New features in GFI LanGuard 2014

Released: September 10, 2013
Vulnerability assessment for smartphones and tablets:

Based on data from the National Vulnerability Database (NVD), Apple iOS® is the operating system with the most security vulnerabilities in 2012, surpassing Windows® operating systems for the first time. Now, GFI LanGuard offers agent-less vulnerability assessment for all smartphones and tablets that connect to your Microsoft Exchange servers. Apple iOS, Google Android™ and Windows phones are supported.
Patch management for major Linux® distributions:

LanGuard 2014 is now a perfect fit for mixed environments because it allows automation of patching from a single console for the entire network, including Windows, Mac OS X® and major Linux distributions such as Red Hat Enterprise Linux, Ubuntu, Suse, CentOS and Debian.
Patch management extended with 20+ new third party applications:

Keeping all your systems fully patched is now much easier than it used to be. GFI LanGuard 2014 includes automatic patch management support for a significant number of new third-party applications covering: instant messaging (Pidgin), utilities (CDBurnerXP, ImgBurn, Notepad++, CCleaner), media (VLC, Audacity), documents (LibreOffice), imaging (IrfanView, Paint.Net), online storage/backup (Google Drive, Mozy, Box), FTP clients (WinSCP, Core FTP) and Adobe Creative Suite (Photoshop, Illustrator and InDesign).


New features in GFI LanGuard 2012 SR1

Released: December 4, 2012
Mac OS patching support

GFI LanGuard now automates patching on Apple Mac OS X computers as well as Windows computers, all from the same console.

Enhanced compliance reporting

GFI LanGuard includes dedicated reports for additional compliance standards: the Health Insurance Portability and Accountability Act (HIPAA), the Public Services Network - Code of Connection (PSN CoCo), the Sarbanes–Oxley Act (SOX) and the Gramm–Leach–Bliley Act (GLB/GLBA), as well as the Payment Card Industry Digital Security Standard (PCI-DSS).


What was new in GFI LanGuard 2012

Released: July 24, 2012
Relay agents

With relay agents, patching may be offloaded from the GFI LanGuard server to agents on machines designated as relays. These contain copies of the patches that were previously stored on the GFI LanGuard server. This is extremely effective in large networks and in multi-site networks where it is much faster to patch machines from a local relay agent than it would have been from a remote LanGuard server.
Microsoft® non-security patches

GFI LanGuard has long supported patches for Microsoft applications and operating systems, as well as for third-party applications. GFI LanGuard 2012 now also supports non-security patches for Microsoft operating systems and applications. (With third-party applications there has not traditionally been a distinction between the two types of patches, so we continue to support all patches for these applications). This means that there is no longer a need to run Microsoft WSUS to apply non-security patches. GFI LanGuard does it all.

Device vulnerability checks

GFI LanGuard can now detect vulnerabilities in the firmware of network devices such as printers, routers and switches, from popular manufacturers such as HP and Cisco. In total GFI LanGuard now checks for over 50,000 vulnerabilities on your network.

Smartphone and tablet identification

When auditing your network, GFI LanGuard can now identify iPhones, Android smartphones and iPads.

Latest platform support

Windows® 8 (beta version) is now supported – as usual GFI LanGuard is ahead of the curve regarding support for the latest Microsoft platforms.

The sequence diagrams were generated using EventStudio System Designer.

IP - Internet Protocol

TCP - Transmission Control Protocol

HTTP Sequence Diagrams

TCP Applications

VoIP Call Sequence Diagram

IP Multimedia Subsystem (IMS) Sequence Diagrams

SIGTRAN Protocols

IP Routing Protocols

A question we are often asked is which ports Windows uses for a given service. For example, configuring a firewall or DMZ to allow communication between endpoints used to be complicated without a trusted list of ports, and the lists that existed were typically fragmented by service.
I had a document that listed these ports for Windows 2003, but with the many new services that information became obsolete. Microsoft has now updated the list for Windows 2008 R2: http://support.microsoft.com/kb/832017
The best thing about this list is that it ends with references to other Microsoft products and services.
Enjoy, print or copy this link and save it!

About OpenVAS Software

Architecture Overview

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools. The core of this SSL-secured service-oriented architecture is the OpenVAS Scanner. The scanner very efficiently executes the actual Network Vulnerability Tests (NVTs) which are served with daily updates via the OpenVAS NVT Feed or via a commercial feed service.
The OpenVAS software architecture
The OpenVAS Manager is the central service that consolidates plain vulnerability scanning into a full vulnerability management solution. The Manager controls the Scanner via OTP (OpenVAS Transfer Protocol) and itself offers the XML-based, stateless OpenVAS Management Protocol (OMP). All intelligence is implemented in the Manager so that it is possible to implement various lean clients that will behave consistently e.g. with regard to filtering or sorting scan results. The Manager also controls a SQL database (sqlite-based) where all configuration and scan result data is centrally stored.
The OpenVAS protocols
A couple of different OMP clients are available. The Greenbone Security Assistant (GSA) is a lean web service offering a user interface for web browsers. GSA uses an XSL transformation stylesheet that converts OMP responses into HTML.
The Greenbone Security Desktop (GSD) is a Qt-based desktop client for OMP. It runs on various Linux, Windows and other operating systems.
OpenVAS CLI contains the command line tool "omp", which makes it possible to create batch processes that drive the OpenVAS Manager.
OpenVAS key technologies
The OpenVAS Administrator acts as a command line tool or as a full service daemon offering the OpenVAS Administration Protocol (OAP). Its most important tasks are user management and feed management. GSA supports OAP, and users with the role "Admin" can access the OAP functionality.
Most of the tools listed above share functionality that is aggregated in the OpenVAS Libraries.
The OpenVAS Scanner offers the communication protocol OTP (OpenVAS Transfer Protocol), which is used to control scan execution. This protocol is expected to be replaced eventually, so developing new OTP clients is not recommended. Traditionally, the desktop and command-line tool OpenVAS Client acts as a direct OTP client.
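As an added example (not code from the OpenVAS project), the following Python helpers show what an OMP exchange looks like from the client side: one TLS connection to the Manager, an `<authenticate>` command first, then XML commands such as `<get_version/>`, each answered by a single element whose `status` attribute reports success. The Manager port 9390 and a PEM copy of its certificate for pinning are assumptions; the sample responses are constructed, not captured.

```python
"""Minimal OpenVAS Management Protocol (OMP) client helpers (added example,
not OpenVAS project code). Assumes the Manager's default port 9390 and a PEM
copy of its certificate for pinning; sample responses are constructed."""
import socket
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

OMP_DEFAULT_PORT = 9390  # assumed default; confirm against the Manager's config

# Constructed responses in the shape OMP uses: one element with status attributes.
SAMPLE_VERSION_RESPONSE = ('<get_version_response status="200" status_text="OK">'
                           "<version>4.0</version></get_version_response>")
SAMPLE_AUTH_FAILURE = '<authenticate_response status="400" status_text="Authentication failed"/>'


def authenticate_cmd(username, password):
    """Build the <authenticate> command that must precede other OMP commands.
    Values are XML-escaped so '<' or '&' in a credential cannot alter the command."""
    return ("<authenticate><credentials>"
            f"<username>{escape(username)}</username>"
            f"<password>{escape(password)}</password>"
            "</credentials></authenticate>")


def parse_response(xml_text):
    """Return (status, status_text, root) from one OMP response element."""
    root = ET.fromstring(xml_text)
    return root.get("status", ""), root.get("status_text", ""), root


def response_ok(xml_text):
    """OMP statuses are HTTP-like numbers; only 2xx means the command ran."""
    return parse_response(xml_text)[0].startswith("2")


def _read_response(sock):
    """OMP has no length framing: read until the buffer parses as one element."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("Manager closed the connection")
        buf += chunk
        try:
            ET.fromstring(buf)
            return buf.decode()
        except ET.ParseError:
            continue  # element not complete yet


def run_commands(host, username, password, commands, cafile, port=OMP_DEFAULT_PORT):
    """Open one TLS connection, authenticate once, then send each OMP command."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify against the pinned cert
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(authenticate_cmd(username, password).encode())
        auth = _read_response(tls)
        if not response_ok(auth):
            raise PermissionError(parse_response(auth)[1])
        results = []
        for cmd in commands:  # e.g. "<get_version/>", "<get_tasks/>"
            tls.sendall(cmd.encode())
            results.append(_read_response(tls))
        return results
```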

Feature overview

  • OpenVAS Scanner
    • Many target hosts are scanned concurrently
    • OpenVAS Transfer Protocol (OTP)
    • SSL support for OTP (always)
    • WMI support (optional)
    • ...
  • OpenVAS Manager
    • OpenVAS Management Protocol (OMP)
    • SQL Database (sqlite) for configurations and scan results
    • SSL support for OMP (always)
    • Many concurrent scan tasks (many OpenVAS Scanners)
    • Notes management for scan results
    • False Positive management for scan results
    • Scheduled scans
    • Flexible escalators upon status of a scan task
    • Stop, Pause and Resume of scan tasks
    • Master-Slave Mode to control many instances from a central one
    • Report Format Plugin Framework with various plugins for: XML, HTML, LaTeX, etc.
    • ...
  • OpenVAS Administrator
    • OpenVAS Administration Protocol (OAP)
    • SSL support for OAP (always)
    • All OAP commands also as command line parameters
    • User Management
    • Feed status view
    • Feed synchronisation
    • ...
  • Greenbone Security Assistant (GSA)
    • Client for OMP and OAP
    • HTTP and HTTPS
    • Web server on its own (microhttpd), thus no extra web server required
    • Integrated online-help system
    • ...
  • Greenbone Security Desktop (GSD)
    • Client for OMP
    • Qt-based
    • Runs on Windows, Linux, etc.
    • Internationalization support (English, German, French...)
    • ...
  • OpenVAS CLI
    • Client for OMP
    • Runs on Windows, Linux, etc.
    • ...

Standards and Interoperability

OpenVAS is an official OVAL Adopter and OpenVAS-5 is registered as a "Systems Characteristics Producer". See here for the official entry at MITRE: OVAL Adoption Participant OpenVAS
See also: OVAL Adoption Program

Examples for usage are available here: Greenbone Learning Center on OVAL-SC

http://www.perihel.at/sec/docs/secfw.html

Author: Herbert Haas
Address:
herbert AT perihel DOT at
http://www.perihel.at/sec/
Revision: 0.1
Date: 2007-08-20
Copyright: Copyright (c) 2007 Herbert Haas.
Abstract
This document summarizes important facts about modern firewall features with a strong focus on the Cisco Adaptive Security Appliance (ASA). This is not a tutorial. The reader should already be familiar with security fundamentals. Besides theory, practical issues are exemplified on the basis of Cisco firewall products. If you find any mistakes please send me an E-Mail, thanks!
Lecture stuff
This will be the place of my security repository for my customers and students. Here are some first files...
Be patient, new stuff will arrive soon.

Wireless Security
I am very interested in wireless security especially WLAN security. Besides Cisco WLAN courses I also offer a WLAN Security Workshop (WLSW). The WLSW is targeted for people who are really interested in many technical details, practical attacks, and the many security holes a misconfigured WLAN could have. Contact Fast Lane or me if you want to book one of these courses.
Here are some updated docs:
Many more WLAN docs can be found here.

Cisco Firewall Addenda
Long time ago I listed the most interesting issues regarding Cisco's PIX firewall as addendum to the SNPA course (the Cisco Firewall course). I did not maintain this document for some years (the date on the slides only reflects the version of the powerpoint master) but almost all things are still valid and important. If you are new to the PIX (now ASA) then this document might give you an overview.
An overview about interesting ASA features (and how and when to use them) can be found in here. I will occasionally update that document.

Switch Security
Recently I wrote a summary of how to harden your switched network, in case you have Cisco switches. Note that this is not comprehensive; there are some more issues involved. I must emphasize that it is also important to understand the particular attack scenarios and when which design is appropriate.
I will occasionally update this document.

IT and network security managers face many challenges in securing their organization's critical servers from attack. Lack of dedicated security resources and the increased sophistication of attack methods are among their top headaches. Although intrusion detection systems (IDS) have been a popular solution for enterprises in the past, it is not enough to block the evolving attacks in cyber-space today. One of the main issues with IDS is that they do nothing to proactively stop intrusions before attacks occur. Also, many IDS are signature-based, so they don't detect new attacks or variations on old attacks, nor do they detect attacks in encrypted traffic such as HTTP over SSL (Secure Sockets Layer).

What's the alternative? Intrusion prevention is the next logical step in enterprise security. Intrusion prevention systems take IDS to the next level by going beyond just detecting, to actually stopping attacks before they cause damage. The difference between the two technologies is one enterprise executives are all too familiar with: Intrusion prevention blocked Code Red, Nimda, and SQL Slammer, while IDS users spent millions cleaning up after each of these.

What Is An Intrusion Prevention Solution?
There are many products and tools on the market today that use the "prevention" moniker. The right intrusion prevention solution removes the need for analysis to be completed before action can be taken to protect the system. In addition, it prevents attacks from damaging your operating system, applications and data. By using a system that proactively prevents attacks, there is no gap between detecting the attack, identifying it as an attack, and finally doing something to prevent it. In addition, intrusion prevention helps enterprises get better control of the costly and time-consuming process of installing software patches to plug vulnerabilities in operating systems and applications and to fend off attacks like worms and buffer overflows.

How do you choose the right type of solution for your organization? This checklist should serve as the building blocks to choosing the right enterprise intrusion prevention solution for your organization.

Table 1. Intrusion Prevention Checklist

Proactive, real-time prevention of attacks

The right solution should provide real-time prevention and analysis of attacks. It should identify the attack and prevent access to critical server resources before any unauthorized activity occurs.

Patch latency relief

Patch management is a complex process. Between the time a patch is developed and deployed, a smart hacker could compromise servers and critical data. A good intrusion prevention solution gives system administrators the protection needed during patch latency and ample time to test and deploy patches.

Protection for each critical server

Servers, where the most sensitive enterprise data resides, are on the hit list for most hackers. It is vital to have an intrusion prevention solution that is tailored for server protection. Too many solutions on the market today try to be the "ultimate" protection, by using the same mousetrap for servers and desktops. The result is thin technology that does not adequately protect sensitive systems and data.

Signatures and behavioral rules

The most effective method for identifying intrusions is a hybrid approach that combines the strengths of attack-specific signatures and behavioral rules. This hybrid approach avoids the fundamental trade-off by providing coverage of both known and unknown attacks while keeping the false-positive rate to a minimum. One technology can't take the place of the other: behavioral rules allow the servers to be protected from new and previously unknown attacks. However, the coverage of behavioral systems is limited, many attacks aren't covered, and behavioral systems generate more false positives. For full forensics capability, the signature is critical in identifying attacks, so security managers can know what sort of attack is being directed at their systems.

Layers

Strong security is founded on the concept of defense in depth: having several layers of protection. Redundant mechanisms should co-exist so that even if one hurdle is bypassed, there are always other barriers to cross.

Heterogeneous environment protection

Organizations using mixed computing environments need to be sure that the intrusion prevention they choose will be consistent across all their critical servers. It should also enable consistent, reliable cross-platform protection.

Manageable

The ideal intrusion prevention solution will allow security configurations and policies to be easily leveraged across applications, user groups and agents to decrease the cost of installing and maintaining large security deployments.

Scalable

An enterprise-class intrusion prevention solution must scale to meet the needs of the extended enterprise while maintaining the highest levels of security. Scalability comes in the form of supporting large numbers of protected servers, supporting large amounts of event traffic, and supporting distributed security management to meet the needs of large, distributed organizations.

Low total cost of ownership

Ideally, the system you invest in should decrease costs associated with monitoring and managing total server security. Make sure that the system you are evaluating can show metrics around reducing man-hours spent on clean-up, patching, monitoring, etc.

Proven prevention technology

Beware of solutions that use the word "prevention" but are really detection-based products or desktop solutions in new packaging. It is important to verify that the solution has been thoroughly tested, deployed, and continuously maintained in an environment similar to your own. Read case studies, ask questions, and compare.

Strong corporate security policy

All businesses need a detailed and enforced corporate security policy.

You'll notice that there are actually eleven best practices on this list. Intrusion prevention is not a one-time implementation of point products, but a continuous evolving process. All businesses need a detailed and enforced corporate security policy. A security policy defines which "users" have access rights to which enterprise resources. Make sure the policy takes into consideration users within the enterprise as well as outside users including partners, customers, and remote employees accessing corporate resources.


About the Author
Lou Ryan is President and CEO of Entercept Security Technologies.

The successful creation and operation of CERTs / CSIRTs depends on various factors. A lot of mistakes can be made, especially in the early phases, that are difficult or impossible to mitigate later. This page contains a lot of good practice material that aims at helping EU Member States, but also other stakeholders, to smoothly establish and operate CERTs / CSIRTs. The material you find here has been created in cooperation with experts in this field who have many years of hands-on experience in the related areas. All material has been tested in practice.

Contact us if you'd like to find out more!

  • How to set up a CERT?

A step-by-step explanation on how to plan, kick off and establish your own CERT. We even provide you with an easy-to-use project plan! More...

  • How to run a CERT?

A basic collection of good practice on how to operate a CERT, especially in the crucial first year. More...

  • Exercises for CERTs

An easy-to-use collection of exercises for CERTs in various areas. More...

  • Baseline capabilities of national / governmental CERTs

Recommendations for a basic set of capabilities of CERTs with responsibilities for CIIP and international cooperation. More...

  • How do CERTs manage security incidents?

Good practices, practical information and guidelines for the management of network and information security incidents with an emphasis on incident handling. More...

  • How to improve detection of network security incidents?

This report lists 30 external sources and 12 categories of internal tools and mechanisms along with the relevant recommendations which can be used to improve the detection of network security incidents. More...

  • Legal aspects of information exchange between CERTs

A study into the legal and regulatory aspects of information sharing and cross-border collaboration of national/governmental CERTs in Europe. More...

  • Common tools for CERTs

An overview of tools in use by the European CERT community (TF-CSIRT). More...

  • Supporting fight against cybercrime

A study aimed at improving the capability of CERTs, with a focus on the national/governmental CERTs (n/g CERTs), to address the network and information security (NIS) aspects of cybercrime. More...

Refer to http://www.enisa.europa.eu/activities/cert/support


Exercise 7: Network Forensics

Main Objective: The objective of the exercise is to familiarise students with standard network monitoring tools, their output and applications for the analysis of network security events. As a result, students will be able to interpret the security context of collected network data, thus enabling the post-mortem analysis of security incidents.

Targeted Audience: Technical CERT staff

Total Duration: Roughly 6 hours, 30 minutes

Time Schedule:
  • Introduction to the exercise: 15 min.
  • PART 1 PCAP TRACE ANALYSIS – SERVER SIDE ATTACK
    • Task 1: Introductory scenario – fake web server vulnerability exploitation step-by-step: 60 min.
    • Task 2: Dabber scenario: 60 min.
  • PART 2 PCAP TRACE ANALYSIS – CLIENT SIDE ATTACK
    • Task 1: Drive-by download without fast flux: 60 min.
    • Task 2: Drive-by download with fast flux: 60 min.
  • PART 3 NETFLOW ANALYSIS
    • Task 1: DDoS analysis step-by-step: 60 min.
    • Task 2: DDoS analysis DIY: 60 min.
  • Summary of the exercise: 15 min.

Frequency: This exercise should be carried out whenever a new CERT team is being set up or new team members responsible for advanced incident handling join the team. It should be extended regularly to cover new types of attacks.

General Description

The exercise should be performed as a ‘hands-on’ class. A short introduction to the field of network forensics should be made. A set of security incident packet traces should be given for analysis. Each packet trace involves a different security scenario, which is presented to the students. For each scenario the goal is to identify security information relevant to a particular incident – in the context of an attacked and attacking host or application. It is recommended that the traces include not just malicious traffic but benign traffic as well, so as to mirror real life conditions. The packet traces should be in pcap format and in the form of netflow samples. Traces in the pcap format should include examples of full packet payload captures. The students should be allowed access to the Internet and encouraged to use search engines to facilitate their analysis. This handbook contains six examples of attack scenarios. You are encouraged to create your own.
Because of the technical nature of this exercise, it is advisable that you, as the trainer, have a lot of experience with analysing packet and flow traces. The examples in the handbook are detailed so as to help you as much as possible.

Students require access to the LiveDVD, which contains all the tools and logs necessary for carrying out the exercise. The tools needed for each scenario are listed in the handbook sections devoted to the scenarios.
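Part 3 works from flow records rather than full packets. As an added example (not from the ENISA handbook or its LiveDVD), this Python script runs the DDoS triage step over a constructed nfdump-style CSV: it aggregates flows per destination service and flags the one that receives single-packet SYN-only flows from many distinct sources, the pattern a SYN flood leaves in NetFlow. The addresses, timestamps and counts are all constructed sample data.

```python
"""Flow-record triage for the NetFlow part of the exercise (added example,
not from the ENISA handbook). The nfdump-style CSV below is constructed:
an unremarkable web, SSH and DNS baseline plus a SYN flood from many
sources against 10.0.0.5:80, so the trace mixes benign and malicious flows."""
import csv
import io
from collections import defaultdict

HEADER = "ts,src,sport,dst,dport,proto,packets,bytes,flags\n"
BENIGN = (
    "2013-05-01 10:00:00,192.0.2.10,51000,10.0.0.5,80,TCP,12,8600,.AP.SF\n"
    "2013-05-01 10:00:01,192.0.2.11,51001,10.0.0.5,80,TCP,9,7200,.AP.SF\n"
    "2013-05-01 10:00:02,198.51.100.7,22000,10.0.0.9,22,TCP,240,31000,.AP.SF\n"
    "2013-05-01 10:00:03,192.0.2.12,53011,10.0.0.2,53,UDP,1,78,......\n"
)
# 40 single-packet SYN-only flows, one per source address, within a few seconds.
FLOOD = "".join(
    f"2013-05-01 10:00:{5 + i // 10:02d},203.0.113.{i},{40000 + i},"
    f"10.0.0.5,80,TCP,1,40,....S.\n"
    for i in range(1, 41)
)
SAMPLE_CSV = HEADER + BENIGN + FLOOD


def parse_flows(csv_text):
    """Parse nfdump-style CSV into dicts with numeric ports, packets and bytes."""
    flows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for key in ("sport", "dport", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def summarise_by_destination(flows):
    """Aggregate per (dst, dport): flow count, distinct sources, packets, SYN-only flows."""
    agg = defaultdict(lambda: {"flows": 0, "sources": set(), "packets": 0, "syn_only": 0})
    for f in flows:
        a = agg[(f["dst"], f["dport"])]
        a["flows"] += 1
        a["sources"].add(f["src"])
        a["packets"] += f["packets"]
        # nfdump flag string is U A P R S F; a lone S with one packet is a
        # handshake that never completed, the signature of a SYN flood.
        if f["proto"] == "TCP" and f["flags"] == "....S." and f["packets"] == 1:
            a["syn_only"] += 1
    return agg


def flag_ddos_targets(flows, min_sources=20, min_syn_ratio=0.8):
    """Return (dst, dport, sources, syn_ratio) for services that look flooded.

    Two conditions must hold at once: many distinct sources (a single noisy
    client is a different problem) and a high share of SYN-only flows (real
    users complete handshakes and move data)."""
    findings = []
    for (dst, dport), a in summarise_by_destination(flows).items():
        ratio = a["syn_only"] / a["flows"]
        if len(a["sources"]) >= min_sources and ratio >= min_syn_ratio:
            findings.append((dst, dport, len(a["sources"]), round(ratio, 3)))
    return findings


if __name__ == "__main__":
    for dst, dport, n_src, ratio in flag_ddos_targets(parse_flows(SAMPLE_CSV)):
        print(f"{dst}:{dport} {n_src} sources, {ratio:.0%} SYN-only flows")
```

Raising `min_sources` or `min_syn_ratio` trades sensitivity for fewer false alarms; the DIY task is a good place to test the thresholds against a trace that also contains a legitimate traffic spike.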
