I previously announced my four-day Network Security Operations class. I have planned some of the labs for the class, but I thought you might have ideas regarding the sorts of hands-on activities you would want to try.
The class consists of four days, covering network security monitoring, network incident response, and network forensics. Days one, two, and three each offer small labs at regular intervals to reinforce the lecture material. Day four is entirely lab-based.
One of my goals is to give each student his or her own environment for analysis. I am considering a mix of real, jailed, and virtual environments. The activities students want to try will drive how I implement the student work environment. For example, using my GSX server I believe I can support 16 simultaneous VMs. A single FreeBSD install might be able to support many more jails on its own. Real hardware could be problematic, but I might be able to use Soekris systems. VMs are attractive because they offer snapshot features, whereas real hardware needs to be re-imaged.
I don't intend to provide each student his or her own laptop. I prefer each student to bring a laptop to the class and SSH from the laptop to his or her own environment. Alternatively, if VMware GSX is used on the class server, the student could connect using the VMware Virtual Console. That requires installing software on the student's own laptop (which needs to be running Linux or Windows), which I would prefer to avoid.
Another option involves building a custom live CD, perhaps using FreeSBIE. Each student could run a local FreeBSD instance on his or her laptop. I foresee problems with inadequate laptops, unrecognized hardware, and limited learning scenarios. That's still an option though.
I have been trying to imagine the sorts of activities I would want to try in a class covering these topics. I want students to try a wide variety of network analysis tools, like Tcpdump, Tethereal, Snort, Tcpflow, Ngrep, Flowgrep, Flow-tools, Argus, Tcpdstat, Capinfos, and so on. Labs built around these tools are fairly simple to implement, especially when the tools read from saved Libpcap traces rather than a live interface.
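To show what "reading from saved Libpcap traces" involves at the byte level, here is an added example (not code from the original post or from any of the tools named above). It builds a small Ethernet/IPv4/TCP trace in memory, parses the libpcap file format directly, and produces a capinfos-style summary plus per-flow packet counts of the kind Argus or Tcpflow would report. The addresses, ports and timestamps are constructed sample data; the script writes the trace to `sample.pcap` only when run directly, so students can open the same file with tcpdump or Tethereal and compare.

```python
"""
Minimal libpcap trace reader: a capinfos/tcpdstat-style summary plus
per-TCP-flow packet counts, run over a trace constructed in memory.
Added illustration, not part of the original post; all packets below are
constructed sample data.
"""
import socket
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1


def build_trace(packets):
    """Serialize (timestamp, frame) pairs into a little-endian libpcap image."""
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b""
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        # per-record header: ts_sec, ts_usec, included length, original length
        body += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return hdr + body


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are left zero (fine for offline parsing)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def read_trace(data):
    """Yield (timestamp, frame) from a libpcap image, handling either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a libpcap trace (bad magic)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        if len(frame) < incl:
            raise ValueError("truncated record")   # capture cut short mid-packet
        off += incl
        yield sec + usec / 1e6, frame


def decode(frame):
    """Return (src, dst, proto, sport, dport, flags) for IPv4 frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    if proto != 6 or len(frame) < 14 + ihl + 20:
        return (src, dst, proto, None, None, None)
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (src, dst, proto, sport, dport, tcp[13])


def summarize(data):
    """capinfos-like totals plus bidirectional TCP flow counts."""
    count = total_bytes = 0
    first = last = None
    flows = Counter()
    for ts, frame in read_trace(data):
        count += 1
        total_bytes += len(frame)
        first = ts if first is None else first
        last = ts
        d = decode(frame)
        if d and d[2] == 6:
            src, dst, _, sport, dport, _ = d
            a, b = (src, sport), (dst, dport)
            flows[(a, b) if a <= b else (b, a)] += 1   # order-independent key
    duration = (last - first) if count else 0.0
    return {"packets": count, "bytes": total_bytes,
            "duration": round(duration, 6), "flows": dict(flows)}


# Constructed sample: one HTTP handshake plus request, and one lone SSH SYN.
SAMPLE = build_trace([
    (1000.000000, tcp_frame("10.0.0.5", "192.168.1.10", 40001, 80, 0x02)),   # SYN
    (1000.000500, tcp_frame("192.168.1.10", "10.0.0.5", 80, 40001, 0x12)),   # SYN/ACK
    (1000.001000, tcp_frame("10.0.0.5", "192.168.1.10", 40001, 80, 0x18,
                            b"GET / HTTP/1.0\r\n\r\n")),                      # PSH/ACK
    (1001.500000, tcp_frame("10.0.0.5", "192.168.1.20", 40002, 22, 0x02)),   # SYN
])

if __name__ == "__main__":
    with open("sample.pcap", "wb") as f:   # inspect with: tcpdump -nr sample.pcap
        f.write(SAMPLE)
    print(summarize(SAMPLE))
```

The parser deliberately stops at the Ethernet/IPv4/TCP layers and raises on a truncated record, which is exactly the kind of failure students hit when a capture is interrupted; the real tools listed above handle far more link types and protocols, but the file layout they read is the one shown here.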
If I want to provide a more exotic environment, implementation becomes more difficult. For example, I would like to let each student experiment with Sguil. Should students be able to run tools that sniff live traffic in promiscuous mode? I'm also considering a section that describes how to set up a caged server using Pf. Implementing a bridging firewall setup to build a cage presents all sorts of issues.
Perhaps analysis is more important. In that case, deciphering network traffic might be the focus. That is easier to implement than creating a dynamic network environment. I am concerned that VMware might not support an open (non-switched) network conducive to sniffing.
I've set a limit of 15 students per class for my private classes. However, when I teach at USENIX, I could have 30 or more students. Although I do not teach an all-lab day at USENIX, my other classes (NSM, NIR, NF) could have hands-on components if I plan them to accommodate large groups.
When I taught at Foundstone we provided every student his or her own Dell laptop, and the labs centered on students trying to break into laptop target ranges. Eventually we replaced the laptop targets with VMs.
So, what sorts of lab activities would you want to see in a class on NSM, NIR, and NF? What have you seen other classes do, and what did you like? I appreciate your feedback.