UNIX SECURITY --- June 14, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
______________________________________________________________________

Getting Back to Basics: SANS 2001
By Carole Fennelly

To be honest, I haven't attended a SANS conference (http://www.sans.org) since 1998 when I walked out of almost every talk with the impression that the presenters should update their material. The last straw came when a presenter patronizingly suggested I attend the tutorials after I disagreed with his solution of securing a Web server by sticking a firewall in front of it. Yes, I know what a firewall is, but I also know that they are not the answer to every security requirement.

Things change, and I was given an opportunity to re-evaluate SANS by way of a free pass to the conference held in Baltimore this past May, courtesy of Alan Paller (http://www.sans.org/SANS2001.htm). According to Alan:

"SANS exists to enable technologists to learn from the top rated teacher/practitioners in their fields -- people with front-line, real world experience. There are a lot of great practitioners who are not very good at teaching and there are hundreds of good teachers who do not have the front-line experience to answer questions well."

Does SANS meet this goal? I drove down to Baltimore to find out.

I wanted to attend tutorials at will to get a better overall feel for the conference but registering for Track 4, "Advanced Incident Handling and Hacker Exploits", restricted me to tutorials for that track alone. The course materials were comprehensive and very detailed. In fact, the course materials seemed to be all that I would need to learn about the few tools I wasn't already familiar with. While it would have been worthwhile to sit through the tutorials for the side comments and extra insights from presenters Eric Cole and Edward Skoudis, I opted to check out the rest of the conference instead.
I wanted to attend Marty Roesch's tutorial on Snort (http://www.sourcefire.com), an Open Source Intrusion Detection package. I found this to be a very useful tutorial for anyone interested in Intrusion Detection Systems, not just Snort. Especially effective was the screen showing real-time details of building and using the package. More detail than I really needed, but I've been building and using software packages for about 20 years. I wish tutorials like this were available when I started in Unix.

I skipped the afternoon session of Snort to check out a presentation hosted by Network Computing magazine at the Sheraton, "Network Computing Challenge: Securing Your eBusiness" (http://www.networkcomputing.com/events/june_challenge.html). This presentation was open to anyone, though targeted at IT managers. I expected a 50,000-foot view of security and only went to finally meet the guys from Neohapsis (http://www.neohapsis.com) who were presenting. Jeff Forristal did a great job explaining the hazards of wireless networks to an audience that really needed to hear it. Although I interviewed Jeff for an article I wrote on wireless (http://www-106.ibm.com/developerworks/wireless/library/wi-sec.html), I learned something from his presentation and picked up another good resource for wireless networking, the "Wildpackets" site (http://www.wildpackets.com).

Wednesday's Technical Conference kicked off with a keynote address by Gopal Kapur of the Center for Project Management titled "Management's Seven Deadly Sins". Keynote addresses are usually good and this was no exception. Management mistakes are often a source of humor, such as Scott Adams' popular Dilbert comic strip, and Gopal kept the audience entertained as well as informed with examples that everyone could relate to. While Gopal offered many useful suggestions to fix management mistakes, the average techie usually is not positioned to affect management changes.
I couldn't help feeling that Gopal was preaching to the choir.

For me, the most important aspect of a conference is the social interaction with other people in the field. I've learned more talking to people in hallways or at the bar than in any tutorial. Based on my previous experiences, I didn't expect too much social interaction at SANS. I was pleasantly surprised. The vendor floor had a great turnout and included the IDNet Demonstration Network for attendees to test their hacking skills and observe intrusion detection systems responses. This became the gathering spot for some of the top people in the information security field attending the conference. As many discussions initiated there continued over lunch or into the evening outings, it occurred to me that getting these talented people together and adding alcohol could be very dangerous!

I only caught the last 15 minutes of Simple Nomad's "Stealth Communications Across Networks" presentation, and was told by the door monitor that I missed a "great talk". Based on the conversation I had with Simple Nomad (http://www.nmrc.org/) over lunch, I can believe it.

The last official event I attended was one I always look forward to, Rob Kolstad and Dan Klein's "Quiz Show" -- Jeopardy for Geeks. It's always lots of fun and I give credit to anyone brave enough to get onstage and be on the receiving end of Rob's good-natured abuse.

Overall, the conference was well worth attending, even though I did not stick to the program. On the negative side, I felt "herded" and I wasn't happy with the rigid restrictions to Tracks. With over 2000 attendees attending 100 classes in one week, this is understandable but I still found it annoying.

Still, SANS is a great resource for the average person in the IT field. You won't see many new theories presented and that's fine; plenty of other conferences exist for the more advanced audience and we definitely need to educate the beginner to intermediate audience.
For more advanced security people, it's still worth attending for the vendor floor and social interaction at the very least. As a colleague who shall remain nameless put it, "SANS is good for people who are confused at USENIX."

About the author(s)
-------------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area. She is also a regular columnist for Unix Insider (http://www.unixinsider.com). Visit her site (http://www.wkeys.com/) or reach her at carole.fennellyat_private

ISN is hosted by SecurityFocus.com