Advanced Software Engineering, Research and Training
Leading-Edge Courseware, Highly-Skilled Experienced Instructors

SC201: Internet Security For Networked Environments (2 days)

Course Overview

IT Security for Networked Environments is an intensive two-day course covering the concepts, frameworks and existing technologies used to implement secure channels across inherently insecure networks. The course overviews the cryptographic systems at the core of providing trusted information exchanges. It also covers digital certificates, Web Servers and Security, Browser Security, SSL, and how to architect secure eCommerce applications.

Audience

Software Developers, Designers, Managers and Architects with an interest in understanding and/or deploying secure applications.

What to Expect

Expect a course that starts from first principles and progressively explores the issues and advances that have led to the current state of the art. Attendees will receive a full copy of supporting notes, designed to complement the instruction and workshops.

Course Topics

The lecturing and practical components will cover the following topics:

  • Introduction and motivations for IT security
  • Identification and authentication. Principals and identification. Authentication by passwords, tokens and biometrics. Flaws in authentication schemes. Kerberos and Single Sign-On. Password hacking practicals and smart card demonstrations.
  • Cryptographic techniques. Secure hashing, Keyed MACs, Digital Signatures. Asymmetric and Symmetric-key encryption. Cipher overview. Key exchange issues. Data encryption and integrity checking practicals.
  • Key and certificate management. Motivations and risk mitigation. Public-key and certificate management and PKI. Symmetric-key schemes and Kerberos. Integration of public and symmetric-key schemes. PKI Registration Authority practicals.
  • Threat and Risk Assessment (TRA). Models for TRA and the TRA process.
  • Network security. ISO OSI protocol stack overview. IP and TCP. Naming and addressing. Switching and routing. Target acquisition and footprinting. Vulnerability scanning. Risk mitigation techniques. Firewall design. Example firewall rulesets. Build-your-own firewall practical. Network Address Translation. Intrusion detection, NIDS and HIDS. Online vulnerability scanning practicals.
  • Data and message security. Techniques for data security at layers 2, 3 and 4 of the OSI protocol stack; LLE, IPSec, SSL/TLS. TLS handshake protocol and handshake example. Connection-oriented and connectionless message security techniques. PKCS#7, S/MIME, XML and TLS comparison.
  • N-tiered security architectures. Application of the preceding techniques. Client, middle and data tier security services. Interworking across the tiers.
  • Summary and conclusions.
  • Practical Examples throughout the course:

    Prac 1 - Password hacking.

    Students will use third-party software tools to recover passwords from the SAM password database. Students will create a number of accounts, and use password cracking tools to better understand good password management.

    Prac 2 - Crypto and secure data.

    Students will use cryptographic tools to create encrypted and digitally signed data on their local computers. Students will then use editing tools to examine the structure of the protected data and better understand the PKCS#7 data types.

    Prac 3 - PKI registration.

    Students will register with a Public Key Infrastructure (PKI) by completing the registration process and submitting a Certificate Signing Request (CSR) to the Registration Authority (RA). A Certificate Authority (CA) will sign the request, and the students will then make use of their keys in subsequent practicals.

    Prac 4 - Firewall design.

    Students will design a firewall rule set, which will be submitted for real-time testing. Students will use vulnerability scanners to determine the requirements for their rule sets, and will receive feedback on the strength and completeness of their firewall design.

    Prac 5 - Secure Email (S/MIME).

    Students will use the certificates they requested during PKI registration to support the creation and verification of secure email.