Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecGSEC Assignment Ver 1.3 7/5/2002 – Michael Galvin
First Line of Defence – Cisco Internet Router Configuration.
Abstract
s.
ht
One of the main areas that the SANS GSEC course teaches is the concept of ‘defence in
rig
depth’. The idea behind this is to protect your information assets from internal and
external compromise by deploying not one, but multiple layers of defence. In doing this,
ull
it makes it more difficult for the would be attacker to reach your valuable assets should
f
any one layer be compromised. The purpose of this paper is to give an example of a Cisco
ins
router configuration that can be used as the first layer of protection from external attack.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
The example organisation ACME, has single mail server and a small web site that
eta
contains static content. ACME consists of approx. 100 employees, all of which send and
rr
receive email and access the internet on a daily basis.
ho
ACME Network Diagram
A ut
5,
00
-2
00
20
te
tu
sti
In
NS
Diagram Source: Original by author.
SA
Hardware/Software Specification.
©
The following hardware and software was chosen for the ACME Internet/border router:
Cisco 2620
32k NVRAM
Key
8192kfingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Flash Memory
1 x Fast Ethernet interface
1 x BRI interface
Cisco IOS Version 12.1
© SANS Institute 2000 - 2005 Author retains full rights.Router Access.
In order to enquire on, or modify the router configuration, a connection to the device
s.
must be established. This can be achieved in a number of different ways, either by
ht
connecting directly to the serial port at the back of the router or using a telnet program to
rig
connect to the IP address of one of the router interfaces.
ull
Inputting Commands.
f
ins
The router configuration can be input or updated by manually typing the commands into
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
the Cisco command line interface (CLI) or by cutting and pasting the commands from a
eta
text file, or uploading them from a TFTP server.
rr
Commands entered into the CLI are used to input, update or enquire upon the routers
ho
status. The commands are applied globally to the router or to a specific router interface.
Document Conventions.
A ut
5,
The following conventions will be used within this document to show the command line
00
structure.
-2
- All router prompts will be shown in normal case.
00
- Commands will be shown in their long form in italics long version of command .
20
- An explanation on the command will be shown, along with the short form of the
command in brackets (short command).
te
tu
Command Line Basics
sti
Once a connection to the router has been established, you will be required to enter the
In
password to gain access:
NS
password: password supply the router password.
SA
If a valid password is entered, the command prompt with the name of the router will
©
appear:
acme_R2>
You fingerprint
Key are now connected to the 2F94
= AF19 FA27 router998D
in unprivileged
FDB5 DE3D or exec
F8B5mode.
06E4 This
A169mode
4E46allows
limited examination of the router:
acme_R2> show version display information about the
running software version. (sh
© SANS Institute 2000 - 2005 Author retains full rights.ver)
acme_R2> show memory display information about the
routers memory. (sh mem)
s.
To update the router configuration, you must be in privileged exec or enable mode:
ht
rig
acme_R2> enable enter privileged mode. (en)
acme_R2> password : password supply the privileged mode
ull
password.
f
ins
Once in enable mode, the router command prompt will change to the following:
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
eta
acme_R2#
rr
To configure the router from the command line, you must enter terminal configuration
ho
mode:
acme_R2# configure terminal
A ut enter terminal configuration
mode (conf t).
5,
00
The command prompt will change to allow input of global configuration commands:
-2
acme_R2(config)#
00
20
To configure specific interfaces on the router, enter the interface name at the global
configuration command prompt:
te
tu
acme_R2(config)# interface fast ethernet 0 interface Fast Ethernet 0 (int
sti
fast 0).
In
The command prompt will change to allow input of interface specific commands:
NS
acme_R2(config-if)#
SA
Once you have finished inputting your router configuration commands, you can exit to
©
the previous configuration level by typing ‘exit’ at the command prompt or to
exit configuration mode completely.
acme_R2(config-if)# exit exit to previous configuration
level
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
acme_R2(config)# ^Z exit configuration
mode completely .
The routers running configuration is now updated. If you are happy that this
© SANS Institute 2000 - 2005 Author retains full rights.configuration is correct, you may now copy the running configuration to the start up
configuration for use when the router is reloaded.
acme_R2# copy running startup copy running configuration to
s.
start up configuration (copy
ht
run start).
rig
acme_R2# destination filename(startup-config) specify the name of the
filename for the startup
ull
configuration or default
f
ins
Now that we have covered the basics of accessing the router and inputting global and
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
interface specific commands, we will move on to more the detailed security aspects that
eta
need to be addressed.
rr
Preventing Physical Access to the Router.
ho
ut
Preventing physical access to the router will stop unauthorised persons from connecting
locally to the console or aux port. As by default, no password is required for this type of
A
connection, an attacker could logon on and attempt to enter privileged mode to change
5,
any aspect of the router configuration.
00
To restrict physical access to the router, it is recommended that the router is kept in a
-2
secure area where access is monitored.
00
Setting Passwords and Restricting Access.
20
To prevent unauthorised login, strong encrypted passwords should be used for login and
te
privileged mode access.
tu
To prevent unauthorised remote access, telnet should be restricted to specific
sti
workstations on your trusted network and Cisco http server should be disabled.
In
The above can be achieved using the following commands:
NS
acme_R2> enable enter privileged mode (en).
SA
acme_R2> password : password supply the privileged mode
password.
©
acme_R2# configure terminal enter terminal configuration
mode (conf t).
acme_R2(config)#
Key service
fingerprint = AF19 password-encryption
FA27 MD5
2F94 998D FDB5 DE3D F8B5 06E4hashing on password.
A169 4E46
acme_R2(config)# enable secret password establish or change the
privileged mode password.
acme_R2(config)# access-list 1 permit my.net.2.150 permit telnet access
© SANS Institute 2000 - 2005 Author retains full rights.only from host
my.net.2.150.
acme_R2(config)# line vty 0 4 set the vty to apply the access-
list to.
s.
ht
acme_R2(config)# access-class 1 in apply access-list 1 inbound.
rig
acme_R2(config)# no ip http server disable http access.
full
ins
Unauthorised Access Banner.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
eta
It is recommend that a logon banner is enabled on the router to warn any unauthorised
rr
persons that they have connected to a proprietry device.
The banner should state that unauthorised access and configuration is not allowed and
ho
may be subject to prosecution. An example banner for ACME:
A ut
‘WARNING - You have logged on to an ACME proprietry device. If you are not
authorised to use this device, please log off immediately. Anyone found using this device
5,
for any unauthorised purpose may be subject to disciplinary action, and/or prosecution’
00
-2
To enable the banner, use the following command:
acme_R2(config)# banner login ^Cbanner text^C banner to display at logon.
00
20
Disable Unnecessary Services.
te
There are many services that are provided by the Cisco IOS that are not required or used
tu
in the ACME network scenario. The following services should be disabled to prevent the
sti
router from sending out information that may give a would be attacker clues as to the
topology of the local network, or enable the router to be compromised. In addition,
In
several known vulnerabilities exist which could be exploited by allowing access to these
NS
services/ports. Disabling unnecessary services will also prevent future as yet undiscovered
vulnerabilities with these services being exploited.
SA
acme_R2(config)# no service UDP-small-servers disable UDP ports echo,
©
chargen, snmp etc
acme_R2(config)# no service TCP-small-servers disable TCP ports echo,
discard, chargen etc
acme_R2(config)# no service finger disable finger service – could
be06E4
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 used A169
to provide
4E46router
information to outside.
acme_R2(config)# no cdp run disable Cisco Discovery
Protocol – prevents router
announcing information
© SANS Institute 2000 - 2005 Author retains full rights.about itself.
acme_R2(config)# no snmp-server disable SNMP
acme_R2(config)# no ip bootp server disable bootp
acme_R2(config)# no service dhcp disable dhcp
acme_R2(config)# no service pad disable packet
s.
assembler/disassembler
ht
acme_R2(config)# no ip classless disable classless forwarding
rig
acme_R2(config)# no ip direct-broadcast disable direct broadcast
possible DOS attack
ull
acme_R2(config)# no ip domain-lookup disable DNS queries
f
acme_R2(config)# no ip source route disable source routing
ins
acme_R2(config)# no ip redirects disable ICMP redirects
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
acme_R2(config)# no ip unreachables disable ICMP unreachables –
eta
prevents router from sending
rr
out network information.
ho
Access Control Lists.
A ut
One of the main security aspects that can be implemented on the router are Access
Control Lists (referred to in the rest of this document as ACL).
5,
ACLs are used to filter traffic in either direction on each router interface to which they are
00
applied. There are 2 types of ACL, Standard and Extended. Standard ACLs are used to
-2
permit or deny traffic from a specific source address, whereas, Extended IP ACLs allow
more flexibility as they can permit or deny traffic based on both source and destination
00
address, port and protocol.
20
Each ACL is given a number, the number ranges are predefined according to the type of
ACL and the protocol to which they apply. For example Standard IP ACLs number range
te
is 1-99 and 1300 to 1999, and Extended IP ACLs range is 100 to 199 and 2000 to 2699.
tu
sti
Standard ACL Command Specification
In
access-list access-list-number {permit | deny} source source-wildcard
NS
Extended ACL Command Specification
SA
access-list access-list-number {permit | deny} protocol source source-wildcard
©
destination destination-wildcard [eq [port]]
Rules that Apply to Access Control lists:
Therefingerprint
Key are a few =basic
AF19 rules
FA27that2F94
apply998D
to ACLs
FDB5: DE3D F8B5 06E4 A169 4E46
- ACLs are applied top down, therefore the most restrictive statements should be
first.
© SANS Institute 2000 - 2005 Author retains full rights.- Only one ACL is allowed for each protocol, on each interface, in either direction
to which it is applied.
- There is an implicit deny all at the end of each ACL, therefore, what is not
s.
explicitly allowed by the ACL is implicitly denied.
ht
rig
ACME Scenario
ull
f
In our scenario for ACME we are going to apply 2 types of filters using ACLs. The first
ins
Ingress filter, will be applied inbound on the external or internet facing interface of the
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
router. In the case of ACME this is the BRI0 interface. This filter will be used to block
eta
incoming traffic from any private, non-routable (RFC1918) address. It will also be used to
rr
block traffic destined for specific ports that are well known for malicious activity or
vulnerable services.
ho
ut
The second, Egress filter will be applied inbound on the internal interface (E0) of the
router. This will filter will be used to ensure that only ACMEs valid assigned address
A
space passes out onto the internet. This prevents any malicious (DDOS) or unauthorised
5,
traffic from being generated on the internal network and sent out.
00
-2
Both filters will use an extended IP Access Control List.
00
Ingress Filter
20
The Ingress filter that I will demonstrate is based on denying access to specific IP
te
addresses and ports as opposed to only allowing access to specific ports and services.
tu
sti
To create the access list first connect and logon to the router:
In
acme_R2> enable Enter privileged mode (en).
NS
acme_R2> password : password Supply the privileged mode
password.
SA
acme_R2# configure terminal enter terminal configuration
©
mode (conf t).
Once in terminal configuration mode, we can create our extended IP access list. As basis
for the Ingress filter, I will use the SANS top ten Cisco ACL blocking recommendations
plus fingerprint
Key additional blocking
= AF19 FA27that I 2F94
recommend for ACME.
998D FDB5 DE3DSee Appendix
F8B5 A for4E46
06E4 A169 the full list.
The first access list entry I will demonstrate will block access from any traffic originating
from one of the private (RFC1918) addresses, in this case the reserved class A network
range 10.0.0.0 – 10.255.255.255. These address ranges are reserved for use on internal
© SANS Institute 2000 - 2005 Author retains full rights.private networks, and therefore cannot come from outside of the ACME internal network.
acme_R2(config)# access-list 102 deny ip 10.0.0.0 0.255.255.255 any
The second access list entry I will demonstrate will block access to the telnet service,TCP
s.
and UDP port 23. Although useful, telnet poses a huge security threat as it allows remote
ht
command execution via a terminal window connected to the telnet server.
rig
acme_R2(config)# access-list 102 deny tcp 23
ull
acme_R2(config)# access-list 102 deny udp 23
f
ins
The third access list entry will allow incoming mail traffic to the ACME mail relay only on
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
port 25 (smtp) and incoming web traffic to the ACME web server only on port 80 (http).
eta
rr
acme_R2(config)# access-list 102 permit tcp any my.dmz.1.2 0.0.0.0 eq 25
acme_R2(config)# access-list 102 permit tcp any my.dmz.1.3 0.0.0.0 eq 80
ho
ut
Next we will apply the access-list inbound on the BRI0 interface:
A
acme_R2(config)# interface BRI0 interface BRI0 (int BRI0).
5,
acme_R2(config-if)# ip access-group 102 in apply the access list 102
00
inbound.
-2
acme_R2(config-if)# exit exit to previous configuration
00
level or
20
acme_R2(config)# ^Z exit configuration
mode completely .
te
tu
The filter is now applied to the running configuration and will come into effect
sti
immediately.
In
Egress Filter
NS
The Egress filter is based on the valid IP address range and mask that are assigned to
SA
ACME. It is simple to set up and apply:
©
To create the access list first connect and logon to the router:
acme_R2> enable enter privileged mode (en).
acme_R2> password : password supply the privileged mode
password.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
acme_R2# configure terminal enter terminal configuration
mode (conf t).
© SANS Institute 2000 - 2005 Author retains full rights.acme_R2(config)# access-list 101 permit ip my.ext.0.0 0.0.255.255 any
acme_R2(config)# access-list 101 deny ip any any
acme_R2(config)# interface fastethernet 0 interface fast ethernet 0 (int
fast 0).
s.
acme_R2(config-if)# ip access-group 101 in apply ACL 101
ht
inbound.
rig
acme_R2(config-if)# exit exit to previous configuration
ull
level or
f
acme_R2(config)# ^Z exit configuration
ins
mode completely .
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
eta
The filter is now applied to the running configuration and will come into effect
rr
immediately.
ho
Testing the Configuration
requirements:
A ut
Once applied, the configuration should be tested to ensure that it meets ACMEs security
5,
00
To test the Ingress filter, a tool such as NMAP (http://www.insecure.org/nmap) should be
-2
used from outside of the network to run a port scan and check that only the required
ports/services on the router are open/enabled.
00
20
To test the Egress filter, the logging option on the router should be enabled and a tool
such as HPING2 (http://www.hping.org) can be used to craft invalid packets and try and
te
send them out on to the internet.
tu
sti
To switch on logging:
In
acme_R2(config)# logging on
NS
acme_R2(config)# log my.net.2.101 send logs to syslog server.
SA
If the tests prove to be satisfactory and achieve the required results, the running
configuration should be saved for use as the startup configuration when the router is
©
reloaded:
acme_R2# copy running startup copy running configuration to
start up configuration (copy
run
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 start).
06E4 A169 4E46
acme_R2# destination filename(startup-config) specify the name of the
filename for the startup
configuration or default
© SANS Institute 2000 - 2005 Author retains full rights.Conclusion
Protecting your external router from unauthorised access and misconfiguration is a critical
element in the defence of your network. If any unauthorised person should gain access to
the router, they could reconfigure the system to remove any filtering in place and
s.
configure it for their own use.
ht
Using ACLs as a first line of defence to filter inbound and outbound traffic in conjuntion
rig
with firewalls and intrusion detection systems will provide some of the multiple layers of
defence and monitoring that are talked about in the SANS GSEC course. Performing
ull
regular scans on your network from an external source will enable you to check that only
f
the ports/services that are required on the router are listening and available, thus
ins
minimising the risk of external attack/compromise.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
eta
rr
References
ho
1. Configuring passwords and privileges on Cisco IOS.
ut
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c
/scprt5/scpass.htm
A
2. SANS Reading Room.
5,
http://rr.sans.org/index.php
00
3. Cole, Eric. “GSEC Course – SANS GIAC Certification Program”, January 2002.
-2
4. Graesser, Dana. “Cisco Router Hardening Step-by-Step”, 25 July 2001
http://rr.sans.org/firewall/router2.php
00
5. SANS Institute. “How to Eliminate The Ten Most Critical Internet Security
20
Threats ver 1.33”, June 2001.
http://www.sans.org/topten.htm
te
6. Brett and Variable K, “Building Bastion Routers Using Cisco IOS” Phrack
tu
Magazine, Vol 9, Issue 9, September 1999.
sti
http://www.phrack.com/show.php?p=55&a=10
7. Middleton, James, “Hybrid Threats overtake DOS Attacks”, April 2002.
In
http://www.vnunet.com/News/1131294
NS
8. NMAP.
http://www.insecure.org/nmap
SA
9. HPING2.
http://www.hping.org
©
Appendix A - Top ten block Cisco ACL blocking recommendations from SANS
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Source: http://www.sans.org/topten.htm
1. Block "spoofed" addresses-- packets coming from outside your company sourced from
internal addresses, private (RFC1918 and network 127) and IANA reserved addresses.
© SANS Institute 2000 - 2005 Author retains full rights.Also block source routed packets.
2. Login services-- telnet (23/TCP), SSH (22/TCP), FTP (21/TCP), NetBIOS (139/TCP),
rlogin et al (512/TCP through 514/TCP)
3. RPC and NFS-- Portmap/rpcbind (111/TCP and 111/UDP), NFS (2049/TCP and
2049/UDP), lockd (4045/TCP and 4045/UDP)
s.
4. NetBIOS in Windows NT -- 135 (TCP and UDP), 137 (UDP), 138 (UDP), 139 (TCP).
ht
Windows 2000 – earlier ports plus 445(TCP and UDP)
rig
X Windows -- 6000/TCP through 6255/TCP
5. Naming services-- DNS (53/UDP) to all machines which are not DNS servers, DNS
ull
zone transfers (53/TCP) except from external secondaries, LDAP (389/TCP and
f
389/UDP)
ins
6. Mail-- SMTP (25/TCP) to all machines, which are not external mail relays, POP
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
(109/TCP and 110/TCP), IMAP (143/TCP)
eta
7. Web-- HTTP (80/TCP) and SSL (443/TCP) except to external Web servers, may also
rr
want to block common high-order HTTP port choices (8000/TCP, 8080/TCP, 8888/TCP,
etc.)
ho
8. "Small Services"-- ports below 20/TCP and 20/UDP, time (37/TCP and 37/UDP)
ut
9. Miscellaneous-- TFTP (69/UDP), finger (79/TCP), NNTP (119/TCP), NTP (123/TCP),
LPD (515/TCP), syslog (514/UDP), SNMP (161/TCP and 161/UDP, 162/TCP and
A
162/UDP), BGP (179/TCP), SOCKS (1080/TCP)
5,
10. ICMP-- block incoming echo request (ping and Windows traceroute), block outgoing
00
echo replies, time exceeded, and destination unreachable messages except "packet too
-2
big" messages (type 3, code 4). (This item assumes that you are willing to forego the
legitimate uses of ICMP echo request in order to block some known malicious uses)
00
20
Additional Blocking Recommendations:
te
tu
sti
Port(s) Protocol Description
2222, 6669, TCP Serbian badman/backdoor.subseven
In
7000
NS
16959, 27274, TCP Subseven
6711, 6712,
SA
6776
16660, 65000 TCP Stacheldrant
©
27665 TCP Trinoo
27444, 31335 UDP Trinoo
33270, 39168 TCP Trinity V3
1993 UDP Cisco SNMP
6660fingerprint
Key - 6669 TCP FA27 2F94
= AF19 IRC 998D FDB5 DE3D F8B5 06E4 A169 4E46
5190 TCP AIM
1027, 1029, TCP ICQ
1032
© SANS Institute 2000 - 2005 Author retains full rights.Source: Original by Author.
s.
ht
rig
full
ins
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
eta
rr
ho
A ut
5,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005 Author retains full rights.Last Updated: July 23rd, 2019
Upcoming Training
SANS Boston Summer 2019 Boston, MA Jul 29, 2019 - Aug 03, 2019 Live Event
SANS Crystal City 2019 Arlington, VA Aug 05, 2019 - Aug 10, 2019 Live Event
SANS Melbourne 2019 Melbourne, Australia Aug 05, 2019 - Aug 10, 2019 Live Event
SANS London August 2019 London, United Aug 05, 2019 - Aug 10, 2019 Live Event
Kingdom
Minneapolis 2019 - SEC401: Security Essentials Bootcamp Style Minneapolis, MN Aug 12, 2019 - Aug 17, 2019 vLive
SANS Minneapolis 2019 Minneapolis, MN Aug 12, 2019 - Aug 17, 2019 Live Event
SANS San Jose 2019 San Jose, CA Aug 12, 2019 - Aug 17, 2019 Live Event
SANS Virginia Beach 2019 Virginia Beach, VA Aug 19, 2019 - Aug 30, 2019 Live Event
SANS Chicago 2019 Chicago, IL Aug 19, 2019 - Aug 24, 2019 Live Event
SANS New York City 2019 New York, NY Aug 25, 2019 - Aug 30, 2019 Live Event
SANS Tampa-Clearwater 2019 Clearwater, FL Aug 25, 2019 - Aug 30, 2019 Live Event
SANS Copenhagen August 2019 Copenhagen, Denmark Aug 26, 2019 - Aug 31, 2019 Live Event
SANS Canberra Spring 2019 Canberra, Australia Sep 02, 2019 - Sep 21, 2019 Live Event
SANS Brussels September 2019 Brussels, Belgium Sep 02, 2019 - Sep 07, 2019 Live Event
SANS Munich September 2019 Munich, Germany Sep 02, 2019 - Sep 07, 2019 Live Event
Mentor Session - SEC401 Charleston, SC Sep 03, 2019 - Nov 05, 2019 Mentor
SANS vLive - SEC401: Security Essentials Bootcamp Style SEC401 - 201909, Sep 03, 2019 - Oct 10, 2019 vLive
Network Security 2019 - SEC401: Security Essentials Bootcamp Las Vegas, NV Sep 09, 2019 - Sep 14, 2019 vLive
Style
SANS Network Security 2019 Las Vegas, NV Sep 09, 2019 - Sep 16, 2019 Live Event
Mentor Session - SEC401 Tysons, VA Sep 14, 2019 - Oct 12, 2019 Mentor
SANS Raleigh 2019 Raleigh, NC Sep 16, 2019 - Sep 21, 2019 Live Event
SANS Bahrain September 2019 Manama, Bahrain Sep 21, 2019 - Sep 26, 2019 Live Event
SANS San Francisco Fall 2019 San Francisco, CA Sep 23, 2019 - Sep 28, 2019 Live Event
SANS Dallas Fall 2019 Dallas, TX Sep 23, 2019 - Sep 28, 2019 Live Event
Community SANS Vancouver SEC401 Vancouver, BC Sep 23, 2019 - Sep 28, 2019 Community SANS
SANS London September 2019 London, United Sep 23, 2019 - Sep 28, 2019 Live Event
Kingdom
SANS Northern VA Fall- Reston 2019 Reston, VA Sep 30, 2019 - Oct 05, 2019 Live Event
SANS DFIR Europe Summit & Training 2019 - Prague Edition Prague, Czech Republic Sep 30, 2019 - Oct 06, 2019 Live Event
SANS Cardiff September 2019 Cardiff, United Kingdom Sep 30, 2019 - Oct 05, 2019 Live Event
SANS Tokyo Autumn 2019 Tokyo, Japan Sep 30, 2019 - Oct 12, 2019 Live Event
SANS Baltimore Fall 2019 Baltimore, MD Oct 07, 2019 - Oct 12, 2019 Live EventYou can also read
