The attendees of the SANE 2006 conference will probably all be White Hats, or simply 'the good guys'. As at previous SANE conferences, the Black Hats Session will give the Black Hats viewpoint, i.e. that of the intruders (people who are trying to break into your computers).

Somebody once said: "the amount of clue on the Internet is a fixed constant". Indeed, the percentage of people on the Internet that are really hacking is decreasing. The problem is, however, that there are a lot of full-disclosure mailing lists that are read by people with too much spare time. Using standard exploit scripts and detailed descriptions they can easily attack thousands of systems with only minimal effort.

Contrary to earlier Black Hats Sessions, this time the topics will be limited so they can be explored in more detail. The topics for BHS V are:

• Footprinting, gathering information (maybe even from YOUR systems)
• Wireless technology (WiFi, WiMAX, Bluetooth, RFID, etc)
• Covert channels, hacking your network from the inside
• Stories from the trenches, a security consultants' experience with real companies, networks and systems

This Black Hats Session will highlight the problems that exist in Unix and Windows operating systems, application software and how administrators set up and work with those. Thus our intended audience will be these system and network administrators.

The Black Hats Session tries to give the audience an insight in how new technologies can be used and abused. Not by giving recipes for breaking in but by showing the technology and using the 'hacker mindset'.

Attendees are expected to have basic knowledge of UNIX and IP networks.

From a single server to a network of workstations, the Linux environment can be a daunting task for administrators knowledgeable in other platforms. Starting with a single server and finishing with a multi-server 1000+ user environment, this tutorial will provide practical information for using Linux in the real world. The following areas will be covered with a special emphasis on security:

• Installation Issues
• Boot Loaders and System Startup
• Disk Partitioning and LVM
• Software RAID
• The RPM Package System
• Networking
• User managment
• Automated System Installation
• Network-based Authentication
• User Accounts and Management
• Network Services and xinetd
• SSH: port tunneling, keys, tricks
• New Developments

At the completion of the course attendees should feel confident in their ability to setup and maintain a secure Linux server and services. The tutorial will be conducted in an open manner that allows for question and answer interruption.

This tutorial is directed at System Administrators that are planning on implementing a Linux solution in a production environment. Course attendees should be familiar with the basics of systems administration in a UNIX(tm)/Linux(tm) environment: user level commands and TCP/IP networking. Novice Administrators and Gurus alike should leave the tutorial having learned something.

Wireless Networks are becoming ready for the enterprise. Serious flaws in the encryption are being solved with new protocols on top of 802.11.

This tutorial is an introduction in the world of the newer protocols, such wpa, wpa2, leap etc. What are the strong points, weak points, how to implement an enterprise structure using a RADIUS backend and how to manage this are the key questions on which this tutoral will provide answers.

Topics included:
Design of an authentication and authorisation infrastructure for wireless networks. WPA, WPA2, LEAP, EAP, RADIUS. Set up of hard- and software (incl. clients) for a secure wireless infrastructure.

Topics not included:
Basic wireless network design, antennas, basic set-up of accesspoints.

Audience:
Network professionals and system administrators deploying and managing wireless networks in an enterprise setting and want to use the new encryption / authentication en authorisation protocols.

IPsec is a technology that can be used to secure communication across IP networks. Popular applications are Remote Access facilities for accessing an organisation's resources from a potentially hostile network or securely connecting networks across a public network such as the Internet using Virtual Private Networks (VPN).

This tutorial aims to expose participants to just enough theory to understand and sensibly apply IPsec technology, and enough practice to get started experimenting with it. Bring a laptop running a decent operating system to play along or just listen and enjoy watching others trying to bridge the theory/practice gap.

Topics included:

• Introduction:
• What is a VPN?
• What is IPSEC?
• Applications of IPSEC: VPN, Remote Access
• IPSEC mumbo-jumbo:
• Transport versus Tunnel Mode
• Authentication Header
• Encapsulating Security Payload
• Security Policies
• Security Associations
• The SA and SP Databases
• Key Management
• ISAKMP and IKE
• Main mode versus aggressive mode
• IPSEC Tools and Configuration
• racoon
• IPsec-tools
• examples using UNIX/Linux/Mac OS X/MS Windows/Cisco PIX

Topics not covered:

• FreeS/WAN

This tutorial is intended for anyone with an interest in network security. It is targeted at both network administrators and consultants, providing hands-on demos as well as a thorough treatment of IPsec concepts.

Introduction:
In this tutorial attendees will learn how to create, modify and use RPM packages. The RPM Package Management system (RPM) is used for package management on most Linux distributions. It can also be used for package management on other UNIX systems and for packaging non-free (binary) software.

The tutorial will focus on creating RPM packages for Fedora and Red Hat Enterprise Linux systems, but the theory will also apply to package software for other distributions.

Contents:
General software packaging theory will be provided as a start, followed by the history and basics of the RPM packaging system.

The headers and sections of an RPM spec file will be discussed. Hints and tricks will be given for each section to enhance the quality of the target package, including the use of macros, adapting software for installing it in an alternative root directory, ensuring correct file ownerships and attributes, the proper use of pre/post (un)installation and "trigger" scripts, and how to deal with package-specific users and init scripts.

Package dependencies and conflicts will be covered, as well as some ways too tweak the automatically generated dependencies, if needed.

Installing files in the proper place requires knowledge of the Filesystem Hierarchy Standard (FHS), hence the basics of the FHS will be discussed.

The tutorial will also show how to properly package binary software, often done for internal system management purposes, and shed light on some of the issues involved, including some legal aspects related to packaging non-free software.

Package repositories and dependency resolution. Complementary to RPM, software exists for solving dependencies, such as up2date, yum, and apt-rpm. This software and the corresponding package repositories will be discussed.

Using RPM on non-Linux systems. Although primarly used on Linux systems, RPM can also be used to package software for other (free or commercial) UNIX-like systems. Some aspects of using RPM on non-RPM systems will be discussed.

Besides the theory, several issues will be illustrated with live demonstrations.

Target audience:
The tutorial is targeted toward system administrators and software developers that want to create or modify RPM packages or get a detailed insight in the way RPM packages are built and can best be used.
The attendees need no prior knowledge of RPM, although some basic knowledge of using software packages (as a system administrator using RPM, apt/dpkg, etc.) would be helpful.

Included: Version control basics; installing Subversion; access methods; access security; repository administration; repository backups; fancy commit tricks; Subversion as a CMS.

This tutorial will get you up and running as a Subversion activist. We will focus on practical setup and configuration issues that need to be dealt with to use Subversion as a practical tool for a distributed project. We will round up with Subversion setups tuned for various applications. Examples will be done with the FreeBSD operating system, but are not system specific.

This tutorial is about _setting up Subversion_, not about using it.

Not included: SSH, SSL and Apache configuration. Subversion from a users perspective.

Who should attend: admins who need to set up Subversion repositories for local or distributed projects.

The attendees of the SANE 2006 conference will probably all be White Hats, or simply 'the good guys'. As at previous SANE conferences, the Black Hats Session will give the Black Hats viewpoint, i.e. that of the intruders (people who are trying to break into your computers).

Somebody once said: "the amount of clue on the Internet is a fixed constant". Indeed, the percentage of people on the Internet that are really hacking is decreasing. The problem is, however, that there are a lot of full-disclosure mailing lists that are read by people with too much spare time. Using standard exploit scripts and detailed descriptions they can easily attack thousands of systems with only minimal effort.

Contrary to earlier Black Hats Sessions, this time the topics will be limited so they can be explored in more detail. The topics for BHS V are:

• Footprinting, gathering information (maybe even from YOUR systems)
• Wireless technology (WiFi, WiMAX, Bluetooth, RFID, etc)
• Covert channels, hacking your network from the inside
• Stories from the trenches, a security consultants' experience with real companies, networks and systems

This Black Hats Session will highlight the problems that exist in Unix and Windows operating systems, application software and how administrators set up and work with those. Thus our intended audience will be these system and network administrators.

The Black Hats Session tries to give the audience an insight in how new technologies can be used and abused. Not by giving recipes for breaking in but by showing the technology and using the 'hacker mindset'.

Attendees are expected to have basic knowledge of UNIX and IP networks.

This tutorial will cover VoIP principles, their interaction and interface with the PSTN and IP networks. While CODECs, protocols, quality and some IETF standards are being discussed, this tutorial is also filled with practical examples.

An open source PBX software - Asterisk, is chosen to demonstrate some of the unique features VoIP can bring to various deployments, including:

• Toll by-pass
• Interactive Voice Response System
• Text to Speech applications
• Analog Telephone Adapter provisioning
• Call detail record and blacklisting
• Echo training

Through examples, attendees will discover the capability and potential of VoIP which may leverage their abilities on choosing the right products and avoiding pitfalls.

Intended Audience:
Managers and systems administrators involved in the evaluation, design, implementation, and deployment of VoIP infrastructures. Participants do not need prior exposure to VoIP but should be familiar with network principles. Attendees will come away from this tutorial with a foundation in VoIP enabling strategic and cost effective VoIP deployments in a variety of environments.

If you attended the IPv6 tutorials at SANE 2002 and/or SANE 2004, you already know how IPv6 can solve the address shortage problem that has been developing slowly in the current (IPv4) internet. This means that at some point in the future, IPv6 has to replace IPv4. We're not quite there yet, but now is a good time to start moving IPv6 out of the lab into the real world. This tutorial will tell you how to do that by focussing on:

• enabling IPv6 in popular OSes
• 6to4 and manual tunnels
• setting up an IPv6 router (software based and Cisco/Juniper)
• routing protocols: OSPF and BGP
• where to get IPv6 address space
• IPv6 in the DNS
• some example applications and daemons
• dealing with IPv4-IPv6 interaction and coexistence
• how IPv6 security differs from IPv4 security

Audience participation is encouraged, so bring a laptop with an IPv6-capable OS and 802.11 if you can. These OSes include: FreeBSD, Linux (depending on the distribution), MacOS 10.2 and up, Windows XP.

Topics not covered:
Don't expect too much information about the inner workings of IPv6: there will be very few header format and protocol interaction schematics.

Who should attend?
Anyone who does system or network administration and is interested in what life will look like with IPv6 enabled should attend. Only intermediate level knowledge of IPv4 is assumed, previous experience with IPv6 is not required.

This tutorial focuses on understanding the algorithms and protocols necessary to move data through a network. Its focus is on understanding the conceptual problems and solutions, rather than every deployed feature.

It also describes a range of potential solutions, to foster critical thinking about protocols, rather than just memorizing the exact details of a particular standard. After a problem is studied generically, the specifics of protocols such as IPv4, IPv6, ATM, MPLS, OSPF, BGP, IS-IS, bridges, and the spanning tree algorithm are covered. Understanding the range of solutions possible and the tradeoffs of comparative approaches is particularly useful for evaluating or designing future standards.

The concepts of IP addresses, masks, MAC addresses, routing algorithms, domains, switches, bridges, are pervasive when dealing with networks. We all use these terms, and configure these things, but what is really going on? What are the implications of choosing a switch vs a router? What kinds of things can go wrong in a protocol that is misdesigned, misimplemented, or mismanaged? This tutorial describes the major protocols involved in the network infrastructure. It describes conceptually what goes on in the packet switches (both layer 2/bridges and layer 3/routers), as well as the implications on endnodes. It contrasts connection-oriented approaches such as ATM and MPLS with connectionless approaches such as IPv4 and IPv6. It covers the endnode-visible pieces of layer 3, such as neighbor-discovery and address autoconfiguration. It covers intradomain routing algorithms (distance vector such as RIP and link state such as OSPF or IS-IS) and interdomain (BGP). It describes the spanning tree algorithm used by bridges/switches.

Topics include:

• Layer 2 (MAC) addresses
• Why 6 bytes?
• Relation to layer 3 addresses (IP)
• Bridges
• Basic idea
• Why it's more powerful than a repeater
• Station address learning and forwarding
• Spanning tree
• What are switches? "switched Ethernet"
• Connection-oriented networks: ATM, MPLS
• Connectionless protocols: IPv4, IPv6, and comparison with others
• Neighbor discovery (ARP, DHCP)
• Routing (distance vector vs link state, interdomain vs intradomain)
• IP Multicast
• NAT

Who should attend: Anyone who might need to design a protocol, implement a protocol, write network-based applications, or plan or manage a network. Anyone who is just curious about what is really going on under the covers in a network, and how things got the way they are. Anyone with the courage to see things from different angles, and not just parrot orthodoxy. Paradoxically, this tutorial is good as an introduction to people who are incredibly confused by all the terms and don't know where to start, as well as people who have been using this stuff for years, assumed they understood it, and want to see how all the pieces fit.

The objective of the tutorial is to show you the tools and methods for taking control of your network traffic - keeping some of it safely inside or outside your network, directing traffic to specific hosts or services, flexible resource allocation and protection against cracking, DOSing and spamming.

Topics included:

• Background and history
• Packet filter? Firewall? Demystifying some common terms.
• NAT - why NAT was needed, how it works
• PF today - features
• BSD vs Linux - Configuration (for the BSD-curious Linuxer)
• Basic setup on OpenBSD, FreeBSD and NetBSD
• Exploring the basics of rule sets
• Lists and macros and why they are good for you
• A few information gathering techniques
• Simple gateway with NAT - a common setup explained
• Handling that sad old FTP thing
• Making your firewall troubleshooting friendly
• Hygiene: block-policy, scrub and antispoof
• Adapting to changing needs, easily
• The practical sides of logging
• Keeping an eye on things with pftop
• Invisible gateway - bridge (you can filter even if you're invisible)
• Directing traffic with altq
• CARP and pfsync: redundancy and failover - a taste of what is possible
• Wireless networks and how to stop worrying about them
• Giving bruteforcers and spammers a hard time - stopping stupidity at $ext_if, greylisting and tarpitting

Topics not covered:

• Getting BSD to run on your hardware
• The intricacies of Microsoft networking
• Social engineering

Who should attend: Seasoned and aspiring network administrators looking for ways to make their environment more efficient and secure. Basic to intermediate familiarity with TCP/IP and unixes required.

This tutorial will cover the Service Management Facility (SMF), which is new in Solaris 10 and OpenSolaris. We'll give an overview of the SMF model and how to use it to manage services on Solaris. We'll talk about enhanced security and resource management features that SMF incorporates, and finally talk about creating SMF descriptions so you can include your own services in SMF.

Topics not covered:
We will not cover management of individual application services in Solaris, but focus on common tools available for all services.

Who should attend:
Any Solaris administrator or developer interested delivering services on Solaris and OpenSolaris systems will benefit from this session.

In this tutorial, we will take an in-depth look at MySQL's "Pluggable Storage Engine" architecture. Understanding the features and trade-offs in each engine allows developers to optimise their applications by making appropriate choices and tuning the MySQL server appropriately for their needs.

For example, logging of page clicks on a web site places completely different requirements on a database from say tracking customers and sales. Functionally, either can be done using generic solutions. But by utilising specific features available in specialised storage engines, extraordinary performance improvements can be attained.

This becomes particularly relevant when there are specific speed and scalability requirements for an application. Yahoo! uses the ARCHIVE storage engine to deal efficiently with the massive amounts of user traffic information that is continually generated. A general purpose storage system would simply not do.

In MySQL, the storage engine can be selected on a per-table basis. This means that different engines can be used from within a single application, as appropriate for the application's needs. In many cases, the application need not even be aware which engine is used.

In this tutorial, the different available storage engines will be compared. Also, the fundamentals of adding new storage engines will be discussed.

Overview of the MySQL Pluggable Storage Engine Architecture:

The MySQL pluggable storage engine architecture allows a database professional to select a specialized storage engine for a particular application need while being completely shielded from the need to manage any specific application coding requirements. The MySQL server architecture encapsulates the application programmer and DBA from all of the low-level implementation details at the storage level providing a consistent and easy application model and API. So while there are different capabilities across different storage engines, the application is shielded from these.

The pluggable storage engine architecture provides a standard set of management and support services that are common among all underlying storage engines. The storage engines themselves are the components of the database server that actually perform actions on the underlying data that is maintained at the physical server level.

This efficient and modular architecture provides huge benefits for those wishing to specifically target a particular application need -- such as data warehousing, transaction processing, high availability situations, etc. -- while enjoying the advantage of utilizing a set of interfaces and services that are independent of any one storage engine.

The application programmer and DBA interact with the MySQL database through Connector APIs and service layers that are above the storage engines. If application changes bring about requirements that demand the underlying storage engine change, or that one or more additional storage engines be added to support new needs, no significant coding or process changes are required to make things work. The MySQL server architecture shields the application from the underlying complexity of the storage engine by presenting a consistent and easy to use API that applies across storage engines.

Currently Available Storage Engines:

• MyISAM - the storage engine that is used the most in Web, data warehousing, and other application environments.
• InnoDB - used for transaction processing applications, and sports a number of features including ACID transaction support.
• BDB - an alternative transaction engine to InnoDB that supports COMMIT, ROLLBACK, and other transactional features.
• Memory - stores all data in RAM for extremely fast access in environments that require quick look ups of reference and other like data.
• Merge - allows a MySQL DBA or developer to logically group together a series of identical MyISAM tables and reference them as one object. Good for VLDB environments like data warehousing.
• Archive - provides the perfect solution for storing and retrieving large amounts of seldom-referenced historical, archived, or security audit information.
• Federated - offers the ability to link together separate MySQL servers to create one logical database from many physical servers. Very good for distributed or data mart environments.
• Cluster/NDB - the Clustered database engine of MySQL that is particularly suited for applications with high performance lookup needs that also require the highest possible degree of uptime and availability.
• Other - other storage engines include CSV (references comma-separated files as database tables), Blackhole (for temporarily disabling application input to the database) and an Example engine that helps jump start the process of creating custom pluggable storage engines.

While the above brief descriptions will give you a general idea of what type of application might benefit from a particular storage engine, a more detailed look at various common database tasks and needs across the various engines may help delineate the differences a little more.

Of course, you can use multiple storage engines in a single application; you are not limited to using only one storage engine in a particular database. So, you can easily mix and match storage engines for the given application need. This is often the best way to achieve optimal performance for truly demanding applications: use the right storage engine for the right job.

This tutorial is intended for DNS administrators looking to broaden and deepen their understanding of how to configure and operate name servers. Topics include name server management with rndc and configuring BIND9's logging facilities. DNS for IPv6 devices and its deployment issues will be explained. The tutorial will show how to use Dynamic Updates to update zone contents instead of editing zone files. A short explanation of the interoperability issues between DNS and Active Directory will also be covered.

Topics included:

• Using the Logging subsystem:
• Getting the most from the name server's logging capabilities
• Managing the name server with rndc
• Configuring split DNS:
• Internal and external versions of a domain
• Using the views mechanism of BIND9 to implement split DNS
• IPv6 Deployment considerations for DNS
• Dynamic DNS (DDNS):
• Dynamic updates with nsupdate
• DDNS and Active Directory

Who should attend?
DNS administrators who wish to extend their understanding of how to configure and manage name servers running BIND9. Attendees should have some experience of running a BIND8 or BIND9 name server and be familiar with DNS jargon for resource records, as well as the syntax of zone files and named.conf. This tutorial will answer the question, "I've set up master (primary) and slave (secondary) name servers. What else can I do with the name server?"

This tutorial will cover VoIP security and some counteract measures to address security concerns.

VoIP and PSTN vulnerabilities will be discussed and compared to better understand both technologies. The tutorial also features VoIP security best practices in terms of encryption, firewall and identifying threats such as:

• Wire tapping / eavesdropping
• DoS attacks
• Spam over IP telephony
• Theft of service

Through examples, attendees will leverage their abilities to discover potential danger of an existing system and to impose security on VoIP systems.

Who should attend?
Managers, systems administrators who are responsible for security measures of VoIP systems. Participants should have basic knowledge of the operations VoIP and be familiar with network protocols. Attendees will come away from this tutorial with exposure to common vulnerabilities, counter measures and some of their drawbacks.

Cfengine is a tool for setting up and maintaining a configuration across a network of hosts. It is sometimes called a tool for "Computer Immunology" -- your computer's own immune system. You can think of cfengine as a very high level language, much higher-level than Perl or shell, together with a smart agent. The idea behind cfengine is to create a single "policy" or set of configuration files that describes the setup of every host on your network, without sacrificing their autonomy.

Cfengine runs on every host and makes sure that it is in a policy-conformant state; if necessary, any deviations from policy rules are fixed automatically. Unlike tools such as rdist, cfengine does not require hosts to open themselves to any central authority, nor to subscribe to a fixed image of files. It is a modern tool, supporting state-of-the-art encryption and IPv6 transport, that can handle distribution and customization of system resources in huge networks (tens of thousands of hosts). Cfengine runs on hundreds of thousands of computers all over the world.

Topics include:

• The components of cfengine and how they are used
• How to get the system running
• How to develop a suitable policy, step by step
• Security
• Examples
• How to customize cfengine for special tasks

Who should attend:
System administrators with a minimal knowledge of a scripting language who wish to start using cfengine to automate the maintenance and security of their systems. UNIX administrators will be most at home in this tutorial, but cfengine can also be used on Windows 2000 and above.

Topics included:

• How the kernel is organized (scheduler, virtual memory system, filesystem layers, device driver layers, networking stacks)
  • The interface between each module and the rest of the kernel
  • Kernel support functions and algorithms used by each module
  • How modules provide for multiple implementations of similar functionality
• Ground rules of kernel programming (races, deadlock conditions)
• Implementation and properties of the most important algorithms
  • Portability
  • Performance
  • Functionality
• Comparison between Linux and UNIX kernels, with emphasis on differences in algorithms
• Details of the Linux scheduler
  • Its VM system
  • The ext2fs filesystem
• The requirements for portability between architectures

Topics not covered:
This class will not contain a detailed examination of the kernel source, but will rather offer an overview and roap of Linux's design and functionality, as the ground work for future exploration.

Who should attend:
Application programmers and beginning kernel developers. You should be reasonably familiar with C programming in the UNIX environment, but no prior experience with the UNIX or Linux kernel code is assumed.

Updateable Views, SQL standard stored procedures, and triggers have long been considered a basic requirement of an enterprise-ready DBMS. Now, MySQL 5.0 introduces support for these flagship features, as well as for a standard SQL-compliant INFORMATION_SCHEMA data dictionary, bringing the popular open-source DBMS several steps closer to matching all the capabilities of the competition.

MySQL 5.1 also introduces support for table partitioning.

In this tutorial, each of these features are discussed in-depth for syntax and functionality, with examples. Interesting for all users at intermediate and advanced levels, but particularly useful for existing MySQL users who may not be familiar with these features from other databases.

Topics not covered:

• Other 5.0/5.1 features in depth, there is simply not enough time.

Who should attend:

• Existing MySQL users who want to use the new MySQL 5.0/5.1 features.
• Users of other RDBMS who are evaluating MySQL 5.0/5.1 for new projects.

Name servers are often misconfigured in ways that expose them and the applications or services that depend on them to a variety of attacks: denial of service, spoofing, traffic amplification and so on. The tutorial explains how to restrict and control access to name servers. It also discusses the application of the principle of least privilege to DNS administration. Techniques for authenticating DNS transactions -- queries, zone transfers and dynamic updates -- are described. The DNS Security protocol extensions, DNSSEC are explained: the new resource records, how to sign a zone, what DNSSEC does and doesn't do, an overview of deployment and on-going development issues.

Topics included:

• Setting up an internal root server
• Securing the name server
• Setting up a chroot()'ed environment
• Using BIND9's access control lists
• Preventing unwanted access
• Transaction Signatures
• Using TSIG & SIG(0)
• Secure DNS (DNSSEC)
• RRSIG, NSEC, DS & DNSKEY Resource Records
• How to sign zones with dnssec-keygen and dnssec-signzone
• Deployment considerations
• Last mile issues

Who should attend?
DNS administrators who wish to extend their understanding of how to configure and manage name servers running BIND9. Attendees should have some experience of running a BIND8 or BIND9 name server and be familiar with DNS jargon for resource records, as well as the syntax of zone files and named.conf. This tutorial will answer the question, "I've set up master (primary) and slave (secondary) name servers. What else can I do with the name server?"

From a stand-alone client attached to the Internet to a distributed network of web servers, Systems Administrators are being tasked with bring their office environments on-line. The Network Services that need to be configured in order to do this can be daunting to Administrators who aren't familiar with the required applications. Configuration examples as well as overviews of the underlying protocols will give the usable examples that work after the conference. The following areas will be covered with a special emphasis on security:

• Networking for Linux Overview
• Network Services including:
  • SSH - Secure Shell with OpenSSH
  • FTP - Explore vsftpd
  • HTTP - Apache and Tux and Squid
  • SMTP - Postfix MTA
  • NFS - Network File Systems
  • LDAP - Global authentication with OpenLDAP
  • DHCP - DHCPD and PXE
  • DNS - ISC's BIND
  • NTP - Network Time
  • LPD - Printing with cups
• Host based Security with TCP Wrappers and Xinetd
• Overview of Linux Packet Filtering
• Network Monitoring and Logging
• Network Utilities you should be using

At the completion of the course attendees should feel confident in their ability to setup and maintain secure network services. The tutorial will be conducted in an open manner that encourages question and answer interruption.

This tutorial is directed at System Administrators who are implementing Network Services and are looking for a background in the configuration of those services as well as basics of the protocols. Attendees should have some network client/server experience and have a basic knowledge of Unix Administration, but do not need to be experienced Network Administrators. Both new and intermediate Network Administrators will leave the tutorial having learned something.

Cfengine contains many features and facilities that make it a powerful tool for system administration, but it has a large manual that is difficult to absorb without training. In this tutorial we assume that attendees have a basic understanding of how cfengine works and would like to develop a number of "best practices" and examples to maximize their returns.

Topics include:

• Review of some basics
• Automating deployment of software throughout your infrastructure
• UNIX/Mac/Windows
• update.conf
• cron and cfexecd
• When to run
• Integrating data from information sources
• Structure and organization of config
• The overlapping-set model
• Import
• Modules
• Methods
• When to use these tools
• Special functions and variables
• Variables, scalars, arrays
• Associative arrays and their limitations
• ExecResult, ReturnsZero, etc.
• ReadArray, ReadList, etc.
• IsNewerThan, IsDir, etc.
• Searching, matching, and wildcards
• Search filters
• Regular expressions
• Wildcard expansions
• How does cfagent evaluate things?
• Thinking declaratively
• Ordering: When does it matter?
• Locks; What are they, and why are they there?
• Iteration over lists
• Control, actionsequence, alerts
• Services and security
• PP keys and exchange (trust model)
• Authentication stages
• Rule orderings
• IPv6 issues
• Peer-to-peer services
• Example: Backing up laptops
• Host monitoring
• cfenvd
• Interfacing to tcpdump
• Understanding cfenvgraph output
• PeerCheck neighborhood watch
• FriendStatus function
• Future developments and discussion

Who should attend:
System administrators with a working knowledge of cfengine (or who have attended the introductory course) and who wish to extend their understanding of cfengine with examples and usage patterns. UNIX and Mac OS X administrators will be most at home in this tutorial, but cfengine can also be used on Windows 2000 and above.

Welcome at the technical session track of SANE 2006 !

Still a surprise... We're aiming at a timely topic, that will be along the lines of professor Ed Felten's current activities with his Freedom to Tinker blog.

Unix and the corresponding philosophy continue to support a vibrant community of software, network, and scientific researchers, and is a powerful force in the commercial world. But in the area of security, despite numerous experiments, widespread deployment of better security has all but stopped.

Traditional software network interfaces in Linux do not deliver satisfactory real-time performance. Hence alternative efficient real-time interfaces are required in network monitoring, distributed systems, real-time networking and remote data acquisition applications. Designing such a software network interface is not trivial.

A PC based software network intrusion detection application is studied as an example. Poor throughput and real-time performance of traditional interfaces or their enhanced versions can cause packet skipping and other non-obvious synchronization related failures, which may make the detector ineffective. The effectiveness of the detector can be enhanced by improving its packet capturing and dispatching interface. We achieve this by using an efficient real-time software interface for a PCI Ethernet card.

This paper describes the design and implementation details of this interface and its deployment for Linux based network intrusion detection sensors. The nuances of the system design for high speed packet capturing are discussed and the advantages of the proposed design are demonstrated. This mechanism outperforms existing packet capturing solutions - NAPI, PFRING and Linux kernel under heavy network load in terms of higher load bearing capacity, packet capturing capacity and superior real-time behavior.

Spoofing of domain names and poisoning of caches continues to be a favored mode of attack in both local nets and across the global Internet. The DNS Security protocol (DNSSEC) is intended to improve protection against these attacks. The protocol was published a year ago (RFCs 4033, 4034, 4035) and deployment is in the early stages. The deployment process is rather more interesting than most deployments because its intertwined with both chicken-and-egg issues and a few political issues.

In this talk I will outline the main pieces of the road map for deployment of DNSSEC and offer an assessment of both the bottlenecks and opportunities for early deployment. One of the most important indicators of progress is the signing of the root zone and the signing of the top level domains. Sweden signed its top-level domain a few months ago. .COM, .NET and .ORG are running test beds. Signing of the root zone is getting considerable attention and I will give an update on the progress there. And tools are beginning to emerge...

These days voice over IP (VoIP) is quite popular as it is a cost effective ay to reduce telephony costs using the Internet. Although many projects are focusing on developing tools and solutions for building the voice infrastructure, there is very little available in terms of tools and metrics for measuring the impact of VoIP on a network.

This paper describes the design and implementation of open source tools for detecting and measuring VoIP traffic based on both standard and proprietary protocols.

For the past fours years (or more) I've been working on improving the state of wireless networking support in the open source community. These efforts have affected all the groups, either directly--by providing new software, or indirectly--by enabling access to new wireless technology. Along the way there have been twists and turns as some groups have leveraged this work while others have not.

This talk will describe the efforts to bring state of the art wireless networking support to the open source community and review the good, the bad, and the ugly that have happened along the way.

Westhawk has designed and implemented a Java based web-applet that acts as a soft-phone for the Asterisk Open-Source PBX. This paper describes the difficulties (many) and compromises (few) that were encountered in the development process. Most of these problems related to the security, networking or threading requirements of hosting the application in a browser.

Our aim in presenting this paper at SANE is to assist systems and network professionals in their discussions with developers about what is possible vs what is acceptable in a secure, portable, low maintenance but compelling web based application.

The Linux kernel development model is unique compared to other Open source Projects. This talk will explore how it has changed over the years, why those changes were made, and the strengths and weaknesses of our current approach. In addition, this talk will also give a broad-eyed view of recent changes to the kernel and the general direction of future development in the Linux kernel.

Universal Plug and Play (UPnP) is becoming an omnipresent technology and support for it is being added to more and more routers, gateways and DSL modems. Chat clients (MSN Messenger), networked games and gaming networks (X-Box Live and others) depend on UPnP to work correctly. Up until now, there haven't been any real problems with UPnP, except for the occasional buffer overflow. UPnP seems to be working just fine. But it's not! The protocol is unclear and flawed by design and many implementations have security holes you can drive a truck through, leaving your network open to a variety of interesting attacks.

After this lecture you will understand what's wrong with UPnP and why you want to turn it off on your networked devices.

Many countries are currently developing a biometric passport with a chip that contains fingerprints and a facial scan of the passport holder. The regulations and technology involved will be discussed and reviewed in this talk, including the relevant protocols for authentication and secure transmission.

The speaker is member of an expert panel on biometry of the ministry of internal affairs of the Netherlands. In that context his research group at Nijmegen has received a test version of the new passport and has developed terminal-side software to communicate with the chipcard.

For general audience, no required skills.

We present the design, implementation and evaluation of a fully open-source, production-quality load-sharing and highly available system, to address the problem of offering continously available and reliable Internet services.

The proposed architecture is built on top of established open-source technologies, like the FreeBSD Operating System, the Packet Filter (PF), the Common Address Redundancy Protocol (CARP) and Python. Our solution is complemented with a comprehensive and highly configurable administration shell that coordinates the function of the underlying system.

This talk will provide a current overview and status of the $100 laptop project.
Its context, history, motivations, goals and challenges will provide a framework for better understanding the various management and engineering decisions up to the talk's point in time along with a general high level description of the laptop's technology. Although to its principals the $100 laptop is mainly an educational project, deploying millions of those will also have far reaching implications for the computing and communications industries. An attempt will be made to identify and discuss them.

This talk assumes an audience with general background - no special skills required.

As it is proven by practice, load balancing techniques are the only tool that network service provider have, in order to support and handle scalable network load. This paper presents PEGASUS, a novel framework that provides load balancing in network services transparently, using a competitive scheduling algorithm.

PEGASUS is designed upon the inetd superserver, thus providing a easy to configure, yet efficient infrastructure. Our proposed architecture is based on well known user space tools. The prototype implementation is using inetd as the basis application. Using inetd we provide a simple scheme for service categorization, using tcp/ip network ports. The scheduling algorithm that our system proposes is competitive. The paper concludes with a comparison of PEGASUS and other well known similar infrastructures.

After working in a corporate environment for many years, the one deciding factor in the survivability of text processing software appears to be whether the tool used was free open source or a closed source, binary only, commercial only product. Stuck with presentations and other documents in now unreadable or unconvertable formats, we need to look for ways to escape the trap of "closed" solutions as open solutions from the same era didn't suffer the same faith. We show how Open Source offers more than just "free software"; it offers better continuity and increased data preservation. If Darwinist evolution could be applied to software, open source software would be considered fitter and more likely to survive.

In this paper, we discuss a global name space for NFSv4 and mechanisms for transparent migration and replication. By convention, any file or directory name beginning with /nfs on an NFS client is part of this shared global name space. Our system supports file system migration and replication through DNS resolution, provides directory migration and replication using built-in NFSv4 mechanisms, and supports read/write replication with precise consistency guarantees, small performance penalty, and good scaling.

We implement these features with small extensions to the published NFSv4 protocol, and demonstrate a practical way to enhance network transparency and administerability of NFSv4 in wide area networks.

Drawing on 15 years of investment in analyzing various types of Internet data (workload, topology, routing, and performance), Dr. Claffy describes what we have learned, and what we have failed to learn from Internet measurement. She will discuss how to best apply both (the learnings and the failures) to future cyberinfrastructure research and development, and outline some assumptions about the current architecture that we still need to investigate with more rigorous underpinnings. She will cover background on the historical context of funding for Internet research and development, and articulate the set of most paramount and pervasive weaknesses in the current infrastructure. She will also argue that technological and political forces will inevitably demand a re-evaluation of the fundamental aspects of Internet architecture, engineering, and governance.

An overview of the MySQL Cluster architecture, what's different about it and what problems it can be used to solve. We'll be looking at how High Availability is achieved as well as setup considerations regarding performance. Basic use will also be covered, from setup (including schema considerations) to new (and exciting!) features in the 5.0 and 5.1 releases.

Information security threats are constantly advancing, adapting, and evolving, so to are honeypots. This technical presentation will cover the latest tools in the world of honeypots, including honeynets, client honeypots, and distributed deployments. We will not only discuss the value and concepts of these tools, but how they work at a technical level. In addition, we will cover what we have learned about threats, including trends over the past several years, some of the latest threats we have captured, and where we think the future lies.

In this paper we discuss the methods and tools used by the Systems Development and Support team at Oxford University Computing Services to manage the installation and configuration of more than 60 Debian GNU/Linux servers, ensuring that these systems are in a consistent and reproducible state. We also give a brief overview of some of the existing software for configuration management and discuss the rationale and evolution of the system currently in use at Oxford. This consists of three tiers, treating generation, distribution, and installation of configuration files as independent processes.

Our toolkit is built from familiar free software components: Template Toolkit for configuration file generation; Subversion for revision control; rsync for file distribution; Perl for scripting; YAML for data serialisation. We introduce each of these technologies and describe how they fit together to provide a modular and flexible system for managing configuration files.

This talk describes a design that provides data storage with high availability, protection against unauthorized disclosure, and the ability to expunge the data in a way that makes it unrecoverable. The obvious approach, of course, is to encrypt the data on nonvolatile storage, and then destroy keys at the appropriate times. But then there is the difficulty of managing the keys. This design minimizes that difficulty, and allows minimal trust in stable storage and key management, so that these functions can be outsourced. Although parts of the talk are technically deep, anyone should be able to understand the characteristics of this system. The target audience is anyone who might use or implement such a system.

Java is a strong player in the application server market and thus the performance of its virtual machine is an important aspect of a server's performance. One of the components that affect performance of a JVM is the memory manager, which also includes the garbage collector. Modern virtual machines offer a multitude of options for tuning the memory manager, which can have a significant impact on server application performance.

This paper examines the structure and performance of garbage collector implementations for the most popular JVMs. We first provide a brief overview of how memory management works in Java and then proceed to present timing options based on the results of benchmarks, both readily available and tailor made, executed using open source server applications. We employ server-class dual-processor 64-bit hardware configured with 8GB of RAM and a switching network of workstations to perform the tests. We study the effect of garbage collection tuning and present the best configurations for common workload patterns.

We're drowning under a wave of data and don't even know it yet. With large disks being so much cheaper than time it is very tempting to buy more disk instead of cleaning up and sorting old data. As data space expands we will start losing track of - and thus losing - our data. Archival backups add complexity to this already confusing situation then toss in security and availability for some spice. Where is this going and how can we handle it in the face of millions of gigabytes of 'old cruft'?

We need to pay attention as data is generated, collected, collated and organized to make sure we can find it again. Librarians have been dealing with data classification and organization for thousands of years. We can learn a few things from them.

Despite constant advances in hardware performance, the time it takes to log in to GNOME has not improved much in recent years. This work examines the causes of slow startup time using a combination of existing and ad-hoc tools and evaluates possible solutions.

The analysis shows that GNOME startup time is I/O bound and dominated by disk seeks, and that there is much room for improvement: proof-of-concept modifications made to GNOME code and to system code resulted in a more than 30% reduction in startup time.

The work also shows how trivial modifications to the dynamic linker to load libraries from disk sequentially instead of faulting them into memory can bring a relatively large benefit in application startup time.

The GNU General Public License (GPL) invented the concept of Copyleft and is the most popular Free Software license today. After many highly successful years for version 2, the GPL is currently being overhauled to meet the needs of the next decade.

The presentation will give an introduction to version 3, the changes made, their reasoning and how to participate in the process to make sure GPLv3 will be the best GPL we can collectively create.

A spectre is haunting IT-security -- the spectre of hash function cryptanalysis. A lot of actual results show that all widely used hash functions (MD4,MD5,SHA,SHA-1) are broken in a cryptographic sense.

Even worse because of some internal design properties even practical attacks against MD*-based hash functions security systems could be shown. In this paper we discuss the cryptographic status and some first-aid workarounds. We also show the impossibility to establish a "Trusted" infrastructure based on a untrustable cryptographic function.

Radio Frequency Identification (RFID) is the latest phase in the decades-old trend of the miniaturization of computers. RFID transponders are tiny resource-limited computers that do not have a battery that needs periodic replacement. RFID tags are inductively powered by their external reading devices, called RFID readers. Once the RFID tag is activated, the tag decodes the incoming query and produces an appropriate response by using the energy of the incoming radio wave to power the chip long enough to respond. RFID tags can do a limited amount of processing, and have a small amount (<1024 bits) of storage.

Although RFID tags are useful for a huge variety of applications, this talk will focus on the security implications of RFID tags for Sysadmins.

The GNU General Public License (GPL) invented the concept of Copyleft and is the most popular Free Software license today. After many highly successful years for version 2, the GPL is currently being overhauled to meet the needs of the next decade.

The presentation will give an introduction to version 3, the changes made, their reasoning and how to participate in the process to make sure GPLv3 will be the best GPL we can collectively create.