E-LEARNING platforms have become largely widespread

Transcription

1 302 IEEE TRANSACTIONS ON EDUCATION, VOL. 50, NO. 4, NOVEMBER 2007 Learning Computer Networking on Open Paravirtual Laboratories Marco Anisetti, Valerio Bellandi, Alberto Colombo, Marco Cremonini, Ernesto Damiani, Member, IEEE, Fulvio Frati, Joêl T. Hounsou, and Davide Rebeccani Abstract Learning practical information communication technology skills such as network configuration and security planning requires hands-on experience with a number of different devices which may be unavailable or too costly to provide, especially for institutions under tight budget constraints. This paper describes how a specific open software technology, paravirtualization, can be used to set up open source virtual networking labs (VNLs) easily and at virtually no cost. The paper highlights how paravirtual labs can be adopted jointly by partner organizations, e.g., when the institution hosting the virtual lab provides hands-on training and students skill evaluation as a service to partner institutions overseas. A practical VNL implementation, the open virtual lab (OVL), is used to describe the added value that open source VNLs can give to e-learning frameworks, achieving a level of students performance comparable or better than the one obtained when students directly interact with physical networking equipment. Index Terms e-learning, open source, virtual lab, virtualization. I. INTRODUCTION E-LEARNING platforms have become largely widespread among educational institutions worldwide, especially as a support to Information Technology degree courses. Video lessons, online exercises, didactic forums, and computer-supported interaction with tutors and teachers are now a standard part of many online degree courses. However, most learners require reinforcement tools to increase retention of the course material and advance the learning process. Some practical skills can only be mastered via interactive experience [1], which is not always easy to provide within a traditional e-learning platform. In Information and Communication Technology (ICT) undergraduate curricula, learning network configuration, management, and security-related skills involves hands-on experience with a number of different devices which may be unavailable or too costly to provide for institutions under budget constraints. A number of software tools and environments have been developed to help users to share distributed laboratory resources and realize virtual experiments. Still, ongoing discussions about offering lab-based courses via distance education show that most university instructors Manuscript received January 9, 2007; revised June 18, This work was supported in part by the Italian Ministry of Research under FIRB Contracts RBNE05FKZ2_004 TEKNE and RBNE01JRK8_003 MAPS. M. Anisetti, V. Bellandi, A. Colombo, M. Cremonini, E. Damiani, F. Frati, and D. Rebeccani are with the Department of Information Technology, University of Milan, Crema (CR), Italy ( [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]; [email protected]). J. T. Hounsou is with the Institut de Mathématiques et de Sciences Physiques, BP 613, Porto-Novo, Bénin ( [email protected]). Digital Object Identifier /TE consider this option impossible or ineffective [2]. As a consequence, relatively few universities offer lab-based courses to remote ICT students. virtual networking lab (VNL) technology has been recently proposed as a solution to this problem. VNL products are software platforms aimed at providing hands-on experience with commercial computer networks, such as a Cisco production network or a Microsoft-based network infrastructure. Experience in vocational courses [3] has shown that VNLs are extremely valuable in reinforcing learning in all methods of delivery; therefore, they are increasingly used within certification programs run by network equipment vendors. However, commercial VNLs also present several disadvantages, which prevent their large-scale adoption by universities. First, most commercial VNLs focus on the nuts and bolts of the equipment of a specific vendor, rather than on improving the students understanding of the general principles behind network equipment operation and use. Second, and perhaps more importantly, VNLs are often distributed as closed source, under licenses which relate the operational cost to the number of users, forcing institutions to budget based on the number of students rather than on available resources. Finally, commercial VNLs require powerful computational resources as they strive to provide live interaction with simulated network equipment. Therefore, their hosting costs must be considered. These three factors are likely to prevent the adoption of commercial VNLs wherever 1) software and hardware costs are a major issue; and 2) the number of students is high, a frequent scenario in developing countries. In this paper, an open source software platform is exploited to design and implement a distributed architecture for VNLs, the open virtual lab (OVL). OVL is a complete network training environment based on device virtualization, accessible via a standard Web browser. A. Research Contributions The present paper shows how a specific open software technology, paravirtualization, can be used to set up VNLs effectively, easily, and at virtually no cost. More specifically, the paper addresses the following research issues. The paper introduces the paravirtualization technique in a virtual lab context and explains why paravirtual, open source lab environments for computer networking are viable alternatives to commercial VNLs and to lab environments fully virtualized at the hardware level. The paper describes the architecture of an open source VNL and shows how it can be adopted jointly by partner organizations so that an organization can make the VNL available as an (affordable) service to its partners. A case study is presented showing how this technique has been /$ IEEE

2 ANISETTI et al.: LEARNING COMPUTER NETWORKING ON OPEN PARAVIRTUAL LABORATORIES 303 used in a cooperation between the Department of Information Technology, University of Milan, Italy, and the Institut de Mathématiques et de Sciences Physiques of the University of Benin, West Africa. The paper claims that OVL can be used to achieve the same level of students performance in practical laboratory activities normally obtained when students directly interact with physical networking equipment. This claim is substantiated by students performance data collected in two Network Security courses, held respectively in the online and in the traditional edition of the University of Milan s degree on Information Systems and Network Security, run from September to November Results strongly suggest that open source virtual laboratories are a valid alternative to real laboratories in many ICT teaching scenarios. The paper is organized as follows. Section II gives an overview of software and hardware virtualization techniques, and Section III discusses related work on virtualization in e-learning environments. Then, Section IV generally describes OVL open technology, while Section V shows two key aspects of this approach, presenting OVL as a product and as a service. Finally, Section VI describes two teaching cases highlighting OVL s impact in a computer science undergraduate degree. Examples include how to build a network of virtual machines to simulate network traffic, how to configure firewalls and routers, and how to avoid and to protect a system by network attacks and threats. II. VIRTUALIZATION TECHNIQUES A. Different Approaches to Virtualization In the 1960s, IBM first introduced the virtualization concept to describe how different operating systems could coexist on the same mainframe computer. Today, virtualization has become a widespread technique for software testing, dynamic provisioning, real-time migration, high availability, and load balancing [4]. Hardware virtualization technologies have become available, such as Intel s virtualization technology (VT) and Advanced Micro Devices Secure Virtual Machine (SVM), that enable a single processor to act as if several processors were working in parallel; this approach allows multiple operating systems to run at the same time on the same machine. Processors offering hardware-based virtualization, however, do not tackle the problem of virtualizing I/O subsystems. Software virtualization platforms run multiple virtual systems on the same processor in such a way that virtual systems are isolated from each other [5]. In a software virtualization platform, all virtual systems run on top of a virtual machine monitor (VMM), which interposes an indirection layer between the operating system, running on each virtual machine, and the underlying hardware [6]. The VMM virtualizes physical system resources (memory, disks, processors, network devices) and allocates them to virtual machines instances. Software virtualization techniques can be classified into three main categories. Full virtualization is an approach to create a virtual execution environment for running unmodified operating Fig. 1. Xen system layers. system images, fully replicating the original guest operating system behavior and facilities on the host system. The most currently well-established virtualization platforms, such as VMWare, Bochs, and QEMU, are based on the full-virtualization approach. Containers is an approach based on a single operating system kernel, enhanced by setting up walls that offer increased isolation among groups of processes; in particular, containers provide the ability to run multiple virtualized operating system instances on a single instance of the real operating system. This approach has been implemented by Sun s Solaris v10 operating system and by SwSoft s virtualization framework Virtuozzo [7]. Paravirtualization is an approach addressing the performance problems typical of full virtualization without attempting to replicate exactly the guest environment original behavior. This approach requires the guest operating system to be modified to run in the paravirtualized environment [4]. Patching modifies guest systems, redirecting virtualization-sensitive operations directly to the VMM, instead of trapping to the operating system as found in pure hardware virtualization. Paravirtualization is not a panacea; this approach may require substantial engineering efforts for modifying and maintaining guest operating systems. Paravirtualization suitability for teaching oriented VNLs will be discussed in detail in Section IV. Paravirtualization platforms include parallel workstations (PW) and Xen. PW is a commercial software, mainly used as a desktop virtualization solution. Xen, the open source paravirtualization framework underlying OVL, is better described in Section II-B. B. Xen Overview Xen is a virtual environment developed by the University of Cambridge [4], [8] and released under the GNU GPL license. Xen s VMM, called hypervisor, embraces the paravirtualization approach in that it supports x86/32 and x86/64 hardware platforms, but requires the guest operating system kernel to be ported to the x86-xenon architecture [4]. However, when hardware support for virtualization is available, Xen can run unmodified guest kernels, coming closer to the full virtualization approach. A Xen system is composed by multiple software layers (Fig. 1). Individual virtual execution environments are called domains. Xen s hypervisor [4] manages the scheduling operation related to the execution of each domain, while each guest

3 304 IEEE TRANSACTIONS ON EDUCATION, VOL. 50, NO. 4, NOVEMBER 2007 operating system manages the VM application scheduling. During system boot, a domain with special privileges, called Domain 0, is automatically created. Domain 0 can initialize other domains (DomUs) and manage their virtual devices. Most management and administration tasks are performed through this special domain. Xen s current usage scenarios include kernel development, operating system and network configuration testing, server consolidation, and server resources allocation. Several hosting companies have recently adopted Xen to create public virtual computing facilities, i.e., Web farms capable of flexibly increasing or decreasing their computing capacity. On a public virtual computing facility, customers can commission one, hundreds, or even thousands of server instances simultaneously, enabling Web applications to automatically scale up or down depending on computational needs. III. RELATED WORK Most early papers about virtual laboratories described virtual devices implemented using simulation software, such as Matlab, often coupled with Simulink [9]. These early papers addressed other branches of engineering than ICT. For instance, in [10], the authors present a Web-based tool for training microwave engineering students in analog filters design. Some interesting Web-based tools were developed in the framework of European projects, such as the Leonardo Da Vinci Pilot Project Virtual-Electro-Lab [11]. A Web-based virtual laboratory is presented by Garcia and Alesanco in [12], this time in the field of cache memory management. Garcia s virtual laboratory includes Web-based educational material and some interesting Web-based cache memory simulation programs. More recently, researchers working on virtual laboratories have become aware of the need to avoid close links with proprietary operating system platforms, and virtual laboratories have been increasingly based on Java software technology [13]. Closer to the topic of this paper, the work [14] presents an early Web-based environment for network management which can be used by students training on Web-based network administration via the Simple Network Management Protocol (SNMP). Works by Hu et al. [15], [16] develop this idea toward a complete training system for Information Technology courses, named Telelab, that provides to students a pool of virtual machines configured ad-hoc for particular security exercises. All these approaches to virtual laboratories, however, do not put students fully in control of the virtual system. Moreover, they focus on a very specific field or even on a particular subject. Their narrow scope may impair open experimentation and one-on-one interaction, which represents an important learning opportunity for university students. As mentioned in Section I, many commercial VNLs are now available, aimed at providing hands-on experience on specific network products, such as a Cisco-powered production network. For instance, the MIMIC virtual lab creates a very realistic VNL including a network of Cisco routers and switches. The Sybex virtual lab is a Cisco-compatible router simulator designed to follow along with the Todd Lammle et al. well-known instructional book on network configuration [17]. A more general approach has been taken by companies, such as Surgient and Akimbi, which offer general purpose VNLs for testing and evaluating software. Both Surgient and Akimbi allow easy-to-setup and run configurations involving virtual machines (VMs) running on multiple servers. They also provide tools to configure new VMs quickly and add them to (or remove them from) running configurations. Surgient and Akimbi offer the critical ability of taking snapshots of active configurations. Snapshots are used to capture load-dependent error situations, to be sent to engineers for examination and bug repair. Engineers can fire up the snapshot and start stepping through its execution to re-create the problem. Surgient also offers a slight modification of its VNL oriented to creating custom software demonstrations. Using Surgient VNL, salespeople can assemble configurations that are relevant to specific customers and deploy them on remote hosts. Other software vendors have followed a distinct, though-related line of research, developing virtual environments for application-level (as opposed to network-level) user training. VirtuoPro, based on VMware ESX3 technology, supports VMs management for business critical applications. However, VirtuoPro cannot be used as a general-purpose training environment as this system supports a restricted number of network configurations which are of interest for application support. Most of the VNLs mentioned above have a different focus from teaching, even if teaching is mentioned among their potential applications. Also, they mostly rely on proprietary technology and are distributed as closed source. An approach much closer to the one described in this paper has been recently taken by an open source project called manage large networks (MLNs). MLNs is a virtual machine administration tool designed to build and run virtual machine networks based on Xen and User-Mode Linux. MLNs is, however, not exclusively focused on education, as described by its authors as an ideal tool for creating virtual network labs for education, testing, hosting or simply playing around with Linux. To the best of the authors knowledge, however, no evidence has been collected of MLNs impact on any concrete teaching application. Finally, the network simulation tool Packet Tracer [18], distributed by Cisco and exploited during Cisco Academic Network courses, permits the simulation of the behavior of real systems and allows students to explore and configure the network using Cisco components and interfaces. This tool proposes exercises as wizards that follows the students during the network configuration, indicating a starting network topology and some final objectives to reach. Differently from the OVL approach, Packet Tracer is available only to Cisco Network Academy courses attendees and is focused only on Cisco-based equipment. To summarize, Table I provides a comparison among VLN frameworks highlighting which tools allow for simulation of a local heterogeneous network or supply specifications for an exhaustive set of network components, and which one integrates a graphical user interface (GUI) for network administration, providing a short description of the main learning services provided.

4 ANISETTI et al.: LEARNING COMPUTER NETWORKING ON OPEN PARAVIRTUAL LABORATORIES 305 TABLE I COMPARISON BETWEEN VLN FRAMEWORKS IV. PARAVIRTUALIZATION AND E-LEARNING: THE OVL APPROACH The OVL project started from the need to give to students of the online degree in Information Systems and Network Security of the University of Milan a complete training environment for distributed programming and network configuration. The online B.Sc. degree in Information Systems and Network Security is an e-learning initiative started by the University of Milan in the academic year This initiative consists in offering the B.Sc. degree in Information Systems and Network Security (established in 2003) not only in the traditional way (i.e., based on ordinary classroom lectures and laboratories) but also via an online e-learning platform, allowing students to choose each year their preferred learning strategy. Online students are required to come to the campus only to take their examinations. Today, the online B.Sc. degree in Information Systems and Network Security involves more than 300 undergraduate students, while around 400 are enrolled in the traditional version. According to the University of Milan s teaching policy, contents provided and skills to be achieved in the online version of a degree must be the same as the traditional version, and no formal distinction is allowed between the degree awarded in the two cases (i.e., as seen by prospective employers). For the sake of conciseness, this paper shall not attempt to give a complete description of the online B.Sc. degree in Information Systems and Network Security; its main aspects, including the adopted teaching model, the e-learning platform, and the characteristics of the student population have been reported in [19]. Here, OVL is currently used to provide every student enrolled in the online B.Sc. degree with a personal virtual machine comprehensive of compilers, network configuration tools, firewalls, etc. A major OVL requirement is therefore continuity. Since each student is entitled to full administrator privileges and has the right to modify a configuration, the same virtual machine must follow him or her during and beyond his or her time on campus. However, diversity is needed; the virtual machine must be customized and upgraded, depending on the courses each student will choose to follow. Furthermore, each student may need to access a number of additional devices. While the continuity requirement can be satisfied by any virtual environment, the need for diversity naturally leads to paravirtualization, which straightforwardly supports a diverse set of guest operating environments. 1 1 In principle, one might object that paravirtualization, interposing a software hypervisor between the hardware and the guest systems, could impair their performance. However, this objection does not apply to teaching-oriented VNLs, where performance is not a key issue. V. OVL KEY ASPECTS As already mentioned, OVL is currently deployed as the main VNL supporting the University of Milan s online degree on Information Systems and Network Security. Furthermore, OVL has been used in a number of international cooperations with foreign universities. OVL s current implementation supplies each remote student with a Linux virtual machine accessible via secure connections. Every student has access to his or her own personal virtual machine with full administrator privileges; in other words, each user has full control of his or her virtual machine and can perform any type of configuration operation. In this way, OVL allows students to make experience real on system configuration, system security, and network programming tasks, giving them full administrator privileges. Also, OVL is an open environment that can be operated at low cost and freely shared with a partner institution. OVL is based on Xen (Section II-B), a paravirtualization approach, and provides to each user a complete Linux-based system image. Also, OVL allows for setting up virtual Internet networks, e.g., connecting the virtual machines of students belonging to the same class. This feature allows students to experiment with network programming (socket library, Remote Procedure Calls, etc.) and to set up their own client-server applications in a virtual network environment. OVL s full support for network programming and middleware is a distinctive feature with respect to commercial virtual laboratories, which focus more on network equipment configuration than on distributed application development. OVL supports two adoption models: OVL as a product, i.e., OVL distributed and adopted as a Xen-based open source environment; and OVL as a service, showing how OVL can be shared with students and teachers from partner institutions. In both models, costs are mostly related to hosting the environment or purchasing the hardware for running it, since OVL is entirely open source software without any license charge. In OVL, each virtual machine is represented by an image of its operating system and the included software. When configuration changes on a set of virtual machines are needed, OVL administrators can operate via the OVL administration interface (OVL-AI). In particular, OVL s design is focused on supporting scale-up and scale-out operations [20]. In a scale-up approach, the system is expanded by adding more devices to an existing node; in OVL, this action consists in modifying the configuration of every single virtual machine adding, for example, more processors, storage and memory space, or network interfaces, depending on students/teachers needs in a par-

5 306 IEEE TRANSACTIONS ON EDUCATION, VOL. 50, NO. 4, NOVEMBER 2007 ticular teaching situation. For instance, exercises about firewall or router configuration require students virtual machines to be modified including multiple network interfaces; OVL-AI supports this process as a simple drag and drop from the resource panel to the configuration panel. Instead, in a scale-out approach, the system is expanded by adding more nodes. In this case, the number of available virtual machines can again be increased (or reduced) easily by OVL-AI. This operation will be beneficial, for example, when new students join or when students leave or finish the online course. From an educational perspective, OVL offers teachers and students some unique features. First of all, simplicity: access to OVL s virtual machines requires only a low-bandwidth dial-up connection with a common client. Students have full administrator privileges on their virtual machines and are allowed to perform any kind of system configuration task. In this way, students using OVL can be asked to solve network configuration exercises (Section VI-B); alternatively, they can be faced with real network problems (Section VI-C) and find the solution by discussing among themselves, requiring only nominal supervision. Also, students can freely exercise on distributed programming, taking advantage of all virtual machines owned by students of the same academic year who are gathered together in the same subnet, allowing cooperation and work group exercises. OVL can also be adopted as a service to partner institutions. Teachers can control and verify students work by connecting to OVL and accessing the corresponding virtual machine (Section VI-C). OVL can export its functionalities in two ways: by services export and on demand configuration. A. Hardware and Software Requirements Intuitively, OVL hardware requirements are essentially two: a storage unit large enough to give a complete software development environment to all students, and enough RAM memory to manage hundreds of virtual machines at the same time. Fortunately, both these requirements can be met remaining within the limits of a tight budget. Specifically, OVL s VMM is deployed on a Fujitsu Siemens Primergy RX-300 S2 with two Intel Xeon EM64T CPUs at 3.20 GHz, 8-Gb RAM memory, and four 300-Gb SCSI U320 hard disks in RAID 5. This server is connected to the Department of Information Technology s internal network with a Broadcom Corporation NetXtreme BCM5721 Gigabit Ethernet PCI network interface. OVL s firewall is implemented on a separate machine to improve system security from external attacks and to preserve virtual server performance. The firewall machine has the following features: a Fujitsu Siemens Primergy RX-100 S2 with an Intel Pentium IV CPU at 3.00-GHz, 1-Gb RAM memory and two 80-Gb SATA hard disks. The firewall is connected to the University of Milan s Intranet with an Intel GI/PI Gigabit Ethernet network interface. The implementation of OVL s virtual machines required some additional considerations. First, each virtual machine has to be an efficient, isolated duplicate of a real machine [21]. In other words, every virtual machine must work in a sealed environment, insulating its disks and memory address space and protecting system integrity from VM failures. Second, Fig. 2. Communications between virtual machines and the external net. all virtual machines must support a complete and up-to-date operating system in order to give students all the instruments needed to carry out administration tasks and develop simple programs. While paravirtualized VMM can, in principle, support a diverse set of guest operating systems, some hardware constraints, in particular the 64-b server architecture, restrict the range of acceptable guest kernels. OVL s virtual machines are implemented on the Gentoo Linux distribution. Gentoo [22] has some distinctive characteristics that fit needed requirements. First, a major feature of Gentoo distribution is its high adaptability, because of a technology called Portage. Portage performs several key functions: software distribution, that permits developers to install and compile only the needed packages that can be added at any time without reinstalling the entire system, package building and installation, that allows building a custom version of the package optimized for the underlying hardware; and automatic updating of the entire system. Second, Gentoo supports 64-b hardware architectures and implements the Xen environment in full. Finally, Gentoo is an open source system, distributed under GNU General Public License. In the current OVL environment, each student accesses his or her own virtual machine using a secure client connected directly to the OVL firewall on a specific port number (computed as ) (Fig. 2). Based on the source port, the OVL firewall forwards the connection to the corresponding virtual machine. Fig. 2 shows how the student whose is equal to 1 gains access to the firewall. Based on the student s port number, firewall rules forward the incoming connection to the local IP that identifies the student s own virtual machine. Looking at the example in Fig. 2, the incoming communication on port is forwarded to the local IP address on port, therefore to virtual machine. B. OVL Administration Interface The OVL-AI module lies at the core of the OVL environment. OVL-AI enables simple management of the entire system via a straightforward Web interface. OVL-AI provides a simplified procedure for the creation, configuration, and disposal of single virtual machines, or pools of virtual machines. Configuration is performed by choosing visually the simulated hardware cards

6 ANISETTI et al.: LEARNING COMPUTER NETWORKING ON OPEN PARAVIRTUAL LABORATORIES 307 to be inserted in each virtual machine. OVL-AI has been implemented following a multitiered approach. Namely, OVL-AI relies on AJAX on the client-side, on PHP on the server-side, and on Bash, for the interaction with the OVL server s operating system. VI. CASE STUDIES OVL s impact on ICT teaching will now be illustrated by means of two different case studies. The first case study, Case Study A (Section VI-B), works with a third-year course of Network Security of the University of Benin, B.Sc., in telecommunication engineering. In this case study OVL has been used to give to a partner institution s students the possibility of training in advanced network management at practically no cost for their home institution. The second case study, Case Study B (Section VI-C), works with a third year course of Network Security of the University of Milan s online degree on System and Network Security. This degree belongs to the B.Sc. degree class, Computer Science and Technology. With respect to standard computer technology degrees, this degree introduces a number of practical, hand-on courses on computer security. This case study presents some evidence suggesting that online students using OVL acquired the same or better practical skills than the ones attending traditional laboratory courses, which require access to real network equipment. A. Learning Strategies The two case studies take into consideration two different underlying learning strategies. In the Benin case, a skill oriented strategy was adopted. Students worked in a close environment with fixed learning objectives, i.e., the configuration of a simple network, and completed an online examination presenting a solution that they tested using the OVL. In the Case Study B, a complete learning strategy has been exploited. The teacher gave students the opportunity to explore freely the virtual environment, to try all the configurations they wished, and to prepare a traditional final examination. Such a strategy allowed the emergence of leaders and most skilled students, that start discussions in forum and can help other students in a particular situation, without the participation of the tutor. In traditional classrooms, leaders remain hidden; their emergence is more difficult; and the contribution to the student community is lower. In particular, the leader emergence was notable and measured looking at the didactic forum of the Network Security course of the online degree, where OVL was proposed to supply students a complete environment in which to train on distributed programming. Looking at posted messages for arguments strictly related to the part of course that treated distributed programming and starting from the basis of 35 students that passed the final examination and from 91 forum posts, a total of 68 messages (74%) was posted by only seven students (20%), approximating the 80:20 Pareto Rules. Such a behavior has been noticed looking at the number of follow up 2 messages (73%) and to the number of direct answers to tutor questions (75%). 2 Follow up messages are those that continue a discussion generated by tutors or students. Fig. 3. Network topology example. B. Case Study A This case study shows an exercise proposed to a group of students of the Institut de Mathématiques et de Sciences Physiques 3 (IMSP), located in Benin, a small country of West Africa. The exercise was proposed as a final examination for the Network Security short course for students majoring in Telecommunications. IMSP short courses are organized as teaching missions lasting one week. Each teaching mission is composed of two professors from overseas who alternate in teaching their (different) subjects. Normally, the morning (4 hours) is devoted to one subject, and the other is taught in the afternoon so that each course includes 20 teaching hours. In this case study, the course of Network Security was delivered by one of the authors of this paper, alternating with a database course taught by a colleague. After the end of the teaching mission, students were left with some laboratory exercises to be completed under the guidance of local teachers. The laboratory scenario with which IMSP students were faced can be quickly described: a few obsolete workstations, all of them with a single network interface. This kind of configuration does not allow students to train in firewall or router configuration, since configuration exercises require at least one server station with two or more network interfaces and a good network connection. OVL provided an effective solution to this problem. Students could remotely connect to a pool of virtual machines, all configured with three network interfaces. Each virtual machine could act as firewall, router, or client, over which students can make any kind of network configurations simulating a real complex network environment. Local teachers could refer to one of the authors of this paper for troubleshooting the environment when needed. In the following, the laboratory exercise left to the students, and the solution given by a student group are briefly discussed. 1) Exercise Text: Consider the network topology shown in Fig. 3. Provide the shell script that configures the firewall implementing the following rules. Permit HTTP and connections. Permit passive FTP traffic. Grant SMTP flow only to hosts belonging to the subnet 10.0.X.0/ available in French only.

7 308 IEEE TRANSACTIONS ON EDUCATION, VOL. 50, NO. 4, NOVEMBER 2007 Implement the NAT service. Redirect all the connections from 22/transmission control protocol (TCP) port to a specific host. Redirect 8080/TCP port traffic to 80/TCP port. To test the firewall configuration apply the script on the virtual machine that acts as firewall and configure other virtual machines to act as hosts of the subnet 10.0.X.0/24 and of the subnet 10.0.Y.0/24, and as a generic host of the Internet. 2) Proposed Solution: The Benin students tested their configuration on OVL using four virtual machines, each one with its particular network configuration, to act as, respectively, a firewall, a generic Internet client, and two subnet hosts. In Fig. 4, the script provided by the student groups is presented. Complex network configurations, which usually require ad-hoc prepared work stations or expensive commercial virtualization software, could be an easy experiment in OVL with only a low-bandwidth, dialup connection. Students were faced with real-world problems, worked in groups, and found a solution, configuring their virtual machines to work as firewall and hosts of the system. They also tested their architecture by generating traffic from one virtual machine to the second one through the firewall, logging access requests, and controlling if traffic was correctly redirected and filtered. C. Case Study B At the University of Milan, OVL has been used as the VNL environment of choice for a number of networking, operating systems, and network security classes. In this section, some statistical data are presented regarding OVL s adoption for a recent edition of the online Network Security course, which runs from September to November ) The Test: All students of the Network Security class, in their laboratory activity, were asked to learn to analyze TCP/IP network traffic and to configure and test an iptables policy. Software tools used by students can be grouped as follows: Network traffic analysis tools: tcpdump, tshark, wireshark; Network traffic generation tools: nmap, nemesis [23], packit; Network traffic editors: netdude [24]. For online students, OVL was set up as follows: each student had his or her own virtual host with full administrator privileges. This personal machine was used to analyze incoming and outgoing network traffic and to configure the iptables firewall policy. With regard to the firewall policy, students were asked to test the configuration according to some specified requirements, such as opening or accepting TCP connections, exchanging user datagram protocol (UDP) datagrams and ICMP packets, or being probed with malformed network packets. Logs recorded by standard syslog in /var/log/messages had to be presented to pass the examination. In addition to the students personal machines, OVL was configured with one shared computer (called shared client) equipped with a traffic generator and clients for some standard IP applications (e.g., the file transfer protocol, the secure shell, and some querying tools). Students could log on this host with user privileges to generate network traffic either directed to or routed through his or her personal host. Another shared host (called shared server) was configured with some standard TCP and UDP network services (i.e.,,,,, and mail servers). Students Fig. 4. Solution proposed by a student group. were not allowed to log on the shared server host, which is used only as the destination of TCP connections and UDP dns queries. Network requests to the shared server could be generated by every student from the shared client or by his or her own personal host. All replies from this set of network services were routed through the personal machine of the student who generated the network request. Traffic flows between the shared client and the shared server or between the personal host and the shared server were needed to familiarize students with iptables FORWARD and INPUT/OUTPUT chains.

8 ANISETTI et al.: LEARNING COMPUTER NETWORKING ON OPEN PARAVIRTUAL LABORATORIES 309 When setting up OVL for this exercise, a major challenge was the laboratory s routing configuration. In case of network traffic generated between the shared client and the shared server, both requests from client and replies from server must be routed via the corresponding student s host, in order to be filtered by the FORWARD iptables chain. Normally, this step is achieved by configuring the host as the network gateway, but in this case all student s hosts must act as gateways. The solution was to set up a virtual interface for each student s host in both the shared client and the shared server and configure routing manually (i.e., with the command ). Students were then instructed to specify explicitly their assigned virtual interface when traffic directed to the shared server was generated on the shared client. 4 2) Performance Evaluation: To assess OVL s impact on students performance, two groups of students were randomly selected, one composed of students attending the online version of the Network Security course and the other composed of students attending the same course with traditional classroom delivery. The two groups were instructed with the same exercises and examples during the course and learned to use the same software tools. At the end of the course, the two groups took equivalent examinations with respect to difficulty and required skills. Both student groups were required to use the same equipment during the examinations (i.e., a laboratory with physical network devices, rather than OVL). Grading was not completed blindly, although the course instructor did not know that the data were collected for comparison. Since both groups came from the same cohort and sat essentially the same examination, 5 the comparison is made based on raw, nonnormalized grades. Usually, student grades are spread to fit a normal distribution by statistical techniques of varying complexity. However, this adjustment is only necessary when comparability of scores across different subjects is required (e.g., when subject scores are added to create a ranking for university access). A criterion-based approach could also be taken, measuring student achievement against objective reference points, and then comparing the two groups based on these achievements. Criterion-based evaluation is widely used for vendor certification programs since this method is considered better in determining fitness-to-practice in professional fields. Criterion-based comparison was omitted from this paper on the ground that this method would not add much information to this case study where norm-based comparison is fully justified by the high uniformity of the two samples. Grades in Italian universities range from 0 to 30, while a grade of 18 is the threshold to pass an examination. 6 The two samples are shown in Table II, while their statistical parameters are shown in Table III. A student s t-test [25] was performed to assess the level of confidence associated with the difference 4 This setup proved effective since students showed no difficulty in understanding and using the system correctly. However, this solution is not fully satisfying since the configuration of virtual interfaces had to be performed manually by the OVL administrator. A plan to improve OVL-AI for integrating such configuration is in the general setup of the online students learning environment. 5 The examination papers were only marginally different because precautions were taken to avoid plagiarism among the members of the two groups. 6 The Italian system allows for a commendation to be given to the best students. Here, the commendation was taken into account by adding two to the grade, so that 30 cum laude is shown as 32. TABLE II STUDENTS GRADES TABLE III SAMPLE PARAMETERS TABLE IV T-TEST RESULT between the sample means. The two-tailed version of the test was used, since the two samples do not overlap. The test results shown in Table IV correspond to a level of confidence. While, as a result of the case study context, these results remain anecdotal in nature; indeed they strongly suggest that online students exposed to OVL achieved better results than the ones attending traditional laboratory course. VII. CONCLUSION AND LESSONS LEARNED Commercial VNLs are getting more and more important in ICT vocational courses, but their vendor-dependence makes them unsuitable for university degree courses. In this paper a fully open source VNL, OVL, has been presented, discussing its adoption models and the services that it can provide to external communities and partner institutions. Also, two case studies were presented. These case studies were not artificially constructed experiments; rather they were answers to real teaching problems, documenting how the use of a VNL is the only option in some practical situations. Although online students can be required to watch prerecorded video-lessons at home, requiring them to set up at home (or to otherwise attend) an appropriate environment for network configuration exercises is not realistic. When trying out exercises related to network security issues, the laboratory environment must be fully insulated from the Internet or from any shared network. Evidence coming from these case studies strongly suggests

9 310 IEEE TRANSACTIONS ON EDUCATION, VOL. 50, NO. 4, NOVEMBER 2007 that open source virtual labs are beneficial in different teaching scenarios. Two features of OVL improved considerably the results achieved by online students: students had full administrator privileges on their virtual machines (i.e., root access) and were asked to configure them as needed for the exercises; students interacted via a Web forum where they could freely discuss technical problems, exchange opinions about issues related to the configuration and installation of software packages, and ask about the correct usage of tools. The forum was supervised and moderated by one of the authors of this paper; however, fruitful direct consultation among students, with the emergence of leadership, greatly decreased his tutoring effort. In both case studies, students unanimously reported their satisfaction with the OVL environment. Also, all instructors noticed that the online students achieved a good understanding of the proposed laboratory subjects. In fact, experience has shown that compared with students attending traditional laboratory courses, OVL users had more time to design, implement, and test their programs. In conclusion, the use of OVL has been successful in both the investigated situations. Because of the high cost of ownership and rapid obsolescence of physical computer science laboratories, OVL appears to be a promising option for moving traditional laboratories to thin client architectures, even when the course is delivered via traditional classroom lessons. Using an open-source paravirtual VNL will enable universities to tolerate diversity in laboratory equipment, reduce maintenance costs, improve client performance, and permit more flexible laboratory topologies [26]. ACKNOWLEDGMENT The authors would like to thank the Editor-in-Chief and the anonymous reviewers for their valuable comments. REFERENCES [1] L. Dirckinck-Holmfeld and A. Lorentsen, Transforming university practice through ICT-integrated perspectives on organizational, technological, and pedagogical change, Interactive Learn. Environ., vol. 11, no. 2, pp , [2] L. Kelly, M. Morrell, and J. Beasley, Delivering laboratory based courses via distance education, in Proc. Science, Engineering and Technology Education Conf., Las Cruces, NM, 2006, pp [3] M. Caramihai and I. Severin, E-learning & vocational training within Leonardo da Vinci projects: The Romanian case study, in Proc. 1st Int. Workshop e-learning and Virtual and Remote Laboratories, Setubal, Portugal, 2004, pp [4] B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, I. Pratt, A. Warfield, P. Barham, and R. Neugebauer, Xen and the art of virtualization, in Proc. ACM Symp. Operating Systems Principles, Bolton Landing, NY, 2003, pp [5] D. A. Menascé, Virtualization: Concepts, applications, and performance modeling, in Proc. 31th Int. Computer Measurement Group Conf., Orlando, FL, 2005, pp [6] M. Rosenblum and T. Garfinkel, Virtual machine monitors: Current technology and future trends, IEEE Comput., vol. 38, no. 5, pp , May [7] S. J. Vaughan-Nichols, New approach to virtualization is a lightweight, IEEE Comput., vol. 39, no. 11, pp , Nov [8] M. Anisetti, V. Bellandi, E. Damiani, F. Frati, U. Raimondi, and D. Rebeccani, The open source virtual lab: A Case study, in Proc. Workshop Free and Open Source Learning Environments and Tools, Lugano, Switzerland, 2006, vol. 6, pp [9] C. Bonivento, L. Gentili, L. Marconi, and L. Rappini, A web-based laboratory for control engineering education, in Proc. 2nd Int. Workshop Tele-Education in Engineering Using Virtual Laboratories, Sherbrooke, QC, Canada, 2006, pp [10] R. M. Nelson and A. N. M. S. Islam, MES: A web-based design tool for microwave engineering, IEEE Trans. Educ., vol. 49, no. 1, pp , Feb [11] G. Scutaru, L. Rodrigues, P. Raes, and D. Sorea, Didactical software tools on electrical circuits and electrical machines, in Proc. 1st Int. Workshop e-learning and Virtual and Remote Laboratories, Setubal, Portugal, 2004, pp [12] J. García and Á. Alesanco, Web-based system for managing a telematics laboratory network, IEEE Trans. Educ., vol. 47, no. 2, pp , May [13] F. Colace, M. De Santo, and A. Pietrosanto, Work in progress Virtual lab for electronic engineering curricula, in Proc. 34th ASEE/IEEE Frontiers in Education Conf., Savannah, GA, 2004, pp [14] M. Grigoriadou, E. Kanidis, and A. Gogoulou, A web-based educational environment for teaching the computer cache memory, IEEE Trans. Educ., vol. 49, no. 1, pp , Feb [15] J. Hu, C. Meinel, and M. Schmitt, Tele-lab IT security: An architecture for interactive lessons for security education, in Proc. 35th Technical Symp. Computer Science Education, Norfolk, VA, 2004, pp [16] J. Hu, C. Meinel, and M. Schmitt, Virtual machine management for tele-lab IT-security server, in Proc. 10th IEEE Symp. Computers and Communications, Cartagena, Spain, 2005, pp [17] T. Lammle, W. D. Tedder, and B. Tedder, CCNA Virtual Lab Gold Edition. Hoboken, NJ: Sybex, [18] C. Goldstein, S. Leisten, K. Stark, and A. Tickle, Using a network simulation tool to engage students in active learning enhances their understanding of complex data communications concepts, in Proc. 7th Australasian Computing Education Conf., Newcastle, NSW Australia, 2005, pp [19] E. Damiani, A. Esposito, M. Mariotti, P. Samarati, D. Scaccia, and N. Scarabottolo, SSRI online: First experiences in a three-years course degree offered in e-learning at the university of Milan (Italy), in Proc. 11th Int. Conf. Distributed Multimedia Systems, Banff, AB, Canada, 2005, pp [20] B. Devlin, J. Gray, B. Laing, and G. Spix, Scalability terminology: Farms, clones, partitions, packs, RACS and RAPS, Comput. Res. Repository, 1999, cs.ar/ [21] G. J. Popek and R. P. Goldberg, Formal requirements for virtualizable third generation architectures, Commun. ACM, vol. 17, no. 7, pp , [22] G. K. Thiruvathukal, Gentoo Linux: The next generation of Linux, IEEE Comput. Sci. Eng. Mag., vol. 6, no. 5, pp , Sep./Oct [23] M. N. Garofalakis and R. Rastogi, Network data mining and analysis: The NEMESIS project, in Proc. Advances in Knowledge Discovery and Data Mining, 6th Pacific-Asia Conf., Taipei, Taiwan, 2002, pp [24] C. Kreibich, Design and implementation of netdude, a framework for packet trace manipulation, in Proc. FREENIX Track: USENIX Annu. Tech. Conf., Boston, MA, 2004, pp [25] On the probable error of a mean, Biometrika, vol. 6, pp. 1 25, [26] N. Tolia, D. G. Andersen, and M. Satyanarayanan, Quantifying interactive user experience on thin clients, IEEE Comput., vol. 39, no. 3, pp , Mar Marco Anisetti received the M.S. degree in computer science from the University of Milan, Italy, in He is currently working toward the Ph.D. degree in the Department of Information Technology, University of Milan. His main research interests are computer vision, image processing with special regard to tracking strategies, and emotional state estimation by facial analysis. He is also involved in several research projects regarding GSM protocol and mobile phone electromagnetic fields prediction. Valerio Bellandi received the M.S. degree in computer science from the University of Milan, Italy, in He is currently working toward the Ph.D. degree in the Department of Information Technology, University of Milan. His research interests are in computer vision, location algorithm, and network communication protocol, with special regard to feature extraction methods and emotional state estimation by facial analysis. He is also involved in several research projects regarding link management protocol in optical network.

10 ANISETTI et al.: LEARNING COMPUTER NETWORKING ON OPEN PARAVIRTUAL LABORATORIES 311 Alberto Colombo received the University degree in computer science from the University of Milan, Italy, in He is currently working as Research Collaborator on TEKNE, an Italian funded project on business process automation. His research interests involve software engineering including process modeling, software requirements, and process measurement. Fulvio Frati received the University degree in computer science from the University of Milan, Italy, in Since February 2005, he has been a Research Collaborator in the Information Technology Department, University of Milan. His research interests are in the areas of software engineering, Java programming, information security, distributed computing, access control, open source in e-government scenario, and virtualization. Marco Cremonini received the Laurea degree in electronic engineering and the Ph.D. degree in information systems from the University of Bologna, Bologna, Italy, in 1995 and 2000, respectively. He is currently an Assistant Professor in the Department of Information Technologies, University of Milan. He has been an Associate Researcher at the Institute for Security Technology Studies (ISTS), Dartmouth College, Hanover, NH. His research interests include information systems security, economics of information technologies, and security technologies. Joêl T. Hounsou received the Laurea and Ph.D. degrees from the Institut de Mathématiques et de Sciences Physiques, Porto-Novo, Bénin. He is in charge of network laboratory activities at the Institut de Mathématiques et de Sciences Physiques, Porto-Novo, Benin. He was a Professor at the Master of Advanced Information Technologies, International Institute for Advanced Scientific Studies, Salerno, Italy, and an Associated Researcher at the International Center for Theoretical Physics (ICTP), Trieste, Italy. Ernesto Damiani (M 06) received the University degree in computer engineering from the University of Pavia, Pavia, Italy, and the Ph.D. degree in computer science from University of Milan, Milan, Italy, in 1987 and 1993, respectively. He is currently a Professor in the Department of Information Technology, University of Milan. He has held visiting positions at George Mason University, Fairfax, VA, La Trobe University, Melbourne, Australia, and the University of Technology, Sydney, Australia. His research interests include knowledge extraction and processing, secure mobile, software process engineering, and open source. He has filed international patents and authored more than 100 refereed papers in international journals and conferences. He coauthored the book Human-Centered e-business (Norwell, MA:Kluwer 2003). Dr. Damiani is the Vice-Chair of the IFIP WG on Web Semantics (WG 2.12) and on Open Source (WG 2.13). He is also the Vice-Chair of the IEEE Technical Committee on Industrial Informatics. Davide Rebeccani is currently a computer sciences student at the University of Milan, Milan, Italy. He is a Network Administrator in the Department of Information Technology, University of Milan. His interests are in the areas of operating systems, network administration, and security. Since 1997, he has worked on several types of open source operating systems such as Linux, FreeBSD, OpenBSD, and NetBSD. Currently, he is working on operating system virtualization for e-learning systems and industrial OS development.