IS 3423: Network Security
Fall 2011
Department of Information Systems and Technology Management
The University of Texas at San Antonio
Instructor: Prof. Seok-Won Lee, Ph.D.
Web page: http://www.machinediscovery.com
Email: Seok-Won.Lee@utsa.edu
(Always insert “IS3423: “ in the Subject line)
Office Phone: 210-458-8548
Office Location & Hours: BB 4.02.22, Thursdays 4:00 – 5:00 PM or by appointments
Classroom: BB 3.04.04
Meeting Time: Tuesdays & Thursdays, 8:30 – 9:45 PM
Course Objectives:
The course provides a foundation in networking technologies that are core to creating secure networks. Topics included in this course are basic cryptography, secure networking protocols, logical and physical security management, and security devices. Relation between these technologies and operational & implementation issues for these technologies will also be discussed. Course content is derived from the text, as well as outside reading.
Required Course Materials:
1. Corporate Computer and Network Security, by Raymond R. Panko (2nd Edition 2010, ISBN: 0131854755)
Recommended Course Materials:
2. Introduction to Computer Security, by M. Goodrich & R. Tamassia (ISBN 0321512944)
3. Introduction to Computer Security, by M. Bishop (ISBN 0321247442)
4. Designing Network Security, by Merike Kaeo (ISBN: 1587051176)
The following is a tentative schedule of topics, textbook references, assignments, and assignment due dates. As circumstances dictate, I reserve the right to change this schedule including but not limited to tests, assignments, due dates, etc. Please review these assignments before they are due so you turn in the proper material.
Topics (Tentative)
Overview of Computer Security Threat Environment
Cryptography & Systems Network Security Protocols
Firewalls Access Control Systems
VPN Wireless Network Security
Intrusion Detection Systems Malware
Web Security Physical Security
Application Security Disaster Recovery Planning
Schedule (Tentative)
Meeting |
Date |
Topics (Tentative) |
Due |
Misc |
1 (W1) |
8/25 |
Introduction |
|
|
2 (W2) |
8/30 |
Overview of Computer Security Threat Environment |
|
Bishop Panko |
9/1 |
Planning |
|
Panko |
|
4 (W3) |
9/6 |
Elements of Cryptography |
|
Panko |
9/8 |
Elements of Cryptography |
|
Panko |
|
6 (W4) |
9/13 |
Network Security Concepts & Protocols for Link, Network, Transport, Application Layers |
|
Goodrich |
9/15 |
Group Project Discussion Lab Assignment: NMAP/NESSUS/WIRESHARK |
Last Day Finalize Groups & Topics for Project |
|
|
8 (W5) |
9/20 |
Network Security Concepts & Protocols for Link, Network, Transport, Application Layers |
|
Goodrich |
9/22 |
Cryptographic System Standards |
|
Panko |
|
10 (W6) |
9/27 |
Cryptographic System Standards |
|
Panko |
9/29 |
Group Project |
|
|
|
12 (W7) |
10/4 |
Mid-term exam |
|
|
10/6 |
Access Control |
|
Panko |
|
14 (W8) |
10/11 |
Security Certification and Accreditation |
|
|
10/13 |
Preliminary Presentation on Group Projects(by this time, you are |
Even number Groups |
|
|
16 (W9) |
10/18 |
Odd number Groups |
Panko |
|
10/20 |
Firewalls/ Host and Data Security |
|
Panko/Goodrich |
|
18 (W10) |
10/25 |
Web Security |
|
Goodrich |
10/27 |
Physical Security |
|
Goodrich |
|
20 (W11) |
11/1 |
Security Policies, Standards and Procedures |
|
|
11/3 |
Application Security (Database, Email, Payment, DRM, Social Networking, Voting Systems) |
|
|
|
22 (W12) |
11/8 |
Application Security |
|
|
11/10 |
Incident and Disaster Response |
|
Panko |
|
24 (W13) |
11/15 |
Written Project Reports and Project Presentation Slides due at the beginning of the class. |
Groups 1, 2 |
|
11/17 |
Project Presentation |
Groups 3, 4 |
|
|
26 (W14) |
11/22 |
Project Presentation |
Groups 5, 6 |
|
11/24 |
Thanksgiving Holiday (No Class) |
|
|
|
27 (W15) |
11/29 |
Project Presentation |
Groups 7, 8 |
|
12/1 |
Project Presentation |
Groups 9, 10 |
|
|
29 (W16) |
12/6 |
Project Presentation |
Groups 11, 12 |
|
30 |
12/13 |
Final Exam (Tuesday 8:00 – 10:30 PM) |
|
|
Course Requirements:
This course is designed to be highly interactive. I will present the basic concepts, and you are expected to apply them. You should be prepared to:
• Attend class
• Read the assignments
• Participate in class discussions
• Study for exams
• Seek help if you do not understand
• Conduct outside research to better understand the material
• Work closely with fellow team mates to produce a product that you would be proud to show to others
Group Project:
There is one group project for this class:
• Applying secure network design concepts to a given business type.
Project Description:
Organize into groups of 3 or 4 (depending on class size) people to design and report on a solution for a given secure network design problem. Specifically, you are to choose one of the business types. Based upon the business type you selected, you are to define a company (real or fictional) that meets the business type, then apply the concepts from the previous chapters, as well as class discussions. Each team is expected to present their solution, focusing on the characteristics of their given company. It will soon become obvious to you that secure network design is not the same for all companies and all situations.
Business types include the following:
• Full Service Bank
• Hospital
• Global Telecommunications Company
• Web-Based Vendor
• Security Consulting Firm
• Charitable Organization (e.g. United Way)
• University
• Hotel Chain
• Online Auctions
• Computer Hardware/ Electronics Manufacturer
• Software Company and more…
At a minimum, you are to address the following:
• Detailed description of company
• Stakeholders and their impact on network security
• Network Interfaces which might impact security
• Regulations and legislation to be addressed, and how (not generic)
• Major threats and vulnerabilities – based on your company (not generic)
• Policies to be created, based on threats and vulnerabilities
• Physical security controls
• Logical security controls
• Infrastructure and data integrity
• Incident handling procedures
• Securing internal and external network access
Topic selections are on a first come, first serve basis. Each group is expected to send me, via e-mail Seok-Won.Lee@utsa.edu a list of all team members and a ranked order (in case of tie) of your topic selection by Thursday, September 15, 2011.
There are five main parts to this project: 1) Topic Selection; 2) Preliminary Presentation; 3) Written Report; 4) Final Project Presentation; and 5) Peer Evaluation.
1. Topic Selection. These projects are meant to be a learning experience for the entire class.
Your group is expected to review the potential companies, decide which company you wish to focus upon, and then review the topics of chapter discussion.
REMEMBER: PLAN AHEAD
2. Preliminary Presentation. Each group is expected to make a preliminary presentation on group projects on Thursday, October 13, 2011. During the preliminary presentation each group is expected to present the company description, stakeholders, interfaces, threats and vulnerabilities, review of regulations and legislations and preliminary policies. Each group will be allocated 5-10 minutes for each presentation. Each group should also create PowerPoint slides to assist with the preliminary presentation. Preliminary presentation grade will be assessed on the progress made by the group on the project. Preliminary presentation grade will count for up to 5 points towards your final project grade.
3. Written Report. The results of your research are to be presented in the following format - cover page, table of contents (including location of illustrations and exhibits, the report, alphabetical list of references cited). The table of contents should list all major headings, exhibits, and illustrations (including page locations). The report should be at least 15 pages in length, not counting the cover page, table of contents, or references. Include at least 6 references, other than your textbook. You are expected to already know how to write a research paper.
Paper Submission: Your written report is due Tuesday, November 15, 2011. Submit an electronic copy of your report (in MS Word or PDF format) latest by the due date. Failure to submit the report on time will result in a penalty of loss in 10% of the project grade per day of delay in submission. Evidence of plagiarism will result in a project grade of zero for all teammembers. All team members are expected to have fully reviewed the paper beforesubmission.
Also, submit to me an electronic copy of your PowerPoint presentation by the due date. Best way to submit the files electronically is through email. Also, where possible, include electronic copies of your cited references. If the reference is from the Web, save a copy, assuring the URL is noted on the footer. If you do not have access to an electronic copy of your reference, either scan the reference or include a hard copy. If you are citing from a book, only include the area referenced within the book. If all citations are in electronic format, you do not need to submit any of your references in hard copy format.
NOTE: You can submit your report earlier for a “free” review, but no later than Tuesday, November 1, 2011. If submitted for “free” review, I will provide you with comments and suggestions for improving the final project, if possible.
IMPORTANT: The final report should reflect the work of a group of people working together for a minimum of eight weeks, producing a quality product. Grading will be based upon this amount of expected effort. If your group puts minimal effort in the project, your project grade will also probably reflect minimal effort.
Your final paper submission should contain the following:
• Electronic copy of your paper and project presentation (should be submitted through email, or a CD)
• Electronic copies of cited papers or the web links to the cited sources
• Hard copy of any papers, books, etc. cited which are NOT in electronic format
4. The Group Presentation offers you the chance to impart knowledge to the rest of the class.
Each group will be allocated 25 minutes for presentation. 10 additional minutes will be dedicated to discussion and questions. Presentation content will be derived from your written report, following a similar format. Emphasis should be placed on the specific securityrequirements of your given industry/group and how you intend to meet these requirements.
At the end of your presentation, include a slide that contains two questions pertaining to your presentation that you expect the rest of the class to be able to answer (These questions should be short-answer questions. Multiple choice and true/false questions are not acceptable). These questions will be used as study guides for the final exam. Group presentations will commence Tuesday, November 15, 2011. Your team can decide how the presentation is to be made – by one group member, two group members, all group members, etc. Absence of a team member on the day of presentation is not sufficient cause for delaying a presentation.
5. Peer Evaluation. This is expected to be a group project. Any team member who does not contribute his or her fair share on the project should not expect to receive the same project grade as others. Following the team presentation, each team is to submit evaluations of each team member. Please use the attached peer evaluation form. If there are three members on a team, A evaluates B and C; B evaluated C and A; and C evaluates A and B. Individual project grade = team project grade * peer evaluation percentage. For example, if your group project grade = 90, and peer evaluation grade = 100, your individual project grade = 90. However, if your team project grade = 90 and peer evaluation grade = 50, your individual project grade = 45!
Peer evaluations are due within one class period after your presentation. If I do not receive evaluations by that time, I will assume that all group members received a 100% evaluation.
NOTE: Choose your teammates wisely. If you have a problem with a teammate, try to work it out among yourselves. If you cannot resolve the problem, you can elect to fire a member. However, all other team members must agree, and no member can be fired after Thursday, September 29, 2011.
Class Participation:
Questions, comments, etc. are encouraged. If you do not understand some of the material, please ask questions. You can receive up to 25 points (5 points each day) for participating in topic discussion during project presentation days. However, in order to receive the full participation grade, you must be present at the beginning of class time, listen attentively (don’t do homework, study for an exam, talk to your neighbor, etc.) and participate in discussion following the presentation. Naturally, if you do not attend class during team presentation days, you should not expect to receive participation points for these days.
Exams:
Exam content is based on reading assignments, class discussion, and group presentations related to the cases. You are expected to fully understand these topics. Exams may include a mix of multiple choice, short answer and essay questions. Exam questions are based on one’s understanding of the subject, rather than one’s ability to memorize. The best way to study for these exams is to review class and lecture notes, formulate questions related to the content, and write out a detailed response to the question. In addition, you are responsible for knowing the answers to the questions posed by presentation groups.
Please feel free to see me during office hours (or by appointment) to discuss your proposed questions and responses prior to an exam.
Make-Up Exams Will Not be Given. If you miss an exam and notify me prior to the exam, you will be required to take a comprehensive final, and the final exam grade will count twice (for the final and for the exam missed). If you miss an exam and DO NOT notify me prior to the exam, you will receive a zero for the exam.
Grading Criteria:
Project 125 points (group grade*peer evaluation grade)
Project Participation 25 points
Class attendance & participation 50 points
Exams 300 points
Total 500 points
Final Grade is based on total points accumulated
A = 450 – 500 points
B = 400 – 449 points
C = 350 – 399 points
D = 300 – 349 points
F = < 300 points
Special Notes:
Academic Honesty:
As written in the UTSA Student Code of Conduct, “The University can best function and accomplish its objectives in an atmosphere of high ethical standards. All students are expected and encouraged to contribute to such an atmosphere in every way possible, especially by observing all accepted principles of academic honesty. It is recognized, however, that a large university will include a few students who do not understand, appreciate or practice these principles. Consequently, alleged cases of academic dishonesty involving UTSA students will inevitably occur.
Academic or scholastic dishonesty includes, but is not limited to, cheating, plagiarism, collusion, the submission for credit of any work or materials that are attributable in whole or in part to another person, taking an examination for another person, any act designed to give unfair advantage to a student or the attempt to commit such acts. Academic dishonesty is a violation of the Student Code of Conduct.” Students are expected to follow the UTSA honor pledge:
"On my honor, as a student of The University of Texas at San Antonio, I will uphold the highest standards of academic integrity and personal accountability for the advancement of the dignity and the reputation of our university and myself.”
IS 3423
FALL 2011
PROJECT PRESENTATION GRADING CRITERIA
Group_______________________________
Organization__________________________
(Maximum Points = 30 points)
Was the presentation clear (i.e. did not read presentation to audience, spoke clearly
and loudly)? _____________
(0-10)
Provided in-depth coverage of the subject- clearly evident that group relied upon
material other than that available in the text book _____________
(0-10)
Provided well thought out secure design for given company and conditions
(0-10) _____________
TOTAL _____________
Presentation exceeded or was significantly under the allotted time
(Loss of 5 points) _____________
IS 3423
FALL 2011
PROJECT WRITTEN REPORT GRADING CRITERIA
Group_______________________________
Organization__________________________
(Maximum Points = 90 points)
Was the paper well organized, well written, and readable?
(0-15) _____________
Was the paper in format specified (cover page, TOC, illustrations and/or tables,
references, page length, etc.)
(0-15) _____________
Did the paper provide a convincing, well thought out secure design that met the needs
of the given company? Was the design tailored to the company rather than generic?
(0-30) _____________
Was the quality of the paper indicative of 8 weeks of work?
( 0-10) _____________
Did the group/student perform a thorough review of the literature? Were at least 6
references cited, and were they of high quality, directly related to the given topic?
(0-10) _____________
Was the paper properly referenced? Were electronic copies of the
articles submitted?
(0-10) _____________
TOTAL _____________
Evidence of plagiarism will result in a project grade of zero for all team members. All team members are expected to have fully reviewed the paper before submission.
IS 3423
FALL 2011
PEER EVALUATION FORM
Group_______________________________
Organization__________________________
Each category is rated on a scale of 1 to 5 in which 5 = outstanding, 4 = very good, 3 = acceptable, 2 = had some problems, 1 = poor, and 0 = totally unacceptable.
Team Member Name |
|
|
|
|
Completed assignments on time |
|
|
|
|
Provided Quality Work |
|
|
|
|
Provided Valuable input |
|
|
|
|
Was available, when |
|
|
|
|
Would like to work with |
|
|
|
|
Total |
|
|
|
|
Percentage = Total X 4 |
|
|
|
|
Evaluating team member:
Name ____________________________ Signature ___________________________
Submit one form per evaluating team member. Team members do not participate in evaluation of themselves.