The semester finished up for me a couple weeks ago. I taught the lab course this semester. There is no final in that course but instead a final project, so I’m done a bit earlier than regular lecture courses.
This was the fourth time through this course, and overall I thought the course went well. I ended up with 21 students, which was the highest enrollment I’ve seen. I don’t think I’d want to go much higher than 21 unless we had more resources. The students overall were quite strong, and I enjoyed interacting with them.
At the end of the semester I also got notified that the course now has a regular course number. I had been teaching it under a special topics number until now. I may never teach a cs498sh course again! Or at least not for a while.
Things that went well:
- Virtual Machines - I used vmserver on a 64 bit FC8 base, and it was so much better than continually reloading images and dual booting. I got a set of new Dell systems, so this was the first year that running vmware was really feasible. I was able to build an image on one machine and then copy it around to the other machines. For some of the OS configuration labs, we were able to have each student have his/her own image. This made the SE Linux lab slightly better but not totally (see what went wrong below). The Department support guy at the beginning of the semester suggested just using vmware for everything. At that time, I didn’t really have any experience with vmware and was hesitant to completely give up on a physical lab. I think I’ll stay with the current environment for at least another semester. A good portion of the labs involve networking, and I think working with real devices is more beneficial than interacting with virtualized routers. I’m not familiar with how much variety vmware supports for virtual network devices. Plus having a physical lab forces students to directly interact with each other, which has fallen away from most of the other lab oriented courses.
- Metasploit and the exploit lab - Each semester I’ve had the students write a stack smashing attack. I’ve followed the framework of the Smashing the Stack for Fun and Profit article. I give the students a basic shell spawning shellcode, and give them the assembly for a more advanced shellcode that they must translate to hexcode. Last year, I had another professor guest lecture and give a demo of metasploit. This semester we had an in lecture exercise using metasploit at the beginning of the exploit lab assignment. A couple students figured out another way of using the metasploit generated poison packet to launch the attack. And in the shared lab environment, they taught this technique to their colleagues. Only three students used the technique I outlined in the lab writeup. I think this is cool because the students dug into metasploit. However, I think many of the students lost out on a deeper understanding of how the exploit really works because they didn’t have to translate to hex or create their own packet. I haven’t decided on whether I’m going to insist on a particular technique next time I give this lab.
- Vista Lab - Actually this was almost identical to the XP least privilege programming lab I’ve used in past years, but I added a component to look at the mandatory integrity controls (MIC) that Vista adds. The students also had to figure out how to work around the user account control. Based on the results of this semester’s labs, I should be able to integrate a real MIC part to the lab next semester.
- Virtual PIX - This is the first year I’ve used the virtual firewall (security context) feature of the PIX. Since I have only a very basic license, I could only set up 2-3 virtual firewalls per physical firewall (5 physical devices). But with that and VMs on the hosts, I could set up 10-15 reasonably separated firewall environments for pairs of students to work on. There was one major hiccup that caused much student angst. For each virtual firewall on a PIX, you want them to have unique MACs. You could assign your own, or use the “automatic” MAC. I went automatic and did not review the MAC selection closely. Alone in the lab, my few probes worked fine, but with a full lab traffic would fail mysteriously. Some students noticed that traffic destined for another student’s network was being delivered to their machine. Turns out the auto MAC selection only guarantees uniqueness within a device. Between devices it pretty much guarantees conflicts. Once I created my own MAC naming scheme, everything worked fine.
- SE Linux Lab - Each year I’m hopeful that the SE Linux lab will go well this year. In the first two years, we had file labeling problems because students were sharing machines. Last year, I had students work in groups so they did not have to share machines, but they ran into issues of not understanding what macros were needed to make basic file creation and execution work. This year with the per student VMs and the new Fedora SE Linux administrative GUIs, I thought we were all set. However, the user support has changed significantly, and the new mechanism was not well documented. Plus newrole didn’t seem to work at all. I assigned my standard user separation policy where Alice is a member of two groups (or roles), so it would be natural to map that policy into different roles. Much time was wasted, but ultimately no one got the roles to work. I think next semester I’ll give up and do a class exercise. Currently, I do the MCS as a class exercise. Perhaps I’ll expand that to do a bit of policy entry. Then I’ll add a snort lab or an identity management lab.
- Written assignments - Again this year I only got one written assignment in. I just need to get thinking about this sooner. It is hard to get an interesting design assignment which everyone will have sufficient background on. Perhaps I can mine this year’s final projects for subsections to assign. I think that having some pure design and writing assignments is a good thing. Much of what these folks will be doing after graduation is designing and communicating designs. Perhaps I can work in a proper risk analysis exercise here.
Next fall I’m scheduled to teach the Intro to Security course again (assuming I get my contract). Last year I had a record number of 80 students. So far the number of students is much lower (40 or 50). We added another prerequisite class which may be dropping the numbers. The class will meet three times a week. In the past I’ve taught two longer sessions a week. I’m going to try and make one of the weekly meetings a more interactive class and less of a lecture. If anyone out there has ideas for security related in class exercises, I’d appreciate any and all pointers.