between promiscuous and non-promiscuous modes
○ Configure X.org to permit non-privileged user to write output to screen
○ Launch Ethereal GUI
○ Identify the primary GUI components /Packet List | Packet Details | Packet Bytes/
○ Discuss defaults
○ Explore key menu items

• TCPDump | WinDump - Packet Capturing for /Linux||Windows/
○ Discuss defaults, features and applications
○ Use TCPDump on Linux to capture packets
○ Log traffic using default PCAP/TCPDump format
○ Discuss Berkeley Packet Filters (BPFs)
○ Capture and log specific packets using BPFs for analysis with Ethereal
○ Connect to Windows 2003 Server using Remote Desktop (RDesktop) utility
○ Install WinDump and WinPCAP on Windows 2003 Server
○ Identify available network interfaces using WinDump
○ Capture and log packets using WinDump
○ Capture and log specific packets using BPFs with WinDump for analysis with Ethereal
○ Upload captures to Linux system for analysis in Ethereal

• Snort® NIDS Packet Capturing & Logging
○ Discuss Snort NIDS's features
○ Confirm prerequisites - /PCRE|LibPCAP|GCC|Make/
○ Download and Import Snort G/PGP key and MD5SUM for Snort NIDS
○ Download, verify, compile and install Snort NIDS
○ Discuss BPF directional, type, and protocol qualifiers
○ Identify clear-text based network applications and define appropriate BPFs
○ Execute Snort NIDS in sniffer mode with BPFs enabled to match interesting traffic
○ Log to the active pseudo-terminal console and examine the packet flows
○ Combine BPF qualifiers to increase packet-matching capabilities
○ Use logical operators to define more flexible BPFs
○ Create captures for further analysis with Ethereal

• Sun Snoop Packet Capturing & Logging
○ Connect to Solaris 10 system and prepare to use Snoop
○ Draw parallels to TCPDump
○ Enumerate key features
○ Sniff and log generic traffic
○ Sniff and log specific traffic using filters
○ Sniff HTTP and FTP traffic using Snoop
○ Save filters for analysis by Ethereal
○ Snoop various Solaris interfaces for interesting traffic

• Layer-2 & Internet Control Message Protocol (ICMP) Captures
○ Launch Ethereal
○ Identify sniffing interfaces
○ Capture Address Resolution Protocol (ARP) Packets using Capture Filters
○ Discuss and Identify Protocol Data Units (PDUs)
○ Identify default Ethereal capture file
○ Peruse packet capture statistics
○ Identify Cisco VOIP router generating ARP requests
○ Peruse time precision features - deci- to nano-seconds
○ Discuss time manipulations - relative to first packet - actual time
○ Reveal protocol information from layer-1 through 7
○ Identify network broadcasts in the packet stream
○ Generate Layer-2 ARP traffic using PING and capture and analyze results
○ Sniff traffic based on MAC addresses using Ethereal and Capture Filters

• User Datagram Protocol (UDP) Captures & Analyses
○ Discuss UDP Characteristics
○ Focus on Network Time Protocol (NTP)
○ Set up NTP strata for testing between multiple systems
○ Analyze NTP - UDP traffic using Ethereal
○ Focus on Domain Name Service (DNS)
○ Install a BIND DNS Caching-Only Server
○ Analyze DIG queries
○ Analyze 'nslookup' queries

• Transmission Control Protocol (TCP) Captures & Analyses
○ Discuss TCP Characteristics - Connection-Oriented Services
○ Explain TCP connection rules - Socket creation
○ Sniff TCP traffic using Capture Filters in Ethereal
○ Use Display Filters to parse TCP traffic
○ Sniff FTP traffic
○ Reconstruct FTP flows using TCP Stream Reassembly
○ Differentiate between client and server flows
○ Quantify client and server flows
○ Discuss embedded Protocol Data Units (PDUs)
○ Sniff Internet Protocol Version 6 (IPv6) traffic
○ Peruse and discuss the IPv6:TCP:FTP traffic dump
○ Analyze TCP Sockets

• Ethereal Display Filters - Post Processing Filters
○ Identify previously captured - TCPDump - Ethereal - Snort - Snoop - Dumps
○ Discuss features
○ Explain Display Filter syntax
○ Post-process previously captured traffic dumps
○ Identify the various methods to apply display filters
○ Filter data using the expression builder
○ Filter traffic based on interesting properties
○ Filter traffic using logical operators

• Ethereal Statistics
○ Discuss features
○ Explore the summary (metadata) of captured packets
○ Peruse the protocol hierarchy - Layers 1 - 7 of OSI
○ Examine network conversations of captured packets
○ Identify Destinations in packet dumps
○ Examine ICMP statistics

• Text-based Captures with Tethereal
○ Discuss features and applications
○ Identify 'tethereal' and invoke
○ Enumerate network interfaces
○ Sniff generic network traffic
○ Suppress capture output
○ Apply Capture Filters
○ Capture UDP Traffic
○ Capture TCP Traffic

• Intranet-based Captures & Analysis
○ Discuss Intranet monitoring objectives
○ Analyze the network topology drawing
○ Discuss Unicast, Broadcast and Multicast traffic
○ Discuss Switch Port Mirroring - SPAN
○ Configure Port Mirroring - SPAN on Cisco Switch for interesting ports
○ Dedicate a network interface for sniffing traffic
○ Configure Snort NIDS to sniff traffic on dedicated network interface
○ Analyze Snort NIDS captures in Ethereal
○ Sniff traffic between various Intranet hosts

• Internet-based Captures & Analysis
○ Discuss Internet monitoring objectives
○ Identify key external interfaces to monitor
○ Update the Port Mirroring configuration to capture Internet traffic
○ Capture external traffic
○ Analyze using Ethereal

• Wireless-based Captures & Analysis
○ Discuss Wireless monitoring objectives
○ Connect to remote system with wireless interface
○ Enable wireless interface
○ Sniff traffic on wireless network
○ Analyze using Ethereal

• Windows-based Captures & Analysis
○ Download and Install Ethereal for Windows
○ Explore interface
○ Load previously captured data
○ Analyze data
○ Compare and contrast with Ethereal for Linux|Unix systems

Pluggable Authentication Modules (PAM) Security - Module 7

• Introduction - Topology - Features
○ Discuss course outline
○ Explore system configuration
○ Explore network topology
○ Identify primary PAM systems
○ Enumerate and discuss key PAM features

• PAM Rules Files & Syntax
○ Identify key PAM configuration files
○ Explain the purpose of the /etc/pam.d/other PAM rules file
○ Discuss PAM's 4 management tasks
○ Identify the 4 tokens supported within PAM rules files
○ Explain possible values for the 4 supported rules file tokens
○ Discuss PAM's stacking of rules for the 4 management tasks
○ Examine the /etc/pam.d/sshd PAM rules file for the SSHD service/daemon
○ Explore the contents of included PAM rules files

• Common PAMs - Identify & Discuss Commonly Implemented PAMs
○ Explain the purpose and implementation of pam_echo
○ Test pam_echo using SSH
○ Explain the purpose and implementation of pam_warn
○ Explain the purpose and implementation of pam_deny
○ Identify instances of pam_warn and pam_deny modules
○ Explain the purpose and implementation of pam_unix2
○ Identify instances of pam_unix2 module
○ Explain the purpose and implementation of pam_env
○ Explain the purpose and implementation of pam_ftp
○ Peruse /etc/pam.d/vsftpd and discuss the implementation of pam_ftp
○ Explain the purpose and implementation of pam_lastlog
○ Explain the purpose and implementation of pam_limits
○ Explain the purpose and implementation of pam_listfile
○ Explain the purpose and implementation of pam_nologin

• Account Policies with PAM
○ Explain authentication flow when using PAM
○ Discuss account policies features
○ Identify and peruse the default account policies file: /etc/login.defs
○ Discuss PAM's usage of /etc/login.defs as it pertains to system security
○ Discuss pam_pwcheck in maintaining system policy
○ Configure pam_pwcheck to support minimum password length
○ Correlate pam_pwcheck system policy to user accounts database
○ Configure pam_pwcheck to support password history
○ Use chage to enumerate and change user accounts' attributes associated with system policy

• PAM Tally
○ Explain applications of pam_tally
○ Identify failed logins log file: /var/log/faillog
○ Identify PAM authentication messages in /var/log/messages
○ Compare and contrast pam_tally with faillog
○ Use pam_tally to display user's tally
○ Enable pam_tally system-wide with desired policy
○ Fail to login multiple times, exceeding the system policy, and evaluate results
○ Reset user's login count using pam_tally and faillog
○ Redirect PAM log messages using Syslog-NG

• PAM Password Quality Check (pam_passwdqc)
○ Identify pam_passwdqc using RPM
○ Discuss features
○ Enumerate the supported password character classes - Complex passwords
○ Replace pam_pwcheck with pam_passwdqc using at least 2 character classes
○ Test password policy in non-enforcing mode
○ Evaluate the effects
○ Enable password policy in enforcing mode and evaluate
○ Alter character class and length (complexity) requirements and evaluate

• PAM Time - Time-based Access Control
○ Discuss features
○ Explain configuration file syntax
○ Impose restrictions on common services
○ Evaluate results

• PAM Nologin
○ Discuss features
○ Explain configuration file syntax
○ Implement nologin module via /etc/nologin
○ Evaluate results

• PAM Limits - System Resource Limits Controlled by PAM
○ Discuss features
○ Explain configuration file syntax
○ Impose restrictions on system resources
○ Evaluate results

• PAM Authentication with Apache
○ Discuss features and desired result
○ Install Apache and development modules providing apxs support
○ Download PAM Apache module
○ Compile and install PAM Apache module
○ Configure Apache web site to support PAM
○ Evaluate results

Open Secure Shell version 2 (OpenSSHv2) Security - Module 8

• Introduction - Topology - Features
○ Discuss course outline
○ Explore system configuration
○ Identify key systems to be used
○ Explore network topology
○ Enumerate and discuss key OpenSSHv2 features

• Identify Key OpenSSHv2 Components
○ Identify installed OpenSSHv2 related packages
○ Peruse related startup and run-control script files
○ Locate 'sshd' on the file system
○ Discuss related client | server configuration files

• OpenSSHv2 Client - /ssh/
○ Discuss features and benefits
○ Obtain shell access on a remote system
○ Configure /etc/hosts to provide local name resolution for OpenSSHv2
○ Identify and discuss pseudo-terminals - pty
○ Redirect X11/X.org traffic to localhost via SSH
○ Bind 'ssh' to specific source IP address and test connectivity
○ Execute commands on remote system without allocating a pseudo-terminal
○ Debug 'ssh' connectivity
○ Explore the system-wide client configuration file
○ Explore user configuration file

• Secure Copy Program (SCP) - /scp/
○ Discuss features and benefits
○ Locate 'scp' on the file system
○ Discuss usage
○ Copy, non-interactively, previously generated data to remote systems
○ Test 'scp' with global and user configuration directives
○ Debug 'scp' connectivity
○ Limit transfer rate to conserve bandwidth

• Secure File Transfer Program (SFTP) - /sftp/
○ Discuss features and benefits
○ Locate 'sftp' on the file system
○ Discuss usage
○ Connect to remote system using 'sftp' interactive shell
○ Issue puts and gets and evaluate results
○ Identify the sftp-server subsystem
○ Peruse process list while connected to OpenSSHv2 server
○ Illustrate batch file usage

• SSH Key Scan Utility - /ssh-keyscan/
○ Discuss features and benefits
○ Locate 'ssh-keyscan' on the file system
○ Discuss usage
○ Scan the network from STDIN for OpenSSHv2 public keys - RSA (SSHv1 & SSHv2) | DSA
○ Scan the network based on a file with a list of hosts for OpenSSHv2 public keys
○ Populate ~/.ssh/known_hosts file using 'ssh-keyscan' with a for loop
○ Compare and contrast STDOUT with the output file

• SSH Key Generation Utility - /ssh-keygen/
○ Discuss features and benefits
○ Locate 'ssh-keygen' on the file system
○ Discuss usage
○ Generate RSA-2 usage keys
○ Identify RSA-2 public and private key pair
○ Generate DSA usage keys
○ Identify DSA public and private key pair
○ Expose usage keys' fingerprint using 'ssh-keygen'
○ Generate RSA-2 | DSA usage keys for all hosts

• Public Key Infrastructure (PKI) - Password-less Logins
○ Discuss features and benefits
○ Identify key files for client and server implementation of password-less (PKI-based) logins
○ Copy manually, RSA-2 | DSA public keys to remote system's ~/.ssh/authorized_keys file
○ Test password-less logins
○ Use 'ssh-copy-id' to seamlessly populate remote system with RSA-2 | DSA usage keys
○ Test password-less connectivity after using 'ssh-copy-id'
○ Confirm password-less connectivity using SSH clients /ssh|scp|sftp/ in debug mode
○ Connect to privileged account from non-privileged account using PKI
○ Configure RSA-1 connectivity using PKI

• System-wide OpenSSHv2 Configuration Directives
○ Identify key directory and files associated with client | server configuration
○ Explore primary server configuration file
○ Discuss applicability of directives
○ Alter and test several SSHD directives
○ Explore OpenSSHv2 configuration on RedHat Linux
○ Explore OpenSSHv2 configuration on Solaris 10

• Port Forwarding - Pseudo-VPN Support - /Local|Remote|Gateway/
○ Discuss features and benefits
○ Implement local port forwarding using 'ssh'
○ Configure remote port forwarding using 'ssh'
○ Test circumvention of local firewall using remote port forwarding
○ Implement gateway ports to share forwarded /local|remote/ ports with connected users
○ Test connectivity

• Windows Integration - /PuTTY|WinSCP/
○ Discuss features and applications
○ Download and install PuTTY
○ Explore PuTTY's features
○ Configure PKI logins
○ Download and install WinSCP
○ Explore WinSCP's features
○ Move data between Windows, Linux and Solaris

• Syslog | Syslog-NG Configuration
○ Discuss features and benefits
○ Identify default configuration
○ Redirect OpenSSHv2 data using Syslog and Syslog-NG
○ Examine results
○ Enable debugging

• Host-based Authentication
○ Discuss applicability and caveats
○ Identify key configuration files and directives
○ Implement host-based authentication
○ Test results

• OpenSSHv2 Source Installation
○ Discuss features and benefits
○ Download current OpenSSHv2 source code
○ Compile and install
○ Restart services|daemons
○ Test new version of OpenSSHv2

• Secure OpenSSHv2 Implementation
○ Discuss features and benefits
○ Identify key configuration file
○ Enumerate and implement key directives
○ Test configuration

OpenPGP with Gnu Privacy Guard (GPG) Security - Module 9

• Introduction - Topology - Features
○ Discuss course outline
○ Explore system configuration
○ Identify key systems to be used
○ Explore network topology
○ Enumerate and discuss key OpenPGP features

• Explore GPG Configuration
○ Identify installed GPG packages in various Linux distros
○ Discuss the key contents of those packages
○ Explore configuration hierarchy
○ Discuss security as it pertains to private
○ Explain the purpose of public and private keys
○ Discuss symmetric and asymmetric encryption provided by OpenPGP-compliant Apps

• Generate | Import | Export OpenPGP Usage Keys
○ Discuss features and benefits
○ Obtain shell access on remote systems
○ Generate usage (private|public) keys
○ Identify the generated keys
○ Discuss how usage keys are used
○ Generate usage keys on remote systems
○ Export OpenPGP public key chain on various systems
○ Import OpenPGP public keys on various systems
○ Evaluate the results of exchanging public keys

• Digital Signatures
○ Discuss features and benefits as they pertain to data
integrity ○ Identify default digital signatures on multiple hosts ○ Explain the differences between signing and encrypting correspondence ○ Sign and export data to remote systems - Inline ○ Create detached OpenPGP signatures for data ○ Confirm the signed data on the remote systems ○ Recap non-repudiation benefits provided by digitally signing correspondence ○ • Encryption | Decryption | Sign & Encrypt Content ○ Discuss features and benefits ○ Generate files for usage ○ Encrypt content using symmetric (shared-key) algorithm ○ Decrypt content using the shared-key, based on the symmetric algorithm ○ Evaluate results on multiple machines ○ Explain caveats associated with symmetric encryption ○ Encrypt content to a given recipient, using their public key - asymmetric encryption ○ Decrypt content on various hosts ○ Attempt to decrypt content without the corresponding private key ○ Evaluate results ○ Encrypt using ASCII-armoured and binary (OpenPGP-compliant) formats ○ Decrypt both ASCII-armoured and binary formats ○ Recap encryption decryption processes ○ Discuss the requirements of signing and encrypting content ○ Sign and encrypt content to various recipients ○ Confirm signed and encrypted content ○ Attempt to confirm and decrypt content as the unintended recipient ○ Evaluate results ○ • OpenPGP Key Management | Web of Trust | Internet Key Distribution ○ Discuss features and benefits ○ Explore GPG key management facility ○ Update properties of public/private key pairs ○ Add sub-keys to public/private key pairs ○ Sign remote users' public keys ○ Evaluate results ○ Discuss the web of trust functionality ○ Create a web of trust with various hosts ○ Evaluate trust confirmation ○ Discuss the features of OpenPGP Internet key distribution servers ○ Generate and upload public keys to an Internet key server ○ Download the uploaded public keys to the public keyrings of various hosts ○ Evaluate results ○ • Perl Scripting with GPG ○ Discuss features and benefits ○ Create a Perl 
script to backup key directories and files ○ Ensure that the script GPG-protects the content post-backup ○ Include error-handling to ensure that each step of the script is routed appropriately ○ Configure the script to transfer the encrypted content to a remote host ust 'scp' ○ Evaluate results ○ ○ OpenPGP (GPG | PGP Desktop) on Win32 ○ Discuss features and benefits ○ Download and install GPG for Win32 ○ Generate usage keys ○ Exchange public keys with a user on a Linux system ○ Sign and encrypt content to and from the Win32 user ○ Confirm results ○ Download and install (GUI-based GPG for Win32) ○ Explore features ○ Sign and encrypt content to and from the Win32 user ○ Confirm results ○ Integrate GPG4WIN with MS Outlook ○ Sign and encrypt e-mail messages ○ Confirm and decrypt e-mail messages ○ Install PGP Desktop for Win32 ○ Explore features and interface ○ Generate usage keys ○ Exchange public keys with Linux user ○ Sign and encrypt content to and from the Win32 user using PGP Desktop ○ Evaluate results ○ Draw parallels between Win32 based OpenPGP tools and GPG for Linux | Unix ○ Recap OpenPGP functionality included in /GPG|GPG4WIN|PGP Desktop/
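The PAM stack that the PAM Tally, pam_passwdqc, PAM Time, PAM Nologin and PAM Limits items above describe, as one added configuration example written for this page (it is not a file from the course). The layout follows RedHat's /etc/pam.d/system-auth with the per-service sshd file pulling it in; the thresholds (deny=5, a 15-minute unlock, 16/12/8-character minimums, the jdoe/jsmith and @students names) are illustrative assumptions, not course values.

```text
# /etc/pam.d/system-auth  (RedHat-style stack; on SUSE the same lines belong in
# common-auth / common-account / common-password / common-session)

# Lockout. pam_tally keeps per-user failure counts in /var/log/faillog.
#   deny=5          refuse after five consecutive failures
#   unlock_time=900 accept again 15 minutes after the last failure
#   onerr=fail      deny rather than allow if the tally file is unreadable
auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
# a successful login resets the user's tally
account     required      pam_tally.so

# Password quality: pam_passwdqc in place of pam_pwcheck.
#   min=N0,N1,N2,N3,N4  minimum length for passwords built from 1, 2, 3 and 4
#                       character classes, and for passphrases; 'disabled' for
#                       N0 rejects single-class passwords outright, i.e. at
#                       least two classes are required
#   enforce=none        non-enforcing mode: warn but accept (tune the policy
#                       here, then switch to enforce=everyone)
password    requisite     pam_passwdqc.so min=disabled,16,12,8,8 max=40 passphrase=3 match=4 similar=deny enforce=none retry=3
password    sufficient    pam_unix.so md5 shadow use_authtok
password    required      pam_deny.so

# resource limits from /etc/security/limits.conf
session     required      pam_limits.so
session     required      pam_unix.so


# /etc/pam.d/sshd  (sshd only consults PAM when sshd_config has 'UsePAM yes';
# on Linux-PAM releases without 'include', use pam_stack.so service=system-auth)
# refuse everyone but root while /etc/nologin exists, printing its contents
auth        required      pam_nologin.so
auth        include       system-auth
# time-of-day rules from /etc/security/time.conf
account     required      pam_time.so
account     include       system-auth
password    include       system-auth
session     include       system-auth


# /etc/security/time.conf   services;ttys;users;times
# jdoe and jsmith may use sshd only on weekdays 08:00-18:00; accounts not
# named by any rule are unaffected
sshd;*;jdoe|jsmith;Wk0800-1800


# /etc/security/limits.conf   <domain> <type> <item> <value>
# no core dumps (they can contain credentials) and a process cap for students
*           hard    core       0
@students   hard    nproc      100
@students   hard    maxlogins  4
```

To exercise it: `pam_tally --user jdoe` and `faillog -u jdoe` both show the count, and `pam_tally --user jdoe --reset` or `faillog -u jdoe -r` clears it; `echo 'Maintenance until 18:00' > /etc/nologin` switches pam_nologin on and `rm /etc/nologin` switches it off. Two cautions before enabling the lockout: whether root is subject to deny= depends on the pam_tally version (see the magic_root / even_deny_root_account options in its man page), so test a console root login first; and anyone who can reach the login prompt can deliberately exceed deny= for a victim account, so a lockout policy without unlock_time is a remotely triggerable denial of service.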
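An added example for the System-wide Configuration Directives and Secure OpenSSHv2 Implementation items (written for this page, not course material): a small POSIX sh audit of an sshd_config against the hardening directives those items enumerate. The two sample files are constructed here; the directive list and the choice of values are the editor's, and Match blocks are not parsed.

```shell
# Print the effective value of directive $2 in sshd_config $1. sshd honours
# the FIRST occurrence of a keyword and silently ignores later ones, so we
# stop at the first non-comment match. Keywords are case-insensitive.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Audit $1: one finding per line on stdout; exit 0 only when nothing is weak.
# An absent directive is a finding too: defaults differ between OpenSSH
# releases (Protocol, PermitRootLogin), so a hardened file sets each explicitly.
sshd_audit() {
    _f=$1 _bad=0
    while IFS=: read -r _key _want; do
        _have=$(sshd_get "$_f" "$_key")
        if [ -z "$_have" ]; then
            echo "MISSING $_key (want '$_want'; default depends on version)"
            _bad=1
        elif [ "$(printf '%s' "$_have" | tr 'A-Z' 'a-z')" != "$_want" ]; then
            echo "WEAK    $_key is '$_have', want '$_want'"
            _bad=1
        fi
    done <<'EOF'
Protocol:2
PermitRootLogin:no
PubkeyAuthentication:yes
PasswordAuthentication:no
PermitEmptyPasswords:no
HostbasedAuthentication:no
X11Forwarding:no
AllowTcpForwarding:no
EOF
    return $_bad
}

# Number of findings for $1 (handy for scripts and for the self-test).
sshd_findings() { sshd_audit "$1" | wc -l | tr -d ' '; }

# Constructed samples: a stock-looking file with a hardening line appended at
# the bottom (which sshd ignores) beside a hardened file.
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# appended by an admin later: has NO effect, the first PermitRootLogin wins
PermitRootLogin no
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
HostbasedAuthentication no
X11Forwarding no
AllowTcpForwarding no
LogLevel VERBOSE
Banner /etc/issue.net
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Stand-alone demo: audit both samples.
_demo=$(mktemp -d)
write_samples "$_demo"
for _cfg in weak hardened; do
    echo "== sshd_config.$_cfg =="
    sshd_audit "$_demo/sshd_config.$_cfg" && echo "OK: no weak directives"
done
rm -rf "$_demo"
```

AllowTcpForwarding no is deliberate for a server that is not a forwarding gateway: the Port Forwarding items show how `ssh -R` punches an inbound path through a firewall that only allows outbound SSH, and the server-side directive is what stops a user doing that; relax it (and GatewayPorts) only on hosts meant to provide that service. Run `sshd -t -f FILE` after editing so a syntax error never leaves you with a daemon that will not restart.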
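The SSH Key Scan Utility items end with populating ~/.ssh/known_hosts from a host list in a for loop. This added example (the editor's, not the course's) does that in POSIX sh but merges into an existing file without duplicates, reports hosts that answered with no key, and keeps the verification step visible. It assumes a hosts file with one host per line and '#' comments; SCANNER exists only so the offline self-test can swap in a stub, and the stub's key blobs are constructed, not real keys.

```shell
: "${SCANNER:=ssh-keyscan -t rsa,dsa}"   # drop 'dsa' on OpenSSH builds without DSA

# Merge host keys for every host in $1 into known_hosts $2.
# Returns the number of hosts that yielded no key (0 == all scanned).
populate_known_hosts() {
    _hosts=$1 _kh=$2 _miss=0 _tmp=$(mktemp)
    [ -f "$_kh" ] && cat "$_kh" > "$_tmp"
    for _h in $(sed -e 's/#.*//' "$_hosts"); do
        if ! $SCANNER "$_h" 2>/dev/null | grep -v '^#' | grep . >> "$_tmp"; then
            echo "no key from $_h" >&2
            _miss=$((_miss + 1))
        fi
    done
    sort -u "$_tmp" > "$_kh"     # idempotent: a second run adds nothing
    rm -f "$_tmp"
    return $_miss
}

known_hosts_count() { grep -c . "$1"; }
# exit 0 when host $2 has a (plain, unhashed) entry in known_hosts $1
known_hosts_has()   { grep -q "^$2[ ,]" "$1"; }

# ssh-keyscan trusts whatever answered on port 22, so the keys it collects are
# worthless until compared out-of-band: print their fingerprints and check
# them against 'ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub' on each host.
known_hosts_fingerprints() {
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -lf "$1"
    else
        echo "ssh-keygen not installed; cannot print fingerprints" >&2; return 1
    fi
}

# Constructed stand-in for ssh-keyscan, used only by the offline self-test.
stub_keyscan() {
    case $1 in
        host1|host2) echo "$1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC${1}FAKE" ;;
        *)           return 1 ;;
    esac
}

# Stand-alone demo with the stub (no network needed); a subshell keeps the
# real SCANNER default intact for actual use.
( SCANNER=stub_keyscan
  _d=$(mktemp -d)
  printf 'host1\nhost2   # backup server\nunreachable\n' > "$_d/hosts.txt"
  populate_known_hosts "$_d/hosts.txt" "$_d/known_hosts" || echo "$? host(s) gave no key" >&2
  populate_known_hosts "$_d/hosts.txt" "$_d/known_hosts" 2>/dev/null || true
  echo "entries after two runs: $(known_hosts_count "$_d/known_hosts")"
  rm -rf "$_d" )
```

Writing to a staging file and reviewing fingerprints before copying it over ~/.ssh/known_hosts is the practical compromise: the loop saves the interactive yes/no prompts, but the first contact with each host is still trust-on-first-use unless the fingerprints are checked against something obtained another way.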
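The Perl Scripting with GPG items describe a backup script that archives key directories, GPG-protects the result, ships it with scp, and routes each step's failure appropriately. This added example (the editor's, written in sh rather than the course's Perl) implements that pipeline with a distinct exit status per step and cleanup of the plaintext archive. It assumes the recipient's public key is imported and trusted on the local keyring and that DEST is a user@host:/path; GPG_CMD and SHIP_CMD are overridable only so the offline self-test can substitute the constructed stubs below.

```shell
: "${GPG_CMD:=gpg --batch --yes --encrypt --recipient}"
: "${SHIP_CMD:=scp -q}"

# backup_encrypt_ship SRC_DIR RECIPIENT DEST
# exit: 0 ok, 2 bad source, 3 tar failed, 4 gpg failed, 5 transfer failed
backup_encrypt_ship() {
    _src=$1 _rcpt=$2 _dest=$3
    if [ ! -d "$_src" ]; then
        echo "backup: $_src is not a directory" >&2; return 2
    fi
    _work=$(mktemp -d) || return 3
    _tar=$_work/backup-$(date +%Y%m%d-%H%M%S).tar
    _enc=$_tar.gpg

    # 1. archive with relative paths (-C) so a careless restore cannot write to /
    if ! tar -cf "$_tar" -C "$(dirname "$_src")" "$(basename "$_src")"; then
        echo "backup: tar of $_src failed" >&2; rm -rf "$_work"; return 3
    fi
    # 2. encrypt to the recipient's public key. In --batch mode gpg refuses an
    #    untrusted or missing key, so a stale keyring fails here, loudly,
    #    rather than producing an unreadable backup. Plaintext goes right after.
    if ! $GPG_CMD "$_rcpt" --output "$_enc" "$_tar"; then
        echo "backup: gpg encryption to '$_rcpt' failed" >&2; rm -rf "$_work"; return 4
    fi
    rm -f "$_tar"
    # 3. ship the ciphertext only; on failure keep it for a retry and say where
    if ! $SHIP_CMD "$_enc" "$_dest"; then
        echo "backup: transfer to $_dest failed; ciphertext kept in $_work" >&2; return 5
    fi
    rm -rf "$_work"
    return 0
}

# Stubs for the offline self-test (constructed; they do no cryptography).
# stub_gpg mimics the argument order used above: RECIPIENT --output OUT IN
stub_gpg() { [ "$1" != "nobody" ] && cp "$4" "$3"; }
stub_scp() { cp "$1" "$2"; }

# Stand-alone demo with the stubs and a constructed source tree.
_d=$(mktemp -d)
mkdir -p "$_d/etc-keys" "$_d/remote"
echo "constructed secret" > "$_d/etc-keys/secret.txt"
( GPG_CMD=stub_gpg SHIP_CMD=stub_scp
  backup_encrypt_ship "$_d/etc-keys" alice "$_d/remote" && echo "shipped: $(ls "$_d/remote")"
  backup_encrypt_ship "$_d/etc-keys" nobody "$_d/remote" || echo "expected failure, status $?" )
rm -rf "$_d"
```

Appending `--sign --local-user backup@host` to GPG_CMD gives the receiving side the origin check the Digital Signatures items cover, at the cost of making the signing key's passphrase available to an unattended job (gpg-agent or --passphrase-fd), which is itself a secret to protect; the scp step, run from cron, needs the password-less key login from Module 8, ideally restricted on the remote side to that one destination directory.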