SEC502: Perimeter Protection In-Depth

There is no single fix for securing your network or perimeter. If asked, "How do you secure your perimeter?", people used to answer "A firewall!", but of course that is not a valid answer today. The perimeter is far more complex than it used to be. That is why this course is a comprehensive analysis of a wide breadth of technologies. In fact, this is probably the most diverse course in the SANS catalog, as mastery of multiple security techniques is required to defend your network from remote attacks. You cannot just focus on a single OS or security appliance. A proper security posture must consist of multiple layers. This course was developed to give you the knowledge and tools necessary at every layer to ensure your network is secure.

The course starts by looking at common problems we need to resolve. How is my perimeter being bypassed? How did my system get compromised when no one can connect to it from the Internet? How do I identify compromised systems? How do I identify command and control activity? What is the best way to identify, control and investigate malware? We will dig into these questions and more and answer them.

We spend quite a bit of time learning about IP. Sure, we all know how to assign an IP address, but to secure your network you really need to understand the idiosyncrasies of the protocol. We will talk about how IP works and how to spot abnormal patterns. If you cannot hear yourself saying "Hmmm, there are no TCP options in that packet. It is probably forged," then you will gain some real insight from this portion of the material.

Once you have an understanding of the complexities of IP, we will get into how to control it on the wire. Rather than trying to tell you which products are good and which are bad, we focus on the underlying technology used by all of them. This is extremely practical information because a side-by-side product comparison is only useful for that specific moment in time. By gaining knowledge of what goes on under the covers, you will be empowered to make good product choices for years to come. Just because two firewalls are both Next Generation firewalls, do they really work the same on the wire? Is there really any difference between stateful inspection and network-based intrusion prevention, or is it just marketing? These are the types of questions we address in this portion of the course. Once we have looked at the technology, we will also look at examples of open source and commercial solutions. Commercial solutions such as Palo Alto, FireEye, Bit9 and Carbon Black are discussed.

From there, it is a hands-on tour through how to perform a proper wire-level assessment of a potential product, as well as what options and features are available. We will even get into how to deploy traffic control while avoiding some of the most common mistakes. Feel like your firewall is generating too many daily entries for you to review the logs effectively? We will address this problem not by reducing the amount of critical data, but by streamlining and automating the backend process of evaluating it.

But you cannot do it all on the wire. A proper layered defense needs to include each individual host - not just the hosts exposed to access from the Internet, but hosts that have any kind of direct or indirect Internet communication capability as well. We will start with service and OS lockdown techniques and move on to third-party tools that can permit you to do anything from endpoint protection to full-blown application policy enforcement, advanced malware protection and advanced threat protection.

Most significantly, the course material has been developed using the following guiding principles:

  • Learn the process, not one specific product.
  • You learn more by doing, so hands-on problem solving is key.
  • Always peel back the layers and identify the root cause.

While technical knowledge is important, what really matters is the skill to leverage it properly. This is why the course is heavily focused on problem solving and root cause analysis. While these are usually considered soft skills, they are vital to being effective in the role of security architect. So along with the technical training, you will receive risk management capabilities and even a bit of Zen empowerment.

Test Your Skills

If you are still not sure if this course is for you, consider taking the evaluation test. It is only 15 questions and is directly based on this course material. If you can correctly answer 12-13 questions out of the 15, you are in pretty good shape. If you answer fewer than that, you will find the content of this course valuable.

Course Syllabus
Course Contents
  SEC502.1: IP and Packet Decoding
Overview

On day one we start off with a 30,000-foot view of what needs to be addressed. This section is more than an executive overview, as we dig down into the bits and bytes of the problem as well. What can be secured at the network level, and which protection needs to be pushed back to the hosts? What are my packet-level control devices really doing on the wire, and when can't I trust them?

If you want to control traffic on the wire, you have to understand the IP protocol. It is for this reason that the majority of the day is spent doing packet-level analysis. While many protocol analyzers will tell you what they think is happening, if you cannot read the decodes for yourself, you will have no idea when the tool is leading you astray.

Exercises
  • Leverage a packet sniffer to decode IP traffic
  • Detect a system sniffing traffic on the wire
  • Create basic and advanced Libpcap filters
  • Identify the nuances in each OS's IP stack
  • Identify a source OS based on its TCP or ICMP packets
  • Hijack a TCP session and defeat a switch

CPE/CMU Credits: 6

Topics

Threat Vectors

  • What makes a system vulnerable
  • Why even your security devices are at risk
  • How to minimize the impact of a compromise
  • How to defend against APTs
  • Understanding the APT life cycle
  • Why the perimeter is still your most effective point of security
  • Why anti-virus is a dead-end technology and where to go from here
  • Why vendors may give you poor security advice
  • When it is acceptable to assume additional risk

OSI Layer 2

  • ARP - how it works and why it is a problem
  • How do attackers hijack communication sessions?
  • The six different methods of connection hijacking through a switch and how to fix them

OSI Layer 3

  • Offset and measurement, the foundation of most security technology
  • IP header layout
  • Important IP header fields
  • Record route attacks
  • Strict and loose source routing attacks - which firewalls are vulnerable?
  • How to detect a source route attack
  • Fragmentation and how it works
  • What does a normal fragmentation session look like?
  • What malicious fragmentation looks like and how to detect it

OSI Layers 4 and 5

  • UDP header format and which fields are important
  • Why UDP scans are inaccurate and how to fool them
  • TCP header format and which fields are important
  • Normal and abnormal TCP patterns
  • TCP flags and how they work
  • TCP sequence numbers and how they work
  • TCP port scans and how to fool them
  • ICMP header format and which fields are important
  • Common ICMP type/codes
  • Traffic control issues with ICMP
  • Using ICMP as a covert communication channel

Packet Decoding

  • How does a packet sniffer work?
  • Reading Libpcap decodes
  • Windump/tcpdump
  • Creating display filters
  • Reading/saving capture files
  • Bit masking and how to leverage it
  • Caveats when sniffing from a Windows system
 
  SEC502.2: Network Security - Part I
Overview

The only way to understand whether a network traffic control device is going to meet your requirements is to understand the technology under the hood. Do all firewalls handle traffic the same way? What are the differences between solutions? In today's material we will cut through the vendor marketing slicks and look at what their products are really capable of doing. We will also start pulling together the pieces of a layered defense, as well as start discussing best practices for traffic control.

Exercises
  • Safely accept and record a malicious attack
  • Identify unique traits in the IP stack of different operating systems
  • Firewall hands-on, configuring and identifying weaknesses with static and stateful filtering
  • Configure and test a network firewall
  • Snort hands-on, finding and processing detects

CPE/CMU Credits: 6

Topics

IPv6

  • What is involved with migrating from IPv4
  • Transition issues
  • IPv6 header format and important fields
  • IPv6 addressing
  • IPv6 extension headers
  • ICMPv6
  • IPv6 security issues
  • Tunnel brokers

Static and Stateful Packet Filtering

  • How static filters work
  • Problems with complex protocols
  • When SI firewalls and NIPS fall back to static filtering
  • When is static filtering the best option?
  • How stateful filters work
  • Problems with the state table and how to fix them

Stateful Inspection and NAT

  • How stateful inspection works
  • Why stateful inspection fails when implemented for application security
  • Creating a "trusted host" at the egress of your perimeter
  • What options are available for NAT?
  • When NAT will help strengthen your security posture

Netfilter and Building a Rule Base

  • Assessing your needs
  • Large scale management issues
  • Best practices
  • Common implementation mistakes
  • Rulebase optimization
  • Assessing risk

Network Based Intrusion Detection and Prevention

  • When NIDS is a better choice than NIPS
  • Anomaly detection
  • NIDS and NIPS, technology under the hood
  • NIPS vs. SI firewall - is there really any difference besides price?
  • Must-have features for NIDS and NIPS
  • How to verify detects
  • Dealing with false positives and tuning them out
  • Network placement of NIDS and NIPS devices
  • Creating custom rules

NIDS Hands-on

  • NIPS vs. NIDS operation
  • Configuring variables
  • Pre-processor options
  • Post-processor options
  • How to write snort rules
  • Alerts and log entries
  • Processing the decodes
  • Running Snort
 
  SEC502.3: Network Security - Part II
Overview

On day two we laid the foundation by discussing the technology under the hood of traffic control products. In today's material, we expand further by looking at additional solutions and how they work. We will also discuss how to test these products on the wire so we know exactly how they are impacting traffic. Can the product stop a source route attack? What about an application layer attack? These are the types of questions we will strive to answer in this material. We will also look at network access control (NAC), Next Generation firewalls, virtual firewalls and much more.

Exercises
  • Packet crafting 101
  • Perform a port scan while completely masking your source IP address from the target
  • Identify the hidden source of an attack
  • Recover session information with Wireshark
  • Recover all files from multiple HTTP streams with Chaosreader
  • Hands-on with Palo Alto

CPE/CMU Credits: 6

Topics

Cisco Routers

  • Strengths and limitations of filtering with your border router
  • Best practices for creating filters
  • Things the router can catch which the firewall cannot
  • Locking down the router
  • Commands to lock down IOS
  • Common mistakes
  • How to sniff traffic with a Cisco router

Network Access Control

  • NAC and how it works
  • Standards and acronyms
  • Adaptive network security

Packet Crafting

  • How Packet Crafting tools work
  • Packets that can be used to test perimeter security systems
  • Packets that can be crafted to find holes in firewalls

Perimeter Assessment

  • Options and potential approaches
  • Picking the right tools
  • Sample scripts for policy verification
  • Deep testing for new firewall products
  • What to do when something is "broken"

Virtual Firewalls and Proxies

  • Understanding Virtual Firewalls
  • Difference between fast path and slow path deployment
  • When virtualization is a bad idea
  • How a proxy works
  • Problems with proxies

Beyond Stateful

  • Breaking away from traditional port based defenses
  • How Next Generation firewalls work
  • How Next Generation firewalls make decisions
  • How Unified Threat Management works
  • When Unified Threat Management (UTM) is a bad idea
  • How Deep Packet Inspection works
  • Next Generation Firewall Deployment Scenarios
 
  SEC502.4: Protecting the Endpoint - Host Security
Overview

In the early days of the Internet it was possible to secure a network right at the perimeter. Modern-day attacks, however, are far more advanced and require a multi-layered approach to security. This does not mean the traditional perimeter no longer serves a useful role; just that it is only part of the equation - and the perimeter has changed. So in today's material, we will focus on the security posture of each of our individual hosts. We will look at endpoint protection solutions, and solutions to identify advanced malware. Additionally, we will look at applications, the serious vulnerabilities that can be present within them, and how to remediate the issues identified.

Exercises
  • Identify an insider leaking private company info
  • Debug potential malware
  • Exploit web application vulnerabilities
  • Secure an application with a web application firewall
  • Identify malware
  • Hands-on with FireEye

CPE/CMU Credits: 6

Topics

Locking Down Hosts

  • Securing DNS
  • Running split and split-split DNS
  • The problems with recursion and how to avoid them
  • How to avoid becoming a spam relay
  • Tools to test your DNS and SMTP setup
  • The importance of scrubbing banners

Locking Down Web Applications

  • Identifying application risks
  • CSRF attacks
  • Logical vulnerabilities
  • Session based weaknesses
  • Bypass attacks
  • How attackers use applications to target administrators
  • Injection exploitation
  • Securing web applications
  • Using a WAF to secure applications

Application Firewalls

  • Understand common web application attacks
  • Cross-site scripting
  • SQL injection and Blind SQL injection
  • What web application firewalls (WAFs) can and cannot protect against
  • What database firewalls can (and cannot) protect against
  • Deployment options
  • Evasion methods

Endpoint Protection

  • Can HIPS really prevent zero-day attacks?
  • Application control
  • Whitelisting
  • Keeping all malware off of your systems
  • Taking control of USB drives
  • Bit9 and Carbon Black
  • Data Loss Prevention solutions

Advanced Malware Protection

  • Methods of evaluation
  • Sandboxing
  • Cuckoo
  • FireEye
 
  SEC502.5: Logging, Wireless, Encryption, and VPNs
Overview

The number one problem students have with managing their environment is dealing with the firewall logs. This is why it is also a topic in today's material. Not only will we discuss what to look for, but through practical exercises you will learn how to optimize the log review process into something that takes less time to finish than your morning coffee.

We will also talk about security information and event management. The devices on your network really want to tell you what is going on; it is just a matter of being able to sort through all of the data. We will look at options for both daily reports as well as real-time alerting.

It is not enough to control traffic flow; we also need to be able to secure the data inside the packets. In today's material we will start with the basics of authentication and encryption, and learn how these technologies are combined into the modern-day VPN. We will discuss which of these technologies have been proven mathematically secure and which are more of a leap of faith. Further, we will discuss how to integrate encrypted data flows into your overall architecture design so you are not blinded to attacks coming through these encrypted tunnels.

Exercises
  • Extract handshake info from an SSL session
  • Debug a failed SSL session via traffic analysis
  • Tunnel traffic through an SSH session
  • Hijack an active SSH session
  • Obscure a file via Steganography

CPE/CMU Credits: 6

Topics

Security Information and Event Management

  • The importance of time synchronization
  • How to setup NTP on each platform
  • Goals for a centralized collection system
  • Components of a log collection system
  • Designing an architecture
  • Scale considerations
  • Product options
  • Facility and severity - how to leverage them
  • Log file management
  • Producing useful reports
  • Setting up real-time alerting
  • What to look for

Firewall Log Analysis

  • What gets recorded
  • What to look for
  • Spotting patterns in the stream
  • Identifying when a firewall gives you incorrect info
  • The process for parsing any firewall log

Wireless Security

  • WEP - how everything went wrong
  • WPA and WPA2
  • 802.1X
  • Design considerations
  • Leveraging your VPN solution to secure wireless

Authentication, Encryption and VPN Basics

  • Symmetrical key cryptography and how it works
  • Stream and block ciphers
  • Public key cryptography and how it works
  • Cipher algorithms
  • Choosing good encryption, time value issues
  • Political laws
  • What is a hash and how it works
  • Initial authentication options
  • Packet-level authentication options
  • Digital certificates
  • X.509 and PKI

VPN Options

  • The structure of a VPN
  • SSL and how it works
  • SSH and how it works
  • Security problems with SSH tunnels
  • IPSec and how it works
  • Troubleshooting IPSec connections
  • Remote control options, when it makes sense
  • VDI
 
  SEC502.6: Assessments, Cloud Considerations and Pull it All Together
Overview

On the final day we will pull together everything we have learned. This day's material focuses greatly on problem resolution. The problems start off easy, like small organizations that need advice in order to make their environment more secure. The complexity quickly escalates, however, to where you need to combine security, functionality, and political issues into the design. A healthy dose of risk assessment is also thrown in for good measure.

It is not enough to simply configure the hosts securely and hope for the best. So we will also look at vulnerability scanning and audits in order to be able to validate continuous integrity. For those times when the worst occurs, we will talk about the basics of performing a forensic analysis as well.

Of course, cloud computing is also important to consider today, so we will look at some of its risks and how to mitigate them.

Exercises
  • Audit running processes with stock tools
  • Evaluate tools for auditing purposes
  • Verify file integrity with MD5
  • Identifying collisions in the MD5 hash space
  • Hijack a TCP session and inject data
  • Spoof name server replies
  • Backdoor a system through a firewall

CPE/CMU Credits: 6

Topics

Vulnerability Assessment and Auditing

  • Anatomy of a vulnerability scanner
  • Why registry and file checking scanners can fail
  • Why network scanners can produce inaccurate information
  • When you should outsource vulnerability scanning

Cloud Considerations

  • Understanding Cloud security implications
  • Provider versus Tenant responsibilities
  • Cloud architecture and deployment models including IaaS, PaaS and SaaS
  • Key cloud threat vectors
  • Security questions to ask related to cloud computing

Pulling it All Together

  • Risk Assessments
  • Taking the pieces from the course and pulling them into a comprehensive network architecture

Ettercap Labs

  • Hijack a TCP session and inject data
  • Spoof name server replies
  • Backdoor a system through a firewall

Useful Tools

  • Network mapping tools
  • Network monitoring tools
  • Packet manipulation tools
  • Where to find the best tools
 
Additional Information
 
  Testimonial

This course, on the first day, made clear several topics that I had questions on for years. The explanations provided were unlike other information contained on websites and in books.

- M. Cook, Arrowhead International

 
  Laptop Required

This document specifies the laptop hardware and software requirements needed to perform all of the labs that are part of SANS Security 502: Perimeter Protection In-Depth. Students are expected to arrive to class with their laptops fully configured and functional. This document will outline everything you need to do in order to be prepared for class.

Students should not use their regular production laptop for this class! The course will involve installing many new software tools. When installing software, there is always a chance of breaking something else on the system. Students should assume that all data on the system could potentially be lost. SANS is not responsible for any lost data. Also, many anti-virus programs will flag some of these tools as malicious and either delete or quarantine them from the system. This means that you may need to disable this functionality or make exceptions for these tools.

Quick Checklist

Here's a quick checklist of what you will need to do to prepare for class:

  • Windows 7 or later
  • A laptop that meets the processor speed and memory requirements of your selected version of Windows
  • Administrator level access to your system
  • The ability to disable anti-virus, firewall, or any other Endpoint security solutions
  • A laptop with a bootable DVD drive
  • A wired Ethernet interface
  • A modern web browser that supports HTML5. We recommend using the latest version of Firefox, Chrome or Internet Explorer
  • Install the latest Java client

Some of the labs will be performed using a modified version of Backtrack. If you wish to ensure that your system is capable of running Kali smoothly, you can download a copy of Kali from the Kali website and test it prior to arriving in class.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

 
  Who Should Attend
  • Information security officers
  • Intrusion analysts
  • IT managers
  • Network architects
  • Network security engineers
  • Network and system administrators
  • Security managers
  • Security analysts
  • Security architects
  • Security auditors
 
  You Will Be Able To
  • Apply perimeter security solutions in order to identify and minimize weaknesses to properly protect your perimeter
  • Deploy and utilize multiple firewalls to understand the strengths and weaknesses that each present
  • Use built-in tools to audit, protect and identify if systems have been compromised
  • Utilize tcpdump to analyze network traffic in detail to understand what packets are communicating and how to identify potential covert channels
  • Understand and utilize techniques to compromise and protect against application layer attacks such
  • Utilize tools to evaluate packets and identify legitimate and illegitimate traffic
  • Use tools to evaluate and identify the risks related to Cloud Computing
  • Inspect the intricate complexities of IP, including identifying malicious packets
  • Evaluate and secure SSL, wireless networks, VPNs, applications and more
  • Implement a logging solution that properly identifies risk and is manageable

 

Author Statement

One of the most rewarding things I have ever done in my career is author this course material. It is really difficult to find solid, unbiased advice for securing your network. Vendors must watch their bottom line. This need can manifest itself in some interesting ways, like giving you poor advice that focuses more on reducing their support costs than increasing your security posture. Is it any surprise that vendor training has turned into a marketing opportunity rather than a chance to tell you how to work around the problems in their product?

The Internet can also be hit or miss. There are testing centers, news sites, blogs, etc., but most are either owned by a security vendor, do work for them, or sell ad space to them. There are individuals who honestly want to be helpful, but they lack the expertise to do so effectively. For example, post this question to any given security forum or mailing list, "I need a new firewall. Can anyone recommend something?" and watch the product recommendations come pouring in. How helpful can this advice really be when they know nothing about your network or specific needs?

One of the pleasures of working with SANS is that they are completely vendor neutral. In the ten years I've been authoring this course, I've never been asked to go easy or hard on a vendor. The heart of the training has always been on making students effective at their jobs. This is cool, because it allows me to create vendor-neutral material that focuses on the processes and technology, rather than what you need to click on in one specific vendor product screen.

- Chris Brenton

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.

*CPE/CMU credits not offered for the SelfStudy delivery method

Online options available. Train from any location.

Type     Topic     Course / Location / Instructor     Date                         Register
vLive    Security  Online                             Jan 6, 2015 - Feb 12, 2015
Onsite   All       OnSite Course of Your Choice       Your Choice

*Course contents may vary depending upon location, see specific event description for details.