Information Technology Infrastructure & Security - Fall 2013

Current Stuff thru the Semester:

(8/22) Welcome to INFO300! This is the first INFO course after students have decided on an IS major, is a survey of what's in the IT legacy, the under-girding of Information Systems. INFO300 covers technical vocabulary and fundamental concepts of today's 'IT Infrastructure', with some history and some of what's emerging. The matter of the course is what's expected to be known by those in any of the fields of IS, especially those with their hands on the technology. Topics in INFO300 are valuable preparation for technical certificates, are what's common among the manufacturer-specific certs like MSCE, CCNE, RedHat, or VMWare.

Syllabus & Topic Outline

(8/22) Syllabus with course objectives, textbook info, rules for submitting papers, classroom policy, &c.

Here is a recently updated Topic Outline for the course. The outline is adapted to the links below.

Classroom Behavior

All these topics in the The Provost's Policy apply to this course. Continued arrival to these classes indicates acceptance of these policies for email, honesty, behavior in the classroom & other facets of Faculty, University and Student roles.

In addition to the Provost's rules, the instructor relates that wandering out of and back into the classroom is prohibited. Take care of any personal business before and after class. If some situation arises that you can't ignore, take your stuff and leave, don't come back until the break.

Please silence all ring tones on cellphones or notifications from social media during class. Do not have a smartphone or other device on your lap or otherwise visible during a quiz. Calculators are not allowed, neither are notes or crib sheets.

Grades:

Points for the course come from three quizzes, two projects, and a technical brief. Topics are arranged into three groups below, one for each Quiz. The projects and technical brief are described below, both need updating for this summer so please don't start until they're introduced in class: LAN Project and Tech Marketplace Brief & Hands-on Linux.

The course introduces some of the deep technical skills that are entry-level for careers in data & network security, application development, auditing, and other technical fields. Students will gain some experience with linux at the command line and modelling a network with Visio. These make good entries in a technical portfolio, and those with these skills are likely to find them valuable for getting a foot in the door in front of a sceptical technical interviewer.

Resolve to get pick up deep technical skills on your way thru our program, they are always in demand, and certificates are a good way to open doors to the interview where you'll be asked to demonstrate yours. Although INFO300 doesn't lead to any particular certifications, the course's content is common to many of them. Learn a little more about PCs and get your CompTIA A+ certificate, then learn a little more about networks and security and go for Network+ and Security+. CompTIA certs are affordable and much better than nothing!

F I N A L Grades are posted from last Spring. This semester's points will be similarly assigned, hopefully will see more As & Bs and fewer Ds & Fs.

(8/22) 2013 continues a slow recovery from tough times for students to find jobs in IS at graduation! I'm seeing some students in INFO465 get excellent situations on their way out, but some of them are still looking. There was a brief 'bubble' in 2010 & 11 where just about all 45 of our INFO465 students had a nice job lined up, and maybe these times will come back soon, I'm waiting on the results from Spring and Summer 2013 now. My observation is that IS Grads who can demonstrate 'deep technical skills' always get good to excellent situations that will lead to a rewarding career path, starting at upper-$50K, several had at least that in last semester's INFO465. Those who can't sit and demo technical skills, or showcase them in a pro-appearing portfolio, or show Project Management skills, are not getting jobs in IS, or are settling for situations in the low to mid-$40s.

To Ace This Course, or Any Other

Don't skip classes; Use your computer intelligently during class time, abandon social networks especially if you think I'm boring and talking some new language; Pay attention; Take notes!!! -- Write or key any term said or displayed that you don't know and look it up later -- this is a vocabulary kind of course, the instructor is always adding to the vocabulary, tries to repeat new terms at least three or four times; Ask questions; It looks stupid and is disrespectful to sit in a meeting or lecture and not take notes, it wastes your time and the instructor's or your Boss; Give testimonials; Read the the links for the course & outline them; Google any new words, or combinations of them; Don't hesitate to update the Instructor -- IT's changing quick and some of you are at the front lines, see stuff coming before I do; Take notes!!! -- if you're not taking notes, with a pencil or deft key and/or tablet strokes, you're denying yourself the _haptic connections_ in your brain that make our most powerful cross-references for recalling details and otherwise learning stuff.

Get Your Hands On the Technology

Lots of our students can actually do technical stuff when they go looking for jobs. Lots only attend classes, pass tests, don't get any tech skills, and are shocked when they find out the jobs they want require tech skills and they can't get to or past an interview without them! 'Entry Level Position' doesn't mean 'no skills required' it means 'have at least entry level skills'. Our biggest complaint from a focus group of people who interview our graduates is that some of them apply for jobs for which they do not have entry level skills, they think having a degree in IS is all that's required...

Students who want to be working in network security, internet security, network management, application development, or business analysis should get their hands on the hardware and software of the trade asap! Don't wait, it's already late! You need a couple years' hands on the technology to show up good at a interviews. Those wanting a networky career should have, as a minimum, some linux and a few microsoft server instances running in a virtual envionment using VMWare or VirtualBox and IPTABLES and xinetd firewalls. These need to be on The Internet, firewalling for a LAN, handling mail and text messaging, running databases, &c. If you're interested in managing IT Infrastructure and don't have hands-on the technology it's high time to start so you'll have the skills when you've graduated. Any student who is motivated to get a good job at graduation needs to be able to do the stuff I demo, and do it better than I do, to get the best situations. I can't recollect any student who showed technical curiosity and deep technical skills and didn't get a job! I can recollect lots who got no skills, got out with a 2.0 GPA, and have lots of loans to pay off with no job in IS. IS is a field where you must know _how to do it_, not _about it_ to get into it...

All Open Source stuff is freely available and the Windoze software's also free to an INFO major from VCU's MSDNAA. An enthusiastic exploration of mail and web servers will differentiate you from others who apply but have no hands-on experience or certificates. Some found machine, or one purchased for a few hundred $, can be an important first step to professionalism in IT. The more cores and RAM you can get, the more virtual machines can be hosted, and the more tech skills will be learned and demo'd.

It's a pleasure to see A is the most-earned grade, 28 of them, and 18 Bs! Thru the semester these students have shown me good to excellent skills in the tech at hand, from CAD to the Command Line, and written on their quizzes. They're respectful and attentive in class, take notes, appear to actually read the links and text on the class' page, show they can follow the instructions they read. Students who earn A almost always relate that everything they needed is in the links on this page plus a little googling, and that the links are backed up by lectures that point out what's important. Some of them are Pros already, have certificates, but many Aces are total noobs to the field. They'll likely be at the head of the line for the few jobs available in IT this season or the next. If you count, you'll see the same # of Ds and Fs, bimodal distro, sad to see, but there they are.

Timely Email from a Serious Student

Sir,

I have started trying to answer the quiz review questions and I seem to be having a very difficult time with a lot of these questions. Will we go over some of these questions specifically again even though I know we have discussed a lot already or will be allowed to specifically ask about them? I supposes I am just looking for study tips/advice on how to survive a totally new subject for myself as I feel really behind because of my lack of experience in this subject. I really enjoy the class and I am just very stressed about it.

Response:

Hi,

It might be the first half dozen or so questions in the list for Quiz #1 were for topics that were moved to the end in the topics list. Your difficulty brought them to my attention and I've moved them, and their topic, to Quiz #2 where they sit better, after the 'networking and infrastructure' topics.

The stuff of INFO300 is all around us and we use it all the time, but looking deeper into the tech is like learning a foreign language for most students in the class, and I try to talk as much of it as I can as fast as I can, and see my job in class as introducing the terms as best I can, and then I expect students will read and study outside of class, and suggest all the time that google is your friend for topics in IT. If you'll google on single topics like "csma/cd", or clusters of them, like "t1, t3, oc3" you'll find lots of stuff to interact with and develop your skills finding stuff on google.

Also, I usually start every class by asking "Are there any questions?" so _please_ ask any that aren't answered by your reading, my dry prose, or my lectures and I'll try to answer them.

I hope this helps? It pisses some students off when I say 'google it' but it really is my best advice. Google's my #1 resource for illustrating or learning about anything technical, followed by Amazon and texts or on-line resources for certifications. There may be some disciplines or instructors who don't value google, but for IS it's very valuable.

F I N A L Grades are posted at eServices, should show up later in the day today or tomorrow.

Quiz #3 will be given at the scheduled exam time for each class. Another set of conversions among binary, decimal, and hexadecimal will be offered and the score earned will replace those points from Quiz #2. You may retake Quiz #1 or Quiz #2 and the score you earn will replace the earlier score. An optional cumulative exam with the most difficult questions from the Quiz #1 & #2 material will add 30 points to the total points available and if there is an improvement points will be posted back to Quiz #1 or #2. On any of these tests, if a lower score is earned it will be used to calculate your grade.

Exam times:

(11/12) Tech Marketplace Brief: Topics have been approved. Login Ids and Passwords were assigned, and we started on the Hands-On Linux exercise, working at the command line and using vi.

Due Dates:

Hand-on Linux Progress Pages:

The LAN Project was due in class Oct 31st for the morning and afternoon sections, was due Tuesday Nov 5th for the evening section. The appearance on the _printed pages_ is the essence of this assignment so please print early to make sure the printed copies fill the page and that the details of your drawing are clearly visible. Neatness counts for these.

Points are posted for Quiz #1. Not a bad showing, overall, where As & Bs are the most often occuring grades, but it's distressing to see a third got Ds and Fs. Two of the top scorers don't attend class, otherwise attendance correlates with scores...

Class Meetings & Lectures:

Quiz #1 Topics - IT Infrastructure and Networking

Quiz #2 Topics



Stuff under here is not organized for Fall 2013, may be needed later or in another semester

The Tech Market Brief & Hands On Linux project is underway. Bring any questions to class along with your notebook computer. Due dates: Dlv #1, topic in the right place, Friday the 30th for the day sections and Tuesday 12/5 for the evening. Dlv #2, outline & references in the right place with the right permissions, is due Friday the 7th for all sections. The printed brief with highlighted references is due at the exam time for your class. Websites will be scored Thursday the 13th.

These snapshots were taken after the deadline for Dlv #1: Morning Section; Afternoon Section,

Exam times: Morning - Thursday the 13th 8:00 thru 10:50am; Afternoon - Tuesday the 11th 1:00 thru 3:50; Evening - Tuesday the 11th 7:00 - 9:40 (date corrected 12/4). For the daytime sections, the time will be used for the IS Dept's Exit Exam and retaking a quiz or taking the optional final exam. For the evening section the exam time will be used for Quiz #3 and the IS Dept's Exit Exam.

Exit Exam aka IS Assessment: The exit exam is a 70-item, multiple choice, exam that covers all the topics from INFO300 and is given to all students in the course. Points posted for it will be 'curved', one point for each decile attained relative to the class. So, someone scoring at the 2nd or 3rd decile gets 2 or 3 of 10 points posted, a score at the middle gets 5 points, the top several scores in the section get 10 points. These 'assessment exams' are given by the department to all sections of every course of our technical core. The results are used to compare instructors teaching the same courses, identify knowledge gaps section by section, guage effects of meeting times, and otherwise support decisions about our curriculum. Instructors are asked to make a portion of the final grade dependent on the exit exam to help ensure a best effort by those taking it.

Due Dates: (Need to be updated for Summer '13)

Project Two is to provide an opportunity to do a little work 'server side' at the Linux command line to learn a few unix commands and the vi-Visual Editor to put together a couple or few web pages that exemplify clean xhtml, semantic markup, css, and accessibility. Take time to find a vi or vim tutorial and learn use vi to edit the files in your project.

'Vim' is 'VI iMproved' for PC keyboards, is the ordinary version of vi on most linux distros. The classic 'vi' has no support for arrow or edit keys, works on dumb tubes without these features, so googling 'vi tutorial' might find a reference that leaves out some very useful features of vim. Googling 'vim tutorial' this morning got the definitive tute from OpenVim.Com and an enthusiastic tute at this blog.

Due Dates for HOL and Tech Marketplace Brief:

Project Two

The Tech Brief & Hands-On Linux project is underway. Topics were approved in class on the 4th, no topic will be approved for more than two students in a class. There is only one Tech Marketplace Brief due this semester, not two as in some examples.

Refer to the Coding Standards posted with the Hand-On Linux project. They call for Strict XHTML and pages with centered containers constrained to a max width of 800 or 960px. The marked up references are also very important for the project, more important than the brief, so please be printing and highlighting pages as you discover your facts.

Quiz #3 Topics

  • (11/21) Generations of Programming Languages:
    • 1st is Binary Code for a particular CPU, it may be written directly (rarely), or compiled, assembled, or interpreted.
    • 2nd is Assembler code, has a one-to-one correspondence with Binary Code, uses abbreviations for the binary codes, is run thru an 'assembler' that produces binary machine code.
    • 3rd GL is our more modern programming languages, from ancient ALGOL and FORTRAN, and COBOL thru C# and VB.net.
    • 4th generation languages make many common programming tasks automatic, especially for database and user interface, lots of drag/drop for the 4GL to turn into 3GL.
  • (11/21) Little Man Computer exercise: Machine cycles, instruction set and otherwise expand on the text. First mention of Data Structures, static in RAM of the LMC.
  • (11/21) Software: Types of Software: OS, Utilities, Anti-Virus/Firewall, Programming Languages, DBMS, Application Software single vs. multi-user vs. enterprise, ERP, &c...
  • (11/21) Sketch and discuss the several ways program code gets to the OS Executive from the programmer and some of the tradeoffs involved:
    • 1GL: Is 'Binary Code' for a CPU It is rarely coded directly, except for PAL and other 'microcoded' drivers and patches for our hardware. Binary code is usually the result of assembling a 2GL script or compiling a 3GL script.
    • 2GL: is human-readable 'Assembler Language' appropriate for a CPU like 'x86' or '64K'. There is a nearly one-to-one correspondence between between Binary Code and the Assembly Code for a solution.
    • 3GL: is even more easily human-readable scripting languages. They run thru a Compiler appropriate for the local CPU which outputs Binary coded 'executable', '.exe' files that can be presented to the OS Executive
    • 4GL is usually a powerful GUI that automates the programming of most elements of the interfaces with user and database. Most modern 4GLs produce 3GL scripts 'behind the scenes' as 'designer generated code' . Every clicked or dragged object sets the result into 3GL code while the programmer drags/drops, sets properties, and otherwise groks the IDE.
  • Some 4 GLs are Visual Studio.NET, Java Net Beans and Enterprise Net Beans, Oracle Developer, SB+, PowerBuilder, EClipse, Zend and several other 4GL operating environments. 4GLs have all the objects for interface with users, databases, web services and other tedious programming tasks so that developers can focus on business rules and improving the user interface rather than inventing code for each project. 4GLs 'make the computer the programmer', usually producing 3GL scripts as output from the GUI, then compiling the scripts to binary executable files in a traditional environment or to byte code for middleware like Java or .NET.
  • Middleware like JVM/JRE, .NET, or IBM's SLIC runs the 'byte code' compiled for the middleware and passes it to the executive
  • Uncompiled 'open source' scripts are 'interpreted' by an 'interpreter' like PHP, Perl, Ruby, or Python. There is no 'compiled code' or 'byte code' to obfuscates a customer's view of the source code and the interpreter reads the source code and puts binary code to the OS Executive practically 'a line at a time'. While noticeably slower than traditional compiled code in the old days, modern interpreters are very quick, lightweight, scale well, and provide a high degree of 'platform independence' because the interpreters have been adapted to RISC, CISC, Windoze, and *ix.
  • Demo Administrative Scripting, backup script to encrypt and transmit to remote site, &c...
  • An historical view of Data Structures & Algorithms for processing them Sequentially and Directly. Underlying data structures, mostly indexes, allow DBMS to fetch desired records from huge databases instantly...
  • Linux and Network Security

    (12/3) Demo a Secure LAMP Stack at RackSpace.

    IT Security and Professional Standards

    (12/3) Any discussion of Software these days needs to start with the admonitions that security should be _designed_ into systems, that it's not always feasible to _add_ security to a system without it, and that a system's first security breach may result in the failure of the system's owners' enterprise or organization. As at 2012, IT Professionals have developed a legacy of standards and recommendations for securing and operating information systems -- ignorance of them is no defence against blame or liability claims when a system is robbed of 'sensitive' data or it is otherwise lost or corrupted.

    Most security breaches are the fault of application software, not the operating system. For example: WordPress, the heart of more than 300,000 of the blogosphere's engines, has had a recent spate of vulnerabilities in the add-on applications available for WordPress which made inappropriate disclosure of personal information or allowed destruction or defacement of the stuff of blogs.

    Windoze and the *ixes (Linux & proprietary unix) all provide super-adequate capabilities for securing an application environment's OS, DBMS, EMail and Web servers. But much of a typical application environment's security is provided by the application software.

    Most of the 'vulnerability' in systems today comes from poorly designed or detailed application software that fails to provide 'access control', 'non-repudiation', 'version control', 'authentication & authorization' or other key components of system security.

    Current Issues in IT Security

    (12/3) Prism and Upstream are two recent NSA projects to collect every shred of data stored or transmitted on-line and phone calls overseas + what's 'tapped' onshore. This Massive Data Center in Utah is coming up in phases to keep it all indefinitely. The NSA provides an excellent pdf, Defense In Depth, a practical guide to IT security.

    The NSA's not the only outfit snooping your Web traffic. Here's What an Eavesdropper Sees when you use an unsecured WiFi. Anybody with access to the Internet's routers or application servers is able to see and soak up your packets as they fly by. I set up my elderly sister's email on earthlink, using an entirely new and unique address and within a week she had so much spam in her inbox that it was hard to see the few emails from me and my nephews and neices and somebody hijacked her account. Insecure pop3 was the culprit here, easy for crackers to filter out packets carrying userids and passwords.

    Way before email, texting, and Web 2's social networking Microwave Spying was soaking up trans-oceanic traffic, sometimes with satellites, others by sticking an antenna into the signal between the transceivers on the roof or in the window of a building that just happens to be in the stream. It's more difficult to tap into fiber-optic cables mid-ocean than the copper-wired, but this form of spying over digital circuits has given way to court orders and contracts with long-line and local communications carriers.

    Here are some links about security issues in application code: Top 25 Most Dangerous Software Errors; SANS provides 20 Critical Security Controls. CyberCiti suggests20 Linux Server Hardening Tips. The study guides for Security+ or other IT Security related certificates provide more detail, are heartily recommended for any student wanting a career in IT.

    Lecture Topics:

    Quiz #3 Study Questions Note: some of these questions come from the Setup and Secure a Firewall/Server topic...


    Projects:

    LAN Project: Bill of Details and Network Diagrams for an office LAN

    This is 100% an Individual Project. It is not a group or team project. It challenges the most basic, entry level skills in IT. If you can't do the work don't submit anybody else's as your own. Every keystroke and mouseclick should be from the student completing the project, no student should take any portion of the files from another students, an nobody should ever, under any circumstances in their academic career, GIVE any other student their files. Students are welcome to discuss the project with other students, but each of them should be working at their own PC or notebook and never share the files involved. Learning to use Visio and an ability to read and follow instructions are part of this exercise.

    Specs are delivered in the memo below and verbally in class and a couple weeks to get questions answered. The network rack for Phantom Resources is put together similar to the DMZ sketched on the board in class, and another sketch is included in the Memo From The Boss just below. Students are asked to get together the purchase orders, a summary of purchases and on-going costs, a floorplan for the premises wiring showing equipment location and location of drops for phones and networked equipment, a detailed diagram showing the jumpering for the PBX/VOIP controller equipment in the rack.

    Here's the Memo From The Boss. Read it with a hilighter and come up with an accurate Bill of Details.

    The rack-mounted servers should be identical, each rigged with at least three ethernet ports, so that any of them can take over the role of one of the others. The sketch shows these as Secure App Server, Firewall/Proxy/Router, and Backup Server. If one fails, a few changes in jumpers can get the system back quickly. (Could actually be rigged in a cluster so no jumpers need to be changed, propose this if you'd like...) All the machines will be running 'rsynch' rigged to log all updates on the secure app server and firewall to the backup server. In the event of the failure of either, a couple of jumpers can be changed and appropriate services started on the hot backup server so it can quickly take over for the failed machine.

    Visio is recommended for the diagrams -- it's free thru the MSDNAA. Don't wimp out and use the Excel or Word drawing tools because they're all you know! The job will be much more difficult since you'll have to invent your own shapes and the diagrams won't be very Pro in appearance. Excel makes it easy to do the Bill of Details (POs, and summaries of up-front and operating expenses). Most students put the final document together in Word and copy/paste the Visio diagrams and Excel bill of details into it. Open Office users can add 'Dia', an open-source, Visio-like, 2D CAD software that plays well with Open Office, but it's not as slick or adapted to as many tasks as Visio. It makes a fine looking drawing, though, and the price is right.

    Hand-drawn diagrams, or hand-drawn marks of any kind, are not acceptable.

    Here are general requirements for the project.

    Here are some Examples of winning projects. Please note: The examples do not show the separate purchase orders required for this semester's project.

    Tips for Pro work:

    On the due date, bring a printed copy at the _beginning_ of class where I'll have a heavy-duty stapler, please don't submit your project in a binder of any type.  Send an electronic copy prior to class as one document, preferably not zipped, attached to VCU-originated email to gasaunde-AT-vcu.edu.

    Tech Marketplace Brief and Hands On Linux:

    There a few parts to this project: Learning to work at the command line on a Linux server, learning to use vi-Visual Editor, collecting facts on-line or in the library and organizing them into an outline for a technical brief, putting the tech brief on-line to exemplify semantic markup and accessibility, and submitting the brief on paper with the list of references.

    Approved Topics and Mimimum Requirement for these Technical Briefs.  On the due date, posted on the home page for your class, Bring a printed copy to class, stapled or ready to staple at the upper left corner, no binders please.  Also submit an electronic copy as a single document attached to a VCU-originated email, due before the last class.

    The _Outline_ and _References_ are of the essence for this assignment, so please print or copy any pages referenced in your brief. (Except wikipedia pages, please find other pertinent references, too!) Mark up the pages with facts, using a highlighter to point out facts you've included in your brief. Don't submit pages without facts, for example if you read 10 pages of stuff but only use facts from a few pages, copy only those few pages. Be sure to show the exact url or publication where the facts were found.

    Consider the Coding Standards as you work putting your brief, or a pithy abstract of it, on the web. The Instructor offers these standards as an abreaction to getting crappy looking stuff as a response to this project and not being able to dock points for it. Points will be docked liberally for any deviation from these specs. The Rubric for scoring the printed copy is also worth your consideration to earn max points and have a project worthy of your professional portfolio.

    Use View -> Source on this example of a winning project to see how easy this can be: This gentleman submitted well-researched briefs of about 6 or 8 pages each, and posted these abstracts on-line. Every deadline was met, and there were a several pages of 'hilited facts' that were very useful in updating this elder geek about these well-known products and manufacturers. No time was wasted on fancy effects, but it reeks of a careful reading of the specs and serves as a clear example. You might want more pizzazz or subtle effects for your web-design portfolio, but this got max points for the class.

    A portion of the Hands On Linux portion of the project will be scored automatically and reported on a 'Progress Page' so you can see if you've got the right things in the right place with the correct permissions. A 'snapshot' of the page with the contents of students' home directories and web space will be taken at the due date/time and points assigned on what's there. The deadline is of the essence for points on the Progress Page portion of the project. Lab Time in class will be provided, and some students get the required work done in class.

    The text at the top of each Progress Pages tells where to place each of the required directories and files and how to set their permissions:

    Resources for getting your hands on Linux:

    Timely delivery is one of the essential requirements for both these exercises. Progress not demo'd on the class' Progress Pages by the time due will get zero points. Late papers will be docked five points for delivery after the class meeting where they are due and another point deducted for each midnight that passes before delivery.

    Printed briefs and references shown at least five days before the last class may be critiqued and scored on the spot in class or in my office, and if re-work would net more points another copy submitted on or before the deadline will be considered as a candidate for full points. Please do not send me anything to review in email, or ask for critique and scoring during the four day period before the deadline.

    HOL And Tech Brief:

    See the top of the page for this semester's due dates.


    Prior Topics:

    Topics will be moved down here when their quiz has passed...

    Exam Week

    The scheduled exam times will be used for the IS Dept's Assessment Test for 5 - 10 points, and either a short Quiz #3 for 20 points or a Comprehensive Final Exam for 40 points.

    Exam Schedule:

    No variation of the exam times will be permitted except attending another section's scheduled exam time which have been published far in advance so there are no conflicting exam times. Students who cannot arrive within fifteen minutes of the scheduled start times for the exam must use the School's last makeup session from noon thru 4:00 Thursday May 9th.