Sharing Laboratory Facilities via VITAL - A
Virtual Lab For Information Assurance
Nasir Memon
William J. Hery
Polytechnic University
Brooklyn, NY
8/29/2004 1
Presentation Outline
Motivation for IA Lab sharing
Overview of the Polytechnic University
ISIS Lab
VITAL Program overview
VITAL Lab description
Conclusions
Establishing an Effective, Quality IA
Program
Trained faculty
Excellent summer and short programs available
Courseware
Numerous resources.
Laboratory facilities
IA must be a “hands on” experience
Various designs have been presented but …
building and maintaining one requires significant
resources.
Challenge for small colleges/small IA programs.
Polytechnic University: State of the art ISIS Lab
IA Lab Requirements
Insulated
Robust
Reconfigurable
Heterogeneous
Scalable
Cost Effective
Maintainable
Realistic
ISIS at Polytechnic
Initially based on ISSI LAB at Iowa State
Supported by NSF CCLI (99), NSF capacity building (01), and Cisco (02)
Challenges for Small IA Programs
A significant number of small IA programs teach IA courses without IA
lab facilities. Why?
Cost
Need for testbed of many workstations, servers, routers for students to
configure securely, scan, “attack”, learn on.
Isolation requirements make these resources difficult to share with other lab
functions
Small colleges may only teach a few IA courses, making the use of
dedicated resources impractical
General funding problems
Lack of sufficient expertise in small, service oriented or new programs
How do we provide ISIS level capabilities to small
colleges/IA programs in NY City?
A Novel Solution to the Lab Problem
Build a centralized laboratory facility that can
be shared by multiple institutions.
Virtual Lab
Instructors provision and configure resources
remotely via a browser interface.
Students access via web browser and run
experiments on networks and computers
configured for a specific assignment.
Resources are released when assignment
completed or time slot expires.
A “Virtualization” of Polytechnic’s ISIS lab to share
with other colleges.
Description of the Polytechnic ISIS Lab
Background
ISIS Background
Initially started by an NSF CCLI, Adaptation and
Implementation grant to develop a sequence of
undergraduate courses in computer and network
security
Initial lab design and course design was done with
the assistance of Information Systems Security
Laboratory (ISSL) at Iowa State University
NSF Capacity building grant.
ISIS has been running for more than two years
now and the lab and the courses it supports have
proved to be immensely successful
ISIS Architecture
ISIS lab is divided physically and logically
into four areas:
The Student Workstation Network,
The Server Cluster,
A Secure Systems Experimentation Test
bed (ASSET).
A VPN Concentrator
ISIS Architecture
ISIS Lab
ISIS Architecture
ISIS network is built around a class A private
network
ISIS network was created using a router with NAT
capabilities
A private network separates our network traffic
from external network in order to stop internal
traffic, malicious and otherwise, from reaching the
external network
A class A private network can support a large
number of subnets. We could potentially have 2^16
subnets with 250 hosts in each subnet in our
network. This allows us to create/modify/delete
subnets inside our network as we please.
ISIS Architecture
The “Master Router” is responsible for
managing NAT and imposing restrictions on
incoming and outgoing traffic
The “Test Bed Router” is responsible for
containing attack traffic such as port
scanning, and DDoS, within the testbed.
The VPN concentrator is used to provide
connectivity to ISIS network from remote
locations using a private VPN tunnel.
The Student Workstation Network
The Student Workstation Network
The primary purpose of the workstation
network is to provide students a means to
access the ASSET network
20 - Pentium 4, 1.5 GHz general-purpose
machines
Windows 2000
With standard university lab software, like
compilers, editors etc
These workstations are members of the ISIS
active directory server present in the server
network
The Student Workstation Network
Individual workstations in this network are
completely locked down
Physically using pad locks
BIOS restrictions.
Active Directory restriction (windows security).
Students are only allowed to store temporary files
on the workstation.
Each workstation is cleaned occasionally by
erasing all users' temporary directories, and/or
re-installing a fresh image, if necessary, during the
cleaning process
The Server Cluster
The Server Cluster
The server component of ISIS is currently composed
of four servers:
A Web server
A Solaris server
A Win2k Terminal/File server
An Active Directory server.
The web server is used to host the lab’s and students’
web pages
The Solaris and Win2k terminal servers are used by
the students for compute intensive tasks.
These servers also contain a repository of security
related tools that students need for their projects and
assignments
The Server Cluster
The Active Directory server is used to
manage user accounts and files. Each
student is allowed to store up to 5GB of
data in this server.
All storage is backed up by an
automated system.
The storage server can also facilitate
secure remote access to our network
ASSET- A Secure Systems Experimentation
TestBed
ASSET is the core of the lab
It consists of a highly reconfigurable network
built around two layer 2 switches, 32 computers
fitted with two or more NICs and removable
hard drives, two VMware ESX servers which
simulate 16 hosts each.
16 CISCO 2611 routers, and 1 CISCO 4235
IDS sensor to be added this summer ☺
ASSET
ASSET
Sample Server Assignments
These assignments only utilize one or more of
the servers in the server network. Often they
are compute intensive in nature.
Explore the confusion and diffusion properties of
modern cryptosystems like AES.
Explore the difficulty of a brute force attack as the
key length increases. Students are able to
successfully attack a 40 bit key using the
computing resources of the server.
Finally, assignments that involve password
cracking also utilize the servers
Sample Host Assignments
Here the ASSET network is configured as a flat network
of hosts and each student or group of students is
assigned a host.
Explore security vulnerabilities in a stand-alone
computer system.
Harden a poorly configured Windows and/or Linux
machine as per security guidelines specified by the
NSA.
Assignments involving malicious code.
Assignments that involve learning about robust
programming techniques in general and exploring
buffer overflow, and format string vulnerabilities in
particular.
Sample Network Assignments
These assignments require configuration of the ASSET into a
collection of networks or clouds of networks and student tasks
include exploring, configuring, and defending a network.
Exploiting and understanding ARP vulnerabilities, such as ARP
cache poisoning and denial of service attacks.
TCP and UDP vulnerabilities such as session hijacking, spoofing,
and other DOS attacks in TCP and UDP.
Vulnerabilities in routing protocols such as RIP, and OSPF.
Use of network mapping utilities.
Secure communication using IPSEC, SSL, and other upper layer
protocols.
Blue team/Red Team exercise.
VITAL Program Overview
VITAL – A Virtual Lab for IA
Education in NY City
NY Metropolitan Area consortium formed to create
such a facility
Planned to start with limited scope in September
2004.
Fully functional by September 2005.
Currently six partner institutions.
Each with different goals and different program strengths.
Many additional institutions have expressed interest
in availing facilities of VITAL.
CUNY John Jay College
Associate, baccalaureate and masters degrees.
PhD in Criminal Justice and Forensic Psychology.
10,133 undergraduates, 2,513 graduate students.
Interdisciplinary Forensic Computing M.S. program.
Courses potentially impacted by lab
Data Communications and Forensic Security, Architecture of
Secure Operating Systems, Network Forensics, Security of
Computers and their Data, Quantitative Methods in Criminal
Justice.
One of the strongest Criminal Justice programs in the
country. IA needs mostly in support of forensics and
criminal justice program.
CUNY Borough of Manhattan Community
College (BMCC)
Serves more than 24,000 students in its credit and
non-credit programs.
In partnership with Alcatel, New York Software,
Information Association (NYSIA), Secret Service and
Lehman College, has solicited support from NSF
under the Advanced Technology Education initiative
to develop a comprehensive curriculum in the area of
Computer Security.
Aspire to get designated as a COE in the near future.
Large variety of IA course offerings planned but
limited labs.
Need VITAL as whetting ground to develop their own
labs as and when resources become available.
CUNY New York City College of
Technology
Student body of more than 11,700
Nearly 1000 students are in the baccalaureate
program of Computer Systems Technology.
Plan to add new module in Information
Security in Fall 2004.
Includes Information Security, System Security
and Network Security.
Looking to use VITAL to complement these
courses with a hands on component.
Actively looking for resources to develop their
own lab.
Brooklyn College
Very strong CS department with renowned
faculty.
Limited IA course offerings. 1 or 2 a year.
Cannot justify dedicated lab for IA.
Looking to use VITAL to improve quality of IA
courses and add hands on component.
Adelphi University
Oldest institution of higher education on Long
Island (chartered in 1896).
Very small CS department (75).
No IA course offered prior to joining VITAL
consortium.
Looking to use VITAL to teach a new
IA course sequence starting Fall 2005.
VITAL Lab Description
Envisioned Virtual Lab
[Figure: mock-up of the Polytechnic University Virtual Lab browser interface, showing a VLnet Creation view of hosts, routers, a PIX firewall and networks; a Virtual Lab Resources table (Resource Name, Group); and controls such as Power Cycle, Reset, KVM, Console, View Traffic and Log Off.]
Remotely configurable and accessible hosts, routers, firewalls, gateways,
ethernet switches, and other network elements. (More later…)
Requirements of a Virtual Lab
In addition to IA Lab requirements, virtual lab
should conform to these requirements:
Accessibility
Observability
Separability of virtual networks
Remote configurability
VITAL Functional Requirements
Remote Access to Realistic
Network Environment
Purpose of VITAL is to provide remote
users with an interface to a realistic
network environment
The network must be available from anywhere on the
Internet
Configuration of the virtual networks within the
VITAL environment can be done remotely
Access transparency
Location Transparency
Performance Transparency
VITAL Functional Requirements
Heterogeneous Environment
Will be accessed by a variety of
remote users
The system must be accessible under
a variety of client environments
The host nodes in the VITAL
environment must be capable of
running a variety of operating
systems.
VITAL Functional Requirements
User & Network Isolation
isolation is required to provide the impression of
access to/control of isolated environments to subsets
of users
view of an instructor - components of the network assigned to
that instructor.
view of a student - same as that of his/her instructor, though
access may be limited
view of an administrator - not limited and shall include all
network components
instructor’s view of system users - limited to him/herself and
the students created under him.
student’s view of system users - limited to him/herself and his
or her partners as assigned by the instructor.
The gateway (VLG) will isolate the internal network (VLnet)
from the outside world. It will also filter incoming and
outgoing traffic.
VITAL Functional Requirements
Virtual Network Configurability
Administrators - add new nodes, routers, etc. to the
pool of virtual network components
Administrators - partition subsets of the whole
network into virtual networks
Instructors - configure all components allocated to
them by an administrator
Instructors - assign specific components to students
associated with them
Students – access/configure components assigned to
them
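The view and configuration rules on the User & Network Isolation and Virtual Network Configurability slides can be checked as a small access-control model. This is an added example, not VITAL's own code; the `User`, `Lab` and `sample_lab` names, the sample accounts and the rule that administrators may configure any component are assumptions.

```python
from collections import namedtuple

# role is "admin", "instructor" or "student"; the last two fields apply to students only.
User = namedtuple("User", "name role instructor partners", defaults=("", ()))

class Lab:
    def __init__(self, users, pool):
        self.users = {u.name: u for u in users}
        self.pool = set(pool)   # every component administrators have added
        self.allocated = {}     # component -> instructor it is partitioned to
        self.assigned = {}      # component -> students allowed to configure it

    def allocate(self, actor, comp, instructor):  # administrators partition the pool
        if self.users[actor].role != "admin" or comp not in self.pool:
            raise PermissionError(f"{actor} may not allocate {comp}")
        self.allocated[comp] = instructor

    def assign(self, actor, comp, student):  # instructors: own components, own students
        if self.allocated.get(comp) != actor or self.users[student].instructor != actor:
            raise PermissionError(f"{actor} may not assign {comp} to {student}")
        self.assigned.setdefault(comp, set()).add(student)

    def visible_components(self, name):
        u = self.users[name]
        if u.role == "admin":
            return set(self.pool)
        owner = name if u.role == "instructor" else u.instructor
        return {c for c, i in self.allocated.items() if i == owner}

    def can_configure(self, name, comp):
        if self.users[name].role == "student":
            return name in self.assigned.get(comp, set())
        return comp in self.visible_components(name)  # assumption: admins configure all

    def visible_users(self, name):
        u = self.users[name]
        mine = {s.name for s in self.users.values() if s.instructor == name}
        scope = {"admin": set(self.users), "instructor": mine, "student": set(u.partners)}
        return {name} | scope[u.role]

def sample_lab():  # constructed data, not from the slides
    users = [User("root", "admin"), User("ann", "instructor"), User("bo", "instructor"),
             User("sam", "student", "ann", ("sue",)), User("sue", "student", "ann", ("sam",))]
    lab = Lab(users, ["host1", "router1", "host2"])
    for comp, owner in [("host1", "ann"), ("router1", "ann"), ("host2", "bo")]:
        lab.allocate("root", comp, owner)
    lab.assign("ann", "host1", "sam")
    return lab
```

A student sees the same components as their instructor but can configure only the ones assigned to them, which is the "access may be limited" case on the isolation slide.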
VITAL Functional Requirements
Remote User Interface
certain information must be available
and presented to users based upon
their role
For administrators
Instructors
Students
High Level Design (GUI)
High Level Design
High Level Security Design
Issues to Address During
Development
Security
Policies
Architecture
Implementation
Resource Allocation
Policies
Conflict Resolution
Optimization
Conclusions
In addition to faculty training and courseware, there is
a strong need for IA lab facilities in small colleges
Different colleges had different needs. A “canned” IA
lab would not fit the different needs.
Different motivations
Lack of resources or current commitment from administration.
Limited size and scope of IA offerings.
Whetting ground while they created their own laboratories.
Partner with COE to ultimately gain COE status.
Poor maintenance and support infrastructure at their
institution.
Improve their IA program quality
Contact Information
Those interested in joining the VITAL
consortium should contact:
Nasir Memon, memon@poly.edu
Bill Hery, hery@nac.net