Penetration Testing mailing list archives

re: TCP/IP skills


From: "Scott Schappert 6270, QA" <SSCHAPPERT () balboa-instruments com>
Date: Thu, 08 Jul 2004 10:09:37 -0700

Don,

What a surprise to hear this so well articulated.  I have learned by 
self-teaching: TCP/IP theory and fundamentals of the traffic that allow 
the TCP/IP to function.  The "first-principles" that I always assumed 
anyone involved in even understanding how to launch an IPSEC policy HAD 
TO KNOW.  I know for myself, I would not have progressed to any of the 
NETSEC tools without having the skills to discriminate activity, and see 
if your theory is strong enough to meet the reality of what you are 
seeing as an output from a tool.  

I strongly recommend to anyone I know who expresses interest to take as 
much time as is required to gain a "working knowledge" and comfort to 
have intelligent discourse with another of the same discipline.  I wonder 
if a simple poll was taken with three basic questions of TCP/IP first 
principles, how many would pass / fail.

Many of the tools available freely are well constructed by knowledgeable 
folks.  The first real tool I used was Ethereal.  Talk about WOW.  To me, 
actually setting up the cap was a pleasure, and the output actually meant 
something; the relationship between the data packets, to me it was the 
theory in practical applications working for me, right in front of me, 
and, "I got it".  However, I could see someone relying on the tool to 
provide meaningful feedback, but how do you interpret, based on good 
science, something you cannot really discriminate, e.g. dissection of any 
given packet, to any degree of plausibility.

Some tools are very nice and intelligent, with dedicated purpose.  Not 
understanding the output on a skillset level is somewhat meaningless, 
less those who live in a controlled world.  The tools are quite a 
different story when you synergistically "bond" with the output, based on 
a good skill level.  It's bloody fun !

In this world, one remains a student of the comm protocols, the masters 
being few between.

Cheers for now !

S.S. 

This communication is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If the reader of this communication is not the intended recipient or the
employee or agent responsible for delivering the communication to the
intended recipient, you are hereby notified that any dissemination,
distribution, publication or copying of this communication is strictly
prohibited.  If you have received this communication in error, please
notify me immediately by return email or telephone (714-384-0384).  Thank
you.

On Tuesday, July 06, 2004  6:20 PM, Don Parker wrote:

Date: Tue, 6 Jul 2004 21:20:46 -0400 (EDT)
From: Don Parker
To: pen-test () securityfocus com, vuln-dev () securityfocus com
Subject: TCP/IP skills

Hello all, I just wanted to comment on what I see as a rather alarming trend in the
security industry today. More and more many are becoming reliant upon tools to do their
job whilst they ignore core components of their skillset. Specifically in this case an
in-depth knowledge of TCP/IP.

Knowing TCP/IP at a granular level in my opinion is very much a core skill that must be
attained by anyone who wishes to have a successful career in the network security
industry today. One cannot become adept by simply using tools, and never knowing how to
interpret the output by verifying the packets themselves.

It constantly amazes me when I teach a TCP/IP Analysis course that people who are
presently in the industry do not know of such basic TCP/IP concepts as the 3 way
handshake and how ICMP works. That or being able to wholly dissect a packet and explain
the relationships between various metrics.

I would be curious to hear of your opinions on this?

Cheers,

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.233.HACK
fax:613.233.1788
toll: 1-877-777-H8CK
--------------------------------------------
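The points Don raises (the 3 way handshake, how ICMP works, dissecting a packet by hand and relating its fields) are easier to make concrete in code than in prose. The following is an added example written for this archive page; it is not code from either poster. It builds a SYN, SYN/ACK, ACK exchange and an ICMP echo request from constructed bytes (RFC 5737 documentation addresses, arbitrary sequence numbers), dissects each packet field by field without a capture tool, verifies the IPv4 and ICMP checksums the way a dissector does, and checks the seq/ack relationships that tie the three handshake segments together. The TCP checksum is deliberately left at zero because computing it needs the pseudo-header, which is outside the point being shown.

```python
import struct

# Added illustration: the packets below are constructed in code, not captured
# from any real host, and the addresses are RFC 5737 documentation addresses.

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Wrap payload in a 20-byte IPv4 header carrying a valid header checksum."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0, s, d)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def tcp(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header; TCP checksum left 0 (no pseudo-header computed here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def icmp_echo(ident: int, seq: int, payload: bytes = b"abcdefgh") -> bytes:
    """ICMP echo request (type 8, code 0); its checksum covers the whole ICMP message."""
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def dissect(packet: bytes) -> dict:
    """Hand-dissect an IPv4 packet: IP fields, checksum check, then the TCP or ICMP layer."""
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    info = {
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)), "ttl": ttl, "proto": proto,
        # Summing the header with its checksum field in place yields 0 only if the header is intact.
        "ip_checksum_ok": checksum(packet[:ihl]) == 0,
    }
    body = packet[ihl:total_len]
    if proto == 6:
        sport, dport, seq, ack, off, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", body[:20])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, window=win,
                    flags=[n for bit, n in sorted(TCP_FLAGS.items()) if flags & bit],
                    payload=body[(off >> 4) * 4:])
    elif proto == 1:
        itype, icode, _icsum, ident, iseq = struct.unpack("!BBHHH", body[:8])
        info.update(icmp_type=itype, icmp_code=icode, ident=ident, seq=iseq,
                    icmp_checksum_ok=checksum(body) == 0, payload=body[8:])
    return info


def check_handshake(pkts) -> str:
    """Verify the seq/ack relationships that tie a SYN, SYN/ACK and ACK together."""
    a, b, c = (dissect(p) for p in pkts)
    m = 0xFFFFFFFF
    if a["flags"] != ["SYN"]:
        return "first segment is not a bare SYN"
    if b["flags"] != ["SYN", "ACK"] or (b["dst"], b["dport"]) != (a["src"], a["sport"]):
        return "second segment is not a SYN/ACK back to the client"
    if b["ack"] != (a["seq"] + 1) & m:
        return "SYN/ACK does not acknowledge client ISN+1"
    if c["flags"] != ["ACK"] or c["seq"] != (a["seq"] + 1) & m:
        return "third segment is not the client's ACK with seq ISN+1"
    if c["ack"] != (b["seq"] + 1) & m:
        return "final ACK does not acknowledge server ISN+1"
    return "complete"


CLIENT, SERVER = "192.0.2.10", "192.0.2.20"
HANDSHAKE = [
    ipv4(CLIENT, SERVER, 6, tcp(40000, 80, 1000, 0, 0x02)),      # SYN, client ISN 1000
    ipv4(SERVER, CLIENT, 6, tcp(80, 40000, 5000, 1001, 0x12)),   # SYN/ACK, server ISN 5000
    ipv4(CLIENT, SERVER, 6, tcp(40000, 80, 1001, 5001, 0x10)),   # ACK, acknowledges 5001
]
PING = ipv4(CLIENT, SERVER, 1, icmp_echo(0x4242, 1))

if __name__ == "__main__":
    for p in HANDSHAKE + [PING]:
        print(dissect(p))
    print("handshake:", check_handshake(HANDSHAKE))
```

Flip one bit of the TTL in any of these packets and the IP checksum check fails while every other field still parses, which is exactly the kind of relationship between fields that a tool will show but only a reader who knows the header can explain; likewise, change the ack number of the final ACK and the three segments still look like a handshake individually but no longer form one.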


