IT Infrastructure & Security - Summer 2013

Syllabus & Topic Outline

(6/10) Syllabus with course objectives, textbook info, rules for submitting papers, classroom policy, &c.

Here is a recently updated Topic Outline for the course. The outline is adapted to the courses in the links below.

Classroom behavior

All these topics in the The Provost's Policy apply to this course. Continued arrival to these classes indicates acceptance of these policies for email, honesty, behavior in the classroom & other facets of Faculty, University and Student roles.

In addition to the Provost's rules, the instructor relates that Wandering out of and back into the classroom is prohibited. Take care of any personal business before and after class. If some situaton arises that you can't ignore, take your stuff and leave, don't come back until the break.

Please silence all ring tones on cellphones or notifications from social media during class. Do not have a smartphone or other device on your lap or otherwise visible during a quiz. Calculators are not allowed, neither are notes or crib sheets.

Grades:

Points for the course come from three quizzes, two projects, and a technical brief. Topics are arranged into three groups below, one for each Quiz. The projects and technical brief are described below, both need updating for this summer so please don't start until they're introduced in class: LAN Project and Tech Marketplace Brief & Hands-on Linux.

Here are F I N A L Grades from last semester, this semester's will be assigned similar to it.

It's a pleasure to see A is the most-earned grade, 28 of them, and 18 Bs! Thru the semester these students have shown me good to excellent skills in the tech at hand, from CAD to the Command Line, and written on their quizzes. They're respectful and attentive in class, take notes, appear to actually read the links and text on the class' page, show they can follow the instructions they read. Students who earn A almost always relate that everything they needed is in the links on this page plus a little googling, and the links are backed up by lectures that point out what's important. Some of them are Pros already, have certificates, but many Aces are totally noobish. They'll likely be at the head of the line for the few jobs available in IT this season or the next. If you count, you'll see the same # of Ds and Fs, bimodal distro, sad to see, but there they are.

IBM's syNAPSE is so NOT Von Neuman...

FINAL Points are posted...

Intro and Quiz #1 & #2 topics have been moved down the page...

Class Meetings & Lectures

(6/23) Quiz #1 was Monday, July 1st.

Pop Quizzes are likely to be popped at the beginning of five or six classes this summer, at 3 points each. They'll start close to the first minute of class and generally will be collected in five minutes. If a pop quiz is missed it cannot be made up, and the quizzes of late arriving students will be collected with the rest of the class. At the end of the course the grade will be calculated using 3 points less than the total number of points available so that one pop quiz can be missed, or failed, without penalty.

Quiz #1 Topics

Quiz #2 Topics

Project Two

The Tech Brief & Hands-On Linux project is underway. Pick a topic you like and get it approved in class on the 4th, no topic will be approved for more than two students in a class. There is only one Tech Marketplace Brief due this semester, not two as in some examples.

Refer to the Coding Standards posted with the Hand-On Linux project. They call for Strict XHTML and pages with centered containers constrained to a max width of 800 px. The marked up references are also important for the project, more important than the brief, so please be printing and highlighting pages as you discover your facts.

Due Dates: (Need to be updated for Summer '13)

Project Two is to provide an opportunity to do a little work 'server side' at the Linux command line to learn a few unix commands and the vi-Visual Editor to put together a couple or few web pages that exemplify clean xhtml, semantic markup, css, and accessibility. Take time to find a vi or vim tutorial and learn use vi to edit the files in your project.

'Vim' is 'VI iMproved' for PC keyboards, is the ordinary version of vi on most linux distros. The classic 'vi' has no support for arrow or edit keys, works on dumb tubes without these features, so googling 'vi tutorial' might find a reference that leaves out some very useful features of vim. Googling 'vim tutorial' this morning got the definitive tute from OpenVim.Com and an enthusiastic tute at this blog.



Stuff under here is not organized for Summer 2013, may be needed later or in another semester

The Tech Market Brief & Hands On Linux project is underway. Bring any questions to class along with your notebook computer. Due dates: Dlv #1, topic in the right place, Friday the 30th for the day sections and Tuesday 12/5 for the evening. Dlv #2, outline & references in the right place with the right permissions, is due Friday the 7th for all sections. The printed brief with highlighted references is due at the exam time for your class. Websites will be scored Thursday the 13th.

These snapshots were taken after the deadline for Dlv #1: Morning Section; Afternoon Section,

Exam times: Morning - Thursday the 13th 8:00 thru 10:50am; Afternoon - Tuesday the 11th 1:00 thru 3:50; Evening - Tuesday the 11th 7:00 - 9:40 (date corrected 12/4). For the daytime sections, the time will be used for the IS Dept's Exit Exam and retaking a quiz or taking the optional final exam. For the evening section the exam time will be used for Quiz #3 and the IS Dept's Exit Exam.

Exit Exam aka IS Assessment: The exit exam is a 70-item, multiple choice, exam that covers all the topics from INFO300 and is given to all students in the course. Points posted for it will be 'curved', one point for each decile attained relative to the class. So, someone scoring at the 2nd or 3rd decile gets 2 or 3 of 10 points posted, a score at the middle gets 5 points, the top several scores in the section get 10 points. These 'assessment exams' are given by the department to all sections of every course of our technical core. The results are used to compare instructors teaching the same courses, identify knowledge gaps section by section, guage effects of meeting times, and otherwise support decisions about our curriculum. Instructors are asked to make a portion of the final grade dependent on the exit exam to help ensure a best effort by those taking it.

Due Dates for HOL and Tech Marketplace Brief:

Quiz #3 Topics

IT Security and Professional Standards

(7/24) Any discussion of Software these days needs to start with the admonitions that security should be _designed_ into systems, that it's not always feasible to _add_ security to a system without it, and that a system's first security breach may result in the failure of the system's owners' enterprise or organization. As at 2012, IT Professionals have developed a legacy of standards and recommendations for securing and operating information systems -- ignorance of them is no defence against blame or liability claims when a system is robbed of 'sensitive' data or it is otherwise lost or corrupted.

Most security breaches are the fault of application software, not the operating system. For example: WordPress, the heart of more than 300,000 of the blogosphere's engines, has had a recent spate of vulnerabilities in the add-on applications available for WordPress which made inappropriate disclosure of personal information or allowed destruction or defacement of the stuff of blogs.

Windoze and the *ixes (Linux & proprietary unix) all provide super-adequate capabilities for securing an application environment's OS, DBMS, EMail and Web servers. But much of a typical application environment's security is provided by the application software.

Most of the 'vulnerability' in systems today comes from poorly designed or detailed application software that fails to provide 'access control', 'non-repudiation', 'version control', 'authentication & authorization' or other key components of system security.

Current Issues in IT Security

Prism and Upstream are two recent NSA projects to collect every shred of data stored or transmitted on-line and phone calls overseas + what's 'tapped' onshore. This Massive Data Center in Utah is coming up in phases to keep it all indefinitely. The NSA provides an excellent pdf, Defense In Depth, a practical guide to IT security.

The NSA's not the only outfit snooping your Web traffic. Here's What an Eavesdropper Sees when you use an unsecured WiFi. Anybody with access to the Internet's routers or application servers is able to see and soak up your packets as they fly by. I set up my elderly sister's email on earthlink, using an entirely new and unique address and within a week she had so much spam in her inbox that it was hard to see the few emails from me and my nephews and neices and somebody hijacked her account. Insecure pop3 was the culprit here, easy for crackers to filter out packets carrying userids and passwords.

Way before email, texting, and Web 2's social networking Microwave Spying was soaking up trans-oceanic traffic, sometimes with satellites, others by sticking an antenna into the signal between the transceivers on the roof or in the window of a building that just happens to be in the stream. It's more difficult to tap into fiber-optic cables mid-ocean than the copper-wired, but this form of spying over digital circuits has given way to court orders and contracts with long-line and local communications carriers.

(7/24) Here are some links about security issues in application code: Top 25 Most Dangerous Software Errors; SANS provides 20 Critical Security Controls. CyberCiti suggests20 Linux Server Hardening Tips. The study guides for Security+ or other IT Security related certificates provide more detail, are heartily recommended for any student wanting a career in IT.

Lecture Topics:

Quiz #3 Study Questions Note: some of these questions come from the Setup and Secure a Firewall/Server topic...


Projects:

LAN Project: Bill of Details and Network Diagrams for an office LAN

This is 100% an Individual Project. It is not a group or team project. It challenges the most basic, entry level skills in IT. If you can't do the work don't submit anybody else's as your own. Every keystroke and mouseclick should be from the student completing the project, no student should take any portion of the files from another students, an nobody should ever, under any circumstances in their academic career, GIVE any other student their files. Students are welcome to discuss the project with other students, but each of them should be working at their own PC or notebook and never share the files involved. Learning to use Visio and an ability to read and follow instructions are part of this exercise.

Specs are delivered in the memo below and verbally in class and a couple weeks to get questions answered. The network rack for Phantom Resources is put together similar to the DMZ sketched on the board in class, and another sketch is included in the Memo From The Boss just below. Students are asked to get together the purchase orders, a summary of purchases and on-going costs, a floorplan for the premises wiring showing equipment location and location of drops for phones and networked equipment, a detailed diagram showing the jumpering for the PBX/VOIP controller equipment in the rack.

Here's the Memo From The Boss. Read it with a hilighter and come up with an accurate Bill of Details.

The rack-mounted servers should be identical, each rigged with at least three ethernet ports, so that any of them can take over the role of one of the others. The sketch shows these as Secure App Server, Firewall/Proxy/Router, and Backup Server. If one fails, a few changes in jumpers can get the system back quickly. (Could actually be rigged in a cluster so no jumpers need to be changed, propose this if you'd like...) All the machines will be running 'rsynch' rigged to log all updates on the secure app server and firewall to the backup server. In the event of the failure of either, a couple of jumpers can be changed and appropriate services started on the hot backup server so it can quickly take over for the failed machine.

Visio is recommended for the diagrams -- it's free thru the MSDNAA. Don't wimp out and use the Excel or Word drawing tools because they're all you know! The job will be much more difficult since you'll have to invent your own shapes and the diagrams won't be very Pro in appearance. Excel makes it easy to do the Bill of Details (POs, and summaries of up-front and operating expenses). Most students put the final document together in Word and copy/paste the Visio diagrams and Excel bill of details into it. Open Office users can add 'Dia', an open-source, Visio-like, 2D CAD software that plays well with Open Office, but it's not as slick or adapted to as many tasks as Visio. It makes a fine looking drawing, though, and the price is right.

Hand-drawn diagrams, or hand-drawn marks of any kind, are not acceptable.

Here are general requirements for the project.

Here are some Examples of winning projects.

Tips for Pro work:

On the due date, bring a printed copy at the _beginning_ of class where I'll have a heavy-duty stapler, please don't submit your project in a binder of any type.  Send an electronic copy prior to class as one document, preferably not zipped, attached to VCU-originated email to gasaunde-AT-vcu.edu.

Tech Marketplace Brief and Hands On Linux:

Last semester, Project Two, Part 1 was scored from these snapshots of the Progress Pages taken after the deadline. This summer's will be scored the same: Morning, Afternoon.

Approved Topics and Mimimum Requirement for these Technical Briefs.  On the due date, posted on the home page for your class, Bring a printed copy to class, stapled or ready to staple at the upper left corner, no binders please.  Also submit an electronic copy as a single document attached to a VCU-originated email, due before the last class.

The _Outline_ and _References_ are of the essence for this assignment, so please print or copy any pages referenced in your brief. Markup on the pages, using a highliter or any other making device, any facts you've included in your brief. If you read 40 pages of stuff but only use facts from a few pages, copy only those few pages and markup the first of them with the exact url, or publication, with the facts.

Consider the Coding Standards as you work putting your brief, or a pithy abstract of it, on the web. The Instructor offers these standards as an abreaction to getting crappy looking stuff as a response to this project and not being able to dock points for it. Points will be docked liberally for any deviation from these specs. The Rubric for scoring the printed copy is also worth your consideration to earn max points and have a project worthy of your professional portfolio.

Use View -> Source on this example of a winning project to see how easy this can be: This gentleman submitted well-researched briefs of about 6 or 8 pages each, and posted these abstracts on-line. Every deadline was met, and there were a several pages of 'hilited facts' that were very useful in updating this elder geek about these well-known products and manufacturers. No time was wasted on fancy effects, but it reeks of a careful reading of the specs and serves as a clear example. You might want more pizzazz or subtle effects for your web-design portfolio, but this got max points for the class.

A portion of the Hands On Linux portion of the project will be scored automatically and reported on a 'Progress Page'. A 'snapshot' of the page with the contents of students' home directories and web space will be taken at the due date/time and points assigned on what's there. The deadline is of the essence for points on the Progress Page portion of the project. Lab Time in class will be provided, and some students get the required work done in class.

Progress Pages from last semester, Summer's will be set up when needed:

Resources for getting your hands on Linux:

Timely delivery is one of the essential requirements for both these exercises. Progress not demo'd on the class' Progress Pages by the time due will get zero points. Late papers will be docked five points for delivery after the class meeting where they are due and another point deducted for each midnight that passes before delivery.

Printed briefs and references shown at least five days before the last class may be critiqued and scored on the spot in class or in my office, and if re-work would net more points another copy submitted on or before the deadline will be considered as a candidate for full points. Please do not send me anything to review in email, or ask for critique and scoring during the four day period before the deadline.

HOL Due Dates:

See the top of the page for this semester's due dates.


Past Stuff:

Topics will be moved down here where their quiz has passed...

(6/10) Welcome to INFO300! This is the first course after students have decided on an IS major, and is a look into the deeper corners of the IT that makes Information Systems work. It covers vocabulary and fundamental concepts about today's IT Infrastructure that are expected of IS workers, managers, and executives. It also introduces some of the deep technical skills demanded for data & network security, application development, auditing, and other IS & IT careers. Although INFO300 doesn't lead to any specific certification, the course's content appears in several of them. Resolve to get pick up deep technical skills on your way thru our program, they are always in demand.

F I N A L Grades are posted from last semester. This summer's points will be similarly assigned, just crammed into 8 weeks, so please don't get behind...

Pep Talk!

This year's been a slow recovery from tough times for students to find jobs at graduation! I'm seeing lots of students in INFO465 get excellent situations in 2013 There was a brief 'bubble' in 2010 & 11 where just about all 45 of our INFO465 students had a nice job lined up, and maybe these times will come back soon, we're waiting on the results for Spring 2013 now. IS Graduates who can demonstrate 'deep technical skills' get good to excellent situations that will lead to a rewarding career path, starting at $50K, several had at least that in last semester's INFO465. Those who can't sit and demo technical skills, or showcase them in a pro-appearing portfolio, are not getting jobs in IS, or are settling for situations in the low to mid-$40s.

Suggestions to Ace the course: Come to every class; Abandon social networks during classtime; pay attention; take notes!!!; write down any term said or displayed that you don't know and look it up -- this is a vocabulary kind of course, the instructor is always adding to the vocabulary, tries to repeat new terms at least three or four times; ask questions; give testimonials; followup on any new topics using the links for the course; this is all current stuff, google is the IT Pro's friend; Don't hesitate to update the Instructor -- IT's changing quick and some of you are at the front lines, see stuff coming before I do; Take notes -- if you're not taking notes, with a pencil or deft key and/or tablet strokes, you're denying yourself the _haptic connections_ in our occiptal brains that make our most powerful cross-references for recalling details and otherwise learning stuff.

Students who want to be working in 'network security', 'internet security, 'network management', 'application development', or 'business analysis' should already have their hands on the hard and software of the trade. Those wanting a networky career should have, as a minimum, some linux and a few microsoft server instances running in a virtual envionment using VMWare or VirtualBox. These need to be on The Internet, firewalling for a LAN, handling mail and text messaging, running databases, &c. If you're interested in managing IT Infrastructure and don't have hands-on the technology it's high time to get it so you'll have the skills when you've graduated. Any student who is motivated to get a good job at graduation need to be able to do the stuff I demo, and do it better than I do, to get the best situations. I can't recollect any student who showed deep technical skills in my sections of INFO300 and INFO465 and didn't get a job!

All Open Source stuff is freely available and the Windoze software's freely available to an INFO major from VCU's MSDNAA. An enthusiastic exploration of mail and web servers will differentiate you from others who apply but have no hands-on experience or certificates. Some found machine, or one purchased for a few hundred $, can be one of the keys to professionalism in IT. The more cores and RAM, the more virtual machines can be instantiated and deeper tech skills will be learned and demo'd.

Exam Week

The scheduled exam times will be used for the IS Dept's Assessment Test for 5 - 10 points, and either a short Quiz #3 for 20 points or a Comprehensive Final Exam for 40 points.

Exam Schedule:

No variation of the exam times will be permitted except attending another section's scheduled exam time which have been published far in advance so there are no conflicting exam times. Students who cannot arrive within fifteen minutes of the scheduled start times for the exam must use the School's last makeup session from noon thru 4:00 Thursday May 9th.