Designing a Security Lab?
RanmaPlex asks: "I've been asked by a university professor to design a network security lab for use by about 15 students. Designing a course was asked earlier, but little info was discussed on equipment. It needs to be vendor independent if possible. I've got ideas on using virtual machines, patches, IDS, firewalls/vpn and sniffers but would like to know what the Slashdot community can come up with."
Whatever you ultimately decide on, it would be best for a good security education to include a variety of platforms and hardware so that students can experience different things. For example, if you have something along these lines:
n = # of students
(n/2) PCs running Windows XP / Linux / Solaris-x86 triple-boot set-ups -- for them to hack from and get hacked by... If you play a competitive game of "you get x minutes to secure your box on y OS, then everyone try to hack each other's boxes -- figure out what OS they are running, and what (if any) known vulnerabilities it has."
Throw in another box that's to run as a "server," run by the teacher -- it's a similar dual or triple boot box to provide variety.
A few routers & switches of different brands (3Com, Cisco)
-- Just my $0.02
Isn't that what a student would encounter in the real world? Or do you want to make it like every other stupid college course teaching "theory" instead of some valid "experience"?
I've been asked by a university professor to design a network security lab for use by about 15 students... but little info was discussed on equipment. It needs to be vendor independent if possible.
...
Your first and most important piece of equipment: a lawyer.
No, I'm serious. Especially if you and your students will be investigating aspects of network security.
Given the current mess involving "business process" patents and "Intellectual Property" and stealth/submarine patents, there's no guarantee that what seems obvious to you or your students may not be something somebody else claims as their sole property for the next 20 years. So far, that only opens you to years of litigation and the possibility of crippling penalties. You're lucky it only goes that far.
Because...
Given the current state of the U.S. law -- specifically the DMCA -- it's no longer clear that reverse engineering is legal. Anytime somebody, er, some corporation -- such as printer manufacturer Lexmark -- claims they've built an anti-circumvention device into their product -- you and your students face the possibility of civil and criminal penalties.
And
Not to mention that in our zeal to "protect" ourselves post 9-11, what may seem to you or your students to be reasonable and even noble acts -- like pointing out software vulnerabilities that hackers or terrorists might use -- may be itself construed as hacking or even terrorism. And prosecuted accordingly.
Perhaps I'm overstating the legal barriers to innovation and research. I hope I am. But you owe it to yourself, your students, and your institution to hope for the best while preparing for the worst.
And I'm afraid the way you prepare for the worst in America in 2003 is by getting yourself a lawyer.
(PS, is it just me, or is Slashdot intermittently very very slow to respond -- that is, is Slashdot being, uh, Slashdotted?)
Opinions on the Twiddler2 hand-held keyboard?
It is a much better way to learn about the real security risks than trying to come up with a network secured against threats learned from books only.
Another good idea to enlighten your students is to have them install one Red Hat 6.0 box, and a current one. Likely, the 6.0 box will be rooted in a matter of hours, or, if you are lucky, days. Then, use the Slashdot search engine to compare the number of posts claiming that Linux is inherently secure when RH 6.0 was current vs. today -- likely, you'll find that they are the same. Lesson learned: No matter what people tell you, all software sucks. The best thing to know as someone dealing with security.
Programming can be fun again. Film at 11.
The STEAL lab at the Nebraska University Consortium of Information Assurance has a pretty nice setup that sounds similar to what the AskSlashdot post described. One thing I noticed when walking by the lab: they have signs up indicating that if you walk in through their door with a USB keydrive or a CDR, you can plan on walking out without it. The basic idea is that no electronic media, whatsoever, is allowed in or out without a CAREFUL audit of what's going on. If you're going to play with live viruses, the setup demands nothing less, I suppose. Remember that if you don't have physical security, network security doesn't make any difference.
http://tinyurl.com/4ny52
You should check with www.securityie.com about the hardware required for the CCIE Security certification. You might have to use some Cisco hardware, but for the most part, it will be a bunch of Linux, OpenBSD and Solaris machines, some Windows machines and some other Linux machines with traffic generation software. You will also need an Internet connection and a domain name, so you can direct real outside spam and other attacks to yourself.
Here's a better idea. If you are in a university, set up a server and name it FINANCIAL or something, give it an ftp or http server that gives a stern warning that students will be penalized and expelled if the server is attacked. Sit back and enjoy the show.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
I set up an operating system lab at UBC a few years ago. It consisted of about 10 PCs connected to a serial port hub and a "reset controller". Basically, you interacted with them via the serial ports and telnet, and the reset controller allowed the students to reboot them on command. I actually found the software and schematics for the controller at another university (can't remember which). The operating system (in this case Xinu - think simple Unix) was loaded via tftp. All of this was accessible from their lab workstations. Not sure if the same setup will work for you, but it might be handy for the students to remote reboot machines in case they get hung. I'm sure they will help you out if you contact the Comp Sci. department. Of course I'm pretty sure you can't tftp boot Windows, so if that's what you plan on using you're SOL :-)
I suggest locks on the doors and the windows
Set up your network using this topology -note that your computers are in bottom-center, with firewall between you and your attackers. To control it all, get a command center inside a facility like this. Of course, you'll need physical security; try using a giant robot. Make sure your pilot isn't a total wuss, though. Oh, and make sure you have large cooling units filled with these.
Focus on the problem. Get the students to understand the problems: why security is an issue (insecure programs, design flaws, etc.). Make them able to advocate secure programs/programming. Make them advocates against design flaws. Teach them how to track current security issues, how to prevent them / keep up with the latest patches, etc. (+ of course the obvious things you already mentioned.)
A traditional multi-tier enterprise setup:
Database
-
Middleware server
-
Intranet web server (inside firewall)
-
Firewall (separate machine)
-
Web server (DMZ machine)
-
Client boxes
You might want to set up a few common architectures:
Oracle and SQL Server databases on backend / Windows 2000 middleware / Firewall (hardware? an enterprise special-purpose firewall?) / Windows 2000 web server (Note that this architecture could be duplicated, one set with traditional ASP and COM+, and one with .Net across the board; you might not want to mix them on the same set of servers, because you're interested in vulnerabilities, right? So you might have older ASP/MTS server setups, and newer .Net ones).
Oracle, MySQL, and PostgreSQL databases on backend / Linux or FreeBSD based middleware / Linux or FreeBSD based firewall / Linux or FreeBSD based Apache web server (Note that this architecture probably would be Java based, so you could use JBoss as your app server, etc.)
Of course, this is just off the top of my head, but my thinking is, if you duplicate what people are actually using out in the world, then you'll learn more about the vulnerabilities and the countermeasures that are out there...
Farewell! It's been a fine buncha years!
I checked out the STEAL lab setup and it sounds incredible, but a lot of that stuff seems a tad unnecessary, especially if you're talking about less than 20 students.
My ideal lab would consist of as few specialized systems/pieces of equipment as possible, and a surplus of all-purpose, say P4 or equivalent AMD boxes.
For example, I wouldn't consider a lab such as you're describing without a few Cisco routers or network appliances. You may also want some specialized hardware for a special Sun server or Unix box. All in all though, I say keep the majority where it will likely be in the real world, on PCs (let me know if you disagree).
Now, I'm a particular fan of apps like Drive Image Pro and using drive images liberally. So you may wish to take this with a grain of salt, but I'm all for the practice of maintaining HDD images of different OSes you can switch out on your workstations as the lessons progress. You can have your (perfectly licensed) WinXP images set up, one for each PC, so that the problems XP has won't be an issue. You can do the same with Linux and any other operating systems you like.
The other advantage to this, specifically having several extra machines is that you can have as few or as many servers as you need, to give the effect, perhaps with the help of VMware, of a target network. On the flip side, you could give the students the extra workstations and give them the chance to use multiple attack vectors for specialized attacks.
Another not-so-related idea would be to have a dedicated network traffic recording computer, just for peace of mind that every bit of activity will be recorded if nothing else.
In closing, I think the key, IMHO, is that you maintain maximum flexibility in such a lab, so you can simulate virtually any modern network and thus any relevant environment for studies in the area. I've seen lots of success with random amenities like a projector and nice large screen. I'll give the STEAL labs that, but a lot can be said for good, standard PCs running what your students will likely be using in their future professions. A lab with, say, 20 PCs that can, within an hour or two, with one tech, be changed to either
20 WinXP machines or
20 RedHat 9 boxes
Or even a network of:
1 FreeBSD webserver
2 RH routers
1 'internal' XP workstation
1 'internal target' FreeBSD MySQL server
15 RH or XP 'attack' workstations
is a great thing in my book.
"Oh... There it goes... my brain stopped" - Ed from Ed, Edd, and Eddy.
Rather than having the students attacking each other, let them concentrate on securing their own box. Simply put all their boxes live on the internet and post their IP addresses here on Slashdot, so as to let all Slashdot readers openly attack them. There sure are enough of us. Now there's some valuable real world experience.
You can use Knoppix STD and PHLAK bootable Linux distros to keep the machines clean and give the students tools and "hacking" experience. I also recommend target machines (i.e. Windows server (web/email etc.), Solaris server, Linux server, couple of Windows desktops) and make sure you keep Symantec Ghost images so you can bring them back to state quickly. Additionally, firewalls, VPNs, IDS (Snort is a good one to learn on). Links to stuff: www.phlak.org (Professional Hacker's Linux Assault Kit) www.knoppix.org (CD-ROM zero footprint Linux) www.symantec.com (Ghost hard drive image software) www.snort.org (network intrusion detection)
I used to be a sysadmin here when I was an undergrad, and while the lab grew quite a bit during my time there, there's still a lot that I wanted to do (although sometimes, we were funds-challenged).
You will also need to think about 1) setting up good security policies and enforcing them, and 2) physical security. There are other things, but I can't think of them right now.
With regard to policy, you have to remember that security and convenience are often conflicting. Security is a habit that needs to be ingrained into users' minds. I'm not saying that you should never compromise, just know when to draw the line. We went through some growing pains, and our policy became more restrictive as we got more and more students. For example, shutting off telnet was a pain in the ass, even though I was extremely proactive and sent out directions and warnings several weeks before making the move.
Run network tests (like worms) on a private, disconnected network. If you have to run things on the open (highly unlikely) that may generate suspicious packet activity, make sure you get permission from the higher ups! For example, things like having an unauthorized vulnerable box on the open network, even for research purposes, can be a bad idea and it can piss off people more powerful than you.
As someone mentioned before, a lawyer is important. At least do some research into the legality of certain actions.
Also, good security involves knowing what not to do. Sometimes they're obvious (don't write down the root password, don't finger punch the root password), and sometimes they're not.
Yes, patch your machines, upgrade your kernels, lock your doors, lock your workstations, and make good passwords. But the scope of security spans many disciplines, such as psychology, business, and law... it's not about just hardware and software.
When a college retires a bunch of computers, some crappy printer, or anything else that might've at one time used electricity, claim it for your lab, otherwise it'll be auctioned off. You'll always be hurting for kit no matter how much funding you have. Note that this implies you need a decent amount of space to store lots of crap that might seem useless now, but will come in handy when you want to try something out that could result in damage to hardware, for example. You don't want to break a shiny new P4 mobo when you could throw a Slot A mobo to the wolves.
Next, you need a super modular software system. Regardless of what OS you're trying to break, you might want to try the same break on different versions of one particular library. Doing a full install of an OS when you could've just replaced one file is a waste of time.
Finally, remember that securing a system is specific, but breaking into a system is vague. If you're trying to secure a network, you know the threat model (don't you?) and what steps you need to take to protect it. If you're trying to bust a system, it doesn't matter how you do it (Harmony says, "think outside the gift horse").
I was having all kinds of problems this morning. The pages would load, but when I tried to login nothing would happen at all, this happened multiple times under links, mozilla, and firebird. Then when I managed to login and tried to post, I repeatedly got a 500 Internal Server Error, over ten times in a row on one post. So it's not just you, although things have been smooth on my end since a few hours back. PS - I'll be damned, I just got another 500 error when trying to post this. Something is definitely up with /. today.
Anti-social? My code is just platform-specific.
We've got a security lab here at the University of Hamburg, Germany. We deal with viruses mostly but also with other security-related stuff. If you are planning on working with malware, make sure that you are able to separate your lab network from the world outside completely. This is the only way to ensure that you won't become a virus multiplier by accident. Our lab has got the possibility to form 3 independent networks within, using redundant switches. Only one of those networks is connected to the internet. We also use dedicated SCSI disks for each project in addition to VMware.
Security, Podcasting and the Truth (aka my personal opinion)
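One check the isolation requirement above implies, as an added example that is not from the poster or the Hamburg lab: a script that audits a Linux lab host's routing table (the `ip route show` line format) for any path out of the lab segment. The 10.66.0.0/16 lab prefix and the sample route lines are constructed for illustration.

```python
"""Audit a lab host's routing table for paths out of the isolated segment.

Added example, not code from the thread above. It reads the line format of
Linux `ip route show`; the lab prefix and sample lines are constructed.
"""
import ipaddress
from typing import List

# Assumption: the isolated malware segment lives in this prefix only.
LAB_PREFIXES = [ipaddress.ip_network("10.66.0.0/16")]

# Constructed sample: a lab box that was wired to the wrong switch.
MISWIRED_ROUTES = """\
default via 10.66.0.1 dev eth0
10.66.0.0/16 dev eth0 proto kernel scope link src 10.66.3.12
192.168.1.0/24 via 10.66.0.254 dev eth0
169.254.0.0/16 dev eth0 scope link metric 1000
"""

# Constructed sample: the same box once it is properly isolated.
ISOLATED_ROUTES = "10.66.0.0/16 dev eth0 proto kernel scope link src 10.66.3.12\n"


def route_violations(route_text: str, allowed=LAB_PREFIXES) -> List[str]:
    """Return one finding per route whose destination lies outside the lab.

    A default route is always a finding: it is exactly the path by which a
    live sample would reach the campus network or the Internet.
    """
    findings = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        if dest == "default":
            findings.append(f"default route: {line.strip()}")
            continue
        try:
            # Host routes appear without a prefix length; treat them as /32.
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            findings.append(f"unparsed route, review by hand: {line.strip()}")
            continue
        inside = any(net.version == a.version and net.subnet_of(a) for a in allowed)
        if not inside:
            findings.append(f"route leaves lab segment: {line.strip()}")
    return findings


def is_isolated(route_text: str) -> bool:
    """True when every route stays inside the lab prefixes."""
    return not route_violations(route_text)


if __name__ == "__main__":
    for finding in route_violations(MISWIRED_ROUTES):
        print(finding)
```

On a real host, pipe the output of `ip route show` into `route_violations` before any sample is unpacked; a non-empty result means the segment is not actually isolated.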
It takes a little setup, and a little cash, but I believe it makes for the best lab setup possible. I've designed several setups for customers like this:
- As many servers as you need (8, for example) Buy 8 identical servers - explained later.
- A Fibre Channel HBA for each host.
- A Fibre Channel disk array. Preferably an old XIOtech Magnitude, available on eBay now for $14K - $20K, new from around $60K
- Connect up to 8 hosts directly to the Magnitude, assign a boot volume to the host from the Mag's management interface. Tell the host HBA to boot from the attached device
- Load the OS of your choice (most now support FC HBAs as boot devices). You can load multiple OS on each box, and swap logical hosts between physical boxes if need be.
- Lather, Rinse, Repeat.
email me with any additional questions- slineyp at hotmail dot com
Striving to achieve a lower state of consciousness
See the comments by Medusa in this board:
http://www.security-forums.com/forum/viewtopic.php?t=186
Very insightful stuff. It really makes you sit up and realize HOW insecure your system can be. And that there's nothing to protect you from anyone serious enough, other than that you don't matter.
Described here:
http://www.geekspeed.net/~beetle/download/attacklab.html
Includes some isolating scripts, but it's a year and a half old, however.
VMware is excellent for this. Do a default install of every version of every OS you can get your hands on, and burn them to CD. It's an excellent resource to have them at your fingertips, as it saves the time of installation when you want to test something on a particular version. (No, I don't work for VMware.)