Information Security News mailing list archives

A review of SANS 2001


From: InfoSec News <isn () c4i org>
Date: Mon, 18 Jun 2001 12:26:43 -0500 (CDT)

UNIX SECURITY --- June 14, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
______________________________________________________________________

Getting Back to Basics: SANS 2001
By Carole Fennelly

To be honest, I haven't attended a SANS conference
(http://www.sans.org) since 1998 when I walked out of almost every
talk with the impression that the presenters should update their
material.  The last straw came when a presenter patronizingly
suggested I attend the tutorials after I disagreed with his solution
of securing a Web server by sticking a firewall in front of it. Yes, I
know what a firewall is, but I also know that they are not the answer
to every security requirement.

Things change, and I was given an opportunity to re-evaluate SANS by
way of a free pass to the conference held in Baltimore this past May,
courtesy of Alan Paller (http://www.sans.org/SANS2001.htm). According
to Alan:

    "SANS exists to enable technologists to learn from the top rated 
     teacher/practitioners in their fields -- people with front-line, 
     real world experience. There are a lot of great practitioners who 
     are not very good at teaching and there are hundreds of good 
     teachers who do not have the front-line experience to answer 
     questions well." 

Does SANS meet this goal? I drove down to Baltimore to find out.

I wanted to attend tutorials at will to get a better over-all feel for
the conference but registering for Track 4, "Advanced Incident
Handling and Hacker Exploits", restricted me to tutorials for that
track alone.  The course materials were comprehensive and very
detailed. In fact, the course materials seemed to be all that I would
need to learn about the few tools I wasn't already familiar with.
While it would have been worthwhile to sit through the tutorials for
the side comments and extra insights from presenters Eric Cole and
Edward Skoudis, I opted to check out the rest of the conference
instead.

I wanted to attend Marty Roesch's tutorial on Snort
(http://www.sourcefire.com), an Open Source Intrusion Detection
package. I found this to be a very useful tutorial for anyone
interested in Intrusion Detection Systems, not just Snort. Especially
effective was the screen showing real-time details of building and
using the package. More detail than I really needed, but I've been
building and using software packages for about 20 years. I wish
tutorials like this were available when I started in Unix.

I skipped the afternoon session of Snort to check out a presentation
hosted by Network Computing magazine at the Sheraton, "Network
Computing Challenge: Securing Your eBusiness"  
(http://www.networkcomputing.com/events/june_challenge.html).

This presentation was open to anyone, though targeted at IT managers.
I expected a 50,000-foot view of security and only went to finally
meet the guys from Neohapsis (http://www.neohapsis.com) who were
presenting.  Jeff Forristal did a great job explaining the hazards of
wireless networks to an audience that really needed to hear it.
Although I interviewed Jeff for an article I wrote on wireless
(http://www-106.ibm.com/developerworks/wireless/library/wi-sec.html),
I learned something from his presentation and picked up another good
resource for wireless networking, the "Wildpackets" site
(http://www.wildpackets.com).

Wednesday's Technical Conference kicked off with a keynote address by
Gopal Kapur of the Center for Project Management titled "Management's
Seven Deadly Sins". Keynote addresses are usually good and this was no
exception. Management mistakes are often a source of humor, such as
Scott Adams' popular Dilbert comic strip, and Gopal kept the audience
entertained as well as informed with examples that everyone could
relate to. While Gopal offered many useful suggestions to fix
management mistakes, the average techie usually is not positioned to
affect management changes. I couldn't help feeling that Gopal was
preaching to the choir.

For me, the most important aspect of a conference is the social
interaction with other people in the field. I've learned more talking
to people in hallways or at the bar than in any tutorial. Based on my
previous experiences, I didn't expect too much social interaction at
SANS. I was pleasantly surprised.

The vendor floor had a great turnout and included the IDNet
Demonstration Network for attendees to test their hacking skills and
observe intrusion detection systems responses. This became the
gathering spot for some of the top people in the information security
field attending the conference. As many discussions initiated there
continued over lunch or into the evening outings, it occurred to me
that getting these talented people together and adding alcohol could
be very dangerous!

I only caught the last 15 minutes of Simple Nomad's "Stealth
Communications Across Networks" presentation, and was told by the door
monitor that I missed a "great talk". Based on the conversation I had
with Simple Nomad (http://www.nmrc.org/) over lunch, I can believe it.

The last official event I attended was one I always look forward to,
Rob Kolstad and Dan Klein's "Quiz Show" -- Jeopardy for Geeks. It's
always lots of fun and I give credit to anyone brave enough to get
onstage and be on the receiving end of Rob's good-natured abuse.

Overall, the conference was well worth attending, even though I did
not stick to the program. On the negative side, I felt "herded" and I
wasn't happy with the rigid restrictions to Tracks. With over 2000
attendees attending 100 classes in one week, this is understandable
but I still found it annoying.

Still, SANS is a great resource for the average person in the IT
field.  You won't see many new theories presented and that's fine;
plenty of other conferences exist for the more advanced audience and
we definitely need to educate the beginner to intermediate audience.
For more advanced security people, it's still worth attending for the
vendor floor and social interaction at the very least. As a colleague
who shall remain nameless put it, "SANS is good for people who are
confused at USENIX."

About the author(s)
-------------------
Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix
system administrator for almost 20 years on various platforms, and
provides security consultation to several financial institutions in
the New York City area. She is also a regular columnist for Unix
Insider (http://www.unixinsider.com). Visit her site
(http://www.wkeys.com/) or reach her at carole.fennelly () unixinsider com.
______________________________________________________________________




ISN is hosted by SecurityFocus.com