Until now, I had set the lab up to have students SSH in to a step stone server. From there, they connected out to a BackTrack platform that did not have a default gateway set. Even if students attempted to break out of the lab network, the step stone platform had firewall rules set up not to allow outbound traffic.
As a result, it was a fairly robust environment.
Due to capacity limitations, the entire class shared one instance of BackTrack. All students have root access to that box, and it usually doesn't take long before they find out that the shell history and artifacts downloaded by fellow students are interesting. As a result of my architectural choices, it is also kind of tricky to remove artifacts from the lab environment.
Instead of using an SSH bastion host, I'm going to give all students a bootable USB drive with an OpenVPN client installed. The client will connect to the bastion host and will not allow split tunneling. As a result, while booted from the USB drive, students will ONLY be able to access the security lab. In the lab, I'll provide a file server (Samba or NFS, most likely) on which I load the tools that might be useful to them. That way, the tools are not accessible to anyone but those who are VPN'ed in.
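
A static check for the no-split-tunneling requirement described above, added here as an example and not taken from the author's setup: it parses an OpenVPN client config and reports directives that would let traffic leave outside the tunnel. The host name, subnet and both sample configs are constructed, and the check covers the config file only, not firewall rules on the client.

```python
import shlex

# Constructed sample configs; the host name and subnet are placeholders.
WEAK = """client
dev tun
remote bastion.lab.example 1194 udp
route-nopull                      # ignore routes pushed by the server
route 10.10.0.0 255.255.0.0       # only the lab subnet goes via the VPN
"""
STRICT = """client
dev tun
remote bastion.lab.example 1194 udp
redirect-gateway def1 block-local
"""

def directives(text):
    """Yield (name, args) per directive, skipping blanks and # or ; comments."""
    for line in text.splitlines():
        if line.lstrip().startswith(";"):
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            yield tokens[0], tokens[1:]

def audit(text):
    """Return findings that would let client traffic bypass the tunnel."""
    findings, gw_flags = [], None
    for name, args in directives(text):
        if name == "redirect-gateway":
            gw_flags = set(args)
        elif name == "route-nopull":
            findings.append("route-nopull: routes pushed by the server are ignored")
        elif name == "pull-filter" and len(args) == 2 and args[0] == "ignore":
            # pull-filter matches pushed options by prefix
            if "redirect-gateway".startswith(args[1]):
                findings.append("pull-filter ignores a pushed redirect-gateway")
    if gw_flags is None:
        findings.append("redirect-gateway not set locally: depends on server push")
    elif "block-local" not in gw_flags:
        findings.append("no block-local: the client's own LAN stays reachable")
    return findings

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(label, audit(cfg) or "no split-tunnel findings")
```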