Reference no: EM132637449
COIT20262 Advanced Network Security - Central Queensland University
Scenario
You are a cyber security analyst for an educational institution (e.g. university). You are to conduct tasks and perform on issues impacting the university.
Question 1. HTTPS and Certificates
Part (b) Information Learnt
DONE
Part (c) Certificates
DONE
Part (d) CRL and OSCP
Now consider the use of certificates in the real Internet (not in virtnet), in particular certificates used for websites. To answer these questions, you may need to research further about the topics.
One issue with certificates is dealing with compromised certificates (e.g. when the private key has been compromised or the certificate is no longer correct). Explain what a CRL and OCSP is, including how the assist in dealing with compromised certificates, and compare the two.
Part (e) Validity Period
Consider the validity period (or lifetime) of certificates issued by a Certificate Authority. Compare the validity period used, allowed or recommended by different services (that is, organisations that issue or accept certificates, e.g. LetsEncrypt, Apple, GoDaddy, DigiCert, Google or others). Discuss the advantages and disadvantages of having a shorter validity period. In your discussion refer to the specific services and the values they use or allow.
Question 2. Question 2. WiFi Security and Authentication
WiFi Security and Authentication [34/80 marks]
You are tasked with designing a network upgrade for a local business. The business currently has a wired network (Ethernet LAN) across three floors of their office building, connecting approximately 40 desktop computers, several servers and 10's of other devices (e.g. printers, payment terminals, machinery). There are currently 70 full-time and part-time employees, some working in the office while others are outside or in an external workshop. The network and servers are currently setup with a centralised authentication server, e.g. a user can login with their username/password from any computer on the network. The network upgrade has two main components:
• A wireless LAN to allow all employees access to the internal network from within the office, outside and in the workshop. Customers of the business may also be granted guest access to the wireless LAN. The wireless LAN will most likely need more than 15 APs and have 100 to 150 clients.
• A VPN to allow selected employees to access the internal network from home or when visiting customers at other locations.
Assume the network has the following internal servers:
• A web server that supports HTTPS only and is accessible to the public.
• An email server accessible to the public.
• A SSH server accessible only to a small selection of employees when they are outside of the network. (The VPN is not needed for these employees to access the SSH server)
• A server application running a custom TCP-based application protocol that the company has developed. The protocol uses port number WXYZ, where WXYZ are the last 4 digits of your Student ID. For example, with student ID 12345678, the port is 5678. For student ID 12340321, the port is 321 (since the first digit is 0).
Assume NAT is not used in the network - all internal devices have public IPv4 addresses.
The business has one IT employee who is capable with computer networking (e.g. they previously setup the wired LAN), but has little knowledge of security.
Answer the following questions assuming that you are explaining to the IT employee (as they need to build the network).
Part (a) Network Diagram
Draw a network diagram that illustrates the wired network, wireless network, and VPN. You should not draw all users and devices; only draw a sample of the users and devices. For example, several switches, several APs, several wired computers, several WiFi users, 1 or 2 VPN external users. (Several may be 2 to 5). Also, clearly indicate which portions of the network have data encrypted due to either WiFi encryption or the VPN (for example, mark those paths that have encryption in red or some other clear label).
Part (b) Table of Addresses
Draw a table that lists the names, IP addresses and ports of each server. You may choose
any IP address range
Part (c) MAC Address Filtering Explanation
Now consider the wireless LAN security mechanisms that may be considered as options.
Explain how MAC address filtering works as a security mechanism. Your explanation should make it clear to the IT employee what they would need to do if it was chosen to be implemented.
Write your answer here
Part (d) MAC Address Filtering Recommendation
Discuss the advantages and disadvantages of using MAC filtering, and give a recommendation to the IT employee whether to use it or not. The recommendation should be clearly justified (e.g. referring to the advantages and disadvantages).
Write your answer here
(Part e&F)Consider two approaches to setup authentication with the wireless LAN: simple and centralised.
Part (e) WPA2 Personal
A simple setup to provide authentication and encryption would be to use WPA2 Personal. Explain to the IT employee what they would need to do to setup WPA2 Personal on APs and employee computers (including mobile phones).
Write your answer here
Part (f) Centralised Authentication
Rather than having a single key/password for all WiFi devices, the IT employee wants individual company employees to use their existing username and password (from the centralised authentication server) to get access to WiFi. Explain what the IT employee would need to setup
Write your answer here
(Partg&h)Now consider the centralised authentication server used in the business, which uses Linuxbased authentication. The IT employee has informed you that a past employee (who has since left the business) most likely stole a copy of the /etc/passwd and /etc/shadow file from the authentication server. They told you the system used MD5 without a salt.
Part (g) Finding Password
Explain to the IT employee how the past employee could find the password of the Manager of the business from the stolen files. Refer to the specific files and information in those files, and give the steps of what the past employee would do.
Write your answer here
Part (h) Recommended Storage of Passwords
Recommend to the IT employee a more secure method for password storage in Linux, referring to specific algorithms and/or data to be stored. Explain why it is more secure.
Write your answer here
Part (i) Password Policy
Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as "must" (it is required), "should" (it is required unless there is a good reason for not applying it), or "may" (optional). Each rule be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, "All users must use a 30-character random password" is a poor policy design (too inconvenient), as is "All users must use their last name as a password" (too insecure).
New Users
Write your answer here
Changing Passwords
Write your answer here
(Part j&K)Finally, the company is considering issuing every employee with a special USB token that can be used for user authentication. There are two modes in which the tokens can be used: one mode requires the users to enter a password and have the token; another mode allows users to login without entering the password if they insert the token into a company computer.
Part (j) Password Plus Token
For password plus token mode, explain the advantages and disadvantages of this authentication approach compared to using only passwords.
Write your answer here
Part (k) Token Only
For token only mode, explain the advantages and disadvantages of this authentication approach compared to using password plus token mode.
Write your answer here
Question 3. Firewalls and iptables - Consider the scenario from Question 2. Your task is to protect the organisations' network using a single iptables-based packet filtering firewall that supports SPI.
Part (a) Firewall Locations
Explain where you would locate the firewall, and justify that location.
Write your answer here
Part (b) Limitations
Assuming the firewall can be correctly configured to meet the security policy, discuss the weaknesses/limitations of using the firewall in the location you selected. Give examples of threats that highlight the weaknesses/limitations.
Write your answer here
Part (c) Firewall Design
Design a set of firewall rules for the organisation. For each rule, give a short justification for that rule.
Repeat the tables for as many rules as necessary
Explanation: write your explanation of the rule here
Explanation: write your explanation of the rule here
Part (d) iptables
Include the actual iptables rules here, and explain how it relates to your design (including justify any missing rules)
Write your answer here.
Question 4:
Consider the following scenario: To promote their "learning for everyone" campaign, the city council has organised a 2-week pop-up "uni-campus" to be located within the grounds of a large inner city 30-acre park. The uni-campus will host up to 40 different courses that members of the public can enrol into. On offer so far are: a 4-day course in commercial art; a 3-day course in basic Microsoft office; a 1-day course in how to cut your own hair; a 4-day course in high school math; a 2-day course in basic Internet; a 2-day workshop in creating a foolproof CV; a 3-day ‘lets do it now' course in creative writing and many more. The courses will all be run from different stalls conducted by respective teaching staff at each stall. Courses cost from $15 - 45 depending on the course. An online assessment and certificate are available on conclusion of learning. Chairs will be provided to accommodate up to 15 students each session per course. The popup campus will include a latest-model office-quality printer to be accessible only to uni-campus patrons. An RJ-45 connection to a council network switch is available from a secure cabinet located in the park near the unicampus site. Power is available at each stall.
The council has decided that all patrons and park visitors should have free but secure wireless access to the Internet while they are in the park so they can connect to various webpages relevant to the event and participate in the online activities. You have been given the task of setting up a wireless network to serve this need for the duration of the pop-up campus.
Three types of wireless LANs are the Independent Basic Service Set (IBSS), the Extended Service Set (ESS) and the Mesh Wireless network. Briefly explain each of these wireless architectures in your own words, the pros and cons of each type, an evaluation of its suitability for your network, and how you would set each one up in the park. Finally nominate the type that you would implement and give clear reasons for your selection.
Hints: First, research or review each of the types of wireless LANs. Next, study the given scenario thoroughly - your solution must cater for all stated requirements, be technicallysound, take the context into account, and any assumptions made should be reasonable and stated. Finally, write up your answer, using your own words.
Attachment:- HTTPS and Certificates.rar