B20.3157 Computer and Network Security -- Extended Summer 2005

Instructor Patrick McDaniel (mcdaniel 'at' cse.psu.edu)
TA Kevin Butler (butler 'at' cse.psu.edu)
Location KMC 590
Office Hours Prof. McDaniel : by appointment
Kevin Butler : by appointment
Mail-list B20-3157-U1-U2005@stern.nyu.edu

Absences

This class meets only 5 times. Hence, any absence will result in a failing or incomplete grade. There will be no exceptions.

Overview

As enterprises become increasingly reliant on electronic media and communication, the protection of data and electronic infrastructure becomes critically important. Incidents of security failures in commercial and non-commercial environments are increasing in number and severity. Hence, it is essential that enterprises continually develop and refine security strategies that reflect the changing uses of information technology.

This course introduces basic concepts of computer and network security, with an emphasis on the threats and countermeasures relevant to Internet and web services. Students will be prepared to evaluate the security needs of organizations, and to develop strategies to address these needs. The requirements and design of security technologies will be reviewed and case studies presented.

Grading

The course will be graded on exams, a course project, and class participation in the following proportions:

15% Class Participation
35% Course Project
50% Final exam

Exam

The final is closed book and will be held on the last day of the course. The exam may include any topic covered in lectures or assigned readings. A hint: exam questions will often require students to think beyond or delve deeper into the particulars of lectures. Hence, students who have read and understood all assigned material will have a much better chance of doing well on the exams. Students who rely exclusively either on the readings or the lectures will almost certainly do poorly. In short, the exams will not ask students to regurgitate facts, but to reason about the field. This requires a deep understanding of the material that cannot be acquired during the exam time.

Course Project

The course project requires the student to execute some limited research in security. The chief product of the project will be a technical report and presentation. Project topics will be discussed on the first day of class. Be realistic about what can be accomplished in the allowed time, and work in groups of 4 or fewer. However, the work should reflect real thought and effort. The grade will be based on the following factors: novelty, depth, correctness, clarity of presentation, and effort.

Class Participation

This course is essentially a discussion course. That is, the lectures will be driven by the discourse resulting from the course material. Students will be required to participate in discussions of the content during each lecture. Hence, the students' ability to exhibit comprehension of the papers is essential to a passing grade.

Required Texts

Most of the course readings will come from seminal papers in the field. Links to these papers will be provided on the course pages as the assignments are made. The following book is also required for the course.

The following are also recommended:

Course Outline

The course focuses on the study of computer and network security. The lectures begin with basic topics and terminology in computer security. Subsequent lectures will cover a broad range of topics in depth. These latter topics will largely be introduced through class readings. Students should complete readings before the lecture, as the discussion will be directed by the paper contents.

A preliminary outline of the class topics is as follows. Note that content is subject to change as the class progresses.

1. What is security?
Overview
Threat Models
Trust
Developing Enterprise Security Strategies
Security in the Real World
Readings: Kaufman et al. chapters 1, 9, 10

2. Cryptography
Basics of cryptography
Readings: Kaufman et al. chapters 2, 3, 4, 5, 6
SPAM**

3. Web Security
Web Authentication
Cookies
PKI
SSL
Web applications (Email, Java, ActiveX, ASP, ...)
Dynamic Content
Readings: Kaufman et al. chapters 15, 25

4. Network Security
IP Protocols
Firewalls
Intrusion detection
IPsec
DOS Mitigation
VPNs
Readings: Kaufman et al. chapters 16, 17, 20, 23

5. (Sun 9/18/05 9am-12pm) Wrapup
Wrapup

** -- just for fun.

Ethics Statement

This course considers topics involving personal and public privacy and security. As part of this investigation we will cover technologies whose abuse may infringe on the rights of others. As an instructor, I rely on the ethical use of these technologies. Unethical use may include circumvention of existing security or privacy measures for any purpose, or the dissemination, promotion, or exploitation of vulnerabilities of these services. Exceptions to these guidelines may occur in the process of reporting vulnerabilities through public and authoritative channels. Any activity outside the letter or spirit of these guidelines will be reported to the proper authorities and may result in dismissal from the class.

When in doubt, please contact the instructor for advice. Do not undertake any action which could be perceived as technology misuse anywhere and/or under any circumstances unless you have received explicit permission from Professor McDaniel.

Lecture Slides

  1. Lecture 1 (Overview)
  2. Lecture 2 (Crypto and SPAM)
  3. Lecture 3 (Network Security)
  4. Lecture 4 (Web Security)
  5. Lecture 5 (Wrapup)

Note: lectures and slides subject to change without notification.
Last modified: Thu Sep 15 11:03:33 EDT 2005