
London 2013

London, United Kingdom | Sat, Nov 16 - Mon, Nov 25, 2013

SEC502: Perimeter Protection In-Depth

Just outstanding having Paul teach this class he knows his stuff. Brings real world experience to the discussions.
Stephen Dillon, MITRE

This course, on the first day, made clear several topics that I had questions on for years. The explanations provided were unlike other information contained on websites and in books.
M. Cook, Arrowhead International

There is no single fix for securing your network. That's why this course is a comprehensive analysis of a wide breadth of technologies. In fact, this is probably the most diverse course in the SANS catalog, as mastery of multiple security techniques is required to defend your network from remote attacks. You cannot just focus on a single OS or security appliance. A proper security posture consists of multiple layers. This course was developed to give you the knowledge and tools necessary at every layer to ensure your network is secure.

The course starts by looking at common problems we need to resolve. Is there traffic passing by my firewall I didn't expect? How did my system get compromised when no one can connect to it from the Internet? Is there a better solution than anti-virus for controlling malware? We'll dig into these questions and more and answer them.

We spend quite a bit of time learning about IP. Sure we all know how to assign an IP address, but to secure your network you really need to understand the idiosyncrasies of the protocol. We'll talk about how IP works and how to spot the abnormal patterns. If you can't hear yourself saying "Hummm, there are no TCP options in that packet. It's probably forged," then you'll gain some real insight from this portion of the material.

Once you have an understanding of the complexities of IP, we'll get into how to control it on the wire. Rather than trying to tell you which products are good and bad, we focus on the underlying technology used by all of them. This is extremely practical information, because a side-by-side product comparison is only useful for that specific moment in time. By gaining knowledge of what goes on under the covers, you will be empowered to make good product choices for years to come. Just because two firewalls are both marketed as stateful inspection, do they really work the same way on the wire? Is there really any difference between stateful inspection and network-based intrusion prevention, or is it just marketing? These are the types of questions we address in this portion of the course.

From there, it's a hands-on tour through how to perform a proper wire-level assessment of a potential product, as well as what options and features are available. We'll even get into how to deploy traffic control while avoiding some of the most common mistakes. Feel like your firewall is generating too many daily entries for you to review the logs effectively? We'll address this problem not by reducing the amount of critical data, but by streamlining and automating the backend process of evaluating it.

But you can't do it all on the wire. A proper layered defense needs to include each individual host - not just the hosts exposed to access from the Internet, but hosts that have any kind of direct or indirect Internet communication capability as well. We'll start with OS lockdown techniques and move on to third-party tools that can permit you to do anything from sandbox insecure applications to full-blown application policy enforcement.

Most significantly, the course material has been developed using the following guiding principles:

  • Learn the process, not one specific product.
  • You learn more by doing, so hands-on problem solving is key.
  • Always peel back the layers and identify the root cause.

While technical knowledge is important, what really matters are the skills to properly leverage it. This is why the course is heavily focused on problem solving and root cause analysis. While these are usually considered soft skills, they are vital to being effective in the role of security architect. So along with the technical training, you'll receive risk management capabilities and even a bit of Zen empowerment.

Test Your Skills

If you are still not sure if this course is for you, consider taking the evaluation test. It is only 15 questions and is directly based on this course material. If you can correctly answer 12-13 questions out of the 15, you are in pretty good shape. If you answer fewer than that, you will find the content of this course valuable.

Course Syllabus
SEC502.1: TCP/IP for Firewalls | George Bakos | Mon Nov 18th, 2013, 9:00 AM - 5:00 PM

On day one we start off with a 30,000-foot view of what needs to be addressed. This section is more than an executive overview, as we dig down into the bits and bytes of the problem as well. What can be secured at the network level, and which protection needs to be pushed back to the hosts? What are my packet-level control devices really doing on the wire, and when can't I trust them?

If you want to control traffic on the wire, you have to understand the IP protocol. It is for this reason that the majority of the day is spent doing packet-level analysis. While many protocol analyzers will tell you what they think is happening, if you cannot read the decodes for yourself, you will have no idea when the tool is leading you astray.

CPE/CMU Credits: 6


Threat Vectors

  • What makes a system vulnerable
  • Why even your security devices are at risk
  • How to minimize the impact of a compromise
  • Why the perimeter is still your most effective point of security
  • Why anti-virus is a dead-end technology and where to go from here
  • Why vendors may give you poor security advice
  • When it's acceptable to assume additional risk

OSI Layer 2

  • ARP - how it works and why it's a problem
  • How do attackers hijack communication sessions?
  • The six different methods of connection hijacking through a switch and how to fix them

OSI Layer 3

  • Offset and measurement, the foundation of most security technology
  • IP header layout
  • Important IP header fields
  • Record route attacks
  • Strict and loose source routing attacks - which firewalls are vulnerable?
  • How to detect a source route attack
  • Fragmentation and how it works
  • What does a normal fragmentation session look like
  • What malicious fragmentation looks like and how to detect it

OSI Layers 4 and 5

  • UDP header format and which fields are important
  • Why UDP scans are inaccurate and how to fool them
  • TCP header format and which fields are important
  • Normal and abnormal TCP patterns
  • TCP flags and how they work
  • TCP sequence numbers and how they work
  • TCP port scans and how to fool them
  • ICMP header format and which fields are important
  • Common ICMP type/codes
  • Traffic control issues with ICMP
  • Using ICMP as a covert communication channel

Packet Decoding

  • How does a packet sniffer work?
  • Reading Libpcap decodes
  • Windump/tcpdump
  • Creating display filters
  • Reading/saving capture files
  • Bit masking and how to leverage it
  • Caveats when sniffing from a Windows system


  • Leverage a packet sniffer to decode IP traffic
  • Detect a system sniffing traffic on the wire
  • Create basic and advanced Libpcap filters
  • Identifying the nuances in each OS's IP stack
  • How to identify a source OS based on its TCP or ICMP packets
  • Hijack a TCP session and defeat a switch
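The packet-level reading day one asks for, worked through in Python as an added example (this is not course material and not code from the page): a struct-based decoder for the IPv4 and TCP headers that walks the IP options list, recovers the fragment offset and the TCP data offset, and tags the oddities the topic list above names, a SYN carrying no TCP options, a loose or strict source-route option, a first fragment too small to hold the TCP header, and overlapping fragments. Every packet, address and tag name is constructed for the demo.

```python
"""Hand-decode raw IPv4/TCP packets and flag what a careful reader of a tcpdump
decode would notice: a SYN carrying no TCP options (typical of crafted packets),
a source-route option, a first fragment too small to hold the TCP header, and
overlapping fragments. Added example; every packet below is constructed inline."""
import struct

IPOPT_LSRR, IPOPT_SSRR = 131, 137                  # loose / strict source route option types
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_ip_options(buf):
    """Return the option type codes found in an IPv4 options field."""
    types, i = [], 0
    while i < len(buf):
        t = buf[i]
        types.append(t)
        if t == 0:                                 # end of option list
            break
        if t == 1:                                 # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(buf) or buf[i + 1] < 2:
            raise ValueError("malformed IP option")
        i += buf[i + 1]                            # every other option carries a length byte
    return types

def parse_ipv4(pkt):
    """Decode the IPv4 header; IHL is the offset everything after it hangs from."""
    if len(pkt) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, total_len, ident, ff, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("bad version or IHL")
    return {"id": ident, "ttl": ttl, "proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "mf": bool(ff & 0x2000),
            "frag_offset": (ff & 0x1FFF) * 8,      # the field counts 8-byte units
            "options": parse_ip_options(pkt[20:ihl]), "payload": pkt[ihl:]}

def parse_tcp(seg):
    """Decode the TCP header; data offset 5 (20 bytes) means no options at all."""
    sport, dport, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "flags": flags, "options": seg[20:doff], "payload": seg[doff:]}

def check_packet(pkt):
    """Return anomaly tags for one raw IPv4 packet (empty list means it looks normal)."""
    findings, ip = [], parse_ipv4(pkt)
    if IPOPT_LSRR in ip["options"] or IPOPT_SSRR in ip["options"]:
        findings.append("ip-source-route")
    if ip["proto"] != 6 or ip["frag_offset"] != 0:
        return findings                            # only look inside first-fragment TCP
    if ip["mf"] and len(ip["payload"]) < 20:
        return findings + ["tiny-first-fragment"]  # TCP header pushed into a later fragment
    tcp = parse_tcp(ip["payload"])
    f = tcp["flags"]
    if f & TCP_SYN and not f & TCP_ACK and not tcp["options"]:
        findings.append("syn-without-options")     # real stacks always send at least an MSS
    if f == 0:
        findings.append("null-flags")
    return findings

def fragments_overlap(frags):
    """True if two parsed fragments of one datagram cover the same bytes."""
    end = 0
    for start, stop in sorted((f["frag_offset"], f["frag_offset"] + len(f["payload"])) for f in frags):
        if start < end:
            return True
        end = max(end, stop)
    return False

def build_ipv4(src, dst, proto, payload, ip_id=1, mf=False, frag_offset=0, options=b""):
    """Build a constructed sample packet (checksums left zero; nothing here touches a wire)."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 20 + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl // 4, 0, ihl + len(payload), ip_id,
                      (0x2000 if mf else 0) | frag_offset // 8, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + options + payload

def build_tcp(sport, dport, flags, options=b""):
    options += b"\x00" * (-len(options) % 4)
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, (20 + len(options)) // 4 << 4,
                       flags, 65535, 0, 0) + options

MSS_1460 = b"\x02\x04\x05\xb4"                      # the one option every real SYN carries
LSRR = b"\x83\x07\x04\x0a\x00\x00\x01"              # loose source route via 10.0.0.1
SAMPLES = {
    "crafted_syn": build_ipv4("198.51.100.7", "10.0.0.80", 6, build_tcp(40000, 80, TCP_SYN)),
    "normal_syn": build_ipv4("10.0.0.5", "10.0.0.80", 6, build_tcp(40001, 80, TCP_SYN, MSS_1460)),
    "source_routed": build_ipv4("198.51.100.7", "10.0.0.80", 6,
                                build_tcp(40002, 80, TCP_SYN, MSS_1460), options=LSRR),
    "tiny_fragment": build_ipv4("198.51.100.7", "10.0.0.80", 6, build_tcp(40003, 80, TCP_SYN)[:8], mf=True),
    "null_scan": build_ipv4("198.51.100.7", "10.0.0.80", 6, build_tcp(40004, 80, 0)),
}
_whole = build_tcp(40005, 80, TCP_SYN | TCP_ACK, MSS_1460) + b"X" * 8   # 32-byte segment to fragment
OVERLAPPING_FRAGS = [build_ipv4("10.0.0.5", "10.0.0.80", 6, _whole[:24], ip_id=7, mf=True),
                     build_ipv4("10.0.0.5", "10.0.0.80", 6, _whole[16:], ip_id=7, frag_offset=16)]
CLEAN_FRAGS = [build_ipv4("10.0.0.5", "10.0.0.80", 6, _whole[:24], ip_id=8, mf=True),
               build_ipv4("10.0.0.5", "10.0.0.80", 6, _whole[24:], ip_id=8, frag_offset=24)]
```

`check_packet` returns tags rather than printing, so it drops straight into a loop over a pcap reader. The tcpdump equivalent of the SYN check is the bit mask `tcp[13] & 0x02 != 0 and tcp[12] & 0xf0 = 0x50` (SYN set, data offset 5, so a bare 20-byte header); the Python version is here so you can see what that mask is actually measuring, and why it says nothing about a packet whose TCP header has been pushed into a second fragment.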

SEC502.2: Firewalls, NIDS, and NIPS | George Bakos | Tue Nov 19th, 2013, 9:00 AM - 5:00 PM

The only way to understand if a network traffic control device is going to meet your requirements is to understand the technology underneath the hood. Do all stateful inspection firewalls handle traffic the same way? Is there really any difference between a stateful inspection firewall and a network-based intrusion prevention system (NIPS)? In today's material we will cut through the vendor marketing slicks and look at what their products are really capable of doing. We'll also start pulling together the pieces of a layered defense as well as start discussing best practices for traffic control.

  • Safely accept and record a malicious attack
  • Identify unique traits in the IP stack of different operating systems
  • Firewall hands-on, configuring and identifying weaknesses with static and stateful filtering
  • Configure and test a network firewall
  • Snort hands-on, finding and processing detects

CPE/CMU Credits: 6


IPv6

  • What's involved with migrating from IPv4
  • Transition issues
  • IPv6 header format and important fields
  • IPv6 addressing
  • IPv6 extension headers
  • ICMPv6
  • IPv6 security issues
  • Tunnel brokers

Static Filters

  • How static filters work
  • Problems with complex protocols
  • When SI firewalls and NIPS fall back to static filtering
  • When is static filtering the best option?
  • Best practices and common rules

Stateful Filters

  • How stateful filters work
  • Problems with the state table and how to fix them
  • When stateful inspection firewalls fall back on stateful filtering
  • Best practices and common rules
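The difference between the Static Filters and Stateful Filters topics above, worked through in Python as an added example (not course material): a router-style ACL that admits any inbound TCP packet with the ACK bit set, next to a filter that keeps a state table keyed on the outbound SYN and ages its entries. The same eight-packet scenario goes through both. The packets, the state names and the two timeout values are invented for the demo; they are not any product's defaults.

```python
"""Why a static "established" ACL and a stateful filter disagree about the same
inbound packet, and why a state table needs timeouts. Added example for this page;
the packets, the rule logic and the timeouts are all constructed for the demo."""
SYN, RST, ACK = 0x02, 0x04, 0x10
INSIDE_PREFIX = "10.0.0."
HALF_OPEN_TIMEOUT = 30       # seconds a SYN_SENT entry may wait for its SYN/ACK
IDLE_TIMEOUT = 3600          # idle time before an ESTABLISHED entry is dropped

def pkt(t, src, sport, dst, dport, flags):
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

def inside(ip):
    return ip.startswith(INSIDE_PREFIX)

def static_filter(p):
    """Router-style ACL: permit anything outbound, permit inbound TCP only when the
    ACK bit is set ("established"). The ACK bit costs an attacker nothing to set."""
    return "permit" if inside(p["src"]) or p["flags"] & ACK else "deny"

class StatefulFilter:
    """Admit inbound packets only if an inside host opened the connection first."""
    def __init__(self):
        self.table = {}      # (inside ip, port, outside ip, port) -> [state, last_seen]

    def _expire(self, now):
        for key, (state, seen) in list(self.table.items()):
            limit = IDLE_TIMEOUT if state == "ESTABLISHED" else HALF_OPEN_TIMEOUT
            if now - seen > limit:
                del self.table[key]

    def decide(self, p):
        self._expire(p["t"])
        f = p["flags"]
        if inside(p["src"]):                         # outbound: always allowed, may create state
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            entry = self.table.get(key)
            if f & SYN and not f & ACK:
                self.table[key] = ["SYN_SENT", p["t"]]
            elif entry and f & RST:
                del self.table[key]
            elif entry:
                if entry[0] == "SYN_ACK_SEEN" and f & ACK:
                    entry[0] = "ESTABLISHED"
                entry[1] = p["t"]
            return "permit"
        key = (p["dst"], p["dport"], p["src"], p["sport"])   # inbound: must match state
        entry = self.table.get(key)
        if entry is None:
            return "deny"
        if f & RST:
            del self.table[key]
        elif entry[0] == "SYN_SENT" and f & SYN and f & ACK:
            entry[0] = "SYN_ACK_SEEN"
        elif entry[0] == "ESTABLISHED" and f & ACK and not f & SYN:
            pass
        else:
            return "deny"
        if key in self.table:
            entry[1] = p["t"]
        return "permit"

def run(decide, packets):
    return [decide(p) for p in packets]

# Constructed traffic: one real connection, an ACK scan, a bare SYN, and a SYN whose
# reply arrives after the half-open timer has expired.
SCENARIO = [
    pkt(0,  "10.0.0.5", 40000, "203.0.113.10", 80, SYN),         # outbound SYN
    pkt(1,  "203.0.113.10", 80, "10.0.0.5", 40000, SYN | ACK),   # server's reply
    pkt(2,  "10.0.0.5", 40000, "203.0.113.10", 80, ACK),         # handshake completes
    pkt(3,  "203.0.113.10", 80, "10.0.0.5", 40000, ACK),         # server data
    pkt(4,  "198.51.100.7", 1234, "10.0.0.5", 445, ACK),         # ACK scan probe, no connection
    pkt(5,  "198.51.100.7", 1234, "10.0.0.5", 445, SYN),         # unsolicited inbound SYN
    pkt(6,  "10.0.0.9", 50000, "203.0.113.10", 443, SYN),        # second outbound SYN
    pkt(60, "203.0.113.10", 443, "10.0.0.9", 50000, SYN | ACK),  # reply 54 s later
]

if __name__ == "__main__":
    print("static  :", run(static_filter, SCENARIO))
    print("stateful:", run(StatefulFilter().decide, SCENARIO))
```

Packet 5, an ACK with no prior SYN, is exactly the probe an ACK scan sends: the static ACL passes it and the stateful filter does not. Packet 8 shows the other side of the coin, a legitimate SYN/ACK dropped because the half-open entry aged out after 30 seconds; real products expose that timer, and setting it generously is how a SYN flood fills the state table.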

Stateful Inspection

  • How stateful inspection works
  • How stateful inspection recovers complex protocols
  • Why stateful inspection fails when implemented for application security
  • Best practices
  • Creating a "trusted host" at the egress of your perimeter

Network Address Translation

  • What options are available for NAT?
  • When not to use NAT
  • When NAT will help strengthen your security posture

Network-based Intrusion Detection and Prevention

  • When NIDS is a better choice than NIPS
  • Anomaly detection
  • NIDS and NIPS, technology under the hood
  • NIPS vs. SI firewall - is there really any difference besides price?
  • Must-have features for NIDS and NIPS
  • How to verify detects
  • Dealing with false positives and tuning them out
  • Network placement of NIDS and NIPS devices
  • Switch issues
  • Ethernet taps
  • Creating custom rules

Proxies

  • How a proxy works
  • When is a proxy more secure than stateful inspection?
  • When is stateful inspection more secure than a proxy?
  • Proxy deployments, gatekeeper vs. application specific
  • Performance issues and how to deal with them

Border Routers

  • Strengths and limitations of filtering with your border router
  • Best practices for creating filters
  • Things the router can catch which the firewall cannot
  • Locking down the router

Cisco IOS

  • IOS basics and common commands
  • Implementing best practice static filters
  • Implementing best practice stateful filters
  • Commands to lock down IOS
  • Common mistakes
  • How to sniff traffic with a Cisco router

Wireshark

  • Strengths and weaknesses vs. tcpdump/windump
  • Additional command line tools
  • Configuration options and common mistakes
  • Creating capture filters
  • Creating display filters
  • Recovering files from the datastream


  • Safely accept and record a malicious attack
  • Identify unique traits in the IP stack of different operating systems
  • Packet crafting 101
  • Perform a port scan while completely masking your source IP address from the target
  • Recover session information with Wireshark
  • Recover all files from multiple HTTP streams with Chaosreader

SEC502.3: Wire Products and Assessment | George Bakos | Wed Nov 20th, 2013, 9:00 AM - 5:00 PM

On day two we laid the foundation by discussing the technology under the hood of every traffic control product. In today's material we will look at how each vendor has implemented the technology. We'll also discuss how to test these products on the wire so we know exactly how they are impacting traffic. Can the product stop a covert communication channel using ICMP error packets? What about a source route attack? What about an application layer attack? These are the types of questions we'll strive to answer in this material.

The number one problem students have with managing their environment is dealing with the firewall logs. This is why it is also a focus of today's material. Not only will we discuss what to look for, but through practical exercises you will learn how to optimize the log review process into something that takes less time to finish than your morning coffee.

  • Packet crafting 101
  • Perform a port scan while completely masking your source IP address from the target
  • Identify the hidden source of an attack
  • Recover session information with Wireshark
  • Recover all files from multiple HTTP streams with Chaosreader
  • Hands-on with Palo Alto

CPE/CMU Credits: 6


Perimeter Deployment Options

  • Stateful Inspection based
  • Proxy based
  • Intrusion detection
  • Intrusion prevention
  • Distinguishing features
  • When Unified Threat Management (UTM) is a bad idea
  • When virtualization is a bad idea
  • Open source product options

Snort - A Real-life Example

  • NIPS vs. NIDS operation
  • Configuring variables
  • Pre-processor options
  • Post-processor options
  • How to write snort rules
  • Alerts and log entries
  • Processing the decodes
  • Running Snort on Windows

Building a Firewall Rulebase

  • Assessing your needs
  • Large scale management issues
  • Best practices
  • Common implementation mistakes
  • Rulebase optimization
  • Assessing risk

Web Application and Database Firewalls

  • Understand common web application attacks
  • Cross-site scripting
  • SQL injection and Blind SQL injection
  • What web application firewalls (WAFs) can and cannot protect against
  • What database firewalls can (and cannot) protect against
  • Deployment options
  • Evasion methods

Firewall Assessment

  • Options and potential approaches
  • When outsourcing makes sense
  • Picking the right tools
  • Sample scripts for policy verification
  • Deep testing for new firewall products
  • What to do when something is "broken"

Firewall Log Analysis

  • What gets recorded
  • What to look for
  • Spotting patterns in the stream
  • Identifying when a firewall gives you incorrect info
  • The process for parsing any firewall log


  • In-depth trace analysis
  • Identify why a NIDS is really not stopping an attack
  • Identify the hidden source of an attack
  • Snort hands-on, finding and processing detects
  • Configure and test a network firewall
  • Nmap 101
  • Nmap - advanced options
  • Identifying a DDoS attack and which packets are evil
  • Checking 200,000 firewall log entries in less than three minutes
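For the Firewall Log Analysis topics and the log-review exercise above, an added example (not from the course and not the page's own code): a single-pass Python summarizer over netfilter-style KEY=VALUE deny lines that reports sources probing many ports, sources sweeping one port across many hosts, and destination ports not on a known-noise list. The log lines, the thresholds and the `[FW BLOCK]` prefix are constructed; for another vendor's format you change `FIELD_RE` and the `SRC`/`DST`/`DPT` field names and keep the rest.

```python
"""Turn a pile of firewall deny lines into the handful of things worth a human's
time: sources probing many ports, sources sweeping one port across many hosts,
and ports that are not on your known-noise list. Added example for this page;
the lines are constructed in netfilter's KEY=VALUE style, not taken from a firewall."""
import re
from collections import Counter, defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S*)")   # adjust for your vendor; the rest is format-agnostic
SCAN_THRESHOLD = 5                      # distinct destination ports from one source
SWEEP_THRESHOLD = 3                     # distinct destination hosts on one port from one source

def parse_line(line):
    """Return the KEY=VALUE fields of a packet record, or None for daemon chatter."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    fields["DPT"] = int(fields.get("DPT") or 0)      # 0 when the protocol has no port
    return fields

def summarize(lines, known_noise_ports=frozenset()):
    """One pass over the log; memory grows with distinct sources and ports, not lines."""
    ports_by_src, hosts_by_src_port, hits_by_port = defaultdict(set), defaultdict(set), Counter()
    total = parsed = 0
    for line in lines:
        total += 1
        f = parse_line(line)
        if f is None:
            continue
        parsed += 1
        ports_by_src[f["SRC"]].add(f["DPT"])
        hosts_by_src_port[(f["SRC"], f["DPT"])].add(f["DST"])
        hits_by_port[f["DPT"]] += 1
    return {
        "total": total, "parsed": parsed,
        "scanners": sorted(s for s, ports in ports_by_src.items() if len(ports) >= SCAN_THRESHOLD),
        "sweeps": sorted(k for k, hosts in hosts_by_src_port.items() if len(hosts) >= SWEEP_THRESHOLD),
        "new_ports": sorted(p for p in hits_by_port if p not in known_noise_ports),
        "top_ports": hits_by_port.most_common(3),
    }

def _deny(ts, src, dst, proto, spt, dpt):
    """Build one constructed deny line in the netfilter LOG target's style."""
    return (f"Nov 20 {ts} fw kernel: [FW BLOCK] IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=44 TTL=49 PROTO={proto} SPT={spt} DPT={dpt}")

SAMPLE_LOG = (
    [_deny(f"09:12:0{n}", "198.51.100.7", "203.0.113.5", "TCP", 4321, p)     # one source, five ports
     for n, p in enumerate((21, 22, 23, 25, 80))]
    + [_deny(f"09:13:1{n}", "192.0.2.44", f"203.0.113.{h}", "TCP", 5555, 445)  # one port, three hosts
       for n, h in enumerate((5, 6, 7))]
    + [_deny("09:14:00", "203.0.113.200", "203.0.113.255", "UDP", 137, 137),  # NetBIOS broadcast noise
       _deny("09:14:30", "203.0.113.200", "203.0.113.255", "UDP", 137, 137),
       "Nov 20 09:15:00 fw kernel: eth0: link is up"]                         # not a packet record
)

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, known_noise_ports={137}))
```

The thresholds and the noise list are where the review time is saved: once port 137 broadcasts are declared noise, what is left of these eleven lines is one scanner, one sweep and a short port list, and the same code run over a day's worth of entries produces the same short report. Keeping a set of ports per source, rather than every line, is what keeps memory bounded on a noisy network.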

SEC502.4: Host Level Security | George Bakos | Thu Nov 21st, 2013, 9:00 AM - 5:00 PM

In the early days of the Internet it was possible to secure a network right at the perimeter. Modern-day attacks, however, are far more advanced and require a multi-layered approach to security. This does not mean the perimeter no longer serves a useful role, just that it is only part of the equation. So in today's material we will focus on the security posture of each of our individual hosts. We will look at what the OS vendors give us to work with and when we may need to turn to third-party tools. Additionally, we will look at applications, the serious vulnerabilities that can be present within them, and how to remediate the issues identified.

It is not enough to simply configure the hosts securely and hope for the best. So we will also look at vulnerability scanning and audits in order to be able to validate continuous integrity. For those times when the worst occurs, we'll talk about the basics of performing a forensic analysis as well.

Finally, we will talk about security information management. The devices on your network really want to tell you what is going on; it's just a matter of being able to sort through all of the data. We'll look at options for both daily reports as well as real-time alerting.

  • Identifying an insider leaking private company info
  • Debugging potential malware
  • Exploiting web application vulnerabilities
  • Securing an application with a web application firewall
  • Identifying malware
  • Hands-on with FireEye

CPE/CMU Credits: 6


Securing an Operating System

  • Patching
  • Using better passwords
  • Removing dangerous OS tools
  • Policy management
  • Tools to assist in lockdown
  • Controlling administrator and root access

Securing Exposed Services

  • Bind and Microsoft DNS compared
  • Running split DNS
  • The problems with recursion and how to avoid them
  • Proper web server permissions
  • Limiting web server access
  • Logging extended properties with IIS
  • How to avoid becoming a spam relay
  • Tools to test your DNS and SMTP setup
  • The importance of scrubbing banners

Web Application Security

  • Identifying application risks
  • CSRF attacks
  • Logical vulnerabilities
  • Session based weaknesses
  • Bypass attacks
  • How attackers use applications to target administrators
  • Injection exploitation
  • Securing web applications
  • Using a WAF to secure applications

Host-based Intrusion Detection and Prevention

  • Can HIPS really prevent zero-day attacks?
  • Log-based implementations
  • Signature-based implementations
  • Sandbox implementations
  • Kernel-level implementations
  • Application control - has anti-virus been superseded?
  • Keeping all malware off of your systems
  • Taking control of USB drives
  • Data Loss Prevention solutions

Vulnerability Assessment

  • Anatomy of a vulnerability scanner
  • Why registry and file checking scanners can fail
  • Why network scanners can produce inaccurate information
  • When you should outsource vulnerability scanning
  • Product comparison

Baseline Audits

  • Baseline auditing as a process
  • What to look for
  • What can't be detected with an audit
  • How to automate checking of multiple systems
  • Stock OS tools you can use

Forensics

  • Auditing vs. forensics
  • The real goals of a forensic analysis
  • Forensics and law enforcement, when to make that call
  • Processing a crime scene
  • Collecting pertinent data from all devices
  • Preserving the volatile
  • Getting info off the system
  • Tools you can use
  • Anti-forensics

Security Information Management

  • The importance of time synchronization
  • How to set up NTP on each platform
  • Goals for a centralized collection system
  • Components of a log collection system
  • Designing an architecture
  • Scale considerations
  • Product options
  • Options for Windows
  • Facility and severity - how to leverage them
  • Log file management
  • Producing useful reports
  • Setting up real-time alerting
  • What to look for


  • Identifying an insider leaking private company info
  • Debugging potential malware
  • Exploiting web application vulnerabilities
  • Securing an application with a web application firewall
  • Audit running processes with stock tools
  • Evaluate tools for auditing purposes
  • Identify rogue listening ports
  • Crack Linux/UNIX hashes
  • Crack Windows hashes

SEC502.5: Securing the Wire | George Bakos | Fri Nov 22nd, 2013, 9:00 AM - 5:00 PM

It's not enough to control traffic flow; we also need to be able to secure the data inside the packets. In today's material we will start with the basics, authentication and encryption, and learn how these technologies are combined into the modern-day VPN. We'll discuss which of these technologies rest on well-understood mathematics and which of them are a bit of a leap of faith. Further, we will discuss how to integrate encrypted data flows into your overall architecture design so you are not blinded to attacks through these encrypted tunnels.

Then we turn our attention to securing the internal network structure. We'll cover deploying wireless access points without creating (yet another) point of management. We'll also look at network access control (NAC) and discuss what it can do today as well as its potential in the future.

  • Extract handshake info from an SSL session
  • Debug a failed SSL session via traffic analysis
  • Tunnel traffic through an SSH session
  • Hijack an active SSH session
  • Obscure a file via Steganography

CPE/CMU Credits: 6


Encryption

  • Symmetric key cryptography and how it works
  • Stream and block ciphers
  • Public key cryptography and how it works
  • Cipher algorithms
  • Choosing good encryption, time value issues
  • Legal and political restrictions on cryptography

Authentication

  • What's a hash and how it works
  • Initial authentication options
  • Packet-level authentication options
  • Digital certificates
  • X.509 and PKI

VPN Options

  • The structure of a VPN
  • SSL and how it works
  • SSH and how it works
  • Security problems with SSH tunnels
  • IPSec and how it works
  • Troubleshooting IPSec connections
  • Remote control options, when it makes sense

VPN Architecture

  • Placement of a VPN gateway, best practices
  • Personal firewalls, what features to look for
  • Personal firewall management
  • Alternatives to personal firewalls

Wireless

  • WEP - how everything went wrong
  • WPA and WPA2
  • 802.1X
  • Design considerations
  • Leveraging your VPN solution to secure wireless

Network Access Control

  • NAC and how it works
  • Standards and acronyms
  • Standards-based NAC vs. Cisco NAC
  • A NAC implementation - case study
  • Adaptive network security, is it ready for prime time?
  • Building an adaptive network with Cisco gear


  • Verify file integrity with MD5
  • Identifying collisions in the MD5 hash space
  • Extract handshake info from an SSL session
  • Debug a failed SSL session via traffic analysis
  • Tunnel traffic through an SSH session
  • Hijack an active SSH session
  • Obscure a file via Steganography
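An added example (not course material and not the page's own code) for the two SSL exercises above, extracting handshake information and debugging a failed session from traffic: Python that decodes raw TLS records, pulls the offered version, cipher suites and SNI out of a ClientHello, and names the alert that ended the session. The records are built by the block itself rather than captured; the cipher-suite and alert tables hold only a few well-known RFC 5246 values and are deliberately incomplete.

```python
"""Pull the handshake facts out of raw TLS records the way you would when
debugging a failed session from a capture: the ClientHello's offered version,
cipher suites and SNI, and the Alert record that says why the peer gave up.
Added example for this page; the records are constructed inline, not captured."""
import struct

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
WEAK = {0x0004, 0x0005, 0x000A}                     # RC4 and 3DES: worth flagging if offered
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}

def u16(b, i):
    return struct.unpack("!H", b[i:i + 2])[0]

def parse_client_hello(body):
    """body is the handshake message after its 4-byte type/length header."""
    info = {"version": VERSIONS.get((body[0], body[1]), "unknown"), "sni": None}
    i = 34                                          # client_version(2) + random(32)
    i += 1 + body[i]                                # session id
    n = u16(body, i); i += 2
    info["cipher_suites"] = [u16(body, j) for j in range(i, i + n, 2)]; i += n
    i += 1 + body[i]                                # compression methods
    if i + 2 <= len(body):                          # extensions block is optional
        end = i + 2 + u16(body, i); i += 2
        while i + 4 <= end:
            etype, elen = u16(body, i), u16(body, i + 2); i += 4
            if etype == 0:                          # server_name: list len(2), type(1), name len(2), name
                info["sni"] = body[i + 5:i + 5 + u16(body, i + 3)].decode("ascii", "replace")
            i += elen
    info["weak_suites"] = [SUITES.get(s, hex(s)) for s in info["cipher_suites"] if s in WEAK]
    return info

def decode_record(data):
    """Decode one TLS record: a ClientHello handshake or an alert; others just get typed."""
    if len(data) < 5:
        raise ValueError("short record")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    rec = {"type": {0x15: "alert", 0x16: "handshake", 0x17: "application_data"}.get(ctype, ctype),
           "record_version": VERSIONS.get((vmaj, vmin), "unknown")}
    if ctype == 0x15 and length == 2:
        rec["alert"] = ("fatal" if payload[0] == 2 else "warning", ALERTS.get(payload[1], str(payload[1])))
    elif ctype == 0x16 and payload and payload[0] == 1:
        rec["client_hello"] = parse_client_hello(payload[4:4 + int.from_bytes(payload[1:4], "big")])
    return rec

def build_client_hello(version, suites, sni=None):
    """Constructed ClientHello (random is all zero, which a real client never sends)."""
    body = bytes(version) + bytes(32) + b"\x00"     # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"   # suites, null compression only
    if sni:
        name = b"\x00" + struct.pack("!H", len(sni)) + sni.encode()
        ext = struct.pack("!HHH", 0, len(name) + 2, len(name)) + name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_alert(level, description):
    return b"\x15\x03\x01\x00\x02" + bytes([level, description])

# One failed session as it might appear on the wire: the client offers TLS 1.2 with a
# weak suite in the mix, and the server answers with a fatal handshake_failure alert
# (no suite in common), which is all the application log would have called "SSL error".
SESSION = [build_client_hello((3, 3), [0xC02F, 0x002F, 0x0004], sni="vpn.example.com"),
           build_alert(2, 40)]

def explain(records):
    """Return one diagnostic string per decoded record."""
    out = []
    for r in map(decode_record, records):
        if "client_hello" in r:
            ch = r["client_hello"]
            out.append(f"ClientHello {ch['version']} sni={ch['sni']} "
                       f"suites={len(ch['cipher_suites'])} weak={ch['weak_suites']}")
        elif "alert" in r:
            out.append(f"Alert {r['alert'][0]} {r['alert'][1]}")
    return out

if __name__ == "__main__":
    print("\n".join(explain(SESSION)))
```

A server with no suite in common answers the ClientHello straight away with `handshake_failure`; a client that does not trust the server's certificate chain sends `unknown_ca` after the Certificate message; a version mismatch shows up as `protocol_version`. Reading the alert off the wire, together with what the client actually offered, settles in one capture what the application's error string leaves you guessing about.
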

SEC502.6: Perimeter Wrap Up | George Bakos | Sat Nov 23rd, 2013, 9:00 AM - 5:00 PM

On the final day we will pull together everything we have learned. This day's material focuses greatly on problem resolution. The problems start off easy, like small organizations that need advice in order to make their environment more secure. The complexity quickly escalates, however, to where you need to combine security, functionality, and political issues into the design. A healthy dose of risk assessment is also thrown in for good measure.

You will also perform a series of labs that are hostile in nature. A majority of the previous labs were geared towards problem solving. In other words, you would be presented with a security issue and then given a hands-on process for resolving it. But these final labs are far more insidious. We'll look at what attack tools are available and just how easy they are to implement.

  • Audit running processes with stock tools
  • Evaluate tools for auditing purposes
  • Verify file integrity with MD5
  • Identifying collisions in the MD5 hash space
  • Hijack a TCP session and inject data
  • Spoof name server replies
  • Backdoor a system through a firewall

CPE/CMU Credits: 6


Sizing Up a Network for Attack

  • Collecting info via public data stores
  • Extrapolating useful clues
  • Firewall fingerprinting
  • Deceptive scanning
  • Masking your probes
  • Banner grabbing
  • Finding exploits
  • Leveraging voicemail info
  • Social engineering

Cool Tools

  • Network mapping tools
  • Network monitoring tools
  • Packet manipulation tools
  • Where to find the best tools


  • Analyze security needs for a small field office
  • Analyze security needs between two business partners
  • Analyze security needs for a .edu environment
  • Analyze security needs for a class B network
  • Hijack a TCP session and inject data
  • Spoof name server replies
  • Backdoor a system through a firewall

Additional Information


Laptop Required

This document specifies the laptop hardware and software requirements needed to perform all of the labs that are part of SANS Security 502: Perimeter Protection In-Depth. Students are expected to arrive at class with their laptops fully configured and functional. This document outlines everything you need to do in order to be prepared for class.

Students should not use their regular production laptop for this class! The course will involve installing many new software tools. When installing software, there is always a chance of breaking something else on the system. Students should assume that all data on the system could potentially be lost. SANS is not responsible for any lost data. Also, many anti-virus programs will flag some of these tools as malicious and either delete or quarantine them from the system. This means that you may need to disable this functionality or make exceptions for these tools.

Quick Checklist

Here's a quick checklist of what you will need to do to prepare for class:

  • Windows 2000 or later
  • A laptop that meets the processor speed and memory requirements of your selected version of Windows
  • Administrator level access to your system
  • The ability to disable anti-virus, firewall, and application control software
  • A laptop with a bootable DVD drive
  • A wired Ethernet interface

Some of the labs will be performed using a modified version of BackTrack. If you wish to ensure that your system is capable of running BackTrack smoothly, you can download a copy from the BackTrack Linux website and test it prior to arriving in class.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

  • Information security officers
  • Intrusion analysts
  • IT managers
  • Network architects
  • Network security engineers
  • Network and system administrators
  • Security managers
  • Security analysts
  • Security architects
  • Security auditors

You Will Be Able To

  • Apply perimeter security solutions in order to identify and minimize weaknesses to properly protect your perimeter
  • Deploy and utilize multiple firewalls to understand the strengths and weaknesses that each present
  • Use built-in tools to audit, protect and identify if systems have been compromised
  • Utilize tcpdump to analyze network traffic in detail to understand what packets are communicating and how to identify potential covert channels
  • Understand and utilize techniques to compromise and protect against application layer attacks such
  • Utilize tools to evaluate packets and identify legitimate and illegitimate traffic
  • Use tools to evaluate and identify the risks related to Cloud Computing
  • Inspect the intricate complexities of IP, including identifying malicious packets
  • Evaluate and secure SSL, wireless networks, VPNs, applications and more
  • Implement a logging solution that properly identifies risk and is manageable


Author Statement

One of the most rewarding things I have ever done in my career is author this course material. It is really difficult to find solid, unbiased advice for securing your network. Vendors must watch their bottom line. This need can manifest itself in some interesting ways, like giving you poor advice that focuses more on reducing their support costs than increasing your security posture. Is it any surprise that vendor training has turned into a marketing opportunity rather than a chance to tell you how to work around the problems in their product?

The Internet can also be hit or miss. There are testing centers, news sites, blogs, etc., but most are either owned by a security vendor, do work for them, or sell ad space to them. There are individuals who honestly want to be helpful, but they lack the expertise to do so effectively. For example, post this question to any given security forum or mailing list, "I need a new firewall. Can anyone recommend something?" and watch the product recommendations come pouring in. How helpful can this advice really be when they know nothing about your network or specific needs?

One of the pleasures of working with SANS is that they are completely vendor neutral. In the ten years I've been authoring this course, I've never been asked to go easy or hard on a vendor. The heart of the training has always been on making students effective at their jobs. This is cool, because it allows me to create vendor-neutral material that focuses on the processes and technology, rather than what you need to click on in one specific vendor product screen.

- Chris Brenton