ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Laboratory experiments for network security instruction
Full text PdfPdf (131 KB)
Source Journal on Educational Resources in Computing (JERIC) archive
Volume 6 ,  Issue 4  (December 2006) table of contents
Article No. 5  
Year of Publication: 2006
ISSN:1531-4278
Author
José Carlos Brustoloni  University of Pittsburgh, Pittsburgh, Pennsylvania
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 40,   Downloads (12 Months): 303,   Citation Count: 2
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1248453.1248458
What is a DOI?

ABSTRACT

We describe a sequence of five experiments on network security that cast students successively in the roles of computer user, programmer, and system administrator. Unlike experiments described in several previous papers, these experiments avoid placing students in the role of attacker. Each experiment starts with an in-class demonstration of an attack by the instructor. Students then learn how to use open-source defense tools appropriate for the role they are playing and the attack at hand. Threats covered include eavesdropping, dictionary, man-in-the-middle, port scanning, and fingerprinting attacks. Defense skills gained by students include how to forward ports with OpenSSH, how to prevent weak passwords with CrackLib, how to salt passwords, how to set up a simple certifying authority, issue and verify certificates, and guarantee communication confidentiality and integrity using OpenSSL, and how to set up firewalls and IPsec-based virtual private networks. At two separate offerings, tests taken before and after each experiment showed that each has a statistically significant and large effect on students' learning. Moreover, surveys show that students finish the sequence of experiments with high interest in further studies and work in the area of security. These results suggest that the experiments are well-suited for introductory security or networking courses.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
J. Aycock , K. Barker, Viruses 101, Proceedings of the 36th SIGCSE technical symposium on Computer science education, February 23-27, 2005, St. Louis, Missouri, USA
 
2
Daniel J. Barrett , Richard E. Silverman, SSH, The Secure Shell: The Definitive Guide, O'Reilly & Associates, Inc., Sebastopol, CA, 2001
3
Bhagyavati , Stephen O. Agyei-Mensah , Rose Shumba , Iretta B.C. Kearse, Teaching hands-on computer and information systems security despite limited resources, Proceedings of the 36th SIGCSE technical symposium on Computer science education, February 23-27, 2005, St. Louis, Missouri, USA
 
4
William R. Cheswick , Steven M. Bellovin , Aviel D. Rubin, Firewalls and Internet Security: Repelling the Wily Hacker, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2003
 
5
Cohen, J. 1988. Statistical Power Analysis for the Behavioral Sciences. Lawrence Erlbaum, Mahwah, NJ.
 
6
Dierks, T. and Allen, C. 1999. The TLS Protocol Version 1.0. IETF, RFC 2246. {Online} ftp://ftp.rfc-editor.org/in-notes/rfc2246.txt.
 
7
Ethereal. 2003. Homepage. {Online} http://www.ethereal.com/, last accessed Mar. 2005.
 
8
FreeBSD. 2003. Homepage. {Online} http://www.freebsd.org/, last accessed Mar. 2005.
 
9
Freier, A., Karlton, P., and Kocher, P. 1996. The SSL protocol version 3.0. {Online} http://wp.netscape.com/eng/ssl3/draft302.txt, last accessed Mar. 2005.
 
10
Deborah Frincke, Who Watches the Security Educators?, IEEE Security and Privacy, v.1 n.3, p.56-58, May 2003  [doi>10.1109/MSECP.2003.1203223]
 
11
Hart, D. 1992. Authentic Assessment: A Handbook for Educators. Addison-Wesley, Reading, MA.
12
John M. D. Hill , Curtis A. Carver, Jr. , Jeffrey W. Humphries , Udo W. Pooch, Using an isolated network laboratory to teach advanced networks and security, Proceedings of the thirty-second SIGCSE technical symposium on Computer Science Education, p.36-40, February 2001, Charlotte, North Carolina, United States
13
Mark A. Holliday, Animation of computer networking concepts, Journal on Educational Resources in Computing (JERIC), v.3 n.2, p.2-es, June 2003  [doi>10.1145/982753.982755]
 
14
Insecure.org. 2003. nmap. {Online} http://www.insecure.org/nmap/, last accessed Mar. 2005.
 
15
Kent, S. and Atkinson, R. 1998. Security Architecture for the Internet Protocol. IETF, RFC 2401. {Online} ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2401.txt.pdf.
 
16
James F. Kurose , Keith W. Ross, Computer Networking: A Top-Down Approach Featuring the Internet, Pearson Benjamin Cummings, 2004
17
Patricia Y. Logan , Allen Clarkson, Teaching students to hack: curriculum issues in information security, Proceedings of the 36th SIGCSE technical symposium on Computer science education, February 23-27, 2005, St. Louis, Missouri, USA
 
18
Lonvick, C. 2004. SSH Protocol Architecture. IETF, Internet Draft. {Online} ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-secsh-architecture-17.txt.
19
Prabhaker Mateti, A laboratory-based course on internet security, Proceedings of the 34th SIGCSE technical symposium on Computer science education, February 19-23, 2003, Reno, Navada, USA
20
Mary Micco , Hart Rossman, Building a cyberwar lab: lessons learned: teaching cybersecurity principles to undergraduates, Proceedings of the 33rd SIGCSE technical symposium on Computer science education, February 27-March 03, 2002, Cincinnati, Kentucky
 
21
Morse, D. T. 1999. MINSIZE2: A computer program for determining effect size and minimum sample size for statistical significance for univariate, multivariate, and nonparametric tests. Educational and Psychological Measurement 59, 3 (June), 518--531.
 
22
Muffet, A. 2003a. Crack version 4.1: A sensible password checker for unix. {Online} http://www.crypticide.com/users/alecm/security/crack-v4.1-whitepaper.ps.gz, last accessed Mar. 2005.
 
23
Muffet, A. 2003b. Cracklib v2.7. {Online} http://www.crypticide.com/users/alecm/security/cracklib,2.7.tar.gz, last accessed Mar. 2005.
24
Paul Mullins , Jim Wolfe , Michael Fry , Erik Wynters , William Calhoun , Robert Montante , William Oblitey, Panel on integrating security concepts into existing computer courses, Proceedings of the 33rd SIGCSE technical symposium on Computer science education, February 27-March 03, 2002, Cincinnati, Kentucky
 
25
National Institute of Standards and Technology. 1995. Specifications for Secure Hash Standard. Federal Information Processing Standards Publication 180-1. {Online} http://www.itl.nist.gov/fipspubs/fip180-1.htm.
 
26
National Institute of Standards and Technology. 2001. Specification for the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197. {Online} http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf.
 
27
OpenSSL. 2003. Homepage. {Online} http://www.openssl.org/, last accessed Mar. 2005.
 
28
Openwall. 2003. John the Ripper password cracker. {Online} http://www.openwall.com/john/, last accessed Mar. 2005.
 
29
Ragsdale, D., Welch, D., and Dodge, R. 2003. Information assurance the West Point way. Security & Privacy, 64--67.
 
30
Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G. J., and Lear, E. 1996. Address Allocation for Private Internets. IETF, RFC 1918. {Online} ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc1918.txt.pdf.
31
R. L. Rivest , A. Shamir , L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, v.21 n.2, p.120-126, Feb. 1978  [doi>10.1145/359340.359342]
 
32
Karthik Sadasivam , Banuprasad Samudrala , T. Andrew Yang, Design of network security projects using honeypots, Journal of Computing Sciences in Colleges, v.20 n.4, p.282-293, April 2005
 
33
Skoudis, E. 2002. Counter Hack. Prentice-Hall, Upper Saddle River, NJ.
 
34
S. W. Smith, Humans in the Loop: Human-Computer Interaction and Security, IEEE Security and Privacy, v.1 n.3, p.75-79, May 2003  [doi>10.1109/MSECP.2003.1203228]
 
35
Song, D. 2000. dsniff. {Online} http://naughty.monkey.org/dugsong/dsniff/, last accessed Mar. 2005.
 
36
Srisuresh, P. and Holdrege, M. 1999. IP Network Address Translator (NAT) Technology and Considerations. IETF, RFC 2663. {Online} ftp://ftp.rfc-editor.org/in-notes/pdfrfc/rfc2663.txt.pdf.
 
37
Andrew S. Tanenbaum , Maarten van Steen, Distributed Systems: Principles and Paradigms (2nd Edition), Prentice-Hall, Inc., Upper Saddle River, NJ, 2006
 
38
Tcpdump. 2003. Homepage. {Online} http://www.tcpdump.org/, last accessed Mar. 2005.
 
39
Rahul Tikekar , Thomas Bacon, The challenges of designing lab exercises for a curriculum in computer security, Journal of Computing Sciences in Colleges, v.18 n.5, p.175-183, May 2003
40
Rayford B. Vaughn, Jr., Application of security tot he computing science classroom, Proceedings of the thirty-first SIGCSE technical symposium on Computer science education, p.90-94, March 07-12, 2000, Austin, Texas, United States
 
41
Jon Viega , Pravir Chandra , Matt Messier, Network Security with Openssl, O'Reilly & Associates, Inc., Sebastopol, CA, 2002
42
Paul J. Wagner , Jason M. Wudi, Designing and implementing a cyberwar laboratory exercise for a computer security course, Proceedings of the 35th SIGCSE technical symposium on Computer science education, March 03-07, 2004, Norfolk, Virginia, USA
 
43
Alma Whitten , J. D. Tygar, Why Johnny can't encrypt: a usability evaluation of PGP 5.0, Proceedings of the 8th conference on USENIX Security Symposium, p.14-14, August 23-26, 1999, Washington, D.C.
 
44
Tom Wulf, Implementing a minimal lab for an undergraduate network security course, Journal of Computing Sciences in Colleges, v.19 n.1, p.94-98, October 2003
45
Haidong Xia , José Carlos Brustoloni, Hardening Web browsers against man-in-the-middle and eavesdropping attacks, Proceedings of the 14th international conference on World Wide Web, May 10-14, 2005, Chiba, Japan  [doi>10.1145/1060745.1060817]

CITED BY  2
Anna Riccioni , Enrico Denti , Roberto Laschi, An experimental environment for teaching Java security, Proceedings of the 6th international symposium on Principles and practice of programming in Java, September 09-11, 2008, Modena, Italy
Xiaohong Yuan , Omari T. Wright , Huiming Yu , Kenneth A. Williams, Laboratory design for wireless network attacks, Proceedings of the 5th annual conference on Information security curriculum development, September 26-27, 2008, Kennesaw, Georgia

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.6 Security and Protection
          Subjects: Cryptographic controls; Authentication

  E. Data
  E.3 DATA ENCRYPTION
      Subjects: Public key cryptosystems; Standards (e.g., DES, PGP, RSA)

  H. Information Systems
  H.1 MODELS AND PRINCIPLES
      H.1.2 User/Machine Systems
          Subjects: Human factors


General Terms:
Experimentation, Security


Keywords:
Certificate, IPsec, SSH, SSL, VPN, certifying authority, course, dictionary attack, eavesdropping, education, experiment, fingerprinting, firewall, man-in-the-middle, password, port scanning, security

Collaborative Colleagues:
José Carlos Brustoloni: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player