Authentication and access control

Assignment Help Computer Network Security
Reference no: EM132928233

COIT20262 Advanced Network Security - Central Queensland University

Question 1. Authentication and Access Control

Consider a scenario where you are responsible for IT security in a small company. The company is expected to have around 40 employees over the next few years. The employees are classified into the following roles:

• CEO
• Executive Group (including CEO and other employees in leadership positions, e.g. leader of the Finance team)
• Finance
• Software Engineering
• Graphic Design
• Web Development
• Sales and Marketing
• Human Resources
• IT Administration

Some employees may take on multiple roles, e.g. an employee may be both in Software Engineering and Web Development.

The key data resources of the company are classified as:
• Web Content
• Source Code (e.g. for non-web software)
• Multimedia Assets (e.g. images, videos, artwork)
• Trade Secrets (e.g. algorithms, formulas that give the company a significant commercial advantage over competitors)
• Financial Accounts
• Personnel Records
• Marketing Material
• Company Policies
• Meeting Records

Assume role-based access control is to be used for users in different roles to access the above listed resources. The access rights are:
• Own: can change the access rights on the resource
• Read: can view the resource
• Write: can create, delete and modify the resource

(a) Create a table that shows the mappings from Role to Resource. Provide a brief explanation of why you choose this particular mapping.
(b) One principle in access control is that of least privilege. Explain what the principle is, and explain an example by referring to your mapping above.

The company has many trade secrets, some of which are very valuable and known only by the Executive Group (e.g. it would be a significant financial loss if a competing company knew them), some are also known by Software Engineers that implement the algorithms, while other trade secrets are important but known by a wider number of employees. The CEO has asked you to consider implementing Mandatory Access Control on the trade secrets.
(c) Explain how you could apply MAC to the trade secrets, including the levels you would use and the assignment of roles to security clearance levels.
The company is planning to use only passwords as the authentication mechanism for accessing computing systems. There will be no token-based or biometric authentication.
(d) Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as "must" (it is required), "should" (it is required unless there is a good reason for not applying it), or "may" (optional). Each rule must be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, "All users must use a 30 character random password" is a poor policy design (too inconvenient), as is "All users must use their last name as a password" (too insecure).
(e) Assume a malicious user knew your password policy. Select and explain two different attacks that the malicious user may use to try to defeat the password-based authentication. For each attack, provide details of what the malicious user would do (e.g. list of steps, example techniques or software to use).
While passwords were originally planned for the main computer systems, the company is considering using other authentication systems for high importance assets (e.g. finance, trade secrets). For these, the company is choosing between:
• USB tokens
• Fingerprint scanning
• Voice recognition

(f) Explain how USB tokens can be used to allow users to login to a computer. Your explanation may include steps that the user must take, and any setup the IT administrator must perform in advance to allow USB tokens to work.
(g) Compare the three techniques with respect to security, convenience and cost. For security you should discuss their strengths and weaknesses against different attacks. For convenience you should consider the additional burden they place on users. For cost, you do not need to give exact prices, but should discuss what additional infrastructure is needed to deploy each system.

Question 2. Firewalls and iptables
In this question you will use iptables and virtnet to create a firewall. You need to consider two different scenarios:
1. Firewall does not use SPI; default policy is Accept.
2. Firewall uses SPI; default policy is Drop.
Both scenarios will use topology 7 in virtnet, with nodes 1 and 2 being external, node 3 the firewall, and nodes 4 and 5 internal. Although there are only 5 machines in the topology, when creating your rules you must assume there will be more than that. For example, while there is only 1 internal subnet, there may be more than 2 internal nodes on that subnet (you don't have to create additional nodes in virtnet; just design the rules assuming they are there).
For both scenarios you must save the iptables commands you used in a Shell script file, named [StudentID]-iptables1.sh and [StudentID]-iptables2.sh. You must also add a comment that explains each rule in the file. Comments start with a hash (#) character.
The Shell scripts may be executed during marking, therefore it is important you have the exact commands included, and no other text unless it is a comment.
Where you see [StudentPort1] replace it with the value 8 followed by the last three numbers of your student ID. For example, if your student ID is 12345678, then [StudentPort1] is replaced with:
8678
Where you see [StudentPort2], do the same as [StudentPort1], except start with 9 (instead of 8). The example would replace [StudentPort2] with:
9678

Scenario 1: No SPI
Implement a firewall that:
(a) Blocks ping into the internal subnet, as well as out from the internal subnet.
(b) Blocks ping into the firewall (node3), but allows the firewall to ping out.
(c) Blocks all traffic from external subnets into the firewall, except secure shell traffic.
(d) Blocks node1 from accessing the web server on node4.
(e) Blocks node5 from secure shell to any external node.
(f) Blocks all external nodes from accessing a server on node4 that uses port [StudentPort1].
Save all iptables commands used to implement the above rules in the file [StudentID]-iptables1.sh. Before each command, include a comment that explains why the iptables command(s) implements the required rule.

Scenario 2: With SPI
Before starting this scenario, delete (flush) all rules created in Scenario 1. Implement a firewall that:

(g) Sets the default policy on all chains as Drop.
(h) Enables SPI.
(i) Allows all external nodes to access the web server on node4.
(j) Allows all external nodes to access the secure shell server on node5.
(k) Allows all internal nodes to access any external web servers.
(l) Allows node1 to access a server on node5 that uses port [StudentPort2].

Save all iptables commands used to implement the above rules in the file [StudentID]-iptables2.sh (including for setting the policy and enabling SPI). Before each command, include a comment that explains why the iptables command(s) implements the required rule.
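A default-Drop, stateful rule set for requirements (g) to (l), written here as an added example and not taken from the course material. The subnet and node addresses are assumed placeholders (the page does not give the topology 7 addresses), the student ID is the page's own 12345678 example, HTTP on port 80 is assumed for "web server", and the script only prints the commands unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example: Scenario 2 (SPI, default Drop) on the firewall node.
# Every address below is a constructed placeholder, not from the page.
STUDENT_ID="${STUDENT_ID:-12345678}"   # example ID used on the page
INT_NET="${INT_NET:-192.168.2.0/24}"   # assumed internal subnet
NODE1="${NODE1:-192.168.1.11}"         # assumed external node1
NODE4="${NODE4:-192.168.2.21}"         # assumed internal web server
NODE5="${NODE5:-192.168.2.22}"         # assumed internal SSH server
IPT="${IPT:-echo iptables}"            # dry run; use IPT=iptables as root to apply

# [StudentPortN]: leading digit followed by the last three digits of the ID.
student_port() {   # $1 = leading digit (8 or 9), $2 = student ID
    printf '%s%s\n' "$1" "${2#"${2%???}"}"
}

scenario2() {
    port2=$(student_port 9 "$STUDENT_ID")
    new="-m conntrack --ctstate NEW"   # only the first packet needs a rule
    # Remove the Scenario 1 rules before building the new set.
    $IPT -F
    # (g) Default policy Drop on every chain of the filter table.
    for chain in INPUT OUTPUT FORWARD; do $IPT -P "$chain" DROP; done
    # (h) SPI: packets of connections accepted below pass in both
    # directions; with policy Drop nothing else is forwarded.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # (i) Any external host may open HTTP connections to node4.
    $IPT -A FORWARD ! -s "$INT_NET" -d "$NODE4" -p tcp --dport 80 $new -j ACCEPT
    # (j) Any external host may open SSH connections to node5.
    $IPT -A FORWARD ! -s "$INT_NET" -d "$NODE5" -p tcp --dport 22 $new -j ACCEPT
    # (k) Any internal host may open HTTP connections to external servers.
    $IPT -A FORWARD -s "$INT_NET" ! -d "$INT_NET" -p tcp --dport 80 $new -j ACCEPT
    # (l) Only node1 may reach the service on node5 at [StudentPort2].
    $IPT -A FORWARD -s "$NODE1" -d "$NODE5" -p tcp --dport "$port2" $new -j ACCEPT
}

scenario2
```

Because INPUT and OUTPUT stay at Drop with no rules, the firewall node itself neither accepts nor originates traffic, which matches the listed requirements; matching on the internal subnet rather than on single hosts keeps the rules valid when more internal nodes are added.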

Question 3. HTTPS and Certificates

For this question you must use virtnet (as used in the workshops) to study HTTPS and certificates. This assumes you have already set up and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website.
Your task is to set up a web server that supports HTTPS. The tasks and sub-questions are grouped into multiple phases.

Phase 1: Setup Topology
1. Create topology 7 in virtnet.
2. Deploy the MyUni demo website, with node4 being the real web server.
3. Change the domain name from www.myuni.edu to www.[StudentID].edu by editing the /etc/hosts file on node1.
NOTE: You may use the same nodes as used in Question 2 on firewalls. However if you do, you must not use a firewall to complete this question (i.e. flush all the rules). Alternatively, you may delete the nodes from Question 2, and re-create topology 7 for this question.

Phase 2: Certificate Creation
You will need to use the files made available to you for download from Assignment 1.
1. Using [StudentID]-keypair.pem you must create a Certificate Signing Request called [StudentID]-csr.pem. The CSR must contain these field values:
• State: state of your campus
• Locality: city of your campus
• Organisation Name: your full name
• Common Name: www.[StudentID].edu
• Email address: your @cqumail address
• Other field values must be selected appropriately.
Now you will change role to be a CA. A different public/private key pair has been created for your CA as [StudentID]-ca-keypair.pem. As the CA you must:
2. Set up the files/directories for a demoCA.
3. Create a self-signed certificate for the CA called [StudentID]-ca-cert.pem.
4. Using the CSR from step 1 issue a certificate for www.[StudentID].edu called [StudentID]-cert.pem.

Phase 3: HTTPS Configuration
1. Configure Apache web server on node4 to use HTTPS. Remember the domain name must be www.[StudentID].edu where [StudentID] is replaced with your actual student ID.
2. Load the CA certificate into the client on node1.

Phase 4: Testing
1. Start capturing on node3 using tcpdump.
2. On node1, use lynx to visit https://www.[StudentID].edu/grades/ and login to view some grades.
3. Exit lynx.
4. Stop the capturing and save the file as [StudentID]-https.pcap.
When capturing, make sure you capture a full HTTPS session, and avoid capturing multiple sessions.

Phase 5: Analysis
(a) Submit the CSR [StudentID]-csr.pem.
(b) Submit the CA self-signed certificate [StudentID]-ca-cert.pem.
(c) [Updated 6 Sep 2018] Submit the issued certificate [StudentID]-cert.pem.
(d) Submit the packet capture [StudentID]-https.pcap.
(e) When the web browser receives a certificate in an HTTPS exchange, what does the browser do to verify the certificate, and what information from the certificate is used in subsequent steps of the exchange? Explain your answers in detail by referring to algorithms and cryptographic techniques used.
(f) In this question your CA used a self-signed certificate. Explain why it is not good practice for the web server (www.[StudentID].edu) to also use a self-signed certificate.
(g) If an attacker obtained [StudentID]-ca-keypair.pem, explain an attack that they could perform on users visiting. You must give details of the attack, such as the steps the attacker would perform and how the users/data would be compromised. Giving just an attack name is insufficient.

Question 4. WiFi Security
(a) Explain how a MAC address filter for a WiFi access point works. Discuss the role of MAC address filters in security, and issues or limitations of MAC address filters.
(b) WPA is recommended for encryption and authentication in WiFi. WPA can use AES for encryption, which uses key lengths of 128 bits or 256 bits. However, when users set up WPA/AES in their home WiFi access point, they often select a passphrase. Explain the difference between the passphrase and 128 bit key and discuss the advantages and disadvantages of using a passphrase (compared to a 128 bit or longer key). Also discuss the potential for successful brute force attacks on passphrases and 128 bit keys.
(c) While WPA is considered secure when configured correctly, it is recommended that WiFi users use a VPN when connecting via public WiFi hot spots. Explain why a VPN is recommended in these cases, what is required to be setup in advance to use a VPN, and what security the VPN provides.


Reviews

len2928233

6/28/2021 3:47:48 AM

Make sure you follow all instructions in the assignment specification. You must submit separate files, with the correct name. You must NOT use ZIP, RAR or any other archive/compression, and you must NOT submit files in folders. Simply upload the individual files. The complete list of files are (replacing [StudentID] with your actual ID) assignment2.docx (it can be any name, as long it is a Word .docx or .doc file) if you could not open ******** keypair. then open CA Keypair where locate ******** keypair.
