SlideShare a Scribd company logo

COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Net.docx

Download as DOCX, PDF
M
mary772

The COIT20262 Advanced Network Security assignment for Term 2, 2018 includes various questions aimed at assessing students' understanding of network security concepts. Key topics covered are role-based access control, password policies, firewalls using iptables, HTTPS and certificates, and Wi-Fi security. Students must complete all tasks independently and are advised to submit specific files while adhering to instructions regarding naming conventions and security practices.

Education
1 of 15
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 1 of 8 COIT20262 - Advanced Network Security, Term 2, 2018 Assignment 2 Questions Due date: 5pm Friday 5 October 2018 (Week 12) ASSESSMENT Weighting: 45% 2 Length: N/A Updated 6 Sep 2018 Question 3, part (c) on page 7 had a mistaken file name. It should be [StudentID]-cert.pem Instructions Attempt all questions. This is an individual assignment, and it is expected students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged), however each student should develop and write-up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include: • Do not exchange files (reports, captures, diagrams) with other students. • Complete tasks with virtnet yourself – do not use results from
another student. • Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students. • Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own. • Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words. • Perform the tasks using the correct values listed in the question and using the correct file names. File Names and Parameters Where you see [StudentID] in the text, replace it with your actual student ID. If your student ID contains a letter (e.g. “s1234567”), make sure the letter is in lowercase. Where you see [FirstName] in the text, replace it with your actual first name. If you do not have a first name, then use your last name. Do NOT include any spaces or other non- alphabetical characters (e.g. “-“). Marking Scheme A separate spreadsheet lists the detailed marking criteria.
https://www.cqu.edu.au/student-life/services-and- facilities/referencing COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 2 of 8 Question 1. Authentication and Access Control Consider a scenario where you are responsible for IT security in a small company. The company is expected to have around 40 employees over the next few years. The employees are classified into the following roles: • CEO • Executive Group (including CEO and other employees in leadership positions, e.g. leader of the Finance team) • Finance • Software Engineering • Graphic Design • Web Development • Sales and Marketing • Human Resources • IT Administration Some employees may take on multiple roles, e.g. an employee may be both in Software Engineering and Web Development. The key data resources of the company are classified as:
• Web Content • Source Code (e.g. for non-web software) • Multimedia Assets (e.g. images, videos, artwork) • Trade Secrets (e.g. algorithms, formulas that give the company a significant commercial advantage over competitors) • Financial Accounts • Personnel Records • Marketing Material • Company Policies • Meeting Records Assume role-based access control is to be used for users in different roles to access the above listed resources. The access rights are: • Own: can change the access rights on the resource • Read: can view the resource • Write: can create, delete and modify the resource (a) Create a table that shows the mappings from Role to Resource. Provide a brief explanation of why you choose this particular mapping. (b) One principle in access control is that of least privilege. Explain what the principle is, and explain an example by referring to your mapping above. COIT20262 Assignment 2 Questions Term 2, 2018
Advanced Network Security Page 3 of 8 The company has many trade secrets, some of which are very valuable and known only by the Executive Group (e.g. it would be a significant financial loss if a competing company knew them), some are also know by Software Engineers that implement the algorithms, while other trade secrets are important but known by a wider number of employees. The CEO has asked you to consider implementing Mandatory Access Control on the trade secrets. (c) Explain how you could apply MAC to the trade secrets, including the levels you would use and the assignment of roles to security clearance levels. The company is planning to use only passwords as the authentication mechanism for access computing systems. There will be no token-based or biometric authentication. (d) Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as “must” (it is required), “should” (it is required unless there is a good reason for not applying it), or “may” (optional). Each rule be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, “All users must use a 30 character random password” is a poor policy design (too inconvenient),
as is “All users must use their last name as a password” (too insecure). (e) Assume a malicious user knew your password policy. Select and explain two different attacks that the malicious user may use try to defeat the password-based authentication. For each attack, provide details of what the malicious user would do (e.g. list of steps, example techniques or software to use). While passwords were originally planned for the main computer systems, the company is considering using other authentication systems for high importance assets (e.g. finance, trade secrets). For these, the company is considering between: • USB tokens • Fingerprint scanning • Voice recognition (f) Explain how USB tokens can be used to allow users to login to a computer. Your explanation may include steps that the user must take, and any setup the IT administrator must perform in advance to allow USB tokens to work. (g) Compare the three techniques with respect to security, convenience and cost. For security you should discuss their strengths and weaknesses against different attacks. For convenience you should consider the additional burden then place on users. For cost, you do not need to give exact prices, but should discuss
what additional infrastructure is needed to deploy each system. COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 4 of 8 Question 2. Firewalls and iptables In this question you will use iptables and virtnet to create a firewall. You need to consider two different scenarios: 1. Firewall does not use SPI; default policy is Accept. 2. Firewall uses SPI; default policy is Drop. Both scenarios will use topology 7 in virtnet, with nodes 1 and 2 being external, node 3 the firewall, and nodes 4 and 5 internal. Although there are only 5 machines in the topology, when creating your rules you must assume there will be more than that. For example, while there is only 1 internal subnet, there may be more than 2 internal nodes on that subnet (you don’t have to create additional nodes in virtnet; just design the rules assuming they are there). For both scenarios you must save the iptables commands you used in a Shell script file, named [StudentID]-iptables1.sh and [StudentID]-iptables2.sh.
You must also add a comment that explains each rule in the file. Comments start with a hash (#) character. The Shell scripts may be executed during marking, therefore it is important you have the exact commands included, and no other text unless it is a comment. Where you see [StudentPort1] replace it with the value 8 followed by the last three numbers of your student ID. For example, if your student ID is 12345678, then [StudentPort1] is replaced with: 8678 Where you see [StudentPort2], do the same as [StudentPort1], except start with 9 (instead of 8). The example would replace [StudentPort2] with: 9678 Scenario 1: No SPI Implement a firewall that: (a) Blocks ping into the internal subnet, as well as out from the internal subnet. (b) Blocks ping into the firewall (node3), but allows the firewall to ping out. (c) Blocks all traffic from external subnets into the firewall, except if secure shell traffic. (d) Blocks node1 from access the web server on node4. (e) Blocks node5 from secure shell to any external node. (f) Blocks all external nodes from access a server on node4 that
uses port [StudentPort1]. Save all iptables commands used to implement the above rules in the file [StudentID]- iptables1.sh. Before each command, include a comment that explains why the iptables command(s) implements the required rule. Scenario 2: With SPI Before starting this scenario, delete (flush) all rules created in Scenario 1. Implement a firewall that: COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 5 of 8 (g) Sets the default policy on all chains as Drop. (h) Enable SPI. (i) Allows all external nodes to access the web server on node4. (j) Allows all external nodes to access the secure shell server on node5. (k) Allows all internal nodes to access any external web servers. (l) Allow node1 to access a server on node5 that uses port [StudentPort2]. Save all iptables commands used to implement the above rules in the file [StudentID]- iptables2.sh (including for setting the policy and enabling SPI). Before each command, include a comment that explains why the iptables command(s)
implements the required rule. COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 6 of 8 Question 3. HTTPS and Certificates For this question you must use virtnet (as used in the workshops) to study HTTPS and certificates. This assumes you have already setup and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website. Your task is to setup a web server that supports HTTPS. The tasks and sub-questions are grouped into multiple phases. Phase 1: Setup Topology 1. Create topology 7 in virtnet. 2. Deploy the MyUni demo website, with node4 being the real web server. 3. Change the domain name from www.myuni.edu to www.[StudentID].edu by editing the /etc/hosts file on node1.
NOTE: You may use the same nodes as used in Question 2 on firewalls. However if you do, you must not use a firewall to complete this question (i.e. flush all the rules). Alternatively, you may delete the nodes from Question 2, and re-create topology 7 for this question. Phase 2: Certificate Creation You will need to use the files made available to you for download from Assignment 1. 1. Using [StudentID]-keypair.pem you must create a Certificate Signing Request called [StudentID]-csr.pem. The CSR must contain these field values: • State: state of your campus • Locality: city of your campus • Organisation Name: your full name • Common Name: www.[StudentID].edu • Email address: your @cqumail address • Other field values must be selected appropriately. Now you will change role to be a CA. A different public/private key pair has been created for your CA as [StudentID]-ca-keypair.pem. As the CA you must: 2. Setup the files/directories for a demoCA 3. Create a self-signed certificate for the CA called [StudentID]-ca-cert.pem. 4. Using the CSR from step 1 issue a certificate for www.[StudentID].edu called [StudentID]-cert.pem.
Phase 3: HTTPs Configuration 1. Configure Apache web server on node4 to use HTTPS. Remember the domain name must be www.[StudentID].edu where [StudentID] is replace with your actual student ID. 2. Load the CA certificate into the client on node1. http://www.myuni.edu/ http://www.%5Bstudentid%5D.edu/ http://www.%5Bstudentid%5D.edu/ http://www.%5Bstudentid%5D.edu/ http://www.%5Bstudentid%5D.edu/ COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 7 of 8 Phase 4: Testing 1. Start capturing on node3 using tcpdump. 2. On node1, use lynx to visit https://www.[StudentID].edu/grades/ and login to view some grades. 3. Exit lynx. 4. Stop the capturing and save the file as [StudentID]- https.pcap. When capturing, make sure you capture a full HTTPS session,
and avoiding capturing multiple sessions. Phase 5: Analysis (a) Submit the CSR [StudentID]-csr.pem. (b) Submit the CA self-signed certificate [StudentID]-ca- cert.pem. (c) [Updated 6 Sep 2018] Submit the issued certificate [StudentID]-ca-cert.pem [StudentID]-cert.pem (d) Submit the packet capture [StudentID]-https.pcap. (e) When the web browser receives a certificate in a HTTPS exchange, what does the browser do to verify the certificate, and what information from the certificate is used in subsequent steps of the exchange? Explain your answers in detailed by referring to algorithms and cryptographic techniques used. (f) In this question your CA used a self-signed certificate. Explain why it is not good practice for the web server (www.[StudentID].edu) to also use a self-signed certificate. (g) If an attacker obtained [StudentID]-ca-keypair.pem, explain an attack that they could perform on users visiting https://www.[StudentID].edu/grades/. You must give details of the attack, such as the steps the attacker would perform and how the users/data would be compromised. Giving just an attack name is insufficient.
https://www.%5Bstudentid%5D.edu/grades/ http://www.%5Bstudentid%5D.edu/ https://www.%5Bstudentid%5D.edu/grades/ COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 8 of 8 Question 4. WiFi Security (a) Explain how a MAC address filter for a WiFi access point works. Discuss the role of MAC address filters in security, and issues or limitations of MAC address filters. (b) WPA is recommended for encryption and authentication in WiFi. WPA can use AES for encryption, which uses key lengths of 128 bits or 256 bits. However when users setup WPA/AES in their home WiFi access point, then often select a passphrase. Explain the difference between the passphrase and 128 bit key and discuss the advantages and disadvantages of using a passphrase (compared to a 128 bit or longer key). Also discuss the potential for successful brute force attacks on passphrases and 128 bit keys. (c) While WPA is considered secure when configured correctly, it is recommended that WiFi users use a VPN when connecting via public WiFi hot
spots. Explain why a VPN is recommended in these cases, what is required to be setup in advance to use a VPN, and what security the VPN provides. Updated 6 Sep 2018InstructionsFile Names and ParametersMarking SchemeQuestion 1. Authentication and Access ControlQuestion 2. Firewalls and iptablesQuestion 3. HTTPS and CertificatesQuestion 4. WiFi Security

More Related Content

DOCX
COIT20262 Assignment 1 Term 1, 2018 Advanced Network Secur.docx
clarebernice
 
DOC
A02 assignment-2
Sandeep Ratnam
 
PDF
Advance security in cloud computing for military weapons
IRJET Journal
 
DOCX
Cis 534 Education Organization -- snaptutorial.com
DavisMurphyB71
 
DOC
CIS 534 Education Specialist / snaptutorial.com
stevesonz129
 
DOCX
ops300 Project(4)
trayyoo
 
DOCX
ops300 Project(3)
trayyoo
 
DOCX
75629 Topic prevention measures for vulneranbilitiesNumber of.docx
sleeperharwell
 
COIT20262 Assignment 1 Term 1, 2018 Advanced Network Secur.docx
clarebernice
 
A02 assignment-2
Sandeep Ratnam
 
Advance security in cloud computing for military weapons
IRJET Journal
 
Cis 534 Education Organization -- snaptutorial.com
DavisMurphyB71
 
CIS 534 Education Specialist / snaptutorial.com
stevesonz129
 
ops300 Project(4)
trayyoo
 
ops300 Project(3)
trayyoo
 
75629 Topic prevention measures for vulneranbilitiesNumber of.docx
sleeperharwell
 

Similar to COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Net.docx (20)

PPTX
Clean sw 3_architecture
AngelLuisBlasco
 
DOCX
CIS 599 Exceptional Education / snaptutorial.com
donaldzs98
 
PDF
SC-401 Question and Answer pdf dumps.pdf
anam0909123
 
DOC
Cis 599 Education Redefined - snaptutorial.com
DavisMurphyC77
 
DOCX
01-01-2017 This section will lay out the implementation plan o.docx
honey725342
 
DOCX
Cis 534 Technology levels--snaptutorial.com
sholingarjosh62
 
DOCX
Cis 534 Enthusiastic Study / snaptutorial.com
Stephenson05
 
DOC
Cis 534 Effective Communication / snaptutorial.com
StokesCope34
 
PDF
Clone of an organization
IRJET Journal
 
DOCX
Assignment Grading Rubric Course IT286 Unit 4 Po.docx
ssuser562afc1
 
PDF
DumpsCafe CompTIA CASP CAS-005 Exam Dumps PDF
Dumpcollection
 
PDF
Cis 599 Enhance teaching / snaptutorial.com
Davis105
 
PPTX
ITARC15 Workshop - Architecting a Large Software Project - Lessons Learned
João Pedro Martins
 
DOCX
Documentation
Rajesh Seendripu
 
DOCX
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
eleanorabarrington
 
DOCX
Assignment 3 TCSS 143 Programming Assignment 3 .docx
ursabrooks36447
 
PDF
IRJET- Placemate - Sakec Portal
IRJET Journal
 
DOCX
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
manningchassidy
 
DOCX
Project 1CST630 Project ChecklistStudent Name DateNote This che
davieec5f
 
DOC
Chapter 9 lab a security policy development and implementation (instructor ve...
wosborne03
 
Clean sw 3_architecture
AngelLuisBlasco
 
CIS 599 Exceptional Education / snaptutorial.com
donaldzs98
 
SC-401 Question and Answer pdf dumps.pdf
anam0909123
 
Cis 599 Education Redefined - snaptutorial.com
DavisMurphyC77
 
01-01-2017 This section will lay out the implementation plan o.docx
honey725342
 
Cis 534 Technology levels--snaptutorial.com
sholingarjosh62
 
Cis 534 Enthusiastic Study / snaptutorial.com
Stephenson05
 
Cis 534 Effective Communication / snaptutorial.com
StokesCope34
 
Clone of an organization
IRJET Journal
 
Assignment Grading Rubric Course IT286 Unit 4 Po.docx
ssuser562afc1
 
DumpsCafe CompTIA CASP CAS-005 Exam Dumps PDF
Dumpcollection
 
Cis 599 Enhance teaching / snaptutorial.com
Davis105
 
ITARC15 Workshop - Architecting a Large Software Project - Lessons Learned
João Pedro Martins
 
Documentation
Rajesh Seendripu
 
erm Paper Managing an IT Infrastructure AuditDue Week 10 and wo
eleanorabarrington
 
Assignment 3 TCSS 143 Programming Assignment 3 .docx
ursabrooks36447
 
IRJET- Placemate - Sakec Portal
IRJET Journal
 
Term Paper Managing an IT Infrastructure AuditDue Week 10 a.docx
manningchassidy
 
Project 1CST630 Project ChecklistStudent Name DateNote This che
davieec5f
 
Chapter 9 lab a security policy development and implementation (instructor ve...
wosborne03
 
Ad

More from mary772 (20)

DOCX
Coding NotesImproving Diagnosis By Jacquie zegan, CCS, w.docx
mary772
 
DOCX
CNL-521 Topic 3 Vargas Case StudyBob and Elizabeth arrive.docx
mary772
 
DOCX
Cognitive and Language Development Milestones Picture Book[WLO .docx
mary772
 
DOCX
Codes of (un)dress and gender constructs from the Greek to t.docx
mary772
 
DOCX
Coding Assignment 3CSC 330 Advanced Data Structures, Spri.docx
mary772
 
DOCX
CodeZipButtonDemo.javaCodeZipButtonDemo.java Demonstrate a p.docx
mary772
 
DOCX
CoevolutionOver the ages, many species have become irremediably .docx
mary772
 
DOCX
Coding Component (50)Weve provided you with an implementation .docx
mary772
 
DOCX
Codes of Ethics Guides Not Prescriptions A set of rules and di.docx
mary772
 
DOCX
Code switching involves using 1 language or nonstandard versions of .docx
mary772
 
DOCX
Code of Ethics for the Nutrition and Dietetics Pr.docx
mary772
 
DOCX
Code of Ethics for Engineers 4. Engineers shall act .docx
mary772
 
DOCX
Coder Name Rebecca Oquendo .docx
mary772
 
DOCX
Codes of Ethical Conduct A Bottom-Up ApproachRonald Paul .docx
mary772
 
DOCX
CNL-530 Topic 2 Sexual Response Cycle ChartMasters and John.docx
mary772
 
DOCX
Code#RE00200012002020MN2DGHEType of Service.docx
mary772
 
DOCX
CODE OF ETHICSReview the following case study and address the qu.docx
mary772
 
DOCX
cocaine, conspiracy theories and the cia in central america by Craig.docx
mary772
 
DOCX
Code of EthicsThe Code of Ethical Conduct and Statement of Com.docx
mary772
 
DOCX
Code Galore Caselet Using COBIT® 5 for Information Security.docx
mary772
 
Coding NotesImproving Diagnosis By Jacquie zegan, CCS, w.docx
mary772
 
CNL-521 Topic 3 Vargas Case StudyBob and Elizabeth arrive.docx
mary772
 
Cognitive and Language Development Milestones Picture Book[WLO .docx
mary772
 
Codes of (un)dress and gender constructs from the Greek to t.docx
mary772
 
Coding Assignment 3CSC 330 Advanced Data Structures, Spri.docx
mary772
 
CodeZipButtonDemo.javaCodeZipButtonDemo.java Demonstrate a p.docx
mary772
 
CoevolutionOver the ages, many species have become irremediably .docx
mary772
 
Coding Component (50)Weve provided you with an implementation .docx
mary772
 
Codes of Ethics Guides Not Prescriptions A set of rules and di.docx
mary772
 
Code switching involves using 1 language or nonstandard versions of .docx
mary772
 
Code of Ethics for the Nutrition and Dietetics Pr.docx
mary772
 
Code of Ethics for Engineers 4. Engineers shall act .docx
mary772
 
Coder Name Rebecca Oquendo .docx
mary772
 
Codes of Ethical Conduct A Bottom-Up ApproachRonald Paul .docx
mary772
 
CNL-530 Topic 2 Sexual Response Cycle ChartMasters and John.docx
mary772
 
Code#RE00200012002020MN2DGHEType of Service.docx
mary772
 
CODE OF ETHICSReview the following case study and address the qu.docx
mary772
 
cocaine, conspiracy theories and the cia in central america by Craig.docx
mary772
 
Code of EthicsThe Code of Ethical Conduct and Statement of Com.docx
mary772
 
Code Galore Caselet Using COBIT® 5 for Information Security.docx
mary772
 
Ad

Recently uploaded (20)

PDF
FORM 1 BIOLOGY MIND MAPS and their schemes
arcade5
 
PDF
LDMMIA Reiki Yoga Finals Review Spring Summer
LDMMia Reiki Lectures
 
PPTX
B.Sc. DS Unit 2 Software Engineering.pptx
Dr. Pallawi Bulakh
 
PDF
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
PPTX
Introduction to Building Materials
Mrunali Vasava
 
PDF
What if we spent less time fighting change, and more time building what’s rig...
Derek Wenmoth
 
PDF
RTP_AR_KS1_Tutor's Guide_English [FOR REPRODUCTION].pdf
RobertMentino1
 
PDF
CISA (Certified Information Systems Auditor) Domain-Wise Summary.pdf
infosecTrain
 
PPTX
Virtual and Augmented Reality in Current Scenario
Shruti Dalela
 
PDF
advance database management system book.pdf
hinamannan364
 
PDF
MBA _Common_ 2nd year Syllabus _2021-22_.pdf
DrAnubha4
 
PDF
HVAC Specification 2024 according to central public works department
amitrobanipl
 
PDF
AI-driven educational solutions for real-life interventions in the Philippine...
EleniIlkou
 
PDF
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PDF
David L Page_DCI Research Study Journey_how Methodology can inform one's prac...
David L Page
 
PDF
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPTX
TNA_Presentation-1-Final(SAVE)) (1).pptx
RomnickTanilon
 
PDF
Vision Prelims GS PYQ Analysis 2011-2022 www.upscpdf.com.pdf
navneetgupta711851
 
FORM 1 BIOLOGY MIND MAPS and their schemes
arcade5
 
LDMMIA Reiki Yoga Finals Review Spring Summer
LDMMia Reiki Lectures
 
B.Sc. DS Unit 2 Software Engineering.pptx
Dr. Pallawi Bulakh
 
Chinmaya Tiranga quiz Grand Finale.pdf
Nitin Suresh
 
Introduction to Building Materials
Mrunali Vasava
 
What if we spent less time fighting change, and more time building what’s rig...
Derek Wenmoth
 
RTP_AR_KS1_Tutor's Guide_English [FOR REPRODUCTION].pdf
RobertMentino1
 
CISA (Certified Information Systems Auditor) Domain-Wise Summary.pdf
infosecTrain
 
Virtual and Augmented Reality in Current Scenario
Shruti Dalela
 
advance database management system book.pdf
hinamannan364
 
MBA _Common_ 2nd year Syllabus _2021-22_.pdf
DrAnubha4
 
HVAC Specification 2024 according to central public works department
amitrobanipl
 
AI-driven educational solutions for real-life interventions in the Philippine...
EleniIlkou
 
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
JohnJerryDalawampu
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
David L Page_DCI Research Study Journey_how Methodology can inform one's prac...
David L Page
 
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Demetrio Ccesa Rayme
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
TNA_Presentation-1-Final(SAVE)) (1).pptx
RomnickTanilon
 
Vision Prelims GS PYQ Analysis 2011-2022 www.upscpdf.com.pdf
navneetgupta711851
 

COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Net.docx

  • 1. COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 1 of 8 COIT20262 - Advanced Network Security, Term 2, 2018 Assignment 2 Questions Due date: 5pm Friday 5 October 2018 (Week 12) ASSESSMENT Weighting: 45% 2 Length: N/A Updated 6 Sep 2018 Question 3, part (c) on page 7 had a mistaken file name. It should be [StudentID]-cert.pem Instructions Attempt all questions. This is an individual assignment, and it is expected students answer the questions themselves. Discussion of approaches to solving questions is allowed (and encouraged), however each student should develop and write-up their own answers. See CQUniversity resources on Referencing and Plagiarism. Guidelines for this assignment include: • Do not exchange files (reports, captures, diagrams) with other students. • Complete tasks with virtnet yourself – do not use results from
  • 2. another student. • Draw your own diagrams. Do not use diagrams from other sources (Internet, textbooks) or from other students. • Write your own explanations. In some cases, students may arrive at the same numerical answer, however their explanation of the answer should always be their own. • Do not copy text from websites or textbooks. During research you should read and understand what others have written, and then write in your own words. • Perform the tasks using the correct values listed in the question and using the correct file names. File Names and Parameters Where you see [StudentID] in the text, replace it with your actual student ID. If your student ID contains a letter (e.g. “s1234567”), make sure the letter is in lowercase. Where you see [FirstName] in the text, replace it with your actual first name. If you do not have a first name, then use your last name. Do NOT include any spaces or other non- alphabetical characters (e.g. “-“). Marking Scheme A separate spreadsheet lists the detailed marking criteria.
  • 3. https://www.cqu.edu.au/student-life/services-and- facilities/referencing COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 2 of 8 Question 1. Authentication and Access Control Consider a scenario where you are responsible for IT security in a small company. The company is expected to have around 40 employees over the next few years. The employees are classified into the following roles: • CEO • Executive Group (including CEO and other employees in leadership positions, e.g. leader of the Finance team) • Finance • Software Engineering • Graphic Design • Web Development • Sales and Marketing • Human Resources • IT Administration Some employees may take on multiple roles, e.g. an employee may be both in Software Engineering and Web Development. The key data resources of the company are classified as:
  • 4. • Web Content • Source Code (e.g. for non-web software) • Multimedia Assets (e.g. images, videos, artwork) • Trade Secrets (e.g. algorithms, formulas that give the company a significant commercial advantage over competitors) • Financial Accounts • Personnel Records • Marketing Material • Company Policies • Meeting Records Assume role-based access control is to be used for users in different roles to access the above listed resources. The access rights are: • Own: can change the access rights on the resource • Read: can view the resource • Write: can create, delete and modify the resource (a) Create a table that shows the mappings from Role to Resource. Provide a brief explanation of why you choose this particular mapping. (b) One principle in access control is that of least privilege. Explain what the principle is, and explain an example by referring to your mapping above. COIT20262 Assignment 2 Questions Term 2, 2018
  • 5. Advanced Network Security Page 3 of 8 The company has many trade secrets, some of which are very valuable and known only by the Executive Group (e.g. it would be a significant financial loss if a competing company knew them), some are also know by Software Engineers that implement the algorithms, while other trade secrets are important but known by a wider number of employees. The CEO has asked you to consider implementing Mandatory Access Control on the trade secrets. (c) Explain how you could apply MAC to the trade secrets, including the levels you would use and the assignment of roles to security clearance levels. The company is planning to use only passwords as the authentication mechanism for access computing systems. There will be no token-based or biometric authentication. (d) Write a password policy for the company. The policy must give rules for how new users are registered with the systems, as well as how existing users change their passwords (including forgotten or wrong passwords). Each rule in the policy must be classified as “must” (it is required), “should” (it is required unless there is a good reason for not applying it), or “may” (optional). Each rule be justified/explained. The policy must make a reasonable trade-off between security and convenience. For example, “All users must use a 30 character random password” is a poor policy design (too inconvenient),
  • 6. as is “All users must use their last name as a password” (too insecure). (e) Assume a malicious user knew your password policy. Select and explain two different attacks that the malicious user may use try to defeat the password-based authentication. For each attack, provide details of what the malicious user would do (e.g. list of steps, example techniques or software to use). While passwords were originally planned for the main computer systems, the company is considering using other authentication systems for high importance assets (e.g. finance, trade secrets). For these, the company is considering between: • USB tokens • Fingerprint scanning • Voice recognition (f) Explain how USB tokens can be used to allow users to login to a computer. Your explanation may include steps that the user must take, and any setup the IT administrator must perform in advance to allow USB tokens to work. (g) Compare the three techniques with respect to security, convenience and cost. For security you should discuss their strengths and weaknesses against different attacks. For convenience you should consider the additional burden then place on users. For cost, you do not need to give exact prices, but should discuss
  • 7. what additional infrastructure is needed to deploy each system. COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 4 of 8 Question 2. Firewalls and iptables In this question you will use iptables and virtnet to create a firewall. You need to consider two different scenarios: 1. Firewall does not use SPI; default policy is Accept. 2. Firewall uses SPI; default policy is Drop. Both scenarios will use topology 7 in virtnet, with nodes 1 and 2 being external, node 3 the firewall, and nodes 4 and 5 internal. Although there are only 5 machines in the topology, when creating your rules you must assume there will be more than that. For example, while there is only 1 internal subnet, there may be more than 2 internal nodes on that subnet (you don’t have to create additional nodes in virtnet; just design the rules assuming they are there). For both scenarios you must save the iptables commands you used in a Shell script file, named [StudentID]-iptables1.sh and [StudentID]-iptables2.sh.
  • 8. You must also add a comment that explains each rule in the file. Comments start with a hash (#) character. The Shell scripts may be executed during marking, therefore it is important you have the exact commands included, and no other text unless it is a comment. Where you see [StudentPort1] replace it with the value 8 followed by the last three numbers of your student ID. For example, if your student ID is 12345678, then [StudentPort1] is replaced with: 8678 Where you see [StudentPort2], do the same as [StudentPort1], except start with 9 (instead of 8). The example would replace [StudentPort2] with: 9678 Scenario 1: No SPI Implement a firewall that: (a) Blocks ping into the internal subnet, as well as out from the internal subnet. (b) Blocks ping into the firewall (node3), but allows the firewall to ping out. (c) Blocks all traffic from external subnets into the firewall, except if secure shell traffic. (d) Blocks node1 from access the web server on node4. (e) Blocks node5 from secure shell to any external node. (f) Blocks all external nodes from access a server on node4 that
  • 9. uses port [StudentPort1]. Save all iptables commands used to implement the above rules in the file [StudentID]- iptables1.sh. Before each command, include a comment that explains why the iptables command(s) implements the required rule. Scenario 2: With SPI Before starting this scenario, delete (flush) all rules created in Scenario 1. Implement a firewall that: COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 5 of 8 (g) Sets the default policy on all chains as Drop. (h) Enable SPI. (i) Allows all external nodes to access the web server on node4. (j) Allows all external nodes to access the secure shell server on node5. (k) Allows all internal nodes to access any external web servers. (l) Allow node1 to access a server on node5 that uses port [StudentPort2]. Save all iptables commands used to implement the above rules in the file [StudentID]- iptables2.sh (including for setting the policy and enabling SPI). Before each command, include a comment that explains why the iptables command(s)
  • 10. implements the required rule. COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 6 of 8 Question 3. HTTPS and Certificates For this question you must use virtnet (as used in the workshops) to study HTTPS and certificates. This assumes you have already setup and are familiar with virtnet. See Moodle and workshop instructions for information on setting up and using virtnet, deploying the website, and testing the website. Your task is to setup a web server that supports HTTPS. The tasks and sub-questions are grouped into multiple phases. Phase 1: Setup Topology 1. Create topology 7 in virtnet. 2. Deploy the MyUni demo website, with node4 being the real web server. 3. Change the domain name from www.myuni.edu to www.[StudentID].edu by editing the /etc/hosts file on node1.
  • 11. NOTE: You may use the same nodes as used in Question 2 on firewalls. However if you do, you must not use a firewall to complete this question (i.e. flush all the rules). Alternatively, you may delete the nodes from Question 2, and re-create topology 7 for this question. Phase 2: Certificate Creation You will need to use the files made available to you for download from Assignment 1. 1. Using [StudentID]-keypair.pem you must create a Certificate Signing Request called [StudentID]-csr.pem. The CSR must contain these field values: • State: state of your campus • Locality: city of your campus • Organisation Name: your full name • Common Name: www.[StudentID].edu • Email address: your @cqumail address • Other field values must be selected appropriately. Now you will change role to be a CA. A different public/private key pair has been created for your CA as [StudentID]-ca-keypair.pem. As the CA you must: 2. Setup the files/directories for a demoCA 3. Create a self-signed certificate for the CA called [StudentID]-ca-cert.pem. 4. Using the CSR from step 1 issue a certificate for www.[StudentID].edu called [StudentID]-cert.pem.
  • 12. Phase 3: HTTPs Configuration 1. Configure Apache web server on node4 to use HTTPS. Remember the domain name must be www.[StudentID].edu where [StudentID] is replace with your actual student ID. 2. Load the CA certificate into the client on node1. http://www.myuni.edu/ http://www.%5Bstudentid%5D.edu/ http://www.%5Bstudentid%5D.edu/ http://www.%5Bstudentid%5D.edu/ http://www.%5Bstudentid%5D.edu/ COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 7 of 8 Phase 4: Testing 1. Start capturing on node3 using tcpdump. 2. On node1, use lynx to visit https://www.[StudentID].edu/grades/ and login to view some grades. 3. Exit lynx. 4. Stop the capturing and save the file as [StudentID]- https.pcap. When capturing, make sure you capture a full HTTPS session,
  • 13. and avoiding capturing multiple sessions. Phase 5: Analysis (a) Submit the CSR [StudentID]-csr.pem. (b) Submit the CA self-signed certificate [StudentID]-ca- cert.pem. (c) [Updated 6 Sep 2018] Submit the issued certificate [StudentID]-ca-cert.pem [StudentID]-cert.pem (d) Submit the packet capture [StudentID]-https.pcap. (e) When the web browser receives a certificate in a HTTPS exchange, what does the browser do to verify the certificate, and what information from the certificate is used in subsequent steps of the exchange? Explain your answers in detailed by referring to algorithms and cryptographic techniques used. (f) In this question your CA used a self-signed certificate. Explain why it is not good practice for the web server (www.[StudentID].edu) to also use a self-signed certificate. (g) If an attacker obtained [StudentID]-ca-keypair.pem, explain an attack that they could perform on users visiting https://www.[StudentID].edu/grades/. You must give details of the attack, such as the steps the attacker would perform and how the users/data would be compromised. Giving just an attack name is insufficient.
  • 14. https://www.%5Bstudentid%5D.edu/grades/ http://www.%5Bstudentid%5D.edu/ https://www.%5Bstudentid%5D.edu/grades/ COIT20262 Assignment 2 Questions Term 2, 2018 Advanced Network Security Page 8 of 8 Question 4. WiFi Security (a) Explain how a MAC address filter for a WiFi access point works. Discuss the role of MAC address filters in security, and issues or limitations of MAC address filters. (b) WPA is recommended for encryption and authentication in WiFi. WPA can use AES for encryption, which uses key lengths of 128 bits or 256 bits. However when users setup WPA/AES in their home WiFi access point, then often select a passphrase. Explain the difference between the passphrase and 128 bit key and discuss the advantages and disadvantages of using a passphrase (compared to a 128 bit or longer key). Also discuss the potential for successful brute force attacks on passphrases and 128 bit keys. (c) While WPA is considered secure when configured correctly, it is recommended that WiFi users use a VPN when connecting via public WiFi hot
  • 15. spots. Explain why a VPN is recommended in these cases, what is required to be setup in advance to use a VPN, and what security the VPN provides. Updated 6 Sep 2018InstructionsFile Names and ParametersMarking SchemeQuestion 1. Authentication and Access ControlQuestion 2. Firewalls and iptablesQuestion 3. HTTPS and CertificatesQuestion 4. WiFi Security