re: TCP/IP skills

From: Scott Schappert 6270, QA (SSCHAPPERT@balboa-instruments.com)
Date: Thu Jul 08 2004 - 13:09:37 EDT


Don,

What a surprise to hear this so well articulated. I have learned by
self-teaching: TCP/IP theory and the fundamentals of the traffic that allow
TCP/IP to function. The "first principles" that I always assumed
anyone involved in even understanding how to launch an IPSEC policy HAD
TO KNOW. I know for myself, I would not have progressed to any of the
NETSEC tools without having the skills to discriminate activity, and see
if your theory is strong enough to meet the reality of what you are
seeing as an output from a tool.

I strongly recommend to anyone I know who expresses interest to take as
much time as is required to gain a "working knowledge" and comfort to
have intelligent discourse with another of the same discipline. I wonder
if a simple poll was taken with three basic questions of TCP/IP first
principles, how many would pass / fail.

Many of the tools available freely are well constructed by knowledgeable
folks. The first real tool I used was Ethereal. Talk about WOW. To me,
actually setting up the cap was a pleasure, and the output actually meant
something: the relationship between the data packets. To me it was the
theory in practical applications working for me, right in front of me,
and "I got it". However, I could see someone relying on the tool to
provide meaningful feedback, but how do you interpret, based on good
science, something you cannot really discriminate, e.g., dissection of any
given packet, to any degree of plausibility?

Some tools are very nice and intelligent, with dedicated purpose. Not
understanding the output on a skillset level is somewhat meaningless,
less those who live in a controlled world. The tools are quite a
different story when you synergistically "bond" with the output, based on
a good skill level. It's bloody fun!

In this world, one remains a student of the comm protocols, the masters
being few between.

Cheers for now!

S.S.

This communication is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If the reader of this communication is not the intended recipient or the
employee or agent responsible for delivering the communication to the
intended recipient, you are hereby notified that any dissemination,
distribution, publication or copying of this communication is strictly
prohibited. If you have received this communication in error, please
notify me immediately by return email or telephone (714-384-0384). Thank
you.

On Tuesday, July 06, 2004 6:20 PM, Don Parker wrote:
>
>Date: Tue, 6 Jul 2004 21:20:46 -0400 (EDT)
>From: Don Parker
>To: pen-test@securityfocus.com, vuln-dev@securityfocus.com
>Subject: TCP/IP skills
>
>Hello all, I just wanted to comment on what I see as a rather alarming trend in the
>security industry today. More and more, many are becoming reliant upon tools to do their
>job whilst they ignore core components of their skillset. Specifically in this case an
>in-depth knowledge of TCP/IP.
>
>Knowing TCP/IP at a granular level in my opinion is very much a core skill that must be
>attained by anyone who wishes to have a successful career in the network security
>industry today. One cannot become adept by simply using tools, and never knowing how to
>interpret the output by verifying the packets themselves.
>
>It constantly amazes me when I teach a TCP/IP Analysis course that people who are
>presently in the industry do not know of such basic TCP/IP concepts as the 3-way
>handshake and how ICMP works. That or being able to wholly dissect a packet and explain
>the relationships between various metrics.
>
>I would be curious to hear of your opinions on this?
>
>Cheers,
>
>Don
>
>-------------------------------------------
>Don Parker, GCIA
>Intrusion Detection Specialist
>Rigel Kent Security & Advisory Services Inc
>www.rigelksecurity.com
>ph :613.233.HACK
>fax:613.233.1788
>toll: 1-877-777-H8CK
>--------------------------------------------
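The "first principles" both messages are getting at (dissecting a packet by hand, the relationships between its fields, and the 3-way handshake), as an added example that is not part of either message: a small Python dissector that parses the IPv4 and TCP headers from raw bytes, recomputes both checksums (the IPv4 header checksum, and the TCP checksum over the pseudo-header plus segment), and then decides whether three segments really form a handshake by checking that each acknowledgement number equals the peer's initial sequence number plus one, rather than looking at the SYN and ACK bits alone. The packets are constructed inline; the addresses (RFC 5737 documentation ranges), ports, sequence numbers and TTL are assumptions, not data from the thread, and the code handles only 20-byte headers with no IP or TCP options. A corrupted copy of one packet is included to show which of the two checksums catches a flipped byte.

```python
"""Added example (not from the thread): dissect IPv4/TCP by hand and check the
three-way handshake by its sequence/acknowledgement arithmetic. Stdlib only;
20-byte headers, no IP or TCP options. Addresses, ports and ISNs are made up."""
import struct
from typing import Dict, List

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded and inverted.
    Over data that already contains a correct checksum field it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                     flags: List[str], payload: bytes = b"") -> bytes:
    """Assemble IPv4 + TCP with both checksums filled in (constructed test data)."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    bits = sum(TCP_FLAGS[f] for f in flags)
    # sport, dport, seq, ack, data offset (5 words), flags, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, proto 6, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def dissect(packet: bytes) -> Dict:
    """Parse the two headers and verify that the fields agree with each other."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src_b, dst_b = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    if total_len != len(packet):
        raise ValueError("IP total length %d but %d bytes present" % (total_len, len(packet)))
    tcp = packet[ihl:total_len]
    sport, dport, seq, ack, off, bits, window, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "src": ".".join(map(str, src_b)), "dst": ".".join(map(str, dst_b)), "ttl": ttl,
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,     # header incl. its checksum sums to 0
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": [name for name, bit in TCP_FLAGS.items() if bits & bit],
        "tcp_checksum_ok": inet_checksum(pseudo + tcp) == 0,    # TCP checksum covers the pseudo-header
        "payload": tcp[(off >> 4) * 4:],
    }


def classify_handshake(packets: List[bytes]) -> List[str]:
    """Label segments SYN / SYN-ACK / ACK only if the numbers chain: each ACK must
    equal the peer's ISN + 1. Flag bits alone do not make a handshake."""
    labels, client_isn, server_isn = [], None, None
    for s in (dissect(p) for p in packets):
        f = set(s["flags"])
        if not (s["ip_checksum_ok"] and s["tcp_checksum_ok"]):
            labels.append("BAD-CHECKSUM")
        elif f == {"SYN"}:
            client_isn = s["seq"]
            labels.append("SYN")
        elif f == {"SYN", "ACK"} and client_isn is not None and s["ack"] == client_isn + 1:
            server_isn = s["seq"]
            labels.append("SYN-ACK")
        elif f == {"ACK"} and server_isn is not None and s["ack"] == server_isn + 1 \
                and s["seq"] == client_isn + 1:
            labels.append("ACK")
        else:
            labels.append("OUT-OF-SEQUENCE")
    return labels


CLIENT, SERVER = "192.0.2.10", "198.51.100.20"      # constructed (RFC 5737 documentation ranges)
HANDSHAKE = [
    build_tcp_packet(CLIENT, SERVER, 40000, 80, 1000, 0, ["SYN"]),
    build_tcp_packet(SERVER, CLIENT, 80, 40000, 5000, 1001, ["SYN", "ACK"]),
    build_tcp_packet(CLIENT, SERVER, 40000, 80, 1001, 5001, ["ACK"]),
]


def corrupt(packet: bytes, offset: int) -> bytes:
    """Flip one byte without recomputing checksums (offset 8 is the IP TTL)."""
    b = bytearray(packet)
    b[offset] ^= 0xFF
    return bytes(b)


if __name__ == "__main__":
    for p, label in zip(HANDSHAKE, classify_handshake(HANDSHAKE)):
        d = dissect(p)
        print("%-7s %s:%d -> %s:%d seq=%d ack=%d flags=%s ip_ok=%s tcp_ok=%s" % (
            label, d["src"], d["sport"], d["dst"], d["dport"], d["seq"], d["ack"],
            "/".join(d["flags"]), d["ip_checksum_ok"], d["tcp_checksum_ok"]))
    print(classify_handshake([corrupt(HANDSHAKE[0], 8)]))      # TTL changed: IP checksum fails
```

Running it prints one line per segment with the parsed fields and both checksum verdicts, then shows that a changed TTL breaks only the IP header checksum while the TCP checksum still verifies (the TTL is not in the pseudo-header). That difference, and the requirement that the acknowledgement numbers chain rather than the SYN/ACK bits merely being set, is what a protocol analyser is doing for you when it flags a bad checksum or shows relative sequence numbers; seeing the arithmetic once makes the tool's output readable rather than just colourful.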



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:57 EDT