Firewall Wizards mailing list archives

RE: Teaching Firewalls (was: Firewall for Pedagogical Purposes)


From: John McDermott <jjm () jkintl com>
Date: Tue, 13 Jan 98 09:12:14

Chuck and Neil,

I wrote and teach a firewalls class for a large worldwide training company. 

I follow Chuck's suggestions fairly closely with some minor changes:

--- On Mon, 12 Jan 1998 11:59:05 -0500 (EST)  chuck+fwwiz () snew com wrote:

Okay, a new thread.  Comments?


Never used Juno.  Remember that the TIS FWTK is a toolkit - not a
firewall, but a set of proxies that go onto a secure machine.
Adding it to an unsecure machine means you have an unsecure machine
running (secure) proxies.

If you use the FWTK you'd probably have to require the attendees to know 
some programming.  It is, as Chuck says, a toolkit.

I've looked at Juniper and that may be the way to go, depending on your 
audience.  I have friends who use it as the basis for a commercial product 
and like it very much.

We chose to use Gauntlet for NT because 1) it runs on NT and the 
marketplace seems to like NT (for some reason :-), and 2) it is a popular 
commercial product, and it uses proxies.


For teaching, I'd think it far more important to teach (just an
off the cuff list):
- TCP/IP and how it works

We require this as background as our course is only four days.  We do 
review some TCP and UDP essentials.

- Filtering techniques (and why);

This is very important.  Our attendees write filters for Cisco routers.

- Various (common) protocols and their weaknesses and strengths.

This is very important, too.  I will be adding more protocols in the next 
revision of the course, with more discussion of why a business wants each 
and what the dangers might be.

- Monitoring techniques (with IP security issues in mind)

==> answering "Why can't I use this UDP application through the FW?"
==> answering "Why do I need a machine inside to handle my mail users?"
==> answering "What risks does running MS Exchange through the
              firewall to my sales people pose?"
==> answering "How can I tell if I've been broken into?"
==> answering "Am I being attacked or is there just a broken server
              out there?"

These are also all good.  Answering "What do I do if I've been broken into 
(or think I have)?" is also important.


Then, perhaps, teach the OS of choice and how to shut services down,
how to monitor the machine (securely), how to build/configure
kernels, etc.

Time constrains us to doing just auditing, probing and some basic 
configuration.  The limitation is largely because we do some UN*X and some 
NT in the same course.  In fact, attendees choose their OS for most of the 
hands-on exercises. The company offers separate classes in Web, UNIX and NT 
security to do the OS specific stuff.


I offer this because I have cleaned up firewalls set up by "trained"
people who shouldn't pass a CNE test, who shouldn't be an SA.  To
design/run a firewall, using current technology and techniques, one
must understand the protocols used, the applications (and what
protocols they use and how they are vulnerable), proxies and
filtering philosophies, and secure programming.

I agree 100%.  Just being able to use the GUI of xxx firewall is not 
enough. One should understand the different types of firewall architectures 
(e.g. how stateful filters and proxies differ) and what they do.


If they can BUILD a firewall, then they can buy (a good) one and
configure/run it.  If they can't build one, and don't understand the
issues, then they tend to not know why allowing "nfs" through the FW
is bad - let alone argue against it to management.

This is soooo true.


chuck
chuck () snew com

--john


It is claimed, but unverified, that neil d. quiogue wrote:
[...]
I'm not sure if this has been asked before.  But does anyone know of a
_good_ firewall for teaching purposes?  It should be cost-effective since
it's worthless to buy an expensive firewall for that purpose (or is it?).

The Juniper fwtk, for example, has a license that is free for teaching
purposes.  I forgot about the TIS fwtk license but I believe it has the
same line of thought.



-----------------End of Original Message-----------------

-------------------------------------
Name: John McDermott
VOICE: 505/377-6293 FAX 505/377-6313
E-mail: John McDermott <jjm () jkintl com>
Writer and Computer Consultant
Author of Learning Tree International courses on Security and Firewalls
-------------------------------------