June 24, 2007
June 24, 2007
June 27, 2007
Division Experimentation & Lab-Oriented Studies
12.1575.1 - 12.1575.10
Using Virtual Machine Technology in an Undergraduate Intrusion Detection Lab
Virtual machine (VM) technology was recently adopted in an undergraduate lab on Intrusion Detection Technologies. Each student was provided with a pre-built, but non-configured Fedora Core 5 Linux VM image that was used to complete hands-on labs using the virtual machine on her/his own computer. To prepare the lab environment, a virtual network was built with Windows, Linux, FreeBSD, and Solaris virtual machines to simulate network attacks. Network traces of attacks were generated inside the virtual network using Metasploit Framework and other penetration testing tools. Student exercises included installing and using host-based intrusion detection systems, network-based intrusion detection systems and network monitoring tools. Students used TCPdump, Ethereal, Snort, and Bro to analyze the trace files. Students also performed installation and detection of loadable-kernel-module rootkits inside the virtual machine. A “compromised” virtual machine could be deleted after the lab and a fresh virtual machine could be reopened from the pre-built image in no time. The virtual machine was easy to use and easier to maintain than a real computer.
Using VM technology, it was possible to build a very “real” network environment at a minimal cost. Hands-on exercises of concepts could be set up in the virtual machine. Students were offered various opportunities to test other platforms such as Solaris without acquiring real physical machines. Additionally, the lab was available to students around the clock.
The adoption of VM technology helped students understand basic concepts, increased their interest, and improved their troubleshooting skills. In addition, VM technologies expanded the physical boundaries of the lab environment. Students were able to use their own personal computers at home to perform lab exercises that previously would have required multiple machines configured in a dedicated lab room. This flexibility allowed the students to work at their own pace, and extended the lab environment to distance education students.
Using VM technology, we were able to transfer a physical hands-on intrusion detection lab from a Windows-dominated environment to a diversified virtual environment in a very short period. We believe that virtual machine technology can be successfully used in other computer security and networking labs.
2006 may have been the year of virtual machine (VM) technology. During the year, VMware Inc. released VMware Server as freeware [1]. To compete with free virtualization solutions offered by VMware and Xen, Microsoft announced that Virtual Server 2005 R2 was available as a free download [2]. Virtualization technology enables multiple virtual machines to run concurrently on a single physical computer, with each virtual machine running an isolated operating system [3]. A virtual network is constructed that permits mesh or point-to-point VM connectivity. The pre-
Li, P., & Lunsford, P., & Mohammed, T., & Toderick, L., & Li, C. (2007, June), Using Virtual Machine Technology In An Undergraduate Intrusion Detection Lab Paper presented at 2007 Annual Conference & Exposition, Honolulu, Hawaii. https://peer.asee.org/2718
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2007 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015