Internet Security Auditing Class Handouts

It is possible that we will give other classes in the near future. These are one-time events, no recordings made. We do not intend to make a living out of this, but hope such presentations help us to finish the material for a book.

Warning - in order to view this material you need an up-to-date PostScript printer or previewer.

• Some files were created with MS WORD. These require a PostScript level 3 printer: old printers and most, if not all, GHOSTVIEW versions have problems.
• The files created with XFIG are actually a concatenation of many little files; some really cheap printers print only every other slide.

This material amounts to about 200 pages, so you can save a tree by printing double sided.

• Introduction

  slides (intro.ps)

  Dan opens the day with an introduction to key concepts of auditing: what is an audit, the importance of security policies, why and when an audit should be done, and who can do it.

• Case study #1: A simple firewall audit, with data inspired by real life

  slides (fw-audit.ps)

  Wietse examines a firewall - from the inside (so you can see the light coming in through the cracks), and with a magnifying glass. The examples show some typical problems.

• How to do a security audit (without really trying)

  slides (how2.ps)

  This presentation expands on the material discussed earlier in the morning. In a talk that covers two time slots, Dan explains the subject with great fervor, and illustrates his points with many examples from personal experience (but not all of these are on the slides).

  intermezzo (tiger.ps)

  Halfway through the presentation, Dan makes a little break to discuss the not-so-subtle difference between a tiger team job and a security audit.

• Lunch break

• Case study #2: The FISH.COM audit

  slides (fish-audit.ps)

  For the purpose of this security class, Wietse did an audit of the the FISH.COM home network owned by Dan and Muffy. Even though the network is relatively small, the audit already shows many types of problems that networked systems can suffer from. See also the sections below on writing a security audit report , and the final report itself.

• Networks, networks (and more networks)

  slides (networks.ps)

  Wietse mounts the floor again. Auditing a host is one thing, auditing a network of hosts quickly becomes complicated because of interactions between systems. The larger a network the less complete the information.

  slides (network-examples.ps)

  Two examples of large-scale auditing of networks with 14000 to 25000 hosts, the results, and the reactions from the users. See also the Appendix .

• Reporting (the hard stuff)

  slides (reporting.ps)

  Dan discusses what goes into a security audit report. Do not underestimate the difficulty of this part. Writing the report is at least as difficult as doing the audit itself. This presentation uses the FISH.COM security audit as an example.

• The pretty FISH.COM report

  report (fish.ps)

  An audit report should be systematic, thorough, precise, readable, and many other things. This report summarizes the results from the FISH.COM audit.

• Case study #3: The firewall at Bell laboratories

  slides (att.ps)

  Wietse presents the results of a two-day visit, together with Dan, to Bell laboratories, one week before the security audit class was given. The firewall was quite different from the one described in the Cheswick and Bellovin book , and construction was still going on while we were there. Bill and Steve gave us full insights into how things work. Interesting, there is always a part that the book does not tell about...

• Appendix - Flirting with SATAN

  slides (nancy_cook.ps)

  A short report by Nancy Cook and Marie Corbin who used SATAN to reduce the vulnerability of a network of approximately 14000 hosts.