Solaris Operating System Network Intrusion Detection (SC-345)

Who Can Benefit

Back to top

Prerequisites

• Install, configure, and maintain a Solaris product line server
• Configure a Solaris NIC for LAN and Internet access
• Have a firm understanding of the TCP/IP protocol stack and IP routing
• Configure Solaris logging daemons like syslog
• Install open source utilities like tcpdump and libpcap

Back to top

Skills Gained

• Identify and protect against design flaws in standard networking protocols (such as TCP, UDP, IP, ICMP, SSL, SSH, HTTP and ARP)
• List possible ways that an intruder can gather information about a server or a whole network
• Describe all types of network based security attacks like SYN/ACK attack, man-in-the-middle attack, ARP spoofing, session hijacking and Buffer Overflow attacks
• Install a Network Intrusion Detection System and a host based firewall
• Identify, in real time, a network security breach and respond

Back to top

Related Courses

Before:

• Solaris 8 TCP/IP Network Admin (SA-389)
• Administering Security on the Solaris Operating System (SC-300)

Back to top

Course Content

Module 1 - Ethernet and IP Operation

• Review OSI network model
• Review application and network service layers
• Identify Ethernet security issues
• Review IPv4 addressing
• Understand IP fragmentation
• Identify ICMP security issues
• Implement basic traffic capture and analysis

Module 2 - IP and ARP Vulnerability Analysis

• Identify IP security issues
• Describe IP routing and routing protocol security
• Protect against IP abuse
• Identify ARP security issues
• Execute attacks against ARP
• Protect against ARP abuse
• Implement advanced packet capture and analysis

Module 3 - UDP/TCP Protocol and TELNET Vulnerability Analysis

• Discuss characteristics of UDP and TCP
• Identify TCP security issues
• Describe common TCP abuses: SYN attack, sequence guessing, connection hijacking
• Discuss characteristics of TELNET
• Identify TELNET security issues
• Execute attacks on TCP and TELNET
• Protect against TCP and TELNET abuse

Module 4 - FTP and HTTP Vulnerability Analysis

• Discuss characteristics of FTP
• Describe FTP transfer methods and modes
• Identify FTP security issues
• Describe common FTP abuses: FTP bounce attack, port stealing, brute force
• Discuss characteristics of HTTPv1.1
• Describe role of HTTP proxy servers and HTTP authentication
• Identify HTTP security issues
• Describe common HTTP abuses: path name stealing, header spoofing, proxy poisoning
• Execute attacks on FTP and HTTP
• Protect against FTP and HTTP abuse

Module 5 - DNS Vulnerability Analysis

• Discuss characteristics of DNS
• Identify DNS security issues
• Describe common DNS abuses: DNS spoofing, DNS cache poisoning, unauthorized zone transfers
• Execute attacks on DNS
• Protect against DNS abuse

Module 6 - SSH and HTTPS Vulnerability Analysis

• Discuss characteristics of SSH
• Describe differences between SSH1 and SSH2 protocol
• Identify SSH security issues
• Describe common SSH abuses: insertion attack, brute force attack, CRC compensation attack
• Describe characteristics HTTPS (SSL)
• Discuss other SSL enabled protocols
• Identify SSL issues
• Describe common SSL abuses: man-in-the-middle and version rollback attack

Module 7 - Remote Operating System Detection

• Use standard system commands and exploit default settings to guess remote operating systems
• Use open source utilities to guess remote operating systems by scanning open ports
• Describe TCP/IP stack fingerprinting
• Install and use nmap for remote OS detection

Module 8 - Network Attack Techniques and Basic Attack Detection

• Identify sources of network attacks
• Discuss methods of intrusion
• Describe common network attacks: denial-of-service, software buffer overflow, poor system configuration, password guessing/cracking
• Describe a typical intrusion scenario
• Introduce the concept of an Intrusion Detection System (IDS)
• List some of the most popular IDS tools: Klaxon, Portsentry, snort
• Implement basic scan detection

Module 9 - Implementing Intrusion Detection Technologies

• Identify the difference between host based and network based IDS
• Discuss different types of IDS implementation: hybrid NIDS and honeypots
• Describe core components of a NIDS using the snort NIDS
• Compile and install the snort NIDS

Module 10 - Advanced NIDS Configuration

• Discuss advanced snort features like "real time response" and snort log monitors
• Install a database (mysql) to log snort alerts
• Install the graphical user interfaces (GUI) Demarc and ACID to better
• interpret snort logs by querying the snort database
• Generate outside attacks that trigger snort alerts
• Interpret GUI snort monitors to identify attacks

Module 11 - Writing snort rules

• Describe the different components of a snort rule
• Configure different snort rule options
• Write custom snort rules to watch for specific traffic patterns
• Execute attacks against custom snort rules and interpret GUI snort monitors to identify attacks

Module 12 - Solaris Routing

• List requirements for a Solaris host to be a router
• Implement a Solaris host as a router
• Use the ndd utility to secure a Solaris router

Module 13 - Solaris Firewalls

• Describe different types of Solaris firewalls: application firewalls and packet filters
• Identify two of the most common Solaris firewall products: Sunsceen Lite and IPfilter
• Learn firewall policy basics
• Write firewall rules for network or host based firewalls
• Install an IPfilter firewall on a Solaris host

Module 14 - Solaris Network (NAT) and Port Translation (PAT)

• Describe NAT and PAT concepts
• Implement NAT to secure a private network behind a Solaris firewall

Back to top

Browse Other Course Topic Areas