Laboratory Based Course on Internet Security

A Laboratory Based Course on
Internet Security
Prabhaker Mateti
Wright State University
Dayton, OH 45435
NSF DUE-9951380
Goals
• Awareness of Security Issues
• Teach security improvement techniques
• Explain how exploitable errors have been made in the development of software.
• Raise the level of ethics awareness
• Bring attention to legal issues

SIGCSE2003
Mateti/WrightStateU
2
Assumptions in the Course Design
• Beliefs?
• Lab-oriented?
• Whole course or Distributed into …
• Required or Elective?
• 10 weeks or 15?

The course needs to be lab-oriented.
“I hear and I think.
I see and I remember.
I do and I know.”
-- Confucius
Should be a course by itself.
• Integrating security concepts into other courses is very difficult.
• Easier to propose and implement an entire course that is new.

Should be a Required Course.
• Security exploits have become way too common.
• Can motivate why Software Development should be a more rigorous discipline.
• Many security topics synthesize what is learned in several disparate and unintegrated courses.

Can only be an Elective Course.
• Most BS Degree Requirements are too full of core and required courses.
• Required Courses cannot be “downgraded” to Electives.
• Cannot even re-work n required courses into m required courses, m < n.
• Is it a “discipline”?

Term or Semester Course
• Both must be accommodated: Term = 10, semester = 15 weeks
• At WSU …

Course Logistics
• Lectures on topic: one per week
• Lectures on experiment: one per week
• Lab experiments: one per week
• First week, only lectures. (May be second week too.)

Currently Available Material
• Books
• Websites
• Courses elsewhere

Books on Security
• Many books, > 500
• Academic text books, in the tens.
  – Garfinkel and Spafford 1996/2003, Practical UNIX & Internet Security, O'Reilly.
  – Rubin 2001, White-hat Security Arsenal, Addison Wesley.
  – Stallings 1998, Cryptography and Network Security, Prentice Hall.
  – Bishop 2003, Computer Security, Addison Wesley.

Amazon.com book search results
(2003/02/19, 19:00 PST)
Search term          Results
Network security     714
Internet security    910
Computer security    2673
System security      1328
Homeland security    45
Security             32000

Web Sites
• “There is an oceanic amount of material on network security available over the Internet.” -- A Web Page.
• How do we define a “Security Web Site”?
• 1000+ web sites

A Few Chosen Security Websites
• www.incidents.org
• www.cert.org
• www.cerias.purdue.edu
• www.securityfocus.com
• lwn.net/security
• www.microsoft.com/security
• www.phrack.com

Courses Elsewhere
• Many “commercial” courses.
• Academic courses:
  – Mostly graduate level
  – Focused on cryptography
  – Principles and concepts only
  – Projects, not Lab Experiments
  – E.g., theory.lcs.mit.edu/~rivest/cryptosecurity.html
• Thirty-six Centers of Academic Excellence in Information Assurance Education sponsored by NSA www.nsa.gov/isso/programs/nietp/newspg1.htm

What We Developed
• About 30 lectures, 75 minutes each.
• About 25 lab experiments, 2 hours each.
• Security Lab setup details.
• Collected articles on Ethics and Legal Issues.
• Past exams, and links to code.
• A support website, with the above.
• At WSU, introduced a new course, CEG 429: Internet Security.

Overview of Course Contents
• Depth v Breadth
• Choice of Topics
• Design of Experiments
• CEG429 week-by-week

Depth v Breadth
• Discuss current security breaches and protection measures → breadth.
• Conduct experiments knowledgeably → depth.

“Internet Security”
• Trojan Horses, Viruses and Worms
• Privacy and Authentication
• TCP/IP exploits
• Firewalls
• Cryptography
• Secure Config of Personal Machines
• Buffer Overflow and Other Bug Exploitation
• Writing Bug-free and Secure Software
• Secure e-Commerce Transactions
• Ethics and Legal Issues

Typical Article on our Website
• Title
• Summary
• Educational Objectives
• Background Information
• Pre-Lab and Suggested Preparation
• Procedures
  – Step 1, 2, …
  – Achievement Test
  – Concluding Activities
    ▪ Demo
    ▪ Witness Report
    ▪ Lab cleanup
  – Report on the Experiment
• Appendix A: Acronyms
• Appendix B: Further Reading Links
• Appendix C: Notes to TAs

Lab Experiments Developed
1. Experience serious nuisance.
2. Viruses, Worms, and Trojans.
3. Boot from power up to login.
4. System Administration.
5. Password Cracking Tools.

Lab Experiments Developed
6. One-time passwords, and secure shell.
7. Privacy Enhancing Tools.
8. Securely configure a Linux PC.
9. Fortification of a System.
10. Build a hardened kernel.
11. Setup a router.
12. Install and Run a network sniffer.

Lab Experiments Developed
13. Hijack an on-going telnet session.
14. User authentication and spoofing.
15. DNS spoof.
16. Download a rootkit and install.
17. Install and discover back doors.
18. White-Hat Security Tools.

Lab Experiments Developed
19. Buffer Overflow Exploits.
20. Packet Filter Firewall.
21. Probing For Weaknesses.
22. Denial-of-Service Attacks.
23. Design Weaknesses of TCP.
24. Security Audit.
25. IPv6-enabled kernel, and tools.

Ethics
• Sign on to our Ethics Statement
• The Ethics of Hacking. A discourse by "Dissident" www.attrition.org/~modify/texts/hacking_texts/hacethic.txt
• The Hackers Ethic. The six tenets from Steven Levy, "Heroes of the Computer Revolution". project.cyberpunk.ru/idb/hacker_ethics.html
• OSU Ethics Website. www.cgrg.ohio-state.edu/Astrolabe
• Codes of Ethics from ACM+IEEE.
• www.onlineethics.org
• www.ethics.org

Ethics Statement

In this course I am learning network and computer security principles. It is a 10-week long course, with a prerequisite of general understanding of operating systems and computer networks. I realize that this learning is just a beginning.

I assure the instructor, the University, and the world that I am a caring, responsible, and principled person. I will help create a better world. Never will I engage in activity that deprives others in order to benefit from it.

The techniques and links that I am exposed to are for educational purposes only. As a power user of computers and future network or systems administrator, I must be familiar with the tools that may be used to bring a network down. I may engage in a legitimate form of hacking, or more precisely, ethical hacking, as a consultant who performs security audits. This is the driving force in learning the past attack techniques.

I will not directly provide anyone with the tools to create mischief. Nor shall I pass my knowledge to others without verifying that they also subscribe to the principles apparent in this statement.

I will not engage in or condone any form of illegal activity including unauthorized break-ins, cracking, or denial of service attacks.

___________________________          ___________________________________
Name of the student                  Signature and Date

Internet Security Lab Setup
• PCs, NICs, Switches, Cables
• Each PC with 2 NICs
• Physically Isolatable
• Private Network
• Linux-based Firewall-cum-Router

OSIS: Operating Systems and Internet Security Lab
• Room 429, Russ Engineering Center, WSU
• In continuous use since November 1999
• 26 PCs in the lab for students' use, and one web server, one router, one file server, and one PC for re-configuration experimentation.
• Shared Lab
  – Operating Systems Courses, CEG 433,434
  – Distributed Computing Courses, CEG 730,830
  – Multiple Operating Systems

OSIS: Operating Systems and Internet Security Lab
• 1999 Lab
  – 26 PCs (PIII 450MHz, 128 MB RAM, 13 GB HDD)
  – 8 Fast Ethernet Switches
• Operating Systems (1999)
  – Caldera Open Linux 2.3
  – Kernel 2.2.10
  – Windows NT 4
  – Windows 98 SR2
• 2003 Lab
  – 26 upgraded PCs (2*PIII 450MHz, 512 MB RAM, 13 GB HDD)
  – 8 Fast Ethernet Switches
• Operating Systems (2003)
  – Mandrake Linux 8.2/9.0
  – Linux 2.4.x
  – Windows XP
  – Windows 98 SR2

OSIS: Operating Systems and Internet Security Lab
• All the PCs are on a private LAN
• One Fast Ethernet switch for each group of 4-6 PCs.
• Each PC is loaded with
  – Linux Mandrake 8.2/9.0
  – Windows XP
  – Windows 98.
• Boot into one of these via ntldr

osis111.cs.wright.edu
• All the lab PCs: 192.168.*.*
• router.osis.cs.wright.edu = 192.168.17.111
  osis111.cs.wright.edu = 130.108.17.111
• IP Filtering Router Firewall
• All Internet connections are through the Firewall
• IP masquerading

Security Software
• Secure Shell, PGP, …
• Firewall Kits
• Tools
  – Top 50 Security Tools survey from www.nmap.org
  – http://www.packetfactory.net
  – nmap, SAINT, …
  – tcpdump, ethereal, snort, …
  – Password cracking
  – Tcpwrapper

Lab Maintenance
• Individual student logins.
• Students need to be superusers.
• Reload OS images periodically.
• Update packages.
• Forgotten passwords, etc.
• Students' files are not archived.

Cloning the OS Images
• Set up a Golden Client.
• Several cloning tools exist:
  – Symantec Ghost
  – Open source SystemImager
  – Open source UDPcast
  – None of the above deal (well) with multiple file volumes from multiple OS.
• Takes about 45 minutes for 26 PCs
• Individualize Each PC
  – Hostname
  – IP address
  – Ssh host keys
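
One way to script the "Individualize Each PC" step and then check that no two clones still share the golden client's SSH host key, as an added example that is not part of the original slides. The Red Hat-style file paths, the `pcNN` hostnames and the `192.168.17.N` address plan are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. Assumed: Red Hat-style config paths,
# constructed hostnames pcNN and a constructed 192.168.17.N address plan.

# individualize_clone ROOT N: give the image mounted at ROOT its own identity.
individualize_clone() {
    root=$1 n=$2
    case $n in ''|0*|*[!0-9]*) echo "bad host number: $n" >&2; return 2 ;; esac
    [ "$n" -le 26 ] || { echo "host number out of range: $n" >&2; return 2; }
    net=$root/etc/sysconfig/network
    ifcfg=$root/etc/sysconfig/network-scripts/ifcfg-eth0
    { [ -f "$net" ] && [ -f "$ifcfg" ]; } || { echo "no image at $root" >&2; return 1; }
    host=$(printf 'pc%02d' "$n")
    # Rewrite only the HOSTNAME= and IPADDR= lines; all other settings are kept.
    sed "s/^HOSTNAME=.*/HOSTNAME=$host/" "$net" > "$net.tmp" || return 1
    mv "$net.tmp" "$net" || return 1
    sed "s/^IPADDR=.*/IPADDR=192.168.17.$n/" "$ifcfg" > "$ifcfg.tmp" || return 1
    mv "$ifcfg.tmp" "$ifcfg" || return 1
    # Delete the golden client's host keys (private and public). Each PC must
    # then generate its own pair, e.g. with ssh-keygen on first boot.
    rm -f "$root"/etc/ssh/ssh_host_*key "$root"/etc/ssh/ssh_host_*key.pub
}

# shared_host_keys ROOT...: print every protocol-2 host key ("type blob")
# that appears in more than one image; empty output means no key is shared.
shared_host_keys() {
    for r in "$@"; do
        for f in "$r"/etc/ssh/ssh_host_*_key.pub; do
            [ -f "$f" ] || continue
            awk '{ print $1, $2 }' "$f"
        done
    done | sort | uniq -d
}
```

Running `shared_host_keys` over all 26 images after cloning gives a quick audit: any line of output is a host key that more than one PC would present to clients.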
Teaching Experience
• Lectures must be updated to keep up with software patched with the latest.
• Most students take the course in their (semi-) final term.
• Cannot find knowledgeable TAs.

Learning Experience
• Considerable amount of “wow” effect.
• “We really learned a lot!”
• Prerequisite:
  – Computer Networking, CEG 402: Wrong?
  – Operating Systems, CEG 433: Right?

Goals Achieved
• Awareness of Security Issues
• Teach security improvement techniques
• Explain how exploitable errors have been made in the development of software.
• Raise the level of ethics awareness
• Bring attention to legal issues
• Taught: Yes. Learned: Yes. Believe in it: maybe.

By-Products: Students are …
• More at ease with real hardware and real software – not a black box any more.
• Amazed at the Open Source movement, but do not understand.

If I may urge you …
• Introduce a course like this into your curriculum.
• Peer-Review the articles on our web site.

Links
• CEG 429 Home Page: www.cs.wright.edu/~pmateti/Courses/429
• OSIS Lab Home Page: www.cs.wright.edu/~pmateti/OSIS
• Support Web Site: www.cs.wright.edu/~pmateti/InternetSecurity/