Laboratory experiments for network security instruction

We describe a sequence of five experiments on network security that cast students successively in the roles of computer user, programmer, and system administrator. Unlike experiments described in several previous papers, these experiments avoid placing students in the role of attacker. Each experiment starts with an in-class demonstration of an attack by the instructor. Students then learn how to use open-source defense tools appropriate for the role they are playing and the attack at hand. Threats covered include eavesdropping, dictionary, man-in-the-middle, port scanning, and fingerprinting attacks. Defense skills gained by students include how to forward ports with OpenSSH, how to prevent weak passwords with CrackLib, how to salt passwords, how to set up a simple certifying authority, issue and verify certificates, and guarantee communication confidentiality and integrity using OpenSSL, and how to set up firewalls and IPsec-based virtual private networks. At two separate offerings, tests taken before and after each experiment showed that each has a statistically significant and large effect on students' learning. Moreover, surveys show that students finish the sequence of experiments with high interest in further studies and work in the area of security. These results suggest that the experiments are well-suited for introductory security or networking courses.

[1]  John Aycock,et al.  Viruses 101 , 2005 .

[2]  Connie Yu Advanced texturing in undergraduate computer graphics course: tutorial presentation , 2005 .

[3]  Jacob Cohen Statistical Power Analysis for the Behavioral Sciences , 1969, The SAGE Encyclopedia of Research Design.

[4]  Diane Hart,et al.  Authentic Assessment: A Handbook for Educators , 1992 .

[5]  Matt Holdrege,et al.  IP Network Address Translator (NAT) Terminology and Considerations , 1999, RFC.

[6]  Paul J. Wagner,et al.  Designing and implementing a cyberwar laboratory exercise for a computer security course , 2004, SIGCSE '04.

[7]  J. Doug Tygar,et al.  Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 , 1999, USENIX Security Symposium.

[8]  Alan O. Freier,et al.  The SSL Protocol Version 3.0 , 1996 .

[9]  Ameet S. Talwadker Survey of performance issues in parallel database systems , 2003 .

[10]  Rahul Tikekar,et al.  The challenges of designing lab exercises for a curriculum in computer security , 2003 .

[11]  Daniel J. Barrett,et al.  SSH, The Secure Shell: The Definitive Guide , 2001 .

[12]  Mary Micco,et al.  Building a cyberwar lab: lessons learned: teaching cybersecurity principles to undergraduates , 2002, SIGCSE '02.

[13]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[14]  Rayford B. Vaughn,et al.  Application of security tot he computing science classroom , 2000, SIGCSE '00.

[15]  Sean W. Smith Humans in the Loop: Human-Computer Interaction and Security , 2003, IEEE Secur. Priv..

[16]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[17]  John Viega,et al.  Network Security with OpenSSL , 2002 .

[18]  Keith W. Ross,et al.  Computer networking - a top-down approach featuring the internet , 2000 .

[19]  Ronald C. Dodge,et al.  Information Assurance the West Point Way , 2003, IEEE Secur. Priv..

[20]  BrustoloniJosé Carlos Laboratory experiments for network security instruction , 2006 .

[21]  Prabhaker Mateti A laboratory-based course on internet security , 2003, SIGCSE.

[22]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[23]  José Carlos Brustoloni,et al.  Hardening Web browsers against man-in-the-middle and eavesdropping attacks , 2005, WWW '05.

[24]  Fred Martin Engaging computing: makin' it real for kids and undergrads , 2004 .

[25]  Rose Shumba,et al.  Teaching hands-on computer and information systems security despite limited resources , 2005, SIGCSE.

[26]  David T. Morse,et al.  Minsize2: a Computer Program for Determining Effect Size and Minimum Sample Size for Statistical Significance for Univariate, Multivariate, and Nonparametric Tests , 1999 .

[27]  Angela Sasse,et al.  Humans in the Loop Human – Computer Interaction and Security , 2022 .

[28]  Udo W. Pooch,et al.  Using an isolated network laboratory to teach advanced networks and security , 2001, SIGCSE '01.

[29]  R. Mateosian Firewalls and internet security: Repelling the wily hacker, 2nd ed. [Book Review] , 2003, IEEE Micro.

[30]  Bill Cheswick,et al.  Firewalls and internet security - repelling the wily hacker , 2003, Addison-Wesley professional computing series.

[31]  Tom Wulf Implementing a minimal lab for an undergraduate network security course , 2003 .

[32]  Mark A. Holliday,et al.  Animation of computer networking concepts , 2003, JERC.

[33]  Patricia Y. Logan,et al.  Teaching students to hack: curriculum issues in information security , 2005 .

[34]  Deborah A. Frincke,et al.  Who Watches the Security Educators? , 2003, IEEE Secur. Priv..

[35]  Yakov Rekhter,et al.  Address Allocation for Private Internets , 1994, RFC.

[36]  T. Andrew Yang,et al.  DESIGN OF NETWORK SECURITY PROJECTS USING HONEYPOTS * , 2005 .

[37]  Rose Shumba,et al.  Teaching hands-on computer and information systems security despite limited resources , 2005, SIGCSE '05.

[38]  Ricardo A. López,et al.  Computer networks. A top-down approach featuring Internet, second edition , 2007 .

[39]  Andrew S. Tanenbaum,et al.  Distributed systems: Principles and Paradigms , 2001 .

[40]  Michael Fry,et al.  Panel on integrating security concepts into existing computer courses , 2002, SIGCSE '02.