Detecting and Analyzing Intrusions: Hands-On

Frequently Asked Questions

What is this course about? In this course, you gain extensive experience detecting intrusions and configuring several Intrusion Detection Systems (IDS). You also gain the skills to respond to potential attacks by recognizing the scans, floods and methods used by intruders. You learn how to deploy intrusion detection systems within your network, taking into account switched architectures, routers, firewalls and encrypted links. You also learn how to configure IDS to detect complex attacks, including botnets, buffer overruns, denial-of-service (DoS) attacks and exploits against Web vulnerabilities. You tune and test your IDS to ensure they do not alert on normal traffic. By utilizing special correlation software, you allow the IDS to indicate the severity of an attack. Throughout the course, you gain hands-on experience with a wide range of security tools and techniques for maintaining the security of your network operations. Who will benefit from this course? This course is ideal for those responsible for network and system security and those who want to learn how to secure their enterprise. Typical participants include network and system administrators, technical managers, auditors, computer security officers and staff with direct involvement in security. What background do I need? It is recommended that you have a good understanding of security issues and TCP/IP. For example, you should understand: IP and TCP header fields and operation Common TCP/IP security vulnerabilities Course 468, System and Network Security: A Comprehensive Introduction, provides the necessary background on security issues. Knowledge of TCP/IP at the level of Course 367, TCP/IP: A Comprehensive Hands-On Introduction, is helpful, but not required. Working knowledge of UNIX/Linux is helpful, since you will be working in Linux for several exercises. However, exercise steps are clearly illustrated, and if you follow instructions, you should have no issues working with Linux. What types of intrusion detection are covered in this course? The course discusses both network- and host-based intrusion detection systems. Will I learn how hackers break into systems? Yes. To be able to detect attacks, you have to understand how hackers formulate attacks. You learn how hackers conduct scans, buffer overruns, and denial-of-service attacks against UNIX and Windows systems. You also see how hackers try to evade detection by IDS using fragmentation and Web traffic obfuscation. For more detailed information and analysis on modern ethical hacking techniques, please see Course 537, Ethical Hacking and Countermeasures: Hands-On. Will I analyze hacker attacks? Yes. This course goes into great detail about hacker attacks. You analyze attacks using the Sguil application, which displays a considerable amount of useful information about the alert. We also discuss log analysis. Furthermore, you also detect various types of port scanning activity. Will there be any real exploit traffic in the course? Yes. The instructor will be releasing actual real-world captured exploits on the network that will test your Intrusion Detection System's detection capability. Additionally, you use the Karalon Traffic IQ Pro testing tool, within which are embedded authentic attack traces. Will this course help me prepare for the CISSP Certification examination? Yes, this course helps you prepare for multiple domains on the CISSP Certification exam. For more information, please ask a customer service representative for a copy of the Learning Tree Preparing for the (ISC)2 CISSP Certification Q&A. Does this course provide me with (ISC)2 continuing professional education (CPE) credits? Yes! Learning Tree, in agreement with (ISC)2, is a recognized "Trusted CPE Provider." This course provides you with 32 "A-level" CPE credits toward maintaining your CISSP Certification. For more information on the continuing education requirements of (ISC)2, please ask a customer service representative for a copy of the Learning Tree Preparing for the (ISC)2 CISSP Certification Q&A. How much time is devoted to each topic? Content Hours Detecting and analyzing network- and host-based intruder attacks 8.0 Integrating intrusion detection systems (IDS) into your current network topology 2.5 Tuning IDS operations using the latest tools and techniques 2.0 Scoping and remediating intrusions with Network Security Monitoring (NSM) 3.0 Correlating IDS alerts with scanner vulnerability information 2.0 Clarifying intrusions by correlating multiple sensor events 2.0 Enhancing IDS detection by analyzing signatures 1.5 Uncovering common attacks and detection avoidance schemes 2.5 Enforcing network forensics 1.0 Times, including the workshops, are estimates; exact times may vary according to the needs of each class. What kinds of hands-on exercises are in the course? Approximately half of the class time is spent on hands-on exercises and "Do Now" demonstrations. The exercises are designed to give you experience implementing intrusion detection systems to create a defensible and secure network. In addition to using commercial and open source IDS, you also use a protocol analyzer to verify an attack event and other tools to generate attack traffic. Focus is placed on interpreting the signature of the attack and learning how IDS detect specific types of attacks. What products and tools are covered in this course? This course employs two popular IDS products: ISS RealSecure Network Sensor and Server Sensor and the open source Snort. Using these products, you are able to put the course concepts into practice and see how an actual attack is detected with an IDS. Other tools used include nmap scanner, Wireshark protocol analyzer, Sguil network security monitoring, and ISS Internet Scanner. Traffic IQ Pro, which is a purpose-built IDS testing software, is used throughout the course. Will I be looking at Enterprise-based solutions? Yes. You monitor intrusions in Snort Barnyard logs with a BASE console based on PHP, accessing a MySQL database via an Open SSL-based Stunnel encrypted connection. You will manage Snort signatures and configuration with the IDS Policy Manager. Throughout the course, you will use the ISS RealSecure Site Protector. Will I learn how IDS are integrated into my network? Yes. This course covers placement of an IDS within a network infrastructure which contains routers, switches and VLANs. You discover differences between using a hub, passive Taps and Switch Port analyzer (SPAN) ports. Will I learn how to tune the IDS? Yes. We discuss how IDS tuning is used to minimize the number of generated alerts. You use the multiple tuning features provided in the RealSecure software. Will I learn how to correlate IDS alerts? Yes. You use the ISS Security Fusion Module to correlate alerts with vulnerability information collected by the ISS Security Scanner. You also use the Open Source Security Information Management (OSSIM) system for correlating attack events. How does this course relate to other Learning Tree courses? This course relates to the following Learning Tree courses: 367, TCP/IP: A Comprehensive Hands-On Introduction provides a comprehensive technical introduction to TCP/IP 940, Securing Web Applications, Services and Servers: Hands-On offers in-depth, hands-on experience securing Web-based applications and host servers within your organization 589, Hands-On Vulnerability Assessment: Protecting Your Organization provides the skills to detect and respond to vulnerabilities that put your organization at risk using scanners The following Learning Tree courses may also be of interest: 420, Securing Wireless Networks: Hands-On  433, UNIX® and Linux® Security: Hands-On  536, Computer Forensics and Incident Response: Hands-On