Monday, August 22, 2005

Request for Lab Ideas

I previously announced my four-day Network Security Operations class. I have planned some of the labs for the class, but I thought you might have ideas regarding the sorts of hands-on activities you would want to try.

The class consists of four days, covering network security monitoring, network incident response, and network forensics. Days one, two, and three each offer small labs at regular intervals to reinforce the lecture material. Day four is entirely lab-based.

One of my goals is to give each student his or her own environment for analysis. I am considering a mix of real, jailed, and virtual environments. The activities students want to try will drive how I implement the student work environment. For example, using my GSX server I believe I can support 16 simultaneous VMs. A single FreeBSD install might be able to support many more jails on its own. Real hardware could be problematic, but I might be able to use Soekris systems. VMs are attractive because they offer snapshot features, whereas real hardware needs to be re-imaged.

I don't intend to provide each student his or her own laptop. I prefer each student to bring a laptop to the class, and SSH from the laptop to his or her own environment. Alternatively, if VMware GSX is used on the class server, the student could connect using the VMware Virtual Console. That requires adding code to the student's own laptop (which needs to be running Linux or Windows), which I would prefer to avoid.

Another option involves building a custom live CD, perhaps using FreeSBIE. Each student could run a local FreeBSD instance on his or her laptop. I foresee problems with inadequate laptops, unrecognized hardware, and limited learning scenarios. That's still an option though.

I have been trying to imagine the sorts of activities I would want to try in a class covering these topics. I want students to try a wide variety of network analysis tools, like Tcpdump, Tethereal, Snort, Tcpflow, Ngrep, Flowgrep, Flow-tools, Argus, Tcpdstat, Capinfos, and so on. These can be implemented (especially when reading from saved Libpcap traces) fairly simply.

If I want to provide a more exotic environment, implementation becomes more difficult. For example, I would like to let each student experiment with Sguil. Should students be able to run tools that sniff live traffic in promiscuous mode? I'm also considering a section that describes how to set up a caged server using Pf. Implementing a bridging firewall setup to build a cage presents all sorts of issues.

Perhaps analysis is more important. In that case, deciphering network traffic might be the focus. That is easier to implement than creating a dynamic network environment. I am concerned that VMware might not support an open (non-switched) network conducive to sniffing.

I've set a limit of 15 students per class for my private classes. However, when I teach at USENIX, I could have 30 or more students. Although I do not teach an all-lab day at USENIX, my other classes (NSM, NIR, NF) could have hands-on components if I plan them to accommodate large groups.

When I taught at Foundstone we provided every student his or her own Dell laptop, and the labs centered on students trying to break into laptop target ranges. Eventually we replaced the laptop targets with VMs.

So, what sorts of lab activities would you want to see in a class on NSM, NIR, and NF? What have you seen other classes do, and what did you like? I appreciate your feedback.

8 comments:

Anonymous said...

Richard, I wish I could offer more concrete suggestions, but I am still a newbie. However, teaching is something I would also like to do someday...quite a ways down the road though. :)

I would definitely suggest sticking to making students get on your environments as opposed to getting their laptops in sync with what you have. It might be that one student who paid the money and demands you get his gear to work and winds up taking up lots of your time.

This sort of reminds me of one of the better-tuned books on networking: Computer Networks: Internet Protocols in Action (Jeanne Matthews). Rather than spend time (both in the book and in her classroom setting) recreating traffic, she pre-captured traffic and let the students immediately open it up in ethereal. One of the best and simplest ideas!

What I would possibly most enjoy in a lab-based class would be seeing some of these tools in action against real-world sorts of attacks, both automated and human-driven, with both false positives and negatives thrown in, along with how to deal with them. To me, as a relative newbie, I would love to see what these tools are made for and to get my feet wet in playing with them...nothing huge and fancy (unless you had the class time and enthusiasm from the group!)...but enough to get me really going. I would not want to spend too much time on environment or network setup.

I truly wish I could take one of your classes, and someday I hope to have that opportunity as I have greatly enjoyed your books, blog posts, and insights.

-LonerVamp

Anonymous said...

I am a big fan of canned examples in training. A short story from my college days. I took a math class and it was overflowing with students to the point they split it into 2 sections. One was the "fast" section and the other was the "not so fast" section. The fast section was taught by the Prof. and the other section was taught by a PhD student. At the end of the term the "not so fast" group had covered more material than the "fast" group; I was in the fast group. The reason for this was ridiculously simple: the PhD taught from notes and the professor just figured it out in real time. The lack of notes caused time to be wasted. I think that doing things in the wild/ad hoc captures would also cause you to spend time not covering the material, but dealing with problems. Use canned examples/captures; it will allow you to teach more material in the class.

marc
mspitzer@gmail.com

Keydet89 said...

Richard,

When I teach my Windows IR course, I rely pretty heavily upon "canned" exercises in order to teach the attendees skills and processes.

I include canned "infections" of malware, usually scripted through batch files and run off of the course CD. That way, it takes only a couple of minutes before a break to have the students insert the CD, then I run around the room (or have the lab asst. do it with me) and run the script that "infects" the systems. These are simple, easy to script, and the clean-up is scripted as well.

Here's what I suggest...use a combination of various types of canned examples. In one instance, use a canned tcpdump capture and let the attendees "explore" ways of examining it. In another, have something on one system that generates traffic, and have the attendees perform the captures themselves.

If this is the sort of thing you're looking for, let me know, and we can hash these out a bit.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Chuck said...

Richard,

I hope that one day I can take one of your courses. Right now I'm more of a network guy than into security; however, I'm starting to dip more into security each and every day. Since I spend a lot of time in a Sniffer, it seems like the next logical step in my career (is to move into security).

For your labs, I'd imagine that the virtual stuff will work best because in just a matter of seconds you can restore the system back to its original config (in case you need to start over, or to try a different attack vector, etc). Time is of the essence.

I'd like to see something like a 'Capture the flag' contest at Blackhat. Divide the group up into teams of 5 (provided that you have 15 folks present). Each team has to make notes of what attacks they tried on the other team(s) and report on how far they got into hacking into each environment. Plus report on how well their environment was protected during the attacks. (This example might be a stretch, but I had to mention it because I would like to think that the learning experience of this would be a real gem)

Another would be, for YOU (Richard) to be the attacker and for the teams to be the Network Security groups of different corporations. You've given each team of 5 people an environment to monitor and protect. For you Richard, you could probably just replay traces of attacks you've recorded or captured (it'll make it easier) for you so that you can assist the team(s) in protecting their environment and support them while you have the automated attack looping or a script running, etc.
Since time is of the essence, you might place focus on certain tools that are best utilized per attack.

Thanks for allowing us to make suggestions - hope they come in handy.

Chuck

Anonymous said...

I agree with the posts above that recommend that YOU provide and control the classroom environment.

A couple of years ago I attended a digital forensics class where each student was supposed to bring their own laptop configured with Linux. VERY specific instructions were provided but many students failed to follow them. Throughout the week time was lost trying to get things to work properly on those systems. Those of us who followed the instructions felt like our time was being wasted by those who didn't (or couldn't) follow instructions.

A few weeks later I attended the Foundstone Forensics and Incident Response (taught in part by you) and the difference was amazing. NO time was lost trying to make misconfigured systems work.

The use of VMware is obvious. Also, you may want to take a look at VMware ACE. I have seen a couple of presentations about it and think it has some benefits in the classroom. With ACE you can create self running VM images that can overcome the problem you cited with bootable CDs. I think you can even create these images in such a way that they will expire.

Of course this is one more software purchase that needs to be dealt with.

Then there is the non-technical time waster that is just as hard to control. Make sure that students have at least the basic knowledge necessary to understand the content of the class. I have attended (and I'm sure you have taught) classes where one or more students lacked even the basic skills necessary to understand the class content. Perhaps a pre-test for required skills would help.

Ronny Vaningh said...

Richard,

Don't count on people to bring their laptop packed with all tools needed. I think a bootable cd which contains the tools needed will avoid multiple hours trying to troubleshoot compiling problems and still allows for a flexible lab setup using demonstrating hubs/taps/spans etc.

I think you should focus on detection and more specifically on analysis and correlation between different sources of information.
There are enough "hacking courses" that let you run diverse tools but up to now I still need to find the first course that covers real time detection scenarios.

I did like the forensics challenge of the honeynet project where you needed to find out how a box got hacked and create the timeline of the intrusion. Maybe you can use this kind of canned forensics exercise too.

Sean C said...

Hi Richard,

I am also a newbie to security, but thought I could offer some advice on content for your class. Not knowing the technical skill-set of the class (assume they know TCP/IP and networking basics), I'm sure it can be a challenge to make sure each student walks out of the class feeling they learned something.

My company recently enrolled me in an IDS class. There were plenty of new apps to play with (over 20). A simple problem, and one that I hope you can avoid, is supplying a simple "score-card" of what each app does. For example, in the IDS class, we touched:
1-ISS RealSecure
2-Snort
3-ISDCenter
4-ISDInformer
5-Netcat
6-NMap
7-FPort
8-Barnyard
9-Acid
10-TCPReplay
etc.....

Keeping track of all the apps while in the class became a little daunting after the 3rd or 4th day. Being primarily a networking tech, even playing with UNIX or Linux was a novelty.

Overall, I greatly appreciate your comments on Amazon and your website. I look to you for guidance on introducing me to Security (and what's worth my time and what's not worth my time).
Thanks,
Sean

Richard Bejtlich said...

Sean C, would you mind sending me email? richard at taosecurity dot com. Thank you.