Reference no: EM132385298
COIT20262 - Advanced Network Security
Assignment
Discuss, Explain, Design Style Questions
• Use terminology that has been used throughout the lectures. Using non-standard terminology, or terminology that significantly differs from that in this topic, is an example of unclear writing.
• Be specific, referring to files, algorithms, keys or other relevant data elements.
• When relevant, use examples to assist your explanation (although don’t use just examples; give a general explanation as well).
• Including wrong or irrelevant information in your answer will result in low marks. An answer with multiple wrong/irrelevant statements as well as a correct statement, may receive 0 marks.
• Don’t rely heavily on images (unless they are asked for). If you do include images, then draw them yourself – don’t take images from the Internet, textbook or lecture notes.
Virtnet
Questions 1 and 2 require you to use virtnet topology 5. The questions are related, so you must use the same nodes for both questions.
• node1: client; assumed to be external from the perspective of the firewall.
• node2: router; gateway between the internal network and external network. Also runs the firewall.
• node3: server; assumed to be internal from the perspective of the firewall. Runs a web server with HTTPS and an SSH server that external users (e.g. on node1) log in to. Will contain accounts for multiple users.
Question 1. HTTPS and Certificates
For this question you must use virtnet to study HTTPS and certificates. This assumes you have already setup and are familiar with virtnet. See Moodle and tutorial instructions for information on setting up and using virtnet, deploying the website, and testing the website.
Your task is to setup a web server that supports HTTPS. The tasks and sub-questions are grouped into multiple phases.
Phase 1: Setup Topology
1. Create topology 5 in virtnet.
2. Deploy the MyUni demo website, with node3 being the real web server.
3. Change the domain name from www.myuni.edu to www.[StudentID].edu by editing the /etc/hosts file on node1.
Phase 2: Certificate Signing Request
You will need to use the files made available to you for download from Assignment 1.
1. Using [StudentID]-keypair.pem you must create a Certificate Signing Request called [StudentID]-csr.pem. The CSR must contain these field values:
• State: state of your campus
• Locality: city of your campus
• Organisation Name: your full name
• Common Name: www.[StudentID].edu
• Email address: your @cqumail address
• Other field values must be selected appropriately.
Phase 3: Certificate from CA
Send your Certificate Signing Request file to your Certificate Authority. The method of contacting your CA will be published on Moodle. You will be issued with a certificate called [StudentID]-cert.pem by the CA (or, in the case of an error, a response indicating that the CSR is not valid).
Note that there may be a delay of up to 24 hours during weekdays (and 48 hours over the weekend) for the CA to respond to your CSR. Further details of the process can be found on Moodle.
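The CSR and certificate steps of Phases 2 and 3, as an added worked example (not part of the assignment and not the course CA's process): it builds the CSR from an existing key pair with the required subject fields, stands in for the CA with a throwaway self-signed CA certificate so that an issued certificate can be checked offline, and runs the checks worth doing before sending the CSR or installing the certificate. Student ID 12345678, the State/Locality/Organisation values and the e-mail address are assumptions; substitute your own. The real CA is contacted as described on Moodle.

```shell
#!/bin/sh
# Added example, not part of the assignment: CSR from an existing key pair,
# a stand-in CA that signs it, and the checks a practitioner runs on the
# result. Student ID, subject values and e-mail address are assumptions.
set -eu

SID=12345678
WORK=$(mktemp -d)
KEY="$WORK/$SID-keypair.pem"    # stands in for the key pair from Assignment 1
CSR="$WORK/$SID-csr.pem"
CERT="$WORK/$SID-cert.pem"
CAKEY="$WORK/ca-key.pem"
CACERT="$WORK/ca-cert.pem"      # stands in for the CA certificate on Moodle
SUBJ="/C=AU/ST=Queensland/L=Rockhampton/O=Firstname Lastname/CN=www.$SID.edu/emailAddress=s$SID@cqumail.com"

# Key pair: generated here only because the assignment's file is not available.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null

# Phase 2: -new together with -key reuses the existing key pair instead of making a new one.
make_csr() { openssl req -new -key "$KEY" -subj "$SUBJ" -out "$CSR" 2>/dev/null; }

# Phase 3 stand-in: self-signed CA certificate, then sign the CSR with the CA key.
issue_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$CAKEY" -out "$CACERT" -days 365 \
        -subj "/C=AU/O=Stand-in CA for this example/CN=Stand-in CA" 2>/dev/null
    openssl x509 -req -in "$CSR" -CA "$CACERT" -CAkey "$CAKEY" -CAcreateserial \
        -days 365 -out "$CERT" 2>/dev/null
}

# What the CA will see; a wrong field here is what gets the CSR rejected.
csr_subject() { openssl req -in "$CSR" -noout -subject; }
# The public key inside the CSR must be the one from the key pair file.
key_matches_csr() {
    a=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    b=$(openssl req -in "$CSR" -noout -pubkey 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ] && echo match || echo MISMATCH
}
# The issued certificate must chain to the CA certificate that node1 will trust.
cert_chain_ok() { openssl verify -CAfile "$CACERT" "$CERT" >/dev/null 2>&1 && echo ok || echo FAIL; }
# Hash algorithm used in the CA's signature (asked for in the analysis).
cert_sig_alg() { openssl x509 -in "$CERT" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $3}'; }

make_csr
issue_cert
echo "CSR subject:     $(csr_subject)"
echo "key/CSR match:   $(key_matches_csr)"
echo "cert chains:     $(cert_chain_ok)"
echo "signature hash:  $(cert_sig_alg)"
echo "files are in $WORK"
```

On node3 the same files map onto the mod_ssl directives used in the HTTPS configuration phase: SSLCertificateFile takes [StudentID]-cert.pem and SSLCertificateKeyFile takes [StudentID]-keypair.pem. Run the key/CSR check before sending the CSR and the chain check (against the CA certificate from Moodle rather than the stand-in) after the certificate arrives.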
Phase 4: HTTPS Configuration
1. Configure the Apache web server on node3 to use HTTPS. Remember the domain name must be www.[StudentID].edu where [StudentID] is replaced with your actual student ID.
2. Load the CA certificate into the client on node1. The CA certificate can be downloaded from Moodle.
Phase 5: Testing
1. Start capturing on node2 using tcpdump.
2. On node1, use lynx to visit https://www.[StudentID].edu/grades/ and log in to view some grades.
3. Exit lynx.
4. Stop capturing and save the file as [StudentID]-https.pcap.
Phase 6: Analysis
(a) Add the CSR [StudentID]-csr.pem to [StudentID]-files.zip.
(b) Add the issued certificate [StudentID]-cert.pem to [StudentID]-files.zip.
(c) Add the packet capture [StudentID]-https.pcap to [StudentID]-files.zip.
Assuming an attacker only has access to the packet capture (i.e. traffic between web browser and web server – they don’t know about the network structure or that there are only three nodes), for the following, discuss what the attacker learns and how, or what they cannot learn and why not. For example, if the attacker can learn the information, explain what is the value they learn, what packet(s) they learn it from and how. If the attacker cannot learn the information, then explain why they cannot learn it.
What does the attacker know about the:
(d) domain of the website that the client visited
(e) IP address of the client’s computer
(f) application layer protocol being used between client and server
(g) specific web page a client requested
(h) size of a web page sent by server to client
(i) username and password the client uses to login to the grading system
(j) browsing behaviour of the web browser user, with regards to when they navigate between pages
(k) encryption algorithm(s) used, if any
(l) CA that the web server uses.
Now consider the role of certificates in this question.
(m) There were two different certificates exchanged between server and browser. For each certificate, complete the following table.
Information                                                  Certificate 1    Certificate 2
Whose public key is included?
What hash algorithm was used in signing?
Whose private key was used when creating the certificate?
(n) Referring to the certificates, explain how the web browser is certain that the web server it is communicating with is in fact the web server for the requested domain.
(o) Explain why self-signed certificates are generally used for CAs, but not used for web servers.
Question 2. Firewalls and iptables
In this question you will use iptables and virtnet to create a firewall on node2 of the topology used in the previous questions. node1 is considered external and node3 is internal.
Although there are only 3 machines in the topology, when creating your rules you must assume there will be more than that. For example, while there is only 1 internal subnet, there may be more than 2 internal nodes on that subnet (you don’t have to create additional nodes in virtnet; just design the rules assuming they are there).
Phase 1: Change SSH Server Port
SSH servers by default use port 22. However, the port can be changed by editing the SSH server configuration file: /etc/ssh/sshd_config. For the change to take effect, the SSH server needs to be restarted with:
sudo systemctl restart sshd
Once the SSH server port has changed, then SSH clients can specify the port using the -p option, e.g.
ssh -p <PORT> <IP>
Change the SSH server port on node3 to 22XY where XY is the last two digits of your student ID. For example, with the student ID 12345678, the port would be 2278.
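The port change above as an added example (not from the assignment): a small helper that rewrites the Port directive in sshd_config, covering both the commented-out default (`#Port 22`) that stock configs ship with and an explicit `Port` line, plus the check to run before restarting the daemon. The sample config is constructed; port 2278 is the assignment's own example value.

```shell
#!/bin/sh
# Added example, not from the assignment: change the sshd Port directive
# safely. The sample sshd_config below is constructed, not a real file.
set -eu

# set_sshd_port FILE PORT: prints FILE with every Port directive (commented out
# or not) replaced by "Port PORT"; appends one if the file has none.
set_sshd_port() {
    file=$1; port=$2
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+' "$file"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$file"
    else
        cat "$file"; echo "Port $port"
    fi
}

# listen_ports: the ports sshd would bind, read from a config on stdin.
# Only uncommented Port lines count, and sshd binds every one it finds,
# so a leftover "Port 22" would keep the old port open.
listen_ports() { grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' | awk '{print $2}'; }

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample of a stock sshd_config (not a real file)
#Port 22
#AddressFamily any
PasswordAuthentication yes
EOF

set_sshd_port "$SAMPLE" 2278 > "$SAMPLE.new"
echo "sshd would listen on: $(listen_ports < "$SAMPLE.new")"
```

On node3, write the edited copy to a temporary file, validate it with `sudo sshd -t -f /tmp/sshd_config.new` (a syntax error found after `systemctl restart sshd` leaves you with no SSH server), copy it over /etc/ssh/sshd_config and restart. Keep your existing session open until `ssh -p 2278` from node1 succeeds.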
Phase 2: Setup the Firewall
You need to setup an iptables based firewall on node2. The firewall must use SPI (stateful packet inspection, i.e. connection tracking) and have a default policy of DROP. Configure the firewall to implement the following security policy.
• All external nodes can access the HTTPS web server on node3.
• No external nodes can use HTTP to access the web server on node3.
• Only computers on the same subnet as node1 (including node1) can access the SSH server on node3.
• node1 is the only external node that can access a special server using port 50326 on node3.
• All internal nodes can access HTTP and HTTPS servers on any external node.
• node3 is the only internal node that can access external SSH servers.
• node3 is allowed to ping external nodes, but no other internal node can ping out, and no external node can ping in.
Remember that while node1 is the only external node, and node3 is the only internal node, you must write your firewall rules assuming there are other internal/external nodes, on potentially different subnets.
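One ruleset that implements the policy above, as an added example rather than the assignment's reference solution. It emits the rules in iptables-restore format so they can be reviewed and loaded in one step. The interface names, addresses and subnets are assumptions about virtnet topology 5 (check them with `ip addr` on node2 and adjust), the SSH port assumes a student ID ending in 78, external SSH servers are assumed to be on port 22, and the special server on port 50326 is assumed to be TCP since netcat in server mode is used to test it.

```shell
#!/bin/sh
# Added example, not the assignment's reference solution: iptables ruleset
# for node2 in iptables-restore format. All addresses and interface names
# below are assumptions about virtnet topology 5.
set -eu

EXT_IF=eth1                 # node2 interface facing node1 (external)
INT_IF=eth2                 # node2 interface facing node3 (internal)
NODE1=192.168.1.11          # the one external node allowed to the special server
NODE1_NET=192.168.1.0/24    # node1's subnet: the only one allowed to SSH to node3
NODE3=192.168.2.21          # internal web / SSH / special server
INT_NET=192.168.2.0/24      # internal subnet; add one -s rule per extra subnet
SSH_PORT=2278               # 22XY from Phase 1 (student ID ending in 78 assumed)
SPECIAL_PORT=50326          # assumed TCP

gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# SPI: replies and related traffic (e.g. ICMP errors) for connections already
# allowed, and nothing else; INVALID drops packets that match no connection.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Inbound (external -> internal): only the NEW connections the policy names.
-A FORWARD -i $EXT_IF -o $INT_IF -d $NODE3 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -s $NODE1_NET -d $NODE3 -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -s $NODE1 -d $NODE3 -p tcp --dport $SPECIAL_PORT -m conntrack --ctstate NEW -j ACCEPT
# Outbound (internal -> external).
-A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $NODE3 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $NODE3 -p icmp --icmp-type echo-request -j ACCEPT
# No rule for HTTP to node3, for port 22 on node3, for SSH out from other
# internal nodes, or for any other ping: those hit the DROP policy.
COMMIT
EOF
}

gen_rules
```

Load with `sh node2-fw.sh | sudo iptables-restore`, run the Phase 3 tests, and only then run the `iptables-save -c` command from Phase 4: the `-c` counters then show which rule each test actually matched. The INPUT and OUTPUT policies also drop node2's own traffic; the policy above only concerns forwarded traffic, so if you need to reach node2 itself (e.g. SSH into it for management) add matching INPUT/OUTPUT rules.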
Phase 3: Test the Firewall and Servers
You should extensively test your firewall and servers to ensure the security policies (of the firewall and file access control) are implemented correctly. To test the firewall you can use wget for HTTP/HTTPS, ssh for SSH and netcat for other services. For example, you can use netcat in server mode to start a server on a chosen port, and then use netcat in client mode to attempt to connect to that server (see Assignment 1 instructions for netcat examples).
To demonstrate that your firewall and servers are working correctly, take screenshots of the following scenarios. Each screenshot (except number 4) must clearly show only node1 and must be taken with the in-built VirtualBox screenshot tool (View menu -- Take Screenshot).
Screenshot 1, saved as [StudentID]-screenshot1.png. Run the following commands and then take the screenshot:
• clear
• wget -T 3 -t 2
The -T option specifies a timeout of 3 seconds and the -t option specifies 2 retries.
Screenshot 2, saved as [StudentID]-screenshot2.png. Run the following commands and then take the screenshot:
• clear
• ssh -p 22XY www.[StudentID].edu
• Enter the correct password for the user if prompted.
If you need to log in as a different user, specify the user with the -l option. The port is specified with the -p option and is the port set in Phase 1.
Screenshot 3, saved as [StudentID]-screenshot3.png. Run the following commands and then take the screenshot:
• clear
• ssh -p 22 www.[StudentID].edu
• Enter the correct password for the user if prompted.
Note the above uses port 22, not port 22XY.
Screenshot 4, saved as [StudentID]-screenshot4.png. Use netcat to demonstrate that node1 can access the special server on port 50326 on node3. For this screenshot you must use another screenshot tool (e.g. Windows Snipping Tool) to take a screenshot of both node1 and node3 at the same time (e.g. two windows), so that the one screenshot shows both the netcat client on node1 and the netcat server on node3.
Phase 4: Save the Rules
Once you have determined the firewall is correct, save the rules to a file using:
sudo iptables-save -c > [StudentID]-iptables.txt
This should create the file [StudentID]-iptables.txt, which contains your rules together with their packet/byte counters (the -c option). The rules you save must be the ones you tested: don’t flush/delete and then re-add the rules before saving; save the rules that were tested.
Phase 5: Analysis
You must include the screenshots in your report – do not submit the screenshot files separately.
(a) Include [StudentID]-screenshot1.png in your report.
(b) Include [StudentID]-screenshot2.png in your report.
(c) Include [StudentID]-screenshot3.png in your report.
(d) Include [StudentID]-screenshot4.png in your report.
(e) Add [StudentID]-iptables.txt to [StudentID]-files.zip.
(f) Some websites are accessible via both HTTP and HTTPS, while some only HTTP, and others only HTTPS. From the perspective of a web server operator or admin, explain why it may be beneficial to support only HTTPS (as opposed to both HTTP and HTTPS). Consider what an attacker could try to do if a web server supported both HTTP and HTTPS.
(g) The firewall was setup so that only a certain computer (node1) could access the special server on port 50326. Explain how an external attacker (that could not gain access to or compromise node1) could attempt to gain access to the special server.
Question 3. Network Security
You are tasked with designing a network upgrade for a local business. The business currently has a wired network (Ethernet LAN) across two floors of their office building, connecting approximately 25 desktop computers, several servers and tens of other devices (e.g. printers, payment terminals, machinery). There are currently 50 full-time and part-time employees, some working in the office while others are outside or in an external workshop. The network and servers are currently setup with a centralised authentication server, e.g. a user can login with their username/password from any computer on the network. The network upgrade has two main components:
• A wireless LAN to allow all employees access to the internal network from within the office, outside and in the workshop. Customers of the business may also be granted guest access to the wireless LAN. The wireless LAN will most likely need more than 10 APs and have 50 to 100 clients.
• A VPN to allow selected employees to access the internal network from home or when visiting customers at other locations.
The business has one IT employee who is capable with computer networking (e.g. they previously setup the wired LAN), but has little knowledge of security. Answer the following questions assuming that you are explaining to the IT employee (as they need to build the network).
(a) Draw a network diagram that illustrates the wired network, wireless network, and VPN. You should not draw all users and devices; only draw a sample of the users and devices. For example, several switches, several APs, several wired computers, several WiFi users, 1 or 2 VPN external users. (Several may be 2 to 5). Also, clearly indicate which portions of the network have data encrypted due to either WiFi encryption or the VPN (for example, mark those paths that have encryption in red or some other clear label).
Now consider the wireless LAN security mechanisms that may be considered.
(b) Explain how MAC address filtering works as a security mechanism. Your explanation should make it clear to the IT employee what they would need to do if it was chosen to be implemented.
(c) Discuss the advantages and disadvantages of using MAC filtering, and give a recommendation to the IT employee whether to use it or not. The recommendation should be clearly justified (e.g. referring to the advantages and disadvantages).
(d) A simple setup to provide authentication and encryption would be to use WPA2 Personal. Explain to the IT employee what they would need to do to setup WPA2 Personal on APs and employee computers (including mobile phones).
(e) WPA2 typically uses AES128 or AES256. Assuming AES128, explain to the IT employee the difference between the following key/password selection schemes with respect to security and convenience:
• Random 128 bit binary value
• Random 16 digit hex value
• Random 12 character string, where the character set is: uppercase English, lowercase English, digits 0 to 9, and the 10 characters , . / ? [ ] { } ( )
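The entropy of each scheme, worked as an added example (not part of the assignment text). For n symbols drawn independently and uniformly from an alphabet of N symbols, the search space an attacker faces is N^n, i.e.

```
H = n \log_2 N \ \text{bits}

\text{random 128-bit binary value:}\quad H = 128 \ \text{bits}

\text{random 16-digit hex value:}\quad H = 16 \log_2 16 = 16 \times 4 = 64 \ \text{bits}

\text{random 12-character string, } N = 26 + 26 + 10 + 10 = 72:\quad H = 12 \log_2 72 \approx 12 \times 6.17 \approx 74 \ \text{bits}
```

Only the first scheme matches the 128-bit strength of AES128; the 16 hex digits give 64 bits, which is weaker than the 12-character string even though it looks "more random", and convenience (typing it into a phone, reading it out to a colleague) ranks in the opposite order. One caveat when relating this to WPA2 Personal: the passphrase is not used as the AES key directly but is stretched with PBKDF2 (with the SSID as salt) into the pairwise master key, so an attacker who captures the four-way handshake searches the passphrase space offline, and the effective strength is the passphrase entropy computed above, never more than the key length.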
(f) Rather than having a single key/password for all WiFi devices, the IT employee wants individual company employees to use their existing user name and password (from the centralised authentication server) to get access to WiFi. Explain what the IT employee would need to setup.
(g) One aim is to keep the guest customer’s WiFi traffic separate from the employee’s WiFi traffic. Explain what the IT employee would need to do to set this up. Include in your explanation the brand/model/version of a specific AP that supports such setup, as well as a screenshot(s) that shows the settings page of that AP where you set the SSID to your [StudentID]. You may use emulators for the AP settings (you don’t need to set a real AP, although you may do so if you have access). The screenshot should clearly show your StudentID in the SSID field.
Now consider the VPN component of the network.
(h) Explain to the IT employee what is a typical setup to support the VPN. This may include what software or hardware components are necessary and where, what configuration users may have to perform and/or what configuration the IT employee may have to perform.
(i) Select two VPN tunnelling protocols that may be used, and explain to the IT employee the advantages and disadvantages of each.
(j) Take a screenshot (or photo) of the VPN settings on a mobile phone, where the name or profile of the VPN is set to your [StudentID] and one of the tunnelling protocols from above is selected. You don’t need to complete the setup of the VPN on your phone; just take a screenshot of the settings.
Now consider the centralised authentication server used in the business, which uses Linux-based authentication.
The IT employee has informed you that a past employee (who has since left the business) most likely stole a copy of the /etc/passwd and /etc/shadow file from the authentication server. They told you the system used MD5 without a salt.
(k) Explain to the IT employee how the past employee could find the password of the Manager of the business from the stolen files. Refer to the specific files and information in those files, and give the steps of what the past employee would do.
(l) Recommend to the IT employee a more secure method for password storage in Linux, referring to specific algorithms and/or data to be stored. Explain why it is more secure.
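Questions (k) and (l) side by side, as an added example that is not part of the assignment: an offline dictionary attack on a constructed /etc/shadow whose hash field is an unsalted MD5 digest (the situation the IT employee described), followed by the salted SHA-512 crypt (`$6$`) format that should replace it. Every user name, hash and word in the block is constructed for the example; "manager" stands for the Manager's account.

```shell
#!/bin/sh
# Added example, not part of the assignment: dictionary attack on unsalted
# MD5 password hashes, and the salted SHA-512 crypt replacement. The shadow
# file, word list and user names are all constructed for this example.
set -eu

WORK=$(mktemp -d)
md5hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Constructed shadow file (name:hash:lastchg:min:max:warn:inactive:expire:).
# With no salt, the hash depends on the password alone.
{
    echo "manager:5f4dcc3b5aa765d61d8327deb882cf99:18000:0:99999:7:::"   # md5("password")
    echo "alice:e10adc3949ba59abbe56e057f20f883e:18000:0:99999:7:::"     # md5("123456")
    echo "bob:$(md5hex 'Tr0ub4dor&3-not-in-any-list'):18000:0:99999:7:::"
} > "$WORK/shadow"
# Constructed word list; a real attacker uses millions of leaked passwords.
printf '%s\n' 123456 qwerty letmein password welcome1 > "$WORK/words.txt"

# crack_all SHADOW WORDLIST: because there is no salt, the word list is hashed
# ONCE into a lookup table and every user is matched against it in one pass.
# Prints "user password" for each user whose password is in the list.
crack_all() {
    table="$WORK/table.txt"
    while IFS= read -r w; do echo "$(md5hex "$w") $w"; done < "$2" > "$table"
    awk 'NR==FNR { pw[$1]=$2; next } ($2 in pw) { print $1, pw[$2] }' \
        "$table" FS=: "$1"
}
# crack_user USER SHADOW WORDLIST: that user's password, or nothing if not found.
crack_user() { crack_all "$2" "$3" | awk -v u="$1" '$1==u { print $2 }'; }

# Replacement: SHA-512 crypt with a per-user random salt, as written by
# pam_unix/glibc ("$6$salt$hash"). Same password, different salt -> different
# hash, so a precomputed table is useless and every user costs a separate run.
sha512crypt() { openssl passwd -6 -salt "$2" "$1"; }

echo "cracked: $(crack_all "$WORK/shadow" "$WORK/words.txt" | tr '\n' ';')"
echo "manager: $(crack_user manager "$WORK/shadow" "$WORK/words.txt")"
echo "same password, two salts:"
sha512crypt password 'Qx7eFg1L'
sha512crypt password 'mN2pRs9T'
```

The stolen /etc/passwd supplies the user names (and which one is the Manager); /etc/shadow supplies the hash field that the table lookup is run against. On a Linux server the salted SHA-512 scheme is selected with ENCRYPT_METHOD SHA512 in /etc/login.defs and the `sha512` (optionally `rounds=N`) option on the pam_unix line in the PAM password stack; existing hashes are only rewritten when each user's password is next changed, which is another reason to reset all of them.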
(m)Given the passwords of all users should be reset, write a set of recommendations that the IT employee can give staff regarding choosing their new password. For each recommendation you give, justify it with respect to the security and/or convenience.