learning computer networking on open paravirtual laboratories



Page 1: Learning Computer Networking on Open Paravirtual Laboratories

302 IEEE TRANSACTIONS ON EDUCATION, VOL. 50, NO. 4, NOVEMBER 2007

Learning Computer Networking on Open Paravirtual Laboratories

Marco Anisetti, Valerio Bellandi, Alberto Colombo, Marco Cremonini, Ernesto Damiani, Member, IEEE, Fulvio Frati, Joêl T. Hounsou, and Davide Rebeccani

Abstract—Learning practical information communication technology skills such as network configuration and security planning requires hands-on experience with a number of different devices which may be unavailable or too costly to provide, especially for institutions under tight budget constraints. This paper describes how a specific open software technology, paravirtualization, can be used to set up open source virtual networking labs (VNLs) easily and at virtually no cost. The paper highlights how paravirtual labs can be adopted jointly by partner organizations, e.g., when the institution hosting the virtual lab provides hands-on training and students’ skill evaluation as a service to partner institutions overseas. A practical VNL implementation, the open virtual lab (OVL), is used to describe the added value that open source VNLs can give to e-Learning frameworks, achieving a level of students’ performance comparable or better than the one obtained when students directly interact with physical networking equipment.

Index Terms—e-Learning, open source, virtual lab, virtualization.

I. INTRODUCTION

E-Learning platforms have become largely widespread among educational institutions worldwide, especially as a support to Information Technology degree courses. Video lessons, online exercises, didactic forums, and computer-supported interaction with tutors and teachers are now a standard part of many online degree courses. However, most learners require reinforcement tools to increase retention of the course material and advance the learning process. Some practical skills can only be mastered via interactive experience [1], which is not always easy to provide within a traditional e-Learning platform. In Information and Communication Technology (ICT) undergraduate curricula, learning network configuration, management, and security-related skills involves hands-on experience with a number of different devices which may be unavailable or too costly to provide for institutions under budget constraints. A number of software tools and environments have been developed to help users to share distributed laboratory resources and realize virtual experiments.

Still, ongoing discussions about offering lab-based courses via distance education show that most university instructors consider this option impossible or ineffective [2]. As a consequence, relatively few universities offer lab-based courses to remote ICT students. Virtual networking lab (VNL) technology has been recently proposed as a solution to this problem. VNL products are software platforms aimed at providing hands-on experience with commercial computer networks, such as a Cisco production network or a Microsoft-based network infrastructure. Experience in vocational courses [3] has shown that VNLs are extremely valuable in reinforcing learning in all methods of delivery; therefore, they are increasingly used within certification programs run by network equipment vendors. However, commercial VNLs also present several disadvantages, which prevent their large-scale adoption by universities. First, most commercial VNLs focus on the nuts and bolts of the equipment of a specific vendor, rather than on improving the students’ understanding of the general principles behind network equipment operation and use. Second, and perhaps more importantly, VNLs are often distributed as “closed source,” under licenses which relate the operational cost to the number of users, forcing institutions to budget based on the number of students rather than on available resources. Finally, commercial VNLs require powerful computational resources as they strive to provide “live” interaction with simulated network equipment. Therefore, their hosting costs must be considered.

Manuscript received January 9, 2007; revised June 18, 2007. This work was supported in part by the Italian Ministry of Research under FIRB Contracts RBNE05FKZ2_004 TEKNE and RBNE01JRK8_003 MAPS.

M. Anisetti, V. Bellandi, A. Colombo, M. Cremonini, E. Damiani, F. Frati, and D. Rebeccani are with the Department of Information Technology, University of Milan, 26013 Crema (CR), Italy.

J. T. Hounsou is with the Institut de Mathématiques et de Sciences Physiques, BP 613, Porto-Novo, Bénin.

Digital Object Identifier 10.1109/TE.2007.904584

These three factors are likely to prevent the adoption of commercial VNLs wherever 1) software and hardware costs are a major issue; and 2) the number of students is high, a frequent scenario in developing countries. In this paper, an open source software platform is exploited to design and implement a distributed architecture for VNLs, the open virtual lab (OVL). OVL is a complete network training environment based on device virtualization, accessible via a standard Web browser.

A. Research Contributions

The present paper shows how a specific open software technology, paravirtualization, can be used to set up VNLs effectively, easily, and at virtually no cost. More specifically, the paper addresses the following research issues.

• The paper introduces the paravirtualization technique in a virtual lab context and explains why paravirtual, open source lab environments for computer networking are viable alternatives to commercial VNLs and to lab environments fully virtualized at the hardware level.

• The paper describes the architecture of an open source VNL and shows how it can be adopted jointly by partner organizations so that an organization can make the VNL available as an (affordable) service to its partners. A case study is presented showing how this technique has been used in a cooperation between the Department of Information Technology, University of Milan, Italy, and the Institut de Mathématiques et de Sciences Physiques of the University of Benin, West Africa.

• The paper claims that OVL can be used to achieve the same level of students’ performance in practical laboratory activities normally obtained when students directly interact with physical networking equipment. This claim is substantiated by students’ performance data collected in two Network Security courses, held respectively in the online and in the traditional edition of the University of Milan’s degree on Information Systems and Network Security, run from September to November 2006. Results strongly suggest that open source virtual laboratories are a valid alternative to real laboratories in many ICT teaching scenarios.

The paper is organized as follows. Section II gives an overview of software and hardware virtualization techniques, and Section III discusses related work on virtualization in e-Learning environments. Then, Section IV generally describes OVL open technology, while Section V shows two key aspects of this approach, presenting OVL as a product and as a service. Finally, Section VI describes two teaching cases highlighting OVL’s impact in a computer science undergraduate degree. Examples include how to build a network of virtual machines to simulate network traffic, how to configure firewalls and routers, and how to protect a system from network attacks and threats.

II. VIRTUALIZATION TECHNIQUES

A. Different Approaches to Virtualization

In the 1960s, IBM first introduced the virtualization concept to describe how different operating systems could coexist on the same mainframe computer. Today, virtualization has become a widespread technique for software testing, dynamic provisioning, real-time migration, high availability, and load balancing [4].

Hardware virtualization technologies have become available, such as Intel’s virtualization technology (VT) and Advanced Micro Devices’ Secure Virtual Machine (SVM), that enable a single processor to act as if several processors were working in parallel; this approach allows multiple operating systems to run at the same time on the same machine. Processors offering hardware-based virtualization, however, do not tackle the problem of virtualizing I/O subsystems. Software virtualization platforms run multiple virtual systems on the same processor in such a way that virtual systems are isolated from each other [5]. In a software virtualization platform, all virtual systems run on top of a virtual machine monitor (VMM), which interposes an indirection layer between the operating system, running on each virtual machine, and the underlying hardware [6]. The VMM virtualizes physical system resources (memory, disks, processors, network devices) and allocates them to virtual machine instances. Software virtualization techniques can be classified into three main categories.

• Full virtualization is an approach to create a virtual execution environment for running unmodified operating system images, fully replicating the original guest operating system behavior and facilities on the host system. The currently most well-established virtualization platforms, such as VMWare, Bochs, and QEMU, are based on the full-virtualization approach.

• Containers is an approach based on a single operating system kernel, enhanced by setting up “walls” that offer increased isolation among groups of processes; in particular, containers provide the ability to run multiple virtualized operating system instances on a single instance of the real operating system. This approach has been implemented by Sun’s Solaris v10 operating system and by SwSoft’s virtualization framework Virtuozzo [7].

• Paravirtualization is an approach addressing the performance problems typical of full virtualization without attempting to replicate exactly the guest environment’s original behavior. This approach requires the guest operating system to be modified to run in the paravirtualized environment [4]. Patching modifies guest systems, redirecting virtualization-sensitive operations directly to the VMM, instead of trapping to the operating system as found in pure hardware virtualization. Paravirtualization is not a panacea; this approach may require substantial engineering efforts for modifying and maintaining guest operating systems. Paravirtualization suitability for teaching-oriented VNLs will be discussed in detail in Section IV. Paravirtualization platforms include parallel workstations (PW) and Xen. PW is commercial software, mainly used as a desktop virtualization solution. Xen, the open source paravirtualization framework underlying OVL, is better described in Section II-B.

Fig. 1. Xen system layers.

B. Xen Overview

Xen is a virtual environment developed by the University of Cambridge [4], [8] and released under the GNU GPL license. Xen’s VMM, called hypervisor, embraces the paravirtualization approach in that it supports x86/32 and x86/64 hardware platforms, but requires the guest operating system kernel to be ported to the x86-xenon architecture [4]. However, when hardware support for virtualization is available, Xen can run unmodified guest kernels, coming closer to the full virtualization approach.

A Xen system is composed of multiple software layers (Fig. 1). Individual virtual execution environments are called domains. Xen’s hypervisor [4] manages the scheduling operation related to the execution of each domain, while each guest operating system manages the VM application scheduling. During system boot, a domain with special privileges, called Domain 0, is automatically created. Domain 0 can initialize other domains (DomUs) and manage their virtual devices. Most management and administration tasks are performed through this special domain.

Xen’s current usage scenarios include kernel development, operating system and network configuration testing, server consolidation, and server resources allocation. Several hosting companies have recently adopted Xen to create public virtual computing facilities, i.e., Web farms capable of flexibly increasing or decreasing their computing capacity. On a public virtual computing facility, customers can commission one, hundreds, or even thousands of server instances simultaneously, enabling Web applications to automatically scale up or down depending on computational needs.

III. RELATED WORK

Most early papers about virtual laboratories described virtual devices implemented using simulation software, such as Matlab, often coupled with Simulink [9]. These early papers addressed other branches of engineering than ICT. For instance, in [10], the authors present a Web-based tool for training microwave engineering students in analog filters design. Some interesting Web-based tools were developed in the framework of European projects, such as the Leonardo Da Vinci Pilot Project “Virtual-Electro-Lab” [11]. A Web-based virtual laboratory is presented by Garcia and Alesanco in [12], this time in the field of cache memory management. Garcia’s virtual laboratory includes Web-based educational material and some interesting Web-based cache memory simulation programs. More recently, researchers working on virtual laboratories have become aware of the need to avoid close links with proprietary operating system platforms, and virtual laboratories have been increasingly based on Java software technology [13].

Closer to the topic of this paper, the work [14] presents an early Web-based environment for network management which can be used by students training on Web-based network administration via the Simple Network Management Protocol (SNMP). Works by Hu et al. [15], [16] develop this idea toward a complete training system for Information Technology courses, named Telelab, that provides to students a pool of virtual machines configured ad hoc for particular security exercises. All these approaches to virtual laboratories, however, do not put students fully in control of the virtual system. Moreover, they focus on a very specific field or even on a particular subject. Their narrow scope may impair open experimentation and one-on-one interaction, which represents an important learning opportunity for university students.

As mentioned in Section I, many commercial VNLs are now available, aimed at providing hands-on experience on specific network products, such as a Cisco-powered production network. For instance, the MIMIC virtual lab creates a very realistic VNL including a network of Cisco routers and switches. The Sybex virtual lab is a Cisco-compatible router simulator designed to follow along with the well-known instructional book on network configuration by Todd Lammle et al. [17].

A more general approach has been taken by companies, such as Surgient and Akimbi, which offer general purpose VNLs for testing and evaluating software. Both Surgient and Akimbi allow easy-to-setup and run configurations involving virtual machines (VMs) running on multiple servers. They also provide tools to configure new VMs quickly and add them to (or remove them from) running configurations. Surgient and Akimbi offer the critical ability of taking snapshots of active configurations. Snapshots are used to capture load-dependent error situations, to be sent to engineers for examination and bug repair. Engineers can fire up the snapshot and start stepping through its execution to re-create the problem. Surgient also offers a slight modification of its VNL oriented to creating custom software demonstrations. Using Surgient VNL, salespeople can assemble configurations that are relevant to specific customers and deploy them on remote hosts.

Other software vendors have followed a distinct, though related, line of research, developing virtual environments for application-level (as opposed to network-level) user training. VirtuoPro, based on VMware ESX3 technology, supports VMs management for business critical applications. However, VirtuoPro cannot be used as a general-purpose training environment as this system supports a restricted number of network configurations which are of interest for application support.

Most of the VNLs mentioned above have a different focus from teaching, even if teaching is mentioned among their potential applications. Also, they mostly rely on proprietary technology and are distributed as closed source. An approach much closer to the one described in this paper has been recently taken by an open source project called manage large networks (MLNs). MLNs is a virtual machine administration tool designed to build and run virtual machine networks based on Xen and User-Mode Linux. MLNs is, however, not exclusively focused on education, and is described by its authors as an “ideal tool for creating virtual network labs for education, testing, hosting or simply playing around with Linux.” To the best of the authors’ knowledge, however, no evidence has been collected of MLNs’ impact on any concrete teaching application.

Finally, the network simulation tool Packet Tracer [18], distributed by Cisco and exploited during Cisco Academic Network courses, permits the simulation of the behavior of real systems and allows students to explore and configure the network using Cisco components and interfaces. This tool proposes exercises as wizards that follow the students during the network configuration, indicating a starting network topology and some final objectives to reach. Differently from the OVL approach, Packet Tracer is available only to Cisco Network Academy courses’ attendees and is focused only on Cisco-based equipment.

To summarize, Table I provides a comparison among VNL frameworks, highlighting which tools allow for simulation of a local heterogeneous network or supply specifications for an exhaustive set of network components, and which ones integrate a graphical user interface (GUI) for network administration, providing a short description of the main learning services provided.

TABLE I
COMPARISON BETWEEN VNL FRAMEWORKS

IV. PARAVIRTUALIZATION AND E-LEARNING: THE OVL APPROACH

The OVL project started from the need to give to students of the online degree in Information Systems and Network Security of the University of Milan a complete training environment for distributed programming and network configuration.

The online B.Sc. degree in Information Systems and Network Security is an e-Learning initiative started by the University of Milan in the academic year 2004–2005. This initiative consists in offering the B.Sc. degree in Information Systems and Network Security (established in 2003) not only in the traditional way (i.e., based on ordinary classroom lectures and laboratories) but also via an online e-Learning platform, allowing students to choose each year their preferred learning strategy. Online students are required to come to the campus only to take their examinations. Today, the online B.Sc. degree in Information Systems and Network Security involves more than 300 undergraduate students, while around 400 are enrolled in the traditional version. According to the University of Milan’s teaching policy, contents provided and skills to be achieved in the online version of a degree must be the same as the traditional version, and no formal distinction is allowed between the degree awarded in the two cases (i.e., as seen by prospective employers).

For the sake of conciseness, this paper shall not attempt to give a complete description of the online B.Sc. degree in Information Systems and Network Security; its main aspects, including the adopted teaching model, the e-Learning platform, and the characteristics of the student population have been reported in [19]. Here, OVL is currently used to provide every student enrolled in the online B.Sc. degree with a personal virtual machine complete with compilers, network configuration tools, firewalls, etc. A major OVL requirement is therefore continuity. Since each student is entitled to full administrator privileges and has the right to modify a configuration, the same virtual machine must follow him or her during and beyond his or her time on campus. However, diversity is needed; the virtual machine must be customized and upgraded, depending on the courses each student will choose to follow. Furthermore, each student may need to access a number of additional devices. While the continuity requirement can be satisfied by any virtual environment, the need for diversity naturally leads to paravirtualization, which straightforwardly supports a diverse set of guest operating environments.¹

¹ In principle, one might object that paravirtualization, interposing a software hypervisor between the hardware and the guest systems, could impair their performance. However, this objection does not apply to teaching-oriented VNLs, where performance is not a key issue.

V. OVL KEY ASPECTS

As already mentioned, OVL is currently deployed as the main VNL supporting the University of Milan’s online degree on Information Systems and Network Security. Furthermore, OVL has been used in a number of international cooperations with foreign universities. OVL’s current implementation supplies each remote student with a Linux virtual machine accessible via secure connections. Every student has access to his or her own personal virtual machine with full administrator privileges; in other words, each user has full control of his or her virtual machine and can perform any type of configuration operation. In this way, OVL allows students to gain real experience with system configuration, system security, and network programming tasks, giving them full administrator privileges. Also, OVL is an open environment that can be operated at low cost and freely shared with a partner institution. OVL is based on Xen (Section II-B), a paravirtualization approach, and provides to each user a complete Linux-based system image. Also, OVL allows for setting up virtual Internet networks, e.g., connecting the virtual machines of students belonging to the same class. This feature allows students to experiment with network programming (socket library, Remote Procedure Calls, etc.) and to set up their own client-server applications in a virtual network environment. OVL’s full support for network programming and middleware is a distinctive feature with respect to commercial virtual laboratories, which focus more on network equipment configuration than on distributed application development.

OVL supports two adoption models: OVL as a product, i.e., OVL distributed and adopted as a Xen-based open source environment; and OVL as a service, showing how OVL can be shared with students and teachers from partner institutions. In both models, costs are mostly related to hosting the environment or purchasing the hardware for running it, since OVL is entirely open source software without any license charge.

In OVL, each virtual machine is represented by an image of its operating system and the included software. When configuration changes on a set of virtual machines are needed, OVL administrators can operate via the OVL administration interface (OVL-AI). In particular, OVL’s design is focused on supporting scale-up and scale-out operations [20]. In a scale-up approach, the system is expanded by adding more devices to an existing node; in OVL, this action consists in modifying the configuration of every single virtual machine adding, for example, more processors, storage and memory space, or network interfaces, depending on students/teachers needs in a particular teaching situation. For instance, exercises about firewall or router configuration require students’ virtual machines to be modified including multiple network interfaces; OVL-AI supports this process as a simple “drag and drop” from the resource panel to the configuration panel. Instead, in a scale-out approach, the system is expanded by adding more nodes. In this case, the number of available virtual machines can again be increased (or reduced) easily by OVL-AI. This operation will be beneficial, for example, when new students join or when students leave or finish the online course.

From an educational perspective, OVL offers teachers andstudents some unique features. First of all, simplicity: access toOVL’s virtual machines requires only a low-bandwidth dial-upconnection with a common client. Students have full ad-ministrator privileges on their virtual machines and are allowedto perform any kind of system configuration task. In this way,students using OVL can be asked to solve network configura-tion exercises (Section VI-B); alternatively, they can be facedwith real network problems (Section VI-C) and find the solu-tion by discussing among themselves, requiring only nominalsupervision.

Also, students can freely exercise on distributed program-ming, taking advantage of all virtual machines owned bystudents of the same academic year who are gathered togetherin the same subnet, allowing cooperation and work groupexercises. OVL can also be adopted as a service to partnerinstitutions. Teachers can control and verify students’ work byconnecting to OVL and accessing the corresponding virtualmachine (Section VI-C). OVL can export its functionalities intwo ways: by services export and on demand configuration.

A. Hardware and Software Requirements

Intuitively, OVL hardware requirements are essentially two: a storage unit large enough to give a complete software development environment to all students, and enough RAM memory to manage hundreds of virtual machines at the same time. Fortunately, both these requirements can be met remaining within the limits of a tight budget. Specifically, OVL’s VMM is deployed on a Fujitsu–Siemens Primergy RX-300 S2 with two Intel Xeon EM64T CPUs at 3.20 GHz, 8-Gb RAM memory, and four 300-Gb SCSI U320 hard disks in RAID 5. This server is connected to the Department of Information Technology’s internal network with a Broadcom Corporation NetXtreme BCM5721 Gigabit Ethernet PCI network interface. OVL’s firewall is implemented on a separate machine to improve system security from external attacks and to preserve virtual server performance. The firewall machine has the following features: a Fujitsu–Siemens Primergy RX-100 S2 with an Intel Pentium IV CPU at 3.00-GHz, 1-Gb RAM memory and two 80-Gb SATA hard disks. The firewall is connected to the University of Milan’s Intranet with an Intel 82541 GI/PI Gigabit Ethernet network interface.

The implementation of OVL’s virtual machines required some additional considerations. First, each virtual machine has to be an efficient, isolated duplicate of a real machine [21]. In other words, every virtual machine must work in a sealed environment, insulating its disks and memory address space and protecting system integrity from VM failures. Second, all virtual machines must support a complete and up-to-date operating system in order to give students all the instruments needed to carry out administration tasks and develop simple programs. While paravirtualized VMM can, in principle, support a diverse set of guest operating systems, some hardware constraints, in particular the 64-b server architecture, restrict the range of acceptable guest kernels.

Fig. 2. Communications between virtual machines and the external net.

OVL’s virtual machines are implemented on the Gentoo Linux distribution. Gentoo [22] has some distinctive characteristics that fit the needed requirements. First, a major feature of the Gentoo distribution is its high adaptability, because of a technology called Portage. Portage performs several key functions: software distribution, which permits developers to install and compile only the needed packages, which can be added at any time without reinstalling the entire system; package building and installation, which allows building a custom version of the package optimized for the underlying hardware; and automatic updating of the entire system. Second, Gentoo supports 64-b hardware architectures and implements the Xen environment in full. Finally, Gentoo is an open source system, distributed under the GNU General Public License.

In the current OVL environment, each student accesses his or her own virtual machine using a secure client connected directly to the OVL firewall on a specific port number (computed as ) (Fig. 2). Based on the source port, the OVL firewall forwards the connection to the corresponding virtual machine. Fig. 2 shows how the student whose is equal to 1 gains access to the firewall. Based on the student’s port number , firewall rules forward the incoming connection to the local IP that identifies the student’s own virtual machine. Looking at the example in Fig. 2, the incoming communication on port is forwarded to the local IP address on port , therefore to virtual machine .

B. OVL Administration Interface

The OVL-AI module lies at the core of the OVL environment. OVL-AI enables simple management of the entire system via a straightforward Web interface. OVL-AI provides a simplified procedure for the creation, configuration, and disposal of single virtual machines, or pools of virtual machines. Configuration is performed by choosing visually the simulated hardware cards to be inserted in each virtual machine. OVL-AI has been implemented following a multitiered approach. Namely, OVL-AI relies on AJAX on the client-side, on PHP on the server-side, and on Bash, for the interaction with the OVL server’s operating system.

VI. CASE STUDIES

OVL’s impact on ICT teaching will now be illustrated by means of two different case studies. The first case study, Case Study A (Section VI-B), works with a third-year course of Network Security of the University of Benin, B.Sc., in telecommunication engineering. In this case study OVL has been used to give a partner institution’s students the possibility of training in advanced network management at practically no cost for their home institution. The second case study, Case Study B (Section VI-C), works with a third-year course of Network Security of the University of Milan’s online degree on System and Network Security. This degree belongs to the B.Sc. degree class, “Computer Science and Technology.” With respect to standard computer technology degrees, this degree introduces a number of practical, hands-on courses on computer security. This case study presents some evidence suggesting that online students using OVL acquired the same or better practical skills than the ones attending traditional laboratory courses, which require access to real network equipment.

A. Learning Strategies

The two case studies take into consideration two different underlying learning strategies.

In the Benin case, a skill oriented strategy was adopted. Students worked in a closed environment with fixed learning objectives, i.e., the configuration of a simple network, and completed an online examination presenting a solution that they tested using the OVL.

In Case Study B, a complete learning strategy has been exploited. The teacher gave students the opportunity to explore freely the virtual environment, to try all the configurations they wished, and to prepare a traditional final examination. Such a strategy allowed the emergence of leaders and of the most skilled students, who start discussions in the forum and can help other students in a particular situation, without the participation of the tutor. In traditional classrooms, leaders remain hidden; their emergence is more difficult; and the contribution to the student community is lower.

In particular, the leader emergence was notable and was measured by looking at the didactic forum of the Network Security course of the online degree, where OVL was proposed to supply students a complete environment in which to train on distributed programming. Looking at posted messages for arguments strictly related to the part of the course that treated distributed programming, and starting from the basis of 35 students that passed the final examination and from 91 forum posts, a total of 68 messages (74%) were posted by only seven students (20%), approximating the 80:20 Pareto rule. Such a behavior has also been noticed looking at the number of follow up² messages (73%) and at the number of direct answers to tutor questions (75%).

² Follow up messages are those that continue a discussion generated by tutors or students.

Fig. 3. Network topology example.

B. Case Study A

This case study shows an exercise proposed to a group of students of the Institut de Mathématiques et de Sciences Physiques³ (IMSP), located in Benin, a small country of West Africa. The exercise was proposed as a final examination for the Network Security short course for students majoring in Telecommunications.

IMSP short courses are organized as “teaching missions” lasting one week. Each teaching mission is composed of two professors from overseas who alternate in teaching their (different) subjects. Normally, the morning (4 hours) is devoted to one subject, and the other is taught in the afternoon so that each course includes 20 teaching hours. In this case study, the course of Network Security was delivered by one of the authors of this paper, alternating with a database course taught by a colleague. After the end of the teaching mission, students were left with some laboratory exercises to be completed under the guidance of local teachers.

The laboratory scenario with which IMSP students were faced can be quickly described: a few obsolete workstations, all of them with a single network interface. This kind of configuration does not allow students to train in firewall or router configuration, since configuration exercises require at least one server station with two or more network interfaces and a good network connection. OVL provided an effective solution to this problem. Students could remotely connect to a pool of virtual machines, all configured with three network interfaces. Each virtual machine could act as firewall, router, or client, over which students can make any kind of network configurations simulating a real complex network environment. Local teachers could refer to one of the authors of this paper for troubleshooting the environment when needed.

In the following, the laboratory exercise left to the students, and the solution given by a student group are briefly discussed.

1) Exercise Text: Consider the network topology shown in Fig. 3. Provide the shell script that configures the firewall implementing the following rules.

• Permit HTTP and connections.
• Permit passive FTP traffic.
• Grant SMTP flow only to hosts belonging to the subnet 10.0.X.0/24.
• Implement the NAT service.
• Redirect all the connections from 22/transmission control protocol (TCP) port to a specific host.
• Redirect 8080/TCP port traffic to 80/TCP port.

To test the firewall configuration apply the script on the virtual machine that acts as firewall and configure other virtual machines to act as hosts of the subnet 10.0.X.0/24 and of the subnet 10.0.Y.0/24, and as a generic host of the Internet.

³ http://www.imsp-uac.org/genie/accueil.html, available in French only.

2) Proposed Solution: The Benin students tested their configuration on OVL using four virtual machines, each one with its particular network configuration, to act as, respectively, a firewall, a generic Internet client, and two subnet hosts. In Fig. 4, the script provided by the student groups is presented. Complex network configurations, which usually require ad-hoc prepared work stations or expensive commercial virtualization software, could be an easy experiment in OVL with only a low-bandwidth, dialup connection. Students were faced with real-world problems, worked in groups, and found a solution, configuring their virtual machines to work as firewall and hosts of the system. They also tested their architecture by generating traffic from one virtual machine to the second one through the firewall, logging access requests, and checking whether traffic was correctly redirected and filtered.
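One way to write the firewall script the exercise asks for, as an added example: it is not the student solution of Fig. 4, which is not reproduced on this page. The interface name, the values of X and Y, the SSH target host, the reading of the SMTP rule as a source restriction, and the use of REDIRECT to a listener on the firewall itself are assumptions; the second protocol named in the first rule is missing from the page text, so only HTTP is handled.

```shell
#!/bin/sh
# Added example: one reading of the exercise rules as an iptables script.
# Not the student solution of Fig. 4. All values below are assumptions,
# since the topology of Fig. 3 is not reproduced on this page.

DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands, 0 = apply them (root)
X=1                          # assumed value of X in 10.0.X.0/24
Y=2                          # assumed value of Y in 10.0.Y.0/24
WAN_IF=eth0                  # assumed Internet-facing interface
LAN_X="10.0.${X}.0/24"
LAN_Y="10.0.${Y}.0/24"
SSH_HOST="10.0.${X}.10"      # assumed host that receives 22/TCP

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

build_firewall() {
    # Start clean; default-deny for traffic to and through the firewall.
    ipt -F
    ipt -t nat -F
    ipt -t raw -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Replies and helper-tracked flows (the passive FTP data channel
    # arrives as RELATED once the FTP helper has seen the control channel).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Rule 1: permit HTTP (the second protocol is elided on the page).
    ipt -A FORWARD -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Rule 2: passive FTP. Only the control port is opened explicitly;
    # the helper is attached by hand because current kernels no longer
    # assign conntrack helpers automatically.
    run modprobe nf_conntrack_ftp
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    ipt -A FORWARD -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # Rule 3: SMTP only for hosts of 10.0.X.0/24 (read as a source match).
    ipt -A FORWARD -p tcp -s "$LAN_X" --dport 25 -m conntrack --ctstate NEW -j ACCEPT

    # Rule 4: NAT for both internal subnets towards the Internet.
    run sysctl -w net.ipv4.ip_forward=1
    ipt -t nat -A POSTROUTING -s "$LAN_X" -o "$WAN_IF" -j MASQUERADE
    ipt -t nat -A POSTROUTING -s "$LAN_Y" -o "$WAN_IF" -j MASQUERADE

    # Rule 5: 22/TCP arriving from outside goes to one specific host.
    # The filter table sees the packet after DNAT, so it matches SSH_HOST.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 22 -j DNAT --to-destination "${SSH_HOST}:22"
    ipt -A FORWARD -p tcp -d "$SSH_HOST" --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Rule 6: 8080/TCP is redirected to 80/TCP on the firewall itself,
    # so INPUT has to admit the rewritten port.
    ipt -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80
    ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Log what falls through to the DROP policy, rate-limited, so that
    # filtered traffic shows up in syslog during the test runs.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix FW-DROP:
}

build_firewall
```

With DRY_RUN=0 the rules are applied; INPUT then admits no management port, so apply them from the console or add such a rule first.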

C. Case Study B

At the University of Milan, OVL has been used as the VNL environment of choice for a number of networking, operating systems, and network security classes. In this section, some statistical data are presented regarding OVL’s adoption for a recent edition of the online Network Security course, which runs from September to November 2006.

1) The Test: All students of the Network Security class, in their laboratory activity, were asked to learn to analyze TCP/IP network traffic and to configure and test an iptables policy. Software tools used by students can be grouped as follows:

• Network traffic analysis tools: tcpdump, tshark, wireshark;
• Network traffic generation tools: nmap, nemesis [23], packit;
• Network traffic editors: netdude [24].

For online students, OVL was set up as follows: each student had his or her own virtual host with full administrator privileges. This personal machine was used to analyze incoming and outgoing network traffic and to configure the iptables firewall policy. With regard to the firewall policy, students were asked to test the configuration according to some specified requirements, such as opening or accepting TCP connections, exchanging user datagram protocol (UDP) datagrams and ICMP packets, or being probed with malformed network packets. Logs recorded by standard syslog in /var/log/messages had to be presented to pass the examination. In addition to the students’ personal machines, OVL was configured with one shared computer (called shared client) equipped with a traffic generator and clients for some standard IP applications (e.g., the file transfer protocol , the secure shell , and some querying tools). Students could log on this host with user privileges to generate network traffic either directed to or routed through his or her personal host. Another shared host (called shared server) was configured with some standard TCP and UDP network services (i.e., , , , , and mail servers). Students were not allowed to log on the shared server host, which is used only as the destination of TCP connections and UDP DNS queries. Network requests to the shared server could be generated by every student from the shared client or by his or her own personal host. All replies from this set of network services were routed through the personal machine of the student who generated the network request. Traffic flows between the shared client and the shared server or between the personal host and the shared server were needed to familiarize students with iptables’ FORWARD and INPUT/OUTPUT chains.

Fig. 4. Solution proposed by a student group.


When setting up OVL for this exercise, a major challenge was the laboratory’s routing configuration. In case of network traffic generated between the shared client and the shared server, both requests from the client and replies from the server must be routed via the corresponding student’s host, in order to be filtered by the FORWARD iptables chain. Normally, this step is achieved by configuring the host as the network gateway, but in this case all students’ hosts must act as gateways. The solution was to set up a virtual interface for each student’s host in both the shared client and the shared server and configure routing manually (i.e., with the command ). Students were then instructed to specify explicitly their assigned virtual interface when traffic directed to the shared server was generated on the shared client.⁴

2) Performance Evaluation: To assess OVL’s impact on students’ performance, two groups of students were randomly selected, one composed of students attending the online version of the Network Security course and the other composed of students attending the same course with traditional classroom delivery. The two groups were instructed with the same exercises and examples during the course and learned to use the same software tools. At the end of the course, the two groups took equivalent examinations with respect to difficulty and required skills. Both student groups were required to use the same equipment during the examinations (i.e., a laboratory with physical network devices, rather than OVL). Grading was not completed blindly, although the course instructor did not know that the data were collected for comparison. Since both groups came from the same cohort and sat essentially the same examination,⁵ the comparison is made based on raw, nonnormalized grades. Usually, student grades are spread to fit a normal distribution by statistical techniques of varying complexity. However, this adjustment is only necessary when comparability of scores across different subjects is required (e.g., when subject scores are added to create a ranking for university access).

A criterion-based approach could also be taken, measuring student achievement against objective reference points, and then comparing the two groups based on these achievements. Criterion-based evaluation is widely used for vendor certification programs since this method is considered better in determining fitness-to-practice in professional fields. Criterion-based comparison was omitted from this paper on the ground that this method would not add much information to this case study where norm-based comparison is fully justified by the high uniformity of the two samples.

Grades in Italian universities range from 0 to 30, while a grade of 18 is the threshold to pass an examination.⁶ The two samples are shown in Table II, while their statistical parameters are shown in Table III. A Student’s t-test [25] was performed to assess the level of confidence associated with the difference between the sample means. The two-tailed version of the test was used, since the two samples do not overlap. The test results shown in Table IV correspond to a level of confidence . While, as a result of the case study context, these results remain anecdotal in nature, they strongly suggest that online students exposed to OVL achieved better results than the ones attending the traditional laboratory course.

⁴ This setup proved effective since students showed no difficulty in understanding and using the system correctly. However, this solution is not fully satisfying since the configuration of virtual interfaces had to be performed manually by the OVL administrator. A plan to improve OVL-AI for integrating such configuration is in the general setup of the online students’ learning environment.

⁵ The examination papers were only marginally different because precautions were taken to avoid plagiarism among the members of the two groups.

⁶ The Italian system allows for a commendation to be given to the best students. Here, the commendation was taken into account by adding two to the grade, so that 30 cum laude is shown as 32.

TABLE II. STUDENTS’ GRADES

TABLE III. SAMPLE PARAMETERS

TABLE IV. T-TEST RESULT

VII. CONCLUSION AND LESSONS LEARNED

Commercial VNLs are getting more and more important in ICT vocational courses, but their vendor-dependence makes them unsuitable for university degree courses. In this paper a fully open source VNL, OVL, has been presented, discussing its adoption models and the services that it can provide to external communities and partner institutions. Also, two case studies were presented. These case studies were not artificially constructed experiments; rather they were answers to real teaching problems, documenting how the use of a VNL is the only option in some practical situations. Although online students can be required to watch prerecorded video-lessons at home, requiring them to set up at home (or to otherwise attend) an appropriate environment for network configuration exercises is not realistic. When trying out exercises related to network security issues, the laboratory environment must be fully insulated from the Internet or from any shared network. Evidence coming from these case studies strongly suggests that open source virtual labs are beneficial in different teaching scenarios. Two features of OVL improved considerably the results achieved by online students:

• students had full administrator privileges on their virtual machines (i.e., root access) and were asked to configure them as needed for the exercises;

• students interacted via a Web forum where they could freely discuss technical problems, exchange opinions about issues related to the configuration and installation of software packages, and ask about the correct usage of tools. The forum was supervised and moderated by one of the authors of this paper; however, fruitful direct consultation among students, with the emergence of leadership, greatly decreased his tutoring effort.

In both case studies, students unanimously reported their satisfaction with the OVL environment. Also, all instructors noticed that the online students achieved a good understanding of the proposed laboratory subjects. In fact, experience has shown that compared with students attending traditional laboratory courses, OVL users had more time to design, implement, and test their programs.

In conclusion, the use of OVL has been successful in both the investigated situations. Because of the high cost of ownership and rapid obsolescence of physical computer science laboratories, OVL appears to be a promising option for moving traditional laboratories to thin client architectures, even when the course is delivered via traditional classroom lessons. Using an open-source paravirtual VNL will enable universities to tolerate diversity in laboratory equipment, reduce maintenance costs, improve client performance, and permit more flexible laboratory topologies [26].

ACKNOWLEDGMENT

The authors would like to thank the Editor-in-Chief and the anonymous reviewers for their valuable comments.

REFERENCES

[1] L. Dirckinck-Holmfeld and A. Lorentsen, “Transforming university practice through ICT-integrated perspectives on organizational, technological, and pedagogical change,” Interactive Learn. Environ., vol. 11, no. 2, pp. 91–111, 2003.

[2] L. Kelly, M. Morrell, and J. Beasley, “Delivering laboratory based courses via distance education,” in Proc. Science, Engineering and Technology Education Conf., Las Cruces, NM, 2006, pp. 10–14.

[3] M. Caramihai and I. Severin, “E-learning & vocational training within Leonardo da Vinci projects: The Romanian case study,” in Proc. 1st Int. Workshop e-Learning and Virtual and Remote Laboratories, Setubal, Portugal, 2004, pp. 31–39.

[4] B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, I. Pratt, A. Warfield, P. Barham, and R. Neugebauer, “Xen and the art of virtualization,” in Proc. ACM Symp. Operating Systems Principles, Bolton Landing, NY, 2003, pp. 164–177.

[5] D. A. Menascé, “Virtualization: Concepts, applications, and performance modeling,” in Proc. 31th Int. Computer Measurement Group Conf., Orlando, FL, 2005, pp. 407–414.

[6] M. Rosenblum and T. Garfinkel, “Virtual machine monitors: Current technology and future trends,” IEEE Comput., vol. 38, no. 5, pp. 39–47, May 2005.

[7] S. J. Vaughan-Nichols, “New approach to virtualization is a lightweight,” IEEE Comput., vol. 39, no. 11, pp. 12–14, Nov. 2006.

[8] M. Anisetti, V. Bellandi, E. Damiani, F. Frati, U. Raimondi, and D. Rebeccani, “The open source virtual lab: A Case study,” in Proc. Workshop Free and Open Source Learning Environments and Tools, Lugano, Switzerland, 2006, vol. 6, pp. 5–12.

[9] C. Bonivento, L. Gentili, L. Marconi, and L. Rappini, “A web-based laboratory for control engineering education,” in Proc. 2nd Int. Workshop Tele-Education in Engineering Using Virtual Laboratories, Sherbrooke, QC, Canada, 2006, pp. 45–56.

[10] R. M. Nelson and A. N. M. S. Islam, “MES: A web-based design tool for microwave engineering,” IEEE Trans. Educ., vol. 49, no. 1, pp. 67–75, Feb. 2006.

[11] G. Scutaru, L. Rodrigues, P. Raes, and D. Sorea, “Didactical software tools on electrical circuits and electrical machines,” in Proc. 1st Int. Workshop e-Learning and Virtual and Remote Laboratories, Setubal, Portugal, 2004, pp. 12–19.

[12] J. García and Á. Alesanco, “Web-based system for managing a telematics laboratory network,” IEEE Trans. Educ., vol. 47, no. 2, pp. 284–294, May 2004.

[13] F. Colace, M. De Santo, and A. Pietrosanto, “Work in progress—Virtual lab for electronic engineering curricula,” in Proc. 34th ASEE/IEEE Frontiers in Education Conf., Savannah, GA, 2004, pp. 22–24.

[14] M. Grigoriadou, E. Kanidis, and A. Gogoulou, “A web-based educational environment for teaching the computer cache memory,” IEEE Trans. Educ., vol. 49, no. 1, pp. 147–156, Feb. 2006.

[15] J. Hu, C. Meinel, and M. Schmitt, “Tele-lab IT security: An architecture for interactive lessons for security education,” in Proc. 35th Technical Symp. Computer Science Education, Norfolk, VA, 2004, pp. 412–416.

[16] J. Hu, C. Meinel, and M. Schmitt, “Virtual machine management for tele-lab IT-security server,” in Proc. 10th IEEE Symp. Computers and Communications, Cartagena, Spain, 2005, pp. 448–453.

[17] T. Lammle, W. D. Tedder, and B. Tedder, CCNA Virtual Lab Gold Edition. Hoboken, NJ: Sybex, 2001.

[18] C. Goldstein, S. Leisten, K. Stark, and A. Tickle, “Using a network simulation tool to engage students in active learning enhances their understanding of complex data communications concepts,” in Proc. 7th Australasian Computing Education Conf., Newcastle, NSW Australia, 2005, pp. 223–228.

[19] E. Damiani, A. Esposito, M. Mariotti, P. Samarati, D. Scaccia, and N. Scarabottolo, “SSRI online: First experiences in a three-years course degree offered in e-Learning at the university of Milan (Italy),” in Proc. 11th Int. Conf. Distributed Multimedia Systems, Banff, AB, Canada, 2005, pp. 65–70.

[20] B. Devlin, J. Gray, B. Laing, and G. Spix, “Scalability terminology: Farms, clones, partitions, packs, RACS and RAPS,” Comput. Res. Repository, 1999, cs.AR/9912010.

[21] G. J. Popek and R. P. Goldberg, “Formal requirements for virtualizable third generation architectures,” Commun. ACM, vol. 17, no. 7, pp. 412–421, 1974.

[22] G. K. Thiruvathukal, “Gentoo Linux: The next generation of Linux,” IEEE Comput. Sci. Eng. Mag., vol. 6, no. 5, pp. 66–74, Sep./Oct. 2004.

[23] M. N. Garofalakis and R. Rastogi, “Network data mining and analysis: The NEMESIS project,” in Proc. Advances in Knowledge Discovery and Data Mining, 6th Pacific-Asia Conf., Taipei, Taiwan, 2002, pp. 1–12.

[24] C. Kreibich, “Design and implementation of netdude, a framework for packet trace manipulation,” in Proc. FREENIX Track: USENIX Annu. Tech. Conf., Boston, MA, 2004, pp. 63–72.

[25] “On the probable error of a mean,” Biometrika, vol. 6, pp. 1–25, 1908.

[26] N. Tolia, D. G. Andersen, and M. Satyanarayanan, “Quantifying interactive user experience on thin clients,” IEEE Comput., vol. 39, no. 3, pp. 46–52, Mar. 2006.

Marco Anisetti received the M.S. degree in computer science from the University of Milan, Italy, in 2004. He is currently working toward the Ph.D. degree in the Department of Information Technology, University of Milan.

His main research interests are computer vision, image processing with special regard to tracking strategies, and emotional state estimation by facial analysis. He is also involved in several research projects regarding GSM protocol and mobile phone electromagnetic fields prediction.

Valerio Bellandi received the M.S. degree in computer science from the University of Milan, Italy, in 2004. He is currently working toward the Ph.D. degree in the Department of Information Technology, University of Milan.

His research interests are in computer vision, location algorithm, and network communication protocol, with special regard to feature extraction methods and emotional state estimation by facial analysis. He is also involved in several research projects regarding link management protocol in optical network.


Alberto Colombo received the University degree in computer science from the University of Milan, Italy, in 2003.

He is currently working as Research Collaborator on TEKNE, an Italian funded project on business process automation. His research interests involve software engineering including process modeling, software requirements, and process measurement.

Marco Cremonini received the Laurea degree in electronic engineering and the Ph.D. degree in information systems from the University of Bologna, Bologna, Italy, in 1995 and 2000, respectively.

He is currently an Assistant Professor in the Department of Information Technologies, University of Milan. He has been an Associate Researcher at the Institute for Security Technology Studies (ISTS), Dartmouth College, Hanover, NH. His research interests include information systems security, economics of information technologies, and security technologies.

Ernesto Damiani (M’06) received the University degree in computer engineering from the University of Pavia, Pavia, Italy, and the Ph.D. degree in computer science from University of Milan, Milan, Italy, in 1987 and 1993, respectively.

He is currently a Professor in the Department of Information Technology, University of Milan. He has held visiting positions at George Mason University, Fairfax, VA, La Trobe University, Melbourne, Australia, and the University of Technology, Sydney, Australia. His research interests include knowledge extraction and processing, secure mobile, software process engineering, and open source. He has filed international patents and authored more than 100 refereed papers in international journals and conferences. He coauthored the book Human-Centered e-Business (Norwell, MA: Kluwer 2003).

Dr. Damiani is the Vice-Chair of the IFIP WG on Web Semantics (WG 2.12) and on Open Source (WG 2.13). He is also the Vice-Chair of the IEEE Technical Committee on Industrial Informatics.

Fulvio Frati received the University degree in computer science from the University of Milan, Italy, in 2004.

Since February 2005, he has been a Research Collaborator in the Information Technology Department, University of Milan. His research interests are in the areas of software engineering, Java programming, information security, distributed computing, access control, open source in e-Government scenario, and virtualization.

Joêl T. Hounsou received the Laurea and Ph.D. degrees from the Institut de Mathématiques et de Sciences Physiques, Porto-Novo, Bénin.

He is in charge of network laboratory activities at the Institut de Mathématiques et de Sciences Physiques, Porto-Novo, Benin. He was a Professor at the Master of Advanced Information Technologies, International Institute for Advanced Scientific Studies, Salerno, Italy, and an Associated Researcher at the International Center for Theoretical Physics (ICTP), Trieste, Italy.

Davide Rebeccani is currently a computer sciences student at the University of Milan, Milan, Italy. He is a Network Administrator in the Department of Information Technology, University of Milan. His interests are in the areas of operating systems, network administration, and security. Since 1997, he has worked on several types of open source operating systems such as Linux, FreeBSD, OpenBSD, and NetBSD. Currently, he is working on operating system virtualization for e-Learning systems and industrial OS development.