IT662: Web and Internet Security

---

Instructor:	Dr. Lixin Tao, ltao@pace.edu, http://csis.pace.edu/~lixin
	GC Office: GC416A, (914)422-4463 PLV Office: G320, (914)773-3449

Lectures:

100% online through Pace Blackboard at http://blackboard.pace.edu

Office Hours:

Daily two hours online, Wednesdays 1PM - 6PM upon appointment at office GC416A

Syllabus:

Web and Internet security overview; limitations of firewall and IDS; HTTP and Web technology overview; securing Web servers, application servers, database servers, input validation, session management and J2EE servers; preventing URL hacking, cyber graffiti, e-shoplifting, session hijacking, impersonation, buffer overflows and virus and worm attacks.

Learning Objectives

After taking this course, a student should be able to

• Understand why firewall and IDS are not enough for securing e-commerce
• Understand the general structure, technologies and security weak spots of Web computing
• Set up and secure Windows and Linux systems, Web servers and Web services, and database servers as well as sample e-commerce applications
• Use security tools including nmap and netcat to analyze and report on the security weaknesses of existing operating systems, Web servers, database servers, and e-commerce applications
• Understand the impact of Web security on the coming server-side computing technologies
• Conduct research in the related areas and apply the knowledge in securing specific IT environments

Textbooks

• Web Hacking: Attacks and Defense, Stuart McClaure, Saumil, and Shreeraj Shah; Addison-Wesley 2003, ISBN 0-201-76176-9
• Web Security for Network and System Administyrators , David Mackey, Thomson Course Technology 2003, ISBM 0-619-06495-1
• Class notes and course material posted in Pace Blackboard  

Projects  

You will be assigned into teams of around 10 people each. Each team will elect its team leader who will be responsible for coordinating the project activities and communicating with the instructor. In October the instructor will post potential course projects and each team can make suggestions too. Typically each team will install and configure some web servers, database servers or web security tools on a virtual Windows Server 2003 Enterprise PC or on a virtual Ubuntu Linux PC. At the end of the semester, each team needs to submit a comprehensive report on its project.

Course Virtual VMs

For your convenience, the instructor will distribute image files of VMware Virtual Machines (VMs) with Windows Server 2003 Enterprise and Ubuntu 9.10 pre-installed and post them at Windows Server 2003 Enterprise (protected with password that is distributed in BlackBoard) and Ubuntu v9.10. You save the two downloaded files in the same folder "C:\VM" of your hard disk, and double-click on each of them to run them to completion (each taking a few minutes). This process will create two folders "WindowsServer2003Enterprise" and "ubuntu10". You can download the free VMware Player at VMware Player to run the virtual VMs as normal applications on your Windows PCs. To install VMware Player, just run the downloaded file. You will find information on how to run the virtual VMs in the "readme.txt" files of the unzipped VM folders. To run either of the two VMs, just double-click on the file with icon of three overlapped blue squares in the corresponding folders. Acknowledge "I moved it" if asked. To get the logon window for Windows, use Ctr+Alt+Insert instead of Ctr+Alt+Delete. Please keep a fresh copy of the downloaded VM image files for recovering to their initial states whenever necessary. To run the VMs, your PC needs at least one GB memory and at least ten GB free disk space. If you don't have such a PC, you can also copy the VM folders "WindowsServer2003Enterprise" and "ubuntu10" on a portable disk and run them at one of the Pace lab PCs that has VMware Player installed (or you can install it on the spot). You can watch my video tutorial at video tutorial on using VM to learn how to set up and run my VMs, even though your VMs are different. The free VMware Player doesn't work on Macs. If you need to run the VMs on a Mac, you need to buy a license of VMware Fusion (http://www.vmware.com/products/fusion/) for about $80, and VMware Fusion can also let your Mac run both Mac OS and Windows.

Bi-Weekly Course Assignments

Every two weeks, read file WhatToDoWeeksXand(X+1).pdf under Discussion Board|WeeksXand(X+1) (X will be replaced by a number) to see which tasks you need to finish for the two weeks. The bi-weekly assignments will cover reading assignments, discussion questions and project assignments. The bi-weekly course assignments will be posted on the Sunday of the first week of the period. Unless otherwise specified, all the tasks specified in a course assignment must be completed within the same two-week period and submitted by the Sunday of the second week of the period. A one-hour open-book online quiz will be conducted on the Friday of the second week of each period, from 8pm to 9pm , through the Blackboard to check your understanding of the fundamental concepts and practices covered by the assignments for the two-week period.

Assignments Submission

The submission deadline will be strictly enforced. Each working day after the submission deadline would incur a 10% penalty on the assignment's grade. All files for a period's assignments should be zipped into a single file and submitted by attaching the solution zip file in a public reply message to the proper assignment thread in the Discussion Board .

Participating in Course Discussions

Every two weeks the instructor may post one or more questions in Pace Blackboard Discussion Board ( Discussion Board|WeeksXand(X+1) ). Students will conduct discussion on the posted questions by replying to the questions in the Discussion Board within two weeks from the posting of the questions. You can also comment on other student's responses. You can get credit by asking questions and help answering questions. A grade will be assigned in each two-week period to each student based on the student's number and quality of participation in the Discussion Board . All postings must be formal with proper syntax and style, with citations to textbook pages or class notes to back up the arguments.

Grading Scheme

Project Assignments	30%
Discussion	30% (Item DGs in Blackboard grade records)
Quizzes	40%

 

Selected Public Course Material

• Course syllabus
• NSF SWEET Project Virtual Lab: Tutorial on Setting up Ubuntu Linux Virtual machines
• NSF SWEET Project Virtual Lab: Introduction to Cryptography
• NSF SWEET Project Virtual Lab: Introduction to Web Technologies
• VMware Player download

 

Current teaching schedule and course material are avaialble in Pace Blackboard.