Detailed Outline for CEDIA Network Training Workshop.
Quito, Ecuador
Feb. 29th-March 6th, 2004




CEDIA: Network Workshop

Dates: February 29 to March 6, 2004
Location: Quito (Sangolquí), Ecuador (ESPE)
Sponsored by: CEDIA (Consorcio Ecuatoriano para el Desarrollo de Internet Avanzado) and the NSRC (Network Startup Resource Center)
Instructors:
Hervey Allen (HA), Network Startup Resource Center
Brian Candler (BC), Volunteer, Network Startup Resource Center
Carlos Vicente (CV), Network Services, University of Oregon

Course Outline

Sunday: Day 1, February 29 (Optional 1/2 day)

Afternoon (HA)
* Introduction to Linux: Day 1 [Materials]
* Install Red Hat 9 Server
* Create accounts, remove accounts
* Discussion of /etc/passwd, /etc/group, /etc/shadow
* Filesystem commands (cp, ls, cd, rm)
* Use of a basic editor, such as vi
* Use of the 'su' command for root, and /etc/sudoers
* Retrieve RPM packages using FTP and install them
* Be able to shut down and restart the server. Discussion of init (run) levels.
* Discussion of /etc/ and /etc/rc.d/init.d/
* If time is available, free time for practice with instructor help.

Monday: Day 2, March 1

Morning (HA)
* Introduction to Linux: Day 2 [Materials]
* Introductions
* Workshop setup, including accounts, partitions, and schedules
* Linux discussion of partitioning and options - /etc/mtab, /dev
* Discussion of Linux services and how to tell what is running.
* Hands-on configuration of services (Linuxconf? I prefer chkconfig).
* Starting and stopping of services.
* Discuss /etc/rc.d, /etc/sysconfig, /proc
* Hands-on configuration changes to /etc/sysconfig/network-scripts
* Discuss /etc/crontab and practice command use.
* First mention of firewalls
* Gnome vs. KDE and the X Window System. What they are. Not needed on a server.
* Logs and where they reside. Hands-on viewing of logs. Note /etc/syslog.conf

Afternoon (CV)
* Packets and Protocols [Materials]
  Introduce the core concepts of how data is packaged using IP packets.
  In general terms we will discuss:
  - Physical layer
  - Ethernet
  - IP packet design
  - IP (layers)
  - TCP/UDP/ICMP
  - Sequencing
* Basic IP and Networking Concepts [Materials]
  Topics include: the protocol stack, hop-by-hop forwarding, IP addresses, netmasks, CIDR prefix notation, Ethernet ARP, binary arithmetic.
  Students will be able to:
  - recognise the ISO OSI seven-layer model
  - understand the relationship between the TCP/IP model and the ISO model
  - describe the unifying effect of the network layer
  - describe how IP addresses are constructed: network part, host part
  - understand old classful networking terminology: class A, B, C
  - understand modern classless networking terminology: CIDR, prefix length, VLSM
  - convert between prefix length and netmask notation
  - identify network and broadcast addresses
  - find the lowest/highest possible IP address in a prefix
  - subdivide prefixes
  - understand the concepts of subnetting and supernetting
  - distinguish between different network types: broadcast, point-to-point, NBMA
  - explain the purpose of ARP
  - describe the forwarding process and 'longest match' rules

Optional Morning Session (HA)
* Additional Linux OS practice with instructor

Tuesday: Day 3, March 2

Morning (CV/BC)
* Basic IP Networking continued [Materials]
* Static Routing Exercises using Linux boxes with two NICs [Materials]
  Consider student installation of the second NIC at this point.
  Students will be able to:
  - Configure static routes on the Linux boxes.
  - Configure IP addresses on Linux NIC interfaces.
  - Configure static default routes on Linux hosts.
  - Change IP addresses on NIC interfaces in Linux.
  - Add static routes to the Linux system (route, netstat)
  - Understand the use of Linux as a serial console.
  - Perform basic network troubleshooting tasks such as ping and traceroute.
  - Explain what a default route is.

Afternoon (CV/BC)
* Static Routing Exercise cont.
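The following is an added example for the IP addressing objectives and the two-NIC static routing exercise above; it is not part of the workshop materials. It does the prefix/netmask arithmetic on plain 32-bit integers so the binary operations are visible, cross-checks the result against Python's standard ipaddress module, and implements the longest-match forwarding decision (including what a default route is and when it wins) over a constructed routing table. All addresses, interface names and next hops are made up for the example.

```python
"""Prefix/netmask arithmetic and longest-match forwarding.

Added example (not from the workshop materials).  Arithmetic is done on
32-bit integers so the binary operations are visible; ipaddress is used
only as a cross-check.  All addresses and next hops are constructed.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def ip_to_int(addr):
    """'192.168.1.37' -> 3232235813 (octets are big-endian bytes)."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(plen):
    """/24 -> 0xFFFFFF00: plen one-bits followed by (32 - plen) zero-bits."""
    if not 0 <= plen <= 32:
        raise ValueError("prefix length must be 0..32")
    return (MASK32 << (32 - plen)) & MASK32


def mask_to_prefix(mask):
    """'255.255.255.192' -> 26; rejects masks whose one-bits are not contiguous."""
    m = ip_to_int(mask)
    plen = bin(m).count("1")
    if m != prefix_to_mask(plen):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return plen


def parse_cidr(cidr):
    """'192.168.1.37/26' -> (address as int, prefix length)."""
    addr, plen = cidr.split("/")
    return ip_to_int(addr), int(plen)


def describe(cidr):
    """Network, netmask, broadcast and usable host range of a prefix."""
    addr, plen = parse_cidr(cidr)
    mask = prefix_to_mask(plen)
    net = addr & mask                 # host bits cleared
    bcast = net | (~mask & MASK32)    # host bits set
    if plen >= 31:                    # /31 point-to-point (RFC 3021) and /32: nothing reserved
        first, last = net, bcast
    else:
        first, last = net + 1, bcast - 1
    return {"network": int_to_ip(net), "netmask": int_to_ip(mask),
            "broadcast": int_to_ip(bcast), "first_host": int_to_ip(first),
            "last_host": int_to_ip(last), "hosts": last - first + 1}


def subdivide(cidr, new_plen):
    """Split a prefix into the equal-sized /new_plen subnets it contains."""
    addr, plen = parse_cidr(cidr)
    if not plen <= new_plen <= 32:
        raise ValueError("new prefix must be between /%d and /32" % plen)
    net = addr & prefix_to_mask(plen)
    step = 1 << (32 - new_plen)       # addresses per subnet
    return ["%s/%d" % (int_to_ip(net + i * step), new_plen)
            for i in range(1 << (new_plen - plen))]


def cross_check(cidr):
    """True if describe() agrees with ipaddress on network/netmask/broadcast."""
    n = ipaddress.ip_network(cidr, strict=False)
    d = describe(cidr)
    return (d["network"], d["netmask"], d["broadcast"]) == (
        str(n.network_address), str(n.netmask), str(n.broadcast_address))


def lookup(routes, dest):
    """Longest-match forwarding: the most specific matching prefix wins.

    routes is a list of (cidr, next_hop).  '0.0.0.0/0' is the default
    route: it matches every address with length 0, so it only wins when
    nothing more specific matches.  Returns None if no route applies.
    """
    d = ip_to_int(dest)
    best_len, best_hop = -1, None
    for cidr, hop in routes:
        addr, plen = parse_cidr(cidr)
        mask = prefix_to_mask(plen)
        if (d & mask) == (addr & mask) and plen > best_len:
            best_len, best_hop = plen, hop
    return best_hop


# Constructed forwarding table for a Linux box with two NICs.
ROUTES = [
    ("192.168.1.0/24", "eth0"),        # directly connected (upstream side)
    ("192.168.2.0/24", "eth1"),        # directly connected (lab side)
    ("10.0.0.0/8", "192.168.2.1"),     # static route via a lab-side router
    ("10.1.0.0/16", "192.168.2.2"),    # more specific: wins for 10.1.x.x
    ("0.0.0.0/0", "192.168.1.1"),      # default route
]

if __name__ == "__main__":
    print(describe("192.168.1.37/26"))
    print(subdivide("192.168.1.0/24", 26))
    for dest in ("10.1.2.3", "10.2.0.1", "192.168.2.9", "8.8.8.8"):
        print(dest, "->", lookup(ROUTES, dest))
```

The same table expressed with the tools named in the exercise would be `route add -net 10.0.0.0/8 gw 192.168.2.1`, `route add -net 10.1.0.0/16 gw 192.168.2.2` and `route add default gw 192.168.1.1`; `netstat -rn` then shows the kernel making exactly the choices lookup() makes, and a host with the first four routes but no default simply drops 8.8.8.8 with "network is unreachable".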
* Switching Concepts Presentation [Materials]

Wednesday: Day 4, March 3

Morning (HA)
* Server-side security [Materials]
* Physical security.
* Firewalls don't protect from internal attacks.
* Account restrictions. Secure passwords.
* Run only the services you need. Some services not to run.
* Service-level security
  - tcpwrappers
  - /etc/hosts.deny and /etc/hosts.allow (old)
  - /etc/xinetd.d/* (new)
* Internal-only services (NFS as an example)
  - Students will check services.
  - Students will reconfigure a service not to run.
* Policy of encrypted-only username/password transactions for:
  - Email (POP and IMAP)
  - Web (HTTPS)
  - Shell (SSH)
  - File transfers (SCP)
* Patching and security updates. Available mailing lists.
  - Apply a patch.
* Intrusion detection/system integrity checking
  - Should be applied _before_ connecting to the network.
  - Show the Tripwire, AIDE, and Snort projects.
* Buffer overflow attacks
  - Install libsafe. Note 'cal' issue.
* Logging and syslogd.
  - Edit and review syslog.conf
  - Review logs and have students practice 'tail -f', messages sent to root, and discuss possible logging programs.
* Backups: presentation of approaches to backing up based on the server.
  - Discuss and use the tar command
  - Use tar to create a tar.gz file from a directory with multiple files. Use tar to decompress and expand the file. Note zip as well.

Afternoon (HA)
* Server security and services continued [Materials]
* Encryption basics. Public and private key encryption. Digital certificates. [Materials]
* Install Apache+mod_ssl [Materials]
  - Generate a local certificate
  - Configure /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf as needed.
  - Restart Apache and connect to port 443 (firewall issue)

Thursday: Day 5, March 4 (Light Day)

Morning (HA/BC/CV)
* Install Apache+mod_ssl (cont.) [Materials]
* SSH presentation and exercise (HA) [Materials]
  - known_hosts files and authorization
  - Password challenge authentication
  - RSA/DSA private/public key generation
  - Public/private key use with SSH
  - Using tunnels with SSH
* Discussion of NAT.
  What it is. What it is not. (CV) [Materials]
  - Advantages: enforces outbound control of packets, restricts incoming traffic, partially conceals the internal network
  - Disadvantages: loss of packet state information, embedded IP address problems, encryption and authentication problems, streaming media issues, address allocation can make logging harder, dynamic port allocation interferes with packet filters.
* Wireless security issues presentation (CV) [Materials]
  - SSIDs
  - WEP is easily broken
  - Spoofing MAC addresses
  - RADIUS and wireless

Afternoon
Rest day. Afternoon off.

Optional Morning Session (BC)
* Dynamic routing with Zebra [Materials]

Friday: Day 6, March 5

Morning (BC)
* Domain Name System (DNS) [Materials]
  - Objectives
  - Why names?
  - HOSTS.TXT
  - What was wrong with HOSTS.TXT
  - What is DNS?
  - Hierarchical structure of DNS
  - Domains
  - Client-server model
  - Types of nameservers
  - Exercise 1
  - Client resolver lookups
  - Client utilities for testing DNS
  - The BIND dig utility
  - Understanding output from dig
  - Exercise 2
  - Best practices (client side)
* Operation of a recursive (caching) nameserver
  - How a caching NS works (1)
  - What if the answer is not in the cache?
  - How a caching NS works (2)
  - How does it know which authoritative nameserver to ask?
  - Intermediate nameservers return an "NS" resource record
  - Eventually this process will either:
  - How does this process start?
  - Distributed systems have many points of failure!
  - Caching reduces the load on authoritative nameservers
  - Example 1: www.tiscali.co.uk (on an empty cache)
  - Example 2: smtp.tiscali.co.uk (after the previous example)
  - Caches can be a problem if data becomes stale
  - The owner of an authoritative server can control how their data is cached
  - A compromise policy
  - What sort of problems might happen when a caching nameserver is operating?
    (1) One authoritative server is down or unreachable
    (2) *ALL* authoritative servers are down or unreachable!
    (3) Referral points to a nameserver which is not authoritative for this zone
    (4) Inconsistencies between authoritative servers
    (5) Inconsistencies in delegations
    (6) Mixing caching and authoritative nameservers
    (7) Inappropriate choice of parameters

Afternoon (BC)
* DNS continued [Materials]
  - How to debug a domain using "dig +norec" (3)
  - Exercise - Setting up a caching-only name server
  - The zone data files
  - Setting the default TTL (RFC 2308)
  - Structure of resource records
  - RRs in a zone file
  - Resource record: SOA
  - The named.conf file
  - named.conf: master config for a domain
  - named.conf: slave config for a domain
  - Choice of secondary name server (RFC 2182)
  - Reloading a running server
  - Some common errors

Optional Morning Session (CV)
* University of Oregon Network Design

Saturday: Day 7, March 6

Morning (BC)
* DNS [Materials]
  - Exercise - Setting up an authoritative-only master name server
  - Exercise - Setting up an authoritative-only slave name server
* MTA, POP, IMAP and webmail servers [Materials]
  - Presentation depends on time constraints
* Discussion of MTAs. Why not use Sendmail.
* Install an alternative MTA [Materials]
  - Exim
* Set up IMAP/POP with SSL
  - Ensure that the MTA is working.
  - Install Courier IMAP
  - Configure daemons
  - Configure for use with SSL
  - Create user accounts on the machines.
  - Test POP/IMAP over SSL from neighboring machines.
  - Install a webmail server
  - Test that webmail works over SSL (HTTPS)
* Exam (HA/BC/CV) [Materials]

Afternoon (HA/BC/CV)
* Installation of Red Hat 9 (HA)
* Handout of certificates by Marcelo Jaramillo and Enrique Pelaez
* Conclusion
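For the Day 4 "Service-level security" items (tcpwrappers, /etc/hosts.allow and /etc/hosts.deny, /etc/xinetd.d/*), here is an added configuration example that is not part of the workshop materials: a default-deny tcpwrappers policy with explicit exceptions, an xinetd service file that keeps a cleartext service switched off, and one that leaves a service on but reachable only from the local network. The 192.168.1.0/24 "campus" network and the 10. prefix are constructed for the example.

```conf
# /etc/hosts.deny -- consulted second: deny whatever was not allowed above.
ALL: ALL

# /etc/hosts.allow -- consulted first; the first matching line wins, so the
# exceptions go here.  Networks are written as net/mask because the
# tcp_wrappers 7.6 shipped with Red Hat 9 does not take "/24" for IPv4.
sshd:   192.168.1.0/255.255.255.0, 10.
ALL:    127.0.0.1

# /etc/xinetd.d/telnet -- leave the package installed if you must, but
# never start the service: logins would cross the network in cleartext.
service telnet
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}

# /etc/xinetd.d/rsync -- a service that stays on, but only for the local
# network.  only_from is xinetd's own check and applies in addition to
# hosts.allow/hosts.deny (Red Hat's xinetd is built with libwrap).
service rsync
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        only_from       = 192.168.1.0/24
        log_on_failure  += USERID
}
```

The caveat students should take away: hosts.allow and hosts.deny only affect daemons that are linked against libwrap (sshd on Red Hat 9 is; `ldd /usr/sbin/sshd | grep libwrap` confirms it) or that are started through tcpd or xinetd. Apache, Exim and Courier are not, so they need their own access controls or a packet filter. After editing, `service xinetd reload` picks up the service files, `chkconfig --list` shows which xinetd services and init scripts are enabled, and `netstat -tulpn` (as root) shows what is actually listening.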
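For the Day 5 SSH session (password versus key authentication, known_hosts, tunnels), an added example that is not part of the workshop materials: the server-side settings that enforce key-only logins, and a client-side entry that tunnels IMAP through SSH so the cleartext IMAP port set up on Day 7 is never used across the network. The host mail.example.org, the user alice and the port numbers are constructed.

```conf
# /etc/ssh/sshd_config (server) -- options to change from the defaults of
# the OpenSSH 3.5 in Red Hat 9; anything not listed keeps its default.
# sshd rejects comments at the end of an option line, so they sit above.

# The SSH-1 protocol has known weaknesses; the stock file allows "2,1".
Protocol 2
# Log in as an ordinary user, then use su or sudo (Day 1).
PermitRootLogin no
# Keys only.  Turn PasswordAuthentication on only while the first public
# keys are being copied over, then switch it off again.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
# No X on a server (Day 2).
X11Forwarding no
# Needed for the tunnel below; set to no on hosts that must not relay.
AllowTcpForwarding yes

# ~/.ssh/config (client) -- "ssh -N mailtunnel" forwards local port 1143 to
# the IMAP port on the mail server inside the encrypted session; the mail
# client is then pointed at localhost:1143.
Host mailtunnel
    HostName mail.example.org
    User alice
    IdentityFile ~/.ssh/id_rsa
    LocalForward 1143 127.0.0.1:143
    # Refuse to connect if the server's key is missing from, or differs
    # from, ~/.ssh/known_hosts instead of prompting or continuing.
    StrictHostKeyChecking yes
```

Order of operations matters: generate the key pair with `ssh-keygen -t rsa` (the DSA variant is `-t dsa`), append the contents of id_rsa.pub to ~/.ssh/authorized_keys on the server (directory mode 700, file mode 600, or sshd ignores it), confirm that a key login works, and only then disable password authentication and run `service sshd restart` while an existing session stays open, so a typo in sshd_config cannot lock you out.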
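The Friday morning slides on how a caching nameserver works (referrals, the cache, stale data, and failure (3) in the list above) are easier to follow with the process in front of you. The following is an added example, not part of the workshop materials: a caching resolver simulated offline against three constructed authoritative servers (a root, a server for org, and ns1.example.org, all under reserved names). Servers are addressed by name rather than by the glue A records a real resolver would need, and a lame delegation for lame.org is planted in the org server on purpose.

```python
"""A caching (recursive) nameserver simulated offline.

Added example (not from the workshop materials).  Three constructed
authoritative servers stand in for the DNS so the referral chain, cache
hits, TTL expiry and a lame delegation can be watched without a network.
"""

# server name -> (zone apex it serves, {(owner, type): [(ttl, rdata), ...]})
SERVERS = {
    "a.root.test.": (".", {
        ("org.", "NS"): [(172800, "ns.org.test.")],
    }),
    "ns.org.test.": ("org.", {
        ("example.org.", "NS"): [(86400, "ns1.example.org.")],
        # Broken delegation: ns1.example.org does not serve lame.org.
        ("lame.org.", "NS"): [(86400, "ns1.example.org.")],
    }),
    "ns1.example.org.": ("example.org.", {
        ("example.org.", "NS"): [(86400, "ns1.example.org.")],
        ("www.example.org.", "A"): [(300, "192.0.2.80")],
        ("mail.example.org.", "A"): [(300, "192.0.2.25")],
    }),
}

def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def authoritative_query(server, qname, qtype):
    """One authoritative server's reply: (rcode, [(owner, type, ttl, rdata)]).

    rcode is ANSWER, REFERRAL (the NS set of the closest delegation),
    NXDOMAIN, or LAME when the server is asked about a zone it does not serve.
    """
    zone, rrs = SERVERS[server]
    if not in_zone(qname, zone):
        return "LAME", []
    if (qname, qtype) in rrs:
        return "ANSWER", [(qname, qtype, ttl, rd) for ttl, rd in rrs[(qname, qtype)]]
    cuts = [o for (o, t) in rrs if t == "NS" and o != zone and in_zone(qname, o)]
    if not cuts:
        return "NXDOMAIN", []
    cut = max(cuts, key=len)                  # longest matching delegation
    return "REFERRAL", [(cut, "NS", ttl, rd) for ttl, rd in rrs[(cut, "NS")]]

class CachingResolver:
    def __init__(self, root_server):
        self.root = root_server
        self.cache = {}     # (owner, type) -> (expiry time, [rdata, ...])
        self.clock = 0      # simulated seconds
        self.log = []       # every authoritative server asked, in order

    def advance(self, seconds):
        self.clock += seconds

    def cached(self, owner, typ):
        entry = self.cache.get((owner, typ))
        if entry and entry[0] > self.clock:
            return entry[1]
        self.cache.pop((owner, typ), None)    # missing or stale: drop it
        return None

    def store(self, records):
        for owner, typ, ttl, rdata in records:
            self.cached(owner, typ)           # evict a stale set first
            _, rdatas = self.cache.setdefault((owner, typ), (self.clock + ttl, []))
            if rdata not in rdatas:
                rdatas.append(rdata)

    def start_server(self, qname):
        """Closest enclosing name with a cached NS set, else the root."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels)):
            ns = self.cached(".".join(labels[i:]) + ".", "NS")
            if ns:
                return ns[0]
        return self.root

    def resolve(self, qname, qtype="A"):
        hit = self.cached(qname, qtype)
        if hit:
            return list(hit)
        server = self.start_server(qname)
        for _ in range(8):                    # hop limit against referral loops
            if server not in SERVERS:
                raise LookupError("%s unreachable" % server)   # problems (1)/(2)
            self.log.append(server)
            rcode, records = authoritative_query(server, qname, qtype)
            self.store(records)               # answers and NS sets are both cached
            if rcode == "ANSWER":
                return [rd for _, _, _, rd in records]
            if rcode == "REFERRAL":
                server = records[0][3]        # follow the delegation
                continue
            raise LookupError("%s from %s for %s/%s" % (rcode, server, qname, qtype))
        raise LookupError("too many referrals for %s" % qname)

def demo():
    """Walk the slides' scenario; returns what each step needed."""
    r = CachingResolver("a.root.test.")
    www = r.resolve("www.example.org.")       # empty cache: root -> org -> example.org
    n1 = len(r.log)
    mail = r.resolve("mail.example.org.")     # example.org NS set cached: one query
    n2 = len(r.log) - n1
    r.advance(400)                            # A records (TTL 300) expire, NS set (86400) does not
    r.resolve("www.example.org.")
    n3 = len(r.log) - n1 - n2
    try:
        r.resolve("www.lame.org.")
        lame = None
    except LookupError as err:
        lame = str(err)
    return {"www": www, "mail": mail, "queries": (n1, n2, n3), "log": list(r.log), "lame": lame}
```

Running demo() reproduces the two slide examples: the first lookup costs three queries (root, org, example.org), the second name in the same zone costs one because the NS set is cached, and after the A record's 300-second TTL has passed only the final server is asked again. The lame.org lookup ends with LAME from ns1.example.org: exactly what `dig +norec` against each server in the chain reveals when a delegation points at a server that is not authoritative for the zone.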
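For the Friday afternoon items on zone data files, $TTL, the SOA record and the master/slave named.conf configurations, an added example that is not part of the workshop materials: a minimal master zone file and the matching named.conf fragments for BIND 9 as shipped with Red Hat 9. example.org and the .example name are reserved for documentation, and the 192.0.2.0/24 and 203.0.113.0/24 addresses are documentation ranges; all are constructed here.

```conf
; /var/named/example.org.zone -- master zone data (addresses constructed)
$TTL 86400                     ; default TTL for records that give none (RFC 2308)
@   IN  SOA ns1.example.org. hostmaster.example.org. (
            2004030101 ; serial, YYYYMMDDnn: raise it on EVERY change, or slaves never transfer
            3600       ; refresh: how often slaves check the serial
            900        ; retry: interval after a failed refresh
            1209600    ; expire: slaves stop answering after 2 weeks without the master
            3600 )     ; negative-caching TTL for NXDOMAIN answers (RFC 2308)
    IN  NS  ns1.example.org.
    IN  NS  ns2.offsite-isp.example.   ; secondary on another network (RFC 2182)
    IN  MX  10 mail.example.org.
ns1  IN  A   192.0.2.53
www  IN  A   192.0.2.80
mail IN  A   192.0.2.25

// /etc/named.conf on the master (authoritative-only server)
options {
    directory "/var/named";
    allow-transfer { 203.0.113.53; };   // only the slave may copy the zone
    recursion no;                        // do not mix caching and authoritative roles (problem 6)
};
zone "example.org" IN {
    type master;
    file "example.org.zone";
    notify yes;                          // tell the slave when the serial changes
};

// /etc/named.conf on the slave (zone file path must be writable by named)
zone "example.org" IN {
    type slave;
    masters { 192.0.2.53; };
    file "slaves/example.org.zone";
};
```

The two errors this layout guards against are the ones students hit most: a serial that was not raised, so the slave keeps old data until `expire`, and a secondary on the same network or power feed as the master, which RFC 2182 warns leaves the zone with a single point of failure. After `rndc reload` on the master, `dig @192.0.2.53 example.org SOA +norec` and the same query against the slave should show identical serials.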