A Laboratory Based Course on Internet Security

Prabhaker Mateti
Wright State University
Dayton, OH 45435
NSF DUE-9951380


SIGCSE2003 Mateti/WrightStateU

Goals

Awareness of Security Issues
Teach security improvement techniques
Explain how exploitable errors have been made in the development of software.
Raise the level of ethics awareness
Bring attention to legal issues


Assumptions in the Course Design

Beliefs?
Lab-oriented?
Whole course or Distributed into …
Required or Elective?
10 weeks or 15?


The course needs to be lab-oriented.

“I hear and I think. I see and I remember. I do and I know.”

-- Confucius


Should be a course by itself.

Integrating security concepts into other courses is very difficult.

Easier to propose and implement an entire course that is new.


Should be a Required Course.

Security exploits have become way too common.

Can motivate why Software Development should be a more rigorous discipline.

Many security topics synthesize what is learned in several disparate and un-integrated courses.


Can only be an Elective Course.

Most BS Degree Requirements are too full of core and required courses.

Required Courses cannot be “downgraded” to Electives.

Cannot even re-work n required courses into m required courses, m < n.

Is it a “discipline”?


Term or Semester Course

Both must be accommodated: Term = 10, semester = 15 weeks

At WSU …


Course Logistics

Lectures on topic: one per week
Lectures on experiment: one per week
Lab experiments: one per week
First week, only lectures. (May be second week too.)


Currently Available Material

Books
Websites
Courses elsewhere


Books on Security

Many books, > 500
Academic text books, in the tens.
Garfinkel and Spafford 1996/2003, Practical UNIX & Internet Security, O'Reilly.
Rubin 2001, White-hat Security Arsenal, Addison Wesley.
Stallings 1998, Cryptography and Network Security, Prentice Hall.
Bishop 2003, Computer Security, Addison Wesley.


Amazon.com book search results (2003/02/19, 19:00 PST)

Network security      714
Internet security     910
Computer security    2673
System security      1328
Homeland security      45
Security            32000


Web Sites

“There is an oceanic amount of material on network security available over the Internet.”

-- A Web Page.

How do we define a “Security Web Site”?

1000+ web sites


A Few Chosen Security Websites

www.incidents.org
www.cert.org
www.cerias.purdue.edu
www.securityfocus.com
lwn.net/security
www.microsoft.com/security
www.phrack.com


Courses Elsewhere

Many “commercial” courses.
Academic courses:
– Mostly graduate level
– Focused on cryptography
– Principles and concepts only
– Projects, not Lab Experiments
– E.g., theory.lcs.mit.edu/~rivest/crypto-security.html
Thirty-six Centers of Academic Excellence in Information Assurance Education sponsored by NSA: www.nsa.gov/isso/programs/nietp/newspg1.htm


What We Developed

About 30 lectures, 75 minutes each.
About 25 lab experiments, 2 hours each.
Security Lab setup details.
Collected articles on Ethics and Legal Issues.
Past exams, and links to code.
A support website, with the above.
At WSU, introduced a new course, CEG 429: Internet Security.


Overview of Course Contents

Depth v Breadth
Choice of Topics
Design of Experiments
CEG429 week-by-week


Depth v Breadth

Discuss current security breaches and protection measures: breadth.

Conduct experiments knowledgeably: depth.


“Internet Security”

Trojan Horses, Viruses and Worms
Privacy and Authentication
TCP/IP exploits
Firewalls
Cryptography
Secure Config of Personal Machines
Buffer Overflow and Other Bug Exploitation
Writing Bug-free and Secure Software
Secure e-Commerce Transactions
Ethics and Legal Issues


Typical Article on our Website

Title
Summary
Educational Objectives
Background Information
Pre-Lab and Suggested Preparation
Procedures
Appendix A: Acronyms
Appendix B: Further Reading Links
Appendix C: Notes to TAs

Procedures
– Step 1, 2, …
– Achievement Test
– Concluding Activities
    Demo Witness Report Lab cleanup
– Report on the Experiment


Lab Experiments Developed

1. Experience serious nuisance.
2. Viruses, Worms, and Trojans.
3. Boot from power up to login.
4. System Administration.
5. Password Cracking Tools.


Lab Experiments Developed

6. One-time passwords, and secure shell.
7. Privacy Enhancing Tools.
8. Securely configure a Linux PC.
9. Fortification of a System.
10. Build a hardened kernel.
11. Set up a router.
12. Install and Run a network sniffer.


Lab Experiments Developed

13. Hijack an on-going telnet session.
14. User authentication and spoofing.
15. DNS spoof.
16. Download a rootkit and install.
17. Install and discover back doors.
18. White-Hat Security Tools.


Lab Experiments Developed

19. Buffer Overflow Exploits.
20. Packet Filter Firewall.
21. Probing For Weaknesses.
22. Denial-of-Service Attacks.
23. Design Weaknesses of TCP.
24. Security Audit.
25. IPv6-enabled kernel, and tools.


Ethics

Sign on to our Ethics Statement
The Ethics of Hacking. A discourse by "Dissident". www.attrition.org/~modify/texts/hacking_texts/hacethic.txt
The Hackers Ethic. The six tenets from Steven Levy, "Heroes of the Computer Revolution". project.cyberpunk.ru/idb/hacker_ethics.html
OSU Ethics Website. www.cgrg.ohio-state.edu/Astrolabe
Codes of Ethics from ACM+IEEE. www.onlineethics.org www.ethics.org


Ethics Statement

In this course I am learning network and computer security principles. It is a 10-week long course, with a prerequisite of general understanding of operating systems and computer networks. I realize that this learning is just a beginning.

I assure the instructor, the University, and the world that I am a caring, responsible, and principled person. I will help create a better world. Never will I engage in activity that deprives others in order to benefit from it.

The techniques and links that I am exposed to are for educational purposes only. As a power user of computers and future network or systems administrator, I must be familiar with the tools that may be used to bring a network down. I may engage in a legitimate form of hacking, or more precisely, ethical hacking, as a consultant who performs security audits. This is the driving force in learning the past attack techniques.

I will not directly provide anyone with the tools to create mischief. Nor shall I pass my knowledge to others without verifying that they also subscribe to the principles apparent in this statement.

I will not engage in or condone any form of illegal activity including unauthorized break-ins, cracking, or denial of service attacks.

___________________________    ___________________________________
Name of the student            Signature and Date


Internet Security Lab Setup

PCs, NICs, Switches, Cables
Each PC with 2 NICs
Physically Isolatable
Private Network
Linux-based Firewall-cum-Router


OSIS: Operating Systems and Internet Security Lab

Room 429, Russ Engineering Center, WSU
In continuous use since November 1999
26 PCs in the lab for students' use, and one web server, one router, one file server, and one PC for re-configuration experimentation.
Shared Lab
– Operating Systems Courses, CEG 433, 434
– Distributed Computing Courses, CEG 730, 830
– Multiple Operating Systems


OSIS: Operating Systems and Internet Security Lab

1999 Lab
– 26 PCs (PIII 450MHz, 128 MB RAM, 13 GB HDD)
– 8 Fast Ethernet Switches
Operating Systems
– Caldera Open Linux 2.3
– Kernel 2.2.10
– Windows NT 4
– Windows 98 SR2

2003 Lab
– 26 upgraded PCs (2*PIII 450MHz, 512 MB RAM, 13 GB HDD)
– 8 Fast Ethernet Switches
Operating Systems
– Mandrake Linux 8.2/9.0
– Linux 2.4.x
– Windows XP
– Windows 98 SR2


OSIS: Operating Systems and Internet Security Lab

All the PCs are on a private LAN
One Fast Ethernet switch for each group of 4-6 PCs.
Each PC is loaded with
– Linux Mandrake 8.2/9.0
– Windows XP
– Windows 98.
Boot into one of these via ntldr


osis111.cs.wright.edu

All the lab PCs: 192.168.*.*
router.osis.cs.wright.edu = 192.168.17.111
osis111.cs.wright.edu = 130.108.17.111
IP Filtering Router Firewall
All Internet connections are through the Firewall
IP masquerading


Security Software

Secure Shell, PGP, …
Firewall Kits
Tools
– Top 50 Security Tools survey from www.nmap.org
– http://www.packetfactory.net
– nmap, SAINT, …
– tcpdump, ethereal, snort, …
– Password cracking
– Tcpwrapper


Lab Maintenance

Individual student logins.
Students need to be superusers.
Reload OS images periodically.
Update packages.
Forgotten passwords, etc.
Students' files are not archived.


Cloning the OS Images

Set up a Golden Client.
Several cloning tools exist:
– Symantec Ghost
– Open source SystemImager
– Open source UDPcast
– None of the above deal (well) with multiple file volumes from multiple OS.
Takes about 45 minutes for 26 PCs
Individualize Each PC
– Hostname
– IP address
– Ssh host keys
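
The SSH host key item matters because every clone of the golden client starts out with the same host key pair, and in this lab students need to be superusers on the PCs. As an added example (not part of the original slides), the shell script below checks that the individualization step was completed by reporting hosts that still present the same key; the addresses, key blobs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): report lab PCs that still share an
# SSH host key after cloning. Input lines use the `ssh-keyscan` output
# format: "<host> <keytype> <base64-public-key>".

# Constructed sample: addresses and (shortened) key blobs are made up.
sample_scan() {
    cat <<'EOF'
# 192.168.17.21:22 SSH-2.0-OpenSSH (constructed banner line)
192.168.17.21 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoldenClientKey
192.168.17.22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoldenClientKey
192.168.17.23 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIRegenerated23
192.168.17.24 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoldenClientKey
192.168.17.24 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABRegeneratedRsa24

EOF
}

# Reads scan lines on stdin; prints one line per key seen on more than one
# host, as "<keytype> <number-of-hosts> <host,host,...>".
shared_host_keys() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }      # banners, blanks, malformed lines
        {
            id = $2 " " $3                # key type plus public key blob
            if (seen[id, $1]++) next      # same host reported twice
            if (count[id]++) hosts[id] = hosts[id] "," $1
            else             hosts[id] = $1
            ktype[id] = $2
        }
        END {
            for (id in count)
                if (count[id] > 1) print ktype[id], count[id], hosts[id]
        }
    ' | sort
}

# Succeeds (status 0) only if no key is presented by two different hosts.
clones_individualized() {
    [ -z "$(shared_host_keys)" ]
}

# Demo on the constructed sample.
sample_scan | shared_host_keys
```

On a real lab network the input would come from a scan such as `ssh-keyscan -f hosts.txt | shared_host_keys`, where hosts.txt is an assumed file listing the lab PCs.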


Teaching Experience

Lectures must be updated to keep up with software patched with the latest.

Most students take the course in their (semi-) final term.

Cannot find knowledgeable TAs.


Learning Experience

Considerable amount of “wow” effect.

“We really learned a lot!”

Prerequisite:
– Computer Networking, CEG 402: Wrong?
– Operating Systems, CEG 433: Right?


Goals Achieved

Awareness of Security Issues
Teach security improvement techniques
Explain how exploitable errors have been made in the development of software.
Raise the level of ethics awareness
Bring attention to legal issues
Taught Yes, Learned Yes, Believe In it may be.


By-Products: Students are …

More at ease with real hardware and real software – not a black box any more.

Amazed at the Open Source movement, but do not understand.


If I may urge you …

Introduce a course like this into your curriculum.

Peer-Review the articles on our web site.


Links

CEG 429 Home Page: www.cs.wright.edu/~pmateti/Courses/429
OSIS Lab Home Page: www.cs.wright.edu/~pmateti/OSIS
Support Web Site: www.cs.wright.edu/~pmateti/InternetSecurity/