perimeteropensuse12.1

Pérezetal.
SpringerPlus(2016)5:443DOI10.
1186/s40064-016-2041-8SOFTWAREAnestedvirtualizationtoolforinformationtechnologypracticaleducationCarlosPérez1,JuanM.
Ordua1*andFranciscoR.
Soriano1,2AbstractBackground:Acommonproblemofsomeinformationtechnologycoursesisthedifficultyofprovidingpracticalexercises.
Althoughdifferentapproacheshavebeenfollowedtosolvethisproblem,itisstillanopenissue,speciallyinsecurityandcomputernetworkcourses.
Results:ThispaperproposesNETinVM,atoolbasedonnestedvirtualizationthatincludesafullyfunctionallab,com-prisingseveralcomputersandnetworks,inasinglevirtualmachine.
Italsoanalyzesandevaluateshowithasbeenusedindifferentteachingenvironments.
Conclusions:Theresultsshowthatthistoolmakesitpossibletoperformdemos,labsandpracticalexercises,greatlyappreciatedbythestudents,thatwouldotherwisebeunfeasible.
Also,itsportabilityallowstoreproduceclass-roomactivities,aswellasthestudents'autonomouswork.
Keywords:Nestedvirtualization,Networksecurity,Computernetworks,Lecture-basedlearning,Systemadministration,Problem-basedlearning2016Pérezetal.
ThisarticleisdistributedunderthetermsoftheCreativeCommonsAttribution4.
0InternationalLicense(http://creativecommons.
org/licenses/by/4.
0/),whichpermitsunrestricteduse,distribution,andreproductioninanymedium,providedyougiveappropriatecredittotheoriginalauthor(s)andthesource,providealinktotheCreativeCommonslicense,andindicateifchangesweremade.
BackgroundSecurity,systemadministrationandcomputernetworksarefundamentalelementsofinformationtechnology(IT)systemstoday,andmanyrelatedcourses(operat-ingsystems,computernetworkfundamentals,computerandnetworksecurity,networkmanagement,etc.
)areincludedincomputersciencegraduateandpostgradu-atedegrees.
Acommonproblemthatarisesinallthesecoursesisthedifficultyofdesigningpracticalexercises.
Itiswidelyacceptedthatstudentslearnmoreeffectivelyfromcoursesthatprovideforinvolvementinpracticalactivities(e.
g.
,settingupacustomizednetwork,installingandconfiguringnetworkservices,testingethicalhack-ingtechniques,etc.
),asshowninawidevarietyofpapers,conferencesandbooksdevotedtocomputerscienceedu-cation(Sarkar2006;TrabelsiandAlketbi2013;O'Grady2012;Carter2013).
However,itisverydifficulttodesignpracticalexercisesthatdonotseriouslyaffecttheinfra-structurewheretheseexercisesaredone.
Operatingsystemadministrationexercisesorpenetrationtestsareexamplesofsuchactivities,thatmaybeevenillegal.
SimulationtoolssuchasPacketTracerfromCisco(2014)couldbeanalter-nativetorealsystems.
However,thecomplexityofsimu-latingrealsystemsmakethesetoolstofocusoncertainsubsystems(i.
e.
thenetwork),thuslimitingtheirscope.
Virtualizationtechniqueswereproposedsomeyearsagoasanefficientalternativeforteachingcomputernet-worksrelatedcoursesinasecureandcontrolledenviron-ment(Bulbrook2006;Gasparetal.
2008;PizzoniaandRimondini2008;Burdetal.
2009),andtheyarecurrentlyusedinmanycourses(Faircloth2011;Salah2014;Ramanetal.
2014).
Theseproposalsusevirtualizationinordertosetupnetworkandcomputerinfrastructuresthatresem-bletheactualones(evenintheuserinterface),whiletheyprovidetherequiredsecurityandisolationfromtheactualinfrastructures.
Thesetoolsprovideuserswithaneasilyreproducibleenvironment,andtheyallowstudents'autonomouswork.
Virtualizationandnestedvirtualiza-tiontoolshavealsobeenproposedinmanyeducationenvironments(Bower2010;Wannousetal.
2012).
Traditionally,twodifferentapproacheshavebeenused:thefirstoneistoprovidecopiesofvirtualmachineOpenAccess*Correspondence:Juan.
Orduna@uv.
es1DepartamentodeInformática,UniversidaddeValencia,Avda.
Universidad,s/n,46100Burjassot,Valencia,SpainFulllistofauthorinformationisavailableattheendofthearticlePage2of9Pérezetal.
SpringerPlus(2016)5:443imagestothestudentssothattheyruntheminitsowncomputer,andthesecondoneistosetupavirtuallabo-ratoryusingtheinstitution'sinfrastructure,providingstudentswithremoteaccess.
Bothoftheseapproachespresentsomeinconveniences.
Thefirstoneshouldbelimitedtoasinglevirtualmachineinordertoprovideeaseofuse.
Otherwise,itrequiresthateachstudentconfiguresitsownvirtuallabusingseveralimagesandcreatingitsownvirtualnetworkinfrastructure(anon-trivialanderror-proneprocess,whichisboundedbytheresourcesofthehostcomputer).
Thesecondapproachrequiressignificantinvestmentininfrastructureresources,andtherequirementsareproportionaltothenumberofstudents.
Additionally,theavailabilityoftheresourcescannotbeguaranteedoncethecoursefinishes(forexample,insubsequentyears).
Theadventofcloudcomputingandtheincreasingavailabilityofwebservicesduringthelastyears(Mari-nescu2013;Amazon2014;Google2014)hasallowedtogoonestepfurther,andsomecloud-basedvirtualiza-tiontoolsforonlineteachinghavebeenproposed(Salah2014;Willemsetal.
2011;Abraham2013;Xuetal.
2014).
Nevertheless,thedeploymentofcloudservicesaddssomedrawbackstovirtualizationtools.
First,theuseofagivencloudinfrastructureforcestheusertolearnanduseaconcretetechnologyandservices,makingthecoursedependentonagivenserviceprovider.
Second,thenumberofstudentsinagivencoursemayrequireacloudinfrastructuresizethatexceedsthemaximumsizethattheprovideroffersforfree,increasingthecostofthecourse.
Third,theuseofcloudresourcesmayaddsignifi-cantlatenciesthataffecttheinteractivityoftheexercises.
Finally,thereproducibilityandusabilityalongtimeisseriouslyaffected,sincestudentsarenotguaranteedthatthecloudinfrastructureisaccessiblesometimeafterthecoursefinishes(Sonetal.
2012),likethesecondapproachintheuseofvirtualizationtechniquesdescribedabove.
Inordertoavoidtheproblemsintroducedbytheseapproaches,thispaperproposesNETinVM,atoolbasedonnestedvirtualization(virtualmachinesinsideavirtualmachine)thatincludesafullyfunctionallabinasinglevirtualmachine.
Thislabcomprisesthreeinterconnectednetworkswithseveralcomputersattachedtoeachnet-work,providingaportableandrealisticscenarioforteachingcoursesrelatedtosecurity,systemadministra-tionandcomputernetworks.
ThepaperanalyzestheuseofNETinVMindifferentlearningtechniques[Problem-BasedLearning(PBL)andtraditionalLecture-BasedLearning(LBL)]appliedtocoursesofdifferentcomputersciencefields.
Theresultsshowthatthistoolallowstoperformlabsandpracticalexercisesthatwouldotherwisebeunfeasible.
Also,itallowstoreproducetheresultsoftheproposedexercises,providingportabilityandallow-ingthestudentstoworkautonomously.
Therestofthepaperisorganizedasfollows:"Imple-mentation"sectionsummarizestheimplementationandmainfeaturesofNETinVM.
Next,"Resultsanddiscus-sion"sectionshowstheapplicationofNETinVMtodif-ferentlearningandtrainingenvironmentsandtheresultsobtainedwiththistool.
Finally,"Conclusions"sectionshowscomeconclusionremarksandfutureworktobedone.
ImplementationNETinVMisaVMwarevirtualmachineimagethatincludes,readytorun,acomputernetworkofUser-ModeLinux(UML)virtualmachines.
Whenstarted,theUMLmachinesformacomputernetworknamed"example.
net"whosegeneralstructureisshowninFig.
1.
Thissec-tion,describesthesethreebasicelements(theVMwarevirtualmachine,theUMLvirtualmachinesandthevir-tualnetwork)andhowsomecriticalinfrastructureissueshavebeensolved.
Foradetaileddescription,theNET-inVMwebpagecanbeconsulted(PérezandPérez2014).
VMwarevirtualmachineimageTheVMwarevirtualmachine,namedBase,providesthebasetorunandmonitortheUMLvirtualmachines,anditsfullyqualifieddomainnameis"base.
example.
net".
Baseincludes132-bitprocessor,2GBofRAM,a20GBSCSIharddisk,aDVDplayer,1networkinter-faceconnectedtoVMware'sNATnetwork,USBcon-troller,1soundcard,and1graphicscard.
Onthisvirtualhardware,version12.
1ofopenSUSE(Novell2008)isexecuted,whichprovidestheKDEdesktop,LibreOfficeandC/C++developmenttools.
BasealsoincludesthetoolsneededtomonitortheexecutionofUMLmachines,suchasTcpdumporWireshark.
Obviously,italsoincludesUMLandthediskimageusedbytheUMLvir-tualmachinesthatwillruninit.
Evenwithallthesetoolsinstalled,Basehasaround13GBoffreediskspace.
ThisstoragecapacityallowstostartandworkwiththeUMLs,andalsotoinstalladditionaltools.
UMLvirtualmachinesTheUMLvirtualmachines(UMLs)arecreatedusingUser-ModeLinuxand,dependingonthenetworktheyareconnectedto,theyassumedifferentroles:corpo-rateworkstation,internalserver,router,bastionnode,externalserverorInternetnode.
EachUMLhasthefol-lowingvirtualhardware:132-bitprocessor,128MBRAM,1GBharddrive,and1networkinterface(excepttheUMLthatactsasarouter—labeledas"fw"inFig.
1,whichhas3interfaces).
AllUMLsusethecopy-on-writePage3of9Pérezetal.
SpringerPlus(2016)5:443techniqueprovidedbyUML.
Therefore,allofthemini-tiallystartusingthesamefilesystem,andeachonewriteshischangestoaseparatesparsefile.
Inthisfilesystemtheversion6ofDebian(2008)isinstalled,includingappro-priatetoolsforteachingnetworking,systemadministra-tionandsecuritytopics.
ThereareseveraladvantagesderivedfromallUMLmachinessharingthesamerootfilesystem,whichwecall"referencefilesystem"(RFS):1.
Itsavesspace.
Usingcopy-on-write,19UMLmachinescanberunningtakingaslittleas0.
5GBofBase'sdisk.
2.
Itsimplifiesmaintenance.
UpdatingallUMLmachineswiththelatestsecuritypatchesoraddingasoftwarepackagetoallofthemisassimpleasdoingitinoneofthem.
3.
Itsimplifiesitsuse.
AllUMLsaresimilarandhavethesamesoftwareinstalled.
VirtualnetworksNETinVMispre-configuredtocreatethreeintercon-nectedvirtualnetworks,playingtheroleofthecorpo-rate,perimeterandexternalnetworksofanorganization.
Thesenetworksarenamed"int"(forinternalnetwork),"dmz"(forDMZordemilitarizedzone,whichisoftenusedasasynonymforperimeternetwork)and"ext"(forexternalnetwork).
Thenetworksarecreatedusingthe"uml_switch"programincludedwithUML.
ThisprogramimplementsavirtualEthernethuborswitch(configuredasahubinNETinVM).
OneoftheUMLmachines,"fw"(forfirewall),interconnectsthethreenetworksprovid-ingcommunicationandpacketfiltering,asshowninFig.
1.
TherestofUMLshaveasinglenetworkinter-faceconnectedtothenetworktheyarenamedafter,asfollows(whereXcanbefrom"a"to"f"):intXUMLsareconnectedtotheinternalnetwork.
ThesemachinesonlyoffertheSSHservice.
dmzXUMLsareconnectedtotheperimeternetwork(DMZ).
Theyareconceivedasbastionnodes.
Inthisnetworktherearetwomachineswithalias.
"dmza"hasthealias"www.
example.
net"anditprovidesHTTPandHTTPSservices;"dmzb"hasthealias"ftp.
example.
net"anditoffersFTP.
Finally,extXUMLsareconnectedtonetworksthatareexternaltotheorganization(e.
g.
,"Internet").
ThesethreenetworksareconnectedthroughbasetoVMware's"vmnet8"(NAT)virtualnetwork,whichallowstheconnectionofUMLtoexternal(real)networks.
Thedefaultgatewayfortheinternalandperimeternet-works(machines"intX"and"dmzX")is"fw",thedefaultgatewayfor"fw"istheIPaddressof"base"inthe"ext"network,andthemachinesontheexternalnetwork("extX")have"base"asthedefaultgateway,and"fw"asFig.
1GeneralstructureofNETinVM.
VirtualmachinesandnetworkswithinNETinVMPage4of9Pérezetal.
SpringerPlus(2016)5:443thegatewaytoaccesstheperimeterandinternalnet-works.
"fw"appliesNATtoalltrafficfromtheinter-nalandperimeternetworksthatisgoingoutthroughitsexternalnetworkinterface,sothatthesepacketsgettotheexternalnetworkwith10.
0.
0.
254assourceIPaddress.
Therefore,thetrafficamongUMLmachinesofthethreenetworksalwaysgoesthrough"fw",whilethetrafficdirectedtomachinesoutside"base"goesthrough"fw"ifandonlyifitcomesfromtheinternalortheperimeternetworks.
Inanycase,thetraffictotheout-sideworldalwaysgoesthrough"base",which,as"fw",hasalsoenabledIPforwardingandNAT.
Communica-tionsbetween"base"andanyUMLMachinearecarriedoutdirectly,withoutpassingthrough"fw"(providedthattheIPof"base"correspondingtothenetworkoftheUMLmachineisused).
Thisarrangementisconvenientbecauseitallowsaccessfrom"base"toallUMLmachinesusingSSH,regardlessoftheconfigurationofroutingandpacketfilteringin"fw".
TheUMLmachinescancom-municateeachotherviastandardnetworkprotocols.
AllUMLmachineshavetheSSHserviceenabledbydefaultandtherearebastionnodesofferingHTTPandFTPser-vices,butanyotherstandardIPservicecanbealsocon-figured(NFS,SMTP,.
.
.
).
TheconfigurationofSNATin"fw"asdescribedaboveisnecessarysothatresponsestooutgoingconnectionstoInternetoriginatedintheinternalandperimeternet-worksgetbackthrough"fw".
IfSNATwerenotactivein"fw",theresponseswouldbesentby"base"directlytotheUMLmachines,thusbypassing"fw".
IntermachinecommunicationTheUMLmachinescancommunicateeachotherviastandardnetworkprotocols.
AllUMLmachineshavetheSSHserviceenabledbydefaultandtherearebastionnodesofferingHTTPandFTPservices,butanyotherstandardIPservicecanbealsoconfigured(NFS,SMTP,.
.
.
).
Communicationsbetween"base"andtheUMLmachinescanalsobecarriedoutthroughthenetwork,withtheadvantagethat"base"isdirectlyconnectedtothethreesubnetsand,therefore,ithasaccesstoallUMLmachinesregardlessoftheconfigurationof"fw".
Also,whenaUMLvirtualmachinestarts,3vir-tualterminalsappearsinBase.
Inthisway,theusercanworkwiththeUMLsevenwhenthenetworkisnotoperational,asifhavingphysicalaccesstothemachines.
Finally,theUMLmachineshaveaccesstothedirectory"$HOME/uml/mntdirs/tmp"ofBaseusingthepath"/mnt/tmp".
Tosetupthiscorrespondence,itisusedUML's"hostfs"filesystem.
Thus,alloftheUMLsandBaseshareadirectorythroughwhichtheycanexchangeinforma-tionwithoutnetworkaccess.
ConfigurationofUMLsAlthoughsharingthesamereferencefilesystem(RFS)isverypositive,itisclearlynecessarythateachUMLvir-tualmachinecanbeadaptedtoplaydifferentroles.
Forexample,'fw'hasthreenetworkinterfacesandperformspacketfiltering,'dmza'providesHTTPandHTTPS,'exta'onlyprovidesSSH,.
.
.
TheRFSincludesoneandonlyconfigurationtool,thescript"configure.
sh",whichisstoredin"base"andisalsoaccessibletotheUMLsusingthe"hostfs"filesystemintroducedbefore.
Whenstarting,everyUMLtriestorunthisscript,whosealgorithmisasfollows:1.
ChecksiftheUMLhasalreadybeenconfigured.
Ifso,itends.
2.
Marksthemachineasconfigured.
3.
Appliesthedefaultsettings.
4.
Appliesthenetworkspecificsettings.
5.
Appliesthemachinespecificsettings.
Theconfiguration(thedefault,networkspecificormachinespecific)involvesenablingservicesand/orexe-cuteorders.
Inanycase,astheconfigurationisdoneonlyoncepervirtualmachine,thechangeshavetobeperma-nentandstoredinthemachine'sfilesystem.
Forexample,ifaservice"fw"isadded,symboliclinksmustbeaddedto"/etc/rcX.
d"(whereXisthedefaultrunlevel).
Thisconfigurationmechanismhasthreekeyadvantages:1.
Configuration(even"configure.
sh"itself)canbecompletelychangedwithoutstartinganyUMLmachine.
2.
Oncetheyarerunning(evenafterthefirstboot),UMLshaveastandardDebianfilesystem,sincetheonlycommandsexecutedarethoseofthestandardbootingprocess.
3.
Differentconfigurationscanbeeasilysavedsothatdifferentexercisesbeginwithaknowndifferentini-tialstate.
BackupandrestoreNETinVMincludesatoolforcreatingandrestoringbackups.
TosavethestateofalloftheUMLsisenoughtorunthescript"uml_backup.
sh".
And,torestoreapre-viouslysavedstate,itisjustnecessarytorunthescript"uml_restore.
sh".
BothutilitiesusethestandardKDEfiledialogtoselectwheretostorecopies("uml_backup.
sh")andwhichbackuptorestore("uml_restore.
sh").
TheonlyrequirementisthattheUMLsmustbestoppedtoper-formabackuporrestoration.
BackupsareTGZfilesincludingconfigurationfiles(whicharesmall)andcopy-on-writefiles(whicharePage5of9Pérezetal.
SpringerPlus(2016)5:443sparsefilesthatincludeonlychangesmadewithrespecttotheRFS).
Thus,eachbackupusuallytakessomeKBor,atmost,afewMBofdiskspace.
Thismakesitpossibletoperformdozensofexercises,eachonewithmultiplerestorationpoints,withoutconsumingtoomuchstoragespace.
ResultsanddiscussionNETinVMhasbeenintensivelyusedatUniversityofValenciasince2012forteachingcoursesrelatedtosecu-rity,systemadministrationandnetworkplanning.
ThesecoursesarepartofthedegreecurriculaforTelematicsEngineeringandComputerEngineeringandmastercur-riculaforwebservices,andtheyarebasedondifferentlearningtechniques:Problem-BasedLearning(PBL)andtraditionalLecture-BasedLearning(LBL).
Also,NET-inVMhasbeenusedinotherscenariossuchasbooksandweb-basedcourses.
Inthissection,weanalyzetheuseofNETinVMinalltheseenvironments.
LecturebasedlearninginacomputersecuritycourseTraditionalLecture-BasedLearning,wheretheteachermakesanoralpresentationintendedtopresentthemainconceptsofthecourse,isusuallycomplementedwithexercisestobecarriedoutbythestudents.
Thisisthecaseforcomputersecurity,amandatorycoursesched-uledinthethirdyearofboththeDegreeinComputerEngineering(DCE)theDegreeinTelematicsEngineer-ing(DTE).
Thisisanintroductorycourseofcomputersecurityandthusithasawidescope.
Nevertheless,ithasthegoalofprovidingthestudentswithpracticalskills.
Inordertoachievethisgoal,wehaveextendedthetradi-tionalLBLmodelwiththefollowingteachingactivities,madepossiblebyNETinVM:demos,exercisesandlabs.
Demos,arepracticalexplanationswheretheteacherper-formsanddiscussestheactivitywiththestudentsinalecturesession.
Thiskindofactivityprovidesthestu-dentswithdeeperinsightsanditfosterstheirparticipa-tion.
NETinVMallowsthestudentstoreproducelaterthesameactivitiesoreventestnewcases.
Exercisescon-sistofpracticalassignmentsinvolvingseveralhostsandnetworksthatstudentsmustdoautonomously.
ByusingNETinVM,theseactivitiescanbesecurelyperformedinarealisticandreproduciblescenario.
Finally,labsareguidedsessionswherecomplexexercisesareperformedbythestudentsundertheteachersupervision.
NET-inVMallowsthestudentstocomplementtheguidedsessionwithfurtheroptionalwork.
ArepresentativeexampleofademocouldbeusingSnortasaNIDS.
ThisdemoconsistsofrunningtheSnortintrusiondetectionsoftware(Snor_team2014),andshowinghowalertsaregeneratedwhensuspiciousactivitiesaredetected.
TheexamplesusedwerescanningthenetworkwithNmap,connectingasadministratortoaremoteSQLdatabase,andaskingtheDNSserverforazonetransfer.
Whileperformingtheseactivities,thenetworktrafficwascap-turedwithWiresharkandtheresultswerediscussedwiththestudents.
Anexampleofexercisecarriedoutintheclassroomisunderstandingsecurityalerts.
TwoCVEalertswereselected,andthestudentswereaskedtotestif"base"ortheUMLmachineswerevulnerable,andiftherewasanexploitthatworkedagainstthem.
Finally,arepresentativeexampleoflabsisfirewallconfigura-tion.
UsingLinuxIptables,thelabgoesfromconfigur-ingasinglemachine(personalfirewall)toconfiguringamachinewhichisresponsiblefortheinterconnectionandfilteringofthethreeNETinVMnetworks,thuspro-vidingarealcasescenario.
Thelabincludesbothbasicstaticrulesandmoreadvancedpossibilitiesaspacketloggingorstatefulrules.
Next,wedescribesomerepresentativeexamplesoftheseteachingactivitiescarriedoutduringthe2013–2014year.
Twoofthedemosperformedwerethefollow-ingones:PublickeycryptographyinSSHforserverauthenti-cationInthisdemo,aninitialconnectiontoaSSHserverisstarted.
Sincetheserver'spublickeyisnotpresentintheclient'sknownhostsfile,aconfirma-tionmessageappears.
Theimportanceofansweringthisquestionisdiscussedwiththestudents,high-lightingthatthisverificationistheonlyprotectionagainstman-in-the-middleattacks.
UsingSnortasaNIDSThisdemoconsistsofrunningtheSnortintrusiondetectionsoftware(Snor_team2014),andshowinghowalertsaregeneratedwhensuspiciousactivitiesaredetected.
TheexamplesusedwerescanningthenetworkwithNmap,connectingasadministratortoaremoteSQLdatabase,andask-ingtheDNSserverforazonetransfer.
Whileper-formingtheseactivities,thenetworktrafficwascap-turedwithWiresharkandtheresultswerediscussedwiththestudents.
Twoexamplesoftheexercisesproposedwerethefol-lowingones:UnderstandingsecurityalertsTwoCVEalertswereselected,andthestudentswereaskedtotestif"base"ortheUMLmachineswerevulnerable,andiftherewasanexploitthatworkedagainstthem.
AnalysisofSnortrulesStudentswereaskedtoper-formtwokindsofremoteaccesstoadatabase.
Eachaccessshouldtriggerasnortalert.
Theyhadtocap-turenetworkactivity,correlatetheinformationinthecapturedpacketswiththecorrespondingsnortrule,Page6of9Pérezetal.
SpringerPlus(2016)5:443andjustifywhythealertwasorwasnotgenerated,dependingonthecase.
Thisexerciseisanextensionofthesecondexampledemoexplainedabove.
Inthisway,oncethesessionintheclassroomfinishes,thestudentscannotonlyreproducethedemobytheirown,buttheycanalsoextendthatdemothroughthisexercise.
Finally,thesearetwoexamplesofthelabscarriedout:FirewallconfigurationUsingLinuxIptables,thelabgoesfromconfiguringasinglemachine(personalfirewall)toconfiguringamachinewhichisrespon-siblefortheinterconnectionandfilteringofthethreeNETinVMnetworks,thusprovidingarealcasesce-nario.
Thelabincludesbothbasicstaticrulesandmoreadvancedpossibilitiesaspacketloggingorstatefulrules.
ForensicanalysisStudentsarechallengedtouseTheSleuthKit(TSK)andAutopsytools(Carrier2014)toconstructatimelineandretrieveinformationfromafilesystemimageofahackedUMLmachine.
Theyhavepreviouslylearnedtoobtainfilesystemimagesinademointheclassroom.
Similarly,anotherdemoshavebeenperformedtointroducethemtotheTSKandAutopsytools.
Thechallengeincludesfindingabinarytrojan,recoveringdeletedfilesrelatedtomali-ciousactivity,andfindinghiddeninformationinthefilesystem.
ItmustbenoticedthatNETinVMpermitstoeas-ilymodifyagivenactivitytobecomeadifferentkindofactivityinadifferentyear.
Thisispossiblebecausethesameplatform(NETinVM)isusedforallthreekindofactivities,andthisplatformisavailableforthestudentsanywhereandanytime.
Forexample,itiseasytochangeonedemointooneormoreautonomousexercises.
Also,itiseasytoconvertalabsessionintoasetofdemosorexercises.
Wehavequalitativelyandquantitativelyevaluatedtheapproachfollowedinthiscourse.
Thequantitativeeval-uationcomesfromnumericevaluationsofthecoursecarriedoutbythestudentsaspartoftheUniversityofValencia'squalityassessmentprotocol.
Thisproto-colincludesanonymousannualsurveyswithquestionsregardingdifferentaspectsoftheteaching-learningpro-cess.
Themostsignificantoneforourworkistheevalu-ationofthemethodology,butwehavealsoincludedtheglobalaverageforthecourse,sinceitisaglobalassess-mentofboththeNETinVMtoolanditsusethroughoutthecourse.
Numericvaluescanbebetween0and5,withamarkof5beingthebestpossiblescore.
Table1showsthequantitativeevaluationofthecoursemadebythestu-dents.
Thefirstrowinthistableshowsthespecificresultsforthemethodologyfollowedinthesecuritycourse,andthesecondoneshowsthegeneralresultsforthecourse.
Thefirst(most-left)columnshowstheresultsforthesecuritycourseintheDegreeinComputerEngineer-ing,andforcomparisonpurposesthesecondcolumnshowstheaveragevaluesobtainedinallthecoursesofthisDegree.
Thetwonextcolumnsshowtheanalogval-uesfortheDegreeinTelematicsEngineering,andthelastcolumn,labelledas"Univ.
",showstheaveragevaluesobtainedbyallthecoursestaughtintheUniversityofValencia.
ThistableshowsthatthemarksobtainedbythesecuritycourseinbothdegreesaresignificantlyhigherthantheaveragevaluesoftheirdegreesandtheUniver-sity.
Thesevaluesclearlyshowthatthestudentsgreatlyappreciatetheapproachfollowedbythecourse,thatNETinVMhasmadepossible.
Inordertocomplementthisevaluation,wehaveusedareducedversionoftheCriticalIncidentQuestion-naire,proposedbyBrookfield(2014a).
Wehaveaskedthestudentstowritedownthebestandtheworstthingsaboutthecourse.
AlthoughtheywerenotspecificallyaskedabouttheutilizationofNETinVM,theircommentsclearlyshowthattheyappreciatethepracticalapproachmadepossiblebythistool.
Effectively,themostrepeatedpositiveopinionswere(indescendingorder)thefollow-ingones:excellentdemos;uptodateandinterestingcontent;agileandenjoyableclasses;excellentlaboratoryassignments,andLabassignmentscloselyrelatedtothe-oreticalcontents.
ThesecommentsclearlyshowthatusingNETinVMthroughoutthecourse,andthepracticalactivitiesthatcanthusbeaddedtothetraditionalLBL,aregreatlyappreciatedbythestudents.
ProblembasedlearninginanetworkplanningcourseProblem-basedlearning(PBL)(BarrowsandTamblyn1980;Savery2006)isateachingmethodologywherethestudent'slearningprocessreliesonaproblem(con-structedbytheteacherorotherstudents)similartothoseproblemsthatthestudentwillfaceinreallife.
Theteacherislimitedtobea"coach"oramoderator,insteadofthesourceofknowledge,whilethestudentsshouldcollaborativelysolvetheproblemthroughcooperativeTable1StudentscourseevaluationDatafromUniversityofValencia'squalityassessmentprotocolSecurity(DCE)DCESecurity(DTE)DTEUniv.
Methodology4.
493.
634.
043.
743.
88Courseaverage4.
483.
524.
083.
673.
83Page7of9Pérezetal.
SpringerPlus(2016)5:443learning.
PBLmethodologywasappliedinthecontextofanetworkplanningcourseintheEngineeringSchool,atUniversityofValencia.
Thisisamandatorycoursesched-uledinthefourthyearoftheDegreeofTelematicsEngi-neering.
Thecoursefocusesonnetworkplanningandmanagement,includingsaturationandbottleneckdetec-tion.
Concretely,NETinVMhasbeenusedtodesignalabsessionwherepracticalwaysofdetectingnetworksatura-tionshouldbelearnedthroughPBLmethodology.
TheproblemissetupasateamcontestforwinningtheBestHackerandtheBestAdministratorAwards.
EachteamshoulddesignandimplementasecretprocedurethattriestosaturatetheNETinVMnetworks.
TheonlyruleisthatthesaturationproceduremustnotrequiretobecomerootinanyoftheNETinVMhosts.
Asaprevi-ousworktothelabsession(priortothecontest),eachteamshoulddesign,implementandtryasmanydifferentprocedurestheywantinordertosaturatethenetworksinNETinVM,andtheycandemandhelptotheteachertoguidetheprocess.
Priortothestartofthecontest,eachteamshouldprivatelypresenttheteacher(thesat-urationprocedureissecretfortherestoftheteams)awrittenreportdescribingthefinalproceduretheyhaveimplemented.
Theawardsarebasedonasinglereal-timecompetitionthattakesplaceinoneormorelabsessions,withasmanyroundsasparticipatingteams.
Whenitistheturnforeachteam,thatteamsbecomesthehackerinthatround,andtheteamcomponentsshouldimple-mentthesaturationproceduredesignedbythatteamintheNETinVMcopiesoftherestoftheteams.
Therestoftheteamsactasadministratorsinthatround,andtheyshoulddetectthesourcenode(theNETinVMhost)andtheprogram(s)causingthenetworksaturationassoonaspossible,withinmaximumtimeof20min.
Anyerrone-ousdetectionis"punished"withtheratingofthatteamasthelastoneinthatround.
Alltheroundsaretimed,startingwheneveryteam(excepttheoneactingasthehacker)hasitsNETinVMnetworksaturated,andfinish-ingeitherwhenalltheteamshavefoundtheoriginofthenetworksaturation,orwhen20minhavepassed.
Afterthecontest,thereisaroundtablediscussionwherealltheteamspresenttheirsaturationproceduretotherestoftheteams,aswellasthestrategyandcommands/pro-gramsusedfordetectingtheoriginofthesaturation.
Sincetheexercisehasnotalimitednumberofsolutions,thevalidity,advantagesanddisadvantagesofeachpro-posalarediscussed.
Theteamsaremarkedineachroundasbothadministratorsandhackers.
Asadministrators,theteamsaremarkedaccordingtothetimerequiredforfindingthecauseofthenetworksaturation(ininverseorder).
Ashackers,theyaremarkedaccordingtothetimetookbythefirstteamthatdiscoveredtheoriginofthesaturation(thelongertime,thehighertheyaremarked).
Theaggregatedmarksforalltheroundswilldeterminethefinalteamrankingsforbothcontests,beingthewin-nerofeachcontesttheteamheadingtheranking.
Theparticipationinthecontestsensuresaminimummark,butthepositionineachrankingdeterminesthemarkaseachoftheroles.
Thefinalmarkobtainedbyeachteamistheintheaveragevalueofthemarkobtainedinthetwocontests.
Theprizeforeachcontestwinnerissomeaddi-tionalmark,rangingin0.
5and1pointsoutof10.
Thefinalresolutionactivitytooktwolabsessions(therewerefiveteams,eachonecomposedoffourmembers),andthestudentsreportedanaveragededicationof5hperteammembertotheparticularproblemresolution,includingteammeetings(80%oftime)andindividualwork(20%).
Allthegroupsshowedgreatinterestintheactivity,andtheydevelopedsophisticatedproblemsolu-tionsshowingadeepknowledgeofLinuxandnetworkfundamentals.
Noerroneousdetectionshappenedinthecontest,andoneteamachievedthattherestoftheteamsexceptoneexceededthemaximumtimetofindtheori-ginofthesaturation.
ThefeasibilityoftheproposedPBLactivityfullyreliesonNETinVM,sincethesaturationofanynetworkshouldsignificantlyaffecttheactualnetworkinfrastructure.
Therefore,weaskedthestudentstoevaluatetheactiv-ity,insteadofthetool.
Concretely,wemadeananony-moussurvey,askingthestudents(groupedbyteams)toevaluatetheproposedactivityinregardtostandardlabsessionswherestudentsshouldperformpracticalexer-cisesfollowingtheguidenotesprovidedbytheteacher.
Amarkof5outof10correspondstoanevaluationwherethestudentsequallyvaluebothkindsoflabsessions,amarkof0meansthattheyabsolutelypreferthestandardlabsessions,andamarkof10meansthattheydefinitelyprefertheactivitybasedonPBLmethodology.
Wealsoaskedtoreportthemainfeature(s)oftheactivitythattheylikedthebest.
Table2showstheresultsofthesur-vey.
Thistableshowsthatthestudentssignificantlyprefertheproposedactivity.
Also,theyvaluedthefreedomfordesigninganyfeasiblesolutionandtheformatofcontestamongtheexistingteamsasthebesttwoaspectsoftheactivity(inthatorder).
Thefirstaspectwouldnotbepos-siblewithouttheuseofNETinVM,sinceitprovidesthestudentswithavirtualcopyofrealnetworksandhosts,allowingthemtotestanysolution.
Therefore,theseTable2Evaluationoftheactivityprovidedbythestu-dentsTeamsAvg.
12345Marks8.
09.
07.
08.
58.
08.
1Page8of9Pérezetal.
SpringerPlus(2016)5:443resultsvalidateNETinVMasavaluabletoolforactivitiesbasedonPBLmethodology.
UsingNETinVMforteachingenterprisewebapplicationsdevelopmentEnterprisewebapplicationsarebuiltbyintegratingspe-cializedcomponents(webservers,applicationservers,databasemanagementsystems,.
.
.
)connectedvianet-works.
Atpostgraduatelevel,studentsmustbeabletodevelopskillsinintegratingallofthesecomponentsinreal-worldscenarios.
ThisisthecaseoftheMasterinSystemsandServicesintheInformationSociety,whereacommonplatformforallthecoursesofthemasterwasdesirable.
TheauthorsengagedintheprojectofadaptingNETinVMtoprovideasatisfactoryteachingandlearningenvironmentforenterprisewebapplicationdevelopment,includingfacetssuchasapplicationdevelopment,applica-tiondeployment,serveradministrationandsecurity.
Thesolutionconsistedofadaptingthestandardcon-figurationofNETinVMtosuitthespecificneedsofthisproject.
Thefollowingchangeswereperformed:Install-ingandconfiguringanapplicationserver(Glassfish)in"dmzc";installingandconfiguringMySQLandLDAPin"intb";installingandconfiguringEclipsein"base";Adapt-ingtherulesat"fw"tothenewenvironment.
Inpar-ticular,theapplication'sserverfront-endinterface(port80)hadtobepubliclyaccessible,theapplication'sserveradministrativeinterfacehadtobeaccessibleonlyfromselectednodesoftheinternalnetwork,andtheappli-cations'servershouldbeabletocontacttheLDAPandMySQLinternalserver.
ThisadaptedversionofNETinVMprovidedmaster'sstudentsandteacherswithacommonplatformthatprovedtobeappropriatetoconductallthepracticalexer-cisesanddemonstrations,withthefollowingadvantages(Pérezetal.
2011):thestudentshadtolearnonlyasin-gletool(NETinVM)thatwassharedbydifferentsubjectsindifferentareas,suchasoperatingsystemadministra-tion,computerandnetworksecurity,andwebdevelop-ment;studentswereabletodevelop,deployandtesttheirapplicationsintheirownportableenvironmentwithoutcompromisingrealsystemsornetworks;studentsandteacherssharedacommonenvironment,soclassroomdemonstrationscouldbereproducedbystudents;finally,usingthesametoolthroughoutthemasterallowedforbettercoordinationamongteachersofdifferentsubjects.
OtherusesofNETinVMTheeaseofportabilityandreproducibilityofarealisticscenarioyieldedbyNETinVMmakethisvirtualmachineanidealtoolforMassiveOpenOnlineCourses(MOOC).
Inthisway,ithasbeenusedastheplatformforanewMassiveOpenOnlineCourse(MOOC)atUniversityofValencia(Pérez2016).
Inthisopencourse,thenet-worksandvirtualmachinesincludedinNETinVMareusedforprovidingeachstudentwithitsownvirtuallabwherepracticalnetworkandsecurityexercisescanbeperformed.
Nevertheless,NETinVMhasbeensuccessfullyusedinotherscenariosbypeoplenotrelatedtotheUniversityofValencia.
Effectively,inthebook"CASP:CompTIAAdvancedSecurityPractitioner,StudyGuide",byGregg(2012),theauthorusesNETinVMin11outof20labs.
Theselabsprovideahands-onapproachnecessarytofullyunderstandtheconceptsintroducedinthebook,whichispreparatorytothe"CompTIAAdvancedSecu-rityPractitioner"exam(Brookfield2014b).
NETinVMisusedforlabssuchasportscanning,networktrafficanaly-sis,webvulnerabilityassessment,systemauditing,net-workintrusiondetection,orrootkitdetection.
Anotherexampleofuseisthepapertitled"UsingOSSECwithNETinVM"(Allen2010),submittedbyJonMarkAllenaspartoftheGIAC(GCIH)GoldCer-tificationfromtheSANSInstitute(2014).
Thispaper,presentedinSeptember17,2010,usesNETinVMasanappropriatevirtualscenarioforinstallingandcustom-izingthehost-basedintrusiondetectionsystemOSSEC(2014).
UsingNETinVMallowedtheauthortoconfigureOSSECtocomplywithasecuritypolicy.
Inaddition,italsomadepossiblelaunchingattacks,checkingthatalertswereeffectivelygenerated,andseeinghowOSSECauto-maticallyrespondedtotheattacks.
Finally,NETinVMhasalsobeenadaptedtosuitmorespecificrequirements.
Thisisthecaseofthe"Labinabox"ofthePenTestlaboratory,whereNETinVMwasmodifiedtobuildavirtuallaboratoryforpenetrationtest-ingcourses(PenTestlaboratory2014).
Inthissetup,UMLmachineswherespecificallyconfiguredtobevulnerable,inordertobecomepotentialtargetsofpentesters.
ConclusionsThispaperhasproposedNETinVM,atoolbasedonnestedvirtualizationthatincludesafullyfunctionallabinasinglevirtualmachine.
Also,ithasanalyzedandeval-uatedhowithasbeenusedindifferentenvironments.
Theresultsshowthatthistoolmakesitpossibletoper-formdemos,labsandpracticalexercises,greatlyappreci-atedbythestudents,thatwouldotherwisebeunfeasible.
Inaddition,itallowstoreproducetheresultsofthepro-posedexercises,providingportabilityandallowingthestudentstoworkautonomously.
Also,NETinVMhasbeenadaptedtosuitotherscenarios,suchasenterprisewebapplicationdevelopmentorpenetrationtesting.
Asafuturework,theauthorsplantoaddsupportforcontrolledremoteaccess,thusallowingtheinstructortoprovidestudentswithremoteassistance.
Page9of9Pérezetal.
SpringerPlus(2016)5:443AvailabilityandrequirementsProjectname:NETinVMProjecthomepage:http://www.
netinvm.
orgHardwarerequirements:Processorwithhardwaresupportforvirtualization4GBRAM20GBofavailableharddiskspaceSoftwarerequirements:VMwarePlayer,VMwareWorkstationorVirtual-boxOperatingsystem(s):AnyoftheOSonwhichVMwareorVirtualboxworks.
Authors'contributionsCPisoneoftheNETinVMtoolsco-authors,andhehasalsobeenoneoftheinstructorsofbothsecurityandtheenterprisewebapplicationsdevelop-mentcoursesdescribedinthe"Resultsanddiscussion"section.
JMOhasbeentheinstructorofthenetworkplanningcoursedescribedinthe"Resultsanddiscussion"section.
FRShasbeenoneoftheinstructorsofthesecuritycoursedescribedinthe"Resultsanddiscussion"section.
Finally,alltheauthorshaveparticipatedinthewrittingofthispaper.
Allauthorsreadandapprovedthefinalmanuscript.
Authordetails1DepartamentodeInformática,UniversidaddeValencia,Avda.
Universidad,s/n,46100Burjassot,Valencia,Spain.
2IRTIC,UniversidaddeValencia,PolígonoLaComa,s/n,Paterna,Valencia,Spain.
AcknowledgementsThisworkhasbeensupportedbySpringerplusunderGrantCOMPPLUSSCI15.
Also,thisworkhasbeensupportedbySpanishMINECOandEUFEDERfundsunderGrantTIN2015-66972-C5-5-R.
CompetinginterestsTheauthorsdeclarethattheyhavenocompetinginterests.
Received:24September2015Accepted:22March2016ReferencesAbrahamS(2013)Virtuallearningtoolsincybersecurityeducation.
In:16thAnnualNYStatecyberSecurityconference.
IEEE,LosAlamitos,CA,pp408–415AllenJM(2010)UsingOSSECwithNETinVM.
http://www.
sans.
org/reading-room/whitepapers/detection/ossec-netinvm-33473Amazon(2014)AmazonWebServices.
http://aws.
amazon.
com/BarrowsH,TamblynR(1980)Problem-basedlearning:anapproachtomedicaleducation.
Springer,NewYork,NYBowerT(2010)Experienceswithvirtualizationtechnologyineducation.
JComputSciColl25(5):311–318BrookfieldS(2014a)CriticalIncidentQuestionnaire.
http://www.
stephen-brookfield.
comBrookfieldS(2014b)CompTIAcertificationsandexams.
http://certification.
comptia.
org/BulbrookH(2006)Usingvirtualmachinestoprovideasecureteachinglabenvironment.
Whitepaper.
DurhamTechnicalCommunityCollege,DurhamBurdSD,SeazzuAF,ConwayC(2009)Virtualcomputinglaboratories:acasestudywithcomparisonstophysicalcomputinglaboratories.
JInfTechnolEducInnovPract8(8):55–78CarrierB(2014)AutopsyandTheSleuthKittools.
http://www.
sleuthkit.
org/index.
phpCarterJ(ed)(2013)ITiCSE'13:proceedingsofthe18thACMconferenceoninnovationandtechnologyincomputerscienceeducation.
ACM,NewYork,NYCisco(2014)CiscoPacketTracert.
https://www.
netacad.
com/es/web/about-us/cisco-packet-tracerDebian_Project(2008)Debian:theuniversaloperatingsystem.
www.
debian.
orgFairclothJ(2011)Penetrationtester'sopensourcetoolkit,3rdedn.
SyngressPublishing,Sebastopol,CAGasparA,LangevinS,ArmitageWD,RideoutM(2008)Marchofthe(virtual)machines:past,present,andfuturemilestonesintheadoptionofvirtual-izationincomputingeducation.
JComputSmallColl23(5):123–132Google(2014)GoogleCloudPlatform.
https://cloud.
google.
com/GreggM(2012)CompTIAAdvancedSecurityPractitioner.
StudyGuide.
Sybex.
AWileyBrand,Hoboken,NJ,USAMarinescuDC(2013)Cloudcomputing:theoryandpractice.
ElsevierScience,AmsterdamNovellI(2008)openSUSE.
org.
http://software.
opensuse.
org/121OSSEC(2014)OpenSourceSEcurity.
http://www.
ossec.
netO'GradyMJ(2012)Practicalproblem-basedlearningincomputingeducation.
TransComputEduc12(3):10–11016.
doi:10.
1145/2275597.
2275599PenTestlaboratory(2014)LabinaBox.
http://pentestlab.
org/lab-in-a-boxPizzoniaM,RimondiniM(2008)Netkit:easyemulationofcomplexnetworksoninexpensivehardware.
In:Proceedingsofthe4thinternationalconfer-enceontestbedsandresearchinfrastructuresforthedevelopmentofnetworks&communities,pp1–10PérezC,PérezD(2014)NETinVM:atoolforteachingandlearningaboutsystems,networksandsecurity.
http://www.
netinvm.
orgPérezC,GutiérrezJ,GrimaldoF,CastroI(2011)Avirtualweblabforteachingenterprisewebapplicationsdevelopment.
In:ICERI2011,Internationalconferenceofeducation,researchandinnovation,pp408–415PérezC(2016)UV006Seguridadinformáticapráctica.
http://uvx.
uv.
es/coursesRamanR,AchuthanK,NedungadiP,DiwakarS,BoseR(2014)Thevlaboerexperience:modelingpotential-adopterstudentacceptance.
IEEETransEduc57(4):235–241.
doi:10.
1109/TE.
2013.
2294152SANSI(2014)SANSinformationsecuritytrainingandcybercertifications.
http://www.
sans.
orgSalahK(2014)Harnessingthecloudforteachingcybersecurity.
In:Proceed-ingsofthe45thACMtechnicalsymposiumoncomputerscienceeduca-tion.
ACM,NewYork,NY,pp529–534.
doi:10.
1145/2538862.
2538880SarkarNI(2006)Teachingcomputernetworkingfundamentalsusingpracticallaboratoryexercises.
IEEETransEduc49(2):285–291SaveryJ(2006)Overviewofproblem-basedlearning:definitionsanddistinc-tions.
InterdiscipJProblBasedLearn1:9–29Snort_team(2014)TheSnortProject.
https://www.
snort.
org/SonJ,IrrechukwuC,FitzgibbonsP(2012)Acomparisonofvirtuallabsolutionsforonlinecybersecurityeducation.
CommunIIMAIntInfManagAssoc12(4):81–96TrabelsiZ,AlketbiL(2013)Usingnetworkpacketgeneratorsandsnortrulesforteachingdenialofserviceattacks.
In:Proceedingsof18thACMconfer-enceoninnovationandtechnologyincomputerscienceeducation.
ACM,NewYork,NY,pp285–290WannousM,NakanoH,NagaiT(2012)Virtualizationandnestedvirtualizationforconstructingareproducibleonlinelaboratory.
In:Globalengineer-ingeducationconference(EDUCON),2012IEEE,pp1–4.
doi:10.
1109/EDUCON.
2012.
6201022WillemsC,KlingbeilT,RadvilaviciusyzL,CenyszA,MeinelC(2011)Adistrib-utedvirtuallaboratoryarchitectureforcybersecuritytraining.
In:IEEEProceedingsofthe6thinternationalconferenceoninternettechnologyandsecuredtransactions.
IEEE,LosAlamitos,CA,pp408–415XuL,HuangD,TsaiW-T(2014)Cloud-basedvirtuallaboratoryfornet-worksecurityeducation.
IEEETransEduc57(3):145–150.
doi:10.
1109/TE.
2013.
2282285