
Laboratory experiments for network security instruction

Published: 01 December 2006

Abstract

We describe a sequence of five experiments on network security that cast students successively in the roles of computer user, programmer, and system administrator. Unlike experiments described in several previous papers, these experiments avoid placing students in the role of attacker. Each experiment starts with an in-class demonstration of an attack by the instructor. Students then learn how to use open-source defense tools appropriate for the role they are playing and the attack at hand. Threats covered include eavesdropping, dictionary, man-in-the-middle, port scanning, and fingerprinting attacks. Defense skills gained by students include how to forward ports with OpenSSH, how to prevent weak passwords with CrackLib, how to salt passwords, how to set up a simple certifying authority, issue and verify certificates, and guarantee communication confidentiality and integrity using OpenSSL, and how to set up firewalls and IPsec-based virtual private networks. At two separate offerings, tests taken before and after each experiment showed that each has a statistically significant and large effect on students' learning. Moreover, surveys show that students finish the sequence of experiments with high interest in further studies and work in the area of security. These results suggest that the experiments are well-suited for introductory security or networking courses.


Published In

Journal on Educational Resources in Computing  Volume 6, Issue 4
December 2006
63 pages
ISSN:1531-4278
EISSN:1531-4278
DOI:10.1145/1248453

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Certificate
  2. IPsec
  3. SSH
  4. SSL
  5. VPN
  6. certifying authority
  7. course
  8. dictionary attack
  9. eavesdropping
  10. education
  11. experiment
  12. fingerprinting
  13. firewall
  14. man-in-the-middle
  15. password
  16. port scanning
  17. security
