08:45-10:45 First session
10:45-11:00 Tea
11:00-13:00 Second session
13:00-14:00 Lunch
14:00-16:00 Third session
16:00-16:15 Tea/Coffee
16:15-18:15 Fourth session
19:30-21:00 Evening session
SANOG IV OPEN SOURCE IP SERVICES WORKSHOP
Dates: July 23 to July 27, 2004 (Friday to Tuesday)
Location: Kathmandu, Nepal (Radisson Hotel)
Organizers: South Asian Network Operators Group (SANOG) and
The Network Startup Resource Center (NSRC)
Primary Instructors: Hervey Allen, NSRC, Track Leader
Joe Abley, ISC, NSRC, Volunteer
Philip Hazel, University of Cambridge, NSRC, Volunteer
COURSE OUTLINE
FRIDAY: DAY 1, JULY 23
MORNING (HA)
------------
* Course Introduction and setup (30-45 minutes)
* Introduction to Linux: (until 16:00)
* Determination of class experience-level.
* Based on experience-level topics may include:
- Create accounts, remove accounts
- Discussion /etc/passwd, /etc/group, /etc/shadow
- Filesystem commands (cp, ls, cd, rm)
- Use of basic editor, such as vi.
- Use of 'su' command for root, and /etc/sudoers
- Retrieve RPM packages using FTP and install
- Be able to shutdown and restart server. Discussion of
init levels.
- Discussion of /etc/ and /etc/rc.d/init.d/
- If time is available, free time for practice with
instructor help.
- Linux discussion of partitioning and options -
/etc/mtab, /dev
- Discussion of Linux services and how to tell what is
running.
- Hands-on configuration of services (chkconfig).
- Starting and stopping of services.
- Discuss /etc/rc.d, /etc/sysconfig, /proc
- Hands-on configuration changes to
/etc/sysconfig/network-scripts
- Discuss /etc/crontab and practice command use.
- First mention of firewalls
- Gnome vs. KDE and XWindows. What they are. Not needed
on a server.
- Logs and where they reside. Hands on viewing of logs.
Note: /etc/syslog.conf
AFTERNOON (HA/JA)
* Continuation of Linux Introductory materials.
* Basic IP and Networking Concepts (JA) TBA
* Packets and Protocols
Introduce the core concepts of how data is packaged
using IP packets.
In general terms we will discuss:
- Physical layer
- Ethernet
- IP Packet design
- IP (Layers)
- TCP/UDP/ICMP
- Sequencing
In addition, topics include: the protocol stack, hop by
hop forwarding, IP addresses, netmasks, CIDR prefix
notation, ethernet ARP, binary arithmetic.
* Students will be able to:
- recognise the ISO OSI seven-layer model
- understand the relationship between the TCP/IP model
and the ISO model
- describe the unifying effect of the network layer
- describe how IP addresses are constructed: network
part, host part
- understand old classful networking terminology:
class A, B, C
- understand modern classless networking terminology:
CIDR, prefix length, VLSM
- convert between prefix length and netmask notation
- identify network and broadcast addresses
- find lowest/highest possible IP address in a prefix
- subdivide prefixes
- understand the concepts of subnetting and
supernetting
- distinguish between different network types:
broadcast, point-to-point, NBMA
- explain the purpose of ARP
- describe the forwarding process and `longest match'
rules
EVENING SESSION (If Needed) (JA)
* Additional Basic IP Networking Concepts Practice
SATURDAY: DAY 2
MORNING (HA)
------------
* Server-side security
* Physical security.
* Firewalls don't protect from internal attacks.
* Account restrictions. Secure passwords.
* Run only the services you need. Some services not to run.
* Service-level security
- tcpwrappers
- /etc/hosts.deny and /etc/hosts.allow (old)
- /etc/xinetd.d/* (new)
* Internal only services (NFS as an example)
- Students will check services.
- Students will reconfigure a service not to run.
* Policies of encrypted-only username/password transactions
for:
- Email (POP and IMAP)
- Web (HTTPS)
- Shell (SSH)
- File transfers (SCP)
* Patching and security updates. Available mailing lists.
- Apply a patch.
* Intrusion detection/System integrity checking
- Should be applied _before_ connecting to network.
- Show Tripwire, AIDE, Snort projects.
* Buffer overflow attacks
- Install or discuss libsafe. Note 'cal' issue.
* Logging and syslogd.
- Edit and review syslog.conf
- Review logs and have students practice 'tail -f',
messages sent to root, and discuss possible logging
programs.
* Backups: presentation of approaches to backing up based on
server.
- discuss and use tar command
- Use tar to create tar.gz file from a directory with
multiple files. Use tar to decompress and expand the
file. Note zip as well.
AFTERNOON (HA)
* Server security and services continued:
* Encryption basics. Public and Private key encryption.
Digital Certificates.
* Install Apache+mod_ssl
- Generate local certificate
- Configure /etc/httpd/conf.d/httpd.conf as needed.
- Restart apache and connect to port 443 (firewall
issue)
* SSH presentation and exercise
- known_hosts files and authorization
- Password challenge authentication
- RSA/DSA Private/Public Key generation
- Public/Private Key use with SSH
- Using tunnels with SSH
SUNDAY: DAY 3
------
* DNS JA
- Purpose of Naming
- Names and Addresses, History of Naming
- DNS Structure: namespace, nameservers, resolvers
- Properties of the DNS
- The DNS Namespace: domains, zones
- Zones, Delegation
- Name Servers: authority servers, recursive resolvers
- Introduction to Resource Records, Zone Files
- Installing BIND 9 and setting up RNDC (with exercise)
- Building a BIND 9 Recursive Resolver (with exercise)
- Configuring Zone Files
- Practice with Zone Files (exercise)
- Using DIG (exercise)
- Restricting Zone Transfers
- TSIG
- Practice with Zone Transfers (exercise)
- Brief Overview of DNSSEC
SUNDAY EVENING SESSION
----------------------
DNS exercises if needed JA
MONDAY: DAY 4
MORNING (PH)
------------
* Mail/Exim
* Topics covered in this section
- Introduction to Internet Mail
+ Mail agents - MUA and MTA
+ Message format
+ Authentication
+ SMTP - Message in transit
+ Use of DNS for email
+ Delivering a message
+ Relay control
+ Policy control on email
- Installation of Exim and basic tests
AFTERNOON (PH)
* Mail/Exim cont.
- Exim Routers and Transports configuration
+ Configuration file
+ Changing runtime configuration
+ Configuration file sections
+ Default configuration file layout
+ Common global options
+ Exim 4 routing
+ Simple routing configuration
+ Default routers
+ Default transports
+ Routing to smarthosts
+ Virtual domains
+ Access control lists
+ Good and bad relaying
+ Message filtering
+ Large installations
+ Separating mail functions
- Modify routing practical exercises
TUESDAY: DAY 5
MORNING (PH)
------------
* Mail/Exim cont.
* Access Control Lists
* Setting up a relaying host practical exercises
AFTERNOON (HA/PH)
* POP, IMAP and Web email servers
* POP3/Mail Materials
- Mailserver scalability
+ Linear password files
+ Linear mbox files
+ Too many files in one directory
+ CPU limits
+ Disk performance
+ Keep your SMTP (smarthost) and POP3 services
separate
- Maildir and qmail-pop3d practical exercises
+ Reconfigure exim for Maildir delivery
- Courier practical exercises
+ Install courier-imap
+ Configure the daemons
+ Start the daemons
+ pop3 and imap over SSL
* POP, IMAP and Web email servers
* Sqwebmail practical exercises completion
* Final exam
* Course conclusion and certificate handout (JA/HA/PH)
Last update July 27, 11:30 am NPT