Session W2F
978-1-4244-4714-5/09/$25.00 ©2009 IEEE October 18 - 21, 2009, San Antonio, TX
39th
ASEE/IEEE Frontiers in Education Conference
W2F-1
A Security Capstone Course: An Innovative
Practical Approach to Distance Education
Nate Evans, Benjamin Blakely, and Doug Jacobson
Iowa State University, natevans@iastate.edu, bab@iastate.edu, dougj@iastate.edu
Abstract - Information assurance is a growing field in the
information technology world. While many individuals
seek further education in this field, it is currently
difficult to complete an entire program of study
remotely. A capstone course at Iowa State University will
enable distance education students to complete the
requirements for a Master’s of Engineering in
Information Assurance from an accredited university
without ever setting foot on a campus. This course will
encompass all focal points of the degree and demonstrate
a level of mastery sufficient for awarding of the degree
(in accordance with other degree requirements). This
course will consist of three parts: the planning &
implementing phase, the defending & attacking phase,
and the infrastructure assessing phase.
Index Terms – Capstone, VMWare, Information Assurance
and Security.
MOTIVATION
The Information Assurance Master's program is a
multidisciplinary master's program at Iowa State University.
It takes aspects of computer engineering, political science,
computer science and mathematics and combines them to
form a cohesive foundation of security education. To help
increase demand for the degree, the required courses are
offered as part of the Distance Education curriculum at Iowa
State. This allows all the lectures to be recorded and
streamed to anyone who is interested in taking the courses,
but can't physically attend courses in Ames. However, until
now students still needed to come to Iowa State to defend a
Master's thesis or to complete a Creative Component in order
to graduate. As enrollment in these courses has grown, the
time the professors have to manage these capstone
components has decreased, creating a need for a course
students can take remotely to fulfill this requirement. A
recent survey of students currently enrolled in the distance
education program showed that over 70% of the students
will switch to the new coursework-only degree. A capstone
course, which touches on each piece learned in the other
required courses, was proposed. The course is not limited to
Distance Education students: it will also be used
by on-campus students as an integrating experience, and it can
replace the creative component if they take an
oral exam about what they did in the capstone.
Iowa State University has hosted Cyber Defense Competitions
(CDCs) for the past four years. In a CDC, a group of
students set up a small network of computers running a
variety of services such as an e-mail server, a web server, or
a remote console server. They must defend this network
against recruited professional “hackers” from industry,
government, and academia. This has become so successful
that there are now four competitions each year: a local Iowa
State competition, a community college competition, a
national post-secondary competition, and a high school
competition (now part of IT-Olympics).
It quickly became apparent that the educational advantages
of a CDC could form the basis for an excellent course in
Information Assurance. This could allow students to use all
the skills they had learned in a realistic “trial-by-fire” lab-
based course, while allowing for distance education to
continue.
This work shows the future of distance education courses
where faxing in an exam sheet is not enough. To be able to
fully engage a CSET student in a laboratory environment is
vital to that student’s fuller understanding of the subject
material. This innovation allows for a practical and fully
immersive information assurance education experience for
students, regardless of physical location.
COURSE OVERVIEW
This 18 week capstone course is an entirely lab-based course
broken down into the following phases:
1. Planning and implementing
2. Attacking and defending
3. Infrastructure assessing
The Planning and implementing phase lasts six weeks. It
requires students to develop a network plan based on a given
scenario and then construct it. The students have absolute
freedom when it comes to network design and OS choice as
long as the software is free, is publicly available, has a demo
period which covers phases 2 and 3, or is site-licensed to
Iowa State. The students must produce a network plan
proposal containing the following:
• A diagram of the student's network
• Rationale for the student's choice of operating
systems and network applications (i.e., daemons)
• Anything security-relevant in the design (e.g.,
NAT, firewalls, jailing, user limits)
The students then implement their design in a VMWare
ESXi environment. They must install operating systems, set
up the virtual network infrastructure, and configure services
within the virtual environment.
The use of VMWare ESXi provides for maximum flexibility
for the students with minimum administrative overhead for
the course coordinator. The coordinator need only install
ESXi on a machine and create a login for the student. The
student then uses the VMWare Infrastructure Client to
connect to his or her host machine. VMWare allows the
student to create virtual switches, virtual machines, and
divide up resources as they see fit. The host machine has
two external connections, one to the public internet (for
management), and one to the course network. The course
network includes a server which contains network-bootable
installers for many popular operating systems. It is also the
network on which they will interface with other students in
the course. All virtual machines must exclusively use this
network. To access the internet from this network, students
connect to a dual-layer proxy server, which is aware of the
division of competition network and the internet. This
protects the internet from attacks perpetrated by the students.
At the end of this phase, students submit a final network
document which contains:
• The full details of their operating systems, services,
network layout, and reasoning behind these
decisions
• Any differences between the proposed network
plan and the final implementation, and the reasons
for these changes.
The Attacking and Defending Phase lasts four weeks. Before
this phase the course coordinator must certify that every
virtual machine is, in fact, connected only to the course
network. During this phase students try to attack other
students' networks, while defending their own network. The
students must try to capture predefined flags from the other
networks, while planting flags on those same systems, and
protecting flags on their own systems. They are encouraged
to document as much as possible during this phase, as they
will be required to report on it in the final phase. Attacking
the VMWare host machines or course infrastructure is not
allowed.
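An added example (not from the paper) of how a coordinator could automate the certification step above: it reads each virtual machine's .vmx configuration and reports every network adapter that is not attached to the course network. The port group name "ISECUBE", the VM names and the sample .vmx contents are assumptions constructed for illustration.

```python
import re

# Assumption: name of the ESXi port group that carries the course network.
COURSE_PORTGROUP = "ISECUBE"

# A .vmx file is a flat list of  key = "value"  lines.
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
_NIC_KEY = re.compile(r'^(ethernet\d+)\.(present|networkname)$', re.IGNORECASE)


def parse_nics(vmx_text):
    """Return {nic: {"present": bool, "network": str or None}} from .vmx text."""
    nics = {}
    for raw in vmx_text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue  # blank, comment or malformed line
        k = _NIC_KEY.match(m.group(1))
        if not k:
            continue  # not a setting this audit looks at
        nic = nics.setdefault(k.group(1).lower(),
                              {"present": False, "network": None})
        if k.group(2).lower() == "present":
            nic["present"] = m.group(2).strip().upper() == "TRUE"
        else:
            nic["network"] = m.group(2)
    return nics


def audit_vm(name, vmx_text, allowed=COURSE_PORTGROUP):
    """Return a list of findings; an empty list means the VM can be certified."""
    findings = []
    for nic, cfg in sorted(parse_nics(vmx_text).items()):
        if not cfg["present"]:
            continue  # adapter is defined but not part of the virtual hardware
        if cfg["network"] is None:
            # Attachment cannot be determined, so it cannot be certified.
            findings.append(f"{name}: {nic} is present but has no networkName")
        elif cfg["network"] != allowed:
            findings.append(f"{name}: {nic} is attached to '{cfg['network']}'")
    return findings


def audit_inventory(inventory, allowed=COURSE_PORTGROUP):
    """inventory maps VM name -> .vmx text. Returns (certified_names, findings)."""
    certified, findings = [], []
    for name in sorted(inventory):
        vm_findings = audit_vm(name, inventory[name], allowed)
        if vm_findings:
            findings.extend(vm_findings)
        else:
            certified.append(name)
    return certified, findings


# Constructed sample data: four VMs belonging to a hypothetical team 1.
SAMPLE_INVENTORY = {
    # Single adapter on the course network: certifiable.
    "team1-www": 'ethernet0.present = "TRUE"\n'
                 'ethernet0.networkName = "ISECUBE"\n',
    # Second adapter bridges to the management network: must be flagged.
    "team1-rdp": 'ethernet0.present = "TRUE"\n'
                 'ethernet0.networkName = "ISECUBE"\n'
                 'ethernet1.present = "TRUE"\n'
                 'ethernet1.networkName = "VM Network"\n',
    # Adapter with no recorded port group: cannot be certified.
    "team1-cvs": 'ethernet0.present = "TRUE"\n',
    # Leftover adapter entry that is not present: ignored.
    "team1-ns": 'ethernet0.present = "TRUE"\n'
                'ethernet0.networkName = "ISECUBE"\n'
                'ethernet1.present = "FALSE"\n'
                'ethernet1.networkName = "VM Network"\n',
}

if __name__ == "__main__":
    ok, problems = audit_inventory(SAMPLE_INVENTORY)
    print("Certified:", ", ".join(ok))
    for line in problems:
        print("FINDING:", line)
```
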
The Infrastructure assessing phase lasts five weeks. During
this phase the students combine everything from the first two
phases and produce a comprehensive document and
video/audio oral presentation. This presentation would
consist of a Webex conference call with the class where the
student would share his/her results. The document and oral
presentation should answer the following questions:
1. What were the key defensive technologies
implemented on the student's network? Did these
hold up to attack? How could the implementation
of these be improved in the future?
2. What were some key limitations and weaknesses in
both the student's network and the networks
attacked by the student? How could these be
mitigated?
3. What changes should be made if the planning and
implementing phase were to be repeated?
4. Which attacks were most successful? How could
they be defended against in the future?
TECHNOLOGY
1. VMWare ESXi
2. Network Interfaces - One connected to the internet
for management, one connected to an internet
testbed (ISECUBE).
3. Nagios and Cacti for monitoring. Nagios will allow
the students to see if their services are up or down.
Cacti will allow students to track resource usage on
their virtual machines.
4. MediaWiki for documentation. Students are asked
to use the wiki for communication between
students, a support guide and to post successful
attacks. Also an external red team will use this to
post successful attacks.
[Figure: Layout of Capstone Course]
In the network diagram above, the top cluster of 5 boxes is
the simulated Internet called ISECUBE, which is connected
to each team (on the right). In addition to this a connection
to the real Internet (on the left) is connected to each box to
serve as a VM Management Interface.
FORESEEABLE PROBLEMS
Students may not take into consideration that this is a
replacement of their creative component when it comes to
how much time they devote to it, because it’s broken up by
credits. It should be made very clear early in the course that
it will require the classic 4 hour rule per credit hour. This is
to produce high quality work from the distance education
students. It is difficult to statistically evaluate the difficulty
of a creative component in comparison to this capstone
course. As such, the work required must validate their
knowledge and understanding of the entire curriculum
presented throughout the Master's in Information Assurance
program at Iowa State University.
COURSE FEEDBACK
The course has been run twice as pilot courses, once with 5
students and once with one student. The first time was run
without the attacking component. In both of these, the
course was run as a normal course without the creative
component replacement and was only for on-campus
students. These were run to test and develop the
infrastructure before opening the course to a large number of
distance education students.
COURSE SCHEDULE
Week 1: Planning and implementing phase begins
Week 3: Network plan proposal due
Week 4: Implementation starts
Week 6: Planning and implementing phase ends. Final
network plan due.
Week 7: Attacking and defending phase begins.
Week 10: Attacking and defending phase ends.
Week 11: Infrastructure assessing phase begins.
Week 15: Assessment paper and presentation due.
GRADING
Network plan proposal: 20%
Implementation (based on completion and availability by
deadline): 20%
Attack and defense documentation: 20%
Assessment paper: 20%
Assessment presentation: 20%
EXAMPLE SCENARIO
The CDC Data Corporation (CDC) is a small dot-com
startup in Metropolitan, Iowa. It is a hosting company with
small sites across the country. This way, clients can have a
local place to store their company's information securely,
without the overhead of an on-site information technology
staff. CDC provides web, CVS, and remote desktop services
at each site. These sites are regularly tested for security by
the CDC Corporate Red Team.
You are in charge of installing a new CDC site. As such,
your team has been assigned the task of designing a secure
network that will hold up to attack and keep client
information secure. You must maintain servers for the
advertised services (more detail below), and be able to
guarantee the security of the data. There are many issues to
be addressed, as flexibility and usability are of the utmost
importance, but the security of client data cannot be
sacrificed in the process. Protected data may reside on any of
the servers, as clients can log into any of the advertised
services. You must additionally provide the infrastructure
for these servers (DNS, an Intrusion Detection System, and
optionally firewalls).
You will be given a list of user names and passwords that
must be implemented on each advertised service. You
cannot change these passwords.
You will be given a list of flags that must be present on each
required service. Failure to include these flags will result in a
penalty. (See the Rules document).
This said, any implementation is acceptable as long as it
provides the following:
Web Server (www.siteN.cdc.com):
An outside web development team has been contracted to
design CDC's site (siteN.cdc.com) and will provide your
team with the content and the server once you begin setting
up your network on November 15th. Every client will have a
log on to this box to update their web content. You may not
remove any client content from this machine. Doing so is
equivalent to taking the web server offline. Your team
should instead focus on implementing global security
measures (Apache configuration, PHP configuration,
MySQL configuration, ModSecurity, etc) that will protect
your web server from any malicious or badly-written client
code. Users must be able to FTP into this box to update their
web site content.
Domain Name Server (ns.siteN.cdc.com):
Management of DNS will need to be handled by your team. For
a fee, CDC corporate offers a consulting service to help you
with this if you so desire (see the Rules document for
details). You will need to provide the IP address of this
machine to the CDC Corporate IT team (the Competition
Director) at least one week before your site goes online
(December 6th). Remember that if this service fails, no one
will be able to access any of your services. If you wish to set
up redundant servers for this task, inform the Competition
Director when you give him your DNS server IP addresses.
(Note: N is the number of your team.)
Concurrent Versioning Server (CVS: cvs.siteN.cdc.com):
Clients need to be able to access a CVS server to check-
in/check-out web code, or any other projects they're working
on. You should use SSH CVS logins, and allow clients to
log in via SSH to a shell. Users should be allowed at least
1GB of storage on this server (even though they may not use
that much). File sizes must be able to grow to 250MB, as
some clients store media projects on this server. You will be
provided with the CVS data to put onto this server one week
before your site goes online (December 6th).
Remote Desktop Server (rdp.siteN.cdc.com):
Clients who have limited computing resources may take
advantage of the amazing hardware provided at your site for
their development work. They should be able to use: FTP to
connect to the web server (Internet Explorer will suffice),
the Eclipse (www.eclipse.org) IDE with CVS access to the
CVS server, OpenOffice.org to edit documents and connect
to the MySQL databases on the web server. Users must be
able to check out their entire CVS module (up to 1GB) to
this machine.
Intrusion Detection System:
To ensure the security of your network, CDC Corporate
Policy requires you to employ an Intrusion Detection
System. The recommended product is Snort (www.snort.org)
with the BASE web interface (base.secureideas.net) as it is
free, widely documented and supported, and easy to use.
One way to set it up is documented at:
http://www.howtoforge.com/intrusion_detection_base_snort.
If you'd like, a preconfigured Snort machine can be ordered
from CDC Corporate for a fee (see the Rules document for
details). CDC Corporate expects periodic (bi-hourly)
intrusion/counter intrusion reports (see the Rules document
for details).
Firewall (Optional):
Your team may decide to structure your network to use one
or more firewalls to protect your servers. CDC Corporate
recommends pfSense for this task (www.pfsense.org), but
other solutions are acceptable as well.
Due to cleanup and remodeling work, the new building is
not accessible to you until the day before your site goes
online. Due to this fact, all setup will be done remotely.
Equipment purchased from your budget will be set up as you
request and remote KVMs will be made available. The day
before your site goes online, you will have a twelve hour
window to put the finishing touches on your network before
clients begin using your services, and the Corporate Red
Team is allowed to begin testing.
CDC Corporate, for auditing purposes, requires that your
network be documented; and for public relations, that you
have a guide available for your clients on how to use your
services. Both of these documents must be provided to CDC
Corporate (the Competition Director) prior to your site
coming online. See the Rules document for details.
CONCLUSIONS AND FUTURE WORK
The two pilot semesters were a success and the course is
planning to open up to full enrollment in the fall semester of
2009. The Master’s of Engineering degree has been
approved as a course work only option for students. The
capstone course is a requirement in the new Master’s of
Engineering degree. The capstone course has also been
approved as a replacement for the creative component part
of the MS degree with an oral exam.
There is additional work that needs to be accomplished to
support anticipated student load. More documentation
giving students assistance with the setup is needed,
especially for students not familiar with the VMWare
environment. Additional documentation is needed to allow
this course to be supported by the department’s computer
support personnel. The details of how the lab was constructed
and how someone could replicate the lab need to be
developed and disseminated.
AUTHOR INFORMATION
Nate Evans PHD Candidate Computer Engineering, Iowa
State University, natevans@iastate.edu.
Benjamin Blakely Doctoral Student Computer Engineering,
Iowa State University, bab@iastate.edu.
Doug Jacobson University Professor Computer and
Electrical Engineering, Iowa State University,
dougj@iastate.edu.

Assessing the Changing Impact of Technology on Teaching and Learning at Virgi...
 
Alternative Energy Sources Boron and Hydrogen Energy.pdf
Alternative Energy Sources Boron and Hydrogen Energy.pdfAlternative Energy Sources Boron and Hydrogen Energy.pdf
Alternative Energy Sources Boron and Hydrogen Energy.pdf
 
Advanced Research Methods for Applied Psychology.pdf
Advanced Research Methods for Applied Psychology.pdfAdvanced Research Methods for Applied Psychology.pdf
Advanced Research Methods for Applied Psychology.pdf
 
Academics Alone Together Liberal Arts Graduate Students Writing Networks.pdf
Academics Alone Together  Liberal Arts Graduate Students  Writing Networks.pdfAcademics Alone Together  Liberal Arts Graduate Students  Writing Networks.pdf
Academics Alone Together Liberal Arts Graduate Students Writing Networks.pdf
 
A Decision Support System based on the DDMCC paradigm for strategic managemen...
A Decision Support System based on the DDMCC paradigm for strategic managemen...A Decision Support System based on the DDMCC paradigm for strategic managemen...
A Decision Support System based on the DDMCC paradigm for strategic managemen...
 
6 The role of resource-based theory in strategic management studies manageri...
6 The role of resource-based theory in strategic management studies  manageri...6 The role of resource-based theory in strategic management studies  manageri...
6 The role of resource-based theory in strategic management studies manageri...
 
15. Mills, A.J., Durepos, G., and Wiebe, E. Eds. (2010) Encyclopedia of Cas...
15. Mills, A.J., Durepos, G., and Wiebe, E.  Eds.  (2010) Encyclopedia of Cas...15. Mills, A.J., Durepos, G., and Wiebe, E.  Eds.  (2010) Encyclopedia of Cas...
15. Mills, A.J., Durepos, G., and Wiebe, E. Eds. (2010) Encyclopedia of Cas...
 
Arising Under Jurisdiction and the Copyright Laws.pdf
Arising Under Jurisdiction and the Copyright Laws.pdfArising Under Jurisdiction and the Copyright Laws.pdf
Arising Under Jurisdiction and the Copyright Laws.pdf
 

Recently uploaded

বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdfবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
eBook.com.bd (প্রয়োজনীয় বাংলা বই)
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
Celine George
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
Colégio Santa Teresinha
 
How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17
Celine George
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
Nicholas Montgomery
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
IreneSebastianRueco1
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
Katrina Pritchard
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
WaniBasim
 
Smart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICTSmart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICT
simonomuemu
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
PECB
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
National Information Standards Organization (NISO)
 
Walmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdfWalmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdf
TechSoup
 
Digital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental DesignDigital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental Design
amberjdewit93
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
GeorgeMilliken2
 
How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17
Celine George
 
How to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP ModuleHow to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP Module
Celine George
 
How to Setup Warehouse & Location in Odoo 17 Inventory
How to Setup Warehouse & Location in Odoo 17 InventoryHow to Setup Warehouse & Location in Odoo 17 Inventory
How to Setup Warehouse & Location in Odoo 17 Inventory
Celine George
 
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat  Leveraging AI for Diversity, Equity, and InclusionExecutive Directors Chat  Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
TechSoup
 
Life upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for studentLife upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for student
NgcHiNguyn25
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
ak6969907
 

Recently uploaded (20)

বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdfবাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
 
How to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRMHow to Manage Your Lost Opportunities in Odoo 17 CRM
How to Manage Your Lost Opportunities in Odoo 17 CRM
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
 
How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
 
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
RPMS TEMPLATE FOR SCHOOL YEAR 2023-2024 FOR TEACHER 1 TO TEACHER 3
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
 
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdfLiberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
 
Smart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICTSmart-Money for SMC traders good time and ICT
Smart-Money for SMC traders good time and ICT
 
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
 
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
Pollock and Snow "DEIA in the Scholarly Landscape, Session One: Setting Expec...
 
Walmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdfWalmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdf
 
Digital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental DesignDigital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental Design
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
 
How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17How to Fix the Import Error in the Odoo 17
How to Fix the Import Error in the Odoo 17
 
How to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP ModuleHow to Add Chatter in the odoo 17 ERP Module
How to Add Chatter in the odoo 17 ERP Module
 
How to Setup Warehouse & Location in Odoo 17 Inventory
How to Setup Warehouse & Location in Odoo 17 InventoryHow to Setup Warehouse & Location in Odoo 17 Inventory
How to Setup Warehouse & Location in Odoo 17 Inventory
 
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat  Leveraging AI for Diversity, Equity, and InclusionExecutive Directors Chat  Leveraging AI for Diversity, Equity, and Inclusion
Executive Directors Chat Leveraging AI for Diversity, Equity, and Inclusion
 
Life upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for studentLife upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for student
 
World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024World environment day ppt For 5 June 2024
World environment day ppt For 5 June 2024
 

A Security Capstone Course An Innovative Practical Approach To Distance Education

Session W2F
978-1-4244-4714-5/09/$25.00 ©2009 IEEE October 18 - 21, 2009, San Antonio, TX
39th ASEE/IEEE Frontiers in Education Conference
W2F-1

A Security Capstone Course: An Innovative Practical Approach to Distance Education

Nate Evans, Benjamin Blakely, and Doug Jacobson
Iowa State University, natevans@iastate.edu, bab@iastate.edu, dougj@iastate.edu

Abstract - Information assurance is a growing field in the information technology world. While many individuals seek further education in this field, it is currently difficult to complete an entire program of study remotely. A capstone course at Iowa State University will enable distance education students to complete the requirements for a Master’s of Engineering in Information Assurance from an accredited university without ever setting foot on a campus. This course will encompass all focal points of the degree and demonstrate a level of mastery sufficient for awarding of the degree (in accordance with other degree requirements). This course will consist of three parts: the planning & implementing phase, the defending & attacking phase, and the infrastructure assessing phase.

Index Terms – Capstone, VMWare, Information Assurance and Security.

MOTIVATION

The Information Assurance Master's program is a multidisciplinary masters program at Iowa State University. It takes aspects of computer engineering, political science, computer science and mathematics and combines them to form a cohesive foundation of security education. To help increase demand for the degree, the required courses are offered as part of the Distance Education curriculum at Iowa State. This allows all the lectures to be recorded and streamed to anyone who is interested in taking the courses, but can't physically attend courses in Ames. However, until now students still needed to come to Iowa State to defend a Masters thesis or to complete a Creative Component in order to graduate.
As enrollment in these courses has grown, the time the professors have to manage these capstone components has decreased, creating a need for a course students can take remotely to fulfill this requirement. A recent survey of students currently enrolled in the distance education program showed that over 70% of the students will switch to the new coursework-only degree. A capstone course, which touches on each piece learned in the other required courses, was proposed. The course is not limited to Distance Education students, however: it will also be used by on-campus students as an integrating experience, and it can replace the creative component if they take an oral exam about what they did in the capstone.

Iowa State University has hosted Cyber Defense Competitions (CDCs) for the past four years. In a CDC, a group of students sets up a small network of computers running a variety of services such as an e-mail server, a web server, or a remote console server. They must defend this network against recruited professional “hackers” from industry, government, and academia. This has become so successful that there are now four competitions each year: a local Iowa State competition, a community college competition, a national post-secondary competition, and a high school competition (now part of IT-Olympics).

It quickly became apparent that the educational advantages of a CDC could form the basis for an excellent course in Information Assurance. This could allow students to use all the skills they had learned in a realistic “trial-by-fire” lab-based course, while allowing for distance education to continue.

This work shows the future of distance education courses where faxing in an exam sheet is not enough. To be able to fully engage a CSET student in a laboratory environment is vital to that student’s fuller understanding of the subject material.
This innovation allows for a practical and fully immersive information assurance education experience for students, regardless of physical location.

COURSE OVERVIEW

This 18-week capstone course is an entirely lab-based course broken down into the following phases:
1. Planning and implementing
2. Attacking and defending
3. Infrastructure assessing

The Planning and implementing phase lasts six weeks. It requires students to develop a network plan based on a given scenario and then construct it. The students have absolute freedom when it comes to network design and OS choice as long as the software is free, is publicly available, has a demo period which covers phases 2 and 3, or is site-licensed to Iowa State.

The students must produce a network plan proposal containing the following:
• A diagram of the student's network
• Rationale for the student's choice of operating systems and network applications (i.e., daemons)
• Anything security-relevant in the design (e.g., NAT, firewalls, jailing, user limits)

The students then implement their design in a VMWare ESXi environment. They must install operating systems, set up the virtual network infrastructure, and configure services within the virtual environment.

The use of VMWare ESXi provides maximum flexibility for the students with minimum administrative overhead for the course coordinator. The coordinator need only install ESXi on a machine and create a login for the student. The student then uses the VMWare Infrastructure Client to connect to his or her host machine. VMWare allows students to create virtual switches and virtual machines and to divide up resources as they see fit.

The host machine has two external connections, one to the public internet (for management), and one to the course network. The course network includes a server which contains network-bootable installers for many popular operating systems. It is also the network on which they will interface with other students in the course. All virtual machines must exclusively use this network. To access the internet from this network, students connect to a dual-layer proxy server, which is aware of the division of competition network and the internet. This protects the internet from attacks perpetrated by the students.

At the end of this phase, students submit a final network document which contains:
• The full details of their operating systems, services, network layout, and reasoning behind these decisions
• Any differences between the proposed network plan and the final implementation, and the reasons for these changes.

The Attacking and Defending Phase lasts four weeks. Before this phase the course coordinator must certify that every virtual machine is, in fact, connected only to the course network. During this phase students try to attack other students' networks, while defending their own network.
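
The certification step above can be partly automated. The following is an added example, not code from the paper or the course: it audits a constructed inventory of virtual switches and VM network adapters, and goes beyond the literal rule by also flagging VMs that could reach the management uplink indirectly through a multi-homed VM. The inventory layout, switch names and uplink labels are assumptions, not an ESXi export format.

```python
"""Audit a VM inventory against the rule that VMs use only the course network.

Added example: the inventory format, names and uplink labels are assumptions.
"""
from collections import deque

COURSE = "course"  # uplink to the course network (assumed label)
MGMT = "mgmt"      # uplink to the public internet, management only (assumed label)

# Constructed sample inventory for one student host: switch -> physical uplinks.
SAMPLE_VSWITCHES = {
    "vSwitch0": {MGMT},    # host management network
    "vSwitch1": {COURSE},  # course network
    "dmz": set(),          # internal-only switches, no physical uplink
    "lan": set(),
}
# Constructed sample: VM -> switches its network adapters attach to.
SAMPLE_VMS = {
    "fw": ["vSwitch1", "dmz", "lan"],  # firewall between course net and internal nets
    "www": ["dmz"],
    "cvs": ["lan"],
    "rdp": ["lan", "vSwitch0"],        # violation: second NIC on the management switch
    "test": ["scratch"],               # NIC on a switch missing from the inventory
}


def reachable_uplinks(vm, vms, vswitches):
    """Return the uplinks a VM could reach.

    Conservative: every multi-homed VM is treated as a possible router, so the
    walk crosses from one switch to another through any VM attached to both.
    """
    seen_switches, seen_vms = set(), {vm}
    queue = deque(vms[vm])
    uplinks = set()
    while queue:
        sw = queue.popleft()
        if sw in seen_switches or sw not in vswitches:
            continue
        seen_switches.add(sw)
        uplinks |= vswitches[sw]
        for other, nics in vms.items():
            if other not in seen_vms and sw in nics:
                seen_vms.add(other)
                queue.extend(nics)
    return uplinks


def audit(vms, vswitches):
    """Return {vm: [issues]} for every VM that cannot be certified as isolated."""
    findings = {}
    for vm, nics in sorted(vms.items()):
        issues = []
        for sw in nics:
            if sw not in vswitches:
                issues.append(f"NIC on unknown switch {sw!r}")
            elif MGMT in vswitches[sw]:
                issues.append(f"NIC directly on management switch {sw!r}")
        if not issues:
            uplinks = reachable_uplinks(vm, vms, vswitches)
            if MGMT in uplinks:
                issues.append("management uplink reachable through a multi-homed VM")
            elif COURSE not in uplinks:
                issues.append("no path to the course network")
        if issues:
            findings[vm] = issues
    return findings


if __name__ == "__main__":
    for vm, issues in audit(SAMPLE_VMS, SAMPLE_VSWITCHES).items():
        for issue in issues:
            print(f"{vm}: {issue}")
```

In the sample, the single extra adapter on `rdp` causes every VM sharing a switch path with it to be flagged, which is why the check walks the whole virtual topology rather than inspecting each VM in isolation.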

The students must try to capture predefined flags from the other networks, while planting flags on those same systems, and protecting flags on their own systems. They are encouraged to document as much as possible during this phase, as they will be required to report on it in the final phase. Attacking the VMWare host machines or course infrastructure is not allowed.

The Infrastructure assessing phase lasts five weeks. During this phase the students combine everything from the first two phases and produce a comprehensive document and video/audio oral presentation. This presentation would consist of a Webex conference call with the class where the student would share his/her results. The document and oral presentation should answer the following questions:
1. What were the key defensive technologies implemented on the student's network? Did these hold up to attack? How could the implementation of these be improved in the future?
2. What were some key limitations and weaknesses in both the student's network and the networks attacked by the student? How could these be mitigated?
3. What changes should be made if the planning and implementing phase were to be repeated?
4. Which attacks were most successful? How could they be defended against in the future?

TECHNOLOGY

1. VMWare ESXi
2. Network Interfaces - One connected to the internet for management, one connected to an internet testbed (ISECUBE).
3. Nagios and Cacti for monitoring. Nagios will allow the students to see if their services are up or down. Cacti will allow students to track resource usage on their virtual machines.
4. MediaWiki for documentation. Students are asked to use the wiki for communication between students, as a support guide, and to post successful attacks. An external red team will also use it to post successful attacks.

Layout of Capstone Course

In the network diagram above, the top cluster of 5 boxes is the simulated Internet called ISECUBE, which is connected to each team (on the right).
In addition, each box has a connection to the real Internet (on the left), which serves as a VM Management Interface.

FORESEEABLE PROBLEMS

Students may not take into consideration that this is a replacement of their creative component when it comes to how much time they devote to it, because it’s broken up by credits. It should be made very clear early in the course that it will require the classic 4-hour rule per credit hour. This is to produce high quality work from the distance education students.

It is difficult to statistically evaluate the difficulty of a creative component in comparison to this capstone course. As such, the work required must validate their knowledge and understanding of the entire curriculum presented throughout the Master's in Information Assurance program at Iowa State University.

COURSE FEEDBACK

The course has been run twice as pilot courses, once with 5 students and once with one student. The first time was run without the attacking component. In both of these, the course was run as a normal course without the creative component replacement and was only for on-campus students. These were run to test and develop the infrastructure before opening the course to a large number of distance education students.

COURSE SCHEDULE

Week 1: Planning and implementing phase begins.
Week 3: Network plan proposal due.
Week 4: Implementation starts.
Week 6: Planning and implementing phase ends. Final network plan due.
Week 7: Attacking and defending phase begins.
Week 10: Attacking and defending phase ends.
Week 11: Infrastructure assessing phase begins.
Week 15: Assessment paper and presentation due.

GRADING

Network plan proposal: 20%
Implementation (based on completion and availability by deadline): 20%
Attack and defense documentation: 20%
Assessment paper: 20%
Assessment presentation: 20%

EXAMPLE SCENARIO

The CDC Data Corporation (CDC) is a small dot-com startup in Metropolitan, Iowa. It is a hosting company with small sites across the country. This way, clients can have a local place to store their company's information securely, without the overhead of an on-site information technology staff.
CDC provides web, CVS, and remote desktop services at each site. These sites are regularly tested for security by the CDC Corporate Red Team.

You are in charge of installing a new CDC site. As such, your team has been assigned the task of designing a secure network that will hold up to attack and keep client information secure. You must maintain servers for the advertised services (more detail below), and be able to guarantee the security of the data. There are many issues to be addressed, as flexibility and usability are of the utmost importance, but the security of client data cannot be sacrificed in the process. Protected data may reside on any of the servers, as clients can log into any of the advertised services. You must additionally provide the infrastructure for these servers (DNS, an Intrusion Detection System, and optionally firewalls).

You will be given a list of user names and passwords that must be implemented on each advertised service. You cannot change these passwords. You will be given a list of flags that must be present on each required service. Failure to include these flags will result in a penalty. (See the Rules document).

This said, any implementation is acceptable as long as it provides the following:

Web Server (www.siteN.cdc.com): An outside web development team has been contracted to design CDC's site (siteN.cdc.com) and will provide your team with the content and the server once you begin setting up your network on November 15th. Every client will have a logon to this box to update their web content. You may not remove any client content from this machine. Doing so is equivalent to taking the web server offline. Your team should instead focus on implementing global security measures (Apache configuration, PHP configuration, MySQL configuration, ModSecurity, etc.) that will protect your web server from any malicious or badly-written client code. Users must be able to FTP into this box to update their web site content.

Domain Name Server (ns.siteN.cdc.com): Management of DNS will need to be handled by your team. For a fee, CDC corporate offers a consulting service to help you with this if you so desire (see the Rules document for details). You will need to provide the IP address of this machine to the CDC Corporate IT team (the Competition Director) at least one week before your site goes online (December 6th). Remember that if this service fails, no one will be able to access any of your services. If you wish to set up redundant servers for this task, inform the Competition Director when you give him your DNS server IP addresses. (Note: N is the number of your team.)

Concurrent Versioning Server (CVS: cvs.siteN.cdc.com): Clients need to be able to access a CVS server to check-in/check-out web code, or any other projects they're working on. You should use SSH CVS logins, and allow clients to log in via SSH to a shell. Users should be allowed at least 1GB of storage on this server (even though they may not use that much). File sizes must be able to grow to 250MB, as some clients store media projects on this server. You will be provided with the CVS data to put onto this server one week before your site goes online (December 6th).

Remote Desktop Server (rdp.siteN.cdc.com): Clients who have limited computing resources may take advantage of the amazing hardware provided at your site for their development work. They should be able to use: FTP to connect to the web server (Internet Explorer will suffice), the Eclipse (www.eclipse.org) IDE with CVS access to the CVS server, OpenOffice.org to edit documents and connect to the MySQL databases on the web server. Users must be able to check out their entire CVS module (up to 1GB) to this machine.

Intrusion Detection System: To ensure the security of your network, CDC Corporate Policy requires you to employ an Intrusion Detection System. The recommended product is Snort (www.snort.org) with the BASE web interface (base.secureideas.net) as it is free, widely documented and supported, and easy to use. One way to set it up is documented at: http://www.howtoforge.com/intrusion_detection_base_snort. If you'd like, a preconfigured Snort machine can be ordered from CDC Corporate for a fee (see the Rules document for details). CDC Corporate expects periodic (bi-hourly) intrusion/counter intrusion reports (see the Rules document for details).

Firewall (Optional): Your team may decide to structure your network to use one or more firewalls to protect your servers. CDC Corporate recommends pfSense for this task (www.pfsense.org), but other solutions are acceptable as well.

Due to cleanup and remodeling work, the new building is not accessible to you until the day before your site goes online. Due to this fact, all setup will be done remotely. Equipment purchased from your budget will be set up as you request and remote KVMs will be made available.
The day before your site goes online, you will have a twelve hour window to put the finishing touches on your network before clients begin using your services, and the Corporate Red Team is allowed to begin testing.

CDC Corporate, for auditing purposes, requires that your network be documented; and for public relations, that you have a guide available for your clients on how to use your services. Both of these documents must be provided to CDC Corporate (the Competition Director) prior to your site coming online. See the Rules document for details.

CONCLUSIONS AND FUTURE WORK

The two pilot semesters were a success and the course is planning to open up to full enrollment in the fall semester of 2009. The Master’s of Engineering degree has been approved as a course work only option for students. The capstone course is a requirement in the new Master’s of Engineering degree. The capstone course has also been approved as a replacement for the creative component part of the MS degree with an oral exam.

There is additional work that needs to be accomplished to support anticipated student load. More documentation giving students assistance with the setup is needed, especially for students not familiar with the VMWare environment. Additional documentation is needed to allow this course to be supported by the department’s computer support personnel. The details of how the lab was constructed and how someone could replicate the lab need to be developed and disseminated.

REFERENCES

Hoffman, Lance J. and Ragsdale, Daniel. “Exploring a National Cyber Defense Exercise for Colleges and Universities.” Report No. CSPRI-2004-08. Aug 24, 2004.

Jacobson, Doug and Evans, Nate. “Cyber Defense Competition.” American Society of Engineering Education. 2006.

AUTHOR INFORMATION

Nate Evans, PhD Candidate, Computer Engineering, Iowa State University, natevans@iastate.edu.

Benjamin Blakely, Doctoral Student, Computer Engineering, Iowa State University, bab@iastate.edu.

Doug Jacobson, University Professor, Computer and Electrical Engineering, Iowa State University, dougj@iastate.edu.