Enterprise Security, Enterprise Linux
AUUG2K Conference & Tutorials
Enterprise Security, Enterprise Linux
Australian National University, Canberra
25-30 June 2000

Tutorial Programme

Sunday 25 June Time Tut No. Tutorial Title and Outline
Full Day Tutorial 9:00am-5:00pm S1 Implementing SAMBA, by Richard Sharpe

This full-day tutorial will help you with many of the more advanced aspects of Samba on Linux.  During this tutorial you will set up a Samba server to:

  • Implement virtual servers with two or more servers running under Samba
  • Perform network logons to a domain
  • Automatically generate netlogin.bat scripts for better control over Windows 9X logins
  • Understand the handling of variable substitutions in Samba
  • Set up encrypted passwords
  • Set up Samba as a PDC for both Windows NT clients and Windows 2000 clients.
Half Day Afternoon Tutorial 1:30pm-5:00pm S2 Writing Secure Software, by Michael Paddon

Today, it is more important than ever that the software we are writing is designed and built with security as a primary goal.  The ubiquitous global connectivity of the Internet has created unparalleled opportunities for malicious attack and compromise of our systems.

Most compromises occur through the exercise of bugs, limitations and unintended functionality.

This tutorial covers the fundamentals of designing and implementing systems that are secure from the ground up.

Areas covered:

  1. Taxonomy of security holes.
  2. Risk analysis and trust.
  3. Privileged software.
  4. Setuid code.
  5. Posioned contexts.
  6. Race conditions.
  7. Buffer overflows.
  8. Chroot gaols.
  9. Miscellaneous holes.
  10. Distributed security.
  11. Cryptosystems.
Half Day Afternoon Tutorial 1:30pm-5:00pm S3 Securing Linux for the Enterprise, by John Terpstra

This tutorial will step the delegate through the key steps that should be followed to ensure that a Linux system that serves the business back end can be rendered safe and secure.

We will examine key system intrusion and disabling mechanisms used by crackers, with a focus on how you can configure vital system components to minimize the risk at your site.  The key areas we will consider includes:
  • TCP_Wrappers
  • System V Initialisation Script control
  • Samba configuration
  • Apache Configuration
  • Internetworking Super Daemon configuration
  • IP Chains (firewall Scripts)
  • Sendmail configuration
  • FTP Configuration
Additionally, we will review areas in which further security provisions still need to be made - delegates will learn what information their Linux systems presently provide to help a would-be cracker.  We will also review some of the tools that the cracker may use to locate a vulnerable Linux system.  If you control a Linux system that is connected to the Internet you can not afford to miss this tutorial.  So that each delegate can immediately practice the skills learned they will receive a free full commercial box set of TurboLinux Server valued at USD$200.

Half Day Afternoon Tutorial 1:30pm-5:00pm S4 AutoConf, by Ben Elliston

Autoconf is a tool for producing shell scripts that automatically configure software source code packages to adapt to many kinds of UNIX-like systems.  The configuration scripts produced by Autoconf are independent of Autoconf when they run, so their users do not need to have Autoconf.

This workshop will cater to both kinds of Autoconf users: end-users, such as system administrators, who are running "configure" scripts and developers who want to use Autoconf to improve their package's portability.

The end-user section of the workshop will explain how to run configure and how to work through problems if the package fails to compile "out of the box".

The developer section of the workshop will give an overview of Autoconf and related programs and guide you through the process of "autoconfiscating" an existing package.

Monday 26 June Time Tut No. Tutorial Title and Outline
Full Day Tutorial 9:00am-5:00pm M5 FreeBSD Installation and Configuration, by Warren Toomey

FreeBSD is a free Unix system that makes an excellent platform for providing reliable, full-time network services on modest equipment.  FreeBSD is the operating engine behind such systems as Yahoo!, Walnut Creek and Hotmail.com.

The aim of this workshop is to install FreeBSD on a Pentium platform and configure a number of useful network services, suitable for a small enterprise or department.  We will:

  • Install a current version of the FreeBSD operating system on a Pentium-class PC;
  • Set up an SMB file and print server for Windows clients;
  • Set up a POP mail server for incoming mail, and permit outgoing mail with Sendmail;
  • Set up an Apache web server for local pages, and as a caching proxy;
  • Enable FTP service for normal users and anonymous downloads; and
  • Tighten the security of the server for login users and network accesses.
Other topic areas could be covered in this workshop, including setting up packet filters, setting up a Domain Name Server.  Please e-mail the presenter () with your wishlist, and we will see if we can cover these extra topics.

Workshop attendees will receive a copy of the latest FreeBSD system on CD-ROM.

Half Day Morning Tutorial 9:00am-12:30pm M6 Firewall Design & Management, by Lawrie Brown

With the ever increasing growth and pervasiveness of the Internet, more and more organisations find that they need to connect to the Internet in order to fulfil their goals.  However, there are persistent security concerns with such a connection.  The usual approach to reducing these concerns is to install a firewall to provide perimeter defence around private networks which supplies a single controlled and monitored point of connection.  The design, installation, and ongoing management of a firewall though, is a non-trivial task.  This workshop will provide an overview of this process.  This starts with the determination of an appropriate security policy, and then the specification of services to be supported and policy applied.  From this a suitable firewall architecture can be selected from the range available, specific equipment chosen and configured.  Then there is the ongoing management of the firewall, maintaining its safe configuration, responding to security events, and monitoring its ongoing use.  The workshop will not discuss particular products, rather it is aimed to assist those who need to manage this process.

Half Day Morning Tutorial 9:00am-12:30pm M8 The Java Jini Distributed Programming Environment, by Jan Newmarch

Jini is a new environment from Sun to give ``network plug and play'' for devices and software services.  It is designed for the huge market in smart devices that can be connected to a network, and also for the supply of software services over a network.  This tutorial covers the programming API for Jini.  The material includes:
  • Jini architectural model
  • Service registration
  • Leasing
  • Event model
  • Java Spaces
  • Lookup services
  • Client search
  • Security
  • Proxy lookup services
A basic knowledge of Java will be assumed.

Half Day Afternoon Tutorial 1:30pm-5:00pm M9 Advanced IP Packet Mangling in Linux 2.4, by Paul Rusty’Russell

This tutorial is aimed at those who have set up networking under Linux, and want to see what evil they can do to packets.  It will cover the general kernel architecture which was introduced in 2.3 (netfilter), and why such an architecture was needed.

Then it will show how the architecture has been used for simple packet filtering (iptables), which is a close cousin of the established ipchains (Linux 2.2) and ipfwadm (Linux 2.0) tools.

We then move on to connection state tracking (ip_conntrack), showing the abilities and limitations of trying to keep information about the history of packets and their relationships.

This builds to a climax with the description of Network Address (Port) Translation (ipt_nat).  This will cover loadsharing, port forwarding, masquerading and general NAT.

The last section of the tutorial will cover extending the capabilities of the Linux kernel, handling specialised protocols, and dealing with packets in userspace.

Half Day Afternoon Tutorial 1:30pm-5:00pm M10 Version Control Using CVS, by Ben Elliston

Configuration management is a crucial aspect of sound software engineering practice.  Collaborative software development requires a suitably capable version control system.  The Concurrent Versions System, CVS, is one such system, providing support for concurrent development and operation over a wide-area network.  CVS enjoys widespread use in industry and by free software projects world-wide.

This workshop will provide a tour of the CVS system, its features, and how to use it appropriately in various (hopefully familiar) software development scenarios.  I hope to provide running examples as the tour unfolds.

Half Day Afternoon Tutorial 1:30pm-5:00pm M11 Cluster Computing Technologies and Applications, by Rajkumar Buyya

Tutorial Cancelled

The availability of high-speed networks and increasingly powerful commodity microprocessors are making the usage of clusters, or networks, of computers an appealing vehicle for cost effective parallel computing.  Clusters, built using commodity-of-the-shelf (COTS) hardware components as well as free, or commonly used, software, are playing a major role in redefining the concept of supercomputing.

In this tutorial, we discuss the motivation for the transition from using dedicated parallel supercomputers, to COTS-based cluster supercomputers.  We also describe the enabling technologies and then present a number of case studies of cluster-based projects to support our discussion.

Finally, we summarise our findings and draw a number of conclusions relating to the usefulness and likely future of cluster computing.  The question naturally arises: How does Clusters, redefine concepts of traditional supercomputing?; How is this different from traditional supercomputing or MPP computing?; Are cluster offering a completely different programming paradigm?; Can one make a cluster based Supercomputer? and what are its implications of do so?  This tutorial offers answers to these and other questions related to the use and exploitation of clusters as a vehicle for high performance applications.

Tuesday 27 June Time Tut No. Tutorial Title and Outline
Full Day Tutorial 9:00am-5:00pm T12 Linux Installation, by Chris Levanes

This full-day introductory tutorial to the complete features of the Red Hat Linux set will cover the following areas and include:

  • A brief overview of Linux/Open Source
  • Red Hat Linux features and capabilities
  • A brief overview of Red Hat products
In addition, the practical component of this tutorial will involve:
  • Red Hat installation
  • Overview of services
Full Day Tutorial 9:00am-5:00pm T13 Cryptographic Algorithms Revealed, by Greg Rose

In this advanced tutorial, attendees will get a fairly detailed overview of what makes cryptographic algorithms work, and when they don't work, how they are broken.  The tutorial will be as up-to-the-minute as possible with respect to the development of the Advanced Encryption Standard.

This tutorial will require some mathematical background from attendees.  At the very least, familiarity with common mathematical notation, polynomials, and some elementary statistical knowledge will be needed.  You've been warned.

Topics covered (unless time runs out):
Brief History
  • substitution and transposition
  • development of DES
  • public key cryptography
Symmetric Block Ciphers
  • Feistel ciphers generally
  • DES
  • Current AES Candidates (Rijndael, Twofish, MARS, RC6, Serpent)
  • Block Cipher modes of operation
Symmetric Stream Ciphers
  • Panama
  • A5, SOBER and other LFSR based constructions
  • Differential & Linear cryptanalysis
  • Attack assumptions and threat models
  • Attacks on stream ciphers
Public Key systems
  • Group and Finite field theory
  • Discrete Log systems (El Gamal, Diffie-Hellman, DSS)
  • RSA
  • Elliptic curves
Other stuff:
  • Hash functions, SHA-1 Half Day

Half Day Morning Tutorial 9:00am-12:30pm T14 DNS and BIND, by Chris Vance

Tutorial Cancelled

This tutorial covers the use of the Domain Name System and the Berkeley Internet Name Daemon which provides this service on Unix and similar systems.
The Domain Name System
  • Why we use it
  • History
  • How it works
  • Domains and zones
  • Record types
  • Delegation
The BIND Name Server
  • Zone files
  • Configuration file
  • Administration
  • Politics
  • Hints
  • Supporting software
  • A look forward

Half Day Morning Tutorial 9:00am-12:30pm T15 Debugging Programs with GDB, by Andrew Cagney

GDB, the GNU project debugger, is arguably the most widely used debugger in the world.  As well as supporting most host platforms it has also been ported to almost every target architecture in existence.

This tutorial will first provide the programmer with an introduction to GDB.  It will then go on to explain some of GDB's more advanced features including inferior calls, watchpoints, conditionals and scripting.  A brief introduction to embedded debugging will also be provided.

Half Day Afternoon Tutorial 1:30pm-5:00pm T16 Practical IPSEC, by Adrian Close

Networks on the Internet are increasingly turning to firewalls as a means of protecting themselves against external network-based attacks, creating their own small islands of trust.  However, the increasing need for secure, inter-network communications requires extending that trust across the Internet itself - a risky proposition in an increasingly hostile network environment.

Implementing IPSEC is one plausible solution and this tutorial will cover the fundamentals of doing this in the real world.

Practical demonstrations of the technology involved will be given throughout the tutorial, which will include debugging techniques useful for successful deployment and interoperability of various IPSEC implementations.


  1. Why IPSEC?
  2. Basic IPSEC - ESP, AH, SAs and SPIs.
  3. Encryption algorithms - choices and availability.
  4. The problem of key exchange.
  5. ISAKMP overview.
  6. ISAKMP authentication using shared secrets and certificates.
  7. PKI - myths and realities.
  8. Alternatives to ISAKMP.
  9. IPSEC implementations and interoperability issues.
  10. IPSEC and IPV6 - a vision of the future
Half Day Afternoon Tutorial 1:30pm-5:00pm T17 Vinum Volume Manager Administration, by Greg Lehey

The Vinum Volume Manager is an Open Source software implementation of virtual disks and RAID levels 0, 1, 4 and 5.  It provides a flexible disk abstraction that can increase disk size, speed and reliability.  Performance is comparable with and in many cases exceeds that of hardware RAID solutions.  Vinum currently runs on the FreeBSD platform, but other platforms are in planning.

This tutorial demonstrates how to set up Vinum for a number of typical configurations, and how to deal with tradeoffs between media cost, performance and reliability.  Participants are encouraged to submit details of their own storage problems in advance for discussion during the tutorial.

AUUG2K Home | AUUG Home | Site Map | Email comment

webmaster@auug.org.au / $Id: tutorial.html,v 1.7 2003/02/25 03:40:03 benjsc Exp $