INFO300 - IT Infrastructure & Security - Summer 2012

Current Stuff as at August 6th:

F I N A L Points and grades are posted as at 4:30 Monday the 6th. If you see an error in posting please let me know. These grades will be posted to the Registrar mid-day Tuesday.

The CentOS Installation was attempted a few times in class as the instructor found problems with junk equipment and this strange projector... We got it done on the 30th. These scripts were covered in the demo.

The last class will be used for Quiz #3, the IS Dept's Assessment Test, and an Optional Final Exam or re-take of Quiz #1 or #2. If you did poorly on an earlier quiz, I hope you find the options a fair way to get these points late:

(7/18) The LAN Project due date was set back to the beginning of class August 1st because some students found the MSDNAA server inaccessible earlier this week and last. As of Thursday afternoon I can report that the last known problems with the 'ISY LAN Accounts' and MSDNAA server were solved earlier this week. I've seen it work for a few students today in lab, and can report that the Network Guy on duty, Mr Crawford, is a caring & competent fellow, able to solve problems about setting up LAN accounts and downloading from MSDNAA. The link in the LAN assignment below, or, will get you to link for ISY LAN Accounts down at the lower left of the page. Use the Web App to change your password -- have your VCUOne Card when you do -- if your 'Prox #' doesn't work contact the Network Guy asap. The best way to download software is with _wired_ ethernet while in Snead Hall, in the 4th floor Lab #4222 is even better, don't even attempt it with wireless. If you're off-campus with good bandwidth MSDNAA downloads are do-able, but you'll need to get the Cisco AnyConnect Web VPN installed on your computer and run it to gain access to the servers.

Earlier topics have been moved to the bottom of the page.

Quiz #3 Topics & Dates:

(7/25) Any discussion of Software these days needs to start with the admonissions that security should be _designed_ into systems, that it's not always feasible to _add_ security to a system without it, and that a system's first security breach may result in the failure of the system's owners' enterprise or organization. As at 2012, IT Professionals have developed a legacy of standards and recommendations for securing and operating information systems -- ignorance of them is no defense against blame or liability claims when a system is robbed of 'sensitive' data or it is otherwise lost or corrupted.

Application Software may be Vulnerable to Errors or Exploits

Security breaches in software are more often a fault of application software, not the operating system that hosts the application. For example: WordPress, the heart of more than 300,000 of the blogosphere's engines, has had a recent spate of vulnerabilities in the add-on applications available for WordPress which made inappropriate disclosure of personal information or allowed destruction or defacement of the stuff of blogs. Or, a developer delivers a software update that causes the server to crash or otherwise generate errors at some critical time, like when the Customer clicks OK, or when the Dunning notices need to be sent out...

Windoze and the *ixes (Linux & proprietary unix) all provide super-adequate capabilities for securing an application environment's OS, DBMS, network, email and Web servers. If managed professionally any of them are secure hosts, and all may be vulnerable if improperly or incompletely managed.

Most of the 'vulnerability' in systems today comes from poorly designed or detailed application software that fails to provide 'non-repudiation', 'version control', 'authentication & authorization' or other pillars of system security.

Here are some links about security issues in application code: Top 25 Most Dangerous Software Errors; SANS provides Top 20 Security Controls, and with a practical guide stated as Critical Security Controls. CyberCiti suggests20 Linux Server Hardening Tips.

Lecture Topics:

Quiz #3 Study Questions Note: some of these questions come from the Setup and Secure a Firewall/Server topic, some have already appeared for Quiz #2...

LAN Project: Bill of Details and Network Diagrams for an office LAN

Specs for this project are delivered in the memo below and verbally in class. The network rack with DMZ fire-walling is similar to the DMZ sketched on the board in class. Students are asked to get together 1) purchase orders for hardware, software, and services, 2) Summaries of up-front purchases and recurring costs for operating the application environment, 3) a floorplan for the premises wiring showing equipment location and jacks for networked equipment an phones, and 4) a separate, detailed diagram showing the equipment and jumpering on the server rack.

Here is the Memo From The Boss, including a sketch of the floorplan and network rack, and general requirements for the LAN.

On the due date, bring a printed copy at the _beginning_ of class where I'll have a heavy-duty stapler, please don't submit your project in a binder of any type.  Send an electronic copy prior to class as one document (Word or PDF work well, so does Excel...), preferably not zipped, attached to VCU-originated email to

Visio is recommended for the diagrams -- it's free thru the MSDNAA. Anything else will have you working harder for a less-polished result. Here's Where & how to get MSDNAA software.

(Don't wimp out and use the Excel or Word drawing tools! The job will be much more difficult since you'll have to invent your own shapes and the diagrams won't be very Pro in appearance.) Excel makes it easy to do the Bill of Details (POs, and summaries of up-front and operating expenses). Most students put the final document together in Word and copy/paste the Visio diagrams and Excel bill of details into it. Open Office users can add 'Dia', an open-source, Visio-like, 2D CAD software that plays well with Open Office.

This is an exercise with technical drawing tools. Hand-drawn diagrams, or hand-drawn marks on a diagram are not acceptable.

Here are general requirements for the project.

Here are some Examples of winning projects.

Tips for Pro work:

Stuff under here is not organized for Spring 2012 Yet

End of Semester Notices and Topics

The next deliverable for the Tech Marketplace Brief & Hands-on Linux is due the 8th.

Due Dates for HOL and Tech Marketplace Brief:

Semester End:

Is lack of INFO160 holding you up? The new 'pre-req check' in eServices is keeping students out of INFO360. This new requirement will be waived for students who have already had EBUS202, INFO202, or INFO300. Ask if you need the waiver, I'll be bringing the forms to classes next week.

Exam Schedule:

No variation of the exam times will be permitted except attending another section's scheduled exam time which have been published far in advance so there are no conflicting exam times. Students who cannot arrive within fifteen minutes of the scheduled start times for the exam must use the School's last makeup session from noon thru 4:00 December 16th.

Tech Marketplace Brief and Hands On Linux:

Approved Topics and Mimimum Requirement for these Technical Briefs.  On the due date, posted on the home page for your class, Bring a printed copy to class, stapled or ready to staple at the upper left corner, no binders please.  Also submit an electronic copy as a single document attached to a VCU-originated email, due before the last class.

The _Outline_ and _References_ are of the essence for this assignment, so please print or copy any pages referenced in your brief. Markup on the pages, using a highliter or any other making device, any facts you've included in your brief. If you read 40 pages of stuff but only use facts from a few pages, copy only those few pages and markup the first of them with the exact url, or publication, with the facts.

Consider the Coding Standards as you work putting your brief, or a pithy abstract of it, on the web. The Instructor offers these standards as an abreaction to getting crappy looking stuff as a response to this project and not being able to dock points for it. Points will be docked liberally for any deviation from these specs. The Rubric for scoring the printed copy is also worth your consideration to earn max points and have a project worthy of your professional portfolio.

Use View -> Source on this example of a winning project to see how easy this can be: This gentleman submitted well-researched briefs of about 6 or 8 pages each, and posted these abstracts on-line. Every deadline was met, and there were a several pages of 'hilited facts' that were very useful in updating this elder geek about these well-known products and manufacturers. No time was wasted on fancy effects, but it reeks of a careful reading of the specs and serves as a clear example. You might want more pizzazz or subtle effects for your web-design portfolio, but this got max points for the class.

A portion of the Hands On Linux portion of the project will be scored automatically and reported on a 'Progress Page'. A 'snapshot' of the page with the contents of students' home directories and web space will be taken at the due date/time and points assigned on what's there. The deadline is of the essence for points on the Progress Page portion of the project. Lab Time in class will be provided, and some students get the required work done in class.

Progress Pages:

Resources for getting your hands on Linux:

Timely delivery is one of the essential requirements for both these exercises. Progress not demo'd on the class' Progress Pages by the time due will get zero points. Late papers will be docked five points for delivery after the class meeting where they are due and another point deducted for each midnight that passes before delivery.

Printed briefs and references shown at least five days before the last class may be critiqued and scored on the spot in class or in my office, and if re-work would net more points another copy submitted on or before the deadline will be considered as a candidate for full points. Please do not send me anything to review in email, or ask for critique and scoring during the four day period before the deadline.

Due Dates:

Past Topics:

Suggestions to Ace the course: Come to every class, on time; Abandon social networks during classtime; pay attention; take notes; ask questions; give testimonials; followup on any new topics using the links for the course and google -- this is all current stuff, google is IT's friend. Don't hesitate to update the Instructor -- IT's changing quick and some of you are at the front lines, see stuff coming before I do; Take notes -- if you're not taking notes, with a pencil or deft key or table strokes, you're denying yourself one of the brain's most powerful tools for recalling details and learning stuff.

Students who want to be working in 'network security' or 'network management' should already have their hands on a machine, or a few of them, on the internet, firewalling for a LAN, handling mail, &c -- If they don't it's high time to do it!

(6/11) Syllabus with course objectives, textbook info, rules for submitting papers, classroom policy, &c.

Quiz #1 Topics

(6/11) Why all the stuff about Linux?

Yes, the Instructor is biased by decades of experience! He prefers UX servers to Windows, longs for more Linux on Desktops, is glad to see it everywhere else. So will most of the technical interviewers you encounter on your way into a career.

Linux is like a Swiss Army Knife, lots of tools are built-in. Linux works fine on desktops and notebooks, but has a tiny market-share in that environment. It's getting lots of attention in 2011 as Droids and other Android OS devices catch on for smartphones and tablets, and we wonder what's next. In server and networking environments UNIX, and Linux, are doing what they were built to do and have major share. UNIX was originally built to run telephone switching and grew to handle all kinds of networks from HAM radio through the fastest Optical and other digital networks.

The 20-year anniversary, Fall of 2011, for the Linux kernel is a good time for the environment. More than ever it's becoming apparent that the compleat IT manager needs skills with at least Windows and Linux, and adding other environments like IBM's series i5 and z or Sun's Solaris makes good value too.

Here's a perspective of Linux at 20 Years. Here's how Linux got to be ubiquitous while being invisible without any help from maniacal marketeers, and lots from a zealous open source community, and is getting more firmly entrenched in the IT legacy as the 2010s play out.

Linux is in many ways an extension and improvement on many Unices/Unixes, which had been rock-solid platforms for many computing and networking tasks since the mid-'70s, then became dead-end platforms during the shakeout of mid-range computer manufacturers in the '80s. Here is a UNIX Timeline. It's surprising for some to see iOS and OS-X on there, but there they are, sprung off of WestCoastix.

Windoze NT came along in 1993, and in about 2011 Windows NT and Server have worked up to about half the the 'application server' market. Microsoft's Visual Studio IDE, Share Point, Dynamics ERP, Small Business Server, and thousands of business applications developed in the wake of the NT have matured nicely and are easy to sell, especially in a small-to-medium sized organizations where Windows solutions fit. Although some of our students leave to work in a 'Windows Only' environment, most are in a 'mixed environment'. Knowing how to work in both is more valuable than only one...

Efficient and Secure? Threads for IIS vs. Apache serving up a static page. Complexity doesn't necessarily mean insecurity, but it doesn't help it either.

The record for the world's fastest supercomputer bounces around among US, Japan, and China who leap-frog one another's technology every year or so. IBM set the record, again, recently. For decades IBM has held the record for the largest installed base of supercomputers, has the only one that can hang in a game of Jeopardy, and regularly holds the record for the fastest. IBM's Blue Gene/Q Supercomputers are scalable to 512 racks, each with 1,024 16-core compute nodes, able to focus 8,388,608 CPUs and a lot of RAM on a problem, scales to 209 TFps peak. Put a zSeries mainframe on each end to stage input and and soak up the output, add about a half acre of air-chillers outside to cool it, and you're ready to run...

Lecture Topics:

Quiz #2 Topics