0229590_C6FC0_solomon_negash_michael_e_whitman_amy_b_woszczynski_handbook

model was selected, the design of the classroom became the next priority.

In each of the following sections, a specific component of the distance learning program is presented, beginning with the requirements to convert a standard instructional classroom to a distance learning-capable instructional platform.

Subsequent sections address the specifics of laboratory exercise support, and server-side file sharing.

Classroom Support

Building on a standard classroom equipped with a data projector and laptop connection capabilities, thedesignteambegantoevaluateavailablemarket for instructional components. After looking and experimenting with a number of solutions, the faculty selected Camtasia (http://www.techsmith. com/camtasia.asp), a program typically used for creating application computer-based training courses. The tool contains the ability to record screens ranging from a specific application window to full-screen, and integrate audio from the system or external sources. The next step was to select a platform to host the DL instruction. Based on the instructional methodology currently employed, the faculty desired to capture a live lecture, thus optimizing their work effort. The faculty selected Tablet PCs to incorporate both the Camtasia software, and the integral Windows Journal allows the importation of a slideshow, yet allows the instructor to add blank slides to use as whiteboards on the fly. With the combination of Camtasia and Windows Journal running on the Tablet PC, the instructor essentially has a mobile instructional workstation they can create and use slideshows, whiteboards, Web sites, and applications. Sound was integrated with the incorporate of an external wireless microphone solution, converting the ¼” output to 1/8” and connecting to the microphone port on the Tablet PC. By connecting this solution to the in-class data projector, the instructor eliminates the need

to use the whiteboards and can both lecture and record at the same time.

Once a lecture is recorded with Camtasia, it can be rendered into a number of formats. The faculty selected Windows Movie (.wmv) format sinceitiswidelycompatible,andoffersreasonably goodcompressionkeepingthesizeofmediafiles to a manageable size. The Camtasia application allows for granular configuration of both audio and video rates to balance file size and quality of recordings. The lectures were then posted on a password-protected Web site for student download.

At one point the faculty considered mediabased distributed recordings, and even pilot tested one application. This application allowed the protection of recorded media (CD or DVD) integratinganapplicationallowingtheuseofpassword restrictions. Unfortunately this application requiredaper-copylicense(ofapproximately$.25) making it unusable for mainstream courses. Since that time the emergence of freeware encryption utilities like TrueCrypt (http://www.truecrypt. org/) make this option more feasible. Instructors create a password protected TrueCrypt volume, insert the lecture, and then copy it to CD/DVD for distribution. The TrueCrypt volume creates an encrypted container securing the content from unauthorized access.

Course Support

The next phase in the design of the DL support for theinformationsecurityprogramwastorelyheavily on the university course support application, WebCT and eventually WebCT Vista, for student assignments,submissions,andnotifications.With the ability to archive and upload subsequent sections, the solution, while far from ideal, was the best available. The optimal solution would be one that integrated the recorded lectures with the coursesupportmaterialsintheenhancedrecorded lecture format discussed earlier.

Project and Team Function Support

Many postsecondary educational programs seek to engage the student in group work. This is a valuable way for students to gain experience in using the theory taught in the lecture components of classes. It is also an important extension to student capabilities as students learn to work well in group tasks,asetting thatisusedinmany business tasks. This practical exposure to project work, almost universally valued by future employers, is less easily attained when student take courses that rely on DL techniques. Some mechanism is necessary in the DL approach to offer students these course experiences in teamwork.

Replicating the project team experience is possible using distance learning approaches, but requires the course instructor to create an environment that encourages student engagement and participation. Discussion boards and groupware support tools that enable file sharing can be included by the instructor into an approach that brings students together in a virtual way to collaborate on completing assignments and performing project work.

Legal Issues

An important consideration for the migration of information security classes to online variants, and equally a concern for other programs, is the management of protected intellectual property. While current copyright law allows for more liberal use of information for educational support, oncethatmaterialisplacedinapubliclyaccessible location, it is considered republished and different rules apply. The protection of IP requires faculty and students alike to ensure that any information distributed as part of the educational process is restricted to those involved in the curriculum. The use of password protected storage locations is essential. The use of course-support sites like Blackboard or WebCT provides a mechanism that assists the faculty in retaining control of the IP,

and thus avoiding potential legal issues. Nemire (2007) provides additional considerations.

distance leaRning and the infoRMation secuRity laboRatoRy

Avaluableextensiontothelearningininformation security education occurs when students experience hands-on laboratory exercises (labs). The creation and operation of information security labs have sufficient challenges of their own. The needs and approaches used to deliver lab experiences and the physical makeup of information security lab facilities has been documented extensively elsewhere. It is possible to replicate all aspects of the lab experience in a remote access environment,whenitisnecessary.Theavailability of the requisite bandwidth and the technological infrastructure to make it a success will be dependent on the resources and circumstances of each situation.

As evidenced by Duan, Hosseini, Ling, and Gay (2006), integration of hands-on laboratories with distance learning infrastructures requires considerable examination. Once labs are removed from the local, physical requirement to a global, online availability, the ability to offer virtually any InfoSec course online becomes feasible. As we consider how to bring lab experiences to distance learning students, five options have been identified. These options are not mutually exclusive, rather they offer the instructor a range of possibilities that can be combined as needed based on the learning outcomes being sought and technical infrastructure that are available. These options are: physical presence, student’s facilities, loaned facilities, VPN to physical lab, and VPN to virtual lab. These options are explained below and shown in Table 1. A fourth option is to use VPN access to lab LAN and then remote operation of the lab’s physical devices. The final option is to use VPN access to lab LAN and then use of virtual lab systems.

hardware options

When implementing distance labs, the hardware environment will dictate what can be accomplished. When Option 1 is used and students must attend a physical lab, shared use labs are often in place. In this case, the instructor must use what is available. When possible, attempt to make the lab systems capable of network segregation (see next section).

Option2willbenefitfromspecifyingcapabilities for students to acquire rather than specific devices. For instance, an instructor may instruct students to have a broadband Internet connection, a broadband router, a Microsoft Windows PC, and a Linux PC among other requirements. The more flexibility that is built into the specifications, the more likely it will be that students can comply.

WhenOption3ischosen,equipmentshouldbe specifiedtomaketransportationandconfiguration as straightforward as possible. The use of small networking devices and laptop computer systems canmakeispossibletotransportanentirenetwork configuration in a relatively small container.

Table 1. Distance learning lab options

Option 4 can be accomplished with a mediumor high-speed network connection and a moderately priced VPN concentrator. Many small office/home office (SOHO) grade routers also offer inbound VPN functionality that can support this capability.

In order to facilitate remote virtual operation, one or more server systems will be required.

These systems can be configured with a product like Microsoft Virtual Server or VMWare GSX server. This will enable the instructor to preposition operating system virtual containers or require students to build their own operating system images.

network options

Once again, while legacy and shared lab designs are not incompatible with the needs of the InfoSec lab curriculum, some factors in network implementation can make operating an InfoSec lab easier. The strongest case for specialized design is in the area of network architecture since Infosec lab assignments have a unique nature. A certain

minimum degree of isolation is required for some InfoSec exercises, and keeping the use of some software tools away from the campus network may be advisable. This is equally applicable for physical as well as virtual labs.

Default Route to Campus

The usual circumstance on many campuses is to use default routing to the Internet. This is where every client can get to the Internet for outbound requests.Whetherornotoutsidetrafficisallowed to connect to campus servers or is allowed only to specificaddressesand/orportsusingafirewallis a matter of campus policy. For lab purposes, the inbound situation is not usually an issue.

Using Network Address Translation

One common practice is to take the lab computers to local addressing. By using a locally hosted dynamic host control protocol (DHCP) server that uses network address translation (NAT), the lab computers can be kept somewhat isolated from the campus local network and still allow access to the Internet for browser access.

When making the lab subnet a nonroutable network using local addressing, you preclude lab students’ activities using lab computers from inadvertently spilling over into the campus network. This will not necessarily preclude purpose misadventuresbystudents,butwillcertainlymake themiscreantsidentifiabletocampusnetworkad-

Table 2. Reserved nonroutable address ranges

ministrators,sincealltrafficcomingfromthelab will have the lab router address assigned to it.

The equipment used to isolate the lab network can be one of three grades: residential, SOHO, or commercial. Along this continuum, the expense increases along with reliability and robustness of the devices. At KSU, initial attempts to use a server computer using Microsoft 2000 Server to provide DHCP and NAT found it was less reliable than required and took more than expected effort to configure. This solution was replaced using a residential grade cable/DSL router. This worked and was easy to configure, but required occasional rebooting and experienced unreliable performance. By increasing the asset from one with a cost of about $45 to one with a cost of about $800, a very reliable mainstream SOHO router can give near-commercial reliability within the reach of most lab budgets. An added benefit is that devices in this price range will provide the inbound VPN capabilities needed to support Options 4 and 5 for distance learning.

DMZ with Hardware Appliances

If the budget permits (or the vendor makes a donation) the lab designer may want to consider putting in all of the essential devices for a full blown screened subnet such as is used for commercial Web enterprises. Since this is an option that will provide all of the capabilities needed in any lab setting, the only comment is that if you can afford it, or have it donated, get the expert

help you will require to get it fully configured and ready for use.

Internal Lab Subnets

Within the lab subnet, the distribution options are many. One option is to provide a home wiring run for each computer to a central hub or switch. Another option, which can be used to good effect for group assignments on firewalls and intrusion detection systems, is to have clusters of client computers use small (4-8 port) hubs or switches to enable day-to-day individual connectivity and ad hoc group segmentation when necessary for project assignments.

Best Practice Recommendations

The KSU experience has been that using a SOHO router that then has a tier of true 8-port hubs for clusters of three or four client computers provides aworkablemixofreliabilityandflexibilitywithout exceeding our available budget.

operating system options

When exploring some areas in InfoSec, especially in the area of vulnerability assessment, it is very useful to have multiples operating systems, perhapsmultipleconfigurationsofmultipleoperating systems available to the each student in the lab. This can be done in a number of ways including use of removable disk drives, using multiboot operating system features, and the use of virtual computer images.

Using Removable/Selectable Drives

When there is a need to use multiple operating systems (OS) in serial fashion (there is no need to have a student use more than one OS at a time) using removable or selectable hard drives is a viable solution. This applies to the boot drive, not

the use of a removable expansion drive. There are a number of vendors that provide receiver and carrier combinations that permit the removal and replacement of a hard drive. Using this is as a boot drive does not present any serious issues. One problem that may arise is when the lab is administered using the Ghost image management software. This gives rise to a problem where each computer is identified to the Ghost server and not the drive that is mounted. It means that the automated image management features are not useable and manual image copying must be used, creating a bit more work.

Using Multiboot Systems

Anotheroptionistocreatemultiplebootpartitions on the system drive of the client computer. This gives the student or lab administrator the ability to select the OS to run at startup time. Once again this enables the client computer to run one OS at a time. The advantage is that each OS is fully native and has full and complete native access to all of the hardware. There are additional approaches in this broader category, one such being HyperOS (http://www.hyperos2002.com/) that enables multiple Windows images to be swapped about in real time. The authors have not used this tool, but testimonials and vendor claims appear make this appear to be a viable and realistic option.

Using Virtual Images

When a lab student needs to access multiple computers with different (or the same) running operating systems, the choices are multiple computer systems, each booted to run the needed OS or the use of virtual OS images. Two widely used products are available for this purpose: VMWare and Microsoft Virtual PC. VMWare (http://www. vmware.com/) is a software application that runs in Windows or a Unix variant. Once the VMWare application is running the user can then activate

as many other images as the client computer’s resources can support. With a stout client configuration(emphasisonlargeRAM),itispossible torunthreetofiveimagesinadditiontothebase image running VMWare itself. VMWare images can be built for any operating system that supports the Intel 32-bit architecture. VMWare provides bridged network access to the host computers network interface card and also allows managed control of all of the host OS resources and devices. VMWare tools are provided for select guest OS choices that enable improved information sharing between the host and guest and also easier operation of the interface as the user switches between running guest systems.

A competitor to VMWare is Microsoft Virtual PCorVPC(http://www.microsoft.com/windows/ virtualpc/default.mspx). Virtual PC is a software virtualization solution that allows users to run multiple PC-based operating systems simultaneously on one computer. The package runs on Windows XP Professional and has many similarities to VMWare in how it functions. One advantage offered to the academic community is that VPC is available under the Microsoft Academic Alliance licensing program (http://msdn.microsoft.com/ academic/program/factspage/). If the institution is already associated with this program, it is possibletooutfitalllabsfornoadditionalcost.Ifnot, this program alone can justify the annual cost per department. VPC and VMWare allow the client computer to have one stable OS that supports the virtual computer application. The application in turn can operate multiple simultaneous different OS images, making them all available to a bridged local network inside the host computer and also to the lab network.

When Option 5 is in use, the virtualization is best accomplished using a server virtualization platform such as VMWare GSX or Microsoft Virtual Server. These tools use the same approach as noted in the previous paragraphs, but have scaled them up for multiple simultaneous users.

best PRactice RecoMMendations

The KSU experience has been that using a stable and consistent lab computer platform such as

Windows XP, configured in such a ways that student reconfiguration is not easily done, gives rise to more reliable lab experiences for all students. Using virtual images with a product such as VMWare or Virtual PC allows the student to select from the necessary operating system for each learning element, and in those situations where warranted allows simultaneous execution of different operating systems (such as a Linux server and a Windows client) under the direct control of the student and/or the instructor. This includes establishing multiple security targets on a single client workstation or classroom server for examination and assessment by students. KSU has used both VMWare and VPC; however, current licensing cost considerations mandate our use of VPC.

software options

When it is time for the students to use the lab computer systems, very few lab exercises are possible without additional software. Sure, a few drills with OS commands can be useful, but using ping and nbtstat in a Windows command line window has limited room for growth. There are many, many software packages that have value in the teaching of InfoSec labs. The major grouping, based on licensing approach, is freeware, demoand shareware, and commercial software.

Freeware

Freeware is software that has been created by an author or a group of authors, perhaps using open source licensing (such as GNU General Public Licensing found at http://www.gnu.org/ licenses/licenses.html#GPL) or by simply giving the right to use the software away. There

are many freeware titles available and, in fact, lab manuals that make heavy use of freeware are available (e.g., the Hands-on Information Security Lab Manual by Whitman, Mattord & Shackleford © 2005 Course Technology). Use caution when using freeware, since not all of these applications will have the same degree of quality or reliability, and it is possible that some freeware may conceal malicious intent opening up your systems to backdoor exploitation. So long as freeware is limited to use in academic labs and kept from administrative and sensitive systems there should not be any problems.

Demoware and Shareware

Shareware (sometimes called demoware) is not free. Either the program stops working after a trial period, or, the capabilities are limited (giving this softwareanothersynonymofcrippleware)orboth. To get full functionality and/or to operate after the trial period, a license must be purchased. Lots of software is distributed as shareware. If managed properly, these programs can add a great deal to your student’s lab experiences. Demonstration versions of commercial grade software are often available for 14 or 30 day trials and the capability limits will not usually preclude their use in the lab. The lab manual mentioned above also makes use of shareware as a valuable extension to the freeware available fro the Internet.

Commercial Software

When the budget permits (or the generous vendor donates licenses) it is a real treat for students and teachers alike when they can use full featured, unlimited use of a market-leading software product.

Best Practice Recommendations

Naturally, the use of industry-proven commercial software tools would be optimum, but the realities of the lab budget means that the perfectly capable

and quite useful freeware and demoware titles are often found in most labs.

lab Presentation Methods

Within the lab setting, students may be presented with learning opportunities in different ways depending on the learning outcomes sought by the teacher.Amongthosemechanismsthatarewidely used in the lab setting are tutorials, exercises, demonstrations,simulations,Webinars,andfilms and videos. Before getting into a description of the various elements, note that a central repository of InfoSec educational content (curriculum, tutorials, exercises, videos and many other items) is available from National Information Assurance Training and Education Center (NIATEC) (http://niatec.info/curriculum.htm). According to NIATEC, “this site brings together a series of education and training modules prepared to teach introductory material with other modules contributed by their authors to the NIATEC project” (Schou, 2006).

Tutorials

A tutorial is a set of step-by step instructions with explanations that are used to give a student some skill in a specific technical area. Tutorials are often provided for software applications to enable new users to get up to speed quickly in using the application. Many applications have prepared tutorials that can be used in the InfoSec lab to quickly get started. On occasion the teacher may create a tutorial to give students a critical skill for use in the lab.

Lab Exercise

A lab exercise, like a tutorial, is a set of step-by- stepinstructionsthatguidesthestudent.Unlikethe tutorial, the intent is to demonstrate the capability of a tool or to show the results of a sequence of activities.Acertainamountofskillandfamiliarity will also be transferred by the exercise, but the

intent is to show a result or to lead the student to the conclusion of a process.

Demonstration

Whenitisnotpracticalforeachstudenttoperform the tutorial or exercise individually, it is useful to show the student how it is done. A demonstration of a technology or application enables the student to be exposed to the learning opportunity without the expense of preparing all lab systems, or because it is not practical for the student to perform the exercise due to licensing expense, technical limitations, security concerns, or other issues.

Simulation

Asimulationusesasoftwarepackagetopermitthe studenttoexperienceconditionsandoutcomesthat are not practical to implement in the real world. A simulation can allow the student to experience the effects of network attack or worm outbreak withouttheexpenseofsettingupaninfrastructure to be attacked. Some events are not possible to recreate and others are too expensive to set up for the lab experience.

Web-based Seminars

Many vendors and professional organizations broadcast seminars and training events over the Internet. Many organizations will capture these events and provide them via their Web pages. The sessions available range from product marketing materials that include very nice explanations of key concepts in Infosec to current events news of interest to the InfoSec student. The video and animated appearance of these items can provide a welcomealternativetotraditionalcontentdelivery in the classroom.

Films and Videos

Students appreciate the appropriate use of films andvideosinthelabandclassroom.Manysources

of video content are available and can be acquired at little or no cost. Once source that offers useful licensingoptionsforacademiaisthePublicBroadcasting Service (http://www.pbs.org/) which has a few good titles within its documentary series

Nova and Frontline.

Best Practice Recommendations

The KSU experience has been that it requires a mixture of each of these lab presentation models to create the most useful learning environment. Some activates are best learned by doing the actual steps on a real computing systems and can be offered in that manner. And, while every activity might be best done in a real-life fashion, some activities require the preparation and skill learning that only tutorials can deliver. Some activities are too complex to prepare and deliver in a multicomputer lab and must be shown to the student using a single real-life demonstration and some other activities are so restrictive (dangerous to the student or the academic institutions IT infrastructure)thattheymustbeshownonlythrough simulation. Often economic considerations also createajustificationfordemonstrationandsimulation. For instance, a high-end forensic analysis tool may be too expensive for every student to be provided with, but one copy for use by the instructor in a demonstration is possible.

lab content sourcing options

When a teacher prepares to take a class into the information security lab, they must have content for the learning experience. By selecting a balanced mix of tutorials and exercises using software applications, lightened up with demonstrations, simulations, Webinars and videos, the teacher can keep the student engaged. But, it is not always practical to create or even locate all of the content needed for a class. Fortunately, the availability of content continues to improve as does the overall quality.

Published Sources

Course technology and other publishers continue to bring new information and computer security titles to market. Some lab support guides are also available.

Web Sources

NIATEC (Schou, 2006) offers some lab content materials as do some of the National Security Agency Centers of Academic Excellence in Information Assurance Education (NSA, 2007). A review of the Web sites for these institutions may yield some useful content.

Best Practice Recommendations

The KSU experience has been that drawing lab content from any and all sources makes for a diverse learning experience but is accomplished at some cost to the lab instructor. Another issue when compiling from multiple sources is uneven quality of the resources (both appearance and content) and some challenges in making the labs function for students of varying abilities.

Student Teaming

When working in the lab setting, the instructor can have the student work in a variety of modes depending on a number of factors including:

•Limited equipment

•Varying skill levels of students

•Limits in the number or skill of lab assistants

•Distance learning constraints

•Requirements of other learning objectives (such as writing or teamwork objectives)

Individual Assignments

Many lab units are best done by individual students, giving each more control over the factors

in the assignments, but limiting the degree of assumed collaboration.

Ad hoc Teams

Sometimes it is advantageous to group students for a single assignment or learning opportunity.

For instance, if performing a firewall configuration exercise, it is useful to use small groups since there are many steps in the process and it usually requires operations across several computer systems.

Persistent Teams

Some lab instructors prefer to have teams that last for most or all of the duration of the class. This will improve productivity and learning for sound teams, but can pose special interpersonal management problems for some dysfunctional teams.

Best Practice Recommendations

The KSU experience has been to assign the bulk of the lab tutorials and exercises as individual assignments.Someassignmentsincludingactivities with specialized equipment and project work are done using both ad hoc and persistent teams at the discretion of the instructor.

lab Management

Client System Management

& Configuration

The InfoSec lab is like any lab or small business network in that it needs to have certain routine system management activities completed on a regular basis. Using a centrally administered antivirus solution (such as Symantec Norton Antivirus Corporate Edition) along with an image management package (such as Ghost) will make these tasks less burdensome and require

fewer passes through the lab configuring client computers.

Resetting Labs

When a lab is used for multiple sections of similar courses, there is an issue of system state to consider. For instance, if a tutorial requires that a student installs a software application as a step, that package is then installed on that computer. If a later class needs to do the same activity, that will become an issue. Depending on how the hardware is built and the OS is deployed this can be managed by the lab instructor:

•When using removable drives, each class sectionisassignedtoadrivesetandremounts the applicable drive set for use in the lab.

•When using partitioned multiboot drives, multiple versions of the same OS can be built and the image assigned to one of the class sections.

•If Ghost is being used to manage images, the image in use can be reset to a known condition prior to each lab meeting.

•If virtual OS images are used, each student or class section can be assigned a virtual image to use.

Instructed Labs vs. Self-Paced Labs

Somelabassignmentsarewellsuitedtoindividual effort and can be performed by the student using a manual or handout. Other topics are better handled when the instructor leads the lab in a click-and-checkmodelofinstructionwheretheac- tion is shown using a projector and an instructor’s workstation and then the instructor and/or lab assistants circulate to check progress and help the students. Once that section is complete, the instructor covers the next segment and so on. The lab instructor will have to make the determination regarding which approach is right for each unit of lab instruction.

Theoretical Preparation

A question usually arises when heading to the lab about how much theoretical instruction in lecture shouldbecompletedonaspecifictopicbeforetaking the students into the lab. Few will argue that some degree of theory is needed for the student to make sense out of the lab assignments. Some may argue that too much theory will reduce the feeling of discovery that the student will achieve in the lab if every aspect of the lab assignment is fully dissected before the lab itself. As in most discussions like this, each lab instructor will have to asses the degree of theoretical preparation needed to maximize student learning.

Building Vulnerability Assessment

Targets

The InfoSec lab assignments that student seem to enjoy the most are vulnerability assessment and penetration testing against lab targets. This type of activity will give the student the feeling that they are learning to hack while minimizing the risk that the lab instructor and the educational institution would face were they actually preparing hackers for a life of crime. A challenge for the lab instructor is to prepare the targets for these assignments. After having done this a few times, here are some recommendations:

•Avoid using stacks of old computers as targets unless this is the only option. The hardware issues alone are a distraction and the care and feeding of four to seven aging PC systems is in fact a challenge.

•Use a reasonably capable server using a virtual OS server (such as VMware or VPC) to bring up your targets on the lab network.

conclusion

Using the methods described here, the BS-ISA program has hosted a limited number of exclusive