“Pitching Packets” Game Teaches Cyber Security with Beanbags
This October, the 14th year of National Cyber Security Awareness Month (NCSAM) focuses on educating consumers on Internet safety. Consumers can be of all ages and backgrounds, so in the spirit of NCSAM, I’d like to share how beanbags and laundry baskets can be used to teach anyone the basics of Internet routing, security, and privacy.
“Pitching Packets: Cyber Security Edition” is adapted from a game called “Welcome to Packetville” designed by Cisco employees Jennifer Lowry and Marcie Pittman in 2006. The original game aimed to describe the Internet in simple terms to a population of youth that were exploring the possibilities of STEM careers. Fast-forward to 2017 and the Global Information Security Workforce Study predicts there will be a cybersecurity workforce gap of 1.8 million in the next 5 years. For this reason, the original game was updated to concentrate on Internet safety.
In Pitching Packets, laundry baskets represent the major components of the network (core routers, home or access routers, and endpoints). To set up the game, create a network diagram by connecting baskets with routes, represented with colored tape between baskets. While the color of the core and access routers doesn’t matter, the colors of the endpoint baskets represent their address. The network topology is also irrelevant, but the size of the network depends on how many participants are available each game.
This example topology works well for groups of 20-25 students.
Once the workshop begins, assign students to a router or endpoint (represented by baskets) or to the role of packet sweeper. Set up every round by giving each endpoint a set of beanbags to transmit (e.g. give the yellow endpoint all red beanbags, indicating it is transmitting to the red endpoint.) The base rules that apply to all rounds of play include:
- The objective of the game is to toss beanbags amongst baskets until they reach destination basket, as indicated by the color of the beanbags. This corresponds to the technical idea that the objective of a network is to route all packets to their destination, as indicated by addresses.
- Students may only throw beanbags along a corresponding tape line, as packets travel along network routes.
- Students representing components may not pick up beanbags that miss the basket. Participants acting as packet sweepers are the only ones allowed to pick up beanbags and return them to an endpoint, as they represent dropped packets that endpoints are responsible for retransmitting.
These base rules demonstrate several important networking lessons:
- Internet traffic is fragmented into small units of data, called packets.
- Core routers handle the most Internet traffic, so that position is the fastest-pace in direct contrast to endpoints, which are only concerned with their own traffic.
- Dropped packets slow down the network, a situation most have experienced while waiting for a webpage or video to load.
Multiple rounds of play with modified rules provide the opportunity to integrate Internet security and privacy lessons during a post-round discussion. Rotating the students amongst various roles deepens their understanding of network operations.
Round 1 introduces the idea that nothing is truly private on the Internet. Cut photos into pieces, number them, and have students attach them to the beanbags. This directly correlates to the way packet fragmentation and re-assembly occurs at endpoints. The addition of photos represents sending a picture message or posting a disappearing photo to a social media network. Students quickly understand that cleartext messages can be read by any component it touches in the network and copies of supposedly private photos may exist on the Internet.
Left: Student playing the grey endpoint reassembles her photo message Center: Photos are cut and numbered for Round 1’s fragmentation and reassembly lesson Right: I demonstrate how to attach messages to beanbags for different lessons
Round 2 introduces the idea that privacy can be achieved through encryption (e.g. with HTTPS or VPNs.) Instruct the endpoints to write messages and demonstrate information hiding by attaching them to the beanbags with the text facing the fabric. Alternatively, teach a simple shift or substitution cipher so endpoints can generate encrypted messages.
Round 3 introduces various types of network security (e.g., anti-virus, packet inspection, firewall rules) and the concept of a layered approach to defending networks. Mark a beanbag (e.g. with an “X”) to represent a virus and inform students that if they receive the virus packet, they must pass it to any connecting route. Afterwards, they must also dump their basket of beanbags onto the ground and await a packet sweeper’s assistance. During game play, have instructors introduce the virus and allow it to spread amongst the network. After a few minutes, quietly remove the marked beanbag (as a security researcher might stop a virus.) Post-round discussion should include how quickly a virus spreads and its effect on the network speed.
I hope this blog post inspires you to recreate this game in your own community. Because it uses easily available materials and no computing devices, this highly energized analog game makes digital security education fun and accessible to all. Please feel free to use the comments below if you have ideas on adaptations to expand the lessons!
October is Cyber Security Awareness Month, and Cisco is a Champion Sponsor of this annual campaign to help people recognize the importance of cybersecurity. For the latest resources and events, visit cisco.com/go/cybersecuritymonth.