Funny & Jokes

A Security Capstone Course: An Innovative Practical Approach to Distance Education

A Security Capstone Course: An Innovative Practical Approach to Distance Education
of 4
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
  Session W2F 978-1-4244-4714-5/09/$25.00 ©2009 IEEE October 18 - 21, 2009, San Antonio, TX39 th ASEE/IEEE Frontiers in Education ConferenceW2F - 1 A Security Capstone Course: An InnovativePractical Approach to Distance Education  Nate Evans, Benjamin Blakely, and Doug Jacobson Iowa State University,,,  Abstract  - Information assurance is a growing field in theinformation technology world. While many individualsseek further education in this field, it is currentlydifficult to complete an entire program of studyremotely. A capstone course at Iowa State University willenable distance education students to complete therequirements for a Master’s of Engineering inInformation Assurance from an accredited universitywithout ever setting foot on a campus. This course willencompass all focal points of the degree and demonstratea level of mastery sufficient for awarding of the degree(in accordance with other degree requirements). Thiscourse will consist of three parts: the planning &implementing phase, the defending & attacking phase,and the infrastructure assessing phase.  Index Terms – Capstone, VMWare, Information Assuranceand Security. M OTIVATION   The Information Assurance Master's program is amultidisciplinary masters program at Iowa State University.It takes aspects of computer engineering, political science,computer science and mathematics and combines them toform a cohesive foundation of security education. To helpincrease demand for the degree, the required courses areoffered as part of the Distance Education curriculum at IowaState. This allows all the lectures to be recorded andstreamed to anyone who is interested in taking the courses, but can't physically attend courses in Ames. However, untilnow students still needed to come to Iowa State to defend aMasters thesis or to complete a Creative Component in order to graduate. As enrollment in these courses has grown, thetime the professors have to manage these capstonecomponents has decreased, creating a need for a coursestudents can take remotely to fulfill this requirement. Arecent survey of students currently enrolled in the distanceeducation program showed that over 70% of the studentswill switch to the new coursework only degree. A capstonecourse, which touches on each piece learned in the other required courses, was proposed. However, not only DistanceEducation students can take the course, it will also be used by on-campus students as an integrating experience and can be a replacement for the creative component if they do anoral exam about what they did in the capstone.Iowa State University hosted Cyber Defense Competitions(CDCs) for the past four years. In a CDC, a group of students set up a small network of computers running avariety of services such as an e-mail server, a web server, or a remote console server. They must defend this network against recruited professional “hackers” from industry,government, and academia. This has become so successfulthat there are now four competitions each year: a local IowaState competition, a community college competition, anational post-secondary competition, and a high schoolcompetition (now part of IT-Olympics).It quickly became apparent that the educational advantagesof a CDC could form the basis for an excellent course inInformation Assurance. This could allow students to use allthe skills they had learned in a realistic “trial-by-fire” lab- based course, while allowing for distance education tocontinue.This work shows the future of distance education courseswhere faxing in an exam sheet is not enough. To be able tofully engage a CSET student in a laboratory environment isvital to that student’s fuller understanding of the subjectmaterial. This innovation allows for a practical and fullyimmersive information assurance education experience for students, regardless of physical location. C OURSE O VERVIEW   This 18 week capstone course is an entirely lab-based course broken down into the following phases:1.   Planning and implementing2.   Attacking and defending3.   Infrastructure assessingThe Planning and implementing phase lasts six weeks. Itrequires students to develop a network plan based on a givenscenario and then construct it. The students have absolutefreedom when it comes to network design and OS choice aslong as the software is free, is publicly available, has a demo period which covers phases 2 and 3, or is site-licensed toIowa State. The students must produce a network plan proposal containing the following: •   A diagram of the student's network  •   Rationale for the student's choice of operatingsystems and network applications (i.e., daemons) •   Anything security-relevant in the design (e.g., NAT, firewalls, jailing, user limits)  Session W2F 978-1-4244-4714-5/09/$25.00 ©2009 IEEE October 18 - 21, 2009, San Antonio, TX39 th ASEE/IEEE Frontiers in Education ConferenceW2F - 2 The students then implement their design in a VMWareESXi environment. They must install operating systems, setup the virtual network infrastructure, and configure serviceswithin the virtual environment.The use of VMWare ESXi provides for maximum flexibilityfor the students with minimum administrative overhead for the course coordinator. The coordinator need only installESXi on a machine and create a login for the student. Thestudent then uses the VMWare Infrastructure Client toconnect to his or her host machine. VMWare allows thestudent to create virtual switches, virtual machines, anddivide up resources as they see fit. The host machine hastwo external connections, one to the public internet (for management), and one to the course network. The coursenetwork includes a server which contains network-bootableinstallers for many popular operating systems. It is also thenetwork on which they will interface with other students inthe course. All virtual machines must exclusively use thisnetwork. To access the internet from this network, studentsconnect to a dual-layer proxy server, which is aware of thedivision of competition network and the internet. This protects the internet from attacks perpetrated by the students.At the end of this phase, students submit a final network document which contains: •   The full details of their operating systems, services,network layout, and reasoning behind thesedecisions •   Any differences between the proposed network  plan and the final implementation, and the reasonsfor these changes.The Attacking and Defending Phase lasts four weeks. Beforethis phase the course coordinator must certify that everyvirtual machine is, in fact, connected only to the coursenetwork. During this phase students try to attack other students' networks, while defending their own network. Thestudents must try to capture predefined flags from the other networks, while planting flags on those same systems, and protecting flags on their own systems. They are encouragedto document as much as possible during this phase, as theywill be required to report on it in the final phase. ttackingthe VMWare host machines or course infrastructure is notallowed.The Infrastructure assessing phase lasts five weeks. Duringthis phase the students combine everything from the first two phases and produce a comprehensive document andvideo/audio oral presentation. This presentation wouldconsist of a Webex conference call with the class where thestudent would share his/her results. The document and oral presentation should answer the following questions:1.   What were the key defensive technologiesimplemented on the student's network? Did thesehold up to attack? How could the implementationof these be improved in the future?2.   What were some key limitations and weaknesses in both the student's network and the networksattacked by the student? How could these bemitigated?3.   What changes should be made if the planning andimplementing phase were to be repeated?4.   Which attacks were most successful? How couldthe be defended against in the future? T ECHNOLOGY   1.   VMWare ESXi2.    Network Interfaces - One connected to the internetfor management, one connected to an internettestbed (ISECUBE).3.    Nagios and Cacti for monitoring. Nagios will allowthe students to see if their services are up or down.Cacti will allow students to track resource usage ontheir virtual machines.4.   MediaWiki for documentation. Students are askedto use the wiki for communication betweenstudents, a support guide and to post successfulattacks. Also an external red team will use this to post successful attacks.  Layout of Capstone Course In the network diagram above, the top cluster of 5 boxes isthe simulated Internet called ISECUBE, which is connectedto each team (on the right). In addition to this a connectionto the real Internet (on the left) is connected to each box toserve as a VM Management Interface. F ORESEEABLE P ROBLEMS   Students may not take into consideration that this is areplacement of their creative component when it comes tohow much time they devote to it, because it’s broken up by  Session W2F 978-1-4244-4714-5/09/$25.00 ©2009 IEEE October 18 - 21, 2009, San Antonio, TX39 th ASEE/IEEE Frontiers in Education ConferenceW2F - 3 credits. It should be made very clear early in the course thatit will require the classic 4 hour rule per credit hour. This isto produce high quality work from the distance educationstudents. It is difficult to statistically evaluate the difficultyof a creative component in comparison to this capstonecourse. As such, the work required must validate their knowledge and understanding of the entire curriculum presented throughout the Master's in Information Assurance program at Iowa State University. C OURSE F EEDBACK    The course has been run twice as pilot courses, once with 5students and once with one student. The first time was runwithout the attacking component. In both of these, thecourse was run as a normal course without the creativecomponent replacement and was only for on-campusstudents. These were run to test and develop theinfrastructure before opening the course to a large number of distance education students. C OURSE S CHEDULE   Week 1: Planning and implementing phase beingsWeek 3: Network plan proposal dueWeek 4: Implementation startsWeek 6: Planning and implementing phase ends. Finalnetwork plan due.Week 7: Attacking and defending phase begins.Week 10: Attacking and defending phase ends.Week 11: Infrastructure assessing phase begins.Week 15: Assessment paper and presentation due. G RADING    Network plan proposal: 20%Implementation (based on completion and availability bydeadline): 20%Attack and defense documentation: 20%Assessment paper: 20%Assessment presentation: 20% E XAMPLE S CENARIO   The CDC Data Corporation (CDC) is a small dot-comstartup in Metropolitan, Iowa. It is a hosting company withsmall sites across the country. This way, clients can have alocal place to store their company's information securely,without the overhead of an on-site information technologystaff. CDC provides web, CVS, and remote desktop servicesat each site. These sites are regularly tested for security bythe CDC Corporate Red Team.You are in charge of installing a new CDC site. As such,your team has been assigned the task of designing a securenetwork that will hold up to attack and keep clientinformation secure. You must maintain servers for theadvertised services (more detail below), and be able toguarantee the security of the data. There are many issues to be addressed, as flexibility and usability are of the utmostimportance, but the security of client data cannot besacrificed in the process. Protected data may reside on any of the servers, as clients can log into any of the advertisedservices. You must additionally provide the infrastructurefor these servers (DNS, and Intrusion Detection System, andoptionally firewalls).You will be given a list of user names and passwords thatmust be implemented on each advertised service. Youcannot change these passwords.You will be given a list of flags that must be present on eachrequired service. Failure to include these flags will result in a penalty. (See the Rules document).This said, any implementation is acceptable as long as it provides the following:Web Server ( outside web development team has been contracted todesign CDC's site ( and will provide your team with the content and the server once you begin settingup your network on November 15th. Every client will have alog on to this box to update their web content. You may notremove any client content from this machine. Doing so isequivalent to taking the web server offline. Your teamshould instead focus on implementing global securitymeasures (Apache configuration, PHP configuration,MySQL configuration, ModSecurity, etc) that will protectyour web server from any malicious or badly-written clientcode. Users must be able to FTP into this box to update their web site content. Domain Name Server ( of DNS will need to handled by your team. For a fee, CDC corporate offers a consulting service to help youwith this if you so desire (see the Rules document for details). You will need to provide the IP address of thismachine to the CDC Corporate IT team (the CompetitionDirector) at least one week before your site goes online(December 6th). Remember that if this service fails, no onewill be able to access any of your services. If you wish to setup redundant servers for this task, inform the CompetitionDirector when you give him your DNS server IP addresses.(Note: N is the number of your team.)Concurrent Versioning Server (CVS: need to be able to access a CVS server to check-in/check-out web code, or any other projects they're workingon. You should use SSH CVS logins, and allow clients tolog in via SSH to a shell. Users should be allowed at least1GB of storage on this server (even though they may not usethat much). File sizes must be able to grow to 250MB, assome clients store media projects on this server. You will be provided with the CVS data to put onto this server one week  before your site goes online (December 6th).  Session W2F 978-1-4244-4714-5/09/$25.00 ©2009 IEEE October 18 - 21, 2009, San Antonio, TX39 th ASEE/IEEE Frontiers in Education ConferenceW2F - 4 Remote Desktop Server ( who have limited computing resources may takeadvantage of the amazing hardware provided at your site for their development work. They should be able to use: FTP toconnect to the web server (Internet Explorer will suffice),the Eclipse ( IDE with CVS access to theCVS server, to edit documents and connectto the MySQL databases on the web server. Users must beable to check out their entire CVS module (up to 1GB) tothis machine.Intrusion Detection System:To ensure the security of your network, CDC CorporatePolicy requires you to employ an Intrusion DetectionSystem. The recommended product is Snort ( the BASE web interface ( as it isfree, widely documented and supported, and easy to use.One way to set it up is documented at: you'd like, a preconfigured Snort machine can be orderedfrom CDC Corporate for a fee (see the Rules document for details). CDC Corporate expects periodic (bi-hourly)intrusion/counter intrusion reports (see the Rules documentfor details).Firewall (Optional):Your team may decide to structure your network to use oneor more firewalls to protect your servers. CDC Corporaterecommends pfSense for this task (, butother solutions are acceptable as well.Due to cleanup and remodeling work, the new building isnot accessible to you until the day before your site goesonline. Due to this fact, all setup will be done remotely.Equipment purchased from your budget will be set up as yourequest and remote KVMs will be made available. The day before your site goes online, you will have a twelve hour window to put the finishing touches on your network beforeclients begin using your services, and the Corporate RedTeam is allowed to begin testing.CDC Corporate, for auditing purposes, requires that your network be documented; and for public relations, that youhave a guide available for your clients on how to use your services. Both of these documents must be provided to CDCCorporate (the Competition Director) prior to your sitecoming online. See the Rules document for details. C ONCLUSIONS AND F UTURE W ORK    The two pilot semesters were a success and the course is planning to open up to full enrollment in the fall semester of 2009. The Master’s of Engineering degree has beenapproved as a course work only option for students. Thecapstone course is a requirement in the new Master’s of Engineering degree. The capstone course has also beenapproved as a replacement for the creative component partof the MS degree with an oral exam.There is additional work that needs to be accomplished tosupport anticipated student load. More documentationgiving students assistance with the setup is needed,especially for students not familiar with the VMWareenvironment. Additional documentation is needed to allowthis course to be supported by the department’s computer support personal. The details of how the lab was constructedand who someone could replicate the lab need to bedeveloped and disseminated. R  EFERENCES   Hoffman, Lance J and Ragsdale, Daniel, “Exploring a National Cyber Defense Exercise for Colleges and Universities”  Report No. CSPRI-2004-08 . Aug 24, 2004.Jacobson, Doug and Evans, Nate. “Cyber Defense Competition”  AmericanSociety of Engineering Education . 2006. A UTHOR  I NFORMATION  Nate Evans PHD Candidate Computer Engineering, IowaState University, Benjamin Blakely Doctoral Student Computer Engineering,Iowa State University, Doug Jacobson University Professor Computer andElectrical Engineering, Iowa State University,  
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks