
Educational modules and research surveys on critical cybersecurity topics

International Journal of Distributed Sensor Networks
2020, Vol. 16(9)
© The Author(s) 2020
DOI: 10.1177/1550147720954678
journals.sagepub.com/home/dsn

Lixin Wang1, Jianhua Yang1 and Peng-Jun Wan2

Abstract
Cybersecurity comprises all the technologies and practices that protect data as well as computer and network systems. In this article, we develop four course modules on critical cybersecurity topics that can be adopted in college-level cybersecurity courses in which these topics are covered. Our goal for developing these course modules with the hands-on labs is to increase students’ understanding of and hands-on experience with these critical topics that support cyber skills development for college students. The hands-on labs are designed to enhance students’ engagement and provide them with hands-on experience of real-world cyber activities to augment their cyber education in both foundational and advanced skills. We also conduct research surveys on the most recent significant research in these critical cybersecurity fields. These cybersecurity course modules with the labs are also designed to help college/university professors enhance and update their cybersecurity course content, activities, hands-on lab exercises, and pedagogical methods, as well as emphasize the cyber skills needed to meet today’s pressing cybersecurity education needs for college students. Our proposed cybersecurity modules with hands-on labs will also help build the nation’s cybersecurity workforce.

Keywords
Application security, web security, firewall configuration, wireless network security, hands-on experience

Date received: 30 May 2020; accepted: 11 August 2020

Handling Editor: Peio Lopez Iturri

Introduction

Cybersecurity comprises all the technologies and practices that protect data as well as computer and network systems. It is a huge and growing field, as we are living in a world full of ubiquitous computing, and more and more of our businesses and social activities are online. The wide-ranging applications of the Internet have changed our society greatly and made our daily lives much more convenient. A serious problem with the Internet is that it is much easier for hackers to launch cyberattacks than before.

If your systems are compromised by malicious attacks, it is not only a direct vulnerability to the confidential data your company holds; it could also destroy your relationships with your clients. The consequences caused by malicious cyber attackers could be disastrous, and more serious still for systems implemented with new technologies such as traffic systems with self-driving vehicles. Today, the need to protect private data from malicious attacks is the highest concern of business, academia, and government. In 2018, the Cyber Incident & Breach Trends report from the Internet Society [1] told us that the financial impact of all types of incidents can be more than $45 billion in 2018, though the results vary widely due to the different methodologies used to track data breaches.

1 TSYS School of Computer Science, Columbus State University, Columbus, GA, USA
2 Department of Computer Science, Illinois Institute of Technology, Chicago, IL, USA

Corresponding author:
Lixin Wang, TSYS School of Computer Science, Columbus State University, 4225 University Ave, Columbus, GA 31907-5679, USA.
Email: [email protected]

Creative Commons CC BY: This article is distributed under the terms of the Creative Commons Attribution 4.0 License
(https://creativecommons.org/licenses/by/4.0/) which permits any use, reproduction and distribution of the work
without further permission provided the original work is attributed as specified on the SAGE and Open Access pages
(https://us.sagepub.com/en-us/nam/open-access-at-sage).
Today, more people and businesses are exposed to cyber threats than ever before.

In this article, we develop four course modules on critical cybersecurity topics that can be adopted in any cybersecurity course in which these topics are covered. Our primary goal for developing these course modules with the hands-on labs is to increase students’ understanding of and hands-on experience with these cybersecurity topics that support cyber skills development for both undergraduate and graduate students. These cybersecurity course modules with the labs are designed to help college/university professors enhance and update their cybersecurity course content, activities, hands-on lab exercises, and pedagogical methods, as well as emphasize the cyber skills needed to meet today’s cybersecurity education needs for college students.

Each course module will represent a specific cybersecurity topic in tandem with several vital cyber concepts and useful tools. The critical cybersecurity topics selected for the course modules include (1) application security, (2) web security, (3) firewall configurations, and (4) wireless networking security.

For each cybersecurity course module, we will develop a scenario-based hands-on virtual machine lab that supports students’ better understanding of these critical cybersecurity topics. These virtual machine labs are designed to enhance students’ engagement and provide them with hands-on experience of real-world cyber activities to augment their cyber education in both foundational and advanced cyber skills. Our well-designed labs will greatly improve students’ hands-on experience in cybersecurity.

The major impact of our proposed cybersecurity course modules will be on the advancement of cybersecurity education. Our well-designed course modules and hands-on labs will provide much needed practical experience for students nationwide. This will have a big impact on the cybersecurity curriculum of Center of Academic Excellence (CAE) cyber defense designated institutions as well as other institutions in the United States. Our goal is to produce significant improvements for the cybersecurity courses in which these course modules on critical topics are adopted.

Another big impact of our proposed cybersecurity modules will be to help build the nation’s cybersecurity workforce. Currently, there is a severe shortage of well-trained cybersecurity professionals to meet the nation’s cyber defense demand, and the issue is pressing. Developing course modules on critical cybersecurity topics with associated hands-on labs is vital and essential for meeting the nation’s cybersecurity education needs for students.

In summary, the contributions of this article are listed below:

• We present four course modules on critical cybersecurity topics that can be adopted in any cybersecurity course in which these topics are covered;
• We develop a scenario-based hands-on virtual machine lab for each of these cybersecurity course modules;
• We conduct research surveys on the most recent significant research in these critical cybersecurity fields.

The rest of the article is organized as follows: In section “Research surveys on critical cybersecurity topics,” we provide research surveys on the critical cybersecurity topics discussed in this article. In section “Development of four cybersecurity course modules,” we present the four course modules on these critical cybersecurity topics. In section “Development of the hands-on labs,” we then develop a hands-on lab for each of these course modules. Finally, we conclude this article in section “Conclusion.”

Research surveys on critical cybersecurity topics

In this section, we conduct literature reviews on the most recent significant research in the critical cybersecurity fields discussed in this article: application security, web security, firewall configurations, and wireless networking security. We begin with the research survey in software security. In order to protect the application workloads and sensitive data of patients, E Zheng et al. [2] proposed a secure virtually air-gapped cloud application with Amazon Web Services (AWS). Implementation of the cloud environment developed in Zheng et al. [2] needs more effort in the application delivery pipeline and in the modification of automation for management. F Fischer et al. [3] proposed a method based on the idea of Stack Overflow to embed a security-concerned code snippet into professional application products. Code security is a complicated issue, and it is extremely hard to offer a ready-made secure solution for each application. H Zhang et al. [4] developed a triggering correlation model for examining network packets at runtime on devices running the Android system. This article proposed a new machine learning method to find the interdependency of network requests, which can be utilized to discover secret activities produced by malware.

Next, we conduct a brief literature review in web security. Huang H-C et al. [5] developed a vulnerability scanner for Web applications that can automatically produce data for penetration testing using some combinable evasion schemes. Such a vulnerability scanner for Web applications, proposed in Huang et al. [5], may discover more vulnerabilities than existing ones. Marashdih AW et al. [6] proposed a methodology to
discover cross-site scripting (XSS) vulnerabilities in web applications written in PHP by utilizing a genetic method through static analysis. The approach proposed in Marashdih et al. [6] examines the XSS threats of a Web application by constructing and processing its control flow graph and removing the paths on it which are infeasible. The method proposed in Marashdih et al. [6] can lessen the false-positive errors of the detection. Rahman MA et al. [7] presented an experimental analysis of Web applications focusing on e-commerce businesses to assess the security of some Web applications deployed in Bangladesh. The two vulnerability scanners utilized for this study are Nikto and Acunetix. This article claimed that most of these Web applications in Bangladesh have the security flaw of Cross-Site Request Forgery.

Now, we conduct a brief literature review in firewall configurations. Security experts generally agree that corporate firewalls often enforce poorly written rule sets. Wool et al. [8] revisit a 2004 survey of corporate firewall configurations that quantified the extent of this issue. It introduces a new firewall complexity measure that applies to both types of firewalls. However, unlike the 2004 study, the study in Wool et al. [8] doesn’t suggest that later software versions have fewer errors. Li et al. [9] proposed a new Supervisory Control and Data Acquisition firewall model powered by the Comprehensive Packet Inspection (CPI) technology. This model includes a new Proprietary Industrial Protocols Extension Algorithm to extend capabilities to proprietary industrial protocol protection, and an Out-of-Sequence Detection Algorithm to detect abnormality within industrial operations. The performance evaluation results show that the CPI prototype can maintain real-time communication without sacrificing network performance. Kobayashi et al. [10] proposed a scheme of Firewall Probe and Honeypot for investigating the firewall type of malware-infected networks. By capturing network scans made on the Internet by a honeypot, the malicious source can be found, and the firewall probe can be deployed targeting the source and categorize the network type into Type A (safe) ... Type E (alert). Firewalls can be investigated remotely in this way for both randomly selected networks on the Internet and malware-infected networks.

Finally, we give a brief research survey in wireless network security. Ahmad I et al. [11] summarized the security vulnerabilities in 5G wireless networks and presented solutions to some of these threats or ideas about how to protect 5G wireless networks against these new threats. This article also provided some current and foreseen security vulnerabilities on 5G and post-5G wireless networks and offered valuable ideas and future directions on how to secure these wireless networks. Wu Q et al. [12] investigated the problem of integrating unmanned aerial vehicles (UAVs) into 5G wireless networks. There are several security vulnerabilities in such integrated systems. The wireless communications involved in UAV terrestrial transportation are vulnerable to jamming and eavesdropping attacks initiated by malicious wireless hosts in the system. Also, a vicious UAV node could initiate jamming and eavesdropping against ground communications. Wu et al. [12] discovered these security vulnerabilities of the 5G wireless networks involving UAVs and developed effective solutions to protect such 5G wireless networks. Huo Y et al. [13] studied the problem of cooperative jamming in 2-tier 5G heterogeneous networks (HetNets), in which large-scale antenna arrays are embedded into the macro base stations, and space diversity and dense local users are accommodated at the local base stations. Taking the state information of defective channels into consideration, Huo et al. [13] developed several efficient security algorithms that can be used to protect such 5G HetNets under distinct conditions as well as satisfying different requirements for network security using cooperative jamming.

Development of four cybersecurity course modules

In this section, we develop four course modules on critical cybersecurity topics that support cyber skills development for both undergraduate and graduate students. Scenario-based hands-on cybersecurity virtual machine labs will be designed in the next section. Our cybersecurity course modules and hands-on labs strongly support the applied education programs that expand foundational and advanced cybersecurity skills development. These proposed activities will greatly help produce well-qualified cybersecurity professionals to address the pressing cybersecurity workforce shortage of the nation.

Application security

Among the seven layers of the Open Systems Interconnection (OSI) model, the application layer is the one that can be protected with the most difficulty [14]. There are two reasons for this. First, the security threats at this layer usually come from unsanitized user inputs. Second, the application layer is the place where all the user applications reside, accessible and exposed to the outside Internet where hackers come from. For example, for a Web application or service to work appropriately, it should be accessible via the http or https protocols. The following Figure 1 shows that a Web application could be completely exposed to the Internet, although certain network security mechanisms such as an intrusion detection system (IDS) or firewall systems are in place.
Figure 1. A Web app is completely exposed to the Internet.

Developing secure applications is the most effective approach to protect them against these security attacks. Software developers should understand how to protect applications against security attacks and build defenses into the applications when they create them. In this module, we discuss two types of application attacks which are commonly used by malicious attackers: buffer overflow attacks and code injection attacks.

Buffer overflow attacks. A buffer is a memory space where information can be stored. It is a part of the main memory of a computer system. A typical type of application threat is the buffer overflow vulnerability. A buffer overflow usually occurs because of careless programming and unsanitized user inputs when the applications were created. In the following, we will discuss (1) how a buffer overflow works, (2) why it could be a severe security threat, and (3) some commonly used countermeasure techniques against buffer overflow attacks.

A buffer overflow occurs when a running program tries to write data outside the memory buffer because the data size exceeds the limit of the buffer. Such overflows may be caused by invalid user inputs. When a buffer overflow happens, data will be written to a memory location which is outside the buffer limit, and the running program may crash or return incorrect outputs. The overwritten sections of your computer’s main memory might contain some critical data used by the operating system or other applications running in the system, which is then no longer available to that program. Attackers may use buffer overflows to launch attacks by injecting malicious code into a running application and achieving arbitrary code execution on a remote server.

When a buffer overflow is employed by an attacker to inject malicious code into the computer memory, he or she could gain execution control of the application that is compromised. Therefore, buffer overflow vulnerabilities are severe security threats for running applications in which such vulnerabilities exist. The buffer overflow vulnerabilities may be attacked by intruders to get control of a remote computer, escalate user privilege for the attackers, or achieve arbitrary (malicious) code execution on a remote server. Privilege escalation can be done by attacking a buffer overflow vulnerability to execute malicious code in a running application with a system administrator’s privileges.

Buffer overflow attacks on software could be avoided or alleviated with some countermeasures against such attacks. Alleviation is the course of minimizing the impact of a vulnerability before or after the vulnerability happens. Such attacks could be stopped before they happen. Of course, we also need countermeasure methods available to minimize the influence when buffer overflow attacks happen.

The most efficient action to defeat buffer overflow attacks is to stop the conditions of buffer overflow from occurring in the program source code. For instance, if a program uses an array of 10 elements, the program source code must check to make sure that no more than 10 items will be put into the array at any time during the program execution. Proactive approaches like these, used to prevent buffer overflow, should be adopted in order to overcome buffer overflow threats. An alternative way of securing applications against buffer overflow attacks is to find them as they occur and alleviate the issues. This method is referred to as the reactive method and is based on minimizing the destructive influence. An example of efficient alleviation is a modern operating system that safeguards some memory spaces from being overwritten. This method can stop an intruder from injecting malicious code into the computer memory when a buffer overflow attack occurs. Buffer overflow attacks cannot be prevented with this approach. However, the consequences produced by such attacks can be minimized.

Code injection attacks. Code injection is the process of injecting malicious code into applications. The injected code could gain unauthorized access to a private database
and sensitive data, change security settings in a victim system, and bypass the access and authentication controls in place. Code injection attacks may crash an application that requires inputs from users during execution. Therefore, if user inputs are not correctly handled by an application, such vulnerabilities can be used by intruders to launch code injection attacks. Code injection vulnerabilities usually come from improper user input validation, which should be carefully done by secure applications.

In the following, we will discuss types of code injection and some commonly used countermeasures against code injection attacks.

SQL injection, shell injection, and script injection are the main types of code injection attacks. SQL injection is an approach used by hackers to gain unauthorized access to a private database and to retrieve and modify sensitive data in the database. It allows attackers to gain access to a remote victim system with root users’ or system administrators’ privileges. Shell injection is also referred to as Operating System Command Attacks. Applications with shell injection vulnerabilities employ user input to create system commands that will be run by processes that belong to the OS. A part or the whole of such system commands could be formed via Web forms. If the user inputs received from these Web forms are not properly validated, the application is most likely vulnerable to shell injection attacks. For such vulnerable applications, attackers can inject malicious system commands into a victim system and then execute these commands on the victim. Script injection allows intruders to inject malicious code into the interpreter program of the server-side scripting. XSS is the most commonly used type of script injection by attackers. With such attacks, arbitrary scripts can be injected into a website that requires a high level of security, such as the websites of financial institutions. An intruder could employ a web browser to inject a malicious client-side script into a trusted website to launch a script injection attack.

A lot of countermeasures to defeat code injection attacks have been proposed for both software and system architectures. Examples of such countermeasure approaches are (1) validation of user inputs and (2) the use of parameters.

Software developers are always supposed to utilize the available application programming interfaces (APIs) in the library for the programming languages they use for development of applications. The programming language that is the most vulnerable to code injection attacks is PHP. Attackers can easily execute arbitrary malicious PHP code on a remote web server using the privileges of the underlying web application and incur severe damage on the web server. Through code injection, hackers could upload a backdoor program to the remote victim web server. With such a backdoor program running on a victim web server, intruders can gain unauthorized access to the victim system with root users’ privileges and then manipulate the victim as a root user and access the sensitive data in the databases on the victim system. Any applications running on the victim server are now compromised by the attack. The intruder can also utilize the compromised victim server to spread phishing emails or launch other types of malicious attacks.

One of the fundamental causes of code injection threats is the unsanitized inputs provided to the PHP library function eval(). PHP programs that have to call this library function eval() must be carefully written. For those applications that do not need this vulnerable function anymore, the function and the “e” modifier for preg_replace() should be disabled by installing the software patch Suhosin with proper configuration to harden PHP programs. After such a software patch (developed for the PHP engine) is installed with proper configuration, all the eval() functions used in your PHP programs could be cleaned up, and most of the malicious PHP code and backdoor programs can be removed while the program is interpreted by the PHP engine.

In summary, we presented in detail the following two commonly used types of application attacks: (1) attackers may use buffer overflows to launch attacks by injecting malicious code into a running application and achieving arbitrary code execution on a remote server, and (2) attackers may use code injection attacks to inject malicious code into running applications.

Web security

In this module, we develop a course module on web security. The applications over web-based infrastructure are called web applications. Nowadays, web applications dominate the applications over the Internet. A web application uses a Browser–Server structure. It involves a web browser, such as Internet Explorer, Chrome, or Firefox; communication protocols, such as HTTP or HTTPS; and a web server. A user’s request can be sent via a web browser to a web server. A typical web application may have a database server involved, which can be accessed indirectly by a user through a web server that connects to the database server. Web servers act as a window between your network and the rest of the world.

HTTPS is HTTP over TLS (Transport Layer Security)/SSL (Secure Sockets Layer). It is a communications protocol for secure communication over a computer network, widely used on the Internet. Along with the development of online shopping and secured email, more and more sensitive transactions occur on the Internet. Those sensitive transactions require the authentication of the visited website, protection of
privacy, and integrity of the exchanged data. HTTPS was developed to meet all these requirements. It provides authentication of a website and protects against man-in-the-middle attacks. Bidirectional encryption of communications between a client and server is also provided in HTTPS. This protects against eavesdropping and tampering attacks. It can ensure that the contents of communications between a browser client and a web server site cannot be read or forged by any third party. The details of how HTTPS works and interacts with TLS and SSL are beyond this article. Interested readers can refer to some professional books/websites related to computer network security [15].

Nothing is absolutely secure if it can be accessed. The world’s most secure website is the one that is turned off. As long as a website provides access to the world, the site is at risk. However, web security is relative. For the same website, different applications running would put the website at different risk levels. If a website has few network resources of financial value, is set up with tight permissions, and the web server is patched and updated in time, the security of this website is relatively high. On the contrary, if a website runs critical applications to process sensitive information, such as credit card or identity information, or is old and maintained by an underfunded or outsourced IT department, its security is relatively low. Technically, a web application may accept and handle any request without validating its identity and allow scripts or SQL statements to be executed on the site to access the database server in response to client-side requests. All the web-based forms and scripts having weaknesses or bugs may bring risks to the website.

Web security is also called cybersecurity, involving protecting information by preventing, detecting, and responding to attacks. It includes web server security, data security, and web application security. Data security will be discussed in this section, and web application security will not be presented in this article.

A web server normally running powerful, flexible, and multiple applications is naturally more subject to web security risks. Any web server with multiple open ports, services, and script languages is also vulnerable because it has many points to be attacked. What a web user could do to protect themselves is to recognize the security risks and to be familiar with web security terminologies including Hacker, Virus, Worms, Trojan horses, Ransomware, KeyLoggers, and Firewalls.

The word “hacker” has long been understood negatively. Hacking actually involves computing skills to find vulnerabilities in a system, penetrate a system, and be able to remove evidence of access to a system [16]. Similar to the case of doctors who might criminally abuse their knowledge to harm humans, a hacker who knows some special offensive hacking skills might also misuse the techniques, but we should not define the term hacking by its misuse. In web security, hacker normally refers to the people who seek to exploit weaknesses in software and computer systems for their own benefit.

A computer virus is malicious code that, if executed, would replicate itself, modify the computer system configuration, affect other programs, and insert its own code. Data files, the computer boot sector, and utility programs could be the targets of a virus. Computer viruses can cause a huge cost to the world. It can reach up to billions of dollars due to system failure, wasted computer resources, corrupted data, and increased maintenance costs. There are more than thousands of different types of virus. The first computer virus, called “Elk Cloner,” was made by Richard Skrenta in 1982 when he was a high school student. A college student from the University of Southern California wrote his paper “Computer virus-Theory and Experiments,” which was the first paper to describe the feature of a self-reproducing virus systematically [17].

A computer worm is malware that can replicate itself to reach other computers by spreading through the Internet. Worms can propagate freely without user intervention. Once a victim computer is infected, the worm would attempt to find and infect other computer targets. A Trojan horse virus is also malicious code but pretends to be legitimate software, which can trick some inexperienced computer users into installing and running it secretly. According to the actions that a Trojan can perform on a computer system, Trojan malware can be classified into Backdoor, Exploit, Rootkit, Trojan-Banker, Trojan-DDoS, Trojan-Downloader, Trojan-IM, Trojan-Ransom, Trojan-SMS, Trojan-Spy, Trojan-FakeAV, Trojan-Mailfinder, Trojan-Dropper, Trojan-GameThief, and so on. Ransomware is a form of Trojan that has been around since 1989. It can infect a target computer by encrypting the owner’s personal files, and then contact the victim to exchange cash by offering a key to decrypt the files. KeyLoggers are software that can monitor a user’s activity such as keystrokes. Modern KeyLoggers can not only record keystrokes on the keyboard, but also record mouse movements and clicks and the menus that are invoked, and take screenshots of the infected computer. A firewall is a mechanism for content regulation and data filtering. It can block unwanted traffic from entering the sub-network and prevent subnet users from using unauthorized sites.

Data security is to protect computing data from three aspects: privacy, integrity, and authenticity. Privacy is to keep information private. If Alice sends a message to Bob through the Internet, privacy, also called confidentiality, here means that nobody except Alice and Bob can access the message. The most popular way to implement privacy is to encrypt the message with a secret key which is known only to Alice and Bob.
Wang et al. 7

In modern computer communication over the Internet, the secret key can be distributed over the Internet using a private-key/public-key approach. A Certificate Authority (CA) lets a public key be published in a trustworthy way by binding it to its owner's identity in a signed certificate. So in this communication scenario, before Alice sends the message out, she must obtain Bob's public key from the certificate issued to Bob by the CA, encrypt the secret key with Bob's public key, and then send the encrypted key to Bob. Once Bob receives the encrypted secret key, he decrypts it with his private key and sends an acknowledgment to Alice encrypted under the secret key. From then on, Alice and Bob can communicate with privacy between them. The certificate check is not optional: if Alice accepts an unverified public key, an attacker who substitutes their own public key can read the secret key and everything encrypted under it.

Data integrity is to make sure that the data delivered over the Internet cannot be replaced or modified without detection. Maintaining the data integrity of any communication is vital. A Message Authentication Code (MAC) is a short piece of information used to confirm that a message came from the claimed sender and was not changed. MD5, SHA-1, SHA-2, and SHA-3 are hash functions; a MAC is built from a hash function together with a secret key shared by the sender and the receiver (HMAC is the standard construction), because a bare hash can be recomputed by anyone who modifies the message. MD5 and SHA-1 are no longer collision resistant and should not be used in new designs; SHA-2 or SHA-3 are the appropriate choices.

If Bob receives a message from Alice, Bob needs to know whether the message was really sent by Alice. This process is called sender authentication. The simple PHP code

<?php mail("[email protected]", "Hi from Steve Jobs", "Hi, I am Steve Jobs", "From: [email protected]"); ?>

can make Alice believe that Steve Jobs sent her an email, which is obviously not true. Due to the nature of the Simple Mail Transfer Protocol (SMTP), anyone can send email from anyone's address without knowing the sender's password, which would cause chaos in Internet communication. The solution is to authenticate that an email originated from the sender's domain. Digital signatures are used for this purpose. A digital signature combines a hash function with the public-key infrastructure. We continue with the scenario in which Alice sends a message to Bob to demonstrate how the sender is authenticated. Alice first computes the hash of the message with a hash function (the original lab uses MD5; SHA-256 should be used today because MD5 collisions are practical, and a signature on one colliding message is a valid signature on the other). She then signs the hash by encrypting it with her private key and appends the signature to the message. Second, Alice encrypts the message plus signature with the secret key shared with Bob. After Bob receives the encrypted message, he decrypts it with the secret key, which provides privacy. Then Bob verifies the signature with Alice's public key and recovers the hash Alice computed. Sender Alice is authenticated since only Alice holds her private key. Bob then hashes the received message himself and compares the result with the hash recovered from the signature. If the two hashes are the same, data integrity is confirmed.

Today, since almost everything relies on computers, the Internet, and websites, maintaining the privacy, integrity, and authenticity of data is vital. For example, in online banking, the bank side needs to know that you are the user logging in to the bank system, the password must not be accessible to any third party, and the communication contents must not be altered.

In summary, we gave a detailed discussion on various topics in web security in this module. The security provided by HTTPS was discussed. We also explored web server security, data security, and web application security. Computer viruses, worms, and keyloggers were briefly discussed as well.

Firewall configurations

A firewall is a system that blocks unauthorized access to or from a private network, usually an internal local area network (LAN).18 It is a software or hardware device that filters all traffic between a private internal network and an untrusted network, usually the Internet. A firewall not only safeguards a local system or network against network-based attacks, but also controls the access that outside users have through the wide area network (WAN) and the Internet. In the following, we present the design of firewalls, the types of firewalls, and what a firewall can or cannot block.19

Network administrators use firewalls to safeguard networks or systems of networks against various network-based attacks. A firewall implements a security policy that is specifically defined to deal with the malicious activities that might occur. A security policy defines a set of rules that determine what network traffic is allowed to go through the firewall. An example of a security policy is to allow only some Internet Protocol (IP) addresses or some subnetworks to access a protected internal LAN. Firewall systems impose predefined security rules controlling what network traffic will be allowed and what network traffic will be blocked.

Table 1 shows a sample firewall configuration. The firewall's action is determined in a top-down manner: the first rule in the table that matches a packet is applied. A packet that matches no rule is handled by the firewall's default policy, which should be to deny.

Table 1. A sample firewall configuration.

Rule #  Type  Source IP     Destination IP  Destination port  Action
1       TCP   *             192.168.1.200   443               Permit
2       TCP   192.168.*     192.168.1.100   80                Permit
3       TCP   192.168.1.*   216.1.1.100     20/21             Deny
4       UDP   216.1.1.*     192.168.1.50    69                Deny

TCP: Transmission Control Protocol; UDP: User Datagram Protocol. * indicates that the field matches any value.

Rule 1 says that incoming TCP traffic to port 443 (HTTPS) is allowed from any host to the machine 192.168.1.200, which runs the HTTPS web server. By rule 2, TCP traffic to port 80 (HTTP) is allowed from any host in the subnet 192.168.* to the machine 192.168.1.100, which runs the web server. Rule 3 says that TCP traffic to ports 20/21 (standard FTP) is denied from any host in the subnet 192.168.1.* to the machine 216.1.1.100; note that this rule filters outgoing traffic from the internal LAN to an external host. By rule 4, UDP traffic to port 69 (Trivial FTP) is denied from any host in the subnet 216.1.1.* to the machine 192.168.1.50.

Next, we discuss the types of firewalls and give a brief description of each: packet filtering, stateful inspection, circuit-level gateway, and application proxy.

Packet filtering firewalls. This type of firewall checks every packet coming into or going out from the network and allows it to pass through according to predefined rules set by the administrator. A packet filtering firewall is very efficient. However, it is hard to configure this type of firewall correctly. Packet filtering firewalls deny or allow packets merely on the basis of the source and destination IP addresses and the source and destination port numbers in the packet headers. Therefore, the content of the packet's data field is beyond the filtering capability of this type of firewall.

Stateful inspection firewalls. A packet filtering firewall checks packets one at a time, allows or denies each according to the predefined rules, and then checks the next one. A stateful inspection firewall keeps track of state information across the packets of a connection. Decisions to accept or reject a packet are then made on the basis of the saved state of the connection to which it belongs; for example, a reply packet from outside is accepted only if the firewall has seen the matching outgoing request.

Circuit-level gateway firewalls. A circuit is a logical connection that exists for a certain period of time and is then disconnected. A circuit-level gateway firewall permits a network to be an extension of another network. One application of this type of firewall is a virtual private network (VPN). The circuit-level gateway firewall verifies the connection when it is established, and the data subsequently transferred between the two communicating parties is not examined any more by the firewall. In the seven-layer OSI model, a circuit-level gateway firewall is typically implemented at the session layer, and it serves as a virtual gateway between the two Transmission Control Protocol (TCP)/IP networks connected by the gateway.

Application proxy firewalls. Packet filtering firewalls only check the headers of packets, not the details of their data payloads. However, there are bugs in some complex applications. Applications usually require the privileges of all users because they function on behalf of all users. An application that contains errors could produce many harmful outputs when running with all users' privileges. An application proxy firewall acts as a proxy server that connects to the Internet, makes the requests for Web pages or connections to servers, and so on, and receives the data on behalf of the host behind it. An application proxy firewall is a type of gateway that hides the actual IP address of the host behind it so that this host is protected by the proxy firewall. The capability of this type of firewall relies on the fact that an application proxy can be set to permit only some types of network traffic to go through. For example, only HTTP, HTTPS, or FTP traffic is permitted to pass through the firewall.

In summary, we defined what a firewall is and discussed how to configure a firewall in this module. A sample firewall configuration was given in a table. Then, we discussed four commonly used types of firewalls and gave a brief description of each of them.

Wireless networking security

In this module, we introduce the basic concepts of wireless networking, the operating modes and different types of wireless networks, the vulnerabilities of wireless networks, and the security protocols that protect wireless networks. In a wireless network, a host connects either to a base station or to another wireless host through a wireless communication link. Different wireless link technologies have different transmission rates and can transmit over different distances. A wireless host can be a laptop, personal digital assistant (PDA), smart phone, desktop computer, or other wireless device. For wireless networks operating in the infrastructure mode, the base stations are the core components of the wireless network and are responsible for sending and receiving packets to and from the wireless nodes. The wireless nodes within the communication range of a base station use the base station to relay packets between them and to forward the packets to their destinations. A cellular network is an example of a wireless network that operates in the infrastructure mode, in which the cell towers are the infrastructure nodes. An 802.11 wireless LAN is another example of an infrastructure-mode wireless network, in which the wireless routers are the access points (APs), the infrastructure nodes.
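Returning to the firewall configuration in Table 1: the Python program below is an added example, not code from the paper, that implements the top-down, first-match evaluation the text describes over the four rules of the table, using the table's own wildcard notation. It also detects shadowed rules, the ordering mistake that makes packet filters hard to configure. The deny-by-default policy for packets that match no rule is an assumption, since the table does not state one.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    proto: str          # "TCP" or "UDP"
    src: str            # "*", a prefix such as "192.168.*", or an exact address
    dst: str
    dports: frozenset   # destination ports; an empty set means any port
    action: str         # "Permit" or "Deny"


def ports(field: str) -> frozenset:
    """'443' -> {443}; '20/21' -> {20, 21}; '*' -> any port."""
    return frozenset() if field == "*" else frozenset(int(p) for p in field.split("/"))


# Table 1 transcribed from the text.
TABLE_1 = [
    Rule(1, "TCP", "*",           "192.168.1.200", ports("443"),   "Permit"),
    Rule(2, "TCP", "192.168.*",   "192.168.1.100", ports("80"),    "Permit"),
    Rule(3, "TCP", "192.168.1.*", "216.1.1.100",   ports("20/21"), "Deny"),
    Rule(4, "UDP", "216.1.1.*",   "192.168.1.50",  ports("69"),    "Deny"),
]


def addr_matches(pattern: str, addr: str) -> bool:
    """Table 1 notation: '*' matches anything; a trailing '.*' matches every
    address that shares the dotted prefix (192.168.* is 192.168.0.0/16)."""
    ipaddress.IPv4Address(addr)            # reject malformed input early
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        prefix = pattern[:-2].split(".")
        return addr.split(".")[: len(prefix)] == prefix
    return addr == pattern


def evaluate(rules, proto: str, src: str, dst: str, dport: int, default: str = "Deny"):
    """Top-down, first match wins. Returns (action, matching rule number or None).
    `default` is the assumed policy for packets that match no rule."""
    for r in rules:
        if (r.proto == proto.upper()
                and addr_matches(r.src, src)
                and addr_matches(r.dst, dst)
                and (not r.dports or dport in r.dports)):
            return r.action, r.number
    return default, None


def pattern_covers(broad: str, narrow: str) -> bool:
    """Does every address matched by `narrow` also match `broad`?"""
    if broad == "*":
        return True
    if broad.endswith(".*"):
        return narrow == broad or narrow.startswith(broad[:-1])   # "192.168." prefix
    return broad == narrow


def shadowed_rules(rules) -> list:
    """(later, earlier) pairs where `earlier` matches everything `later` matches,
    so `later` can never fire. The classic first-match ordering mistake."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto == later.proto
                    and pattern_covers(earlier.src, later.src)
                    and pattern_covers(earlier.dst, later.dst)
                    and (not earlier.dports
                         or (later.dports and later.dports <= earlier.dports))):
                found.append((later.number, earlier.number))
                break
    return found


def example_shadow() -> list:
    """Append a rule that tries to deny what rule 1 already permits; it is dead."""
    extended = TABLE_1 + [Rule(5, "TCP", "*", "192.168.1.200", ports("443"), "Deny")]
    return shadowed_rules(extended)


if __name__ == "__main__":
    print(evaluate(TABLE_1, "TCP", "10.0.0.5", "192.168.1.200", 443))
    print(evaluate(TABLE_1, "TCP", "192.168.1.7", "216.1.1.100", 21))
    print(example_shadow())
```

A packet from 10.0.0.5 to the HTTP server 192.168.1.100 on port 80 matches no rule (rule 2 only admits 192.168.* sources) and falls through to the default policy, which is the behaviour the text's "only some subnetworks" policy intends; the shadow check shows why a rule added below rule 1 can never tighten what rule 1 already permits.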
Wireless networks can operate in two different modes. Wireless hosts associated with a base station or an AP are referred to as operating in the infrastructure mode, since all the basic network functions such as routing and IP address assignment are provided by the network to which a host is connected through the base station or the AP. In the ad hoc mode, wireless hosts have no such infrastructure with which to connect. In the absence of such infrastructure, the wireless nodes themselves must provide not only their own functions but also networking services such as routing, IP address assignment, and Domain Name System (DNS)-like name translation.

Types of wireless networks include 802.11 wireless LANs, 802.15 Bluetooth technologies, cellular networks, and wireless ad hoc networks. Among these four types of wireless networks, 802.11 wireless LANs and cellular networks operate in the infrastructure mode, whereas 802.15 Bluetooth networks and wireless ad hoc networks operate in the ad hoc mode. In a wireless network operating in the ad hoc mode, every node not only performs its own functions locally but also serves as a router of the network for packet forwarding, as well as performing other networking services such as IP address assignment.

Next, we discuss the security vulnerabilities of wireless networks. Since wireless communications use a section of the radio spectrum, the radio signals are available to any device within range. Wireless links are not as safe as wired links because the radio signals are exposed to every wireless device around. These wireless links use predefined radio frequencies known to everyone, so malicious intruders may intercept the wireless packets or impersonate a communicating party through man-in-the-middle attacks, for example. As with traditional wired networks, wireless networking is subject to threats to confidentiality, integrity, and availability, which we discuss in detail below:

(1) Confidentiality. In wireless networks, the wireless signals can be received by anyone within the range of transmission. Therefore, malicious hackers can easily intercept sensitive data conveyed over wireless links. The nature of the wireless communication can itself be confidential, no matter what the purpose of the transmission is. The wireless communication may be used for sending emails, requesting web pages, performing peer-to-peer networking, or for wireless network management activities. In the case of encrypted wireless traffic, the encryption mechanisms and algorithms used for the communication are sensitive. Therefore, the confidentiality of a wireless link may be sensitive and must be provided for security purposes.

(2) Integrity. In wireless networks, there are two types of sources of security threats. On one hand, there are several non-malicious sources of vulnerabilities in the wireless environment, including (1) unavoidable interference from other nodes transmitting simultaneously; (2) signal loss or attenuation caused by different levels of clutter, also referred to as shadowing effects, such as ubiquitous background noise and obstructions like buildings and trees on the radio signal propagation path; (3) reception issues caused by severe weather conditions; and (4) occasional communication failures caused by internal hardware and software problems within the wireless devices.

On the other hand, there are also malicious sources of security threats in wireless networks. This type of integrity violation is a malicious attack whose purpose is to modify the payload data of intercepted wireless packets. For unencrypted wireless traffic, a hacker may impersonate one end of the communication and take part in the conversation with the other end user. Another vulnerability of wireless networks is that when a wireless client receives two radio signals, it usually chooses the stronger one. So if a hacker's wireless router intercepts a radio signal from a sender and then impersonates the receiver by transmitting a stronger radio signal back to the sender, appearing to come from the receiver's wireless router, the intruder is able to impersonate the receiver and communicate with the victim sender (the so-called evil twin access point).

(3) Availability. There are three issues regarding the availability of wireless networks: (1) the first problem happens if a hardware or software component is not working; for example, a battery-powered device is out of power, or a software component is out of date and must be updated because of some fatal bugs; (2) the second issue is that a user loses some access to certain networking services, for example, slow service offered by a wireless network, for which there are many possible reasons: interference generated by nearby nodes transmitting simultaneously, severe background noise produced by nearby construction, service demand exceeding the receiver's capacity, and so on; (3) the third issue is the possibility of rogue wireless connections; for example, private owners of personal Wi-Fi hotspots do not want to share their access with other people in range.
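The confidentiality threat above is what makes passphrase strength decisive for WPA2-Personal, discussed in the protocol section that follows: the pairwise master key (PMK) is derived from the passphrase and the SSID alone, so a handshake captured from the air can be attacked offline at the attacker's leisure. The Python program below is an added example, not code from the paper or its wireless lab. The wordlist, SSID and passphrases are constructed, and the attack is simplified to compare candidate PMKs against a known PMK; a real cracker such as aircrack-ng instead derives the session keys from the captured 4-way handshake and checks its message integrity code, but the cost per guess is the same PBKDF2 computation shown here.

```python
from __future__ import annotations
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal pairwise master key:
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID acts as the salt, so rainbow tables must be built per network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_dictionary_attack(target_pmk: bytes, ssid: str, wordlist) -> tuple:
    """Try every candidate offline. Returns (passphrase or None, guesses made).
    Simplification (assumption of this example): the target PMK stands in for
    the captured handshake that a real attacker would verify each guess against."""
    guesses = 0
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:
            continue                       # cannot be a WPA passphrase; skip it
        guesses += 1
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), target_pmk):
            return candidate, guesses
    return None, guesses


# Constructed wordlist, a stand-in for the lab's /tmp/wordlists/passlist.
WORDLIST = ["password", "12345678", "letmein1", "breezeless", "Tr0ub4dor&3"]


def demo_weak_passphrase() -> tuple:
    """A network whose owner chose a dictionary word: recovered in a few guesses."""
    pmk = wpa2_pmk("breezeless", "TOWSON333")
    return offline_dictionary_attack(pmk, "TOWSON333", WORDLIST)


def demo_strong_passphrase() -> tuple:
    """A long random passphrase: the wordlist is exhausted without a hit."""
    pmk = wpa2_pmk("c7Vq-m9Lz-2Xpw-Qe4R-hN8t", "TOWSON333")
    return offline_dictionary_attack(pmk, "TOWSON333", WORDLIST)


if __name__ == "__main__":
    print("weak:  ", demo_weak_passphrase())
    print("strong:", demo_strong_passphrase())
```

Each guess costs 4096 HMAC-SHA1 iterations, which slows a CPU to a few thousand guesses per second but does not stop GPU crackers working through large wordlists, which is why only passphrase entropy protects a WPA2-Personal network. WPA3-Personal's SAE removes the offline step altogether: the PMK comes from a password-authenticated key exchange, so every guess requires a live exchange with the access point and can be rate limited.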
Next, we introduce the security protocols for protecting wireless networks: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and the newest technology for wireless network security, WPA3.

WEP. The first countermeasure for securing wireless networks was the WEP protocol, released in 1997. WEP was intended to give radio communication privacy equivalent to that of traditional wired networks. As the first encryption mechanism of the 802.11 standard, WEP was designed to prevent intruders from snooping on wireless data as it was transmitted between wireless hosts and APs. However, from the very beginning of its design, WEP lacked the countermeasures necessary to accomplish this goal. Cybersecurity experts identified several severe flaws in WEP in 2001, eventually leading to industry-wide recommendations not to use WEP for wireless security. The weaknesses in WEP are so severe that a WEP connection can be cracked with freely available software in a few minutes. WEP uses the RC4 (Rivest Cipher 4) stream cipher for authentication as well as encryption, with an encryption key shared by the wireless users and the APs. A brute-force attack with suitable software against a 40-bit key works very quickly. Even with a 104-bit key, the way WEP uses RC4 (a 24-bit initialization vector prepended to a static key, which is reused quickly and exposes weaknesses in RC4's key schedule) can be defeated by tools such as WEPCrack and aircrack-ng. Here is a summary of the weaknesses in WEP:

- WEP does not use strong encryption;
- WEP does not authenticate users correctly;
- WEP lacks effective controls over unauthorized data access in wireless networks;
- availability to authorized users is not guaranteed by WEP.

As a result, the security provided by the WEP protocol for wireless networks is not acceptable.

WPA. In 2003, the Wi-Fi Alliance released WPA as an interim standard while the IEEE standards committee worked to develop a more advanced secure protocol, WPA2, as a long-term replacement for WEP. The WPA protocol was designed to overcome the well-known flaws found in WEP, and many features in WPA directly address the vulnerabilities of the WEP protocol. WPA fixes many flaws of WEP by using stronger encryption (TKIP, which still uses RC4 but with per-packet keys), larger encryption keys, and a more secure integrity check.

WPA2. As an extension of the WPA protocol, WPA2 is the Wi-Fi Alliance certification of the IEEE 802.11i standard, which was ratified in 2004. Since its release, WPA2 has been steadily growing in usage. Like WEP and WPA, WPA2 provides enterprise and personal versions. WPA2 was considered the most secure wireless security standard available for wireless networks until WPA3. WPA and WPA2 both use the 802.1X/Extensible Authentication Protocol (EAP) framework as the infrastructure to provide mutual authentication and dynamic key management, and both are designed to secure all versions of 802.11 devices.

The major difference between WPA and WPA2 is that WPA2 uses the Advanced Encryption Standard (AES) for encryption. AES is a block cipher, whereas RC4 is a stream cipher. The block size used in AES is 128 bits for both plaintext and ciphertext. Three different key sizes are used in AES: 128, 192, and 256 bits, with 10, 12, and 14 rounds of the algorithm, respectively. No practical attack on AES is known, and a brute-force search of even the 128-bit key space is computationally infeasible. The WPA2 protocol also replaces the Temporal Key Integrity Protocol (TKIP) employed in WPA with a stronger confidentiality and integrity protocol, Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). Figure 2 shows how WPA2 authentication works.

Figure 2. Demonstration of WPA2 authentication process.

However, WPA2 also has vulnerabilities that have been discovered by security experts in wireless networks. A major vulnerability of WPA2-Personal is that the passphrase can be recovered by guessing if a user chooses a simple password: the 4-way handshake captured from the air lets an attacker test guesses offline, with no further interaction with the network. Once a hacker guesses a simple password correctly, he or she can then decrypt the captured wireless packets. Therefore, if a user uses a simple password, the security provided by the WPA2-Personal passphrase can be easily broken by hackers. Another flaw in WPA2-Personal is that a user who has the passphrase can sneak in and eavesdrop on the network traffic of other users and then launch malicious attacks.

WPA3. The newest technology for wireless network security is the WPA3 protocol, released in 2018. The critical new features added in this protocol are much better protection for simple passwords chosen by users, encryption for personal and open networks for individual users, and, for enterprise networks, a more secure encryption mode.

WPA3-Personal. WPA3 replaces the Pre-shared key (PSK) authentication method used by its predecessors with Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange. SAE offers much stronger protection than PSK against brute-force or dictionary attacks: because each guess requires a live exchange with the network, an attacker cannot test passwords offline against a captured handshake. But if a wireless user uses a very simple password, a hacker can still guess the password online and gain unauthorized access to a private wireless network.

WPA3-Personal offers per-session encryption keys on personal wireless networks for each individual user. On a WPA3-Personal wireless network, a user cannot sneak in and eavesdrop on the wireless traffic of other users. Even if a hacker has successfully guessed a user's password, he or she cannot obtain the session keys used for encryption, and thus cannot decrypt previously captured wireless traffic (forward secrecy). Therefore, all encrypted wireless traffic is still protected. Figure 3 shows the WPA3 connection flow chart based on SAE.

Figure 3. WPA3 connection flow chart based on SAE encryption.

WPA3-Enterprise. For better protection of wireless networks used for business, an optional 192-bit security mode is implemented in the enterprise version of the WPA3 protocol, WPA3-Enterprise. This new security feature is essential to those enterprise wireless networks that are deployed in a sensitive environment and require high-level security and protection.

A significant security feature released alongside WPA3 is Wi-Fi Enhanced Open; it is a separate certification for open, passwordless networks rather than a part of WPA3-Enterprise itself. With this new function, 802.11 conversations between the APs and the wireless hosts in open networks are encrypted with different keys for different connections, so the encryption on each wireless link is different. The underlying technology is referred to as Opportunistic Wireless Encryption (OWE). WPA3 also requires Protected Management Frames (PMF), which protect the management traffic between the wireless hosts and the APs; forged deauthentication frames, for example, are no longer accepted. Another benefit of Wi-Fi Enhanced Open is that it protects the users of the same open network from sniffing each other's traffic or attacking each other. Therefore, attacks such as session hijacking by a passive eavesdropper are not feasible on wireless networks with WPA3 or Enhanced Open deployed. Table 2 summarizes the security features of WEP, WPA, WPA2, and WPA3.

Table 2. Comparison of WEP, WPA, WPA2, and WPA3.

Standard        WEP                         WPA                                   WPA2                                  WPA3
Release         1997                        2003                                  2004                                  2018
Encryption      RC4                         TKIP with RC4                         AES-CCMP                              AES-CCMP and GCMP
Key size(s)     64 and 128 bits             128 bits                              128 bits                              128 and 256 bits
Cipher type     Stream                      Stream                                Block                                 Block
Authentication  Open system and shared key  Pre-shared key and 802.1X with EAP    Pre-shared key and 802.1X with EAP    SAE and 802.1X with EAP

WEP: Wired Equivalent Privacy; WPA: Wi-Fi Protected Access; RC4: Rivest Cipher 4; TKIP: Temporal Key Integrity Protocol; AES: Advanced Encryption Standard; CCMP: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol; GCMP: Galois/Counter Mode Protocol; EAP: Extensible Authentication Protocol (an EAP variant is used in each 802.1X column); SAE: Simultaneous Authentication of Equals.

In this module, we reviewed some basic concepts related to wireless networks, presented the two operating modes of wireless networking, and discussed different types of wireless networks. Finally, we explored the vulnerabilities of wireless networks and the protocols for securing wireless networks.

Development of the hands-on labs

To help students digest the critical cybersecurity topics discussed in the above four course modules quickly and thoroughly, we developed a scenario-based hands-on virtual machine lab for each of these course modules. These virtual machine labs are designed to enhance students' engagement and provide them with hands-on experience of real-world cyber activities to augment their cyber education.

A hands-on lab on application security

In this subsection, we develop a scenario-based hands-on virtual machine lab for the course module on application security presented in section "Application security." We redesigned and modified Lab 10 (Analyze and Differentiate Types of Malware & Application Attacks) of the Security+ Lab Series on NDG NETLAB+.20 For readers' convenience, we use

the same network topology as the one designed for this standard lab series available on NDG NETLAB+. In this lab, students will exploit the Shellshock vulnerability on a Linux system using an environment variable. Upon completion of this lab, students will be able to exploit the Shellshock vulnerability on a Linux system using environment variables.

Lab instructions.

1. Log into your account on NDG NETLAB+ and load the network topology for the NISGTC Security+ Lab Series.
2. On the login screen of the Ubuntu virtual machine, select the student account.
3. When prompted for the password, type securepassword. Press Enter.
4. Activate the Ubuntu PC viewer if it is not active.
5. Open a terminal window on Ubuntu by clicking the Terminal icon on the left menu of the Ubuntu desktop.
6. Change to the directory /home/scripts by executing the following command: cd /home/scripts
7. To run a vulnerability check on the current bash configuration of the Ubuntu system, run the following script: ./shellshock_test.sh
8. The program env on Linux sets environment variables for a command, and bash -c runs a specific command in a new bash process. We use both together to test whether the Linux system is vulnerable to Shellshock by running the following command:
   env e='() { :; }; echo the Linux system is vulnerable to shellshock' bash -c 'echo shellshock Linux system vulnerability test'
9. If your system is vulnerable to the Bash "Shellshock" bug, the above command will produce the following output:
   the Linux system is vulnerable to shellshock
   shellshock Linux system vulnerability test
10. Otherwise, you will see only the following message in the output:
   shellshock Linux system vulnerability test
11. Therefore, the Ubuntu system in the topology is NOT vulnerable to the Shellshock vulnerability. The Ubuntu system is up to date.

Explanation of lab results. We defined an environment variable e whose value is '() { :; }; echo the Linux system is vulnerable to shellshock', and then ran bash with the command 'echo shellshock Linux system vulnerability test'. A value beginning with "() {" is the form in which bash exported shell functions through the environment, so the child bash started by bash -c parses the value as a function definition when it imports its environment. The colon (:) is a no-op, so the function body does nothing. The semicolon (;) after the closing curly bracket ends one command and starts another on the same line, so the function could have had more than one command in its body. A vulnerable bash did not stop at the end of the function definition: while importing the variable, before running the command given to bash -c, it went on to execute the trailing command (echo the Linux system is vulnerable to shellshock). A patched bash only defines the function (current versions import functions only from variables whose names carry the BASH_FUNC_ prefix), so the trailing echo is never executed and only the bash -c command produces output.

A hands-on lab on web security

In this subsection, we develop a scenario-based hands-on lab for the course module on web security. In this lab, students first use Wmap from Kali Linux to scan a web server to find vulnerabilities. Second, students use the Metasploit Framework (MSF) to exploit the web server, gain control of the server, and upload the tools needed to attack the server further. Third, students launch a denial of service (DoS) attack by exhausting the target's available hard drive space. The learning objectives of this lab are to (1) understand web vulnerability scanning; (2) demonstrate using the MSF framework to exploit a remote server; and (3) illustrate the techniques used to launch a DoS attack against a web server. The network used in this lab includes a Kali Linux computer named Kali, a web server named OWASP, and a Fedora Linux host. The Kali Linux host is separated from the web server by a firewall named pfSense.

Vulnerability scanning using Wmap. Hackers usually use Nmap to scan a network to find a target and the open ports and services on the target. After a victim is chosen, hackers use Nessus, OpenVAS, or Wmap to scan the target to see whether there is any vulnerability that can be used to attack it. Once a vulnerability is found, the hacker uses MSF to take control of the target and launch attacks. In the following, we use Wmap to scan the target OWASP with IP address 192.168.68.12 from Kali Linux:

(1) Log in to Kali Linux as root.
(2) Start the MSF framework (msfconsole).
(3) Run ifconfig to check the IP address of Kali Linux.
(4) Use the connect command to connect to the web server OWASP at IP 192.168.68.12, port 80.
(5) Show the available payloads.
(6) Load the web application scanner plugin Wmap (load wmap).
(7) Add a website and make it the target (wmap_sites -a, then wmap_targets -t).
(8) Make sure the modules in /root/profile are available and enabled for the target (wmap_run -t lists the modules that will be run).
(9) Run the vulnerability scan using wmap_run -e.
(10) Use the command wmap_vulns -l to list the vulnerabilities found on the target.
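The Shellshock lab above tests bash locally; on a web server the same "() {" marker arrives in request headers that a CGI script exports into the environment (HTTP_USER_AGENT, HTTP_COOKIE and so on), which is how vulnerability scanners and intrusion detection rules recognise it. The Python program below is an added example, not code from the paper or the NETLAB+ labs. The two HTTP requests are constructed, and its brace matching is a simplification of bash's parser rather than a reimplementation of it; it separates a harmless exported function from a function definition followed by extra commands, the shape that triggered the bug.

```python
from __future__ import annotations
import re

# Bash's exported-function marker. A value starting "() {" is what a vulnerable
# bash parsed as a function definition when importing its environment.
FUNCTION_MARKER = re.compile(r"\(\)\s*\{")


def parse_headers(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: returns the headers with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def carries_trailing_command(value: str) -> bool:
    """True when the value is a function definition followed by further
    commands, i.e. the Shellshock shape. Brace matching ignores quoting
    rules; that simplification is an assumption of this example."""
    if not FUNCTION_MARKER.match(value.lstrip()):
        return False
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # anything but whitespace/semicolons after the body is a payload
                return value[i + 1:].strip(" \t;") != ""
    return False                                  # unbalanced: not a definition


def shellshock_findings(raw_request: bytes) -> list:
    """Names of the request headers whose values carry the Shellshock shape."""
    return [name for name, value in parse_headers(raw_request).items()
            if carries_trailing_command(value)]


# Constructed sample requests.
MALICIOUS = (b"GET /cgi-bin/status HTTP/1.1\r\n"
             b"Host: www.example.org\r\n"
             b"User-Agent: () { :; }; /bin/bash -c 'id'\r\n"
             b"Accept: */*\r\n\r\n")
BENIGN = (b"GET /index.html HTTP/1.1\r\n"
          b"Host: www.example.org\r\n"
          b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
          b"Cookie: layout={}; theme=dark\r\n\r\n")


if __name__ == "__main__":
    print("malicious:", shellshock_findings(MALICIOUS))
    print("benign:   ", shellshock_findings(BENIGN))
```

The same check applied to the lab's own variable value, "() { :; }; echo the Linux system is vulnerable to shellshock", returns True, while a plain exported function "() { :; }" returns False; a detection rule that only looks for "() {" would flag both and generate false positives on hosts that legitimately export functions.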


14 International Journal of Distributed Sensor Networks

MSF exploitation. A hacker can use some available be increased continuously. This point can be
exploits to login to a remote server bypassing the verified by execute ‘‘ls –hl.’’
authentication. The following shows the steps to do so
by exploiting the vulnerabilities in software TikiWiki
CMS which runs at the target OWASP:

1. Search the matched exploits for software


TikiWiki.

(3) Of course, the hard drive will be exhausted


with the increasing of the size of bigfile. One
way to limit the size of a file created by a user is
2. Use the exploit to gain the access to the target. to add some rules to ‘‘limits.conf.’’ For example,
if we add ‘‘yang_jianhua hard fsize 30000’’ to
limits.conf which means limit the size of a file
created by user ‘‘yang_jianhua’’ as 30M. You
3. Set the remote target to be ‘‘192.168.68.12,’’ and must reboot your Fedora system to make your
local host to be ‘‘192.168.9.2.’’ change effective. Type ‘‘reboot’’ at the terminal
and login with you’re the same user name.

4. Set the payload to be reverse TCP.

5. Initiate the exploit on the target host.

(4) We modify ‘‘limits.conf’’ and run the same


command to see if the size of ‘‘bigfile’’ is
limited.

6. Verify we have logged into the target machine


by command ‘‘pwd.’’

DoS attack. This attack can be launched to any type of


system. In the following, we use a web server running
Fedora Linux to show how to launch a DoS attack:
(1) Log in to the Fedora Linux system as an unprivileged user (it does not have to be root), such as user "yang_jianhua."
(2) Open a terminal on your Fedora system and execute "cat /dev/urandom > bigfile &", which generates random bytes and writes them to "bigfile" continuously. The size of this file will

A hands-on lab on wireless network security
In this subsection, we develop a scenario-based hands-on virtual machine lab for the course module of Wireless Network Security. We redesigned and modified Lab 4 (Secure Implementation of Wireless Networking) of the Security+ Lab Series on NDG NETLAB+ [21]. For readers' convenience, we use the same network topology as the one designed for this standard lab series available on NDG NETLAB+. In this lab, students practice decrypting WPA traffic using the airdecap-ng tool and then analyze the decrypted 802.11 wireless packets with Wireshark. Upon completion of this lab, students will be able to decrypt and then examine 802.11 WPA wireless traffic.

Lab instructions
1. Log into your account on NDG NETLAB+ and load the network topology for the NISGTC Security+ Lab Series
2. On the login screen of the Kali virtual machine, select Other
3. When presented with the username, type root. Press Enter
4. When prompted for the password, type toor. Press Enter
5. On the Kali virtual machine, open a terminal and type Wireshark. The Wireshark program will open
6. On the Wireshark window, click File > Open; the "Open Capture File" window opens
7. Select the File System on the left pane, then navigate to the directory tmp/captures on the right pane
8. Select the file "WPA-01.cap" and then click Open at the bottom of the window
9. In the Filter pane of the Wireshark window, type http and then click Apply. You cannot see any traffic because the wireless traffic is encrypted
10. Next, we decrypt the captured file "WPA-01.cap" using the network software suite aircrack-ng with the option -w to set the WPA cracking path to a wordlist file named passlist under the directory /tmp/wordlists. You may also use "-" without the quotes for standard input (stdin)
11. Change the focus to the terminal and run the following command:
aircrack-ng /tmp/captures/WPA-01.cap -w /tmp/wordlists/passlist
12. For "Index of target network?" type 2 for the network with the ESSID boguswifi. The Extended Service Set Identification (ESSID) is one of two types of Service Set Identification (SSID). Since no valid WPA handshake is found, the result is listed below
13. Change the focus to the terminal and run the following command:
aircrack-ng /tmp/captures/WPA-01.cap -w /tmp/wordlists/passlist
14. For "Index of target network?" type 5 for the network with the ESSID T4QY4. Since again no valid WPA handshake is found, the result is shown below (same as the result from Step 12)
15. Change the focus to the terminal and run the following command:
aircrack-ng /tmp/captures/WPA-01.cap -w /tmp/wordlists/passlist
16. For "Index of target network?" type 3 for the network with the ESSID TOWSON333. Since there is a valid WPA handshake found in this case, the WPA passphrase is obtained as shown below
17. Now, decrypt the 802.11 traffic for the wireless network TOWSON333. Type the command below to decrypt the wireless traffic:
airdecap-ng /tmp/captures/WPA-01.cap -e TOWSON333 -p breezeless
18. The tool airdecap-ng, from the aircrack-ng network software suite, can decrypt WEP/WPA/WPA2 capture files. It can also be used to remove the wireless headers from an unencrypted wireless capture. It outputs a new file ending with "-dec.cap", which is the decrypted version of the input capture file
19. The total number of decrypted WPA data packets is 11,401
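Before moving on to inspect the decrypted capture in Wireshark, it helps to see why Steps 12 to 16 behave as they do. The following is an added example written for this article's readers; it is not code from the paper or from the NDG lab material. It implements the passphrase-to-key mapping that WPA/WPA2-Personal actually uses (PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID), and wraps it in a small audit that a network owner can run on a candidate passphrase: is it in the wordlist the lab uses, and how much entropy does it carry? The wordlist contents, the SAMPLE_WORDLIST_TEXT name, and the audit function names are constructed for the example; the lab's real /tmp/wordlists/passlist is not reproduced.

```python
import hashlib
import math

# Constants fixed by the WPA/WPA2-Personal (PSK) passphrase mapping in IEEE 802.11i:
# PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32-byte output).
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key that a station and access point share on a PSK network.

    The ESSID is the salt, so the same passphrase yields a different PMK on every network name;
    a precomputed table for one ESSID is useless against another.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA/WPA2 passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LENGTH_BYTES,
    )


def load_wordlist(text: str) -> list:
    """Parse a wordlist in the one-candidate-per-line layout that aircrack-ng reads with -w."""
    return [line.strip() for line in text.splitlines() if line.strip()]


# Constructed stand-in for /tmp/wordlists/passlist (assumed contents, not the lab's file).
SAMPLE_WORDLIST_TEXT = """password
12345678
letmein1
breezeless
qwertyui
"""


def charset_entropy_bits(passphrase: str) -> float:
    """Rough upper-bound strength estimate: length times log2 of the character classes used."""
    size = 0
    if any(c.islower() for c in passphrase):
        size += 26
    if any(c.isupper() for c in passphrase):
        size += 26
    if any(c.isdigit() for c in passphrase):
        size += 10
    if any(not c.isalnum() for c in passphrase):
        size += 33  # printable ASCII punctuation
    return len(passphrase) * math.log2(size) if size else 0.0


def audit_passphrase(passphrase: str, ssid: str, wordlist_text: str) -> dict:
    """Report whether a candidate passphrase would survive the wordlist used in the lab.

    A wordlist run succeeds only if (a) a four-way handshake for this ESSID is in the capture,
    because the handshake is what each candidate key is checked against (this is why Steps 12
    and 14 fail and Step 16 succeeds), and (b) the passphrase is actually in the list, which is
    what this audit checks, together with a crude entropy estimate.
    """
    candidates = load_wordlist(wordlist_text)
    pmk = derive_pmk(passphrase, ssid)
    return {
        "ssid": ssid,
        "in_wordlist": passphrase in candidates,
        "wordlist_size": len(candidates),
        "entropy_bits": round(charset_entropy_bits(passphrase), 1),
        "pmk_hex": pmk.hex(),
    }


if __name__ == "__main__":
    # "breezeless" is the passphrase the lab recovers in Step 16; the second value is a constructed
    # example of a passphrase that no short wordlist will contain.
    for candidate in ("breezeless", "Correct-Horse-7-Battery"):
        print(audit_passphrase(candidate, "TOWSON333", SAMPLE_WORDLIST_TEXT))
```

The derivation is deliberately slow (4096 HMAC-SHA1 iterations per candidate), which is what makes a large wordlist expensive to try; the defence that actually matters, however, is keeping the passphrase out of any wordlist at all, which the entropy estimate and the membership check make visible.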
20. Navigate to the /tmp/captures directory and then select the file "WPA-01-dec.cap"
21. In the Filter pane on the Wireshark window, type http and then click Apply
22. Select the File menu option and navigate to Export Objects > HTTP
23. A new window appears. Browse through the list and examine the image files downloaded. Find the packet with packet number 4860 and select it. Click the Save As button at the bottom
24. Accept the default and save the file in the directory /tmp/captures. Then click Save
25. View the image file by selecting the Places menu option from the top menu pane, clicking Recent Documents, and then selecting the file "wireless-network-new-5.jpg." The result is shown below

A hands-on lab on firewall configurations
In this subsection, we develop a scenario-based hands-on virtual machine lab for the cybersecurity module of firewall configurations. We redesigned and modified Lab 1 (Configuring a Windows-Based Firewall to Allow Incoming Traffic) of the Network Security Lab Series on NDG NETLAB+ [22]. For readers' convenience, we use the same network topology as the one designed for this standard lab series available on NDG NETLAB+.
In this lab, students will set up services on virtual machines in the internal network that will be used by hosts from the external network; configure the firewalls between the internal and the external networks to allow certain incoming or outgoing traffic; and test whether or not the firewall system is working properly. Upon completion of this lab, students will be able to understand firewall configurations, know how to configure network address translation (NAT), and understand the security policies implemented by a firewall.

Lab instructions. Log into your account on NDG NETLAB+ and load the network topology for the Network Security Lab Series.

Part 1. Configure the Windows 2008 Firewall to redirect all the FTPS (port 990), FTP (port 21), HTTPS (port 443), and HTTP (port 80) traffic to the Backtrack 5r3 virtual machine on the internal network.
1. Log into the Windows 2008 Firewall on the pod topology as the Administrator using the password firewall
2. Double-click the icon Routing and Remote Access on the desktop
3. On the Routing and Remote Access window, right-click FW (local) and select Disable Routing and Remote Access
4. Click Yes in the dialog for the warning message
5. When the arrow on the right-hand side of FW (local) turns red, right-click FW (local) and select Configure and Enable Routing and Remote Access
6. The Routing and Remote Access Server Setup Wizard appears. Click Next
7. Select the NAT radio button and then click Next
8. Select the WAN–External public interface and click Next
9. Select the option I will set up name and address services later. Click Next
10. Click Finish to close the wizard and then wait until it finishes
11. Click the plus icon next to IPv4 to expand the list and select NAT
12. Right-click the WAN–External interface and select Properties
13. Click the Services and Ports tab on the External Properties window
14. Click the Add button located underneath all of the listed services
15. Type FTPS as the Description of this Service. For the Incoming port, type 990. For the Private Address, type 192.168.1.50. For the Outgoing port, type 990. Click OK twice
16. FTPS by default runs on port 990. It is FTP over SSL. FTPS is highly secure due to the encapsulation within an SSL channel, but it requires quite a few open ports to operate
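The service entry added in Step 15 is a static port mapping: a connection arriving at the firewall's public port is rewritten to the private address and port of the internal host. The following is an added example, not part of the paper or of the NDG lab, that models the Services and Ports table this part of the lab builds (the FTPS entry above plus the FTP, HTTPS, and HTTP entries added the same way) and shows what an external port scan such as the one in Part 2 can and cannot tell you about it. The rule list, the public address 216.1.1.1 taken from Part 2, the set of listening services, and all function names are constructed for the example; the assumption that an FTP server is already listening on the Backtrack 5r3 host is drawn from Part 2's first scan result.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ServiceRule:
    """One entry on the Services and Ports tab: public port -> private address:port."""
    description: str
    incoming_port: int
    private_address: str
    outgoing_port: int


# The four entries Part 1 ends up with (constructed from the lab text; FTPS values are those of
# Step 15, the others reuse the same private address as the lab does).
PART1_RULES: List[ServiceRule] = [
    ServiceRule("FTPS", 990, "192.168.1.50", 990),
    ServiceRule("FTP", 21, "192.168.1.50", 21),
    ServiceRule("HTTPS", 443, "192.168.1.50", 443),
    ServiceRule("HTTP", 80, "192.168.1.50", 80),
]

# Public address of the WAN-External interface as scanned in Part 2 (nmap 216.1.1.1).
PUBLIC_ADDRESS = "216.1.1.1"


def forward(rules: Iterable[ServiceRule], public_port: int) -> Optional[Tuple[str, int]]:
    """Where an inbound TCP connection to public_port is sent; None means the firewall drops it."""
    for rule in rules:
        if rule.incoming_port == public_port:
            return (rule.private_address, rule.outgoing_port)
    return None


def external_view(rules: Iterable[ServiceRule], listening: Set[Tuple[str, int]],
                  ports_to_scan: Iterable[int]) -> Dict[int, str]:
    """What a scanner on the external network observes for each port.

    A redirected port shows as open only when the internal host really listens on the mapped
    port; a rule pointing at a dead backend looks closed from outside. This is the difference
    between Part 2 Step 3 (only 21 open) and Step 8 (21 and 80 open, after apache start), and it
    is why a scan alone cannot distinguish "no rule" from "rule to a stopped service".
    """
    view: Dict[int, str] = {}
    for port in ports_to_scan:
        target = forward(rules, port)
        view[port] = "open" if target is not None and target in listening else "closed"
    return view


def unexpected_exposures(rules: Iterable[ServiceRule], intended_ports: Set[int]) -> List[ServiceRule]:
    """Least-exposure check: entries that publish a port the policy did not intend to publish."""
    return [r for r in rules if r.incoming_port not in intended_ports]


def render_scan(view: Dict[int, str]) -> str:
    """Compact per-port summary lines (not nmap's exact output format)."""
    return "\n".join(f"{port}/tcp {state}" for port, state in sorted(view.items()))


if __name__ == "__main__":
    scanned = (21, 80, 443, 990)
    before = {("192.168.1.50", 21)}            # assumed: FTP already running on Backtrack 5r3
    after = before | {("192.168.1.50", 80)}    # after Applications > BackTrack > Services > HTTPD > apache start
    print("before apache start:\n" + render_scan(external_view(PART1_RULES, before, scanned)))
    print("after apache start:\n" + render_scan(external_view(PART1_RULES, after, scanned)))
    print("unexpected exposures:", unexpected_exposures(PART1_RULES, {21, 80, 443, 990}))
```

The point for a firewall administrator is that the rule table and the scan result answer different questions: the table states the intended exposure (which unexpected_exposures audits against policy), while the scan states the current reachable surface, which also depends on what is running behind the NAT at that moment.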
17. You will see the newly added service FTPS at the bottom of the list. It should look like
18. From the service list, click on the FTP server
19. In the Edit Service window, type 192.168.1.50 into the Private address space. Click OK
20. Check the box on the left-hand side of the FTP server
21. Repeat Steps 18–20 to add the services HTTPS and HTTP
22. Click OK to complete the configuration of the Windows 2008 Firewall.

Part 2. Test whether the configured Windows 2008 Firewall works properly.
1. Log onto the Windows 7 virtual machine on the external network as a student with the password "password"
2. Double-click the cmd-shortcut icon on the Desktop to open a command window. Run the following command:
nmap 216.1.1.1
3. Note that only TCP port 21 is open, for the FTP service. The other three ports 80, 443, and 990 are all closed as seen from the Windows 7 external machine
4. Log onto the Backtrack 5r3 virtual machine on the internal network as the root user with password toor
5. Type the following command to start the Graphical User Interface (GUI):
root@bt:~# startx
6. To start the Apache web server, on the GUI, select Applications > BackTrack > Services > HTTPD > apache start. A window similar to the following appears
7. Now, go back to the Windows 7 external virtual machine. Run the following command again in a command window:
nmap 216.1.1.1
8. Note that both ports 21 and 80 are open at this time; the other two ports 443 and 990 are still closed
9. Open the Mozilla Firefox browser on the Desktop of the Windows 7 external virtual machine. Type http://216.1.1.1 in the address bar for the URL
10. Note that the HTTP traffic from external virtual machines was redirected to the internal Backtrack 5r3 virtual machine as configured at the Windows 2008 Firewall.

Conclusion
In this article, we presented four course modules on critical cybersecurity topics that can be adopted in college-level cybersecurity courses in which these topics are covered. Our hands-on labs are designed to offer college students hands-on experiences with real-world cyber activities and provide them career-ready cyber experiences. Students are able to learn both foundational and advanced skills from our well-designed cybersecurity course modules and hands-on labs. We also conducted literature reviews on the most recent significant research in these critical cybersecurity fields. It is important for college students to learn and appreciate these recent significant research outcomes and augment their cyber education.
As for future research directions related to this article, we will develop educational modules and conduct research surveys on other critical cybersecurity topics such as cloud computing security, IoT security, and cyber-physical security.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.

ORCID iD
Lixin Wang https://orcid.org/0000-0003-4965-5510

References
1. Internet Society. 2018 cyber incident & breach trends report, 4 December 2019, https://www.internetsociety.org/wp-content/uploads/2019/07/OTA-Incident-Breach-Trends-Report_2019.pdf
2. Zheng E, Gates-Idem P and Lavin M. Building a virtually air-gapped secure environment in AWS: with principles of devops security program and secure software delivery. In: Proceedings of the 5th annual symposium and bootcamp on hot topics in the science of security, New York, 10–11 April 2018. New York: IEEE.
3. Fischer F, Böttinger K, Xiao H, et al. Stack overflow considered harmful? The impact of copy & paste on android application security. In: IEEE symposium on security and privacy (SP), San Jose, CA, 22–26 May 2017. New York: IEEE.
4. Zhang H, Yao D and Ramakrishnan N. Causality-based sensemaking of network traffic for android application security. In: Proceedings of the 2016 ACM workshop on artificial intelligence and security, 2016, https://yaogroup.cs.vt.edu/papers/AISec-Causal-analysis-Android-Yao.pdf
5. Huang H-C, Zhang Z-K, Cheng H-W, et al. Web application security: threats, countermeasures, and pitfalls. Computer 2017; 50(6): 81–85.
6. Marashdih AW, Zaaba ZF and Omer HK. Web security: detection of cross site scripting in PHP web application using genetic algorithm. Int J Adv Comput Sci Appl 2017; 8(5): 080509.
7. Rahman MA, Amjad M, Ahmed B, et al. Analyzing web application vulnerabilities: an empirical study on e-commerce sector in Bangladesh. In: Proceedings of the international conference on computing advancements, Dhaka, Bangladesh, 10–12 January 2020, pp.1–6. New York: ACM.
8. Wool A. Trends in firewall configuration errors: measuring the holes in Swiss cheese. IEEE Internet Comput 2010; 14(4): 58–65.
9. Li D, Guo H, Zhou J, et al. SCADAWall: a CPI-enabled firewall model for SCADA security. Comput Secur 2019; 80: 134–154.
10. Kobayashi H, Zhang Z, Ochiai H, et al. Probing firewalls of malware-infected networks with honeypot. In: Proceedings of the 14th international conference on future internet technologies, Phuket, Thailand, 7–9 August 2019, pp.1–4. New York: ACM.
11. Ahmad I, Shahabuddin S, Kumar T, et al. Security for 5G and beyond. IEEE Commun Surv Tutor 2019; 21(4): 3682–3722.
12. Wu Q, Mei W and Zhang R. Safeguarding wireless network with UAVs: a physical layer security perspective. IEEE Wireless Commun 2019; 26(5): 12–18.
13. Huo Y, Fan X, Ma L, et al. Secure communications in tiered 5G wireless networks with cooperative jamming. IEEE Trans Wireless Commun 2019; 18(6): 3265–3280.
14. Ionescu P. The 10 most common application attacks in action, April 2015, https://securityintelligence.com/the-10-most-common-application-attacks-in-action
15. Stallings W. Network security essentials: application and standards. 4th ed. London: Pearson, 2011.
16. Logan P and Clarkson A. Teaching students to hack: curriculum issues in information security. In: Special interest group on computer science education symposium, St. Louis, MO, 23–27 February 2005. New York: ACM Press.
17. Cohen F. An undetectable computer virus. New York: IBM, 1987.
18. Knowledge base—about firewalls, February 2019, https://kb.iu.edu/d/aoru
19. Pfleeger CP, Pfleeger SL and Margulies J. Security in computing. Upper Saddle River, NJ: Prentice Hall, 2015.
20. Security+ Lab Series on NDG NETLAB+. Lab 10 – analyze and differentiate types of malware & application attacks, September 2015, https://www.coursehero.com/file/38627592/Ch-2-Lab-10-Analyze-and-Differentiate-Types-of-Malware-Application-Attacksdocx/
21. Security+ Lab Series on NDG NETLAB+. Lab 4 – secure implementation of wireless networking, September 2015, https://www.coursehero.com/file/26240413/Lab04pdf/
22. Network Security Lab Series on NDG NETLAB+. Lab 1 – configuring a windows based firewall to allow incoming traffic, September 2015, https://www.coursehero.com/file/48446967/Network-Security-Lab-01-configuring-a-Windows-based-firewall-to-allow-incoming-trafficpdf/