IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.12, December 2010

An Integrated Multimedia Based Platform for Teaching Network Security

W Makasiranondh, S P Maj, D Veal

Edith Cowan University, Perth, Western Australia

Summary

Configuring a secure network is of paramount importance to all organizations. Accordingly staff should be appropriately qualified and trained. The Cisco Network Academy Program (CNAP) recently introduced the Cisco Network Academy Associate (CCNA) Security course for college students, university students and practicing professionals. This course is designed to provide the skills and knowledge to design, configure and manage a secure network. One of the key technologies employed by this course is the Security Device Manager (SDM). However it has been demonstrated that there are significant limitations with SDM. This problem is exacerbated when courses are offered on-line to remotely located students. This paper demonstrates that these problems are addressed when students are provided with an integrated multimedia based platform incorporating SDM and also the State Model Diagram (SMD) method of device configuration and management.

Key words:
Network security, Security Device Manager (SDM), State Model Diagrams (SMDs), Remote Access Networking Laboratories.

1. Introduction

Security is an essential aspect of network configuration and management. Significantly security threats are not only complex but are also constantly and dynamically developing in complexity. In order to address this problem Cisco, the world’s largest vendor of network equipment and developer of the world’s largest network educational program, has introduced the Cisco Network Academy Associate (CCNA) Security Course. The prerequisite for this course is successful completion of the introductory Cisco Network Academy Associate (CCNA) course. The CCNA course teaches the basic skills and knowledge required for configuring and managing a standard but insecure network. The CCNA Security course builds upon this foundation knowledge in order to provide specialist theoretical and practical knowledge in network security. Comprehensive on-line instructional material is available along with the associated workshop exercises. However, it has been demonstrated that there are some major concerns with conducting security based laboratories in an online mode [1]. A key tool in this course is the Security Device Manager (SDM). The SDM is a graphical user interface (GUI) designed to simplify secure device configuration, by means of a menu based interface.

There are some important limitations of SDM; for example it cannot be used to configure and manage layer 2 switches [2]. This is a serious limitation as SDM cannot be used to configure protocols such as: Virtual LANs (VLANs); Trunk Aggregation; Spanning Tree Protocol (STP) and other layer 2 related protocols. Even more importantly, SDM cannot be used to ensure a layer 2 switch is properly secured against attacks that include: VLAN hopping; switch spoofing; and port violation. Although more effective network management tools are available commercially, they are not generally cost effective when used solely for learning purposes, and they are not freely available on CNAP based courses.

Despite the limitation of SDM in interacting with layer 2 related devices, using the SDM to configure network security is relatively easy; for example a site to site Virtual Private Network (VPN) and a firewall can be configured by using the default options. On the other hand, inputting the associated generated configuration code via the command line interface (CLI) alone can be considered a complex task and hence potentially problematic when conducting fault diagnosis. Incorporating another GUI tool, such as the State Model Diagram (SMD), may compensate for this complexity.

Therefore, this study explored the possibility of incorporating more device representation tools into the learning environment.

2. State Model Diagrams

In addition to employing the standard text-based Command Line Interface (CLI) there are considerable advantages to using the State Model Diagram (SMD) method for device configuration and management [3]. It was found that:

Significantly, SMDs allow networking concepts and technical detail to be taught using a single common template. Technical details may be progressively included while maintaining conceptual integrity by means of hierarchical leveling. SMDs may, therefore, support student learning at both introductory and advanced levels [4]

Manuscript received December 5, 2010


Manuscript revised December 20, 2010

Experimental results have shown that when instruction is based on SMDs students develop a rich conceptual model that is strongly aligned with that of an expert [5]. Significantly the SMD method is universally applicable and it has been demonstrated that this method of device and network protocol modeling can be used for all network devices (switch, router, wireless access points etc) and associated protocols (routing, switching etc) [6]. Furthermore the SMD method has been found to be particularly useful when configuring complex security devices and protocols such as PIX devices and Zone Based Firewalls (ZBFs) [7]. It should be recognized that correct network device configuration is of paramount importance.

Table 1: Evaluation of configuration interfaces

CLI
  Advantages
  - Can be used for all network devices and protocols
  - Routinely used by professionals in the field
  Disadvantages
  - Verbose, lot of detail that may not be important.
  - Syntactically exact and demanding.
  - Difficult to learn and use especially for novices
  - Device configuration may be time consuming
  - Cannot display device status
  - Cannot display protocol status without user intervention

SDM
  Advantages
  - Simple to use.
  - Lacks the granularity of control that is possible with both CLI and SMD
  - Rapid device configuration
  - Can display device status
  - Can automatically display protocol status
  Disadvantages
  - Cannot be used for configuring and managing layer 2 switches.
  - May generate extensive configuration commands which may be problematic during fault diagnosis

SMD
  Advantages
  - Can be used for all network devices and protocols.
  - Provides a hierarchical representation of a network.
  - Multiple devices and protocols can be simultaneously displayed
  - Rapid device configuration
  - Can display device status
  - Can automatically display protocol status
  Disadvantages
  - Proof of concept software only

According to Van den Akker [8], security breaches may be caused by user errors. Hence network managers must be able to use and clearly understand the system under consideration. Accordingly Nielsen developed criteria for a successful user interface [9]. This was further developed by Johnston who proposed a security Human Computer Interface (HCI-S) [10]. Certainly the CLI, SDM and SMD methods each have their strengths and weaknesses (table 1). However it has been argued that:

The SMD method user interface represents an intermediate to the CLI and SDM. The SMD provides granular configuration control by means of independent but closely coupled functional groups [7].

3. Remote access, on-line instruction

On-line instruction is now a common method of instruction. Not only is it ideally suited to remotely located students but also it is a cost-effective method of course delivery. Many students now routinely use communication technologies such as email, podcasts, discussion boards etc. and hence have developed skills and aptitudes ideally suited to on-line delivery.

Furthermore, within the field of network technology there are network simulation tools such as Packet Tracer and GNS3. These simulators allow students to create network topologies and then configure the associated virtual devices. Significantly they can be deployed on a standard PC. Packet Tracer is in fact an integral part of the Cisco Network Academy Associate (CCNA) course. However, Cisco recommends Packet Tracer as a software tool to be used in addition to standard, practical, hands-on, laboratory based instruction [11]. It is recognized that such skills are of paramount importance to prospective employers. It is not uncommon for on-site students to enroll as remote students but attend the normal workshops. Simulation tools depict part of the actual hands-on experiences that students may learn from the traditional classrooms. However, practicing with actual devices will give a further realistic experience. A significant problem therefore is providing remote, on-line students with the opportunity to develop their practical skills without access to actual network devices.

4. Enhanced remote access, on-line platform

In order to address this problem a pedagogically rich, interactive on-line learning platform has been developed [12]. Remote on-line students are provided with a PC based interface consisting of two different network device representations (figure 1) and four communication methods:

Device representations are:
• The Command Line Interface (CLI)
• State Model Diagrams (SMDs)

Communication representations are:
• Video stream
• Voice over IP (VOIP)
• Class presentation slide
• Online chat

Fig. 1 A standard learning environment consisting of CLI and SMD.

This platform does not provide actual hands-on experience but does provide students with visual communication with the devices they are actually configuring. This is important because novice learners need to make the conceptual transition from the ‘concrete’ to the ‘abstract’ [13]. Interaction with a physical device is therefore of paramount importance to novice students.

Furthermore in some institutions, especially in developing countries, there may simply be no alternative due to the lack of information and communication technology (ICT) devices for instructional purposes [14]. A standard Cisco based new unit (3 routers, 3 switches and wireless equipment) costs approximately AUS$19,000. Such a unit is suitable for only two students at a time. A class set of 10 units, suitable for a class of twenty students, is likely to be prohibitively expensive for many institutions. They may also need to consider how rapidly equipment prices fall in the period after purchase, which can be as quickly as 17% annually [15]. Although second hand equipment can be purchased from the internet as an economical alternative, it may not be reliable and some institutions' policies may prevent acquiring such used equipment.

Preliminary trials indicate there are advantages to employing this pedagogically enhanced learning platform. This preliminary study elaborated the need to incorporate a multimedia learning environment by demonstrating the benefit of access to more than CLI control of the laboratory [12].

5. Incorporating SDM into the enhanced remote access on-line training platform

The Security Device Manager (SDM) was incorporated into the Enhanced Remote Access on-line platform as a third method of device representation (figure 2). One of the challenges of providing GUI based configuration tools was that the tools normally require direct IP connectivity to the devices. The security devices in the laboratory are normally separated from live production networks. Hence, direct IP connectivity to these devices seems to be prohibited and considered a potential risk to the ongoing network. However, this study provided these tools in the learning environment as an alternative device representation.

Device representations are:
• The Command Line Interface (CLI)
• State Model Diagrams (SMDs)
• The Cisco - Security Device Manager (SDM)

Fig. 2 User view of Remote access screen, incorporating Cisco SDM.

The Enhanced Remote Access on-line platform learning environment allows students, within the limitations of each software tool, to interact with network devices and protocols using all three device representations. Work to date has demonstrated that all three software tools can operate concurrently. Changing a device configuration using, for example, the CLI automatically results in the associated change in the SDM and SMD device representations. Similarly changing a device configuration using the SDM automatically effects changes when viewed by the other representations. Preliminary trials were conducted over a remote link (100km). Despite the computational overheads associated with Graphical User Interfaces there was no perceptible deterioration in performance. However further trials are needed in order to
evaluate the effects, if any, of remote access to users in other countries with communication links that may be problematic.

Our trials accessing the system found that the average hourly data consumption was around 218MB, which can be calculated at approximately 0.48 Mbps or 496 Kbps bandwidth consumption. This was tested via a 7497/975 Kbps ADSL connection. Some acceptable delay, of about 2 seconds, may occur with this high bit rate. However, when testing at the lower bandwidth 64kbps, the response rate of the system fell drastically. Delay was increased to 10 seconds for any GUI action undertaking. As expected, CLI commands could be used normally as they are purely text based and were not affected by this slower connection.

6. Conclusions

This paper has demonstrated that remote, on-line access may be considerably enhanced by incorporating three network configuration tools – the Command Line Interface, State Model Diagrams and the Security Device Manager. Despite the higher bandwidth overheads during preliminary trials there was no measurable deterioration in performance except when using the lower speed connection. Further work is needed in this important area of remote laboratory access.

References
[1] S.P. Maj, D. Veal, and L. Yassa, "A Preliminary Evaluation of the new Cisco Network Security Course," International journal of computer science and network security, vol.10, pp.183-187, 2010.
[2] S.P. Maj and D. Veal, "Using State Model Diagrams to Manage Secure Layer 2 Switches," International journal of computer science and network security, vol.10, pp.141-144, 2010.
[3] S.P. Maj, G. Murphy, and G. Kohli, "State models for internetworking technologies," Frontiers in Education, 2004. FIE 2004. 34th Annual, F2G-10-15 2004.
[4] S.P. Maj and D. Veal, "State Model Diagrams as a Pedagogical Tool: An International Evaluation," Education, IEEE Transactions on, vol.50, pp.204-207, 2007.
[5] S.P. Maj, G. Kohli, and T. Fetherston, "A pedagogical evaluation of new state model diagrams for teaching internetwork technologies," Proceedings of the Twenty-eighth Australasian conference on Computer Science - Volume 38, 2005.
[6] S.P. Maj and D. Veal, "An Evaluation of State Model Diagrams for Secure Network Configuration and Management," International journal of computer science and network security, vol.10, pp.66-72, 2010.
[7] S.P. Maj, W. Makasiranondh, and D. Veal, "An evaluation of Firewall configuration methods," International journal of computer science and network security, vol.10, pp.1-7, 2010.
[8] T. Van den Akker, Q.O. Snell, and M.J. Clement, "The YGuard access control model: set-based access control," Proceedings of the sixth ACM symposium on Access control models and technologies, 2001.
[9] J. Nielsen and R. Molich, "Heuristic evaluation of user interfaces," Proceedings of the SIGCHI conference on Human factors in computing systems: Empowering people, 1990.
[10] J. Johnston, J.H.P. Eloff, and L. Labuschagne, "Security and human computer interfaces," Computers & Security, vol.22, pp.675-684, 2003.
[11] Frequency asked questions: new CCNA curricula (2009), December 2nd 2009, http://www.cisco.com/web/learning/netacad/downloads/pdf/newCCNAfaq.pdf
[12] W. Makasiranondh, S.P. Maj, and D. Veal, "A pedagogical rich interactive on-line learning platform for Network Technology students in Thailand," Thirteen Australasian Computing Education Conference, In print.
[13] J. Piaget, The origins of intelligence in children, New York: International Universities Press 1952.
[14] P.T.J. James, "Academic staff perceptions of ICT and eLearning a Thai he case study," Turkish Online Journal of Educational Technology, vol.7, pp.36-45, 2008.
[15] M. Doms and C. Forman, Prices for local area network equipment. Working papers in applied economic theory, 2003.

A/Prof S. P. Maj has been highly successful in linking applied research with curriculum development. He was awarded an ECU Research Leader of the Year in 2000, and Vice-Chancellor’s Excellence in Teaching Award in 2002, and 2009. He received a National Carrick Citation in 2006. He is the only Australian judge for the annual IEEE International Student Competition and was the first Australian reviewer for the American National Science Foundation (NSF) Courses, Curriculum and Laboratory Improvement (CCLI) program.

Dr. David Veal is a Senior Lecturer at Edith Cowan University. He is the manager of Cisco Network Academy Program at Edith Cowan University and is a unit coordinator of all Cisco network technology units. His research interests are in Graphical User Interface for the visually handicapped and also computer network modeling.

Woratat Makasiranondh received the B.Eng in Telecommunication Engineering from Suranaree University of Technology, and M.S. degrees in Computer Science from Rangsit University in 2001 and 2005, respectively. After working in the IT industry he became an academic member of Rangsit University. He is currently on study leave and undertaking his doctorate research at Edith Cowan University in the field of network technology education.