‘Internet in a room’ simulates attacks against large networks

Iowa State University this month launched the Information Systems Security Lab (ISSL), an education and product and security testing site that includes a self-contained “Internet in a room” test bed for simulating complex networks and cyberattacks.

The lab builds on existing programs in the departments of Electrical and Computer Engineering and Information Assurance and is operated by the school’s Information Assurance Center, a National Security Agency center for academic excellence in information assurance education.

“We have had a very robust graduate program since 2000,” said IAC Director Doug Jacobson, “But we noticed there is a gap in the Midwest in working with local industry and government.”


Related story:

Purdue forges top cyber research center


Smaller businesses, especially contractors for sensitive areas such as defense, are facing more government security requirements and often need help with regulatory compliance for network and information security. Both industry and state and local government also need a trusted source for information on the reliability and effectiveness of security products, said ISSL director Julie A. Rursch.

“There is a need for an environment where tools can be tested before they are put into production,” Rursch said. Relying exclusively on a vendor’s product claims “can be a scary proposition.”

A primary resource for ISSL is the ISEAGE Lab, (pronounced "ice age") the Internet-Scale Event and Attack Generation Environment, a hardware-based testbed that Jacobson calls “our Internet in a room,” used for simulating distributed attacks and network modeling. ISEAGE has been funded through Justice Department and National Science Foundation grants.

ISEAGE provides a world-class research and education facility to research Internet-scale cybersecurity events in a controlled environment.


The 64-node system can have up to 100 routers on each processor board and is reconfigurable to create arbitrary topologies with tens of thousands of simulated routers. The testbed is used in U.S. Cyber Challenge competitions and currently is also modeling Iowa’s critical infrastructure to help with response and recovery plans in the wake of recent floods in the eastern part of the state.

The essential elements of the ISSL have been in place for a while, Rursch said. “We have done some of the testing and education on a small scale, not formalized. So we do have the infrastructure in place and have the intellectual capital.”

What was missing was the money for a formal program, which has been provided through several programs. “Part of our funding is coming through the state of Iowa, through its extension service,” Jacobson said. The extension service — the Center for Industrial Research and Service — provides money for helping local industry meet federal security requirements such as those in the Health Insurance Portability and Accountability Act. But the greatest support came from the school’s seed fund strategic initiative. “The university throwing a couple of years funding to us helped us start it up,” he said.

The need for the lab is driven by a growing gap between the requirements of IT security and the available resources.

“It is becoming more and more evident we need to do something,” Jacobson said. “Industry can’t solve the problems by itself.” A few highly regulated industries such as banking have established the required perimeter defenses around their enterprises, “and it pretty well stops there. They are not addressing new threats. The rest of them just hope like hell that nothing will happen,” because there often is no demonstrable return on investment for information security, he said.

The situation in government, he said, “is as bad or worse.” The federal government is in better shape than state and local government, but it has to compete with the private sector for security expertise and does not pay as well. State government has fewer resources, and as for local government, “they’re just out of luck.” Local government has little or no money for IT staff, let alone dedicated security. “That ranks below the dog park on the list of priorities.”

To help address these needs, the ISSL provides training, both for general security awareness and literacy to produce better stewards of sensitive data, and for IT staffs.

“We’re not competing with the SANS of the world,” Jacobson said, referring to the SANS Institute, which conducts cybersecurity education and certification programs. “We’re operating at the next level down,” to help develop basic skills in IT staff not dedicated to security.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above