SEC502: Perimeter Protection In-Depth
There is no single fix for securing your network. That's why this course is a comprehensive analysis of a wide breadth of technologies. In fact, this is probably the most diverse course in the SANS catalog, as mastery of multiple security techniques is required to defend your network from remote attacks. You cannot just focus on a single OS or security appliance. A proper security posture must be comprised of multiple layers. This course was developed to give you the knowledge and tools necessary at every layer to ensure your network is secure.
The course starts by looking at common problems we need to resolve. Is there traffic passing by my firewall I didn't expect? How did my system get compromised when no one can connect to it from the Internet? Is there a better solution than anti-virus for controlling malware? We'll dig into these questions and more and answer them.
We spend quite a bit of time learning about IP. Sure, we all know how to assign an IP address, but to secure your network you really need to understand the idiosyncrasies of the protocol. We'll talk about how IP works and how to spot the abnormal patterns. If you can't hear yourself saying "Hmmm, there are no TCP options in that packet. It's probably forged," then you'll gain some real insight from this portion of the material.
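As an illustration of the kind of packet-level heuristic the paragraph above alludes to, here is an added example (not course material and not from any SANS lab): it decodes a raw TCP header from bytes, walks the options field, and flags a SYN that carries no options at all, which real operating-system stacks almost never emit. The two sample segments are constructed inline; the function names (`parse_tcp`, `parse_options`, `syn_anomalies`) and the anomaly strings are this example's own.

```python
import struct

SYN = 0x02
ACK = 0x10


def _tcp_header(src_port, dst_port, flags, options=b""):
    """Build a TCP header (no payload) for the constructed samples below."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 4-byte boundary
    data_offset = 5 + len(options) // 4           # header length in 32-bit words
    off_flags = (data_offset << 12) | flags
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, off_flags, 65535, 0, 0)
    return fixed + options


# Constructed sample 1: options as a typical OS stack sends them on a SYN.
REALISTIC_OPTS = (
    b"\x02\x04\x05\xb4"            # MSS 1460
    + b"\x04\x02"                  # SACK permitted
    + b"\x08\x0a" + b"\x00" * 8    # timestamps (TSval/TSecr zeroed here)
    + b"\x01"                      # NOP
    + b"\x03\x03\x07"              # window scale 7
)
REALISTIC_SYN = _tcp_header(40000, 80, SYN, REALISTIC_OPTS)

# Constructed sample 2: bare 20-byte header, no options, as crafted packets often look.
BARE_SYN = _tcp_header(40000, 80, SYN)


def parse_options(raw):
    """Return the list of option kinds present, validating lengths as we go."""
    kinds = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                  # End of Option List
            break
        if kind == 1:                  # NOP has no length byte
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        kinds.append(kind)
        i += length
    return kinds


def parse_tcp(segment):
    """Decode the fixed header and the options bytes of a TCP segment."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12
    hdr_len = data_offset * 4
    return {
        "src": src, "dst": dst, "seq": seq, "ack": ack,
        "data_offset": data_offset,
        "flags": off_flags & 0x1FF,
        "window": win,
        "options": segment[20:hdr_len],
    }


def syn_anomalies(segment):
    """Return a list of human-readable anomaly notes for a SYN segment."""
    notes = []
    hdr = parse_tcp(segment)
    if hdr["data_offset"] < 5:
        notes.append("invalid data offset")
        return notes
    is_syn = bool(hdr["flags"] & SYN) and not (hdr["flags"] & ACK)
    if not is_syn:
        return notes
    kinds = parse_options(hdr["options"])
    if not kinds:
        notes.append("SYN with no TCP options (likely crafted)")
    elif 2 not in kinds:
        notes.append("SYN without MSS option")
    return notes


if __name__ == "__main__":
    for name, seg in (("realistic", REALISTIC_SYN), ("bare", BARE_SYN)):
        print(name, syn_anomalies(seg) or ["no anomalies"])
```

The check is a heuristic, not proof: a stack tuned to strip options exists, and a careful forger can add them. Its value is as one signal among several when deciding whether a packet on the wire is what it claims to be.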
Once you have an understanding of the complexities of IP, we'll get into how to control it on the wire. Rather than trying to tell you what are good and bad products, we focus on the underlying technology used by all of them. This is extremely practical information because a side-by-side product comparison is only useful for that specific moment in time. By gaining knowledge of what goes on under the covers, you will be empowered to make good product choices for years to come. Just because two firewalls are stateful inspection, do they really work the same on the wire? Is there really any difference between stateful inspection and network-based intrusion prevention, or is it just marketing? These are the types of questions we address in this portion of the course.
From there, it's a hands-on tour through how to perform a proper wire-level assessment of a potential product, as well as what options and features are available. We'll even get into how to deploy traffic control while avoiding some of the most common mistakes. Feel like your firewall is generating too many daily entries for you to review the logs effectively? We'll address this problem not by reducing the amount of critical data, but by streamlining and automating the backend process of evaluating it.
But you can't do it all on the wire. A proper layered defense needs to include each individual host - not just the hosts exposed to access from the Internet, but hosts that have any kind of direct or indirect Internet communication capability as well. We'll start with OS lockdown techniques and move on to third-party tools that can permit you to do anything from sandbox insecure applications to full-blown application policy enforcement.
Most significantly, the course material has been developed using the following guiding principles:
- Learn the process, not one specific product.
- You learn more by doing, so hands-on problem solving is key.
- Always peel back the layers and identify the root cause.
While technical knowledge is important, what really matters are the skills to properly leverage it. This is why the course is heavily focused on problem solving and root cause analysis. While these are usually considered soft skills, they are vital to being effective in the role of security architect. So along with the technical training, you'll receive risk management capabilities and even a bit of Zen empowerment.
Test Your Skills
If you are still not sure if this course is for you, consider taking the evaluation test. It is only 15 questions and is directly based on this course material. If you can correctly answer 12-13 questions out of the 15, you are in pretty good shape. If you answer fewer than that, you will find the content of this course valuable.
SEC502.1: TCP/IP for Firewalls
On day one we start off with a 30,000-foot view of what needs to be addressed. This section is more than an executive overview, as we dig down into the bits and bytes of the problem as well. What can be secured at the network level, and which protection needs to be pushed back to the hosts? What are my packet-level control devices really doing on the wire, and when can't I trust them?
If you want to control traffic on the wire, you have to understand the IP protocol. It is for this reason a majority of the day is spent doing packet-level analysis. While many protocol analyzers will tell you what they think is happening, if you cannot read the decodes for yourself, you will have no idea when the tool is leading you astray.
CPE/CMU Credits: 6
- OSI Layer 2
- OSI Layer 3
- OSI Layers 4 and 5
SEC502.2: Firewalls, NIDS, and NIPS
The only way to understand if a network traffic control device is going to meet your requirements is to understand the technology underneath the hood. Do all stateful inspection firewalls handle traffic the same way? Is there really any difference between a stateful inspection firewall and a network-based intrusion prevention system (NIPS)? In today's material we will cut through the vendor marketing slicks and look at what their products are really capable of doing. We'll also start pulling together the pieces of a layered defense as well as start discussing best practices for traffic control.
CPE/CMU Credits: 6
- Network Address Translation
- Network-based Intrusion Detection and Prevention
SEC502.3: Wire Products and Assessment
On day two we laid the foundation by discussing the technology under the hood of every traffic control product. In today's material we will look at how each vendor has implemented the technology. We'll also discuss how to test these products on the wire so we know exactly how they are impacting traffic. Can the product stop a covert communication channel using ICMP error packets? What about a source route attack? What about an application layer attack? These are the types of questions we'll strive to answer in this material.
The number one problem students have with managing their environment is dealing with the firewall logs. This is why it is also a focus of today's material. Not only will we discuss what to look for, but through practical exercises you will learn how to optimize the log review process into something that takes less time to finish than your morning coffee.
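To make the log-review goal above concrete, here is an added example of the kind of backend automation the paragraph describes; it is not part of the course material. It parses iptables-style firewall log lines (constructed below, using documentation address ranges), counts denied connections by destination port and by source, and lists sources that touched many distinct ports so a reviewer reads a short summary rather than every line. The helper names (`parse_line`, `summarize`) and the three-port threshold are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the netfilter LOG target's key=value format.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 12 03:14:08 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=23 SYN
Jan 12 03:14:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=445 SYN
Jan 12 03:14:10 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=3389 SYN
Jan 12 03:15:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 12 03:15:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 12 03:16:00 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=443 SYN
"""

_ACTION_RE = re.compile(r"kernel: (?P<action>[A-Z]+) ")
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {'action': ..., 'SRC': ..., 'DPT': ...} for a log line, or None."""
    m = _ACTION_RE.search(line)
    if not m:
        return None
    fields = dict(_KV_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return {"action": m.group("action"), "SRC": fields["SRC"],
            "DST": fields.get("DST"), "PROTO": fields.get("PROTO"),
            "DPT": int(fields["DPT"])}


def summarize(log_text, scan_threshold=3):
    """Aggregate DROP events: counts by port, by source, and scan-like sources."""
    by_port = Counter()
    by_src = Counter()
    ports_per_src = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "DROP":
            continue
        by_port[rec["DPT"]] += 1
        by_src[rec["SRC"]] += 1
        ports_per_src[rec["SRC"]].add(rec["DPT"])
    scanners = sorted(src for src, ports in ports_per_src.items()
                      if len(ports) >= scan_threshold)
    return {"by_port": dict(by_port), "by_src": dict(by_src), "scanners": scanners}


def render(summary, top_n=5):
    """Produce the short text a reviewer would actually read."""
    lines = ["Top denied destination ports:"]
    for port, n in sorted(summary["by_port"].items(), key=lambda kv: -kv[1])[:top_n]:
        lines.append(f"  {port:>6}  {n}")
    lines.append("Sources hitting many distinct ports:")
    lines.extend(f"  {src}" for src in summary["scanners"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

The point is the shape of the pipeline, parse once, aggregate, and surface only what changed, rather than these particular fields; a real deployment would read from syslog or a collector and compare today's counters against a baseline.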
CPE/CMU Credits: 6
- Perimeter Deployment Options
- Snort - A Real-life Example
- Building a Firewall Rulebase
- Web Application and Database Firewalls
- Firewall Log Analysis
SEC502.4: Host Level Security
In the early days of the Internet it was possible to secure a network right at the perimeter. Modern-day attacks, however, are far more advanced and require a multi-layered approach to security. This does not mean the perimeter no longer serves a useful role, just that it is only part of the equation. So in today's material we will focus on the security posture of each of our individual hosts. We will look at what the OS vendors give us to work with and when we may need to turn to third-party tools. Additionally, we will look at applications, the serious vulnerabilities that can be present within them, and how to remediate the issues identified.
It is not enough to simply configure the hosts securely and hope for the best. So we will also look at vulnerability scanning and audits in order to be able to validate continuous integrity. For those times when the worst occurs, we'll talk about the basics of performing a forensic analysis as well.
Finally, we will talk about security information management. The devices on your network really want to tell you what is going on; it's just a matter of being able to sort through all of the data. We'll look at options for both daily reports as well as real-time alerting.
CPE/CMU Credits: 6
- Securing an Operating System
- Securing Exposed Services
- Web Application Security
- Host-based Intrusion Detection and Prevention
- Security Information Management
SEC502.5: Securing the Wire
It's not enough to control traffic flow; we also need to be able to secure the data inside the packets. In today's material we will start with the basics, authentication and encryption, and learn how these technologies are combined into the modern-day VPN. We'll discuss which of the technologies have been proved to be mathematically secure and which of them are a bit of a leap of faith. Further, we will discuss how to integrate encrypted dataflow into your overall architecture design so you are not blinded to attacks through these encrypted tunnels.
Then we turn our attention to securing the internal network structure. We'll cover deploying wireless access points without creating (yet another) point of management. We'll also look at network access control (NAC) and discuss what it can do today as well as its potential in the future.
CPE/CMU Credits: 6
- Network Access Control
SEC502.6: Perimeter Wrap Up
On the final day we will pull together everything we have learned. This day's material focuses greatly on problem resolution. The problems start off easy, like small organizations that need advice in order to make their environment more secure. The complexity quickly escalates, however, to where you need to combine security, functionality, and political issues into the design. A healthy dose of risk assessment is also thrown in for good measure.
You will also perform a series of labs that are hostile in nature. A majority of the previous labs were geared towards problem solving. In other words, you would be presented with a security issue and then given a hands-on process for resolving it. But these final labs are far more insidious. We'll look at what attack tools are available and just how easy they are to implement.
CPE/CMU Credits: 6
- Sizing Up a Network for Attack
This course, on the first day, made clear several topics that I had questions on for years. The explanations provided were unlike other information contained on websites and in books.
- M. Cook, Arrowhead International
This document specifies the laptop hardware and software requirements needed to perform all of the labs that are part of SANS Security 502: Perimeter Protection In-Depth. Students are expected to arrive to class with their laptops fully configured and functional. This document will outline everything you need to do in order to be prepared for class.
Students should not use their regular production laptop for this class! The course will involve installing many new software tools. When installing software, there is always a chance of breaking something else on the system. Students should assume that all data on the system could potentially be lost. SANS is not responsible for any lost data. Also, many anti-virus programs will flag some of these tools as malicious and either delete or quarantine them from the system. This means that you may need to disable this functionality or make exceptions for these tools.
Here's a quick checklist of what you will need to do to prepare for class:
Some of the labs will be performed using a modified version of Backtrack. If you wish to ensure that your system is capable of running Backtrack smoothly, you can download a copy of Backtrack from the Backtrack/Linux website and test it prior to arriving in class.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
*CPE/CMU credits not offered for the SelfStudy delivery method