A Distributed Virtual Computer Security Lab with Central Authority

Similar documents
PDF hosted at the Radboud Repository of the Radboud University Nijmegen

Curriculum Catalog

CyberP3i Course Module Series

Title Core TIs Optional TIs Core Labs Optional Labs. All None 1.1.6, 1.1.7, and Network Math All None None 1.2.5, 1.2.6, and 1.2.

Networking interview questions

ก ก Information Technology II

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Title Core TIs Optional TIs Core Labs Optional Labs. 1.1 WANs All None None None. All None None None. All None 2.2.1, 2.2.4, 2.2.

Network Review TEJ4M. SBrace

CIW: Web Security Associate. Course Outline. CIW: Web Security Associate. 12 Oct ( Add-On )

Chapter 6 Connecting Device

ISO/OSI Model and Collision Domain NETWORK INFRASTRUCTURES NETKIT - LECTURE 1 MANUEL CAMPO, MARCO SPAZIANI

Study Abroad Programme

Why Firewalls? Firewall Characteristics

Cisco Networking Academy Curriculum - Semester Three Scope and Sequence

Computer Networks. Dr. Abdel Ilah ALshbatat Dept. of Communication and Computer Engineering Faculty of Engineering Tafila Technical University

Chapter Topics Part 1. Network Definitions. Behind the Scenes: Networking and Security

Electrical and Telecommunications Engineering Technology_TCET3142/TC570 NEW YORK CITY COLLEGE OF TECHNOLOGY THE CITY UNIVERSITY OF NEW YORK

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Computer Networks Course for M.Tech CS,AI and IT students (July Dec 2005)

CCNA Exploration Network Fundamentals

OSI Model with Protocols. Layer Name PDU Address Protocols Device

Wednesday, May 16, 2018

Course Outline. CCNA Cisco Certified Network Associate Routing and Switching Study Guide.

Course Outline. CCNA Cisco Certified Network Associate Routing and Switching Study Guide.

Course Outline. Pearson CISCO: CCENT/CCNA (ICND ) official cert guide.

Virtual-Machine-Based Network Exercises for Introductory Computer Networking Courses

Course Outline. Pearson CISCO: CCENT/CCNA (ICND ) official cert guide.

Introduction to Internetworking

Data Communications. Connecting Devices

Read addressing table and network map

Material for the Networking lab in EITF25 & EITF45

CN [Network Devices]

Title Core TIs Optional TIs Core Labs Optional Labs. All None 1.1.4a, 1.1.4b, 1.1.4c, 1.1.5, WAN Technologies All None None None

A Technical Overview of the Lucent Managed Firewall

Introduction to TCP/IP

Upon successful completion of this course, the student should be competent to complete the following tasks:

Hands-On TCP/IP Networking

CCRI Networking Technology I CSCO-1850 Spring 2014

ICS 351: Networking Protocols

COMPUTER AND DATA NETWORKS

Concept Questions Demonstrate your knowledge of these concepts by answering the following questions in the space that is provided.

Port Scanning A Brief Introduction

Identify the features of network and client operating systems (Windows, NetWare, Linux, Mac OS)

SE 4C03 Winter Final Examination Answer Key. Instructor: William M. Farmer

Introduction. An introduction to the equipment and organization of the Internet Lab.

CCNA 1 Chapter 7 v5.0 Exam Answers 2013

Networking By: Vince

Lecture: Chapter 1, Introduction to Computer Data

Navpreet Singh INTRODUCTION TO COMPUTER NETWORKS. Computer Centre Indian Institute of Technology Kanpur Kanpur INDIA

Module 11. OSI Model, Network Devices, and Network Standards

NT1210 Introduction to Networking. Unit 10

Fundamentals of IP Networking 2017 Webinar Series Part 4 Building a Segmented IP Network Focused On Performance & Security

CCNA Exploration Network Fundamentals. Chapter 3 Application Layer Functionality and Protocols

Firewall Simulation COMP620

PT Activity 8.6.1: CCNA Skills Integration Challenge Topology Diagram

Layer 4: UDP, TCP, and others. based on Chapter 9 of CompTIA Network+ Exam Guide, 4th ed., Mike Meyers

Computer Network Addressing. The TCP/IP Layers and Addresses. Topics. The Internet Communication. The TCP/IP Layers and Addresses IP Address

UNIVERSITY OF NEBRASKA AT OMAHA Computer Science 3550 Communication Networks

SJTU 2018 Fall Computer Networking. Wireless Communication

Operating Systems CS 571

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

03 The Internet Model and TCP/IP

Agenda. Before we start: Assignment #1. Routing in a wide area network. Protocols more concepts. Internetworking. Congestion control

Networking. Robotics is networking. Liam Paull, co-inventor of Duckietown and professor at University of Montreal

CCNA. Course Catalog

MODULE: NETWORKS MODULE CODE: CAN1102C. Duration: 2 Hours 15 Mins. Instructions to Candidates:

Computer Science and Engineering Technology Course Descriptions

CCENT ICND Pearson ucertify. Course Outline. CCENT ICND Pearson ucertify. 26 Mar

Internetworking Basics

NFS is an acronym for Network File System, so it should come as no surprise that

Scope and Sequence: CCNA Exploration v4.0

Student Lab Manual. Student Lab Manual. Network Communications Infrastructure IS3120

Defining Networks with the OSI Model. Module 2

Computer Networks/DV2 Lab

User Datagram Protocol(UDP)

Switching & ARP Week 3

ROYAL INSTITUTE OF INFORMATION & MANAGEMENT

Networking for Data Acquisition Systems. Fabrice Le Goff - 14/02/ ISOTDAQ

TRANSMISSION CONTROL PROTOCOL. ETI 2506 TELECOMMUNICATION SYSTEMS Monday, 7 November 2016

Software Engineering 4C03 Answer Key

Chapter 14: Introduction to Networking

Course Outline. CompTIA Network+ Deluxe Study Guide Third Edition (Course & Labs)

Wired internetworking devices. Unit objectives Differentiate between basic internetworking devices Identify specialized internetworking devices

while the LAN interface is in the DMZ. You can control access to the WAN port using either ACLs on the upstream router, or the built-in netfilter

HP OpenVMS Network Administration Exam.

CMPE 150 Winter 2009

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Course Outline. CompTIA Network+ N Pearson ucertify Course and Labs. CompTIA Network+ N Pearson ucertify Course and Labs

CCNA 1 Final Exam Answers UPDATE 2012 eg.1

Using Ethereal As A Tool For Network Security Mentor: Mr. Christopher Edwards Team Members: Jerome Mitchell, Anthony Anderson, and Napoleon Paxton

OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

TCP/IP Fundamentals. Introduction. Practice Practice : Name. Date Period

Computer Networks - Xarxes de Computadors

Data Communications and Networks Spring Syllabus and Reading Assignments

This course prepares candidates for the CompTIA Network+ examination (2018 Objectives) N

Cisco Exam Cisco Interconnecting Cisco Networking Devices Part 1 (ICND) Version: 12.0 [ Total Questions: 202 ]

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

CCNA Boot Camp. Course Description

Introduction... xiii Chapter 1: Introduction to Computer Networks and Internet Computer Networks Uses of Computer Networks...

Transcription:

A Distributed Virtual Computer Security Lab with Central Authority Jens Haag, Tobias Horsmann, Stefan Karsch Cologne University of Applied Sciences, Germany Harald Vranken Open Universiteit, Netherlands

Introduction Learning Scenario Computer Security Lab Virtual Computer Security Lab Agenda Distributed Virtual Computer Security Lab (DVCSL) Functional Principles Central Authority Conclusion and Future Perspectives 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 2

Learning Scenario I Teaching security of computer systems and networks (IT Security) Basics (e.g. network configuration, routing) Advanced content (e.g. security management and measurements, firewalls) Students learn the theoretical background in lessons from textbooks Knowledge is illustrated, deepened and anchored by carrying out practical exercises Teaching IT Security Theoretical Background Practical Exercises 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 3

Learning Scenario II Example exercise: Setup, configure and secure a network Server, which provides services Router with firewall Client Students can gather several practical experiences Configuring the network interfaces and the routing Providing and using internet services, e.g. HTTP, SSH, FTP Adding security measures, e.g. configuring the firewall Attacks ( Hacking ), e.g. Buffer Overflows 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 4

Computer Security Lab At the university: Room containing computer systems Network isolated from the outside world (Internet) Group work is possible Students work with super-user rights After a session, reinstalling the operating system may be necessary Not suited for distance learning Significant administration effort necessary Usually closed in the evening hours and on weekends 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 5

Virtual Computer Security Lab (VCSL) General idea: Move the lab to the students Computer Security Lab nested in a virtual environment Stand-alone environment, composed of two virtualization layers Layer : Between Host machine and Virtual host machine Based on free virtualization software (e.g. VMware player, Oracle VirtualBox) Typically runs on almost all student computers Layer : Between Virtual host machine and highly resource efficient scalable UML virtual machine Based on Netkit, applies User Mode Linux (UML) Multiple virtual hosts and isolated, virtual network(s) UML virtual machines in virtual network Virtual host machine Host machine 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 6

Using the Virtual Computer Security Lab Our VCSL is an isolated secured software environment Provided to the students on a DVD Can easily install and run on students own computer (Virtual) Hardware setup for the example exercise Start the VCSL environment Issue 3 commands Three virtual hosts Network interfaces in separated broadcast domains vstart server --eth0=neta vstart router --eth0=neta --eth1=netb vstart client --eth0=netb 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 7

Experiences with the Virtual Computer Security Lab Advantages of the current VCSL version Students can work wherever and whenever they want Reduced administration effort Students can use their own computer, no extra hardware required Decentralized approach usable for distance education Already used successfully in a IT Security course by more than two hundred students with only few minor problems Disadvantages of the current VCSL version Students work alone, group work is not possible University cannot assist or grade the work of students 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 8

Distributed Virtual Computer Security Lab (DVCSL) Improvement: Distributing the virtual lab DVCSL Goals Two or more geographically distant students connect their local VCSLs across an external intermediate network (e.g. the internet) Synchronous group work, assigning roles and tasks for performing assignments (e.g. Hacker, Administrator, User) Scenarios closer to the situation in real networks Preserving the properties of a computer security lab (e.g. isolated network) DVCSL should unite the benefits of working independent from time and location, offering the possibility for group work 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 9

DVCSL Functional Principles - Requirements Students should have the impression of being connected within an Ethernet LAN Connected virtual networks must behave like a single broadcast domain Requires transparent connection on OSI-layer 2 (Data Link Layer) Requirements Extracting and injecting network data on virtual network level Sending and receiving the extracted network data 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 10

DVCSL Functional Principles Basic Architecture Virtual networking architecture of Netkit/UML Virtual hosts (VH) communicate with each other by using UNIX-Socket and UML-Switch Each virtual network has its own, separated instance of UML-Switch and UML-Socket VCSL VH NetKit VH Virtual Network Guest Operating System VH s and UML-Switch are attached to one UNIX-Socket UML-Switch listens for incoming data sent by the VH UML-Switch reads the data and writes it to all other connected VHs (HUB-like behavior) A host in a virtual network receives all data sent by other hosts within the virtual network VH Virtual Machine Host Operating System VH UNIX-Socket UML-Switch Virtual Network 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 11

DVCSL Functional Principles - Extension Extending Netkit/UML with an additional interface New software component, not jailed in the Netkit environment Access to virtual network and WAN, e.g. the internet VH VH UNIX-Socket UML-Switch Virtual Network Extracting and injecting (ghost host - GH) Invisible host connected to the virtual network Can read and write ethernet frames via UNIX-Socket Sending and receiving (remote bridge endpoint - RBE) Encapsulates ethernet frames in transport protocol (IP) Distant networks cannot intercommunicate with WAN VH VH UNIX-Socket UML-Switch GH RBE 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 12

DVCSL Functional Principles Example Architecture Architecture layout example Two students with VCSL s Each VCSL has two virtual host Direct (P2P) connection between students computer Isolated network due to encapsulated ethernet frames VH VH UNIX-Socket UML-Switch GH RBE IP TCP / UDP GH RBE Ethernet Link Layer Transport Layer Network Layer VH VH UNIX-Socket UML-Switch 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 13

Experiences with the DVCSL Interface can connect two virtual networks Transparent Small and lightweight additional software component No need to modify Netkit or UML Students must know the IP addresses of their remote partner(s) Additional network configuration on virtualization layer Connection of three or more VCSLs is possible, but can lead into infinite circular flow of network packets Requires careful planning by students May consume too much time 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 14

DVCSL with Central Authority (CA) I Further improvement: Central Authority Goals Optimize organization and management when students work together Reduce administration effort for students on their PCs DVCSL with CA The CA is typically hosted at the university Each student can connect one or more virtual networks to the CA in one session Additional session can be opened and closed on demand 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 15

DVCSL with Central Authority II CA acts as a point of distribution (session layer) Network data, which is send between virtual hosts in different VCSLs, is forwarded transparently Deterministic behavior, no circular flow of network packets CA offers management functionality (control layer) Different groups of students can work in separate DVCSLs No additional network configuration needed CA can observe user interaction and network data Identify course students (user authentication) Inspecting network data Active probing (e.g. ping) for monitoring remote VCSLs 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 16

Using the DVCSL with Central Authority Control layer used by students to operate the DVCSL Querying a running session Creating a new session Joining a session Deleting a session Student A // Start server with network vstart server --eth0=neta // Connect neta to CA connect neta to <ip of CA>:<port> // Create a new session create session_a // Join the session join session_a Simplified example: Connect two hosts Student A opens a remote session_a Student B joins session_a Student B // Start client with network vstart client --eth0=neta // Connect neta to CA connect neta to <ip of CA>:<port> // Query running sessions on CA query sessions // Join the session from Student A join session_a 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 17

DVCSL with Central Authority Example Architecture Architecture layout example Two students with remote VCSLs Each VCSL runs one virtual host Connected within one session Control Layer Session Layer Control Channel Student A VH GH R B E Event data DVCSL Central Authority Session A Distributor Session Channel Control Channel Network data R B E Event data GH Student B VH Scalability Students Hosts Virtual Networks Sessions VCSL Virtual Network NetKit Guest Operating System Virtual Machine Host Operating System IP TCP / UDP Ethernet OSI-Layer 2 OSI-Layer 4 OSI-Layer 3 Virtual Network NetKit Guest Operating System Virtual Machine Host Operating System VCSL 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 18

Conclusion Remote students can perform network security exercises inside an encapsulated common networking environment Existing VCSL environment (Netkit/UML) enhanced by a communication interface Ghost host Remote bridge No need to modify existing components Added a Central Authority Simplifies the administration effort Can assist students in various ways Server Router (Firewall) Client Student A Student B Student C 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 19

Short-term goals Future Perspectives Adding a suitable user management Work out customized assignments Create a final simplified DVCSL distribution Using and evaluating the DVCSL-CA environment during next semester Long-term goals Additional channel for user interaction (e.g. chat) Assist students (e.g. automatic feedback program) Use DVCSL s session data to grade students work 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 20

Thank your for your attention! Please ask your questions E-Mail: jens.haag@fh-koeln.de 08.04.2011 A Distributed Virtual Computer Security Lab with Central Authority 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback