In chess, everything is laid out in front of you. Nothing is hidden. The outcome depends solely on your skill. No cards are hidden. You can’t be dealt a bad hand. No dice can give you snake eyes or boxcars.
When looking at network traffic, packets give you a chess player's view. It is all there in front of you, whether you are troubleshooting problems or looking for what the bad guy did. That doesn’t make it easy, of course. Your skill and knowledge determine how much you can do, especially against a stronger opponent.
Of course, encrypted traffic is different. Then it becomes more like poker. Much of what you would like to know is hidden. As the game goes on, you can get clues about what is hidden, but you cannot know for certain what is there.
To be more precise, looking at encrypted traffic is more like playing stud poker than draw. In draw poker, all cards are hidden. In stud, some are dealt face up, so you always know something about the hands on the other side. Network packets always show their headers. These are the cards you can see. Pulled together into session data, they give you a solid basis for analyzing what is going on. This makes reading packets an important skill for network administration and an essential skill for network defense.
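As an added illustration, not part of the original post, here is a small Python script that folds packet-header records into per-session records, the view you keep even when every payload is encrypted. The packet list, its field layout, and the session fields are constructed for this example.

```python
from dataclasses import dataclass

# Constructed sample packet headers, as a capture tool would show them with the
# payload encrypted: (timestamp, src_ip, src_port, dst_ip, dst_port, proto, length, tcp_flags)
PACKETS = [
    (0.000, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp", 74, "S"),
    (0.020, "203.0.113.10", 443, "10.0.0.5", 51234, "tcp", 74, "SA"),
    (0.021, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp", 66, "A"),
    (0.030, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp", 583, "PA"),   # ClientHello-sized record
    (0.055, "203.0.113.10", 443, "10.0.0.5", 51234, "tcp", 1514, "A"),
    (0.056, "203.0.113.10", 443, "10.0.0.5", 51234, "tcp", 1200, "PA"),
    (0.100, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp", 66, "A"),
    (1.500, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp", 66, "FA"),
    (0.500, "10.0.0.5", 40000, "192.0.2.53", 53, "udp", 70, ""),
    (0.510, "192.0.2.53", 53, "10.0.0.5", 40000, "udp", 150, ""),
]

@dataclass
class Session:
    """One bidirectional conversation built purely from header fields."""
    first: float
    last: float
    initiator: tuple          # (ip, port) of whoever sent the first packet we saw
    pkts: int = 0
    bytes_fwd: int = 0        # initiator -> responder
    bytes_rev: int = 0        # responder -> initiator
    syn_seen: bool = False    # a bare SYN means we saw the handshake start
    fin_seen: bool = False    # a FIN means the session closed cleanly

    def duration(self):
        return self.last - self.first

def session_key(src, sport, dst, dport, proto):
    """Normalize the 5-tuple so both directions map to the same session."""
    a, b = (src, sport), (dst, dport)
    return (proto, *min(a, b), *max(a, b))

def build_sessions(packets):
    """Aggregate header records into sessions, processing packets in time order."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, length, flags in sorted(packets):
        key = session_key(src, sport, dst, dport, proto)
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = Session(first=ts, last=ts, initiator=(src, sport))
        s.last = max(s.last, ts)
        s.pkts += 1
        if (src, sport) == s.initiator:
            s.bytes_fwd += length
        else:
            s.bytes_rev += length
        s.syn_seen |= ("S" in flags and "A" not in flags)
        s.fin_seen |= ("F" in flags)
    return sessions
```

Byte counts per direction, handshake and teardown flags, and duration are all recovered without reading a single payload byte.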
[Here comes the commercial part.]
For that reason, my favorite security course is SANS Security 503. It also happens to be one of the best courses SANS has put together. That is why I am teaching it in the SANS Mentor format this spring. The course will meet in Rockville, MD, each Wednesday beginning April 13.
In addition to reading packets you will learn about intrusion detection using Snort and Bro. As you might expect from a SANS course, there will be plenty of hands-on work, so you will come out knowing that you can actually do it.
You can find more information about it at https://www.sans.org/mentor/class/sec503-rockville-13apr2016-james-voorhees.
If you are in the DC area, I hope you’ll sign up.