
A Laboratory Based Course on Internet Security

A Laboratory Based Course on Internet Security. Prabhaker Mateti Wright State University Dayton, OH 45435 NSF DUE-9951380. Goals. Awareness of Security Issues Teach security improvement techniques Explain how exploitable errors have been made in the development of software.


Presentation Transcript


  1. A Laboratory Based Course on Internet Security Prabhaker Mateti Wright State University Dayton, OH 45435 NSF DUE-9951380

  2. Goals • Awareness of Security Issues • Teach security improvement techniques • Explain how exploitable errors have been made in the development of software. • Raise the level of ethics awareness • Bring attention to legal issues Mateti/WrightStateU

  3. Assumptions in the Course Design • Beliefs? • Lab-oriented? • Whole course or Distributed into … • Required or Elective? • 10 weeks or 15?

  4. The course needs to be lab-oriented. “I hear and I think. I see and I remember. I do and I know.” -- Confucius

  5. Should be a course by itself. • Integrating security concepts into other courses is very difficult. • Easier to propose and implement an entire course that is new.

  6. Should be a Required Course. • Security exploits have become way too common. • Can motivate why Software Development should be a more rigorous discipline. • Many security topics synthesize what is learned in several disparate and un-integrated courses.

  7. Can only be an Elective Course. • Most BS Degree Requirements are too full of core and required courses. • Required Courses cannot be “downgraded” to Electives. • Cannot even re-work n required courses into m required courses, m < n. • Is it a “discipline” ?

  8. Term or Semester Course • Both must be accommodated: Term = 10, semester = 15 weeks • At WSU …

  9. Course Logistics • Lectures on topic one per week • Lectures on experiment one per week • Lab experiments one per week • First week, only lectures. (May be second week too.)

  10. Currently Available Material • Books • Websites • Courses elsewhere

  11. Books on Security • Many books, > 500 • Academic text books, in the tens. • Garfinkel and Spafford 1996/2003, Practical UNIX & Internet Security, O'Reilly. • Rubin 2001, White-hat Security Arsenal, Addison Wesley. • Stallings 1998, Cryptography and Network Security, Prentice Hall. • Bishop 2003, Computer Security, Addison Wesley.

  12. Amazon.com book search results (2003/02/19, 19:00 PST)

  13. Web Sites • “There is an oceanic amount of material on network security available over the Internet.” -- A Web Page. • How do we define a “Security Web Site”? • 1000+ web sites

  14. A Few Chosen Security Websites • www.incidents.org • www.cert.org • www.cerias.purdue.edu • www.securityfocus.com • lwn.net/security • www.microsoft.com/security • www.phrack.com

  15. Courses Elsewhere • Many “commercial” courses. • Academic courses: • Mostly graduate level • Focused on cryptography • Principles and concepts only • Projects, not Lab Experiments • E.g., theory.lcs.mit.edu/~rivest/crypto-security.html • Thirty-six Centers of Academic Excellence in Information Assurance Education sponsored by NSA: www.nsa.gov/isso/programs/nietp/newspg1.htm

  16. What We Developed • About 30 lectures, 75 minutes each. • About 25 lab experiments, 2 hours each • Security Lab setup details. • Collected articles on Ethics and Legal Issues. • Past exams, and links to code. • A support website, with the above. • At WSU, introduced a new course, CEG 429: Internet Security.

  17. Overview of Course Contents • Depth v Breadth • Choice of Topics • Design of Experiments • CEG429 week-by-week

  18. Depth v Breadth • Discuss current security breaches and protection measures → breadth. • Conduct experiments knowledgeably → depth.

  19. “Internet Security” • Trojan Horses, Viruses and Worms • Privacy and Authentication • TCP/IP exploits • Firewalls • Cryptography • Secure Config of Personal Machines • Buffer Overflow and Other Bug Exploitation • Writing Bug-free and Secure Software • Secure e-Commerce Transactions • Ethics and Legal Issues


  21. Typical Article on our Website • Title • Summary • Educational Objectives • Background Information • Pre-Lab and Suggested Preparation • Procedures • Appendix A: Acronyms • Appendix B: Further Reading Links • Appendix C: Notes to TAs • Procedures • Step 1, 2, … • Achievement Test • Concluding Activities • Demo • Witness Report • Lab cleanup • Report on the Experiment

  22. Lab Experiments Developed • Experience serious nuisance. • Viruses, Worms, and Trojans. • Boot from power up to login • System Administration. • Password Cracking Tools.

  23. Lab Experiments Developed • One-time passwords, and secure shell. • Privacy Enhancing Tools. • Securely configure a Linux PC. • Fortification of a System. • Build a hardened kernel. • Setup a router. • Install and Run a network sniffer.

  24. Lab Experiments Developed • Hijack an on-going telnet session. • User authentication and spoofing. • DNS spoof. • Download a rootkit and install. • Install and discover back doors • White-Hat Security Tools.

  25. Lab Experiments Developed • Buffer Overflow Exploits. • Packet Filter Firewall. • Probing For Weaknesses. • Denial-of-Service Attacks. • Design Weaknesses of TCP. • Security Audit. • IPv6-enabled kernel, and tools.


  27. Ethics • Sign on to our Ethics Statement • The Ethics of Hacking. A discourse by "Dissident" www.attrition.org/~modify/texts/hacking_texts/hacethic.txt • The Hackers Ethic. The six tenets from Steven Levy, "Heroes of the Computer Revolution". project.cyberpunk.ru/idb/hacker_ethics.html • OSU Ethics Website. www.cgrg.ohio-state.edu/Astrolabe • Codes of Ethics from ACM+IEEE. • www.onlineethics.org • www.ethics.org

  28. Ethics Statement • In this course I am learning network and computer security principles. It is a 10-week long course, with a prerequisite of general understanding of operating systems and computer networks. I realize that this learning is just a beginning. • I assure the instructor, the University, and the world that I am a caring, responsible, and principled person. I will help create a better world. Never will I engage in activity that deprives others in order to benefit from it. • The techniques and links that I am exposed to are for educational purposes only. As a power user of computers and future network or systems administrator, I must be familiar with the tools that may be used to bring a network down. I may engage in a legitimate form of hacking, or more precisely, ethical hacking, as a consultant who performs security audits. This is the driving force in learning the past attack techniques. • I will not directly provide anyone with the tools to create mischief. Nor shall I pass my knowledge to others without verifying that they also subscribe to the principles apparent in this statement. • I will not engage in or condone any form of illegal activity including unauthorized break-ins, cracking, or denial of service attacks. ___________________________ Name of the student ___________________________________ Signature and Date

  29. Internet Security Lab Setup • PCs, NICs, Switches, Cables • Each PC with 2 NICs • Physically Isolatable • Private Network • Linux-based Firewall-cum-Router

  30. OSIS: Operating Systems and Internet Security Lab • Room 429, Russ Engineering Center, WSU • In continuous use since November 1999 • 26 PCs in the lab for students' use, and one web server, one router, one file server, and one PC for re-configuration experimentation. • Shared Lab • Operating Systems Courses, CEG 433,434 • Distributed Computing Courses, CEG 730,830 • Multiple Operating Systems

  31. OSIS: Operating Systems and Internet Security Lab • 1999 Lab: 26 PCs (PIII 450MHz, 128 MB RAM, 13 GB HDD); 8 Fast Ethernet Switches; Operating Systems: Caldera Open Linux 2.3, Kernel 2.2.10, Windows NT 4, Windows 98 SR2 • 2003 Lab: 26 upgraded PCs (2*PIII 450MHz, 512 MB RAM, 13 GB HDD); 8 Fast Ethernet Switches; Operating Systems: Mandrake Linux 8.2/9.0, Linux 2.4.x, Windows XP, Windows 98 SR2

  32. OSIS: Operating Systems and Internet Security Lab • All the PCs are on a private LAN • One Fast Ethernet switch for each group of 4-6 PCs. • Each PC is loaded with • Linux Mandrake 8.2/9.0 • Windows XP • Windows 98. • Boot into one of these via ntldr

  33. osis111.cs.wright.edu • All the lab PCs: 192.168.*.* • router.osis.cs.wright.edu = 192.168.17.111 • osis111.cs.wright.edu = 130.108.17.111 • IP Filtering Router Firewall • All Internet connections are through the Firewall • IP masquerading

  34. Security Software • Secure Shell, PGP, … • Firewall Kits • Tools • Top 50 Security Tools survey from www.nmap.org • http://www.packetfactory.net • nmap, SAINT, … • tcpdump, ethereal, snort, … • Password cracking • Tcpwrapper

  35. Lab Maintenance • Individual student logins. • Students need to be superusers. • Reload OS images periodically. • Update packages. • Forgotten passwords, etc. • Students' files are not archived.

  36. Cloning the OS Images • Setup a Golden Client. • Several cloning tools exist: • Symantec Ghost • Open source SystemImager • Open source UDPcast • None of the above deal (well) with multiple file volumes from multiple OS. • Takes about 45 minutes for 26 PCs • Individualize Each PC • Hostname • IP address • Ssh host keys
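
The "Individualize Each PC" step from slide 36, as an added shell example that is not part of the original presentation: it writes a per-machine hostname and IP address and replaces the SSH host keys inherited from the golden client. The `labpcNN` naming, the `192.168.17.N` addressing, the Red Hat-style config paths and the `ROOT` staging prefix are assumptions.

```shell
#!/bin/sh
# Added example: give one freshly cloned lab PC its own identity.
# Assumed, not from the slides: hostnames labpcNN, addresses 192.168.17.N,
# Red Hat-style config paths, and a ROOT prefix for rehearsing on a staging dir.
LAB_PREFIX="192.168.17"     # assumed subnet inside the lab's 192.168.*.* range
GATEWAY="192.168.17.111"    # router.osis.cs.wright.edu, as given on the slides

node_name() { printf 'labpc%02d\n' "$1"; }
node_ip()   { printf '%s.%s\n' "$LAB_PREFIX" "$1"; }

write_identity() {          # usage: write_identity ROOT N   (N = 1..26)
    root=$1; n=$2
    # Reject empty, non-numeric and zero-padded input (printf reads "08" as octal).
    case $n in ''|0*|*[!0-9]*) echo "bad node number: $n" >&2; return 1 ;; esac
    [ "$n" -le 26 ] || { echo "node $n out of range" >&2; return 1; }
    mkdir -p "$root/etc/sysconfig/network-scripts" || return 1
    printf 'NETWORKING=yes\nHOSTNAME=%s\nGATEWAY=%s\n' \
        "$(node_name "$n")" "$GATEWAY" > "$root/etc/sysconfig/network"
    printf 'DEVICE=eth0\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=255.255.0.0\nONBOOT=yes\n' \
        "$(node_ip "$n")" > "$root/etc/sysconfig/network-scripts/ifcfg-eth0"
}

regen_host_keys() {         # usage: regen_host_keys ROOT
    root=$1
    mkdir -p "$root/etc/ssh" || return 1
    # Every clone inherits the golden client's private host keys; anyone with
    # root on one PC could then impersonate the others. Delete them all first.
    rm -f "$root"/etc/ssh/ssh_host_*key*
    for t in ed25519 ecdsa; do
        ssh-keygen -q -t "$t" -N "" -f "$root/etc/ssh/ssh_host_${t}_key" || return 1
    done
}

host_key_fp() {             # usage: host_key_fp ROOT TYPE -> key fingerprint
    ssh-keygen -l -f "$1/etc/ssh/ssh_host_${2}_key.pub" | awk '{print $2}'
}

# Run as: individualize.sh ROOT N   (ROOT=/ on the real machine, as root)
if [ "$#" -eq 2 ]; then
    write_identity "$1" "$2" && regen_host_keys "$1" &&
        echo "$(node_name "$2") $(node_ip "$2") $(host_key_fp "$1" ed25519)"
fi
```

Comparing the printed fingerprints across all 26 machines after a reload confirms that no two PCs still share a host key.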

  37. Teaching Experience • Lectures must be updated to keep up with software patched to the latest versions. • Most students take the course in their (semi-) final term. • Cannot find knowledgeable TAs.

  38. Learning Experience • Considerable amount of “wow” effect. • “We really learned a lot!” • Prerequisite: • Computer Networking, CEG 402: Wrong? • Operating Systems, CEG 433: Right?

  39. Goals Achieved • Awareness of Security Issues • Teach security improvement techniques • Explain how exploitable errors have been made in the development of software. • Raise the level of ethics awareness • Bring attention to legal issues • Taught: yes. Learned: yes. Believe in it: maybe.

  40. By-Products: Students are … • More at ease with real hardware and real software – not a black box any more. • Amazed at the Open Source movement, but do not understand.

  41. If I may urge you … • Introduce a course like this into your curriculum. • Peer-Review the articles on our web site.

  42. Links • CEG 429 Home Page: www.cs.wright.edu/~pmateti/Courses/429 • OSIS Lab Home Page: www.cs.wright.edu/~pmateti/OSIS • Support Web Site: www.cs.wright.edu/~pmateti/InternetSecurity/
