BOSTON (05/08/2000) - Pat goes to Orlando and learns a whole bunch about TCP/IP and threats to domain controllers - really

First, to the readers of this column: Thank you! You have really come through for me. I received more than 257 e-mails regarding Check Point Software Technologies Ltd.'s Fire Wall-1, VPNs and scripting solutions. I regret that I will not be able to respond to all of those messages, but I would like to thank you publicly for sticking with me these past two months. I enjoy writing this column, and I'm glad you enjoy reading it. If there are any features you think I should add or change, just let me know! Now, on to my regularly scheduled column.
I know why the SANS Institute picked Orlando for its SANS 2000 conference - a meeting like this is the only opportunity any of us have to see daylight and get our vitamin D! When I arrived Monday evening, I was able to pick up my books quickly. The bad news was that I should have brought a truck, because the sack they gave me was straining under the 50-pound load. Some people had three sacks. I began to wonder how I was going to get it all home.
Back in my room, I decided it was a good time to check up on a day's worth of e-mail and get ready for my first class, "IP for Intrusion Detection and Firewalls." Stephen Northcutt and Marty Roesch were the instructors. According to the literature, the class would serve as the foundation for the rest of the week. It would help me improve my already-decent understanding of the TCP/IP protocol by demonstrating how it is used against systems by crackers.
The Shadow Knows
In case you don't know him, Stephen Northcutt is an extremely respected member of the security community. He has a long résumé that includes serving as leader of the Department of Defense's Shadow Intrusion Detection Team and as director of the Information System Security Office at the Naval Surface Warfare Center.
He is currently chief for information warfare at the Ballistic Missile Defense Organization.
Marty Roesch has an equally impressive résumé, as one of the original creators of a freeware IDS/sniffer that is similar to but has more features than TCPdump for Unix.
During the reception the night after the first class, I met Fred Kerby of the Naval Surface Warfare Center. If you haven't had an opportunity to visit its Web site (www.nswc.navy.mil/ISSEC/), I encourage you to do so. It is an excellent resource, and, as Fred said, "after all, your taxes have already paid for the information."
The next day, I had an even more exciting class, called "Computer and Network Hacker Exploits," taught by Eric Cole. Eric said he worked for the government but wasn't too specific about it. He was dynamic and full of energy, giving information on the specific types of tools crackers use and the methodologies they use to gain access to a computer or network.
Win 2k Gotchas
You could take other classes at night, or you could go to an open forum called the "Birds of a Feather" series. Several interesting topics were discussed, and beer and popcorn were provided (a must after being in class all day!). These meetings offered a great way for administrators to get together, brainstorm and possibly grab ideas from one another.
There were some great topics, including IDS in a switched environment, Internet Information Server 5 in Windows 2000, Windows 2000 gotchas and protecting the critical infrastructure. Two of the best lectures were "Windows 2000 Security, Step-by-Step" and an impromptu meeting with Jeffrey Hunker, the senior director of the National Security Council, to discuss what the government needs to change in order to maintain security in an ever-changing technical environment.
Toward the end of the meeting with Hunker, someone brought up the fact that network TV, cable, radio and the telephone are all governed by the Federal Communications Commission and that there are severe consequences for even the smallest infraction of one of its rules. So, why aren't Internet service providers held to those same standards? I mean, really, don't you think ISPs should be regulated like everyone else in areas such as quality of service and connectivity, how they prevent piracy of their signals and how they build filters to prevent denial-of-service attacks?
Hunker seemed to hesitate on this notion, and I don't know why. The crowd seemed to be a little harsh on him.
To be quite honest, you wouldn't catch me up there in front of a bunch of security administrators. We analyze every detail by nature; you think I'm going to put my thoughts out there for you to analyze?
I guess I already do, huh?
Hacker Exploits, Part 2
Thursday was Part 2 of Ed Skoudis' "Computer and Network Hacker Exploits," which I really enjoyed. There was one problem though: About a quarter of the way through the class, I noticed there was a class called "Security in Windows 2000" that wasn't on the list when I signed up back in February. So I jumped into the new class, which was excellent.
One important thing I learned was what happens if you have domain controllers all over the country and someone breaks into a remote site with minimal security and corrupts your Active Directory database - and you don't find out until two days later. Hello, global database corruptions! That's right - you and your team have just won the restore job from hell. You not only have to restore every domain controller from the point you think the corruption began, but you have just lost every update to the Active Directory database since that point!
For large corporations, this could mean millions in lost revenue and production. All the more reason to physically secure your domain controllers.
This is why servers come with keys: So you can lock the power button. Even better: Put them in locked cabinets so no one can pull the plug.
Friday and Saturday were pretty much devoted to the vendors and to minimeetings.
On Sunday, there was yet another great class, called "Windows NT Security Detailed." I learned a lot about advanced NT security measures and steps I can take on my own network.
Well, time to pack my suntan lotion and swimsuit. No more checking e-mail or the network from poolside. Anytime you can take your laptop, dial in through a cell phone and maintain your position of security with a Mai Tai in one hand and your PalmPilot in the other, life is good!