AC 2007-2262: USING VIRTUAL MACHINE TECHNOLOGY IN AN UNDERGRADUATE INTRUSION DETECTION LAB

Virtual machine (VM) technology was recently adopted in an undergraduate lab on Intrusion Detection Technologies. Each student was provided with a pre-built but unconfigured Fedora Core 5 Linux VM image and used it to complete hands-on labs on her/his own computer. To prepare the lab environment, a virtual network was built with Windows, Linux, FreeBSD, and Solaris virtual machines to simulate network attacks. Network traces of attacks were generated inside the virtual network using Metasploit Framework and other penetration testing tools. Student exercises included installing and using host-based intrusion detection systems, network-based intrusion detection systems, and network monitoring tools. Students used TCPdump, Ethereal, Snort, and Bro to analyze the trace files. Students also performed installation and detection of loadable-kernel-module rootkits inside the virtual machine. A “compromised” virtual machine could be deleted after the lab and a fresh virtual machine could be reopened from the pre-built image in no time. The virtual machine was easy to use and easier to maintain than a real computer. Using VM technology, it was possible to build a very “real” network environment at a minimal cost. Hands-on exercises of concepts could be set up in the virtual machine. Students were offered various opportunities to test other platforms such as Solaris without acquiring real physical machines. Additionally, the lab was available to students around the clock. The adoption of VM technology helped students understand basic concepts, increased their interest, and improved their troubleshooting skills. In addition, VM technologies expanded the physical boundaries of the lab environment. Students were able to use their own personal computers at home to perform lab exercises that previously would have required multiple machines configured in a dedicated lab room.
This flexibility allowed the students to work at their own pace, and extended the lab environment to distance education students. Using VM technology, we were able to transfer a physical hands-on intrusion detection lab from a Windows-dominated environment to a diversified virtual environment in a very short period. We believe that virtual machine technology can be successfully used in other computer security and networking labs.