Monday Tutorials:

Firewalls: High Performance, High Availability, High Security

Course Director:
Norm Laudermilch
Uunet Technologies, Inc.

Course Objective:
This tutorial will briefly cover the philosophies of firewalls, and then move into a discussion on building firewalls for mission critical operations. More and more organizations are relying on Internet and external connectivity for their mission critical applications, and the firewalls that protect those connections needed for a higher level of performance and reliability. There are difficult problems associated with building reliable firewalls that support speeds of 45 Mbit/sec and up, and this tutorial addresses many of them. Also presented will be discussions of which operating systems to use (UNIX, NT, etc.), which hardware to use (PC hardware, UNIX workstations, etc.), and what services to allow and deny. This tutorial will require a basic knowledge of firewall technologies and architectures, UNIX, TCP/IP networking, and a general understanding of the vulnerabilities of common Internet protocols. While brief discussions on these topics will be presented to support the tutorial material, there will not be in-depth training on any of these subjects.

Course Outline:
1. Introduction
2. Philosophies/Background

• Firewall architectures
• Services available
• Allowing and disallowing services
• Dealing with bogus requirements

• How to plan them
• How to build them
• How to test them
• How to maintain them
• How to expand them

Course Directors:
Brian Tetrick and David Klur
Deloitte & Touche

Course Objective:
This tutorial describes the role of security and reliability in successful applications of electronic commerce, and explains some of the key challenges faced in establishing and maintaining secure and reliable electronic business processes.

Course Outline:
1. Introduction
2. Security and Reliability Play Critical Roles
3. The Secure and Reliable Electronic Commerce Infrastructure
4. Security and Reliability in Electronic Commerce Applications
5. Case Studies and Their Overall Security Approaches

A Full Day Tutorial, 8:30 am Monday, December 8, 1997, Registration Code: M3

Course Director:
Aaron Cohen
JOTA System Security Consultants

Course Objective:
In the beginning assurance was simple. The Orange book (TCSEC) specified what assurance was in terms of pre-defined packages (C1, C2, B1, B2, B3, and A1) and the yellow book instructed users on how much assurance was needed. With the rise of alternate assurance methodologies and the release of the Common Criteria (CC), this is no longer the case. The CC does not contain absolute assurance packages as in the TCSEC and claims to envelop developmental assurance. This tutorial will examine the CC assurance structure and the ability to roll your own assurance as well as the fundamental differences between alternate assurance and evaluation assurance. Alternate assurance methodologies (SSE-CMM, TCMM, ISO 9000, and X/OPEN) will be compared to the CC to investigate how alternate assurance may be used to shorten the evaluation schedule and possibly replace evaluations. In addition, the CC will be examined to see where and how alternate assurance fits in and how the CC can become an assurance framework. The tutorial will end with a review of some of the ongoing assurance activities such as the assurance framework by WITAT, AAWG, and ISO.

Course Outline:
1. What is assurance?
2. Assurance types
3. An assurance framework
4. Introduction to some alternate assurance methodologies
5. Comparison of alternate assurance and evaluation assurance
6. Can alternate assurance methodologies replace evaluations?
7. Ongoing assurance activities

A Full Day Tutorial, 8:30 AM, Tuesday, December 9, 1997, Registration Code: T4

Course Director:
Dr. Rolf Oppliger
Swiss Federal Office of Information Technology and Systems (BFI)

Course Objective:
There are several security technologies available today that can be used to provide Internet and intranet security. In particular, there are firewalls to provide access control services and cryptographic protocols to provide communication security services, such as authentication, data confidentiality, data integrity, and non-repudiation services. In fact, there are many cryptographic protocols that have been developed, proposed, and partly implemented to provide security services at the Internet, transport, and application layer. The aim of this tutorial is to overview the various security technologies that are available today to secure TCP/IP-based networks, and discuss their advantages and disadvantages with regard to their deployment within the Internet or corporate intranets. The tutorial is organized as follows:

Course Outline:
1. Fundamentals
2. Access Control
3. Communications Security
4. Discussion